commit ffd294d346d185b70e28b1a28abe367bbfe53c04 Author: Linus Torvalds Date: Sun Jan 19 15:51:45 2025 -0800 Linux 6.13 commit 9528d418de4d83c7ada69314ddd8d4427b1f703a Merge: 25144ea31b90af ae02ae16b76160 Author: Linus Torvalds Date: Sun Jan 19 09:33:40 2025 -0800 Merge tag 'x86_urgent_for_v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 fixes from Borislav Petkov: - Mark serialize() noinstr so that it can be used from instrumentation- free code - Make sure FRED's RSP0 MSR is synchronized with its corresponding per-CPU value in order to avoid double faults in hotplug scenarios - Disable EXECMEM_ROX on x86 for now because it didn't receive proper x86 maintainers review, went in and broke a bunch of things * tag 'x86_urgent_for_v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/asm: Make serialize() always_inline x86/fred: Fix the FRED RSP0 MSR out of sync with its per-CPU cache x86: Disable EXECMEM_ROX support commit 25144ea31b90af6fa860e1ce3ab735d8bb8deb83 Merge: b031457ab15dac 2f8dea1692eef2 Author: Linus Torvalds Date: Sun Jan 19 09:09:07 2025 -0800 Merge tag 'timers_urgent_for_v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull timer fixes from Borislav Petkov: - Reset hrtimers correctly when a CPU hotplug state traversal happens "half-ways" and leaves hrtimers not (re-)initialized properly - Annotate accesses to a timer group's ignore flag to prevent KCSAN from raising data_race warnings - Make sure timer group initialization is visible to timer tree walkers and avoid a hypothetical race - Fix another race between CPU hotplug and idle entry/exit where timers on a fully idle system are getting ignored - Fix a case where an ignored signal is still being handled which it shouldn't be * tag 'timers_urgent_for_v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: hrtimers: Handle CPU state correctly on hotplug timers/migration: Annotate accesses to ignore flag timers/migration: Enforce group initialization visibility to tree walkers timers/migration: Fix another race between hotplug and idle entry/exit signal/posixtimers: Handle ignore/blocked sequences correctly commit b031457ab15dacb47d714ee872e724f1aa6a1b30 Merge: 8ff6d472ab35d5 9322d1915f9d97 Author: Linus Torvalds Date: Sun Jan 19 09:04:33 2025 -0800 Merge tag 'irq_urgent_for_v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull irq fixes from Borislav Petkov: - Fix an OF node leak in irqchip init's error handling path - Fix sunxi systems to wake up from suspend with an NMI by pressing the power button - Do not spuriously enable interrupts in gic-v3 in a nested interrupts-off section - Make sure gic-v3 handles properly a failure to enter a low power state * tag 'irq_urgent_for_v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: irqchip: Plug a OF node reference leak in platform_irqchip_probe() irqchip/sunxi-nmi: Add missing SKIP_WAKE flag irqchip/gic-v3-its: Don't enable interrupts in its_irq_set_vcpu_affinity() irqchip/gic-v3: Handle CPU_PM_ENTER_FAILED correctly commit 8ff6d472ab35d5cb9a3941a1fcd5b7cbc9338c7f Merge: fda5e3f284002e 66951e4860d3c6 Author: Linus Torvalds Date: Sun Jan 19 09:01:17 2025 -0800 Merge tag 'sched_urgent_for_v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull scheduler fixes from Borislav Petkov: - Do not adjust the weight of empty group entities and avoid scheduling artifacts - Avoid scheduling lag by computing lag properly and thus address an EEVDF entity placement issue * tag 'sched_urgent_for_v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: sched/fair: Fix update_cfs_group() vs DELAY_DEQUEUE sched/fair: Fix EEVDF entity placement bug causing scheduling lag commit fda5e3f284002ea55dac1c98c1498d6dd684046e Merge: 595523945be0a5 60295b944ff680 Author: Linus Torvalds Date: Sat Jan 18 13:22:53 2025 -0800 Merge tag 'trace-v6.13-rc7-2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace Pull tracing fix from Steven Rostedt: "Fix regression in GFP output in trace events It was reported that the GFP flags in trace events went from human readable to just their hex values: gfp_flags=GFP_HIGHUSER_MOVABLE|__GFP_COMP to gfp_flags=0x140cca This was caused by a change that added the use of enums in calculating the GFP flags. As defines get translated into their values in the trace event format files, the user space tooling could easily convert the GFP flags into their symbols via the __print_flags() helper macro. The problem is that enums do not get converted, and the names of the enums show up in the format files and user space tooling cannot translate them. Add TRACE_DEFINE_ENUM() around the enums used for GFP flags which is the tracing infrastructure macro that informs the tracing subsystem what the values for enums and it can then expose that to user space" * tag 'trace-v6.13-rc7-2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: tracing: gfp: Fix the GFP enum values shown for user space tracing tools commit 595523945be0a5a2f12a1c04772383293fbc04a1 Merge: ed9add2b32253b 6e5773d52f4a2d Author: Linus Torvalds Date: Fri Jan 17 15:01:24 2025 -0800 Merge tag 'devicetree-fixes-for-6.13-2' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux Pull devicetree fixes from Rob Herring: "Another fix and testcase to avoid the newly added WARN in the case of non-translatable addresses" * tag 'devicetree-fixes-for-6.13-2' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux: of/address: Fix WARN when attempting translating non-translatable addresses of/unittest: Add test that of_address_to_resource() fails on non-translatable address commit ed9add2b32253b73d4909cc5cd4e7abcfdc0568b Merge: 775a15eaf71d86 352bba6c19cdea Author: Linus Torvalds Date: Fri Jan 17 14:49:53 2025 -0800 Merge tag 'soc-fixes-6.13-4' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc Pull SoC fixes from Arnd Bergmann: "Two last minute fixes: one build issue on TI soc drivers, and a regression in the renesas reset controller driver" * tag 'soc-fixes-6.13-4' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: soc: ti: pruss: Fix pruss APIs reset: rzg2l-usbphy-ctrl: Assign proper of node to the allocated device commit 775a15eaf71d8624024ad91b719ba47d4b04cd2b Merge: 42f38ccb00dffd 59616a91e5e748 Author: Linus Torvalds Date: Fri Jan 17 14:40:09 2025 -0800 Merge tag 'platform-drivers-x86-v6.13-6' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86 Pull x86 platform driver fixes from Ilpo Järvinen: - dell-uart-backlight: Fix serdev race - lenovo-yoga-tab2-pro-1380-fastcharger: Fix serdev race * tag 'platform-drivers-x86-v6.13-6' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86: platform/x86: lenovo-yoga-tab2-pro-1380-fastcharger: fix serdev race platform/x86: dell-uart-backlight: fix serdev race commit 42f38ccb00dffdb198d26d18681ea37d95881bcf Merge: 07757eeb9657e6 d15638bf76ad47 Author: Linus Torvalds Date: Fri Jan 17 14:22:36 2025 -0800 Merge tag 'mtd/fixes-for-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux Pull mtd revert from Miquel Raynal: "Very late this cycle we identified a breakage that could potentially hit several spi controller drivers because of a change in the way the dummy cycles validity is checked. We do not know at the moment how to handle the situation properly, so we prefer to revert the faulty patch for the next release" * tag 'mtd/fixes-for-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux: Revert "mtd: spi-nor: core: replace dummy buswidth from addr to data" commit 60295b944ff6805e677c48ae4178532b207d43be Author: Steven Rostedt Date: Thu Jan 16 16:41:24 2025 -0500 tracing: gfp: Fix the GFP enum values shown for user space tracing tools Tracing tools like perf and trace-cmd read the /sys/kernel/tracing/events/*/*/format files to know how to parse the data and also how to print it. For the "print fmt" portion of that file, if anything uses an enum that is not exported to the tracing system, user space will not be able to parse it. The GFP flags use to be defines, and defines get translated in the print fmt sections. But now they are converted to use enums, which is not. The mm_page_alloc trace event format use to have: print fmt: "page=%p pfn=0x%lx order=%d migratetype=%d gfp_flags=%s", REC->pfn != -1UL ? (((struct page *)vmemmap_base) + (REC->pfn)) : ((void *)0), REC->pfn != -1UL ? REC->pfn : 0, REC->order, REC->migratetype, (REC->gfp_flags) ? __print_flags(REC->gfp_flags, "|", {( unsigned long)(((((((( gfp_t)(0x400u|0x800u)) | (( gfp_t)0x40u) | (( gfp_t)0x80u) | (( gfp_t)0x100000u)) | (( gfp_t)0x02u)) | (( gfp_t)0x08u) | (( gfp_t)0)) | (( gfp_t)0x40000u) | (( gfp_t)0x80000u) | (( gfp_t)0x2000u)) & ~(( gfp_t)(0x400u|0x800u))) | (( gfp_t)0x400u)), "GFP_TRANSHUGE"}, {( unsigned long)((((((( gfp_t)(0x400u|0x800u)) | (( gfp_t)0x40u) | (( gfp_t)0x80u) | (( gfp_t)0x100000u)) | (( gfp_t)0x02u)) | (( gfp_t)0x08u) | (( gfp_t)0)) ... Where the GFP values are shown and not their names. But after the GFP flags were converted to use enums, it has: print fmt: "page=%p pfn=0x%lx order=%d migratetype=%d gfp_flags=%s", REC->pfn != -1UL ? (vmemmap + (REC->pfn)) : ((void *)0), REC->pfn != -1UL ? REC->pfn : 0, REC->order, REC->migratetype, (REC->gfp_flags) ? __print_flags(REC->gfp_flags, "|", {( unsigned long)(((((((( gfp_t)(((((1UL))) << (___GFP_DIRECT_RECLAIM_BIT))|((((1UL))) << (___GFP_KSWAPD_RECLAIM_BIT)))) | (( gfp_t)((((1UL))) << (___GFP_IO_BIT))) | (( gfp_t)((((1UL))) << (___GFP_FS_BIT))) | (( gfp_t)((((1UL))) << (___GFP_HARDWALL_BIT)))) | (( gfp_t)((((1UL))) << (___GFP_HIGHMEM_BIT)))) | (( gfp_t)((((1UL))) << (___GFP_MOVABLE_BIT))) | (( gfp_t)0)) | (( gfp_t)((((1UL))) << (___GFP_COMP_BIT))) ... Where the enums names like ___GFP_KSWAPD_RECLAIM_BIT are shown and not their values. User space has no way to convert these names to their values and the output will fail to parse. What is shown is now: mm_page_alloc: page=0xffffffff981685f3 pfn=0x1d1ac1 order=0 migratetype=1 gfp_flags=0x140cca The TRACE_DEFINE_ENUM() macro was created to handle enums in the print fmt files. This causes them to be replaced at boot up with the numbers, so that user space tooling can parse it. By using this macro, the output is back to the human readable: mm_page_alloc: page=0xffffffff981685f3 pfn=0x122233 order=0 migratetype=1 gfp_flags=GFP_HIGHUSER_MOVABLE|__GFP_COMP Cc: stable@vger.kernel.org Cc: Masami Hiramatsu Cc: Mark Rutland Cc: Mathieu Desnoyers Cc: Andrew Morton Cc: Veronika Molnarova Cc: Suren Baghdasaryan Cc: Linus Torvalds Link: https://lore.kernel.org/20250116214438.749504792@goodmis.org Reported-by: Michael Petlan Closes: https://lore.kernel.org/all/87be5f7c-1a0-dad-daa0-54e342efaea7@redhat.com/ Fixes: 772dd0342727c ("mm: enumerate all gfp flags") Signed-off-by: Steven Rostedt (Google) commit 07757eeb9657e6939475b3eac8b3936e7a72ba5f Merge: 7fed891d6ebdbb e9b24deb84863c Author: Linus Torvalds Date: Fri Jan 17 12:31:37 2025 -0800 Merge tag 'hwmon-for-v6.13-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging Pull hwmon fixes from Guenter Roeck: - ltc2991, tmp513: Fix problems seen when dividing negative numbers - drivetemp: Handle large timeouts observed on some drives - acpi_power_meter: Fix loading the driver on platforms without _PMD method * tag 'hwmon-for-v6.13-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging: hwmon: (ltc2991) Fix mixed signed/unsigned in DIV_ROUND_CLOSEST hwmon: (drivetemp) Set scsi command timeout to 10s hwmon: (acpi_power_meter) Fix a check for the return value of read_domain_devices(). hwmon: (tmp513) Fix division of negative numbers commit 7fed891d6ebdbb6de549eacab225f93aa91c1498 Merge: 5e74b9bf263f5a 9860370c217270 Author: Linus Torvalds Date: Fri Jan 17 11:39:28 2025 -0800 Merge tag 'gpio-fixes-for-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux Pull gpio fix from Bartosz Golaszewski: - convert regular spinlock to raw spinlock in gpio-xilinx to avoid a lockdep splat * tag 'gpio-fixes-for-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux: gpio: xilinx: Convert gpio_lock to raw spinlock commit 5e74b9bf263f5ab7b65e5553c9844c8197b73004 Merge: 4b040f0abe6d19 6ad30f78904233 Author: Linus Torvalds Date: Fri Jan 17 11:14:47 2025 -0800 Merge tag 'i2c-for-6.13-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux Pull i2c fixes from Wolfram Sang: - fix ref leak in the I2C core - fix remove notification in the address translator - missing error check in the pinctrl demuxer (plus a typo fix) - fix NAK handling when Linux is testunit target - fix NAK handling for the Renesas R-Car controller when it is a target * tag 'i2c-for-6.13-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux: i2c: testunit: on errors, repeat NACK until STOP i2c: rcar: fix NACK handling when being a target i2c: mux: demux-pinctrl: correct comment i2c: mux: demux-pinctrl: check initial mux selection, too i2c: atr: Fix client detach i2c: core: fix reference leak in i2c_register_adapter() commit 4b040f0abe6d19a14306d276a26a033f5087f2fa Merge: ad26fc09dabfa6 726efa92e02b46 Author: Linus Torvalds Date: Fri Jan 17 09:21:22 2025 -0800 Merge tag 'pmdomain-v6.13-rc2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/linux-pm Pull pmdomain fix from Ulf Hansson: - imx8mp-blk-ctrl: Add missing loop break condition * tag 'pmdomain-v6.13-rc2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/linux-pm: pmdomain: imx8mp-blk-ctrl: add missing loop break condition commit ad26fc09dabfa6a33ad5baee80479f518370b316 Merge: 9ca27296662e3e b0fce54b8c0d8e Author: Linus Torvalds Date: Thu Jan 16 21:24:34 2025 -0800 Merge tag 'mm-hotfixes-stable-2025-01-16-21-11' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Pull misc fixes from Andrew Morton: "7 singleton hotfixes. 6 are MM. Two are cc:stable and the remainder address post-6.12 issues" * tag 'mm-hotfixes-stable-2025-01-16-21-11' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm: ocfs2: check dir i_size in ocfs2_find_entry mailmap: update entry for Ethan Carter Edwards mm: zswap: move allocations during CPU init outside the lock mm: khugepaged: fix call hpage_collapse_scan_file() for anonymous vma mm: shmem: use signed int for version handling in casefold option alloc_tag: skip pgalloc_tag_swap if profiling is disabled mm: page_alloc: fix missed updates of lowmem_reserve in adjust_managed_page_count commit 9ca27296662e3eef9cf6c58bcf22a0490d217738 Merge: 9bffa1ad25b8b3 fa2f9906a7b333 Author: Linus Torvalds Date: Thu Jan 16 21:18:12 2025 -0800 Merge tag '6.13-rc7-SMB3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6 Pull smb client fixes from Steve French: - fix double free when reconnect racing with closing session - fix SMB1 reconnect with password rotation * tag '6.13-rc7-SMB3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6: smb: client: fix double free of TCP_Server_Info::hostname cifs: support reconnect with alternate password for SMB1 commit 9bffa1ad25b8b3b95d8f463e5c24dabe3c87d54d Merge: a634dda26186cf 9b1c673a1648cc Author: Linus Torvalds Date: Thu Jan 16 19:49:26 2025 -0800 Merge tag 'drm-fixes-2025-01-17' of https://gitlab.freedesktop.org/drm/kernel Pull drm fixes from Dave Airlie: "Final(?) set of fixes for 6.13, I think the holidays finally caught up with everyone, the misc changes are 2 weeks worth, otherwise amdgpu and xe are most of it. The largest pieces is a new test so I'm not too worried about that. kunit: - Fix W=1 build for kunit tests bridge: - Handle YCbCr420 better in bridge code, with tests - itee-it6263 error handling fix amdgpu: - SMU 13 fix - DP MST fixes - DCN 3.5 fix - PSR fixes - eDP fix - VRR fix - Enforce isolation fixes - GFX 12 fix - PSP 14.x fix xe: - Add steering info support for GuC register lists - Add means to wait for reset and synchronous reset - Make changing ccs_mode a synchronous action - Add missing mux registers - Mark ComputeCS read mode as UC on iGPU, unblocking ULLS on iGPU i915: - Relax clear color alignment to 64 bytes [fb] v3d: - Fix warn when unloading v3d nouveau: - Fix cross-device fence handling in nouveau - Fix backlight regression for macbooks 5,1 vmwgfx: - Fix BO reservation handling in vmwgfx" * tag 'drm-fixes-2025-01-17' of https://gitlab.freedesktop.org/drm/kernel: (33 commits) drm/xe: Mark ComputeCS read mode as UC on iGPU drm/xe/oa: Add missing VISACTL mux registers drm/xe: make change ccs_mode a synchronous action drm/xe: introduce xe_gt_reset and xe_gt_wait_for_reset drm/xe/guc: Adding steering info support for GuC register lists drm/bridge: ite-it6263: Prevent error pointer dereference in probe() drm/v3d: Ensure job pointer is set to NULL after job completion drm/vmwgfx: Add new keep_resv BO param drm/vmwgfx: Remove busy_places drm/vmwgfx: Unreserve BO on error drm/amdgpu: fix fw attestation for MP0_14_0_{2/3} drm/amdgpu: always sync the GFX pipe on ctx switch drm/amdgpu: disable gfxoff with the compute workload on gfx12 drm/amdgpu: Fix Circular Locking Dependency in AMDGPU GFX Isolation drm/i915/fb: Relax clear color alignment to 64 bytes drm/amd/display: Disable replay and psr while VRR is enabled drm/amd/display: Fix PSR-SU not support but still call the amdgpu_dm_psr_enable nouveau/fence: handle cross device fences properly drm/tests: connector: Add ycbcr_420_allowed tests drm/connector: hdmi: Validate supported_formats matches ycbcr_420_allowed ... commit a634dda26186cf9a51567020fcce52bcba5e1e59 Merge: f692a6c69076ee 6f7a644eb7db10 Author: Linus Torvalds Date: Thu Jan 16 17:02:28 2025 -0800 Merge tag 'io_uring-6.13-20250116' of git://git.kernel.dk/linux Pull io_uring fixes from Jens Axboe: "One fix for the error handling in buffer cloning, and one fix for the ring resizing. Two minor followups for the latter as well. Both of these issues only affect 6.13, so not marked for stable" * tag 'io_uring-6.13-20250116' of git://git.kernel.dk/linux: io_uring/register: cache old SQ/CQ head reading for copies io_uring/register: document io_register_resize_rings() shared mem usage io_uring/register: use stable SQ/CQ ring data during resize io_uring/rsrc: fixup io_clone_buffers() error handling commit 9b1c673a1648cc3501a3b7719db2bec931cf00f7 Merge: cfaf51adaf4e0b b1231ff7ea0689 Author: Dave Airlie Date: Fri Jan 17 08:54:06 2025 +1000 Merge tag 'drm-xe-fixes-2025-01-16' of https://gitlab.freedesktop.org/drm/xe/kernel into drm-fixes Driver Changes: - Add steering info support for GuC register lists (Jesus Narvaez) - Add means to wait for reset and synchronous reset (Maciej) - Make changing ccs_mode a synchronous action (Maciej) - Add missing mux registers (Ashutosh) - Mark ComputeCS read mode as UC on iGPU, unblocking ULLS on iGPU (Matt Brost) Signed-off-by: Dave Airlie From: Thomas Hellstrom Link: https://patchwork.freedesktop.org/patch/msgid/Z4ll3F1anLEwCvrf@fedora commit f692a6c69076ee5ecc95c5c7da018fe95ff63c28 Merge: ce69b401900140 94d529a3255ce6 Author: Linus Torvalds Date: Thu Jan 16 16:19:05 2025 -0800 Merge tag 'trace-v6.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace Pull tracing fixes from Steven Rostedt: - Fix a regression in the irqsoff and wakeup latency tracing The function graph tracer infrastructure has become generic so that fprobes and BPF can be based on it. As it use to only handle function graph tracing, it would always calculate the time the function entered so that it could then calculate the time it exits and give the length of time the function executed for. But this is not needed for the other users (fprobes and BPF) and reading the clock adds a non-negligible overhead, so the calculation was moved into the function graph tracer logic. But the irqsoff and wakeup latency tracers, when the "display-graph" option was set, would use the function graph tracer to calculate the times of functions during the latency. The movement of the calltime calculation made the value zero for these tracers, and the output no longer showed the length of time of each tracer, but instead the absolute timestamp of when the function returned (rettime - calltime where calltime is now zero). Have the irqsoff and wakeup latency tracers also do the calltime calculation as the function graph tracer does and report the proper length of the function timings. - Update the tracing display to reflect the new preempt lazy model When the system is configured with preempt lazy, the output of the trace data would state "unknown" for the current preemption model. Because the lazy preemption model was just added, make it known to the tracing subsystem too. This is just a one line change. - Document multiple function graph having slightly different timings Now that function graph tracer infrastructure is separate, this also allows the function graph tracer to run in multiple instances (it wasn't able to do so before). If two instances ran the function graph tracer and traced the same functions, the timings for them will be slightly different because each does their own timings and collects the timestamps differently. Document this to not have people be confused by it. * tag 'trace-v6.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: ftrace: Document that multiple function_graph tracing may have different times tracing: Print lazy preemption model tracing: Fix irqsoff and wakeup latency tracers when using function graph commit cfaf51adaf4e0b1850c84e05c81e879dd571c17c Merge: cf8182d3379896 1a5401ec3018c1 Author: Dave Airlie Date: Fri Jan 17 08:48:11 2025 +1000 Merge tag 'drm-intel-fixes-2025-01-15' of https://gitlab.freedesktop.org/drm/i915/kernel into drm-fixes - Relax clear color alignment to 64 bytes [fb] (Ville Syrjälä) Signed-off-by: Dave Airlie From: Tvrtko Ursulin Link: https://patchwork.freedesktop.org/patch/msgid/Z4fdIVf68qsqIpiN@linux commit b1231ff7ea0689d04040a44864c265bc11612fa8 Author: Matthew Brost Date: Mon Jan 13 16:25:07 2025 -0800 drm/xe: Mark ComputeCS read mode as UC on iGPU RING_CMD_CCTL read index should be UC on iGPU parts due to L3 caching structure. Having this as WB blocks ULLS from being enabled. Change to UC to unblock ULLS on iGPU. v2: - Drop internal communications commnet, bspec is updated Cc: Balasubramani Vivekanandan Cc: Michal Mrozek Cc: Paulo Zanoni Cc: José Roberto de Souza Cc: stable@vger.kernel.org Fixes: 328e089bfb37 ("drm/xe: Leverage ComputeCS read L3 caching") Signed-off-by: Matthew Brost Acked-by: Michal Mrozek Reviewed-by: Stuart Summers Reviewed-by: Matt Roper Link: https://patchwork.freedesktop.org/patch/msgid/20250114002507.114087-1-matthew.brost@intel.com (cherry picked from commit 758debf35b9cda5450e40996991a6e4b222899bd) Signed-off-by: Thomas Hellström commit ce69b4019001407f9cd738dd2ba217b3a8ab831b Merge: 6b4ccf11fa5dae a50da36562cd62 Author: Linus Torvalds Date: Thu Jan 16 09:09:44 2025 -0800 Merge tag 'net-6.13-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Pull networking fixes from Paolo Abeni: "Notably this includes fixes for a few regressions spotted very recently. No known outstanding ones. Current release - regressions: - core: avoid CFI problems with sock priv helpers - xsk: bring back busy polling support - netpoll: ensure skb_pool list is always initialized Current release - new code bugs: - core: make page_pool_ref_netmem work with net iovs - ipv4: route: fix drop reason being overridden in ip_route_input_slow - udp: make rehash4 independent in udp_lib_rehash() Previous releases - regressions: - bpf: fix bpf_sk_select_reuseport() memory leak - openvswitch: fix lockup on tx to unregistering netdev with carrier - mptcp: be sure to send ack when mptcp-level window re-opens - eth: - bnxt: always recalculate features after XDP clearing, fix null-deref - mlx5: fix sub-function add port error handling - fec: handle page_pool_dev_alloc_pages error Previous releases - always broken: - vsock: some fixes due to transport de-assignment - eth: - ice: fix E825 initialization - mlx5e: fix inversion dependency warning while enabling IPsec tunnel - gtp: destroy device along with udp socket's netns dismantle. - xilinx: axienet: Fix IRQ coalescing packet count overflow" * tag 'net-6.13-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (44 commits) netdev: avoid CFI problems with sock priv helpers net/mlx5e: Always start IPsec sequence number from 1 net/mlx5e: Rely on reqid in IPsec tunnel mode net/mlx5e: Fix inversion dependency warning while enabling IPsec tunnel net/mlx5: Clear port select structure when fail to create net/mlx5: SF, Fix add port error handling net/mlx5: Fix a lockdep warning as part of the write combining test net/mlx5: Fix RDMA TX steering prio net: make page_pool_ref_netmem work with net iovs net: ethernet: xgbe: re-add aneg to supported features in PHY quirks net: pcs: xpcs: actively unset DW_VR_MII_DIG_CTRL1_2G5_EN for 1G SGMII net: pcs: xpcs: fix DW_VR_MII_DIG_CTRL1_2G5_EN bit being set for 1G SGMII w/o inband selftests: net: Adapt ethtool mq tests to fix in qdisc graft net: fec: handle page_pool_dev_alloc_pages error net: netpoll: ensure skb_pool list is always initialized net: xilinx: axienet: Fix IRQ coalescing packet count overflow nfp: bpf: prevent integer overflow in nfp_bpf_event_output() selftests: mptcp: avoid spurious errors on disconnect mptcp: fix spurious wake-up on under memory pressure mptcp: be sure to send ack when mptcp-level window re-opens ... commit 6b4ccf11fa5dae17ac815c5a07ce56655d60a815 Merge: 5d5c4787595268 3744b08449c27b Author: Linus Torvalds Date: Thu Jan 16 09:04:10 2025 -0800 Merge tag 'pm-6.13-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull power management fixes from Rafael Wysocki: "Update the documentation of cpuidle governors that does not match the code any more after previous functional changes (Rafael Wysocki) and fix up the cpufreq Kconfig file broken inadvertently by a previous update (Viresh Kumar)" * tag 'pm-6.13-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: cpufreq: Move endif to the end of Kconfig file cpuidle: teo: Update documentation after previous changes cpuidle: menu: Update documentation after previous changes commit 5d5c4787595268a5ac11f77660d4673feb744c57 Merge: ed8fd8d5dd4aa2 14578923e8c251 Author: Linus Torvalds Date: Thu Jan 16 09:02:10 2025 -0800 Merge tag 'acpi-6.13-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull ACPI fix from Rafael Wysocki: "Prevent acpi_video_device_EDID() from returning a pointer to a memory region that should not be passed to kfree() which causes one of its users to crash randomly on attempts to free it (Chris Bainbridge)" * tag 'acpi-6.13-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: ACPI: video: Fix random crashes due to bad kfree() commit ed8fd8d5dd4aa250e18152b80cbac24de7335488 Merge: 619f0b6fad524f fe4de594f7a2e9 Author: Linus Torvalds Date: Thu Jan 16 08:54:33 2025 -0800 Merge tag 'for-6.13-rc7-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux Pull btrfs fix from David Sterba: - handle d_path() errors when canonicalizing device mapper paths during device scan * tag 'for-6.13-rc7-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux: btrfs: add the missing error handling inside get_canonical_dev_path commit ae02ae16b76160f0aeeae2c5fb9b15226d00a4ef Author: Juergen Gross Date: Wed Dec 18 11:09:18 2024 +0100 x86/asm: Make serialize() always_inline In order to allow serialize() to be used from noinstr code, make it __always_inline. Fixes: 0ef8047b737d ("x86/static-call: provide a way to do very early static-call updates") Closes: https://lore.kernel.org/oe-kbuild-all/202412181756.aJvzih2K-lkp@intel.com/ Reported-by: kernel test robot Signed-off-by: Juergen Gross Signed-off-by: Borislav Petkov (AMD) Link: https://lore.kernel.org/r/20241218100918.22167-1-jgross@suse.com commit 726efa92e02b460811e8bc6990dd742f03b645ea Author: Xiaolei Wang Date: Wed Jan 15 09:41:18 2025 +0800 pmdomain: imx8mp-blk-ctrl: add missing loop break condition Currently imx8mp_blk_ctrl_remove() will continue the for loop until an out-of-bounds exception occurs. pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : dev_pm_domain_detach+0x8/0x48 lr : imx8mp_blk_ctrl_shutdown+0x58/0x90 sp : ffffffc084f8bbf0 x29: ffffffc084f8bbf0 x28: ffffff80daf32ac0 x27: 0000000000000000 x26: ffffffc081658d78 x25: 0000000000000001 x24: ffffffc08201b028 x23: ffffff80d0db9490 x22: ffffffc082340a78 x21: 00000000000005b0 x20: ffffff80d19bc180 x19: 000000000000000a x18: ffffffffffffffff x17: ffffffc080a39e08 x16: ffffffc080a39c98 x15: 4f435f464f006c72 x14: 0000000000000004 x13: ffffff80d0172110 x12: 0000000000000000 x11: ffffff80d0537740 x10: ffffff80d05376c0 x9 : ffffffc0808ed2d8 x8 : ffffffc084f8bab0 x7 : 0000000000000000 x6 : 0000000000000000 x5 : ffffff80d19b9420 x4 : fffffffe03466e60 x3 : 0000000080800077 x2 : 0000000000000000 x1 : 0000000000000001 x0 : 0000000000000000 Call trace: dev_pm_domain_detach+0x8/0x48 platform_shutdown+0x2c/0x48 device_shutdown+0x158/0x268 kernel_restart_prepare+0x40/0x58 kernel_kexec+0x58/0xe8 __do_sys_reboot+0x198/0x258 __arm64_sys_reboot+0x2c/0x40 invoke_syscall+0x5c/0x138 el0_svc_common.constprop.0+0x48/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x38/0xc8 el0t_64_sync_handler+0x120/0x130 el0t_64_sync+0x190/0x198 Code: 8128c2d0 ffffffc0 aa1e03e9 d503201f Fixes: 556f5cf9568a ("soc: imx: add i.MX8MP HSIO blk-ctrl") Cc: stable@vger.kernel.org Signed-off-by: Xiaolei Wang Reviewed-by: Lucas Stach Reviewed-by: Fabio Estevam Reviewed-by: Frank Li Link: https://lore.kernel.org/r/20250115014118.4086729-1-xiaolei.wang@windriver.com Signed-off-by: Ulf Hansson commit 3744b08449c27bfa085aa218c4830f3996a51626 Merge: 5a597a19a2148d 7e265fc04690d4 Author: Rafael J. Wysocki Date: Thu Jan 16 15:36:41 2025 +0100 Merge branch 'pm-cpufreq' Merge a cpufreq fix for 6.13: - Fix cpufreq Kconfig breakage after previous changes (Viresh Kumar). * pm-cpufreq: cpufreq: Move endif to the end of Kconfig file commit a50da36562cd62b41de9bef08edbb3e8af00f118 Author: Jakub Kicinski Date: Wed Jan 15 08:14:36 2025 -0800 netdev: avoid CFI problems with sock priv helpers Li Li reports that casting away callback type may cause issues for CFI. Let's generate a small wrapper for each callback, to make sure compiler sees the anticipated types. Reported-by: Li Li Link: https://lore.kernel.org/CANBPYPjQVqmzZ4J=rVQX87a9iuwmaetULwbK_5_3YWk2eGzkaA@mail.gmail.com Fixes: 170aafe35cb9 ("netdev: support binding dma-buf to netdevice") Signed-off-by: Jakub Kicinski Reviewed-by: Mina Almasry Link: https://patch.msgid.link/20250115161436.648646-1-kuba@kernel.org Signed-off-by: Paolo Abeni commit 2f8dea1692eef2b7ba6a256246ed82c365fdc686 Author: Koichiro Den Date: Fri Dec 20 22:44:21 2024 +0900 hrtimers: Handle CPU state correctly on hotplug Consider a scenario where a CPU transitions from CPUHP_ONLINE to halfway through a CPU hotunplug down to CPUHP_HRTIMERS_PREPARE, and then back to CPUHP_ONLINE: Since hrtimers_prepare_cpu() does not run, cpu_base.hres_active remains set to 1 throughout. However, during a CPU unplug operation, the tick and the clockevents are shut down at CPUHP_AP_TICK_DYING. On return to the online state, for instance CFS incorrectly assumes that the hrtick is already active, and the chance of the clockevent device to transition to oneshot mode is also lost forever for the CPU, unless it goes back to a lower state than CPUHP_HRTIMERS_PREPARE once. This round-trip reveals another issue; cpu_base.online is not set to 1 after the transition, which appears as a WARN_ON_ONCE in enqueue_hrtimer(). Aside of that, the bulk of the per CPU state is not reset either, which means there are dangling pointers in the worst case. Address this by adding a corresponding startup() callback, which resets the stale per CPU state and sets the online flag. [ tglx: Make the new callback unconditionally available, remove the online modification in the prepare() callback and clear the remaining state in the starting callback instead of the prepare callback ] Fixes: 5c0930ccaad5 ("hrtimers: Push pending hrtimers away from outgoing CPU earlier") Signed-off-by: Koichiro Den Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org Link: https://lore.kernel.org/all/20241220134421.3809834-1-koichiro.den@canonical.com commit 922efd298bb2636880408c00942dbd54d8bf6e0d Author: Frederic Weisbecker Date: Wed Jan 15 00:15:06 2025 +0100 timers/migration: Annotate accesses to ignore flag The group's ignore flag is: _ read under the group's lock (idle entry, remote expiry) _ turned on/off under the group's lock (idle entry, remote expiry) _ turned on locklessly on idle exit When idle entry or remote expiry clear the "ignore" flag of a group, the operation must be synchronized against other concurrent idle entry or remote expiry to make sure the related group timer is never missed. To enforce this synchronization, both "ignore" clear and read are performed under the group lock. On the contrary, whether idle entry or remote expiry manage to observe the "ignore" flag turned on by a CPU exiting idle is a matter of optimization. If that flag set is missed or cleared concurrently, the worst outcome is a migrator wasting time remotely handling a "ghost" timer. This is why the ignore flag can be set locklessly. Unfortunately, the related lockless accesses are bare and miss appropriate annotations. KCSAN rightfully complains: BUG: KCSAN: data-race in __tmigr_cpu_activate / print_report write to 0xffff88842fc28004 of 1 bytes by task 0 on cpu 0: __tmigr_cpu_activate tmigr_cpu_activate timer_clear_idle tick_nohz_restart_sched_tick tick_nohz_idle_exit do_idle cpu_startup_entry kernel_init do_initcalls clear_bss reserve_bios_regions common_startup_64 read to 0xffff88842fc28004 of 1 bytes by task 0 on cpu 1: print_report kcsan_report_known_origin kcsan_setup_watchpoint tmigr_next_groupevt tmigr_update_events tmigr_inactive_up __walk_groups+0x50/0x77 walk_groups __tmigr_cpu_deactivate tmigr_cpu_deactivate __get_next_timer_interrupt timer_base_try_to_set_idle tick_nohz_stop_tick tick_nohz_idle_stop_tick cpuidle_idle_call do_idle Although the relevant accesses could be marked as data_race(), the "ignore" flag being read several times within the same tmigr_update_events() function is confusing and error prone. Prefer reading it once in that function and make use of similar/paired accesses elsewhere with appropriate comments when necessary. Reported-by: kernel test robot Signed-off-by: Frederic Weisbecker Signed-off-by: Thomas Gleixner Link: https://lore.kernel.org/all/20250114231507.21672-4-frederic@kernel.org Closes: https://lore.kernel.org/oe-lkp/202501031612.62e0c498-lkp@intel.com commit de3ced72a79280fefd680e5e101d8b9f03cfa1d7 Author: Frederic Weisbecker Date: Wed Jan 15 00:15:05 2025 +0100 timers/migration: Enforce group initialization visibility to tree walkers Commit 2522c84db513 ("timers/migration: Fix another race between hotplug and idle entry/exit") fixed yet another race between idle exit and CPU hotplug up leading to a wrong "0" value migrator assigned to the top level. However there is yet another situation that remains unhandled: [GRP0:0] migrator = TMIGR_NONE active = NONE groupmask = 1 / \ \ 0 1 2..7 idle idle idle 0) The system is fully idle. [GRP0:0] migrator = CPU 0 active = CPU 0 groupmask = 1 / \ \ 0 1 2..7 active idle idle 1) CPU 0 is activating. It has done the cmpxchg on the top's ->migr_state but it hasn't yet returned to __walk_groups(). [GRP0:0] migrator = CPU 0 active = CPU 0, CPU 1 groupmask = 1 / \ \ 0 1 2..7 active active idle 2) CPU 1 is activating. CPU 0 stays the migrator (still stuck in __walk_groups(), delayed by #VMEXIT for example). [GRP1:0] migrator = TMIGR_NONE active = NONE groupmask = 1 / \ [GRP0:0] [GRP0:1] migrator = CPU 0 migrator = TMIGR_NONE active = CPU 0, CPU1 active = NONE groupmask = 1 groupmask = 2 / \ \ 0 1 2..7 8 active active idle !online 3) CPU 8 is preparing to boot. CPUHP_TMIGR_PREPARE is being ran by CPU 1 which has created the GRP0:1 and the new top GRP1:0 connected to GRP0:1 and GRP0:0. CPU 1 hasn't yet propagated its activation up to GRP1:0. [GRP1:0] migrator = GRP0:0 active = GRP0:0 groupmask = 1 / \ [GRP0:0] [GRP0:1] migrator = CPU 0 migrator = TMIGR_NONE active = CPU 0, CPU1 active = NONE groupmask = 1 groupmask = 2 / \ \ 0 1 2..7 8 active active idle !online 4) CPU 0 finally resumed after its #VMEXIT. It's in __walk_groups() returning from tmigr_cpu_active(). The new top GRP1:0 is visible and fetched and the pre-initialized groupmask of GRP0:0 is also visible. As a result tmigr_active_up() is called to GRP1:0 with GRP0:0 as active and migrator. CPU 0 is returning to __walk_groups() but suffers again a #VMEXIT. [GRP1:0] migrator = GRP0:0 active = GRP0:0 groupmask = 1 / \ [GRP0:0] [GRP0:1] migrator = CPU 0 migrator = TMIGR_NONE active = CPU 0, CPU1 active = NONE groupmask = 1 groupmask = 2 / \ \ 0 1 2..7 8 active active idle !online 5) CPU 1 propagates its activation of GRP0:0 to GRP1:0. This has no effect since CPU 0 did it already. [GRP1:0] migrator = GRP0:0 active = GRP0:0, GRP0:1 groupmask = 1 / \ [GRP0:0] [GRP0:1] migrator = CPU 0 migrator = CPU 8 active = CPU 0, CPU1 active = CPU 8 groupmask = 1 groupmask = 2 / \ \ \ 0 1 2..7 8 active active idle active 6) CPU 1 links CPU 8 to its group. CPU 8 boots and goes through CPUHP_AP_TMIGR_ONLINE which propagates activation. [GRP2:0] migrator = TMIGR_NONE active = NONE groupmask = 1 / \ [GRP1:0] [GRP1:1] migrator = GRP0:0 migrator = TMIGR_NONE active = GRP0:0, GRP0:1 active = NONE groupmask = 1 groupmask = 2 / \ [GRP0:0] [GRP0:1] [GRP0:2] migrator = CPU 0 migrator = CPU 8 migrator = TMIGR_NONE active = CPU 0, CPU1 active = CPU 8 active = NONE groupmask = 1 groupmask = 2 groupmask = 0 / \ \ \ 0 1 2..7 8 64 active active idle active !online 7) CPU 64 is booting. CPUHP_TMIGR_PREPARE is being ran by CPU 1 which has created the GRP1:1, GRP0:2 and the new top GRP2:0 connected to GRP1:1 and GRP1:0. CPU 1 hasn't yet propagated its activation up to GRP2:0. [GRP2:0] migrator = 0 (!!!) active = NONE groupmask = 1 / \ [GRP1:0] [GRP1:1] migrator = GRP0:0 migrator = TMIGR_NONE active = GRP0:0, GRP0:1 active = NONE groupmask = 1 groupmask = 2 / \ [GRP0:0] [GRP0:1] [GRP0:2] migrator = CPU 0 migrator = CPU 8 migrator = TMIGR_NONE active = CPU 0, CPU1 active = CPU 8 active = NONE groupmask = 1 groupmask = 2 groupmask = 0 / \ \ \ 0 1 2..7 8 64 active active idle active !online 8) CPU 0 finally resumed after its #VMEXIT. It's in __walk_groups() returning from tmigr_cpu_active(). The new top GRP2:0 is visible and fetched but the pre-initialized groupmask of GRP1:0 is not because no ordering made its initialization visible. As a result tmigr_active_up() may be called to GRP2:0 with a "0" child's groumask. Leaving the timers ignored for ever when the system is fully idle. The race is highly theoretical and perhaps impossible in practice but the groupmask of the child is not the only concern here as the whole initialization of the child is not guaranteed to be visible to any tree walker racing against hotplug (idle entry/exit, remote handling, etc...). Although the current code layout seem to be resilient to such hazards, this doesn't tell much about the future. Fix this with enforcing address dependency between group initialization and the write/read to the group's parent's pointer. Fortunately that doesn't involve any barrier addition in the fast paths. Fixes: 10a0e6f3d3db ("timers/migration: Move hierarchy setup into cpuhotplug prepare callback") Signed-off-by: Frederic Weisbecker Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org Link: https://lore.kernel.org/all/20250114231507.21672-3-frederic@kernel.org commit b729cc1ec21a5899b7879ccfbe1786664928d597 Author: Frederic Weisbecker Date: Wed Jan 15 00:15:04 2025 +0100 timers/migration: Fix another race between hotplug and idle entry/exit Commit 10a0e6f3d3db ("timers/migration: Move hierarchy setup into cpuhotplug prepare callback") fixed a race between idle exit and CPU hotplug up leading to a wrong "0" value migrator assigned to the top level. However there is still a situation that remains unhandled: [GRP0:0] migrator = TMIGR_NONE active = NONE groupmask = 0 / \ \ 0 1 2..7 idle idle idle 0) The system is fully idle. [GRP0:0] migrator = CPU 0 active = CPU 0 groupmask = 0 / \ \ 0 1 2..7 active idle idle 1) CPU 0 is activating. It has done the cmpxchg on the top's ->migr_state but it hasn't yet returned to __walk_groups(). [GRP0:0] migrator = CPU 0 active = CPU 0, CPU 1 groupmask = 0 / \ \ 0 1 2..7 active active idle 2) CPU 1 is activating. CPU 0 stays the migrator (still stuck in __walk_groups(), delayed by #VMEXIT for example). [GRP1:0] migrator = TMIGR_NONE active = NONE groupmask = 0 / \ [GRP0:0] [GRP0:1] migrator = CPU 0 migrator = TMIGR_NONE active = CPU 0, CPU1 active = NONE groupmask = 2 groupmask = 1 / \ \ 0 1 2..7 8 active active idle !online 3) CPU 8 is preparing to boot. CPUHP_TMIGR_PREPARE is being ran by CPU 1 which has created the GRP0:1 and the new top GRP1:0 connected to GRP0:1 and GRP0:0. The groupmask of GRP0:0 is now 2. CPU 1 hasn't yet propagated its activation up to GRP1:0. [GRP1:0] migrator = 0 (!!!) active = NONE groupmask = 0 / \ [GRP0:0] [GRP0:1] migrator = CPU 0 migrator = TMIGR_NONE active = CPU 0, CPU1 active = NONE groupmask = 2 groupmask = 1 / \ \ 0 1 2..7 8 active active idle !online 4) CPU 0 finally resumed after its #VMEXIT. It's in __walk_groups() returning from tmigr_cpu_active(). The new top GRP1:0 is visible and fetched but the freshly updated groupmask of GRP0:0 may not be visible due to lack of ordering! As a result tmigr_active_up() is called to GRP0:0 with a child's groupmask of "0". This buggy "0" groupmask then becomes the migrator for GRP1:0 forever. As a result, timers on a fully idle system get ignored. One possible fix would be to define TMIGR_NONE as "0" so that such a race would have no effect. And after all TMIGR_NONE doesn't need to be anything else. However this would leave an uncomfortable state machine where gears happen not to break by chance but are vulnerable to future modifications. Keep TMIGR_NONE as is instead and pre-initialize to "1" the groupmask of any newly created top level. This groupmask is guaranteed to be visible upon fetching the corresponding group for the 1st time: _ By the upcoming CPU thanks to CPU hotplug synchronization between the control CPU (BP) and the booting one (AP). _ By the control CPU since the groupmask and parent pointers are initialized locally. _ By all CPUs belonging to the same group than the control CPU because they must wait for it to ever become idle before needing to walk to the new top. The cmpcxhg() on ->migr_state then makes sure its groupmask is visible. With this pre-initialization, it is guaranteed that if a future top level is linked to an old one, it is walked through with a valid groupmask. Fixes: 10a0e6f3d3db ("timers/migration: Move hierarchy setup into cpuhotplug prepare callback") Signed-off-by: Frederic Weisbecker Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org Link: https://lore.kernel.org/all/20250114231507.21672-2-frederic@kernel.org commit 676d53a480b4fc9836e5a40452609cf85be88ba0 Merge: cbc16bceea7842 7f95b0247764ac Author: Paolo Abeni Date: Thu Jan 16 12:45:50 2025 +0100 Merge branch 'mlx5-misc-fixes-2025-01-15' Tariq Toukan says: ==================== mlx5 misc fixes 2025-01-15 This patchset provides misc bug fixes from the team to the mlx5 core and Eth drivers. ==================== Link: https://patch.msgid.link/20250115113910.1990174-1-tariqt@nvidia.com Signed-off-by: Paolo Abeni commit 7f95b0247764acd739d949ff247db4b76138e55a Author: Leon Romanovsky Date: Wed Jan 15 13:39:10 2025 +0200 net/mlx5e: Always start IPsec sequence number from 1 According to RFC4303, section "3.3.3. Sequence Number Generation", the first packet sent using a given SA will contain a sequence number of 1. This is applicable to both ESN and non-ESN mode, which was not covered in commit mentioned in Fixes line. Fixes: 3d42c8cc67a8 ("net/mlx5e: Ensure that IPsec sequence packet number starts from 1") Signed-off-by: Leon Romanovsky Reviewed-by: Jacob Keller Signed-off-by: Tariq Toukan Signed-off-by: Paolo Abeni commit 25f23524dfa227959beb3b2c2c0f38e0222f4cfa Author: Leon Romanovsky Date: Wed Jan 15 13:39:09 2025 +0200 net/mlx5e: Rely on reqid in IPsec tunnel mode All packet offloads SAs have reqid in it to make sure they have corresponding policy. While it is not strictly needed for transparent mode, it is extremely important in tunnel mode. In that mode, policy and SAs have different match criteria. Policy catches the whole subnet addresses, and SA catches the tunnel gateways addresses. The source address of such tunnel is not known during egress packet traversal in flow steering as it is added only after successful encryption. As reqid is required for packet offload and it is unique for every SA, we can safely rely on it only. The output below shows the configured egress policy and SA by strongswan: [leonro@vm ~]$ sudo ip x s src 192.169.101.2 dst 192.169.101.1 proto esp spi 0xc88b7652 reqid 1 mode tunnel replay-window 0 flag af-unspec esn aead rfc4106(gcm(aes)) 0xe406a01083986e14d116488549094710e9c57bc6 128 anti-replay esn context: seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x0 replay_window 1, bitmap-length 1 00000000 crypto offload parameters: dev eth2 dir out mode packet [leonro@064 ~]$ sudo ip x p src 192.170.0.0/16 dst 192.170.0.0/16 dir out priority 383615 ptype main tmpl src 192.169.101.2 dst 192.169.101.1 proto esp spi 0xc88b7652 reqid 1 mode tunnel crypto offload parameters: dev eth2 mode packet Fixes: b3beba1fb404 ("net/mlx5e: Allow policies with reqid 0, to support IKE policy holes") Signed-off-by: Leon Romanovsky Reviewed-by: Jacob Keller Signed-off-by: Tariq Toukan Signed-off-by: Paolo Abeni commit 2c3688090f8a1f085230aa839cc63e4a7b977df0 Author: Leon Romanovsky Date: Wed Jan 15 13:39:08 2025 +0200 net/mlx5e: Fix inversion dependency warning while enabling IPsec tunnel Attempt to enable IPsec packet offload in tunnel mode in debug kernel generates the following kernel panic, which is happening due to two issues: 1. In SA add section, the should be _bh() variant when marking SA mode. 2. There is not needed flush_workqueue in SA delete routine. It is not needed as at this stage as it is removed from SADB and the running work will be canceled later in SA free. ===================================================== WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected 6.12.0+ #4 Not tainted ----------------------------------------------------- charon/1337 [HC0[0]:SC0[4]:HE1:SE0] is trying to acquire: ffff88810f365020 (&xa->xa_lock#24){+.+.}-{3:3}, at: mlx5e_xfrm_del_state+0xca/0x1e0 [mlx5_core] and this task is already holding: ffff88813e0f0d48 (&x->lock){+.-.}-{3:3}, at: xfrm_state_delete+0x16/0x30 which would create a new lock dependency: (&x->lock){+.-.}-{3:3} -> (&xa->xa_lock#24){+.+.}-{3:3} but this new dependency connects a SOFTIRQ-irq-safe lock: (&x->lock){+.-.}-{3:3} ... which became SOFTIRQ-irq-safe at: lock_acquire+0x1be/0x520 _raw_spin_lock_bh+0x34/0x40 xfrm_timer_handler+0x91/0xd70 __hrtimer_run_queues+0x1dd/0xa60 hrtimer_run_softirq+0x146/0x2e0 handle_softirqs+0x266/0x860 irq_exit_rcu+0x115/0x1a0 sysvec_apic_timer_interrupt+0x6e/0x90 asm_sysvec_apic_timer_interrupt+0x16/0x20 default_idle+0x13/0x20 default_idle_call+0x67/0xa0 do_idle+0x2da/0x320 cpu_startup_entry+0x50/0x60 start_secondary+0x213/0x2a0 common_startup_64+0x129/0x138 to a SOFTIRQ-irq-unsafe lock: (&xa->xa_lock#24){+.+.}-{3:3} ... which became SOFTIRQ-irq-unsafe at: ... lock_acquire+0x1be/0x520 _raw_spin_lock+0x2c/0x40 xa_set_mark+0x70/0x110 mlx5e_xfrm_add_state+0xe48/0x2290 [mlx5_core] xfrm_dev_state_add+0x3bb/0xd70 xfrm_add_sa+0x2451/0x4a90 xfrm_user_rcv_msg+0x493/0x880 netlink_rcv_skb+0x12e/0x380 xfrm_netlink_rcv+0x6d/0x90 netlink_unicast+0x42f/0x740 netlink_sendmsg+0x745/0xbe0 __sock_sendmsg+0xc5/0x190 __sys_sendto+0x1fe/0x2c0 __x64_sys_sendto+0xdc/0x1b0 do_syscall_64+0x6d/0x140 entry_SYSCALL_64_after_hwframe+0x4b/0x53 other info that might help us debug this: Possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&xa->xa_lock#24); local_irq_disable(); lock(&x->lock); lock(&xa->xa_lock#24); lock(&x->lock); *** DEADLOCK *** 2 locks held by charon/1337: #0: ffffffff87f8f858 (&net->xfrm.xfrm_cfg_mutex){+.+.}-{4:4}, at: xfrm_netlink_rcv+0x5e/0x90 #1: ffff88813e0f0d48 (&x->lock){+.-.}-{3:3}, at: xfrm_state_delete+0x16/0x30 the dependencies between SOFTIRQ-irq-safe lock and the holding lock: -> (&x->lock){+.-.}-{3:3} ops: 29 { HARDIRQ-ON-W at: lock_acquire+0x1be/0x520 _raw_spin_lock_bh+0x34/0x40 xfrm_alloc_spi+0xc0/0xe60 xfrm_alloc_userspi+0x5f6/0xbc0 xfrm_user_rcv_msg+0x493/0x880 netlink_rcv_skb+0x12e/0x380 xfrm_netlink_rcv+0x6d/0x90 netlink_unicast+0x42f/0x740 netlink_sendmsg+0x745/0xbe0 __sock_sendmsg+0xc5/0x190 __sys_sendto+0x1fe/0x2c0 __x64_sys_sendto+0xdc/0x1b0 do_syscall_64+0x6d/0x140 entry_SYSCALL_64_after_hwframe+0x4b/0x53 IN-SOFTIRQ-W at: lock_acquire+0x1be/0x520 _raw_spin_lock_bh+0x34/0x40 xfrm_timer_handler+0x91/0xd70 __hrtimer_run_queues+0x1dd/0xa60 hrtimer_run_softirq+0x146/0x2e0 handle_softirqs+0x266/0x860 irq_exit_rcu+0x115/0x1a0 sysvec_apic_timer_interrupt+0x6e/0x90 asm_sysvec_apic_timer_interrupt+0x16/0x20 default_idle+0x13/0x20 default_idle_call+0x67/0xa0 do_idle+0x2da/0x320 cpu_startup_entry+0x50/0x60 start_secondary+0x213/0x2a0 common_startup_64+0x129/0x138 INITIAL USE at: lock_acquire+0x1be/0x520 _raw_spin_lock_bh+0x34/0x40 xfrm_alloc_spi+0xc0/0xe60 xfrm_alloc_userspi+0x5f6/0xbc0 xfrm_user_rcv_msg+0x493/0x880 netlink_rcv_skb+0x12e/0x380 xfrm_netlink_rcv+0x6d/0x90 netlink_unicast+0x42f/0x740 netlink_sendmsg+0x745/0xbe0 __sock_sendmsg+0xc5/0x190 __sys_sendto+0x1fe/0x2c0 __x64_sys_sendto+0xdc/0x1b0 do_syscall_64+0x6d/0x140 entry_SYSCALL_64_after_hwframe+0x4b/0x53 } ... key at: [] __key.18+0x0/0x40 the dependencies between the lock to be acquired and SOFTIRQ-irq-unsafe lock: -> (&xa->xa_lock#24){+.+.}-{3:3} ops: 9 { HARDIRQ-ON-W at: lock_acquire+0x1be/0x520 _raw_spin_lock_bh+0x34/0x40 mlx5e_xfrm_add_state+0xc5b/0x2290 [mlx5_core] xfrm_dev_state_add+0x3bb/0xd70 xfrm_add_sa+0x2451/0x4a90 xfrm_user_rcv_msg+0x493/0x880 netlink_rcv_skb+0x12e/0x380 xfrm_netlink_rcv+0x6d/0x90 netlink_unicast+0x42f/0x740 netlink_sendmsg+0x745/0xbe0 __sock_sendmsg+0xc5/0x190 __sys_sendto+0x1fe/0x2c0 __x64_sys_sendto+0xdc/0x1b0 do_syscall_64+0x6d/0x140 entry_SYSCALL_64_after_hwframe+0x4b/0x53 SOFTIRQ-ON-W at: lock_acquire+0x1be/0x520 _raw_spin_lock+0x2c/0x40 xa_set_mark+0x70/0x110 mlx5e_xfrm_add_state+0xe48/0x2290 [mlx5_core] xfrm_dev_state_add+0x3bb/0xd70 xfrm_add_sa+0x2451/0x4a90 xfrm_user_rcv_msg+0x493/0x880 netlink_rcv_skb+0x12e/0x380 xfrm_netlink_rcv+0x6d/0x90 netlink_unicast+0x42f/0x740 netlink_sendmsg+0x745/0xbe0 __sock_sendmsg+0xc5/0x190 __sys_sendto+0x1fe/0x2c0 __x64_sys_sendto+0xdc/0x1b0 do_syscall_64+0x6d/0x140 entry_SYSCALL_64_after_hwframe+0x4b/0x53 INITIAL USE at: lock_acquire+0x1be/0x520 _raw_spin_lock_bh+0x34/0x40 mlx5e_xfrm_add_state+0xc5b/0x2290 [mlx5_core] xfrm_dev_state_add+0x3bb/0xd70 xfrm_add_sa+0x2451/0x4a90 xfrm_user_rcv_msg+0x493/0x880 netlink_rcv_skb+0x12e/0x380 xfrm_netlink_rcv+0x6d/0x90 netlink_unicast+0x42f/0x740 netlink_sendmsg+0x745/0xbe0 __sock_sendmsg+0xc5/0x190 __sys_sendto+0x1fe/0x2c0 __x64_sys_sendto+0xdc/0x1b0 do_syscall_64+0x6d/0x140 entry_SYSCALL_64_after_hwframe+0x4b/0x53 } ... key at: [] __key.48+0x0/0xfffffffffff210a0 [mlx5_core] ... acquired at: __lock_acquire+0x30a0/0x5040 lock_acquire+0x1be/0x520 _raw_spin_lock_bh+0x34/0x40 mlx5e_xfrm_del_state+0xca/0x1e0 [mlx5_core] xfrm_dev_state_delete+0x90/0x160 __xfrm_state_delete+0x662/0xae0 xfrm_state_delete+0x1e/0x30 xfrm_del_sa+0x1c2/0x340 xfrm_user_rcv_msg+0x493/0x880 netlink_rcv_skb+0x12e/0x380 xfrm_netlink_rcv+0x6d/0x90 netlink_unicast+0x42f/0x740 netlink_sendmsg+0x745/0xbe0 __sock_sendmsg+0xc5/0x190 __sys_sendto+0x1fe/0x2c0 __x64_sys_sendto+0xdc/0x1b0 do_syscall_64+0x6d/0x140 entry_SYSCALL_64_after_hwframe+0x4b/0x53 stack backtrace: CPU: 7 UID: 0 PID: 1337 Comm: charon Not tainted 6.12.0+ #4 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Call Trace: dump_stack_lvl+0x74/0xd0 check_irq_usage+0x12e8/0x1d90 ? print_shortest_lock_dependencies_backwards+0x1b0/0x1b0 ? check_chain_key+0x1bb/0x4c0 ? __lockdep_reset_lock+0x180/0x180 ? check_path.constprop.0+0x24/0x50 ? mark_lock+0x108/0x2fb0 ? print_circular_bug+0x9b0/0x9b0 ? mark_lock+0x108/0x2fb0 ? print_usage_bug.part.0+0x670/0x670 ? check_prev_add+0x1c4/0x2310 check_prev_add+0x1c4/0x2310 __lock_acquire+0x30a0/0x5040 ? lockdep_set_lock_cmp_fn+0x190/0x190 ? lockdep_set_lock_cmp_fn+0x190/0x190 lock_acquire+0x1be/0x520 ? mlx5e_xfrm_del_state+0xca/0x1e0 [mlx5_core] ? lockdep_hardirqs_on_prepare+0x400/0x400 ? __xfrm_state_delete+0x5f0/0xae0 ? lock_downgrade+0x6b0/0x6b0 _raw_spin_lock_bh+0x34/0x40 ? mlx5e_xfrm_del_state+0xca/0x1e0 [mlx5_core] mlx5e_xfrm_del_state+0xca/0x1e0 [mlx5_core] xfrm_dev_state_delete+0x90/0x160 __xfrm_state_delete+0x662/0xae0 xfrm_state_delete+0x1e/0x30 xfrm_del_sa+0x1c2/0x340 ? xfrm_get_sa+0x250/0x250 ? check_chain_key+0x1bb/0x4c0 xfrm_user_rcv_msg+0x493/0x880 ? copy_sec_ctx+0x270/0x270 ? check_chain_key+0x1bb/0x4c0 ? lockdep_set_lock_cmp_fn+0x190/0x190 ? lockdep_set_lock_cmp_fn+0x190/0x190 netlink_rcv_skb+0x12e/0x380 ? copy_sec_ctx+0x270/0x270 ? netlink_ack+0xd90/0xd90 ? netlink_deliver_tap+0xcd/0xb60 xfrm_netlink_rcv+0x6d/0x90 netlink_unicast+0x42f/0x740 ? netlink_attachskb+0x730/0x730 ? lock_acquire+0x1be/0x520 netlink_sendmsg+0x745/0xbe0 ? netlink_unicast+0x740/0x740 ? __might_fault+0xbb/0x170 ? netlink_unicast+0x740/0x740 __sock_sendmsg+0xc5/0x190 ? fdget+0x163/0x1d0 __sys_sendto+0x1fe/0x2c0 ? __x64_sys_getpeername+0xb0/0xb0 ? do_user_addr_fault+0x856/0xe30 ? lock_acquire+0x1be/0x520 ? __task_pid_nr_ns+0x117/0x410 ? lock_downgrade+0x6b0/0x6b0 __x64_sys_sendto+0xdc/0x1b0 ? lockdep_hardirqs_on_prepare+0x284/0x400 do_syscall_64+0x6d/0x140 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f7d31291ba4 Code: 7d e8 89 4d d4 e8 4c 42 f7 ff 44 8b 4d d0 4c 8b 45 c8 89 c3 44 8b 55 d4 8b 7d e8 b8 2c 00 00 00 48 8b 55 d8 48 8b 75 e0 0f 05 <48> 3d 00 f0 ff ff 77 34 89 df 48 89 45 e8 e8 99 42 f7 ff 48 8b 45 RSP: 002b:00007f7d2ccd94f0 EFLAGS: 00000297 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f7d31291ba4 RDX: 0000000000000028 RSI: 00007f7d2ccd96a0 RDI: 000000000000000a RBP: 00007f7d2ccd9530 R08: 00007f7d2ccd9598 R09: 000000000000000c R10: 0000000000000000 R11: 0000000000000297 R12: 0000000000000028 R13: 00007f7d2ccd9598 R14: 00007f7d2ccd96a0 R15: 00000000000000e1 Fixes: 4c24272b4e2b ("net/mlx5e: Listen to ARP events to update IPsec L2 headers in tunnel mode") Signed-off-by: Leon Romanovsky Signed-off-by: Tariq Toukan Signed-off-by: Paolo Abeni commit 5641e82cb55b4ecbc6366a499300917d2f3e6790 Author: Mark Zhang Date: Wed Jan 15 13:39:07 2025 +0200 net/mlx5: Clear port select structure when fail to create Clear the port select structure on error so no stale values left after definers are destroyed. That's because the mlx5_lag_destroy_definers() always try to destroy all lag definers in the tt_map, so in the flow below lag definers get double-destroyed and cause kernel crash: mlx5_lag_port_sel_create() mlx5_lag_create_definers() mlx5_lag_create_definer() <- Failed on tt 1 mlx5_lag_destroy_definers() <- definers[tt=0] gets destroyed mlx5_lag_port_sel_create() mlx5_lag_create_definers() mlx5_lag_create_definer() <- Failed on tt 0 mlx5_lag_destroy_definers() <- definers[tt=0] gets double-destroyed Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 Mem abort info: ESR = 0x0000000096000005 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x05: level 1 translation fault Data abort info: ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 64k pages, 48-bit VAs, pgdp=0000000112ce2e00 [0000000000000008] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP Modules linked in: iptable_raw bonding ip_gre ip6_gre gre ip6_tunnel tunnel6 geneve ip6_udp_tunnel udp_tunnel ipip tunnel4 ip_tunnel rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) ib_uverbs(OE) mlx5_fwctl(OE) fwctl(OE) mlx5_core(OE) mlxdevm(OE) ib_core(OE) mlxfw(OE) memtrack(OE) mlx_compat(OE) openvswitch nsh nf_conncount psample xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo xt_addrtype iptable_filter iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter bridge stp llc netconsole overlay efi_pstore sch_fq_codel zram ip_tables crct10dif_ce qemu_fw_cfg fuse ipv6 crc_ccitt [last unloaded: mlx_compat(OE)] CPU: 3 UID: 0 PID: 217 Comm: kworker/u53:2 Tainted: G OE 6.11.0+ #2 Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 Workqueue: mlx5_lag mlx5_do_bond_work [mlx5_core] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : mlx5_del_flow_rules+0x24/0x2c0 [mlx5_core] lr : mlx5_lag_destroy_definer+0x54/0x100 [mlx5_core] sp : ffff800085fafb00 x29: ffff800085fafb00 x28: ffff0000da0c8000 x27: 0000000000000000 x26: ffff0000da0c8000 x25: ffff0000da0c8000 x24: ffff0000da0c8000 x23: ffff0000c31f81a0 x22: 0400000000000000 x21: ffff0000da0c8000 x20: 0000000000000000 x19: 0000000000000001 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffff8b0c9350 x14: 0000000000000000 x13: ffff800081390d18 x12: ffff800081dc3cc0 x11: 0000000000000001 x10: 0000000000000b10 x9 : ffff80007ab7304c x8 : ffff0000d00711f0 x7 : 0000000000000004 x6 : 0000000000000190 x5 : ffff00027edb3010 x4 : 0000000000000000 x3 : 0000000000000000 x2 : ffff0000d39b8000 x1 : ffff0000d39b8000 x0 : 0400000000000000 Call trace: mlx5_del_flow_rules+0x24/0x2c0 [mlx5_core] mlx5_lag_destroy_definer+0x54/0x100 [mlx5_core] mlx5_lag_destroy_definers+0xa0/0x108 [mlx5_core] mlx5_lag_port_sel_create+0x2d4/0x6f8 [mlx5_core] mlx5_activate_lag+0x60c/0x6f8 [mlx5_core] mlx5_do_bond_work+0x284/0x5c8 [mlx5_core] process_one_work+0x170/0x3e0 worker_thread+0x2d8/0x3e0 kthread+0x11c/0x128 ret_from_fork+0x10/0x20 Code: a9025bf5 aa0003f6 a90363f7 f90023f9 (f9400400) ---[ end trace 0000000000000000 ]--- Fixes: dc48516ec7d3 ("net/mlx5: Lag, add support to create definers for LAG") Signed-off-by: Mark Zhang Reviewed-by: Leon Romanovsky Reviewed-by: Mark Bloch Reviewed-by: Jacob Keller Signed-off-by: Tariq Toukan Signed-off-by: Paolo Abeni commit 2011a2a18ef00b5b8e4b753acbe6451a8c5f2260 Author: Chris Mi Date: Wed Jan 15 13:39:06 2025 +0200 net/mlx5: SF, Fix add port error handling If failed to add SF, error handling doesn't delete the SF from the SF table. But the hw resources are deleted. So when unload driver, hw resources will be deleted again. Firmware will report syndrome 0x68def3 which means "SF is not allocated can not deallocate". Fix it by delete SF from SF table if failed to add SF. Fixes: 2597ee190b4e ("net/mlx5: Call mlx5_sf_id_erase() once in mlx5_sf_dealloc()") Signed-off-by: Chris Mi Reviewed-by: Shay Drori Reviewed-by: Jacob Keller Signed-off-by: Tariq Toukan Signed-off-by: Paolo Abeni commit 1b10a519a45704d4b06ebd9245b272d145752c18 Author: Yishai Hadas Date: Wed Jan 15 13:39:05 2025 +0200 net/mlx5: Fix a lockdep warning as part of the write combining test Fix a lockdep warning [1] observed during the write combining test. The warning indicates a potential nested lock scenario that could lead to a deadlock. However, this is a false positive alarm because the SF lock and its parent lock are distinct ones. The lockdep confusion arises because the locks belong to the same object class (i.e., struct mlx5_core_dev). To resolve this, the code has been refactored to avoid taking both locks. Instead, only the parent lock is acquired. [1] raw_ethernet_bw/2118 is trying to acquire lock: [ 213.619032] ffff88811dd75e08 (&dev->wc_state_lock){+.+.}-{3:3}, at: mlx5_wc_support_get+0x18c/0x210 [mlx5_core] [ 213.620270] [ 213.620270] but task is already holding lock: [ 213.620943] ffff88810b585e08 (&dev->wc_state_lock){+.+.}-{3:3}, at: mlx5_wc_support_get+0x10c/0x210 [mlx5_core] [ 213.622045] [ 213.622045] other info that might help us debug this: [ 213.622778] Possible unsafe locking scenario: [ 213.622778] [ 213.623465] CPU0 [ 213.623815] ---- [ 213.624148] lock(&dev->wc_state_lock); [ 213.624615] lock(&dev->wc_state_lock); [ 213.625071] [ 213.625071] *** DEADLOCK *** [ 213.625071] [ 213.625805] May be due to missing lock nesting notation [ 213.625805] [ 213.626522] 4 locks held by raw_ethernet_bw/2118: [ 213.627019] #0: ffff88813f80d578 (&uverbs_dev->disassociate_srcu){.+.+}-{0:0}, at: ib_uverbs_ioctl+0xc4/0x170 [ib_uverbs] [ 213.628088] #1: ffff88810fb23930 (&file->hw_destroy_rwsem){.+.+}-{3:3}, at: ib_init_ucontext+0x2d/0xf0 [ib_uverbs] [ 213.629094] #2: ffff88810fb23878 (&file->ucontext_lock){+.+.}-{3:3}, at: ib_init_ucontext+0x49/0xf0 [ib_uverbs] [ 213.630106] #3: ffff88810b585e08 (&dev->wc_state_lock){+.+.}-{3:3}, at: mlx5_wc_support_get+0x10c/0x210 [mlx5_core] [ 213.631185] [ 213.631185] stack backtrace: [ 213.631718] CPU: 1 UID: 0 PID: 2118 Comm: raw_ethernet_bw Not tainted 6.12.0-rc7_internal_net_next_mlx5_89a0ad0 #1 [ 213.632722] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 213.633785] Call Trace: [ 213.634099] [ 213.634393] dump_stack_lvl+0x7e/0xc0 [ 213.634806] print_deadlock_bug+0x278/0x3c0 [ 213.635265] __lock_acquire+0x15f4/0x2c40 [ 213.635712] lock_acquire+0xcd/0x2d0 [ 213.636120] ? mlx5_wc_support_get+0x18c/0x210 [mlx5_core] [ 213.636722] ? mlx5_ib_enable_lb+0x24/0xa0 [mlx5_ib] [ 213.637277] __mutex_lock+0x81/0xda0 [ 213.637697] ? mlx5_wc_support_get+0x18c/0x210 [mlx5_core] [ 213.638305] ? mlx5_wc_support_get+0x18c/0x210 [mlx5_core] [ 213.638902] ? rcu_read_lock_sched_held+0x3f/0x70 [ 213.639400] ? mlx5_wc_support_get+0x18c/0x210 [mlx5_core] [ 213.640016] mlx5_wc_support_get+0x18c/0x210 [mlx5_core] [ 213.640615] set_ucontext_resp+0x68/0x2b0 [mlx5_ib] [ 213.641144] ? debug_mutex_init+0x33/0x40 [ 213.641586] mlx5_ib_alloc_ucontext+0x18e/0x7b0 [mlx5_ib] [ 213.642145] ib_init_ucontext+0xa0/0xf0 [ib_uverbs] [ 213.642679] ib_uverbs_handler_UVERBS_METHOD_GET_CONTEXT+0x95/0xc0 [ib_uverbs] [ 213.643426] ? _copy_from_user+0x46/0x80 [ 213.643878] ib_uverbs_cmd_verbs+0xa6b/0xc80 [ib_uverbs] [ 213.644426] ? ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x130/0x130 [ib_uverbs] [ 213.645213] ? __lock_acquire+0xa99/0x2c40 [ 213.645675] ? lock_acquire+0xcd/0x2d0 [ 213.646101] ? ib_uverbs_ioctl+0xc4/0x170 [ib_uverbs] [ 213.646625] ? reacquire_held_locks+0xcf/0x1f0 [ 213.647102] ? do_user_addr_fault+0x45d/0x770 [ 213.647586] ib_uverbs_ioctl+0xe0/0x170 [ib_uverbs] [ 213.648102] ? ib_uverbs_ioctl+0xc4/0x170 [ib_uverbs] [ 213.648632] __x64_sys_ioctl+0x4d3/0xaa0 [ 213.649060] ? do_user_addr_fault+0x4a8/0x770 [ 213.649528] do_syscall_64+0x6d/0x140 [ 213.649947] entry_SYSCALL_64_after_hwframe+0x4b/0x53 [ 213.650478] RIP: 0033:0x7fa179b0737b [ 213.650893] Code: ff ff ff 85 c0 79 9b 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 7d 2a 0f 00 f7 d8 64 89 01 48 [ 213.652619] RSP: 002b:00007ffd2e6d46e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 213.653390] RAX: ffffffffffffffda RBX: 00007ffd2e6d47f8 RCX: 00007fa179b0737b [ 213.654084] RDX: 00007ffd2e6d47e0 RSI: 00000000c0181b01 RDI: 0000000000000003 [ 213.654767] RBP: 00007ffd2e6d47c0 R08: 00007fa1799be010 R09: 0000000000000002 [ 213.655453] R10: 00007ffd2e6d4960 R11: 0000000000000246 R12: 00007ffd2e6d487c [ 213.656170] R13: 0000000000000027 R14: 0000000000000001 R15: 00007ffd2e6d4f70 Fixes: d98995b4bf98 ("net/mlx5: Reimplement write combining test") Signed-off-by: Yishai Hadas Reviewed-by: Michael Guralnik Reviewed-by: Larysa Zaremba Signed-off-by: Tariq Toukan Signed-off-by: Paolo Abeni commit c08d3e62b2e73e14da318a1d20b52d0486a28ee0 Author: Patrisious Haddad Date: Wed Jan 15 13:39:04 2025 +0200 net/mlx5: Fix RDMA TX steering prio User added steering rules at RDMA_TX were being added to the first prio, which is the counters prio. Fix that so that they are correctly added to the BYPASS_PRIO instead. Fixes: 24670b1a3166 ("net/mlx5: Add support for RDMA TX steering") Signed-off-by: Patrisious Haddad Reviewed-by: Mark Bloch Reviewed-by: Jacob Keller Signed-off-by: Tariq Toukan Signed-off-by: Paolo Abeni commit cf8182d33798966146c7eaab7209b606939a17c5 Merge: fa6493440f084c bd275e6cfc9723 Author: Dave Airlie Date: Thu Jan 16 12:33:52 2025 +1000 Merge tag 'amd-drm-fixes-6.13-2025-01-15' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes amd-drm-fixes-6.13-2025-01-15: amdgpu: - SMU 13 fix - DP MST fixes - DCN 3.5 fix - PSR fixes - eDP fix - VRR fix - Enforce isolation fixes - GFX 12 fix - PSP 14.x fix Signed-off-by: Dave Airlie From: Alex Deucher Link: https://patchwork.freedesktop.org/patch/msgid/20250115151602.210704-1-alexander.deucher@amd.com commit b0fce54b8c0d8e5f2b4c243c803c5996e73baee8 Author: Su Yue Date: Mon Jan 6 22:06:40 2025 +0800 ocfs2: check dir i_size in ocfs2_find_entry syz reports an out of bounds read: ================================================================== BUG: KASAN: slab-out-of-bounds in ocfs2_match fs/ocfs2/dir.c:334 [inline] BUG: KASAN: slab-out-of-bounds in ocfs2_search_dirblock+0x283/0x6e0 fs/ocfs2/dir.c:367 Read of size 1 at addr ffff88804d8b9982 by task syz-executor.2/14802 CPU: 0 UID: 0 PID: 14802 Comm: syz-executor.2 Not tainted 6.13.0-rc4 #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Sched_ext: serialise (enabled+all), task: runnable_at=-10ms Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x229/0x350 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x164/0x530 mm/kasan/report.c:489 kasan_report+0x147/0x180 mm/kasan/report.c:602 ocfs2_match fs/ocfs2/dir.c:334 [inline] ocfs2_search_dirblock+0x283/0x6e0 fs/ocfs2/dir.c:367 ocfs2_find_entry_id fs/ocfs2/dir.c:414 [inline] ocfs2_find_entry+0x1143/0x2db0 fs/ocfs2/dir.c:1078 ocfs2_find_files_on_disk+0x18e/0x530 fs/ocfs2/dir.c:1981 ocfs2_lookup_ino_from_name+0xb6/0x110 fs/ocfs2/dir.c:2003 ocfs2_lookup+0x30a/0xd40 fs/ocfs2/namei.c:122 lookup_open fs/namei.c:3627 [inline] open_last_lookups fs/namei.c:3748 [inline] path_openat+0x145a/0x3870 fs/namei.c:3984 do_filp_open+0xe9/0x1c0 fs/namei.c:4014 do_sys_openat2+0x135/0x1d0 fs/open.c:1402 do_sys_open fs/open.c:1417 [inline] __do_sys_openat fs/open.c:1433 [inline] __se_sys_openat fs/open.c:1428 [inline] __x64_sys_openat+0x15d/0x1c0 fs/open.c:1428 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf6/0x210 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f01076903ad Code: c3 e8 a7 2b 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f01084acfc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 00007f01077cbf80 RCX: 00007f01076903ad RDX: 0000000000105042 RSI: 0000000020000080 RDI: ffffffffffffff9c RBP: 00007f01077cbf80 R08: 0000000000000000 R09: 0000000000000000 R10: 00000000000001ff R11: 0000000000000246 R12: 0000000000000000 R13: 00007f01077cbf80 R14: 00007f010764fc90 R15: 00007f010848d000 ================================================================== And a general protection fault in ocfs2_prepare_dir_for_insert: ================================================================== loop0: detected capacity change from 0 to 32768 JBD2: Ignoring recovery information on journal ocfs2: Mounting device (7,0) on (node local, slot 0) with ordered data mode. Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 0 UID: 0 PID: 5096 Comm: syz-executor792 Not tainted 6.11.0-rc4-syzkaller-00002-gb0da640826ba #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:ocfs2_find_dir_space_id fs/ocfs2/dir.c:3406 [inline] RIP: 0010:ocfs2_prepare_dir_for_insert+0x3309/0x5c70 fs/ocfs2/dir.c:4280 Code: 00 00 e8 2a 25 13 fe e9 ba 06 00 00 e8 20 25 13 fe e9 4f 01 00 00 e8 16 25 13 fe 49 8d 7f 08 49 8d 5f 09 48 89 f8 48 c1 e8 03 <42> 0f b6 04 20 84 c0 0f 85 bd 23 00 00 48 89 d8 48 c1 e8 03 42 0f RSP: 0018:ffffc9000af9f020 EFLAGS: 00010202 RAX: 0000000000000001 RBX: 0000000000000009 RCX: ffff88801e27a440 RDX: 0000000000000000 RSI: 0000000000000400 RDI: 0000000000000008 RBP: ffffc9000af9f830 R08: ffffffff8380395b R09: ffffffff838090a7 R10: 0000000000000002 R11: ffff88801e27a440 R12: dffffc0000000000 R13: ffff88803c660878 R14: f700000000000088 R15: 0000000000000000 FS: 000055555a677380(0000) GS:ffff888020800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000560bce569178 CR3: 000000001de5a000 CR4: 0000000000350ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ocfs2_mknod+0xcaf/0x2b40 fs/ocfs2/namei.c:292 vfs_mknod+0x36d/0x3b0 fs/namei.c:4088 do_mknodat+0x3ec/0x5b0 __do_sys_mknodat fs/namei.c:4166 [inline] __se_sys_mknodat fs/namei.c:4163 [inline] __x64_sys_mknodat+0xa7/0xc0 fs/namei.c:4163 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f2dafda3a99 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffe336a6658 EFLAGS: 00000246 ORIG_RAX: 0000000000000103 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f2dafda3a99 RDX: 00000000000021c0 RSI: 0000000020000040 RDI: 00000000ffffff9c RBP: 00007f2dafe1b5f0 R08: 0000000000004480 R09: 000055555a6784c0 R10: 0000000000000103 R11: 0000000000000246 R12: 00007ffe336a6680 R13: 00007ffe336a68a8 R14: 431bde82d7b634db R15: 00007f2dafdec03b ================================================================== The two reports are all caused invalid negative i_size of dir inode. For ocfs2, dir_inode can't be negative or zero. Here add a check in which is called by ocfs2_check_dir_for_entry(). It fixes the second report as ocfs2_check_dir_for_entry() must be called before ocfs2_prepare_dir_for_insert(). Also set a up limit for dir with OCFS2_INLINE_DATA_FL. The i_size can't be great than blocksize. Link: https://lkml.kernel.org/r/20250106140640.92260-1-glass.su@suse.com Reported-by: Jiacheng Xu Link: https://lore.kernel.org/ocfs2-devel/17a04f01.1ae74.19436d003fc.Coremail.stitch@zju.edu.cn/T/#u Reported-by: syzbot+5a64828fcc4c2ad9b04f@syzkaller.appspotmail.com Link: https://lore.kernel.org/all/0000000000005894f3062018caf1@google.com/T/ Signed-off-by: Su Yue Reviewed-by: Heming Zhao Reviewed-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Changwei Ge Cc: Jun Piao Signed-off-by: Andrew Morton commit 3e1a9371e40ee92fbdf22752538e95497bf9152d Author: Ethan Carter Edwards Date: Mon Jan 13 11:22:22 2025 -0500 mailmap: update entry for Ethan Carter Edwards Map old gmail + name to my current full name and email. Link: https://lkml.kernel.org/r/xbfkmvmp4wyxrvlan57bjnul5icrwfyt67vnhhw2cyr5rzbnee@mfvihhd6s7l5 Signed-off-by: Ethan Carter Edwards Signed-off-by: Andrew Morton commit 779b9955f64327c339a16f68055af98252fd3315 Author: Yosry Ahmed Date: Mon Jan 13 21:44:58 2025 +0000 mm: zswap: move allocations during CPU init outside the lock In zswap_cpu_comp_prepare(), allocations are made and assigned to various members of acomp_ctx under acomp_ctx->mutex. However, allocations may recurse into zswap through reclaim, trying to acquire the same mutex and deadlocking. Move the allocations before the mutex critical section. Only the initialization of acomp_ctx needs to be done with the mutex held. Link: https://lkml.kernel.org/r/20250113214458.2123410-1-yosryahmed@google.com Fixes: 12dcb0ef5406 ("mm: zswap: properly synchronize freeing resources during CPU hotunplug") Signed-off-by: Yosry Ahmed Reviewed-by: Chengming Zhou Cc: Johannes Weiner Cc: Nhat Pham Cc: Signed-off-by: Andrew Morton commit f1897f2f08b28ae59476d8b73374b08f856973af Author: Liu Shixin Date: Sat Jan 11 11:45:11 2025 +0800 mm: khugepaged: fix call hpage_collapse_scan_file() for anonymous vma syzkaller reported such a BUG_ON(): ------------[ cut here ]------------ kernel BUG at mm/khugepaged.c:1835! Internal error: Oops - BUG: 00000000f2000800 [#1] SMP ... CPU: 6 UID: 0 PID: 8009 Comm: syz.15.106 Kdump: loaded Tainted: G W 6.13.0-rc6 #22 Tainted: [W]=WARN Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : collapse_file+0xa44/0x1400 lr : collapse_file+0x88/0x1400 sp : ffff80008afe3a60 ... Call trace: collapse_file+0xa44/0x1400 (P) hpage_collapse_scan_file+0x278/0x400 madvise_collapse+0x1bc/0x678 madvise_vma_behavior+0x32c/0x448 madvise_walk_vmas.constprop.0+0xbc/0x140 do_madvise.part.0+0xdc/0x2c8 __arm64_sys_madvise+0x68/0x88 invoke_syscall+0x50/0x120 el0_svc_common.constprop.0+0xc8/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x34/0x128 el0t_64_sync_handler+0xc8/0xd0 el0t_64_sync+0x190/0x198 This indicates that the pgoff is unaligned. After analysis, I confirm the vma is mapped to /dev/zero. Such a vma certainly has vm_file, but it is set to anonymous by mmap_zero(). So even if it's mmapped by 2m-unaligned, it can pass the check in thp_vma_allowable_order() as it is an anonymous-mmap, but then be collapsed as a file-mmap. It seems the problem has existed for a long time, but actually, since we have khugepaged_max_ptes_none check before, we will skip collapse it as it is /dev/zero and so has no present page. But commit d8ea7cc8547c limit the check for only khugepaged, so the BUG_ON() can be triggered by madvise_collapse(). Add vma_is_anonymous() check to make such vma be processed by hpage_collapse_scan_pmd(). Link: https://lkml.kernel.org/r/20250111034511.2223353-1-liushixin2@huawei.com Fixes: d8ea7cc8547c ("mm/khugepaged: add flag to predicate khugepaged-only behavior") Signed-off-by: Liu Shixin Reviewed-by: Yang Shi Acked-by: David Hildenbrand Cc: Chengming Zhou Cc: Johannes Weiner Cc: Kefeng Wang Cc: Mattew Wilcox Cc: Muchun Song Cc: Nanyong Sun Cc: Qi Zheng Signed-off-by: Andrew Morton commit b071cc35469ea44392222fe8de69b431a0778a5f Author: Karan Sanghavi Date: Sat Jan 11 15:31:30 2025 +0000 mm: shmem: use signed int for version handling in casefold option Fixes an issue where the use of an unsigned data type in `shmem_parse_opt_casefold()` caused incorrect evaluation of negative conditions. Link: https://lkml.kernel.org/r/20250111-unsignedcompare1601569-v3-1-c861b4221831@gmail.com Fixes: 58e55efd6c72 ("tmpfs: Add casefold lookup support") Reviewed-by: André Almeida Reviewed-by: Gabriel Krisman Bertazi Signed-off-by: Karan Sanghavi Cc: Christian Brauner Cc: Hugh Dickens Cc: Shuah khan Signed-off-by: Andrew Morton commit 05c82ee363f64c64b87a0cfd744298e9333475f5 Author: Suren Baghdasaryan Date: Thu Dec 26 13:16:39 2024 -0800 alloc_tag: skip pgalloc_tag_swap if profiling is disabled When memory allocation profiling is disabled, there is no need to swap allocation tags during migration. Skip it to avoid unnecessary overhead. Once I added these checks, the overhead of the mode when memory profiling is enabled but turned off went down by about 50%. Link: https://lkml.kernel.org/r/20241226211639.1357704-2-surenb@google.com Fixes: e0a955bf7f61 ("mm/codetag: add pgalloc_tag_copy()") Signed-off-by: Suren Baghdasaryan Cc: David Wang <00107082@163.com> Cc: Kent Overstreet Cc: Yu Zhao Cc: Zhenhua Huang Cc: Signed-off-by: Andrew Morton commit 9726891fe753910b8d7db712781438ad229091b3 Author: zihan zhou <15645113830zzh@gmail.com> Date: Wed Dec 25 10:10:35 2024 +0800 mm: page_alloc: fix missed updates of lowmem_reserve in adjust_managed_page_count In the kernel, the zone's lowmem_reserve and _watermark, and the global variable 'totalreserve_pages' depend on the value of managed_pages, but after running adjust_managed_page_count, these values aren't updated, which causes some problems. For example, in a system with six 1GB large pages, we found that the value of protection in zoneinfo (zone->lowmem_reserve), is not right. Its value seems to be calculated from the initial managed_pages, but after the managed_pages changed, was not updated. Only after reading the file /proc/sys/vm/lowmem_reserve_ratio, updates happen. read file /proc/sys/vm/lowmem_reserve_ratio: lowmem_reserve_ratio_sysctl_handler ----setup_per_zone_lowmem_reserve --------calculate_totalreserve_pages protection changed after reading file: [root@test ~]# cat /proc/zoneinfo | grep protection protection: (0, 2719, 57360, 0) protection: (0, 0, 54640, 0) protection: (0, 0, 0, 0) protection: (0, 0, 0, 0) [root@test ~]# cat /proc/sys/vm/lowmem_reserve_ratio 256 256 32 0 [root@test ~]# cat /proc/zoneinfo | grep protection protection: (0, 2735, 63524, 0) protection: (0, 0, 60788, 0) protection: (0, 0, 0, 0) protection: (0, 0, 0, 0) lowmem_reserve increased also makes the totalreserve_pages increased, which causes a decrease in available memory. The one above is just a test machine, and the increase is not significant. On our online machine, the reserved memory will increase by several GB due to reading this file. It is clearly unreasonable to cause a sharp drop in available memory just by reading a file. In this patch, we update reserve memory when update managed_pages, The size of reserved memory becomes stable. But it seems that the _watermark should also be updated along with the managed_pages. We have not done it because we are unsure if it is reasonable to set the watermark through the initial managed_pages. If it is not reasonable, we will propose new patch. Link: https://lkml.kernel.org/r/20241225021034.45693-1-15645113830zzh@gmail.com Signed-off-by: zihan zhou <15645113830zzh@gmail.com> Signed-off-by: yaowenchao Signed-off-by: Andrew Morton commit cbc16bceea784210d585a42ac9f8f10ce62b300e Author: Pavel Begunkov Date: Wed Jan 8 14:06:22 2025 -0800 net: make page_pool_ref_netmem work with net iovs page_pool_ref_netmem() should work with either netmem representation, but currently it casts to a page with netmem_to_page(), which will fail with net iovs. Use netmem_get_pp_ref_count_ref() instead. Fixes: 8ab79ed50cf1 ("page_pool: devmem support") Signed-off-by: Pavel Begunkov Signed-off-by: David Wei Link: https://lore.kernel.org/20250108220644.3528845-2-dw@davidwei.uk Signed-off-by: Jakub Kicinski commit fa6493440f084c5ba8e30dce84158cbfeac86311 Merge: 5bc55a333a2f73 ef84aee151bd6c Author: Dave Airlie Date: Thu Jan 16 11:54:13 2025 +1000 Merge tag 'drm-misc-fixes-2025-01-15' of https://gitlab.freedesktop.org/drm/misc/kernel into drm-fixes drm-misc-fixes for v6.13: - itee-it6263 error handling fix. - Fix warn when unloading v3d. - Fix W=1 build for kunit tests. - Fix backlight regression for macbooks 5,1 in nouveau. - Handle YCbCr420 better in bridge code, with tests. - Fix cross-device fence handling in nouveau. - Fix BO reservation handling in vmwgfx. Signed-off-by: Dave Airlie From: Maarten Lankhorst Link: https://patchwork.freedesktop.org/patch/msgid/a89adcd5-2042-4e7f-93f4-2b299bb1ef17@linux.intel.com commit fa2f9906a7b333ba757a7dbae0713d8a5396186e Author: Paulo Alcantara Date: Tue Jan 14 12:48:48 2025 -0300 smb: client: fix double free of TCP_Server_Info::hostname When shutting down the server in cifs_put_tcp_session(), cifsd thread might be reconnecting to multiple DFS targets before it realizes it should exit the loop, so @server->hostname can't be freed as long as cifsd thread isn't done. Otherwise the following can happen: RIP: 0010:__slab_free+0x223/0x3c0 Code: 5e 41 5f c3 cc cc cc cc 4c 89 de 4c 89 cf 44 89 44 24 08 4c 89 1c 24 e8 fb cf 8e 00 44 8b 44 24 08 4c 8b 1c 24 e9 5f fe ff ff <0f> 0b 41 f7 45 08 00 0d 21 00 0f 85 2d ff ff ff e9 1f ff ff ff 80 RSP: 0018:ffffb26180dbfd08 EFLAGS: 00010246 RAX: ffff8ea34728e510 RBX: ffff8ea34728e500 RCX: 0000000000800068 RDX: 0000000000800068 RSI: 0000000000000000 RDI: ffff8ea340042400 RBP: ffffe112041ca380 R08: 0000000000000001 R09: 0000000000000000 R10: 6170732e31303000 R11: 70726f632e786563 R12: ffff8ea34728e500 R13: ffff8ea340042400 R14: ffff8ea34728e500 R15: 0000000000800068 FS: 0000000000000000(0000) GS:ffff8ea66fd80000(0000) 000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffc25376080 CR3: 000000012a2ba001 CR4: PKRU: 55555554 Call Trace: ? show_trace_log_lvl+0x1c4/0x2df ? show_trace_log_lvl+0x1c4/0x2df ? __reconnect_target_unlocked+0x3e/0x160 [cifs] ? __die_body.cold+0x8/0xd ? die+0x2b/0x50 ? do_trap+0xce/0x120 ? __slab_free+0x223/0x3c0 ? do_error_trap+0x65/0x80 ? __slab_free+0x223/0x3c0 ? exc_invalid_op+0x4e/0x70 ? __slab_free+0x223/0x3c0 ? asm_exc_invalid_op+0x16/0x20 ? __slab_free+0x223/0x3c0 ? extract_hostname+0x5c/0xa0 [cifs] ? extract_hostname+0x5c/0xa0 [cifs] ? __kmalloc+0x4b/0x140 __reconnect_target_unlocked+0x3e/0x160 [cifs] reconnect_dfs_server+0x145/0x430 [cifs] cifs_handle_standard+0x1ad/0x1d0 [cifs] cifs_demultiplex_thread+0x592/0x730 [cifs] ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs] kthread+0xdd/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x29/0x50 Fixes: 7be3248f3139 ("cifs: To match file servers, make sure the server hostname matches") Reported-by: Jay Shin Signed-off-by: Paulo Alcantara (Red Hat) Signed-off-by: Steve French commit e9b24deb84863c5a77dda5be57b6cb5bf4127b85 Author: David Lechner Date: Wed Jan 15 14:48:27 2025 -0600 hwmon: (ltc2991) Fix mixed signed/unsigned in DIV_ROUND_CLOSEST Fix use of DIV_ROUND_CLOSEST where a possibly negative value is divided by an unsigned type by casting the unsigned type to the signed type of the same size (st->r_sense_uohm[channel] has type of u32). The docs on the DIV_ROUND_CLOSEST macro explain that dividing a negative value by an unsigned type is undefined behavior. The actual behavior is that it converts both values to unsigned before doing the division, for example: int ret = DIV_ROUND_CLOSEST(-100, 3U); results in ret == 1431655732 instead of -33. Fixes: 2b9ea4262ae9 ("hwmon: Add driver for ltc2991") Signed-off-by: David Lechner Link: https://lore.kernel.org/r/20250115-hwmon-ltc2991-fix-div-round-closest-v1-1-b4929667e457@baylibre.com Signed-off-by: Guenter Roeck commit 6be7aca91009865d8c2b73589270224a6b6e67ab Author: Heiner Kallweit Date: Sun Jan 12 22:59:59 2025 +0100 net: ethernet: xgbe: re-add aneg to supported features in PHY quirks In 4.19, before the switch to linkmode bitmaps, PHY_GBIT_FEATURES included feature bits for aneg and TP/MII ports. SUPPORTED_TP | \ SUPPORTED_MII) SUPPORTED_10baseT_Full) SUPPORTED_100baseT_Full) SUPPORTED_1000baseT_Full) PHY_100BT_FEATURES | \ PHY_DEFAULT_FEATURES) PHY_1000BT_FEATURES) Referenced commit expanded PHY_GBIT_FEATURES, silently removing PHY_DEFAULT_FEATURES. The removed part can be re-added by using the new PHY_GBIT_FEATURES definition. Not clear to me is why nobody seems to have noticed this issue. I stumbled across this when checking what it takes to make phy_10_100_features_array et al private to phylib. Fixes: d0939c26c53a ("net: ethernet: xgbe: expand PHY_GBIT_FEAUTRES") Cc: stable@vger.kernel.org Signed-off-by: Heiner Kallweit Link: https://patch.msgid.link/46521973-7738-4157-9f5e-0bb6f694acba@gmail.com Signed-off-by: Jakub Kicinski commit d6e3316a1680305da291a5b5deaf424559aaf06c Author: Vladimir Oltean Date: Tue Jan 14 18:47:21 2025 +0200 net: pcs: xpcs: actively unset DW_VR_MII_DIG_CTRL1_2G5_EN for 1G SGMII xpcs_config_2500basex() sets DW_VR_MII_DIG_CTRL1_2G5_EN, but xpcs_config_aneg_c37_sgmii() never unsets it. So, on a protocol change from 2500base-x to sgmii, the DW_VR_MII_DIG_CTRL1_2G5_EN bit will remain set. Fixes: f27abde3042a ("net: pcs: add 2500BASEX support for Intel mGbE controller") Signed-off-by: Vladimir Oltean Reviewed-by: Maxime Chevallier Reviewed-by: Russell King (Oracle) Link: https://patch.msgid.link/20250114164721.2879380-2-vladimir.oltean@nxp.com Signed-off-by: Jakub Kicinski commit 5c71729ab92c7e710d48ed93043a2d1e35cc8d3c Author: Vladimir Oltean Date: Tue Jan 14 18:47:20 2025 +0200 net: pcs: xpcs: fix DW_VR_MII_DIG_CTRL1_2G5_EN bit being set for 1G SGMII w/o inband On a port with SGMII fixed-link at SPEED_1000, DW_VR_MII_DIG_CTRL1 gets set to 0x2404. This is incorrect, because bit 2 (DW_VR_MII_DIG_CTRL1_2G5_EN) is set. It comes from the previous write to DW_VR_MII_AN_CTRL, because the "val" variable is reused and is dirty. Actually, its value is 0x4, aka FIELD_PREP(DW_VR_MII_PCS_MODE_MASK, DW_VR_MII_PCS_MODE_C37_SGMII). Resolve the issue by clearing "val" to 0 when writing to a new register. After the fix, the register value is 0x2400. Prior to the blamed commit, when the read-modify-write was open-coded, the code saved the content of the DW_VR_MII_DIG_CTRL1 register in the "ret" variable. Fixes: ce8d6081fcf4 ("net: pcs: xpcs: add _modify() accessors") Signed-off-by: Vladimir Oltean Reviewed-by: Maxime Chevallier Reviewed-by: Russell King (Oracle) Link: https://patch.msgid.link/20250114164721.2879380-1-vladimir.oltean@nxp.com Signed-off-by: Jakub Kicinski commit 6ad30f7890423341f4b79329af1f9b9bb3cdec03 Author: Wolfram Sang Date: Wed Jan 15 17:23:47 2025 +0100 i2c: testunit: on errors, repeat NACK until STOP This backend requests a NACK from the controller driver when it detects an error. If that request gets ignored from some reason, subsequent accesses will wrongly be handled OK. To fix this, an error now changes the state machine, so the backend will report NACK until a STOP condition has been detected. This make the driver more robust against controllers which will sadly apply the NACK not to the current byte but the next one. Fixes: a8335c64c5f0 ("i2c: add slave testunit driver") Signed-off-by: Wolfram Sang commit 093f70c134f70e4632b295240f07d2b50b74e247 Author: Wolfram Sang Date: Wed Jan 15 13:36:23 2025 +0100 i2c: rcar: fix NACK handling when being a target When this controller is a target, the NACK handling had two issues. First, the return value from the backend was not checked on the initial WRITE_REQUESTED. So, the driver missed to send a NACK in this case. Also, the NACK always arrives one byte late on the bus, even in the WRITE_RECEIVED case. This seems to be a HW issue. We should then not rely on the backend to correctly NACK the superfluous byte as well. Fix both issues by introducing a flag which gets set whenever the backend requests a NACK and keep sending it until we get a STOP condition. Fixes: de20d1857dd6 ("i2c: rcar: add slave support") Signed-off-by: Wolfram Sang commit 385f2dbbc957eb2e21df749104cefd6d26d4115a Author: Wolfram Sang Date: Tue Jan 14 21:45:16 2025 +0100 i2c: mux: demux-pinctrl: correct comment Two characters flipped, fix them. Signed-off-by: Wolfram Sang commit ca89f73394daf92779ddaa37b42956f4953f3941 Author: Wolfram Sang Date: Wed Jan 15 08:29:45 2025 +0100 i2c: mux: demux-pinctrl: check initial mux selection, too When misconfigured, the initial setup of the current mux channel can fail, too. It must be checked as well. Fixes: 50a5ba876908 ("i2c: mux: demux-pinctrl: add driver") Signed-off-by: Wolfram Sang commit d15638bf76ad47874ecb5dc386f0945fc0b2a875 Author: Pratyush Yadav Date: Wed Jan 15 13:41:56 2025 +0000 Revert "mtd: spi-nor: core: replace dummy buswidth from addr to data" This reverts commit 98d1fb94ce75f39febd456d6d3cbbe58b6678795. The commit uses data nbits instead of addr nbits for dummy phase. This causes a regression for all boards where spi-tx-bus-width is smaller than spi-rx-bus-width. It is a common pattern for boards to have spi-tx-bus-width == 1 and spi-rx-bus-width > 1. The regression causes all reads with a dummy phase to become unavailable for such boards, leading to a usually slower 0-dummy-cycle read being selected. Most controllers' supports_op hooks call spi_mem_default_supports_op(). In spi_mem_default_supports_op(), spi_mem_check_buswidth() is called to check if the buswidths for the op can actually be supported by the board's wiring. This wiring information comes from (among other things) the spi-{tx,rx}-bus-width DT properties. Based on these properties, SPI_TX_* or SPI_RX_* flags are set by of_spi_parse_dt(). spi_mem_check_buswidth() then uses these flags to make the decision whether an op can be supported by the board's wiring (in a way, indirectly checking against spi-{rx,tx}-bus-width). Now the tricky bit here is that spi_mem_check_buswidth() does: if (op->dummy.nbytes && spi_check_buswidth_req(mem, op->dummy.buswidth, true)) return false; The true argument to spi_check_buswidth_req() means the op is treated as a TX op. For a board that has say 1-bit TX and 4-bit RX, a 4-bit dummy TX is considered as unsupported, and the op gets rejected. The commit being reverted uses the data buswidth for dummy buswidth. So for reads, the RX buswidth gets used for the dummy phase, uncovering this issue. In reality, a dummy phase is neither RX nor TX. As the name suggests, these are just dummy cycles that send or receive no data, and thus don't really need to have any buswidth at all. Ideally, dummy phases should not be checked against the board's wiring capabilities at all, and should only be sanity-checked for having a sane buswidth value. Since we are now at rc7 and such a change might introduce many unexpected bugs, revert the commit for now. It can be sent out later along with the spi_mem_check_buswidth() fix. Fixes: 98d1fb94ce75 ("mtd: spi-nor: core: replace dummy buswidth from addr to data") Reported-by: Alexander Stein Closes: https://lore.kernel.org/linux-mtd/3342163.44csPzL39Z@steina-w/ Tested-by: Alexander Stein Reviewed-by: Tudor Ambarus Signed-off-by: Pratyush Yadav Signed-off-by: Miquel Raynal commit 8c4840277b6daffe09dea0338f3fce1eb4319a43 Author: Thomas Gleixner Date: Tue Jan 14 18:28:44 2025 +0100 signal/posixtimers: Handle ignore/blocked sequences correctly syzbot triggered the warning in posixtimer_send_sigqueue(), which warns about a non-ignored signal being already queued on the ignored list. The warning is actually bogus, as the following sequence causes this: signal($SIG, SIGIGN); timer_settime(...); // arm periodic timer timer fires, signal is ignored and queued on ignored list sigprocmask(SIG_BLOCK, ...); // block the signal timer_settime(...); // re-arm periodic timer timer fires, signal is not ignored because it is blocked ---> Warning triggers as signal is on the ignored list Ideally timer_settime() could remove the signal, but that's racy and incomplete vs. other scenarios and requires a full reevaluation of the pending signal list. Instead of adding more complexity, handle it gracefully by removing the warning and requeueing the signal to the pending list. That's correct versus: 1) sig[timed]wait() as that does not check for SIGIGN and only relies on dequeue_signal() -> posixtimers_deliver_signal() to check whether the pending signal is still valid. 2) Unblocking of the signal. - If the unblocking happens before SIGIGN is replaced by a signal handler, then the timer is rearmed in dequeue_signal(), but get_signal() will ignore it. The next timer expiry will move it back to the ignored list. - If SIGIGN was replaced before unblocking, then the signal will be delivered and a subsequent expiry will queue a signal on the pending list again. There is a related scenario to trigger the complementary warning in the signal ignored path, which does not expect the signal to be on the pending list when it is ignored. That can be triggered even before the above change via: task1 task2 signal($SIG, SIGIGN); sigprocmask(SIG_BLOCK, ...); timer_create(); // Signal target is task2 timer_settime(...); // arm periodic timer timer fires, signal is not ignored because it is blocked and queued on the pending list of task2 syscall() // Sets the pending flag sigprocmask(SIG_UNBLOCK, ...); -> preemption, task2 cannot dequeue the signal timer_settime(...); // re-arm periodic timer timer fires, signal is ignored ---> Warning triggers as signal is on task2's pending list and the thread group is not exiting Consequently, remove that warning too and just keep the signal on the pending list. The following attempt to deliver the signal on return to user space of task2 will ignore the signal and a subsequent expiry will bring it back to the ignored list, if it did not get blocked or un-ignored before that. Fixes: df7a996b4dab ("signal: Queue ignored posixtimers on ignore list") Reported-by: syzbot+3c2e3cc60665d71de2f7@syzkaller.appspotmail.com Signed-off-by: Thomas Gleixner Reviewed-by: Frederic Weisbecker Link: https://lore.kernel.org/all/87ikqhcnjn.ffs@tglx commit 6f7a644eb7db10f9993039bab7740f7982d4edf4 Author: Jens Axboe Date: Wed Jan 15 08:39:15 2025 -0700 io_uring/register: cache old SQ/CQ head reading for copies The SQ and CQ ring heads are read twice - once for verifying that it's within bounds, and once inside the loops copying SQE and CQE entries. This is technically incorrect, in case the values could get modified in between verifying them and using them in the copy loop. While this won't lead to anything truly nefarious, it may cause longer loop times for the copies than expected. Read the ring head values once, and use the verified value in the copy loops. Signed-off-by: Jens Axboe commit 2c5aae129f427f83eeba5efbfb4e60a777cd073c Author: Jens Axboe Date: Wed Jan 15 08:23:55 2025 -0700 io_uring/register: document io_register_resize_rings() shared mem usage It can be a bit hard to tell which parts of io_register_resize_rings() are operating on shared memory, and which ones are not. And anything reading or writing to those regions should really use the read/write once primitives. Hence add those, ensuring sanity in how this memory is accessed, and helping document the shared nature of it. Signed-off-by: Jens Axboe commit 352bba6c19cdeac107e7fc1684548269e6b0f111 Merge: bc6a958d76f29d 202580b6022934 Author: Arnd Bergmann Date: Wed Jan 15 15:56:24 2025 +0100 Merge tag 'ti-driver-soc-for-v6.14' of https://git.kernel.org/pub/scm/linux/kernel/git/ti/linux into arm/fixes TI SoC driver updates for v6.14 - Build fixup when CONFIG_TI_PRUSS is disabled. commit 8911798d3e8a9624b1acf2882c7a0183694d714d Author: Jens Axboe Date: Wed Jan 15 07:39:12 2025 -0700 io_uring/register: use stable SQ/CQ ring data during resize Normally the kernel would not expect an application to modify any of the data shared with the kernel during a resize operation, but of course the kernel cannot always assume good intent on behalf of the application. As part of resizing the rings, existing SQEs and CQEs are copied over to the new storage. Resizing uses the masks in the newly allocated shared storage to index the arrays, however it's possible that malicious userspace could modify these after they have been sanity checked. Use the validated and locally stored CQ and SQ ring sizing for masking to ensure the values are both stable and valid. Fixes: 79cfe9e59c2a ("io_uring/register: add IORING_REGISTER_RESIZE_RINGS") Reported-by: Jann Horn Signed-off-by: Jens Axboe commit b46ba47d7bb461a0969317be1f2e165c0571d6c5 Author: Russell Harmon Date: Wed Jan 15 05:13:41 2025 -0800 hwmon: (drivetemp) Set scsi command timeout to 10s There's at least one drive (MaxDigitalData OOS14000G) such that if it receives a large amount of I/O while entering an idle power state will first exit idle before responding, including causing SMART temperature requests to be delayed. This causes the drivetemp request to exceed its timeout of 1 second. Signed-off-by: Russell Harmon Link: https://lore.kernel.org/r/20250115131340.3178988-1-russ@har.mn Signed-off-by: Guenter Roeck commit 8d6bf2e1055fa2cca4bf233f46d4d1e2086cc5ff Author: Kazuhiro Abe Date: Wed Jan 15 07:35:32 2025 +0000 hwmon: (acpi_power_meter) Fix a check for the return value of read_domain_devices(). After commit fabb1f813ec0 ("hwmon: (acpi_power_meter) Fix fail to load module on platform without _PMD method"), the acpi_power_meter driver fails to load if the platform has _PMD method. To address this, add a check for successful read_domain_devices(). Tested on Nvidia Grace machine. Fixes: fabb1f813ec0 ("hwmon: (acpi_power_meter) Fix fail to load module on platform without _PMD method") Signed-off-by: Kazuhiro Abe Link: https://lore.kernel.org/r/20250115073532.3211000-1-fj1078ii@aa.jp.fujitsu.com [groeck: Dropped unnecessary () from expression] Signed-off-by: Guenter Roeck commit bc6a958d76f29d238c12a85c1886f68651d0093b Merge: 5bc55a333a2f73 1f8af9712413f4 Author: Arnd Bergmann Date: Wed Jan 15 14:58:00 2025 +0100 Merge tag 'reset-fixes-for-v6.13' of git://git.pengutronix.de/pza/linux into arm/fixes Reset controller fixes for v6.13 * Fix rzg2l-usb-vbus-regulator lookup by assigning the proper of node to the allocated platform device in the rzg2l-usbphy-ctrl driver. * tag 'reset-fixes-for-v6.13' of git://git.pengutronix.de/pza/linux: reset: rzg2l-usbphy-ctrl: Assign proper of node to the allocated device Link: https://lore.kernel.org/r/20250113163642.1757160-1-p.zabel@pengutronix.de Signed-off-by: Arnd Bergmann commit 79a21fc921d7aafaf69d00b4938435b81bf66022 Author: Ashutosh Dixit Date: Fri Jan 10 18:15:39 2025 -0800 drm/xe/oa: Add missing VISACTL mux registers Add missing VISACTL mux registers required for some OA config's (e.g. RenderPipeCtrl). Fixes: cdf02fe1a94a ("drm/xe/oa/uapi: Add/remove OA config perf ops") Cc: stable@vger.kernel.org Signed-off-by: Ashutosh Dixit Reviewed-by: Umesh Nerlige Ramappa Link: https://patchwork.freedesktop.org/patch/msgid/20250111021539.2920346-1-ashutosh.dixit@intel.com (cherry picked from commit c26f22dac3449d8a687237cdfc59a6445eb8f75a) Signed-off-by: Thomas Hellström commit b26de02cf903b5182588c0df91a6e1b512f7d3f3 Author: Maciej Patelczyk Date: Wed Dec 11 12:17:27 2024 +0100 drm/xe: make change ccs_mode a synchronous action If ccs_mode is being modified via /sys/class/drm/cardX/device/tileY/gtY/ccs_mode the asynchronous reset is triggered and the write returns immediately. With that some test receive false information about number of CCS engines or even fail if they proceed without delay after changing the ccs_mode. Changing the ccs_mode change from async to sync to prevent failures in tests. Signed-off-by: Maciej Patelczyk Reviewed-by: Lucas De Marchi Fixes: f3bc5bb4d53d ("drm/xe: Allow userspace to configure CCS mode") Reviewed-by: Nirmoy Das Link: https://patchwork.freedesktop.org/patch/msgid/20241211111727.1481476-3-maciej.patelczyk@intel.com Signed-off-by: Nirmoy Das (cherry picked from commit 480fb9806e2e073532f7786166287114c696b340) Signed-off-by: Thomas Hellström commit 5db89168c408871d306e9fb669e494a1444da8ee Author: Maciej Patelczyk Date: Wed Dec 11 12:17:26 2024 +0100 drm/xe: introduce xe_gt_reset and xe_gt_wait_for_reset Add synchronous version gt reset as there are few places where it is expected. Also add a wait helper to wait until gt reset is done. Signed-off-by: Maciej Patelczyk Reviewed-by: Lucas De Marchi Fixes: f3bc5bb4d53d ("drm/xe: Allow userspace to configure CCS mode") Reviewed-by: Nirmoy Das Link: https://patchwork.freedesktop.org/patch/msgid/20241211111727.1481476-2-maciej.patelczyk@intel.com Signed-off-by: Nirmoy Das (cherry picked from commit 155c77f45f63dd58a37eeb0896b0b140ab785836) Signed-off-by: Thomas Hellström commit 64192bb2e52d48cfccd8373b0ad565bb9ce3d2e6 Author: Jesus Narvaez Date: Thu Dec 12 11:01:00 2024 -0800 drm/xe/guc: Adding steering info support for GuC register lists The guc_mmio_reg interface supports steering, but it is currently not implemented. This will allow the GuC to control steering of MMIO registers after save-restore and avoid reading from fused off MCR register instances. Fixes: 9c57bc08652a ("drm/xe/lnl: Drop force_probe requirement") Signed-off-by: Jesus Narvaez Cc: Matt Roper Cc: Lucas De Marchi Cc: Daniele Ceraolo Spurio Reviewed-by: Jonathan Cavitt Signed-off-by: Daniele Ceraolo Spurio Link: https://patchwork.freedesktop.org/patch/msgid/20241212190100.3768068-1-jesus.narvaez@intel.com (cherry picked from commit ee5a1321df90891d59d83b7c9d5b6c5b755d059d) Signed-off-by: Thomas Hellström commit 9322d1915f9d976ee48c09d800fbd5169bc2ddcc Author: Joe Hattori Date: Sun Dec 15 12:39:45 2024 +0900 irqchip: Plug a OF node reference leak in platform_irqchip_probe() platform_irqchip_probe() leaks a OF node when irq_init_cb() fails. Fix it by declaring par_np with the __free(device_node) cleanup construct. This bug was found by an experimental static analysis tool that I am developing. Fixes: f8410e626569 ("irqchip: Add IRQCHIP_PLATFORM_DRIVER_BEGIN/END and IRQCHIP_MATCH helper macros") Signed-off-by: Joe Hattori Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org Link: https://lore.kernel.org/all/20241215033945.3414223-1-joe@pf.is.s.u-tokyo.ac.jp commit 0a5b8fff01bde1b9908f00004c676f2e2459333b Author: Victor Nogueira Date: Sat Jan 11 18:15:15 2025 -0300 selftests: net: Adapt ethtool mq tests to fix in qdisc graft Because of patch[1] the graft behaviour changed So the command: tcq replace parent 100:1 handle 204: Is no longer valid and will not delete 100:4 added by command: tcq replace parent 100:4 handle 204: pfifo_fast So to maintain the original behaviour, this patch manually deletes 100:4 and grafts 100:1 Note: This change will also work fine without [1] [1] https://lore.kernel.org/netdev/20250111151455.75480-1-jhs@mojatatu.com/T/#u Signed-off-by: Victor Nogueira Reviewed-by: Jamal Hadi Salim Signed-off-by: David S. Miller commit 3a748d483d80f066ca4b26abe45cdc0c367d13e9 Author: Philippe Simons Date: Sun Jan 12 13:34:02 2025 +0100 irqchip/sunxi-nmi: Add missing SKIP_WAKE flag Some boards with Allwinner SoCs connect the PMIC's IRQ pin to the SoC's NMI pin instead of a normal GPIO. Since the power key is connected to the PMIC, and people expect to wake up a suspended system via this key, the NMI IRQ controller must stay alive when the system goes into suspend. Add the SKIP_WAKE flag to prevent the sunxi NMI controller from going to sleep, so that the power key can wake up those systems. [ tglx: Fixed up coding style ] Signed-off-by: Philippe Simons Signed-off-by: Thomas Gleixner Link: https://lore.kernel.org/all/20250112123402.388520-1-simons.philippe@gmail.com commit 35cb2c6ce7da545f3b5cb1e6473ad7c3a6f08310 Author: Tomas Krcka Date: Mon Dec 30 15:08:25 2024 +0000 irqchip/gic-v3-its: Don't enable interrupts in its_irq_set_vcpu_affinity() The following call-chain leads to enabling interrupts in a nested interrupt disabled section: irq_set_vcpu_affinity() irq_get_desc_lock() raw_spin_lock_irqsave() <--- Disable interrupts its_irq_set_vcpu_affinity() guard(raw_spinlock_irq) <--- Enables interrupts when leaving the guard() irq_put_desc_unlock() <--- Warns because interrupts are enabled This was broken in commit b97e8a2f7130, which replaced the original raw_spin_[un]lock() pair with guard(raw_spinlock_irq). Fix the issue by using guard(raw_spinlock). [ tglx: Massaged change log ] Fixes: b97e8a2f7130 ("irqchip/gic-v3-its: Fix potential race condition in its_vlpi_prop_update()") Signed-off-by: Tomas Krcka Signed-off-by: Thomas Gleixner Reviewed-by: Marc Zyngier Cc: stable@vger.kernel.org Link: https://lore.kernel.org/all/20241230150825.62894-1-krckatom@amazon.de commit 0d62a49ab55c99e8deb4593b8d9f923de1ab5c18 Author: Yogesh Lal Date: Fri Dec 20 15:09:07 2024 +0530 irqchip/gic-v3: Handle CPU_PM_ENTER_FAILED correctly When a CPU attempts to enter low power mode, it disables the redistributor and Group 1 interrupts and reinitializes the system registers upon wakeup. If the transition into low power mode fails, then the CPU_PM framework invokes the PM notifier callback with CPU_PM_ENTER_FAILED to allow the drivers to undo the state changes. The GIC V3 driver ignores CPU_PM_ENTER_FAILED, which leaves the GIC in disabled state. Handle CPU_PM_ENTER_FAILED in the same way as CPU_PM_EXIT to restore normal operation. [ tglx: Massage change log, add Fixes tag ] Fixes: 3708d52fc6bb ("irqchip: gic-v3: Implement CPU PM notifier") Signed-off-by: Yogesh Lal Signed-off-by: Thomas Gleixner Acked-by: Marc Zyngier Cc: stable@vger.kernel.org Link: https://lore.kernel.org/all/20241220093907.2747601-1-quic_ylal@quicinc.com commit ef84aee151bd6c2c9223c8b430cae21d57b5e1c1 Author: Dan Carpenter Date: Tue Nov 12 13:23:03 2024 +0300 drm/bridge: ite-it6263: Prevent error pointer dereference in probe() If devm_i2c_new_dummy_device() fails then we were supposed to return an error code, but instead the function continues and will crash on the next line. Add the missing return statement. Fixes: 049723628716 ("drm/bridge: Add ITE IT6263 LVDS to HDMI converter") Signed-off-by: Dan Carpenter Reviewed-by: Biju Das Reviewed-by: Liu Ying Signed-off-by: Liu Ying Link: https://patchwork.freedesktop.org/patch/msgid/804a758b-f2e7-4116-b72d-29bc8905beed@stanley.mountain commit 001ba0902046cb6c352494df610718c0763e77a5 Author: Kevin Groeneveld Date: Mon Jan 13 10:48:45 2025 -0500 net: fec: handle page_pool_dev_alloc_pages error The fec_enet_update_cbd function calls page_pool_dev_alloc_pages but did not handle the case when it returned NULL. There was a WARN_ON(!new_page) but it would still proceed to use the NULL pointer and then crash. This case does seem somewhat rare but when the system is under memory pressure it can happen. One case where I can duplicate this with some frequency is when writing over a smbd share to a SATA HDD attached to an imx6q. Setting /proc/sys/vm/min_free_kbytes to higher values also seems to solve the problem for my test case. But it still seems wrong that the fec driver ignores the memory allocation error and can crash. This commit handles the allocation error by dropping the current packet. Fixes: 95698ff6177b5 ("net: fec: using page pool to manage RX buffers") Signed-off-by: Kevin Groeneveld Reviewed-by: Jacob Keller Reviewed-by: Wei Fang Link: https://patch.msgid.link/20250113154846.1765414-1-kgroeneveld@lenbrook.com Signed-off-by: Jakub Kicinski commit f0d0277796db613c124206544b6dbe95b520ab6c Author: John Sperbeck Date: Mon Jan 13 17:13:54 2025 -0800 net: netpoll: ensure skb_pool list is always initialized When __netpoll_setup() is called directly, instead of through netpoll_setup(), the np->skb_pool list head isn't initialized. If skb_pool_flush() is later called, then we hit a NULL pointer in skb_queue_purge_reason(). This can be seen with this repro, when CONFIG_NETCONSOLE is enabled as a module: ip tuntap add mode tap tap0 ip link add name br0 type bridge ip link set dev tap0 master br0 modprobe netconsole netconsole=4444@10.0.0.1/br0,9353@10.0.0.2/ rmmod netconsole The backtrace is: BUG: kernel NULL pointer dereference, address: 0000000000000008 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page ... ... ... Call Trace: __netpoll_free+0xa5/0xf0 br_netpoll_cleanup+0x43/0x50 [bridge] do_netpoll_cleanup+0x43/0xc0 netconsole_netdev_event+0x1e3/0x300 [netconsole] unregister_netdevice_notifier+0xd9/0x150 cleanup_module+0x45/0x920 [netconsole] __se_sys_delete_module+0x205/0x290 do_syscall_64+0x70/0x150 entry_SYSCALL_64_after_hwframe+0x76/0x7e Move the skb_pool list setup and initial skb fill into __netpoll_setup(). Fixes: 221a9c1df790 ("net: netpoll: Individualize the skb pool") Signed-off-by: John Sperbeck Reviewed-by: Breno Leitao Link: https://patch.msgid.link/20250114011354.2096812-1-jsperbeck@google.com Signed-off-by: Jakub Kicinski commit c17ff476f53afb30f90bb3c2af77de069c81a622 Author: Sean Anderson Date: Mon Jan 13 11:30:00 2025 -0500 net: xilinx: axienet: Fix IRQ coalescing packet count overflow If coalesce_count is greater than 255 it will not fit in the register and will overflow. This can be reproduced by running # ethtool -C ethX rx-frames 256 which will result in a timeout of 0us instead. Fix this by checking for invalid values and reporting an error. Fixes: 8a3b7a252dca ("drivers/net/ethernet/xilinx: added Xilinx AXI Ethernet driver") Signed-off-by: Sean Anderson Reviewed-by: Shannon Nelson Reviewed-by: Radhey Shyam Pandey Link: https://patch.msgid.link/20250113163001.2335235-1-sean.anderson@linux.dev Signed-off-by: Jakub Kicinski commit e2c68cea431d65292b592c9f8446c918d45fcf78 Author: David Lechner Date: Tue Jan 14 15:45:52 2025 -0600 hwmon: (tmp513) Fix division of negative numbers Fix several issues with division of negative numbers in the tmp513 driver. The docs on the DIV_ROUND_CLOSEST macro explain that dividing a negative value by an unsigned type is undefined behavior. The driver was doing this in several places, i.e. data->shunt_uohms has type of u32. The actual "undefined" behavior is that it converts both values to unsigned before doing the division, for example: int ret = DIV_ROUND_CLOSEST(-100, 3U); results in ret == 1431655732 instead of -33. Furthermore the MILLI macro has a type of unsigned long. Multiplying a signed long by an unsigned long results in an unsigned long. So, we need to cast both MILLI and data data->shunt_uohms to long when using the DIV_ROUND_CLOSEST macro. Fixes: f07f9d2467f4 ("hwmon: (tmp513) Use SI constants from units.h") Fixes: 59dfa75e5d82 ("hwmon: Add driver for Texas Instruments TMP512/513 sensor chips.") Signed-off-by: David Lechner Link: https://lore.kernel.org/r/20250114-fix-si-prefix-macro-sign-bugs-v1-1-696fd8d10f00@baylibre.com [groeck: Drop some continuation lines] Signed-off-by: Guenter Roeck commit 16ebb6f5b6295c9688749862a39a4889c56227f8 Author: Dan Carpenter Date: Mon Jan 13 09:18:39 2025 +0300 nfp: bpf: prevent integer overflow in nfp_bpf_event_output() The "sizeof(struct cmsg_bpf_event) + pkt_size + data_size" math could potentially have an integer wrapping bug on 32bit systems. Check for this and return an error. Fixes: 9816dd35ecec ("nfp: bpf: perf event output helpers support") Signed-off-by: Dan Carpenter Link: https://patch.msgid.link/6074805b-e78d-4b8a-bf05-e929b5377c28@stanley.mountain Signed-off-by: Jakub Kicinski commit de31b3cd706347044e1a57d68c3a683d58e8cca4 Author: Xin Li (Intel) Date: Fri Jan 10 09:46:39 2025 -0800 x86/fred: Fix the FRED RSP0 MSR out of sync with its per-CPU cache The FRED RSP0 MSR is only used for delivering events when running userspace. Linux leverages this property to reduce expensive MSR writes and optimize context switches. The kernel only writes the MSR when about to run userspace *and* when the MSR has actually changed since the last time userspace ran. This optimization is implemented by maintaining a per-CPU cache of FRED RSP0 and then checking that against the value for the top of current task stack before running userspace. However cpu_init_fred_exceptions() writes the MSR without updating the per-CPU cache. This means that the kernel might return to userspace with MSR_IA32_FRED_RSP0==0 when it needed to point to the top of current task stack. This would induce a double fault (#DF), which is bad. A context switch after cpu_init_fred_exceptions() can paper over the issue since it updates the cached value. That evidently happens most of the time explaining how this bug got through. Fix the bug through resynchronizing the FRED RSP0 MSR with its per-CPU cache in cpu_init_fred_exceptions(). Fixes: fe85ee391966 ("x86/entry: Set FRED RSP0 on return to userspace instead of context switch") Signed-off-by: Xin Li (Intel) Signed-off-by: Dave Hansen Acked-by: Dave Hansen Cc:stable@vger.kernel.org Link: https://lore.kernel.org/all/20250110174639.1250829-1-xin%40zytor.com commit 619f0b6fad524f08d493a98d55bac9ab8895e3a6 Merge: 7f5b6a8ec18e3a f90877dd7fb508 Author: Linus Torvalds Date: Tue Jan 14 14:10:17 2025 -0800 Merge tag 'seccomp-v6.13-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux Pull seccomp fix from Kees Cook: "Fix a randconfig failure: - Unconditionally define stub for !CONFIG_SECCOMP (Linus Walleij)" * tag 'seccomp-v6.13-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: seccomp: Stub for !CONFIG_SECCOMP commit f62bb88782ffc2d8b619ac781ca26582b00c4db6 Merge: 9de1280fb5034a 258f5f90581597 Author: Jakub Kicinski Date: Tue Jan 14 13:41:16 2025 -0800 Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue Tony Nguyen says: ==================== Fix E825 initialization Grzegorz Nitka says: E825 products have incorrect initialization procedure, which may lead to initialization failures and register values. Fix E825 products initialization by adding correct sync delay, checking the PHY revision only for current PHY and adding proper destination device when reading port/quad. In addition, E825 uses PF ID for indexing per PF registers and as a primary PHY lane number, which is incorrect. * '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue: ice: Add correct PHY lane assignment ice: Fix ETH56G FC-FEC Rx offset value ice: Fix quad registers read on E825 ice: Fix E825 initialization ==================== Link: https://patch.msgid.link/20250113182840.3564250-1-anthony.l.nguyen@intel.com Signed-off-by: Jakub Kicinski commit 9de1280fb5034a56f8827a521dec259982298581 Merge: 665bcfc982deef 218cc166321fb3 Author: Jakub Kicinski Date: Tue Jan 14 13:32:13 2025 -0800 Merge branch 'mptcp-fixes-for-connect-selftest-flakes' Matthieu Baerts says: ==================== mptcp: fixes for connect selftest flakes Last week, Jakub reported [1] that the MPTCP Connect selftest was unstable. It looked like it started after the introduction of some fixes [2]. After analysis from Paolo, these patches revealed existing bugs, that should be fixed by the following patches. - Patch 1: Make sure ACK are sent when MPTCP-level window re-opens. In some corner cases, the other peer was not notified when more data could be sent. A fix for v5.11, but depending on a feature introduced in v5.19. - Patch 2: Fix spurious wake-up under memory pressure. In this situation, the userspace could be invited to read data not being there yet. A fix for v6.7. - Patch 3: Fix a false positive error when running the MPTCP Connect selftest with the "disconnect" cases. The userspace could disconnect the socket too soon, which would reset (MP_FASTCLOSE) the connection, interpreted as an error by the test. A fix for v5.17. Link: https://lore.kernel.org/20250107131845.5e5de3c5@kernel.org [1] Link: https://lore.kernel.org/20241230-net-mptcp-rbuf-fixes-v1-0-8608af434ceb@kernel.org [2] ==================== Link: https://patch.msgid.link/20250113-net-mptcp-connect-st-flakes-v1-0-0d986ee7b1b6@kernel.org Signed-off-by: Jakub Kicinski commit 218cc166321fb3cc8786677ffe0d09a78778a910 Author: Paolo Abeni Date: Mon Jan 13 16:44:58 2025 +0100 selftests: mptcp: avoid spurious errors on disconnect The disconnect test-case generates spurious errors: INFO: disconnect INFO: extra options: -I 3 -i /tmp/tmp.r43niviyoI 01 ns1 MPTCP -> ns1 (10.0.1.1:10000 ) MPTCP (duration 140ms) [FAIL] file received by server does not match (in, out): Unexpected revents: POLLERR/POLLNVAL(19) -rw-r--r-- 1 root root 10028676 Jan 10 10:47 /tmp/tmp.r43niviyoI.disconnect Trailing bytes are: ��\����R���!8��u2��5N% -rw------- 1 root root 9992290 Jan 10 10:47 /tmp/tmp.Os4UbnWbI1 Trailing bytes are: ��\����R���!8��u2��5N% 02 ns1 MPTCP -> ns1 (dead:beef:1::1:10001) MPTCP (duration 206ms) [ OK ] 03 ns1 MPTCP -> ns1 (dead:beef:1::1:10002) TCP (duration 31ms) [ OK ] 04 ns1 TCP -> ns1 (dead:beef:1::1:10003) MPTCP (duration 26ms) [ OK ] [FAIL] Tests of the full disconnection have failed Time: 2 seconds The root cause is actually in the user-space bits: the test program currently disconnects as soon as all the pending data has been spooled, generating an FASTCLOSE. If such option reaches the peer before the latter has reached the closed status, the msk socket will report an error to the user-space, as per protocol specification, causing the above failure. Address the issue explicitly waiting for all the relevant sockets to reach a closed status before performing the disconnect. Fixes: 05be5e273c84 ("selftests: mptcp: add disconnect tests") Cc: stable@vger.kernel.org Signed-off-by: Paolo Abeni Reviewed-by: Matthieu Baerts (NGI0) Signed-off-by: Matthieu Baerts (NGI0) Link: https://patch.msgid.link/20250113-net-mptcp-connect-st-flakes-v1-3-0d986ee7b1b6@kernel.org Signed-off-by: Jakub Kicinski commit e226d9259dc4f5d2c19e6682ad1356fa97cf38f4 Author: Paolo Abeni Date: Mon Jan 13 16:44:57 2025 +0100 mptcp: fix spurious wake-up on under memory pressure The wake-up condition currently implemented by mptcp_epollin_ready() is wrong, as it could mark the MPTCP socket as readable even when no data are present and the system is under memory pressure. Explicitly check for some data being available in the receive queue. Fixes: 5684ab1a0eff ("mptcp: give rcvlowat some love") Cc: stable@vger.kernel.org Signed-off-by: Paolo Abeni Reviewed-by: Matthieu Baerts (NGI0) Signed-off-by: Matthieu Baerts (NGI0) Link: https://patch.msgid.link/20250113-net-mptcp-connect-st-flakes-v1-2-0d986ee7b1b6@kernel.org Signed-off-by: Jakub Kicinski commit 2ca06a2f65310aeef30bb69b7405437a14766e4d Author: Paolo Abeni Date: Mon Jan 13 16:44:56 2025 +0100 mptcp: be sure to send ack when mptcp-level window re-opens mptcp_cleanup_rbuf() is responsible to send acks when the user-space reads enough data to update the receive windows significantly. It tries hard to avoid acquiring the subflow sockets locks by checking conditions similar to the ones implemented at the TCP level. To avoid too much code duplication - the MPTCP protocol can't reuse the TCP helpers as part of the relevant status is maintained into the msk socket - and multiple costly window size computation, mptcp_cleanup_rbuf uses a rough estimate for the most recently advertised window size: the MPTCP receive free space, as recorded as at last-ack time. Unfortunately the above does not allow mptcp_cleanup_rbuf() to detect a zero to non-zero win change in some corner cases, skipping the tcp_cleanup_rbuf call and leaving the peer stuck. After commit ea66758c1795 ("tcp: allow MPTCP to update the announced window"), MPTCP has actually cheap access to the announced window value. Use it in mptcp_cleanup_rbuf() for a more accurate ack generation. Fixes: e3859603ba13 ("mptcp: better msk receive window updates") Cc: stable@vger.kernel.org Reported-by: Jakub Kicinski Closes: https://lore.kernel.org/20250107131845.5e5de3c5@kernel.org Signed-off-by: Paolo Abeni Reviewed-by: Matthieu Baerts (NGI0) Signed-off-by: Matthieu Baerts (NGI0) Link: https://patch.msgid.link/20250113-net-mptcp-connect-st-flakes-v1-1-0d986ee7b1b6@kernel.org Signed-off-by: Jakub Kicinski commit e4b5ccd392b92300a2b341705cc4805681094e49 Author: Maíra Canal Date: Mon Jan 13 12:47:40 2025 -0300 drm/v3d: Ensure job pointer is set to NULL after job completion After a job completes, the corresponding pointer in the device must be set to NULL. Failing to do so triggers a warning when unloading the driver, as it appears the job is still active. To prevent this, assign the job pointer to NULL after completing the job, indicating the job has finished. Fixes: 14d1d1908696 ("drm/v3d: Remove the bad signaled() implementation.") Signed-off-by: Maíra Canal Reviewed-by: Jose Maria Casanova Crespo Link: https://patchwork.freedesktop.org/patch/msgid/20250113154741.67520-1-mcanal@igalia.com commit 7e265fc04690d449a40b413b0348b15c748cea6f Author: Viresh Kumar Date: Fri Jan 10 11:23:10 2025 +0530 cpufreq: Move endif to the end of Kconfig file It is possible to enable few cpufreq drivers, without the framework being enabled. This happened due to a bug while moving the entries earlier. Fix it. Fixes: 7ee1378736f0 ("cpufreq: Move CPPC configs to common Kconfig and add RISC-V") Signed-off-by: Viresh Kumar Reviewed-by: Pierre Gondois Reviewed-by: Sunil V L Reviewed-by: Sudeep Holla Link: https://patch.msgid.link/84ac7a8fa72a8fe20487bb0a350a758bce060965.1736488384.git.viresh.kumar@linaro.org Signed-off-by: Rafael J. Wysocki commit 7f5b6a8ec18e3add4c74682f60b90c31bdf849f2 Merge: c3812b15000cc5 15b8968dcb90f1 Author: Linus Torvalds Date: Tue Jan 14 11:32:14 2025 -0800 Merge tag 'pci-v6.13-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/pci/pci Pull pci fix from Bjorn Helgaas: - Prevent bwctrl NULL pointer dereference that caused hangs on shutdown on ASUS ROG Strix SCAR 17 G733PYV (Lukas Wunner) * tag 'pci-v6.13-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/pci/pci: PCI/bwctrl: Fix NULL pointer deref on unbind and bind commit c3812b15000cc5b7b17c7238f8b12f6a22df0b1d Merge: 79a1d390f87956 63ca02221cc5aa Author: Linus Torvalds Date: Tue Jan 14 10:07:40 2025 -0800 Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi Pull SCSI fixes from James Bottomley: "One iscsi driver fix and one core fix. The core fix is an important one because a retry efficiency update is now causing some USB devices to get the wrong size on discovery (it upset their retry logic for READ_CAPACITY_16)" * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: scsi: iscsi: Fix redundant response for ISCSI_UEVENT_GET_HOST_STATS request scsi: core: Fix command pass through retry regression commit b7d40627813799870e72729c6fc979a8a40d9ba6 Author: Ian Forbes Date: Fri Jan 10 12:53:35 2025 -0600 drm/vmwgfx: Add new keep_resv BO param Adds a new BO param that keeps the reservation locked after creation. This removes the need to re-reserve the BO after creation which is a waste of cycles. This also fixes a bug in vmw_prime_import_sg_table where the imported reservation is unlocked twice. Signed-off-by: Ian Forbes Fixes: b32233acceff ("drm/vmwgfx: Fix prime import/export") Reviewed-by: Zack Rusin Signed-off-by: Zack Rusin Link: https://patchwork.freedesktop.org/patch/msgid/20250110185335.15301-1-ian.forbes@broadcom.com commit 9cdebfa97d5844ac3a2ad815a87e60cec8f84795 Author: Ian Forbes Date: Wed Jan 8 14:13:55 2025 -0600 drm/vmwgfx: Remove busy_places Unused since commit a78a8da51b36 ("drm/ttm: replace busy placement with flags v6") Signed-off-by: Ian Forbes Reviewed-by: Martin Krastev Signed-off-by: Zack Rusin Link: https://patchwork.freedesktop.org/patch/msgid/20250108201355.2521070-1-ian.forbes@broadcom.com commit cb343ded122e0bf41e4b2a9f89386296451be109 Author: Ian Forbes Date: Tue Dec 10 13:55:35 2024 -0600 drm/vmwgfx: Unreserve BO on error Unlock BOs in reverse order. Add an acquire context so that lockdep doesn't complain. Fixes: d6667f0ddf46 ("drm/vmwgfx: Fix handling of dumb buffers") Signed-off-by: Ian Forbes Signed-off-by: Zack Rusin Link: https://patchwork.freedesktop.org/patch/msgid/20241210195535.2074918-1-ian.forbes@broadcom.com commit 79a1d390f879563119bf2848b621bc7eed228c7d Merge: c45323b7560ec8 34c8e74cd6667e Author: Linus Torvalds Date: Tue Jan 14 09:54:57 2025 -0800 Merge tag 'sound-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound Pull sound fixes from Takashi Iwai: "Hopefully the last PR for 6.13. This became bigger than wished due to the timing after holiday breaks. The only large LOC is the additional document for Cirrus codec which is nice for users (and absolutely safe). All the rest are small fixes in ASoC Rcar and codecs as well as HD-audio quirks (And no fix for USB guitar pedals seen yet :)" * tag 'sound-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: ALSA: hda/realtek: Fix volume adjustment issue on Lenovo ThinkBook 16P Gen5 ALSA: hda/realtek: fixup ASUS H7606W ALSA: hda/realtek: fixup ASUS GA605W ALSA: hda/realtek: Add support for Ayaneo System using CS35L41 HDA ASoC: rsnd: check rsnd_adg_clk_enable() return value ASoC: cs42l43: Add codec force suspend/resume ops ALSA: doc: Add codecs/index.rst to top-level index ALSA: doc: cs35l56: Add information about Cirrus Logic CS35L54/56/57 ASoC: samsung: Add missing depends on I2C MAINTAINERS: add missing maintainers for Simple Audio Card ASoC: samsung: Add missing selects for MFD_WM8994 ASoC: codecs: es8316: Fix HW rate calculation for 48Mhz MCLK ASoC: wm8994: Add depends on MFD core ASoC: tas2781: Fix occasional calibration failture ASoC: codecs: ES8326: Adjust ANA_MICBIAS to reduce pop noise commit bd275e6cfc972329d39c6406a3c6d2ba2aba7db6 Author: Gui Chengming Date: Tue Jan 7 17:09:08 2025 +0800 drm/amdgpu: fix fw attestation for MP0_14_0_{2/3} FW attestation was disabled on MP0_14_0_{2/3}. V2: Move check into is_fw_attestation_support func. (Frank) Remove DRM_WARN log info. (Alex) Fix format. (Christian) Signed-off-by: Gui Chengming Reviewed-by: Frank.Min Reviewed-by: Christian König Signed-off-by: Alex Deucher (cherry picked from commit 62952a38d9bcf357d5ffc97615c48b12c9cd627c) Cc: stable@vger.kernel.org # 6.12.x commit af04b320c71c4b59971f021615876808a36e5038 Author: Christian König Date: Fri Dec 20 16:21:11 2024 +0100 drm/amdgpu: always sync the GFX pipe on ctx switch That is needed to enforce isolation between contexts. Signed-off-by: Christian König Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher (cherry picked from commit def59436fb0d3ca0f211d14873d0273d69ebb405) Cc: stable@vger.kernel.org commit 90505894c4ed581318836b792c57723df491cb91 Author: Kenneth Feng Date: Thu Jan 9 15:58:23 2025 +0800 drm/amdgpu: disable gfxoff with the compute workload on gfx12 Disable gfxoff with the compute workload on gfx12. This is a workaround for the opencl test failure. Signed-off-by: Kenneth Feng Acked-by: Alex Deucher Signed-off-by: Alex Deucher (cherry picked from commit 2affe2bbc997b3920045c2c434e480c81a5f9707) Cc: stable@vger.kernel.org # 6.12.x commit c1c03ee7957ec178756cae09c39d77194e8cddb7 Author: Jens Axboe Date: Tue Jan 14 09:44:21 2025 -0700 io_uring/rsrc: fixup io_clone_buffers() error handling Jann reports he can trigger a UAF if the target ring unregisters buffers before the clone operation is fully done. And additionally also an issue related to node allocation failures. Both of those stemp from the fact that the cleanup logic puts the buffers manually, rather than just relying on io_rsrc_data_free() doing it. Hence kill the manual cleanup code and just let io_rsrc_data_free() handle it, it'll put the nodes appropriately. Reported-by: Jann Horn Fixes: 3597f2786b68 ("io_uring/rsrc: unify file and buffer resource tables") Signed-off-by: Jens Axboe commit 1e8c193f8ca7ab7dff4f4747b45a55dca23c00f4 Author: Srinivasan Shanmugam Date: Thu Jan 9 21:33:51 2025 +0530 drm/amdgpu: Fix Circular Locking Dependency in AMDGPU GFX Isolation This commit addresses a circular locking dependency issue within the GFX isolation mechanism. The problem was identified by a warning indicating a potential deadlock due to inconsistent lock acquisition order. - The `amdgpu_gfx_enforce_isolation_ring_begin_use` and `amdgpu_gfx_enforce_isolation_ring_end_use` functions previously acquired `enforce_isolation_mutex` and called `amdgpu_gfx_kfd_sch_ctrl`, leading to potential deadlocks. ie., If `amdgpu_gfx_kfd_sch_ctrl` is called while `enforce_isolation_mutex` is held, and `amdgpu_gfx_enforce_isolation_handler` is called while `kfd_sch_mutex` is held, it can create a circular dependency. By ensuring consistent lock usage, this fix resolves the issue: [ 606.297333] ====================================================== [ 606.297343] WARNING: possible circular locking dependency detected [ 606.297353] 6.10.0-amd-mlkd-610-311224-lof #19 Tainted: G OE [ 606.297365] ------------------------------------------------------ [ 606.297375] kworker/u96:3/3825 is trying to acquire lock: [ 606.297385] ffff9aa64e431cb8 ((work_completion)(&(&adev->gfx.enforce_isolation[i].work)->work)){+.+.}-{0:0}, at: __flush_work+0x232/0x610 [ 606.297413] but task is already holding lock: [ 606.297423] ffff9aa64e432338 (&adev->gfx.kfd_sch_mutex){+.+.}-{3:3}, at: amdgpu_gfx_kfd_sch_ctrl+0x51/0x4d0 [amdgpu] [ 606.297725] which lock already depends on the new lock. [ 606.297738] the existing dependency chain (in reverse order) is: [ 606.297749] -> #2 (&adev->gfx.kfd_sch_mutex){+.+.}-{3:3}: [ 606.297765] __mutex_lock+0x85/0x930 [ 606.297776] mutex_lock_nested+0x1b/0x30 [ 606.297786] amdgpu_gfx_kfd_sch_ctrl+0x51/0x4d0 [amdgpu] [ 606.298007] amdgpu_gfx_enforce_isolation_ring_begin_use+0x2a4/0x5d0 [amdgpu] [ 606.298225] amdgpu_ring_alloc+0x48/0x70 [amdgpu] [ 606.298412] amdgpu_ib_schedule+0x176/0x8a0 [amdgpu] [ 606.298603] amdgpu_job_run+0xac/0x1e0 [amdgpu] [ 606.298866] drm_sched_run_job_work+0x24f/0x430 [gpu_sched] [ 606.298880] process_one_work+0x21e/0x680 [ 606.298890] worker_thread+0x190/0x350 [ 606.298899] kthread+0xe7/0x120 [ 606.298908] ret_from_fork+0x3c/0x60 [ 606.298919] ret_from_fork_asm+0x1a/0x30 [ 606.298929] -> #1 (&adev->enforce_isolation_mutex){+.+.}-{3:3}: [ 606.298947] __mutex_lock+0x85/0x930 [ 606.298956] mutex_lock_nested+0x1b/0x30 [ 606.298966] amdgpu_gfx_enforce_isolation_handler+0x87/0x370 [amdgpu] [ 606.299190] process_one_work+0x21e/0x680 [ 606.299199] worker_thread+0x190/0x350 [ 606.299208] kthread+0xe7/0x120 [ 606.299217] ret_from_fork+0x3c/0x60 [ 606.299227] ret_from_fork_asm+0x1a/0x30 [ 606.299236] -> #0 ((work_completion)(&(&adev->gfx.enforce_isolation[i].work)->work)){+.+.}-{0:0}: [ 606.299257] __lock_acquire+0x16f9/0x2810 [ 606.299267] lock_acquire+0xd1/0x300 [ 606.299276] __flush_work+0x250/0x610 [ 606.299286] cancel_delayed_work_sync+0x71/0x80 [ 606.299296] amdgpu_gfx_kfd_sch_ctrl+0x287/0x4d0 [amdgpu] [ 606.299509] amdgpu_gfx_enforce_isolation_ring_begin_use+0x2a4/0x5d0 [amdgpu] [ 606.299723] amdgpu_ring_alloc+0x48/0x70 [amdgpu] [ 606.299909] amdgpu_ib_schedule+0x176/0x8a0 [amdgpu] [ 606.300101] amdgpu_job_run+0xac/0x1e0 [amdgpu] [ 606.300355] drm_sched_run_job_work+0x24f/0x430 [gpu_sched] [ 606.300369] process_one_work+0x21e/0x680 [ 606.300378] worker_thread+0x190/0x350 [ 606.300387] kthread+0xe7/0x120 [ 606.300396] ret_from_fork+0x3c/0x60 [ 606.300406] ret_from_fork_asm+0x1a/0x30 [ 606.300416] other info that might help us debug this: [ 606.300428] Chain exists of: (work_completion)(&(&adev->gfx.enforce_isolation[i].work)->work) --> &adev->enforce_isolation_mutex --> &adev->gfx.kfd_sch_mutex [ 606.300458] Possible unsafe locking scenario: [ 606.300468] CPU0 CPU1 [ 606.300476] ---- ---- [ 606.300484] lock(&adev->gfx.kfd_sch_mutex); [ 606.300494] lock(&adev->enforce_isolation_mutex); [ 606.300508] lock(&adev->gfx.kfd_sch_mutex); [ 606.300521] lock((work_completion)(&(&adev->gfx.enforce_isolation[i].work)->work)); [ 606.300536] *** DEADLOCK *** [ 606.300546] 5 locks held by kworker/u96:3/3825: [ 606.300555] #0: ffff9aa5aa1f5d58 ((wq_completion)comp_1.1.0){+.+.}-{0:0}, at: process_one_work+0x3f5/0x680 [ 606.300577] #1: ffffaa53c3c97e40 ((work_completion)(&sched->work_run_job)){+.+.}-{0:0}, at: process_one_work+0x1d6/0x680 [ 606.300600] #2: ffff9aa64e463c98 (&adev->enforce_isolation_mutex){+.+.}-{3:3}, at: amdgpu_gfx_enforce_isolation_ring_begin_use+0x1c3/0x5d0 [amdgpu] [ 606.300837] #3: ffff9aa64e432338 (&adev->gfx.kfd_sch_mutex){+.+.}-{3:3}, at: amdgpu_gfx_kfd_sch_ctrl+0x51/0x4d0 [amdgpu] [ 606.301062] #4: ffffffff8c1a5660 (rcu_read_lock){....}-{1:2}, at: __flush_work+0x70/0x610 [ 606.301083] stack backtrace: [ 606.301092] CPU: 14 PID: 3825 Comm: kworker/u96:3 Tainted: G OE 6.10.0-amd-mlkd-610-311224-lof #19 [ 606.301109] Hardware name: Gigabyte Technology Co., Ltd. X570S GAMING X/X570S GAMING X, BIOS F7 03/22/2024 [ 606.301124] Workqueue: comp_1.1.0 drm_sched_run_job_work [gpu_sched] [ 606.301140] Call Trace: [ 606.301146] [ 606.301154] dump_stack_lvl+0x9b/0xf0 [ 606.301166] dump_stack+0x10/0x20 [ 606.301175] print_circular_bug+0x26c/0x340 [ 606.301187] check_noncircular+0x157/0x170 [ 606.301197] ? register_lock_class+0x48/0x490 [ 606.301213] __lock_acquire+0x16f9/0x2810 [ 606.301230] lock_acquire+0xd1/0x300 [ 606.301239] ? __flush_work+0x232/0x610 [ 606.301250] ? srso_alias_return_thunk+0x5/0xfbef5 [ 606.301261] ? mark_held_locks+0x54/0x90 [ 606.301274] ? __flush_work+0x232/0x610 [ 606.301284] __flush_work+0x250/0x610 [ 606.301293] ? __flush_work+0x232/0x610 [ 606.301305] ? __pfx_wq_barrier_func+0x10/0x10 [ 606.301318] ? mark_held_locks+0x54/0x90 [ 606.301331] ? srso_alias_return_thunk+0x5/0xfbef5 [ 606.301345] cancel_delayed_work_sync+0x71/0x80 [ 606.301356] amdgpu_gfx_kfd_sch_ctrl+0x287/0x4d0 [amdgpu] [ 606.301661] amdgpu_gfx_enforce_isolation_ring_begin_use+0x2a4/0x5d0 [amdgpu] [ 606.302050] ? srso_alias_return_thunk+0x5/0xfbef5 [ 606.302069] amdgpu_ring_alloc+0x48/0x70 [amdgpu] [ 606.302452] amdgpu_ib_schedule+0x176/0x8a0 [amdgpu] [ 606.302862] ? drm_sched_entity_error+0x82/0x190 [gpu_sched] [ 606.302890] amdgpu_job_run+0xac/0x1e0 [amdgpu] [ 606.303366] drm_sched_run_job_work+0x24f/0x430 [gpu_sched] [ 606.303388] process_one_work+0x21e/0x680 [ 606.303409] worker_thread+0x190/0x350 [ 606.303424] ? __pfx_worker_thread+0x10/0x10 [ 606.303437] kthread+0xe7/0x120 [ 606.303449] ? __pfx_kthread+0x10/0x10 [ 606.303463] ret_from_fork+0x3c/0x60 [ 606.303476] ? __pfx_kthread+0x10/0x10 [ 606.303489] ret_from_fork_asm+0x1a/0x30 [ 606.303512] v2: Refactor lock handling to resolve circular dependency (Alex) - Introduced a `sched_work` flag to defer the call to `amdgpu_gfx_kfd_sch_ctrl` until after releasing `enforce_isolation_mutex`. - This change ensures that `amdgpu_gfx_kfd_sch_ctrl` is called outside the critical section, preventing the circular dependency and deadlock. - The `sched_work` flag is set within the mutex-protected section if conditions are met, and the actual function call is made afterward. - This approach ensures consistent lock acquisition order. Fixes: afefd6f24502 ("drm/amdgpu: Implement Enforce Isolation Handler for KGD/KFD serialization") Cc: Christian König Cc: Alex Deucher Signed-off-by: Srinivasan Shanmugam Suggested-by: Alex Deucher Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher (cherry picked from commit 0b6b2dd38336d5fd49214f0e4e6495e658e3ab44) Cc: stable@vger.kernel.org commit 59616a91e5e74833b2008b56c66879857c616006 Author: Chenyuan Yang Date: Sat Jan 11 12:09:51 2025 -0600 platform/x86: lenovo-yoga-tab2-pro-1380-fastcharger: fix serdev race The yt2_1380_fc_serdev_probe() function calls devm_serdev_device_open() before setting the client ops via serdev_device_set_client_ops(). This ordering can trigger a NULL pointer dereference in the serdev controller's receive_buf handler, as it assumes serdev->ops is valid when SERPORT_ACTIVE is set. This is similar to the issue fixed in commit 5e700b384ec1 ("platform/chrome: cros_ec_uart: properly fix race condition") where devm_serdev_device_open() was called before fully initializing the device. Fix the race by ensuring client ops are set before enabling the port via devm_serdev_device_open(). Note, serdev_device_set_baudrate() and serdev_device_set_flow_control() calls should be after the devm_serdev_device_open() call. Fixes: b2ed33e8d486 ("platform/x86: Add lenovo-yoga-tab2-pro-1380-fastcharger driver") Signed-off-by: Chenyuan Yang Reviewed-by: Hans de Goede Link: https://lore.kernel.org/r/20250111180951.2277757-1-chenyuan0y@gmail.com Reviewed-by: Ilpo Järvinen Signed-off-by: Ilpo Järvinen commit 1b2128aa2d45ab20b22548dcf4b48906298ca7fd Author: Chenyuan Yang Date: Sat Jan 11 12:01:18 2025 -0600 platform/x86: dell-uart-backlight: fix serdev race The dell_uart_bl_serdev_probe() function calls devm_serdev_device_open() before setting the client ops via serdev_device_set_client_ops(). This ordering can trigger a NULL pointer dereference in the serdev controller's receive_buf handler, as it assumes serdev->ops is valid when SERPORT_ACTIVE is set. This is similar to the issue fixed in commit 5e700b384ec1 ("platform/chrome: cros_ec_uart: properly fix race condition") where devm_serdev_device_open() was called before fully initializing the device. Fix the race by ensuring client ops are set before enabling the port via devm_serdev_device_open(). Note, serdev_device_set_baudrate() and serdev_device_set_flow_control() calls should be after the devm_serdev_device_open() call. Fixes: 484bae9e4d6a ("platform/x86: Add new Dell UART backlight driver") Signed-off-by: Chenyuan Yang Reviewed-by: Hans de Goede Link: https://lore.kernel.org/r/20250111180118.2274516-1-chenyuan0y@gmail.com Reviewed-by: Ilpo Järvinen Signed-off-by: Ilpo Järvinen commit 94d529a3255ce65496e932173d7f13e801170597 Author: Steven Rostedt Date: Tue Jan 14 10:12:02 2025 -0500 ftrace: Document that multiple function_graph tracing may have different times The function graph tracer now calculates the calltime internally and for each instance. If there are two instances that are running function graph tracer and are tracing the same functions, the timings of the length of those functions may be slightly different: # trace-cmd record -B foo -p function_graph -B bar -p function_graph sleep 5 # trace-cmd report [..] bar: sleep-981 [000] ...1. 1101.109027: funcgraph_entry: 0.764 us | mutex_unlock(); (ret=0xffff8abcc256c300) foo: sleep-981 [000] ...1. 1101.109028: funcgraph_entry: 0.748 us | mutex_unlock(); (ret=0xffff8abcc256c300) bar: sleep-981 [000] ..... 1101.109029: funcgraph_exit: 2.456 us | } (ret=0xffff8abcc256c300) foo: sleep-981 [000] ..... 1101.109029: funcgraph_exit: 2.403 us | } (ret=0xffff8abcc256c300) bar: sleep-981 [000] d..1. 1101.109031: funcgraph_entry: 0.844 us | fpregs_assert_state_consistent(); (ret=0x0) foo: sleep-981 [000] d..1. 1101.109032: funcgraph_entry: 0.803 us | fpregs_assert_state_consistent(); (ret=0x0) Link: https://lore.kernel.org/all/20250114101806.b2778cb01f34f5be9d23ad98@kernel.org/ Cc: Mark Rutland Cc: Mathieu Desnoyers Suggested-by: Masami Hiramatsu Link: https://lore.kernel.org/20250114101202.02e7bc68@gandalf.local.home Signed-off-by: Steven Rostedt (Google) commit 24e0e610400aa2c765ee87b1b3c1401732b20fc5 Author: Shrikanth Hegde Date: Fri Jan 3 15:06:47 2025 +0530 tracing: Print lazy preemption model Print lazy preemption model in ftrace header when latency-format=1. # cat /sys/kernel/debug/sched/preempt none voluntary full (lazy) Without patch: latency: 0 us, #232946/232946, CPU#40 | (M:unknown VP:0, KP:0, SP:0 HP:0 #P:80) ^^^^^^^ With Patch: latency: 0 us, #1897938/25566788, CPU#16 | (M:lazy VP:0, KP:0, SP:0 HP:0 #P:80) ^^^^ Now that lazy preemption is part of the kernel, make sure the tracing infrastructure reflects that. Link: https://lore.kernel.org/20250103093647.575919-1-sshegde@linux.ibm.com Signed-off-by: Shrikanth Hegde Acked-by: Masami Hiramatsu (Google) Signed-off-by: Steven Rostedt (Google) commit a485ea9e3ef31ac4e3a2245cdb11fa73352b950f Author: Steven Rostedt Date: Mon Jan 13 18:31:24 2025 -0500 tracing: Fix irqsoff and wakeup latency tracers when using function graph The function graph tracer has become generic so that kretprobes and BPF can use it along with function graph tracing itself. Some of the infrastructure was specific for function graph tracing such as recording the calltime and return time of the functions. Calling the clock code on a high volume function does add overhead. The calculation of the calltime was removed from the generic code and placed into the function graph tracer itself so that the other users did not incur this overhead as they did not need that timestamp. The calltime field was still kept in the generic return entry structure and the function graph return entry callback filled it as that structure was passed to other code. But this broke both irqsoff and wakeup latency tracer as they still depended on the trace structure containing the calltime when the option display-graph is set as it used some of those same functions that the function graph tracer used. But now the calltime was not set and was just zero. This caused the calculation of the function time to be the absolute value of the return timestamp and not the length of the function. # cd /sys/kernel/tracing # echo 1 > options/display-graph # echo irqsoff > current_tracer The tracers went from: # REL TIME CPU TASK/PID |||| DURATION FUNCTION CALLS # | | | | |||| | | | | | | 0 us | 4) -0 | d..1. | 0.000 us | irqentry_enter(); 3 us | 4) -0 | d..2. | | irq_enter_rcu() { 4 us | 4) -0 | d..2. | 0.431 us | preempt_count_add(); 5 us | 4) -0 | d.h2. | | tick_irq_enter() { 5 us | 4) -0 | d.h2. | 0.433 us | tick_check_oneshot_broadcast_this_cpu(); 6 us | 4) -0 | d.h2. | 2.426 us | ktime_get(); 9 us | 4) -0 | d.h2. | | tick_nohz_stop_idle() { 10 us | 4) -0 | d.h2. | 0.398 us | nr_iowait_cpu(); 11 us | 4) -0 | d.h1. | 1.903 us | } 11 us | 4) -0 | d.h2. | | tick_do_update_jiffies64() { 12 us | 4) -0 | d.h2. | | _raw_spin_lock() { 12 us | 4) -0 | d.h2. | 0.360 us | preempt_count_add(); 13 us | 4) -0 | d.h3. | 0.354 us | do_raw_spin_lock(); 14 us | 4) -0 | d.h2. | 2.207 us | } 15 us | 4) -0 | d.h3. | 0.428 us | calc_global_load(); 16 us | 4) -0 | d.h3. | | _raw_spin_unlock() { 16 us | 4) -0 | d.h3. | 0.380 us | do_raw_spin_unlock(); 17 us | 4) -0 | d.h3. | 0.334 us | preempt_count_sub(); 18 us | 4) -0 | d.h1. | 1.768 us | } 18 us | 4) -0 | d.h2. | | update_wall_time() { [..] To: # REL TIME CPU TASK/PID |||| DURATION FUNCTION CALLS # | | | | |||| | | | | | | 0 us | 5) -0 | d.s2. | 0.000 us | _raw_spin_lock_irqsave(); 0 us | 5) -0 | d.s3. | 312159583 us | preempt_count_add(); 2 us | 5) -0 | d.s4. | 312159585 us | do_raw_spin_lock(); 3 us | 5) -0 | d.s4. | | _raw_spin_unlock() { 3 us | 5) -0 | d.s4. | 312159586 us | do_raw_spin_unlock(); 4 us | 5) -0 | d.s4. | 312159587 us | preempt_count_sub(); 4 us | 5) -0 | d.s2. | 312159587 us | } 5 us | 5) -0 | d.s3. | | _raw_spin_lock() { 5 us | 5) -0 | d.s3. | 312159588 us | preempt_count_add(); 6 us | 5) -0 | d.s4. | 312159589 us | do_raw_spin_lock(); 7 us | 5) -0 | d.s3. | 312159590 us | } 8 us | 5) -0 | d.s4. | 312159591 us | calc_wheel_index(); 9 us | 5) -0 | d.s4. | | enqueue_timer() { 9 us | 5) -0 | d.s4. | | wake_up_nohz_cpu() { 11 us | 5) -0 | d.s4. | | native_smp_send_reschedule() { 11 us | 5) -0 | d.s4. | 312171987 us | default_send_IPI_single_phys(); 12408 us | 5) -0 | d.s3. | 312171990 us | } 12408 us | 5) -0 | d.s3. | 312171991 us | } 12409 us | 5) -0 | d.s3. | 312171991 us | } Where the calculation of the time for each function was the return time minus zero and not the time of when the function returned. Have these tracers also save the calltime in the fgraph data section and retrieve it again on the return to get the correct timings again. Cc: Masami Hiramatsu Cc: Mathieu Desnoyers Cc: Mark Rutland Link: https://lore.kernel.org/20250113183124.61767419@gandalf.local.home Fixes: f1f36e22bee9 ("ftrace: Have calltime be saved in the fgraph storage") Signed-off-by: Steven Rostedt (Google) commit 9860370c2172704b6b4f0075a0c2a29fd84af96a Author: Sean Anderson Date: Fri Jan 10 11:33:54 2025 -0500 gpio: xilinx: Convert gpio_lock to raw spinlock irq_chip functions may be called in raw spinlock context. Therefore, we must also use a raw spinlock for our own internal locking. This fixes the following lockdep splat: [ 5.349336] ============================= [ 5.353349] [ BUG: Invalid wait context ] [ 5.357361] 6.13.0-rc5+ #69 Tainted: G W [ 5.363031] ----------------------------- [ 5.367045] kworker/u17:1/44 is trying to lock: [ 5.371587] ffffff88018b02c0 (&chip->gpio_lock){....}-{3:3}, at: xgpio_irq_unmask (drivers/gpio/gpio-xilinx.c:433 (discriminator 8)) [ 5.380079] other info that might help us debug this: [ 5.385138] context-{5:5} [ 5.387762] 5 locks held by kworker/u17:1/44: [ 5.392123] #0: ffffff8800014958 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work (kernel/workqueue.c:3204) [ 5.402260] #1: ffffffc082fcbdd8 (deferred_probe_work){+.+.}-{0:0}, at: process_one_work (kernel/workqueue.c:3205) [ 5.411528] #2: ffffff880172c900 (&dev->mutex){....}-{4:4}, at: __device_attach (drivers/base/dd.c:1006) [ 5.419929] #3: ffffff88039c8268 (request_class#2){+.+.}-{4:4}, at: __setup_irq (kernel/irq/internals.h:156 kernel/irq/manage.c:1596) [ 5.428331] #4: ffffff88039c80c8 (lock_class#2){....}-{2:2}, at: __setup_irq (kernel/irq/manage.c:1614) [ 5.436472] stack backtrace: [ 5.439359] CPU: 2 UID: 0 PID: 44 Comm: kworker/u17:1 Tainted: G W 6.13.0-rc5+ #69 [ 5.448690] Tainted: [W]=WARN [ 5.451656] Hardware name: xlnx,zynqmp (DT) [ 5.455845] Workqueue: events_unbound deferred_probe_work_func [ 5.461699] Call trace: [ 5.464147] show_stack+0x18/0x24 C [ 5.467821] dump_stack_lvl (lib/dump_stack.c:123) [ 5.471501] dump_stack (lib/dump_stack.c:130) [ 5.474824] __lock_acquire (kernel/locking/lockdep.c:4828 kernel/locking/lockdep.c:4898 kernel/locking/lockdep.c:5176) [ 5.478758] lock_acquire (arch/arm64/include/asm/percpu.h:40 kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5851 kernel/locking/lockdep.c:5814) [ 5.482429] _raw_spin_lock_irqsave (include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162) [ 5.486797] xgpio_irq_unmask (drivers/gpio/gpio-xilinx.c:433 (discriminator 8)) [ 5.490737] irq_enable (kernel/irq/internals.h:236 kernel/irq/chip.c:170 kernel/irq/chip.c:439 kernel/irq/chip.c:432 kernel/irq/chip.c:345) [ 5.494060] __irq_startup (kernel/irq/internals.h:241 kernel/irq/chip.c:180 kernel/irq/chip.c:250) [ 5.497645] irq_startup (kernel/irq/chip.c:270) [ 5.501143] __setup_irq (kernel/irq/manage.c:1807) [ 5.504728] request_threaded_irq (kernel/irq/manage.c:2208) Fixes: a32c7caea292 ("gpio: gpio-xilinx: Add interrupt support") Signed-off-by: Sean Anderson Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20250110163354.2012654-1-sean.anderson@linux.dev Signed-off-by: Bartosz Golaszewski commit 665bcfc982deef247016a9ff679cdf45ae37162c Merge: 0865b9fdb27219 91751e248256ef Author: Paolo Abeni Date: Tue Jan 14 12:29:39 2025 +0100 Merge branch 'vsock-some-fixes-due-to-transport-de-assignment' Stefano Garzarella says: ==================== vsock: some fixes due to transport de-assignment v1: https://lore.kernel.org/netdev/20250108180617.154053-1-sgarzare@redhat.com/ v2: - Added patch 3 to cancel the virtio close delayed work when de-assigning the transport - Added patch 4 to clean the socket state after de-assigning the transport - Added patch 5 as suggested by Michael and Hyunwoo Kim. It's based on Hyunwoo Kim and Wongi Lee patch [1] but using WARN_ON and covering more functions - Added R-b/T-b tags This series includes two patches discussed in the thread started by Hyunwoo Kim a few weeks ago [1], plus 3 more patches added after some discussions on v1 (see changelog). All related to the case where a vsock socket is de-assigned from a transport (e.g., because the connect fails or is interrupted by a signal) and then assigned to another transport or to no-one (NULL). I tested with usual vsock test suite, plus Michal repro [2]. (Note: the repo works only if a G2H transport is not loaded, e.g. virtio-vsock driver). The first patch is a fix more appropriate to the problem reported in that thread, the second patch on the other hand is a related fix but of a different problem highlighted by Michal Luczaj. It's present only in vsock_bpf and already handled in af_vsock.c The third patch is to cancel the virtio close delayed work when de-assigning the transport, the fourth patch is to clean the socket state after de-assigning the transport, the last patch adds warnings and prevents null-ptr-deref in vsock_*[has_data|has_space]. Hyunwoo Kim, Michal, if you can test and report your Tested-by that would be great! [1] https://lore.kernel.org/netdev/Z2K%2FI4nlHdfMRTZC@v4bel-B760M-AORUS-ELITE-AX/ [2] https://lore.kernel.org/netdev/2b3062e3-bdaa-4c94-a3c0-2930595b9670@rbox.co/ ==================== Link: https://patch.msgid.link/20250110083511.30419-1-sgarzare@redhat.com Signed-off-by: Paolo Abeni commit 91751e248256efc111e52e15115840c35d85abaf Author: Stefano Garzarella Date: Fri Jan 10 09:35:11 2025 +0100 vsock: prevent null-ptr-deref in vsock_*[has_data|has_space] Recent reports have shown how we sometimes call vsock_*_has_data() when a vsock socket has been de-assigned from a transport (see attached links), but we shouldn't. Previous commits should have solved the real problems, but we may have more in the future, so to avoid null-ptr-deref, we can return 0 (no space, no data available) but with a warning. This way the code should continue to run in a nearly consistent state and have a warning that allows us to debug future problems. Fixes: c0cfa2d8a788 ("vsock: add multi-transports support") Cc: stable@vger.kernel.org Link: https://lore.kernel.org/netdev/Z2K%2FI4nlHdfMRTZC@v4bel-B760M-AORUS-ELITE-AX/ Link: https://lore.kernel.org/netdev/5ca20d4c-1017-49c2-9516-f6f75fd331e9@rbox.co/ Link: https://lore.kernel.org/netdev/677f84a8.050a0220.25a300.01b3.GAE@google.com/ Co-developed-by: Hyunwoo Kim Signed-off-by: Hyunwoo Kim Co-developed-by: Wongi Lee Signed-off-by: Wongi Lee Signed-off-by: Stefano Garzarella Reviewed-by: Luigi Leonardi Reviewed-by: Hyunwoo Kim Signed-off-by: Paolo Abeni commit a24009bc9be60242651a21702609381b5092459e Author: Stefano Garzarella Date: Fri Jan 10 09:35:10 2025 +0100 vsock: reset socket state when de-assigning the transport Transport's release() and destruct() are called when de-assigning the vsock transport. These callbacks can touch some socket state like sock flags, sk_state, and peer_shutdown. Since we are reassigning the socket to a new transport during vsock_connect(), let's reset these fields to have a clean state with the new transport. Fixes: c0cfa2d8a788 ("vsock: add multi-transports support") Cc: stable@vger.kernel.org Signed-off-by: Stefano Garzarella Reviewed-by: Luigi Leonardi Signed-off-by: Paolo Abeni commit df137da9d6d166e87e40980e36eb8e0bc90483ef Author: Stefano Garzarella Date: Fri Jan 10 09:35:09 2025 +0100 vsock/virtio: cancel close work in the destructor During virtio_transport_release() we can schedule a delayed work to perform the closing of the socket before destruction. The destructor is called either when the socket is really destroyed (reference counter to zero), or it can also be called when we are de-assigning the transport. In the former case, we are sure the delayed work has completed, because it holds a reference until it completes, so the destructor will definitely be called after the delayed work is finished. But in the latter case, the destructor is called by AF_VSOCK core, just after the release(), so there may still be delayed work scheduled. Refactor the code, moving the code to delete the close work already in the do_close() to a new function. Invoke it during destruction to make sure we don't leave any pending work. Fixes: c0cfa2d8a788 ("vsock: add multi-transports support") Cc: stable@vger.kernel.org Reported-by: Hyunwoo Kim Closes: https://lore.kernel.org/netdev/Z37Sh+utS+iV3+eb@v4bel-B760M-AORUS-ELITE-AX/ Signed-off-by: Stefano Garzarella Reviewed-by: Luigi Leonardi Tested-by: Hyunwoo Kim Signed-off-by: Paolo Abeni commit f6abafcd32f9cfc4b1a2f820ecea70773e26d423 Author: Stefano Garzarella Date: Fri Jan 10 09:35:08 2025 +0100 vsock/bpf: return early if transport is not assigned Some of the core functions can only be called if the transport has been assigned. As Michal reported, a socket might have the transport at NULL, for example after a failed connect(), causing the following trace: BUG: kernel NULL pointer dereference, address: 00000000000000a0 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 12faf8067 P4D 12faf8067 PUD 113670067 PMD 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 15 UID: 0 PID: 1198 Comm: a.out Not tainted 6.13.0-rc2+ RIP: 0010:vsock_connectible_has_data+0x1f/0x40 Call Trace: vsock_bpf_recvmsg+0xca/0x5e0 sock_recvmsg+0xb9/0xc0 __sys_recvfrom+0xb3/0x130 __x64_sys_recvfrom+0x20/0x30 do_syscall_64+0x93/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e So we need to check the `vsk->transport` in vsock_bpf_recvmsg(), especially for connected sockets (stream/seqpacket) as we already do in __vsock_connectible_recvmsg(). Fixes: 634f1a7110b4 ("vsock: support sockmap") Cc: stable@vger.kernel.org Reported-by: Michal Luczaj Closes: https://lore.kernel.org/netdev/5ca20d4c-1017-49c2-9516-f6f75fd331e9@rbox.co/ Tested-by: Michal Luczaj Reported-by: syzbot+3affdbfc986ecd9200fd@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/677f84a8.050a0220.25a300.01b3.GAE@google.com/ Tested-by: syzbot+3affdbfc986ecd9200fd@syzkaller.appspotmail.com Reviewed-by: Hyunwoo Kim Acked-by: Michael S. Tsirkin Reviewed-by: Luigi Leonardi Signed-off-by: Stefano Garzarella Signed-off-by: Paolo Abeni commit 2cb7c756f605ec02ffe562fb26828e4bcc5fdfc1 Author: Stefano Garzarella Date: Fri Jan 10 09:35:07 2025 +0100 vsock/virtio: discard packets if the transport changes If the socket has been de-assigned or assigned to another transport, we must discard any packets received because they are not expected and would cause issues when we access vsk->transport. A possible scenario is described by Hyunwoo Kim in the attached link, where after a first connect() interrupted by a signal, and a second connect() failed, we can find `vsk->transport` at NULL, leading to a NULL pointer dereference. Fixes: c0cfa2d8a788 ("vsock: add multi-transports support") Cc: stable@vger.kernel.org Reported-by: Hyunwoo Kim Reported-by: Wongi Lee Closes: https://lore.kernel.org/netdev/Z2LvdTTQR7dBmPb5@v4bel-B760M-AORUS-ELITE-AX/ Signed-off-by: Stefano Garzarella Reviewed-by: Hyunwoo Kim Signed-off-by: Paolo Abeni commit 0865b9fdb27219db79f3687bc50a0b534b437ee7 Merge: 644f9108f3a505 ffc90e9ca61b0f Author: Paolo Abeni Date: Tue Jan 14 11:20:06 2025 +0100 Merge branch 'gtp-pfcp-fix-use-after-free-of-udp-tunnel-socket' Kuniyuki Iwashima says: ==================== gtp/pfcp: Fix use-after-free of UDP tunnel socket. Xiao Liang pointed out weird netns usages in ->newlink() of gtp and pfcp. This series fixes the issues. Link: https://lore.kernel.org/netdev/20250104125732.17335-1-shaw.leon@gmail.com/ Changes: v2: * Patch 1 * Fix uninit/unused local var v1: https://lore.kernel.org/netdev/20250108062834.11117-1-kuniyu@amazon.com/ ==================== Link: https://patch.msgid.link/20250110014754.33847-1-kuniyu@amazon.com Signed-off-by: Paolo Abeni commit ffc90e9ca61b0f619326a1417ff32efd6cc71ed2 Author: Kuniyuki Iwashima Date: Fri Jan 10 10:47:54 2025 +0900 pfcp: Destroy device along with udp socket's netns dismantle. pfcp_newlink() links the device to a list in dev_net(dev) instead of net, where a udp tunnel socket is created. Even when net is removed, the device stays alive on dev_net(dev). Then, removing net triggers the splat below. [0] In this example, pfcp0 is created in ns2, but the udp socket is created in ns1. ip netns add ns1 ip netns add ns2 ip -n ns1 link add netns ns2 name pfcp0 type pfcp ip netns del ns1 Let's link the device to the socket's netns instead. Now, pfcp_net_exit() needs another netdev iteration to remove all pfcp devices in the netns. pfcp_dev_list is not used under RCU, so the list API is converted to the non-RCU variant. pfcp_net_exit() can be converted to .exit_batch_rtnl() in net-next. [0]: ref_tracker: net notrefcnt@00000000128b34dc has 1/1 users at sk_alloc (./include/net/net_namespace.h:345 net/core/sock.c:2236) inet_create (net/ipv4/af_inet.c:326 net/ipv4/af_inet.c:252) __sock_create (net/socket.c:1558) udp_sock_create4 (net/ipv4/udp_tunnel_core.c:18) pfcp_create_sock (drivers/net/pfcp.c:168) pfcp_newlink (drivers/net/pfcp.c:182 drivers/net/pfcp.c:197) rtnl_newlink (net/core/rtnetlink.c:3786 net/core/rtnetlink.c:3897 net/core/rtnetlink.c:4012) rtnetlink_rcv_msg (net/core/rtnetlink.c:6922) netlink_rcv_skb (net/netlink/af_netlink.c:2542) netlink_unicast (net/netlink/af_netlink.c:1321 net/netlink/af_netlink.c:1347) netlink_sendmsg (net/netlink/af_netlink.c:1891) ____sys_sendmsg (net/socket.c:711 net/socket.c:726 net/socket.c:2583) ___sys_sendmsg (net/socket.c:2639) __sys_sendmsg (net/socket.c:2669) do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) WARNING: CPU: 1 PID: 11 at lib/ref_tracker.c:179 ref_tracker_dir_exit (lib/ref_tracker.c:179) Modules linked in: CPU: 1 UID: 0 PID: 11 Comm: kworker/u16:0 Not tainted 6.13.0-rc5-00147-g4c1224501e9d #5 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Workqueue: netns cleanup_net RIP: 0010:ref_tracker_dir_exit (lib/ref_tracker.c:179) Code: 00 00 00 fc ff df 4d 8b 26 49 bd 00 01 00 00 00 00 ad de 4c 39 f5 0f 85 df 00 00 00 48 8b 74 24 08 48 89 df e8 a5 cc 12 02 90 <0f> 0b 90 48 8d 6b 44 be 04 00 00 00 48 89 ef e8 80 de 67 ff 48 89 RSP: 0018:ff11000007f3fb60 EFLAGS: 00010286 RAX: 00000000000020ef RBX: ff1100000d6481e0 RCX: 1ffffffff0e40d82 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff8423ee3c RBP: ff1100000d648230 R08: 0000000000000001 R09: fffffbfff0e395af R10: 0000000000000001 R11: 0000000000000000 R12: ff1100000d648230 R13: dead000000000100 R14: ff1100000d648230 R15: dffffc0000000000 FS: 0000000000000000(0000) GS:ff1100006ce80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005620e1363990 CR3: 000000000eeb2002 CR4: 0000000000771ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: ? __warn (kernel/panic.c:748) ? ref_tracker_dir_exit (lib/ref_tracker.c:179) ? report_bug (lib/bug.c:201 lib/bug.c:219) ? handle_bug (arch/x86/kernel/traps.c:285) ? exc_invalid_op (arch/x86/kernel/traps.c:309 (discriminator 1)) ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621) ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:97 ./arch/x86/include/asm/irqflags.h:155 ./include/linux/spinlock_api_smp.h:151 kernel/locking/spinlock.c:194) ? ref_tracker_dir_exit (lib/ref_tracker.c:179) ? __pfx_ref_tracker_dir_exit (lib/ref_tracker.c:158) ? kfree (mm/slub.c:4613 mm/slub.c:4761) net_free (net/core/net_namespace.c:476 net/core/net_namespace.c:467) cleanup_net (net/core/net_namespace.c:664 (discriminator 3)) process_one_work (kernel/workqueue.c:3229) worker_thread (kernel/workqueue.c:3304 kernel/workqueue.c:3391) kthread (kernel/kthread.c:389) ret_from_fork (arch/x86/kernel/process.c:147) ret_from_fork_asm (arch/x86/entry/entry_64.S:257) Fixes: 76c8764ef36a ("pfcp: add PFCP module") Reported-by: Xiao Liang Closes: https://lore.kernel.org/netdev/20250104125732.17335-1-shaw.leon@gmail.com/ Signed-off-by: Kuniyuki Iwashima Signed-off-by: Paolo Abeni commit eb28fd76c0a08a47b470677c6cef9dd1c60e92d1 Author: Kuniyuki Iwashima Date: Fri Jan 10 10:47:53 2025 +0900 gtp: Destroy device along with udp socket's netns dismantle. gtp_newlink() links the device to a list in dev_net(dev) instead of src_net, where a udp tunnel socket is created. Even when src_net is removed, the device stays alive on dev_net(dev). Then, removing src_net triggers the splat below. [0] In this example, gtp0 is created in ns2, and the udp socket is created in ns1. ip netns add ns1 ip netns add ns2 ip -n ns1 link add netns ns2 name gtp0 type gtp role sgsn ip netns del ns1 Let's link the device to the socket's netns instead. Now, gtp_net_exit_batch_rtnl() needs another netdev iteration to remove all gtp devices in the netns. [0]: ref_tracker: net notrefcnt@000000003d6e7d05 has 1/2 users at sk_alloc (./include/net/net_namespace.h:345 net/core/sock.c:2236) inet_create (net/ipv4/af_inet.c:326 net/ipv4/af_inet.c:252) __sock_create (net/socket.c:1558) udp_sock_create4 (net/ipv4/udp_tunnel_core.c:18) gtp_create_sock (./include/net/udp_tunnel.h:59 drivers/net/gtp.c:1423) gtp_create_sockets (drivers/net/gtp.c:1447) gtp_newlink (drivers/net/gtp.c:1507) rtnl_newlink (net/core/rtnetlink.c:3786 net/core/rtnetlink.c:3897 net/core/rtnetlink.c:4012) rtnetlink_rcv_msg (net/core/rtnetlink.c:6922) netlink_rcv_skb (net/netlink/af_netlink.c:2542) netlink_unicast (net/netlink/af_netlink.c:1321 net/netlink/af_netlink.c:1347) netlink_sendmsg (net/netlink/af_netlink.c:1891) ____sys_sendmsg (net/socket.c:711 net/socket.c:726 net/socket.c:2583) ___sys_sendmsg (net/socket.c:2639) __sys_sendmsg (net/socket.c:2669) do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) WARNING: CPU: 1 PID: 60 at lib/ref_tracker.c:179 ref_tracker_dir_exit (lib/ref_tracker.c:179) Modules linked in: CPU: 1 UID: 0 PID: 60 Comm: kworker/u16:2 Not tainted 6.13.0-rc5-00147-g4c1224501e9d #5 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Workqueue: netns cleanup_net RIP: 0010:ref_tracker_dir_exit (lib/ref_tracker.c:179) Code: 00 00 00 fc ff df 4d 8b 26 49 bd 00 01 00 00 00 00 ad de 4c 39 f5 0f 85 df 00 00 00 48 8b 74 24 08 48 89 df e8 a5 cc 12 02 90 <0f> 0b 90 48 8d 6b 44 be 04 00 00 00 48 89 ef e8 80 de 67 ff 48 89 RSP: 0018:ff11000009a07b60 EFLAGS: 00010286 RAX: 0000000000002bd3 RBX: ff1100000f4e1aa0 RCX: 1ffffffff0e40ac6 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff8423ee3c RBP: ff1100000f4e1af0 R08: 0000000000000001 R09: fffffbfff0e395ae R10: 0000000000000001 R11: 0000000000036001 R12: ff1100000f4e1af0 R13: dead000000000100 R14: ff1100000f4e1af0 R15: dffffc0000000000 FS: 0000000000000000(0000) GS:ff1100006ce80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f9b2464bd98 CR3: 0000000005286005 CR4: 0000000000771ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: ? __warn (kernel/panic.c:748) ? ref_tracker_dir_exit (lib/ref_tracker.c:179) ? report_bug (lib/bug.c:201 lib/bug.c:219) ? handle_bug (arch/x86/kernel/traps.c:285) ? exc_invalid_op (arch/x86/kernel/traps.c:309 (discriminator 1)) ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621) ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:97 ./arch/x86/include/asm/irqflags.h:155 ./include/linux/spinlock_api_smp.h:151 kernel/locking/spinlock.c:194) ? ref_tracker_dir_exit (lib/ref_tracker.c:179) ? __pfx_ref_tracker_dir_exit (lib/ref_tracker.c:158) ? kfree (mm/slub.c:4613 mm/slub.c:4761) net_free (net/core/net_namespace.c:476 net/core/net_namespace.c:467) cleanup_net (net/core/net_namespace.c:664 (discriminator 3)) process_one_work (kernel/workqueue.c:3229) worker_thread (kernel/workqueue.c:3304 kernel/workqueue.c:3391) kthread (kernel/kthread.c:389) ret_from_fork (arch/x86/kernel/process.c:147) ret_from_fork_asm (arch/x86/entry/entry_64.S:257) Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)") Reported-by: Xiao Liang Closes: https://lore.kernel.org/netdev/20250104125732.17335-1-shaw.leon@gmail.com/ Signed-off-by: Kuniyuki Iwashima Signed-off-by: Paolo Abeni commit 46841c7053e6d25fb33e0534ef023833bf03e382 Author: Kuniyuki Iwashima Date: Fri Jan 10 10:47:52 2025 +0900 gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp(). gtp_newlink() links the gtp device to a list in dev_net(dev). However, even after the gtp device is moved to another netns, it stays on the list but should be invisible. Let's use for_each_netdev_rcu() for netdev traversal in gtp_genl_dump_pdp(). Note that gtp_dev_list is no longer used under RCU, so list helpers are converted to the non-RCU variant. Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)") Reported-by: Xiao Liang Closes: https://lore.kernel.org/netdev/CABAhCOQdBL6h9M2C+kd+bGivRJ9Q72JUxW+-gur0nub_=PmFPA@mail.gmail.com/ Signed-off-by: Kuniyuki Iwashima Signed-off-by: Paolo Abeni commit 644f9108f3a505022ef43510e5143cb985e0cf8b Author: Philo Lu Date: Fri Jan 10 09:08:10 2025 +0800 udp: Make rehash4 independent in udp_lib_rehash() As discussed in [0], rehash4 could be missed in udp_lib_rehash() when udp hash4 changes while hash2 doesn't change. This patch fixes this by moving rehash4 codes out of rehash2 checking, and then rehash2 and rehash4 are done separately. By doing this, we no longer need to call rehash4 explicitly in udp_lib_hash4(), as the rehash callback in __ip4_datagram_connect takes it. Thus, now udp_lib_hash4() returns directly if the sk is already hashed. Note that uhash4 may fail to work under consecutive connect() calls because rehash() is not called with every connect(). To overcome this, connect() needs to be called after the next connect to a new destination. [0] https://lore.kernel.org/all/4761e466ab9f7542c68cdc95f248987d127044d2.1733499715.git.pabeni@redhat.com/ Fixes: 78c91ae2c6de ("ipv4/udp: Add 4-tuple hash for connected socket") Suggested-by: Paolo Abeni Signed-off-by: Philo Lu Link: https://patch.msgid.link/20250110010810.107145-1-lulie@linux.alibaba.com Signed-off-by: Paolo Abeni commit 1a5401ec3018c101c456cdbda2eaef9482db6786 Author: Ville Syrjälä Date: Fri Nov 29 08:50:11 2024 +0200 drm/i915/fb: Relax clear color alignment to 64 bytes Mesa changed its clear color alignment from 4k to 64 bytes without informing the kernel side about the change. This is now likely to cause framebuffer creation to fail. The only thing we do with the clear color buffer in i915 is: 1. map a single page 2. read out bytes 16-23 from said page 3. unmap the page So the only requirement we really have is that those 8 bytes are all contained within one page. Thus we can deal with the Mesa regression by reducing the alignment requiment from 4k to the same 64 bytes in the kernel. We could even go as low as 32 bytes, but IIRC 64 bytes is the hardware requirement on the 3D engine side so matching that seems sensible. Note that the Mesa alignment chages were partially undone so the regression itself was already fixed on userspace side. Cc: stable@vger.kernel.org Cc: Sagar Ghuge Cc: Nanley Chery Reported-by: Xi Ruoyao Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/13057 Closes: https://lore.kernel.org/all/45a5bba8de009347262d86a4acb27169d9ae0d9f.camel@xry111.site/ Link: https://gitlab.freedesktop.org/mesa/mesa/-/commit/17f97a69c13832a6c1b0b3aad45b06f07d4b852f Link: https://gitlab.freedesktop.org/mesa/mesa/-/commit/888f63cf1baf34bc95e847a30a041dc7798edddb Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20241129065014.8363-2-ville.syrjala@linux.intel.com Tested-by: Xi Ruoyao Reviewed-by: José Roberto de Souza (cherry picked from commit ed3a892e5e3d6b3f6eeb76db7c92a968aeb52f3d) Signed-off-by: Tvrtko Ursulin commit 1f691a1fc4bef1c5cf5f503e14e1a22fc37c97e3 Author: Heiner Kallweit Date: Thu Jan 9 23:43:12 2025 +0100 r8169: remove redundant hwmon support The temperature sensor is actually part of the integrated PHY and available also on the standalone versions of the PHY. Therefore hwmon support will be added to the Realtek PHY driver and can be removed here. Fixes: 1ffcc8d41306 ("r8169: add support for the temperature sensor being available from RTL8125B") Signed-off-by: Heiner Kallweit Reviewed-by: Jacob Keller Link: https://patch.msgid.link/afba85f5-987b-4449-83cc-350438af7fe7@gmail.com Signed-off-by: Jakub Kicinski commit 9e2bbab94b88295dcc57c7580393c9ee08d7314d Author: Paul Fertser Date: Thu Jan 9 17:50:54 2025 +0300 net/ncsi: fix locking in Get MAC Address handling Obtaining RTNL lock in a response handler is not allowed since it runs in an atomic softirq context. Postpone setting the MAC address by adding a dedicated step to the configuration FSM. Fixes: 790071347a0a ("net/ncsi: change from ndo_set_mac_address to dev_set_mac_address") Cc: stable@vger.kernel.org Link: https://lore.kernel.org/20241129-potin-revert-ncsi-set-mac-addr-v1-1-94ea2cb596af@gmail.com Signed-off-by: Paul Fertser Tested-by: Potin Lai Link: https://patch.msgid.link/20250109145054.30925-1-fercerpav@gmail.com Signed-off-by: Jakub Kicinski commit fe4de594f7a2e9bc49407de60fbd20809fad4192 Author: Qu Wenruo Date: Wed Jan 8 14:14:04 2025 +1030 btrfs: add the missing error handling inside get_canonical_dev_path Inside function get_canonical_dev_path(), we call d_path() to get the final device path. But d_path() can return error, and in that case the next strscpy() call will trigger an invalid memory access. Add back the missing error handling for d_path(). Reported-by: Boris Burkov Fixes: 7e06de7c83a7 ("btrfs: canonicalize the device path before adding it") Signed-off-by: Qu Wenruo Signed-off-by: David Sterba commit 14578923e8c251091d2bb8a2756cde3b662ac316 Author: Chris Bainbridge Date: Sat Jan 11 18:59:45 2025 +0000 ACPI: video: Fix random crashes due to bad kfree() Commit c6a837088bed ("drm/amd/display: Fetch the EDID from _DDC if available for eDP") added function dm_helpers_probe_acpi_edid(), which fetches the EDID from the BIOS by calling acpi_video_get_edid(). acpi_video_get_edid() returns a pointer to the EDID, but this pointer does not originate from kmalloc() - it is actually the internal "pointer" field from an acpi_buffer struct (which did come from kmalloc()). dm_helpers_probe_acpi_edid() then attempts to kfree() the EDID pointer, resulting in memory corruption which leads to random, intermittent crashes (e.g. 4% of boots will fail with some Oops). Fix this by allocating a new array (which can be safely freed) for the EDID data, and correctly freeing the acpi_buffer pointer. The only other caller of acpi_video_get_edid() is nouveau_acpi_edid(): remove the extraneous kmemdup() here as the EDID data is now copied in acpi_video_device_EDID(). Signed-off-by: Chris Bainbridge Fixes: c6a837088bed ("drm/amd/display: Fetch the EDID from _DDC if available for eDP") Reviewed-by: Hans de Goede Reviewed-by: Mario Limonciello Reported-by: Borislav Petkov (AMD) Tested-by: Borislav Petkov (AMD) Closes: https://lore.kernel.org/amd-gfx/20250110175252.GBZ4FedNKqmBRaY4T3@fat_crate.local/T/#m324a23eb4c4c32fa7e89e31f8ba96c781e496fb1 Link: https://patch.msgid.link/Z4K_oQL7eA9Owkbs@debian.local [ rjw: Changed function description comment into a kerneldoc one ] [ rjw: Subject and changelog edits ] Signed-off-by: Rafael J. Wysocki commit 5a597a19a2148d1c5cd987907a60c042ab0f62d5 Author: Rafael J. Wysocki Date: Fri Jan 10 13:48:10 2025 +0100 cpuidle: teo: Update documentation after previous changes After previous changes, the description of the teo governor in the documentation comment does not match the code any more, so update it as appropriate. Fixes: 449914398083 ("cpuidle: teo: Remove recent intercepts metric") Fixes: 2662342079f5 ("cpuidle: teo: Gather statistics regarding whether or not to stop the tick") Fixes: 6da8f9ba5a87 ("cpuidle: teo: Skip tick_nohz_get_sleep_length() call in some cases") Signed-off-by: Rafael J. Wysocki Reviewed-by: Christian Loehle Link: https://patch.msgid.link/6120335.lOV4Wx5bFT@rjwysocki.net [ rjw: Corrected 3 typos found by Christian ] Signed-off-by: Rafael J. Wysocki commit 56098a4505e7ba54c7942c82eeca8de522c8c2ee Author: Rafael J. Wysocki Date: Fri Jan 10 13:46:43 2025 +0100 cpuidle: menu: Update documentation after previous changes After commit 38f83090f515 ("cpuidle: menu: Remove iowait influence") and other previous changes, the description of the menu governor in the documentation does not match the code any more, so update it as appropriate. Fixes: 38f83090f515 ("cpuidle: menu: Remove iowait influence") Fixes: 5484e31bbbff ("cpuidle: menu: Skip tick_nohz_get_sleep_length() call in some cases") Reported-by: Artem Bityutskiy Signed-off-by: Rafael J. Wysocki Reviewed-by: Christian Loehle Link: https://patch.msgid.link/12589281.O9o76ZdvQC@rjwysocki.net commit 67edb81d6e9af43a0d58edf74630f82cfda4155d Author: Tom Chung Date: Thu Dec 5 23:20:45 2024 +0800 drm/amd/display: Disable replay and psr while VRR is enabled [Why] Replay and PSR will cause some video corruption while VRR is enabled. [How] 1. Disable the Replay and PSR while VRR is enabled. 2. Change the amdgpu_dm_crtc_vrr_active() parameter to const. Because the function will only read data from dm_crtc_state. Reviewed-by: Sun peng Li Signed-off-by: Tom Chung Signed-off-by: Roman Li Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher (cherry picked from commit d7879340e987b3056b8ae39db255b6c19c170a0d) Cc: stable@vger.kernel.org commit b0a3e840ad287c33a86b5515d606451b7df86ad4 Author: Tom Chung Date: Thu Dec 5 23:08:28 2024 +0800 drm/amd/display: Fix PSR-SU not support but still call the amdgpu_dm_psr_enable [Why] The enum DC_PSR_VERSION_SU_1 of psr_version is 1 and DC_PSR_VERSION_UNSUPPORTED is 0xFFFFFFFF. The original code may has chance trigger the amdgpu_dm_psr_enable() while psr version is set to DC_PSR_VERSION_UNSUPPORTED. [How] Modify the condition to psr->psr_version == DC_PSR_VERSION_SU_1 Reviewed-by: Sun peng Li Signed-off-by: Tom Chung Signed-off-by: Roman Li Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher (cherry picked from commit f765e7ce0417f8dc38479b4b495047c397c16902) Cc: stable@vger.kernel.org commit 258f5f905815979f15d5151d2ea4f20d8e057fe1 Author: Karol Kolacinski Date: Tue Nov 5 13:29:16 2024 +0100 ice: Add correct PHY lane assignment Driver always naively assumes, that for PTP purposes, PHY lane to configure is corresponding to PF ID. This is not true for some port configurations, e.g.: - 2x50G per quad, where lanes used are 0 and 2 on each quad, but PF IDs are 0 and 1 - 100G per quad on 2 quads, where lanes used are 0 and 4, but PF IDs are 0 and 1 Use correct PHY lane assignment by getting and parsing port options. This is read from the NVM by the FW and provided to the driver with the indication of active port split. Remove ice_is_muxed_topo(), which is no longer needed. Fixes: 4409ea1726cb ("ice: Adjust PTP init for 2x50G E825C devices") Reviewed-by: Przemek Kitszel Reviewed-by: Arkadiusz Kubalewski Signed-off-by: Karol Kolacinski Signed-off-by: Grzegorz Nitka Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) Signed-off-by: Tony Nguyen commit 2e60560f1ec9b722f9c6699ec5d966f1732d14dd Author: Karol Kolacinski Date: Tue Nov 5 13:29:15 2024 +0100 ice: Fix ETH56G FC-FEC Rx offset value Fix ETH56G FC-FEC incorrect Rx offset value by changing it from -255.96 to -469.26 ns. Those values are derived from HW spec and reflect internal delays. Hex value is a fixed point representation in Q23.9 format. Fixes: 7cab44f1c35f ("ice: Introduce ETH56G PHY model for E825C products") Reviewed-by: Arkadiusz Kubalewski Signed-off-by: Karol Kolacinski Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) Signed-off-by: Tony Nguyen commit dc26548d729e5f732197d2b210fb77c745b01495 Author: Karol Kolacinski Date: Tue Nov 5 13:29:14 2024 +0100 ice: Fix quad registers read on E825 Quad registers are read/written incorrectly. E825 devices always use quad 0 address and differentiate between the PHYs by changing SBQ destination device (phy_0 or phy_0_peer). Add helpers for reading/writing PTP registers shared per quad and use correct quad address and SBQ destination device based on port. Fixes: 7cab44f1c35f ("ice: Introduce ETH56G PHY model for E825C products") Reviewed-by: Arkadiusz Kubalewski Signed-off-by: Karol Kolacinski Signed-off-by: Grzegorz Nitka Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) Signed-off-by: Tony Nguyen commit d79c304c76e9b30ff5527afc176b5c4f9f0374b6 Author: Karol Kolacinski Date: Tue Nov 5 13:29:13 2024 +0100 ice: Fix E825 initialization Current implementation checks revision of all PHYs on all PFs, which is incorrect and may result in initialization failure. Check only the revision of the current PHY. Fixes: 7cab44f1c35f ("ice: Introduce ETH56G PHY model for E825C products") Reviewed-by: Arkadiusz Kubalewski Signed-off-by: Karol Kolacinski Signed-off-by: Grzegorz Nitka Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) Signed-off-by: Tony Nguyen commit c45323b7560ec87c37c729b703c86ee65f136d75 Merge: 5bc55a333a2f73 cbc5dde0a46124 Author: Linus Torvalds Date: Mon Jan 13 09:03:18 2025 -0800 Merge tag 'mm-hotfixes-stable-2025-01-13-00-03' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Pull misc fixes from Andrew Morton: "18 hotfixes. 11 are cc:stable. 13 are MM and 5 are non-MM. All patches are singletons - please see the relevant changelogs for details" * tag 'mm-hotfixes-stable-2025-01-13-00-03' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm: fs/proc: fix softlockup in __read_vmcore (part 2) mm: fix assertion in folio_end_read() mm: vmscan : pgdemote vmstat is not getting updated when MGLRU is enabled. vmstat: disable vmstat_work on vmstat_cpu_down_prep() zram: fix potential UAF of zram table selftests/mm: set allocated memory to non-zero content in cow test mm: clear uffd-wp PTE/PMD state on mremap() module: fix writing of livepatch relocations in ROX text mm: zswap: properly synchronize freeing resources during CPU hotunplug Revert "mm: zswap: fix race between [de]compression and CPU hotunplug" hugetlb: fix NULL pointer dereference in trace_hugetlbfs_alloc_inode mm: fix div by zero in bdi_ratio_from_pages x86/execmem: fix ROX cache usage in Xen PV guests filemap: avoid truncating 64-bit offset to 32 bits tools: fix atomic_set() definition to set the value correctly mm/mempolicy: count MPOL_WEIGHTED_INTERLEAVE to "interleave_hit" scripts/decode_stacktrace.sh: fix decoding of lines with an additional info mm/kmemleak: fix percpu memory leak detection failure commit 1f9910b41c857a892b83801feebdc7bdf38c5985 Author: Dave Airlie Date: Thu Jan 9 10:55:53 2025 +1000 nouveau/fence: handle cross device fences properly The fence sync logic doesn't handle a fence sync across devices as it tries to write to a channel offset from one device into the fence bo from a different device, which won't work so well. This patch fixes that to avoid using the sync path in the case where the fences come from different nouveau drm devices. This works fine on a single device as the fence bo is shared across the devices, and mapped into each channels vma space, the channel offsets are therefore okay to pass between sides, so one channel can sync on the seqnos from the other by using the offset into it's vma. Signed-off-by: Dave Airlie Cc: stable@vger.kernel.org Reviewed-by: Ben Skeggs [ Fix compilation issue; remove version log from commit messsage. - Danilo ] Signed-off-by: Danilo Krummrich Link: https://patchwork.freedesktop.org/patch/msgid/20250109005553.623947-1-airlied@gmail.com commit 66951e4860d3c688bfa550ea4a19635b57e00eca Author: Peter Zijlstra Date: Mon Jan 13 13:50:11 2025 +0100 sched/fair: Fix update_cfs_group() vs DELAY_DEQUEUE Normally dequeue_entities() will continue to dequeue an empty group entity; except DELAY_DEQUEUE changes things -- it retains empty entities such that they might continue to compete and burn off some lag. However, doing this results in update_cfs_group() re-computing the cgroup weight 'slice' for an empty group, which it (rightly) figures isn't much at all. This in turn means that the delayed entity is not competing at the expected weight. Worse, the very low weight causes its lag to be inflated, which combined with avg_vruntime() using scale_load_down(), leads to artifacts. As such, don't adjust the weight for empty group entities and let them compete at their original weight. Fixes: 152e11f6df29 ("sched/fair: Implement delayed dequeue") Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20250110115720.GA17405@noisy.programming.kicks-ass.net commit a9bbe341333109465605e8733bab0b573cddcc8c Author: Peter Zijlstra Date: Mon Jan 13 12:29:34 2025 +0100 x86: Disable EXECMEM_ROX support The whole module_writable_address() nonsense made a giant mess of alternative.c, not to mention it still contains bugs -- notable some of the CFI variants crash and burn. Mike has been working on patches to clean all this up again, but given the current state of things, this stuff just isn't ready. Disable for now, lets try again next cycle. Fixes: 5185e7f9f3bd ("x86/module: enable ROX caches for module text on 64 bit") Signed-off-by: Peter Zijlstra (Intel) Signed-off-by: Borislav Petkov (AMD) Link: https://lore.kernel.org/r/20250113112934.GA8385@noisy.programming.kicks-ass.net commit 93801b8c2d18546fdf807c8e3075e6df93960446 Author: Cristian Ciocaltea Date: Tue Dec 24 20:22:44 2024 +0200 drm/tests: connector: Add ycbcr_420_allowed tests Extend HDMI connector output format tests to verify its registration succeeds only when the presence of YUV420 in the supported formats matches the state of ycbcr_420_allowed flag. Signed-off-by: Cristian Ciocaltea Reviewed-by: Dmitry Baryshkov Reviewed-by: Maxime Ripard Link: https://patchwork.freedesktop.org/patch/msgid/20241224-bridge-conn-fmt-prio-v4-4-a9ceb5671379@collabora.com Signed-off-by: Dmitry Baryshkov commit f2f96619590f944f74f3c2b0b57a6dcc5d13cd9f Author: Cristian Ciocaltea Date: Tue Dec 24 20:22:43 2024 +0200 drm/connector: hdmi: Validate supported_formats matches ycbcr_420_allowed Ensure HDMI connector initialization fails when the presence of HDMI_COLORSPACE_YUV420 in the given supported_formats bitmask doesn't match the value of drm_connector->ycbcr_420_allowed. Suggested-by: Dmitry Baryshkov Reviewed-by: Dmitry Baryshkov Signed-off-by: Cristian Ciocaltea Reviewed-by: Maxime Ripard Link: https://patchwork.freedesktop.org/patch/msgid/20241224-bridge-conn-fmt-prio-v4-3-a9ceb5671379@collabora.com Signed-off-by: Dmitry Baryshkov commit 1bd1562d3522f7a846dad795359c31b371e6303b Author: Cristian Ciocaltea Date: Tue Dec 24 20:22:42 2024 +0200 drm/bridge-connector: Sync supported_formats with computed ycbcr_420_allowed The case of having an HDMI bridge in the pipeline which advertises YUV420 capability via its ->supported_formats and a non-HDMI one that didn't enable ->ycbcr_420_allowed, is incorrectly handled because supported_formats is passed as is to the helper initializing the HDMI connector. Ensure HDMI_COLORSPACE_YUV420 is removed from the bitmask passed to drmm_connector_hdmi_init() when connector's ->ycbcr_420_allowed flag ends up not being set. Fixes: 3ced1c687512 ("drm/display: bridge_connector: handle ycbcr_420_allowed") Signed-off-by: Cristian Ciocaltea Reviewed-by: Dmitry Baryshkov Reviewed-by: Maxime Ripard Link: https://patchwork.freedesktop.org/patch/msgid/20241224-bridge-conn-fmt-prio-v4-2-a9ceb5671379@collabora.com Signed-off-by: Dmitry Baryshkov commit d102ac39fbe181a6f0c9e98bc26bd94018657808 Author: Cristian Ciocaltea Date: Tue Dec 24 20:22:41 2024 +0200 drm/bridge: Prioritize supported_formats over ycbcr_420_allowed Bridges having DRM_BRIDGE_OP_HDMI set in their ->ops are supposed to rely on the ->supported_formats bitmask to advertise the permitted colorspaces, including HDMI_COLORSPACE_YUV420. However, a new flag ->ycbcr_420_allowed has been recently introduced, which brings the necessity to require redundant and potentially inconsistent information to be provided on HDMI bridges initialization. Adjust ->ycbcr_420_allowed for HDMI bridges according to ->supported_formats, right before adding them to the global bridge list. This keeps the initialization process straightforward and unambiguous, thereby preventing any further confusion. Fixes: 3ced1c687512 ("drm/display: bridge_connector: handle ycbcr_420_allowed") Signed-off-by: Cristian Ciocaltea Reviewed-by: Dmitry Baryshkov Reviewed-by: Maxime Ripard Link: https://patchwork.freedesktop.org/patch/msgid/20241224-bridge-conn-fmt-prio-v4-1-a9ceb5671379@collabora.com Signed-off-by: Dmitry Baryshkov commit 76201b5979768500bca362871db66d77cb4c225e Author: Artem Chernyshev Date: Thu Jan 9 11:30:39 2025 +0300 pktgen: Avoid out-of-bounds access in get_imix_entries Passing a sufficient amount of imix entries leads to invalid access to the pkt_dev->imix_entries array because of the incorrect boundary check. UBSAN: array-index-out-of-bounds in net/core/pktgen.c:874:24 index 20 is out of range for type 'imix_pkt [20]' CPU: 2 PID: 1210 Comm: bash Not tainted 6.10.0-rc1 #121 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) Call Trace: dump_stack_lvl lib/dump_stack.c:117 __ubsan_handle_out_of_bounds lib/ubsan.c:429 get_imix_entries net/core/pktgen.c:874 pktgen_if_write net/core/pktgen.c:1063 pde_write fs/proc/inode.c:334 proc_reg_write fs/proc/inode.c:346 vfs_write fs/read_write.c:593 ksys_write fs/read_write.c:644 do_syscall_64 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe arch/x86/entry/entry_64.S:130 Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 52a62f8603f9 ("pktgen: Parse internet mix (imix) input") Signed-off-by: Artem Chernyshev [ fp: allow to fill the array completely; minor changelog cleanup ] Signed-off-by: Fedor Pchelkin Signed-off-by: David S. Miller commit 34c8e74cd6667ef5da90d448a1af702c4b873bd3 Author: Yage Geng Date: Mon Jan 13 16:52:08 2025 +0800 ALSA: hda/realtek: Fix volume adjustment issue on Lenovo ThinkBook 16P Gen5 This patch fixes the volume adjustment issue on the Lenovo ThinkBook 16P Gen5 by applying the necessary quirk configuration for the Realtek ALC287 codec. The issue was caused by incorrect configuration in the driver, which prevented proper volume control on certain systems. Signed-off-by: Yage Geng Link: https://patch.msgid.link/20250113085208.15351-1-icoderdev@gmail.com Signed-off-by: Takashi Iwai commit b8ed9da102beb2d0926a1d7a7e652392190151c0 Author: Meetakshi Setiya Date: Fri Jan 10 07:10:27 2025 -0500 cifs: support reconnect with alternate password for SMB1 SMB1 shares the mount and remount code paths with SMB2/3 and already supports password rotation in some scenarios. This patch extends the password rotation support to SMB1 reconnects as well. Cc: stable@vger.kernel.org Signed-off-by: Meetakshi Setiya Signed-off-by: Steve French commit cbc5dde0a461240046e8a41c43d7c3b76d5db952 Author: Rik van Riel Date: Fri Jan 10 10:28:21 2025 -0500 fs/proc: fix softlockup in __read_vmcore (part 2) Since commit 5cbcb62dddf5 ("fs/proc: fix softlockup in __read_vmcore") the number of softlockups in __read_vmcore at kdump time have gone down, but they still happen sometimes. In a memory constrained environment like the kdump image, a softlockup is not just a harmless message, but it can interfere with things like RCU freeing memory, causing the crashdump to get stuck. The second loop in __read_vmcore has a lot more opportunities for natural sleep points, like scheduling out while waiting for a data write to happen, but apparently that is not always enough. Add a cond_resched() to the second loop in __read_vmcore to (hopefully) get rid of the softlockups. Link: https://lkml.kernel.org/r/20250110102821.2a37581b@fangorn Fixes: 5cbcb62dddf5 ("fs/proc: fix softlockup in __read_vmcore") Signed-off-by: Rik van Riel Reported-by: Breno Leitao Cc: Baoquan He Cc: Dave Young Cc: Vivek Goyal Cc: Signed-off-by: Andrew Morton commit 1c47c57818ad73d2d09ddbcb4839708aab5ff2e3 Author: Matthew Wilcox (Oracle) Date: Fri Jan 10 16:32:57 2025 +0000 mm: fix assertion in folio_end_read() We only need to assert that the uptodate flag is clear if we're going to set it. This hasn't been a problem before now because we have only used folio_end_read() when completing with an error, but it's convenient to use it in squashfs if we discover the folio is already uptodate. Link: https://lkml.kernel.org/r/20250110163300.3346321-1-willy@infradead.org Signed-off-by: Matthew Wilcox (Oracle) Cc: Phillip Lougher Signed-off-by: Andrew Morton commit bd3d56ffa2c450364acf02663ba88996da37079d Author: Donet Tom Date: Thu Jan 9 00:05:39 2025 -0600 mm: vmscan : pgdemote vmstat is not getting updated when MGLRU is enabled. When MGLRU is enabled, the pgdemote_kswapd, pgdemote_direct, and pgdemote_khugepaged stats in vmstat are not being updated. Commit f77f0c751478 ("mm,memcg: provide per-cgroup counters for NUMA balancing operations") moved the pgdemote vmstat update from demote_folio_list() to shrink_inactive_list(), which is in the normal LRU path. As a result, the pgdemote stats are updated correctly for the normal LRU but not for MGLRU. To address this, we have added the pgdemote stat update in the evict_folios() function, which is in the MGLRU path. With this patch, the pgdemote stats will now be updated correctly when MGLRU is enabled. Without this patch vmstat output when MGLRU is enabled ====================================================== pgdemote_kswapd 0 pgdemote_direct 0 pgdemote_khugepaged 0 With this patch vmstat output when MGLRU is enabled =================================================== pgdemote_kswapd 43234 pgdemote_direct 4691 pgdemote_khugepaged 0 Link: https://lkml.kernel.org/r/20250109060540.451261-1-donettom@linux.ibm.com Fixes: f77f0c751478 ("mm,memcg: provide per-cgroup counters for NUMA balancing operations") Signed-off-by: Donet Tom Acked-by: Yu Zhao Tested-by: Li Zhijian Reviewed-by: Li Zhijian Cc: Aneesh Kumar K.V (Arm) Cc: David Rientjes Cc: Johannes Weiner Cc: Kaiyang Zhao Cc: Michal Hocko Cc: Muchun Song Cc: Ritesh Harjani (IBM) Cc: Roman Gushchin Cc: Shakeel Butt Cc: Wei Xu Cc: Signed-off-by: Andrew Morton commit 9fd8fcf171dcc39d2a8ecf221388820fb5fbc00e Author: Koichiro Den Date: Wed Jan 8 13:28:07 2025 +0900 vmstat: disable vmstat_work on vmstat_cpu_down_prep() The upstream commit adcfb264c3ed ("vmstat: disable vmstat_work on vmstat_cpu_down_prep()") introduced another warning during the boot phase so was soon reverted on upstream by commit cd6313beaeae ("Revert "vmstat: disable vmstat_work on vmstat_cpu_down_prep()""). This commit resolves it and reattempts the original fix. Even after mm/vmstat:online teardown, shepherd may still queue work for the dying cpu until the cpu is removed from online mask. While it's quite rare, this means that after unbind_workers() unbinds a per-cpu kworker, it potentially runs vmstat_update for the dying CPU on an irrelevant cpu before entering atomic AP states. When CONFIG_DEBUG_PREEMPT=y, it results in the following error with the backtrace. BUG: using smp_processor_id() in preemptible [00000000] code: \ kworker/7:3/1702 caller is refresh_cpu_vm_stats+0x235/0x5f0 CPU: 0 UID: 0 PID: 1702 Comm: kworker/7:3 Tainted: G Tainted: [N]=TEST Workqueue: mm_percpu_wq vmstat_update Call Trace: dump_stack_lvl+0x8d/0xb0 check_preemption_disabled+0xce/0xe0 refresh_cpu_vm_stats+0x235/0x5f0 vmstat_update+0x17/0xa0 process_one_work+0x869/0x1aa0 worker_thread+0x5e5/0x1100 kthread+0x29e/0x380 ret_from_fork+0x2d/0x70 ret_from_fork_asm+0x1a/0x30 So, for mm/vmstat:online, disable vmstat_work reliably on teardown and symmetrically enable it on startup. For secondary CPUs during CPU hotplug scenarios, ensure the delayed work is disabled immediately after the initialization. These CPUs are not yet online when start_shepherd_timer() runs on boot CPU. vmstat_cpu_online() will enable the work for them. Link: https://lkml.kernel.org/r/20250108042807.3429745-1-koichiro.den@canonical.com Signed-off-by: Huacai Chen Signed-off-by: Koichiro Den Suggested-by: Huacai Chen Tested-by: Charalampos Mitrodimas Cc: Lorenzo Stoakes Signed-off-by: Andrew Morton commit 212fe1c0df4a150fb6298db2cfff267ceaba5402 Author: Kairui Song Date: Tue Jan 7 14:54:46 2025 +0800 zram: fix potential UAF of zram table If zram_meta_alloc failed early, it frees allocated zram->table without setting it NULL. Which will potentially cause zram_meta_free to access the table if user reset an failed and uninitialized device. Link: https://lkml.kernel.org/r/20250107065446.86928-1-ryncsn@gmail.com Fixes: 74363ec674cb ("zram: fix uninitialized ZRAM not releasing backing device") Signed-off-by: Kairui Song Reviewed-by: Sergey Senozhatsky Cc: Signed-off-by: Andrew Morton commit a32bf5bb7933fde6f39747499f8ec232b5b5400f Author: Ryan Roberts Date: Tue Jan 7 14:25:53 2025 +0000 selftests/mm: set allocated memory to non-zero content in cow test After commit b1f202060afe ("mm: remap unused subpages to shared zeropage when splitting isolated thp"), cow test cases involving swapping out THPs via madvise(MADV_PAGEOUT) started to be skipped due to the subsequent check via pagemap determining that the memory was not actually swapped out. Logs similar to this were emitted: ... # [RUN] Basic COW after fork() ... with swapped-out, PTE-mapped THP (16 kB) ok 2 # SKIP MADV_PAGEOUT did not work, is swap enabled? # [RUN] Basic COW after fork() ... with single PTE of swapped-out THP (16 kB) ok 3 # SKIP MADV_PAGEOUT did not work, is swap enabled? # [RUN] Basic COW after fork() ... with swapped-out, PTE-mapped THP (32 kB) ok 4 # SKIP MADV_PAGEOUT did not work, is swap enabled? ... The commit in question introduces the behaviour of scanning THPs and if their content is predominantly zero, it splits them and replaces the pages which are wholly zero with the zero page. These cow test cases were getting caught up in this. So let's avoid that by filling the contents of all allocated memory with a non-zero value. With this in place, the tests are passing again. Link: https://lkml.kernel.org/r/20250107142555.1870101-1-ryan.roberts@arm.com Fixes: b1f202060afe ("mm: remap unused subpages to shared zeropage when splitting isolated thp") Signed-off-by: Ryan Roberts Acked-by: David Hildenbrand Cc: Usama Arif Cc: Yu Zhao Cc: Signed-off-by: Andrew Morton commit 0cef0bb836e3cfe00f08f9606c72abd72fe78ca3 Author: Ryan Roberts Date: Tue Jan 7 14:47:52 2025 +0000 mm: clear uffd-wp PTE/PMD state on mremap() When mremap()ing a memory region previously registered with userfaultfd as write-protected but without UFFD_FEATURE_EVENT_REMAP, an inconsistency in flag clearing leads to a mismatch between the vma flags (which have uffd-wp cleared) and the pte/pmd flags (which do not have uffd-wp cleared). This mismatch causes a subsequent mprotect(PROT_WRITE) to trigger a warning in page_table_check_pte_flags() due to setting the pte to writable while uffd-wp is still set. Fix this by always explicitly clearing the uffd-wp pte/pmd flags on any such mremap() so that the values are consistent with the existing clearing of VM_UFFD_WP. Be careful to clear the logical flag regardless of its physical form; a PTE bit, a swap PTE bit, or a PTE marker. Cover PTE, huge PMD and hugetlb paths. Link: https://lkml.kernel.org/r/20250107144755.1871363-2-ryan.roberts@arm.com Co-developed-by: Mikołaj Lenczewski Signed-off-by: Mikołaj Lenczewski Signed-off-by: Ryan Roberts Closes: https://lore.kernel.org/linux-mm/810b44a8-d2ae-4107-b665-5a42eae2d948@arm.com/ Fixes: 63b2d4174c4a ("userfaultfd: wp: add the writeprotect API to userfaultfd ioctl") Cc: David Hildenbrand Cc: Jann Horn Cc: Liam R. Howlett Cc: Lorenzo Stoakes Cc: Mark Rutland Cc: Muchun Song Cc: Peter Xu Cc: Shuah Khan Cc: Vlastimil Babka Cc: Signed-off-by: Andrew Morton commit 4bcf29741145e73440323e3e9af8b1a6f4961183 Author: Petr Pavlu Date: Tue Jan 7 16:34:57 2025 +0100 module: fix writing of livepatch relocations in ROX text A livepatch module can contain a special relocation section .klp.rela.. to apply its relocations at the appropriate time and to additionally access local and unexported symbols. When points to another module, such relocations are processed separately from the regular module relocation process. For instance, only when the target actually becomes loaded. With CONFIG_STRICT_MODULE_RWX, when the livepatch core decides to apply these relocations, their processing results in the following bug: [ 25.827238] BUG: unable to handle page fault for address: 00000000000012ba [ 25.827819] #PF: supervisor read access in kernel mode [ 25.828153] #PF: error_code(0x0000) - not-present page [ 25.828588] PGD 0 P4D 0 [ 25.829063] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI [ 25.829742] CPU: 2 UID: 0 PID: 452 Comm: insmod Tainted: G O K 6.13.0-rc4-00078-g059dd502b263 #7820 [ 25.830417] Tainted: [O]=OOT_MODULE, [K]=LIVEPATCH [ 25.830768] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-20220807_005459-localhost 04/01/2014 [ 25.831651] RIP: 0010:memcmp+0x24/0x60 [ 25.832190] Code: [...] [ 25.833378] RSP: 0018:ffffa40b403a3ae8 EFLAGS: 00000246 [ 25.833637] RAX: 0000000000000000 RBX: ffff93bc81d8e700 RCX: ffffffffc0202000 [ 25.834072] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 00000000000012ba [ 25.834548] RBP: ffffa40b403a3b68 R08: ffffa40b403a3b30 R09: 0000004a00000002 [ 25.835088] R10: ffffffffffffd222 R11: f000000000000000 R12: 0000000000000000 [ 25.835666] R13: ffffffffc02032ba R14: ffffffffc007d1e0 R15: 0000000000000004 [ 25.836139] FS: 00007fecef8c3080(0000) GS:ffff93bc8f900000(0000) knlGS:0000000000000000 [ 25.836519] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 25.836977] CR2: 00000000000012ba CR3: 0000000002f24000 CR4: 00000000000006f0 [ 25.837442] Call Trace: [ 25.838297] [ 25.841083] __write_relocate_add.constprop.0+0xc7/0x2b0 [ 25.841701] apply_relocate_add+0x75/0xa0 [ 25.841973] klp_write_section_relocs+0x10e/0x140 [ 25.842304] klp_write_object_relocs+0x70/0xa0 [ 25.842682] klp_init_object_loaded+0x21/0xf0 [ 25.842972] klp_enable_patch+0x43d/0x900 [ 25.843572] do_one_initcall+0x4c/0x220 [ 25.844186] do_init_module+0x6a/0x260 [ 25.844423] init_module_from_file+0x9c/0xe0 [ 25.844702] idempotent_init_module+0x172/0x270 [ 25.845008] __x64_sys_finit_module+0x69/0xc0 [ 25.845253] do_syscall_64+0x9e/0x1a0 [ 25.845498] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 25.846056] RIP: 0033:0x7fecef9eb25d [ 25.846444] Code: [...] [ 25.847563] RSP: 002b:00007ffd0c5d6de8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 [ 25.848082] RAX: ffffffffffffffda RBX: 000055b03f05e470 RCX: 00007fecef9eb25d [ 25.848456] RDX: 0000000000000000 RSI: 000055b001e74e52 RDI: 0000000000000003 [ 25.848969] RBP: 00007ffd0c5d6ea0 R08: 0000000000000040 R09: 0000000000004100 [ 25.849411] R10: 00007fecefac7b20 R11: 0000000000000246 R12: 000055b001e74e52 [ 25.849905] R13: 0000000000000000 R14: 000055b03f05e440 R15: 0000000000000000 [ 25.850336] [ 25.850553] Modules linked in: deku(OK+) uinput [ 25.851408] CR2: 00000000000012ba [ 25.852085] ---[ end trace 0000000000000000 ]--- The problem is that the .klp.rela.. relocations are processed after the module was already formed and mod->rw_copy was reset. However, the code in __write_relocate_add() calls module_writable_address() which translates the target address 'loc' still to 'loc + (mem->rw_copy - mem->base)', with mem->rw_copy now being 0. Fix the problem by returning directly 'loc' in module_writable_address() when the module is already formed. Function __write_relocate_add() knows to use text_poke() in such a case. Link: https://lkml.kernel.org/r/20250107153507.14733-1-petr.pavlu@suse.com Fixes: 0c133b1e78cd ("module: prepare to handle ROX allocations for text") Signed-off-by: Petr Pavlu Reported-by: Marek Maslanka Closes: https://lore.kernel.org/linux-modules/CAGcaFA2hdThQV6mjD_1_U+GNHThv84+MQvMWLgEuX+LVbAyDxg@mail.gmail.com/ Reviewed-by: Petr Mladek Tested-by: Petr Mladek Cc: Joe Lawrence Cc: Josh Poimboeuf Cc: Luis Chamberlain Cc: Mike Rapoport (Microsoft) Cc: Petr Mladek Signed-off-by: Andrew Morton commit 12dcb0ef540629a281533f9dedc1b6b8e14cfb65 Author: Yosry Ahmed Date: Wed Jan 8 22:24:41 2025 +0000 mm: zswap: properly synchronize freeing resources during CPU hotunplug In zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the current CPU at the beginning of the operation is retrieved and used throughout. However, since neither preemption nor migration are disabled, it is possible that the operation continues on a different CPU. If the original CPU is hotunplugged while the acomp_ctx is still in use, we run into a UAF bug as some of the resources attached to the acomp_ctx are freed during hotunplug in zswap_cpu_comp_dead() (i.e. acomp_ctx.buffer, acomp_ctx.req, or acomp_ctx.acomp). The problem was introduced in commit 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration") when the switch to the crypto_acomp API was made. Prior to that, the per-CPU crypto_comp was retrieved using get_cpu_ptr() which disables preemption and makes sure the CPU cannot go away from under us. Preemption cannot be disabled with the crypto_acomp API as a sleepable context is needed. Use the acomp_ctx.mutex to synchronize CPU hotplug callbacks allocating and freeing resources with compression/decompression paths. Make sure that acomp_ctx.req is NULL when the resources are freed. In the compression/decompression paths, check if acomp_ctx.req is NULL after acquiring the mutex (meaning the CPU was offlined) and retry on the new CPU. The initialization of acomp_ctx.mutex is moved from the CPU hotplug callback to the pool initialization where it belongs (where the mutex is allocated). In addition to adding clarity, this makes sure that CPU hotplug cannot reinitialize a mutex that is already locked by compression/decompression. Previously a fix was attempted by holding cpus_read_lock() [1]. This would have caused a potential deadlock as it is possible for code already holding the lock to fall into reclaim and enter zswap (causing a deadlock). A fix was also attempted using SRCU for synchronization, but Johannes pointed out that synchronize_srcu() cannot be used in CPU hotplug notifiers [2]. Alternative fixes that were considered/attempted and could have worked: - Refcounting the per-CPU acomp_ctx. This involves complexity in handling the race between the refcount dropping to zero in zswap_[de]compress() and the refcount being re-initialized when the CPU is onlined. - Disabling migration before getting the per-CPU acomp_ctx [3], but that's discouraged and is a much bigger hammer than needed, and could result in subtle performance issues. [1]https://lkml.kernel.org/20241219212437.2714151-1-yosryahmed@google.com/ [2]https://lkml.kernel.org/20250107074724.1756696-2-yosryahmed@google.com/ [3]https://lkml.kernel.org/20250107222236.2715883-2-yosryahmed@google.com/ [yosryahmed@google.com: remove comment] Link: https://lkml.kernel.org/r/CAJD7tkaxS1wjn+swugt8QCvQ-rVF5RZnjxwPGX17k8x9zSManA@mail.gmail.com Link: https://lkml.kernel.org/r/20250108222441.3622031-1-yosryahmed@google.com Fixes: 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration") Signed-off-by: Yosry Ahmed Reported-by: Johannes Weiner Closes: https://lore.kernel.org/lkml/20241113213007.GB1564047@cmpxchg.org/ Reported-by: Sam Sun Closes: https://lore.kernel.org/lkml/CAEkJfYMtSdM5HceNsXUDf5haghD5+o2e7Qv4OcuruL4tPg6OaQ@mail.gmail.com/ Cc: Barry Song Cc: Chengming Zhou Cc: Kanchana P Sridhar Cc: Nhat Pham Cc: Vitaly Wool Cc: Signed-off-by: Andrew Morton commit 4dff389c9f1dd787e8058930b3fbd3248a6238c5 Author: Yosry Ahmed Date: Tue Jan 7 22:22:34 2025 +0000 Revert "mm: zswap: fix race between [de]compression and CPU hotunplug" This reverts commit eaebeb93922ca6ab0dd92027b73d0112701706ef. Commit eaebeb93922c ("mm: zswap: fix race between [de]compression and CPU hotunplug") used the CPU hotplug lock in zswap compress/decompress operations to protect against a race with CPU hotunplug making some per-CPU resources go away. However, zswap compress/decompress can be reached through reclaim while the lock is held, resulting in a potential deadlock as reported by syzbot: ====================================================== WARNING: possible circular locking dependency detected 6.13.0-rc6-syzkaller-00006-g5428dc1906dd #0 Not tainted ------------------------------------------------------ kswapd0/89 is trying to acquire lock: ffffffff8e7d2ed0 (cpu_hotplug_lock){++++}-{0:0}, at: acomp_ctx_get_cpu mm/zswap.c:886 [inline] ffffffff8e7d2ed0 (cpu_hotplug_lock){++++}-{0:0}, at: zswap_compress mm/zswap.c:908 [inline] ffffffff8e7d2ed0 (cpu_hotplug_lock){++++}-{0:0}, at: zswap_store_page mm/zswap.c:1439 [inline] ffffffff8e7d2ed0 (cpu_hotplug_lock){++++}-{0:0}, at: zswap_store+0xa74/0x1ba0 mm/zswap.c:1546 but task is already holding lock: ffffffff8ea355a0 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat mm/vmscan.c:6871 [inline] ffffffff8ea355a0 (fs_reclaim){+.+.}-{0:0}, at: kswapd+0xb58/0x2f30 mm/vmscan.c:7253 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (fs_reclaim){+.+.}-{0:0}: lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849 __fs_reclaim_acquire mm/page_alloc.c:3853 [inline] fs_reclaim_acquire+0x88/0x130 mm/page_alloc.c:3867 might_alloc include/linux/sched/mm.h:318 [inline] slab_pre_alloc_hook mm/slub.c:4070 [inline] slab_alloc_node mm/slub.c:4148 [inline] __kmalloc_cache_node_noprof+0x40/0x3a0 mm/slub.c:4337 kmalloc_node_noprof include/linux/slab.h:924 [inline] alloc_worker kernel/workqueue.c:2638 [inline] create_worker+0x11b/0x720 kernel/workqueue.c:2781 workqueue_prepare_cpu+0xe3/0x170 kernel/workqueue.c:6628 cpuhp_invoke_callback+0x48d/0x830 kernel/cpu.c:194 __cpuhp_invoke_callback_range kernel/cpu.c:965 [inline] cpuhp_invoke_callback_range kernel/cpu.c:989 [inline] cpuhp_up_callbacks kernel/cpu.c:1020 [inline] _cpu_up+0x2b3/0x580 kernel/cpu.c:1690 cpu_up+0x184/0x230 kernel/cpu.c:1722 cpuhp_bringup_mask+0xdf/0x260 kernel/cpu.c:1788 cpuhp_bringup_cpus_parallel+0xf9/0x160 kernel/cpu.c:1878 bringup_nonboot_cpus+0x2b/0x50 kernel/cpu.c:1892 smp_init+0x34/0x150 kernel/smp.c:1009 kernel_init_freeable+0x417/0x5d0 init/main.c:1569 kernel_init+0x1d/0x2b0 init/main.c:1466 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 -> #0 (cpu_hotplug_lock){++++}-{0:0}: check_prev_add kernel/locking/lockdep.c:3161 [inline] check_prevs_add kernel/locking/lockdep.c:3280 [inline] validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3904 __lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5226 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849 percpu_down_read include/linux/percpu-rwsem.h:51 [inline] cpus_read_lock+0x42/0x150 kernel/cpu.c:490 acomp_ctx_get_cpu mm/zswap.c:886 [inline] zswap_compress mm/zswap.c:908 [inline] zswap_store_page mm/zswap.c:1439 [inline] zswap_store+0xa74/0x1ba0 mm/zswap.c:1546 swap_writepage+0x647/0xce0 mm/page_io.c:279 shmem_writepage+0x1248/0x1610 mm/shmem.c:1579 pageout mm/vmscan.c:696 [inline] shrink_folio_list+0x35ee/0x57e0 mm/vmscan.c:1374 shrink_inactive_list mm/vmscan.c:1967 [inline] shrink_list mm/vmscan.c:2205 [inline] shrink_lruvec+0x16db/0x2f30 mm/vmscan.c:5734 mem_cgroup_shrink_node+0x385/0x8e0 mm/vmscan.c:6575 mem_cgroup_soft_reclaim mm/memcontrol-v1.c:312 [inline] memcg1_soft_limit_reclaim+0x346/0x810 mm/memcontrol-v1.c:362 balance_pgdat mm/vmscan.c:6975 [inline] kswapd+0x17b3/0x2f30 mm/vmscan.c:7253 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(fs_reclaim); lock(cpu_hotplug_lock); lock(fs_reclaim); rlock(cpu_hotplug_lock); *** DEADLOCK *** 1 lock held by kswapd0/89: #0: ffffffff8ea355a0 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat mm/vmscan.c:6871 [inline] #0: ffffffff8ea355a0 (fs_reclaim){+.+.}-{0:0}, at: kswapd+0xb58/0x2f30 mm/vmscan.c:7253 stack backtrace: CPU: 0 UID: 0 PID: 89 Comm: kswapd0 Not tainted 6.13.0-rc6-syzkaller-00006-g5428dc1906dd #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_circular_bug+0x13a/0x1b0 kernel/locking/lockdep.c:2074 check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2206 check_prev_add kernel/locking/lockdep.c:3161 [inline] check_prevs_add kernel/locking/lockdep.c:3280 [inline] validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3904 __lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5226 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849 percpu_down_read include/linux/percpu-rwsem.h:51 [inline] cpus_read_lock+0x42/0x150 kernel/cpu.c:490 acomp_ctx_get_cpu mm/zswap.c:886 [inline] zswap_compress mm/zswap.c:908 [inline] zswap_store_page mm/zswap.c:1439 [inline] zswap_store+0xa74/0x1ba0 mm/zswap.c:1546 swap_writepage+0x647/0xce0 mm/page_io.c:279 shmem_writepage+0x1248/0x1610 mm/shmem.c:1579 pageout mm/vmscan.c:696 [inline] shrink_folio_list+0x35ee/0x57e0 mm/vmscan.c:1374 shrink_inactive_list mm/vmscan.c:1967 [inline] shrink_list mm/vmscan.c:2205 [inline] shrink_lruvec+0x16db/0x2f30 mm/vmscan.c:5734 mem_cgroup_shrink_node+0x385/0x8e0 mm/vmscan.c:6575 mem_cgroup_soft_reclaim mm/memcontrol-v1.c:312 [inline] memcg1_soft_limit_reclaim+0x346/0x810 mm/memcontrol-v1.c:362 balance_pgdat mm/vmscan.c:6975 [inline] kswapd+0x17b3/0x2f30 mm/vmscan.c:7253 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Revert the change. A different fix for the race with CPU hotunplug will follow. Link: https://lkml.kernel.org/r/20250107222236.2715883-1-yosryahmed@google.com Signed-off-by: Yosry Ahmed Reported-by: syzbot Cc: Barry Song Cc: Chengming Zhou Cc: Johannes Weiner Cc: Kanchana P Sridhar Cc: Nhat Pham Cc: Sam Sun Cc: Vitaly Wool Cc: Signed-off-by: Andrew Morton commit 9ab96b524dce598c041388a599e3a227c7a7926c Author: Muchun Song Date: Mon Jan 6 11:31:17 2025 +0800 hugetlb: fix NULL pointer dereference in trace_hugetlbfs_alloc_inode hugetlb_file_setup() will pass a NULL @dir to hugetlbfs_get_inode(), so we will access a NULL pointer for @dir. Fix it and set __entry->dr to 0 if @dir is NULL. Because ->i_ino cannot be 0 (see get_next_ino()), there is no confusing if user sees a 0 inode number. Link: https://lkml.kernel.org/r/20250106033118.4640-1-songmuchun@bytedance.com Fixes: 318580ad7f28 ("hugetlbfs: support tracepoint") Signed-off-by: Muchun Song Reported-by: Cheung Wall Closes: https://lore.kernel.org/linux-mm/02858D60-43C1-4863-A84F-3C76A8AF1F15@linux.dev/T/# Reviewed-by: Hongbo Li Cc: cheung wall Cc: Christian Brauner Cc: Signed-off-by: Andrew Morton commit 4ce718f39776b5e162ea6b8010da7a6f02b13dc0 Author: Stefan Roesch Date: Fri Jan 3 17:20:37 2025 -0800 mm: fix div by zero in bdi_ratio_from_pages During testing it has been detected, that it is possible to get div by zero error in bdi_set_min_bytes. The error is caused by the function bdi_ratio_from_pages(). bdi_ratio_from_pages() calls global_dirty_limits. If the dirty threshold is 0, the div by zero is raised. This can happen if the root user is setting: echo 0 > /proc/sys/vm/dirty_ratio The following is a test case: echo 0 > /proc/sys/vm/dirty_ratio cd /sys/class/bdi/ echo 1 > strict_limit echo 8192 > min_bytes ==> error is raised. The problem is addressed by returning -EINVAL if dirty_ratio or dirty_bytes is set to 0. [shr@devkernel.io: check for -EINVAL in bdi_set_min_bytes() and bdi_set_max_bytes()] Link: https://lkml.kernel.org/r/20250108014723.166637-1-shr@devkernel.io [shr@devkernel.io: v3] Link: https://lkml.kernel.org/r/20250109063411.6591-1-shr@devkernel.io Link: https://lkml.kernel.org/r/20250104012037.159386-1-shr@devkernel.io Signed-off-by: Stefan Roesch Reported-by: cheung wall Closes: https://lore.kernel.org/linux-mm/87pll35yd0.fsf@devkernel.io/T/#t Acked-by: David Hildenbrand Cc: Matthew Wilcox (Oracle) Cc: Qiang Zhang Signed-off-by: Andrew Morton commit 59f59108475e8fadd5f9fc9a5d79563203df40f1 Author: Juergen Gross Date: Fri Jan 3 07:56:31 2025 +0100 x86/execmem: fix ROX cache usage in Xen PV guests The recently introduced ROX cache for modules is assuming large page support in 64-bit mode without testing the related feature bit. This results in breakage when running as a Xen PV guest, as in this mode large pages are not supported. Fix that by testing the X86_FEATURE_PSE capability when deciding whether to enable the ROX cache. Link: https://lkml.kernel.org/r/20250103065631.26459-1-jgross@suse.com Fixes: 2e45474ab14f ("execmem: add support for cache of large ROX pages") Signed-off-by: Juergen Gross Reported-by: Marek Marczykowski-Górecki Tested-by: Marek Marczykowski-Górecki Cc: Luis Chamberlain Cc: Andy Lutomirski Cc: Dave Hansen Cc: "H. Peter Anvin" Cc: Ingo Molnar Cc: Mike Rapoport (Microsoft) Cc: Peter Zijlstra Cc: Thomas Gleixner Signed-off-by: Andrew Morton commit f505e6c91e7a22d10316665a86d79f84d9f0ba76 Author: Marco Nelissen Date: Thu Jan 2 11:04:11 2025 -0800 filemap: avoid truncating 64-bit offset to 32 bits On 32-bit kernels, folio_seek_hole_data() was inadvertently truncating a 64-bit value to 32 bits, leading to a possible infinite loop when writing to an xfs filesystem. Link: https://lkml.kernel.org/r/20250102190540.1356838-1-marco.nelissen@gmail.com Fixes: 54fa39ac2e00 ("iomap: use mapping_seek_hole_data") Signed-off-by: Marco Nelissen Cc: Matthew Wilcox (Oracle) Cc: Signed-off-by: Andrew Morton commit 4bbb6df62c54e6a2c1fcce4908df768f0cfa1e91 Author: Suren Baghdasaryan Date: Fri Dec 27 14:22:20 2024 -0800 tools: fix atomic_set() definition to set the value correctly Currently vma test is failing because of the new vma_assert_attached() assertion. The check is failing because previous refcount_set() inside vma_mark_attached() is a NoOp. Fix the definition of atomic_set() to correctly set the value of the atomic. Link: https://lkml.kernel.org/r/20241227222220.1726384-1-surenb@google.com Fixes: 9325b8b5a1cb ("tools: add skeleton code for userland testing of VMA logic") Signed-off-by: Suren Baghdasaryan Reviewed-by: Lorenzo Stoakes Cc: Jann Horn Cc: Liam R. Howlett Cc: Vlastimil Babka Cc: Signed-off-by: Andrew Morton commit 264a88cafdbd0f4579af903145ac605d030f3f66 Author: Honggyu Kim Date: Fri Dec 27 18:57:37 2024 +0900 mm/mempolicy: count MPOL_WEIGHTED_INTERLEAVE to "interleave_hit" Commit fa3bea4e1f82 introduced MPOL_WEIGHTED_INTERLEAVE but it missed adding its counter to "interleave_hit" of numastat, which is located at /sys/devices/system/node/nodeN/ directory. It'd be better to add weighted interleving counter info to the existing "interleave_hit" instead of introducing a new counter "weighted_interleave_hit". Link: https://lkml.kernel.org/r/20241227095737.645-1-honggyu.kim@sk.com Fixes: fa3bea4e1f82 ("mm/mempolicy: introduce MPOL_WEIGHTED_INTERLEAVE for weighted interleaving") Signed-off-by: Honggyu Kim Reviewed-by: Gregory Price Reviewed-by: Hyeonggon Yoo Tested-by: Yunjeong Mun Cc: Andi Kleen Signed-off-by: Andrew Morton commit 2bff77c665edd854a09c479effe75b3b0e3fedef Author: Luca Ceresoli Date: Mon Dec 30 22:55:10 2024 +0100 scripts/decode_stacktrace.sh: fix decoding of lines with an additional info Since commit bdf8eafbf7f5 ("arm64: stacktrace: report source of unwind data") a stack trace line can contain an additional info field that was not present before, in the form of one or more letters in parentheses. E.g.: [ 504.517915] led_sysfs_enable+0x54/0x80 (P) ^^^ When this is present, decode_stacktrace decodes the line incorrectly: [ 504.517915] led_sysfs_enable+0x54/0x80 P Extend parsing to decode it correctly: [ 504.517915] led_sysfs_enable (drivers/leds/led-core.c:455 (discriminator 7)) (P) The regex to match such lines assumes the info can be extended in the future to other uppercase characters, and will need to be extended in case other characters will be used. Using a much more generic regex might incur in false positives, so this looked like a good tradeoff. Link: https://lkml.kernel.org/r/20241230-decode_stacktrace-fix-info-v1-1-984910659173@bootlin.com Fixes: bdf8eafbf7f5 ("arm64: stacktrace: report source of unwind data") Signed-off-by: Luca Ceresoli Cc: Catalin Marinas Cc: Mark Brown Cc: Mark Rutland Cc: Miroslav Benes Cc: Puranjay Mohan Cc: Thomas Petazzoni Signed-off-by: Andrew Morton commit 76d5d4c53e68719c018691b19a961e78524a155c Author: Guo Weikang Date: Fri Dec 27 17:23:10 2024 +0800 mm/kmemleak: fix percpu memory leak detection failure kmemleak_alloc_percpu gives an incorrect min_count parameter, causing percpu memory to be considered a gray object. Link: https://lkml.kernel.org/r/20241227092311.3572500-1-guoweikang.kernel@gmail.com Fixes: 8c8685928910 ("mm/kmemleak: use IS_ERR_PCPU() for pointer in the percpu address space") Signed-off-by: Guo Weikang Acked-by: Uros Bizjak Acked-by: Catalin Marinas Cc: Guo Weikang Cc: Signed-off-by: Andrew Morton commit 5bc55a333a2f7316b58edc7573e8e893f7acb532 Author: Linus Torvalds Date: Sun Jan 12 14:37:56 2025 -0800 Linux 6.13-rc7 commit 0cbe10470b4473ab5e290f1d39033fdb6d6c69c9 Merge: 083f9fac673dca c7a5378a0f7076 Author: Linus Torvalds Date: Sun Jan 12 14:34:00 2025 -0800 Merge tag 'char-misc-6.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc Pull char/misc/IIO driver fixes from Greg KH: "Here are a bunch of small IIO and interconnect and other driver fixes to resolve reported issues. Included in here are: - loads of iio driver fixes as a result of an audit of places where uninitialized data would leak to userspace. - other smaller, and normal, iio driver fixes. - mhi driver fix - interconnect driver fixes - pci1xxxx driver fix All of these have been in linux-next for a while with no reported issues" * tag 'char-misc-6.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (32 commits) misc: microchip: pci1xxxx: Resolve return code mismatch during GPIO set config misc: microchip: pci1xxxx: Resolve kernel panic during GPIO IRQ handling interconnect: icc-clk: check return values of devm_kasprintf() interconnect: qcom: icc-rpm: Set the count member before accessing the flex array iio: adc: ti-ads1119: fix sample size in scan struct for triggered buffer iio: temperature: tmp006: fix information leak in triggered buffer iio: inkern: call iio_device_put() only on mapped devices iio: adc: ad9467: Fix the "don't allow reading vref if not available" case iio: adc: at91: call input_free_device() on allocated iio_dev iio: adc: ad7173: fix using shared static info struct iio: adc: ti-ads124s08: Use gpiod_set_value_cansleep() iio: adc: ti-ads1119: fix information leak in triggered buffer iio: pressure: zpa2326: fix information leak in triggered buffer iio: adc: rockchip_saradc: fix information leak in triggered buffer iio: imu: kmx61: fix information leak in triggered buffer iio: light: vcnl4035: fix information leak in triggered buffer iio: light: bh1745: fix information leak in triggered buffer iio: adc: ti-ads8688: fix information leak in triggered buffer iio: dummy: iio_simply_dummy_buffer: fix information leak in triggered buffer iio: test: Fix GTS test config ... commit 083f9fac673dca75b355b6bc6c1b4bf4792ad949 Merge: 91fff6fa94cbe1 67510d7e2e5f5b Author: Linus Torvalds Date: Sun Jan 12 14:26:31 2025 -0800 Merge tag 'driver-core-6.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core Pull driver core and debugfs fixes from Greg KH: "Here are some small driver core and debugfs fixes that resolve some reported problems: - debugfs runtime error reporting fixes - topology cpumask race-condition fix - MAINTAINERS file email update All of these have been in linux-next this week with no reported issues" * tag 'driver-core-6.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core: fs: debugfs: fix open proxy for unsafe files MAINTAINERS: align Danilo's maintainer entries topology: Keep the cpumask unchanged when printing cpumap debugfs: fix missing mutex_destroy() in short_fops case fs: debugfs: differentiate short fops with proxy ops commit 91fff6fa94cbe13d28caa978ce3f600749304e11 Merge: 4bd9e3b4c51478 6f79db028e827b Author: Linus Torvalds Date: Sun Jan 12 14:22:13 2025 -0800 Merge tag 'staging-6.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging Pull staging driver fixes from Greg KH: "Here are some small staging driver fixes that resolve some reported issues and have been in my tree for too long due to the holiday break. They resolve the following issues: - lots of gpib build-time fixes as reported by testers and 0-day - gpib logical fixes - mailmap fix All of these have been in linux-next for a while, with no reported issues other than the duplicated change" * tag 'staging-6.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: staging: gpib: mite: remove unused global functions staging: gpib: refer to correct config symbol in tnt4882 Makefile mailmap: update Bingwu Zhang's email address staging: gpib: fix address space mixup staging: gpib: use ioport_map staging: gpib: fix pcmcia dependencies staging: gpib: add module author and description fields staging: gpib: fix Makefiles staging: gpib: make global 'usec_diff' functions static staging: gpib: Modify mismatched function name staging: gpib: Add lower bound check for secondary address staging: gpib: Fix erroneous removal of blank before newline commit 6e5773d52f4a2d9c80692245f295069260cff6fc Author: Rob Herring (Arm) Date: Fri Jan 10 15:50:29 2025 -0600 of/address: Fix WARN when attempting translating non-translatable addresses The recently added WARN() for deprecated #address-cells and #size-cells triggered a WARN when of_platform_populate() (which calls of_address_to_resource()) is used on nodes with non-translatable addresses. This case is expected to return an error. Rework the bus matching to allow no match and make the default require an #address-cells property. That should be safe to do as any platform missing #address-cells would have a warning already. Fixes: 045b14ca5c36 ("of: WARN on deprecated #address-cells/#size-cells handling") Tested-by: Sean Anderson Link: https://lore.kernel.org/r/20250110215030.3637845-2-robh@kernel.org Signed-off-by: Rob Herring (Arm) commit 44748065ed321041db6e18cdcaa8c2a9554768ac Author: Rob Herring (Arm) Date: Fri Jan 10 15:50:28 2025 -0600 of/unittest: Add test that of_address_to_resource() fails on non-translatable address of_address_to_resource() on a non-translatable address should return an error. Additionally, this case also triggers a spurious WARN for missing #address-cells/#size-cells. Link: https://lore.kernel.org/r/20250110215030.3637845-1-robh@kernel.org Signed-off-by: Rob Herring (Arm) commit 4bd9e3b4c514781ac96276fbb96985066d4dff2f Merge: 196856db7c792b 0cfc36ea51684b Author: Linus Torvalds Date: Sun Jan 12 13:27:15 2025 -0800 Merge tag 'tty-6.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty Pull serial driver fixes from Greg KH: "Here are three small serial driver fixes tree. They resolve some reported issues: - stm32 break control fix - 8250 runtime pm usage counter fix - imx driver locking fix All have been in my tree and linux-next for three weeks now, with no reported issues" * tag 'tty-6.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: serial: stm32: use port lock wrappers for break control serial: imx: Use uart_port_lock_irq() instead of uart_port_lock() tty: serial: 8250: Fix another runtime PM usage counter underflow commit 196856db7c792b0f4a8213e29dbddf9acbb1e910 Merge: be548645527a13 f3149ed697dd0c Author: Linus Torvalds Date: Sun Jan 12 13:09:00 2025 -0800 Merge tag 'usb-6.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb Pull USB fixes from Greg KH: "Here are some small USB driver fixes and new device ids for 6.13-rc7. Included in here are: - usb serial new device ids - typec bugfixes for reported issues - dwc3 driver fixes - chipidea driver fixes - gadget driver fixes - other minor fixes for reported problems. All of these have been in linux-next for a while, with no reported issues" * tag 'usb-6.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: USB: serial: option: add Neoway N723-EA support USB: serial: option: add MeiG Smart SRM815 USB: serial: cp210x: add Phoenix Contact UPS Device usb: typec: fix pm usage counter imbalance in ucsi_ccg_sync_control() usb-storage: Add max sectors quirk for Nokia 208 usb: gadget: midi2: Reverse-select at the right place usb: gadget: f_fs: Remove WARN_ON in functionfs_bind USB: core: Disable LPM only for non-suspended ports usb: fix reference leak in usb_new_device() usb: typec: tcpci: fix NULL pointer issue on shared irq case usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null usb: chipidea: ci_hdrc_imx: decrement device's refcount in .remove() and in the error path of .probe() usb: typec: ucsi: Set orientation as none when connector is unplugged usb: gadget: configfs: Ignore trailing LF for user strings to cdev USB: usblp: return error when setting unsupported protocol usb: gadget: f_uac2: Fix incorrect setting of bNumEndpoints usb: typec: tcpm/tcpci_maxim: fix error code in max_contaminant_read_resistance_kohm() usb: host: xhci-plat: set skip_phy_initialization if software node has XHCI_SKIP_PHY_INIT property usb: dwc3-am62: Disable autosuspend during remove usb: dwc3: gadget: fix writing NYET threshold commit be548645527a131a097fdc884b7fca40c8b86231 Merge: a603abe345d630 a5546c2f0dc4f8 Author: Linus Torvalds Date: Sun Jan 12 12:04:53 2025 -0800 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm Pull kvm fixes from Paolo Bonzini: "The largest part here is for KVM/PPC, where a NULL pointer dereference was introduced in the 6.13 merge window and is now fixed. There's some "holiday-induced lateness", as the s390 submaintainer put it, but otherwise things looks fine. s390: - fix a latent bug when the kernel is compiled in debug mode - two small UCONTROL fixes and their selftests arm64: - always check page state in hyp_ack_unshare() - align set_id_regs selftest with the fact that ASIDBITS field is RO - various vPMU fixes for bugs that only affect nested virt PPC e500: - Fix a mostly impossible (but just wrong) case where IRQs were never re-enabled - Observe host permissions instead of mapping readonly host pages as guest-writable. This fixes a NULL-pointer dereference in 6.13 - Replace brittle VMA-based attempts at building huge shadow TLB entries with PTE lookups" * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: KVM: e500: perform hugepage check after looking up the PFN KVM: e500: map readonly host pages for read KVM: e500: track host-writability of pages KVM: e500: use shadow TLB entry as witness for writability KVM: e500: always restore irqs KVM: s390: selftests: Add has device attr check to uc_attr_mem_limit selftest KVM: s390: selftests: Add ucontrol gis routing test KVM: s390: Reject KVM_SET_GSI_ROUTING on ucontrol VMs KVM: s390: selftests: Add ucontrol flic attr selftests KVM: s390: Reject setting flic pfault attributes on ucontrol VMs KVM: s390: vsie: fix virtual/physical address in unpin_scb() KVM: arm64: Only apply PMCR_EL0.P to the guest range of counters KVM: arm64: nv: Reload PMU events upon MDCR_EL2.HPME change KVM: arm64: Use KVM_REQ_RELOAD_PMU to handle PMCR_EL0.E change KVM: arm64: Add unified helper for reprogramming counters by mask KVM: arm64: Always check the state from hyp_ack_unshare() KVM: arm64: Fix set_id_regs selftest for ASIDBITS becoming unwritable commit a603abe345d6301f04dc2ceb5fbdaa19e4c8f7da Merge: f31acaef553fb3 b583ef82b671c9 Author: Linus Torvalds Date: Sun Jan 12 11:57:45 2025 -0800 Merge tag 'perf_urgent_for_v6.13_rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull perf fix from Borislav Petkov: - Fix a #GP in the perf user callchain code caused by a race between uprobe freeing the task and the bpf profiler unwinding the task's user stack * tag 'perf_urgent_for_v6.13_rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: uprobes: Fix race in uprobe_free_utask commit f31acaef553fb3cff8f2f6bdf4e5fc76b83e082d Merge: a87d1203bb232a a9d9c33132d493 Author: Linus Torvalds Date: Sun Jan 12 11:55:48 2025 -0800 Merge tag 'x86_urgent_for_v6.13_rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 fixes from Borislav Petkov: - Check whether shadow stack is active before using the ptrace regset getter - Remove a wrong BUG_ON in the early static call code which breaks Xen PVH when booting as dom0 * tag 'x86_urgent_for_v6.13_rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/fpu: Ensure shadow stack is active before "getting" registers x86/static-call: Remove early_boot_irqs_disabled check to fix Xen PVH dom0 commit a5546c2f0dc4f84727a4bb8a91633917929735f5 Merge: 5c99a684c9ad4d e376d958871c0e Author: Paolo Bonzini Date: Sun Jan 12 12:51:05 2025 +0100 Merge tag 'kvm-s390-master-6.13-1' of https://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linux into HEAD KVM: s390: three small bugfixes Fix a latent bug when the kernel is compiled in debug mode. Two small UCONTROL fixes and their selftests. commit 5c99a684c9ad4dd5e26e83e08bddacd0bf6e2b44 Merge: 71b7bf1702c9f8 e96d8b80afd3f6 Author: Paolo Bonzini Date: Sun Jan 12 12:50:39 2025 +0100 Merge tag 'kvmarm-fixes-6.13-3' of https://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm into HEAD KVM/arm64 changes for 6.13, part #3 - Always check page state in hyp_ack_unshare() - Align set_id_regs selftest with the fact that ASIDBITS field is RO - Various vPMU fixes for bugs that only affect nested virt commit 71b7bf1702c9f8b04c0eae78df6845db19e2bc28 Merge: f07044dd0df0c9 55f4db79c4d94d Author: Paolo Bonzini Date: Sun Jan 12 12:48:14 2025 +0100 Merge branch 'kvm-e500-check-writable-pfn' into HEAD The new __kvm_faultin_pfn() function is upset by the fact that e500 KVM ignores host page permissions - __kvm_faultin requires a "writable" outgoing argument, but e500 KVM is passing NULL. While a simple fix would be possible that simply allows writable to be NULL, it is quite ugly to have e500 KVM ignore completely the host permissions and map readonly host pages as guest-writable. Merge a more complete fix and remove the VMA-based attempts at building huge shadow TLB entries. Using a PTE lookup, similar to what is done for x86, is better and works with remap_pfn_range() because it does not assume that VM_PFNMAP areas are contiguous. Note that the same incorrect logic is there in ARM's get_vma_page_shift() and RISC-V's kvm_riscv_gstage_ioremap(). Fortunately, for e500 most of the code is already there; it just has to be changed to compute the range from find_linux_pte()'s output rather than find_vma(). The new code works for both VM_PFNMAP and hugetlb mappings, so the latter is removed. Patches 2-5 were tested by the reporter, Christian Zigotzky. Since the difference with v1 is minimal, I am going to send it to Linus today. commit 55f4db79c4d94d4bb757f7a31a7f14de22fe517d Author: Paolo Bonzini Date: Wed Jan 8 16:49:50 2025 +0100 KVM: e500: perform hugepage check after looking up the PFN e500 KVM tries to bypass __kvm_faultin_pfn() in order to map VM_PFNMAP VMAs as huge pages. This is a Bad Idea because VM_PFNMAP VMAs could become noncontiguous as a result of callsto remap_pfn_range(). Instead, use the already existing host PTE lookup to retrieve a valid host-side mapping level after __kvm_faultin_pfn() has returned. Then find the largest size that will satisfy the guest's request while staying within a single host PTE. Signed-off-by: Paolo Bonzini commit 03b755b2aa48d242440cbfbd365e153b4b20fe54 Author: Paolo Bonzini Date: Wed Jan 8 16:14:55 2025 +0100 KVM: e500: map readonly host pages for read The new __kvm_faultin_pfn() function is upset by the fact that e500 KVM ignores host page permissions - __kvm_faultin requires a "writable" outgoing argument, but e500 KVM is nonchalantly passing NULL. If the host page permissions do not include writability, the shadow TLB entry is forcibly mapped read-only. Signed-off-by: Paolo Bonzini commit f2104bf22f0475a08a0feeee40d8e45ce38ed5a1 Author: Paolo Bonzini Date: Wed Jan 8 16:21:38 2025 +0100 KVM: e500: track host-writability of pages Add the possibility of marking a page so that the UW and SW bits are force-cleared. This is stored in the private info so that it persists across multiple calls to kvmppc_e500_setup_stlbe. Signed-off-by: Paolo Bonzini commit e97fbb43fb1b2e909dfd726204af3cdcb971517e Author: Paolo Bonzini Date: Wed Jan 8 16:19:28 2025 +0100 KVM: e500: use shadow TLB entry as witness for writability kvmppc_e500_ref_setup is returning whether the guest TLB entry is writable, which is than passed to kvm_release_faultin_page. This makes little sense for two reasons: first, because the function sets up the private data for the page and the return value feels like it has been bolted on the side; second, because what really matters is whether the _shadow_ TLB entry is writable. If it is not writable, the page can be released as non-dirty. Shift from using tlbe_is_writable(gtlbe) to doing the same check on the shadow TLB entry. Signed-off-by: Paolo Bonzini commit 87ecfdbc699cc95fac73291b52650283ddcf929d Author: Paolo Bonzini Date: Sun Jan 12 10:34:44 2025 +0100 KVM: e500: always restore irqs If find_linux_pte fails, IRQs will not be restored. This is unlikely to happen in practice since it would have been reported as hanging hosts, but it should of course be fixed anyway. Cc: stable@vger.kernel.org Reported-by: Sean Christopherson Signed-off-by: Paolo Bonzini commit 44a48b26639e591e53f6f72000c16576ce107274 Author: Luke D. Jones Date: Sat Jan 11 15:27:54 2025 +1300 ALSA: hda/realtek: fixup ASUS H7606W The H7606W laptop has almost the exact same codec setup as the GA403 and so the same quirks apply to it. Signed-off-by: Luke D. Jones Cc: Link: https://patch.msgid.link/20250111022754.177551-2-luke@ljones.dev Signed-off-by: Takashi Iwai commit f67b1ef261f4370c48e3a7d19907de136be2d5bd Author: Luke D. Jones Date: Sat Jan 11 15:27:53 2025 +1300 ALSA: hda/realtek: fixup ASUS GA605W The GA605W laptop has almost the exact same codec setup as the GA403 and so the same quirks apply to it. Signed-off-by: Luke D. Jones Cc: Link: https://patch.msgid.link/20250111022754.177551-1-luke@ljones.dev Signed-off-by: Takashi Iwai commit a87d1203bb232a2bec674879b62f87322b20c2c8 Merge: b62cef9a5c673f 30c8fd31c571db Author: Linus Torvalds Date: Sat Jan 11 20:34:12 2025 -0800 Merge tag 'probes-fixes-v6.13-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace Pull probes fix from Masami Hiramatsu: "Fix to free trace_kprobe objects at a failure path in __trace_kprobe_create() function. This fixes a memory leak" * tag 'probes-fixes-v6.13-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: tracing/kprobes: Fix to free objects when failed to copy a symbol commit b62cef9a5c673f1b8083159f5dc03c1c5daced2f Merge: 05c2d1f2728240 82163d63ae7a4c Author: Linus Torvalds Date: Sat Jan 11 11:42:48 2025 -0800 Merge tag 'hwmon-for-v6.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging Pull hwmon fix from Guenter Roeck: "One patch to fix error handling in drivetemp driver" * tag 'hwmon-for-v6.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging: hwmon: (drivetemp) Fix driver producing garbage data when SCSI errors occur commit 05c2d1f2728240f7cd750ea389d4ad87fba0ad03 Merge: 52a5a22d8afe3b fcede1f0a043cc Author: Linus Torvalds Date: Sat Jan 11 11:17:08 2025 -0800 Merge tag 'block-6.13-20250111' of git://git.kernel.dk/linux Pull block fix from Jens Axboe: "A single fix for a use-after-free in the BFQ IO scheduler" * tag 'block-6.13-20250111' of git://git.kernel.dk/linux: block, bfq: fix waker_bfqq UAF after bfq_split_bfqq() commit 52a5a22d8afe3bd195f7b470c7535c63717f5ff7 Merge: 57162361c3c540 bd2703b42deceb Author: Linus Torvalds Date: Sat Jan 11 10:59:43 2025 -0800 Merge tag 'io_uring-6.13-20250111' of git://git.kernel.dk/linux Pull io_uring fixes from Jens Axboe: - Fix for multishot timeout updates only using the updated value for the first invocation, not subsequent ones - Silence a false positive lockdep warning - Fix the eventfd signaling and putting RCU logic - Fix fault injected SQPOLL setup not clearing the task pointer in the error path - Fix local task_work looking at the SQPOLL thread rather than just signaling the safe variant. Again one of those theoretical issues, which should be closed up none the less. * tag 'io_uring-6.13-20250111' of git://git.kernel.dk/linux: io_uring: don't touch sqd->thread off tw add io_uring/sqpoll: zero sqd->thread on tctx errors io_uring/eventfd: ensure io_eventfd_signal() defers another RCU period io_uring: silence false positive warnings io_uring/timeout: fix multishot updates commit 57162361c3c5405e9be836d06fc9db7efd499217 Merge: da60d1547deea5 20b1aa912316ff Author: Linus Torvalds Date: Sat Jan 11 10:49:50 2025 -0800 Merge tag '6.13-rc6-SMB3-client-fix' of git://git.samba.org/sfrench/cifs-2.6 Pull smb client fix from Steve French: - fix unneeded session setup retry due to stale password e.g. for DFS automounts * tag '6.13-rc6-SMB3-client-fix' of git://git.samba.org/sfrench/cifs-2.6: smb: client: sync the root session and superblock context passwords before automounting commit da60d1547deea5d597a0a70d43a547e6148b719c Merge: 77a903cd8e5a91 5391c5d8e60610 Author: Linus Torvalds Date: Sat Jan 11 10:42:05 2025 -0800 Merge tag 'soc-fixes-6.13-3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc Pull SoC fixes from Arnd Bergmann: "Over the Christmas break a couple of devicetree fixes came in for Rockchips, Qualcomm and NXP/i.MX. These add some missing board specific properties, address build time warnings, The USB/TOG supoprt on X1 Elite regressed, so two earlier DT changes get reverted for now. Aside from the devicetree fixes, there is One build fix for the stm32 firewall driver, and a defconfig change to enable SPDIF support for i.MX" * tag 'soc-fixes-6.13-3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: firewall: remove misplaced semicolon from stm32_firewall_get_firewall arm64: dts: rockchip: add hevc power domain clock to rk3328 arm64: dts: rockchip: Fix the SD card detection on NanoPi R6C/R6S arm64: dts: qcom: sa8775p: fix the secure device bootup issue Revert "arm64: dts: qcom: x1e80100: enable OTG on USB-C controllers" Revert "arm64: dts: qcom: x1e80100-crd: enable otg on usb ports" arm64: dts: qcom: x1e80100: Fix up BAR space size for PCIe6a Revert "arm64: dts: qcom: x1e78100-t14s: enable otg on usb-c ports" ARM: dts: imxrt1050: Fix clocks for mmc ARM: imx_v6_v7_defconfig: enable SND_SOC_SPDIF arm64: dts: imx95: correct the address length of netcmix_blk_ctrl arm64: dts: imx8-ss-audio: add fallback compatible string fsl,imx6ull-esai for esai arm64: dts: rockchip: rename rfkill label for Radxa ROCK 5B arm64: dts: rockchip: add reset-names for combphy on rk3568 arm64: dts: qcom: sa8775p: Fix the size of 'addr_space' regions commit 47e55e4b410f7d552e43011baa5be1aab4093990 Author: Ilya Maximets Date: Thu Jan 9 13:21:24 2025 +0100 openvswitch: fix lockup on tx to unregistering netdev with carrier Commit in a fixes tag attempted to fix the issue in the following sequence of calls: do_output -> ovs_vport_send -> dev_queue_xmit -> __dev_queue_xmit -> netdev_core_pick_tx -> skb_tx_hash When device is unregistering, the 'dev->real_num_tx_queues' goes to zero and the 'while (unlikely(hash >= qcount))' loop inside the 'skb_tx_hash' becomes infinite, locking up the core forever. But unfortunately, checking just the carrier status is not enough to fix the issue, because some devices may still be in unregistering state while reporting carrier status OK. One example of such device is a net/dummy. It sets carrier ON on start, but it doesn't implement .ndo_stop to set the carrier off. And it makes sense, because dummy doesn't really have a carrier. Therefore, while this device is unregistering, it's still easy to hit the infinite loop in the skb_tx_hash() from the OVS datapath. There might be other drivers that do the same, but dummy by itself is important for the OVS ecosystem, because it is frequently used as a packet sink for tcpdump while debugging OVS deployments. And when the issue is hit, the only way to recover is to reboot. Fix that by also checking if the device is running. The running state is handled by the net core during unregistering, so it covers unregistering case better, and we don't really need to send packets to devices that are not running anyway. While only checking the running state might be enough, the carrier check is preserved. The running and the carrier states seem disjoined throughout the code and different drivers. And other core functions like __dev_direct_xmit() check both before attempting to transmit a packet. So, it seems safer to check both flags in OVS as well. Fixes: 066b86787fa3 ("net: openvswitch: fix race on port output") Reported-by: Friedrich Weber Closes: https://mail.openvswitch.org/pipermail/ovs-discuss/2025-January/053423.html Signed-off-by: Ilya Maximets Tested-by: Friedrich Weber Reviewed-by: Aaron Conole Link: https://patch.msgid.link/20250109122225.4034688-1-i.maximets@ovn.org Signed-off-by: Jakub Kicinski commit e7e441a4100e4bc90b52f80494a28a9667993975 Author: Paul Barker Date: Thu Jan 9 11:37:06 2025 +0000 net: ravb: Fix max TX frame size for RZ/V2M When tx_max_frame_size was added to struct ravb_hw_info, no value was set in ravb_rzv2m_hw_info so the default value of zero was used. The maximum MTU is set by subtracting from tx_max_frame_size to allow space for headers and frame checksums. As ndev->max_mtu is unsigned, this subtraction wraps around leading to a ridiculously large positive value that is obviously incorrect. Before tx_max_frame_size was introduced, the maximum MTU was based on rx_max_frame_size. So, we can restore the correct maximum MTU by copying the rx_max_frame_size value into tx_max_frame_size for RZ/V2M. Fixes: 1d63864299ca ("net: ravb: Fix maximum TX frame size for GbEth devices") Signed-off-by: Paul Barker Reviewed-by: Niklas Söderlund Reviewed-by: Simon Horman Reviewed-by: Sergey Shtylyov Link: https://patch.msgid.link/20250109113706.1409149-1-paul.barker.ct@bp.renesas.com Signed-off-by: Jakub Kicinski commit eaeea5028fa82412392d9325c44624ef8fcd1869 Author: Shradha Gupta Date: Wed Jan 8 21:03:11 2025 -0800 net: mana: Cleanup "mana" debugfs dir after cleanup of all children In mana_driver_exit(), mana_debugfs_root gets cleanup before any of it's children (which happens later in the pci_unregister_driver()). Due to this, when mana driver is configured as a module and rmmod is invoked, following stack gets printed along with failure in rmmod command. [ 2399.317651] BUG: kernel NULL pointer dereference, address: 0000000000000098 [ 2399.318657] #PF: supervisor write access in kernel mode [ 2399.319057] #PF: error_code(0x0002) - not-present page [ 2399.319528] PGD 10eb68067 P4D 0 [ 2399.319914] Oops: Oops: 0002 [#1] SMP NOPTI [ 2399.320308] CPU: 72 UID: 0 PID: 5815 Comm: rmmod Not tainted 6.13.0-rc5+ #89 [ 2399.320986] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 09/28/2024 [ 2399.321892] RIP: 0010:down_write+0x1a/0x50 [ 2399.322303] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 54 49 89 fc e8 9d cd ff ff 31 c0 ba 01 00 00 00 49 0f b1 14 24 75 17 65 48 8b 05 f6 84 dd 5f 49 89 44 24 08 4c [ 2399.323669] RSP: 0018:ff53859d6c663a70 EFLAGS: 00010246 [ 2399.324061] RAX: 0000000000000000 RBX: ff1d4eb505060180 RCX: ffffff8100000000 [ 2399.324620] RDX: 0000000000000001 RSI: 0000000000000064 RDI: 0000000000000098 [ 2399.325167] RBP: ff53859d6c663a78 R08: 00000000000009c4 R09: ff1d4eb4fac90000 [ 2399.325681] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000098 [ 2399.326185] R13: ff1d4e42e1a4a0c8 R14: ff1d4eb538ce0000 R15: 0000000000000098 [ 2399.326755] FS: 00007fe729570000(0000) GS:ff1d4eb2b7200000(0000) knlGS:0000000000000000 [ 2399.327269] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 2399.327690] CR2: 0000000000000098 CR3: 00000001c0584005 CR4: 0000000000373ef0 [ 2399.328166] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 2399.328623] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [ 2399.329055] Call Trace: [ 2399.329243] [ 2399.329379] ? show_regs+0x69/0x80 [ 2399.329602] ? __die+0x25/0x70 [ 2399.329856] ? page_fault_oops+0x271/0x550 [ 2399.330088] ? psi_group_change+0x217/0x470 [ 2399.330341] ? do_user_addr_fault+0x455/0x7b0 [ 2399.330667] ? finish_task_switch.isra.0+0x91/0x2f0 [ 2399.331004] ? exc_page_fault+0x73/0x160 [ 2399.331275] ? asm_exc_page_fault+0x27/0x30 [ 2399.343324] ? down_write+0x1a/0x50 [ 2399.343631] simple_recursive_removal+0x4d/0x2c0 [ 2399.343977] ? __pfx_remove_one+0x10/0x10 [ 2399.344251] debugfs_remove+0x45/0x70 [ 2399.344511] mana_destroy_rxq+0x44/0x400 [mana] [ 2399.344845] mana_destroy_vport+0x54/0x1c0 [mana] [ 2399.345229] mana_detach+0x2f1/0x4e0 [mana] [ 2399.345466] ? ida_free+0x150/0x160 [ 2399.345718] ? __cond_resched+0x1a/0x50 [ 2399.345987] mana_remove+0xf4/0x1a0 [mana] [ 2399.346243] mana_gd_remove+0x25/0x80 [mana] [ 2399.346605] pci_device_remove+0x41/0xb0 [ 2399.346878] device_remove+0x46/0x70 [ 2399.347150] device_release_driver_internal+0x1e3/0x250 [ 2399.347831] ? klist_remove+0x81/0xe0 [ 2399.348377] driver_detach+0x4b/0xa0 [ 2399.348906] bus_remove_driver+0x83/0x100 [ 2399.349435] driver_unregister+0x31/0x60 [ 2399.349919] pci_unregister_driver+0x40/0x90 [ 2399.350492] mana_driver_exit+0x1c/0xb50 [mana] [ 2399.351102] __do_sys_delete_module.constprop.0+0x184/0x320 [ 2399.351664] ? __fput+0x1a9/0x2d0 [ 2399.352200] __x64_sys_delete_module+0x12/0x20 [ 2399.352760] x64_sys_call+0x1e66/0x2140 [ 2399.353316] do_syscall_64+0x79/0x150 [ 2399.353813] ? syscall_exit_to_user_mode+0x49/0x230 [ 2399.354346] ? do_syscall_64+0x85/0x150 [ 2399.354816] ? irqentry_exit+0x1d/0x30 [ 2399.355287] ? exc_page_fault+0x7f/0x160 [ 2399.355756] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 2399.356302] RIP: 0033:0x7fe728d26aeb [ 2399.356776] Code: 73 01 c3 48 8b 0d 45 33 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 15 33 0f 00 f7 d8 64 89 01 48 [ 2399.358372] RSP: 002b:00007ffff954d6f8 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0 [ 2399.359066] RAX: ffffffffffffffda RBX: 00005609156cc760 RCX: 00007fe728d26aeb [ 2399.359779] RDX: 000000000000000a RSI: 0000000000000800 RDI: 00005609156cc7c8 [ 2399.360535] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 2399.361261] R10: 00007fe728dbeac0 R11: 0000000000000206 R12: 00007ffff954d950 [ 2399.361952] R13: 00005609156cc2a0 R14: 00007ffff954ee5f R15: 00005609156cc760 [ 2399.362688] Fixes: 6607c17c6c5e ("net: mana: Enable debugfs files for MANA device") Cc: stable@vger.kernel.org Signed-off-by: Shradha Gupta Reviewed-by: Michal Swiatkowski Link: https://patch.msgid.link/1736398991-764-1-git-send-email-shradhagupta@linux.microsoft.com Signed-off-by: Jakub Kicinski commit 5ef44b3cb43bda4009ba7fe3d54e0d258ae4aee7 Author: Stanislav Fomichev Date: Wed Jan 8 16:34:36 2025 -0800 xsk: Bring back busy polling support Commit 86e25f40aa1e ("net: napi: Add napi_config") moved napi->napi_id assignment to a later point in time (napi_hash_add_with_id). This breaks __xdp_rxq_info_reg which copies napi_id at an earlier time and now stores 0 napi_id. It also makes sk_mark_napi_id_once_xdp and __sk_mark_napi_id_once useless because they now work against 0 napi_id. Since sk_busy_loop requires valid napi_id to busy-poll on, there is no way to busy-poll AF_XDP sockets anymore. Bring back the ability to busy-poll on XSK by resolving socket's napi_id at bind time. This relies on relatively recent netif_queue_set_napi, but (assume) at this point most popular drivers should have been converted. This also removes per-tx/rx cycles which used to check and/or set the napi_id value. Confirmed by running a busy-polling AF_XDP socket (github.com/fomichev/xskrtt) on mlx5 and looking at BusyPollRxPackets from /proc/net/netstat. Fixes: 86e25f40aa1e ("net: napi: Add napi_config") Signed-off-by: Stanislav Fomichev Acked-by: Magnus Karlsson Reviewed-by: Jakub Kicinski Link: https://patch.msgid.link/20250109003436.2829560-1-sdf@fomichev.me Signed-off-by: Jakub Kicinski commit f0aa6a37a3dbb40b272df5fc6db93c114688adcd Author: Jakub Kicinski Date: Wed Jan 8 20:30:57 2025 -0800 eth: bnxt: always recalculate features after XDP clearing, fix null-deref Recalculate features when XDP is detached. Before: # ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp # ip li set dev eth0 xdp off # ethtool -k eth0 | grep gro rx-gro-hw: off [requested on] After: # ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp # ip li set dev eth0 xdp off # ethtool -k eth0 | grep gro rx-gro-hw: on The fact that HW-GRO doesn't get re-enabled automatically is just a minor annoyance. The real issue is that the features will randomly come back during another reconfiguration which just happens to invoke netdev_update_features(). The driver doesn't handle reconfiguring two things at a time very robustly. Starting with commit 98ba1d931f61 ("bnxt_en: Fix RSS logic in __bnxt_reserve_rings()") we only reconfigure the RSS hash table if the "effective" number of Rx rings has changed. If HW-GRO is enabled "effective" number of rings is 2x what user sees. So if we are in the bad state, with HW-GRO re-enablement "pending" after XDP off, and we lower the rings by / 2 - the HW-GRO rings doing 2x and the ethtool -L doing / 2 may cancel each other out, and the: if (old_rx_rings != bp->hw_resc.resv_rx_rings && condition in __bnxt_reserve_rings() will be false. The RSS map won't get updated, and we'll crash with: BUG: kernel NULL pointer dereference, address: 0000000000000168 RIP: 0010:__bnxt_hwrm_vnic_set_rss+0x13a/0x1a0 bnxt_hwrm_vnic_rss_cfg_p5+0x47/0x180 __bnxt_setup_vnic_p5+0x58/0x110 bnxt_init_nic+0xb72/0xf50 __bnxt_open_nic+0x40d/0xab0 bnxt_open_nic+0x2b/0x60 ethtool_set_channels+0x18c/0x1d0 As we try to access a freed ring. The issue is present since XDP support was added, really, but prior to commit 98ba1d931f61 ("bnxt_en: Fix RSS logic in __bnxt_reserve_rings()") it wasn't causing major issues. Fixes: 1054aee82321 ("bnxt_en: Use NETIF_F_GRO_HW.") Fixes: 98ba1d931f61 ("bnxt_en: Fix RSS logic in __bnxt_reserve_rings()") Reviewed-by: Michael Chan Reviewed-by: Somnath Kotur Link: https://patch.msgid.link/20250109043057.2888953-1-kuba@kernel.org Signed-off-by: Jakub Kicinski commit b3af60928ab9129befa65e6df0310d27300942bf Author: Michal Luczaj Date: Fri Jan 10 14:21:55 2025 +0100 bpf: Fix bpf_sk_select_reuseport() memory leak As pointed out in the original comment, lookup in sockmap can return a TCP ESTABLISHED socket. Such TCP socket may have had SO_ATTACH_REUSEPORT_EBPF set before it was ESTABLISHED. In other words, a non-NULL sk_reuseport_cb does not imply a non-refcounted socket. Drop sk's reference in both error paths. unreferenced object 0xffff888101911800 (size 2048): comm "test_progs", pid 44109, jiffies 4297131437 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 80 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc 9336483b): __kmalloc_noprof+0x3bf/0x560 __reuseport_alloc+0x1d/0x40 reuseport_alloc+0xca/0x150 reuseport_attach_prog+0x87/0x140 sk_reuseport_attach_bpf+0xc8/0x100 sk_setsockopt+0x1181/0x1990 do_sock_setsockopt+0x12b/0x160 __sys_setsockopt+0x7b/0xc0 __x64_sys_setsockopt+0x1b/0x30 do_syscall_64+0x93/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e Fixes: 64d85290d79c ("bpf: Allow bpf_map_lookup_elem for SOCKMAP and SOCKHASH") Signed-off-by: Michal Luczaj Reviewed-by: Martin KaFai Lau Link: https://patch.msgid.link/20250110-reuseport-memleak-v1-1-fa1ddab0adfe@rbox.co Signed-off-by: Jakub Kicinski commit 77a903cd8e5a91d120ee014c8f8eae74d6c5d0f6 Author: Michael Ellerman Date: Sat Jan 11 10:57:38 2025 +1100 MAINTAINERS: powerpc: Update my status Maddy is taking over the day-to-day maintenance of powerpc. I will still be around to help, and as a backup. Re-order the main POWERPC list to put Maddy first to reflect that. KVM/powerpc patches will be handled by Maddy via the powerpc tree with review from Nick, so replace myself with Maddy there. Remove myself from BPF, leaving Hari & Christophe as maintainers. Signed-off-by: Michael Ellerman Signed-off-by: Linus Torvalds commit 20b1aa912316ffb7fbb5f407f17c330f2a22ddff Author: Meetakshi Setiya Date: Wed Jan 8 05:10:34 2025 -0500 smb: client: sync the root session and superblock context passwords before automounting In some cases, when password2 becomes the working password, the client swaps the two password fields in the root session struct, but not in the smb3_fs_context struct in cifs_sb. DFS automounts inherit fs context from their parent mounts. Therefore, they might end up getting the passwords in the stale order. The automount should succeed, because the mount function will end up retrying with the actual password anyway. But to reduce these unnecessary session setup retries for automounts, we can sync the parent context's passwords with the root session's passwords before duplicating it to the child's fs context. Cc: stable@vger.kernel.org Signed-off-by: Meetakshi Setiya Reviewed-by: Shyam Prasad N Acked-by: Paulo Alcantara (Red Hat) Signed-off-by: Steve French commit 2e3f3090bd8bf61633b36ae3b13d4a6e777f182a Merge: 58624e4bc87619 a2a3374c47c428 Author: Linus Torvalds Date: Fri Jan 10 15:11:58 2025 -0800 Merge tag 'sched_ext-for-6.13-rc6-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/sched_ext Pull sched_ext fixes from Tejun Heo: - Fix corner case bug where ops.dispatch() couldn't extend the execution of the current task if SCX_OPS_ENQ_LAST is set. - Fix ops.cpu_release() not being called when a SCX task is preempted by a higher priority sched class task. - Fix buitin idle mask being incorrectly left as busy after an idle CPU is picked and kicked. - scx_ops_bypass() was unnecessarily using rq_lock() which comes with rq pinning related sanity checks which could trigger spuriously. Switch to raw_spin_rq_lock(). * tag 'sched_ext-for-6.13-rc6-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/sched_ext: sched_ext: idle: Refresh idle masks during idle-to-idle transitions sched_ext: switch class when preempted by higher priority scheduler sched_ext: Replace rq_lock() to raw_spin_rq_lock() in scx_ops_bypass() sched_ext: keep running prev when prev->scx.slice != 0 commit 58624e4bc876198a5dc41be1d7dd39e7c944b9c6 Merge: 257a8be4e9a6fc 3cb97a927fffe4 Author: Linus Torvalds Date: Fri Jan 10 15:03:02 2025 -0800 Merge tag 'cgroup-for-6.13-rc6-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup Pull cgroup fixes from Tejun Heo: "Cpuset fixes: - Fix isolated CPUs leaking into sched domains - Remove now unnecessary kernfs active break which can trigger a warning - Comment updates" * tag 'cgroup-for-6.13-rc6-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup: cgroup/cpuset: remove kernfs active break cgroup/cpuset: Prevent leakage of isolated CPUs into sched domains cgroup/cpuset: Remove stale text commit 257a8be4e9a6fc3e821c337275256416750afa5b Merge: da13af839228cc da30ba227c4176 Author: Linus Torvalds Date: Fri Jan 10 14:52:30 2025 -0800 Merge tag 'wq-for-6.13-rc6-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq Pull workqueue fix from Tejun Heo: - Add a WARN_ON_ONCE() on queue_delayed_work_on() on an offline CPU as such work items won't get executed till the CPU comes back online * tag 'wq-for-6.13-rc6-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq: workqueue: warn if delayed_work is queued to an offlined cpu. commit da13af839228cc3ec51d9caabea9c0b411dc464a Merge: 475c9f5854d3c6 9164e0912af206 Author: Linus Torvalds Date: Fri Jan 10 14:46:49 2025 -0800 Merge tag 'thermal-6.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull thermal control fix from Rafael Wysocki: "Fix an OF node leak in the code parsing thermal zone DT properties (Joe Hattori)" * tag 'thermal-6.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: thermal: of: fix OF node leak in of_thermal_zone_find() commit 475c9f5854d3c68ac9aa0239c1db14ae0fcc1d8b Merge: e0daef7de1acec cd4a7b2e6a2437 Author: Linus Torvalds Date: Fri Jan 10 14:41:46 2025 -0800 Merge tag 'acpi-6.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull ACPI fixes from Rafael Wysocki: "Add two more ACPI IRQ override quirks and update the code using them to avoid unnecessary overhead (Hans de Goede)" * tag 'acpi-6.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: ACPI: resource: acpi_dev_irq_override(): Check DMI match last ACPI: resource: Add TongFang GM5HG0A to irq1_edge_low_force_override[] ACPI: resource: Add Asus Vivobook X1504VAP to irq1_level_low_skip_override[] commit a2a3374c47c428c0edb0bbc693638d4783f81e31 Author: Andrea Righi Date: Fri Jan 10 23:16:31 2025 +0100 sched_ext: idle: Refresh idle masks during idle-to-idle transitions With the consolidation of put_prev_task/set_next_task(), see commit 436f3eed5c69 ("sched: Combine the last put_prev_task() and the first set_next_task()"), we are now skipping the transition between these two functions when the previous and the next tasks are the same. As a result, the scx idle state of a CPU is updated only when transitioning to or from the idle thread. While this is generally correct, it can lead to uneven and inefficient core utilization in certain scenarios [1]. A typical scenario involves proactive wake-ups: scx_bpf_pick_idle_cpu() selects and marks an idle CPU as busy, followed by a wake-up via scx_bpf_kick_cpu(), without dispatching any tasks. In this case, the CPU continues running the idle thread, returns to idle, but remains marked as busy, preventing it from being selected again as an idle CPU (until a task eventually runs on it and releases the CPU). For example, running a workload that uses 20% of each CPU, combined with an scx scheduler using proactive wake-ups, results in the following core utilization: CPU 0: 25.7% CPU 1: 29.3% CPU 2: 26.5% CPU 3: 25.5% CPU 4: 0.0% CPU 5: 25.5% CPU 6: 0.0% CPU 7: 10.5% To address this, refresh the idle state also in pick_task_idle(), during idle-to-idle transitions, but only trigger ops.update_idle() on actual state changes to prevent unnecessary updates to the scx scheduler and maintain balanced state transitions. With this change in place, the core utilization in the previous example becomes the following: CPU 0: 18.8% CPU 1: 19.4% CPU 2: 18.0% CPU 3: 18.7% CPU 4: 19.3% CPU 5: 18.9% CPU 6: 18.7% CPU 7: 19.3% [1] https://github.com/sched-ext/scx/pull/1139 Fixes: 7c65ae81ea86 ("sched_ext: Don't call put_prev_task_scx() before picking the next task") Signed-off-by: Andrea Righi Signed-off-by: Tejun Heo commit bd2703b42decebdcddf76e277ba76b4c4a142d73 Author: Pavel Begunkov Date: Fri Jan 10 20:36:45 2025 +0000 io_uring: don't touch sqd->thread off tw add With IORING_SETUP_SQPOLL all requests are created by the SQPOLL task, which means that req->task should always match sqd->thread. Since accesses to sqd->thread should be separately protected, use req->task in io_req_normal_work_add() instead. Note, in the eyes of io_req_normal_work_add(), the SQPOLL task struct is always pinned and alive, and sqd->thread can either be the task or NULL. It's only problematic if the compiler decides to reload the value after the null check, which is not so likely. Cc: stable@vger.kernel.org Cc: Bui Quang Minh Reported-by: lizetao Fixes: 78f9b61bd8e54 ("io_uring: wake SQPOLL task when task_work is added to an empty queue") Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/1cbbe72cf32c45a8fee96026463024cd8564a7d7.1736541357.git.asml.silence@gmail.com Signed-off-by: Jens Axboe commit 4b7cfa8b6c28a9fa22b86894166a1a34f6d630ba Author: Pavel Begunkov Date: Fri Jan 10 14:31:23 2025 +0000 io_uring/sqpoll: zero sqd->thread on tctx errors Syzkeller reports: BUG: KASAN: slab-use-after-free in thread_group_cputime+0x409/0x700 kernel/sched/cputime.c:341 Read of size 8 at addr ffff88803578c510 by task syz.2.3223/27552 Call Trace: ... kasan_report+0x143/0x180 mm/kasan/report.c:602 thread_group_cputime+0x409/0x700 kernel/sched/cputime.c:341 thread_group_cputime_adjusted+0xa6/0x340 kernel/sched/cputime.c:639 getrusage+0x1000/0x1340 kernel/sys.c:1863 io_uring_show_fdinfo+0xdfe/0x1770 io_uring/fdinfo.c:197 seq_show+0x608/0x770 fs/proc/fd.c:68 ... That's due to sqd->task not being cleared properly in cases where SQPOLL task tctx setup fails, which can essentially only happen with fault injection to insert allocation errors. Cc: stable@vger.kernel.org Fixes: 1251d2025c3e1 ("io_uring/sqpoll: early exit thread if task_context wasn't allocated") Reported-by: syzbot+3d92cfcfa84070b0a470@syzkaller.appspotmail.com Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/efc7ec7010784463b2e7466d7b5c02c2cb381635.1736519461.git.asml.silence@gmail.com Signed-off-by: Jens Axboe commit e0daef7de1acecdb64c1fa31abc06529abb98710 Merge: f8c6263347e174 fddb4fd91a9556 Author: Linus Torvalds Date: Fri Jan 10 12:35:46 2025 -0800 Merge tag 'drm-fixes-2025-01-11' of https://gitlab.freedesktop.org/drm/kernel Pull drm fixes from Dave Airlie: "Regular weekly fixes, this has the usual amdgpu/xe/i915 bits. There is a bigger bunch of mediatek patches that I considered not including at this stage, but all the changes (except for one were obvious small fixes, and the rotation one is a few lines, and I suppose will help someone have their screen up the right way), I decided to include it since I expect it got slowed down by holidays etc, and it's not that mainstream a hw platform. i915: - Revert "drm/i915/hdcp: Don't enable HDCP1.4 directly from check_link" amdgpu: - Display interrupt fixes - Fix display max surface mismatches - Fix divide error in DM plane scale calcs - Display divide by 0 checks in dml helpers - SMU 13 AD/DC interrrupt handling fix - Fix locking around buddy trim handling amdkfd: - Fix page fault with shader debugger enabled - Fix eviction fence wq handling xe: - Avoid a NULL ptr deref when wedging - Fix power gate sequence on DG1 mediatek: - Revert "drm/mediatek: dsi: Correct calculation formula of PHY Timing" - Set private->all_drm_private[i]->drm to NULL if mtk_drm_bind returns err - Move mtk_crtc_finish_page_flip() to ddp_cmdq_cb() - Only touch DISP_REG_OVL_PITCH_MSB if AFBC is supported - Add support for 180-degree rotation in the display driver - Stop selecting foreign drivers - Revert "drm/mediatek: Switch to for_each_child_of_node_scoped()" - Fix YCbCr422 color format issue for DP - Fix mode valid issue for dp - dp: Reference common DAI properties - dsi: Add registers to pdata to fix MT8186/MT8188 - Remove unneeded semicolon - Add return value check when reading DPCD - Initialize pointer in mtk_drm_of_ddp_path_build_one()" * tag 'drm-fixes-2025-01-11' of https://gitlab.freedesktop.org/drm/kernel: (26 commits) drm/xe/dg1: Fix power gate sequence. drm/xe: Fix tlb invalidation when wedging Revert "drm/i915/hdcp: Don't enable HDCP1.4 directly from check_link" drm/amdgpu: Add a lock when accessing the buddy trim function drm/amd/pm: fix BUG: scheduling while atomic drm/amdkfd: wq_release signals dma_fence only when available drm/amd/display: Add check for granularity in dml ceil/floor helpers drm/amdkfd: fixed page fault when enable MES shader debugger drm/amd/display: fix divide error in DM plane scale calcs drm/amd/display: increase MAX_SURFACES to the value supported by hw drm/amd/display: fix page fault due to max surface definition mismatch drm/amd/display: Remove unnecessary amdgpu_irq_get/put drm/mediatek: Initialize pointer in mtk_drm_of_ddp_path_build_one() drm/mediatek: Add return value check when reading DPCD drm/mediatek: Remove unneeded semicolon drm/mediatek: mtk_dsi: Add registers to pdata to fix MT8186/MT8188 dt-bindings: display: mediatek: dp: Reference common DAI properties drm/mediatek: Fix mode valid issue for dp drm/mediatek: Fix YCbCr422 color format issue for DP Revert "drm/mediatek: Switch to for_each_child_of_node_scoped()" ... commit f8c6263347e1740edf159584775332f4abf693a1 Merge: 7110f24f9e3397 6f6ecce59d99ef Author: Linus Torvalds Date: Fri Jan 10 10:50:30 2025 -0800 Merge tag 'riscv-for-linus-6.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux Pull RISC-V fixes from Palmer Dabbelt: - a handful of selftest fixes - fix a memory leak in relocation processing during module loading - avoid sleeping in die() - fix kprobe instruction slot address calculations - fix DT node reference leak in SBI idle probing - avoid initializing out of bounds pages on sparse vmemmap systems with a gap at the start of their physical memory map - fix backtracing through exceptions - _Q_PENDING_LOOPS is now defined whenever QUEUED_SPINLOCKS=y - local labels in entry.S are now marked with ".L", which prevents them from trashing backtraces - a handful of fixes for SBI-based performance counters * tag 'riscv-for-linus-6.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux: drivers/perf: riscv: Do not allow invalid raw event config drivers/perf: riscv: Return error for default case drivers/perf: riscv: Fix Platform firmware event data tools: selftests: riscv: Add test count for vstate_prctl tools: selftests: riscv: Add pass message for v_initval_nolibc riscv: use local label names instead of global ones in assembly riscv: qspinlock: Fixup _Q_PENDING_LOOPS definition riscv: stacktrace: fix backtracing through exceptions riscv: mm: Fix the out of bound issue of vmemmap address cpuidle: riscv-sbi: fix device node release in early exit of for_each_possible_cpu riscv: kprobes: Fix incorrect address calculation riscv: Fix sleeping in invalid context in die() riscv: module: remove relocation_head rel_entry member allocation riscv: selftests: Fix warnings pointer masking test commit 36b23e3baf9129d5b6c3a3a85b6b7ffb75ae287c Author: Alex Hung Date: Tue Dec 17 11:51:58 2024 -0700 drm/amd/display: Initialize denominator defaults to 1 [WHAT & HOW] Variables, used as denominators and maybe not assigned to other values, should be initialized to non-zero to avoid DIVIDE_BY_ZERO, as reported by Coverity. Reviewed-by: Austin Zheng Reviewed-by: Rodrigo Siqueira Signed-off-by: Alex Hung Signed-off-by: Tom Chung Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher (cherry picked from commit e2c4c6c10542ccfe4a0830bb6c9fd5b177b7bbb7) commit b5c764d6ed556c4e81fbe3fd976da77ec450c08e Author: Tom Chung Date: Tue Oct 1 17:13:07 2024 +0800 drm/amd/display: Use HW lock mgr for PSR1 [Why] Without the dmub hw lock, it may cause the lock timeout issue while do modeset on PSR1 eDP panel. [How] Allow dmub hw lock for PSR1. Reviewed-by: Sun peng Li Signed-off-by: Tom Chung Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher (cherry picked from commit a2b5a9956269f4c1a09537177f18ab0229fe79f7) commit 470d4f05c77153b97f53554a3c44164361a4d939 Author: Yiling Chen Date: Fri Dec 20 17:12:54 2024 +0800 drm/amd/display: Remove unnecessary eDP power down [why] When first time of link training is fail, eDP would be powered down and would not be powered up for next retry link training. It causes that all of retry link linking would be fail. [how] We has extracted both power up and down sequence from enable/disable link output function before DCN32. We remov eDP power down in dcn32_disable_link_output(). Reviewed-by: Charlene Liu Signed-off-by: Yiling Chen Signed-off-by: Tom Chung Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher (cherry picked from commit f5860c88cdfe7300d08c1aef881bba0cac369e34) commit 35ca53b7b0f0ffd16c6675fd76abac9409cf83e0 Author: Leo Li Date: Wed Dec 11 12:06:24 2024 -0500 drm/amd/display: Do not elevate mem_type change to full update [Why] There should not be any need to revalidate bandwidth on memory placement change, since the fb is expected to be pinned to DCN-accessable memory before scanout. For APU it's DRAM, and DGPU, it's VRAM. However, async flips + memory type change needs to be rejected. [How] Do not set lock_and_validation_needed on mem_type change. Instead, reject an async_flip request if the crtc's buffer(s) changed mem_type. This may fix stuttering/corruption experienced with PSR SU and PSR1 panels, if the compositor allocates fbs in both VRAM carveout and GTT and flips between them. Fixes: a7c0cad0dc06 ("drm/amd/display: ensure async flips are only accepted for fast updates") Reviewed-by: Tom Chung Signed-off-by: Leo Li Signed-off-by: Tom Chung Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher (cherry picked from commit 4caacd1671b7a013ad04cd8b6398f002540bdd4d) Cc: stable@vger.kernel.org commit ff2e4d874726c549130308b6b46aa0f8a34e04cb Author: Leo Li Date: Mon Dec 9 12:58:33 2024 -0500 drm/amd/display: Do not wait for PSR disable on vbl enable [Why] Outside of a modeset/link configuration change, we should not have to wait for the panel to exit PSR. Depending on the panel and it's state, it may take multiple frames for it to exit PSR. Therefore, waiting in all scenarios may cause perceived stuttering, especially in combination with faster vblank shutdown. [How] PSR1 disable is hooked up to the vblank enable event, and vice versa. In case of vblank enable, do not wait for panel to exit PSR, but still wait in all other cases. We also avoid a call to unnecessarily change power_opts on disable - this ends up sending another command to dmcub fw. When testing against IGT, some crc tests like kms_plane_alpha_blend and amd_hotplug were failing due to CRC timeouts. This was found to be caused by the early return before HW has fully exited PSR1. Fix this by first making sure we grab a vblank reference, then waiting for panel to exit PSR1, before programming hw for CRC generation. Fixes: 58a261bfc967 ("drm/amd/display: use a more lax vblank enable policy for older ASICs") Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3743 Reviewed-by: Tom Chung Signed-off-by: Leo Li Signed-off-by: Tom Chung Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher (cherry picked from commit aa6713fa2046f4c09bf3013dd1420ae15603ca6f) Cc: stable@vger.kernel.org commit da30ba227c41762ac98e993a1453460450b3e642 Author: Imran Khan Date: Fri Jan 10 10:27:11 2025 +1100 workqueue: warn if delayed_work is queued to an offlined cpu. delayed_work submitted to an offlined cpu, will not get executed, after the specified delay if the cpu remains offline. If the cpu never comes online the work will never get executed. checking for online cpu in __queue_delayed_work, does not sound like a good idea because to do this reliably we need hotplug lock and since work may be submitted from atomic contexts, we would have to use cpus_read_trylock. But if trylock fails we would queue the work on any cpu and this may not be optimal because our intended cpu might still be online. Putting a WARN_ON_ONCE for an already offlined cpu, will indicate users of queue_delayed_work_on, if they are (wrongly) trying to queue delayed_work on offlined cpu. Also indicate the problem of using offlined cpu with queue_delayed_work_on, in its description. Signed-off-by: Imran Khan Signed-off-by: Tejun Heo commit 3412860cc4c0c484f53f91b371483e6e4440c3e5 Author: Nicholas Susanto Date: Thu Dec 19 14:15:37 2024 -0500 Revert "drm/amd/display: Enable urgent latency adjustments for DCN35" Revert commit 284f141f5ce5 ("drm/amd/display: Enable urgent latency adjustments for DCN35") [Why & How] Urgent latency increase caused 2.8K OLED monitor caused it to block this panel support P0. Reverting this change does not reintroduce the netflix corruption issue which it fixed. Fixes: 284f141f5ce5 ("drm/amd/display: Enable urgent latency adjustments for DCN35") Reviewed-by: Charlene Liu Signed-off-by: Nicholas Susanto Signed-off-by: Tom Chung Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher (cherry picked from commit c7ccfc0d4241a834c25a9a9e1e78b388b4445d23) Cc: stable@vger.kernel.org commit adb4998f4928a17d91be054218a902ba9f8c1f93 Author: Wayne Lin Date: Mon Dec 9 15:25:35 2024 +0800 drm/amd/display: Reduce accessing remote DPCD overhead [Why] Observed frame rate get dropped by tool like glxgear. Even though the output to monitor is 60Hz, the rendered frame rate drops to 30Hz lower. It's due to code path in some cases will trigger dm_dp_mst_is_port_support_mode() to read out remote Link status to assess the available bandwidth for dsc maniplation. Overhead of keep reading remote DPCD is considerable. [How] Store the remote link BW in mst_local_bw and use end-to-end full_pbn as an indicator to decide whether update the remote link bw or not. Whenever we need the info to assess the BW, visit the stored one first. Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3720 Fixes: fa57924c76d9 ("drm/amd/display: Refactor function dm_dp_mst_is_port_support_mode()") Cc: Mario Limonciello Cc: Alex Deucher Reviewed-by: Jerry Zuo Signed-off-by: Wayne Lin Signed-off-by: Tom Chung Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher (cherry picked from commit 4a9a918545455a5979c6232fcf61ed3d8f0db3ae) Cc: stable@vger.kernel.org commit b5cd418f016fb801be413fd52fe4711d2d13018c Author: Wayne Lin Date: Tue Dec 10 11:17:55 2024 +0800 drm/amd/display: Validate mdoe under MST LCT=1 case as well [Why & How] Currently in dm_dp_mst_is_port_support_mode(), when valdidating mode under dsc decoding at the last DP link config, we only validate the case when there is an UFP. However, if the MSTB LCT=1, there is no UFP. Under this case, use root_link_bw_in_kbps as the available bw to compare. Link: https://gitlab.freedesktop.org/drm/amd/-/issues/3720 Fixes: fa57924c76d9 ("drm/amd/display: Refactor function dm_dp_mst_is_port_support_mode()") Cc: Mario Limonciello Cc: Alex Deucher Reviewed-by: Jerry Zuo Signed-off-by: Wayne Lin Signed-off-by: Tom Chung Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher (cherry picked from commit a04d9534a8a75b2806c5321c387be450c364b55e) Cc: stable@vger.kernel.org commit 11510e67d0bd956878ab4ffa03c45766788092c1 Author: Alex Deucher Date: Wed Jan 8 15:17:12 2025 -0500 drm/amdgpu/smu13: update powersave optimizations Only apply when compute profile is selected. This is the only supported configuration. Selecting other profiles can lead to performane degradations. Reviewed-by: Kenneth Feng Signed-off-by: Alex Deucher (cherry picked from commit d477e39532d725b1cdb3c8005c689c74ffbf3b94) Cc: stable@vger.kernel.org # 6.12.x commit 5391c5d8e60610bf914f767a6a749004e2d223f0 Merge: 155c5bf26f983e 3699f2c43ea998 Author: Arnd Bergmann Date: Fri Jan 10 18:20:46 2025 +0100 Merge tag 'v6.13-rockchip-dtsfixes1' of https://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip into arm/fixes Fixed card-detect on one board and some missing properties added. * tag 'v6.13-rockchip-dtsfixes1' of https://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip: arm64: dts: rockchip: add hevc power domain clock to rk3328 arm64: dts: rockchip: Fix the SD card detection on NanoPi R6C/R6S arm64: dts: rockchip: rename rfkill label for Radxa ROCK 5B arm64: dts: rockchip: add reset-names for combphy on rk3568 Link: https://lore.kernel.org/r/2914560.yaVYbkx8dN@diego Signed-off-by: Arnd Bergmann commit 7110f24f9e33979fd704f7a4a595a9d3e9bdacb7 Merge: 36eb21945a19d8 1623bc27a85a93 Author: Linus Torvalds Date: Fri Jan 10 09:11:11 2025 -0800 Merge tag 'vfs-6.13-rc7.fixes.2' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull vfs fixes from Christian Brauner: "afs: - Fix the maximum cell name length - Fix merge preference rule failure condition fuse: - Fix fuse_get_user_pages() so it doesn't risk misleading the caller to think pages have been allocated when they actually haven't - Fix direct-io folio offset and length calculation netfs: - Fix async direct-io handling - Fix read-retry for filesystems that don't provide a ->prepare_read() method vfs: - Prevent truncating 64-bit offsets to 32-bits in iomap - Fix memory barrier interactions when polling - Remove MNT_ONRB to fix concurrent modification of @mnt->mnt_flags leading to MNT_ONRB to not be raised and invalid access to a list member" * tag 'vfs-6.13-rc7.fixes.2' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: poll: kill poll_does_not_wait() sock_poll_wait: kill the no longer necessary barrier after poll_wait() io_uring_poll: kill the no longer necessary barrier after poll_wait() poll_wait: kill the obsolete wait_address check poll_wait: add mb() to fix theoretical race between waitqueue_active() and .poll() afs: Fix merge preference rule failure condition netfs: Fix read-retry for fs with no ->prepare_read() netfs: Fix kernel async DIO fs: kill MNT_ONRB iomap: avoid avoid truncating 64-bit offset to 32 bits afs: Fix the maximum cell name length fuse: Set *nbytesp=0 in fuse_get_user_pages on allocation failure fuse: fix direct io folio offset and length calculation commit 36eb21945a19d82c5b4bb1e995ca798104cb85ec Merge: 8c8d54116fa289 111d36d6278756 Author: Linus Torvalds Date: Fri Jan 10 09:04:27 2025 -0800 Merge tag 'xfs-fixes-6.13-rc7' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux Pull xfs fixes from Carlos Maiolino: - Fix a missing lock while detaching a dquot buffer - Fix failure on xfs_update_last_rtgroup_size for !XFS_RT * tag 'xfs-fixes-6.13-rc7' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux: xfs: lock dquot buffer before detaching dquot from b_li_list xfs: don't return an error from xfs_update_last_rtgroup_size for !XFS_RT commit 8c8d54116fa289e4d559c0a8fb27d11de9a3a8bc Merge: b999e7f92e24e3 1d7461d0c83306 Author: Linus Torvalds Date: Fri Jan 10 08:14:22 2025 -0800 Merge tag 'platform-drivers-x86-v6.13-5' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86 Pull x86 platform driver fixes from Ilpo Järvinen: "Fixes and new HW support: - amd/pmc: Match IRQ1 wakeup disable with the enable on i8042 side - intel: power-domains: Clearwater Forest support - intel/pmc: Skip SSRAM setup when no additional devices are present - ISST: Clearwater Forest support" * tag 'platform-drivers-x86-v6.13-5' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86: platform/x86: intel/pmc: Fix ioremap() of bad address platform/x86: ISST: Add Clearwater Forest to support list platform/x86/intel: power-domains: Add Clearwater Forest support platform/x86/amd/pmc: Only disable IRQ1 wakeup where i8042 actually enabled it commit b999e7f92e24e32a785934e5c561c0999e8c14bb Merge: 9d64558493fef2 907af7d6e0c8cf Author: Linus Torvalds Date: Fri Jan 10 08:05:32 2025 -0800 Merge tag 'regulator-fix-v6.13-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator Pull regulator fixes from Mark Brown: "A couple of fixes for !REGULATOR and !OF configurations, adding missing stubs" * tag 'regulator-fix-v6.13-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator: regulator: Move OF_ API declarations/definitions outside CONFIG_REGULATOR regulator: Guard of_regulator_bulk_get_all() with CONFIG_OF commit 9d64558493fef271a38672d048f16e3617e3290a Merge: 2144da25584eb1 e59f4c97172de0 Author: Linus Torvalds Date: Fri Jan 10 07:59:47 2025 -0800 Merge tag 'gpio-fixes-for-v6.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux Pull gpio fixes from Bartosz Golaszewski: "There's one small fix for real HW - gpio-loongson. The rest concern two virtual testing drivers in which some issues were recently found and addressed: - fix resource leaks in error path in gpio-virtuser (and one consistent memory leak triggered on every device removal)) - fix the use-case of having multiple con_ids in a lookup table in gpio-virtuser which has never worked (despite being advertised) - don't allow rmdir() on configfs directories when they are in use in gpio-sim and gpio-virtuser - fix register offsets in gpio-loongson-64" * tag 'gpio-fixes-for-v6.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux: gpio: loongson: Fix Loongson-2K2000 ACPI GPIO register offset gpio: sim: lock up configfs that an instantiated device depends on gpio: virtuser: lock up configfs that an instantiated device depends on gpio: virtuser: fix handling of multiple conn_ids in lookup table gpio: virtuser: fix missing lookup table cleanups commit 0fa01cf41ff9719f5d81f396285fc120c312ead8 Merge: de5afaddd5a7af 139fa599cea0fd Author: Takashi Iwai Date: Fri Jan 10 15:30:28 2025 +0100 Merge tag 'asoc-fix-v6.13-rc6' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus ASoC: Fixes for v6.13 A collection of device specific fixes that came in over the holidays, plus a MAINTAINERS update and some documentation to help users debug problems with some of the Cirrus CODECs found in modern laptops. commit f3149ed697dd0c4fc1d696fef78129fa2fe4ca12 Merge: b0e525d7a22ea3 f5b435be70cb12 Author: Greg Kroah-Hartman Date: Fri Jan 10 14:59:20 2025 +0100 Merge tag 'usb-serial-6.13-rc7' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial into usb-linus Johan writes: USB-serial device ids for 6.13-rc7 Here are some new modem and cp210x device ids. All have been in linux-next with no reported issues. * tag 'usb-serial-6.13-rc7' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial: USB: serial: option: add Neoway N723-EA support USB: serial: option: add MeiG Smart SRM815 USB: serial: cp210x: add Phoenix Contact UPS Device commit 1623bc27a85a93e82194c8d077eccc464efa67db Merge: 17a4fde81d3a74 67cd2e23c0f353 Author: Christian Brauner Date: Fri Jan 10 12:01:21 2025 +0100 Merge branch 'vfs-6.14.poll' into vfs.fixes Bring in the fixes for __pollwait() and waitqueue_active() interactions. Signed-off-by: Christian Brauner commit 67cd2e23c0f353803f182ae790a7d5074d4c1a4d Merge: 40384c840ea194 f005bf18a57aad Author: Christian Brauner Date: Fri Jan 10 11:59:08 2025 +0100 Merge patch series "poll_wait: add mb() to fix theoretical race between waitqueue_active() and .poll()" Oleg Nesterov says: The waitqueue_active() helper can only be used if both waker and waiter have memory barriers that pair with each other. But __pollwait() is broken in this respect. Fix it. * patches from https://lore.kernel.org/r/20250107162649.GA18886@redhat.com: poll: kill poll_does_not_wait() sock_poll_wait: kill the no longer necessary barrier after poll_wait() io_uring_poll: kill the no longer necessary barrier after poll_wait() poll_wait: kill the obsolete wait_address check poll_wait: add mb() to fix theoretical race between waitqueue_active() and .poll() Link: https://lore.kernel.org/r/20250107162649.GA18886@redhat.com Signed-off-by: Christian Brauner commit f005bf18a57aadf3af1e85a0f0151cb3688ee606 Author: Oleg Nesterov Date: Tue Jan 7 17:27:43 2025 +0100 poll: kill poll_does_not_wait() It no longer has users. Signed-off-by: Oleg Nesterov Link: https://lore.kernel.org/r/20250107162743.GA18947@redhat.com Signed-off-by: Christian Brauner commit b2849867b3a70c2d675ddca01c4e4540f7d3b8e9 Author: Oleg Nesterov Date: Tue Jan 7 17:27:36 2025 +0100 sock_poll_wait: kill the no longer necessary barrier after poll_wait() Now that poll_wait() provides a full barrier we can remove smp_mb() from sock_poll_wait(). Also, the poll_does_not_wait() check before poll_wait() just adds the unnecessary confusion, kill it. poll_wait() does the same "p && p->_qproc" check. Signed-off-by: Oleg Nesterov Link: https://lore.kernel.org/r/20250107162736.GA18944@redhat.com Signed-off-by: Christian Brauner commit 4e15fa8305deecdf20233558ed9f7a8a62b708fd Author: Oleg Nesterov Date: Tue Jan 7 17:27:30 2025 +0100 io_uring_poll: kill the no longer necessary barrier after poll_wait() Now that poll_wait() provides a full barrier we can remove smp_rmb() from io_uring_poll(). In fact I don't think smp_rmb() was correct, it can't serialize LOADs and STOREs. Signed-off-by: Oleg Nesterov Link: https://lore.kernel.org/r/20250107162730.GA18940@redhat.com Signed-off-by: Christian Brauner commit 10b02a2cfec2f106db4897ad87732db56d71e6fd Author: Oleg Nesterov Date: Tue Jan 7 17:27:24 2025 +0100 poll_wait: kill the obsolete wait_address check This check is historical and no longer needed, wait_address is never NULL. These days we rely on the poll_table->_qproc check. NULL if select/poll is not going to sleep, or it already has a data to report, or all waiters have already been registered after the 1st iteration. However, poll_table *p can be NULL, see p9_fd_poll() for example, so we can't remove the "p != NULL" check. Link: https://lore.kernel.org/all/20250106180325.GF7233@redhat.com/ Signed-off-by: Oleg Nesterov Link: https://lore.kernel.org/r/20250107162724.GA18926@redhat.com Signed-off-by: Christian Brauner commit cacd9ae4bf801ff4125d8961bb9a3ba955e51680 Author: Oleg Nesterov Date: Tue Jan 7 17:27:17 2025 +0100 poll_wait: add mb() to fix theoretical race between waitqueue_active() and .poll() As the comment above waitqueue_active() explains, it can only be used if both waker and waiter have mb()'s that pair with each other. However __pollwait() is broken in this respect. This is not pipe-specific, but let's look at pipe_poll() for example: poll_wait(...); // -> __pollwait() -> add_wait_queue() LOAD(pipe->head); LOAD(pipe->head); In theory these LOAD()'s can leak into the critical section inside add_wait_queue() and can happen before list_add(entry, wq_head), in this case pipe_poll() can race with wakeup_pipe_readers/writers which do smp_mb(); if (waitqueue_active(wq_head)) wake_up_interruptible(wq_head); There are more __pollwait()-like functions (grep init_poll_funcptr), and it seems that at least ep_ptable_queue_proc() has the same problem, so the patch adds smp_mb() into poll_wait(). Link: https://lore.kernel.org/all/20250102163320.GA17691@redhat.com/ Signed-off-by: Oleg Nesterov Link: https://lore.kernel.org/r/20250107162717.GA18922@redhat.com Signed-off-by: Christian Brauner commit 111d36d6278756128b7d7fab787fdcbf8221cd98 Author: Darrick J. Wong Date: Wed Jan 8 16:54:02 2025 -0800 xfs: lock dquot buffer before detaching dquot from b_li_list We have to lock the buffer before we can delete the dquot log item from the buffer's log item list. Cc: stable@vger.kernel.org # v6.13-rc3 Fixes: acc8f8628c3737 ("xfs: attach dquot buffer to dquot log item buffer") Signed-off-by: Darrick J. Wong Reviewed-by: Christoph Hellwig Signed-off-by: Carlos Maiolino commit 67510d7e2e5f5bdc020bf9d759aa575cce48c8e1 Author: Johannes Berg Date: Fri Jan 10 08:58:14 2025 +0100 fs: debugfs: fix open proxy for unsafe files In the previous commit referenced below, I had to split the short fops handling into different proxy fops. This necessitated knowing out-of-band whether or not the ops are short or full, when attempting to convert from fops to allocated fsdata. Unfortunately, I only converted full_proxy_open() which is used for the new full_proxy_open_regular() and full_proxy_open_short(), but forgot about the call in open_proxy_open(), used for debugfs_create_file_unsafe(). Fix that, it never has short fops. Fixes: f8f25893a477 ("fs: debugfs: differentiate short fops with proxy ops") Reported-by: Suresh Kumar Kurmi Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-lkp/202501101055.bb8bf3e7-lkp@intel.com Reported-by: Venkat Rao Bagalkote Signed-off-by: Johannes Berg Link: https://lore.kernel.org/r/20250110085826.cd74f3b7a36b.I430c79c82ec3f954c2ff9665753bf6ac9e63eef8@changeid Signed-off-by: Greg Kroah-Hartman commit b583ef82b671c9a752fbe3e95bd4c1c51eab764d Author: Jiri Olsa Date: Thu Jan 9 15:14:40 2025 +0100 uprobes: Fix race in uprobe_free_utask Max Makarov reported kernel panic [1] in perf user callchain code. The reason for that is the race between uprobe_free_utask and bpf profiler code doing the perf user stack unwind and is triggered within uprobe_free_utask function: - after current->utask is freed and - before current->utask is set to NULL general protection fault, probably for non-canonical address 0x9e759c37ee555c76: 0000 [#1] SMP PTI RIP: 0010:is_uprobe_at_func_entry+0x28/0x80 ... ? die_addr+0x36/0x90 ? exc_general_protection+0x217/0x420 ? asm_exc_general_protection+0x26/0x30 ? is_uprobe_at_func_entry+0x28/0x80 perf_callchain_user+0x20a/0x360 get_perf_callchain+0x147/0x1d0 bpf_get_stackid+0x60/0x90 bpf_prog_9aac297fb833e2f5_do_perf_event+0x434/0x53b ? __smp_call_single_queue+0xad/0x120 bpf_overflow_handler+0x75/0x110 ... asm_sysvec_apic_timer_interrupt+0x1a/0x20 RIP: 0010:__kmem_cache_free+0x1cb/0x350 ... ? uprobe_free_utask+0x62/0x80 ? acct_collect+0x4c/0x220 uprobe_free_utask+0x62/0x80 mm_release+0x12/0xb0 do_exit+0x26b/0xaa0 __x64_sys_exit+0x1b/0x20 do_syscall_64+0x5a/0x80 It can be easily reproduced by running following commands in separate terminals: # while :; do bpftrace -e 'uprobe:/bin/ls:_start { printf("hit\n"); }' -c ls; done # bpftrace -e 'profile:hz:100000 { @[ustack()] = count(); }' Fixing this by making sure current->utask pointer is set to NULL before we start to release the utask object. [1] https://github.com/grafana/pyroscope/issues/3673 Fixes: cfa7f3d2c526 ("perf,x86: avoid missing caller address in stack traces captured in uprobe") Reported-by: Max Makarov Signed-off-by: Jiri Olsa Signed-off-by: Peter Zijlstra (Intel) Acked-by: Oleg Nesterov Acked-by: Andrii Nakryiko Link: https://lore.kernel.org/r/20250109141440.2692173-1-jolsa@kernel.org commit de5afaddd5a7af6b9c48900741b410ca03e453ae Author: Stefan Binding Date: Thu Jan 9 16:54:48 2025 +0000 ALSA: hda/realtek: Add support for Ayaneo System using CS35L41 HDA Add support for Ayaneo Portable Game System. System use 2 CS35L41 Amps with HDA, using Internal boost, with I2C Signed-off-by: Stefan Binding Cc: Link: https://patch.msgid.link/20250109165455.645810-1-sbinding@opensource.cirrus.com Signed-off-by: Takashi Iwai commit fddb4fd91a955636baa451fe82ad0266f55c7ede Merge: 85bf89f2684e35 f563dd9ca6cb6e Author: Dave Airlie Date: Fri Jan 10 16:57:45 2025 +1000 Merge tag 'mediatek-drm-fixes-20250104' of https://git.kernel.org/pub/scm/linux/kernel/git/chunkuang.hu/linux into drm-fixes Mediatek DRM Fixes - 20250104 1. Revert "drm/mediatek: dsi: Correct calculation formula of PHY Timing" 2. Set private->all_drm_private[i]->drm to NULL if mtk_drm_bind returns err 3. Move mtk_crtc_finish_page_flip() to ddp_cmdq_cb() 4. Only touch DISP_REG_OVL_PITCH_MSB if AFBC is supported 5. Add support for 180-degree rotation in the display driver 6. Stop selecting foreign drivers 7. Revert "drm/mediatek: Switch to for_each_child_of_node_scoped()" 8. Fix YCbCr422 color format issue for DP 9. Fix mode valid issue for dp 10. dp: Reference common DAI properties 11. dsi: Add registers to pdata to fix MT8186/MT8188 12. Remove unneeded semicolon 13. Add return value check when reading DPCD 14. Initialize pointer in mtk_drm_of_ddp_path_build_one() Signed-off-by: Dave Airlie From: Chun-Kuang Hu Link: https://patchwork.freedesktop.org/patch/msgid/20250104124227.45505-1-chunkuang.hu@kernel.org commit 85bf89f2684e354b692b3d684f72b62376f5ff66 Merge: 66d4709abcf853 b84e1cd22f8a8c Author: Dave Airlie Date: Fri Jan 10 16:41:59 2025 +1000 Merge tag 'drm-xe-fixes-2025-01-09' of https://gitlab.freedesktop.org/drm/xe/kernel into drm-fixes Driver Changes: - Avoid a NULL ptr deref when wedging (Lucas) - Fix power gate sequence on DG1 (Rodrigo) Signed-off-by: Dave Airlie From: Thomas Hellstrom Link: https://patchwork.freedesktop.org/patch/msgid/Z4AcqP3Io_r0pEsR@fedora commit 66d4709abcf85369b23554cfb4d43e09bb5da703 Merge: 7ac9f3366fb83a 75c8b703e5bded Author: Dave Airlie Date: Fri Jan 10 16:12:25 2025 +1000 Merge tag 'amd-drm-fixes-6.13-2025-01-09' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes amd-drm-fixes-6.13-2025-01-09: amdgpu: - Display interrupt fixes - Fix display max surface mismatches - Fix divide error in DM plane scale calcs - Display divide by 0 checks in dml helpers - SMU 13 AD/DC interrrupt handling fix - Fix locking around buddy trim handling amdkfd: - Fix page fault with shader debugger enabled - Fix eviction fence wq handling Signed-off-by: Dave Airlie From: Alex Deucher Link: https://patchwork.freedesktop.org/patch/msgid/20250109164236.477295-1-alexander.deucher@amd.com commit 7ac9f3366fb83aa4a1b25f6e84ad96c06549e95f Merge: 9d89551994a430 77bf21a03a2ad4 Author: Dave Airlie Date: Fri Jan 10 14:50:19 2025 +1000 Merge tag 'drm-intel-fixes-2025-01-08' of https://gitlab.freedesktop.org/drm/i915/kernel into drm-fixes - Revert "drm/i915/hdcp: Don't enable HDCP1.4 directly from check_link" [hdcp] (Suraj Kandpal) Signed-off-by: Dave Airlie From: Tvrtko Ursulin Link: https://patchwork.freedesktop.org/patch/msgid/Z37BPchEzY0ovIqF@linux commit 2144da25584eb10b84252230319b5783f6a83041 Merge: c77cd47cee041b e8580b4c600e08 Author: Linus Torvalds Date: Thu Jan 9 18:19:59 2025 -0800 Merge tag '6.13-rc6-ksmbd-server-fixes' of git://git.samba.org/ksmbd Pull smb server fixes from Steve French: "Four ksmbd server fixes, most also for stable: - fix for reporting special file type more accurately when POSIX extensions negotiated - minor cleanup - fix possible incorrect creation path when dirname is not present. In some cases, Windows apps create files without checking if they exist. - fix potential NULL pointer dereference sending interim response" * tag '6.13-rc6-ksmbd-server-fixes' of git://git.samba.org/ksmbd: ksmbd: Implement new SMB3 POSIX type ksmbd: fix unexpectedly changed path in ksmbd_vfs_kern_path_locked ksmbd: Remove unneeded if check in ksmbd_rdma_capable_netdev() ksmbd: fix a missing return value check bug commit 8c7a6efc017e59f2b773a8a4c0897309dfe1d742 Author: Antoine Tenart Date: Wed Jan 8 17:57:15 2025 +0100 ipv4: route: fix drop reason being overridden in ip_route_input_slow When jumping to 'martian_destination' a drop reason is always set but that label falls-through the 'e_nobufs' one, overriding the value. The behavior was introduced by the mentioned commit. The logic went from, goto martian_destination; ... martian_destination: ... e_inval: err = -EINVAL; goto out; e_nobufs: err = -ENOBUFS; goto out; to, reason = ...; goto martian_destination; ... martian_destination: ... e_nobufs: reason = SKB_DROP_REASON_NOMEM; goto out; A 'goto out' is clearly missing now after 'martian_destination' to avoid overriding the drop reason. Fixes: 5b92112acd8e ("net: ip: make ip_route_input_slow() return drop reasons") Reported-by: Sabrina Dubroca Cc: Menglong Dong Signed-off-by: Antoine Tenart Reviewed-by: Sabrina Dubroca Link: https://patch.msgid.link/20250108165725.404564-1-atenart@kernel.org Signed-off-by: Jakub Kicinski commit 03d120f27d050336f7e7d21879891542c4741f81 Author: Sudheer Kumar Doredla Date: Wed Jan 8 22:54:33 2025 +0530 net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field() CPSW ALE has 75-bit ALE entries stored across three 32-bit words. The cpsw_ale_get_field() and cpsw_ale_set_field() functions support ALE field entries spanning up to two words at the most. The cpsw_ale_get_field() and cpsw_ale_set_field() functions work as expected when ALE field spanned across word1 and word2, but fails when ALE field spanned across word2 and word3. For example, while reading the ALE field spanned across word2 and word3 (i.e. bits 62 to 64), the word3 data shifted to an incorrect position due to the index becoming zero while flipping. The same issue occurred when setting an ALE entry. This issue has not been seen in practice but will be an issue in the future if the driver supports accessing ALE fields spanning word2 and word3 Fix the methods to handle getting/setting fields spanning up to two words. Fixes: b685f1a58956 ("net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field()/cpsw_ale_set_field()") Signed-off-by: Sudheer Kumar Doredla Reviewed-by: Simon Horman Reviewed-by: Roger Quadros Reviewed-by: Siddharth Vadapalli Link: https://patch.msgid.link/20250108172433.311694-1-s-doredla@ti.com Signed-off-by: Jakub Kicinski commit 63ca02221cc5aa0731fe2b0cc28158aaa4b84982 Author: Xiang Zhang Date: Tue Jan 7 10:24:31 2025 +0800 scsi: iscsi: Fix redundant response for ISCSI_UEVENT_GET_HOST_STATS request The ISCSI_UEVENT_GET_HOST_STATS request is already handled in iscsi_get_host_stats(). This fix ensures that redundant responses are skipped in iscsi_if_rx(). - On success: send reply and stats from iscsi_get_host_stats() within if_recv_msg(). - On error: fall through. Signed-off-by: Xiang Zhang Link: https://lore.kernel.org/r/20250107022432.65390-1-hawkxiang.cpp@gmail.com Reviewed-by: Mike Christie Signed-off-by: Martin K. Petersen commit 8604f633f59375687fa115d6f691de95a42520e3 Author: Mike Christie Date: Mon Jan 6 19:02:20 2025 -0600 scsi: core: Fix command pass through retry regression scsi_check_passthrough() is always called, but it doesn't check for if a command completed successfully. As a result, if a command was successful and the caller used SCMD_FAILURE_RESULT_ANY to indicate what failures it wanted to retry, we will end up retrying the command. This will cause delays during device discovery because of the command being sent multiple times. For some USB devices it can also cause the wrong device size to be used. This patch adds a check for if the command was successful. If it is we return immediately instead of trying to match a failure. Fixes: 994724e6b3f0 ("scsi: core: Allow passthrough to request midlayer retries") Reported-by: Kris Karas Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219652 Signed-off-by: Mike Christie Link: https://lore.kernel.org/r/20250107010220.7215-1-michael.christie@oracle.com Reviewed-by: Bart Van Assche Reviewed-by: John Garry Signed-off-by: Martin K. Petersen commit 30c8fd31c571db486a5331a92d03eb60a0fb277c Author: Masami Hiramatsu (Google) Date: Thu Jan 9 23:29:37 2025 +0900 tracing/kprobes: Fix to free objects when failed to copy a symbol In __trace_kprobe_create(), if something fails it must goto error block to free objects. But when strdup() a symbol, it returns without that. Fix it to goto the error block to free objects correctly. Link: https://lore.kernel.org/all/173643297743.1514810.2408159540454241947.stgit@devnote2/ Fixes: 6212dd29683e ("tracing/kprobes: Use dyn_event framework for kprobe events") Signed-off-by: Masami Hiramatsu (Google) Reviewed-by: Steven Rostedt (Google) commit 155c5bf26f983e9988333eeb0ef217138304d13b Author: guanjing Date: Fri Dec 20 09:33:35 2024 +0100 firewall: remove misplaced semicolon from stm32_firewall_get_firewall Remove misplaced colon in stm32_firewall_get_firewall() which results in a syntax error when the code is compiled without CONFIG_STM32_FIREWALL. Fixes: 5c9668cfc6d7 ("firewall: introduce stm32_firewall framework") Signed-off-by: guanjing Reviewed-by: Gatien Chevallier Signed-off-by: Alexandre Torgue Signed-off-by: Arnd Bergmann commit 00f63a0f5fa53f65d4bc167c7367e686d7810ada Merge: 627522c8bf4be8 5f122030061db3 Author: Arnd Bergmann Date: Thu Jan 9 22:56:14 2025 +0100 Merge tag 'imx-fixes-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux into arm/fixes i.MX fixes for 6.13: - Add fallback for i.MX8QM ESAI compatible to fix a dt-schema warning caused by bindings update - Fix uSDHC1 clock for i.MX RT1050 - Enable SND_SOC_SPDIF in imx_v6_v7_defconfig to fix a regression caused by an i.MX6 SPDIF sound card change in DT - Fix address length of i.MX95 netcmix_blk_ctrl * tag 'imx-fixes-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux: ARM: dts: imxrt1050: Fix clocks for mmc ARM: imx_v6_v7_defconfig: enable SND_SOC_SPDIF arm64: dts: imx95: correct the address length of netcmix_blk_ctrl arm64: dts: imx8-ss-audio: add fallback compatible string fsl,imx6ull-esai for esai Link: https://lore.kernel.org/r/Z3Jf9zbv/xH3YzuB@dragon Signed-off-by: Arnd Bergmann commit 627522c8bf4be82d3540ff3fcb816af9ad37ba72 Merge: 9d89551994a430 8a6442ec343708 Author: Arnd Bergmann Date: Thu Jan 9 22:54:39 2025 +0100 Merge tag 'qcom-arm64-fixes-for-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/qcom/linux into arm/fixes Qualcomm Arm64 DeviceTree fixes for v6.13 Revert the enablement of OTG support on primary and secondary USB Type-C controllers of X1 Elite, for now, as this broke support for USB hotplug. Disable the TPDM DCC device on SA8775P, as this is inaccessible per current firmware configuration. Also correct the PCIe "addr_space" region to enable larger BAR sizes. Also fix the address space of PCIe6a found in X1 Elite. * tag 'qcom-arm64-fixes-for-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/qcom/linux: arm64: dts: qcom: sa8775p: fix the secure device bootup issue Revert "arm64: dts: qcom: x1e80100: enable OTG on USB-C controllers" Revert "arm64: dts: qcom: x1e80100-crd: enable otg on usb ports" arm64: dts: qcom: x1e80100: Fix up BAR space size for PCIe6a Revert "arm64: dts: qcom: x1e78100-t14s: enable otg on usb-c ports" arm64: dts: qcom: sa8775p: Fix the size of 'addr_space' regions Link: https://lore.kernel.org/r/20250103024945.4649-1-andersson@kernel.org Signed-off-by: Arnd Bergmann commit c77cd47cee041bc1664b8e5fcd23036e5aab8e2a Merge: 643e2e259c2b25 b5cf67a8f716af Author: Linus Torvalds Date: Thu Jan 9 12:40:58 2025 -0800 Merge tag 'net-6.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Pull networking fixes from Jakub Kicinski: "Including fixes from netfilter, Bluetooth and WPAN. No outstanding fixes / investigations at this time. Current release - new code bugs: - eth: fbnic: revert HWMON support, it doesn't work at all and revert is similar size as the fixes Previous releases - regressions: - tcp: allow a connection when sk_max_ack_backlog is zero - tls: fix tls_sw_sendmsg error handling Previous releases - always broken: - netdev netlink family: - prevent accessing NAPI instances from another namespace - don't dump Tx and uninitialized NAPIs - net: sysctl: avoid using current->nsproxy, fix null-deref if task is exiting and stick to opener's netns - sched: sch_cake: add bounds checks to host bulk flow fairness counts Misc: - annual cleanup of inactive maintainers" * tag 'net-6.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (57 commits) rds: sysctl: rds_tcp_{rcv,snd}buf: avoid using current->nsproxy sctp: sysctl: plpmtud_probe_interval: avoid using current->nsproxy sctp: sysctl: udp_port: avoid using current->nsproxy sctp: sysctl: auth_enable: avoid using current->nsproxy sctp: sysctl: rto_min/max: avoid using current->nsproxy sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy mptcp: sysctl: blackhole timeout: avoid using current->nsproxy mptcp: sysctl: sched: avoid using current->nsproxy mptcp: sysctl: avail sched: remove write access MAINTAINERS: remove Lars Povlsen from Microchip Sparx5 SoC MAINTAINERS: remove Noam Dagan from AMAZON ETHERNET MAINTAINERS: remove Ying Xue from TIPC MAINTAINERS: remove Mark Lee from MediaTek Ethernet MAINTAINERS: mark stmmac ethernet as an Orphan MAINTAINERS: remove Andy Gospodarek from bonding MAINTAINERS: update maintainers for Microchip LAN78xx MAINTAINERS: mark Synopsys DW XPCS as Orphan net/mlx5: Fix variable not being completed when function returns rtase: Fix a check for error in rtase_alloc_msix() net: stmmac: dwmac-tegra: Read iommu stream id from device tree ... commit 643e2e259c2b25a2af0ae4c23c6e16586d9fd19c Merge: eea6e4b4dfb885 0ee4736c003dad Author: Linus Torvalds Date: Thu Jan 9 10:16:45 2025 -0800 Merge tag 'for-6.13-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux Pull btrfs fixes from David Sterba: "A few more fixes. Besides the one-liners in Btrfs there's fix to the io_uring and encoded read integration (added in this development cycle). The update to io_uring provides more space for the ongoing command that is then used in Btrfs to handle some cases. - io_uring and encoded read: - provide stable storage for io_uring command data - make a copy of encoded read ioctl call, reuse that in case the call would block and will be called again - properly initialize zlib context for hardware compression on s390 - fix max extent size calculation on filesystems with non-zoned devices - fix crash in scrub on crafted image due to invalid extent tree" * tag 'for-6.13-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux: btrfs: zlib: fix avail_in bytes for s390 zlib HW compression path btrfs: zoned: calculate max_extent_size properly on non-zoned setup btrfs: avoid NULL pointer dereference if no valid extent tree btrfs: don't read from userspace twice in btrfs_uring_encoded_read() io_uring: add io_uring_cmd_get_async_data helper io_uring/cmd: add per-op data to struct io_uring_cmd_data io_uring/cmd: rename struct uring_cache to io_uring_cmd_data commit 6f6ecce59d99ef95a31a137c51e61c3d7b4ab278 Merge: 89726fb01a12d6 3aff4cdbe50665 Author: Palmer Dabbelt Date: Thu Jan 9 09:37:12 2025 -0800 Merge patch series "SBI PMU event related fixes" Atish Patra says: Here are two minor improvement/fixes in the PMU event path. The first patch was part of the series[1]. The 2nd patch was suggested during the series review. While the series can only be merged once SBI v3.0 is frozen, these two patches can be independent of SBI v3.0 and can be merged sooner. Hence, these two patches are sent as a separate series. * b4-shazam-merge: drivers/perf: riscv: Do not allow invalid raw event config drivers/perf: riscv: Return error for default case drivers/perf: riscv: Fix Platform firmware event data Link: https://lore.kernel.org/r/20241212-pmu_event_fixes_v2-v2-0-813e8a4f5962@rivosinc.com Signed-off-by: Palmer Dabbelt commit 3aff4cdbe506652da77570baccad623511628250 Author: Atish Patra Date: Thu Dec 12 16:09:34 2024 -0800 drivers/perf: riscv: Do not allow invalid raw event config The SBI specification allows only lower 48bits of hpmeventX to be configured via SBI PMU. Currently, the driver masks of the higher bits but doesn't return an error. This will lead to an additional SBI call for config matching which should return for an invalid event error in most of the cases. However, if a platform(i.e Rocket and sifive cores) implements a bitmap of all bits in the event encoding this will lead to an incorrect event being programmed leading to user confusion. Report the error to the user if higher bits are set during the event mapping itself to avoid the confusion and save an additional SBI call. Suggested-by: Samuel Holland Signed-off-by: Atish Patra Link: https://lore.kernel.org/r/20241212-pmu_event_fixes_v2-v2-3-813e8a4f5962@rivosinc.com Signed-off-by: Palmer Dabbelt commit 2c206cdede567f53035c622e846678a996f39d69 Author: Atish Patra Date: Thu Dec 12 16:09:33 2024 -0800 drivers/perf: riscv: Return error for default case If the upper two bits has an invalid valid (0x1), the event mapping is not reliable as it returns an uninitialized variable. Return appropriate value for the default case. Fixes: f0c9363db2dd ("perf/riscv-sbi: Add platform specific firmware event handling") Signed-off-by: Atish Patra Link: https://lore.kernel.org/r/20241212-pmu_event_fixes_v2-v2-2-813e8a4f5962@rivosinc.com Signed-off-by: Palmer Dabbelt commit fc58db9aeb15e89b69ff5e9abc69ecf9e5f888ed Author: Atish Patra Date: Thu Dec 12 16:09:32 2024 -0800 drivers/perf: riscv: Fix Platform firmware event data Platform firmware event data field is allowed to be 62 bits for Linux as uppper most two bits are reserved to indicate SBI fw or platform specific firmware events. However, the event data field is masked as per the hardware raw event mask which is not correct. Fix the platform firmware event data field with proper mask. Fixes: f0c9363db2dd ("perf/riscv-sbi: Add platform specific firmware event handling") Signed-off-by: Atish Patra Link: https://lore.kernel.org/r/20241212-pmu_event_fixes_v2-v2-1-813e8a4f5962@rivosinc.com Signed-off-by: Palmer Dabbelt commit 89726fb01a12d639fbf1172f74f8215b1c2ebf24 Merge: 5cd900b8b7e42c ebdc22c51acee9 Author: Palmer Dabbelt Date: Thu Jan 9 09:35:42 2025 -0800 Merge patch series "selftest: fix riscv/vector tests" This contains a pair of fixes for the vector self tests, which avoids some warnings and provides proper status messages. * b4-shazam-merge: tools: selftests: riscv: Add test count for vstate_prctl tools: selftests: riscv: Add pass message for v_initval_nolibc Link: https://lore.kernel.org/r/20241220091730.28006-1-yongxuan.wang@sifive.com Signed-off-by: Palmer Dabbelt commit ebdc22c51acee963e26cacb2cb63f8fa2f483808 Author: Yong-Xuan Wang Date: Fri Dec 20 17:17:27 2024 +0800 tools: selftests: riscv: Add test count for vstate_prctl Add the test count to drop the warning message. "Planned tests != run tests (0 != 1)" Fixes: 7cf6198ce22d ("selftests: Test RISC-V Vector prctl interface") Signed-off-by: Yong-Xuan Wang Reviewed-by: Andrew Jones Reviewed-by: Andy Chiu Link: https://lore.kernel.org/r/20241220091730.28006-3-yongxuan.wang@sifive.com Signed-off-by: Palmer Dabbelt commit 503465d4dc40849af3cc18a517a5c06e155c5e33 Author: Yong-Xuan Wang Date: Fri Dec 20 17:17:26 2024 +0800 tools: selftests: riscv: Add pass message for v_initval_nolibc Add the pass message after we successfully complete the test. Fixes: 5c93c4c72fbc ("selftests: Test RISC-V Vector's first-use handler") Signed-off-by: Yong-Xuan Wang Reviewed-by: Andrew Jones Reviewed-by: Andy Chiu Link: https://lore.kernel.org/r/20241220091730.28006-2-yongxuan.wang@sifive.com Signed-off-by: Palmer Dabbelt commit b5cf67a8f716afbd7f8416edfe898c2df460811a Merge: 2664bc9c7d5908 b541ba7d1f5a5b Author: Jakub Kicinski Date: Thu Jan 9 08:54:49 2025 -0800 Merge tag 'nf-25-01-09' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following patchset contains Netfilter fixes for net: 1) Fix imbalance between flowtable BIND and UNBIND calls to configure hardware offload, this fixes a possible kmemleak. 2) Clamp maximum conntrack hashtable size to INT_MAX to fix a possible WARN_ON_ONCE splat coming from kvmalloc_array(), only possible from init_netns. * tag 'nf-25-01-09' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf: netfilter: conntrack: clamp maximum hashtable size to INT_MAX netfilter: nf_tables: imbalance in flowtable binding ==================== Link: https://patch.msgid.link/20250109123532.41768-1-pablo@netfilter.org Signed-off-by: Jakub Kicinski commit 2664bc9c7d59086e27415b66245f7d83b6c36b40 Merge: 92afd9f3bc22c9 7f5611cbc4871c Author: Jakub Kicinski Date: Thu Jan 9 08:53:37 2025 -0800 Merge branch 'net-sysctl-avoid-using-current-nsproxy' Matthieu Baerts says: ==================== net: sysctl: avoid using current->nsproxy As pointed out by Al Viro and Eric Dumazet in [1], using the 'net' structure via 'current' is not recommended for different reasons: - Inconsistency: getting info from the reader's/writer's netns vs only from the opener's netns as it is usually done. This could cause unexpected issues when other operations are done on the wrong netns. - current->nsproxy can be NULL in some cases, resulting in an 'Oops' (null-ptr-deref), e.g. when the current task is exiting, as spotted by syzbot [1] using acct(2). The 'net' or 'pernet' structure can be obtained from the table->data using container_of(). Note that table->data could also be used directly in more places, but that would increase the size of this fix to replace all accesses via 'net'. Probably best to avoid that for fixes. Patches 2-9 remove access of net via current->nsproxy in sysfs handlers in MPTCP, SCTP and RDS. There are multiple patches doing almost the same thing, but the reason is to ease the backports. Patch 1 is not directly linked to this, but it is a small fix for MPTCP available_schedulers sysctl knob to explicitly mark it as read-only. Please note that this series does not address Al's comment [2]. In SCTP, some sysctl knobs set other sysfs-exposed variables for the min/max: two processes could then write two linked values at the same time, resulting in new values being outside the new boundaries. It would be great if SCTP developers can look at this problem. Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1] Link: https://lore.kernel.org/20250105211158.GL1977892@ZenIV [2] ==================== Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-0-5df34b2083e8@kernel.org Signed-off-by: Jakub Kicinski commit 7f5611cbc4871c7fb1ad36c2e5a9edad63dca95c Author: Matthieu Baerts (NGI0) Date: Wed Jan 8 16:34:37 2025 +0100 rds: sysctl: rds_tcp_{rcv,snd}buf: avoid using current->nsproxy As mentioned in a previous commit of this series, using the 'net' structure via 'current' is not recommended for different reasons: - Inconsistency: getting info from the reader's/writer's netns vs only from the opener's netns. - current->nsproxy can be NULL in some cases, resulting in an 'Oops' (null-ptr-deref), e.g. when the current task is exiting, as spotted by syzbot [1] using acct(2). The per-netns structure can be obtained from the table->data using container_of(), then the 'net' one can be retrieved from the listen socket (if available). Fixes: c6a58ffed536 ("RDS: TCP: Add sysctl tunables for sndbuf/rcvbuf on rds-tcp socket") Cc: stable@vger.kernel.org Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1] Suggested-by: Al Viro Signed-off-by: Matthieu Baerts (NGI0) Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-9-5df34b2083e8@kernel.org Signed-off-by: Jakub Kicinski commit 6259d2484d0ceff42245d1f09cc8cb6ee72d847a Author: Matthieu Baerts (NGI0) Date: Wed Jan 8 16:34:36 2025 +0100 sctp: sysctl: plpmtud_probe_interval: avoid using current->nsproxy As mentioned in a previous commit of this series, using the 'net' structure via 'current' is not recommended for different reasons: - Inconsistency: getting info from the reader's/writer's netns vs only from the opener's netns. - current->nsproxy can be NULL in some cases, resulting in an 'Oops' (null-ptr-deref), e.g. when the current task is exiting, as spotted by syzbot [1] using acct(2). The 'net' structure can be obtained from the table->data using container_of(). Note that table->data could also be used directly, as this is the only member needed from the 'net' structure, but that would increase the size of this fix, to use '*data' everywhere 'net->sctp.probe_interval' is used. Fixes: d1e462a7a5f3 ("sctp: add probe_interval in sysctl and sock/asoc/transport") Cc: stable@vger.kernel.org Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1] Suggested-by: Al Viro Signed-off-by: Matthieu Baerts (NGI0) Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-8-5df34b2083e8@kernel.org Signed-off-by: Jakub Kicinski commit c10377bbc1972d858eaf0ab366a311b39f8ef1b6 Author: Matthieu Baerts (NGI0) Date: Wed Jan 8 16:34:35 2025 +0100 sctp: sysctl: udp_port: avoid using current->nsproxy As mentioned in a previous commit of this series, using the 'net' structure via 'current' is not recommended for different reasons: - Inconsistency: getting info from the reader's/writer's netns vs only from the opener's netns. - current->nsproxy can be NULL in some cases, resulting in an 'Oops' (null-ptr-deref), e.g. when the current task is exiting, as spotted by syzbot [1] using acct(2). The 'net' structure can be obtained from the table->data using container_of(). Note that table->data could also be used directly, but that would increase the size of this fix, while 'sctp.ctl_sock' still needs to be retrieved from 'net' structure. Fixes: 046c052b475e ("sctp: enable udp tunneling socks") Cc: stable@vger.kernel.org Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1] Suggested-by: Al Viro Signed-off-by: Matthieu Baerts (NGI0) Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-7-5df34b2083e8@kernel.org Signed-off-by: Jakub Kicinski commit 15649fd5415eda664ef35780c2013adeb5d9c695 Author: Matthieu Baerts (NGI0) Date: Wed Jan 8 16:34:34 2025 +0100 sctp: sysctl: auth_enable: avoid using current->nsproxy As mentioned in a previous commit of this series, using the 'net' structure via 'current' is not recommended for different reasons: - Inconsistency: getting info from the reader's/writer's netns vs only from the opener's netns. - current->nsproxy can be NULL in some cases, resulting in an 'Oops' (null-ptr-deref), e.g. when the current task is exiting, as spotted by syzbot [1] using acct(2). The 'net' structure can be obtained from the table->data using container_of(). Note that table->data could also be used directly, but that would increase the size of this fix, while 'sctp.ctl_sock' still needs to be retrieved from 'net' structure. Fixes: b14878ccb7fa ("net: sctp: cache auth_enable per endpoint") Cc: stable@vger.kernel.org Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1] Suggested-by: Al Viro Signed-off-by: Matthieu Baerts (NGI0) Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-6-5df34b2083e8@kernel.org Signed-off-by: Jakub Kicinski commit 9fc17b76fc70763780aa78b38fcf4742384044a5 Author: Matthieu Baerts (NGI0) Date: Wed Jan 8 16:34:33 2025 +0100 sctp: sysctl: rto_min/max: avoid using current->nsproxy As mentioned in a previous commit of this series, using the 'net' structure via 'current' is not recommended for different reasons: - Inconsistency: getting info from the reader's/writer's netns vs only from the opener's netns. - current->nsproxy can be NULL in some cases, resulting in an 'Oops' (null-ptr-deref), e.g. when the current task is exiting, as spotted by syzbot [1] using acct(2). The 'net' structure can be obtained from the table->data using container_of(). Note that table->data could also be used directly, as this is the only member needed from the 'net' structure, but that would increase the size of this fix, to use '*data' everywhere 'net->sctp.rto_min/max' is used. Fixes: 4f3fdf3bc59c ("sctp: add check rto_min and rto_max in sysctl") Cc: stable@vger.kernel.org Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1] Suggested-by: Al Viro Signed-off-by: Matthieu Baerts (NGI0) Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-5-5df34b2083e8@kernel.org Signed-off-by: Jakub Kicinski commit ea62dd1383913b5999f3d16ae99d411f41b528d4 Author: Matthieu Baerts (NGI0) Date: Wed Jan 8 16:34:32 2025 +0100 sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy As mentioned in a previous commit of this series, using the 'net' structure via 'current' is not recommended for different reasons: - Inconsistency: getting info from the reader's/writer's netns vs only from the opener's netns. - current->nsproxy can be NULL in some cases, resulting in an 'Oops' (null-ptr-deref), e.g. when the current task is exiting, as spotted by syzbot [1] using acct(2). The 'net' structure can be obtained from the table->data using container_of(). Note that table->data could also be used directly, as this is the only member needed from the 'net' structure, but that would increase the size of this fix, to use '*data' everywhere 'net->sctp.sctp_hmac_alg' is used. Fixes: 3c68198e7511 ("sctp: Make hmac algorithm selection for cookie generation dynamic") Cc: stable@vger.kernel.org Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1] Suggested-by: Al Viro Signed-off-by: Matthieu Baerts (NGI0) Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-4-5df34b2083e8@kernel.org Signed-off-by: Jakub Kicinski commit 92cf7a51bdae24a32c592adcdd59a773ae149289 Author: Matthieu Baerts (NGI0) Date: Wed Jan 8 16:34:31 2025 +0100 mptcp: sysctl: blackhole timeout: avoid using current->nsproxy As mentioned in the previous commit, using the 'net' structure via 'current' is not recommended for different reasons: - Inconsistency: getting info from the reader's/writer's netns vs only from the opener's netns. - current->nsproxy can be NULL in some cases, resulting in an 'Oops' (null-ptr-deref), e.g. when the current task is exiting, as spotted by syzbot [1] using acct(2). The 'pernet' structure can be obtained from the table->data using container_of(). Fixes: 27069e7cb3d1 ("mptcp: disable active MPTCP in case of blackhole") Cc: stable@vger.kernel.org Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1] Suggested-by: Al Viro Reviewed-by: Mat Martineau Signed-off-by: Matthieu Baerts (NGI0) Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-3-5df34b2083e8@kernel.org Signed-off-by: Jakub Kicinski commit d38e26e36206ae3d544d496513212ae931d1da0a Author: Matthieu Baerts (NGI0) Date: Wed Jan 8 16:34:30 2025 +0100 mptcp: sysctl: sched: avoid using current->nsproxy Using the 'net' structure via 'current' is not recommended for different reasons. First, if the goal is to use it to read or write per-netns data, this is inconsistent with how the "generic" sysctl entries are doing: directly by only using pointers set to the table entry, e.g. table->data. Linked to that, the per-netns data should always be obtained from the table linked to the netns it had been created for, which may not coincide with the reader's or writer's netns. Another reason is that access to current->nsproxy->netns can oops if attempted when current->nsproxy had been dropped when the current task is exiting. This is what syzbot found, when using acct(2): Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] CPU: 1 UID: 0 PID: 5924 Comm: syz-executor Not tainted 6.13.0-rc5-syzkaller-00004-gccb98ccef0e5 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:proc_scheduler+0xc6/0x3c0 net/mptcp/ctrl.c:125 Code: 03 42 80 3c 38 00 0f 85 fe 02 00 00 4d 8b a4 24 08 09 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d 7c 24 28 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 cc 02 00 00 4d 8b 7c 24 28 48 8d 84 24 c8 00 00 RSP: 0018:ffffc900034774e8 EFLAGS: 00010206 RAX: dffffc0000000000 RBX: 1ffff9200068ee9e RCX: ffffc90003477620 RDX: 0000000000000005 RSI: ffffffff8b08f91e RDI: 0000000000000028 RBP: 0000000000000001 R08: ffffc90003477710 R09: 0000000000000040 R10: 0000000000000040 R11: 00000000726f7475 R12: 0000000000000000 R13: ffffc90003477620 R14: ffffc90003477710 R15: dffffc0000000000 FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fee3cd452d8 CR3: 000000007d116000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: proc_sys_call_handler+0x403/0x5d0 fs/proc/proc_sysctl.c:601 __kernel_write_iter+0x318/0xa80 fs/read_write.c:612 __kernel_write+0xf6/0x140 fs/read_write.c:632 do_acct_process+0xcb0/0x14a0 kernel/acct.c:539 acct_pin_kill+0x2d/0x100 kernel/acct.c:192 pin_kill+0x194/0x7c0 fs/fs_pin.c:44 mnt_pin_kill+0x61/0x1e0 fs/fs_pin.c:81 cleanup_mnt+0x3ac/0x450 fs/namespace.c:1366 task_work_run+0x14e/0x250 kernel/task_work.c:239 exit_task_work include/linux/task_work.h:43 [inline] do_exit+0xad8/0x2d70 kernel/exit.c:938 do_group_exit+0xd3/0x2a0 kernel/exit.c:1087 get_signal+0x2576/0x2610 kernel/signal.c:3017 arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218 do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fee3cb87a6a Code: Unable to access opcode bytes at 0x7fee3cb87a40. RSP: 002b:00007fffcccac688 EFLAGS: 00000202 ORIG_RAX: 0000000000000037 RAX: 0000000000000000 RBX: 00007fffcccac710 RCX: 00007fee3cb87a6a RDX: 0000000000000041 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000000000000003 R08: 00007fffcccac6ac R09: 00007fffcccacac7 R10: 00007fffcccac710 R11: 0000000000000202 R12: 00007fee3cd49500 R13: 00007fffcccac6ac R14: 0000000000000000 R15: 00007fee3cd4b000 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:proc_scheduler+0xc6/0x3c0 net/mptcp/ctrl.c:125 Code: 03 42 80 3c 38 00 0f 85 fe 02 00 00 4d 8b a4 24 08 09 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d 7c 24 28 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 cc 02 00 00 4d 8b 7c 24 28 48 8d 84 24 c8 00 00 RSP: 0018:ffffc900034774e8 EFLAGS: 00010206 RAX: dffffc0000000000 RBX: 1ffff9200068ee9e RCX: ffffc90003477620 RDX: 0000000000000005 RSI: ffffffff8b08f91e RDI: 0000000000000028 RBP: 0000000000000001 R08: ffffc90003477710 R09: 0000000000000040 R10: 0000000000000040 R11: 00000000726f7475 R12: 0000000000000000 R13: ffffc90003477620 R14: ffffc90003477710 R15: dffffc0000000000 FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fee3cd452d8 CR3: 000000007d116000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 ---------------- Code disassembly (best guess), 1 bytes skipped: 0: 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1) 5: 0f 85 fe 02 00 00 jne 0x309 b: 4d 8b a4 24 08 09 00 mov 0x908(%r12),%r12 12: 00 13: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax 1a: fc ff df 1d: 49 8d 7c 24 28 lea 0x28(%r12),%rdi 22: 48 89 fa mov %rdi,%rdx 25: 48 c1 ea 03 shr $0x3,%rdx * 29: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction 2d: 0f 85 cc 02 00 00 jne 0x2ff 33: 4d 8b 7c 24 28 mov 0x28(%r12),%r15 38: 48 rex.W 39: 8d .byte 0x8d 3a: 84 24 c8 test %ah,(%rax,%rcx,8) Here with 'net.mptcp.scheduler', the 'net' structure is not really needed, because the table->data already has a pointer to the current scheduler, the only thing needed from the per-netns data. Simply use 'data', instead of getting (most of the time) the same thing, but from a longer and indirect way. Fixes: 6963c508fd7a ("mptcp: only allow set existing scheduler for net.mptcp.scheduler") Cc: stable@vger.kernel.org Reported-by: syzbot+e364f774c6f57f2c86d1@syzkaller.appspotmail.com Closes: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com Suggested-by: Al Viro Reviewed-by: Mat Martineau Signed-off-by: Matthieu Baerts (NGI0) Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-2-5df34b2083e8@kernel.org Signed-off-by: Jakub Kicinski commit 771ec78dc8b48d562e6015bb535ed3cd37043d78 Author: Matthieu Baerts (NGI0) Date: Wed Jan 8 16:34:29 2025 +0100 mptcp: sysctl: avail sched: remove write access 'net.mptcp.available_schedulers' sysctl knob is there to list available schedulers, not to modify this list. There are then no reasons to give write access to it. Nothing would have been written anyway, but no errors would have been returned, which is unexpected. Fixes: 73c900aa3660 ("mptcp: add net.mptcp.available_schedulers") Cc: stable@vger.kernel.org Reviewed-by: Mat Martineau Signed-off-by: Matthieu Baerts (NGI0) Reviewed-by: Eric Dumazet Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-1-5df34b2083e8@kernel.org Signed-off-by: Jakub Kicinski commit 92afd9f3bc22c92a88a8972eb34a9ef814d3286b Merge: 0e2909c6bec904 d9e03c6ffc4cd9 Author: Jakub Kicinski Date: Thu Jan 9 08:30:04 2025 -0800 Merge branch 'maintainers-spring-2025-cleanup-of-networking-maintainers' Jakub Kicinski says: ==================== MAINTAINERS: spring 2025 cleanup of networking maintainers Annual cleanup of inactive maintainers. To identify inactive maintainers we use Jon Corbet's maintainer analysis script from gitdm, and some manual scanning of lore. v1: https://lore.kernel.org/20250106165404.1832481-1-kuba@kernel.org ==================== Link: https://patch.msgid.link/20250108155242.2575530-1-kuba@kernel.org Signed-off-by: Jakub Kicinski commit d9e03c6ffc4cd92c99418afc970ea8c8c53c66a8 Author: Jakub Kicinski Date: Wed Jan 8 07:52:42 2025 -0800 MAINTAINERS: remove Lars Povlsen from Microchip Sparx5 SoC We have not seen emails or tags from Lars in almost 4 years. Steen and Daniel are pretty active, but the review coverage isn't stellar (35% of changes go in without a review tag). Subsystem ARM/Microchip Sparx5 SoC support Changes 28 / 79 (35%) Last activity: 2024-11-24 Lars Povlsen : Steen Hegelund : Tags 6c7c4b91aa43 2024-04-08 00:00:00 15 Daniel Machon : Author 48ba00da2eb4 2024-04-09 00:00:00 2 Tags f164b296638d 2024-11-24 00:00:00 6 Top reviewers: [7]: horms@kernel.org [1]: jacob.e.keller@intel.com [1]: jensemil.schulzostergaard@microchip.com [1]: horatiu.vultur@microchip.com INACTIVE MAINTAINER Lars Povlsen Acked-by: Daniel Machon Link: https://patch.msgid.link/20250108155242.2575530-9-kuba@kernel.org Signed-off-by: Jakub Kicinski commit d95e2cc737017de537fc07cfc7d59307182bd0bc Author: Jakub Kicinski Date: Wed Jan 8 07:52:41 2025 -0800 MAINTAINERS: remove Noam Dagan from AMAZON ETHERNET Noam Dagan was added to ENA reviewers in 2021, we have not seen a single email from this person to any list, ever (according to lore). Git history mentions the name in 2 SoB tags from 2020. Acked-by: Arthur Kiyanovski Link: https://patch.msgid.link/20250108155242.2575530-8-kuba@kernel.org Signed-off-by: Jakub Kicinski commit d4782fbab1c06fe1a3b1e064d2d6efd3e281e805 Author: Jakub Kicinski Date: Wed Jan 8 07:52:40 2025 -0800 MAINTAINERS: remove Ying Xue from TIPC There is a steady stream of fixes for TIPC, even tho the development has slowed down a lot. Over last 2 years we have merged almost 70 TIPC patches, but we haven't heard from Ying Xue once: Subsystem TIPC NETWORK LAYER Changes 42 / 69 (60%) Last activity: 2023-10-04 Jon Maloy : Tags 08e50cf07184 2023-10-04 00:00:00 6 Ying Xue : Top reviewers: [9]: horms@kernel.org [8]: tung.q.nguyen@dektech.com.au [4]: jiri@nvidia.com [3]: tung.q.nguyen@endava.com [2]: kuniyu@amazon.com INACTIVE MAINTAINER Ying Xue Reviewed-by: Simon Horman Link: https://patch.msgid.link/20250108155242.2575530-7-kuba@kernel.org Signed-off-by: Jakub Kicinski commit 9d7b1191d030bb0f6932722755b1103a2207421d Author: Jakub Kicinski Date: Wed Jan 8 07:52:39 2025 -0800 MAINTAINERS: remove Mark Lee from MediaTek Ethernet The mailing lists have seen no email from Mark Lee in the last 4 years. gitdm missingmaints says: Subsystem MEDIATEK ETHERNET DRIVER Changes 103 / 400 (25%) Last activity: 2024-12-19 Felix Fietkau : Author 88806efc034a 2024-10-17 00:00:00 44 Tags 88806efc034a 2024-10-17 00:00:00 51 Sean Wang : Tags a5d75538295b 2020-04-07 00:00:00 1 Mark Lee : Lorenzo Bianconi : Author 0c7469ee718e 2024-12-19 00:00:00 123 Tags 0c7469ee718e 2024-12-19 00:00:00 139 Top reviewers: [32]: horms@kernel.org [15]: leonro@nvidia.com [9]: andrew@lunn.ch INACTIVE MAINTAINER Mark Lee Reviewed-by: Simon Horman Link: https://patch.msgid.link/20250108155242.2575530-6-kuba@kernel.org Signed-off-by: Jakub Kicinski commit 03868822c553e549ac5c28781c29f80bddee5487 Author: Jakub Kicinski Date: Wed Jan 8 07:52:38 2025 -0800 MAINTAINERS: mark stmmac ethernet as an Orphan I tried a couple of things to reinvigorate the stmmac maintainers over the last few years but with little effect. The maintainers are not active, let the MAINTAINERS file reflect reality. The Synopsys IP this driver supports is very popular we need a solid maintainer to deal with the complexity of the driver. gitdm missingmaints says: Subsystem STMMAC ETHERNET DRIVER Changes 344 / 978 (35%) Last activity: 2020-05-01 Alexandre Torgue : Tags 1bb694e20839 2020-05-01 00:00:00 1 Jose Abreu : Top reviewers: [75]: horms@kernel.org [49]: andrew@lunn.ch [46]: fancer.lancer@gmail.com INACTIVE MAINTAINER Jose Abreu Acked-by: Alexandre Torgue Link: https://patch.msgid.link/20250108155242.2575530-5-kuba@kernel.org Signed-off-by: Jakub Kicinski commit e049fb86d39139050bb792b17ef86c3918cc8068 Author: Jakub Kicinski Date: Wed Jan 8 07:52:37 2025 -0800 MAINTAINERS: remove Andy Gospodarek from bonding Andy does not participate much in bonding reviews, unfortunately. Move him to CREDITS. gitdm missingmaint says: Subsystem BONDING DRIVER Changes 149 / 336 (44%) Last activity: 2024-09-05 Jay Vosburgh : Tags 68db604e16d5 2024-09-05 00:00:00 8 Andy Gospodarek : Top reviewers: [65]: jay.vosburgh@canonical.com [23]: liuhangbin@gmail.com [16]: razor@blackwall.org INACTIVE MAINTAINER Andy Gospodarek Reviewed-by: Nikolay Aleksandrov Link: https://patch.msgid.link/20250108155242.2575530-4-kuba@kernel.org Signed-off-by: Jakub Kicinski commit b506668613ef9138cac7479a5dd47559835b6552 Author: Jakub Kicinski Date: Wed Jan 8 07:52:36 2025 -0800 MAINTAINERS: update maintainers for Microchip LAN78xx Woojung Huh seems to have only replied to the list 35 times in the last 5 years, and didn't provide any reviews in 3 years. The LAN78XX driver has seen quite a bit of activity lately. gitdm missingmaints says: Subsystem USB LAN78XX ETHERNET DRIVER Changes 35 / 91 (38%) (No activity) Top reviewers: [23]: andrew@lunn.ch [3]: horms@kernel.org [2]: mateusz.polchlopek@intel.com INACTIVE MAINTAINER Woojung Huh Move Woojung to CREDITS and add new maintainers who are more likely to review LAN78xx patches. Acked-by: Woojung Huh Acked-by: Rengarajan Sundararajan Link: https://patch.msgid.link/20250108155242.2575530-3-kuba@kernel.org Signed-off-by: Jakub Kicinski commit d58200966ed7985be48d342e99a5e81bc481821c Author: Jakub Kicinski Date: Wed Jan 8 07:52:35 2025 -0800 MAINTAINERS: mark Synopsys DW XPCS as Orphan There's not much review support from Jose, there is a sharp drop in his participation around 4 years ago. The DW XPCS IP is very popular and the driver requires active maintenance. gitdm missingmaints says: Subsystem SYNOPSYS DESIGNWARE ETHERNET XPCS DRIVER Changes 33 / 94 (35%) (No activity) Top reviewers: [16]: andrew@lunn.ch [12]: vladimir.oltean@nxp.com [2]: f.fainelli@gmail.com INACTIVE MAINTAINER Jose Abreu Reviewed-by: Simon Horman Link: https://patch.msgid.link/20250108155242.2575530-2-kuba@kernel.org Signed-off-by: Jakub Kicinski commit 0e2909c6bec9048f49d0c8e16887c63b50b14647 Author: Chenguang Zhao Date: Wed Jan 8 11:00:09 2025 +0800 net/mlx5: Fix variable not being completed when function returns When cmd_alloc_index(), fails cmd_work_handler() needs to complete ent->slotted before returning early. Otherwise the task which issued the command may hang: mlx5_core 0000:01:00.0: cmd_work_handler:877:(pid 3880418): failed to allocate command entry INFO: task kworker/13:2:4055883 blocked for more than 120 seconds. Not tainted 4.19.90-25.44.v2101.ky10.aarch64 #1 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. kworker/13:2 D 0 4055883 2 0x00000228 Workqueue: events mlx5e_tx_dim_work [mlx5_core] Call trace: __switch_to+0xe8/0x150 __schedule+0x2a8/0x9b8 schedule+0x2c/0x88 schedule_timeout+0x204/0x478 wait_for_common+0x154/0x250 wait_for_completion+0x28/0x38 cmd_exec+0x7a0/0xa00 [mlx5_core] mlx5_cmd_exec+0x54/0x80 [mlx5_core] mlx5_core_modify_cq+0x6c/0x80 [mlx5_core] mlx5_core_modify_cq_moderation+0xa0/0xb8 [mlx5_core] mlx5e_tx_dim_work+0x54/0x68 [mlx5_core] process_one_work+0x1b0/0x448 worker_thread+0x54/0x468 kthread+0x134/0x138 ret_from_fork+0x10/0x18 Fixes: 485d65e13571 ("net/mlx5: Add a timeout to acquire the command queue semaphore") Signed-off-by: Chenguang Zhao Reviewed-by: Moshe Shemesh Acked-by: Tariq Toukan Link: https://patch.msgid.link/20250108030009.68520-1-zhaochenguang@kylinos.cn Signed-off-by: Jakub Kicinski commit 2055272e3ae01a954e41a5afb437c5d76f758e0b Author: Dan Carpenter Date: Wed Jan 8 12:15:53 2025 +0300 rtase: Fix a check for error in rtase_alloc_msix() The pci_irq_vector() function never returns zero. It returns negative error codes or a positive non-zero IRQ number. Fix the error checking to test for negatives. Fixes: a36e9f5cfe9e ("rtase: Add support for a pci table in this module") Signed-off-by: Dan Carpenter Reviewed-by: Simon Horman Reviewed-by: Kalesh AP Link: https://patch.msgid.link/f2ecc88d-af13-4651-9820-7cc665230019@stanley.mountain Signed-off-by: Jakub Kicinski commit 17a4fde81d3a7478d97d15304a6d61094a10c2e3 Author: Lizhi Xu Date: Tue Jan 7 14:52:32 2025 +0000 afs: Fix merge preference rule failure condition syzbot reported a lock held when returning to userspace[1]. This is because if argc is less than 0 and the function returns directly, the held inode lock is not released. Fix this by store the error in ret and jump to done to clean up instead of returning directly. [dh: Modified Lizhi Xu's original patch to make it honour the error code from afs_split_string()] [1] WARNING: lock held when returning to user space! 6.13.0-rc3-syzkaller-00209-g499551201b5f #0 Not tainted ------------------------------------------------ syz-executor133/5823 is leaving the kernel with locks still held! 1 lock held by syz-executor133/5823: #0: ffff888071cffc00 (&sb->s_type->i_mutex_key#9){++++}-{4:4}, at: inode_lock include/linux/fs.h:818 [inline] #0: ffff888071cffc00 (&sb->s_type->i_mutex_key#9){++++}-{4:4}, at: afs_proc_addr_prefs_write+0x2bb/0x14e0 fs/afs/addr_prefs.c:388 Reported-by: syzbot+76f33569875eb708e575@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=76f33569875eb708e575 Signed-off-by: Lizhi Xu Signed-off-by: David Howells Link: https://lore.kernel.org/r/20241226012616.2348907-1-lizhi.xu@windriver.com/ Link: https://lore.kernel.org/r/529850.1736261552@warthog.procyon.org.uk Tested-by: syzbot+76f33569875eb708e575@syzkaller.appspotmail.com cc: Marc Dionne cc: linux-afs@lists.infradead.org Signed-off-by: Christian Brauner commit 426046e2d62dd19533808661e912b8e8a9eaec16 Author: Parker Newman Date: Tue Jan 7 16:24:59 2025 -0500 net: stmmac: dwmac-tegra: Read iommu stream id from device tree Nvidia's Tegra MGBE controllers require the IOMMU "Stream ID" (SID) to be written to the MGBE_WRAP_AXI_ASID0_CTRL register. The current driver is hard coded to use MGBE0's SID for all controllers. This causes softirq time outs and kernel panics when using controllers other than MGBE0. Example dmesg errors when an ethernet cable is connected to MGBE1: [ 116.133290] tegra-mgbe 6910000.ethernet eth1: Link is Up - 1Gbps/Full - flow control rx/tx [ 121.851283] tegra-mgbe 6910000.ethernet eth1: NETDEV WATCHDOG: CPU: 5: transmit queue 0 timed out 5690 ms [ 121.851782] tegra-mgbe 6910000.ethernet eth1: Reset adapter. [ 121.892464] tegra-mgbe 6910000.ethernet eth1: Register MEM_TYPE_PAGE_POOL RxQ-0 [ 121.905920] tegra-mgbe 6910000.ethernet eth1: PHY [stmmac-1:00] driver [Aquantia AQR113] (irq=171) [ 121.907356] tegra-mgbe 6910000.ethernet eth1: Enabling Safety Features [ 121.907578] tegra-mgbe 6910000.ethernet eth1: IEEE 1588-2008 Advanced Timestamp supported [ 121.908399] tegra-mgbe 6910000.ethernet eth1: registered PTP clock [ 121.908582] tegra-mgbe 6910000.ethernet eth1: configuring for phy/10gbase-r link mode [ 125.961292] tegra-mgbe 6910000.ethernet eth1: Link is Up - 1Gbps/Full - flow control rx/tx [ 181.921198] rcu: INFO: rcu_preempt detected stalls on CPUs/tasks: [ 181.921404] rcu: 7-....: (1 GPs behind) idle=540c/1/0x4000000000000002 softirq=1748/1749 fqs=2337 [ 181.921684] rcu: (detected by 4, t=6002 jiffies, g=1357, q=1254 ncpus=8) [ 181.921878] Sending NMI from CPU 4 to CPUs 7: [ 181.921886] NMI backtrace for cpu 7 [ 181.922131] CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Kdump: loaded Not tainted 6.13.0-rc3+ #6 [ 181.922390] Hardware name: NVIDIA CTI Forge + Orin AGX/Jetson, BIOS 202402.1-Unknown 10/28/2024 [ 181.922658] pstate: 40400009 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 181.922847] pc : handle_softirqs+0x98/0x368 [ 181.922978] lr : __do_softirq+0x18/0x20 [ 181.923095] sp : ffff80008003bf50 [ 181.923189] x29: ffff80008003bf50 x28: 0000000000000008 x27: 0000000000000000 [ 181.923379] x26: ffffce78ea277000 x25: 0000000000000000 x24: 0000001c61befda0 [ 181.924486] x23: 0000000060400009 x22: ffffce78e99918bc x21: ffff80008018bd70 [ 181.925568] x20: ffffce78e8bb00d8 x19: ffff80008018bc20 x18: 0000000000000000 [ 181.926655] x17: ffff318ebe7d3000 x16: ffff800080038000 x15: 0000000000000000 [ 181.931455] x14: ffff000080816680 x13: ffff318ebe7d3000 x12: 000000003464d91d [ 181.938628] x11: 0000000000000040 x10: ffff000080165a70 x9 : ffffce78e8bb0160 [ 181.945804] x8 : ffff8000827b3160 x7 : f9157b241586f343 x6 : eeb6502a01c81c74 [ 181.953068] x5 : a4acfcdd2e8096bb x4 : ffffce78ea277340 x3 : 00000000ffffd1e1 [ 181.960329] x2 : 0000000000000101 x1 : ffffce78ea277340 x0 : ffff318ebe7d3000 [ 181.967591] Call trace: [ 181.970043] handle_softirqs+0x98/0x368 (P) [ 181.974240] __do_softirq+0x18/0x20 [ 181.977743] ____do_softirq+0x14/0x28 [ 181.981415] call_on_irq_stack+0x24/0x30 [ 181.985180] do_softirq_own_stack+0x20/0x30 [ 181.989379] __irq_exit_rcu+0x114/0x140 [ 181.993142] irq_exit_rcu+0x14/0x28 [ 181.996816] el1_interrupt+0x44/0xb8 [ 182.000316] el1h_64_irq_handler+0x14/0x20 [ 182.004343] el1h_64_irq+0x80/0x88 [ 182.007755] cpuidle_enter_state+0xc4/0x4a8 (P) [ 182.012305] cpuidle_enter+0x3c/0x58 [ 182.015980] cpuidle_idle_call+0x128/0x1c0 [ 182.020005] do_idle+0xe0/0xf0 [ 182.023155] cpu_startup_entry+0x3c/0x48 [ 182.026917] secondary_start_kernel+0xdc/0x120 [ 182.031379] __secondary_switched+0x74/0x78 [ 212.971162] rcu: INFO: rcu_preempt detected expedited stalls on CPUs/tasks: { 7-.... } 6103 jiffies s: 417 root: 0x80/. [ 212.985935] rcu: blocking rcu_node structures (internal RCU debug): [ 212.992758] Sending NMI from CPU 0 to CPUs 7: [ 212.998539] NMI backtrace for cpu 7 [ 213.004304] CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Kdump: loaded Not tainted 6.13.0-rc3+ #6 [ 213.016116] Hardware name: NVIDIA CTI Forge + Orin AGX/Jetson, BIOS 202402.1-Unknown 10/28/2024 [ 213.030817] pstate: 40400009 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 213.040528] pc : handle_softirqs+0x98/0x368 [ 213.046563] lr : __do_softirq+0x18/0x20 [ 213.051293] sp : ffff80008003bf50 [ 213.055839] x29: ffff80008003bf50 x28: 0000000000000008 x27: 0000000000000000 [ 213.067304] x26: ffffce78ea277000 x25: 0000000000000000 x24: 0000001c61befda0 [ 213.077014] x23: 0000000060400009 x22: ffffce78e99918bc x21: ffff80008018bd70 [ 213.087339] x20: ffffce78e8bb00d8 x19: ffff80008018bc20 x18: 0000000000000000 [ 213.097313] x17: ffff318ebe7d3000 x16: ffff800080038000 x15: 0000000000000000 [ 213.107201] x14: ffff000080816680 x13: ffff318ebe7d3000 x12: 000000003464d91d [ 213.116651] x11: 0000000000000040 x10: ffff000080165a70 x9 : ffffce78e8bb0160 [ 213.127500] x8 : ffff8000827b3160 x7 : 0a37b344852820af x6 : 3f049caedd1ff608 [ 213.138002] x5 : cff7cfdbfaf31291 x4 : ffffce78ea277340 x3 : 00000000ffffde04 [ 213.150428] x2 : 0000000000000101 x1 : ffffce78ea277340 x0 : ffff318ebe7d3000 [ 213.162063] Call trace: [ 213.165494] handle_softirqs+0x98/0x368 (P) [ 213.171256] __do_softirq+0x18/0x20 [ 213.177291] ____do_softirq+0x14/0x28 [ 213.182017] call_on_irq_stack+0x24/0x30 [ 213.186565] do_softirq_own_stack+0x20/0x30 [ 213.191815] __irq_exit_rcu+0x114/0x140 [ 213.196891] irq_exit_rcu+0x14/0x28 [ 213.202401] el1_interrupt+0x44/0xb8 [ 213.207741] el1h_64_irq_handler+0x14/0x20 [ 213.213519] el1h_64_irq+0x80/0x88 [ 213.217541] cpuidle_enter_state+0xc4/0x4a8 (P) [ 213.224364] cpuidle_enter+0x3c/0x58 [ 213.228653] cpuidle_idle_call+0x128/0x1c0 [ 213.233993] do_idle+0xe0/0xf0 [ 213.237928] cpu_startup_entry+0x3c/0x48 [ 213.243791] secondary_start_kernel+0xdc/0x120 [ 213.249830] __secondary_switched+0x74/0x78 This bug has existed since the dwmac-tegra driver was added in Dec 2022 (See Fixes tag below for commit hash). The Tegra234 SOC has 4 MGBE controllers, however Nvidia's Developer Kit only uses MGBE0 which is why the bug was not found previously. Connect Tech has many products that use 2 (or more) MGBE controllers. The solution is to read the controller's SID from the existing "iommus" device tree property. The 2nd field of the "iommus" device tree property is the controller's SID. Device tree snippet from tegra234.dtsi showing MGBE1's "iommus" property: smmu_niso0: iommu@12000000 { compatible = "nvidia,tegra234-smmu", "nvidia,smmu-500"; ... } /* MGBE1 */ ethernet@6900000 { compatible = "nvidia,tegra234-mgbe"; ... iommus = <&smmu_niso0 TEGRA234_SID_MGBE_VF1>; ... } Nvidia's arm-smmu driver reads the "iommus" property and stores the SID in the MGBE device's "fwspec" struct. The dwmac-tegra driver can access the SID using the tegra_dev_iommu_get_stream_id() helper function found in linux/iommu.h. Calling tegra_dev_iommu_get_stream_id() should not fail unless the "iommus" property is removed from the device tree or the IOMMU is disabled. While the Tegra234 SOC technically supports bypassing the IOMMU, it is not supported by the current firmware, has not been tested and not recommended. More detailed discussion with Thierry Reding from Nvidia linked below. Fixes: d8ca113724e7 ("net: stmmac: tegra: Add MGBE support") Link: https://lore.kernel.org/netdev/cover.1731685185.git.pnewman@connecttech.com Signed-off-by: Parker Newman Reviewed-by: Andrew Lunn Acked-by: Thierry Reding Link: https://patch.msgid.link/6fb97f32cf4accb4f7cf92846f6b60064ba0a3bd.1736284360.git.pnewman@connecttech.com Signed-off-by: Jakub Kicinski commit 904abff4b1b94184aaa0e9f5fce7821f7b5b81a3 Author: David Howells Date: Tue Jan 7 14:43:30 2025 +0000 netfs: Fix read-retry for fs with no ->prepare_read() Fix netfslib's read-retry to only call ->prepare_read() in the backing filesystem such a function is provided. We can get to this point if a there's an active cache as failed reads from the cache need negotiating with the server instead. Fixes: ee4cdf7ba857 ("netfs: Speed up buffered reading") Signed-off-by: David Howells Link: https://lore.kernel.org/r/529329.1736261010@warthog.procyon.org.uk cc: Jeff Layton cc: netfs@lists.linux.dev cc: linux-fsdevel@vger.kernel.org Signed-off-by: Christian Brauner commit 3f6bc9e3ab9b127171d39f9ac6eca1abb693b731 Author: David Howells Date: Tue Jan 7 18:39:27 2025 +0000 netfs: Fix kernel async DIO Netfslib needs to be able to handle kernel-initiated asynchronous DIO that is supplied with a bio_vec[] array. Currently, because of the async flag, this gets passed to netfs_extract_user_iter() which throws a warning and fails because it only handles IOVEC and UBUF iterators. This can be triggered through a combination of cifs and a loopback blockdev with something like: mount //my/cifs/share /foo dd if=/dev/zero of=/foo/m0 bs=4K count=1K losetup --sector-size 4096 --direct-io=on /dev/loop2046 /foo/m0 echo hello >/dev/loop2046 This causes the following to appear in syslog: WARNING: CPU: 2 PID: 109 at fs/netfs/iterator.c:50 netfs_extract_user_iter+0x170/0x250 [netfs] and the write to fail. Fix this by removing the check in netfs_unbuffered_write_iter_locked() that causes async kernel DIO writes to be handled as userspace writes. Note that this change relies on the kernel caller maintaining the existence of the bio_vec array (or kvec[] or folio_queue) until the op is complete. Fixes: 153a9961b551 ("netfs: Implement unbuffered/DIO write support") Reported-by: Nicolas Baranger Closes: https://lore.kernel.org/r/fedd8a40d54b2969097ffa4507979858@3xo.fr/ Signed-off-by: David Howells Link: https://lore.kernel.org/r/608725.1736275167@warthog.procyon.org.uk Tested-by: Nicolas Baranger Acked-by: Paulo Alcantara (Red Hat) cc: Steve French cc: Jeff Layton cc: netfs@lists.linux.dev cc: linux-cifs@vger.kernel.org cc: linux-fsdevel@vger.kernel.org Signed-off-by: Christian Brauner commit 737d4d91d35b5f7fa5bb442651472277318b0bfd Author: Toke Høiland-Jørgensen Date: Tue Jan 7 13:01:05 2025 +0100 sched: sch_cake: add bounds checks to host bulk flow fairness counts Even though we fixed a logic error in the commit cited below, syzbot still managed to trigger an underflow of the per-host bulk flow counters, leading to an out of bounds memory access. To avoid any such logic errors causing out of bounds memory accesses, this commit factors out all accesses to the per-host bulk flow counters to a series of helpers that perform bounds-checking before any increments and decrements. This also has the benefit of improving readability by moving the conditional checks for the flow mode into these helpers, instead of having them spread out throughout the code (which was the cause of the original logic error). As part of this change, the flow quantum calculation is consolidated into a helper function, which means that the dithering applied to the ost load scaling is now applied both in the DRR rotation and when a sparse flow's quantum is first initiated. The only user-visible effect of this is that the maximum packet size that can be sent while a flow stays sparse will now vary with +/- one byte in some cases. This should not make a noticeable difference in practice, and thus it's not worth complicating the code to preserve the old behaviour. Fixes: 546ea84d07e3 ("sched: sch_cake: fix bulk flow accounting logic for host fairness") Reported-by: syzbot+f63600d288bfb7057424@syzkaller.appspotmail.com Signed-off-by: Toke Høiland-Jørgensen Acked-by: Dave Taht Link: https://patch.msgid.link/20250107120105.70685-1-toke@redhat.com Signed-off-by: Jakub Kicinski commit 482d520d86e889cf40d8173388a498375079cab6 Merge: c13094b894de28 344bac8f0d73fe Author: Christian Brauner Date: Thu Jan 9 17:03:21 2025 +0100 Merge tag 'vfs-6.14-rc7.mount.fixes' Bring in the fix for the mount namespace rbtree. It is used as the base for the vfs mount work for this cycle and so shouldn't be applied directly. Signed-off-by: Christian Brauner commit 344bac8f0d73fe970cd9f5b2f132906317d29e8b Author: Christian Brauner Date: Sun Dec 15 21:17:05 2024 +0100 fs: kill MNT_ONRB Move mnt->mnt_node into the union with mnt->mnt_rcu and mnt->mnt_llist instead of keeping it with mnt->mnt_list. This allows us to use RB_CLEAR_NODE(&mnt->mnt_node) in umount_tree() as well as list_empty(&mnt->mnt_node). That in turn allows us to remove MNT_ONRB. This also fixes the bug reported in [1] where seemingly MNT_ONRB wasn't set in @mnt->mnt_flags even though the mount was present in the mount rbtree of the mount namespace. The root cause is the following race. When a btrfs subvolume is mounted a temporary mount is created: btrfs_get_tree_subvol() { mnt = fc_mount() // Register the newly allocated mount with sb->mounts: lock_mount_hash(); list_add_tail(&mnt->mnt_instance, &mnt->mnt.mnt_sb->s_mounts); unlock_mount_hash(); } and registered on sb->s_mounts. Later it is added to an anonymous mount namespace via mount_subvol(): -> mount_subvol() -> mount_subtree() -> alloc_mnt_ns() mnt_add_to_ns() vfs_path_lookup() put_mnt_ns() The mnt_add_to_ns() call raises MNT_ONRB in @mnt->mnt_flags. If someone concurrently does a ro remount: reconfigure_super() -> sb_prepare_remount_readonly() { list_for_each_entry(mnt, &sb->s_mounts, mnt_instance) { } all mounts registered in sb->s_mounts are visited and first MNT_WRITE_HOLD is raised, then MNT_READONLY is raised, and finally MNT_WRITE_HOLD is removed again. The flag modification for MNT_WRITE_HOLD/MNT_READONLY and MNT_ONRB race so MNT_ONRB might be lost. Fixes: 2eea9ce4310d ("mounts: keep list of mounts in an rbtree") Cc: # v6.8+ Link: https://lore.kernel.org/r/20241215-vfs-6-14-mount-work-v1-1-fd55922c4af8@kernel.org Link: https://lore.kernel.org/r/ec6784ed-8722-4695-980a-4400d4e7bd1a@gmx.com [1] Signed-off-by: Christian Brauner commit 3699f2c43ea9984e00d70463f8c29baaf260ea97 Author: Peter Geis Date: Sat Dec 14 22:43:39 2024 +0000 arm64: dts: rockchip: add hevc power domain clock to rk3328 There is a race condition at startup between disabling power domains not used and disabling clocks not used on the rk3328. When the clocks are disabled first, the hevc power domain fails to shut off leading to a splat of failures. Add the hevc core clock to the rk3328 power domain node to prevent this condition. rcu: INFO: rcu_sched detected expedited stalls on CPUs/tasks: { 3-.... } 1087 jiffies s: 89 root: 0x8/. rcu: blocking rcu_node structures (internal RCU debug): Sending NMI from CPU 0 to CPUs 3: NMI backtrace for cpu 3 CPU: 3 UID: 0 PID: 86 Comm: kworker/3:3 Not tainted 6.12.0-rc5+ #53 Hardware name: Firefly ROC-RK3328-CC (DT) Workqueue: pm genpd_power_off_work_fn pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : regmap_unlock_spinlock+0x18/0x30 lr : regmap_read+0x60/0x88 sp : ffff800081123c00 x29: ffff800081123c00 x28: ffff2fa4c62cad80 x27: 0000000000000000 x26: ffffd74e6e660eb8 x25: ffff2fa4c62cae00 x24: 0000000000000040 x23: ffffd74e6d2f3ab8 x22: 0000000000000001 x21: ffff800081123c74 x20: 0000000000000000 x19: ffff2fa4c0412000 x18: 0000000000000000 x17: 77202c31203d2065 x16: 6c6469203a72656c x15: 6c6f72746e6f632d x14: 7265776f703a6e6f x13: 2063766568206e69 x12: 616d6f64202c3431 x11: 347830206f742030 x10: 3430303034783020 x9 : ffffd74e6c7369e0 x8 : 3030316666206e69 x7 : 205d383738353733 x6 : 332e31202020205b x5 : ffffd74e6c73fc88 x4 : ffffd74e6c73fcd4 x3 : ffffd74e6c740b40 x2 : ffff800080015484 x1 : 0000000000000000 x0 : ffff2fa4c0412000 Call trace: regmap_unlock_spinlock+0x18/0x30 rockchip_pmu_set_idle_request+0xac/0x2c0 rockchip_pd_power+0x144/0x5f8 rockchip_pd_power_off+0x1c/0x30 _genpd_power_off+0x9c/0x180 genpd_power_off.part.0.isra.0+0x130/0x2a8 genpd_power_off_work_fn+0x6c/0x98 process_one_work+0x170/0x3f0 worker_thread+0x290/0x4a8 kthread+0xec/0xf8 ret_from_fork+0x10/0x20 rockchip-pm-domain ff100000.syscon:power-controller: failed to get ack on domain 'hevc', val=0x88220 Fixes: 52e02d377a72 ("arm64: dts: rockchip: add core dtsi file for RK3328 SoCs") Signed-off-by: Peter Geis Reviewed-by: Dragan Simic Link: https://lore.kernel.org/r/20241214224339.24674-1-pgwipeout@gmail.com Signed-off-by: Heiko Stuebner commit c13094b894de289514d84b8db56d1f2931a0bade Author: Marco Nelissen Date: Wed Jan 8 20:11:50 2025 -0800 iomap: avoid avoid truncating 64-bit offset to 32 bits on 32-bit kernels, iomap_write_delalloc_scan() was inadvertently using a 32-bit position due to folio_next_index() returning an unsigned long. This could lead to an infinite loop when writing to an xfs filesystem. Signed-off-by: Marco Nelissen Link: https://lore.kernel.org/r/20250109041253.2494374-1-marco.nelissen@gmail.com Reviewed-by: Darrick J. Wong Reviewed-by: Christoph Hellwig Signed-off-by: Christian Brauner commit c9a40292a44e78f71258b8522655bffaf5753bdb Author: Jens Axboe Date: Wed Jan 8 10:28:05 2025 -0700 io_uring/eventfd: ensure io_eventfd_signal() defers another RCU period io_eventfd_do_signal() is invoked from an RCU callback, but when dropping the reference to the io_ev_fd, it calls io_eventfd_free() directly if the refcount drops to zero. This isn't correct, as any potential freeing of the io_ev_fd should be deferred another RCU grace period. Just call io_eventfd_put() rather than open-code the dec-and-test and free, which will correctly defer it another RCU grace period. Fixes: 21a091b970cd ("io_uring: signal registered eventfd to process deferred task work") Reported-by: Jann Horn Cc: stable@vger.kernel.org Tested-by: Li Zetao Reviewed-by: Li Zetao Reviewed-by: Prasanna Kumar T S M Signed-off-by: Jens Axboe commit fcede1f0a043ccefe9bc6ad57f12718e42f63f1d Author: Yu Kuai Date: Wed Jan 8 16:41:48 2025 +0800 block, bfq: fix waker_bfqq UAF after bfq_split_bfqq() Our syzkaller report a following UAF for v6.6: BUG: KASAN: slab-use-after-free in bfq_init_rq+0x175d/0x17a0 block/bfq-iosched.c:6958 Read of size 8 at addr ffff8881b57147d8 by task fsstress/232726 CPU: 2 PID: 232726 Comm: fsstress Not tainted 6.6.0-g3629d1885222 #39 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106 print_address_description.constprop.0+0x66/0x300 mm/kasan/report.c:364 print_report+0x3e/0x70 mm/kasan/report.c:475 kasan_report+0xb8/0xf0 mm/kasan/report.c:588 hlist_add_head include/linux/list.h:1023 [inline] bfq_init_rq+0x175d/0x17a0 block/bfq-iosched.c:6958 bfq_insert_request.isra.0+0xe8/0xa20 block/bfq-iosched.c:6271 bfq_insert_requests+0x27f/0x390 block/bfq-iosched.c:6323 blk_mq_insert_request+0x290/0x8f0 block/blk-mq.c:2660 blk_mq_submit_bio+0x1021/0x15e0 block/blk-mq.c:3143 __submit_bio+0xa0/0x6b0 block/blk-core.c:639 __submit_bio_noacct_mq block/blk-core.c:718 [inline] submit_bio_noacct_nocheck+0x5b7/0x810 block/blk-core.c:747 submit_bio_noacct+0xca0/0x1990 block/blk-core.c:847 __ext4_read_bh fs/ext4/super.c:205 [inline] ext4_read_bh+0x15e/0x2e0 fs/ext4/super.c:230 __read_extent_tree_block+0x304/0x6f0 fs/ext4/extents.c:567 ext4_find_extent+0x479/0xd20 fs/ext4/extents.c:947 ext4_ext_map_blocks+0x1a3/0x2680 fs/ext4/extents.c:4182 ext4_map_blocks+0x929/0x15a0 fs/ext4/inode.c:660 ext4_iomap_begin_report+0x298/0x480 fs/ext4/inode.c:3569 iomap_iter+0x3dd/0x1010 fs/iomap/iter.c:91 iomap_fiemap+0x1f4/0x360 fs/iomap/fiemap.c:80 ext4_fiemap+0x181/0x210 fs/ext4/extents.c:5051 ioctl_fiemap.isra.0+0x1b4/0x290 fs/ioctl.c:220 do_vfs_ioctl+0x31c/0x11a0 fs/ioctl.c:811 __do_sys_ioctl fs/ioctl.c:869 [inline] __se_sys_ioctl+0xae/0x190 fs/ioctl.c:857 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x70/0x120 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x78/0xe2 Allocated by task 232719: kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328 kasan_slab_alloc include/linux/kasan.h:188 [inline] slab_post_alloc_hook mm/slab.h:768 [inline] slab_alloc_node mm/slub.c:3492 [inline] kmem_cache_alloc_node+0x1b8/0x6f0 mm/slub.c:3537 bfq_get_queue+0x215/0x1f00 block/bfq-iosched.c:5869 bfq_get_bfqq_handle_split+0x167/0x5f0 block/bfq-iosched.c:6776 bfq_init_rq+0x13a4/0x17a0 block/bfq-iosched.c:6938 bfq_insert_request.isra.0+0xe8/0xa20 block/bfq-iosched.c:6271 bfq_insert_requests+0x27f/0x390 block/bfq-iosched.c:6323 blk_mq_insert_request+0x290/0x8f0 block/blk-mq.c:2660 blk_mq_submit_bio+0x1021/0x15e0 block/blk-mq.c:3143 __submit_bio+0xa0/0x6b0 block/blk-core.c:639 __submit_bio_noacct_mq block/blk-core.c:718 [inline] submit_bio_noacct_nocheck+0x5b7/0x810 block/blk-core.c:747 submit_bio_noacct+0xca0/0x1990 block/blk-core.c:847 __ext4_read_bh fs/ext4/super.c:205 [inline] ext4_read_bh_nowait+0x15a/0x240 fs/ext4/super.c:217 ext4_read_bh_lock+0xac/0xd0 fs/ext4/super.c:242 ext4_bread_batch+0x268/0x500 fs/ext4/inode.c:958 __ext4_find_entry+0x448/0x10f0 fs/ext4/namei.c:1671 ext4_lookup_entry fs/ext4/namei.c:1774 [inline] ext4_lookup.part.0+0x359/0x6f0 fs/ext4/namei.c:1842 ext4_lookup+0x72/0x90 fs/ext4/namei.c:1839 __lookup_slow+0x257/0x480 fs/namei.c:1696 lookup_slow fs/namei.c:1713 [inline] walk_component+0x454/0x5c0 fs/namei.c:2004 link_path_walk.part.0+0x773/0xda0 fs/namei.c:2331 link_path_walk fs/namei.c:3826 [inline] path_openat+0x1b9/0x520 fs/namei.c:3826 do_filp_open+0x1b7/0x400 fs/namei.c:3857 do_sys_openat2+0x5dc/0x6e0 fs/open.c:1428 do_sys_open fs/open.c:1443 [inline] __do_sys_openat fs/open.c:1459 [inline] __se_sys_openat fs/open.c:1454 [inline] __x64_sys_openat+0x148/0x200 fs/open.c:1454 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x70/0x120 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x78/0xe2 Freed by task 232726: kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 kasan_save_free_info+0x2b/0x50 mm/kasan/generic.c:522 ____kasan_slab_free mm/kasan/common.c:236 [inline] __kasan_slab_free+0x12a/0x1b0 mm/kasan/common.c:244 kasan_slab_free include/linux/kasan.h:164 [inline] slab_free_hook mm/slub.c:1827 [inline] slab_free_freelist_hook mm/slub.c:1853 [inline] slab_free mm/slub.c:3820 [inline] kmem_cache_free+0x110/0x760 mm/slub.c:3842 bfq_put_queue+0x6a7/0xfb0 block/bfq-iosched.c:5428 bfq_forget_entity block/bfq-wf2q.c:634 [inline] bfq_put_idle_entity+0x142/0x240 block/bfq-wf2q.c:645 bfq_forget_idle+0x189/0x1e0 block/bfq-wf2q.c:671 bfq_update_vtime block/bfq-wf2q.c:1280 [inline] __bfq_lookup_next_entity block/bfq-wf2q.c:1374 [inline] bfq_lookup_next_entity+0x350/0x480 block/bfq-wf2q.c:1433 bfq_update_next_in_service+0x1c0/0x4f0 block/bfq-wf2q.c:128 bfq_deactivate_entity+0x10a/0x240 block/bfq-wf2q.c:1188 bfq_deactivate_bfqq block/bfq-wf2q.c:1592 [inline] bfq_del_bfqq_busy+0x2e8/0xad0 block/bfq-wf2q.c:1659 bfq_release_process_ref+0x1cc/0x220 block/bfq-iosched.c:3139 bfq_split_bfqq+0x481/0xdf0 block/bfq-iosched.c:6754 bfq_init_rq+0xf29/0x17a0 block/bfq-iosched.c:6934 bfq_insert_request.isra.0+0xe8/0xa20 block/bfq-iosched.c:6271 bfq_insert_requests+0x27f/0x390 block/bfq-iosched.c:6323 blk_mq_insert_request+0x290/0x8f0 block/blk-mq.c:2660 blk_mq_submit_bio+0x1021/0x15e0 block/blk-mq.c:3143 __submit_bio+0xa0/0x6b0 block/blk-core.c:639 __submit_bio_noacct_mq block/blk-core.c:718 [inline] submit_bio_noacct_nocheck+0x5b7/0x810 block/blk-core.c:747 submit_bio_noacct+0xca0/0x1990 block/blk-core.c:847 __ext4_read_bh fs/ext4/super.c:205 [inline] ext4_read_bh+0x15e/0x2e0 fs/ext4/super.c:230 __read_extent_tree_block+0x304/0x6f0 fs/ext4/extents.c:567 ext4_find_extent+0x479/0xd20 fs/ext4/extents.c:947 ext4_ext_map_blocks+0x1a3/0x2680 fs/ext4/extents.c:4182 ext4_map_blocks+0x929/0x15a0 fs/ext4/inode.c:660 ext4_iomap_begin_report+0x298/0x480 fs/ext4/inode.c:3569 iomap_iter+0x3dd/0x1010 fs/iomap/iter.c:91 iomap_fiemap+0x1f4/0x360 fs/iomap/fiemap.c:80 ext4_fiemap+0x181/0x210 fs/ext4/extents.c:5051 ioctl_fiemap.isra.0+0x1b4/0x290 fs/ioctl.c:220 do_vfs_ioctl+0x31c/0x11a0 fs/ioctl.c:811 __do_sys_ioctl fs/ioctl.c:869 [inline] __se_sys_ioctl+0xae/0x190 fs/ioctl.c:857 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x70/0x120 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x78/0xe2 commit 1ba0403ac644 ("block, bfq: fix uaf for accessing waker_bfqq after splitting") fix the problem that if waker_bfqq is in the merge chain, and current is the only procress, waker_bfqq can be freed from bfq_split_bfqq(). However, the case that waker_bfqq is not in the merge chain is missed, and if the procress reference of waker_bfqq is 0, waker_bfqq can be freed as well. Fix the problem by checking procress reference if waker_bfqq is not in the merge_chain. Fixes: 1ba0403ac644 ("block, bfq: fix uaf for accessing waker_bfqq after splitting") Signed-off-by: Hou Tao Signed-off-by: Yu Kuai Reviewed-by: Jan Kara Link: https://lore.kernel.org/r/20250108084148.1549973-1-yukuai1@huaweicloud.com Signed-off-by: Jens Axboe commit 139fa599cea0fd9d38e00246ea9f79af6c59acbd Author: Kuninori Morimoto Date: Thu Jan 9 00:40:05 2025 +0000 ASoC: rsnd: check rsnd_adg_clk_enable() return value rsnd_adg_clk_enable() might be failed for some reasons, but it doesn't check return value for now. In such case, we might get below WARNING from clk_disable() during probe or suspend. Check rsnd_adg_clk_enable() return value. clk_multiplier already disabled ... Call trace: clk_core_disable+0xd0/0xd8 (P) clk_disable+0x2c/0x44 rsnd_adg_clk_control+0x80/0xf4 According to Geert, it happened only 7 times during the last 2 years. So I have reproduced the issue and created patch by Intentionally making an error. Link: https://lore.kernel.org/r/CAMuHMdVUKpO2rsia+36BLFFwdMapE8LrYS0duyd0FmrxDvwEfg@mail.gmail.com Reported-by: Geert Uytterhoeven Signed-off-by: Kuninori Morimoto Link: https://patch.msgid.link/87seps2522.wl-kuninori.morimoto.gx@renesas.com Signed-off-by: Mark Brown commit b541ba7d1f5a5b7b3e2e22dc9e40e18a7d6dbc13 Author: Pablo Neira Ayuso Date: Wed Jan 8 22:56:33 2025 +0100 netfilter: conntrack: clamp maximum hashtable size to INT_MAX Use INT_MAX as maximum size for the conntrack hashtable. Otherwise, it is possible to hit WARN_ON_ONCE in __kvmalloc_node_noprof() when resizing hashtable because __GFP_NOWARN is unset. See: 0708a0afe291 ("mm: Consider __GFP_NOWARN flag for oversized kvmalloc() calls") Note: hashtable resize is only possible from init_netns. Fixes: 9cc1c73ad666 ("netfilter: conntrack: avoid integer overflow when resizing") Signed-off-by: Pablo Neira Ayuso commit 13210fc63f353fe78584048079343413a3cdf819 Author: Pablo Neira Ayuso Date: Thu Jan 2 13:01:13 2025 +0100 netfilter: nf_tables: imbalance in flowtable binding All these cases cause imbalance between BIND and UNBIND calls: - Delete an interface from a flowtable with multiple interfaces - Add a (device to a) flowtable with --check flag - Delete a netns containing a flowtable - In an interactive nft session, create a table with owner flag and flowtable inside, then quit. Fix it by calling FLOW_BLOCK_UNBIND when unregistering hooks, then remove late FLOW_BLOCK_UNBIND call when destroying flowtable. Fixes: ff4bf2f42a40 ("netfilter: nf_tables: add nft_unregister_flowtable_hook()") Reported-by: Phil Sutter Tested-by: Phil Sutter Signed-off-by: Pablo Neira Ayuso commit 6d71a9c6160479899ee744d2c6d6602a191deb1f Author: Peter Zijlstra Date: Thu Jan 9 11:59:59 2025 +0100 sched/fair: Fix EEVDF entity placement bug causing scheduling lag I noticed this in my traces today: turbostat-1222 [006] d..2. 311.935649: reweight_entity: (ffff888108f13e00-ffff88885ef38440-6) { weight: 1048576 avg_vruntime: 3184159639071 vruntime: 3184159640194 (-1123) deadline: 3184162621107 } -> { weight: 2 avg_vruntime: 3184177463330 vruntime: 3184748414495 (-570951165) deadline: 4747605329439 } turbostat-1222 [006] d..2. 311.935651: reweight_entity: (ffff888108f13e00-ffff88885ef38440-6) { weight: 2 avg_vruntime: 3184177463330 vruntime: 3184748414495 (-570951165) deadline: 4747605329439 } -> { weight: 1048576 avg_vruntime: 3184176414812 vruntime: 3184177464419 (-1049607) deadline: 3184180445332 } Which is a weight transition: 1048576 -> 2 -> 1048576. One would expect the lag to shoot out *AND* come back, notably: -1123*1048576/2 = -588775424 -588775424*2/1048576 = -1123 Except the trace shows it is all off. Worse, subsequent cycles shoot it out further and further. This made me have a very hard look at reweight_entity(), and specifically the ->on_rq case, which is more prominent with DELAY_DEQUEUE. And indeed, it is all sorts of broken. While the computation of the new lag is correct, the computation for the new vruntime, using the new lag is broken for it does not consider the logic set out in place_entity(). With the below patch, I now see things like: migration/12-55 [012] d..3. 309.006650: reweight_entity: (ffff8881e0e6f600-ffff88885f235f40-12) { weight: 977582 avg_vruntime: 4860513347366 vruntime: 4860513347908 (-542) deadline: 4860516552475 } -> { weight: 2 avg_vruntime: 4860528915984 vruntime: 4860793840706 (-264924722) deadline: 6427157349203 } migration/14-62 [014] d..3. 309.006698: reweight_entity: (ffff8881e0e6cc00-ffff88885f3b5f40-15) { weight: 2 avg_vruntime: 4874472992283 vruntime: 4939833828823 (-65360836540) deadline: 6316614641111 } -> { weight: 967149 avg_vruntime: 4874217684324 vruntime: 4874217688559 (-4235) deadline: 4874220535650 } Which isn't perfect yet, but much closer. Reported-by: Doug Smythies Reported-by: Ingo Molnar Tested-by: Ingo Molnar Signed-off-by: Peter Zijlstra (Intel) Signed-off-by: Ingo Molnar Fixes: eab03c23c2a1 ("sched/eevdf: Fix vruntime adjustment on reweight") Link: https://lore.kernel.org/r/20250109105959.GA2981@noisy.programming.kicks-ass.net commit 8f0defd2e52d22eb994d7e770b1261caa24917d8 Author: Maciej Strozek Date: Thu Jan 9 09:38:22 2025 +0000 ASoC: cs42l43: Add codec force suspend/resume ops This ensures codec will resume after suspending during playback. Signed-off-by: Maciej Strozek Reviewed-by: Charles Keepax Link: https://patch.msgid.link/20250109093822.5745-1-mstrozek@opensource.cirrus.com Signed-off-by: Mark Brown commit 080505f3c6c3fa5560f3b84249875fd26229124c Author: Richard Fitzgerald Date: Thu Jan 9 10:56:57 2025 +0000 ALSA: doc: Add codecs/index.rst to top-level index commit 088fb4ee17fc ("ALSA: doc: cs35l56: Add information about Cirrus Logic CS35L54/56/57") added a new subdirectory with an index file, so this file must be added to the top-level index. Fixes: 088fb4ee17fc ("ALSA: doc: cs35l56: Add information about Cirrus Logic CS35L54/56/57") Signed-off-by: Richard Fitzgerald Link: https://patch.msgid.link/20250109105657.96860-1-rf@opensource.cirrus.com Signed-off-by: Mark Brown commit 2d2d4f60ed266a8f340a721102d035252606980b Author: Leo Yang Date: Tue Jan 7 11:15:30 2025 +0800 mctp i3c: fix MCTP I3C driver multi-thread issue We found a timeout problem with the pldm command on our system. The reason is that the MCTP-I3C driver has a race condition when receiving multiple-packet messages in multi-thread, resulting in a wrong packet order problem. We identified this problem by adding a debug message to the mctp_i3c_read function. According to the MCTP spec, a multiple-packet message must be composed in sequence, and if there is a wrong sequence, the whole message will be discarded and wait for the next SOM. For example, SOM → Pkt Seq #2 → Pkt Seq #1 → Pkt Seq #3 → EOM. Therefore, we try to solve this problem by adding a mutex to the mctp_i3c_read function. Before the modification, when a command requesting a multiple-packet message response is sent consecutively, an error usually occurs within 100 loops. After the mutex, it can go through 40000 loops without any error, and it seems to run well. Fixes: c8755b29b58e ("mctp i3c: MCTP I3C driver") Signed-off-by: Leo Yang Link: https://patch.msgid.link/20250107031529.3296094-1-Leo-Yang@quantatw.com [pabeni@redhat.com: dropped already answered question from changelog] Signed-off-by: Paolo Abeni commit cefc479cbb50399dec0c8e996f3539c48a1ee9dd Author: Tomi Valkeinen Date: Fri Nov 22 14:26:18 2024 +0200 i2c: atr: Fix client detach i2c-atr catches the BUS_NOTIFY_DEL_DEVICE event on the bus and removes the translation by calling i2c_atr_detach_client(). However, BUS_NOTIFY_DEL_DEVICE happens when the device is about to be removed from this bus, i.e. before removal, and thus before calling .remove() on the driver. If the driver happens to do any i2c transactions in its remove(), they will fail. Fix this by catching BUS_NOTIFY_REMOVED_DEVICE instead, thus removing the translation only after the device is actually removed. Fixes: a076a860acae ("media: i2c: add I2C Address Translator (ATR) support") Cc: stable@vger.kernel.org Signed-off-by: Tomi Valkeinen Reviewed-by: Luca Ceresoli Reviewed-by: Romain Gantois Tested-by: Romain Gantois Signed-off-by: Wolfram Sang commit 3f8c4f5e9a57868fa107016c81165686d23325f2 Author: Joe Hattori Date: Wed Dec 11 12:08:03 2024 +0900 i2c: core: fix reference leak in i2c_register_adapter() The reference count of the device incremented in device_initialize() is not decremented when device_add() fails. Add a put_device() call before returning from the function. This bug was found by an experimental static analysis tool that I am developing. Fixes: 60f68597024d ("i2c: core: Setup i2c_adapter runtime-pm before calling device_add()") Signed-off-by: Joe Hattori Signed-off-by: Wolfram Sang commit b84e1cd22f8a8c03b7b1051372560c7017c8be92 Author: Rodrigo Vivi Date: Thu Dec 19 18:55:36 2024 -0500 drm/xe/dg1: Fix power gate sequence. sub-pipe PG is not present on DG1. Setting these bits can disable other power gates and cause GPU hangs on video playbacks. VLK: 16314, 4304 Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/13381 Cc: Vinay Belgaumkar Cc: Himal Prasad Ghimiray Reviewed-by: Himal Prasad Ghimiray Link: https://patchwork.freedesktop.org/patch/msgid/20241219235536.454270-1-rodrigo.vivi@intel.com Signed-off-by: Rodrigo Vivi (cherry picked from commit 2f12e9c029315c1400059b2e7fdf53117c09c3a9) Signed-off-by: Thomas Hellström commit 9ab4981552930a9c45682d62424ba610edc3992d Author: Lucas De Marchi Date: Thu Jan 2 16:11:10 2025 -0800 drm/xe: Fix tlb invalidation when wedging If GuC fails to load, the driver wedges, but in the process it tries to do stuff that may not be initialized yet. This moves the xe_gt_tlb_invalidation_init() to be done earlier: as its own doc says, it's a software-only initialization and should had been named with the _early() suffix. Move it to be called by xe_gt_init_early(), so the locks and seqno are initialized, avoiding a NULL ptr deref when wedging: xe 0000:03:00.0: [drm] *ERROR* GT0: load failed: status: Reset = 0, BootROM = 0x50, UKernel = 0x00, MIA = 0x00, Auth = 0x01 xe 0000:03:00.0: [drm] *ERROR* GT0: firmware signature verification failed xe 0000:03:00.0: [drm] *ERROR* CRITICAL: Xe has declared device 0000:03:00.0 as wedged. ... BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 9 UID: 0 PID: 3908 Comm: modprobe Tainted: G U W 6.13.0-rc4-xe+ #3 Tainted: [U]=USER, [W]=WARN Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-S ADP-S DDR5 UDIMM CRB, BIOS ADLSFWI1.R00.3275.A00.2207010640 07/01/2022 RIP: 0010:xe_gt_tlb_invalidation_reset+0x75/0x110 [xe] This can be easily triggered by poking the GuC binary to force a signature failure. There will still be an extra message, xe 0000:03:00.0: [drm] *ERROR* GT0: GuC mmio request 0x4100: no reply 0x4100 but that's better than a NULL ptr deref. Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/3956 Fixes: c9474b726b93 ("drm/xe: Wedge the entire device") Reviewed-by: Matthew Brost Link: https://patchwork.freedesktop.org/patch/msgid/20250103001111.331684-2-lucas.demarchi@intel.com Signed-off-by: Lucas De Marchi (cherry picked from commit 5001ef3af8f2c972d6fd9c5221a8457556f8bea6) Signed-off-by: Thomas Hellström commit d1bf27c4e1768d4733143f26962a5c68ea8bd03c Author: Kory Maincent Date: Tue Jan 7 15:26:59 2025 +0100 dt-bindings: net: pse-pd: Fix unusual character in documentation The documentation contained an unusual character due to an issue in my personal b4 setup. Fix the problem by providing the correct PSE Pinout Alternatives table number description. Signed-off-by: Kory Maincent Reviewed-by: Simon Horman Link: https://patch.msgid.link/20250107142659.425877-1-kory.maincent@bootlin.com Signed-off-by: Jakub Kicinski commit 4460e45700e77b455b64b604c6acb5a2fd2fd66b Merge: 6730ee8f083cd2 bd2776e39c2a82 Author: Jakub Kicinski Date: Wed Jan 8 19:33:26 2025 -0800 Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue Tony Nguyen says: ==================== Intel Wired LAN Driver Updates 2025-01-07 (ice, igc) For ice: Arkadiusz corrects mask value being used to determine DPLL phase range. Przemyslaw corrects frequency value for E823 devices. For igc: En-Wei Wu adds a check and, early, return for failed register read. * '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue: igc: return early when failing to read EECD register ice: fix incorrect PHY settings for 100 GB/s ice: fix max values for dpll pin phase adjust ==================== Link: https://patch.msgid.link/20250107190150.1758577-1-anthony.l.nguyen@intel.com Signed-off-by: Jakub Kicinski commit 6730ee8f083cd263b0380b60b3ee74262e94b38e Merge: f552b3037d0ccc 67dba2c28fe0af Author: Jakub Kicinski Date: Wed Jan 8 19:08:18 2025 -0800 Merge tag 'for-net-2025-01-08' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth Luiz Augusto von Dentz says: ==================== bluetooth pull request for net: - btmtk: Fix failed to send func ctrl for MediaTek devices. - hci_sync: Fix not setting Random Address when required - MGMT: Fix Add Device to responding before completing - btnxpuart: Fix driver sending truncated data * tag 'for-net-2025-01-08' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth: Bluetooth: btmtk: Fix failed to send func ctrl for MediaTek devices. Bluetooth: btnxpuart: Fix driver sending truncated data Bluetooth: MGMT: Fix Add Device to responding before completing Bluetooth: hci_sync: Fix not setting Random Address when required ==================== Link: https://patch.msgid.link/20250108162627.1623760-1-luiz.dentz@gmail.com Signed-off-by: Jakub Kicinski commit 3cb97a927fffe443e1e7e8eddbfebfdb062e86ed Author: Chen Ridong Date: Mon Jan 6 08:19:04 2025 +0000 cgroup/cpuset: remove kernfs active break A warning was found: WARNING: CPU: 10 PID: 3486953 at fs/kernfs/file.c:828 CPU: 10 PID: 3486953 Comm: rmdir Kdump: loaded Tainted: G RIP: 0010:kernfs_should_drain_open_files+0x1a1/0x1b0 RSP: 0018:ffff8881107ef9e0 EFLAGS: 00010202 RAX: 0000000080000002 RBX: ffff888154738c00 RCX: dffffc0000000000 RDX: 0000000000000007 RSI: 0000000000000004 RDI: ffff888154738c04 RBP: ffff888154738c04 R08: ffffffffaf27fa15 R09: ffffed102a8e7180 R10: ffff888154738c07 R11: 0000000000000000 R12: ffff888154738c08 R13: ffff888750f8c000 R14: ffff888750f8c0e8 R15: ffff888154738ca0 FS: 00007f84cd0be740(0000) GS:ffff8887ddc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000555f9fbe00c8 CR3: 0000000153eec001 CR4: 0000000000370ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: kernfs_drain+0x15e/0x2f0 __kernfs_remove+0x165/0x300 kernfs_remove_by_name_ns+0x7b/0xc0 cgroup_rm_file+0x154/0x1c0 cgroup_addrm_files+0x1c2/0x1f0 css_clear_dir+0x77/0x110 kill_css+0x4c/0x1b0 cgroup_destroy_locked+0x194/0x380 cgroup_rmdir+0x2a/0x140 It can be explained by: rmdir echo 1 > cpuset.cpus kernfs_fop_write_iter // active=0 cgroup_rm_file kernfs_remove_by_name_ns kernfs_get_active // active=1 __kernfs_remove // active=0x80000002 kernfs_drain cpuset_write_resmask wait_event //waiting (active == 0x80000001) kernfs_break_active_protection // active = 0x80000001 // continue kernfs_unbreak_active_protection // active = 0x80000002 ... kernfs_should_drain_open_files // warning occurs kernfs_put_active This warning is caused by 'kernfs_break_active_protection' when it is writing to cpuset.cpus, and the cgroup is removed concurrently. The commit 3a5a6d0c2b03 ("cpuset: don't nest cgroup_mutex inside get_online_cpus()") made cpuset_hotplug_workfn asynchronous, This change involves calling flush_work(), which can create a multiple processes circular locking dependency that involve cgroup_mutex, potentially leading to a deadlock. To avoid deadlock. the commit 76bb5ab8f6e3 ("cpuset: break kernfs active protection in cpuset_write_resmask()") added 'kernfs_break_active_protection' in the cpuset_write_resmask. This could lead to this warning. After the commit 2125c0034c5d ("cgroup/cpuset: Make cpuset hotplug processing synchronous"), the cpuset_write_resmask no longer needs to wait the hotplug to finish, which means that concurrent hotplug and cpuset operations are no longer possible. Therefore, the deadlock doesn't exist anymore and it does not have to 'break active protection' now. To fix this warning, just remove kernfs_break_active_protection operation in the 'cpuset_write_resmask'. Fixes: bdb2fd7fc56e ("kernfs: Skip kernfs_drain_open_files() more aggressively") Fixes: 76bb5ab8f6e3 ("cpuset: break kernfs active protection in cpuset_write_resmask()") Reported-by: Ji Fa Signed-off-by: Chen Ridong Acked-by: Waiman Long Signed-off-by: Tejun Heo commit f90877dd7fb5085dd9abd6399daf63dd2969fc90 Author: Linus Walleij Date: Wed Jan 8 23:44:45 2025 +0100 seccomp: Stub for !CONFIG_SECCOMP When using !CONFIG_SECCOMP with CONFIG_GENERIC_ENTRY, the randconfig bots found the following snag: kernel/entry/common.c: In function 'syscall_trace_enter': >> kernel/entry/common.c:52:23: error: implicit declaration of function '__secure_computing' [-Wimplicit-function-declaration] 52 | ret = __secure_computing(NULL); | ^~~~~~~~~~~~~~~~~~ Since generic entry calls __secure_computing() unconditionally, fix this by moving the stub out of the ifdef clause for CONFIG_HAVE_ARCH_SECCOMP_FILTER so it's always available. Link: https://lore.kernel.org/oe-kbuild-all/202501061240.Fzk9qiFZ-lkp@intel.com/ Signed-off-by: Linus Walleij Link: https://lore.kernel.org/r/20250108-seccomp-stub-2-v2-1-74523d49420f@linaro.org Signed-off-by: Kees Cook commit eea6e4b4dfb8859446177c32961c96726d0117be Merge: 0b7958fa05d562 3b2f56860b05bf Author: Linus Torvalds Date: Wed Jan 8 11:55:20 2025 -0800 Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi Pull SCSI fixes from James Bottomley: "Four driver fixes in UFS, mostly to do with power management" * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: scsi: ufs: qcom: Power down the controller/device during system suspend for SM8550/SM8650 SoCs scsi: ufs: qcom: Allow passing platform specific OF data scsi: ufs: core: Honor runtime/system PM levels if set by host controller drivers scsi: ufs: qcom: Power off the PHY if it was already powered on in ufs_qcom_power_up_sequence() commit 5cd900b8b7e42c492431eb4261c18927768db1f9 Author: Clément Léger Date: Fri Jan 3 15:17:58 2025 +0100 riscv: use local label names instead of global ones in assembly Local labels should be prefix by '.L' or they'll be exported in the symbol table. Additionally, this messes up the backtrace by displaying an incorrect symbol: ... [ 12.751810] [] _copy_from_user+0x28/0xc2 [ 12.752035] [] handle_misaligned_load+0x1ca/0x2fc [ 12.752310] [] do_trap_load_misaligned+0x24/0xee [ 12.752596] [] _new_vmalloc_restore_context_a0+0xc2/0xce After: ... [ 10.243916] [] _copy_from_user+0x28/0xc2 [ 10.244026] [] handle_misaligned_load+0x1ca/0x2fc [ 10.244150] [] do_trap_load_misaligned+0x24/0xee [ 10.244268] [] handle_exception+0x146/0x152 Signed-off-by: Clément Léger Reviewed-by: Alexandre Ghiti Fixes: 503638e0babf3 ("riscv: Stop emitting preventive sfence.vma for new vmalloc mappings") Link: https://lore.kernel.org/r/20250103141814.508865-1-cleger@rivosinc.com Signed-off-by: Palmer Dabbelt commit 40e6073e764870da39d0203fc4326adc4c37e690 Author: Guo Ren Date: Sun Dec 15 08:52:52 2024 -0500 riscv: qspinlock: Fixup _Q_PENDING_LOOPS definition When CONFIG_RISCV_QUEUED_SPINLOCKS=y, the _Q_PENDING_LOOPS definition is missing. Add the _Q_PENDING_LOOPS definition for pure qspinlock usage. Fixes: ab83647fadae ("riscv: Add qspinlock support") Signed-off-by: Guo Ren Signed-off-by: Guo Ren Reviewed-by: Alexandre Ghiti Link: https://lore.kernel.org/r/20241215135252.201983-1-guoren@kernel.org Signed-off-by: Palmer Dabbelt commit 51356ce60e5915a6bd812873186ed54e45c2699d Author: Clément Léger Date: Mon Dec 9 16:57:12 2024 +0100 riscv: stacktrace: fix backtracing through exceptions Prior to commit 5d5fc33ce58e ("riscv: Improve exception and system call latency"), backtrace through exception worked since ra was filled with ret_from_exception symbol address and the stacktrace code checked 'pc' to be equal to that symbol. Now that handle_exception uses regular 'call' instructions, this isn't working anymore and backtrace stops at handle_exception(). Since there are multiple call site to C code in the exception handling path, rather than checking multiple potential return addresses, add a new symbol at the end of exception handling and check pc to be in that range. Fixes: 5d5fc33ce58e ("riscv: Improve exception and system call latency") Signed-off-by: Clément Léger Tested-by: Alexandre Ghiti Reviewed-by: Alexandre Ghiti Link: https://lore.kernel.org/r/20241209155714.1239665-1-cleger@rivosinc.com Signed-off-by: Palmer Dabbelt commit f754f27e98f88428aaf6be6e00f5cbce97f62d4b Author: Xu Lu Date: Mon Dec 9 20:26:17 2024 +0800 riscv: mm: Fix the out of bound issue of vmemmap address In sparse vmemmap model, the virtual address of vmemmap is calculated as: ((struct page *)VMEMMAP_START - (phys_ram_base >> PAGE_SHIFT)). And the struct page's va can be calculated with an offset: (vmemmap + (pfn)). However, when initializing struct pages, kernel actually starts from the first page from the same section that phys_ram_base belongs to. If the first page's physical address is not (phys_ram_base >> PAGE_SHIFT), then we get an va below VMEMMAP_START when calculating va for it's struct page. For example, if phys_ram_base starts from 0x82000000 with pfn 0x82000, the first page in the same section is actually pfn 0x80000. During init_unavailable_range(), we will initialize struct page for pfn 0x80000 with virtual address ((struct page *)VMEMMAP_START - 0x2000), which is below VMEMMAP_START as well as PCI_IO_END. This commit fixes this bug by introducing a new variable 'vmemmap_start_pfn' which is aligned with memory section size and using it to calculate vmemmap address instead of phys_ram_base. Fixes: a11dd49dcb93 ("riscv: Sparse-Memory/vmemmap out-of-bounds fix") Signed-off-by: Xu Lu Reviewed-by: Alexandre Ghiti Tested-by: Björn Töpel Reviewed-by: Björn Töpel Link: https://lore.kernel.org/r/20241209122617.53341-1-luxu.kernel@bytedance.com Signed-off-by: Palmer Dabbelt commit 7e25044b804581b9c029d5a28d8800aebde18043 Author: Javier Carrasco Date: Sat Nov 16 00:32:39 2024 +0100 cpuidle: riscv-sbi: fix device node release in early exit of for_each_possible_cpu The 'np' device_node is initialized via of_cpu_device_node_get(), which requires explicit calls to of_node_put() when it is no longer required to avoid leaking the resource. Instead of adding the missing calls to of_node_put() in all execution paths, use the cleanup attribute for 'np' by means of the __free() macro, which automatically calls of_node_put() when the variable goes out of scope. Given that 'np' is only used within the for_each_possible_cpu(), reduce its scope to release the nood after every iteration of the loop. Fixes: 6abf32f1d9c5 ("cpuidle: Add RISC-V SBI CPU idle driver") Reviewed-by: Andrew Jones Signed-off-by: Javier Carrasco Link: https://lore.kernel.org/r/20241116-cpuidle-riscv-sbi-cleanup-v3-1-a3a46372ce08@gmail.com Signed-off-by: Palmer Dabbelt commit 13134cc949148e1dfa540a0fe5dc73569bc62155 Author: Nam Cao Date: Tue Nov 19 12:10:56 2024 +0100 riscv: kprobes: Fix incorrect address calculation p->ainsn.api.insn is a pointer to u32, therefore arithmetic operations are multiplied by four. This is clearly undesirable for this case. Cast it to (void *) first before any calculation. Below is a sample before/after. The dumped memory is two kprobe slots, the first slot has - c.addiw a0, 0x1c (0x7125) - ebreak (0x00100073) and the second slot has: - c.addiw a0, -4 (0x7135) - ebreak (0x00100073) Before this patch: (gdb) x/16xh 0xff20000000135000 0xff20000000135000: 0x7125 0x0000 0x0000 0x0000 0x7135 0x0010 0x0000 0x0000 0xff20000000135010: 0x0073 0x0010 0x0000 0x0000 0x0000 0x0000 0x0000 0x0000 After this patch: (gdb) x/16xh 0xff20000000125000 0xff20000000125000: 0x7125 0x0073 0x0010 0x0000 0x7135 0x0073 0x0010 0x0000 0xff20000000125010: 0x0000 0x0000 0x0000 0x0000 0x0000 0x0000 0x0000 0x0000 Fixes: b1756750a397 ("riscv: kprobes: Use patch_text_nosync() for insn slots") Signed-off-by: Nam Cao Cc: stable@vger.kernel.org Reviewed-by: Alexandre Ghiti Link: https://lore.kernel.org/r/20241119111056.2554419-1-namcao@linutronix.de Signed-off-by: Palmer Dabbelt commit f552b3037d0ccc865b11b19314502f341f8b6717 Merge: 80fb40baba19e2 9741e72b2286de Author: Jakub Kicinski Date: Wed Jan 8 10:33:16 2025 -0800 Merge branch 'there-are-some-bugfix-for-the-hns3-ethernet-driver' Jijie Shao says: ==================== There are some bugfix for the HNS3 ethernet driver There's a series of bugfix that's been accepted: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=d80a3091308491455b6501b1c4b68698c4a7cd24 However, The series is making the driver poke into IOMMU internals instead of implementing appropriate IOMMU workarounds. After discussion, the series was reverted: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=249cfa318fb1b77eb726c2ff4f74c9685f04e568 But only two patches are related to the IOMMU. Other patches involve only the modification of the driver. This series resends other patches. v2*: https://lore.kernel.org/20241217010839.1742227-1-shaojijie@huawei.com v2: https://lore.kernel.org/20241216132346.1197079-1-shaojijie@huawei.com v1: https://lore.kernel.org/20241107133023.3813095-1-shaojijie@huawei.com ==================== Link: https://patch.msgid.link/20250106143642.539698-1-shaojijie@huawei.com Signed-off-by: Jakub Kicinski commit 9741e72b2286de8b38de9db685588ac421a95c87 Author: Jie Wang Date: Mon Jan 6 22:36:42 2025 +0800 net: hns3: fix kernel crash when 1588 is sent on HIP08 devices Currently, HIP08 devices does not register the ptp devices, so the hdev->ptp is NULL. But the tx process would still try to set hardware time stamp info with SKBTX_HW_TSTAMP flag and cause a kernel crash. [ 128.087798] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018 ... [ 128.280251] pc : hclge_ptp_set_tx_info+0x2c/0x140 [hclge] [ 128.286600] lr : hclge_ptp_set_tx_info+0x20/0x140 [hclge] [ 128.292938] sp : ffff800059b93140 [ 128.297200] x29: ffff800059b93140 x28: 0000000000003280 [ 128.303455] x27: ffff800020d48280 x26: ffff0cb9dc814080 [ 128.309715] x25: ffff0cb9cde93fa0 x24: 0000000000000001 [ 128.315969] x23: 0000000000000000 x22: 0000000000000194 [ 128.322219] x21: ffff0cd94f986000 x20: 0000000000000000 [ 128.328462] x19: ffff0cb9d2a166c0 x18: 0000000000000000 [ 128.334698] x17: 0000000000000000 x16: ffffcf1fc523ed24 [ 128.340934] x15: 0000ffffd530a518 x14: 0000000000000000 [ 128.347162] x13: ffff0cd6bdb31310 x12: 0000000000000368 [ 128.353388] x11: ffff0cb9cfbc7070 x10: ffff2cf55dd11e02 [ 128.359606] x9 : ffffcf1f85a212b4 x8 : ffff0cd7cf27dab0 [ 128.365831] x7 : 0000000000000a20 x6 : ffff0cd7cf27d000 [ 128.372040] x5 : 0000000000000000 x4 : 000000000000ffff [ 128.378243] x3 : 0000000000000400 x2 : ffffcf1f85a21294 [ 128.384437] x1 : ffff0cb9db520080 x0 : ffff0cb9db500080 [ 128.390626] Call trace: [ 128.393964] hclge_ptp_set_tx_info+0x2c/0x140 [hclge] [ 128.399893] hns3_nic_net_xmit+0x39c/0x4c4 [hns3] [ 128.405468] xmit_one.constprop.0+0xc4/0x200 [ 128.410600] dev_hard_start_xmit+0x54/0xf0 [ 128.415556] sch_direct_xmit+0xe8/0x634 [ 128.420246] __dev_queue_xmit+0x224/0xc70 [ 128.425101] dev_queue_xmit+0x1c/0x40 [ 128.429608] ovs_vport_send+0xac/0x1a0 [openvswitch] [ 128.435409] do_output+0x60/0x17c [openvswitch] [ 128.440770] do_execute_actions+0x898/0x8c4 [openvswitch] [ 128.446993] ovs_execute_actions+0x64/0xf0 [openvswitch] [ 128.453129] ovs_dp_process_packet+0xa0/0x224 [openvswitch] [ 128.459530] ovs_vport_receive+0x7c/0xfc [openvswitch] [ 128.465497] internal_dev_xmit+0x34/0xb0 [openvswitch] [ 128.471460] xmit_one.constprop.0+0xc4/0x200 [ 128.476561] dev_hard_start_xmit+0x54/0xf0 [ 128.481489] __dev_queue_xmit+0x968/0xc70 [ 128.486330] dev_queue_xmit+0x1c/0x40 [ 128.490856] ip_finish_output2+0x250/0x570 [ 128.495810] __ip_finish_output+0x170/0x1e0 [ 128.500832] ip_finish_output+0x3c/0xf0 [ 128.505504] ip_output+0xbc/0x160 [ 128.509654] ip_send_skb+0x58/0xd4 [ 128.513892] udp_send_skb+0x12c/0x354 [ 128.518387] udp_sendmsg+0x7a8/0x9c0 [ 128.522793] inet_sendmsg+0x4c/0x8c [ 128.527116] __sock_sendmsg+0x48/0x80 [ 128.531609] __sys_sendto+0x124/0x164 [ 128.536099] __arm64_sys_sendto+0x30/0x5c [ 128.540935] invoke_syscall+0x50/0x130 [ 128.545508] el0_svc_common.constprop.0+0x10c/0x124 [ 128.551205] do_el0_svc+0x34/0xdc [ 128.555347] el0_svc+0x20/0x30 [ 128.559227] el0_sync_handler+0xb8/0xc0 [ 128.563883] el0_sync+0x160/0x180 Fixes: 0bf5eb788512 ("net: hns3: add support for PTP") Signed-off-by: Jie Wang Signed-off-by: Jijie Shao Reviewed-by: Michal Swiatkowski Link: https://patch.msgid.link/20250106143642.539698-8-shaojijie@huawei.com Signed-off-by: Jakub Kicinski commit 7997ddd46c54408bcba5e37fe18b4d832e45d4d4 Author: Hao Lan Date: Mon Jan 6 22:36:41 2025 +0800 net: hns3: fixed hclge_fetch_pf_reg accesses bar space out of bounds issue The TQP BAR space is divided into two segments. TQPs 0-1023 and TQPs 1024-1279 are in different BAR space addresses. However, hclge_fetch_pf_reg does not distinguish the tqp space information when reading the tqp space information. When the number of TQPs is greater than 1024, access bar space overwriting occurs. The problem of different segments has been considered during the initialization of tqp.io_base. Therefore, tqp.io_base is directly used when the queue is read in hclge_fetch_pf_reg. The error message: Unable to handle kernel paging request at virtual address ffff800037200000 pc : hclge_fetch_pf_reg+0x138/0x250 [hclge] lr : hclge_get_regs+0x84/0x1d0 [hclge] Call trace: hclge_fetch_pf_reg+0x138/0x250 [hclge] hclge_get_regs+0x84/0x1d0 [hclge] hns3_get_regs+0x2c/0x50 [hns3] ethtool_get_regs+0xf4/0x270 dev_ethtool+0x674/0x8a0 dev_ioctl+0x270/0x36c sock_do_ioctl+0x110/0x2a0 sock_ioctl+0x2ac/0x530 __arm64_sys_ioctl+0xa8/0x100 invoke_syscall+0x4c/0x124 el0_svc_common.constprop.0+0x140/0x15c do_el0_svc+0x30/0xd0 el0_svc+0x1c/0x2c el0_sync_handler+0xb0/0xb4 el0_sync+0x168/0x180 Fixes: 939ccd107ffc ("net: hns3: move dump regs function to a separate file") Signed-off-by: Hao Lan Signed-off-by: Jijie Shao Link: https://patch.msgid.link/20250106143642.539698-7-shaojijie@huawei.com Signed-off-by: Jakub Kicinski commit 247fd1e33e1cd156aabe444e932d2648d33f1245 Author: Jian Shen Date: Mon Jan 6 22:36:40 2025 +0800 net: hns3: initialize reset_timer before hclgevf_misc_irq_init() Currently the misc irq is initialized before reset_timer setup. But it will access the reset_timer in the irq handler. So initialize the reset_timer earlier. Fixes: ff200099d271 ("net: hns3: remove unnecessary work in hclgevf_main") Signed-off-by: Jian Shen Signed-off-by: Jijie Shao Link: https://patch.msgid.link/20250106143642.539698-6-shaojijie@huawei.com Signed-off-by: Jakub Kicinski commit 98b1e3b27734139c76295754b6c317aa4df6d32e Author: Jian Shen Date: Mon Jan 6 22:36:39 2025 +0800 net: hns3: don't auto enable misc vector Currently, there is a time window between misc irq enabled and service task inited. If an interrupte is reported at this time, it will cause warning like below: [ 16.324639] Call trace: [ 16.324641] __queue_delayed_work+0xb8/0xe0 [ 16.324643] mod_delayed_work_on+0x78/0xd0 [ 16.324655] hclge_errhand_task_schedule+0x58/0x90 [hclge] [ 16.324662] hclge_misc_irq_handle+0x168/0x240 [hclge] [ 16.324666] __handle_irq_event_percpu+0x64/0x1e0 [ 16.324667] handle_irq_event+0x80/0x170 [ 16.324670] handle_fasteoi_edge_irq+0x110/0x2bc [ 16.324671] __handle_domain_irq+0x84/0xfc [ 16.324673] gic_handle_irq+0x88/0x2c0 [ 16.324674] el1_irq+0xb8/0x140 [ 16.324677] arch_cpu_idle+0x18/0x40 [ 16.324679] default_idle_call+0x5c/0x1bc [ 16.324682] cpuidle_idle_call+0x18c/0x1c4 [ 16.324684] do_idle+0x174/0x17c [ 16.324685] cpu_startup_entry+0x30/0x6c [ 16.324687] secondary_start_kernel+0x1a4/0x280 [ 16.324688] ---[ end trace 6aa0bff672a964aa ]--- So don't auto enable misc vector when request irq.. Fixes: 7be1b9f3e99f ("net: hns3: make hclge_service use delayed workqueue") Signed-off-by: Jian Shen Signed-off-by: Jijie Shao Link: https://patch.msgid.link/20250106143642.539698-5-shaojijie@huawei.com Signed-off-by: Jakub Kicinski commit 5191a8d3c2ab5bc01930ea3425e06a739af5b0e9 Author: Hao Lan Date: Mon Jan 6 22:36:38 2025 +0800 net: hns3: Resolved the issue that the debugfs query result is inconsistent. This patch modifies the implementation of debugfs: When the user process stops unexpectedly, not all data of the file system is read. In this case, the save_buf pointer is not released. When the user process is called next time, save_buf is used to copy the cached data to the user space. As a result, the queried data is stale. To solve this problem, this patch implements .open() and .release() handler for debugfs file_operations. moving allocation buffer and execution of the cmd to the .open() handler and freeing in to the .release() handler. Allocate separate buffer for each reader and associate the buffer with the file pointer. When different user read processes no longer share the buffer, the stale data problem is fixed. Fixes: 5e69ea7ee2a6 ("net: hns3: refactor the debugfs process") Signed-off-by: Hao Lan Signed-off-by: Guangwei Zhang Signed-off-by: Jijie Shao Reviewed-by: Michal Swiatkowski Link: https://patch.msgid.link/20250106143642.539698-4-shaojijie@huawei.com Signed-off-by: Jakub Kicinski commit ac1e2836fe294c2007ca81cf7006862c3bdf0510 Author: Hao Lan Date: Mon Jan 6 22:36:37 2025 +0800 net: hns3: fix missing features due to dev->features configuration too early Currently, the netdev->features is configured in hns3_nic_set_features. As a result, __netdev_update_features considers that there is no feature difference, and the procedures of the real features are missing. Fixes: 2a7556bb2b73 ("net: hns3: implement ndo_features_check ops for hns3 driver") Signed-off-by: Hao Lan Signed-off-by: Jian Shen Signed-off-by: Jijie Shao Reviewed-by: Michal Swiatkowski Link: https://patch.msgid.link/20250106143642.539698-3-shaojijie@huawei.com Signed-off-by: Jakub Kicinski commit 5a4b584c67699a69981f0740618a144965a63237 Author: Hao Lan Date: Mon Jan 6 22:36:36 2025 +0800 net: hns3: fixed reset failure issues caused by the incorrect reset type When a reset type that is not supported by the driver is input, a reset pending flag bit of the HNAE3_NONE_RESET type is generated in reset_pending. The driver does not have a mechanism to clear this type of error. As a result, the driver considers that the reset is not complete. This patch provides a mechanism to clear the HNAE3_NONE_RESET flag and the parameter of hnae3_ae_ops.set_default_reset_request is verified. The error message: hns3 0000:39:01.0: cmd failed -16 hns3 0000:39:01.0: hclge device re-init failed, VF is disabled! hns3 0000:39:01.0: failed to reset VF stack hns3 0000:39:01.0: failed to reset VF(4) hns3 0000:39:01.0: prepare reset(2) wait done hns3 0000:39:01.0 eth4: already uninitialized Use the crash tool to view struct hclgevf_dev: struct hclgevf_dev { ... default_reset_request = 0x20, reset_level = HNAE3_NONE_RESET, reset_pending = 0x100, reset_type = HNAE3_NONE_RESET, ... }; Fixes: 720bd5837e37 ("net: hns3: add set_default_reset_request in the hnae3_ae_ops") Signed-off-by: Hao Lan Signed-off-by: Jijie Shao Link: https://patch.msgid.link/20250106143642.539698-2-shaojijie@huawei.com Signed-off-by: Jakub Kicinski commit 6a97f4118ac07cfdc316433f385dbdc12af5025e Author: Nam Cao Date: Mon Nov 18 10:13:33 2024 +0100 riscv: Fix sleeping in invalid context in die() die() can be called in exception handler, and therefore cannot sleep. However, die() takes spinlock_t which can sleep with PREEMPT_RT enabled. That causes the following warning: BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 285, name: mutex preempt_count: 110001, expected: 0 RCU nest depth: 0, expected: 0 CPU: 0 UID: 0 PID: 285 Comm: mutex Not tainted 6.12.0-rc7-00022-ge19049cf7d56-dirty #234 Hardware name: riscv-virtio,qemu (DT) Call Trace: dump_backtrace+0x1c/0x24 show_stack+0x2c/0x38 dump_stack_lvl+0x5a/0x72 dump_stack+0x14/0x1c __might_resched+0x130/0x13a rt_spin_lock+0x2a/0x5c die+0x24/0x112 do_trap_insn_illegal+0xa0/0xea _new_vmalloc_restore_context_a0+0xcc/0xd8 Oops - illegal instruction [#1] Switch to use raw_spinlock_t, which does not sleep even with PREEMPT_RT enabled. Fixes: 76d2a0493a17 ("RISC-V: Init and Halt Code") Signed-off-by: Nam Cao Cc: stable@vger.kernel.org Reviewed-by: Sebastian Andrzej Siewior Link: https://lore.kernel.org/r/20241118091333.1185288-1-namcao@linutronix.de Signed-off-by: Palmer Dabbelt commit 03f0b548537f758830bdb2dc3f2aba713069cef2 Author: Clément Léger Date: Thu Nov 28 09:16:34 2024 +0100 riscv: module: remove relocation_head rel_entry member allocation relocation_head's list_head member, rel_entry, doesn't need to be allocated, its storage can just be part of the allocated relocation_head. Remove the pointer which allows to get rid of the allocation as well as an existing memory leak found by Kai Zhang using kmemleak. Fixes: 8fd6c5142395 ("riscv: Add remaining module relocations") Reported-by: Kai Zhang Signed-off-by: Clément Léger Reviewed-by: Andrew Jones Reviewed-by: Charlie Jenkins Tested-by: Charlie Jenkins Link: https://lore.kernel.org/r/20241128081636.3620468-1-cleger@rivosinc.com Signed-off-by: Palmer Dabbelt commit 80fb40baba19e25a1b6f3ecff6fc5c0171806bde Author: Daniel Borkmann Date: Tue Jan 7 11:14:39 2025 +0100 tcp: Annotate data-race around sk->sk_mark in tcp_v4_send_reset This is a follow-up to 3c5b4d69c358 ("net: annotate data-races around sk->sk_mark"). sk->sk_mark can be read and written without holding the socket lock. IPv6 equivalent is already covered with READ_ONCE() annotation in tcp_v6_send_response(). Fixes: 3c5b4d69c358 ("net: annotate data-races around sk->sk_mark") Signed-off-by: Daniel Borkmann Reviewed-by: Eric Dumazet Link: https://patch.msgid.link/f459d1fc44f205e13f6d8bdca2c8bfb9902ffac9.1736244569.git.daniel@iogearbox.net Signed-off-by: Jakub Kicinski commit d1cacd74776895f6435941f86a1130e58f6dd226 Author: Jakub Kicinski Date: Mon Jan 6 10:01:36 2025 -0800 netdev: prevent accessing NAPI instances from another namespace The NAPI IDs were not fully exposed to user space prior to the netlink API, so they were never namespaced. The netlink API must ensure that at the very least NAPI instance belongs to the same netns as the owner of the genl sock. napi_by_id() can become static now, but it needs to move because of dev_get_by_napi_id(). Cc: stable@vger.kernel.org Fixes: 1287c1ae0fc2 ("netdev-genl: Support setting per-NAPI config values") Fixes: 27f91aaf49b3 ("netdev-genl: Add netlink framework functions for napi") Reviewed-by: Sridhar Samudrala Reviewed-by: Joe Damato Link: https://patch.msgid.link/20250106180137.1861472-1-kuba@kernel.org Signed-off-by: Jakub Kicinski commit 0b7958fa05d562e514fd0abe2a4800042abf868b Merge: 09a0fa92e5b45e 80f130bfad1dab Author: Linus Torvalds Date: Wed Jan 8 10:12:01 2025 -0800 Merge tag 'for-6.13/dm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm Pull device mapper fixes from Mikulas Patocka: - dm-array fixes - dm-verity forward error correction fixes - remove the flag DM_TARGET_PASSES_INTEGRITY from dm-ebs - dm-thin RCU list fix * tag 'for-6.13/dm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm: dm thin: make get_first_thin use rcu-safe list first function dm-ebs: don't set the flag DM_TARGET_PASSES_INTEGRITY dm-verity FEC: Avoid copying RS parity bytes twice. dm-verity FEC: Fix RS FEC repair for roots unaligned to block size (take 2) dm array: fix cursor index when skipping across block boundaries dm array: fix unreleased btree blocks on closing a faulty array cursor dm array: fix releasing a faulty array block twice in dm_array_cursor_end commit 68e449d849fd50bd5e61d8bd32b3458dbd3a3df6 Author: Honglei Wang Date: Wed Jan 8 10:33:28 2025 +0800 sched_ext: switch class when preempted by higher priority scheduler ops.cpu_release() function, if defined, must be invoked when preempted by a higher priority scheduler class task. This scenario was skipped in commit f422316d7466 ("sched_ext: Remove switch_class_scx()"). Let's fix it. Fixes: f422316d7466 ("sched_ext: Remove switch_class_scx()") Signed-off-by: Honglei Wang Acked-by: Andrea Righi Signed-off-by: Tejun Heo commit 6268d5bc10354fc2ab8d44a0cd3b042d49a0417e Author: Changwoo Min Date: Thu Jan 9 00:08:06 2025 +0900 sched_ext: Replace rq_lock() to raw_spin_rq_lock() in scx_ops_bypass() scx_ops_bypass() iterates all CPUs to re-enqueue all the scx tasks. For each CPU, it acquires a lock using rq_lock() regardless of whether a CPU is offline or the CPU is currently running a task in a higher scheduler class (e.g., deadline). The rq_lock() is supposed to be used for online CPUs, and the use of rq_lock() may trigger an unnecessary warning in rq_pin_lock(). Therefore, replace rq_lock() to raw_spin_rq_lock() in scx_ops_bypass(). Without this change, we observe the following warning: ===== START ===== [ 6.615205] rq->balance_callback && rq->balance_callback != &balance_push_callback [ 6.615208] WARNING: CPU: 2 PID: 0 at kernel/sched/sched.h:1730 __schedule+0x1130/0x1c90 ===== END ===== Fixes: 0e7ffff1b811 ("scx: Fix raciness in scx_ops_bypass()") Signed-off-by: Changwoo Min Acked-by: Andrea Righi Signed-off-by: Tejun Heo commit 30dd3b13f9de612ef7328ccffcf1a07d0d40ab51 Author: Henry Huang Date: Wed Jan 8 16:47:10 2025 +0800 sched_ext: keep running prev when prev->scx.slice != 0 When %SCX_OPS_ENQ_LAST is set and prev->scx.slice != 0, @prev will be dispacthed into the local DSQ in put_prev_task_scx(). However, pick_task_scx() is executed before put_prev_task_scx(), so it will not pick @prev. Set %SCX_RQ_BAL_KEEP in balance_one() to ensure that pick_task_scx() can pick @prev. Signed-off-by: Henry Huang Acked-by: Andrea Righi Signed-off-by: Tejun Heo commit 088fb4ee17fc456fcbce0a9ff46d147e3b2be139 Author: Richard Fitzgerald Date: Wed Jan 8 14:10:45 2025 +0000 ALSA: doc: cs35l56: Add information about Cirrus Logic CS35L54/56/57 Add documentation for the Cirrus Logic CS35L54/56/57 amps, which are all managed by the cs35l56 drivers. The aim and scope of this documentation is to provide troubleshooting information for end-users. Signed-off-by: Richard Fitzgerald Link: https://patch.msgid.link/20250108141045.1032-1-rf@opensource.cirrus.com Signed-off-by: Mark Brown commit 704dbe97a68153a84319ad63f526e12ba868b88e Author: Charles Keepax Date: Wed Jan 8 13:48:28 2025 +0000 ASoC: samsung: Add missing depends on I2C When switching to selects for MFD_WM8994 a dependency should have also been added for I2C, as the dependency on MFD_WM8994 will not be considered by the select. Fixes: fd55c6065bec ("ASoC: samsung: Add missing selects for MFD_WM8994") Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202501082020.2bpGGVTW-lkp@intel.com/ Signed-off-by: Charles Keepax Link: https://patch.msgid.link/20250108134828.246570-1-ckeepax@opensource.cirrus.com Signed-off-by: Mark Brown commit 67dba2c28fe0af7e25ea1aeade677162ed05310a Author: Chris Lu Date: Wed Jan 8 17:50:28 2025 +0800 Bluetooth: btmtk: Fix failed to send func ctrl for MediaTek devices. Use usb_autopm_get_interface() and usb_autopm_put_interface() in btmtk_usb_shutdown(), it could send func ctrl after enabling autosuspend. Bluetooth: btmtk_usb_hci_wmt_sync() hci0: Execution of wmt command timed out Bluetooth: btmtk_usb_shutdown() hci0: Failed to send wmt func ctrl (-110) Fixes: 5c5e8c52e3ca ("Bluetooth: btmtk: move btusb_mtk_[setup, shutdown] to btmtk.c") Signed-off-by: Chris Lu Signed-off-by: Luiz Augusto von Dentz commit 8023dd2204254a70887f5ee58d914bf70a060b9d Author: Neeraj Sanjay Kale Date: Fri Dec 20 18:32:52 2024 +0530 Bluetooth: btnxpuart: Fix driver sending truncated data This fixes the apparent controller hang issue seen during stress test where the host sends a truncated payload, followed by HCI commands. The controller treats these HCI commands as a part of previously truncated payload, leading to command timeouts. Adding a serdev_device_wait_until_sent() call after serdev_device_write_buf() fixed the issue. Fixes: 689ca16e5232 ("Bluetooth: NXP: Add protocol support for NXP Bluetooth chipsets") Signed-off-by: Neeraj Sanjay Kale Signed-off-by: Luiz Augusto von Dentz commit a182d9c84f9c52fb5db895ecceeee8b3a1bf661e Author: Luiz Augusto von Dentz Date: Mon Nov 25 15:42:10 2024 -0500 Bluetooth: MGMT: Fix Add Device to responding before completing Add Device with LE type requires updating resolving/accept list which requires quite a number of commands to complete and each of them may fail, so instead of pretending it would always work this checks the return of hci_update_passive_scan_sync which indicates if everything worked as intended. Fixes: e8907f76544f ("Bluetooth: hci_sync: Make use of hci_cmd_sync_queue set 3") Signed-off-by: Luiz Augusto von Dentz commit c2994b008492db033d40bd767be1620229a3035e Author: Luiz Augusto von Dentz Date: Mon Nov 25 15:42:09 2024 -0500 Bluetooth: hci_sync: Fix not setting Random Address when required This fixes errors such as the following when Own address type is set to Random Address but it has not been programmed yet due to either be advertising or connecting: < HCI Command: LE Set Exte.. (0x08|0x0041) plen 13 Own address type: Random (0x03) Filter policy: Ignore not in accept list (0x01) PHYs: 0x05 Entry 0: LE 1M Type: Passive (0x00) Interval: 60.000 msec (0x0060) Window: 30.000 msec (0x0030) Entry 1: LE Coded Type: Passive (0x00) Interval: 180.000 msec (0x0120) Window: 90.000 msec (0x0090) > HCI Event: Command Complete (0x0e) plen 4 LE Set Extended Scan Parameters (0x08|0x0041) ncmd 1 Status: Success (0x00) < HCI Command: LE Set Exten.. (0x08|0x0042) plen 6 Extended scan: Enabled (0x01) Filter duplicates: Enabled (0x01) Duration: 0 msec (0x0000) Period: 0.00 sec (0x0000) > HCI Event: Command Complete (0x0e) plen 4 LE Set Extended Scan Enable (0x08|0x0042) ncmd 1 Status: Invalid HCI Command Parameters (0x12) Fixes: c45074d68a9b ("Bluetooth: Fix not generating RPA when required") Signed-off-by: Luiz Augusto von Dentz commit c7a5378a0f707686de3ddb489f1653c523bb7dcc Author: Rengarajan S Date: Thu Dec 5 19:06:26 2024 +0530 misc: microchip: pci1xxxx: Resolve return code mismatch during GPIO set config Driver returns -EOPNOTSUPPORTED on unsupported parameters case in set config. Upper level driver checks for -ENOTSUPP. Because of the return code mismatch, the ioctls from userspace fail. Resolve the issue by passing -ENOTSUPP during unsupported case. Fixes: 7d3e4d807df2 ("misc: microchip: pci1xxxx: load gpio driver for the gpio controller auxiliary device enumerated by the auxiliary bus driver.") Cc: stable Signed-off-by: Rengarajan S Link: https://lore.kernel.org/r/20241205133626.1483499-3-rengarajan.s@microchip.com Signed-off-by: Greg Kroah-Hartman commit 194f9f94a5169547d682e9bbcc5ae6d18a564735 Author: Rengarajan S Date: Thu Dec 5 19:06:25 2024 +0530 misc: microchip: pci1xxxx: Resolve kernel panic during GPIO IRQ handling Resolve kernel panic caused by improper handling of IRQs while accessing GPIO values. This is done by replacing generic_handle_irq with handle_nested_irq. Fixes: 1f4d8ae231f4 ("misc: microchip: pci1xxxx: Add gpio irq handler and irq helper functions irq_ack, irq_mask, irq_unmask and irq_set_type of irq_chip.") Cc: stable Signed-off-by: Rengarajan S Link: https://lore.kernel.org/r/20241205133626.1483499-2-rengarajan.s@microchip.com Signed-off-by: Greg Kroah-Hartman commit 80f130bfad1dab93b95683fc39b87235682b8f72 Author: Krister Johansen Date: Tue Jan 7 15:24:58 2025 -0800 dm thin: make get_first_thin use rcu-safe list first function The documentation in rculist.h explains the absence of list_empty_rcu() and cautions programmers against relying on a list_empty() -> list_first() sequence in RCU safe code. This is because each of these functions performs its own READ_ONCE() of the list head. This can lead to a situation where the list_empty() sees a valid list entry, but the subsequent list_first() sees a different view of list head state after a modification. In the case of dm-thin, this author had a production box crash from a GP fault in the process_deferred_bios path. This function saw a valid list head in get_first_thin() but when it subsequently dereferenced that and turned it into a thin_c, it got the inside of the struct pool, since the list was now empty and referring to itself. The kernel on which this occurred printed both a warning about a refcount_t being saturated, and a UBSAN error for an out-of-bounds cpuid access in the queued spinlock, prior to the fault itself. When the resulting kdump was examined, it was possible to see another thread patiently waiting in thin_dtr's synchronize_rcu. The thin_dtr call managed to pull the thin_c out of the active thins list (and have it be the last entry in the active_thins list) at just the wrong moment which lead to this crash. Fortunately, the fix here is straight forward. Switch get_first_thin() function to use list_first_or_null_rcu() which performs just a single READ_ONCE() and returns NULL if the list is already empty. This was run against the devicemapper test suite's thin-provisioning suites for delete and suspend and no regressions were observed. Signed-off-by: Krister Johansen Fixes: b10ebd34ccca ("dm thin: fix rcu_read_lock being held in code that can sleep") Cc: stable@vger.kernel.org Acked-by: Ming-Hung Tsai Signed-off-by: Mikulas Patocka commit 47f33c27fc9565fb0bc7dfb76be08d445cd3d236 Author: Mikulas Patocka Date: Tue Jan 7 17:47:01 2025 +0100 dm-ebs: don't set the flag DM_TARGET_PASSES_INTEGRITY dm-ebs uses dm-bufio to process requests that are not aligned on logical sector size. dm-bufio doesn't support passing integrity data (and it is unclear how should it do it), so we shouldn't set the DM_TARGET_PASSES_INTEGRITY flag. Signed-off-by: Mikulas Patocka Cc: stable@vger.kernel.org Fixes: d3c7b35c20d6 ("dm: add emulated block size target") commit 7ee7c9b39ed36caf983706f5b893cc5c37a79071 Author: Christoph Hellwig Date: Tue Dec 17 05:27:35 2024 +0100 xfs: don't return an error from xfs_update_last_rtgroup_size for !XFS_RT Non-rtg file systems have a fake RT group even if they do not have a RT device, and thus an rgcount of 1. Ensure xfs_update_last_rtgroup_size doesn't fail when called for !XFS_RT to handle this case. Fixes: 87fe4c34a383 ("xfs: create incore realtime group structures") Reported-by: Brian Foster Signed-off-by: Christoph Hellwig Reviewed-by: Darrick J. Wong Signed-off-by: Carlos Maiolino commit 1acb73db4893345d5811f48f1ff979cec495009e Author: Kuninori Morimoto Date: Wed Jan 8 02:22:43 2025 +0000 MAINTAINERS: add missing maintainers for Simple Audio Card Mark Brown will take the patch. Add his name. Signed-off-by: Kuninori Morimoto Link: https://patch.msgid.link/87v7uqkpye.wl-kuninori.morimoto.gx@renesas.com Signed-off-by: Mark Brown commit 95147bb42bc163866fc103c957820345fefa96cd Author: Anton Kirilov Date: Thu Dec 19 11:31:45 2024 +0000 arm64: dts: rockchip: Fix the SD card detection on NanoPi R6C/R6S Fix the SD card detection on FriendlyElec NanoPi R6C/R6S boards. Signed-off-by: Anton Kirilov Link: https://lore.kernel.org/r/20241219113145.483205-1-anton.kirilov@arm.com Signed-off-by: Heiko Stuebner commit 6f79db028e827b023623a6ff825952e0d5fb619f Author: Greg Kroah-Hartman Date: Wed Jan 8 10:10:10 2025 +0100 staging: gpib: mite: remove unused global functions The mite.c file was originally copied from the COMEDI code, and now that it is in the kernel tree, along with the comedi code, on some build configurations there are errors due to duplicate symbols (specifically mite_dma_disarm). Remove all of the unused functions in the gpib mite.c and .h files as they aren't needed and cause the compiler to be confused. Reported-by: kernel test robot Closes: https://lore.kernel.org/r/202501081239.BAPhfAHJ-lkp@intel.com/ Reported-by: Stephen Rothwell Link: https://lore.kernel.org/r/2025010809-padding-survive-91b3@gregkh Signed-off-by: Greg Kroah-Hartman commit f5b435be70cb126866fa92ffc6f89cda9e112c75 Author: Michal Hrusecky Date: Tue Jan 7 17:08:29 2025 +0100 USB: serial: option: add Neoway N723-EA support Update the USB serial option driver to support Neoway N723-EA. ID 2949:8700 Marvell Mobile Composite Device Bus T: Bus=02 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=2949 ProdID=8700 Rev= 1.00 S: Manufacturer=Marvell S: Product=Mobile Composite Device Bus S: SerialNumber=200806006809080000 C:* #Ifs= 5 Cfg#= 1 Atr=c0 MxPwr=500mA A: FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=03 I:* If#= 0 Alt= 0 #EPs= 1 Cls=e0(wlcon) Sub=01 Prot=03 Driver=rndis_host E: Ad=87(I) Atr=03(Int.) MxPS= 64 Ivl=4096ms I:* If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=0c(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=89(I) Atr=03(Int.) MxPS= 64 Ivl=4096ms E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=0b(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=86(I) Atr=03(Int.) MxPS= 64 Ivl=4096ms E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=0e(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 6 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=88(I) Atr=03(Int.) MxPS= 64 Ivl=4096ms E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=0a(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms Tested successfully connecting to the Internet via rndis interface after dialing via AT commands on If#=4 or If#=6. Not sure of the purpose of the other serial interface. Signed-off-by: Michal Hrusecky Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold commit c1947d244f807b1f95605b75a4059e7b37b5dcc3 Author: Chukun Pan Date: Sun Dec 15 18:00:27 2024 +0800 USB: serial: option: add MeiG Smart SRM815 It looks like SRM815 shares ID with SRM825L. T: Bus=03 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=480 MxCh= 0 D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=2dee ProdID=4d22 Rev= 4.14 S: Manufacturer=MEIG S: Product=LTE-A Module S: SerialNumber=123456 C:* #Ifs= 5 Cfg#= 1 Atr=80 MxPwr=500mA I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms Signed-off-by: Chukun Pan Link: https://lore.kernel.org/lkml/20241215100027.1970930-1-amadeus@jmu.edu.cn/ Link: https://lore.kernel.org/all/4333b4d0-281f-439d-9944-5570cbc4971d@gmail.com/ Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold commit 854eee93bd6e3dca619d47087af4d65b2045828e Author: Johan Hovold Date: Wed Jan 8 11:24:36 2025 +0100 USB: serial: cp210x: add Phoenix Contact UPS Device Phoenix Contact sells UPS Quint devices [1] with a custom datacable [2] that embeds a Silicon Labs converter: Bus 001 Device 003: ID 1b93:1013 Silicon Labs Phoenix Contact UPS Device Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 2.00 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x1b93 idProduct 0x1013 bcdDevice 1.00 iManufacturer 1 Silicon Labs iProduct 2 Phoenix Contact UPS Device iSerial 3 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 0x0020 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 255 Vendor Specific Class bInterfaceSubClass 0 bInterfaceProtocol 0 iInterface 2 Phoenix Contact UPS Device Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 [1] https://www.phoenixcontact.com/en-pc/products/power-supply-unit-quint-ps-1ac-24dc-10-2866763 [2] https://www.phoenixcontact.com/en-il/products/data-cable-preassembled-ifs-usb-datacable-2320500 Reported-by: Giuseppe Corbelli Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold commit e59f4c97172de0c302894cfd5616161c1f0c4d85 Author: Binbin Zhou Date: Tue Jan 7 18:38:56 2025 +0800 gpio: loongson: Fix Loongson-2K2000 ACPI GPIO register offset Since commit 3feb70a61740 ("gpio: loongson: add more gpio chip support"), the Loongson-2K2000 GPIO is supported. However, according to the firmware development specification, the Loongson-2K2000 ACPI GPIO register offsets in the driver do not match the register base addresses in the firmware, resulting in the registers not being accessed properly. Now, we fix it to ensure the GPIO function works properly. Cc: stable@vger.kernel.org Cc: Yinbo Zhu Fixes: 3feb70a61740 ("gpio: loongson: add more gpio chip support") Co-developed-by: Hongliang Wang Signed-off-by: Hongliang Wang Signed-off-by: Binbin Zhou Link: https://lore.kernel.org/r/20250107103856.1037222-1-zhoubinbin@loongson.cn Signed-off-by: Bartosz Golaszewski commit 77bf21a03a2ad45cf66f73f13154b1669d9cf52a Author: Suraj Kandpal Date: Fri Jan 3 14:15:17 2025 +0530 Revert "drm/i915/hdcp: Don't enable HDCP1.4 directly from check_link" This reverts commit 483f7d94a0453564ad9295288c0242136c5f36a0. This needs to be reverted since HDCP even after updating the connector state HDCP property we don't reenable HDCP until the next commit in which the CP Property is set causing compliance to fail. --v2 -Fix build issue [Dnyaneshwar] Signed-off-by: Suraj Kandpal Reviewed-by: Dnyaneshwar Bhadane Link: https://patchwork.freedesktop.org/patch/msgid/20250103084517.239998-1-suraj.kandpal@intel.com (cherry picked from commit fcf73e20cd1fe60c3ba5f9626f1e8f9cd4511edf) Signed-off-by: Tvrtko Ursulin commit db78475ba0d3c66d430f7ded2388cc041078a542 Author: Jakub Kicinski Date: Mon Jan 6 10:02:10 2025 -0800 eth: gve: use appropriate helper to set xdp_features Commit f85949f98206 ("xdp: add xdp_set_features_flag utility routine") added routines to inform the core about XDP flag changes. GVE support was added around the same time and missed using them. GVE only changes the flags on error recover or resume. Presumably the flags may change during resume if VM migrated. User would not get the notification and upper devices would not get a chance to recalculate their flags. Fixes: 75eaae158b1b ("gve: Add XDP DROP and TX support for GQI-QPL format") Reviewed-By: Jeroen de Borst Reviewed-by: Willem de Bruijn Link: https://patch.msgid.link/20250106180210.1861784-1-kuba@kernel.org Signed-off-by: Jakub Kicinski commit cb358ff94154774d031159b018adf45e17673941 Author: Kuniyuki Iwashima Date: Mon Jan 6 16:19:11 2025 +0900 ipvlan: Fix use-after-free in ipvlan_get_iflink(). syzbot presented an use-after-free report [0] regarding ipvlan and linkwatch. ipvlan does not hold a refcnt of the lower device unlike vlan and macvlan. If the linkwatch work is triggered for the ipvlan dev, the lower dev might have already been freed, resulting in UAF of ipvlan->phy_dev in ipvlan_get_iflink(). We can delay the lower dev unregistration like vlan and macvlan by holding the lower dev's refcnt in dev->netdev_ops->ndo_init() and releasing it in dev->priv_destructor(). Jakub pointed out calling .ndo_XXX after unregister_netdevice() has returned is error prone and suggested [1] addressing this UAF in the core by taking commit 750e51603395 ("net: avoid potential UAF in default_operstate()") further. Let's assume unregistering devices DOWN and use RCU protection in default_operstate() not to race with the device unregistration. [0]: BUG: KASAN: slab-use-after-free in ipvlan_get_iflink+0x84/0x88 drivers/net/ipvlan/ipvlan_main.c:353 Read of size 4 at addr ffff0000d768c0e0 by task kworker/u8:35/6944 CPU: 0 UID: 0 PID: 6944 Comm: kworker/u8:35 Not tainted 6.13.0-rc2-g9bc5c9515b48 #12 4c3cb9e8b4565456f6a355f312ff91f4f29b3c47 Hardware name: linux,dummy-virt (DT) Workqueue: events_unbound linkwatch_event Call trace: show_stack+0x38/0x50 arch/arm64/kernel/stacktrace.c:484 (C) __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0xbc/0x108 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x16c/0x6f0 mm/kasan/report.c:489 kasan_report+0xc0/0x120 mm/kasan/report.c:602 __asan_report_load4_noabort+0x20/0x30 mm/kasan/report_generic.c:380 ipvlan_get_iflink+0x84/0x88 drivers/net/ipvlan/ipvlan_main.c:353 dev_get_iflink+0x7c/0xd8 net/core/dev.c:674 default_operstate net/core/link_watch.c:45 [inline] rfc2863_policy+0x144/0x360 net/core/link_watch.c:72 linkwatch_do_dev+0x60/0x228 net/core/link_watch.c:175 __linkwatch_run_queue+0x2f4/0x5b8 net/core/link_watch.c:239 linkwatch_event+0x64/0xa8 net/core/link_watch.c:282 process_one_work+0x700/0x1398 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x8c4/0xe10 kernel/workqueue.c:3391 kthread+0x2b0/0x360 kernel/kthread.c:389 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:862 Allocated by task 9303: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x30/0x68 mm/kasan/common.c:68 kasan_save_alloc_info+0x44/0x58 mm/kasan/generic.c:568 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x84/0xa0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4283 [inline] __kmalloc_node_noprof+0x2a0/0x560 mm/slub.c:4289 __kvmalloc_node_noprof+0x9c/0x230 mm/util.c:650 alloc_netdev_mqs+0xb4/0x1118 net/core/dev.c:11209 rtnl_create_link+0x2b8/0xb60 net/core/rtnetlink.c:3595 rtnl_newlink_create+0x19c/0x868 net/core/rtnetlink.c:3771 __rtnl_newlink net/core/rtnetlink.c:3896 [inline] rtnl_newlink+0x122c/0x15c0 net/core/rtnetlink.c:4011 rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6901 netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2542 rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6928 netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline] netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1347 netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1891 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg net/socket.c:726 [inline] __sys_sendto+0x2ec/0x438 net/socket.c:2197 __do_sys_sendto net/socket.c:2204 [inline] __se_sys_sendto net/socket.c:2200 [inline] __arm64_sys_sendto+0xe4/0x110 net/socket.c:2200 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132 do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151 el0_svc+0x4c/0xa8 arch/arm64/kernel/entry-common.c:744 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:762 el0t_64_sync+0x198/0x1a0 arch/arm64/kernel/entry.S:600 Freed by task 10200: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x30/0x68 mm/kasan/common.c:68 kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:582 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x48/0x68 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2338 [inline] slab_free mm/slub.c:4598 [inline] kfree+0x140/0x420 mm/slub.c:4746 kvfree+0x4c/0x68 mm/util.c:693 netdev_release+0x94/0xc8 net/core/net-sysfs.c:2034 device_release+0x98/0x1c0 kobject_cleanup lib/kobject.c:689 [inline] kobject_release lib/kobject.c:720 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x2b0/0x438 lib/kobject.c:737 netdev_run_todo+0xdd8/0xf48 net/core/dev.c:10924 rtnl_unlock net/core/rtnetlink.c:152 [inline] rtnl_net_unlock net/core/rtnetlink.c:209 [inline] rtnl_dellink+0x484/0x680 net/core/rtnetlink.c:3526 rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6901 netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2542 rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6928 netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline] netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1347 netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1891 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg net/socket.c:726 [inline] ____sys_sendmsg+0x410/0x708 net/socket.c:2583 ___sys_sendmsg+0x178/0x1d8 net/socket.c:2637 __sys_sendmsg net/socket.c:2669 [inline] __do_sys_sendmsg net/socket.c:2674 [inline] __se_sys_sendmsg net/socket.c:2672 [inline] __arm64_sys_sendmsg+0x12c/0x1c8 net/socket.c:2672 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132 do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151 el0_svc+0x4c/0xa8 arch/arm64/kernel/entry-common.c:744 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:762 el0t_64_sync+0x198/0x1a0 arch/arm64/kernel/entry.S:600 The buggy address belongs to the object at ffff0000d768c000 which belongs to the cache kmalloc-cg-4k of size 4096 The buggy address is located 224 bytes inside of freed 4096-byte region [ffff0000d768c000, ffff0000d768d000) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x117688 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 memcg:ffff0000c77ef981 flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) page_type: f5(slab) raw: 0bfffe0000000040 ffff0000c000f500 dead000000000100 dead000000000122 raw: 0000000000000000 0000000000040004 00000001f5000000 ffff0000c77ef981 head: 0bfffe0000000040 ffff0000c000f500 dead000000000100 dead000000000122 head: 0000000000000000 0000000000040004 00000001f5000000 ffff0000c77ef981 head: 0bfffe0000000003 fffffdffc35da201 ffffffffffffffff 0000000000000000 head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff0000d768bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff0000d768c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff0000d768c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff0000d768c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff0000d768c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb Fixes: 8c55facecd7a ("net: linkwatch: only report IF_OPER_LOWERLAYERDOWN if iflink is actually down") Reported-by: syzkaller Suggested-by: Jakub Kicinski Link: https://lore.kernel.org/netdev/20250102174400.085fd8ac@kernel.org/ [1] Signed-off-by: Kuniyuki Iwashima Link: https://patch.msgid.link/20250106071911.64355-1-kuniyu@amazon.com Signed-off-by: Jakub Kicinski commit b341ca51d2679829d26a3f6a4aa9aee9abd94f92 Author: Benjamin Coddington Date: Sat Jan 4 10:29:45 2025 -0500 tls: Fix tls_sw_sendmsg error handling We've noticed that NFS can hang when using RPC over TLS on an unstable connection, and investigation shows that the RPC layer is stuck in a tight loop attempting to transmit, but forever getting -EBADMSG back from the underlying network. The loop begins when tcp_sendmsg_locked() returns -EPIPE to tls_tx_records(), but that error is converted to -EBADMSG when calling the socket's error reporting handler. Instead of converting errors from tcp_sendmsg_locked(), let's pass them along in this path. The RPC layer handles -EPIPE by reconnecting the transport, which prevents the endless attempts to transmit on a broken connection. Signed-off-by: Benjamin Coddington Fixes: a42055e8d2c3 ("net/tls: Add support for async encryption of records for performance") Link: https://patch.msgid.link/9594185559881679d81f071b181a10eb07cd079f.1736004079.git.bcodding@redhat.com Signed-off-by: Jakub Kicinski commit e8580b4c600e085b3c8e6404392de2f822d4c132 Author: Namjae Jeon Date: Tue Jan 7 17:41:21 2025 +0900 ksmbd: Implement new SMB3 POSIX type As SMB3 posix extension specification, Give posix file type to posix mode. https://www.samba.org/~slow/SMB3_POSIX/fscc_posix_extensions.html#posix-file-type-definition Cc: stable@vger.kernel.org Signed-off-by: Namjae Jeon Signed-off-by: Steve French commit 82163d63ae7a4c36142cd252388737205bb7e4b9 Author: Daniil Stas Date: Sun Jan 5 21:36:18 2025 +0000 hwmon: (drivetemp) Fix driver producing garbage data when SCSI errors occur scsi_execute_cmd() function can return both negative (linux codes) and positive (scsi_cmnd result field) error codes. Currently the driver just passes error codes of scsi_execute_cmd() to hwmon core, which is incorrect because hwmon only checks for negative error codes. This leads to hwmon reporting uninitialized data to userspace in case of SCSI errors (for example if the disk drive was disconnected). This patch checks scsi_execute_cmd() output and returns -EIO if it's error code is positive. Fixes: 5b46903d8bf37 ("hwmon: Driver for disk and solid state drives with temperature sensors") Signed-off-by: Daniil Stas Cc: Guenter Roeck Cc: Chris Healy Cc: Linus Walleij Cc: Martin K. Petersen Cc: Bart Van Assche Cc: linux-kernel@vger.kernel.org Cc: linux-scsi@vger.kernel.org Cc: linux-ide@vger.kernel.org Cc: linux-hwmon@vger.kernel.org Link: https://lore.kernel.org/r/20250105213618.531691-1-daniil.stas@posteo.net [groeck: Avoid inline variable declaration for portability] Signed-off-by: Guenter Roeck commit a9d9c33132d49329ada647e4514d210d15e31d81 Author: Rick Edgecombe Date: Tue Jan 7 15:30:56 2025 -0800 x86/fpu: Ensure shadow stack is active before "getting" registers The x86 shadow stack support has its own set of registers. Those registers are XSAVE-managed, but they are "supervisor state components" which means that userspace can not touch them with XSAVE/XRSTOR. It also means that they are not accessible from the existing ptrace ABI for XSAVE state. Thus, there is a new ptrace get/set interface for it. The regset code that ptrace uses provides an ->active() handler in addition to the get/set ones. For shadow stack this ->active() handler verifies that shadow stack is enabled via the ARCH_SHSTK_SHSTK bit in the thread struct. The ->active() handler is checked from some call sites of the regset get/set handlers, but not the ptrace ones. This was not understood when shadow stack support was put in place. As a result, both the set/get handlers can be called with XFEATURE_CET_USER in its init state, which would cause get_xsave_addr() to return NULL and trigger a WARN_ON(). The ssp_set() handler luckily has an ssp_active() check to avoid surprising the kernel with shadow stack behavior when the kernel is not ready for it (ARCH_SHSTK_SHSTK==0). That check just happened to avoid the warning. But the ->get() side wasn't so lucky. It can be called with shadow stacks disabled, triggering the warning in practice, as reported by Christina Schimpe: WARNING: CPU: 5 PID: 1773 at arch/x86/kernel/fpu/regset.c:198 ssp_get+0x89/0xa0 [...] Call Trace: ? show_regs+0x6e/0x80 ? ssp_get+0x89/0xa0 ? __warn+0x91/0x150 ? ssp_get+0x89/0xa0 ? report_bug+0x19d/0x1b0 ? handle_bug+0x46/0x80 ? exc_invalid_op+0x1d/0x80 ? asm_exc_invalid_op+0x1f/0x30 ? __pfx_ssp_get+0x10/0x10 ? ssp_get+0x89/0xa0 ? ssp_get+0x52/0xa0 __regset_get+0xad/0xf0 copy_regset_to_user+0x52/0xc0 ptrace_regset+0x119/0x140 ptrace_request+0x13c/0x850 ? wait_task_inactive+0x142/0x1d0 ? do_syscall_64+0x6d/0x90 arch_ptrace+0x102/0x300 [...] Ensure that shadow stacks are active in a thread before looking them up in the XSAVE buffer. Since ARCH_SHSTK_SHSTK and user_ssp[SHSTK_EN] are set at the same time, the active check ensures that there will be something to find in the XSAVE buffer. [ dhansen: changelog/subject tweaks ] Fixes: 2fab02b25ae7 ("x86: Add PTRACE interface for shadow stack") Reported-by: Christina Schimpe Signed-off-by: Rick Edgecombe Signed-off-by: Dave Hansen Tested-by: Christina Schimpe Cc:stable@vger.kernel.org Link: https://lore.kernel.org/all/20250107233056.235536-1-rick.p.edgecombe%40intel.com commit 2ac538e40278a2c0c051cca81bcaafc547d61372 Author: He Wang Date: Mon Jan 6 03:39:54 2025 +0000 ksmbd: fix unexpectedly changed path in ksmbd_vfs_kern_path_locked When `ksmbd_vfs_kern_path_locked` met an error and it is not the last entry, it will exit without restoring changed path buffer. But later this buffer may be used as the filename for creation. Fixes: c5a709f08d40 ("ksmbd: handle caseless file creation") Signed-off-by: He Wang Acked-by: Namjae Jeon Signed-off-by: Steve French commit 09a0fa92e5b45e99cf435b2fbf5ebcf889cf8780 Merge: fbfd64d25c7af3 5e7f0efd232380 Author: Linus Torvalds Date: Tue Jan 7 14:49:48 2025 -0800 Merge tag 'selinux-pr-20250107' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux Pull selinux fix from Paul Moore: "A single SELinux patch to address a problem with a single domain using multiple xperm classes" * tag 'selinux-pr-20250107' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: selinux: match extended permissions to their base permissions commit 15b8968dcb90f194d44501468b230e6e0d816d4a Author: Lukas Wunner Date: Mon Jan 6 12:26:35 2025 +0100 PCI/bwctrl: Fix NULL pointer deref on unbind and bind The interrupt handler for bandwidth notifications, pcie_bwnotif_irq(), dereferences a "data" pointer. On unbind, that pointer is set to NULL by pcie_bwnotif_remove(). However the interrupt handler may still be invoked afterwards and will dereference that NULL pointer. That's because the interrupt is requested using a devm_*() helper and the driver core releases devm_*() resources *after* calling ->remove(). pcie_bwnotif_remove() does clear the Link Bandwidth Management Interrupt Enable and Link Autonomous Bandwidth Interrupt Enable bits in the Link Control Register, but that won't prevent execution of pcie_bwnotif_irq(): The interrupt for bandwidth notifications may be shared with AER, DPC, PME, and hotplug. So pcie_bwnotif_irq() may be executed as long as the interrupt is requested. There's a similar race on bind: pcie_bwnotif_probe() requests the interrupt when the "data" pointer still points to NULL. A NULL pointer deref may thus likewise occur if AER, DPC, PME or hotplug raise an interrupt in-between the bandwidth controller's call to devm_request_irq() and assignment of the "data" pointer. Drop the devm_*() usage and reorder requesting of the interrupt to fix the issue. While at it, drop a stray but harmless no_free_ptr() invocation when assigning the "data" pointer in pcie_bwnotif_probe(). Ilpo points out that the locking on unbind and bind needs to be symmetric, so move the call to pcie_bwnotif_disable() inside the critical section protected by pcie_bwctrl_setspeed_rwsem and pcie_bwctrl_lbms_rwsem. Evert reports a hang on shutdown of an ASUS ROG Strix SCAR 17 G733PYV. The issue is no longer reproducible with the present commit. Evert found that attaching a USB-C monitor prevented the hang. The machine contains an ASMedia USB 3.2 controller below a hotplug-capable Root Port. So one possible explanation is that the controller gets hot-removed on shutdown unless something is connected. And the ensuing hotplug interrupt occurs exactly when the bandwidth controller is unregistering. The precise cause could not be determined because the screen had already turned black when the hang occurred. Link: https://lore.kernel.org/r/ae2b02c9cfbefff475b6e132b0aa962aaccbd7b2.1736162539.git.lukas@wunner.de Fixes: 665745f27487 ("PCI/bwctrl: Re-add BW notification portdrv as PCIe BW controller") Reported-by: Evert Vorster Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219629 Signed-off-by: Lukas Wunner Signed-off-by: Bjorn Helgaas Tested-by: Evert Vorster Reviewed-by: Ilpo Järvinen commit 95978931d55fb7685f8c0b2598d6c12a9b6bc82a Author: Su Hui Date: Mon Jan 6 10:36:48 2025 +0800 eth: fbnic: Revert "eth: fbnic: Add hardware monitoring support via HWMON interface" There is a garbage value problem in fbnic_mac_get_sensor_asic(). 'fw_cmpl' is uninitialized which makes 'sensor' and '*val' to be stored garbage value. Revert commit d85ebade02e8 ("eth: fbnic: Add hardware monitoring support via HWMON interface") to avoid this problem. Fixes: d85ebade02e8 ("eth: fbnic: Add hardware monitoring support via HWMON interface") Signed-off-by: Su Hui Suggested-by: Jakub Kicinski Suggested-by: Michal Swiatkowski Link: https://patch.msgid.link/20250106023647.47756-1-suhui@nfschina.com Signed-off-by: Jakub Kicinski commit 9164e0912af206a72ddac4915f7784e470a04ace Author: Joe Hattori Date: Tue Dec 24 12:18:09 2024 +0900 thermal: of: fix OF node leak in of_thermal_zone_find() of_thermal_zone_find() calls of_parse_phandle_with_args(), but does not release the OF node reference obtained by it. Add a of_node_put() call when the call is successful. Fixes: 3fd6d6e2b4e8 ("thermal/of: Rework the thermal device tree initialization") Signed-off-by: Joe Hattori Link: https://patch.msgid.link/20241224031809.950461-1-joe@pf.is.s.u-tokyo.ac.jp [ rjw: Changelog edit ] Signed-off-by: Rafael J. Wysocki commit cd4a7b2e6a2437a5502910c08128ea3bad55a80b Author: Hans de Goede Date: Sat Dec 28 17:52:53 2024 +0100 ACPI: resource: acpi_dev_irq_override(): Check DMI match last acpi_dev_irq_override() gets called approx. 30 times during boot (15 legacy IRQs * 2 override_table entries). Of these 30 calls at max 1 will match the non DMI checks done by acpi_dev_irq_override(). The dmi_check_system() check is by far the most expensive check done by acpi_dev_irq_override(), make this call the last check done by acpi_dev_irq_override() so that it will be called at max 1 time instead of 30 times. Signed-off-by: Hans de Goede Reviewed-by: Mario Limonciello Link: https://patch.msgid.link/20241228165253.42584-1-hdegoede@redhat.com [ rjw: Subject edit ] Signed-off-by: Rafael J. Wysocki commit 7ed4e4a659d99499dc6968c61970d41b64feeac0 Author: Hans de Goede Date: Sat Dec 28 17:48:45 2024 +0100 ACPI: resource: Add TongFang GM5HG0A to irq1_edge_low_force_override[] The TongFang GM5HG0A is a TongFang barebone design which is sold under various brand names. The ACPI IRQ override for the keyboard IRQ must be used on these AMD Zen laptops in order for the IRQ to work. At least on the SKIKK Vanaheim variant the DMI product- and board-name strings have been replaced by the OEM with "Vanaheim" so checking that board-name contains "GM5HG0A" as is usually done for TongFang barebones quirks does not work. The DMI OEM strings do contain "GM5HG0A". I have looked at the dmidecode for a few other TongFang devices and the TongFang code-name string being in the OEM strings seems to be something which is consistently true. Add a quirk checking one of the DMI_OEM_STRING(s) is "GM5HG0A" in the hope that this will work for other OEM versions of the "GM5HG0A" too. Link: https://www.skikk.eu/en/laptops/vanaheim-15-rtx-4060 Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219614 Cc: All applicable Signed-off-by: Hans de Goede Link: https://patch.msgid.link/20241228164845.42381-1-hdegoede@redhat.com Signed-off-by: Rafael J. Wysocki commit 66d337fede44dcbab4107d37684af8fcab3d648e Author: Hans de Goede Date: Fri Dec 20 19:13:52 2024 +0100 ACPI: resource: Add Asus Vivobook X1504VAP to irq1_level_low_skip_override[] Like the Vivobook X1704VAP the X1504VAP has its keyboard IRQ (1) described as ActiveLow in the DSDT, which the kernel overrides to EdgeHigh which breaks the keyboard. Add the X1504VAP to the irq1_level_low_skip_override[] quirk table to fix this. Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219224 Cc: All applicable Signed-off-by: Hans de Goede Link: https://patch.msgid.link/20241220181352.25974-1-hdegoede@redhat.com Signed-off-by: Rafael J. Wysocki commit b4aee757f1baf20fa2650fc23a7b0335696e005c Author: Danilo Krummrich Date: Wed Dec 4 16:22:47 2024 +0100 MAINTAINERS: align Danilo's maintainer entries Some entries use my kernel.org address, while others use my Red Hat one. Since this is a bit of an inconvinience for me, align them to all use the same (kernel.org) address. Signed-off-by: Danilo Krummrich Link: https://lore.kernel.org/r/20241204152248.8644-1-dakr@kernel.org Signed-off-by: Greg Kroah-Hartman commit bd2776e39c2a82ef4681d02678bb77b3d41e79be Author: En-Wei Wu Date: Wed Dec 18 10:37:42 2024 +0800 igc: return early when failing to read EECD register When booting with a dock connected, the igc driver may get stuck for ~40 seconds if PCIe link is lost during initialization. This happens because the driver access device after EECD register reads return all F's, indicating failed reads. Consequently, hw->hw_addr is set to NULL, which impacts subsequent rd32() reads. This leads to the driver hanging in igc_get_hw_semaphore_i225(), as the invalid hw->hw_addr prevents retrieving the expected value. To address this, a validation check and a corresponding return value catch is added for the EECD register read result. If all F's are returned, indicating PCIe link loss, the driver will return -ENXIO immediately. This avoids the 40-second hang and significantly improves boot time when using a dock with an igc NIC. Log before the patch: [ 0.911913] igc 0000:70:00.0: enabling device (0000 -> 0002) [ 0.912386] igc 0000:70:00.0: PTM enabled, 4ns granularity [ 1.571098] igc 0000:70:00.0 (unnamed net_device) (uninitialized): PCIe link lost, device now detached [ 43.449095] igc_get_hw_semaphore_i225: igc 0000:70:00.0 (unnamed net_device) (uninitialized): Driver can't access device - SMBI bit is set. [ 43.449186] igc 0000:70:00.0: probe with driver igc failed with error -13 [ 46.345701] igc 0000:70:00.0: enabling device (0000 -> 0002) [ 46.345777] igc 0000:70:00.0: PTM enabled, 4ns granularity Log after the patch: [ 1.031000] igc 0000:70:00.0: enabling device (0000 -> 0002) [ 1.032097] igc 0000:70:00.0: PTM enabled, 4ns granularity [ 1.642291] igc 0000:70:00.0 (unnamed net_device) (uninitialized): PCIe link lost, device now detached [ 5.480490] igc 0000:70:00.0: enabling device (0000 -> 0002) [ 5.480516] igc 0000:70:00.0: PTM enabled, 4ns granularity Fixes: ab4056126813 ("igc: Add NVM support") Cc: Chia-Lin Kao (AceLan) Signed-off-by: En-Wei Wu Reviewed-by: Vitaly Lifshits Tested-by: Mor Bar-Gabay Signed-off-by: Tony Nguyen commit 6c5b989116083a98f45aada548ff54e7a83a9c2d Author: Przemyslaw Korba Date: Wed Dec 4 14:22:18 2024 +0100 ice: fix incorrect PHY settings for 100 GB/s ptp4l application reports too high offset when ran on E823 device with a 100GB/s link. Those values cannot go under 100ns, like in a working case when using 100 GB/s cable. This is due to incorrect frequency settings on the PHY clocks for 100 GB/s speed. Changes are introduced to align with the internal hardware documentation, and correctly initialize frequency in PHY clocks with the frequency values that are in our HW spec. To reproduce the issue run ptp4l as a Time Receiver on E823 device, and observe the offset, which will never approach values seen in the PTP working case. Reproduction output: ptp4l -i enp137s0f3 -m -2 -s -f /etc/ptp4l_8275.conf ptp4l[5278.775]: master offset 12470 s2 freq +41288 path delay -3002 ptp4l[5278.837]: master offset 10525 s2 freq +39202 path delay -3002 ptp4l[5278.900]: master offset -24840 s2 freq -20130 path delay -3002 ptp4l[5278.963]: master offset 10597 s2 freq +37908 path delay -3002 ptp4l[5279.025]: master offset 8883 s2 freq +36031 path delay -3002 ptp4l[5279.088]: master offset 7267 s2 freq +34151 path delay -3002 ptp4l[5279.150]: master offset 5771 s2 freq +32316 path delay -3002 ptp4l[5279.213]: master offset 4388 s2 freq +30526 path delay -3002 ptp4l[5279.275]: master offset -30434 s2 freq -28485 path delay -3002 ptp4l[5279.338]: master offset -28041 s2 freq -27412 path delay -3002 ptp4l[5279.400]: master offset 7870 s2 freq +31118 path delay -3002 Fixes: 3a7496234d17 ("ice: implement basic E822 PTP support") Reviewed-by: Milena Olech Signed-off-by: Przemyslaw Korba Tested-by: Rinitha S (A Contingent worker at Intel) Signed-off-by: Tony Nguyen commit 65104599b3a8ed42d85b3f8f27be650afe1f3a7e Author: Arkadiusz Kubalewski Date: Wed Nov 20 08:51:12 2024 +0100 ice: fix max values for dpll pin phase adjust Mask admin command returned max phase adjust value for both input and output pins. Only 31 bits are relevant, last released data sheet wrongly points that 32 bits are valid - see [1] 3.2.6.4.1 Get CCU Capabilities Command for reference. Fix of the datasheet itself is in progress. Fix the min/max assignment logic, previously the value was wrongly considered as negative value due to most significant bit being set. Example of previous broken behavior: $ ./tools/net/ynl/cli.py --spec Documentation/netlink/specs/dpll.yaml \ --do pin-get --json '{"id":1}'| grep phase-adjust 'phase-adjust': 0, 'phase-adjust-max': 16723, 'phase-adjust-min': -16723, Correct behavior with the fix: $ ./tools/net/ynl/cli.py --spec Documentation/netlink/specs/dpll.yaml \ --do pin-get --json '{"id":1}'| grep phase-adjust 'phase-adjust': 0, 'phase-adjust-max': 2147466925, 'phase-adjust-min': -2147466925, [1] https://cdrdv2.intel.com/v1/dl/getContent/613875?explicitVersion=true Fixes: 90e1c90750d7 ("ice: dpll: implement phase related callbacks") Reviewed-by: Przemek Kitszel Signed-off-by: Arkadiusz Kubalewski Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) Signed-off-by: Tony Nguyen commit cbd399f78e23ad4492c174fc5e6b3676dba74a52 Author: Li Huafei Date: Thu Nov 14 19:01:41 2024 +0800 topology: Keep the cpumask unchanged when printing cpumap During fuzz testing, the following warning was discovered: different return values (15 and 11) from vsnprintf("%*pbl ", ...) test:keyward is WARNING in kvasprintf WARNING: CPU: 55 PID: 1168477 at lib/kasprintf.c:30 kvasprintf+0x121/0x130 Call Trace: kvasprintf+0x121/0x130 kasprintf+0xa6/0xe0 bitmap_print_to_buf+0x89/0x100 core_siblings_list_read+0x7e/0xb0 kernfs_file_read_iter+0x15b/0x270 new_sync_read+0x153/0x260 vfs_read+0x215/0x290 ksys_read+0xb9/0x160 do_syscall_64+0x56/0x100 entry_SYSCALL_64_after_hwframe+0x78/0xe2 The call trace shows that kvasprintf() reported this warning during the printing of core_siblings_list. kvasprintf() has several steps: (1) First, calculate the length of the resulting formatted string. (2) Allocate a buffer based on the returned length. (3) Then, perform the actual string formatting. (4) Check whether the lengths of the formatted strings returned in steps (1) and (2) are consistent. If the core_cpumask is modified between steps (1) and (3), the lengths obtained in these two steps may not match. Indeed our test includes cpu hotplugging, which should modify core_cpumask while printing. To fix this issue, cache the cpumask into a temporary variable before calling cpumap_print_{list, cpumask}_to_buf(), to keep it unchanged during the printing process. Fixes: bb9ec13d156e ("topology: use bin_attribute to break the size limitation of cpumap ABI") Cc: stable Signed-off-by: Li Huafei Reviewed-by: Jonathan Cameron Link: https://lore.kernel.org/r/20241114110141.94725-1-lihuafei1@huawei.com Signed-off-by: Greg Kroah-Hartman commit e376d958871c0eeb7e97cf95655015fc343d209c Author: Christoph Schlameuss Date: Mon Dec 16 10:21:40 2024 +0100 KVM: s390: selftests: Add has device attr check to uc_attr_mem_limit selftest Fixup the uc_attr_mem_limit test case to also cover the KVM_HAS_DEVICE_ATTR ioctl. Signed-off-by: Christoph Schlameuss Tested-by: Hariharan Mari Reviewed-by: Claudio Imbrenda Link: https://lore.kernel.org/r/20241216092140.329196-7-schlameuss@linux.ibm.com Message-ID: <20241216092140.329196-7-schlameuss@linux.ibm.com> Signed-off-by: Claudio Imbrenda commit b1da33b0e3dcd0d14cf375be2fd05b54cf75df56 Author: Christoph Schlameuss Date: Mon Dec 16 10:21:38 2024 +0100 KVM: s390: selftests: Add ucontrol gis routing test Add a selftests for the interrupt routing configuration when using ucontrol VMs. Calling the test may trigger a null pointer dereferences on kernels not containing the fixes in this patch series. Signed-off-by: Christoph Schlameuss Tested-by: Hariharan Mari Reviewed-by: Hariharan Mari Reviewed-by: Claudio Imbrenda Link: https://lore.kernel.org/r/20241216092140.329196-5-schlameuss@linux.ibm.com Message-ID: <20241216092140.329196-5-schlameuss@linux.ibm.com> Signed-off-by: Claudio Imbrenda commit 5021fd77d68fce28048b1af18c87bad6b7ffb282 Author: Christoph Schlameuss Date: Mon Dec 16 10:21:37 2024 +0100 KVM: s390: Reject KVM_SET_GSI_ROUTING on ucontrol VMs Prevent null pointer dereference when processing KVM_IRQ_ROUTING_S390_ADAPTER routing entries. The ioctl cannot be processed for ucontrol VMs. Fixes: f65470661f36 ("KVM: s390/interrupt: do not pin adapter interrupt pages") Signed-off-by: Christoph Schlameuss Tested-by: Hariharan Mari Reviewed-by: Hariharan Mari Reviewed-by: Claudio Imbrenda Link: https://lore.kernel.org/r/20241216092140.329196-4-schlameuss@linux.ibm.com Message-ID: <20241216092140.329196-4-schlameuss@linux.ibm.com> Signed-off-by: Claudio Imbrenda commit b07f6a30c7a42661ce7c0222a642c8e91d69c8b1 Author: Christoph Schlameuss Date: Mon Dec 16 10:21:36 2024 +0100 KVM: s390: selftests: Add ucontrol flic attr selftests Add some superficial selftests for the floating interrupt controller when using ucontrol VMs. These tests are intended to cover very basic calls only. Some of the calls may trigger null pointer dereferences on kernels not containing the fixes in this patch series. Signed-off-by: Christoph Schlameuss Tested-by: Hariharan Mari Reviewed-by: Hariharan Mari Reviewed-by: Claudio Imbrenda Link: https://lore.kernel.org/r/20241216092140.329196-3-schlameuss@linux.ibm.com Message-ID: <20241216092140.329196-3-schlameuss@linux.ibm.com> Signed-off-by: Claudio Imbrenda commit df989238fa46039393f0af5cfb93a863a233c061 Author: Christoph Schlameuss Date: Mon Dec 16 10:21:35 2024 +0100 KVM: s390: Reject setting flic pfault attributes on ucontrol VMs Prevent null pointer dereference when processing the KVM_DEV_FLIC_APF_ENABLE and KVM_DEV_FLIC_APF_DISABLE_WAIT ioctls in the interrupt controller. Fixes: 3c038e6be0e2 ("KVM: async_pf: Async page fault support on s390") Reported-by: Claudio Imbrenda Signed-off-by: Christoph Schlameuss Reviewed-by: Hariharan Mari Reviewed-by: Claudio Imbrenda Link: https://lore.kernel.org/r/20241216092140.329196-2-schlameuss@linux.ibm.com Message-ID: <20241216092140.329196-2-schlameuss@linux.ibm.com> Signed-off-by: Claudio Imbrenda commit 984aaf6161bcbec22795a61b92f627051a91b465 Author: Claudio Imbrenda Date: Tue Dec 10 09:39:48 2024 +0100 KVM: s390: vsie: fix virtual/physical address in unpin_scb() In commit 77b533411595 ("KVM: s390: VSIE: sort out virtual/physical address in pin_guest_page"), only pin_scb() has been updated. This means that in unpin_scb() a virtual address was still used directly as physical address without conversion. The resulting physical address is obviously wrong and most of the time also invalid. Since commit d0ef8d9fbebe ("KVM: s390: Use kvm_release_page_dirty() to unpin "struct page" memory"), unpin_guest_page() will directly use kvm_release_page_dirty(), instead of kvm_release_pfn_dirty(), which has since been removed. One of the checks that were performed by kvm_release_pfn_dirty() was to verify whether the page was valid at all, and silently return successfully without doing anything if the page was invalid. When kvm_release_pfn_dirty() was still used, the invalid page was thus silently ignored. Now the check is gone and the result is an Oops. This also means that when running with a V!=R kernel, the page was not released, causing a leak. The solution is simply to add the missing virt_to_phys(). Fixes: 77b533411595 ("KVM: s390: VSIE: sort out virtual/physical address in pin_guest_page") Reviewed-by: Janosch Frank Reviewed-by: Nico Boehr Link: https://lore.kernel.org/r/20241210083948.23963-1-imbrenda@linux.ibm.com Signed-off-by: Claudio Imbrenda Message-ID: <20241210083948.23963-1-imbrenda@linux.ibm.com> commit 1d7461d0c8330689117286169106af6531a747ed Author: David E. Box Date: Mon Jan 6 09:46:52 2025 -0800 platform/x86: intel/pmc: Fix ioremap() of bad address In pmc_core_ssram_get_pmc(), the physical addresses for hidden SSRAM devices are retrieved from the MMIO region of the primary SSRAM device. If additional devices are not present, the address returned is zero. Currently, the code does not check for this condition, resulting in ioremap() incorrectly attempting to map address 0. Add a check for a zero address and return 0 if no additional devices are found, as it is not an error for the device to be absent. Fixes: a01486dc4bb1 ("platform/x86/intel/pmc: Cleanup SSRAM discovery") Signed-off-by: David E. Box Link: https://lore.kernel.org/r/20250106174653.1497128-1-david.e.box@linux.intel.com Reviewed-by: Ilpo Järvinen Signed-off-by: Ilpo Järvinen commit cc1ff7bc1bb378e7c46992c977b605e97d908801 Author: Srinivas Pandruvada Date: Fri Jan 3 07:52:54 2025 -0800 platform/x86: ISST: Add Clearwater Forest to support list Add Clearwater Forest (INTEL_ATOM_DARKMONT_X) to SST support list by adding to isst_cpu_ids. Signed-off-by: Srinivas Pandruvada Link: https://lore.kernel.org/r/20250103155255.1488139-2-srinivas.pandruvada@linux.intel.com Reviewed-by: Ilpo Järvinen Signed-off-by: Ilpo Järvinen commit bee9a0838fd223823e5a6d85c055ab1691dc738e Author: Srinivas Pandruvada Date: Fri Jan 3 07:52:53 2025 -0800 platform/x86/intel: power-domains: Add Clearwater Forest support Add Clearwater Forest support (INTEL_ATOM_DARKMONT_X) to tpmi_cpu_ids to support domaid id mappings. Signed-off-by: Srinivas Pandruvada Link: https://lore.kernel.org/r/20250103155255.1488139-1-srinivas.pandruvada@linux.intel.com Reviewed-by: Ilpo Järvinen Signed-off-by: Ilpo Järvinen commit dd410d784402c5775f66faf8b624e85e41c38aaf Author: Maciej S. Szmigiero Date: Mon Jan 6 18:40:34 2025 +0100 platform/x86/amd/pmc: Only disable IRQ1 wakeup where i8042 actually enabled it Wakeup for IRQ1 should be disabled only in cases where i8042 had actually enabled it, otherwise "wake_depth" for this IRQ will try to drop below zero and there will be an unpleasant WARN() logged: kernel: atkbd serio0: Disabling IRQ1 wakeup source to avoid platform firmware bug kernel: ------------[ cut here ]------------ kernel: Unbalanced IRQ 1 wake disable kernel: WARNING: CPU: 10 PID: 6431 at kernel/irq/manage.c:920 irq_set_irq_wake+0x147/0x1a0 The PMC driver uses DEFINE_SIMPLE_DEV_PM_OPS() to define its dev_pm_ops which sets amd_pmc_suspend_handler() to the .suspend, .freeze, and .poweroff handlers. i8042_pm_suspend(), however, is only set as the .suspend handler. Fix the issue by call PMC suspend handler only from the same set of dev_pm_ops handlers as i8042_pm_suspend(), which currently means just the .suspend handler. To reproduce this issue try hibernating (S4) the machine after a fresh boot without putting it into s2idle first. Fixes: 8e60615e8932 ("platform/x86/amd: pmc: Disable IRQ1 wakeup for RN/CZN") Reviewed-by: Mario Limonciello Signed-off-by: Maciej S. Szmigiero Link: https://lore.kernel.org/r/c8f28c002ca3c66fbeeb850904a1f43118e17200.1736184606.git.mail@maciej.szmigiero.name [ij: edited the commit message.] Reviewed-by: Ilpo Järvinen Signed-off-by: Ilpo Järvinen commit 24edfbdedf19998366205130cfc93158a475497e Author: Al Viro Date: Sun Dec 29 08:12:04 2024 +0000 debugfs: fix missing mutex_destroy() in short_fops case we need that in ->real_fops == NULL, ->short_fops != NULL case Fixes: 8dc6d81c6b2a "debugfs: add small file operations for most files" Signed-off-by: Al Viro Link: https://lore.kernel.org/r/20241229081223.3193228-1-viro@zeniv.linux.org.uk Signed-off-by: Greg Kroah-Hartman commit f8f25893a477a4da4414c3e40ddd51d77fac9cfc Author: Johannes Berg Date: Fri Nov 29 13:15:37 2024 +0100 fs: debugfs: differentiate short fops with proxy ops Geert reported that my previous short fops debugfs changes broke m68k, because it only has mandatory alignement of two, so we can't stash the "is it short" information into the pointer (as we already did with the "is it real" bit.) Instead, exploit the fact that debugfs_file_get() called on an already open file will already find that the fsdata is no longer the real fops but rather the allocated data that already distinguishes full/short ops, so only open() needs to be able to distinguish. We can achieve that by using two different open functions. Unfortunately this requires another set of full file ops, increasing the size by 536 bytes (x86-64), but that's still a reasonable trade-off given that only converting some of the wireless stack gained over 28k. This brings the total cost of this to around 1k, for wins of 28k (all x86-64). Reported-and-tested-by: Geert Uytterhoeven Link: https://lore.kernel.org/CAMuHMdWu_9-L2Te101w8hU7H_2yobJFPXSwwUmGHSJfaPWDKiQ@mail.gmail.com Fixes: 8dc6d81c6b2a ("debugfs: add small file operations for most files") Signed-off-by: Johannes Berg Tested-by: Geert Uytterhoeven Link: https://lore.kernel.org/r/20241129121536.30989-2-johannes@sipsolutions.net Signed-off-by: Greg Kroah-Hartman commit 8fd56ad6e7c90ac2bddb0741c6b248c8c5d56ac8 Author: David Howells Date: Mon Jan 6 16:21:00 2025 +0000 afs: Fix the maximum cell name length The kafs filesystem limits the maximum length of a cell to 256 bytes, but a problem occurs if someone actually does that: kafs tries to create a directory under /proc/net/afs/ with the name of the cell, but that fails with a warning: WARNING: CPU: 0 PID: 9 at fs/proc/generic.c:405 because procfs limits the maximum filename length to 255. However, the DNS limits the maximum lookup length and, by extension, the maximum cell name, to 255 less two (length count and trailing NUL). Fix this by limiting the maximum acceptable cellname length to 253. This also allows us to be sure we can create the "/afs/./" mountpoint too. Further, split the YFS VL record cell name maximum to be the 256 allowed by the protocol and ignore the record retrieved by YFSVL.GetCellName if it exceeds 253. Fixes: c3e9f888263b ("afs: Implement client support for the YFSVL.GetCellName RPC op") Reported-by: syzbot+7848fee1f1e5c53f912b@syzkaller.appspotmail.com Closes: https://lore.kernel.org/r/6776d25d.050a0220.3a8527.0048.GAE@google.com/ Signed-off-by: David Howells Link: https://lore.kernel.org/r/376236.1736180460@warthog.procyon.org.uk Tested-by: syzbot+7848fee1f1e5c53f912b@syzkaller.appspotmail.com cc: Marc Dionne cc: linux-afs@lists.infradead.org Signed-off-by: Christian Brauner commit 35243fc777566ccb3370e175cf591fea0f81f68c Author: Takashi Iwai Date: Thu Jan 2 12:49:36 2025 +0100 drm/nouveau/disp: Fix missing backlight control on Macbook 5,1 Macbook 5,1 with MCP79 lost its backlight control since the recent change for supporting GSP-RM; it rewrote the whole nv50 backlight control code and each display engine is supposed to have an entry for IOR bl callback, but it didn't cover mcp77. This patch adds the missing bl entry initialization for mcp77 display engine to recover the backlight control. Fixes: 2274ce7e3681 ("drm/nouveau/disp: add output backlight control methods") Cc: stable@vger.kernel.org Link: https://bugzilla.suse.com/show_bug.cgi?id=1223838 Signed-off-by: Takashi Iwai Signed-off-by: Danilo Krummrich Link: https://patchwork.freedesktop.org/patch/msgid/20250102114944.11499-1-tiwai@suse.de commit 3ff93c5935610f1f53f4b730d9b7b76a9559968a Merge: fbfd64d25c7af3 78f2560fc9fa5c Author: Christian Brauner Date: Tue Jan 7 15:43:07 2025 +0100 Merge tag 'fuse-fixes-6.13-rc7' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse Pull fuse fixes from Miklos Szeredi : - Fix fuse_get_user_pages() allocation failure handling. - Fix direct-io folio offset and length calculation. * tag 'fuse-fixes-6.13-rc7' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse: fuse: Set *nbytesp=0 in fuse_get_user_pages on allocation failure fuse: fix direct io folio offset and length calculation Link: https://lore.kernel.org/r/CAJfpegu7o_X%3DSBWk_C47dUVUQ1mJZDEGe1MfD0N3wVJoUBWdmg@mail.gmail.com Signed-off-by: Christian Brauner commit 84b172cea4a23016dc80a44eaa7ff8b7c97b04b3 Author: Lukas Bulwahn Date: Tue Jan 7 14:50:32 2025 +0100 staging: gpib: refer to correct config symbol in tnt4882 Makefile Commit 79d2e1919a27 ("staging: gpib: fix Makefiles") uses the corresponding config symbols to let Makefiles include the driver sources appropriately in the kernel build. Unfortunately, the Makefile in the tnt4882 directory refers to the non-existing config GPIB_TNT4882. The actual config name for this driver is GPIB_NI_PCI_ISA, as can be observed in the gpib Makefile. Probably, this is caused by the subtle differences between the config names, directory names and file names in ./drivers/staging/gpib/, where often config names and directory names are identical or at least close in naming, but in this case, it is not. Change the reference in the tnt4882 Makefile from the non-existing config GPIB_TNT4882 to the existing config GPIB_NI_PCI_ISA. Fixes: 79d2e1919a27 ("staging: gpib: fix Makefiles") Signed-off-by: Lukas Bulwahn Link: https://lore.kernel.org/r/20250107135032.34424-1-lukas.bulwahn@redhat.com Signed-off-by: Greg Kroah-Hartman commit 60495b08cf7a6920035c5172a22655ca2001270b Author: Pavel Begunkov Date: Tue Jan 7 14:11:32 2025 +0000 io_uring: silence false positive warnings If we kill a ring and then immediately exit the task, we'll get cancellattion running by the task and a kthread in io_ring_exit_work. For DEFER_TASKRUN, we do want to limit it to only one entity executing it, however it's currently not an issue as it's protected by uring_lock. Silence lockdep assertions for now, we'll return to it later. Reported-by: syzbot+1bcb75613069ad4957fc@syzkaller.appspotmail.com Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/7e5f68281acb0f081f65fde435833c68a3b7e02f.1736257837.git.asml.silence@gmail.com Signed-off-by: Jens Axboe commit fd48f071a3d6d51e737e953bb43fe69785cf59a9 Author: Jakub Kicinski Date: Fri Jan 3 10:32:07 2025 -0800 net: don't dump Tx and uninitialized NAPIs We use NAPI ID as the key for continuing dumps. We also depend on the NAPIs being sorted by ID within the driver list. Tx NAPIs (which don't have an ID assigned) break this expectation, it's not currently possible to dump them reliably. Since Tx NAPIs are relatively rare, and can't be used in doit (GET or SET) hide them from the dump API as well. Fixes: 27f91aaf49b3 ("netdev-genl: Add netlink framework functions for napi") Signed-off-by: Jakub Kicinski Reviewed-by: Eric Dumazet Link: https://patch.msgid.link/20250103183207.1216004-1-kuba@kernel.org Signed-off-by: Paolo Abeni commit fd55c6065bec5268740e944a1800e6fad00974d9 Author: Charles Keepax Date: Tue Jan 7 10:41:34 2025 +0000 ASoC: samsung: Add missing selects for MFD_WM8994 Anything selecting SND_SOC_WM8994 should also select MFD_WM8994, as SND_SOC_WM8994 does not automatically do so. Add the missing selects. Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202501071530.UwIXs7OL-lkp@intel.com/ Signed-off-by: Charles Keepax Link: https://patch.msgid.link/20250107104134.12147-1-ckeepax@opensource.cirrus.com Signed-off-by: Mark Brown commit 85c9ac7a56f731ecd59317c822cb6295464444cc Author: Marian Postevca Date: Fri Dec 27 22:27:51 2024 +0200 ASoC: codecs: es8316: Fix HW rate calculation for 48Mhz MCLK For 48Mhz MCLK systems the calculation of the HW rate is broken, and will not produce even one sane rate. Since es83xx supports the option to halve MCLK, calculate also rates with MCLK/2. Signed-off-by: Marian Postevca Link: https://patch.msgid.link/20241227202751.244954-1-posteuca@mutex.one Signed-off-by: Mark Brown commit 5ed01155cea69801f1f0c908954a56a5a3474bed Author: Charles Keepax Date: Mon Jan 6 15:46:39 2025 +0000 ASoC: wm8994: Add depends on MFD core The ASoC driver should not be used without the MFD component. This was causing randconfig issues with regmap IRQ which is selected by the MFD part of the wm8994 driver. Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202501061337.R0DlBUoD-lkp@intel.com/ Signed-off-by: Charles Keepax Link: https://patch.msgid.link/20250106154639.3999553-1-ckeepax@opensource.cirrus.com Signed-off-by: Mark Brown commit cf86e0ae60a225e2c7921ced755e922da9012bea Author: Shenghao Ding Date: Fri Dec 27 15:49:09 2024 +0800 ASoC: tas2781: Fix occasional calibration failture The root cause is that TAS2781 internal register is not unlocked before writing data into TAS2781_PRM_TEST_57_REG. Fixes: 49e2e353fb0d ("ASoC: tas2781: Add Calibration Kcontrols for Chromebook") Signed-off-by: Shenghao Ding Link: https://patch.msgid.link/20241227074909.1974-1-shenghao-ding@ti.com Signed-off-by: Mark Brown commit b0e525d7a22ea350e75e2aec22e47fcfafa4cacd Author: GONG Ruiqi Date: Tue Jan 7 09:57:50 2025 +0800 usb: typec: fix pm usage counter imbalance in ucsi_ccg_sync_control() The error handling for the case `con_index == 0` should involve dropping the pm usage counter, as ucsi_ccg_sync_control() gets it at the beginning. Fix it. Cc: stable Fixes: e56aac6e5a25 ("usb: typec: fix potential array underflow in ucsi_ccg_sync_control()") Signed-off-by: GONG Ruiqi Reviewed-by: Dan Carpenter Reviewed-by: Heikki Krogerus Link: https://lore.kernel.org/r/20250107015750.2778646-1-gongruiqi1@huawei.com Signed-off-by: Greg Kroah-Hartman commit cdef30e0774802df2f87024d68a9d86c3b99ca2a Author: Lubomir Rintel Date: Wed Jan 1 22:22:06 2025 +0100 usb-storage: Add max sectors quirk for Nokia 208 This fixes data corruption when accessing the internal SD card in mass storage mode. I am actually not too sure why. I didn't figure a straightforward way to reproduce the issue, but i seem to get garbage when issuing a lot (over 50) of large reads (over 120 sectors) are done in a quick succession. That is, time seems to matter here -- larger reads are fine if they are done with some delay between them. But I'm not great at understanding this sort of things, so I'll assume the issue other, smarter, folks were seeing with similar phones is the same problem and I'll just put my quirk next to theirs. The "Software details" screen on the phone is as follows: V 04.06 07-08-13 RM-849 (c) Nokia TL;DR version of the device descriptor: idVendor 0x0421 Nokia Mobile Phones idProduct 0x06c2 bcdDevice 4.06 iManufacturer 1 Nokia iProduct 2 Nokia 208 The patch assumes older firmwares are broken too (I'm unable to test, but no biggie if they aren't I guess), and I have no idea if newer firmware exists. Signed-off-by: Lubomir Rintel Cc: stable Acked-by: Alan Stern Link: https://lore.kernel.org/r/20250101212206.2386207-1-lkundrak@v3.sk Signed-off-by: Greg Kroah-Hartman commit 6f660ffce7c938f2a5d8473c0e0b45e4fb25ef7f Author: Takashi Iwai Date: Wed Jan 1 14:11:19 2025 +0100 usb: gadget: midi2: Reverse-select at the right place We should do reverse selection of other components from CONFIG_USB_F_MIDI2 which is tristate, instead of CONFIG_USB_CONFIGFS_F_MIDI2 which is bool, for satisfying subtle module dependencies. Fixes: 8b645922b223 ("usb: gadget: Add support for USB MIDI 2.0 function driver") Cc: stable Signed-off-by: Takashi Iwai Link: https://lore.kernel.org/r/20250101131124.27599-1-tiwai@suse.de Signed-off-by: Greg Kroah-Hartman commit 4c1224501e9d6c5fd12d83752f1c1b444e0e3418 Author: Anumula Murali Mohan Reddy Date: Fri Jan 3 14:53:27 2025 +0530 cxgb4: Avoid removal of uninserted tid During ARP failure, tid is not inserted but _c4iw_free_ep() attempts to remove tid which results in error. This patch fixes the issue by avoiding removal of uninserted tid. Fixes: 59437d78f088 ("cxgb4/chtls: fix ULD connection failures due to wrong TID base") Signed-off-by: Anumula Murali Mohan Reddy Signed-off-by: Potnuri Bharat Teja Link: https://patch.msgid.link/20250103092327.1011925-1-anumula@chelsio.com Signed-off-by: Jakub Kicinski commit 3085d4b847e016125609f3f03002833d8df476da Merge: 8c817eb26230dc 40452969a50652 Author: Jakub Kicinski Date: Mon Jan 6 16:40:28 2025 -0800 Merge branch 'bnxt_en-2-bug-fixes' Michael Chan says: ==================== bnxt_en: 2 Bug fixes The first patch fixes a potential memory leak when sending a FW message for the RoCE driver. The second patch fixes the potential issue of DIM modifying the coalescing parameters of a ring that has been freed. ==================== Link: https://patch.msgid.link/20250104043849.3482067-1-michael.chan@broadcom.com Signed-off-by: Jakub Kicinski commit 40452969a50652e3cbf89dac83d54eebf2206d27 Author: Michael Chan Date: Fri Jan 3 20:38:48 2025 -0800 bnxt_en: Fix DIM shutdown DIM work will call the firmware to adjust the coalescing parameters on the RX rings. We should cancel DIM work before we call the firmware to free the RX rings. Otherwise, FW will reject the call from DIM work if the RX ring has been freed. This will generate an error message like this: bnxt_en 0000:21:00.1 ens2f1np1: hwrm req_type 0x53 seq id 0x6fca error 0x2 and cause unnecessary concern for the user. It is also possible to modify the coalescing parameters of the wrong ring if the ring has been re-allocated. To prevent this, cancel DIM work right before freeing the RX rings. We also have to add a check in NAPI poll to not schedule DIM if the RX rings are shutting down. Check that the VNIC is active before we schedule DIM. The VNIC is always disabled before we free the RX rings. Fixes: 0bc0b97fca73 ("bnxt_en: cleanup DIM work on device shutdown") Reviewed-by: Hongguang Gao Reviewed-by: Kalesh AP Reviewed-by: Somnath Kotur Signed-off-by: Michael Chan Link: https://patch.msgid.link/20250104043849.3482067-3-michael.chan@broadcom.com Signed-off-by: Jakub Kicinski commit c8dafb0e4398dacc362832098a04b97da3b0395b Author: Kalesh AP Date: Fri Jan 3 20:38:47 2025 -0800 bnxt_en: Fix possible memory leak when hwrm_req_replace fails When hwrm_req_replace() fails, the driver is not invoking bnxt_req_drop() which could cause a memory leak. Fixes: bbf33d1d9805 ("bnxt_en: update all firmware calls to use the new APIs") Reviewed-by: Pavan Chebbi Signed-off-by: Kalesh AP Signed-off-by: Michael Chan Link: https://patch.msgid.link/20250104043849.3482067-2-michael.chan@broadcom.com Signed-off-by: Jakub Kicinski commit 8c817eb26230dc0ae553cee16ff43a4a895f6756 Author: Shannon Nelson Date: Fri Jan 3 11:51:47 2025 -0800 pds_core: limit loop over fw name list Add an array size limit to the for-loop to be sure we don't try to reference a fw_version string off the end of the fw info names array. We know that our firmware only has a limited number of firmware slot names, but we shouldn't leave this unchecked. Fixes: 45d76f492938 ("pds_core: set up device and adminq") Signed-off-by: Shannon Nelson Reviewed-by: Simon Horman Reviewed-by: Brett Creeley Reviewed-by: Jacob Keller Link: https://patch.msgid.link/20250103195147.7408-1-shannon.nelson@amd.com Signed-off-by: Jakub Kicinski commit 75c8b703e5bded1e33b08fb09b829e7c2c1ed50a Author: Arunpravin Paneer Selvam Date: Tue Dec 10 12:50:08 2024 +0530 drm/amdgpu: Add a lock when accessing the buddy trim function When running YouTube videos and Steam games simultaneously, the tester found a system hang / race condition issue with the multi-display configuration setting. Adding a lock to the buddy allocator's trim function would be the solution. [ 7197.250436] general protection fault, probably for non-canonical address 0xdead000000000108 [ 7197.250447] RIP: 0010:__alloc_range+0x8b/0x340 [amddrm_buddy] [ 7197.250470] Call Trace: [ 7197.250472] [ 7197.250475] ? show_regs+0x6d/0x80 [ 7197.250481] ? die_addr+0x37/0xa0 [ 7197.250483] ? exc_general_protection+0x1db/0x480 [ 7197.250488] ? drm_suballoc_new+0x13c/0x93d [drm_suballoc_helper] [ 7197.250493] ? asm_exc_general_protection+0x27/0x30 [ 7197.250498] ? __alloc_range+0x8b/0x340 [amddrm_buddy] [ 7197.250501] ? __alloc_range+0x109/0x340 [amddrm_buddy] [ 7197.250506] amddrm_buddy_block_trim+0x1b5/0x260 [amddrm_buddy] [ 7197.250511] amdgpu_vram_mgr_new+0x4f5/0x590 [amdgpu] [ 7197.250682] amdttm_resource_alloc+0x46/0xb0 [amdttm] [ 7197.250689] ttm_bo_alloc_resource+0xe4/0x370 [amdttm] [ 7197.250696] amdttm_bo_validate+0x9d/0x180 [amdttm] [ 7197.250701] amdgpu_bo_pin+0x15a/0x2f0 [amdgpu] [ 7197.250831] amdgpu_dm_plane_helper_prepare_fb+0xb2/0x360 [amdgpu] [ 7197.251025] ? try_wait_for_completion+0x59/0x70 [ 7197.251030] drm_atomic_helper_prepare_planes.part.0+0x2f/0x1e0 [ 7197.251035] drm_atomic_helper_prepare_planes+0x5d/0x70 [ 7197.251037] drm_atomic_helper_commit+0x84/0x160 [ 7197.251040] drm_atomic_nonblocking_commit+0x59/0x70 [ 7197.251043] drm_mode_atomic_ioctl+0x720/0x850 [ 7197.251047] ? __pfx_drm_mode_atomic_ioctl+0x10/0x10 [ 7197.251049] drm_ioctl_kernel+0xb9/0x120 [ 7197.251053] ? srso_alias_return_thunk+0x5/0xfbef5 [ 7197.251056] drm_ioctl+0x2d4/0x550 [ 7197.251058] ? __pfx_drm_mode_atomic_ioctl+0x10/0x10 [ 7197.251063] amdgpu_drm_ioctl+0x4e/0x90 [amdgpu] [ 7197.251186] __x64_sys_ioctl+0xa0/0xf0 [ 7197.251190] x64_sys_call+0x143b/0x25c0 [ 7197.251193] do_syscall_64+0x7f/0x180 [ 7197.251197] ? srso_alias_return_thunk+0x5/0xfbef5 [ 7197.251199] ? amdgpu_display_user_framebuffer_create+0x215/0x320 [amdgpu] [ 7197.251329] ? drm_internal_framebuffer_create+0xb7/0x1a0 [ 7197.251332] ? srso_alias_return_thunk+0x5/0xfbef5 Signed-off-by: Arunpravin Paneer Selvam Fixes: 4a5ad08f5377 ("drm/amdgpu: Add address alignment support to DCC buffers") Acked-by: Christian König Signed-off-by: Alex Deucher (cherry picked from commit 3318ba94e56b9183d0304577c74b33b6b01ce516) Cc: stable@vger.kernel.org commit 2a238b09bfd04e8155a7a323364bce1c38b28c0f Author: Kun Liu Date: Fri Dec 27 11:43:22 2024 +0800 drm/amd/pm: fix BUG: scheduling while atomic atomic scheduling will be triggered in interrupt handler for AC/DC mode switch as following backtrace. Call Trace: dump_stack_lvl __schedule_bug __schedule schedule schedule_preempt_disabled __mutex_lock smu_cmn_send_smc_msg_with_param smu_v13_0_irq_process amdgpu_irq_dispatch amdgpu_ih_process amdgpu_irq_handler __handle_irq_event_percpu handle_irq_event handle_edge_irq __common_interrupt common_interrupt asm_common_interrupt Reviewed-by: Lijo Lazar Reviewed-by: Kenneth Feng Signed-off-by: Kun Liu Signed-off-by: Alex Deucher (cherry picked from commit 03cc84b102d1a832e8dfc59344346dedcebcdf42) Cc: stable@vger.kernel.org commit a993d319aebb7cce8a10c6e685344b7c2ad5c4c2 Author: Zhu Lingshan Date: Wed Dec 11 11:51:13 2024 +0800 drm/amdkfd: wq_release signals dma_fence only when available kfd_process_wq_release() signals eviction fence by dma_fence_signal() which wanrs if dma_fence is NULL. kfd_process->ef is initialized by kfd_process_device_init_vm() through ioctl. That means the fence is NULL for a new created kfd_process, and close a kfd_process right after open it will trigger the warning. This commit conditionally signals the eviction fence in kfd_process_wq_release() only when it is available. [ 503.660882] WARNING: CPU: 0 PID: 9 at drivers/dma-buf/dma-fence.c:467 dma_fence_signal+0x74/0xa0 [ 503.782940] Workqueue: kfd_process_wq kfd_process_wq_release [amdgpu] [ 503.789640] RIP: 0010:dma_fence_signal+0x74/0xa0 [ 503.877620] Call Trace: [ 503.880066] [ 503.882168] ? __warn+0xcd/0x260 [ 503.885407] ? dma_fence_signal+0x74/0xa0 [ 503.889416] ? report_bug+0x288/0x2d0 [ 503.893089] ? handle_bug+0x53/0xa0 [ 503.896587] ? exc_invalid_op+0x14/0x50 [ 503.900424] ? asm_exc_invalid_op+0x16/0x20 [ 503.904616] ? dma_fence_signal+0x74/0xa0 [ 503.908626] kfd_process_wq_release+0x6b/0x370 [amdgpu] [ 503.914081] process_one_work+0x654/0x10a0 [ 503.918186] worker_thread+0x6c3/0xe70 [ 503.921943] ? srso_alias_return_thunk+0x5/0xfbef5 [ 503.926735] ? srso_alias_return_thunk+0x5/0xfbef5 [ 503.931527] ? __kthread_parkme+0x82/0x140 [ 503.935631] ? __pfx_worker_thread+0x10/0x10 [ 503.939904] kthread+0x2a8/0x380 [ 503.943132] ? __pfx_kthread+0x10/0x10 [ 503.946882] ret_from_fork+0x2d/0x70 [ 503.950458] ? __pfx_kthread+0x10/0x10 [ 503.954210] ret_from_fork_asm+0x1a/0x30 [ 503.958142] [ 503.960328] ---[ end trace 0000000000000000 ]--- Fixes: 967d226eaae8 ("dma-buf: add WARN_ON() illegal dma-fence signaling") Signed-off-by: Zhu Lingshan Reviewed-by: Felix Kuehling Signed-off-by: Alex Deucher (cherry picked from commit 2774ef7625adb5fb9e9265c26a59dca7b8fd171e) Cc: stable@vger.kernel.org commit 0881fbc4fd62e00a2b8e102725f76d10351b2ea8 Author: Roman Li Date: Fri Dec 13 13:51:07 2024 -0500 drm/amd/display: Add check for granularity in dml ceil/floor helpers [Why] Wrapper functions for dcn_bw_ceil2() and dcn_bw_floor2() should check for granularity is non zero to avoid assert and divide-by-zero error in dcn_bw_ functions. [How] Add check for granularity 0. Cc: Mario Limonciello Reviewed-by: Alvin Lee Signed-off-by: Roman Li Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher (cherry picked from commit f6e09701c3eb2ccb8cb0518e0b67f1c69742a4ec) Cc: stable@vger.kernel.org commit 9738609449c3e44d1afb73eecab4763362b57930 Author: Jesse.zhang@amd.com Date: Wed Dec 18 18:23:52 2024 +0800 drm/amdkfd: fixed page fault when enable MES shader debugger Initialize the process context address before setting the shader debugger. [ 260.781212] amdgpu 0000:03:00.0: amdgpu: [gfxhub] page fault (src_id:0 ring:32 vmid:0 pasid:0) [ 260.781236] amdgpu 0000:03:00.0: amdgpu: in page starting at address 0x0000000000000000 from client 10 [ 260.781255] amdgpu 0000:03:00.0: amdgpu: GCVM_L2_PROTECTION_FAULT_STATUS:0x00040A40 [ 260.781270] amdgpu 0000:03:00.0: amdgpu: Faulty UTCL2 client ID: CPC (0x5) [ 260.781284] amdgpu 0000:03:00.0: amdgpu: MORE_FAULTS: 0x0 [ 260.781296] amdgpu 0000:03:00.0: amdgpu: WALKER_ERROR: 0x0 [ 260.781308] amdgpu 0000:03:00.0: amdgpu: PERMISSION_FAULTS: 0x4 [ 260.781320] amdgpu 0000:03:00.0: amdgpu: MAPPING_ERROR: 0x0 [ 260.781332] amdgpu 0000:03:00.0: amdgpu: RW: 0x1 [ 260.782017] amdgpu 0000:03:00.0: amdgpu: [gfxhub] page fault (src_id:0 ring:32 vmid:0 pasid:0) [ 260.782039] amdgpu 0000:03:00.0: amdgpu: in page starting at address 0x0000000000000000 from client 10 [ 260.782058] amdgpu 0000:03:00.0: amdgpu: GCVM_L2_PROTECTION_FAULT_STATUS:0x00040A41 [ 260.782073] amdgpu 0000:03:00.0: amdgpu: Faulty UTCL2 client ID: CPC (0x5) [ 260.782087] amdgpu 0000:03:00.0: amdgpu: MORE_FAULTS: 0x1 [ 260.782098] amdgpu 0000:03:00.0: amdgpu: WALKER_ERROR: 0x0 [ 260.782110] amdgpu 0000:03:00.0: amdgpu: PERMISSION_FAULTS: 0x4 [ 260.782122] amdgpu 0000:03:00.0: amdgpu: MAPPING_ERROR: 0x0 [ 260.782137] amdgpu 0000:03:00.0: amdgpu: RW: 0x1 [ 260.782155] amdgpu 0000:03:00.0: amdgpu: [gfxhub] page fault (src_id:0 ring:32 vmid:0 pasid:0) [ 260.782166] amdgpu 0000:03:00.0: amdgpu: in page starting at address 0x0000000000000000 from client 10 Fixes: 438b39ac74e2 ("drm/amdkfd: pause autosuspend when creating pdd") Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3849 Signed-off-by: Jesse Zhang Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher (cherry picked from commit 5b231f5bc9ff02ec5737f2ec95cdf15ac95088e9) Cc: stable@vger.kernel.org commit 5225fd2a26211d012533acf98a6ad3f983885817 Author: Melissa Wen Date: Tue Dec 17 17:45:05 2024 -0300 drm/amd/display: fix divide error in DM plane scale calcs dm_get_plane_scale doesn't take into account plane scaled size equal to zero, leading to a kernel oops due to division by zero. Fix by setting out-scale size as zero when the dst size is zero, similar to what is done by drm_calc_scale(). This issue started with the introduction of cursor ovelay mode that uses this function to assess cursor mode changes via dm_crtc_get_cursor_mode() before checking plane state. [Dec17 17:14] Oops: divide error: 0000 [#1] PREEMPT SMP NOPTI [ +0.000018] CPU: 5 PID: 1660 Comm: surface-DP-1 Not tainted 6.10.0+ #231 [ +0.000007] Hardware name: Valve Jupiter/Jupiter, BIOS F7A0131 01/30/2024 [ +0.000004] RIP: 0010:dm_get_plane_scale+0x3f/0x60 [amdgpu] [ +0.000553] Code: 44 0f b7 41 3a 44 0f b7 49 3e 83 e0 0f 48 0f a3 c2 73 21 69 41 28 e8 03 00 00 31 d2 41 f7 f1 31 d2 89 06 69 41 2c e8 03 00 00 <41> f7 f0 89 07 e9 d7 d8 7e e9 44 89 c8 45 89 c1 41 89 c0 eb d4 66 [ +0.000005] RSP: 0018:ffffa8df0de6b8a0 EFLAGS: 00010246 [ +0.000006] RAX: 00000000000003e8 RBX: ffff9ac65c1f6e00 RCX: ffff9ac65d055500 [ +0.000003] RDX: 0000000000000000 RSI: ffffa8df0de6b8b0 RDI: ffffa8df0de6b8b4 [ +0.000004] RBP: ffff9ac64e7a5800 R08: 0000000000000000 R09: 0000000000000a00 [ +0.000003] R10: 00000000000000ff R11: 0000000000000054 R12: ffff9ac6d0700010 [ +0.000003] R13: ffff9ac65d054f00 R14: ffff9ac65d055500 R15: ffff9ac64e7a60a0 [ +0.000004] FS: 00007f869ea00640(0000) GS:ffff9ac970080000(0000) knlGS:0000000000000000 [ +0.000004] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ +0.000003] CR2: 000055ca701becd0 CR3: 000000010e7f2000 CR4: 0000000000350ef0 [ +0.000004] Call Trace: [ +0.000007] [ +0.000006] ? __die_body.cold+0x19/0x27 [ +0.000009] ? die+0x2e/0x50 [ +0.000007] ? do_trap+0xca/0x110 [ +0.000007] ? do_error_trap+0x6a/0x90 [ +0.000006] ? dm_get_plane_scale+0x3f/0x60 [amdgpu] [ +0.000504] ? exc_divide_error+0x38/0x50 [ +0.000005] ? dm_get_plane_scale+0x3f/0x60 [amdgpu] [ +0.000488] ? asm_exc_divide_error+0x1a/0x20 [ +0.000011] ? dm_get_plane_scale+0x3f/0x60 [amdgpu] [ +0.000593] dm_crtc_get_cursor_mode+0x33f/0x430 [amdgpu] [ +0.000562] amdgpu_dm_atomic_check+0x2ef/0x1770 [amdgpu] [ +0.000501] drm_atomic_check_only+0x5e1/0xa30 [drm] [ +0.000047] drm_mode_atomic_ioctl+0x832/0xcb0 [drm] [ +0.000050] ? __pfx_drm_mode_atomic_ioctl+0x10/0x10 [drm] [ +0.000047] drm_ioctl_kernel+0xb3/0x100 [drm] [ +0.000062] drm_ioctl+0x27a/0x4f0 [drm] [ +0.000049] ? __pfx_drm_mode_atomic_ioctl+0x10/0x10 [drm] [ +0.000055] amdgpu_drm_ioctl+0x4e/0x90 [amdgpu] [ +0.000360] __x64_sys_ioctl+0x97/0xd0 [ +0.000010] do_syscall_64+0x82/0x190 [ +0.000008] ? __pfx_drm_mode_createblob_ioctl+0x10/0x10 [drm] [ +0.000044] ? srso_return_thunk+0x5/0x5f [ +0.000006] ? drm_ioctl_kernel+0xb3/0x100 [drm] [ +0.000040] ? srso_return_thunk+0x5/0x5f [ +0.000005] ? __check_object_size+0x50/0x220 [ +0.000007] ? srso_return_thunk+0x5/0x5f [ +0.000005] ? srso_return_thunk+0x5/0x5f [ +0.000005] ? drm_ioctl+0x2a4/0x4f0 [drm] [ +0.000039] ? __pfx_drm_mode_createblob_ioctl+0x10/0x10 [drm] [ +0.000043] ? srso_return_thunk+0x5/0x5f [ +0.000005] ? srso_return_thunk+0x5/0x5f [ +0.000005] ? __pm_runtime_suspend+0x69/0xc0 [ +0.000006] ? srso_return_thunk+0x5/0x5f [ +0.000005] ? amdgpu_drm_ioctl+0x71/0x90 [amdgpu] [ +0.000366] ? srso_return_thunk+0x5/0x5f [ +0.000006] ? syscall_exit_to_user_mode+0x77/0x210 [ +0.000007] ? srso_return_thunk+0x5/0x5f [ +0.000005] ? do_syscall_64+0x8e/0x190 [ +0.000006] ? srso_return_thunk+0x5/0x5f [ +0.000006] ? do_syscall_64+0x8e/0x190 [ +0.000006] ? srso_return_thunk+0x5/0x5f [ +0.000007] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ +0.000008] RIP: 0033:0x55bb7cd962bc [ +0.000007] Code: 4c 89 6c 24 18 4c 89 64 24 20 4c 89 74 24 28 0f 57 c0 0f 11 44 24 30 89 c7 48 8d 54 24 08 b8 10 00 00 00 be bc 64 38 c0 0f 05 <49> 89 c7 48 83 3b 00 74 09 4c 89 c7 ff 15 62 64 99 00 48 83 7b 18 [ +0.000005] RSP: 002b:00007f869e9f4da0 EFLAGS: 00000217 ORIG_RAX: 0000000000000010 [ +0.000007] RAX: ffffffffffffffda RBX: 00007f869e9f4fb8 RCX: 000055bb7cd962bc [ +0.000004] RDX: 00007f869e9f4da8 RSI: 00000000c03864bc RDI: 000000000000003b [ +0.000003] RBP: 000055bb9ddcbcc0 R08: 00007f86541b9920 R09: 0000000000000009 [ +0.000004] R10: 0000000000000004 R11: 0000000000000217 R12: 00007f865406c6b0 [ +0.000003] R13: 00007f86541b5290 R14: 00007f865410b700 R15: 000055bb9ddcbc18 [ +0.000009] Fixes: 1b04dcca4fb1 ("drm/amd/display: Introduce overlay cursor mode") Link: https://gitlab.freedesktop.org/drm/amd/-/issues/3729 Reported-by: Fabio Scaccabarozzi Co-developed-by: Fabio Scaccabarozzi Signed-off-by: Fabio Scaccabarozzi Signed-off-by: Melissa Wen Reviewed-by: Rodrigo Siqueira Signed-off-by: Rodrigo Siqueira Signed-off-by: Alex Deucher (cherry picked from commit ab75a0d2e07942ae15d32c0a5092fd336451378c) Cc: stable@vger.kernel.org commit 21541bc6b44241e3f791f9e552352d8440b2b29e Author: Melissa Wen Date: Tue Dec 17 17:45:04 2024 -0300 drm/amd/display: increase MAX_SURFACES to the value supported by hw As the hw supports up to 4 surfaces, increase the maximum number of surfaces to prevent the DC error when trying to use more than three planes. [drm:dc_state_add_plane [amdgpu]] *ERROR* Surface: can not attach plane_state 000000003e2cb82c! Maximum is: 3 Link: https://gitlab.freedesktop.org/drm/amd/-/issues/3693 Signed-off-by: Melissa Wen Reviewed-by: Rodrigo Siqueira Signed-off-by: Rodrigo Siqueira Signed-off-by: Alex Deucher (cherry picked from commit b8d6daffc871a42026c3c20bff7b8fa0302298c1) Cc: stable@vger.kernel.org commit 7de8d5c90be9ad9f6575e818a674801db2ada794 Author: Melissa Wen Date: Tue Dec 17 17:45:03 2024 -0300 drm/amd/display: fix page fault due to max surface definition mismatch DC driver is using two different values to define the maximum number of surfaces: MAX_SURFACES and MAX_SURFACE_NUM. Consolidate MAX_SURFACES as the unique definition for surface updates across DC. It fixes page fault faced by Cosmic users on AMD display versions that support two overlay planes, since the introduction of cursor overlay mode. [Nov26 21:33] BUG: unable to handle page fault for address: 0000000051d0f08b [ +0.000015] #PF: supervisor read access in kernel mode [ +0.000006] #PF: error_code(0x0000) - not-present page [ +0.000005] PGD 0 P4D 0 [ +0.000007] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI [ +0.000006] CPU: 4 PID: 71 Comm: kworker/u32:6 Not tainted 6.10.0+ #300 [ +0.000006] Hardware name: Valve Jupiter/Jupiter, BIOS F7A0131 01/30/2024 [ +0.000007] Workqueue: events_unbound commit_work [drm_kms_helper] [ +0.000040] RIP: 0010:copy_stream_update_to_stream.isra.0+0x30d/0x750 [amdgpu] [ +0.000847] Code: 8b 10 49 89 94 24 f8 00 00 00 48 8b 50 08 49 89 94 24 00 01 00 00 8b 40 10 41 89 84 24 08 01 00 00 49 8b 45 78 48 85 c0 74 0b <0f> b6 00 41 88 84 24 90 64 00 00 49 8b 45 60 48 85 c0 74 3b 48 8b [ +0.000010] RSP: 0018:ffffc203802f79a0 EFLAGS: 00010206 [ +0.000009] RAX: 0000000051d0f08b RBX: 0000000000000004 RCX: ffff9f964f0a8070 [ +0.000004] RDX: ffff9f9710f90e40 RSI: ffff9f96600c8000 RDI: ffff9f964f000000 [ +0.000004] RBP: ffffc203802f79f8 R08: 0000000000000000 R09: 0000000000000000 [ +0.000005] R10: 0000000000000000 R11: 0000000000000000 R12: ffff9f96600c8000 [ +0.000004] R13: ffff9f9710f90e40 R14: ffff9f964f000000 R15: ffff9f96600c8000 [ +0.000004] FS: 0000000000000000(0000) GS:ffff9f9970000000(0000) knlGS:0000000000000000 [ +0.000005] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ +0.000005] CR2: 0000000051d0f08b CR3: 00000002e6a20000 CR4: 0000000000350ef0 [ +0.000005] Call Trace: [ +0.000011] [ +0.000010] ? __die_body.cold+0x19/0x27 [ +0.000012] ? page_fault_oops+0x15a/0x2d0 [ +0.000014] ? exc_page_fault+0x7e/0x180 [ +0.000009] ? asm_exc_page_fault+0x26/0x30 [ +0.000013] ? copy_stream_update_to_stream.isra.0+0x30d/0x750 [amdgpu] [ +0.000739] ? dc_commit_state_no_check+0xd6c/0xe70 [amdgpu] [ +0.000470] update_planes_and_stream_state+0x49b/0x4f0 [amdgpu] [ +0.000450] ? srso_return_thunk+0x5/0x5f [ +0.000009] ? commit_minimal_transition_state+0x239/0x3d0 [amdgpu] [ +0.000446] update_planes_and_stream_v2+0x24a/0x590 [amdgpu] [ +0.000464] ? srso_return_thunk+0x5/0x5f [ +0.000009] ? sort+0x31/0x50 [ +0.000007] ? amdgpu_dm_atomic_commit_tail+0x159f/0x3a30 [amdgpu] [ +0.000508] ? srso_return_thunk+0x5/0x5f [ +0.000009] ? amdgpu_crtc_get_scanout_position+0x28/0x40 [amdgpu] [ +0.000377] ? srso_return_thunk+0x5/0x5f [ +0.000009] ? drm_crtc_vblank_helper_get_vblank_timestamp_internal+0x160/0x390 [drm] [ +0.000058] ? srso_return_thunk+0x5/0x5f [ +0.000005] ? dma_fence_default_wait+0x8c/0x260 [ +0.000010] ? srso_return_thunk+0x5/0x5f [ +0.000005] ? wait_for_completion_timeout+0x13b/0x170 [ +0.000006] ? srso_return_thunk+0x5/0x5f [ +0.000005] ? dma_fence_wait_timeout+0x108/0x140 [ +0.000010] ? commit_tail+0x94/0x130 [drm_kms_helper] [ +0.000024] ? process_one_work+0x177/0x330 [ +0.000008] ? worker_thread+0x266/0x3a0 [ +0.000006] ? __pfx_worker_thread+0x10/0x10 [ +0.000004] ? kthread+0xd2/0x100 [ +0.000006] ? __pfx_kthread+0x10/0x10 [ +0.000006] ? ret_from_fork+0x34/0x50 [ +0.000004] ? __pfx_kthread+0x10/0x10 [ +0.000005] ? ret_from_fork_asm+0x1a/0x30 [ +0.000011] Fixes: 1b04dcca4fb1 ("drm/amd/display: Introduce overlay cursor mode") Suggested-by: Leo Li Link: https://gitlab.freedesktop.org/drm/amd/-/issues/3693 Signed-off-by: Melissa Wen Reviewed-by: Rodrigo Siqueira Signed-off-by: Rodrigo Siqueira Signed-off-by: Alex Deucher (cherry picked from commit 1c86c81a86c60f9b15d3e3f43af0363cf56063e7) Cc: stable@vger.kernel.org commit 5009628d8509dbb90e1b88e01eda00430fa24b4b Author: Alex Hung Date: Tue Dec 17 14:03:50 2024 -0700 drm/amd/display: Remove unnecessary amdgpu_irq_get/put [WHY & HOW] commit 7fb363c57522 ("drm/amd/display: Let drm_crtc_vblank_on/off manage interrupts") lets drm_crtc_vblank_* to manage interrupts in amdgpu_dm_crtc_set_vblank, and amdgpu_irq_get/put do not need to be called here. Part of that patch got lost somehow, so fix it up. Fixes: 7fb363c57522 ("drm/amd/display: Let drm_crtc_vblank_on/off manage interrupts") Reviewed-by: Alex Deucher Reviewed-by: Leo Li Signed-off-by: Alex Hung Signed-off-by: Alex Deucher (cherry picked from commit 3782305ce5807c18fbf092124b9e8303cf1723ae) Cc: stable@vger.kernel.org commit fbfd64d25c7af3b8695201ebc85efe90be28c5a3 Merge: 13563da6ffcf49 368fcc5d3f8bf6 Author: Linus Torvalds Date: Mon Jan 6 10:26:39 2025 -0800 Merge tag 'vfs-6.13-rc7.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull vfs fixes from Christian Brauner: - Relax assertions on failure to encode file handles The ->encode_fh() method can fail for various reasons. None of them warrant a WARN_ON(). - Fix overlayfs file handle encoding by allowing encoding an fid from an inode without an alias - Make sure fuse_dir_open() handles FOPEN_KEEP_CACHE. If it's not specified fuse needs to invaludate the directory inode page cache - Fix qnx6 so it builds with gcc-15 - Various fixes for netfslib and ceph and nfs filesystems: - Ignore silly rename files from afs and nfs when building header archives - Fix read result collection in netfslib with multiple subrequests - Handle ENOMEM for netfslib buffered reads - Fix oops in nfs_netfs_init_request() - Parse the secctx command immediately in cachefiles - Remove a redundant smp_rmb() in netfslib - Handle recursion in read retry in netfslib - Fix clearing of folio_queue - Fix missing cancellation of copy-to_cache when the cache for a file is temporarly disabled in netfslib - Sanity check the hfs root record - Fix zero padding data issues in concurrent write scenarios - Fix is_mnt_ns_file() after converting nsfs to path_from_stashed() - Fix missing declaration of init_files - Increase I/O priority when writing revoke records in jbd2 - Flush filesystem device before updating tail sequence in jbd2 * tag 'vfs-6.13-rc7.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: (23 commits) ovl: support encoding fid from inode with no alias ovl: pass realinode to ovl_encode_real_fh() instead of realdentry fuse: respect FOPEN_KEEP_CACHE on opendir netfs: Fix is-caching check in read-retry netfs: Fix the (non-)cancellation of copy when cache is temporarily disabled netfs: Fix ceph copy to cache on write-begin netfs: Work around recursion by abandoning retry if nothing read netfs: Fix missing barriers by using clear_and_wake_up_bit() netfs: Remove redundant use of smp_rmb() cachefiles: Parse the "secctx" immediately nfs: Fix oops in nfs_netfs_init_request() when copying to cache netfs: Fix enomem handling in buffered reads netfs: Fix non-contiguous donation between completed reads kheaders: Ignore silly-rename files fs: relax assertions on failure to encode file handles fs: fix missing declaration of init_files fs: fix is_mnt_ns_file() iomap: fix zero padding data issue in concurrent append writes iomap: pass byte granular end position to iomap_add_to_ioend jbd2: flush filesystem device before updating tail sequence ... commit 0ee4736c003daded513de0ff112d4a1e9c85bbab Author: Mikhail Zaslonko Date: Wed Dec 18 11:32:51 2024 +0100 btrfs: zlib: fix avail_in bytes for s390 zlib HW compression path Since the input data length passed to zlib_compress_folios() can be arbitrary, always setting strm.avail_in to a multiple of PAGE_SIZE may cause read-in bytes to exceed the input range. Currently this triggers an assert in btrfs_compress_folios() on the debug kernel (see below). Fix strm.avail_in calculation for S390 hardware acceleration path. assertion failed: *total_in <= orig_len, in fs/btrfs/compression.c:1041 ------------[ cut here ]------------ kernel BUG at fs/btrfs/compression.c:1041! monitor event: 0040 ilc:2 [#1] PREEMPT SMP CPU: 16 UID: 0 PID: 325 Comm: kworker/u273:3 Not tainted 6.13.0-20241204.rc1.git6.fae3b21430ca.300.fc41.s390x+debug #1 Hardware name: IBM 3931 A01 703 (z/VM 7.4.0) Workqueue: btrfs-delalloc btrfs_work_helper Krnl PSW : 0704d00180000000 0000021761df6538 (btrfs_compress_folios+0x198/0x1a0) R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0 RI:0 EA:3 Krnl GPRS: 0000000080000000 0000000000000001 0000000000000047 0000000000000000 0000000000000006 ffffff01757bb000 000001976232fcc0 000000000000130c 000001976232fcd0 000001976232fcc8 00000118ff4a0e30 0000000000000001 00000111821ab400 0000011100000000 0000021761df6534 000001976232fb58 Krnl Code: 0000021761df6528: c020006f5ef4 larl %r2,0000021762be2310 0000021761df652e: c0e5ffbd09d5 brasl %r14,00000217615978d8 #0000021761df6534: af000000 mc 0,0 >0000021761df6538: 0707 bcr 0,%r7 0000021761df653a: 0707 bcr 0,%r7 0000021761df653c: 0707 bcr 0,%r7 0000021761df653e: 0707 bcr 0,%r7 0000021761df6540: c004004bb7ec brcl 0,000002176276d518 Call Trace: [<0000021761df6538>] btrfs_compress_folios+0x198/0x1a0 ([<0000021761df6534>] btrfs_compress_folios+0x194/0x1a0) [<0000021761d97788>] compress_file_range+0x3b8/0x6d0 [<0000021761dcee7c>] btrfs_work_helper+0x10c/0x160 [<0000021761645760>] process_one_work+0x2b0/0x5d0 [<000002176164637e>] worker_thread+0x20e/0x3e0 [<000002176165221a>] kthread+0x15a/0x170 [<00000217615b859c>] __ret_from_fork+0x3c/0x60 [<00000217626e72d2>] ret_from_fork+0xa/0x38 INFO: lockdep is turned off. Last Breaking-Event-Address: [<0000021761597924>] _printk+0x4c/0x58 Kernel panic - not syncing: Fatal exception: panic_on_oops Fixes: fd1e75d0105d ("btrfs: make compression path to be subpage compatible") CC: stable@vger.kernel.org # 6.12+ Acked-by: Ilya Leoshkevich Reviewed-by: Qu Wenruo Signed-off-by: Mikhail Zaslonko Signed-off-by: David Sterba commit 7467bc5959bf02ef5210ea7e7948e548565c799c Author: Christoph Hellwig Date: Fri Dec 13 07:43:43 2024 +0100 btrfs: zoned: calculate max_extent_size properly on non-zoned setup Since commit 559218d43ec9 ("block: pre-calculate max_zone_append_sectors"), queue_limits's max_zone_append_sectors is default to be 0 and it is only updated when there is a zoned device. So, we have lim->max_zone_append_sectors = 0 when there is no zoned device in the filesystem. That leads to fs_info->max_zone_append_size and thus fs_info->max_extent_size to be 0, which is wrong and can for example lead to a divide by zero in count_max_extents(). Fix this by only capping fs_info->max_extent_size to fs_info->max_zone_append_size when it is non-zero. Based on a patch from Naohiro Aota , from which much of this commit message is stolen as well. Reported-by: Shinichiro Kawasaki Fixes: 559218d43ec9 ("block: pre-calculate max_zone_append_sectors") Tested-by: Shinichiro Kawasaki Reviewed-by: Johannes Thumshirn Reviewed-by: Naohiro Aota Signed-off-by: Christoph Hellwig Signed-off-by: David Sterba commit 6aecd91a5c5b68939cf4169e32bc49f3cd2dd329 Author: Qu Wenruo Date: Thu Jan 2 14:44:16 2025 +1030 btrfs: avoid NULL pointer dereference if no valid extent tree [BUG] Syzbot reported a crash with the following call trace: BTRFS info (device loop0): scrub: started on devid 1 BUG: kernel NULL pointer dereference, address: 0000000000000208 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 106e70067 P4D 106e70067 PUD 107143067 PMD 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 UID: 0 PID: 689 Comm: repro Kdump: loaded Tainted: G O 6.13.0-rc4-custom+ #206 Tainted: [O]=OOT_MODULE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022 RIP: 0010:find_first_extent_item+0x26/0x1f0 [btrfs] Call Trace: scrub_find_fill_first_stripe+0x13d/0x3b0 [btrfs] scrub_simple_mirror+0x175/0x260 [btrfs] scrub_stripe+0x5d4/0x6c0 [btrfs] scrub_chunk+0xbb/0x170 [btrfs] scrub_enumerate_chunks+0x2f4/0x5f0 [btrfs] btrfs_scrub_dev+0x240/0x600 [btrfs] btrfs_ioctl+0x1dc8/0x2fa0 [btrfs] ? do_sys_openat2+0xa5/0xf0 __x64_sys_ioctl+0x97/0xc0 do_syscall_64+0x4f/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e [CAUSE] The reproducer is using a corrupted image where extent tree root is corrupted, thus forcing to use "rescue=all,ro" mount option to mount the image. Then it triggered a scrub, but since scrub relies on extent tree to find where the data/metadata extents are, scrub_find_fill_first_stripe() relies on an non-empty extent root. But unfortunately scrub_find_fill_first_stripe() doesn't really expect an NULL pointer for extent root, it use extent_root to grab fs_info and triggered a NULL pointer dereference. [FIX] Add an extra check for a valid extent root at the beginning of scrub_find_fill_first_stripe(). The new error path is introduced by 42437a6386ff ("btrfs: introduce mount option rescue=ignorebadroots"), but that's pretty old, and later commit b979547513ff ("btrfs: scrub: introduce helper to find and fill sector info for a scrub_stripe") changed how we do scrub. So for kernels older than 6.6, the fix will need manual backport. Reported-by: syzbot+339e9dbe3a2ca419b85d@syzkaller.appspotmail.com Link: https://lore.kernel.org/linux-btrfs/67756935.050a0220.25abdd.0a12.GAE@google.com/ Fixes: 42437a6386ff ("btrfs: introduce mount option rescue=ignorebadroots") Reviewed-by: Anand Jain Signed-off-by: Qu Wenruo Reviewed-by: David Sterba Signed-off-by: David Sterba commit 13563da6ffcf49b8b45772e40b35f96926a7ee1e Merge: 5428dc1906dde5 09dfc8a5f2ce89 Author: Linus Torvalds Date: Mon Jan 6 06:56:23 2025 -0800 Merge tag 'vfio-v6.13-rc7' of https://github.com/awilliam/linux-vfio Pull vfio fix from Alex Williamson: - Fix a missed order alignment requirement of the pfn when inserting mappings through the new huge fault handler introduced in v6.12 (Alex Williamson) * tag 'vfio-v6.13-rc7' of https://github.com/awilliam/linux-vfio: vfio/pci: Fallback huge faults for unaligned pfn commit 368fcc5d3f8bf645a630a44e65f5eb008aba7082 Merge: 03f275adb8fbd7 c45beebfde34aa Author: Christian Brauner Date: Mon Jan 6 15:43:58 2025 +0100 Merge patch series "Fix encoding overlayfs fid for fanotify delete events" Amir Goldstein says: This is a followup fix to the reported regression [1] that was introduced by overlayfs non-decodable file handles support in v6.6. The first fix posted two weeks ago [2] was a quick band aid which is justified on its own and is still queued on your vfs.fixes branch. This followup fix fixes the root cause of overlayfs file handle encoding failure and it also solves a bug with fanotify FAN_DELETE_SELF events on overlayfs, that was discovered from analysis of the first report. The fix to fanotify delete events was verified with a new LTP test [3]. [1] https://lore.kernel.org/linux-fsdevel/CAOQ4uxiie81voLZZi2zXS1BziXZCM24nXqPAxbu8kxXCUWdwOg@mail.gmail.com/ [2] https://lore.kernel.org/linux-fsdevel/20241219115301.465396-1-amir73il@gmail.com/ [3] https://github.com/amir73il/ltp/commits/ovl_encode_fid/ * patches from https://lore.kernel.org/r/20250105162404.357058-1-amir73il@gmail.com: ovl: support encoding fid from inode with no alias ovl: pass realinode to ovl_encode_real_fh() instead of realdentry Link: https://lore.kernel.org/r/20250105162404.357058-1-amir73il@gmail.com Signed-off-by: Christian Brauner commit c45beebfde34aa71afbc48b2c54cdda623515037 Author: Amir Goldstein Date: Sun Jan 5 17:24:04 2025 +0100 ovl: support encoding fid from inode with no alias Dmitry Safonov reported that a WARN_ON() assertion can be trigered by userspace when calling inotify_show_fdinfo() for an overlayfs watched inode, whose dentry aliases were discarded with drop_caches. The WARN_ON() assertion in inotify_show_fdinfo() was removed, because it is possible for encoding file handle to fail for other reason, but the impact of failing to encode an overlayfs file handle goes beyond this assertion. As shown in the LTP test case mentioned in the link below, failure to encode an overlayfs file handle from a non-aliased inode also leads to failure to report an fid with FAN_DELETE_SELF fanotify events. As Dmitry notes in his analyzis of the problem, ovl_encode_fh() fails if it cannot find an alias for the inode, but this failure can be fixed. ovl_encode_fh() seldom uses the alias and in the case of non-decodable file handles, as is often the case with fanotify fid info, ovl_encode_fh() never needs to use the alias to encode a file handle. Defer finding an alias until it is actually needed so ovl_encode_fh() will not fail in the common case of FAN_DELETE_SELF fanotify events. Fixes: 16aac5ad1fa9 ("ovl: support encoding non-decodable file handles") Reported-by: Dmitry Safonov Closes: https://lore.kernel.org/linux-fsdevel/CAOQ4uxiie81voLZZi2zXS1BziXZCM24nXqPAxbu8kxXCUWdwOg@mail.gmail.com/ Signed-off-by: Amir Goldstein Link: https://lore.kernel.org/r/20250105162404.357058-3-amir73il@gmail.com Signed-off-by: Christian Brauner commit 07aeefae7ff44d80524375253980b1bdee2396b0 Author: Amir Goldstein Date: Sun Jan 5 17:24:03 2025 +0100 ovl: pass realinode to ovl_encode_real_fh() instead of realdentry We want to be able to encode an fid from an inode with no alias. Signed-off-by: Amir Goldstein Link: https://lore.kernel.org/r/20250105162404.357058-2-amir73il@gmail.com Signed-off-by: Christian Brauner commit 5428dc1906dde5fb5ab283cda4714011f9811aa1 Merge: cd6313beaeaea0 a5324b3a488d88 Author: Linus Torvalds Date: Mon Jan 6 06:19:36 2025 -0800 Merge tag 'exfat-for-6.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/linkinjeon/exfat Pull exfat fixes from Namjae Jeon: "All fixes are for issues reported by syzbot: - Fix wrong error return in exfat_find_empty_entry() - Fix a endless loop by self-linked chain - fix a KMSAN uninit-value issue in exfat_extend_valid_size()" * tag 'exfat-for-6.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/linkinjeon/exfat: exfat: fix the infinite loop in __exfat_free_cluster() exfat: fix the new buffer was not zeroed before writing exfat: fix the infinite loop in exfat_readdir() exfat: fix exfat_find_empty_entry() not returning error on failure commit cd6313beaeaea0b2e6d428afef7a86a986b50abe Author: Linus Torvalds Date: Mon Jan 6 06:10:24 2025 -0800 Revert "vmstat: disable vmstat_work on vmstat_cpu_down_prep()" This reverts commit adcfb264c3ed51fbbf5068ddf10d309a63683868. It turns out this just causes a different warning splat instead that seems to be much easier to trigger, so let's revert ASAP. Reported-and-bisected-by: Borislav Petkov Tested-by: Breno Leitao Reported-by: Alexander Gordeev Link: https://lore.kernel.org/all/20250106131817.GAZ3vYGVr3-hWFFPLj@fat_crate.local/ Cc: Koichiro Den Cc: Sebastian Andrzej Siewior Cc: Andrew Morton Signed-off-by: Linus Torvalds commit b1d4ac91a9246d7fb1906b2f38f529b097884c8e Author: Zhang Yi Date: Mon Dec 30 11:27:52 2024 +0800 ASoC: codecs: ES8326: Adjust ANA_MICBIAS to reduce pop noise We modify the value of ES8326_ANA_MICBIAS to reduce the pop noise Signed-off-by: Zhang Yi Link: https://patch.msgid.link/20241230032752.108298-1-zhangyi@everest-semi.com Signed-off-by: Mark Brown commit 907af7d6e0c8cf4086b1bc5218281b2ca09f130b Author: Manivannan Sadhasivam Date: Sat Jan 4 17:20:58 2025 +0530 regulator: Move OF_ API declarations/definitions outside CONFIG_REGULATOR Since these are hidden inside CONFIG_REGULATOR, building the consumer drivers without CONFIG_REGULATOR will result in the following build error: >> drivers/pci/pwrctrl/slot.c:39:15: error: implicit declaration of function 'of_regulator_bulk_get_all'; did you mean 'regulator_bulk_get'? [-Werror=implicit-function-declaration] 39 | ret = of_regulator_bulk_get_all(dev, dev_of_node(dev), | ^~~~~~~~~~~~~~~~~~~~~~~~~ | regulator_bulk_get cc1: some warnings being treated as errors This also removes the duplicated definitions that were possibly added to fix the build issues. Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202501020407.HmQQQKa0-lkp@intel.com/ Fixes: 27b9ecc7a9ba ("regulator: Add of_regulator_bulk_get_all") Signed-off-by: Manivannan Sadhasivam Link: https://patch.msgid.link/20250104115058.19216-3-manivannan.sadhasivam@linaro.org Signed-off-by: Mark Brown commit 1156b5e8be98c97087f8971609c852e418daf03b Author: Manivannan Sadhasivam Date: Sat Jan 4 17:20:57 2025 +0530 regulator: Guard of_regulator_bulk_get_all() with CONFIG_OF Since the definition is in drivers/regulator/of_regulator.c and compiled only if CONFIG_OF is enabled, building the consumer driver without CONFIG_OF and with CONFIG_REGULATOR will result in below build error: ERROR: modpost: "of_regulator_bulk_get_all" [drivers/pci/pwrctrl/pci-pwrctl-slot.ko] undefined! Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202412181640.12Iufkvd-lkp@intel.com/ Fixes: 27b9ecc7a9ba ("regulator: Add of_regulator_bulk_get_all") Signed-off-by: Manivannan Sadhasivam Reviewed-by: Bartosz Golaszewski Link: https://patch.msgid.link/20250104115058.19216-2-manivannan.sadhasivam@linaro.org Signed-off-by: Mark Brown commit c21b89d495bab6ae7ce0a1592bb955e5e80127fd Author: Mark Harmstone Date: Fri Jan 3 15:02:26 2025 +0000 btrfs: don't read from userspace twice in btrfs_uring_encoded_read() If we return -EAGAIN the first time because we need to block, btrfs_uring_encoded_read() will get called twice. Take a copy of args, the iovs, and the iter the first time, as by the time we are called the second time these may have gone out of scope. Reported-by: Jens Axboe Fixes: 34310c442e17 ("btrfs: add io_uring command for encoded reads (ENCODED_READ ioctl)") Signed-off-by: Mark Harmstone Signed-off-by: David Sterba commit b0af20d33f63c74985a6dd98344326e5111b2fea Author: Mark Harmstone Date: Fri Jan 3 15:02:25 2025 +0000 io_uring: add io_uring_cmd_get_async_data helper Add a helper function in include/linux/io_uring/cmd.h to read the async_data pointer from a struct io_uring_cmd. Signed-off-by: Mark Harmstone Signed-off-by: David Sterba commit 3347fa658a1baecd61b007787d031b729cd86537 Author: Jens Axboe Date: Fri Jan 3 15:02:24 2025 +0000 io_uring/cmd: add per-op data to struct io_uring_cmd_data In case an op handler for ->uring_cmd() needs stable storage for user data, it can allocate io_uring_cmd_data->op_data and use it for the duration of the request. When the request gets cleaned up, uring_cmd will free it automatically. Signed-off-by: Jens Axboe Signed-off-by: David Sterba commit dadf03cfd4eaa09f1d0e8b2521de1e11d3e3bec1 Author: Jens Axboe Date: Fri Jan 3 15:02:23 2025 +0000 io_uring/cmd: rename struct uring_cache to io_uring_cmd_data In preparation for making this more generically available for ->uring_cmd() usage that needs stable command data, rename it and move it to io_uring/cmd.h instead. Signed-off-by: Jens Axboe Signed-off-by: David Sterba commit b9097e4c8bf3934e4e07e6f9b88741957fef351e Author: Yu-Chun Lin Date: Sun Jan 5 00:51:33 2025 +0800 drm/tests: helpers: Fix compiler warning Delete one line break to make the format correct, resolving the following warning during a W=1 build: >> drivers/gpu/drm/tests/drm_kunit_helpers.c:324: warning: bad line: for a KUnit test Fixes: caa714f86699 ("drm/tests: helpers: Add helper for drm_display_mode_from_cea_vic()") Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202501032001.O6WY1VCW-lkp@intel.com/ Reviewed-by: Kuan-Wei Chiu Tested-by: Kuan-Wei Chiu Reviewed-by: Dmitry Baryshkov Signed-off-by: Yu-Chun Lin Link: https://patchwork.freedesktop.org/patch/msgid/20250104165134.1695864-1-eleanor15x@gmail.com Signed-off-by: Maxime Ripard commit c7f3cd1b245dbdd846ae376cc022c22af8059717 Author: Thorsten Blum Date: Mon Dec 30 13:44:56 2024 +0100 ksmbd: Remove unneeded if check in ksmbd_rdma_capable_netdev() Remove the unnecessary if check and assign the result directly. Signed-off-by: Thorsten Blum Acked-by: Namjae Jeon Signed-off-by: Steve French commit 4c16e1cadcbcaf3c82d5fc310fbd34d0f5d0db7c Author: Wentao Liang Date: Mon Dec 23 23:30:50 2024 +0800 ksmbd: fix a missing return value check bug In the smb2_send_interim_resp(), if ksmbd_alloc_work_struct() fails to allocate a node, it returns a NULL pointer to the in_work pointer. This can lead to an illegal memory write of in_work->response_buf when allocate_interim_rsp_buf() attempts to perform a kzalloc() on it. To address this issue, incorporating a check for the return value of ksmbd_alloc_work_struct() ensures that the function returns immediately upon allocation failure, thereby preventing the aforementioned illegal memory access. Fixes: 041bba4414cd ("ksmbd: fix wrong interim response on compound") Signed-off-by: Wentao Liang Acked-by: Namjae Jeon Signed-off-by: Steve French commit 9d89551994a430b50c4fffcb1e617a057fa76e20 Author: Linus Torvalds Date: Sun Jan 5 14:13:40 2025 -0800 Linux 6.13-rc6 commit 9244696b34f2a626d7468864420ab6a47289bf10 Merge: 5635d8bad22170 385443057f475e Author: Linus Torvalds Date: Sun Jan 5 10:52:47 2025 -0800 Merge tag 'kbuild-fixes-v6.13-3' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild Pull Kbuild fixes from Masahiro Yamada: - Fix escaping of '$' in scripts/mksysmap - Fix a modpost crash observed with the latest binutils - Fix 'provides' in the linux-api-headers pacman package * tag 'kbuild-fixes-v6.13-3' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild: kbuild: pacman-pkg: provide versioned linux-api-headers package modpost: work around unaligned data access error modpost: refactor do_vmbus_entry() modpost: fix the missed iteration for the max bit in do_input() scripts/mksysmap: Fix escape chars '$' commit 5635d8bad221701188017a6087fbe25ab245c226 Merge: 7a5b6fc8bd70cb e7404921818d67 Author: Linus Torvalds Date: Sun Jan 5 10:37:45 2025 -0800 Merge tag 'mm-hotfixes-stable-2025-01-04-18-02' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Pull hotfixes from Andrew Morton: "25 hotfixes. 16 are cc:stable. 18 are MM and 7 are non-MM. The usual bunch of singletons and two doubletons - please see the relevant changelogs for details" * tag 'mm-hotfixes-stable-2025-01-04-18-02' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm: (25 commits) MAINTAINERS: change Arınç _NAL's name and email address scripts/sorttable: fix orc_sort_cmp() to maintain symmetry and transitivity mm/util: make memdup_user_nul() similar to memdup_user() mm, madvise: fix potential workingset node list_lru leaks mm/damon/core: fix ignored quota goals and filters of newly committed schemes mm/damon/core: fix new damon_target objects leaks on damon_commit_targets() mm/list_lru: fix false warning of negative counter vmstat: disable vmstat_work on vmstat_cpu_down_prep() mm: shmem: fix the update of 'shmem_falloc->nr_unswapped' mm: shmem: fix incorrect index alignment for within_size policy percpu: remove intermediate variable in PERCPU_PTR() mm: zswap: fix race between [de]compression and CPU hotunplug ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv fs/proc/task_mmu: fix pagemap flags with PMD THP entries on 32bit kcov: mark in_softirq_really() as __always_inline docs: mm: fix the incorrect 'FileHugeMapped' field mailmap: modify the entry for Mathieu Othacehe mm/kmemleak: fix sleeping function called from invalid context at print message mm: hugetlb: independent PMD page table shared count maple_tree: reload mas before the second call for mas_empty_area ... commit 7a5b6fc8bd70cbb22b1e9eacd7edaf5626e9fc74 Merge: ab75170520d496 c384481006476a Author: Linus Torvalds Date: Sun Jan 5 10:28:34 2025 -0800 Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux Pull clk fixes from Stephen Boyd: "A randconfig build fix and a performance fix: - Fix the CONFIG_RESET_CONTROLLER=n path signature of clk_imx8mp_audiomix_reset_controller_register() to appease randconfig - Speed up the sdhci clk on TH1520 by a factor of 4 by adding a fixed factor clk" * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux: clk: clk-imx8mp-audiomix: fix function signature clk: thead: Fix TH1520 emmc and shdci clock rate commit 385443057f475e775fe1c66e77d4be9727f40973 Author: Thomas Weißschuh Date: Fri Jan 3 19:20:23 2025 +0100 kbuild: pacman-pkg: provide versioned linux-api-headers package The Arch Linux glibc package contains a versioned dependency on "linux-api-headers". If the linux-api-headers package provided by pacman-pkg does not specify an explicit version this dependency is not satisfied. Fix the dependency by providing an explicit version. Fixes: c8578539deba ("kbuild: add script and target to generate pacman package") Signed-off-by: Thomas Weißschuh Reviewed-by: Nathan Chancellor Signed-off-by: Masahiro Yamada commit 5e7f0efd23238039bcd4fc72ff28d94f364ec26b Author: Thiébaud Weksteen Date: Fri Dec 20 15:25:58 2024 +1100 selinux: match extended permissions to their base permissions In commit d1d991efaf34 ("selinux: Add netlink xperm support") a new extended permission was added ("nlmsg"). This was the second extended permission implemented in selinux ("ioctl" being the first one). Extended permissions are associated with a base permission. It was found that, in the access vector cache (avc), the extended permission did not keep track of its base permission. This is an issue for a domain that is using both extended permissions (i.e., a domain calling ioctl() on a netlink socket). In this case, the extended permissions were overlapping. Keep track of the base permission in the cache. A new field "base_perm" is added to struct extended_perms_decision to make sure that the extended permission refers to the correct policy permission. A new field "base_perms" is added to struct extended_perms to quickly decide if extended permissions apply. While it is in theory possible to retrieve the base permission from the access vector, the same base permission may not be mapped to the same bit for each class (e.g., "nlmsg" is mapped to a different bit for "netlink_route_socket" and "netlink_audit_socket"). Instead, use a constant (AVC_EXT_IOCTL or AVC_EXT_NLMSG) provided by the caller. Fixes: d1d991efaf34 ("selinux: Add netlink xperm support") Signed-off-by: Thiébaud Weksteen Signed-off-by: Paul Moore commit 8ce4f287524c74a118b0af1eebd4b24a8efca57a Author: Jiawen Wu Date: Fri Jan 3 16:10:13 2025 +0800 net: libwx: fix firmware mailbox abnormal return The existing SW-FW interaction flow on the driver is wrong. Follow this wrong flow, driver would never return error if there is a unknown command. Since firmware writes back 'firmware ready' and 'unknown command' in the mailbox message if there is an unknown command sent by driver. So reading 'firmware ready' does not timeout. Then driver would mistakenly believe that the interaction has completed successfully. It tends to happen with the use of custom firmware. Move the check for 'unknown command' out of the poll timeout for 'firmware ready'. And adjust the debug log so that mailbox messages are always printed when commands timeout. Fixes: 1efa9bfe58c5 ("net: libwx: Implement interaction with firmware") Signed-off-by: Jiawen Wu Link: https://patch.msgid.link/20250103081013.1995939-1-jiawenwu@trustnetic.com Signed-off-by: Jakub Kicinski commit a4faa15d28f4afb0a7d6213894175e612f825cd6 Merge: e95274dfe86490 eb09fbeb48709f Author: Jakub Kicinski Date: Sat Jan 4 17:00:43 2025 -0800 Merge tag 'ieee802154-for-net-2025-01-03' of git://git.kernel.org/pub/scm/linux/kernel/git/wpan/wpan Stefan Schmidt says: ==================== pull-request: ieee802154 for net 2025-01-03 Keisuke Nishimura provided a fix to check for kfifo_alloc() in the ca8210 driver. Lizhi Xu provided a fix a corrupted list, found by syzkaller, by checking local interfaces first. * tag 'ieee802154-for-net-2025-01-03' of git://git.kernel.org/pub/scm/linux/kernel/git/wpan/wpan: mac802154: check local interfaces before deleting sdata list ieee802154: ca8210: Add missing check for kfifo_alloc() in ca8210_probe() ==================== Link: https://patch.msgid.link/20250103160046.469363-1-stefan@datenfreihafen.org Signed-off-by: Jakub Kicinski commit ab75170520d4964f3acf8bb1f91d34cbc650688e Merge: 63676eefb7a026 cc0dc9e871a91a Author: Linus Torvalds Date: Sat Jan 4 10:59:10 2025 -0800 Merge tag 'linux-watchdog-6.13-rc6' of git://www.linux-watchdog.org/linux-watchdog Pull watchdog fix from Wim Van Sebroeck: - fix error message during stm32 driver probe * tag 'linux-watchdog-6.13-rc6' of git://www.linux-watchdog.org/linux-watchdog: watchdog: stm32_iwdg: fix error message during driver probe commit c83c846231db8b153bfcb44d552d373c34f78245 Author: Pavel Begunkov Date: Sat Jan 4 18:29:02 2025 +0000 io_uring/timeout: fix multishot updates After update only the first shot of a multishot timeout request adheres to the new timeout value while all subsequent retries continue to use the old value. Don't forget to update the timeout stored in struct io_timeout_data. Cc: stable@vger.kernel.org Fixes: ea97f6c8558e8 ("io_uring: add support for multishot timeouts") Reported-by: Christian Mazakas Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/e6516c3304eb654ec234cfa65c88a9579861e597.1736015288.git.asml.silence@gmail.com Signed-off-by: Jens Axboe commit e95274dfe86490ec2a5633035c24b2de6722841f Author: Jakub Kicinski Date: Fri Jan 3 10:24:58 2025 -0800 selftests: tc-testing: reduce rshift value After previous change rshift >= 32 is no longer allowed. Modify the test to use 31, the test doesn't seem to send any traffic so the exact value shouldn't matter. Reviewed-by: Eric Dumazet Link: https://patch.msgid.link/20250103182458.1213486-1-kuba@kernel.org Signed-off-by: Jakub Kicinski commit a039e54397c6a75b713b9ce7894a62e06956aa92 Author: Eric Dumazet Date: Fri Jan 3 10:45:46 2025 +0000 net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute syzbot found that TCA_FLOW_RSHIFT attribute was not validated. Right shitfing a 32bit integer is undefined for large shift values. UBSAN: shift-out-of-bounds in net/sched/cls_flow.c:329:23 shift exponent 9445 is too large for 32-bit type 'u32' (aka 'unsigned int') CPU: 1 UID: 0 PID: 54 Comm: kworker/u8:3 Not tainted 6.13.0-rc3-syzkaller-00180-g4f619d518db9 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: ipv6_addrconf addrconf_dad_work Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:231 [inline] __ubsan_handle_shift_out_of_bounds+0x3c8/0x420 lib/ubsan.c:468 flow_classify+0x24d5/0x25b0 net/sched/cls_flow.c:329 tc_classify include/net/tc_wrapper.h:197 [inline] __tcf_classify net/sched/cls_api.c:1771 [inline] tcf_classify+0x420/0x1160 net/sched/cls_api.c:1867 sfb_classify net/sched/sch_sfb.c:260 [inline] sfb_enqueue+0x3ad/0x18b0 net/sched/sch_sfb.c:318 dev_qdisc_enqueue+0x4b/0x290 net/core/dev.c:3793 __dev_xmit_skb net/core/dev.c:3889 [inline] __dev_queue_xmit+0xf0e/0x3f50 net/core/dev.c:4400 dev_queue_xmit include/linux/netdevice.h:3168 [inline] neigh_hh_output include/net/neighbour.h:523 [inline] neigh_output include/net/neighbour.h:537 [inline] ip_finish_output2+0xd41/0x1390 net/ipv4/ip_output.c:236 iptunnel_xmit+0x55d/0x9b0 net/ipv4/ip_tunnel_core.c:82 udp_tunnel_xmit_skb+0x262/0x3b0 net/ipv4/udp_tunnel_core.c:173 geneve_xmit_skb drivers/net/geneve.c:916 [inline] geneve_xmit+0x21dc/0x2d00 drivers/net/geneve.c:1039 __netdev_start_xmit include/linux/netdevice.h:5002 [inline] netdev_start_xmit include/linux/netdevice.h:5011 [inline] xmit_one net/core/dev.c:3590 [inline] dev_hard_start_xmit+0x27a/0x7d0 net/core/dev.c:3606 __dev_queue_xmit+0x1b73/0x3f50 net/core/dev.c:4434 Fixes: e5dfb815181f ("[NET_SCHED]: Add flow classifier") Reported-by: syzbot+1dbb57d994e54aaa04d2@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/6777bf49.050a0220.178762.0040.GAE@google.com/T/#u Signed-off-by: Eric Dumazet Link: https://patch.msgid.link/20250103104546.3714168-1-edumazet@google.com Signed-off-by: Jakub Kicinski commit 3479c7549fb1dfa7a1db4efb7347c7b8ef50de4b Author: Zhongqiu Duan Date: Thu Jan 2 17:14:26 2025 +0000 tcp/dccp: allow a connection when sk_max_ack_backlog is zero If the backlog of listen() is set to zero, sk_acceptq_is_full() allows one connection to be made, but inet_csk_reqsk_queue_is_full() does not. When the net.ipv4.tcp_syncookies is zero, inet_csk_reqsk_queue_is_full() will cause an immediate drop before the sk_acceptq_is_full() check in tcp_conn_request(), resulting in no connection can be made. This patch tries to keep consistent with 64a146513f8f ("[NET]: Revert incorrect accept queue backlog changes."). Link: https://lore.kernel.org/netdev/20250102080258.53858-1-kuniyu@amazon.com/ Fixes: ef547f2ac16b ("tcp: remove max_qlen_log") Signed-off-by: Zhongqiu Duan Reviewed-by: Kuniyuki Iwashima Reviewed-by: Jason Xing Reviewed-by: Eric Dumazet Link: https://patch.msgid.link/20250102171426.915276-1-dzq.aishenghu0@gmail.com Signed-off-by: Jakub Kicinski commit 1e9b0e1c550c42c13c111d1a31e822057232abc4 Author: Antonio Pastor Date: Thu Jan 2 20:23:00 2025 -0500 net: 802: LLC+SNAP OID:PID lookup on start of skb data 802.2+LLC+SNAP frames received by napi_complete_done() with GRO and DSA have skb->transport_header set two bytes short, or pointing 2 bytes before network_header & skb->data. This was an issue as snap_rcv() expected offset to point to SNAP header (OID:PID), causing packet to be dropped. A fix at llc_fixup_skb() (a024e377efed) resets transport_header for any LLC consumers that may care about it, and stops SNAP packets from being dropped, but doesn't fix the problem which is that LLC and SNAP should not use transport_header offset. Ths patch eliminates the use of transport_header offset for SNAP lookup of OID:PID so that SNAP does not rely on the offset at all. The offset is reset after pull for any SNAP packet consumers that may (but shouldn't) use it. Fixes: fda55eca5a33 ("net: introduce skb_transport_header_was_set()") Signed-off-by: Antonio Pastor Reviewed-by: Eric Dumazet Link: https://patch.msgid.link/20250103012303.746521-1-antonio.pastor@gmail.com Signed-off-by: Jakub Kicinski commit f563dd9ca6cb6ed52c5fb6e4285d1ef26cfa7e8a Author: AngeloGioacchino Del Regno Date: Tue Nov 12 11:50:30 2024 +0100 drm/mediatek: Initialize pointer in mtk_drm_of_ddp_path_build_one() The struct device_node *next pointer is not initialized, and it is used in an error path in which it may have never been modified by function mtk_drm_of_get_ddp_ep_cid(). Since the error path is relying on that pointer being NULL for the OVL Adaptor and/or invalid component check and since said pointer is being used in prints for %pOF, in the case that it points to a bogus address, the print may cause a KP. To resolve that, initialize the *next pointer to NULL before usage. Fixes: 4c932840db1d ("drm/mediatek: Implement OF graphs support for display paths") Reported-by: Dan Carpenter Closes: https://lore.kernel.org/dri-devel/633f3c6d-d09f-447c-95f1-dfb4114c50e6@stanley.mountain/ Signed-off-by: AngeloGioacchino Del Regno Reviewed-by: CK Hu Reviewed-by: Alexandre Mergnat Link: https://patchwork.kernel.org/project/dri-devel/patch/20241112105030.93337-1-angelogioacchino.delregno@collabora.com/ Signed-off-by: Chun-Kuang Hu commit 522908140645865dc3e2fac70fd3b28834dfa7be Author: Liankun Yang Date: Wed Dec 18 19:34:07 2024 +0800 drm/mediatek: Add return value check when reading DPCD Check the return value of drm_dp_dpcd_readb() to confirm that AUX communication is successful. To simplify the code, replace drm_dp_dpcd_readb() and DP_GET_SINK_COUNT() with drm_dp_read_sink_count(). Fixes: f70ac097a2cf ("drm/mediatek: Add MT8195 Embedded DisplayPort driver") Signed-off-by: Liankun Yang Reviewed-by: Guillaume Ranquet Link: https://patchwork.kernel.org/project/dri-devel/patch/20241218113448.2992-1-liankun.yang@mediatek.com/ Signed-off-by: Chun-Kuang Hu commit 03f275adb8fbd7b4ebe96a1ad5044d8e602692dc Author: Amir Goldstein Date: Wed Jan 1 14:00:37 2025 +0100 fuse: respect FOPEN_KEEP_CACHE on opendir The re-factoring of fuse_dir_open() missed the need to invalidate directory inode page cache with open flag FOPEN_KEEP_CACHE. Fixes: 7de64d521bf92 ("fuse: break up fuse_open_common()") Reported-by: Prince Kumar Closes: https://lore.kernel.org/linux-fsdevel/CAEW=TRr7CYb4LtsvQPLj-zx5Y+EYBmGfM24SuzwyDoGVNoKm7w@mail.gmail.com/ Signed-off-by: Amir Goldstein Link: https://lore.kernel.org/r/20250101130037.96680-1-amir73il@gmail.com Reviewed-by: Bernd Schubert Signed-off-by: Christian Brauner commit 63676eefb7a026d04b51dcb7aaf54f358517a2ec Merge: f9aa1fb9f8c054 ce2b93fc1dfa1c Author: Linus Torvalds Date: Fri Jan 3 15:09:12 2025 -0800 Merge tag 'sched_ext-for-6.13-rc5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/sched_ext Pull sched_ext fixes from Tejun Heo: - Fix a bug where bpf_iter_scx_dsq_new() was not initializing the iterator's flags and could inadvertently enable e.g. reverse iteration - Fix a bug where scx_ops_bypass() could call irq_restore twice - Add Andrea and Changwoo as maintainers for better review coverage - selftests and tools/sched_ext build and other fixes * tag 'sched_ext-for-6.13-rc5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/sched_ext: sched_ext: Fix dsq_local_on selftest sched_ext: initialize kit->cursor.flags sched_ext: Fix invalid irq restore in scx_ops_bypass() MAINTAINERS: add me as reviewer for sched_ext MAINTAINERS: add self as reviewer for sched_ext scx: Fix maximal BPF selftest prog sched_ext: fix application of sizeof to pointer selftests/sched_ext: fix build after renames in sched_ext API sched_ext: Add __weak to fix the build errors commit f9aa1fb9f8c0542f5f6e6e620de320995d5622ad Merge: 2ae3aab5578142 d57212f281fda9 Author: Linus Torvalds Date: Fri Jan 3 15:03:56 2025 -0800 Merge tag 'wq-for-6.13-rc5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq Pull workqueue fixes from Tejun Heo: - Suppress a corner case spurious flush dependency warning - Two trivial changes * tag 'wq-for-6.13-rc5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq: workqueue: add printf attribute to __alloc_workqueue() workqueue: Do not warn when cancelling WQ_MEM_RECLAIM work from !WQ_MEM_RECLAIM worker rust: add safety comment in workqueue traits commit 2ae3aab55781428eaefecc10dc40ae65071150ed Merge: a984e234fcdce2 cc0331e29fce4c Author: Linus Torvalds Date: Fri Jan 3 14:58:57 2025 -0800 Merge tag 'block-6.13-20250103' of git://git.kernel.dk/linux Pull block fixes from Jens Axboe: "Collection of fixes for block. Particularly the target name overflow has been a bit annoying, as it results in overwriting random memory and hence shows up as triggering various other bugs. - NVMe pull request via Keith: - Fix device specific quirk for PRP list alignment (Robert) - Fix target name overflow (Leo) - Fix target write granularity (Luis) - Fix target sleeping in atomic context (Nilay) - Remove unnecessary tcp queue teardown (Chunguang) - Simple cdrom typo fix" * tag 'block-6.13-20250103' of git://git.kernel.dk/linux: cdrom: Fix typo, 'devicen' to 'device' nvme-tcp: remove nvme_tcp_destroy_io_queues() nvmet-loop: avoid using mutex in IO hotpath nvmet: propagate npwg topology nvmet: Don't overflow subsysnqn nvme-pci: 512 byte aligned dma pool segment quirk commit a984e234fcdce25a276be882c799e5fda1b32812 Merge: aba74e639f8d76 ed123c948d0668 Author: Linus Torvalds Date: Fri Jan 3 14:45:59 2025 -0800 Merge tag 'io_uring-6.13-20250103' of git://git.kernel.dk/linux Pull io_uring fixes from Jens Axboe: - Fix an issue with the read multishot support and posting of CQEs from io-wq context - Fix a regression introduced in this cycle, where making the timeout lock a raw one uncovered another locking dependency. As a result, move the timeout flushing outside of the timeout lock, punting them to a local list first - Fix use of an uninitialized variable in io_async_msghdr. Doesn't really matter functionally, but silences a valid KMSAN complaint that it's not always initialized - Fix use of incrementally provided buffers for read on non-pollable files, where the buffer always gets committed upfront. Unfortunately the buffer address isn't resolved first, so the read ends up using the updated rather than the current value * tag 'io_uring-6.13-20250103' of git://git.kernel.dk/linux: io_uring/kbuf: use pre-committed buffer address for non-pollable file io_uring/net: always initialize kmsg->msg.msg_inq upfront io_uring/timeout: flush timeouts outside of the timeout lock io_uring/rw: fix downgraded mshot read commit aba74e639f8d76d29b94991615e33319d7371b63 Merge: ee063c23e48212 ce21419b55d867 Author: Linus Torvalds Date: Fri Jan 3 14:36:54 2025 -0800 Merge tag 'net-6.13-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Pull networking fixes from Jakub Kicinski: "Including fixes from wireles and netfilter. Nothing major here. Over the last two weeks we gathered only around two-thirds of our normal weekly fix count, but delaying sending these until -rc7 seemed like a really bad idea. AFAIK we have no bugs under investigation. One or two reverts for stuff for which we haven't gotten a proper fix will likely come in the next PR. Current release - fix to a fix: - netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext - eth: gve: trigger RX NAPI instead of TX NAPI in gve_xsk_wakeup Previous releases - regressions: - net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets - mptcp: - fix sleeping rcvmsg sleeping forever after bad recvbuffer adjust - fix TCP options overflow - prevent excessive coalescing on receive, fix throughput - net: fix memory leak in tcp_conn_request() if map insertion fails - wifi: cw1200: fix potential NULL dereference after conversion to GPIO descriptors - phy: micrel: dynamically control external clock of KSZ PHY, fix suspend behavior Previous releases - always broken: - af_packet: fix VLAN handling with MSG_PEEK - net: restrict SO_REUSEPORT to inet sockets - netdev-genl: avoid empty messages in NAPI get - dsa: microchip: fix set_ageing_time function on KSZ9477 and LAN937X - eth: - gve: XDP fixes around transmit, queue wakeup etc. - ti: icssg-prueth: fix firmware load sequence to prevent time jump which breaks timesync related operations Misc: - netlink: specs: mptcp: add missing attr and improve documentation" * tag 'net-6.13-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (50 commits) net: ti: icssg-prueth: Fix clearing of IEP_CMP_CFG registers during iep_init net: ti: icssg-prueth: Fix firmware load sequence. mptcp: prevent excessive coalescing on receive mptcp: don't always assume copied data in mptcp_cleanup_rbuf() mptcp: fix recvbuffer adjust on sleeping rcvmsg ila: serialize calls to nf_register_net_hooks() af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK af_packet: fix vlan_get_tci() vs MSG_PEEK net: wwan: iosm: Properly check for valid exec stage in ipc_mmio_init() net: restrict SO_REUSEPORT to inet sockets net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets net: sfc: Correct key_len for efx_tc_ct_zone_ht_params net: wwan: t7xx: Fix FSM command timeout issue sky2: Add device ID 11ab:4373 for Marvell 88E8075 mptcp: fix TCP options overflow. net: mv643xx_eth: fix an OF node reference leak gve: trigger RX NAPI instead of TX NAPI in gve_xsk_wakeup eth: bcmsysport: fix call balance of priv->clk handling routines net: llc: reset skb->transport_header netlink: specs: mptcp: fix missing doc ... commit ee063c23e48212a6af163f8d45560a92fcaec125 Merge: dea3165f989b25 0efbca0fec7d16 Author: Linus Torvalds Date: Fri Jan 3 14:16:25 2025 -0800 Merge tag 'nios2_update_for_v6.14' of git://git.kernel.org/pub/scm/linux/kernel/git/dinguyen/linux Pull nios2 fixlet from Dinh Nguyen: - Use str_yes_no() helper function * tag 'nios2_update_for_v6.14' of git://git.kernel.org/pub/scm/linux/kernel/git/dinguyen/linux: nios2: Use str_yes_no() helper in show_cpuinfo() commit dea3165f989b259bc1293d9dfc50053223f5f4b2 Merge: f274fffbc28849 45d339fefaa3dc Author: Linus Torvalds Date: Fri Jan 3 11:09:35 2025 -0800 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma Pull rdma fixes from Jason Gunthorpe: "A lot of fixes accumulated over the holiday break: - Static tool fixes, value is already proven to be NULL, possible integer overflow - Many bnxt_re fixes: - Crashes due to a mismatch in the maximum SGE list size - Don't waste memory for user QPs by creating kernel-only structures - Fix compatability issues with older HW in some of the new HW features recently introduced: RTS->RTS feature, work around 9096 - Do not allow destroy_qp to fail - Validate QP MTU against device limits - Add missing validation on madatory QP attributes for RTR->RTS - Report port_num in query_qp as required by the spec - Fix creation of QPs of the maximum queue size, and in the variable mode - Allow all QPs to be used on newer HW by limiting a work around only to HW it affects - Use the correct MSN table size for variable mode QPs - Add missing locking in create_qp() accessing the qp_tbl - Form WQE buffers correctly when some of the buffers are 0 hop - Don't crash on QP destroy if the userspace doesn't setup the dip_ctx - Add the missing QP flush handler call on the DWQE path to avoid hanging on error recovery - Consistently use ENXIO for return codes if the devices is fatally errored - Try again to fix VLAN support on iwarp, previous fix was reverted due to breaking other cards - Correct error path return code for rdma netlink events - Remove the seperate net_device pointer in siw and rxe which syzkaller found a way to UAF - Fix a UAF of a stack ib_sge in rtrs - Fix a regression where old mlx5 devices and FW were wrongly activing new device features and failing" * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma: (28 commits) RDMA/mlx5: Enable multiplane mode only when it is supported RDMA/bnxt_re: Fix error recovery sequence RDMA/rtrs: Ensure 'ib_sge list' is accessible RDMA/rxe: Remove the direct link to net_device RDMA/hns: Fix missing flush CQE for DWQE RDMA/hns: Fix warning storm caused by invalid input in IO path RDMA/hns: Fix accessing invalid dip_ctx during destroying QP RDMA/hns: Fix mapping error of zero-hop WQE buffer RDMA/bnxt_re: Fix the locking while accessing the QP table RDMA/bnxt_re: Fix MSN table size for variable wqe mode RDMA/bnxt_re: Add send queue size check for variable wqe RDMA/bnxt_re: Disable use of reserved wqes RDMA/bnxt_re: Fix max_qp_wrs reported RDMA/siw: Remove direct link to net_device RDMA/nldev: Set error code in rdma_nl_notify_event RDMA/bnxt_re: Fix reporting hw_ver in query_device RDMA/bnxt_re: Fix to export port num to ib_query_qp RDMA/bnxt_re: Fix setting mandatory attributes for modify_qp RDMA/bnxt_re: Add check for path mtu in modify_qp RDMA/bnxt_re: Fix the check for 9060 condition ... commit f274fffbc28849848fd48379dbc83f10e1019270 Merge: 4f5d3da619fdc7 a37eecb705f337 Author: Linus Torvalds Date: Fri Jan 3 10:57:57 2025 -0800 Merge tag 'pinctrl-v6.13-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl Pull pin control fixes from Linus Walleij: - A small Kconfig fixup for the i.MX. In principle this could come in from the SoC tree but the bug was introduced from the pin control tree so let's fix it from here. - Fix a sleep in atomic context in the MCP23xxx GPIO expander by disabling the regmap locking and using explicit mutex locks. * tag 'pinctrl-v6.13-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl: pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking ARM: imx: Re-introduce the PINCTRL selection commit 4f5d3da619fdc78c1de2765e2e47a44ee9aba98d Merge: 92c3bb3d2e89ab 8765429279e7d3 Author: Linus Torvalds Date: Fri Jan 3 10:54:51 2025 -0800 Merge tag 'sound-6.13-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound Pull sound fixes from Takashi Iwai: "The first new year pull request: no surprises, all small fixes, including: - Follow-up fixes for the new compress-offload API extension - A couple of fixes for MIDI 2.0 UMP handling - A trivial race fix for OSS sequencer emulation ioctls - USB-audio and HD-audio fixes / quirks" * tag 'sound-6.13-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: ALSA: seq: Check UMP support for midi_version change ALSA hda/realtek: Add quirk for Framework F111:000C Revert "ALSA: ump: Don't enumeration invalid groups for legacy rawmidi" ALSA: seq: oss: Fix races at processing SysEx messages ALSA: compress_offload: fix remaining descriptor races in sound/core/compress_offload.c ALSA: compress_offload: Drop unneeded no_free_ptr() ALSA: hda/tas2781: Ignore SUBSYS_ID not found for tas2563 projects ALSA: usb-audio: US16x08: Initialize array before use commit 92c3bb3d2e89ab35072248b08008c508f714f070 Merge: e30dd219c75023 273b3eb600713a Author: Linus Torvalds Date: Fri Jan 3 10:06:44 2025 -0800 Merge tag 'drm-fixes-2025-01-03' of https://gitlab.freedesktop.org/drm/kernel Pull drm fixes from Dave Airlie: "Happy New Year. It was fairly quiet for holidays period, certainly nothing that worth getting off the couch before I needed to, this is for the past two weeks, i915, xe and some adv7511, I expect we will see some amdgpu etc happening next week, but otherwise all quiet. i915: - Fix C10 pll programming sequence [cx0_phy] - Fix power gate sequence. [dg1] xe: - uapi: Revert some devcoredump file format changes breaking a mesa debug tool - Fixes around waits when moving to system - Fix a typo when checking for LMEM provisioning - Fix a fault on fd close after unbind - A couple of OA fixes squashed for stable backporting adv7511: - fix UAF - drop single lane support - audio infoframe fix" * tag 'drm-fixes-2025-01-03' of https://gitlab.freedesktop.org/drm/kernel: xe/oa: Fix query mode of operation for OAR/OAC drm/i915/dg1: Fix power gate sequence. drm/i915/cx0_phy: Fix C10 pll programming sequence drm/xe: Fix fault on fd close after unbind drm/xe/pf: Use correct function to check LMEM provisioning drm/xe: Wait for migration job before unmapping pages drm/xe: Use non-interruptible wait when moving BO to system drm/xe: Revert some changes that break a mesa debug tool drm: adv7511: Drop dsi single lane support dt-bindings: display: adi,adv7533: Drop single lane support drm: adv7511: Fix use-after-free in adv7533_attach_dsi() drm/bridge: adv7511_audio: Update Audio InfoFrame properly commit e30dd219c75023afc5f5ba76dbeb48e926cea645 Merge: 0bc21e701a6ffa 789a8cff8d2dbe Author: Linus Torvalds Date: Fri Jan 3 10:04:43 2025 -0800 Merge tag 'ftrace-v6.13-rc5-2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace Pull ftrace fixes from Steven Rostedt: - Add needed READ_ONCE() around access to the fgraph array element The updates to the fgraph array can happen when callbacks are registered and unregistered. The __ftrace_return_to_handler() can handle reading either the old value or the new value. But once it reads that value it must stay consistent otherwise the check that looks to see if the value is a stub may show false, but if the compiler decides to re-read after that check, it can be true which can cause the code to crash later on. - Make function profiler use the top level ops for filtering again When function graph became available for instances, its filter ops became independent from the top level set_ftrace_filter. In the process the function profiler received its own filter ops as well. But the function profiler uses the top level set_ftrace_filter file and does not have one of its own. In giving it its own filter ops, it lost any user interface it once had. Make it use the top level set_ftrace_filter file again. This fixes a regression. * tag 'ftrace-v6.13-rc5-2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: ftrace: Fix function profiler's filtering functionality fgraph: Add READ_ONCE() when accessing fgraph_array[] commit ed123c948d06688d10f3b10a7bce1d6fbfd1ed07 Author: Jens Axboe Date: Fri Jan 3 09:29:09 2025 -0700 io_uring/kbuf: use pre-committed buffer address for non-pollable file For non-pollable files, buffer ring consumption will commit upfront. This is fine, but io_ring_buffer_select() will return the address of the buffer after having committed it. For incrementally consumed buffers, this is incorrect as it will modify the buffer address. Store the pre-committed value and return that. If that isn't done, then the initial part of the buffer is not used and the application will correctly assume the content arrived at the start of the userspace buffer, but the kernel will have put it later in the buffer. Or it can cause a spurious -EFAULT returned in the CQE, depending on the buffer size. As bounds are suitably checked for doing the actual IO, no adverse side effects are possible - it's just a data misplacement within the existing buffer. Reported-by: Gwendal Fernet Cc: stable@vger.kernel.org Fixes: ae98dbf43d75 ("io_uring/kbuf: add support for incremental buffer consumption") Signed-off-by: Jens Axboe commit 8bd76b3d3f3af7ac2898b6a27ad90c444fec418f Author: Koichiro Den Date: Fri Jan 3 23:18:29 2025 +0900 gpio: sim: lock up configfs that an instantiated device depends on Once a sim device is instantiated and actively used, allowing rmdir for its configfs serves no purpose and can be confusing. Effectively, arbitrary users start depending on its existence. Make the subsystem itself depend on the configfs entry for a sim device while it is in active use. Signed-off-by: Koichiro Den Link: https://lore.kernel.org/r/20250103141829.430662-5-koichiro.den@canonical.com Signed-off-by: Bartosz Golaszewski commit c7c434c1dba955005f5161dae73f09c0a922cfa7 Author: Koichiro Den Date: Fri Jan 3 23:18:28 2025 +0900 gpio: virtuser: lock up configfs that an instantiated device depends on Once a virtuser device is instantiated and actively used, allowing rmdir for its configfs serves no purpose and can be confusing. Userspace interacts with the virtual consumer at arbitrary times, meaning it depends on its existence. Make the subsystem itself depend on the configfs entry for a virtuser device while it is in active use. Signed-off-by: Koichiro Den Link: https://lore.kernel.org/r/20250103141829.430662-4-koichiro.den@canonical.com Signed-off-by: Bartosz Golaszewski commit 656cc2e892f128b03ea9ef19bd11d70f71d5472b Author: Koichiro Den Date: Fri Jan 3 23:18:27 2025 +0900 gpio: virtuser: fix handling of multiple conn_ids in lookup table Creating a virtuser device via configfs with multiple conn_ids fails due to incorrect indexing of lookup entries. Correct the indexing logic to ensure proper functionality when multiple gpio_virtuser_lookup are created. Fixes: 91581c4b3f29 ("gpio: virtuser: new virtual testing driver for the GPIO API") Signed-off-by: Koichiro Den Link: https://lore.kernel.org/r/20250103141829.430662-3-koichiro.den@canonical.com Signed-off-by: Bartosz Golaszewski commit a619cba8c69c434258ff4101d463322cd63e1bdc Author: Koichiro Den Date: Fri Jan 3 23:18:26 2025 +0900 gpio: virtuser: fix missing lookup table cleanups When a virtuser device is created via configfs and the probe fails due to an incorrect lookup table, the table is not removed. This prevents subsequent probe attempts from succeeding, even if the issue is corrected, unless the device is released. Additionally, cleanup is also needed in the less likely case of platform_device_register_full() failure. Besides, a consistent memory leak in lookup_table->dev_id was spotted using kmemleak by toggling the live state between 0 and 1 with a correct lookup table. Introduce gpio_virtuser_remove_lookup_table() as the counterpart to the existing gpio_virtuser_make_lookup_table() and call it from all necessary points to ensure proper cleanup. Fixes: 91581c4b3f29 ("gpio: virtuser: new virtual testing driver for the GPIO API") Signed-off-by: Koichiro Den Link: https://lore.kernel.org/r/20250103141829.430662-2-koichiro.den@canonical.com Signed-off-by: Bartosz Golaszewski commit 548c6edbed92031baa4aa32cae55628c810c3ebb Author: Milan Broz Date: Wed Dec 18 13:56:59 2024 +0100 dm-verity FEC: Avoid copying RS parity bytes twice. Caching RS parity bytes is already done in fec_decode_bufs() now, no need to use yet another buffer for conversion to uint16_t. This patch removes that double copy of RS parity bytes. Signed-off-by: Milan Broz Signed-off-by: Mikulas Patocka commit 6df90c02bae468a3a6110bafbc659884d0c4966c Author: Milan Broz Date: Wed Dec 18 13:56:58 2024 +0100 dm-verity FEC: Fix RS FEC repair for roots unaligned to block size (take 2) This patch fixes an issue that was fixed in the commit df7b59ba9245 ("dm verity: fix FEC for RS roots unaligned to block size") but later broken again in the commit 8ca7cab82bda ("dm verity fec: fix misaligned RS roots IO") If the Reed-Solomon roots setting spans multiple blocks, the code does not use proper parity bytes and randomly fails to repair even trivial errors. This bug cannot happen if the sector size is multiple of RS roots setting (Android case with roots 2). The previous solution was to find a dm-bufio block size that is multiple of the device sector size and roots size. Unfortunately, the optimization in commit 8ca7cab82bda ("dm verity fec: fix misaligned RS roots IO") is incorrect and uses data block size for some roots (for example, it uses 4096 block size for roots = 20). This patch uses a different approach: - It always uses a configured data block size for dm-bufio to avoid possible misaligned IOs. - and it caches the processed parity bytes, so it can join it if it spans two blocks. As the RS calculation is called only if an error is detected and the process is computationally intensive, copying a few more bytes should not introduce performance issues. The issue was reported to cryptsetup with trivial reproducer https://gitlab.com/cryptsetup/cryptsetup/-/issues/923 Reproducer (with roots=20): # create verity device with RS FEC dd if=/dev/urandom of=data.img bs=4096 count=8 status=none veritysetup format data.img hash.img --fec-device=fec.img --fec-roots=20 | \ awk '/^Root hash/{ print $3 }' >roothash # create an erasure that should always be repairable with this roots setting dd if=/dev/zero of=data.img conv=notrunc bs=1 count=4 seek=4 status=none # try to read it through dm-verity veritysetup open data.img test hash.img --fec-device=fec.img --fec-roots=20 $(cat roothash) dd if=/dev/mapper/test of=/dev/null bs=4096 status=noxfer Even now the log says it cannot repair it: : verity-fec: 7:1: FEC 0: failed to correct: -74 : device-mapper: verity: 7:1: data block 0 is corrupted ... With this fix, errors are properly repaired. : verity-fec: 7:1: FEC 0: corrected 4 errors Signed-off-by: Milan Broz Fixes: 8ca7cab82bda ("dm verity fec: fix misaligned RS roots IO") Cc: stable@vger.kernel.org Signed-off-by: Mikulas Patocka commit 09dfc8a5f2ce897005a94bf66cca4f91e4e03700 Author: Alex Williamson Date: Thu Jan 2 11:32:54 2025 -0700 vfio/pci: Fallback huge faults for unaligned pfn The PFN must also be aligned to the fault order to insert a huge pfnmap. Test the alignment and fallback when unaligned. Fixes: f9e54c3a2f5b ("vfio/pci: implement huge_fault support") Link: https://bugzilla.kernel.org/show_bug.cgi?id=219619 Reported-by: Athul Krishna Reported-by: Precific Reviewed-by: Peter Xu Tested-by: Precific Link: https://lore.kernel.org/r/20250102183416.1841878-1-alex.williamson@redhat.com Cc: stable@vger.kernel.org Signed-off-by: Alex Williamson commit 45d339fefaa3dcd237038769e0d34584fb867390 Author: Mark Zhang Date: Thu Dec 19 14:23:36 2024 +0200 RDMA/mlx5: Enable multiplane mode only when it is supported Driver queries vport_cxt.num_plane and enables multiplane when it is greater then 0, but some old FWs (versions from x.40.1000 till x.42.1000), report vport_cxt.num_plane = 1 unexpectedly. Fix it by querying num_plane only when HCA_CAP2.multiplane bit is set. Fixes: 2a5db20fa532 ("RDMA/mlx5: Add support to multi-plane device and port") Link: https://patch.msgid.link/r/1ef901acdf564716fcf550453cf5e94f343777ec.1734610916.git.leon@kernel.org Cc: stable@vger.kernel.org Reported-by: Francesco Poli Closes: https://lore.kernel.org/all/nvs4i2v7o6vn6zhmtq4sgazy2hu5kiulukxcntdelggmznnl7h@so3oul6uwgbl/ Signed-off-by: Mark Zhang Signed-off-by: Leon Romanovsky Reviewed-by: Michal Swiatkowski Signed-off-by: Jason Gunthorpe commit ce21419b55d8671b886ae780ef15734843a6f668 Merge: 3473020d0fcf13 9b115361248dc6 Author: David S. Miller Date: Fri Jan 3 11:54:06 2025 +0000 Merge branch 'net-iep-clock-module-fixes' Meghana Malladi says: ==================== IEP clock module bug fixes This series has some bug fixes for IEP module needed by PPS and timesync operations. Patch 1/2 fixes firmware load sequence to run all the firmwares when either of the ethernet interfaces is up. Move all the code common for firmware bringup under common functions. Patch 2/2 fixes distorted PPS signal when the ethernet interfaces are brough down and up. This patch also fixes enabling PPS signal after bringing the interface up, without disabling PPS. ==================== Signed-off-by: David S. Miller commit 9b115361248dc6cce182a2dc030c1c70b0a9639e Author: Meghana Malladi Date: Mon Dec 23 20:45:50 2024 +0530 net: ti: icssg-prueth: Fix clearing of IEP_CMP_CFG registers during iep_init When ICSSG interfaces are brought down and brought up again, the pru cores are shut down and booted again, flushing out all the memories and start again in a clean state. Hence it is expected that the IEP_CMP_CFG register needs to be flushed during iep_init() to ensure that the existing residual configuration doesn't cause any unusual behavior. If the register is not cleared, existing IEP_CMP_CFG set for CMP1 will result in SYNC0_OUT signal based on the SYNC_OUT register values. After bringing the interface up, calling PPS enable doesn't work as the driver believes PPS is already enabled, (iep->pps_enabled is not cleared during interface bring down) and driver will just return true even though there is no signal. Fix this by disabling pps and perout. Fixes: c1e0230eeaab ("net: ti: icss-iep: Add IEP driver") Signed-off-by: Meghana Malladi Reviewed-by: Roger Quadros Signed-off-by: David S. Miller commit 9facce84f4062f782ebde18daa7006a23d40b607 Author: MD Danish Anwar Date: Mon Dec 23 20:45:49 2024 +0530 net: ti: icssg-prueth: Fix firmware load sequence. Timesync related operations are ran in PRU0 cores for both ICSSG SLICE0 and SLICE1. Currently whenever any ICSSG interface comes up we load the respective firmwares to PRU cores and whenever interface goes down, we stop the resective cores. Due to this, when SLICE0 goes down while SLICE1 is still active, PRU0 firmwares are unloaded and PRU0 core is stopped. This results in clock jump for SLICE1 interface as the timesync related operations are no longer running. As there are interdependencies between SLICE0 and SLICE1 firmwares, fix this by running both PRU0 and PRU1 firmwares as long as at least 1 ICSSG interface is up. Add new flag in prueth struct to check if all firmwares are running and remove the old flag (fw_running). Use emacs_initialized as reference count to load the firmwares for the first and last interface up/down. Moving init_emac_mode and fw_offload_mode API outside of icssg_config to icssg_common_start API as they need to be called only once per firmware boot. Change prueth_emac_restart() to return error code and add error prints inside the caller of this functions in case of any failures. Move prueth_emac_stop() from common to sr1 driver. sr1 and sr2 drivers have different logic handling for stopping the firmwares. While sr1 driver is dependent on emac structure to stop the corresponding pru cores for that slice, for sr2 all the pru cores of both the slices are stopped and is not dependent on emac. So the prueth_emac_stop() function is no longer common and can be moved to sr1 driver. Fixes: c1e0230eeaab ("net: ti: icss-iep: Add IEP driver") Signed-off-by: MD Danish Anwar Signed-off-by: Meghana Malladi Signed-off-by: David S. Miller commit 3473020d0fcf131a94a6289df8a3dac37e67f0d4 Merge: 260466b576bca0 56b824eb49d625 Author: Jakub Kicinski Date: Thu Jan 2 18:44:05 2025 -0800 Merge branch 'mptcp-rx-path-fixes' Matthieu Baerts says: ==================== mptcp: rx path fixes Here are 3 different fixes, all related to the MPTCP receive buffer: - Patch 1: fix receive buffer space when recvmsg() blocks after receiving some data. For a fix introduced in v6.12, backported to v6.1. - Patch 2: mptcp_cleanup_rbuf() can be called when no data has been copied. For 5.11. - Patch 3: prevent excessive coalescing on receive, which can affect the throughput badly. It looks better to wait a bit before backporting this one to stable versions, to get more results. For 5.10. ==================== Link: https://patch.msgid.link/20241230-net-mptcp-rbuf-fixes-v1-0-8608af434ceb@kernel.org Signed-off-by: Jakub Kicinski commit 56b824eb49d6258aa0bad09a406ceac3f643cdae Author: Paolo Abeni Date: Mon Dec 30 19:12:32 2024 +0100 mptcp: prevent excessive coalescing on receive Currently the skb size after coalescing is only limited by the skb layout (the skb must not carry frag_list). A single coalesced skb covering several MSS can potentially fill completely the receive buffer. In such a case, the snd win will zero until the receive buffer will be empty again, affecting tput badly. Fixes: 8268ed4c9d19 ("mptcp: introduce and use mptcp_try_coalesce()") Cc: stable@vger.kernel.org # please delay 2 weeks after 6.13-final release Signed-off-by: Paolo Abeni Reviewed-by: Mat Martineau Signed-off-by: Matthieu Baerts (NGI0) Link: https://patch.msgid.link/20241230-net-mptcp-rbuf-fixes-v1-3-8608af434ceb@kernel.org Signed-off-by: Jakub Kicinski commit 551844f26da2a9f76c0a698baaffa631d1178645 Author: Paolo Abeni Date: Mon Dec 30 19:12:31 2024 +0100 mptcp: don't always assume copied data in mptcp_cleanup_rbuf() Under some corner cases the MPTCP protocol can end-up invoking mptcp_cleanup_rbuf() when no data has been copied, but such helper assumes the opposite condition. Explicitly drop such assumption and performs the costly call only when strictly needed - before releasing the msk socket lock. Fixes: fd8976790a6c ("mptcp: be careful on MPTCP-level ack.") Cc: stable@vger.kernel.org Signed-off-by: Paolo Abeni Reviewed-by: Mat Martineau Signed-off-by: Matthieu Baerts (NGI0) Link: https://patch.msgid.link/20241230-net-mptcp-rbuf-fixes-v1-2-8608af434ceb@kernel.org Signed-off-by: Jakub Kicinski commit 449e6912a2522af672e99992e1201a454910864e Author: Paolo Abeni Date: Mon Dec 30 19:12:30 2024 +0100 mptcp: fix recvbuffer adjust on sleeping rcvmsg If the recvmsg() blocks after receiving some data - i.e. due to SO_RCVLOWAT - the MPTCP code will attempt multiple times to adjust the receive buffer size, wrongly accounting every time the cumulative of received data - instead of accounting only for the delta. Address the issue moving mptcp_rcv_space_adjust just after the data reception and passing it only the just received bytes. This also removes an unneeded difference between the TCP and MPTCP RX code path implementation. Fixes: 581302298524 ("mptcp: error out earlier on disconnect") Cc: stable@vger.kernel.org Signed-off-by: Paolo Abeni Reviewed-by: Mat Martineau Signed-off-by: Matthieu Baerts (NGI0) Link: https://patch.msgid.link/20241230-net-mptcp-rbuf-fixes-v1-1-8608af434ceb@kernel.org Signed-off-by: Jakub Kicinski commit 260466b576bca0081a7d4acecc8e93687aa22d0e Author: Eric Dumazet Date: Mon Dec 30 16:28:49 2024 +0000 ila: serialize calls to nf_register_net_hooks() syzbot found a race in ila_add_mapping() [1] commit 031ae72825ce ("ila: call nf_unregister_net_hooks() sooner") attempted to fix a similar issue. Looking at the syzbot repro, we have concurrent ILA_CMD_ADD commands. Add a mutex to make sure at most one thread is calling nf_register_net_hooks(). [1] BUG: KASAN: slab-use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline] BUG: KASAN: slab-use-after-free in __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604 Read of size 4 at addr ffff888028f40008 by task dhcpcd/5501 CPU: 1 UID: 0 PID: 5501 Comm: dhcpcd Not tainted 6.13.0-rc4-syzkaller-00054-gd6ef8b40d075 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xc3/0x620 mm/kasan/report.c:489 kasan_report+0xd9/0x110 mm/kasan/report.c:602 rht_key_hashfn include/linux/rhashtable.h:159 [inline] __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604 rhashtable_lookup include/linux/rhashtable.h:646 [inline] rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline] ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:127 [inline] ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline] ila_nf_input+0x1ee/0x620 net/ipv6/ila/ila_xlat.c:185 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xbb/0x200 net/netfilter/core.c:626 nf_hook.constprop.0+0x42e/0x750 include/linux/netfilter.h:269 NF_HOOK include/linux/netfilter.h:312 [inline] ipv6_rcv+0xa4/0x680 net/ipv6/ip6_input.c:309 __netif_receive_skb_one_core+0x12e/0x1e0 net/core/dev.c:5672 __netif_receive_skb+0x1d/0x160 net/core/dev.c:5785 process_backlog+0x443/0x15f0 net/core/dev.c:6117 __napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:6883 napi_poll net/core/dev.c:6952 [inline] net_rx_action+0xa94/0x1010 net/core/dev.c:7074 handle_softirqs+0x213/0x8f0 kernel/softirq.c:561 __do_softirq kernel/softirq.c:595 [inline] invoke_softirq kernel/softirq.c:435 [inline] __irq_exit_rcu+0x109/0x170 kernel/softirq.c:662 irq_exit_rcu+0x9/0x30 kernel/softirq.c:678 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline] sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1049 Fixes: 7f00feaf1076 ("ila: Add generic ILA translation facility") Reported-by: syzbot+47e761d22ecf745f72b9@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/6772c9ae.050a0220.2f3838.04c7.GAE@google.com/T/#u Signed-off-by: Eric Dumazet Cc: Florian Westphal Cc: Tom Herbert Link: https://patch.msgid.link/20241230162849.2795486-1-edumazet@google.com Signed-off-by: Jakub Kicinski commit f91a5b8089389eb408501af2762f168c3aaa7b79 Author: Eric Dumazet Date: Mon Dec 30 16:10:04 2024 +0000 af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK Blamed commit forgot MSG_PEEK case, allowing a crash [1] as found by syzbot. Rework vlan_get_protocol_dgram() to not touch skb at all, so that it can be used from many cpus on the same skb. Add a const qualifier to skb argument. [1] skbuff: skb_under_panic: text:ffffffff8a8ccd05 len:29 put:14 head:ffff88807fc8e400 data:ffff88807fc8e3f4 tail:0x11 end:0x140 dev: ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:206 ! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 1 UID: 0 PID: 5892 Comm: syz-executor883 Not tainted 6.13.0-rc4-syzkaller-00054-gd6ef8b40d075 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:skb_panic net/core/skbuff.c:206 [inline] RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216 Code: 0b 8d 48 c7 c6 86 d5 25 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 5a 69 79 f7 48 83 c4 20 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 RSP: 0018:ffffc900038d7638 EFLAGS: 00010282 RAX: 0000000000000087 RBX: dffffc0000000000 RCX: 609ffd18ea660600 RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000 RBP: ffff88802483c8d0 R08: ffffffff817f0a8c R09: 1ffff9200071ae60 R10: dffffc0000000000 R11: fffff5200071ae61 R12: 0000000000000140 R13: ffff88807fc8e400 R14: ffff88807fc8e3f4 R15: 0000000000000011 FS: 00007fbac5e006c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fbac5e00d58 CR3: 000000001238e000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: skb_push+0xe5/0x100 net/core/skbuff.c:2636 vlan_get_protocol_dgram+0x165/0x290 net/packet/af_packet.c:585 packet_recvmsg+0x948/0x1ef0 net/packet/af_packet.c:3552 sock_recvmsg_nosec net/socket.c:1033 [inline] sock_recvmsg+0x22f/0x280 net/socket.c:1055 ____sys_recvmsg+0x1c6/0x480 net/socket.c:2803 ___sys_recvmsg net/socket.c:2845 [inline] do_recvmmsg+0x426/0xab0 net/socket.c:2940 __sys_recvmmsg net/socket.c:3014 [inline] __do_sys_recvmmsg net/socket.c:3037 [inline] __se_sys_recvmmsg net/socket.c:3030 [inline] __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3030 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Fixes: 79eecf631c14 ("af_packet: Handle outgoing VLAN packets without hardware offloading") Reported-by: syzbot+74f70bb1cb968bf09e4f@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/6772c485.050a0220.2f3838.04c5.GAE@google.com/T/#u Signed-off-by: Eric Dumazet Cc: Chengen Du Reviewed-by: Willem de Bruijn Link: https://patch.msgid.link/20241230161004.2681892-2-edumazet@google.com Signed-off-by: Jakub Kicinski commit 77ee7a6d16b6ec07b5c3ae2b6b60a24c1afbed09 Author: Eric Dumazet Date: Mon Dec 30 16:10:03 2024 +0000 af_packet: fix vlan_get_tci() vs MSG_PEEK Blamed commit forgot MSG_PEEK case, allowing a crash [1] as found by syzbot. Rework vlan_get_tci() to not touch skb at all, so that it can be used from many cpus on the same skb. Add a const qualifier to skb argument. [1] skbuff: skb_under_panic: text:ffffffff8a8da482 len:32 put:14 head:ffff88807a1d5800 data:ffff88807a1d5810 tail:0x14 end:0x140 dev: ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:206 ! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 0 UID: 0 PID: 5880 Comm: syz-executor172 Not tainted 6.13.0-rc3-syzkaller-00762-g9268abe611b0 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:skb_panic net/core/skbuff.c:206 [inline] RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216 Code: 0b 8d 48 c7 c6 9e 6c 26 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 3a 5a 79 f7 48 83 c4 20 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 RSP: 0018:ffffc90003baf5b8 EFLAGS: 00010286 RAX: 0000000000000087 RBX: dffffc0000000000 RCX: 8565c1eec37aa000 RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000 RBP: ffff88802616fb50 R08: ffffffff817f0a4c R09: 1ffff92000775e50 R10: dffffc0000000000 R11: fffff52000775e51 R12: 0000000000000140 R13: ffff88807a1d5800 R14: ffff88807a1d5810 R15: 0000000000000014 FS: 00007fa03261f6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffd65753000 CR3: 0000000031720000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: skb_push+0xe5/0x100 net/core/skbuff.c:2636 vlan_get_tci+0x272/0x550 net/packet/af_packet.c:565 packet_recvmsg+0x13c9/0x1ef0 net/packet/af_packet.c:3616 sock_recvmsg_nosec net/socket.c:1044 [inline] sock_recvmsg+0x22f/0x280 net/socket.c:1066 ____sys_recvmsg+0x1c6/0x480 net/socket.c:2814 ___sys_recvmsg net/socket.c:2856 [inline] do_recvmmsg+0x426/0xab0 net/socket.c:2951 __sys_recvmmsg net/socket.c:3025 [inline] __do_sys_recvmmsg net/socket.c:3048 [inline] __se_sys_recvmmsg net/socket.c:3041 [inline] __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3041 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 Fixes: 79eecf631c14 ("af_packet: Handle outgoing VLAN packets without hardware offloading") Reported-by: syzbot+8400677f3fd43f37d3bc@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/6772c485.050a0220.2f3838.04c6.GAE@google.com/T/#u Signed-off-by: Eric Dumazet Cc: Chengen Du Reviewed-by: Willem de Bruijn Link: https://patch.msgid.link/20241230161004.2681892-1-edumazet@google.com Signed-off-by: Jakub Kicinski commit a7af435df0e04cfb4a4004136d597c42639a2ae7 Author: Maciej S. Szmigiero Date: Sun Dec 29 17:46:58 2024 +0100 net: wwan: iosm: Properly check for valid exec stage in ipc_mmio_init() ipc_mmio_init() used the post-decrement operator in its loop continuing condition of "retries" counter being "> 0", which meant that when this condition caused loop exit "retries" counter reached -1. But the later valid exec stage failure check only tests for "retries" counter being exactly zero, so it didn't trigger in this case (but would wrongly trigger if the code reaches a valid exec stage in the very last loop iteration). Fix this by using the pre-decrement operator instead, so the loop counter is exactly zero on valid exec stage failure. Fixes: dc0514f5d828 ("net: iosm: mmio scratchpad") Signed-off-by: Maciej S. Szmigiero Link: https://patch.msgid.link/8b19125a825f9dcdd81c667c1e5c48ba28d505a6.1735490770.git.mail@maciej.szmigiero.name Signed-off-by: Jakub Kicinski commit 5b0af621c3f6ef9261cf6067812f2fd9943acb4b Author: Eric Dumazet Date: Tue Dec 31 16:05:27 2024 +0000 net: restrict SO_REUSEPORT to inet sockets After blamed commit, crypto sockets could accidentally be destroyed from RCU call back, as spotted by zyzbot [1]. Trying to acquire a mutex in RCU callback is not allowed. Restrict SO_REUSEPORT socket option to inet sockets. v1 of this patch supported TCP, UDP and SCTP sockets, but fcnal-test.sh test needed RAW and ICMP support. [1] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:562 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 24, name: ksoftirqd/1 preempt_count: 100, expected: 0 RCU nest depth: 0, expected: 0 1 lock held by ksoftirqd/1/24: #0: ffffffff8e937ba0 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline] #0: ffffffff8e937ba0 (rcu_callback){....}-{0:0}, at: rcu_do_batch kernel/rcu/tree.c:2561 [inline] #0: ffffffff8e937ba0 (rcu_callback){....}-{0:0}, at: rcu_core+0xa37/0x17a0 kernel/rcu/tree.c:2823 Preemption disabled at: [] softirq_handle_begin kernel/softirq.c:402 [inline] [] handle_softirqs+0x128/0x9b0 kernel/softirq.c:537 CPU: 1 UID: 0 PID: 24 Comm: ksoftirqd/1 Not tainted 6.13.0-rc3-syzkaller-00174-ga024e377efed #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 __might_resched+0x5d4/0x780 kernel/sched/core.c:8758 __mutex_lock_common kernel/locking/mutex.c:562 [inline] __mutex_lock+0x131/0xee0 kernel/locking/mutex.c:735 crypto_put_default_null_skcipher+0x18/0x70 crypto/crypto_null.c:179 aead_release+0x3d/0x50 crypto/algif_aead.c:489 alg_do_release crypto/af_alg.c:118 [inline] alg_sock_destruct+0x86/0xc0 crypto/af_alg.c:502 __sk_destruct+0x58/0x5f0 net/core/sock.c:2260 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xaaa/0x17a0 kernel/rcu/tree.c:2823 handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561 run_ksoftirqd+0xca/0x130 kernel/softirq.c:950 smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Fixes: 8c7138b33e5c ("net: Unpublish sk from sk_reuseport_cb before call_rcu") Reported-by: syzbot+b3e02953598f447d4d2a@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/6772f2f4.050a0220.2f3838.04cb.GAE@google.com/T/#u Signed-off-by: Eric Dumazet Cc: Martin KaFai Lau Reviewed-by: Kuniyuki Iwashima Link: https://patch.msgid.link/20241231160527.3994168-1-edumazet@google.com Signed-off-by: Jakub Kicinski commit 68e068cabd2c6c533ef934c2e5151609cf6ecc6d Author: Willem de Bruijn Date: Wed Jan 1 11:47:40 2025 -0500 net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets The blamed commit disabled hardware offoad of IPv6 packets with extension headers on devices that advertise NETIF_F_IPV6_CSUM, based on the definition of that feature in skbuff.h: * * - %NETIF_F_IPV6_CSUM * - Driver (device) is only able to checksum plain * TCP or UDP packets over IPv6. These are specifically * unencapsulated packets of the form IPv6|TCP or * IPv6|UDP where the Next Header field in the IPv6 * header is either TCP or UDP. IPv6 extension headers * are not supported with this feature. This feature * cannot be set in features for a device with * NETIF_F_HW_CSUM also set. This feature is being * DEPRECATED (see below). The change causes skb_warn_bad_offload to fire for BIG TCP packets. [ 496.310233] WARNING: CPU: 13 PID: 23472 at net/core/dev.c:3129 skb_warn_bad_offload+0xc4/0xe0 [ 496.310297] ? skb_warn_bad_offload+0xc4/0xe0 [ 496.310300] skb_checksum_help+0x129/0x1f0 [ 496.310303] skb_csum_hwoffload_help+0x150/0x1b0 [ 496.310306] validate_xmit_skb+0x159/0x270 [ 496.310309] validate_xmit_skb_list+0x41/0x70 [ 496.310312] sch_direct_xmit+0x5c/0x250 [ 496.310317] __qdisc_run+0x388/0x620 BIG TCP introduced an IPV6_TLV_JUMBO IPv6 extension header to communicate packet length, as this is an IPv6 jumbogram. But, the feature is only enabled on devices that support BIG TCP TSO. The header is only present for PF_PACKET taps like tcpdump, and not transmitted by physical devices. For this specific case of extension headers that are not transmitted, return to the situation before the blamed commit and support hardware offload. ipv6_has_hopopt_jumbo() tests not only whether this header is present, but also that it is the only extension header before a terminal (L4) header. Fixes: 04c20a9356f2 ("net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension") Reported-by: syzbot Reported-by: Eric Dumazet Closes: https://lore.kernel.org/netdev/CANn89iK1hdC3Nt8KPhOtTF8vCPc1AHDCtse_BTNki1pWxAByTQ@mail.gmail.com/ Signed-off-by: Willem de Bruijn Reviewed-by: Eric Dumazet Link: https://patch.msgid.link/20250101164909.1331680-1-willemdebruijn.kernel@gmail.com Signed-off-by: Jakub Kicinski commit a8620de72e5676993ec3a3b975f7c10908f5f60f Author: Liang Jie Date: Mon Dec 30 17:37:09 2024 +0800 net: sfc: Correct key_len for efx_tc_ct_zone_ht_params In efx_tc_ct_zone_ht_params, the key_len was previously set to offsetof(struct efx_tc_ct_zone, linkage). This calculation is incorrect because it includes any padding between the zone field and the linkage field due to structure alignment, which can vary between systems. This patch updates key_len to use sizeof_field(struct efx_tc_ct_zone, zone) , ensuring that the hash table correctly uses the zone as the key. This fix prevents potential hash lookup errors and improves connection tracking reliability. Fixes: c3bb5c6acd4e ("sfc: functions to register for conntrack zone offload") Signed-off-by: Liang Jie Acked-by: Edward Cree Link: https://patch.msgid.link/20241230093709.3226854-1-buaajxlj@163.com Signed-off-by: Jakub Kicinski commit 273b3eb600713a5e71c64b8b403b355dc580f167 Merge: 198c653edf4f30 f0ed39830e6064 Author: Dave Airlie Date: Fri Jan 3 10:57:00 2025 +1000 Merge tag 'drm-xe-fixes-2025-01-02' of https://gitlab.freedesktop.org/drm/xe/kernel into drm-fixes Driver Changes: - A couple of OA fixes squashed for stable backporting (Umesh) Signed-off-by: Dave Airlie From: Thomas Hellstrom Link: https://patchwork.freedesktop.org/patch/msgid/Z3bur0RmH6-70YSh@fedora commit 198c653edf4f30c877f38e551abfdc4c2d2e6bef Merge: 48fc4378dec636 79d67c499c3f88 Author: Dave Airlie Date: Fri Jan 3 10:43:36 2025 +1000 Merge tag 'drm-misc-fixes-2025-01-02' of https://gitlab.freedesktop.org/drm/misc/kernel into drm-fixes drm-misc-fixes for v6.13-rc6: - Only fixes for adv7511 driver, including a use-after-free. Signed-off-by: Dave Airlie From: Maarten Lankhorst Link: https://patchwork.freedesktop.org/patch/msgid/f58429b7-5f11-4b78-b577-de32b41299ea@linux.intel.com commit 48fc4378dec636b2061830c74db91cf4e4b611a1 Merge: 3bce3cc6442176 20e7c5313ffbf1 Author: Dave Airlie Date: Fri Jan 3 10:40:43 2025 +1000 Merge tag 'drm-intel-fixes-2024-12-25' of https://gitlab.freedesktop.org/drm/i915/kernel into drm-fixes - Fix C10 pll programming sequence [cx0_phy] (Suraj Kandpal) - Fix power gate sequence. [dg1] (Rodrigo Vivi) Signed-off-by: Dave Airlie From: Tvrtko Ursulin Link: https://patchwork.freedesktop.org/patch/msgid/Z2wKf7tmElKFdnoP@linux commit 3bce3cc6442176ebd9a14a08675c18a2f6b30a96 Merge: fc033cf25e612e fe39b222a41393 Author: Dave Airlie Date: Fri Jan 3 10:28:43 2025 +1000 Merge tag 'drm-xe-fixes-2024-12-23' of https://gitlab.freedesktop.org/drm/xe/kernel into drm-fixes UAPI Changes: - Revert some devcoredump file format changes breaking a mesa debug tool (John) Driver Changes: - Fixes around waits when moving to system (Nirmoy) - Fix a typo when checking for LMEM provisioning (Michal) - Fix a fault on fd close after unbind (Lucas) Signed-off-by: Dave Airlie From: Thomas Hellstrom Link: https://patchwork.freedesktop.org/patch/msgid/Z2mjt7OTfH76cgua@fedora commit c6e60a0a68b7e6b3c7e33863a16e8e88ba9eee6f Author: Jens Axboe Date: Thu Jan 2 16:32:51 2025 -0700 io_uring/net: always initialize kmsg->msg.msg_inq upfront syzbot reports that ->msg_inq may get used uinitialized from the following path: BUG: KMSAN: uninit-value in io_recv_buf_select io_uring/net.c:1094 [inline] BUG: KMSAN: uninit-value in io_recv+0x930/0x1f90 io_uring/net.c:1158 io_recv_buf_select io_uring/net.c:1094 [inline] io_recv+0x930/0x1f90 io_uring/net.c:1158 io_issue_sqe+0x420/0x2130 io_uring/io_uring.c:1740 io_queue_sqe io_uring/io_uring.c:1950 [inline] io_req_task_submit+0xfa/0x1d0 io_uring/io_uring.c:1374 io_handle_tw_list+0x55f/0x5c0 io_uring/io_uring.c:1057 tctx_task_work_run+0x109/0x3e0 io_uring/io_uring.c:1121 tctx_task_work+0x6d/0xc0 io_uring/io_uring.c:1139 task_work_run+0x268/0x310 kernel/task_work.c:239 io_run_task_work+0x43a/0x4a0 io_uring/io_uring.h:343 io_cqring_wait io_uring/io_uring.c:2527 [inline] __do_sys_io_uring_enter io_uring/io_uring.c:3439 [inline] __se_sys_io_uring_enter+0x204f/0x4ce0 io_uring/io_uring.c:3330 __x64_sys_io_uring_enter+0x11f/0x1a0 io_uring/io_uring.c:3330 x64_sys_call+0xce5/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:427 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f and it is correct, as it's never initialized upfront. Hence the first submission can end up using it uninitialized, if the recv wasn't successful and the networking stack didn't honor ->msg_get_inq being set and filling in the output value of ->msg_inq as requested. Set it to 0 upfront when it's allocated, just to silence this KMSAN warning. There's no side effect of using it uninitialized, it'll just potentially cause the next receive to use a recv value hint that's not accurate. Fixes: c6f32c7d9e09 ("io_uring/net: get rid of ->prep_async() for receive side") Reported-by: syzbot+068ff190354d2f74892f@syzkaller.appspotmail.com Signed-off-by: Jens Axboe commit 789a8cff8d2dbe4b5c617c3004b5eb63fa7a3b35 Author: Kohei Enju Date: Thu Jan 2 04:08:20 2025 +0900 ftrace: Fix function profiler's filtering functionality Commit c132be2c4fcc ("function_graph: Have the instances use their own ftrace_ops for filtering"), function profiler (enabled via function_profile_enabled) has been showing statistics for all functions, ignoring set_ftrace_filter settings. While tracers are instantiated, the function profiler is not. Therefore, it should use the global set_ftrace_filter for consistency. This patch modifies the function profiler to use the global filter, fixing the filtering functionality. Before (filtering not working): ``` root@localhost:~# echo 'vfs*' > /sys/kernel/tracing/set_ftrace_filter root@localhost:~# echo 1 > /sys/kernel/tracing/function_profile_enabled root@localhost:~# sleep 1 root@localhost:~# echo 0 > /sys/kernel/tracing/function_profile_enabled root@localhost:~# head /sys/kernel/tracing/trace_stat/* Function Hit Time Avg s^2 -------- --- ---- --- --- schedule 314 22290594 us 70989.15 us 40372231 us x64_sys_call 1527 8762510 us 5738.382 us 3414354 us schedule_hrtimeout_range 176 8665356 us 49234.98 us 405618876 us __x64_sys_ppoll 324 5656635 us 17458.75 us 19203976 us do_sys_poll 324 5653747 us 17449.83 us 19214945 us schedule_timeout 67 5531396 us 82558.15 us 2136740827 us __x64_sys_pselect6 12 3029540 us 252461.7 us 63296940171 us do_pselect.constprop.0 12 3029532 us 252461.0 us 63296952931 us ``` After (filtering working): ``` root@localhost:~# echo 'vfs*' > /sys/kernel/tracing/set_ftrace_filter root@localhost:~# echo 1 > /sys/kernel/tracing/function_profile_enabled root@localhost:~# sleep 1 root@localhost:~# echo 0 > /sys/kernel/tracing/function_profile_enabled root@localhost:~# head /sys/kernel/tracing/trace_stat/* Function Hit Time Avg s^2 -------- --- ---- --- --- vfs_write 462 68476.43 us 148.217 us 25874.48 us vfs_read 641 9611.356 us 14.994 us 28868.07 us vfs_fstat 890 878.094 us 0.986 us 1.667 us vfs_fstatat 227 757.176 us 3.335 us 18.928 us vfs_statx 226 610.610 us 2.701 us 17.749 us vfs_getattr_nosec 1187 460.919 us 0.388 us 0.326 us vfs_statx_path 297 343.287 us 1.155 us 11.116 us vfs_rename 6 291.575 us 48.595 us 9889.236 us ``` Cc: stable@vger.kernel.org Link: https://lore.kernel.org/20250101190820.72534-1-enjuk@amazon.com Fixes: c132be2c4fcc ("function_graph: Have the instances use their own ftrace_ops for filtering") Signed-off-by: Kohei Enju Signed-off-by: Steven Rostedt (Google) commit d65474033740ded0a4fe9a097fce72328655b41d Author: Zilin Guan Date: Tue Dec 31 11:37:31 2024 +0000 fgraph: Add READ_ONCE() when accessing fgraph_array[] In __ftrace_return_to_handler(), a loop iterates over the fgraph_array[] elements, which are fgraph_ops. The loop checks if an element is a fgraph_stub to prevent using a fgraph_stub afterward. However, if the compiler reloads fgraph_array[] after this check, it might race with an update to fgraph_array[] that introduces a fgraph_stub. This could result in the stub being processed, but the stub contains a null "func_hash" field, leading to a NULL pointer dereference. To ensure that the gops compared against the fgraph_stub matches the gops processed later, add a READ_ONCE(). A similar patch appears in commit 63a8dfb ("function_graph: Add READ_ONCE() when accessing fgraph_array[]"). Cc: stable@vger.kernel.org Fixes: 37238abe3cb47 ("ftrace/function_graph: Pass fgraph_ops to function graph callbacks") Link: https://lore.kernel.org/20241231113731.277668-1-zilin@seu.edu.cn Signed-off-by: Zilin Guan Signed-off-by: Steven Rostedt (Google) commit 0bc21e701a6ffacfdde7f04f87d664d82e8a13bf Author: Olof Johansson Date: Thu Jan 2 06:30:03 2025 -0800 MAINTAINERS: Remove Olof from SoC maintainers I haven't been an active participant for a couple of years now, and after discussions at Linux Plumbers in 2024, Arnd is getting fresh help from a few more participants. It's time to remove myself, and spare myself from patches and pull requests in my inbox. Signed-off-by: Olof Johansson Cc: Arnd Bergmann Signed-off-by: Linus Torvalds commit e6b7c8c5a173c7c99ae2222f640e02b5fa822691 Merge: 8c2d370154bab8 f64f610ec6ab59 Author: Linus Torvalds Date: Thu Jan 2 10:40:40 2025 -0800 Merge tag 'pmdomain-v6.13-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/linux-pm Pull pmdomain fixes from Ulf Hansson: - Silence warning by adding a dummy release function - imx: Fix an OF node reference leak in imx_gpcv2_probe() * tag 'pmdomain-v6.13-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/linux-pm: pmdomain: core: add dummy release function to genpd device pmdomain: imx: gpcv2: fix an OF node reference leak in imx_gpcv2_probe() commit 8c2d370154bab85f7f6a7dbaa9ec11e052e042d3 Merge: 56e6a3499e1471 8d90a86ed05322 Author: Linus Torvalds Date: Thu Jan 2 10:33:07 2025 -0800 Merge tag 'mmc-v6.13-rc2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc Pull MMC fix from Ulf Hansson: - sdhci-msm: Fix crypto key eviction * tag 'mmc-v6.13-rc2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc: mmc: sdhci-msm: fix crypto key eviction commit f0ed39830e6064d62f9c5393505677a26569bb56 Author: Umesh Nerlige Ramappa Date: Fri Dec 20 09:19:18 2024 -0800 xe/oa: Fix query mode of operation for OAR/OAC This is a set of squashed commits to facilitate smooth applying to stable. Each commit message is retained for reference. 1) Allow a GGTT mapped batch to be submitted to user exec queue For a OA use case, one of the HW registers needs to be modified by submitting an MI_LOAD_REGISTER_IMM command to the users exec queue, so that the register is modified in the user's hardware context. In order to do this a batch that is mapped in GGTT, needs to be submitted to the user exec queue. Since all user submissions use q->vm and hence PPGTT, add some plumbing to enable submission of batches mapped in GGTT. v2: ggtt is zero-initialized, so no need to set it false (Matt Brost) 2) xe/oa: Use MI_LOAD_REGISTER_IMMEDIATE to enable OAR/OAC To enable OAR/OAC, a bit in RING_CONTEXT_CONTROL needs to be set. Setting this bit cause the context image size to change and if not done correct, can cause undesired hangs. Current code uses a separate exec_queue to modify this bit and is error-prone. As per HW recommendation, submit MI_LOAD_REGISTER_IMM to the target hardware context to modify the relevant bit. In v2 version, an attempt to submit everything to the user-queue was made, but it failed the unprivileged-single-ctx-counters test. It appears that the OACTXCONTROL must be modified from a remote context. In v3 version, all context specific register configurations were moved to use LOAD_REGISTER_IMMEDIATE and that seems to work well. This is a cleaner way, since we can now submit all configuration to user exec_queue and the fence handling is simplified. v2: (Matt) - set job->ggtt to true if create job is successful - unlock vm on job error (Ashutosh) - don't wait on job submission - use kernel exec queue where possible v3: (Ashutosh) - Fix checkpatch issues - Remove extra spaces/new-lines - Add Fixes: and Cc: tags - Reset context control bit when OA stream is closed - Submit all config via MI_LOAD_REGISTER_IMMEDIATE (Umesh) - Update commit message for v3 experiment - Squash patches for easier port to stable v4: (Ashutosh) - No need to pass q to xe_oa_submit_bb - Do not support exec queues with width > 1 - Fix disabling of CTX_CTRL_OAC_CONTEXT_ENABLE v5: (Ashutosh) - Drop reg_lri related comments - Use XE_OA_SUBMIT_NO_DEPS in xe_oa_load_with_lri Fixes: 8135f1c09dd2 ("drm/xe/oa: Don't reset OAC_CONTEXT_ENABLE on OA stream close") Signed-off-by: Umesh Nerlige Ramappa Reviewed-by: Matthew Brost # commit 1 Reviewed-by: Ashutosh Dixit Cc: stable@vger.kernel.org Reviewed-by: Jonathan Cavitt Signed-off-by: Ashutosh Dixit Link: https://patchwork.freedesktop.org/patch/msgid/20241220171919.571528-2-umesh.nerlige.ramappa@intel.com (cherry picked from commit 55039832f98c7e05f1cf9e0d8c12b2490abd0f16) Signed-off-by: Thomas Hellström commit 3b2f56860b05bf0cea86af786fd9b7faa8fe3ef3 Author: Manivannan Sadhasivam Date: Thu Dec 19 22:20:44 2024 +0530 scsi: ufs: qcom: Power down the controller/device during system suspend for SM8550/SM8650 SoCs SM8550 and SM8650 SoCs doesn't support UFS PHY retention. So once these SoCs reaches the low power state (CX power collapse) during system suspend, all the PHY hardware state gets lost. This leads to the UFS resume failure: ufshcd-qcom 1d84000.ufs: ufshcd_uic_hibern8_exit: hibern8 exit failed. ret = 5 ufshcd-qcom 1d84000.ufs: __ufshcd_wl_resume: hibern8 exit failed 5 ufs_device_wlun 0:0:0:49488: ufshcd_wl_resume failed: 5 ufs_device_wlun 0:0:0:49488: PM: dpm_run_callback(): scsi_bus_resume+0x0/0x84 returns 5 ufs_device_wlun 0:0:0:49488: PM: failed to resume async: error 5 With the default system suspend level of UFS_PM_LVL_3, the power domain for UFS PHY needs to be kept always ON to retain the state. But this would prevent these SoCs from reaching the CX power collapse state, leading to poor power saving during system suspend. So to fix this issue without affecting the power saving, set 'ufs_qcom_drvdata::no_phy_retention' to true which sets 'hba->spm_lvl' to UFS_PM_LVL_5 to allow both the controller and device (in turn the PHY) to be powered down during system suspend for these SoCs by default. Cc: stable@vger.kernel.org # 6.3 Fixes: 35cf1aaab169 ("arm64: dts: qcom: sm8550: Add UFS host controller and phy nodes") Fixes: 10e024671295 ("arm64: dts: qcom: sm8650: add interconnect dependent device nodes") Reported-by: Neil Armstrong Tested-by: Amit Pundir # on SM8550-HDK Reviewed-by: Bart Van Assche Tested-by: Neil Armstrong # on SM8550-QRD Signed-off-by: Manivannan Sadhasivam Link: https://lore.kernel.org/r/20241219-ufs-qcom-suspend-fix-v3-4-63c4b95a70b9@linaro.org Signed-off-by: Martin K. Petersen commit 4f78a56af4c472834681759d4365fb93921da77d Author: Manivannan Sadhasivam Date: Thu Dec 19 22:20:43 2024 +0530 scsi: ufs: qcom: Allow passing platform specific OF data In order to allow platform specific flags and configurations, introduce the platform specific OF data and move the existing quirk UFSHCD_QUIRK_BROKEN_LSDBS_CAP for SM8550 and SM8650 SoCs. Reviewed-by: Avri Altman Reviewed-by: Neil Armstrong Tested-by: Amit Pundir # on SM8550-HDK Reviewed-by: Bart Van Assche Tested-by: Neil Armstrong # on SM8550-QRD Signed-off-by: Manivannan Sadhasivam Link: https://lore.kernel.org/r/20241219-ufs-qcom-suspend-fix-v3-3-63c4b95a70b9@linaro.org Signed-off-by: Martin K. Petersen commit bb9850704c043e48c86cc9df90ee102e8a338229 Author: Manivannan Sadhasivam Date: Thu Dec 19 22:20:42 2024 +0530 scsi: ufs: core: Honor runtime/system PM levels if set by host controller drivers Otherwise, the default levels will override the levels set by the host controller drivers. Signed-off-by: Manivannan Sadhasivam Link: https://lore.kernel.org/r/20241219-ufs-qcom-suspend-fix-v3-2-63c4b95a70b9@linaro.org Reviewed-by: Bart Van Assche Signed-off-by: Martin K. Petersen commit 7bac65687510038390a0a54cbe14fba08d037e46 Author: Manivannan Sadhasivam Date: Thu Dec 19 22:20:41 2024 +0530 scsi: ufs: qcom: Power off the PHY if it was already powered on in ufs_qcom_power_up_sequence() PHY might already be powered on during ufs_qcom_power_up_sequence() in a couple of cases: 1. During UFSHCD_QUIRK_REINIT_AFTER_MAX_GEAR_SWITCH quirk 2. Resuming from spm_lvl = 5 suspend In those cases, it is necessary to call phy_power_off() and phy_exit() in ufs_qcom_power_up_sequence() function to power off the PHY before calling phy_init() and phy_power_on(). Case (1) is doing it via ufs_qcom_reinit_notify() callback, but case (2) is not handled. So to satisfy both cases, call phy_power_off() and phy_exit() if the phy_count is non-zero. And with this change, the reinit_notify() callback is no longer needed. This fixes the below UFS resume failure with spm_lvl = 5: ufshcd-qcom 1d84000.ufshc: Enabling the controller failed ufshcd-qcom 1d84000.ufshc: Enabling the controller failed ufshcd-qcom 1d84000.ufshc: Enabling the controller failed ufshcd-qcom 1d84000.ufshc: ufshcd_host_reset_and_restore: Host init failed -5 ufshcd-qcom 1d84000.ufshc: Enabling the controller failed ufshcd-qcom 1d84000.ufshc: Enabling the controller failed ufshcd-qcom 1d84000.ufshc: Enabling the controller failed ufshcd-qcom 1d84000.ufshc: ufshcd_host_reset_and_restore: Host init failed -5 ufshcd-qcom 1d84000.ufshc: Enabling the controller failed ufshcd-qcom 1d84000.ufshc: Enabling the controller failed ufshcd-qcom 1d84000.ufshc: Enabling the controller failed ufshcd-qcom 1d84000.ufshc: ufshcd_host_reset_and_restore: Host init failed -5 ufshcd-qcom 1d84000.ufshc: Enabling the controller failed ufshcd-qcom 1d84000.ufshc: Enabling the controller failed ufshcd-qcom 1d84000.ufshc: Enabling the controller failed ufshcd-qcom 1d84000.ufshc: ufshcd_host_reset_and_restore: Host init failed -5 ufshcd-qcom 1d84000.ufshc: Enabling the controller failed ufshcd-qcom 1d84000.ufshc: Enabling the controller failed ufshcd-qcom 1d84000.ufshc: Enabling the controller failed ufshcd-qcom 1d84000.ufshc: ufshcd_host_reset_and_restore: Host init failed -5 ufs_device_wlun 0:0:0:49488: ufshcd_wl_resume failed: -5 ufs_device_wlun 0:0:0:49488: PM: dpm_run_callback(): scsi_bus_resume returns -5 ufs_device_wlun 0:0:0:49488: PM: failed to resume async: error -5 Cc: stable@vger.kernel.org # 6.3 Fixes: baf5ddac90dc ("scsi: ufs: ufs-qcom: Add support for reinitializing the UFS device") Reported-by: Ram Kumar Dwivedi Tested-by: Amit Pundir # on SM8550-HDK Reviewed-by: Bart Van Assche Tested-by: Neil Armstrong # on SM8550-QRD Signed-off-by: Manivannan Sadhasivam Link: https://lore.kernel.org/r/20241219-ufs-qcom-suspend-fix-v3-1-63c4b95a70b9@linaro.org Signed-off-by: Martin K. Petersen commit 202580b60229345dc2637099f10c8a8857c1fdc2 Author: MD Danish Anwar Date: Fri Dec 20 15:35:07 2024 +0530 soc: ti: pruss: Fix pruss APIs PRUSS APIs in pruss_driver.h produce lots of compilation errors when CONFIG_TI_PRUSS is not set. The errors and warnings, warning: returning 'void *' from a function with return type 'int' makes integer from pointer without a cast [-Wint-conversion] error: expected identifier or '(' before '{' token Fix these warnings and errors by fixing the return type of pruss APIs as well as removing the misplaced semicolon from pruss_cfg_xfr_enable() Fixes: 0211cc1e4fbb ("soc: ti: pruss: Add helper functions to set GPI mode, MII_RT_event and XFR") Signed-off-by: MD Danish Anwar Reviewed-by: Roger Quadros Link: https://lore.kernel.org/r/20241220100508.1554309-2-danishanwar@ti.com Signed-off-by: Nishanth Menon commit 5cc2db37124bb33914996d6fdbb2ddb3811f2945 Author: Andrew Cooper Date: Sat Dec 21 21:10:46 2024 +0000 x86/static-call: Remove early_boot_irqs_disabled check to fix Xen PVH dom0 __static_call_update_early() has a check for early_boot_irqs_disabled, but is used before early_boot_irqs_disabled is set up in start_kernel(). Xen PV has always special cased early_boot_irqs_disabled, but Xen PVH does not and falls over the BUG when booting as dom0. It is very suspect that early_boot_irqs_disabled starts as 0, becomes 1 for a time, then becomes 0 again, but as this needs backporting to fix a breakage in a security fix, dropping the BUG_ON() is the far safer option. Fixes: 0ef8047b737d ("x86/static-call: provide a way to do very early static-call updates") Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219620 Reported-by: Alex Zenla Suggested-by: Peter Zijlstra Signed-off-by: Andrew Cooper Signed-off-by: Borislav Petkov (AMD) Reviewed-by: Juergen Gross Acked-by: Peter Zijlstra (Intel) Tested-by: Alex Zenla Link: https://lore.kernel.org/r/20241221211046.6475-1-andrew.cooper3@citrix.com commit 997bb2d75646d2d07d6629503b5864e174cb1d18 Merge: e16ebd9d839d12 44c5aa73ccd1e8 Author: Greg Kroah-Hartman Date: Thu Jan 2 16:53:11 2025 +0100 Merge tag 'icc-6.13-rc6' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/djakov/icc into char-misc-next Georgi writes: interconnect fixes for v6.13-rc This contains two fixes. One fixing a boot error on db410c board when UBSAN is enabled with clang-19 builds. The other one adds a missing return value check after devm_kasprintf. - interconnect: qcom: icc-rpm: Set the count member before accessing the flex array - interconnect: icc-clk: check return values of devm_kasprintf() Signed-off-by: Georgi Djakov * tag 'icc-6.13-rc6' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/djakov/icc: interconnect: icc-clk: check return values of devm_kasprintf() interconnect: qcom: icc-rpm: Set the count member before accessing the flex array commit c4bd13be1949020e3b1c9ed6889988e0b30c3d3b Author: Chun-Kuang Hu Date: Mon Dec 30 13:53:14 2024 +0000 drm/mediatek: Remove unneeded semicolon cocci warnings: (new ones prefixed by >>) >> drivers/gpu/drm/mediatek/mtk_drm_drv.c:1092:2-3: Unneeded semicolon Fixes: 4c932840db1d ("drm/mediatek: Implement OF graphs support for display paths") Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202412022048.kY2ZhxZ4-lkp@intel.com/ Reviewed-by: AngeloGioacchino Del Regno Link: https://patchwork.kernel.org/project/dri-devel/patch/20241230135314.5419-1-chunkuang.hu@kernel.org/ Signed-off-by: Chun-Kuang Hu commit 56e6a3499e14716b9a28a307bb6d18c10e95301e Merge: ccb98ccef0e543 afc6717628f959 Author: Linus Torvalds Date: Wed Jan 1 11:22:07 2025 -0800 Merge tag 'trace-v6.13-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace Pull tracing fix from Steven Rostedt: "Fix trace event string check when dealing with array of strings The xe_bo_move event has a field that indexes into an array of strings. The TP_fast_assign() added the index into the ring buffer and the TP_printk() had a "%s" that referenced the array using the index in the ring buffer. This is a legitimate use of "%s" in trace events. But this triggered a false positive in the test_event_printk() at boot saying that the string was dangerous. Change the check to allow arrays using fields in the ring buffer as an index to be considered a safe string" * tag 'trace-v6.13-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: tracing: Have process_string() also allow arrays commit cc0331e29fce4c3c2eaedeb7029360be6ed1185c Merge: de30d74f58cbec 36e3b1f9abe359 Author: Jens Axboe Date: Tue Dec 31 10:41:58 2024 -0700 Merge tag 'nvme-6.13-2024-12-31' of git://git.infradead.org/nvme into block-6.13 Pull NVMe fixes from Keith: "nvme fixes for Linux 6.13 - Fix device specific quirk for PRP list alignment (Robert) - Fix target name overflow (Leo) - Fix target write granularity (Luis) - Fix target sleeping in atomic context (Nilay) - Remove unnecessary tcp queue teardown (Chunguang)" * tag 'nvme-6.13-2024-12-31' of git://git.infradead.org/nvme: nvme-tcp: remove nvme_tcp_destroy_io_queues() nvmet-loop: avoid using mutex in IO hotpath nvmet: propagate npwg topology nvmet: Don't overflow subsysnqn nvme-pci: 512 byte aligned dma pool segment quirk commit 8765429279e7d3d68d39ace5f84af2815174bb1e Author: Takashi Iwai Date: Tue Dec 31 15:53:58 2024 +0100 ALSA: seq: Check UMP support for midi_version change When the kernel is built without UMP support but a user-space app requires the midi_version > 0, the kernel should return an error. Otherwise user-space assumes as if it were possible to deal, eventually hitting serious errors later. Fixes: 46397622a3fa ("ALSA: seq: Add UMP support") Cc: Link: https://patch.msgid.link/20241231145358.21946-1-tiwai@suse.de Signed-off-by: Takashi Iwai commit e6178bf78d0378c2d397a6aafaf4882d0af643fa Author: Kalesh AP Date: Tue Dec 31 08:20:08 2024 +0530 RDMA/bnxt_re: Fix error recovery sequence Fixed to return ENXIO from __send_message_basic_sanity() to indicate that device is in error state. In the case of ERR_DEVICE_DETACHED state, the driver should not post the commands to the firmware as it will time out eventually. Removed bnxt_re_modify_qp() call from bnxt_re_dev_stop() as it is a no-op. Fixes: cc5b9b48d447 ("RDMA/bnxt_re: Recover the device when FW error is detected") Signed-off-by: Kalesh AP Signed-off-by: Kashyap Desai Link: https://patch.msgid.link/20241231025008.2267162-1-kalesh-anakkur.purayil@broadcom.com Reviewed-by: Selvin Xavier Signed-off-by: Leon Romanovsky commit fb514b31395946022f13a08e06a435f53cf9e8b3 Author: Li Zhijian Date: Tue Dec 31 09:34:16 2024 +0800 RDMA/rtrs: Ensure 'ib_sge list' is accessible Move the declaration of the 'ib_sge list' variable outside the 'always_invalidate' block to ensure it remains accessible for use throughout the function. Previously, 'ib_sge list' was declared within the 'always_invalidate' block, limiting its accessibility, then caused a 'BUG: kernel NULL pointer dereference'[1]. ? __die_body.cold+0x19/0x27 ? page_fault_oops+0x15a/0x2d0 ? search_module_extables+0x19/0x60 ? search_bpf_extables+0x5f/0x80 ? exc_page_fault+0x7e/0x180 ? asm_exc_page_fault+0x26/0x30 ? memcpy_orig+0xd5/0x140 rxe_mr_copy+0x1c3/0x200 [rdma_rxe] ? rxe_pool_get_index+0x4b/0x80 [rdma_rxe] copy_data+0xa5/0x230 [rdma_rxe] rxe_requester+0xd9b/0xf70 [rdma_rxe] ? finish_task_switch.isra.0+0x99/0x2e0 rxe_sender+0x13/0x40 [rdma_rxe] do_task+0x68/0x1e0 [rdma_rxe] process_one_work+0x177/0x330 worker_thread+0x252/0x390 ? __pfx_worker_thread+0x10/0x10 This change ensures the variable is available for subsequent operations that require it. [1] https://lore.kernel.org/linux-rdma/6a1f3e8f-deb0-49f9-bc69-a9b03ecfcda7@fujitsu.com/ Fixes: 9cb837480424 ("RDMA/rtrs: server: main functionality") Signed-off-by: Li Zhijian Link: https://patch.msgid.link/20241231013416.1290920-1-lizhijian@fujitsu.com Signed-off-by: Leon Romanovsky commit 7b509910b3ad6d7aacead24c8744de10daf8715d Author: Daniel Schaefer Date: Tue Dec 31 12:59:58 2024 +0800 ALSA hda/realtek: Add quirk for Framework F111:000C Similar to commit eb91c456f371 ("ALSA: hda/realtek: Add Framework Laptop 13 (Intel Core Ultra) to quirks") and previous quirks for Framework systems with Realtek codecs. 000C is a new platform that will also have an ALC285 codec and needs the same quirk. Cc: Jaroslav Kysela Cc: Takashi Iwai Cc: linux@frame.work Cc: Dustin L. Howett Signed-off-by: Daniel Schaefer Cc: Link: https://patch.msgid.link/20241231045958.14545-1-dhs@frame.work Signed-off-by: Takashi Iwai commit a5324b3a488d883aa2d42f72260054e87d0940a0 Author: Yuezhang Mo Date: Mon Dec 16 13:39:42 2024 +0800 exfat: fix the infinite loop in __exfat_free_cluster() In __exfat_free_cluster(), the cluster chain is traversed until the EOF cluster. If the cluster chain includes a loop due to file system corruption, the EOF cluster cannot be traversed, resulting in an infinite loop. This commit uses the total number of clusters to prevent this infinite loop. Reported-by: syzbot+1de5a37cb85a2d536330@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=1de5a37cb85a2d536330 Tested-by: syzbot+1de5a37cb85a2d536330@syzkaller.appspotmail.com Fixes: 31023864e67a ("exfat: add fat entry operations") Signed-off-by: Yuezhang Mo Reviewed-by: Sungjong Seo Signed-off-by: Namjae Jeon commit 98e2fb26d1a9eafe79f46d15d54e68e014d81d8c Author: Yuezhang Mo Date: Thu Dec 12 16:29:23 2024 +0800 exfat: fix the new buffer was not zeroed before writing Before writing, if a buffer_head marked as new, its data must be zeroed, otherwise uninitialized data in the page cache will be written. So this commit uses folio_zero_new_buffers() to zero the new buffers before ->write_end(). Fixes: 6630ea49103c ("exfat: move extend valid_size into ->page_mkwrite()") Reported-by: syzbot+91ae49e1c1a2634d20c0@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=91ae49e1c1a2634d20c0 Tested-by: syzbot+91ae49e1c1a2634d20c0@syzkaller.appspotmail.com Signed-off-by: Yuezhang Mo Reviewed-by: Sungjong Seo Signed-off-by: Namjae Jeon commit fee873761bd978d077d8c55334b4966ac4cb7b59 Author: Yuezhang Mo Date: Fri Dec 13 13:08:37 2024 +0800 exfat: fix the infinite loop in exfat_readdir() If the file system is corrupted so that a cluster is linked to itself in the cluster chain, and there is an unused directory entry in the cluster, 'dentry' will not be incremented, causing condition 'dentry < max_dentries' unable to prevent an infinite loop. This infinite loop causes s_lock not to be released, and other tasks will hang, such as exfat_sync_fs(). This commit stops traversing the cluster chain when there is unused directory entry in the cluster to avoid this infinite loop. Reported-by: syzbot+205c2644abdff9d3f9fc@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=205c2644abdff9d3f9fc Tested-by: syzbot+205c2644abdff9d3f9fc@syzkaller.appspotmail.com Fixes: ca06197382bd ("exfat: add directory operations") Signed-off-by: Yuezhang Mo Reviewed-by: Sungjong Seo Signed-off-by: Namjae Jeon commit afc6717628f959941d7b33728570568b4af1c4b8 Author: Steven Rostedt Date: Tue Dec 31 00:06:46 2024 -0500 tracing: Have process_string() also allow arrays In order to catch a common bug where a TRACE_EVENT() TP_fast_assign() assigns an address of an allocated string to the ring buffer and then references it in TP_printk(), which can be executed hours later when the string is free, the function test_event_printk() runs on all events as they are registered to make sure there's no unwanted dereferencing. It calls process_string() to handle cases in TP_printk() format that has "%s". It returns whether or not the string is safe. But it can have some false positives. For instance, xe_bo_move() has: TP_printk("move_lacks_source:%s, migrate object %p [size %zu] from %s to %s device_id:%s", __entry->move_lacks_source ? "yes" : "no", __entry->bo, __entry->size, xe_mem_type_to_name[__entry->old_placement], xe_mem_type_to_name[__entry->new_placement], __get_str(device_id)) Where the "%s" references into xe_mem_type_to_name[]. This is an array of pointers that should be safe for the event to access. Instead of flagging this as a bad reference, if a reference points to an array, where the record field is the index, consider it safe. Link: https://lore.kernel.org/all/9dee19b6185d325d0e6fa5f7cbba81d007d99166.camel@sapience.com/ Cc: stable@vger.kernel.org Cc: Masami Hiramatsu Cc: Mathieu Desnoyers Link: https://lore.kernel.org/20241231000646.324fb5f7@gandalf.local.home Fixes: 65a25d9f7ac02 ("tracing: Add "%s" check in test_event_printk()") Reported-by: Genes Lists Tested-by: Gene C Signed-off-by: Steven Rostedt (Google) commit 4f619d518db9cd1a933c3a095a5f95d0c1584ae8 Author: Jinjian Song Date: Tue Dec 24 12:15:52 2024 +0800 net: wwan: t7xx: Fix FSM command timeout issue When driver processes the internal state change command, it use an asynchronous thread to process the command operation. If the main thread detects that the task has timed out, the asynchronous thread will panic when executing the completion notification because the main thread completion object has been released. BUG: unable to handle page fault for address: fffffffffffffff8 PGD 1f283a067 P4D 1f283a067 PUD 1f283c067 PMD 0 Oops: 0000 [#1] PREEMPT SMP NOPTI RIP: 0010:complete_all+0x3e/0xa0 [...] Call Trace: ? __die_body+0x68/0xb0 ? page_fault_oops+0x379/0x3e0 ? exc_page_fault+0x69/0xa0 ? asm_exc_page_fault+0x22/0x30 ? complete_all+0x3e/0xa0 fsm_main_thread+0xa3/0x9c0 [mtk_t7xx (HASH:1400 5)] ? __pfx_autoremove_wake_function+0x10/0x10 kthread+0xd8/0x110 ? __pfx_fsm_main_thread+0x10/0x10 [mtk_t7xx (HASH:1400 5)] ? __pfx_kthread+0x10/0x10 ret_from_fork+0x38/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 [...] CR2: fffffffffffffff8 ---[ end trace 0000000000000000 ]--- Use the reference counter to ensure safe release as Sergey suggests: https://lore.kernel.org/all/da90f64c-260a-4329-87bf-1f9ff20a5951@gmail.com/ Fixes: 13e920d93e37 ("net: wwan: t7xx: Add core components") Signed-off-by: Jinjian Song Acked-by: Sergey Ryazanov Link: https://patch.msgid.link/20241224041552.8711-1-jinjian.song@fibocom.com Signed-off-by: Jakub Kicinski commit e7404921818d676da4d7143ce78659456b05e2af Author: Chester A. Unal Date: Wed Dec 25 15:50:41 2024 +0300 MAINTAINERS: change Arınç _NAL's name and email address My legal name now includes Chester. Change the name and the email address sections to reflect that. Link: https://lkml.kernel.org/r/20241225-for-unknown-upstream-v1-1-3e35e4d5e161@arinc9.com Signed-off-by: Chester A. Unal Signed-off-by: Andrew Morton commit 0210d251162f4033350a94a43f95b1c39ec84a90 Author: Kuan-Wei Chiu Date: Thu Dec 26 22:03:32 2024 +0800 scripts/sorttable: fix orc_sort_cmp() to maintain symmetry and transitivity The orc_sort_cmp() function, used with qsort(), previously violated the symmetry and transitivity rules required by the C standard. Specifically, when both entries are ORC_TYPE_UNDEFINED, it could result in both a < b and b < a, which breaks the required symmetry and transitivity. This can lead to undefined behavior and incorrect sorting results, potentially causing memory corruption in glibc implementations [1]. Symmetry: If x < y, then y > x. Transitivity: If x < y and y < z, then x < z. Fix the comparison logic to return 0 when both entries are ORC_TYPE_UNDEFINED, ensuring compliance with qsort() requirements. Link: https://www.qualys.com/2024/01/30/qsort.txt [1] Link: https://lkml.kernel.org/r/20241226140332.2670689-1-visitorckw@gmail.com Fixes: 57fa18994285 ("scripts/sorttable: Implement build-time ORC unwind table sorting") Fixes: fb799447ae29 ("x86,objtool: Split UNWIND_HINT_EMPTY in two") Signed-off-by: Kuan-Wei Chiu Cc: Ching-Chun (Jim) Huang Cc: Cc: Ingo Molnar Cc: Josh Poimboeuf Cc: Peter Zijlstra Cc: Shile Zhang Cc: Steven Rostedt Cc: Signed-off-by: Andrew Morton commit dd2a5b5514ab0e690f018595e34dd1fcb981d345 Author: Tetsuo Handa Date: Sat Dec 21 16:47:29 2024 +0900 mm/util: make memdup_user_nul() similar to memdup_user() Since the string data to copy from userspace is likely less than PAGE_SIZE bytes, replace GFP_KERNEL with GFP_USER like commit 6c2c97a24f09 ("memdup_user(): switch to GFP_USER") does and add __GFP_NOWARN like commit 6c8fcc096be9 ("mm: don't let userspace spam allocations warnings") does. Also, use dedicated slab buckets like commit d73778e4b867 ("mm/util: Use dedicated slab buckets for memdup_user()") does. Link: https://lkml.kernel.org/r/014cd694-cc27-4a07-a34a-2ae95d744515@I-love.SAKURA.ne.jp Reported-by: syzbot+7e12e97b36154c54414b@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=7e12e97b36154c54414b Signed-off-by: Tetsuo Handa Signed-off-by: Andrew Morton commit 62e72d2cf702a5e2fb53d9c46ed900d9384e4a06 Author: Kairui Song Date: Sun Dec 22 20:29:36 2024 +0800 mm, madvise: fix potential workingset node list_lru leaks Since commit 5abc1e37afa0 ("mm: list_lru: allocate list_lru_one only when needed"), all list_lru users need to allocate the items using the new infrastructure that provides list_lru info for slab allocation, ensuring that the corresponding memcg list_lru is allocated before use. For workingset shadow nodes (which are xa_node), users are converted to use the new infrastructure by commit 9bbdc0f32409 ("xarray: use kmem_cache_alloc_lru to allocate xa_node"). The xas->xa_lru will be set correctly for filemap users. However, there is a missing case: xa_node allocations caused by madvise(..., MADV_COLLAPSE). madvise(..., MADV_COLLAPSE) will also read in the absent parts of file map, and there will be xa_nodes allocated for the caller's memcg (assuming it's not rootcg). However, these allocations won't trigger memcg list_lru allocation because the proper xas info was not set. If nothing else has allocated other xa_nodes for that memcg to trigger list_lru creation, and memory pressure starts to evict file pages, workingset_update_node will try to add these xa_nodes to their corresponding memcg list_lru, and it does not exist (NULL). So they will be added to rootcg's list_lru instead. This shouldn't be a significant issue in practice, but it is indeed unexpected behavior, and these xa_nodes will not be reclaimed effectively. And may lead to incorrect counting of the list_lru->nr_items counter. This problem wasn't exposed until recent commit 28e98022b31ef ("mm/list_lru: simplify reparenting and initial allocation") added a sanity check: only dying memcg could have a NULL list_lru when list_lru_{add,del} is called. This problem triggered this WARNING. So make madvise(..., MADV_COLLAPSE) also call xas_set_lru() to pass the list_lru which we may want to insert xa_node into later. And move mapping_set_update to mm/internal.h, and turn into a macro to avoid including extra headers in mm/internal.h. Link: https://lkml.kernel.org/r/20241222122936.67501-1-ryncsn@gmail.com Fixes: 9bbdc0f32409 ("xarray: use kmem_cache_alloc_lru to allocate xa_node") Reported-by: syzbot+38a0cbd267eff2d286ff@syzkaller.appspotmail.com Closes: https://lore.kernel.org/lkml/675d01e9.050a0220.37aaf.00be.GAE@google.com/ Signed-off-by: Kairui Song Cc: Chengming Zhou Cc: Johannes Weiner Cc: Matthew Wilcox (Oracle) Cc: Michal Hocko Cc: Muchun Song Cc: Qi Zheng Cc: Roman Gushchin Cc: Sasha Levin Cc: Shakeel Butt Cc: Yu Zhao Signed-off-by: Andrew Morton commit 7d390b53067ef745e2d9bee5a9683df4c96b80a0 Author: SeongJae Park Date: Sun Dec 22 15:12:22 2024 -0800 mm/damon/core: fix ignored quota goals and filters of newly committed schemes damon_commit_schemes() ignores quota goals and filters of the newly committed schemes. This makes users confused about the behaviors. Correctly handle those inputs. Link: https://lkml.kernel.org/r/20241222231222.85060-3-sj@kernel.org Fixes: 9cb3d0b9dfce ("mm/damon/core: implement DAMON context commit function") Signed-off-by: SeongJae Park Cc: Signed-off-by: Andrew Morton commit 8debfc5b1aa569d3d2ac836af2553da037611c61 Author: SeongJae Park Date: Sun Dec 22 15:12:21 2024 -0800 mm/damon/core: fix new damon_target objects leaks on damon_commit_targets() Patch series "mm/damon/core: fix memory leaks and ignored inputs from damon_commit_ctx()". Due to two bugs in damon_commit_targets() and damon_commit_schemes(), which are called from damon_commit_ctx(), some user inputs can be ignored, and some mmeory objects can be leaked. Fix those. Note that only DAMON sysfs interface users are affected. Other DAMON core API user modules that more focused more on simple and dedicated production usages, including DAMON_RECLAIM and DAMON_LRU_SORT are not using the buggy function in the way, so not affected. This patch (of 2): When new DAMON targets are added via damon_commit_targets(), the newly created targets are not deallocated when updating the internal data (damon_commit_target()) is failed. Worse yet, even if the setup is successfully done, the new target is not linked to the context. Hence, the new targets are always leaked regardless of the internal data setup failure. Fix the leaks. Link: https://lkml.kernel.org/r/20241222231222.85060-2-sj@kernel.org Fixes: 9cb3d0b9dfce ("mm/damon/core: implement DAMON context commit function") Signed-off-by: SeongJae Park Cc: Signed-off-by: Andrew Morton commit 98a6abc6cec186bdc3d94c162227cc8e003de76c Author: Kairui Song Date: Mon Dec 23 23:09:07 2024 +0800 mm/list_lru: fix false warning of negative counter commit 2788cf0c401c ("memcg: reparent list_lrus and free kmemcg_id on css offline") removed sanity checks for the nr_items counter's value because it implemented list_lru re-parenting in a way that will redirect children's list_lru to the parent before re-parenting the items in list_lru. This will make item counter uncharging happen in the parent while the item is still being held by the child. As a result, the parent's counter value may become negative. This is acceptable because re-parenting will sum up the children's counter values, and the parent's counter will be fixed. Later commit fb56fdf8b9a2 ("mm/list_lru: split the lock to per-cgroup scope") reworked the re-parenting process, and removed the redirect. So it added the sanity check back, assuming that as long as items are still in the children's list_lru, parent's counter will not be uncharged. But that assumption is incorrect. The xas_store in memcg_reparent_list_lrus will set children's list_lru to NULL before re-parenting the items, it redirects list_lru helpers to use parent's list_lru just like before. But still, it's not a problem as re-parenting will fix the counter. Therefore, remove this sanity check, but add a new check to ensure that the counter won't go negative in a different way: the child's list_lru being re-parented should never have a negative counter, since re-parenting should occur in order and fixes counters. Link: https://lkml.kernel.org/r/20241223150907.1591-1-ryncsn@gmail.com Fixes: fb56fdf8b9a2 ("mm/list_lru: split the lock to per-cgroup scope") Signed-off-by: Kairui Song Closes: https://lore.kernel.org/lkml/Z2Bz9t92Be9l1xqj@lappy/ Cc: Chengming Zhou Cc: Johannes Weiner Cc: Matthew Wilcox Cc: Michal Hocko Cc: Muchun Song Cc: Qi Zheng Cc: Roman Gushchin Cc: Sasha Levin Cc: Shakeel Butt Cc: Yu Zhao Signed-off-by: Andrew Morton commit adcfb264c3ed51fbbf5068ddf10d309a63683868 Author: Koichiro Den Date: Sat Dec 21 12:33:20 2024 +0900 vmstat: disable vmstat_work on vmstat_cpu_down_prep() Even after mm/vmstat:online teardown, shepherd may still queue work for the dying cpu until the cpu is removed from online mask. While it's quite rare, this means that after unbind_workers() unbinds a per-cpu kworker, it potentially runs vmstat_update for the dying CPU on an irrelevant cpu before entering atomic AP states. When CONFIG_DEBUG_PREEMPT=y, it results in the following error with the backtrace. BUG: using smp_processor_id() in preemptible [00000000] code: \ kworker/7:3/1702 caller is refresh_cpu_vm_stats+0x235/0x5f0 CPU: 0 UID: 0 PID: 1702 Comm: kworker/7:3 Tainted: G Tainted: [N]=TEST Workqueue: mm_percpu_wq vmstat_update Call Trace: dump_stack_lvl+0x8d/0xb0 check_preemption_disabled+0xce/0xe0 refresh_cpu_vm_stats+0x235/0x5f0 vmstat_update+0x17/0xa0 process_one_work+0x869/0x1aa0 worker_thread+0x5e5/0x1100 kthread+0x29e/0x380 ret_from_fork+0x2d/0x70 ret_from_fork_asm+0x1a/0x30 So, for mm/vmstat:online, disable vmstat_work reliably on teardown and symmetrically enable it on startup. Link: https://lkml.kernel.org/r/20241221033321.4154409-1-koichiro.den@canonical.com Signed-off-by: Koichiro Den Cc: Sebastian Andrzej Siewior Cc: Signed-off-by: Andrew Morton commit d77b90d2b2642655b5f60953c36ad887257e1802 Author: Baolin Wang Date: Thu Dec 19 15:30:09 2024 +0800 mm: shmem: fix the update of 'shmem_falloc->nr_unswapped' The 'shmem_falloc->nr_unswapped' is used to record how many writepage refused to swap out because fallocate() is allocating, but after shmem supports large folio swap out, the update of 'shmem_falloc->nr_unswapped' does not use the correct number of pages in the large folio, which may lead to fallocate() not exiting as soon as possible. Anyway, this is found through code inspection, and I am not sure whether it would actually cause serious issues. Link: https://lkml.kernel.org/r/f66a0119d0564c2c37c84f045835b870d1b2196f.1734593154.git.baolin.wang@linux.alibaba.com Fixes: 809bc86517cc ("mm: shmem: support large folio swap out") Signed-off-by: Baolin Wang Acked-by: David Hildenbrand Cc: Hugh Dickins Cc: Signed-off-by: Andrew Morton commit d0e6983a6d1719738cf8d13982a68094f0a1872a Author: Baolin Wang Date: Thu Dec 19 15:30:08 2024 +0800 mm: shmem: fix incorrect index alignment for within_size policy With enabling the shmem per-size within_size policy, using an incorrect 'order' size to round_up() the index can lead to incorrect i_size checks, resulting in an inappropriate large orders being returned. Changing to use '1 << order' to round_up() the index to fix this issue. Additionally, adding an 'aligned_index' variable to avoid affecting the index checks. Link: https://lkml.kernel.org/r/77d8ef76a7d3d646e9225e9af88a76549a68aab1.1734593154.git.baolin.wang@linux.alibaba.com Fixes: e7a2ab7b3bb5 ("mm: shmem: add mTHP support for anonymous shmem") Signed-off-by: Baolin Wang Acked-by: David Hildenbrand Cc: Hugh Dickins Cc: Signed-off-by: Andrew Morton commit 11673247700e2af3a6a95f7b3f1bb80b691c950e Author: Gal Pressman Date: Thu Dec 19 14:18:28 2024 +0200 percpu: remove intermediate variable in PERCPU_PTR() The intermediate variable in the PERCPU_PTR() macro results in a kernel panic on boot [1] due to a compiler bug seen when compiling the kernel (+ KASAN) with gcc 11.3.1, but not when compiling with latest gcc (v14.2)/clang(v18.1). To solve it, remove the intermediate variable (which is not needed) and keep the casting that resolves the address space checks. [1] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] CPU: 0 UID: 0 PID: 547 Comm: iptables Not tainted 6.13.0-rc1_external_tested-master #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:nf_ct_netns_do_get+0x139/0x540 Code: 03 00 00 48 81 c4 88 00 00 00 5b 5d 41 5c 41 5d 41 5e 41 5f c3 4d 8d 75 08 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 27 03 00 00 41 8b 45 08 83 c0 RSP: 0018:ffff888116df75e8 EFLAGS: 00010207 RAX: dffffc0000000000 RBX: 1ffff11022dbeebe RCX: ffffffff839a2382 RDX: 0000000000000003 RSI: 0000000000000008 RDI: ffff88842ec46d10 RBP: 0000000000000002 R08: 0000000000000000 R09: fffffbfff0b0860c R10: ffff888116df75e8 R11: 0000000000000001 R12: ffffffff879d6a80 R13: 0000000000000016 R14: 000000000000001e R15: ffff888116df7908 FS: 00007fba01646740(0000) GS:ffff88842ec00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055bd901800d8 CR3: 00000001205f0003 CR4: 0000000000172eb0 Call Trace: ? die_addr+0x3d/0xa0 ? exc_general_protection+0x144/0x220 ? asm_exc_general_protection+0x22/0x30 ? __mutex_lock+0x2c2/0x1d70 ? nf_ct_netns_do_get+0x139/0x540 ? nf_ct_netns_do_get+0xb5/0x540 ? net_generic+0x1f0/0x1f0 ? __create_object+0x5e/0x80 xt_check_target+0x1f0/0x930 ? textify_hooks.constprop.0+0x110/0x110 ? pcpu_alloc_noprof+0x7cd/0xcf0 ? xt_find_target+0x148/0x1e0 find_check_entry.constprop.0+0x6c0/0x920 ? get_info+0x380/0x380 ? __virt_addr_valid+0x1df/0x3b0 ? kasan_quarantine_put+0xe3/0x200 ? kfree+0x13e/0x3d0 ? translate_table+0xaf5/0x1750 translate_table+0xbd8/0x1750 ? ipt_unregister_table_exit+0x30/0x30 ? __might_fault+0xbb/0x170 do_ipt_set_ctl+0x408/0x1340 ? nf_sockopt_find.constprop.0+0x17b/0x1f0 ? lock_downgrade+0x680/0x680 ? lockdep_hardirqs_on_prepare+0x284/0x400 ? ipt_register_table+0x440/0x440 ? bit_wait_timeout+0x160/0x160 nf_setsockopt+0x6f/0xd0 raw_setsockopt+0x7e/0x200 ? raw_bind+0x590/0x590 ? do_user_addr_fault+0x812/0xd20 do_sock_setsockopt+0x1e2/0x3f0 ? move_addr_to_user+0x90/0x90 ? lock_downgrade+0x680/0x680 __sys_setsockopt+0x9e/0x100 __x64_sys_setsockopt+0xb9/0x150 ? do_syscall_64+0x33/0x140 do_syscall_64+0x6d/0x140 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7fba015134ce Code: 0f 1f 40 00 48 8b 15 59 69 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b1 0f 1f 00 f3 0f 1e fa 49 89 ca b8 36 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 0a c3 66 0f 1f 84 00 00 00 00 00 48 8b 15 21 RSP: 002b:00007ffd9de6f388 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 RAX: ffffffffffffffda RBX: 000055bd9017f490 RCX: 00007fba015134ce RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000004 RBP: 0000000000000500 R08: 0000000000000560 R09: 0000000000000052 R10: 000055bd901800e0 R11: 0000000000000246 R12: 000055bd90180140 R13: 000055bd901800e0 R14: 000055bd9017f498 R15: 000055bd9017ff10 Modules linked in: xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay zram zsmalloc mlx4_ib mlx4_en mlx4_core rpcrdma rdma_ucm ib_uverbs ib_iser libiscsi scsi_transport_iscsi fuse ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_core ---[ end trace 0000000000000000 ]--- [akpm@linux-foundation.org: simplification, per Uros] Link: https://lkml.kernel.org/r/20241219121828.2120780-1-gal@nvidia.com Fixes: dabddd687c9e ("percpu: cast percpu pointer in PERCPU_PTR() via unsigned long") Signed-off-by: Gal Pressman Closes: https://lore.kernel.org/all/7590f546-4021-4602-9252-0d525de35b52@nvidia.com Cc: Uros Bizjak Cc: Bill Wendling Cc: Christoph Lameter Cc: Dennis Zhou Cc: Justin Stitt Cc: Nathan Chancellor Cc: Nick Desaulniers Cc: Tejun Heo Signed-off-by: Andrew Morton commit eaebeb93922ca6ab0dd92027b73d0112701706ef Author: Yosry Ahmed Date: Thu Dec 19 21:24:37 2024 +0000 mm: zswap: fix race between [de]compression and CPU hotunplug In zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the current CPU at the beginning of the operation is retrieved and used throughout. However, since neither preemption nor migration are disabled, it is possible that the operation continues on a different CPU. If the original CPU is hotunplugged while the acomp_ctx is still in use, we run into a UAF bug as the resources attached to the acomp_ctx are freed during hotunplug in zswap_cpu_comp_dead(). The problem was introduced in commit 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration") when the switch to the crypto_acomp API was made. Prior to that, the per-CPU crypto_comp was retrieved using get_cpu_ptr() which disables preemption and makes sure the CPU cannot go away from under us. Preemption cannot be disabled with the crypto_acomp API as a sleepable context is needed. Commit 8ba2f844f050 ("mm/zswap: change per-cpu mutex and buffer to per-acomp_ctx") increased the UAF surface area by making the per-CPU buffers dynamic, adding yet another resource that can be freed from under zswap compression/decompression by CPU hotunplug. There are a few ways to fix this: (a) Add a refcount for acomp_ctx. (b) Disable migration while using the per-CPU acomp_ctx. (c) Disable CPU hotunplug while using the per-CPU acomp_ctx by holding the CPUs read lock. Implement (c) since it's simpler than (a), and (b) involves using migrate_disable() which is apparently undesired (see huge comment in include/linux/preempt.h). Link: https://lkml.kernel.org/r/20241219212437.2714151-1-yosryahmed@google.com Fixes: 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration") Signed-off-by: Yosry Ahmed Reported-by: Johannes Weiner Closes: https://lore.kernel.org/lkml/20241113213007.GB1564047@cmpxchg.org/ Reported-by: Sam Sun Closes: https://lore.kernel.org/lkml/CAEkJfYMtSdM5HceNsXUDf5haghD5+o2e7Qv4OcuruL4tPg6OaQ@mail.gmail.com/ Reviewed-by: Chengming Zhou Acked-by: Barry Song Reviewed-by: Nhat Pham Cc: Vitaly Wool Cc: Signed-off-by: Andrew Morton commit 5f3fd772d152229d94602bca243fbb658068a597 Author: Dennis Lam Date: Tue Dec 17 21:39:25 2024 -0500 ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv When mounting ocfs2 and then remounting it as read-only, a slab-use-after-free occurs after the user uses a syscall to quota_getnextquota. Specifically, sb_dqinfo(sb, type)->dqi_priv is the dangling pointer. During the remounting process, the pointer dqi_priv is freed but is never set as null leaving it to be accessed. Additionally, the read-only option for remounting sets the DQUOT_SUSPENDED flag instead of setting the DQUOT_USAGE_ENABLED flags. Moreover, later in the process of getting the next quota, the function ocfs2_get_next_id is called and only checks the quota usage flags and not the quota suspended flags. To fix this, I set dqi_priv to null when it is freed after remounting with read-only and put a check for DQUOT_SUSPENDED in ocfs2_get_next_id. [akpm@linux-foundation.org: coding-style cleanups] Link: https://lkml.kernel.org/r/20241218023924.22821-2-dennis.lamerice@gmail.com Fixes: 8f9e8f5fcc05 ("ocfs2: Fix Q_GETNEXTQUOTA for filesystem without quotas") Signed-off-by: Dennis Lam Reported-by: syzbot+d173bf8a5a7faeede34c@syzkaller.appspotmail.com Tested-by: syzbot+d173bf8a5a7faeede34c@syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/6731d26f.050a0220.1fb99c.014b.GAE@google.com/T/ Reviewed-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Changwei Ge Cc: Jun Piao Cc: Signed-off-by: Andrew Morton commit 3754137d263f52f4b507cf9ae913f8f0497d1b0e Author: David Hildenbrand Date: Tue Dec 17 20:50:00 2024 +0100 fs/proc/task_mmu: fix pagemap flags with PMD THP entries on 32bit Entries (including flags) are u64, even on 32bit. So right now we are cutting of the flags on 32bit. This way, for example the cow selftest complains about: # ./cow ... Bail Out! read and ioctl return unmatched results for populated: 0 1 Link: https://lkml.kernel.org/r/20241217195000.1734039-1-david@redhat.com Fixes: 2c1f057e5be6 ("fs/proc/task_mmu: properly detect PM_MMAP_EXCLUSIVE per page of PMD-mapped THPs") Signed-off-by: David Hildenbrand Cc: Oscar Salvador Cc: Signed-off-by: Andrew Morton commit cb0ca08b326aa03f87fe94bb91872ce8d2ef1ed8 Author: Arnd Bergmann Date: Tue Dec 17 08:18:10 2024 +0100 kcov: mark in_softirq_really() as __always_inline If gcc decides not to inline in_softirq_really(), objtool warns about a function call with UACCESS enabled: kernel/kcov.o: warning: objtool: __sanitizer_cov_trace_pc+0x1e: call to in_softirq_really() with UACCESS enabled kernel/kcov.o: warning: objtool: check_kcov_mode+0x11: call to in_softirq_really() with UACCESS enabled Mark this as __always_inline to avoid the problem. Link: https://lkml.kernel.org/r/20241217071814.2261620-1-arnd@kernel.org Fixes: 7d4df2dad312 ("kcov: properly check for softirq context") Signed-off-by: Arnd Bergmann Reviewed-by: Marco Elver Cc: Aleksandr Nogikh Cc: Andrey Konovalov Cc: Dmitry Vyukov Cc: Josh Poimboeuf Cc: Peter Zijlstra Cc: Signed-off-by: Andrew Morton commit 472098f23323c39cc6269d7b7bf76cba62830a4c Author: Baolin Wang Date: Tue Dec 17 16:55:39 2024 +0800 docs: mm: fix the incorrect 'FileHugeMapped' field The '/proc/PID/smaps' does not have the 'FileHugeMapped' field to count the file transparent huge pages, instead, the 'FilePmdMapped' field should be used. Fix it. Link: https://lkml.kernel.org/r/d520ce3aba2b03b088be30bece732426a939049a.1734425264.git.baolin.wang@linux.alibaba.com Signed-off-by: Baolin Wang Acked-by: David Hildenbrand Signed-off-by: Andrew Morton commit 4d9b90df2eb49ab9becdbfd1fd60071bb107406e Author: Mathieu Othacehe Date: Tue Dec 17 11:09:21 2024 +0100 mailmap: modify the entry for Mathieu Othacehe Set my gnu address as the main one. Link: https://lkml.kernel.org/r/20241217100924.7821-1-othacehe@gnu.org Signed-off-by: Mathieu Othacehe Cc: Alex Elder Cc: David S. Miller Cc: Geliang Tang Cc: Kees Cook Cc: Matthieu Baerts (NGI0) Cc: Neeraj Upadhyay Cc: Quentin Monnet Signed-off-by: Andrew Morton commit cddc76b165161a02ff14c4d84d0f5266d9d32b9e Author: Alessandro Carminati Date: Tue Dec 17 14:20:33 2024 +0000 mm/kmemleak: fix sleeping function called from invalid context at print message Address a bug in the kernel that triggers a "sleeping function called from invalid context" warning when /sys/kernel/debug/kmemleak is printed under specific conditions: - CONFIG_PREEMPT_RT=y - Set SELinux as the LSM for the system - Set kptr_restrict to 1 - kmemleak buffer contains at least one item BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 136, name: cat preempt_count: 1, expected: 0 RCU nest depth: 2, expected: 2 6 locks held by cat/136: #0: ffff32e64bcbf950 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xb8/0xe30 #1: ffffafe6aaa9dea0 (scan_mutex){+.+.}-{3:3}, at: kmemleak_seq_start+0x34/0x128 #3: ffff32e6546b1cd0 (&object->lock){....}-{2:2}, at: kmemleak_seq_show+0x3c/0x1e0 #4: ffffafe6aa8d8560 (rcu_read_lock){....}-{1:2}, at: has_ns_capability_noaudit+0x8/0x1b0 #5: ffffafe6aabbc0f8 (notif_lock){+.+.}-{2:2}, at: avc_compute_av+0xc4/0x3d0 irq event stamp: 136660 hardirqs last enabled at (136659): [] _raw_spin_unlock_irqrestore+0xa8/0xd8 hardirqs last disabled at (136660): [] _raw_spin_lock_irqsave+0x8c/0xb0 softirqs last enabled at (0): [] copy_process+0x11d8/0x3df8 softirqs last disabled at (0): [<0000000000000000>] 0x0 Preemption disabled at: [] kmemleak_seq_show+0x3c/0x1e0 CPU: 1 UID: 0 PID: 136 Comm: cat Tainted: G E 6.11.0-rt7+ #34 Tainted: [E]=UNSIGNED_MODULE Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace+0xa0/0x128 show_stack+0x1c/0x30 dump_stack_lvl+0xe8/0x198 dump_stack+0x18/0x20 rt_spin_lock+0x8c/0x1a8 avc_perm_nonode+0xa0/0x150 cred_has_capability.isra.0+0x118/0x218 selinux_capable+0x50/0x80 security_capable+0x7c/0xd0 has_ns_capability_noaudit+0x94/0x1b0 has_capability_noaudit+0x20/0x30 restricted_pointer+0x21c/0x4b0 pointer+0x298/0x760 vsnprintf+0x330/0xf70 seq_printf+0x178/0x218 print_unreferenced+0x1a4/0x2d0 kmemleak_seq_show+0xd0/0x1e0 seq_read_iter+0x354/0xe30 seq_read+0x250/0x378 full_proxy_read+0xd8/0x148 vfs_read+0x190/0x918 ksys_read+0xf0/0x1e0 __arm64_sys_read+0x70/0xa8 invoke_syscall.constprop.0+0xd4/0x1d8 el0_svc+0x50/0x158 el0t_64_sync+0x17c/0x180 %pS and %pK, in the same back trace line, are redundant, and %pS can void %pK service in certain contexts. %pS alone already provides the necessary information, and if it cannot resolve the symbol, it falls back to printing the raw address voiding the original intent behind the %pK. Additionally, %pK requires a privilege check CAP_SYSLOG enforced through the LSM, which can trigger a "sleeping function called from invalid context" warning under RT_PREEMPT kernels when the check occurs in an atomic context. This issue may also affect other LSMs. This change avoids the unnecessary privilege check and resolves the sleeping function warning without any loss of information. Link: https://lkml.kernel.org/r/20241217142032.55793-1-acarmina@redhat.com Fixes: 3a6f33d86baa ("mm/kmemleak: use %pK to display kernel pointers in backtrace") Signed-off-by: Alessandro Carminati Acked-by: Sebastian Andrzej Siewior Acked-by: Catalin Marinas Cc: Clément Léger Cc: Alessandro Carminati Cc: Eric Chanudet Cc: Gabriele Paoloni Cc: Juri Lelli Cc: Steven Rostedt Cc: Thomas Weißschuh Cc: Signed-off-by: Andrew Morton commit 59d9094df3d79443937add8700b2ef1a866b1081 Author: Liu Shixin Date: Mon Dec 16 15:11:47 2024 +0800 mm: hugetlb: independent PMD page table shared count The folio refcount may be increased unexpectly through try_get_folio() by caller such as split_huge_pages. In huge_pmd_unshare(), we use refcount to check whether a pmd page table is shared. The check is incorrect if the refcount is increased by the above caller, and this can cause the page table leaked: BUG: Bad page state in process sh pfn:109324 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x66 pfn:0x109324 flags: 0x17ffff800000000(node=0|zone=2|lastcpupid=0xfffff) page_type: f2(table) raw: 017ffff800000000 0000000000000000 0000000000000000 0000000000000000 raw: 0000000000000066 0000000000000000 00000000f2000000 0000000000000000 page dumped because: nonzero mapcount ... CPU: 31 UID: 0 PID: 7515 Comm: sh Kdump: loaded Tainted: G B 6.13.0-rc2master+ #7 Tainted: [B]=BAD_PAGE Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 Call trace: show_stack+0x20/0x38 (C) dump_stack_lvl+0x80/0xf8 dump_stack+0x18/0x28 bad_page+0x8c/0x130 free_page_is_bad_report+0xa4/0xb0 free_unref_page+0x3cc/0x620 __folio_put+0xf4/0x158 split_huge_pages_all+0x1e0/0x3e8 split_huge_pages_write+0x25c/0x2d8 full_proxy_write+0x64/0xd8 vfs_write+0xcc/0x280 ksys_write+0x70/0x110 __arm64_sys_write+0x24/0x38 invoke_syscall+0x50/0x120 el0_svc_common.constprop.0+0xc8/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x34/0x128 el0t_64_sync_handler+0xc8/0xd0 el0t_64_sync+0x190/0x198 The issue may be triggered by damon, offline_page, page_idle, etc, which will increase the refcount of page table. 1. The page table itself will be discarded after reporting the "nonzero mapcount". 2. The HugeTLB page mapped by the page table miss freeing since we treat the page table as shared and a shared page table will not be unmapped. Fix it by introducing independent PMD page table shared count. As described by comment, pt_index/pt_mm/pt_frag_refcount are used for s390 gmap, x86 pgds and powerpc, pt_share_count is used for x86/arm64/riscv pmds, so we can reuse the field as pt_share_count. Link: https://lkml.kernel.org/r/20241216071147.3984217-1-liushixin2@huawei.com Fixes: 39dde65c9940 ("[PATCH] shared page table for hugetlb page") Signed-off-by: Liu Shixin Cc: Kefeng Wang Cc: Ken Chen Cc: Muchun Song Cc: Nanyong Sun Cc: Jane Chu Cc: Signed-off-by: Andrew Morton commit 1fd8bc7cd889bd73d07a83cb32d674ac68f99153 Author: Yang Erkun Date: Sat Dec 14 17:30:05 2024 +0800 maple_tree: reload mas before the second call for mas_empty_area Change the LONG_MAX in simple_offset_add to 1024, and do latter: [root@fedora ~]# mkdir /tmp/dir [root@fedora ~]# for i in {1..1024}; do touch /tmp/dir/$i; done touch: cannot touch '/tmp/dir/1024': Device or resource busy [root@fedora ~]# rm /tmp/dir/123 [root@fedora ~]# touch /tmp/dir/1024 [root@fedora ~]# rm /tmp/dir/100 [root@fedora ~]# touch /tmp/dir/1025 touch: cannot touch '/tmp/dir/1025': Device or resource busy After we delete file 100, actually this is a empty entry, but the latter create failed unexpected. mas_alloc_cyclic has two chance to find empty entry. First find the entry with range range_lo and range_hi, if no empty entry exist, and range_lo > min, retry find with range min and range_hi. However, the first call mas_empty_area may mark mas as EBUSY, and the second call for mas_empty_area will return false directly. Fix this by reload mas before second call for mas_empty_area. [Liam.Howlett@Oracle.com: fix mas_alloc_cyclic() second search] Link: https://lore.kernel.org/all/20241216060600.287B4C4CED0@smtp.kernel.org/ Link: https://lkml.kernel.org/r/20241216190113.1226145-2-Liam.Howlett@oracle.com Link: https://lkml.kernel.org/r/20241214093005.72284-1-yangerkun@huaweicloud.com Fixes: 9b6713cc7522 ("maple_tree: Add mtree_alloc_cyclic()") Signed-off-by: Yang Erkun Signed-off-by: Liam R. Howlett Cc: Christian Brauner Cc: Chuck Lever says: Cc: Liam R. Howlett Cc: Signed-off-by: Andrew Morton commit 158cdce87c8c172787063998ad5dd3e2f658b963 Author: Yafang Shao Date: Fri Dec 6 16:30:25 2024 +0800 mm/readahead: fix large folio support in async readahead When testing large folio support with XFS on our servers, we observed that only a few large folios are mapped when reading large files via mmap. After a thorough analysis, I identified it was caused by the `/sys/block/*/queue/read_ahead_kb` setting. On our test servers, this parameter is set to 128KB. After I tune it to 2MB, the large folio can work as expected. However, I believe the large folio behavior should not be dependent on the value of read_ahead_kb. It would be more robust if the kernel can automatically adopt to it. With /sys/block/*/queue/read_ahead_kb set to 128KB and performing a sequential read on a 1GB file using MADV_HUGEPAGE, the differences in /proc/meminfo are as follows: - before this patch FileHugePages: 18432 kB FilePmdMapped: 4096 kB - after this patch FileHugePages: 1067008 kB FilePmdMapped: 1048576 kB This shows that after applying the patch, the entire 1GB file is mapped to huge pages. The stable list is CCed, as without this patch, large folios don't function optimally in the readahead path. It's worth noting that if read_ahead_kb is set to a larger value that isn't aligned with huge page sizes (e.g., 4MB + 128KB), it may still fail to map to hugepages. Link: https://lkml.kernel.org/r/20241108141710.9721-1-laoar.shao@gmail.com Link: https://lkml.kernel.org/r/20241206083025.3478-1-laoar.shao@gmail.com Fixes: 4687fdbb805a ("mm/filemap: Support VM_HUGEPAGE for file mappings") Signed-off-by: Yafang Shao Tested-by: kernel test robot Cc: Matthew Wilcox Cc: David Hildenbrand Cc: Signed-off-by: Andrew Morton commit 34d7cf637c437d5c2a8a6ef23ea45193bad8a91c Author: Kefeng Wang Date: Fri Dec 6 15:03:45 2024 +0800 mm: don't try THP alignment for FS without get_unmapped_area Commit ed48e87c7df3 ("thp: add thp_get_unmapped_area_vmflags()") changes thp_get_unmapped_area() to thp_get_unmapped_area_vmflags() in __get_unmapped_area(), which doesn't initialize local get_area for anonymous mappings. This leads to us always trying THP alignment even for file_operations which have a NULL ->get_unmapped_area() callback. Since commit efa7df3e3bb5 ("mm: align larger anonymous mappings on THP boundaries") we only want to enable THP alignment for anonymous mappings, so add a !file check to avoid attempting THP alignment for file mappings. Found issue by code inspection. THP alignment is used for easy or more pmd mappings, from vma side. This may cause unnecessary VMA fragmentation and potentially worse performance on filesystems that do not actually support THPs and thus cannot benefit from the alignment. Link: https://lkml.kernel.org/r/20241206070345.2526501-1-wangkefeng.wang@huawei.com Fixes: ed48e87c7df3 ("thp: add thp_get_unmapped_area_vmflags()") Signed-off-by: Kefeng Wang Reviewed-by: Vlastimil Babka Reviewed-by: Yang Shi Cc: Christophe Leroy Cc: David Hildenbrand Cc: Jann Horn Cc: Liam R. Howlett Cc: Lorenzo Stoakes Cc: Rick Edgecombe Cc: Ryan Roberts Signed-off-by: Andrew Morton commit 6aaced5abd32e2a57cd94fd64f824514d0361da8 Author: Seiji Nishikawa Date: Sun Dec 1 01:12:34 2024 +0900 mm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim() The task sometimes continues looping in throttle_direct_reclaim() because allow_direct_reclaim(pgdat) keeps returning false. #0 [ffff80002cb6f8d0] __switch_to at ffff8000080095ac #1 [ffff80002cb6f900] __schedule at ffff800008abbd1c #2 [ffff80002cb6f990] schedule at ffff800008abc50c #3 [ffff80002cb6f9b0] throttle_direct_reclaim at ffff800008273550 #4 [ffff80002cb6fa20] try_to_free_pages at ffff800008277b68 #5 [ffff80002cb6fae0] __alloc_pages_nodemask at ffff8000082c4660 #6 [ffff80002cb6fc50] alloc_pages_vma at ffff8000082e4a98 #7 [ffff80002cb6fca0] do_anonymous_page at ffff80000829f5a8 #8 [ffff80002cb6fce0] __handle_mm_fault at ffff8000082a5974 #9 [ffff80002cb6fd90] handle_mm_fault at ffff8000082a5bd4 At this point, the pgdat contains the following two zones: NODE: 4 ZONE: 0 ADDR: ffff00817fffe540 NAME: "DMA32" SIZE: 20480 MIN/LOW/HIGH: 11/28/45 VM_STAT: NR_FREE_PAGES: 359 NR_ZONE_INACTIVE_ANON: 18813 NR_ZONE_ACTIVE_ANON: 0 NR_ZONE_INACTIVE_FILE: 50 NR_ZONE_ACTIVE_FILE: 0 NR_ZONE_UNEVICTABLE: 0 NR_ZONE_WRITE_PENDING: 0 NR_MLOCK: 0 NR_BOUNCE: 0 NR_ZSPAGES: 0 NR_FREE_CMA_PAGES: 0 NODE: 4 ZONE: 1 ADDR: ffff00817fffec00 NAME: "Normal" SIZE: 8454144 PRESENT: 98304 MIN/LOW/HIGH: 68/166/264 VM_STAT: NR_FREE_PAGES: 146 NR_ZONE_INACTIVE_ANON: 94668 NR_ZONE_ACTIVE_ANON: 3 NR_ZONE_INACTIVE_FILE: 735 NR_ZONE_ACTIVE_FILE: 78 NR_ZONE_UNEVICTABLE: 0 NR_ZONE_WRITE_PENDING: 0 NR_MLOCK: 0 NR_BOUNCE: 0 NR_ZSPAGES: 0 NR_FREE_CMA_PAGES: 0 In allow_direct_reclaim(), while processing ZONE_DMA32, the sum of inactive/active file-backed pages calculated in zone_reclaimable_pages() based on the result of zone_page_state_snapshot() is zero. Additionally, since this system lacks swap, the calculation of inactive/ active anonymous pages is skipped. crash> p nr_swap_pages nr_swap_pages = $1937 = { counter = 0 } As a result, ZONE_DMA32 is deemed unreclaimable and skipped, moving on to the processing of the next zone, ZONE_NORMAL, despite ZONE_DMA32 having free pages significantly exceeding the high watermark. The problem is that the pgdat->kswapd_failures hasn't been incremented. crash> px ((struct pglist_data *) 0xffff00817fffe540)->kswapd_failures $1935 = 0x0 This is because the node deemed balanced. The node balancing logic in balance_pgdat() evaluates all zones collectively. If one or more zones (e.g., ZONE_DMA32) have enough free pages to meet their watermarks, the entire node is deemed balanced. This causes balance_pgdat() to exit early before incrementing the kswapd_failures, as it considers the overall memory state acceptable, even though some zones (like ZONE_NORMAL) remain under significant pressure. The patch ensures that zone_reclaimable_pages() includes free pages (NR_FREE_PAGES) in its calculation when no other reclaimable pages are available (e.g., file-backed or anonymous pages). This change prevents zones like ZONE_DMA32, which have sufficient free pages, from being mistakenly deemed unreclaimable. By doing so, the patch ensures proper node balancing, avoids masking pressure on other zones like ZONE_NORMAL, and prevents infinite loops in throttle_direct_reclaim() caused by allow_direct_reclaim(pgdat) repeatedly returning false. The kernel hangs due to a task stuck in throttle_direct_reclaim(), caused by a node being incorrectly deemed balanced despite pressure in certain zones, such as ZONE_NORMAL. This issue arises from zone_reclaimable_pages() returning 0 for zones without reclaimable file- backed or anonymous pages, causing zones like ZONE_DMA32 with sufficient free pages to be skipped. The lack of swap or reclaimable pages results in ZONE_DMA32 being ignored during reclaim, masking pressure in other zones. Consequently, pgdat->kswapd_failures remains 0 in balance_pgdat(), preventing fallback mechanisms in allow_direct_reclaim() from being triggered, leading to an infinite loop in throttle_direct_reclaim(). This patch modifies zone_reclaimable_pages() to account for free pages (NR_FREE_PAGES) when no other reclaimable pages exist. This ensures zones with sufficient free pages are not skipped, enabling proper balancing and reclaim behavior. [akpm@linux-foundation.org: coding-style cleanups] Link: https://lkml.kernel.org/r/20241130164346.436469-1-snishika@redhat.com Link: https://lkml.kernel.org/r/20241130161236.433747-2-snishika@redhat.com Fixes: 5a1c84b404a7 ("mm: remove reclaim and compaction retry approximations") Signed-off-by: Seiji Nishikawa Cc: Mel Gorman Cc: Signed-off-by: Andrew Morton commit ea0916e01d0b0f2cce1369ac1494239a79827270 Author: Lorenzo Stoakes Date: Thu Nov 28 15:06:18 2024 +0000 selftests/memfd: add test for mapping write-sealed memfd read-only Now we have reinstated the ability to map F_SEAL_WRITE mappings read-only, assert that we are able to do this in a test to ensure that we do not regress this again. Link: https://lkml.kernel.org/r/a6377ec470b14c0539b4600cf8fa24bf2e4858ae.1732804776.git.lorenzo.stoakes@oracle.com Signed-off-by: Lorenzo Stoakes Cc: Jann Horn Cc: Julian Orth Cc: Liam R. Howlett Cc: Linus Torvalds Cc: Shuah Khan Cc: Vlastimil Babka Signed-off-by: Andrew Morton commit 8ec396d05d1b737c87311fb7311f753b02c2a6b1 Author: Lorenzo Stoakes Date: Thu Nov 28 15:06:17 2024 +0000 mm: reinstate ability to map write-sealed memfd mappings read-only Patch series "mm: reinstate ability to map write-sealed memfd mappings read-only". In commit 158978945f31 ("mm: perform the mapping_map_writable() check after call_mmap()") (and preceding changes in the same series) it became possible to mmap() F_SEAL_WRITE sealed memfd mappings read-only. Commit 5de195060b2e ("mm: resolve faulty mmap_region() error path behaviour") unintentionally undid this logic by moving the mapping_map_writable() check before the shmem_mmap() hook is invoked, thereby regressing this change. This series reworks how we both permit write-sealed mappings being mapped read-only and disallow mprotect() from undoing the write-seal, fixing this regression. We also add a regression test to ensure that we do not accidentally regress this in future. Thanks to Julian Orth for reporting this regression. This patch (of 2): In commit 158978945f31 ("mm: perform the mapping_map_writable() check after call_mmap()") (and preceding changes in the same series) it became possible to mmap() F_SEAL_WRITE sealed memfd mappings read-only. This was previously unnecessarily disallowed, despite the man page documentation indicating that it would be, thereby limiting the usefulness of F_SEAL_WRITE logic. We fixed this by adapting logic that existed for the F_SEAL_FUTURE_WRITE seal (one which disallows future writes to the memfd) to also be used for F_SEAL_WRITE. For background - the F_SEAL_FUTURE_WRITE seal clears VM_MAYWRITE for a read-only mapping to disallow mprotect() from overriding the seal - an operation performed by seal_check_write(), invoked from shmem_mmap(), the f_op->mmap() hook used by shmem mappings. By extending this to F_SEAL_WRITE and critically - checking mapping_map_writable() to determine if we may map the memfd AFTER we invoke shmem_mmap() - the desired logic becomes possible. This is because mapping_map_writable() explicitly checks for VM_MAYWRITE, which we will have cleared. Commit 5de195060b2e ("mm: resolve faulty mmap_region() error path behaviour") unintentionally undid this logic by moving the mapping_map_writable() check before the shmem_mmap() hook is invoked, thereby regressing this change. We reinstate this functionality by moving the check out of shmem_mmap() and instead performing it in do_mmap() at the point at which VMA flags are being determined, which seems in any case to be a more appropriate place in which to make this determination. In order to achieve this we rework memfd seal logic to allow us access to this information using existing logic and eliminate the clearing of VM_MAYWRITE from seal_check_write() which we are performing in do_mmap() instead. Link: https://lkml.kernel.org/r/99fc35d2c62bd2e05571cf60d9f8b843c56069e0.1732804776.git.lorenzo.stoakes@oracle.com Fixes: 5de195060b2e ("mm: resolve faulty mmap_region() error path behaviour") Signed-off-by: Lorenzo Stoakes Reported-by: Julian Orth Closes: https://lore.kernel.org/all/CAHijbEUMhvJTN9Xw1GmbM266FXXv=U7s4L_Jem5x3AaPZxrYpQ@mail.gmail.com/ Cc: Jann Horn Cc: Liam R. Howlett Cc: Linus Torvalds Cc: Shuah Khan Cc: Vlastimil Babka Cc: Signed-off-by: Andrew Morton commit 03c8d0af2e409e15c16130b185e12b5efba0a6b9 Author: Pascal Hambourg Date: Mon Dec 23 17:44:01 2024 +0100 sky2: Add device ID 11ab:4373 for Marvell 88E8075 A Marvell 88E8075 ethernet controller has this device ID instead of 11ab:4370 and works fine with the sky2 driver. Signed-off-by: Pascal Hambourg Cc: stable@vger.kernel.org Link: https://patch.msgid.link/10165a62-99fb-4be6-8c64-84afd6234085@plouf.fr.eu.org Signed-off-by: Jakub Kicinski commit cbb26f7d8451fe56ccac802c6db48d16240feebd Author: Paolo Abeni Date: Sat Dec 21 09:51:46 2024 +0100 mptcp: fix TCP options overflow. Syzbot reported the following splat: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 1 UID: 0 PID: 5836 Comm: sshd Not tainted 6.13.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024 RIP: 0010:_compound_head include/linux/page-flags.h:242 [inline] RIP: 0010:put_page+0x23/0x260 include/linux/mm.h:1552 Code: 90 90 90 90 90 90 90 55 41 57 41 56 53 49 89 fe 48 bd 00 00 00 00 00 fc ff df e8 f8 5e 12 f8 49 8d 5e 08 48 89 d8 48 c1 e8 03 <80> 3c 28 00 74 08 48 89 df e8 8f c7 78 f8 48 8b 1b 48 89 de 48 83 RSP: 0000:ffffc90003916c90 EFLAGS: 00010202 RAX: 0000000000000001 RBX: 0000000000000008 RCX: ffff888030458000 RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000 RBP: dffffc0000000000 R08: ffffffff898ca81d R09: 1ffff110054414ac R10: dffffc0000000000 R11: ffffed10054414ad R12: 0000000000000007 R13: ffff88802a20a542 R14: 0000000000000000 R15: 0000000000000000 FS: 00007f34f496e800(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f9d6ec9ec28 CR3: 000000004d260000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: skb_page_unref include/linux/skbuff_ref.h:43 [inline] __skb_frag_unref include/linux/skbuff_ref.h:56 [inline] skb_release_data+0x483/0x8a0 net/core/skbuff.c:1119 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb+0x55/0x70 net/core/skbuff.c:1204 tcp_clean_rtx_queue net/ipv4/tcp_input.c:3436 [inline] tcp_ack+0x2442/0x6bc0 net/ipv4/tcp_input.c:4032 tcp_rcv_state_process+0x8eb/0x44e0 net/ipv4/tcp_input.c:6805 tcp_v4_do_rcv+0x77d/0xc70 net/ipv4/tcp_ipv4.c:1939 tcp_v4_rcv+0x2dc0/0x37f0 net/ipv4/tcp_ipv4.c:2351 ip_protocol_deliver_rcu+0x22e/0x440 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x341/0x5f0 net/ipv4/ip_input.c:233 NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314 NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314 __netif_receive_skb_one_core net/core/dev.c:5672 [inline] __netif_receive_skb+0x2bf/0x650 net/core/dev.c:5785 process_backlog+0x662/0x15b0 net/core/dev.c:6117 __napi_poll+0xcb/0x490 net/core/dev.c:6883 napi_poll net/core/dev.c:6952 [inline] net_rx_action+0x89b/0x1240 net/core/dev.c:7074 handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561 __do_softirq kernel/softirq.c:595 [inline] invoke_softirq kernel/softirq.c:435 [inline] __irq_exit_rcu+0xf7/0x220 kernel/softirq.c:662 irq_exit_rcu+0x9/0x30 kernel/softirq.c:678 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline] sysvec_apic_timer_interrupt+0x57/0xc0 arch/x86/kernel/apic/apic.c:1049 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 RIP: 0033:0x7f34f4519ad5 Code: 85 d2 74 0d 0f 10 02 48 8d 54 24 20 0f 11 44 24 20 64 8b 04 25 18 00 00 00 85 c0 75 27 41 b8 08 00 00 00 b8 0f 01 00 00 0f 05 <48> 3d 00 f0 ff ff 76 75 48 8b 15 24 73 0d 00 f7 d8 64 89 02 48 83 RSP: 002b:00007ffec5b32ce0 EFLAGS: 00000246 RAX: 0000000000000001 RBX: 00000000000668a0 RCX: 00007f34f4519ad5 RDX: 00007ffec5b32d00 RSI: 0000000000000004 RDI: 0000564f4bc6cae0 RBP: 0000564f4bc6b5a0 R08: 0000000000000008 R09: 0000000000000000 R10: 00007ffec5b32de8 R11: 0000000000000246 R12: 0000564f48ea8aa4 R13: 0000000000000001 R14: 0000564f48ea93e8 R15: 00007ffec5b32d68 Eric noted a probable shinfo->nr_frags corruption, which indeed occurs. The root cause is a buggy MPTCP option len computation in some circumstances: the ADD_ADDR option should be mutually exclusive with DSS since the blamed commit. Still, mptcp_established_options_add_addr() tries to set the relevant info in mptcp_out_options, if the remaining space is large enough even when DSS is present. Since the ADD_ADDR infos and the DSS share the same union fields, adding first corrupts the latter. In the worst-case scenario, such corruption increases the DSS binary layout, exceeding the computed length and possibly overwriting the skb shared info. Address the issue by enforcing mutual exclusion in mptcp_established_options_add_addr(), too. Cc: stable@vger.kernel.org Reported-by: syzbot+38a095a81f30d82884c1@syzkaller.appspotmail.com Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/538 Fixes: 1bff1e43a30e ("mptcp: optimize out option generation") Signed-off-by: Paolo Abeni Reviewed-by: Matthieu Baerts (NGI0) Reviewed-by: Eric Dumazet Link: https://patch.msgid.link/025d9df8cde3c9a557befc47e9bc08fbbe3476e5.1734771049.git.pabeni@redhat.com Signed-off-by: Jakub Kicinski commit ad5c318086e2e23b577eca33559c5ebf89bc7eb9 Author: Joe Hattori Date: Sat Dec 21 17:14:48 2024 +0900 net: mv643xx_eth: fix an OF node reference leak Current implementation of mv643xx_eth_shared_of_add_port() calls of_parse_phandle(), but does not release the refcount on error. Call of_node_put() in the error path and in mv643xx_eth_shared_of_remove(). This bug was found by an experimental verification tool that I am developing. Fixes: 76723bca2802 ("net: mv643xx_eth: add DT parsing support") Signed-off-by: Joe Hattori Link: https://patch.msgid.link/20241221081448.3313163-1-joe@pf.is.s.u-tokyo.ac.jp Signed-off-by: Jakub Kicinski commit fb3a9a1165cea104b5ab3753e88218e4497b01c1 Author: Joshua Washington Date: Fri Dec 20 19:28:06 2024 -0800 gve: trigger RX NAPI instead of TX NAPI in gve_xsk_wakeup Commit ba0925c34e0f ("gve: process XSK TX descriptors as part of RX NAPI") moved XSK TX processing to be part of the RX NAPI. However, that commit did not include triggering the RX NAPI in gve_xsk_wakeup. This is necessary because the TX NAPI only processes TX completions, meaning that a TX wakeup would not actually trigger XSK descriptor processing. Also, the branch on XDP_WAKEUP_TX was supposed to have been removed, as the NAPI should be scheduled whether the wakeup is for RX or TX. Fixes: ba0925c34e0f ("gve: process XSK TX descriptors as part of RX NAPI") Cc: stable@vger.kernel.org Signed-off-by: Joshua Washington Signed-off-by: Praveen Kaligineedi Link: https://patch.msgid.link/20241221032807.302244-1-pkaligineedi@google.com Signed-off-by: Jakub Kicinski commit b255ef45fcc2141c1bf98456796abb956d843a27 Author: Vitalii Mordan Date: Fri Dec 27 15:30:07 2024 +0300 eth: bcmsysport: fix call balance of priv->clk handling routines Check the return value of clk_prepare_enable to ensure that priv->clk has been successfully enabled. If priv->clk was not enabled during bcm_sysport_probe, bcm_sysport_resume, or bcm_sysport_open, it must not be disabled in any subsequent execution paths. Fixes: 31bc72d97656 ("net: systemport: fetch and use clock resources") Signed-off-by: Vitalii Mordan Reviewed-by: Florian Fainelli Link: https://patch.msgid.link/20241227123007.2333397-1-mordan@ispras.ru Signed-off-by: Jakub Kicinski commit a9c83a0ab66a5b02e914daed502fb8d3a8d3d619 Author: Jens Axboe Date: Mon Dec 30 14:15:17 2024 -0700 io_uring/timeout: flush timeouts outside of the timeout lock syzbot reports that a recent fix causes nesting issues between the (now) raw timeoutlock and the eventfd locking: ============================= [ BUG: Invalid wait context ] 6.13.0-rc4-00080-g9828a4c0901f #29 Not tainted ----------------------------- kworker/u32:0/68094 is trying to lock: ffff000014d7a520 (&ctx->wqh#2){..-.}-{3:3}, at: eventfd_signal_mask+0x64/0x180 other info that might help us debug this: context-{5:5} 6 locks held by kworker/u32:0/68094: #0: ffff0000c1d98148 ((wq_completion)iou_exit){+.+.}-{0:0}, at: process_one_work+0x4e8/0xfc0 #1: ffff80008d927c78 ((work_completion)(&ctx->exit_work)){+.+.}-{0:0}, at: process_one_work+0x53c/0xfc0 #2: ffff0000c59bc3d8 (&ctx->completion_lock){+.+.}-{3:3}, at: io_kill_timeouts+0x40/0x180 #3: ffff0000c59bc358 (&ctx->timeout_lock){-.-.}-{2:2}, at: io_kill_timeouts+0x48/0x180 #4: ffff800085127aa0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire+0x8/0x38 #5: ffff800085127aa0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire+0x8/0x38 stack backtrace: CPU: 7 UID: 0 PID: 68094 Comm: kworker/u32:0 Not tainted 6.13.0-rc4-00080-g9828a4c0901f #29 Hardware name: linux,dummy-virt (DT) Workqueue: iou_exit io_ring_exit_work Call trace: show_stack+0x1c/0x30 (C) __dump_stack+0x24/0x30 dump_stack_lvl+0x60/0x80 dump_stack+0x14/0x20 __lock_acquire+0x19f8/0x60c8 lock_acquire+0x1a4/0x540 _raw_spin_lock_irqsave+0x90/0xd0 eventfd_signal_mask+0x64/0x180 io_eventfd_signal+0x64/0x108 io_req_local_work_add+0x294/0x430 __io_req_task_work_add+0x1c0/0x270 io_kill_timeout+0x1f0/0x288 io_kill_timeouts+0xd4/0x180 io_uring_try_cancel_requests+0x2e8/0x388 io_ring_exit_work+0x150/0x550 process_one_work+0x5e8/0xfc0 worker_thread+0x7ec/0xc80 kthread+0x24c/0x300 ret_from_fork+0x10/0x20 because after the preempt-rt fix for the timeout lock nesting inside the io-wq lock, we now have the eventfd spinlock nesting inside the raw timeout spinlock. Rather than play whack-a-mole with other nesting on the timeout lock, split the deletion and killing of timeouts so queueing the task_work for the timeout cancelations can get done outside of the timeout lock. Reported-by: syzbot+b1fc199a40b65d601b65@syzkaller.appspotmail.com Fixes: 020b40f35624 ("io_uring: make ctx->timeout_lock a raw spinlock") Signed-off-by: Jens Axboe commit de30d74f58cbecb3894c7738985bd0086d04bec1 Author: Steven Davis Date: Mon Dec 30 19:34:31 2024 +0000 cdrom: Fix typo, 'devicen' to 'device' Fix typo in cd_dbg line to add trailing newline character. Signed-off-by: Steven Davis Link: https://lore.kernel.org/lkml/20241229165744.21725-1-goldside000@outlook.com Reviewed-by: Phillip Potter Link: https://lore.kernel.org/lkml/Z3GV2W_MUOw5BrtR@equinox Signed-off-by: Phillip Potter Link: https://lore.kernel.org/r/20241230193431.441120-2-phil@philpotter.co.uk Signed-off-by: Jens Axboe commit ccb98ccef0e543c2bd4ef1a72270461957f3d8d0 Merge: fc033cf25e612e 7e16ae558a87ac Author: Linus Torvalds Date: Mon Dec 30 11:20:42 2024 -0800 Merge tag 'platform-drivers-x86-v6.13-4' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86 Pull x86 platform drivers fixes from Ilpo Järvinen: "hp-wmi: - mark 8A15 board for timed OMEN thermal profile mlx-platform: - call pci_dev_put() to balance the refcount thinkpad-acpi: - Add support for hotkey 0x1401" * tag 'platform-drivers-x86-v6.13-4' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86: platform/x86: thinkpad-acpi: Add support for hotkey 0x1401 platform/x86: hp-wmi: mark 8A15 board for timed OMEN thermal profile platform/x86: mlx-platform: call pci_dev_put() to balance the refcount commit 76aed5e00ff2625e0ec4b40c75f3514bdb27fae4 Author: AngeloGioacchino Del Regno Date: Thu Dec 19 12:27:33 2024 +0100 drm/mediatek: mtk_dsi: Add registers to pdata to fix MT8186/MT8188 Registers DSI_VM_CMD and DSI_SHADOW_DEBUG start at different addresses in both MT8186 and MT8188 compared to the older IPs. Add two members in struct mtk_dsi_driver_data to specify the offsets for these two registers on a per-SoC basis, then do specify those in all of the currently present SoC driver data. This fixes writes to the Video Mode Command Packet Control register, fixing enablement of command packet transmission (VM_CMD_EN) and allowance of this transmission during the VFP period (TS_VFP_EN) on both MT8186 and MT8188. Fixes: 03d7adc41027 ("drm/mediatek: Add mt8186 dsi compatible to mtk_dsi.c") Fixes: 814d5341f314 ("drm/mediatek: Add mt8188 dsi compatible to mtk_dsi.c") Signed-off-by: AngeloGioacchino Del Regno Reviewed-by: CK Hu Link: https://patchwork.kernel.org/project/dri-devel/patch/20241219112733.47907-1-angelogioacchino.delregno@collabora.com/ Signed-off-by: Chun-Kuang Hu commit 8fe3ee95da1bf42830e9b02c70f111b53ab65229 Author: Fei Shao Date: Tue Nov 5 17:00:28 2024 +0800 dt-bindings: display: mediatek: dp: Reference common DAI properties The MediaTek DP hardware supports audio and exposes a DAI, so the '#sound-dai-cells' property is needed for describing the DAI links. Reference the dai-common.yaml schema to allow '#sound-dai-cells' to be used, and filter out non-DP compatibles as MediaTek eDP in the same binding doesn't support audio. This fixes dtbs_check error: '#sound-dai-cells' does not match any of the regexes: 'pinctrl-[0-9]+' Signed-off-by: Fei Shao Reviewed-by: Rob Herring (Arm) Link: https://patchwork.kernel.org/project/dri-devel/patch/20241105090207.3892242-1-fshao@chromium.org/ Signed-off-by: Chun-Kuang Hu commit cc0dc9e871a91aadf5b26a2d7760fb762e0d9203 Author: Clément Le Goffic Date: Wed Dec 18 10:22:27 2024 +0100 watchdog: stm32_iwdg: fix error message during driver probe The commit 3ab1663af6c1 ("watchdog: stm32_iwdg: Add pretimeout support") introduces the support for the pre-timeout interrupt. The support for this interrupt is optional but the driver uses the platform_get_irq() which produces an error message during the driver probe if we don't have any `interrupts` property in the DT. Use the platform_get_irq_optional() API to get rid of the error message as this property is optional. Fixes: 3ab1663af6c1 ("watchdog: stm32_iwdg: Add pretimeout support") Signed-off-by: Clément Le Goffic Reviewed-by: Marek Vasut Reviewed-by: Guenter Roeck Link: https://lore.kernel.org/r/20241218092227.771133-1-clement.legoffic@foss.st.com Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck commit 0d68b55887cedc7487036ed34cb4c2097c4228f1 Author: Liankun Yang Date: Fri Oct 25 16:28:28 2024 +0800 drm/mediatek: Fix mode valid issue for dp Fix dp mode valid issue to avoid abnormal display of limit state. After DP passes link training, it can express the lane count of the current link status is good. Calculate the maximum bandwidth supported by DP using the current lane count. The color format will select the best one based on the bandwidth requirements of the current timing mode. If the current timing mode uses RGB and meets the DP link bandwidth requirements, RGB will be used. If the timing mode uses RGB but does not meet the DP link bandwidthi requirements, it will continue to check whether YUV422 meets the DP link bandwidth. FEC overhead is approximately 2.4% from DP 1.4a spec 2.2.1.4.2. The down-spread amplitude shall either be disabled (0.0%) or up to 0.5% from 1.4a 3.5.2.6. Add up to approximately 3% total overhead. Because rate is already divided by 10, mode->clock does not need to be multiplied by 10. Fixes: f70ac097a2cf ("drm/mediatek: Add MT8195 Embedded DisplayPort driver") Signed-off-by: Liankun Yang Link: https://patchwork.kernel.org/project/dri-devel/patch/20241025083036.8829-3-liankun.yang@mediatek.com/ Signed-off-by: Chun-Kuang Hu commit ef24fbd8f12015ff827973fffefed3902ffd61cc Author: Liankun Yang Date: Fri Oct 25 16:28:27 2024 +0800 drm/mediatek: Fix YCbCr422 color format issue for DP Setting up misc0 for Pixel Encoding Format. According to the definition of YCbCr in spec 1.2a Table 2-96, 0x1 << 1 should be written to the register. Use switch case to distinguish RGB, YCbCr422, and unsupported color formats. Fixes: f70ac097a2cf ("drm/mediatek: Add MT8195 Embedded DisplayPort driver") Signed-off-by: Liankun Yang Link: https://patchwork.kernel.org/project/dri-devel/patch/20241025083036.8829-2-liankun.yang@mediatek.com/ Signed-off-by: Chun-Kuang Hu commit a10f26062a9973c38c0a11ea91757f9228e200f2 Author: Chun-Kuang Hu Date: Mon Dec 23 15:12:18 2024 +0000 Revert "drm/mediatek: Switch to for_each_child_of_node_scoped()" This reverts commit fd620fc25d88a1e490eaa9f72bc31962be1b4741. Boot failures reported by KernelCI: [ 4.395400] mediatek-drm mediatek-drm.5.auto: bound 1c014000.merge (ops 0xffffd35fd12975f8) [ 4.396155] mediatek-drm mediatek-drm.5.auto: bound 1c000000.ovl (ops 0xffffd35fd12977b8) [ 4.411951] mediatek-drm mediatek-drm.5.auto: bound 1c002000.rdma (ops 0xffffd35fd12989c0) [ 4.536837] mediatek-drm mediatek-drm.5.auto: bound 1c004000.ccorr (ops 0xffffd35fd1296cf0) [ 4.545181] mediatek-drm mediatek-drm.5.auto: bound 1c005000.aal (ops 0xffffd35fd1296a80) [ 4.553344] mediatek-drm mediatek-drm.5.auto: bound 1c006000.gamma (ops 0xffffd35fd12972b0) [ 4.561680] mediatek-drm mediatek-drm.5.auto: bound 1c014000.merge (ops 0xffffd35fd12975f8) [ 4.570025] ------------[ cut here ]------------ [ 4.574630] refcount_t: underflow; use-after-free. [ 4.579416] WARNING: CPU: 6 PID: 81 at lib/refcount.c:28 refcount_warn_saturate+0xf4/0x148 [ 4.587670] Modules linked in: [ 4.590714] CPU: 6 UID: 0 PID: 81 Comm: kworker/u32:3 Tainted: G W 6.12.0 #1 cab58e2e59020ebd4be8ada89a65f465a316c742 [ 4.602695] Tainted: [W]=WARN [ 4.605649] Hardware name: Acer Tomato (rev2) board (DT) [ 4.610947] Workqueue: events_unbound deferred_probe_work_func [ 4.616768] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 4.623715] pc : refcount_warn_saturate+0xf4/0x148 [ 4.628493] lr : refcount_warn_saturate+0xf4/0x148 [ 4.633270] sp : ffff8000807639c0 [ 4.636571] x29: ffff8000807639c0 x28: ffff34ff4116c640 x27: ffff34ff4368e080 [ 4.643693] x26: ffffd35fd1299ac8 x25: ffff34ff46c8c410 x24: 0000000000000000 [ 4.650814] x23: ffff34ff4368e080 x22: 00000000fffffdfb x21: 0000000000000002 [ 4.657934] x20: ffff34ff470c6000 x19: ffff34ff410c7c10 x18: 0000000000000006 [ 4.665055] x17: 666678302073706f x16: 2820656772656d2e x15: ffff800080763440 [ 4.672176] x14: 0000000000000000 x13: 2e656572662d7265 x12: ffffd35fd2ed14f0 [ 4.679297] x11: 0000000000000001 x10: 0000000000000001 x9 : ffffd35fd0342150 [ 4.686418] x8 : c0000000ffffdfff x7 : ffffd35fd2e21450 x6 : 00000000000affa8 [ 4.693539] x5 : ffffd35fd2ed1498 x4 : 0000000000000000 x3 : 0000000000000000 [ 4.700660] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff34ff40932580 [ 4.707781] Call trace: [ 4.710216] refcount_warn_saturate+0xf4/0x148 (P) [ 4.714993] refcount_warn_saturate+0xf4/0x148 (L) [ 4.719772] kobject_put+0x110/0x118 [ 4.723335] put_device+0x1c/0x38 [ 4.726638] mtk_drm_bind+0x294/0x5c0 [ 4.730289] try_to_bring_up_aggregate_device+0x16c/0x1e0 [ 4.735673] __component_add+0xbc/0x1c0 [ 4.739495] component_add+0x1c/0x30 [ 4.743058] mtk_disp_rdma_probe+0x140/0x210 [ 4.747314] platform_probe+0x70/0xd0 [ 4.750964] really_probe+0xc4/0x2a8 [ 4.754527] __driver_probe_device+0x80/0x140 [ 4.758870] driver_probe_device+0x44/0x120 [ 4.763040] __device_attach_driver+0xc0/0x108 [ 4.767470] bus_for_each_drv+0x8c/0xf0 [ 4.771294] __device_attach+0xa4/0x198 [ 4.775117] device_initial_probe+0x1c/0x30 [ 4.779286] bus_probe_device+0xb4/0xc0 [ 4.783109] deferred_probe_work_func+0xb0/0x100 [ 4.787714] process_one_work+0x18c/0x420 [ 4.791712] worker_thread+0x30c/0x418 [ 4.795449] kthread+0x128/0x138 [ 4.798665] ret_from_fork+0x10/0x20 [ 4.802229] ---[ end trace 0000000000000000 ]--- Fixes: fd620fc25d88 ("drm/mediatek: Switch to for_each_child_of_node_scoped()") Cc: stable@vger.kernel.org Cc: Javier Carrasco Reported-by: Sasha Levin Closes: https://lore.kernel.org/lkml/Z0lNHdwQ3rODHQ2c@sashalap/T/#mfaa6343cfd4d59aae5912b095c0693c0553e746c Link: https://patchwork.kernel.org/project/dri-devel/patch/20241223151218.7958-1-chunkuang.hu@kernel.org/ Signed-off-by: Chun-Kuang Hu commit abbff41b6932cde359589fd51f4024b7c85f366b Author: Takashi Iwai Date: Mon Dec 30 12:40:22 2024 +0100 Revert "ALSA: ump: Don't enumeration invalid groups for legacy rawmidi" This reverts commit c2d188e137e77294323132a760a4608321a36a70. Although it's fine to filter the invalid UMP groups at the first probe time, this will become a problem when UMP groups are updated and (re-)activated. Then there is no way to re-add the substreams properly for the legacy rawmidi, and the new active groups will be still invisible. So let's revert the change. This will move back to showing the full 16 groups, but it's better than forever lost. Link: https://patch.msgid.link/20241230114023.3787-1-tiwai@suse.de Signed-off-by: Takashi Iwai commit 0179488ca992d79908b8e26b9213f1554fc5bacc Author: Takashi Iwai Date: Mon Dec 30 12:05:35 2024 +0100 ALSA: seq: oss: Fix races at processing SysEx messages OSS sequencer handles the SysEx messages split in 6 bytes packets, and ALSA sequencer OSS layer tries to combine those. It stores the data in the internal buffer and this access is racy as of now, which may lead to the out-of-bounds access. As a temporary band-aid fix, introduce a mutex for serializing the process of the SysEx message packets. Reported-by: Kun Hu Closes: https://lore.kernel.org/2B7E93E4-B13A-4AE4-8E87-306A8EE9BBB7@m.fudan.edu.cn Cc: Link: https://patch.msgid.link/20241230110543.32454-1-tiwai@suse.de Signed-off-by: Takashi Iwai commit 7439b395211874e20c24b2fe0e4903864357a3f5 Author: Al Viro Date: Sun Dec 29 18:52:32 2024 +0000 ALSA: compress_offload: fix remaining descriptor races in sound/core/compress_offload.c 3d3f43fab4cf ("ALSA: compress_offload: improve file descriptors installation for dma-buf") fixed some of descriptor races in snd_compr_task_new(), but there's a couple more left. We need to grab the references to dmabuf before moving them into descriptor table - trying to do that by descriptor afterwards might end up getting a different object, with a dangling reference left in task->{input,output} Fixes: 3d3f43fab4cf ("ALSA: compress_offload: improve file descriptors installation for dma-buf") Signed-off-by: Al Viro Link: https://patch.msgid.link/20241229185232.GA1977892@ZenIV Signed-off-by: Takashi Iwai commit ac9fae799eda81e24bbf2e0d5cb9e5c33fc9bdcb Author: Takashi Iwai Date: Sun Dec 29 09:39:13 2024 +0100 ALSA: compress_offload: Drop unneeded no_free_ptr() The error path for memdup_user() no longer needs the tricky wrap with no_free_ptr() and we can safely return the error pointer directly. Fixes: 04177158cf98 ("ALSA: compress_offload: introduce accel operation mode") Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202412290846.cncnpGaw-lkp@intel.com/ Link: https://patch.msgid.link/20241229083917.14912-1-tiwai@suse.de Signed-off-by: Takashi Iwai commit 6a451e2c5c03e27aa3ec36be424fccaa286c3ccd Author: Baojun Xu Date: Mon Dec 30 14:49:10 2024 +0800 ALSA: hda/tas2781: Ignore SUBSYS_ID not found for tas2563 projects Driver will return error if no SUBSYS_ID found in BIOS(acpi). It will cause error in tas2563 projects, which have no SUBSYS_ID. Fixes: 4e7035a75da9 ("ALSA: hda/tas2781: Add speaker id check for ASUS projects") Signed-off-by: Baojun Xu Link: https://lore.kernel.org/20241223225442.1358491-1-stuart.a.hayhurst@gmail.com Link: https://patch.msgid.link/20241230064910.1583-1-baojun.xu@ti.com Signed-off-by: Takashi Iwai commit fc033cf25e612e840e545f8d5ad2edd6ba613ed5 Author: Linus Torvalds Date: Sun Dec 29 13:15:45 2024 -0800 Linux 6.13-rc5 commit 4099a71718b056d16af5ba095c91016c3b107862 Merge: 6cbc4b29eb0d11 f718faf3940e95 Author: Linus Torvalds Date: Sun Dec 29 10:19:54 2024 -0800 Merge tag 'sched-urgent-2024-12-29' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull scheduler fix from Ingo Molnar: "Fix a procfs task state reporting regression when freezing sleeping tasks" * tag 'sched-urgent-2024-12-29' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: freezer, sched: Report frozen tasks as 'D' instead of 'R' commit 6cbc4b29eb0d115e9cf7dcc513a5324dc4c9fcc8 Merge: f65832a32f2e8b 27834971f616c5 Author: Linus Torvalds Date: Sun Dec 29 10:16:41 2024 -0800 Merge tag 'x86-urgent-2024-12-29' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 fixes from Ingo Molnar: - Fix a hang in the "kernel IBT no ENDBR" self-test that may trigger on FRED systems, caused by incomplete FRED state cleanup in the #CP fault handler - Improve TDX (Coco VM) guest unrecoverable error handling to not potentially leak decrypted memory * tag 'x86-urgent-2024-12-29' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: virt: tdx-guest: Just leak decrypted memory on unrecoverable errors x86/fred: Clear WFE in missing-ENDBRANCH #CPs commit f65832a32f2e8bd9d16e1bf2c3653f5dd4dc9533 Merge: bcfac5530a7880 aa5d2ca7c179c4 Author: Linus Torvalds Date: Sun Dec 29 10:14:08 2024 -0800 Merge tag 'perf-urgent-2024-12-29' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 perf fixes from Ingo Molnar: - Fix Intel Lunar Lake build-in event definitions - Fall back to (compatible) legacy features on new Intel PEBS format v6 hardware - Enable uncore support on Intel Clearwater Forest CPUs, which is the same as the existing Sierra Forest uncore driver * tag 'perf-urgent-2024-12-29' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: perf/x86/intel: Fix bitmask of OCR and FRONTEND events for LNC perf/x86/intel/ds: Add PEBS format 6 perf/x86/intel/uncore: Add Clearwater Forest support commit bcfac5530a7880c762fd4fe6c86e3c79710fa454 Merge: bf7a281b806342 31ad36a2712906 Author: Linus Torvalds Date: Sun Dec 29 10:07:40 2024 -0800 Merge tag 'objtool-urgent-2024-12-29' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull objtool fix from Ingo Molnar: "Fix false positive objtool build warning related to a noreturn function in the bcachefs code" * tag 'objtool-urgent-2024-12-29' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: objtool: Add bch2_trans_unlocked_error() to bcachefs noreturns commit bf7a281b806342ff0750827853bf16e53a082073 Merge: feffd35a03445e 4a077914578183 Author: Linus Torvalds Date: Sun Dec 29 10:04:47 2024 -0800 Merge tag 'locking-urgent-2024-12-29' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull locking fix from Ingo Molnar: "Fix missed rtmutex wakeups causing sporadic boot hangs and other misbehavior" * tag 'locking-urgent-2024-12-29' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: locking/rtmutex: Make sure we wake anything on the wake_q when we release the lock->wait_lock commit feffd35a03445ed2e9ea65f47af5fc9a0d1ede80 Merge: c059361673e487 a60b990798eb17 Author: Linus Torvalds Date: Sun Dec 29 10:03:01 2024 -0800 Merge tag 'irq-urgent-2024-12-29' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull irq fix from Ingo Molnar: "Fix bogus MSI IRQ setup warning on RISC-V" * tag 'irq-urgent-2024-12-29' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: PCI/MSI: Handle lack of irqdomain gracefully commit c059361673e487fe33bb736fb944f313024ad726 Merge: e1d93266083955 fca432e73db2be Author: Linus Torvalds Date: Sun Dec 29 09:34:34 2024 -0800 Merge tag 'for-6.13-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux Pull btrfs fixes from David Sterba: "A few more fixes that accumulated over the last two weeks, fixing some user reported problems: - swapfile fixes: - conditional reschedule in the activation loop - fix race with memory mapped file when activating - make activation loop interruptible - rework and fix extent sharing checks - folio fixes: - in send, recheck folio mapping after unlock - in relocation, recheck folio mapping after unlock - fix waiting for encoded read io_uring requests - fix transaction atomicity when enabling simple quotas - move COW block trace point before the block gets freed - print various sizes in sysfs with correct endianity" * tag 'for-6.13-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux: btrfs: sysfs: fix direct super block member reads btrfs: fix transaction atomicity bug when enabling simple quotas btrfs: avoid monopolizing a core when activating a swap file btrfs: allow swap activation to be interruptible btrfs: fix swap file activation failure due to extents that used to be shared btrfs: fix race with memory mapped writes when activating swap file btrfs: check folio mapping after unlock in put_file_data() btrfs: check folio mapping after unlock in relocate_one_folio() btrfs: fix use-after-free when COWing tree bock and tracing is enabled btrfs: fix use-after-free waiting for encoded read endios commit e1d9326608395543d9c4d1bf2932f14fdb75c3c5 Merge: 059dd502b263d8 f802f11b2336b0 Author: Linus Torvalds Date: Sun Dec 29 09:31:55 2024 -0800 Merge tag 'i2c-for-6.13-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux Pull i2c fixes from Wolfram Sang: - IMX: fix stop condition in single master mode and add compatible string for errata adherence - Microchip: Add support for proper repeated sends and fix unnecessary NAKs on empty messages, which caused false bus detection * tag 'i2c-for-6.13-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux: i2c: microchip-core: fix "ghost" detections i2c: microchip-core: actually use repeated sends i2c: imx: add imx7d compatible string for applying erratum ERR007805 i2c: imx: fix missing stop condition in single-master mode commit 7e16ae558a87ac9099b6a93a43f19b42d809fd78 Author: Vishnu Sankar Date: Sat Dec 28 08:18:40 2024 +0900 platform/x86: thinkpad-acpi: Add support for hotkey 0x1401 F8 mode key on Lenovo 2025 platforms use a different key code. Adding support for the new keycode 0x1401. Tested on X1 Carbon Gen 13 and X1 2-in-1 Gen 10. Signed-off-by: Vishnu Sankar Reviewed-by: Mark Pearson Link: https://lore.kernel.org/r/20241227231840.21334-1-vishnuocv@gmail.com Reviewed-by: Ilpo Järvinen Signed-off-by: Ilpo Järvinen commit 032fe9b0516702599c2dd990a4703f783d5716b8 Author: Mingcong Bai Date: Thu Dec 26 14:22:05 2024 +0800 platform/x86: hp-wmi: mark 8A15 board for timed OMEN thermal profile The HP OMEN 8 (2022), corresponding to a board ID of 8A15, supports OMEN thermal profile and requires the timed profile quirk. Upon adding this ID to both the omen_thermal_profile_boards and omen_timed_thermal_profile_boards, significant bump in performance can be observed. For instance, SilverBench (https://silver.urih.com/) results improved from ~56,000 to ~69,000, as a result of higher power draws (and thus core frequencies) whilst under load: Package Power: - Before the patch: ~65W (dropping to about 55W under sustained load). - After the patch: ~115W (dropping to about 105W under sustained load). Core Power: - Before: ~60W (ditto above). - After: ~108W (ditto above). Add 8A15 to omen_thermal_profile_boards and omen_timed_thermal_profile_boards to improve performance. Signed-off-by: Xi Xiao <1577912515@qq.com> Signed-off-by: Mingcong Bai Link: https://lore.kernel.org/r/20241226062207.3352629-1-jeffbai@aosc.io Reviewed-by: Ilpo Järvinen Signed-off-by: Ilpo Järvinen commit 27834971f616c5e154423c578fa95e0444444ce1 Author: Li RongQing Date: Wed Jun 19 19:18:01 2024 +0800 virt: tdx-guest: Just leak decrypted memory on unrecoverable errors In CoCo VMs it is possible for the untrusted host to cause set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues. Leak the decrypted memory when set_memory_decrypted() fails, and don't need to print an error since set_memory_decrypted() will call WARN_ONCE(). Fixes: f4738f56d1dc ("virt: tdx-guest: Add Quote generation support using TSM_REPORTS") Signed-off-by: Li RongQing Signed-off-by: Dave Hansen Signed-off-by: Ingo Molnar Reviewed-by: Rick Edgecombe Reviewed-by: Kirill A. Shutemov Cc: stable@vger.kernel.org Link: https://lore.kernel.org/all/20240619111801.25630-1-lirongqing%40baidu.com commit dc81e556f2a017d681251ace21bf06c126d5a192 Author: Xin Li (Intel) Date: Wed Nov 13 09:59:34 2024 -0800 x86/fred: Clear WFE in missing-ENDBRANCH #CPs An indirect branch instruction sets the CPU indirect branch tracker (IBT) into WAIT_FOR_ENDBRANCH (WFE) state and WFE stays asserted across the instruction boundary. When the decoder finds an inappropriate instruction while WFE is set ENDBR, the CPU raises a #CP fault. For the "kernel IBT no ENDBR" selftest where #CPs are deliberately triggered, the WFE state of the interrupted context needs to be cleared to let execution continue. Otherwise when the CPU resumes from the instruction that just caused the previous #CP, another missing-ENDBRANCH #CP is raised and the CPU enters a dead loop. This is not a problem with IDT because it doesn't preserve WFE and IRET doesn't set WFE. But FRED provides space on the entry stack (in an expanded CS area) to save and restore the WFE state, thus the WFE state is no longer clobbered, so software must clear it. Clear WFE to avoid dead looping in ibt_clear_fred_wfe() and the !ibt_fatal code path when execution is allowed to continue. Clobbering WFE in any other circumstance is a security-relevant bug. [ dhansen: changelog rewording ] Fixes: a5f6c2ace997 ("x86/shstk: Add user control-protection fault handler") Signed-off-by: Xin Li (Intel) Signed-off-by: Dave Hansen Signed-off-by: Ingo Molnar Acked-by: Dave Hansen Cc: stable@vger.kernel.org Link: https://lore.kernel.org/all/20241113175934.3897541-1-xin%40zytor.com commit f718faf3940e95d5d34af9041f279f598396ab7d Author: Chen Ridong Date: Tue Dec 17 00:48:18 2024 +0000 freezer, sched: Report frozen tasks as 'D' instead of 'R' Before commit: f5d39b020809 ("freezer,sched: Rewrite core freezer logic") the frozen task stat was reported as 'D' in cgroup v1. However, after rewriting the core freezer logic, the frozen task stat is reported as 'R'. This is confusing, especially when a task with stat of 'S' is frozen. This bug can be reproduced with these steps: $ cd /sys/fs/cgroup/freezer/ $ mkdir test $ sleep 1000 & [1] 739 // task whose stat is 'S' $ echo 739 > test/cgroup.procs $ echo FROZEN > test/freezer.state $ ps -aux | grep 739 root 739 0.1 0.0 8376 1812 pts/0 R 10:56 0:00 sleep 1000 As shown above, a task whose stat is 'S' was changed to 'R' when it was frozen. To solve this regression, simply maintain the same reported state as before the rewrite. [ mingo: Enhanced the changelog and comments ] Fixes: f5d39b020809 ("freezer,sched: Rewrite core freezer logic") Signed-off-by: Chen Ridong Signed-off-by: Peter Zijlstra (Intel) Signed-off-by: Ingo Molnar Acked-by: Tejun Heo Acked-by: Michal Koutný Link: https://lore.kernel.org/r/20241217004818.3200515-1-chenridong@huaweicloud.com commit 31ad36a271290648e7c2288a03d7b933d20254d6 Author: chenchangcheng Date: Fri Dec 20 15:48:47 2024 +0800 objtool: Add bch2_trans_unlocked_error() to bcachefs noreturns Fix the following objtool warning during build time: fs/bcachefs/btree_trans_commit.o: warning: objtool: bch2_trans_commit_write_locked.isra.0() falls through to next function do_bch2_trans_commit.isra.0() fs/bcachefs/btree_trans_commit.o: warning: objtool: .text: unexpected end of section ...... fs/bcachefs/btree_update.o: warning: objtool: bch2_trans_update_get_key_cache() falls through to next function flush_new_cached_update() fs/bcachefs/btree_update.o: warning: objtool: flush_new_cached_update() falls through to next function bch2_trans_update_by_path() bch2_trans_unlocked_error() is an Obviously Correct (tm) panic() wrapper, add it to the list of known noreturns. [ mingo: Improved the changelog ] Fixes: fd104e2967b7 ("bcachefs: bch2_trans_verify_not_unlocked()") Signed-off-by: chenchangcheng Signed-off-by: Peter Zijlstra (Intel) Signed-off-by: Ingo Molnar Link: https://lkml.kernel.org/r/20241220074847.3418134-1-ccc194101@163.com commit b06a6187ef983f501e93faa56209169752d3bde3 Author: Tanya Agarwal Date: Sun Dec 29 11:32:42 2024 +0530 ALSA: usb-audio: US16x08: Initialize array before use Initialize meter_urb array before use in mixer_us16x08.c. CID 1410197: (#1 of 1): Uninitialized scalar variable (UNINIT) uninit_use_in_call: Using uninitialized value *meter_urb when calling get_meter_levels_from_urb. Coverity Link: https://scan7.scan.coverity.com/#/project-view/52849/11354?selectedIssue=1410197 Fixes: d2bb390a2081 ("ALSA: usb-audio: Tascam US-16x08 DSP mixer quirk") Signed-off-by: Tanya Agarwal Link: https://patch.msgid.link/20241229060240.1642-1-tanyaagarwal25699@gmail.com Signed-off-by: Takashi Iwai commit 38fc96a58ce40257aec79b32e9b310c86907c63c Author: Pavel Begunkov Date: Sat Dec 28 17:44:52 2024 +0000 io_uring/rw: fix downgraded mshot read The io-wq path can downgrade a multishot request to oneshot mode, however io_read_mshot() doesn't handle that and would still post multiple CQEs. That's not allowed, because io_req_post_cqe() requires stricter context requirements. The described can only happen with pollable files that don't support FMODE_NOWAIT, which is an odd combination, so if even allowed it should be fairly rare. Cc: stable@vger.kernel.org Reported-by: chase xd Fixes: bee1d5becdf5b ("io_uring: disable io-wq execution of multishot NOWAIT requests") Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/c5c8c4a50a882fd581257b81bf52eee260ac29fd.1735407848.git.asml.silence@gmail.com Signed-off-by: Jens Axboe commit 059dd502b263d8a4e2a84809cf1068d6a3905e6f Merge: d19a3ee573e31d 75cd4005da5492 Author: Linus Torvalds Date: Sat Dec 28 11:02:35 2024 -0800 Merge tag 'block-6.13-20241228' of git://git.kernel.dk/linux Pull block fix from Jens Axboe: "Just a single fix for ublk setup error handling" * tag 'block-6.13-20241228' of git://git.kernel.dk/linux: ublk: detach gendisk from ublk device if add_disk() fails commit d19a3ee573e31d74d5d13595ec515660ac8a3800 Merge: e51da4a2324e59 e33ac68e5e21ec Author: Linus Torvalds Date: Sat Dec 28 11:00:29 2024 -0800 Merge tag 'io_uring-6.13-20241228' of git://git.kernel.dk/linux Pull io_uring fix from Jens Axboe: "Just a single fix for a theoretical issue with SQPOLL setup" * tag 'io_uring-6.13-20241228' of git://git.kernel.dk/linux: io_uring/sqpoll: fix sqpoll error handling races commit e51da4a2324e595af54a0cb3b4c35eed87548de4 Merge: fd0584d220fe28 f17224c2a7bdc1 Author: Linus Torvalds Date: Sat Dec 28 10:58:01 2024 -0800 Merge tag '6.13-rc4-SMB3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6 Pull smb client fixes from Steve French: - fix caching of files that will be reused for write - minor cleanup * tag '6.13-rc4-SMB3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6: cifs: Remove unused is_server_using_iface() smb: enable reuse of deferred file handles for write operations commit 8fe1a63d3d99d86f1bdc034505aad6fc70424737 Author: Masahiro Yamada Date: Thu Dec 26 00:33:37 2024 +0900 modpost: work around unaligned data access error With the latest binutils, modpost fails with a bus error on some architectures such as ARM and sparc64. Since binutils commit 1f1b5e506bf0 ("bfd/ELF: restrict file alignment for object files"), the byte offset to each section (sh_offset) in relocatable ELF is no longer guaranteed to be aligned. modpost parses MODULE_DEVICE_TABLE() data structures, which are usually located in the .rodata section. If it is not properly aligned, unaligned access errors may occur. To address the issue, this commit imports the get_unaligned() helper from include/linux/unaligned.h. The get_unaligned_native() helper caters to the endianness in addition to handling the unaligned access. I slightly refactored do_pcmcia_entry() and do_input() to avoid writing back to an unaligned address. (We would need the put_unaligned() helper to do that.) The addend_*_rel() functions need similar adjustments because the .text sections are not aligned either. It seems that the .symtab, .rel.* and .rela.* sections are still aligned. Keep normal pointer access for these sections to avoid unnecessary performance costs. Reported-by: Paulo Pisati Reported-by: Matthias Klose Closes: https://sourceware.org/bugzilla/show_bug.cgi?id=32435 Reported-by: John Paul Adrian Glaubitz Closes: https://sourceware.org/bugzilla/show_bug.cgi?id=32493 Signed-off-by: Masahiro Yamada Tested-by: John Paul Adrian Glaubitz commit e1352d7ead2b8803689823cd4059c1ec72609ed4 Author: Masahiro Yamada Date: Thu Dec 26 00:33:36 2024 +0900 modpost: refactor do_vmbus_entry() Optimize the size of guid_name[], as it only requires 1 additional byte for '\0' instead of 2. Simplify the loop by incrementing the iterator by 1 instead of 2. Remove the unnecessary TO_NATIVE() call, as the guid is represented as a byte stream. Signed-off-by: Masahiro Yamada Tested-by: John Paul Adrian Glaubitz commit bf36b4bf1b9a7a0015610e2f038ee84ddb085de2 Author: Masahiro Yamada Date: Thu Dec 26 00:33:35 2024 +0900 modpost: fix the missed iteration for the max bit in do_input() This loop should iterate over the range from 'min' to 'max' inclusively. The last interation is missed. Fixes: 1d8f430c15b3 ("[PATCH] Input: add modalias support") Signed-off-by: Masahiro Yamada Tested-by: John Paul Adrian Glaubitz commit 7a6c355b55c051eb37cb15d191241da3aa3d6cba Author: Mostafa Saleh Date: Mon Dec 23 12:44:53 2024 +0000 scripts/mksysmap: Fix escape chars '$' Commit b18b047002b7 ("kbuild: change scripts/mksysmap into sed script") changed the invocation of the script, to call sed directly without shell. That means, the current extra escape that was added in: commit ec336aa83162 ("scripts/mksysmap: Fix badly escaped '$'") for the shell is not correct any more, at the moment the stack traces for nvhe are corrupted: [ 22.840904] kvm [190]: [] __kvm_nvhe_$x.220+0x58/0x9c [ 22.842913] kvm [190]: [] __kvm_nvhe_$x.9+0x44/0x50 [ 22.844112] kvm [190]: [] __kvm_nvhe___skip_pauth_save+0x4/0x4 With this patch: [ 25.793513] kvm [192]: nVHE call trace: [ 25.794141] kvm [192]: [] __kvm_nvhe_hyp_panic+0xb0/0xf4 [ 25.796590] kvm [192]: [] __kvm_nvhe_handle_trap+0xe4/0x188 [ 25.797553] kvm [192]: [] __kvm_nvhe___skip_pauth_save+0x4/0x4 Fixes: b18b047002b7 ("kbuild: change scripts/mksysmap into sed script") Signed-off-by: Mostafa Saleh Reviewed-by: Nathan Chancellor Signed-off-by: Masahiro Yamada commit fd0584d220fe285dc45be43eede55df89ad6a3d9 Merge: 8379578b11d5e0 6cc45f8c1f8985 Author: Linus Torvalds Date: Fri Dec 27 15:31:52 2024 -0800 Merge tag 'trace-tools-v6.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace Pull tracing tool fix from Steven Rostedt: - Fix rtla divide by zero when the count is zero in histograms * tag 'trace-tools-v6.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: rtla/timerlat: Fix histogram ALL for zero samples commit f802f11b2336b0f5c522c6ba827a013bb0b83826 Merge: 78d4f34e2115b5 49e1f0fd0d4cb0 Author: Wolfram Sang Date: Sat Dec 28 00:25:04 2024 +0100 Merge tag 'i2c-host-fixes-6.13-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/andi.shyti/linux into i2c/for-current i2c-host-fixes for v6.13-rc5 - IMX: fixed stop condition in single master mode and added compatible string for errata adherence. - Microchip: Added support for proper repeated sends and fixed unnecessary NAKs on empty messages, which caused false bus detection. commit 36e3b1f9abe359b2bc25e81bc47b64354e42c9b1 Author: Chunguang.xu Date: Tue Dec 3 11:39:55 2024 +0800 nvme-tcp: remove nvme_tcp_destroy_io_queues() Now when destroying the IO queue we call nvme_tcp_stop_io_queues() twice, nvme_tcp_destroy_io_queues() has an unnecessary call. Here we try to remove nvme_tcp_destroy_io_queues() and merge it into nvme_tcp_teardown_io_queues(), simplify the code and align with nvme-rdma, make it easy to maintaince. Signed-off-by: Chunguang.xu Reviewed-by: Sagi Grimberg Reviewed-by: Christoph Hellwig Signed-off-by: Keith Busch commit 74d16965d7ac378d28ebd833ae6d6a097186a4ec Author: Nilay Shroff Date: Wed Dec 11 14:28:06 2024 +0530 nvmet-loop: avoid using mutex in IO hotpath Using mutex lock in IO hot path causes the kernel BUG sleeping while atomic. Shinichiro[1], first encountered this issue while running blktest nvme/052 shown below: BUG: sleeping function called from invalid context at kernel/locking/mutex.c:585 in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 996, name: (udev-worker) preempt_count: 0, expected: 0 RCU nest depth: 1, expected: 0 2 locks held by (udev-worker)/996: #0: ffff8881004570c8 (mapping.invalidate_lock){.+.+}-{3:3}, at: page_cache_ra_unbounded+0x155/0x5c0 #1: ffffffff8607eaa0 (rcu_read_lock){....}-{1:2}, at: blk_mq_flush_plug_list+0xa75/0x1950 CPU: 2 UID: 0 PID: 996 Comm: (udev-worker) Not tainted 6.12.0-rc3+ #339 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 Call Trace: dump_stack_lvl+0x6a/0x90 __might_resched.cold+0x1f7/0x23d ? __pfx___might_resched+0x10/0x10 ? vsnprintf+0xdeb/0x18f0 __mutex_lock+0xf4/0x1220 ? nvmet_subsys_nsid_exists+0xb9/0x150 [nvmet] ? __pfx_vsnprintf+0x10/0x10 ? __pfx___mutex_lock+0x10/0x10 ? snprintf+0xa5/0xe0 ? xas_load+0x1ce/0x3f0 ? nvmet_subsys_nsid_exists+0xb9/0x150 [nvmet] nvmet_subsys_nsid_exists+0xb9/0x150 [nvmet] ? __pfx_nvmet_subsys_nsid_exists+0x10/0x10 [nvmet] nvmet_req_find_ns+0x24e/0x300 [nvmet] nvmet_req_init+0x694/0xd40 [nvmet] ? blk_mq_start_request+0x11c/0x750 ? nvme_setup_cmd+0x369/0x990 [nvme_core] nvme_loop_queue_rq+0x2a7/0x7a0 [nvme_loop] ? __pfx___lock_acquire+0x10/0x10 ? __pfx_nvme_loop_queue_rq+0x10/0x10 [nvme_loop] __blk_mq_issue_directly+0xe2/0x1d0 ? __pfx___blk_mq_issue_directly+0x10/0x10 ? blk_mq_request_issue_directly+0xc2/0x140 blk_mq_plug_issue_direct+0x13f/0x630 ? lock_acquire+0x2d/0xc0 ? blk_mq_flush_plug_list+0xa75/0x1950 blk_mq_flush_plug_list+0xa9d/0x1950 ? __pfx_blk_mq_flush_plug_list+0x10/0x10 ? __pfx_mpage_readahead+0x10/0x10 __blk_flush_plug+0x278/0x4d0 ? __pfx___blk_flush_plug+0x10/0x10 ? lock_release+0x460/0x7a0 blk_finish_plug+0x4e/0x90 read_pages+0x51b/0xbc0 ? __pfx_read_pages+0x10/0x10 ? lock_release+0x460/0x7a0 page_cache_ra_unbounded+0x326/0x5c0 force_page_cache_ra+0x1ea/0x2f0 filemap_get_pages+0x59e/0x17b0 ? __pfx_filemap_get_pages+0x10/0x10 ? lock_is_held_type+0xd5/0x130 ? __pfx___might_resched+0x10/0x10 ? find_held_lock+0x2d/0x110 filemap_read+0x317/0xb70 ? up_write+0x1ba/0x510 ? __pfx_filemap_read+0x10/0x10 ? inode_security+0x54/0xf0 ? selinux_file_permission+0x36d/0x420 blkdev_read_iter+0x143/0x3b0 vfs_read+0x6ac/0xa20 ? __pfx_vfs_read+0x10/0x10 ? __pfx_vm_mmap_pgoff+0x10/0x10 ? __pfx___seccomp_filter+0x10/0x10 ksys_read+0xf7/0x1d0 ? __pfx_ksys_read+0x10/0x10 do_syscall_64+0x93/0x180 ? lockdep_hardirqs_on_prepare+0x16d/0x400 ? do_syscall_64+0x9f/0x180 ? lockdep_hardirqs_on+0x78/0x100 ? do_syscall_64+0x9f/0x180 ? lockdep_hardirqs_on_prepare+0x16d/0x400 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f565bd1ce11 Code: 00 48 8b 15 09 90 0d 00 f7 d8 64 89 02 b8 ff ff ff ff eb bd e8 d0 ad 01 00 f3 0f 1e fa 80 3d 35 12 0e 00 00 74 13 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 4f c3 66 0f 1f 44 00 00 55 48 89 e5 48 83 ec RSP: 002b:00007ffd6e7a20c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 0000000000001000 RCX: 00007f565bd1ce11 RDX: 0000000000001000 RSI: 00007f565babb000 RDI: 0000000000000014 RBP: 00007ffd6e7a2130 R08: 00000000ffffffff R09: 0000000000000000 R10: 0000556000bfa610 R11: 0000000000000246 R12: 000000003ffff000 R13: 0000556000bfa5b0 R14: 0000000000000e00 R15: 0000556000c07328 Apparently, the above issue is caused due to using mutex lock while we're in IO hot path. It's a regression caused with commit 505363957fad ("nvmet: fix nvme status code when namespace is disabled"). The mutex ->su_mutex is used to find whether a disabled nsid exists in the config group or not. This is to differentiate between a nsid that is disabled vs non-existent. To mitigate the above issue, we've worked upon a fix[2] where we now insert nsid in subsys Xarray as soon as it's created under config group and later when that nsid is enabled, we add an Xarray mark on it and set ns->enabled to true. The Xarray mark is useful while we need to loop through all enabled namepsaces under a subsystem using xa_for_each_marked() API. If later a nsid is disabled then we clear Xarray mark from it and also set ns->enabled to false. It's only when nsid is deleted from the config group we delete it from the Xarray. So with this change, now we could easily differentiate a nsid is disabled (i.e. Xarray entry for ns exists but ns->enabled is set to false) vs non- existent (i.e.Xarray entry for ns doesn't exist). Link: https://lore.kernel.org/linux-nvme/20241022070252.GA11389@lst.de/ [2] Reported-by: Shinichiro Kawasaki Closes: https://lore.kernel.org/linux-nvme/tqcy3sveity7p56v7ywp7ssyviwcb3w4623cnxj3knoobfcanq@yxgt2mjkbkam/ [1] Fixes: 505363957fad ("nvmet: fix nvme status code when namespace is disabled") Fix-suggested-by: Christoph Hellwig Reviewed-by: Hannes Reinecke Reviewed-by: Chaitanya Kulkarni Reviewed-by: Sagi Grimberg Reviewed-by: Christoph Hellwig Signed-off-by: Nilay Shroff Signed-off-by: Keith Busch commit b579d6fdc3a9149bb4d2b3133cc0767130ed13e6 Author: Luis Chamberlain Date: Tue Dec 17 18:33:25 2024 -0800 nvmet: propagate npwg topology Ensure we propagate npwg to the target as well instead of assuming its the same logical blocks per physical block. This ensures devices with large IUs information properly propagated on the target. Signed-off-by: Luis Chamberlain Reviewed-by: Sagi Grimberg Signed-off-by: Keith Busch commit 4db3d750ac7e894278ef1cb1c53cc7d883060496 Author: Leo Stone Date: Wed Dec 18 10:49:57 2024 -0800 nvmet: Don't overflow subsysnqn nvmet_root_discovery_nqn_store treats the subsysnqn string like a fixed size buffer, even though it is dynamically allocated to the size of the string. Create a new string with kstrndup instead of using the old buffer. Reported-by: syzbot+ff4aab278fa7e27e0f9e@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=ff4aab278fa7e27e0f9e Fixes: 95409e277d83 ("nvmet: implement unique discovery NQN") Signed-off-by: Leo Stone Reviewed-by: Sagi Grimberg Reviewed-by: Christoph Hellwig Signed-off-by: Keith Busch commit a024e377efed31ecfb39210bed562932321345b3 Author: Antonio Pastor Date: Tue Dec 24 20:07:20 2024 -0500 net: llc: reset skb->transport_header 802.2+LLC+SNAP frames received by napi_complete_done with GRO and DSA have skb->transport_header set two bytes short, or pointing 2 bytes before network_header & skb->data. As snap_rcv expects transport_header to point to SNAP header (OID:PID) after LLC processing advances offset over LLC header (llc_rcv & llc_fixup_skb), code doesn't find a match and packet is dropped. Between napi_complete_done and snap_rcv, transport_header is not used until __netif_receive_skb_core, where originally it was being reset. Commit fda55eca5a33 ("net: introduce skb_transport_header_was_set()") only does so if not set, on the assumption the value was set correctly by GRO (and also on assumption that "network stacks usually reset the transport header anyway"). Afterwards it is moved forward by llc_fixup_skb. Locally generated traffic shows up at __netif_receive_skb_core with no transport_header set and is processed without issue. On a setup with GRO but no DSA, transport_header and network_header are both set to point to skb->data which is also correct. As issue is LLC specific, to avoid impacting non-LLC traffic, and to follow up on original assumption made on previous code change, llc_fixup_skb to reset the offset after skb pull. llc_fixup_skb assumes the LLC header is at skb->data, and by definition SNAP header immediately follows. Fixes: fda55eca5a33 ("net: introduce skb_transport_header_was_set()") Signed-off-by: Antonio Pastor Reviewed-by: Eric Dumazet Link: https://patch.msgid.link/20241225010723.2830290-1-antonio.pastor@gmail.com Signed-off-by: Jakub Kicinski commit daefdbb5cc39247cf85122f52d3021e6c4d7aa19 Merge: 1fa9d91e9f2549 542ed8145e6f93 Author: Jakub Kicinski Date: Fri Dec 27 11:21:32 2024 -0800 Merge tag 'nf-24-12-25' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following batch contains one Netfilter fix for net: 1) Fix unaligned atomic read on struct nft_set_ext in nft_set_hash backend that causes an alignment failure splat on aarch64. This is related to a recent fix and it has been reported via the regressions mailing list. * tag 'nf-24-12-25' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf: netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext ==================== Link: https://patch.msgid.link/20241224233109.361755-1-pablo@netfilter.org Signed-off-by: Jakub Kicinski commit 1fa9d91e9f2549e3a4bc90495c6ec615c56702a6 Merge: b3a69c559899b0 4f363fe9f6b28e Author: Jakub Kicinski Date: Fri Dec 27 11:16:25 2024 -0800 Merge branch 'netlink-specs-mptcp-fixes-for-some-descriptions' Matthieu Baerts says: ==================== netlink: specs: mptcp: fixes for some descriptions When looking at the MPTCP PM Netlink specs rendered version [1], a few small issues have been found with the descriptions, and fixed here: - Patch 1: add a missing attribute for two events. For >= v5.19. - Patch 2: clearly mention the attributes. For >= v6.7. - Patch 3: fix missing descriptions and replace a wrong one. For >= v6.7. Link: https://docs.kernel.org/networking/netlink_spec/mptcp_pm.html [1] v1: https://lore.kernel.org/20241219-net-mptcp-netlink-specs-pm-doc-fixes-v1-0-825d3b45f27b@kernel.org ==================== Link: https://patch.msgid.link/20241221-net-mptcp-netlink-specs-pm-doc-fixes-v2-0-e54f2db3f844@kernel.org Signed-off-by: Jakub Kicinski commit 4f363fe9f6b28ed9b714cd7fe5ce880171927dab Author: Matthieu Baerts (NGI0) Date: Sat Dec 21 12:09:16 2024 +0100 netlink: specs: mptcp: fix missing doc Two operations didn't have a small description. It looks like something that has been missed in the original commit introducing this file. Replace the two "todo" by a small and simple description: Create/Destroy subflow. While at it, also uniform the capital letters, avoid double spaces, and fix the "announce" event description: a new "address" has been announced, not a new "subflow". Reviewed-by: Geliang Tang Signed-off-by: Matthieu Baerts (NGI0) Link: https://patch.msgid.link/20241221-net-mptcp-netlink-specs-pm-doc-fixes-v2-3-e54f2db3f844@kernel.org Signed-off-by: Jakub Kicinski commit bea87657b5ee8e6f18af2833ee4b88212ef52d28 Author: Matthieu Baerts (NGI0) Date: Sat Dec 21 12:09:15 2024 +0100 netlink: specs: mptcp: clearly mention attributes The rendered version of the MPTCP events [1] looked strange, because the whole content of the 'doc' was displayed in the same block. It was then not clear that the first words, not even ended by a period, were the attributes that are defined when such events are emitted. These attributes have now been moved to the end, prefixed by 'Attributes:' and ended with a period. Note that '>-' has been added after 'doc:' to allow ':' in the text below. The documentation in the UAPI header has been auto-generated by: ./tools/net/ynl/ynl-regen.sh Link: https://docs.kernel.org/networking/netlink_spec/mptcp_pm.html#event-type [1] Reviewed-by: Geliang Tang Signed-off-by: Matthieu Baerts (NGI0) Link: https://patch.msgid.link/20241221-net-mptcp-netlink-specs-pm-doc-fixes-v2-2-e54f2db3f844@kernel.org Signed-off-by: Jakub Kicinski commit 6b830c6a023ff6e8fe05dbe47a9e5cd276df09ee Author: Matthieu Baerts (NGI0) Date: Sat Dec 21 12:09:14 2024 +0100 netlink: specs: mptcp: add missing 'server-side' attr This attribute is added with the 'created' and 'established' events, but the documentation didn't mention it. The documentation in the UAPI header has been auto-generated by: ./tools/net/ynl/ynl-regen.sh Reviewed-by: Geliang Tang Signed-off-by: Matthieu Baerts (NGI0) Link: https://patch.msgid.link/20241221-net-mptcp-netlink-specs-pm-doc-fixes-v2-1-e54f2db3f844@kernel.org Signed-off-by: Jakub Kicinski commit 8379578b11d5e073792b5db2690faa12effce8e0 Merge: eff4f675836098 b3ded6072c5600 Author: Linus Torvalds Date: Fri Dec 27 11:10:56 2024 -0800 Merge tag 'for-v6.13-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply Pull power supply fixes from Sebastian Reichel: - fix potential array out of bounds access in gpio-charger - cros_charge-control: - fix concurrent sysfs access - allow start_threshold == end_threshold - workaround limited v2 charge threshold API - bq24296: fix vbus regulator handling * tag 'for-v6.13-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply: power: supply: bq24190: Fix BQ24296 Vbus regulator support power: supply: cros_charge-control: hide start threshold on v2 cmd power: supply: cros_charge-control: allow start_threshold == end_threshold power: supply: cros_charge-control: add mutex for driver data power: supply: gpio-charger: Fix set charge current limits commit eff4f6758360986fa913c2f17b4960645f4f4b1c Merge: 411a678d30ee7c 05aa156e156ef3 Author: Linus Torvalds Date: Fri Dec 27 11:06:29 2024 -0800 Merge tag 'powerpc-6.13-3' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux Pull powerpc fix from Madhavan Srinivasan: - Add close() callback in vas_vm_ops struct for proper cleanup Thanks to Haren Myneni. * tag 'powerpc-6.13-3' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: powerpc/pseries/vas: Add close() callback in vas_vm_ops struct commit 411a678d30ee7c0a5a53d51121c4b51efff98e9d Merge: f0bc704f4688ab d685d55dfc86b1 Author: Linus Torvalds Date: Fri Dec 27 11:03:15 2024 -0800 Merge tag 'probes-fixes-v6.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace Pull probes fix from Masami Hiramatsu: "Change the priority of the module callback of kprobe events so that it is called after the jump label list on the module is updated. This ensures the kprobe can check whether it is not on the jump label address correctly" * tag 'probes-fixes-v6.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: tracing/kprobe: Make trace_kprobe's module callback called after jump_label update commit f0bc704f4688ab6625dc1226cf33338c638ae6b8 Merge: 2c2b3d906c88a4 724c6ce38bbaeb Author: Linus Torvalds Date: Fri Dec 27 10:39:05 2024 -0800 Merge tag 'hardening-v6.13-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux Pull hardening fix from Kees Cook: - stddef: make __struct_group() UAPI C++-friendly (Alexander Lobakin) * tag 'hardening-v6.13-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: stddef: make __struct_group() UAPI C++-friendly commit 2c2b3d906c88a40b75f8d258119400a047e587de Merge: d6ef8b40d075c4 98feccbf32cfdd Author: Linus Torvalds Date: Fri Dec 27 10:33:21 2024 -0800 Merge tag 'trace-v6.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace Pull tracing fixes from Steven Rostedt: "Two minor tracing fixes: - Add "const" to "char *" in event structure field that gets assigned literals. - Check size of input passed into the tracing cpumask file. If a too large of an input gets passed into the cpumask file, it could trigger a warning in the bitmask parsing code" * tag 'trace-v6.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: tracing: Prevent bad count for tracing_cpumask_write tracing: Constify string literal data member in struct trace_event_call commit 6cc45f8c1f898570916044f606be9890d295e129 Author: Tomas Glozar Date: Wed Nov 27 14:41:30 2024 +0100 rtla/timerlat: Fix histogram ALL for zero samples rtla timerlat hist currently computers the minimum, maximum and average latency even in cases when there are zero samples. This leads to nonsensical values being calculated for maximum and minimum, and to divide by zero for average. A similar bug is fixed by 01b05fc0e5f3 ("rtla/timerlat: Fix histogram report when a cpu count is 0") but the bug still remains for printing the sum over all CPUs in timerlat_print_stats_all. The issue can be reproduced with this command: $ rtla timerlat hist -U -d 1s Index over: count: min: avg: max: Floating point exception (core dumped) (There are always no samples with -U unless the user workload is created.) Fix the bug by omitting max/min/avg when sample count is zero, displaying a dash instead, just like we already do for the individual CPUs. The logic is moved into a new function called format_summary_value, which is used for both the individual CPUs and for the overall summary. Cc: stable@vger.kernel.org Link: https://lore.kernel.org/20241127134130.51171-1-tglozar@redhat.com Fixes: 1462501c7a8 ("rtla/timerlat: Add a summary for hist mode") Signed-off-by: Tomas Glozar Signed-off-by: Steven Rostedt (Google) commit d6ef8b40d075c425f548002d2f35ae3f06e9cf96 Merge: 23db0ed34f9e37 8cbd01ba9c38eb Author: Linus Torvalds Date: Thu Dec 26 10:49:02 2024 -0800 Merge tag 'sound-6.13-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound Pull sound fixes from Takashi Iwai: "A collection of small fixes. Nothing really stands out, fortunately. - Follow-up fixes for the new compress offload API extension - A few ASoC SOF, AMD and Mediatek quirks and fixes - A regression fix in legacy SH driver cleanup - Fix DMA mapping error handling in the helper code - Fix kselftest dependency" * tag 'sound-6.13-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: ALSA: sh: Fix wrong argument order for copy_from_iter() selftests/alsa: Fix circular dependency involving global-timer ALSA: memalloc: prefer dma_mapping_error() over explicit address checking ALSA: compress_offload: improve file descriptors installation for dma-buf ALSA: compress_offload: use safe list iteration in snd_compr_task_seq() ALSA: compress_offload: avoid 64-bit get_user() ALSA: compress_offload: import DMA_BUF namespace ASoC: mediatek: disable buffer pre-allocation ASoC: rt722: add delay time to wait for the calibration procedure ASoC: SOF: Intel: hda-dai: Do not release the link DMA on STOP ASoC: dt-bindings: realtek,rt5645: Fix CPVDD voltage comment ASoC: Intel: sof_sdw: Fix DMI match for Lenovo 21QA and 21QB ASoC: Intel: sof_sdw: Fix DMI match for Lenovo 21Q6 and 21Q7 ASoC: amd: ps: Fix for enabling DMIC on acp63 platform via _DSD entry commit 23db0ed34f9e3756d243c5dc56d9f7c1fadecf89 Merge: 6fcb22ef50b479 ebc008699fd957 Author: Linus Torvalds Date: Thu Dec 26 10:43:25 2024 -0800 Merge tag 'dmaengine-fix-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/dmaengine Pull dmaengine fixes from Vinod Koul: "Bunch of minor driver fixes for drivers in this cycle: - Kernel doc warning documentation fixes - apple driver fix for register access - amd driver dropping private dma_ops - freescale cleanup path fix - refcount fix for mv_xor driver - null pointer deref fix for at_xdmac driver - GENMASK to GENMASK_ULL fix for loongson2 apb driver - Tegra driver fix for correcting dma status" * tag 'dmaengine-fix-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/dmaengine: dmaengine: tegra: Return correct DMA status when paused dmaengine: mv_xor: fix child node refcount handling in early exit dmaengine: fsl-edma: implement the cleanup path of fsl_edma3_attach_pd() dmaengine: amd: qdma: Remove using the private get and set dma_ops APIs dmaengine: apple-admac: Avoid accessing registers in probe linux/dmaengine.h: fix a few kernel-doc warnings dmaengine: loongson2-apb: Change GENMASK to GENMASK_ULL dmaengine: dw: Select only supported masters for ACPI devices dmaengine: at_xdmac: avoid null_prt_deref in at_xdmac_prep_dma_memset commit 6fcb22ef50b47959e17012be57dcad0fdca8d237 Merge: ab8beb204723d5 17194c2998d39a Author: Linus Torvalds Date: Thu Dec 26 10:39:57 2024 -0800 Merge tag 'phy-fixes-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/phy/linux-phy Pull phy fixes from Vinod Koul: "A few core API fixes for devm calls and bunch of driver fixes as usual: - devm_phy_xxx fixes for few APIs in the phy core - qmp driver register name config - init sequence fix for usb driver - rockchip driver setting drvdata correctly in samsung hdptx and reset fix for naneng combophy - regulator dependency fix for mediatek hdmi driver - overflow assertion fix for stm32 driver" * tag 'phy-fixes-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/phy/linux-phy: phy: mediatek: phy-mtk-hdmi: add regulator dependency phy: freescale: fsl-samsung-hdmi: Fix 64-by-32 division cocci warnings phy: core: Fix an OF node refcount leakage in of_phy_provider_lookup() phy: core: Fix an OF node refcount leakage in _of_phy_get() phy: core: Fix that API devm_phy_destroy() fails to destroy the phy phy: core: Fix that API devm_of_phy_provider_unregister() fails to unregister the phy provider phy: core: Fix that API devm_phy_put() fails to release the phy phy: rockchip: samsung-hdptx: Set drvdata before enabling runtime PM phy: stm32: work around constant-value overflow assertion phy: qcom-qmp: Fix register name in RX Lane config of SC8280XP phy: rockchip: naneng-combphy: fix phy reset phy: usb: Toggle the PHY power during init commit ab8beb204723d5eff978614160cc5efc78c31ffb Merge: 9b2ffa6148b1e4 dcd59d0d7d51b2 Author: Linus Torvalds Date: Thu Dec 26 10:35:13 2024 -0800 Merge tag 'chrome-platform-for-6.13-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/chrome-platform/linux Pull chrome platform fix from Tzung-Bi Shih: - Fix wrong product names for early Framework Laptops * tag 'chrome-platform-for-6.13-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/chrome-platform/linux: platform/chrome: cros_ec_lpc: fix product identity for early Framework Laptops commit e33ac68e5e21ec1292490dfe061e75c0dbdd3bd4 Author: Pavel Begunkov Date: Thu Dec 26 16:49:23 2024 +0000 io_uring/sqpoll: fix sqpoll error handling races BUG: KASAN: slab-use-after-free in __lock_acquire+0x370b/0x4a10 kernel/locking/lockdep.c:5089 Call Trace: ... _raw_spin_lock_irqsave+0x3d/0x60 kernel/locking/spinlock.c:162 class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline] try_to_wake_up+0xb5/0x23c0 kernel/sched/core.c:4205 io_sq_thread_park+0xac/0xe0 io_uring/sqpoll.c:55 io_sq_thread_finish+0x6b/0x310 io_uring/sqpoll.c:96 io_sq_offload_create+0x162/0x11d0 io_uring/sqpoll.c:497 io_uring_create io_uring/io_uring.c:3724 [inline] io_uring_setup+0x1728/0x3230 io_uring/io_uring.c:3806 ... Kun Hu reports that the SQPOLL creating error path has UAF, which happens if io_uring_alloc_task_context() fails and then io_sq_thread() manages to run and complete before the rest of error handling code, which means io_sq_thread_finish() is looking at already killed task. Note that this is mostly theoretical, requiring fault injection on the allocation side to trigger in practice. Cc: stable@vger.kernel.org Reported-by: Kun Hu Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/0f2f1aa5729332612bd01fe0f2f385fd1f06ce7c.1735231717.git.asml.silence@gmail.com Signed-off-by: Jens Axboe commit 75cd4005da5492129917a4a4ee45e81660556104 Author: Ming Lei Date: Wed Dec 25 19:06:40 2024 +0800 ublk: detach gendisk from ublk device if add_disk() fails Inside ublk_abort_requests(), gendisk is grabbed for aborting all inflight requests. And ublk_abort_requests() is called when exiting the uring context or handling timeout. If add_disk() fails, the gendisk may have been freed when calling ublk_abort_requests(), so use-after-free can be caused when getting disk's reference in ublk_abort_requests(). Fixes the bug by detaching gendisk from ublk device if add_disk() fails. Fixes: bd23f6c2c2d0 ("ublk: quiesce request queue when aborting queue") Signed-off-by: Ming Lei Link: https://lore.kernel.org/r/20241225110640.351531-1-ming.lei@redhat.com Signed-off-by: Jens Axboe commit 8a6442ec3437083348f32a6159b9a67bf66417bc Author: Jie Gan Date: Thu Dec 19 10:52:16 2024 +0800 arm64: dts: qcom: sa8775p: fix the secure device bootup issue The secure device(fused) cannot bootup with TPDM_DCC device. So disable it in DT. Fixes: 6596118ccdcd ("arm64: dts: qcom: Add coresight nodes for SA8775p") Signed-off-by: Jie Gan Reviewed-by: Konrad Dybcio Link: https://lore.kernel.org/r/20241219025216.3463527-1-quic_jiegan@quicinc.com Signed-off-by: Bjorn Andersson commit 49e1f0fd0d4cb03a16b8526c4e683e1958f71490 Author: Conor Dooley Date: Wed Dec 18 12:07:42 2024 +0000 i2c: microchip-core: fix "ghost" detections Running i2c-detect currently produces an output akin to: 0 1 2 3 4 5 6 7 8 9 a b c d e f 00: 08 -- 0a -- 0c -- 0e -- 10: 10 -- 12 -- 14 -- 16 -- UU 19 -- 1b -- 1d -- 1f 20: -- 21 -- 23 -- 25 -- 27 -- 29 -- 2b -- 2d -- 2f 30: -- -- -- -- -- -- -- -- 38 -- 3a -- 3c -- 3e -- 40: 40 -- 42 -- 44 -- 46 -- 48 -- 4a -- 4c -- 4e -- 50: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 60: 60 -- 62 -- 64 -- 66 -- 68 -- 6a -- 6c -- 6e -- 70: 70 -- 72 -- 74 -- 76 -- This happens because for an i2c_msg with a len of 0 the driver will mark the transmission of the message as a success once the START has been sent, without waiting for the devices on the bus to respond with an ACK/NAK. Since i2cdetect seems to run in a tight loop over all addresses the NAK is treated as part of the next test for the next address. Delete the fast path that marks a message as complete when idev->msg_len is zero after sending a START/RESTART since this isn't a valid scenario. CC: stable@vger.kernel.org Fixes: 64a6f1c4987e ("i2c: add support for microchip fpga i2c controllers") Signed-off-by: Conor Dooley Reviewed-by: Andi Shyti Link: https://lore.kernel.org/r/20241218-outbid-encounter-b2e78b1cc707@spud Signed-off-by: Andi Shyti commit 9a8f9320d67b27ddd7f1ee88d91820197a0e908f Author: Conor Dooley Date: Wed Dec 18 12:07:40 2024 +0000 i2c: microchip-core: actually use repeated sends At present, where repeated sends are intended to be used, the i2c-microchip-core driver sends a stop followed by a start. Lots of i2c devices must not malfunction in the face of this behaviour, because the driver has operated like this for years! Try to keep track of whether or not a repeated send is required, and suppress sending a stop in these cases. CC: stable@vger.kernel.org Fixes: 64a6f1c4987e ("i2c: add support for microchip fpga i2c controllers") Signed-off-by: Conor Dooley Reviewed-by: Andi Shyti Link: https://lore.kernel.org/r/20241218-football-composure-e56df2461461@spud Signed-off-by: Andi Shyti commit e0cec363197e41af870613e8e17b30bf0e3d41b5 Author: Carlos Song Date: Wed Dec 18 12:42:38 2024 +0800 i2c: imx: add imx7d compatible string for applying erratum ERR007805 Compatible string "fsl,imx7d-i2c" is not exited at i2c-imx driver compatible string table, at the result, "fsl,imx21-i2c" will be matched, but it will cause erratum ERR007805 not be applied in fact. So Add "fsl,imx7d-i2c" compatible string in i2c-imx driver to apply the erratum ERR007805(https://www.nxp.com/docs/en/errata/IMX7DS_3N09P.pdf). " ERR007805 I2C: When the I2C clock speed is configured for 400 kHz, the SCL low period violates the I2C spec of 1.3 uS min Description: When the I2C module is programmed to operate at the maximum clock speed of 400 kHz (as defined by the I2C spec), the SCL clock low period violates the I2C spec of 1.3 uS min. The user must reduce the clock speed to obtain the SCL low time to meet the 1.3us I2C minimum required. This behavior means the SoC is not compliant to the I2C spec at 400kHz. Workaround: To meet the clock low period requirement in fast speed mode, SCL must be configured to 384KHz or less. " "fsl,imx7d-i2c" already is documented in binding doc. This erratum fix has been included in imx6_i2c_hwdata and it is the same in all I.MX6/7/8, so just reuse it. Fixes: 39c025721d70 ("i2c: imx: Implement errata ERR007805 or e7805 bus frequency limit") Cc: stable@vger.kernel.org # v5.18+ Signed-off-by: Carlos Song Signed-off-by: Haibo Chen Reviewed-by: Frank Li Fixes: 39c025721d70 ("i2c: imx: Implement errata ERR007805 or e7805 bus frequency limit") Acked-by: Oleksij Rempel Link: https://lore.kernel.org/r/20241218044238.143414-1-carlos.song@nxp.com Signed-off-by: Andi Shyti commit 768776dd4efc681cdca33a79e29bb508d6de9bc0 Author: Stefan Eichenberger Date: Mon Dec 16 16:16:40 2024 +0100 i2c: imx: fix missing stop condition in single-master mode A regression was introduced with the implementation of single-master mode, preventing proper stop conditions from being generated. Devices that require a valid stop condition, such as EEPROMs, fail to function correctly as a result. The issue only affects devices with the single-master property enabled. This commit resolves the issue by re-enabling I2C bus busy bit (IBB) polling for single-master mode when generating a stop condition. The fix further ensures that the i2c_imx->stopped flag is cleared at the start of each transfer, allowing the stop condition to be correctly generated in i2c_imx_stop(). According to the reference manual (IMX8MMRM, Rev. 2, 09/2019, page 5270), polling the IBB bit to determine if the bus is free is only necessary in multi-master mode. Consequently, the IBB bit is not polled for the start condition in single-master mode. Fixes: 6692694aca86 ("i2c: imx: do not poll for bus busy in single master mode") Signed-off-by: Stefan Eichenberger Reviewed-by: Frank Li Reviewed-by: Francesco Dolcini Link: https://lore.kernel.org/r/20241216151829.74056-1-eichest@gmail.com Signed-off-by: Andi Shyti commit 924d66011f2401a4145e2e814842c5c4572e439f Author: Arnd Bergmann Date: Wed Dec 18 09:58:31 2024 +0100 drm/mediatek: stop selecting foreign drivers The PHY portion of the mediatek hdmi driver was originally part of the driver it self and later split out into drivers/phy, which a 'select' to keep the prior behavior. However, this leads to build failures when the PHY driver cannot be built: WARNING: unmet direct dependencies detected for PHY_MTK_HDMI Depends on [n]: (ARCH_MEDIATEK || COMPILE_TEST [=y]) && COMMON_CLK [=y] && OF [=y] && REGULATOR [=n] Selected by [m]: - DRM_MEDIATEK_HDMI [=m] && HAS_IOMEM [=y] && DRM [=m] && DRM_MEDIATEK [=m] ERROR: modpost: "devm_regulator_register" [drivers/phy/mediatek/phy-mtk-hdmi-drv.ko] undefined! ERROR: modpost: "rdev_get_drvdata" [drivers/phy/mediatek/phy-mtk-hdmi-drv.ko] undefined! The best option here is to just not select the phy driver and leave that up to the defconfig. Do the same for the other PHY and memory drivers selected here as well for consistency. Fixes: a481bf2f0ca4 ("drm/mediatek: Separate mtk_hdmi_phy to an independent module") Signed-off-by: Arnd Bergmann Reviewed-by: AngeloGioacchino Del Regno Reviewed-by: CK Hu Link: https://patchwork.kernel.org/project/dri-devel/patch/20241218085837.2670434-1-arnd@kernel.org/ Signed-off-by: Chun-Kuang Hu commit 5c9d7e79ba154e8e1f0bfdeb7b495f454c1a3eba Author: Jason-JH.Lin Date: Mon Nov 18 10:51:26 2024 +0800 drm/mediatek: Add support for 180-degree rotation in the display driver mediatek-drm driver reported the capability of 180-degree rotation by adding `DRM_MODE_ROTATE_180` to the plane property, as flip-x combined with flip-y equals a 180-degree rotation. However, we did not handle the rotation property in the driver and lead to rotation issues. Fixes: 74608d8feefd ("drm/mediatek: Add DRM_MODE_ROTATE_0 to rotation property") Signed-off-by: Jason-JH.Lin Reviewed-by: AngeloGioacchino Del Regno Reviewed-by: CK Hu Link: https://patchwork.kernel.org/project/dri-devel/patch/20241118025126.30808-1-jason-jh.lin@mediatek.com/ Signed-off-by: Chun-Kuang Hu commit f8d9b91739e1fb436447c437a346a36deb676a36 Author: Daniel Golle Date: Tue Dec 17 01:18:01 2024 +0000 drm/mediatek: Only touch DISP_REG_OVL_PITCH_MSB if AFBC is supported Touching DISP_REG_OVL_PITCH_MSB leads to video overlay on MT2701, MT7623N and probably other older SoCs being broken. Move setting up AFBC layer configuration into a separate function only being called on hardware which actually supports AFBC which restores the behavior as it was before commit c410fa9b07c3 ("drm/mediatek: Add AFBC support to Mediatek DRM driver") on non-AFBC hardware. Fixes: c410fa9b07c3 ("drm/mediatek: Add AFBC support to Mediatek DRM driver") Cc: stable@vger.kernel.org Signed-off-by: Daniel Golle Reviewed-by: CK Hu Link: https://patchwork.kernel.org/project/dri-devel/patch/c7fbd3c3e633c0b7dd6d1cd78ccbdded31e1ca0f.1734397800.git.daniel@makrotopia.org/ Signed-off-by: Chun-Kuang Hu commit da03801ad08f2488c01e684509cd89e1aa5d17ec Author: Jason-JH.Lin Date: Wed Dec 11 11:47:16 2024 +0800 drm/mediatek: Move mtk_crtc_finish_page_flip() to ddp_cmdq_cb() mtk_crtc_finish_page_flip() is used to notify userspace that a page flip has been completed, allowing userspace to free the frame buffer of the last frame and commit the next frame. In MediaTek's hardware design for configuring display hardware by using GCE, `DRM_EVENT_FLIP_COMPLETE` should be notified to userspace after GCE has finished configuring all display hardware settings for each atomic_commit(). Currently, mtk_crtc_finish_page_flip() cannot guarantee that GCE has configured all the display hardware settings of the last frame. Therefore, to increase the accuracy of the timing for notifying `DRM_EVENT_FLIP_COMPLETE` to userspace, mtk_crtc_finish_page_flip() should be moved to ddp_cmdq_cb(). Fixes: 7f82d9c43879 ("drm/mediatek: Clear pending flag when cmdq packet is done") Signed-off-by: Jason-JH.Lin Reviewed-by: CK Hu Link: https://patchwork.kernel.org/project/dri-devel/patch/20241211034716.29241-1-jason-jh.lin@mediatek.com/ Signed-off-by: Chun-Kuang Hu commit 36684e9d88a2e2401ae26715a2e217cb4295cea7 Author: Guoqing Jiang Date: Mon Dec 23 10:32:27 2024 +0800 drm/mediatek: Set private->all_drm_private[i]->drm to NULL if mtk_drm_bind returns err The pointer need to be set to NULL, otherwise KASAN complains about use-after-free. Because in mtk_drm_bind, all private's drm are set as follows. private->all_drm_private[i]->drm = drm; And drm will be released by drm_dev_put in case mtk_drm_kms_init returns failure. However, the shutdown path still accesses the previous allocated memory in drm_atomic_helper_shutdown. [ 84.874820] watchdog: watchdog0: watchdog did not stop! [ 86.512054] ================================================================== [ 86.513162] BUG: KASAN: use-after-free in drm_atomic_helper_shutdown+0x33c/0x378 [ 86.514258] Read of size 8 at addr ffff0000d46fc068 by task shutdown/1 [ 86.515213] [ 86.515455] CPU: 1 UID: 0 PID: 1 Comm: shutdown Not tainted 6.13.0-rc1-mtk+gfa1a78e5d24b-dirty #55 [ 86.516752] Hardware name: Unknown Product/Unknown Product, BIOS 2022.10 10/01/2022 [ 86.517960] Call trace: [ 86.518333] show_stack+0x20/0x38 (C) [ 86.518891] dump_stack_lvl+0x90/0xd0 [ 86.519443] print_report+0xf8/0x5b0 [ 86.519985] kasan_report+0xb4/0x100 [ 86.520526] __asan_report_load8_noabort+0x20/0x30 [ 86.521240] drm_atomic_helper_shutdown+0x33c/0x378 [ 86.521966] mtk_drm_shutdown+0x54/0x80 [ 86.522546] platform_shutdown+0x64/0x90 [ 86.523137] device_shutdown+0x260/0x5b8 [ 86.523728] kernel_restart+0x78/0xf0 [ 86.524282] __do_sys_reboot+0x258/0x2f0 [ 86.524871] __arm64_sys_reboot+0x90/0xd8 [ 86.525473] invoke_syscall+0x74/0x268 [ 86.526041] el0_svc_common.constprop.0+0xb0/0x240 [ 86.526751] do_el0_svc+0x4c/0x70 [ 86.527251] el0_svc+0x4c/0xc0 [ 86.527719] el0t_64_sync_handler+0x144/0x168 [ 86.528367] el0t_64_sync+0x198/0x1a0 [ 86.528920] [ 86.529157] The buggy address belongs to the physical page: [ 86.529972] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff0000d46fd4d0 pfn:0x1146fc [ 86.531319] flags: 0xbfffc0000000000(node=0|zone=2|lastcpupid=0xffff) [ 86.532267] raw: 0bfffc0000000000 0000000000000000 dead000000000122 0000000000000000 [ 86.533390] raw: ffff0000d46fd4d0 0000000000000000 00000000ffffffff 0000000000000000 [ 86.534511] page dumped because: kasan: bad access detected [ 86.535323] [ 86.535559] Memory state around the buggy address: [ 86.536265] ffff0000d46fbf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 86.537314] ffff0000d46fbf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 86.538363] >ffff0000d46fc000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 86.544733] ^ [ 86.551057] ffff0000d46fc080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 86.557510] ffff0000d46fc100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 86.563928] ================================================================== [ 86.571093] Disabling lock debugging due to kernel taint [ 86.577642] Unable to handle kernel paging request at virtual address e0e9c0920000000b [ 86.581834] KASAN: maybe wild-memory-access in range [0x0752049000000058-0x075204900000005f] ... Fixes: 1ef7ed48356c ("drm/mediatek: Modify mediatek-drm for mt8195 multi mmsys support") Signed-off-by: Guoqing Jiang Reviewed-by: AngeloGioacchino Del Regno Link: https://patchwork.kernel.org/project/dri-devel/patch/20241223023227.1258112-1-guoqing.jiang@canonical.com/ Signed-off-by: Chun-Kuang Hu commit dcd59d0d7d51b2a4b768fc132b0d74a97dfd6d6a Author: Dustin L. Howett Date: Tue Dec 24 12:55:58 2024 -0600 platform/chrome: cros_ec_lpc: fix product identity for early Framework Laptops The product names for the Framework Laptop (12th and 13th Generation Intel Core) are incorrect as of 62be134abf42. Fixes: 62be134abf42 ("platform/chrome: cros_ec_lpc: switch primary DMI data for Framework Laptop") Cc: stable@vger.kernel.org # 6.12.x Signed-off-by: Dustin L. Howett Reviewed-by: Thomas Weißschuh Link: https://lore.kernel.org/r/20241224-platform-chrome-cros_ec_lpc-fix-product-identity-for-early-framework-laptops-v1-1-0d31d6e1d22c@howett.net Signed-off-by: Tzung-Bi Shih commit ce2b93fc1dfa1c82f2576aa571731c4e5dcc8dd7 Author: Tejun Heo Date: Tue Dec 24 14:09:15 2024 -1000 sched_ext: Fix dsq_local_on selftest The dsp_local_on selftest expects the scheduler to fail by trying to schedule an e.g. CPU-affine task to the wrong CPU. However, this isn't guaranteed to happen in the 1 second window that the test is running. Besides, it's odd to have this particular exception path tested when there are no other tests that verify that the interface is working at all - e.g. the test would pass if dsp_local_on interface is completely broken and fails on any attempt. Flip the test so that it verifies that the feature works. While at it, fix a typo in the info message. Signed-off-by: Tejun Heo Reported-by: Ihor Solodrai Link: http://lkml.kernel.org/r/Z1n9v7Z6iNJ-wKmq@slm.duckdns.org Signed-off-by: Tejun Heo commit 542ed8145e6f9392e3d0a86a0e9027d2ffd183e4 Author: Pablo Neira Ayuso Date: Sat Dec 21 00:29:20 2024 +0100 netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext Access to genmask field in struct nft_set_ext results in unaligned atomic read: [ 72.130109] Unable to handle kernel paging request at virtual address ffff0000c2bb708c [ 72.131036] Mem abort info: [ 72.131213] ESR = 0x0000000096000021 [ 72.131446] EC = 0x25: DABT (current EL), IL = 32 bits [ 72.132209] SET = 0, FnV = 0 [ 72.133216] EA = 0, S1PTW = 0 [ 72.134080] FSC = 0x21: alignment fault [ 72.135593] Data abort info: [ 72.137194] ISV = 0, ISS = 0x00000021, ISS2 = 0x00000000 [ 72.142351] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 72.145989] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 72.150115] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000237d27000 [ 72.154893] [ffff0000c2bb708c] pgd=0000000000000000, p4d=180000023ffff403, pud=180000023f84b403, pmd=180000023f835403, +pte=0068000102bb7707 [ 72.163021] Internal error: Oops: 0000000096000021 [#1] SMP [...] [ 72.170041] CPU: 7 UID: 0 PID: 54 Comm: kworker/7:0 Tainted: G E 6.13.0-rc3+ #2 [ 72.170509] Tainted: [E]=UNSIGNED_MODULE [ 72.170720] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-stable202302-for-qemu 03/01/2023 [ 72.171192] Workqueue: events_power_efficient nft_rhash_gc [nf_tables] [ 72.171552] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 72.171915] pc : nft_rhash_gc+0x200/0x2d8 [nf_tables] [ 72.172166] lr : nft_rhash_gc+0x128/0x2d8 [nf_tables] [ 72.172546] sp : ffff800081f2bce0 [ 72.172724] x29: ffff800081f2bd40 x28: ffff0000c2bb708c x27: 0000000000000038 [ 72.173078] x26: ffff0000c6780ef0 x25: ffff0000c643df00 x24: ffff0000c6778f78 [ 72.173431] x23: 000000000000001a x22: ffff0000c4b1f000 x21: ffff0000c6780f78 [ 72.173782] x20: ffff0000c2bb70dc x19: ffff0000c2bb7080 x18: 0000000000000000 [ 72.174135] x17: ffff0000c0a4e1c0 x16: 0000000000003000 x15: 0000ac26d173b978 [ 72.174485] x14: ffffffffffffffff x13: 0000000000000030 x12: ffff0000c6780ef0 [ 72.174841] x11: 0000000000000000 x10: ffff800081f2bcf8 x9 : ffff0000c3000000 [ 72.175193] x8 : 00000000000004be x7 : 0000000000000000 x6 : 0000000000000000 [ 72.175544] x5 : 0000000000000040 x4 : ffff0000c3000010 x3 : 0000000000000000 [ 72.175871] x2 : 0000000000003a98 x1 : ffff0000c2bb708c x0 : 0000000000000004 [ 72.176207] Call trace: [ 72.176316] nft_rhash_gc+0x200/0x2d8 [nf_tables] (P) [ 72.176653] process_one_work+0x178/0x3d0 [ 72.176831] worker_thread+0x200/0x3f0 [ 72.176995] kthread+0xe8/0xf8 [ 72.177130] ret_from_fork+0x10/0x20 [ 72.177289] Code: 54fff984 d503201f d2800080 91003261 (f820303f) [ 72.177557] ---[ end trace 0000000000000000 ]--- Align struct nft_set_ext to word size to address this and documentation it. pahole reports that this increases the size of elements for rhash and pipapo in 8 bytes on x86_64. Fixes: 7ffc7481153b ("netfilter: nft_set_hash: skip duplicated elements pending gc run") Signed-off-by: Pablo Neira Ayuso commit 35bf430e08a18fdab6eb94492a06d9ad14c6179b Author: Henry Huang Date: Sun Dec 22 23:43:16 2024 +0800 sched_ext: initialize kit->cursor.flags struct bpf_iter_scx_dsq *it maybe not initialized. If we didn't call scx_bpf_dsq_move_set_vtime and scx_bpf_dsq_move_set_slice before scx_bpf_dsq_move, it would cause unexpected behaviors: 1. Assign a huge slice into p->scx.slice 2. Assign a invalid vtime into p->scx.dsq_vtime Signed-off-by: Henry Huang Fixes: 6462dd53a260 ("sched_ext: Compact struct bpf_iter_scx_dsq_kern") Cc: stable@vger.kernel.org # v6.12 Signed-off-by: Tejun Heo commit d57212f281fda9056412cd6cca983d9d2eb89f53 Author: Su Hui Date: Tue Dec 24 12:43:58 2024 +0800 workqueue: add printf attribute to __alloc_workqueue() Fix a compiler warning with W=1: kernel/workqueue.c: error: function ‘__alloc_workqueue’ might be a candidate for ‘gnu_printf’ format attribute[-Werror=suggest-attribute=format] 5657 | name_len = vsnprintf(wq->name, sizeof(wq->name), fmt, args); | ^~~~~~~~ Fixes: 9b59a85a84dc ("workqueue: Don't call va_start / va_end twice") Signed-off-by: Su Hui Signed-off-by: Tejun Heo commit 9b2ffa6148b1e4468d08f7e0e7e371c43cac9ffe Merge: ef49c460ab89d3 140054a25f8503 Author: Linus Torvalds Date: Tue Dec 24 09:08:45 2024 -0800 Merge tag 'mtd/fixes-for-6.13-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux Pull mtd fixes from Miquel Raynal: "Four minor fixes for NAND controller drivers (cleanup path, double actions, and W=1 warning) as well as a cast to avoid overflows in an mtd device driver" * tag 'mtd/fixes-for-6.13-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux: mtd: rawnand: omap2: Fix build warnings with W=1 mtd: rawnand: arasan: Fix missing de-registration of NAND mtd: rawnand: arasan: Fix double assertion of chip-select mtd: diskonchip: Cast an operand to prevent potential overflow mtd: rawnand: fix double free in atmel_pmecc_create_user() commit 17194c2998d39ab366a2ecbc4d1f3281e00d6a05 Author: Arnd Bergmann Date: Fri Dec 13 09:30:51 2024 +0100 phy: mediatek: phy-mtk-hdmi: add regulator dependency The driver no longer builds when regulator support is unavailable: arm-linux-gnueabi-ld: drivers/phy/mediatek/phy-mtk-hdmi.o: in function `mtk_hdmi_phy_register_regulators': phy-mtk-hdmi.c:(.text.unlikely+0x3e): undefined reference to `devm_regulator_register' arm-linux-gnueabi-ld: drivers/phy/mediatek/phy-mtk-hdmi-mt8195.o: in function `mtk_hdmi_phy_pwr5v_is_enabled': phy-mtk-hdmi-mt8195.c:(.text+0x326): undefined reference to `rdev_get_drvdata' arm-linux-gnueabi-ld: drivers/phy/mediatek/phy-mtk-hdmi-mt8195.o: in function `mtk_hdmi_phy_pwr5v_disable': phy-mtk-hdmi-mt8195.c:(.text+0x346): undefined reference to `rdev_get_drvdata' arm-linux-gnueabi-ld: drivers/phy/mediatek/phy-mtk-hdmi-mt8195.o: in function `mtk_hdmi_phy_pwr5v_enable': Fixes: 49393b2da1cd ("phy: mediatek: phy-mtk-hdmi: Register PHY provided regulator") Signed-off-by: Arnd Bergmann Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20241213083056.2596499-1-arnd@kernel.org Signed-off-by: Vinod Koul commit 739214dd1c209e34323814fb815fb17cccb9f95b Author: Adam Ford Date: Sun Dec 15 16:05:55 2024 -0600 phy: freescale: fsl-samsung-hdmi: Fix 64-by-32 division cocci warnings The Kernel test robot returns the following warning: do_div() does a 64-by-32 division, please consider using div64_ul instead. To prevent the 64-by-32 divsion, consolidate both the multiplication and the do_div into one line which explicitly uses u64 sizes. Fixes: 1951dbb41d1d ("phy: freescale: fsl-samsung-hdmi: Support dynamic integer") Signed-off-by: Adam Ford Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202412091243.fSObwwPi-lkp@intel.com/ Link: https://lore.kernel.org/r/20241215220555.99113-1-aford173@gmail.com Signed-off-by: Vinod Koul commit a2d633cb1421e679b56f1a9fe1f42f089706f1ed Author: Zijun Hu Date: Fri Dec 13 20:36:45 2024 +0800 phy: core: Fix an OF node refcount leakage in of_phy_provider_lookup() For macro for_each_child_of_node(parent, child), refcount of @child has been increased before entering its loop body, so normally needs to call of_node_put(@child) before returning from the loop body to avoid refcount leakage. of_phy_provider_lookup() has such usage but does not call of_node_put() before returning, so cause leakage of the OF node refcount. Fix by simply calling of_node_put() before returning from the loop body. The APIs affected by this issue are shown below since they indirectly invoke problematic of_phy_provider_lookup(). phy_get() of_phy_get() devm_phy_get() devm_of_phy_get() devm_of_phy_get_by_index() Fixes: 2a4c37016ca9 ("phy: core: Fix of_phy_provider_lookup to return PHY provider for sub node") Cc: stable@vger.kernel.org Reviewed-by: Johan Hovold Signed-off-by: Zijun Hu Link: https://lore.kernel.org/r/20241213-phy_core_fix-v6-5-40ae28f5015a@quicinc.com Signed-off-by: Vinod Koul commit 5ebdc6be16c2000e37fcb8b4072d442d268ad492 Author: Zijun Hu Date: Fri Dec 13 20:36:44 2024 +0800 phy: core: Fix an OF node refcount leakage in _of_phy_get() _of_phy_get() will directly return when suffers of_device_is_compatible() error, but it forgets to decrease refcount of OF node @args.np before error return, the refcount was increased by previous of_parse_phandle_with_args() so causes the OF node's refcount leakage. Fix by decreasing the refcount via of_node_put() before the error return. Fixes: b7563e2796f8 ("phy: work around 'phys' references to usb-nop-xceiv devices") Cc: stable@vger.kernel.org Reviewed-by: Johan Hovold Signed-off-by: Zijun Hu Link: https://lore.kernel.org/r/20241213-phy_core_fix-v6-4-40ae28f5015a@quicinc.com Signed-off-by: Vinod Koul commit 4dc48c88fcf82b89fdebd83a906aaa64f40fb8a9 Author: Zijun Hu Date: Fri Dec 13 20:36:43 2024 +0800 phy: core: Fix that API devm_phy_destroy() fails to destroy the phy For devm_phy_destroy(), its comment says it needs to invoke phy_destroy() to destroy the phy, but it will not actually invoke the function since devres_destroy() does not call devm_phy_consume(), and the missing phy_destroy() call will cause that the phy fails to be destroyed. Fortunately, the faulty API has not been used by current kernel tree. Fix by using devres_release() instead of devres_destroy() within the API. Fixes: ff764963479a ("drivers: phy: add generic PHY framework") Reviewed-by: Johan Hovold Signed-off-by: Zijun Hu Link: https://lore.kernel.org/r/20241213-phy_core_fix-v6-3-40ae28f5015a@quicinc.com Signed-off-by: Vinod Koul commit c0b82ab95b4f1fbc3e3aeab9d829d012669524b6 Author: Zijun Hu Date: Fri Dec 13 20:36:42 2024 +0800 phy: core: Fix that API devm_of_phy_provider_unregister() fails to unregister the phy provider For devm_of_phy_provider_unregister(), its comment says it needs to invoke of_phy_provider_unregister() to unregister the phy provider, but it will not actually invoke the function since devres_destroy() does not call devm_phy_provider_release(), and the missing of_phy_provider_unregister() call will cause: - The phy provider fails to be unregistered. - Leak both memory and the OF node refcount. Fortunately, the faulty API has not been used by current kernel tree. Fix by using devres_release() instead of devres_destroy() within the API. Fixes: ff764963479a ("drivers: phy: add generic PHY framework") Reviewed-by: Johan Hovold Signed-off-by: Zijun Hu Link: https://lore.kernel.org/stable/20241213-phy_core_fix-v6-2-40ae28f5015a%40quicinc.com Link: https://lore.kernel.org/r/20241213-phy_core_fix-v6-2-40ae28f5015a@quicinc.com Signed-off-by: Vinod Koul commit fe4bfa9b6d7bd752bfe4700c937f235aa8ce997b Author: Zijun Hu Date: Fri Dec 13 20:36:41 2024 +0800 phy: core: Fix that API devm_phy_put() fails to release the phy For devm_phy_put(), its comment says it needs to invoke phy_put() to release the phy, but it will not actually invoke the function since devres_destroy() does not call devm_phy_release(), and the missing phy_put() call will cause: - The phy fails to be released. - devm_phy_put() can not fully undo what API devm_phy_get() does. - Leak refcount of both the module and device for below typical usage: devm_phy_get(); // or its variant ... err = do_something(); if (err) goto err_out; ... err_out: devm_phy_put(); // leak refcount here The file(s) affected by this issue are shown below since they have such typical usage. drivers/pci/controller/cadence/pcie-cadence.c drivers/net/ethernet/ti/am65-cpsw-nuss.c Fix by using devres_release() instead of devres_destroy() within the API. Fixes: ff764963479a ("drivers: phy: add generic PHY framework") Cc: stable@vger.kernel.org Cc: Lorenzo Pieralisi Cc: Krzysztof Wilczyński Cc: Bjorn Helgaas Cc: David S. Miller Cc: Eric Dumazet Cc: Jakub Kicinski Cc: Paolo Abeni Reviewed-by: Johan Hovold Signed-off-by: Zijun Hu Link: https://lore.kernel.org/r/20241213-phy_core_fix-v6-1-40ae28f5015a@quicinc.com Signed-off-by: Vinod Koul commit ebc008699fd95701c9af5ebaeb0793eef81a71d5 Author: Akhil R Date: Thu Dec 12 18:14:12 2024 +0530 dmaengine: tegra: Return correct DMA status when paused Currently, the driver does not return the correct DMA status when a DMA pause is issued by the client drivers. This causes GPCDMA users to assume that DMA is still running, while in reality, the DMA is paused. Return DMA_PAUSED for tx_status() if the channel is paused in the middle of a transfer. Fixes: ee17028009d4 ("dmaengine: tegra: Add tegra gpcdma driver") Cc: stable@vger.kernel.org Signed-off-by: Akhil R Signed-off-by: Kartik Rajput Link: https://lore.kernel.org/r/20241212124412.5650-1-kkartik@nvidia.com Signed-off-by: Vinod Koul commit 362f1bf98a3ecb5a2a4fcbdaa9718c8403beceb2 Author: Javier Carrasco Date: Fri Oct 11 22:57:59 2024 +0200 dmaengine: mv_xor: fix child node refcount handling in early exit The for_each_child_of_node() loop requires explicit calls to of_node_put() to decrement the child's refcount upon early exits (break, goto, return). Add the missing calls in the two early exits before the goto instructions. Cc: stable@vger.kernel.org Fixes: f7d12ef53ddf ("dma: mv_xor: add Device Tree binding") Signed-off-by: Javier Carrasco Link: https://lore.kernel.org/r/20241011-dma_mv_xor_of_node_put-v1-1-3c2de819f463@gmail.com Signed-off-by: Vinod Koul commit 20e7c5313ffbf11c34a46395345677adbe890bee Author: Rodrigo Vivi Date: Thu Dec 19 16:00:19 2024 -0500 drm/i915/dg1: Fix power gate sequence. sub-pipe PG is not present on DG1. Setting these bits can disable other power gates and cause GPU hangs on video playbacks. VLK: 16314, 4304 Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/13381 Fixes: 85a12d7eb8fe ("drm/i915/tgl: Fix Media power gate sequence.") Cc: Vinay Belgaumkar Cc: Himal Prasad Ghimiray Reviewed-by: Vinay Belgaumkar Reviewed-by: Himal Prasad Ghimiray Link: https://patchwork.freedesktop.org/patch/msgid/20241219210019.70532-1-rodrigo.vivi@intel.com Signed-off-by: Rodrigo Vivi (cherry picked from commit de7061947b4ed4be857d452c60d5fb795831d79e) Signed-off-by: Tvrtko Ursulin commit 385a95cc72941c7f88630a7bc4176048cc03b395 Author: Suraj Kandpal Date: Mon Dec 16 23:45:54 2024 +0530 drm/i915/cx0_phy: Fix C10 pll programming sequence According to spec VDR_CUSTOM_WIDTH register gets programmed after pll specific VDR registers and TX Lane programming registers are done. Moreover we only program into C10_VDR_CONTROL1 to update config and setup master lane once all VDR registers are written into. Bspec: 67636 Fixes: 51390cc0e00a ("drm/i915/mtl: Add Support for C10 PHY message bus and pll programming") Signed-off-by: Suraj Kandpal Reviewed-by: Ankit Nautiyal Link: https://patchwork.freedesktop.org/patch/msgid/20241216181554.2861381-1-suraj.kandpal@intel.com (cherry picked from commit f9d418552ba1e3a0e92487ff82eb515dab7516c0) Signed-off-by: Tvrtko Ursulin commit 2ac5415022d16d63d912a39a06f32f1f51140261 Author: Zhu Yanjun Date: Fri Dec 20 23:23:25 2024 +0100 RDMA/rxe: Remove the direct link to net_device The similar patch in siw is in the link: https://git.kernel.org/rdma/rdma/c/16b87037b48889 This problem also occurred in RXE. The following analyze this problem. In the following Call Traces: " BUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0 net/core/dev.c:8782 Read of size 4 at addr ffff8880554640b0 by task kworker/1:4/5295 CPU: 1 UID: 0 PID: 5295 Comm: kworker/1:4 Not tainted 6.12.0-rc3-syzkaller-00399-g9197b73fd7bb #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: infiniband ib_cache_event_task Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 dev_get_flags+0x188/0x1d0 net/core/dev.c:8782 rxe_query_port+0x12d/0x260 drivers/infiniband/sw/rxe/rxe_verbs.c:60 __ib_query_port drivers/infiniband/core/device.c:2111 [inline] ib_query_port+0x168/0x7d0 drivers/infiniband/core/device.c:2143 ib_cache_update+0x1a9/0xb80 drivers/infiniband/core/cache.c:1494 ib_cache_event_task+0xf3/0x1e0 drivers/infiniband/core/cache.c:1568 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f2/0x390 kernel/kthread.c:389 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 " 1). In the link [1], " infiniband syz2: set down " This means that on 839.350575, the event ib_cache_event_task was sent andi queued in ib_wq. 2). In the link [1], " team0 (unregistering): Port device team_slave_0 removed " It indicates that before 843.251853, the net device should be freed. 3). In the link [1], " BUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0 " This means that on 850.559070, this slab-use-after-free problem occurred. In all, on 839.350575, the event ib_cache_event_task was sent and queued in ib_wq, before 843.251853, the net device veth was freed. on 850.559070, this event was executed, and the mentioned freed net device was called. Thus, the above call trace occurred. [1] https://syzkaller.appspot.com/x/log.txt?x=12e7025f980000 Reported-by: syzbot+4b87489410b4efd181bf@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=4b87489410b4efd181bf Fixes: 8700e3e7c485 ("Soft RoCE driver") Signed-off-by: Zhu Yanjun Link: https://patch.msgid.link/20241220222325.2487767-1-yanjun.zhu@linux.dev Signed-off-by: Leon Romanovsky commit ccfa3131d4a0347988e73638edea5c8281b6d2c7 Author: Joe Hattori Date: Sat Dec 21 16:57:12 2024 +0900 dmaengine: fsl-edma: implement the cleanup path of fsl_edma3_attach_pd() Current implementation of fsl_edma3_attach_pd() does not provide a cleanup path, resulting in a memory leak. For example, dev_pm_domain_detach() is not called after dev_pm_domain_attach_by_id(), and the device link created with the DL_FLAG_STATELESS is not released explicitly. Therefore, provide a cleanup function fsl_edma3_detach_pd() and call it upon failure. Also add a devm_add_action_or_reset() call with this function after a successful fsl_edma3_attach_pd(). Fixes: 72f5801a4e2b ("dmaengine: fsl-edma: integrate v3 support") Signed-off-by: Joe Hattori Link: https://lore.kernel.org/r/20241221075712.3297200-1-joe@pf.is.s.u-tokyo.ac.jp Signed-off-by: Vinod Koul commit 98feccbf32cfdde8c722bc4587aaa60ee5ac33f0 Author: Lizhi Xu Date: Mon Dec 16 15:32:38 2024 +0800 tracing: Prevent bad count for tracing_cpumask_write If a large count is provided, it will trigger a warning in bitmap_parse_user. Also check zero for it. Cc: stable@vger.kernel.org Fixes: 9e01c1b74c953 ("cpumask: convert kernel trace functions") Link: https://lore.kernel.org/20241216073238.2573704-1-lizhi.xu@windriver.com Reported-by: syzbot+0aecfd34fb878546f3fd@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=0aecfd34fb878546f3fd Tested-by: syzbot+0aecfd34fb878546f3fd@syzkaller.appspotmail.com Signed-off-by: Lizhi Xu Signed-off-by: Steven Rostedt (Google) commit 452f4b31e3f70a52b97890888eeb9eaa9a87139a Author: Christian Göttsche Date: Mon Nov 25 11:50:25 2024 +0100 tracing: Constify string literal data member in struct trace_event_call The name member of the struct trace_event_call is assigned with generated string literals; declare them pointer to read-only. Reported by clang: security/landlock/syscalls.c:179:1: warning: initializing 'char *' with an expression of type 'const char[34]' discards qualifiers [-Wincompatible-pointer-types-discards-qualifiers] 179 | SYSCALL_DEFINE3(landlock_create_ruleset, | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 180 | const struct landlock_ruleset_attr __user *const, attr, | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 181 | const size_t, size, const __u32, flags) | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ./include/linux/syscalls.h:226:36: note: expanded from macro 'SYSCALL_DEFINE3' 226 | #define SYSCALL_DEFINE3(name, ...) SYSCALL_DEFINEx(3, _##name, __VA_ARGS__) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ./include/linux/syscalls.h:234:2: note: expanded from macro 'SYSCALL_DEFINEx' 234 | SYSCALL_METADATA(sname, x, __VA_ARGS__) \ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ./include/linux/syscalls.h:184:2: note: expanded from macro 'SYSCALL_METADATA' 184 | SYSCALL_TRACE_ENTER_EVENT(sname); \ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ./include/linux/syscalls.h:151:30: note: expanded from macro 'SYSCALL_TRACE_ENTER_EVENT' 151 | .name = "sys_enter"#sname, \ | ^~~~~~~~~~~~~~~~~ Cc: stable@vger.kernel.org Cc: Masami Hiramatsu Cc: Mathieu Desnoyers Cc: Mickaël Salaün Cc: Günther Noack Cc: Nathan Chancellor Cc: Nick Desaulniers Cc: Bill Wendling Cc: Justin Stitt Link: https://lore.kernel.org/20241125105028.42807-1-cgoettsche@seltendoof.de Fixes: b77e38aa240c3 ("tracing: add event trace infrastructure") Signed-off-by: Christian Göttsche Signed-off-by: Steven Rostedt (Google) commit ef49c460ab89d3d0ccc01c0ac3b55a47927ec6d5 Merge: f07044dd0df0c9 0b7a66a2c86485 Author: Linus Torvalds Date: Mon Dec 23 13:06:48 2024 -0800 Merge tag 'modules-6.13-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/modules/linux Pull modules fix from Petr Pavlu: "A single fix is present to correct the module vermagic for PREEMPT_RT" * tag 'modules-6.13-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/modules/linux: preempt: Move PREEMPT_RT before PREEMPT in vermagic. commit fca432e73db2bec0fdbfbf6d98d3ebcd5388a977 Author: Qu Wenruo Date: Wed Dec 18 17:00:56 2024 +1030 btrfs: sysfs: fix direct super block member reads The following sysfs entries are reading super block member directly, which can have a different endian and cause wrong values: - sys/fs/btrfs//nodesize - sys/fs/btrfs//sectorsize - sys/fs/btrfs//clone_alignment Thankfully those values (nodesize and sectorsize) are always aligned inside the btrfs_super_block, so it won't trigger unaligned read errors, just endian problems. Fix them by using the native cached members instead. Fixes: df93589a1737 ("btrfs: export more from FS_INFO to sysfs") CC: stable@vger.kernel.org Reviewed-by: Naohiro Aota Reviewed-by: Johannes Thumshirn Signed-off-by: Qu Wenruo Reviewed-by: David Sterba Signed-off-by: David Sterba commit f2363e6fcc7938c5f0f6ac066fad0dd247598b51 Author: Julian Sun Date: Wed Dec 11 19:13:15 2024 +0800 btrfs: fix transaction atomicity bug when enabling simple quotas Set squota incompat bit before committing the transaction that enables the feature. With the config CONFIG_BTRFS_ASSERT enabled, an assertion failure occurs regarding the simple quota feature. [5.596534] assertion failed: btrfs_fs_incompat(fs_info, SIMPLE_QUOTA), in fs/btrfs/qgroup.c:365 [5.597098] ------------[ cut here ]------------ [5.597371] kernel BUG at fs/btrfs/qgroup.c:365! [5.597946] CPU: 1 UID: 0 PID: 268 Comm: mount Not tainted 6.13.0-rc2-00031-gf92f4749861b #146 [5.598450] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 [5.599008] RIP: 0010:btrfs_read_qgroup_config+0x74d/0x7a0 [5.604303] [5.605230] ? btrfs_read_qgroup_config+0x74d/0x7a0 [5.605538] ? exc_invalid_op+0x56/0x70 [5.605775] ? btrfs_read_qgroup_config+0x74d/0x7a0 [5.606066] ? asm_exc_invalid_op+0x1f/0x30 [5.606441] ? btrfs_read_qgroup_config+0x74d/0x7a0 [5.606741] ? btrfs_read_qgroup_config+0x74d/0x7a0 [5.607038] ? try_to_wake_up+0x317/0x760 [5.607286] open_ctree+0xd9c/0x1710 [5.607509] btrfs_get_tree+0x58a/0x7e0 [5.608002] vfs_get_tree+0x2e/0x100 [5.608224] fc_mount+0x16/0x60 [5.608420] btrfs_get_tree+0x2f8/0x7e0 [5.608897] vfs_get_tree+0x2e/0x100 [5.609121] path_mount+0x4c8/0xbc0 [5.609538] __x64_sys_mount+0x10d/0x150 The issue can be easily reproduced using the following reproducer: root@q:linux# cat repro.sh set -e mkfs.btrfs -q -f /dev/sdb mount /dev/sdb /mnt/btrfs btrfs quota enable -s /mnt/btrfs umount /mnt/btrfs mount /dev/sdb /mnt/btrfs The issue is that when enabling quotas, at btrfs_quota_enable(), we set BTRFS_QGROUP_STATUS_FLAG_SIMPLE_MODE at fs_info->qgroup_flags and persist it in the quota root in the item with the key BTRFS_QGROUP_STATUS_KEY, but we only set the incompat bit BTRFS_FEATURE_INCOMPAT_SIMPLE_QUOTA after we commit the transaction used to enable simple quotas. This means that if after that transaction commit we unmount the filesystem without starting and committing any other transaction, or we have a power failure, the next time we mount the filesystem we will find the flag BTRFS_QGROUP_STATUS_FLAG_SIMPLE_MODE set in the item with the key BTRFS_QGROUP_STATUS_KEY but we will not find the incompat bit BTRFS_FEATURE_INCOMPAT_SIMPLE_QUOTA set in the superblock, triggering an assertion failure at: btrfs_read_qgroup_config() -> qgroup_read_enable_gen() To fix this issue, set the BTRFS_FEATURE_INCOMPAT_SIMPLE_QUOTA flag immediately after setting the BTRFS_QGROUP_STATUS_FLAG_SIMPLE_MODE. This ensures that both flags are flushed to disk within the same transaction. Fixes: 182940f4f4db ("btrfs: qgroup: add new quota mode for simple quotas") CC: stable@vger.kernel.org # 6.6+ Reviewed-by: Filipe Manana Signed-off-by: Julian Sun Signed-off-by: Filipe Manana Signed-off-by: David Sterba commit 2c8507c63f5498d4ee4af404a8e44ceae4345056 Author: Filipe Manana Date: Mon Dec 9 16:43:44 2024 +0000 btrfs: avoid monopolizing a core when activating a swap file During swap activation we iterate over the extents of a file and we can have many thousands of them, so we can end up in a busy loop monopolizing a core. Avoid this by doing a voluntary reschedule after processing each extent. CC: stable@vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo Signed-off-by: Filipe Manana Signed-off-by: David Sterba commit 9a45022a0efadd99bcc58f7f1cc2b6fb3b808c40 Author: Filipe Manana Date: Mon Dec 9 16:31:41 2024 +0000 btrfs: allow swap activation to be interruptible During swap activation we iterate over the extents of a file, then do several checks for each extent, some of which may take some significant time such as checking if an extent is shared. Since a file can have many thousands of extents, this can be a very slow operation and it's currently not interruptible. I had a bug during development of a previous patch that resulted in an infinite loop when iterating the extents, so a core was busy looping and I couldn't cancel the operation, which is very annoying and requires a reboot. So make the loop interruptible by checking for fatal signals at the end of each iteration and stopping immediately if there is one. CC: stable@vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo Signed-off-by: Filipe Manana Signed-off-by: David Sterba commit 03018e5d8508254534511d40fb57bc150e6a87f2 Author: Filipe Manana Date: Mon Dec 9 12:54:14 2024 +0000 btrfs: fix swap file activation failure due to extents that used to be shared When activating a swap file, to determine if an extent is shared we use can_nocow_extent(), which ends up at btrfs_cross_ref_exist(). That helper is meant to be quick because it's used in the NOCOW write path, when flushing delalloc and when doing a direct IO write, however it does return some false positives, meaning it may indicate that an extent is shared even if it's no longer the case. For the write path this is fine, we just do a unnecessary COW operation instead of doing a more rigorous check which would be too heavy (calling btrfs_is_data_extent_shared()). However when activating a swap file, the false positives simply result in a failure, which is confusing for users/applications. One particular case where this happens is when a data extent only has 1 reference but that reference is not inlined in the extent item located in the extent tree - this happens when we create more than 33 references for an extent and then delete those 33 references plus every other non-inline reference except one. The function check_committed_ref() assumes that if the size of an extent item doesn't match the size of struct btrfs_extent_item plus the size of an inline reference (plus an owner reference in case simple quotas are enabled), then the extent is shared - that is not the case however, we can have a single reference but it's not inlined - the reason we do this is to be fast and avoid inspecting non-inline references which may be located in another leaf of the extent tree, slowing down write paths. The following test script reproduces the bug: $ cat test.sh #!/bin/bash DEV=/dev/sdi MNT=/mnt/sdi NUM_CLONES=50 umount $DEV &> /dev/null run_test() { local sync_after_add_reflinks=$1 local sync_after_remove_reflinks=$2 mkfs.btrfs -f $DEV > /dev/null #mkfs.xfs -f $DEV > /dev/null mount $DEV $MNT touch $MNT/foo chmod 0600 $MNT/foo # On btrfs the file must be NOCOW. chattr +C $MNT/foo &> /dev/null xfs_io -s -c "pwrite -b 1M 0 1M" $MNT/foo mkswap $MNT/foo for ((i = 1; i <= $NUM_CLONES; i++)); do touch $MNT/foo_clone_$i chmod 0600 $MNT/foo_clone_$i # On btrfs the file must be NOCOW. chattr +C $MNT/foo_clone_$i &> /dev/null cp --reflink=always $MNT/foo $MNT/foo_clone_$i done if [ $sync_after_add_reflinks -ne 0 ]; then # Flush delayed refs and commit current transaction. sync -f $MNT fi # Remove the original file and all clones except the last. rm -f $MNT/foo for ((i = 1; i < $NUM_CLONES; i++)); do rm -f $MNT/foo_clone_$i done if [ $sync_after_remove_reflinks -ne 0 ]; then # Flush delayed refs and commit current transaction. sync -f $MNT fi # Now use the last clone as a swap file. It should work since # its extent are not shared anymore. swapon $MNT/foo_clone_${NUM_CLONES} swapoff $MNT/foo_clone_${NUM_CLONES} umount $MNT } echo -e "\nTest without sync after creating and removing clones" run_test 0 0 echo -e "\nTest with sync after creating clones" run_test 1 0 echo -e "\nTest with sync after removing clones" run_test 0 1 echo -e "\nTest with sync after creating and removing clones" run_test 1 1 Running the test: $ ./test.sh Test without sync after creating and removing clones wrote 1048576/1048576 bytes at offset 0 1 MiB, 1 ops; 0.0017 sec (556.793 MiB/sec and 556.7929 ops/sec) Setting up swapspace version 1, size = 1020 KiB (1044480 bytes) no label, UUID=a6b9c29e-5ef4-4689-a8ac-bc199c750f02 swapon: /mnt/sdi/foo_clone_50: swapon failed: Invalid argument swapoff: /mnt/sdi/foo_clone_50: swapoff failed: Invalid argument Test with sync after creating clones wrote 1048576/1048576 bytes at offset 0 1 MiB, 1 ops; 0.0036 sec (271.739 MiB/sec and 271.7391 ops/sec) Setting up swapspace version 1, size = 1020 KiB (1044480 bytes) no label, UUID=5e9008d6-1f7a-4948-a1b4-3f30aba20a33 swapon: /mnt/sdi/foo_clone_50: swapon failed: Invalid argument swapoff: /mnt/sdi/foo_clone_50: swapoff failed: Invalid argument Test with sync after removing clones wrote 1048576/1048576 bytes at offset 0 1 MiB, 1 ops; 0.0103 sec (96.665 MiB/sec and 96.6651 ops/sec) Setting up swapspace version 1, size = 1020 KiB (1044480 bytes) no label, UUID=916c2740-fa9f-4385-9f06-29c3f89e4764 Test with sync after creating and removing clones wrote 1048576/1048576 bytes at offset 0 1 MiB, 1 ops; 0.0031 sec (314.268 MiB/sec and 314.2678 ops/sec) Setting up swapspace version 1, size = 1020 KiB (1044480 bytes) no label, UUID=06aab1dd-4d90-49c0-bd9f-3a8db4e2f912 swapon: /mnt/sdi/foo_clone_50: swapon failed: Invalid argument swapoff: /mnt/sdi/foo_clone_50: swapoff failed: Invalid argument Fix this by reworking btrfs_swap_activate() to instead of using extent maps and checking for shared extents with can_nocow_extent(), iterate over the inode's file extent items and use the accurate btrfs_is_data_extent_shared(). CC: stable@vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo Signed-off-by: Filipe Manana Signed-off-by: David Sterba commit 0525064bb82e50d59543b62b9d41a606198a4a44 Author: Filipe Manana Date: Fri Nov 29 12:25:30 2024 +0000 btrfs: fix race with memory mapped writes when activating swap file When activating the swap file we flush all delalloc and wait for ordered extent completion, so that we don't miss any delalloc and extents before we check that the file's extent layout is usable for a swap file and activate the swap file. We are called with the inode's VFS lock acquired, so we won't race with buffered and direct IO writes, however we can still race with memory mapped writes since they don't acquire the inode's VFS lock. The race window is between flushing all delalloc and locking the whole file's extent range, since memory mapped writes lock an extent range with the length of a page. Fix this by acquiring the inode's mmap lock before we flush delalloc. CC: stable@vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo Signed-off-by: Filipe Manana Signed-off-by: David Sterba commit 0fba7be1ca6df2881e68386e5575fe096f33c4ca Author: Boris Burkov Date: Fri Dec 13 12:33:22 2024 -0800 btrfs: check folio mapping after unlock in put_file_data() When we call btrfs_read_folio() we get an unlocked folio, so it is possible for a different thread to concurrently modify folio->mapping. We must check that this hasn't happened once we do have the lock. CC: stable@vger.kernel.org # 6.12+ Reviewed-by: Qu Wenruo Signed-off-by: Boris Burkov Signed-off-by: David Sterba commit 3e74859ee35edc33a022c3f3971df066ea0ca6b9 Author: Boris Burkov Date: Fri Dec 13 12:22:32 2024 -0800 btrfs: check folio mapping after unlock in relocate_one_folio() When we call btrfs_read_folio() to bring a folio uptodate, we unlock the folio. The result of that is that a different thread can modify the mapping (like remove it with invalidate) before we call folio_lock(). This results in an invalid page and we need to try again. In particular, if we are relocating concurrently with aborting a transaction, this can result in a crash like the following: BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: 0000 [#1] SMP CPU: 76 PID: 1411631 Comm: kworker/u322:5 Workqueue: events_unbound btrfs_reclaim_bgs_work RIP: 0010:set_page_extent_mapped+0x20/0xb0 RSP: 0018:ffffc900516a7be8 EFLAGS: 00010246 RAX: ffffea009e851d08 RBX: ffffea009e0b1880 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffc900516a7b90 RDI: ffffea009e0b1880 RBP: 0000000003573000 R08: 0000000000000001 R09: ffff88c07fd2f3f0 R10: 0000000000000000 R11: 0000194754b575be R12: 0000000003572000 R13: 0000000003572fff R14: 0000000000100cca R15: 0000000005582fff FS: 0000000000000000(0000) GS:ffff88c07fd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000407d00f002 CR4: 00000000007706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: ? __die+0x78/0xc0 ? page_fault_oops+0x2a8/0x3a0 ? __switch_to+0x133/0x530 ? wq_worker_running+0xa/0x40 ? exc_page_fault+0x63/0x130 ? asm_exc_page_fault+0x22/0x30 ? set_page_extent_mapped+0x20/0xb0 relocate_file_extent_cluster+0x1a7/0x940 relocate_data_extent+0xaf/0x120 relocate_block_group+0x20f/0x480 btrfs_relocate_block_group+0x152/0x320 btrfs_relocate_chunk+0x3d/0x120 btrfs_reclaim_bgs_work+0x2ae/0x4e0 process_scheduled_works+0x184/0x370 worker_thread+0xc6/0x3e0 ? blk_add_timer+0xb0/0xb0 kthread+0xae/0xe0 ? flush_tlb_kernel_range+0x90/0x90 ret_from_fork+0x2f/0x40 ? flush_tlb_kernel_range+0x90/0x90 ret_from_fork_asm+0x11/0x20 This occurs because cleanup_one_transaction() calls destroy_delalloc_inodes() which calls invalidate_inode_pages2() which takes the folio_lock before setting mapping to NULL. We fail to check this, and subsequently call set_extent_mapping(), which assumes that mapping != NULL (in fact it asserts that in debug mode) Note that the "fixes" patch here is not the one that introduced the race (the very first iteration of this code from 2009) but a more recent change that made this particular crash happen in practice. Fixes: e7f1326cc24e ("btrfs: set page extent mapped after read_folio in relocate_one_page") CC: stable@vger.kernel.org # 6.1+ Reviewed-by: Qu Wenruo Signed-off-by: Boris Burkov Signed-off-by: David Sterba commit 44f52bbe96dfdbe4aca3818a2534520082a07040 Author: Filipe Manana Date: Wed Dec 11 16:08:07 2024 +0000 btrfs: fix use-after-free when COWing tree bock and tracing is enabled When a COWing a tree block, at btrfs_cow_block(), and we have the tracepoint trace_btrfs_cow_block() enabled and preemption is also enabled (CONFIG_PREEMPT=y), we can trigger a use-after-free in the COWed extent buffer while inside the tracepoint code. This is because in some paths that call btrfs_cow_block(), such as btrfs_search_slot(), we are holding the last reference on the extent buffer @buf so btrfs_force_cow_block() drops the last reference on the @buf extent buffer when it calls free_extent_buffer_stale(buf), which schedules the release of the extent buffer with RCU. This means that if we are on a kernel with preemption, the current task may be preempted before calling trace_btrfs_cow_block() and the extent buffer already released by the time trace_btrfs_cow_block() is called, resulting in a use-after-free. Fix this by moving the trace_btrfs_cow_block() from btrfs_cow_block() to btrfs_force_cow_block() before the COWed extent buffer is freed. This also has a side effect of invoking the tracepoint in the tree defrag code, at defrag.c:btrfs_realloc_node(), since btrfs_force_cow_block() is called there, but this is fine and it was actually missing there. Reported-by: syzbot+8517da8635307182c8a5@syzkaller.appspotmail.com Link: https://lore.kernel.org/linux-btrfs/6759a9b9.050a0220.1ac542.000d.GAE@google.com/ CC: stable@vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo Signed-off-by: Filipe Manana Signed-off-by: David Sterba commit d29662695ed7c015521e5fc9387df25aab192a2e Author: Johannes Thumshirn Date: Wed Nov 13 18:16:49 2024 +0100 btrfs: fix use-after-free waiting for encoded read endios Fix a use-after-free in the I/O completion path for encoded reads by using a completion instead of a wait_queue for synchronizing the destruction of 'struct btrfs_encoded_read_private'. Fixes: 1881fba89bd5 ("btrfs: add BTRFS_IOC_ENCODED_READ ioctl") CC: stable@vger.kernel.org # 6.1+ Reviewed-by: Filipe Manana Reviewed-by: Qu Wenruo Signed-off-by: Johannes Thumshirn Reviewed-by: David Sterba Signed-off-by: David Sterba commit f07044dd0df0c9d0ad177c3098b62ccddb735a2d Merge: 4bbf9020becbfd 7917f01a286ce0 Author: Linus Torvalds Date: Mon Dec 23 12:16:15 2024 -0800 Merge tag 'nfsd-6.13-1' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux Pull nfsd fixes from Chuck Lever:: - Revert one v6.13 fix at the author's request (to be done differently) - Fix a minor problem with recent NFSv4.2 COPY enhancements - Fix an NFSv4.0 callback bug introduced in the v6.13 merge window * tag 'nfsd-6.13-1' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux: nfsd: restore callback functionality for NFSv4.0 NFSD: fix management of pending async copies nfsd: Revert "nfsd: release svc_expkey/svc_export with rcu_work" commit b3a69c559899b00ca106767c873680b0adf5882c Merge: 75221e96101fa9 2a4f56fbcc473d Author: Jakub Kicinski Date: Mon Dec 23 10:54:06 2024 -0800 Merge branch 'mlx5-misc-fixes-2024-12-20' Tariq Toukan says: ==================== mlx5 misc fixes 2024-12-20 This small patchset provides misc bug fixes from the team to the mlx5 core and Eth drivers. ==================== Link: https://patch.msgid.link/20241220081505.1286093-1-tariqt@nvidia.com Signed-off-by: Jakub Kicinski commit 2a4f56fbcc473d8faeb29b73082df39efbe5893c Author: Jianbo Liu Date: Fri Dec 20 10:15:05 2024 +0200 net/mlx5e: Keep netdev when leave switchdev for devlink set legacy only In the cited commit, when changing from switchdev to legacy mode, uplink representor's netdev is kept, and its profile is replaced with nic profile, so netdev is detached from old profile, then attach to new profile. During profile change, the hardware resources allocated by the old profile will be cleaned up. However, the cleanup is relying on the related kernel modules. And they may need to flush themselves first, which is triggered by netdev events, for example, NETDEV_UNREGISTER. However, netdev is kept, or netdev_register is called after the cleanup, which may cause troubles because the resources are still referred by kernel modules. The same process applies to all the caes when uplink is leaving switchdev mode, including devlink eswitch mode set legacy, driver unload and devlink reload. For the first one, it can be blocked and returns failure to users, whenever possible. But it's hard for the others. Besides, the attachment to nic profile is unnecessary as the netdev will be unregistered anyway for such cases. So in this patch, the original behavior is kept only for devlink eswitch set mode legacy. For the others, moves netdev unregistration before the profile change. Fixes: 7a9fb35e8c3a ("net/mlx5e: Do not reload ethernet ports when changing eswitch mode") Signed-off-by: Jianbo Liu Signed-off-by: Tariq Toukan Link: https://patch.msgid.link/20241220081505.1286093-5-tariqt@nvidia.com Signed-off-by: Jakub Kicinski commit 5a03b368562a7ff5f5f1f63b5adf8309cbdbd5be Author: Jianbo Liu Date: Fri Dec 20 10:15:04 2024 +0200 net/mlx5e: Skip restore TC rules for vport rep without loaded flag During driver unload, unregister_netdev is called after unloading vport rep. So, the mlx5e_rep_priv is already freed while trying to get rpriv->netdev, or walk rpriv->tc_ht, which results in use-after-free. So add the checking to make sure access the data of vport rep which is still loaded. Fixes: d1569537a837 ("net/mlx5e: Modify and restore TC rules for IPSec TX rules") Signed-off-by: Jianbo Liu Reviewed-by: Saeed Mahameed Signed-off-by: Tariq Toukan Link: https://patch.msgid.link/20241220081505.1286093-4-tariqt@nvidia.com Signed-off-by: Jakub Kicinski commit 8c6254479b3d5bd788d2b5fefaa48fb194331ed0 Author: Dragos Tatulea Date: Fri Dec 20 10:15:03 2024 +0200 net/mlx5e: macsec: Maintain TX SA from encoding_sa In MACsec, it is possible to create multiple active TX SAs on a SC, but only one such SA can be used at a time for transmission. This SA is selected through the encoding_sa link parameter. When there are 2 or more active TX SAs configured (encoding_sa=0): ip macsec add macsec0 tx sa 0 pn 1 on key 00 ip macsec add macsec0 tx sa 1 pn 1 on key 00 ... the traffic should be still sent via TX SA 0 as the encoding_sa was not changed. However, the driver ignores the encoding_sa and overrides it to SA 1 by installing the flow steering id of the newly created TX SA into the SCI -> flow steering id hash map. The future packet tx descriptors will point to the incorrect flow steering rule (SA 1). This patch fixes the issue by avoiding the creation of the flow steering rule for an active TX SA that is not the encoding_sa. The driver side tx_sa object and the FW side macsec object are still created. When the encoding_sa link parameter is changed to another active TX SA, only the new flow steering rule will be created in the mlx5e_macsec_upd_txsa() handler. Fixes: 8ff0ac5be144 ("net/mlx5: Add MACsec offload Tx command support") Signed-off-by: Dragos Tatulea Reviewed-by: Cosmin Ratiu Reviewed-by: Lior Nahmanson Signed-off-by: Tariq Toukan Link: https://patch.msgid.link/20241220081505.1286093-3-tariqt@nvidia.com Signed-off-by: Jakub Kicinski commit 050a4c011b0dfeb91664a5d7bd3647ff38db08ce Author: Shahar Shitrit Date: Fri Dec 20 10:15:02 2024 +0200 net/mlx5: DR, select MSIX vector 0 for completion queue creation When creating a software steering completion queue (CQ), an arbitrary MSIX vector n is selected. This results in the CQ sharing the same Ethernet traffic channel n associated with the chosen vector. However, the value of n is often unpredictable, which can introduce complications for interrupt monitoring and verification tools. Moreover, SW steering uses polling rather than event-driven interrupts. Therefore, there is no need to select any MSIX vector other than the existing vector 0 for CQ creation. In light of these factors, and to enhance predictability, we modify the code to consistently select MSIX vector 0 for CQ creation. Fixes: 297cccebdc5a ("net/mlx5: DR, Expose an internal API to issue RDMA operations") Signed-off-by: Shahar Shitrit Reviewed-by: Yevgeny Kliteynik Signed-off-by: Tariq Toukan Link: https://patch.msgid.link/20241220081505.1286093-2-tariqt@nvidia.com Signed-off-by: Jakub Kicinski commit 75221e96101fa93390d3db5c23e026f5e3565d9b Author: Kory Maincent Date: Fri Dec 20 18:04:00 2024 +0100 net: pse-pd: tps23881: Fix power on/off issue An issue was present in the initial driver implementation. The driver read the power status of all channels before toggling the bit of the desired one. Using the power status register as a base value introduced a problem, because only the bit corresponding to the concerned channel ID should be set in the write-only power enable register. This led to cases where disabling power for one channel also powered off other channels. This patch removes the power status read and ensures the value is limited to the bit matching the channel index of the PI. Fixes: 20e6d190ffe1 ("net: pse-pd: Add TI TPS23881 PSE controller driver") Signed-off-by: Kory Maincent Acked-by: Oleksij Rempel Link: https://patch.msgid.link/20241220170400.291705-1-kory.maincent@bootlin.com Signed-off-by: Jakub Kicinski commit 4a4d38ace1fb0586bffd2aab03caaa05d6011748 Author: Siddharth Vadapalli Date: Fri Dec 20 13:26:14 2024 +0530 net: ethernet: ti: am65-cpsw: default to round-robin for host port receive The Host Port (i.e. CPU facing port) of CPSW receives traffic from Linux via TX DMA Channels which are Hardware Queues consisting of traffic categorized according to their priority. The Host Port is configured to dequeue traffic from these Hardware Queues on the basis of priority i.e. as long as traffic exists on a Hardware Queue of a higher priority, the traffic on Hardware Queues of lower priority isn't dequeued. An alternate operation is also supported wherein traffic can be dequeued by the Host Port in a Round-Robin manner. Until commit under Fixes, the am65-cpsw driver enabled a single TX DMA Channel, due to which, unless modified by user via "ethtool", all traffic from Linux is transmitted on DMA Channel 0. Therefore, configuring the Host Port for priority based dequeuing or Round-Robin operation is identical since there is a single DMA Channel. Since commit under Fixes, all 8 TX DMA Channels are enabled by default. Additionally, the default "tc mapping" doesn't take into account the possibility of different traffic profiles which various users might have. This results in traffic starvation at the Host Port due to the priority based dequeuing which has been enabled by default since the inception of the driver. The traffic starvation triggers NETDEV WATCHDOG timeout for all TX DMA Channels that haven't been serviced due to the presence of traffic on the higher priority TX DMA Channels. Fix this by defaulting to Round-Robin dequeuing at the Host Port, which shall ensure that traffic is dequeued from all TX DMA Channels irrespective of the traffic profile. This will address the NETDEV WATCHDOG timeouts. At the same time, users can still switch from Round-Robin to Priority based dequeuing at the Host Port with the help of the "p0-rx-ptype-rrobin" private flag of "ethtool". Users are expected to setup an appropriate "tc mapping" that suits their traffic profile when switching to priority based dequeuing at the Host Port. Fixes: be397ea3473d ("net: ethernet: am65-cpsw: Set default TX channels to maximum") Cc: Signed-off-by: Siddharth Vadapalli Link: https://patch.msgid.link/20241220075618.228202-1-s-vadapalli@ti.com Signed-off-by: Jakub Kicinski commit 4e86729d1ff329815a6e8a920cb554a1d4cb5b8d Author: Nikolay Kuratov Date: Thu Dec 19 19:21:14 2024 +0300 net/sctp: Prevent autoclose integer overflow in sctp_association_init() While by default max_autoclose equals to INT_MAX / HZ, one may set net.sctp.max_autoclose to UINT_MAX. There is code in sctp_association_init() that can consequently trigger overflow. Cc: stable@vger.kernel.org Fixes: 9f70f46bd4c7 ("sctp: properly latch and use autoclose value from sock to association") Signed-off-by: Nikolay Kuratov Acked-by: Xin Long Link: https://patch.msgid.link/20241219162114.2863827-1-kniv@yandex-team.ru Signed-off-by: Jakub Kicinski commit a4fd163aed2edd967a244499754dec991d8b4c7d Author: Ilya Shchipletsov Date: Thu Dec 19 08:23:07 2024 +0000 netrom: check buffer length before accessing it Syzkaller reports an uninit value read from ax25cmp when sending raw message through ieee802154 implementation. ===================================================== BUG: KMSAN: uninit-value in ax25cmp+0x3a5/0x460 net/ax25/ax25_addr.c:119 ax25cmp+0x3a5/0x460 net/ax25/ax25_addr.c:119 nr_dev_get+0x20e/0x450 net/netrom/nr_route.c:601 nr_route_frame+0x1a2/0xfc0 net/netrom/nr_route.c:774 nr_xmit+0x5a/0x1c0 net/netrom/nr_dev.c:144 __netdev_start_xmit include/linux/netdevice.h:4940 [inline] netdev_start_xmit include/linux/netdevice.h:4954 [inline] xmit_one net/core/dev.c:3548 [inline] dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564 __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349 dev_queue_xmit include/linux/netdevice.h:3134 [inline] raw_sendmsg+0x654/0xc10 net/ieee802154/socket.c:299 ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 __sys_sendmsg net/socket.c:2667 [inline] __do_sys_sendmsg net/socket.c:2676 [inline] __se_sys_sendmsg net/socket.c:2674 [inline] __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 slab_alloc_node mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 __alloc_skb+0x318/0x740 net/core/skbuff.c:651 alloc_skb include/linux/skbuff.h:1286 [inline] alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334 sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2780 sock_alloc_send_skb include/net/sock.h:1884 [inline] raw_sendmsg+0x36d/0xc10 net/ieee802154/socket.c:282 ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 __sys_sendmsg net/socket.c:2667 [inline] __do_sys_sendmsg net/socket.c:2676 [inline] __se_sys_sendmsg net/socket.c:2674 [inline] __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b CPU: 0 PID: 5037 Comm: syz-executor166 Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 ===================================================== This issue occurs because the skb buffer is too small, and it's actual allocation is aligned. This hides an actual issue, which is that nr_route_frame does not validate the buffer size before using it. Fix this issue by checking skb->len before accessing any fields in skb->data. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Co-developed-by: Nikita Marushkin Signed-off-by: Nikita Marushkin Signed-off-by: Ilya Shchipletsov Link: https://patch.msgid.link/20241219082308.3942-1-rabbelkin@mail.ru Signed-off-by: Jakub Kicinski commit b5a7b661a073727219fedc35f5619f62418ffe72 Author: Xiao Liang Date: Thu Dec 19 21:03:36 2024 +0800 net: Fix netns for ip_tunnel_init_flow() The device denoted by tunnel->parms.link resides in the underlay net namespace. Therefore pass tunnel->net to ip_tunnel_init_flow(). Fixes: db53cd3d88dc ("net: Handle l3mdev in ip_tunnel_init_flow") Signed-off-by: Xiao Liang Reviewed-by: Ido Schimmel Link: https://patch.msgid.link/20241219130336.103839-1-shaw.leon@gmail.com Signed-off-by: Jakub Kicinski commit 4f4aa4aa28142d53f8b06585c478476cfe325cfc Author: Wang Liang Date: Thu Dec 19 15:28:59 2024 +0800 net: fix memory leak in tcp_conn_request() If inet_csk_reqsk_queue_hash_add() return false, tcp_conn_request() will return without free the dst memory, which allocated in af_ops->route_req. Here is the kmemleak stack: unreferenced object 0xffff8881198631c0 (size 240): comm "softirq", pid 0, jiffies 4299266571 (age 1802.392s) hex dump (first 32 bytes): 00 10 9b 03 81 88 ff ff 80 98 da bc ff ff ff ff ................ 81 55 18 bb ff ff ff ff 00 00 00 00 00 00 00 00 .U.............. backtrace: [] kmem_cache_alloc+0x60c/0xa80 [] dst_alloc+0x55/0x250 [] rt_dst_alloc+0x46/0x1d0 [] __mkroute_output+0x29a/0xa50 [] ip_route_output_key_hash+0x10b/0x240 [] ip_route_output_flow+0x1d/0x90 [] inet_csk_route_req+0x2c5/0x500 [] tcp_conn_request+0x691/0x12c0 [] tcp_rcv_state_process+0x3c8/0x11b0 [] tcp_v4_do_rcv+0x156/0x3b0 [] tcp_v4_rcv+0x1cf8/0x1d80 [] ip_protocol_deliver_rcu+0xf6/0x360 [] ip_local_deliver_finish+0xe6/0x1e0 [] ip_local_deliver+0xee/0x360 [] ip_rcv+0xad/0x2f0 [] __netif_receive_skb_one_core+0x123/0x140 Call dst_release() to free the dst memory when inet_csk_reqsk_queue_hash_add() return false in tcp_conn_request(). Fixes: ff46e3b44219 ("Fix race for duplicate reqsk on identical SYN") Signed-off-by: Wang Liang Link: https://patch.msgid.link/20241219072859.3783576-1-wangliang74@huawei.com Signed-off-by: Jakub Kicinski commit 0cfc36ea51684b5932cd3951ded523777d807af2 Author: Ben Wolsieffer Date: Mon Dec 16 09:53:23 2024 -0500 serial: stm32: use port lock wrappers for break control Commit 30e945861f3b ("serial: stm32: add support for break control") added another usage of the port lock, but was merged on the same day as c5d06662551c ("serial: stm32: Use port lock wrappers"), therefore the latter did not update this usage to use the port lock wrappers. Fixes: c5d06662551c ("serial: stm32: Use port lock wrappers") Cc: stable Signed-off-by: Ben Wolsieffer Reviewed-by: John Ogness Link: https://lore.kernel.org/r/20241216145323.111612-1-ben.wolsieffer@hefring.com Signed-off-by: Greg Kroah-Hartman commit fbd22c4fa737f9559be8b87a73bb1cdfcd39fd11 Author: Xiaolei Wang Date: Wed Dec 11 07:36:13 2024 +0800 serial: imx: Use uart_port_lock_irq() instead of uart_port_lock() When executing 'echo mem > /sys/power/state', the following deadlock occurs. Since there is output during the serial port entering the suspend process, the suspend will be interrupted, resulting in the nesting of locks. Therefore, use uart_port_lock_irq() instead of uart_port_unlock(). WARNING: inconsistent lock state 6.12.0-rc2-00002-g3c199ed5bd64-dirty #23 Not tainted -------------------------------- inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage. sh/494 [HC0[0]:SC0[0]:HE1:SE1] takes: c4db5850 (&port_lock_key){?.-.}-{3:3}, at: imx_uart_enable_wakeup+0x14/0x254 {IN-HARDIRQ-W} state was registered at: lock_acquire+0x104/0x348 _raw_spin_lock+0x48/0x84 imx_uart_int+0x14/0x4dc __handle_irq_event_percpu+0xac/0x2fc handle_irq_event_percpu+0xc/0x40 handle_irq_event+0x38/0x8c handle_fasteoi_irq+0xb4/0x1b8 handle_irq_desc+0x1c/0x2c gic_handle_irq+0x6c/0xa0 generic_handle_arch_irq+0x2c/0x64 call_with_stack+0x18/0x20 __irq_svc+0x9c/0xbc _raw_spin_unlock_irqrestore+0x2c/0x48 uart_write+0xd8/0x3a0 do_output_char+0x1a8/0x1e4 n_tty_write+0x224/0x440 file_tty_write.constprop.0+0x124/0x250 do_iter_readv_writev+0x100/0x1e0 vfs_writev+0xc4/0x448 do_writev+0x68/0xf8 ret_fast_syscall+0x0/0x1c irq event stamp: 31593 hardirqs last enabled at (31593): [] _raw_spin_unlock_irqrestore+0x44/0x48 hardirqs last disabled at (31592): [] clk_enable_lock+0x60/0x120 softirqs last enabled at (30334): [] handle_softirqs+0x2cc/0x478 softirqs last disabled at (30325): [] __irq_exit_rcu+0x120/0x15c other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&port_lock_key); lock(&port_lock_key); Fixes: 3c199ed5bd64 ("serial: imx: Grab port lock in imx_uart_enable_wakeup()") Signed-off-by: Xiaolei Wang Reviewed-by: Lucas Stach Reviewed-by: Fabio Estevam Link: https://lore.kernel.org/r/20241210233613.2881264-1-xiaolei.wang@windriver.com Signed-off-by: Greg Kroah-Hartman commit ed2761958ad77e54791802b07095786150eab844 Author: Ilpo Järvinen Date: Tue Dec 10 19:01:20 2024 +0200 tty: serial: 8250: Fix another runtime PM usage counter underflow The commit f9b11229b79c ("serial: 8250: Fix PM usage_count for console handover") fixed one runtime PM usage counter balance problem that occurs because .dev is not set during univ8250 setup preventing call to pm_runtime_get_sync(). Later, univ8250_console_exit() will trigger the runtime PM usage counter underflow as .dev is already set at that time. Call pm_runtime_get_sync() to balance the RPM usage counter also in serial8250_register_8250_port() before trying to add the port. Reported-by: Borislav Petkov (AMD) Fixes: bedb404e91bb ("serial: 8250_port: Don't use power management for kernel console") Cc: stable Tested-by: Borislav Petkov (AMD) Signed-off-by: Ilpo Järvinen Link: https://lore.kernel.org/r/20241210170120.2231-1-ilpo.jarvinen@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit dfc51e48bca475bbee984e90f33fdc537ce09699 Author: Akash M Date: Thu Dec 19 18:22:19 2024 +0530 usb: gadget: f_fs: Remove WARN_ON in functionfs_bind This commit addresses an issue related to below kernel panic where panic_on_warn is enabled. It is caused by the unnecessary use of WARN_ON in functionsfs_bind, which easily leads to the following scenarios. 1.adb_write in adbd 2. UDC write via configfs ================= ===================== ->usb_ffs_open_thread() ->UDC write ->open_functionfs() ->configfs_write_iter() ->adb_open() ->gadget_dev_desc_UDC_store() ->adb_write() ->usb_gadget_register_driver_owner ->driver_register() ->StartMonitor() ->bus_add_driver() ->adb_read() ->gadget_bind_driver() ->configfs_composite_bind() ->usb_add_function() ->open_functionfs() ->ffs_func_bind() ->adb_open() ->functionfs_bind() state !=FFS_ACTIVE> The adb_open, adb_read, and adb_write operations are invoked from the daemon, but trying to bind the function is a process that is invoked by UDC write through configfs, which opens up the possibility of a race condition between the two paths. In this race scenario, the kernel panic occurs due to the WARN_ON from functionfs_bind when panic_on_warn is enabled. This commit fixes the kernel panic by removing the unnecessary WARN_ON. Kernel panic - not syncing: kernel: panic_on_warn set ... [ 14.542395] Call trace: [ 14.542464] ffs_func_bind+0x1c8/0x14a8 [ 14.542468] usb_add_function+0xcc/0x1f0 [ 14.542473] configfs_composite_bind+0x468/0x588 [ 14.542478] gadget_bind_driver+0x108/0x27c [ 14.542483] really_probe+0x190/0x374 [ 14.542488] __driver_probe_device+0xa0/0x12c [ 14.542492] driver_probe_device+0x3c/0x220 [ 14.542498] __driver_attach+0x11c/0x1fc [ 14.542502] bus_for_each_dev+0x104/0x160 [ 14.542506] driver_attach+0x24/0x34 [ 14.542510] bus_add_driver+0x154/0x270 [ 14.542514] driver_register+0x68/0x104 [ 14.542518] usb_gadget_register_driver_owner+0x48/0xf4 [ 14.542523] gadget_dev_desc_UDC_store+0xf8/0x144 [ 14.542526] configfs_write_iter+0xf0/0x138 Fixes: ddf8abd25994 ("USB: f_fs: the FunctionFS driver") Cc: stable Signed-off-by: Akash M Link: https://lore.kernel.org/r/20241219125221.1679-1-akash.m5@samsung.com Signed-off-by: Greg Kroah-Hartman commit 59bfeaf5454b7e764288d84802577f4a99bf0819 Author: Kai-Heng Feng Date: Fri Dec 6 15:48:17 2024 +0800 USB: core: Disable LPM only for non-suspended ports There's USB error when tegra board is shutting down: [ 180.919315] usb 2-3: Failed to set U1 timeout to 0x0,error code -113 [ 180.919995] usb 2-3: Failed to set U1 timeout to 0xa,error code -113 [ 180.920512] usb 2-3: Failed to set U2 timeout to 0x4,error code -113 [ 186.157172] tegra-xusb 3610000.usb: xHCI host controller not responding, assume dead [ 186.157858] tegra-xusb 3610000.usb: HC died; cleaning up [ 186.317280] tegra-xusb 3610000.usb: Timeout while waiting for evaluate context command The issue is caused by disabling LPM on already suspended ports. For USB2 LPM, the LPM is already disabled during port suspend. For USB3 LPM, port won't transit to U1/U2 when it's already suspended in U3, hence disabling LPM is only needed for ports that are not suspended. Cc: Wayne Chang Cc: stable Fixes: d920a2ed8620 ("usb: Disable USB3 LPM at shutdown") Signed-off-by: Kai-Heng Feng Acked-by: Alan Stern Tested-by: Jon Hunter Link: https://lore.kernel.org/r/20241206074817.89189-1-kaihengf@nvidia.com Signed-off-by: Greg Kroah-Hartman commit 0df11fa8cee5a9cf8753d4e2672bb3667138c652 Author: Ma Ke Date: Wed Dec 18 15:13:46 2024 +0800 usb: fix reference leak in usb_new_device() When device_add(&udev->dev) succeeds and a later call fails, usb_new_device() does not properly call device_del(). As comment of device_add() says, 'if device_add() succeeds, you should call device_del() when you want to get rid of it. If device_add() has not succeeded, use only put_device() to drop the reference count'. Found by code review. Cc: stable Fixes: 9f8b17e643fe ("USB: make usbdevices export their device nodes instead of using a separate class") Signed-off-by: Ma Ke Reviewed-by: Alan Stern Link: https://lore.kernel.org/r/20241218071346.2973980-1-make_ruc2021@163.com Signed-off-by: Greg Kroah-Hartman commit 862a9c0f68487fd6ced15622d9cdcec48f8b5aaa Author: Xu Yang Date: Wed Dec 18 17:53:28 2024 +0800 usb: typec: tcpci: fix NULL pointer issue on shared irq case The tcpci_irq() may meet below NULL pointer dereference issue: [ 2.641851] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010 [ 2.641951] status 0x1, 0x37f [ 2.650659] Mem abort info: [ 2.656490] ESR = 0x0000000096000004 [ 2.660230] EC = 0x25: DABT (current EL), IL = 32 bits [ 2.665532] SET = 0, FnV = 0 [ 2.668579] EA = 0, S1PTW = 0 [ 2.671715] FSC = 0x04: level 0 translation fault [ 2.676584] Data abort info: [ 2.679459] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 2.684936] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 2.689980] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 2.695284] [0000000000000010] user address but active_mm is swapper [ 2.701632] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [ 2.707883] Modules linked in: [ 2.710936] CPU: 1 UID: 0 PID: 87 Comm: irq/111-2-0051 Not tainted 6.12.0-rc6-06316-g7f63786ad3d1-dirty #4 [ 2.720570] Hardware name: NXP i.MX93 11X11 EVK board (DT) [ 2.726040] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 2.732989] pc : tcpci_irq+0x38/0x318 [ 2.736647] lr : _tcpci_irq+0x14/0x20 [ 2.740295] sp : ffff80008324bd30 [ 2.743597] x29: ffff80008324bd70 x28: ffff800080107894 x27: ffff800082198f70 [ 2.750721] x26: ffff0000050e6680 x25: ffff000004d172ac x24: ffff0000050f0000 [ 2.757845] x23: ffff000004d17200 x22: 0000000000000001 x21: ffff0000050f0000 [ 2.764969] x20: ffff000004d17200 x19: 0000000000000000 x18: 0000000000000001 [ 2.772093] x17: 0000000000000000 x16: ffff80008183d8a0 x15: ffff00007fbab040 [ 2.779217] x14: ffff00007fb918c0 x13: 0000000000000000 x12: 000000000000017a [ 2.786341] x11: 0000000000000001 x10: 0000000000000a90 x9 : ffff80008324bd00 [ 2.793465] x8 : ffff0000050f0af0 x7 : ffff00007fbaa840 x6 : 0000000000000031 [ 2.800589] x5 : 000000000000017a x4 : 0000000000000002 x3 : 0000000000000002 [ 2.807713] x2 : ffff80008324bd3a x1 : 0000000000000010 x0 : 0000000000000000 [ 2.814838] Call trace: [ 2.817273] tcpci_irq+0x38/0x318 [ 2.820583] _tcpci_irq+0x14/0x20 [ 2.823885] irq_thread_fn+0x2c/0xa8 [ 2.827456] irq_thread+0x16c/0x2f4 [ 2.830940] kthread+0x110/0x114 [ 2.834164] ret_from_fork+0x10/0x20 [ 2.837738] Code: f9426420 f9001fe0 d2800000 52800201 (f9400a60) This may happen on shared irq case. Such as two Type-C ports share one irq. After the first port finished tcpci_register_port(), it may trigger interrupt. However, if the interrupt comes by chance the 2nd port finishes devm_request_threaded_irq(), the 2nd port interrupt handler will run at first. Then the above issue happens due to tcpci is still a NULL pointer in tcpci_irq() when dereference to regmap. devm_request_threaded_irq() <-- port1 irq comes disable_irq(client->irq); tcpci_register_port() This will restore the logic to the state before commit (77e85107a771 "usb: typec: tcpci: support edge irq"). However, moving tcpci_register_port() earlier creates a problem when use edge irq because tcpci_init() will be called before devm_request_threaded_irq(). The tcpci_init() writes the ALERT_MASK to the hardware to tell it to start generating interrupts but we're not ready to deal with them yet, then the ALERT events may be missed and ALERT line will not recover to high level forever. To avoid the issue, this will also set ALERT_MASK register after devm_request_threaded_irq() return. Fixes: 77e85107a771 ("usb: typec: tcpci: support edge irq") Cc: stable Tested-by: Emanuele Ghidoli Signed-off-by: Xu Yang Reviewed-by: Francesco Dolcini Reviewed-by: Heikki Krogerus Reviewed-by: Dan Carpenter Link: https://lore.kernel.org/r/20241218095328.2604607-1-xu.yang_2@nxp.com Signed-off-by: Greg Kroah-Hartman commit 13014969cbf07f18d62ceea40bd8ca8ec9d36cec Author: Lianqin Hu Date: Tue Dec 17 07:58:44 2024 +0000 usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null Considering that in some extreme cases, when performing the unbinding operation, gserial_disconnect has cleared gser->ioport, which triggers gadget reconfiguration, and then calls gs_read_complete, resulting in access to a null pointer. Therefore, ep is disabled before gserial_disconnect sets port to null to prevent this from happening. Call trace: gs_read_complete+0x58/0x240 usb_gadget_giveback_request+0x40/0x160 dwc3_remove_requests+0x170/0x484 dwc3_ep0_out_start+0xb0/0x1d4 __dwc3_gadget_start+0x25c/0x720 kretprobe_trampoline.cfi_jt+0x0/0x8 kretprobe_trampoline.cfi_jt+0x0/0x8 udc_bind_to_driver+0x1d8/0x300 usb_gadget_probe_driver+0xa8/0x1dc gadget_dev_desc_UDC_store+0x13c/0x188 configfs_write_iter+0x160/0x1f4 vfs_write+0x2d0/0x40c ksys_write+0x7c/0xf0 __arm64_sys_write+0x20/0x30 invoke_syscall+0x60/0x150 el0_svc_common+0x8c/0xf8 do_el0_svc+0x28/0xa0 el0_svc+0x24/0x84 Fixes: c1dca562be8a ("usb gadget: split out serial core") Cc: stable Suggested-by: Greg Kroah-Hartman Signed-off-by: Lianqin Hu Link: https://lore.kernel.org/r/TYUPR06MB621733B5AC690DBDF80A0DCCD2042@TYUPR06MB6217.apcprd06.prod.outlook.com Signed-off-by: Greg Kroah-Hartman commit 2b6ffcd7873b7e8a62c3e15a6f305bfc747c466b Author: Joe Hattori Date: Thu Dec 19 11:41:19 2024 +0900 net: stmmac: restructure the error path of stmmac_probe_config_dt() Current implementation of stmmac_probe_config_dt() does not release the OF node reference obtained by of_parse_phandle() in some error paths. The problem is that some error paths call stmmac_remove_config_dt() to clean up but others use and unwind ladder. These two types of error handling have not kept in sync and have been a recurring source of bugs. Re-write the error handling in stmmac_probe_config_dt() to use an unwind ladder. Consequently, stmmac_remove_config_dt() is not needed anymore, thus remove it. This bug was found by an experimental verification tool that I am developing. Fixes: 4838a5405028 ("net: stmmac: Fix wrapper drivers not detecting PHY") Signed-off-by: Joe Hattori Link: https://patch.msgid.link/20241219024119.2017012-1-joe@pf.is.s.u-tokyo.ac.jp Signed-off-by: Jakub Kicinski commit 74adad500346fb07d69af2c79acbff4adb061134 Author: Joe Hattori Date: Mon Dec 16 10:55:39 2024 +0900 usb: chipidea: ci_hdrc_imx: decrement device's refcount in .remove() and in the error path of .probe() Current implementation of ci_hdrc_imx_driver does not decrement the refcount of the device obtained in usbmisc_get_init_data(). Add a put_device() call in .remove() and in .probe() before returning an error. This bug was found by an experimental static analysis tool that I am developing. Cc: stable Fixes: f40017e0f332 ("chipidea: usbmisc_imx: Add USB support for VF610 SoCs") Signed-off-by: Joe Hattori Acked-by: Peter Chen Link: https://lore.kernel.org/r/20241216015539.352579-1-joe@pf.is.s.u-tokyo.ac.jp Signed-off-by: Greg Kroah-Hartman commit f47eba045e6cb97f9ee154c68dbf7c3c756919aa Author: Abel Vesa Date: Thu Dec 12 19:37:43 2024 +0200 usb: typec: ucsi: Set orientation as none when connector is unplugged The current implementation of the ucsi glink client connector_status() callback is only relying on the state of the gpio. This means that even when the cable is unplugged, the orientation propagated to the switches along the graph is "orientation normal", instead of "orientation none", which would be the correct one in this case. One of the Qualcomm DP-USB PHY combo drivers, which needs to be aware of the orientation change, is relying on the "orientation none" to skip the reinitialization of the entire PHY. Since the ucsi glink client advertises "orientation normal" even when the cable is unplugged, the mentioned PHY is taken down and reinitialized when in fact it should be left as-is. This triggers a crash within the displayport controller driver in turn, which brings the whole system down on some Qualcomm platforms. Propagating "orientation none" from the ucsi glink client on the connector_status() callback hides the problem of the mentioned PHY driver away for now. But the "orientation none" is nonetheless the correct one to be used in this case. So propagate the "orientation none" instead when the connector status flags says cable is disconnected. Fixes: 76716fd5bf09 ("usb: typec: ucsi: glink: move GPIO reading into connector_status callback") Cc: stable # 6.10 Reviewed-by: Bryan O'Donoghue Reviewed-by: Heikki Krogerus Reviewed-by: Neil Armstrong Signed-off-by: Abel Vesa Reviewed-by: Johan Hovold Tested-by: Johan Hovold Link: https://lore.kernel.org/r/20241212-usb-typec-ucsi-glink-add-orientation-none-v2-1-db5a50498a77@linaro.org Signed-off-by: Greg Kroah-Hartman commit 9466545720e231fc02acd69b5f4e9138e09a26f6 Author: Ingo Rohloff Date: Thu Dec 12 16:41:14 2024 +0100 usb: gadget: configfs: Ignore trailing LF for user strings to cdev Since commit c033563220e0f7a8 ("usb: gadget: configfs: Attach arbitrary strings to cdev") a user can provide extra string descriptors to a USB gadget via configfs. For "manufacturer", "product", "serialnumber", setting the string via configfs ignores a trailing LF. For the arbitrary strings the LF was not ignored. This patch ignores a trailing LF to make this consistent with the existing behavior for "manufacturer", ... string descriptors. Fixes: c033563220e0 ("usb: gadget: configfs: Attach arbitrary strings to cdev") Cc: stable Signed-off-by: Ingo Rohloff Link: https://lore.kernel.org/r/20241212154114.29295-1-ingo.rohloff@lauterbach.com Signed-off-by: Greg Kroah-Hartman commit 7a3d76a0b60b3f6fc3375e4de2174bab43f64545 Author: Jun Yan Date: Thu Dec 12 22:38:52 2024 +0800 USB: usblp: return error when setting unsupported protocol Fix the regression introduced by commit d8c6edfa3f4e ("USB: usblp: don't call usb_set_interface if there's a single alt"), which causes that unsupported protocols can also be set via ioctl when the num_altsetting of the device is 1. Move the check for protocol support to the earlier stage. Fixes: d8c6edfa3f4e ("USB: usblp: don't call usb_set_interface if there's a single alt") Cc: stable Signed-off-by: Jun Yan Link: https://lore.kernel.org/r/20241212143852.671889-1-jerrysteve1101@gmail.com Signed-off-by: Greg Kroah-Hartman commit 057bd54dfcf68b1f67e6dfc32a47a72e12198495 Author: Prashanth K Date: Wed Dec 11 17:29:15 2024 +0530 usb: gadget: f_uac2: Fix incorrect setting of bNumEndpoints Currently afunc_bind sets std_ac_if_desc.bNumEndpoints to 1 if controls (mute/volume) are enabled. During next afunc_bind call, bNumEndpoints would be unchanged and incorrectly set to 1 even if the controls aren't enabled. Fix this by resetting the value of bNumEndpoints to 0 on every afunc_bind call. Fixes: eaf6cbe09920 ("usb: gadget: f_uac2: add volume and mute support") Cc: stable Signed-off-by: Prashanth K Link: https://lore.kernel.org/r/20241211115915.159864-1-quic_prashk@quicinc.com Signed-off-by: Greg Kroah-Hartman commit a072ffd896efa6a6c8a0334c712fbc98a63c789c Author: Mohsin Bashir Date: Wed Dec 18 15:25:58 2024 -0800 eth: fbnic: fix csr boundary for RPM RAM section The CSR dump support leverages the FBNIC_BOUNDS macro, which pads the end condition for each section by adding an offset of 1. However, the RPC RAM section, which is dumped differently from other sections, does not rely on this macro and instead directly uses end boundary address. Hence, subtracting 1 from the end address results in skipping a register. Fixes 3d12862b216d (“eth: fbnic: Add support to dump registers”) Signed-off-by: Mohsin Bashir Reviewed-by: Michal Swiatkowski Link: https://patch.msgid.link/20241218232614.439329-1-mohsin.bashr@gmail.com Signed-off-by: Jakub Kicinski commit b9711ff7cde0cfbcdd44cb1fac55b6eec496e690 Author: Dan Carpenter Date: Fri Dec 6 16:09:18 2024 +0300 usb: typec: tcpm/tcpci_maxim: fix error code in max_contaminant_read_resistance_kohm() If max_contaminant_read_adc_mv() fails, then return the error code. Don't return zero. Fixes: 02b332a06397 ("usb: typec: maxim_contaminant: Implement check_contaminant callback") Cc: stable Signed-off-by: Dan Carpenter Reviewed-by: André Draszik Reviewed-by: Heikki Krogerus Link: https://lore.kernel.org/r/f1bf3768-419e-40dd-989c-f7f455d6c824@stanley.mountain Signed-off-by: Greg Kroah-Hartman commit e19852d0bfecbc80976b1423cf2af87ca514a58c Author: Xu Yang Date: Mon Dec 9 19:14:23 2024 +0800 usb: host: xhci-plat: set skip_phy_initialization if software node has XHCI_SKIP_PHY_INIT property The source of quirk XHCI_SKIP_PHY_INIT comes from xhci_plat_priv.quirks or software node property. This will set skip_phy_initialization if software node also has XHCI_SKIP_PHY_INIT property. Fixes: a6cd2b3fa894 ("usb: host: xhci-plat: Parse xhci-missing_cas_quirk and apply quirk") Cc: stable Signed-off-by: Xu Yang Link: https://lore.kernel.org/r/20241209111423.4085548-1-xu.yang_2@nxp.com Signed-off-by: Greg Kroah-Hartman commit 625e70ccb7bbbb2cc912e23c63390946170c085c Author: Prashanth K Date: Mon Dec 9 16:27:28 2024 +0530 usb: dwc3-am62: Disable autosuspend during remove Runtime PM documentation (Section 5) mentions, during remove() callbacks, drivers should undo the runtime PM changes done in probe(). Usually this means calling pm_runtime_disable(), pm_runtime_dont_use_autosuspend() etc. Hence add missing function to disable autosuspend on dwc3-am62 driver unbind. Fixes: e8784c0aec03 ("drivers: usb: dwc3: Add AM62 USB wrapper driver") Cc: stable Signed-off-by: Prashanth K Acked-by: Thinh Nguyen Link: https://lore.kernel.org/r/20241209105728.3216872-1-quic_prashk@quicinc.com Signed-off-by: Greg Kroah-Hartman commit 01ea6bf5cb58b20cc1bd159f0cf74a76cf04bb69 Author: André Draszik Date: Mon Dec 9 11:49:53 2024 +0000 usb: dwc3: gadget: fix writing NYET threshold Before writing a new value to the register, the old value needs to be masked out for the new value to be programmed as intended, because at least in some cases the reset value of that field is 0xf (max value). At the moment, the dwc3 core initialises the threshold to the maximum value (0xf), with the option to override it via a DT. No upstream DTs seem to override it, therefore this commit doesn't change behaviour for any upstream platform. Nevertheless, the code should be fixed to have the desired outcome. Do so. Fixes: 80caf7d21adc ("usb: dwc3: add lpm erratum support") Cc: stable@vger.kernel.org # 5.10+ (needs adjustment for 5.4) Signed-off-by: André Draszik Acked-by: Thinh Nguyen Link: https://lore.kernel.org/r/20241209-dwc3-nyet-fix-v2-1-02755683345b@linaro.org Signed-off-by: Greg Kroah-Hartman commit fe39b222a4139354d32ff9d46b88757f63f71d63 Author: Lucas De Marchi Date: Tue Dec 17 21:31:21 2024 -0800 drm/xe: Fix fault on fd close after unbind If userspace holds an fd open, unbinds the device and then closes it, the driver shouldn't try to access the hardware. Protect it by using drm_dev_enter()/drm_dev_exit(). This fixes the following page fault: <6> [IGT] xe_wedged: exiting, ret=98 <1> BUG: unable to handle page fault for address: ffffc901bc5e508c <1> #PF: supervisor read access in kernel mode <1> #PF: error_code(0x0000) - not-present page ... <4> xe_lrc_update_timestamp+0x1c/0xd0 [xe] <4> xe_exec_queue_update_run_ticks+0x50/0xb0 [xe] <4> xe_exec_queue_fini+0x16/0xb0 [xe] <4> __guc_exec_queue_fini_async+0xc4/0x190 [xe] <4> guc_exec_queue_fini_async+0xa0/0xe0 [xe] <4> guc_exec_queue_fini+0x23/0x40 [xe] <4> xe_exec_queue_destroy+0xb3/0xf0 [xe] <4> xe_file_close+0xd4/0x1a0 [xe] <4> drm_file_free+0x210/0x280 [drm] <4> drm_close_helper.isra.0+0x6d/0x80 [drm] <4> drm_release_noglobal+0x20/0x90 [drm] Fixes: 514447a12190 ("drm/xe: Stop accumulating LRC timestamp on job_free") Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/3421 Reviewed-by: Umesh Nerlige Ramappa Link: https://patchwork.freedesktop.org/patch/msgid/20241218053122.2730195-1-lucas.demarchi@intel.com Signed-off-by: Lucas De Marchi (cherry picked from commit 4ca1fd418338d4d135428a0eb1e16e3b3ce17ee8) Signed-off-by: Thomas Hellström commit af12ba67d09ebe2b31ab997cea1a930864028562 Author: Michal Wajdeczko Date: Mon Dec 16 23:32:53 2024 +0100 drm/xe/pf: Use correct function to check LMEM provisioning There is a typo in function call and instead of VF LMEM we were looking at VF GGTT provisioning. Fix that. Fixes: 234670cea9a2 ("drm/xe/pf: Skip fair VFs provisioning if already provisioned") Signed-off-by: Michal Wajdeczko Cc: Piotr Piórkowski Reviewed-by: Himal Prasad Ghimiray Link: https://patchwork.freedesktop.org/patch/msgid/20241216223253.819-1-michal.wajdeczko@intel.com (cherry picked from commit a8d0aa0e7fcd20c9f1992688c0f0d07a68287403) Signed-off-by: Thomas Hellström commit 5e0a67fdb894d34c5f109e969320eef9ddae7480 Author: Nirmoy Das Date: Fri Dec 13 13:24:15 2024 +0100 drm/xe: Wait for migration job before unmapping pages Fix a potential GPU page fault during tt -> system moves by waiting for migration jobs to complete before unmapping SG. This ensures that IOMMU mappings are not prematurely torn down while a migration job is still in progress. v2: Use intr=false(Matt A) v3: Update commit message(Matt A) v4: s/DMA_RESV_USAGE_BOOKKEEP/DMA_RESV_USAGE_KERNEL(Thomas) Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/3466 Fixes: 75521e8b56e8 ("drm/xe: Perform dma_map when moving system buffer objects to TT") Cc: Thomas Hellström Cc: Matthew Brost Cc: Lucas De Marchi Cc: stable@vger.kernel.org # v6.11+ Cc: Matthew Auld Reviewed-by: Matthew Auld Reviewed-by: Thomas Hellström Link: https://patchwork.freedesktop.org/patch/msgid/20241213122415.3880017-2-nirmoy.das@intel.com Signed-off-by: Nirmoy Das (cherry picked from commit cda06412c06893a6f07a2fbf89d42a0972ec9e8e) Signed-off-by: Thomas Hellström commit 528cef1b4170f328d28d4e9b437380d8e5a2d18f Author: Nirmoy Das Date: Fri Dec 13 13:24:14 2024 +0100 drm/xe: Use non-interruptible wait when moving BO to system Ensure a non-interruptible wait is used when moving a bo to XE_PL_SYSTEM. This prevents dma_mappings from being removed prematurely while a GPU job is still in progress, even if the CPU receives a signal during the operation. Fixes: 75521e8b56e8 ("drm/xe: Perform dma_map when moving system buffer objects to TT") Cc: Thomas Hellström Cc: Matthew Brost Cc: Lucas De Marchi Cc: stable@vger.kernel.org # v6.11+ Suggested-by: Matthew Auld Reviewed-by: Matthew Auld Reviewed-by: Thomas Hellström Link: https://patchwork.freedesktop.org/patch/msgid/20241213122415.3880017-1-nirmoy.das@intel.com Signed-off-by: Nirmoy Das (cherry picked from commit dc5e20ae1f8a7c354dc9833faa2720254e5a5443) Signed-off-by: Thomas Hellström commit a53da2fb25a31f4fb8eaeb93c7b1134fc14fd209 Author: John Harrison Date: Fri Dec 13 09:28:33 2024 -0800 drm/xe: Revert some changes that break a mesa debug tool There is a mesa debug tool for decoding devcoredump files. Recent changes to improve the devcoredump output broke that tool. So revert the changes until the tool can be extended to support the new fields. Signed-off-by: John Harrison Fixes: c28fd6c358db ("drm/xe/devcoredump: Improve section headings and add tile info") Fixes: ec1455ce7e35 ("drm/xe/devcoredump: Add ASCII85 dump helper function") Cc: John Harrison Cc: Julia Filipchuk Cc: Lucas De Marchi Cc: Thomas Hellström Cc: Rodrigo Vivi Cc: intel-xe@lists.freedesktop.org Reviewed-by: Jonathan Cavitt Reviewed-by: José Roberto de Souza Link: https://patchwork.freedesktop.org/patch/msgid/20241213172833.1733376-1-John.C.Harrison@Intel.com Signed-off-by: Rodrigo Vivi (cherry picked from commit 70fb86a85dc9fd66014d7eb2fe356f50702ceeb6) Signed-off-by: Thomas Hellström commit d685d55dfc86b1a4bdcec77c3c1f8a83f181264e Author: Masami Hiramatsu (Google) Date: Wed Dec 11 09:10:55 2024 +0900 tracing/kprobe: Make trace_kprobe's module callback called after jump_label update Make sure the trace_kprobe's module notifer callback function is called after jump_label's callback is called. Since the trace_kprobe's callback eventually checks jump_label address during registering new kprobe on the loading module, jump_label must be updated before this registration happens. Link: https://lore.kernel.org/all/173387585556.995044.3157941002975446119.stgit@devnote2/ Fixes: 614243181050 ("tracing/kprobes: Support module init function probing") Signed-off-by: Masami Hiramatsu (Google) commit e3debdd48423d3d75b9d366399228d7225d902cd Author: Chengchang Tang Date: Fri Dec 20 13:52:49 2024 +0800 RDMA/hns: Fix missing flush CQE for DWQE Flush CQE handler has not been called if QP state gets into errored mode in DWQE path. So, the new added outstanding WQEs will never be flushed. It leads to a hung task timeout when using NFS over RDMA: __switch_to+0x7c/0xd0 __schedule+0x350/0x750 schedule+0x50/0xf0 schedule_timeout+0x2c8/0x340 wait_for_common+0xf4/0x2b0 wait_for_completion+0x20/0x40 __ib_drain_sq+0x140/0x1d0 [ib_core] ib_drain_sq+0x98/0xb0 [ib_core] rpcrdma_xprt_disconnect+0x68/0x270 [rpcrdma] xprt_rdma_close+0x20/0x60 [rpcrdma] xprt_autoclose+0x64/0x1cc [sunrpc] process_one_work+0x1d8/0x4e0 worker_thread+0x154/0x420 kthread+0x108/0x150 ret_from_fork+0x10/0x18 Fixes: 01584a5edcc4 ("RDMA/hns: Add support of direct wqe") Signed-off-by: Chengchang Tang Signed-off-by: Junxian Huang Link: https://patch.msgid.link/20241220055249.146943-5-huangjunxian6@hisilicon.com Signed-off-by: Leon Romanovsky commit fa5c4ba8cdbfd2c2d6422e001311c8213283ebbf Author: Chengchang Tang Date: Fri Dec 20 13:52:48 2024 +0800 RDMA/hns: Fix warning storm caused by invalid input in IO path WARN_ON() is called in the IO path. And it could lead to a warning storm. Use WARN_ON_ONCE() instead of WARN_ON(). Fixes: 12542f1de179 ("RDMA/hns: Refactor process about opcode in post_send()") Signed-off-by: Chengchang Tang Signed-off-by: Junxian Huang Link: https://patch.msgid.link/20241220055249.146943-4-huangjunxian6@hisilicon.com Signed-off-by: Leon Romanovsky commit 0572eccf239ce4bd89bd531767ec5ab20e249290 Author: Chengchang Tang Date: Fri Dec 20 13:52:47 2024 +0800 RDMA/hns: Fix accessing invalid dip_ctx during destroying QP If it fails to modify QP to RTR, dip_ctx will not be attached. And during detroying QP, the invalid dip_ctx pointer will be accessed. Fixes: faa62440a577 ("RDMA/hns: Fix different dgids mapping to the same dip_idx") Signed-off-by: Chengchang Tang Signed-off-by: Junxian Huang Link: https://patch.msgid.link/20241220055249.146943-3-huangjunxian6@hisilicon.com Signed-off-by: Leon Romanovsky commit 8673a6c2d9e483dfeeef83a1f06f59e05636f4d1 Author: wenglianfa Date: Fri Dec 20 13:52:46 2024 +0800 RDMA/hns: Fix mapping error of zero-hop WQE buffer Due to HW limitation, the three region of WQE buffer must be mapped and set to HW in a fixed order: SQ buffer, SGE buffer, and RQ buffer. Currently when one region is zero-hop while the other two are not, the zero-hop region will not be mapped. This violate the limitation above and leads to address error. Fixes: 38389eaa4db1 ("RDMA/hns: Add mtr support for mixed multihop addressing") Signed-off-by: wenglianfa Signed-off-by: Junxian Huang Link: https://patch.msgid.link/20241220055249.146943-2-huangjunxian6@hisilicon.com Signed-off-by: Leon Romanovsky commit d08555758fb1dbfb48f0cb58176fdc98009e6070 Author: Chun-Kuang Hu Date: Thu Dec 12 00:19:08 2024 +0000 Revert "drm/mediatek: dsi: Correct calculation formula of PHY Timing" This reverts commit 417d8c47271d5cf1a705e997065873b2a9a36fd4. With that patch the panel in the Tentacruel ASUS Chromebook CM14 (CM1402F) flickers. There are 1 or 2 times per second a black panel. Stable Kernel 6.11.5 and mainline 6.12-rc4 works only when reverse that patch. Fixes: 417d8c47271d ("drm/mediatek: dsi: Correct calculation formula of PHY Timing") Cc: stable@vger.kernel.org Cc: Shuijing Li Reported-by: Jens Ziller Closes: https://patchwork.kernel.org/project/dri-devel/patch/20240412031208.30688-1-shuijing.li@mediatek.com/ Link: https://patchwork.kernel.org/project/dri-devel/patch/20241212001908.6056-1-chunkuang.hu@kernel.org/ Signed-off-by: Chun-Kuang Hu commit f17224c2a7bdc11a17c96d9d8cb2d829f54d40bb Author: Dr. David Alan Gilbert Date: Fri Dec 20 21:59:37 2024 +0000 cifs: Remove unused is_server_using_iface() The last use of is_server_using_iface() was removed in 2022 by commit aa45dadd34e4 ("cifs: change iface_list from array to sorted linked list") Remove it. Signed-off-by: Dr. David Alan Gilbert Signed-off-by: Steve French commit b8ea3b1ff544b47c1d64a22860f33b755638164e Author: Bharath SM Date: Fri Dec 13 22:50:21 2024 +0530 smb: enable reuse of deferred file handles for write operations Previously, deferred file handles were reused only for read operations, this commit extends to reusing deferred handles for write operations. By reusing these handles we can reduce the need for open/close operations over the wire. Signed-off-by: Bharath SM Signed-off-by: Steve French commit 0b7a66a2c864859fbf9bb16229c03172eef02c05 Author: Sebastian Andrzej Siewior Date: Thu Dec 5 17:06:02 2024 +0100 preempt: Move PREEMPT_RT before PREEMPT in vermagic. Since the dynamic preemption has been enabled for PREEMPT_RT we have now CONFIG_PREEMPT and CONFIG_PREEMPT_RT set simultaneously. This affects the vermagic strings which comes now PREEMPT with PREEMPT_RT enabled. The PREEMPT_RT module usually can not be loaded on a PREEMPT kernel because some symbols are missing. However if the symbols are fine then it continues and it crashes later. The problem is that the struct module has a different layout and the num_exentries or init members are at a different position leading to a crash later on. This is not necessary caught by the size check in elf_validity_cache_index_mod() because the mem member has an alignment requirement of __module_memory_align which is big enough keep the total size unchanged. Therefore we should keep the string accurate instead of removing it. Move the PREEMPT_RT check before the PREEMPT so that it takes precedence if both symbols are enabled. Fixes: 35772d627b55c ("sched: Enable PREEMPT_DYNAMIC for PREEMPT_RT") Signed-off-by: Sebastian Andrzej Siewior Reviewed-by: Petr Pavlu Link: https://lore.kernel.org/r/20241205160602.3lIAsJRT@linutronix.de Signed-off-by: Petr Pavlu commit 4bbf9020becbfd8fc2c3da790855b7042fad455b Author: Linus Torvalds Date: Sun Dec 22 13:22:21 2024 -0800 Linux 6.13-rc4 commit b1fdbe77be6d31d78ecc2a82ea7167773293fed0 Merge: bcde95ce32b666 8afa5b10af9d74 Author: Linus Torvalds Date: Sun Dec 22 12:16:41 2024 -0800 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm Pull KVM x86 fixes from Paolo Bonzini: - Disable AVIC on SNP-enabled systems that don't allow writes to the virtual APIC page, as such hosts will hit unexpected RMP #PFs in the host when running VMs of any flavor. - Fix a WARN in the hypercall completion path due to KVM trying to determine if a guest with protected register state is in 64-bit mode (KVM's ABI is to assume such guests only make hypercalls in 64-bit mode). - Allow the guest to write to supported bits in MSR_AMD64_DE_CFG to fix a regression with Windows guests, and because KVM's read-only behavior appears to be entirely made up. - Treat TDP MMU faults as spurious if the faulting access is allowed given the existing SPTE. This fixes a benign WARN (other than the WARN itself) due to unexpectedly replacing a writable SPTE with a read-only SPTE. - Emit a warning when KVM is configured with ignore_msrs=1 and also to hide the MSRs that the guest is looking for from the kernel logs. ignore_msrs can trick guests into assuming that certain processor features are present, and this in turn leads to bogus bug reports. * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: KVM: x86: let it be known that ignore_msrs is a bad idea KVM: VMX: don't include '' directly KVM: x86/mmu: Treat TDP MMU faults as spurious if access is already allowed KVM: SVM: Allow guest writes to set MSR_AMD64_DE_CFG bits KVM: x86: Play nice with protected guests in complete_hypercall_exit() KVM: SVM: Disable AVIC on SNP-enabled system without HvInUseWrAllowed feature commit 8afa5b10af9d748b055a43949f819d9991d63938 Merge: 398b7b6cb9e046 386d69f9f29b08 Author: Paolo Bonzini Date: Sun Dec 22 12:07:16 2024 -0500 Merge tag 'kvm-x86-fixes-6.13-rcN' of https://github.com/kvm-x86/linux into HEAD KVM x86 fixes for 6.13: - Disable AVIC on SNP-enabled systems that don't allow writes to the virtual APIC page, as such hosts will hit unexpected RMP #PFs in the host when running VMs of any flavor. - Fix a WARN in the hypercall completion path due to KVM trying to determine if a guest with protected register state is in 64-bit mode (KVM's ABI is to assume such guests only make hypercalls in 64-bit mode). - Allow the guest to write to supported bits in MSR_AMD64_DE_CFG to fix a regression with Windows guests, and because KVM's read-only behavior appears to be entirely made up. - Treat TDP MMU faults as spurious if the faulting access is allowed given the existing SPTE. This fixes a benign WARN (other than the WARN itself) due to unexpectedly replacing a writable SPTE with a read-only SPTE. commit 398b7b6cb9e046f137a188670da12f790492b56b Author: Paolo Bonzini Date: Thu Dec 19 07:43:20 2024 -0500 KVM: x86: let it be known that ignore_msrs is a bad idea When running KVM with ignore_msrs=1 and report_ignored_msrs=0, the user has no clue that that the guest is being lied to. This may cause bug reports such as https://gitlab.com/qemu-project/qemu/-/issues/2571, where enabling a CPUID bit in QEMU caused Linux guests to try reading MSR_CU_DEF_ERR; and being lied about the existence of MSR_CU_DEF_ERR caused the guest to assume other things about the local APIC which were not true: Sep 14 12:02:53 kernel: mce: [Firmware Bug]: Your BIOS is not setting up LVT offset 0x2 for deferred error IRQs correctly. Sep 14 12:02:53 kernel: unchecked MSR access error: RDMSR from 0x852 at rIP: 0xffffffffb548ffa7 (native_read_msr+0x7/0x40) Sep 14 12:02:53 kernel: Call Trace: ... Sep 14 12:02:53 kernel: native_apic_msr_read+0x20/0x30 Sep 14 12:02:53 kernel: setup_APIC_eilvt+0x47/0x110 Sep 14 12:02:53 kernel: mce_amd_feature_init+0x485/0x4e0 ... Sep 14 12:02:53 kernel: [Firmware Bug]: cpu 0, try to use APIC520 (LVT offset 2) for vector 0xf4, but the register is already in use for vector 0x0 on this cpu Without reported_ignored_msrs=0 at least the host kernel log will contain enough information to avoid going on a wild goose chase. But if reports about individual MSR accesses are being silenced too, at least complain loudly the first time a VM is started. Signed-off-by: Paolo Bonzini commit 37d1d99b8806b24ffe4a2b453620df932994a5c0 Author: Wolfram Sang Date: Tue Dec 17 08:05:40 2024 +0100 KVM: VMX: don't include '' directly The header clearly states that it does not want to be included directly, only via ''. Replace the include accordingly. Signed-off-by: Wolfram Sang Message-ID: <20241217070539.2433-2-wsa+renesas@sang-engineering.com> Signed-off-by: Paolo Bonzini commit bcde95ce32b666478d6737219caa4f8005a8f201 Merge: 48f506ad0b683d 8600058ba28a7b Author: Linus Torvalds Date: Sun Dec 22 08:40:23 2024 -0800 Merge tag 'devicetree-fixes-for-6.13-1' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux Pull devicetree fixes from Rob Herring: - Disable #address-cells/#size-cells warning on coreboot (Chromebooks) platforms - Add missing root #address-cells/#size-cells in default empty DT - Fix uninitialized variable in of_irq_parse_one() - Fix interrupt-map cell length check in of_irq_parse_imap_parent() - Fix refcount handling in __of_get_dma_parent() - Fix error path in of_parse_phandle_with_args_map() - Fix dma-ranges handling with flags cells - Drop explicit fw_devlink handling of 'interrupt-parent' - Fix "compression" typo in fixed-partitions binding - Unify "fsl,liodn" property type definitions * tag 'devicetree-fixes-for-6.13-1' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux: of: Add coreboot firmware to excluded default cells list of/irq: Fix using uninitialized variable @addr_len in API of_irq_parse_one() of/irq: Fix interrupt-map cell length check in of_irq_parse_imap_parent() of: Fix refcount leakage for OF node returned by __of_get_dma_parent() of: Fix error path in of_parse_phandle_with_args_map() dt-bindings: mtd: fixed-partitions: Fix "compression" typo of: Add #address-cells/#size-cells in the device-tree root empty node dt-bindings: Unify "fsl,liodn" type definitions of: address: Preserve the flags portion on 1:1 dma-ranges mapping of/unittest: Add empty dma-ranges address translation tests of: property: fw_devlink: Do not use interrupt-parent directly commit 48f506ad0b683d3e7e794efa60c5785c4fdc86fa Merge: 4aa748dd1abf33 a31ffd6ed5ee99 Author: Linus Torvalds Date: Sat Dec 21 15:45:06 2024 -0800 Merge tag 'soc-fixes-6.13-2' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc Pull SoC fixes from Arnd Bergmann: "Two more small fixes, correcting the cacheline size on Raspberry Pi 5 and fixing a logic mistake in the microchip mpfs firmware driver" * tag 'soc-fixes-6.13-2' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: arm64: dts: broadcom: Fix L2 linesize for Raspberry Pi 5 firmware: microchip: fix UL_IAP lock check in mpfs_auto_update_state() commit 4aa748dd1abf337426b4c941ae1b606ed0e2a5aa Merge: e84a3bf7f4aa66 d3ac65d274b3a9 Author: Linus Torvalds Date: Sat Dec 21 15:31:56 2024 -0800 Merge tag 'mm-hotfixes-stable-2024-12-21-12-09' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Pull misc fixes from Andrew Morton: "25 hotfixes. 16 are cc:stable. 19 are MM and 6 are non-MM. The usual bunch of singletons and doubletons - please see the relevant changelogs for details" * tag 'mm-hotfixes-stable-2024-12-21-12-09' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm: (25 commits) mm: huge_memory: handle strsep not finding delimiter alloc_tag: fix set_codetag_empty() when !CONFIG_MEM_ALLOC_PROFILING_DEBUG alloc_tag: fix module allocation tags populated area calculation mm/codetag: clear tags before swap mm/vmstat: fix a W=1 clang compiler warning mm: convert partially_mapped set/clear operations to be atomic nilfs2: fix buffer head leaks in calls to truncate_inode_pages() vmalloc: fix accounting with i915 mm/page_alloc: don't call pfn_to_page() on possibly non-existent PFN in split_large_buddy() fork: avoid inappropriate uprobe access to invalid mm nilfs2: prevent use of deleted inode zram: fix uninitialized ZRAM not releasing backing device zram: refuse to use zero sized block device as backing device mm: use clear_user_(high)page() for arch with special user folio handling mm: introduce cpu_icache_is_aliasing() across all architectures mm: add RCU annotation to pte_offset_map(_lock) mm: correctly reference merged VMA mm: use aligned address in copy_user_gigantic_page() mm: use aligned address in clear_gigantic_page() mm: shmem: fix ShmemHugePages at swapout ... commit e84a3bf7f4aa669c05e3884497774148ac111468 Author: Steven Rostedt Date: Tue Dec 17 10:19:04 2024 -0500 staging: gpib: Fix allyesconfig build failures My tests run an allyesconfig build and it failed with the following errors: LD [M] samples/kfifo/dma-example.ko ld.lld: error: undefined symbol: nec7210_board_reset ld.lld: error: undefined symbol: nec7210_read ld.lld: error: undefined symbol: nec7210_write It appears that some modules call the function nec7210_board_reset() that is defined in nec7210.c. In an allyesconfig build, these other modules are built in. But the file that holds nec7210_board_reset() has: obj-m += nec7210.o Where that "-m" means it only gets built as a module. With the other modules built in, they have no access to nec7210_board_reset() and the build fails. This isn't the only function. After fixing that one, I hit another: ld.lld: error: undefined symbol: push_gpib_event ld.lld: error: undefined symbol: gpib_match_device_path Where push_gpib_event() was also used outside of the file it was defined in, and that file too only was built as a module. Since the directory that nec7210.c is only traversed when CONFIG_GPIB_NEC7210 is set, and the directory with gpib_common.c is only traversed when CONFIG_GPIB_COMMON is set, use those configs as the option to build those modules. When it is an allyesconfig, then they will both be built in and their functions will be available to the other modules that are also built in. Fixes: 3ba84ac69b53e ("staging: gpib: Add nec7210 GPIB chip driver") Fixes: 9dde4559e9395 ("staging: gpib: Add GPIB common core driver") Signed-off-by: Steven Rostedt (Google) Reviewed-by: Palmer Dabbelt Signed-off-by: Linus Torvalds commit a016546ba60cbf3243f10670ae24fbd0bb343c08 Merge: 9c707ba99f1b63 9435dc77a33fa2 Author: Linus Torvalds Date: Sat Dec 21 11:24:32 2024 -0800 Merge tag 'kbuild-fixes-v6.13-2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild Pull Kbuild fixes from Masahiro Yamada: - Remove stale code in usr/include/headers_check.pl - Fix issues in the user-mode-linux Debian package - Fix false-positive "export twice" errors in modpost * tag 'kbuild-fixes-v6.13-2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild: modpost: distinguish same module paths from different dump files kbuild: deb-pkg: Do not install maint scripts for arch 'um' kbuild: deb-pkg: add debarch for ARCH=um kbuild: Drop support for include/asm- in headers_check.pl commit 9c707ba99f1b638e32724691b18fd1429e23b7f4 Merge: 876685ce5e1a5f 4a58963d10fa3c Author: Linus Torvalds Date: Sat Dec 21 11:07:19 2024 -0800 Merge tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf Pull BPF fixes from Daniel Borkmann: - Fix inlining of bpf_get_smp_processor_id helper for !CONFIG_SMP systems (Andrea Righi) - Fix BPF USDT selftests helper code to use asm constraint "m" for LoongArch (Tiezhu Yang) - Fix BPF selftest compilation error in get_uprobe_offset when PROCMAP_QUERY is not defined (Jerome Marchand) - Fix BPF bpf_skb_change_tail helper when used in context of BPF sockmap to handle negative skb header offsets (Cong Wang) - Several fixes to BPF sockmap code, among others, in the area of socket buffer accounting (Levi Zim, Zijian Zhang, Cong Wang) * tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf: selftests/bpf: Test bpf_skb_change_tail() in TC ingress selftests/bpf: Introduce socket_helpers.h for TC tests selftests/bpf: Add a BPF selftest for bpf_skb_change_tail() bpf: Check negative offsets in __bpf_skb_min_len() tcp_bpf: Fix copied value in tcp_bpf_sendmsg skmsg: Return copied bytes in sk_msg_memcopy_from_iter tcp_bpf: Add sk_rmem_alloc related logic for tcp_bpf ingress redirection tcp_bpf: Charge receive socket buffer in bpf_tcp_ingress() selftests/bpf: Fix compilation error in get_uprobe_offset() selftests/bpf: Use asm constraint "m" for LoongArch bpf: Fix bpf_get_smp_processor_id() on !CONFIG_SMP commit 876685ce5e1a5f8696a7124de9bfa0ffbbbd27ae Merge: a99b4a369a5495 8b55f8818900c9 Author: Linus Torvalds Date: Sat Dec 21 10:56:34 2024 -0800 Merge tag 'media/v6.13-3' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media Pull media fixes from Mauro Carvalho Chehab: - fix a clang build issue with mediatec vcodec - add missing variable initialization to dib3000mb write function * tag 'media/v6.13-3' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: media: mediatek: vcodec: mark vdec_vp9_slice_map_counts_eob_coef noinline media: dvb-frontends: dib3000mb: fix uninit-value in dib3000_write_reg commit a99b4a369a5495dbb625e1dfb5cd7a5ff6ba4bd5 Merge: 78b1346123bbd6 774c71c52aa487 Author: Linus Torvalds Date: Sat Dec 21 10:51:04 2024 -0800 Merge tag 'pci-v6.13-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/pci/pci Pull PCI fixes from Krzysztof Wilczyński: "Two small patches that are important for fixing boot time hang on Intel JHL7540 'Titan Ridge' platforms equipped with a Thunderbolt controller. The boot time issue manifests itself when a PCI Express bandwidth control is unnecessarily enabled on the Thunderbolt controller downstream ports, which only supports a link speed of 2.5 GT/s in accordance with USB4 v2 specification (p. 671, sec. 11.2.1, "PCIe Physical Layer Logical Sub-block"). As such, there is no need to enable bandwidth control on such downstream port links, which also works around the issue. Both patches were tested by the original reporter on the hardware on which the failure origin golly manifested itself. Both fixes were proven to resolve the reported boot hang issue, and both patches have been in linux-next this week with no reported problems" * tag 'pci-v6.13-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/pci/pci: PCI/bwctrl: Enable only if more than one speed is supported PCI: Honor Max Link Speed when determining supported speeds commit 78b1346123bbd66060432994c28a7ca390b7e0cd Merge: be6bb3619eeda0 05648c2f58b3da Author: Linus Torvalds Date: Sat Dec 21 10:47:47 2024 -0800 Merge tag 'pm-6.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull power management fixes from Rafael Wysocki: "These fix some amd-pstate driver issues: - Detect preferred core support in amd-pstate before driver registration to avoid initialization ordering issues (K Prateek Nayak) - Fix issues with with boost numerator handling in amd-pstate leading to inconsistently programmed CPPC max performance values (Mario Limonciello)" * tag 'pm-6.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: cpufreq/amd-pstate: Use boost numerator for upper bound of frequencies cpufreq/amd-pstate: Store the boost numerator as highest perf again cpufreq/amd-pstate: Detect preferred core support before driver registration commit be6bb3619eeda0cd3a52ead9e63c5795ac87f0c5 Merge: 5100b6f9e7bfc5 4feaedf7d243f1 Author: Linus Torvalds Date: Sat Dec 21 10:44:44 2024 -0800 Merge tag 'thermal-6.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull thermal control fixes from Rafael Wysocki: "Fix two issues with the user thermal thresholds feature introduced in this development cycle (Daniel Lezcano)" * tag 'thermal-6.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: thermal/thresholds: Fix boundaries and detection routine thermal/thresholds: Fix uapi header macros leading to a compilation error commit 5100b6f9e7bfc520e8129a5042a4bdd7dd486df6 Merge: baa172c77ac52b 0674188f2f4d38 Author: Linus Torvalds Date: Sat Dec 21 10:42:35 2024 -0800 Merge tag 'acpi-6.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull ACPI fix from Rafael Wysocki: "Unbreak ACPI EC support on LoongArch that has been broken earlier in this development cycle (Huacai Chen)" * tag 'acpi-6.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: ACPI: EC: Enable EC support on LoongArch by default commit baa172c77ac52b2058ba3abae7512b7b16d0c461 Merge: 4a5da3f5d35000 92941c7f2c9529 Author: Linus Torvalds Date: Sat Dec 21 09:35:18 2024 -0800 Merge tag '6.13-rc3-SMB3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6 Pull smb client fixes from Steve French: - fix regression in display of write stats - fix rmmod failure with network namespaces - two minor cleanups * tag '6.13-rc3-SMB3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6: smb: fix bytes written value in /proc/fs/cifs/Stats smb: client: fix TCP timers deadlock after rmmod smb: client: Deduplicate "select NETFS_SUPPORT" in Kconfig smb: use macros instead of constants for leasekey size and default cifsattrs value commit 4a5da3f5d35000bd8e5dd78732679a1e00fae719 Merge: 7684392f17b05a bedb4e6088a886 Author: Linus Torvalds Date: Sat Dec 21 09:32:24 2024 -0800 Merge tag 'nfs-for-6.13-2' of git://git.linux-nfs.org/projects/trondmy/linux-nfs Pull NFS client fixes from Trond Myklebust: - NFS/pnfs: Fix a live lock between recalled layouts and layoutget - Fix a build warning about an undeclared symbol 'nfs_idmap_cache_timeout' * tag 'nfs-for-6.13-2' of git://git.linux-nfs.org/projects/trondmy/linux-nfs: fs/nfs: fix missing declaration of nfs_idmap_cache_timeout NFS/pnfs: Fix a live lock between recalled layouts and layoutget commit 7684392f17b05a9881a5f05b6ca5684321598140 Merge: 499551201b5f4f 18d44c5d062b97 Author: Linus Torvalds Date: Sat Dec 21 09:29:46 2024 -0800 Merge tag 'ceph-for-6.13-rc4' of https://github.com/ceph/ceph-client Pull ceph fixes from Ilya Dryomov: "A handful of important CephFS fixes from Max, Alex and myself: memory corruption due to a buffer overrun, potential infinite loop and several memory leaks on the error paths. All but one marked for stable" * tag 'ceph-for-6.13-rc4' of https://github.com/ceph/ceph-client: ceph: allocate sparse_ext map only for sparse reads ceph: fix memory leak in ceph_direct_read_write() ceph: improve error handling and short/overflow-read logic in __ceph_sync_read() ceph: validate snapdirname option length when mounting ceph: give up on paths longer than PATH_MAX ceph: fix memory leaks in __ceph_sync_read() commit 9435dc77a33fa20afec7cd35ceaae5f7f42dbbe2 Author: Masahiro Yamada Date: Fri Dec 13 00:46:15 2024 +0900 modpost: distinguish same module paths from different dump files Since commit 13b25489b6f8 ("kbuild: change working directory to external module directory with M="), module paths are always relative to the top of the external module tree. The module paths recorded in Module.symvers are no longer globally unique when they are passed via KBUILD_EXTRA_SYMBOLS for building other external modules, which may result in false-positive "exported twice" errors. Such errors should not occur because external modules should be able to override in-tree modules. To address this, record the dump file path in struct module and check it when searching for a module. Fixes: 13b25489b6f8 ("kbuild: change working directory to external module directory with M=") Reported-by: Jon Hunter Closes: https://lore.kernel.org/all/eb21a546-a19c-40df-b821-bbba80f19a3d@nvidia.com/ Signed-off-by: Masahiro Yamada Tested-by: Jon Hunter commit 54956567a055345d17438f08c895c68aff3f4cf2 Author: Nicolas Schier Date: Thu Dec 12 14:05:29 2024 +0100 kbuild: deb-pkg: Do not install maint scripts for arch 'um' Stop installing Debian maintainer scripts when building a user-mode-linux Debian package. Debian maintainer scripts are used for e.g. requesting rebuilds of initrd, rebuilding DKMS modules and updating of grub configuration. As all of this is not relevant for UML but also may lead to failures while processing the kernel hooks, do no more install maintainer scripts for the UML package. Suggested-by: Masahiro Yamada Signed-off-by: Nicolas Schier Signed-off-by: Masahiro Yamada commit a34e92d2e831729f0ed5df20d15b4df419cd0ba4 Author: Masahiro Yamada Date: Tue Dec 3 20:14:45 2024 +0900 kbuild: deb-pkg: add debarch for ARCH=um 'make ARCH=um bindeb-pkg' shows the following warning. $ make ARCH=um bindeb-pkg [snip] GEN debian ** ** ** WARNING ** ** ** Your architecture doesn't have its equivalent Debian userspace architecture defined! Falling back to the current host architecture (amd64). Please add support for um to ./scripts/package/mkdebian ... This commit hard-codes i386/amd64 because UML is only supported for x86. Signed-off-by: Masahiro Yamada Reviewed-by: Nicolas Schier commit d67393f4d28ef0544eaf382f1123dcaf56495dc9 Author: Geert Uytterhoeven Date: Thu Dec 5 14:20:43 2024 +0100 kbuild: Drop support for include/asm- in headers_check.pl "include/asm-" was replaced by "arch//include/asm" a long time ago. All assembler header files are now included using "#include ", so there is no longer a need to rewrite paths. Signed-off-by: Geert Uytterhoeven Signed-off-by: Masahiro Yamada commit c384481006476ac65478fa3584c7245782e52f34 Author: Nikolaus Voss Date: Thu Dec 19 11:54:11 2024 +0100 clk: clk-imx8mp-audiomix: fix function signature clk_imx8mp_audiomix_reset_controller_register() in the "if !CONFIG_RESET_CONTROLLER" branch had the first argument missing. It is an empty function for this branch so it wasn't immediately apparent. Fixes: 6f0e817175c5 ("clk: imx: clk-audiomix: Add reset controller") Cc: # 6.12.x Signed-off-by: Nikolaus Voss Link: https://lore.kernel.org/r/20241219105447.889CB11FE@mail.steuer-voss.de Reviewed-by: Daniel Baluta Acked-by: Shengjiu Wang Reviewed-by: Peng Fan Signed-off-by: Stephen Boyd commit 4a58963d10fa3cb654b859e3f9a8aecbcf9f4982 Author: Cong Wang Date: Thu Dec 12 19:40:57 2024 -0800 selftests/bpf: Test bpf_skb_change_tail() in TC ingress Similarly to the previous test, we also need a test case to cover positive offsets as well, TC is an excellent hook for this. Signed-off-by: Cong Wang Signed-off-by: Daniel Borkmann Tested-by: Zijian Zhang Acked-by: John Fastabend Link: https://lore.kernel.org/bpf/20241213034057.246437-5-xiyou.wangcong@gmail.com commit 472759c9f5377912c7483cca5da847888a27cecc Author: Cong Wang Date: Thu Dec 12 19:40:56 2024 -0800 selftests/bpf: Introduce socket_helpers.h for TC tests Pull socket helpers out of sockmap_helpers.h so that they can be reused for TC tests as well. This prepares for the next patch. Signed-off-by: Cong Wang Signed-off-by: Daniel Borkmann Acked-by: John Fastabend Link: https://lore.kernel.org/bpf/20241213034057.246437-4-xiyou.wangcong@gmail.com commit 9ee0c7b8654346d60c823babe4b3747357a30477 Author: Cong Wang Date: Thu Dec 12 19:40:55 2024 -0800 selftests/bpf: Add a BPF selftest for bpf_skb_change_tail() As requested by Daniel, we need to add a selftest to cover bpf_skb_change_tail() cases in skb_verdict. Here we test trimming, growing and error cases, and validate its expected return values and the expected sizes of the payload. Signed-off-by: Cong Wang Signed-off-by: Daniel Borkmann Acked-by: John Fastabend Link: https://lore.kernel.org/bpf/20241213034057.246437-3-xiyou.wangcong@gmail.com commit 9ecc4d858b92c1bb0673ad9c327298e600c55659 Author: Cong Wang Date: Thu Dec 12 19:40:54 2024 -0800 bpf: Check negative offsets in __bpf_skb_min_len() skb_network_offset() and skb_transport_offset() can be negative when they are called after we pull the transport header, for example, when we use eBPF sockmap at the point of ->sk_data_ready(). __bpf_skb_min_len() uses an unsigned int to get these offsets, this leads to a very large number which then causes bpf_skb_change_tail() failed unexpectedly. Fix this by using a signed int to get these offsets and ensure the minimum is at least zero. Fixes: 5293efe62df8 ("bpf: add bpf_skb_change_tail helper") Signed-off-by: Cong Wang Signed-off-by: Daniel Borkmann Acked-by: John Fastabend Link: https://lore.kernel.org/bpf/20241213034057.246437-2-xiyou.wangcong@gmail.com commit 499551201b5f4fd3c0618a3e95e3d0d15ea18f31 Merge: d74276290cf92b 926e862058978a Author: Linus Torvalds Date: Fri Dec 20 14:10:01 2024 -0800 Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux Pull arm64 fix from Catalin Marinas: "Fix a sparse warning in the arm64 signal code dealing with the user shadow stack register, GCSPR_EL0" * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: arm64/signal: Silence sparse warning storing GCSPR_EL0 commit 5153a75ef34b3f7478ca918044d0f05eed8fb3f9 Author: Levi Zim Date: Sat Nov 30 21:38:23 2024 +0800 tcp_bpf: Fix copied value in tcp_bpf_sendmsg bpf kselftest sockhash::test_txmsg_cork_hangs in test_sockmap.c triggers a kernel NULL pointer dereference: BUG: kernel NULL pointer dereference, address: 0000000000000008 ? __die_body+0x6e/0xb0 ? __die+0x8b/0xa0 ? page_fault_oops+0x358/0x3c0 ? local_clock+0x19/0x30 ? lock_release+0x11b/0x440 ? kernelmode_fixup_or_oops+0x54/0x60 ? __bad_area_nosemaphore+0x4f/0x210 ? mmap_read_unlock+0x13/0x30 ? bad_area_nosemaphore+0x16/0x20 ? do_user_addr_fault+0x6fd/0x740 ? prb_read_valid+0x1d/0x30 ? exc_page_fault+0x55/0xd0 ? asm_exc_page_fault+0x2b/0x30 ? splice_to_socket+0x52e/0x630 ? shmem_file_splice_read+0x2b1/0x310 direct_splice_actor+0x47/0x70 splice_direct_to_actor+0x133/0x300 ? do_splice_direct+0x90/0x90 do_splice_direct+0x64/0x90 ? __ia32_sys_tee+0x30/0x30 do_sendfile+0x214/0x300 __se_sys_sendfile64+0x8e/0xb0 __x64_sys_sendfile64+0x25/0x30 x64_sys_call+0xb82/0x2840 do_syscall_64+0x75/0x110 entry_SYSCALL_64_after_hwframe+0x4b/0x53 This is caused by tcp_bpf_sendmsg() returning a larger value(12289) than size (8192), which causes the while loop in splice_to_socket() to release an uninitialized pipe buf. The underlying cause is that this code assumes sk_msg_memcopy_from_iter() will copy all bytes upon success but it actually might only copy part of it. This commit changes it to use the real copied bytes. Signed-off-by: Levi Zim Signed-off-by: Daniel Borkmann Tested-by: Björn Töpel Reviewed-by: John Fastabend Link: https://lore.kernel.org/bpf/20241130-tcp-bpf-sendmsg-v1-2-bae583d014f3@outlook.com commit fdf478d236dcf0f1f68534df5d456ced625195bd Author: Levi Zim Date: Sat Nov 30 21:38:22 2024 +0800 skmsg: Return copied bytes in sk_msg_memcopy_from_iter Previously sk_msg_memcopy_from_iter returns the copied bytes from the last copy_from_iter{,_nocache} call upon success. This commit changes it to return the total number of copied bytes on success. Signed-off-by: Levi Zim Signed-off-by: Daniel Borkmann Tested-by: Björn Töpel Reviewed-by: John Fastabend Link: https://lore.kernel.org/bpf/20241130-tcp-bpf-sendmsg-v1-1-bae583d014f3@outlook.com commit d74276290cf92bc16d129fc38883ab448128048c Merge: 11167b29e53b9a dd471e25770e7e Author: Linus Torvalds Date: Fri Dec 20 13:48:41 2024 -0800 Merge tag 'hwmon-for-v6.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging Pull hwmon fixes from Guenter Roeck: - Fix reporting of negative temperature, current, and voltage values in the tmp513 driver * tag 'hwmon-for-v6.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging: hwmon: (tmp513) Fix interpretation of values of Temperature Result and Limit Registers hwmon: (tmp513) Fix Current Register value interpretation hwmon: (tmp513) Fix interpretation of values of Shunt Voltage and Limit Registers commit 8600058ba28a7b07660ddcd150372d72fb3bc895 Author: Rob Herring (Arm) Date: Fri Dec 20 15:06:47 2024 -0600 of: Add coreboot firmware to excluded default cells list Google Juniper and other Chromebook platforms have a very old bootloader which populates /firmware node without proper address/size-cells leading to warnings: Missing '#address-cells' in /firmware WARNING: CPU: 0 PID: 1 at drivers/of/base.c:106 of_bus_n_addr_cells+0x90/0xf0 Modules linked in: CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0 #1 933ab9971ff4d5dc58cb378a96f64c7f72e3454d Hardware name: Google juniper sku16 board (DT) ... Missing '#size-cells' in /firmware WARNING: CPU: 0 PID: 1 at drivers/of/base.c:133 of_bus_n_size_cells+0x90/0xf0 Modules linked in: CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Tainted: G W 6.12.0 #1 933ab9971ff4d5dc58cb378a96f64c7f72e3454d Tainted: [W]=WARN Hardware name: Google juniper sku16 board (DT) These platform won't receive updated bootloader/firmware, so add an exclusion for platforms with a "coreboot" compatible node. While this is wider than necessary, that's the easiest fix and it doesn't doesn't matter if we miss checking other platforms using coreboot. We may revisit this later and address with a fixup to the DT itself. Reported-by: Sasha Levin Closes: https://lore.kernel.org/all/Z0NUdoG17EwuCigT@sashalap/ Cc: AngeloGioacchino Del Regno Cc: Matthias Brugger Cc: Chen-Yu Tsai Cc: Krzysztof Kozlowski Signed-off-by: Rob Herring (Arm) commit 11167b29e53b9a06635309445ead7edfd54e6616 Merge: 7c05bd92305d13 85672ca9ceeaa1 Author: Linus Torvalds Date: Fri Dec 20 13:37:58 2024 -0800 Merge tag 'block-6.13-20241220' of git://git.kernel.dk/linux Pull block fixes from Jens Axboe: - Minor cleanups for bdev/nvme using the helpers introduced - Revert of a deadlock fix that still needs more work - Fix a UAF of hctx in the cpu hotplug code * tag 'block-6.13-20241220' of git://git.kernel.dk/linux: block: avoid to reuse `hctx` not removed from cpuhp callback list block: Revert "block: Fix potential deadlock while freezing queue and acquiring sysfs_lock" nvme: use blk_validate_block_size() for max LBA check block/bdev: use helper for max block size check commit 7c05bd92305d13e18945270b7bfaf300d53f6ed2 Merge: e9b8ffafd20ad2 dbd2ca9367eb19 Author: Linus Torvalds Date: Fri Dec 20 13:32:43 2024 -0800 Merge tag 'io_uring-6.13-20241220' of git://git.kernel.dk/linux Pull io_uring fixes from Jens Axboe: - Fix for a file ref leak for registered ring fds - Turn the ->timeout_lock into a raw spinlock, as it nests under the io-wq lock which is a raw spinlock as it's called from the scheduler side - Limit ring resizing to DEFER_TASKRUN for now. We will broaden this in the future, but for now, ensure that it's only feasible on rings with a single user - Add sanity check for io-wq enqueuing * tag 'io_uring-6.13-20241220' of git://git.kernel.dk/linux: io_uring: check if iowq is killed before queuing io_uring/register: limit ring resizing to DEFER_TASKRUN io_uring: Fix registered ring file refcount leak io_uring: make ctx->timeout_lock a raw spinlock commit 5fe85a5c513344161cde33b79f8badc81b8aa8d3 Merge: 974e3fe0ac61de d4e338de17cb65 Author: Christian Brauner Date: Fri Dec 20 22:08:16 2024 +0100 Merge patch series "netfs, ceph, nfs, cachefiles: Miscellaneous fixes/changes" David Howells says: Here are some miscellaneous fixes and changes for netfslib and the ceph and nfs filesystems: (1) Ignore silly-rename files from afs and nfs when building the header archive in a kernel build. (2) netfs: Fix the way read result collection applies results to folios when each folio is being read by multiple subrequests and the results come out of order. (3) netfs: Fix ENOMEM handling in buffered reads. (4) nfs: Fix an oops in nfs_netfs_init_request() when copying to the cache. (5) cachefiles: Parse the "secctx" command immediately to get the correct error rather than leaving it to the "bind" command. (6) netfs: Remove a redundant smp_rmb(). This isn't a bug per se and could be deferred. (7) netfs: Fix missing barriers by using clear_and_wake_up_bit(). (8) netfs: Work around recursion in read retry by failing and abandoning the retried subrequest if no I/O is performed. [!] NOTE: This only works around the recursion problem if the recursion keeps returning no data. If the server manages, say, to repeatedly return a single byte of data faster than the retry algorithm can complete, it will still recurse and the stack overrun may still occur. Actually fixing this requires quite an intrusive change which will hopefully make the next merge window. (9) netfs: Fix the clearance of a folio_queue when unlocking the page if we're going to want to subsequently send the queue for copying to the cache (if, for example, we're using ceph). (10) netfs: Fix the lack of cancellation of copy-to-cache when the cache for a file is temporarily disabled (for example when a DIO write is done to the file). This patch and (9) fix hangs with ceph. With these patches, I can run xfstest -g quick to completion on ceph with a local cache. The patches can also be found here with a bonus cifs patch: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=netfs-fixes * patches from https://lore.kernel.org/r/20241213135013.2964079-1-dhowells@redhat.com: netfs: Fix is-caching check in read-retry netfs: Fix the (non-)cancellation of copy when cache is temporarily disabled netfs: Fix ceph copy to cache on write-begin netfs: Work around recursion by abandoning retry if nothing read netfs: Fix missing barriers by using clear_and_wake_up_bit() netfs: Remove redundant use of smp_rmb() cachefiles: Parse the "secctx" immediately nfs: Fix oops in nfs_netfs_init_request() when copying to cache netfs: Fix enomem handling in buffered reads netfs: Fix non-contiguous donation between completed reads kheaders: Ignore silly-rename files Link: https://lore.kernel.org/r/20241213135013.2964079-1-dhowells@redhat.com Signed-off-by: Christian Brauner commit d4e338de17cb6532bf805fae00db8b41e914009b Author: David Howells Date: Mon Dec 16 20:34:45 2024 +0000 netfs: Fix is-caching check in read-retry netfs: Fix is-caching check in read-retry The read-retry code checks the NETFS_RREQ_COPY_TO_CACHE flag to determine if there might be failed reads from the cache that need turning into reads from the server, with the intention of skipping the complicated part if it can. The code that set the flag, however, got lost during the read-side rewrite. Fix the check to see if the cache_resources are valid instead. The flag can then be removed. Fixes: ee4cdf7ba857 ("netfs: Speed up buffered reading") Signed-off-by: David Howells Link: https://lore.kernel.org/r/3752048.1734381285@warthog.procyon.org.uk cc: Jeff Layton cc: netfs@lists.linux.dev cc: linux-fsdevel@vger.kernel.org Signed-off-by: Christian Brauner commit d0327c824338cdccad058723a31d038ecd553409 Author: David Howells Date: Fri Dec 13 13:50:10 2024 +0000 netfs: Fix the (non-)cancellation of copy when cache is temporarily disabled When the caching for a cookie is temporarily disabled (e.g. due to a DIO write on that file), future copying to the cache for that file is disabled until all fds open on that file are closed. However, if netfslib is using the deprecated PG_private_2 method (such as is currently used by ceph), and decides it wants to copy to the cache, netfs_advance_write() will just bail at the first check seeing that the cache stream is unavailable, and indicate that it dealt with all the content. This means that we have no subrequests to provide notifications to drive the state machine or even to pin the request and the request just gets discarded, leaving the folios with PG_private_2 set. Fix this by jumping directly to cancel the request if the cache is not available. That way, we don't remove mark3 from the folio_queue list and netfs_pgpriv2_cancel() will clean up the folios. This was found by running the generic/013 xfstest against ceph with an active cache and the "-o fsc" option passed to ceph. That would usually hang Fixes: ee4cdf7ba857 ("netfs: Speed up buffered reading") Reported-by: Max Kellermann Closes: https://lore.kernel.org/r/CAKPOu+_4m80thNy5_fvROoxBm689YtA0dZ-=gcmkzwYSY4syqw@mail.gmail.com/ Signed-off-by: David Howells Link: https://lore.kernel.org/r/20241213135013.2964079-11-dhowells@redhat.com cc: Jeff Layton cc: Ilya Dryomov cc: Xiubo Li cc: netfs@lists.linux.dev cc: ceph-devel@vger.kernel.org cc: linux-fsdevel@vger.kernel.org Signed-off-by: Christian Brauner commit 38cf8e945721ffe708fa675507465da7f4f2a9f7 Author: David Howells Date: Fri Dec 13 13:50:09 2024 +0000 netfs: Fix ceph copy to cache on write-begin At the end of netfs_unlock_read_folio() in which folios are marked appropriately for copying to the cache (either with by being marked dirty and having their private data set or by having PG_private_2 set) and then unlocked, the folio_queue struct has the entry pointing to the folio cleared. This presents a problem for netfs_pgpriv2_write_to_the_cache(), which is used to write folios marked with PG_private_2 to the cache as it expects to be able to trawl the folio_queue list thereafter to find the relevant folios, leading to a hang. Fix this by not clearing the folio_queue entry if we're going to do the deprecated copy-to-cache. The clearance will be done instead as the folios are written to the cache. This can be reproduced by starting cachefiles, mounting a ceph filesystem with "-o fsc" and writing to it. Fixes: 796a4049640b ("netfs: In readahead, put the folio refs as soon extracted") Reported-by: Max Kellermann Closes: https://lore.kernel.org/r/CAKPOu+_4m80thNy5_fvROoxBm689YtA0dZ-=gcmkzwYSY4syqw@mail.gmail.com/ Signed-off-by: David Howells Link: https://lore.kernel.org/r/20241213135013.2964079-10-dhowells@redhat.com Fixes: ee4cdf7ba857 ("netfs: Speed up buffered reading") cc: Jeff Layton cc: Ilya Dryomov cc: Xiubo Li cc: netfs@lists.linux.dev cc: ceph-devel@vger.kernel.org cc: linux-fsdevel@vger.kernel.org Signed-off-by: Christian Brauner commit 4acb665cf4f3e5436844f17ece0a8a55ce688c7b Author: David Howells Date: Fri Dec 13 13:50:08 2024 +0000 netfs: Work around recursion by abandoning retry if nothing read syzkaller reported recursion with a loop of three calls (netfs_rreq_assess, netfs_retry_reads and netfs_rreq_terminated) hitting the limit of the stack during an unbuffered or direct I/O read. There are a number of issues: (1) There is no limit on the number of retries. (2) A subrequest is supposed to be abandoned if it does not transfer anything (NETFS_SREQ_NO_PROGRESS), but that isn't checked under all circumstances. (3) The actual root cause, which is this: if (atomic_dec_and_test(&rreq->nr_outstanding)) netfs_rreq_terminated(rreq, ...); When we do a retry, we bump the rreq->nr_outstanding counter to prevent the final cleanup phase running before we've finished dispatching the retries. The problem is if we hit 0, we have to do the cleanup phase - but we're in the cleanup phase and end up repeating the retry cycle, hence the recursion. Work around the problem by limiting the number of retries. This is based on Lizhi Xu's patch[1], and makes the following changes: (1) Replace NETFS_SREQ_NO_PROGRESS with NETFS_SREQ_MADE_PROGRESS and make the filesystem set it if it managed to read or write at least one byte of data. Clear this bit before issuing a subrequest. (2) Add a ->retry_count member to the subrequest and increment it any time we do a retry. (3) Remove the NETFS_SREQ_RETRYING flag as it is superfluous with ->retry_count. If the latter is non-zero, we're doing a retry. (4) Abandon a subrequest if retry_count is non-zero and we made no progress. (5) Use ->retry_count in both the write-side and the read-size. [?] Question: Should I set a hard limit on retry_count in both read and write? Say it hits 50, we always abandon it. The problem is that these changes only mitigate the issue. As long as it made at least one byte of progress, the recursion is still an issue. This patch mitigates the problem, but does not fix the underlying cause. I have patches that will do that, but it's an intrusive fix that's currently pending for the next merge window. The oops generated by KASAN looks something like: BUG: TASK stack guard page was hit at ffffc9000482ff48 (stack is ffffc90004830000..ffffc90004838000) Oops: stack guard page: 0000 [#1] PREEMPT SMP KASAN NOPTI ... RIP: 0010:mark_lock+0x25/0xc60 kernel/locking/lockdep.c:4686 ... mark_usage kernel/locking/lockdep.c:4646 [inline] __lock_acquire+0x906/0x3ce0 kernel/locking/lockdep.c:5156 lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5825 local_lock_acquire include/linux/local_lock_internal.h:29 [inline] ___slab_alloc+0x123/0x1880 mm/slub.c:3695 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3908 __slab_alloc_node mm/slub.c:3961 [inline] slab_alloc_node mm/slub.c:4122 [inline] kmem_cache_alloc_noprof+0x2a7/0x2f0 mm/slub.c:4141 radix_tree_node_alloc.constprop.0+0x1e8/0x350 lib/radix-tree.c:253 idr_get_free+0x528/0xa40 lib/radix-tree.c:1506 idr_alloc_u32+0x191/0x2f0 lib/idr.c:46 idr_alloc+0xc1/0x130 lib/idr.c:87 p9_tag_alloc+0x394/0x870 net/9p/client.c:321 p9_client_prepare_req+0x19f/0x4d0 net/9p/client.c:644 p9_client_zc_rpc.constprop.0+0x105/0x880 net/9p/client.c:793 p9_client_read_once+0x443/0x820 net/9p/client.c:1570 p9_client_read+0x13f/0x1b0 net/9p/client.c:1534 v9fs_issue_read+0x115/0x310 fs/9p/vfs_addr.c:74 netfs_retry_read_subrequests fs/netfs/read_retry.c:60 [inline] netfs_retry_reads+0x153a/0x1d00 fs/netfs/read_retry.c:232 netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371 netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407 netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235 netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371 netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407 netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235 netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371 ... netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407 netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235 netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371 netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407 netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235 netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371 netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407 netfs_dispatch_unbuffered_reads fs/netfs/direct_read.c:103 [inline] netfs_unbuffered_read fs/netfs/direct_read.c:127 [inline] netfs_unbuffered_read_iter_locked+0x12f6/0x19b0 fs/netfs/direct_read.c:221 netfs_unbuffered_read_iter+0xc5/0x100 fs/netfs/direct_read.c:256 v9fs_file_read_iter+0xbf/0x100 fs/9p/vfs_file.c:361 do_iter_readv_writev+0x614/0x7f0 fs/read_write.c:832 vfs_readv+0x4cf/0x890 fs/read_write.c:1025 do_preadv fs/read_write.c:1142 [inline] __do_sys_preadv fs/read_write.c:1192 [inline] __se_sys_preadv fs/read_write.c:1187 [inline] __x64_sys_preadv+0x22d/0x310 fs/read_write.c:1187 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 Fixes: ee4cdf7ba857 ("netfs: Speed up buffered reading") Closes: https://syzkaller.appspot.com/bug?extid=1fc6f64c40a9d143cfb6 Signed-off-by: David Howells Link: https://lore.kernel.org/r/20241108034020.3695718-1-lizhi.xu@windriver.com/ [1] Link: https://lore.kernel.org/r/20241213135013.2964079-9-dhowells@redhat.com Tested-by: syzbot+885c03ad650731743489@syzkaller.appspotmail.com Suggested-by: Lizhi Xu cc: Dominique Martinet cc: Jeff Layton cc: v9fs@lists.linux.dev cc: netfs@lists.linux.dev cc: linux-fsdevel@vger.kernel.org Reported-by: syzbot+885c03ad650731743489@syzkaller.appspotmail.com Signed-off-by: Christian Brauner commit aa3956418985bda1f68313eadde3267921847978 Author: David Howells Date: Fri Dec 13 13:50:07 2024 +0000 netfs: Fix missing barriers by using clear_and_wake_up_bit() Use clear_and_wake_up_bit() rather than something like: clear_bit_unlock(NETFS_RREQ_IN_PROGRESS, &rreq->flags); wake_up_bit(&rreq->flags, NETFS_RREQ_IN_PROGRESS); as there needs to be a barrier inserted between which is present in clear_and_wake_up_bit(). Fixes: 288ace2f57c9 ("netfs: New writeback implementation") Fixes: ee4cdf7ba857 ("netfs: Speed up buffered reading") Signed-off-by: David Howells Link: https://lore.kernel.org/r/20241213135013.2964079-8-dhowells@redhat.com Reviewed-by: Akira Yokosawa cc: Zilin Guan cc: Akira Yokosawa cc: Jeff Layton cc: netfs@lists.linux.dev cc: linux-fsdevel@vger.kernel.org Signed-off-by: Christian Brauner commit f4d3cde410cc62b5483f59f0f3454a5c5203a2cb Author: Zilin Guan Date: Fri Dec 13 13:50:06 2024 +0000 netfs: Remove redundant use of smp_rmb() The function netfs_unbuffered_write_iter_locked() in fs/netfs/direct_write.c contains an unnecessary smp_rmb() call after wait_on_bit(). Since wait_on_bit() already incorporates a memory barrier that ensures the flag update is visible before the function returns, the smp_rmb() provides no additional benefit and incurs unnecessary overhead. This patch removes the redundant barrier to simplify and optimize the code. Signed-off-by: Zilin Guan Signed-off-by: David Howells Link: https://lore.kernel.org/r/20241207021952.2978530-1-zilin@seu.edu.cn/ Link: https://lore.kernel.org/r/20241213135013.2964079-7-dhowells@redhat.com Reviewed-by: Akira Yokosawa cc: Akira Yokosawa cc: Jeff Layton cc: netfs@lists.linux.dev cc: linux-fsdevel@vger.kernel.org Signed-off-by: Christian Brauner commit e5a8b6446c0d370716f193771ccacf3260a57534 Author: Max Kellermann Date: Fri Dec 13 13:50:05 2024 +0000 cachefiles: Parse the "secctx" immediately Instead of storing an opaque string, call security_secctx_to_secid() right in the "secctx" command handler and store only the numeric "secid". This eliminates an unnecessary string allocation and allows the daemon to receive errors when writing the "secctx" command instead of postponing the error to the "bind" command handler. For example, if the kernel was built without `CONFIG_SECURITY`, "bind" will return `EOPNOTSUPP`, but the daemon doesn't know why. With this patch, the "secctx" will instead return `EOPNOTSUPP` which is the right context for this error. This patch adds a boolean flag `have_secid` because I'm not sure if we can safely assume that zero is the special secid value for "not set". This appears to be true for SELinux, Smack and AppArmor, but since this attribute is not documented, I'm unable to derive a stable guarantee for that. Signed-off-by: Max Kellermann Signed-off-by: David Howells Link: https://lore.kernel.org/r/20241209141554.638708-1-max.kellermann@ionos.com/ Link: https://lore.kernel.org/r/20241213135013.2964079-6-dhowells@redhat.com Signed-off-by: Christian Brauner commit 86ad1a58f6a9453f49e06ef957a40a8dac00a13f Author: David Howells Date: Fri Dec 13 13:50:04 2024 +0000 nfs: Fix oops in nfs_netfs_init_request() when copying to cache When netfslib wants to copy some data that has just been read on behalf of nfs, it creates a new write request and calls nfs_netfs_init_request() to initialise it, but with a NULL file pointer. This causes nfs_file_open_context() to oops - however, we don't actually need the nfs context as we're only going to write to the cache. Fix this by just returning if we aren't given a file pointer and emit a warning if the request was for something other than copy-to-cache. Further, fix nfs_netfs_free_request() so that it doesn't try to free the context if the pointer is NULL. Fixes: ee4cdf7ba857 ("netfs: Speed up buffered reading") Reported-by: Max Kellermann Closes: https://lore.kernel.org/r/CAKPOu+9DyMbKLhyJb7aMLDTb=Fh0T8Teb9sjuf_pze+XWT1VaQ@mail.gmail.com/ Signed-off-by: David Howells Link: https://lore.kernel.org/r/20241213135013.2964079-5-dhowells@redhat.com cc: Trond Myklebust cc: Anna Schumaker cc: Dave Wysochanski cc: Jeff Layton cc: linux-nfs@vger.kernel.org cc: netfs@lists.linux.dev cc: linux-fsdevel@vger.kernel.org Signed-off-by: Christian Brauner commit 105549d09a539a876b7c3330ab52d8aceedad358 Author: David Howells Date: Fri Dec 13 13:50:03 2024 +0000 netfs: Fix enomem handling in buffered reads If netfs_read_to_pagecache() gets an error from either ->prepare_read() or from netfs_prepare_read_iterator(), it needs to decrement ->nr_outstanding, cancel the subrequest and break out of the issuing loop. Currently, it only does this for two of the cases, but there are two more that aren't handled. Fix this by moving the handling to a common place and jumping to it from all four places. This is in preference to inserting a wrapper around netfs_prepare_read_iterator() as proposed by Dmitry Antipov[1]. Link: https://lore.kernel.org/r/20241202093943.227786-1-dmantipov@yandex.ru/ [1] Fixes: ee4cdf7ba857 ("netfs: Speed up buffered reading") Reported-by: syzbot+404b4b745080b6210c6c@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=404b4b745080b6210c6c Signed-off-by: David Howells Link: https://lore.kernel.org/r/20241213135013.2964079-4-dhowells@redhat.com Tested-by: syzbot+404b4b745080b6210c6c@syzkaller.appspotmail.com cc: Dmitry Antipov cc: Jeff Layton cc: netfs@lists.linux.dev cc: linux-fsdevel@vger.kernel.org Signed-off-by: Christian Brauner commit c8b90d40d5bba8e6fba457b8a7c10d3c0d467e37 Author: David Howells Date: Fri Dec 13 13:50:02 2024 +0000 netfs: Fix non-contiguous donation between completed reads When a read subrequest finishes, if it doesn't have sufficient coverage to complete the folio(s) covering either side of it, it will donate the excess coverage to the adjacent subrequests on either side, offloading responsibility for unlocking the folio(s) covered to them. Now, preference is given to donating down to a lower file offset over donating up because that check is done first - but there's no check that the lower subreq is actually contiguous, and so we can end up donating incorrectly. The scenario seen[1] is that an 8MiB readahead request spanning four 2MiB folios is split into eight 1MiB subreqs (numbered 1 through 8). These terminate in the order 1,6,2,5,3,7,4,8. What happens is: - 1 donates to 2 - 6 donates to 5 - 2 completes, unlocking the first folio (with 1). - 5 completes, unlocking the third folio (with 6). - 3 donates to 4 - 7 donates to 4 incorrectly - 4 completes, unlocking the second folio (with 3), but can't use the excess from 7. - 8 donates to 4, also incorrectly. Fix this by preventing downward donation if the subreqs are not contiguous (in the example above, 7 donates to 4 across the gap left by 5 and 6). Reported-by: Shyam Prasad N Closes: https://lore.kernel.org/r/CANT5p=qBwjBm-D8soFVVtswGEfmMtQXVW83=TNfUtvyHeFQZBA@mail.gmail.com/ Signed-off-by: David Howells Link: https://lore.kernel.org/r/526707.1733224486@warthog.procyon.org.uk/ [1] Link: https://lore.kernel.org/r/20241213135013.2964079-3-dhowells@redhat.com cc: Steve French cc: Paulo Alcantara cc: Jeff Layton cc: linux-cifs@vger.kernel.org cc: netfs@lists.linux.dev cc: linux-fsdevel@vger.kernel.org Signed-off-by: Christian Brauner commit 973b710b8821c3401ad7a25360c89e94b26884ac Author: David Howells Date: Fri Dec 13 13:50:01 2024 +0000 kheaders: Ignore silly-rename files Tell tar to ignore silly-rename files (".__afs*" and ".nfs*") when building the header archive. These occur when a file that is open is unlinked locally, but hasn't yet been closed. Such files are visible to the user via the getdents() syscall and so programs may want to do things with them. During the kernel build, such files may be made during the processing of header files and the cleanup may get deferred by fput() which may result in tar seeing these files when it reads the directory, but they may have disappeared by the time it tries to open them, causing tar to fail with an error. Further, we don't want to include them in the tarball if they still exist. With CONFIG_HEADERS_INSTALL=y, something like the following may be seen: find: './kernel/.tmp_cpio_dir/include/dt-bindings/reset/.__afs2080': No such file or directory tar: ./include/linux/greybus/.__afs3C95: File removed before we read it The find warning doesn't seem to cause a problem. Fix this by telling tar when called from in gen_kheaders.sh to exclude such files. This only affects afs and nfs; cifs uses the Windows Hidden attribute to prevent the file from being seen. Signed-off-by: David Howells Link: https://lore.kernel.org/r/20241213135013.2964079-2-dhowells@redhat.com cc: Masahiro Yamada cc: Marc Dionne cc: linux-afs@lists.infradead.org cc: linux-nfs@vger.kernel.org cc: linux-kernel@vger.kernel.org Signed-off-by: Christian Brauner commit 30b981796b94b083da8fdded7cb74cb493608760 Author: Jakub Kicinski Date: Wed Dec 18 19:28:33 2024 -0800 selftests: drv-net: test empty queue and NAPI responses in netlink Make sure kernel doesn't respond to GETs for queues and NAPIs when link is down. Not with valid data, or with empty message, we want a ENOENT. Link: https://patch.msgid.link/20241219032833.1165433-2-kuba@kernel.org Signed-off-by: Jakub Kicinski commit 4a25201aa46ce88e8e31f9ccdec0e4e3dd6bb736 Author: Jakub Kicinski Date: Wed Dec 18 19:28:32 2024 -0800 netdev-genl: avoid empty messages in napi get Empty netlink responses from do() are not correct (as opposed to dump() where not dumping anything is perfectly fine). We should return an error if the target object does not exist, in this case if the netdev is down we "hide" the NAPI instances. Fixes: 27f91aaf49b3 ("netdev-genl: Add netlink framework functions for napi") Reviewed-by: Eric Dumazet Link: https://patch.msgid.link/20241219032833.1165433-1-kuba@kernel.org Signed-off-by: Jakub Kicinski commit 246068b86b1c36e4590388ab8f278e21f1997dc1 Author: Vladimir Oltean Date: Thu Dec 19 17:54:10 2024 +0200 selftests: net: local_termination: require mausezahn Since the blamed commit, we require mausezahn because send_raw() uses it. Remove the "REQUIRE_MZ=no" line, which overwrites the default of requiring it. Fixes: 237979504264 ("selftests: net: local_termination: add PTP frames to the mix") Signed-off-by: Vladimir Oltean Link: https://patch.msgid.link/20241219155410.1856868-1-vladimir.oltean@nxp.com Signed-off-by: Jakub Kicinski commit e9b8ffafd20ad21357a789cc58ffaa162b3ad074 Merge: 5127e1495b04c4 1b62f3cb74d296 Author: Linus Torvalds Date: Fri Dec 20 11:09:40 2024 -0800 Merge tag 'usb-6.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb Pull USB / Thunderbolt fixes from Greg KH: "Here are some important, and small, fixes for USB and Thunderbolt issues that have come up in the -rc releases. And some new device ids for good measure. Included in here are: - Much reported xhci bugfix for usb-storage devices (and other devices as well, tripped me up on a video camera) - thunderbolt fixes for some small reported issues - new usb-serial device ids All of these have been in linux-next this week with no reported issues" * tag 'usb-6.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: usb: xhci: fix ring expansion regression in 6.13-rc1 xhci: Turn NEC specific quirk for handling Stop Endpoint errors generic thunderbolt: Improve redrive mode handling USB: serial: option: add Telit FE910C04 rmnet compositions USB: serial: option: add MediaTek T7XX compositions USB: serial: option: add Netprisma LCUK54 modules for WWAN Ready USB: serial: option: add MeiG Smart SLM770A USB: serial: option: add TCL IK512 MBIM & ECM thunderbolt: Don't display nvm_version unless upgrade supported thunderbolt: Add support for Intel Panther Lake-M/P commit 5127e1495b04c4516f3d9ab5bd6f241873793245 Merge: b648264cd490c8 7f9a1eed1ad8b2 Author: Linus Torvalds Date: Fri Dec 20 11:06:25 2024 -0800 Merge tag 'spi-fix-v6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi Pull spi fix from Mark Brown: "A fix for the remove path of the Rockchip driver, the code was just clearly and obviously wrong" * tag 'spi-fix-v6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi: spi: rockchip-sfc: Fix error in remove progress commit b648264cd490c811a9a6b43bd478e1656b44b447 Merge: af215c980c1fbf 13221496065fa1 Author: Linus Torvalds Date: Fri Dec 20 11:04:02 2024 -0800 Merge tag 'regulator-fix-v6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator Pull regulator fix from Mark Brown: "The recently added regulator-uv-survival-time-ms property was renamed during the review of the series that added it, but unfortunately only in the DT binding and not in the code that parses the binding. This brings the code in line with the binding, if someone started using the original name we can add compat support for it but there's nothing upstream yet and it's a very niche feature so hopefully not" * tag 'regulator-fix-v6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator: regulator: rename regulator-uv-survival-time-ms according to DT binding commit af215c980c1fbf1ca01675b128b0dd194745b880 Merge: 5b83bcdea52153 e639fb046b8150 Author: Linus Torvalds Date: Fri Dec 20 10:17:53 2024 -0800 Merge tag 'drm-fixes-2024-12-20' of https://gitlab.freedesktop.org/drm/kernel Pull drm fixes from Dave Airlie: "Probably the last pull before Christmas holidays, I'll still be around for most of the time anyways, nothing too major in here, bunch of amdgpu and i915 along with a smattering of fixes across the board. core: - fix FB dependency - avoid div by 0 more in vrefresh - maintainers update display: - fix DP tunnel error path dma-buf: - fix !DEBUG_FS sched: - docs warning fix panel: - collection of misc panel fixes i915: - Reset engine utilization buffer before registration - Ensure busyness counter increases motonically - Accumulate active runtime on gt reset amdgpu: - Disable BOCO when CONFIG_HOTPLUG_PCI_PCIE is not enabled - scheduler job fixes - IP version check fixes - devcoredump fix - GPUVM update fix - NBIO 2.5 fix udmabuf: - fix memory leak on last export - sealing fixes ivpu: - fix NULL pointer - fix memory leak - fix WARN" * tag 'drm-fixes-2024-12-20' of https://gitlab.freedesktop.org/drm/kernel: (33 commits) drm/sched: Fix drm_sched_fini() docu generation accel/ivpu: Fix WARN in ivpu_ipc_send_receive_internal() accel/ivpu: Fix memory leak in ivpu_mmu_reserved_context_init() accel/ivpu: Fix general protection fault in ivpu_bo_list() drm/amdgpu/nbio7.0: fix IP version check drm/amd: Update strapping for NBIO 2.5.0 drm/amdgpu: Handle NULL bo->tbo.resource (again) in amdgpu_vm_bo_update drm/amdgpu: fix amdgpu_coredump drm/amdgpu/smu14.0.2: fix IP version check drm/amdgpu/gfx12: fix IP version check drm/amdgpu/mmhub4.1: fix IP version check drm/amdgpu/nbio7.11: fix IP version check drm/amdgpu/nbio7.7: fix IP version check drm/amdgpu: don't access invalid sched drm/amd: Require CONFIG_HOTPLUG_PCI_PCIE for BOCO drm: rework FB_CORE dependency drm/fbdev: Select FB_CORE dependency for fbdev on DMA and TTM fbdev: Fix recursive dependencies wrt BACKLIGHT_CLASS_DEVICE i915/guc: Accumulate active runtime on gt reset i915/guc: Ensure busyness counter increases motonically ... commit 5b83bcdea521534f370cd2b24bc8cbd76c8a6f32 Merge: 8faabc041a0011 8cd63406d08110 Author: Linus Torvalds Date: Fri Dec 20 10:13:26 2024 -0800 Merge tag 'trace-ringbuffer-v6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace Pull ring-buffer fixes from Steven Rostedt: - Fix possible overflow of mmapped ring buffer with bad offset If the mmap() to the ring buffer passes in a start address that is passed the end of the mmapped file, it is not caught and a slab-out-of-bounds is triggered. Add a check to make sure the start address is within the bounds - Do not use TP_printk() to boot mapped ring buffers As a boot mapped ring buffer's data may have pointers that map to the previous boot's memory map, it is unsafe to allow the TP_printk() to be used to read the boot mapped buffer's events. If a TP_printk() points to a static string from within the kernel it will not match the current kernel mapping if KASLR is active, and it can fault. Have it simply print out the raw fields. * tag 'trace-ringbuffer-v6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: trace/ring-buffer: Do not use TP_printk() formatting for boot mapped buffers ring-buffer: Fix overflow in __rb_map_vma commit 724c6ce38bbaeb4b3f109b0e066d6c0ecd15446c Author: Alexander Lobakin Date: Thu Dec 19 14:57:34 2024 +0100 stddef: make __struct_group() UAPI C++-friendly For the most part of the C++ history, it couldn't have type declarations inside anonymous unions for different reasons. At the same time, __struct_group() relies on the latters, so when the @TAG argument is not empty, C++ code doesn't want to build (even under `extern "C"`): ../linux/include/uapi/linux/pkt_cls.h:25:24: error: 'struct tc_u32_sel::::tc_u32_sel_hdr,' invalid; an anonymous union may only have public non-static data members [-fpermissive] The safest way to fix this without trying to switch standards (which is impossible in UAPI anyway) etc., is to disable tag declaration for that language. This won't break anything since for now it's not buildable at all. Use a separate definition for __struct_group() when __cplusplus is defined to mitigate the error, including the version from tools/. Fixes: 50d7bd38c3aa ("stddef: Introduce struct_group() helper macro") Reported-by: Christopher Ferris Closes: https://lore.kernel.org/linux-hardening/Z1HZpe3WE5As8UAz@google.com Suggested-by: Kees Cook # __struct_group_tag() Signed-off-by: Alexander Lobakin Reviewed-by: Gustavo A. R. Silva Link: https://lore.kernel.org/r/20241219135734.2130002-1-aleksander.lobakin@intel.com Signed-off-by: Kees Cook commit a31ffd6ed5ee994e1c04dc794499a0c04618dc55 Merge: a61dae110138b4 058387d9c6b70e Author: Arnd Bergmann Date: Fri Dec 20 18:02:27 2024 +0100 Merge tag 'arm-soc/for-6.13/devicetree-arm64-fixes' of https://github.com/Broadcom/stblinux into arm/fixes This pull request contains Broadcom ARM64-based SoCs Device Tree fixes for 6.13, please pull the following: - Willow corrects the L2 cache line size on the Raspberry Pi 5 (2712) to the correct value of 64 bytes * tag 'arm-soc/for-6.13/devicetree-arm64-fixes' of https://github.com/Broadcom/stblinux: arm64: dts: broadcom: Fix L2 linesize for Raspberry Pi 5 Link: https://lore.kernel.org/r/20241217190547.868744-1-florian.fainelli@broadcom.com Signed-off-by: Arnd Bergmann commit a61dae110138b4eb7e4ffab301d156bc2ce13605 Merge: f578281000c50c 48808b55b07c3c Author: Arnd Bergmann Date: Fri Dec 20 18:00:30 2024 +0100 Merge tag 'riscv-soc-fixes-for-v6.13-rc4' of https://git.kernel.org/pub/scm/linux/kernel/git/conor/linux into arm/fixes RISC-V soc driver fixes for v6.13-rc4 A single fix for the Auto Update driver, where a mistake in array indexing (accessing as a u32 rather than a u8) caused the driver to read the wrong feature disable bits. Signed-off-by: Conor Dooley * tag 'riscv-soc-fixes-for-v6.13-rc4' of https://git.kernel.org/pub/scm/linux/kernel/git/conor/linux: firmware: microchip: fix UL_IAP lock check in mpfs_auto_update_state() Link: https://lore.kernel.org/r/20241218-suffrage-unfazed-fa0113072a42@spud Signed-off-by: Arnd Bergmann commit d888b7af7c149c115dd6ac772cc11c375da3e17c Author: Zijian Zhang Date: Tue Dec 10 01:20:39 2024 +0000 tcp_bpf: Add sk_rmem_alloc related logic for tcp_bpf ingress redirection When we do sk_psock_verdict_apply->sk_psock_skb_ingress, an sk_msg will be created out of the skb, and the rmem accounting of the sk_msg will be handled by the skb. For skmsgs in __SK_REDIRECT case of tcp_bpf_send_verdict, when redirecting to the ingress of a socket, although we sk_rmem_schedule and add sk_msg to the ingress_msg of sk_redir, we do not update sk_rmem_alloc. As a result, except for the global memory limit, the rmem of sk_redir is nearly unlimited. Thus, add sk_rmem_alloc related logic to limit the recv buffer. Since the function sk_msg_recvmsg and __sk_psock_purge_ingress_msg are used in these two paths. We use "msg->skb" to test whether the sk_msg is skb backed up. If it's not, we shall do the memory accounting explicitly. Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface") Signed-off-by: Zijian Zhang Signed-off-by: Daniel Borkmann Reviewed-by: John Fastabend Link: https://lore.kernel.org/bpf/20241210012039.1669389-3-zijianzhang@bytedance.com commit 54f89b3178d5448dd4457afbb98fc1ab99090a65 Author: Cong Wang Date: Tue Dec 10 01:20:38 2024 +0000 tcp_bpf: Charge receive socket buffer in bpf_tcp_ingress() When bpf_tcp_ingress() is called, the skmsg is being redirected to the ingress of the destination socket. Therefore, we should charge its receive socket buffer, instead of sending socket buffer. Because sk_rmem_schedule() tests pfmemalloc of skb, we need to introduce a wrapper and call it for skmsg. Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface") Signed-off-by: Cong Wang Signed-off-by: Daniel Borkmann Reviewed-by: John Fastabend Link: https://lore.kernel.org/bpf/20241210012039.1669389-2-zijianzhang@bytedance.com commit 669bf56cb2a197bca968ed6079226ee340606671 Author: Bingwu Zhang Date: Sun Dec 8 12:13:52 2024 +0800 mailmap: update Bingwu Zhang's email address I used to contribute to the kernel as 'Bingwu Zhang ' and 'Zhang Bingwu '. Signed-off-by: Bingwu Zhang Link: https://lore.kernel.org/r/20241208041352.168131-2-xtex@envs.net Signed-off-by: Greg Kroah-Hartman commit baf8855c916007a8a372576b65492316f43ed60b Author: Arnd Bergmann Date: Fri Dec 13 07:49:51 2024 +0100 staging: gpib: fix address space mixup Throughout the gpib drivers, a 'void *' struct member is used in place of either port numbers or __iomem pointers, which leads to lots of extra type casts, sparse warnings and less portable code. Split the struct member in two separate ones with the correct types, so each driver can pick which one to use. Signed-off-by: Arnd Bergmann Link: https://lore.kernel.org/all/f10e976e-7a04-4454-b38d-39cd18f142da@roeck-us.net/ Link: https://lore.kernel.org/r/20241213064959.1045243-3-arnd@kernel.org Signed-off-by: Greg Kroah-Hartman commit fec866a00360a19a1f4c8e6bd123a4d1b2d5a8ee Author: Arnd Bergmann Date: Fri Dec 13 07:49:50 2024 +0100 staging: gpib: use ioport_map The tnt4882 backend has a rather elabolate way of abstracting the PIO and MMIO based hardware variants, duplicating the functionality of ioport_map() in a less portable way. Change it to use ioport_map() with ioread8()/iowrite8() to do this more easily. Signed-off-by: Arnd Bergmann Link: https://lore.kernel.org/r/20241213064959.1045243-2-arnd@kernel.org Signed-off-by: Greg Kroah-Hartman commit edbb7200ca99b29b173ea4f3f473e4e8db595025 Author: Arnd Bergmann Date: Fri Dec 13 07:49:49 2024 +0100 staging: gpib: fix pcmcia dependencies With CONFIG_PCMCIA=m, the gpib drivers that optionally support PCMCIA cannot be built-in. Add a Kconfig dependency to force these to be loadable modules as well, and change the GPIB_PCMCIA symbol to have the correct state for that. Signed-off-by: Arnd Bergmann Link: https://lore.kernel.org/r/20241213064959.1045243-1-arnd@kernel.org Signed-off-by: Greg Kroah-Hartman commit 003d2abde115102a3e62c1a96d2cb8c5345b2af2 Author: Arnd Bergmann Date: Fri Dec 13 09:31:12 2024 +0100 staging: gpib: add module author and description fields The FMH driver is still missing both, so take them from the comment at the start of the file. Fixes: 8e4841a0888c ("staging: gpib: Add Frank Mori Hess FPGA PCI GPIB driver") Signed-off-by: Arnd Bergmann Reviewed-by: Dominik Karol Piątkowski Link: https://lore.kernel.org/r/20241213083119.2607901-1-arnd@kernel.org Signed-off-by: Greg Kroah-Hartman commit 79d2e1919a2728ef49d938eb20ebd5903c14dfb0 Author: Arnd Bergmann Date: Thu Dec 12 16:42:35 2024 +0100 staging: gpib: fix Makefiles Having gpib drivers built-in rather than as loadable modules causes link failure because the drivers are never actually built: arm-linux-gnueabi-ld: drivers/staging/gpib/fmh_gpib/fmh_gpib.o: in function `fmh_gpib_t1_delay': fmh_gpib.c:(.text+0x3b0): undefined reference to `nec7210_t1_delay' arm-linux-gnueabi-ld: drivers/staging/gpib/fmh_gpib/fmh_gpib.o: in function `fmh_gpib_serial_poll_status': fmh_gpib.c:(.text+0x418): undefined reference to `nec7210_serial_poll_status' arm-linux-gnueabi-ld: drivers/staging/gpib/fmh_gpib/fmh_gpib.o: in function `fmh_gpib_secondary_address': fmh_gpib.c:(.text+0x57c): undefined reference to `nec7210_secondary_address' arm-linux-gnueabi-ld: drivers/staging/gpib/fmh_gpib/fmh_gpib.o: in function `fmh_gpib_primary_address': fmh_gpib.c:(.text+0x5ac): undefined reference to `nec7210_primary_address' Change this to use the correct Makefile syntax, setting either obj-m or obj-y. Signed-off-by: Arnd Bergmann Link: https://lore.kernel.org/r/20241212154245.1411411-2-arnd@kernel.org Signed-off-by: Greg Kroah-Hartman commit d99d65aeddf437c052031043c96f94f93f0124d6 Author: Arnd Bergmann Date: Thu Dec 12 16:42:34 2024 +0100 staging: gpib: make global 'usec_diff' functions static Trying to build both gpib_bitbang and lpvo_usb_gpib into the kernel reveals a function that should have been static and is also duplicated: x86_64-linux-ld: drivers/staging/gpib/lpvo_usb_gpib/lpvo_usb_gpib.o: in function `usec_diff': lpvo_usb_gpib.c:(.text+0x23c0): multiple definition of `usec_diff'; drivers/staging/gpib/gpio/gpib_bitbang.o:gpib_bitbang.c:(.text+0x2470): first defined here Signed-off-by: Arnd Bergmann Link: https://lore.kernel.org/r/20241212154245.1411411-1-arnd@kernel.org Signed-off-by: Greg Kroah-Hartman commit 8c41fae53016c2c9796441148c08b754c4e7dfc8 Author: Jiapeng Chong Date: Fri Dec 6 10:25:04 2024 +0800 staging: gpib: Modify mismatched function name No functional modification involved. drivers/staging/gpib/lpvo_usb_gpib/lpvo_usb_gpib.c:676: warning: expecting prototype for interface_clear(). Prototype was for usb_gpib_interface_clear() instead. drivers/staging/gpib/lpvo_usb_gpib/lpvo_usb_gpib.c:654: warning: expecting prototype for go_to_standby(). Prototype was for usb_gpib_go_to_standby() instead. drivers/staging/gpib/lpvo_usb_gpib/lpvo_usb_gpib.c:636: warning: expecting prototype for enable_eos(). Prototype was for usb_gpib_enable_eos() instead. drivers/staging/gpib/lpvo_usb_gpib/lpvo_usb_gpib.c:618: warning: expecting prototype for disable_eos(). Prototype was for usb_gpib_disable_eos() instead. Reported-by: Abaci Robot Closes: https://bugzilla.openanolis.cn/show_bug.cgi?id=12253 Signed-off-by: Jiapeng Chong Link: https://lore.kernel.org/r/20241206022504.69670-1-jiapeng.chong@linux.alibaba.com Signed-off-by: Greg Kroah-Hartman commit fd1885db8ecab1abc96dbb9df49b0d4b9eed1672 Author: Dave Penkler Date: Sat Dec 7 13:34:10 2024 +0100 staging: gpib: Add lower bound check for secondary address Commit 9dde4559e939 ("staging: gpib: Add GPIB common core driver") from Sep 18, 2024 (linux-next), leads to the following Smatch static checker warning: drivers/staging/gpib/common/gpib_os.c:541 dvrsp() warn: no lower bound on 'sad' rl='s32min-30' The value -1 was introduced in user land to signify No secondary address to the driver so that a lower bound check could be added. This patch adds that check. Reported-by: Dan Carpenter Closes: https://lore.kernel.org/linux-staging/4efd91f3-4259-4e95-a4e0-925853b98858@stanley.mountain/ Signed-off-by: Dave Penkler Link: https://lore.kernel.org/r/20241207123410.28759-1-dpenkler@gmail.com Signed-off-by: Greg Kroah-Hartman commit 4da38536e2190fb5bfabfcf5229f4d5398648295 Author: Dave Penkler Date: Thu Dec 5 10:34:42 2024 +0100 staging: gpib: Fix erroneous removal of blank before newline The USB_GPIB_SET_LINES command string used to be: "\nIBDC \n" but when we were merging this code into the upstream kernel we deleted the space character before the newline to make checkpatch happy. That turned out to be a mistake. The "\nIBDC" part of the string is a command that we pass to the firmware and the next character is a variable u8 value. It gets set in set_control_line(). msg[leng - 2] = value ? (retval & ~line) : retval | line; where leng is the length of the command string. Imagine the parameter was supposed to be "8". With the pre-merge code the command string would be "\nIBDC8\n" With the post-merge code the command string became "\nIBD8\n" The firmware doesn't recognize "IBD8" as a valid command and rejects it. Putting a "." where the parameter is supposed to go fixes the driver and makes checkpatch happy. Same thing with the other define and the in-line assignment. Reported-by: Marcello Carla' Fixes: fce79512a96a ("staging: gpib: Add LPVO DIY USB GPIB driver") Co-developed-by: Marcello Carla' Signed-off-by: Marcello Carla' Signed-off-by: Dave Penkler Reviewed-by: Dan Carpenter Link: https://lore.kernel.org/r/20241205093442.5796-1-dpenkler@gmail.com Signed-off-by: Greg Kroah-Hartman commit aa5d2ca7c179c40669edb5e96d931bf9828dea3d Author: Kan Liang Date: Mon Dec 16 08:02:52 2024 -0800 perf/x86/intel: Fix bitmask of OCR and FRONTEND events for LNC The released OCR and FRONTEND events utilized more bits on Lunar Lake p-core. The corresponding mask in the extra_regs has to be extended to unblock the extra bits. Add a dedicated intel_lnc_extra_regs. Fixes: a932aa0e868f ("perf/x86: Add Lunar Lake and Arrow Lake support") Reported-by: Andi Kleen Signed-off-by: Kan Liang Signed-off-by: Peter Zijlstra (Intel) Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/20241216160252.430858-1-kan.liang@linux.intel.com commit 7917f01a286ce01e9c085e24468421f596ee1a0c Author: NeilBrown Date: Fri Dec 20 15:28:18 2024 +1100 nfsd: restore callback functionality for NFSv4.0 A recent patch inadvertently broke callbacks for NFSv4.0. In the 4.0 case we do not expect a session to be found but still need to call setup_callback_client() which will not try to dereference it. This patch moves the check for failure to find a session into the 4.1+ branch of setup_callback_client() Fixes: 1e02c641c3a4 ("NFSD: Prevent NULL dereference in nfsd4_process_cb_update()") Signed-off-by: NeilBrown Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever commit 926e862058978a8f81872845715d67ad21c30f65 Author: Mark Brown Date: Sat Dec 14 02:12:06 2024 +0000 arm64/signal: Silence sparse warning storing GCSPR_EL0 We are seeing a sparse warning in gcs_restore_signal(): arch/arm64/kernel/signal.c:1054:9: sparse: sparse: cast removes address space '__user' of expression when storing the final GCSPR_EL0 value back into the register, caused by the fact that write_sysreg_s() casts the value it writes to a u64 which sparse sees as discarding the __userness of the pointer. Avoid this by treating the address as an integer, casting to a pointer only when using it to write to userspace. While we're at it also inline gcs_signal_cap_valid() into it's one user and make equivalent updates to gcs_signal_entry(). Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202412082005.OBJ0BbWs-lkp@intel.com/ Signed-off-by: Mark Brown Link: https://lore.kernel.org/r/20241214-arm64-gcs-signal-sparse-v3-1-5e8d18fffc0c@kernel.org Signed-off-by: Catalin Marinas commit 8cbd01ba9c38eb16f3a572300da486ac544519b7 Merge: 66a0a2b0473c39 32c9c06adb5b15 Author: Takashi Iwai Date: Fri Dec 20 14:09:45 2024 +0100 Merge tag 'asoc-fix-v6.13-rc3' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus ASoC: Fixes for v6.13 A mix of quirks and small fixes, nothing too major anywhere. commit cc54ec56d822d4e4bfe16b6d1d85e8122fad1f67 Merge: b6075c80537558 de63ac44a527b2 Author: David S. Miller Date: Fri Dec 20 12:49:42 2024 +0000 Merge branch 'gve-xdp-fixes' Joshua Washington says: ==================== gve: various XDP fixes This patch series contains the following XDP fixes: - clean up XDP tx queue when stopping rings - use RCU synchronization to guard existence of XDP queues - perform XSK TX as part of RX NAPI to fix busy polling - fix XDP allocation issues when non-XDP configurations occur ==================== Signed-off-by: David S. Miller commit de63ac44a527b2c5067551dbd70d939fe151325a Author: Joshua Washington Date: Wed Dec 18 05:34:15 2024 -0800 gve: fix XDP allocation path in edge cases This patch fixes a number of consistency issues in the queue allocation path related to XDP. As it stands, the number of allocated XDP queues changes in three different scenarios. 1) Adding an XDP program while the interface is up via gve_add_xdp_queues 2) Removing an XDP program while the interface is up via gve_remove_xdp_queues 3) After queues have been allocated and the old queue memory has been removed in gve_queues_start. However, the requirement for the interface to be up for gve_(add|remove)_xdp_queues to be called, in conjunction with the fact that the number of queues stored in priv isn't updated until _after_ XDP queues have been allocated in the normal queue allocation path means that if an XDP program is added while the interface is down, XDP queues won't be added until the _second_ if_up, not the first. Given the expectation that the number of XDP queues is equal to the number of RX queues, scenario (3) has another problematic implication. When changing the number of queues while an XDP program is loaded, the number of XDP queues must be updated as well, as there is logic in the driver (gve_xdp_tx_queue_id()) which relies on every RX queue having a corresponding XDP TX queue. However, the number of XDP queues stored in priv would not be updated until _after_ a close/open leading to a mismatch in the number of XDP queues reported vs the number of XDP queues which actually exist after the queue count update completes. This patch remedies these issues by doing the following: 1) The allocation config getter function is set up to retrieve the _expected_ number of XDP queues to allocate instead of relying on the value stored in `priv` which is only updated once the queues have been allocated. 2) When adjusting queues, XDP queues are adjusted to match the number of RX queues when XDP is enabled. This only works in the case when queues are live, so part (1) of the fix must still be available in the case that queues are adjusted when there is an XDP program and the interface is down. Fixes: 5f08cd3d6423 ("gve: Alloc before freeing when adjusting queues") Cc: stable@vger.kernel.org Signed-off-by: Joshua Washington Signed-off-by: Praveen Kaligineedi Reviewed-by: Praveen Kaligineedi Reviewed-by: Shailend Chand Reviewed-by: Willem de Bruijn Signed-off-by: David S. Miller commit ba0925c34e0fa6fe02d3d642bc02ab099ab312c7 Author: Joshua Washington Date: Wed Dec 18 05:34:14 2024 -0800 gve: process XSK TX descriptors as part of RX NAPI When busy polling is enabled, xsk_sendmsg for AF_XDP zero copy marks the NAPI ID corresponding to the memory pool allocated for the socket. In GVE, this NAPI ID will never correspond to a NAPI ID of one of the dedicated XDP TX queues registered with the umem because XDP TX is not set up to share a NAPI with a corresponding RX queue. This patch moves XSK TX descriptor processing from the TX NAPI to the RX NAPI, and the gve_xsk_wakeup callback is updated to use the RX NAPI instead of the TX NAPI, accordingly. The branch on if the wakeup is for TX is removed, as the NAPI poll should be invoked whether the wakeup is for TX or for RX. Fixes: fd8e40321a12 ("gve: Add AF_XDP zero-copy support for GQI-QPL format") Cc: stable@vger.kernel.org Signed-off-by: Praveen Kaligineedi Signed-off-by: Joshua Washington Reviewed-by: Willem de Bruijn Signed-off-by: David S. Miller commit 40338d7987d810fcaa95c500b1068a52b08eec9b Author: Joshua Washington Date: Wed Dec 18 05:34:13 2024 -0800 gve: guard XSK operations on the existence of queues This patch predicates the enabling and disabling of XSK pools on the existence of queues. As it stands, if the interface is down, disabling or enabling XSK pools would result in a crash, as the RX queue pointer would be NULL. XSK pool registration will occur as part of the next interface up. Similarly, xsk_wakeup needs be guarded against queues disappearing while the function is executing, so a check against the GVE_PRIV_FLAGS_NAPI_ENABLED flag is added to synchronize with the disabling of the bit and the synchronize_net() in gve_turndown. Fixes: fd8e40321a12 ("gve: Add AF_XDP zero-copy support for GQI-QPL format") Cc: stable@vger.kernel.org Signed-off-by: Joshua Washington Signed-off-by: Praveen Kaligineedi Reviewed-by: Praveen Kaligineedi Reviewed-by: Shailend Chand Reviewed-by: Willem de Bruijn Reviewed-by: Larysa Zaremba Signed-off-by: David S. Miller commit ff7c2dea9dd1a436fc79d6273adffdcc4a7ffea3 Author: Joshua Washington Date: Wed Dec 18 05:34:12 2024 -0800 gve: guard XDP xmit NDO on existence of xdp queues In GVE, dedicated XDP queues only exist when an XDP program is installed and the interface is up. As such, the NDO XDP XMIT callback should return early if either of these conditions are false. In the case of no loaded XDP program, priv->num_xdp_queues=0 which can cause a divide-by-zero error, and in the case of interface down, num_xdp_queues remains untouched to persist XDP queue count for the next interface up, but the TX pointer itself would be NULL. The XDP xmit callback also needs to synchronize with a device transitioning from open to close. This synchronization will happen via the GVE_PRIV_FLAGS_NAPI_ENABLED bit along with a synchronize_net() call, which waits for any RCU critical sections at call-time to complete. Fixes: 39a7f4aa3e4a ("gve: Add XDP REDIRECT support for GQI-QPL format") Cc: stable@vger.kernel.org Signed-off-by: Joshua Washington Signed-off-by: Praveen Kaligineedi Reviewed-by: Praveen Kaligineedi Reviewed-by: Shailend Chand Reviewed-by: Willem de Bruijn Signed-off-by: David S. Miller commit 6321f5fb70d502d95de8a212a7b484c297ec9644 Author: Joshua Washington Date: Wed Dec 18 05:34:11 2024 -0800 gve: clean XDP queues in gve_tx_stop_ring_gqi When stopping XDP TX rings, the XDP clean function needs to be called to clean out the entire queue, similar to what happens in the normal TX queue case. Otherwise, the FIFO won't be cleared correctly, and xsk_tx_completed won't be reported. Fixes: 75eaae158b1b ("gve: Add XDP DROP and TX support for GQI-QPL format") Cc: stable@vger.kernel.org Signed-off-by: Joshua Washington Signed-off-by: Praveen Kaligineedi Reviewed-by: Praveen Kaligineedi Reviewed-by: Willem de Bruijn Signed-off-by: David S. Miller commit 66a0a2b0473c39ae85c44628d14e4366fdc0aa0d Author: Takashi Iwai Date: Fri Dec 20 12:44:16 2024 +0100 ALSA: sh: Fix wrong argument order for copy_from_iter() Fix a brown paper bag bug I introduced at converting to the standard iter helper; the arguments were wrongly passed and have to be swapped. Fixes: 9b5f8ee43e48 ("ALSA: sh: Use standard helper for buffer accesses") Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202412140019.jat5Dofr-lkp@intel.com/ Link: https://patch.msgid.link/20241220114417.5898-1-tiwai@suse.de Signed-off-by: Takashi Iwai commit 55853cb829dc707427c3519f6b8686682a204368 Author: Li Zhijian Date: Wed Dec 18 10:59:31 2024 +0800 selftests/alsa: Fix circular dependency involving global-timer The pattern rule `$(OUTPUT)/%: %.c` inadvertently included a circular dependency on the global-timer target due to its inclusion in $(TEST_GEN_PROGS_EXTENDED). This resulted in a circular dependency warning during the build process. To resolve this, the dependency on $(TEST_GEN_PROGS_EXTENDED) has been replaced with an explicit dependency on $(OUTPUT)/libatest.so. This change ensures that libatest.so is built before any other targets that require it, without creating a circular dependency. This fix addresses the following warning: make[4]: Entering directory 'tools/testing/selftests/alsa' make[4]: Circular default_modconfig/kselftest/alsa/global-timer <- default_modconfig/kselftest/alsa/global-timer dependency dropped. make[4]: Nothing to be done for 'all'. make[4]: Leaving directory 'tools/testing/selftests/alsa' Cc: Mark Brown Cc: Jaroslav Kysela Cc: Takashi Iwai Cc: Shuah Khan Signed-off-by: Li Zhijian Link: https://patch.msgid.link/20241218025931.914164-1-lizhijian@fujitsu.com Signed-off-by: Takashi Iwai commit fa0308134d26dbbeb209a1581eea46df663866b6 Author: Fedor Pchelkin Date: Thu Dec 19 23:33:45 2024 +0300 ALSA: memalloc: prefer dma_mapping_error() over explicit address checking With CONFIG_DMA_API_DEBUG enabled, the following warning is observed: DMA-API: snd_hda_intel 0000:03:00.1: device driver failed to check map error[device address=0x00000000ffff0000] [size=20480 bytes] [mapped as single] WARNING: CPU: 28 PID: 2255 at kernel/dma/debug.c:1036 check_unmap+0x1408/0x2430 CPU: 28 UID: 42 PID: 2255 Comm: wireplumber Tainted: G W L 6.12.0-10-133577cad6bf48e5a7848c4338124081393bfe8a+ #759 debug_dma_unmap_page+0xe9/0xf0 snd_dma_wc_free+0x85/0x130 [snd_pcm] snd_pcm_lib_free_pages+0x1e3/0x440 [snd_pcm] snd_pcm_common_ioctl+0x1c9a/0x2960 [snd_pcm] snd_pcm_ioctl+0x6a/0xc0 [snd_pcm] ... Check for returned DMA addresses using specialized dma_mapping_error() helper which is generally recommended for this purpose by Documentation/core-api/dma-api.rst. Fixes: c880a5146642 ("ALSA: memalloc: Use proper DMA mapping API for x86 WC buffer allocations") Reported-by: Mikhail Gavrilov Closes: https://lore.kernel.org/r/CABXGCsNB3RsMGvCucOy3byTEOxoc-Ys+zB_HQ=Opb_GhX1ioDA@mail.gmail.com/ Tested-by: Mikhail Gavrilov Signed-off-by: Fedor Pchelkin Link: https://patch.msgid.link/20241219203345.195898-1-pchelkin@ispras.ru Signed-off-by: Takashi Iwai commit 3d3f43fab4cfb9cf245e3dbffa1736ce925bb54a Author: Jaroslav Kysela Date: Tue Dec 17 11:07:26 2024 +0100 ALSA: compress_offload: improve file descriptors installation for dma-buf Avoid to use single dma_buf_fd() call for both directions. This code ensures that both file descriptors are allocated before fd_install(). Link: https://lore.kernel.org/linux-sound/6a923647-4495-4cff-a253-b73f48cfd0ea@stanley.mountain/ Fixes: 04177158cf98 ("ALSA: compress_offload: introduce accel operation mode") Reported-by: Dan Carpenter Cc: Vinod Koul Signed-off-by: Jaroslav Kysela Signed-off-by: Takashi Iwai Link: https://patch.msgid.link/20241217100726.732863-1-perex@perex.cz commit f25a51b47c61540585a9e8a4e16f91677ebcbbc4 Author: Jaroslav Kysela Date: Tue Dec 17 11:07:07 2024 +0100 ALSA: compress_offload: use safe list iteration in snd_compr_task_seq() The sequence function can call snd_compr_task_free_one(). Use list_for_each_entry_safe_reverse() to make sure that the used pointers are safe. Link: https://lore.kernel.org/linux-sound/f2769cff-6c7a-4092-a2d1-c33a5411a182@stanley.mountain/ Fixes: 04177158cf98 ("ALSA: compress_offload: introduce accel operation mode") Reported-by: Dan Carpenter Cc: Vinod Koul Signed-off-by: Jaroslav Kysela Signed-off-by: Takashi Iwai Link: https://patch.msgid.link/20241217100707.732766-1-perex@perex.cz commit 6018f2fe1089b46c6c9eb136338eca7b16a92331 Author: Arnd Bergmann Date: Mon Dec 16 10:33:41 2024 +0100 ALSA: compress_offload: avoid 64-bit get_user() On some architectures, get_user() cannot read a 64-bit user variable: arm-linux-gnueabi-ld: sound/core/compress_offload.o: in function `snd_compr_ioctl': compress_offload.c:(.text.snd_compr_ioctl+0x538): undefined reference to `__get_user_bad' Use an equivalent copy_from_user() instead. Fixes: 04177158cf98 ("ALSA: compress_offload: introduce accel operation mode") Signed-off-by: Arnd Bergmann Acked-by: Shengjiu Wang Acked-by: Vinod Koul Signed-off-by: Takashi Iwai Link: https://patch.msgid.link/20241216093410.377112-2-arnd@kernel.org commit 1ae40d5231732275c620a1c58c83884a979b6eb1 Author: Arnd Bergmann Date: Mon Dec 16 10:33:40 2024 +0100 ALSA: compress_offload: import DMA_BUF namespace The compression offload code cannot be in a loadable module unless it imports that namespace: ERROR: modpost: module snd-compress uses symbol dma_buf_get from namespace DMA_BUF, but does not import it. ERROR: modpost: module snd-compress uses symbol dma_buf_put from namespace DMA_BUF, but does not import it. ERROR: modpost: module snd-compress uses symbol dma_buf_fd from namespace DMA_BUF, but does not import it. Fixes: 04177158cf98 ("ALSA: compress_offload: introduce accel operation mode") Signed-off-by: Arnd Bergmann Acked-by: Shengjiu Wang Acked-by: Vinod Koul Signed-off-by: Takashi Iwai Link: https://patch.msgid.link/20241216093410.377112-1-arnd@kernel.org commit e639fb046b8150625c1b96bf6f02a18f11ef1760 Merge: 87fd88332567e2 3abb660f9e1892 Author: Dave Airlie Date: Fri Dec 20 12:53:42 2024 +1000 Merge tag 'amd-drm-fixes-6.13-2024-12-18' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes amd-drm-fixes-6.13-2024-12-18: amdgpu: - Disable BOCO when CONFIG_HOTPLUG_PCI_PCIE is not enabled - scheduler job fixes - IP version check fixes - devcoredump fix - GPUVM update fix - NBIO 2.5 fix Signed-off-by: Dave Airlie From: Alex Deucher Link: https://patchwork.freedesktop.org/patch/msgid/20241218204637.2966198-1-alexander.deucher@amd.com commit b6075c80537558b16ff72861af4c0539c375e11b Merge: c0cc126882bab3 146b6057e1fd28 Author: Jakub Kicinski Date: Thu Dec 19 18:53:15 2024 -0800 Merge tag 'wireless-2024-12-19' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless Kalle Valo says: ==================== wireless fixes for v6.13-rc5 Few minor fixes this time, nothing special. * tag 'wireless-2024-12-19' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless: wifi: cw1200: Fix potential NULL dereference wifi: iwlwifi: mvm: Fix __counted_by usage in cfg80211_wowlan_nd_* MAINTAINERS: wifi: ath: add Jeff Johnson as maintainer wifi: iwlwifi: fix CRF name for Bz ==================== Link: https://patch.msgid.link/20241219185042.662B6C4CECE@smtp.kernel.org Signed-off-by: Jakub Kicinski commit c0cc126882bab3553f77c768f8a8847879d9abb9 Merge: 25c6a5ab151fb9 bb9869043438af Author: Jakub Kicinski Date: Thu Dec 19 18:04:05 2024 -0800 Merge branch 'net-dsa-microchip-fix-set_ageing_time-function-for-ksz9477-and-lan937x-switches' Tristram Ha says: ==================== net: dsa: microchip: Fix set_ageing_time function for KSZ9477 and LAN937X switches The aging count is not a simple number that is broken into two parts and programmed into 2 registers. These patches correct the programming for KSZ9477 and LAN937X switches. ==================== Link: https://patch.msgid.link/20241218020224.70590-1-Tristram.Ha@microchip.com Signed-off-by: Jakub Kicinski commit bb9869043438af5b94230f94fb4c39206525d758 Author: Tristram Ha Date: Tue Dec 17 18:02:24 2024 -0800 net: dsa: microchip: Fix LAN937X set_ageing_time function The aging count is not a simple 20-bit value but comprises a 3-bit multiplier and a 20-bit second time. The code tries to use the original multiplier which is 4 as the second count is still 300 seconds by default. As the 20-bit number is now too large for practical use there is an option to interpret it as microseconds instead of seconds. Fixes: 2c119d9982b1 ("net: dsa: microchip: add the support for set_ageing_time") Signed-off-by: Tristram Ha Reviewed-by: Andrew Lunn Link: https://patch.msgid.link/20241218020224.70590-3-Tristram.Ha@microchip.com Signed-off-by: Jakub Kicinski commit 262bfba8ab820641c8cfbbf03b86d6c00242c078 Author: Tristram Ha Date: Tue Dec 17 18:02:23 2024 -0800 net: dsa: microchip: Fix KSZ9477 set_ageing_time function The aging count is not a simple 11-bit value but comprises a 3-bit multiplier and an 8-bit second count. The code tries to use the original multiplier which is 4 as the second count is still 300 seconds by default. Fixes: 2c119d9982b1 ("net: dsa: microchip: add the support for set_ageing_time") Signed-off-by: Tristram Ha Reviewed-by: Andrew Lunn Link: https://patch.msgid.link/20241218020224.70590-2-Tristram.Ha@microchip.com Signed-off-by: Jakub Kicinski commit 79d67c499c3f886202a40c5cb27e747e4fa4d738 Author: Biju Das Date: Tue Nov 19 19:20:31 2024 +0000 drm: adv7511: Drop dsi single lane support As per [1] and [2], ADV7535/7533 supports only 2-, 3-, or 4-lane. Drop unsupported 1-lane. [1] https://www.analog.com/media/en/technical-documentation/data-sheets/ADV7535.pdf [2] https://www.analog.com/media/en/technical-documentation/data-sheets/ADV7533.pdf Fixes: 1e4d58cd7f88 ("drm/bridge: adv7533: Create a MIPI DSI device") Reported-by: Hien Huynh Cc: stable@vger.kernel.org Reviewed-by: Laurent Pinchart Reviewed-by: Adam Ford Signed-off-by: Biju Das Link: https://patchwork.freedesktop.org/patch/msgid/20241119192040.152657-4-biju.das.jz@bp.renesas.com Signed-off-by: Dmitry Baryshkov commit ee8f9ed57a397605434caeef351bafa3ec4dfdd4 Author: Biju Das Date: Tue Nov 19 19:20:30 2024 +0000 dt-bindings: display: adi,adv7533: Drop single lane support As per [1] and [2], ADV7535/7533 supports only 2-, 3-, or 4-lane. Drop unsupported 1-lane from bindings. [1] https://www.analog.com/media/en/technical-documentation/data-sheets/ADV7535.pdf [2] https://www.analog.com/media/en/technical-documentation/data-sheets/ADV7533.pdf Fixes: 1e4d58cd7f88 ("drm/bridge: adv7533: Create a MIPI DSI device") Cc: stable@vger.kernel.org Acked-by: Krzysztof Kozlowski Reviewed-by: Geert Uytterhoeven Reviewed-by: Laurent Pinchart Signed-off-by: Biju Das Link: https://patchwork.freedesktop.org/patch/msgid/20241119192040.152657-3-biju.das.jz@bp.renesas.com Signed-off-by: Dmitry Baryshkov commit 81adbd3ff21c1182e06aa02c6be0bfd9ea02d8e8 Author: Biju Das Date: Tue Nov 19 19:20:29 2024 +0000 drm: adv7511: Fix use-after-free in adv7533_attach_dsi() The host_node pointer was assigned and freed in adv7533_parse_dt(), and later, adv7533_attach_dsi() uses the same. Fix this use-after-free issue by dropping of_node_put() in adv7533_parse_dt() and calling of_node_put() in error path of probe() and also in the remove(). Fixes: 1e4d58cd7f88 ("drm/bridge: adv7533: Create a MIPI DSI device") Cc: stable@vger.kernel.org Reviewed-by: Laurent Pinchart Signed-off-by: Biju Das Link: https://patchwork.freedesktop.org/patch/msgid/20241119192040.152657-2-biju.das.jz@bp.renesas.com Signed-off-by: Dmitry Baryshkov commit 902806baf3c1e8383c1fe3ff0b6042b8cb5c2707 Author: Stefan Ekenberg Date: Tue Nov 19 08:40:29 2024 +0100 drm/bridge: adv7511_audio: Update Audio InfoFrame properly AUDIO_UPDATE bit (Bit 5 of MAIN register 0x4A) needs to be set to 1 while updating Audio InfoFrame information and then set to 0 when done. Otherwise partially updated Audio InfoFrames could be sent out. Two cases where this rule were not followed are fixed: - In adv7511_hdmi_hw_params() make sure AUDIO_UPDATE bit is updated before/after setting ADV7511_REG_AUDIO_INFOFRAME. - In audio_startup() use the correct register for clearing AUDIO_UPDATE bit. The problem with corrupted audio infoframes were discovered by letting a HDMI logic analyser check the output of ADV7535. Note that this patchs replaces writing REG_GC(1) with REG_INFOFRAME_UPDATE. Bit 5 of REG_GC(1) is positioned within field GC_PP[3:0] and that field doesn't control audio infoframe and is read- only. My conclusion therefore was that the author if this code meant to clear bit 5 of REG_INFOFRAME_UPDATE from the very beginning. Tested-by: Biju Das Fixes: 53c515befe28 ("drm/bridge: adv7511: Add Audio support") Signed-off-by: Stefan Ekenberg Reviewed-by: Dmitry Baryshkov Link: https://patchwork.freedesktop.org/patch/msgid/20241119-adv7511-audio-info-frame-v4-1-4ae68e76c89c@axis.com Signed-off-by: Dmitry Baryshkov commit 386d69f9f29b0814881fa4f92ac7b8dfa9b4f44a Author: Sean Christopherson Date: Wed Dec 18 13:36:11 2024 -0800 KVM: x86/mmu: Treat TDP MMU faults as spurious if access is already allowed Treat slow-path TDP MMU faults as spurious if the access is allowed given the existing SPTE to fix a benign warning (other than the WARN itself) due to replacing a writable SPTE with a read-only SPTE, and to avoid the unnecessary LOCK CMPXCHG and subsequent TLB flush. If a read fault races with a write fault, fast GUP fails for any reason when trying to "promote" the read fault to a writable mapping, and KVM resolves the write fault first, then KVM will end up trying to install a read-only SPTE (for a !map_writable fault) overtop a writable SPTE. Note, it's not entirely clear why fast GUP fails, or if that's even how KVM ends up with a !map_writable fault with a writable SPTE. If something else is going awry, e.g. due to a bug in mmu_notifiers, then treating read faults as spurious in this scenario could effectively mask the underlying problem. However, retrying the faulting access instead of overwriting an existing SPTE is functionally correct and desirable irrespective of the WARN, and fast GUP _can_ legitimately fail with a writable VMA, e.g. if the Accessed bit in primary MMU's PTE is toggled and causes a PTE value mismatch. The WARN was also recently added, specifically to track down scenarios where KVM is unnecessarily overwrites SPTEs, i.e. treating the fault as spurious doesn't regress KVM's bug-finding capabilities in any way. In short, letting the WARN linger because there's a tiny chance it's due to a bug elsewhere would be excessively paranoid. Fixes: 1a175082b190 ("KVM: x86/mmu: WARN and flush if resolving a TDP MMU fault clears MMU-writable") Reported-by: Lei Yang Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219588 Tested-by: Lei Yang Link: https://lore.kernel.org/r/20241218213611.3181643-1-seanjc@google.com Signed-off-by: Sean Christopherson commit 4d5163cba43fe96902165606fa54e1aecbbb32de Author: Sean Christopherson Date: Wed Dec 11 09:29:52 2024 -0800 KVM: SVM: Allow guest writes to set MSR_AMD64_DE_CFG bits Drop KVM's arbitrary behavior of making DE_CFG.LFENCE_SERIALIZE read-only for the guest, as rejecting writes can lead to guest crashes, e.g. Windows in particular doesn't gracefully handle unexpected #GPs on the WRMSR, and nothing in the AMD manuals suggests that LFENCE_SERIALIZE is read-only _if it exists_. KVM only allows LFENCE_SERIALIZE to be set, by the guest or host, if the underlying CPU has X86_FEATURE_LFENCE_RDTSC, i.e. if LFENCE is guaranteed to be serializing. So if the guest sets LFENCE_SERIALIZE, KVM will provide the desired/correct behavior without any additional action (the guest's value is never stuffed into hardware). And having LFENCE be serializing even when it's not _required_ to be is a-ok from a functional perspective. Fixes: 74a0e79df68a ("KVM: SVM: Disallow guest from changing userspace's MSR_AMD64_DE_CFG value") Fixes: d1d93fa90f1a ("KVM: SVM: Add MSR-based feature support for serializing LFENCE") Reported-by: Simon Pilkington Closes: https://lore.kernel.org/all/52914da7-a97b-45ad-86a0-affdf8266c61@mailbox.org Cc: Tom Lendacky Cc: stable@vger.kernel.org Reviewed-by: Tom Lendacky Link: https://lore.kernel.org/r/20241211172952.1477605-1-seanjc@google.com Signed-off-by: Sean Christopherson commit 9b42d1e8e4fe9dc631162c04caa69b0d1860b0f0 Author: Sean Christopherson Date: Wed Nov 27 16:43:39 2024 -0800 KVM: x86: Play nice with protected guests in complete_hypercall_exit() Use is_64_bit_hypercall() instead of is_64_bit_mode() to detect a 64-bit hypercall when completing said hypercall. For guests with protected state, e.g. SEV-ES and SEV-SNP, KVM must assume the hypercall was made in 64-bit mode as the vCPU state needed to detect 64-bit mode is unavailable. Hacking the sev_smoke_test selftest to generate a KVM_HC_MAP_GPA_RANGE hypercall via VMGEXIT trips the WARN: ------------[ cut here ]------------ WARNING: CPU: 273 PID: 326626 at arch/x86/kvm/x86.h:180 complete_hypercall_exit+0x44/0xe0 [kvm] Modules linked in: kvm_amd kvm ... [last unloaded: kvm] CPU: 273 UID: 0 PID: 326626 Comm: sev_smoke_test Not tainted 6.12.0-smp--392e932fa0f3-feat #470 Hardware name: Google Astoria/astoria, BIOS 0.20240617.0-0 06/17/2024 RIP: 0010:complete_hypercall_exit+0x44/0xe0 [kvm] Call Trace: kvm_arch_vcpu_ioctl_run+0x2400/0x2720 [kvm] kvm_vcpu_ioctl+0x54f/0x630 [kvm] __se_sys_ioctl+0x6b/0xc0 do_syscall_64+0x83/0x160 entry_SYSCALL_64_after_hwframe+0x76/0x7e ---[ end trace 0000000000000000 ]--- Fixes: b5aead0064f3 ("KVM: x86: Assume a 64-bit hypercall for guests with protected state") Cc: stable@vger.kernel.org Cc: Tom Lendacky Reviewed-by: Xiaoyao Li Reviewed-by: Nikunj A Dadhania Reviewed-by: Tom Lendacky Reviewed-by: Binbin Wu Reviewed-by: Kai Huang Link: https://lore.kernel.org/r/20241128004344.4072099-2-seanjc@google.com Signed-off-by: Sean Christopherson commit d81cadbe164265337f149cf31c9462d7217c1eed Author: Suravee Suthikulpanit Date: Mon Nov 4 07:58:45 2024 +0000 KVM: SVM: Disable AVIC on SNP-enabled system without HvInUseWrAllowed feature On SNP-enabled system, VMRUN marks AVIC Backing Page as in-use while the guest is running for both secure and non-secure guest. Any hypervisor write to the in-use vCPU's AVIC backing page (e.g. to inject an interrupt) will generate unexpected #PF in the host. Currently, attempt to run AVIC guest would result in the following error: BUG: unable to handle page fault for address: ff3a442e549cc270 #PF: supervisor write access in kernel mode #PF: error_code(0x80000003) - RMP violation PGD b6ee01067 P4D b6ee02067 PUD 10096d063 PMD 11c540063 PTE 80000001149cc163 SEV-SNP: PFN 0x1149cc unassigned, dumping non-zero entries in 2M PFN region: [0x114800 - 0x114a00] ... Newer AMD system is enhanced to allow hypervisor to modify the backing page for non-secure guest on SNP-enabled system. This enhancement is available when the CPUID Fn8000_001F_EAX bit 30 is set (HvInUseWrAllowed). This table describes AVIC support matrix w.r.t. SNP enablement: | Non-SNP system | SNP system ----------------------------------------------------- Non-SNP guest | AVIC Activate | AVIC Activate iff | | HvInuseWrAllowed=1 ----------------------------------------------------- SNP guest | N/A | Secure AVIC Therefore, check and disable AVIC in kvm_amd driver when the feature is not available on SNP-enabled system. See the AMD64 Architecture Programmer’s Manual (APM) Volume 2 for detail. (https://www.amd.com/content/dam/amd/en/documents/processor-tech-docs/ programmer-references/40332.pdf) Fixes: 216d106c7ff7 ("x86/sev: Add SEV-SNP host initialization support") Signed-off-by: Suravee Suthikulpanit Link: https://lore.kernel.org/r/20241104075845.7583-1-suravee.suthikulpanit@amd.com Signed-off-by: Sean Christopherson commit 25c6a5ab151fb9c886552bf5aa7cbf2a5c6e96af Author: Wei Fang Date: Tue Dec 17 14:35:00 2024 +0800 net: phy: micrel: Dynamically control external clock of KSZ PHY On the i.MX6ULL-14x14-EVK board, enet1_ref and enet2_ref are used as the clock sources for two external KSZ PHYs. However, after closing the two FEC ports, the clk_enable_count of the enet1_ref and enet2_ref clocks is not 0. The root cause is that since the commit 985329462723 ("net: phy: micrel: use devm_clk_get_optional_enabled for the rmii-ref clock"), the external clock of KSZ PHY has been enabled when the PHY driver probes, and it can only be disabled when the PHY driver is removed. This causes the clock to continue working when the system is suspended or the network port is down. Although Heiko explained in the commit message that the patch was because some clock suppliers need to enable the clock to get the valid clock rate , it seems that the simple fix is to disable the clock after getting the clock rate to solve the current problem. This is indeed true, but we need to admit that Heiko's patch has been applied for more than a year, and we cannot guarantee whether there are platforms that only enable rmii-ref in the KSZ PHY driver during this period. If this is the case, disabling rmii-ref will cause RMII on these platforms to not work. Secondly, commit 99ac4cbcc2a5 ("net: phy: micrel: allow usage of generic ethernet-phy clock") just simply enables the generic clock permanently, which seems like the generic clock may only be enabled in the PHY driver. If we simply disable the generic clock, RMII may not work. If we keep it as it is, the platform using the generic clock will have the same problem as the i.MX6ULL platform. To solve this problem, the clock is enabled when phy_driver::resume() is called, and the clock is disabled when phy_driver::suspend() is called. Since phy_driver::resume() and phy_driver::suspend() are not called in pairs, an additional clk_enable flag is added. When phy_driver::suspend() is called, the clock is disabled only if clk_enable is true. Conversely, when phy_driver::resume() is called, the clock is enabled if clk_enable is false. The changes that introduced the problem were only a few lines, while the current fix is about a hundred lines, which seems out of proportion, but it is necessary because kszphy_probe() is used by multiple KSZ PHYs and we need to fix all of them. Fixes: 985329462723 ("net: phy: micrel: use devm_clk_get_optional_enabled for the rmii-ref clock") Fixes: 99ac4cbcc2a5 ("net: phy: micrel: allow usage of generic ethernet-phy clock") Signed-off-by: Wei Fang Reviewed-by: Andrew Lunn Reviewed-by: Florian Fainelli Link: https://patch.msgid.link/20241217063500.1424011-1-wei.fang@nxp.com Signed-off-by: Jakub Kicinski commit 87fd88332567e22986d4989d912a1e44f164dc7d Merge: e9088ac19e87ce 1b684ca15f9d78 Author: Dave Airlie Date: Fri Dec 20 07:13:44 2024 +1000 Merge tag 'drm-misc-fixes-2024-12-19' of https://gitlab.freedesktop.org/drm/misc/kernel into drm-fixes drm-misc-fixes for v6.13-rc4: - udma-buf fixes related to sealing. - dma-buf build warning fix when debugfs is not enabled. - Assorted drm/panel fixes. - Correct error return in drm_dp_tunnel_mgr_create. - Fix even more divide by zero in drm_mode_vrefresh. - Fix FBDEV dependencies in Kconfig. - Documentation fix for drm_sched_fini. - IVPU NULL pointer, memory leak and WARN fix. Signed-off-by: Dave Airlie From: Maarten Lankhorst Link: https://patchwork.freedesktop.org/patch/msgid/d0763051-87b7-483e-89e0-a9f993383450@linux.intel.com commit dbd2ca9367eb19bc5e269b8c58b0b1514ada9156 Author: Pavel Begunkov Date: Thu Dec 19 19:52:58 2024 +0000 io_uring: check if iowq is killed before queuing task work can be executed after the task has gone through io_uring termination, whether it's the final task_work run or the fallback path. In this case, task work will find ->io_wq being already killed and null'ed, which is a problem if it then tries to forward the request to io_queue_iowq(). Make io_queue_iowq() fail requests in this case. Note that it also checks PF_KTHREAD, because the user can first close a DEFER_TASKRUN ring and shortly after kill the task, in which case ->iowq check would race. Cc: stable@vger.kernel.org Fixes: 50c52250e2d74 ("block: implement async io_uring discard cmd") Fixes: 773af69121ecc ("io_uring: always reissue from task_work context") Reported-by: Will Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/63312b4a2c2bb67ad67b857d17a300e1d3b078e8.1734637909.git.asml.silence@gmail.com Signed-off-by: Jens Axboe commit 7db0ba3e6e6c215353c1e58b42dfd77c7ab89256 Author: Johan Hovold Date: Tue Dec 10 12:14:44 2024 +0100 Revert "arm64: dts: qcom: x1e80100: enable OTG on USB-C controllers" This reverts commit f042bc234c2e00764b8aa2c9e2f8177cdc63f664. A recent change enabling role switching for the x1e80100 USB-C controllers breaks UCSI and DisplayPort Alternate Mode when the controllers are in host mode: ucsi_glink.pmic_glink_ucsi pmic_glink.ucsi.0: PPM init failed, stop trying As enabling OTG mode currently breaks SuperSpeed hotplug and suspend, and with retimer (and orientation detection) support not even merged yet, let's revert at least until we have stable host mode in mainline. Fixes: f042bc234c2e ("arm64: dts: qcom: x1e80100: enable OTG on USB-C controllers") Reported-by: Dmitry Baryshkov Link: https://lore.kernel.org/all/hw2pdof4ajadjsjrb44f2q4cz4yh5qcqz5d3l7gjt2koycqs3k@xx5xvd26uyef Link: https://lore.kernel.org/lkml/Z1gbyXk-SktGjL6-@hovoldconsulting.com/ Cc: Jonathan Marek Signed-off-by: Johan Hovold Reviewed-by: Abel Vesa Link: https://lore.kernel.org/r/20241210111444.26240-4-johan+linaro@kernel.org Signed-off-by: Bjorn Andersson commit 2e5e1a7ea692dc2b9f1acf0ebeb75bc282733cac Author: Johan Hovold Date: Tue Dec 10 12:14:43 2024 +0100 Revert "arm64: dts: qcom: x1e80100-crd: enable otg on usb ports" This reverts commit 2dd3250191bcfe93b0c9da46624af830310400a7. A recent change enabling OTG mode on the x1e81000 CRD breaks suspend. Specifically, the device hard resets during resume if suspended with all controllers in device mode (i.e. no USB device connected). The corresponding change on the T14s also led to SuperSpeed hotplugs not being detected. With retimer (and orientation detection) support not even merged yet, let's revert at least until we have stable host mode in mainline. Fixes: 2dd3250191bc ("arm64: dts: qcom: x1e80100-crd: enable otg on usb ports") Reported-by: Abel Vesa Cc: Jonathan Marek Signed-off-by: Johan Hovold Reviewed-by: Abel Vesa Link: https://lore.kernel.org/r/20241210111444.26240-3-johan+linaro@kernel.org Signed-off-by: Bjorn Andersson commit 92941c7f2c9529fac1b2670482d0ced3b46eac70 Author: Bharath SM Date: Thu Dec 19 23:28:50 2024 +0530 smb: fix bytes written value in /proc/fs/cifs/Stats With recent netfs apis changes, the bytes written value was not getting updated in /proc/fs/cifs/Stats. Fix this by updating tcon->bytes in write operations. Fixes: 3ee1a1fc3981 ("cifs: Cut over to using netfslib") Signed-off-by: Bharath SM Signed-off-by: Steve French commit 8faabc041a001140564f718dabe37753e88b37fa Merge: baaa2567a712d4 ce1219c3f76bb1 Author: Linus Torvalds Date: Thu Dec 19 09:19:11 2024 -0800 Merge tag 'net-6.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Pull networking fixes from Paolo Abeni: "Including fixes from can and netfilter. Current release - regressions: - rtnetlink: try the outer netns attribute in rtnl_get_peer_net() - rust: net::phy fix module autoloading Current release - new code bugs: - phy: avoid undefined behavior in *_led_polarity_set() - eth: octeontx2-pf: fix netdev memory leak in rvu_rep_create() Previous releases - regressions: - smc: check sndbuf_space again after NOSPACE flag is set in smc_poll - ipvs: fix clamp() of ip_vs_conn_tab on small memory systems - dsa: restore dsa_software_vlan_untag() ability to operate on VLAN-untagged traffic - eth: - tun: fix tun_napi_alloc_frags() - ionic: no double destroy workqueue - idpf: trigger SW interrupt when exiting wb_on_itr mode - rswitch: rework ts tags management - team: fix feature exposure when no ports are present Previous releases - always broken: - core: fix repeated netlink messages in queue dump - mdiobus: fix an OF node reference leak - smc: check iparea_offset and ipv6_prefixes_cnt when receiving proposal msg - can: fix missed interrupts with m_can_pci - eth: oa_tc6: fix infinite loop error when tx credits becomes 0" * tag 'net-6.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (45 commits) net: mctp: handle skb cleanup on sock_queue failures net: mdiobus: fix an OF node reference leak octeontx2-pf: fix error handling of devlink port in rvu_rep_create() octeontx2-pf: fix netdev memory leak in rvu_rep_create() psample: adjust size if rate_as_probability is set netdev-genl: avoid empty messages in queue dump net: dsa: restore dsa_software_vlan_untag() ability to operate on VLAN-untagged traffic selftests: openvswitch: fix tcpdump execution net: usb: qmi_wwan: add Quectel RG255C net: phy: avoid undefined behavior in *_led_polarity_set() netfilter: ipset: Fix for recursive locking warning ipvs: Fix clamp() of ip_vs_conn_tab on small memory systems can: m_can: fix missed interrupts with m_can_pci can: m_can: set init flag earlier in probe rtnetlink: Try the outer netns attribute in rtnl_get_peer_net(). net: netdevsim: fix nsim_pp_hold_write() idpf: trigger SW interrupt when exiting wb_on_itr mode idpf: add support for SW triggered interrupts qed: fix possible uninit pointer read in qed_mcp_nvm_info_populate() net: ethernet: bgmac-platform: fix an OF node reference leak ... commit baaa2567a712d449bbaabc7e923c4d972f67cae1 Merge: a0db71c7fe57bf f3d87abe11ed04 Author: Linus Torvalds Date: Thu Dec 19 08:53:51 2024 -0800 Merge tag 'mmc-v6.13-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc Pull MMC fixes from Ulf Hansson: - mtk-sd: Cleanup the wakeup configuration in error/remove-path - sdhci-tegra: Correct quirk for ADMA2 length * tag 'mmc-v6.13-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc: mmc: mtk-sd: disable wakeup in .remove() and in the error path of .probe() mmc: sdhci-tegra: Remove SDHCI_QUIRK_BROKEN_ADMA_ZEROLEN_DESC quirk commit a0db71c7fe57bf08dcb46376237b78317c035b69 Merge: 466b2d40f60ce8 edc19bd0e571c7 Author: Linus Torvalds Date: Thu Dec 19 08:50:05 2024 -0800 Merge tag 'pwm/for-6.13-rc4-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/ukleinek/linux Pull pwm fix from Uwe Kleine-König: "Fix regression in pwm-stm32 driver when converting to new waveform support Fabrice Gasnier found and fixed a regression I introduced with v6.13-rc1 when converting the stm32 pwm driver to support the new waveform stuff. On some hardware variants this completely broke the driver" * tag 'pwm/for-6.13-rc4-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/ukleinek/linux: pwm: stm32: Fix complementary output in round_waveform_tohw() commit 466b2d40f60ce874cb9b56dc88bd1a0880a43786 Merge: eabcdba3ad4098 fe4ed2f09b492e Author: Linus Torvalds Date: Thu Dec 19 08:45:37 2024 -0800 Merge tag 'v6.13-rc3-ksmbd-server-fixes' of git://git.samba.org/ksmbd Pull smb server fixes from Steve French: - Two fixes for better handling maximum outstanding requests - Fix simultaneous negotiate protocol race * tag 'v6.13-rc3-ksmbd-server-fixes' of git://git.samba.org/ksmbd: ksmbd: conn lock to serialize smb2 negotiate ksmbd: fix broken transfers when exceeding max simultaneous operations ksmbd: count all requests in req_running counter commit 774c71c52aa487001c7da9f93b10cedc9985c371 Author: Lukas Wunner Date: Tue Dec 17 10:51:02 2024 +0100 PCI/bwctrl: Enable only if more than one speed is supported If a PCIe port only supports a single speed, enabling bandwidth control is pointless: There's no need to monitor autonomous speed changes, nor can the speed be changed. Not enabling it saves a small amount of memory and compute resources, but also fixes a boot hang reported by Niklas: It occurs when enabling bandwidth control on Downstream Ports of Intel JHL7540 "Titan Ridge 2018" Thunderbolt controllers. The ports only support 2.5 GT/s in accordance with USB4 v2 sec 11.2.1, so the present commit works around the issue. PCIe r6.2 sec 8.2.1 prescribes that: "A device must support 2.5 GT/s and is not permitted to skip support for any data rates between 2.5 GT/s and the highest supported rate." Consequently, bandwidth control is currently only disabled if a port doesn't support higher speeds than 2.5 GT/s. However the Implementation Note in PCIe r6.2 sec 7.5.3.18 cautions: "It is strongly encouraged that software primarily utilize the Supported Link Speeds Vector instead of the Max Link Speed field, so that software can determine the exact set of supported speeds on current and future hardware. This can avoid software being confused if a future specification defines Links that do not require support for all slower speeds." In other words, future revisions of the PCIe Base Spec may allow gaps in the Supported Link Speeds Vector. To be future-proof, don't just check whether speeds above 2.5 GT/s are supported, but rather check whether *more than one* speed is supported. Fixes: 665745f27487 ("PCI/bwctrl: Re-add BW notification portdrv as PCIe BW controller") Closes: https://lore.kernel.org/r/db8e457fcd155436449b035e8791a8241b0df400.camel@kernel.org Link: https://lore.kernel.org/r/3564908a9c99fc0d2a292473af7a94ebfc8f5820.1734428762.git.lukas@wunner.de Reported-by: Niklas Schnelle Tested-by: Niklas Schnelle Signed-off-by: Lukas Wunner Signed-off-by: Krzysztof Wilczyński Reviewed-by: Jonathan Cameron Reviewed-by: Mario Limonciello Reviewed-by: Ilpo Järvinen commit 3202ca221578850f34e0fea39dc6cfa745ed7aac Author: Lukas Wunner Date: Tue Dec 17 10:51:01 2024 +0100 PCI: Honor Max Link Speed when determining supported speeds The Supported Link Speeds Vector in the Link Capabilities 2 Register indicates the *supported* link speeds. The Max Link Speed field in the Link Capabilities Register indicates the *maximum* of those speeds. pcie_get_supported_speeds() neglects to honor the Max Link Speed field and will thus incorrectly deem higher speeds as supported. Fix it. One user-visible issue addressed here is an incorrect value in the sysfs attribute "max_link_speed". But the main motivation is a boot hang reported by Niklas: Intel JHL7540 "Titan Ridge 2018" Thunderbolt controllers supports 2.5-8 GT/s speeds, but indicate 2.5 GT/s as maximum. Ilpo recalls seeing this on more devices. It can be explained by the controller's Downstream Ports supporting 8 GT/s if an Endpoint is attached, but limiting to 2.5 GT/s if the port interfaces to a PCIe Adapter, in accordance with USB4 v2 sec 11.2.1: "This section defines the functionality of an Internal PCIe Port that interfaces to a PCIe Adapter. [...] The Logical sub-block shall update the PCIe configuration registers with the following characteristics: [...] Max Link Speed field in the Link Capabilities Register set to 0001b (data rate of 2.5 GT/s only). Note: These settings do not represent actual throughput. Throughput is implementation specific and based on the USB4 Fabric performance." The present commit is not sufficient on its own to fix Niklas' boot hang, but it is a prerequisite: A subsequent commit will fix the boot hang by enabling bandwidth control only if more than one speed is supported. The GENMASK() macro used herein specifies 0 as lowest bit, even though the Supported Link Speeds Vector ends at bit 1. This is done on purpose to avoid a GENMASK(0, 1) macro if Max Link Speed is zero. That macro would be invalid as the lowest bit is greater than the highest bit. Ilpo has witnessed a zero Max Link Speed on Root Complex Integrated Endpoints in particular, so it does occur in practice. (The Link Capabilities Register is optional on RCiEPs per PCIe r6.2 sec 7.5.3.) Fixes: d2bd39c0456b ("PCI: Store all PCIe Supported Link Speeds") Closes: https://lore.kernel.org/r/70829798889c6d779ca0f6cd3260a765780d1369.camel@kernel.org Link: https://lore.kernel.org/r/fe03941e3e1cc42fb9bf4395e302bff53ee2198b.1734428762.git.lukas@wunner.de Reported-by: Niklas Schnelle Tested-by: Niklas Schnelle Signed-off-by: Lukas Wunner Signed-off-by: Krzysztof Wilczyński Reviewed-by: Jonathan Cameron Reviewed-by: Ilpo Järvinen commit c261e4f1dd29fabab54b325bc1da8769a3998be1 Author: Jens Axboe Date: Thu Dec 19 09:32:26 2024 -0700 io_uring/register: limit ring resizing to DEFER_TASKRUN With DEFER_TASKRUN, we know the ring can't be both waited upon and resized at the same time. This is important for CQ resizing. Allowing SQ ring resizing is more trivial, but isn't the interesting use case. Hence limit ring resizing in general to DEFER_TASKRUN only for now. This isn't a huge problem as CQ ring resizing is generally the most useful on networking type of workloads where it can be hard to size the ring appropriately upfront, and those should be using DEFER_TASKRUN for better performance. Fixes: 79cfe9e59c2a ("io_uring/register: add IORING_REGISTER_RESIZE_RINGS") Signed-off-by: Jens Axboe commit de35994ecd2dd6148ab5a6c5050a1670a04dec77 Author: Tvrtko Ursulin Date: Thu Dec 19 09:30:30 2024 +0000 workqueue: Do not warn when cancelling WQ_MEM_RECLAIM work from !WQ_MEM_RECLAIM worker After commit 746ae46c1113 ("drm/sched: Mark scheduler work queues with WQ_MEM_RECLAIM") amdgpu started seeing the following warning: [ ] workqueue: WQ_MEM_RECLAIM sdma0:drm_sched_run_job_work [gpu_sched] is flushing !WQ_MEM_RECLAIM events:amdgpu_device_delay_enable_gfx_off [amdgpu] ... [ ] Workqueue: sdma0 drm_sched_run_job_work [gpu_sched] ... [ ] Call Trace: [ ] ... [ ] ? check_flush_dependency+0xf5/0x110 ... [ ] cancel_delayed_work_sync+0x6e/0x80 [ ] amdgpu_gfx_off_ctrl+0xab/0x140 [amdgpu] [ ] amdgpu_ring_alloc+0x40/0x50 [amdgpu] [ ] amdgpu_ib_schedule+0xf4/0x810 [amdgpu] [ ] ? drm_sched_run_job_work+0x22c/0x430 [gpu_sched] [ ] amdgpu_job_run+0xaa/0x1f0 [amdgpu] [ ] drm_sched_run_job_work+0x257/0x430 [gpu_sched] [ ] process_one_work+0x217/0x720 ... [ ] The intent of the verifcation done in check_flush_depedency is to ensure forward progress during memory reclaim, by flagging cases when either a memory reclaim process, or a memory reclaim work item is flushed from a context not marked as memory reclaim safe. This is correct when flushing, but when called from the cancel(_delayed)_work_sync() paths it is a false positive because work is either already running, or will not be running at all. Therefore cancelling it is safe and we can relax the warning criteria by letting the helper know of the calling context. Signed-off-by: Tvrtko Ursulin Fixes: fca839c00a12 ("workqueue: warn if memory reclaim tries to flush !WQ_MEM_RECLAIM workqueue") References: 746ae46c1113 ("drm/sched: Mark scheduler work queues with WQ_MEM_RECLAIM") Cc: Tejun Heo Cc: Peter Zijlstra Cc: Lai Jiangshan Cc: Alex Deucher Cc: Christian König Cc: # v4.5+ Signed-off-by: Tejun Heo commit e9f2517a3e18a54a3943c098d2226b245d488801 Author: Enzo Matsumiya Date: Tue Dec 10 18:15:12 2024 -0300 smb: client: fix TCP timers deadlock after rmmod Commit ef7134c7fc48 ("smb: client: Fix use-after-free of network namespace.") fixed a netns UAF by manually enabled socket refcounting (sk->sk_net_refcnt=1 and sock_inuse_add(net, 1)). The reason the patch worked for that bug was because we now hold references to the netns (get_net_track() gets a ref internally) and they're properly released (internally, on __sk_destruct()), but only because sk->sk_net_refcnt was set. Problem: (this happens regardless of CONFIG_NET_NS_REFCNT_TRACKER and regardless if init_net or other) Setting sk->sk_net_refcnt=1 *manually* and *after* socket creation is not only out of cifs scope, but also technically wrong -- it's set conditionally based on user (=1) vs kernel (=0) sockets. And net/ implementations seem to base their user vs kernel space operations on it. e.g. upon TCP socket close, the TCP timers are not cleared because sk->sk_net_refcnt=1: (cf. commit 151c9c724d05 ("tcp: properly terminate timers for kernel sockets")) net/ipv4/tcp.c: void tcp_close(struct sock *sk, long timeout) { lock_sock(sk); __tcp_close(sk, timeout); release_sock(sk); if (!sk->sk_net_refcnt) inet_csk_clear_xmit_timers_sync(sk); sock_put(sk); } Which will throw a lockdep warning and then, as expected, deadlock on tcp_write_timer(). A way to reproduce this is by running the reproducer from ef7134c7fc48 and then 'rmmod cifs'. A few seconds later, the deadlock/lockdep warning shows up. Fix: We shouldn't mess with socket internals ourselves, so do not set sk_net_refcnt manually. Also change __sock_create() to sock_create_kern() for explicitness. As for non-init_net network namespaces, we deal with it the best way we can -- hold an extra netns reference for server->ssocket and drop it when it's released. This ensures that the netns still exists whenever we need to create/destroy server->ssocket, but is not directly tied to it. Fixes: ef7134c7fc48 ("smb: client: Fix use-after-free of network namespace.") Cc: stable@vger.kernel.org Signed-off-by: Enzo Matsumiya Signed-off-by: Steve French commit ee1c8e6b2931811a906b8c78006bfe0a3386fa60 Author: Dragan Simic Date: Tue Dec 17 10:25:10 2024 +0100 smb: client: Deduplicate "select NETFS_SUPPORT" in Kconfig Repeating automatically selected options in Kconfig files is redundant, so let's delete repeated "select NETFS_SUPPORT" that was added accidentally. Fixes: 69c3c023af25 ("cifs: Implement netfslib hooks") Signed-off-by: Dragan Simic Signed-off-by: Steve French commit a769bee5f9fbca47efd4fa6bc3d726d370cedebe Author: Bharath SM Date: Tue Dec 17 00:09:36 2024 +0530 smb: use macros instead of constants for leasekey size and default cifsattrs value Replace default hardcoded value for cifsAttrs with ATTR_ARCHIVE macro Use SMB2_LEASE_KEY_SIZE macro for leasekey size in smb2_lease_break Signed-off-by: Bharath SM Signed-off-by: Steve French commit 1b684ca15f9d78f45de3cdba7e19611387e16aa7 Author: Bagas Sanjaya Date: Tue Dec 17 10:49:15 2024 +0700 drm/sched: Fix drm_sched_fini() docu generation Commit baf4afc5831438 ("drm/sched: Improve teardown documentation") added a list of drm_sched_fini()'s problems. The list triggers htmldocs warning (but renders correctly in htmldocs output): Documentation/gpu/drm-mm:571: ./drivers/gpu/drm/scheduler/sched_main.c:1359: ERROR: Unexpected indentation. Separate the list from the preceding paragraph by a blank line to fix the warning. While at it, also end the aforementioned paragraph by a colon. Fixes: baf4afc58314 ("drm/sched: Improve teardown documentation") Reported-by: Stephen Rothwell Closes: https://lore.kernel.org/r/20241108175655.6d3fcfb7@canb.auug.org.au/ Signed-off-by: Bagas Sanjaya [phasta: Adjust commit message] Signed-off-by: Philipp Stanner Link: https://patchwork.freedesktop.org/patch/msgid/20241217034915.62594-1-bagasdotme@gmail.com commit f64f610ec6ab59dd0391b03842cea3a4cd8ee34f Author: Lucas Stach Date: Wed Dec 18 19:44:33 2024 +0100 pmdomain: core: add dummy release function to genpd device The genpd device, which is really only used as a handle to lookup OPP, but not even registered to the device core otherwise and thus lifetime linked to the genpd struct it is contained in, is missing a release function. After b8f7bbd1f4ec ("pmdomain: core: Add missing put_device()") the device will be cleaned up going through the driver core device_release() function, which will warn when no release callback is present for the device. Add a dummy release function to shut up the warning. Signed-off-by: Lucas Stach Tested-by: Luca Ceresoli Fixes: b8f7bbd1f4ec ("pmdomain: core: Add missing put_device()") Cc: stable@vger.kernel.org Message-ID: <20241218184433.1930532-1-l.stach@pengutronix.de> Signed-off-by: Ulf Hansson commit 469c0682e03d67d8dc970ecaa70c2d753057c7c0 Author: Joe Hattori Date: Sun Dec 15 12:01:59 2024 +0900 pmdomain: imx: gpcv2: fix an OF node reference leak in imx_gpcv2_probe() imx_gpcv2_probe() leaks an OF node reference obtained by of_get_child_by_name(). Fix it by declaring the device node with the __free(device_node) cleanup construct. This bug was found by an experimental static analysis tool that I am developing. Fixes: 03aa12629fc4 ("soc: imx: Add GPCv2 power gating driver") Signed-off-by: Joe Hattori Cc: stable@vger.kernel.org Message-ID: <20241215030159.1526624-1-joe@pf.is.s.u-tokyo.ac.jp> Signed-off-by: Ulf Hansson commit 974e3fe0ac61de85015bbe5a4990cf4127b304b2 Author: Amir Goldstein Date: Thu Dec 19 12:53:01 2024 +0100 fs: relax assertions on failure to encode file handles Encoding file handles is usually performed by a filesystem >encode_fh() method that may fail for various reasons. The legacy users of exportfs_encode_fh(), namely, nfsd and name_to_handle_at(2) syscall are ready to cope with the possibility of failure to encode a file handle. There are a few other users of exportfs_encode_{fh,fid}() that currently have a WARN_ON() assertion when ->encode_fh() fails. Relax those assertions because they are wrong. The second linked bug report states commit 16aac5ad1fa9 ("ovl: support encoding non-decodable file handles") in v6.6 as the regressing commit, but this is not accurate. The aforementioned commit only increases the chances of the assertion and allows triggering the assertion with the reproducer using overlayfs, inotify and drop_caches. Triggering this assertion was always possible with other filesystems and other reasons of ->encode_fh() failures and more particularly, it was also possible with the exact same reproducer using overlayfs that is mounted with options index=on,nfs_export=on also on kernels < v6.6. Therefore, I am not listing the aforementioned commit as a Fixes commit. Backport hint: this patch will have a trivial conflict applying to v6.6.y, and other trivial conflicts applying to stable kernels < v6.6. Reported-by: syzbot+ec07f6f5ce62b858579f@syzkaller.appspotmail.com Tested-by: syzbot+ec07f6f5ce62b858579f@syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-unionfs/671fd40c.050a0220.4735a.024f.GAE@google.com/ Reported-by: Dmitry Safonov Closes: https://lore.kernel.org/linux-fsdevel/CAGrbwDTLt6drB9eaUagnQVgdPBmhLfqqxAf3F+Juqy_o6oP8uw@mail.gmail.com/ Cc: stable@vger.kernel.org Signed-off-by: Amir Goldstein Link: https://lore.kernel.org/r/20241219115301.465396-1-amir73il@gmail.com Signed-off-by: Christian Brauner commit 8d90a86ed053226a297ce062f4d9f4f521e05c4c Author: Eric Biggers Date: Thu Dec 12 20:19:48 2024 -0800 mmc: sdhci-msm: fix crypto key eviction Commit c7eed31e235c ("mmc: sdhci-msm: Switch to the new ICE API") introduced an incorrect check of the algorithm ID into the key eviction path, and thus qcom_ice_evict_key() is no longer ever called. Fix it. Fixes: c7eed31e235c ("mmc: sdhci-msm: Switch to the new ICE API") Cc: stable@vger.kernel.org Cc: Abel Vesa Signed-off-by: Eric Biggers Message-ID: <20241213041958.202565-6-ebiggers@kernel.org> Signed-off-by: Ulf Hansson commit 716f2bca1ce93bb95364f1fc0555c1650507b588 Author: Jerome Marchand Date: Wed Dec 18 18:57:24 2024 +0100 selftests/bpf: Fix compilation error in get_uprobe_offset() In get_uprobe_offset(), the call to procmap_query() use the constant PROCMAP_QUERY_VMA_EXECUTABLE, even if PROCMAP_QUERY is not defined. Define PROCMAP_QUERY_VMA_EXECUTABLE when PROCMAP_QUERY isn't. Fixes: 4e9e07603ecd ("selftests/bpf: make use of PROCMAP_QUERY ioctl if available") Signed-off-by: Jerome Marchand Signed-off-by: Daniel Borkmann Acked-by: Yonghong Song Link: https://lore.kernel.org/bpf/20241218175724.578884-1-jmarchan@redhat.com commit 0f6482caa6acdfdfc744db7430771fe7e6c4e787 Author: Jacek Lawrynowicz Date: Tue Dec 10 14:09:39 2024 +0100 accel/ivpu: Fix WARN in ivpu_ipc_send_receive_internal() Move pm_runtime_set_active() to ivpu_pm_init() so when ivpu_ipc_send_receive_internal() is executed before ivpu_pm_enable() it already has correct runtime state, even if last resume was not successful. Fixes: 8ed520ff4682 ("accel/ivpu: Move set autosuspend delay to HW specific code") Cc: stable@vger.kernel.org # v6.7+ Reviewed-by: Karol Wachowski Reviewed-by: Jeffrey Hugo Signed-off-by: Jacek Lawrynowicz Link: https://patchwork.freedesktop.org/patch/msgid/20241210130939.1575610-4-jacek.lawrynowicz@linux.intel.com commit 6c9ba75f147b24b5c59aac7356a38a0fef664afa Author: Jacek Lawrynowicz Date: Tue Dec 10 14:09:38 2024 +0100 accel/ivpu: Fix memory leak in ivpu_mmu_reserved_context_init() Add appropriate error handling to ensure all allocated resources are released upon encountering an error. Fixes: a74f4d991352 ("accel/ivpu: Defer MMU root page table allocation") Cc: Karol Wachowski Reviewed-by: Karol Wachowski Reviewed-by: Jeffrey Hugo Signed-off-by: Jacek Lawrynowicz Link: https://patchwork.freedesktop.org/patch/msgid/20241210130939.1575610-3-jacek.lawrynowicz@linux.intel.com commit 4b2efb9db0c22a130bbd1275e489b42c02d08050 Author: Jacek Lawrynowicz Date: Tue Dec 10 14:09:37 2024 +0100 accel/ivpu: Fix general protection fault in ivpu_bo_list() Check if ctx is not NULL before accessing its fields. Fixes: 37dee2a2f433 ("accel/ivpu: Improve buffer object debug logs") Cc: stable@vger.kernel.org # v6.8 Reviewed-by: Karol Wachowski Reviewed-by: Jeffrey Hugo Signed-off-by: Jacek Lawrynowicz Link: https://patchwork.freedesktop.org/patch/msgid/20241210130939.1575610-2-jacek.lawrynowicz@linux.intel.com commit 29d44cce324dab2bd86c447071a596262e7109b6 Author: Tiezhu Yang Date: Thu Dec 19 19:15:06 2024 +0800 selftests/bpf: Use asm constraint "m" for LoongArch Currently, LoongArch LLVM does not support the constraint "o" and no plan to support it, it only supports the similar constraint "m", so change the constraints from "nor" in the "else" case to arch-specific "nmr" to avoid the build error such as "unexpected asm memory constraint" for LoongArch. Fixes: 630301b0d59d ("selftests/bpf: Add basic USDT selftests") Suggested-by: Weining Lu Suggested-by: Li Chen Signed-off-by: Tiezhu Yang Signed-off-by: Daniel Borkmann Reviewed-by: Huacai Chen Cc: stable@vger.kernel.org Link: https://llvm.org/docs/LangRef.html#supported-constraint-code-list Link: https://github.com/llvm/llvm-project/blob/main/llvm/lib/Target/LoongArch/LoongArchISelDAGToDAG.cpp#L172 Link: https://lore.kernel.org/bpf/20241219111506.20643-1-yangtiezhu@loongson.cn commit 9272cba0ded71b5a2084da3004ec7806b8cb7fd2 Author: Selvin Xavier Date: Tue Dec 17 15:56:49 2024 +0530 RDMA/bnxt_re: Fix the locking while accessing the QP table QP table handling is synchronized with destroy QP and Async event from the HW. The same needs to be synchronized during create_qp also. Use the same lock in create_qp also. Fixes: 76d3ddff7153 ("RDMA/bnxt_re: synchronize the qp-handle table array") Fixes: f218d67ef004 ("RDMA/bnxt_re: Allow posting when QPs are in error") Fixes: 84cf229f4001 ("RDMA/bnxt_re: Fix the qp table indexing") Signed-off-by: Selvin Xavier Link: https://patch.msgid.link/20241217102649.1377704-6-kalesh-anakkur.purayil@broadcom.com Signed-off-by: Leon Romanovsky commit bb839f3ace0fee532a0487b692cc4d868fccb7cf Author: Damodharam Ammepalli Date: Tue Dec 17 15:56:48 2024 +0530 RDMA/bnxt_re: Fix MSN table size for variable wqe mode For variable size wqe mode, the MSN table size should be half the size of the SQ depth. Fixing this to avoid wrap around problems in the retransmission path. Fixes: de1d364c3815 ("RDMA/bnxt_re: Add support for Variable WQE in Genp7 adapters") Reviewed-by: Kashyap Desai Reviewed-by: Kalesh AP Signed-off-by: Damodharam Ammepalli Signed-off-by: Selvin Xavier Link: https://patch.msgid.link/20241217102649.1377704-5-kalesh-anakkur.purayil@broadcom.com Signed-off-by: Leon Romanovsky commit d13be54dc18baee7a3e44349b80755a8c8205d3f Author: Damodharam Ammepalli Date: Tue Dec 17 15:56:47 2024 +0530 RDMA/bnxt_re: Add send queue size check for variable wqe For the fixed WQE case, HW supports 0xFFFF WQEs. For variable Size WQEs, HW treats this number as the 16 bytes slots. The maximum supported WQEs needs to be adjusted based on the number of slots. Set a maximum WQE limit for variable WQE scenario. Fixes: de1d364c3815 ("RDMA/bnxt_re: Add support for Variable WQE in Genp7 adapters") Reviewed-by: Kalesh AP Signed-off-by: Damodharam Ammepalli Signed-off-by: Selvin Xavier Link: https://patch.msgid.link/20241217102649.1377704-4-kalesh-anakkur.purayil@broadcom.com Signed-off-by: Leon Romanovsky commit d5a38bf2f35979537c526acbc56bc435ed40685f Author: Kalesh AP Date: Tue Dec 17 15:56:46 2024 +0530 RDMA/bnxt_re: Disable use of reserved wqes Disabling the reserved wqes logic for Gen P5/P7 devices because this workaround is required only for legacy devices. Fixes: ecb53febfcad ("RDMA/bnxt_en: Enable RDMA driver support for 57500 chip") Signed-off-by: Kalesh AP Signed-off-by: Selvin Xavier Link: https://patch.msgid.link/20241217102649.1377704-3-kalesh-anakkur.purayil@broadcom.com Signed-off-by: Leon Romanovsky commit 40be32303ec829ea12f9883e499bfd3fe9e52baf Author: Selvin Xavier Date: Tue Dec 17 15:56:45 2024 +0530 RDMA/bnxt_re: Fix max_qp_wrs reported While creating qps, driver adds one extra entry to the sq size passed by the ULPs in order to avoid queue full condition. When ULPs creates QPs with max_qp_wr reported, driver creates QP with 1 more than the max_wqes supported by HW. Create QP fails in this case. To avoid this error, reduce 1 entry in max_qp_wqes and report it to the stack. Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") Reviewed-by: Kalesh AP Signed-off-by: Selvin Xavier Link: https://patch.msgid.link/20241217102649.1377704-2-kalesh-anakkur.purayil@broadcom.com Signed-off-by: Leon Romanovsky commit 1b62f3cb74d2965e8f96f20241b1fe85017aa3e8 Merge: b9252f80b80780 24740385cb0d6d Author: Greg Kroah-Hartman Date: Thu Dec 19 12:35:02 2024 +0100 Merge tag 'thunderbolt-for-v6.13-rc4' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/westeri/thunderbolt into usb-linus Mika writes: thunderbolt: Fixes for v6.13-rc4 This includes following USB4/Thunderbolt fixes for v6.13-rc4: - Add Intel Panther Lake PCI IDs - Do not show nvm_version for retimers that are not supported - Fix redrive mode handling. All these have been in linux-next with no reported issues. * tag 'thunderbolt-for-v6.13-rc4' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/westeri/thunderbolt: thunderbolt: Improve redrive mode handling thunderbolt: Don't display nvm_version unless upgrade supported thunderbolt: Add support for Intel Panther Lake-M/P commit 13221496065fa12fac4f8a8e725444679ffddb78 Author: Ahmad Fatoum Date: Wed Dec 18 20:54:53 2024 +0100 regulator: rename regulator-uv-survival-time-ms according to DT binding The regulator bindings don't document regulator-uv-survival-time-ms, but the more descriptive regulator-uv-less-critical-window-ms instead. Looking back at v3[1] and v4[2] of the series adding the support, the property was indeed renamed between these patch series, but unfortunately the rename only made it into the DT bindings with the driver code still using the old name. Let's therefore rename the property in the driver code to follow suit. This will break backwards compatibility, but there are no upstream device trees using the property and we never documented the old name of the property anyway. ¯\_(ツ)_/¯" [1]: https://lore.kernel.org/all/20231025084614.3092295-7-o.rempel@pengutronix.de/ [2]: https://lore.kernel.org/all/20231026144824.4065145-5-o.rempel@pengutronix.de/ Signed-off-by: Ahmad Fatoum Link: https://patch.msgid.link/20241218-regulator-uv-survival-time-ms-rename-v1-1-6cac9c3c75da@pengutronix.de Signed-off-by: Mark Brown commit 32c9c06adb5b157ef259233775a063a43746d699 Author: Chen-Yu Tsai Date: Thu Dec 19 18:53:02 2024 +0800 ASoC: mediatek: disable buffer pre-allocation On Chromebooks based on Mediatek MT8195 or MT8188, the audio frontend (AFE) is limited to accessing a very small window (1 MiB) of memory, which is described as a reserved memory region in the device tree. On these two platforms, the maximum buffer size is given as 512 KiB. The MediaTek common code uses the same value for preallocations. This means that only the first two PCM substreams get preallocations, and then the whole space is exhausted, barring any other substreams from working. Since the substreams used are not always the first two, this means audio won't work correctly. This is observed on the MT8188 Geralt Chromebooks, on which the "mediatek,dai-link" property was dropped when it was upstreamed. That property causes the driver to only register the PCM substreams listed in the property, and in the order given. Instead of trying to compute an optimal value and figuring out which streams are used, simply disable preallocation. The PCM buffers are managed by the core and are allocated and released on the fly. There should be no impact to any of the other MediaTek platforms. Signed-off-by: Chen-Yu Tsai Reviewed-by: AngeloGioacchino Del Regno Link: https://patch.msgid.link/20241219105303.548437-1-wenst@chromium.org Signed-off-by: Mark Brown commit ce1219c3f76bb131d095e90521506d3c6ccfa086 Author: Jeremy Kerr Date: Wed Dec 18 11:53:01 2024 +0800 net: mctp: handle skb cleanup on sock_queue failures Currently, we don't use the return value from sock_queue_rcv_skb, which means we may leak skbs if a message is not successfully queued to a socket. Instead, ensure that we're freeing the skb where the sock hasn't otherwise taken ownership of the skb by adding checks on the sock_queue_rcv_skb() to invoke a kfree on failure. In doing so, rather than using the 'rc' value to trigger the kfree_skb(), use the skb pointer itself, which is more explicit. Also, add a kunit test for the sock delivery failure cases. Fixes: 4a992bbd3650 ("mctp: Implement message fragmentation & reassembly") Cc: stable@vger.kernel.org Signed-off-by: Jeremy Kerr Link: https://patch.msgid.link/20241218-mctp-next-v2-1-1c1729645eaa@codeconstruct.com.au Signed-off-by: Paolo Abeni commit 572af9f284669d31d9175122bbef9bc62cea8ded Author: Joe Hattori Date: Wed Dec 18 12:51:06 2024 +0900 net: mdiobus: fix an OF node reference leak fwnode_find_mii_timestamper() calls of_parse_phandle_with_fixed_args() but does not decrement the refcount of the obtained OF node. Add an of_node_put() call before returning from the function. This bug was detected by an experimental static analysis tool that I am developing. Fixes: bc1bee3b87ee ("net: mdiobus: Introduce fwnode_mdiobus_register_phy()") Signed-off-by: Joe Hattori Reviewed-by: Andrew Lunn Link: https://patch.msgid.link/20241218035106.1436405-1-joe@pf.is.s.u-tokyo.ac.jp Signed-off-by: Paolo Abeni commit e9088ac19e87ceb8b739877c3b6c29a67f7cf19a Merge: 78d4f34e2115b5 1622ed27d26ab4 Author: Dave Airlie Date: Thu Dec 19 20:31:35 2024 +1000 Merge tag 'drm-intel-fixes-2024-12-18' of https://gitlab.freedesktop.org/drm/i915/kernel into drm-fixes - Reset engine utilization buffer before registration (Umesh Nerlige Ramappa) - Ensure busyness counter increases motonically (Umesh Nerlige Ramappa) - Accumulate active runtime on gt reset (Umesh Nerlige Ramappa) Signed-off-by: Dave Airlie From: Tvrtko Ursulin Link: https://patchwork.freedesktop.org/patch/msgid/Z2LppUZudGKXwWjW@linux commit 16b87037b48889d21854c8e97aec8a1baf2642b3 Author: Bernard Metzler Date: Thu Dec 12 16:18:48 2024 +0100 RDMA/siw: Remove direct link to net_device Do not manage a per device direct link to net_device. Rely on associated ib_devices net_device management, not doubling the effort locally. A badly managed local link to net_device was causing a 'KASAN: slab-use-after-free' exception during siw_query_port() call. Fixes: bdcf26bf9b3a ("rdma/siw: network and RDMA core interface") Reported-by: syzbot+4b87489410b4efd181bf@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=4b87489410b4efd181bf Signed-off-by: Bernard Metzler Link: https://patch.msgid.link/20241212151848.564872-1-bmt@zurich.ibm.com Reviewed-by: Zhu Yanjun Signed-off-by: Leon Romanovsky commit 13a6691910cc23ea9ba4066e098603088673d5b0 Author: Chiara Meiohas Date: Tue Dec 10 09:33:10 2024 +0200 RDMA/nldev: Set error code in rdma_nl_notify_event In case of error set the error code before the goto. Fixes: 6ff57a2ea7c2 ("RDMA/nldev: Fix NULL pointer dereferences issue in rdma_nl_notify_event") Reported-by: Dan Carpenter Closes: https://lore.kernel.org/linux-rdma/a84a2fc3-33b6-46da-a1bd-3343fa07eaf9@stanley.mountain/ Signed-off-by: Chiara Meiohas Reviewed-by: Maher Sanalla Link: https://patch.msgid.link/13eb25961923f5de9eb9ecbbc94e26113d6049ef.1733815944.git.leonro@nvidia.com Reviewed-by: Kalesh AP Signed-off-by: Leon Romanovsky commit b4adc04954592cb9f2e5dc796c5119c4d4c9b906 Merge: b95c8c33ae687f 70b6f46a4ed8bd Author: Paolo Abeni Date: Thu Dec 19 09:55:21 2024 +0100 Merge tag 'nf-24-12-19' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf Pablo Neira Ayuso says: ==================== Netfilter/IPVS fixes for net The following series contains two fixes for Netfilter/IPVS: 1) Possible build failure in IPVS on systems with less than 512MB memory due to incorrect use of clamp(), from David Laight. 2) Fix bogus lockdep nesting splat with ipset list:set type, from Phil Sutter. netfilter pull request 24-12-19 * tag 'nf-24-12-19' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf: netfilter: ipset: Fix for recursive locking warning ipvs: Fix clamp() of ip_vs_conn_tab on small memory systems ==================== Link: https://patch.msgid.link/20241218234137.1687288-1-pablo@netfilter.org Signed-off-by: Paolo Abeni commit b95c8c33ae687fcd3007cefa93907a6bd270119b Author: Harshit Mogalapalli Date: Mon Dec 16 21:23:25 2024 -0800 octeontx2-pf: fix error handling of devlink port in rvu_rep_create() Unregister the devlink port when register_netdev() fails. Fixes: 9ed0343f561e ("octeontx2-pf: Add devlink port support") Reviewed-by: Przemek Kitszel Signed-off-by: Harshit Mogalapalli Link: https://patch.msgid.link/20241217052326.1086191-2-harshit.m.mogalapalli@oracle.com Signed-off-by: Jakub Kicinski commit 51df947678360faf1967fe0bd1a40c681f634104 Author: Harshit Mogalapalli Date: Mon Dec 16 21:23:24 2024 -0800 octeontx2-pf: fix netdev memory leak in rvu_rep_create() When rvu_rep_devlink_port_register() fails, free_netdev(ndev) for this incomplete iteration before going to "exit:" label. Fixes: 9ed0343f561e ("octeontx2-pf: Add devlink port support") Reviewed-by: Przemek Kitszel Signed-off-by: Harshit Mogalapalli Link: https://patch.msgid.link/20241217052326.1086191-1-harshit.m.mogalapalli@oracle.com Signed-off-by: Jakub Kicinski commit 5eecd85c77a254a43bde3212da8047b001745c9f Author: Adrian Moreno Date: Tue Dec 17 12:37:39 2024 +0100 psample: adjust size if rate_as_probability is set If PSAMPLE_ATTR_SAMPLE_PROBABILITY flag is to be sent, the available size for the packet data has to be adjusted accordingly. Also, check the error code returned by nla_put_flag. Fixes: 7b1b2b60c63f ("net: psample: allow using rate as probability") Signed-off-by: Adrian Moreno Reviewed-by: Aaron Conole Reviewed-by: Ido Schimmel Link: https://patch.msgid.link/20241217113739.3929300-1-amorenoz@redhat.com Signed-off-by: Jakub Kicinski commit 5eb70dbebf32c2fd1f2814c654ae17fc47d6e859 Author: Jakub Kicinski Date: Tue Dec 17 18:25:08 2024 -0800 netdev-genl: avoid empty messages in queue dump Empty netlink responses from do() are not correct (as opposed to dump() where not dumping anything is perfectly fine). We should return an error if the target object does not exist, in this case if the netdev is down it has no queues. Fixes: 6b6171db7fc8 ("netdev-genl: Add netlink framework functions for queue") Reported-by: syzbot+0a884bc2d304ce4af70f@syzkaller.appspotmail.com Reviewed-by: Eric Dumazet Reviewed-by: Joe Damato Link: https://patch.msgid.link/20241218022508.815344-1-kuba@kernel.org Signed-off-by: Jakub Kicinski commit 16f027cd40eeedd2325f7e720689462ca8d9d13e Author: Vladimir Oltean Date: Mon Dec 16 15:50:59 2024 +0200 net: dsa: restore dsa_software_vlan_untag() ability to operate on VLAN-untagged traffic Robert Hodaszi reports that locally terminated traffic towards VLAN-unaware bridge ports is broken with ocelot-8021q. He is describing the same symptoms as for commit 1f9fc48fd302 ("net: dsa: sja1105: fix reception from VLAN-unaware bridges"). For context, the set merged as "VLAN fixes for Ocelot driver": https://lore.kernel.org/netdev/20240815000707.2006121-1-vladimir.oltean@nxp.com/ was developed in a slightly different form earlier this year, in January. Initially, the switch was unconditionally configured to set OCELOT_ES0_TAG when using ocelot-8021q, regardless of port operating mode. This led to the situation where VLAN-unaware bridge ports would always push their PVID - see ocelot_vlan_unaware_pvid() - a negligible value anyway - into RX packets. To strip this in software, we would have needed DSA to know what private VID the switch chose for VLAN-unaware bridge ports, and pushed into the packets. This was implemented downstream, and a remnant of it remains in the form of a comment mentioning ds->ops->get_private_vid(), as something which would maybe need to be considered in the future. However, for upstream, it was deemed inappropriate, because it would mean introducing yet another behavior for stripping VLAN tags from VLAN-unaware bridge ports, when one already existed (ds->untag_bridge_pvid). The latter has been marked as obsolete along with an explanation why it is logically broken, but still, it would have been confusing. So, for upstream, felix_update_tag_8021q_rx_rule() was developed, which essentially changed the state of affairs from "Felix with ocelot-8021q delivers all packets as VLAN-tagged towards the CPU" into "Felix with ocelot-8021q delivers all packets from VLAN-aware bridge ports towards the CPU". This was done on the premise that in VLAN-unaware mode, there's nothing useful in the VLAN tags, and we can avoid introducing ds->ops->get_private_vid() in the DSA receive path if we configure the switch to not push those VLAN tags into packets in the first place. Unfortunately, and this is when the trainwreck started, the selftests developed initially and posted with the series were not re-ran. dsa_software_vlan_untag() was initially written given the assumption that users of this feature would send _all_ traffic as VLAN-tagged. It was only partially adapted to the new scheme, by removing ds->ops->get_private_vid(), which also used to be necessary in standalone ports mode. Where the trainwreck became even worse is that I had a second opportunity to think about this, when the dsa_software_vlan_untag() logic change initially broke sja1105, in commit 1f9fc48fd302 ("net: dsa: sja1105: fix reception from VLAN-unaware bridges"). I did not connect the dots that it also breaks ocelot-8021q, for pretty much the same reason that not all received packets will be VLAN-tagged. To be compatible with the optimized Felix control path which runs felix_update_tag_8021q_rx_rule() to only push VLAN tags when useful (in VLAN-aware mode), we need to restore the old dsa_software_vlan_untag() logic. The blamed commit introduced the assumption that dsa_software_vlan_untag() will see only VLAN-tagged packets, assumption which is false. What corrupts RX traffic is the fact that we call skb_vlan_untag() on packets which are not VLAN-tagged in the first place. Fixes: 93e4649efa96 ("net: dsa: provide a software untagging function on RX for VLAN-aware bridges") Reported-by: Robert Hodaszi Closes: https://lore.kernel.org/netdev/20241215163334.615427-1-robert.hodaszi@digi.com/ Signed-off-by: Vladimir Oltean Link: https://patch.msgid.link/20241216135059.1258266-1-vladimir.oltean@nxp.com Signed-off-by: Jakub Kicinski commit a713c017ef0e63e43b26fd77a5675cd877514f13 Merge: a17975992cc115 0c1683c681681c Author: Jakub Kicinski Date: Wed Dec 18 19:20:20 2024 -0800 Merge branch '200GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue Tony Nguyen says: ==================== idpf: trigger SW interrupt when exiting wb_on_itr mode Joshua Hay says: This patch series introduces SW triggered interrupt support for idpf, then uses said interrupt to fix a race condition between completion writebacks and re-enabling interrupts. * '200GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue: idpf: trigger SW interrupt when exiting wb_on_itr mode idpf: add support for SW triggered interrupts ==================== Link: https://patch.msgid.link/20241217225715.4005644-1-anthony.l.nguyen@intel.com Signed-off-by: Jakub Kicinski commit a17975992cc11588767175247ccaae1213a8b582 Author: Adrian Moreno Date: Tue Dec 17 22:16:51 2024 +0100 selftests: openvswitch: fix tcpdump execution Fix the way tcpdump is executed by: - Using the right variable for the namespace. Currently the use of the empty "ns" makes the command fail. - Waiting until it starts to capture to ensure the interesting traffic is caught on slow systems. - Using line-buffered output to ensure logs are available when the test is paused with "-p". Otherwise the last chunk of data might only be written when tcpdump is killed. Fixes: 74cc26f416b9 ("selftests: openvswitch: add interface support") Signed-off-by: Adrian Moreno Acked-by: Eelco Chaudron Link: https://patch.msgid.link/20241217211652.483016-1-amorenoz@redhat.com Signed-off-by: Jakub Kicinski commit d3ac65d274b3a93cf9cf9559fd1473ab65e00e10 Author: Leo Stone Date: Sun Dec 15 20:27:51 2024 -0800 mm: huge_memory: handle strsep not finding delimiter split_huge_pages_write() does not handle the case where strsep finds no delimiter in the given string and sets the input buffer to NULL, which allows this reproducer to trigger a protection fault. Link: https://lkml.kernel.org/r/20241216042752.257090-2-leocstone@gmail.com Signed-off-by: Leo Stone Reported-by: syzbot+8a3da2f1bbf59227c289@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=8a3da2f1bbf59227c289 Signed-off-by: Andrew Morton commit 60da7445a142bd15e67f3cda915497781c3f781f Author: Suren Baghdasaryan Date: Fri Nov 29 16:14:23 2024 -0800 alloc_tag: fix set_codetag_empty() when !CONFIG_MEM_ALLOC_PROFILING_DEBUG It was recently noticed that set_codetag_empty() might be used not only to mark NULL alloctag references as empty to avoid warnings but also to reset valid tags (in clear_page_tag_ref()). Since set_codetag_empty() is defined as NOOP for CONFIG_MEM_ALLOC_PROFILING_DEBUG=n, such use of set_codetag_empty() leads to subtle bugs. Fix set_codetag_empty() for CONFIG_MEM_ALLOC_PROFILING_DEBUG=n to reset the tag reference. Link: https://lkml.kernel.org/r/20241130001423.1114965-2-surenb@google.com Fixes: a8fc28dad6d5 ("alloc_tag: introduce clear_page_tag_ref() helper function") Signed-off-by: Suren Baghdasaryan Reported-by: David Wang <00107082@163.com> Closes: https://lore.kernel.org/lkml/20241124074318.399027-1-00107082@163.com/ Cc: David Wang <00107082@163.com> Cc: Kent Overstreet Cc: Mike Rapoport (Microsoft) Cc: Pasha Tatashin Cc: Sourav Panda Cc: Yu Zhao Cc: Signed-off-by: Andrew Morton commit e269b5d2916d7a696c2d2ed370cea95d95a0675a Author: Suren Baghdasaryan Date: Fri Nov 29 16:14:22 2024 -0800 alloc_tag: fix module allocation tags populated area calculation vm_module_tags_populate() calculation of the populated area assumes that area starts at a page boundary and therefore when new pages are allocation, the end of the area is page-aligned as well. If the start of the area is not page-aligned then allocating a page and incrementing the end of the area by PAGE_SIZE leads to an area at the end but within the area boundary which is not populated. Accessing this are will lead to a kernel panic. Fix the calculation by down-aligning the start of the area and using that as the location allocated pages are mapped to. [gehao@kylinos.cn: fix vm_module_tags_populate's KASAN poisoning logic] Link: https://lkml.kernel.org/r/20241205170528.81000-1-hao.ge@linux.dev [gehao@kylinos.cn: fix panic when CONFIG_KASAN enabled and CONFIG_KASAN_VMALLOC not enabled] Link: https://lkml.kernel.org/r/20241212072126.134572-1-hao.ge@linux.dev Link: https://lkml.kernel.org/r/20241130001423.1114965-1-surenb@google.com Fixes: 0f9b685626da ("alloc_tag: populate memory for module tags as needed") Signed-off-by: Suren Baghdasaryan Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-lkp/202411132111.6a221562-lkp@intel.com Acked-by: Yu Zhao Tested-by: Adrian Huang Cc: David Wang <00107082@163.com> Cc: Kent Overstreet Cc: Mike Rapoport (Microsoft) Cc: Pasha Tatashin Cc: Sourav Panda Cc: Signed-off-by: Andrew Morton commit 640a603943a7659340c10044c0a1c98ae4e13189 Author: David Wang <00107082@163.com> Date: Fri Dec 13 09:33:32 2024 +0800 mm/codetag: clear tags before swap When CONFIG_MEM_ALLOC_PROFILING_DEBUG is set, kernel WARN would be triggered when calling __alloc_tag_ref_set() during swap: alloc_tag was not cleared (got tag for mm/filemap.c:1951) WARNING: CPU: 0 PID: 816 at ./include/linux/alloc_tag.h... Clear code tags before swap can fix the warning. And this patch also fix a potential invalid address dereference in alloc_tag_add_check() when CONFIG_MEM_ALLOC_PROFILING_DEBUG is set and ref->ct is CODETAG_EMPTY, which is defined as ((void *)1). Link: https://lkml.kernel.org/r/20241213013332.89910-1-00107082@163.com Fixes: 51f43d5d82ed ("mm/codetag: swap tags when migrate pages") Signed-off-by: David Wang <00107082@163.com> Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-lkp/202412112227.df61ebb-lkp@intel.com Acked-by: Suren Baghdasaryan Cc: Kent Overstreet Cc: Yu Zhao Cc: Signed-off-by: Andrew Morton commit 30c2de0a267c04046d89e678cc0067a9cfb455df Author: Bart Van Assche Date: Thu Dec 12 13:31:26 2024 -0800 mm/vmstat: fix a W=1 clang compiler warning Fix the following clang compiler warning that is reported if the kernel is built with W=1: ./include/linux/vmstat.h:518:36: error: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Werror,-Wenum-enum-conversion] 518 | return node_stat_name(NR_LRU_BASE + lru) + 3; // skip "nr_" | ~~~~~~~~~~~ ^ ~~~ Link: https://lkml.kernel.org/r/20241212213126.1269116-1-bvanassche@acm.org Fixes: 9d7ea9a297e6 ("mm/vmstat: add helpers to get vmstat item names for each enum type") Signed-off-by: Bart Van Assche Cc: Konstantin Khlebnikov Cc: Nathan Chancellor Signed-off-by: Andrew Morton commit 42b2eb69835b0fda797f70eb5b4fc213dbe3a7ea Author: Usama Arif Date: Thu Dec 12 18:33:51 2024 +0000 mm: convert partially_mapped set/clear operations to be atomic Other page flags in the 2nd page, like PG_hwpoison and PG_anon_exclusive can get modified concurrently. Changes to other page flags might be lost if they are happening at the same time as non-atomic partially_mapped operations. Hence, make partially_mapped operations atomic. Link: https://lkml.kernel.org/r/20241212183351.1345389-1-usamaarif642@gmail.com Fixes: 8422acdc97ed ("mm: introduce a pageflag for partially mapped folios") Reported-by: David Hildenbrand Link: https://lore.kernel.org/all/e53b04ad-1827-43a2-a1ab-864c7efecf6e@redhat.com/ Signed-off-by: Usama Arif Acked-by: David Hildenbrand Acked-by: Johannes Weiner Acked-by: Roman Gushchin Cc: Barry Song Cc: Domenico Cerasuolo Cc: Jonathan Corbet Cc: Matthew Wilcox Cc: Mike Rapoport (Microsoft) Cc: Nico Pache Cc: Rik van Riel Cc: Ryan Roberts Cc: Shakeel Butt Cc: Yu Zhao Cc: Signed-off-by: Andrew Morton commit 6309b8ce98e9a18390b9fd8f03fc412f3c17aee9 Author: Ryusuke Konishi Date: Fri Dec 13 01:43:28 2024 +0900 nilfs2: fix buffer head leaks in calls to truncate_inode_pages() When block_invalidatepage was converted to block_invalidate_folio, the fallback to block_invalidatepage in folio_invalidate() if the address_space_operations method invalidatepage (currently invalidate_folio) was not set, was removed. Unfortunately, some pseudo-inodes in nilfs2 use empty_aops set by inode_init_always_gfp() as is, or explicitly set it to address_space_operations. Therefore, with this change, block_invalidatepage() is no longer called from folio_invalidate(), and as a result, the buffer_head structures attached to these pages/folios are no longer freed via try_to_free_buffers(). Thus, these buffer heads are now leaked by truncate_inode_pages(), which cleans up the page cache from inode evict(), etc. Three types of caches use empty_aops: gc inode caches and the DAT shadow inode used by GC, and b-tree node caches. Of these, b-tree node caches explicitly call invalidate_mapping_pages() during cleanup, which involves calling try_to_free_buffers(), so the leak was not visible during normal operation but worsened when GC was performed. Fix this issue by using address_space_operations with invalidate_folio set to block_invalidate_folio instead of empty_aops, which will ensure the same behavior as before. Link: https://lkml.kernel.org/r/20241212164556.21338-1-konishi.ryusuke@gmail.com Fixes: 7ba13abbd31e ("fs: Turn block_invalidatepage into block_invalidate_folio") Signed-off-by: Ryusuke Konishi Cc: [5.18+] Signed-off-by: Andrew Morton commit a2e740e216f5bf49ccb83b6d490c72a340558a43 Author: Matthew Wilcox (Oracle) Date: Wed Dec 11 20:25:37 2024 +0000 vmalloc: fix accounting with i915 If the caller of vmap() specifies VM_MAP_PUT_PAGES (currently only the i915 driver), we will decrement nr_vmalloc_pages and MEMCG_VMALLOC in vfree(). These counters are incremented by vmalloc() but not by vmap() so this will cause an underflow. Check the VM_MAP_PUT_PAGES flag before decrementing either counter. Link: https://lkml.kernel.org/r/20241211202538.168311-1-willy@infradead.org Fixes: b944afc9d64d ("mm: add a VM_MAP_PUT_PAGES flag for vmap") Signed-off-by: Matthew Wilcox (Oracle) Acked-by: Johannes Weiner Reviewed-by: Shakeel Butt Reviewed-by: Balbir Singh Acked-by: Michal Hocko Cc: Christoph Hellwig Cc: Muchun Song Cc: Roman Gushchin Cc: "Uladzislau Rezki (Sony)" Cc: Signed-off-by: Andrew Morton commit faeec8e23c10bd30e8aa759a2eb3018dae00f924 Author: David Hildenbrand Date: Tue Dec 10 10:34:37 2024 +0100 mm/page_alloc: don't call pfn_to_page() on possibly non-existent PFN in split_large_buddy() In split_large_buddy(), we might call pfn_to_page() on a PFN that might not exist. In corner cases, such as when freeing the highest pageblock in the last memory section, this could result with CONFIG_SPARSEMEM && !CONFIG_SPARSEMEM_EXTREME in __pfn_to_section() returning NULL and and __section_mem_map_addr() dereferencing that NULL pointer. Let's fix it, and avoid doing a pfn_to_page() call for the first iteration, where we already have the page. So far this was found by code inspection, but let's just CC stable as the fix is easy. Link: https://lkml.kernel.org/r/20241210093437.174413-1-david@redhat.com Fixes: fd919a85cd55 ("mm: page_isolation: prepare for hygienic freelists") Signed-off-by: David Hildenbrand Reported-by: Vlastimil Babka Closes: https://lkml.kernel.org/r/e1a898ba-a717-4d20-9144-29df1a6c8813@suse.cz Reviewed-by: Vlastimil Babka Reviewed-by: Zi Yan Acked-by: Johannes Weiner Cc: Yu Zhao Cc: Signed-off-by: Andrew Morton commit 8ac662f5da19f5873fdd94c48a5cdb45b2e1b58f Author: Lorenzo Stoakes Date: Tue Dec 10 17:24:12 2024 +0000 fork: avoid inappropriate uprobe access to invalid mm If dup_mmap() encounters an issue, currently uprobe is able to access the relevant mm via the reverse mapping (in build_map_info()), and if we are very unlucky with a race window, observe invalid XA_ZERO_ENTRY state which we establish as part of the fork error path. This occurs because uprobe_write_opcode() invokes anon_vma_prepare() which in turn invokes find_mergeable_anon_vma() that uses a VMA iterator, invoking vma_iter_load() which uses the advanced maple tree API and thus is able to observe XA_ZERO_ENTRY entries added to dup_mmap() in commit d24062914837 ("fork: use __mt_dup() to duplicate maple tree in dup_mmap()"). This change was made on the assumption that only process tear-down code would actually observe (and make use of) these values. However this very unlikely but still possible edge case with uprobes exists and unfortunately does make these observable. The uprobe operation prevents races against the dup_mmap() operation via the dup_mmap_sem semaphore, which is acquired via uprobe_start_dup_mmap() and dropped via uprobe_end_dup_mmap(), and held across register_for_each_vma() prior to invoking build_map_info() which does the reverse mapping lookup. Currently these are acquired and dropped within dup_mmap(), which exposes the race window prior to error handling in the invoking dup_mm() which tears down the mm. We can avoid all this by just moving the invocation of uprobe_start_dup_mmap() and uprobe_end_dup_mmap() up a level to dup_mm() and only release this lock once the dup_mmap() operation succeeds or clean up is done. This means that the uprobe code can never observe an incompletely constructed mm and resolves the issue in this case. Link: https://lkml.kernel.org/r/20241210172412.52995-1-lorenzo.stoakes@oracle.com Fixes: d24062914837 ("fork: use __mt_dup() to duplicate maple tree in dup_mmap()") Signed-off-by: Lorenzo Stoakes Reported-by: syzbot+2d788f4f7cb660dac4b7@syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/6756d273.050a0220.2477f.003d.GAE@google.com/ Cc: Adrian Hunter Cc: Alexander Shishkin Cc: Arnaldo Carvalho de Melo Cc: Ian Rogers Cc: Ingo Molnar Cc: Jann Horn Cc: Jiri Olsa Cc: Kan Liang Cc: Liam R. Howlett Cc: Mark Rutland Cc: Masami Hiramatsu Cc: Namhyung Kim Cc: Oleg Nesterov Cc: Peng Zhang Cc: Peter Zijlstra Cc: Vlastimil Babka Cc: David Hildenbrand Signed-off-by: Andrew Morton commit 901ce9705fbb9f330ff1f19600e5daf9770b0175 Author: Edward Adam Davis Date: Mon Dec 9 15:56:52 2024 +0900 nilfs2: prevent use of deleted inode syzbot reported a WARNING in nilfs_rmdir. [1] Because the inode bitmap is corrupted, an inode with an inode number that should exist as a ".nilfs" file was reassigned by nilfs_mkdir for "file0", causing an inode duplication during execution. And this causes an underflow of i_nlink in rmdir operations. The inode is used twice by the same task to unmount and remove directories ".nilfs" and "file0", it trigger warning in nilfs_rmdir. Avoid to this issue, check i_nlink in nilfs_iget(), if it is 0, it means that this inode has been deleted, and iput is executed to reclaim it. [1] WARNING: CPU: 1 PID: 5824 at fs/inode.c:407 drop_nlink+0xc4/0x110 fs/inode.c:407 ... Call Trace: nilfs_rmdir+0x1b0/0x250 fs/nilfs2/namei.c:342 vfs_rmdir+0x3a3/0x510 fs/namei.c:4394 do_rmdir+0x3b5/0x580 fs/namei.c:4453 __do_sys_rmdir fs/namei.c:4472 [inline] __se_sys_rmdir fs/namei.c:4470 [inline] __x64_sys_rmdir+0x47/0x50 fs/namei.c:4470 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Link: https://lkml.kernel.org/r/20241209065759.6781-1-konishi.ryusuke@gmail.com Fixes: d25006523d0b ("nilfs2: pathname operations") Signed-off-by: Ryusuke Konishi Reported-by: syzbot+9260555647a5132edd48@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=9260555647a5132edd48 Tested-by: syzbot+9260555647a5132edd48@syzkaller.appspotmail.com Signed-off-by: Edward Adam Davis Cc: Signed-off-by: Andrew Morton commit 74363ec674cb172d8856de25776c8f3103f05e2f Author: Kairui Song Date: Tue Dec 10 00:57:16 2024 +0800 zram: fix uninitialized ZRAM not releasing backing device Setting backing device is done before ZRAM initialization. If we set the backing device, then remove the ZRAM module without initializing the device, the backing device reference will be leaked and the device will be hold forever. Fix this by always reset the ZRAM fully on rmmod or reset store. Link: https://lkml.kernel.org/r/20241209165717.94215-3-ryncsn@gmail.com Fixes: 013bf95a83ec ("zram: add interface to specif backing device") Signed-off-by: Kairui Song Reported-by: Desheng Wu Suggested-by: Sergey Senozhatsky Reviewed-by: Sergey Senozhatsky Cc: Signed-off-by: Andrew Morton commit be48c412f6ebf38849213c19547bc6d5b692b5e5 Author: Kairui Song Date: Tue Dec 10 00:57:15 2024 +0800 zram: refuse to use zero sized block device as backing device Patch series "zram: fix backing device setup issue", v2. This series fixes two bugs of backing device setting: - ZRAM should reject using a zero sized (or the uninitialized ZRAM device itself) as the backing device. - Fix backing device leaking when removing a uninitialized ZRAM device. This patch (of 2): Setting a zero sized block device as backing device is pointless, and one can easily create a recursive loop by setting the uninitialized ZRAM device itself as its own backing device by (zram0 is uninitialized): echo /dev/zram0 > /sys/block/zram0/backing_dev It's definitely a wrong config, and the module will pin itself, kernel should refuse doing so in the first place. By refusing to use zero sized device we avoided misuse cases including this one above. Link: https://lkml.kernel.org/r/20241209165717.94215-1-ryncsn@gmail.com Link: https://lkml.kernel.org/r/20241209165717.94215-2-ryncsn@gmail.com Fixes: 013bf95a83ec ("zram: add interface to specif backing device") Signed-off-by: Kairui Song Reported-by: Desheng Wu Reviewed-by: Sergey Senozhatsky Cc: Signed-off-by: Andrew Morton commit c51a4f11e6d8246590b5e64908c1ed84b33e8ba2 Author: Zi Yan Date: Mon Dec 9 13:23:26 2024 -0500 mm: use clear_user_(high)page() for arch with special user folio handling Some architectures have special handling after clearing user folios: architectures, which set cpu_dcache_is_aliasing() to true, require flushing dcache; arc, which sets cpu_icache_is_aliasing() to true, changes folio->flags to make icache coherent to dcache. So __GFP_ZERO using only clear_page() is not enough to zero user folios and clear_user_(high)page() must be used. Otherwise, user data will be corrupted. Fix it by always clearing user folios with clear_user_(high)page() when cpu_dcache_is_aliasing() is true or cpu_icache_is_aliasing() is true. Rename alloc_zeroed() to user_alloc_needs_zeroing() and invert the logic to clarify its intend. Link: https://lkml.kernel.org/r/20241209182326.2955963-2-ziy@nvidia.com Fixes: 5708d96da20b ("mm: avoid zeroing user movable page twice with init_on_alloc=1") Signed-off-by: Zi Yan Reported-by: Geert Uytterhoeven Closes: https://lore.kernel.org/linux-mm/CAMuHMdV1hRp_NtR5YnJo=HsfgKQeH91J537Gh4gKk3PFZhSkbA@mail.gmail.com/ Tested-by: Geert Uytterhoeven Acked-by: Vlastimil Babka Cc: Alexander Potapenko Cc: David Hildenbrand Cc: John Hubbard Cc: Kees Cook Cc: Kefeng Wang Cc: Mathieu Desnoyers Cc: Matthew Wilcox Cc: Miaohe Lin Cc: Ryan Roberts Cc: Vineet Gupta Signed-off-by: Andrew Morton commit 5c0541e11c16bd2f162e23a22d07c09d58017e5a Author: Zi Yan Date: Mon Dec 9 13:23:25 2024 -0500 mm: introduce cpu_icache_is_aliasing() across all architectures In commit eacd0e950dc2 ("ARC: [mm] Lazy D-cache flush (non aliasing VIPT)"), arc adds the need to flush dcache to make icache see the code page change. This also requires special handling for clear_user_(high)page(). Introduce cpu_icache_is_aliasing() to make MM code query special clear_user_(high)page() easier. This will be used by the following commit. Link: https://lkml.kernel.org/r/20241209182326.2955963-1-ziy@nvidia.com Fixes: 5708d96da20b ("mm: avoid zeroing user movable page twice with init_on_alloc=1") Signed-off-by: Zi Yan Suggested-by: Mathieu Desnoyers Reviewed-by: Mathieu Desnoyers Acked-by: Vlastimil Babka Cc: Alexander Potapenko Cc: David Hildenbrand Cc: Geert Uytterhoeven Cc: John Hubbard Cc: Kees Cook Cc: Kefeng Wang Cc: Matthew Wilcox Cc: Miaohe Lin Cc: Ryan Roberts Cc: Vineet Gupta Signed-off-by: Andrew Morton commit 31c5629920b82ddf66059f20f79be2bc00c4197b Author: Petr Malat Date: Tue Dec 10 01:06:04 2024 +0100 mm: add RCU annotation to pte_offset_map(_lock) RCU lock is taken by ___pte_offset_map() unless it returns NULL. Add this information to its inline callers to avoid sparse warning about context imbalance in pte_unmap(). Link: https://lkml.kernel.org/r/20241210000604.700710-1-oss@malat.biz Signed-off-by: Petr Malat Signed-off-by: Andrew Morton commit 42c4e4b20d9c4651903c4afc53a4ff18b7451b3e Author: Lorenzo Stoakes Date: Fri Dec 6 21:52:29 2024 +0000 mm: correctly reference merged VMA On second merge attempt on mmap() we incorrectly discard the possibly merged VMA, resulting in a possible use-after-free (and most certainly a reference to the wrong VMA) in this instance in the subsequent __mmap_complete() invocation. Correct this mistake by reassigning vma correctly if a merge succeeds in this case. Link: https://lkml.kernel.org/r/20241206215229.244413-1-lorenzo.stoakes@oracle.com Fixes: 5ac87a885aec ("mm: defer second attempt at merge on mmap()") Signed-off-by: Lorenzo Stoakes Suggested-by: Jann Horn Reported-by: syzbot+91cf8da9401355f946c3@syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/67536a25.050a0220.a30f1.0149.GAE@google.com/ Reviewed-by: Liam R. Howlett Reviewed-by: Vlastimil Babka Signed-off-by: Andrew Morton commit f5d09de9f1bf9674c6418ff10d0a40cfe29268e1 Author: Kefeng Wang Date: Mon Oct 28 22:56:56 2024 +0800 mm: use aligned address in copy_user_gigantic_page() In current kernel, hugetlb_wp() calls copy_user_large_folio() with the fault address. Where the fault address may be not aligned with the huge page size. Then, copy_user_large_folio() may call copy_user_gigantic_page() with the address, while copy_user_gigantic_page() requires the address to be huge page size aligned. So, this may cause memory corruption or information leak, addtional, use more obvious naming 'addr_hint' instead of 'addr' for copy_user_gigantic_page(). Link: https://lkml.kernel.org/r/20241028145656.932941-2-wangkefeng.wang@huawei.com Fixes: 530dd9926dc1 ("mm: memory: improve copy_user_large_folio()") Signed-off-by: Kefeng Wang Reviewed-by: David Hildenbrand Cc: Huang Ying Cc: Matthew Wilcox (Oracle) Cc: Muchun Song Cc: Signed-off-by: Andrew Morton commit 8aca2bc96c833ba695ede7a45ad7784c836a262e Author: Kefeng Wang Date: Mon Oct 28 22:56:55 2024 +0800 mm: use aligned address in clear_gigantic_page() In current kernel, hugetlb_no_page() calls folio_zero_user() with the fault address. Where the fault address may be not aligned with the huge page size. Then, folio_zero_user() may call clear_gigantic_page() with the address, while clear_gigantic_page() requires the address to be huge page size aligned. So, this may cause memory corruption or information leak, addtional, use more obvious naming 'addr_hint' instead of 'addr' for clear_gigantic_page(). Link: https://lkml.kernel.org/r/20241028145656.932941-1-wangkefeng.wang@huawei.com Fixes: 78fefd04c123 ("mm: memory: convert clear_huge_page() to folio_zero_user()") Signed-off-by: Kefeng Wang Reviewed-by: "Huang, Ying" Reviewed-by: David Hildenbrand Cc: Matthew Wilcox (Oracle) Cc: Muchun Song Cc: Signed-off-by: Andrew Morton commit dad2dc9c92e0f93f33cebcb0595b8daa3d57473f Author: Hugh Dickins Date: Wed Dec 4 22:50:06 2024 -0800 mm: shmem: fix ShmemHugePages at swapout /proc/meminfo ShmemHugePages has been showing overlarge amounts (more than Shmem) after swapping out THPs: we forgot to update NR_SHMEM_THPS. Add shmem_update_stats(), to avoid repetition, and risk of making that mistake again: the call from shmem_delete_from_page_cache() is the bugfix; the call from shmem_replace_folio() is reassuring, but not really a bugfix (replace corrects misplaced swapin readahead, but huge swapin readahead would be a mistake). Link: https://lkml.kernel.org/r/5ba477c8-a569-70b5-923e-09ab221af45b@google.com Fixes: 809bc86517cc ("mm: shmem: support large folio swap out") Signed-off-by: Hugh Dickins Reviewed-by: Shakeel Butt Reviewed-by: Yosry Ahmed Reviewed-by: Baolin Wang Tested-by: Baolin Wang Cc: Signed-off-by: Andrew Morton commit 7782e3b3b004e8cb94a88621a22cc3c2f33e5b90 Author: Heming Zhao Date: Thu Dec 5 18:48:33 2024 +0800 ocfs2: fix the space leak in LA when releasing LA Commit 30dd3478c3cd ("ocfs2: correctly use ocfs2_find_next_zero_bit()") introduced an issue, the ocfs2_sync_local_to_main() ignores the last contiguous free bits, which causes an OCFS2 volume to lose the last free clusters of LA window during the release routine. Please note, because commit dfe6c5692fb5 ("ocfs2: fix the la space leak when unmounting an ocfs2 volume") was reverted, this commit is a replacement fix for commit dfe6c5692fb5. Link: https://lkml.kernel.org/r/20241205104835.18223-3-heming.zhao@suse.com Fixes: 30dd3478c3cd ("ocfs2: correctly use ocfs2_find_next_zero_bit()") Signed-off-by: Heming Zhao Suggested-by: Joseph Qi Reviewed-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Changwei Ge Cc: Jun Piao Cc: Signed-off-by: Andrew Morton commit 1a72d2ebeec51f10e5b0f0609c6754e92b11ee9d Author: Heming Zhao Date: Thu Dec 5 18:48:32 2024 +0800 ocfs2: revert "ocfs2: fix the la space leak when unmounting an ocfs2 volume" Patch series "Revert ocfs2 commit dfe6c5692fb5 and provide a new fix". SUSE QA team detected a mistake in my commit dfe6c5692fb5 ("ocfs2: fix the la space leak when unmounting an ocfs2 volume"). I am very sorry for my error. (If my eyes are correct) From the mailling list mails, this patch shouldn't be applied to 4.19 5.4 5.10 5.15 6.1 6.6, and these branches should perform a revert operation. Reason for revert: In commit dfe6c5692fb5, I mistakenly wrote: "This bug has existed since the initial OCFS2 code.". The statement is wrong. The correct introduction commit is 30dd3478c3cd. IOW, if the branch doesn't include 30dd3478c3cd, dfe6c5692fb5 should also not be included. This reverts commit dfe6c5692fb5 ("ocfs2: fix the la space leak when unmounting an ocfs2 volume"). In commit dfe6c5692fb5, the commit log "This bug has existed since the initial OCFS2 code." is wrong. The correct introduction commit is 30dd3478c3cd ("ocfs2: correctly use ocfs2_find_next_zero_bit()"). The influence of commit dfe6c5692fb5 is that it provides a correct fix for the latest kernel. however, it shouldn't be pushed to stable branches. Let's use this commit to revert all branches that include dfe6c5692fb5 and use a new fix method to fix commit 30dd3478c3cd. Link: https://lkml.kernel.org/r/20241205104835.18223-1-heming.zhao@suse.com Link: https://lkml.kernel.org/r/20241205104835.18223-2-heming.zhao@suse.com Fixes: dfe6c5692fb5 ("ocfs2: fix the la space leak when unmounting an ocfs2 volume") Signed-off-by: Heming Zhao Reviewed-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Changwei Ge Cc: Jun Piao Cc: Signed-off-by: Andrew Morton commit da5bd7fa789ae212ac18ebc3ac52b7f2ce1781da Author: Huang Ying Date: Thu Dec 5 20:42:01 2024 +0800 mailmap: add entry for Ying Huang Map my old company email to my personal email. Link: https://lkml.kernel.org/r/20241205124201.529308-1-huang.ying.caritas@gmail.com Signed-off-by: "Huang, Ying" Signed-off-by: Andrew Morton commit 6a75f19af16ff482cfd6085c77123aa0f464f8dd Author: Isaac J. Manjarres Date: Thu Dec 5 11:29:41 2024 -0800 selftests/memfd: run sysctl tests when PID namespace support is enabled The sysctl tests for vm.memfd_noexec rely on the kernel to support PID namespaces (i.e. the kernel is built with CONFIG_PID_NS=y). If the kernel the test runs on does not support PID namespaces, the first sysctl test will fail when attempting to spawn a new thread in a new PID namespace, abort the test, preventing the remaining tests from being run. This is not desirable, as not all kernels need PID namespaces, but can still use the other features provided by memfd. Therefore, only run the sysctl tests if the kernel supports PID namespaces. Otherwise, skip those tests and emit an informative message to let the user know why the sysctl tests are not being run. Link: https://lkml.kernel.org/r/20241205192943.3228757-1-isaacmanjarres@google.com Fixes: 11f75a01448f ("selftests/memfd: add tests for MFD_NOEXEC_SEAL MFD_EXEC") Signed-off-by: Isaac J. Manjarres Reviewed-by: Jeff Xu Cc: Suren Baghdasaryan Cc: Kalesh Singh Cc: [6.6+] Signed-off-by: Andrew Morton commit dbf8be8218e7ff2ee2bbeebc91bf0e0c58a8c60b Author: Lorenzo Stoakes Date: Fri Nov 8 13:57:06 2024 +0000 docs/mm: add VMA locks documentation Locking around VMAs is complicated and confusing. While we have a number of disparate comments scattered around the place, we seem to be reaching a level of complexity that justifies a serious effort at clearly documenting how locks are expected to be used when it comes to interacting with mm_struct and vm_area_struct objects. This is especially pertinent as regards the efforts to find sensible abstractions for these fundamental objects in kernel rust code whose compiler strictly requires some means of expressing these rules (and through this expression, self-document these requirements as well as enforce them). The document limits scope to mmap and VMA locks and those that are immediately adjacent and relevant to them - so additionally covers page table locking as this is so very closely tied to VMA operations (and relies upon us handling these correctly). The document tries to cover some of the nastier and more confusing edge cases and concerns especially around lock ordering and page table teardown. The document is split between generally useful information for users of mm interfaces, and separately a section intended for mm kernel developers providing a discussion around internal implementation details. [lorenzo.stoakes@oracle.com: v3] Link: https://lkml.kernel.org/r/20241114205402.859737-1-lorenzo.stoakes@oracle.com [lorenzo.stoakes@oracle.com: docs/mm: minor corrections] Link: https://lkml.kernel.org/r/d3de735a-25ae-4eb2-866c-a9624fe6f795@lucifer.local [jannh@google.com: docs/mm: add more warnings around page table access] Link: https://lkml.kernel.org/r/20241118-vma-docs-addition1-onv3-v2-1-c9d5395b72ee@google.com Link: https://lkml.kernel.org/r/20241108135708.48567-1-lorenzo.stoakes@oracle.com Signed-off-by: Lorenzo Stoakes Acked-by: Qi Zheng Acked-by: Mike Rapoport (Microsoft) Reviewed-by: Bagas Sanjaya Reviewed-by: Jann Horn Cc: Alice Ryhl Cc: Boqun Feng Cc: Hillf Danton Cc: Jonathan Corbet Cc: Liam R. Howlett Cc: Matthew Wilcox Cc: SeongJae Park Cc: Suren Baghdasaryan Cc: Vlastimil Babka Signed-off-by: Andrew Morton commit dbfca1641e697fa088a1cd7e305b47db1dfd3567 Merge: 5c964c8a97c121 87f54c12195150 Author: Jakub Kicinski Date: Wed Dec 18 17:51:38 2024 -0800 Merge tag 'linux-can-fixes-for-6.13-20241218' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can Marc Kleine-Budde says: ==================== pull-request: can 2024-12-18 There are 2 patches by Matthias Schiffer for the m_can_pci driver that handles the m_can cores found on the Intel Elkhart Lake processor. They fix the initialization and the interrupt handling under high CAN bus load. * tag 'linux-can-fixes-for-6.13-20241218' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can: can: m_can: fix missed interrupts with m_can_pci can: m_can: set init flag earlier in probe ==================== Link: https://patch.msgid.link/20241218121722.2311963-1-mkl@pengutronix.de Signed-off-by: Jakub Kicinski commit 5c964c8a97c12145104f5d2782aa1ffccf3a93dd Author: Martin Hou Date: Mon Dec 16 11:06:18 2024 +0800 net: usb: qmi_wwan: add Quectel RG255C Add support for Quectel RG255C which is based on Qualcomm SDX35 chip. The composition is DM / NMEA / AT / QMI. T: Bus=01 Lev=01 Prnt=01 Port=04 Cnt=01 Dev#= 2 Spd=480 MxCh= 0 D: Ver= 2.01 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=2c7c ProdID=0316 Rev= 5.15 S: Manufacturer=Quectel S: Product=RG255C-CN S: SerialNumber=c68192c1 C:* #Ifs= 4 Cfg#= 1 Atr=a0 MxPwr=500mA I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan E: Ad=86(I) Atr=03(Int.) MxPS= 8 Ivl=32ms E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms Signed-off-by: Martin Hou Link: https://patch.msgid.link/tencent_17DDD787B48E8A5AB8379ED69E23A0CD9309@qq.com Signed-off-by: Jakub Kicinski commit 12d908116f7efd34f255a482b9afc729d7a5fb78 Author: Jann Horn Date: Wed Dec 18 17:56:25 2024 +0100 io_uring: Fix registered ring file refcount leak Currently, io_uring_unreg_ringfd() (which cleans up registered rings) is only called on exit, but __io_uring_free (which frees the tctx in which the registered ring pointers are stored) is also called on execve (via begin_new_exec -> io_uring_task_cancel -> __io_uring_cancel -> io_uring_cancel_generic -> __io_uring_free). This means: A process going through execve while having registered rings will leak references to the rings' `struct file`. Fix it by zapping registered rings on execve(). This is implemented by moving the io_uring_unreg_ringfd() from io_uring_files_cancel() into its callee __io_uring_cancel(), which is called from io_uring_task_cancel() on execve. This could probably be exploited *on 32-bit kernels* by leaking 2^32 references to the same ring, because the file refcount is stored in a pointer-sized field and get_file() doesn't have protection against refcount overflow, just a WARN_ONCE(); but on 64-bit it should have no impact beyond a memory leak. Cc: stable@vger.kernel.org Fixes: e7a6c00dc77a ("io_uring: add support for registering ring file descriptors") Signed-off-by: Jann Horn Link: https://lore.kernel.org/r/20241218-uring-reg-ring-cleanup-v1-1-8f63e999045b@google.com Signed-off-by: Jens Axboe commit cff865c700711ecc3824b2dfe181637f3ed23c80 Author: Arnd Bergmann Date: Tue Dec 17 09:10:34 2024 +0100 net: phy: avoid undefined behavior in *_led_polarity_set() gcc runs into undefined behavior at the end of the three led_polarity_set() callback functions if it were called with a zero 'modes' argument and it just ends the function there without returning from it. This gets flagged by 'objtool' as a function that continues on to the next one: drivers/net/phy/aquantia/aquantia_leds.o: warning: objtool: aqr_phy_led_polarity_set+0xf: can't find jump dest instruction at .text+0x5d9 drivers/net/phy/intel-xway.o: warning: objtool: xway_gphy_led_polarity_set() falls through to next function xway_gphy_config_init() drivers/net/phy/mxl-gpy.o: warning: objtool: gpy_led_polarity_set() falls through to next function gpy_led_hw_control_get() There is no point to micro-optimize the behavior here to save a single-digit number of bytes in the kernel, so just change this to a "return -EINVAL" as we do when any unexpected bits are set. Fixes: 1758af47b98c ("net: phy: intel-xway: add support for PHY LEDs") Fixes: 9d55e68b19f2 ("net: phy: aquantia: correctly describe LED polarity override") Fixes: eb89c79c1b8f ("net: phy: mxl-gpy: correctly describe LED polarity") Signed-off-by: Arnd Bergmann Reviewed-by: Andrew Lunn Link: https://patch.msgid.link/20241217081056.238792-1-arnd@kernel.org Signed-off-by: Jakub Kicinski commit b3ded6072c5600704cfa3ce3a8dc8718d34bda66 Author: Hans de Goede Date: Sat Nov 16 21:36:47 2024 +0100 power: supply: bq24190: Fix BQ24296 Vbus regulator support There are 2 issues with bq24296_set_otg_vbus(): 1. When writing the OTG_CONFIG bit it uses POC_CHG_CONFIG_SHIFT which should be POC_OTG_CONFIG_SHIFT. 2. When turning the regulator off it never turns charging back on. Note this must be done through bq24190_charger_set_charge_type(), to ensure that the charge_type property value of none/trickle/fast is honored. Resolve both issues to fix BQ24296 Vbus regulator support not working. Fixes: b150a703b56f ("power: supply: bq24190_charger: Add support for BQ24296") Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20241116203648.169100-2-hdegoede@redhat.com Signed-off-by: Sebastian Reichel commit 70b6f46a4ed8bd56c85ffff22df91e20e8c85e33 Author: Phil Sutter Date: Tue Dec 17 20:56:55 2024 +0100 netfilter: ipset: Fix for recursive locking warning With CONFIG_PROVE_LOCKING, when creating a set of type bitmap:ip, adding it to a set of type list:set and populating it from iptables SET target triggers a kernel warning: | WARNING: possible recursive locking detected | 6.12.0-rc7-01692-g5e9a28f41134-dirty #594 Not tainted | -------------------------------------------- | ping/4018 is trying to acquire lock: | ffff8881094a6848 (&set->lock){+.-.}-{2:2}, at: ip_set_add+0x28c/0x360 [ip_set] | | but task is already holding lock: | ffff88811034c048 (&set->lock){+.-.}-{2:2}, at: ip_set_add+0x28c/0x360 [ip_set] This is a false alarm: ipset does not allow nested list:set type, so the loop in list_set_kadd() can never encounter the outer set itself. No other set type supports embedded sets, so this is the only case to consider. To avoid the false report, create a distinct lock class for list:set type ipset locks. Fixes: f830837f0eed ("netfilter: ipset: list:set set type support") Signed-off-by: Phil Sutter Signed-off-by: Pablo Neira Ayuso commit cf2c97423a4f89c8b798294d3f34ecfe7e7035c3 Author: David Laight Date: Sat Dec 14 17:30:53 2024 +0000 ipvs: Fix clamp() of ip_vs_conn_tab on small memory systems The 'max_avail' value is calculated from the system memory size using order_base_2(). order_base_2(x) is defined as '(x) ? fn(x) : 0'. The compiler generates two copies of the code that follows and then expands clamp(max, min, PAGE_SHIFT - 12) (11 on 32bit). This triggers a compile-time assert since min is 5. In reality a system would have to have less than 512MB memory for the bounds passed to clamp to be reversed. Swap the order of the arguments to clamp() to avoid the warning. Replace the clamp_val() on the line below with clamp(). clamp_val() is just 'an accident waiting to happen' and not needed here. Detected by compile time checks added to clamp(), specifically: minmax.h: use BUILD_BUG_ON_MSG() for the lo < hi test in clamp() Reported-by: Linux Kernel Functional Testing Closes: https://lore.kernel.org/all/CA+G9fYsT34UkGFKxus63H6UVpYi5GRZkezT9MRLfAbM3f6ke0g@mail.gmail.com/ Fixes: 4f325e26277b ("ipvs: dynamically limit the connection hash table") Tested-by: Bartosz Golaszewski Reviewed-by: Bartosz Golaszewski Signed-off-by: David Laight Acked-by: Julian Anastasov Signed-off-by: Pablo Neira Ayuso commit eabcdba3ad4098460a376538df2ae36500223c1e Merge: b69810f38cb01f dfb92681a19e1d Author: Linus Torvalds Date: Wed Dec 18 14:17:21 2024 -0800 Merge tag 'for-6.13-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux Pull btrfs fixes from David Sterba: - tree-checker catches invalid number of inline extent references - zoned mode fixes: - enhance zone append IO command so it also detects emulated writes - handle bio splitting at sectorsize boundary - when deleting a snapshot, fix a condition for visiting nodes in reloc trees * tag 'for-6.13-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux: btrfs: tree-checker: reject inline extent items with 0 ref count btrfs: split bios to the fs sector size boundary btrfs: use bio_is_zone_append() in the completion handler btrfs: fix improper generation check in snapshot delete commit e96d8b80afd3f63ffad58c0fdd5e0c380c4c404e Author: Oliver Upton Date: Tue Dec 17 09:56:11 2024 -0800 KVM: arm64: Only apply PMCR_EL0.P to the guest range of counters An important distinction from other registers affected by HPMN is that PMCR_EL0 only affects the guest range of counters, regardless of the EL from which it is accessed. Ensure that PMCR_EL0.P is always applied to 'guest' counters by manually computing the mask rather than deriving it from the current context. Reviewed-by: Marc Zyngier Link: https://lore.kernel.org/r/20241217175611.3658290-1-oliver.upton@linux.dev Signed-off-by: Oliver Upton commit d3ba35b69eaed060bbc92a99bf027627bad170eb Author: Oliver Upton Date: Tue Dec 17 09:55:50 2024 -0800 KVM: arm64: nv: Reload PMU events upon MDCR_EL2.HPME change MDCR_EL2.HPME is the 'global' enable bit for event counters reserved for EL2. Give the PMU a kick when it's changed to ensure events are reprogrammed before returning to the guest. Reviewed-by: Marc Zyngier Link: https://lore.kernel.org/r/20241217175550.3658212-1-oliver.upton@linux.dev Signed-off-by: Oliver Upton commit adf8623b3f51e9c7eb18a7bb0381093f31053e38 Author: Oliver Upton Date: Tue Dec 17 09:55:32 2024 -0800 KVM: arm64: Use KVM_REQ_RELOAD_PMU to handle PMCR_EL0.E change Nested virt introduces yet another set of 'global' knobs for controlling event counters that are reserved for EL2 (i.e. >= HPMN). Get ready to share some plumbing with the NV controls by offloading counter reprogramming to KVM_REQ_RELOAD_PMU. Reviewed-by: Marc Zyngier Link: https://lore.kernel.org/r/20241217175532.3658134-1-oliver.upton@linux.dev Signed-off-by: Oliver Upton commit e22c369520d0a2a191820cc308f81a860b1b8d47 Author: Oliver Upton Date: Tue Dec 17 09:55:13 2024 -0800 KVM: arm64: Add unified helper for reprogramming counters by mask Having separate helpers for enabling/disabling counters provides the wrong abstraction, as the state of each counter needs to be evaluated independently and, in some cases, use a different global enable bit. Collapse the enable/disable accessors into a single, common helper that reconfigures every counter set in @mask, leaving the complexity of determining if an event is actually enabled in kvm_pmu_counter_is_enabled(). Reviewed-by: Marc Zyngier Link: https://lore.kernel.org/r/20241217175513.3658056-1-oliver.upton@linux.dev Signed-off-by: Oliver Upton commit 985bb51f17abbe83c697a5ac0aa40fad5f4e00f4 Author: Quentin Perret Date: Thu Nov 28 15:44:06 2024 +0000 KVM: arm64: Always check the state from hyp_ack_unshare() There are multiple pKVM memory transitions where the state of a page is not cross-checked from the completer's PoV for performance reasons. For example, if a page is PKVM_PAGE_OWNED from the initiator's PoV, we should be guaranteed by construction that it is PKVM_NOPAGE for everybody else, hence allowing us to save a page-table lookup. When it was introduced, hyp_ack_unshare() followed that logic and bailed out without checking the PKVM_PAGE_SHARED_BORROWED state in the hypervisor's stage-1. This was correct as we could safely assume that all host-initiated shares were directed at the hypervisor at the time. But with the introduction of other types of shares (e.g. for FF-A or non-protected guests), it is now very much required to cross check this state to prevent the host from running __pkvm_host_unshare_hyp() on a page shared with TZ or a non-protected guest. Thankfully, if an attacker were to try this, the hyp_unmap() call from hyp_complete_unshare() would fail, hence causing to WARN() from __do_unshare() with the host lock held, which is fatal. But this is fragile at best, and can hardly be considered a security measure. Let's just do the right thing and always check the state from hyp_ack_unshare(). Signed-off-by: Quentin Perret Acked-by: Will Deacon Link: https://lore.kernel.org/r/20241128154406.602875-1-qperret@google.com Signed-off-by: Oliver Upton commit b69810f38cb01fbc958190de43f1a02247f56a9c Merge: 397d1d88af2670 76467a94810c2a Author: Linus Torvalds Date: Wed Dec 18 12:52:57 2024 -0800 Merge tag 'cxl-fixes-6.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl Pull cxl fixes from Ira Weiny: - prevent probe failure when non-critical RAS unmasking fails - fix CXL 1.1 link status sysfs attribute - fix 4 way (and greater) switch interleave region creation * tag 'cxl-fixes-6.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl: cxl/region: Fix region creation for greater than x2 switches cxl/pci: Check dport->regs.rcd_pcie_cap availability before accessing cxl/pci: Fix potential bogus return value upon successful probing commit 3abb660f9e18925468685591a3702bda05faba4f Author: Alex Deucher Date: Thu Dec 12 16:49:20 2024 -0500 drm/amdgpu/nbio7.0: fix IP version check Use the helper function rather than reading it directly. Reviewed-by: Yang Wang Signed-off-by: Alex Deucher (cherry picked from commit 0ec43fbece784215d3c4469973e4556d70bce915) Cc: stable@vger.kernel.org commit a7f9d98eb1202132014ba760c26ad8608ffc9caf Author: Mario Limonciello Date: Tue Dec 10 20:44:14 2024 -0600 drm/amd: Update strapping for NBIO 2.5.0 This helps to avoid a spurious PME event on hotplug to Azalia. Cc: Vijendar Mukunda Reported-and-tested-by: ionut_n2001@yahoo.com Closes: https://bugzilla.kernel.org/show_bug.cgi?id=215884 Tested-by: Gabriel Marcano Acked-by: Alex Deucher Link: https://lore.kernel.org/r/20241211024414.7840-1-mario.limonciello@amd.com Signed-off-by: Mario Limonciello Signed-off-by: Alex Deucher (cherry picked from commit 3f6f237b9dd189e1fb85b8a3f7c97a8f27c1e49a) Cc: stable@vger.kernel.org commit 397d1d88af2670db9c73d2806ae270b147e6f949 Merge: c061cf420ded39 900f83cf376bda Author: Linus Torvalds Date: Wed Dec 18 12:10:15 2024 -0800 Merge tag 'selinux-pr-20241217' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux Pull selinux fix from Paul Moore: "One small SELinux patch to get rid improve our handling of unknown extended permissions by safely ignoring them. Not only does this make it easier to support newer SELinux policy on older kernels in the future, it removes to BUG() calls from the SELinux code." * tag 'selinux-pr-20241217' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: selinux: ignore unknown extended permissions commit 0674188f2f4d38d74aa863f17373d76256f2ed09 Author: Huacai Chen Date: Tue Dec 17 15:37:04 2024 +0800 ACPI: EC: Enable EC support on LoongArch by default Commit a6021aa24f6417416d933 ("ACPI: EC: make EC support compile-time conditional") only enable ACPI_EC on X86 by default, but the embedded controller is also widely used on LoongArch laptops so we also enable ACPI_EC for LoongArch. The laptop driver cannot work without EC, so also update the dependency of LOONGSON_LAPTOP to let it depend on APCI_EC. Fixes: a6021aa24f6417416d933 ("ACPI: EC: make EC support compile-time conditional") Reported-by: Xiaotian Wu Tested-by: Binbin Zhou Signed-off-by: Huacai Chen Link: https://patch.msgid.link/20241217073704.3339587-1-chenhuacai@loongson.cn [ rjw: Added Fixes: ] Signed-off-by: Rafael J. Wysocki commit 8cd63406d08110c8098e1efda8aef7ddab4db348 Author: Steven Rostedt Date: Wed Dec 18 14:15:07 2024 -0500 trace/ring-buffer: Do not use TP_printk() formatting for boot mapped buffers The TP_printk() of a TRACE_EVENT() is a generic printf format that any developer can create for their event. It may include pointers to strings and such. A boot mapped buffer may contain data from a previous kernel where the strings addresses are different. One solution is to copy the event content and update the pointers by the recorded delta, but a simpler solution (for now) is to just use the print_fields() function to print these events. The print_fields() function just iterates the fields and prints them according to what type they are, and ignores the TP_printk() format from the event itself. To understand the difference, when printing via TP_printk() the output looks like this: 4582.696626: kmem_cache_alloc: call_site=getname_flags+0x47/0x1f0 ptr=00000000e70e10e0 bytes_req=4096 bytes_alloc=4096 gfp_flags=GFP_KERNEL node=-1 accounted=false 4582.696629: kmem_cache_alloc: call_site=alloc_empty_file+0x6b/0x110 ptr=0000000095808002 bytes_req=360 bytes_alloc=384 gfp_flags=GFP_KERNEL node=-1 accounted=false 4582.696630: kmem_cache_alloc: call_site=security_file_alloc+0x24/0x100 ptr=00000000576339c3 bytes_req=16 bytes_alloc=16 gfp_flags=GFP_KERNEL|__GFP_ZERO node=-1 accounted=false 4582.696653: kmem_cache_free: call_site=do_sys_openat2+0xa7/0xd0 ptr=00000000e70e10e0 name=names_cache But when printing via print_fields() (echo 1 > /sys/kernel/tracing/options/fields) the same event output looks like this: 4582.696626: kmem_cache_alloc: call_site=0xffffffff92d10d97 (-1831793257) ptr=0xffff9e0e8571e000 (-107689771147264) bytes_req=0x1000 (4096) bytes_alloc=0x1000 (4096) gfp_flags=0xcc0 (3264) node=0xffffffff (-1) accounted=(0) 4582.696629: kmem_cache_alloc: call_site=0xffffffff92d0250b (-1831852789) ptr=0xffff9e0e8577f800 (-107689770747904) bytes_req=0x168 (360) bytes_alloc=0x180 (384) gfp_flags=0xcc0 (3264) node=0xffffffff (-1) accounted=(0) 4582.696630: kmem_cache_alloc: call_site=0xffffffff92efca74 (-1829778828) ptr=0xffff9e0e8d35d3b0 (-107689640864848) bytes_req=0x10 (16) bytes_alloc=0x10 (16) gfp_flags=0xdc0 (3520) node=0xffffffff (-1) accounted=(0) 4582.696653: kmem_cache_free: call_site=0xffffffff92cfbea7 (-1831879001) ptr=0xffff9e0e8571e000 (-107689771147264) name=names_cache Cc: stable@vger.kernel.org Cc: Masami Hiramatsu Cc: Mathieu Desnoyers Cc: Linus Torvalds Link: https://lore.kernel.org/20241218141507.28389a1d@gandalf.local.home Fixes: 07714b4bb3f98 ("tracing: Handle old buffer mappings for event strings and functions") Signed-off-by: Steven Rostedt (Google) commit c58a812c8e49ad688f94f4b050ad5c5b388fc5d2 Author: Edward Adam Davis Date: Wed Dec 18 21:36:55 2024 +0800 ring-buffer: Fix overflow in __rb_map_vma An overflow occurred when performing the following calculation: nr_pages = ((nr_subbufs + 1) << subbuf_order) - pgoff; Add a check before the calculation to avoid this problem. syzbot reported this as a slab-out-of-bounds in __rb_map_vma: BUG: KASAN: slab-out-of-bounds in __rb_map_vma+0x9ab/0xae0 kernel/trace/ring_buffer.c:7058 Read of size 8 at addr ffff8880767dd2b8 by task syz-executor187/5836 CPU: 0 UID: 0 PID: 5836 Comm: syz-executor187 Not tainted 6.13.0-rc2-syzkaller-00159-gf932fb9b4074 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xc3/0x620 mm/kasan/report.c:489 kasan_report+0xd9/0x110 mm/kasan/report.c:602 __rb_map_vma+0x9ab/0xae0 kernel/trace/ring_buffer.c:7058 ring_buffer_map+0x56e/0x9b0 kernel/trace/ring_buffer.c:7138 tracing_buffers_mmap+0xa6/0x120 kernel/trace/trace.c:8482 call_mmap include/linux/fs.h:2183 [inline] mmap_file mm/internal.h:124 [inline] __mmap_new_file_vma mm/vma.c:2291 [inline] __mmap_new_vma mm/vma.c:2355 [inline] __mmap_region+0x1786/0x2670 mm/vma.c:2456 mmap_region+0x127/0x320 mm/mmap.c:1348 do_mmap+0xc00/0xfc0 mm/mmap.c:496 vm_mmap_pgoff+0x1ba/0x360 mm/util.c:580 ksys_mmap_pgoff+0x32c/0x5c0 mm/mmap.c:542 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:89 [inline] __se_sys_mmap arch/x86/kernel/sys_x86_64.c:82 [inline] __x64_sys_mmap+0x125/0x190 arch/x86/kernel/sys_x86_64.c:82 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f The reproducer for this bug is: ------------------------8<------------------------- #include #include #include #include #include int main(int argc, char **argv) { int page_size = getpagesize(); int fd; void *meta; system("echo 1 > /sys/kernel/tracing/buffer_size_kb"); fd = open("/sys/kernel/tracing/per_cpu/cpu0/trace_pipe_raw", O_RDONLY); meta = mmap(NULL, page_size, PROT_READ, MAP_SHARED, fd, page_size * 5); } ------------------------>8------------------------- Cc: stable@vger.kernel.org Fixes: 117c39200d9d7 ("ring-buffer: Introducing ring-buffer mapping functions") Link: https://lore.kernel.org/tencent_06924B6674ED771167C23CC336C097223609@qq.com Reported-by: syzbot+345e4443a21200874b18@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=345e4443a21200874b18 Signed-off-by: Edward Adam Davis Signed-off-by: Steven Rostedt (Google) commit c061cf420ded391e32f99cd483e1e0107f213b12 Merge: 37cb0c76ac6c3b afd2627f727b89 Author: Linus Torvalds Date: Wed Dec 18 10:03:33 2024 -0800 Merge tag 'trace-v6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace Pull tracing fixes from Steven Rostedt: "Replace trace_check_vprintf() with test_event_printk() and ignore_event() The function test_event_printk() checks on boot up if the trace event printf() formats dereference any pointers, and if they do, it then looks at the arguments to make sure that the pointers they dereference will exist in the event on the ring buffer. If they do not, it issues a WARN_ON() as it is a likely bug. But this isn't the case for the strings that can be dereferenced with "%s", as some trace events (notably RCU and some IPI events) save a pointer to a static string in the ring buffer. As the string it points to lives as long as the kernel is running, it is not a bug to reference it, as it is guaranteed to be there when the event is read. But it is also possible (and a common bug) to point to some allocated string that could be freed before the trace event is read and the dereference is to bad memory. This case requires a run time check. The previous way to handle this was with trace_check_vprintf() that would process the printf format piece by piece and send what it didn't care about to vsnprintf() to handle arguments that were not strings. This kept it from having to reimplement vsnprintf(). But it relied on va_list implementation and for architectures that copied the va_list and did not pass it by reference, it wasn't even possible to do this check and it would be skipped. As 64bit x86 passed va_list by reference, most events were tested and this kept out bugs where strings would have been dereferenced after being freed. Instead of relying on the implementation of va_list, extend the boot up test_event_printk() function to validate all the "%s" strings that can be validated at boot, and for the few events that point to strings outside the ring buffer, flag both the event and the field that is dereferenced as "needs_test". Then before the event is printed, a call to ignore_event() is made, and if the event has the flag set, it iterates all its fields and for every field that is to be tested, it will read the pointer directly from the event in the ring buffer and make sure that it is valid. If the pointer is not valid, it will print a WARN_ON(), print out to the trace that the event has unsafe memory and ignore the print format. With this new update, the trace_check_vprintf() can be safely removed and now all events can be verified regardless of architecture" * tag 'trace-v6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: tracing: Check "%s" dereference via the field and not the TP_printk format tracing: Add "%s" check in test_event_printk() tracing: Add missing helper functions in event pointer dereference check tracing: Fix test_event_printk() to process entire print argument commit 85230ee36d88e7a09fb062d43203035659dd10a5 Author: Michel Dänzer Date: Tue Dec 17 18:22:56 2024 +0100 drm/amdgpu: Handle NULL bo->tbo.resource (again) in amdgpu_vm_bo_update Third time's the charm, I hope? Fixes: d3116756a710 ("drm/ttm: rename bo->mem and make it a pointer") Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3837 Reviewed-by: Christian König Signed-off-by: Michel Dänzer Signed-off-by: Alex Deucher (cherry picked from commit 695c2c745e5dff201b75da8a1d237ce403600d04) Cc: stable@vger.kernel.org commit 8d1a13816e59254bd3b18f5ae0895230922bd120 Author: Christian König Date: Thu Dec 12 16:29:18 2024 +0100 drm/amdgpu: fix amdgpu_coredump The VM pointer might already be outdated when that function is called. Use the PASID instead to gather the information instead. Signed-off-by: Christian König Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher (cherry picked from commit 57f812d171af4ba233d3ed7c94dfa5b8e92dcc04) Cc: stable@vger.kernel.org commit 9e752ee26c1031312a01d2afc281f5f6fdfca176 Author: Alex Deucher Date: Thu Dec 12 17:06:26 2024 -0500 drm/amdgpu/smu14.0.2: fix IP version check Use the helper function rather than reading it directly. Reviewed-by: Yang Wang Signed-off-by: Alex Deucher (cherry picked from commit 8f2cd1067afe68372a1723e05e19b68ed187676a) Cc: stable@vger.kernel.org commit 41be00f839e9ee7753892a73a36ce4c14c6f5cbf Author: Alex Deucher Date: Thu Dec 12 17:04:58 2024 -0500 drm/amdgpu/gfx12: fix IP version check Use the helper function rather than reading it directly. Reviewed-by: Yang Wang Signed-off-by: Alex Deucher (cherry picked from commit f1fd1d0f40272948aa6ab82a3a82ecbbc76dff53) Cc: stable@vger.kernel.org commit 6ebc5b92190e01dd48313b68cbf752c9adcfefa8 Author: Alex Deucher Date: Thu Dec 12 17:03:20 2024 -0500 drm/amdgpu/mmhub4.1: fix IP version check Use the helper function rather than reading it directly. Reviewed-by: Yang Wang Signed-off-by: Alex Deucher (cherry picked from commit 63bfd24088b42c6f55c2096bfc41b50213d419b2) Cc: stable@vger.kernel.org commit 8c1ecc7197a88c6ae62de56e1c0887f220712a32 Author: Alex Deucher Date: Thu Dec 12 17:00:07 2024 -0500 drm/amdgpu/nbio7.11: fix IP version check Use the helper function rather than reading it directly. Reviewed-by: Yang Wang Signed-off-by: Alex Deucher (cherry picked from commit 2c8eeaaa0fe5841ccf07a0eb51b1426f34ef39f7) Cc: stable@vger.kernel.org commit 458600da793da12e0f3724ecbea34a80703f4d5b Author: Alex Deucher Date: Thu Dec 12 16:47:48 2024 -0500 drm/amdgpu/nbio7.7: fix IP version check Use the helper function rather than reading it directly. Reviewed-by: Yang Wang Signed-off-by: Alex Deucher (cherry picked from commit 22b9555bc90df22b585bdd1f161b61584b13af51) Cc: stable@vger.kernel.org commit 146b6057e1fd28fb1a38d300bf76a38dfba7f9fb Author: Linus Walleij Date: Tue Dec 17 13:55:48 2024 +0100 wifi: cw1200: Fix potential NULL dereference A recent refactoring was identified by smatch to cause another potential NULL dereference: drivers/net/wireless/st/cw1200/cw1200_spi.c:440 cw1200_spi_disconnect() error: we previously assumed 'self' could be null (see line 433) Reported-by: kernel test robot Reported-by: Dan Carpenter Closes: https://lore.kernel.org/r/202411271742.Xa7CNVh1-lkp@intel.com/ Fixes: 2719a9e7156c ("wifi: cw1200: Convert to GPIO descriptors") Signed-off-by: Linus Walleij Signed-off-by: Kalle Valo Link: https://patch.msgid.link/20241217-cw1200-fix-v1-1-911e6b5823ec@linaro.org commit a93b1020eb9386d7da11608477121b10079c076a Author: Pierre-Eric Pelloux-Prayer Date: Fri Dec 6 13:17:45 2024 +0100 drm/amdgpu: don't access invalid sched Since 2320c9e6a768 ("drm/sched: memset() 'job' in drm_sched_job_init()") accessing job->base.sched can produce unexpected results as the initialisation of (*job)->base.sched done in amdgpu_job_alloc is overwritten by the memset. This commit fixes an issue when a CS would fail validation and would be rejected after job->num_ibs is incremented. In this case, amdgpu_ib_free(ring->adev, ...) will be called, which would crash the machine because the ring value is bogus. To fix this, pass a NULL pointer to amdgpu_ib_free(): we can do this because the device is actually not used in this function. The next commit will remove the ring argument completely. Fixes: 2320c9e6a768 ("drm/sched: memset() 'job' in drm_sched_job_init()") Signed-off-by: Pierre-Eric Pelloux-Prayer Reviewed-by: Alex Deucher Reviewed-by: Christian König Signed-off-by: Alex Deucher (cherry picked from commit 2ae520cb12831d264ceb97c61f72c59d33c0dbd7) commit 536ae08d7b6ae16872f0b3c2679e656a7fc9d5e2 Author: Mario Limonciello Date: Wed Dec 11 09:56:01 2024 -0600 drm/amd: Require CONFIG_HOTPLUG_PCI_PCIE for BOCO If the kernel hasn't been compiled with PCIe hotplug support this can lead to problems with dGPUs that use BOCO because they effectively drop off the bus. To prevent issues, disable BOCO support when compiled without PCIe hotplug. Reported-by: Gabriel Marcano Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/1707#note_2696862 Acked-by: Alex Deucher Link: https://lore.kernel.org/r/20241211155601.3585256-1-superm1@kernel.org Signed-off-by: Mario Limonciello Signed-off-by: Alex Deucher (cherry picked from commit 1ad5bdc28bafa66db0f041cc6cdd278a80426aae) commit 37cb0c76ac6c3bf3d82d25a7c95950f2dac3ca41 Merge: 349f0086ba8b2a 175c71c2aceef1 Author: Linus Torvalds Date: Wed Dec 18 09:55:55 2024 -0800 Merge tag 'hyperv-fixes-signed-20241217' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux Pull hyperv fixes from Wei Liu: - Various fixes to Hyper-V tools in the kernel tree (Dexuan Cui, Olaf Hering, Vitaly Kuznetsov) - Fix a bug in the Hyper-V TSC page based sched_clock() (Naman Jain) - Two bug fixes in the Hyper-V utility functions (Michael Kelley) - Convert open-coded timeouts to secs_to_jiffies() in Hyper-V drivers (Easwar Hariharan) * tag 'hyperv-fixes-signed-20241217' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux: tools/hv: reduce resource usage in hv_kvp_daemon tools/hv: add a .gitignore file tools/hv: reduce resouce usage in hv_get_dns_info helper hv/hv_kvp_daemon: Pass NIC name to hv_get_dns_info as well Drivers: hv: util: Avoid accessing a ringbuffer not initialized yet Drivers: hv: util: Don't force error code to ENODEV in util_probe() tools/hv: terminate fcopy daemon if read from uio fails drivers: hv: Convert open-coded timeouts to secs_to_jiffies() tools: hv: change permissions of NetworkManager configuration file x86/hyperv: Fix hv tsc page based sched_clock for hibernation tools: hv: Fix a complier warning in the fcopy uio daemon commit 349f0086ba8b2a169877d21ff15a4d9da3a60054 Author: Juergen Gross Date: Wed Dec 18 09:02:28 2024 +0100 x86/static-call: fix 32-bit build In 32-bit x86 builds CONFIG_STATIC_CALL_INLINE isn't set, leading to static_call_initialized not being available. Define it as "0" in that case. Reported-by: Stephen Rothwell Fixes: 0ef8047b737d ("x86/static-call: provide a way to do very early static-call updates") Signed-off-by: Juergen Gross Acked-by: Peter Zijlstra (Intel) Signed-off-by: Linus Torvalds commit cc0c53f4fac562efb3aca2bc493515e77642ae33 Author: Kees Cook Date: Wed Jun 19 14:12:45 2024 -0700 wifi: iwlwifi: mvm: Fix __counted_by usage in cfg80211_wowlan_nd_* Both struct cfg80211_wowlan_nd_match and struct cfg80211_wowlan_nd_info pre-allocate space for channels and matches, but then may end up using fewer that the full allocation. Shrink the associated counter (n_channels and n_matches) after counting the results. This avoids compile-time (and run-time) warnings from __counted_by. (The counter member needs to be updated _before_ accessing the array index.) Seen with coming GCC 15: drivers/net/wireless/intel/iwlwifi/mvm/d3.c: In function 'iwl_mvm_query_set_freqs': drivers/net/wireless/intel/iwlwifi/mvm/d3.c:2877:66: warning: operation on 'match->n_channels' may be undefined [-Wsequence-point] 2877 | match->channels[match->n_channels++] = | ~~~~~~~~~~~~~~~~~^~ drivers/net/wireless/intel/iwlwifi/mvm/d3.c:2885:66: warning: operation on 'match->n_channels' may be undefined [-Wsequence-point] 2885 | match->channels[match->n_channels++] = | ~~~~~~~~~~~~~~~~~^~ drivers/net/wireless/intel/iwlwifi/mvm/d3.c: In function 'iwl_mvm_query_netdetect_reasons': drivers/net/wireless/intel/iwlwifi/mvm/d3.c:2982:58: warning: operation on 'net_detect->n_matches' may be undefined [-Wsequence-point] 2982 | net_detect->matches[net_detect->n_matches++] = match; | ~~~~~~~~~~~~~~~~~~~~~^~ Cc: stable@vger.kernel.org Fixes: aa4ec06c455d ("wifi: cfg80211: use __counted_by where appropriate") Signed-off-by: Kees Cook Reviewed-by: Gustavo A. R. Silva Link: https://patch.msgid.link/20240619211233.work.355-kees@kernel.org Signed-off-by: Johannes Berg commit 7f9a1eed1ad8b274ed9163a02cef891a90427237 Author: Jon Lin Date: Wed Dec 18 23:47:41 2024 +0800 spi: rockchip-sfc: Fix error in remove progress Fix error in remove progress: [ 43.026148] Call trace: [ 43.026370] klist_next+0x1c/0x1d4 [ 43.026671] device_for_each_child+0x48/0xac [ 43.027049] spi_unregister_controller+0x30/0x130 [ 43.027469] rockchip_sfc_remove+0x48/0x80 [spi_rockchip_sfc] Signed-off-by: Jon Lin Link: https://patch.msgid.link/20241218154741.901591-1-jon.lin@rock-chips.com Signed-off-by: Mark Brown commit 05648c2f58b3da82d304e7a449101a4545472836 Merge: 78d4f34e2115b5 2993b29b2a98f2 Author: Rafael J. Wysocki Date: Wed Dec 18 15:38:22 2024 +0100 Merge tag 'amd-pstate-v6.13-2024-12-11' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/superm1/linux Merge amd-pstate driver fixes for 6.13-rc4 from Mario Liminciello: "Fix a problem where systems without preferred cores were misdetecting preferred cores. Fix issues with with boost numerator handling leading to inconsistently programmed CPPC max performance values." * tag 'amd-pstate-v6.13-2024-12-11' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/superm1/linux: cpufreq/amd-pstate: Use boost numerator for upper bound of frequencies cpufreq/amd-pstate: Store the boost numerator as highest perf again cpufreq/amd-pstate: Detect preferred core support before driver registration commit 85672ca9ceeaa1dcf2777a7048af5f4aee3fd02b Author: Ming Lei Date: Wed Dec 18 18:16:15 2024 +0800 block: avoid to reuse `hctx` not removed from cpuhp callback list If the 'hctx' isn't removed from cpuhp callback list, we can't reuse it, otherwise use-after-free may be triggered. Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-lkp/202412172217.b906db7c-lkp@intel.com Tested-by: kernel test robot Fixes: 22465bbac53c ("blk-mq: move cpuhp callback registering out of q->sysfs_lock") Signed-off-by: Ming Lei Link: https://lore.kernel.org/r/20241218101617.3275704-3-ming.lei@redhat.com Signed-off-by: Jens Axboe commit 224749be6c23efe7fb8a030854f4fc5d1dd813b3 Author: Ming Lei Date: Wed Dec 18 18:16:14 2024 +0800 block: Revert "block: Fix potential deadlock while freezing queue and acquiring sysfs_lock" This reverts commit be26ba96421ab0a8fa2055ccf7db7832a13c44d2. Commit be26ba96421a ("block: Fix potential deadlock while freezing queue and acquiring sysfs_loc") actually reverts commit 22465bbac53c ("blk-mq: move cpuhp callback registering out of q->sysfs_lock"), and causes the original resctrl lockdep warning. So revert it and we need to fix the issue in another way. Cc: Nilay Shroff Fixes: be26ba96421a ("block: Fix potential deadlock while freezing queue and acquiring sysfs_loc") Signed-off-by: Ming Lei Link: https://lore.kernel.org/r/20241218101617.3275704-2-ming.lei@redhat.com Signed-off-by: Jens Axboe commit 51588b1b77b65cd0fb3440f78f37bef7178a2715 Author: Luis Chamberlain Date: Tue Dec 17 18:02:12 2024 -0800 nvme: use blk_validate_block_size() for max LBA check The block layer already has support to validates proper block sizes with blk_validate_block_size(), we can leverage that as well. No functional changes. Signed-off-by: Luis Chamberlain Reviewed-by: John Garry Reviewed-by: Keith Busch Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/20241218020212.3657139-3-mcgrof@kernel.org Signed-off-by: Jens Axboe commit 26fff8a4432ffd03409346b7dae1e1a2c5318b7c Author: Luis Chamberlain Date: Tue Dec 17 18:02:11 2024 -0800 block/bdev: use helper for max block size check We already have a helper for checking the limits on the block size both low and high, just use that. No functional changes. Reviewed-by: John Garry Signed-off-by: Luis Chamberlain Reviewed-by: Keith Busch Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/20241218020212.3657139-2-mcgrof@kernel.org Signed-off-by: Jens Axboe commit c9e3ebdc52ebe028f238c9df5162ae92483bedd5 Author: Shuming Fan Date: Wed Dec 18 17:13:07 2024 +0800 ASoC: rt722: add delay time to wait for the calibration procedure The calibration procedure needs some time to finish. This patch adds the delay time to ensure the calibration procedure is completed correctly. Signed-off-by: Shuming Fan Link: https://patch.msgid.link/20241218091307.96656-1-shumingf@realtek.com Signed-off-by: Mark Brown commit 4feaedf7d243f1a9af36dfb2711a5641fe3559dc Author: Daniel Lezcano Date: Mon Dec 16 22:26:44 2024 +0100 thermal/thresholds: Fix boundaries and detection routine The current implementation does not work if the thermal zone is interrupt driven only. The boundaries are not correctly checked and computed as it happens only when the temperature is increasing or decreasing. The problem arises because the routine to detect when we cross a threshold is correlated with the computation of the boundaries. We assume we have to recompute the boundaries when a threshold is crossed but actually we should do that even if the it is not the case. Mixing the boundaries computation and the threshold detection for the sake of optimizing the routine is much more complex as it appears intuitively and prone to errors. This fix separates the boundaries computation and the threshold crossing detection into different routines. The result is a code much more simple to understand, thus easier to maintain. The drawback is we browse the thresholds list several time but we can consider that as neglictible because that happens when the temperature is updated. There are certainly some aeras to improve in the temperature update routine but it would be not adequate as this change aims to fix the thresholds for v6.13. Fixes: 445936f9e258 ("thermal: core: Add user thresholds support") Tested-by: Daniel Lezcano # rock5b, Lenovo x13s Signed-off-by: Daniel Lezcano Link: https://patch.msgid.link/20241216212644.1145122-1-daniel.lezcano@linaro.org Signed-off-by: Rafael J. Wysocki commit edc19bd0e571c732cd01c8da62f904e6d2a29a48 Author: Fabrice Gasnier Date: Tue Dec 17 16:00:21 2024 +0100 pwm: stm32: Fix complementary output in round_waveform_tohw() When the timer supports complementary output, the CCxNE bit must be set additionally to the CCxE bit. So to not overwrite the latter use |= instead of = to set the former. Fixes: deaba9cff809 ("pwm: stm32: Implementation of the waveform callbacks") Signed-off-by: Fabrice Gasnier Link: https://lore.kernel.org/r/20241217150021.2030213-1-fabrice.gasnier@foss.st.com [ukleinek: Slightly improve commit log] Signed-off-by: Uwe Kleine-König commit 05aa156e156ef3168e7ab8a68721945196495c17 Author: Haren Myneni Date: Fri Dec 13 21:17:58 2024 -0800 powerpc/pseries/vas: Add close() callback in vas_vm_ops struct The mapping VMA address is saved in VAS window struct when the paste address is mapped. This VMA address is used during migration to unmap the paste address if the window is active. The paste address mapping will be removed when the window is closed or with the munmap(). But the VMA address in the VAS window is not updated with munmap() which is causing invalid access during migration. The KASAN report shows: [16386.254991] BUG: KASAN: slab-use-after-free in reconfig_close_windows+0x1a0/0x4e8 [16386.255043] Read of size 8 at addr c00000014a819670 by task drmgr/696928 [16386.255096] CPU: 29 UID: 0 PID: 696928 Comm: drmgr Kdump: loaded Tainted: G B 6.11.0-rc5-nxgzip #2 [16386.255128] Tainted: [B]=BAD_PAGE [16386.255148] Hardware name: IBM,9080-HEX Power11 (architected) 0x820200 0xf000007 of:IBM,FW1110.00 (NH1110_016) hv:phyp pSeries [16386.255181] Call Trace: [16386.255202] [c00000016b297660] [c0000000018ad0ac] dump_stack_lvl+0x84/0xe8 (unreliable) [16386.255246] [c00000016b297690] [c0000000006e8a90] print_report+0x19c/0x764 [16386.255285] [c00000016b297760] [c0000000006e9490] kasan_report+0x128/0x1f8 [16386.255309] [c00000016b297880] [c0000000006eb5c8] __asan_load8+0xac/0xe0 [16386.255326] [c00000016b2978a0] [c00000000013f898] reconfig_close_windows+0x1a0/0x4e8 [16386.255343] [c00000016b297990] [c000000000140e58] vas_migration_handler+0x3a4/0x3fc [16386.255368] [c00000016b297a90] [c000000000128848] pseries_migrate_partition+0x4c/0x4c4 ... [16386.256136] Allocated by task 696554 on cpu 31 at 16377.277618s: [16386.256149] kasan_save_stack+0x34/0x68 [16386.256163] kasan_save_track+0x34/0x80 [16386.256175] kasan_save_alloc_info+0x58/0x74 [16386.256196] __kasan_slab_alloc+0xb8/0xdc [16386.256209] kmem_cache_alloc_noprof+0x200/0x3d0 [16386.256225] vm_area_alloc+0x44/0x150 [16386.256245] mmap_region+0x214/0x10c4 [16386.256265] do_mmap+0x5fc/0x750 [16386.256277] vm_mmap_pgoff+0x14c/0x24c [16386.256292] ksys_mmap_pgoff+0x20c/0x348 [16386.256303] sys_mmap+0xd0/0x160 ... [16386.256350] Freed by task 0 on cpu 31 at 16386.204848s: [16386.256363] kasan_save_stack+0x34/0x68 [16386.256374] kasan_save_track+0x34/0x80 [16386.256384] kasan_save_free_info+0x64/0x10c [16386.256396] __kasan_slab_free+0x120/0x204 [16386.256415] kmem_cache_free+0x128/0x450 [16386.256428] vm_area_free_rcu_cb+0xa8/0xd8 [16386.256441] rcu_do_batch+0x2c8/0xcf0 [16386.256458] rcu_core+0x378/0x3c4 [16386.256473] handle_softirqs+0x20c/0x60c [16386.256495] do_softirq_own_stack+0x6c/0x88 [16386.256509] do_softirq_own_stack+0x58/0x88 [16386.256521] __irq_exit_rcu+0x1a4/0x20c [16386.256533] irq_exit+0x20/0x38 [16386.256544] interrupt_async_exit_prepare.constprop.0+0x18/0x2c ... [16386.256717] Last potentially related work creation: [16386.256729] kasan_save_stack+0x34/0x68 [16386.256741] __kasan_record_aux_stack+0xcc/0x12c [16386.256753] __call_rcu_common.constprop.0+0x94/0xd04 [16386.256766] vm_area_free+0x28/0x3c [16386.256778] remove_vma+0xf4/0x114 [16386.256797] do_vmi_align_munmap.constprop.0+0x684/0x870 [16386.256811] __vm_munmap+0xe0/0x1f8 [16386.256821] sys_munmap+0x54/0x6c [16386.256830] system_call_exception+0x1a0/0x4a0 [16386.256841] system_call_vectored_common+0x15c/0x2ec [16386.256868] The buggy address belongs to the object at c00000014a819670 which belongs to the cache vm_area_struct of size 168 [16386.256887] The buggy address is located 0 bytes inside of freed 168-byte region [c00000014a819670, c00000014a819718) [16386.256915] The buggy address belongs to the physical page: [16386.256928] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14a81 [16386.256950] memcg:c0000000ba430001 [16386.256961] anon flags: 0x43ffff800000000(node=4|zone=0|lastcpupid=0x7ffff) [16386.256975] page_type: 0xfdffffff(slab) [16386.256990] raw: 043ffff800000000 c00000000501c080 0000000000000000 5deadbee00000001 [16386.257003] raw: 0000000000000000 00000000011a011a 00000001fdffffff c0000000ba430001 [16386.257018] page dumped because: kasan: bad access detected This patch adds close() callback in vas_vm_ops vm_operations_struct which will be executed during munmap() before freeing VMA. The VMA address in the VAS window is set to NULL after holding the window mmap_mutex. Fixes: 37e6764895ef ("powerpc/pseries/vas: Add VAS migration handler") Signed-off-by: Haren Myneni Signed-off-by: Madhavan Srinivasan Link: https://patch.msgid.link/20241214051758.997759-1-haren@linux.ibm.com commit 87f54c12195150fec052f6a5458fcecdda5ec62f Merge: 954a2b40719a21 743375f8deee36 Author: Marc Kleine-Budde Date: Wed Dec 18 09:32:14 2024 +0100 Merge patch series "can: m_can: set init flag earlier in probe" This series fixes problems in the m_can_pci driver found on the Intel Elkhart Lake processor. Link: https://patch.msgid.link/e247f331cb72829fcbdfda74f31a59cbad1a6006.1728288535.git.matthias.schiffer@ew.tq-group.com Signed-off-by: Marc Kleine-Budde commit 743375f8deee360b0e902074bab99b0c9368d42f Author: Matthias Schiffer Date: Mon Oct 7 10:23:59 2024 +0200 can: m_can: fix missed interrupts with m_can_pci The interrupt line of PCI devices is interpreted as edge-triggered, however the interrupt signal of the m_can controller integrated in Intel Elkhart Lake CPUs appears to be generated level-triggered. Consider the following sequence of events: - IR register is read, interrupt X is set - A new interrupt Y is triggered in the m_can controller - IR register is written to acknowledge interrupt X. Y remains set in IR As at no point in this sequence no interrupt flag is set in IR, the m_can interrupt line will never become deasserted, and no edge will ever be observed to trigger another run of the ISR. This was observed to result in the TX queue of the EHL m_can to get stuck under high load, because frames were queued to the hardware in m_can_start_xmit(), but m_can_finish_tx() was never run to account for their successful transmission. On an Elkhart Lake based board with the two CAN interfaces connected to each other, the following script can reproduce the issue: ip link set can0 up type can bitrate 1000000 ip link set can1 up type can bitrate 1000000 cangen can0 -g 2 -I 000 -L 8 & cangen can0 -g 2 -I 001 -L 8 & cangen can0 -g 2 -I 002 -L 8 & cangen can0 -g 2 -I 003 -L 8 & cangen can0 -g 2 -I 004 -L 8 & cangen can0 -g 2 -I 005 -L 8 & cangen can0 -g 2 -I 006 -L 8 & cangen can0 -g 2 -I 007 -L 8 & cangen can1 -g 2 -I 100 -L 8 & cangen can1 -g 2 -I 101 -L 8 & cangen can1 -g 2 -I 102 -L 8 & cangen can1 -g 2 -I 103 -L 8 & cangen can1 -g 2 -I 104 -L 8 & cangen can1 -g 2 -I 105 -L 8 & cangen can1 -g 2 -I 106 -L 8 & cangen can1 -g 2 -I 107 -L 8 & stress-ng --matrix 0 & To fix the issue, repeatedly read and acknowledge interrupts at the start of the ISR until no interrupt flags are set, so the next incoming interrupt will also result in an edge on the interrupt line. While we have received a report that even with this patch, the TX queue can become stuck under certain (currently unknown) circumstances on the Elkhart Lake, this patch completely fixes the issue with the above reproducer, and it is unclear whether the remaining issue has a similar cause at all. Fixes: cab7ffc0324f ("can: m_can: add PCI glue driver for Intel Elkhart Lake") Signed-off-by: Matthias Schiffer Reviewed-by: Markus Schneider-Pargmann Link: https://patch.msgid.link/fdf0439c51bcb3a46c21e9fb21c7f1d06363be84.1728288535.git.matthias.schiffer@ew.tq-group.com Signed-off-by: Marc Kleine-Budde commit fca2977629f49dee437e217c3fc423b6e0cad98c Author: Matthias Schiffer Date: Mon Oct 7 10:23:58 2024 +0200 can: m_can: set init flag earlier in probe While an m_can controller usually already has the init flag from a hardware reset, no such reset happens on the integrated m_can_pci of the Intel Elkhart Lake. If the CAN controller is found in an active state, m_can_dev_setup() would fail because m_can_niso_supported() calls m_can_cccr_update_bits(), which refuses to modify any other configuration bits when CCCR_INIT is not set. To avoid this issue, set CCCR_INIT before attempting to modify any other configuration flags. Fixes: cd5a46ce6fa6 ("can: m_can: don't enable transceiver when probing") Signed-off-by: Matthias Schiffer Reviewed-by: Markus Schneider-Pargmann Link: https://patch.msgid.link/e247f331cb72829fcbdfda74f31a59cbad1a6006.1728288535.git.matthias.schiffer@ew.tq-group.com Signed-off-by: Marc Kleine-Budde commit 954a2b40719a21e763a1bba2f0da92347e058fce Author: Kuniyuki Iwashima Date: Mon Dec 16 20:04:32 2024 +0900 rtnetlink: Try the outer netns attribute in rtnl_get_peer_net(). Xiao Liang reported that the cited commit changed netns handling in newlink() of netkit, veth, and vxcan. Before the patch, if we don't find a netns attribute in the peer device attributes, we tried to find another netns attribute in the outer netlink attributes by passing it to rtnl_link_get_net(). Let's restore the original behaviour. Fixes: 48327566769a ("rtnetlink: fix double call of rtnl_link_get_net_ifla()") Reported-by: Xiao Liang Closes: https://lore.kernel.org/netdev/CABAhCORBVVU8P6AHcEkENMj+gD2d3ce9t=A_o48E0yOQp8_wUQ@mail.gmail.com/#t Signed-off-by: Kuniyuki Iwashima Tested-by: Xiao Liang Link: https://patch.msgid.link/20241216110432.51488-1-kuniyu@amazon.com Signed-off-by: Jakub Kicinski commit b9b8301d369b4c876de5255dbf067b19ba88ac71 Author: Eric Dumazet Date: Mon Dec 16 08:37:03 2024 +0000 net: netdevsim: fix nsim_pp_hold_write() nsim_pp_hold_write() has two problems: 1) It may return with rtnl held, as found by syzbot. 2) Its return value does not propagate an error if any. Fixes: 1580cbcbfe77 ("net: netdevsim: add some fake page pool use") Reported-by: syzbot Signed-off-by: Eric Dumazet Reviewed-by: Simon Horman Link: https://patch.msgid.link/20241216083703.1859921-1-edumazet@google.com Signed-off-by: Jakub Kicinski commit 23579010cf0a12476e96a5f1acdf78a9c5843657 Author: Andrea Righi Date: Tue Dec 17 20:58:13 2024 +0100 bpf: Fix bpf_get_smp_processor_id() on !CONFIG_SMP On x86-64 calling bpf_get_smp_processor_id() in a kernel with CONFIG_SMP disabled can trigger the following bug, as pcpu_hot is unavailable: [ 8.471774] BUG: unable to handle page fault for address: 00000000936a290c [ 8.471849] #PF: supervisor read access in kernel mode [ 8.471881] #PF: error_code(0x0000) - not-present page Fix by inlining a return 0 in the !CONFIG_SMP case. Fixes: 1ae6921009e5 ("bpf: inline bpf_get_smp_processor_id() helper") Signed-off-by: Andrea Righi Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20241217195813.622568-1-arighi@nvidia.com commit 498d5b14db8c9118be139f668720c67bea2dc344 Author: Charlie Jenkins Date: Wed Dec 11 23:01:43 2024 -0800 riscv: selftests: Fix warnings pointer masking test When compiling the pointer masking tests with -Wall this warning is present: pointer_masking.c: In function ‘test_tagged_addr_abi_sysctl’: pointer_masking.c:203:9: warning: ignoring return value of ‘pwrite’ declared with attribute ‘warn_unused_result’ [-Wunused-result] 203 | pwrite(fd, &value, 1, 0); | ^~~~~~~~~~~~~~~~~~~~~~~~ pointer_masking.c:208:9: warning: ignoring return value of ‘pwrite’ declared with attribute ‘warn_unused_result’ [-Wunused-result] 208 | pwrite(fd, &value, 1, 0); I came across this on riscv64-linux-gnu-gcc (Ubuntu 11.4.0-1ubuntu1~22.04). Fix this by checking that the number of bytes written equal the expected number of bytes written. Fixes: 7470b5afd150 ("riscv: selftests: Add a pointer masking test") Signed-off-by: Charlie Jenkins Reviewed-by: Andrew Jones Link: https://lore.kernel.org/r/20241211-fix_warnings_pointer_masking_tests-v6-1-c7ae708fbd2f@rivosinc.com Signed-off-by: Palmer Dabbelt commit aef25be35d23ec768eed08bfcf7ca3cf9685bc28 Author: Nathan Chancellor Date: Thu Nov 21 11:22:18 2024 -0700 hexagon: Disable constant extender optimization for LLVM prior to 19.1.0 The Hexagon-specific constant extender optimization in LLVM may crash on Linux kernel code [1], such as fs/bcache/btree_io.c after commit 32ed4a620c54 ("bcachefs: Btree path tracepoints") in 6.12: clang: llvm/lib/Target/Hexagon/HexagonConstExtenders.cpp:745: bool (anonymous namespace)::HexagonConstExtenders::ExtRoot::operator<(const HCE::ExtRoot &) const: Assertion `ThisB->getParent() == OtherB->getParent()' failed. Stack dump: 0. Program arguments: clang --target=hexagon-linux-musl ... fs/bcachefs/btree_io.c 1. parser at end of file 2. Code generation 3. Running pass 'Function Pass Manager' on module 'fs/bcachefs/btree_io.c'. 4. Running pass 'Hexagon constant-extender optimization' on function '@__btree_node_lock_nopath' Without assertions enabled, there is just a hang during compilation. This has been resolved in LLVM main (20.0.0) [2] and backported to LLVM 19.1.0 but the kernel supports LLVM 13.0.1 and newer, so disable the constant expander optimization using the '-mllvm' option when using a toolchain that is not fixed. Cc: stable@vger.kernel.org Link: https://github.com/llvm/llvm-project/issues/99714 [1] Link: https://github.com/llvm/llvm-project/commit/68df06a0b2998765cb0a41353fcf0919bbf57ddb [2] Link: https://github.com/llvm/llvm-project/commit/2ab8d93061581edad3501561722ebd5632d73892 [3] Reviewed-by: Brian Cain Signed-off-by: Nathan Chancellor Signed-off-by: Linus Torvalds commit 0c1683c681681c14f4389e3bfa8de10baf242ba8 Author: Joshua Hay Date: Mon Nov 25 15:58:55 2024 -0800 idpf: trigger SW interrupt when exiting wb_on_itr mode There is a race condition between exiting wb_on_itr and completion write backs. For example, we are in wb_on_itr mode and a Tx completion is generated by HW, ready to be written back, as we are re-enabling interrupts: HW SW | | | | idpf_tx_splitq_clean_all | | napi_complete_done | | | tx_completion_wb | idpf_vport_intr_update_itr_ena_irq That tx_completion_wb happens before the vector is fully re-enabled. Continuing with this example, it is a UDP stream and the tx_completion_wb is the last one in the flow (there are no rx packets). Because the HW generated the completion before the interrupt is fully enabled, the HW will not fire the interrupt once the timer expires and the write back will not happen. NAPI poll won't be called. We have indicated we're back in interrupt mode but nothing else will trigger the interrupt. Therefore, the completion goes unprocessed, triggering a Tx timeout. To mitigate this, fire a SW triggered interrupt upon exiting wb_on_itr. This interrupt will catch the rogue completion and avoid the timeout. Add logic to set the appropriate bits in the vector's dyn_ctl register. Fixes: 9c4a27da0ecc ("idpf: enable WB_ON_ITR") Reviewed-by: Madhu Chittim Signed-off-by: Joshua Hay Tested-by: Krishneil Singh Signed-off-by: Tony Nguyen commit 9048cf05a17a7bc26f0b8e2e53750b1237303970 Author: Olga Kornievskaia Date: Tue Dec 17 16:18:12 2024 -0500 NFSD: fix management of pending async copies Currently the pending_async_copies count is decremented just before a struct nfsd4_copy is destroyed. After commit aa0ebd21df9c ("NFSD: Add nfsd4_copy time-to-live") nfsd4_copy structures sticks around for 10 lease periods after the COPY itself has completed, the pending_async_copies count stays high for a long time. This causes NFSD to avoid the use of background copy even though the actual background copy workload might no longer be running. In this patch, decrement pending_async_copies once async copy thread is done processing the copy work. Fixes: aa0ebd21df9c ("NFSD: Add nfsd4_copy time-to-live") Signed-off-by: Olga Kornievskaia Signed-off-by: Chuck Lever commit 93433c1d919775f8ac0f7893692f42e6731a5373 Author: Joshua Hay Date: Mon Nov 25 15:58:54 2024 -0800 idpf: add support for SW triggered interrupts SW triggered interrupts are guaranteed to fire after their timer expires, unlike Tx and Rx interrupts which will only fire after the timer expires _and_ a descriptor write back is available to be processed by the driver. Add the necessary fields, defines, and initializations to enable a SW triggered interrupt in the vector's dyn_ctl register. Reviewed-by: Madhu Chittim Signed-off-by: Joshua Hay Tested-by: Krishneil Singh Signed-off-by: Tony Nguyen commit f4bf0b909a6bf64a2220a42a7c8b8c2ee1b77b89 Author: Maksim Kiselev Date: Tue Dec 10 11:30:27 2024 +0300 clk: thead: Fix TH1520 emmc and shdci clock rate In accordance with LicheePi 4A BSP the clock that comes to emmc/sdhci is 198Mhz which is got through frequency division of source clock VIDEO PLL by 4 [1]. But now the AP_SUBSYS driver sets the CLK EMMC SDIO to the same frequency as the VIDEO PLL, equal to 792 MHz. This causes emmc/sdhci to work 4 times slower. Let's fix this issue by adding fixed factor clock that divides VIDEO PLL by 4 for emmc/sdhci. Link: https://github.com/revyos/thead-kernel/blob/7563179071a314f41cdcdbfd8cf6e101e73707f3/drivers/clk/thead/clk-light-fm.c#L454 Fixes: ae81b69fd2b1 ("clk: thead: Add support for T-Head TH1520 AP_SUBSYS clocks") Signed-off-by: Maksim Kiselev Link: https://lore.kernel.org/r/20241210083029.92620-1-bigunclemax@gmail.com Tested-by: Xi Ruoyao Reviewed-by: Drew Fustini Signed-off-by: Stephen Boyd commit 058387d9c6b70e225da82492e1e193635c3fac3f Author: Willow Cunningham Date: Mon Oct 7 17:29:54 2024 -0400 arm64: dts: broadcom: Fix L2 linesize for Raspberry Pi 5 Set the cache-line-size parameter of the L2 cache for each core to the correct value of 64 bytes. Previously, the L2 cache line size was incorrectly set to 128 bytes for the Broadcom BCM2712. This causes validation tests for the Performance Application Programming Interface (PAPI) tool to fail as they depend on sysfs accurately reporting cache line sizes. The correct value of 64 bytes is stated in the official documentation of the ARM Cortex A-72, which is linked in the comments of arm64/boot/dts/broadcom/bcm2712.dtsi as the source for cache-line-size. Fixes: faa3381267d0 ("arm64: dts: broadcom: Add minimal support for Raspberry Pi 5") Signed-off-by: Willow Cunningham Link: https://lore.kernel.org/r/20241007212954.214724-1-willow.e.cunningham@maine.edu Signed-off-by: Florian Fainelli commit dfb92681a19e1d5172420baa242806414b3eff6f Author: Qu Wenruo Date: Wed Dec 4 13:30:46 2024 +1030 btrfs: tree-checker: reject inline extent items with 0 ref count [BUG] There is a bug report in the mailing list where btrfs_run_delayed_refs() failed to drop the ref count for logical 25870311358464 num_bytes 2113536. The involved leaf dump looks like this: item 166 key (25870311358464 168 2113536) itemoff 10091 itemsize 50 extent refs 1 gen 84178 flags 1 ref#0: shared data backref parent 32399126528000 count 0 <<< ref#1: shared data backref parent 31808973717504 count 1 Notice the count number is 0. [CAUSE] There is no concrete evidence yet, but considering 0 -> 1 is also a single bit flipped, it's possible that hardware memory bitflip is involved, causing the on-disk extent tree to be corrupted. [FIX] To prevent us reading such corrupted extent item, or writing such damaged extent item back to disk, enhance the handling of BTRFS_EXTENT_DATA_REF_KEY and BTRFS_SHARED_DATA_REF_KEY keys for both inlined and key items, to detect such 0 ref count and reject them. CC: stable@vger.kernel.org # 5.4+ Link: https://lore.kernel.org/linux-btrfs/7c69dd49-c346-4806-86e7-e6f863a66f48@app.fastmail.com/ Reported-by: Frankie Fisher Reviewed-by: Filipe Manana Signed-off-by: Qu Wenruo Reviewed-by: David Sterba Signed-off-by: David Sterba commit be691b5e593f2cc8cef67bbc59c1fb91b74a86a9 Author: Christoph Hellwig Date: Mon Nov 4 07:26:33 2024 +0100 btrfs: split bios to the fs sector size boundary Btrfs like other file systems can't really deal with I/O not aligned to it's internal block size (which strangely is called sector size in btrfs, for historical reasons), but the block layer split helper doesn't even know about that. Round down the split boundary so that all I/Os are aligned. Fixes: d5e4377d5051 ("btrfs: split zone append bios in btrfs_submit_bio") CC: stable@vger.kernel.org # 6.12 Reviewed-by: Johannes Thumshirn Signed-off-by: Christoph Hellwig Reviewed-by: Damien Le Moal Reviewed-by: David Sterba Signed-off-by: David Sterba commit 6c3864e055486fadb5b97793b57688082e14b43b Author: Christoph Hellwig Date: Mon Nov 4 07:26:32 2024 +0100 btrfs: use bio_is_zone_append() in the completion handler Otherwise it won't catch bios turned into regular writes by the block level zone write plugging. The additional test it adds is for emulated zone append. Fixes: 9b1ce7f0c6f8 ("block: Implement zone append emulation") CC: stable@vger.kernel.org # 6.12 Reviewed-by: Johannes Thumshirn Reviewed-by: Damien Le Moal Signed-off-by: Christoph Hellwig Reviewed-by: David Sterba Signed-off-by: David Sterba commit d75d72a858f0c00ca8ae161b48cdb403807be4de Author: Josef Bacik Date: Wed Nov 13 11:11:55 2024 -0500 btrfs: fix improper generation check in snapshot delete We have been using the following check if (generation <= root->root_key.offset) to make decisions about whether or not to visit a node during snapshot delete. This is because for normal subvolumes this is set to 0, and for snapshots it's set to the creation generation. The idea being that if the generation of the node is less than or equal to our creation generation then we don't need to visit that node, because it doesn't belong to us, we can simply drop our reference and move on. However reloc roots don't have their generation stored in root->root_key.offset, instead that is the objectid of their corresponding fs root. This means we can incorrectly not walk into nodes that need to be dropped when deleting a reloc root. There are a variety of consequences to making the wrong choice in two distinct areas. visit_node_for_delete() 1. False positive. We think we are newer than the block when we really aren't. We don't visit the node and drop our reference to the node and carry on. This would result in leaked space. 2. False negative. We do decide to walk down into a block that we should have just dropped our reference to. However this means that the child node will have refs > 1, so we will switch to UPDATE_BACKREF, and then the subsequent walk_down_proc() will notice that btrfs_header_owner(node) != root->root_key.objectid and it'll break out of the loop, and then walk_up_proc() will drop our reference, so this appears to be ok. do_walk_down() 1. False positive. We are in UPDATE_BACKREF and incorrectly decide that we are done and don't need to update the backref for our lower nodes. This is another case that simply won't happen with relocation, as we only have to do UPDATE_BACKREF if the node below us was shared and didn't have FULL_BACKREF set, and since we don't own that node because we're a reloc root we actually won't end up in this case. 2. False negative. Again this is tricky because as described above, we simply wouldn't be here from relocation, because we don't own any of the nodes because we never set btrfs_header_owner() to the reloc root objectid, and we always use FULL_BACKREF, we never actually need to set FULL_BACKREF on any children. Having spent a lot of time stressing relocation/snapshot delete recently I've not seen this pop in practice. But this is objectively incorrect, so fix this to get the correct starting generation based on the root we're dropping to keep me from thinking there's a problem here. CC: stable@vger.kernel.org Reviewed-by: Filipe Manana Signed-off-by: Josef Bacik Signed-off-by: David Sterba commit 2182e0f200d097805f2f6bc0042de8695c60f386 Author: Arnd Bergmann Date: Mon Dec 16 08:42:49 2024 +0100 drm: rework FB_CORE dependency The 'select FB_CORE' statement moved from CONFIG_DRM to DRM_CLIENT_LIB, but there are now configurations that have code calling into fb_core as built-in even though the client_lib itself is a loadable module: x86_64-linux-ld: drivers/gpu/drm/drm_fb_helper.o: in function `drm_fb_helper_set_suspend': drm_fb_helper.c:(.text+0x2c6): undefined reference to `fb_set_suspend' x86_64-linux-ld: drivers/gpu/drm/drm_fb_helper.o: in function `drm_fb_helper_resume_worker': drm_fb_helper.c:(.text+0x2e1): undefined reference to `fb_set_suspend' In addition to DRM_CLIENT_LIB, the 'select' needs to be at least in DRM_KMS_HELPER and DRM_GEM_SHMEM_HELPER, so add it here. This patch is the KMS_HELPER part of [1]. Fixes: dadd28d4142f ("drm/client: Add client-lib module") Signed-off-by: Arnd Bergmann Reviewed-by: Thomas Zimmermann Link: https://patchwork.freedesktop.org/series/141411/ # 1 Link: https://patchwork.freedesktop.org/patch/msgid/20241216074450.8590-4-tzimmermann@suse.de Signed-off-by: Thomas Zimmermann commit 5529876063e110ea49326138149fdf2a28a484dd Merge: a241d7f0d3a289 166438a432d76c Author: Linus Torvalds Date: Tue Dec 17 09:14:31 2024 -0800 Merge tag 'ftrace-v6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace Pull ftrace fixes from Steven Rostedt: - Always try to initialize the idle functions when graph tracer starts A bug was found that when a CPU is offline when graph tracing starts and then comes online, that CPU is not traced. The fix to that was to move the initialization of the idle shadow stack over to the hot plug online logic, which also handle onlined CPUs. The issue was that it removed the initialization of the shadow stack when graph tracing starts, but the callbacks to the hot plug logic do nothing if graph tracing isn't currently running. Although that fix fixed the onlining of a CPU during tracing, it broke the CPUs that were already online. - Have microblaze not try to get the "true parent" in function tracing If function tracing and graph tracing are both enabled at the same time the parent of the functions traced by the function tracer may sometimes be the graph tracing trampoline. The graph tracing hijacks the return pointer of the function to trace it, but that can interfere with the function tracing parent output. This was fixed by using the ftrace_graph_ret_addr() function passing in the kernel stack pointer using the ftrace_regs_get_stack_pointer() function. But Al Viro reported that Microblaze does not implement the kernel_stack_pointer(regs) helper function that ftrace_regs_get_stack_pointer() uses and fails to compile when function graph tracing is enabled. It was first thought that this was a microblaze issue, but the real cause is that this only works when an architecture implements HAVE_DYNAMIC_FTRACE_WITH_ARGS, as a requirement for that config is to have ftrace always pass a valid ftrace_regs to the callbacks. That also means that the architecture supports ftrace_regs_get_stack_pointer() Microblaze does not set HAVE_DYNAMIC_FTRACE_WITH_ARGS nor does it implement ftrace_regs_get_stack_pointer() which caused it to fail to build. Only implement the "true parent" logic if an architecture has that config set" * tag 'ftrace-v6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: ftrace: Do not find "true_parent" if HAVE_DYNAMIC_FTRACE_WITH_ARGS is not set fgraph: Still initialize idle shadow stacks when starting commit a241d7f0d3a289a52b5245ec1f486d57c8f3c97b Merge: ed90ed56e4b131 282da38b465395 Author: Linus Torvalds Date: Tue Dec 17 09:09:32 2024 -0800 Merge tag 's390-6.13-3' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux Pull s390 fixes from Alexander Gordeev: - Fix DirectMap accounting in /proc/meminfo file - Fix strscpy() return code handling that led to "unsigned 'len' is never less than zero" warning - Fix the calculation determining whether to use three- or four-level paging: account KMSAN modules metadata * tag 's390-6.13-3' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux: s390/mm: Consider KMSAN modules metadata for paging levels s390/ipl: Fix never less than zero warning s390/mm: Fix DirectMap accounting commit 8ce35bf0ef5a659f3a15237152770a7c1d13c996 Author: Thomas Zimmermann Date: Mon Dec 16 08:42:48 2024 +0100 drm/fbdev: Select FB_CORE dependency for fbdev on DMA and TTM Select FB_CORE if GEM's DMA and TTM implementations support fbdev emulation. Fixes linker errors about missing symbols from the fbdev subsystem. Also see [1] for a related SHMEM fix. Fixes: dadd28d4142f ("drm/client: Add client-lib module") Signed-off-by: Thomas Zimmermann Link: https://patchwork.freedesktop.org/series/141411/ # 1 Reviewed-by: Arnd Bergmann Link: https://patchwork.freedesktop.org/patch/msgid/20241216074450.8590-3-tzimmermann@suse.de commit 8fc38062be3f692ff8816da84fde71972530bcc4 Author: Thomas Zimmermann Date: Mon Dec 16 08:42:47 2024 +0100 fbdev: Fix recursive dependencies wrt BACKLIGHT_CLASS_DEVICE Do not select BACKLIGHT_CLASS_DEVICE from FB_BACKLIGHT. The latter only controls backlight support within fbdev core code and data structures. Make fbdev drivers depend on BACKLIGHT_CLASS_DEVICE and let users select it explicitly. Fixes warnings about recursive dependencies, such as error: recursive dependency detected! symbol BACKLIGHT_CLASS_DEVICE is selected by FB_BACKLIGHT symbol FB_BACKLIGHT is selected by FB_SH_MOBILE_LCDC symbol FB_SH_MOBILE_LCDC depends on FB_DEVICE symbol FB_DEVICE depends on FB_CORE symbol FB_CORE is selected by DRM_GEM_DMA_HELPER symbol DRM_GEM_DMA_HELPER is selected by DRM_PANEL_ILITEK_ILI9341 symbol DRM_PANEL_ILITEK_ILI9341 depends on BACKLIGHT_CLASS_DEVICE BACKLIGHT_CLASS_DEVICE is user-selectable, so making drivers adapt to it is the correct approach in any case. For most drivers, backlight support is also configurable separately. v3: - Select BACKLIGHT_CLASS_DEVICE in PowerMac defconfigs (Christophe) - Fix PMAC_BACKLIGHT module dependency corner cases (Christophe) v2: - s/BACKLIGHT_DEVICE_CLASS/BACKLIGHT_CLASS_DEVICE (Helge) - Fix fbdev driver-dependency corner case (Arnd) Signed-off-by: Thomas Zimmermann Reviewed-by: Arnd Bergmann Link: https://patchwork.freedesktop.org/patch/msgid/20241216074450.8590-2-tzimmermann@suse.de commit ed90ed56e4b1311797302c2e6107f5049ba4586d Merge: 1f13c38a854d13 6422cde1b0d5a3 Author: Linus Torvalds Date: Tue Dec 17 09:04:42 2024 -0800 Merge tag 'erofs-for-6.13-rc4-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs Pull erofs fixes from Gao Xiang: "The first one fixes a syzbot UAF report caused by a commit introduced in this cycle, but it also addresses a longstanding memory leak. The second one resolves a PSI memstall mis-accounting issue. The remaining patches switch file-backed mounts to use buffered I/Os by default instead of direct I/Os, since the page cache of underlay files is typically valid and maybe even dirty. This change also aligns with the default policy of loopback devices. A mount option has been added to try to use direct I/Os explicitly. Summary: - Fix (pcluster) memory leak and (sbi) UAF after umounting - Fix a case of PSI memstall mis-accounting - Use buffered I/Os by default for file-backed mounts" * tag 'erofs-for-6.13-rc4-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs: erofs: use buffered I/O for file-backed mounts by default erofs: reference `struct erofs_device_info` for erofs_map_dev erofs: use `struct erofs_device_info` for the primary device erofs: add erofs_sb_free() helper MAINTAINERS: erofs: update Yue Hu's email address erofs: fix PSI memstall accounting erofs: fix rare pcluster memory leak after unmounting commit 4a077914578183ec397ad09f7156a357e00e5d72 Author: John Stultz Date: Thu Dec 12 14:21:33 2024 -0800 locking/rtmutex: Make sure we wake anything on the wake_q when we release the lock->wait_lock Bert reported seeing occasional boot hangs when running with PREEPT_RT and bisected it down to commit 894d1b3db41c ("locking/mutex: Remove wakeups from under mutex::wait_lock"). It looks like I missed a few spots where we drop the wait_lock and potentially call into schedule without waking up the tasks on the wake_q structure. Since the tasks being woken are ww_mutex tasks they need to be able to run to release the mutex and unblock the task that currently is planning to wake them. Thus we can deadlock. So make sure we wake the wake_q tasks when we unlock the wait_lock. Closes: https://lore.kernel.org/lkml/20241211182502.2915-1-spasswolf@web.de Fixes: 894d1b3db41c ("locking/mutex: Remove wakeups from under mutex::wait_lock") Reported-by: Bert Karwatzki Signed-off-by: John Stultz Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20241212222138.2400498-1-jstultz@google.com commit b8c3a2502a205321fe66c356f4b70cabd8e1a5fc Author: Kan Liang Date: Mon Dec 16 12:45:02 2024 -0800 perf/x86/intel/ds: Add PEBS format 6 The only difference between 5 and 6 is the new counters snapshotting group, without the following counters snapshotting enabling patches, it's impossible to utilize the feature in a PEBS record. It's safe to share the same code path with format 5. Add format 6, so the end user can at least utilize the legacy PEBS features. Fixes: a932aa0e868f ("perf/x86: Add Lunar Lake and Arrow Lake support") Signed-off-by: Kan Liang Signed-off-by: Peter Zijlstra (Intel) Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20241216204505.748363-1-kan.liang@linux.intel.com commit b6ccddd6fe1fd49c7a82b6fbed01cccad21a29c7 Author: Kan Liang Date: Wed Dec 11 08:11:46 2024 -0800 perf/x86/intel/uncore: Add Clearwater Forest support From the perspective of the uncore PMU, the Clearwater Forest is the same as the previous Sierra Forest. The only difference is the event list, which will be supported in the perf tool later. Signed-off-by: Kan Liang Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20241211161146.235253-1-kan.liang@linux.intel.com commit 1f13c38a854d13acafe6feedaa2705e61f79a538 Merge: 59dbb9d81adfe0 239d87327dcd36 Author: Linus Torvalds Date: Tue Dec 17 08:45:40 2024 -0800 Merge tag 'hardening-v6.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux Pull hardening fix from Kees Cook: "Silence a GCC value-range warning that is being ironically triggered by bounds checking" * tag 'hardening-v6.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: fortify: Hide run-time copy size from value range tracking commit afd2627f727b89496d79a6b934a025fc916d4ded Author: Steven Rostedt Date: Mon Dec 16 21:41:22 2024 -0500 tracing: Check "%s" dereference via the field and not the TP_printk format The TP_printk() portion of a trace event is executed at the time a event is read from the trace. This can happen seconds, minutes, hours, days, months, years possibly later since the event was recorded. If the print format contains a dereference to a string via "%s", and that string was allocated, there's a chance that string could be freed before it is read by the trace file. To protect against such bugs, there are two functions that verify the event. The first one is test_event_printk(), which is called when the event is created. It reads the TP_printk() format as well as its arguments to make sure nothing may be dereferencing a pointer that was not copied into the ring buffer along with the event. If it is, it will trigger a WARN_ON(). For strings that use "%s", it is not so easy. The string may not reside in the ring buffer but may still be valid. Strings that are static and part of the kernel proper which will not be freed for the life of the running system, are safe to dereference. But to know if it is a pointer to a static string or to something on the heap can not be determined until the event is triggered. This brings us to the second function that tests for the bad dereferencing of strings, trace_check_vprintf(). It would walk through the printf format looking for "%s", and when it finds it, it would validate that the pointer is safe to read. If not, it would produces a WARN_ON() as well and write into the ring buffer "[UNSAFE-MEMORY]". The problem with this is how it used va_list to have vsnprintf() handle all the cases that it didn't need to check. Instead of re-implementing vsnprintf(), it would make a copy of the format up to the %s part, and call vsnprintf() with the current va_list ap variable, where the ap would then be ready to point at the string in question. For architectures that passed va_list by reference this was possible. For architectures that passed it by copy it was not. A test_can_verify() function was used to differentiate between the two, and if it wasn't possible, it would disable it. Even for architectures where this was feasible, it was a stretch to rely on such a method that is undocumented, and could cause issues later on with new optimizations of the compiler. Instead, the first function test_event_printk() was updated to look at "%s" as well. If the "%s" argument is a pointer outside the event in the ring buffer, it would find the field type of the event that is the problem and mark the structure with a new flag called "needs_test". The event itself will be marked by TRACE_EVENT_FL_TEST_STR to let it be known that this event has a field that needs to be verified before the event can be printed using the printf format. When the event fields are created from the field type structure, the fields would copy the field type's "needs_test" value. Finally, before being printed, a new function ignore_event() is called which will check if the event has the TEST_STR flag set (if not, it returns false). If the flag is set, it then iterates through the events fields looking for the ones that have the "needs_test" flag set. Then it uses the offset field from the field structure to find the pointer in the ring buffer event. It runs the tests to make sure that pointer is safe to print and if not, it triggers the WARN_ON() and also adds to the trace output that the event in question has an unsafe memory access. The ignore_event() makes the trace_check_vprintf() obsolete so it is removed. Link: https://lore.kernel.org/all/CAHk-=wh3uOnqnZPpR0PeLZZtyWbZLboZ7cHLCKRWsocvs9Y7hQ@mail.gmail.com/ Cc: stable@vger.kernel.org Cc: Masami Hiramatsu Cc: Mark Rutland Cc: Mathieu Desnoyers Cc: Andrew Morton Cc: Al Viro Cc: Linus Torvalds Link: https://lore.kernel.org/20241217024720.848621576@goodmis.org Fixes: 5013f454a352c ("tracing: Add check of trace event print fmts for dereferencing pointers") Signed-off-by: Steven Rostedt (Google) commit 65a25d9f7ac02e0cf361356e834d1c71d36acca9 Author: Steven Rostedt Date: Mon Dec 16 21:41:21 2024 -0500 tracing: Add "%s" check in test_event_printk() The test_event_printk() code makes sure that when a trace event is registered, any dereferenced pointers in from the event's TP_printk() are pointing to content in the ring buffer. But currently it does not handle "%s", as there's cases where the string pointer saved in the ring buffer points to a static string in the kernel that will never be freed. As that is a valid case, the pointer needs to be checked at runtime. Currently the runtime check is done via trace_check_vprintf(), but to not have to replicate everything in vsnprintf() it does some logic with the va_list that may not be reliable across architectures. In order to get rid of that logic, more work in the test_event_printk() needs to be done. Some of the strings can be validated at this time when it is obvious the string is valid because the string will be saved in the ring buffer content. Do all the validation of strings in the ring buffer at boot in test_event_printk(), and make sure that the field of the strings that point into the kernel are accessible. This will allow adding checks at runtime that will validate the fields themselves and not rely on paring the TP_printk() format at runtime. Cc: stable@vger.kernel.org Cc: Masami Hiramatsu Cc: Mark Rutland Cc: Mathieu Desnoyers Cc: Andrew Morton Cc: Al Viro Cc: Linus Torvalds Link: https://lore.kernel.org/20241217024720.685917008@goodmis.org Fixes: 5013f454a352c ("tracing: Add check of trace event print fmts for dereferencing pointers") Signed-off-by: Steven Rostedt (Google) commit 917110481f6bc1c96b1e54b62bb114137fbc6d17 Author: Steven Rostedt Date: Mon Dec 16 21:41:20 2024 -0500 tracing: Add missing helper functions in event pointer dereference check The process_pointer() helper function looks to see if various trace event macros are used. These macros are for storing data in the event. This makes it safe to dereference as the dereference will then point into the event on the ring buffer where the content of the data stays with the event itself. A few helper functions were missing. Those were: __get_rel_dynamic_array() __get_dynamic_array_len() __get_rel_dynamic_array_len() __get_rel_sockaddr() Also add a helper function find_print_string() to not need to use a middle man variable to test if the string exists. Cc: stable@vger.kernel.org Cc: Masami Hiramatsu Cc: Mark Rutland Cc: Mathieu Desnoyers Cc: Andrew Morton Cc: Al Viro Cc: Linus Torvalds Link: https://lore.kernel.org/20241217024720.521836792@goodmis.org Fixes: 5013f454a352c ("tracing: Add check of trace event print fmts for dereferencing pointers") Signed-off-by: Steven Rostedt (Google) commit a6629626c584200daf495cc9a740048b455addcd Author: Steven Rostedt Date: Mon Dec 16 21:41:19 2024 -0500 tracing: Fix test_event_printk() to process entire print argument The test_event_printk() analyzes print formats of trace events looking for cases where it may dereference a pointer that is not in the ring buffer which can possibly be a bug when the trace event is read from the ring buffer and the content of that pointer no longer exists. The function needs to accurately go from one print format argument to the next. It handles quotes and parenthesis that may be included in an argument. When it finds the start of the next argument, it uses a simple "c = strstr(fmt + i, ',')" to find the end of that argument! In order to include "%s" dereferencing, it needs to process the entire content of the print format argument and not just the content of the first ',' it finds. As there may be content like: ({ const char *saved_ptr = trace_seq_buffer_ptr(p); static const char *access_str[] = { "---", "--x", "w--", "w-x", "-u-", "-ux", "wu-", "wux" }; union kvm_mmu_page_role role; role.word = REC->role; trace_seq_printf(p, "sp gen %u gfn %llx l%u %u-byte q%u%s %s%s" " %snxe %sad root %u %s%c", REC->mmu_valid_gen, REC->gfn, role.level, role.has_4_byte_gpte ? 4 : 8, role.quadrant, role.direct ? " direct" : "", access_str[role.access], role.invalid ? " invalid" : "", role.efer_nx ? "" : "!", role.ad_disabled ? "!" : "", REC->root_count, REC->unsync ? "unsync" : "sync", 0); saved_ptr; }) Which is an example of a full argument of an existing event. As the code already handles finding the next print format argument, process the argument at the end of it and not the start of it. This way it has both the start of the argument as well as the end of it. Add a helper function "process_pointer()" that will do the processing during the loop as well as at the end. It also makes the code cleaner and easier to read. Cc: stable@vger.kernel.org Cc: Masami Hiramatsu Cc: Mark Rutland Cc: Mathieu Desnoyers Cc: Andrew Morton Cc: Al Viro Cc: Linus Torvalds Link: https://lore.kernel.org/20241217024720.362271189@goodmis.org Fixes: 5013f454a352c ("tracing: Add check of trace event print fmts for dereferencing pointers") Signed-off-by: Steven Rostedt (Google) commit 59dbb9d81adfe07a6f8483269146b407cf9d44d7 Merge: f44d154d6e3d63 7fa0da5373685e Author: Linus Torvalds Date: Tue Dec 17 08:29:58 2024 -0800 Merge tag 'xsa465+xsa466-6.13-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip Pull xen fixes from Juergen Gross: "Fix xen netfront crash (XSA-465) and avoid using the hypercall page that doesn't do speculation mitigations (XSA-466)" * tag 'xsa465+xsa466-6.13-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip: x86/xen: remove hypercall page x86/xen: use new hypercall functions instead of hypercall page x86/xen: add central hypercall functions x86/xen: don't do PV iret hypercall through hypercall page x86/static-call: provide a way to do very early static-call updates objtool/x86: allow syscall instruction x86: make get_cpu_vendor() accessible from Xen code xen/netfront: fix crash when removing device commit 185e1b1d91e419445d3fd99c1c0376a970438acf Author: Joe Hattori Date: Mon Dec 16 11:25:38 2024 +0900 platform/x86: mlx-platform: call pci_dev_put() to balance the refcount mlxplat_pci_fpga_device_init() calls pci_get_device() but does not release the refcount on error path. Call pci_dev_put() on the error path and in mlxplat_pci_fpga_device_exit() to fix this. This bug was found by an experimental static analysis tool that I am developing. Fixes: 02daa222fbdd ("platform: mellanox: Add initial support for PCIe based programming logic device") Signed-off-by: Joe Hattori Reviewed-by: Vadim Pasternak Link: https://lore.kernel.org/r/20241216022538.381209-1-joe@pf.is.s.u-tokyo.ac.jp Reviewed-by: Ilpo Järvinen Signed-off-by: Ilpo Järvinen commit bedb4e6088a886f587d2ea44e0c198c8ce2182c9 Author: Zhang Kunbo Date: Tue Dec 17 07:19:21 2024 +0000 fs/nfs: fix missing declaration of nfs_idmap_cache_timeout fs/nfs/super.c should include fs/nfs/nfs4idmap.h for declaration of nfs_idmap_cache_timeout. This fixes the sparse warning: fs/nfs/super.c:1397:14: warning: symbol 'nfs_idmap_cache_timeout' was not declared. Should it be static? Signed-off-by: Zhang Kunbo Signed-off-by: Trond Myklebust commit 62e2a47ceab8f3f7d2e3f0e03fdd1c5e0059fd8b Author: Trond Myklebust Date: Mon Dec 16 19:28:06 2024 -0500 NFS/pnfs: Fix a live lock between recalled layouts and layoutget When the server is recalling a layout, we should ignore the count of outstanding layoutget calls, since the server is expected to return either NFS4ERR_RECALLCONFLICT or NFS4ERR_RETURNCONFLICT for as long as the recall is outstanding. Currently, we may end up livelocking, causing the layout to eventually be forcibly revoked. Fixes: bf0291dd2267 ("pNFS: Ensure LAYOUTGET and LAYOUTRETURN are properly serialised") Cc: stable@vger.kernel.org Signed-off-by: Trond Myklebust commit 020b40f3562495f3c703a283ece145ffec19e82d Author: Jens Axboe Date: Tue Dec 17 08:21:46 2024 -0700 io_uring: make ctx->timeout_lock a raw spinlock Chase reports that their tester complaints about a locking context mismatch: ============================= [ BUG: Invalid wait context ] 6.13.0-rc1-gf137f14b7ccb-dirty #9 Not tainted ----------------------------- syz.1.25198/182604 is trying to lock: ffff88805e66a358 (&ctx->timeout_lock){-.-.}-{3:3}, at: spin_lock_irq include/linux/spinlock.h:376 [inline] ffff88805e66a358 (&ctx->timeout_lock){-.-.}-{3:3}, at: io_match_task_safe io_uring/io_uring.c:218 [inline] ffff88805e66a358 (&ctx->timeout_lock){-.-.}-{3:3}, at: io_match_task_safe+0x187/0x250 io_uring/io_uring.c:204 other info that might help us debug this: context-{5:5} 1 lock held by syz.1.25198/182604: #0: ffff88802b7d48c0 (&acct->lock){+.+.}-{2:2}, at: io_acct_cancel_pending_work+0x2d/0x6b0 io_uring/io-wq.c:1049 stack backtrace: CPU: 0 UID: 0 PID: 182604 Comm: syz.1.25198 Not tainted 6.13.0-rc1-gf137f14b7ccb-dirty #9 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x82/0xd0 lib/dump_stack.c:120 print_lock_invalid_wait_context kernel/locking/lockdep.c:4826 [inline] check_wait_context kernel/locking/lockdep.c:4898 [inline] __lock_acquire+0x883/0x3c80 kernel/locking/lockdep.c:5176 lock_acquire.part.0+0x11b/0x370 kernel/locking/lockdep.c:5849 __raw_spin_lock_irq include/linux/spinlock_api_smp.h:119 [inline] _raw_spin_lock_irq+0x36/0x50 kernel/locking/spinlock.c:170 spin_lock_irq include/linux/spinlock.h:376 [inline] io_match_task_safe io_uring/io_uring.c:218 [inline] io_match_task_safe+0x187/0x250 io_uring/io_uring.c:204 io_acct_cancel_pending_work+0xb8/0x6b0 io_uring/io-wq.c:1052 io_wq_cancel_pending_work io_uring/io-wq.c:1074 [inline] io_wq_cancel_cb+0xb0/0x390 io_uring/io-wq.c:1112 io_uring_try_cancel_requests+0x15e/0xd70 io_uring/io_uring.c:3062 io_uring_cancel_generic+0x6ec/0x8c0 io_uring/io_uring.c:3140 io_uring_files_cancel include/linux/io_uring.h:20 [inline] do_exit+0x494/0x27a0 kernel/exit.c:894 do_group_exit+0xb3/0x250 kernel/exit.c:1087 get_signal+0x1d77/0x1ef0 kernel/signal.c:3017 arch_do_signal_or_restart+0x79/0x5b0 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218 do_syscall_64+0xd8/0x250 arch/x86/entry/common.c:89 entry_SYSCALL_64_after_hwframe+0x77/0x7f which is because io_uring has ctx->timeout_lock nesting inside the io-wq acct lock, the latter of which is used from inside the scheduler and hence is a raw spinlock, while the former is a "normal" spinlock and can hence be sleeping on PREEMPT_RT. Change ctx->timeout_lock to be a raw spinlock to solve this nesting dependency on PREEMPT_RT=y. Reported-by: chase xd Signed-off-by: Jens Axboe commit 69d803c40edeaf94089fbc8751c9b746cdc35044 Author: Yang Erkun Date: Mon Dec 16 22:21:52 2024 +0800 nfsd: Revert "nfsd: release svc_expkey/svc_export with rcu_work" This reverts commit f8c989a0c89a75d30f899a7cabdc14d72522bb8d. Before this commit, svc_export_put or expkey_put will call path_put with sync mode. After this commit, path_put will be called with async mode. And this can lead the unexpected results show as follow. mkfs.xfs -f /dev/sda echo "/ *(rw,no_root_squash,fsid=0)" > /etc/exports echo "/mnt *(rw,no_root_squash,fsid=1)" >> /etc/exports exportfs -ra service nfs-server start mount -t nfs -o vers=4.0 127.0.0.1:/mnt /mnt1 mount /dev/sda /mnt/sda touch /mnt1/sda/file exportfs -r umount /mnt/sda # failed unexcepted The touch will finally call nfsd_cross_mnt, add refcount to mount, and then add cache_head. Before this commit, exportfs -r will call cache_flush to cleanup all cache_head, and path_put in svc_export_put/expkey_put will be finished with sync mode. So, the latter umount will always success. However, after this commit, path_put will be called with async mode, the latter umount may failed, and if we add some delay, umount will success too. Personally I think this bug and should be fixed. We first revert before bugfix patch, and then fix the original bug with a different way. Fixes: f8c989a0c89a ("nfsd: release svc_expkey/svc_export with rcu_work") Signed-off-by: Yang Erkun Signed-off-by: Chuck Lever commit a37eecb705f33726f1fb7cd2a67e514a15dfe693 Author: Evgenii Shatokhin Date: Mon Dec 9 10:46:59 2024 +0300 pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking If a device uses MCP23xxx IO expander to receive IRQs, the following bug can happen: BUG: sleeping function called from invalid context at kernel/locking/mutex.c:283 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, ... preempt_count: 1, expected: 0 ... Call Trace: ... __might_resched+0x104/0x10e __might_sleep+0x3e/0x62 mutex_lock+0x20/0x4c regmap_lock_mutex+0x10/0x18 regmap_update_bits_base+0x2c/0x66 mcp23s08_irq_set_type+0x1ae/0x1d6 __irq_set_trigger+0x56/0x172 __setup_irq+0x1e6/0x646 request_threaded_irq+0xb6/0x160 ... We observed the problem while experimenting with a touchscreen driver which used MCP23017 IO expander (I2C). The regmap in the pinctrl-mcp23s08 driver uses a mutex for protection from concurrent accesses, which is the default for regmaps without .fast_io, .disable_locking, etc. mcp23s08_irq_set_type() calls regmap_update_bits_base(), and the latter locks the mutex. However, __setup_irq() locks desc->lock spinlock before calling these functions. As a result, the system tries to lock the mutex whole holding the spinlock. It seems, the internal regmap locks are not needed in this driver at all. mcp->lock seems to protect the regmap from concurrent accesses already, except, probably, in mcp_pinconf_get/set. mcp23s08_irq_set_type() and mcp23s08_irq_mask/unmask() are called under chip_bus_lock(), which calls mcp23s08_irq_bus_lock(). The latter takes mcp->lock and enables regmap caching, so that the potentially slow I2C accesses are deferred until chip_bus_unlock(). The accesses to the regmap from mcp23s08_probe_one() do not need additional locking. In all remaining places where the regmap is accessed, except mcp_pinconf_get/set(), the driver already takes mcp->lock. This patch adds locking in mcp_pinconf_get/set() and disables internal locking in the regmap config. Among other things, it fixes the sleeping in atomic context described above. Fixes: 8f38910ba4f6 ("pinctrl: mcp23s08: switch to regmap caching") Cc: stable@vger.kernel.org Signed-off-by: Evgenii Shatokhin Link: https://lore.kernel.org/20241209074659.1442898-1-e.shatokhin@yadro.com Signed-off-by: Linus Walleij commit 7ed2d91588779f0a2b27fd502ce2aaf1fab9b3ca Author: Gianfranco Trad Date: Sun Dec 15 02:17:34 2024 +0100 qed: fix possible uninit pointer read in qed_mcp_nvm_info_populate() Coverity reports an uninit pointer read in qed_mcp_nvm_info_populate(). If EOPNOTSUPP is returned from qed_mcp_bist_nvm_get_num_images() ensure nvm_info.num_images is set to 0 to avoid possible uninit assignment to p_hwfn->nvm_info.image_att later on in out label. Closes: https://scan5.scan.coverity.com/#/project-view/63204/10063?selectedIssue=1636666 Suggested-by: Simon Horman Signed-off-by: Gianfranco Trad Reviewed-by: Simon Horman Link: https://patch.msgid.link/20241215011733.351325-2-gianf.trad@gmail.com Signed-off-by: Paolo Abeni commit e8d0ba147d901022bcb69da8d8fd817f84e9f3ca Author: Peter Ujfalusi Date: Tue Dec 17 11:10:19 2024 +0200 ASoC: SOF: Intel: hda-dai: Do not release the link DMA on STOP The linkDMA should not be released on stop trigger since a stream re-start might happen without closing of the stream. This leaves a short time for other streams to 'steal' the linkDMA since it has been released. This issue is not easy to reproduce under normal conditions as usually after stop the stream is closed, or the same stream is restarted, but if another stream got in between the stop and start, like this: aplay -Dhw:0,3 -c2 -r48000 -fS32_LE /dev/zero -d 120 CTRL+z aplay -Dhw:0,0 -c2 -r48000 -fS32_LE /dev/zero -d 120 then the link DMA channels will be mixed up, resulting firmware error or crash. Fixes: ab5593793e90 ("ASoC: SOF: Intel: hda: Always clean up link DMA during stop") Cc: stable@vger.kernel.org Closes: https://github.com/thesofproject/sof/issues/9695 Signed-off-by: Peter Ujfalusi Reviewed-by: Ranjani Sridharan Reviewed-by: Liam Girdwood Reviewed-by: Bard Liao Link: https://patch.msgid.link/20241217091019.31798-1-peter.ujfalusi@linux.intel.com Signed-off-by: Mark Brown commit 2b2fc0be98a828cf33a88a28e9745e8599fb05cf Author: Zhang Kunbo Date: Tue Dec 17 07:18:36 2024 +0000 fs: fix missing declaration of init_files fs/file.c should include include/linux/init_task.h for declaration of init_files. This fixes the sparse warning: fs/file.c:501:21: warning: symbol 'init_files' was not declared. Should it be static? Signed-off-by: Zhang Kunbo Link: https://lore.kernel.org/r/20241217071836.2634868-1-zhangkunbo@huawei.com Signed-off-by: Christian Brauner commit 0cb2c504d79e7caa3abade3f466750c82ad26f01 Author: Joe Hattori Date: Sat Dec 14 10:49:12 2024 +0900 net: ethernet: bgmac-platform: fix an OF node reference leak The OF node obtained by of_parse_phandle() is not freed. Call of_node_put() to balance the refcount. This bug was found by an experimental static analysis tool that I am developing. Fixes: 1676aba5ef7e ("net: ethernet: bgmac: device tree phy enablement") Signed-off-by: Joe Hattori Reviewed-by: Simon Horman Link: https://patch.msgid.link/20241214014912.2810315-1-joe@pf.is.s.u-tokyo.ac.jp Signed-off-by: Paolo Abeni commit 90d130aadce1592f6f2dc0cfecfc9502bbd6f5c0 Merge: 94901b7a74d82b e592b5110b3e93 Author: Paolo Abeni Date: Tue Dec 17 13:11:35 2024 +0100 Merge branch 'fixes-on-the-open-alliance-tc6-10base-t1x-mac-phy-support-generic-lib' Parthiban Veerasooran says: ==================== Fixes on the OPEN Alliance TC6 10BASE-T1x MAC-PHY support generic lib This patch series contain the below fixes. - Infinite loop error when tx credits becomes 0. - Race condition between tx skb reference pointers. v2: - Added mutex lock to protect tx skb reference handling. v3: - Added mutex protection in assigning new tx skb to waiting_tx_skb pointer. - Explained the possible scenario for the race condition with the time diagram in the commit message. v4: - Replaced mutex with spin_lock_bh() variants as the start_xmit runs in BH/softirq context which can't take sleeping locks. ==================== Link: https://patch.msgid.link/20241213123159.439739-1-parthiban.veerasooran@microchip.com Signed-off-by: Paolo Abeni commit e592b5110b3e9393881b0a019d86832bbf71a47f Author: Parthiban Veerasooran Date: Fri Dec 13 18:01:59 2024 +0530 net: ethernet: oa_tc6: fix tx skb race condition between reference pointers There are two skb pointers to manage tx skb's enqueued from n/w stack. waiting_tx_skb pointer points to the tx skb which needs to be processed and ongoing_tx_skb pointer points to the tx skb which is being processed. SPI thread prepares the tx data chunks from the tx skb pointed by the ongoing_tx_skb pointer. When the tx skb pointed by the ongoing_tx_skb is processed, the tx skb pointed by the waiting_tx_skb is assigned to ongoing_tx_skb and the waiting_tx_skb pointer is assigned with NULL. Whenever there is a new tx skb from n/w stack, it will be assigned to waiting_tx_skb pointer if it is NULL. Enqueuing and processing of a tx skb handled in two different threads. Consider a scenario where the SPI thread processed an ongoing_tx_skb and it moves next tx skb from waiting_tx_skb pointer to ongoing_tx_skb pointer without doing any NULL check. At this time, if the waiting_tx_skb pointer is NULL then ongoing_tx_skb pointer is also assigned with NULL. After that, if a new tx skb is assigned to waiting_tx_skb pointer by the n/w stack and there is a chance to overwrite the tx skb pointer with NULL in the SPI thread. Finally one of the tx skb will be left as unhandled, resulting packet missing and memory leak. - Consider the below scenario where the TXC reported from the previous transfer is 10 and ongoing_tx_skb holds an tx ethernet frame which can be transported in 20 TXCs and waiting_tx_skb is still NULL. tx_credits = 10; /* 21 are filled in the previous transfer */ ongoing_tx_skb = 20; waiting_tx_skb = NULL; /* Still NULL */ - So, (tc6->ongoing_tx_skb || tc6->waiting_tx_skb) becomes true. - After oa_tc6_prepare_spi_tx_buf_for_tx_skbs() ongoing_tx_skb = 10; waiting_tx_skb = NULL; /* Still NULL */ - Perform SPI transfer. - Process SPI rx buffer to get the TXC from footers. - Now let's assume previously filled 21 TXCs are freed so we are good to transport the next remaining 10 tx chunks from ongoing_tx_skb. tx_credits = 21; ongoing_tx_skb = 10; waiting_tx_skb = NULL; - So, (tc6->ongoing_tx_skb || tc6->waiting_tx_skb) becomes true again. - In the oa_tc6_prepare_spi_tx_buf_for_tx_skbs() ongoing_tx_skb = NULL; waiting_tx_skb = NULL; - Now the below bad case might happen, Thread1 (oa_tc6_start_xmit) Thread2 (oa_tc6_spi_thread_handler) --------------------------- ----------------------------------- - if waiting_tx_skb is NULL - if ongoing_tx_skb is NULL - ongoing_tx_skb = waiting_tx_skb - waiting_tx_skb = skb - waiting_tx_skb = NULL ... - ongoing_tx_skb = NULL - if waiting_tx_skb is NULL - waiting_tx_skb = skb To overcome the above issue, protect the moving of tx skb reference from waiting_tx_skb pointer to ongoing_tx_skb pointer and assigning new tx skb to waiting_tx_skb pointer, so that the other thread can't access the waiting_tx_skb pointer until the current thread completes moving the tx skb reference safely. Fixes: 53fbde8ab21e ("net: ethernet: oa_tc6: implement transmit path to transfer tx ethernet frames") Signed-off-by: Parthiban Veerasooran Reviewed-by: Larysa Zaremba Signed-off-by: Paolo Abeni commit 7d2f320e12744e5906a4fab40381060a81d22c12 Author: Parthiban Veerasooran Date: Fri Dec 13 18:01:58 2024 +0530 net: ethernet: oa_tc6: fix infinite loop error when tx credits becomes 0 SPI thread wakes up to perform SPI transfer whenever there is an TX skb from n/w stack or interrupt from MAC-PHY. Ethernet frame from TX skb is transferred based on the availability tx credits in the MAC-PHY which is reported from the previous SPI transfer. Sometimes there is a possibility that TX skb is available to transmit but there is no tx credits from MAC-PHY. In this case, there will not be any SPI transfer but the thread will be running in an endless loop until tx credits available again. So checking the availability of tx credits along with TX skb will prevent the above infinite loop. When the tx credits available again that will be notified through interrupt which will trigger the SPI transfer to get the available tx credits. Fixes: 53fbde8ab21e ("net: ethernet: oa_tc6: implement transmit path to transfer tx ethernet frames") Reviewed-by: Jacob Keller Signed-off-by: Parthiban Veerasooran Signed-off-by: Paolo Abeni commit 44c5aa73ccd1e8a738fd011354ee8fb9fcda201a Author: Bartosz Golaszewski Date: Mon Dec 2 17:57:23 2024 +0100 interconnect: icc-clk: check return values of devm_kasprintf() devm_kasprintf() can fail and return NULL, add missing return value checks. Fixes: 0ac2a08f42ce ("interconnect: add clk-based icc provider support") Signed-off-by: Bartosz Golaszewski Reviewed-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20241202165723.17292-1-brgl@bgdev.pl Signed-off-by: Georgi Djakov commit 00a973e093e93690d433f1e1873ee52a6a6eca1f Author: Georgi Djakov Date: Wed Dec 4 00:33:34 2024 +0200 interconnect: qcom: icc-rpm: Set the count member before accessing the flex array The following UBSAN error is reported during boot on the db410c board on a clang-19 build: Internal error: UBSAN: array index out of bounds: 00000000f2005512 [#1] PREEMPT SMP ... pc : qnoc_probe+0x5f8/0x5fc ... The cause of the error is that the counter member was not set before accessing the annotated flexible array member, but after that. Fix this by initializing it earlier. Reported-by: Linux Kernel Functional Testing Closes: https://lore.kernel.org/r/CA+G9fYs+2mBz1y2dAzxkj9-oiBJ2Acm1Sf1h2YQ3VmBqj_VX2g@mail.gmail.com Fixes: dd4904f3b924 ("interconnect: qcom: Annotate struct icc_onecell_data with __counted_by") Reviewed-by: Nathan Chancellor Link: https://lore.kernel.org/r/20241203223334.233404-1-djakov@kernel.org Signed-off-by: Georgi Djakov commit 70465acbb0ce1bb69447acf32f136c8153cda0de Author: Yuezhang Mo Date: Mon Dec 2 09:53:17 2024 +0800 exfat: fix exfat_find_empty_entry() not returning error on failure On failure, "dentry" is the error code. If the error code indicates that there is no space, a new cluster may need to be allocated; for other errors, it should be returned directly. Only on success, "dentry" is the index of the directory entry, and it needs to be converted into the directory entry index within the cluster where it is located. Fixes: 8a3f5711ad74 ("exfat: reduce FAT chain traversal") Reported-by: syzbot+6f6c9397e0078ef60bce@syzkaller.appspotmail.com Tested-by: syzbot+6f6c9397e0078ef60bce@syzkaller.appspotmail.com Signed-off-by: Yuezhang Mo Reviewed-by: Sungjong Seo Signed-off-by: Namjae Jeon commit b9252f80b807801056e67e3a672fb1be0ecb81d8 Author: Niklas Neronin Date: Tue Dec 17 12:21:22 2024 +0200 usb: xhci: fix ring expansion regression in 6.13-rc1 The source and destination rings were incorrectly assigned during the ring linking process. The "source" ring, which contains the new segments, was not spliced into the "destination" ring, leading to incorrect ring expansion. Fixes: fe688e500613 ("usb: xhci: refactor xhci_link_rings() to use source and destination rings") Reported-by: Jeff Chua Closes: https://lore.kernel.org/lkml/CAAJw_ZtppNqC9XA=-WVQDr+vaAS=di7jo15CzSqONeX48H75MA@mail.gmail.com/ Signed-off-by: Niklas Neronin Signed-off-by: Mathias Nyman Link: https://lore.kernel.org/r/20241217102122.2316814-3-mathias.nyman@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit e21ebe51af688eb98fd6269240212a3c7300deea Author: Mathias Nyman Date: Tue Dec 17 12:21:21 2024 +0200 xhci: Turn NEC specific quirk for handling Stop Endpoint errors generic xHC hosts from several vendors have the same issue where endpoints start so slowly that a later queued 'Stop Endpoint' command may complete before endpoint is up and running. The 'Stop Endpoint' command fails with context state error as the endpoint still appears as stopped. See commit 42b758137601 ("usb: xhci: Limit Stop Endpoint retries") for details CC: stable@vger.kernel.org Signed-off-by: Mathias Nyman Link: https://lore.kernel.org/r/20241217102122.2316814-2-mathias.nyman@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit 1622ed27d26ab4c234476be746aa55bcd39159dd Author: Umesh Nerlige Ramappa Date: Wed Nov 27 09:40:06 2024 -0800 i915/guc: Accumulate active runtime on gt reset On gt reset, if a context is running, then accumulate it's active time into the busyness counter since there will be no chance for the context to switch out and update it's run time. v2: Move comment right above the if (John) Fixes: 77cdd054dd2c ("drm/i915/pmu: Connect engine busyness stats from GuC to pmu") Signed-off-by: Umesh Nerlige Ramappa Reviewed-by: John Harrison Link: https://patchwork.freedesktop.org/patch/msgid/20241127174006.190128-4-umesh.nerlige.ramappa@intel.com (cherry picked from commit 7ed047da59cfa1acb558b95169d347acc8d85da1) Signed-off-by: Tvrtko Ursulin commit 59a0b46788d58fdcee8d2f6b4e619d264a1799bf Author: Umesh Nerlige Ramappa Date: Wed Nov 27 09:40:05 2024 -0800 i915/guc: Ensure busyness counter increases motonically Active busyness of an engine is calculated using gt timestamp and the context switch in time. While capturing the gt timestamp, it's possible that the context switches out. This race could result in an active busyness value that is greater than the actual context runtime value by a small amount. This leads to a negative delta and throws off busyness calculations for the user. If a subsequent count is smaller than the previous one, just return the previous one, since we expect the busyness to catch up. Fixes: 77cdd054dd2c ("drm/i915/pmu: Connect engine busyness stats from GuC to pmu") Signed-off-by: Umesh Nerlige Ramappa Reviewed-by: John Harrison Link: https://patchwork.freedesktop.org/patch/msgid/20241127174006.190128-3-umesh.nerlige.ramappa@intel.com (cherry picked from commit cf907f6d294217985e9dafd9985dce874e04ca37) Signed-off-by: Tvrtko Ursulin commit abcc2ddae5f82aa6cfca162e3db643dd33f0a2e8 Author: Umesh Nerlige Ramappa Date: Wed Nov 27 09:40:04 2024 -0800 i915/guc: Reset engine utilization buffer before registration On GT reset, we store total busyness counts for all engines and re-register the utilization buffer with GuC. At that time we should reset the buffer, so that we don't get spurious busyness counts on subsequent queries. To repro this issue, run igt@perf_pmu@busy-hang followed by igt@perf_pmu@most-busy-idle-check-all for a couple iterations. Fixes: 77cdd054dd2c ("drm/i915/pmu: Connect engine busyness stats from GuC to pmu") Signed-off-by: Umesh Nerlige Ramappa Reviewed-by: John Harrison Link: https://patchwork.freedesktop.org/patch/msgid/20241127174006.190128-2-umesh.nerlige.ramappa@intel.com (cherry picked from commit abd318237fa6556c1e5225529af145ef15d5ff0d) Signed-off-by: Tvrtko Ursulin commit 212fbabe1dfecdda35bf5aaa900f745a3bab5ac4 Author: Mark Brown Date: Mon Dec 16 19:28:24 2024 +0000 KVM: arm64: Fix set_id_regs selftest for ASIDBITS becoming unwritable In commit 03c7527e97f7 ("KVM: arm64: Do not allow ID_AA64MMFR0_EL1.ASIDbits to be overridden") we made that bitfield in the ID registers unwritable however the change neglected to make the corresponding update to set_id_regs resulting in it failing: ok 56 ID_AA64MMFR0_EL1_BIGEND ==== Test Assertion Failure ==== aarch64/set_id_regs.c:434: masks[idx] & ftr_bits[j].mask == ftr_bits[j].mask pid=5566 tid=5566 errno=22 - Invalid argument 1 0x00000000004034a7: test_vm_ftr_id_regs at set_id_regs.c:434 2 0x0000000000401b53: main at set_id_regs.c:684 3 0x0000ffff8e6b7543: ?? ??:0 4 0x0000ffff8e6b7617: ?? ??:0 5 0x0000000000401e6f: _start at ??:? not ok 8 selftests: kvm: set_id_regs # exit=254 Remove ID_AA64MMFR1_EL1.ASIDBITS from the set of bitfields we test for writeability. Signed-off-by: Mark Brown Link: https://lore.kernel.org/r/20241216-kvm-arm64-fix-set-id-asidbits-v1-1-8b105b888fc3@kernel.org Acked-by: Marc Zyngier Signed-off-by: Oliver Upton commit 94901b7a74d82bfd30420f1d9d00898278fdc8bf Author: FUJITA Tomonori Date: Thu Dec 12 22:00:15 2024 +0900 rust: net::phy fix module autoloading The alias symbol name was renamed. Adjust module_phy_driver macro to create the proper symbol name to fix module autoloading. Fixes: 054a9cd395a7 ("modpost: rename alias symbol for MODULE_DEVICE_TABLE()") Signed-off-by: FUJITA Tomonori Link: https://patch.msgid.link/20241212130015.238863-1-fujita.tomonori@gmail.com Signed-off-by: Paolo Abeni commit 7fa0da5373685e7ed249af3fa317ab1e1ba8b0a6 Author: Juergen Gross Date: Thu Oct 17 15:27:31 2024 +0200 x86/xen: remove hypercall page The hypercall page is no longer needed. It can be removed, as from the Xen perspective it is optional. But, from Linux's perspective, it removes naked RET instructions that escape the speculative protections that Call Depth Tracking and/or Untrain Ret are trying to achieve. This is part of XSA-466 / CVE-2024-53241. Reported-by: Andrew Cooper Signed-off-by: Juergen Gross Reviewed-by: Andrew Cooper Reviewed-by: Jan Beulich commit b1c2cb86f4a7861480ad54bb9a58df3cbebf8e92 Author: Juergen Gross Date: Thu Oct 17 14:47:13 2024 +0200 x86/xen: use new hypercall functions instead of hypercall page Call the Xen hypervisor via the new xen_hypercall_func static-call instead of the hypercall page. This is part of XSA-466 / CVE-2024-53241. Reported-by: Andrew Cooper Signed-off-by: Juergen Gross Co-developed-by: Peter Zijlstra Co-developed-by: Josh Poimboeuf commit b4845bb6383821a9516ce30af3a27dc873e37fd4 Author: Juergen Gross Date: Thu Oct 17 11:00:52 2024 +0200 x86/xen: add central hypercall functions Add generic hypercall functions usable for all normal (i.e. not iret) hypercalls. Depending on the guest type and the processor vendor different functions need to be used due to the to be used instruction for entering the hypervisor: - PV guests need to use syscall - HVM/PVH guests on Intel need to use vmcall - HVM/PVH guests on AMD and Hygon need to use vmmcall As PVH guests need to issue hypercalls very early during boot, there is a 4th hypercall function needed for HVM/PVH which can be used on Intel and AMD processors. It will check the vendor type and then set the Intel or AMD specific function to use via static_call(). This is part of XSA-466 / CVE-2024-53241. Reported-by: Andrew Cooper Signed-off-by: Juergen Gross Co-developed-by: Peter Zijlstra commit 7203d10e93b6e6e1d19481ef7907de6a9133a467 Author: Dan Carpenter Date: Fri Dec 13 17:28:11 2024 +0300 net: hinic: Fix cleanup in create_rxqs/txqs() There is a check for NULL at the start of create_txqs() and create_rxqs() which tess if "nic_dev->txqs" is non-NULL. The intention is that if the device is already open and the queues are already created then we don't create them a second time. However, the bug is that if we have an error in the create_txqs() then the pointer doesn't get set back to NULL. The NULL check at the start of the function will say that it's already open when it's not and the device can't be used. Set ->txqs back to NULL on cleanup on error. Fixes: c3e79baf1b03 ("net-next/hinic: Add logical Txq and Rxq") Signed-off-by: Dan Carpenter Reviewed-by: Simon Horman Link: https://patch.msgid.link/0cc98faf-a0ed-4565-a55b-0fa2734bc205@stanley.mountain Signed-off-by: Jakub Kicinski commit e78c20f327bd94dabac68b98218dff069a8780f0 Author: Daniel Borkmann Date: Fri Dec 13 13:36:57 2024 +0100 team: Fix feature exposure when no ports are present Small follow-up to align this to an equivalent behavior as the bond driver. The change in 3625920b62c3 ("teaming: fix vlan_features computing") removed the netdevice vlan_features when there is no team port attached, yet it leaves the full set of enc_features intact. Instead, leave the default features as pre 3625920b62c3, and recompute once we do have ports attached. Also, similarly as in bonding case, call the netdev_base_features() helper on the enc_features. Fixes: 3625920b62c3 ("teaming: fix vlan_features computing") Signed-off-by: Daniel Borkmann Reviewed-by: Nikolay Aleksandrov Link: https://patch.msgid.link/20241213123657.401868-1-daniel@iogearbox.net Signed-off-by: Jakub Kicinski commit fbbd84af6ba70334335bdeba3ae536cf751c14c6 Author: Dan Carpenter Date: Fri Dec 13 12:47:27 2024 +0300 chelsio/chtls: prevent potential integer overflow on 32bit The "gl->tot_len" variable is controlled by the user. It comes from process_responses(). On 32bit systems, the "gl->tot_len + sizeof(struct cpl_pass_accept_req) + sizeof(struct rss_header)" addition could have an integer wrapping bug. Use size_add() to prevent this. Fixes: a08943947873 ("crypto: chtls - Register chtls with net tls") Cc: stable@vger.kernel.org Signed-off-by: Dan Carpenter Reviewed-by: Simon Horman Link: https://patch.msgid.link/c6bfb23c-2db2-4e1b-b8ab-ba3925c82ef5@stanley.mountain Signed-off-by: Jakub Kicinski commit c8eb0c3ffde699c981449f8b86da12df577c46b9 Merge: 922b4b955a03d1 5712e323d4c3ad Author: Jakub Kicinski Date: Mon Dec 16 17:30:14 2024 -0800 Merge branch 'netdev-fix-repeated-netlink-messages-in-queue-dumps' Jakub Kicinski says: ==================== netdev: fix repeated netlink messages in queue dumps Fix dump continuation for queues and queue stats in the netdev family. Because we used post-increment when saving id of dumped queue next skb would re-dump the already dumped queue. ==================== Link: https://patch.msgid.link/20241213152244.3080955-1-kuba@kernel.org Signed-off-by: Jakub Kicinski commit 5712e323d4c3ad03bba4d28f83e80593171ac3f1 Author: Jakub Kicinski Date: Fri Dec 13 07:22:44 2024 -0800 selftests: net-drv: stats: sanity check netlink dumps Sanity check netlink dumps, to make sure dumps don't have repeated entries or gaps in IDs. Reviewed-by: Petr Machata Link: https://patch.msgid.link/20241213152244.3080955-6-kuba@kernel.org Signed-off-by: Jakub Kicinski commit 1234810b1649e9d781aeafd4b23fb1fcfbf95d8f Author: Jakub Kicinski Date: Fri Dec 13 07:22:43 2024 -0800 selftests: net-drv: queues: sanity check netlink dumps This test already catches a netlink bug fixed by this series, but only when running on HW with many queues. Make sure the netdevsim instance created has a lot of queues, and constrain the size of the recv_buffer used by netlink. While at it test both rx and tx queues. Reviewed-by: Joe Damato Reviewed-by: Petr Machata Link: https://patch.msgid.link/20241213152244.3080955-5-kuba@kernel.org Signed-off-by: Jakub Kicinski commit 0518863407b8dcc7070fdbc1c015046d66777e78 Author: Jakub Kicinski Date: Fri Dec 13 07:22:42 2024 -0800 selftests: net: support setting recv_size in YNL recv_size parameter allows constraining the buffer size for dumps. It's useful in testing kernel handling of dump continuation, IOW testing dumps which span multiple skbs. Let the tests set this parameter when initializing the YNL family. Keep the normal default, we don't want tests to unintentionally behave very differently than normal code. Reviewed-by: Joe Damato Reviewed-by: Petr Machata Link: https://patch.msgid.link/20241213152244.3080955-4-kuba@kernel.org Signed-off-by: Jakub Kicinski commit ecc391a541573da46b7ccc188105efedd40aef1b Author: Jakub Kicinski Date: Fri Dec 13 07:22:41 2024 -0800 netdev: fix repeated netlink messages in queue stats The context is supposed to record the next queue to dump, not last dumped. If the dump doesn't fit we will restart from the already-dumped queue, duplicating the message. Before this fix and with the selftest improvements later in this series we see: # ./run_kselftest.sh -t drivers/net:stats.py timeout set to 45 selftests: drivers/net: stats.py KTAP version 1 1..5 ok 1 stats.check_pause ok 2 stats.check_fec ok 3 stats.pkt_byte_sum # Check| At /root/ksft-net-drv/drivers/net/./stats.py, line 125, in qstat_by_ifindex: # Check| ksft_eq(len(queues[qtype]), len(set(queues[qtype])), # Check failed 45 != 44 repeated queue keys # Check| At /root/ksft-net-drv/drivers/net/./stats.py, line 127, in qstat_by_ifindex: # Check| ksft_eq(len(queues[qtype]), max(queues[qtype]) + 1, # Check failed 45 != 44 missing queue keys # Check| At /root/ksft-net-drv/drivers/net/./stats.py, line 125, in qstat_by_ifindex: # Check| ksft_eq(len(queues[qtype]), len(set(queues[qtype])), # Check failed 45 != 44 repeated queue keys # Check| At /root/ksft-net-drv/drivers/net/./stats.py, line 127, in qstat_by_ifindex: # Check| ksft_eq(len(queues[qtype]), max(queues[qtype]) + 1, # Check failed 45 != 44 missing queue keys # Check| At /root/ksft-net-drv/drivers/net/./stats.py, line 125, in qstat_by_ifindex: # Check| ksft_eq(len(queues[qtype]), len(set(queues[qtype])), # Check failed 103 != 100 repeated queue keys # Check| At /root/ksft-net-drv/drivers/net/./stats.py, line 127, in qstat_by_ifindex: # Check| ksft_eq(len(queues[qtype]), max(queues[qtype]) + 1, # Check failed 103 != 100 missing queue keys # Check| At /root/ksft-net-drv/drivers/net/./stats.py, line 125, in qstat_by_ifindex: # Check| ksft_eq(len(queues[qtype]), len(set(queues[qtype])), # Check failed 102 != 100 repeated queue keys # Check| At /root/ksft-net-drv/drivers/net/./stats.py, line 127, in qstat_by_ifindex: # Check| ksft_eq(len(queues[qtype]), max(queues[qtype]) + 1, # Check failed 102 != 100 missing queue keys not ok 4 stats.qstat_by_ifindex ok 5 stats.check_down # Totals: pass:4 fail:1 xfail:0 xpass:0 skip:0 error:0 With the fix: # ./ksft-net-drv/run_kselftest.sh -t drivers/net:stats.py timeout set to 45 selftests: drivers/net: stats.py KTAP version 1 1..5 ok 1 stats.check_pause ok 2 stats.check_fec ok 3 stats.pkt_byte_sum ok 4 stats.qstat_by_ifindex ok 5 stats.check_down # Totals: pass:5 fail:0 xfail:0 xpass:0 skip:0 error:0 Fixes: ab63a2387cb9 ("netdev: add per-queue statistics") Reviewed-by: Joe Damato Link: https://patch.msgid.link/20241213152244.3080955-3-kuba@kernel.org Signed-off-by: Jakub Kicinski commit b1f3a2f5a742c1e939a73031bd31b9e557a2d77d Author: Jakub Kicinski Date: Fri Dec 13 07:22:40 2024 -0800 netdev: fix repeated netlink messages in queue dump The context is supposed to record the next queue to dump, not last dumped. If the dump doesn't fit we will restart from the already-dumped queue, duplicating the message. Before this fix and with the selftest improvements later in this series we see: # ./run_kselftest.sh -t drivers/net:queues.py timeout set to 45 selftests: drivers/net: queues.py KTAP version 1 1..2 # Check| At /root/ksft-net-drv/drivers/net/./queues.py, line 32, in get_queues: # Check| ksft_eq(queues, expected) # Check failed 102 != 100 # Check| At /root/ksft-net-drv/drivers/net/./queues.py, line 32, in get_queues: # Check| ksft_eq(queues, expected) # Check failed 101 != 100 not ok 1 queues.get_queues ok 2 queues.addremove_queues # Totals: pass:1 fail:1 xfail:0 xpass:0 skip:0 error:0 not ok 1 selftests: drivers/net: queues.py # exit=1 With the fix: # ./ksft-net-drv/run_kselftest.sh -t drivers/net:queues.py timeout set to 45 selftests: drivers/net: queues.py KTAP version 1 1..2 ok 1 queues.get_queues ok 2 queues.addremove_queues # Totals: pass:2 fail:0 xfail:0 xpass:0 skip:0 error:0 Fixes: 6b6171db7fc8 ("netdev-genl: Add netlink framework functions for queue") Reviewed-by: Joe Damato Link: https://patch.msgid.link/20241213152244.3080955-2-kuba@kernel.org Signed-off-by: Jakub Kicinski commit 0efbca0fec7d1665e19fa008ba95daab71f76f4d Author: Thorsten Blum Date: Mon Dec 9 12:06:39 2024 +0100 nios2: Use str_yes_no() helper in show_cpuinfo() Remove hard-coded strings by using the str_yes_no() helper function. Signed-off-by: Thorsten Blum Signed-off-by: Dinh Nguyen commit 239d87327dcd361b0098038995f8908f3296864f Author: Kees Cook Date: Thu Dec 12 17:28:06 2024 -0800 fortify: Hide run-time copy size from value range tracking GCC performs value range tracking for variables as a way to provide better diagnostics. One place this is regularly seen is with warnings associated with bounds-checking, e.g. -Wstringop-overflow, -Wstringop-overread, -Warray-bounds, etc. In order to keep the signal-to-noise ratio high, warnings aren't emitted when a value range spans the entire value range representable by a given variable. For example: unsigned int len; char dst[8]; ... memcpy(dst, src, len); If len's value is unknown, it has the full "unsigned int" range of [0, UINT_MAX], and GCC's compile-time bounds checks against memcpy() will be ignored. However, when a code path has been able to narrow the range: if (len > 16) return; memcpy(dst, src, len); Then the range will be updated for the execution path. Above, len is now [0, 16] when reading memcpy(), so depending on other optimizations, we might see a -Wstringop-overflow warning like: error: '__builtin_memcpy' writing between 9 and 16 bytes into region of size 8 [-Werror=stringop-overflow] When building with CONFIG_FORTIFY_SOURCE, the fortified run-time bounds checking can appear to narrow value ranges of lengths for memcpy(), depending on how the compiler constructs the execution paths during optimization passes, due to the checks against the field sizes. For example: if (p_size_field != SIZE_MAX && p_size != p_size_field && p_size_field < size) As intentionally designed, these checks only affect the kernel warnings emitted at run-time and do not block the potentially overflowing memcpy(), so GCC thinks it needs to produce a warning about the resulting value range that might be reaching the memcpy(). We have seen this manifest a few times now, with the most recent being with cpumasks: In function ‘bitmap_copy’, inlined from ‘cpumask_copy’ at ./include/linux/cpumask.h:839:2, inlined from ‘__padata_set_cpumasks’ at kernel/padata.c:730:2: ./include/linux/fortify-string.h:114:33: error: ‘__builtin_memcpy’ reading between 257 and 536870904 bytes from a region of size 256 [-Werror=stringop-overread] 114 | #define __underlying_memcpy __builtin_memcpy | ^ ./include/linux/fortify-string.h:633:9: note: in expansion of macro ‘__underlying_memcpy’ 633 | __underlying_##op(p, q, __fortify_size); \ | ^~~~~~~~~~~~~ ./include/linux/fortify-string.h:678:26: note: in expansion of macro ‘__fortify_memcpy_chk’ 678 | #define memcpy(p, q, s) __fortify_memcpy_chk(p, q, s, \ | ^~~~~~~~~~~~~~~~~~~~ ./include/linux/bitmap.h:259:17: note: in expansion of macro ‘memcpy’ 259 | memcpy(dst, src, len); | ^~~~~~ kernel/padata.c: In function ‘__padata_set_cpumasks’: kernel/padata.c:713:48: note: source object ‘pcpumask’ of size [0, 256] 713 | cpumask_var_t pcpumask, | ~~~~~~~~~~~~~~^~~~~~~~ This warning is _not_ emitted when CONFIG_FORTIFY_SOURCE is disabled, and with the recent -fdiagnostics-details we can confirm the origin of the warning is due to FORTIFY's bounds checking: ../include/linux/bitmap.h:259:17: note: in expansion of macro 'memcpy' 259 | memcpy(dst, src, len); | ^~~~~~ '__padata_set_cpumasks': events 1-2 ../include/linux/fortify-string.h:613:36: 612 | if (p_size_field != SIZE_MAX && | ~~~~~~~~~~~~~~~~~~~~~~~~~~~ 613 | p_size != p_size_field && p_size_field < size) | ~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~ | | | (1) when the condition is evaluated to false | (2) when the condition is evaluated to true '__padata_set_cpumasks': event 3 114 | #define __underlying_memcpy __builtin_memcpy | ^ | | | (3) out of array bounds here Note that the cpumask warning started appearing since bitmap functions were recently marked __always_inline in commit ed8cd2b3bd9f ("bitmap: Switch from inline to __always_inline"), which allowed GCC to gain visibility into the variables as they passed through the FORTIFY implementation. In order to silence these false positives but keep otherwise deterministic compile-time warnings intact, hide the length variable from GCC with OPTIMIZE_HIDE_VAR() before calling the builtin memcpy. Additionally add a comment about why all the macro args have copies with const storage. Reported-by: "Thomas Weißschuh" Closes: https://lore.kernel.org/all/db7190c8-d17f-4a0d-bc2f-5903c79f36c2@t-8ch.de/ Reported-by: Nilay Shroff Closes: https://lore.kernel.org/all/20241112124127.1666300-1-nilay@linux.ibm.com/ Tested-by: Nilay Shroff Acked-by: Yury Norov Acked-by: Greg Kroah-Hartman Signed-off-by: Kees Cook commit dd471e25770e7e632f736b90db1e2080b2171668 Author: Murad Masimov Date: Mon Dec 16 20:36:48 2024 +0300 hwmon: (tmp513) Fix interpretation of values of Temperature Result and Limit Registers The values returned by the driver after processing the contents of the Temperature Result and the Temperature Limit Registers do not correspond to the TMP512/TMP513 specifications. A raw register value is converted to a signed integer value by a sign extension in accordance with the algorithm provided in the specification, but due to the off-by-one error in the sign bit index, the result is incorrect. According to the TMP512 and TMP513 datasheets, the Temperature Result (08h to 0Bh) and Limit (11h to 14h) Registers are 13-bit two's complement integer values, shifted left by 3 bits. The value is scaled by 0.0625 degrees Celsius per bit. E.g., if regval = 1 1110 0111 0000 000, the output should be -25 degrees, but the driver will return +487 degrees. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 59dfa75e5d82 ("hwmon: Add driver for Texas Instruments TMP512/513 sensor chips.") Signed-off-by: Murad Masimov Link: https://lore.kernel.org/r/20241216173648.526-4-m.masimov@maxima.ru [groeck: fixed description line length] Signed-off-by: Guenter Roeck commit da1d0e6ba211baf6747db74c07700caddfd8a179 Author: Murad Masimov Date: Mon Dec 16 20:36:47 2024 +0300 hwmon: (tmp513) Fix Current Register value interpretation The value returned by the driver after processing the contents of the Current Register does not correspond to the TMP512/TMP513 specifications. A raw register value is converted to a signed integer value by a sign extension in accordance with the algorithm provided in the specification, but due to the off-by-one error in the sign bit index, the result is incorrect. Moreover, negative values will be reported as large positive due to missing sign extension from u32 to long. According to the TMP512 and TMP513 datasheets, the Current Register (07h) is a 16-bit two's complement integer value. E.g., if regval = 1000 0011 0000 0000, then the value must be (-32000 * lsb), but the driver will return (33536 * lsb). Fix off-by-one bug, and also cast data->curr_lsb_ua (which is of type u32) to long to prevent incorrect cast for negative values. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 59dfa75e5d82 ("hwmon: Add driver for Texas Instruments TMP512/513 sensor chips.") Signed-off-by: Murad Masimov Link: https://lore.kernel.org/r/20241216173648.526-3-m.masimov@maxima.ru [groeck: Fixed description line length] Signed-off-by: Guenter Roeck commit 74d7e038fd072635d21e4734e3223378e09168d3 Author: Murad Masimov Date: Mon Dec 16 20:36:46 2024 +0300 hwmon: (tmp513) Fix interpretation of values of Shunt Voltage and Limit Registers The values returned by the driver after processing the contents of the Shunt Voltage Register and the Shunt Limit Registers do not correspond to the TMP512/TMP513 specifications. A raw register value is converted to a signed integer value by a sign extension in accordance with the algorithm provided in the specification, but due to the off-by-one error in the sign bit index, the result is incorrect. Moreover, the PGA shift calculated with the tmp51x_get_pga_shift function is relevant only to the Shunt Voltage Register, but is also applied to the Shunt Limit Registers. According to the TMP512 and TMP513 datasheets, the Shunt Voltage Register (04h) is 13 to 16 bit two's complement integer value, depending on the PGA setting. The Shunt Positive (0Ch) and Negative (0Dh) Limit Registers are 16-bit two's complement integer values. Below are some examples: * Shunt Voltage Register If PGA = 8, and regval = 1000 0011 0000 0000, then the decimal value must be -32000, but the value calculated by the driver will be 33536. * Shunt Limit Register If regval = 1000 0011 0000 0000, then the decimal value must be -32000, but the value calculated by the driver will be 768, if PGA = 1. Fix sign bit index, and also correct misleading comment describing the tmp51x_get_pga_shift function. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 59dfa75e5d82 ("hwmon: Add driver for Texas Instruments TMP512/513 sensor chips.") Signed-off-by: Murad Masimov Link: https://lore.kernel.org/r/20241216173648.526-2-m.masimov@maxima.ru [groeck: Fixed description and multi-line alignments] Signed-off-by: Guenter Roeck commit 18d44c5d062b97b97bb0162d9742440518958dc1 Author: Ilya Dryomov Date: Sat Dec 7 17:33:25 2024 +0100 ceph: allocate sparse_ext map only for sparse reads If mounted with sparseread option, ceph_direct_read_write() ends up making an unnecessarily allocation for O_DIRECT writes. Fixes: 03bc06c7b0bd ("ceph: add new mount option to enable sparse reads") Signed-off-by: Ilya Dryomov Reviewed-by: Alex Markuze commit 66e0c4f91461d17d48071695271c824620bed4ef Author: Ilya Dryomov Date: Fri Dec 6 17:32:59 2024 +0100 ceph: fix memory leak in ceph_direct_read_write() The bvecs array which is allocated in iter_get_bvecs_alloc() is leaked and pages remain pinned if ceph_alloc_sparse_ext_map() fails. There is no need to delay the allocation of sparse_ext map until after the bvecs array is set up, so fix this by moving sparse_ext allocation a bit earlier. Also, make a similar adjustment in __ceph_sync_read() for consistency (a leak of the same kind in __ceph_sync_read() has been addressed differently). Cc: stable@vger.kernel.org Fixes: 03bc06c7b0bd ("ceph: add new mount option to enable sparse reads") Signed-off-by: Ilya Dryomov Reviewed-by: Alex Markuze commit 9abee475803fab6ad59d4f4fc59c6a75374a7d9d Author: Alex Markuze Date: Wed Nov 27 15:34:10 2024 +0200 ceph: improve error handling and short/overflow-read logic in __ceph_sync_read() This patch refines the read logic in __ceph_sync_read() to ensure more predictable and efficient behavior in various edge cases. - Return early if the requested read length is zero or if the file size (`i_size`) is zero. - Initialize the index variable (`idx`) where needed and reorder some code to ensure it is always set before use. - Improve error handling by checking for negative return values earlier. - Remove redundant encrypted file checks after failures. Only attempt filesystem-level decryption if the read succeeded. - Simplify leftover calculations to correctly handle cases where the read extends beyond the end of the file or stops short. This can be hit by continuously reading a file while, on another client, we keep truncating and writing new data into it. - This resolves multiple issues caused by integer and consequent buffer overflow (`pages` array being accessed beyond `num_pages`): - https://tracker.ceph.com/issues/67524 - https://tracker.ceph.com/issues/68980 - https://tracker.ceph.com/issues/68981 Cc: stable@vger.kernel.org Fixes: 1065da21e5df ("ceph: stop copying to iter at EOF on sync reads") Reported-by: Luis Henriques (SUSE) Signed-off-by: Alex Markuze Reviewed-by: Viacheslav Dubeyko Signed-off-by: Ilya Dryomov commit 12eb22a5a609421b380c3c6ca887474fb2089b2c Author: Ilya Dryomov Date: Wed Nov 20 16:43:51 2024 +0100 ceph: validate snapdirname option length when mounting It becomes a path component, so it shouldn't exceed NAME_MAX characters. This was hardened in commit c152737be22b ("ceph: Use strscpy() instead of strcpy() in __get_snap_name()"), but no actual check was put in place. Cc: stable@vger.kernel.org Signed-off-by: Ilya Dryomov Reviewed-by: Alex Markuze commit 550f7ca98ee028a606aa75705a7e77b1bd11720f Author: Max Kellermann Date: Mon Nov 18 23:28:28 2024 +0100 ceph: give up on paths longer than PATH_MAX If the full path to be built by ceph_mdsc_build_path() happens to be longer than PATH_MAX, then this function will enter an endless (retry) loop, effectively blocking the whole task. Most of the machine becomes unusable, making this a very simple and effective DoS vulnerability. I cannot imagine why this retry was ever implemented, but it seems rather useless and harmful to me. Let's remove it and fail with ENAMETOOLONG instead. Cc: stable@vger.kernel.org Reported-by: Dario Weißer Signed-off-by: Max Kellermann Reviewed-by: Alex Markuze Signed-off-by: Ilya Dryomov commit d6fd6f8280f0257ba93f16900a0d3d3912f32c79 Author: Max Kellermann Date: Thu Dec 5 16:49:51 2024 +0100 ceph: fix memory leaks in __ceph_sync_read() In two `break` statements, the call to ceph_release_page_vector() was missing, leaking the allocation from ceph_alloc_page_vector(). Instead of adding the missing ceph_release_page_vector() calls, the Ceph maintainers preferred to transfer page ownership to the `ceph_osd_request` by passing `own_pages=true` to osd_req_op_extent_osd_data_pages(). This requires postponing the ceph_osdc_put_request() call until after the block that accesses the `pages`. Cc: stable@vger.kernel.org Fixes: 03bc06c7b0bd ("ceph: add new mount option to enable sparse reads") Fixes: f0fe1e54cfcf ("ceph: plumb in decryption during reads") Signed-off-by: Max Kellermann Reviewed-by: Ilya Dryomov Signed-off-by: Ilya Dryomov commit 166438a432d76c68d3f0da60667248f3c2303d6c Author: Steven Rostedt Date: Mon Dec 16 16:46:33 2024 -0500 ftrace: Do not find "true_parent" if HAVE_DYNAMIC_FTRACE_WITH_ARGS is not set When function tracing and function graph tracing are both enabled (in different instances) the "parent" of some of the function tracing events is "return_to_handler" which is the trampoline used by function graph tracing. To fix this, ftrace_get_true_parent_ip() was introduced that returns the "true" parent ip instead of the trampoline. To do this, the ftrace_regs_get_stack_pointer() is used, which uses kernel_stack_pointer(). The problem is that microblaze does not implement kerenl_stack_pointer() so when function graph tracing is enabled, the build fails. But microblaze also does not enabled HAVE_DYNAMIC_FTRACE_WITH_ARGS. That option has to be enabled by the architecture to reliably get the values from the fregs parameter passed in. When that config is not set, the architecture can also pass in NULL, which is not tested for in that function and could cause the kernel to crash. Cc: Masami Hiramatsu Cc: Mathieu Desnoyers Cc: Mark Rutland Cc: Al Viro Cc: Michal Simek Cc: Jeff Xie Link: https://lore.kernel.org/20241216164633.6df18e87@gandalf.local.home Fixes: 60b1f578b578 ("ftrace: Get the true parent ip for function tracer") Reported-by: Al Viro Signed-off-by: Steven Rostedt (Google) commit cc252bb592638e0f7aea40d580186c36d89526b8 Author: Steven Rostedt Date: Wed Dec 11 13:53:35 2024 -0500 fgraph: Still initialize idle shadow stacks when starting A bug was discovered where the idle shadow stacks were not initialized for offline CPUs when starting function graph tracer, and when they came online they were not traced due to the missing shadow stack. To fix this, the idle task shadow stack initialization was moved to using the CPU hotplug callbacks. But it removed the initialization when the function graph was enabled. The problem here is that the hotplug callbacks are called when the CPUs come online, but the idle shadow stack initialization only happens if function graph is currently active. This caused the online CPUs to not get their shadow stack initialized. The idle shadow stack initialization still needs to be done when the function graph is registered, as they will not be allocated if function graph is not registered. Cc: stable@vger.kernel.org Cc: Masami Hiramatsu Cc: Mathieu Desnoyers Link: https://lore.kernel.org/20241211135335.094ba282@batman.local.home Fixes: 2c02f7375e65 ("fgraph: Use CPU hotplug mechanism to initialize idle shadow stacks") Reported-by: Linus Walleij Tested-by: Linus Walleij Closes: https://lore.kernel.org/all/CACRpkdaTBrHwRbbrphVy-=SeDz6MSsXhTKypOtLrTQ+DgGAOcQ@mail.gmail.com/ Signed-off-by: Steven Rostedt (Google) commit fb8e7b33c2174e00dfa411361eeed21eeaf3634b Author: Qiang Yu Date: Wed Nov 13 00:05:08 2024 -0800 arm64: dts: qcom: x1e80100: Fix up BAR space size for PCIe6a As per memory map table, the region for PCIe6a is 64MByte. Hence, set the size of 32 bit non-prefetchable memory region beginning on address 0x70300000 as 0x3d00000 so that BAR space assigned to BAR registers can be allocated from 0x70300000 to 0x74000000. Fixes: 7af141850012 ("arm64: dts: qcom: x1e80100: Fix up BAR spaces") Cc: stable@vger.kernel.org Signed-off-by: Qiang Yu Reviewed-by: Johan Hovold Link: https://lore.kernel.org/r/20241113080508.3458849-1-quic_qianyu@quicinc.com Signed-off-by: Bjorn Andersson commit 1fb5cf0d165afc3be76ec754d1b1013515c3896a Author: Johan Hovold Date: Fri Dec 6 18:24:02 2024 +0100 Revert "arm64: dts: qcom: x1e78100-t14s: enable otg on usb-c ports" This reverts commit 1a48dd7b9ac809d1bd0fd2fef509abba83433846. A recent change enabling OTG mode on the Lenovo ThinkPad T14s USB-C ports can break SuperSpeed device hotplugging. The host controller is enumerated, but the device is not: xhci-hcd xhci-hcd.5.auto: xHCI Host Controller xhci-hcd xhci-hcd.5.auto: new USB bus registered, assigned bus number 3 xhci-hcd xhci-hcd.5.auto: hcc params 0x0110ffc5 hci version 0x110 quirks 0x000080a000000810 xhci-hcd xhci-hcd.5.auto: irq 247, io mem 0x0a800000 xhci-hcd xhci-hcd.5.auto: xHCI Host Controller xhci-hcd xhci-hcd.5.auto: new USB bus registered, assigned bus number 4 xhci-hcd xhci-hcd.5.auto: Host supports USB 3.1 Enhanced SuperSpeed hub 3-0:1.0: USB hub found hub 3-0:1.0: 1 port detected hub 4-0:1.0: USB hub found hub 4-0:1.0: 1 port detected Once this happens on either of the two ports, no amount of disconnecting and reconnecting makes the SuperSpeed device be enumerated, while FullSpeed device enumeration still works. With retimer (and orientation detection) support not even merged yet, let's revert at least until we have stable host mode in mainline. Fixes: 1a48dd7b9ac8 ("arm64: dts: qcom: x1e78100-t14s: enable otg on usb-c ports") Cc: Jonathan Marek Signed-off-by: Johan Hovold Reviewed-by: Abel Vesa Link: https://lore.kernel.org/r/20241206172402.20724-1-johan+linaro@kernel.org Signed-off-by: Bjorn Andersson commit 65c8c78cc74d5bcbc43f1f785a004796a2d78360 Author: Daniel Lezcano Date: Thu Dec 12 21:13:10 2024 +0100 thermal/thresholds: Fix uapi header macros leading to a compilation error The macros giving the direction of the crossing thresholds use the BIT macro which is not exported to the userspace. Consequently when an userspace program includes the header, it fails to compile. Replace the macros by their litteral to allow the compilation of userspace program using this header. Fixes: 445936f9e258 ("thermal: core: Add user thresholds support") Signed-off-by: Daniel Lezcano Link: https://patch.msgid.link/20241212201311.4143196-1-daniel.lezcano@linaro.org [ rjw: Add Fixes: ] Signed-off-by: Rafael J. Wysocki commit f44d154d6e3d633d4c49a5d6aed8a0e4684ae25e Merge: dc690bc256edd9 f578281000c50c Author: Linus Torvalds Date: Mon Dec 16 10:10:53 2024 -0800 Merge tag 'soc-fixes-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc Pull SoC fixes from Arnd Bergmann: "Three small fixes for the soc tree: - devicetee fix for the Arm Juno reference machine, to allow more interesting PCI configurations - build fix for SCMI firmware on the NXP i.MX platform - fix for a race condition in Arm FF-A firmware" * tag 'soc-fixes-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: arm64: dts: fvp: Update PCIe bus-range property firmware: arm_ffa: Fix the race around setting ffa_dev->properties firmware: arm_scmi: Fix i.MX build dependency commit dc690bc256edd9da6596fccf978327309173f44a Merge: 78d4f34e2115b5 83848e37f6ee80 Author: Linus Torvalds Date: Mon Dec 16 10:01:57 2024 -0800 Merge tag 'platform-drivers-x86-v6.13-3' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86 Pull x86 platform driver fixes from Ilpo Järvinen: - alienware-wmi: - Add support for Alienware m16 R1 AMD - Do not setup legacy LED control with X and G Series - intel/ifs: Clearwater Forest support - intel/vsec: Panther Lake support - p2sb: Do not hide the device if BIOS left it unhidden - touchscreen_dmi: Add SARY Tab 3 tablet information * tag 'platform-drivers-x86-v6.13-3' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86: platform/x86/intel/vsec: Add support for Panther Lake platform/x86/intel/ifs: Add Clearwater Forest to CPU support list platform/x86: touchscreen_dmi: Add info for SARY Tab 3 tablet p2sb: Do not scan and remove the P2SB device when it is unhidden p2sb: Move P2SB hide and unhide code to p2sb_scan_and_cache() p2sb: Introduce the global flag p2sb_hidden_by_bios p2sb: Factor out p2sb_read_from_cache() alienware-wmi: Adds support to Alienware m16 R1 AMD alienware-wmi: Fix X Series and G Series quirks commit 001a3d5e8b449f8e48dda76affa5d5fa55f69ec6 Merge: 6f4a0fd03ce856 ba7d47a54bf23a Author: Mark Brown Date: Mon Dec 16 17:10:37 2024 +0000 ASoC: Intel: sof_sdw: Update DMI matches for Lenovo Merge series from Bard Liao : The DMI match information for these models has changed so the match entries need updates. commit 59275b763306877a275563f89834cad88131d7e5 Merge: 78d4f34e2115b5 8366e64a445448 Author: Greg Kroah-Hartman Date: Mon Dec 16 16:31:47 2024 +0100 Merge tag 'usb-serial-6.13-rc3' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial into usb-linus Johan writes: USB-serial device ids for 6.13-rc3 Here are some new modem device ids. All have been in linux-next with no reported issues. * tag 'usb-serial-6.13-rc3' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial: USB: serial: option: add Telit FE910C04 rmnet compositions USB: serial: option: add MediaTek T7XX compositions USB: serial: option: add Netprisma LCUK54 modules for WWAN Ready USB: serial: option: add MeiG Smart SLM770A USB: serial: option: add TCL IK512 MBIM & ECM commit e16ebd9d839d1252ff15c29d37b0cf303ddd2662 Merge: 6ffc565c242ac7 098d8374033f32 Author: Greg Kroah-Hartman Date: Mon Dec 16 16:30:58 2024 +0100 Merge tag 'mhi-fixes-for-v6.13' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/mani/mhi into char-misc-linus Manivannan writes: MHI Host ======== - Fix the MHI BAR mapping by passing BAR number to pcim_iomap_region() API instead of BAR mask. This fixes a regression for Qualcomm MHI modems. * tag 'mhi-fixes-for-v6.13' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/mani/mhi: bus: mhi: host: pci_generic: fix MHI BAR mapping commit 6ffc565c242ac76eb43bc0fb841726ad8c0366bc Merge: 78d4f34e2115b5 54d394905c92b9 Author: Greg Kroah-Hartman Date: Mon Dec 16 16:29:55 2024 +0100 Merge tag 'iio-fixes-for-6.13a' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/jic23/iio into char-misc-linus Jonathan writes: IIO: 1st set of fixes for 6.13 cycle. The usual mixed back of fixes for ancient and recent bugs A number of these were from an audit by Javier Carrasco of places we may leak stack data via holes in structures passed to userspace that were not explicitly zeroed. Very helpful effort after we found a similar bug in review of new code. This affected: - dummy driver - kionix,kmx61 - murrata,zpa2326 - rockchip,saradc - rohm,bh1745 - veml,vcnl4035 - ti,ads1119 - ti,ads8688 - ti,tmp0006 Other fixes: core,inkern - Underflow fo reference count issue in error path of iio_channel_get_all() for devices we haven't yet gotten. tests - Kconfig typo fix so it's possible to tell what test is being enabled. - Check for allocation failures. adi,ad4695 - Ensure timing requirement wrt to final clock edge vs next conversion signal are met by adding an additional SPI transfer. adi,ad7124 - Ensure channels are disabled at probe to avoid wrong data if channel 0 is not the first one read. adi,ad7173 - Fix handing of multiple devices by not editing a single static structure and instead making a per instance copy. adi,ad9467 - Fix handing of multiple devices by not editing a single static structure and instead making a per instance copy. adi,ad9832 - Off by one error on input verification for phase control adi,ad9834 - Off by one error on input verification for phase control. atmel,at91 - In an error path don't use a variable that hasn't been initialized yet. invensense,icm42600 - SPI burst write does not work for some icm426000 chips, disable it. - Ensure correct handling of timestamps after resume. st,sensors - Add back accidentally dropped IIS2MDC compatible in binding doc. st,stm32-dfsdm: - label property was accidentally made a required property. Make it optional again to fix use of older DT. ti,ads1119 - Use a fixed size for the channel data rather than an integer, bringing the code inline with the advertised 16 bit channel size and avoiding userspace misinterpreting the data. ti,ads124s08 - Use _cansleep gpio calls as no reason to prevent sleeping and it was stopping a new board design working (trivial fix). ti,ads1298 - Add a check on failure of devm_kasprintf() * tag 'iio-fixes-for-6.13a' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/jic23/iio: (27 commits) iio: adc: ti-ads1119: fix sample size in scan struct for triggered buffer iio: temperature: tmp006: fix information leak in triggered buffer iio: inkern: call iio_device_put() only on mapped devices iio: adc: ad9467: Fix the "don't allow reading vref if not available" case iio: adc: at91: call input_free_device() on allocated iio_dev iio: adc: ad7173: fix using shared static info struct iio: adc: ti-ads124s08: Use gpiod_set_value_cansleep() iio: adc: ti-ads1119: fix information leak in triggered buffer iio: pressure: zpa2326: fix information leak in triggered buffer iio: adc: rockchip_saradc: fix information leak in triggered buffer iio: imu: kmx61: fix information leak in triggered buffer iio: light: vcnl4035: fix information leak in triggered buffer iio: light: bh1745: fix information leak in triggered buffer iio: adc: ti-ads8688: fix information leak in triggered buffer iio: dummy: iio_simply_dummy_buffer: fix information leak in triggered buffer iio: test: Fix GTS test config dt-bindings: iio: st-sensors: Re-add IIS2MDC magnetometer iio: adc: ti-ads1298: Add NULL check in ads1298_init iio: adc: stm32-dfsdm: handle label as an optional property iio: adc: ad4695: fix buffered read, single sample timings ... commit 6f4a0fd03ce856c6d9811429b9969b4f27e2eaee Author: Chen-Yu Tsai Date: Wed Dec 11 11:54:02 2024 +0800 ASoC: dt-bindings: realtek,rt5645: Fix CPVDD voltage comment Both the ALC5645 and ALC5650 datasheets specify a recommended voltage of 1.8V for CPVDD, not 3.5V. Fix the comment. Cc: Matthias Brugger Fixes: 26aa19174f0d ("ASoC: dt-bindings: rt5645: add suppliers") Fixes: 83d43ab0a1cb ("ASoC: dt-bindings: realtek,rt5645: Convert to dtschema") Signed-off-by: Chen-Yu Tsai Acked-by: Krzysztof Kozlowski Link: https://patch.msgid.link/20241211035403.4157760-1-wenst@chromium.org Signed-off-by: Mark Brown commit ba7d47a54bf23a7201bdd2978e16b04fc1cb1f6e Author: Richard Fitzgerald Date: Mon Dec 16 22:08:21 2024 +0800 ASoC: Intel: sof_sdw: Fix DMI match for Lenovo 21QA and 21QB Update the DMI match for a Lenovo laptop to the new DMI identifier. This laptop ships with a different DMI identifier to what was expected, and now has two identifiers. Signed-off-by: Richard Fitzgerald Fixes: ea657f6b24e1 ("ASoC: Intel: sof_sdw: Add quirk for cs42l43 system using host DMICs") Signed-off-by: Bard Liao Link: https://patch.msgid.link/20241216140821.153670-3-yung-chuan.liao@linux.intel.com Signed-off-by: Mark Brown commit 7c449ef0fdce540bfb235a2d93e7184864c3388b Author: Richard Fitzgerald Date: Mon Dec 16 22:08:20 2024 +0800 ASoC: Intel: sof_sdw: Fix DMI match for Lenovo 21Q6 and 21Q7 Update the DMI match for a Lenovo laptop to the new DMI identifier. This laptop ships with a different DMI identifier to what was expected, and now has two identifiers. Signed-off-by: Richard Fitzgerald Fixes: 83c062ae81e8 ("ASoC: Intel: sof_sdw: Add quirks for some new Lenovo laptops") Signed-off-by: Bard Liao Link: https://patch.msgid.link/20241216140821.153670-2-yung-chuan.liao@linux.intel.com Signed-off-by: Mark Brown commit 7179fe0074a3c962e43a9e51169304c4911989ed Author: Kalesh AP Date: Wed Dec 11 14:09:31 2024 +0530 RDMA/bnxt_re: Fix reporting hw_ver in query_device Driver currently populates subsystem_device id in the "hw_ver" field of ib_attr structure in query_device. Updated to populate PCI revision ID. Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") Reviewed-by: Preethi G Signed-off-by: Kalesh AP Signed-off-by: Selvin Xavier Link: https://patch.msgid.link/20241211083931.968831-6-kalesh-anakkur.purayil@broadcom.com Signed-off-by: Leon Romanovsky commit 34db8ec931b84d1426423f263b1927539e73b397 Author: Hongguang Gao Date: Wed Dec 11 14:09:30 2024 +0530 RDMA/bnxt_re: Fix to export port num to ib_query_qp Current driver implementation doesn't populate the port_num field in query_qp. Adding the code to convert internal firmware port id to ibv defined port number and export it. Reviewed-by: Saravanan Vajravel Reviewed-by: Kalesh AP Signed-off-by: Hongguang Gao Signed-off-by: Selvin Xavier Link: https://patch.msgid.link/20241211083931.968831-5-kalesh-anakkur.purayil@broadcom.com Signed-off-by: Leon Romanovsky commit da2132e683954e7ddda3cd674e866a847b7389eb Author: Damodharam Ammepalli Date: Wed Dec 11 14:09:29 2024 +0530 RDMA/bnxt_re: Fix setting mandatory attributes for modify_qp Firmware expects "min_rnr_timer" as a mandatory attribute in MODIFY_QP command during the RTR-RTS transition. This needs to be enforced by the driver which is missing while setting bnxt_set_mandatory_attributes that sends these flags as part of modify_qp optimization. Fixes: 82c32d219272 ("RDMA/bnxt_re: Add support for optimized modify QP") Reviewed-by: Rukhsana Ansari Reviewed-by: Kalesh AP Signed-off-by: Damodharam Ammepalli Signed-off-by: Selvin Xavier Link: https://patch.msgid.link/20241211083931.968831-4-kalesh-anakkur.purayil@broadcom.com Signed-off-by: Leon Romanovsky commit 798653a0ee30d3cd495099282751c0f248614ae7 Author: Saravanan Vajravel Date: Wed Dec 11 14:09:28 2024 +0530 RDMA/bnxt_re: Add check for path mtu in modify_qp When RDMA app configures path MTU, add a check in modify_qp verb to make sure that it doesn't go beyond interface MTU. If this check fails, driver will fail the modify_qp verb. Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") Reviewed-by: Kalesh AP Signed-off-by: Saravanan Vajravel Signed-off-by: Selvin Xavier Link: https://patch.msgid.link/20241211083931.968831-3-kalesh-anakkur.purayil@broadcom.com Signed-off-by: Leon Romanovsky commit 38651476e46e088598354510502c383e932e2297 Author: Kalesh AP Date: Wed Dec 11 14:09:27 2024 +0530 RDMA/bnxt_re: Fix the check for 9060 condition The check for 9060 condition should only be made for legacy chips. Fixes: 9152e0b722b2 ("RDMA/bnxt_re: HW workarounds for handling specific conditions") Reviewed-by: Kashyap Desai Signed-off-by: Kalesh AP Signed-off-by: Selvin Xavier Link: https://patch.msgid.link/20241211083931.968831-2-kalesh-anakkur.purayil@broadcom.com Signed-off-by: Leon Romanovsky commit 6422cde1b0d5a31b206b263417c1c2b3c80fe82c Author: Gao Xiang Date: Thu Dec 12 21:43:36 2024 +0800 erofs: use buffered I/O for file-backed mounts by default For many use cases (e.g. container images are just fetched from remote), performance will be impacted if underlay page cache is up-to-date but direct i/o flushes dirty pages first. Instead, let's use buffered I/O by default to keep in sync with loop devices and add a (re)mount option to explicitly give a try to use direct I/O if supported by the underlying files. The container startup time is improved as below: [workload] docker.io/library/workpress:latest unpack 1st run non-1st runs EROFS snapshotter buffered I/O file 4.586404265s 0.308s 0.198s EROFS snapshotter direct I/O file 4.581742849s 2.238s 0.222s EROFS snapshotter loop 4.596023152s 0.346s 0.201s Overlayfs snapshotter 5.382851037s 0.206s 0.214s Fixes: fb176750266a ("erofs: add file-backed mount support") Cc: Derek McGowan Reviewed-by: Chao Yu Signed-off-by: Gao Xiang Link: https://lore.kernel.org/r/20241212134336.2059899-1-hsiangkao@linux.alibaba.com commit f8d920a402aec3482931cb5f1539ed438740fc49 Author: Gao Xiang Date: Fri Dec 13 07:54:01 2024 +0800 erofs: reference `struct erofs_device_info` for erofs_map_dev Record `m_sb` and `m_dif` to replace `m_fscache`, `m_daxdev`, `m_fp` and `m_dax_part_off` in order to simplify the codebase. Note that `m_bdev` is still left since it can be assigned from `sb->s_bdev` directly. Reviewed-by: Chao Yu Signed-off-by: Gao Xiang Link: https://lore.kernel.org/r/20241212235401.2857246-1-hsiangkao@linux.alibaba.com commit 7b00af2c5414dc01e0718deef7ead81102867636 Author: Gao Xiang Date: Mon Dec 16 20:53:08 2024 +0800 erofs: use `struct erofs_device_info` for the primary device Instead of just listing each one directly in `struct erofs_sb_info` except that we still use `sb->s_bdev` for the primary block device. Reviewed-by: Chao Yu Signed-off-by: Gao Xiang Link: https://lore.kernel.org/r/20241216125310.930933-2-hsiangkao@linux.alibaba.com commit 88438444fdddd0244c8b2697713adcca3e71599e Author: Venkata Prasad Potturu Date: Fri Dec 13 11:41:46 2024 +0530 ASoC: amd: ps: Fix for enabling DMIC on acp63 platform via _DSD entry Add condition check to register ACP PDM sound card by reading _WOV acpi entry. Fixes: 0386d765f27a ("ASoC: amd: ps: refactor acp device configuration read logic") Signed-off-by: Venkata Prasad Potturu Link: https://patch.msgid.link/20241213061147.1060451-1-venkataprasad.potturu@amd.com Signed-off-by: Mark Brown commit a60b990798eb17433d0283788280422b1bd94b18 Author: Thomas Gleixner Date: Sat Dec 14 12:50:18 2024 +0100 PCI/MSI: Handle lack of irqdomain gracefully Alexandre observed a warning emitted from pci_msi_setup_msi_irqs() on a RISCV platform which does not provide PCI/MSI support: WARNING: CPU: 1 PID: 1 at drivers/pci/msi/msi.h:121 pci_msi_setup_msi_irqs+0x2c/0x32 __pci_enable_msix_range+0x30c/0x596 pci_msi_setup_msi_irqs+0x2c/0x32 pci_alloc_irq_vectors_affinity+0xb8/0xe2 RISCV uses hierarchical interrupt domains and correctly does not implement the legacy fallback. The warning triggers from the legacy fallback stub. That warning is bogus as the PCI/MSI layer knows whether a PCI/MSI parent domain is associated with the device or not. There is a check for MSI-X, which has a legacy assumption. But that legacy fallback assumption is only valid when legacy support is enabled, but otherwise the check should simply return -ENOTSUPP. Loongarch tripped over the same problem and blindly enabled legacy support without implementing the legacy fallbacks. There are weak implementations which return an error, so the problem was papered over. Correct pci_msi_domain_supports() to evaluate the legacy mode and add the missing supported check into the MSI enable path to complete it. Fixes: d2a463b29741 ("PCI/MSI: Reject multi-MSI early") Reported-by: Alexandre Ghiti Signed-off-by: Thomas Gleixner Tested-by: Alexandre Ghiti Cc: stable@vger.kernel.org Link: https://lore.kernel.org/all/87ed2a8ow5.ffs@tglx commit 24740385cb0d6d22ab7fa7adf36546d5b3cdcf73 Author: Mika Westerberg Date: Fri Nov 15 11:54:40 2024 +0200 thunderbolt: Improve redrive mode handling When USB-C monitor is connected directly to Intel Barlow Ridge host, it goes into "redrive" mode that basically routes the DisplayPort signals directly from the GPU to the USB-C monitor without any tunneling needed. However, the host router must be powered on for this to work. Aaron reported that there are a couple of cases where this will not work with the current code: - Booting with USB-C monitor plugged in. - Plugging in USB-C monitor when the host router is in sleep state (runtime suspended). - Plugging in USB-C device while the system is in system sleep state. In all these cases once the host router is runtime suspended the picture on the connected USB-C display disappears too. This is certainly not what the user expected. For this reason improve the redrive mode handling to keep the host router from runtime suspending when detect that any of the above cases is happening. Fixes: a75e0684efe5 ("thunderbolt: Keep the domain powered when USB4 port is in redrive mode") Reported-by: Aaron Rainbolt Closes: https://lore.kernel.org/linux-usb/20241009220118.70bfedd0@kf-ir16/ Cc: stable@vger.kernel.org Signed-off-by: Mika Westerberg commit fe4ed2f09b492e3507615a053814daa8fafdecb1 Author: Namjae Jeon Date: Sat Dec 14 12:19:03 2024 +0900 ksmbd: conn lock to serialize smb2 negotiate If client send parallel smb2 negotiate request on same connection, ksmbd_conn can be racy. smb2 negotiate handling that are not performance-related can be serialized with conn lock. Signed-off-by: Namjae Jeon Signed-off-by: Steve French commit 43fb7bce8866e793275c4f9f25af6a37745f3416 Author: Marios Makassikis Date: Sat Dec 14 12:17:23 2024 +0900 ksmbd: fix broken transfers when exceeding max simultaneous operations Since commit 0a77d947f599 ("ksmbd: check outstanding simultaneous SMB operations"), ksmbd enforces a maximum number of simultaneous operations for a connection. The problem is that reaching the limit causes ksmbd to close the socket, and the client has no indication that it should have slowed down. This behaviour can be reproduced by setting "smb2 max credits = 128" (or lower), and transferring a large file (25GB). smbclient fails as below: $ smbclient //192.168.1.254/testshare -U user%pass smb: \> put file.bin cli_push returned NT_STATUS_USER_SESSION_DELETED putting file file.bin as \file.bin smb2cli_req_compound_submit: Insufficient credits. 0 available, 1 needed NT_STATUS_INTERNAL_ERROR closing remote file \file.bin smb: \> smb2cli_req_compound_submit: Insufficient credits. 0 available, 1 needed Windows clients fail with 0x8007003b (with smaller files even). Fix this by delaying reading from the socket until there's room to allocate a request. This effectively applies backpressure on the client, so the transfer completes, albeit at a slower rate. Fixes: 0a77d947f599 ("ksmbd: check outstanding simultaneous SMB operations") Signed-off-by: Marios Makassikis Signed-off-by: Namjae Jeon Signed-off-by: Steve French commit 83c47d9e0ce79b5d7c0b21b9f35402dbde0fa15c Author: Marios Makassikis Date: Sat Dec 14 12:16:45 2024 +0900 ksmbd: count all requests in req_running counter This changes the semantics of req_running to count all in-flight requests on a given connection, rather than the number of elements in the conn->request list. The latter is used only in smb2_cancel, and the counter is not used Signed-off-by: Marios Makassikis Acked-by: Namjae Jeon Signed-off-by: Steve French commit 900f83cf376bdaf798b6f5dcb2eae0c822e908b6 Author: Thiébaud Weksteen Date: Thu Dec 5 12:09:19 2024 +1100 selinux: ignore unknown extended permissions When evaluating extended permissions, ignore unknown permissions instead of calling BUG(). This commit ensures that future permissions can be added without interfering with older kernels. Cc: stable@vger.kernel.org Fixes: fa1aa143ac4a ("selinux: extended permissions for ioctls") Signed-off-by: Thiébaud Weksteen Signed-off-by: Paul Moore commit 78d4f34e2115b517bcbfe7ec0d018bbbb6f9b0b8 Author: Linus Torvalds Date: Sun Dec 15 15:58:23 2024 -0800 Linux 6.13-rc3 commit 42a19aa1707cce382bc5e534e2e36024c3611674 Merge: 7031a38ab74cfe 824927e8845633 Author: Linus Torvalds Date: Sun Dec 15 15:38:12 2024 -0800 Merge tag 'arc-6.13-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc Pull ARC fixes from Vineet Gupta: - Sundry build and misc fixes * tag 'arc-6.13-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc: ARC: build: Try to guess GCC variant of cross compiler ARC: bpf: Correct conditional check in 'check_jmp_32' ARC: dts: Replace deprecated snps,nr-gpios property for snps,dw-apb-gpio-port devices ARC: build: Use __force to suppress per-CPU cmpxchg warnings ARC: fix reference of dependency for PAE40 config ARC: build: disallow invalid PAE40 + 4K page config arc: rename aux.h to arc_aux.h commit 7031a38ab74cfe997d2a767d18e3af7445547d07 Merge: 151167d85ae514 145ac100b63732 Author: Linus Torvalds Date: Sun Dec 15 15:33:41 2024 -0800 Merge tag 'efi-fixes-for-v6.13-1' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi Pull EFI fixes from Ard Biesheuvel: - Limit EFI zboot to GZIP and ZSTD before it comes in wider use - Fix inconsistent error when looking up a non-existent file in efivarfs with a name that does not adhere to the NAME-GUID format - Drop some unused code * tag 'efi-fixes-for-v6.13-1' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi: efi/esrt: remove esre_attribute::store() efivarfs: Fix error on non-existent file efi/zboot: Limit compression options to GZIP and ZSTD commit 151167d85ae5147dbe67842b702f0511052dc803 Merge: dccbe2047a5b08 5b6b08af1fb09e Author: Linus Torvalds Date: Sun Dec 15 15:29:07 2024 -0800 Merge tag 'i2c-for-6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux Pull i2c fixes from Wolfram Sang: "i2c host fixes: PNX used the wrong unit for timeouts, Nomadik was missing a sentinel, and RIIC was missing rounding up" * tag 'i2c-for-6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux: i2c: riic: Always round-up when calculating bus period i2c: nomadik: Add missing sentinel to match table i2c: pnx: Fix timeout in wait functions commit 922b4b955a03d19fea98938f33ef0e62d01f5159 Author: Nikita Yushchenko Date: Thu Dec 12 11:25:58 2024 +0500 net: renesas: rswitch: rework ts tags management The existing linked list based implementation of how ts tags are assigned and managed is unsafe against concurrency and corner cases: - element addition in tx processing can race against element removal in ts queue completion, - element removal in ts queue completion can race against element removal in device close, - if a large number of frames gets added to tx queue without ts queue completions in between, elements with duplicate tag values can get added. Use a different implementation, based on per-port used tags bitmaps and saved skb arrays. Safety for addition in tx processing vs removal in ts completion is provided by: tag = find_first_zero_bit(...); smp_mb(); ts_skb[tag]> set_bit(...); vs ts_skb[tag]> smp_mb(); clear_bit(...); Safety for removal in ts completion vs removal in device close is provided by using atomic read-and-clear for rdev->ts_skb[tag]: ts_skb = xchg(&rdev->ts_skb[tag], NULL); if (ts_skb) Fixes: 33f5d733b589 ("net: renesas: rswitch: Improve TX timestamp accuracy") Signed-off-by: Nikita Yushchenko Link: https://patch.msgid.link/20241212062558.436455-1-nikita.yoush@cogentembedded.com Signed-off-by: Jakub Kicinski commit 282da38b465395c930687974627c24f47ddce5ff Author: Vasily Gorbik Date: Tue Dec 10 12:35:34 2024 +0100 s390/mm: Consider KMSAN modules metadata for paging levels The calculation determining whether to use three- or four-level paging didn't account for KMSAN modules metadata. Include this metadata in the virtual memory size calculation to ensure correct paging mode selection and avoiding potentially unnecessary physical memory size limitations. Fixes: 65ca73f9fb36 ("s390/mm: define KMSAN metadata for vmalloc and modules") Acked-by: Heiko Carstens Reviewed-by: Alexander Gordeev Reviewed-by: Ilya Leoshkevich Signed-off-by: Vasily Gorbik Signed-off-by: Alexander Gordeev commit cb85f2b8973c8077749fb5618c5123c1ba166a70 Merge: 663ad7481f0680 b096d62ba13233 Author: Jakub Kicinski Date: Sun Dec 15 14:33:33 2024 -0800 Merge branch 'ionic-minor-code-fixes' Shannon Nelson says: ==================== ionic: minor code fixes These are a couple of code fixes for the ionic driver. ==================== Link: https://patch.msgid.link/20241212213157.12212-1-shannon.nelson@amd.com Signed-off-by: Jakub Kicinski commit b096d62ba1323391b2db98b7704e2468cf3b1588 Author: Shannon Nelson Date: Thu Dec 12 13:31:57 2024 -0800 ionic: use ee->offset when returning sprom data Some calls into ionic_get_module_eeprom() don't use a single full buffer size, but instead multiple calls with an offset. Teach our driver to use the offset correctly so we can respond appropriately to the caller. Fixes: 4d03e00a2140 ("ionic: Add initial ethtool support") Signed-off-by: Shannon Nelson Reviewed-by: Jacob Keller Link: https://patch.msgid.link/20241212213157.12212-4-shannon.nelson@amd.com Signed-off-by: Jakub Kicinski commit 746e6ae2e202b062b9deee7bd86d94937997ecd7 Author: Shannon Nelson Date: Thu Dec 12 13:31:56 2024 -0800 ionic: no double destroy workqueue There are some FW error handling paths that can cause us to try to destroy the workqueue more than once, so let's be sure we're checking for that. The case where this popped up was in an AER event where the handlers got called in such a way that ionic_reset_prepare() and thus ionic_dev_teardown() got called twice in a row. The second time through the workqueue was already destroyed, and destroy_workqueue() choked on the bad wq pointer. We didn't hit this in AER handler testing before because at that time we weren't using a private workqueue. Later we replaced the use of the system workqueue with our own private workqueue but hadn't rerun the AER handler testing since then. Fixes: 9e25450da700 ("ionic: add private workqueue per-device") Signed-off-by: Shannon Nelson Reviewed-by: Jacob Keller Link: https://patch.msgid.link/20241212213157.12212-3-shannon.nelson@amd.com Signed-off-by: Jakub Kicinski commit 9590d32e090ea2751e131ae5273859ca22f5ac14 Author: Brett Creeley Date: Thu Dec 12 13:31:55 2024 -0800 ionic: Fix netdev notifier unregister on failure If register_netdev() fails, then the driver leaks the netdev notifier. Fix this by calling ionic_lif_unregister() on register_netdev() failure. This will also call ionic_lif_unregister_phc() if it has already been registered. Fixes: 30b87ab4c0b3 ("ionic: remove lif list concept") Signed-off-by: Brett Creeley Signed-off-by: Shannon Nelson Reviewed-by: Jacob Keller Link: https://patch.msgid.link/20241212213157.12212-2-shannon.nelson@amd.com Signed-off-by: Jakub Kicinski commit 663ad7481f068057f6f692c5368c47150e855370 Author: Donald Hunter Date: Fri Dec 13 13:07:11 2024 +0000 tools/net/ynl: fix sub-message key lookup for nested attributes Use the correct attribute space for sub-message key lookup in nested attributes when adding attributes. This fixes rt_link where the "kind" key and "data" sub-message are nested attributes in "linkinfo". For example: ./tools/net/ynl/cli.py \ --create \ --spec Documentation/netlink/specs/rt_link.yaml \ --do newlink \ --json '{"link": 99, "linkinfo": { "kind": "vlan", "data": {"id": 4 } } }' Signed-off-by: Donald Hunter Fixes: ab463c4342d1 ("tools/net/ynl: Add support for encoding sub-messages") Link: https://patch.msgid.link/20241213130711.40267-1-donald.hunter@gmail.com Signed-off-by: Jakub Kicinski commit ee76746387f6233bdfa93d7406990f923641568f Author: Eric Dumazet Date: Fri Dec 13 17:25:18 2024 +0000 netdevsim: prevent bad user input in nsim_dev_health_break_write() If either a zero count or a large one is provided, kernel can crash. Fixes: 82c93a87bf8b ("netdevsim: implement couple of testing devlink health reporters") Reported-by: syzbot+ea40e4294e58b0292f74@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/675c6862.050a0220.37aaf.00b1.GAE@google.com/T/#u Signed-off-by: Eric Dumazet Cc: Jiri Pirko Reviewed-by: Joe Damato Link: https://patch.msgid.link/20241213172518.2415666-1-edumazet@google.com Signed-off-by: Jakub Kicinski commit 2d5df3a680ffdaf606baa10636bdb1daf757832e Author: Vladimir Oltean Date: Thu Dec 12 18:55:45 2024 +0200 net: mscc: ocelot: fix incorrect IFH SRC_PORT field in ocelot_ifh_set_basic() Packets injected by the CPU should have a SRC_PORT field equal to the CPU port module index in the Analyzer block (ocelot->num_phys_ports). The blamed commit copied the ocelot_ifh_set_basic() call incorrectly from ocelot_xmit_common() in net/dsa/tag_ocelot.c. Instead of calling with "x", it calls with BIT_ULL(x), but the field is not a port mask, but rather a single port index. [ side note: this is the technical debt of code duplication :( ] The error used to be silent and doesn't appear to have other user-visible manifestations, but with new changes in the packing library, it now fails loudly as follows: ------------[ cut here ]------------ Cannot store 0x40 inside bits 46-43 - will truncate sja1105 spi2.0: xmit timed out WARNING: CPU: 1 PID: 102 at lib/packing.c:98 __pack+0x90/0x198 sja1105 spi2.0: timed out polling for tstamp CPU: 1 UID: 0 PID: 102 Comm: felix_xmit Tainted: G W N 6.13.0-rc1-00372-gf706b85d972d-dirty #2605 Call trace: __pack+0x90/0x198 (P) __pack+0x90/0x198 (L) packing+0x78/0x98 ocelot_ifh_set_basic+0x260/0x368 ocelot_port_inject_frame+0xa8/0x250 felix_port_deferred_xmit+0x14c/0x258 kthread_worker_fn+0x134/0x350 kthread+0x114/0x138 The code path pertains to the ocelot switchdev driver and to the felix secondary DSA tag protocol, ocelot-8021q. Here seen with ocelot-8021q. The messenger (packing) is not really to blame, so fix the original commit instead. Fixes: e1b9e80236c5 ("net: mscc: ocelot: fix QoS class for injected packets with "ocelot-8021q"") Signed-off-by: Vladimir Oltean Reviewed-by: Simon Horman Link: https://patch.msgid.link/20241212165546.879567-1-vladimir.oltean@nxp.com Signed-off-by: Jakub Kicinski commit dccbe2047a5b0859de24bf463dae9eeea8e01c1e Merge: f7c7a1ba222a54 747367340ca6b5 Author: Linus Torvalds Date: Sun Dec 15 10:01:10 2024 -0800 Merge tag 'edac_urgent_for_v6.13_rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/ras/ras Pull EDAC fix from Borislav Petkov: - Make sure amd64_edac loads successfully on certain Zen4 memory configurations * tag 'edac_urgent_for_v6.13_rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/ras/ras: EDAC/amd64: Simplify ECC check on unified memory controllers commit f7c7a1ba222a546438921b0d378a07e7776f9b43 Merge: acd855a949fc16 773c05f417fa14 Author: Linus Torvalds Date: Sun Dec 15 09:58:27 2024 -0800 Merge tag 'irq_urgent_for_v6.13_rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull irq fixes from Borislav Petkov: - Disable the secure programming interface of the GIC500 chip in the RK3399 SoC to fix interrupt priority assignment and even make a dead machine boot again when the gic-v3 driver enables pseudo NMIs - Correct the declaration of a percpu variable to fix several sparse warnings * tag 'irq_urgent_for_v6.13_rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: irqchip/gic-v3: Work around insecure GIC integrations irqchip/gic: Correct declaration of *percpu_base pointer in union gic_base commit acd855a949fc168f5cefe643ed4875a052b66060 Merge: 81576a9a27dfee c7f7e9c73178e0 Author: Linus Torvalds Date: Sun Dec 15 09:38:03 2024 -0800 Merge tag 'sched_urgent_for_v6.13_rc3-p2' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull scheduler fixes from Borislav Petkov: - Prevent incorrect dequeueing of the deadline dlserver helper task and fix its time accounting - Properly track the CFS runqueue runnable stats - Check the total number of all queued tasks in a sched fair's runqueue hierarchy before deciding to stop the tick - Fix the scheduling of the task that got woken last (NEXT_BUDDY) by preventing those from being delayed * tag 'sched_urgent_for_v6.13_rc3-p2' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: sched/dlserver: Fix dlserver time accounting sched/dlserver: Fix dlserver double enqueue sched/eevdf: More PELT vs DELAYED_DEQUEUE sched/fair: Fix sched_can_stop_tick() for fair tasks sched/fair: Fix NEXT_BUDDY commit 81576a9a27dfee37acc2f8a71c7326f233bbbeba Merge: 2d8308bf5b67df 3522c419758ee8 Author: Linus Torvalds Date: Sun Dec 15 09:26:13 2024 -0800 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm Pull kvm fixes from Paolo Bonzini: "ARM64: - Fix confusion with implicitly-shifted MDCR_EL2 masks breaking SPE/TRBE initialization - Align nested page table walker with the intended memory attribute combining rules of the architecture - Prevent userspace from constraining the advertised ASID width, avoiding horrors of guest TLBIs not matching the intended context in hardware - Don't leak references on LPIs when insertion into the translation cache fails RISC-V: - Replace csr_write() with csr_set() for HVIEN PMU overflow bit x86: - Cache CPUID.0xD XSTATE offsets+sizes during module init On Intel's Emerald Rapids CPUID costs hundreds of cycles and there are a lot of leaves under 0xD. Getting rid of the CPUIDs during nested VM-Enter and VM-Exit is planned for the next release, for now just cache them: even on Skylake that is 40% faster" * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: KVM: x86: Cache CPUID.0xD XSTATE offsets+sizes during module init RISC-V: KVM: Fix csr_write -> csr_set for HVIEN PMU overflow bit KVM: arm64: vgic-its: Add error handling in vgic_its_cache_translation KVM: arm64: Do not allow ID_AA64MMFR0_EL1.ASIDbits to be overridden KVM: arm64: Fix S1/S2 combination when FWB==1 and S2 has Device memory type arm64: Fix usage of new shifted MDCR_EL2 values commit c296c0bf45181463b3243d8e8c6b4ed2f1a0a3dd Merge: 429fde2d81bcef c5b8ee5022a194 Author: David S. Miller Date: Sun Dec 15 12:35:00 2024 +0000 Merge branch 'smc-fixes' Guangguan Wang says: ==================== net: several fixes for smc v1 -> v2: rewrite patch #2 suggested by Paolo. ==================== Signed-off-by: David S. Miller commit c5b8ee5022a19464783058dc6042e8eefa34e8cd Author: Guangguan Wang Date: Wed Dec 11 17:21:21 2024 +0800 net/smc: check return value of sock_recvmsg when draining clc data When receiving clc msg, the field length in smc_clc_msg_hdr indicates the length of msg should be received from network and the value should not be fully trusted as it is from the network. Once the value of length exceeds the value of buflen in function smc_clc_wait_msg it may run into deadloop when trying to drain the remaining data exceeding buflen. This patch checks the return value of sock_recvmsg when draining data in case of deadloop in draining. Fixes: fb4f79264c0f ("net/smc: tolerate future SMCD versions") Signed-off-by: Guangguan Wang Reviewed-by: Wen Gu Reviewed-by: D. Wythe Signed-off-by: David S. Miller commit 9ab332deb671d8f7e66d82a2ff2b3f715bc3a4ad Author: Guangguan Wang Date: Wed Dec 11 17:21:20 2024 +0800 net/smc: check smcd_v2_ext_offset when receiving proposal msg When receiving proposal msg in server, the field smcd_v2_ext_offset in proposal msg is from the remote client and can not be fully trusted. Once the value of smcd_v2_ext_offset exceed the max value, there has the chance to access wrong address, and crash may happen. This patch checks the value of smcd_v2_ext_offset before using it. Fixes: 5c21c4ccafe8 ("net/smc: determine accepted ISM devices") Signed-off-by: Guangguan Wang Reviewed-by: Wen Gu Reviewed-by: D. Wythe Signed-off-by: David S. Miller commit 7863c9f3d24ba49dbead7e03dfbe40deb5888fdf Author: Guangguan Wang Date: Wed Dec 11 17:21:19 2024 +0800 net/smc: check v2_ext_offset/eid_cnt/ism_gid_cnt when receiving proposal msg When receiving proposal msg in server, the fields v2_ext_offset/ eid_cnt/ism_gid_cnt in proposal msg are from the remote client and can not be fully trusted. Especially the field v2_ext_offset, once exceed the max value, there has the chance to access wrong address, and crash may happen. This patch checks the fields v2_ext_offset/eid_cnt/ism_gid_cnt before using them. Fixes: 8c3dca341aea ("net/smc: build and send V2 CLC proposal") Signed-off-by: Guangguan Wang Reviewed-by: Wen Gu Reviewed-by: D. Wythe Signed-off-by: David S. Miller commit a29e220d3c8edbf0e1beb0f028878a4a85966556 Author: Guangguan Wang Date: Wed Dec 11 17:21:18 2024 +0800 net/smc: check iparea_offset and ipv6_prefixes_cnt when receiving proposal msg When receiving proposal msg in server, the field iparea_offset and the field ipv6_prefixes_cnt in proposal msg are from the remote client and can not be fully trusted. Especially the field iparea_offset, once exceed the max value, there has the chance to access wrong address, and crash may happen. This patch checks iparea_offset and ipv6_prefixes_cnt before using them. Fixes: e7b7a64a8493 ("smc: support variable CLC proposal messages") Signed-off-by: Guangguan Wang Reviewed-by: Wen Gu Reviewed-by: D. Wythe Signed-off-by: David S. Miller commit 679e9ddcf90dbdf98aaaa71a492454654b627bcb Author: Guangguan Wang Date: Wed Dec 11 17:21:17 2024 +0800 net/smc: check sndbuf_space again after NOSPACE flag is set in smc_poll When application sending data more than sndbuf_space, there have chances application will sleep in epoll_wait, and will never be wakeup again. This is caused by a race between smc_poll and smc_cdc_tx_handler. application tasklet smc_tx_sendmsg(len > sndbuf_space) | epoll_wait for EPOLL_OUT,timeout=0 | smc_poll | if (!smc->conn.sndbuf_space) | | smc_cdc_tx_handler | atomic_add sndbuf_space | smc_tx_sndbuf_nonfull | if (!test_bit SOCK_NOSPACE) | do not sk_write_space; set_bit SOCK_NOSPACE; | return mask=0; | Application will sleep in epoll_wait as smc_poll returns 0. And smc_cdc_tx_handler will not call sk_write_space because the SOCK_NOSPACE has not be set. If there is no inflight cdc msg, sk_write_space will not be called any more, and application will sleep in epoll_wait forever. So check sndbuf_space again after NOSPACE flag is set to break the race. Fixes: 8dce2786a290 ("net/smc: smc_poll improvements") Signed-off-by: Guangguan Wang Suggested-by: Paolo Abeni Signed-off-by: David S. Miller commit 2b33eb8f1b3e8c2f87cfdbc8cc117f6bdfabc6ec Author: Guangguan Wang Date: Wed Dec 11 17:21:16 2024 +0800 net/smc: protect link down work from execute after lgr freed link down work may be scheduled before lgr freed but execute after lgr freed, which may result in crash. So it is need to hold a reference before shedule link down work, and put the reference after work executed or canceled. The relevant crash call stack as follows: list_del corruption. prev->next should be ffffb638c9c0fe20, but was 0000000000000000 ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:51! invalid opcode: 0000 [#1] SMP NOPTI CPU: 6 PID: 978112 Comm: kworker/6:119 Kdump: loaded Tainted: G #1 Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 2221b89 04/01/2014 Workqueue: events smc_link_down_work [smc] RIP: 0010:__list_del_entry_valid.cold+0x31/0x47 RSP: 0018:ffffb638c9c0fdd8 EFLAGS: 00010086 RAX: 0000000000000054 RBX: ffff942fb75e5128 RCX: 0000000000000000 RDX: ffff943520930aa0 RSI: ffff94352091fc80 RDI: ffff94352091fc80 RBP: 0000000000000000 R08: 0000000000000000 R09: ffffb638c9c0fc38 R10: ffffb638c9c0fc30 R11: ffffffffa015eb28 R12: 0000000000000002 R13: ffffb638c9c0fe20 R14: 0000000000000001 R15: ffff942f9cd051c0 FS: 0000000000000000(0000) GS:ffff943520900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f4f25214000 CR3: 000000025fbae004 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: rwsem_down_write_slowpath+0x17e/0x470 smc_link_down_work+0x3c/0x60 [smc] process_one_work+0x1ac/0x350 worker_thread+0x49/0x2f0 ? rescuer_thread+0x360/0x360 kthread+0x118/0x140 ? __kthread_bind_mask+0x60/0x60 ret_from_fork+0x1f/0x30 Fixes: 541afa10c126 ("net/smc: add smcr_port_err() and smcr_link_down() processing") Signed-off-by: Guangguan Wang Reviewed-by: Tony Lu Signed-off-by: David S. Miller commit 2d8308bf5b67dff50262d8a9260a50113b3628c6 Merge: 35f301dd4551fa f103396ae31851 Author: Linus Torvalds Date: Sat Dec 14 15:53:02 2024 -0800 Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi Pull SCSI fix from James Bottomley: "Single one-line fix in the ufs driver" * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: scsi: ufs: core: Update compl_time_stamp_local_clock after completing a cqe commit 35f301dd4551fa731db4834f915e8351838f6f19 Merge: a0e3919a2df29b c83508da5620ef Author: Linus Torvalds Date: Sat Dec 14 12:58:14 2024 -0800 Merge tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf Pull bpf fixes from Daniel Borkmann: - Fix a bug in the BPF verifier to track changes to packet data property for global functions (Eduard Zingerman) - Fix a theoretical BPF prog_array use-after-free in RCU handling of __uprobe_perf_func (Jann Horn) - Fix BPF tracing to have an explicit list of tracepoints and their arguments which need to be annotated as PTR_MAYBE_NULL (Kumar Kartikeya Dwivedi) - Fix a logic bug in the bpf_remove_insns code where a potential error would have been wrongly propagated (Anton Protopopov) - Avoid deadlock scenarios caused by nested kprobe and fentry BPF programs (Priya Bala Govindasamy) - Fix a bug in BPF verifier which was missing a size check for BTF-based context access (Kumar Kartikeya Dwivedi) - Fix a crash found by syzbot through an invalid BPF prog_array access in perf_event_detach_bpf_prog (Jiri Olsa) - Fix several BPF sockmap bugs including a race causing a refcount imbalance upon element replace (Michal Luczaj) - Fix a use-after-free from mismatching BPF program/attachment RCU flavors (Jann Horn) * tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf: (23 commits) bpf: Avoid deadlock caused by nested kprobe and fentry bpf programs selftests/bpf: Add tests for raw_tp NULL args bpf: Augment raw_tp arguments with PTR_MAYBE_NULL bpf: Revert "bpf: Mark raw_tp arguments with PTR_MAYBE_NULL" selftests/bpf: Add test for narrow ctx load for pointer args bpf: Check size for BTF-based ctx access of pointer members selftests/bpf: extend changes_pkt_data with cases w/o subprograms bpf: fix null dereference when computing changes_pkt_data of prog w/o subprogs bpf: Fix theoretical prog_array UAF in __uprobe_perf_func() bpf: fix potential error return selftests/bpf: validate that tail call invalidates packet pointers bpf: consider that tail calls invalidate packet pointers selftests/bpf: freplace tests for tracking of changes_packet_data bpf: check changes_pkt_data property for extension programs selftests/bpf: test for changing packet data from global functions bpf: track changes_pkt_data property for global functions bpf: refactor bpf_helper_changes_pkt_data to use helper number bpf: add find_containing_subprog() utility function bpf,perf: Fix invalid prog_array access in perf_event_detach_bpf_prog bpf: Fix UAF via mismatching bpf_prog/attachment RCU flavors ... commit c83508da5620ef89232cb614fb9e02dfdfef2b8f Author: Priya Bala Govindasamy Date: Fri Dec 13 17:58:58 2024 -0800 bpf: Avoid deadlock caused by nested kprobe and fentry bpf programs BPF program types like kprobe and fentry can cause deadlocks in certain situations. If a function takes a lock and one of these bpf programs is hooked to some point in the function's critical section, and if the bpf program tries to call the same function and take the same lock it will lead to deadlock. These situations have been reported in the following bug reports. In percpu_freelist - Link: https://lore.kernel.org/bpf/CAADnVQLAHwsa+2C6j9+UC6ScrDaN9Fjqv1WjB1pP9AzJLhKuLQ@mail.gmail.com/T/ Link: https://lore.kernel.org/bpf/CAPPBnEYm+9zduStsZaDnq93q1jPLqO-PiKX9jy0MuL8LCXmCrQ@mail.gmail.com/T/ In bpf_lru_list - Link: https://lore.kernel.org/bpf/CAPPBnEajj+DMfiR_WRWU5=6A7KKULdB5Rob_NJopFLWF+i9gCA@mail.gmail.com/T/ Link: https://lore.kernel.org/bpf/CAPPBnEZQDVN6VqnQXvVqGoB+ukOtHGZ9b9U0OLJJYvRoSsMY_g@mail.gmail.com/T/ Link: https://lore.kernel.org/bpf/CAPPBnEaCB1rFAYU7Wf8UxqcqOWKmRPU1Nuzk3_oLk6qXR7LBOA@mail.gmail.com/T/ Similar bugs have been reported by syzbot. In queue_stack_maps - Link: https://lore.kernel.org/lkml/0000000000004c3fc90615f37756@google.com/ Link: https://lore.kernel.org/all/20240418230932.2689-1-hdanton@sina.com/T/ In lpm_trie - Link: https://lore.kernel.org/linux-kernel/00000000000035168a061a47fa38@google.com/T/ In ringbuf - Link: https://lore.kernel.org/bpf/20240313121345.2292-1-hdanton@sina.com/T/ Prevent kprobe and fentry bpf programs from attaching to these critical sections by removing CC_FLAGS_FTRACE for percpu_freelist.o, bpf_lru_list.o, queue_stack_maps.o, lpm_trie.o, ringbuf.o files. The bugs reported by syzbot are due to tracepoint bpf programs being called in the critical sections. This patch does not aim to fix deadlocks caused by tracepoint programs. However, it does prevent deadlocks from occurring in similar situations due to kprobe and fentry programs. Signed-off-by: Priya Bala Govindasamy Link: https://lore.kernel.org/r/CAPPBnEZpjGnsuA26Mf9kYibSaGLm=oF6=12L21X1GEQdqjLnzQ@mail.gmail.com Signed-off-by: Alexei Starovoitov commit a0e3919a2df29b373b19a8fbd6e4c4c38fc10d87 Merge: 636110be626b1e 33ead7e538183b Author: Linus Torvalds Date: Sat Dec 14 09:35:22 2024 -0800 Merge tag 'usb-6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb Pull USB driver fixes from Greg KH: "Here are some small USB driver fixes for some reported issues. Included in here are: - typec driver bugfixes - u_serial gadget driver bugfix for much reported and discussed issue - dwc2 bugfixes - midi gadget driver bugfix - ehci-hcd driver bugfix - other small bugfixes All of these have been in linux-next for over a week with no reported issues" * tag 'usb-6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: usb: typec: ucsi: Fix connector status writing past buffer size usb: typec: ucsi: Fix completion notifications usb: dwc2: Fix HCD port connection race usb: dwc2: hcd: Fix GetPortStatus & SetPortFeature usb: dwc2: Fix HCD resume usb: gadget: u_serial: Fix the issue that gs_start_io crashed due to accessing null pointer usb: misc: onboard_usb_dev: skip suspend/resume sequence for USB5744 SMBus support usb: dwc3: xilinx: make sure pipe clock is deselected in usb2 only mode usb: core: hcd: only check primary hcd skip_phy_initialization usb: gadget: midi2: Fix interpretation of is_midi1 bits usb: dwc3: imx8mp: fix software node kernel dump usb: typec: anx7411: fix OF node reference leaks in anx7411_typec_switch_probe() usb: typec: anx7411: fix fwnode_handle reference leak usb: host: max3421-hcd: Correctly abort a USB request. dt-bindings: phy: imx8mq-usb: correct reference to usb-switch.yaml usb: ehci-hcd: fix call balance of clocks handling routines commit 636110be626b1e039b82d6eba4192d3cb82e5c92 Merge: 3de4f6d9191956 4e450dfd0f968b Author: Linus Torvalds Date: Sat Dec 14 09:31:19 2024 -0800 Merge tag 'tty-6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty Pull serial driver fixes from Greg KH: "Here are two small serial driver fixes for 6.13-rc3. They are: - ioport build fallout fix for the 8250 port driver that should resolve Guenter's runtime problems - sh-sci driver bugfix for a reported problem Both of these have been in linux-next for a while with no reported issues" * tag 'tty-6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: tty: serial: Work around warning backtrace in serial8250_set_defaults serial: sh-sci: Check if TX data was written to device in .tx_empty() commit 3de4f6d919195678fa400c4da2bb5fda4a124632 Merge: ec2092915d60df 48e8a8160dba52 Author: Linus Torvalds Date: Sat Dec 14 09:27:07 2024 -0800 Merge tag 'staging-6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging Pull staging driver fixes from Greg KH: "Here are some small staging gpib driver build and bugfixes for issues that have been much-reported (should finally fix Guenter's build issues). There are more of these coming in later -rc releases, but for now this should fix the majority of the reported problems. All of these have been in linux-next for a while with no reported issues" * tag 'staging-6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: staging: gpib: Fix i386 build issue staging: gpib: Fix faulty workaround for assignment in if staging: gpib: Workaround for ppc build failure staging: gpib: Make GPIB_NI_PCI_ISA depend on HAS_IOPORT commit ec2092915d60df2700f7062f171a7fbbad93166b Merge: 7824850768aafe cd26cd65476711 Author: Linus Torvalds Date: Sat Dec 14 09:15:49 2024 -0800 Merge tag 'v6.13-p2' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 Pull crypto fixes from Herbert Xu: "Fix a regression in rsassa-pkcs1 as well as a buffer overrun in hisilicon/debugfs" * tag 'v6.13-p2' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: crypto: hisilicon/debugfs - fix the struct pointer incorrectly offset problem crypto: rsassa-pkcs1 - Copy source data for SG list commit 7824850768aafe0e69ec6586900cc5c1dac94fe3 Merge: 115c0cc25130c5 7a5f93ea5862da Author: Linus Torvalds Date: Sat Dec 14 08:51:43 2024 -0800 Merge tag 'rust-fixes-6.13' of https://github.com/Rust-for-Linux/linux Pull rust fixes from Miguel Ojeda: "Toolchain and infrastructure: - Set bindgen's Rust target version to prevent issues when pairing older rustc releases with newer bindgen releases, such as bindgen >= 0.71.0 and rustc < 1.82 due to unsafe_extern_blocks. drm/panic: - Remove spurious empty line detected by a new Clippy warning" * tag 'rust-fixes-6.13' of https://github.com/Rust-for-Linux/linux: rust: kbuild: set `bindgen`'s Rust target version drm/panic: remove spurious empty line to clean warning commit 115c0cc25130c59025cab8f8a5f1a3a97b1e16e1 Merge: 5d97859e177500 dda2b8c3c6ccc5 Author: Linus Torvalds Date: Sat Dec 14 08:41:40 2024 -0800 Merge tag 'iommu-fixes-v6.13-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/iommu/linux Pull iommu fixes from Joerg Roedel: - Per-domain device-list locking fixes for the AMD IOMMU driver - Fix incorrect use of smp_processor_id() in the NVidia-specific part of the ARM-SMMU-v3 driver - Intel IOMMU driver fixes: - Remove cache tags before disabling ATS - Avoid draining PRQ in sva mm release path - Fix qi_batch NULL pointer with nested parent domain * tag 'iommu-fixes-v6.13-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/iommu/linux: iommu/vt-d: Avoid draining PRQ in sva mm release path iommu/vt-d: Fix qi_batch NULL pointer with nested parent domain iommu/vt-d: Remove cache tags before disabling ATS iommu/amd: Add lockdep asserts for domain->dev_list iommu/amd: Put list_add/del(dev_data) back under the domain->lock iommu/tegra241-cmdqv: do not use smp_processor_id in preemptible context commit 5d97859e17750073052a45d127cdaec446843838 Merge: a446e965a188ee 676fe1f6f74db9 Author: Linus Torvalds Date: Sat Dec 14 08:40:05 2024 -0800 Merge tag 'ata-6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/libata/linux Pull ata fix from Damien Le Moal: - Fix an OF node reference leak in the sata_highbank driver * tag 'ata-6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/libata/linux: ata: sata_highbank: fix OF node reference leak in highbank_initialize_phys() commit 5b6b08af1fb09ec1ffab9564994cc152e4930431 Merge: fac04efc5c793d de6b43798d9043 Author: Wolfram Sang Date: Sat Dec 14 10:01:46 2024 +0100 Merge tag 'i2c-host-fixes-6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/andi.shyti/linux into i2c/for-current i2c-host-fixes for v6.13-rc3 - Replaced jiffies with msec for timeout calculations. - Added a sentinel to the 'of_device_id' array in Nomadik. - Rounded up bus period calculation in RIIC. commit 429fde2d81bcef0ebab002215358955704586457 Author: Eric Dumazet Date: Thu Dec 12 22:22:47 2024 +0000 net: tun: fix tun_napi_alloc_frags() syzbot reported the following crash [1] Issue came with the blamed commit. Instead of going through all the iov components, we keep using the first one and end up with a malformed skb. [1] kernel BUG at net/core/skbuff.c:2849 ! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 0 UID: 0 PID: 6230 Comm: syz-executor132 Not tainted 6.13.0-rc1-syzkaller-00407-g96b6fcc0ee41 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024 RIP: 0010:__pskb_pull_tail+0x1568/0x1570 net/core/skbuff.c:2848 Code: 38 c1 0f 8c 32 f1 ff ff 4c 89 f7 e8 92 96 74 f8 e9 25 f1 ff ff e8 e8 ae 09 f8 48 8b 5c 24 08 e9 eb fb ff ff e8 d9 ae 09 f8 90 <0f> 0b 66 0f 1f 44 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffc90004cbef30 EFLAGS: 00010293 RAX: ffffffff8995c347 RBX: 00000000fffffff2 RCX: ffff88802cf45a00 RDX: 0000000000000000 RSI: 00000000fffffff2 RDI: 0000000000000000 RBP: ffff88807df0c06a R08: ffffffff8995b084 R09: 1ffff1100fbe185c R10: dffffc0000000000 R11: ffffed100fbe185d R12: ffff888076e85d50 R13: ffff888076e85c80 R14: ffff888076e85cf4 R15: ffff888076e85c80 FS: 00007f0dca6ea6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f0dca6ead58 CR3: 00000000119da000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: skb_cow_data+0x2da/0xcb0 net/core/skbuff.c:5284 tipc_aead_decrypt net/tipc/crypto.c:894 [inline] tipc_crypto_rcv+0x402/0x24e0 net/tipc/crypto.c:1844 tipc_rcv+0x57e/0x12a0 net/tipc/node.c:2109 tipc_l2_rcv_msg+0x2bd/0x450 net/tipc/bearer.c:668 __netif_receive_skb_list_ptype net/core/dev.c:5720 [inline] __netif_receive_skb_list_core+0x8b7/0x980 net/core/dev.c:5762 __netif_receive_skb_list net/core/dev.c:5814 [inline] netif_receive_skb_list_internal+0xa51/0xe30 net/core/dev.c:5905 gro_normal_list include/net/gro.h:515 [inline] napi_complete_done+0x2b5/0x870 net/core/dev.c:6256 napi_complete include/linux/netdevice.h:567 [inline] tun_get_user+0x2ea0/0x4890 drivers/net/tun.c:1982 tun_chr_write_iter+0x10d/0x1f0 drivers/net/tun.c:2057 do_iter_readv_writev+0x600/0x880 vfs_writev+0x376/0xba0 fs/read_write.c:1050 do_writev+0x1b6/0x360 fs/read_write.c:1096 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Fixes: de4f5fed3f23 ("iov_iter: add iter_iovec() helper") Reported-by: syzbot+4f66250f6663c0c1d67e@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/675b61aa.050a0220.599f4.00bb.GAE@google.com/T/#u Cc: stable@vger.kernel.org Signed-off-by: Eric Dumazet Reviewed-by: Joe Damato Reviewed-by: Jens Axboe Acked-by: Willem de Bruijn Acked-by: Michael S. Tsirkin Link: https://patch.msgid.link/20241212222247.724674-1-edumazet@google.com Signed-off-by: Jakub Kicinski commit a446e965a188ee8f745859e63ce046fe98577d45 Merge: f86135613a2552 633609c48a3581 Author: Linus Torvalds Date: Fri Dec 13 17:36:02 2024 -0800 Merge tag '6.13-rc2-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6 Pull smb client fixes from Steve French: - fix rmmod leak - two minor cleanups - fix for unlink/rename with pending i/o * tag '6.13-rc2-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6: smb: client: destroy cfid_put_wq on module exit cifs: Use str_yes_no() helper in cifs_ses_add_channel() cifs: Fix rmdir failure due to ongoing I/O on deleted file smb3: fix compiler warning in reparse code commit f86135613a2552b1e6c0875726f45b34b0ddd5a6 Merge: 4e1b4861a28841 25fb0e77b90e29 Author: Linus Torvalds Date: Fri Dec 13 17:29:19 2024 -0800 Merge tag 'spi-fix-v6.13-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi Pull spi fixes from Mark Brown: "A few fairly small fixes for v6.13, the most substatial one being disabling STIG mode for Cadence QSPI controllers on Altera SoCFPGA platforms since it doesn't work" * tag 'spi-fix-v6.13-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi: spi: spi-cadence-qspi: Disable STIG mode for Altera SoCFPGA. spi: rockchip: Fix PM runtime count on no-op cs spi: aspeed: Fix an error handling path in aspeed_spi_[read|write]_user() commit 4e1b4861a28841afc3ec4c192845feb411953d56 Merge: e72da82d5a6dee f07ae52f5cf6a5 Author: Linus Torvalds Date: Fri Dec 13 17:18:28 2024 -0800 Merge tag 'regulator-fix-v6.13-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator Pull regulator fixes from Mark Brown: "A couple of additional changes, one ensuring we give AXP717 enough time to stabilise after changing voltages which fixes serious stability issues on some platforms and another documenting the DT support required for the Qualcomm WCN6750" * tag 'regulator-fix-v6.13-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator: regulator: axp20x: AXP717: set ramp_delay regulator: dt-bindings: qcom,qca6390-pmu: document wcn6750-pmu commit e72da82d5a6deec67a680434e1f19ba3996fbb11 Merge: 974acf99744ca5 d172ea67dbeec5 Author: Linus Torvalds Date: Fri Dec 13 16:58:39 2024 -0800 Merge tag 'drm-fixes-2024-12-14' of https://gitlab.freedesktop.org/drm/kernel Pull drm fixes from Dave Airlie: "This is the weekly fixes pull for drm. Just has i915, xe and amdgpu changes in it. Nothing too major in here: i915: - Don't use indexed register writes needlessly [dsb] - Stop using non-posted DSB writes for legacy LUT [color] - Fix NULL pointer dereference in capture_engine - Fix memory leak by correcting cache object name in error handler xe: - Fix a KUNIT test error message (Mirsad Todorovac) - Fix an invalidation fence PM ref leak (Daniele) - Fix a register pool UAF (Lucas) amdgpu: - ISP hw init fix - SR-IOV fixes - Fix contiguous VRAM mapping for UVD on older GPUs - Fix some regressions due to drm scheduler changes - Workload profile fixes - Cleaner shader fix amdkfd: - Fix DMA map direction for migration - Fix a potential null pointer dereference - Cacheline size fixes - Runtime PM fix" * tag 'drm-fixes-2024-12-14' of https://gitlab.freedesktop.org/drm/kernel: drm/xe/reg_sr: Remove register pool drm/xe: Call invalidation_fence_fini for PT inval fences in error state drm/xe: fix the ERR_PTR() returned on failure to allocate tiny pt drm/amdkfd: pause autosuspend when creating pdd drm/amdgpu: fix when the cleaner shader is emitted drm/amdgpu: Fix ISP HW init issue drm/amdkfd: hard-code MALL cacheline size for gfx11, gfx12 drm/amdkfd: hard-code cacheline size for gfx11 drm/amdkfd: Dereference null return value drm/i915: Fix memory leak by correcting cache object name in error handler drm/i915: Fix NULL pointer dereference in capture_engine drm/i915/color: Stop using non-posted DSB writes for legacy LUT drm/i915/dsb: Don't use indexed register writes needlessly drm/amdkfd: Correct the migration DMA map direction drm/amd/pm: Set SMU v13.0.7 default workload type drm/amd/pm: Initialize power profile mode amdgpu/uvd: get ring reference from rq scheduler drm/amdgpu: fix UVD contiguous CS mapping problem drm/amdgpu: use sjt mec fw on gfx943 for sriov Revert "drm/amdgpu: Fix ISP hw init issue" commit 974acf99744ca5c0663d0864a1ff3a13491c4f4b Merge: c810e8df9668d3 ccb84dc8f4a02e Author: Linus Torvalds Date: Fri Dec 13 16:55:43 2024 -0800 Merge tag 'pm-6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull power management documentation fix from Rafael Wysocki: "Fix a runtime PM documentation mistake that may mislead someone into making a coding mistake (Paul Barker)" * tag 'pm-6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: Documentation: PM: Clarify pm_runtime_resume_and_get() return value commit c810e8df9668d378430862ceb5eeff619da28509 Merge: c30c65f3fe3506 e14d5ae28eb28c Author: Linus Torvalds Date: Fri Dec 13 16:51:56 2024 -0800 Merge tag 'acpi-6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull ACPI fixes from Rafael Wysocki: "These fix two coding mistakes, one in the ACPI resources handling code and one in ACPICA: - Relocate the addr->info.mem.caching check in acpi_decode_space() to only execute it if the resource is of the correct type (Ilpo Järvinen) - Don't release a context_mutex that was never acquired in acpi_remove_address_space_handler() (Daniil Tatianin)" * tag 'acpi-6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: ACPICA: events/evxfregn: don't release the ContextMutex that was never acquired ACPI: resource: Fix memory resource type union access commit a8e1a3ddf7246cd43c93e5459fcc1b4989853a06 Merge: e4c80f69758e50 0da1955b5bd2af Author: Alexei Starovoitov Date: Fri Dec 13 16:24:54 2024 -0800 Merge branch 'explicit-raw_tp-null-arguments' Kumar Kartikeya Dwivedi says: ==================== Explicit raw_tp NULL arguments This set reverts the raw_tp masking changes introduced in commit cb4158ce8ec8 ("bpf: Mark raw_tp arguments with PTR_MAYBE_NULL") and replaces it wwith an explicit list of tracepoints and their arguments which need to be annotated as PTR_MAYBE_NULL. More context on the fallout caused by the masking fix and subsequent discussions can be found in [0]. To remedy this, we implement a solution of explicitly defined tracepoint and define which args need to be marked NULL or scalar (for IS_ERR case). The commit logs describes the details of this approach in detail. We will follow up this solution an approach Eduard is working on to perform automated analysis of NULL-ness of tracepoint arguments. The current PoC is available here: - LLVM branch with the analysis: https://github.com/eddyz87/llvm-project/tree/nullness-for-tracepoint-params - Python script for merging of analysis results: https://gist.github.com/eddyz87/e47c164466a60e8d49e6911cff146f47 The idea is to infer a tri-state verdict for each tracepoint parameter: definitely not null, can be null, unknown (in which case no assumptions should be made). Using this information, the verifier in most cases will be able to precisely determine the state of the tracepoint parameter without any human effort. At that point, the table maintained manually in this set can be dropped and replace with this automated analysis tool's result. This will be kept up to date with each kernel release. [0]: https://lore.kernel.org/bpf/20241206161053.809580-1-memxor@gmail.com Changelog: ---------- v2 -> v3: v2: https://lore.kernel.org/bpf/20241213175127.2084759-1-memxor@gmail.com * Address Eduard's nits, add Reviewed-by v1 -> v2: v1: https://lore.kernel.org/bpf/20241211020156.18966-1-memxor@gmail.com * Address comments from Jiri * Mark module tracepoints args NULL by default * Add more sunrpc tracepoints * Unify scalar or null handling * Address comments from Alexei * Use bitmask approach suggested in review * Unify scalar or null handling * Drop most tests that rely on CONFIG options * Drop scripts to generate tests ==================== Link: https://patch.msgid.link/20241213221929.3495062-1-memxor@gmail.com Signed-off-by: Alexei Starovoitov commit 0da1955b5bd2af3a1c3d13916df06e34ffa6df3d Author: Kumar Kartikeya Dwivedi Date: Fri Dec 13 14:19:29 2024 -0800 selftests/bpf: Add tests for raw_tp NULL args Add tests to ensure that arguments are correctly marked based on their specified positions, and whether they get marked correctly as maybe null. For modules, all tracepoint parameters should be marked PTR_MAYBE_NULL by default. Signed-off-by: Kumar Kartikeya Dwivedi Link: https://lore.kernel.org/r/20241213221929.3495062-4-memxor@gmail.com Signed-off-by: Alexei Starovoitov commit 838a10bd2ebfe11a60dd67687533a7cfc220cc86 Author: Kumar Kartikeya Dwivedi Date: Fri Dec 13 14:19:28 2024 -0800 bpf: Augment raw_tp arguments with PTR_MAYBE_NULL Arguments to a raw tracepoint are tagged as trusted, which carries the semantics that the pointer will be non-NULL. However, in certain cases, a raw tracepoint argument may end up being NULL. More context about this issue is available in [0]. Thus, there is a discrepancy between the reality, that raw_tp arguments can actually be NULL, and the verifier's knowledge, that they are never NULL, causing explicit NULL check branch to be dead code eliminated. A previous attempt [1], i.e. the second fixed commit, was made to simulate symbolic execution as if in most accesses, the argument is a non-NULL raw_tp, except for conditional jumps. This tried to suppress branch prediction while preserving compatibility, but surfaced issues with production programs that were difficult to solve without increasing verifier complexity. A more complete discussion of issues and fixes is available at [2]. Fix this by maintaining an explicit list of tracepoints where the arguments are known to be NULL, and mark the positional arguments as PTR_MAYBE_NULL. Additionally, capture the tracepoints where arguments are known to be ERR_PTR, and mark these arguments as scalar values to prevent potential dereference. Each hex digit is used to encode NULL-ness (0x1) or ERR_PTR-ness (0x2), shifted by the zero-indexed argument number x 4. This can be represented as follows: 1st arg: 0x1 2nd arg: 0x10 3rd arg: 0x100 ... and so on (likewise for ERR_PTR case). In the future, an automated pass will be used to produce such a list, or insert __nullable annotations automatically for tracepoints. Each compilation unit will be analyzed and results will be collated to find whether a tracepoint pointer is definitely not null, maybe null, or an unknown state where verifier conservatively marks it PTR_MAYBE_NULL. A proof of concept of this tool from Eduard is available at [3]. Note that in case we don't find a specification in the raw_tp_null_args array and the tracepoint belongs to a kernel module, we will conservatively mark the arguments as PTR_MAYBE_NULL. This is because unlike for in-tree modules, out-of-tree module tracepoints may pass NULL freely to the tracepoint. We don't protect against such tracepoints passing ERR_PTR (which is uncommon anyway), lest we mark all such arguments as SCALAR_VALUE. While we are it, let's adjust the test raw_tp_null to not perform dereference of the skb->mark, as that won't be allowed anymore, and make it more robust by using inline assembly to test the dead code elimination behavior, which should still stay the same. [0]: https://lore.kernel.org/bpf/ZrCZS6nisraEqehw@jlelli-thinkpadt14gen4.remote.csb [1]: https://lore.kernel.org/all/20241104171959.2938862-1-memxor@gmail.com [2]: https://lore.kernel.org/bpf/20241206161053.809580-1-memxor@gmail.com [3]: https://github.com/eddyz87/llvm-project/tree/nullness-for-tracepoint-params Reported-by: Juri Lelli # original bug Reported-by: Manu Bretelle # bugs in masking fix Fixes: 3f00c5239344 ("bpf: Allow trusted pointers to be passed to KF_TRUSTED_ARGS kfuncs") Fixes: cb4158ce8ec8 ("bpf: Mark raw_tp arguments with PTR_MAYBE_NULL") Reviewed-by: Eduard Zingerman Co-developed-by: Jiri Olsa Signed-off-by: Jiri Olsa Signed-off-by: Kumar Kartikeya Dwivedi Link: https://lore.kernel.org/r/20241213221929.3495062-3-memxor@gmail.com Signed-off-by: Alexei Starovoitov commit c00d738e1673ab801e1577e4e3c780ccf88b1a5b Author: Kumar Kartikeya Dwivedi Date: Fri Dec 13 14:19:27 2024 -0800 bpf: Revert "bpf: Mark raw_tp arguments with PTR_MAYBE_NULL" This patch reverts commit cb4158ce8ec8 ("bpf: Mark raw_tp arguments with PTR_MAYBE_NULL"). The patch was well-intended and meant to be as a stop-gap fixing branch prediction when the pointer may actually be NULL at runtime. Eventually, it was supposed to be replaced by an automated script or compiler pass detecting possibly NULL arguments and marking them accordingly. However, it caused two main issues observed for production programs and failed to preserve backwards compatibility. First, programs relied on the verifier not exploring == NULL branch when pointer is not NULL, thus they started failing with a 'dereference of scalar' error. Next, allowing raw_tp arguments to be modified surfaced the warning in the verifier that warns against reg->off when PTR_MAYBE_NULL is set. More information, context, and discusson on both problems is available in [0]. Overall, this approach had several shortcomings, and the fixes would further complicate the verifier's logic, and the entire masking scheme would have to be removed eventually anyway. Hence, revert the patch in preparation of a better fix avoiding these issues to replace this commit. [0]: https://lore.kernel.org/bpf/20241206161053.809580-1-memxor@gmail.com Reported-by: Manu Bretelle Fixes: cb4158ce8ec8 ("bpf: Mark raw_tp arguments with PTR_MAYBE_NULL") Signed-off-by: Kumar Kartikeya Dwivedi Link: https://lore.kernel.org/r/20241213221929.3495062-2-memxor@gmail.com Signed-off-by: Alexei Starovoitov commit c30c65f3fe3506e8838c3eb64b4b5f48b667a131 Merge: 2a816e4f6a407c be26ba96421ab0 Author: Linus Torvalds Date: Fri Dec 13 15:10:59 2024 -0800 Merge tag 'block-6.13-20241213' of git://git.kernel.dk/linux Pull block fixes from Jens Axboe: - Series from Damien fixing issues with the zoned write plugging - Fix for a potential UAF in block cgroups - Fix deadlock around queue freezing and the sysfs lock - Various little cleanups and fixes * tag 'block-6.13-20241213' of git://git.kernel.dk/linux: block: Fix potential deadlock while freezing queue and acquiring sysfs_lock block: Fix queue_iostats_passthrough_show() blk-mq: Clean up blk_mq_requeue_work() mq-deadline: Remove a local variable blk-iocost: Avoid using clamp() on inuse in __propagate_weights() block: Make bio_iov_bvec_set() accept pointer to const iov_iter block: get wp_offset by bdev_offset_from_zone_start blk-cgroup: Fix UAF in blkcg_unpin_online() MAINTAINERS: update Coly Li's email address block: Prevent potential deadlocks in zone write plug error recovery dm: Fix dm-zoned-reclaim zone write pointer alignment block: Ignore REQ_NOWAIT for zone reset and zone finish operations block: Use a zone write plug BIO work for REQ_NOWAIT BIOs commit 2a816e4f6a407cfbd7a8345a0c09473eff656139 Merge: 1c021e7908cc66 99d6af6e8a22b7 Author: Linus Torvalds Date: Fri Dec 13 15:08:55 2024 -0800 Merge tag 'io_uring-6.13-20241213' of git://git.kernel.dk/linux Pull io_uring fix from Jens Axboe: "A single fix for a regression introduced in the 6.13 merge window" * tag 'io_uring-6.13-20241213' of git://git.kernel.dk/linux: io_uring/rsrc: don't put/free empty buffers commit 1c021e7908cc6683a1fcbd26eb02bc8c7c880da0 Merge: 4800575d8c0b2f 265e98f72bac6c Author: Linus Torvalds Date: Fri Dec 13 15:07:22 2024 -0800 Merge tag 'libnvdimm-fixes-6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm Pull libnvdimm fix from Ira Weiny: - sysbot fix for out of bounds access * tag 'libnvdimm-fixes-6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm: acpi: nfit: vmalloc-out-of-bounds Read in acpi_nfit_ctl commit 824927e88456331c7a999fdf5d9d27923b619590 Author: Leon Romanovsky Date: Tue Dec 3 14:37:15 2024 +0200 ARC: build: Try to guess GCC variant of cross compiler ARC GCC compiler is packaged starting from Fedora 39i and the GCC variant of cross compile tools has arc-linux-gnu- prefix and not arc-linux-. This is causing that CROSS_COMPILE variable is left unset. This change allows builds without need to supply CROSS_COMPILE argument if distro package is used. Before this change: $ make -j 128 ARCH=arc W=1 drivers/infiniband/hw/mlx4/ gcc: warning: ‘-mcpu=’ is deprecated; use ‘-mtune=’ or ‘-march=’ instead gcc: error: unrecognized command-line option ‘-mmedium-calls’ gcc: error: unrecognized command-line option ‘-mlock’ gcc: error: unrecognized command-line option ‘-munaligned-access’ [1] https://packages.fedoraproject.org/pkgs/cross-gcc/gcc-arc-linux-gnu/index.html Signed-off-by: Leon Romanovsky Signed-off-by: Vineet Gupta commit 4800575d8c0b2f354ab05ab1c4749e45e213bf73 Merge: 01af50af760b5b bf354410af8322 Author: Linus Torvalds Date: Fri Dec 13 14:27:40 2024 -0800 Merge tag 'xfs-fixes-6.13-rc3' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux Pull xfs fixes from Carlos Maiolino: - Fixes for scrub subsystem - Fix quota crashes - Fix sb_spino_align checons on large fsblock sizes - Fix discarded superblock updates - Fix stuck unmount due to a locked inode * tag 'xfs-fixes-6.13-rc3' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux: (28 commits) xfs: port xfs_ioc_start_commit to multigrain timestamps xfs: return from xfs_symlink_verify early on V4 filesystems xfs: fix zero byte checking in the superblock scrubber xfs: check pre-metadir fields correctly xfs: don't crash on corrupt /quotas dirent xfs: don't move nondir/nonreg temporary repair files to the metadir namespace xfs: fix sb_spino_align checks for large fsblock sizes xfs: convert quotacheck to attach dquot buffers xfs: attach dquot buffer to dquot log item buffer xfs: clean up log item accesses in xfs_qm_dqflush{,_done} xfs: separate dquot buffer reads from xfs_dqflush xfs: don't lose solo dquot update transactions xfs: don't lose solo superblock counter update transactions xfs: avoid nested calls to __xfs_trans_commit xfs: only run precommits once per transaction object xfs: unlock inodes when erroring out of xfs_trans_alloc_dir xfs: fix scrub tracepoints when inode-rooted btrees are involved xfs: update btree keys correctly when _insrec splits an inode root block xfs: fix error bailout in xfs_rtginode_create xfs: fix null bno_hint handling in xfs_rtallocate_rtg ... commit 01af50af760b5b796794282d997a3610f74039da Merge: a5b3d5dfce3a1a ce03573a191753 Author: Linus Torvalds Date: Fri Dec 13 14:23:09 2024 -0800 Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux Pull arm64 fixes from Catalin Marinas: - arm64 stacktrace: address some fallout from the recent changes to unwinding across exception boundaries - Ensure the arm64 signal delivery failure is recoverable - only override the return registers after all the user accesses took place - Fix the arm64 kselftest access to SVCR - only when SME is detected * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: kselftest/arm64: abi: fix SVCR detection arm64: signal: Ensure signal delivery failure is recoverable arm64: stacktrace: Don't WARN when unwinding other tasks arm64: stacktrace: Skip reporting LR at exception boundaries commit a5b3d5dfce3a1ac2e87cae8ea6b279038d418a6c Merge: 243f750a2df066 21f1b85c891226 Author: Linus Torvalds Date: Fri Dec 13 14:18:18 2024 -0800 Merge tag 'riscv-for-linus-6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux Pull RISC-V fixes from Palmer Dabbelt: - avoid taking a mutex while resolving jump_labels in the mutex implementation - avoid trying to resolve the early boot DT pointer via the linear map - avoid trying to IPI kfence TLB flushes, as kfence might flush with IRQs disabled - avoid calling PMD destructors on PMDs that were never constructed * tag 'riscv-for-linus-6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux: riscv: mm: Do not call pmd dtor on vmemmap page table teardown riscv: Fix IPIs usage in kfence_protect_page() riscv: Fix wrong usage of __pa() on a fixmap address riscv: Fixup boot failure when CONFIG_DEBUG_RT_MUTEXES=y commit 9398332f23fab10c5ec57c168b44e72997d6318e Author: Ville Syrjälä Date: Fri Nov 29 06:26:28 2024 +0200 drm/modes: Avoid divide by zero harder in drm_mode_vrefresh() drm_mode_vrefresh() is trying to avoid divide by zero by checking whether htotal or vtotal are zero. But we may still end up with a div-by-zero of vtotal*htotal*... Cc: stable@vger.kernel.org Reported-by: syzbot+622bba18029bcde672e1@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=622bba18029bcde672e1 Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20241129042629.18280-2-ville.syrjala@linux.intel.com Reviewed-by: Jani Nikula commit e14d5ae28eb28c5edef53bd648037d2bb4fce1b3 Merge: 7899ca9f3bd2b0 c53d96a4481f42 Author: Rafael J. Wysocki Date: Fri Dec 13 21:32:06 2024 +0100 Merge branch 'acpica' Merge an ACPICA fix for 6.13-rc3: - Don't release a context_mutex that was never acquired in acpi_remove_address_space_handler() (Daniil Tatianin). * acpica: ACPICA: events/evxfregn: don't release the ContextMutex that was never acquired commit 3522c419758ee8dca5a0e8753ee0070a22157bc1 Merge: 1201f226c863b7 ea6398a5af81e3 Author: Paolo Bonzini Date: Fri Dec 13 13:59:20 2024 -0500 Merge tag 'kvm-riscv-fixes-6.13-1' of https://github.com/kvm-riscv/linux into HEAD KVM/riscv fixes for 6.13, take #1 - Replace csr_write() with csr_set() for HVIEN PMU overflow bit commit 1201f226c863b7da739f7420ddba818cedf372fc Author: Sean Christopherson Date: Tue Dec 10 17:32:58 2024 -0800 KVM: x86: Cache CPUID.0xD XSTATE offsets+sizes during module init Snapshot the output of CPUID.0xD.[1..n] during kvm.ko initiliaization to avoid the overead of CPUID during runtime. The offset, size, and metadata for CPUID.0xD.[1..n] sub-leaves does not depend on XCR0 or XSS values, i.e. is constant for a given CPU, and thus can be cached during module load. On Intel's Emerald Rapids, CPUID is *wildly* expensive, to the point where recomputing XSAVE offsets and sizes results in a 4x increase in latency of nested VM-Enter and VM-Exit (nested transitions can trigger xstate_required_size() multiple times per transition), relative to using cached values. The issue is easily visible by running `perf top` while triggering nested transitions: kvm_update_cpuid_runtime() shows up at a whopping 50%. As measured via RDTSC from L2 (using KVM-Unit-Test's CPUID VM-Exit test and a slightly modified L1 KVM to handle CPUID in the fastpath), a nested roundtrip to emulate CPUID on Skylake (SKX), Icelake (ICX), and Emerald Rapids (EMR) takes: SKX 11650 ICX 22350 EMR 28850 Using cached values, the latency drops to: SKX 6850 ICX 9000 EMR 7900 The underlying issue is that CPUID itself is slow on ICX, and comically slow on EMR. The problem is exacerbated on CPUs which support XSAVES and/or XSAVEC, as KVM invokes xstate_required_size() twice on each runtime CPUID update, and because there are more supported XSAVE features (CPUID for supported XSAVE feature sub-leafs is significantly slower). SKX: CPUID.0xD.2 = 348 cycles CPUID.0xD.3 = 400 cycles CPUID.0xD.4 = 276 cycles CPUID.0xD.5 = 236 cycles EMR: CPUID.0xD.2 = 1138 cycles CPUID.0xD.3 = 1362 cycles CPUID.0xD.4 = 1068 cycles CPUID.0xD.5 = 910 cycles CPUID.0xD.6 = 914 cycles CPUID.0xD.7 = 1350 cycles CPUID.0xD.8 = 734 cycles CPUID.0xD.9 = 766 cycles CPUID.0xD.10 = 732 cycles CPUID.0xD.11 = 718 cycles CPUID.0xD.12 = 734 cycles CPUID.0xD.13 = 1700 cycles CPUID.0xD.14 = 1126 cycles CPUID.0xD.15 = 898 cycles CPUID.0xD.16 = 716 cycles CPUID.0xD.17 = 748 cycles CPUID.0xD.18 = 776 cycles Note, updating runtime CPUID information multiple times per nested transition is itself a flaw, especially since CPUID is a mandotory intercept on both Intel and AMD. E.g. KVM doesn't need to ensure emulated CPUID state is up-to-date while running L2. That flaw will be fixed in a future patch, as deferring runtime CPUID updates is more subtle than it appears at first glance, the benefits aren't super critical to have once the XSAVE issue is resolved, and caching CPUID output is desirable even if KVM's updates are deferred. Cc: Jim Mattson Cc: stable@vger.kernel.org Signed-off-by: Sean Christopherson Message-ID: <20241211013302.1347853-2-seanjc@google.com> Signed-off-by: Paolo Bonzini commit 243f750a2df0662bc45119f9dd5d7da031a17f36 Merge: de20dc2b9604f5 9ac4b58fcef0f9 Author: Linus Torvalds Date: Fri Dec 13 09:57:15 2024 -0800 Merge tag 'gpio-fixes-for-v6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux Pull gpio fixes from Bartosz Golaszewski: - fix several low-level issues in gpio-graniterapids - fix an initialization order issue that manifests itself with __counted_by() checks in gpio-ljca - don't default to y for CONFIG_GPIO_MVEBU with COMPILE_TEST enabled - move the DEFAULT_SYMBOL_NAMESPACE define before the export.h include in gpio-idio-16 * tag 'gpio-fixes-for-v6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux: gpio: idio-16: Actually make use of the GPIO_IDIO_16 symbol namespace gpio: graniterapids: Fix GPIO Ack functionality gpio: graniterapids: Check if GPIO line can be used for IRQs gpio: graniterapids: Determine if GPIO pad can be used by driver gpio: graniterapids: Fix invalid RXEVCFG register bitmask gpio: graniterapids: Fix invalid GPI_IS register offset gpio: graniterapids: Fix incorrect BAR assignment gpio: graniterapids: Fix vGPIO driver crash gpio: ljca: Initialize num before accessing item in ljca_gpio_config gpio: GPIO_MVEBU should not default to y when compile-testing commit be26ba96421ab0a8fa2055ccf7db7832a13c44d2 Author: Nilay Shroff Date: Tue Dec 10 20:11:43 2024 +0530 block: Fix potential deadlock while freezing queue and acquiring sysfs_lock For storing a value to a queue attribute, the queue_attr_store function first freezes the queue (->q_usage_counter(io)) and then acquire ->sysfs_lock. This seems not correct as the usual ordering should be to acquire ->sysfs_lock before freezing the queue. This incorrect ordering causes the following lockdep splat which we are able to reproduce always simply by accessing /sys/kernel/debug file using ls command: [ 57.597146] WARNING: possible circular locking dependency detected [ 57.597154] 6.12.0-10553-gb86545e02e8c #20 Tainted: G W [ 57.597162] ------------------------------------------------------ [ 57.597168] ls/4605 is trying to acquire lock: [ 57.597176] c00000003eb56710 (&mm->mmap_lock){++++}-{4:4}, at: __might_fault+0x58/0xc0 [ 57.597200] but task is already holding lock: [ 57.597207] c0000018e27c6810 (&sb->s_type->i_mutex_key#3){++++}-{4:4}, at: iterate_dir+0x94/0x1d4 [ 57.597226] which lock already depends on the new lock. [ 57.597233] the existing dependency chain (in reverse order) is: [ 57.597241] -> #5 (&sb->s_type->i_mutex_key#3){++++}-{4:4}: [ 57.597255] down_write+0x6c/0x18c [ 57.597264] start_creating+0xb4/0x24c [ 57.597274] debugfs_create_dir+0x2c/0x1e8 [ 57.597283] blk_register_queue+0xec/0x294 [ 57.597292] add_disk_fwnode+0x2e4/0x548 [ 57.597302] brd_alloc+0x2c8/0x338 [ 57.597309] brd_init+0x100/0x178 [ 57.597317] do_one_initcall+0x88/0x3e4 [ 57.597326] kernel_init_freeable+0x3cc/0x6e0 [ 57.597334] kernel_init+0x34/0x1cc [ 57.597342] ret_from_kernel_user_thread+0x14/0x1c [ 57.597350] -> #4 (&q->debugfs_mutex){+.+.}-{4:4}: [ 57.597362] __mutex_lock+0xfc/0x12a0 [ 57.597370] blk_register_queue+0xd4/0x294 [ 57.597379] add_disk_fwnode+0x2e4/0x548 [ 57.597388] brd_alloc+0x2c8/0x338 [ 57.597395] brd_init+0x100/0x178 [ 57.597402] do_one_initcall+0x88/0x3e4 [ 57.597410] kernel_init_freeable+0x3cc/0x6e0 [ 57.597418] kernel_init+0x34/0x1cc [ 57.597426] ret_from_kernel_user_thread+0x14/0x1c [ 57.597434] -> #3 (&q->sysfs_lock){+.+.}-{4:4}: [ 57.597446] __mutex_lock+0xfc/0x12a0 [ 57.597454] queue_attr_store+0x9c/0x110 [ 57.597462] sysfs_kf_write+0x70/0xb0 [ 57.597471] kernfs_fop_write_iter+0x1b0/0x2ac [ 57.597480] vfs_write+0x3dc/0x6e8 [ 57.597488] ksys_write+0x84/0x140 [ 57.597495] system_call_exception+0x130/0x360 [ 57.597504] system_call_common+0x160/0x2c4 [ 57.597516] -> #2 (&q->q_usage_counter(io)#21){++++}-{0:0}: [ 57.597530] __submit_bio+0x5ec/0x828 [ 57.597538] submit_bio_noacct_nocheck+0x1e4/0x4f0 [ 57.597547] iomap_readahead+0x2a0/0x448 [ 57.597556] xfs_vm_readahead+0x28/0x3c [ 57.597564] read_pages+0x88/0x41c [ 57.597571] page_cache_ra_unbounded+0x1ac/0x2d8 [ 57.597580] filemap_get_pages+0x188/0x984 [ 57.597588] filemap_read+0x13c/0x4bc [ 57.597596] xfs_file_buffered_read+0x88/0x17c [ 57.597605] xfs_file_read_iter+0xac/0x158 [ 57.597614] vfs_read+0x2d4/0x3b4 [ 57.597622] ksys_read+0x84/0x144 [ 57.597629] system_call_exception+0x130/0x360 [ 57.597637] system_call_common+0x160/0x2c4 [ 57.597647] -> #1 (mapping.invalidate_lock#2){++++}-{4:4}: [ 57.597661] down_read+0x6c/0x220 [ 57.597669] filemap_fault+0x870/0x100c [ 57.597677] xfs_filemap_fault+0xc4/0x18c [ 57.597684] __do_fault+0x64/0x164 [ 57.597693] __handle_mm_fault+0x1274/0x1dac [ 57.597702] handle_mm_fault+0x248/0x484 [ 57.597711] ___do_page_fault+0x428/0xc0c [ 57.597719] hash__do_page_fault+0x30/0x68 [ 57.597727] do_hash_fault+0x90/0x35c [ 57.597736] data_access_common_virt+0x210/0x220 [ 57.597745] _copy_from_user+0xf8/0x19c [ 57.597754] sel_write_load+0x178/0xd54 [ 57.597762] vfs_write+0x108/0x6e8 [ 57.597769] ksys_write+0x84/0x140 [ 57.597777] system_call_exception+0x130/0x360 [ 57.597785] system_call_common+0x160/0x2c4 [ 57.597794] -> #0 (&mm->mmap_lock){++++}-{4:4}: [ 57.597806] __lock_acquire+0x17cc/0x2330 [ 57.597814] lock_acquire+0x138/0x400 [ 57.597822] __might_fault+0x7c/0xc0 [ 57.597830] filldir64+0xe8/0x390 [ 57.597839] dcache_readdir+0x80/0x2d4 [ 57.597846] iterate_dir+0xd8/0x1d4 [ 57.597855] sys_getdents64+0x88/0x2d4 [ 57.597864] system_call_exception+0x130/0x360 [ 57.597872] system_call_common+0x160/0x2c4 [ 57.597881] other info that might help us debug this: [ 57.597888] Chain exists of: &mm->mmap_lock --> &q->debugfs_mutex --> &sb->s_type->i_mutex_key#3 [ 57.597905] Possible unsafe locking scenario: [ 57.597911] CPU0 CPU1 [ 57.597917] ---- ---- [ 57.597922] rlock(&sb->s_type->i_mutex_key#3); [ 57.597932] lock(&q->debugfs_mutex); [ 57.597940] lock(&sb->s_type->i_mutex_key#3); [ 57.597950] rlock(&mm->mmap_lock); [ 57.597958] *** DEADLOCK *** [ 57.597965] 2 locks held by ls/4605: [ 57.597971] #0: c0000000137c12f8 (&f->f_pos_lock){+.+.}-{4:4}, at: fdget_pos+0xcc/0x154 [ 57.597989] #1: c0000018e27c6810 (&sb->s_type->i_mutex_key#3){++++}-{4:4}, at: iterate_dir+0x94/0x1d4 Prevent the above lockdep warning by acquiring ->sysfs_lock before freezing the queue while storing a queue attribute in queue_attr_store function. Later, we also found[1] another function __blk_mq_update_nr_ hw_queues where we first freeze queue and then acquire the ->sysfs_lock. So we've also updated lock ordering in __blk_mq_update_nr_hw_queues function and ensured that in all code paths we follow the correct lock ordering i.e. acquire ->sysfs_lock before freezing the queue. [1] https://lore.kernel.org/all/CAFj5m9Ke8+EHKQBs_Nk6hqd=LGXtk4mUxZUN5==ZcCjnZSBwHw@mail.gmail.com/ Reported-by: kjain@linux.ibm.com Fixes: af2814149883 ("block: freeze the queue in queue_attr_store") Tested-by: kjain@linux.ibm.com Cc: hch@lst.de Cc: axboe@kernel.dk Cc: ritesh.list@gmail.com Cc: ming.lei@redhat.com Cc: gjoyce@linux.ibm.com Signed-off-by: Nilay Shroff Reviewed-by: Ming Lei Link: https://lore.kernel.org/r/20241210144222.1066229-1-nilay@linux.ibm.com Signed-off-by: Jens Axboe commit de20dc2b9604f5130f62d19905cbfae7453fae80 Merge: a3170b7d9319f7 7b26bc6582b13a Author: Linus Torvalds Date: Fri Dec 13 09:51:40 2024 -0800 Merge tag 'sound-6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound Pull sound fixes from Takashi Iwai: "A collection of fixes; all look small, device-specific and boring" * tag 'sound-6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: ASoC: Intel: sof_sdw: Add space for a terminator into DAIs array ASoC: fsl_spdif: change IFACE_PCM to IFACE_MIXER ASoC: fsl_xcvr: change IFACE_PCM to IFACE_MIXER ASoC: tas2781: Fix calibration issue in stress test ASoC: audio-graph-card: Call of_node_put() on correct node ASoC: amd: yc: Fix the wrong return value ALSA: control: Avoid WARN() for symlink errors sound: usb: format: don't warn that raw DSD is unsupported sound: usb: enable DSD output for ddHiFi TC44C ALSA: hda/realtek: Add new alc2xx-fixup-headset-mic model ALSA: hda/ca0132: Use standard HD-audio quirk matching helpers ALSA: usb-audio: Add implicit feedback quirk for Yamaha THR5 ALSA: hda/realtek - Add support for ASUS Zen AIO 27 Z272SD_A272SD audio ALSA: hda/realtek: Fix headset mic on Acer Nitro 5 ALSA: hda: cs35l56: Remove calls to cs35l56_force_sync_asp1_registers_from_cache() commit a3170b7d9319f79235a4747164ba1aaba981e758 Merge: 266facde8367ca d9339496729f14 Author: Linus Torvalds Date: Fri Dec 13 09:46:02 2024 -0800 Merge tag 'docs-6.13-fix' of git://git.lwn.net/linux Pull documentation fix from Jonathan Corbet: "A single fix for a docs-build regression caused by the EXPORT_SYMBOL_NS() mass change" * tag 'docs-6.13-fix' of git://git.lwn.net/linux: scripts/kernel-doc: Get -export option working again commit 266facde8367cac71d748f04dfb4f72a76bfe51e Merge: f932fb9b40749d b7ffecbe198e2d Author: Linus Torvalds Date: Fri Dec 13 09:43:50 2024 -0800 Merge tag 'slab-for-6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/vbabka/slab Pull slab fix from Vlastimil Babka: - Fix for memcg unreclaimable slab stats drift when post-charging large kmalloc allocations (Shakeel Butt) * tag 'slab-for-6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/vbabka/slab: memcg: slub: fix SUnreclaim for post charged objects commit 773c05f417fa14e1ac94776619e9c978ec001f0b Author: Marc Zyngier Date: Fri Dec 13 14:10:37 2024 +0000 irqchip/gic-v3: Work around insecure GIC integrations It appears that the relatively popular RK3399 SoC has been put together using a large amount of illicit substances, as experiments reveal that its integration of GIC500 exposes the *secure* programming interface to non-secure. This has some pretty bad effects on the way priorities are handled, and results in a dead machine if booting with pseudo-NMI enabled (irqchip.gicv3_pseudo_nmi=1) if the kernel contains 18fdb6348c480 ("arm64: irqchip/gic-v3: Select priorities at boot time"), which relies on the priorities being programmed using the NS view. Let's restore some sanity by going one step further and disable security altogether in this case. This is not any worse, and puts us in a mode where priorities actually make some sense. Huge thanks to Mark Kettenis who initially identified this issue on OpenBSD, and to Chen-Yu Tsai who reported the problem in Linux. Fixes: 18fdb6348c480 ("arm64: irqchip/gic-v3: Select priorities at boot time") Reported-by: Mark Kettenis Reported-by: Chen-Yu Tsai Signed-off-by: Marc Zyngier Signed-off-by: Thomas Gleixner Tested-by: Chen-Yu Tsai Cc: stable@vger.kernel.org Link: https://lore.kernel.org/all/20241213141037.3995049-1-maz@kernel.org commit a1855f1b7c33642c9f7a01991fb763342a312e9b Author: Uros Bizjak Date: Fri Dec 13 15:57:53 2024 +0100 irqchip/gic: Correct declaration of *percpu_base pointer in union gic_base percpu_base is used in various percpu functions that expect variable in __percpu address space. Correct the declaration of percpu_base to void __iomem * __percpu *percpu_base; to declare the variable as __percpu pointer. The patch fixes several sparse warnings: irq-gic.c:1172:44: warning: incorrect type in assignment (different address spaces) irq-gic.c:1172:44: expected void [noderef] __percpu *[noderef] __iomem *percpu_base irq-gic.c:1172:44: got void [noderef] __iomem *[noderef] __percpu * ... irq-gic.c:1231:43: warning: incorrect type in argument 1 (different address spaces) irq-gic.c:1231:43: expected void [noderef] __percpu *__pdata irq-gic.c:1231:43: got void [noderef] __percpu *[noderef] __iomem *percpu_base There were no changes in the resulting object files. Signed-off-by: Uros Bizjak Signed-off-by: Thomas Gleixner Acked-by: Marc Zyngier Link: https://lore.kernel.org/all/20241213145809.2918-2-ubizjak@gmail.com commit 080b2e7b5e9ad23343e4b11f0751e4c724a78958 Author: Krzysztof Karas Date: Thu Dec 12 11:00:41 2024 +0000 drm/display: use ERR_PTR on DP tunnel manager creation fail Instead of returning a generic NULL on error from drm_dp_tunnel_mgr_create(), use error pointers with informative codes to align the function with stub that is executed when CONFIG_DRM_DISPLAY_DP_TUNNEL is unset. This will also trigger IS_ERR() in current caller (intel_dp_tunnerl_mgr_init()) instead of bypassing it via NULL pointer. v2: use error codes inside drm_dp_tunnel_mgr_create() instead of handling on caller's side (Michal, Imre) v3: fixup commit message and add "CC"/"Fixes" lines (Andi), mention aligning function code with stub Fixes: 91888b5b1ad2 ("drm/i915/dp: Add support for DP tunnel BW allocation") Cc: Imre Deak Cc: # v6.9+ Signed-off-by: Krzysztof Karas Reviewed-by: Andi Shyti Signed-off-by: Imre Deak Link: https://patchwork.freedesktop.org/patch/msgid/7q4fpnmmztmchczjewgm6igy55qt6jsm7tfd4fl4ucfq6yg2oy@q4lxtsu6445c commit 8b55f8818900c99dd4f55a59a103f5b29e41eb2c Author: Arnd Bergmann Date: Fri Oct 18 15:14:42 2024 +0000 media: mediatek: vcodec: mark vdec_vp9_slice_map_counts_eob_coef noinline With KASAN enabled, clang fails to optimize the inline version of vdec_vp9_slice_map_counts_eob_coef() properly, leading to kilobytes of temporary values spilled to the stack: drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_vp9_req_lat_if.c:1526:12: error: stack frame size (2160) exceeds limit (2048) in 'vdec_vp9_slice_update_prob' [-Werror,-Wframe-larger-than] This seems to affect all versions of clang including the latest (clang-20), but the degree of stack overhead is different per release. Marking the function as noinline_for_stack is harmless here and avoids the problem completely. Signed-off-by: Arnd Bergmann Reviewed-by: Nathan Chancellor Signed-off-by: Sebastian Fricke Signed-off-by: Mauro Carvalho Chehab commit 78f2560fc9fa5ccaaf23ac78edb732c08bad7a92 Author: Bernd Schubert Date: Tue Dec 3 00:01:10 2024 +0100 fuse: Set *nbytesp=0 in fuse_get_user_pages on allocation failure In fuse_get_user_pages(), set *nbytesp to 0 when struct page **pages allocation fails. This prevents the caller (fuse_direct_io) from making incorrect assumptions that could lead to NULL pointer dereferences when processing the request reply. Previously, *nbytesp was left unmodified on allocation failure, which could cause issues if the caller assumed pages had been added to ap->descs[] when they hadn't. Reported-by: syzbot+87b8e6ed25dbc41759f7@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=87b8e6ed25dbc41759f7 Fixes: 3b97c3652d91 ("fuse: convert direct io to use folios") Signed-off-by: Bernd Schubert Reviewed-by: Joanne Koong Tested-by: Dmitry Antipov Tested-by: David Howells Signed-off-by: Miklos Szeredi commit a6fe7b70513fbf11ffa5e85f7b6ba444497a5a3d Author: Bart Van Assche Date: Thu Dec 12 13:29:41 2024 -0800 block: Fix queue_iostats_passthrough_show() Make queue_iostats_passthrough_show() report 0/1 in sysfs instead of 0/4. This patch fixes the following sparse warning: block/blk-sysfs.c:266:31: warning: incorrect type in argument 1 (different base types) block/blk-sysfs.c:266:31: expected unsigned long var block/blk-sysfs.c:266:31: got restricted blk_flags_t Cc: Keith Busch Cc: Christoph Hellwig Fixes: 110234da18ab ("block: enable passthrough command statistics") Signed-off-by: Bart Van Assche Link: https://lore.kernel.org/r/20241212212941.1268662-4-bvanassche@acm.org Signed-off-by: Jens Axboe commit 312ccd4b755a09dc44e8a25f9c9526a4587ab53c Author: Bart Van Assche Date: Thu Dec 12 13:29:40 2024 -0800 blk-mq: Clean up blk_mq_requeue_work() Move a statement that occurs in both branches of an if-statement in front of the if-statement. Fix a typo in a source code comment. No functionality has been changed. Reviewed-by: Damien Le Moal Cc: Christoph Hellwig Signed-off-by: Bart Van Assche Reviewed-by: Christoph Hellwig Reviewed-by: Nitesh Shetty Reviewed-by: Johannes Thumshirn Link: https://lore.kernel.org/r/20241212212941.1268662-3-bvanassche@acm.org Signed-off-by: Jens Axboe commit e01424fab35d77439956ea98c915c639fbf16db0 Author: Bart Van Assche Date: Thu Dec 12 13:29:39 2024 -0800 mq-deadline: Remove a local variable Since commit fde02699c242 ("block: mq-deadline: Remove support for zone write locking"), the local variable 'insert_before' is assigned once and is used once. Hence remove this local variable. Reviewed-by: Damien Le Moal Cc: Christoph Hellwig Signed-off-by: Bart Van Assche Reviewed-by: Christoph Hellwig Reviewed-by: Nitesh Shetty Reviewed-by: Johannes Thumshirn Link: https://lore.kernel.org/r/20241212212941.1268662-2-bvanassche@acm.org Signed-off-by: Jens Axboe commit ce03573a1917532da06057da9f8e74a2ee9e2ac9 Author: Weizhao Ouyang Date: Wed Dec 11 19:16:39 2024 +0800 kselftest/arm64: abi: fix SVCR detection When using svcr_in to check ZA and Streaming Mode, we should make sure that the value in x2 is correct, otherwise it may trigger an Illegal instruction if FEAT_SVE and !FEAT_SME. Fixes: 43e3f85523e4 ("kselftest/arm64: Add SME support to syscall ABI test") Signed-off-by: Weizhao Ouyang Reviewed-by: Mark Brown Link: https://lore.kernel.org/r/20241211111639.12344-1-o451686892@gmail.com Signed-off-by: Catalin Marinas commit dda2b8c3c6ccc50deae65cc75f246577348e2ec5 Author: Lu Baolu Date: Fri Dec 13 09:17:52 2024 +0800 iommu/vt-d: Avoid draining PRQ in sva mm release path When a PASID is used for SVA by a device, it's possible that the PASID entry is cleared before the device flushes all ongoing DMA requests and removes the SVA domain. This can occur when an exception happens and the process terminates before the device driver stops DMA and calls the iommu driver to unbind the PASID. There's no need to drain the PRQ in the mm release path. Instead, the PRQ will be drained in the SVA unbind path. Unfortunately, commit c43e1ccdebf2 ("iommu/vt-d: Drain PRQs when domain removed from RID") changed this behavior by unconditionally draining the PRQ in intel_pasid_tear_down_entry(). This can lead to a potential sleeping-in-atomic-context issue. Smatch static checker warning: drivers/iommu/intel/prq.c:95 intel_iommu_drain_pasid_prq() warn: sleeping in atomic context To avoid this issue, prevent draining the PRQ in the SVA mm release path and restore the previous behavior. Fixes: c43e1ccdebf2 ("iommu/vt-d: Drain PRQs when domain removed from RID") Reported-by: Dan Carpenter Closes: https://lore.kernel.org/linux-iommu/c5187676-2fa2-4e29-94e0-4a279dc88b49@stanley.mountain/ Signed-off-by: Lu Baolu Reviewed-by: Kevin Tian Link: https://lore.kernel.org/r/20241212021529.1104745-1-baolu.lu@linux.intel.com Signed-off-by: Joerg Roedel commit 74536f91962d5f6af0a42414773ce61e653c10ee Author: Yi Liu Date: Fri Dec 13 09:17:51 2024 +0800 iommu/vt-d: Fix qi_batch NULL pointer with nested parent domain The qi_batch is allocated when assigning cache tag for a domain. While for nested parent domain, it is missed. Hence, when trying to map pages to the nested parent, NULL dereference occurred. Also, there is potential memleak since there is no lock around domain->qi_batch allocation. To solve it, add a helper for qi_batch allocation, and call it in both the __cache_tag_assign_domain() and __cache_tag_assign_parent_domain(). BUG: kernel NULL pointer dereference, address: 0000000000000200 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 8104795067 P4D 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 223 UID: 0 PID: 4357 Comm: qemu-system-x86 Not tainted 6.13.0-rc1-00028-g4b50c3c3b998-dirty #2632 Call Trace: ? __die+0x24/0x70 ? page_fault_oops+0x80/0x150 ? do_user_addr_fault+0x63/0x7b0 ? exc_page_fault+0x7c/0x220 ? asm_exc_page_fault+0x26/0x30 ? cache_tag_flush_range_np+0x13c/0x260 intel_iommu_iotlb_sync_map+0x1a/0x30 iommu_map+0x61/0xf0 batch_to_domain+0x188/0x250 iopt_area_fill_domains+0x125/0x320 ? rcu_is_watching+0x11/0x50 iopt_map_pages+0x63/0x100 iopt_map_common.isra.0+0xa7/0x190 iopt_map_user_pages+0x6a/0x80 iommufd_ioas_map+0xcd/0x1d0 iommufd_fops_ioctl+0x118/0x1c0 __x64_sys_ioctl+0x93/0xc0 do_syscall_64+0x71/0x140 entry_SYSCALL_64_after_hwframe+0x76/0x7e Fixes: 705c1cdf1e73 ("iommu/vt-d: Introduce batched cache invalidation") Cc: stable@vger.kernel.org Co-developed-by: Lu Baolu Signed-off-by: Lu Baolu Signed-off-by: Yi Liu Reviewed-by: Kevin Tian Link: https://lore.kernel.org/r/20241210130322.17175-1-yi.l.liu@intel.com Signed-off-by: Joerg Roedel commit 1f2557e08a617a4b5e92a48a1a9a6f86621def18 Author: Lu Baolu Date: Fri Dec 13 09:17:50 2024 +0800 iommu/vt-d: Remove cache tags before disabling ATS The current implementation removes cache tags after disabling ATS, leading to potential memory leaks and kernel crashes. Specifically, CACHE_TAG_DEVTLB type cache tags may still remain in the list even after the domain is freed, causing a use-after-free condition. This issue really shows up when multiple VFs from different PFs passed through to a single user-space process via vfio-pci. In such cases, the kernel may crash with kernel messages like: BUG: kernel NULL pointer dereference, address: 0000000000000014 PGD 19036a067 P4D 1940a3067 PUD 136c9b067 PMD 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 74 UID: 0 PID: 3183 Comm: testCli Not tainted 6.11.9 #2 RIP: 0010:cache_tag_flush_range+0x9b/0x250 Call Trace: ? __die+0x1f/0x60 ? page_fault_oops+0x163/0x590 ? exc_page_fault+0x72/0x190 ? asm_exc_page_fault+0x22/0x30 ? cache_tag_flush_range+0x9b/0x250 ? cache_tag_flush_range+0x5d/0x250 intel_iommu_tlb_sync+0x29/0x40 intel_iommu_unmap_pages+0xfe/0x160 __iommu_unmap+0xd8/0x1a0 vfio_unmap_unpin+0x182/0x340 [vfio_iommu_type1] vfio_remove_dma+0x2a/0xb0 [vfio_iommu_type1] vfio_iommu_type1_ioctl+0xafa/0x18e0 [vfio_iommu_type1] Move cache_tag_unassign_domain() before iommu_disable_pci_caps() to fix it. Fixes: 3b1d9e2b2d68 ("iommu/vt-d: Add cache tag assignment interface") Cc: stable@vger.kernel.org Signed-off-by: Lu Baolu Reviewed-by: Kevin Tian Link: https://lore.kernel.org/r/20241129020506.576413-1-baolu.lu@linux.intel.com Signed-off-by: Joerg Roedel commit a3b4647e2f9ae8e8c6829ce637945b3c07a727ad Author: Kevin Brodsky Date: Tue Dec 10 16:09:40 2024 +0000 arm64: signal: Ensure signal delivery failure is recoverable Commit eaf62ce1563b ("arm64/signal: Set up and restore the GCS context for signal handlers") introduced a potential failure point at the end of setup_return(). This is unfortunate as it is too late to deliver a SIGSEGV: if that SIGSEGV is handled, the subsequent sigreturn will end up returning to the original handler, which is not the intention (since we failed to deliver that signal). Make sure this does not happen by calling gcs_signal_entry() at the very beginning of setup_return(), and add a comment just after to discourage error cases being introduced from that point onwards. While at it, also take care of copy_siginfo_to_user(): since it may fail, we shouldn't be calling it after setup_return() either. Call it before setup_return() instead, and move the setting of X1/X2 inside setup_return() where it belongs (after the "point of no failure"). Background: the first part of setup_rt_frame(), including setup_sigframe(), has no impact on the execution of the interrupted thread. The signal frame is written to the stack, but the stack pointer remains unchanged. Failure at this stage can be recovered by a SIGSEGV handler, and sigreturn will restore the original context, at the point where the original signal occurred. On the other hand, once setup_return() has updated registers including SP, the thread's control flow has been modified and we must deliver the original signal. Fixes: eaf62ce1563b ("arm64/signal: Set up and restore the GCS context for signal handlers") Signed-off-by: Kevin Brodsky Reviewed-by: Dave Martin Reviewed-by: Mark Brown Link: https://lore.kernel.org/r/20241210160940.2031997-1-kevin.brodsky@arm.com Signed-off-by: Catalin Marinas commit 0bb1968da2737ba68fd63857d1af2b301a18d3bf Author: Ming-Hung Tsai Date: Thu Dec 5 19:41:53 2024 +0800 dm array: fix cursor index when skipping across block boundaries dm_array_cursor_skip() seeks to the target position by loading array blocks iteratively until the specified number of entries to skip is reached. When seeking across block boundaries, it uses dm_array_cursor_next() to step into the next block. dm_array_cursor_skip() must first move the cursor index to the end of the current block; otherwise, the cursor position could incorrectly remain in the same block, causing the actual number of skipped entries to be much smaller than expected. This bug affects cache resizing in v2 metadata and could lead to data loss if the fast device is shrunk during the first-time resume. For example: 1. create a cache metadata consists of 32768 blocks, with a dirty block assigned to the second bitmap block. cache_restore v1.0 is required. cat <> cmeta.xml EOF dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" cache_restore -i cmeta.xml -o /dev/mapper/cmeta --metadata-version=2 2. bring up the cache while attempt to discard all the blocks belonging to the second bitmap block (block# 32576 to 32767). The last command is expected to fail, but it actually succeeds. dmsetup create cdata --table "0 2084864 linear /dev/sdc 8192" dmsetup create corig --table "0 65536 linear /dev/sdc 2105344" dmsetup create cache --table "0 65536 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 64 2 metadata2 writeback smq \ 2 migration_threshold 0" In addition to the reproducer described above, this fix can be verified using the "array_cursor/skip" tests in dm-unit: dm-unit run /pdata/array_cursor/skip/ --kernel-dir Signed-off-by: Ming-Hung Tsai Fixes: 9b696229aa7d ("dm persistent data: add cursor skip functions to the cursor APIs") Reviewed-by: Joe Thornber Signed-off-by: Mike Snitzer commit 626f128ee9c4133b1cfce4be2b34a1508949370e Author: Ming-Hung Tsai Date: Thu Dec 5 19:41:52 2024 +0800 dm array: fix unreleased btree blocks on closing a faulty array cursor The cached block pointer in dm_array_cursor might be NULL if it reaches an unreadable array block, or the array is empty. Therefore, dm_array_cursor_end() should call dm_btree_cursor_end() unconditionally, to prevent leaving unreleased btree blocks. This fix can be verified using the "array_cursor/iterate/empty" test in dm-unit: dm-unit run /pdata/array_cursor/iterate/empty --kernel-dir Signed-off-by: Ming-Hung Tsai Fixes: fdd1315aa5f0 ("dm array: introduce cursor api") Reviewed-by: Joe Thornber Signed-off-by: Mike Snitzer commit f2893c0804d86230ffb8f1c8703fdbb18648abc8 Author: Ming-Hung Tsai Date: Thu Dec 5 19:41:51 2024 +0800 dm array: fix releasing a faulty array block twice in dm_array_cursor_end When dm_bm_read_lock() fails due to locking or checksum errors, it releases the faulty block implicitly while leaving an invalid output pointer behind. The caller of dm_bm_read_lock() should not operate on this invalid dm_block pointer, or it will lead to undefined result. For example, the dm_array_cursor incorrectly caches the invalid pointer on reading a faulty array block, causing a double release in dm_array_cursor_end(), then hitting the BUG_ON in dm-bufio cache_put(). Reproduce steps: 1. initialize a cache device dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 65536 linear /dev/sdc 8192" dmsetup create corig --table "0 524288 linear /dev/sdc $262144" dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0" 2. wipe the second array block offline dmsteup remove cache cmeta cdata corig mapping_root=$(dd if=/dev/sdc bs=1c count=8 skip=192 \ 2>/dev/null | hexdump -e '1/8 "%u\n"') ablock=$(dd if=/dev/sdc bs=1c count=8 skip=$((4096*mapping_root+2056)) \ 2>/dev/null | hexdump -e '1/8 "%u\n"') dd if=/dev/zero of=/dev/sdc bs=4k count=1 seek=$ablock 3. try reopen the cache device dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 65536 linear /dev/sdc 8192" dmsetup create corig --table "0 524288 linear /dev/sdc $262144" dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0" Kernel logs: (snip) device-mapper: array: array_block_check failed: blocknr 0 != wanted 10 device-mapper: block manager: array validator check failed for block 10 device-mapper: array: get_ablock failed device-mapper: cache metadata: dm_array_cursor_next for mapping failed ------------[ cut here ]------------ kernel BUG at drivers/md/dm-bufio.c:638! Fix by setting the cached block pointer to NULL on errors. In addition to the reproducer described above, this fix can be verified using the "array_cursor/damaged" test in dm-unit: dm-unit run /pdata/array_cursor/damaged --kernel-dir Signed-off-by: Ming-Hung Tsai Fixes: fdd1315aa5f0 ("dm array: introduce cursor api") Reviewed-by: Joe Thornber Signed-off-by: Mike Snitzer commit f578281000c50cae991c40e1f68b2fc0b1b9e60e Merge: c9bc45b346fc04 6fe437cfe2cdc7 Author: Arnd Bergmann Date: Fri Dec 13 14:26:22 2024 +0100 Merge tag 'ffa-fix-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/sudeep.holla/linux into arm/fixes Arm FF-A fix for v6.13 A single fix to address a possible race around setting ffa_dev->properties in ffa_device_register() by updating ffa_device_register() to take all the partition information received from the firmware and updating the struct ffa_device accordingly before registering the device to the bus/driver model in the kernel. * tag 'ffa-fix-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/sudeep.holla/linux: firmware: arm_ffa: Fix the race around setting ffa_dev->properties Link: https://lore.kernel.org/r/20241210101113.3232602-1-sudeep.holla@arm.com Signed-off-by: Arnd Bergmann commit b83accfec0811421df065f820e73ca8df7f6439a Author: Jeff Johnson Date: Thu Dec 12 08:27:05 2024 -0800 MAINTAINERS: wifi: ath: add Jeff Johnson as maintainer The "ATHEROS ATH GENERIC UTILITIES" entry shares the same git tree as the ATH10K, ATH11K, and ATH12K entries which I already maintain, so add me to that entry as well. Signed-off-by: Jeff Johnson Signed-off-by: Kalle Valo Link: https://patch.msgid.link/20241212-ath-maintainer-v1-1-7ea5e86780a8@kernel.org commit aa21f333c86c8a09d39189de87abb0153d338190 Author: Miklos Szeredi Date: Wed Dec 11 13:11:17 2024 +0100 fs: fix is_mnt_ns_file() Commit 1fa08aece425 ("nsfs: convert to path_from_stashed() helper") reused nsfs dentry's d_fsdata, which no longer contains a pointer to proc_ns_operations. Fix the remaining use in is_mnt_ns_file(). Fixes: 1fa08aece425 ("nsfs: convert to path_from_stashed() helper") Cc: stable@vger.kernel.org # v6.9 Signed-off-by: Miklos Szeredi Link: https://lore.kernel.org/r/20241211121118.85268-1-mszeredi@redhat.com Acked-by: Al Viro Reviewed-by: Jeff Layton Signed-off-by: Christian Brauner commit 0e8c52091633b354b12d0c29a27a22077584c111 Author: Emmanuel Grumbach Date: Thu Dec 12 13:29:42 2024 +0200 wifi: iwlwifi: fix CRF name for Bz We had BE201 hard coded. Look at the RF_ID and decide based on its value. Fixes: 6795a37161fb ("wifi: iwlwifi: Print a specific device name.") Signed-off-by: Emmanuel Grumbach Signed-off-by: Miri Korenblit Link: https://patch.msgid.link/20241212132940.b9eebda1ca60.I36791a134ed5e538e059418eb6520761da97b44c@changeid Signed-off-by: Johannes Berg commit c7f7e9c73178e0e342486fd31e7f363ef60e3f83 Author: Vineeth Pillai (Google) Date: Thu Dec 12 22:22:37 2024 -0500 sched/dlserver: Fix dlserver time accounting dlserver time is accounted when: - dlserver is active and the dlserver proxies the cfs task. - dlserver is active but deferred and cfs task runs after being picked through the normal fair class pick. dl_server_update is called in two places to make sure that both the above times are accounted for. But it doesn't check if dlserver is active or not. Now that we have this dl_server_active flag, we can consolidate dl_server_update into one place and all we need to check is whether dlserver is active or not. When dlserver is active there is only two possible conditions: - dlserver is deferred. - cfs task is running on behalf of dlserver. Fixes: a110a81c52a9 ("sched/deadline: Deferrable dl server") Signed-off-by: "Vineeth Pillai (Google)" Signed-off-by: Peter Zijlstra (Intel) Tested-by: Marcel Ziswiler # ROCK 5B Link: https://lore.kernel.org/r/20241213032244.877029-2-vineeth@bitbyteword.org commit b53127db1dbf7f1047cf35c10922d801dcd40324 Author: Vineeth Pillai (Google) Date: Thu Dec 12 22:22:36 2024 -0500 sched/dlserver: Fix dlserver double enqueue dlserver can get dequeued during a dlserver pick_task due to the delayed deueue feature and this can lead to issues with dlserver logic as it still thinks that dlserver is on the runqueue. The dlserver throttling and replenish logic gets confused and can lead to double enqueue of dlserver. Double enqueue of dlserver could happend due to couple of reasons: Case 1 ------ Delayed dequeue feature[1] can cause dlserver being stopped during a pick initiated by dlserver: __pick_next_task pick_task_dl -> server_pick_task pick_task_fair pick_next_entity (if (sched_delayed)) dequeue_entities dl_server_stop server_pick_task goes ahead with update_curr_dl_se without knowing that dlserver is dequeued and this confuses the logic and may lead to unintended enqueue while the server is stopped. Case 2 ------ A race condition between a task dequeue on one cpu and same task's enqueue on this cpu by a remote cpu while the lock is released causing dlserver double enqueue. One cpu would be in the schedule() and releasing RQ-lock: current->state = TASK_INTERRUPTIBLE(); schedule(); deactivate_task() dl_stop_server(); pick_next_task() pick_next_task_fair() sched_balance_newidle() rq_unlock(this_rq) at which point another CPU can take our RQ-lock and do: try_to_wake_up() ttwu_queue() rq_lock() ... activate_task() dl_server_start() --> first enqueue wakeup_preempt() := check_preempt_wakeup_fair() update_curr() update_curr_task() if (current->dl_server) dl_server_update() enqueue_dl_entity() --> second enqueue This bug was not apparent as the enqueue in dl_server_start doesn't usually happen because of the defer logic. But as a side effect of the first case(dequeue during dlserver pick), dl_throttled and dl_yield will be set and this causes the time accounting of dlserver to messup and then leading to a enqueue in dl_server_start. Have an explicit flag representing the status of dlserver to avoid the confusion. This is set in dl_server_start and reset in dlserver_stop. Fixes: 63ba8422f876 ("sched/deadline: Introduce deadline servers") Suggested-by: Peter Zijlstra Signed-off-by: "Vineeth Pillai (Google)" Signed-off-by: Peter Zijlstra (Intel) Tested-by: Marcel Ziswiler # ROCK 5B Link: https://lkml.kernel.org/r/20241213032244.877029-1-vineeth@bitbyteword.org commit d2bd3fcb825725a59c8880070b1206b1710922bd Author: Michael Trimarchi Date: Thu Dec 5 17:29:58 2024 +0100 drm/panel: synaptics-r63353: Fix regulator unbalance The shutdown function can be called when the display is already unprepared. For example during reboot this trigger a kernel backlog. Calling the drm_panel_unprepare, allow us to avoid to trigger the kernel warning. Fixes: 2e87bad7cd33 ("drm/panel: Add Synaptics R63353 panel driver") Tested-by: Dario Binacchi Signed-off-by: Michael Trimarchi Signed-off-by: Dario Binacchi Reviewed-by: Neil Armstrong Reviewed-by: Jessica Zhang Link: https://lore.kernel.org/r/20241205163002.1804784-1-dario.binacchi@amarulasolutions.com Signed-off-by: Neil Armstrong Link: https://patchwork.freedesktop.org/patch/msgid/20241205163002.1804784-1-dario.binacchi@amarulasolutions.com commit 406dd4c7984a457567ca652455d5efad81983f02 Author: Marek Vasut Date: Sun Nov 24 23:48:07 2024 +0100 drm/panel: st7701: Add prepare_prev_first flag to drm_panel The DSI host must be enabled for the panel to be initialized in prepare(). Set the prepare_prev_first flag to guarantee this. This fixes the panel operation on NXP i.MX8MP SoC / Samsung DSIM DSI host. Fixes: 849b2e3ff969 ("drm/panel: Add Sitronix ST7701 panel driver") Signed-off-by: Marek Vasut Reviewed-by: Jessica Zhang Link: https://lore.kernel.org/r/20241124224812.150263-1-marex@denx.de Signed-off-by: Neil Armstrong Link: https://patchwork.freedesktop.org/patch/msgid/20241124224812.150263-1-marex@denx.de commit f8fd0968eff52cf092c0d517d17507ea2f6e5ea5 Author: Yang Yingliang Date: Tue Oct 29 20:39:57 2024 +0800 drm/panel: novatek-nt35950: fix return value check in nt35950_probe() mipi_dsi_device_register_full() never returns NULL pointer, it will return ERR_PTR() when it fails, so replace the check with IS_ERR(). Fixes: 623a3531e9cf ("drm/panel: Add driver for Novatek NT35950 DSI DriverIC panels") Signed-off-by: Yang Yingliang Reviewed-by: Neil Armstrong Link: https://lore.kernel.org/r/20241029123957.1588-1-yangyingliang@huaweicloud.com Signed-off-by: Neil Armstrong Link: https://patchwork.freedesktop.org/patch/msgid/20241029123957.1588-1-yangyingliang@huaweicloud.com commit e1e1af9148dc4c866eda3fb59cd6ec3c7ea34b1d Author: Zhang Zekun Date: Fri Oct 25 15:34:08 2024 +0800 drm/panel: himax-hx83102: Add a check to prevent NULL pointer dereference drm_mode_duplicate() could return NULL due to lack of memory, which will then call NULL pointer dereference. Add a check to prevent it. Fixes: 0ef94554dc40 ("drm/panel: himax-hx83102: Break out as separate driver") Signed-off-by: Zhang Zekun Reviewed-by: Neil Armstrong Link: https://lore.kernel.org/r/20241025073408.27481-3-zhangzekun11@huawei.com Signed-off-by: Neil Armstrong Link: https://patchwork.freedesktop.org/patch/msgid/20241025073408.27481-3-zhangzekun11@huawei.com commit a2796dff62d6c6bfc5fbebdf2bee0d5ac0438906 Author: Juergen Gross Date: Wed Oct 16 10:40:26 2024 +0200 x86/xen: don't do PV iret hypercall through hypercall page Instead of jumping to the Xen hypercall page for doing the iret hypercall, directly code the required sequence in xen-asm.S. This is done in preparation of no longer using hypercall page at all, as it has shown to cause problems with speculation mitigations. This is part of XSA-466 / CVE-2024-53241. Reported-by: Andrew Cooper Signed-off-by: Juergen Gross Reviewed-by: Jan Beulich commit 0ef8047b737d7480a5d4c46d956e97c190f13050 Author: Juergen Gross Date: Fri Nov 29 16:15:54 2024 +0100 x86/static-call: provide a way to do very early static-call updates Add static_call_update_early() for updating static-call targets in very early boot. This will be needed for support of Xen guest type specific hypercall functions. This is part of XSA-466 / CVE-2024-53241. Reported-by: Andrew Cooper Signed-off-by: Juergen Gross Co-developed-by: Peter Zijlstra Co-developed-by: Josh Poimboeuf commit dda014ba59331dee4f3b773a020e109932f4bd24 Author: Juergen Gross Date: Fri Nov 29 15:47:49 2024 +0100 objtool/x86: allow syscall instruction The syscall instruction is used in Xen PV mode for doing hypercalls. Allow syscall to be used in the kernel in case it is tagged with an unwind hint for objtool. This is part of XSA-466 / CVE-2024-53241. Reported-by: Andrew Cooper Signed-off-by: Juergen Gross Co-developed-by: Peter Zijlstra commit efbcd61d9bebb771c836a3b8bfced8165633db7c Author: Juergen Gross Date: Thu Oct 17 08:29:48 2024 +0200 x86: make get_cpu_vendor() accessible from Xen code In order to be able to differentiate between AMD and Intel based systems for very early hypercalls without having to rely on the Xen hypercall page, make get_cpu_vendor() non-static. Refactor early_cpu_init() for the same reason by splitting out the loop initializing cpu_devs() into an externally callable function. This is part of XSA-466 / CVE-2024-53241. Reported-by: Andrew Cooper Signed-off-by: Juergen Gross commit f9244fb55f37356f75c739c57323d9422d7aa0f8 Author: Juergen Gross Date: Thu Nov 7 16:17:00 2024 +0100 xen/netfront: fix crash when removing device When removing a netfront device directly after a suspend/resume cycle it might happen that the queues have not been setup again, causing a crash during the attempt to stop the queues another time. Fix that by checking the queues are existing before trying to stop them. This is XSA-465 / CVE-2024-53240. Reported-by: Marek Marczykowski-Górecki Fixes: d50b7914fae0 ("xen-netfront: Fix NULL sring after live migration") Signed-off-by: Juergen Gross commit 145ac100b63732291c0612528444d7f5ab593fb2 Author: Jiri Slaby (SUSE) Date: Wed Dec 11 08:05:03 2024 +0100 efi/esrt: remove esre_attribute::store() esre_attribute::store() is not needed since commit af97a77bc01c (efi: Move some sysfs files to be read-only by root). Drop it. Found by https://github.com/jirislaby/clang-struct. Signed-off-by: Jiri Slaby (SUSE) Cc: Ard Biesheuvel Cc: linux-efi@vger.kernel.org Signed-off-by: Ard Biesheuvel commit bf354410af832232db8438afe006bb12675778bc Merge: f932fb9b40749d 12f2930f5f91bc Author: Carlos Maiolino Date: Fri Dec 13 07:47:12 2024 +0100 Merge tag 'xfs-6.13-fixes_2024-12-12' of https://git.kernel.org/pub/scm/linux/kernel/git/djwong/xfs-linux into next-rc xfs: bug fixes for 6.13 [01/12] Bug fixes for 6.13. This has been running on the djcloud for months with no problems. Enjoy! Signed-off-by: "Darrick J. Wong" Signed-off-by: Carlos Maiolino commit 12f2930f5f91bc0d67794c69d1961098c7c72040 Author: Darrick J. Wong Date: Mon Dec 2 10:58:11 2024 -0800 xfs: port xfs_ioc_start_commit to multigrain timestamps Take advantage of the multigrain timestamp APIs to ensure that nobody can sneak in and write things to a file between starting a file update operation and committing the results. This should have been part of the multigrain timestamp merge, but I forgot to fling it at jlayton when he resubmitted the patchset due to developer bandwidth problems. Cc: # v6.13-rc1 Fixes: 4e40eff0b5737c ("fs: add infrastructure for multigrain timestamps") Signed-off-by: Darrick J. Wong Reviewed-by: Christoph Hellwig Reviewed-by: Jeff Layton commit 7f8b718c58783f3ff0810b39e2f62f50ba2549f6 Author: Darrick J. Wong Date: Mon Dec 2 10:57:43 2024 -0800 xfs: return from xfs_symlink_verify early on V4 filesystems V4 symlink blocks didn't have headers, so return early if this is a V4 filesystem. Cc: # v5.1 Fixes: 39708c20ab5133 ("xfs: miscellaneous verifier magic value fixups") Signed-off-by: "Darrick J. Wong" Reviewed-by: Christoph Hellwig commit c004a793e0ec34047c3bd423bcd8966f5fac88dc Author: Darrick J. Wong Date: Mon Dec 2 10:57:42 2024 -0800 xfs: fix zero byte checking in the superblock scrubber The logic to check that the region past the end of the superblock is all zeroes is wrong -- we don't want to check only the bytes past the end of the maximally sized ondisk superblock structure as currently defined in xfs_format.h; we want to check the bytes beyond the end of the ondisk as defined by the feature bits. Port the superblock size logic from xfs_repair and then put it to use in xfs_scrub. Cc: # v4.15 Fixes: 21fb4cb1981ef7 ("xfs: scrub the secondary superblocks") Signed-off-by: "Darrick J. Wong" Reviewed-by: Christoph Hellwig commit 06b20ef09ba16374e1e68f1e8dbe434c4ad4e6fd Author: Darrick J. Wong Date: Mon Dec 2 10:57:42 2024 -0800 xfs: check pre-metadir fields correctly The checks that were added to the superblock scrubber for metadata directories aren't quite right -- the old inode pointers are now defined to be zeroes until someone else reuses them. Also consolidate the new metadir field checks to one place; they were inexplicably scattered around. Cc: # v6.13-rc1 Fixes: 28d756d4d562dc ("xfs: update sb field checks when metadir is turned on") Signed-off-by: "Darrick J. Wong" Reviewed-by: Christoph Hellwig commit e57e083be9b9bc5c341e1245b988f290c09a5ed7 Author: Darrick J. Wong Date: Mon Dec 2 10:57:41 2024 -0800 xfs: don't crash on corrupt /quotas dirent If the /quotas dirent points to an inode but the inode isn't loadable (and hence mkdir returns -EEXIST), don't crash, just bail out. Cc: # v6.13-rc1 Fixes: e80fbe1ad8eff7 ("xfs: use metadir for quota inodes") Signed-off-by: "Darrick J. Wong" Reviewed-by: Christoph Hellwig commit 3853b5e1d7ccb83f572df8a12619d1a58d266d6d Author: Darrick J. Wong Date: Mon Dec 2 10:57:40 2024 -0800 xfs: don't move nondir/nonreg temporary repair files to the metadir namespace Only directories or regular files are allowed in the metadata directory tree. Don't move the repair tempfile to the metadir namespace if this is not true; this will cause the inode verifiers to trip. xrep_tempfile_adjust_directory_tree opportunistically moves sc->tempip from the regular directory tree to the metadata directory tree if sc->ip is part of the metadata directory tree. However, the scrub setup functions grab sc->ip and create sc->tempip before we actually get around to checking if the file mode is the right type for the scrubber. IOWs, you can invoke the symlink scrubber with the file handle of a subdirectory in the metadir. xrep_setup_symlink will create a temporary symlink file, xrep_tempfile_adjust_directory_tree will foolishly try to set the METADATA flag on the temp symlink, which trips the inode verifier in the inode item precommit, which shuts down the filesystem when expensive checks are turned on. If they're /not/ turned on, then xchk_symlink will return ENOENT when it sees that it's been passed a symlink, but the invalid inode could still get flushed to disk. We don't want that. Cc: # v6.13-rc1 Fixes: 9dc31acb01a1c7 ("xfs: move repair temporary files to the metadata directory tree") Signed-off-by: "Darrick J. Wong" Reviewed-by: Christoph Hellwig commit 7f8a44f37229fc76bfcafa341a4b8862368ef44a Author: Darrick J. Wong Date: Mon Dec 2 10:57:39 2024 -0800 xfs: fix sb_spino_align checks for large fsblock sizes For a sparse inodes filesystem, mkfs.xfs computes the values of sb_spino_align and sb_inoalignmt with the following code: int cluster_size = XFS_INODE_BIG_CLUSTER_SIZE; if (cfg->sb_feat.crcs_enabled) cluster_size *= cfg->inodesize / XFS_DINODE_MIN_SIZE; sbp->sb_spino_align = cluster_size >> cfg->blocklog; sbp->sb_inoalignmt = XFS_INODES_PER_CHUNK * cfg->inodesize >> cfg->blocklog; On a V5 filesystem with 64k fsblocks and 512 byte inodes, this results in cluster_size = 8192 * (512 / 256) = 16384. As a result, sb_spino_align and sb_inoalignmt are both set to zero. Unfortunately, this trips the new sb_spino_align check that was just added to xfs_validate_sb_common, and the mkfs fails: # mkfs.xfs -f -b size=64k, /dev/sda meta-data=/dev/sda isize=512 agcount=4, agsize=81136 blks = sectsz=512 attr=2, projid32bit=1 = crc=1 finobt=1, sparse=1, rmapbt=1 = reflink=1 bigtime=1 inobtcount=1 nrext64=1 = exchange=0 metadir=0 data = bsize=65536 blocks=324544, imaxpct=25 = sunit=0 swidth=0 blks naming =version 2 bsize=65536 ascii-ci=0, ftype=1, parent=0 log =internal log bsize=65536 blocks=5006, version=2 = sectsz=512 sunit=0 blks, lazy-count=1 realtime =none extsz=65536 blocks=0, rtextents=0 = rgcount=0 rgsize=0 extents Discarding blocks...Sparse inode alignment (0) is invalid. Metadata corruption detected at 0x560ac5a80bbe, xfs_sb block 0x0/0x200 libxfs_bwrite: write verifier failed on xfs_sb bno 0x0/0x1 mkfs.xfs: Releasing dirty buffer to free list! found dirty buffer (bulk) on free list! Sparse inode alignment (0) is invalid. Metadata corruption detected at 0x560ac5a80bbe, xfs_sb block 0x0/0x200 libxfs_bwrite: write verifier failed on xfs_sb bno 0x0/0x1 mkfs.xfs: writing AG headers failed, err=22 Prior to commit 59e43f5479cce1 this all worked fine, even if "sparse" inodes are somewhat meaningless when everything fits in a single fsblock. Adjust the checks to handle existing filesystems. Cc: # v6.13-rc1 Fixes: 59e43f5479cce1 ("xfs: sb_spino_align is not verified") Signed-off-by: "Darrick J. Wong" Reviewed-by: Christoph Hellwig commit ca378189fdfa890a4f0622f85ee41b710bbac271 Author: Darrick J. Wong Date: Mon Dec 2 10:57:39 2024 -0800 xfs: convert quotacheck to attach dquot buffers Now that we've converted the dquot logging machinery to attach the dquot buffer to the li_buf pointer so that the AIL dqflush doesn't have to allocate or read buffers in a reclaim path, do the same for the quotacheck code so that the reclaim shrinker dqflush call doesn't have to do that either. Cc: # v6.12 Fixes: 903edea6c53f09 ("mm: warn about illegal __GFP_NOFAIL usage in a more appropriate location and manner") Signed-off-by: "Darrick J. Wong" Reviewed-by: Christoph Hellwig commit acc8f8628c3737108f36e5637f4d5daeaf96d90e Author: Darrick J. Wong Date: Mon Dec 2 10:57:38 2024 -0800 xfs: attach dquot buffer to dquot log item buffer Ever since 6.12-rc1, I've observed a pile of warnings from the kernel when running fstests with quotas enabled: WARNING: CPU: 1 PID: 458580 at mm/page_alloc.c:4221 __alloc_pages_noprof+0xc9c/0xf18 CPU: 1 UID: 0 PID: 458580 Comm: xfsaild/sda3 Tainted: G W 6.12.0-rc6-djwa #rc6 6ee3e0e531f6457e2d26aa008a3b65ff184b377c Call trace: __alloc_pages_noprof+0xc9c/0xf18 alloc_pages_mpol_noprof+0x94/0x240 alloc_pages_noprof+0x68/0xf8 new_slab+0x3e0/0x568 ___slab_alloc+0x5a0/0xb88 __slab_alloc.constprop.0+0x7c/0xf8 __kmalloc_noprof+0x404/0x4d0 xfs_buf_get_map+0x594/0xde0 [xfs 384cb02810558b4c490343c164e9407332118f88] xfs_buf_read_map+0x64/0x2e0 [xfs 384cb02810558b4c490343c164e9407332118f88] xfs_trans_read_buf_map+0x1dc/0x518 [xfs 384cb02810558b4c490343c164e9407332118f88] xfs_qm_dqflush+0xac/0x468 [xfs 384cb02810558b4c490343c164e9407332118f88] xfs_qm_dquot_logitem_push+0xe4/0x148 [xfs 384cb02810558b4c490343c164e9407332118f88] xfsaild+0x3f4/0xde8 [xfs 384cb02810558b4c490343c164e9407332118f88] kthread+0x110/0x128 ret_from_fork+0x10/0x20 ---[ end trace 0000000000000000 ]--- This corresponds to the line: WARN_ON_ONCE(current->flags & PF_MEMALLOC); within the NOFAIL checks. What's happening here is that the XFS AIL is trying to write a disk quota update back into the filesystem, but for that it needs to read the ondisk buffer for the dquot. The buffer is not in memory anymore, probably because it was evicted. Regardless, the buffer cache tries to allocate a new buffer, but those allocations are NOFAIL. The AIL thread has marked itself PF_MEMALLOC (aka noreclaim) since commit 43ff2122e6492b ("xfs: on-stack delayed write buffer lists") presumably because reclaim can push on XFS to push on the AIL. An easy way to fix this probably would have been to drop the NOFAIL flag from the xfs_buf allocation and open code a retry loop, but then there's still the problem that for bs>ps filesystems, the buffer itself could require up to 64k worth of pages. Inode items had similar behavior (multi-page cluster buffers that we don't want to allocate in the AIL) which we solved by making transaction precommit attach the inode cluster buffers to the dirty log item. Let's solve the dquot problem in the same way. So: Make a real precommit handler to read the dquot buffer and attach it to the log item; pass it to dqflush in the push method; and have the iodone function detach the buffer once we've flushed everything. Add a state flag to the log item to track when a thread has entered the precommit -> push mechanism to skip the detaching if it turns out that the dquot is very busy, as we don't hold the dquot lock between log item commit and AIL push). Reading and attaching the dquot buffer in the precommit hook is inspired by the work done for inode cluster buffers some time ago. Cc: # v6.12 Fixes: 903edea6c53f09 ("mm: warn about illegal __GFP_NOFAIL usage in a more appropriate location and manner") Signed-off-by: "Darrick J. Wong" Reviewed-by: Christoph Hellwig commit ec88b41b932d5731291dcc0d0d63ea13ab8e07d5 Author: Darrick J. Wong Date: Mon Dec 2 10:57:37 2024 -0800 xfs: clean up log item accesses in xfs_qm_dqflush{,_done} Clean up these functions a little bit before we move on to the real modifications, and make the variable naming consistent for dquot log items. Signed-off-by: "Darrick J. Wong" Reviewed-by: Christoph Hellwig commit a40fe30868ba433ac08376e30132400bec067583 Author: Darrick J. Wong Date: Mon Dec 2 10:57:36 2024 -0800 xfs: separate dquot buffer reads from xfs_dqflush The first step towards holding the dquot buffer in the li_buf instead of reading it in the AIL is to separate the part that reads the buffer from the actual flush code. There should be no functional changes. Signed-off-by: "Darrick J. Wong" Reviewed-by: Christoph Hellwig commit 07137e925fa951646325762bda6bd2503dfe64c6 Author: Darrick J. Wong Date: Mon Dec 2 10:57:36 2024 -0800 xfs: don't lose solo dquot update transactions Quota counter updates are tracked via incore objects which hang off the xfs_trans object. These changes are then turned into dirty log items in xfs_trans_apply_dquot_deltas just prior to commiting the log items to the CIL. However, updating the incore deltas do not cause XFS_TRANS_DIRTY to be set on the transaction. In other words, a pure quota counter update will be silently discarded if there are no other dirty log items attached to the transaction. This is currently not the case anywhere in the filesystem because quota updates always dirty at least one other metadata item, but a subsequent bug fix will add dquot log item precommits, so we actually need a dirty dquot log item prior to xfs_trans_run_precommits. Also let's not leave a logic bomb. Cc: # v2.6.35 Fixes: 0924378a689ccb ("xfs: split out iclog writing from xfs_trans_commit()") Signed-off-by: "Darrick J. Wong" Reviewed-by: Christoph Hellwig commit 3762113b597fa600d4e03300eec048256c546b1c Author: Darrick J. Wong Date: Mon Dec 2 10:57:35 2024 -0800 xfs: don't lose solo superblock counter update transactions Superblock counter updates are tracked via per-transaction counters in the xfs_trans object. These changes are then turned into dirty log items in xfs_trans_apply_sb_deltas just prior to commiting the log items to the CIL. However, updating the per-transaction counter deltas do not cause XFS_TRANS_DIRTY to be set on the transaction. In other words, a pure sb counter update will be silently discarded if there are no other dirty log items attached to the transaction. This is currently not the case anywhere in the filesystem because sb counter updates always dirty at least one other metadata item, but let's not leave a logic bomb. Signed-off-by: "Darrick J. Wong" Reviewed-by: Christoph Hellwig commit a004afdc62946d3261f724c6472997085c4f0735 Author: Darrick J. Wong Date: Mon Dec 2 10:57:34 2024 -0800 xfs: avoid nested calls to __xfs_trans_commit Currently, __xfs_trans_commit calls xfs_defer_finish_noroll, which calls __xfs_trans_commit again on the same transaction. In other words, there's a nested function call (albeit with slightly different arguments) that has caused minor amounts of confusion in the past. There's no reason to keep this around, since there's only one place where we actually want the xfs_defer_finish_noroll, and that is in the top level xfs_trans_commit call. This also reduces stack usage a little bit. Signed-off-by: "Darrick J. Wong" Reviewed-by: Christoph Hellwig commit 44d9b07e52db25035680713c3428016cadcd2ea1 Author: Darrick J. Wong Date: Mon Dec 2 10:57:33 2024 -0800 xfs: only run precommits once per transaction object Committing a transaction tx0 with a defer ops chain of (A, B, C) creates a chain of transactions that looks like this: tx0 -> txA -> txB -> txC Prior to commit cb042117488dbf, __xfs_trans_commit would run precommits on tx0, then call xfs_defer_finish_noroll to convert A-C to tx[A-C]. Unfortunately, after the finish_noroll loop we forgot to run precommits on txC. That was fixed by adding the second precommit call. Unfortunately, none of us remembered that xfs_defer_finish_noroll calls __xfs_trans_commit a second time to commit tx0 before finishing work A in txA and committing that. In other words, we run precommits twice on tx0: xfs_trans_commit(tx0) __xfs_trans_commit(tx0, false) xfs_trans_run_precommits(tx0) xfs_defer_finish_noroll(tx0) xfs_trans_roll(tx0) txA = xfs_trans_dup(tx0) __xfs_trans_commit(tx0, true) xfs_trans_run_precommits(tx0) This currently isn't an issue because the inode item precommit is idempotent; the iunlink item precommit deletes itself so it can't be called again; and the buffer/dquot item precommits only check the incore objects for corruption. However, it doesn't make sense to run precommits twice. Fix this situation by only running precommits after finish_noroll. Cc: # v6.4 Fixes: cb042117488dbf ("xfs: defered work could create precommits") Signed-off-by: "Darrick J. Wong" Reviewed-by: Christoph Hellwig commit 53b001a21c9dff73b64e8c909c41991f01d5d00f Author: Darrick J. Wong Date: Mon Dec 2 10:57:33 2024 -0800 xfs: unlock inodes when erroring out of xfs_trans_alloc_dir Debugging a filesystem patch with generic/475 caused the system to hang after observing the following sequences in dmesg: XFS (dm-0): metadata I/O error in "xfs_imap_to_bp+0x61/0xe0 [xfs]" at daddr 0x491520 len 32 error 5 XFS (dm-0): metadata I/O error in "xfs_btree_read_buf_block+0xba/0x160 [xfs]" at daddr 0x3445608 len 8 error 5 XFS (dm-0): metadata I/O error in "xfs_imap_to_bp+0x61/0xe0 [xfs]" at daddr 0x138e1c0 len 32 error 5 XFS (dm-0): log I/O error -5 XFS (dm-0): Metadata I/O Error (0x1) detected at xfs_trans_read_buf_map+0x1ea/0x4b0 [xfs] (fs/xfs/xfs_trans_buf.c:311). Shutting down filesystem. XFS (dm-0): Please unmount the filesystem and rectify the problem(s) XFS (dm-0): Internal error dqp->q_ino.reserved < dqp->q_ino.count at line 869 of file fs/xfs/xfs_trans_dquot.c. Caller xfs_trans_dqresv+0x236/0x440 [xfs] XFS (dm-0): Corruption detected. Unmount and run xfs_repair XFS (dm-0): Unmounting Filesystem be6bcbcc-9921-4deb-8d16-7cc94e335fa7 The system is stuck in unmount trying to lock a couple of inodes so that they can be purged. The dquot corruption notice above is a clue to what happened -- a link() call tried to set up a transaction to link a child into a directory. Quota reservation for the transaction failed after IO errors shut down the filesystem, but then we forgot to unlock the inodes on our way out. Fix that. Cc: # v6.10 Fixes: bd5562111d5839 ("xfs: Hold inode locks in xfs_trans_alloc_dir") Signed-off-by: "Darrick J. Wong" Reviewed-by: Christoph Hellwig commit ffc3ea4f3c1cc83a86b7497b0c4b0aee7de5480d Author: Darrick J. Wong Date: Mon Dec 2 10:57:32 2024 -0800 xfs: fix scrub tracepoints when inode-rooted btrees are involved Fix a minor mistakes in the scrub tracepoints that can manifest when inode-rooted btrees are enabled. The existing code worked fine for bmap btrees, but we should tighten the code up to be less sloppy. Cc: # v5.7 Fixes: 92219c292af8dd ("xfs: convert btree cursor inode-private member names") Signed-off-by: "Darrick J. Wong" Reviewed-by: Christoph Hellwig commit 6d7b4bc1c3e00b1a25b7a05141a64337b4629337 Author: Darrick J. Wong Date: Mon Dec 2 10:57:31 2024 -0800 xfs: update btree keys correctly when _insrec splits an inode root block In commit 2c813ad66a72, I partially fixed a bug wherein xfs_btree_insrec would erroneously try to update the parent's key for a block that had been split if we decided to insert the new record into the new block. The solution was to detect this situation and update the in-core key value that we pass up to the caller so that the caller will (eventually) add the new block to the parent level of the tree with the correct key. However, I missed a subtlety about the way inode-rooted btrees work. If the full block was a maximally sized inode root block, we'll solve that fullness by moving the root block's records to a new block, resizing the root block, and updating the root to point to the new block. We don't pass a pointer to the new block to the caller because that work has already been done. The new record will /always/ land in the new block, so in this case we need to use xfs_btree_update_keys to update the keys. This bug can theoretically manifest itself in the very rare case that we split a bmbt root block and the new record lands in the very first slot of the new block, though I've never managed to trigger it in practice. However, it is very easy to reproduce by running generic/522 with the realtime rmapbt patchset if rtinherit=1. Cc: # v4.8 Fixes: 2c813ad66a7218 ("xfs: support btrees with overlapping intervals for keys") Signed-off-by: "Darrick J. Wong" Reviewed-by: Christoph Hellwig commit 23bee6f390a12d0c4c51fefc083704bc5dac377e Author: Darrick J. Wong Date: Mon Dec 2 10:57:30 2024 -0800 xfs: fix error bailout in xfs_rtginode_create smatch reported that we screwed up the error cleanup in this function. Fix it. Cc: # v6.13-rc1 Fixes: ae897e0bed0f54 ("xfs: support creating per-RTG files in growfs") Reported-by: Dan Carpenter Signed-off-by: "Darrick J. Wong" Reviewed-by: Christoph Hellwig commit af9f02457f461b23307fe826a37be61ba6e32c92 Author: Darrick J. Wong Date: Mon Dec 2 10:57:30 2024 -0800 xfs: fix null bno_hint handling in xfs_rtallocate_rtg xfs_bmap_rtalloc initializes the bno_hint variable to NULLRTBLOCK (aka NULLFSBLOCK). If the allocation request is for a file range that's adjacent to an existing mapping, it will then change bno_hint to the blkno hint in the bmalloca structure. In other words, bno_hint is either a rt block number, or it's all 1s. Unfortunately, commit ec12f97f1b8a8f didn't take the NULLRTBLOCK state into account, which means that it tries to translate that into a realtime extent number. We then end up with an obnoxiously high rtx number and pointlessly feed that to the near allocator. This often fails and falls back to the by-size allocator. Seeing as we had no locality hint anyway, this is a waste of time. Fix the code to detect a lack of bno_hint correctly. This was detected by running xfs/009 with metadir enabled and a 28k rt extent size. Cc: # v6.12 Fixes: ec12f97f1b8a8f ("xfs: make the rtalloc start hint a xfs_rtblock_t") Signed-off-by: "Darrick J. Wong" Reviewed-by: Christoph Hellwig commit dc5a0527398d42e4d3e47abe8a43960fca0314ed Author: Darrick J. Wong Date: Mon Dec 2 10:57:29 2024 -0800 xfs: mark metadir repair tempfiles with IRECOVERY Once in a long while, xfs/566 and xfs/801 report directory corruption in one of the metadata subdirectories while it's forcibly rebuilding all filesystem metadata. I observed the following sequence of events: 1. Initiate a repair of the parent pointers for the /quota/user file. This is the secret file containing user quota data. 2. The pptr repair thread creates a temporary file and begins staging parent pointers in the ondisk metadata in preparation for an exchange-range to commit the new pptr data. 3. At the same time, initiate a repair of the /quota directory itself. 4. The dir repair thread finds the temporary file from (2), scans it for parent pointers, and stages a dirent in its own temporary dir in preparation to commit the fixed directory. 5. The parent pointer repair completes and frees the temporary file. 6. The dir repair commits the new directory and scans it again. It finds the dirent that points to the old temporary file in (2) and marks the directory corrupt. Oops! Repair code must never scan the temporary files that other repair functions create to stage new metadata. They're not supposed to do that, but the predicate function xrep_is_tempfile is incorrect because it assumes that any XFS_DIFLAG2_METADATA file cannot ever be a temporary file, but xrep_tempfile_adjust_directory_tree creates exactly that. Fix this by setting the IRECOVERY flag on temporary metadata directory inodes and using that to correct the predicate. Repair code is supposed to erase all the data in temporary files before releasing them, so it's ok if a thread scans the temporary file after we drop IRECOVERY. Cc: # v6.13-rc1 Fixes: bb6cdd5529ff67 ("xfs: hide metadata inodes from everyone because they are special") Signed-off-by: "Darrick J. Wong" Reviewed-by: Christoph Hellwig commit 6f4669708a69fd21f0299c2d5c4780a6ce358ab5 Author: Darrick J. Wong Date: Mon Dec 2 10:57:28 2024 -0800 xfs: set XFS_SICK_INO_SYMLINK_ZAPPED explicitly when zapping a symlink If we need to reset a symlink target to the "durr it's busted" string, then we clear the zapped flag as well. However, this should be using the provided helper so that we don't set the zapped state on an otherwise ok symlink. Cc: # v6.10 Fixes: 2651923d8d8db0 ("xfs: online repair of symbolic links") Signed-off-by: "Darrick J. Wong" Reviewed-by: Christoph Hellwig commit aa7bfb537edf62085d7718845f6644b0e4efb9df Author: Darrick J. Wong Date: Mon Dec 2 10:57:27 2024 -0800 xfs: separate healthy clearing mask during repair In commit d9041681dd2f53 we introduced some XFS_SICK_*ZAPPED flags so that the inode record repair code could clean up a damaged inode record enough to iget the inode but still be able to remember that the higher level repair code needs to be called. As part of that, we introduced a xchk_mark_healthy_if_clean helper that is supposed to cause the ZAPPED state to be removed if that higher level metadata actually checks out. This was done by setting additional bits in sick_mask hoping that xchk_update_health will clear all those bits after a healthy scrub. Unfortunately, that's not quite what sick_mask means -- bits in that mask are indeed cleared if the metadata is healthy, but they're set if the metadata is NOT healthy. fsck is only intended to set the ZAPPED bits explicitly. If something else sets the CORRUPT/XCORRUPT state after the xchk_mark_healthy_if_clean call, we end up marking the metadata zapped. This can happen if the following sequence happens: 1. Scrub runs, discovers that the metadata is fine but could be optimized and calls xchk_mark_healthy_if_clean on a ZAPPED flag. That causes the ZAPPED flag to be set in sick_mask because the metadata is not CORRUPT or XCORRUPT. 2. Repair runs to optimize the metadata. 3. Some other metadata used for cross-referencing in (1) becomes corrupt. 4. Post-repair scrub runs, but this time it sets CORRUPT or XCORRUPT due to the events in (3). 5. Now the xchk_health_update sets the ZAPPED flag on the metadata we just repaired. This is not the correct state. Fix this by moving the "if healthy" mask to a separate field, and only ever using it to clear the sick state. Cc: # v6.8 Fixes: d9041681dd2f53 ("xfs: set inode sick state flags when we zap either ondisk fork") Signed-off-by: "Darrick J. Wong" Reviewed-by: Christoph Hellwig commit 7ce31f20a0771d71779c3b0ec9cdf474cc3c8e9a Author: Darrick J. Wong Date: Mon Dec 2 10:57:27 2024 -0800 xfs: don't drop errno values when we fail to ficlone the entire range Way back when we first implemented FICLONE for XFS, life was simple -- either the the entire remapping completed, or something happened and we had to return an errno explaining what happened. Neither of those ioctls support returning partial results, so it's all or nothing. Then things got complicated when copy_file_range came along, because it actually can return the number of bytes copied, so commit 3f68c1f562f1e4 tried to make it so that we could return a partial result if the REMAP_FILE_CAN_SHORTEN flag is set. This is also how FIDEDUPERANGE can indicate that the kernel performed a partial deduplication. Unfortunately, the logic is wrong if an error stops the remapping and CAN_SHORTEN is not set. Because those callers cannot return partial results, it is an error for ->remap_file_range to return a positive quantity that is less than the @len passed in. Implementations really should be returning a negative errno in this case, because that's what btrfs (which introduced FICLONE{,RANGE}) did. Therefore, ->remap_range implementations cannot silently drop an errno that they might have when the number of bytes remapped is less than the number of bytes requested and CAN_SHORTEN is not set. Found by running generic/562 on a 64k fsblock filesystem and wondering why it reported corrupt files. Cc: # v4.20 Fixes: 3fc9f5e409319e ("xfs: remove xfs_reflink_remap_range") Really-Fixes: 3f68c1f562f1e4 ("xfs: support returning partial reflink results") Signed-off-by: "Darrick J. Wong" Reviewed-by: Christoph Hellwig commit bd27c7bcdca25ce8067ebb94ded6ac1bd7b47317 Author: Darrick J. Wong Date: Mon Dec 2 10:57:26 2024 -0800 xfs: return a 64-bit block count from xfs_btree_count_blocks With the nrext64 feature enabled, it's possible for a data fork to have 2^48 extent mappings. Even with a 64k fsblock size, that maps out to a bmbt containing more than 2^32 blocks. Therefore, this predicate must return a u64 count to avoid an integer wraparound that will cause scrub to do the wrong thing. It's unlikely that any such filesystem currently exists, because the incore bmbt would consume more than 64GB of kernel memory on its own, and so far nobody except me has driven a filesystem that far, judging from the lack of complaints. Cc: # v5.19 Fixes: df9ad5cc7a5240 ("xfs: Introduce macros to represent new maximum extent counts for data/attr forks") Signed-off-by: "Darrick J. Wong" Reviewed-by: Christoph Hellwig commit e1d8602b6cfb757952827d11c7d26f2a1714fe82 Author: Darrick J. Wong Date: Mon Dec 2 10:57:25 2024 -0800 xfs: keep quota directory inode loaded In the same vein as the previous patch, there's no point in the metapath scrub setup function doing a lookup on the quota metadir just so it can validate that lookups work correctly. Instead, retain the quota directory inode in memory for the lifetime of the mount so that we can check this meaningfully. Cc: # v6.13-rc1 Fixes: 128a055291ebbc ("xfs: scrub quota file metapaths") Signed-off-by: "Darrick J. Wong" Reviewed-by: Christoph Hellwig commit 9b7280010366dbe32791acd498a37dc522f568db Author: Darrick J. Wong Date: Mon Dec 2 10:57:24 2024 -0800 xfs: metapath scrubber should use the already loaded inodes Don't waste time in xchk_setup_metapath_dqinode doing a second lookup of the quota inodes, just grab them from the quotainfo structure. The whole point of this scrubber is to make sure that the dirents exist, so it's completely silly to do lookups. Cc: # v6.13-rc1 Fixes: 128a055291ebbc ("xfs: scrub quota file metapaths") Signed-off-by: "Darrick J. Wong" Reviewed-by: Christoph Hellwig commit a440a28ddbdcb861150987b4d6e828631656b92f Author: Darrick J. Wong Date: Mon Dec 2 10:57:24 2024 -0800 xfs: fix off-by-one error in fsmap's end_daddr usage In commit ca6448aed4f10a, we created an "end_daddr" variable to fix fsmap reporting when the end of the range requested falls in the middle of an unknown (aka free on the rmapbt) region. Unfortunately, I didn't notice that the the code sets end_daddr to the last sector of the device but then uses that quantity to compute the length of the synthesized mapping. Zizhi Wo later observed that when end_daddr isn't set, we still don't report the last fsblock on a device because in that case (aka when info->last is true), the info->high mapping that we pass to xfs_getfsmap_group_helper has a startblock that points to the last fsblock. This is also wrong because the code uses startblock to compute the length of the synthesized mapping. Fix the second problem by setting end_daddr unconditionally, and fix the first problem by setting start_daddr to one past the end of the range to query. Cc: # v6.11 Fixes: ca6448aed4f10a ("xfs: Fix missing interval for missing_owner in xfs fsmap") Signed-off-by: "Darrick J. Wong" Reported-by: Zizhi Wo Reviewed-by: Christoph Hellwig commit f932fb9b40749d1c9a539d89bb3e288c077aafe5 Merge: 01abac26dccd77 21e46a79bbe6c4 Author: Linus Torvalds Date: Thu Dec 12 17:33:20 2024 -0800 Merge tag 'v6.13-rc2-ksmbd-server-fixes' of git://git.samba.org/ksmbd Pull smb server fixes from Steve French: - fix ctime setting in setattr - fix reference count on user session to avoid potential race with session expire - fix query dir issue * tag 'v6.13-rc2-ksmbd-server-fixes' of git://git.samba.org/ksmbd: ksmbd: set ATTR_CTIME flags when setting mtime ksmbd: fix racy issue from session lookup and expire ksmbd: retry iterate_dir in smb2_query_dir commit 01abac26dccd77eddffec6b032e51f501714dee3 Merge: eefa7a9c069908 434fffa926b107 Author: Linus Torvalds Date: Thu Dec 12 17:26:55 2024 -0800 Merge tag 'perf-tools-fixes-for-v6.13-2024-12-12' of git://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools Pull perf tools fixes from Namhyung Kim: "A set of random fixes for this cycle. perf record: - Fix build-id event size calculation in perf record - Fix perf record -C/--cpu option on hybrid systems - Fix perf mem record with precise-ip on SapphireRapids perf test: - Refresh hwmon directory before reading the test files - Make sure system_tsc_freq event is tested on x86 only Others: - Usual header file sync - Fix undefined behavior in perf ftrace profile - Properly initialize a return variable in perf probe" * tag 'perf-tools-fixes-for-v6.13-2024-12-12' of git://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools: (21 commits) perf probe: Fix uninitialized variable libperf: evlist: Fix --cpu argument on hybrid platform perf test expr: Fix system_tsc_freq for only x86 perf test hwmon_pmu: Fix event file location perf hwmon_pmu: Use openat rather than dup to refresh directory perf ftrace: Fix undefined behavior in cmp_profile_data() perf tools: Fix precise_ip fallback logic perf tools: Fix build error on generated/fs_at_flags_array.c tools headers: Sync uapi/linux/prctl.h with the kernel sources tools headers: Sync uapi/linux/mount.h with the kernel sources tools headers: Sync uapi/linux/fcntl.h with the kernel sources tools headers: Sync uapi/asm-generic/mman.h with the kernel sources tools headers: Sync *xattrat syscall changes with the kernel sources tools headers: Sync arm64 kvm header with the kernel sources tools headers: Sync x86 kvm and cpufeature headers with the kernel tools headers: Sync uapi/linux/kvm.h with the kernel sources tools headers: Sync uapi/linux/perf_event.h with the kernel sources tools headers: Sync uapi/drm/drm.h with the kernel sources perf machine: Initialize machine->env to address a segfault perf test: Don't signal all processes on system when interrupting tests ... commit d172ea67dbeec5c90f72752c91d202d5718e3754 Merge: 4dba1fd3fe19a3 438b39ac74e2a9 Author: Dave Airlie Date: Fri Dec 13 09:42:57 2024 +1000 Merge tag 'amd-drm-fixes-6.13-2024-12-11' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes amd-drm-fixes-6.13-2024-12-11: amdgpu: - ISP hw init fix - SR-IOV fixes - Fix contiguous VRAM mapping for UVD on older GPUs - Fix some regressions due to drm scheduler changes - Workload profile fixes - Cleaner shader fix amdkfd: - Fix DMA map direction for migration - Fix a potential null pointer dereference - Cacheline size fixes - Runtime PM fix Signed-off-by: Dave Airlie From: Alex Deucher Link: https://patchwork.freedesktop.org/patch/msgid/20241211215449.741848-1-alexander.deucher@amd.com commit 4dba1fd3fe19a3227489779ba7f5b67c0fd041a8 Merge: c98f9ab909bab6 d7b028656c29b2 Author: Dave Airlie Date: Fri Dec 13 09:15:41 2024 +1000 Merge tag 'drm-xe-fixes-2024-12-12' of https://gitlab.freedesktop.org/drm/xe/kernel into drm-fixes - Fix a KUNIT test error message (Mirsad Todorovac) - Fix an invalidation fence PM ref leak (Daniele) - Fix a register pool UAF (Lucas) Signed-off-by: Dave Airlie From: Thomas Hellstrom Link: https://patchwork.freedesktop.org/patch/msgid/Z1s5elHXOyeIHnE0@fedora commit c98f9ab909bab66e6b6f5ba4911f5783ebdcb490 Merge: fac04efc5c793d 2828e5808bcd5a Author: Dave Airlie Date: Fri Dec 13 08:53:15 2024 +1000 Merge tag 'drm-intel-fixes-2024-12-11' of https://gitlab.freedesktop.org/drm/i915/kernel into drm-fixes - Don't use indexed register writes needlessly [dsb] (Ville Syrjälä) - Stop using non-posted DSB writes for legacy LUT [color] (Ville Syrjälä) - Fix NULL pointer dereference in capture_engine (Eugene Kobyak) - Fix memory leak by correcting cache object name in error handler (Jiasheng Jiang) Signed-off-by: Dave Airlie From: Tvrtko Ursulin Link: https://patchwork.freedesktop.org/patch/msgid/Z1nULMrutE4HERvB@linux commit eefa7a9c069908412f8f5d15833901d1b46ae1b2 Merge: 150b567e0d5723 c8f8d4344d50d7 Author: Linus Torvalds Date: Thu Dec 12 13:20:53 2024 -0800 Merge tag 'for-linus' of https://github.com/openrisc/linux Pull OpenRISC fixes from Stafford Horne: - Fix from Masahiro Yamada to fix 6.13 OpenRISC boot issues after vmlinux.lds.h symbol ordering was changed - Code formatting fixups from Geert * tag 'for-linus' of https://github.com/openrisc/linux: openrisc: Fix misalignments in head.S openrisc: place exception table at the head of vmlinux commit e4c80f69758e5088e8aae48f3d6abb41c6da7812 Merge: 04789af756a4a4 8025731c28beb4 Author: Alexei Starovoitov Date: Thu Dec 12 11:40:18 2024 -0800 Merge branch 'add-missing-size-check-for-btf-based-ctx-access' Kumar Kartikeya Dwivedi says: ==================== Add missing size check for BTF-based ctx access This set fixes a issue reported for tracing and struct ops programs using btf_ctx_access for ctx checks, where loading a pointer argument from the ctx doesn't enforce a BPF_DW access size check. The original report is at link [0]. Also add a regression test along with the fix. [0]: https://lore.kernel.org/bpf/51338.1732985814@localhost ==================== Link: https://patch.msgid.link/20241212092050.3204165-1-memxor@gmail.com Signed-off-by: Alexei Starovoitov commit 8025731c28beb4700dc801a1ca4504d1f78bac27 Author: Kumar Kartikeya Dwivedi Date: Thu Dec 12 01:20:50 2024 -0800 selftests/bpf: Add test for narrow ctx load for pointer args Ensure that performing narrow ctx loads other than size == 8 are rejected when the argument is a pointer type. Signed-off-by: Kumar Kartikeya Dwivedi Link: https://lore.kernel.org/r/20241212092050.3204165-3-memxor@gmail.com Signed-off-by: Alexei Starovoitov commit 659b9ba7cb2d7adb64618b87ddfaa528a143766e Author: Kumar Kartikeya Dwivedi Date: Thu Dec 12 01:20:49 2024 -0800 bpf: Check size for BTF-based ctx access of pointer members Robert Morris reported the following program type which passes the verifier in [0]: SEC("struct_ops/bpf_cubic_init") void BPF_PROG(bpf_cubic_init, struct sock *sk) { asm volatile("r2 = *(u16*)(r1 + 0)"); // verifier should demand u64 asm volatile("*(u32 *)(r2 +1504) = 0"); // 1280 in some configs } The second line may or may not work, but the first instruction shouldn't pass, as it's a narrow load into the context structure of the struct ops callback. The code falls back to btf_ctx_access to ensure correctness and obtaining the types of pointers. Ensure that the size of the access is correctly checked to be 8 bytes, otherwise the verifier thinks the narrow load obtained a trusted BTF pointer and will permit loads/stores as it sees fit. Perform the check on size after we've verified that the load is for a pointer field, as for scalar values narrow loads are fine. Access to structs passed as arguments to a BPF program are also treated as scalars, therefore no adjustment is needed in their case. Existing verifier selftests are broken by this change, but because they were incorrect. Verifier tests for d_path were performing narrow load into context to obtain path pointer, had this program actually run it would cause a crash. The same holds for verifier_btf_ctx_access tests. [0]: https://lore.kernel.org/bpf/51338.1732985814@localhost Fixes: 9e15db66136a ("bpf: Implement accurate raw_tp context access via BTF") Reported-by: Robert Morris Signed-off-by: Kumar Kartikeya Dwivedi Link: https://lore.kernel.org/r/20241212092050.3204165-2-memxor@gmail.com Signed-off-by: Alexei Starovoitov commit 04789af756a4a43e72986185f66f148e65b32fed Author: Eduard Zingerman Date: Wed Dec 11 23:07:11 2024 -0800 selftests/bpf: extend changes_pkt_data with cases w/o subprograms Extend changes_pkt_data tests with test cases freplacing the main program that does not have subprograms. Try four combinations when both main program and replacement do and do not change packet data. Signed-off-by: Eduard Zingerman Link: https://lore.kernel.org/r/20241212070711.427443-2-eddyz87@gmail.com Signed-off-by: Alexei Starovoitov commit ac6542ad92759cda383ad62b4e4cbfc28136abc1 Author: Eduard Zingerman Date: Wed Dec 11 23:07:10 2024 -0800 bpf: fix null dereference when computing changes_pkt_data of prog w/o subprogs bpf_prog_aux->func field might be NULL if program does not have subprograms except for main sub-program. The fixed commit does bpf_prog_aux->func access unconditionally, which might lead to null pointer dereference. The bug could be triggered by replacing the following BPF program: SEC("tc") int main_changes(struct __sk_buff *sk) { bpf_skb_pull_data(sk, 0); return 0; } With the following BPF program: SEC("freplace") long changes_pkt_data(struct __sk_buff *sk) { return bpf_skb_pull_data(sk, 0); } bpf_prog_aux instance itself represents the main sub-program, use this property to fix the bug. Fixes: 81f6d0530ba0 ("bpf: check changes_pkt_data property for extension programs") Reported-by: kernel test robot Reported-by: Dan Carpenter Closes: https://lore.kernel.org/r/202412111822.qGw6tOyB-lkp@intel.com/ Signed-off-by: Eduard Zingerman Link: https://lore.kernel.org/r/20241212070711.427443-1-eddyz87@gmail.com Signed-off-by: Alexei Starovoitov commit 150b567e0d572342ef08bace7ee7aff80fd75327 Merge: 231825b2e1ff6b ad913dfd8bfacd Author: Linus Torvalds Date: Thu Dec 12 11:28:05 2024 -0800 Merge tag 'net-6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Pull networking fixes from Jakub Kicinski: "Including fixes from bluetooth, netfilter and wireless. Current release - fix to a fix: - rtnetlink: fix error code in rtnl_newlink() - tipc: fix NULL deref in cleanup_bearer() Current release - regressions: - ip: fix warning about invalid return from in ip_route_input_rcu() Current release - new code bugs: - udp: fix L4 hash after reconnect - eth: lan969x: fix cyclic dependency between modules - eth: bnxt_en: fix potential crash when dumping FW log coredump Previous releases - regressions: - wifi: mac80211: - fix a queue stall in certain cases of channel switch - wake the queues in case of failure in resume - splice: do not checksum AF_UNIX sockets - virtio_net: fix BUG()s in BQL support due to incorrect accounting of purged packets during interface stop - eth: - stmmac: fix TSO DMA API mis-usage causing oops - bnxt_en: fixes for HW GRO: GSO type on 5750X chips and oops due to incorrect aggregation ID mask on 5760X chips Previous releases - always broken: - Bluetooth: improve setsockopt() handling of malformed user input - eth: ocelot: fix PTP timestamping in presence of packet loss - ptp: kvm: x86: avoid "fail to initialize ptp_kvm" when simply not supported" * tag 'net-6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (81 commits) net: dsa: tag_ocelot_8021q: fix broken reception net: dsa: microchip: KSZ9896 register regmap alignment to 32 bit boundaries net: renesas: rswitch: fix initial MPIC register setting Bluetooth: btmtk: avoid UAF in btmtk_process_coredump Bluetooth: iso: Fix circular lock in iso_conn_big_sync Bluetooth: iso: Fix circular lock in iso_listen_bis Bluetooth: SCO: Add support for 16 bits transparent voice setting Bluetooth: iso: Fix recursive locking warning Bluetooth: iso: Always release hdev at the end of iso_listen_bis Bluetooth: hci_event: Fix using rcu_read_(un)lock while iterating Bluetooth: hci_core: Fix sleeping function called from invalid context team: Fix feature propagation of NETIF_F_GSO_ENCAP_ALL team: Fix initial vlan_feature set in __team_compute_features bonding: Fix feature propagation of NETIF_F_GSO_ENCAP_ALL bonding: Fix initial {vlan,mpls}_feature set in bond_compute_features net, team, bonding: Add netdev_base_features helper net/sched: netem: account for backlog updates from child qdisc net: dsa: felix: fix stuck CPU-injected packets with short taprio windows splice: do not checksum AF_UNIX sockets net: usb: qmi_wwan: add Telit FE910C04 compositions ... commit 57e420c84f9ab55ba4c5e2ae9c5f6c8e1ea834d2 Author: Nathan Chancellor Date: Thu Dec 12 10:13:29 2024 -0700 blk-iocost: Avoid using clamp() on inuse in __propagate_weights() After a recent change to clamp() and its variants [1] that increases the coverage of the check that high is greater than low because it can be done through inlining, certain build configurations (such as s390 defconfig) fail to build with clang with: block/blk-iocost.c:1101:11: error: call to '__compiletime_assert_557' declared with 'error' attribute: clamp() low limit 1 greater than high limit active 1101 | inuse = clamp_t(u32, inuse, 1, active); | ^ include/linux/minmax.h:218:36: note: expanded from macro 'clamp_t' 218 | #define clamp_t(type, val, lo, hi) __careful_clamp(type, val, lo, hi) | ^ include/linux/minmax.h:195:2: note: expanded from macro '__careful_clamp' 195 | __clamp_once(type, val, lo, hi, __UNIQUE_ID(v_), __UNIQUE_ID(l_), __UNIQUE_ID(h_)) | ^ include/linux/minmax.h:188:2: note: expanded from macro '__clamp_once' 188 | BUILD_BUG_ON_MSG(statically_true(ulo > uhi), \ | ^ __propagate_weights() is called with an active value of zero in ioc_check_iocgs(), which results in the high value being less than the low value, which is undefined because the value returned depends on the order of the comparisons. The purpose of this expression is to ensure inuse is not more than active and at least 1. This could be written more simply with a ternary expression that uses min(inuse, active) as the condition so that the value of that condition can be used if it is not zero and one if it is. Do this conversion to resolve the error and add a comment to deter people from turning this back into clamp(). Fixes: 7caa47151ab2 ("blkcg: implement blk-iocost") Link: https://lore.kernel.org/r/34d53778977747f19cce2abb287bb3e6@AcuMS.aculab.com/ [1] Suggested-by: David Laight Reported-by: Linux Kernel Functional Testing Closes: https://lore.kernel.org/llvm/CA+G9fYsD7mw13wredcZn0L-KBA3yeoVSTuxnss-AEWMN3ha0cA@mail.gmail.com/ Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202412120322.3GfVe3vF-lkp@intel.com/ Signed-off-by: Nathan Chancellor Acked-by: Tejun Heo Signed-off-by: Jens Axboe commit e2de3c1bf6a0c99b089bd706a62da8f988918858 Author: Gao Xiang Date: Thu Dec 12 21:35:01 2024 +0800 erofs: add erofs_sb_free() helper Unify the common parts of erofs_fc_free() and erofs_kill_sb() as erofs_sb_free(). Thus, fput() in erofs_fc_get_tree() is no longer needed, too. Reviewed-by: Chao Yu Signed-off-by: Gao Xiang Link: https://lore.kernel.org/r/20241212133504.2047178-1-hsiangkao@linux.alibaba.com commit 7460d43bd75d261cdba5708bc349ce7f16759d78 Merge: 91da87d38cca46 1f806218164d1b Author: Joerg Roedel Date: Thu Dec 12 17:25:37 2024 +0100 Merge tag 'arm-smmu-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/will/linux into fixes Arm SMMU fixes for 6.13-rc - Use raw_smp_processor_id() when balancing traffic for NVIDIA's custom command queue implementation. commit 6d1917045ef4f584593ad30b3dbb887d95fc331f Author: Yue Hu Date: Wed Dec 11 16:09:18 2024 +0800 MAINTAINERS: erofs: update Yue Hu's email address The current email address is no longer valid, use my gmail instead. Signed-off-by: Yue Hu Acked-by: Gao Xiang Acked-by: Chao Yu Link: https://lore.kernel.org/r/20241211080918.8512-1-zbestahu@163.com Signed-off-by: Gao Xiang commit 1a2180f6859c73c674809f9f82e36c94084682ba Author: Gao Xiang Date: Wed Nov 27 16:52:36 2024 +0800 erofs: fix PSI memstall accounting Max Kellermann recently reported psi_group_cpu.tasks[NR_MEMSTALL] is incorrect in the 6.11.9 kernel. The root cause appears to be that, since the problematic commit, bio can be NULL, causing psi_memstall_leave() to be skipped in z_erofs_submit_queue(). Reported-by: Max Kellermann Closes: https://lore.kernel.org/r/CAKPOu+8tvSowiJADW2RuKyofL_CSkm_SuyZA7ME5vMLWmL6pqw@mail.gmail.com Fixes: 9e2f9d34dd12 ("erofs: handle overlapped pclusters out of crafted images properly") Reviewed-by: Chao Yu Signed-off-by: Gao Xiang Link: https://lore.kernel.org/r/20241127085236.3538334-1-hsiangkao@linux.alibaba.com commit b10a1e5643e505c367c7e16aa6d8a9a0dc07354b Author: Gao Xiang Date: Tue Dec 3 15:28:21 2024 +0800 erofs: fix rare pcluster memory leak after unmounting There may still exist some pcluster with valid reference counts during unmounting. Instead of introducing another synchronization primitive, just try again as unmounting is relatively rare. This approach is similar to z_erofs_cache_invalidate_folio(). It was also reported by syzbot as a UAF due to commit f5ad9f9a603f ("erofs: free pclusters if no cached folio is attached"): BUG: KASAN: slab-use-after-free in do_raw_spin_trylock+0x72/0x1f0 kernel/locking/spinlock_debug.c:123 .. queued_spin_trylock include/asm-generic/qspinlock.h:92 [inline] do_raw_spin_trylock+0x72/0x1f0 kernel/locking/spinlock_debug.c:123 __raw_spin_trylock include/linux/spinlock_api_smp.h:89 [inline] _raw_spin_trylock+0x20/0x80 kernel/locking/spinlock.c:138 spin_trylock include/linux/spinlock.h:361 [inline] z_erofs_put_pcluster fs/erofs/zdata.c:959 [inline] z_erofs_decompress_pcluster fs/erofs/zdata.c:1403 [inline] z_erofs_decompress_queue+0x3798/0x3ef0 fs/erofs/zdata.c:1425 z_erofs_decompressqueue_work+0x99/0xe0 fs/erofs/zdata.c:1437 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa68/0x1840 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f2/0x390 kernel/kthread.c:389 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 However, it seems a long outstanding memory leak. Fix it now. Fixes: f5ad9f9a603f ("erofs: free pclusters if no cached folio is attached") Reported-by: syzbot+7ff87b095e7ca0c5ac39@syzkaller.appspotmail.com Closes: https://lore.kernel.org/r/674c1235.050a0220.ad585.0032.GAE@google.com Reviewed-by: Chao Yu Signed-off-by: Gao Xiang Link: https://lore.kernel.org/r/20241203072821.1885740-1-hsiangkao@linux.alibaba.com commit 65ac33bed8b9255213b08ed153dbe9c0ca3535e6 Author: Mark Rutland Date: Wed Dec 11 14:07:04 2024 +0000 arm64: stacktrace: Don't WARN when unwinding other tasks The arm64 stacktrace code has a few error conditions where a WARN_ON_ONCE() is triggered before the stacktrace is terminated and an error is returned to the caller. The conditions shouldn't be triggered when unwinding the current task, but it is possible to trigger these when unwinding another task which is not blocked, as the stack of that task is concurrently modified. Kent reports that these warnings can be triggered while running filesystem tests on bcachefs, which calls the stacktrace code directly. To produce a meaningful stacktrace of another task, the task in question should be blocked, but the stacktrace code is expected to be robust to cases where it is not blocked. Note that this is purely about not unuduly scaring the user and/or crashing the kernel; stacktraces in such cases are meaningless and may leak kernel secrets from the stack of the task being unwound. Ideally we'd pin the task in a blocked state during the unwind, as we do for /proc/${PID}/wchan since commit: 42a20f86dc19f928 ("sched: Add wrapper for get_wchan() to keep task blocked") ... but a bunch of places don't do that, notably /proc/${PID}/stack, where we don't pin the task in a blocked state, but do restrict the output to privileged users since commit: f8a00cef17206ecd ("proc: restrict kernel stack dumps to root") ... and so it's possible to trigger these warnings accidentally, e.g. by reading /proc/*/stack (as root): | for n in $(seq 1 10); do | while true; do cat /proc/*/stack > /dev/null 2>&1; done & | done | ------------[ cut here ]------------ | WARNING: CPU: 3 PID: 166 at arch/arm64/kernel/stacktrace.c:207 arch_stack_walk+0x1c8/0x370 | Modules linked in: | CPU: 3 UID: 0 PID: 166 Comm: cat Not tainted 6.13.0-rc2-00003-g3dafa7a7925d #2 | Hardware name: linux,dummy-virt (DT) | pstate: 81400005 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) | pc : arch_stack_walk+0x1c8/0x370 | lr : arch_stack_walk+0x1b0/0x370 | sp : ffff800080773890 | x29: ffff800080773930 x28: fff0000005c44500 x27: fff00000058fa038 | x26: 000000007ffff000 x25: 0000000000000000 x24: 0000000000000000 | x23: ffffa35a8d9600ec x22: 0000000000000000 x21: fff00000043a33c0 | x20: ffff800080773970 x19: ffffa35a8d960168 x18: 0000000000000000 | x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 | x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 | x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 | x8 : ffff8000807738e0 x7 : ffff8000806e3800 x6 : ffff8000806e3818 | x5 : ffff800080773920 x4 : ffff8000806e4000 x3 : ffff8000807738e0 | x2 : 0000000000000018 x1 : ffff8000806e3800 x0 : 0000000000000000 | Call trace: | arch_stack_walk+0x1c8/0x370 (P) | stack_trace_save_tsk+0x8c/0x108 | proc_pid_stack+0xb0/0x134 | proc_single_show+0x60/0x120 | seq_read_iter+0x104/0x438 | seq_read+0xf8/0x140 | vfs_read+0xc4/0x31c | ksys_read+0x70/0x108 | __arm64_sys_read+0x1c/0x28 | invoke_syscall+0x48/0x104 | el0_svc_common.constprop.0+0x40/0xe0 | do_el0_svc+0x1c/0x28 | el0_svc+0x30/0xcc | el0t_64_sync_handler+0x10c/0x138 | el0t_64_sync+0x198/0x19c | ---[ end trace 0000000000000000 ]--- Fix this by only warning when unwinding the current task. When unwinding another task the error conditions will be handled by returning an error without producing a warning. The two warnings in kunwind_next_frame_record_meta() were added recently as part of commit: c2c6b27b5aa14fa2 ("arm64: stacktrace: unwind exception boundaries") The warning when recovering the fgraph return address has changed form many times, but was originally introduced back in commit: 9f416319f40cd857 ("arm64: fix unwind_frame() for filtered out fn for function graph tracing") Fixes: c2c6b27b5aa1 ("arm64: stacktrace: unwind exception boundaries") Fixes: 9f416319f40c ("arm64: fix unwind_frame() for filtered out fn for function graph tracing") Signed-off-by: Mark Rutland Reported-by: Kent Overstreet Cc: Kees Cook Cc: Peter Zijlstra Cc: Will Deacon Link: https://lore.kernel.org/r/20241211140704.2498712-3-mark.rutland@arm.com Signed-off-by: Catalin Marinas commit 32ed1205682ec42ad51e55b239a190d55476aeb8 Author: Mark Rutland Date: Wed Dec 11 14:07:03 2024 +0000 arm64: stacktrace: Skip reporting LR at exception boundaries Aishwarya reports that warnings are sometimes seen when running the ftrace kselftests, e.g. | WARNING: CPU: 5 PID: 2066 at arch/arm64/kernel/stacktrace.c:141 arch_stack_walk+0x4a0/0x4c0 | Modules linked in: | CPU: 5 UID: 0 PID: 2066 Comm: ftracetest Not tainted 6.13.0-rc2 #2 | Hardware name: linux,dummy-virt (DT) | pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) | pc : arch_stack_walk+0x4a0/0x4c0 | lr : arch_stack_walk+0x248/0x4c0 | sp : ffff800083643d20 | x29: ffff800083643dd0 x28: ffff00007b891400 x27: ffff00007b891928 | x26: 0000000000000001 x25: 00000000000000c0 x24: ffff800082f39d80 | x23: ffff80008003ee8c x22: ffff80008004baa8 x21: ffff8000800533e0 | x20: ffff800083643e10 x19: ffff80008003eec8 x18: 0000000000000000 | x17: 0000000000000000 x16: ffff800083640000 x15: 0000000000000000 | x14: 02a37a802bbb8a92 x13: 00000000000001a9 x12: 0000000000000001 | x11: ffff800082ffad60 x10: ffff800083643d20 x9 : ffff80008003eed0 | x8 : ffff80008004baa8 x7 : ffff800086f2be80 x6 : ffff0000057cf000 | x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff800086f2b690 | x2 : ffff80008004baa8 x1 : ffff80008004baa8 x0 : ffff80008004baa8 | Call trace: | arch_stack_walk+0x4a0/0x4c0 (P) | arch_stack_walk+0x248/0x4c0 (L) | profile_pc+0x44/0x80 | profile_tick+0x50/0x80 (F) | tick_nohz_handler+0xcc/0x160 (F) | __hrtimer_run_queues+0x2ac/0x340 (F) | hrtimer_interrupt+0xf4/0x268 (F) | arch_timer_handler_virt+0x34/0x60 (F) | handle_percpu_devid_irq+0x88/0x220 (F) | generic_handle_domain_irq+0x34/0x60 (F) | gic_handle_irq+0x54/0x140 (F) | call_on_irq_stack+0x24/0x58 (F) | do_interrupt_handler+0x88/0x98 | el1_interrupt+0x34/0x68 (F) | el1h_64_irq_handler+0x18/0x28 | el1h_64_irq+0x6c/0x70 | queued_spin_lock_slowpath+0x78/0x460 (P) The warning in question is: WARN_ON_ONCE(state->common.pc == orig_pc)) ... in kunwind_recover_return_address(), which is triggered when return_to_handler() is encountered in the trace, but ftrace_graph_ret_addr() cannot find a corresponding original return address on the fgraph return stack. This happens because the stacktrace code encounters an exception boundary where the LR was not live at the time of the exception, but the LR happens to contain return_to_handler(); either because the task recently returned there, or due to unfortunate usage of the LR at a scratch register. In such cases attempts to recover the return address via ftrace_graph_ret_addr() may fail, triggering the WARN_ON_ONCE() above and aborting the unwind (hence the stacktrace terminating after reporting the PC at the time of the exception). Handling unreliable LR values in these cases is likely to require some larger rework, so for the moment avoid this problem by restoring the old behaviour of skipping the LR at exception boundaries, which the stacktrace code did prior to commit: c2c6b27b5aa14fa2 ("arm64: stacktrace: unwind exception boundaries") This commit is effectively a partial revert, keeping the structures and logic to explicitly identify exception boundaries while still skipping reporting of the LR. The logic to explicitly identify exception boundaries is still useful for general robustness and as a building block for future support for RELIABLE_STACKTRACE. Fixes: c2c6b27b5aa1 ("arm64: stacktrace: unwind exception boundaries") Signed-off-by: Mark Rutland Reported-by: Aishwarya TCV Cc: Will Deacon Link: https://lore.kernel.org/r/20241211140704.2498712-2-mark.rutland@arm.com Signed-off-by: Catalin Marinas commit d7b028656c29b22fcde1c6ee1df5b28fbba987b5 Author: Lucas De Marchi Date: Mon Dec 9 15:27:35 2024 -0800 drm/xe/reg_sr: Remove register pool That pool implementation doesn't really work: if the krealloc happens to move the memory and return another address, the entries in the xarray become invalid, leading to use-after-free later: BUG: KASAN: slab-use-after-free in xe_reg_sr_apply_mmio+0x570/0x760 [xe] Read of size 4 at addr ffff8881244b2590 by task modprobe/2753 Allocated by task 2753: kasan_save_stack+0x39/0x70 kasan_save_track+0x14/0x40 kasan_save_alloc_info+0x37/0x60 __kasan_kmalloc+0xc3/0xd0 __kmalloc_node_track_caller_noprof+0x200/0x6d0 krealloc_noprof+0x229/0x380 Simplify the code to fix the bug. A better pooling strategy may be added back later if needed. Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") Reviewed-by: Matt Roper Link: https://patchwork.freedesktop.org/patch/msgid/20241209232739.147417-2-lucas.demarchi@intel.com Signed-off-by: Lucas De Marchi (cherry picked from commit e5283bd4dfecbd3335f43b62a68e24dae23f59e4) Signed-off-by: Thomas Hellström commit cefade70f346160f47cc24776160329e2ee63653 Author: Daniele Ceraolo Spurio Date: Thu Dec 5 17:50:22 2024 -0800 drm/xe: Call invalidation_fence_fini for PT inval fences in error state Invalidation_fence_init takes a PM reference, which is released in its _fini counterpart, so we need to make sure that the latter is called, even if the fence is in an error state. Since we already have a function that calls _fini() and signals the fence in the tlb inval code, we can expose that and call it from the PT code. Fixes: f002702290fc ("drm/xe: Hold a PM ref when GT TLB invalidations are inflight") Signed-off-by: Daniele Ceraolo Spurio Cc: # v6.11+ Cc: Matthew Brost Cc: Nirmoy Das Cc: Rodrigo Vivi Reviewed-by: Nirmoy Das Reviewed-by: Matthew Brost Link: https://patchwork.freedesktop.org/patch/msgid/20241206015022.1567113-1-daniele.ceraolospurio@intel.com (cherry picked from commit 65338639b79ce88aef5263cd518cde570a3c7c8e) Signed-off-by: Thomas Hellström commit ed69b28b3a5e39871ba5599992f80562d6ee59db Author: Mirsad Todorovac Date: Thu Nov 21 22:20:58 2024 +0100 drm/xe: fix the ERR_PTR() returned on failure to allocate tiny pt Running coccinelle spatch gave the following warning: ./drivers/gpu/drm/xe/tests/xe_migrate.c:226:5-11: inconsistent IS_ERR and PTR_ERR on line 228. The code reports PTR_ERR(pt) when IS_ERR(tiny) is checked: → 211 pt = xe_bo_create_pin_map(xe, tile, m->q->vm, XE_PAGE_SIZE, 212 ttm_bo_type_kernel, 213 XE_BO_FLAG_VRAM_IF_DGFX(tile) | 214 XE_BO_FLAG_PINNED); 215 if (IS_ERR(pt)) { 216 KUNIT_FAIL(test, "Failed to allocate fake pt: %li\n", 217 PTR_ERR(pt)); 218 goto free_big; 219 } 220 221 tiny = xe_bo_create_pin_map(xe, tile, m->q->vm, → 222 2 * SZ_4K, 223 ttm_bo_type_kernel, 224 XE_BO_FLAG_VRAM_IF_DGFX(tile) | 225 XE_BO_FLAG_PINNED); → 226 if (IS_ERR(tiny)) { → 227 KUNIT_FAIL(test, "Failed to allocate fake pt: %li\n", → 228 PTR_ERR(pt)); 229 goto free_pt; 230 } Now, the IS_ERR(tiny) and the corresponding PTR_ERR(pt) do not match. Returning PTR_ERR(tiny), as the last failed function call, seems logical. Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") Signed-off-by: Mirsad Todorovac Link: https://patchwork.freedesktop.org/patch/msgid/20241121212057.1526634-2-mtodorovac69@gmail.com Signed-off-by: Rodrigo Vivi (cherry picked from commit cb57c75098c1c449a007ba301f9073f96febaaa9) Signed-off-by: Thomas Hellström commit 2f4873f9b5f8a49113045ad91c021347486de323 Author: John Garry Date: Mon Dec 2 11:57:27 2024 +0000 block: Make bio_iov_bvec_set() accept pointer to const iov_iter Make bio_iov_bvec_set() accept a pointer to const iov_iter, which means that we can drop the undesirable casting to struct iov_iter pointer in blk_rq_map_user_bvec(). Signed-off-by: John Garry Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/20241202115727.2320401-1-john.g.garry@oracle.com Signed-off-by: Jens Axboe commit ad913dfd8bfacdf1d2232fe9f49ccb025885ef22 Merge: 36ff681d228341 b548f5e9456c56 Author: Jakub Kicinski Date: Thu Dec 12 07:10:39 2024 -0800 Merge tag 'for-net-2024-12-12' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth Luiz Augusto von Dentz says: ==================== bluetooth pull request for net: - SCO: Fix transparent voice setting - ISO: Locking fixes - hci_core: Fix sleeping function called from invalid context - hci_event: Fix using rcu_read_(un)lock while iterating - btmtk: avoid UAF in btmtk_process_coredump * tag 'for-net-2024-12-12' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth: Bluetooth: btmtk: avoid UAF in btmtk_process_coredump Bluetooth: iso: Fix circular lock in iso_conn_big_sync Bluetooth: iso: Fix circular lock in iso_listen_bis Bluetooth: SCO: Add support for 16 bits transparent voice setting Bluetooth: iso: Fix recursive locking warning Bluetooth: iso: Always release hdev at the end of iso_listen_bis Bluetooth: hci_event: Fix using rcu_read_(un)lock while iterating Bluetooth: hci_core: Fix sleeping function called from invalid context Bluetooth: Improve setsockopt() handling of malformed user input ==================== Link: https://patch.msgid.link/20241212142806.2046274-1-luiz.dentz@gmail.com Signed-off-by: Jakub Kicinski commit 36ff681d2283410742489ce77e7b01419eccf58c Author: Robert Hodaszi Date: Wed Dec 11 15:47:41 2024 +0100 net: dsa: tag_ocelot_8021q: fix broken reception The blamed commit changed the dsa_8021q_rcv() calling convention to accept pre-populated source_port and switch_id arguments. If those are not available, as in the case of tag_ocelot_8021q, the arguments must be pre-initialized with -1. Due to the bug of passing uninitialized arguments in tag_ocelot_8021q, dsa_8021q_rcv() does not detect that it needs to populate the source_port and switch_id, and this makes dsa_conduit_find_user() fail, which leads to packet loss on reception. Fixes: dcfe7673787b ("net: dsa: tag_sja1105: absorb logic for not overwriting precise info into dsa_8021q_rcv()") Signed-off-by: Robert Hodaszi Reviewed-by: Vladimir Oltean Link: https://patch.msgid.link/20241211144741.1415758-1-robert.hodaszi@digi.com Signed-off-by: Jakub Kicinski commit 5af53577c64fa84da032d490b701127fe8d1a6aa Author: Jesse Van Gavere Date: Wed Dec 11 10:29:32 2024 +0100 net: dsa: microchip: KSZ9896 register regmap alignment to 32 bit boundaries Commit 8d7ae22ae9f8 ("net: dsa: microchip: KSZ9477 register regmap alignment to 32 bit boundaries") fixed an issue whereby regmap_reg_range did not allow writes as 32 bit words to KSZ9477 PHY registers, this fix for KSZ9896 is adapted from there as the same errata is present in KSZ9896C as "Module 5: Certain PHY registers must be written as pairs instead of singly" the explanation below is likewise taken from this commit. The commit provided code to apply "Module 6: Certain PHY registers must be written as pairs instead of singly" errata for KSZ9477 as this chip for certain PHY registers (0xN120 to 0xN13F, N=1,2,3,4,5) must be accessed as 32 bit words instead of 16 or 8 bit access. Otherwise, adjacent registers (no matter if reserved or not) are overwritten with 0x0. Without this patch some registers (e.g. 0x113c or 0x1134) required for 32 bit access are out of valid regmap ranges. As a result, following error is observed and KSZ9896 is not properly configured: ksz-switch spi1.0: can't rmw 32bit reg 0x113c: -EIO ksz-switch spi1.0: can't rmw 32bit reg 0x1134: -EIO ksz-switch spi1.0 lan1 (uninitialized): failed to connect to PHY: -EIO ksz-switch spi1.0 lan1 (uninitialized): error -5 setting up PHY for tree 0, switch 0, port 0 The solution is to modify regmap_reg_range to allow accesses with 4 bytes boundaries. Fixes: 5c844d57aa78 ("net: dsa: microchip: fix writes to phy registers >= 0x10") Signed-off-by: Jesse Van Gavere Link: https://patch.msgid.link/20241211092932.26881-1-jesse.vangavere@scioteq.com Signed-off-by: Jakub Kicinski commit 99d6af6e8a22b792e1845b186f943cd10bb4b7b0 Author: Jens Axboe Date: Thu Dec 12 08:01:52 2024 -0700 io_uring/rsrc: don't put/free empty buffers If cloning of buffers fail and we have to put the ones already grabbed, check for NULL buffers and skip those. They used to be dummy ubufs, but now they are just NULL and that should be checked before reaping them. Reported-by: chase xd Link: https://lore.kernel.org/io-uring/CADZouDQ7TcKn8gz8_efnyAEp1JvU1ktRk8PWz-tO0FXUoh8VGQ@mail.gmail.com/ Fixes: d50f94d761a5 ("io_uring/rsrc: get rid of the empty node and dummy_ubuf") Signed-off-by: Jens Axboe commit fb9e6039c325cc205a368046dc03c56c87df2310 Author: Nikita Yushchenko Date: Wed Dec 11 10:30:12 2024 +0500 net: renesas: rswitch: fix initial MPIC register setting MPIC.PIS must be set per phy interface type. MPIC.LSC must be set per speed. Do that strictly per datasheet, instead of hardcoding MPIC.PIS to GMII. Fixes: 3590918b5d07 ("net: ethernet: renesas: Add support for "Ethernet Switch"") Signed-off-by: Nikita Yushchenko Reviewed-by: Michal Swiatkowski Link: https://patch.msgid.link/20241211053012.368914-1-nikita.yoush@cogentembedded.com Signed-off-by: Paolo Abeni commit b548f5e9456c568155499d9ebac675c0d7a296e8 Author: Thadeu Lima de Souza Cascardo Date: Tue Dec 10 16:36:10 2024 -0300 Bluetooth: btmtk: avoid UAF in btmtk_process_coredump hci_devcd_append may lead to the release of the skb, so it cannot be accessed once it is called. ================================================================== BUG: KASAN: slab-use-after-free in btmtk_process_coredump+0x2a7/0x2d0 [btmtk] Read of size 4 at addr ffff888033cfabb0 by task kworker/0:3/82 CPU: 0 PID: 82 Comm: kworker/0:3 Tainted: G U 6.6.40-lockdep-03464-g1d8b4eb3060e #1 b0b3c1cc0c842735643fb411799d97921d1f688c Hardware name: Google Yaviks_Ufs/Yaviks_Ufs, BIOS Google_Yaviks_Ufs.15217.552.0 05/07/2024 Workqueue: events btusb_rx_work [btusb] Call Trace: dump_stack_lvl+0xfd/0x150 print_report+0x131/0x780 kasan_report+0x177/0x1c0 btmtk_process_coredump+0x2a7/0x2d0 [btmtk 03edd567dd71a65958807c95a65db31d433e1d01] btusb_recv_acl_mtk+0x11c/0x1a0 [btusb 675430d1e87c4f24d0c1f80efe600757a0f32bec] btusb_rx_work+0x9e/0xe0 [btusb 675430d1e87c4f24d0c1f80efe600757a0f32bec] worker_thread+0xe44/0x2cc0 kthread+0x2ff/0x3a0 ret_from_fork+0x51/0x80 ret_from_fork_asm+0x1b/0x30 Allocated by task 82: stack_trace_save+0xdc/0x190 kasan_set_track+0x4e/0x80 __kasan_slab_alloc+0x4e/0x60 kmem_cache_alloc+0x19f/0x360 skb_clone+0x132/0xf70 btusb_recv_acl_mtk+0x104/0x1a0 [btusb] btusb_rx_work+0x9e/0xe0 [btusb] worker_thread+0xe44/0x2cc0 kthread+0x2ff/0x3a0 ret_from_fork+0x51/0x80 ret_from_fork_asm+0x1b/0x30 Freed by task 1733: stack_trace_save+0xdc/0x190 kasan_set_track+0x4e/0x80 kasan_save_free_info+0x28/0xb0 ____kasan_slab_free+0xfd/0x170 kmem_cache_free+0x183/0x3f0 hci_devcd_rx+0x91a/0x2060 [bluetooth] worker_thread+0xe44/0x2cc0 kthread+0x2ff/0x3a0 ret_from_fork+0x51/0x80 ret_from_fork_asm+0x1b/0x30 The buggy address belongs to the object at ffff888033cfab40 which belongs to the cache skbuff_head_cache of size 232 The buggy address is located 112 bytes inside of freed 232-byte region [ffff888033cfab40, ffff888033cfac28) The buggy address belongs to the physical page: page:00000000a174ba93 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x33cfa head:00000000a174ba93 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0 anon flags: 0x4000000000000840(slab|head|zone=1) page_type: 0xffffffff() raw: 4000000000000840 ffff888100848a00 0000000000000000 0000000000000001 raw: 0000000000000000 0000000080190019 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888033cfaa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ffff888033cfab00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb >ffff888033cfab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888033cfac00: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc ffff888033cfac80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Check if we need to call hci_devcd_complete before calling hci_devcd_append. That requires that we check data->cd_info.cnt >= MTK_COREDUMP_NUM instead of data->cd_info.cnt > MTK_COREDUMP_NUM, as we increment data->cd_info.cnt only once the call to hci_devcd_append succeeds. Fixes: 0b7015132878 ("Bluetooth: btusb: mediatek: add MediaTek devcoredump support") Signed-off-by: Thadeu Lima de Souza Cascardo Signed-off-by: Luiz Augusto von Dentz commit 7a17308c17880d259105f6e591eb1bc77b9612f0 Author: Iulia Tanasescu Date: Mon Dec 9 11:42:18 2024 +0200 Bluetooth: iso: Fix circular lock in iso_conn_big_sync This fixes the circular locking dependency warning below, by reworking iso_sock_recvmsg, to ensure that the socket lock is always released before calling a function that locks hdev. [ 561.670344] ====================================================== [ 561.670346] WARNING: possible circular locking dependency detected [ 561.670349] 6.12.0-rc6+ #26 Not tainted [ 561.670351] ------------------------------------------------------ [ 561.670353] iso-tester/3289 is trying to acquire lock: [ 561.670355] ffff88811f600078 (&hdev->lock){+.+.}-{3:3}, at: iso_conn_big_sync+0x73/0x260 [bluetooth] [ 561.670405] but task is already holding lock: [ 561.670407] ffff88815af58258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: iso_sock_recvmsg+0xbf/0x500 [bluetooth] [ 561.670450] which lock already depends on the new lock. [ 561.670452] the existing dependency chain (in reverse order) is: [ 561.670453] -> #2 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}: [ 561.670458] lock_acquire+0x7c/0xc0 [ 561.670463] lock_sock_nested+0x3b/0xf0 [ 561.670467] bt_accept_dequeue+0x1a5/0x4d0 [bluetooth] [ 561.670510] iso_sock_accept+0x271/0x830 [bluetooth] [ 561.670547] do_accept+0x3dd/0x610 [ 561.670550] __sys_accept4+0xd8/0x170 [ 561.670553] __x64_sys_accept+0x74/0xc0 [ 561.670556] x64_sys_call+0x17d6/0x25f0 [ 561.670559] do_syscall_64+0x87/0x150 [ 561.670563] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 561.670567] -> #1 (sk_lock-AF_BLUETOOTH-BTPROTO_ISO){+.+.}-{0:0}: [ 561.670571] lock_acquire+0x7c/0xc0 [ 561.670574] lock_sock_nested+0x3b/0xf0 [ 561.670577] iso_sock_listen+0x2de/0xf30 [bluetooth] [ 561.670617] __sys_listen_socket+0xef/0x130 [ 561.670620] __x64_sys_listen+0xe1/0x190 [ 561.670623] x64_sys_call+0x2517/0x25f0 [ 561.670626] do_syscall_64+0x87/0x150 [ 561.670629] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 561.670632] -> #0 (&hdev->lock){+.+.}-{3:3}: [ 561.670636] __lock_acquire+0x32ad/0x6ab0 [ 561.670639] lock_acquire.part.0+0x118/0x360 [ 561.670642] lock_acquire+0x7c/0xc0 [ 561.670644] __mutex_lock+0x18d/0x12f0 [ 561.670647] mutex_lock_nested+0x1b/0x30 [ 561.670651] iso_conn_big_sync+0x73/0x260 [bluetooth] [ 561.670687] iso_sock_recvmsg+0x3e9/0x500 [bluetooth] [ 561.670722] sock_recvmsg+0x1d5/0x240 [ 561.670725] sock_read_iter+0x27d/0x470 [ 561.670727] vfs_read+0x9a0/0xd30 [ 561.670731] ksys_read+0x1a8/0x250 [ 561.670733] __x64_sys_read+0x72/0xc0 [ 561.670736] x64_sys_call+0x1b12/0x25f0 [ 561.670738] do_syscall_64+0x87/0x150 [ 561.670741] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 561.670744] other info that might help us debug this: [ 561.670745] Chain exists of: &hdev->lock --> sk_lock-AF_BLUETOOTH-BTPROTO_ISO --> sk_lock-AF_BLUETOOTH [ 561.670751] Possible unsafe locking scenario: [ 561.670753] CPU0 CPU1 [ 561.670754] ---- ---- [ 561.670756] lock(sk_lock-AF_BLUETOOTH); [ 561.670758] lock(sk_lock AF_BLUETOOTH-BTPROTO_ISO); [ 561.670761] lock(sk_lock-AF_BLUETOOTH); [ 561.670764] lock(&hdev->lock); [ 561.670767] *** DEADLOCK *** Fixes: 07a9342b94a9 ("Bluetooth: ISO: Send BIG Create Sync via hci_sync") Signed-off-by: Iulia Tanasescu Signed-off-by: Luiz Augusto von Dentz commit 168e28305b871d8ec604a8f51f35467b8d7ba05b Author: Iulia Tanasescu Date: Mon Dec 9 11:42:17 2024 +0200 Bluetooth: iso: Fix circular lock in iso_listen_bis This fixes the circular locking dependency warning below, by releasing the socket lock before enterning iso_listen_bis, to avoid any potential deadlock with hdev lock. [ 75.307983] ====================================================== [ 75.307984] WARNING: possible circular locking dependency detected [ 75.307985] 6.12.0-rc6+ #22 Not tainted [ 75.307987] ------------------------------------------------------ [ 75.307987] kworker/u81:2/2623 is trying to acquire lock: [ 75.307988] ffff8fde1769da58 (sk_lock-AF_BLUETOOTH-BTPROTO_ISO) at: iso_connect_cfm+0x253/0x840 [bluetooth] [ 75.308021] but task is already holding lock: [ 75.308022] ffff8fdd61a10078 (&hdev->lock) at: hci_le_per_adv_report_evt+0x47/0x2f0 [bluetooth] [ 75.308053] which lock already depends on the new lock. [ 75.308054] the existing dependency chain (in reverse order) is: [ 75.308055] -> #1 (&hdev->lock){+.+.}-{3:3}: [ 75.308057] __mutex_lock+0xad/0xc50 [ 75.308061] mutex_lock_nested+0x1b/0x30 [ 75.308063] iso_sock_listen+0x143/0x5c0 [bluetooth] [ 75.308085] __sys_listen_socket+0x49/0x60 [ 75.308088] __x64_sys_listen+0x4c/0x90 [ 75.308090] x64_sys_call+0x2517/0x25f0 [ 75.308092] do_syscall_64+0x87/0x150 [ 75.308095] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 75.308098] -> #0 (sk_lock-AF_BLUETOOTH-BTPROTO_ISO){+.+.}-{0:0}: [ 75.308100] __lock_acquire+0x155e/0x25f0 [ 75.308103] lock_acquire+0xc9/0x300 [ 75.308105] lock_sock_nested+0x32/0x90 [ 75.308107] iso_connect_cfm+0x253/0x840 [bluetooth] [ 75.308128] hci_connect_cfm+0x6c/0x190 [bluetooth] [ 75.308155] hci_le_per_adv_report_evt+0x27b/0x2f0 [bluetooth] [ 75.308180] hci_le_meta_evt+0xe7/0x200 [bluetooth] [ 75.308206] hci_event_packet+0x21f/0x5c0 [bluetooth] [ 75.308230] hci_rx_work+0x3ae/0xb10 [bluetooth] [ 75.308254] process_one_work+0x212/0x740 [ 75.308256] worker_thread+0x1bd/0x3a0 [ 75.308258] kthread+0xe4/0x120 [ 75.308259] ret_from_fork+0x44/0x70 [ 75.308261] ret_from_fork_asm+0x1a/0x30 [ 75.308263] other info that might help us debug this: [ 75.308264] Possible unsafe locking scenario: [ 75.308264] CPU0 CPU1 [ 75.308265] ---- ---- [ 75.308265] lock(&hdev->lock); [ 75.308267] lock(sk_lock- AF_BLUETOOTH-BTPROTO_ISO); [ 75.308268] lock(&hdev->lock); [ 75.308269] lock(sk_lock-AF_BLUETOOTH-BTPROTO_ISO); [ 75.308270] *** DEADLOCK *** [ 75.308271] 4 locks held by kworker/u81:2/2623: [ 75.308272] #0: ffff8fdd66e52148 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_one_work+0x443/0x740 [ 75.308276] #1: ffffafb488b7fe48 ((work_completion)(&hdev->rx_work)), at: process_one_work+0x1ce/0x740 [ 75.308280] #2: ffff8fdd61a10078 (&hdev->lock){+.+.}-{3:3} at: hci_le_per_adv_report_evt+0x47/0x2f0 [bluetooth] [ 75.308304] #3: ffffffffb6ba4900 (rcu_read_lock){....}-{1:2}, at: hci_connect_cfm+0x29/0x190 [bluetooth] Fixes: 02171da6e86a ("Bluetooth: ISO: Add hcon for listening bis sk") Signed-off-by: Iulia Tanasescu Signed-off-by: Luiz Augusto von Dentz commit 29a651451e6c264f58cd9d9a26088e579d17b242 Author: Frédéric Danis Date: Thu Dec 5 16:51:59 2024 +0100 Bluetooth: SCO: Add support for 16 bits transparent voice setting The voice setting is used by sco_connect() or sco_conn_defer_accept() after being set by sco_sock_setsockopt(). The PCM part of the voice setting is used for offload mode through PCM chipset port. This commits add support for mSBC 16 bits offloading, i.e. audio data not transported over HCI. The BCM4349B1 supports 16 bits transparent data on its I2S port. If BT_VOICE_TRANSPARENT is used when accepting a SCO connection, this gives only garbage audio while using BT_VOICE_TRANSPARENT_16BIT gives correct audio. This has been tested with connection to iPhone 14 and Samsung S24. Fixes: ad10b1a48754 ("Bluetooth: Add Bluetooth socket voice option") Signed-off-by: Frédéric Danis Signed-off-by: Luiz Augusto von Dentz commit 9bde7c3b3ad0e1f39d6df93dd1c9caf63e19e50f Author: Iulia Tanasescu Date: Wed Dec 4 14:28:49 2024 +0200 Bluetooth: iso: Fix recursive locking warning This updates iso_sock_accept to use nested locking for the parent socket, to avoid lockdep warnings caused because the parent and child sockets are locked by the same thread: [ 41.585683] ============================================ [ 41.585688] WARNING: possible recursive locking detected [ 41.585694] 6.12.0-rc6+ #22 Not tainted [ 41.585701] -------------------------------------------- [ 41.585705] iso-tester/3139 is trying to acquire lock: [ 41.585711] ffff988b29530a58 (sk_lock-AF_BLUETOOTH) at: bt_accept_dequeue+0xe3/0x280 [bluetooth] [ 41.585905] but task is already holding lock: [ 41.585909] ffff988b29533a58 (sk_lock-AF_BLUETOOTH) at: iso_sock_accept+0x61/0x2d0 [bluetooth] [ 41.586064] other info that might help us debug this: [ 41.586069] Possible unsafe locking scenario: [ 41.586072] CPU0 [ 41.586076] ---- [ 41.586079] lock(sk_lock-AF_BLUETOOTH); [ 41.586086] lock(sk_lock-AF_BLUETOOTH); [ 41.586093] *** DEADLOCK *** [ 41.586097] May be due to missing lock nesting notation [ 41.586101] 1 lock held by iso-tester/3139: [ 41.586107] #0: ffff988b29533a58 (sk_lock-AF_BLUETOOTH) at: iso_sock_accept+0x61/0x2d0 [bluetooth] Fixes: ccf74f2390d6 ("Bluetooth: Add BTPROTO_ISO socket type") Signed-off-by: Iulia Tanasescu Signed-off-by: Luiz Augusto von Dentz commit 9c76fff747a73ba01d1d87ed53dd9c00cb40ba05 Author: Iulia Tanasescu Date: Wed Dec 4 14:28:48 2024 +0200 Bluetooth: iso: Always release hdev at the end of iso_listen_bis Since hci_get_route holds the device before returning, the hdev should be released with hci_dev_put at the end of iso_listen_bis even if the function returns with an error. Fixes: 02171da6e86a ("Bluetooth: ISO: Add hcon for listening bis sk") Signed-off-by: Iulia Tanasescu Signed-off-by: Luiz Augusto von Dentz commit 581dd2dc168fe0ed2a7a5534a724f0d3751c93ae Author: Luiz Augusto von Dentz Date: Wed Dec 4 11:40:59 2024 -0500 Bluetooth: hci_event: Fix using rcu_read_(un)lock while iterating The usage of rcu_read_(un)lock while inside list_for_each_entry_rcu is not safe since for the most part entries fetched this way shall be treated as rcu_dereference: Note that the value returned by rcu_dereference() is valid only within the enclosing RCU read-side critical section [1]_. For example, the following is **not** legal:: rcu_read_lock(); p = rcu_dereference(head.next); rcu_read_unlock(); x = p->address; /* BUG!!! */ rcu_read_lock(); y = p->data; /* BUG!!! */ rcu_read_unlock(); Fixes: a0bfde167b50 ("Bluetooth: ISO: Add support for connecting multiple BISes") Signed-off-by: Luiz Augusto von Dentz commit 4d94f05558271654670d18c26c912da0c1c15549 Author: Luiz Augusto von Dentz Date: Tue Dec 3 16:07:32 2024 -0500 Bluetooth: hci_core: Fix sleeping function called from invalid context This reworks hci_cb_list to not use mutex hci_cb_list_lock to avoid bugs like the bellow: BUG: sleeping function called from invalid context at kernel/locking/mutex.c:585 in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 5070, name: kworker/u9:2 preempt_count: 0, expected: 0 RCU nest depth: 1, expected: 0 4 locks held by kworker/u9:2/5070: #0: ffff888015be3948 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3229 [inline] #0: ffff888015be3948 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x8e0/0x1770 kernel/workqueue.c:3335 #1: ffffc90003b6fd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3230 [inline] #1: ffffc90003b6fd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x91b/0x1770 kernel/workqueue.c:3335 #2: ffff8880665d0078 (&hdev->lock){+.+.}-{3:3}, at: hci_le_create_big_complete_evt+0xcf/0xae0 net/bluetooth/hci_event.c:6914 #3: ffffffff8e132020 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline] #3: ffffffff8e132020 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:750 [inline] #3: ffffffff8e132020 (rcu_read_lock){....}-{1:2}, at: hci_le_create_big_complete_evt+0xdb/0xae0 net/bluetooth/hci_event.c:6915 CPU: 0 PID: 5070 Comm: kworker/u9:2 Not tainted 6.8.0-syzkaller-08073-g480e035fc4c7 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Workqueue: hci0 hci_rx_work Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 __might_resched+0x5d4/0x780 kernel/sched/core.c:10187 __mutex_lock_common kernel/locking/mutex.c:585 [inline] __mutex_lock+0xc1/0xd70 kernel/locking/mutex.c:752 hci_connect_cfm include/net/bluetooth/hci_core.h:2004 [inline] hci_le_create_big_complete_evt+0x3d9/0xae0 net/bluetooth/hci_event.c:6939 hci_event_func net/bluetooth/hci_event.c:7514 [inline] hci_event_packet+0xa53/0x1540 net/bluetooth/hci_event.c:7569 hci_rx_work+0x3e8/0xca0 net/bluetooth/hci_core.c:4171 process_one_work kernel/workqueue.c:3254 [inline] process_scheduled_works+0xa00/0x1770 kernel/workqueue.c:3335 worker_thread+0x86d/0xd70 kernel/workqueue.c:3416 kthread+0x2f0/0x390 kernel/kthread.c:388 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243 Reported-by: syzbot+2fb0835e0c9cefc34614@syzkaller.appspotmail.com Tested-by: syzbot+2fb0835e0c9cefc34614@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=2fb0835e0c9cefc34614 Signed-off-by: Luiz Augusto von Dentz commit 7b26bc6582b13a52a42a4a9765e8f30d58a81198 Merge: b2e538a9827dd0 255cc582e6e161 Author: Takashi Iwai Date: Thu Dec 12 14:49:35 2024 +0100 Merge tag 'asoc-fix-v6.12-rc2' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus ASoC: Fixes for v6.13 A small pile of driver specific fixes, all quite small and not particularly major. commit 0cff90dec63da908fb16d9ea2872ebbcd2d18e6a Author: T.J. Mercier Date: Sun Nov 17 17:03:25 2024 +0000 dma-buf: Fix __dma_buf_debugfs_list_del argument for !CONFIG_DEBUG_FS The arguments for __dma_buf_debugfs_list_del do not match for both the CONFIG_DEBUG_FS case and the !CONFIG_DEBUG_FS case. The !CONFIG_DEBUG_FS case should take a struct dma_buf *, but it's currently struct file *. This can lead to the build error: error: passing argument 1 of ‘__dma_buf_debugfs_list_del’ from incompatible pointer type [-Werror=incompatible-pointer-types] dma-buf.c:63:53: note: expected ‘struct file *’ but argument is of type ‘struct dma_buf *’ 63 | static void __dma_buf_debugfs_list_del(struct file *file) Fixes: bfc7bc539392 ("dma-buf: Do not build debugfs related code when !CONFIG_DEBUG_FS") Signed-off-by: T.J. Mercier Reviewed-by: Tvrtko Ursulin Signed-off-by: Sumit Semwal Link: https://patchwork.freedesktop.org/patch/msgid/20241117170326.1971113-1-tjmercier@google.com commit c53d96a4481f42a1635b96d2c1acbb0a126bfd54 Author: Daniil Tatianin Date: Fri Nov 22 11:29:54 2024 +0300 ACPICA: events/evxfregn: don't release the ContextMutex that was never acquired This bug was first introduced in c27f3d011b08, where the author of the patch probably meant to do DeleteMutex instead of ReleaseMutex. The mutex leak was noticed later on and fixed in e4dfe108371, but the bogus MutexRelease line was never removed, so do it now. Link: https://github.com/acpica/acpica/pull/982 Fixes: c27f3d011b08 ("ACPICA: Fix race in generic_serial_bus (I2C) and GPIO op_region parameter handling") Signed-off-by: Daniil Tatianin Link: https://patch.msgid.link/20241122082954.658356-1-d-tatianin@yandex-team.ru Signed-off-by: Rafael J. Wysocki commit 3d64c3d3c6d8c740a310d40ec1faaab59dde81ee Merge: 98712844589e06 b04df3da1b5c6f Author: Paolo Abeni Date: Thu Dec 12 13:11:38 2024 +0100 Merge tag 'nf-24-12-11' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following patchset contains Netfilter fixes for net: 1) Fix bogus test reports in rpath.sh selftest by adding permanent neighbor entries, from Phil Sutter. 2) Lockdep reports possible ABBA deadlock in xt_IDLETIMER, fix it by removing sysfs out of the mutex section, also from Phil Sutter. 3) It is illegal to release basechain via RCU callback, for several reasons. Keep it simple and safe by calling synchronize_rcu() instead. This is a partially reverting a botched recent attempt of me to fix this basechain release path on netdevice removal. From Florian Westphal. netfilter pull request 24-12-11 * tag 'nf-24-12-11' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf: netfilter: nf_tables: do not defer rule destruction via call_rcu netfilter: IDLETIMER: Fix for possible ABBA deadlock selftests: netfilter: Stabilize rpath.sh ==================== Link: https://patch.msgid.link/20241211230130.176937-1-pablo@netfilter.org Signed-off-by: Paolo Abeni commit de6b43798d9043a7c749a0428dbb02d5fff156e5 Author: Geert Uytterhoeven Date: Fri Nov 22 15:14:35 2024 +0100 i2c: riic: Always round-up when calculating bus period Currently, the RIIC driver may run the I2C bus faster than requested, which may cause subtle failures. E.g. Biju reported a measured bus speed of 450 kHz instead of the expected maximum of 400 kHz on RZ/G2L. The initial calculation of the bus period uses DIV_ROUND_UP(), to make sure the actual bus speed never becomes faster than the requested bus speed. However, the subsequent division-by-two steps do not use round-up, which may lead to a too-small period, hence a too-fast and possible out-of-spec bus speed. E.g. on RZ/Five, requesting a bus speed of 100 resp. 400 kHz will yield too-fast target bus speeds of 100806 resp. 403226 Hz instead of 97656 resp. 390625 Hz. Fix this by using DIV_ROUND_UP() in the subsequent divisions, too. Tested on RZ/A1H, RZ/A2M, and RZ/Five. Fixes: d982d66514192cdb ("i2c: riic: remove clock and frequency restrictions") Reported-by: Biju Das Signed-off-by: Geert Uytterhoeven Cc: # v4.15+ Link: https://lore.kernel.org/r/c59aea77998dfea1b4456c4b33b55ab216fcbf5e.1732284746.git.geert+renesas@glider.be Signed-off-by: Andi Shyti commit 255cc582e6e16191a20d54bcdbca6c91d3e90c5e Author: Charles Keepax Date: Thu Dec 12 10:57:42 2024 +0000 ASoC: Intel: sof_sdw: Add space for a terminator into DAIs array The code uses the initialised member of the asoc_sdw_dailink struct to determine if a member of the array is in use. However in the case the array is completely full this will lead to an access 1 past the end of the array, expand the array by one entry to include a space for a terminator. Fixes: 27fd36aefa00 ("ASoC: Intel: sof-sdw: Add new code for parsing the snd_soc_acpi structs") Reviewed-by: Bard Liao Reviewed-by: Péter Ujfalusi Signed-off-by: Charles Keepax Link: https://patch.msgid.link/20241212105742.1508574-1-ckeepax@opensource.cirrus.com Signed-off-by: Mark Brown commit 98712844589e06d9aa305b5077169942139fd75c Author: Daniel Borkmann Date: Tue Dec 10 15:12:45 2024 +0100 team: Fix feature propagation of NETIF_F_GSO_ENCAP_ALL Similar to bonding driver, add NETIF_F_GSO_ENCAP_ALL to TEAM_VLAN_FEATURES in order to support slave devices which propagate NETIF_F_GSO_UDP_TUNNEL & NETIF_F_GSO_UDP_TUNNEL_CSUM as vlan_features. Fixes: 3625920b62c3 ("teaming: fix vlan_features computing") Signed-off-by: Daniel Borkmann Cc: Nikolay Aleksandrov Cc: Ido Schimmel Cc: Jiri Pirko Reviewed-by: Nikolay Aleksandrov Reviewed-by: Hangbin Liu Link: https://patch.msgid.link/20241210141245.327886-5-daniel@iogearbox.net Signed-off-by: Paolo Abeni commit 396699ac2cb1bc4e3485abb48a1e3e41956de0cd Author: Daniel Borkmann Date: Tue Dec 10 15:12:44 2024 +0100 team: Fix initial vlan_feature set in __team_compute_features Similarly as with bonding, fix the calculation of vlan_features to reuse netdev_base_features() in order derive the set in the same way as ndo_fix_features before iterating through the slave devices to refine the feature set. Fixes: 3625920b62c3 ("teaming: fix vlan_features computing") Signed-off-by: Daniel Borkmann Cc: Nikolay Aleksandrov Cc: Ido Schimmel Cc: Jiri Pirko Reviewed-by: Nikolay Aleksandrov Reviewed-by: Hangbin Liu Link: https://patch.msgid.link/20241210141245.327886-4-daniel@iogearbox.net Signed-off-by: Paolo Abeni commit 77b11c8bf3a228d1c63464534c2dcc8d9c8bf7ff Author: Daniel Borkmann Date: Tue Dec 10 15:12:43 2024 +0100 bonding: Fix feature propagation of NETIF_F_GSO_ENCAP_ALL Drivers like mlx5 expose NIC's vlan_features such as NETIF_F_GSO_UDP_TUNNEL & NETIF_F_GSO_UDP_TUNNEL_CSUM which are later not propagated when the underlying devices are bonded and a vlan device created on top of the bond. Right now, the more cumbersome workaround for this is to create the vlan on top of the mlx5 and then enslave the vlan devices to a bond. To fix this, add NETIF_F_GSO_ENCAP_ALL to BOND_VLAN_FEATURES such that bond_compute_features() can probe and propagate the vlan_features from the slave devices up to the vlan device. Given the following bond: # ethtool -i enp2s0f{0,1}np{0,1} driver: mlx5_core [...] # ethtool -k enp2s0f0np0 | grep udp tx-udp_tnl-segmentation: on tx-udp_tnl-csum-segmentation: on tx-udp-segmentation: on rx-udp_tunnel-port-offload: on rx-udp-gro-forwarding: off # ethtool -k enp2s0f1np1 | grep udp tx-udp_tnl-segmentation: on tx-udp_tnl-csum-segmentation: on tx-udp-segmentation: on rx-udp_tunnel-port-offload: on rx-udp-gro-forwarding: off # ethtool -k bond0 | grep udp tx-udp_tnl-segmentation: on tx-udp_tnl-csum-segmentation: on tx-udp-segmentation: on rx-udp_tunnel-port-offload: off [fixed] rx-udp-gro-forwarding: off Before: # ethtool -k bond0.100 | grep udp tx-udp_tnl-segmentation: off [requested on] tx-udp_tnl-csum-segmentation: off [requested on] tx-udp-segmentation: on rx-udp_tunnel-port-offload: off [fixed] rx-udp-gro-forwarding: off After: # ethtool -k bond0.100 | grep udp tx-udp_tnl-segmentation: on tx-udp_tnl-csum-segmentation: on tx-udp-segmentation: on rx-udp_tunnel-port-offload: off [fixed] rx-udp-gro-forwarding: off Various users have run into this reporting performance issues when configuring Cilium in vxlan tunneling mode and having the combination of bond & vlan for the core devices connecting the Kubernetes cluster to the outside world. Fixes: a9b3ace44c7d ("bonding: fix vlan_features computing") Signed-off-by: Daniel Borkmann Cc: Nikolay Aleksandrov Cc: Ido Schimmel Cc: Jiri Pirko Reviewed-by: Nikolay Aleksandrov Reviewed-by: Hangbin Liu Link: https://patch.msgid.link/20241210141245.327886-3-daniel@iogearbox.net Signed-off-by: Paolo Abeni commit d064ea7fe2a24938997b5e88e6b61cbb0a4bb906 Author: Daniel Borkmann Date: Tue Dec 10 15:12:42 2024 +0100 bonding: Fix initial {vlan,mpls}_feature set in bond_compute_features If a bonding device has slave devices, then the current logic to derive the feature set for the master bond device is limited in that flags which are fully supported by the underlying slave devices cannot be propagated up to vlan devices which sit on top of bond devices. Instead, these get blindly masked out via current NETIF_F_ALL_FOR_ALL logic. vlan_features and mpls_features should reuse netdev_base_features() in order derive the set in the same way as ndo_fix_features before iterating through the slave devices to refine the feature set. Fixes: a9b3ace44c7d ("bonding: fix vlan_features computing") Fixes: 2e770b507ccd ("net: bonding: Inherit MPLS features from slave devices") Signed-off-by: Daniel Borkmann Cc: Nikolay Aleksandrov Cc: Ido Schimmel Cc: Jiri Pirko Reviewed-by: Nikolay Aleksandrov Reviewed-by: Hangbin Liu Link: https://patch.msgid.link/20241210141245.327886-2-daniel@iogearbox.net Signed-off-by: Paolo Abeni commit d2516c3a53705f783bb6868df0f4a2b977898a71 Author: Daniel Borkmann Date: Tue Dec 10 15:12:41 2024 +0100 net, team, bonding: Add netdev_base_features helper Both bonding and team driver have logic to derive the base feature flags before iterating over their slave devices to refine the set via netdev_increment_features(). Add a small helper netdev_base_features() so this can be reused instead of having it open-coded multiple times. Signed-off-by: Daniel Borkmann Cc: Nikolay Aleksandrov Cc: Ido Schimmel Cc: Jiri Pirko Reviewed-by: Hangbin Liu Reviewed-by: Nikolay Aleksandrov Link: https://patch.msgid.link/20241210141245.327886-1-daniel@iogearbox.net Signed-off-by: Paolo Abeni commit 7a4f541873734f41f9645ec147cfae72ef3ffd00 Author: Joanne Koong Date: Wed Dec 11 12:55:56 2024 -0800 fuse: fix direct io folio offset and length calculation For the direct io case, the pages from userspace may be part of a huge folio, even if all folios in the page cache for fuse are small. Fix the logic for calculating the offset and length of the folio for the direct io case, which currently incorrectly assumes that all folios encountered are one page size. Fixes: 3b97c3652d91 ("fuse: convert direct io to use folios") Signed-off-by: Joanne Koong Reviewed-by: Jingbo Xu Reviewed-by: Bernd Schubert Signed-off-by: Miklos Szeredi commit 434fffa926b10706f2bde2db22979d68463302fc Author: James Clark Date: Wed Dec 11 08:55:23 2024 +0000 perf probe: Fix uninitialized variable Since the linked fixes: commit, err is returned uninitialized due to the removal of "return 0". Initialize err to fix it. This fixes the following intermittent test failure on release builds: $ perf test "testsuite_probe" ... -- [ FAIL ] -- perf_probe :: test_invalid_options :: mutually exclusive options :: -L foo -V bar (output regexp parsing) Regexp not found: \"Error: switch .+ cannot be used with switch .+\" ... Fixes: 080e47b2a237 ("perf probe: Introduce quotation marks support") Tested-by: Namhyung Kim Reviewed-by: Arnaldo Carvalho de Melo Acked-by: Masami Hiramatsu (Google) Signed-off-by: James Clark Link: https://lore.kernel.org/r/20241211085525.519458-2-james.clark@linaro.org Signed-off-by: Namhyung Kim commit f8d4bc455047cf3903cd6f85f49978987dbb3027 Author: Martin Ottens Date: Tue Dec 10 14:14:11 2024 +0100 net/sched: netem: account for backlog updates from child qdisc In general, 'qlen' of any classful qdisc should keep track of the number of packets that the qdisc itself and all of its children holds. In case of netem, 'qlen' only accounts for the packets in its internal tfifo. When netem is used with a child qdisc, the child qdisc can use 'qdisc_tree_reduce_backlog' to inform its parent, netem, about created or dropped SKBs. This function updates 'qlen' and the backlog statistics of netem, but netem does not account for changes made by a child qdisc. 'qlen' then indicates the wrong number of packets in the tfifo. If a child qdisc creates new SKBs during enqueue and informs its parent about this, netem's 'qlen' value is increased. When netem dequeues the newly created SKBs from the child, the 'qlen' in netem is not updated. If 'qlen' reaches the configured sch->limit, the enqueue function stops working, even though the tfifo is not full. Reproduce the bug: Ensure that the sender machine has GSO enabled. Configure netem as root qdisc and tbf as its child on the outgoing interface of the machine as follows: $ tc qdisc add dev root handle 1: netem delay 100ms limit 100 $ tc qdisc add dev parent 1:0 tbf rate 50Mbit burst 1542 latency 50ms Send bulk TCP traffic out via this interface, e.g., by running an iPerf3 client on the machine. Check the qdisc statistics: $ tc -s qdisc show dev Statistics after 10s of iPerf3 TCP test before the fix (note that netem's backlog > limit, netem stopped accepting packets): qdisc netem 1: root refcnt 2 limit 1000 delay 100ms Sent 2767766 bytes 1848 pkt (dropped 652, overlimits 0 requeues 0) backlog 4294528236b 1155p requeues 0 qdisc tbf 10: parent 1:1 rate 50Mbit burst 1537b lat 50ms Sent 2767766 bytes 1848 pkt (dropped 327, overlimits 7601 requeues 0) backlog 0b 0p requeues 0 Statistics after the fix: qdisc netem 1: root refcnt 2 limit 1000 delay 100ms Sent 37766372 bytes 24974 pkt (dropped 9, overlimits 0 requeues 0) backlog 0b 0p requeues 0 qdisc tbf 10: parent 1:1 rate 50Mbit burst 1537b lat 50ms Sent 37766372 bytes 24974 pkt (dropped 327, overlimits 96017 requeues 0) backlog 0b 0p requeues 0 tbf segments the GSO SKBs (tbf_segment) and updates the netem's 'qlen'. The interface fully stops transferring packets and "locks". In this case, the child qdisc and tfifo are empty, but 'qlen' indicates the tfifo is at its limit and no more packets are accepted. This patch adds a counter for the entries in the tfifo. Netem's 'qlen' is only decreased when a packet is returned by its dequeue function, and not during enqueuing into the child qdisc. External updates to 'qlen' are thus accounted for and only the behavior of the backlog statistics changes. As in other qdiscs, 'qlen' then keeps track of how many packets are held in netem and all of its children. As before, sch->limit remains as the maximum number of packets in the tfifo. The same applies to netem's backlog statistics. Fixes: 50612537e9ab ("netem: fix classful handling") Signed-off-by: Martin Ottens Acked-by: Jamal Hadi Salim Link: https://patch.msgid.link/20241210131412.1837202-1-martin.ottens@fau.de Signed-off-by: Jakub Kicinski commit 564d74d6ac4af8c3a15974ca1aa9a1dc5ce41871 Merge: acfcdb78d5d4cd fff8f17c1a6fc8 Author: Jakub Kicinski Date: Wed Dec 11 20:25:59 2024 -0800 Merge tag 'batadv-net-pullrequest-20241210' of git://git.open-mesh.org/linux-merge Simon Wunderlich says: ==================== Here are some batman-adv bugfixes: - fix TT unitialized data and size limit issues, by Remi Pommarel (3 patches) * tag 'batadv-net-pullrequest-20241210' of git://git.open-mesh.org/linux-merge: batman-adv: Do not let TT changes list grows indefinitely batman-adv: Remove uninitialized data in full table TT response batman-adv: Do not send uninitialized TT changes ==================== Link: https://patch.msgid.link/20241210135024.39068-1-sw@simonwunderlich.de Signed-off-by: Jakub Kicinski commit acfcdb78d5d4cdb78e975210c8825b9a112463f6 Author: Vladimir Oltean Date: Tue Dec 10 15:26:40 2024 +0200 net: dsa: felix: fix stuck CPU-injected packets with short taprio windows With this port schedule: tc qdisc replace dev $send_if parent root handle 100 taprio \ num_tc 8 queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 \ map 0 1 2 3 4 5 6 7 \ base-time 0 cycle-time 10000 \ sched-entry S 01 1250 \ sched-entry S 02 1250 \ sched-entry S 04 1250 \ sched-entry S 08 1250 \ sched-entry S 10 1250 \ sched-entry S 20 1250 \ sched-entry S 40 1250 \ sched-entry S 80 1250 \ flags 2 ptp4l would fail to take TX timestamps of Pdelay_Resp messages like this: increasing tx_timestamp_timeout may correct this issue, but it is likely caused by a driver bug ptp4l[4134.168]: port 2: send peer delay response failed It turns out that the driver can't take their TX timestamps because it can't transmit them in the first place. And there's nothing special about the Pdelay_Resp packets - they're just regular 68 byte packets. But with this taprio configuration, the switch would refuse to send even the ETH_ZLEN minimum packet size. This should have definitely not been the case. When applying the taprio config, the driver prints: mscc_felix 0000:00:00.5: port 0 tc 0 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 132 octets including FCS mscc_felix 0000:00:00.5: port 0 tc 1 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 132 octets including FCS mscc_felix 0000:00:00.5: port 0 tc 2 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 132 octets including FCS mscc_felix 0000:00:00.5: port 0 tc 3 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 132 octets including FCS mscc_felix 0000:00:00.5: port 0 tc 4 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 132 octets including FCS mscc_felix 0000:00:00.5: port 0 tc 5 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 132 octets including FCS mscc_felix 0000:00:00.5: port 0 tc 6 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 132 octets including FCS mscc_felix 0000:00:00.5: port 0 tc 7 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 132 octets including FCS and thus, everything under 132 bytes - ETH_FCS_LEN should have been sent without problems. Yet it's not. For the forwarding path, the configuration is fine, yet packets injected from Linux get stuck with this schedule no matter what. The first hint that the static guard bands are the cause of the problem is that reverting Michael Walle's commit 297c4de6f780 ("net: dsa: felix: re-enable TAS guard band mode") made things work. It must be that the guard bands are calculated incorrectly. I remembered that there is a magic constant in the driver, set to 33 ns for no logical reason other than experimentation, which says "never let the static guard bands get so large as to leave less than this amount of remaining space in the time slot, because the queue system will refuse to schedule packets otherwise, and they will get stuck". I had a hunch that my previous experimentally-determined value was only good for packets coming from the forwarding path, and that the CPU injection path needed more. I came to the new value of 35 ns through binary search, after seeing that with 544 ns (the bit time required to send the Pdelay_Resp packet at gigabit) it works. Again, this is purely experimental, there's no logic and the manual doesn't say anything. The new driver prints for this schedule look like this: mscc_felix 0000:00:00.5: port 0 tc 0 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 131 octets including FCS mscc_felix 0000:00:00.5: port 0 tc 1 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 131 octets including FCS mscc_felix 0000:00:00.5: port 0 tc 2 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 131 octets including FCS mscc_felix 0000:00:00.5: port 0 tc 3 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 131 octets including FCS mscc_felix 0000:00:00.5: port 0 tc 4 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 131 octets including FCS mscc_felix 0000:00:00.5: port 0 tc 5 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 131 octets including FCS mscc_felix 0000:00:00.5: port 0 tc 6 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 131 octets including FCS mscc_felix 0000:00:00.5: port 0 tc 7 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 131 octets including FCS So yes, the maximum MTU is now even smaller by 1 byte than before. This is maybe counter-intuitive, but makes more sense with a diagram of one time slot. Before: Gate open Gate close | | v 1250 ns total time slot duration v <----------------------------------------------------> <----><----------------------------------------------> 33 ns 1217 ns static guard band useful Gate open Gate close | | v 1250 ns total time slot duration v <----------------------------------------------------> <-----><---------------------------------------------> 35 ns 1215 ns static guard band useful The static guard band implemented by this switch hardware directly determines the maximum allowable MTU for that traffic class. The larger it is, the earlier the switch will stop scheduling frames for transmission, because otherwise they might overrun the gate close time (and avoiding that is the entire purpose of Michael's patch). So, we now have guard bands smaller by 2 ns, thus, in this particular case, we lose a byte of the maximum MTU. Fixes: 11afdc6526de ("net: dsa: felix: tc-taprio intervals smaller than MTU should send at least one packet") Signed-off-by: Vladimir Oltean Reviewed-by: Michael Walle Link: https://patch.msgid.link/20241210132640.3426788-1-vladimir.oltean@nxp.com Signed-off-by: Jakub Kicinski commit 6bd8614fc2d076fc21b7488c9f279853960964e2 Author: Frederik Deweerdt Date: Mon Dec 9 21:06:48 2024 -0800 splice: do not checksum AF_UNIX sockets When `skb_splice_from_iter` was introduced, it inadvertently added checksumming for AF_UNIX sockets. This resulted in significant slowdowns, for example when using sendfile over unix sockets. Using the test code in [1] in my test setup (2G single core qemu), the client receives a 1000M file in: - without the patch: 1482ms (+/- 36ms) - with the patch: 652.5ms (+/- 22.9ms) This commit addresses the issue by marking checksumming as unnecessary in `unix_stream_sendmsg` Cc: stable@vger.kernel.org Signed-off-by: Frederik Deweerdt Fixes: 2e910b95329c ("net: Add a function to splice pages into an skbuff for MSG_SPLICE_PAGES") Reviewed-by: Kuniyuki Iwashima Reviewed-by: Eric Dumazet Reviewed-by: Joe Damato Link: https://patch.msgid.link/Z1fMaHkRf8cfubuE@xiberoa Signed-off-by: Jakub Kicinski commit 3b58b53a26598209a7ad8259a5114ce71f7c3d64 Author: Daniele Palmas Date: Mon Dec 9 16:18:21 2024 +0100 net: usb: qmi_wwan: add Telit FE910C04 compositions Add the following Telit FE910C04 compositions: 0x10c0: rmnet + tty (AT/NMEA) + tty (AT) + tty (diag) T: Bus=02 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#= 13 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=1bc7 ProdID=10c0 Rev=05.15 S: Manufacturer=Telit Cinterion S: Product=FE910 S: SerialNumber=f71b8b32 C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=500mA I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms 0x10c4: rmnet + tty (AT) + tty (AT) + tty (diag) T: Bus=02 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#= 14 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=1bc7 ProdID=10c4 Rev=05.15 S: Manufacturer=Telit Cinterion S: Product=FE910 S: SerialNumber=f71b8b32 C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=500mA I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms 0x10c8: rmnet + tty (AT) + tty (diag) + DPL (data packet logging) + adb T: Bus=02 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#= 17 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=1bc7 ProdID=10c8 Rev=05.15 S: Manufacturer=Telit Cinterion S: Product=FE910 S: SerialNumber=f71b8b32 C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms I: If#= 3 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none) E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms Signed-off-by: Daniele Palmas Link: https://patch.msgid.link/20241209151821.3688829-1-dnlplm@gmail.com Signed-off-by: Jakub Kicinski commit 563307e9c02187d660a696193a05f180ab2fe167 Merge: 15bfb14727bcf5 9a5beb6ca6305d Author: Jakub Kicinski Date: Wed Dec 11 20:21:06 2024 -0800 Merge branch 'mana-fix-few-memory-leaks-in-mana_gd_setup_irqs' Maxim Levitsky says: ==================== MANA: Fix few memory leaks in mana_gd_setup_irqs Fix 2 minor memory leaks in the mana driver, introduced by commit ==================== Link: https://patch.msgid.link/20241209175751.287738-1-mlevitsk@redhat.com Signed-off-by: Jakub Kicinski commit 9a5beb6ca6305de5c5210efab0702ea79b62eb39 Author: Maxim Levitsky Date: Mon Dec 9 12:57:51 2024 -0500 net: mana: Fix irq_contexts memory leak in mana_gd_setup_irqs gc->irq_contexts is not freeded if one of the later operations fail. Suggested-by: Michael Kelley Fixes: 8afefc361209 ("net: mana: Assigning IRQ affinity on HT cores") Signed-off-by: Maxim Levitsky Reviewed-by: Michal Swiatkowski Reviewed-by: Kalesh AP Reviewed-by: Saurabh Sengar Reviewed-by: Yury Norov Link: https://patch.msgid.link/20241209175751.287738-3-mlevitsk@redhat.com Signed-off-by: Jakub Kicinski commit bb1e3eb57d2cc38951f9a9f1b8c298ced175798f Author: Maxim Levitsky Date: Mon Dec 9 12:57:50 2024 -0500 net: mana: Fix memory leak in mana_gd_setup_irqs Commit 8afefc361209 ("net: mana: Assigning IRQ affinity on HT cores") added memory allocation in mana_gd_setup_irqs of 'irqs' but the code doesn't free this temporary array in the success path. This was caught by kmemleak. Fixes: 8afefc361209 ("net: mana: Assigning IRQ affinity on HT cores") Signed-off-by: Maxim Levitsky Reviewed-by: Michal Swiatkowski Reviewed-by: Kalesh AP Reviewed-by: Saurabh Sengar Reviewed-by: Yury Norov Link: https://patch.msgid.link/20241209175751.287738-2-mlevitsk@redhat.com Signed-off-by: Jakub Kicinski commit 15bfb14727bcf5f72b099338fcdb5aca631f9197 Author: Simon Horman Date: Tue Dec 10 13:47:44 2024 +0000 MAINTAINERS: Add ethtool.h to NETWORKING [GENERAL] This is part of an effort to assign a section in MAINTAINERS to header files related to Networking. In this case the files named ethool.h. Signed-off-by: Simon Horman Link: https://patch.msgid.link/20241210-mnt-ethtool-h-v1-1-2a40b567939d@kernel.org Signed-off-by: Jakub Kicinski commit f49856f525acd5bef52ae28b7da2e001bbe7439e Author: Jann Horn Date: Wed Dec 4 17:26:21 2024 +0100 udmabuf: fix memory leak on last export_udmabuf() error path In export_udmabuf(), if dma_buf_fd() fails because the FD table is full, a dma_buf owning the udmabuf has already been created; but the error handling in udmabuf_create() will tear down the udmabuf without doing anything about the containing dma_buf. This leaves a dma_buf in memory that contains a dangling pointer; though that doesn't seem to lead to anything bad except a memory leak. Fix it by moving the dma_buf_fd() call out of export_udmabuf() so that we can give it different error handling. Note that the shape of this code changed a lot in commit 5e72b2b41a21 ("udmabuf: convert udmabuf driver to use folios"); but the memory leak seems to have existed since the introduction of udmabuf. Fixes: fbb0de795078 ("Add udmabuf misc device") Acked-by: Vivek Kasireddy Signed-off-by: Jann Horn Signed-off-by: Vivek Kasireddy Link: https://patchwork.freedesktop.org/patch/msgid/20241204-udmabuf-fixes-v2-3-23887289de1c@google.com commit 0a16e24e34f28210f68195259456c73462518597 Author: Jann Horn Date: Wed Dec 4 17:26:20 2024 +0100 udmabuf: also check for F_SEAL_FUTURE_WRITE When F_SEAL_FUTURE_WRITE was introduced, it was overlooked that udmabuf must reject memfds with this flag, just like ones with F_SEAL_WRITE. Fix it by adding F_SEAL_FUTURE_WRITE to SEALS_DENIED. Fixes: ab3948f58ff8 ("mm/memfd: add an F_SEAL_FUTURE_WRITE seal to memfd") Cc: stable@vger.kernel.org Acked-by: Vivek Kasireddy Signed-off-by: Jann Horn Reviewed-by: Joel Fernandes (Google) Signed-off-by: Vivek Kasireddy Link: https://patchwork.freedesktop.org/patch/msgid/20241204-udmabuf-fixes-v2-2-23887289de1c@google.com commit 9cb189a882738c1d28b349d4e7c6a1ef9b3d8f87 Author: Jann Horn Date: Wed Dec 4 17:26:19 2024 +0100 udmabuf: fix racy memfd sealing check The current check_memfd_seals() is racy: Since we first do check_memfd_seals() and then udmabuf_pin_folios() without holding any relevant lock across both, F_SEAL_WRITE can be set in between. This is problematic because we can end up holding pins to pages in a write-sealed memfd. Fix it using the inode lock, that's probably the easiest way. In the future, we might want to consider moving this logic into memfd, especially if anyone else wants to use memfd_pin_folios(). Reported-by: Julian Orth Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219106 Closes: https://lore.kernel.org/r/CAG48ez0w8HrFEZtJkfmkVKFDhE5aP7nz=obrimeTgpD+StkV9w@mail.gmail.com Fixes: fbb0de795078 ("Add udmabuf misc device") Cc: stable@vger.kernel.org Signed-off-by: Jann Horn Acked-by: Joel Fernandes (Google) Acked-by: Vivek Kasireddy Signed-off-by: Vivek Kasireddy Link: https://patchwork.freedesktop.org/patch/msgid/20241204-udmabuf-fixes-v2-1-23887289de1c@google.com commit ebefac5647968679f6ef5803e5d35a71997d20fa Author: Robert Beckett Date: Tue Nov 12 19:50:00 2024 +0000 nvme-pci: 512 byte aligned dma pool segment quirk We initially introduced a quick fix limiting the queue depth to 1 as experimentation showed that it fixed data corruption on 64GB steamdecks. Further experimentation revealed corruption only happens when the last PRP data element aligns to the end of the page boundary. The device appears to treat this as a PRP chain to a new list instead of the data element that it actually is. This implementation is in violation of the spec. Encountering this errata with the Linux driver requires the host request a 128k transfer and coincidently be handed the last small pool dma buffer within a page. The QD1 quirk effectly works around this because the last data PRP always was at a 248 byte offset from the page start, so it never appeared at the end of the page, but comes at the expense of throttling IO and wasting the remainder of the PRP page beyond 256 bytes. Also to note, the MDTS on these devices is small enough that the "large" prp pool can hold enough PRP elements to never reach the end, so that pool is not a problem either. Introduce a new quirk to ensure the small pool is always aligned such that the last PRP element can't appear a the end of the page. This comes at the expense of wasting 256 bytes per small pool page allocated. Link: https://lore.kernel.org/linux-nvme/20241113043151.GA20077@lst.de/T/#u Fixes: 83bdfcbdbe5d ("nvme-pci: qdepth 1 quirk") Cc: Paweł Anikiel Signed-off-by: Robert Beckett Signed-off-by: Keith Busch commit b04df3da1b5c6f6dc7cdccc37941740c078c4043 Author: Florian Westphal Date: Sat Dec 7 12:14:48 2024 +0100 netfilter: nf_tables: do not defer rule destruction via call_rcu nf_tables_chain_destroy can sleep, it can't be used from call_rcu callbacks. Moreover, nf_tables_rule_release() is only safe for error unwinding, while transaction mutex is held and the to-be-desroyed rule was not exposed to either dataplane or dumps, as it deactives+frees without the required synchronize_rcu() in-between. nft_rule_expr_deactivate() callbacks will change ->use counters of other chains/sets, see e.g. nft_lookup .deactivate callback, these must be serialized via transaction mutex. Also add a few lockdep asserts to make this more explicit. Calling synchronize_rcu() isn't ideal, but fixing this without is hard and way more intrusive. As-is, we can get: WARNING: .. net/netfilter/nf_tables_api.c:5515 nft_set_destroy+0x.. Workqueue: events nf_tables_trans_destroy_work RIP: 0010:nft_set_destroy+0x3fe/0x5c0 Call Trace: nf_tables_trans_destroy_work+0x6b7/0xad0 process_one_work+0x64a/0xce0 worker_thread+0x613/0x10d0 In case the synchronize_rcu becomes an issue, we can explore alternatives. One way would be to allocate nft_trans_rule objects + one nft_trans_chain object, deactivate the rules + the chain and then defer the freeing to the nft destroy workqueue. We'd still need to keep the synchronize_rcu path as a fallback to handle -ENOMEM corner cases though. Reported-by: syzbot+b26935466701e56cfdc2@syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/67478d92.050a0220.253251.0062.GAE@google.com/T/ Fixes: c03d278fdf35 ("netfilter: nf_tables: wait for rcu grace period on net_device removal") Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso commit f36b01994d68ffc253c8296e2228dfe6e6431c03 Author: Phil Sutter Date: Fri Dec 6 19:32:29 2024 +0100 netfilter: IDLETIMER: Fix for possible ABBA deadlock Deletion of the last rule referencing a given idletimer may happen at the same time as a read of its file in sysfs: | ====================================================== | WARNING: possible circular locking dependency detected | 6.12.0-rc7-01692-g5e9a28f41134-dirty #594 Not tainted | ------------------------------------------------------ | iptables/3303 is trying to acquire lock: | ffff8881057e04b8 (kn->active#48){++++}-{0:0}, at: __kernfs_remove+0x20 | | but task is already holding lock: | ffffffffa0249068 (list_mutex){+.+.}-{3:3}, at: idletimer_tg_destroy_v] | | which lock already depends on the new lock. A simple reproducer is: | #!/bin/bash | | while true; do | iptables -A INPUT -i foo -j IDLETIMER --timeout 10 --label "testme" | iptables -D INPUT -i foo -j IDLETIMER --timeout 10 --label "testme" | done & | while true; do | cat /sys/class/xt_idletimer/timers/testme >/dev/null | done Avoid this by freeing list_mutex right after deleting the element from the list, then continuing with the teardown. Fixes: 0902b469bd25 ("netfilter: xtables: idletimer target implementation") Signed-off-by: Phil Sutter Signed-off-by: Pablo Neira Ayuso commit d92906fd1b940681b4509f7bb8ae737789fb4695 Author: Phil Sutter Date: Fri Dec 6 15:08:40 2024 +0100 selftests: netfilter: Stabilize rpath.sh On some systems, neighbor discoveries from ns1 for fec0:42::1 (i.e., the martian trap address) would happen at the wrong time and cause false-negative test result. Problem analysis also discovered that IPv6 martian ping test was broken in that sent neighbor discoveries, not echo requests were inadvertently trapped Avoid the race condition by introducing the neighbors to each other upfront. Also pin down the firewall rules to matching on echo requests only. Fixes: efb056e5f1f0 ("netfilter: ip6t_rpfilter: Fix regression with VRF interfaces") Signed-off-by: Phil Sutter Signed-off-by: Pablo Neira Ayuso commit 231825b2e1ff6ba799c5eaf396d3ab2354e37c6b Author: Linus Torvalds Date: Wed Dec 11 14:11:23 2024 -0800 Revert "unicode: Don't special case ignorable code points" This reverts commit 5c26d2f1d3f5e4be3e196526bead29ecb139cf91. It turns out that we can't do this, because while the old behavior of ignoring ignorable code points was most definitely wrong, we have case-folding filesystems with on-disk hash values with that wrong behavior. So now you can't look up those names, because they hash to something different. Of course, it's also entirely possible that in the meantime people have created *new* files with the new ("more correct") case folding logic, and reverting will just make other things break. The correct solution is to not do case folding in filesystems, but sadly, people seem to never really understand that. People still see it as a feature, not a bug. Reported-by: Qi Han Link: https://bugzilla.kernel.org/show_bug.cgi?id=219586 Cc: Gabriel Krisman Bertazi Requested-by: Jaegeuk Kim Signed-off-by: Linus Torvalds commit ec8e2d3889114f41d07cd341e80dc6de7f8eb213 Merge: becb337c237f9c 9c7c5430bca36e Author: Linus Torvalds Date: Wed Dec 11 13:48:25 2024 -0800 Merge tag 'vfio-v6.13-rc3' of https://github.com/awilliam/linux-vfio Pull vfio fix from Alex Williamson: - Fix migration dirty page tracking support in the mlx5-vfio-pci variant driver in configurations where the system page size exceeds the device maximum message size, and anticipate device updates where the opposite may also be required (Yishai Hadas) * tag 'vfio-v6.13-rc3' of https://github.com/awilliam/linux-vfio: vfio/mlx5: Align the page tracking max message size with the device capability commit becb337c237f9c8030fb976a1d643c0347408cf8 Merge: f92f4749861b06 777f290ab328de Author: Linus Torvalds Date: Wed Dec 11 13:41:41 2024 -0800 Merge tag 'linux_kselftest-fixes-6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest Pull Kselftest fix from Shuah Khan: - fix the offset for kprobe syntax error test case when checking the BTF arguments on 64-bit powerpc * tag 'linux_kselftest-fixes-6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest: selftests/ftrace: adjust offset for kprobe syntax error test commit 18b2093f4598d8ee67a8153badc93f0fa7686b8a Author: Tejun Heo Date: Wed Dec 11 11:01:51 2024 -1000 sched_ext: Fix invalid irq restore in scx_ops_bypass() While adding outer irqsave/restore locking, 0e7ffff1b811 ("scx: Fix raciness in scx_ops_bypass()") forgot to convert an inner rq_unlock_irqrestore() to rq_unlock() which could re-enable IRQ prematurely leading to the following warning: raw_local_irq_restore() called with IRQs enabled WARNING: CPU: 1 PID: 96 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x30/0x40 ... Sched_ext: create_dsq (enabling) pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : warn_bogus_irq_restore+0x30/0x40 lr : warn_bogus_irq_restore+0x30/0x40 ... Call trace: warn_bogus_irq_restore+0x30/0x40 (P) warn_bogus_irq_restore+0x30/0x40 (L) scx_ops_bypass+0x224/0x3b8 scx_ops_enable.isra.0+0x2c8/0xaa8 bpf_scx_reg+0x18/0x30 ... irq event stamp: 33739 hardirqs last enabled at (33739): [] scx_ops_bypass+0x174/0x3b8 hardirqs last disabled at (33738): [] _raw_spin_lock_irqsave+0xb4/0xd8 Drop the stray _irqrestore(). Signed-off-by: Tejun Heo Reported-by: Ihor Solodrai Link: http://lkml.kernel.org/r/qC39k3UsonrBYD_SmuxHnZIQLsuuccoCrkiqb_BT7DvH945A1_LZwE4g-5Pu9FcCtqZt4lY1HhIPi0homRuNWxkgo1rgP3bkxa0donw8kV4=@pm.me Fixes: 0e7ffff1b811 ("scx: Fix raciness in scx_ops_bypass()") Cc: stable@vger.kernel.org # v6.12 commit 747367340ca6b5070728b86ae36ad6747f66b2fb Author: Borislav Petkov (AMD) Date: Wed Dec 11 12:07:42 2024 +0100 EDAC/amd64: Simplify ECC check on unified memory controllers The intent of the check is to see whether at least one UMC has ECC enabled. So do that instead of tracking which ones are enabled in masks which are too small in size anyway and lead to not loading the driver on Zen4 machines with UMCs enabled over UMC8. Fixes: e2be5955a886 ("EDAC/amd64: Add support for AMD Family 19h Models 10h-1Fh and A0h-AFh") Reported-by: Avadhut Naik Signed-off-by: Borislav Petkov (AMD) Tested-by: Avadhut Naik Reviewed-by: Avadhut Naik Cc: Link: https://lore.kernel.org/r/20241210212054.3895697-1-avadhut.naik@amd.com commit 21f1b85c8912262adf51707e63614a114425eb10 Author: Björn Töpel Date: Wed Nov 20 14:12:02 2024 +0100 riscv: mm: Do not call pmd dtor on vmemmap page table teardown The vmemmap's, which is used for RV64 with SPARSEMEM_VMEMMAP, page tables are populated using pmd (page middle directory) hugetables. However, the pmd allocation is not using the generic mechanism used by the VMA code (e.g. pmd_alloc()), or the RISC-V specific create_pgd_mapping()/alloc_pmd_late(). Instead, the vmemmap page table code allocates a page, and calls vmemmap_set_pmd(). This results in that the pmd ctor is *not* called, nor would it make sense to do so. Now, when tearing down a vmemmap page table pmd, the cleanup code would unconditionally, and incorrectly call the pmd dtor, which results in a crash (best case). This issue was found when running the HMM selftests: | tools/testing/selftests/mm# ./test_hmm.sh smoke | ... # when unloading the test_hmm.ko module | page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10915b | flags: 0x1000000000000000(node=0|zone=1) | raw: 1000000000000000 0000000000000000 dead000000000122 0000000000000000 | raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 | page dumped because: VM_BUG_ON_PAGE(ptdesc->pmd_huge_pte) | ------------[ cut here ]------------ | kernel BUG at include/linux/mm.h:3080! | Kernel BUG [#1] | Modules linked in: test_hmm(-) sch_fq_codel fuse drm drm_panel_orientation_quirks backlight dm_mod | CPU: 1 UID: 0 PID: 514 Comm: modprobe Tainted: G W 6.12.0-00982-gf2a4f1682d07 #2 | Tainted: [W]=WARN | Hardware name: riscv-virtio qemu/qemu, BIOS 2024.10 10/01/2024 | epc : remove_pgd_mapping+0xbec/0x1070 | ra : remove_pgd_mapping+0xbec/0x1070 | epc : ffffffff80010a68 ra : ffffffff80010a68 sp : ff20000000a73940 | gp : ffffffff827b2d88 tp : ff6000008785da40 t0 : ffffffff80fbce04 | t1 : 0720072007200720 t2 : 706d756420656761 s0 : ff20000000a73a50 | s1 : ff6000008915cff8 a0 : 0000000000000039 a1 : 0000000000000008 | a2 : ff600003fff0de20 a3 : 0000000000000000 a4 : 0000000000000000 | a5 : 0000000000000000 a6 : c0000000ffffefff a7 : ffffffff824469b8 | s2 : ff1c0000022456c0 s3 : ff1ffffffdbfffff s4 : ff6000008915c000 | s5 : ff6000008915c000 s6 : ff6000008915c000 s7 : ff1ffffffdc00000 | s8 : 0000000000000001 s9 : ff1ffffffdc00000 s10: ffffffff819a31f0 | s11: ffffffffffffffff t3 : ffffffff8000c950 t4 : ff60000080244f00 | t5 : ff60000080244000 t6 : ff20000000a73708 | status: 0000000200000120 badaddr: ffffffff80010a68 cause: 0000000000000003 | [] remove_pgd_mapping+0xbec/0x1070 | [] vmemmap_free+0x14/0x1e | [] section_deactivate+0x220/0x452 | [] sparse_remove_section+0x4a/0x58 | [] __remove_pages+0x7e/0xba | [] memunmap_pages+0x2bc/0x3fe | [] dmirror_device_remove_chunks+0x2ea/0x518 [test_hmm] | [] hmm_dmirror_exit+0x3e/0x1018 [test_hmm] | [] __riscv_sys_delete_module+0x15a/0x2a6 | [] do_trap_ecall_u+0x1f2/0x266 | [] _new_vmalloc_restore_context_a0+0xc6/0xd2 | Code: bf51 7597 0184 8593 76a5 854a 4097 0029 80e7 2c00 (9002) 7597 | ---[ end trace 0000000000000000 ]--- | Kernel panic - not syncing: Fatal exception in interrupt Add a check to avoid calling the pmd dtor, if the calling context is vmemmap_free(). Fixes: c75a74f4ba19 ("riscv: mm: Add memory hotplugging support") Signed-off-by: Björn Töpel Reviewed-by: Alexandre Ghiti Link: https://lore.kernel.org/r/20241120131203.1859787-1-bjorn@kernel.org Cc: stable@vger.kernel.org Signed-off-by: Palmer Dabbelt commit b3431a8bb336cece8adc452437befa7d4534b2fd Author: Alexandre Ghiti Date: Mon Dec 9 08:41:25 2024 +0100 riscv: Fix IPIs usage in kfence_protect_page() flush_tlb_kernel_range() may use IPIs to flush the TLBs of all the cores, which triggers the following warning when the irqs are disabled: [ 3.455330] WARNING: CPU: 1 PID: 0 at kernel/smp.c:815 smp_call_function_many_cond+0x452/0x520 [ 3.456647] Modules linked in: [ 3.457218] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.12.0-rc7-00010-g91d3de7240b8 #1 [ 3.457416] Hardware name: QEMU QEMU Virtual Machine, BIOS [ 3.457633] epc : smp_call_function_many_cond+0x452/0x520 [ 3.457736] ra : on_each_cpu_cond_mask+0x1e/0x30 [ 3.457786] epc : ffffffff800b669a ra : ffffffff800b67c2 sp : ff2000000000bb50 [ 3.457824] gp : ffffffff815212b8 tp : ff6000008014f080 t0 : 000000000000003f [ 3.457859] t1 : ffffffff815221e0 t2 : 000000000000000f s0 : ff2000000000bc10 [ 3.457920] s1 : 0000000000000040 a0 : ffffffff815221e0 a1 : 0000000000000001 [ 3.457953] a2 : 0000000000010000 a3 : 0000000000000003 a4 : 0000000000000000 [ 3.458006] a5 : 0000000000000000 a6 : ffffffffffffffff a7 : 0000000000000000 [ 3.458042] s2 : ffffffff815223be s3 : 00fffffffffff000 s4 : ff600001ffe38fc0 [ 3.458076] s5 : ff600001ff950d00 s6 : 0000000200000120 s7 : 0000000000000001 [ 3.458109] s8 : 0000000000000001 s9 : ff60000080841ef0 s10: 0000000000000001 [ 3.458141] s11: ffffffff81524812 t3 : 0000000000000001 t4 : ff60000080092bc0 [ 3.458172] t5 : 0000000000000000 t6 : ff200000000236d0 [ 3.458203] status: 0000000200000100 badaddr: ffffffff800b669a cause: 0000000000000003 [ 3.458373] [] smp_call_function_many_cond+0x452/0x520 [ 3.458593] [] on_each_cpu_cond_mask+0x1e/0x30 [ 3.458625] [] __flush_tlb_range+0x118/0x1ca [ 3.458656] [] flush_tlb_kernel_range+0x1e/0x26 [ 3.458683] [] kfence_protect+0xc0/0xce [ 3.458717] [] kfence_guarded_free+0xc6/0x1c0 [ 3.458742] [] __kfence_free+0x62/0xc6 [ 3.458764] [] kfree+0x106/0x32c [ 3.458786] [] detach_buf_split+0x188/0x1a8 [ 3.458816] [] virtqueue_get_buf_ctx+0xb6/0x1f6 [ 3.458839] [] virtqueue_get_buf+0xe/0x16 [ 3.458880] [] virtblk_done+0x5c/0xe2 [ 3.458908] [] vring_interrupt+0x6a/0x74 [ 3.458930] [] __handle_irq_event_percpu+0x7c/0xe2 [ 3.458956] [] handle_irq_event+0x3c/0x86 [ 3.458978] [] handle_simple_irq+0x9e/0xbe [ 3.459004] [] generic_handle_domain_irq+0x1c/0x2a [ 3.459027] [] imsic_handle_irq+0xba/0x120 [ 3.459056] [] generic_handle_domain_irq+0x1c/0x2a [ 3.459080] [] riscv_intc_aia_irq+0x24/0x34 [ 3.459103] [] handle_riscv_irq+0x2e/0x4c [ 3.459133] [] call_on_irq_stack+0x32/0x40 So only flush the local TLB and let the lazy kfence page fault handling deal with the faults which could happen when a core has an old protected pte version cached in its TLB. That leads to potential inaccuracies which can be tolerated when using kfence. Fixes: 47513f243b45 ("riscv: Enable KFENCE for riscv64") Signed-off-by: Alexandre Ghiti Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20241209074125.52322-1-alexghiti@rivosinc.com Signed-off-by: Palmer Dabbelt commit c796e187201242992d6d292bfeff41aadfdf3f29 Author: Alexandre Ghiti Date: Mon Dec 9 08:45:08 2024 +0100 riscv: Fix wrong usage of __pa() on a fixmap address riscv uses fixmap addresses to map the dtb so we can't use __pa() which is reserved for linear mapping addresses. Fixes: b2473a359763 ("of/fdt: add dt_phys arg to early_init_dt_scan and early_init_dt_verify") Signed-off-by: Alexandre Ghiti Link: https://lore.kernel.org/r/20241209074508.53037-1-alexghiti@rivosinc.com Cc: stable@vger.kernel.org Signed-off-by: Palmer Dabbelt commit b3134b8c1a1cf5779a74df902c75fa185083006e Author: Guo Ren Date: Sat Nov 30 10:33:10 2024 -0500 riscv: Fixup boot failure when CONFIG_DEBUG_RT_MUTEXES=y When CONFIG_DEBUG_RT_MUTEXES=y, mutex_lock->rt_mutex_try_acquire would change from rt_mutex_cmpxchg_acquire to rt_mutex_slowtrylock(): raw_spin_lock_irqsave(&lock->wait_lock, flags); ret = __rt_mutex_slowtrylock(lock); raw_spin_unlock_irqrestore(&lock->wait_lock, flags); Because queued_spin_#ops to ticket_#ops is changed one by one by jump_label, raw_spin_lock/unlock would cause a deadlock during the changing. That means in arch/riscv/kernel/jump_label.c: 1. arch_jump_label_transform_queue() -> mutex_lock(&text_mutex); +-> raw_spin_lock -> queued_spin_lock |-> raw_spin_unlock -> queued_spin_unlock patch_insn_write -> change the raw_spin_lock to ticket_lock mutex_unlock(&text_mutex); ... 2. /* Dirty the lock value */ arch_jump_label_transform_queue() -> mutex_lock(&text_mutex); +-> raw_spin_lock -> *ticket_lock* |-> raw_spin_unlock -> *queued_spin_unlock* /* BUG: ticket_lock with queued_spin_unlock */ patch_insn_write -> change the raw_spin_unlock to ticket_unlock mutex_unlock(&text_mutex); ... 3. /* Dead lock */ arch_jump_label_transform_queue() -> mutex_lock(&text_mutex); +-> raw_spin_lock -> ticket_lock /* deadlock! */ |-> raw_spin_unlock -> ticket_unlock patch_insn_write -> change other raw_spin_#op -> ticket_#op mutex_unlock(&text_mutex); So, the solution is to disable mutex usage of arch_jump_label_transform_queue() during early_boot_irqs_disabled, just like we have done for stop_machine. Reported-by: Conor Dooley Signed-off-by: Guo Ren Signed-off-by: Guo Ren Fixes: ab83647fadae ("riscv: Add qspinlock support") Link: https://lore.kernel.org/linux-riscv/CAJF2gTQwYTGinBmCSgVUoPv0_q4EPt_+WiyfUA1HViAKgUzxAg@mail.gmail.com/T/#mf488e6347817fca03bb93a7d34df33d8615b3775 Cc: Palmer Dabbelt Cc: Alexandre Ghiti Tested-by: Conor Dooley Reviewed-by: Alexandre Ghiti Tested-by: Alexandre Ghiti Tested-by: Nam Cao Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20241130153310.3349484-1-guoren@kernel.org Signed-off-by: Palmer Dabbelt commit bb76e82bfe57fdd1fe595cb0ccd33159df49ed09 Author: Shengjiu Wang Date: Tue Nov 26 13:32:54 2024 +0800 ASoC: fsl_spdif: change IFACE_PCM to IFACE_MIXER As the snd_soc_card_get_kcontrol() is updated to use snd_ctl_find_id_mixer() in commit 897cc72b0837 ("ASoC: soc-card: Use snd_ctl_find_id_mixer() instead of open-coding") which make the iface fix to be IFACE_MIXER. Fixes: 897cc72b0837 ("ASoC: soc-card: Use snd_ctl_find_id_mixer() instead of open-coding") Signed-off-by: Shengjiu Wang Link: https://patch.msgid.link/20241126053254.3657344-3-shengjiu.wang@nxp.com Signed-off-by: Mark Brown commit 7c17f7780a48b5ed36b6d13a06004fac993e75af Author: Shengjiu Wang Date: Tue Nov 26 13:32:53 2024 +0800 ASoC: fsl_xcvr: change IFACE_PCM to IFACE_MIXER As the snd_soc_card_get_kcontrol() is updated to use snd_ctl_find_id_mixer() in commit 897cc72b0837 ("ASoC: soc-card: Use snd_ctl_find_id_mixer() instead of open-coding") which make the iface fix to be IFACE_MIXER. Fixes: 897cc72b0837 ("ASoC: soc-card: Use snd_ctl_find_id_mixer() instead of open-coding") Signed-off-by: Shengjiu Wang Link: https://patch.msgid.link/20241126053254.3657344-2-shengjiu.wang@nxp.com Signed-off-by: Mark Brown commit f7e36d02d771ee14acae1482091718460cffb321 Author: James Clark Date: Thu Nov 14 16:04:48 2024 +0000 libperf: evlist: Fix --cpu argument on hybrid platform Since the linked fixes: commit, specifying a CPU on hybrid platforms results in an error because Perf tries to open an extended type event on "any" CPU which isn't valid. Extended type events can only be opened on CPUs that match the type. Before (working): $ perf record --cpu 1 -- true [ perf record: Woken up 1 times to write data ] [ perf record: Captured and wrote 2.385 MB perf.data (7 samples) ] After (not working): $ perf record -C 1 -- true WARNING: A requested CPU in '1' is not supported by PMU 'cpu_atom' (CPUs 16-27) for event 'cycles:P' Error: The sys_perf_event_open() syscall returned with 22 (Invalid argument) for event (cpu_atom/cycles:P/). /bin/dmesg | grep -i perf may provide additional information. (Ignore the warning message, that's expected and not particularly relevant to this issue). This is because perf_cpu_map__intersect() of the user specified CPU (1) and one of the PMU's CPUs (16-27) correctly results in an empty (NULL) CPU map. However for the purposes of opening an event, libperf converts empty CPU maps into an any CPU (-1) which the kernel rejects. Fix it by deleting evsels with empty CPU maps in the specific case where user requested CPU maps are evaluated. Fixes: 251aa040244a ("perf parse-events: Wildcard most "numeric" events") Reviewed-by: Ian Rogers Tested-by: Thomas Falcon Signed-off-by: James Clark Tested-by: Arnaldo Carvalho de Melo Link: https://lore.kernel.org/r/20241114160450.295844-2-james.clark@linaro.org Signed-off-by: Namhyung Kim commit a93a620c38f3763ec74cb0def9625756966f12d9 Author: Ian Rogers Date: Wed Dec 4 18:23:05 2024 -0800 perf test expr: Fix system_tsc_freq for only x86 The refactoring of tool PMU events to have a PMU then adding the expr literals to the tool PMU made it so that the literal system_tsc_freq was only supported on x86. Update the test expectations to match - namely the parsing is x86 specific and only yields a non-zero value on Intel. Fixes: 609aa2667f67 ("perf tool_pmu: Switch to standard pmu functions and json descriptions") Reported-by: Athira Rajeev Closes: https://lore.kernel.org/linux-perf-users/20241022140156.98854-1-atrajeev@linux.vnet.ibm.com/ Co-developed-by: Athira Rajeev Tested-by: Namhyung Kim Signed-off-by: Ian Rogers Cc: James Clark Cc: akanksha@linux.ibm.com Cc: hbathini@linux.ibm.com Cc: kjain@linux.ibm.com Cc: maddy@linux.ibm.com Cc: disgoel@linux.vnet.ibm.com Cc: linuxppc-dev@lists.ozlabs.org Link: https://lore.kernel.org/r/20241205022305.158202-1-irogers@google.com Signed-off-by: Namhyung Kim commit 777f290ab328de333b85558bb6807a69a59b36ba Author: Hari Bathini Date: Sat Nov 30 01:56:21 2024 +0530 selftests/ftrace: adjust offset for kprobe syntax error test In 'NOFENTRY_ARGS' test case for syntax check, any offset X of `vfs_read+X` except function entry offset (0) fits the criterion, even if that offset is not at instruction boundary, as the parser comes before probing. But with "ENDBR64" instruction on x86, offset 4 is treated as function entry. So, X can't be 4 as well. Thus, 8 was used as offset for the test case. On 64-bit powerpc though, any offset <= 16 can be considered function entry depending on build configuration (see arch_kprobe_on_func_entry() for implementation details). So, use `vfs_read+20` to accommodate that scenario too. Link: https://lore.kernel.org/r/20241129202621.721159-1-hbathini@linux.ibm.com Fixes: 4231f30fcc34a ("selftests/ftrace: Add BTF arguments test cases") Suggested-by: Masami Hiramatsu Signed-off-by: Hari Bathini Acked-by: Steven Rostedt (Google) Signed-off-by: Shuah Khan commit 5fa49dd8e521a42379e5e41fcf2c92edaaec0a8b Author: Alexander Gordeev Date: Mon Dec 9 17:43:48 2024 +0100 s390/ipl: Fix never less than zero warning DEFINE_IPL_ATTR_STR_RW() macro produces "unsigned 'len' is never less than zero." warning when sys_vmcmd_on_*_store() callbacks are defined. Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202412081614.5uel8F6W-lkp@intel.com/ Fixes: 247576bf624a ("s390/ipl: Do not accept z/VM CP diag X'008' cmds longer than max length") Reviewed-by: Heiko Carstens Signed-off-by: Alexander Gordeev commit 3e643e4efa1e87432204b62f9cfdea3b2508c830 Author: Michal Luczaj Date: Tue Nov 19 14:31:40 2024 +0100 Bluetooth: Improve setsockopt() handling of malformed user input The bt_copy_from_sockptr() return value is being misinterpreted by most users: a non-zero result is mistakenly assumed to represent an error code, but actually indicates the number of bytes that could not be copied. Remove bt_copy_from_sockptr() and adapt callers to use copy_safe_from_sockptr(). For sco_sock_setsockopt() (case BT_CODEC) use copy_struct_from_sockptr() to scrub parts of uninitialized buffer. Opportunistically, rename `len` to `optlen` in hci_sock_setsockopt_old() and hci_sock_setsockopt(). Fixes: 51eda36d33e4 ("Bluetooth: SCO: Fix not validating setsockopt user input") Fixes: a97de7bff13b ("Bluetooth: RFCOMM: Fix not validating setsockopt user input") Fixes: 4f3951242ace ("Bluetooth: L2CAP: Fix not validating setsockopt user input") Fixes: 9e8742cdfc4b ("Bluetooth: ISO: Fix not validating setsockopt user input") Fixes: b2186061d604 ("Bluetooth: hci_sock: Fix not validating setsockopt user input") Reviewed-by: Luiz Augusto von Dentz Reviewed-by: David Wei Signed-off-by: Michal Luczaj Signed-off-by: Luiz Augusto von Dentz commit 2dd59fe0e19e1ab955259978082b62e5751924c7 Author: Nikita Zhandarovich Date: Fri May 17 08:58:00 2024 -0700 media: dvb-frontends: dib3000mb: fix uninit-value in dib3000_write_reg Syzbot reports [1] an uninitialized value issue found by KMSAN in dib3000_read_reg(). Local u8 rb[2] is used in i2c_transfer() as a read buffer; in case that call fails, the buffer may end up with some undefined values. Since no elaborate error handling is expected in dib3000_write_reg(), simply zero out rb buffer to mitigate the problem. [1] Syzkaller report dvb-usb: bulk message failed: -22 (6/0) ===================================================== BUG: KMSAN: uninit-value in dib3000mb_attach+0x2d8/0x3c0 drivers/media/dvb-frontends/dib3000mb.c:758 dib3000mb_attach+0x2d8/0x3c0 drivers/media/dvb-frontends/dib3000mb.c:758 dibusb_dib3000mb_frontend_attach+0x155/0x2f0 drivers/media/usb/dvb-usb/dibusb-mb.c:31 dvb_usb_adapter_frontend_init+0xed/0x9a0 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:290 dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:90 [inline] dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:186 [inline] dvb_usb_device_init+0x25a8/0x3760 drivers/media/usb/dvb-usb/dvb-usb-init.c:310 dibusb_probe+0x46/0x250 drivers/media/usb/dvb-usb/dibusb-mb.c:110 ... Local variable rb created at: dib3000_read_reg+0x86/0x4e0 drivers/media/dvb-frontends/dib3000mb.c:54 dib3000mb_attach+0x123/0x3c0 drivers/media/dvb-frontends/dib3000mb.c:758 ... Fixes: 74340b0a8bc6 ("V4L/DVB (4457): Remove dib3000-common-module") Reported-by: syzbot+c88fc0ebe0d5935c70da@syzkaller.appspotmail.com Signed-off-by: Nikita Zhandarovich Link: https://lore.kernel.org/r/20240517155800.9881-1-n.zhandarovich@fintech.ru Signed-off-by: Mauro Carvalho Chehab commit d9339496729f1471b8dc326face17c4cf108b027 Author: Akira Yokosawa Date: Tue Dec 10 20:04:15 2024 +0900 scripts/kernel-doc: Get -export option working again Since commit cdd30ebb1b9f ("module: Convert symbol namespace to string literal"), exported symbols marked by EXPORT_SYMBOL_NS(_GPL) are ignored by "kernel-doc -export" in fresh build of "make htmldocs". This is because regex in the perl script for those markers fails to match the new signatures: - EXPORT_SYMBOL_NS(symbol, "ns"); - EXPORT_SYMBOL_NS_GPL(symbol, "ns"); Update the regex so that it matches quoted string. Note: Escape sequence of \w is good for C identifiers, but can be too strict for quoted strings. Instead, use \S, which matches any non-whitespace character, for compatibility with possible extension of namespace convention in the future [1]. Fixes: cdd30ebb1b9f ("module: Convert symbol namespace to string literal") Link: https://lore.kernel.org/CAK7LNATMufXP0EA6QUE9hBkZMa6vJO6ZiaYuak2AhOrd2nSVKQ@mail.gmail.com/ [1] Signed-off-by: Akira Yokosawa Cc: Masahiro Yamada Tested-by: Randy Dunlap Acked-by: Randy Dunlap Signed-off-by: Jonathan Corbet Link: https://lore.kernel.org/r/e5c43f36-45cd-49f4-b7b8-ff342df3c7a4@gmail.com commit 9b496a8bbed9cc292b0dfd796f38ec58b6d0375f Author: Waiman Long Date: Thu Dec 5 14:51:01 2024 -0500 cgroup/cpuset: Prevent leakage of isolated CPUs into sched domains Isolated CPUs are not allowed to be used in a non-isolated partition. The only exception is the top cpuset which is allowed to contain boot time isolated CPUs. Commit ccac8e8de99c ("cgroup/cpuset: Fix remote root partition creation problem") introduces a simplified scheme of including only partition roots in sched domain generation. However, it does not properly account for this exception case. This can result in leakage of isolated CPUs into a sched domain. Fix it by making sure that isolated CPUs are excluded from the top cpuset before generating sched domains. Also update the way the boot time isolated CPUs are handled in test_cpuset_prs.sh to make sure that those isolated CPUs are really isolated instead of just skipping them in the tests. Fixes: ccac8e8de99c ("cgroup/cpuset: Fix remote root partition creation problem") Signed-off-by: Waiman Long Signed-off-by: Tejun Heo commit 48ca421268735c60ea0d4c2e19610b224d5c8656 Author: Changwoo Min Date: Wed Dec 11 17:39:45 2024 +0900 MAINTAINERS: add me as reviewer for sched_ext Add me as a reviewer for sched_ext. I have been actively working on the project and would like to help review patches and address related kernel issues/features. Signed-off-by: Changwoo Min Signed-off-by: Tejun Heo commit 83848e37f6ee80f60b04139fefdfa1bde4aaa826 Author: Xi Pardee Date: Tue Dec 10 13:26:41 2024 -0800 platform/x86/intel/vsec: Add support for Panther Lake Add Panther Lake PMT telemetry support. Signed-off-by: Xi Pardee Link: https://lore.kernel.org/r/20241210212646.239211-1-xi.pardee@linux.intel.com Reviewed-by: Ilpo Järvinen Signed-off-by: Ilpo Järvinen commit 6c0a473fc5f89dabbed0af605a09370b533aa856 Author: Jithu Joseph Date: Tue Dec 10 12:31:52 2024 -0800 platform/x86/intel/ifs: Add Clearwater Forest to CPU support list Add Clearwater Forest (INTEL_ATOM_DARKMONT_X) to the x86 match table of Intel In Field Scan (IFS) driver, enabling IFS functionality on this processor. Signed-off-by: Jithu Joseph Link: https://lore.kernel.org/r/20241210203152.1136463-1-jithu.joseph@intel.com Reviewed-by: Ilpo Järvinen Signed-off-by: Ilpo Järvinen commit 220326c4650a0ef7db3bfcae903f758555ecb973 Author: Huy Minh Date: Tue Dec 10 22:45:00 2024 +0700 platform/x86: touchscreen_dmi: Add info for SARY Tab 3 tablet There's no info about the OEM behind the tablet, only online stores listing. This tablet uses an Intel Atom x5-Z8300, 4GB of RAM & 64GB of storage. Signed-off-by: Huy Minh Link: https://lore.kernel.org/r/20241210154500.32124-1-buingoc67@gmail.com Reviewed-by: Ilpo Järvinen Signed-off-by: Ilpo Järvinen commit 2aa13da97e2b92d20a8ad4ead10da89f880b64e7 Author: Shenghao Ding Date: Wed Dec 11 12:38:59 2024 +0800 ASoC: tas2781: Fix calibration issue in stress test One specific test condition: the default registers of p[j].reg ~ p[j+3].reg are 0, TASDEVICE_REG(0x00, 0x14, 0x38)(PLT_FLAG_REG), TASDEVICE_REG(0x00, 0x14, 0x40)(SINEGAIN_REG), and TASDEVICE_REG(0x00, 0x14, 0x44)(SINEGAIN2_REG). After first calibration, they are freshed to TASDEVICE_REG(0x00, 0x1a, 0x20), TASDEVICE_REG(0x00, 0x16, 0x58)(PLT_FLAG_REG), TASDEVICE_REG(0x00, 0x14, 0x44)(SINEGAIN_REG), and TASDEVICE_REG(0x00, 0x16, 0x64)(SINEGAIN2_REG) via "Calibration Start" kcontrol. In second calibration, the p[j].reg ~ p[j+3].reg have already become tas2781_cali_start_reg. However, p[j+2].reg, TASDEVICE_REG(0x00, 0x14, 0x44)(SINEGAIN_REG), will be freshed to TASDEVICE_REG(0x00, 0x16, 0x64), which is the third register in the input params of the kcontrol. This is why only first calibration can work, the second-time, third-time or more-time calibration always failed without reboot. Of course, if no p[j].reg is in the list of tas2781_cali_start_reg, this stress test can work well. Fixes: 49e2e353fb0d ("ASoC: tas2781: Add Calibration Kcontrols for Chromebook") Signed-off-by: Shenghao Ding Link: https://patch.msgid.link/20241211043859.1328-1-shenghao-ding@ti.com Signed-off-by: Mark Brown commit 867f85679cb4bb9cc549270ad767629de6108d22 Merge: 930e7c209b77a9 51d20d1dacbec5 Author: Christian Brauner Date: Wed Dec 11 11:09:16 2024 +0100 Merge patch series "iomap: fix zero padding data issue in concurrent append writes" Long Li says: This patch series fixes zero padding data issues in concurrent append write scenarios. A detailed problem description and solution can be found in patch 2. Patch 1 is introduced as preparation for the fix in patch 2, eliminating the need to resample inode size for io_size trimming and avoiding issues caused by inode size changes during concurrent writeback and truncate operations. * patches from https://lore.kernel.org/r/20241209114241.3725722-1-leo.lilong@huawei.com: iomap: fix zero padding data issue in concurrent append writes iomap: pass byte granular end position to iomap_add_to_ioend Link: https://lore.kernel.org/r/20241209114241.3725722-1-leo.lilong@huawei.com Signed-off-by: Christian Brauner commit 51d20d1dacbec589d459e11fc88fbca419f84a99 Author: Long Li Date: Mon Dec 9 19:42:40 2024 +0800 iomap: fix zero padding data issue in concurrent append writes During concurrent append writes to XFS filesystem, zero padding data may appear in the file after power failure. This happens due to imprecise disk size updates when handling write completion. Consider this scenario with concurrent append writes same file: Thread 1: Thread 2: ------------ ----------- write [A, A+B] update inode size to A+B submit I/O [A, A+BS] write [A+B, A+B+C] update inode size to A+B+C After reboot: 1) with A+B+C < A+BS, the file has zero padding in range [A+B, A+B+C] |< Block Size (BS) >| |DDDDDDDDDDDDDDDD0000000000000000| ^ ^ ^ A A+B A+B+C (EOF) 2) with A+B+C > A+BS, the file has zero padding in range [A+B, A+BS] |< Block Size (BS) >|< Block Size (BS) >| |DDDDDDDDDDDDDDDD0000000000000000|00000000000000000000000000000000| ^ ^ ^ ^ A A+B A+BS A+B+C (EOF) D = Valid Data 0 = Zero Padding The issue stems from disk size being set to min(io_offset + io_size, inode->i_size) at I/O completion. Since io_offset+io_size is block size granularity, it may exceed the actual valid file data size. In the case of concurrent append writes, inode->i_size may be larger than the actual range of valid file data written to disk, leading to inaccurate disk size updates. This patch modifies the meaning of io_size to represent the size of valid data within EOF in an ioend. If the ioend spans beyond i_size, io_size will be trimmed to provide the file with more accurate size information. This is particularly useful for on-disk size updates at completion time. After this change, ioends that span i_size will not grow or merge with other ioends in concurrent scenarios. However, these cases that need growth/merging rarely occur and it seems no noticeable performance impact. Although rounding up io_size could enable ioend growth/merging in these scenarios, we decided to keep the code simple after discussion [1]. Another benefit is that it makes the xfs_ioend_is_append() check more accurate, which can reduce unnecessary end bio callbacks of xfs_end_bio() in certain scenarios, such as repeated writes at the file tail without extending the file size. Link [1]: https://patchwork.kernel.org/project/xfs/patch/20241113091907.56937-1-leo.lilong@huawei.com Fixes: ae259a9c8593 ("fs: introduce iomap infrastructure") # goes further back than this Signed-off-by: Long Li Link: https://lore.kernel.org/r/20241209114241.3725722-3-leo.lilong@huawei.com Reviewed-by: Brian Foster Reviewed-by: Christoph Hellwig Signed-off-by: Christian Brauner commit b44679c63e4d3ac820998b6bd59fba89a72ad3e7 Author: Long Li Date: Mon Dec 9 19:42:39 2024 +0800 iomap: pass byte granular end position to iomap_add_to_ioend This is a preparatory patch for fixing zero padding issues in concurrent append write scenarios. In the following patches, we need to obtain byte-granular writeback end position for io_size trimming after EOF handling. Due to concurrent writeback and truncate operations, inode size may shrink. Resampling inode size would force writeback code to handle the newly appeared post-EOF blocks, which is undesirable. As Dave explained in [1]: "Really, the issue is that writeback mappings have to be able to handle the range being mapped suddenly appear to be beyond EOF. This behaviour is a longstanding writeback constraint, and is what iomap_writepage_handle_eof() is attempting to handle. We handle this by only sampling i_size_read() whilst we have the folio locked and can determine the action we should take with that folio (i.e. nothing, partial zeroing, or skip altogether). Once we've made the decision that the folio is within EOF and taken action on it (i.e. moved the folio to writeback state), we cannot then resample the inode size because a truncate may have started and changed the inode size." To avoid resampling inode size after EOF handling, we convert end_pos to byte-granular writeback position and return it from EOF handling function. Since iomap_set_range_dirty() can handle unaligned lengths, this conversion has no impact on it. However, iomap_find_dirty_range() requires aligned start and end range to find dirty blocks within the given range, so the end position needs to be rounded up when passed to it. LINK [1]: https://lore.kernel.org/linux-xfs/Z1Gg0pAa54MoeYME@localhost.localdomain/ Signed-off-by: Long Li Link: https://lore.kernel.org/r/20241209114241.3725722-2-leo.lilong@huawei.com Reviewed-by: Brian Foster Signed-off-by: Christian Brauner commit 8366e64a4454481339e7c56a8ad280161f2e441d Author: Daniele Palmas Date: Mon Dec 9 16:32:54 2024 +0100 USB: serial: option: add Telit FE910C04 rmnet compositions Add the following Telit FE910C04 compositions: 0x10c0: rmnet + tty (AT/NMEA) + tty (AT) + tty (diag) T: Bus=02 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#= 13 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=1bc7 ProdID=10c0 Rev=05.15 S: Manufacturer=Telit Cinterion S: Product=FE910 S: SerialNumber=f71b8b32 C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=500mA I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms 0x10c4: rmnet + tty (AT) + tty (AT) + tty (diag) T: Bus=02 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#= 14 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=1bc7 ProdID=10c4 Rev=05.15 S: Manufacturer=Telit Cinterion S: Product=FE910 S: SerialNumber=f71b8b32 C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=500mA I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms 0x10c8: rmnet + tty (AT) + tty (diag) + DPL (data packet logging) + adb T: Bus=02 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#= 17 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=1bc7 ProdID=10c8 Rev=05.15 S: Manufacturer=Telit Cinterion S: Product=FE910 S: SerialNumber=f71b8b32 C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms I: If#= 3 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none) E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms Signed-off-by: Daniele Palmas Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold commit f07dfa6a1b65034a5c3ba3a555950d972f252757 Author: Jack Wu Date: Thu Nov 28 10:22:27 2024 +0800 USB: serial: option: add MediaTek T7XX compositions Add the MediaTek T7XX compositions: T: Bus=03 Lev=01 Prnt=01 Port=05 Cnt=01 Dev#= 74 Spd=480 MxCh= 0 D: Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=0e8d ProdID=7129 Rev= 0.01 S: Manufacturer=MediaTek Inc. S: Product=USB DATA CARD S: SerialNumber=004402459035402 C:* #Ifs=10 Cfg#= 1 Atr=a0 MxPwr=500mA A: FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00 I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms I: If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 7 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 8 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=08(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 9 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=8a(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=09(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms ------------------------------- | If Number | Function | ------------------------------- | 2 | USB AP Log Port | ------------------------------- | 3 | USB AP GNSS Port| ------------------------------- | 4 | USB AP META Port| ------------------------------- | 5 | ADB port | ------------------------------- | 6 | USB MD AT Port | ------------------------------ | 7 | USB MD META Port| ------------------------------- | 8 | USB NTZ Port | ------------------------------- | 9 | USB Debug port | ------------------------------- Signed-off-by: Jack Wu Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold commit aa954ae08262bb5cd6ab18dd56a0b58c1315db8b Author: Mank Wang Date: Fri Nov 22 09:06:00 2024 +0000 USB: serial: option: add Netprisma LCUK54 modules for WWAN Ready LCUK54-WRD's pid/vid 0x3731/0x010a 0x3731/0x010c LCUK54-WWD's pid/vid 0x3731/0x010b 0x3731/0x010d Above products use the exact same interface layout and option driver: MBIM + GNSS + DIAG + NMEA + AT + QDSS + DPL T: Bus=01 Lev=01 Prnt=01 Port=01 Cnt=02 Dev#= 5 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=3731 ProdID=0101 Rev= 5.04 S: Manufacturer=NetPrisma S: Product=LCUK54-WRD S: SerialNumber=feeba631 C:* #Ifs= 8 Cfg#= 1 Atr=a0 MxPwr=500mA A: FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00 I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=32ms I: If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 2 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=40 Driver=option E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 6 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=70 Driver=(none) E: Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 7 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none) E: Ad=8f(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms Signed-off-by: Mank Wang [ johan: use lower case hex notation ] Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold commit 724d461e44dfc0815624d2a9792f2f2beb7ee46d Author: Michal Hrusecky Date: Tue Nov 19 14:00:18 2024 +0100 USB: serial: option: add MeiG Smart SLM770A Update the USB serial option driver to support MeiG Smart SLM770A. ID 2dee:4d57 Marvell Mobile Composite Device Bus T: Bus=02 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=2dee ProdID=4d57 Rev= 1.00 S: Manufacturer=Marvell S: Product=Mobile Composite Device Bus C:* #Ifs= 6 Cfg#= 1 Atr=c0 MxPwr=500mA A: FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=03 I:* If#= 0 Alt= 0 #EPs= 1 Cls=e0(wlcon) Sub=01 Prot=03 Driver=rndis_host E: Ad=87(I) Atr=03(Int.) MxPS= 64 Ivl=4096ms I:* If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=0c(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=0b(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=88(I) Atr=03(Int.) MxPS= 64 Ivl=4096ms E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=0a(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=89(I) Atr=03(Int.) MxPS= 64 Ivl=4096ms E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=0e(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms Tested successfully connecting to the Internet via rndis interface after dialing via AT commands on If#=3 or If#=4. Not sure of the purpose of the other serial interfaces. Signed-off-by: Michal Hrusecky Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold commit fdad4fb7c506bea8b419f70ff2163d99962e8ede Author: Daniel Swanemar Date: Mon Nov 4 14:42:17 2024 +0100 USB: serial: option: add TCL IK512 MBIM & ECM Add the following TCL IK512 compositions: 0x0530: Modem + Diag + AT + MBIM T: Bus=04 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 3 Spd=10000 MxCh= 0 D: Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1 P: Vendor=1bbb ProdID=0530 Rev=05.04 S: Manufacturer=TCL S: Product=TCL 5G USB Dongle S: SerialNumber=3136b91a C: #Ifs= 5 Cfg#= 1 Atr=80 MxPwr=896mA I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=81(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=82(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option E: Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=83(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=03(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=84(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 3 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim E: Ad=86(I) Atr=03(Int.) MxPS= 64 Ivl=32ms I: If#= 4 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim E: Ad=0f(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=8e(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms 0x0640: ECM + Modem + Diag + AT T: Bus=04 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 4 Spd=10000 MxCh= 0 D: Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1 P: Vendor=1bbb ProdID=0640 Rev=05.04 S: Manufacturer=TCL S: Product=TCL 5G USB Dongle S: SerialNumber=3136b91a C: #Ifs= 5 Cfg#= 1 Atr=80 MxPwr=896mA I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=32ms I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether E: Ad=0f(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=8e(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=82(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option E: Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=84(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=03(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=85(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms Signed-off-by: Daniel Swanemar Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold commit e34f1717ef0632fcec5cb827e5e0e9f223d70c9b Author: Mario Limonciello Date: Mon Dec 9 10:25:51 2024 -0600 thunderbolt: Don't display nvm_version unless upgrade supported The read will never succeed if NVM wasn't initialized due to an unknown format. Add a new callback for visibility to only show when supported. Cc: stable@vger.kernel.org Fixes: aef9c693e7e5 ("thunderbolt: Move vendor specific NVM handling into nvm.c") Reported-by: Richard Hughes Closes: https://github.com/fwupd/fwupd/issues/8200 Signed-off-by: Mario Limonciello Signed-off-by: Mika Westerberg commit eb1dd15fb26d9ad85204f444ef03f29f9049eb1e Author: Costa Shulyupin Date: Wed Dec 4 13:04:41 2024 +0200 cgroup/cpuset: Remove stale text Task's cpuset pointer was removed by commit 8793d854edbc ("Task Control Groups: make cpusets a client of cgroups") Paragraph "The task_lock() exception ...." was removed by commit 2df167a300d7 ("cgroups: update comments in cpuset.c") Remove stale text: We also require taking task_lock() when dereferencing a task's cpuset pointer. See "The task_lock() exception", at the end of this comment. Accessing a task's cpuset should be done in accordance with the guidelines for accessing subsystem state in kernel/cgroup.c and reformat. Co-developed-by: Michal Koutný Co-developed-by: Waiman Long Signed-off-by: Costa Shulyupin Acked-by: Waiman Long Signed-off-by: Tejun Heo commit 2d2f25405a87cfa270ea7b5bb03a612c1a16020a Author: Andrea Righi Date: Mon Dec 9 18:45:01 2024 +0100 MAINTAINERS: add self as reviewer for sched_ext Add myself as a reviewer for sched_ext, as I am actively working on this project and would like to help review relevant patches and address any related kernel issues. Signed-off-by: Andrea Righi Signed-off-by: Tejun Heo commit b8f614207b0d5e4abd6df8d5cb3cc11f009d1d93 Author: David Vernet Date: Mon Dec 9 09:29:24 2024 -0600 scx: Fix maximal BPF selftest prog maximal.bpf.c is still dispatching to and consuming from SCX_DSQ_GLOBAL. Let's have it use its own DSQ to avoid any runtime errors. Signed-off-by: David Vernet Tested-by: Andrea Righi Signed-off-by: Tejun Heo commit 3dd002f20098b9569f8fd7f8703f364571e2e975 Author: Nikita Yushchenko Date: Mon Dec 9 16:32:04 2024 +0500 net: renesas: rswitch: handle stop vs interrupt race Currently the stop routine of rswitch driver does not immediately prevent hardware from continuing to update descriptors and requesting interrupts. It can happen that when rswitch_stop() executes the masking of interrupts from the queues of the port being closed, napi poll for that port is already scheduled or running on a different CPU. When execution of this napi poll completes, it will unmask the interrupts. And unmasked interrupt can fire after rswitch_stop() returns from napi_disable() call. Then, the handler won't mask it, because napi_schedule_prep() will return false, and interrupt storm will happen. This can't be fixed by making rswitch_stop() call napi_disable() before masking interrupts. In this case, the interrupt storm will happen if interrupt fires between napi_disable() and masking. Fix this by checking for priv->opened_ports bit when unmasking interrupts after napi poll. For that to be consistent, move priv->opened_ports changes into spinlock-protected areas, and reorder other operations in rswitch_open() and rswitch_stop() accordingly. Signed-off-by: Nikita Yushchenko Reviewed-by: Yoshihiro Shimoda Fixes: 3590918b5d07 ("net: ethernet: renesas: Add support for "Ethernet Switch"") Link: https://patch.msgid.link/20241209113204.175015-1-nikita.yoush@cogentembedded.com Signed-off-by: Jakub Kicinski commit 93763e68f1119d8bb09e1494004913a3ad137698 Merge: d02af27fa2e815 66b7e9f85b8459 Author: Jakub Kicinski Date: Tue Dec 10 19:02:49 2024 -0800 Merge branch 'net-renesas-rswitch-several-fixes' Nikita Yushchenko says: ==================== net: renesas: rswitch: several fixes This series fixes several glitches found in the rswitch driver. Repost of https://lore.kernel.org/20241206190015.4194153-1-nikita.yoush@cogentembedded.com ==================== Link: https://patch.msgid.link/20241208095004.69468-1-nikita.yoush@cogentembedded.com Signed-off-by: Jakub Kicinski commit 66b7e9f85b8459c823b11e9af69dbf4be5eb6be8 Author: Nikita Yushchenko Date: Sun Dec 8 14:50:04 2024 +0500 net: renesas: rswitch: avoid use-after-put for a device tree node The device tree node saved in the rswitch_device structure is used at several driver locations. So passing this node to of_node_put() after the first use is wrong. Move of_node_put() for this node to exit paths. Fixes: b46f1e579329 ("net: renesas: rswitch: Simplify struct phy * handling") Signed-off-by: Nikita Yushchenko Reviewed-by: Yoshihiro Shimoda Link: https://patch.msgid.link/20241208095004.69468-5-nikita.yoush@cogentembedded.com Signed-off-by: Jakub Kicinski commit bb617328bafa1023d8e9c25a25345a564c66c14f Author: Nikita Yushchenko Date: Sun Dec 8 14:50:03 2024 +0500 net: renesas: rswitch: fix leaked pointer on error path If error path is taken while filling descriptor for a frame, skb pointer is left in the entry. Later, on the ring entry reuse, the same entry could be used as a part of a multi-descriptor frame, and skb for that new frame could be stored in a different entry. Then, the stale pointer will reach the completion routine, and passed to the release operation. Fix that by clearing the saved skb pointer at the error path. Fixes: d2c96b9d5f83 ("net: rswitch: Add jumbo frames handling for TX") Signed-off-by: Nikita Yushchenko Reviewed-by: Yoshihiro Shimoda Link: https://patch.msgid.link/20241208095004.69468-4-nikita.yoush@cogentembedded.com Signed-off-by: Jakub Kicinski commit 0c9547e6ccf40455b0574cf589be3b152a3edf5b Author: Nikita Yushchenko Date: Sun Dec 8 14:50:02 2024 +0500 net: renesas: rswitch: fix race window between tx start and complete If hardware is already transmitting, it can start handling the descriptor being written to immediately after it observes updated DT field, before the queue is kicked by a write to GWTRC. If the start_xmit() execution is preempted at unfortunate moment, this transmission can complete, and interrupt handled, before gq->cur gets updated. With the current implementation of completion, this will cause the last entry not completed. Fix that by changing completion loop to check DT values directly, instead of depending on gq->cur. Fixes: 3590918b5d07 ("net: ethernet: renesas: Add support for "Ethernet Switch"") Signed-off-by: Nikita Yushchenko Reviewed-by: Yoshihiro Shimoda Link: https://patch.msgid.link/20241208095004.69468-3-nikita.yoush@cogentembedded.com Signed-off-by: Jakub Kicinski commit 5cb099902b6b6292b3a85ffa1bb844e0ba195945 Author: Nikita Yushchenko Date: Sun Dec 8 14:50:01 2024 +0500 net: renesas: rswitch: fix possible early skb release When sending frame split into multiple descriptors, hardware processes descriptors one by one, including writing back DT values. The first descriptor could be already marked as completed when processing of next descriptors for the same frame is still in progress. Although only the last descriptor is configured to generate interrupt, completion of the first descriptor could be noticed by the driver when handling interrupt for the previous frame. Currently, driver stores skb in the entry that corresponds to the first descriptor. This results into skb could be unmapped and freed when hardware did not complete the send yet. This opens a window for corrupting the data being sent. Fix this by saving skb in the entry that corresponds to the last descriptor used to send the frame. Fixes: d2c96b9d5f83 ("net: rswitch: Add jumbo frames handling for TX") Signed-off-by: Nikita Yushchenko Reviewed-by: Yoshihiro Shimoda Link: https://patch.msgid.link/20241208095004.69468-2-nikita.yoush@cogentembedded.com Signed-off-by: Jakub Kicinski commit 633609c48a358134d3f8ef8241dff24841577f58 Author: Enzo Matsumiya Date: Tue Dec 10 10:21:48 2024 -0300 smb: client: destroy cfid_put_wq on module exit Fix potential problem in rmmod Signed-off-by: Enzo Matsumiya Signed-off-by: Steve French commit 8676c4dfae5bea2582f9a999fd7463e3c79a3412 Author: Thorsten Blum Date: Mon Dec 9 12:07:09 2024 +0100 cifs: Use str_yes_no() helper in cifs_ses_add_channel() Remove hard-coded strings by using the str_yes_no() helper function. Signed-off-by: Thorsten Blum Signed-off-by: Steve French commit bb57c81e97e0082abfb0406ed6f67c615c3d206c Author: David Howells Date: Fri Dec 6 11:06:32 2024 +0000 cifs: Fix rmdir failure due to ongoing I/O on deleted file The cifs_io_request struct (a wrapper around netfs_io_request) holds open the file on the server, even beyond the local Linux file being closed. This can cause problems with Windows-based filesystems as the file's name still exists after deletion until the file is closed, preventing the parent directory from being removed and causing spurious test failures in xfstests due to inability to remove a directory. The symptom looks something like this in the test output: rm: cannot remove '/mnt/scratch/test/p0/d3': Directory not empty rm: cannot remove '/mnt/scratch/test/p1/dc/dae': Directory not empty Fix this by waiting in unlink and rename for any outstanding I/O requests to be completed on the target file before removing that file. Note that this doesn't prevent Linux from trying to start new requests after deletion if it still has the file open locally - something that's perfectly acceptable on a UNIX system. Note also that whilst I've marked this as fixing the commit to make cifs use netfslib, I don't know that it won't occur before that. Fixes: 3ee1a1fc3981 ("cifs: Cut over to using netfslib") Signed-off-by: David Howells Acked-by: Paulo Alcantara (Red Hat) cc: Jeff Layton cc: linux-cifs@vger.kernel.org cc: netfs@lists.linux.dev cc: linux-fsdevel@vger.kernel.org Signed-off-by: Steve French commit d02af27fa2e8156faf989a5ef7782e7b9a48e2de Merge: 06d64ab46f19ac f1d3334d604cc3 Author: Jakub Kicinski Date: Tue Dec 10 18:44:24 2024 -0800 Merge tag 'wireless-2024-12-10' of https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless Johannes Berg says: ==================== A small set of fixes: - avoid CSA warnings during link removal (by changing link bitmap after remove) - fix # of spatial streams initialisation - fix queues getting stuck in some CSA cases and resume failures - fix interface address when switching monitor mode - fix MBSS change flags 32-bit stack corruption - more UBSAN __counted_by "fixes" ... - fix link ID netlink validation * tag 'wireless-2024-12-10' of https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless: wifi: cfg80211: sme: init n_channels before channels[] access wifi: mac80211: fix station NSS capability initialization order wifi: mac80211: fix vif addr when switching from monitor to station wifi: mac80211: fix a queue stall in certain cases of CSA wifi: mac80211: wake the queues in case of failure in resume wifi: cfg80211: clear link ID from bitmap during link delete after clean up wifi: mac80211: init cnt before accessing elem in ieee80211_copy_mbssid_beacon wifi: mac80211: fix mbss changed flags corruption on 32 bit systems wifi: nl80211: fix NL80211_ATTR_MLO_LINK_ID off-by-one ==================== Link: https://patch.msgid.link/20241210130145.28618-3-johannes@sipsolutions.net Signed-off-by: Jakub Kicinski commit 06d64ab46f19ac12f59a1d2aa8cd196b2e4edb5b Author: MoYuanhao Date: Mon Dec 9 13:28:14 2024 +0100 tcp: check space before adding MPTCP SYN options Ensure there is enough space before adding MPTCP options in tcp_syn_options(). Without this check, 'remaining' could underflow, and causes issues. If there is not enough space, MPTCP should not be used. Signed-off-by: MoYuanhao Fixes: cec37a6e41aa ("mptcp: Handle MP_CAPABLE options for outgoing connections") Cc: stable@vger.kernel.org Acked-by: Matthieu Baerts (NGI0) [ Matt: Add Fixes, cc Stable, update Description ] Signed-off-by: Matthieu Baerts (NGI0) Reviewed-by: Eric Dumazet Link: https://patch.msgid.link/20241209-net-mptcp-check-space-syn-v1-1-2da992bb6f74@kernel.org Signed-off-by: Jakub Kicinski commit bbe4b41259a3e255a16d795486d331c1670b4e75 Author: Petr Machata Date: Mon Dec 9 12:05:31 2024 +0100 Documentation: networking: Add a caveat to nexthop_compat_mode sysctl net.ipv4.nexthop_compat_mode was added when nexthop objects were added to provide the view of nexthop objects through the usual lens of the route UAPI. As nexthop objects evolved, the information provided through this lens became incomplete. For example, details of resilient nexthop groups are obviously omitted. Now that 16-bit nexthop group weights are a thing, the 8-bit UAPI cannot convey the >8-bit weight accurately. Instead of inventing workarounds for an obsolete interface, just document the expectations of inaccuracy. Fixes: b72a6a7ab957 ("net: nexthop: Increase weight to u16") Signed-off-by: Petr Machata Reviewed-by: Ido Schimmel Reviewed-by: David Ahern Link: https://patch.msgid.link/b575e32399ccacd09079b2a218255164535123bd.1733740749.git.petrm@nvidia.com Signed-off-by: Jakub Kicinski commit 24c6843b7393ebc80962b59d7ae71af91bf0dcc1 Author: Michael Chan Date: Sun Dec 8 17:54:48 2024 -0800 bnxt_en: Fix aggregation ID mask to prevent oops on 5760X chips The 5760X (P7) chip's HW GRO/LRO interface is very similar to that of the previous generation (5750X or P5). However, the aggregation ID fields in the completion structures on P7 have been redefined from 16 bits to 12 bits. The freed up 4 bits are redefined for part of the metadata such as the VLAN ID. The aggregation ID mask was not modified when adding support for P7 chips. Including the extra 4 bits for the aggregation ID can potentially cause the driver to store or fetch the packet header of GRO/LRO packets in the wrong TPA buffer. It may hit the BUG() condition in __skb_pull() because the SKB contains no valid packet header: kernel BUG at include/linux/skbuff.h:2766! Oops: invalid opcode: 0000 1 PREEMPT SMP NOPTI CPU: 4 UID: 0 PID: 0 Comm: swapper/4 Kdump: loaded Tainted: G OE 6.12.0-rc2+ #7 Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: Dell Inc. PowerEdge R760/0VRV9X, BIOS 1.0.1 12/27/2022 RIP: 0010:eth_type_trans+0xda/0x140 Code: 80 00 00 00 eb c1 8b 47 70 2b 47 74 48 8b 97 d0 00 00 00 83 f8 01 7e 1b 48 85 d2 74 06 66 83 3a ff 74 09 b8 00 04 00 00 eb a5 <0f> 0b b8 00 01 00 00 eb 9c 48 85 ff 74 eb 31 f6 b9 02 00 00 00 48 RSP: 0018:ff615003803fcc28 EFLAGS: 00010283 RAX: 00000000000022d2 RBX: 0000000000000003 RCX: ff2e8c25da334040 RDX: 0000000000000040 RSI: ff2e8c25c1ce8000 RDI: ff2e8c25869f9000 RBP: ff2e8c258c31c000 R08: ff2e8c25da334000 R09: 0000000000000001 R10: ff2e8c25da3342c0 R11: ff2e8c25c1ce89c0 R12: ff2e8c258e0990b0 R13: ff2e8c25bb120000 R14: ff2e8c25c1ce89c0 R15: ff2e8c25869f9000 FS: 0000000000000000(0000) GS:ff2e8c34be300000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055f05317e4c8 CR3: 000000108bac6006 CR4: 0000000000773ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: ? die+0x33/0x90 ? do_trap+0xd9/0x100 ? eth_type_trans+0xda/0x140 ? do_error_trap+0x65/0x80 ? eth_type_trans+0xda/0x140 ? exc_invalid_op+0x4e/0x70 ? eth_type_trans+0xda/0x140 ? asm_exc_invalid_op+0x16/0x20 ? eth_type_trans+0xda/0x140 bnxt_tpa_end+0x10b/0x6b0 [bnxt_en] ? bnxt_tpa_start+0x195/0x320 [bnxt_en] bnxt_rx_pkt+0x902/0xd90 [bnxt_en] ? __bnxt_tx_int.constprop.0+0x89/0x300 [bnxt_en] ? kmem_cache_free+0x343/0x440 ? __bnxt_tx_int.constprop.0+0x24f/0x300 [bnxt_en] __bnxt_poll_work+0x193/0x370 [bnxt_en] bnxt_poll_p5+0x9a/0x300 [bnxt_en] ? try_to_wake_up+0x209/0x670 __napi_poll+0x29/0x1b0 Fix it by redefining the aggregation ID mask for P5_PLUS chips to be 12 bits. This will work because the maximum aggregation ID is less than 4096 on all P5_PLUS chips. Fixes: 13d2d3d381ee ("bnxt_en: Add new P7 hardware interface definitions") Reviewed-by: Damodharam Ammepalli Reviewed-by: Kalesh AP Reviewed-by: Andy Gospodarek Signed-off-by: Michael Chan Reviewed-by: Simon Horman Link: https://patch.msgid.link/20241209015448.1937766-1-michael.chan@broadcom.com Signed-off-by: Jakub Kicinski commit f92f4749861b06fed908d336b4dee1326003291b Merge: 5a087a6b17eeb6 52fd1709e41d3a Author: Linus Torvalds Date: Tue Dec 10 18:21:40 2024 -0800 Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux Pull clk fixes from Stephen Boyd: "Two reverts and two EN7581 driver fixes: - Revert the attempt to make CLK_GET_RATE_NOCACHE flag work in clk_set_rate() because it led to problems with the Qualcomm CPUFreq driver - Revert Amlogic reset driver back to the initial implementation. This broke probe of the audio subsystem on axg based platforms and also had compilation problems. We'll try again next time. - Fix a clk frequency and fix array bounds runtime checks in the Airoha EN7581 driver" * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux: clk: en7523: Initialize num before accessing hws in en7523_register_clocks() clk: en7523: Fix wrong BUS clock for EN7581 clk: amlogic: axg-audio: revert reset implementation Revert "clk: Fix invalid execution of clk_set_rate" commit 5a087a6b17eeb64893b81d08d38e6f6300419ee5 Merge: 1594c49394ffb0 f10bef73fb355e Author: Linus Torvalds Date: Tue Dec 10 18:18:01 2024 -0800 Merge tag 'for-6.13-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux Pull btrfs fixes from David Sterba: "A few more fixes. Apart from the one liners and updated bio splitting error handling there's a fix for subvolume mount with different flags. This was known and fixed for some time but I've delayed it to give it more testing. - fix unbalanced locking when swapfile activation fails when the subvolume gets deleted in the meantime - add btrfs error handling after bio_split() calls that got error handling recently - during unmount, flush delalloc workers at the right time before the cleaner thread is shut down - fix regression in buffered write folio conversion, explicitly wait for writeback as FGP_STABLE flag is currently a no-op on btrfs - handle race in subvolume mount with different flags, the conversion to the new mount API did not handle the case where multiple subvolumes get mounted in parallel, which is a distro use case" * tag 'for-6.13-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux: btrfs: flush delalloc workers queue before stopping cleaner kthread during unmount btrfs: handle bio_split() errors btrfs: properly wait for writeback before buffered write btrfs: fix missing snapshot drew unlock when root is dead during swap activation btrfs: fix mount failure due to remount races commit 1594c49394ffb0a5a9c889276ea204f05c1d46e3 Merge: 7cb1b466315004 494b332064c0ce Author: Linus Torvalds Date: Tue Dec 10 18:15:25 2024 -0800 Merge tag 'probes-fixes-v6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace Pull eprobes fix from Masami Hiramatsu: - release eprobe when failing to add dyn_event. This unregisters event call and release eprobe when it fails to add a dynamic event. Found in cleaning up. * tag 'probes-fixes-v6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: tracing/eprobe: Fix to release eprobe when failed to add dyn_event commit 21e46a79bbe6c4e1aa73b3ed998130f2ff07b128 Author: Namjae Jeon Date: Fri Dec 6 17:25:25 2024 +0900 ksmbd: set ATTR_CTIME flags when setting mtime David reported that the new warning from setattr_copy_mgtime is coming like the following. [ 113.215316] ------------[ cut here ]------------ [ 113.215974] WARNING: CPU: 1 PID: 31 at fs/attr.c:300 setattr_copy+0x1ee/0x200 [ 113.219192] CPU: 1 UID: 0 PID: 31 Comm: kworker/1:1 Not tainted 6.13.0-rc1+ #234 [ 113.220127] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 [ 113.221530] Workqueue: ksmbd-io handle_ksmbd_work [ksmbd] [ 113.222220] RIP: 0010:setattr_copy+0x1ee/0x200 [ 113.222833] Code: 24 28 49 8b 44 24 30 48 89 53 58 89 43 6c 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 48 89 df e8 77 d6 ff ff e9 cd fe ff ff <0f> 0b e9 be fe ff ff 66 0 [ 113.225110] RSP: 0018:ffffaf218010fb68 EFLAGS: 00010202 [ 113.225765] RAX: 0000000000000120 RBX: ffffa446815f8568 RCX: 0000000000000003 [ 113.226667] RDX: ffffaf218010fd38 RSI: ffffa446815f8568 RDI: ffffffff94eb03a0 [ 113.227531] RBP: ffffaf218010fb90 R08: 0000001a251e217d R09: 00000000675259fa [ 113.228426] R10: 0000000002ba8a6d R11: ffffa4468196c7a8 R12: ffffaf218010fd38 [ 113.229304] R13: 0000000000000120 R14: ffffffff94eb03a0 R15: 0000000000000000 [ 113.230210] FS: 0000000000000000(0000) GS:ffffa44739d00000(0000) knlGS:0000000000000000 [ 113.231215] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 113.232055] CR2: 00007efe0053d27e CR3: 000000000331a000 CR4: 00000000000006b0 [ 113.232926] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 113.233812] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 113.234797] Call Trace: [ 113.235116] [ 113.235393] ? __warn+0x73/0xd0 [ 113.235802] ? setattr_copy+0x1ee/0x200 [ 113.236299] ? report_bug+0xf3/0x1e0 [ 113.236757] ? handle_bug+0x4d/0x90 [ 113.237202] ? exc_invalid_op+0x13/0x60 [ 113.237689] ? asm_exc_invalid_op+0x16/0x20 [ 113.238185] ? setattr_copy+0x1ee/0x200 [ 113.238692] btrfs_setattr+0x80/0x820 [btrfs] [ 113.239285] ? get_stack_info_noinstr+0x12/0xf0 [ 113.239857] ? __module_address+0x22/0xa0 [ 113.240368] ? handle_ksmbd_work+0x6e/0x460 [ksmbd] [ 113.240993] ? __module_text_address+0x9/0x50 [ 113.241545] ? __module_address+0x22/0xa0 [ 113.242033] ? unwind_next_frame+0x10e/0x920 [ 113.242600] ? __pfx_stack_trace_consume_entry+0x10/0x10 [ 113.243268] notify_change+0x2c2/0x4e0 [ 113.243746] ? stack_depot_save_flags+0x27/0x730 [ 113.244339] ? set_file_basic_info+0x130/0x2b0 [ksmbd] [ 113.244993] set_file_basic_info+0x130/0x2b0 [ksmbd] [ 113.245613] ? process_scheduled_works+0xbe/0x310 [ 113.246181] ? worker_thread+0x100/0x240 [ 113.246696] ? kthread+0xc8/0x100 [ 113.247126] ? ret_from_fork+0x2b/0x40 [ 113.247606] ? ret_from_fork_asm+0x1a/0x30 [ 113.248132] smb2_set_info+0x63f/0xa70 [ksmbd] ksmbd is trying to set the atime and mtime via notify_change without also setting the ctime. so This patch add ATTR_CTIME flags when setting mtime to avoid a warning. Reported-by: David Disseldorp Signed-off-by: Namjae Jeon Signed-off-by: Steve French commit b95629435b84b9ecc0c765995204a4d8a913ed52 Author: Namjae Jeon Date: Thu Dec 5 21:38:47 2024 +0900 ksmbd: fix racy issue from session lookup and expire Increment the session reference count within the lock for lookup to avoid racy issue with session expire. Cc: stable@vger.kernel.org Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-25737 Signed-off-by: Namjae Jeon Signed-off-by: Steve French commit 2b904d61a97e8ba79e3bc216ba290fd7e1d85028 Author: Hobin Woo Date: Thu Dec 5 11:31:19 2024 +0900 ksmbd: retry iterate_dir in smb2_query_dir Some file systems do not ensure that the single call of iterate_dir reaches the end of the directory. For example, FUSE fetches entries from a daemon using 4KB buffer and stops fetching if entries exceed the buffer. And then an actor of caller, KSMBD, is used to fill the entries from the buffer. Thus, pattern searching on FUSE, files located after the 4KB could not be found and STATUS_NO_SUCH_FILE was returned. Signed-off-by: Hobin Woo Reviewed-by: Sungjong Seo Reviewed-by: Namjae Jeon Tested-by: Yoonho Shin Acked-by: Namjae Jeon Signed-off-by: Steve French commit 2872e21c47c359b902e53faf7e749c8ea682f7f7 Author: Danilo Krummrich Date: Wed Dec 4 16:22:47 2024 +0100 MAINTAINERS: align Danilo's maintainer entries Some entries use my kernel.org address, while others use my Red Hat one. Since this is a bit of an inconvinience for me, align them to all use the same (kernel.org) address. Acked-by: Dave Airlie Signed-off-by: Danilo Krummrich Link: https://patchwork.freedesktop.org/patch/msgid/20241204152248.8644-1-dakr@kernel.org commit 76467a94810c2aa4dd3096903291ac6df30c399e Author: Huaisheng Ye Date: Mon Dec 9 15:33:02 2024 -0800 cxl/region: Fix region creation for greater than x2 switches The cxl_port_setup_targets() algorithm fails to identify valid target list ordering in the presence of 4-way and above switches resulting in 'cxl create-region' failures of the form: $ cxl create-region -d decoder0.0 -g 1024 -s 2G -t ram -w 8 -m mem4 mem1 mem6 mem3 mem2 mem5 mem7 mem0 cxl region: create_region: region0: failed to set target7 to mem0 cxl region: cmd_create_region: created 0 regions [kernel debug message] check_last_peer:1213: cxl region0: pci0000:0c:port1: cannot host mem6:decoder7.0 at 2 bus_remove_device:574: bus: 'cxl': remove device region0 QEMU can create this failing topology: ACPI0017:00 [root0] | HB_0 [port1] / \ RP_0 RP_1 | | USP [port2] USP [port3] / / \ \ / / \ \ DSP DSP DSP DSP DSP DSP DSP DSP | | | | | | | | mem4 mem6 mem2 mem7 mem1 mem3 mem5 mem0 Pos: 0 2 4 6 1 3 5 7 HB: Host Bridge RP: Root Port USP: Upstream Port DSP: Downstream Port ...with the following command steps: $ qemu-system-x86_64 -machine q35,cxl=on,accel=tcg \ -smp cpus=8 \ -m 8G \ -hda /home/work/vm-images/centos-stream8-02.qcow2 \ -object memory-backend-ram,size=4G,id=m0 \ -object memory-backend-ram,size=4G,id=m1 \ -object memory-backend-ram,size=2G,id=cxl-mem0 \ -object memory-backend-ram,size=2G,id=cxl-mem1 \ -object memory-backend-ram,size=2G,id=cxl-mem2 \ -object memory-backend-ram,size=2G,id=cxl-mem3 \ -object memory-backend-ram,size=2G,id=cxl-mem4 \ -object memory-backend-ram,size=2G,id=cxl-mem5 \ -object memory-backend-ram,size=2G,id=cxl-mem6 \ -object memory-backend-ram,size=2G,id=cxl-mem7 \ -numa node,memdev=m0,cpus=0-3,nodeid=0 \ -numa node,memdev=m1,cpus=4-7,nodeid=1 \ -netdev user,id=net0,hostfwd=tcp::2222-:22 \ -device virtio-net-pci,netdev=net0 \ -device pxb-cxl,bus_nr=12,bus=pcie.0,id=cxl.1 \ -device cxl-rp,port=0,bus=cxl.1,id=root_port0,chassis=0,slot=0 \ -device cxl-rp,port=1,bus=cxl.1,id=root_port1,chassis=0,slot=1 \ -device cxl-upstream,bus=root_port0,id=us0 \ -device cxl-downstream,port=0,bus=us0,id=swport0,chassis=0,slot=4 \ -device cxl-type3,bus=swport0,volatile-memdev=cxl-mem0,id=cxl-vmem0 \ -device cxl-downstream,port=1,bus=us0,id=swport1,chassis=0,slot=5 \ -device cxl-type3,bus=swport1,volatile-memdev=cxl-mem1,id=cxl-vmem1 \ -device cxl-downstream,port=2,bus=us0,id=swport2,chassis=0,slot=6 \ -device cxl-type3,bus=swport2,volatile-memdev=cxl-mem2,id=cxl-vmem2 \ -device cxl-downstream,port=3,bus=us0,id=swport3,chassis=0,slot=7 \ -device cxl-type3,bus=swport3,volatile-memdev=cxl-mem3,id=cxl-vmem3 \ -device cxl-upstream,bus=root_port1,id=us1 \ -device cxl-downstream,port=4,bus=us1,id=swport4,chassis=0,slot=8 \ -device cxl-type3,bus=swport4,volatile-memdev=cxl-mem4,id=cxl-vmem4 \ -device cxl-downstream,port=5,bus=us1,id=swport5,chassis=0,slot=9 \ -device cxl-type3,bus=swport5,volatile-memdev=cxl-mem5,id=cxl-vmem5 \ -device cxl-downstream,port=6,bus=us1,id=swport6,chassis=0,slot=10 \ -device cxl-type3,bus=swport6,volatile-memdev=cxl-mem6,id=cxl-vmem6 \ -device cxl-downstream,port=7,bus=us1,id=swport7,chassis=0,slot=11 \ -device cxl-type3,bus=swport7,volatile-memdev=cxl-mem7,id=cxl-vmem7 \ -M cxl-fmw.0.targets.0=cxl.1,cxl-fmw.0.size=32G & In Guest OS: $ cxl create-region -d decoder0.0 -g 1024 -s 2G -t ram -w 8 -m mem4 mem1 mem6 mem3 mem2 mem5 mem7 mem0 Fix the method to calculate @distance by iterativeley multiplying the number of targets per switch port. This also follows the algorithm recommended here [1]. Fixes: 27b3f8d13830 ("cxl/region: Program target lists") Link: http://lore.kernel.org/6538824b52349_7258329466@dwillia2-xfh.jf.intel.com.notmuch [1] Signed-off-by: Huaisheng Ye Tested-by: Li Zhijian [djbw: add a comment explaining 'distance'] Signed-off-by: Dan Williams Link: https://patch.msgid.link/173378716722.1270362.9546805175813426729.stgit@dwillia2-xfh.jf.intel.com Signed-off-by: Dave Jiang commit 09ceba3a93450b652ae6910b6f65be99885f4437 Author: Li Ming Date: Fri Nov 29 21:28:25 2024 +0800 cxl/pci: Check dport->regs.rcd_pcie_cap availability before accessing RCD Upstream Port's PCI Express Capability is a component registers block stored in RCD Upstream Port RCRB. CXL PCI driver helps to map it during the RCD probing, but mapping failure is allowed for component registers blocks in CXL PCI driver. dport->regs.rcd_pcie_cap is used to store the virtual address of the RCD Upstream Port's PCI Express Capability, add a dport->regs.rcd_pcie_cap checking in rcd_pcie_cap_emit() just in case user accesses a invalid address via RCD sysfs. Fixes: c5eaec79fa43 ("cxl/pci: Add sysfs attribute for CXL 1.1 device link status") Signed-off-by: Li Ming Reviewed-by: Alison Schofield Reviewed-by: Dan Williams Link: https://patch.msgid.link/20241129132825.569237-1-ming.li@zohomail.com Signed-off-by: Dave Jiang commit da4d8c83358163df9a4addaeba0ef8bcb03b22e8 Author: Davidlohr Bueso Date: Fri Nov 15 09:00:32 2024 -0800 cxl/pci: Fix potential bogus return value upon successful probing If cxl_pci_ras_unmask() returns non-zero, cxl_pci_probe() will end up returning that value, instead of zero. Fixes: 248529edc86f ("cxl: add RAS status unmasking for CXL") Reviewed-by: Fan Ni Signed-off-by: Davidlohr Bueso Reviewed-by: Ira Weiny Link: https://patch.msgid.link/20241115170032.108445-1-dave@stgolabs.net Signed-off-by: Dave Jiang commit 7d0d673627e20cfa3b21a829a896ce03b58a4f1c Author: Jann Horn Date: Tue Dec 10 20:08:14 2024 +0100 bpf: Fix theoretical prog_array UAF in __uprobe_perf_func() Currently, the pointer stored in call->prog_array is loaded in __uprobe_perf_func(), with no RCU annotation and no immediately visible RCU protection, so it looks as if the loaded pointer can immediately be dangling. Later, bpf_prog_run_array_uprobe() starts a RCU-trace read-side critical section, but this is too late. It then uses rcu_dereference_check(), but this use of rcu_dereference_check() does not actually dereference anything. Fix it by aligning the semantics to bpf_prog_run_array(): Let the caller provide rcu_read_lock_trace() protection and then load call->prog_array with rcu_dereference_check(). This issue seems to be theoretical: I don't know of any way to reach this code without having handle_swbp() further up the stack, which is already holding a rcu_read_lock_trace() lock, so where we take rcu_read_lock_trace() in __uprobe_perf_func()/bpf_prog_run_array_uprobe() doesn't actually have any effect. Fixes: 8c7dcb84e3b7 ("bpf: implement sleepable uprobes by chaining gps") Suggested-by: Andrii Nakryiko Signed-off-by: Jann Horn Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20241210-bpf-fix-uprobe-uaf-v4-1-5fc8959b2b74@google.com commit 790eb09e59709a1ffc1c64fe4aae2789120851b0 Author: LongPing Wei Date: Thu Nov 7 10:04:41 2024 +0800 block: get wp_offset by bdev_offset_from_zone_start Call bdev_offset_from_zone_start() instead of open-coding it. Fixes: dd291d77cc90 ("block: Introduce zone write plugging") Signed-off-by: LongPing Wei Reviewed-by: Damien Le Moal Reviewed-by: Bart Van Assche Link: https://lore.kernel.org/r/20241107020439.1644577-1-weilongping@oppo.com Signed-off-by: Jens Axboe commit c4441ca86afe4814039ee1b32c39d833c1a16bbc Author: Anton Protopopov Date: Tue Dec 10 11:42:45 2024 +0000 bpf: fix potential error return The bpf_remove_insns() function returns WARN_ON_ONCE(error), where error is a result of bpf_adj_branches(), and thus should be always 0 However, if for any reason it is not 0, then it will be converted to boolean by WARN_ON_ONCE and returned to user space as 1, not an actual error value. Fix this by returning the original err after the WARN check. Signed-off-by: Anton Protopopov Acked-by: Jiri Olsa Acked-by: Andrii Nakryiko Link: https://lore.kernel.org/r/20241210114245.836164-1-aspsk@isovalent.com Signed-off-by: Alexei Starovoitov commit ccb84dc8f4a02e7d30ffd388522996546b4d00e1 Author: Paul Barker Date: Tue Dec 3 14:37:29 2024 +0000 Documentation: PM: Clarify pm_runtime_resume_and_get() return value Update the documentation to match the behaviour of the code. pm_runtime_resume_and_get() always returns 0 on success, even if __pm_runtime_resume() returns 1. Fixes: 2c412337cfe6 ("PM: runtime: Add documentation for pm_runtime_resume_and_get()") Signed-off-by: Paul Barker Link: https://patch.msgid.link/20241203143729.478-1-paul.barker.ct@bp.renesas.com [ rjw: Subject and changelog edits, adjusted new comment formatting ] Signed-off-by: Rafael J. Wysocki commit cf8b876363da4fccdcc4ba209d4d098ec0f1ffac Merge: 978c4486cca5c7 d9706b56e13b79 Author: Alexei Starovoitov Date: Tue Dec 10 10:24:58 2024 -0800 Merge branch 'bpf-track-changes_pkt_data-property-for-global-functions' Eduard Zingerman says: ==================== bpf: track changes_pkt_data property for global functions Nick Zavaritsky reported [0] a bug in verifier, where the following unsafe program is not rejected: __attribute__((__noinline__)) long skb_pull_data(struct __sk_buff *sk, __u32 len) { return bpf_skb_pull_data(sk, len); } SEC("tc") int test_invalidate_checks(struct __sk_buff *sk) { int *p = (void *)(long)sk->data; if ((void *)(p + 1) > (void *)(long)sk->data_end) return TCX_DROP; skb_pull_data(sk, 0); /* not safe, p is invalid after bpf_skb_pull_data call */ *p = 42; return TCX_PASS; } This happens because verifier does not track package invalidation effect of global sub-programs. This patch-set fixes the issue by modifying check_cfg() to compute whether or not each sub-program calls (directly or indirectly) helper invalidating packet pointers. As global functions could be replaced with extension programs, a new field 'changes_pkt_data' is added to struct bpf_prog_aux. Verifier only allows replacing functions that do not change packet data with functions that do not change packet data. In case if there is a need to a have a global function that does not change packet data, but allow replacing it with function that does, the recommendation is to add a noop call to a helper, e.g.: - for skb do 'bpf_skb_change_proto(skb, 0, 0)'; - for xdp do 'bpf_xdp_adjust_meta(xdp, 0)'. Functions also can do tail calls. Effects of the tail call cannot be analyzed before-hand, thus verifier assumes that tail calls always change packet data. Changes v1 [1] -> v2: - added handling of extension programs and tail calls (thanks, Alexei, for all the input). [0] https://lore.kernel.org/bpf/0498CA22-5779-4767-9C0C-A9515CEA711F@gmail.com/ [1] https://lore.kernel.org/bpf/20241206040307.568065-1-eddyz87@gmail.com/ ==================== Link: https://patch.msgid.link/20241210041100.1898468-1-eddyz87@gmail.com Signed-off-by: Alexei Starovoitov commit d9706b56e13b7916461ca6b4b731e169ed44ed09 Author: Eduard Zingerman Date: Mon Dec 9 20:11:00 2024 -0800 selftests/bpf: validate that tail call invalidates packet pointers Add a test case with a tail call done from a global sub-program. Such tails calls should be considered as invalidating packet pointers. Signed-off-by: Eduard Zingerman Link: https://lore.kernel.org/r/20241210041100.1898468-9-eddyz87@gmail.com Signed-off-by: Alexei Starovoitov commit 1a4607ffba35bf2a630aab299e34dd3f6e658d70 Author: Eduard Zingerman Date: Mon Dec 9 20:10:59 2024 -0800 bpf: consider that tail calls invalidate packet pointers Tail-called programs could execute any of the helpers that invalidate packet pointers. Hence, conservatively assume that each tail call invalidates packet pointers. Making the change in bpf_helper_changes_pkt_data() automatically makes use of check_cfg() logic that computes 'changes_pkt_data' effect for global sub-programs, such that the following program could be rejected: int tail_call(struct __sk_buff *sk) { bpf_tail_call_static(sk, &jmp_table, 0); return 0; } SEC("tc") int not_safe(struct __sk_buff *sk) { int *p = (void *)(long)sk->data; ... make p valid ... tail_call(sk); *p = 42; /* this is unsafe */ ... } The tc_bpf2bpf.c:subprog_tc() needs change: mark it as a function that can invalidate packet pointers. Otherwise, it can't be freplaced with tailcall_freplace.c:entry_freplace() that does a tail call. Signed-off-by: Eduard Zingerman Link: https://lore.kernel.org/r/20241210041100.1898468-8-eddyz87@gmail.com Signed-off-by: Alexei Starovoitov commit 89ff40890d8f12a7d7e93fb602cc27562f3834f0 Author: Eduard Zingerman Date: Mon Dec 9 20:10:58 2024 -0800 selftests/bpf: freplace tests for tracking of changes_packet_data Try different combinations of global functions replacement: - replace function that changes packet data with one that doesn't; - replace function that changes packet data with one that does; - replace function that doesn't change packet data with one that does; - replace function that doesn't change packet data with one that doesn't; Signed-off-by: Eduard Zingerman Link: https://lore.kernel.org/r/20241210041100.1898468-7-eddyz87@gmail.com Signed-off-by: Alexei Starovoitov commit 81f6d0530ba031b5f038a091619bf2ff29568852 Author: Eduard Zingerman Date: Mon Dec 9 20:10:57 2024 -0800 bpf: check changes_pkt_data property for extension programs When processing calls to global sub-programs, verifier decides whether to invalidate all packet pointers in current state depending on the changes_pkt_data property of the global sub-program. Because of this, an extension program replacing a global sub-program must be compatible with changes_pkt_data property of the sub-program being replaced. This commit: - adds changes_pkt_data flag to struct bpf_prog_aux: - this flag is set in check_cfg() for main sub-program; - in jit_subprogs() for other sub-programs; - modifies bpf_check_attach_btf_id() to check changes_pkt_data flag; - moves call to check_attach_btf_id() after the call to check_cfg(), because it needs changes_pkt_data flag to be set: bpf_check: ... ... - check_attach_btf_id resolve_pseudo_ldimm64 resolve_pseudo_ldimm64 --> bpf_prog_is_offloaded bpf_prog_is_offloaded check_cfg check_cfg + check_attach_btf_id ... ... The following fields are set by check_attach_btf_id(): - env->ops - prog->aux->attach_btf_trace - prog->aux->attach_func_name - prog->aux->attach_func_proto - prog->aux->dst_trampoline - prog->aux->mod - prog->aux->saved_dst_attach_type - prog->aux->saved_dst_prog_type - prog->expected_attach_type Neither of these fields are used by resolve_pseudo_ldimm64() or bpf_prog_offload_verifier_prep() (for netronome and netdevsim drivers), so the reordering is safe. Suggested-by: Alexei Starovoitov Signed-off-by: Eduard Zingerman Link: https://lore.kernel.org/r/20241210041100.1898468-6-eddyz87@gmail.com Signed-off-by: Alexei Starovoitov commit 3f23ee5590d9605dbde9a5e1d4b97637a4803329 Author: Eduard Zingerman Date: Mon Dec 9 20:10:56 2024 -0800 selftests/bpf: test for changing packet data from global functions Check if verifier is aware of packet pointers invalidation done in global functions. Based on a test shared by Nick Zavaritsky in [0]. [0] https://lore.kernel.org/bpf/0498CA22-5779-4767-9C0C-A9515CEA711F@gmail.com/ Suggested-by: Nick Zavaritsky Signed-off-by: Eduard Zingerman Link: https://lore.kernel.org/r/20241210041100.1898468-5-eddyz87@gmail.com Signed-off-by: Alexei Starovoitov commit 51081a3f25c742da5a659d7fc6fd77ebfdd555be Author: Eduard Zingerman Date: Mon Dec 9 20:10:55 2024 -0800 bpf: track changes_pkt_data property for global functions When processing calls to certain helpers, verifier invalidates all packet pointers in a current state. For example, consider the following program: __attribute__((__noinline__)) long skb_pull_data(struct __sk_buff *sk, __u32 len) { return bpf_skb_pull_data(sk, len); } SEC("tc") int test_invalidate_checks(struct __sk_buff *sk) { int *p = (void *)(long)sk->data; if ((void *)(p + 1) > (void *)(long)sk->data_end) return TCX_DROP; skb_pull_data(sk, 0); *p = 42; return TCX_PASS; } After a call to bpf_skb_pull_data() the pointer 'p' can't be used safely. See function filter.c:bpf_helper_changes_pkt_data() for a list of such helpers. At the moment verifier invalidates packet pointers when processing helper function calls, and does not traverse global sub-programs when processing calls to global sub-programs. This means that calls to helpers done from global sub-programs do not invalidate pointers in the caller state. E.g. the program above is unsafe, but is not rejected by verifier. This commit fixes the omission by computing field bpf_subprog_info->changes_pkt_data for each sub-program before main verification pass. changes_pkt_data should be set if: - subprogram calls helper for which bpf_helper_changes_pkt_data returns true; - subprogram calls a global function, for which bpf_subprog_info->changes_pkt_data should be set. The verifier.c:check_cfg() pass is modified to compute this information. The commit relies on depth first instruction traversal done by check_cfg() and absence of recursive function calls: - check_cfg() would eventually visit every call to subprogram S in a state when S is fully explored; - when S is fully explored: - every direct helper call within S is explored (and thus changes_pkt_data is set if needed); - every call to subprogram S1 called by S was visited with S1 fully explored (and thus S inherits changes_pkt_data from S1). The downside of such approach is that dead code elimination is not taken into account: if a helper call inside global function is dead because of current configuration, verifier would conservatively assume that the call occurs for the purpose of the changes_pkt_data computation. Reported-by: Nick Zavaritsky Closes: https://lore.kernel.org/bpf/0498CA22-5779-4767-9C0C-A9515CEA711F@gmail.com/ Signed-off-by: Eduard Zingerman Link: https://lore.kernel.org/r/20241210041100.1898468-4-eddyz87@gmail.com Signed-off-by: Alexei Starovoitov commit b238e187b4a2d3b54d80aec05a9cab6466b79dde Author: Eduard Zingerman Date: Mon Dec 9 20:10:54 2024 -0800 bpf: refactor bpf_helper_changes_pkt_data to use helper number Use BPF helper number instead of function pointer in bpf_helper_changes_pkt_data(). This would simplify usage of this function in verifier.c:check_cfg() (in a follow-up patch), where only helper number is easily available and there is no real need to lookup helper proto. Signed-off-by: Eduard Zingerman Link: https://lore.kernel.org/r/20241210041100.1898468-3-eddyz87@gmail.com Signed-off-by: Alexei Starovoitov commit 27e88bc4df1d80888fe1aaca786a7cc6e69587e2 Author: Eduard Zingerman Date: Mon Dec 9 20:10:53 2024 -0800 bpf: add find_containing_subprog() utility function Add a utility function, looking for a subprogram containing a given instruction index, rewrite find_subprog() to use this function. Signed-off-by: Eduard Zingerman Link: https://lore.kernel.org/r/20241210041100.1898468-2-eddyz87@gmail.com Signed-off-by: Alexei Starovoitov commit 978c4486cca5c7b9253d3ab98a88c8e769cb9bbd Author: Jiri Olsa Date: Sun Dec 8 15:25:07 2024 +0100 bpf,perf: Fix invalid prog_array access in perf_event_detach_bpf_prog Syzbot reported [1] crash that happens for following tracing scenario: - create tracepoint perf event with attr.inherit=1, attach it to the process and set bpf program to it - attached process forks -> chid creates inherited event the new child event shares the parent's bpf program and tp_event (hence prog_array) which is global for tracepoint - exit both process and its child -> release both events - first perf_event_detach_bpf_prog call will release tp_event->prog_array and second perf_event_detach_bpf_prog will crash, because tp_event->prog_array is NULL The fix makes sure the perf_event_detach_bpf_prog checks prog_array is valid before it tries to remove the bpf program from it. [1] https://lore.kernel.org/bpf/Z1MR6dCIKajNS6nU@krava/T/#m91dbf0688221ec7a7fc95e896a7ef9ff93b0b8ad Fixes: 0ee288e69d03 ("bpf,perf: Fix perf_event_detach_bpf_prog error handling") Reported-by: syzbot+2e0d2840414ce817aaac@syzkaller.appspotmail.com Signed-off-by: Jiri Olsa Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20241208142507.1207698-1-jolsa@kernel.org commit ef1b808e3b7c98612feceedf985c2fbbeb28f956 Author: Jann Horn Date: Tue Dec 10 17:32:13 2024 +0100 bpf: Fix UAF via mismatching bpf_prog/attachment RCU flavors Uprobes always use bpf_prog_run_array_uprobe() under tasks-trace-RCU protection. But it is possible to attach a non-sleepable BPF program to a uprobe, and non-sleepable BPF programs are freed via normal RCU (see __bpf_prog_put_noref()). This leads to UAF of the bpf_prog because a normal RCU grace period does not imply a tasks-trace-RCU grace period. Fix it by explicitly waiting for a tasks-trace-RCU grace period after removing the attachment of a bpf_prog to a perf_event. Fixes: 8c7dcb84e3b7 ("bpf: implement sleepable uprobes by chaining gps") Suggested-by: Andrii Nakryiko Suggested-by: Alexei Starovoitov Signed-off-by: Jann Horn Signed-off-by: Andrii Nakryiko Cc: stable@vger.kernel.org Link: https://lore.kernel.org/bpf/20241210-bpf-fix-actual-uprobe-uaf-v1-1-19439849dd44@google.com commit 7dd9eb6ba88964b091b89855ce7d2a12405013af Author: Hardevsinh Palaniya Date: Wed Nov 13 19:11:18 2024 +0530 ARC: bpf: Correct conditional check in 'check_jmp_32' The original code checks 'if (ARC_CC_AL)', which is always true since ARC_CC_AL is a constant. This makes the check redundant and likely obscures the intention of verifying whether the jump is conditional. Updates the code to check cond == ARC_CC_AL instead, reflecting the intent to differentiate conditional from unconditional jumps. Suggested-by: Vadim Fedorenko Reviewed-by: Vadim Fedorenko Acked-by: Shahab Vahedi Signed-off-by: Hardevsinh Palaniya Signed-off-by: Vineet Gupta commit 4d93ffe661ff59d2d66231b4054fe9c9658bd16c Author: Uwe Kleine-König Date: Tue Oct 22 11:14:27 2024 +0200 ARC: dts: Replace deprecated snps,nr-gpios property for snps,dw-apb-gpio-port devices snps,dw-apb-gpio-port is deprecated since commit ef42a8da3cf3 ("dt-bindings: gpio: dwapb: Add ngpios property support"). The respective driver supports this since commit 7569486d79ae ("gpio: dwapb: Add ngpios DT-property support") which is included in Linux v5.10-rc1. This change was created using git grep -l snps,nr-gpios arch/arc/boot/dts | xargs perl -p -i -e 's/\bsnps,nr-gpios\b/ngpios/ . Signed-off-by: Uwe Kleine-König Signed-off-by: Vineet Gupta commit 1e8af9f04346ecc0bccf0c53b728fc8eb3490a28 Author: Paul E. McKenney Date: Wed Oct 9 10:55:13 2024 -0700 ARC: build: Use __force to suppress per-CPU cmpxchg warnings Currently, the cast of the first argument to cmpxchg_emu_u8() drops the __percpu address-space designator, which results in sparse complaints when applying cmpxchg() to per-CPU variables in ARC. Therefore, use __force to suppress these complaints, given that this does not pertain to cmpxchg() semantics, which are plently well-defined on variables in general, whether per-CPU or otherwise. Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202409251336.ToC0TvWB-lkp@intel.com/ Signed-off-by: Paul E. McKenney Cc: Signed-off-by: Vineet Gupta commit dd2b2302efffab751d1c2d9a436365db0ee55a42 Author: Lukas Bulwahn Date: Mon Oct 28 10:59:07 2024 +0100 ARC: fix reference of dependency for PAE40 config Commit d71e629bed5b ("ARC: build: disallow invalid PAE40 + 4K page config") reworks the build dependencies for ARC_HAS_PAE40, and accidentally refers to the non-existing config option MMU_V4 rather than the intended option ARC_MMU_V4. Note the missing prefix in the name here. Refer to the intended config option in the dependency of the ARC_HAS_PAE40 config. Fixes: d71e629bed5b ("ARC: build: disallow invalid PAE40 + 4K page config") Signed-off-by: Lukas Bulwahn Signed-off-by: Vineet Gupta commit 8871331b1769978ecece205a430338a2581e5050 Author: Vineet Gupta Date: Wed Oct 9 10:33:22 2024 -0700 ARC: build: disallow invalid PAE40 + 4K page config The config option being built was | CONFIG_ARC_MMU_V4=y | CONFIG_ARC_PAGE_SIZE_4K=y | CONFIG_HIGHMEM=y | CONFIG_ARC_HAS_PAE40=y This was hitting a BUILD_BUG_ON() since a 4K page can't hoist 1k, 8-byte PTE entries (8 byte due to PAE40). BUILD_BUG_ON() is a good last ditch resort, but such a config needs to be disallowed explicitly in Kconfig. Side-note: the actual fix is single liner dependency, but while at it cleaned out a few things: - 4K dependency on MMU v3 or v4 is always true, since 288ff7de62af09 ("ARC: retire MMUv1 and MMUv2 support") - PAE40 dependency in on MMU ver not really ISA, although that follows eventually. Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202409160223.xydgucbY-lkp@intel.com/ Signed-off-by: Vineet Gupta commit c0cd2941bceca784864dd21199cd8e6e7ce9e906 Author: Benjamin Szőke Date: Mon May 20 16:26:47 2024 +0200 arc: rename aux.h to arc_aux.h The goal is to clean-up Linux repository from AUX file names, because the use of such file names is prohibited on other operating systems such as Windows, so the Linux repository cannot be cloned and edited on them. Reviewed-by: Shahab Vahedi Signed-off-by: Benjamin Szőke Signed-off-by: Vineet Gupta commit 0f7ca6f69354e0c3923bbc28c92d0ecab4d50a3e Author: Zijun Hu Date: Mon Dec 9 21:25:02 2024 +0800 of/irq: Fix using uninitialized variable @addr_len in API of_irq_parse_one() of_irq_parse_one() may use uninitialized variable @addr_len as shown below: // @addr_len is uninitialized int addr_len; // This operation does not touch @addr_len if it fails. addr = of_get_property(device, "reg", &addr_len); // Use uninitialized @addr_len if the operation fails. if (addr_len > sizeof(addr_buf)) addr_len = sizeof(addr_buf); // Check the operation result here. if (addr) memcpy(addr_buf, addr, addr_len); Fix by initializing @addr_len before the operation. Fixes: b739dffa5d57 ("of/irq: Prevent device address out-of-bounds read in interrupt map walk") Cc: stable@vger.kernel.org Signed-off-by: Zijun Hu Link: https://lore.kernel.org/r/20241209-of_irq_fix-v1-4-782f1419c8a1@quicinc.com Signed-off-by: Rob Herring (Arm) commit fec3edc47d5cfc2dd296a5141df887bf567944db Author: Zijun Hu Date: Mon Dec 9 21:24:59 2024 +0800 of/irq: Fix interrupt-map cell length check in of_irq_parse_imap_parent() On a malformed interrupt-map property which is shorter than expected by 1 cell, we may read bogus data past the end of the property instead of returning an error in of_irq_parse_imap_parent(). Decrement the remaining length when skipping over the interrupt parent phandle cell. Fixes: 935df1bd40d4 ("of/irq: Factor out parsing of interrupt-map parent phandle+args from of_irq_parse_raw()") Cc: stable@vger.kernel.org Signed-off-by: Zijun Hu Link: https://lore.kernel.org/r/20241209-of_irq_fix-v1-1-782f1419c8a1@quicinc.com [rh: reword commit msg] Signed-off-by: Rob Herring (Arm) commit 5d009e024056ded20c5bb1583146b833b23bbd5a Author: Zijun Hu Date: Fri Dec 6 08:52:30 2024 +0800 of: Fix refcount leakage for OF node returned by __of_get_dma_parent() __of_get_dma_parent() returns OF device node @args.np, but the node's refcount is increased twice, by both of_parse_phandle_with_args() and of_node_get(), so causes refcount leakage for the node. Fix by directly returning the node got by of_parse_phandle_with_args(). Fixes: f83a6e5dea6c ("of: address: Add support for the parent DMA bus") Cc: stable@vger.kernel.org Signed-off-by: Zijun Hu Link: https://lore.kernel.org/r/20241206-of_core_fix-v1-4-dc28ed56bec3@quicinc.com Signed-off-by: Rob Herring (Arm) commit 11d5245f608f8ac01c97b93f31497cef7b96e457 Author: Michal Luczaj Date: Mon Dec 2 12:29:24 2024 +0100 selftests/bpf: Extend test for sockmap update with same Verify that the sockmap link was not severed, and socket's entry is indeed removed from the map when the corresponding descriptor gets closed. Signed-off-by: Michal Luczaj Signed-off-by: Daniel Borkmann Reviewed-by: John Fastabend Link: https://lore.kernel.org/bpf/20241202-sockmap-replace-v1-2-1e88579e7bd5@rbox.co commit ed1fc5d76b81a4d681211333c026202cad4d5649 Author: Michal Luczaj Date: Mon Dec 2 12:29:25 2024 +0100 bpf, sockmap: Fix race between element replace and close() Element replace (with a socket different from the one stored) may race with socket's close() link popping & unlinking. __sock_map_delete() unconditionally unrefs the (wrong) element: // set map[0] = s0 map_update_elem(map, 0, s0) // drop fd of s0 close(s0) sock_map_close() lock_sock(sk) (s0!) sock_map_remove_links(sk) link = sk_psock_link_pop() sock_map_unlink(sk, link) sock_map_delete_from_link // replace map[0] with s1 map_update_elem(map, 0, s1) sock_map_update_elem (s1!) lock_sock(sk) sock_map_update_common psock = sk_psock(sk) spin_lock(&stab->lock) osk = stab->sks[idx] sock_map_add_link(..., &stab->sks[idx]) sock_map_unref(osk, &stab->sks[idx]) psock = sk_psock(osk) sk_psock_put(sk, psock) if (refcount_dec_and_test(&psock)) sk_psock_drop(sk, psock) spin_unlock(&stab->lock) unlock_sock(sk) __sock_map_delete spin_lock(&stab->lock) sk = *psk // s1 replaced s0; sk == s1 if (!sk_test || sk_test == sk) // sk_test (s0) != sk (s1); no branch sk = xchg(psk, NULL) if (sk) sock_map_unref(sk, psk) // unref s1; sks[idx] will dangle psock = sk_psock(sk) sk_psock_put(sk, psock) if (refcount_dec_and_test()) sk_psock_drop(sk, psock) spin_unlock(&stab->lock) release_sock(sk) Then close(map) enqueues bpf_map_free_deferred, which finally calls sock_map_free(). This results in some refcount_t warnings along with a KASAN splat [1]. Fix __sock_map_delete(), do not allow sock_map_unref() on elements that may have been replaced. [1]: BUG: KASAN: slab-use-after-free in sock_map_free+0x10e/0x330 Write of size 4 at addr ffff88811f5b9100 by task kworker/u64:12/1063 CPU: 14 UID: 0 PID: 1063 Comm: kworker/u64:12 Not tainted 6.12.0+ #125 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014 Workqueue: events_unbound bpf_map_free_deferred Call Trace: dump_stack_lvl+0x68/0x90 print_report+0x174/0x4f6 kasan_report+0xb9/0x190 kasan_check_range+0x10f/0x1e0 sock_map_free+0x10e/0x330 bpf_map_free_deferred+0x173/0x320 process_one_work+0x846/0x1420 worker_thread+0x5b3/0xf80 kthread+0x29e/0x360 ret_from_fork+0x2d/0x70 ret_from_fork_asm+0x1a/0x30 Allocated by task 1202: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 __kasan_slab_alloc+0x85/0x90 kmem_cache_alloc_noprof+0x131/0x450 sk_prot_alloc+0x5b/0x220 sk_alloc+0x2c/0x870 unix_create1+0x88/0x8a0 unix_create+0xc5/0x180 __sock_create+0x241/0x650 __sys_socketpair+0x1ce/0x420 __x64_sys_socketpair+0x92/0x100 do_syscall_64+0x93/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 46: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x60 __kasan_slab_free+0x4b/0x70 kmem_cache_free+0x1a1/0x590 __sk_destruct+0x388/0x5a0 sk_psock_destroy+0x73e/0xa50 process_one_work+0x846/0x1420 worker_thread+0x5b3/0xf80 kthread+0x29e/0x360 ret_from_fork+0x2d/0x70 ret_from_fork_asm+0x1a/0x30 The buggy address belongs to the object at ffff88811f5b9080 which belongs to the cache UNIX-STREAM of size 1984 The buggy address is located 128 bytes inside of freed 1984-byte region [ffff88811f5b9080, ffff88811f5b9840) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11f5b8 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 memcg:ffff888127d49401 flags: 0x17ffffc0000040(head|node=0|zone=2|lastcpupid=0x1fffff) page_type: f5(slab) raw: 0017ffffc0000040 ffff8881042e4500 dead000000000122 0000000000000000 raw: 0000000000000000 00000000800f000f 00000001f5000000 ffff888127d49401 head: 0017ffffc0000040 ffff8881042e4500 dead000000000122 0000000000000000 head: 0000000000000000 00000000800f000f 00000001f5000000 ffff888127d49401 head: 0017ffffc0000003 ffffea00047d6e01 ffffffffffffffff 0000000000000000 head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88811f5b9000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88811f5b9080: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88811f5b9180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88811f5b9200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb Disabling lock debugging due to kernel taint refcount_t: addition on 0; use-after-free. WARNING: CPU: 14 PID: 1063 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150 CPU: 14 UID: 0 PID: 1063 Comm: kworker/u64:12 Tainted: G B 6.12.0+ #125 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014 Workqueue: events_unbound bpf_map_free_deferred RIP: 0010:refcount_warn_saturate+0xce/0x150 Code: 34 73 eb 03 01 e8 82 53 ad fe 0f 0b eb b1 80 3d 27 73 eb 03 00 75 a8 48 c7 c7 80 bd 95 84 c6 05 17 73 eb 03 01 e8 62 53 ad fe <0f> 0b eb 91 80 3d 06 73 eb 03 00 75 88 48 c7 c7 e0 bd 95 84 c6 05 RSP: 0018:ffff88815c49fc70 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff88811f5b9100 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000001 RBP: 0000000000000002 R08: 0000000000000001 R09: ffffed10bcde6349 R10: ffff8885e6f31a4b R11: 0000000000000000 R12: ffff88813be0b000 R13: ffff88811f5b9100 R14: ffff88811f5b9080 R15: ffff88813be0b024 FS: 0000000000000000(0000) GS:ffff8885e6f00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055dda99b0250 CR3: 000000015dbac000 CR4: 0000000000752ef0 PKRU: 55555554 Call Trace: ? __warn.cold+0x5f/0x1ff ? refcount_warn_saturate+0xce/0x150 ? report_bug+0x1ec/0x390 ? handle_bug+0x58/0x90 ? exc_invalid_op+0x13/0x40 ? asm_exc_invalid_op+0x16/0x20 ? refcount_warn_saturate+0xce/0x150 sock_map_free+0x2e5/0x330 bpf_map_free_deferred+0x173/0x320 process_one_work+0x846/0x1420 worker_thread+0x5b3/0xf80 kthread+0x29e/0x360 ret_from_fork+0x2d/0x70 ret_from_fork_asm+0x1a/0x30 irq event stamp: 10741 hardirqs last enabled at (10741): [] asm_sysvec_apic_timer_interrupt+0x16/0x20 hardirqs last disabled at (10740): [] handle_softirqs+0x60d/0x770 softirqs last enabled at (10506): [] __irq_exit_rcu+0x109/0x210 softirqs last disabled at (10301): [] __irq_exit_rcu+0x109/0x210 refcount_t: underflow; use-after-free. WARNING: CPU: 14 PID: 1063 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150 CPU: 14 UID: 0 PID: 1063 Comm: kworker/u64:12 Tainted: G B W 6.12.0+ #125 Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014 Workqueue: events_unbound bpf_map_free_deferred RIP: 0010:refcount_warn_saturate+0xee/0x150 Code: 17 73 eb 03 01 e8 62 53 ad fe 0f 0b eb 91 80 3d 06 73 eb 03 00 75 88 48 c7 c7 e0 bd 95 84 c6 05 f6 72 eb 03 01 e8 42 53 ad fe <0f> 0b e9 6e ff ff ff 80 3d e6 72 eb 03 00 0f 85 61 ff ff ff 48 c7 RSP: 0018:ffff88815c49fc70 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff88811f5b9100 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000001 RBP: 0000000000000003 R08: 0000000000000001 R09: ffffed10bcde6349 R10: ffff8885e6f31a4b R11: 0000000000000000 R12: ffff88813be0b000 R13: ffff88811f5b9100 R14: ffff88811f5b9080 R15: ffff88813be0b024 FS: 0000000000000000(0000) GS:ffff8885e6f00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055dda99b0250 CR3: 000000015dbac000 CR4: 0000000000752ef0 PKRU: 55555554 Call Trace: ? __warn.cold+0x5f/0x1ff ? refcount_warn_saturate+0xee/0x150 ? report_bug+0x1ec/0x390 ? handle_bug+0x58/0x90 ? exc_invalid_op+0x13/0x40 ? asm_exc_invalid_op+0x16/0x20 ? refcount_warn_saturate+0xee/0x150 sock_map_free+0x2d3/0x330 bpf_map_free_deferred+0x173/0x320 process_one_work+0x846/0x1420 worker_thread+0x5b3/0xf80 kthread+0x29e/0x360 ret_from_fork+0x2d/0x70 ret_from_fork_asm+0x1a/0x30 irq event stamp: 10741 hardirqs last enabled at (10741): [] asm_sysvec_apic_timer_interrupt+0x16/0x20 hardirqs last disabled at (10740): [] handle_softirqs+0x60d/0x770 softirqs last enabled at (10506): [] __irq_exit_rcu+0x109/0x210 softirqs last disabled at (10301): [] __irq_exit_rcu+0x109/0x210 Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface") Signed-off-by: Michal Luczaj Signed-off-by: Daniel Borkmann Reviewed-by: John Fastabend Link: https://lore.kernel.org/bpf/20241202-sockmap-replace-v1-3-1e88579e7bd5@rbox.co commit 75e072a390da9a22e7ae4a4e8434dfca5da499fb Author: Michal Luczaj Date: Mon Dec 2 12:29:23 2024 +0100 bpf, sockmap: Fix update element with same Consider a sockmap entry being updated with the same socket: osk = stab->sks[idx]; sock_map_add_link(psock, link, map, &stab->sks[idx]); stab->sks[idx] = sk; if (osk) sock_map_unref(osk, &stab->sks[idx]); Due to sock_map_unref(), which invokes sock_map_del_link(), all the psock's links for stab->sks[idx] are torn: list_for_each_entry_safe(link, tmp, &psock->link, list) { if (link->link_raw == link_raw) { ... list_del(&link->list); sk_psock_free_link(link); } } And that includes the new link sock_map_add_link() added just before the unref. This results in a sockmap holding a socket, but without the respective link. This in turn means that close(sock) won't trigger the cleanup, i.e. a closed socket will not be automatically removed from the sockmap. Stop tearing the links when a matching link_raw is found. Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface") Signed-off-by: Michal Luczaj Signed-off-by: Daniel Borkmann Reviewed-by: John Fastabend Link: https://lore.kernel.org/bpf/20241202-sockmap-replace-v1-1-1e88579e7bd5@rbox.co commit 2993b29b2a98f2bc9d55dfd37ef39f56a2908748 Author: Mario Limonciello Date: Mon Dec 9 12:52:35 2024 -0600 cpufreq/amd-pstate: Use boost numerator for upper bound of frequencies commit 18d9b5227121 ("cpufreq/amd-pstate: Use nominal perf for limits when boost is disabled") introduced different semantics for min/max limits based upon whether the user turned off boost from sysfs. This however is not necessary when the highest perf value is the boost numerator. Suggested-by: Dhananjay Ugwekar Reviewed-by: Gautham R. Shenoy Fixes: 18d9b5227121 ("cpufreq/amd-pstate: Use nominal perf for limits when boost is disabled") Link: https://lore.kernel.org/r/20241209185248.16301-3-mario.limonciello@amd.com Signed-off-by: Mario Limonciello commit 50a062a7620051c09adacd6d140ebd56881a333b Author: Mario Limonciello Date: Mon Dec 9 12:52:34 2024 -0600 cpufreq/amd-pstate: Store the boost numerator as highest perf again commit ad4caad58d91d ("cpufreq: amd-pstate: Merge amd_pstate_highest_perf_set() into amd_get_boost_ratio_numerator()") changed the semantics for highest perf and commit 18d9b52271213 ("cpufreq/amd-pstate: Use nominal perf for limits when boost is disabled") worked around those semantic changes. This however is a confusing result and furthermore makes it awkward to change frequency limits and boost due to the scaling differences. Restore the boost numerator to highest perf again. Suggested-by: Dhananjay Ugwekar Reviewed-by: Gautham R. Shenoy Fixes: ad4caad58d91 ("cpufreq: amd-pstate: Merge amd_pstate_highest_perf_set() into amd_get_boost_ratio_numerator()") Link: https://lore.kernel.org/r/20241209185248.16301-2-mario.limonciello@amd.com Signed-off-by: Mario Limonciello commit 86e6ca55b83c575ab0f2e105cf08f98e58d3d7af Author: Tejun Heo Date: Fri Dec 6 07:59:51 2024 -1000 blk-cgroup: Fix UAF in blkcg_unpin_online() blkcg_unpin_online() walks up the blkcg hierarchy putting the online pin. To walk up, it uses blkcg_parent(blkcg) but it was calling that after blkcg_destroy_blkgs(blkcg) which could free the blkcg, leading to the following UAF: ================================================================== BUG: KASAN: slab-use-after-free in blkcg_unpin_online+0x15a/0x270 Read of size 8 at addr ffff8881057678c0 by task kworker/9:1/117 CPU: 9 UID: 0 PID: 117 Comm: kworker/9:1 Not tainted 6.13.0-rc1-work-00182-gb8f52214c61a-dirty #48 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS unknown 02/02/2022 Workqueue: cgwb_release cgwb_release_workfn Call Trace: dump_stack_lvl+0x27/0x80 print_report+0x151/0x710 kasan_report+0xc0/0x100 blkcg_unpin_online+0x15a/0x270 cgwb_release_workfn+0x194/0x480 process_scheduled_works+0x71b/0xe20 worker_thread+0x82a/0xbd0 kthread+0x242/0x2c0 ret_from_fork+0x33/0x70 ret_from_fork_asm+0x1a/0x30 ... Freed by task 1944: kasan_save_track+0x2b/0x70 kasan_save_free_info+0x3c/0x50 __kasan_slab_free+0x33/0x50 kfree+0x10c/0x330 css_free_rwork_fn+0xe6/0xb30 process_scheduled_works+0x71b/0xe20 worker_thread+0x82a/0xbd0 kthread+0x242/0x2c0 ret_from_fork+0x33/0x70 ret_from_fork_asm+0x1a/0x30 Note that the UAF is not easy to trigger as the free path is indirected behind a couple RCU grace periods and a work item execution. I could only trigger it with artifical msleep() injected in blkcg_unpin_online(). Fix it by reading the parent pointer before destroying the blkcg's blkg's. Signed-off-by: Tejun Heo Reported-by: Abagail ren Suggested-by: Linus Torvalds Fixes: 4308a434e5e0 ("blkcg: don't offline parent blkcg first") Cc: stable@vger.kernel.org # v5.7+ Signed-off-by: Jens Axboe commit 6f604b59c2841168131523e25f5e36afa17306f4 Author: Coly Li Date: Sun Dec 8 19:53:50 2024 +0800 MAINTAINERS: update Coly Li's email address This patch updates Coly Li's email addres to colyli@kernel.org. Signed-off-by: Coly Li Link: https://lore.kernel.org/r/20241208115350.85103-1-colyli@kernel.org Signed-off-by: Jens Axboe commit fe0418eb9bd69a19a948b297c8de815e05f3cde1 Author: Damien Le Moal Date: Mon Dec 9 21:23:57 2024 +0900 block: Prevent potential deadlocks in zone write plug error recovery Zone write plugging for handling writes to zones of a zoned block device always execute a zone report whenever a write BIO to a zone fails. The intent of this is to ensure that the tracking of a zone write pointer is always correct to ensure that the alignment to a zone write pointer of write BIOs can be checked on submission and that we can always correctly emulate zone append operations using regular write BIOs. However, this error recovery scheme introduces a potential deadlock if a device queue freeze is initiated while BIOs are still plugged in a zone write plug and one of these write operation fails. In such case, the disk zone write plug error recovery work is scheduled and executes a report zone. This in turn can result in a request allocation in the underlying driver to issue the report zones command to the device. But with the device queue freeze already started, this allocation will block, preventing the report zone execution and the continuation of the processing of the plugged BIOs. As plugged BIOs hold a queue usage reference, the queue freeze itself will never complete, resulting in a deadlock. Avoid this problem by completely removing from the zone write plugging code the use of report zones operations after a failed write operation, instead relying on the device user to either execute a report zones, reset the zone, finish the zone, or give up writing to the device (which is a fairly common pattern for file systems which degrade to read-only after write failures). This is not an unreasonnable requirement as all well-behaved applications, FSes and device mapper already use report zones to recover from write errors whenever possible by comparing the current position of a zone write pointer with what their assumption about the position is. The changes to remove the automatic error recovery are as follows: - Completely remove the error recovery work and its associated resources (zone write plug list head, disk error list, and disk zone_wplugs_work work struct). This also removes the functions disk_zone_wplug_set_error() and disk_zone_wplug_clear_error(). - Change the BLK_ZONE_WPLUG_ERROR zone write plug flag into BLK_ZONE_WPLUG_NEED_WP_UPDATE. This new flag is set for a zone write plug whenever a write opration targetting the zone of the zone write plug fails. This flag indicates that the zone write pointer offset is not reliable and that it must be updated when the next report zone, reset zone, finish zone or disk revalidation is executed. - Modify blk_zone_write_plug_bio_endio() to set the BLK_ZONE_WPLUG_NEED_WP_UPDATE flag for the target zone of a failed write BIO. - Modify the function disk_zone_wplug_set_wp_offset() to clear this new flag, thus implementing recovery of a correct write pointer offset with the reset (all) zone and finish zone operations. - Modify blkdev_report_zones() to always use the disk_report_zones_cb() callback so that disk_zone_wplug_sync_wp_offset() can be called for any zone marked with the BLK_ZONE_WPLUG_NEED_WP_UPDATE flag. This implements recovery of a correct write pointer offset for zone write plugs marked with BLK_ZONE_WPLUG_NEED_WP_UPDATE and within the range of the report zones operation executed by the user. - Modify blk_revalidate_seq_zone() to call disk_zone_wplug_sync_wp_offset() for all sequential write required zones when a zoned block device is revalidated, thus always resolving any inconsistency between the write pointer offset of zone write plugs and the actual write pointer position of sequential zones. Fixes: dd291d77cc90 ("block: Introduce zone write plugging") Cc: stable@vger.kernel.org Signed-off-by: Damien Le Moal Reviewed-by: Christoph Hellwig Reviewed-by: Martin K. Petersen Link: https://lore.kernel.org/r/20241209122357.47838-5-dlemoal@kernel.org Signed-off-by: Jens Axboe commit b76b840fd93374240b59825f1ab8e2f5c9907acb Author: Damien Le Moal Date: Mon Dec 9 21:23:56 2024 +0900 dm: Fix dm-zoned-reclaim zone write pointer alignment The zone reclaim processing of the dm-zoned device mapper uses blkdev_issue_zeroout() to align the write pointer of a zone being used for reclaiming another zone, to write the valid data blocks from the zone being reclaimed at the same position relative to the zone start in the reclaim target zone. The first call to blkdev_issue_zeroout() will try to use hardware offload using a REQ_OP_WRITE_ZEROES operation if the device reports a non-zero max_write_zeroes_sectors queue limit. If this operation fails because of the lack of hardware support, blkdev_issue_zeroout() falls back to using a regular write operation with the zero-page as buffer. Currently, such REQ_OP_WRITE_ZEROES failure is automatically handled by the block layer zone write plugging code which will execute a report zones operation to ensure that the write pointer of the target zone of the failed operation has not changed and to "rewind" the zone write pointer offset of the target zone as it was advanced when the write zero operation was submitted. So the REQ_OP_WRITE_ZEROES failure does not cause any issue and blkdev_issue_zeroout() works as expected. However, since the automatic recovery of zone write pointers by the zone write plugging code can potentially cause deadlocks with queue freeze operations, a different recovery must be implemented in preparation for the removal of zone write plugging report zones based recovery. Do this by introducing the new function blk_zone_issue_zeroout(). This function first calls blkdev_issue_zeroout() with the flag BLKDEV_ZERO_NOFALLBACK to intercept failures on the first execution which attempt to use the device hardware offload with the REQ_OP_WRITE_ZEROES operation. If this attempt fails, a report zone operation is issued to restore the zone write pointer offset of the target zone to the correct position and blkdev_issue_zeroout() is called again without the BLKDEV_ZERO_NOFALLBACK flag. The report zones operation performing this recovery is implemented using the helper function disk_zone_sync_wp_offset() which calls the gendisk report_zones file operation with the callback disk_report_zones_cb(). This callback updates the target write pointer offset of the target zone using the new function disk_zone_wplug_sync_wp_offset(). dmz_reclaim_align_wp() is modified to change its call to blkdev_issue_zeroout() to a call to blk_zone_issue_zeroout() without any other change needed as the two functions are functionnally equivalent. Fixes: dd291d77cc90 ("block: Introduce zone write plugging") Cc: stable@vger.kernel.org Signed-off-by: Damien Le Moal Reviewed-by: Christoph Hellwig Acked-by: Mike Snitzer Reviewed-by: Martin K. Petersen Link: https://lore.kernel.org/r/20241209122357.47838-4-dlemoal@kernel.org Signed-off-by: Jens Axboe commit 5eb3317aa5a2ffe4574ab1a12cf9bc9447ca26c0 Author: Damien Le Moal Date: Mon Dec 9 21:23:55 2024 +0900 block: Ignore REQ_NOWAIT for zone reset and zone finish operations There are currently any issuer of REQ_OP_ZONE_RESET and REQ_OP_ZONE_FINISH operations that set REQ_NOWAIT. However, as we cannot handle this flag correctly due to the potential request allocation failure that may happen in blk_mq_submit_bio() after blk_zone_plug_bio() has handled the zone write plug write pointer updates for the targeted zones, modify blk_zone_wplug_handle_reset_or_finish() to warn if this flag is set and ignore it. Fixes: dd291d77cc90 ("block: Introduce zone write plugging") Cc: stable@vger.kernel.org Signed-off-by: Damien Le Moal Reviewed-by: Christoph Hellwig Reviewed-by: Martin K. Petersen Link: https://lore.kernel.org/r/20241209122357.47838-3-dlemoal@kernel.org Signed-off-by: Jens Axboe commit cae005670887cb07ceafc25bb32e221e56286488 Author: Damien Le Moal Date: Mon Dec 9 21:23:54 2024 +0900 block: Use a zone write plug BIO work for REQ_NOWAIT BIOs For zoned block devices, a write BIO issued to a zone that has no on-going writes will be prepared for execution and allowed to execute immediately by blk_zone_wplug_handle_write() (called from blk_zone_plug_bio()). However, if this BIO specifies REQ_NOWAIT, the allocation of a request for its execution in blk_mq_submit_bio() may fail after blk_zone_plug_bio() completed, marking the target zone of the BIO as plugged. When this BIO is retried later on, it will be blocked as the zone write plug of the target zone is in a plugged state without any on-going write operation (completion of write operations trigger unplugging of the next write BIOs for a zone). This leads to a BIO that is stuck in a zone write plug and never completes, which results in various issues such as hung tasks. Avoid this problem by always executing REQ_NOWAIT write BIOs using the BIO work of a zone write plug. This ensure that we never block the BIO issuer and can thus safely ignore the REQ_NOWAIT flag when executing the BIO from the zone write plug BIO work. Since such BIO may be the first write BIO issued to a zone with no on-going write, modify disk_zone_wplug_add_bio() to schedule the zone write plug BIO work if the write plug is not already marked with the BLK_ZONE_WPLUG_PLUGGED flag. This scheduling is otherwise not necessary as the completion of the on-going write for the zone will schedule the execution of the next plugged BIOs. blk_zone_wplug_handle_write() is also fixed to better handle zone write plug allocation failures for REQ_NOWAIT BIOs by failing a write BIO using bio_wouldblock_error() instead of bio_io_error(). Reported-by: Bart Van Assche Fixes: dd291d77cc90 ("block: Introduce zone write plugging") Cc: stable@vger.kernel.org Signed-off-by: Damien Le Moal Reviewed-by: Christoph Hellwig Reviewed-by: Martin K. Petersen Link: https://lore.kernel.org/r/20241209122357.47838-2-dlemoal@kernel.org Signed-off-by: Jens Axboe commit 438b39ac74e2a9dc0a5c9d653b7d8066877e86b1 Author: Jesse.zhang@amd.com Date: Thu Dec 5 17:41:26 2024 +0800 drm/amdkfd: pause autosuspend when creating pdd When using MES creating a pdd will require talking to the GPU to setup the relevant context. The code here forgot to wake up the GPU in case it was in suspend, this causes KVM to EFAULT for passthrough GPU for example. This issue can be masked if the GPU was woken up by other things (e.g. opening the KMS node) first and have not yet gone to sleep. v4: do the allocation of proc_ctx_bo in a lazy fashion when the first queue is created in a process (Felix) Signed-off-by: Jesse Zhang Reviewed-by: Yunxiang Li Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit f4df208177d02f1c90f3644da3a2453080b8c24f Author: Christian König Date: Fri Dec 6 14:46:06 2024 +0100 drm/amdgpu: fix when the cleaner shader is emitted Emitting the cleaner shader must come after the check if a VM switch is necessary or not. Otherwise we will emit the cleaner shader every time and not just when it is necessary because we switched between applications. This can otherwise crash on gang submit and probably decreases performance quite a bit. v2: squash in fix from Srini (Alex) Signed-off-by: Christian König Fixes: ee7a846ea27b ("drm/amdgpu: Emit cleaner shader at end of IB submission") Acked-by: Alex Deucher Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit ee2003d5fd139f5c881b87615c216c0053b69093 Author: Pratap Nirujogi Date: Thu Dec 5 11:27:36 2024 -0500 drm/amdgpu: Fix ISP HW init issue ISP hw_init is not called with the recent changes related to hw init levels. AMDGPU_INIT_LEVEL_DEFAULT is ignoring the ISP IP block as AMDGPU_IP_BLK_MASK_ALL is derived using incorrect max number of IP blocks. Update AMDGPU_IP_BLK_MASK_ALL to use AMD_IP_BLOCK_TYPE_NUM instead of AMDGPU_MAX_IP_NUM to fix the issue. Fixes: 14f2fe34f5c6 ("drm/amdgpu: Add init levels") Reviewed-by: Lijo Lazar Signed-off-by: Pratap Nirujogi Signed-off-by: Alex Deucher commit d50bf3f0fab636574c163ba8b5863e12b1ed19bd Author: Harish Kasiviswanathan Date: Thu Nov 28 11:07:57 2024 -0500 drm/amdkfd: hard-code MALL cacheline size for gfx11, gfx12 This information is not available in ip discovery table. Signed-off-by: Harish Kasiviswanathan Reviewed-by: David Belanger Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit 321048c4a3e375416b51b4093978f9ce2aa4d391 Author: Harish Kasiviswanathan Date: Wed Nov 27 14:01:35 2024 -0500 drm/amdkfd: hard-code cacheline size for gfx11 This information is not available in ip discovery table. Signed-off-by: Harish Kasiviswanathan Reviewed-by: David Belanger Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit a592bb19abdc2072875c87da606461bfd7821b08 Author: Andrew Martin Date: Tue Nov 26 12:10:59 2024 -0500 drm/amdkfd: Dereference null return value In the function pqm_uninit there is a call-assignment of "pdd = kfd_get_process_device_data" which could be null, and this value was later dereferenced without checking. Fixes: fb91065851cd ("drm/amdkfd: Refactor queue wptr_bo GART mapping") Signed-off-by: Andrew Martin Reviewed-by: Felix Kuehling Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit 5751eee5c620c7e47a277ca929c4010caf24654c Author: Geert Uytterhoeven Date: Fri Dec 6 09:28:06 2024 +0100 i2c: nomadik: Add missing sentinel to match table The OF match table is not NULL-terminated. Fix this by adding a sentinel to nmk_i2c_eyeq_match_table[]. Fixes: a0d15cc47f29be6d ("i2c: nomadik: switch from of_device_is_compatible() to of_match_device()") Signed-off-by: Geert Uytterhoeven Reviewed-by: Théo Lebrun Signed-off-by: Andi Shyti commit f3d87abe11ed04d1b23a474a212f0e5deeb50892 Author: Joe Hattori Date: Tue Dec 3 11:34:42 2024 +0900 mmc: mtk-sd: disable wakeup in .remove() and in the error path of .probe() Current implementation leaves pdev->dev as a wakeup source. Add a device_init_wakeup(&pdev->dev, false) call in the .remove() function and in the error path of the .probe() function. Signed-off-by: Joe Hattori Fixes: 527f36f5efa4 ("mmc: mediatek: add support for SDIO eint wakup IRQ") Cc: stable@vger.kernel.org Message-ID: <20241203023442.2434018-1-joe@pf.is.s.u-tokyo.ac.jp> Signed-off-by: Ulf Hansson commit a56335c85b592cb2833db0a71f7112b7d9f0d56b Author: Prathamesh Shete Date: Mon Dec 9 15:40:09 2024 +0530 mmc: sdhci-tegra: Remove SDHCI_QUIRK_BROKEN_ADMA_ZEROLEN_DESC quirk Value 0 in ADMA length descriptor is interpreted as 65536 on new Tegra chips, remove SDHCI_QUIRK_BROKEN_ADMA_ZEROLEN_DESC quirk to make sure max ADMA2 length is 65536. Fixes: 4346b7c7941d ("mmc: tegra: Add Tegra186 support") Cc: stable@vger.kernel.org Signed-off-by: Prathamesh Shete Acked-by: Thierry Reding Acked-by: Adrian Hunter Message-ID: <20241209101009.22710-1-pshete@nvidia.com> Signed-off-by: Ulf Hansson commit 7363f2d4c18557c99c536b70489187bb4e05c412 Author: Vladimir Riabchun Date: Sat Dec 7 00:19:34 2024 +0100 i2c: pnx: Fix timeout in wait functions Since commit f63b94be6942 ("i2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr") jiffies are stored in i2c_pnx_algo_data.timeout, but wait_timeout and wait_reset are still using it as milliseconds. Convert jiffies back to milliseconds to wait for the expected amount of time. Fixes: f63b94be6942 ("i2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr") Signed-off-by: Vladimir Riabchun Signed-off-by: Andi Shyti commit 41856638e6c4ed51d8aa9e54f70059d1e357b46e Author: Heiko Carstens Date: Fri Nov 29 17:39:27 2024 +0100 s390/mm: Fix DirectMap accounting With uncoupling of physical and virtual address spaces population of the identity mapping was changed to use the type POPULATE_IDENTITY instead of POPULATE_DIRECT. This breaks DirectMap accounting: > cat /proc/meminfo DirectMap4k: 55296 kB DirectMap1M: 18446744073709496320 kB Adjust all locations of update_page_count() in vmem.c to use POPULATE_IDENTITY instead of POPULATE_DIRECT as well. With this accounting is correct again: > cat /proc/meminfo DirectMap4k: 54264 kB DirectMap1M: 8334336 kB Fixes: c98d2ecae08f ("s390/mm: Uncouple physical vs virtual address spaces") Cc: stable@vger.kernel.org Reviewed-by: Alexander Gordeev Signed-off-by: Heiko Carstens Signed-off-by: Alexander Gordeev commit 51a00be6a0994da2ba6b4ace3b7a0d9373b4b25e Author: Paolo Abeni Date: Fri Dec 6 16:49:14 2024 +0100 udp: fix l4 hash after reconnect After the blamed commit below, udp_rehash() is supposed to be called with both local and remote addresses set. Currently that is already the case for IPv6 sockets, but for IPv4 the destination address is updated after rehashing. Address the issue moving the destination address and port initialization before rehashing. Fixes: 1b29a730ef8b ("ipv6/udp: Add 4-tuple hash for connected socket") Reviewed-by: Eric Dumazet Link: https://patch.msgid.link/4761e466ab9f7542c68cdc95f248987d127044d2.1733499715.git.pabeni@redhat.com Signed-off-by: Paolo Abeni commit 360c400d0f568636c1b98d1d5f9f49aa3d420c70 Author: Shin'ichiro Kawasaki Date: Thu Nov 28 09:28:36 2024 +0900 p2sb: Do not scan and remove the P2SB device when it is unhidden When drivers access P2SB device resources, it calls p2sb_bar(). Before the commit 5913320eb0b3 ("platform/x86: p2sb: Allow p2sb_bar() calls during PCI device probe"), p2sb_bar() obtained the resources and then called pci_stop_and_remove_bus_device() for clean up. Then the P2SB device disappeared. The commit 5913320eb0b3 introduced the P2SB device resource cache feature in the boot process. During the resource cache, pci_stop_and_remove_bus_device() is called for the P2SB device, then the P2SB device disappears regardless of whether p2sb_bar() is called or not. Such P2SB device disappearance caused a confusion [1]. To avoid the confusion, avoid the pci_stop_and_remove_bus_device() call when the BIOS does not hide the P2SB device. For that purpose, cache the P2SB device resources only if the BIOS hides the P2SB device. Call p2sb_scan_and_cache() only if p2sb_hidden_by_bios is true. This allows removing two branches from p2sb_scan_and_cache(). When p2sb_bar() is called, get the resources from the cache if the P2SB device is hidden. Otherwise, read the resources from the unhidden P2SB device. Reported-by: Daniel Walker (danielwa) Closes: https://lore.kernel.org/lkml/ZzTI+biIUTvFT6NC@goliath/ [1] Fixes: 5913320eb0b3 ("platform/x86: p2sb: Allow p2sb_bar() calls during PCI device probe") Signed-off-by: Shin'ichiro Kawasaki Reviewed-by: Hans de Goede Link: https://lore.kernel.org/r/20241128002836.373745-5-shinichiro.kawasaki@wdc.com Reviewed-by: Ilpo Järvinen Signed-off-by: Ilpo Järvinen commit 0286070c74ee48391fc07f7f617460479472d221 Author: Shin'ichiro Kawasaki Date: Thu Nov 28 09:28:35 2024 +0900 p2sb: Move P2SB hide and unhide code to p2sb_scan_and_cache() To prepare for the following fix, move the code to hide and unhide the P2SB device from p2sb_cache_resources() to p2sb_scan_and_cache(). Signed-off-by: Shin'ichiro Kawasaki Reviewed-by: Hans de Goede Link: https://lore.kernel.org/r/20241128002836.373745-4-shinichiro.kawasaki@wdc.com Reviewed-by: Ilpo Järvinen Signed-off-by: Ilpo Järvinen commit ae3e6ebc5ab046d434c05c58a3e3f7e94441fec2 Author: Shin'ichiro Kawasaki Date: Thu Nov 28 09:28:34 2024 +0900 p2sb: Introduce the global flag p2sb_hidden_by_bios To prepare for the following fix, introduce the global flag p2sb_hidden_by_bios. Check if the BIOS hides the P2SB device and store the result in the flag. This allows to refer to the check result across functions. Signed-off-by: Shin'ichiro Kawasaki Reviewed-by: Hans de Goede Link: https://lore.kernel.org/r/20241128002836.373745-3-shinichiro.kawasaki@wdc.com Reviewed-by: Ilpo Järvinen Signed-off-by: Ilpo Järvinen commit 9244524d60ddea55f4df54c51200e8fef2032447 Author: Shin'ichiro Kawasaki Date: Thu Nov 28 09:28:33 2024 +0900 p2sb: Factor out p2sb_read_from_cache() To prepare for the following fix, factor out the code to read the P2SB resource from the cache to the new function p2sb_read_from_cache(). Signed-off-by: Shin'ichiro Kawasaki Reviewed-by: Hans de Goede Link: https://lore.kernel.org/r/20241128002836.373745-2-shinichiro.kawasaki@wdc.com Reviewed-by: Ilpo Järvinen Signed-off-by: Ilpo Järvinen commit 54a8cada2f3d7efb4a7920807473d89c442d9c45 Author: Kurt Borja Date: Sat Dec 7 21:30:15 2024 -0300 alienware-wmi: Adds support to Alienware m16 R1 AMD Adds support to Alienware m16 R1 AMD. Tested-by: Cihan Ozakca Signed-off-by: Kurt Borja Reviewed-by: Armin Wolf Link: https://lore.kernel.org/r/20241208003013.6490-3-kuurtb@gmail.com Reviewed-by: Ilpo Järvinen Signed-off-by: Ilpo Järvinen commit c1043cdb019ed4d053d673e62b553a5cea1a287d Author: Kurt Borja Date: Sat Dec 7 21:26:55 2024 -0300 alienware-wmi: Fix X Series and G Series quirks Devices that are known to support the WMI thermal interface do not support the legacy LED control interface. Make `.num_zones = 0` and avoid calling alienware_zone_init() if that's the case. Fixes: 9f6c43041552 ("alienware-wmi: added platform profile support") Fixes: 1c1eb70e7d23 ("alienware-wmi: extends the list of supported models") Suggested-by: Armin Wolf Reviewed-by: Armin Wolf Signed-off-by: Kurt Borja Link: https://lore.kernel.org/r/20241208002652.5885-4-kuurtb@gmail.com Reviewed-by: Ilpo Järvinen Signed-off-by: Ilpo Järvinen commit 3154bddf8cf2112cf63918b8ab867efe80403208 Merge: fac04efc5c793d be7e611274224b Author: Paolo Bonzini Date: Tue Dec 10 08:50:55 2024 -0500 Merge tag 'kvmarm-fixes-6.13-2' of https://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm into HEAD KVM/arm64 fixes for 6.13, part #2 - Fix confusion with implicitly-shifted MDCR_EL2 masks breaking SPE/TRBE initialization - Align nested page table walker with the intended memory attribute combining rules of the architecture - Prevent userspace from constraining the advertised ASID width, avoiding horrors of guest TLBIs not matching the intended context in hardware - Don't leak references on LPIs when insertion into the translation cache fails commit 687630aa582acf674120c87350beb01d836c837c Author: Stephen Gordon Date: Sat Dec 7 23:22:56 2024 +1100 ASoC: audio-graph-card: Call of_node_put() on correct node Signed-off-by: Stephen Gordon Acked-by: Kuninori Morimoto Link: https://patch.msgid.link/20241207122257.165096-1-gordoste@iinet.net.au Signed-off-by: Mark Brown commit 984795e76def5c903724b8d6a8228e356bbdf2af Author: Venkata Prasad Potturu Date: Tue Dec 10 14:40:25 2024 +0530 ASoC: amd: yc: Fix the wrong return value With the current implementation, when ACP driver fails to read ACPI _WOV entry then the DMI overrides code won't invoke, may cause regressions for some BIOS versions. Add a condition check to jump to check the DMI entries incase of ACP driver fail to read ACPI _WOV method. Fixes: 4095cf872084 (ASoC: amd: yc: Fix for enabling DMIC on acp6x via _DSD entry) Signed-off-by: Venkata Prasad Potturu Link: https://patch.msgid.link/20241210091026.996860-1-venkataprasad.potturu@amd.com Signed-off-by: Mark Brown commit c8f8d4344d50d72181207ee73175bba567c25f58 Author: Geert Uytterhoeven Date: Thu Dec 5 14:04:26 2024 +0100 openrisc: Fix misalignments in head.S Align all line continuations and (sub)section headers in a consistent way. Signed-off-by: Geert Uytterhoeven Signed-off-by: Stafford Horne commit a412f04070e52e6d6b5f6f964b9d9644de16bb81 Author: Masahiro Yamada Date: Mon Dec 2 15:28:22 2024 +0900 openrisc: place exception table at the head of vmlinux Since commit 0043ecea2399 ("vmlinux.lds.h: Adjust symbol ordering in text output section"), the exception table in arch/openrisc/kernel/head.S is no longer positioned at the very beginning of the kernel image, which causes a boot failure. Currently, the exception table resides in the regular .text section. Previously, it was placed at the head by relying on the linker receiving arch/openrisc/kernel/head.o as the first object. However, this behavior has changed because sections like .text.{asan,unknown,unlikely,hot} now precede the regular .text section. The .head.text section is intended for entry points requiring special placement. However, in OpenRISC, this section has been misused: instead of the entry points, it contains boot code meant to be discarded after booting. This feature is typically handled by the .init.text section. This commit addresses the issue by replacing the current __HEAD marker with __INIT and re-annotating the entry points with __HEAD. Additionally, it adds __REF to entry.S to suppress the following modpost warning: WARNING: modpost: vmlinux: section mismatch in reference: _tng_kernel_start+0x70 (section: .text) -> _start (section: .init.text) Fixes: 0043ecea2399 ("vmlinux.lds.h: Adjust symbol ordering in text output section") Reported-by: Guenter Roeck Closes: https://lore.kernel.org/all/5e032233-5b65-4ad5-ac50-d2eb6c00171c@roeck-us.net/#t Signed-off-by: Masahiro Yamada Tested-by: Guenter Roeck Reviewed-by: Rong Xu Signed-off-by: Stafford Horne commit b2e538a9827dd04ab5273bf4be8eb2edb84357b0 Author: Takashi Iwai Date: Mon Dec 9 10:56:12 2024 +0100 ALSA: control: Avoid WARN() for symlink errors Using WARN() for showing the error of symlink creations don't give more information than telling that something goes wrong, since the usual code path is a lregister callback from each control element creation. More badly, the use of WARN() rather confuses fuzzer as if it were serious issues. This patch downgrades the warning messages to use the normal dev_err() instead of WARN(). For making it clearer, add the function name to the prefix, too. Fixes: a135dfb5de15 ("ALSA: led control - add sysfs kcontrol LED marking layer") Reported-by: syzbot+4e7919b09c67ffd198ae@syzkaller.appspotmail.com Closes: https://lore.kernel.org/675664c7.050a0220.a30f1.018c.GAE@google.com Link: https://patch.msgid.link/20241209095614.4273-1-tiwai@suse.de Signed-off-by: Takashi Iwai commit 9ac4b58fcef0f9fc03fa6e126a5f53c1c71ada8a Author: Uwe Kleine-König Date: Tue Dec 3 18:26:30 2024 +0100 gpio: idio-16: Actually make use of the GPIO_IDIO_16 symbol namespace DEFAULT_SYMBOL_NAMESPACE must already be defined when is included. So move the define above the include block. Fixes: b9b1fc1ae119 ("gpio: idio-16: Introduce the ACCES IDIO-16 GPIO library module") Signed-off-by: Uwe Kleine-König Acked-by: William Breathitt Gray Link: https://lore.kernel.org/r/20241203172631.1647792-2-u.kleine-koenig@baylibre.com Signed-off-by: Bartosz Golaszewski commit dd4d315f38272688edea0611a11cadf6a445f61a Merge: 0bb18e34abdde7 fac04efc5c793d Author: Bartosz Golaszewski Date: Tue Dec 10 11:38:38 2024 +0100 Merge tag 'v6.13-rc2' into gpio/for-current Linux 6.13-rc2 commit 00301ef4b26d551141c96efeebff40904241f594 Merge: af47a328e8130c 76a771ec4c9adf Author: Paolo Abeni Date: Tue Dec 10 11:22:21 2024 +0100 Merge branch 'virtio_net-correct-netdev_tx_reset_queue-invocation-points' Koichiro Den says: ==================== virtio_net: correct netdev_tx_reset_queue() invocation points When virtnet_close is followed by virtnet_open, some TX completions can possibly remain unconsumed, until they are finally processed during the first NAPI poll after the netdev_tx_reset_queue(), resulting in a crash [1]. Commit b96ed2c97c79 ("virtio_net: move netdev_tx_reset_queue() call before RX napi enable") was not sufficient to eliminate all BQL crash scenarios for virtio-net. This issue can be reproduced with the latest net-next master by running: `while :; do ip l set DEV down; ip l set DEV up; done` under heavy network TX load from inside the machine. This patch series resolves the issue and also addresses similar existing problems: (a). Drop netdev_tx_reset_queue() from open/close path. This eliminates the BQL crashes due to the problematic open/close path. (b). As a result of (a), netdev_tx_reset_queue() is now explicitly required in freeze/restore path. Add netdev_tx_reset_queue() immediately after free_unused_bufs() invocation. (c). Fix missing resetting in virtnet_tx_resize(). virtnet_tx_resize() has lacked proper resetting since commit c8bd1f7f3e61 ("virtio_net: add support for Byte Queue Limits"). (d). Fix missing resetting in the XDP_SETUP_XSK_POOL path. Similar to (c), this path lacked proper resetting. Call netdev_tx_reset_queue() when virtqueue_reset() has actually recycled unused buffers. This patch series consists of six commits: [1/6]: Resolves (a) and (b). # also -stable 6.11.y [2/6]: Minor fix to make [4/6] streamlined. [3/6]: Prerequisite for (c). # also -stable 6.11.y [4/6]: Resolves (c) (incl. Prerequisite for (d)) # also -stable 6.11.y [5/6]: Preresuisite for (d). [6/6]: Resolves (d). Changes for v4: - move netdev_tx_reset_queue() out of free_unused_bufs() - submit to net, not net-next Changes for v3: - replace 'flushed' argument with 'recycle_done' Changes for v2: - add tx queue resetting for (b) to (d) above v3: https://lore.kernel.org/all/20241204050724.307544-1-koichiro.den@canonical.com/ v2: https://lore.kernel.org/all/20241203073025.67065-1-koichiro.den@canonical.com/ v1: https://lore.kernel.org/all/20241130181744.3772632-1-koichiro.den@canonical.com/ [1]: ------------[ cut here ]------------ kernel BUG at lib/dynamic_queue_limits.c:99! Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 7 UID: 0 PID: 1598 Comm: ip Tainted: G N 6.12.0net-next_main+ #2 Tainted: [N]=TEST Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), \ BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 RIP: 0010:dql_completed+0x26b/0x290 Code: b7 c2 49 89 e9 44 89 da 89 c6 4c 89 d7 e8 ed 17 47 00 58 65 ff 0d 4d 27 90 7e 0f 85 fd fe ff ff e8 ea 53 8d ff e9 f3 fe ff ff <0f> 0b 01 d2 44 89 d1 29 d1 ba 00 00 00 00 0f 48 ca e9 28 ff ff ff RSP: 0018:ffffc900002b0d08 EFLAGS: 00010297 RAX: 0000000000000000 RBX: ffff888102398c80 RCX: 0000000080190009 RDX: 0000000000000000 RSI: 000000000000006a RDI: 0000000000000000 RBP: ffff888102398c00 R08: 0000000000000000 R09: 0000000000000000 R10: 00000000000000ca R11: 0000000000015681 R12: 0000000000000001 R13: ffffc900002b0d68 R14: ffff88811115e000 R15: ffff8881107aca40 FS: 00007f41ded69500(0000) GS:ffff888667dc0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000556ccc2dc1a0 CR3: 0000000104fd8003 CR4: 0000000000772ef0 PKRU: 55555554 Call Trace: ? die+0x32/0x80 ? do_trap+0xd9/0x100 ? dql_completed+0x26b/0x290 ? dql_completed+0x26b/0x290 ? do_error_trap+0x6d/0xb0 ? dql_completed+0x26b/0x290 ? exc_invalid_op+0x4c/0x60 ? dql_completed+0x26b/0x290 ? asm_exc_invalid_op+0x16/0x20 ? dql_completed+0x26b/0x290 __free_old_xmit+0xff/0x170 [virtio_net] free_old_xmit+0x54/0xc0 [virtio_net] virtnet_poll+0xf4/0xe30 [virtio_net] ? __update_load_avg_cfs_rq+0x264/0x2d0 ? update_curr+0x35/0x260 ? reweight_entity+0x1be/0x260 __napi_poll.constprop.0+0x28/0x1c0 net_rx_action+0x329/0x420 ? enqueue_hrtimer+0x35/0x90 ? trace_hardirqs_on+0x1d/0x80 ? kvm_sched_clock_read+0xd/0x20 ? sched_clock+0xc/0x30 ? kvm_sched_clock_read+0xd/0x20 ? sched_clock+0xc/0x30 ? sched_clock_cpu+0xd/0x1a0 handle_softirqs+0x138/0x3e0 do_softirq.part.0+0x89/0xc0 __local_bh_enable_ip+0xa7/0xb0 virtnet_open+0xc8/0x310 [virtio_net] __dev_open+0xfa/0x1b0 __dev_change_flags+0x1de/0x250 dev_change_flags+0x22/0x60 do_setlink.isra.0+0x2df/0x10b0 ? rtnetlink_rcv_msg+0x34f/0x3f0 ? netlink_rcv_skb+0x54/0x100 ? netlink_unicast+0x23e/0x390 ? netlink_sendmsg+0x21e/0x490 ? ____sys_sendmsg+0x31b/0x350 ? avc_has_perm_noaudit+0x67/0xf0 ? cred_has_capability.isra.0+0x75/0x110 ? __nla_validate_parse+0x5f/0xee0 ? __pfx___probestub_irq_enable+0x3/0x10 ? __create_object+0x5e/0x90 ? security_capable+0x3b/0x70 rtnl_newlink+0x784/0xaf0 ? avc_has_perm_noaudit+0x67/0xf0 ? cred_has_capability.isra.0+0x75/0x110 ? stack_depot_save_flags+0x24/0x6d0 ? __pfx_rtnl_newlink+0x10/0x10 rtnetlink_rcv_msg+0x34f/0x3f0 ? do_syscall_64+0x6c/0x180 ? entry_SYSCALL_64_after_hwframe+0x76/0x7e ? __pfx_rtnetlink_rcv_msg+0x10/0x10 netlink_rcv_skb+0x54/0x100 netlink_unicast+0x23e/0x390 netlink_sendmsg+0x21e/0x490 ____sys_sendmsg+0x31b/0x350 ? copy_msghdr_from_user+0x6d/0xa0 ___sys_sendmsg+0x86/0xd0 ? __pte_offset_map+0x17/0x160 ? preempt_count_add+0x69/0xa0 ? __call_rcu_common.constprop.0+0x147/0x610 ? preempt_count_add+0x69/0xa0 ? preempt_count_add+0x69/0xa0 ? _raw_spin_trylock+0x13/0x60 ? trace_hardirqs_on+0x1d/0x80 __sys_sendmsg+0x66/0xc0 do_syscall_64+0x6c/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f41defe5b34 Code: 15 e1 12 0f 00 f7 d8 64 89 02 b8 ff ff ff ff eb bf 0f 1f 44 00 00 f3 0f 1e fa 80 3d 35 95 0f 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 4c c3 0f 1f 00 55 48 89 e5 48 83 ec 20 89 55 RSP: 002b:00007ffe5336ecc8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f41defe5b34 RDX: 0000000000000000 RSI: 00007ffe5336ed30 RDI: 0000000000000003 RBP: 00007ffe5336eda0 R08: 0000000000000010 R09: 0000000000000001 R10: 00007ffe5336f6f9 R11: 0000000000000202 R12: 0000000000000003 R13: 0000000067452259 R14: 0000556ccc28b040 R15: 0000000000000000 [...] ==================== Link: https://patch.msgid.link/20241206011047.923923-1-koichiro.den@canonical.com Signed-off-by: Paolo Abeni commit 76a771ec4c9adfd75fe53c8505cf656a075d7101 Author: Koichiro Den Date: Fri Dec 6 10:10:47 2024 +0900 virtio_net: ensure netdev_tx_reset_queue is called on bind xsk for tx virtnet_sq_bind_xsk_pool() flushes tx skbs and then resets tx queue, so DQL counters need to be reset when flushing has actually occurred, Add virtnet_sq_free_unused_buf_done() as a callback for virtqueue_resize() to handle this. Fixes: 21a4e3ce6dc7 ("virtio_net: xsk: bind/unbind xsk for tx") Signed-off-by: Koichiro Den Acked-by: Jason Wang Reviewed-by: Xuan Zhuo Signed-off-by: Paolo Abeni commit 8d2da07c813ad333c20eb803e15f8c4541f25350 Author: Koichiro Den Date: Fri Dec 6 10:10:46 2024 +0900 virtio_ring: add a func argument 'recycle_done' to virtqueue_reset() When virtqueue_reset() has actually recycled all unused buffers, additional work may be required in some cases. Relying solely on its return status is fragile, so introduce a new function argument 'recycle_done', which is invoked when it really occurs. Signed-off-by: Koichiro Den Acked-by: Jason Wang Reviewed-by: Xuan Zhuo Signed-off-by: Paolo Abeni commit 1480f0f61b675567ca5d0943d6ef2e39172dcafd Author: Koichiro Den Date: Fri Dec 6 10:10:45 2024 +0900 virtio_net: ensure netdev_tx_reset_queue is called on tx ring resize virtnet_tx_resize() flushes remaining tx skbs, requiring DQL counters to be reset when flushing has actually occurred. Add virtnet_sq_free_unused_buf_done() as a callback for virtqueue_reset() to handle this. Fixes: c8bd1f7f3e61 ("virtio_net: add support for Byte Queue Limits") Cc: # v6.11+ Signed-off-by: Koichiro Den Acked-by: Jason Wang Reviewed-by: Xuan Zhuo Signed-off-by: Paolo Abeni commit 8d6712c892019b9b9dc5c7039edd3c9d770b510b Author: Koichiro Den Date: Fri Dec 6 10:10:44 2024 +0900 virtio_ring: add a func argument 'recycle_done' to virtqueue_resize() When virtqueue_resize() has actually recycled all unused buffers, additional work may be required in some cases. Relying solely on its return status is fragile, so introduce a new function argument 'recycle_done', which is invoked when the recycle really occurs. Cc: # v6.11+ Signed-off-by: Koichiro Den Acked-by: Jason Wang Reviewed-by: Xuan Zhuo Signed-off-by: Paolo Abeni commit 4571dc7272b22cf35c7a5a1b14d3b036a2fefdc5 Author: Koichiro Den Date: Fri Dec 6 10:10:43 2024 +0900 virtio_net: replace vq2rxq with vq2txq where appropriate While not harmful, using vq2rxq where it's always sq appears odd. Replace it with the more appropriate vq2txq for clarity and correctness. Fixes: 89f86675cb03 ("virtio_net: xsk: tx: support xmit xsk buffer") Signed-off-by: Koichiro Den Acked-by: Jason Wang Reviewed-by: Xuan Zhuo Signed-off-by: Paolo Abeni commit 3ddccbefebdbe0c4c72a248676e4d39ac66a8e26 Author: Koichiro Den Date: Fri Dec 6 10:10:42 2024 +0900 virtio_net: correct netdev_tx_reset_queue() invocation point When virtnet_close is followed by virtnet_open, some TX completions can possibly remain unconsumed, until they are finally processed during the first NAPI poll after the netdev_tx_reset_queue(), resulting in a crash [1]. Commit b96ed2c97c79 ("virtio_net: move netdev_tx_reset_queue() call before RX napi enable") was not sufficient to eliminate all BQL crash cases for virtio-net. This issue can be reproduced with the latest net-next master by running: `while :; do ip l set DEV down; ip l set DEV up; done` under heavy network TX load from inside the machine. netdev_tx_reset_queue() can actually be dropped from virtnet_open path; the device is not stopped in any case. For BQL core part, it's just like traffic nearly ceases to exist for some period. For stall detector added to BQL, even if virtnet_close could somehow lead to some TX completions delayed for long, followed by virtnet_open, we can just take it as stall as mentioned in commit 6025b9135f7a ("net: dqs: add NIC stall detector based on BQL"). Note also that users can still reset stall_max via sysfs. So, drop netdev_tx_reset_queue() from virtnet_enable_queue_pair(). This eliminates the BQL crashes. As a result, netdev_tx_reset_queue() is now explicitly required in freeze/restore path. This patch adds it to immediately after free_unused_bufs(), following the rule of thumb: netdev_tx_reset_queue() should follow any SKB freeing not followed by netdev_tx_completed_queue(). This seems the most consistent and streamlined approach, and now netdev_tx_reset_queue() runs whenever free_unused_bufs() is done. [1]: ------------[ cut here ]------------ kernel BUG at lib/dynamic_queue_limits.c:99! Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 7 UID: 0 PID: 1598 Comm: ip Tainted: G N 6.12.0net-next_main+ #2 Tainted: [N]=TEST Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), \ BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 RIP: 0010:dql_completed+0x26b/0x290 Code: b7 c2 49 89 e9 44 89 da 89 c6 4c 89 d7 e8 ed 17 47 00 58 65 ff 0d 4d 27 90 7e 0f 85 fd fe ff ff e8 ea 53 8d ff e9 f3 fe ff ff <0f> 0b 01 d2 44 89 d1 29 d1 ba 00 00 00 00 0f 48 ca e9 28 ff ff ff RSP: 0018:ffffc900002b0d08 EFLAGS: 00010297 RAX: 0000000000000000 RBX: ffff888102398c80 RCX: 0000000080190009 RDX: 0000000000000000 RSI: 000000000000006a RDI: 0000000000000000 RBP: ffff888102398c00 R08: 0000000000000000 R09: 0000000000000000 R10: 00000000000000ca R11: 0000000000015681 R12: 0000000000000001 R13: ffffc900002b0d68 R14: ffff88811115e000 R15: ffff8881107aca40 FS: 00007f41ded69500(0000) GS:ffff888667dc0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000556ccc2dc1a0 CR3: 0000000104fd8003 CR4: 0000000000772ef0 PKRU: 55555554 Call Trace: ? die+0x32/0x80 ? do_trap+0xd9/0x100 ? dql_completed+0x26b/0x290 ? dql_completed+0x26b/0x290 ? do_error_trap+0x6d/0xb0 ? dql_completed+0x26b/0x290 ? exc_invalid_op+0x4c/0x60 ? dql_completed+0x26b/0x290 ? asm_exc_invalid_op+0x16/0x20 ? dql_completed+0x26b/0x290 __free_old_xmit+0xff/0x170 [virtio_net] free_old_xmit+0x54/0xc0 [virtio_net] virtnet_poll+0xf4/0xe30 [virtio_net] ? __update_load_avg_cfs_rq+0x264/0x2d0 ? update_curr+0x35/0x260 ? reweight_entity+0x1be/0x260 __napi_poll.constprop.0+0x28/0x1c0 net_rx_action+0x329/0x420 ? enqueue_hrtimer+0x35/0x90 ? trace_hardirqs_on+0x1d/0x80 ? kvm_sched_clock_read+0xd/0x20 ? sched_clock+0xc/0x30 ? kvm_sched_clock_read+0xd/0x20 ? sched_clock+0xc/0x30 ? sched_clock_cpu+0xd/0x1a0 handle_softirqs+0x138/0x3e0 do_softirq.part.0+0x89/0xc0 __local_bh_enable_ip+0xa7/0xb0 virtnet_open+0xc8/0x310 [virtio_net] __dev_open+0xfa/0x1b0 __dev_change_flags+0x1de/0x250 dev_change_flags+0x22/0x60 do_setlink.isra.0+0x2df/0x10b0 ? rtnetlink_rcv_msg+0x34f/0x3f0 ? netlink_rcv_skb+0x54/0x100 ? netlink_unicast+0x23e/0x390 ? netlink_sendmsg+0x21e/0x490 ? ____sys_sendmsg+0x31b/0x350 ? avc_has_perm_noaudit+0x67/0xf0 ? cred_has_capability.isra.0+0x75/0x110 ? __nla_validate_parse+0x5f/0xee0 ? __pfx___probestub_irq_enable+0x3/0x10 ? __create_object+0x5e/0x90 ? security_capable+0x3b/0x70 rtnl_newlink+0x784/0xaf0 ? avc_has_perm_noaudit+0x67/0xf0 ? cred_has_capability.isra.0+0x75/0x110 ? stack_depot_save_flags+0x24/0x6d0 ? __pfx_rtnl_newlink+0x10/0x10 rtnetlink_rcv_msg+0x34f/0x3f0 ? do_syscall_64+0x6c/0x180 ? entry_SYSCALL_64_after_hwframe+0x76/0x7e ? __pfx_rtnetlink_rcv_msg+0x10/0x10 netlink_rcv_skb+0x54/0x100 netlink_unicast+0x23e/0x390 netlink_sendmsg+0x21e/0x490 ____sys_sendmsg+0x31b/0x350 ? copy_msghdr_from_user+0x6d/0xa0 ___sys_sendmsg+0x86/0xd0 ? __pte_offset_map+0x17/0x160 ? preempt_count_add+0x69/0xa0 ? __call_rcu_common.constprop.0+0x147/0x610 ? preempt_count_add+0x69/0xa0 ? preempt_count_add+0x69/0xa0 ? _raw_spin_trylock+0x13/0x60 ? trace_hardirqs_on+0x1d/0x80 __sys_sendmsg+0x66/0xc0 do_syscall_64+0x6c/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f41defe5b34 Code: 15 e1 12 0f 00 f7 d8 64 89 02 b8 ff ff ff ff eb bf 0f 1f 44 00 00 f3 0f 1e fa 80 3d 35 95 0f 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 4c c3 0f 1f 00 55 48 89 e5 48 83 ec 20 89 55 RSP: 002b:00007ffe5336ecc8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f41defe5b34 RDX: 0000000000000000 RSI: 00007ffe5336ed30 RDI: 0000000000000003 RBP: 00007ffe5336eda0 R08: 0000000000000010 R09: 0000000000000001 R10: 00007ffe5336f6f9 R11: 0000000000000202 R12: 0000000000000003 R13: 0000000067452259 R14: 0000556ccc28b040 R15: 0000000000000000 [...] Fixes: c8bd1f7f3e61 ("virtio_net: add support for Byte Queue Limits") Cc: # v6.11+ Signed-off-by: Koichiro Den Acked-by: Jason Wang Reviewed-by: Xuan Zhuo [ pabeni: trimmed possibly troublesome separator ] Signed-off-by: Paolo Abeni commit efb113fc30e7b805f7375d269b93bb4593d11d97 Author: Arnd Bergmann Date: Fri Nov 15 17:23:10 2024 +0100 drm: rework FB_CORE dependency The 'select FB_CORE' statement moved from CONFIG_DRM to DRM_CLIENT_LIB, but there are now configurations that have code calling into fb_core as built-in even though the client_lib itself is a loadable module: x86_64-linux-ld: drivers/gpu/drm/drm_fbdev_shmem.o: in function `drm_fbdev_shmem_driver_fbdev_probe': drm_fbdev_shmem.c:(.text+0x1fc): undefined reference to `fb_deferred_io_init' x86_64-linux-ld: drivers/gpu/drm/drm_fbdev_shmem.o: in function `drm_fbdev_shmem_fb_destroy': drm_fbdev_shmem.c:(.text+0x2e1): undefined reference to `fb_deferred_io_cleanup' In addition to DRM_CLIENT_LIB, the 'select' needs to be at least in two more parts, DRM_KMS_HELPER and DRM_GEM_SHMEM_HELPER, so add those here. v3: - Remove FB_CORE from DRM_KMS_HELPER to avoid circular dependency Fixes: dadd28d4142f ("drm/client: Add client-lib module") Signed-off-by: Arnd Bergmann Reviewed-by: Thomas Zimmermann Signed-off-by: Thomas Zimmermann Link: https://patchwork.freedesktop.org/patch/msgid/20241115162323.3555229-1-arnd@kernel.org commit 0bb18e34abdde7bf58fca8542e2dcf621924ea19 Author: Alan Borzeszkowski Date: Wed Dec 4 09:04:15 2024 +0200 gpio: graniterapids: Fix GPIO Ack functionality Interrupt status (GPI_IS) register is cleared by writing 1 to it, not 0. Cc: stable@vger.kernel.org Signed-off-by: Alan Borzeszkowski Signed-off-by: Mika Westerberg Acked-by: Andy Shevchenko Link: https://lore.kernel.org/r/20241204070415.1034449-8-mika.westerberg@linux.intel.com Signed-off-by: Bartosz Golaszewski commit c0ec4890d6454980c53c3cc164140115c4a671f2 Author: Alan Borzeszkowski Date: Wed Dec 4 09:04:14 2024 +0200 gpio: graniterapids: Check if GPIO line can be used for IRQs GPIO line can only be used as interrupt if its INTSEL register is programmed by the BIOS. Cc: stable@vger.kernel.org Signed-off-by: Alan Borzeszkowski Signed-off-by: Mika Westerberg Acked-by: Andy Shevchenko Link: https://lore.kernel.org/r/20241204070415.1034449-7-mika.westerberg@linux.intel.com Signed-off-by: Bartosz Golaszewski commit 0588504d28dedde6789aec17a6ece6fa8e477725 Author: Alan Borzeszkowski Date: Wed Dec 4 09:04:13 2024 +0200 gpio: graniterapids: Determine if GPIO pad can be used by driver Add check of HOSTSW_MODE bit to determine if GPIO pad can be used by the driver. Cc: stable@vger.kernel.org Signed-off-by: Alan Borzeszkowski Signed-off-by: Mika Westerberg Acked-by: Andy Shevchenko Link: https://lore.kernel.org/r/20241204070415.1034449-6-mika.westerberg@linux.intel.com Signed-off-by: Bartosz Golaszewski commit 15636b00a055474033426b94b6372728b2163a1e Author: Shankar Bandal Date: Wed Dec 4 09:04:12 2024 +0200 gpio: graniterapids: Fix invalid RXEVCFG register bitmask Correct RX Level/Edge Configuration register (RXEVCFG) bitmask. Cc: stable@vger.kernel.org Signed-off-by: Shankar Bandal Signed-off-by: Alan Borzeszkowski Signed-off-by: Mika Westerberg Acked-by: Andy Shevchenko Link: https://lore.kernel.org/r/20241204070415.1034449-5-mika.westerberg@linux.intel.com Signed-off-by: Bartosz Golaszewski commit 0fe329b55231cca489f9bed1db0e778d077fdaf9 Author: Shankar Bandal Date: Wed Dec 4 09:04:11 2024 +0200 gpio: graniterapids: Fix invalid GPI_IS register offset Update GPI Interrupt Status register offset to correct value. Cc: stable@vger.kernel.org Signed-off-by: Shankar Bandal Signed-off-by: Alan Borzeszkowski Signed-off-by: Mika Westerberg Acked-by: Andy Shevchenko Link: https://lore.kernel.org/r/20241204070415.1034449-4-mika.westerberg@linux.intel.com Signed-off-by: Bartosz Golaszewski commit 7382d2f0e802077c36495e325da8d253a15fb441 Author: Alan Borzeszkowski Date: Wed Dec 4 09:04:10 2024 +0200 gpio: graniterapids: Fix incorrect BAR assignment Base Address of vGPIO MMIO register is provided directly by the BIOS instead of using offsets. Update address assignment to reflect this change in driver. Cc: stable@vger.kernel.org Signed-off-by: Alan Borzeszkowski Signed-off-by: Mika Westerberg Acked-by: Andy Shevchenko Link: https://lore.kernel.org/r/20241204070415.1034449-3-mika.westerberg@linux.intel.com Signed-off-by: Bartosz Golaszewski commit eb9640fd1ce666610b77f5997596e9570a36378f Author: Alan Borzeszkowski Date: Wed Dec 4 09:04:09 2024 +0200 gpio: graniterapids: Fix vGPIO driver crash Move setting irq_chip.name from probe() function to the initialization of "irq_chip" struct in order to fix vGPIO driver crash during bootup. Crash was caused by unauthorized modification of irq_chip.name field where irq_chip struct was initialized as const. This behavior is a consequence of suboptimal implementation of gpio_irq_chip_set_chip(), which should be changed to avoid casting away const qualifier. Crash log: BUG: unable to handle page fault for address: ffffffffc0ba81c0 /#PF: supervisor write access in kernel mode /#PF: error_code(0x0003) - permissions violation CPU: 33 UID: 0 PID: 1075 Comm: systemd-udevd Not tainted 6.12.0-rc6-00077-g2e1b3cc9d7f7 #1 Hardware name: Intel Corporation Kaseyville RP/Kaseyville RP, BIOS KVLDCRB1.PGS.0026.D73.2410081258 10/08/2024 RIP: 0010:gnr_gpio_probe+0x171/0x220 [gpio_graniterapids] Cc: stable@vger.kernel.org Signed-off-by: Alan Borzeszkowski Signed-off-by: Mika Westerberg Acked-by: Andy Shevchenko Link: https://lore.kernel.org/r/20241204070415.1034449-2-mika.westerberg@linux.intel.com Signed-off-by: Bartosz Golaszewski commit 91da87d38cca46be6f2f4f3c820f5d817c1866dc Author: Jason Gunthorpe Date: Thu Dec 5 20:13:42 2024 -0400 iommu/amd: Add lockdep asserts for domain->dev_list Add an assertion to all the iteration points that don't obviously have the lock held already. These all take the locker higher in their call chains. Signed-off-by: Jason Gunthorpe Reviewed-by: Vasant Hegde Link: https://lore.kernel.org/r/2-v1-3b9edcf8067d+3975-amd_dev_list_locking_jgg@nvidia.com Signed-off-by: Joerg Roedel commit 4a552f7890f0870f6d9fd4fbc6c05cea7bfd4503 Author: Jason Gunthorpe Date: Thu Dec 5 20:13:41 2024 -0400 iommu/amd: Put list_add/del(dev_data) back under the domain->lock The list domain->dev_list is protected by the domain->lock spinlock. Any iteration, addition or removal must be under the lock. Move the list_del() up into the critical section. pdom_is_sva_capable(), and destroy_gcr3_table() do not interact with the list element. Wrap the list_add() in a lock, it would make more sense if this was under the same critical section as adjusting the refcounts earlier, but that requires more complications. Fixes: d6b47dec3684 ("iommu/amd: Reduce domain lock scope in attach device path") Signed-off-by: Jason Gunthorpe Reviewed-by: Vasant Hegde Link: https://lore.kernel.org/r/1-v1-3b9edcf8067d+3975-amd_dev_list_locking_jgg@nvidia.com Signed-off-by: Joerg Roedel commit af47a328e8130c81984cbcd1f771fc4bb777bd0f Author: Geetha sowjanya Date: Thu Dec 5 17:04:35 2024 +0530 octeontx2-af: Fix installation of PF multicast rule Due to target variable is being reassigned in npc_install_flow() function, PF multicast rules are not getting installed. This patch addresses the issue by fixing the "IF" condition checks when rules are installed by AF. Fixes: 6c40ca957fe5 ("octeontx2-pf: Adds TC offload support"). Signed-off-by: Geetha sowjanya Reviewed-by: Simon Horman Link: https://patch.msgid.link/20241205113435.10601-1-gakula@marvell.com Signed-off-by: Paolo Abeni commit a4048c83fd87c65657a4acb17d639092d4b6133d Author: Anumula Murali Mohan Reddy Date: Tue Dec 3 19:30:53 2024 +0530 RDMA/core: Fix ENODEV error for iWARP test over vlan If traffic is over vlan, cma_validate_port() fails to match net_device ifindex with bound_if_index and results in ENODEV error. As iWARP gid table is static, it contains entry corresponding to only one net device which is either real netdev or vlan netdev for cases like siw attached to a vlan interface. This patch fixes the issue by assigning bound_if_index with net device index, if real net device obtained from bound if index matches with net device retrieved from gid table Fixes: f8ef1be816bf ("RDMA/cma: Avoid GID lookups on iWARP devices") Link: https://lore.kernel.org/all/ZzNgdrjo1kSCGbRz@chelsio.com/ Signed-off-by: Anumula Murali Mohan Reddy Signed-off-by: Potnuri Bharat Teja Link: https://patch.msgid.link/20241203140052.3985-1-anumula@chelsio.com Signed-off-by: Leon Romanovsky commit b7ffecbe198e2dfc44abf92ceb90f46150f7527a Author: Shakeel Butt Date: Mon Dec 9 20:06:57 2024 -0800 memcg: slub: fix SUnreclaim for post charged objects Large kmalloc directly allocates from the page allocator and then use lruvec_stat_mod_folio() to increment the unreclaimable slab stats for global and memcg. However when post memcg charging of slab objects was added in commit 9028cdeb38e1 ("memcg: add charging of already allocated slab objects"), it missed to correctly handle the unreclaimable slab stats for memcg. One user visisble effect of that bug is that the node level unreclaimable slab stat will work correctly but the memcg level stat can underflow as kernel correctly handles the free path but the charge path missed to increment the memcg level unreclaimable slab stat. Let's fix by correctly handle in the post charge code path. Fixes: 9028cdeb38e1 ("memcg: add charging of already allocated slab objects") Signed-off-by: Shakeel Butt Cc: Signed-off-by: Vlastimil Babka commit 8644b48714dca8bf2f42a4ff8311de8efc9bd8c3 Author: Mika Westerberg Date: Tue May 14 10:15:14 2024 +0300 thunderbolt: Add support for Intel Panther Lake-M/P Intel Panther Lake-M/P has the same integrated Thunderbolt/USB4 controller as Lunar Lake. Add these PCI IDs to the driver list of supported devices. Cc: stable@vger.kernel.org Signed-off-by: Mika Westerberg commit cd26cd65476711e2c69e0a049c0eeef4b743f5ac Author: Chenghai Huang Date: Sat Nov 30 16:01:31 2024 +0800 crypto: hisilicon/debugfs - fix the struct pointer incorrectly offset problem Offset based on (id * size) is wrong for sqc and cqc. (*sqc/*cqc + 1) can already offset sizeof(struct(Xqc)) length. Fixes: 15f112f9cef5 ("crypto: hisilicon/debugfs - mask the unnecessary info from the dump") Cc: Signed-off-by: Chenghai Huang Signed-off-by: Herbert Xu commit 8552cb04e0831df3ff265c75ad33f705a45bc731 Author: Herbert Xu Date: Fri Nov 29 17:53:16 2024 +0800 crypto: rsassa-pkcs1 - Copy source data for SG list As virtual addresses in general may not be suitable for DMA, always perform a copy before using them in an SG list. Fixes: 1e562deacecc ("crypto: rsassa-pkcs1 - Migrate to sig_alg backend") Reported-by: Zorro Lang Signed-off-by: Herbert Xu commit 919bfa9b2dbf3bc0c478afd4e44445836381dacb Author: K Prateek Nayak Date: Tue Dec 10 03:25:57 2024 +0000 cpufreq/amd-pstate: Detect preferred core support before driver registration Booting with amd-pstate on 3rd Generation EPYC system incorrectly enabled ITMT support despite the system not supporting Preferred Core ranking. amd_pstate_init_prefcore() called during amd_pstate*_cpu_init() requires "amd_pstate_prefcore" to be set correctly however the preferred core support is detected only after driver registration which is too late. Swap the function calls around to detect preferred core support before registring the driver via amd_pstate_register_driver(). This ensures amd_pstate*_cpu_init() sees the correct value of "amd_pstate_prefcore" considering the platform support. Fixes: 279f838a61f9 ("x86/amd: Detect preferred cores in amd_get_boost_ratio_numerator()") Fixes: ff2653ded4d9 ("cpufreq/amd-pstate: Move registration after static function call update") Signed-off-by: K Prateek Nayak Acked-by: Mario Limonciello Link: https://lore.kernel.org/r/20241210032557.754-1-kprateek.nayak@amd.com Signed-off-by: Mario Limonciello commit f103396ae31851d00b561ff9f8a32a441953ff8b Author: liuderong Date: Fri Dec 6 15:29:42 2024 +0800 scsi: ufs: core: Update compl_time_stamp_local_clock after completing a cqe lrbp->compl_time_stamp_local_clock is set to zero after sending a sqe but it is not updated after completing a cqe. Thus the printed information in ufshcd_print_tr() will always be zero. Update lrbp->cmpl_time_stamp_local_clock after completing a cqe. Log sample: ufshcd-qcom 1d84000.ufshc: UPIU[8] - issue time 8750227249 us ufshcd-qcom 1d84000.ufshc: UPIU[8] - complete time 0 us Fixes: c30d8d010b5e ("scsi: ufs: core: Prepare for completion in MCQ") Reviewed-by: Bean Huo Reviewed-by: Peter Wang Signed-off-by: liuderong Link: https://lore.kernel.org/r/1733470182-220841-1-git-send-email-liuderong@oppo.com Reviewed-by: Avri Altman Signed-off-by: Martin K. Petersen commit f136552b7ce3a03bf9c7a8baad78bed8056ed823 Merge: 356983f569c1f5 becc6399ce3b72 Author: Jakub Kicinski Date: Mon Dec 9 18:26:53 2024 -0800 Merge branch 'qca_spi-fix-spi-specific-issues' Stefan Wahren says: ==================== qca_spi: Fix SPI specific issues This small series address two annoying SPI specific issues of the qca_spi driver. ==================== Link: https://patch.msgid.link/20241206184643.123399-1-wahrenst@gmx.net Signed-off-by: Jakub Kicinski commit becc6399ce3b724cffe9ccb7ef0bff440bb1b62b Author: Stefan Wahren Date: Fri Dec 6 19:46:43 2024 +0100 qca_spi: Make driver probing reliable The module parameter qcaspi_pluggable controls if QCA7000 signature should be checked at driver probe (current default) or not. Unfortunately this could fail in case the chip is temporary in reset, which isn't under total control by the Linux host. So disable this check per default in order to avoid unexpected probe failures. Fixes: 291ab06ecf67 ("net: qualcomm: new Ethernet over SPI driver for QCA7000") Signed-off-by: Stefan Wahren Link: https://patch.msgid.link/20241206184643.123399-3-wahrenst@gmx.net Signed-off-by: Jakub Kicinski commit 4dba406fac06b009873fe7a28231b9b7e4288b09 Author: Stefan Wahren Date: Fri Dec 6 19:46:42 2024 +0100 qca_spi: Fix clock speed for multiple QCA7000 Storing the maximum clock speed in module parameter qcaspi_clkspeed has the unintended side effect that the first probed instance defines the value for all other instances. Fix this issue by storing it in max_speed_hz of the relevant SPI device. This fix keeps the priority of the speed parameter (module parameter, device tree property, driver default). Btw this uses the opportunity to get the rid of the unused member clkspeed. Fixes: 291ab06ecf67 ("net: qualcomm: new Ethernet over SPI driver for QCA7000") Signed-off-by: Stefan Wahren Link: https://patch.msgid.link/20241206184643.123399-2-wahrenst@gmx.net Signed-off-by: Jakub Kicinski commit c28dc9fc24f5fa802d44ef7620a511035bdd803e Author: Thomas Weißschuh Date: Sun Dec 8 15:59:28 2024 +0100 power: supply: cros_charge-control: hide start threshold on v2 cmd ECs implementing the v2 command will not stop charging when the end threshold is reached. Instead they will begin discharging until the start threshold is reached, leading to permanent charge and discharge cycles. This defeats the point of the charge control mechanism. Avoid the issue by hiding the start threshold on v2 systems. Instead on those systems program the EC with start == end which forces the EC to reach and stay at that level. v1 does not support thresholds and v3 works correctly, at least judging from the code. Reported-by: Thomas Koch Fixes: c6ed48ef5259 ("power: supply: add ChromeOS EC based charge control driver") Cc: stable@vger.kernel.org Signed-off-by: Thomas Weißschuh Link: https://lore.kernel.org/r/20241208-cros_charge-control-v2-v1-3-8d168d0f08a3@weissschuh.net Signed-off-by: Sebastian Reichel commit e65a1b7fad0e112573eea7d64d4ab4fc513b8695 Author: Thomas Weißschuh Date: Sun Dec 8 15:59:27 2024 +0100 power: supply: cros_charge-control: allow start_threshold == end_threshold Allow setting the start and stop thresholds to the same value. There is no reason to disallow it. Suggested-by: Thomas Koch Fixes: c6ed48ef5259 ("power: supply: add ChromeOS EC based charge control driver") Cc: stable@vger.kernel.org Signed-off-by: Thomas Weißschuh Link: https://lore.kernel.org/r/20241208-cros_charge-control-v2-v1-2-8d168d0f08a3@weissschuh.net Signed-off-by: Sebastian Reichel commit e5f84d1cf562f7b45e28d6e5f6490626f870f81c Author: Thomas Weißschuh Date: Sun Dec 8 15:59:26 2024 +0100 power: supply: cros_charge-control: add mutex for driver data Concurrent accesses through sysfs may lead to inconsistent state in the priv data. Introduce a mutex to avoid this. Fixes: c6ed48ef5259 ("power: supply: add ChromeOS EC based charge control driver") Cc: stable@vger.kernel.org Signed-off-by: Thomas Weißschuh Link: https://lore.kernel.org/r/20241208-cros_charge-control-v2-v1-1-8d168d0f08a3@weissschuh.net Signed-off-by: Sebastian Reichel commit afc6e39e824ad0e44b2af50a97885caec8d213d1 Author: Dimitri Fedrau Date: Mon Dec 9 11:46:15 2024 +0100 power: supply: gpio-charger: Fix set charge current limits Fix set charge current limits for devices which allow to set the lowest charge current limit to be greater zero. If requested charge current limit is below lowest limit, the index equals current_limit_map_size which leads to accessing memory beyond allocated memory. Fixes: be2919d8355e ("power: supply: gpio-charger: add charge-current-limit feature") Cc: stable@vger.kernel.org Signed-off-by: Dimitri Fedrau Link: https://lore.kernel.org/r/20241209-fix-charge-current-limit-v1-1-760d9b8f2af3@liebherr.com Signed-off-by: Sebastian Reichel commit 356983f569c1f5991661fc0050aa263792f50616 Author: Anumula Murali Mohan Reddy Date: Fri Dec 6 11:50:14 2024 +0530 cxgb4: use port number to set mac addr t4_set_vf_mac_acl() uses pf to set mac addr, but t4vf_get_vf_mac_acl() uses port number to get mac addr, this leads to error when an attempt to set MAC address on VF's of PF2 and PF3. This patch fixes the issue by using port number to set mac address. Fixes: e0cdac65ba26 ("cxgb4vf: configure ports accessible by the VF") Signed-off-by: Anumula Murali Mohan Reddy Signed-off-by: Potnuri Bharat Teja Reviewed-by: Simon Horman Link: https://patch.msgid.link/20241206062014.49414-1-anumula@chelsio.com Signed-off-by: Jakub Kicinski commit 7a5f93ea5862da91488975acaa0c7abd508f192b Author: Miguel Ojeda Date: Sat Nov 23 19:03:23 2024 +0100 rust: kbuild: set `bindgen`'s Rust target version Each `bindgen` release may upgrade the list of Rust targets. For instance, currently, in their master branch [1], the latest ones are: Nightly => { vectorcall_abi: #124485, ptr_metadata: #81513, layout_for_ptr: #69835, }, Stable_1_77(77) => { offset_of: #106655 }, Stable_1_73(73) => { thiscall_abi: #42202 }, Stable_1_71(71) => { c_unwind_abi: #106075 }, Stable_1_68(68) => { abi_efiapi: #105795 }, By default, the highest stable release in their list is used, and users are expected to set one if they need to support older Rust versions (e.g. see [2]). Thus, over time, new Rust features are used by default, and at some point, it is likely that `bindgen` will emit Rust code that requires a Rust version higher than our minimum (or perhaps enabling an unstable feature). Currently, there is no problem because the maximum they have, as seen above, is Rust 1.77.0, and our current minimum is Rust 1.78.0. Therefore, set a Rust target explicitly now to prevent going forward in time too much and thus getting potential build failures at some point. Since we also support a minimum `bindgen` version, and since `bindgen` does not support passing unknown Rust target versions, we need to use the list of our minimum `bindgen` version, rather than the latest. So, since `bindgen` 0.65.1 had this list [3], we need to use Rust 1.68.0: /// Rust stable 1.64 /// * `core_ffi_c` ([Tracking issue](https://github.com/rust-lang/rust/issues/94501)) => Stable_1_64 => 1.64; /// Rust stable 1.68 /// * `abi_efiapi` calling convention ([Tracking issue](https://github.com/rust-lang/rust/issues/65815)) => Stable_1_68 => 1.68; /// Nightly rust /// * `thiscall` calling convention ([Tracking issue](https://github.com/rust-lang/rust/issues/42202)) /// * `vectorcall` calling convention (no tracking issue) /// * `c_unwind` calling convention ([Tracking issue](https://github.com/rust-lang/rust/issues/74990)) => Nightly => nightly; ... /// Latest stable release of Rust pub const LATEST_STABLE_RUST: RustTarget = RustTarget::Stable_1_68; Thus add the `--rust-target 1.68` parameter. Add a comment as well explaining this. An alternative would be to use the currently running (i.e. actual) `rustc` and `bindgen` versions to pick a "better" Rust target version. However, that would introduce more moving parts depending on the user setup and is also more complex to implement. Starting with `bindgen` 0.71.0 [4], we will be able to set any future Rust version instead, i.e. we will be able to set here our minimum supported Rust version. Christian implemented it [5] after seeing this patch. Thanks! Cc: Christian Poveda Cc: Emilio Cobos Álvarez Cc: stable@vger.kernel.org # needed for 6.12.y; unneeded for 6.6.y; do not apply to 6.1.y Fixes: c844fa64a2d4 ("rust: start supporting several `bindgen` versions") Link: https://github.com/rust-lang/rust-bindgen/blob/21c60f473f4e824d4aa9b2b508056320d474b110/bindgen/features.rs#L97-L105 [1] Link: https://github.com/rust-lang/rust-bindgen/issues/2960 [2] Link: https://github.com/rust-lang/rust-bindgen/blob/7d243056d335fdc4537f7bca73c06d01aae24ddc/bindgen/features.rs#L131-L150 [3] Link: https://github.com/rust-lang/rust-bindgen/blob/main/CHANGELOG.md#0710-2024-12-06 [4] Link: https://github.com/rust-lang/rust-bindgen/pull/2993 [5] Reviewed-by: Alice Ryhl Link: https://lore.kernel.org/r/20241123180323.255997-1-ojeda@kernel.org Signed-off-by: Miguel Ojeda commit 1f806218164d1bb93f3db21eaf61254b08acdf03 Author: Luis Claudio R. Goncalves Date: Fri Dec 6 10:01:14 2024 -0300 iommu/tegra241-cmdqv: do not use smp_processor_id in preemptible context During boot some of the calls to tegra241_cmdqv_get_cmdq() will happen in preemptible context. As this function calls smp_processor_id(), if CONFIG_DEBUG_PREEMPT is enabled, these calls will trigger a series of "BUG: using smp_processor_id() in preemptible" backtraces. As tegra241_cmdqv_get_cmdq() only calls smp_processor_id() to use the CPU number as a factor to balance out traffic on cmdq usage, it is safe to use raw_smp_processor_id() here. Cc: Fixes: 918eb5c856f6 ("iommu/arm-smmu-v3: Add in-kernel support for NVIDIA Tegra241 (Grace) CMDQV") Signed-off-by: Luis Claudio R. Goncalves Reviewed-by: Jason Gunthorpe Reviewed-by: Nicolin Chen Tested-by: Nicolin Chen Link: https://lore.kernel.org/r/Z1L1mja3nXzsJ0Pk@uudg.org Signed-off-by: Will Deacon commit 4011b351b1b5a953aaa7c6b3915f908b3cc1be96 Author: Miguel Ojeda Date: Tue Nov 26 00:33:32 2024 +0100 drm/panic: remove spurious empty line to clean warning Clippy in the upcoming Rust 1.83.0 spots a spurious empty line since the `clippy::empty_line_after_doc_comments` warning is now enabled by default given it is part of the `suspicious` group [1]: error: empty line after doc comment --> drivers/gpu/drm/drm_panic_qr.rs:931:1 | 931 | / /// They must remain valid for the duration of the function call. 932 | | | |_ 933 | #[no_mangle] 934 | / pub unsafe extern "C" fn drm_panic_qr_generate( 935 | | url: *const i8, 936 | | data: *mut u8, 937 | | data_len: usize, ... | 940 | | tmp_size: usize, 941 | | ) -> u8 { | |_______- the comment documents this function | = help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#empty_line_after_doc_comments = note: `-D clippy::empty-line-after-doc-comments` implied by `-D warnings` = help: to override `-D warnings` add `#[allow(clippy::empty_line_after_doc_comments)]` = help: if the empty line is unintentional remove it Thus remove the empty line. Cc: stable@vger.kernel.org Fixes: cb5164ac43d0 ("drm/panic: Add a QR code panic screen") Link: https://github.com/rust-lang/rust-clippy/pull/13091 [1] Reviewed-by: Jocelyn Falempe Link: https://lore.kernel.org/r/20241125233332.697497-1-ojeda@kernel.org Signed-off-by: Miguel Ojeda commit d4e17a322a8fc3266798ec8dee1fbe679078b2bc Author: Ian Rogers Date: Thu Dec 5 20:23:06 2024 -0800 perf test hwmon_pmu: Fix event file location The temp directory is made and a known fake hwmon PMU created within it. Prior to this fix the events were being incorrectly written to the temp directory rather than the fake PMU directory. This didn't impact the test as the directory fd matched the wrong location, but it doesn't mirror what a hwmon PMU would actually look like. Signed-off-by: Ian Rogers Tested-by: Arnaldo Carvalho de Melo Link: https://lore.kernel.org/r/20241206042306.1055913-2-irogers@google.com Signed-off-by: Namhyung Kim commit 3f61a12b08bd84e6cf705484c2cb9d5b891882fa Author: Ian Rogers Date: Thu Dec 5 20:23:05 2024 -0800 perf hwmon_pmu: Use openat rather than dup to refresh directory The hwmon PMU test will make a temp directory, open the directory with O_DIRECTORY then fill it with contents. As the open is before the filling the contents the later fdopendir may reflect the initial empty state, meaning no events are seen. Change to re-open the directory, rather than dup the fd, so the latest contents are seen. Minor tweaks/additions to debug messages. Signed-off-by: Ian Rogers Tested-by: Arnaldo Carvalho de Melo Link: https://lore.kernel.org/r/20241206042306.1055913-1-irogers@google.com Signed-off-by: Namhyung Kim commit 246dfe3dc199246bd64635163115f2691623fc53 Author: Kuan-Wei Chiu Date: Mon Dec 9 21:42:26 2024 +0800 perf ftrace: Fix undefined behavior in cmp_profile_data() The comparison function cmp_profile_data() violates the C standard's requirements for qsort() comparison functions, which mandate symmetry and transitivity: * Symmetry: If x < y, then y > x. * Transitivity: If x < y and y < z, then x < z. When v1 and v2 are equal, the function incorrectly returns 1, breaking symmetry and transitivity. This causes undefined behavior, which can lead to memory corruption in certain versions of glibc [1]. Fix the issue by returning 0 when v1 and v2 are equal, ensuring compliance with the C standard and preventing undefined behavior. Link: https://www.qualys.com/2024/01/30/qsort.txt [1] Fixes: 0f223813edd0 ("perf ftrace: Add 'profile' command") Fixes: 74ae366c37b7 ("perf ftrace profile: Add -s/--sort option") Cc: stable@vger.kernel.org Signed-off-by: Kuan-Wei Chiu Reviewed-by: Namhyung Kim Reviewed-by: Arnaldo Carvalho de Melo Cc: jserv@ccns.ncku.edu.tw Cc: chuang@cs.nycu.edu.tw Link: https://lore.kernel.org/r/20241209134226.1939163-1-visitorckw@gmail.com Signed-off-by: Namhyung Kim commit 6d44a780635b9b3fb6e20f366ee7750a9adfa884 Author: Steve French Date: Mon Dec 9 11:25:04 2024 -0600 smb3: fix compiler warning in reparse code utf8s_to_utf16s() specifies pwcs as a wchar_t pointer (whether big endian or little endian is passed in as an additional parm), so to remove a distracting compile warning it needs to be cast as (wchar_t *) in parse_reparse_wsl_symlink() as done by other callers. Fixes: 06a7adf318a3 ("cifs: Add support for parsing WSL-style symlinks") Reviewed-by: Pali Rohár Signed-off-by: Steve French commit 7899ca9f3bd2b008e9a7c41f2a9f1986052d7e96 Author: Ilpo Järvinen Date: Mon Dec 2 12:06:13 2024 +0200 ACPI: resource: Fix memory resource type union access In acpi_decode_space() addr->info.mem.caching is checked on main level for any resource type but addr->info.mem is part of union and thus valid only if the resource type is memory range. Move the check inside the preceeding switch/case to only execute it when the union is of correct type. Fixes: fcb29bbcd540 ("ACPI: Add prefetch decoding to the address space parser") Signed-off-by: Ilpo Järvinen Link: https://patch.msgid.link/20241202100614.20731-1-ilpo.jarvinen@linux.intel.com Signed-off-by: Rafael J. Wysocki commit 175c71c2aceef173ae6d3dceb41edfc2ac0d5937 Author: Olaf Hering Date: Sun Dec 8 23:47:17 2024 +0000 tools/hv: reduce resource usage in hv_kvp_daemon hv_kvp_daemon uses popen(3) and system(3) as convinience helper to launch external helpers. These helpers are invoked via a temporary shell process. There is no need to keep this temporary process around while the helper runs. Replace this temporary shell with the actual helper process via 'exec'. Signed-off-by: Olaf Hering Link: https://lore.kernel.org/linux-hyperv/20241202123520.27812-1-olaf@aepfle.de/ Signed-off-by: Wei Liu commit becc7fe329c09a7744fa908fca83418fa94a45a0 Author: Olaf Hering Date: Mon Dec 2 13:40:52 2024 +0100 tools/hv: add a .gitignore file Remove generated files from 'git status' output after 'make -C tools/hv'. Signed-off-by: Olaf Hering Link: https://lore.kernel.org/r/20241202124107.28650-1-olaf@aepfle.de Signed-off-by: Wei Liu Message-ID: <20241202124107.28650-1-olaf@aepfle.de> commit a4d024fe2e77063069c5f423f2f9be766450f0f9 Author: Olaf Hering Date: Mon Dec 2 13:04:10 2024 +0100 tools/hv: reduce resouce usage in hv_get_dns_info helper Remove the usage of cat. Replace the shell process with awk with 'exec'. Also use a generic shell because no bash specific features will be used. Signed-off-by: Olaf Hering Acked-by: Wei Liu Link: https://lore.kernel.org/r/20241202120432.21115-1-olaf@aepfle.de Signed-off-by: Wei Liu Message-ID: <20241202120432.21115-1-olaf@aepfle.de> commit 07dfa6e821e1c58cbd0f195173dddbd593721f9b Author: Vitaly Kuznetsov Date: Tue Nov 12 16:04:01 2024 +0100 hv/hv_kvp_daemon: Pass NIC name to hv_get_dns_info as well The reference implementation of hv_get_dns_info which is in the tree uses /etc/resolv.conf to get DNS servers and this does not require to know which NIC is queried. Distro specific implementations, however, may want to provide per-NIC, fine grained information. E.g. NetworkManager keeps track of DNS servers per connection. Similar to hv_get_dhcp_info, pass NIC name as a parameter to hv_get_dns_info script. Signed-off-by: Vitaly Kuznetsov Link: https://lore.kernel.org/r/20241112150401.217094-1-vkuznets@redhat.com Signed-off-by: Wei Liu Message-ID: <20241112150401.217094-1-vkuznets@redhat.com> commit 07a756a49f4b4290b49ea46e089cbe6f79ff8d26 Author: Michael Kelley Date: Wed Nov 6 07:42:47 2024 -0800 Drivers: hv: util: Avoid accessing a ringbuffer not initialized yet If the KVP (or VSS) daemon starts before the VMBus channel's ringbuffer is fully initialized, we can hit the panic below: hv_utils: Registering HyperV Utility Driver hv_vmbus: registering driver hv_utils ... BUG: kernel NULL pointer dereference, address: 0000000000000000 CPU: 44 UID: 0 PID: 2552 Comm: hv_kvp_daemon Tainted: G E 6.11.0-rc3+ #1 RIP: 0010:hv_pkt_iter_first+0x12/0xd0 Call Trace: ... vmbus_recvpacket hv_kvp_onchannelcallback vmbus_on_event tasklet_action_common tasklet_action handle_softirqs irq_exit_rcu sysvec_hyperv_stimer0 asm_sysvec_hyperv_stimer0 ... kvp_register_done hvt_op_read vfs_read ksys_read __x64_sys_read This can happen because the KVP/VSS channel callback can be invoked even before the channel is fully opened: 1) as soon as hv_kvp_init() -> hvutil_transport_init() creates /dev/vmbus/hv_kvp, the kvp daemon can open the device file immediately and register itself to the driver by writing a message KVP_OP_REGISTER1 to the file (which is handled by kvp_on_msg() ->kvp_handle_handshake()) and reading the file for the driver's response, which is handled by hvt_op_read(), which calls hvt->on_read(), i.e. kvp_register_done(). 2) the problem with kvp_register_done() is that it can cause the channel callback to be called even before the channel is fully opened, and when the channel callback is starting to run, util_probe()-> vmbus_open() may have not initialized the ringbuffer yet, so the callback can hit the panic of NULL pointer dereference. To reproduce the panic consistently, we can add a "ssleep(10)" for KVP in __vmbus_open(), just before the first hv_ringbuffer_init(), and then we unload and reload the driver hv_utils, and run the daemon manually within the 10 seconds. Fix the panic by reordering the steps in util_probe() so the char dev entry used by the KVP or VSS daemon is not created until after vmbus_open() has completed. This reordering prevents the race condition from happening. Reported-by: Dexuan Cui Fixes: e0fa3e5e7df6 ("Drivers: hv: utils: fix a race on userspace daemons registration") Cc: stable@vger.kernel.org Signed-off-by: Michael Kelley Acked-by: Wei Liu Link: https://lore.kernel.org/r/20241106154247.2271-3-mhklinux@outlook.com Signed-off-by: Wei Liu Message-ID: <20241106154247.2271-3-mhklinux@outlook.com> commit 96e052d1473843d644ceba2adf46d3d2180b8ca7 Author: Michael Kelley Date: Wed Nov 6 07:42:46 2024 -0800 Drivers: hv: util: Don't force error code to ENODEV in util_probe() If the util_init function call in util_probe() returns an error code, util_probe() always return ENODEV, and the error code from the util_init function is lost. The error message output in the caller, vmbus_probe(), doesn't show the real error code. Fix this by just returning the error code from the util_init function. There doesn't seem to be a reason to force ENODEV, as other errors such as ENOMEM can already be returned from util_probe(). And the code in call_driver_probe() implies that ENODEV should mean that a matching driver wasn't found, which is not the case here. Suggested-by: Dexuan Cui Signed-off-by: Michael Kelley Acked-by: Wei Liu Link: https://lore.kernel.org/r/20241106154247.2271-2-mhklinux@outlook.com Signed-off-by: Wei Liu Message-ID: <20241106154247.2271-2-mhklinux@outlook.com> commit a9640fcdd400463442846677e62b8208b81cb031 Author: Olaf Hering Date: Tue Nov 5 09:14:04 2024 +0100 tools/hv: terminate fcopy daemon if read from uio fails Terminate endless loop in reading fails, to avoid flooding syslog. This happens if the state of "Guest services" integration service is changed from "enabled" to "disabled" at runtime in the VM settings. In this case pread returns EIO. Also handle an interrupted system call, and continue in this case. Signed-off-by: Olaf Hering Reviewed-by: Saurabh Sengar Link: https://lore.kernel.org/r/20241105081437.15689-1-olaf@aepfle.de Signed-off-by: Wei Liu Message-ID: <20241105081437.15689-1-olaf@aepfle.de> commit 67b5e1042d90d8a9814f22312c1147b4c9cd501a Author: Easwar Hariharan Date: Wed Oct 30 17:47:36 2024 +0000 drivers: hv: Convert open-coded timeouts to secs_to_jiffies() We have several places where timeouts are open-coded as N (seconds) * HZ, but best practice is to use the utility functions from jiffies.h. Convert the timeouts to be compliant. This doesn't fix any bugs, it's a simple code improvement. Signed-off-by: Easwar Hariharan Reviewed-by: Michael Kelley Link: https://lore.kernel.org/r/20241030-open-coded-timeouts-v3-2-9ba123facf88@linux.microsoft.com Signed-off-by: Wei Liu Message-ID: <20241030-open-coded-timeouts-v3-2-9ba123facf88@linux.microsoft.com> commit 91ae69c7ed9e262f24240c425ad1eef2cf6639b7 Author: Olaf Hering Date: Wed Oct 16 16:35:10 2024 +0200 tools: hv: change permissions of NetworkManager configuration file Align permissions of the resulting .nmconnection file, instead of the input file from hv_kvp_daemon. To avoid the tiny time frame where the output file is world-readable, use umask instead of chmod. Fixes: 42999c904612 ("hv/hv_kvp_daemon:Support for keyfile based connection profile") Signed-off-by: Olaf Hering Reviewed-by: Shradha Gupta Link: https://lore.kernel.org/r/20241016143521.3735-1-olaf@aepfle.de Signed-off-by: Wei Liu Message-ID: <20241016143521.3735-1-olaf@aepfle.de> commit bcc80dec91ee745b3d66f3e48f0ec2efdea97149 Author: Naman Jain Date: Tue Sep 17 11:09:17 2024 +0530 x86/hyperv: Fix hv tsc page based sched_clock for hibernation read_hv_sched_clock_tsc() assumes that the Hyper-V clock counter is bigger than the variable hv_sched_clock_offset, which is cached during early boot, but depending on the timing this assumption may be false when a hibernated VM starts again (the clock counter starts from 0 again) and is resuming back (Note: hv_init_tsc_clocksource() is not called during hibernation/resume); consequently, read_hv_sched_clock_tsc() may return a negative integer (which is interpreted as a huge positive integer since the return type is u64) and new kernel messages are prefixed with huge timestamps before read_hv_sched_clock_tsc() grows big enough (which typically takes several seconds). Fix the issue by saving the Hyper-V clock counter just before the suspend, and using it to correct the hv_sched_clock_offset in resume. This makes hv tsc page based sched_clock continuous and ensures that post resume, it starts from where it left off during suspend. Override x86_platform.save_sched_clock_state and x86_platform.restore_sched_clock_state routines to correct this as soon as possible. Note: if Invariant TSC is available, the issue doesn't happen because 1) we don't register read_hv_sched_clock_tsc() for sched clock: See commit e5313f1c5404 ("clocksource/drivers/hyper-v: Rework clocksource and sched clock setup"); 2) the common x86 code adjusts TSC similarly: see __restore_processor_state() -> tsc_verify_tsc_adjust(true) and x86_platform.restore_sched_clock_state(). Cc: stable@vger.kernel.org Fixes: 1349401ff1aa ("clocksource/drivers/hyper-v: Suspend/resume Hyper-V clocksource for hibernation") Co-developed-by: Dexuan Cui Signed-off-by: Dexuan Cui Signed-off-by: Naman Jain Reviewed-by: Michael Kelley Link: https://lore.kernel.org/r/20240917053917.76787-1-namjain@linux.microsoft.com Signed-off-by: Wei Liu Message-ID: <20240917053917.76787-1-namjain@linux.microsoft.com> commit cb1b78f1c726c938bd47497c1ab16b01ce967f37 Author: Dexuan Cui Date: Tue Sep 10 00:44:32 2024 +0000 tools: hv: Fix a complier warning in the fcopy uio daemon hv_fcopy_uio_daemon.c:436:53: warning: '%s' directive output may be truncated writing up to 14 bytes into a region of size 10 [-Wformat-truncation=] 436 | snprintf(uio_dev_path, sizeof(uio_dev_path), "/dev/%s", uio_name); Also added 'static' for the array 'desc[]'. Fixes: 82b0945ce2c2 ("tools: hv: Add new fcopy application based on uio driver") Cc: stable@vger.kernel.org # 6.10+ Signed-off-by: Dexuan Cui Reviewed-by: Saurabh Sengar Link: https://lore.kernel.org/r/20240910004433.50254-1-decui@microsoft.com Signed-off-by: Wei Liu Message-ID: <20240910004433.50254-1-decui@microsoft.com> commit 7cb1b466315004af98f6ba6c2546bb713ca3c237 Merge: e4c995f92b210a b4d83c8323b0c4 Author: Linus Torvalds Date: Mon Dec 9 10:34:41 2024 -0800 Merge tag 'locking_urgent_for_v6.13_rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull locking fixes from Borislav Petkov: - Remove if_not_guard() as it is generating incorrect code - Fix the initialization of the fake lockdep_map for the first locked ww_mutex * tag 'locking_urgent_for_v6.13_rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: headers/cleanup.h: Remove the if_not_guard() facility locking/ww_mutex: Fix ww_mutex dummy lockdep map selftest warnings commit e4c995f92b210ab353aa39e4c100ffc5d12eb13c Merge: df9e2102de839c 9f3de72a0c3700 Author: Linus Torvalds Date: Mon Dec 9 10:31:35 2024 -0800 Merge tag 'perf_urgent_for_v6.13_rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 perf fixes from Borislav Petkov: - Make sure the PEBS buffer is drained before reconfiguring the hardware - Add Arrow Lake U support * tag 'perf_urgent_for_v6.13_rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: perf/x86/intel/ds: Unconditionally drain PEBS DS when changing PEBS_DATA_CFG perf/x86/intel: Add Arrow Lake U support commit df9e2102de839c587eb50b2a5d1d19b07a6caaf5 Merge: aeb68937614f4a 82f9cc09497524 Author: Linus Torvalds Date: Mon Dec 9 10:28:55 2024 -0800 Merge tag 'sched_urgent_for_v6.13_rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull scheduler fixes from Borislav Petkov: - Remove wrong enqueueing of a task for a later wakeup when a task blocks on a RT mutex - Do not setup a new deadline entity on a boosted task as that has happened already - Update preempt= kernel command line param - Prevent needless softirqd wakeups in the idle task's context - Detect the case where the idle load balancer CPU becomes busy and avoid unnecessary load balancing invocation - Remove an unnecessary load balancing need_resched() call in nohz_csd_func() - Allow for raising of SCHED_SOFTIRQ softirq type on RT but retain the warning to catch any other cases - Remove a wrong warning when a cpuset update makes the task affinity no longer a subset of the cpuset * tag 'sched_urgent_for_v6.13_rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: locking: rtmutex: Fix wake_q logic in task_blocks_on_rt_mutex sched/deadline: Fix warning in migrate_enable for boosted tasks sched/core: Update kernel boot parameters for LAZY preempt. sched/core: Prevent wakeup of ksoftirqd during idle load balance sched/fair: Check idle_cpu() before need_resched() to detect ilb CPU turning busy sched/core: Remove the unnecessary need_resched() check in nohz_csd_func() softirq: Allow raising SCHED_SOFTIRQ from SMP-call-function on RT kernel sched: fix warning in sched_setaffinity sched/deadline: Fix replenish_dl_new_period dl_server condition commit aeb68937614f4aeceaaa762bd7f0212ce842b797 Author: Damien Le Moal Date: Mon Dec 9 08:53:32 2024 +0900 x86: Fix build regression with CONFIG_KEXEC_JUMP enabled Build 6.13-rc12 for x86_64 with gcc 14.2.1 fails with the error: ld: vmlinux.o: in function `virtual_mapped': linux/arch/x86/kernel/relocate_kernel_64.S:249:(.text+0x5915b): undefined reference to `saved_context_gdt_desc' when CONFIG_KEXEC_JUMP is enabled. This was introduced by commit 07fa619f2a40 ("x86/kexec: Restore GDT on return from ::preserve_context kexec") which introduced a use of saved_context_gdt_desc without a declaration for it. Fix that by including asm/asm-offsets.h where saved_context_gdt_desc is defined (indirectly in include/generated/asm-offsets.h which asm/asm-offsets.h includes). Fixes: 07fa619f2a40 ("x86/kexec: Restore GDT on return from ::preserve_context kexec") Signed-off-by: Damien Le Moal Acked-by: Borislav Petkov (AMD) Acked-by: David Woodhouse Closes: https://lore.kernel.org/oe-kbuild-all/202411270006.ZyyzpYf8-lkp@intel.com/ Signed-off-by: Linus Torvalds commit 32913f348229c9f72dda45fc2c08c6d9dfcd3d6d Author: Linus Torvalds Date: Mon Dec 9 10:00:25 2024 -0800 futex: fix user access on powerpc The powerpc user access code is special, and unlike other architectures distinguishes between user access for reading and writing. And commit 43a43faf5376 ("futex: improve user space accesses") messed that up. It went undetected elsewhere, but caused ppc32 to fail early during boot, because the user access had been started with user_read_access_begin(), but then finished off with just a plain "user_access_end()". Note that the address-masking user access helpers don't even have that read-vs-write distinction, so if powerpc ever wants to do address masking tricks, we'll have to do some extra work for it. [ Make sure to also do it for the EFAULT case, as pointed out by Christophe Leroy ] Reported-by: Andreas Schwab Cc: Christophe Leroy Link: https://lore.kernel.org/all/87bjxl6b0i.fsf@igel.home/ Signed-off-by: Linus Torvalds commit c9bc45b346fc040813c082fc5f2cbdcefaf2fc95 Merge: 90386e1ba4889a 514b2262ade48a Author: Arnd Bergmann Date: Mon Dec 9 16:05:07 2024 +0100 Merge tag 'scmi-fix-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/sudeep.holla/linux into arm/fixes Arm SCMI fix for v6.13 Fix for the build issue in the ASoC driver with the SCMI support by enforcing the link-time dependency if IMX_SCMI_MISC_DRV is a loadable module but not if that is disabled. * tag 'scmi-fix-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/sudeep.holla/linux: firmware: arm_scmi: Fix i.MX build dependency Link: https://lore.kernel.org/r/20241205114348.708618-1-sudeep.holla@arm.com Signed-off-by: Arnd Bergmann commit 90386e1ba4889ada34ffc0f9b9e6d82fd9a29fe1 Merge: fac04efc5c793d 4f776d81bf927a Author: Arnd Bergmann Date: Mon Dec 9 16:04:40 2024 +0100 Merge tag 'juno-fix-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/sudeep.holla/linux into arm/fixes Armv8 Juno fix for v6.13 Just a single fix updating the PCIe bus address range to accommodate the full ECAM window of 256MB available on most of the recent versions of RevC FVP models. * tag 'juno-fix-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/sudeep.holla/linux: arm64: dts: fvp: Update PCIe bus-range property Link: https://lore.kernel.org/r/20241205114302.708433-1-sudeep.holla@arm.com Signed-off-by: Arnd Bergmann commit b4906787d49b9bfaa277ea919feffbc7cfaee4eb Merge: 09310cfd4ea5c3 ddd7ba006078a2 Author: David S. Miller Date: Mon Dec 9 13:30:17 2024 +0000 Merge branch 'net-sparx5-lan969x-fixes' Daniel Machon says: ==================== net: sparx5: misc fixes for sparx5 and lan969x This series fixes various issues in the Sparx5 and lan969x drivers. Most of the fixes are for new issues introduced by the recent series adding lan969x switch support in the Sparx5 driver. Most notable is patch 1/5 that moves the lan969x dir into the sparx5 dir, in order to address a cyclic dependency issue reported by depmod, when installing modules. Details are in the commit descriptions. To: Andrew Lunn To: David S. Miller To: Eric Dumazet To: Jakub Kicinski To: Paolo Abeni To: Lars Povlsen To: Steen Hegelund To: UNGLinuxDriver@microchip.com To: Richard Cochran To: Bjarni Jonasson To: jensemil.schulzostergaard@microchip.com To: horatiu.vultur@microchip.com To: arnd@arndb.de To: jacob.e.keller@intel.com To: Parthiban.Veerasooran@microchip.com Cc: Calvin Owens Cc: Muhammad Usama Anjum Cc: linux-kernel@vger.kernel.org Cc: netdev@vger.kernel.org Cc: linux-arm-kernel@lists.infradead.org ==================== Signed-off-by: Daniel Machon Signed-off-by: David S. Miller commit ddd7ba006078a2bef5971b2dc5f8383d47f96207 Author: Daniel Machon Date: Thu Dec 5 14:54:28 2024 +0100 net: sparx5: fix the maximum frame length register On port initialization, we configure the maximum frame length accepted by the receive module associated with the port. This value is currently written to the MAX_LEN field of the DEV10G_MAC_ENA_CFG register, when in fact, it should be written to the DEV10G_MAC_MAXLEN_CFG register. Fix this. Fixes: 946e7fd5053a ("net: sparx5: add port module support") Signed-off-by: Daniel Machon Signed-off-by: David S. Miller commit e4d505fda6c81baf9b92a7f32f89912984654983 Author: Daniel Machon Date: Thu Dec 5 14:54:27 2024 +0100 net: sparx5: fix default value of monitor ports When doing port mirroring, the physical port to send the frame to, is written to the FRMC_PORT_VAL field of the QFWD_FRAME_COPY_CFG register. This field is 7 bits wide on sparx5 and 6 bits wide on lan969x, and has a default value of 65 and 30, respectively (the number of front ports). On mirror deletion, we set the default value of the monitor port to 65 for this field, in case no more ports exists for the mirror. Needless to say, this will not fit the 6 bits on lan969x. Fix this by correctly using the n_ports constant instead. Fixes: 3f9e46347a46 ("net: sparx5: use SPX5_CONST for constants which already have a symbol") Signed-off-by: Daniel Machon Signed-off-by: David S. Miller commit f004f2e535e2b66ccbf5ac35f8eaadeac70ad7b7 Author: Daniel Machon Date: Thu Dec 5 14:54:26 2024 +0100 net: sparx5: fix FDMA performance issue The FDMA handler is responsible for scheduling a NAPI poll, which will eventually fetch RX packets from the FDMA queue. Currently, the FDMA handler is run in a threaded context. For some reason, this kills performance. Admittedly, I did not do a thorough investigation to see exactly what causes the issue, however, I noticed that in the other driver utilizing the same FDMA engine, we run the FDMA handler in hard IRQ context. Fix this performance issue, by running the FDMA handler in hard IRQ context, not deferring any work to a thread. Prior to this change, the RX UDP performance was: Interval Transfer Bitrate Jitter 0.00-10.20 sec 44.6 MBytes 36.7 Mbits/sec 0.027 ms After this change, the rx UDP performance is: Interval Transfer Bitrate Jitter 0.00-9.12 sec 1.01 GBytes 953 Mbits/sec 0.020 ms Fixes: 10615907e9b5 ("net: sparx5: switchdev: adding frame DMA functionality") Signed-off-by: Daniel Machon Signed-off-by: David S. Miller commit aa5fc889844ff9f920356c4b6535bf2c625457cd Author: Daniel Machon Date: Thu Dec 5 14:54:25 2024 +0100 net: lan969x: fix the use of spin_lock in PTP handler We are mixing the use of spin_lock() and spin_lock_irqsave() functions in the PTP handler of lan969x. Fix this by correctly using the _irqsave variants. Fixes: 24fe83541755 ("net: lan969x: add PTP handler function") Signed-off-by: Daniel Machon [1]: https://lore.kernel.org/netdev/20241024-sparx5-lan969x-switch-driver-2-v2-10-a0b5fae88a0f@microchip.com/ Signed-off-by: David S. Miller commit 1cd7523f4baaf03026974553978210dc39e96665 Author: Daniel Machon Date: Thu Dec 5 14:54:24 2024 +0100 net: lan969x: fix cyclic dependency reported by depmod Depmod reports a cyclic dependency between modules sparx5-switch.ko and lan969x-switch.ko: depmod: ERROR: Cycle detected: lan969x_switch -> sparx5_switch -> lan969x_switch depmod: ERROR: Found 2 modules in dependency cycles! make[2]: *** [scripts/Makefile.modinst:132: depmod] Error 1 make: *** [Makefile:224: __sub-make] Error 2 This makes sense, as they both require symbols from each other. Fix this by compiling lan969x support into the sparx5-switch.ko module. In order to do this, in a sensible way, we move the lan969x/ dir into the sparx5/ dir and do some code cleanup of code that is no longer required. After this patch, depmod will no longer complain, as lan969x support is compiled into the sparx5-swicth.ko module, and can no longer be compiled as a standalone module. Fixes: 98a01119608d ("net: sparx5: add compatible string for lan969x") Signed-off-by: Daniel Machon Signed-off-by: David S. Miller commit 25fb0e77b90e290a1ca30900d54c6a495eea65e2 Author: Niravkumar L Rabara Date: Wed Dec 4 14:33:38 2024 +0800 spi: spi-cadence-qspi: Disable STIG mode for Altera SoCFPGA. STIG mode is enabled by default for less than 8 bytes data read/write. STIG mode doesn't work with Altera SocFPGA platform due hardware limitation. Add a quirks to disable STIG mode for Altera SoCFPGA platform. Signed-off-by: Niravkumar L Rabara Link: https://patch.msgid.link/20241204063338.296959-1-niravkumar.l.rabara@intel.com Signed-off-by: Mark Brown commit 0bb394067a792e7119abc9e0b7158ef19381f456 Author: Christian Loehle Date: Fri Dec 6 19:50:55 2024 +0000 spi: rockchip: Fix PM runtime count on no-op cs The early bail out that caused an out-of-bounds write was removed with commit 5c018e378f91 ("spi: spi-rockchip: Fix out of bounds array access") Unfortunately that caused the PM runtime count to be unbalanced and underflowed on the first call. To fix that reintroduce a no-op check by reading the register directly. Cc: stable@vger.kernel.org Fixes: 5c018e378f91 ("spi: spi-rockchip: Fix out of bounds array access") Signed-off-by: Christian Loehle Link: https://patch.msgid.link/1f2b3af4-2b7a-4ac8-ab95-c80120ebf44c@arm.com Signed-off-by: Mark Brown commit c84dda3751e945a67d71cbe3af4474aad24a5794 Author: Christophe JAILLET Date: Tue Nov 19 22:30:29 2024 +0100 spi: aspeed: Fix an error handling path in aspeed_spi_[read|write]_user() A aspeed_spi_start_user() is not balanced by a corresponding aspeed_spi_stop_user(). Add the missing call. Fixes: e3228ed92893 ("spi: spi-mem: Convert Aspeed SMC driver to spi-mem") Signed-off-by: Christophe JAILLET Link: https://patch.msgid.link/4052aa2f9a9ea342fa6af83fa991b55ce5d5819e.1732051814.git.christophe.jaillet@wanadoo.fr Signed-off-by: Mark Brown commit f07ae52f5cf6a5584fdf7c8c652f027d90bc8b74 Author: Philippe Simons Date: Sun Dec 8 13:43:08 2024 +0100 regulator: axp20x: AXP717: set ramp_delay AXP717 datasheet says that regulator ramp delay is 15.625 us/step, which is 10mV in our case. Add a AXP_DESC_RANGES_DELAY macro and update AXP_DESC_RANGES macro to expand to AXP_DESC_RANGES_DELAY with ramp_delay = 0 For DCDC4, steps is 100mv Add a AXP_DESC_DELAY macro and update AXP_DESC macro to expand to AXP_DESC_DELAY with ramp_delay = 0 This patch fix crashes when using CPU DVFS. Signed-off-by: Philippe Simons Tested-by: Hironori KIKUCHI Tested-by: Chris Morgan Reviewed-by: Chen-Yu Tsai Fixes: d2ac3df75c3a ("regulator: axp20x: add support for the AXP717") Link: https://patch.msgid.link/20241208124308.5630-1-simons.philippe@gmail.com Signed-off-by: Mark Brown commit 8099b1f7e37e98f73664b883464d54e2e2d9522f Author: Janaki Ramaiah Thota Date: Mon Dec 9 16:04:52 2024 +0530 regulator: dt-bindings: qcom,qca6390-pmu: document wcn6750-pmu Add description of the PMU node for the WCN6750B module. Signed-off-by: Janaki Ramaiah Thota Reviewed-by: Krzysztof Kozlowski Link: https://patch.msgid.link/20241209103455.9675-2-quic_janathot@quicinc.com Signed-off-by: Mark Brown commit 5f122030061db3e5d2bddd9cf5c583deaa6c54ff Author: Jesse Taube Date: Mon Nov 18 10:36:41 2024 -0500 ARM: dts: imxrt1050: Fix clocks for mmc One of the usdhc1 controller's clocks should be IMXRT1050_CLK_AHB_PODF not IMXRT1050_CLK_OSC. Fixes: 1c4f01be3490 ("ARM: dts: imx: Add i.MXRT1050-EVK support") Signed-off-by: Jesse Taube Signed-off-by: Shawn Guo commit 76f2f783294d7d55c2564e2dfb0a7279ba0bc264 Author: Peter Zijlstra Date: Mon Dec 2 18:45:57 2024 +0100 sched/eevdf: More PELT vs DELAYED_DEQUEUE Vincent and Dietmar noted that while commit fc1892becd56 ("sched/eevdf: Fixup PELT vs DELAYED_DEQUEUE") fixes the entity runnable stats, it does not adjust the cfs_rq runnable stats, which are based off of h_nr_running. Track h_nr_delayed such that we can discount those and adjust the signal. Fixes: fc1892becd56 ("sched/eevdf: Fixup PELT vs DELAYED_DEQUEUE") Closes: https://lore.kernel.org/lkml/a9a45193-d0c6-4ba2-a822-464ad30b550e@arm.com/ Closes: https://lore.kernel.org/lkml/CAKfTPtCNUvWE_GX5LyvTF-WdxUT=ZgvZZv-4t=eWntg5uOFqiQ@mail.gmail.com/ [ Fixes checkpatch warnings and rebased ] Signed-off-by: Peter Zijlstra (Intel) Reported-by: Dietmar Eggemann Reported-by: Vincent Guittot Signed-off-by: "Peter Zijlstra (Intel)" Signed-off-by: Vincent Guittot Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Dietmar Eggemann Tested-by: K Prateek Nayak Link: https://lore.kernel.org/r/20241202174606.4074512-3-vincent.guittot@linaro.org commit c1f43c342e1f2e32f0620bf2e972e2a9ea0a1e60 Author: Vincent Guittot Date: Mon Dec 2 18:45:56 2024 +0100 sched/fair: Fix sched_can_stop_tick() for fair tasks We can't stop the tick of a rq if there are at least 2 tasks enqueued in the whole hierarchy and not only at the root cfs rq. rq->cfs.nr_running tracks the number of sched_entity at one level whereas rq->cfs.h_nr_running tracks all queued tasks in the hierarchy. Fixes: 11cc374f4643b ("sched_ext: Simplify scx_can_stop_tick() invocation in sched_can_stop_tick()") Signed-off-by: Vincent Guittot Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Dietmar Eggemann Link: https://lore.kernel.org/r/20241202174606.4074512-2-vincent.guittot@linaro.org commit 493afbd187c4c9cc1642792c0d9ba400c3d6d90d Author: K Prateek Nayak Date: Thu Nov 28 12:59:54 2024 +0530 sched/fair: Fix NEXT_BUDDY Adam reports that enabling NEXT_BUDDY insta triggers a WARN in pick_next_entity(). Moving clear_buddies() up before the delayed dequeue bits ensures no ->next buddy becomes delayed. Further ensure no new ->next buddy ever starts as delayed. Fixes: 152e11f6df29 ("sched/fair: Implement delayed dequeue") Reported-by: Adam Li Signed-off-by: K Prateek Nayak Signed-off-by: Peter Zijlstra (Intel) Tested-by: Adam Li Link: https://lkml.kernel.org/r/670a0d54-e398-4b1f-8a6e-90784e2fdf89@amd.com commit 2828e5808bcd5aae7fdcd169cac1efa2701fa2dd Author: Jiasheng Jiang Date: Wed Nov 27 20:10:42 2024 +0000 drm/i915: Fix memory leak by correcting cache object name in error handler Replace "slab_priorities" with "slab_dependencies" in the error handler to avoid memory leak. Fixes: 32eb6bcfdda9 ("drm/i915: Make request allocation caches global") Cc: # v5.2+ Signed-off-by: Jiasheng Jiang Reviewed-by: Nirmoy Das Reviewed-by: Andi Shyti Signed-off-by: Andi Shyti Link: https://patchwork.freedesktop.org/patch/msgid/20241127201042.29620-1-jiashengjiangcool@gmail.com (cherry picked from commit 9bc5e7dc694d3112bbf0fa4c46ef0fa0f114937a) Signed-off-by: Tvrtko Ursulin commit da0b986256ae9a78b0215214ff44f271bfe237c1 Author: Eugene Kobyak Date: Tue Dec 3 14:54:06 2024 +0000 drm/i915: Fix NULL pointer dereference in capture_engine When the intel_context structure contains NULL, it raises a NULL pointer dereference error in drm_info(). Fixes: e8a3319c31a1 ("drm/i915: Allow error capture without a request") Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/12309 Reviewed-by: Andi Shyti Cc: John Harrison Cc: # v6.3+ Signed-off-by: Eugene Kobyak Signed-off-by: Andi Shyti Link: https://patchwork.freedesktop.org/patch/msgid/xmsgfynkhycw3cf56akp4he2ffg44vuratocsysaowbsnhutzi@augnqbm777at (cherry picked from commit 754302a5bc1bd8fd3b7d85c168b0a1af6d4bba4d) Signed-off-by: Tvrtko Ursulin commit cd3da567e2e46b8f75549637b960a83b024d6b6e Author: Ville Syrjälä Date: Wed Nov 20 18:41:21 2024 +0200 drm/i915/color: Stop using non-posted DSB writes for legacy LUT DSB LUT register writes vs. palette anti-collision logic appear to interact in interesting ways: - posted DSB writes simply vanish into thin air while anti-collision is active - non-posted DSB writes actually get blocked by the anti-collision logic, but unfortunately this ends up hogging the bus for long enough that unrelated parallel CPU MMIO accesses start to disappear instead Even though we are updating the LUT during vblank we aren't immune to the anti-collision logic because it kicks in briefly for pipe prefill (initiated at frame start). The safe time window for performing the LUT update is thus between the undelayed vblank and frame start. Turns out that with low enough CDCLK frequency (DSB execution speed depends on CDCLK) we can exceed that. As we are currently using non-posted writes for the legacy LUT updates, in which case we can hit the far more severe failure mode. The problem is exacerbated by the fact that non-posted writes are much slower than posted writes (~4x it seems). To mititage the problem let's switch to using posted DSB writes for legacy LUT updates (which will involve using the double write approach to avoid other problems with DSB vs. legacy LUT writes). Despite writing each register twice this will in fact make the legacy LUT update faster when compared to the non-posted write approach, making the problem less likely to appear. The failure mode is also less severe. This isn't the 100% solution we need though. That will involve estimating how long the LUT update will take, and pushing frame start and/or delayed vblank forward to guarantee that the update will have finished by the time the pipe prefill starts... Cc: stable@vger.kernel.org Fixes: 34d8311f4a1c ("drm/i915/dsb: Re-instate DSB for LUT updates") Fixes: 25ea3411bd23 ("drm/i915/dsb: Use non-posted register writes for legacy LUT") Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/12494 Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20241120164123.12706-3-ville.syrjala@linux.intel.com Reviewed-by: Uma Shankar (cherry picked from commit 2504a316b35d49522f39cf0dc01830d7c36a9be4) Signed-off-by: Tvrtko Ursulin commit 70ec2e8be72c8cb71eb6a18f223484d2a39b708f Author: Ville Syrjälä Date: Wed Nov 20 18:41:20 2024 +0200 drm/i915/dsb: Don't use indexed register writes needlessly Turns out the DSB indexed register write command has rather significant initial overhead compared to the normal MMIO write command. Based on some quick experiments on TGL you have to write the register at least ~5 times for the indexed write command to come out ahead. If you write the register less times than that the MMIO write is faster. So it seems my automagic indexed write logic was a bit misguided. Go back to the original approach only use indexed writes for the cases we know will benefit from it (indexed LUT register updates). Currently we shouldn't have any cases where this truly matters (just some rare double writes to the precision LUT index registers), but we will need to switch the legacy LUT updates to write each LUT register twice (to avoid some palette anti-collision logic troubles). This would be close to the worst case for using indexed writes (two writes per register, and 256 separate registers). Using the MMIO write command should shave off around 30% of the execution time compared to using the indexed write command. Cc: stable@vger.kernel.org Fixes: 34d8311f4a1c ("drm/i915/dsb: Re-instate DSB for LUT updates") Fixes: 25ea3411bd23 ("drm/i915/dsb: Use non-posted register writes for legacy LUT") Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20241120164123.12706-2-ville.syrjala@linux.intel.com Reviewed-by: Uma Shankar (cherry picked from commit ecba559a88ab8399a41893d7828caf4dccbeab6c) Signed-off-by: Tvrtko Ursulin commit b50a3e98442b8d72f061617c7f7a71f7dba19484 Author: Adrian Ratiu Date: Mon Dec 9 11:05:29 2024 +0200 sound: usb: format: don't warn that raw DSD is unsupported UAC 2 & 3 DAC's set bit 31 of the format to signal support for a RAW_DATA type, typically used for DSD playback. This is correctly tested by (format & UAC*_FORMAT_TYPE_I_RAW_DATA), fp->dsd_raw = true; and call snd_usb_interface_dsd_format_quirks(), however a confusing and unnecessary message gets printed because the bit is not properly tested in the last "unsupported" if test: if (format & ~0x3F) { ... } For example the output: usb 7-1: new high-speed USB device number 5 using xhci_hcd usb 7-1: New USB device found, idVendor=262a, idProduct=9302, bcdDevice=0.01 usb 7-1: New USB device strings: Mfr=1, Product=2, SerialNumber=6 usb 7-1: Product: TC44C usb 7-1: Manufacturer: TC44C usb 7-1: SerialNumber: 5000000001 hid-generic 0003:262A:9302.001E: No inputs registered, leaving hid-generic 0003:262A:9302.001E: hidraw6: USB HID v1.00 Device [DDHIFI TC44C] on usb-0000:08:00.3-1/input0 usb 7-1: 2:4 : unsupported format bits 0x100000000 This last "unsupported format" is actually wrong: we know the format is a RAW_DATA which we assume is DSD, so there is no need to print the confusing message. This we unset bit 31 of the format after recognizing it, to avoid the message. Suggested-by: Takashi Iwai Signed-off-by: Adrian Ratiu Link: https://patch.msgid.link/20241209090529.16134-2-adrian.ratiu@collabora.com Signed-off-by: Takashi Iwai commit c84bd6c810d1880194fea2229c7086e4b73fddc1 Author: Adrian Ratiu Date: Mon Dec 9 11:05:28 2024 +0200 sound: usb: enable DSD output for ddHiFi TC44C This is a UAC 2 DAC capable of raw DSD on intf 2 alt 4: Bus 007 Device 004: ID 262a:9302 SAVITECH Corp. TC44C Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 2.00 bDeviceClass 239 Miscellaneous Device bDeviceSubClass 2 [unknown] bDeviceProtocol 1 Interface Association bMaxPacketSize0 64 idVendor 0x262a SAVITECH Corp. idProduct 0x9302 TC44C bcdDevice 0.01 iManufacturer 1 DDHIFI iProduct 2 TC44C iSerial 6 5000000001 ....... Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 2 bAlternateSetting 4 bNumEndpoints 2 bInterfaceClass 1 Audio bInterfaceSubClass 2 Streaming bInterfaceProtocol 32 iInterface 0 AudioStreaming Interface Descriptor: bLength 16 bDescriptorType 36 bDescriptorSubtype 1 (AS_GENERAL) bTerminalLink 3 bmControls 0x00 bFormatType 1 bmFormats 0x80000000 bNrChannels 2 bmChannelConfig 0x00000000 iChannelNames 0 ....... Signed-off-by: Adrian Ratiu Link: https://patch.msgid.link/20241209090529.16134-1-adrian.ratiu@collabora.com Signed-off-by: Takashi Iwai commit 1ddb61a7c0150ba2ab42ec9cb74c392c5c4616b4 Author: Stefan Eichenberger Date: Fri Nov 8 16:34:34 2024 +0100 ARM: imx_v6_v7_defconfig: enable SND_SOC_SPDIF Enable SND_SOC_SPDIF in imx_v6_v7_defconfig to support SPDIF audio. With commit d469b771afe1 ("ARM: dts: imx6: update spdif sound card node properties"), the more generic audio-codec property is used instead of the old spdif-controller property. Since most i.MX6 boards now use the audio-codec property together with the linux,spdif-dit and linux,spdif-dir compatible driver, it makes sense to enable SND_SOC_SPDIF in the imx_v6_v7_defconfig. This will ensure compatibility with the updated device tree. Without this change, boards that use the audio-codec property will show the following error message during boot when using the imx_v6_v7_defconfig and spdif audio is not working: [ 24.165534] platform sound-spdif: deferred probe pending: fsl-asoc-card: snd_soc_register_card failed Signed-off-by: Stefan Eichenberger Signed-off-by: Shawn Guo commit 2ab0837cb91b7de507daa145d17b3b6b2efb3abf Author: James Bottomley Date: Sun Dec 8 13:34:13 2024 -0500 efivarfs: Fix error on non-existent file When looking up a non-existent file, efivarfs returns -EINVAL if the file does not conform to the NAME-GUID format and -ENOENT if it does. This is caused by efivars_d_hash() returning -EINVAL if the name is not formatted correctly. This error is returned before simple_lookup() returns a negative dentry, and is the error value that the user sees. Fix by removing this check. If the file does not exist, simple_lookup() will return a negative dentry leading to -ENOENT and efivarfs_create() already has a validity check before it creates an entry (and will correctly return -EINVAL) Signed-off-by: James Bottomley Cc: [ardb: make efivarfs_valid_name() static] Signed-off-by: Ard Biesheuvel commit c5b8d2c370842e3f9a15655893d8c597e2d981d9 Author: Wei Fang Date: Tue Nov 5 13:46:02 2024 +0800 arm64: dts: imx95: correct the address length of netcmix_blk_ctrl The netc_blk_ctrl is controlled by the imx95-blk-ctl clock driver and provides relevant clock configurations for NETC, SAI and MQS. Its address length should be 8 bytes instead of 0x1000. Fixes: 7764fef26ea9 ("arm64: dts: imx95: Add NETCMIX block control support") Signed-off-by: Wei Fang Signed-off-by: Shawn Guo commit 50db91fccea0da5c669bc68e2429e8de303758d3 Author: Vasiliy Kovalev Date: Sat Dec 7 23:18:36 2024 +0300 ALSA: hda/realtek: Add new alc2xx-fixup-headset-mic model Introduces the alc2xx-fixup-headset-mic model to simplify enabling headset microphones on ALC2XX codecs. Many recent configurations, as well as older systems that lacked this fix for a long time, leave headset microphones inactive by default. This addition provides a flexible workaround using the existing ALC2XX_FIXUP_HEADSET_MIC quirk. Signed-off-by: Vasiliy Kovalev Link: https://patch.msgid.link/20241207201836.6879-1-kovalev@altlinux.org Signed-off-by: Takashi Iwai commit 7c005292e20ac53dfa601bf2a7375fd4815511ad Author: Takashi Iwai Date: Sat Dec 7 14:37:53 2024 +0100 ALSA: hda/ca0132: Use standard HD-audio quirk matching helpers CA0132 used the PCI SSID lookup helper that doesn't support the model string matching or quirk aliasing. Replace it with the standard HD-audio quirk helpers for supporting those, and add the definition of the model strings for supported quirks, too. There should be no visible change to the outside for the working system, but the driver will parse the model option and apply the quirk based on it from now on. Link: https://patch.msgid.link/20241207133754.3658-1-tiwai@suse.de Signed-off-by: Takashi Iwai commit c70812cb281fd2529051e818ea25eb736b369753 Author: Frank Li Date: Mon Oct 28 15:49:32 2024 -0400 arm64: dts: imx8-ss-audio: add fallback compatible string fsl,imx6ull-esai for esai The ESAI of i.MX8QM is the same as i.MX6ULL. So add fsl,imx6ull-esai for esai. Signed-off-by: Frank Li Acked-by: Rob Herring (Arm) Fixes: adf7ea48ce05 ("ASoC: dt-bindings: fsl-esai: allow fsl,imx8qm-esai fallback to fsl,imx6ull-esai") Signed-off-by: Shawn Guo commit 676fe1f6f74db988191dab5df3bf256908177072 Author: Joe Hattori Date: Thu Dec 5 19:30:14 2024 +0900 ata: sata_highbank: fix OF node reference leak in highbank_initialize_phys() The OF node reference obtained by of_parse_phandle_with_args() is not released on early return. Add a of_node_put() call before returning. Fixes: 8996b89d6bc9 ("ata: add platform driver for Calxeda AHCI controller") Signed-off-by: Joe Hattori Signed-off-by: Damien Le Moal commit fac04efc5c793dccbd07e2d59af9f90b7fc0dca4 Author: Linus Torvalds Date: Sun Dec 8 14:03:39 2024 -0800 Linux 6.13-rc2 commit 0b6809a75ac026d4b569815744ad095b5d5955e1 Merge: eadaac4dd2e072 d8d326d64f6702 Author: Linus Torvalds Date: Sun Dec 8 12:01:06 2024 -0800 Merge tag 'kbuild-fixes-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild Pull Kbuild fixes from Masahiro Yamada: - Fix a section mismatch warning in modpost - Fix Debian package build error with the O= option * tag 'kbuild-fixes-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild: kbuild: deb-pkg: fix build error with O= modpost: Add .irqentry.text to OTHER_SECTIONS commit eadaac4dd2e07292181d35858047bdb177d5194f Merge: c25ca0c2e42c77 9151299ee5101e Author: Linus Torvalds Date: Sun Dec 8 11:54:04 2024 -0800 Merge tag 'irq_urgent_for_v6.13_rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull irq fixes from Borislav Petkov: - Fix a /proc/interrupts formatting regression - Have the BCM2836 interrupt controller enter power management states properly - Other fixlets * tag 'irq_urgent_for_v6.13_rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: irqchip/stm32mp-exti: CONFIG_STM32MP_EXTI should not default to y when compile-testing genirq/proc: Add missing space separator back irqchip/bcm2836: Enable SKIP_SET_WAKE and MASK_ON_SUSPEND irqchip/gic-v3: Fix irq_complete_ack() comment commit c25ca0c2e42c77e0241411d374d44c41e253b3f5 Merge: 84262262177b98 76031d9536a076 Author: Linus Torvalds Date: Sun Dec 8 11:51:29 2024 -0800 Merge tag 'timers_urgent_for_v6.13_rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull timer fix from Borislav Petkov: - Handle the case where clocksources with small counter width can, in conjunction with overly long idle sleeps, falsely trigger the negative motion detection of clocksources * tag 'timers_urgent_for_v6.13_rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: clocksource: Make negative motion detection more robust commit 84262262177b98cf4e57e8c010119576d3c6bc2b Merge: 553c89ec31746f 492077668fb453 Author: Linus Torvalds Date: Sun Dec 8 11:38:56 2024 -0800 Merge tag 'x86_urgent_for_v6.13_rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 fixes from Borislav Petkov: - Have the Automatic IBRS setting check on AMD does not falsely fire in the guest when it has been set already on the host - Make sure cacheinfo structures memory is allocated to address a boot NULL ptr dereference on Intel Meteor Lake which has different numbers of subleafs in its CPUID(4) leaf - Take care of the GDT restoring on the kexec path too, as expected by the kernel - Make sure SMP is not disabled when IO-APIC is disabled on the kernel cmdline - Add a PGD flag _PAGE_NOPTISHADOW to instruct machinery not to propagate changes to the kernelmode page tables, to the user portion, in PTI - Mark Intel Lunar Lake as affected by an issue where MONITOR wakeups can get lost and thus user-visible delays happen - Make sure PKRU is properly restored with XRSTOR on AMD after a PRKU write of 0 (WRPKRU) which will mark PKRU in its init state and thus lose the actual buffer * tag 'x86_urgent_for_v6.13_rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/CPU/AMD: WARN when setting EFER.AUTOIBRS if and only if the WRMSR fails x86/cacheinfo: Delete global num_cache_leaves cacheinfo: Allocate memory during CPU hotplug if not done from the primary CPU x86/kexec: Restore GDT on return from ::preserve_context kexec x86/cpu/topology: Remove limit of CPUs due to disabled IO/APIC x86/mm: Add _PAGE_NOPTISHADOW bit to avoid updating userspace page tables x86/cpu: Add Lunar Lake to list of CPUs with a broken MONITOR implementation x86/pkeys: Ensure updated PKRU value is XRSTOR'd x86/pkeys: Change caller of update_pkru_in_sigframe() commit 553c89ec31746ff96fc5562943fe5b1c9b1e9276 Merge: 62b5a46999c744 f1ee5483e40881 Author: Linus Torvalds Date: Sun Dec 8 11:26:13 2024 -0800 Merge tag 'mm-hotfixes-stable-2024-12-07-22-39' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Pull misc fixes from Andrew Morton: "24 hotfixes. 17 are cc:stable. 15 are MM and 9 are non-MM. The usual bunch of singletons - please see the relevant changelogs for details" * tag 'mm-hotfixes-stable-2024-12-07-22-39' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm: (24 commits) iio: magnetometer: yas530: use signed integer type for clamp limits sched/numa: fix memory leak due to the overwritten vma->numab_state mm/damon: fix order of arguments in damos_before_apply tracepoint lib: stackinit: hide never-taken branch from compiler mm/filemap: don't call folio_test_locked() without a reference in next_uptodate_folio() scatterlist: fix incorrect func name in kernel-doc mm: correct typo in MMAP_STATE() macro mm: respect mmap hint address when aligning for THP mm: memcg: declare do_memsw_account inline mm/codetag: swap tags when migrate pages ocfs2: update seq_file index in ocfs2_dlm_seq_next stackdepot: fix stack_depot_save_flags() in NMI context mm: open-code page_folio() in dump_page() mm: open-code PageTail in folio_flags() and const_folio_flags() mm: fix vrealloc()'s KASAN poisoning logic Revert "readahead: properly shorten readahead when falling back to do_page_cache_ra()" selftests/damon: add _damon_sysfs.py to TEST_FILES selftest: hugetlb_dio: fix test naming ocfs2: free inode when ocfs2_get_init_inode() fails nilfs2: fix potential out-of-bounds memory access in nilfs_find_entry() ... commit 54d394905c92b9ecc65c1f9b2692c8e10716d8e1 Author: Javier Carrasco Date: Mon Dec 2 20:18:44 2024 +0100 iio: adc: ti-ads1119: fix sample size in scan struct for triggered buffer This device returns signed, 16-bit samples as stated in its datasheet (see 8.5.2 Data Format). That is in line with the scan_type definition for the IIO_VOLTAGE channel, but 'unsigned int' is being used to read and push the data to userspace. Given that the size of that type depends on the architecture (at least 2 bytes to store values up to 65535, but its actual size is often 4 bytes), use the 's16' type to provide the same structure in all cases. Fixes: a9306887eba4 ("iio: adc: ti-ads1119: Add driver") Signed-off-by: Javier Carrasco Reviewed-by: Francesco Dolcini Link: https://patch.msgid.link/20241202-ti-ads1119_s16_chan-v1-1-fafe3136dc90@gmail.com Cc: Signed-off-by: Jonathan Cameron commit 2f43d5200c7330143089bfd1f2440753bac10617 Author: Javier Carrasco Date: Wed Dec 4 00:55:31 2024 +0100 iio: temperature: tmp006: fix information leak in triggered buffer The 'scan' local struct is used to push data to user space from a triggered buffer, but it has a hole between the two 16-bit data channels and the timestamp. This hole is never initialized. Initialize the struct to zero before using it to avoid pushing uninitialized information to userspace. Fixes: 91f75ccf9f03 ("iio: temperature: tmp006: add triggered buffer support") Signed-off-by: Javier Carrasco Link: https://patch.msgid.link/20241204-iio_memset_scan_holes-v2-1-3f941592a76d@gmail.com Signed-off-by: Jonathan Cameron commit 64f43895b4457532a3cc524ab250b7a30739a1b1 Author: Joe Hattori Date: Wed Dec 4 20:13:42 2024 +0900 iio: inkern: call iio_device_put() only on mapped devices In the error path of iio_channel_get_all(), iio_device_put() is called on all IIO devices, which can cause a refcount imbalance. Fix this error by calling iio_device_put() only on IIO devices whose refcounts were previously incremented by iio_device_get(). Fixes: 314be14bb893 ("iio: Rename _st_ functions to loose the bit that meant the staging version.") Signed-off-by: Joe Hattori Link: https://patch.msgid.link/20241204111342.1246706-1-joe@pf.is.s.u-tokyo.ac.jp Cc: Signed-off-by: Jonathan Cameron commit 9d23e48654620fdccfcc74cc2cef04eaf7353d07 Author: Cristian Ciocaltea Date: Wed Oct 23 20:29:54 2024 +0300 phy: rockchip: samsung-hdptx: Set drvdata before enabling runtime PM In some cases, rk_hdptx_phy_runtime_resume() may be invoked before platform_set_drvdata() is executed in ->probe(), leading to a NULL pointer dereference when using the return of dev_get_drvdata(). Ensure platform_set_drvdata() is called before devm_pm_runtime_enable(). Reported-by: Dmitry Osipenko Fixes: 553be2830c5f ("phy: rockchip: Add Samsung HDMI/eDP Combo PHY driver") Signed-off-by: Cristian Ciocaltea Reviewed-by: Heiko Stuebner Link: https://lore.kernel.org/r/20241023-phy-sam-hdptx-rpm-fix-v1-1-87f4c994e346@collabora.com Signed-off-by: Vinod Koul commit 494b332064c0ce2f7392fa92632bc50191c1b517 Author: Masami Hiramatsu (Google) Date: Sat Nov 30 01:47:47 2024 +0900 tracing/eprobe: Fix to release eprobe when failed to add dyn_event Fix eprobe event to unregister event call and release eprobe when it fails to add dynamic event correctly. Link: https://lore.kernel.org/all/173289886698.73724.1959899350183686006.stgit@devnote2/ Fixes: 7491e2c44278 ("tracing: Add a probe that attaches to trace events") Signed-off-by: Masami Hiramatsu (Google) commit d8d326d64f6702caab01ea0cd48f6c0054f3d1b4 Author: Masahiro Yamada Date: Sun Dec 8 16:56:45 2024 +0900 kbuild: deb-pkg: fix build error with O= Since commit 13b25489b6f8 ("kbuild: change working directory to external module directory with M="), the Debian package build fails if a relative path is specified with the O= option. $ make O=build bindeb-pkg [ snip ] dpkg-deb: building package 'linux-image-6.13.0-rc1' in '../linux-image-6.13.0-rc1_6.13.0-rc1-6_amd64.deb'. Rebuilding host programs with x86_64-linux-gnu-gcc... make[6]: Entering directory '/home/masahiro/linux/build' /home/masahiro/linux/Makefile:190: *** specified kernel directory "build" does not exist. Stop. This occurs because the sub_make_done flag is cleared, even though the working directory is already in the output directory. Passing KBUILD_OUTPUT=. resolves the issue. Fixes: 13b25489b6f8 ("kbuild: change working directory to external module directory with M=") Reported-by: Charlie Jenkins Closes: https://lore.kernel.org/all/Z1DnP-GJcfseyrM3@ghost/ Tested-by: Charlie Jenkins Reviewed-by: Charlie Jenkins Signed-off-by: Masahiro Yamada commit 7912405643a14b527cd4a4f33c1d4392da900888 Author: Thomas Gleixner Date: Sun Dec 1 12:17:30 2024 +0100 modpost: Add .irqentry.text to OTHER_SECTIONS The compiler can fully inline the actual handler function of an interrupt entry into the .irqentry.text entry point. If such a function contains an access which has an exception table entry, modpost complains about a section mismatch: WARNING: vmlinux.o(__ex_table+0x447c): Section mismatch in reference ... The relocation at __ex_table+0x447c references section ".irqentry.text" which is not in the list of authorized sections. Add .irqentry.text to OTHER_SECTIONS to cure the issue. Reported-by: Sergey Senozhatsky Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org # needed for linux-5.4-y Link: https://lore.kernel.org/all/20241128111844.GE10431@google.com/ Signed-off-by: Masahiro Yamada commit 09310cfd4ea5c3ab2c7a610420205e0a1660bf7e Author: Dan Carpenter Date: Fri Dec 6 15:32:52 2024 +0300 rtnetlink: fix error code in rtnl_newlink() If rtnl_get_peer_net() fails, then propagate the error code. Don't return success. Fixes: 48327566769a ("rtnetlink: fix double call of rtnl_link_get_net_ifla()") Signed-off-by: Dan Carpenter Reviewed-by: Kuniyuki Iwashima Link: https://patch.msgid.link/a2d20cd4-387a-4475-887c-bb7d0e88e25a@stanley.mountain Signed-off-by: Jakub Kicinski commit ab80e715b70a5d585c922862d70cee58de9cb3cd Merge: cdd0b9132d710d 43a4166349a254 Author: Jakub Kicinski Date: Sat Dec 7 17:56:49 2024 -0800 Merge branch 'ocelot-ptp-fixes' Vladimir Oltean says: ==================== Ocelot PTP fixes This is another attempt at "net: mscc: ocelot: be resilient to loss of PTP packets during transmission". https://lore.kernel.org/netdev/20241203164755.16115-1-vladimir.oltean@nxp.com/ The central change is in patch 4/5. It recovers a port from a very reproducible condition where previously, it would become unable to take any hardware TX timestamp. Then we have patches 1/5 and 5/5 which are extra bug fixes. Patches 2/5 and 3/5 are logical changes split out of the monolithic patch previously submitted as v1, so that patch 4/5 is hopefully easier to follow. ==================== Link: https://patch.msgid.link/20241205145519.1236778-1-vladimir.oltean@nxp.com Signed-off-by: Jakub Kicinski commit 43a4166349a254446e7a3db65f721c6a30daccf3 Author: Vladimir Oltean Date: Thu Dec 5 16:55:19 2024 +0200 net: mscc: ocelot: perform error cleanup in ocelot_hwstamp_set() An unsupported RX filter will leave the port with TX timestamping still applied as per the new request, rather than the old setting. When parsing the tx_type, don't apply it just yet, but delay that until after we've parsed the rx_filter as well (and potentially returned -ERANGE for that). Similarly, copy_to_user() may fail, which is a rare occurrence, but should still be treated by unwinding what was done. Fixes: 96ca08c05838 ("net: mscc: ocelot: set up traps for PTP packets") Signed-off-by: Vladimir Oltean Link: https://patch.msgid.link/20241205145519.1236778-6-vladimir.oltean@nxp.com Signed-off-by: Jakub Kicinski commit b454abfab52543c44b581afc807b9f97fc1e7a3a Author: Vladimir Oltean Date: Thu Dec 5 16:55:18 2024 +0200 net: mscc: ocelot: be resilient to loss of PTP packets during transmission The Felix DSA driver presents unique challenges that make the simplistic ocelot PTP TX timestamping procedure unreliable: any transmitted packet may be lost in hardware before it ever leaves our local system. This may happen because there is congestion on the DSA conduit, the switch CPU port or even user port (Qdiscs like taprio may delay packets indefinitely by design). The technical problem is that the kernel, i.e. ocelot_port_add_txtstamp_skb(), runs out of timestamp IDs eventually, because it never detects that packets are lost, and keeps the IDs of the lost packets on hold indefinitely. The manifestation of the issue once the entire timestamp ID range becomes busy looks like this in dmesg: mscc_felix 0000:00:00.5: port 0 delivering skb without TX timestamp mscc_felix 0000:00:00.5: port 1 delivering skb without TX timestamp At the surface level, we need a timeout timer so that the kernel knows a timestamp ID is available again. But there is a deeper problem with the implementation, which is the monotonically increasing ocelot_port->ts_id. In the presence of packet loss, it will be impossible to detect that and reuse one of the holes created in the range of free timestamp IDs. What we actually need is a bitmap of 63 timestamp IDs tracking which one is available. That is able to use up holes caused by packet loss, but also gives us a unique opportunity to not implement an actual timer_list for the timeout timer (very complicated in terms of locking). We could only declare a timestamp ID stale on demand (lazily), aka when there's no other timestamp ID available. There are pros and cons to this approach: the implementation is much more simple than per-packet timers would be, but most of the stale packets would be quasi-leaked - not really leaked, but blocked in driver memory, since this algorithm sees no reason to free them. An improved technique would be to check for stale timestamp IDs every time we allocate a new one. Assuming a constant flux of PTP packets, this avoids stale packets being blocked in memory, but of course, packets lost at the end of the flux are still blocked until the flux resumes (nobody left to kick them out). Since implementing per-packet timers is way too complicated, this should be good enough. Testing procedure: Persistently block traffic class 5 and try to run PTP on it: $ tc qdisc replace dev swp3 parent root taprio num_tc 8 \ map 0 1 2 3 4 5 6 7 queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 \ base-time 0 sched-entry S 0xdf 100000 flags 0x2 [ 126.948141] mscc_felix 0000:00:00.5: port 3 tc 5 min gate length 0 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 1 octets including FCS $ ptp4l -i swp3 -2 -P -m --socket_priority 5 --fault_reset_interval ASAP --logSyncInterval -3 ptp4l[70.351]: port 1 (swp3): INITIALIZING to LISTENING on INIT_COMPLETE ptp4l[70.354]: port 0 (/var/run/ptp4l): INITIALIZING to LISTENING on INIT_COMPLETE ptp4l[70.358]: port 0 (/var/run/ptp4lro): INITIALIZING to LISTENING on INIT_COMPLETE [ 70.394583] mscc_felix 0000:00:00.5: port 3 timestamp id 0 ptp4l[70.406]: timed out while polling for tx timestamp ptp4l[70.406]: increasing tx_timestamp_timeout or increasing kworker priority may correct this issue, but a driver bug likely causes it ptp4l[70.406]: port 1 (swp3): send peer delay response failed ptp4l[70.407]: port 1 (swp3): clearing fault immediately ptp4l[70.952]: port 1 (swp3): new foreign master d858d7.fffe.00ca6d-1 [ 71.394858] mscc_felix 0000:00:00.5: port 3 timestamp id 1 ptp4l[71.400]: timed out while polling for tx timestamp ptp4l[71.400]: increasing tx_timestamp_timeout or increasing kworker priority may correct this issue, but a driver bug likely causes it ptp4l[71.401]: port 1 (swp3): send peer delay response failed ptp4l[71.401]: port 1 (swp3): clearing fault immediately [ 72.393616] mscc_felix 0000:00:00.5: port 3 timestamp id 2 ptp4l[72.401]: timed out while polling for tx timestamp ptp4l[72.402]: increasing tx_timestamp_timeout or increasing kworker priority may correct this issue, but a driver bug likely causes it ptp4l[72.402]: port 1 (swp3): send peer delay response failed ptp4l[72.402]: port 1 (swp3): clearing fault immediately ptp4l[72.952]: port 1 (swp3): new foreign master d858d7.fffe.00ca6d-1 [ 73.395291] mscc_felix 0000:00:00.5: port 3 timestamp id 3 ptp4l[73.400]: timed out while polling for tx timestamp ptp4l[73.400]: increasing tx_timestamp_timeout or increasing kworker priority may correct this issue, but a driver bug likely causes it ptp4l[73.400]: port 1 (swp3): send peer delay response failed ptp4l[73.400]: port 1 (swp3): clearing fault immediately [ 74.394282] mscc_felix 0000:00:00.5: port 3 timestamp id 4 ptp4l[74.400]: timed out while polling for tx timestamp ptp4l[74.401]: increasing tx_timestamp_timeout or increasing kworker priority may correct this issue, but a driver bug likely causes it ptp4l[74.401]: port 1 (swp3): send peer delay response failed ptp4l[74.401]: port 1 (swp3): clearing fault immediately ptp4l[74.953]: port 1 (swp3): new foreign master d858d7.fffe.00ca6d-1 [ 75.396830] mscc_felix 0000:00:00.5: port 3 invalidating stale timestamp ID 0 which seems lost [ 75.405760] mscc_felix 0000:00:00.5: port 3 timestamp id 0 ptp4l[75.410]: timed out while polling for tx timestamp ptp4l[75.411]: increasing tx_timestamp_timeout or increasing kworker priority may correct this issue, but a driver bug likely causes it ptp4l[75.411]: port 1 (swp3): send peer delay response failed ptp4l[75.411]: port 1 (swp3): clearing fault immediately (...) Remove the blocking condition and see that the port recovers: $ same tc command as above, but use "sched-entry S 0xff" instead $ same ptp4l command as above ptp4l[99.489]: port 1 (swp3): INITIALIZING to LISTENING on INIT_COMPLETE ptp4l[99.490]: port 0 (/var/run/ptp4l): INITIALIZING to LISTENING on INIT_COMPLETE ptp4l[99.492]: port 0 (/var/run/ptp4lro): INITIALIZING to LISTENING on INIT_COMPLETE [ 100.403768] mscc_felix 0000:00:00.5: port 3 invalidating stale timestamp ID 0 which seems lost [ 100.412545] mscc_felix 0000:00:00.5: port 3 invalidating stale timestamp ID 1 which seems lost [ 100.421283] mscc_felix 0000:00:00.5: port 3 invalidating stale timestamp ID 2 which seems lost [ 100.430015] mscc_felix 0000:00:00.5: port 3 invalidating stale timestamp ID 3 which seems lost [ 100.438744] mscc_felix 0000:00:00.5: port 3 invalidating stale timestamp ID 4 which seems lost [ 100.447470] mscc_felix 0000:00:00.5: port 3 timestamp id 0 [ 100.505919] mscc_felix 0000:00:00.5: port 3 timestamp id 0 ptp4l[100.963]: port 1 (swp3): new foreign master d858d7.fffe.00ca6d-1 [ 101.405077] mscc_felix 0000:00:00.5: port 3 timestamp id 0 [ 101.507953] mscc_felix 0000:00:00.5: port 3 timestamp id 0 [ 102.405405] mscc_felix 0000:00:00.5: port 3 timestamp id 0 [ 102.509391] mscc_felix 0000:00:00.5: port 3 timestamp id 0 [ 103.406003] mscc_felix 0000:00:00.5: port 3 timestamp id 0 [ 103.510011] mscc_felix 0000:00:00.5: port 3 timestamp id 0 [ 104.405601] mscc_felix 0000:00:00.5: port 3 timestamp id 0 [ 104.510624] mscc_felix 0000:00:00.5: port 3 timestamp id 0 ptp4l[104.965]: selected best master clock d858d7.fffe.00ca6d ptp4l[104.966]: port 1 (swp3): assuming the grand master role ptp4l[104.967]: port 1 (swp3): LISTENING to GRAND_MASTER on RS_GRAND_MASTER [ 105.106201] mscc_felix 0000:00:00.5: port 3 timestamp id 0 [ 105.232420] mscc_felix 0000:00:00.5: port 3 timestamp id 0 [ 105.359001] mscc_felix 0000:00:00.5: port 3 timestamp id 0 [ 105.405500] mscc_felix 0000:00:00.5: port 3 timestamp id 0 [ 105.485356] mscc_felix 0000:00:00.5: port 3 timestamp id 0 [ 105.511220] mscc_felix 0000:00:00.5: port 3 timestamp id 0 [ 105.610938] mscc_felix 0000:00:00.5: port 3 timestamp id 0 [ 105.737237] mscc_felix 0000:00:00.5: port 3 timestamp id 0 (...) Notice that in this new usage pattern, a non-congested port should basically use timestamp ID 0 all the time, progressing to higher numbers only if there are unacknowledged timestamps in flight. Compare this to the old usage, where the timestamp ID used to monotonically increase modulo OCELOT_MAX_PTP_ID. In terms of implementation, this simplifies the bookkeeping of the ocelot_port :: ts_id and ptp_skbs_in_flight. Since we need to traverse the list of two-step timestampable skbs for each new packet anyway, the information can already be computed and does not need to be stored. Also, ocelot_port->tx_skbs is always accessed under the switch-wide ocelot->ts_id_lock IRQ-unsafe spinlock, so we don't need the skb queue's lock and can use the unlocked primitives safely. This problem was actually detected using the tc-taprio offload, and is causing trouble in TSN scenarios, which Felix (NXP LS1028A / VSC9959) supports but Ocelot (VSC7514) does not. Thus, I've selected the commit to blame as the one adding initial timestamping support for the Felix switch. Fixes: c0bcf537667c ("net: dsa: ocelot: add hardware timestamping support for Felix") Signed-off-by: Vladimir Oltean Link: https://patch.msgid.link/20241205145519.1236778-5-vladimir.oltean@nxp.com Signed-off-by: Jakub Kicinski commit 0c53cdb95eb4a604062e326636971d96dd9b1b26 Author: Vladimir Oltean Date: Thu Dec 5 16:55:17 2024 +0200 net: mscc: ocelot: ocelot->ts_id_lock and ocelot_port->tx_skbs.lock are IRQ-safe ocelot_get_txtstamp() is a threaded IRQ handler, requested explicitly as such by both ocelot_ptp_rdy_irq_handler() and vsc9959_irq_handler(). As such, it runs with IRQs enabled, and not in hardirq context. Thus, ocelot_port_add_txtstamp_skb() has no reason to turn off IRQs, it cannot be preempted by ocelot_get_txtstamp(). For the same reason, dev_kfree_skb_any_reason() will always evaluate as kfree_skb_reason() in this calling context, so just simplify the dev_kfree_skb_any() call to kfree_skb(). Also, ocelot_port_txtstamp_request() runs from NET_TX softirq context, not with hardirqs enabled. Thus, ocelot_get_txtstamp() which shares the ocelot_port->tx_skbs.lock lock with it, has no reason to disable hardirqs. This is part of a larger rework of the TX timestamping procedure. A logical subportion of the rework has been split into a separate change. Signed-off-by: Vladimir Oltean Link: https://patch.msgid.link/20241205145519.1236778-4-vladimir.oltean@nxp.com Signed-off-by: Jakub Kicinski commit b6fba4b3f0becb794e274430f3a0839d8ba31262 Author: Vladimir Oltean Date: Thu Dec 5 16:55:16 2024 +0200 net: mscc: ocelot: improve handling of TX timestamp for unknown skb This condition, theoretically impossible to trigger, is not really handled well. By "continuing", we are skipping the write to SYS_PTP_NXT which advances the timestamp FIFO to the next entry. So we are reading the same FIFO entry all over again, printing stack traces and eventually killing the kernel. No real problem has been observed here. This is part of a larger rework of the timestamp IRQ procedure, with this logical change split out into a patch of its own. We will need to "goto next_ts" for other conditions as well. Fixes: 9fde506e0c53 ("net: mscc: ocelot: warn when a PTP IRQ is raised for an unknown skb") Signed-off-by: Vladimir Oltean Link: https://patch.msgid.link/20241205145519.1236778-3-vladimir.oltean@nxp.com Signed-off-by: Jakub Kicinski commit 4b01bec25bef62544228bce06db6a3afa5d3d6bb Author: Vladimir Oltean Date: Thu Dec 5 16:55:15 2024 +0200 net: mscc: ocelot: fix memory leak on ocelot_port_add_txtstamp_skb() If ocelot_port_add_txtstamp_skb() fails, for example due to a full PTP timestamp FIFO, we must undo the skb_clone_sk() call with kfree_skb(). Otherwise, the reference to the skb clone is lost. Fixes: 52849bcf0029 ("net: mscc: ocelot: avoid overflowing the PTP timestamp FIFO") Signed-off-by: Vladimir Oltean Link: https://patch.msgid.link/20241205145519.1236778-2-vladimir.oltean@nxp.com Signed-off-by: Jakub Kicinski commit cdd0b9132d710d41da2e7d15af8e0da2aca7a22c Author: Kuniyuki Iwashima Date: Fri Dec 6 11:07:15 2024 +0900 ip: Return drop reason if in_dev is NULL in ip_route_input_rcu(). syzkaller reported a warning in __sk_skb_reason_drop(). Commit 61b95c70f344 ("net: ip: make ip_route_input_rcu() return drop reasons") missed a path where -EINVAL is returned. Then, the cited commit started to trigger the warning with the invalid error. Let's fix it by returning SKB_DROP_REASON_NOT_SPECIFIED. [0]: WARNING: CPU: 0 PID: 10 at net/core/skbuff.c:1216 __sk_skb_reason_drop net/core/skbuff.c:1216 [inline] WARNING: CPU: 0 PID: 10 at net/core/skbuff.c:1216 sk_skb_reason_drop+0x97/0x1b0 net/core/skbuff.c:1241 Modules linked in: CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.12.0-10686-gbb18265c3aba #10 1c308307628619808b5a4a0495c4aab5637b0551 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 Workqueue: wg-crypt-wg2 wg_packet_decrypt_worker RIP: 0010:__sk_skb_reason_drop net/core/skbuff.c:1216 [inline] RIP: 0010:sk_skb_reason_drop+0x97/0x1b0 net/core/skbuff.c:1241 Code: 5d 41 5c 41 5d 41 5e e9 e7 9e 95 fd e8 e2 9e 95 fd 31 ff 44 89 e6 e8 58 a1 95 fd 45 85 e4 0f 85 a2 00 00 00 e8 ca 9e 95 fd 90 <0f> 0b 90 e8 c1 9e 95 fd 44 89 e6 bf 01 00 00 00 e8 34 a1 95 fd 41 RSP: 0018:ffa0000000007650 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 000000000000ffff RCX: ffffffff83bc3592 RDX: ff110001002a0000 RSI: ffffffff83bc34d6 RDI: 0000000000000007 RBP: ff11000109ee85f0 R08: 0000000000000001 R09: ffe21c00213dd0da R10: 000000000000ffff R11: 0000000000000000 R12: 00000000ffffffea R13: 0000000000000000 R14: ff11000109ee86d4 R15: ff11000109ee8648 FS: 0000000000000000(0000) GS:ff1100011a000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020177000 CR3: 0000000108a3d006 CR4: 0000000000771ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000600 PKRU: 55555554 Call Trace: kfree_skb_reason include/linux/skbuff.h:1263 [inline] ip_rcv_finish_core.constprop.0+0x896/0x2320 net/ipv4/ip_input.c:424 ip_list_rcv_finish.constprop.0+0x1b2/0x710 net/ipv4/ip_input.c:610 ip_sublist_rcv net/ipv4/ip_input.c:636 [inline] ip_list_rcv+0x34a/0x460 net/ipv4/ip_input.c:670 __netif_receive_skb_list_ptype net/core/dev.c:5715 [inline] __netif_receive_skb_list_core+0x536/0x900 net/core/dev.c:5762 __netif_receive_skb_list net/core/dev.c:5814 [inline] netif_receive_skb_list_internal+0x77c/0xdc0 net/core/dev.c:5905 gro_normal_list include/net/gro.h:515 [inline] gro_normal_list include/net/gro.h:511 [inline] napi_complete_done+0x219/0x8c0 net/core/dev.c:6256 wg_packet_rx_poll+0xbff/0x1e40 drivers/net/wireguard/receive.c:488 __napi_poll.constprop.0+0xb3/0x530 net/core/dev.c:6877 napi_poll net/core/dev.c:6946 [inline] net_rx_action+0x9eb/0xe30 net/core/dev.c:7068 handle_softirqs+0x1ac/0x740 kernel/softirq.c:554 do_softirq kernel/softirq.c:455 [inline] do_softirq+0x48/0x80 kernel/softirq.c:442 __local_bh_enable_ip+0xed/0x110 kernel/softirq.c:382 spin_unlock_bh include/linux/spinlock.h:396 [inline] ptr_ring_consume_bh include/linux/ptr_ring.h:367 [inline] wg_packet_decrypt_worker+0x3ba/0x580 drivers/net/wireguard/receive.c:499 process_one_work+0x940/0x1a70 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x639/0xe30 kernel/workqueue.c:3391 kthread+0x283/0x350 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244 Fixes: 82d9983ebeb8 ("net: ip: make ip_route_input_noref() return drop reasons") Reported-by: syzkaller Signed-off-by: Kuniyuki Iwashima Reviewed-by: David Ahern Link: https://patch.msgid.link/20241206020715.80207-1-kuniyu@amazon.com Signed-off-by: Jakub Kicinski commit 4c49f38e20a57f8abaebdf95b369295b153d1f8e Author: Russell King (Oracle) Date: Fri Dec 6 12:40:11 2024 +0000 net: stmmac: fix TSO DMA API usage causing oops Commit 66600fac7a98 ("net: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data") moved the assignment of tx_skbuff_dma[]'s members to be later in stmmac_tso_xmit(). The buf (dma cookie) and len stored in this structure are passed to dma_unmap_single() by stmmac_tx_clean(). The DMA API requires that the dma cookie passed to dma_unmap_single() is the same as the value returned from dma_map_single(). However, by moving the assignment later, this is not the case when priv->dma_cap.addr64 > 32 as "des" is offset by proto_hdr_len. This causes problems such as: dwc-eth-dwmac 2490000.ethernet eth0: Tx DMA map failed and with DMA_API_DEBUG enabled: DMA-API: dwc-eth-dwmac 2490000.ethernet: device driver tries to +free DMA memory it has not allocated [device address=0x000000ffffcf65c0] [size=66 bytes] Fix this by maintaining "des" as the original DMA cookie, and use tso_des to pass the offset DMA cookie to stmmac_tso_allocator(). Full details of the crashes can be found at: https://lore.kernel.org/all/d8112193-0386-4e14-b516-37c2d838171a@nvidia.com/ https://lore.kernel.org/all/klkzp5yn5kq5efgtrow6wbvnc46bcqfxs65nz3qy77ujr5turc@bwwhelz2l4dw/ Reported-by: Jon Hunter Reported-by: Thierry Reding Fixes: 66600fac7a98 ("net: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data") Tested-by: Jon Hunter Signed-off-by: Russell King (Oracle) Reviewed-by: Furong Xu <0x1207@gmail.com> Link: https://patch.msgid.link/E1tJXcx-006N4Z-PC@rmk-PC.armlinux.org.uk Signed-off-by: Jakub Kicinski commit 62b5a46999c74497fe10eabd7d19701c505b23e3 Merge: c94cd0248ced49 c32b624fa4f7ca Author: Linus Torvalds Date: Sat Dec 7 17:27:25 2024 -0800 Merge tag '6.13-rc1-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6 Pull smb client fixes from Steve French: - DFS fix (for race with tree disconnect and dfs cache worker) - Four fixes for SMB3.1.1 posix extensions: - improve special file support e.g. to Samba, retrieving the file type earlier - reduce roundtrips (e.g. on ls -l, in some cases) * tag '6.13-rc1-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6: smb: client: fix potential race in cifs_put_tcon() smb3.1.1: fix posix mounts to older servers fs/smb/client: cifs_prime_dcache() for SMB3 POSIX reparse points fs/smb/client: Implement new SMB3 POSIX type fs/smb/client: avoid querying SMB2_OP_QUERY_WSL_EA for SMB3 POSIX commit c94cd0248ced494e0bcf82b21380e8037c4dd26b Merge: 7503345ac5f5e8 6918141d815ace Author: Linus Torvalds Date: Sat Dec 7 17:17:38 2024 -0800 Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi Pull SCSI fixes from James Bottomley: "Large number of small fixes, all in drivers" * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: (32 commits) scsi: scsi_debug: Fix hrtimer support for ndelay scsi: storvsc: Do not flag MAINTENANCE_IN return of SRB_STATUS_DATA_OVERRUN as an error scsi: ufs: core: Add missing post notify for power mode change scsi: sg: Fix slab-use-after-free read in sg_release() scsi: ufs: core: sysfs: Prevent div by zero scsi: qla2xxx: Update version to 10.02.09.400-k scsi: qla2xxx: Supported speed displayed incorrectly for VPorts scsi: qla2xxx: Fix NVMe and NPIV connect issue scsi: qla2xxx: Remove check req_sg_cnt should be equal to rsp_sg_cnt scsi: qla2xxx: Fix use after free on unload scsi: qla2xxx: Fix abort in bsg timeout scsi: mpi3mr: Update driver version to 8.12.0.3.50 scsi: mpi3mr: Handling of fault code for insufficient power scsi: mpi3mr: Start controller indexing from 0 scsi: mpi3mr: Fix corrupt config pages PHY state is switched in sysfs scsi: mpi3mr: Synchronize access to ioctl data buffer scsi: mpt3sas: Update driver version to 51.100.00.00 scsi: mpt3sas: Diag-Reset when Doorbell-In-Use bit is set during driver load time scsi: ufs: pltfrm: Dellocate HBA during ufshcd_pltfrm_remove() scsi: ufs: pltfrm: Drop PM runtime reference count after ufshcd_remove() ... commit 7503345ac5f5e82fd9a36d6e6b447c016376403a Merge: aa0274d261cc50 22465bbac53c82 Author: Linus Torvalds Date: Sat Dec 7 10:07:05 2024 -0800 Merge tag 'block-6.13-20241207' of git://git.kernel.dk/linux Pull block fixes from Jens Axboe: - NVMe pull request via Keith: - Target fix using incorrect zero buffer (Nilay) - Device specifc deallocate quirk fixes (Christoph, Keith) - Fabrics fix for handling max command target bugs (Maurizio) - Cocci fix usage for kzalloc (Yu-Chen) - DMA size fix for host memory buffer feature (Christoph) - Fabrics queue cleanup fixes (Chunguang) - CPU hotplug ordering fixes - Add missing MODULE_DESCRIPTION for rnull - bcache error value fix - virtio-blk queue freeze fix * tag 'block-6.13-20241207' of git://git.kernel.dk/linux: blk-mq: move cpuhp callback registering out of q->sysfs_lock blk-mq: register cpuhp callback after hctx is added to xarray table virtio-blk: don't keep queue frozen during system suspend nvme-tcp: simplify nvme_tcp_teardown_io_queues() nvme-tcp: no need to quiesce admin_q in nvme_tcp_teardown_io_queues() nvme-rdma: unquiesce admin_q before destroy it nvme-tcp: fix the memleak while create new ctrl failed nvme-pci: don't use dma_alloc_noncontiguous with 0 merge boundary nvmet: replace kmalloc + memset with kzalloc for data allocation nvme-fabrics: handle zero MAXCMD without closing the connection bcache: revert replacing IS_ERR_OR_NULL with IS_ERR again nvme-pci: remove two deallocate zeroes quirks block: rnull: add missing MODULE_DESCRIPTION nvme: don't apply NVME_QUIRK_DEALLOCATE_ZEROES when DSM is not supported nvmet: use kzalloc instead of ZERO_PAGE in nvme_execute_identify_ns_nvm() commit aa0274d261cc50af416883effdab505fad400485 Merge: a6db2a5d7df3e5 a07d2d7930c75e Author: Linus Torvalds Date: Sat Dec 7 10:01:13 2024 -0800 Merge tag 'io_uring-6.13-20241207' of git://git.kernel.dk/linux Pull io_uring fix from Jens Axboe: "A single fix for a parameter type which affects 32-bit" * tag 'io_uring-6.13-20241207' of git://git.kernel.dk/linux: io_uring: Change res2 parameter type in io_uring_cmd_done commit a6db2a5d7df3e577c268ba7955eb48e913424599 Merge: b5f217084ab3dd b29bf7119d6bbf Author: Linus Torvalds Date: Sat Dec 7 09:57:38 2024 -0800 Merge tag 'ubifs-for-linus-6.13-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/ubifs Pull jffs2 fix from Richard Weinberger: - Fixup rtime compressor bounds checking * tag 'ubifs-for-linus-6.13-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/ubifs: jffs2: Fix rtime decompressor commit bbf6b6d53e29b6db4f31eb25b5533a12b9134302 Author: Christophe JAILLET Date: Fri Dec 6 17:39:28 2024 +0100 iio: adc: ad9467: Fix the "don't allow reading vref if not available" case The commit in Fixes adds a special case when only one possible scale is available. If several scales are available, it sets the .read_avail field of the struct iio_info to ad9467_read_avail(). However, this field already holds this function pointer, so the code is a no-op. Use another struct iio_info instead to actually reflect the intent described in the commit message. This way, the structure to use is selected at runtime and they can be kept as const. This is safer because modifying static structs that are shared between all instances like this, based on the properties of a single instance, is asking for trouble down the road. Fixes: b92f94f74826 ("iio: adc: ad9467: don't allow reading vref if not available") Signed-off-by: Christophe JAILLET Link: https://patch.msgid.link/cc65da19e0578823d29e11996f86042e84d5715c.1733503146.git.christophe.jaillet@wanadoo.fr Signed-off-by: Jonathan Cameron commit de6a73bad1743e9e81ea5a24c178c67429ff510b Author: Joe Hattori Date: Sat Dec 7 13:30:45 2024 +0900 iio: adc: at91: call input_free_device() on allocated iio_dev Current implementation of at91_ts_register() calls input_free_deivce() on st->ts_input, however, the err label can be reached before the allocated iio_dev is stored to st->ts_input. Thus call input_free_device() on input instead of st->ts_input. Fixes: 84882b060301 ("iio: adc: at91_adc: Add support for touchscreens without TSMR") Signed-off-by: Joe Hattori Link: https://patch.msgid.link/20241207043045.1255409-1-joe@pf.is.s.u-tokyo.ac.jp Cc: Signed-off-by: Jonathan Cameron commit 36a44e05cd807a54e5ffad4b96d0d67f68ad8576 Author: David Lechner Date: Wed Nov 27 14:01:53 2024 -0600 iio: adc: ad7173: fix using shared static info struct Fix a possible race condition during driver probe in the ad7173 driver due to using a shared static info struct. If more that one instance of the driver is probed at the same time, some of the info could be overwritten by the other instance, leading to incorrect operation. To fix this, make the static info struct const so that it is read-only and make a copy of the info struct for each instance of the driver that can be modified. Reported-by: Uwe Kleine-König Fixes: 76a1e6a42802 ("iio: adc: ad7173: add AD7173 driver") Signed-off-by: David Lechner Tested-by: Guillaume Ranquet Link: https://patch.msgid.link/20241127-iio-adc-ad7313-fix-non-const-info-struct-v2-1-b6d7022b7466@baylibre.com Cc: Signed-off-by: Jonathan Cameron commit 2a8e34096ec70d73ebb6d9920688ea312700cbd9 Author: Fabio Estevam Date: Fri Nov 22 13:43:08 2024 -0300 iio: adc: ti-ads124s08: Use gpiod_set_value_cansleep() Using gpiod_set_value() to control the reset GPIO causes some verbose warnings during boot when the reset GPIO is controlled by an I2C IO expander. As the caller can sleep, use the gpiod_set_value_cansleep() variant to fix the issue. Tested on a custom i.MX93 board with a ADS124S08 ADC. Cc: stable@kernel.org Fixes: e717f8c6dfec ("iio: adc: Add the TI ads124s08 ADC code") Signed-off-by: Fabio Estevam Link: https://patch.msgid.link/20241122164308.390340-1-festevam@gmail.com Signed-off-by: Jonathan Cameron commit 75f339d3ecd38cb1ce05357d647189d4a7f7ed08 Author: Javier Carrasco Date: Mon Nov 25 22:16:10 2024 +0100 iio: adc: ti-ads1119: fix information leak in triggered buffer The 'scan' local struct is used to push data to user space from a triggered buffer, but it has a hole between the sample (unsigned int) and the timestamp. This hole is never initialized. Initialize the struct to zero before using it to avoid pushing uninitialized information to userspace. Cc: stable@vger.kernel.org Fixes: a9306887eba4 ("iio: adc: ti-ads1119: Add driver") Signed-off-by: Javier Carrasco Reviewed-by: Francesco Dolcini Link: https://patch.msgid.link/20241125-iio_memset_scan_holes-v1-2-0cb6e98d895c@gmail.com Signed-off-by: Jonathan Cameron commit 6007d10c5262f6f71479627c1216899ea7f09073 Author: Javier Carrasco Date: Mon Nov 25 22:16:11 2024 +0100 iio: pressure: zpa2326: fix information leak in triggered buffer The 'sample' local struct is used to push data to user space from a triggered buffer, but it has a hole between the temperature and the timestamp (u32 pressure, u16 temperature, GAP, u64 timestamp). This hole is never initialized. Initialize the struct to zero before using it to avoid pushing uninitialized information to userspace. Cc: stable@vger.kernel.org Fixes: 03b262f2bbf4 ("iio:pressure: initial zpa2326 barometer support") Signed-off-by: Javier Carrasco Link: https://patch.msgid.link/20241125-iio_memset_scan_holes-v1-3-0cb6e98d895c@gmail.com Signed-off-by: Jonathan Cameron commit 38724591364e1e3b278b4053f102b49ea06ee17c Author: Javier Carrasco Date: Mon Nov 25 22:16:12 2024 +0100 iio: adc: rockchip_saradc: fix information leak in triggered buffer The 'data' local struct is used to push data to user space from a triggered buffer, but it does not set values for inactive channels, as it only uses iio_for_each_active_channel() to assign new values. Initialize the struct to zero before using it to avoid pushing uninitialized information to userspace. Cc: stable@vger.kernel.org Fixes: 4e130dc7b413 ("iio: adc: rockchip_saradc: Add support iio buffers") Signed-off-by: Javier Carrasco Link: https://patch.msgid.link/20241125-iio_memset_scan_holes-v1-4-0cb6e98d895c@gmail.com Signed-off-by: Jonathan Cameron commit 6ae053113f6a226a2303caa4936a4c37f3bfff7b Author: Javier Carrasco Date: Mon Nov 25 22:16:13 2024 +0100 iio: imu: kmx61: fix information leak in triggered buffer The 'buffer' local array is used to push data to user space from a triggered buffer, but it does not set values for inactive channels, as it only uses iio_for_each_active_channel() to assign new values. Initialize the array to zero before using it to avoid pushing uninitialized information to userspace. Cc: stable@vger.kernel.org Fixes: c3a23ecc0901 ("iio: imu: kmx61: Add support for data ready triggers") Signed-off-by: Javier Carrasco Link: https://patch.msgid.link/20241125-iio_memset_scan_holes-v1-5-0cb6e98d895c@gmail.com Signed-off-by: Jonathan Cameron commit 47b43e53c0a0edf5578d5d12f5fc71c019649279 Author: Javier Carrasco Date: Mon Nov 25 22:16:14 2024 +0100 iio: light: vcnl4035: fix information leak in triggered buffer The 'buffer' local array is used to push data to userspace from a triggered buffer, but it does not set an initial value for the single data element, which is an u16 aligned to 8 bytes. That leaves at least 4 bytes uninitialized even after writing an integer value with regmap_read(). Initialize the array to zero before using it to avoid pushing uninitialized information to userspace. Cc: stable@vger.kernel.org Fixes: ec90b52c07c0 ("iio: light: vcnl4035: Fix buffer alignment in iio_push_to_buffers_with_timestamp()") Signed-off-by: Javier Carrasco Link: https://patch.msgid.link/20241125-iio_memset_scan_holes-v1-6-0cb6e98d895c@gmail.com Signed-off-by: Jonathan Cameron commit b62fbe3b8eedd3cf3c9ad0b7cb9f72c3f40815f0 Author: Javier Carrasco Date: Mon Nov 25 22:16:15 2024 +0100 iio: light: bh1745: fix information leak in triggered buffer The 'scan' local struct is used to push data to user space from a triggered buffer, but it does not set values for inactive channels, as it only uses iio_for_each_active_channel() to assign new values. Initialize the struct to zero before using it to avoid pushing uninitialized information to userspace. Cc: stable@vger.kernel.org Fixes: eab35358aae7 ("iio: light: ROHM BH1745 colour sensor") Signed-off-by: Javier Carrasco Link: https://patch.msgid.link/20241125-iio_memset_scan_holes-v1-7-0cb6e98d895c@gmail.com Signed-off-by: Jonathan Cameron commit 2a7377ccfd940cd6e9201756aff1e7852c266e69 Author: Javier Carrasco Date: Mon Nov 25 22:16:16 2024 +0100 iio: adc: ti-ads8688: fix information leak in triggered buffer The 'buffer' local array is used to push data to user space from a triggered buffer, but it does not set values for inactive channels, as it only uses iio_for_each_active_channel() to assign new values. Initialize the array to zero before using it to avoid pushing uninitialized information to userspace. Cc: stable@vger.kernel.org Fixes: 61fa5dfa5f52 ("iio: adc: ti-ads8688: Fix alignment of buffer in iio_push_to_buffers_with_timestamp()") Signed-off-by: Javier Carrasco Link: https://patch.msgid.link/20241125-iio_memset_scan_holes-v1-8-0cb6e98d895c@gmail.com Signed-off-by: Jonathan Cameron commit 333be433ee908a53f283beb95585dfc14c8ffb46 Author: Javier Carrasco Date: Mon Nov 25 22:16:17 2024 +0100 iio: dummy: iio_simply_dummy_buffer: fix information leak in triggered buffer The 'data' array is allocated via kmalloc() and it is used to push data to user space from a triggered buffer, but it does not set values for inactive channels, as it only uses iio_for_each_active_channel() to assign new values. Use kzalloc for the memory allocation to avoid pushing uninitialized information to userspace. Cc: stable@vger.kernel.org Fixes: 415f79244757 ("iio: Move IIO Dummy Driver out of staging") Signed-off-by: Javier Carrasco Link: https://patch.msgid.link/20241125-iio_memset_scan_holes-v1-9-0cb6e98d895c@gmail.com Signed-off-by: Jonathan Cameron commit fbeba4364c5619428714625a70cd8444e6b1e4fd Author: Matti Vaittinen Date: Thu Nov 28 10:46:29 2024 +0200 iio: test: Fix GTS test config The test config contained a copy-paste error. The IIO GTS helper test was errorneously titled as "Test IIO formatting functions" in the menuconfig. Change the title of the tests to reflect what is tested. Fixes: cf996f039679 ("iio: test: test gain-time-scale helpers") Signed-off-by: Matti Vaittinen Link: https://patch.msgid.link/Z0gt5R86WdeK73u2@mva-rohm Signed-off-by: Jonathan Cameron commit 55d82a7ac7e9432d2c92ed485c29aad0aa99281d Author: Sean Nyekjaer Date: Fri Nov 29 15:54:42 2024 +0100 dt-bindings: iio: st-sensors: Re-add IIS2MDC magnetometer "iio: st-sensors: Update ST Sensor bindings" accidentially dropped the compatible for the IIS2MDC magnetometer. Fixes: 0cd71145803d ("iio: st-sensors: Update ST Sensor bindings") Signed-off-by: Sean Nyekjaer Acked-by: Conor Dooley Link: https://patch.msgid.link/20241129-stmagdt-v1-1-963f0347fb0a@geanix.com Signed-off-by: Jonathan Cameron commit bcb394bb28e55312cace75362b8e489eb0e02a30 Author: Charles Han Date: Mon Nov 18 17:02:08 2024 +0800 iio: adc: ti-ads1298: Add NULL check in ads1298_init devm_kasprintf() can return a NULL pointer on failure. A check on the return value of such a call in ads1298_init() is missing. Add it. Fixes: 00ef7708fa60 ("iio: adc: ti-ads1298: Add driver") Signed-off-by: Charles Han Link: https://patch.msgid.link/20241118090208.14586-1-hanchunchao@inspur.com Cc: Signed-off-by: Jonathan Cameron commit ad8479ac083b841da42975d79288b25c088c5cc3 Author: Olivier Moysan Date: Thu Nov 14 11:24:59 2024 +0100 iio: adc: stm32-dfsdm: handle label as an optional property The label property is defined as optional in the DFSDM binding. Parse the label property only when it is defined in the device tree. Fixes: 3208fa0cd919 ("iio: adc: stm32-dfsdm: adopt generic channels bindings") Signed-off-by: Olivier Moysan Link: https://patch.msgid.link/20241114102459.2497178-1-olivier.moysan@foss.st.com Signed-off-by: Jonathan Cameron commit dddfd0c489e9a3fde98fedda8832cb9ecaae3abf Author: Trevor Gamblin Date: Wed Nov 13 15:52:58 2024 -0500 iio: adc: ad4695: fix buffered read, single sample timings Modify ad4695_buffer_preenable() by adding an extra SPI transfer after each data read to help ensure that the timing requirement between the last SCLK rising edge and the next CNV rising edge is met. This requires a restructure of the buf_read_xfer array in ad4695_state. Also define AD4695_T_SCK_CNV_DELAY_NS to use for each added transfer. Without this change it is possible for the data to become corrupted on sequential buffered reads due to the device not properly exiting conversion mode. Similarly, make adjustments to ad4695_read_one_sample() so that timings are respected, and clean up the function slightly in the process. Fixes: 6cc7e4bf2e08 ("iio: adc: ad4695: implement triggered buffer") Co-developed-by: David Lechner Signed-off-by: David Lechner Signed-off-by: Trevor Gamblin Reviewed-by: David Lechner Tested-by: David Lechner Link: https://patch.msgid.link/20241113-tgamblin-ad4695_improvements-v2-1-b6bb7c758fc4@baylibre.com Signed-off-by: Jonathan Cameron commit 65a60a590142c54a3f3be11ff162db2d5b0e1e06 Author: Jean-Baptiste Maneyrol Date: Wed Nov 13 21:25:45 2024 +0100 iio: imu: inv_icm42600: fix timestamps after suspend if sensor is on Currently suspending while sensors are one will result in timestamping continuing without gap at resume. It can work with monotonic clock but not with other clocks. Fix that by resetting timestamping. Fixes: ec74ae9fd37c ("iio: imu: inv_icm42600: add accurate timestamping") Cc: stable@vger.kernel.org Signed-off-by: Jean-Baptiste Maneyrol Link: https://patch.msgid.link/20241113-inv_icm42600-fix-timestamps-after-suspend-v1-1-dfc77c394173@tdk.com Signed-off-by: Jonathan Cameron commit c0f866de4ce447bca3191b9cefac60c4b36a7922 Author: Jean-Baptiste Maneyrol Date: Tue Nov 12 10:30:10 2024 +0100 iio: imu: inv_icm42600: fix spi burst write not supported Burst write with SPI is not working for all icm42600 chips. It was only used for setting user offsets with regmap_bulk_write. Add specific SPI regmap config for using only single write with SPI. Fixes: 9f9ff91b775b ("iio: imu: inv_icm42600: add SPI driver for inv_icm42600 driver") Cc: stable@vger.kernel.org Signed-off-by: Jean-Baptiste Maneyrol Link: https://patch.msgid.link/20241112-inv-icm42600-fix-spi-burst-write-not-supported-v2-1-97690dc03607@tdk.com Signed-off-by: Jonathan Cameron commit fa13ac6cdf9b6c358e7d77c29fb60145c7a87965 Author: Carlos Song Date: Sat Nov 16 10:29:45 2024 -0500 iio: gyro: fxas21002c: Fix missing data update in trigger handler The fxas21002c_trigger_handler() may fail to acquire sample data because the runtime PM enters the autosuspend state and sensor can not return sample data in standby mode.. Resume the sensor before reading the sample data into the buffer within the trigger handler. After the data is read, place the sensor back into the autosuspend state. Fixes: a0701b6263ae ("iio: gyro: add core driver for fxas21002c") Signed-off-by: Carlos Song Signed-off-by: Frank Li Link: https://patch.msgid.link/20241116152945.4006374-1-Frank.Li@nxp.com Cc: Signed-off-by: Jonathan Cameron commit aaa90d0751071d38f3e74c4e14bc1083abcb0c15 Author: Pei Xiao Date: Wed Oct 30 11:48:54 2024 +0800 iio: test : check null return of kunit_kmalloc in iio_rescale_test_scale kunit_kmalloc may fail, return value might be NULL and will cause NULL pointer dereference.Add KUNIT_ASSERT_NOT_ERR_OR_NULL fix it. Signed-off-by: Pei Xiao Fixes: 8e74a48d17d5 ("iio: test: add basic tests for the iio-rescale driver") Link: https://patch.msgid.link/ecd56a85e54a96c2f0313c114075a21a76071ea2.1730259869.git.xiaopei01@kylinos.cn Signed-off-by: Jonathan Cameron commit 4be339af334c283a1a1af3cb28e7e448a0aa8a7c Author: Uwe Kleine-König Date: Mon Nov 4 11:19:04 2024 +0100 iio: adc: ad7124: Disable all channels at probe time When during a measurement two channels are enabled, two measurements are done that are reported sequencially in the DATA register. As the code triggered by reading one of the sysfs properties expects that only one channel is enabled it only reads the first data set which might or might not belong to the intended channel. To prevent this situation disable all channels during probe. This fixes a problem in practise because the reset default for channel 0 is enabled. So all measurements before the first measurement on channel 0 (which disables channel 0 at the end) might report wrong values. Fixes: 7b8d045e497a ("iio: adc: ad7124: allow more than 8 channels") Reviewed-by: Nuno Sa Signed-off-by: Uwe Kleine-König Link: https://patch.msgid.link/20241104101905.845737-2-u.kleine-koenig@baylibre.com Cc: Signed-off-by: Jonathan Cameron commit 4636e859ebe0011f41e35fa79bab585b8004e9a3 Author: Zicheng Qu Date: Thu Nov 7 01:10:15 2024 +0000 staging: iio: ad9832: Correct phase range check User Perspective: When a user sets the phase value, the ad9832_write_phase() is called. The phase register has a 12-bit resolution, so the valid range is 0 to 4095. If the phase offset value of 4096 is input, it effectively exactly equals 0 in the lower 12 bits, meaning no offset. Reasons for the Change: 1) Original Condition (phase > BIT(AD9832_PHASE_BITS)): This condition allows a phase value equal to 2^12, which is 4096. However, this value exceeds the valid 12-bit range, as the maximum valid phase value should be 4095. 2) Modified Condition (phase >= BIT(AD9832_PHASE_BITS)): Ensures that the phase value is within the valid range, preventing invalid datafrom being written. Impact on Subsequent Logic: st->data = cpu_to_be16(addr | phase): If the phase value is 2^12, i.e., 4096 (0001 0000 0000 0000), and addr is AD9832_REG_PHASE0 (1100 0000 0000 0000), then addr | phase results in 1101 0000 0000 0000, occupying DB12. According to the section of WRITING TO A PHASE REGISTER in the datasheet, the MSB 12 PHASE0 bits should be DB11. The original condition leads to incorrect DB12 usage, which contradicts the datasheet and could pose potential issues for future updates if DB12 is used in such related cases. Fixes: ea707584bac1 ("Staging: IIO: DDS: AD9832 / AD9835 driver") Cc: stable@vger.kernel.org Signed-off-by: Zicheng Qu Link: https://patch.msgid.link/20241107011015.2472600-3-quzicheng@huawei.com Signed-off-by: Jonathan Cameron commit c0599762f0c7e260b99c6b7bceb8eae69b804c94 Author: Zicheng Qu Date: Thu Nov 7 01:10:14 2024 +0000 staging: iio: ad9834: Correct phase range check User Perspective: When a user sets the phase value, the ad9834_write_phase() is called. The phase register has a 12-bit resolution, so the valid range is 0 to 4095. If the phase offset value of 4096 is input, it effectively exactly equals 0 in the lower 12 bits, meaning no offset. Reasons for the Change: 1) Original Condition (phase > BIT(AD9834_PHASE_BITS)): This condition allows a phase value equal to 2^12, which is 4096. However, this value exceeds the valid 12-bit range, as the maximum valid phase value should be 4095. 2) Modified Condition (phase >= BIT(AD9834_PHASE_BITS)): Ensures that the phase value is within the valid range, preventing invalid datafrom being written. Impact on Subsequent Logic: st->data = cpu_to_be16(addr | phase): If the phase value is 2^12, i.e., 4096 (0001 0000 0000 0000), and addr is AD9834_REG_PHASE0 (1100 0000 0000 0000), then addr | phase results in 1101 0000 0000 0000, occupying DB12. According to the section of WRITING TO A PHASE REGISTER in the datasheet, the MSB 12 PHASE0 bits should be DB11. The original condition leads to incorrect DB12 usage, which contradicts the datasheet and could pose potential issues for future updates if DB12 is used in such related cases. Fixes: 12b9d5bf76bf ("Staging: IIO: DDS: AD9833 / AD9834 driver") Cc: stable@vger.kernel.org Signed-off-by: Zicheng Qu Reviewed-by: Dan Carpenter Link: https://patch.msgid.link/20241107011015.2472600-2-quzicheng@huawei.com Signed-off-by: Jonathan Cameron commit 82fdcf9b518b205da040046fbe7747fb3fd18657 Author: Jaakko Salo Date: Fri Dec 6 18:44:48 2024 +0200 ALSA: usb-audio: Add implicit feedback quirk for Yamaha THR5 Use implicit feedback from the capture endpoint to fix popping sounds during playback. Link: https://bugzilla.kernel.org/show_bug.cgi?id=219567 Signed-off-by: Jaakko Salo Cc: Link: https://patch.msgid.link/20241206164448.8136-1-jaakkos@gmail.com Signed-off-by: Takashi Iwai commit b4d83c8323b0c4a899a996fed919cfe10720d289 Author: Ingo Molnar Date: Fri Dec 6 10:19:31 2024 +0100 headers/cleanup.h: Remove the if_not_guard() facility Linus noticed that the new if_not_guard() definition is fragile: "This macro generates actively wrong code if it happens to be inside an if-statement or a loop without a block. IOW, code like this: for (iterate-over-something) if_not_guard(a) return -BUSY; looks like will build fine, but will generate completely incorrect code." The reason is that the __if_not_guard() macro is multi-statement, so while most kernel developers expect macros to be simple or at least compound statements - but for __if_not_guard() it is not so: #define __if_not_guard(_name, _id, args...) \ BUILD_BUG_ON(!__is_cond_ptr(_name)); \ CLASS(_name, _id)(args); \ if (!__guard_ptr(_name)(&_id)) To add insult to injury, the placement of the BUILD_BUG_ON() line makes the macro appear to compile fine, but it will generate incorrect code as Linus reported, for example if used within iteration or conditional statements that will use the first statement of a macro as a loop body or conditional statement body. [ I'd also like to note that the original submission by David Lechner did not contain the BUILD_BUG_ON() line, so it was safer than what we ended up committing. Mea culpa. ] It doesn't appear to be possible to turn this macro into a robust single or compound statement that could be used in single statements, due to the necessity to define an auto scope variable with an open scope and the necessity of it having to expand to a partial 'if' statement with no body. Instead of trying to work around this fragility, just remove the construct before it gets used. Reported-by: Linus Torvalds Signed-off-by: Ingo Molnar Cc: David Lechner Cc: Peter Zijlstra Link: https://lore.kernel.org/r/Z1LBnX9TpZLR5Dkf@gmail.com commit 0f6ede9fbc747e2553612271bce108f7517e7a45 Author: Eric Dumazet Date: Wed Dec 4 12:54:55 2024 +0000 net: defer final 'struct net' free in netns dismantle Ilya reported a slab-use-after-free in dst_destroy [1] Issue is in xfrm6_net_init() and xfrm4_net_init() : They copy xfrm[46]_dst_ops_template into net->xfrm.xfrm[46]_dst_ops. But net structure might be freed before all the dst callbacks are called. So when dst_destroy() calls later : if (dst->ops->destroy) dst->ops->destroy(dst); dst->ops points to the old net->xfrm.xfrm[46]_dst_ops, which has been freed. See a relevant issue fixed in : ac888d58869b ("net: do not delay dst_entries_add() in dst_release()") A fix is to queue the 'struct net' to be freed after one another cleanup_net() round (and existing rcu_barrier()) [1] BUG: KASAN: slab-use-after-free in dst_destroy (net/core/dst.c:112) Read of size 8 at addr ffff8882137ccab0 by task swapper/37/0 Dec 03 05:46:18 kernel: CPU: 37 UID: 0 PID: 0 Comm: swapper/37 Kdump: loaded Not tainted 6.12.0 #67 Hardware name: Red Hat KVM/RHEL, BIOS 1.16.1-1.el9 04/01/2014 Call Trace: dump_stack_lvl (lib/dump_stack.c:124) print_address_description.constprop.0 (mm/kasan/report.c:378) ? dst_destroy (net/core/dst.c:112) print_report (mm/kasan/report.c:489) ? dst_destroy (net/core/dst.c:112) ? kasan_addr_to_slab (mm/kasan/common.c:37) kasan_report (mm/kasan/report.c:603) ? dst_destroy (net/core/dst.c:112) ? rcu_do_batch (kernel/rcu/tree.c:2567) dst_destroy (net/core/dst.c:112) rcu_do_batch (kernel/rcu/tree.c:2567) ? __pfx_rcu_do_batch (kernel/rcu/tree.c:2491) ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4339 kernel/locking/lockdep.c:4406) rcu_core (kernel/rcu/tree.c:2825) handle_softirqs (kernel/softirq.c:554) __irq_exit_rcu (kernel/softirq.c:589 kernel/softirq.c:428 kernel/softirq.c:637) irq_exit_rcu (kernel/softirq.c:651) sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1049 arch/x86/kernel/apic/apic.c:1049) asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:702) RIP: 0010:default_idle (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:92 arch/x86/kernel/process.c:743) Code: 00 4d 29 c8 4c 01 c7 4c 29 c2 e9 6e ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 0f 00 2d c7 c9 27 00 fb f4 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90 RSP: 0018:ffff888100d2fe00 EFLAGS: 00000246 RAX: 00000000001870ed RBX: 1ffff110201a5fc2 RCX: ffffffffb61a3e46 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffb3d4d123 RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed11c7e1835d R10: ffff888e3f0c1aeb R11: 0000000000000000 R12: 0000000000000000 R13: ffff888100d20000 R14: dffffc0000000000 R15: 0000000000000000 ? ct_kernel_exit.constprop.0 (kernel/context_tracking.c:148) ? cpuidle_idle_call (kernel/sched/idle.c:186) default_idle_call (./include/linux/cpuidle.h:143 kernel/sched/idle.c:118) cpuidle_idle_call (kernel/sched/idle.c:186) ? __pfx_cpuidle_idle_call (kernel/sched/idle.c:168) ? lock_release (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5848) ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406) ? tsc_verify_tsc_adjust (arch/x86/kernel/tsc_sync.c:59) do_idle (kernel/sched/idle.c:326) cpu_startup_entry (kernel/sched/idle.c:423 (discriminator 1)) start_secondary (arch/x86/kernel/smpboot.c:202 arch/x86/kernel/smpboot.c:282) ? __pfx_start_secondary (arch/x86/kernel/smpboot.c:232) ? soft_restart_cpu (arch/x86/kernel/head_64.S:452) common_startup_64 (arch/x86/kernel/head_64.S:414) Dec 03 05:46:18 kernel: Allocated by task 12184: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (./arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69) __kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345) kmem_cache_alloc_noprof (mm/slub.c:4085 mm/slub.c:4134 mm/slub.c:4141) copy_net_ns (net/core/net_namespace.c:421 net/core/net_namespace.c:480) create_new_namespaces (kernel/nsproxy.c:110) unshare_nsproxy_namespaces (kernel/nsproxy.c:228 (discriminator 4)) ksys_unshare (kernel/fork.c:3313) __x64_sys_unshare (kernel/fork.c:3382) do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Dec 03 05:46:18 kernel: Freed by task 11: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (./arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69) kasan_save_free_info (mm/kasan/generic.c:582) __kasan_slab_free (mm/kasan/common.c:271) kmem_cache_free (mm/slub.c:4579 mm/slub.c:4681) cleanup_net (net/core/net_namespace.c:456 net/core/net_namespace.c:446 net/core/net_namespace.c:647) process_one_work (kernel/workqueue.c:3229) worker_thread (kernel/workqueue.c:3304 kernel/workqueue.c:3391) kthread (kernel/kthread.c:389) ret_from_fork (arch/x86/kernel/process.c:147) ret_from_fork_asm (arch/x86/entry/entry_64.S:257) Dec 03 05:46:18 kernel: Last potentially related work creation: kasan_save_stack (mm/kasan/common.c:48) __kasan_record_aux_stack (mm/kasan/generic.c:541) insert_work (./include/linux/instrumented.h:68 ./include/asm-generic/bitops/instrumented-non-atomic.h:141 kernel/workqueue.c:788 kernel/workqueue.c:795 kernel/workqueue.c:2186) __queue_work (kernel/workqueue.c:2340) queue_work_on (kernel/workqueue.c:2391) xfrm_policy_insert (net/xfrm/xfrm_policy.c:1610) xfrm_add_policy (net/xfrm/xfrm_user.c:2116) xfrm_user_rcv_msg (net/xfrm/xfrm_user.c:3321) netlink_rcv_skb (net/netlink/af_netlink.c:2536) xfrm_netlink_rcv (net/xfrm/xfrm_user.c:3344) netlink_unicast (net/netlink/af_netlink.c:1316 net/netlink/af_netlink.c:1342) netlink_sendmsg (net/netlink/af_netlink.c:1886) sock_write_iter (net/socket.c:729 net/socket.c:744 net/socket.c:1165) vfs_write (fs/read_write.c:590 fs/read_write.c:683) ksys_write (fs/read_write.c:736) do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Dec 03 05:46:18 kernel: Second to last potentially related work creation: kasan_save_stack (mm/kasan/common.c:48) __kasan_record_aux_stack (mm/kasan/generic.c:541) insert_work (./include/linux/instrumented.h:68 ./include/asm-generic/bitops/instrumented-non-atomic.h:141 kernel/workqueue.c:788 kernel/workqueue.c:795 kernel/workqueue.c:2186) __queue_work (kernel/workqueue.c:2340) queue_work_on (kernel/workqueue.c:2391) __xfrm_state_insert (./include/linux/workqueue.h:723 net/xfrm/xfrm_state.c:1150 net/xfrm/xfrm_state.c:1145 net/xfrm/xfrm_state.c:1513) xfrm_state_update (./include/linux/spinlock.h:396 net/xfrm/xfrm_state.c:1940) xfrm_add_sa (net/xfrm/xfrm_user.c:912) xfrm_user_rcv_msg (net/xfrm/xfrm_user.c:3321) netlink_rcv_skb (net/netlink/af_netlink.c:2536) xfrm_netlink_rcv (net/xfrm/xfrm_user.c:3344) netlink_unicast (net/netlink/af_netlink.c:1316 net/netlink/af_netlink.c:1342) netlink_sendmsg (net/netlink/af_netlink.c:1886) sock_write_iter (net/socket.c:729 net/socket.c:744 net/socket.c:1165) vfs_write (fs/read_write.c:590 fs/read_write.c:683) ksys_write (fs/read_write.c:736) do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Fixes: a8a572a6b5f2 ("xfrm: dst_entries_init() per-net dst_ops") Reported-by: Ilya Maximets Closes: https://lore.kernel.org/netdev/CANn89iKKYDVpB=MtmfH7nyv2p=rJWSLedO5k7wSZgtY_tO8WQg@mail.gmail.com/T/#m02c98c3009fe66382b73cfb4db9cf1df6fab3fbf Signed-off-by: Eric Dumazet Acked-by: Paolo Abeni Reviewed-by: Kuniyuki Iwashima Link: https://patch.msgid.link/20241204125455.3871859-1-edumazet@google.com Signed-off-by: Jakub Kicinski commit a6d75ecee2bf828ac6a1b52724aba0a977e4eaf4 Author: Eric Dumazet Date: Wed Dec 4 14:10:31 2024 +0000 net: lapb: increase LAPB_HEADER_LEN It is unclear if net/lapb code is supposed to be ready for 8021q. We can at least avoid crashes like the following : skbuff: skb_under_panic: text:ffffffff8aabe1f6 len:24 put:20 head:ffff88802824a400 data:ffff88802824a3fe tail:0x16 end:0x140 dev:nr0.2 ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:206 ! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 1 UID: 0 PID: 5508 Comm: dhcpcd Not tainted 6.12.0-rc7-syzkaller-00144-g66418447d27b #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024 RIP: 0010:skb_panic net/core/skbuff.c:206 [inline] RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216 Code: 0d 8d 48 c7 c6 2e 9e 29 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 1a 6f 37 02 48 83 c4 20 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 RSP: 0018:ffffc90002ddf638 EFLAGS: 00010282 RAX: 0000000000000086 RBX: dffffc0000000000 RCX: 7a24750e538ff600 RDX: 0000000000000000 RSI: 0000000000000201 RDI: 0000000000000000 RBP: ffff888034a86650 R08: ffffffff8174b13c R09: 1ffff920005bbe60 R10: dffffc0000000000 R11: fffff520005bbe61 R12: 0000000000000140 R13: ffff88802824a400 R14: ffff88802824a3fe R15: 0000000000000016 FS: 00007f2a5990d740(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000110c2631fd CR3: 0000000029504000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: skb_push+0xe5/0x100 net/core/skbuff.c:2636 nr_header+0x36/0x320 net/netrom/nr_dev.c:69 dev_hard_header include/linux/netdevice.h:3148 [inline] vlan_dev_hard_header+0x359/0x480 net/8021q/vlan_dev.c:83 dev_hard_header include/linux/netdevice.h:3148 [inline] lapbeth_data_transmit+0x1f6/0x2a0 drivers/net/wan/lapbether.c:257 lapb_data_transmit+0x91/0xb0 net/lapb/lapb_iface.c:447 lapb_transmit_buffer+0x168/0x1f0 net/lapb/lapb_out.c:149 lapb_establish_data_link+0x84/0xd0 lapb_device_event+0x4e0/0x670 notifier_call_chain+0x19f/0x3e0 kernel/notifier.c:93 __dev_notify_flags+0x207/0x400 dev_change_flags+0xf0/0x1a0 net/core/dev.c:8922 devinet_ioctl+0xa4e/0x1aa0 net/ipv4/devinet.c:1188 inet_ioctl+0x3d7/0x4f0 net/ipv4/af_inet.c:1003 sock_do_ioctl+0x158/0x460 net/socket.c:1227 sock_ioctl+0x626/0x8e0 net/socket.c:1346 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: syzbot+fb99d1b0c0f81d94a5e2@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/67506220.050a0220.17bd51.006c.GAE@google.com/T/#u Signed-off-by: Eric Dumazet Reviewed-by: Simon Horman Link: https://patch.msgid.link/20241204141031.4030267-1-edumazet@google.com Signed-off-by: Jakub Kicinski commit ff9b30531510b49abee57a4737346acf633d9e38 Merge: 5e7aa97c7acf17 fab4b4d2c90344 Author: Jakub Kicinski Date: Fri Dec 6 17:39:18 2024 -0800 Merge branch 'bnxt_en-bug-fixes' Michael Chan says: ==================== bnxt_en: Bug fixes There are 2 bug fixes in this series. This first one fixes the issue of setting the gso_type incorrectly for HW GRO packets on 5750X (Thor) chips. This can cause HW GRO packets to be dropped by the stack if they are re-segmented. The second one fixes a potential division by zero crash when dumping FW log coredump. ==================== Link: https://patch.msgid.link/20241204215918.1692597-1-michael.chan@broadcom.com Signed-off-by: Jakub Kicinski commit fab4b4d2c903443d605cdf256af2e80571d2d212 Author: Hongguang Gao Date: Wed Dec 4 13:59:18 2024 -0800 bnxt_en: Fix potential crash when dumping FW log coredump If the FW log context memory is retained after FW reset, the existing code is not handling the condition correctly and zeroes out the data structures. This potentially will cause a division by zero crash when the user runs ethtool -w. The last_type is also not set correctly when the context memory is retained. This will cause errors because the last_type signals to the FW that all context memory types have been configured. Oops: divide error: 0000 1 PREEMPT SMP NOPTI CPU: 53 UID: 0 PID: 7019 Comm: ethtool Kdump: loaded Tainted: G OE 6.12.0-rc7+ #1 Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: Supermicro SYS-621C-TN12R/X13DDW-A, BIOS 1.4 08/10/2023 RIP: 0010:__bnxt_copy_ctx_mem.constprop.0.isra.0+0x86/0x160 [bnxt_en] Code: 0a 31 d2 4c 89 6c 24 10 45 8b a5 fc df ff ff 4c 8b 74 24 20 31 db 66 89 44 24 06 48 63 c5 c1 e5 09 4c 0f af e0 48 8b 44 24 30 <49> f7 f4 4c 89 64 24 08 48 63 c5 4d 89 ec 31 ed 48 89 44 24 18 49 RSP: 0018:ff480591603d78b8 EFLAGS: 00010206 RAX: 0000000000100000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ff23959e46740000 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000100000 R09: ff23959e46740000 R10: ff480591603d7a18 R11: 0000000000000010 R12: 0000000000000000 R13: ff23959e46742008 R14: 0000000000000000 R15: 0000000000000000 FS: 00007f04227c1740(0000) GS:ff2395adbf680000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f04225b33a5 CR3: 000000108b9a4001 CR4: 0000000000773ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: ? die+0x33/0x90 ? do_trap+0xd9/0x100 ? __bnxt_copy_ctx_mem.constprop.0.isra.0+0x86/0x160 [bnxt_en] ? do_error_trap+0x65/0x80 ? __bnxt_copy_ctx_mem.constprop.0.isra.0+0x86/0x160 [bnxt_en] ? exc_divide_error+0x36/0x50 ? __bnxt_copy_ctx_mem.constprop.0.isra.0+0x86/0x160 [bnxt_en] ? asm_exc_divide_error+0x16/0x20 ? __bnxt_copy_ctx_mem.constprop.0.isra.0+0x86/0x160 [bnxt_en] ? __bnxt_copy_ctx_mem.constprop.0.isra.0+0xda/0x160 [bnxt_en] bnxt_get_ctx_coredump.constprop.0+0x1ed/0x390 [bnxt_en] ? __memcg_slab_post_alloc_hook+0x21c/0x3c0 ? __bnxt_get_coredump+0x473/0x4b0 [bnxt_en] __bnxt_get_coredump+0x473/0x4b0 [bnxt_en] ? security_file_alloc+0x74/0xe0 ? cred_has_capability.isra.0+0x78/0x120 bnxt_get_coredump_length+0x4b/0xf0 [bnxt_en] bnxt_get_dump_flag+0x40/0x60 [bnxt_en] __dev_ethtool+0x17e4/0x1fc0 ? syscall_exit_to_user_mode+0xc/0x1d0 ? do_syscall_64+0x85/0x150 ? unmap_page_range+0x299/0x4b0 ? vma_interval_tree_remove+0x215/0x2c0 ? __kmalloc_cache_noprof+0x10a/0x300 dev_ethtool+0xa8/0x170 dev_ioctl+0x1b5/0x580 ? sk_ioctl+0x4a/0x110 sock_do_ioctl+0xab/0xf0 sock_ioctl+0x1ca/0x2e0 __x64_sys_ioctl+0x87/0xc0 do_syscall_64+0x79/0x150 Fixes: 24d694aec139 ("bnxt_en: Allocate backing store memory for FW trace logs") Signed-off-by: Hongguang Gao Signed-off-by: Michael Chan Link: https://patch.msgid.link/20241204215918.1692597-3-michael.chan@broadcom.com Signed-off-by: Jakub Kicinski commit de37faf41ac55619dd329229a9bd9698faeabc52 Author: Michael Chan Date: Wed Dec 4 13:59:17 2024 -0800 bnxt_en: Fix GSO type for HW GRO packets on 5750X chips The existing code is using RSS profile to determine IPV4/IPV6 GSO type on all chips older than 5760X. This won't work on 5750X chips that may be using modified RSS profiles. This commit from 2018 has updated the driver to not use RSS profile for HW GRO packets on newer chips: 50f011b63d8c ("bnxt_en: Update RSS setup and GRO-HW logic according to the latest spec.") However, a recent commit to add support for the newest 5760X chip broke the logic. If the GRO packet needs to be re-segmented by the stack, the wrong GSO type will cause the packet to be dropped. Fix it to only use RSS profile to determine GSO type on the oldest 5730X/5740X chips which cannot use the new method and is safe to use the RSS profiles. Also fix the L3/L4 hash type for RX packets by not using the RSS profile for the same reason. Use the ITYPE field in the RX completion to determine L3/L4 hash types correctly. Fixes: a7445d69809f ("bnxt_en: Add support for new RX and TPA_START completion types for P7") Reviewed-by: Colin Winegarden Reviewed-by: Somnath Kotur Reviewed-by: Kalesh AP Signed-off-by: Michael Chan Link: https://patch.msgid.link/20241204215918.1692597-2-michael.chan@broadcom.com Signed-off-by: Jakub Kicinski commit 5e7aa97c7acf171275ac02a8bb018c31b8918d13 Author: Thomas Weißschuh Date: Tue Dec 3 18:09:55 2024 +0100 ptp: kvm: x86: Return EOPNOTSUPP instead of ENODEV from kvm_arch_ptp_init() The caller, ptp_kvm_init(), emits a warning if kvm_arch_ptp_init() exits with any error which is not EOPNOTSUPP: "fail to initialize ptp_kvm" Replace ENODEV with EOPNOTSUPP to avoid this spurious warning, aligning with the ARM implementation. Fixes: a86ed2cfa13c ("ptp: Don't print an error if ptp_kvm is not supported") Signed-off-by: Thomas Weißschuh Link: https://patch.msgid.link/20241203-kvm_ptp-eopnotsuppp-v2-1-d1d060f27aa6@weissschuh.net Signed-off-by: Jakub Kicinski commit bd0c9070436da98a64f734046b36784eb02e997d Merge: 11776cff0b563c 5f2c7ab15fd806 Author: Jakub Kicinski Date: Fri Dec 6 17:37:46 2024 -0800 Merge branch 'selftests-mlxsw-add-few-fixes-for-sharedbuffer-test' Petr Machata says: ==================== selftests: mlxsw: Add few fixes for sharedbuffer test Danielle Ratson writes: Currently, the sharedbuffer test fails sometimes because it is reading a maximum occupancy that is larger than expected on some different cases. This is happening because the test assumes that the packet it is sending is the only packet being passed to the device. In addition, some duplications on one hand, and redundant test cases on the other hand, were found in the test. Add egress filters on h1 and h2 that will guarantee that the packets in the buffer are sent in the test, and remove the redundant test cases. ==================== Link: https://patch.msgid.link/cover.1733414773.git.petrm@nvidia.com Signed-off-by: Jakub Kicinski commit 5f2c7ab15fd806043db1a7d54b5ec36be0bd93b1 Author: Danielle Ratson Date: Thu Dec 5 17:36:01 2024 +0100 selftests: mlxsw: sharedbuffer: Ensure no extra packets are counted The test assumes that the packet it is sending is the only packet being passed to the device. However, it is not the case and so other packets are filling the buffers as well. Therefore, the test sometimes fails because it is reading a maximum occupancy that is larger than expected. Add egress filters on $h1 and $h2 that will guarantee the above. Fixes: a865ad999603 ("selftests: mlxsw: Add shared buffer traffic test") Signed-off-by: Danielle Ratson Reviewed-by: Ido Schimmel Signed-off-by: Ido Schimmel Signed-off-by: Petr Machata Link: https://patch.msgid.link/64c28bc9b1cc1d78c4a73feda7cedbe9526ccf8b.1733414773.git.petrm@nvidia.com Signed-off-by: Jakub Kicinski commit 6c46ad4d1bb2e8ec2265296e53765190f6e32f33 Author: Danielle Ratson Date: Thu Dec 5 17:36:00 2024 +0100 selftests: mlxsw: sharedbuffer: Remove duplicate test cases On both port_tc_ip_test() and port_tc_arp_test(), the max occupancy is checked on $h2 twice, when only the error message is different and does not match the check itself. Remove the two duplicated test cases from the test. Fixes: a865ad999603 ("selftests: mlxsw: Add shared buffer traffic test") Signed-off-by: Danielle Ratson Reviewed-by: Ido Schimmel Signed-off-by: Ido Schimmel Signed-off-by: Petr Machata Link: https://patch.msgid.link/d9eb26f6fc16a06a30b5c2c16ad80caf502bc561.1733414773.git.petrm@nvidia.com Signed-off-by: Jakub Kicinski commit cf3515c556907b4da290967a2a6cbbd9ee0ee723 Author: Danielle Ratson Date: Thu Dec 5 17:35:59 2024 +0100 selftests: mlxsw: sharedbuffer: Remove h1 ingress test case The test is sending only one packet generated with mausezahn from $h1 to $h2. However, for some reason, it is testing for non-zero maximum occupancy in both the ingress pool of $h1 and $h2. The former only passes when $h2 happens to send a packet. Avoid intermittent failures by removing unintentional test case regarding the ingress pool of $h1. Fixes: a865ad999603 ("selftests: mlxsw: Add shared buffer traffic test") Signed-off-by: Danielle Ratson Reviewed-by: Ido Schimmel Signed-off-by: Ido Schimmel Signed-off-by: Petr Machata Link: https://patch.msgid.link/5b7344608d5e06f38209e48d8af8c92fa11b6742.1733414773.git.petrm@nvidia.com Signed-off-by: Jakub Kicinski commit b5f217084ab3ddd4bdd03cd437f8e3b7e2d1f5b6 Merge: f3ddc438a29f78 509df676c2d79c Author: Linus Torvalds Date: Fri Dec 6 15:07:48 2024 -0800 Merge tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf Pull bpf fixes from Daniel Borkmann:: - Fix several issues for BPF LPM trie map which were found by syzbot and during addition of new test cases (Hou Tao) - Fix a missing process_iter_arg register type check in the BPF verifier (Kumar Kartikeya Dwivedi, Tao Lyu) - Fix several correctness gaps in the BPF verifier when interacting with the BPF stack without CAP_PERFMON (Kumar Kartikeya Dwivedi, Eduard Zingerman, Tao Lyu) - Fix OOB BPF map writes when deleting elements for the case of xsk map as well as devmap (Maciej Fijalkowski) - Fix xsk sockets to always clear DMA mapping information when unmapping the pool (Larysa Zaremba) - Fix sk_mem_uncharge logic in tcp_bpf_sendmsg to only uncharge after sent bytes have been finalized (Zijian Zhang) - Fix BPF sockmap with vsocks which was missing a queue check in poll and sockmap cleanup on close (Michal Luczaj) - Fix tools infra to override makefile ARCH variable if defined but empty, which addresses cross-building tools. (Björn Töpel) - Fix two resolve_btfids build warnings on unresolved bpf_lsm symbols (Thomas Weißschuh) - Fix a NULL pointer dereference in bpftool (Amir Mohammadi) - Fix BPF selftests to check for CONFIG_PREEMPTION instead of CONFIG_PREEMPT (Sebastian Andrzej Siewior) * tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf: (31 commits) selftests/bpf: Add more test cases for LPM trie selftests/bpf: Move test_lpm_map.c to map_tests bpf: Use raw_spinlock_t for LPM trie bpf: Switch to bpf mem allocator for LPM trie bpf: Fix exact match conditions in trie_get_next_key() bpf: Handle in-place update for full LPM trie correctly bpf: Handle BPF_EXIST and BPF_NOEXIST for LPM trie bpf: Remove unnecessary kfree(im_node) in lpm_trie_update_elem bpf: Remove unnecessary check when updating LPM trie selftests/bpf: Add test for narrow spill into 64-bit spilled scalar selftests/bpf: Add test for reading from STACK_INVALID slots selftests/bpf: Introduce __caps_unpriv annotation for tests bpf: Fix narrow scalar spill onto 64-bit spilled scalar slots bpf: Don't mark STACK_INVALID as STACK_MISC in mark_stack_slot_misc samples/bpf: Remove unnecessary -I flags from libbpf EXTRA_CFLAGS bpf: Zero index arg error string for dynptr and iter selftests/bpf: Add tests for iter arg check bpf: Ensure reg is PTR_TO_STACK in process_iter_arg tools: Override makefile ARCH variable if defined, but empty selftests/bpf: Add apply_bytes test to test_txmsg_redir_wait_sndmem in test_sockmap ... commit f3ddc438a29f78f0642bfcf84407c236a0b2bdc7 Merge: ddfc146ed500f9 d60624f72d1586 Author: Linus Torvalds Date: Fri Dec 6 13:47:55 2024 -0800 Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux Pull arm64 fixes from Catalin Marinas: "Nothing major, some left-overs from the recent merging window (MTE, coco) and some newly found issues like the ptrace() ones. - MTE/hugetlbfs: - Set VM_MTE_ALLOWED in the arch code and remove it from the core code for hugetlbfs mappings - Fix copy_highpage() warning when the source is a huge page but not MTE tagged, taking the wrong small page path - drivers/virt/coco: - Add the pKVM and Arm CCA drivers under the arm64 maintainership - Fix the pkvm driver to fall back to ioremap() (and warn) if the MMIO_GUARD hypercall fails - Keep the Arm CCA driver default 'n' rather than 'm' - A series of fixes for the arm64 ptrace() implementation, potentially leading to the kernel consuming uninitialised stack variables when PTRACE_SETREGSET is invoked with a length of 0 - Fix zone_dma_limit calculation when RAM starts below 4GB and ZONE_DMA is capped to this limit - Fix early boot warning with CONFIG_DEBUG_VIRTUAL=y triggered by a call to page_to_phys() (from patch_map()) which checks pfn_valid() before vmemmap has been set up - Do not clobber bits 15:8 of the ASID used for TTBR1_EL1 and TLBI ops when the kernel assumes 8-bit ASIDs but running under a hypervisor on a system that implements 16-bit ASIDs (found running Linux under Parallels on Apple M4) - ACPI/IORT: Add PMCG platform information for HiSilicon HIP09A as it is using the same SMMU PMCG as HIP09 and suffers from the same errata - Add GCS to cpucap_is_possible(), missed in the recent merge" * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: arm64: ptrace: fix partial SETREGSET for NT_ARM_GCS arm64: ptrace: fix partial SETREGSET for NT_ARM_POE arm64: ptrace: fix partial SETREGSET for NT_ARM_FPMR arm64: ptrace: fix partial SETREGSET for NT_ARM_TAGGED_ADDR_CTRL arm64: cpufeature: Add GCS to cpucap_is_possible() coco: virt: arm64: Do not enable cca guest driver by default arm64: mte: Fix copy_highpage() warning on hugetlb folios arm64: Ensure bits ASID[15:8] are masked out when the kernel uses 8-bit ASIDs ACPI/IORT: Add PMCG platform information for HiSilicon HIP09A MAINTAINERS: Add CCA and pKVM CoCO guest support to the ARM64 entry drivers/virt: pkvm: Don't fail ioremap() call if MMIO_GUARD fails arm64: patching: avoid early page_to_phys() arm64: mm: Fix zone_dma_limit calculation arm64: mte: set VM_MTE_ALLOWED for hugetlbfs at correct place commit ddfc146ed500f9aa071f3d913312bdbb0c9eaae0 Merge: c7cde621b2acfd 180bbad6986418 Author: Linus Torvalds Date: Fri Dec 6 13:42:03 2024 -0800 Merge tag 'fixes-2024-12-06' of git://git.kernel.org/pub/scm/linux/kernel/git/rppt/memblock Pull memblock fixes from Mike Rapoport: "Restore check for node validity in arch_numa. The rework of NUMA initialization in arch_numa dropped a check that refused to accept configurations with invalid node IDs. Restore that check to ensure that when firmware passes invalid nodes, such configuration is rejected and kernel gracefully falls back to dummy NUMA" * tag 'fixes-2024-12-06' of git://git.kernel.org/pub/scm/linux/kernel/git/rppt/memblock: arch_numa: Restore nid checks before registering a memblock with a node memblock: allow zero threshold in validate_numa_converage() commit c7cde621b2acfd6bc7d5f002b19b60ad2ed25df8 Merge: 9a6e8c7c3a024b 1995e7d0506209 Author: Linus Torvalds Date: Fri Dec 6 13:16:41 2024 -0800 Merge tag 'drm-fixes-2024-12-06' of https://gitlab.freedesktop.org/drm/kernel Pull more drm fixes from Simona Vetter: "Due to mailing list unreliability we missed the amdgpu pull, hence part two with that now included: - amdgu: mostly display fixes + jpeg vcn 1.0, sriov, dcn4.0 resume fixes - amdkfd fixes" * tag 'drm-fixes-2024-12-06' of https://gitlab.freedesktop.org/drm/kernel: drm/amdgpu: rework resume handling for display (v2) drm/amd/pm: fix and simplify workload handling Revert "drm/amd/pm: correct the workload setting" drm/amdgpu: fix sriov reinit late orders drm/amdgpu: Fix ISP hw init issue drm/amd/display: Add hblank borrowing support drm/amd/display: Limit VTotal range to max hw cap minus fp drm/amd/display: Correct prefetch calculation drm/amd/display: Add option to retrieve detile buffer size drm/amd/display: Add a left edge pixel if in YCbCr422 or YCbCr420 and odm drm/amdkfd: hard-code cacheline for gc943,gc944 drm/amdkfd: add MEC version that supports no PCIe atomics for GFX12 drm/amd/display: Fix programming backlight on OLED panels drm/amd: Sanity check the ACPI EDID drm/amdgpu/hdp7.0: do a posting read when flushing HDP drm/amdgpu/hdp6.0: do a posting read when flushing HDP drm/amdgpu/hdp5.2: do a posting read when flushing HDP drm/amdgpu/hdp5.0: do a posting read when flushing HDP drm/amdgpu/hdp4.0: do a posting read when flushing HDP drm/amdgpu/jpeg1.0: fix idle work handler commit 1995e7d05062097109ea1807778ff8654c2de7f3 Merge: 471f3a21addd4e 73dae652dcac77 Author: Simona Vetter Date: Fri Dec 6 21:54:04 2024 +0100 Merge tag 'amd-drm-fixes-6.13-2024-12-04' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes amd-drm-fixes-6.13-2024-12-04: amdgpu: - Jpeg work handler fix for VCN 1.0 - HDP flush fixes - ACPI EDID sanity check - OLED panel backlight fix - DC YCbCr fix - DC Detile buffer size debugging - DC prefetch calculation fix - DC VTotal handling fix - DC HBlank fix - ISP fix - SR-IOV fix - Workload profile fixes - DCN 4.0.1 resume fix amdkfd: - GC 12.x fix - GC 9.4.x fix Signed-off-by: Simona Vetter From: Alex Deucher Link: https://patchwork.freedesktop.org/patch/msgid/20241206190452.2571042-1-alexander.deucher@amd.com commit 9a6e8c7c3a024b9e9ec8fd6295c3159504263cb2 Merge: 2b90dcd599b62c 471f3a21addd4e Author: Linus Torvalds Date: Fri Dec 6 11:52:15 2024 -0800 Merge tag 'drm-fixes-2024-12-07' of https://gitlab.freedesktop.org/drm/kernel Pull drm fixes from Dave Airlie: "Pretty quiet week which is probably expected after US holidays, the dma-fence and displayport MST message handling fixes make up the bulk of this, along with a couple of minor xe and other driver fixes. dma-fence: - Fix reference leak on fence-merge failure path - Simplify fence merging with kernel's sort() - Fix dma_fence_array_signaled() to ensure forward progress dp_mst: - Fix MST sideband message body length check - Fix a bunch of locking/state handling with DP MST msgs sti: - Add __iomem for mixer_dbg_mxn()'s parameter xe: - Missing init value and 64-bit write-order check - Fix a memory allocation issue causing lockdep violation v3d: - Performance counter fix" * tag 'drm-fixes-2024-12-07' of https://gitlab.freedesktop.org/drm/kernel: drm/v3d: Enable Performance Counters before clearing them drm/dp_mst: Use reset_msg_rx_state() instead of open coding it drm/dp_mst: Reset message rx state after OOM in drm_dp_mst_handle_up_req() drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req() drm/dp_mst: Fix down request message timeout handling drm/dp_mst: Simplify error path in drm_dp_mst_handle_down_rep() drm/dp_mst: Verify request type in the corresponding down message reply drm/dp_mst: Fix resetting msg rx state after topology removal drm/xe: Move the coredump registration to the worker thread drm/xe/guc: Fix missing init value and add register order check drm/sti: Add __iomem for mixer_dbg_mxn's parameter drm/dp_mst: Fix MST sideband message body length check dma-buf: fix dma_fence_array_signaled v4 dma-fence: Use kernel's sort for merging fences dma-fence: Fix reference leak on fence merge failure path commit 2b90dcd599b62ccaaa367947037235de8e6bc3a7 Merge: d9e15b25161e07 c34e9ab9a612ee Author: Linus Torvalds Date: Fri Dec 6 11:46:39 2024 -0800 Merge tag 'sound-6.13-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound Pull sound fixes from Takashi Iwai: "A collection of small fixes that have been gathered in the week. - Fix the missing XRUN handling in USB-audio low latency mode - Fix regression by the previous USB-audio hadening change - Clean up old SH sound driver to use the standard helpers - A few further fixes for MIDI 2.0 UMP handling - Various HD-audio and USB-audio quirks - Fix jack handling at PM on ASoC Intel AVS - Misc small fixes for ASoC SOF and Mediatek" * tag 'sound-6.13-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: ALSA: hda/realtek: Fix spelling mistake "Firelfy" -> "Firefly" ASoC: mediatek: mt8188-mt6359: Remove hardcoded dmic codec ALSA: hda/realtek: fix micmute LEDs don't work on HP Laptops ALSA: usb-audio: Add extra PID for RME Digiface USB ALSA: usb-audio: Fix a DMA to stack memory bug ASoC: SOF: ipc3-topology: fix resource leaks in sof_ipc3_widget_setup_comp_dai() ALSA: hda/realtek: Add support for Samsung Galaxy Book3 360 (NP730QFG) ASoC: Intel: avs: da7219: Remove suspend_pre() and resume_post() ALSA: hda/tas2781: Fix error code tas2781_read_acpi() ALSA: hda/realtek: Enable mute and micmute LED on HP ProBook 430 G8 ALSA: usb-audio: add mixer mapping for Corsair HS80 ALSA: ump: Shut up truncated string warning ALSA: sh: Use standard helper for buffer accesses ALSA: usb-audio: Notify xrun for low-latency mode ALSA: hda/conexant: fix Z60MR100 startup pop issue ALSA: ump: Update legacy substream names upon FB info update ALSA: ump: Indicate the inactive group in legacy substream names ALSA: ump: Don't open legacy substream for an inactive group ALSA: seq: ump: Fix seq port updates per FB info notify commit d9e15b25161e0783def5f852179db38d817c957c Merge: b60500e9022f24 3061e170381af9 Author: Linus Torvalds Date: Fri Dec 6 11:43:22 2024 -0800 Merge tag 'regmap-fix-v6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap Pull regmap fixes from Mark Brown: "A couple of small fixes, fixing an incorrect format specifier in a log message and adding missing cleanup of the devres data used to support dev_get_regmap() when a device is unregistered" * tag 'regmap-fix-v6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap: regmap: detach regmap from dev on regmap_exit regmap: Use correct format specifier for logging range errors commit b60500e9022f24b6d3e4cb3ff6928891c44a262d Merge: 35b7b337ffad0b 4c6ac5446d060f Author: Linus Torvalds Date: Fri Dec 6 11:36:48 2024 -0800 Merge tag 'spi-fix-v6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi Pull spi fixes from Mark Brown: "A few small driver specific fixes and device ID updates for SPI. The Apple change flags the driver as being compatible with the core's GPIO chip select support, fixing support for some systems" * tag 'spi-fix-v6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi: spi: omap2-mcspi: Fix the IS_ERR() bug for devm_clk_get_optional_enabled() spi: intel: Add Panther Lake SPI controller support spi: apple: Set use_gpio_descriptors to true spi: mpc52xx: Add cancel_work_sync before module remove commit 35b7b337ffad0bb708faaa24d8a18ab908565f5e Merge: fa4c221fa15321 87a0d90fcd31c0 Author: Linus Torvalds Date: Fri Dec 6 11:27:10 2024 -0800 Merge tag 'mmc-v6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc Pull MMC fixes from Ulf Hansson: "Core: - Further prevent card detect during shutdown Host drivers: - sdhci-pci: Add DMI quirk for missing CD GPIO on Vexia Edu Atla 10 tablet" * tag 'mmc-v6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc: mmc: core: Further prevent card detect during shutdown mmc: sdhci-pci: Add DMI quirk for missing CD GPIO on Vexia Edu Atla 10 tablet commit fa4c221fa153211d80acaf54fe5e5b1859c99796 Merge: b8f52214c61a5b 2379fb937de533 Author: Linus Torvalds Date: Fri Dec 6 11:24:00 2024 -0800 Merge tag 'pmdomain-v6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/linux-pm Pull pmdomain fixes from Ulf Hansson: "Core: - Fix a couple of memory-leaks during genpd init/remove Providers: - imx: Adjust delay for gpcv2 to fix power up handshake - mediatek: Fix DT bindings by adding another nested power-domain layer" * tag 'pmdomain-v6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/linux-pm: pmdomain: imx: gpcv2: Adjust delay after power up handshake pmdomain: core: Fix error path in pm_genpd_init() when ida alloc fails pmdomain: core: Add missing put_device() dt-bindings: power: mediatek: Add another nested power-domain layer commit 492077668fb453b8b16c842fcf3fafc2ebc190e9 Author: Sean Christopherson Date: Fri Dec 6 08:20:06 2024 -0800 x86/CPU/AMD: WARN when setting EFER.AUTOIBRS if and only if the WRMSR fails When ensuring EFER.AUTOIBRS is set, WARN only on a negative return code from msr_set_bit(), as '1' is used to indicate the WRMSR was successful ('0' indicates the MSR bit was already set). Fixes: 8cc68c9c9e92 ("x86/CPU/AMD: Make sure EFER[AIBRSE] is set") Reported-by: Nathan Chancellor Signed-off-by: Sean Christopherson Signed-off-by: Ingo Molnar Link: https://lore.kernel.org/r/Z1MkNofJjt7Oq0G6@google.com Closes: https://lore.kernel.org/all/20241205220604.GA2054199@thelio-3990X commit 3396995f9fb6bcbe0004a68118a22f98bab6e2b9 Author: Haoyu Li Date: Tue Dec 3 22:14:51 2024 +0800 gpio: ljca: Initialize num before accessing item in ljca_gpio_config With the new __counted_by annocation in ljca_gpio_packet, the "num" struct member must be set before accessing the "item" array. Failing to do so will trigger a runtime warning when enabling CONFIG_UBSAN_BOUNDS and CONFIG_FORTIFY_SOURCE. Fixes: 1034cc423f1b ("gpio: update Intel LJCA USB GPIO driver") Cc: stable@vger.kernel.org Signed-off-by: Haoyu Li Link: https://lore.kernel.org/stable/20241203141451.342316-1-lihaoyu499%40gmail.com Signed-off-by: Bartosz Golaszewski commit 509df676c2d79c985ec2eaa3e3a3bbe557645861 Merge: e2cf913314b954 04d4ce91b0bed4 Author: Alexei Starovoitov Date: Fri Dec 6 09:14:26 2024 -0800 Merge branch 'fixes-for-lpm-trie' Hou Tao says: ==================== This patch set fixes several issues for LPM trie. These issues were found during adding new test cases or were reported by syzbot. The patch set is structured as follows: Patch #1~#2 are clean-ups for lpm_trie_update_elem(). Patch #3 handles BPF_EXIST and BPF_NOEXIST correctly for LPM trie. Patch #4 fixes the accounting of n_entries when doing in-place update. Patch #5 fixes the exact match condition in trie_get_next_key() and it may skip keys when the passed key is not found in the map. Patch #6~#7 switch from kmalloc() to bpf memory allocator for LPM trie to fix several lock order warnings reported by syzbot. It also enables raw_spinlock_t for LPM trie again. After these changes, the LPM trie will be closer to being usable in any context (though the reentrance check of trie->lock is still missing, but it is on my todo list). Patch #8: move test_lpm_map to map_tests to make it run regularly. Patch #9: add test cases for the issues fixed by patch #3~#5. Please see individual patches for more details. Comments are always welcome. Change Log: v3: * patch #2: remove the unnecessary NULL-init for im_node * patch #6: alloc the leaf node before disabling IRQ to low the possibility of -ENOMEM when leaf_size is large; Free these nodes outside the trie lock (Suggested by Alexei) * collect review and ack tags (Thanks for Toke & Daniel) v2: https://lore.kernel.org/bpf/20241127004641.1118269-1-houtao@huaweicloud.com/ * collect review tags (Thanks for Toke) * drop "Add bpf_mem_cache_is_mergeable() helper" patch * patch #3~#4: add fix tag * patch #4: rename the helper to trie_check_add_elem() and increase n_entries in it. * patch #6: use one bpf mem allocator and update commit message to clarify that using bpf mem allocator is more appropriate. * patch #7: update commit message to add the possible max running time for update operation. * patch #9: update commit message to specify the purpose of these test cases. v1: https://lore.kernel.org/bpf/20241118010808.2243555-1-houtao@huaweicloud.com/ ==================== Link: https://lore.kernel.org/all/20241206110622.1161752-1-houtao@huaweicloud.com/ Signed-off-by: Alexei Starovoitov commit 04d4ce91b0bed4120e0c5fadc5291cebaa9c2a06 Author: Hou Tao Date: Fri Dec 6 19:06:22 2024 +0800 selftests/bpf: Add more test cases for LPM trie Add more test cases for LPM trie in test_maps: 1) test_lpm_trie_update_flags It constructs various use cases for BPF_EXIST and BPF_NOEXIST and check whether the return value of update operation is expected. 2) test_lpm_trie_update_full_maps It tests the update operations on a full LPM trie map. Adding new node will fail and overwriting the value of existed node will succeed. 3) test_lpm_trie_iterate_strs and test_lpm_trie_iterate_ints There two test cases test whether the iteration through get_next_key is sorted and expected. These two test cases delete the minimal key after each iteration and check whether next iteration returns the second minimal key. The only difference between these two test cases is the former one saves strings in the LPM trie and the latter saves integers. Without the fix of get_next_key, these two cases will fail as shown below: test_lpm_trie_iterate_strs(1091):FAIL:iterate #2 got abc exp abS test_lpm_trie_iterate_ints(1142):FAIL:iterate #1 got 0x2 exp 0x1 Signed-off-by: Hou Tao Link: https://lore.kernel.org/r/20241206110622.1161752-10-houtao@huaweicloud.com Signed-off-by: Alexei Starovoitov commit 3e18f5f1e5a152a51dbb6c234e2a0421aec11e31 Author: Hou Tao Date: Fri Dec 6 19:06:21 2024 +0800 selftests/bpf: Move test_lpm_map.c to map_tests Move test_lpm_map.c to map_tests/ to include LPM trie test cases in regular test_maps run. Most code remains unchanged, including the use of assert(). Only reduce n_lookups from 64K to 512, which decreases test_lpm_map runtime from 37s to 0.7s. Signed-off-by: Hou Tao Link: https://lore.kernel.org/r/20241206110622.1161752-9-houtao@huaweicloud.com Signed-off-by: Alexei Starovoitov commit 6a5c63d43c0216d64915baa0e0eacf2beb66b271 Author: Hou Tao Date: Fri Dec 6 19:06:20 2024 +0800 bpf: Use raw_spinlock_t for LPM trie After switching from kmalloc() to the bpf memory allocator, there will be no blocking operation during the update of LPM trie. Therefore, change trie->lock from spinlock_t to raw_spinlock_t to make LPM trie usable in atomic context, even on RT kernels. The max value of prefixlen is 2048. Therefore, update or deletion operations will find the target after at most 2048 comparisons. Constructing a test case which updates an element after 2048 comparisons under a 8 CPU VM, and the average time and the maximal time for such update operation is about 210us and 900us. Signed-off-by: Hou Tao Link: https://lore.kernel.org/r/20241206110622.1161752-8-houtao@huaweicloud.com Signed-off-by: Alexei Starovoitov commit 3d8dc43eb2a3d179809f5fc27c88c93a57ea123d Author: Hou Tao Date: Fri Dec 6 19:06:19 2024 +0800 bpf: Switch to bpf mem allocator for LPM trie Multiple syzbot warnings have been reported. These warnings are mainly about the lock order between trie->lock and kmalloc()'s internal lock. See report [1] as an example: ====================================================== WARNING: possible circular locking dependency detected 6.10.0-rc7-syzkaller-00003-g4376e966ecb7 #0 Not tainted ------------------------------------------------------ syz.3.2069/15008 is trying to acquire lock: ffff88801544e6d8 (&n->list_lock){-.-.}-{2:2}, at: get_partial_node ... but task is already holding lock: ffff88802dcc89f8 (&trie->lock){-.-.}-{2:2}, at: trie_update_elem ... which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&trie->lock){-.-.}-{2:2}: __raw_spin_lock_irqsave _raw_spin_lock_irqsave+0x3a/0x60 trie_delete_elem+0xb0/0x820 ___bpf_prog_run+0x3e51/0xabd0 __bpf_prog_run32+0xc1/0x100 bpf_dispatcher_nop_func ...... bpf_trace_run2+0x231/0x590 __bpf_trace_contention_end+0xca/0x110 trace_contention_end.constprop.0+0xea/0x170 __pv_queued_spin_lock_slowpath+0x28e/0xcc0 pv_queued_spin_lock_slowpath queued_spin_lock_slowpath queued_spin_lock do_raw_spin_lock+0x210/0x2c0 __raw_spin_lock_irqsave _raw_spin_lock_irqsave+0x42/0x60 __put_partials+0xc3/0x170 qlink_free qlist_free_all+0x4e/0x140 kasan_quarantine_reduce+0x192/0x1e0 __kasan_slab_alloc+0x69/0x90 kasan_slab_alloc slab_post_alloc_hook slab_alloc_node kmem_cache_alloc_node_noprof+0x153/0x310 __alloc_skb+0x2b1/0x380 ...... -> #0 (&n->list_lock){-.-.}-{2:2}: check_prev_add check_prevs_add validate_chain __lock_acquire+0x2478/0x3b30 lock_acquire lock_acquire+0x1b1/0x560 __raw_spin_lock_irqsave _raw_spin_lock_irqsave+0x3a/0x60 get_partial_node.part.0+0x20/0x350 get_partial_node get_partial ___slab_alloc+0x65b/0x1870 __slab_alloc.constprop.0+0x56/0xb0 __slab_alloc_node slab_alloc_node __do_kmalloc_node __kmalloc_node_noprof+0x35c/0x440 kmalloc_node_noprof bpf_map_kmalloc_node+0x98/0x4a0 lpm_trie_node_alloc trie_update_elem+0x1ef/0xe00 bpf_map_update_value+0x2c1/0x6c0 map_update_elem+0x623/0x910 __sys_bpf+0x90c/0x49a0 ... other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&trie->lock); lock(&n->list_lock); lock(&trie->lock); lock(&n->list_lock); *** DEADLOCK *** [1]: https://syzkaller.appspot.com/bug?extid=9045c0a3d5a7f1b119f7 A bpf program attached to trace_contention_end() triggers after acquiring &n->list_lock. The program invokes trie_delete_elem(), which then acquires trie->lock. However, it is possible that another process is invoking trie_update_elem(). trie_update_elem() will acquire trie->lock first, then invoke kmalloc_node(). kmalloc_node() may invoke get_partial_node() and try to acquire &n->list_lock (not necessarily the same lock object). Therefore, lockdep warns about the circular locking dependency. Invoking kmalloc() before acquiring trie->lock could fix the warning. However, since BPF programs call be invoked from any context (e.g., through kprobe/tracepoint/fentry), there may still be lock ordering problems for internal locks in kmalloc() or trie->lock itself. To eliminate these potential lock ordering problems with kmalloc()'s internal locks, replacing kmalloc()/kfree()/kfree_rcu() with equivalent BPF memory allocator APIs that can be invoked in any context. The lock ordering problems with trie->lock (e.g., reentrance) will be handled separately. Three aspects of this change require explanation: 1. Intermediate and leaf nodes are allocated from the same allocator. Since the value size of LPM trie is usually small, using a single alocator reduces the memory overhead of the BPF memory allocator. 2. Leaf nodes are allocated before disabling IRQs. This handles cases where leaf_size is large (e.g., > 4KB - 8) and updates require intermediate node allocation. If leaf nodes were allocated in IRQ-disabled region, the free objects in BPF memory allocator would not be refilled timely and the intermediate node allocation may fail. 3. Paired migrate_{disable|enable}() calls for node alloc and free. The BPF memory allocator uses per-CPU struct internally, these paired calls are necessary to guarantee correctness. Reviewed-by: Toke Høiland-Jørgensen Signed-off-by: Hou Tao Link: https://lore.kernel.org/r/20241206110622.1161752-7-houtao@huaweicloud.com Signed-off-by: Alexei Starovoitov commit 27abc7b3fa2e09bbe41e2924d328121546865eda Author: Hou Tao Date: Fri Dec 6 19:06:18 2024 +0800 bpf: Fix exact match conditions in trie_get_next_key() trie_get_next_key() uses node->prefixlen == key->prefixlen to identify an exact match, However, it is incorrect because when the target key doesn't fully match the found node (e.g., node->prefixlen != matchlen), these two nodes may also have the same prefixlen. It will return expected result when the passed key exist in the trie. However when a recently-deleted key or nonexistent key is passed to trie_get_next_key(), it may skip keys and return incorrect result. Fix it by using node->prefixlen == matchlen to identify exact matches. When the condition is true after the search, it also implies node->prefixlen equals key->prefixlen, otherwise, the search would return NULL instead. Fixes: b471f2f1de8b ("bpf: implement MAP_GET_NEXT_KEY command for LPM_TRIE map") Reviewed-by: Toke Høiland-Jørgensen Signed-off-by: Hou Tao Link: https://lore.kernel.org/r/20241206110622.1161752-6-houtao@huaweicloud.com Signed-off-by: Alexei Starovoitov commit 532d6b36b2bfac5514426a97a4df8d103d700d43 Author: Hou Tao Date: Fri Dec 6 19:06:17 2024 +0800 bpf: Handle in-place update for full LPM trie correctly When a LPM trie is full, in-place updates of existing elements incorrectly return -ENOSPC. Fix this by deferring the check of trie->n_entries. For new insertions, n_entries must not exceed max_entries. However, in-place updates are allowed even when the trie is full. Fixes: b95a5c4db09b ("bpf: add a longest prefix match trie map implementation") Reviewed-by: Toke Høiland-Jørgensen Signed-off-by: Hou Tao Link: https://lore.kernel.org/r/20241206110622.1161752-5-houtao@huaweicloud.com Signed-off-by: Alexei Starovoitov commit eae6a075e9537dd69891cf77ca5a88fa8a28b4a1 Author: Hou Tao Date: Fri Dec 6 19:06:16 2024 +0800 bpf: Handle BPF_EXIST and BPF_NOEXIST for LPM trie Add the currently missing handling for the BPF_EXIST and BPF_NOEXIST flags. These flags can be specified by users and are relevant since LPM trie supports exact matches during update. Fixes: b95a5c4db09b ("bpf: add a longest prefix match trie map implementation") Reviewed-by: Toke Høiland-Jørgensen Acked-by: Daniel Borkmann Signed-off-by: Hou Tao Link: https://lore.kernel.org/r/20241206110622.1161752-4-houtao@huaweicloud.com Signed-off-by: Alexei Starovoitov commit 3d5611b4d7efbefb85a74fcdbc35c603847cc022 Author: Hou Tao Date: Fri Dec 6 19:06:15 2024 +0800 bpf: Remove unnecessary kfree(im_node) in lpm_trie_update_elem There is no need to call kfree(im_node) when updating element fails, because im_node must be NULL. Remove the unnecessary kfree() for im_node. Reviewed-by: Toke Høiland-Jørgensen Acked-by: Daniel Borkmann Signed-off-by: Hou Tao Link: https://lore.kernel.org/r/20241206110622.1161752-3-houtao@huaweicloud.com Signed-off-by: Alexei Starovoitov commit 156c977c539e87e173f505b23989d7b0ec0bc7d8 Author: Hou Tao Date: Fri Dec 6 19:06:14 2024 +0800 bpf: Remove unnecessary check when updating LPM trie When "node->prefixlen == matchlen" is true, it means that the node is fully matched. If "node->prefixlen == key->prefixlen" is false, it means the prefix length of key is greater than the prefix length of node, otherwise, matchlen will not be equal with node->prefixlen. However, it also implies that the prefix length of node must be less than max_prefixlen. Therefore, "node->prefixlen == trie->max_prefixlen" will always be false when the check of "node->prefixlen == key->prefixlen" returns false. Remove this unnecessary comparison. Reviewed-by: Toke Høiland-Jørgensen Acked-by: Daniel Borkmann Signed-off-by: Hou Tao Link: https://lore.kernel.org/r/20241206110622.1161752-2-houtao@huaweicloud.com Signed-off-by: Alexei Starovoitov commit 22465bbac53c821319089016f268a2437de9b00a Author: Ming Lei Date: Fri Dec 6 19:16:07 2024 +0800 blk-mq: move cpuhp callback registering out of q->sysfs_lock Registering and unregistering cpuhp callback requires global cpu hotplug lock, which is used everywhere. Meantime q->sysfs_lock is used in block layer almost everywhere. It is easy to trigger lockdep warning[1] by connecting the two locks. Fix the warning by moving blk-mq's cpuhp callback registering out of q->sysfs_lock. Add one dedicated global lock for covering registering & unregistering hctx's cpuhp, and it is safe to do so because hctx is guaranteed to be live if our request_queue is live. [1] https://lore.kernel.org/lkml/Z04pz3AlvI4o0Mr8@agluck-desk3/ Cc: Reinette Chatre Cc: Fenghua Yu Cc: Peter Newman Cc: Babu Moger Reported-by: Luck Tony Signed-off-by: Ming Lei Tested-by: Tony Luck Link: https://lore.kernel.org/r/20241206111611.978870-3-ming.lei@redhat.com Signed-off-by: Jens Axboe commit 4bf485a7db5d82ddd0f3ad2b299893199090375e Author: Ming Lei Date: Fri Dec 6 19:16:06 2024 +0800 blk-mq: register cpuhp callback after hctx is added to xarray table We need to retrieve 'hctx' from xarray table in the cpuhp callback, so the callback should be registered after this 'hctx' is added to xarray table. Cc: Reinette Chatre Cc: Fenghua Yu Cc: Peter Newman Cc: Babu Moger Cc: Luck Tony Signed-off-by: Ming Lei Tested-by: Tony Luck Link: https://lore.kernel.org/r/20241206111611.978870-2-ming.lei@redhat.com Signed-off-by: Jens Axboe commit 0b2c29fb68f8bf3e87a9d88404aa6fdd486223e5 Author: Ard Biesheuvel Date: Fri Dec 6 11:41:40 2024 +0100 efi/zboot: Limit compression options to GZIP and ZSTD For historical reasons, the legacy decompressor code on various architectures supports 7 different compression types for the compressed kernel image. EFI zboot is not a compression library museum, and so the options can be limited to what is likely to be useful in practice: - GZIP is tried and tested, and is still one of the fastest at decompression time, although the compression ratio is not very high; moreover, Fedora is already shipping EFI zboot kernels for arm64 that use GZIP, and QEMU implements direct support for it when booting a kernel without firmware loaded; - ZSTD has a very high compression ratio (although not the highest), and is almost as fast as GZIP at decompression time. Reducing the number of options makes it less of a hassle for other consumers of the EFI zboot format (such as QEMU today, and kexec in the future) to support it transparently without having to carry 7 different decompression libraries. Acked-by: Gerd Hoffmann Signed-off-by: Ard Biesheuvel commit 1f8af9712413f456849fdf3f3a782cbe099476d7 Author: Claudiu Beznea Date: Tue Nov 19 10:55:54 2024 +0200 reset: rzg2l-usbphy-ctrl: Assign proper of node to the allocated device The platform device named "rzg2l-usb-vbus-regulator", allocated by the rzg2l-usbphy-ctrl driver, is used to instantiate a regulator driver. This regulator driver is associated with a device tree (DT) node, which is a child of the rzg2l-usbphy-ctrl DT node. The regulator's DT node allows consumer nodes to reference the regulator and configure the regulator as needed. Starting with commit cd7a38c40b23 ("regulator: core: do not silently ignore provided init_data") the struct regulator_dev::dev::of_node is no longer populated using of_node_get(config->of_node) if the regulator does not provide init_data. Since the rzg2l-usb-vbus-regulator does not provide init_data, this behaviour causes the of_find_regulator_by_node() function to fails, resulting in errors when attempting to request the regulator. To fix this issue, call device_set_of_node_from_dev() for the "rzg2l-usb-vbus-regulator" platform device. Fixes: 84fbd6198766 ("regulator: Add Renesas RZ/G2L USB VBUS regulator driver") Signed-off-by: Claudiu Beznea Reviewed-by: Biju Das Link: https://lore.kernel.org/r/20241119085554.1035881-1-claudiu.beznea.uj@bp.renesas.com Signed-off-by: Philipp Zabel commit c32b624fa4f7ca5a2ff217a0b1b2f1352bb4ec11 Author: Paulo Alcantara Date: Fri Dec 6 11:49:07 2024 -0300 smb: client: fix potential race in cifs_put_tcon() dfs_cache_refresh() delayed worker could race with cifs_put_tcon(), so make sure to call list_replace_init() on @tcon->dfs_ses_list after kworker is cancelled or finished. Fixes: 4f42a8b54b5c ("smb: client: fix DFS interlink failover") Signed-off-by: Paulo Alcantara (Red Hat) Signed-off-by: Steve French commit ddca5023091588eb303e3c0097d95c325992d05f Author: Steve French Date: Wed Dec 4 17:46:00 2024 -0600 smb3.1.1: fix posix mounts to older servers Some servers which implement the SMB3.1.1 POSIX extensions did not set the file type in the mode in the infolevel 100 response. With the recent changes for checking the file type via the mode field, this can cause the root directory to be reported incorrectly and mounts (e.g. to ksmbd) to fail. Fixes: 6a832bc8bbb2 ("fs/smb/client: Implement new SMB3 POSIX type") Cc: stable@vger.kernel.org Acked-by: Paulo Alcantara (Red Hat) Cc: Ralph Boehme Signed-off-by: Steve French commit f10bef73fb355e3fc85e63a50386798be68ff486 Author: Filipe Manana Date: Tue Dec 3 11:53:27 2024 +0000 btrfs: flush delalloc workers queue before stopping cleaner kthread during unmount During the unmount path, at close_ctree(), we first stop the cleaner kthread, using kthread_stop() which frees the associated task_struct, and then stop and destroy all the work queues. However after we stopped the cleaner we may still have a worker from the delalloc_workers queue running inode.c:submit_compressed_extents(), which calls btrfs_add_delayed_iput(), which in turn tries to wake up the cleaner kthread - which was already destroyed before, resulting in a use-after-free on the task_struct. Syzbot reported this with the following stack traces: BUG: KASAN: slab-use-after-free in __lock_acquire+0x78/0x2100 kernel/locking/lockdep.c:5089 Read of size 8 at addr ffff8880259d2818 by task kworker/u8:3/52 CPU: 1 UID: 0 PID: 52 Comm: kworker/u8:3 Not tainted 6.13.0-rc1-syzkaller-00002-gcdd30ebb1b9f #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: btrfs-delalloc btrfs_work_helper Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 __lock_acquire+0x78/0x2100 kernel/locking/lockdep.c:5089 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162 class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline] try_to_wake_up+0xc2/0x1470 kernel/sched/core.c:4205 submit_compressed_extents+0xdf/0x16e0 fs/btrfs/inode.c:1615 run_ordered_work fs/btrfs/async-thread.c:288 [inline] btrfs_work_helper+0x96f/0xc40 fs/btrfs/async-thread.c:324 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Allocated by task 2: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 unpoison_slab_object mm/kasan/common.c:319 [inline] __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:345 kasan_slab_alloc include/linux/kasan.h:250 [inline] slab_post_alloc_hook mm/slub.c:4104 [inline] slab_alloc_node mm/slub.c:4153 [inline] kmem_cache_alloc_node_noprof+0x1d9/0x380 mm/slub.c:4205 alloc_task_struct_node kernel/fork.c:180 [inline] dup_task_struct+0x57/0x8c0 kernel/fork.c:1113 copy_process+0x5d1/0x3d50 kernel/fork.c:2225 kernel_clone+0x223/0x870 kernel/fork.c:2807 kernel_thread+0x1bc/0x240 kernel/fork.c:2869 create_kthread kernel/kthread.c:412 [inline] kthreadd+0x60d/0x810 kernel/kthread.c:767 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Freed by task 24: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2338 [inline] slab_free mm/slub.c:4598 [inline] kmem_cache_free+0x195/0x410 mm/slub.c:4700 put_task_struct include/linux/sched/task.h:144 [inline] delayed_put_task_struct+0x125/0x300 kernel/exit.c:227 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xaaa/0x17a0 kernel/rcu/tree.c:2823 handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:554 run_ksoftirqd+0xca/0x130 kernel/softirq.c:943 smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Last potentially related work creation: kasan_save_stack+0x3f/0x60 mm/kasan/common.c:47 __kasan_record_aux_stack+0xac/0xc0 mm/kasan/generic.c:544 __call_rcu_common kernel/rcu/tree.c:3086 [inline] call_rcu+0x167/0xa70 kernel/rcu/tree.c:3190 context_switch kernel/sched/core.c:5372 [inline] __schedule+0x1803/0x4be0 kernel/sched/core.c:6756 __schedule_loop kernel/sched/core.c:6833 [inline] schedule+0x14b/0x320 kernel/sched/core.c:6848 schedule_timeout+0xb0/0x290 kernel/time/sleep_timeout.c:75 do_wait_for_common kernel/sched/completion.c:95 [inline] __wait_for_common kernel/sched/completion.c:116 [inline] wait_for_common kernel/sched/completion.c:127 [inline] wait_for_completion+0x355/0x620 kernel/sched/completion.c:148 kthread_stop+0x19e/0x640 kernel/kthread.c:712 close_ctree+0x524/0xd60 fs/btrfs/disk-io.c:4328 generic_shutdown_super+0x139/0x2d0 fs/super.c:642 kill_anon_super+0x3b/0x70 fs/super.c:1237 btrfs_kill_super+0x41/0x50 fs/btrfs/super.c:2112 deactivate_locked_super+0xc4/0x130 fs/super.c:473 cleanup_mnt+0x41f/0x4b0 fs/namespace.c:1373 task_work_run+0x24f/0x310 kernel/task_work.c:239 ptrace_notify+0x2d2/0x380 kernel/signal.c:2503 ptrace_report_syscall include/linux/ptrace.h:415 [inline] ptrace_report_syscall_exit include/linux/ptrace.h:477 [inline] syscall_exit_work+0xc7/0x1d0 kernel/entry/common.c:173 syscall_exit_to_user_mode_prepare kernel/entry/common.c:200 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:205 [inline] syscall_exit_to_user_mode+0x24a/0x340 kernel/entry/common.c:218 do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff8880259d1e00 which belongs to the cache task_struct of size 7424 The buggy address is located 2584 bytes inside of freed 7424-byte region [ffff8880259d1e00, ffff8880259d3b00) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x259d0 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 memcg:ffff88802f4b56c1 flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 00fff00000000040 ffff88801bafe500 dead000000000100 dead000000000122 raw: 0000000000000000 0000000000040004 00000001f5000000 ffff88802f4b56c1 head: 00fff00000000040 ffff88801bafe500 dead000000000100 dead000000000122 head: 0000000000000000 0000000000040004 00000001f5000000 ffff88802f4b56c1 head: 00fff00000000003 ffffea0000967401 ffffffffffffffff 0000000000000000 head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 12, tgid 12 (kworker/u8:1), ts 7328037942, free_ts 0 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1556 prep_new_page mm/page_alloc.c:1564 [inline] get_page_from_freelist+0x3651/0x37a0 mm/page_alloc.c:3474 __alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4751 alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265 alloc_slab_page+0x6a/0x140 mm/slub.c:2408 allocate_slab+0x5a/0x2f0 mm/slub.c:2574 new_slab mm/slub.c:2627 [inline] ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3815 __slab_alloc+0x58/0xa0 mm/slub.c:3905 __slab_alloc_node mm/slub.c:3980 [inline] slab_alloc_node mm/slub.c:4141 [inline] kmem_cache_alloc_node_noprof+0x269/0x380 mm/slub.c:4205 alloc_task_struct_node kernel/fork.c:180 [inline] dup_task_struct+0x57/0x8c0 kernel/fork.c:1113 copy_process+0x5d1/0x3d50 kernel/fork.c:2225 kernel_clone+0x223/0x870 kernel/fork.c:2807 user_mode_thread+0x132/0x1a0 kernel/fork.c:2885 call_usermodehelper_exec_work+0x5c/0x230 kernel/umh.c:171 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 page_owner free stack trace missing Memory state around the buggy address: ffff8880259d2700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880259d2780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8880259d2800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880259d2880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880259d2900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Fix this by flushing the delalloc workers queue before stopping the cleaner kthread. Reported-by: syzbot+b7cf50a0c173770dcb14@syzkaller.appspotmail.com Link: https://lore.kernel.org/linux-btrfs/674ed7e8.050a0220.48a03.0031.GAE@google.com/ Reviewed-by: Qu Wenruo Signed-off-by: Filipe Manana Reviewed-by: David Sterba Signed-off-by: David Sterba commit c7c97ceff98cc459bf5e358e5cbd06fcb651d501 Author: Johannes Thumshirn Date: Mon Dec 2 23:40:22 2024 -0800 btrfs: handle bio_split() errors Commit e546fe1da9bd ("block: Rework bio_split() return value") changed bio_split() so that it can return errors. Add error handling for it in btrfs_split_bio() and ultimately btrfs_submit_chunk(). As the bio is not submitted, the bio counter must be decremented to pair btrfs_bio_counter_inc_blocked(). Reviewed-by: John Garry Signed-off-by: Johannes Thumshirn Reviewed-by: David Sterba Signed-off-by: David Sterba commit c83d77eb0f216867e44da6b257b129582ba23287 Author: Qu Wenruo Date: Tue Dec 3 08:17:53 2024 +1030 btrfs: properly wait for writeback before buffered write [BUG] Before commit e820dbeb6ad1 ("btrfs: convert btrfs_buffered_write() to use folios"), function prepare_one_folio() will always wait for folio writeback to finish before returning the folio. However commit e820dbeb6ad1 ("btrfs: convert btrfs_buffered_write() to use folios") changed to use FGP_STABLE to do the writeback wait, but FGP_STABLE is calling folio_wait_stable(), which only calls folio_wait_writeback() if the address space has AS_STABLE_WRITES, which is not set for btrfs inodes. This means we will not wait for the folio writeback at all. [CAUSE] The cause is FGP_STABLE is not waiting for writeback unconditionally, but only for address spaces with AS_STABLE_WRITES, normally such flag is set when the super block has SB_I_STABLE_WRITES flag. Such super block flag is set when the block device has hardware digest support or has internal checksum requirement. I'd argue btrfs should set such super block due to its default data checksum behavior, but it is not set yet, so this means FGP_STABLE flag will have no effect at all. (For NODATASUM inodes, we can skip the waiting in theory but that should be an optimization in the future.) This can lead to data checksum mismatch, as we can modify the folio while it's still under writeback, this will make the contents differ from the contents at submission and checksum calculation. [FIX] Instead of fully relying on FGP_STABLE, manually do the folio writeback waiting, until we set the address space or super flag. Fixes: e820dbeb6ad1 ("btrfs: convert btrfs_buffered_write() to use folios") Reviewed-by: Filipe Manana Signed-off-by: Qu Wenruo Signed-off-by: David Sterba commit ea6398a5af81e3e7fb3da5d261694d479a321fd9 Author: Michael Neuling Date: Wed Nov 27 04:18:40 2024 +0000 RISC-V: KVM: Fix csr_write -> csr_set for HVIEN PMU overflow bit This doesn't cause a problem currently as HVIEN isn't used elsewhere yet. Found by inspection. Signed-off-by: Michael Neuling Fixes: 16b0bde9a37c ("RISC-V: KVM: Add perf sampling support for guests") Reviewed-by: Atish Patra Reviewed-by: Anup Patel Link: https://lore.kernel.org/r/20241127041840.419940-1-michaelneuling@tenstorrent.com Signed-off-by: Anup Patel commit 1b452c2de5555d832cd51c46824272a44ad7acac Author: Vasiliy Kovalev Date: Fri Dec 6 00:03:06 2024 +0300 ALSA: hda/realtek - Add support for ASUS Zen AIO 27 Z272SD_A272SD audio Introduces necessary quirks to enable audio functionality on the ASUS Zen AIO 27 Z272SD_A272SD: - configures verbs to activate internal speakers and headphone jack. - implements adjustments for headset microphone functionality. The speaker and jack configurations were derived from a dump of the working Windows driver, while the headset microphone functionality was fine-tuned through experimental testing. Link: https://lore.kernel.org/all/CAGGMHBOGDUnMewBTrZgoBKFk_A4sNF4fEXwfH9Ay8SNTzjy0-g@mail.gmail.com/T/ Signed-off-by: Vasiliy Kovalev Link: https://patch.msgid.link/20241205210306.977634-1-kovalev@altlinux.org Signed-off-by: Takashi Iwai commit 5a69e3d0a1b0f07e58c353560cfcb1ea20a6f040 Author: Hridesh MG Date: Thu Dec 5 22:48:42 2024 +0530 ALSA: hda/realtek: Fix headset mic on Acer Nitro 5 Add a PCI quirk to enable microphone input on the headphone jack on the Acer Nitro 5 AN515-58 laptop. Signed-off-by: Hridesh MG Cc: Link: https://patch.msgid.link/20241205171843.7787-1-hridesh699@gmail.com Signed-off-by: Takashi Iwai commit 47b17ba05a463b22fa79f132e6f6899d53538802 Author: Simon Trimmer Date: Fri Dec 6 10:57:57 2024 +0000 ALSA: hda: cs35l56: Remove calls to cs35l56_force_sync_asp1_registers_from_cache() Commit 5d7e328e20b3 ("ASoC: cs35l56: Revert support for dual-ownership of ASP registers") replaced cs35l56_force_sync_asp1_registers_from_cache() with a dummy implementation so that the HDA driver would continue to build. Remove the calls from HDA and remove the stub function. Signed-off-by: Simon Trimmer Signed-off-by: Richard Fitzgerald Link: https://patch.msgid.link/20241206105757.718750-1-rf@opensource.cirrus.com Signed-off-by: Takashi Iwai commit 9677be09e5e4fbe48aeccb06ae3063c5eba331c3 Author: Ricardo Neri Date: Wed Nov 27 16:22:47 2024 -0800 x86/cacheinfo: Delete global num_cache_leaves Linux remembers cpu_cachinfo::num_leaves per CPU, but x86 initializes all CPUs from the same global "num_cache_leaves". This is erroneous on systems such as Meteor Lake, where each CPU has a distinct num_leaves value. Delete the global "num_cache_leaves" and initialize num_leaves on each CPU. init_cache_level() no longer needs to set num_leaves. Also, it never had to set num_levels as it is unnecessary in x86. Keep checking for zero cache leaves. Such condition indicates a bug. [ bp: Cleanup. ] Signed-off-by: Ricardo Neri Signed-off-by: Borislav Petkov (AMD) Cc: stable@vger.kernel.org # 6.3+ Link: https://lore.kernel.org/r/20241128002247.26726-3-ricardo.neri-calderon@linux.intel.com commit b3fce429a1e030b50c1c91351d69b8667eef627b Author: Ricardo Neri Date: Wed Nov 27 16:22:46 2024 -0800 cacheinfo: Allocate memory during CPU hotplug if not done from the primary CPU Commit 5944ce092b97 ("arch_topology: Build cacheinfo from primary CPU") adds functionality that architectures can use to optionally allocate and build cacheinfo early during boot. Commit 6539cffa9495 ("cacheinfo: Add arch specific early level initializer") lets secondary CPUs correct (and reallocate memory) cacheinfo data if needed. If the early build functionality is not used and cacheinfo does not need correction, memory for cacheinfo is never allocated. x86 does not use the early build functionality. Consequently, during the cacheinfo CPU hotplug callback, last_level_cache_is_valid() attempts to dereference a NULL pointer: BUG: kernel NULL pointer dereference, address: 0000000000000100 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not present page PGD 0 P4D 0 Oops: 0000 [#1] PREEPMT SMP NOPTI CPU: 0 PID 19 Comm: cpuhp/0 Not tainted 6.4.0-rc2 #1 RIP: 0010: last_level_cache_is_valid+0x95/0xe0a Allocate memory for cacheinfo during the cacheinfo CPU hotplug callback if not done earlier. Moreover, before determining the validity of the last-level cache info, ensure that it has been allocated. Simply checking for non-zero cache_leaves() is not sufficient, as some architectures (e.g., Intel processors) have non-zero cache_leaves() before allocation. Dereferencing NULL cacheinfo can occur in update_per_cpu_data_slice_size(). This function iterates over all online CPUs. However, a CPU may have come online recently, but its cacheinfo may not have been allocated yet. While here, remove an unnecessary indentation in allocate_cache_info(). [ bp: Massage. ] Fixes: 6539cffa9495 ("cacheinfo: Add arch specific early level initializer") Signed-off-by: Ricardo Neri Signed-off-by: Borislav Petkov (AMD) Reviewed-by: Radu Rendec Reviewed-by: Nikolay Borisov Reviewed-by: Andreas Herrmann Reviewed-by: Sudeep Holla Cc: stable@vger.kernel.org # 6.3+ Link: https://lore.kernel.org/r/20241128002247.26726-2-ricardo.neri-calderon@linux.intel.com commit f1d3334d604cc32db63f6e2b3283011e02294e54 Author: Haoyu Li Date: Tue Dec 3 23:20:49 2024 +0800 wifi: cfg80211: sme: init n_channels before channels[] access With the __counted_by annocation in cfg80211_scan_request struct, the "n_channels" struct member must be set before accessing the "channels" array. Failing to do so will trigger a runtime warning when enabling CONFIG_UBSAN_BOUNDS and CONFIG_FORTIFY_SOURCE. Fixes: e3eac9f32ec0 ("wifi: cfg80211: Annotate struct cfg80211_scan_request with __counted_by") Signed-off-by: Haoyu Li Link: https://patch.msgid.link/20241203152049.348806-1-lihaoyu499@gmail.com Signed-off-by: Johannes Berg commit 07fa619f2a40c221ea27747a3323cabc59ab25eb Author: David Woodhouse Date: Thu Dec 5 15:05:07 2024 +0000 x86/kexec: Restore GDT on return from ::preserve_context kexec The restore_processor_state() function explicitly states that "the asm code that gets us here will have restored a usable GDT". That wasn't true in the case of returning from a ::preserve_context kexec. Make it so. Without this, the kernel was depending on the called function to reload a GDT which is appropriate for the kernel before returning. Test program: #include #include #include #include #include #include #include #include int main (void) { struct kexec_segment segment = {}; unsigned char purgatory[] = { 0x66, 0xba, 0xf8, 0x03, // mov $0x3f8, %dx 0xb0, 0x42, // mov $0x42, %al 0xee, // outb %al, (%dx) 0xc3, // ret }; int ret; segment.buf = &purgatory; segment.bufsz = sizeof(purgatory); segment.mem = (void *)0x400000; segment.memsz = 0x1000; ret = syscall(__NR_kexec_load, 0x400000, 1, &segment, KEXEC_PRESERVE_CONTEXT); if (ret) { perror("kexec_load"); exit(1); } ret = syscall(__NR_reboot, LINUX_REBOOT_MAGIC1, LINUX_REBOOT_MAGIC2, LINUX_REBOOT_CMD_KEXEC); if (ret) { perror("kexec reboot"); exit(1); } printf("Success\n"); return 0; } Signed-off-by: David Woodhouse Signed-off-by: Ingo Molnar Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20241205153343.3275139-2-dwmw2@infradead.org commit 4e450dfd0f968b79204637bf13280892dff287b1 Author: Guenter Roeck Date: Thu Dec 5 06:30:33 2024 -0800 tty: serial: Work around warning backtrace in serial8250_set_defaults Commit 7c7e6c8924e7 ("tty: serial: handle HAS_IOPORT dependencies") triggers warning backtraces on a number of platforms which don't support IO ports. WARNING: CPU: 0 PID: 0 at drivers/tty/serial/8250/8250_port.c:470 serial8250_set_defaults+0x148/0x1d8 Unsupported UART type 0 The problem is seen because serial8250_set_defaults() is called for all members of the serial8250_ports[] array even if that array is not initialized. Work around the problem by only displaying the warning if the port type is not 0 (UPIO_PORT) or if iobase is set for the port. Fixes: 7c7e6c8924e7 ("tty: serial: handle HAS_IOPORT dependencies") Acked-by: Arnd Bergmann Cc: Niklas Schnelle Signed-off-by: Guenter Roeck Tested-by: Stafford Horne Link: https://lore.kernel.org/r/20241205143033.2695333-1-linux@roeck-us.net Signed-off-by: Greg Kroah-Hartman commit f1ee5483e40881d8ad5a63aa148b753b5c6a839b Author: Jakob Hauser Date: Fri Nov 29 22:25:07 2024 +0100 iio: magnetometer: yas530: use signed integer type for clamp limits In the function yas537_measure() there is a clamp_val() with limits of -BIT(13) and BIT(13) - 1. The input clamp value h[] is of type s32. The BIT() is of type unsigned long integer due to its define in include/vdso/bits.h. The lower limit -BIT(13) is recognized as -8192 but expressed as an unsigned long integer. The size of an unsigned long integer differs between 32-bit and 64-bit architectures. Converting this to type s32 may lead to undesired behavior. Additionally, in the calculation lines h[0], h[1] and h[2] the unsigned long integer divisor BIT(13) causes an unsigned division, shifting the left-hand side of the equation back and forth, possibly ending up in large positive values instead of negative values on 32-bit architectures. To solve those two issues, declare a signed integer with a value of BIT(13). There is another omission in the clamp line: clamp_val() returns a value and it's going nowhere here. Self-assign it to h[i] to make use of the clamp macro. Finally, replace clamp_val() macro by clamp() because after changing the limits from type unsigned long integer to signed integer it's fine that way. Link: https://lkml.kernel.org/r/11609b2243c295d65ab4d47e78c239d61ad6be75.1732914810.git.jahau@rocketmail.com Fixes: 65f79b501030 ("iio: magnetometer: yas530: Add YAS537 variant") Signed-off-by: Jakob Hauser Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202411230458.dhZwh3TT-lkp@intel.com/ Closes: https://lore.kernel.org/oe-kbuild-all/202411282222.oF0B4110-lkp@intel.com/ Reviewed-by: David Laight Acked-by: Jonathan Cameron Cc: Lars-Peter Clausen Cc: Linus Walleij Signed-off-by: Andrew Morton commit 5f1b64e9a9b7ee9cfd32c6b2fab796e29bfed075 Author: Adrian Huang Date: Wed Nov 13 18:21:46 2024 +0800 sched/numa: fix memory leak due to the overwritten vma->numab_state [Problem Description] When running the hackbench program of LTP, the following memory leak is reported by kmemleak. # /opt/ltp/testcases/bin/hackbench 20 thread 1000 Running with 20*40 (== 800) tasks. # dmesg | grep kmemleak ... kmemleak: 480 new suspected memory leaks (see /sys/kernel/debug/kmemleak) kmemleak: 665 new suspected memory leaks (see /sys/kernel/debug/kmemleak) # cat /sys/kernel/debug/kmemleak unreferenced object 0xffff888cd8ca2c40 (size 64): comm "hackbench", pid 17142, jiffies 4299780315 hex dump (first 32 bytes): ac 74 49 00 01 00 00 00 4c 84 49 00 01 00 00 00 .tI.....L.I..... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc bff18fd4): [] __kmalloc_cache_noprof+0x2f9/0x3f0 [] task_numa_work+0x725/0xa00 [] task_work_run+0x58/0x90 [] syscall_exit_to_user_mode+0x1c8/0x1e0 [] do_syscall_64+0x85/0x150 [] entry_SYSCALL_64_after_hwframe+0x76/0x7e ... This issue can be consistently reproduced on three different servers: * a 448-core server * a 256-core server * a 192-core server [Root Cause] Since multiple threads are created by the hackbench program (along with the command argument 'thread'), a shared vma might be accessed by two or more cores simultaneously. When two or more cores observe that vma->numab_state is NULL at the same time, vma->numab_state will be overwritten. Although current code ensures that only one thread scans the VMAs in a single 'numa_scan_period', there might be a chance for another thread to enter in the next 'numa_scan_period' while we have not gotten till numab_state allocation [1]. Note that the command `/opt/ltp/testcases/bin/hackbench 50 process 1000` cannot the reproduce the issue. It is verified with 200+ test runs. [Solution] Use the cmpxchg atomic operation to ensure that only one thread executes the vma->numab_state assignment. [1] https://lore.kernel.org/lkml/1794be3c-358c-4cdc-a43d-a1f841d91ef7@amd.com/ Link: https://lkml.kernel.org/r/20241113102146.2384-1-ahuang12@lenovo.com Fixes: ef6a22b70f6d ("sched/numa: apply the scan delay to every new vma") Signed-off-by: Adrian Huang Reported-by: Jiwei Sun Reviewed-by: Raghavendra K T Reviewed-by: Vlastimil Babka Cc: Ben Segall Cc: Dietmar Eggemann Cc: Ingo Molnar Cc: Juri Lelli Cc: Mel Gorman Cc: Peter Zijlstra Cc: Steven Rostedt Cc: Valentin Schneider Cc: Vincent Guittot Cc: Signed-off-by: Andrew Morton commit 6535b8669c1a74078098517174e53fc907ce9d56 Author: Akinobu Mita Date: Fri Nov 15 10:20:23 2024 -0800 mm/damon: fix order of arguments in damos_before_apply tracepoint Since the order of the scheme_idx and target_idx arguments in TP_ARGS is reversed, they are stored in the trace record in reverse. Link: https://lkml.kernel.org/r/20241115182023.43118-1-sj@kernel.org Link: https://patch.msgid.link/20241112154828.40307-1-akinobu.mita@gmail.com Fixes: c603c630b509 ("mm/damon/core: add a tracepoint for damos apply target regions") Signed-off-by: Akinobu Mita Signed-off-by: SeongJae Park Cc: Masami Hiramatsu Cc: Mathieu Desnoyers Cc: Steven Rostedt Cc: Signed-off-by: Andrew Morton commit 5c3793604f91123bf49bc792ce697a0bef4c173c Author: Kees Cook Date: Sun Nov 17 03:38:13 2024 -0800 lib: stackinit: hide never-taken branch from compiler The never-taken branch leads to an invalid bounds condition, which is by design. To avoid the unwanted warning from the compiler, hide the variable from the optimizer. ../lib/stackinit_kunit.c: In function 'do_nothing_u16_zero': ../lib/stackinit_kunit.c:51:49: error: array subscript 1 is outside array bounds of 'u16[0]' {aka 'short unsigned int[]'} [-Werror=array-bounds=] 51 | #define DO_NOTHING_RETURN_SCALAR(ptr) *(ptr) | ^~~~~~ ../lib/stackinit_kunit.c:219:24: note: in expansion of macro 'DO_NOTHING_RETURN_SCALAR' 219 | return DO_NOTHING_RETURN_ ## which(ptr + 1); \ | ^~~~~~~~~~~~~~~~~~ Link: https://lkml.kernel.org/r/20241117113813.work.735-kees@kernel.org Signed-off-by: Kees Cook Cc: Signed-off-by: Andrew Morton commit 3203b3ab0fcf22132caadd72caebfad47bf0dd2b Author: David Hildenbrand Date: Fri Nov 29 13:53:03 2024 +0100 mm/filemap: don't call folio_test_locked() without a reference in next_uptodate_folio() The folio can get freed + buddy-merged + reallocated in the meantime, resulting in us calling folio_test_locked() possibly on a tail page. This makes const_folio_flags VM_BUG_ON_PGFLAGS() when stumbling over the tail page. Could this result in other issues? Doesn't look like it. False positives and false negatives don't really matter, because this folio would get skipped either way when detecting that they have been reallocated in the meantime. Fix it by performing the folio_test_locked() checked after grabbing a reference. If this ever becomes a real problem, we could add a special helper that racily checks if the bit is set even on tail pages ... but let's hope that's not required so we can just handle it cleaner: work on the folio after we hold a reference. Do we really need the folio_test_locked() check if we are going to trylock briefly after? Well, we can at least avoid a xas_reload(). It's a bit unclear which exact change introduced that issue. Likely, ever since we made PG_locked obey to the PF_NO_TAIL policy it could have been triggered in some way. Link: https://lkml.kernel.org/r/20241129125303.4033164-1-david@redhat.com Fixes: 48c935ad88f5 ("page-flags: define PG_locked behavior on compound pages") Signed-off-by: David Hildenbrand Reported-by: syzbot+9f9a7f73fb079b2387a6@syzkaller.appspotmail.com Closes: https://lore.kernel.org/lkml/674184c9.050a0220.1cc393.0001.GAE@google.com/ Acked-by: Kirill A. Shutemov Cc: "Matthew Wilcox (Oracle)" Cc: Hillf Danton Signed-off-by: Andrew Morton commit d89c8ec0546184267cb211b579514ebaf8916100 Author: Randy Dunlap Date: Fri Nov 29 18:24:06 2024 -0800 scatterlist: fix incorrect func name in kernel-doc Fix a kernel-doc warning by making the kernel-doc function description match the function name: include/linux/scatterlist.h:323: warning: expecting prototype for sg_unmark_bus_address(). Prototype was for sg_dma_unmark_bus_address() instead Link: https://lkml.kernel.org/r/20241130022406.537973-1-rdunlap@infradead.org Fixes: 42399301203e ("lib/scatterlist: add flag for indicating P2PDMA segments in an SGL") Signed-off-by: Randy Dunlap Cc: Logan Gunthorpe Cc: Christoph Hellwig Signed-off-by: Andrew Morton commit cbb70e45348769172cb24cca2d2b6437f4c9240b Author: Lorenzo Stoakes Date: Mon Nov 18 17:54:14 2024 +0000 mm: correct typo in MMAP_STATE() macro We mistakenly refer to len rather than len_ here. The only existing caller passes len to the len_ parameter so this has no impact on the code, but it is obviously incorrect to do this, so fix it. Link: https://lkml.kernel.org/r/20241118175414.390827-1-lorenzo.stoakes@oracle.com Signed-off-by: Lorenzo Stoakes Reviewed-by: Liam R. Howlett Reviewed-by: Wei Yang Cc: Jann Horn Cc: Vlastimil Babka Signed-off-by: Andrew Morton commit 249608ee47132cab3b1adacd9e463548f57bd316 Author: Kalesh Singh Date: Mon Nov 18 13:46:48 2024 -0800 mm: respect mmap hint address when aligning for THP Commit efa7df3e3bb5 ("mm: align larger anonymous mappings on THP boundaries") updated __get_unmapped_area() to align the start address for the VMA to a PMD boundary if CONFIG_TRANSPARENT_HUGEPAGE=y. It does this by effectively looking up a region that is of size, request_size + PMD_SIZE, and aligning up the start to a PMD boundary. Commit 4ef9ad19e176 ("mm: huge_memory: don't force huge page alignment on 32 bit") opted out of this for 32bit due to regressions in mmap base randomization. Commit d4148aeab412 ("mm, mmap: limit THP alignment of anonymous mappings to PMD-aligned sizes") restricted this to only mmap sizes that are multiples of the PMD_SIZE due to reported regressions in some performance benchmarks -- which seemed mostly due to the reduced spatial locality of related mappings due to the forced PMD-alignment. Another unintended side effect has emerged: When a user specifies an mmap hint address, the THP alignment logic modifies the behavior, potentially ignoring the hint even if a sufficiently large gap exists at the requested hint location. Example Scenario: Consider the following simplified virtual address (VA) space: ... 0x200000-0x400000 --- VMA A 0x400000-0x600000 --- Hole 0x600000-0x800000 --- VMA B ... A call to mmap() with hint=0x400000 and len=0x200000 behaves differently: - Before THP alignment: The requested region (size 0x200000) fits into the gap at 0x400000, so the hint is respected. - After alignment: The logic searches for a region of size 0x400000 (len + PMD_SIZE) starting at 0x400000. This search fails due to the mapping at 0x600000 (VMA B), and the hint is ignored, falling back to arch_get_unmapped_area[_topdown](). In general the hint is effectively ignored, if there is any existing mapping in the below range: [mmap_hint + mmap_size, mmap_hint + mmap_size + PMD_SIZE) This changes the semantics of mmap hint; from ""Respect the hint if a sufficiently large gap exists at the requested location" to "Respect the hint only if an additional PMD-sized gap exists beyond the requested size". This has performance implications for allocators that allocate their heap using mmap but try to keep it "as contiguous as possible" by using the end of the exisiting heap as the address hint. With the new behavior it's more likely to get a much less contiguous heap, adding extra fragmentation and performance overhead. To restore the expected behavior; don't use thp_get_unmapped_area_vmflags() when the user provided a hint address, for anonymous mappings. Note: As Yang Shi pointed out: the issue still remains for filesystems which are using thp_get_unmapped_area() for their get_unmapped_area() op. It is unclear what worklaods will regress for if we ignore THP alignment when the hint address is provided for such file backed mappings -- so this fix will be handled separately. Link: https://lkml.kernel.org/r/20241118214650.3667577-1-kaleshsingh@google.com Fixes: efa7df3e3bb5 ("mm: align larger anonymous mappings on THP boundaries") Signed-off-by: Kalesh Singh Reviewed-by: Rik van Riel Reviewed-by: Vlastimil Babka Reviewed-by: David Hildenbrand Cc: Kefeng Wang Cc: Vlastimil Babka Cc: Yang Shi Cc: Rik van Riel Cc: Ryan Roberts Cc: Suren Baghdasaryan Cc: Minchan Kim Cc: Hans Boehm Cc: Lokesh Gidra Cc: Signed-off-by: Andrew Morton commit 89dd878282881306c38f7e354e7614fca98cb9a6 Author: John Sperbeck Date: Thu Nov 28 12:39:59 2024 -0800 mm: memcg: declare do_memsw_account inline In commit 66d60c428b23 ("mm: memcg: move legacy memcg event code into memcontrol-v1.c"), the static do_memsw_account() function was moved from a .c file to a .h file. Unfortunately, the traditional inline keyword wasn't added. If a file (e.g., a unit test) includes the .h file, but doesn't refer to do_memsw_account(), it will get a warning like: mm/memcontrol-v1.h:41:13: warning: unused function 'do_memsw_account' [-Wunused-function] 41 | static bool do_memsw_account(void) | ^~~~~~~~~~~~~~~~ Link: https://lkml.kernel.org/r/20241128203959.726527-1-jsperbeck@google.com Fixes: 66d60c428b23 ("mm: memcg: move legacy memcg event code into memcontrol-v1.c") Signed-off-by: John Sperbeck Acked-by: Roman Gushchin Cc: Johannes Weiner Cc: Michal Hocko Cc: Muchun Song Cc: Shakeel Butt Cc: Signed-off-by: Andrew Morton commit 51f43d5d82ed2ba3f9a3f9a2390c52f28e42af32 Author: David Wang <00107082@163.com> Date: Fri Nov 29 10:52:13 2024 +0800 mm/codetag: swap tags when migrate pages Current solution to adjust codetag references during page migration is done in 3 steps: 1. sets the codetag reference of the old page as empty (not pointing to any codetag); 2. subtracts counters of the new page to compensate for its own allocation; 3. sets codetag reference of the new page to point to the codetag of the old page. This does not work if CONFIG_MEM_ALLOC_PROFILING_DEBUG=n because set_codetag_empty() becomes NOOP. Instead, let's simply swap codetag references so that the new page is referencing the old codetag and the old page is referencing the new codetag. This way accounting stays valid and the logic makes more sense. Link: https://lkml.kernel.org/r/20241129025213.34836-1-00107082@163.com Fixes: e0a955bf7f61 ("mm/codetag: add pgalloc_tag_copy()") Signed-off-by: David Wang <00107082@163.com> Closes: https://lore.kernel.org/lkml/20241124074318.399027-1-00107082@163.com/ Acked-by: Suren Baghdasaryan Suggested-by: Suren Baghdasaryan Acked-by: Yu Zhao Cc: Kent Overstreet Signed-off-by: Andrew Morton commit 914eec5e980171bc128e7e24f7a22aa1d803570e Author: Wengang Wang Date: Tue Nov 19 09:45:00 2024 -0800 ocfs2: update seq_file index in ocfs2_dlm_seq_next The following INFO level message was seen: seq_file: buggy .next function ocfs2_dlm_seq_next [ocfs2] did not update position index Fix: Update *pos (so m->index) to make seq_read_iter happy though the index its self makes no sense to ocfs2_dlm_seq_next. Link: https://lkml.kernel.org/r/20241119174500.9198-1-wen.gang.wang@oracle.com Signed-off-by: Wengang Wang Reviewed-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Changwei Ge Cc: Jun Piao Cc: Signed-off-by: Andrew Morton commit 031e04bdc834cda3b054ef6b698503b2b97e8186 Author: Marco Elver Date: Fri Nov 22 16:39:47 2024 +0100 stackdepot: fix stack_depot_save_flags() in NMI context Per documentation, stack_depot_save_flags() was meant to be usable from NMI context if STACK_DEPOT_FLAG_CAN_ALLOC is unset. However, it still would try to take the pool_lock in an attempt to save a stack trace in the current pool (if space is available). This could result in deadlock if an NMI is handled while pool_lock is already held. To avoid deadlock, only try to take the lock in NMI context and give up if unsuccessful. The documentation is fixed to clearly convey this. Link: https://lkml.kernel.org/r/Z0CcyfbPqmxJ9uJH@elver.google.com Link: https://lkml.kernel.org/r/20241122154051.3914732-1-elver@google.com Fixes: 4434a56ec209 ("stackdepot: make fast paths lock-less again") Signed-off-by: Marco Elver Reported-by: Sebastian Andrzej Siewior Reviewed-by: Sebastian Andrzej Siewior Cc: Alexander Potapenko Cc: Andrey Konovalov Cc: Dmitry Vyukov Cc: Oscar Salvador Cc: Vlastimil Babka Cc: Signed-off-by: Andrew Morton commit 6a7de1bf218d75f27f68d6a3f5ae1eb7332b941e Author: Matthew Wilcox (Oracle) Date: Mon Nov 25 20:17:19 2024 +0000 mm: open-code page_folio() in dump_page() page_folio() calls page_fixed_fake_head() which will misidentify this page as being a fake head and load off the end of 'precise'. We may have a pointer to a fake head, but that's OK because it contains the right information for dump_page(). gcc-15 is smart enough to catch this with -Warray-bounds: In function 'page_fixed_fake_head', inlined from '_compound_head' at ../include/linux/page-flags.h:251:24, inlined from '__dump_page' at ../mm/debug.c:123:11: ../include/asm-generic/rwonce.h:44:26: warning: array subscript 9 is outside +array bounds of 'struct page[1]' [-Warray-bounds=] Link: https://lkml.kernel.org/r/20241125201721.2963278-2-willy@infradead.org Fixes: fae7d834c43c ("mm: add __dump_folio()") Signed-off-by: Matthew Wilcox (Oracle) Reported-by: Kees Cook Cc: Signed-off-by: Andrew Morton commit 4de22b2a6a7477d84d9a01eb6b62a9117309d722 Author: Matthew Wilcox (Oracle) Date: Mon Nov 25 20:17:18 2024 +0000 mm: open-code PageTail in folio_flags() and const_folio_flags() It is unsafe to call PageTail() in dump_page() as page_is_fake_head() will almost certainly return true when called on a head page that is copied to the stack. That will cause the VM_BUG_ON_PGFLAGS() in const_folio_flags() to trigger when it shouldn't. Fortunately, we don't need to call PageTail() here; it's fine to have a pointer to a virtual alias of the page's flag word rather than the real page's flag word. Link: https://lkml.kernel.org/r/20241125201721.2963278-1-willy@infradead.org Fixes: fae7d834c43c ("mm: add __dump_folio()") Signed-off-by: Matthew Wilcox (Oracle) Cc: Kees Cook Cc: Signed-off-by: Andrew Morton commit d699440f58ce9bd71103cc7b692e3ab76a20bfcd Author: Andrii Nakryiko Date: Mon Nov 25 16:52:06 2024 -0800 mm: fix vrealloc()'s KASAN poisoning logic When vrealloc() reuses already allocated vmap_area, we need to re-annotate poisoned and unpoisoned portions of underlying memory according to the new size. This results in a KASAN splat recorded at [1]. A KASAN mis-reporting issue where there is none. Note, hard-coding KASAN_VMALLOC_PROT_NORMAL might not be exactly correct, but KASAN flag logic is pretty involved and spread out throughout __vmalloc_node_range_noprof(), so I'm using the bare minimum flag here and leaving the rest to mm people to refactor this logic and reuse it here. Link: https://lkml.kernel.org/r/20241126005206.3457974-1-andrii@kernel.org Link: https://lore.kernel.org/bpf/67450f9b.050a0220.21d33d.0004.GAE@google.com/ [1] Fixes: 3ddc2fefe6f3 ("mm: vmalloc: implement vrealloc()") Signed-off-by: Andrii Nakryiko Cc: Alexei Starovoitov Cc: Christoph Hellwig Cc: Michal Hocko Cc: Uladzislau Rezki (Sony) Cc: Vlastimil Babka Cc: Signed-off-by: Andrew Morton commit a220d6b95b1ae12c7626283d7609f0a1438e6437 Author: Jan Kara Date: Tue Nov 26 15:52:08 2024 +0100 Revert "readahead: properly shorten readahead when falling back to do_page_cache_ra()" This reverts commit 7c877586da3178974a8a94577b6045a48377ff25. Anders and Philippe have reported that recent kernels occasionally hang when used with NFS in readahead code. The problem has been bisected to 7c877586da3 ("readahead: properly shorten readahead when falling back to do_page_cache_ra()"). The cause of the problem is that ra->size can be shrunk by read_pages() call and subsequently we end up calling do_page_cache_ra() with negative (read huge positive) number of pages. Let's revert 7c877586da3 for now until we can find a proper way how the logic in read_pages() and page_cache_ra_order() can coexist. This can lead to reduced readahead throughput due to readahead window confusion but that's better than outright hangs. Link: https://lkml.kernel.org/r/20241126145208.985-1-jack@suse.cz Fixes: 7c877586da31 ("readahead: properly shorten readahead when falling back to do_page_cache_ra()") Reported-by: Anders Blomdell Reported-by: Philippe Troin Signed-off-by: Jan Kara Tested-by: Philippe Troin Cc: Matthew Wilcox Cc: Signed-off-by: Andrew Morton commit 4a475c0a7eeb3368eca40fe7cb02d157eeddc77a Author: Maximilian Heyne Date: Wed Nov 27 12:08:53 2024 +0000 selftests/damon: add _damon_sysfs.py to TEST_FILES When running selftests I encountered the following error message with some damon tests: # Traceback (most recent call last): # File "[...]/damon/./damos_quota.py", line 7, in # import _damon_sysfs # ModuleNotFoundError: No module named '_damon_sysfs' Fix this by adding the _damon_sysfs.py file to TEST_FILES so that it will be available when running the respective damon selftests. Link: https://lkml.kernel.org/r/20241127-picks-visitor-7416685b-mheyne@amazon.de Fixes: 306abb63a8ca ("selftests/damon: implement a python module for test-purpose DAMON sysfs controls") Signed-off-by: Maximilian Heyne Reviewed-by: SeongJae Park Cc: Shuah Khan Cc: Signed-off-by: Andrew Morton commit 4ae132c693896b0713db572676c90ffd855a4246 Author: Mark Brown Date: Wed Nov 27 16:14:22 2024 +0000 selftest: hugetlb_dio: fix test naming The string logged when a test passes or fails is used by the selftest framework to identify which test is being reported. The hugetlb_dio test not only uses the same strings for every test that is run but it also uses different strings for test passes and failures which means that test automation is unable to follow what the test is doing at all. Pull the existing duplicated logging of the number of free huge pages before and after the test out of the conditional and replace that and the logging of the result with a single ksft_print_result() which incorporates the parameters passed into the test into the output. Link: https://lkml.kernel.org/r/20241127-kselftest-mm-hugetlb-dio-names-v1-1-22aab01bf550@kernel.org Fixes: fae1980347bf ("selftests: hugetlb_dio: fixup check for initial conditions to skip in the start") Signed-off-by: Mark Brown Reviewed-by: Muhammad Usama Anjum Cc: Donet Tom Cc: Ritesh Harjani (IBM) Cc: Shuah Khan Cc: Signed-off-by: Andrew Morton commit 965b5dd1894f4525f38c1b5f99b0106a07dbb5db Author: Tetsuo Handa Date: Sat Nov 23 22:28:34 2024 +0900 ocfs2: free inode when ocfs2_get_init_inode() fails syzbot is reporting busy inodes after unmount, for commit 9c89fe0af826 ("ocfs2: Handle error from dquot_initialize()") forgot to call iput() when new_inode() succeeded and dquot_initialize() failed. Link: https://lkml.kernel.org/r/e68c0224-b7c6-4784-b4fa-a9fc8c675525@I-love.SAKURA.ne.jp Fixes: 9c89fe0af826 ("ocfs2: Handle error from dquot_initialize()") Signed-off-by: Tetsuo Handa Reported-by: syzbot+0af00f6a2cba2058b5db@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=0af00f6a2cba2058b5db Tested-by: syzbot+0af00f6a2cba2058b5db@syzkaller.appspotmail.com Reviewed-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Changwei Ge Cc: Jun Piao Signed-off-by: Andrew Morton commit 985ebec4ab0a28bb5910c3b1481a40fbf7f9e61d Author: Ryusuke Konishi Date: Wed Nov 20 02:23:37 2024 +0900 nilfs2: fix potential out-of-bounds memory access in nilfs_find_entry() Syzbot reported that when searching for records in a directory where the inode's i_size is corrupted and has a large value, memory access outside the folio/page range may occur, or a use-after-free bug may be detected if KASAN is enabled. This is because nilfs_last_byte(), which is called by nilfs_find_entry() and others to calculate the number of valid bytes of directory data in a page from i_size and the page index, loses the upper 32 bits of the 64-bit size information due to an inappropriate type of local variable to which the i_size value is assigned. This caused a large byte offset value due to underflow in the end address calculation in the calling nilfs_find_entry(), resulting in memory access that exceeds the folio/page size. Fix this issue by changing the type of the local variable causing the bit loss from "unsigned int" to "u64". The return value of nilfs_last_byte() is also of type "unsigned int", but it is truncated so as not to exceed PAGE_SIZE and no bit loss occurs, so no change is required. Link: https://lkml.kernel.org/r/20241119172403.9292-1-konishi.ryusuke@gmail.com Fixes: 2ba466d74ed7 ("nilfs2: directory entry operations") Signed-off-by: Ryusuke Konishi Reported-by: syzbot+96d5d14c47d97015c624@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=96d5d14c47d97015c624 Tested-by: syzbot+96d5d14c47d97015c624@syzkaller.appspotmail.com Cc: Signed-off-by: Andrew Morton commit e30a0361b8515d424c73c67de1a43e45a13b8ba2 Author: Jared Kangas Date: Tue Nov 19 13:02:34 2024 -0800 kasan: make report_lock a raw spinlock If PREEMPT_RT is enabled, report_lock is a sleeping spinlock and must not be locked when IRQs are disabled. However, KASAN reports may be triggered in such contexts. For example: char *s = kzalloc(1, GFP_KERNEL); kfree(s); local_irq_disable(); char c = *s; /* KASAN report here leads to spin_lock() */ local_irq_enable(); Make report_spinlock a raw spinlock to prevent rescheduling when PREEMPT_RT is enabled. Link: https://lkml.kernel.org/r/20241119210234.1602529-1-jkangas@redhat.com Fixes: 342a93247e08 ("locking/spinlock: Provide RT variant header: ") Signed-off-by: Jared Kangas Cc: Alexander Potapenko Cc: Andrey Konovalov Cc: Andrey Ryabinin Cc: Dmitry Vyukov Cc: Vincenzo Frascino Cc: Signed-off-by: Andrew Morton commit 091c1dd2d4df6edd1beebe0e5863d4034ade9572 Author: David Hildenbrand Date: Wed Nov 20 21:11:51 2024 +0100 mm/mempolicy: fix migrate_to_node() assuming there is at least one VMA in a MM We currently assume that there is at least one VMA in a MM, which isn't true. So we might end up having find_vma() return NULL, to then de-reference NULL. So properly handle find_vma() returning NULL. This fixes the report: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 1 UID: 0 PID: 6021 Comm: syz-executor284 Not tainted 6.12.0-rc7-syzkaller-00187-gf868cd251776 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024 RIP: 0010:migrate_to_node mm/mempolicy.c:1090 [inline] RIP: 0010:do_migrate_pages+0x403/0x6f0 mm/mempolicy.c:1194 Code: ... RSP: 0018:ffffc9000375fd08 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffffc9000375fd78 RCX: 0000000000000000 RDX: ffff88807e171300 RSI: dffffc0000000000 RDI: ffff88803390c044 RBP: ffff88807e171428 R08: 0000000000000014 R09: fffffbfff2039ef1 R10: ffffffff901cf78f R11: 0000000000000000 R12: 0000000000000003 R13: ffffc9000375fe90 R14: ffffc9000375fe98 R15: ffffc9000375fdf8 FS: 00005555919e1380(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005555919e1ca8 CR3: 000000007f12a000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: kernel_migrate_pages+0x5b2/0x750 mm/mempolicy.c:1709 __do_sys_migrate_pages mm/mempolicy.c:1727 [inline] __se_sys_migrate_pages mm/mempolicy.c:1723 [inline] __x64_sys_migrate_pages+0x96/0x100 mm/mempolicy.c:1723 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f [akpm@linux-foundation.org: add unlikely()] Link: https://lkml.kernel.org/r/20241120201151.9518-1-david@redhat.com Fixes: 39743889aaf7 ("[PATCH] Swap Migration V5: sys_migrate_pages interface") Signed-off-by: David Hildenbrand Reported-by: syzbot+3511625422f7aa637f0d@syzkaller.appspotmail.com Closes: https://lore.kernel.org/lkml/673d2696.050a0220.3c9d61.012f.GAE@google.com/T/ Reviewed-by: Liam R. Howlett Reviewed-by: Christoph Lameter Cc: Liam R. Howlett Cc: Signed-off-by: Andrew Morton commit a1268be280d8e484ab3606d7476edd0f14bb9961 Author: John Hubbard Date: Wed Nov 20 19:49:33 2024 -0800 mm/gup: handle NULL pages in unpin_user_pages() The recent addition of "pofs" (pages or folios) handling to gup has a flaw: it assumes that unpin_user_pages() handles NULL pages in the pages** array. That's not the case, as I discovered when I ran on a new configuration on my test machine. Fix this by skipping NULL pages in unpin_user_pages(), just like unpin_folios() already does. Details: when booting on x86 with "numa=fake=2 movablecore=4G" on Linux 6.12, and running this: tools/testing/selftests/mm/gup_longterm ...I get the following crash: BUG: kernel NULL pointer dereference, address: 0000000000000008 RIP: 0010:sanity_check_pinned_pages+0x3a/0x2d0 ... Call Trace: ? __die_body+0x66/0xb0 ? page_fault_oops+0x30c/0x3b0 ? do_user_addr_fault+0x6c3/0x720 ? irqentry_enter+0x34/0x60 ? exc_page_fault+0x68/0x100 ? asm_exc_page_fault+0x22/0x30 ? sanity_check_pinned_pages+0x3a/0x2d0 unpin_user_pages+0x24/0xe0 check_and_migrate_movable_pages_or_folios+0x455/0x4b0 __gup_longterm_locked+0x3bf/0x820 ? mmap_read_lock_killable+0x12/0x50 ? __pfx_mmap_read_lock_killable+0x10/0x10 pin_user_pages+0x66/0xa0 gup_test_ioctl+0x358/0xb20 __se_sys_ioctl+0x6b/0xc0 do_syscall_64+0x7b/0x150 entry_SYSCALL_64_after_hwframe+0x76/0x7e Link: https://lkml.kernel.org/r/20241121034933.77502-1-jhubbard@nvidia.com Fixes: 94efde1d1539 ("mm/gup: avoid an unnecessary allocation call for FOLL_LONGTERM cases") Signed-off-by: John Hubbard Acked-by: David Hildenbrand Cc: Oscar Salvador Cc: Vivek Kasireddy Cc: Dave Airlie Cc: Gerd Hoffmann Cc: Matthew Wilcox Cc: Christoph Hellwig Cc: Jason Gunthorpe Cc: Peter Xu Cc: Arnd Bergmann Cc: Daniel Vetter Cc: Dongwon Kim Cc: Hugh Dickins Cc: Junxiao Chang Cc: Signed-off-by: Andrew Morton commit def13795928b82ecca4ae3ea16f375114ff88685 Author: Andrew Morton Date: Thu Nov 14 15:44:21 2024 -0800 fs/proc/vmcore.c: fix warning when CONFIG_MMU=n >> fs/proc/vmcore.c:424:19: warning: 'mmap_vmcore_fault' defined but not used [-Wunused-function] 424 | static vm_fault_t mmap_vmcore_fault(struct vm_fault *vmf) Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202411140156.2o0nS4fl-lkp@intel.com/ Cc: Qi Xi Signed-off-by: Andrew Morton commit 11776cff0b563c8b8a4fa76cab620bfb633a8cb8 Author: Dan Carpenter Date: Wed Dec 4 15:06:41 2024 +0300 net/mlx5: DR, prevent potential error pointer dereference The dr_domain_add_vport_cap() function generally returns NULL on error but sometimes we want it to return ERR_PTR(-EBUSY) so the caller can retry. The problem here is that "ret" can be either -EBUSY or -ENOMEM and if it's and -ENOMEM then the error pointer is propogated back and eventually dereferenced in dr_ste_v0_build_src_gvmi_qpn_tag(). Fixes: 11a45def2e19 ("net/mlx5: DR, Add support for SF vports") Signed-off-by: Dan Carpenter Reviewed-by: Tariq Toukan Link: https://patch.msgid.link/07477254-e179-43e2-b1b3-3b9db4674195@stanley.mountain Signed-off-by: Jakub Kicinski commit b04d86fff66b15c07505d226431f808c15b1703c Author: Eric Dumazet Date: Wed Dec 4 17:05:48 2024 +0000 tipc: fix NULL deref in cleanup_bearer() syzbot found [1] that after blamed commit, ub->ubsock->sk was NULL when attempting the atomic_dec() : atomic_dec(&tipc_net(sock_net(ub->ubsock->sk))->wq_count); Fix this by caching the tipc_net pointer. [1] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] CPU: 0 UID: 0 PID: 5896 Comm: kworker/0:3 Not tainted 6.13.0-rc1-next-20241203-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: events cleanup_bearer RIP: 0010:read_pnet include/net/net_namespace.h:387 [inline] RIP: 0010:sock_net include/net/sock.h:655 [inline] RIP: 0010:cleanup_bearer+0x1f7/0x280 net/tipc/udp_media.c:820 Code: 18 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 3c f7 99 f6 48 8b 1b 48 83 c3 30 e8 f0 e4 60 00 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 df e8 1a f7 99 f6 49 83 c7 e8 48 8b 1b RSP: 0018:ffffc9000410fb70 EFLAGS: 00010206 RAX: 0000000000000006 RBX: 0000000000000030 RCX: ffff88802fe45a00 RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffc9000410f900 RBP: ffff88807e1f0908 R08: ffffc9000410f907 R09: 1ffff92000821f20 R10: dffffc0000000000 R11: fffff52000821f21 R12: ffff888031d19980 R13: dffffc0000000000 R14: dffffc0000000000 R15: ffff88807e1f0918 FS: 0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000556ca050b000 CR3: 0000000031c0c000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Fixes: 6a2fa13312e5 ("tipc: Fix use-after-free of kernel socket in cleanup_bearer().") Reported-by: syzbot+46aa5474f179dacd1a3b@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/67508b5f.050a0220.17bd51.0070.GAE@google.com/T/#u Signed-off-by: Eric Dumazet Reviewed-by: Kuniyuki Iwashima Link: https://patch.msgid.link/20241204170548.4152658-1-edumazet@google.com Signed-off-by: Jakub Kicinski commit c33aea446bf555ab2b4e06deb914ba8f87cdb068 Author: Namhyung Kim Date: Thu Dec 5 15:15:29 2024 -0800 perf tools: Fix precise_ip fallback logic Sometimes it returns other than EOPNOTSUPP for invalid precise_ip so it cannot check the error code. Let's move the fallback after the missing feature checks so that it can handle EINVAL as well. This also aligns well with the existing behavior which blindly turns off the precise_ip but we check the missing features correctly now. Fixes: af954f76eea56453 ("perf tools: Check fallback error and order") Reported-by: kernel test robot Reported-by: Arnaldo Carvalho de Melo Closes: https://lore.kernel.org/oe-lkp/202411301431.799e5531-lkp@intel.com Tested-by: Arnaldo Carvalho de Melo Link: https://lore.kernel.org/r/Z1DV0lN8qHSysX7f@google.com Signed-off-by: Namhyung Kim commit b8f52214c61a5b99a54168145378e91b40d10c90 Merge: 6a103867b95ac7 d9381508ea2b59 Author: Linus Torvalds Date: Thu Dec 5 15:11:39 2024 -0800 Merge tag 'audit-pr-20241205' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit Pull audit build problem workaround from Paul Moore: "A minor audit patch that shuffles some code slightly to workaround a GCC bug affecting a number of people. The GCC folks have been able to reproduce the problem and are discussing solutions (see the bug report link in the commit), but since the workaround is trivial let's do that in the kernel so we can unblock people who are hitting this" * tag 'audit-pr-20241205' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit: audit: workaround a GCC bug triggered by task comm changes commit 6a103867b95ac7f9cc7dffe2fcad2f6c0d60b9ae Merge: f65289a87128cf 2ca704f55e22b7 Author: Linus Torvalds Date: Thu Dec 5 15:02:20 2024 -0800 Merge tag 'for-linus-iommufd' of git://git.kernel.org/pub/scm/linux/kernel/git/jgg/iommufd Pull iommufd fixes from Jason Gunthorpe: "One bug fix and some documentation updates: - Correct typos in comments - Elaborate a comment about how the uAPI works for IOMMU_HW_INFO_TYPE_ARM_SMMUV3 - Fix a double free on error path and add test coverage for the bug" * tag 'for-linus-iommufd' of git://git.kernel.org/pub/scm/linux/kernel/git/jgg/iommufd: iommu/arm-smmu-v3: Improve uAPI comment for IOMMU_HW_INFO_TYPE_ARM_SMMUV3 iommufd/selftest: Cover IOMMU_FAULT_QUEUE_ALLOC in iommufd_fail_nth iommufd: Fix out_fput in iommufd_fault_alloc() iommufd: Fix typos in kernel-doc comments commit 471f3a21addd4e5f170ab1364f11c3e4823e687d Merge: 915bac607f02be c98b10496b2f3c Author: Dave Airlie Date: Fri Dec 6 08:40:46 2024 +1000 Merge tag 'drm-misc-fixes-2024-12-05' of https://gitlab.freedesktop.org/drm/misc/kernel into drm-fixes drm-misc-fixes v6.13-rc2: - v3d performance counter fix. - A lot of DP-MST related fixes. Signed-off-by: Dave Airlie From: Maarten Lankhorst Link: https://patchwork.freedesktop.org/patch/msgid/2ce1650d-801f-4265-a876-5a8743f1c82b@linux.intel.com commit f65289a87128cfcf9c40739adbf495cdbb617cb3 Merge: 896d8946da9733 06a025448b572c Author: Linus Torvalds Date: Thu Dec 5 14:38:49 2024 -0800 Merge tag 'v6.13-rc1-ksmbd-server-fixes' of git://git.samba.org/ksmbd Pull smb server fixes from Steve French: - Three fixes for potential out of bound accesses in read and write paths (e.g. when alternate data streams enabled) - GCC 15 build fix * tag 'v6.13-rc1-ksmbd-server-fixes' of git://git.samba.org/ksmbd: ksmbd: align aux_payload_buf to avoid OOB reads in cryptographic operations ksmbd: fix Out-of-Bounds Write in ksmbd_vfs_stream_write ksmbd: fix Out-of-Bounds Read in ksmbd_vfs_stream_read smb: server: Fix building with GCC 15 commit 915bac607f02bede85c08da7c79a733ffc03b7ee Merge: defc06f7ef163b 5dce85fecb8775 Author: Dave Airlie Date: Fri Dec 6 07:53:59 2024 +1000 Merge tag 'drm-xe-fixes-2024-12-04' of https://gitlab.freedesktop.org/drm/xe/kernel into drm-fixes Driver Changes: - Missing init value and 64-bit write-order check (Zhanjung) - Fix a memory allocation issue causing lockdep violation (John) Signed-off-by: Dave Airlie From: Thomas Hellstrom Link: https://patchwork.freedesktop.org/patch/msgid/Z1BidZBFQOLjz__J@fedora commit fff8f17c1a6fc802ca23bbd3a276abfde8cc58e6 Author: Remi Pommarel Date: Fri Nov 22 16:52:50 2024 +0100 batman-adv: Do not let TT changes list grows indefinitely When TT changes list is too big to fit in packet due to MTU size, an empty OGM is sent expected other node to send TT request to get the changes. The issue is that tt.last_changeset was not built thus the originator was responding with previous changes to those TT requests (see batadv_send_my_tt_response). Also the changes list was never cleaned up effectively never ending growing from this point onwards, repeatedly sending the same TT response changes over and over, and creating a new empty OGM every OGM interval expecting for the local changes to be purged. When there is more TT changes that can fit in packet, drop all changes, send empty OGM and wait for TT request so we can respond with a full table instead. Fixes: e1bf0c14096f ("batman-adv: tvlv - convert tt data sent within OGMs") Signed-off-by: Remi Pommarel Acked-by: Antonio Quartulli Signed-off-by: Sven Eckelmann Signed-off-by: Simon Wunderlich commit 8038806db64da15721775d6b834990cacbfcf0b2 Author: Remi Pommarel Date: Fri Nov 22 16:52:49 2024 +0100 batman-adv: Remove uninitialized data in full table TT response The number of entries filled by batadv_tt_tvlv_generate() can be less than initially expected in batadv_tt_prepare_tvlv_{global,local}_data() (changes can be removed by batadv_tt_local_event() in ADD+DEL sequence in the meantime as the lock held during the whole tvlv global/local data generation). Thus tvlv_len could be bigger than the actual TT entry size that need to be sent so full table TT_RESPONSE could hold invalid TT entries such as below. * 00:00:00:00:00:00 -1 [....] ( 0) 88:12:4e:ad:7e:ba (179) (0x45845380) * 00:00:00:00:78:79 4092 [.W..] ( 0) 88:12:4e:ad:7e:3c (145) (0x8ebadb8b) Remove the extra allocated space to avoid sending uninitialized entries for full table TT_RESPONSE in both batadv_send_other_tt_response() and batadv_send_my_tt_response(). Fixes: 7ea7b4a14275 ("batman-adv: make the TT CRC logic VLAN specific") Signed-off-by: Remi Pommarel Signed-off-by: Sven Eckelmann Signed-off-by: Simon Wunderlich commit f2f7358c3890e7366cbcb7512b4bc8b4394b2d61 Author: Remi Pommarel Date: Fri Nov 22 16:52:48 2024 +0100 batman-adv: Do not send uninitialized TT changes The number of TT changes can be less than initially expected in batadv_tt_tvlv_container_update() (changes can be removed by batadv_tt_local_event() in ADD+DEL sequence between reading tt_diff_entries_num and actually iterating the change list under lock). Thus tt_diff_len could be bigger than the actual changes size that need to be sent. Because batadv_send_my_tt_response sends the whole packet, uninitialized data can be interpreted as TT changes on other nodes leading to weird TT global entries on those nodes such as: * 00:00:00:00:00:00 -1 [....] ( 0) 88:12:4e:ad:7e:ba (179) (0x45845380) * 00:00:00:00:78:79 4092 [.W..] ( 0) 88:12:4e:ad:7e:3c (145) (0x8ebadb8b) All of the above also applies to OGM tvlv container buffer's tvlv_len. Remove the extra allocated space to avoid sending uninitialized TT changes in batadv_send_my_tt_response() and batadv_v_ogm_send_softif(). Fixes: e1bf0c14096f ("batman-adv: tvlv - convert tt data sent within OGMs") Signed-off-by: Remi Pommarel Signed-off-by: Sven Eckelmann Signed-off-by: Simon Wunderlich commit 5c3de6b02d38eb9386edf50490e050bb44398e40 Author: Prike Liang Date: Tue Nov 5 09:57:42 2024 +0800 drm/amdkfd: Correct the migration DMA map direction The SVM DMA device map direction should be set the same as the DMA unmap setting, otherwise the DMA core will report the following warning. Before finialize this solution, there're some discussion on the DMA mapping type(stream-based or coherent) in this KFD migration case, followed by https://lore.kernel.org/all/04d4ab32 -45a1-4b88-86ee-fb0f35a0ca40@amd.com/T/. As there's no dma_sync_single_for_*() in the DMA buffer accessed that because this migration operation should be sync properly and automatically. Give that there's might not be a performance problem in various cache sync policy of DMA sync. Therefore, in order to simplify the DMA direction setting alignment, let's set the DMA map direction as BIDIRECTIONAL. [ 150.834218] WARNING: CPU: 8 PID: 1812 at kernel/dma/debug.c:1028 check_unmap+0x1cc/0x930 [ 150.834225] Modules linked in: amdgpu(OE) amdxcp drm_exec(OE) gpu_sched drm_buddy(OE) drm_ttm_helper(OE) ttm(OE) drm_suballoc_helper(OE) drm_display_helper(OE) drm_kms_helper(OE) i2c_algo_bit rpcsec_gss_krb5 auth_rpcgss nfsv4 nfs lockd grace netfs xt_conntrack xt_MASQUERADE nf_conntrack_netlink xfrm_user xfrm_algo iptable_nat xt_addrtype iptable_filter br_netfilter nvme_fabrics overlay nfnetlink_cttimeout nfnetlink openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c bridge stp llc sch_fq_codel intel_rapl_msr amd_atl intel_rapl_common snd_hda_codec_realtek snd_hda_codec_generic snd_hda_scodec_component snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg edac_mce_amd snd_pci_acp6x snd_hda_codec snd_acp_config snd_hda_core snd_hwdep snd_soc_acpi kvm_amd sunrpc snd_pcm kvm binfmt_misc snd_seq_midi crct10dif_pclmul snd_seq_midi_event ghash_clmulni_intel sha512_ssse3 snd_rawmidi nls_iso8859_1 sha256_ssse3 sha1_ssse3 snd_seq aesni_intel snd_seq_device crypto_simd snd_timer cryptd input_leds [ 150.834310] wmi_bmof serio_raw k10temp rapl snd sp5100_tco ipmi_devintf soundcore ccp ipmi_msghandler cm32181 industrialio mac_hid msr parport_pc ppdev lp parport efi_pstore drm(OE) ip_tables x_tables pci_stub crc32_pclmul nvme ahci libahci i2c_piix4 r8169 nvme_core i2c_designware_pci realtek i2c_ccgx_ucsi video wmi hid_generic cdc_ether usbnet usbhid hid r8152 mii [ 150.834354] CPU: 8 PID: 1812 Comm: rocrtst64 Tainted: G OE 6.10.0-custom #492 [ 150.834358] Hardware name: AMD Majolica-RN/Majolica-RN, BIOS RMJ1009A 06/13/2021 [ 150.834360] RIP: 0010:check_unmap+0x1cc/0x930 [ 150.834363] Code: c0 4c 89 4d c8 e8 34 bf 86 00 4c 8b 4d c8 4c 8b 45 c0 48 8b 4d b8 48 89 c6 41 57 4c 89 ea 48 c7 c7 80 49 b4 84 e8 b4 81 f3 ff <0f> 0b 48 c7 c7 04 83 ac 84 e8 76 ba fc ff 41 8b 76 4c 49 8d 7e 50 [ 150.834365] RSP: 0018:ffffaac5023739e0 EFLAGS: 00010086 [ 150.834368] RAX: 0000000000000000 RBX: ffffffff8566a2e0 RCX: 0000000000000027 [ 150.834370] RDX: ffff8f6a8f621688 RSI: 0000000000000001 RDI: ffff8f6a8f621680 [ 150.834372] RBP: ffffaac502373a30 R08: 00000000000000c9 R09: ffffaac502373850 [ 150.834373] R10: ffffaac502373848 R11: ffffffff84f46328 R12: ffffaac502373a40 [ 150.834375] R13: ffff8f6741045330 R14: ffff8f6741a77700 R15: ffffffff84ac831b [ 150.834377] FS: 00007faf0fc94c00(0000) GS:ffff8f6a8f600000(0000) knlGS:0000000000000000 [ 150.834379] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 150.834381] CR2: 00007faf0b600020 CR3: 000000010a52e000 CR4: 0000000000350ef0 [ 150.834383] Call Trace: [ 150.834385] [ 150.834387] ? show_regs+0x6d/0x80 [ 150.834393] ? __warn+0x8c/0x140 [ 150.834397] ? check_unmap+0x1cc/0x930 [ 150.834400] ? report_bug+0x193/0x1a0 [ 150.834406] ? handle_bug+0x46/0x80 [ 150.834410] ? exc_invalid_op+0x1d/0x80 [ 150.834413] ? asm_exc_invalid_op+0x1f/0x30 [ 150.834420] ? check_unmap+0x1cc/0x930 [ 150.834425] debug_dma_unmap_page+0x86/0x90 [ 150.834431] ? srso_return_thunk+0x5/0x5f [ 150.834435] ? rmap_walk+0x28/0x50 [ 150.834438] ? srso_return_thunk+0x5/0x5f [ 150.834441] ? remove_migration_ptes+0x79/0x80 [ 150.834445] ? srso_return_thunk+0x5/0x5f [ 150.834448] dma_unmap_page_attrs+0xfa/0x1d0 [ 150.834453] svm_range_dma_unmap_dev+0x8a/0xf0 [amdgpu] [ 150.834710] svm_migrate_ram_to_vram+0x361/0x740 [amdgpu] [ 150.834914] svm_migrate_to_vram+0xa8/0xe0 [amdgpu] [ 150.835111] svm_range_set_attr+0xff2/0x1450 [amdgpu] [ 150.835311] svm_ioctl+0x4a/0x50 [amdgpu] [ 150.835510] kfd_ioctl_svm+0x54/0x90 [amdgpu] [ 150.835701] kfd_ioctl+0x3c2/0x530 [amdgpu] [ 150.835888] ? __pfx_kfd_ioctl_svm+0x10/0x10 [amdgpu] [ 150.836075] ? srso_return_thunk+0x5/0x5f [ 150.836080] ? tomoyo_file_ioctl+0x20/0x30 [ 150.836086] __x64_sys_ioctl+0x9c/0xd0 [ 150.836091] x64_sys_call+0x1219/0x20d0 [ 150.836095] do_syscall_64+0x51/0x120 [ 150.836098] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 150.836102] RIP: 0033:0x7faf0f11a94f [ 150.836105] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 77 1f 48 8b 44 24 18 64 48 2b 04 25 28 00 [ 150.836107] RSP: 002b:00007ffeced26bc0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 150.836110] RAX: ffffffffffffffda RBX: 000055c683528fb0 RCX: 00007faf0f11a94f [ 150.836112] RDX: 00007ffeced26c60 RSI: 00000000c0484b20 RDI: 0000000000000003 [ 150.836114] RBP: 00007ffeced26c50 R08: 0000000000000000 R09: 0000000000000001 [ 150.836115] R10: 0000000000000032 R11: 0000000000000246 R12: 000055c683528bd0 [ 150.836117] R13: 0000000000000000 R14: 0000000000000021 R15: 0000000000000000 [ 150.836122] [ 150.836124] ---[ end trace 0000000000000000 ]--- Signed-off-by: Prike Liang Reviewed-by: Felix Kuehling Signed-off-by: Alex Deucher commit 3912a78cf72eb45f8153a395162b08fef9c5ec3d Author: Kenneth Feng Date: Wed Dec 4 13:22:10 2024 +0530 drm/amd/pm: Set SMU v13.0.7 default workload type Set the default workload type to bootup type on smu v13.0.7. This is because of the constraint on smu v13.0.7. Gfx activity has an even higher set point on 3D fullscreen mode than the one on bootup mode. This causes the 3D fullscreen mode's performance is worse than the bootup mode's performance for the lightweighted/medium workload. For the high workload, the performance is the same between 3D fullscreen mode and bootup mode. v2: set the default workload in ASIC specific file Signed-off-by: Kenneth Feng Reviewed-by: Yang Wang Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org # 6.11.x commit 8eb966f2403abb844e972fb4eb1348640111f121 Author: Lijo Lazar Date: Wed Dec 4 13:11:28 2024 +0530 drm/amd/pm: Initialize power profile mode Refactor such that individual SMU IP versions can choose the startup power profile mode. If no preference, then use the generic default power profile selection logic. Signed-off-by: Lijo Lazar Reviewed-by: Yang Wang Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org # 6.11.x commit 47f402a3e08113e0f5d8e1e6fcc197667a16022f Author: David (Ming Qiang) Wu Date: Wed Dec 4 11:30:01 2024 -0500 amdgpu/uvd: get ring reference from rq scheduler base.sched may not be set for each instance and should not be used for cases such as non-IB tests. Fixes: 2320c9e6a768 ("drm/sched: memset() 'job' in drm_sched_job_init()") Signed-off-by: David (Ming Qiang) Wu Reviewed-by: Christian König Signed-off-by: Alex Deucher commit 12f325bcd2411e571dbb500bf6862c812c479735 Author: Christian König Date: Fri Nov 29 14:19:21 2024 +0100 drm/amdgpu: fix UVD contiguous CS mapping problem When starting the mpv player, Radeon R9 users are observing the below error in dmesg. [drm:amdgpu_uvd_cs_pass2 [amdgpu]] *ERROR* msg/fb buffer ff00f7c000-ff00f7e000 out of 256MB segment! The patch tries to set the TTM_PL_FLAG_CONTIGUOUS for both user flag(AMDGPU_GEM_CREATE_VRAM_CONTIGUOUS) set and not set cases. v2: Make the TTM_PL_FLAG_CONTIGUOUS mandatory for user BO's. v3: revert back to v1, but fix the check instead (chk). Closes:https://gitlab.freedesktop.org/drm/amd/-/issues/3599 Closes:https://gitlab.freedesktop.org/drm/amd/-/issues/3501 Signed-off-by: Arunpravin Paneer Selvam Signed-off-by: Christian König Reviewed-by: Arunpravin Paneer Selvam Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org # 6.10+ commit 9a4ab400f1fad0e6e8686b8f5fc5376383860ce8 Author: Victor Zhao Date: Sat Nov 23 18:37:43 2024 +0800 drm/amdgpu: use sjt mec fw on gfx943 for sriov Use second jump table in sriov for live migration or mulitple VF support so different VF can load different version of MEC as long as they support sjt Signed-off-by: Victor Zhao Reviewed-by: Yang Wang Signed-off-by: Alex Deucher commit 9f4ddfdc2c03956d278bdafca6adc21cf90cc834 Author: Pratap Nirujogi Date: Mon Dec 2 23:29:31 2024 -0500 Revert "drm/amdgpu: Fix ISP hw init issue" This reverts commit 274e3f4596446955bf17680fd4eb5489f5ecac00. Additional review comments to address. Will resubmit. Reviewed-by: Mario Limonciello Signed-off-by: Pratap Nirujogi Signed-off-by: Alex Deucher commit 9c7c5430bca36e9636eabbba0b3b53251479c7ab Author: Yishai Hadas Date: Thu Dec 5 14:26:54 2024 +0200 vfio/mlx5: Align the page tracking max message size with the device capability Align the page tracking maximum message size with the device's capability instead of relying on PAGE_SIZE. This adjustment resolves a mismatch on systems where PAGE_SIZE is 64K, but the firmware only supports a maximum message size of 4K. Now that we rely on the device's capability for max_message_size, we must account for potential future increases in its value. Key considerations include: - Supporting message sizes that exceed a single system page (e.g., an 8K message on a 4K system). - Ensuring the RQ size is adjusted to accommodate at least 4 WQEs/messages, in line with the device specification. The above has been addressed as part of the patch. Fixes: 79c3cf279926 ("vfio/mlx5: Init QP based resources for dirty tracking") Reviewed-by: Cédric Le Goater Tested-by: Yingshun Cui Signed-off-by: Yishai Hadas Link: https://lore.kernel.org/r/20241205122654.235619-1-yishaih@nvidia.com Signed-off-by: Alex Williamson commit 896d8946da97332d4dc80fa1937d8dd6b1c35ad4 Merge: 9d6a414ad31e8e 31f1b55d5d7e53 Author: Linus Torvalds Date: Thu Dec 5 10:25:06 2024 -0800 Merge tag 'net-6.13-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Pull networking fixes from Paolo Abeni: "Including fixes from can and netfilter. Current release - regressions: - rtnetlink: fix double call of rtnl_link_get_net_ifla() - tcp: populate XPS related fields of timewait sockets - ethtool: fix access to uninitialized fields in set RXNFC command - selinux: use sk_to_full_sk() in selinux_ip_output() Current release - new code bugs: - net: make napi_hash_lock irq safe - eth: - bnxt_en: support header page pool in queue API - ice: fix NULL pointer dereference in switchdev Previous releases - regressions: - core: fix icmp host relookup triggering ip_rt_bug - ipv6: - avoid possible NULL deref in modify_prefix_route() - release expired exception dst cached in socket - smc: fix LGR and link use-after-free issue - hsr: avoid potential out-of-bound access in fill_frame_info() - can: hi311x: fix potential use-after-free - eth: ice: fix VLAN pruning in switchdev mode Previous releases - always broken: - netfilter: - ipset: hold module reference while requesting a module - nft_inner: incorrect percpu area handling under softirq - can: j1939: fix skb reference counting - eth: - mlxsw: use correct key block on Spectrum-4 - mlx5: fix memory leak in mlx5hws_definer_calc_layout" * tag 'net-6.13-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (76 commits) net :mana :Request a V2 response version for MANA_QUERY_GF_STAT net: avoid potential UAF in default_operstate() vsock/test: verify socket options after setting them vsock/test: fix parameter types in SO_VM_SOCKETS_* calls vsock/test: fix failures due to wrong SO_RCVLOWAT parameter net/mlx5e: Remove workaround to avoid syndrome for internal port net/mlx5e: SD, Use correct mdev to build channel param net/mlx5: E-Switch, Fix switching to switchdev mode in MPV net/mlx5: E-Switch, Fix switching to switchdev mode with IB device disabled net/mlx5: HWS: Properly set bwc queue locks lock classes net/mlx5: HWS: Fix memory leak in mlx5hws_definer_calc_layout bnxt_en: handle tpa_info in queue API implementation bnxt_en: refactor bnxt_alloc_rx_rings() to call bnxt_alloc_rx_agg_bmap() bnxt_en: refactor tpa_info alloc/free into helpers geneve: do not assume mac header is set in geneve_xmit_skb() mlxsw: spectrum_acl_flex_keys: Use correct key block on Spectrum-4 ethtool: Fix wrong mod state in case of verbose and no_mask bitset ipmr: tune the ipmr_can_free_table() checks. netfilter: nft_set_hash: skip duplicated elements pending gc run netfilter: ipset: Hold module reference while requesting a module ... commit 9d6a414ad31e8eb296cd6f2c1834b2c6994960a0 Merge: 2a770b49b1bf00 dc1b157b828dfe Author: Linus Torvalds Date: Thu Dec 5 10:17:55 2024 -0800 Merge tag 'trace-v6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace Pull tracing fixes from Steven Rostedt: - Fix trace histogram sort function cmp_entries_dup() The sort function cmp_entries_dup() returns either 1 or 0, and not -1 if parameter "a" is less than "b" by memcmp(). - Fix archs that call trace_hardirqs_off() without RCU watching Both x86 and arm64 no longer call any tracepoints with RCU not watching. It was assumed that it was safe to get rid of trace_*_rcuidle() version of the tracepoint calls. This was needed to get rid of the SRCU protection and be able to implement features like faultable traceponits and add rust tracepoints. Unfortunately, there were a few architectures that still relied on that logic. There's only one file that has tracepoints that are called without RCU watching. Add macro logic around the tracepoints for architectures that do not have CONFIG_ARCH_WANTS_NO_INSTR defined will check if the code is in the idle path (the only place RCU isn't watching), and enable RCU around calling the tracepoint, but only do it if the tracepoint is enabled. * tag 'trace-v6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: tracing: Fix archs that still call tracepoints without RCU watching tracing: Fix cmp_entries_dup() to respect sort() comparison rules commit 2a770b49b1bf00fca5473cb386eaf36d21d17d4b Merge: 42d52acfb10cfc 8d355b56f29533 Author: Linus Torvalds Date: Thu Dec 5 10:06:47 2024 -0800 Merge tag 'hid-for-linus-2024120501' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid Pull HID fixes from Benjamin Tissoires: - regression fix in suspend/resume for i2c-hid (Kenny Levinsen) - fix wacom driver assuming a name can not be null (WangYuli) - a couple of constify changes/fixes (Thomas Weißschuh) - a couple of selftests/hid fixes (Maximilian Heyne & Benjamin Tissoires) * tag 'hid-for-linus-2024120501' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid: selftests/hid: fix kfunc inclusions with newer bpftool HID: bpf: drop unneeded casts discarding const HID: bpf: constify hid_ops selftests: hid: fix typo and exit code HID: wacom: fix when get product name maybe null pointer HID: i2c-hid: Revert to using power commands to wake on resume commit d60624f72d15862a96965b945f6ddfee9a1359e7 Author: Mark Rutland Date: Thu Dec 5 12:16:55 2024 +0000 arm64: ptrace: fix partial SETREGSET for NT_ARM_GCS Currently gcs_set() doesn't initialize the temporary 'user_gcs' variable, and a SETREGSET call with a length of 0, 8, or 16 will leave some portion of this uninitialized. Consequently some arbitrary uninitialized values may be written back to the relevant fields in task struct, potentially leaking up to 192 bits of memory from the kernel stack. The read is limited to a specific slot on the stack, and the issue does not provide a write mechanism. As gcs_set() rejects cases where user_gcs::features_enabled has bits set other than PR_SHADOW_STACK_SUPPORTED_STATUS_MASK, a SETREGSET call with a length of zero will randomly succeed or fail depending on the value of the uninitialized value, it isn't possible to leak the full 192 bits. With a length of 8 or 16, user_gcs::features_enabled can be initialized to an accepted value, making it practical to leak 128 or 64 bits. Fix this by initializing the temporary value before copying the regset from userspace, as for other regsets (e.g. NT_PRSTATUS, NT_PRFPREG, NT_ARM_SYSTEM_CALL). In the case of a zero-length or partial write, the existing contents of the fields which are not written to will be retained. To ensure that the extraction and insertion of fields is consistent across the GETREGSET and SETREGSET calls, new task_gcs_to_user() and task_gcs_from_user() helpers are added, matching the style of pac_address_keys_to_user() and pac_address_keys_from_user(). Before this patch: | # ./gcs-test | Attempting to write NT_ARM_GCS::user_gcs = { | .features_enabled = 0x0000000000000000, | .features_locked = 0x0000000000000000, | .gcspr_el0 = 0x900d900d900d900d, | } | SETREGSET(nt=0x410, len=24) wrote 24 bytes | | Attempting to read NT_ARM_GCS::user_gcs | GETREGSET(nt=0x410, len=24) read 24 bytes | Read NT_ARM_GCS::user_gcs = { | .features_enabled = 0x0000000000000000, | .features_locked = 0x0000000000000000, | .gcspr_el0 = 0x900d900d900d900d, | } | | Attempting partial write NT_ARM_GCS::user_gcs = { | .features_enabled = 0x0000000000000000, | .features_locked = 0x1de7ec7edbadc0de, | .gcspr_el0 = 0x1de7ec7edbadc0de, | } | SETREGSET(nt=0x410, len=8) wrote 8 bytes | | Attempting to read NT_ARM_GCS::user_gcs | GETREGSET(nt=0x410, len=24) read 24 bytes | Read NT_ARM_GCS::user_gcs = { | .features_enabled = 0x0000000000000000, | .features_locked = 0x000000000093e780, | .gcspr_el0 = 0xffff800083a63d50, | } After this patch: | # ./gcs-test | Attempting to write NT_ARM_GCS::user_gcs = { | .features_enabled = 0x0000000000000000, | .features_locked = 0x0000000000000000, | .gcspr_el0 = 0x900d900d900d900d, | } | SETREGSET(nt=0x410, len=24) wrote 24 bytes | | Attempting to read NT_ARM_GCS::user_gcs | GETREGSET(nt=0x410, len=24) read 24 bytes | Read NT_ARM_GCS::user_gcs = { | .features_enabled = 0x0000000000000000, | .features_locked = 0x0000000000000000, | .gcspr_el0 = 0x900d900d900d900d, | } | | Attempting partial write NT_ARM_GCS::user_gcs = { | .features_enabled = 0x0000000000000000, | .features_locked = 0x1de7ec7edbadc0de, | .gcspr_el0 = 0x1de7ec7edbadc0de, | } | SETREGSET(nt=0x410, len=8) wrote 8 bytes | | Attempting to read NT_ARM_GCS::user_gcs | GETREGSET(nt=0x410, len=24) read 24 bytes | Read NT_ARM_GCS::user_gcs = { | .features_enabled = 0x0000000000000000, | .features_locked = 0x0000000000000000, | .gcspr_el0 = 0x900d900d900d900d, | } Fixes: 7ec3b57cb29f ("arm64/ptrace: Expose GCS via ptrace and core files") Signed-off-by: Mark Rutland Cc: Mark Brown Cc: Will Deacon Reviewed-by: Mark Brown Link: https://lore.kernel.org/r/20241205121655.1824269-5-mark.rutland@arm.com Signed-off-by: Catalin Marinas commit 594bfc4947c4fcabba1318d8384c61a29a6b89fb Author: Mark Rutland Date: Thu Dec 5 12:16:54 2024 +0000 arm64: ptrace: fix partial SETREGSET for NT_ARM_POE Currently poe_set() doesn't initialize the temporary 'ctrl' variable, and a SETREGSET call with a length of zero will leave this uninitialized. Consequently an arbitrary value will be written back to target->thread.por_el0, potentially leaking up to 64 bits of memory from the kernel stack. The read is limited to a specific slot on the stack, and the issue does not provide a write mechanism. Fix this by initializing the temporary value before copying the regset from userspace, as for other regsets (e.g. NT_PRSTATUS, NT_PRFPREG, NT_ARM_SYSTEM_CALL). In the case of a zero-length write, the existing contents of POR_EL1 will be retained. Before this patch: | # ./poe-test | Attempting to write NT_ARM_POE::por_el0 = 0x900d900d900d900d | SETREGSET(nt=0x40f, len=8) wrote 8 bytes | | Attempting to read NT_ARM_POE::por_el0 | GETREGSET(nt=0x40f, len=8) read 8 bytes | Read NT_ARM_POE::por_el0 = 0x900d900d900d900d | | Attempting to write NT_ARM_POE (zero length) | SETREGSET(nt=0x40f, len=0) wrote 0 bytes | | Attempting to read NT_ARM_POE::por_el0 | GETREGSET(nt=0x40f, len=8) read 8 bytes | Read NT_ARM_POE::por_el0 = 0xffff8000839c3d50 After this patch: | # ./poe-test | Attempting to write NT_ARM_POE::por_el0 = 0x900d900d900d900d | SETREGSET(nt=0x40f, len=8) wrote 8 bytes | | Attempting to read NT_ARM_POE::por_el0 | GETREGSET(nt=0x40f, len=8) read 8 bytes | Read NT_ARM_POE::por_el0 = 0x900d900d900d900d | | Attempting to write NT_ARM_POE (zero length) | SETREGSET(nt=0x40f, len=0) wrote 0 bytes | | Attempting to read NT_ARM_POE::por_el0 | GETREGSET(nt=0x40f, len=8) read 8 bytes | Read NT_ARM_POE::por_el0 = 0x900d900d900d900d Fixes: 175198199262 ("arm64/ptrace: add support for FEAT_POE") Cc: # 6.12.x Signed-off-by: Mark Rutland Cc: Joey Gouly Cc: Will Deacon Reviewed-by: Mark Brown Link: https://lore.kernel.org/r/20241205121655.1824269-4-mark.rutland@arm.com Signed-off-by: Catalin Marinas commit f5d71291841aecfe5d8435da2dfa7f58ccd18bc8 Author: Mark Rutland Date: Thu Dec 5 12:16:53 2024 +0000 arm64: ptrace: fix partial SETREGSET for NT_ARM_FPMR Currently fpmr_set() doesn't initialize the temporary 'fpmr' variable, and a SETREGSET call with a length of zero will leave this uninitialized. Consequently an arbitrary value will be written back to target->thread.uw.fpmr, potentially leaking up to 64 bits of memory from the kernel stack. The read is limited to a specific slot on the stack, and the issue does not provide a write mechanism. Fix this by initializing the temporary value before copying the regset from userspace, as for other regsets (e.g. NT_PRSTATUS, NT_PRFPREG, NT_ARM_SYSTEM_CALL). In the case of a zero-length write, the existing contents of FPMR will be retained. Before this patch: | # ./fpmr-test | Attempting to write NT_ARM_FPMR::fpmr = 0x900d900d900d900d | SETREGSET(nt=0x40e, len=8) wrote 8 bytes | | Attempting to read NT_ARM_FPMR::fpmr | GETREGSET(nt=0x40e, len=8) read 8 bytes | Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d | | Attempting to write NT_ARM_FPMR (zero length) | SETREGSET(nt=0x40e, len=0) wrote 0 bytes | | Attempting to read NT_ARM_FPMR::fpmr | GETREGSET(nt=0x40e, len=8) read 8 bytes | Read NT_ARM_FPMR::fpmr = 0xffff800083963d50 After this patch: | # ./fpmr-test | Attempting to write NT_ARM_FPMR::fpmr = 0x900d900d900d900d | SETREGSET(nt=0x40e, len=8) wrote 8 bytes | | Attempting to read NT_ARM_FPMR::fpmr | GETREGSET(nt=0x40e, len=8) read 8 bytes | Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d | | Attempting to write NT_ARM_FPMR (zero length) | SETREGSET(nt=0x40e, len=0) wrote 0 bytes | | Attempting to read NT_ARM_FPMR::fpmr | GETREGSET(nt=0x40e, len=8) read 8 bytes | Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d Fixes: 4035c22ef7d4 ("arm64/ptrace: Expose FPMR via ptrace") Cc: # 6.9.x Signed-off-by: Mark Rutland Cc: Mark Brown Cc: Will Deacon Reviewed-by: Mark Brown Link: https://lore.kernel.org/r/20241205121655.1824269-3-mark.rutland@arm.com Signed-off-by: Catalin Marinas commit 42d52acfb10cfc53139a1139e1c401a52c3f924c Merge: 5076001689e4f8 4962ee045d8f06 Author: Linus Torvalds Date: Thu Dec 5 10:03:43 2024 -0800 Merge tag 'linux-watchdog-6.13-rc1' of git://www.linux-watchdog.org/linux-watchdog Pull watchdog updates from Wim Van Sebroeck: - Add support for exynosautov920 SoC - Add support for Airoha EN7851 watchdog - Add support for MT6735 TOPRGU/WDT - Delete the cpu5wdt driver - Always print when registering watchdog fails - Several other small fixes and improvements * tag 'linux-watchdog-6.13-rc1' of git://www.linux-watchdog.org/linux-watchdog: (36 commits) watchdog: rti: of: honor timeout-sec property watchdog: s3c2410_wdt: add support for exynosautov920 SoC dt-bindings: watchdog: Document ExynosAutoV920 watchdog bindings watchdog: mediatek: Add support for MT6735 TOPRGU/WDT watchdog: mediatek: Make sure system reset gets asserted in mtk_wdt_restart() dt-bindings: watchdog: fsl-imx-wdt: Add missing 'big-endian' property dt-bindings: watchdog: Document Qualcomm QCS8300 docs: ABI: Fix spelling mistake in pretimeout_avaialable_governors Revert "watchdog: s3c2410_wdt: use exynos_get_pmu_regmap_by_phandle() for PMU regs" watchdog: rzg2l_wdt: Power on the watchdog domain in the restart handler watchdog: Switch back to struct platform_driver::remove() watchdog: it87_wdt: add PWRGD enable quirk for Qotom QCML04 watchdog: da9063: Remove __maybe_unused notations watchdog: da9063: Do not use a global variable watchdog: Delete the cpu5wdt driver watchdog: Add support for Airoha EN7851 watchdog dt-bindings: watchdog: airoha: document watchdog for Airoha EN7581 watchdog: sl28cpld_wdt: don't print out if registering watchdog fails watchdog: rza_wdt: don't print out if registering watchdog fails watchdog: rti_wdt: don't print out if registering watchdog fails ... commit ca62d90085f4af36de745883faab9f8a7cbb45d3 Author: Mark Rutland Date: Thu Dec 5 12:16:52 2024 +0000 arm64: ptrace: fix partial SETREGSET for NT_ARM_TAGGED_ADDR_CTRL Currently tagged_addr_ctrl_set() doesn't initialize the temporary 'ctrl' variable, and a SETREGSET call with a length of zero will leave this uninitialized. Consequently tagged_addr_ctrl_set() will consume an arbitrary value, potentially leaking up to 64 bits of memory from the kernel stack. The read is limited to a specific slot on the stack, and the issue does not provide a write mechanism. As set_tagged_addr_ctrl() only accepts values where bits [63:4] zero and rejects other values, a partial SETREGSET attempt will randomly succeed or fail depending on the value of the uninitialized value, and the exposure is significantly limited. Fix this by initializing the temporary value before copying the regset from userspace, as for other regsets (e.g. NT_PRSTATUS, NT_PRFPREG, NT_ARM_SYSTEM_CALL). In the case of a zero-length write, the existing value of the tagged address ctrl will be retained. The NT_ARM_TAGGED_ADDR_CTRL regset is only visible in the user_aarch64_view used by a native AArch64 task to manipulate another native AArch64 task. As get_tagged_addr_ctrl() only returns an error value when called for a compat task, tagged_addr_ctrl_get() and tagged_addr_ctrl_set() should never observe an error value from get_tagged_addr_ctrl(). Add a WARN_ON_ONCE() to both to indicate that such an error would be unexpected, and error handlnig is not missing in either case. Fixes: 2200aa7154cb ("arm64: mte: ptrace: Add NT_ARM_TAGGED_ADDR_CTRL regset") Cc: # 5.10.x Signed-off-by: Mark Rutland Cc: Will Deacon Reviewed-by: Mark Brown Link: https://lore.kernel.org/r/20241205121655.1824269-2-mark.rutland@arm.com Signed-off-by: Catalin Marinas commit c98b10496b2f3c4f576af3482c71aadcfcbf765e Author: Maíra Canal Date: Wed Dec 4 09:28:31 2024 -0300 drm/v3d: Enable Performance Counters before clearing them On the Raspberry Pi 5, performance counters are not being cleared when `v3d_perfmon_start()` is called, even though we write to the CLR register. As a result, their values accumulate until they overflow. The expected behavior is for performance counters to reset to zero at the start of a job. When the job finishes and the perfmon is stopped, the counters should accurately reflect the values for that specific job. To ensure this behavior, the performance counters are now enabled before being cleared. This allows the CLR register to function as intended, zeroing the counter values when the job begins. Fixes: 26a4dc29b74a ("drm/v3d: Expose performance counters to userspace") Signed-off-by: Maíra Canal Reviewed-by: Iago Toral Quiroga Link: https://patchwork.freedesktop.org/patch/msgid/20241204122831.17015-1-mcanal@igalia.com commit f00b53f1614f7be554fd28b9594ef4e63e2686c5 Author: Robin Murphy Date: Thu Dec 5 13:48:10 2024 +0000 arm64: cpufeature: Add GCS to cpucap_is_possible() Since system_supports_gcs() ends up referring to cpucap_is_possible(), teach the latter about GCS for consistency with similar features. Signed-off-by: Robin Murphy Acked-by: Mark Rutland Reviewed-by: Mark Brown Link: https://lore.kernel.org/r/416c7369fcdce4ebb2a8f12daae234507be27e38.1733406275.git.robin.murphy@arm.com Signed-off-by: Catalin Marinas commit d64fd5f77758d234daf16683e1d4305ffc6a05c5 Merge: 7678abee0867e6 b4e12f5728ff96 Author: Jens Axboe Date: Thu Dec 5 10:14:36 2024 -0700 Merge tag 'nvme-6.13-2024-12-05' of git://git.infradead.org/nvme into block-6.13 Pull NVMe fixess from Keith: "nvme fixes for Linux 6.13 - Target fix using incorrect zero buffer (Nilay) - Device specifc deallocate quirk fixes (Christoph, Keith) - Fabrics fix for handling max command target bugs (Maurizio) - Cocci fix usage for kzalloc (Yu-Chen) - DMA size fix for host memory buffer feature (Christoph) - Fabrics queue cleanup fixes (Chunguang)" * tag 'nvme-6.13-2024-12-05' of git://git.infradead.org/nvme: nvme-tcp: simplify nvme_tcp_teardown_io_queues() nvme-tcp: no need to quiesce admin_q in nvme_tcp_teardown_io_queues() nvme-rdma: unquiesce admin_q before destroy it nvme-tcp: fix the memleak while create new ctrl failed nvme-pci: don't use dma_alloc_noncontiguous with 0 merge boundary nvmet: replace kmalloc + memset with kzalloc for data allocation nvme-fabrics: handle zero MAXCMD without closing the connection nvme-pci: remove two deallocate zeroes quirks nvme: don't apply NVME_QUIRK_DEALLOCATE_ZEROES when DSM is not supported nvmet: use kzalloc instead of ZERO_PAGE in nvme_execute_identify_ns_nvm() commit c34e9ab9a612ee8b18273398ef75c207b01f516d Merge: 20c3b3e5f2641e ec16a3cdf37e50 Author: Takashi Iwai Date: Thu Dec 5 18:09:29 2024 +0100 Merge tag 'asoc-fix-v6.13-rc1' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus ASoC: Fixes for v6.13 A few small fixes for v6.13, all system specific - the biggest thing is the fix for jack handling over suspend on some Intel laptops. commit 7678abee0867e6b7fb89aa40f6e9f575f755fb37 Author: Ming Lei Date: Tue Nov 12 20:58:21 2024 +0800 virtio-blk: don't keep queue frozen during system suspend Commit 4ce6e2db00de ("virtio-blk: Ensure no requests in virtqueues before deleting vqs.") replaces queue quiesce with queue freeze in virtio-blk's PM callbacks. And the motivation is to drain inflight IOs before suspending. block layer's queue freeze looks very handy, but it is also easy to cause deadlock, such as, any attempt to call into bio_queue_enter() may run into deadlock if the queue is frozen in current context. There are all kinds of ->suspend() called in suspend context, so keeping queue frozen in the whole suspend context isn't one good idea. And Marek reported lockdep warning[1] caused by virtio-blk's freeze queue in virtblk_freeze(). [1] https://lore.kernel.org/linux-block/ca16370e-d646-4eee-b9cc-87277c89c43c@samsung.com/ Given the motivation is to drain in-flight IOs, it can be done by calling freeze & unfreeze, meantime restore to previous behavior by keeping queue quiesced during suspend. Cc: Yi Sun Cc: Michael S. Tsirkin Cc: Jason Wang Cc: Stefan Hajnoczi Cc: virtualization@lists.linux.dev Reported-by: Marek Szyprowski Signed-off-by: Ming Lei Acked-by: Stefan Hajnoczi Link: https://lore.kernel.org/r/20241112125821.1475793-1-ming.lei@redhat.com Signed-off-by: Jens Axboe commit 48808b55b07c3cea64805267a5547f03e6452a9f Author: Valentina Fernandez Date: Mon Nov 18 15:53:54 2024 +0000 firmware: microchip: fix UL_IAP lock check in mpfs_auto_update_state() To verify that Auto Update is possible, the mpfs_auto_update_state() function performs a "Query Security Service Request" to the system controller. Previously, the check was performed on the first element of the response message, which was accessed using a 32-bit pointer. This caused the bitwise operation to reference incorrect data, as the response should be inspected at the byte level. Fixed this by casting the response to a u8 * pointer, ensuring the check correctly inspects the appropriate byte of the response message. Additionally, rename "UL_Auto Update" to "UL_IAP" to match the PolarFire Family System Services User Guide. Signed-off-by: Valentina Fernandez Signed-off-by: Conor Dooley commit 76031d9536a076bf023bedbdb1b4317fc801dd67 Author: Thomas Gleixner Date: Tue Dec 3 11:16:30 2024 +0100 clocksource: Make negative motion detection more robust Guenter reported boot stalls on a emulated ARM 32-bit platform, which has a 24-bit wide clocksource. It turns out that the calculated maximal idle time, which limits idle sleeps to prevent clocksource wrap arounds, is close to the point where the negative motion detection triggers. max_idle_ns: 597268854 ns negative motion tripping point: 671088640 ns If the idle wakeup is delayed beyond that point, the clocksource advances far enough to trigger the negative motion detection. This prevents the clock to advance and in the worst case the system stalls completely if the consecutive sleeps based on the stale clock are delayed as well. Cure this by calculating a more robust cut-off value for negative motion, which covers 87.5% of the actual clocksource counter width. Compare the delta against this value to catch negative motion. This is specifically for clock sources with a small counter width as their wrap around time is close to the half counter width. For clock sources with wide counters this is not a problem because the maximum idle time is far from the half counter width due to the math overflow protection constraints. For the case at hand this results in a tripping point of 1174405120ns. Note, that this cannot prevent issues when the delay exceeds the 87.5% margin, but that's not different from the previous unchecked version which allowed arbitrary time jumps. Systems with small counter width are prone to invalid results, but this problem is unlikely to be seen on real hardware. If such a system completely stalls for more than half a second, then there are other more urgent problems than the counter wrapping around. Fixes: c163e40af9b2 ("timekeeping: Always check for negative motion") Reported-by: Guenter Roeck Signed-off-by: Thomas Gleixner Tested-by: Guenter Roeck Link: https://lore.kernel.org/all/8734j5ul4x.ffs@tglx Closes: https://lore.kernel.org/all/387b120b-d68a-45e8-b6ab-768cd95d11c2@roeck-us.net commit 16d5306629c06ec2653c12794f344168a0eea809 Author: Suzuki K Poulose Date: Thu Dec 5 14:36:34 2024 +0000 coco: virt: arm64: Do not enable cca guest driver by default As per the guidelines, new drivers may not be set to default on. An expert user can always select it. Reported-by: Dan Williams Cc: Will Deacon Cc: Steven Price Cc: Sami Mujawar Link: https://lore.kernel.org/r/6750c695194cd_2508129427@dwillia2-xfh.jf.intel.com.notmuch Link: https://lore.kernel.org/r/20241205143634.306114-1-suzuki.poulose@arm.com Signed-off-by: Suzuki K Poulose Reviewed-by: Steven Price Signed-off-by: Catalin Marinas commit 59ca0e1c97c5d752f85ca2922ff258ff5e62bc73 Author: Imre Deak Date: Tue Dec 3 18:02:23 2024 +0200 drm/dp_mst: Use reset_msg_rx_state() instead of open coding it Use reset_msg_rx_state() in drm_dp_mst_handle_up_req() instead of open-coding it. Cc: Lyude Paul Reviewed-by: Lyude Paul Signed-off-by: Imre Deak Link: https://patchwork.freedesktop.org/patch/msgid/20241203160223.2926014-8-imre.deak@intel.com commit dc1b157b828dfe412c776ac1dd8db158f6016b39 Author: Steven Rostedt Date: Wed Dec 4 10:04:14 2024 -0500 tracing: Fix archs that still call tracepoints without RCU watching Tracepoints require having RCU "watching" as it uses RCU to do updates to the tracepoints. There are some cases that would call a tracepoint when RCU was not "watching". This was usually in the idle path where RCU has "shutdown". For the few locations that had tracepoints without RCU watching, there was an trace_*_rcuidle() variant that could be used. This used SRCU for protection. There are tracepoints that trace when interrupts and preemption are enabled and disabled. In some architectures, these tracepoints are called in a path where RCU is not watching. When x86 and arm64 removed these locations, it was incorrectly assumed that it would be safe to remove the trace_*_rcuidle() variant and also remove the SRCU logic, as it made the code more complex and harder to implement new tracepoint features (like faultable tracepoints and tracepoints in rust). Instead of bringing back the trace_*_rcuidle(), as it will not be trivial to do as new code has already been added depending on its removal, add a workaround to the one file that still requires it (trace_preemptirq.c). If the architecture does not define CONFIG_ARCH_WANTS_NO_INSTR, then check if the code is in the idle path, and if so, call ct_irq_enter/exit() which will enable RCU around the tracepoint. Cc: Masami Hiramatsu Cc: Mathieu Desnoyers Cc: Peter Zijlstra Cc: Mark Rutland Link: https://lore.kernel.org/20241204100414.4d3e06d0@gandalf.local.home Reported-by: Geert Uytterhoeven Fixes: 48bcda684823 ("tracing: Remove definition of trace_*_rcuidle()") Closes: https://lore.kernel.org/all/bddb02de-957a-4df5-8e77-829f55728ea2@roeck-us.net/ Acked-by: Paul E. McKenney Tested-by: Guenter Roeck Tested-by: Geert Uytterhoeven Tested-by: Madhavan Srinivasan Signed-off-by: Steven Rostedt (Google) commit 2b245c97b1af5d8f04c359e0826cb5a5c81ef704 Author: Imre Deak Date: Tue Dec 3 18:02:22 2024 +0200 drm/dp_mst: Reset message rx state after OOM in drm_dp_mst_handle_up_req() After an out-of-memory error the reception state should be reset, so that the next attempt receiving a message doesn't fail (due to getting a start-of-message packet, while the reception state has already the start-of-message flag set). Cc: Lyude Paul Reviewed-by: Lyude Paul Signed-off-by: Imre Deak Link: https://patchwork.freedesktop.org/patch/msgid/20241203160223.2926014-7-imre.deak@intel.com commit e54b00086f7473dbda1a7d6fc47720ced157c6a8 Author: Imre Deak Date: Wed Dec 4 15:20:07 2024 +0200 drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req() While receiving an MST up request message from one thread in drm_dp_mst_handle_up_req(), the MST topology could be removed from another thread via drm_dp_mst_topology_mgr_set_mst(false), freeing mst_primary and setting drm_dp_mst_topology_mgr::mst_primary to NULL. This could lead to a NULL deref/use-after-free of mst_primary in drm_dp_mst_handle_up_req(). Avoid the above by holding a reference for mst_primary in drm_dp_mst_handle_up_req() while it's used. v2: Fix kfreeing the request if getting an mst_primary reference fails. Cc: Lyude Paul Reviewed-by: Lyude Paul (v1) Signed-off-by: Imre Deak Link: https://patchwork.freedesktop.org/patch/msgid/20241204132007.3132494-1-imre.deak@intel.com commit 3f611855031f94385c2eeb32b1f99dd7a9fa566b Author: Imre Deak Date: Tue Dec 3 19:46:32 2024 +0200 drm/dp_mst: Fix down request message timeout handling If receiving a reply for an MST down request message times out, the thread receiving the reply in drm_dp_mst_handle_down_rep() could try to dereference the drm_dp_sideband_msg_tx txmsg request message after the thread waiting for the reply - calling drm_dp_mst_wait_tx_reply() - has timed out and freed txmsg, hence leading to a use-after-free in drm_dp_mst_handle_down_rep(). Prevent the above by holding the drm_dp_mst_topology_mgr::qlock in drm_dp_mst_handle_down_rep() for the whole duration txmsg is looked up from the request list and dereferenced. v2: Fix unlocking mgr->qlock after verify_rx_request_type() fails. Cc: Lyude Paul Reviewed-by: Lyude Paul Signed-off-by: Imre Deak Link: https://patchwork.freedesktop.org/patch/msgid/20241203174632.2941402-1-imre.deak@intel.com commit b559b68d2761739b7c2e44d6fa59092b0d03e9ed Author: Imre Deak Date: Tue Dec 3 18:02:19 2024 +0200 drm/dp_mst: Simplify error path in drm_dp_mst_handle_down_rep() Simplify the error return path in drm_dp_mst_handle_down_rep(), preparing for the next patch. While at it use reset_msg_rx_state() instead of open-coding it. Cc: Lyude Paul Reviewed-by: Lyude Paul Signed-off-by: Imre Deak Link: https://patchwork.freedesktop.org/patch/msgid/20241203160223.2926014-4-imre.deak@intel.com commit 4d49e77a973d3b5d1881663c3f122906a0702940 Author: Imre Deak Date: Tue Dec 3 18:02:18 2024 +0200 drm/dp_mst: Verify request type in the corresponding down message reply After receiving the response for an MST down request message, the response should be accepted/parsed only if the response type matches that of the request. Ensure this by checking if the request type code stored both in the request and the reply match, dropping the reply in case of a mismatch. This fixes the topology detection for an MST hub, as described in the Closes link below, where the hub sends an incorrect reply message after a CLEAR_PAYLOAD_TABLE -> LINK_ADDRESS down request message sequence. Cc: Lyude Paul Cc: Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/12804 Reviewed-by: Lyude Paul Signed-off-by: Imre Deak Link: https://patchwork.freedesktop.org/patch/msgid/20241203160223.2926014-3-imre.deak@intel.com commit a6fa67d26de385c3c7a23c1e109a0e23bfda4ec7 Author: Imre Deak Date: Tue Dec 3 18:02:17 2024 +0200 drm/dp_mst: Fix resetting msg rx state after topology removal If the MST topology is removed during the reception of an MST down reply or MST up request sideband message, the drm_dp_mst_topology_mgr::up_req_recv/down_rep_recv states could be reset from one thread via drm_dp_mst_topology_mgr_set_mst(false), racing with the reading/parsing of the message from another thread via drm_dp_mst_handle_down_rep() or drm_dp_mst_handle_up_req(). The race is possible since the reader/parser doesn't hold any lock while accessing the reception state. This in turn can lead to a memory corruption in the reader/parser as described by commit bd2fccac61b4 ("drm/dp_mst: Fix MST sideband message body length check"). Fix the above by resetting the message reception state if needed before reading/parsing a message. Another solution would be to hold the drm_dp_mst_topology_mgr::lock for the whole duration of the message reception/parsing in drm_dp_mst_handle_down_rep() and drm_dp_mst_handle_up_req(), however this would require a bigger change. Since the fix is also needed for stable, opting for the simpler solution in this patch. Cc: Lyude Paul Cc: Fixes: 1d082618bbf3 ("drm/display/dp_mst: Fix down/up message handling after sink disconnect") Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/13056 Reviewed-by: Lyude Paul Signed-off-by: Imre Deak Link: https://patchwork.freedesktop.org/patch/msgid/20241203160223.2926014-2-imre.deak@intel.com commit 73da582a476ea6e3512f89f8ed57dfed945829a2 Author: Fernando Fernandez Mancera Date: Mon Dec 2 14:58:45 2024 +0000 x86/cpu/topology: Remove limit of CPUs due to disabled IO/APIC The rework of possible CPUs management erroneously disabled SMP when the IO/APIC is disabled either by the 'noapic' command line parameter or during IO/APIC setup. SMP is possible without IO/APIC. Remove the ioapic_is_disabled conditions from the relevant possible CPU management code paths to restore the orgininal behaviour. Fixes: 7c0edad3643f ("x86/cpu/topology: Rework possible CPU management") Signed-off-by: Fernando Fernandez Mancera Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org Link: https://lore.kernel.org/all/20241202145905.1482-1-ffmancera@riseup.net commit 20c3b3e5f2641eff3d85f33e6a468ac052b169bd Author: Colin Ian King Date: Thu Dec 5 10:28:33 2024 +0000 ALSA: hda/realtek: Fix spelling mistake "Firelfy" -> "Firefly" There is a spelling mistake in a literal string in the alc269_fixup_tbl quirk table. Fix it. Fixes: 0d08f0eec961 ("ALSA: hda/realtek: fix micmute LEDs don't work on HP Laptops") Signed-off-by: Colin Ian King Link: https://patch.msgid.link/20241205102833.476190-1-colin.i.king@gmail.com Signed-off-by: Takashi Iwai commit ec16a3cdf37e507013062f9c4a2067eacdd12b62 Author: Nícolas F. R. A. Prado Date: Tue Dec 3 16:20:58 2024 -0300 ASoC: mediatek: mt8188-mt6359: Remove hardcoded dmic codec Remove hardcoded dmic codec from the UL_SRC dai link to avoid requiring a dmic codec to be present for the driver to probe, as not every MT8188-based platform might need a dmic codec. The codec can be assigned to the dai link through the dai-link property in Devicetree on the platforms where it is needed. No Devicetree currently relies on it so it is safe to remove without worrying about backward compatibility. Fixes: 9f08dcbddeb3 ("ASoC: mediatek: mt8188-mt6359: support new board with nau88255") Signed-off-by: Nícolas F. R. A. Prado Reviewed-by: AngeloGioacchino Del Regno Link: https://patch.msgid.link/20241203-mt8188-6359-unhardcode-dmic-v1-1-346e3e5cbe6d@collabora.com Signed-off-by: Mark Brown commit d0ceea662d459726487030237689835fcc0483e5 Author: David Woodhouse Date: Wed Dec 4 11:27:14 2024 +0000 x86/mm: Add _PAGE_NOPTISHADOW bit to avoid updating userspace page tables The set_p4d() and set_pgd() functions (in 4-level or 5-level page table setups respectively) assume that the root page table is actually a 8KiB allocation, with the userspace root immediately after the kernel root page table (so that the former can enforce NX on on all the subordinate page tables, which are actually shared). However, users of the kernel_ident_mapping_init() code do not give it an 8KiB allocation for its PGD. Both swsusp_arch_resume() and acpi_mp_setup_reset() allocate only a single 4KiB page. The kexec code on x86_64 currently gets away with it purely by chance, because it allocates 8KiB for its "control code page" and then actually uses the first half for the PGD, then copies the actual trampoline code into the second half only after the identmap code has finished scribbling over it. Fix this by defining a _PAGE_NOPTISHADOW bit (which can use the same bit as _PAGE_SAVED_DIRTY since one is only for the PGD/P4D root and the other is exclusively for leaf PTEs.). This instructs __pti_set_user_pgtbl() not to write to the userspace 'shadow' PGD. Strictly, the _PAGE_NOPTISHADOW bit doesn't need to be written out to the actual page tables; since __pti_set_user_pgtbl() returns the value to be written to the kernel page table, it could be filtered out. But there seems to be no benefit to actually doing so. Suggested-by: Dave Hansen Signed-off-by: David Woodhouse Signed-off-by: Ingo Molnar Link: https://lore.kernel.org/r/412c90a4df7aef077141d9f68d19cbe5602d6c6d.camel@infradead.org Cc: stable@kernel.org Cc: Linus Torvalds Cc: Andy Lutomirski Cc: Peter Zijlstra Cc: Rik van Riel commit 4c6ac5446d060f0bf435ccc8bc3aa7b7b5f718ad Author: Purushothama Siddaiah Date: Thu Dec 5 12:34:26 2024 +0530 spi: omap2-mcspi: Fix the IS_ERR() bug for devm_clk_get_optional_enabled() The devm_clk_get_optional_enabled() function returns error pointers(PTR_ERR()). So use IS_ERR() to check it. Verified on K3-J7200 EVM board, without clock node mentioned in the device tree. Signed-off-by: Purushothama Siddaiah Reviewed-by: Corey Minyard Link: https://patch.msgid.link/20241205070426.1861048-1-psiddaiah@mvista.com Signed-off-by: Mark Brown commit b29bf7119d6bbfd04aabb8d82b060fe2a33ef890 Author: Richard Weinberger Date: Tue Dec 3 12:27:15 2024 +0100 jffs2: Fix rtime decompressor The fix for a memory corruption contained a off-by-one error and caused the compressor to fail in legit cases. Cc: Kinsey Moore Cc: stable@vger.kernel.org Fixes: fe051552f5078 ("jffs2: Prevent rtime decompress memory corruption") Signed-off-by: Richard Weinberger commit cf3b16dae4cab9dfa2436d76ce010ad4dd55b53a Author: Catalin Marinas Date: Wed Dec 4 17:50:04 2024 +0000 arm64: mte: Fix copy_highpage() warning on hugetlb folios Commit 25c17c4b55de ("hugetlb: arm64: add mte support") improved the copy_highpage() function to update the tags in the destination hugetlb folio. However, when the source folio isn't tagged, the code takes the non-hugetlb path where try_page_mte_tagging() warns as the destination is a hugetlb folio: WARNING: CPU: 0 PID: 363 at arch/arm64/include/asm/mte.h:58 copy_highpage+0x1d4/0x2d8 [...] pc : copy_highpage+0x1d4/0x2d8 lr : copy_highpage+0x78/0x2d8 [...] Call trace: copy_highpage+0x1d4/0x2d8 (P) copy_highpage+0x78/0x2d8 (L) copy_user_highpage+0x20/0x48 copy_user_large_folio+0x1bc/0x268 hugetlb_wp+0x190/0x860 hugetlb_fault+0xa28/0xc10 handle_mm_fault+0x2a0/0x2c0 do_page_fault+0x12c/0x578 do_mem_abort+0x4c/0xa8 el0_da+0x44/0xb0 el0t_64_sync_handler+0xc4/0x138 el0t_64_sync+0x198/0x1a0 Change the check for the tagged status of the source folio so that it does not fall through the non-hugetlb case. In addition, only perform the copy (for the full folio) if the source page is the folio head and warn if the destination folio is already tagged, for symmetry with the non-hugetlb case. Fixes: 25c17c4b55de ("hugetlb: arm64: add mte support") Reported-by: Sasha Levin Cc: Yang Shi Cc: David Hildenbrand Cc: Will Deacon Link: https://lore.kernel.org/r/Z0STR6VLt2MCalnY@sashalap Link: https://lore.kernel.org/r/20241204175004.906754-1-catalin.marinas@arm.com Signed-off-by: Catalin Marinas commit c0900d15d31c2597dd9f634c8be2b71762199890 Author: Catalin Marinas Date: Tue Dec 3 15:19:41 2024 +0000 arm64: Ensure bits ASID[15:8] are masked out when the kernel uses 8-bit ASIDs Linux currently sets the TCR_EL1.AS bit unconditionally during CPU bring-up. On an 8-bit ASID CPU, this is RES0 and ignored, otherwise 16-bit ASIDs are enabled. However, if running in a VM and the hypervisor reports 8-bit ASIDs (ID_AA64MMFR0_EL1.ASIDBits == 0) on a 16-bit ASIDs CPU, Linux uses bits 8 to 63 as a generation number for tracking old process ASIDs. The bottom 8 bits of this generation end up being written to TTBR1_EL1 and also used for the ASID-based TLBI operations as the upper 8 bits of the ASID. Following an ASID roll-over event we can have threads of the same application with the same 8-bit ASID but different generation numbers running on separate CPUs. Both TLB caching and the TLBI operations will end up using different actual 16-bit ASIDs for the same process. A similar scenario can happen in a big.LITTLE configuration if the boot CPU only uses 8-bit ASIDs while secondary CPUs have 16-bit ASIDs. Ensure that the ASID generation is only tracked by bits 16 and up, leaving bits 15:8 as 0 if the kernel uses 8-bit ASIDs. Note that clearing TCR_EL1.AS is not sufficient since the architecture requires that the top 8 bits of the ASID passed to TLBI instructions are 0 rather than ignored in such configuration. Cc: stable@vger.kernel.org Cc: Will Deacon Cc: Mark Rutland Cc: Marc Zyngier Cc: James Morse Acked-by: Mark Rutland Acked-by: Marc Zyngier Link: https://lore.kernel.org/r/20241203151941.353796-1-catalin.marinas@arm.com Signed-off-by: Catalin Marinas commit c2b46ae022704a2d845e59461fa24431ad627022 Author: Qinxin Xia Date: Thu Dec 5 09:33:31 2024 +0800 ACPI/IORT: Add PMCG platform information for HiSilicon HIP09A HiSilicon HIP09A platforms using the same SMMU PMCG with HIP09 and thus suffers the same erratum. List them in the PMCG platform information list without introducing a new SMMU PMCG Model. Update the silicon-errata.rst as well. Reviewed-by: Yicong Yang Acked-by: Hanjun Guo Signed-off-by: Qinxin Xia Link: https://lore.kernel.org/r/20241205013331.1484017-1-xiaqinxin@huawei.com Signed-off-by: Catalin Marinas commit 31f1b55d5d7e531cd827419e5d71c19f24de161c Author: Shradha Gupta Date: Tue Dec 3 21:48:20 2024 -0800 net :mana :Request a V2 response version for MANA_QUERY_GF_STAT The current requested response version(V1) for MANA_QUERY_GF_STAT query results in STATISTICS_FLAGS_TX_ERRORS_GDMA_ERROR value being set to 0 always. In order to get the correct value for this counter we request the response version to be V2. Cc: stable@vger.kernel.org Fixes: e1df5202e879 ("net :mana :Add remaining GDMA stats for MANA to ethtool") Signed-off-by: Shradha Gupta Reviewed-by: Haiyang Zhang Link: https://patch.msgid.link/1733291300-12593-1-git-send-email-shradhagupta@linux.microsoft.com Signed-off-by: Paolo Abeni commit 750e51603395e755537da08f745864c93e3ce741 Author: Eric Dumazet Date: Tue Dec 3 17:09:33 2024 +0000 net: avoid potential UAF in default_operstate() syzbot reported an UAF in default_operstate() [1] Issue is a race between device and netns dismantles. After calling __rtnl_unlock() from netdev_run_todo(), we can not assume the netns of each device is still alive. Make sure the device is not in NETREG_UNREGISTERED state, and add an ASSERT_RTNL() before the call to __dev_get_by_index(). We might move this ASSERT_RTNL() in __dev_get_by_index() in the future. [1] BUG: KASAN: slab-use-after-free in __dev_get_by_index+0x5d/0x110 net/core/dev.c:852 Read of size 8 at addr ffff888043eba1b0 by task syz.0.0/5339 CPU: 0 UID: 0 PID: 5339 Comm: syz.0.0 Not tainted 6.12.0-syzkaller-10296-gaaf20f870da0 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 __dev_get_by_index+0x5d/0x110 net/core/dev.c:852 default_operstate net/core/link_watch.c:51 [inline] rfc2863_policy+0x224/0x300 net/core/link_watch.c:67 linkwatch_do_dev+0x3e/0x170 net/core/link_watch.c:170 netdev_run_todo+0x461/0x1000 net/core/dev.c:10894 rtnl_unlock net/core/rtnetlink.c:152 [inline] rtnl_net_unlock include/linux/rtnetlink.h:133 [inline] rtnl_dellink+0x760/0x8d0 net/core/rtnetlink.c:3520 rtnetlink_rcv_msg+0x791/0xcf0 net/core/rtnetlink.c:6911 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2541 netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline] netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1347 netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1891 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:726 ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583 ___sys_sendmsg net/socket.c:2637 [inline] __sys_sendmsg+0x269/0x350 net/socket.c:2669 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f2a3cb80809 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f2a3d9cd058 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f2a3cd45fa0 RCX: 00007f2a3cb80809 RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000008 RBP: 00007f2a3cbf393e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f2a3cd45fa0 R15: 00007ffd03bc65c8 Allocated by task 5339: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4314 kmalloc_noprof include/linux/slab.h:901 [inline] kmalloc_array_noprof include/linux/slab.h:945 [inline] netdev_create_hash net/core/dev.c:11870 [inline] netdev_init+0x10c/0x250 net/core/dev.c:11890 ops_init+0x31e/0x590 net/core/net_namespace.c:138 setup_net+0x287/0x9e0 net/core/net_namespace.c:362 copy_net_ns+0x33f/0x570 net/core/net_namespace.c:500 create_new_namespaces+0x425/0x7b0 kernel/nsproxy.c:110 unshare_nsproxy_namespaces+0x124/0x180 kernel/nsproxy.c:228 ksys_unshare+0x57d/0xa70 kernel/fork.c:3314 __do_sys_unshare kernel/fork.c:3385 [inline] __se_sys_unshare kernel/fork.c:3383 [inline] __x64_sys_unshare+0x38/0x40 kernel/fork.c:3383 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 12: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2338 [inline] slab_free mm/slub.c:4598 [inline] kfree+0x196/0x420 mm/slub.c:4746 netdev_exit+0x65/0xd0 net/core/dev.c:11992 ops_exit_list net/core/net_namespace.c:172 [inline] cleanup_net+0x802/0xcc0 net/core/net_namespace.c:632 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 The buggy address belongs to the object at ffff888043eba000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 432 bytes inside of freed 2048-byte region [ffff888043eba000, ffff888043eba800) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x43eb8 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 04fff00000000040 ffff88801ac42000 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000080008 00000001f5000000 0000000000000000 head: 04fff00000000040 ffff88801ac42000 dead000000000122 0000000000000000 head: 0000000000000000 0000000000080008 00000001f5000000 0000000000000000 head: 04fff00000000003 ffffea00010fae01 ffffffffffffffff 0000000000000000 head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5339, tgid 5338 (syz.0.0), ts 69674195892, free_ts 69663220888 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1556 prep_new_page mm/page_alloc.c:1564 [inline] get_page_from_freelist+0x3649/0x3790 mm/page_alloc.c:3474 __alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4751 alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265 alloc_slab_page+0x6a/0x140 mm/slub.c:2408 allocate_slab+0x5a/0x2f0 mm/slub.c:2574 new_slab mm/slub.c:2627 [inline] ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3815 __slab_alloc+0x58/0xa0 mm/slub.c:3905 __slab_alloc_node mm/slub.c:3980 [inline] slab_alloc_node mm/slub.c:4141 [inline] __do_kmalloc_node mm/slub.c:4282 [inline] __kmalloc_noprof+0x2e6/0x4c0 mm/slub.c:4295 kmalloc_noprof include/linux/slab.h:905 [inline] sk_prot_alloc+0xe0/0x210 net/core/sock.c:2165 sk_alloc+0x38/0x370 net/core/sock.c:2218 __netlink_create+0x65/0x260 net/netlink/af_netlink.c:629 __netlink_kernel_create+0x174/0x6f0 net/netlink/af_netlink.c:2015 netlink_kernel_create include/linux/netlink.h:62 [inline] uevent_net_init+0xed/0x2d0 lib/kobject_uevent.c:783 ops_init+0x31e/0x590 net/core/net_namespace.c:138 setup_net+0x287/0x9e0 net/core/net_namespace.c:362 page last free pid 1032 tgid 1032 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1127 [inline] free_unref_page+0xdf9/0x1140 mm/page_alloc.c:2657 __slab_free+0x31b/0x3d0 mm/slub.c:4509 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329 kasan_slab_alloc include/linux/kasan.h:250 [inline] slab_post_alloc_hook mm/slub.c:4104 [inline] slab_alloc_node mm/slub.c:4153 [inline] kmem_cache_alloc_node_noprof+0x1d9/0x380 mm/slub.c:4205 __alloc_skb+0x1c3/0x440 net/core/skbuff.c:668 alloc_skb include/linux/skbuff.h:1323 [inline] alloc_skb_with_frags+0xc3/0x820 net/core/skbuff.c:6612 sock_alloc_send_pskb+0x91a/0xa60 net/core/sock.c:2881 sock_alloc_send_skb include/net/sock.h:1797 [inline] mld_newpack+0x1c3/0xaf0 net/ipv6/mcast.c:1747 add_grhead net/ipv6/mcast.c:1850 [inline] add_grec+0x1492/0x19a0 net/ipv6/mcast.c:1988 mld_send_initial_cr+0x228/0x4b0 net/ipv6/mcast.c:2234 ipv6_mc_dad_complete+0x88/0x490 net/ipv6/mcast.c:2245 addrconf_dad_completed+0x712/0xcd0 net/ipv6/addrconf.c:4342 addrconf_dad_work+0xdc2/0x16f0 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310 Memory state around the buggy address: ffff888043eba080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888043eba100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888043eba180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888043eba200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888043eba280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb Fixes: 8c55facecd7a ("net: linkwatch: only report IF_OPER_LOWERLAYERDOWN if iflink is actually down") Reported-by: syzbot+1939f24bdb783e9e43d9@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/674f3a18.050a0220.48a03.0041.GAE@google.com/T/#u Signed-off-by: Eric Dumazet Reviewed-by: Vladimir Oltean Link: https://patch.msgid.link/20241203170933.2449307-1-edumazet@google.com Signed-off-by: Paolo Abeni commit 7b998e073ff217f140acb59bc38e822e3cdf7612 Merge: 0e21a47c8303f9 7ffc7481153bba Author: Paolo Abeni Date: Thu Dec 5 11:49:14 2024 +0100 Merge tag 'nf-24-12-05' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following patchset contains Netfilter fixes for net: 1) Fix esoteric undefined behaviour due to uninitialized stack access in ip_vs_protocol_init(), from Jinghao Jia. 2) Fix iptables xt_LED slab-out-of-bounds due to incorrect sanitization of the led string identifier, reported by syzbot. Patch from Dmitry Antipov. 3) Remove WARN_ON_ONCE reachable from userspace to check for the maximum cgroup level, nft_socket cgroup matching is restricted to 255 levels, but cgroups allow for INT_MAX levels by default. Reported by syzbot. 4) Fix nft_inner incorrect use of percpu area to store tunnel parser context with softirqs, resulting in inconsistent inner header offsets that could lead to bogus rule mismatches, reported by syzbot. 5) Grab module reference on ipset core while requesting set type modules, otherwise kernel crash is possible by removing ipset core module, patch from Phil Sutter. 6) Fix possible double-free in nft_hash garbage collector due to unstable walk interator that can provide twice the same element. Use a sequence number to skip expired/dead elements that have been already scheduled for removal. Based on patch from Laurent Fasnach netfilter pull request 24-12-05 * tag 'nf-24-12-05' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf: netfilter: nft_set_hash: skip duplicated elements pending gc run netfilter: ipset: Hold module reference while requesting a module netfilter: nft_inner: incorrect percpu area handling under softirq netfilter: nft_socket: remove WARN_ON_ONCE on maximum cgroup level netfilter: x_tables: fix LED ID check in led_tg_check() ipvs: fix UB due to uninitialized stack access in ip_vs_protocol_init() ==================== Link: https://patch.msgid.link/20241205002854.162490-1-pablo@netfilter.org Signed-off-by: Paolo Abeni commit 0e21a47c8303f9cc2efe0495f58c2b1ff76080a5 Merge: 4615855ea8c42a 86814d8ffd55fd Author: Paolo Abeni Date: Thu Dec 5 11:39:36 2024 +0100 Merge branch 'vsock-test-fix-wrong-setsockopt-parameters' Konstantin Shkolnyy says: ==================== vsock/test: fix wrong setsockopt() parameters Parameters were created using wrong C types, which caused them to be of wrong size on some architectures, causing problems. The problem with SO_RCVLOWAT was found on s390 (big endian), while x86-64 didn't show it. After the fix, all tests pass on s390. Then Stefano Garzarella pointed out that SO_VM_SOCKETS_* calls might have a similar problem, which turned out to be true, hence, the second patch. Changes for v8: - Fix whitespace warnings from "checkpatch.pl --strict" - Add maintainers to Cc: Changes for v7: - Rebase on top of https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git - Add the "net" tags to the subjects Changes for v6: - rework the patch #3 to avoid creating a new file for new functions, and exclude vsock_perf from calling the new functions. - add "Reviewed-by:" to the patch #2. Changes for v5: - in the patch #2 replace the introduced uint64_t with unsigned long long to match documentation - add a patch #3 that verifies every setsockopt() call. Changes for v4: - add "Reviewed-by:" to the first patch, and add a second patch fixing SO_VM_SOCKETS_* calls, which depends on the first one (hence, it's now a patch series.) Changes for v3: - fix the same problem in vsock_perf and update commit message Changes for v2: - add "Fixes:" lines to the commit message ==================== Link: https://patch.msgid.link/20241203150656.287028-1-kshk@linux.ibm.com Signed-off-by: Paolo Abeni commit 86814d8ffd55fd4ad19c512eccd721522a370fb2 Author: Konstantin Shkolnyy Date: Tue Dec 3 09:06:56 2024 -0600 vsock/test: verify socket options after setting them Replace setsockopt() calls with calls to functions that follow setsockopt() with getsockopt() and check that the returned value and its size are the same as have been set. (Except in vsock_perf.) Signed-off-by: Konstantin Shkolnyy Reviewed-by: Stefano Garzarella Signed-off-by: Paolo Abeni commit 3f36ee29e732b68044d531f47d31f22d265954c6 Author: Konstantin Shkolnyy Date: Tue Dec 3 09:06:55 2024 -0600 vsock/test: fix parameter types in SO_VM_SOCKETS_* calls Change parameters of SO_VM_SOCKETS_* to unsigned long long as documented in the vm_sockets.h, because the corresponding kernel code requires them to be at least 64-bit, no matter what architecture. Otherwise they are too small on 32-bit machines. Fixes: 5c338112e48a ("test/vsock: rework message bounds test") Fixes: 685a21c314a8 ("test/vsock: add big message test") Fixes: 542e893fbadc ("vsock/test: two tests to check credit update logic") Fixes: 8abbffd27ced ("test/vsock: vsock_perf utility") Signed-off-by: Konstantin Shkolnyy Reviewed-by: Stefano Garzarella Signed-off-by: Paolo Abeni commit 7ce1c0921a806ee7d4bb24f74a3b30c89fc5fb39 Author: Konstantin Shkolnyy Date: Tue Dec 3 09:06:54 2024 -0600 vsock/test: fix failures due to wrong SO_RCVLOWAT parameter This happens on 64-bit big-endian machines. SO_RCVLOWAT requires an int parameter. However, instead of int, the test uses unsigned long in one place and size_t in another. Both are 8 bytes long on 64-bit machines. The kernel, having received the 8 bytes, doesn't test for the exact size of the parameter, it only cares that it's >= sizeof(int), and casts the 4 lower-addressed bytes to an int, which, on a big-endian machine, contains 0. 0 doesn't trigger an error, SO_RCVLOWAT returns with success and the socket stays with the default SO_RCVLOWAT = 1, which results in vsock_test failures, while vsock_perf doesn't even notice that it's failed to change it. Fixes: b1346338fbae ("vsock_test: POLLIN + SO_RCVLOWAT test") Fixes: 542e893fbadc ("vsock/test: two tests to check credit update logic") Fixes: 8abbffd27ced ("test/vsock: vsock_perf utility") Signed-off-by: Konstantin Shkolnyy Reviewed-by: Stefano Garzarella Signed-off-by: Paolo Abeni commit 4f776d81bf927a4f25d5e32a4d0df08ee509dd6c Author: Aneesh Kumar K.V (Arm) Date: Thu Nov 28 20:55:43 2024 +0530 arm64: dts: fvp: Update PCIe bus-range property These days, the Fixed Virtual Platforms(FVP) Base RevC model supports more PCI devices. Update the max bus number so that Linux can enumerate them correctly. Without this, the kernel throws the below error while booting with the default hierarchy | pci_bus 0000:01: busn_res: [bus 01] end is updated to 01 | pci_bus 0000:02: busn_res: can not insert [bus 02-01] under | [bus 00-01] (conflicts with (null) [bus 00-01]) | pci_bus 0000:02: busn_res: [bus 02-01] end is updated to 02 | pci_bus 0000:02: busn_res: can not insert [bus 02] under | [bus 00-01] (conflicts with (null) [bus 00-01]) | pci_bus 0000:03: busn_res: can not insert [bus 03-01] under | [bus 00-01] (conflicts with (null) [bus 00-01]) | pci_bus 0000:03: busn_res: [bus 03-01] end is updated to 03 | pci_bus 0000:03: busn_res: can not insert [bus 03] under | [bus 00-01] (conflicts with (null) [bus 00-01]) | pci_bus 0000:04: busn_res: can not insert [bus 04-01] under | [bus 00-01] (conflicts with (null) [bus 00-01]) | pci_bus 0000:04: busn_res: [bus 04-01] end is updated to 04 | pci_bus 0000:04: busn_res: can not insert [bus 04] under | [bus 00-01] (conflicts with (null) [bus 00-01]) | pci 0000:00:01.0: BAR 14: assigned [mem 0x50000000-0x500fffff] | pci-host-generic 40000000.pci: ECAM at [mem 0x40000000-0x4fffffff] | for [bus 00-01] The change is using 0xff as max bus number because the ECAM window is 256MB in size. Below is the lspci output with and without the change: without fix =========== | 00:00.0 Host bridge: ARM Device 00ba (rev 01) | 00:01.0 PCI bridge: ARM Device 0def | 00:02.0 PCI bridge: ARM Device 0def | 00:03.0 PCI bridge: ARM Device 0def | 00:04.0 PCI bridge: ARM Device 0def | 00:1e.0 Unassigned class [ff00]: ARM Device ff80 | 00:1e.1 Unassigned class [ff00]: ARM Device ff80 | 00:1f.0 SATA controller: Device 0abc:aced (rev 01) | 01:00.0 SATA controller: Device 0abc:aced (rev 01) with fix ======== | 00:00.0 Host bridge: ARM Device 00ba (rev 01) | 00:01.0 PCI bridge: ARM Device 0def | 00:02.0 PCI bridge: ARM Device 0def | 00:03.0 PCI bridge: ARM Device 0def | 00:04.0 PCI bridge: ARM Device 0def | 00:1e.0 Unassigned class [ff00]: ARM Device ff80 | 00:1e.1 Unassigned class [ff00]: ARM Device ff80 | 00:1f.0 SATA controller: Device 0abc:aced (rev 01) | 01:00.0 SATA controller: Device 0abc:aced (rev 01) | 02:00.0 Unassigned class [ff00]: ARM Device ff80 | 02:00.4 Unassigned class [ff00]: ARM Device ff80 | 03:00.0 PCI bridge: ARM Device 0def | 04:00.0 PCI bridge: ARM Device 0def | 04:01.0 PCI bridge: ARM Device 0def | 04:02.0 PCI bridge: ARM Device 0def | 05:00.0 SATA controller: Device 0abc:aced (rev 01) | 06:00.0 Unassigned class [ff00]: ARM Device ff80 | 06:00.7 Unassigned class [ff00]: ARM Device ff80 | 07:00.0 Unassigned class [ff00]: ARM Device ff80 | 07:00.3 Unassigned class [ff00]: ARM Device ff80 | 08:00.0 Unassigned class [ff00]: ARM Device ff80 | 08:00.1 Unassigned class [ff00]: ARM Device ff80 Cc: Sudeep Holla Cc: Lorenzo Pieralisi Cc: Rob Herring Cc: Krzysztof Kozlowski Cc: Conor Dooley Reviewed-by: Liviu Dudau Signed-off-by: Aneesh Kumar K.V (Arm) Message-Id: <20241128152543.1821878-1-aneesh.kumar@kernel.org> Signed-off-by: Sudeep Holla commit 140054a25f85036ec847e722c76cc1bfaf3f0d96 Author: Roger Quadros Date: Tue Dec 3 15:33:17 2024 +0200 mtd: rawnand: omap2: Fix build warnings with W=1 Add kernel-doc for functions to get rid of below warnings when built with W=1. drivers/mtd/nand/raw/omap2.c:260: warning: Function parameter or struct member 'chip' not described in 'omap_nand_data_in_pref' drivers/mtd/nand/raw/omap2.c:260: warning: Function parameter or struct member 'buf' not described in 'omap_nand_data_in_pref' drivers/mtd/nand/raw/omap2.c:260: warning: Function parameter or struct member 'len' not described in 'omap_nand_data_in_pref' drivers/mtd/nand/raw/omap2.c:260: warning: Function parameter or struct member 'force_8bit' not described in 'omap_nand_data_in_pref' drivers/mtd/nand/raw/omap2.c:304: warning: Function parameter or struct member 'chip' not described in 'omap_nand_data_out_pref' drivers/mtd/nand/raw/omap2.c:304: warning: Function parameter or struct member 'buf' not described in 'omap_nand_data_out_pref' drivers/mtd/nand/raw/omap2.c:304: warning: Function parameter or struct member 'len' not described in 'omap_nand_data_out_pref' drivers/mtd/nand/raw/omap2.c:304: warning: Function parameter or struct member 'force_8bit' not described in 'omap_nand_data_out_pref' drivers/mtd/nand/raw/omap2.c:446: warning: Function parameter or struct member 'chip' not described in 'omap_nand_data_in_dma_pref' drivers/mtd/nand/raw/omap2.c:446: warning: Function parameter or struct member 'buf' not described in 'omap_nand_data_in_dma_pref' drivers/mtd/nand/raw/omap2.c:446: warning: Function parameter or struct member 'len' not described in 'omap_nand_data_in_dma_pref' drivers/mtd/nand/raw/omap2.c:446: warning: Function parameter or struct member 'force_8bit' not described in 'omap_nand_data_in_dma_pref' drivers/mtd/nand/raw/omap2.c:467: warning: Function parameter or struct member 'chip' not described in 'omap_nand_data_out_dma_pref' drivers/mtd/nand/raw/omap2.c:467: warning: Function parameter or struct member 'buf' not described in 'omap_nand_data_out_dma_pref' drivers/mtd/nand/raw/omap2.c:467: warning: Function parameter or struct member 'len' not described in 'omap_nand_data_out_dma_pref' drivers/mtd/nand/raw/omap2.c:467: warning: Function parameter or struct member 'force_8bit' not described in 'omap_nand_data_out_dma_pref' Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202412031716.JfNIh1Uu-lkp@intel.com/ Signed-off-by: Roger Quadros Signed-off-by: Miquel Raynal commit 11e6831fd81468cf48155b9b3c11295c391da723 Author: Maciej Andrzejewski Date: Mon Dec 2 19:58:36 2024 +0100 mtd: rawnand: arasan: Fix missing de-registration of NAND The NAND chip-selects are registered for the Arasan driver during initialization but are not de-registered when the driver is unloaded. As a result, if the driver is loaded again, the chip-selects remain registered and busy, making them unavailable for use. Fixes: 197b88fecc50 ("mtd: rawnand: arasan: Add new Arasan NAND controller") Cc: stable@vger.kernel.org Signed-off-by: Maciej Andrzejewski ICEYE Signed-off-by: Miquel Raynal commit b086a46dae48829e11c0c02580e30d920b76743c Author: Maciej Andrzejewski Date: Mon Dec 2 13:51:07 2024 +0100 mtd: rawnand: arasan: Fix double assertion of chip-select When two chip-selects are configured in the device tree, and the second is a non-native GPIO, both the GPIO-based chip-select and the first native chip-select may be asserted simultaneously. This double assertion causes incorrect read and write operations. The issue occurs because when nfc->ncs <= 2, nfc->spare_cs is always initialized to 0 due to static initialization. Consequently, when the second chip-select (GPIO-based) is selected in anfc_assert_cs(), it is detected by anfc_is_gpio_cs(), and nfc->native_cs is assigned the value 0. This results in both the GPIO-based chip-select being asserted and the NAND controller register receiving 0, erroneously selecting the native chip-select. This patch resolves the issue, as confirmed by oscilloscope testing with configurations involving two or more chip-selects in the device tree. Fixes: acbd3d0945f9 ("mtd: rawnand: arasan: Leverage additional GPIO CS") Cc: stable@vger.kernel.org Signed-off-by: Maciej Andrzejewski Signed-off-by: Miquel Raynal commit 9b458e8be0d13e81ed03fffa23f8f9b528bbd786 Author: Zichen Xie Date: Wed Oct 23 16:13:10 2024 -0500 mtd: diskonchip: Cast an operand to prevent potential overflow There may be a potential integer overflow issue in inftl_partscan(). parts[0].size is defined as "uint64_t" while mtd->erasesize and ip->firstUnit are defined as 32-bit unsigned integer. The result of the calculation will be limited to 32 bits without correct casting. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Zichen Xie Cc: stable@vger.kernel.org Signed-off-by: Miquel Raynal commit d8e4771f99c0400a1873235704b28bb803c83d17 Author: Dan Carpenter Date: Wed Oct 23 11:40:56 2024 +0300 mtd: rawnand: fix double free in atmel_pmecc_create_user() The "user" pointer was converted from being allocated with kzalloc() to being allocated by devm_kzalloc(). Calling kfree(user) will lead to a double free. Fixes: 6d734f1bfc33 ("mtd: rawnand: atmel: Fix possible memory leak") Signed-off-by: Dan Carpenter Signed-off-by: Miquel Raynal commit d507d29bfde3fee6a74d098a9ac640b8fc1a549b Author: Kalesh AP Date: Wed Dec 4 13:24:16 2024 +0530 RDMA/bnxt_re: Don't fail destroy QP and cleanup debugfs earlier Change bnxt_re_destroy_qp to always return 0 and don't fail in case of error during destroy. In addition, delete debugfs QP to earlier stage. Fixes: d7d54769c042 ("RDMA/bnxt_re: Add debugfs hook in the driver") Reviewed-by: Kashyap Desai Signed-off-by: Kalesh AP Signed-off-by: Selvin Xavier Link: https://patch.msgid.link/20241204075416.478431-6-kalesh-anakkur.purayil@broadcom.com Signed-off-by: Leon Romanovsky commit 064c22408a73b9e945139b64614c534cbbefb591 Author: Kashyap Desai Date: Wed Dec 4 13:24:14 2024 +0530 RDMA/bnxt_re: Avoid sending the modify QP workaround for latest adapters The workaround to modify the UD QP from RTS to RTS is required only for older adapters. Issuing this for latest adapters can caus some unexpected behavior. Fix it Fixes: 1801d87b3598 ("RDMA/bnxt_re: Support new 5760X P7 devices") Signed-off-by: Kashyap Desai Signed-off-by: Selvin Xavier Link: https://patch.msgid.link/20241204075416.478431-4-kalesh-anakkur.purayil@broadcom.com Signed-off-by: Leon Romanovsky commit 5effcacc8a8f3eb2a9f069d7e81a9ac793598dfb Author: Selvin Xavier Date: Wed Dec 4 13:24:13 2024 +0530 RDMA/bnxt_re: Avoid initializing the software queue for user queues Software Queues to hold the WRs needs to be created for only kernel queues. Avoid allocating the unnecessary memory for user Queues. Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") Fixes: 159fb4ceacd7 ("RDMA/bnxt_re: introduce a function to allocate swq") Signed-off-by: Selvin Xavier Link: https://patch.msgid.link/20241204075416.478431-3-kalesh-anakkur.purayil@broadcom.com Signed-off-by: Leon Romanovsky commit 79d330fbdffd8cee06d8bdf38d82cb62d8363a27 Author: Kashyap Desai Date: Wed Dec 4 13:24:12 2024 +0530 RDMA/bnxt_re: Fix max SGEs for the Work Request Gen P7 supports up to 13 SGEs for now. WQE software structure can hold only 6 now. Since the max send sge is reported as 13, the stack can give requests up to 13 SGEs. This is causing traffic failures and system crashes. Use the define for max SGE supported for variable size. This will work for both static and variable WQEs. Fixes: 227f51743b61 ("RDMA/bnxt_re: Fix the max WQE size for static WQE support") Signed-off-by: Kashyap Desai Signed-off-by: Selvin Xavier Link: https://patch.msgid.link/20241204075416.478431-2-kalesh-anakkur.purayil@broadcom.com Signed-off-by: Leon Romanovsky commit e05feab22fd7dabcd6d272c4e2401ec1acdfdb9b Author: Patrisious Haddad Date: Tue Dec 3 15:45:37 2024 +0200 RDMA/mlx5: Enforce same type port association for multiport RoCE Different core device types such as PFs and VFs shouldn't be affiliated together since they have different capabilities, fix that by enforcing type check before doing the affiliation. Fixes: 32f69e4be269 ("{net, IB}/mlx5: Manage port association for multiport RoCE") Reviewed-by: Mark Bloch Signed-off-by: Patrisious Haddad Link: https://patch.msgid.link/88699500f690dff1c1852c1ddb71f8a1cc8b956e.1733233480.git.leonro@nvidia.com Reviewed-by: Mateusz Polchlopek Signed-off-by: Leon Romanovsky commit d9381508ea2b590aff46d28d432d20bfef1ba64c Author: Yafang shao Date: Thu Dec 5 10:11:00 2024 +0800 audit: workaround a GCC bug triggered by task comm changes A build failure has been reported with the following details: In file included from include/linux/string.h:390, from include/linux/bitmap.h:13, from include/linux/cpumask.h:12, from include/linux/smp.h:13, from include/linux/lockdep.h:14, from include/linux/spinlock.h:63, from include/linux/wait.h:9, from include/linux/wait_bit.h:8, from include/linux/fs.h:6, from kernel/auditsc.c:37: In function 'sized_strscpy', inlined from '__audit_ptrace' at kernel/auditsc.c:2732:2: >> include/linux/fortify-string.h:293:17: error: call to '__write_overflow' declared with attribute error: detected write beyond size of object (1st parameter) 293 | __write_overflow(); | ^~~~~~~~~~~~~~~~~~ In function 'sized_strscpy', inlined from 'audit_signal_info_syscall' at kernel/auditsc.c:2759:3: >> include/linux/fortify-string.h:293:17: error: call to '__write_overflow' declared with attribute error: detected write beyond size of object (1st parameter) 293 | __write_overflow(); | ^~~~~~~~~~~~~~~~~~ The issue appears to be a GCC bug, though the root cause remains unclear at this time. For now, let's implement a workaround. A bug report has also been filed with GCC [0]. Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=117912 [0] Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202410171420.1V00ICVG-lkp@intel.com/ Reported-by: Steven Rostedt (Google) Closes: https://lore.kernel.org/all/20241128182435.57a1ea6f@gandalf.local.home/ Reported-by: Zhuo, Qiuxu Closes: https://lore.kernel.org/all/CY8PR11MB71348E568DBDA576F17DAFF389362@CY8PR11MB7134.namprd11.prod.outlook.com/ Originally-by: Kees Cook Link: https://lore.kernel.org/linux-hardening/202410171059.C2C395030@keescook/ Signed-off-by: Yafang shao Tested-by: Steven Rostedt (Google) Tested-by: Yafang Shao [PM: subject tweak, description line wrapping] Signed-off-by: Paul Moore commit 4615855ea8c42aff76cc7772509445dc80bcd917 Merge: 18317290b29bbb 0566f83d206c7a Author: Jakub Kicinski Date: Wed Dec 4 19:46:49 2024 -0800 Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue Tony Nguyen says: ==================== Intel Wired LAN Driver Updates 2024-12-03 (ice, idpf, ixgbe, ixgbevf, igb) This series contains updates to ice, idpf, ixgbe, ixgbevf, and igb drivers. For ice: Arkadiusz corrects search for determining whether PHY clock recovery is supported on the device. Przemyslaw corrects mask used for PHY timestamps on ETH56G devices. Wojciech adds missing virtchnl ops which caused NULL pointer dereference. Marcin fixes VLAN filter settings for uplink VSI in switchdev mode. For idpf: Josh restores setting of completion tag for empty buffers. For ixgbevf: Jake removes incorrect initialization/support of IPSEC for mailbox version 1.5. For ixgbe: Jake rewords and downgrades misleading message when negotiation of VF mailbox version is not supported. Tore Amundsen corrects value for BASE-BX10 capability. For igb: Yuan Can adds proper teardown on failed pci_register_driver() call. * '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue: igb: Fix potential invalid memory access in igb_init_module() ixgbe: Correct BASE-BX10 compliance code ixgbe: downgrade logging of unsupported VF API version to debug ixgbevf: stop attempting IPSEC offload on Mailbox API 1.5 idpf: set completion tag for "empty" bufs associated with a packet ice: Fix VLAN pruning in switchdev mode ice: Fix NULL pointer dereference in switchdev ice: fix PHY timestamp extraction for ETH56G ice: fix PHY Clock Recovery availability check ==================== Link: https://patch.msgid.link/20241203215521.1646668-1-anthony.l.nguyen@intel.com Signed-off-by: Jakub Kicinski commit 18317290b29bbb092ab3a9437cb279b7af9b4547 Merge: 5f4d0356f06a73 5085f861b414e4 Author: Jakub Kicinski Date: Wed Dec 4 19:43:48 2024 -0800 Merge branch 'mlx5-misc-fixes-2024-12-03' Tariq Toukan says: ==================== mlx5 misc fixes 2024-12-03 This patchset provides misc bug fixes from the team to the mlx5 core and Eth drivers. ==================== Link: https://patch.msgid.link/20241203204920.232744-1-tariqt@nvidia.com Signed-off-by: Jakub Kicinski commit 5085f861b414e4a51ce28a891dfa32a10a54b64e Author: Jianbo Liu Date: Tue Dec 3 22:49:20 2024 +0200 net/mlx5e: Remove workaround to avoid syndrome for internal port Previously a workaround was added to avoid syndrome 0xcdb051. It is triggered when offload a rule with tunnel encapsulation, and forwarding to another table, but not matching on the internal port in firmware steering mode. The original workaround skips internal tunnel port logic, which is not correct as not all cases are considered. As an example, if vlan is configured on the uplink port, traffic can't pass because vlan header is not added with this workaround. Besides, there is no such issue for software steering. So, this patch removes that, and returns error directly if trying to offload such rule for firmware steering. Fixes: 06b4eac9c4be ("net/mlx5e: Don't offload internal port if filter device is out device") Signed-off-by: Jianbo Liu Tested-by: Frode Nordahl Reviewed-by: Chris Mi Reviewed-by: Ariel Levkovich Signed-off-by: Tariq Toukan Link: https://patch.msgid.link/20241203204920.232744-7-tariqt@nvidia.com Signed-off-by: Jakub Kicinski commit 31f114c3d158dacbeda33f2afb0ca41f4ec6c9f9 Author: Tariq Toukan Date: Tue Dec 3 22:49:19 2024 +0200 net/mlx5e: SD, Use correct mdev to build channel param In a multi-PF netdev, each traffic channel creates its own resources against a specific PF. In the cited commit, where this support was added, the channel_param logic was mistakenly kept unchanged, so it always used the primary PF which is found at priv->mdev. In this patch we fix this by moving the logic to be per-channel, and passing the correct mdev instance. This bug happened to be usually harmless, as the resulting cparam structures would be the same for all channels, due to identical FW logic and decisions. However, in some use cases, like fwreset, this gets broken. This could lead to different symptoms. Example: Error cqe on cqn 0x428, ci 0x0, qn 0x10a9, opcode 0xe, syndrome 0x4, vendor syndrome 0x32 Fixes: e4f9686bdee7 ("net/mlx5e: Let channels be SD-aware") Signed-off-by: Tariq Toukan Reviewed-by: Lama Kayal Reviewed-by: Gal Pressman Link: https://patch.msgid.link/20241203204920.232744-6-tariqt@nvidia.com Signed-off-by: Jakub Kicinski commit d04c81a3e3ced59f68018a7906c82e421bf748a5 Author: Patrisious Haddad Date: Tue Dec 3 22:49:18 2024 +0200 net/mlx5: E-Switch, Fix switching to switchdev mode in MPV Fix the mentioned commit change for MPV mode, since in MPV mode the IB device is shared between different core devices, so under this change when moving both devices simultaneously to switchdev mode the IB device removal and re-addition can race with itself causing unexpected behavior. In such case do rescan_drivers() only once in order to add the ethernet representor auxiliary device, and skip adding and removing IB devices. Fixes: ab85ebf43723 ("net/mlx5: E-switch, refactor eswitch mode change") Signed-off-by: Patrisious Haddad Reviewed-by: Mark Bloch Signed-off-by: Tariq Toukan Link: https://patch.msgid.link/20241203204920.232744-5-tariqt@nvidia.com Signed-off-by: Jakub Kicinski commit 5f9b2bf019b7fb58e883dca7522c606c52612ea4 Author: Patrisious Haddad Date: Tue Dec 3 22:49:17 2024 +0200 net/mlx5: E-Switch, Fix switching to switchdev mode with IB device disabled In case that IB device is already disabled when moving to switchdev mode, which can happen when working with LAG, need to do rescan_drivers() before leaving in order to add ethernet representor auxiliary device. Fixes: ab85ebf43723 ("net/mlx5: E-switch, refactor eswitch mode change") Signed-off-by: Patrisious Haddad Reviewed-by: Mark Bloch Signed-off-by: Tariq Toukan Link: https://patch.msgid.link/20241203204920.232744-4-tariqt@nvidia.com Signed-off-by: Jakub Kicinski commit 10e0f0c018d5ce5ba4f349875c67f99c3253b5c3 Author: Cosmin Ratiu Date: Tue Dec 3 22:49:16 2024 +0200 net/mlx5: HWS: Properly set bwc queue locks lock classes The mentioned "Fixes" patch forgot to do that. Fixes: 9addffa34359 ("net/mlx5: HWS, use lock classes for bwc locks") Signed-off-by: Cosmin Ratiu Reviewed-by: Yevgeny Kliteynik Signed-off-by: Tariq Toukan Link: https://patch.msgid.link/20241203204920.232744-3-tariqt@nvidia.com Signed-off-by: Jakub Kicinski commit 530b69a26952c95ffc9e6dcd1cff6f249032780a Author: Cosmin Ratiu Date: Tue Dec 3 22:49:15 2024 +0200 net/mlx5: HWS: Fix memory leak in mlx5hws_definer_calc_layout It allocates a match template, which creates a compressed definer fc struct, but that is not deallocated. This commit fixes that. Fixes: 74a778b4a63f ("net/mlx5: HWS, added definers handling") Signed-off-by: Cosmin Ratiu Reviewed-by: Yevgeny Kliteynik Signed-off-by: Tariq Toukan Link: https://patch.msgid.link/20241203204920.232744-2-tariqt@nvidia.com Signed-off-by: Jakub Kicinski commit 5f4d0356f06a73a6d99c5c6583abda0e0f9dd5b2 Merge: 8588c99c7d4744 bd649c5cc95816 Author: Jakub Kicinski Date: Wed Dec 4 19:23:36 2024 -0800 Merge branch 'bnxt_en-support-header-page-pool-in-queue-api' David Wei says: ==================== bnxt_en: support header page pool in queue API Commit 7ed816be35ab ("eth: bnxt: use page pool for head frags") added a separate page pool for header frags. Now, frags are allocated from this header page pool e.g. rxr->tpa_info.data. The queue API did not properly handle rxr->tpa_info and so using the queue API to i.e. reset any queues will result in pages being returned to the incorrect page pool, causing inflight != 0 warnings. Fix this bug by properly allocating/freeing tpa_info and copying/freeing head_pool in the queue API implementation. The 1st patch is a prep patch that refactors helpers out to be used by the implementation patch later. The 2nd patch is a drive-by refactor. Happy to take it out and re-send to net-next if there are any objections. The 3rd patch is the implementation patch that will properly alloc/free rxr->tpa_info. ==================== Link: https://patch.msgid.link/20241204041022.56512-1-dw@davidwei.uk Signed-off-by: Jakub Kicinski commit bd649c5cc958169b8a8a3e77ea926d92d472b02a Author: David Wei Date: Tue Dec 3 20:10:22 2024 -0800 bnxt_en: handle tpa_info in queue API implementation Commit 7ed816be35ab ("eth: bnxt: use page pool for head frags") added a page pool for header frags, which may be distinct from the existing pool for the aggregation ring. Prior to this change, frags used in the TPA ring rx_tpa were allocated from system memory e.g. napi_alloc_frag() meaning their lifetimes were not associated with a page pool. They can be returned at any time and so the queue API did not alloc or free rx_tpa. But now frags come from a separate head_pool which may be different to page_pool. Without allocating and freeing rx_tpa, frags allocated from the old head_pool may be returned to a different new head_pool which causes a mismatch between the pp hold/release count. Fix this problem by properly freeing and allocating rx_tpa in the queue API implementation. Signed-off-by: David Wei Reviewed-by: Michael Chan Link: https://patch.msgid.link/20241204041022.56512-4-dw@davidwei.uk Signed-off-by: Jakub Kicinski commit bf1782d70ddd9f23911824e41df8d9b5244f2f30 Author: David Wei Date: Tue Dec 3 20:10:21 2024 -0800 bnxt_en: refactor bnxt_alloc_rx_rings() to call bnxt_alloc_rx_agg_bmap() Refactor bnxt_alloc_rx_rings() to call bnxt_alloc_rx_agg_bmap() for allocating rx_agg_bmap. Reviewed-by: Somnath Kotur Signed-off-by: David Wei Reviewed-by: Michael Chan Link: https://patch.msgid.link/20241204041022.56512-3-dw@davidwei.uk Signed-off-by: Jakub Kicinski commit 5883a3e0babf55d85422fddec3422f211c853f6e Author: David Wei Date: Tue Dec 3 20:10:20 2024 -0800 bnxt_en: refactor tpa_info alloc/free into helpers Refactor bnxt_rx_ring_info->tpa_info operations into helpers that work on a single tpa_info in prep for queue API using them. There are 2 pairs of operations: * bnxt_alloc_one_tpa_info() * bnxt_free_one_tpa_info() These alloc/free the tpa_info array itself. * bnxt_alloc_one_tpa_info_data() * bnxt_free_one_tpa_info_data() These alloc/free the frags stored in tpa_info array. Reviewed-by: Somnath Kotur Signed-off-by: David Wei Reviewed-by: Michael Chan Link: https://patch.msgid.link/20241204041022.56512-2-dw@davidwei.uk Signed-off-by: Jakub Kicinski commit 8588c99c7d47448fcae39e3227d6e2bb97aad86d Author: Eric Dumazet Date: Tue Dec 3 18:21:21 2024 +0000 geneve: do not assume mac header is set in geneve_xmit_skb() We should not assume mac header is set in output path. Use skb_eth_hdr() instead of eth_hdr() to fix the issue. sysbot reported the following : WARNING: CPU: 0 PID: 11635 at include/linux/skbuff.h:3052 skb_mac_header include/linux/skbuff.h:3052 [inline] WARNING: CPU: 0 PID: 11635 at include/linux/skbuff.h:3052 eth_hdr include/linux/if_ether.h:24 [inline] WARNING: CPU: 0 PID: 11635 at include/linux/skbuff.h:3052 geneve_xmit_skb drivers/net/geneve.c:898 [inline] WARNING: CPU: 0 PID: 11635 at include/linux/skbuff.h:3052 geneve_xmit+0x4c38/0x5730 drivers/net/geneve.c:1039 Modules linked in: CPU: 0 UID: 0 PID: 11635 Comm: syz.4.1423 Not tainted 6.12.0-syzkaller-10296-gaaf20f870da0 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:skb_mac_header include/linux/skbuff.h:3052 [inline] RIP: 0010:eth_hdr include/linux/if_ether.h:24 [inline] RIP: 0010:geneve_xmit_skb drivers/net/geneve.c:898 [inline] RIP: 0010:geneve_xmit+0x4c38/0x5730 drivers/net/geneve.c:1039 Code: 21 c6 02 e9 35 d4 ff ff e8 a5 48 4c fb 90 0f 0b 90 e9 fd f5 ff ff e8 97 48 4c fb 90 0f 0b 90 e9 d8 f5 ff ff e8 89 48 4c fb 90 <0f> 0b 90 e9 41 e4 ff ff e8 7b 48 4c fb 90 0f 0b 90 e9 cd e7 ff ff RSP: 0018:ffffc90003b2f870 EFLAGS: 00010283 RAX: 000000000000037a RBX: 000000000000ffff RCX: ffffc9000dc3d000 RDX: 0000000000080000 RSI: ffffffff86428417 RDI: 0000000000000003 RBP: ffffc90003b2f9f0 R08: 0000000000000003 R09: 000000000000ffff R10: 000000000000ffff R11: 0000000000000002 R12: ffff88806603c000 R13: 0000000000000000 R14: ffff8880685b2780 R15: 0000000000000e23 FS: 00007fdc2deed6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b30a1dff8 CR3: 0000000056b8c000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __netdev_start_xmit include/linux/netdevice.h:5002 [inline] netdev_start_xmit include/linux/netdevice.h:5011 [inline] __dev_direct_xmit+0x58a/0x720 net/core/dev.c:4490 dev_direct_xmit include/linux/netdevice.h:3181 [inline] packet_xmit+0x1e4/0x360 net/packet/af_packet.c:285 packet_snd net/packet/af_packet.c:3146 [inline] packet_sendmsg+0x2700/0x5660 net/packet/af_packet.c:3178 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg net/socket.c:726 [inline] __sys_sendto+0x488/0x4f0 net/socket.c:2197 __do_sys_sendto net/socket.c:2204 [inline] __se_sys_sendto net/socket.c:2200 [inline] __x64_sys_sendto+0xe0/0x1c0 net/socket.c:2200 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Fixes: a025fb5f49ad ("geneve: Allow configuration of DF behaviour") Reported-by: syzbot+3ec5271486d7cb2d242a@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/674f4b72.050a0220.17bd51.004a.GAE@google.com/T/#u Signed-off-by: Eric Dumazet Reviewed-by: Stefano Brivio Link: https://patch.msgid.link/20241203182122.2725517-1-edumazet@google.com Signed-off-by: Jakub Kicinski commit 217bbf156f93ada86b91617489e7ba8a0904233c Author: Ido Schimmel Date: Tue Dec 3 16:16:05 2024 +0100 mlxsw: spectrum_acl_flex_keys: Use correct key block on Spectrum-4 The driver is currently using an ACL key block that is not supported by Spectrum-4. This works because the driver is only using a single field from this key block which is located in the same offset in the equivalent Spectrum-4 key block. The issue was discovered when the firmware started rejecting the use of the unsupported key block. The change has been reverted to avoid breaking users that only update their firmware. Nonetheless, fix the issue by using the correct key block. Fixes: 07ff135958dd ("mlxsw: Introduce flex key elements for Spectrum-4") Signed-off-by: Ido Schimmel Reviewed-by: Petr Machata Signed-off-by: Petr Machata Link: https://patch.msgid.link/35e72c97bdd3bc414fb8e4d747e5fb5d26c29658.1733237440.git.petrm@nvidia.com Signed-off-by: Jakub Kicinski commit 910c4788d6155b2202ec88273376cd7ecdc24f0a Author: Kory Maincent Date: Mon Dec 2 16:33:57 2024 +0100 ethtool: Fix wrong mod state in case of verbose and no_mask bitset A bitset without mask in a _SET request means we want exactly the bits in the bitset to be set. This works correctly for compact format but when verbose format is parsed, ethnl_update_bitset32_verbose() only sets the bits present in the request bitset but does not clear the rest. The commit 6699170376ab ("ethtool: fix application of verbose no_mask bitset") fixes this issue by clearing the whole target bitmap before we start iterating. The solution proposed brought an issue with the behavior of the mod variable. As the bitset is always cleared the old value will always differ to the new value. Fix it by adding a new function to compare bitmaps and a temporary variable which save the state of the old bitmap. Fixes: 6699170376ab ("ethtool: fix application of verbose no_mask bitset") Signed-off-by: Kory Maincent Link: https://patch.msgid.link/20241202153358.1142095-1-kory.maincent@bootlin.com Signed-off-by: Jakub Kicinski commit 50b94204446e1215af081fd713d7d566d9258e35 Author: Paolo Abeni Date: Tue Dec 3 10:48:15 2024 +0100 ipmr: tune the ipmr_can_free_table() checks. Eric reported a syzkaller-triggered splat caused by recent ipmr changes: WARNING: CPU: 2 PID: 6041 at net/ipv6/ip6mr.c:419 ip6mr_free_table+0xbd/0x120 net/ipv6/ip6mr.c:419 Modules linked in: CPU: 2 UID: 0 PID: 6041 Comm: syz-executor183 Not tainted 6.12.0-syzkaller-10681-g65ae975e97d5 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:ip6mr_free_table+0xbd/0x120 net/ipv6/ip6mr.c:419 Code: 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 58 49 83 bc 24 c0 0e 00 00 00 74 09 e8 44 ef a9 f7 90 <0f> 0b 90 e8 3b ef a9 f7 48 8d 7b 38 e8 12 a3 96 f7 48 89 df be 0f RSP: 0018:ffffc90004267bd8 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff88803c710000 RCX: ffffffff89e4d844 RDX: ffff88803c52c880 RSI: ffffffff89e4d87c RDI: ffff88803c578ec0 RBP: 0000000000000001 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000001 R12: ffff88803c578000 R13: ffff88803c710000 R14: ffff88803c710008 R15: dead000000000100 FS: 00007f7a855ee6c0(0000) GS:ffff88806a800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f7a85689938 CR3: 000000003c492000 CR4: 0000000000352ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ip6mr_rules_exit+0x176/0x2d0 net/ipv6/ip6mr.c:283 ip6mr_net_exit_batch+0x53/0xa0 net/ipv6/ip6mr.c:1388 ops_exit_list+0x128/0x180 net/core/net_namespace.c:177 setup_net+0x4fe/0x860 net/core/net_namespace.c:394 copy_net_ns+0x2b4/0x6b0 net/core/net_namespace.c:500 create_new_namespaces+0x3ea/0xad0 kernel/nsproxy.c:110 unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:228 ksys_unshare+0x45d/0xa40 kernel/fork.c:3334 __do_sys_unshare kernel/fork.c:3405 [inline] __se_sys_unshare kernel/fork.c:3403 [inline] __x64_sys_unshare+0x31/0x40 kernel/fork.c:3403 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f7a856332d9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f7a855ee238 EFLAGS: 00000246 ORIG_RAX: 0000000000000110 RAX: ffffffffffffffda RBX: 00007f7a856bd308 RCX: 00007f7a856332d9 RDX: 00007f7a8560f8c6 RSI: 0000000000000000 RDI: 0000000062040200 RBP: 00007f7a856bd300 R08: 00007fff932160a7 R09: 00007f7a855ee6c0 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f7a856bd30c R13: 0000000000000000 R14: 00007fff93215fc0 R15: 00007fff932160a8 The root cause is a network namespace creation failing after successful initialization of the ipmr subsystem. Such a case is not currently matched by the ipmr_can_free_table() helper. New namespaces are zeroed on allocation and inserted into net ns list only after successful creation; when deleting an ipmr table, the list next pointer can be NULL only on netns initialization failure. Update the ipmr_can_free_table() checks leveraging such condition. Reported-by: Eric Dumazet Reported-by: syzbot+6e8cb445d4b43d006e0c@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=6e8cb445d4b43d006e0c Fixes: 11b6e701bce9 ("ipmr: add debug check for mr table cleanup") Signed-off-by: Paolo Abeni Reviewed-by: Eric Dumazet Link: https://patch.msgid.link/8bde975e21bbca9d9c27e36209b2dd4f1d7a3f00.1733212078.git.pabeni@redhat.com Signed-off-by: Jakub Kicinski commit 06a025448b572c3bd78dd23a31488a0907cd9512 Author: Norbert Szetei Date: Sat Nov 30 16:56:14 2024 +0100 ksmbd: align aux_payload_buf to avoid OOB reads in cryptographic operations The aux_payload_buf allocation in SMB2 read is performed without ensuring alignment, which could result in out-of-bounds (OOB) reads during cryptographic operations such as crypto_xor or ghash. This patch aligns the allocation of aux_payload_buf to prevent these issues. (Note that to add this patch to stable would require modifications due to recent patch "ksmbd: use __GFP_RETRY_MAYFAIL") Signed-off-by: Norbert Szetei Acked-by: Namjae Jeon Signed-off-by: Steve French commit 8cb0bc5436351de8a11eef13b7367d64cc0d6c68 Author: Ralph Boehme Date: Mon Nov 25 16:19:56 2024 +0100 fs/smb/client: cifs_prime_dcache() for SMB3 POSIX reparse points Spares an extra revalidation request Cc: stable@vger.kernel.org Acked-by: Paulo Alcantara (Red Hat) Signed-off-by: Ralph Boehme Signed-off-by: Steve French commit 6a832bc8bbb22350f7ffe6ecb2d36f261bb96023 Author: Ralph Boehme Date: Fri Nov 15 19:21:04 2024 +0100 fs/smb/client: Implement new SMB3 POSIX type Fixes special files against current Samba. On the Samba server: insgesamt 20 131958 brw-r--r-- 1 root root 0, 0 15. Nov 12:04 blockdev 131965 crw-r--r-- 1 root root 1, 1 15. Nov 12:04 chardev 131966 prw-r--r-- 1 samba samba 0 15. Nov 12:05 fifo 131953 -rw-rwxrw-+ 2 samba samba 4 18. Nov 11:37 file 131953 -rw-rwxrw-+ 2 samba samba 4 18. Nov 11:37 hardlink 131957 lrwxrwxrwx 1 samba samba 4 15. Nov 12:03 symlink -> file 131954 -rwxrwxr-x+ 1 samba samba 0 18. Nov 15:28 symlinkoversmb Before: ls: cannot access '/mnt/smb3unix/posix/blockdev': No data available ls: cannot access '/mnt/smb3unix/posix/chardev': No data available ls: cannot access '/mnt/smb3unix/posix/symlinkoversmb': No data available ls: cannot access '/mnt/smb3unix/posix/fifo': No data available ls: cannot access '/mnt/smb3unix/posix/symlink': No data available total 16 ? -????????? ? ? ? ? ? blockdev ? -????????? ? ? ? ? ? chardev ? -????????? ? ? ? ? ? fifo 131953 -rw-rwxrw- 2 root samba 4 Nov 18 11:37 file 131953 -rw-rwxrw- 2 root samba 4 Nov 18 11:37 hardlink ? -????????? ? ? ? ? ? symlink ? -????????? ? ? ? ? ? symlinkoversmb After: insgesamt 21 131958 brw-r--r-- 1 root root 0, 0 15. Nov 12:04 blockdev 131965 crw-r--r-- 1 root root 1, 1 15. Nov 12:04 chardev 131966 prw-r--r-- 1 root samba 0 15. Nov 12:05 fifo 131953 -rw-rwxrw- 2 root samba 4 18. Nov 11:37 file 131953 -rw-rwxrw- 2 root samba 4 18. Nov 11:37 hardlink 131957 lrwxrwxrwx 1 root samba 4 15. Nov 12:03 symlink -> file 131954 lrwxrwxr-x 1 root samba 23 18. Nov 15:28 symlinkoversmb -> mnt/smb3unix/posix/file Cc: stable@vger.kernel.org Acked-by: Paulo Alcantara (Red Hat) Signed-off-by: Ralph Boehme Signed-off-by: Steve French commit 968121f0a649ee2ff5ac7b29aa4d4f6b0798ea9e Author: Namhyung Kim Date: Mon Dec 2 19:53:49 2024 -0800 perf tools: Fix build error on generated/fs_at_flags_array.c It should only have generic flags in the array but the recent header sync brought a new flags to fcntl.h and caused a build error. Let's update the shell script to exclude flags specific to name_to_handle_at(). CC trace/beauty/fs_at_flags.o In file included from trace/beauty/fs_at_flags.c:21: tools/perf/trace/beauty/generated/fs_at_flags_array.c:13:30: error: initialized field overwritten [-Werror=override-init] 13 | [ilog2(0x002) + 1] = "HANDLE_CONNECTABLE", | ^~~~~~~~~~~~~~~~~~~~ tools/perf/trace/beauty/generated/fs_at_flags_array.c:13:30: note: (near initialization for ‘fs_at_flags[2]’) Reviewed-by: James Clark Link: https://lore.kernel.org/r/20241203035349.1901262-12-namhyung@kernel.org Signed-off-by: Namhyung Kim commit c994ac74cc3683b1cca45bc425ea1c625da109f3 Author: Namhyung Kim Date: Mon Dec 2 19:53:48 2024 -0800 tools headers: Sync uapi/linux/prctl.h with the kernel sources To pick up the changes in this cset: 09d6775f503b393d riscv: Add support for userspace pointer masking 91e102e79740ae43 prctl: arch-agnostic prctl for shadow stack This addresses these perf build warnings: Warning: Kernel ABI header differences: diff -u tools/perf/trace/beauty/include/uapi/linux/prctl.h include/uapi/linux/prctl.h Please see tools/include/uapi/README for further details. Reviewed-by: James Clark Cc: Mark Brown Cc: Palmer Dabbelt Link: https://lore.kernel.org/r/20241203035349.1901262-11-namhyung@kernel.org Signed-off-by: Namhyung Kim commit 02116fcfd827fe17dbdb543f111cdd9b8b32f18e Author: Namhyung Kim Date: Mon Dec 2 19:53:47 2024 -0800 tools headers: Sync uapi/linux/mount.h with the kernel sources To pick up the changes in this cset: aefff51e1c2986e1 statmount: retrieve security mount options 2f4d4503e9e5ab76 statmount: add flag to retrieve unescaped options 44010543fc8bedad fs: add the ability for statmount() to report the sb_source ed9d95f691c29748 fs: add the ability for statmount() to report the fs_subtype This addresses these perf build warnings: Warning: Kernel ABI header differences: diff -u tools/perf/trace/beauty/include/uapi/linux/mount.h include/uapi/linux/mount.h Please see tools/include/uapi/README for further details. Reviewed-by: James Clark Cc: Christian Brauner Cc: Al Viro Cc: linux-fsdevel@vger.kernel.org Link: https://lore.kernel.org/r/20241203035349.1901262-10-namhyung@kernel.org Signed-off-by: Namhyung Kim commit 6d442c69cbe0f8ab47177b8af125e6c88b9e8cd0 Author: Namhyung Kim Date: Mon Dec 2 19:53:46 2024 -0800 tools headers: Sync uapi/linux/fcntl.h with the kernel sources To pick up the changes in this cset: c374196b2b9f4b80 ("fs: name_to_handle_at() support for "explicit connectable" file handles") 95f567f81e43a1bc ("fs: Simplify getattr interface function checking AT_GETATTR_NOSEC flag") This addresses these perf build warnings: Warning: Kernel ABI header differences: diff -u tools/perf/trace/beauty/include/uapi/linux/fcntl.h include/uapi/linux/fcntl.h Please see tools/include/uapi/README for further details. Reviewed-by: James Clark Cc: Jeff Layton Cc: Chuck Lever Cc: Alexander Aring Cc: Christian Brauner Cc: Al Viro Cc: linux-fsdevel@vger.kernel.org Link: https://lore.kernel.org/r/20241203035349.1901262-9-namhyung@kernel.org Signed-off-by: Namhyung Kim commit 3cef7d8b12811dfd737e77e69d9ef72bc55365cf Author: Namhyung Kim Date: Mon Dec 2 19:53:45 2024 -0800 tools headers: Sync uapi/asm-generic/mman.h with the kernel sources To pick up the changes in this cset: 3630e82ab6bd2642 ("mman: Add map_shadow_stack() flags") This addresses these perf build warnings: Warning: Kernel ABI header differences: diff -u tools/include/uapi/asm-generic/mman.h include/uapi/asm-generic/mman.h Please see tools/include/uapi/README for further details. Reviewed-by: James Clark Cc: Arnd Bergmann Cc: Mark Brown Cc: Catalin Marinas Cc: linux-arch@vger.kernel.org Link: https://lore.kernel.org/r/20241203035349.1901262-8-namhyung@kernel.org Signed-off-by: Namhyung Kim commit 81b483f72289257f5c6f4974150d41e8b499e1e9 Author: Namhyung Kim Date: Mon Dec 2 19:53:44 2024 -0800 tools headers: Sync *xattrat syscall changes with the kernel sources To pick up the changes in this cset: 6140be90ec70c39f ("fs/xattr: add *at family syscalls") This addresses these perf build warnings: Warning: Kernel ABI header differences: diff -u tools/include/uapi/asm-generic/unistd.h include/uapi/asm-generic/unistd.h diff -u tools/perf/arch/x86/entry/syscalls/syscall_32.tbl arch/x86/entry/syscalls/syscall_32.tbl diff -u tools/perf/arch/x86/entry/syscalls/syscall_64.tbl arch/x86/entry/syscalls/syscall_64.tbl diff -u tools/perf/arch/powerpc/entry/syscalls/syscall.tbl arch/powerpc/kernel/syscalls/syscall.tbl diff -u tools/perf/arch/s390/entry/syscalls/syscall.tbl arch/s390/kernel/syscalls/syscall.tbl diff -u tools/perf/arch/mips/entry/syscalls/syscall_n64.tbl arch/mips/kernel/syscalls/syscall_n64.tbl The arm64 changes are not included as it requires more changes in the tools. It'll be worked for the later cycle. Please see tools/include/uapi/README for further details. Reviewed-by: James Clark Cc: Arnd Bergmann Cc: Christian Brauner CC: x86@kernel.org CC: linux-mips@vger.kernel.org CC: linuxppc-dev@lists.ozlabs.org CC: linux-s390@vger.kernel.org Link: https://lore.kernel.org/r/20241203035349.1901262-7-namhyung@kernel.org Signed-off-by: Namhyung Kim commit 76e231997926c8f5707ed5f9c1f91377efe9e484 Author: Namhyung Kim Date: Mon Dec 2 19:53:43 2024 -0800 tools headers: Sync arm64 kvm header with the kernel sources To pick up the changes in this cset: 97413cea1c48cc05 ("KVM: arm64: Add PSCI v1.3 SYSTEM_OFF2 function for hibernation") This addresses these perf build warnings: Warning: Kernel ABI header differences: diff -u tools/arch/arm64/include/uapi/asm/kvm.h arch/arm64/include/uapi/asm/kvm.h Please see tools/include/uapi/README for further details. Reviewed-by: James Clark Cc: Marc Zyngier Cc: Oliver Upton Cc: kvmarm@lists.linux.dev Link: https://lore.kernel.org/r/20241203035349.1901262-6-namhyung@kernel.org Signed-off-by: Namhyung Kim commit e120829dbf927c8b93cd5e06acfec0332cc82e02 Author: Namhyung Kim Date: Mon Dec 2 19:53:42 2024 -0800 tools headers: Sync x86 kvm and cpufeature headers with the kernel To pick up the changes in this cset: a0423af92cb31e6f ("x86: KVM: Advertise CPUIDs for new instructions in Clearwater Forest") 0c487010cb4f79e4 ("x86/cpufeatures: Add X86_FEATURE_AMD_WORKLOAD_CLASS feature bit") 1ad4667066714369 ("x86/cpufeatures: Add X86_FEATURE_AMD_HETEROGENEOUS_CORES") 104edc6efca62838 ("x86/cpufeatures: Rename X86_FEATURE_FAST_CPPC to have AMD prefix") 3ea87dfa31a7b0bb ("x86/cpufeatures: Add a IBPB_NO_RET BUG flag") ff898623af2ed564 ("x86/cpufeatures: Define X86_FEATURE_AMD_IBPB_RET") dcb988cdac85bad1 ("KVM: x86: Quirk initialization of feature MSRs to KVM's max configuration") This addresses these perf build warnings: Warning: Kernel ABI header differences: diff -u tools/arch/x86/include/asm/cpufeatures.h arch/x86/include/asm/cpufeatures.h diff -u tools/arch/x86/include/uapi/asm/kvm.h arch/x86/include/uapi/asm/kvm.h Please see tools/include/uapi/README for further details. Reviewed-by: James Clark Cc: Sean Christopherson Cc: Paolo Bonzini Cc: Thomas Gleixner Cc: Borislav Petkov Cc: Dave Hansen Cc: H. Peter Anvin Cc: x86@kernel.org Cc: kvm@vger.kernel.org Link: https://lore.kernel.org/r/20241203035349.1901262-5-namhyung@kernel.org Signed-off-by: Namhyung Kim commit e2064b7c5d82651a418b86078597e51dea3f3123 Author: Namhyung Kim Date: Mon Dec 2 19:53:41 2024 -0800 tools headers: Sync uapi/linux/kvm.h with the kernel sources To pick up the changes in this cset: e785dfacf7e7fe94 ("LoongArch: KVM: Add PCHPIC device support") 2e8b9df82631e714 ("LoongArch: KVM: Add EIOINTC device support") c532de5a67a70f85 ("LoongArch: KVM: Add IPI device support") This addresses these perf build warnings: Warning: Kernel ABI header differences: diff -u tools/include/uapi/linux/kvm.h include/uapi/linux/kvm.h Please see tools/include/uapi/README for further details. Reviewed-by: James Clark Cc: Sean Christopherson Cc: Paolo Bonzini Cc: Tianrui Zhao Cc: Bibo Mao Cc: Huacai Chen Cc: kvm@vger.kernel.org Cc: loongarch@lists.linux.dev Link: https://lore.kernel.org/r/20241203035349.1901262-4-namhyung@kernel.org Signed-off-by: Namhyung Kim commit 5229df8fb6796ff4aba39b16cf617028fa5d94b7 Author: Namhyung Kim Date: Mon Dec 2 19:53:40 2024 -0800 tools headers: Sync uapi/linux/perf_event.h with the kernel sources To pick up the changes in this cset: 18d92bb57c39504d ("perf/core: Add aux_pause, aux_resume, aux_start_paused") This addresses these perf build warnings: Warning: Kernel ABI header differences: diff -u tools/include/uapi/linux/perf_event.h include/uapi/linux/perf_event.h Please see tools/include/uapi/README for further details. Reviewed-by: James Clark Link: https://lore.kernel.org/r/20241203035349.1901262-3-namhyung@kernel.org Signed-off-by: Namhyung Kim commit 5fc3a088ee2de55a6b39b7ee18484e01f377ab8a Author: Namhyung Kim Date: Mon Dec 2 19:53:39 2024 -0800 tools headers: Sync uapi/drm/drm.h with the kernel sources To pick up the changes in this cset: 56c594d8df64e726 ("drm: add DRM_SET_CLIENT_NAME ioctl") This addresses these perf build warnings: Warning: Kernel ABI header differences: diff -u tools/include/uapi/drm/drm.h include/uapi/drm/drm.h Please see tools/include/uapi/README for further details. Reviewed-by: James Clark Cc: David Airlie Cc: Simona Vetter Cc: Maarten Lankhorst Cc: Maxime Ripard Cc: Thomas Zimmermann Cc: dri-devel@lists.freedesktop.org Link: https://lore.kernel.org/r/20241203035349.1901262-2-namhyung@kernel.org Signed-off-by: Namhyung Kim commit 265e98f72bac6c41a4492d3e30a8e5fd22fe0779 Author: Suraj Sonawane Date: Mon Nov 18 21:56:09 2024 +0530 acpi: nfit: vmalloc-out-of-bounds Read in acpi_nfit_ctl Fix an issue detected by syzbot with KASAN: BUG: KASAN: vmalloc-out-of-bounds in cmd_to_func drivers/acpi/nfit/ core.c:416 [inline] BUG: KASAN: vmalloc-out-of-bounds in acpi_nfit_ctl+0x20e8/0x24a0 drivers/acpi/nfit/core.c:459 The issue occurs in cmd_to_func when the call_pkg->nd_reserved2 array is accessed without verifying that call_pkg points to a buffer that is appropriately sized as a struct nd_cmd_pkg. This can lead to out-of-bounds access and undefined behavior if the buffer does not have sufficient space. To address this, a check was added in acpi_nfit_ctl() to ensure that buf is not NULL and that buf_len is less than sizeof(*call_pkg) before accessing it. This ensures safe access to the members of call_pkg, including the nd_reserved2 array. Reported-by: syzbot+7534f060ebda6b8b51b3@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=7534f060ebda6b8b51b3 Tested-by: syzbot+7534f060ebda6b8b51b3@syzkaller.appspotmail.com Fixes: ebe9f6f19d80 ("acpi/nfit: Fix bus command validation") Signed-off-by: Suraj Sonawane Reviewed-by: Alison Schofield Reviewed-by: Dave Jiang Link: https://patch.msgid.link/20241118162609.29063-1-surajsonawane0215@gmail.com Signed-off-by: Ira Weiny commit 7ffc7481153bbabf3332c6a19b289730c7e1edf5 Author: Pablo Neira Ayuso Date: Mon Dec 2 00:04:49 2024 +0100 netfilter: nft_set_hash: skip duplicated elements pending gc run rhashtable does not provide stable walk, duplicated elements are possible in case of resizing. I considered that checking for errors when calling rhashtable_walk_next() was sufficient to detect the resizing. However, rhashtable_walk_next() returns -EAGAIN only at the end of the iteration, which is too late, because a gc work containing duplicated elements could have been already scheduled for removal to the worker. Add a u32 gc worker sequence number per set, bump it on every workqueue run. Annotate gc worker sequence number on the expired element. Use it to skip those already seen in this gc workqueue run. Note that this new field is never reset in case gc transaction fails, so next gc worker run on the expired element overrides it. Wraparound of gc worker sequence number should not be an issue with stale gc worker sequence number in the element, that would just postpone the element removal in one gc run. Note that it is not possible to use flags to annotate that element is pending gc run to detect duplicates, given that gc transaction can be invalidated in case of update from the control plane, therefore, not allowing to clear such flag. On x86_64, pahole reports no changes in the size of nft_rhash_elem. Fixes: f6c383b8c31a ("netfilter: nf_tables: adapt set backend to use GC transaction API") Reported-by: Laurent Fasnacht Tested-by: Laurent Fasnacht Signed-off-by: Pablo Neira Ayuso commit c9a4b55431e5220347881e148725bed69c84e037 Author: Len Brown Date: Tue Nov 12 21:07:00 2024 -0500 x86/cpu: Add Lunar Lake to list of CPUs with a broken MONITOR implementation Under some conditions, MONITOR wakeups on Lunar Lake processors can be lost, resulting in significant user-visible delays. Add Lunar Lake to X86_BUG_MONITOR so that wake_up_idle_cpu() always sends an IPI, avoiding this potential delay. Reported originally here: https://bugzilla.kernel.org/show_bug.cgi?id=219364 [ dhansen: tweak subject ] Signed-off-by: Len Brown Signed-off-by: Dave Hansen Reviewed-by: Rafael J. Wysocki Cc:stable@vger.kernel.org Link: https://lore.kernel.org/all/a4aa8842a3c3bfdb7fe9807710eef159cbf0e705.1731463305.git.len.brown%40intel.com commit f24d192985cbd6782850fdbb3839039da2f0ee76 Author: guanjing Date: Sun Nov 17 10:51:29 2024 +0800 sched_ext: fix application of sizeof to pointer sizeof when applied to a pointer typed expression gives the size of the pointer. The proper fix in this particular case is to code sizeof(*cpuset) instead of sizeof(cpuset). This issue was detected with the help of Coccinelle. Fixes: 22a920209ab6 ("sched_ext: Implement tickless support") Signed-off-by: guanjing Acked-by: Andrea Righi Signed-off-by: Tejun Heo commit ef7009decc30eb2515a64253791d61b72229c119 Author: Ihor Solodrai Date: Thu Nov 21 21:40:17 2024 +0000 selftests/sched_ext: fix build after renames in sched_ext API The selftests are falining to build on current tip of bpf-next and sched_ext [1]. This has broken BPF CI [2] after merge from upstream. Use appropriate function names in the selftests according to the recent changes in the sched_ext API [3]. [1] https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git/commit/?id=fc39fb56917bb3cb53e99560ca3612a84456ada2 [2] https://github.com/kernel-patches/bpf/actions/runs/11959327258/job/33340923745 [3] https://lore.kernel.org/all/20241109194853.580310-1-tj@kernel.org/ Signed-off-by: Ihor Solodrai Acked-by: Andrea Righi Acked-by: David Vernet Signed-off-by: Tejun Heo commit ca4b2c4607433033e9c4f4659f809af4261d8992 Author: Ralph Boehme Date: Fri Nov 15 13:15:50 2024 +0100 fs/smb/client: avoid querying SMB2_OP_QUERY_WSL_EA for SMB3 POSIX Avoid extra roundtrip Cc: stable@vger.kernel.org Acked-by: Paulo Alcantara (Red Hat) Signed-off-by: Ralph Boehme Signed-off-by: Steve French commit 5076001689e4f8b6b178c40d268ed2ecd2eac29d Merge: 0769a8f69ebc46 7f71507851fc77 Author: Linus Torvalds Date: Wed Dec 4 10:31:37 2024 -0800 Merge tag 'loongarch-fixes-6.13-1' of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson Pull LoongArch fixes from Huacai Chen: "Fix bugs about EFI screen info, hugetlb pte clear and Lockdep-RCU splat in KVM, plus some trival cleanups" * tag 'loongarch-fixes-6.13-1' of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson: LoongArch: KVM: Protect kvm_io_bus_{read,write}() with SRCU LoongArch: KVM: Protect kvm_check_requests() with SRCU LoongArch: BPF: Adjust the parameter of emit_jirl() LoongArch: Add architecture specific huge_pte_clear() LoongArch/irq: Use seq_put_decimal_ull_width() for decimal values LoongArch: Fix reserving screen info memory for above-4G firmware commit 0769a8f69ebc4603d5c068112b7caf2f2187a1e6 Merge: feffde684ac29a e9fba20c29e27d Author: Linus Torvalds Date: Wed Dec 4 10:28:30 2024 -0800 Merge tag 'platform-drivers-x86-v6.13-2' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86 Pull x86 platform driver fixes from Ilpo Järvinen: - asus-nb-wmi: Silence unknown event warning when charger is plugged in - asus-wmi: Handle return code variations during thermal policy writing graciously - samsung-laptop: Correct module description * tag 'platform-drivers-x86-v6.13-2' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86: platform/x86: asus-nb-wmi: Ignore unknown event 0xCF platform/x86: asus-wmi: Ignore return value when writing thermal policy platform/x86: samsung-laptop: Match MODULE_DESCRIPTION() to functionality commit 6918141d815acef056a0d10e966a027d869a922d Author: John Garry Date: Mon Dec 2 13:00:45 2024 +0000 scsi: scsi_debug: Fix hrtimer support for ndelay Since commit 771f712ba5b0 ("scsi: scsi_debug: Fix cmd duration calculation"), ns_from_boot value is only evaluated in schedule_resp() for polled requests. However, ns_from_boot is also required for hrtimer support for when ndelay is less than INCLUSIVE_TIMING_MAX_NS, so fix up the logic to decide when to evaluate ns_from_boot. Fixes: 771f712ba5b0 ("scsi: scsi_debug: Fix cmd duration calculation") Signed-off-by: John Garry Link: https://lore.kernel.org/r/20241202130045.2335194-1-john.g.garry@oracle.com Signed-off-by: Martin K. Petersen commit b1aee7f034615b6824d2c70ddb37ef9fc23493b7 Author: Cathy Avery Date: Wed Nov 27 13:13:24 2024 -0500 scsi: storvsc: Do not flag MAINTENANCE_IN return of SRB_STATUS_DATA_OVERRUN as an error This partially reverts commit 812fe6420a6e ("scsi: storvsc: Handle additional SRB status values"). HyperV does not support MAINTENANCE_IN resulting in FC passthrough returning the SRB_STATUS_DATA_OVERRUN value. Now that SRB_STATUS_DATA_OVERRUN is treated as an error, multipath ALUA paths go into a faulty state as multipath ALUA submits RTPG commands via MAINTENANCE_IN. [ 3.215560] hv_storvsc 1d69d403-9692-4460-89f9-a8cbcc0f94f3: tag#230 cmd 0xa3 status: scsi 0x0 srb 0x12 hv 0xc0000001 [ 3.215572] scsi 1:0:0:32: alua: rtpg failed, result 458752 Make MAINTENANCE_IN return success to avoid the error path as is currently done with INQUIRY and MODE_SENSE. Suggested-by: Michael Kelley Signed-off-by: Cathy Avery Link: https://lore.kernel.org/r/20241127181324.3318443-1-cavery@redhat.com Reviewed-by: Michael Kelley Reviewed-by: Ewan D. Milne Signed-off-by: Martin K. Petersen commit 7f45ed5f0cd5ccbbec79adc6c48a67d6a85fba56 Author: Peter Wang Date: Fri Nov 22 10:49:43 2024 +0800 scsi: ufs: core: Add missing post notify for power mode change When the power mode change is successful but the power mode hasn't actually changed, the post notification was missed. Similar to the approach with hibernate/clock scale/hce enable, having pre/post notifications in the same function will make it easier to maintain. Additionally, supplement the description of power parameters for the pwr_change_notify callback. Fixes: 7eb584db73be ("ufs: refactor configuring power mode") Cc: stable@vger.kernel.org #6.11.x Signed-off-by: Peter Wang Link: https://lore.kernel.org/r/20241122024943.30589-1-peter.wang@mediatek.com Reviewed-by: Bart Van Assche Signed-off-by: Martin K. Petersen commit f10593ad9bc36921f623361c9e3dd96bd52d85ee Author: Suraj Sonawane Date: Wed Nov 20 18:29:44 2024 +0530 scsi: sg: Fix slab-use-after-free read in sg_release() Fix a use-after-free bug in sg_release(), detected by syzbot with KASAN: BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5838 __mutex_unlock_slowpath+0xe2/0x750 kernel/locking/mutex.c:912 sg_release+0x1f4/0x2e0 drivers/scsi/sg.c:407 In sg_release(), the function kref_put(&sfp->f_ref, sg_remove_sfp) is called before releasing the open_rel_lock mutex. The kref_put() call may decrement the reference count of sfp to zero, triggering its cleanup through sg_remove_sfp(). This cleanup includes scheduling deferred work via sg_remove_sfp_usercontext(), which ultimately frees sfp. After kref_put(), sg_release() continues to unlock open_rel_lock and may reference sfp or sdp. If sfp has already been freed, this results in a slab-use-after-free error. Move the kref_put(&sfp->f_ref, sg_remove_sfp) call after unlocking the open_rel_lock mutex. This ensures: - No references to sfp or sdp occur after the reference count is decremented. - Cleanup functions such as sg_remove_sfp() and sg_remove_sfp_usercontext() can safely execute without impacting the mutex handling in sg_release(). The fix has been tested and validated by syzbot. This patch closes the bug reported at the following syzkaller link and ensures proper sequencing of resource cleanup and mutex operations, eliminating the risk of use-after-free errors in sg_release(). Reported-by: syzbot+7efb5850a17ba6ce098b@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=7efb5850a17ba6ce098b Tested-by: syzbot+7efb5850a17ba6ce098b@syzkaller.appspotmail.com Fixes: cc833acbee9d ("sg: O_EXCL and other lock handling") Signed-off-by: Suraj Sonawane Link: https://lore.kernel.org/r/20241120125944.88095-1-surajsonawane0215@gmail.com Reviewed-by: Bart Van Assche Signed-off-by: Martin K. Petersen commit eb48e9fc0028bed94a40a9352d065909f19e333c Author: Gwendal Grignou Date: Tue Nov 19 22:25:22 2024 -0800 scsi: ufs: core: sysfs: Prevent div by zero Prevent a division by 0 when monitoring is not enabled. Fixes: 1d8613a23f3c ("scsi: ufs: core: Introduce HBA performance monitor sysfs nodes") Cc: stable@vger.kernel.org Signed-off-by: Gwendal Grignou Link: https://lore.kernel.org/r/20241120062522.917157-1-gwendal@chromium.org Reviewed-by: Can Guo Signed-off-by: Martin K. Petersen commit 35002a8ec557f679e414dae9dec9d08c66f2791a Author: Nilesh Javali Date: Fri Nov 15 18:33:13 2024 +0530 scsi: qla2xxx: Update version to 10.02.09.400-k Signed-off-by: Nilesh Javali Link: https://lore.kernel.org/r/20241115130313.46826-8-njavali@marvell.com Reviewed-by: Himanshu Madhani Signed-off-by: Martin K. Petersen commit e4e268f898c8a08f0a1188677e15eadbc06e98f6 Author: Anil Gurumurthy Date: Fri Nov 15 18:33:12 2024 +0530 scsi: qla2xxx: Supported speed displayed incorrectly for VPorts The fc_function_template for vports was missing the .show_host_supported_speeds. The base port had the same. Add .show_host_supported_speeds to the vport template as well. Cc: stable@vger.kernel.org Fixes: 2c3dfe3f6ad8 ("[SCSI] qla2xxx: add support for NPIV") Signed-off-by: Anil Gurumurthy Signed-off-by: Nilesh Javali Link: https://lore.kernel.org/r/20241115130313.46826-7-njavali@marvell.com Reviewed-by: Himanshu Madhani Signed-off-by: Martin K. Petersen commit 4812b7796c144f63a1094f79a5eb8fbdad8d7ebc Author: Quinn Tran Date: Fri Nov 15 18:33:11 2024 +0530 scsi: qla2xxx: Fix NVMe and NPIV connect issue NVMe controller fails to send connect command due to failure to locate hw context buffer for NVMe queue 0 (blk_mq_hw_ctx, hctx_idx=0). The cause of the issue is NPIV host did not initialize the vha->irq_offset field. This field is given to blk-mq (blk_mq_pci_map_queues) to help locate the beginning of IO Queues which in turn help locate NVMe queue 0. Initialize this field to allow NVMe to work properly with NPIV host. kernel: nvme nvme5: Connect command failed, errno: -18 kernel: nvme nvme5: qid 0: secure concatenation is not supported kernel: nvme nvme5: NVME-FC{5}: create_assoc failed, assoc_id 2e9100 ret 401 kernel: nvme nvme5: NVME-FC{5}: reset: Reconnect attempt failed (401) kernel: nvme nvme5: NVME-FC{5}: Reconnect attempt in 2 seconds Cc: stable@vger.kernel.org Fixes: f0783d43dde4 ("scsi: qla2xxx: Use correct number of vectors for online CPUs") Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Link: https://lore.kernel.org/r/20241115130313.46826-6-njavali@marvell.com Reviewed-by: Himanshu Madhani Signed-off-by: Martin K. Petersen commit 833c70e212fc40d3e98da941796f4c7bcaecdf58 Author: Saurav Kashyap Date: Fri Nov 15 18:33:10 2024 +0530 scsi: qla2xxx: Remove check req_sg_cnt should be equal to rsp_sg_cnt Firmware supports multiple sg_cnt for request and response for CT commands, so remove the redundant check. A check is there where sg_cnt for request and response should be same. This is not required as driver and FW have code to handle multiple and different sg_cnt on request and response. Cc: stable@vger.kernel.org Signed-off-by: Saurav Kashyap Signed-off-by: Nilesh Javali Link: https://lore.kernel.org/r/20241115130313.46826-5-njavali@marvell.com Reviewed-by: Himanshu Madhani Signed-off-by: Martin K. Petersen commit b4e12f5728ff963ca5590c48b85a20d076bf517d Author: Chunguang.xu Date: Tue Dec 3 11:34:43 2024 +0800 nvme-tcp: simplify nvme_tcp_teardown_io_queues() As nvme_tcp_teardown_io_queues() is the only one caller of nvme_tcp_destroy_admin_queue(), so we can merge it into nvme_tcp_teardown_io_queues() to simplify the code. Signed-off-by: Chunguang.xu Reviewed-by: Christoph Hellwig Reviewed-by: Hannes Reinecke Signed-off-by: Keith Busch commit fdc5664c690f6e0ee235dbc6b1f17ec59aca55bd Author: Chunguang.xu Date: Tue Dec 3 11:34:42 2024 +0800 nvme-tcp: no need to quiesce admin_q in nvme_tcp_teardown_io_queues() As we quiesce admin_q in nvme_tcp_teardown_admin_queue(), so we should no need to quiesce it in nvme_tcp_reaardown_io_queues(), make things simple. Signed-off-by: Chunguang.xu Reviewed-by: Christoph Hellwig Reviewed-by: Hannes Reinecke Signed-off-by: Keith Busch commit 5858b687559809f05393af745cbadf06dee61295 Author: Chunguang.xu Date: Tue Dec 3 11:34:41 2024 +0800 nvme-rdma: unquiesce admin_q before destroy it Kernel will hang on destroy admin_q while we create ctrl failed, such as following calltrace: PID: 23644 TASK: ff2d52b40f439fc0 CPU: 2 COMMAND: "nvme" #0 [ff61d23de260fb78] __schedule at ffffffff8323bc15 #1 [ff61d23de260fc08] schedule at ffffffff8323c014 #2 [ff61d23de260fc28] blk_mq_freeze_queue_wait at ffffffff82a3dba1 #3 [ff61d23de260fc78] blk_freeze_queue at ffffffff82a4113a #4 [ff61d23de260fc90] blk_cleanup_queue at ffffffff82a33006 #5 [ff61d23de260fcb0] nvme_rdma_destroy_admin_queue at ffffffffc12686ce #6 [ff61d23de260fcc8] nvme_rdma_setup_ctrl at ffffffffc1268ced #7 [ff61d23de260fd28] nvme_rdma_create_ctrl at ffffffffc126919b #8 [ff61d23de260fd68] nvmf_dev_write at ffffffffc024f362 #9 [ff61d23de260fe38] vfs_write at ffffffff827d5f25 RIP: 00007fda7891d574 RSP: 00007ffe2ef06958 RFLAGS: 00000202 RAX: ffffffffffffffda RBX: 000055e8122a4d90 RCX: 00007fda7891d574 RDX: 000000000000012b RSI: 000055e8122a4d90 RDI: 0000000000000004 RBP: 00007ffe2ef079c0 R8: 000000000000012b R9: 000055e8122a4d90 R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000004 R13: 000055e8122923c0 R14: 000000000000012b R15: 00007fda78a54500 ORIG_RAX: 0000000000000001 CS: 0033 SS: 002b This due to we have quiesced admi_q before cancel requests, but forgot to unquiesce before destroy it, as a result we fail to drain the pending requests, and hang on blk_mq_freeze_queue_wait() forever. Here try to reuse nvme_rdma_teardown_admin_queue() to fix this issue and simplify the code. Fixes: 958dc1d32c80 ("nvme-rdma: add clean action for failed reconnection") Reported-by: Yingfu.zhou Signed-off-by: Chunguang.xu Signed-off-by: Yue.zhao Reviewed-by: Christoph Hellwig Reviewed-by: Hannes Reinecke Signed-off-by: Keith Busch commit fec55c29e54d3ca6fe9d7d7d9266098b4514fd34 Author: Chunguang.xu Date: Tue Dec 3 11:34:40 2024 +0800 nvme-tcp: fix the memleak while create new ctrl failed Now while we create new ctrl failed, we have not free the tagset occupied by admin_q, here try to fix it. Fixes: fd1418de10b9 ("nvme-tcp: avoid open-coding nvme_tcp_teardown_admin_queue()") Signed-off-by: Chunguang.xu Reviewed-by: Christoph Hellwig Reviewed-by: Hannes Reinecke Signed-off-by: Keith Busch commit 07c903db0a2ff84b68efa1a74a4de353ea591eb0 Author: Quinn Tran Date: Fri Nov 15 18:33:08 2024 +0530 scsi: qla2xxx: Fix use after free on unload System crash is observed with stack trace warning of use after free. There are 2 signals to tell dpc_thread to terminate (UNLOADING flag and kthread_stop). On setting the UNLOADING flag when dpc_thread happens to run at the time and sees the flag, this causes dpc_thread to exit and clean up itself. When kthread_stop is called for final cleanup, this causes use after free. Remove UNLOADING signal to terminate dpc_thread. Use the kthread_stop as the main signal to exit dpc_thread. [596663.812935] kernel BUG at mm/slub.c:294! [596663.812950] invalid opcode: 0000 [#1] SMP PTI [596663.812957] CPU: 13 PID: 1475935 Comm: rmmod Kdump: loaded Tainted: G IOE --------- - - 4.18.0-240.el8.x86_64 #1 [596663.812960] Hardware name: HP ProLiant DL380p Gen8, BIOS P70 08/20/2012 [596663.812974] RIP: 0010:__slab_free+0x17d/0x360 ... [596663.813008] Call Trace: [596663.813022] ? __dentry_kill+0x121/0x170 [596663.813030] ? _cond_resched+0x15/0x30 [596663.813034] ? _cond_resched+0x15/0x30 [596663.813039] ? wait_for_completion+0x35/0x190 [596663.813048] ? try_to_wake_up+0x63/0x540 [596663.813055] free_task+0x5a/0x60 [596663.813061] kthread_stop+0xf3/0x100 [596663.813103] qla2x00_remove_one+0x284/0x440 [qla2xxx] Cc: stable@vger.kernel.org Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Link: https://lore.kernel.org/r/20241115130313.46826-3-njavali@marvell.com Reviewed-by: Himanshu Madhani Signed-off-by: Martin K. Petersen commit c423263082ee8ccfad59ab33e3d5da5dc004c21e Author: Quinn Tran Date: Fri Nov 15 18:33:07 2024 +0530 scsi: qla2xxx: Fix abort in bsg timeout Current abort of bsg on timeout prematurely clears the outstanding_cmds[]. Abort does not allow FW to return the IOCB/SRB. In addition, bsg_job_done() is not called to return the BSG (i.e. leak). Abort the outstanding bsg/SRB and wait for the completion. The completion IOCB will wake up the bsg_timeout thread. If abort is not successful, then driver will forcibly call bsg_job_done() and free the srb. Err Inject: - qaucli -z - assign CT Passthru IOCB's NportHandle with another initiator nport handle to trigger timeout. Remote port will drop CT request. - bsg_job_done is properly called as part of cleanup kernel: qla2xxx [0000:21:00.1]-7012:7: qla2x00_process_ct : 286 : Error Inject. kernel: qla2xxx [0000:21:00.1]-7016:7: bsg rqst type: FC_BSG_HST_CT else type: 101 - loop-id=1 portid=fffffa. kernel: qla2xxx [0000:21:00.1]-70bb:7: qla24xx_bsg_timeout CMD timeout. bsg ptr ffff9971a42f0838 msgcode 80000004 vendor cmd fa010000 kernel: qla2xxx [0000:21:00.1]-507c:7: Abort command issued - hdl=4b, type=5 kernel: qla2xxx [0000:21:00.1]-5040:7: ELS-CT pass-through-ct pass-through error hdl=4b comp_status-status=0x5 error subcode 1=0x0 error subcode 2=0xaf882e80. kernel: qla2xxx [0000:21:00.1]-7009:7: qla2x00_bsg_job_done: sp hdl 4b, result=70000 bsg ptr ffff9971a42f0838 kernel: qla2xxx [0000:21:00.1]-802c:7: Aborting bsg ffff9971a42f0838 sp=ffff99760b87ba80 handle=4b rval=0 kernel: qla2xxx [0000:21:00.1]-708a:7: bsg abort success. bsg ffff9971a42f0838 sp=ffff99760b87ba80 handle=0x4b kernel: qla2xxx [0000:21:00.1]-7012:7: qla2x00_process_ct : 286 : Error Inject. kernel: qla2xxx [0000:21:00.1]-7016:7: bsg rqst type: FC_BSG_HST_CT else type: 101 - loop-id=1 portid=fffffa. kernel: qla2xxx [0000:21:00.1]-70bb:7: qla24xx_bsg_timeout CMD timeout. bsg ptr ffff9971a42f43b8 msgcode 80000004 vendor cmd fa010000 kernel: qla2xxx [0000:21:00.1]-7012:7: qla_bsg_found : 2206 : Error Inject 2. kernel: qla2xxx [0000:21:00.1]-802c:7: Aborting bsg ffff9971a42f43b8 sp=ffff99762c304440 handle=5e rval=5 kernel: qla2xxx [0000:21:00.1]-704f:7: bsg abort fail. bsg=ffff9971a42f43b8 sp=ffff99762c304440 rval=5. kernel: qla2xxx [0000:21:00.1]-7051:7: qla_bsg_found bsg_job_done : bsg ffff9971a42f43b8 result 0xfffffffa sp ffff99762c304440. Cc: stable@vger.kernel.org Fixes: c449b4198701 ("scsi: qla2xxx: Use QP lock to search for bsg") Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Link: https://lore.kernel.org/r/20241115130313.46826-2-njavali@marvell.com Reviewed-by: Himanshu Madhani Signed-off-by: Martin K. Petersen commit ad0cf42e1fc4810170a8e8e232e85d69073e4d25 Author: Christoph Hellwig Date: Wed Dec 4 09:42:40 2024 +0900 nvme-pci: don't use dma_alloc_noncontiguous with 0 merge boundary Only call into nvme_alloc_host_mem_single which uses dma_alloc_noncontiguous when there is non-null dma merge boundary. Without this we'll call into dma_alloc_noncontiguous for device using dma-direct, which can work fine as long as the preferred size is below the MAX_ORDER of the page allocator, but blows up with a warning if it is too large. Fixes: 63a5c7a4b4c4 ("nvme-pci: use dma_alloc_noncontigous if possible") Reported-by: Leon Romanovsky Reported-by: Chaitanya Kumar Borah Signed-off-by: Christoph Hellwig Reviewed-by: Leon Romanovsky Tested-by: Chaitanya Kumar Borah Signed-off-by: Keith Busch commit 0deb37c2f42a54610dd3569b01413378f430bfea Author: Ranjan Kumar Date: Mon Nov 11 01:14:05 2024 +0530 scsi: mpi3mr: Update driver version to 8.12.0.3.50 Update driver version to 8.12.0.3.50. Signed-off-by: Ranjan Kumar Link: https://lore.kernel.org/r/20241110194405.10108-6-ranjan.kumar@broadcom.com Signed-off-by: Martin K. Petersen commit fb6eb98f3965e2ee92cbcb466051d2f2acf552d1 Author: Ranjan Kumar Date: Mon Nov 11 01:14:04 2024 +0530 scsi: mpi3mr: Handling of fault code for insufficient power Before retrying initialization, check and abort if the fault code indicates insufficient power. Also mark the controller as unrecoverable instead of issuing reset in the watch dog timer if the fault code indicates insufficient power. Signed-off-by: Prayas Patel Signed-off-by: Ranjan Kumar Link: https://lore.kernel.org/r/20241110194405.10108-5-ranjan.kumar@broadcom.com Signed-off-by: Martin K. Petersen commit 0d32014f1e3e7a7adf1583c45387f26b9bb3a49d Author: Ranjan Kumar Date: Mon Nov 11 01:14:03 2024 +0530 scsi: mpi3mr: Start controller indexing from 0 Instead of displaying the controller index starting from '1' make the driver display the controller index starting from '0'. Signed-off-by: Sumit Saxena Signed-off-by: Ranjan Kumar Link: https://lore.kernel.org/r/20241110194405.10108-4-ranjan.kumar@broadcom.com Signed-off-by: Martin K. Petersen commit 711201a8b8334a397440ac0b859df0054e174bc9 Author: Ranjan Kumar Date: Mon Nov 11 01:14:02 2024 +0530 scsi: mpi3mr: Fix corrupt config pages PHY state is switched in sysfs The driver, through the SAS transport, exposes a sysfs interface to enable/disable PHYs in a controller/expander setup. When multiple PHYs are disabled and enabled in rapid succession, the persistent and current config pages related to SAS IO unit/SAS Expander pages could get corrupted. Use separate memory for each config request. Signed-off-by: Prayas Patel Signed-off-by: Ranjan Kumar Link: https://lore.kernel.org/r/20241110194405.10108-3-ranjan.kumar@broadcom.com Signed-off-by: Martin K. Petersen commit 367ac16e5ff2dcd6b7f00a8f94e6ba98875cb397 Author: Ranjan Kumar Date: Mon Nov 11 01:14:01 2024 +0530 scsi: mpi3mr: Synchronize access to ioctl data buffer The driver serializes ioctls through a mutex lock but access to the ioctl data buffer is not guarded by the mutex. This results in multiple user threads being able to write to the driver's ioctl buffer simultaneously. Protect the ioctl buffer with the ioctl mutex. Signed-off-by: Sumit Saxena Signed-off-by: Ranjan Kumar Link: https://lore.kernel.org/r/20241110194405.10108-2-ranjan.kumar@broadcom.com Signed-off-by: Martin K. Petersen commit 41d826c8a9de37af5d1710a37b55720bd5ad8709 Author: Yu-Chun Lin Date: Sun Dec 1 01:02:58 2024 +0800 nvmet: replace kmalloc + memset with kzalloc for data allocation cocci warnings: (new ones prefixed by >>) >> drivers/nvme/target/pr.c:831:8-15: WARNING: kzalloc should be used for data, instead of kmalloc/memset The pattern of using 'kmalloc' followed by 'memset' is replaced with 'kzalloc', which is functionally equivalent to 'kmalloc' + 'memset', but more efficient. 'kzalloc' automatically zeroes the allocated memory, making it a faster and more streamlined solution. Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202411301434.LEckbcWx-lkp@intel.com/ Reviewed-by: Kuan-Wei Chiu Reviewed-by: Chaitanya Kulkarni Reviewed-by: Christoph Hellwig Signed-off-by: Yu-Chun Lin Signed-off-by: Keith Busch commit 88c23a32b851e36adc4ab36f796d9b711f47e2bb Author: Maurizio Lombardi Date: Fri Nov 29 15:17:06 2024 +0100 nvme-fabrics: handle zero MAXCMD without closing the connection The NVMe specification states that MAXCMD is mandatory for NVMe-over-Fabrics implementations. However, some NVMe/TCP and NVMe/FC arrays from major vendors have buggy firmware that reports MAXCMD as zero in the Identify Controller data structure. Currently, the implementation closes the connection in such cases, completely preventing the host from connecting to the target. Fix the issue by printing a clear error message about the firmware bug and allowing the connection to proceed. It assumes that the target supports a MAXCMD value of SQSIZE + 1. If any issues arise, the user can manually adjust SQSIZE to mitigate them. Fixes: 4999568184e5 ("nvme-fabrics: check max outstanding commands") Signed-off-by: Maurizio Lombardi Reviewed-by: Laurence Oberman Reviewed-by: Christoph Hellwig Signed-off-by: Keith Busch commit e2cf913314b9543f4479788443c7e9009c6c56d8 Merge: 5a6ea7022ff4d2 19b6dbc006ecc1 Author: Alexei Starovoitov Date: Wed Dec 4 09:19:50 2024 -0800 Merge branch 'fixes-for-stack-with-allow_ptr_leaks' Kumar Kartikeya Dwivedi says: ==================== Fixes for stack with allow_ptr_leaks Two fixes for usability/correctness gaps when interacting with the stack without CAP_PERFMON (i.e. with allow_ptr_leaks = false). See the commits for details. I've verified that the tests fail when run without the fixes. Changelog: ---------- v3 -> v4 v3: https://lore.kernel.org/bpf/20241202083814.1888784-1-memxor@gmail.com * Address Andrii's comments * Fix bug paperered over by missing CAP_NET_ADMIN in verifier_mtu test * Add warning when undefined CAP_ constant is specified, and fail test * Reorder annotations to be more clear * Verify that fixes fail without patches again * Add Acked-by from Andrii v2 -> v3 v2: https://lore.kernel.org/bpf/20241127212026.3580542-1-memxor@gmail.com * Address comments from Eduard * Fix comment for mark_stack_slot_misc * We can simply always return early when stype == STACK_INVALID * Drop allow_ptr_leaks conditionals * Add Eduard's __caps_unpriv patch into the series * Convert test_verifier_mtu to use it * Move existing tests to __caps_unpriv annotation and verifier_spill_fill.c * Add Acked-by from Eduard v1 -> v2 v1: https://lore.kernel.org/bpf/20241127185135.2753982-1-memxor@gmail.com * Fix CI errors in selftest by removing dependence on BPF_ST ==================== Link: https://patch.msgid.link/20241204044757.1483141-1-memxor@gmail.com Signed-off-by: Alexei Starovoitov commit 19b6dbc006ecc1f2c8d7fa2d5afbfb7e7eba7920 Author: Kumar Kartikeya Dwivedi Date: Tue Dec 3 20:47:57 2024 -0800 selftests/bpf: Add test for narrow spill into 64-bit spilled scalar Add a test case to verify that without CAP_PERFMON, the test now succeeds instead of failing due to a verification error. Acked-by: Eduard Zingerman Signed-off-by: Kumar Kartikeya Dwivedi Link: https://lore.kernel.org/r/20241204044757.1483141-6-memxor@gmail.com Signed-off-by: Alexei Starovoitov commit f513c3635078fc184af66b1af9e4f2b2d19b7d79 Author: Kumar Kartikeya Dwivedi Date: Tue Dec 3 20:47:56 2024 -0800 selftests/bpf: Add test for reading from STACK_INVALID slots Ensure that when CAP_PERFMON is dropped, and the verifier sees allow_ptr_leaks as false, we are not permitted to read from a STACK_INVALID slot. Without the fix, the test will report unexpected success in loading. Signed-off-by: Kumar Kartikeya Dwivedi Link: https://lore.kernel.org/r/20241204044757.1483141-5-memxor@gmail.com Signed-off-by: Alexei Starovoitov commit adfdd9c68566120debc622712888c4d084539081 Author: Eduard Zingerman Date: Tue Dec 3 20:47:55 2024 -0800 selftests/bpf: Introduce __caps_unpriv annotation for tests Add a __caps_unpriv annotation so that tests requiring specific capabilities while dropping the rest can conveniently specify them during selftest declaration instead of munging with capabilities at runtime from the testing binary. While at it, let us convert test_verifier_mtu to use this new support instead. Since we do not want to include linux/capability.h, we only defined the four main capabilities BPF subsystem deals with in bpf_misc.h for use in tests. If the user passes a CAP_SYS_NICE or anything else that's not defined in the header, capability parsing code will return a warning. Also reject strtol returning 0. CAP_CHOWN = 0 but we'll never need to use it, and strtol doesn't errno on failed conversion. Fail the test in such a case. The original diff for this idea is available at link [0]. [0]: https://lore.kernel.org/bpf/a1e48f5d9ae133e19adc6adf27e19d585e06bab4.camel@gmail.com Signed-off-by: Eduard Zingerman [ Kartikeya: rebase on bpf-next, add warn to parse_caps, convert test_verifier_mtu ] Signed-off-by: Kumar Kartikeya Dwivedi Link: https://lore.kernel.org/r/20241204044757.1483141-4-memxor@gmail.com Signed-off-by: Alexei Starovoitov commit b0e66977dc072906bb76555fb1a64261d7f63d0f Author: Tao Lyu Date: Tue Dec 3 20:47:54 2024 -0800 bpf: Fix narrow scalar spill onto 64-bit spilled scalar slots When CAP_PERFMON and CAP_SYS_ADMIN (allow_ptr_leaks) are disabled, the verifier aims to reject partial overwrite on an 8-byte stack slot that contains a spilled pointer. However, in such a scenario, it rejects all partial stack overwrites as long as the targeted stack slot is a spilled register, because it does not check if the stack slot is a spilled pointer. Incomplete checks will result in the rejection of valid programs, which spill narrower scalar values onto scalar slots, as shown below. 0: R1=ctx() R10=fp0 ; asm volatile ( @ repro.bpf.c:679 0: (7a) *(u64 *)(r10 -8) = 1 ; R10=fp0 fp-8_w=1 1: (62) *(u32 *)(r10 -8) = 1 attempt to corrupt spilled pointer on stack processed 2 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0. Fix this by expanding the check to not consider spilled scalar registers when rejecting the write into the stack. Previous discussion on this patch is at link [0]. [0]: https://lore.kernel.org/bpf/20240403202409.2615469-1-tao.lyu@epfl.ch Fixes: ab125ed3ec1c ("bpf: fix check for attempt to corrupt spilled pointer") Acked-by: Eduard Zingerman Acked-by: Andrii Nakryiko Signed-off-by: Tao Lyu Signed-off-by: Kumar Kartikeya Dwivedi Link: https://lore.kernel.org/r/20241204044757.1483141-3-memxor@gmail.com Signed-off-by: Alexei Starovoitov commit 69772f509e084ec6bca12dbcdeeeff41b0103774 Author: Kumar Kartikeya Dwivedi Date: Tue Dec 3 20:47:53 2024 -0800 bpf: Don't mark STACK_INVALID as STACK_MISC in mark_stack_slot_misc Inside mark_stack_slot_misc, we should not upgrade STACK_INVALID to STACK_MISC when allow_ptr_leaks is false, since invalid contents shouldn't be read unless the program has the relevant capabilities. The relaxation only makes sense when env->allow_ptr_leaks is true. However, such conversion in privileged mode becomes unnecessary, as invalid slots can be read without being upgraded to STACK_MISC. Currently, the condition is inverted (i.e. checking for true instead of false), simply remove it to restore correct behavior. Fixes: eaf18febd6eb ("bpf: preserve STACK_ZERO slots on partial reg spills") Acked-by: Andrii Nakryiko Reported-by: Tao Lyu Signed-off-by: Kumar Kartikeya Dwivedi Link: https://lore.kernel.org/r/20241204044757.1483141-2-memxor@gmail.com Signed-off-by: Alexei Starovoitov commit 6050471545eecec214ca9ceb38a63e98e9003338 Author: Ranjan Kumar Date: Sun Nov 10 23:03:41 2024 +0530 scsi: mpt3sas: Update driver version to 51.100.00.00 Update driver version to 51.100.00.00. Signed-off-by: Ranjan Kumar Link: https://lore.kernel.org/r/20241110173341.11595-3-ranjan.kumar@broadcom.com Signed-off-by: Martin K. Petersen commit 3f5eb062e8aa335643181c480e6c590c6cedfd22 Author: Ranjan Kumar Date: Sun Nov 10 23:03:40 2024 +0530 scsi: mpt3sas: Diag-Reset when Doorbell-In-Use bit is set during driver load time Issue a Diag-Reset when the "Doorbell-In-Use" bit is set during the driver load/initialization. Signed-off-by: Ranjan Kumar Link: https://lore.kernel.org/r/20241110173341.11595-2-ranjan.kumar@broadcom.com Signed-off-by: Martin K. Petersen commit 48e8a8160dba523af7074e668b2a458250838a3d Author: Dave Penkler Date: Wed Dec 4 17:21:28 2024 +0100 staging: gpib: Fix i386 build issue These drivers cast resource_type_t to void * causing the build to fail. With CONFIG_X86_PAE enabled the resource_size_t type is a 64bit unsigned int which cannot be cast to a 32 bit pointer. Disable these drivers if X68_PAE is enabled Reported-by: Guenter Roeck Closes: https://lore.kernel.org/all/f10e976e-7a04-4454-b38d-39cd18f142da@roeck-us.net/ Fixes: e9dc69956d4d ("staging: gpib: Add Computer Boards GPIB driver") Fixes: e1339245eba3 ("staging: gpib: Add Computer Equipment Corporation GPIB driver") Fixes: bb1bd92fa0f2 ("staging: gpib: Add ines GPIB driver") Fixes: 0cd5b05551e0 ("staging: gpib: Add TNT4882 chip based GPIB driver") Signed-off-by: Dave Penkler Link: https://lore.kernel.org/r/20241204162128.25617-1-dpenkler@gmail.com Signed-off-by: Greg Kroah-Hartman commit 1d8c2d4b89b40f49ef4a70dcb2eaea43695025ce Author: Dave Penkler Date: Wed Dec 4 15:57:13 2024 +0100 staging: gpib: Fix faulty workaround for assignment in if This was detected by Coverity. Add the missing assignment in the else branch of the if Reported-by: Kees Bakker Fixes: fce79512a96a ("staging: gpib: Add LPVO DIY USB GPIB driver") Signed-off-by: Dave Penkler Link: https://lore.kernel.org/r/20241204145713.11889-5-dpenkler@gmail.com Signed-off-by: Greg Kroah-Hartman commit 80242c4a9d50e71a4df1b7fa19b922ac88aab22b Author: Dave Penkler Date: Wed Dec 4 14:47:36 2024 +0100 staging: gpib: Workaround for ppc build failure Make GPIB_FMH depend on !PPC Reported_by: Stephen Rothwell Link: https://lore.kernel.org/all/20241015165538.634707e5@canb.auug.org.au/ Link: https://lore.kernel.org/r/20241204134736.6660-1-dpenkler@gmail.com Signed-off-by: Dave Penkler Signed-off-by: Greg Kroah-Hartman commit f580786ea900c74ed8046e617e5030d4c37a578b Author: Nathan Chancellor Date: Sat Nov 23 13:03:25 2024 -0700 staging: gpib: Make GPIB_NI_PCI_ISA depend on HAS_IOPORT After commit 78ecb0375685 ("staging: gpib: make port I/O code conditional"), building tnt4882.ko on platforms without HAS_IOPORT (such as hexagon and s390) fails with: ERROR: modpost: "inb_wrapper" [drivers/staging/gpib/tnt4882/tnt4882.ko] undefined! ERROR: modpost: "inw_wrapper" [drivers/staging/gpib/tnt4882/tnt4882.ko] undefined! ERROR: modpost: "nec7210_locking_ioport_write_byte" [drivers/staging/gpib/tnt4882/tnt4882.ko] undefined! ERROR: modpost: "nec7210_locking_ioport_read_byte" [drivers/staging/gpib/tnt4882/tnt4882.ko] undefined! ERROR: modpost: "outb_wrapper" [drivers/staging/gpib/tnt4882/tnt4882.ko] undefined! ERROR: modpost: "outw_wrapper" [drivers/staging/gpib/tnt4882/tnt4882.ko] undefined! Only allow tnt4882.ko to be built when CONFIG_HAS_IOPORT is set to avoid this build failure, as this driver unconditionally needs it. Fixes: 78ecb0375685 ("staging: gpib: make port I/O code conditional") Signed-off-by: Nathan Chancellor Tested-by: Geert Uytterhoeven Link: https://lore.kernel.org/r/20241123-gpib-tnt4882-depends-on-has_ioport-v1-1-033c58b64751@kernel.org Signed-off-by: Greg Kroah-Hartman commit 7cc0e0a43a91052477c2921f924a37d9c3891f0c Author: Claudiu Beznea Date: Mon Nov 25 13:58:56 2024 +0200 serial: sh-sci: Check if TX data was written to device in .tx_empty() On the Renesas RZ/G3S, when doing suspend to RAM, the uart_suspend_port() is called. The uart_suspend_port() calls 3 times the struct uart_port::ops::tx_empty() before shutting down the port. According to the documentation, the struct uart_port::ops::tx_empty() API tests whether the transmitter FIFO and shifter for the port is empty. The Renesas RZ/G3S SCIFA IP reports the number of data units stored in the transmit FIFO through the FDR (FIFO Data Count Register). The data units in the FIFOs are written in the shift register and transmitted from there. The TEND bit in the Serial Status Register reports if the data was transmitted from the shift register. In the previous code, in the tx_empty() API implemented by the sh-sci driver, it is considered that the TX is empty if the hardware reports the TEND bit set and the number of data units in the FIFO is zero. According to the HW manual, the TEND bit has the following meaning: 0: Transmission is in the waiting state or in progress. 1: Transmission is completed. It has been noticed that when opening the serial device w/o using it and then switch to a power saving mode, the tx_empty() call in the uart_port_suspend() function fails, leading to the "Unable to drain transmitter" message being printed on the console. This is because the TEND=0 if nothing has been transmitted and the FIFOs are empty. As the TEND=0 has double meaning (waiting state, in progress) we can't determined the scenario described above. Add a software workaround for this. This sets a variable if any data has been sent on the serial console (when using PIO) or if the DMA callback has been called (meaning something has been transmitted). In the tx_empty() API the status of the DMA transaction is also checked and if it is completed or in progress the code falls back in checking the hardware registers instead of relying on the software variable. Fixes: 73a19e4c0301 ("serial: sh-sci: Add DMA support.") Cc: stable@vger.kernel.org Signed-off-by: Claudiu Beznea Link: https://lore.kernel.org/r/20241125115856.513642-1-claudiu.beznea.uj@bp.renesas.com Signed-off-by: Greg Kroah-Hartman commit e63fbd5f6810ed756bbb8a1549c7d4132968baa9 Author: Kuan-Wei Chiu Date: Wed Dec 4 04:22:28 2024 +0800 tracing: Fix cmp_entries_dup() to respect sort() comparison rules The cmp_entries_dup() function used as the comparator for sort() violated the symmetry and transitivity properties required by the sorting algorithm. Specifically, it returned 1 whenever memcmp() was non-zero, which broke the following expectations: * Symmetry: If x < y, then y > x. * Transitivity: If x < y and y < z, then x < z. These violations could lead to incorrect sorting and failure to correctly identify duplicate elements. Fix the issue by directly returning the result of memcmp(), which adheres to the required comparison properties. Cc: stable@vger.kernel.org Fixes: 08d43a5fa063 ("tracing: Add lock-free tracing_map") Link: https://lore.kernel.org/20241203202228.1274403-1-visitorckw@gmail.com Signed-off-by: Kuan-Wei Chiu Signed-off-by: Steven Rostedt (Google) commit 33ead7e538183b1348ba60af90027240a10de751 Author: Lucas De Marchi Date: Tue Dec 3 12:00:10 2024 -0800 usb: typec: ucsi: Fix connector status writing past buffer size Similar to commit 65c4c9447bfc ("usb: typec: ucsi: Fix a missing bits to bytes conversion in ucsi_init()"), there was a missing conversion from bits to bytes. Here the outcome is worse though: since the value is lower than UCSI_MAX_DATA_LENGTH, instead of bailing out with an error, it writes past the buffer size. The error is then seen in other places like below: Oops: general protection fault, probably for non-canonical address 0x891e812cd0ed968: 0000 [#1] PREEMPT SMP NOPTI CPU: 3 UID: 110 PID: 906 Comm: prometheus-node Not tainted 6.13.0-rc1-xe #1 Hardware name: Intel Corporation Lunar Lake Client Platform/LNL-M LP5 RVP1, BIOS LNLMFWI1.R00.3222.D84.2410171025 10/17/2024 RIP: 0010:power_supply_get_property+0x3e/0xe0 Code: 85 c0 7e 4f 4c 8b 07 89 f3 49 89 d4 49 8b 48 20 48 85 c9 74 72 49 8b 70 18 31 d2 31 c0 eb 0b 83 c2 01 48 63 c2 48 39 c8 73 5d <3b> 1c 86 75 f0 49 8b 40 28 4c 89 e2 89 de ff d0 0f 1f 00 5b 41 5c RSP: 0018:ffffc900017dfa50 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000011 RCX: c963b02c06092008 RDX: 0000000000000000 RSI: 0891e812cd0ed968 RDI: ffff888121dd6800 RBP: ffffc900017dfa68 R08: ffff88810a4024b8 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffffc900017dfa78 R13: ffff888121dd6800 R14: ffff888138ad2c00 R15: ffff88810c57c528 FS: 00007713a2ffd6c0(0000) GS:ffff88846f380000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000c0004b1000 CR3: 0000000121ce8003 CR4: 0000000000f72ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff07f0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: ? show_regs+0x6c/0x80 ? die_addr+0x37/0xa0 ? exc_general_protection+0x1c1/0x440 ? asm_exc_general_protection+0x27/0x30 ? power_supply_get_property+0x3e/0xe0 power_supply_hwmon_read+0x50/0xe0 hwmon_attr_show+0x46/0x170 dev_attr_show+0x1a/0x70 sysfs_kf_seq_show+0xaa/0x120 kernfs_seq_show+0x41/0x60 Just use the buffer size as argument to fix it. Fixes: 226ff2e681d0 ("usb: typec: ucsi: Convert connector specific commands to bitmaps") Signed-off-by: Lucas De Marchi Reviewed-by: Thomas Weißschuh Reviewed-by: Sebastian Reichel Reported-by: Chaitanya Kumar Borah Closes: https://lore.kernel.org/all/SJ1PR11MB6129CCD82CD78D8EE6E27EF4B9362@SJ1PR11MB6129.namprd11.prod.outlook.com/ Suggested-by: Thomas Weißschuh Reviewed-by: Heikki Krogerus Tested-by: Chaitanya Kumar Borah Link: https://lore.kernel.org/r/20241203200010.2821132-1-lucas.demarchi@intel.com Signed-off-by: Greg Kroah-Hartman commit e37b383df91ba9bde9c6a31bf3ea9072561c5126 Author: Łukasz Bartosik Date: Tue Dec 3 10:23:18 2024 +0000 usb: typec: ucsi: Fix completion notifications OPM PPM LPM | 1.send cmd | | |-------------------------->| | | |-- | | | | 2.set busy bit in CCI | | |<- | | 3.notify the OPM | | |<--------------------------| | | | 4.send cmd to be executed | | |-------------------------->| | | | | | 5.cmd completed | | |<--------------------------| | | | | |-- | | | | 6.set cmd completed | | |<- bit in CCI | | | | | 7.notify the OPM | | |<--------------------------| | | | | | 8.handle notification | | | from point 3, read CCI | | |<--------------------------| | | | | When the PPM receives command from the OPM (p.1) it sets the busy bit in the CCI (p.2), sends notification to the OPM (p.3) and forwards the command to be executed by the LPM (p.4). When the PPM receives command completion from the LPM (p.5) it sets command completion bit in the CCI (p.6) and sends notification to the OPM (p.7). If command execution by the LPM is fast enough then when the OPM starts handling the notification from p.3 in p.8 and reads the CCI value it will see command completion bit set and will call complete(). Then complete() might be called again when the OPM handles notification from p.7. This fix replaces test_bit() with test_and_clear_bit() in ucsi_notify_common() in order to call complete() only once per request. This fix also reinitializes completion variable in ucsi_sync_control_common() before a command is sent. Fixes: 584e8df58942 ("usb: typec: ucsi: extract common code for command handling") Cc: stable@vger.kernel.org Signed-off-by: Łukasz Bartosik Reviewed-by: Dmitry Baryshkov Reviewed-by: Heikki Krogerus Reviewed-by: Benson Leung Link: https://lore.kernel.org/r/20241203102318.3386345-1-ukaszb@chromium.org Signed-off-by: Greg Kroah-Hartman commit 1cf1bd88f129f3bd647fead4dca270a5894274bb Author: Stefan Wahren Date: Mon Dec 2 01:16:31 2024 +0100 usb: dwc2: Fix HCD port connection race On Raspberry Pis without onboard USB hub frequent device reconnects can trigger a interrupt storm after DWC2 entered host clock gating. This is caused by a race between _dwc2_hcd_suspend() and the port interrupt, which sets port_connect_status. The issue occurs if port_connect_status is still 1, but there is no connection anymore: usb 1-1: USB disconnect, device number 25 dwc2 3f980000.usb: _dwc2_hcd_suspend: port_connect_status: 1 dwc2 3f980000.usb: Entering host clock gating. Disabling IRQ #66 irq 66: nobody cared (try booting with the "irqpoll" option) CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.0-gc1bb81b13202-dirty #322 Hardware name: BCM2835 Call trace: unwind_backtrace from show_stack+0x10/0x14 show_stack from dump_stack_lvl+0x50/0x64 dump_stack_lvl from __report_bad_irq+0x38/0xc0 __report_bad_irq from note_interrupt+0x2ac/0x2f4 note_interrupt from handle_irq_event+0x88/0x8c handle_irq_event from handle_level_irq+0xb4/0x1ac handle_level_irq from generic_handle_domain_irq+0x24/0x34 generic_handle_domain_irq from bcm2836_chained_handle_irq+0x24/0x28 bcm2836_chained_handle_irq from generic_handle_domain_irq+0x24/0x34 generic_handle_domain_irq from generic_handle_arch_irq+0x34/0x44 generic_handle_arch_irq from __irq_svc+0x88/0xb0 Exception stack(0xc1d01f20 to 0xc1d01f68) 1f20: 0004ef3c 00000001 00000000 00000000 c1d09780 c1f6bb5c c1d04e54 c1c60ca8 1f40: c1d04e94 00000000 00000000 c1d092a8 c1f6af20 c1d01f70 c1211b98 c1212f40 1f60: 60000013 ffffffff __irq_svc from default_idle_call+0x1c/0xb0 default_idle_call from do_idle+0x21c/0x284 do_idle from cpu_startup_entry+0x28/0x2c cpu_startup_entry from kernel_init+0x0/0x12c handlers: [] dwc2_handle_common_intr [<58bf98a3>] usb_hcd_irq Disabling IRQ #66 So avoid this by reading the connection status directly. Fixes: 113f86d0c302 ("usb: dwc2: Update partial power down entering by system suspend") Signed-off-by: Stefan Wahren Link: https://lore.kernel.org/r/20241202001631.75473-4-wahrenst@gmx.net Signed-off-by: Greg Kroah-Hartman commit a8d3e4a734599c7d0f6735f8db8a812e503395dd Author: Stefan Wahren Date: Mon Dec 2 01:16:30 2024 +0100 usb: dwc2: hcd: Fix GetPortStatus & SetPortFeature On Rasperry Pis without onboard USB hub the power cycle during power connect init only disable the port but never enabled it again: usb usb1-port1: attempt power cycle The port relevant part in dwc2_hcd_hub_control() is skipped in case port_connect_status = 0 under the assumption the core is or will be soon in device mode. But this assumption is wrong, because after ClearPortFeature USB_PORT_FEAT_POWER the port_connect_status will also be 0 and SetPortFeature (incl. USB_PORT_FEAT_POWER) will be a no-op. Fix the behavior of dwc2_hcd_hub_control() by replacing the port_connect_status check with dwc2_is_device_mode(). Link: https://github.com/raspberrypi/linux/issues/6247 Fixes: 7359d482eb4d ("staging: HCD files for the DWC2 driver") Signed-off-by: Stefan Wahren Link: https://lore.kernel.org/r/20241202001631.75473-3-wahrenst@gmx.net Signed-off-by: Greg Kroah-Hartman commit 336f72d3cbf5cc17df2947bbbd2ba6e2509f17e8 Author: Stefan Wahren Date: Mon Dec 2 01:16:29 2024 +0100 usb: dwc2: Fix HCD resume The Raspberry Pi can suffer on interrupt storms on HCD resume. The dwc2 driver sometimes misses to enable HCD_FLAG_HW_ACCESSIBLE before re-enabling the interrupts. This causes a situation where both handler ignore a incoming port interrupt and force the upper layers to disable the dwc2 interrupt line. This leaves the USB interface in a unusable state: irq 66: nobody cared (try booting with the "irqpoll" option) CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 6.10.0-rc3 Hardware name: BCM2835 Call trace: unwind_backtrace from show_stack+0x10/0x14 show_stack from dump_stack_lvl+0x50/0x64 dump_stack_lvl from __report_bad_irq+0x38/0xc0 __report_bad_irq from note_interrupt+0x2ac/0x2f4 note_interrupt from handle_irq_event+0x88/0x8c handle_irq_event from handle_level_irq+0xb4/0x1ac handle_level_irq from generic_handle_domain_irq+0x24/0x34 generic_handle_domain_irq from bcm2836_chained_handle_irq+0x24/0x28 bcm2836_chained_handle_irq from generic_handle_domain_irq+0x24/0x34 generic_handle_domain_irq from generic_handle_arch_irq+0x34/0x44 generic_handle_arch_irq from __irq_svc+0x88/0xb0 Exception stack(0xc1b01f20 to 0xc1b01f68) 1f20: 0005c0d4 00000001 00000000 00000000 c1b09780 c1d6b32c c1b04e54 c1a5eae8 1f40: c1b04e90 00000000 00000000 00000000 c1d6a8a0 c1b01f70 c11d2da8 c11d4160 1f60: 60000013 ffffffff __irq_svc from default_idle_call+0x1c/0xb0 default_idle_call from do_idle+0x21c/0x284 do_idle from cpu_startup_entry+0x28/0x2c cpu_startup_entry from kernel_init+0x0/0x12c handlers: [] dwc2_handle_common_intr [<75cd278b>] usb_hcd_irq Disabling IRQ #66 So enable the HCD_FLAG_HW_ACCESSIBLE flag in case there is a port connection. Fixes: c74c26f6e398 ("usb: dwc2: Fix partial power down exiting by system resume") Closes: https://lore.kernel.org/linux-usb/3fd0c2fb-4752-45b3-94eb-42352703e1fd@gmx.net/T/ Link: https://lore.kernel.org/all/5e8cbce0-3260-2971-484f-fc73a3b2bd28@synopsys.com/ Signed-off-by: Stefan Wahren Link: https://lore.kernel.org/r/20241202001631.75473-2-wahrenst@gmx.net Signed-off-by: Greg Kroah-Hartman commit 4cfbca86f6a8b801f3254e0e3c8f2b1d2d64be2b Author: Lianqin Hu Date: Tue Dec 3 12:14:16 2024 +0000 usb: gadget: u_serial: Fix the issue that gs_start_io crashed due to accessing null pointer Considering that in some extreme cases, when u_serial driver is accessed by multiple threads, Thread A is executing the open operation and calling the gs_open, Thread B is executing the disconnect operation and calling the gserial_disconnect function,The port->port_usb pointer will be set to NULL. E.g. Thread A Thread B gs_open() gadget_unbind_driver() gs_start_io() composite_disconnect() gs_start_rx() gserial_disconnect() ... ... spin_unlock(&port->port_lock) status = usb_ep_queue() spin_lock(&port->port_lock) spin_lock(&port->port_lock) port->port_usb = NULL gs_free_requests(port->port_usb->in) spin_unlock(&port->port_lock) Crash This causes thread A to access a null pointer (port->port_usb is null) when calling the gs_free_requests function, causing a crash. If port_usb is NULL, the release request will be skipped as it will be done by gserial_disconnect. So add a null pointer check to gs_start_io before attempting to access the value of the pointer port->port_usb. Call trace: gs_start_io+0x164/0x25c gs_open+0x108/0x13c tty_open+0x314/0x638 chrdev_open+0x1b8/0x258 do_dentry_open+0x2c4/0x700 vfs_open+0x2c/0x3c path_openat+0xa64/0xc60 do_filp_open+0xb8/0x164 do_sys_openat2+0x84/0xf0 __arm64_sys_openat+0x70/0x9c invoke_syscall+0x58/0x114 el0_svc_common+0x80/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x38/0x68 Fixes: c1dca562be8a ("usb gadget: split out serial core") Cc: stable@vger.kernel.org Suggested-by: Prashanth K Signed-off-by: Lianqin Hu Acked-by: Prashanth K Link: https://lore.kernel.org/r/TYUPR06MB62178DC3473F9E1A537DCD02D2362@TYUPR06MB6217.apcprd06.prod.outlook.com Signed-off-by: Greg Kroah-Hartman commit ce15d6b3d5c3c6f78290066be0f0a4fd89cdeb5b Author: Radhey Shyam Pandey Date: Tue Dec 3 00:18:22 2024 +0530 usb: misc: onboard_usb_dev: skip suspend/resume sequence for USB5744 SMBus support USB5744 SMBus initialization is done once in probe() and doing it in resume is not supported so avoid going into suspend and reset the HUB. There is a sysfs property 'always_powered_in_suspend' to implement this feature but since default state should be set to a working configuration so override this property value. It fixes the suspend/resume testcase on Kria KR260 Robotics Starter Kit. Fixes: 6782311d04df ("usb: misc: onboard_usb_dev: add Microchip usb5744 SMBus programming support") Cc: stable@vger.kernel.org Signed-off-by: Radhey Shyam Pandey Link: https://lore.kernel.org/r/1733165302-1694891-1-git-send-email-radhey.shyam.pandey@amd.com Signed-off-by: Greg Kroah-Hartman commit a48f744bef9ee74814a9eccb030b02223e48c76c Author: Neal Frager Date: Mon Dec 2 23:41:51 2024 +0530 usb: dwc3: xilinx: make sure pipe clock is deselected in usb2 only mode When the USB3 PHY is not defined in the Linux device tree, there could still be a case where there is a USB3 PHY active on the board and enabled by the first stage bootloader. If serdes clock is being used then the USB will fail to enumerate devices in 2.0 only mode. To solve this, make sure that the PIPE clock is deselected whenever the USB3 PHY is not defined and guarantees that the USB2 only mode will work in all cases. Fixes: 9678f3361afc ("usb: dwc3: xilinx: Skip resets and USB3 register settings for USB2.0 mode") Cc: stable@vger.kernel.org Signed-off-by: Neal Frager Signed-off-by: Radhey Shyam Pandey Acked-by: Peter Korsgaard Link: https://lore.kernel.org/r/1733163111-1414816-1-git-send-email-radhey.shyam.pandey@amd.com Signed-off-by: Greg Kroah-Hartman commit d2ec94fbc431cc77ed53d4480bdc856669c2b5aa Author: Xu Yang Date: Tue Nov 5 17:01:20 2024 +0800 usb: core: hcd: only check primary hcd skip_phy_initialization Before commit 53a2d95df836 ("usb: core: add phy notify connect and disconnect"), phy initialization will be skipped even when shared hcd doesn't set skip_phy_initialization flag. However, the situation is changed after the commit. The hcd.c will initialize phy when add shared hcd. This behavior is unexpected for some platforms which will handle phy initialization by themselves. To avoid the issue, this will only check skip_phy_initialization flag of primary hcd since shared hcd normally follow primary hcd setting. Fixes: 53a2d95df836 ("usb: core: add phy notify connect and disconnect") Cc: stable@vger.kernel.org Signed-off-by: Xu Yang Link: https://lore.kernel.org/r/20241105090120.2438366-1-xu.yang_2@nxp.com Signed-off-by: Greg Kroah-Hartman commit 82937056967da052cbc04b4435c13db84192dc52 Author: Takashi Iwai Date: Wed Nov 27 08:02:11 2024 +0100 usb: gadget: midi2: Fix interpretation of is_midi1 bits The UMP Function Block info m1.0 field (represented by is_midi1 sysfs entry) is an enumeration from 0 to 2, while the midi2 gadget driver incorrectly copies it to the corresponding snd_ump_block_info.flags bits as-is. This made the wrong bit flags set when m1.0 = 2. This patch corrects the wrong interpretation of is_midi1 bits. Fixes: 29ee7a4dddd5 ("usb: gadget: midi2: Add configfs support") Cc: stable@vger.kernel.org Signed-off-by: Takashi Iwai Link: https://lore.kernel.org/r/20241127070213.8232-1-tiwai@suse.de Signed-off-by: Greg Kroah-Hartman commit a4faee01179a4d9cbad9ba6be2da8637c68c1438 Author: Xu Yang Date: Tue Nov 26 11:28:41 2024 +0800 usb: dwc3: imx8mp: fix software node kernel dump When unbind and bind the device again, kernel will dump below warning: [ 173.972130] sysfs: cannot create duplicate filename '/devices/platform/soc/4c010010.usb/software_node' [ 173.981564] CPU: 2 UID: 0 PID: 536 Comm: sh Not tainted 6.12.0-rc6-06344-g2aed7c4a5c56 #144 [ 173.989923] Hardware name: NXP i.MX95 15X15 board (DT) [ 173.995062] Call trace: [ 173.997509] dump_backtrace+0x90/0xe8 [ 174.001196] show_stack+0x18/0x24 [ 174.004524] dump_stack_lvl+0x74/0x8c [ 174.008198] dump_stack+0x18/0x24 [ 174.011526] sysfs_warn_dup+0x64/0x80 [ 174.015201] sysfs_do_create_link_sd+0xf0/0xf8 [ 174.019656] sysfs_create_link+0x20/0x40 [ 174.023590] software_node_notify+0x90/0x100 [ 174.027872] device_create_managed_software_node+0xec/0x108 ... The '4c010010.usb' device is a platform device created during the initcall and is never removed, which causes its associated software node to persist indefinitely. The existing device_create_managed_software_node() does not provide a corresponding removal function. Replace device_create_managed_software_node() with the device_add_software_node() and device_remove_software_node() pair to ensure proper addition and removal of software nodes, addressing this issue. Fixes: a9400f1979a0 ("usb: dwc3: imx8mp: add 2 software managed quirk properties for host mode") Cc: stable@vger.kernel.org Reviewed-by: Frank Li Signed-off-by: Xu Yang Acked-by: Thinh Nguyen Link: https://lore.kernel.org/r/20241126032841.2458338-1-xu.yang_2@nxp.com Signed-off-by: Greg Kroah-Hartman commit ef42b906df5c57d0719b69419df9dfd25f25c161 Author: Joe Hattori Date: Tue Nov 26 10:49:09 2024 +0900 usb: typec: anx7411: fix OF node reference leaks in anx7411_typec_switch_probe() The refcounts of the OF nodes obtained by of_get_child_by_name() calls in anx7411_typec_switch_probe() are not decremented. Replace them with device_get_named_child_node() calls and store the return values to the newly created fwnode_handle fields in anx7411_data, and call fwnode_handle_put() on them in the error path and in the unregister functions. Fixes: e45d7337dc0e ("usb: typec: anx7411: Use of_get_child_by_name() instead of of_find_node_by_name()") Cc: stable@vger.kernel.org Signed-off-by: Joe Hattori Reviewed-by: Heikki Krogerus Link: https://lore.kernel.org/r/20241126014909.3687917-1-joe@pf.is.s.u-tokyo.ac.jp Signed-off-by: Greg Kroah-Hartman commit 645d56e4cc74e953284809d096532c1955918a28 Author: Joe Hattori Date: Thu Nov 21 11:34:29 2024 +0900 usb: typec: anx7411: fix fwnode_handle reference leak An fwnode_handle and usb_role_switch are obtained with an incremented refcount in anx7411_typec_port_probe(), however the refcounts are not decremented in the error path. The fwnode_handle is also not decremented in the .remove() function. Therefore, call fwnode_handle_put() and usb_role_switch_put() accordingly. Fixes: fe6d8a9c8e64 ("usb: typec: anx7411: Add Analogix PD ANX7411 support") Cc: stable@vger.kernel.org Signed-off-by: Joe Hattori Reviewed-by: Heikki Krogerus Link: https://lore.kernel.org/r/20241121023429.962848-1-joe@pf.is.s.u-tokyo.ac.jp Signed-off-by: Greg Kroah-Hartman commit 0d2ada05227881f3d0722ca2364e3f7a860a301f Author: Mark Tomlinson Date: Mon Nov 25 11:14:30 2024 +1300 usb: host: max3421-hcd: Correctly abort a USB request. If the current USB request was aborted, the spi thread would not respond to any further requests. This is because the "curr_urb" pointer would not become NULL, so no further requests would be taken off the queue. The solution here is to set the "urb_done" flag, as this will cause the correct handling of the URB. Also clear interrupts that should only be expected if an URB is in progress. Fixes: 2d53139f3162 ("Add support for using a MAX3421E chip as a host driver.") Cc: stable Signed-off-by: Mark Tomlinson Link: https://lore.kernel.org/r/20241124221430.1106080-1-mark.tomlinson@alliedtelesis.co.nz Signed-off-by: Greg Kroah-Hartman commit 282615d1334494063ff8dc70f35168d3f6b9c4c9 Author: Xu Yang Date: Tue Nov 19 18:50:17 2024 +0800 dt-bindings: phy: imx8mq-usb: correct reference to usb-switch.yaml The i.MX95 usb-phy can work with or without orientation-switch. With current setting, if usb-phy works without orientation-switch, the dt-schema check will show below error: phy@4c1f0040: 'oneOf' conditional failed, one must be fixed: 'port' is a required property 'ports' is a required property from schema $id: http://devicetree.org/schemas/phy/fsl,imx8mq-usb-phy.yaml# This will correct the behavior of referring to usb-switch.yaml. Signed-off-by: Xu Yang Acked-by: Rob Herring (Arm) Link: https://lore.kernel.org/r/20241119105017.917833-1-xu.yang_2@nxp.com Signed-off-by: Greg Kroah-Hartman commit 97264eaaba0122a5b7e8ddd7bf4ff3ac57c2b170 Author: Vitalii Mordan Date: Thu Nov 21 14:47:00 2024 +0300 usb: ehci-hcd: fix call balance of clocks handling routines If the clocks priv->iclk and priv->fclk were not enabled in ehci_hcd_sh_probe, they should not be disabled in any path. Conversely, if they was enabled in ehci_hcd_sh_probe, they must be disabled in all error paths to ensure proper cleanup. Found by Linux Verification Center (linuxtesting.org) with Klever. Fixes: 63c845522263 ("usb: ehci-hcd: Add support for SuperH EHCI.") Cc: stable@vger.kernel.org # ff30bd6a6618: sh: clk: Fix clk_enable() to return 0 on NULL clk Signed-off-by: Vitalii Mordan Reviewed-by: Alan Stern Link: https://lore.kernel.org/r/20241121114700.2100520-1-mordan@ispras.ru Signed-off-by: Greg Kroah-Hartman commit 456f010bfaefde84d3390c755eedb1b0a5857c3c Author: Phil Sutter Date: Fri Nov 29 16:30:38 2024 +0100 netfilter: ipset: Hold module reference while requesting a module User space may unload ip_set.ko while it is itself requesting a set type backend module, leading to a kernel crash. The race condition may be provoked by inserting an mdelay() right after the nfnl_unlock() call. Fixes: a7b4f989a629 ("netfilter: ipset: IP set core support") Signed-off-by: Phil Sutter Acked-by: Jozsef Kadlecsik Signed-off-by: Pablo Neira Ayuso commit 2de679ecd724b823c2cb58caab8508c7eec8aefc Author: Arnd Bergmann Date: Mon Nov 11 11:37:02 2024 +0100 phy: stm32: work around constant-value overflow assertion FIELD_PREP() checks that a constant fits into the available bitfield, but if one of the two lookup tables in stm32_impedance_tune() does not find a matching entry, the index is out of range, which gcc correctly complains about: In file included from : In function 'stm32_impedance_tune', inlined from 'stm32_combophy_pll_init' at drivers/phy/st/phy-stm32-combophy.c:247:9: include/linux/compiler_types.h:517:38: error: call to '__compiletime_assert_447' declared with attribute error: FIELD_PREP: value too large for the field 517 | _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__) | ^ include/linux/bitfield.h:68:3: note: in expansion of macro 'BUILD_BUG_ON_MSG' 68 | BUILD_BUG_ON_MSG(__builtin_constant_p(_val) ? \ 115 | __BF_FIELD_CHECK(_mask, 0ULL, _val, "FIELD_PREP: "); \ | ^~~~~~~~~~~~~~~~ drivers/phy/st/phy-stm32-combophy.c:162:8: note: in expansion of macro 'FIELD_PREP' 162 | FIELD_PREP(STM32MP25_PCIEPRG_IMPCTRL_VSWING, vswing_of)); | ^~~~~~~~~~ Rework this so the field value gets set inside of the loop and otherwise set to zero. Fixes: 47e1bb6b4ba0 ("phy: stm32: Add support for STM32MP25 COMBOPHY.") Signed-off-by: Arnd Bergmann Link: https://lore.kernel.org/r/20241111103712.3520611-1-arnd@kernel.org Signed-off-by: Vinod Koul commit 8886fb3240931a0afce82dea87edfe46bcb0a586 Author: Krishna Kurapati Date: Tue Nov 12 14:58:31 2024 +0530 phy: qcom-qmp: Fix register name in RX Lane config of SC8280XP In RX Lane configuration sequence of SC8280XP, the register V5_RX_UCDR_FO_GAIN is incorrectly spelled as RX_UCDR_SO_GAIN and hence the programming sequence is wrong. Fix the register sequence accordingly to avoid any compliance failures. This has been tested on SA8775P by checking device mode enumeration in SuperSpeed. Cc: stable@vger.kernel.org Fixes: c0c7769cdae2 ("phy: qcom-qmp: Add SC8280XP USB3 UNI phy") Signed-off-by: Krishna Kurapati Reviewed-by: Konrad Dybcio Link: https://lore.kernel.org/r/20241112092831.4110942-1-quic_kriskura@quicinc.com Signed-off-by: Vinod Koul commit 70327137eb3eb64f346191dcd0ee5140d5ab34d8 Author: Geert Uytterhoeven Date: Tue Dec 3 17:23:16 2024 +0100 gpio: GPIO_MVEBU should not default to y when compile-testing Merely enabling compile-testing should not enable additional functionality. Fixes: 956ee0c5c969c9ca ("gpio: mvebu: allow building the module with COMPILE_TEST=y") Signed-off-by: Geert Uytterhoeven Link: https://lore.kernel.org/r/6b9e55dbf544297d5acf743f6fa473791ab10644.1733242798.git.geert+renesas@glider.be Signed-off-by: Bartosz Golaszewski commit d0257e089d1bbd35c69b6c97ff73e3690ab149a9 Author: Dan Carpenter Date: Sat Nov 30 13:06:41 2024 +0300 RDMA/uverbs: Prevent integer overflow issue In the expression "cmd.wqe_size * cmd.wr_count", both variables are u32 values that come from the user so the multiplication can lead to integer wrapping. Then we pass the result to uverbs_request_next_ptr() which also could potentially wrap. The "cmd.sge_count * sizeof(struct ib_uverbs_sge)" multiplication can also overflow on 32bit systems although it's fine on 64bit systems. This patch does two things. First, I've re-arranged the condition in uverbs_request_next_ptr() so that the use controlled variable "len" is on one side of the comparison by itself without any math. Then I've modified all the callers to use size_mul() for the multiplications. Fixes: 67cdb40ca444 ("[IB] uverbs: Implement more commands") Cc: stable@vger.kernel.org Signed-off-by: Dan Carpenter Link: https://patch.msgid.link/b8765ab3-c2da-4611-aae0-ddd6ba173d23@stanley.mountain Signed-off-by: Leon Romanovsky commit fbcbffbac994aca1264e3c14da96ac9bfd90466e Author: Chukun Pan Date: Fri Nov 22 15:30:06 2024 +0800 phy: rockchip: naneng-combphy: fix phy reset Currently, the USB port via combophy on the RK3528/RK3588 SoC is broken. usb usb8-port1: Cannot enable. Maybe the USB cable is bad? This is due to the combphy of RK3528/RK3588 SoC has multiple resets, but only "phy resets" need assert and deassert, "apb resets" don't need. So change the driver to only match the phy resets, which is also what the vendor kernel does. Fixes: 7160820d742a ("phy: rockchip: add naneng combo phy for RK3568") Cc: FUKAUMI Naoki Cc: Michael Zimmermann Signed-off-by: Chukun Pan Reviewed-by: Heiko Stuebner Tested-by: FUKAUMI Naoki Link: https://lore.kernel.org/r/20241122073006.99309-2-amadeus@jmu.edu.cn Signed-off-by: Vinod Koul commit 0a92ea87bdd6f77ca4e17fe19649882cf5209edd Author: Justin Chen Date: Thu Oct 24 14:35:40 2024 -0700 phy: usb: Toggle the PHY power during init When bringing up the PHY, it might be in a bad state if left powered. One case is we lose the PLL lock if the PLL is gated while the PHY is powered. Toggle the PHY power so we can start from a known state. Fixes: 4e5b9c9a73b3 ("phy: usb: Add support for new Synopsys USB controller on the 7216") Signed-off-by: Justin Chen Acked-by: Florian Fainelli Link: https://lore.kernel.org/r/20241024213540.1059412-1-justin.chen@broadcom.com Signed-off-by: Vinod Koul commit eb867d797d294a00a092b5027d08439da68940b2 Author: Leon Romanovsky Date: Tue Nov 26 15:10:31 2024 +0200 RDMA/bnxt_re: Remove always true dattr validity check res->dattr is always valid at this point as it was initialized during device addition in bnxt_re_add_device(). This change is fixing the following smatch error: drivers/infiniband/hw/bnxt_re/qplib_fp.c:1090 bnxt_qplib_create_qp() error: we previously assumed 'res->dattr' could be null (see line 985) Fixes: 07f830ae4913 ("RDMA/bnxt_re: Adds MSN table capability for Gen P7 adapters") Reported-by: kernel test robot Reported-by: Dan Carpenter Closes: https://lore.kernel.org/r/202411222329.YTrwonWi-lkp@intel.com/ Link: https://patch.msgid.link/be0d8836b64cba3e479fbcbca717acad04aae02e.1732626579.git.leonro@nvidia.com Acked-by: Selvin Xavier Signed-off-by: Leon Romanovsky commit ceb259e43bf572ba7d766e1679ba73861d16203a Author: Aapo Vienamo Date: Wed Dec 4 10:02:08 2024 +0200 spi: intel: Add Panther Lake SPI controller support The Panther Lake SPI controllers are compatible with the Cannon Lake controllers. Add support for following SPI controller device IDs: - H-series: 0xe323 - P-series: 0xe423 - U-series: 0xe423 Signed-off-by: Aapo Vienamo Signed-off-by: Mika Westerberg Link: https://patch.msgid.link/20241204080208.1036537-1-mika.westerberg@linux.intel.com Signed-off-by: Mark Brown commit dcbef0798eb825cd584f7a93f62bed63f7fbbfc9 Author: Lizhi Hou Date: Wed Sep 18 11:10:22 2024 -0700 dmaengine: amd: qdma: Remove using the private get and set dma_ops APIs The get_dma_ops and set_dma_ops APIs were never for driver to use. Remove these calls from QDMA driver. Instead, pass the DMA device pointer from the qdma_platdata structure. Fixes: 73d5fc92a11c ("dmaengine: amd: qdma: Add AMD QDMA driver") Signed-off-by: Lizhi Hou Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/20240918181022.2155715-1-lizhi.hou@amd.com Signed-off-by: Vinod Koul commit 5eb7de8cd58e73851cd37ff8d0666517d9926948 Author: Lion Ackermann Date: Mon Dec 2 17:22:57 2024 +0100 net: sched: fix ordering of qlen adjustment Changes to sch->q.qlen around qdisc_tree_reduce_backlog() need to happen _before_ a call to said function because otherwise it may fail to notify parent qdiscs when the child is about to become empty. Signed-off-by: Lion Ackermann Acked-by: Toke Høiland-Jørgensen Signed-off-by: David S. Miller commit 8d55e8a16f019211163f1180fd9f9fbe05901900 Author: Sasha Finkelstein Date: Sun Nov 24 16:48:28 2024 +0100 dmaengine: apple-admac: Avoid accessing registers in probe The ADMAC attached to the AOP has complex power sequencing, and is power gated when the probe callback runs. Move the register reads to other functions, where we can guarantee that the hardware is switched on. Fixes: 568aa6dd641f ("dmaengine: apple-admac: Allocate cache SRAM to channels") Signed-off-by: Sasha Finkelstein Link: https://lore.kernel.org/r/20241124-admac-power-v1-1-58f2165a4d55@gmail.com Signed-off-by: Vinod Koul commit 790fb9956eead785b720ccc0851f09a5ca3a093e Author: Randy Dunlap Date: Mon Dec 2 09:20:04 2024 -0800 linux/dmaengine.h: fix a few kernel-doc warnings The comment block for "Interleaved Transfer Request" should not begin with "/**" since it is not in kernel-doc format. Fix doc name for enum sum_check_flags. Fix all (4) missing struct member warnings. Use "Warning:" for one "Note:" in enum dma_desc_metadata_mode since scripts/kernel-doc does not allow more than one Note: per function or identifier description. This leaves around 49 kernel-doc warnings like: include/linux/dmaengine.h:43: warning: Enum value 'DMA_OUT_OF_ORDER' not described in enum 'dma_status' and another scripts/kernel-doc problem with it not being able to parse some typedefs. Fixes: b14dab792dee ("DMAEngine: Define interleaved transfer request api") Fixes: ad283ea4a3ce ("async_tx: add sum check flags") Fixes: 272420214d26 ("dmaengine: Add DMA_CTRL_REUSE") Fixes: f067025bc676 ("dmaengine: add support to provide error result from a DMA transation") Fixes: d38a8c622a1b ("dmaengine: prepare for generic 'unmap' data") Fixes: 5878853fc938 ("dmaengine: Add API function dmaengine_prep_peripheral_dma_vec()") Signed-off-by: Randy Dunlap Cc: Dan Williams Cc: Dave Jiang Cc: Paul Cercueil Cc: Nuno Sa Cc: Vinod Koul Cc: dmaengine@vger.kernel.org Link: https://lore.kernel.org/r/20241202172004.76020-1-rdunlap@infradead.org Signed-off-by: Vinod Koul commit 930e7c209b77a9006db9590320e8dea5aa433c81 Merge: 989e0cdc0f18a5 a0851ea9cd555c Author: Christian Brauner Date: Wed Dec 4 12:00:12 2024 +0100 Merge patch series "jbd2: two straightforward fixes" Two simple fixes for jdb2. * patches from https://lore.kernel.org/r/20241203014407.805916-1-yi.zhang@huaweicloud.com: jbd2: flush filesystem device before updating tail sequence jbd2: increase IO priority for writing revoke records Link: https://lore.kernel.org/r/20241203014407.805916-1-yi.zhang@huaweicloud.com Signed-off-by: Christian Brauner commit a0851ea9cd555c333795b85ddd908898b937c4e1 Author: Zhang Yi Date: Tue Dec 3 09:44:07 2024 +0800 jbd2: flush filesystem device before updating tail sequence When committing transaction in jbd2_journal_commit_transaction(), the disk caches for the filesystem device should be flushed before updating the journal tail sequence. However, this step is missed if the journal is not located on the filesystem device. As a result, the filesystem may become inconsistent following a power failure or system crash. Fix it by ensuring that the filesystem device is flushed appropriately. Fixes: 3339578f0578 ("jbd2: cleanup journal tail after transaction commit") Signed-off-by: Zhang Yi Link: https://lore.kernel.org/r/20241203014407.805916-3-yi.zhang@huaweicloud.com Reviewed-by: Jan Kara Signed-off-by: Christian Brauner commit ac1e21bd8c883aeac2f1835fc93b39c1e6838b35 Author: Zhang Yi Date: Tue Dec 3 09:44:06 2024 +0800 jbd2: increase IO priority for writing revoke records Commit '6a3afb6ac6df ("jbd2: increase the journal IO's priority")' increases the priority of journal I/O by marking I/O with the JBD2_JOURNAL_REQ_FLAGS. However, that commit missed the revoke buffers, so also addresses that kind of I/Os. Fixes: 6a3afb6ac6df ("jbd2: increase the journal IO's priority") Signed-off-by: Zhang Yi Link: https://lore.kernel.org/r/20241203014407.805916-2-yi.zhang@huaweicloud.com Reviewed-by: Kemeng Shi Reviewed-by: Jan Kara Signed-off-by: Christian Brauner commit 292207809486d99c78068d3f459cbbbffde88415 Author: Xin Long Date: Mon Dec 2 10:21:38 2024 -0500 net: sched: fix erspan_opt settings in cls_flower When matching erspan_opt in cls_flower, only the (version, dir, hwid) fields are relevant. However, in fl_set_erspan_opt() it initializes all bits of erspan_opt and its mask to 1. This inadvertently requires packets to match not only the (version, dir, hwid) fields but also the other fields that are unexpectedly set to 1. This patch resolves the issue by ensuring that only the (version, dir, hwid) fields are configured in fl_set_erspan_opt(), leaving the other fields to 0 in erspan_opt. Fixes: 79b1011cb33d ("net: sched: allow flower to match erspan options") Reported-by: Shuang Li Signed-off-by: Xin Long Reviewed-by: Cong Wang Signed-off-by: David S. Miller commit 6fe437cfe2cdc797b03f63b338a13fac96ed6a08 Author: Levi Yun Date: Tue Dec 3 14:31:08 2024 +0000 firmware: arm_ffa: Fix the race around setting ffa_dev->properties Currently, ffa_dev->properties is set after the ffa_device_register() call return in ffa_setup_partitions(). This could potentially result in a race where the partition's properties is accessed while probing struct ffa_device before it is set. Update the ffa_device_register() to receive ffa_partition_info so all the data from the partition information received from the firmware can be updated into the struct ffa_device before the calling device_register() in ffa_device_register(). Fixes: e781858488b9 ("firmware: arm_ffa: Add initial FFA bus support for device enumeration") Signed-off-by: Levi Yun Message-Id: <20241203143109.1030514-2-yeoreum.yun@arm.com> Signed-off-by: Sudeep Holla commit 94071909477677fc2a1abf3fb281f203f66cf3ca Author: Gal Pressman Date: Mon Dec 2 18:48:05 2024 +0200 ethtool: Fix access to uninitialized fields in set RXNFC command The check for non-zero ring with RSS is only relevant for ETHTOOL_SRXCLSRLINS command, in other cases the check tries to access memory which was not initialized by the userspace tool. Only perform the check in case of ETHTOOL_SRXCLSRLINS. Without this patch, filter deletion (for example) could statistically result in a false error: # ethtool --config-ntuple eth3 delete 484 rmgr: Cannot delete RX class rule: Invalid argument Cannot delete classification rule Fixes: 9e43ad7a1ede ("net: ethtool: only allow set_rxnfc with rss + ring_cookie if driver opts in") Link: https://lore.kernel.org/netdev/871a9ecf-1e14-40dd-bbd7-e90c92f89d47@nvidia.com/ Reviewed-by: Dragos Tatulea Reviewed-by: Tariq Toukan Signed-off-by: Gal Pressman Reviewed-by: Edward Cree Link: https://patch.msgid.link/20241202164805.1637093-1-gal@nvidia.com Signed-off-by: Jakub Kicinski commit 3d501f562f63b290351169e3e9931ffe3d57b2ae Author: Fernando Fernandez Mancera Date: Mon Dec 2 15:56:08 2024 +0000 Revert "udp: avoid calling sock_def_readable() if possible" This reverts commit 612b1c0dec5bc7367f90fc508448b8d0d7c05414. On a scenario with multiple threads blocking on a recvfrom(), we need to call sock_def_readable() on every __udp_enqueue_schedule_skb() otherwise the threads won't be woken up as __skb_wait_for_more_packets() is using prepare_to_wait_exclusive(). Link: https://bugzilla.redhat.com/2308477 Fixes: 612b1c0dec5b ("udp: avoid calling sock_def_readable() if possible") Signed-off-by: Fernando Fernandez Mancera Reviewed-by: Eric Dumazet Link: https://patch.msgid.link/20241202155620.1719-1-ffmancera@riseup.net Signed-off-by: Jakub Kicinski commit cecc1555a8c2acd65f9d36182c28ae463db0ad7e Author: Joe Damato Date: Mon Dec 2 18:21:02 2024 +0000 net: Make napi_hash_lock irq safe Make napi_hash_lock IRQ safe. It is used during the control path, and is taken and released in napi_hash_add and napi_hash_del, which will typically be called by calls to napi_enable and napi_disable. This change avoids a deadlock in pcnet32 (and other any other drivers which follow the same pattern): CPU 0: pcnet32_open spin_lock_irqsave(&lp->lock, ...) napi_enable napi_hash_add <- before this executes, CPU 1 proceeds spin_lock(napi_hash_lock) [...] spin_unlock_irqrestore(&lp->lock, flags); CPU 1: pcnet32_close napi_disable napi_hash_del spin_lock(napi_hash_lock) < INTERRUPT > pcnet32_interrupt spin_lock(lp->lock) <- DEADLOCK Changing the napi_hash_lock to be IRQ safe prevents the IRQ from firing on CPU 1 until napi_hash_lock is released, preventing the deadlock. Cc: stable@vger.kernel.org Fixes: 86e25f40aa1e ("net: napi: Add napi_config") Reported-by: Guenter Roeck Closes: https://lore.kernel.org/netdev/85dd4590-ea6b-427d-876a-1d8559c7ad82@roeck-us.net/ Suggested-by: Jakub Kicinski Signed-off-by: Joe Damato Tested-by: Guenter Roeck Reviewed-by: Eric Dumazet Link: https://patch.msgid.link/20241202182103.363038-1-jdamato@fastly.com Signed-off-by: Jakub Kicinski commit be7e611274224b23776469d7f7ce50e25ac53142 Author: Keisuke Nishimura Date: Sat Nov 30 15:49:53 2024 +0100 KVM: arm64: vgic-its: Add error handling in vgic_its_cache_translation The return value of xa_store() needs to be checked. This fix adds an error handling path that resolves the kref inconsistency on failure. As suggested by Oliver Upton, this function does not return the error code intentionally because the translation cache is best effort. Fixes: 8201d1028caa ("KVM: arm64: vgic-its: Maintain a translation cache per ITS") Signed-off-by: Keisuke Nishimura Suggested-by: Oliver Upton Acked-by: Marc Zyngier Link: https://lore.kernel.org/r/20241130144952.23729-1-keisuke.nishimura@inria.fr Signed-off-by: Oliver Upton commit 03c7527e97f73081633d773f9f8c2373f9854b25 Author: Marc Zyngier Date: Tue Dec 3 19:02:36 2024 +0000 KVM: arm64: Do not allow ID_AA64MMFR0_EL1.ASIDbits to be overridden Catalin reports that a hypervisor lying to a guest about the size of the ASID field may result in unexpected issues: - if the underlying HW does only supports 8 bit ASIDs, the ASID field in a TLBI VAE1* operation is only 8 bits, and the HW will ignore the other 8 bits - if on the contrary the HW is 16 bit capable, the ASID field in the same TLBI operation is always 16 bits, irrespective of the value of TCR_ELx.AS. This could lead to missed invalidations if the guest was lead to assume that the HW had 8 bit ASIDs while they really are 16 bit wide. In order to avoid any potential disaster that would be hard to debug, prenent the migration between a host with 8 bit ASIDs to one with wider ASIDs (the converse was obviously always forbidden). This is also consistent with what we already do for VMIDs. If it becomes absolutely mandatory to support such a migration path in the future, we will have to trap and emulate all TLBIs, something that nobody should look forward to. Fixes: d5a32b60dc18 ("KVM: arm64: Allow userspace to change ID_AA64MMFR{0-2}_EL1") Reported-by: Catalin Marinas Signed-off-by: Marc Zyngier Cc: stable@vger.kernel.org Cc: Will Deacon Cc: Mark Rutland Cc: Marc Zyngier Cc: James Morse Cc: Oliver Upton Acked-by: Catalin Marinas Link: https://lore.kernel.org/r/20241203190236.505759-1-maz@kernel.org Signed-off-by: Oliver Upton commit 73dae652dcac776296890da215ee7dec357a1032 Author: Alex Deucher Date: Mon Nov 25 13:59:09 2024 -0500 drm/amdgpu: rework resume handling for display (v2) Split resume into a 3rd step to handle displays when DCC is enabled on DCN 4.0.1. Move display after the buffer funcs have been re-enabled so that the GPU will do the move and properly set the DCC metadata for DCN. v2: fix fence irq resume ordering Reviewed-by: Christian König Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org # 6.11.x commit defc06f7ef163b64cff11990e8847bc225bcdd46 Merge: 8cc4d0f0f2b1c5 86e8f94789dd6f Author: Dave Airlie Date: Wed Dec 4 09:13:03 2024 +1000 Merge tag 'drm-misc-fixes-2024-11-28' of https://gitlab.freedesktop.org/drm/misc/kernel into drm-fixes Short summary of fixes pull: dma-buf: - Fix dma_fence_array_signaled() to ensure forward progress dp_mst: - Fix MST sideband message body length check sti: - Add __iomem for mixer_dbg_mxn()'s parameter Signed-off-by: Dave Airlie From: Thomas Zimmermann Link: https://patchwork.freedesktop.org/patch/msgid/20241128135958.GA244627@linux.fritz.box commit 8cc4d0f0f2b1c59f7dd1738deb246da9de1ada0f Merge: 40384c840ea194 fe52c649438b84 Author: Dave Airlie Date: Wed Dec 4 09:12:31 2024 +1000 Merge tag 'drm-misc-fixes-2024-11-21' of https://gitlab.freedesktop.org/drm/misc/kernel into drm-fixes Short summary of fixes pull: dma-fence: - Fix reference leak on fence-merge failure path - Simplify fence merging with kernel's sort() Signed-off-by: Dave Airlie From: Thomas Zimmermann Link: https://patchwork.freedesktop.org/patch/msgid/20241121131810.GA54208@linux.fritz.box commit 52fd1709e41d3a85b48bcfe2404a024ebaf30c3b Author: Haoyu Li Date: Tue Dec 3 22:29:15 2024 +0800 clk: en7523: Initialize num before accessing hws in en7523_register_clocks() With the new __counted_by annotation in clk_hw_onecell_data, the "num" struct member must be set before accessing the "hws" array. Failing to do so will trigger a runtime warning when enabling CONFIG_UBSAN_BOUNDS and CONFIG_FORTIFY_SOURCE. Fixes: f316cdff8d67 ("clk: Annotate struct clk_hw_onecell_data with __counted_by") Signed-off-by: Haoyu Li Link: https://lore.kernel.org/r/20241203142915.345523-1-lihaoyu499@gmail.com Signed-off-by: Stephen Boyd commit 2eb75f86d52565367211c51334d15fe672633085 Author: Christian Marangi Date: Sat Nov 16 11:56:53 2024 +0100 clk: en7523: Fix wrong BUS clock for EN7581 The Documentation for EN7581 had a typo and still referenced the EN7523 BUS base source frequency. This was in conflict with a different page in the Documentration that state that the BUS runs at 300MHz (600MHz source with divisor set to 2) and the actual watchdog that tick at half the BUS clock (150MHz). This was verified with the watchdog by timing the seconds that the system takes to reboot (due too watchdog) and by operating on different values of the BUS divisor. The correct values for source of BUS clock are 600MHz and 540MHz. This was also confirmed by Airoha. Cc: stable@vger.kernel.org Fixes: 66bc47326ce2 ("clk: en7523: Add EN7581 support") Signed-off-by: Christian Marangi Link: https://lore.kernel.org/r/20241116105710.19748-1-ansuelsmth@gmail.com Acked-by: Lorenzo Bianconi Signed-off-by: Stephen Boyd commit b2e382ae12a63560fca35050498e19e760adf8c0 Author: Liequan Che Date: Mon Dec 2 19:56:38 2024 +0800 bcache: revert replacing IS_ERR_OR_NULL with IS_ERR again Commit 028ddcac477b ("bcache: Remove unnecessary NULL point check in node allocations") leads a NULL pointer deference in cache_set_flush(). 1721 if (!IS_ERR_OR_NULL(c->root)) 1722 list_add(&c->root->list, &c->btree_cache); >From the above code in cache_set_flush(), if previous registration code fails before allocating c->root, it is possible c->root is NULL as what it is initialized. __bch_btree_node_alloc() never returns NULL but c->root is possible to be NULL at above line 1721. This patch replaces IS_ERR() by IS_ERR_OR_NULL() to fix this. Fixes: 028ddcac477b ("bcache: Remove unnecessary NULL point check in node allocations") Signed-off-by: Liequan Che Cc: stable@vger.kernel.org Cc: Zheng Wang Reviewed-by: Mingzhe Zou Signed-off-by: Coly Li Link: https://lore.kernel.org/r/20241202115638.28957-1-colyli@suse.de Signed-off-by: Jens Axboe commit 5a6ea7022ff4d2a65ae328619c586d6a8909b48b Author: Eduard Zingerman Date: Tue Dec 3 10:22:22 2024 -0800 samples/bpf: Remove unnecessary -I flags from libbpf EXTRA_CFLAGS Commit [0] breaks samples/bpf build: $ make M=samples/bpf ... make -C /path/to/kernel/samples/bpf/../../tools/lib/bpf \ ... EXTRA_CFLAGS=" \ ... -fsanitize=bounds \ -I/path/to/kernel/usr/include \ ... /path/to/kernel/samples/bpf/libbpf/libbpf.a install_headers CC /path/to/kernel/samples/bpf/libbpf/staticobjs/libbpf.o In file included from libbpf.c:29: /path/to/kernel/tools/include/linux/err.h:35:8: error: 'inline' can only appear on functions 35 | static inline void * __must_check ERR_PTR(long error_) | ^ The error is caused by `objtree` variable changing definition from `.` (dot) to an absolute path: - The variable TPROGS_CFLAGS is constructed as follows: ... TPROGS_CFLAGS += -I$(objtree)/usr/include - It is passed as EXTRA_CFLAGS for libbpf compilation: $(LIBBPF): ... ... $(MAKE) -C $(LIBBPF_SRC) RM='rm -rf' EXTRA_CFLAGS="$(TPROGS_CFLAGS)" - Before commit [0], the line passed to libbpf makefile was '-I./usr/include', where '.' referred to LIBBPF_SRC due to -C flag. The directory $(LIBBPF_SRC)/usr/include does not exist and thus was never resolved by C compiler. - After commit [0], the line passed to libbpf makefile became: '/usr/include', this directory exists and is resolved by C compiler. - Both 'tools/include' and 'usr/include' define files err.h and types.h. - libbpf expects headers like 'linux/err.h' and 'linux/types.h' defined in 'tools/include', not 'usr/include', hence the compilation error. This commit removes unnecessary -I flags from libbpf compilation. (libbpf sets up the necessary includes at lib/bpf/Makefile:63). Changes v1 [1] -> v2: - dropped unnecessary replacement of KBUILD_OUTPUT with $(objtree) (Andrii) Changes v2 [2] -> v3: - make sure --sysroot option is set for libbpf's EXTRA_CFLAGS, if $(SYSROOT) is set (Stanislav) [0] commit 13b25489b6f8 ("kbuild: change working directory to external module directory with M=") [1] https://lore.kernel.org/bpf/20241202212154.3174402-1-eddyz87@gmail.com/ [2] https://lore.kernel.org/bpf/20241202234741.3492084-1-eddyz87@gmail.com/ Fixes: 13b25489b6f8 ("kbuild: change working directory to external module directory with M=") Signed-off-by: Eduard Zingerman Signed-off-by: Andrii Nakryiko Acked-by: Stanislav Fomichev Link: https://lore.kernel.org/bpf/20241203182222.3915763-1-eddyz87@gmail.com commit 7b1d83da254be3bf054965c8f3b1ad976f460ae5 Author: Pablo Neira Ayuso Date: Wed Nov 27 12:46:54 2024 +0100 netfilter: nft_inner: incorrect percpu area handling under softirq Softirq can interrupt ongoing packet from process context that is walking over the percpu area that contains inner header offsets. Disable bh and perform three checks before restoring the percpu inner header offsets to validate that the percpu area is valid for this skbuff: 1) If the NFT_PKTINFO_INNER_FULL flag is set on, then this skbuff has already been parsed before for inner header fetching to register. 2) Validate that the percpu area refers to this skbuff using the skbuff pointer as a cookie. If there is a cookie mismatch, then this skbuff needs to be parsed again. 3) Finally, validate if the percpu area refers to this tunnel type. Only after these three checks the percpu area is restored to a on-stack copy and bh is enabled again. After inner header fetching, the on-stack copy is stored back to the percpu area. Fixes: 3a07327d10a0 ("netfilter: nft_inner: support for inner tunnel header matching") Reported-by: syzbot+84d0441b9860f0d63285@syzkaller.appspotmail.com Signed-off-by: Pablo Neira Ayuso commit b03917e02bf9861be887a7e67c399b3b014f88be Author: Konstantin Andrikopoulos Date: Wed Nov 27 15:07:38 2024 +0000 rust: add safety comment in workqueue traits Add missing safety comments for the implementation of the unsafe traits WorkItemPointer and RawWorkItem for Arc in workqueue.rs Link: https://github.com/Rust-for-Linux/linux/issues/351. Co-developed-by: Vangelis Mamalakis Signed-off-by: Vangelis Mamalakis Suggested-by: Miguel Ojeda Reviewed-by: Alice Ryhl Signed-off-by: Konstantin Andrikopoulos Signed-off-by: Tejun Heo commit 793baff3f24f16dab9061045e23eea67724feae6 Author: Honglei Wang Date: Fri Nov 29 17:10:03 2024 +0800 sched_ext: Add __weak to fix the build errors commit 5cbb302880f5 ("sched_ext: Rename scx_bpf_dispatch[_vtime]_from_dsq*() -> scx_bpf_dsq_move[_vtime]*()") introduced several new functions which caused compilation errors when compiled with clang. Let's fix this by adding __weak markers. Signed-off-by: Honglei Wang Signed-off-by: Tejun Heo Fixes: 5cbb302880f5 ("sched_ext: Rename scx_bpf_dispatch[_vtime]_from_dsq*() -> scx_bpf_dsq_move[_vtime]*()") Acked-by: Andrii Nakryiko commit 9c803c474c6c002d8ade68ebe99026cc39c37f85 Author: Filipe Manana Date: Fri Nov 29 13:33:03 2024 +0000 btrfs: fix missing snapshot drew unlock when root is dead during swap activation When activating a swap file we acquire the root's snapshot drew lock and then check if the root is dead, failing and returning with -EPERM if it's dead but without unlocking the root's snapshot lock. Fix this by adding the missing unlock. Fixes: 60021bd754c6 ("btrfs: prevent subvol with swapfile from being deleted") Reviewed-by: Johannes Thumshirn Reviewed-by: David Sterba Reviewed-by: Qu Wenruo Signed-off-by: Filipe Manana Signed-off-by: David Sterba commit 951a3f59d268fe1397aaeb9a96fcb1944890c4cb Author: Qu Wenruo Date: Wed Oct 30 11:25:48 2024 +1030 btrfs: fix mount failure due to remount races [BUG] The following reproducer can cause btrfs mount to fail: dev="/dev/test/scratch1" mnt1="/mnt/test" mnt2="/mnt/scratch" mkfs.btrfs -f $dev mount $dev $mnt1 btrfs subvolume create $mnt1/subvol1 btrfs subvolume create $mnt1/subvol2 umount $mnt1 mount $dev $mnt1 -o subvol=subvol1 while mount -o remount,ro $mnt1; do mount -o remount,rw $mnt1; done & bg=$! while mount $dev $mnt2 -o subvol=subvol2; do umount $mnt2; done kill $bg wait umount -R $mnt1 umount -R $mnt2 The script will fail with the following error: mount: /mnt/scratch: /dev/mapper/test-scratch1 already mounted on /mnt/test. dmesg(1) may have more information after failed mount system call. umount: /mnt/test: target is busy. umount: /mnt/scratch/: not mounted And there is no kernel error message. [CAUSE] During the btrfs mount, to support mounting different subvolumes with different RO/RW flags, we need to detect that and retry if needed: Retry with matching RO flags if the initial mount fail with -EBUSY. The problem is, during that retry we do not hold any super block lock (s_umount), this means there can be a remount process changing the RO flags of the original fs super block. If so, we can have an EBUSY error during retry. And this time we treat any failure as an error, without any retry and cause the above EBUSY mount failure. [FIX] The current retry behavior is racy because we do not have a super block thus no way to hold s_umount to prevent the race with remount. Solve the root problem by allowing fc->sb_flags to mismatch from the sb->s_flags at btrfs_get_tree_super(). Then at the re-entry point btrfs_get_tree_subvol(), manually check the fc->s_flags against sb->s_flags, if it's a RO->RW mismatch, then reconfigure with s_umount lock hold. Reported-by: Enno Gotthold Reported-by: Fabian Vogt [ Special thanks for the reproducer and early analysis pointing to btrfs. ] Fixes: f044b318675f ("btrfs: handle the ro->rw transition for mounting different subvolumes") Link: https://bugzilla.suse.com/show_bug.cgi?id=1231836 Signed-off-by: Qu Wenruo Reviewed-by: David Sterba Signed-off-by: David Sterba commit feffde684ac29a3b7aec82d2df850fbdbdee55e4 Merge: 3d246949091212 22d2e48e318564 Author: Linus Torvalds Date: Tue Dec 3 11:02:17 2024 -0800 Merge tag 'for-6.13-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux Pull btrfs fixes from David Sterba: - add lockdep annotations for io_uring/encoded read integration, inode lock is held when returning to userspace - properly reflect experimental config option to sysfs - handle NULL root in case the rescue mode accepts invalid/damaged tree roots (rescue=ibadroot) - regression fix of a deadlock between transaction and extent locks - fix pending bio accounting bug in encoded read ioctl - fix NOWAIT mode when checking references for NOCOW files - fix use-after-free in a rb-tree cleanup in ref-verify debugging tool * tag 'for-6.13-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux: btrfs: fix lockdep warnings on io_uring encoded reads btrfs: ref-verify: fix use-after-free after invalid ref action btrfs: add a sanity check for btrfs root in btrfs_search_slot() btrfs: don't loop for nowait writes when checking for cross references btrfs: sysfs: advertise experimental features only if CONFIG_BTRFS_EXPERIMENTAL=y btrfs: fix deadlock between transaction commits and extent locks btrfs: fix use-after-free in btrfs_encoded_read_endio() commit b0de5456e201c475d6a860ceeb3ed8ee2923695a Author: Keith Busch Date: Mon Dec 2 09:45:48 2024 -0800 nvme-pci: remove two deallocate zeroes quirks The quirk was initially used as a signal to set the discard_zeroes_data queue limit because there were some use cases that relied on that behavior. The queue limit no longer exists as every user of it has been converted to use the write zeroes operation instead. The quirk now means to use a discard command as an alias to a write zeroes request. Two of the devices previously using the quirk support the write zeroes command directly, so these don't need or want to use discard when the desired operation is to write zeroes. Reviewed-by: Christoph Hellwig Signed-off-by: Keith Busch commit 3d2469490912122b1e619c46b720d9cde047b2a7 Merge: 9141c5d389a9ec 6756af923e06aa Author: Linus Torvalds Date: Tue Dec 3 10:50:22 2024 -0800 Merge tag 'fs_for_v6.13-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs Pull quota and udf fixes from Jan Kara: "Two small UDF fixes for better handling of corrupted filesystem and a quota fix to fix handling of filesystem freezing" * tag 'fs_for_v6.13-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs: udf: Verify inode link counts before performing rename udf: Skip parent dir link count update if corrupted quota: flush quota_release_work upon quota writeback commit 9141c5d389a9ec80121de3125cde7c713726ceea Merge: ceb8bf2ceaa77f cc2dba08cc33da Author: Linus Torvalds Date: Tue Dec 3 10:46:49 2024 -0800 Merge tag 'xfs-fixes-6.13-rc2' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux Pull xfs fixes from Carlos Maiolino: - Use xchg() in xlog_cil_insert_pcp_aggregate() - Fix ABBA deadlock on a race between mount and log shutdown - Fix quota softlimit incoherency on delalloc - Fix sparse inode limits on runt AG - remove unknown compat feature checks in SB write valdation - Eliminate a lockdep false positive * tag 'xfs-fixes-6.13-rc2' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux: xfs: don't call xfs_bmap_same_rtgroup in xfs_bmap_add_extent_hole_delay xfs: Use xchg() in xlog_cil_insert_pcp_aggregate() xfs: prevent mount and log shutdown race xfs: delalloc and quota softlimit timers are incoherent xfs: fix sparse inode limits on runt AG xfs: remove unknown compat feature check in superblock write validation xfs: eliminate lockdep false positives in xfs_attr_shortform_list commit 0566f83d206c7a864abcd741fe39d6e0ae5eef29 Author: Yuan Can Date: Wed Oct 23 20:10:48 2024 +0800 igb: Fix potential invalid memory access in igb_init_module() The pci_register_driver() can fail and when this happened, the dca_notifier needs to be unregistered, otherwise the dca_notifier can be called when igb fails to install, resulting to invalid memory access. Fixes: bbd98fe48a43 ("igb: Fix DCA errors and do not use context index for 82576") Signed-off-by: Yuan Can Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) Signed-off-by: Tony Nguyen commit f72ce14b231f7bf06088e4e50f1875f1e35f79d7 Author: Tore Amundsen Date: Fri Nov 15 14:17:36 2024 +0000 ixgbe: Correct BASE-BX10 compliance code SFF-8472 (section 5.4 Transceiver Compliance Codes) defines bit 6 as BASE-BX10. Bit 6 means a value of 0x40 (decimal 64). The current value in the source code is 0x64, which appears to be a mix-up of hex and decimal values. A value of 0x64 (binary 01100100) incorrectly sets bit 2 (1000BASE-CX) and bit 5 (100BASE-FX) as well. Fixes: 1b43e0d20f2d ("ixgbe: Add 1000BASE-BX support") Signed-off-by: Tore Amundsen Reviewed-by: Paul Menzel Acked-by: Ernesto Castellotti Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) Signed-off-by: Tony Nguyen commit 15915b43a7fb938934bb7fc4290127218859d795 Author: Jacob Keller Date: Fri Nov 1 16:05:43 2024 -0700 ixgbe: downgrade logging of unsupported VF API version to debug The ixgbe PF driver logs an info message when a VF attempts to negotiate an API version which it does not support: VF 0 requested invalid api version 6 The ixgbevf driver attempts to load with mailbox API v1.5, which is required for best compatibility with other hosts such as the ESX VMWare PF. The Linux PF only supports API v1.4, and does not currently have support for the v1.5 API. The logged message can confuse users, as the v1.5 API is valid, but just happens to not currently be supported by the Linux PF. Downgrade the info message to a debug message, and fix the language to use 'unsupported' instead of 'invalid' to improve message clarity. Long term, we should investigate whether the improvements in the v1.5 API make sense for the Linux PF, and if so implement them properly. This may require yet another API version to resolve issues with negotiating IPSEC offload support. Fixes: 339f28964147 ("ixgbevf: Add support for new mailbox communication between PF and VF") Reported-by: Yifei Liu Link: https://lore.kernel.org/intel-wired-lan/20240301235837.3741422-1-yifei.l.liu@oracle.com/ Signed-off-by: Jacob Keller Reviewed-by: Przemek Kitszel Tested-by: Rafal Romanowski Signed-off-by: Tony Nguyen commit d0725312adf5a803de8f621bd1b12ba7a6464a29 Author: Jacob Keller Date: Fri Nov 1 16:05:42 2024 -0700 ixgbevf: stop attempting IPSEC offload on Mailbox API 1.5 Commit 339f28964147 ("ixgbevf: Add support for new mailbox communication between PF and VF") added support for v1.5 of the PF to VF mailbox communication API. This commit mistakenly enabled IPSEC offload for API v1.5. No implementation of the v1.5 API has support for IPSEC offload. This offload is only supported by the Linux PF as mailbox API v1.4. In fact, the v1.5 API is not implemented in any Linux PF. Attempting to enable IPSEC offload on a PF which supports v1.5 API will not work. Only the Linux upstream ixgbe and ixgbevf support IPSEC offload, and only as part of the v1.4 API. Fix the ixgbevf Linux driver to stop attempting IPSEC offload when the mailbox API does not support it. The existing API design choice makes it difficult to support future API versions, as other non-Linux hosts do not implement IPSEC offload. If we add support for v1.5 to the Linux PF, then we lose support for IPSEC offload. A full solution likely requires a new mailbox API with a proper negotiation to check that IPSEC is actually supported by the host. Fixes: 339f28964147 ("ixgbevf: Add support for new mailbox communication between PF and VF") Signed-off-by: Jacob Keller Reviewed-by: Przemek Kitszel Tested-by: Rafal Romanowski Signed-off-by: Tony Nguyen commit 4c69c77aafe74cf755af55070584b643e5c4e4d8 Author: Joshua Hay Date: Mon Oct 7 13:24:35 2024 -0700 idpf: set completion tag for "empty" bufs associated with a packet Commit d9028db618a6 ("idpf: convert to libeth Tx buffer completion") inadvertently removed code that was necessary for the tx buffer cleaning routine to iterate over all buffers associated with a packet. When a frag is too large for a single data descriptor, it will be split across multiple data descriptors. This means the frag will span multiple buffers in the buffer ring in order to keep the descriptor and buffer ring indexes aligned. The buffer entries in the ring are technically empty and no cleaning actions need to be performed. These empty buffers can precede other frags associated with the same packet. I.e. a single packet on the buffer ring can look like: buf[0]=skb0.frag0 buf[1]=skb0.frag1 buf[2]=empty buf[3]=skb0.frag2 The cleaning routine iterates through these buffers based on a matching completion tag. If the completion tag is not set for buf2, the loop will end prematurely. Frag2 will be left uncleaned and next_to_clean will be left pointing to the end of packet, which will break the cleaning logic for subsequent cleans. This consequently leads to tx timeouts. Assign the empty bufs the same completion tag for the packet to ensure the cleaning routine iterates over all of the buffers associated with the packet. Fixes: d9028db618a6 ("idpf: convert to libeth Tx buffer completion") Signed-off-by: Joshua Hay Acked-by: Alexander Lobakin Reviewed-by: Madhu chittim Reviewed-by: Simon Horman Tested-by: Krishneil Singh Signed-off-by: Tony Nguyen commit 761e0be2888a931465e0d7bbeecce797f9c311a3 Author: Marcin Szycik Date: Mon Nov 4 19:49:09 2024 +0100 ice: Fix VLAN pruning in switchdev mode In switchdev mode the uplink VSI should receive all unmatched packets, including VLANs. Therefore, VLAN pruning should be disabled if uplink is in switchdev mode. It is already being done in ice_eswitch_setup_env(), however the addition of ice_up() in commit 44ba608db509 ("ice: do switchdev slow-path Rx using PF VSI") caused VLAN pruning to be re-enabled after disabling it. Add a check to ice_set_vlan_filtering_features() to ensure VLAN filtering will not be enabled if uplink is in switchdev mode. Note that ice_is_eswitch_mode_switchdev() is being used instead of ice_is_switchdev_running(), as the latter would only return true after the whole switchdev setup completes. Fixes: 44ba608db509 ("ice: do switchdev slow-path Rx using PF VSI") Reviewed-by: Michal Swiatkowski Signed-off-by: Marcin Szycik Tested-by: Priya Singh Signed-off-by: Tony Nguyen commit 9ee87d2b21990f0bc590da9dff9258e9a8895cb3 Author: Wojciech Drewek Date: Tue Oct 29 10:42:59 2024 +0100 ice: Fix NULL pointer dereference in switchdev Commit 608a5c05c39b ("virtchnl: support queue rate limit and quanta size configuration") introduced new virtchnl ops: - get_qos_caps - cfg_q_bw - cfg_q_quanta New ops were added to ice_virtchnl_dflt_ops, in commit 015307754a19 ("ice: Support VF queue rate limit and quanta size configuration"), but not to the ice_virtchnl_repr_ops. Because of that, if we get one of those messages in switchdev mode we end up with NULL pointer dereference: [ 1199.794701] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 1199.794804] Workqueue: ice ice_service_task [ice] [ 1199.794878] RIP: 0010:0x0 [ 1199.795027] Call Trace: [ 1199.795033] [ 1199.795039] ? __die+0x20/0x70 [ 1199.795051] ? page_fault_oops+0x140/0x520 [ 1199.795064] ? exc_page_fault+0x7e/0x270 [ 1199.795074] ? asm_exc_page_fault+0x22/0x30 [ 1199.795086] ice_vc_process_vf_msg+0x6e5/0xd30 [ice] [ 1199.795165] __ice_clean_ctrlq+0x734/0x9d0 [ice] [ 1199.795207] ice_service_task+0xccf/0x12b0 [ice] [ 1199.795248] process_one_work+0x21a/0x620 [ 1199.795260] worker_thread+0x18d/0x330 [ 1199.795269] ? __pfx_worker_thread+0x10/0x10 [ 1199.795279] kthread+0xec/0x120 [ 1199.795288] ? __pfx_kthread+0x10/0x10 [ 1199.795296] ret_from_fork+0x2d/0x50 [ 1199.795305] ? __pfx_kthread+0x10/0x10 [ 1199.795312] ret_from_fork_asm+0x1a/0x30 [ 1199.795323] Fixes: 015307754a19 ("ice: Support VF queue rate limit and quanta size configuration") Reviewed-by: Przemek Kitszel Reviewed-by: Michal Swiatkowski Signed-off-by: Wojciech Drewek Reviewed-by: Simon Horman Tested-by: Sujai Buvaneswaran Signed-off-by: Tony Nguyen commit 3214fae85e8336fe13e20cf78fc9b6a668bdedff Author: Przemyslaw Korba Date: Fri Nov 15 13:25:37 2024 +0100 ice: fix PHY timestamp extraction for ETH56G Fix incorrect PHY timestamp extraction for ETH56G. It's better to use FIELD_PREP() than manual shift. Fixes: 7cab44f1c35f ("ice: Introduce ETH56G PHY model for E825C products") Reviewed-by: Przemek Kitszel Reviewed-by: Simon Horman Signed-off-by: Przemyslaw Korba Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) Signed-off-by: Tony Nguyen commit 01fd68e54794fb1e1fe95be38facf9bbafee9ca3 Author: Arkadiusz Kubalewski Date: Mon Sep 30 20:36:22 2024 +0200 ice: fix PHY Clock Recovery availability check To check if PHY Clock Recovery mechanic is available for a device, there is a need to verify if given PHY is available within the netlist, but the netlist node type used for the search is wrong, also the search context shall be specified. Modify the search function to allow specifying the context in the search. Use the PHY node type instead of CLOCK CONTROLLER type, also use proper search context which for PHY search is PORT, as defined in E810 Datasheet [1] ('3.3.8.2.4 Node Part Number and Node Options (0x0003)' and 'Table 3-105. Program Topology Device NVM Admin Command'). [1] https://cdrdv2.intel.com/v1/dl/getContent/613875?explicitVersion=true Fixes: 91e43ca0090b ("ice: fix linking when CONFIG_PTP_1588_CLOCK=n") Reviewed-by: Aleksandr Loktionov Signed-off-by: Arkadiusz Kubalewski Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) Signed-off-by: Tony Nguyen commit 92230596252ab6155f2d7f7ff9fa61425800a13f Author: Will Deacon Date: Mon Dec 2 14:57:30 2024 +0000 MAINTAINERS: Add CCA and pKVM CoCO guest support to the ARM64 entry Commits 7999edc484ca ("virt: arm-cca-guest: TSM_REPORT support for realm") and a06c3fad49a5 ("drivers/virt: pkvm: Add initial support for running as a protected guest") added arm64 guest-side support for running in CCA and pKVM confidential computing environments respectively. Unfortunately, these changes were not accompanied by a MAINTAINERS entry and so aren't automatically picked up by the get_maintainer.pl script. Since the initial support was merged via the arm64 tree, extend the ARM64 entry to cover the two new directories. Cc: Marc Zyngier Cc: Oliver Upton Cc: Suzuki K Poulose Signed-off-by: Will Deacon Acked-by: Suzuki K Poulose Acked-by: Catalin Marinas Link: https://lore.kernel.org/r/20241202145731.6422-3-will@kernel.org Signed-off-by: Catalin Marinas commit d44679fb954ffea961036ed1aeb7d65035f78489 Author: Will Deacon Date: Mon Dec 2 14:57:29 2024 +0000 drivers/virt: pkvm: Don't fail ioremap() call if MMIO_GUARD fails Calling the MMIO_GUARD hypercall from guests which have not been enrolled (e.g. because they are running without pvmfw) results in -EINVAL being returned. In this case, MMIO_GUARD is not active and so we can simply proceed with the normal ioremap() routine. Don't fail ioremap() if MMIO_GUARD fails; instead WARN_ON_ONCE() to highlight that the pvm environment is slightly wonky. Fixes: 0f1269495800 ("drivers/virt: pkvm: Intercept ioremap using pKVM MMIO_GUARD hypercall") Signed-off-by: Will Deacon Link: https://lore.kernel.org/r/20241202145731.6422-2-will@kernel.org Signed-off-by: Catalin Marinas commit 88a6e2f67cc94f751a74409ab4c21e5fc8ea6757 Author: Arnaldo Carvalho de Melo Date: Tue Nov 26 11:47:25 2024 -0300 perf machine: Initialize machine->env to address a segfault Its used from trace__run(), for the 'perf trace' live mode, i.e. its strace-like, non-perf.data file processing mode, the most common one. The trace__run() function will set trace->host using machine__new_host() that is supposed to give a machine instance representing the running machine, and since we'll use perf_env__arch_strerrno() to get the right errno -> string table, we need to use machine->env, so initialize it in machine__new_host(). Before the patch: (gdb) run trace --errno-summary -a sleep 1 Summary of events: gvfs-afc-volume (3187), 2 events, 0.0% syscall calls errors total min avg max stddev (msec) (msec) (msec) (msec) (%) --------------- -------- ------ -------- --------- --------- --------- ------ pselect6 1 0 0.000 0.000 0.000 0.000 0.00% GUsbEventThread (3519), 2 events, 0.0% syscall calls errors total min avg max stddev (msec) (msec) (msec) (msec) (%) --------------- -------- ------ -------- --------- --------- --------- ------ poll 1 0 0.000 0.000 0.000 0.000 0.00% Program received signal SIGSEGV, Segmentation fault. 0x00000000005caba0 in perf_env__arch_strerrno (env=0x0, err=110) at util/env.c:478 478 if (env->arch_strerrno == NULL) (gdb) bt #0 0x00000000005caba0 in perf_env__arch_strerrno (env=0x0, err=110) at util/env.c:478 #1 0x00000000004b75d2 in thread__dump_stats (ttrace=0x14f58f0, trace=0x7fffffffa5b0, fp=0x7ffff6ff74e0 <_IO_2_1_stderr_>) at builtin-trace.c:4673 #2 0x00000000004b78bf in trace__fprintf_thread (fp=0x7ffff6ff74e0 <_IO_2_1_stderr_>, thread=0x10fa0b0, trace=0x7fffffffa5b0) at builtin-trace.c:4708 #3 0x00000000004b7ad9 in trace__fprintf_thread_summary (trace=0x7fffffffa5b0, fp=0x7ffff6ff74e0 <_IO_2_1_stderr_>) at builtin-trace.c:4747 #4 0x00000000004b656e in trace__run (trace=0x7fffffffa5b0, argc=2, argv=0x7fffffffde60) at builtin-trace.c:4456 #5 0x00000000004ba43e in cmd_trace (argc=2, argv=0x7fffffffde60) at builtin-trace.c:5487 #6 0x00000000004c0414 in run_builtin (p=0xec3068 , argc=5, argv=0x7fffffffde60) at perf.c:351 #7 0x00000000004c06bb in handle_internal_command (argc=5, argv=0x7fffffffde60) at perf.c:404 #8 0x00000000004c0814 in run_argv (argcp=0x7fffffffdc4c, argv=0x7fffffffdc40) at perf.c:448 #9 0x00000000004c0b5d in main (argc=5, argv=0x7fffffffde60) at perf.c:560 (gdb) After: root@number:~# perf trace -a --errno-summary sleep 1 pw-data-loop (2685), 1410 events, 16.0% syscall calls errors total min avg max stddev (msec) (msec) (msec) (msec) (%) --------------- -------- ------ -------- --------- --------- --------- ------ epoll_wait 188 0 983.428 0.000 5.231 15.595 8.68% ioctl 94 0 0.811 0.004 0.009 0.016 2.82% read 188 0 0.322 0.001 0.002 0.006 5.15% write 141 0 0.280 0.001 0.002 0.018 8.39% timerfd_settime 94 0 0.138 0.001 0.001 0.007 6.47% gnome-control-c (179406), 1848 events, 20.9% syscall calls errors total min avg max stddev (msec) (msec) (msec) (msec) (%) --------------- -------- ------ -------- --------- --------- --------- ------ poll 222 0 959.577 0.000 4.322 21.414 11.40% recvmsg 150 0 0.539 0.001 0.004 0.013 5.12% write 300 0 0.442 0.001 0.001 0.007 3.29% read 150 0 0.183 0.001 0.001 0.009 5.53% getpid 102 0 0.101 0.000 0.001 0.008 7.82% root@number:~# Fixes: 54373b5d53c1f6aa ("perf env: Introduce perf_env__arch_strerrno()") Reported-by: Veronika Molnarova Signed-off-by: Arnaldo Carvalho de Melo Acked-by: Veronika Molnarova Acked-by: Michael Petlan Tested-by: Michael Petlan Link: https://lore.kernel.org/r/Z0XffUgNSv_9OjOi@x1 Signed-off-by: Namhyung Kim commit 8d09e2d569f6e34301387f24433b42062517ca85 Author: Mark Rutland Date: Mon Dec 2 17:03:59 2024 +0000 arm64: patching: avoid early page_to_phys() When arm64 is configured with CONFIG_DEBUG_VIRTUAL=y, a warning is printed from the patching code because patch_map(), e.g. | ------------[ cut here ]------------ | WARNING: CPU: 0 PID: 0 at arch/arm64/kernel/patching.c:45 patch_map.constprop.0+0x120/0xd00 | CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted 6.13.0-rc1-00002-ge1a5d6c6be55 #1 | Hardware name: linux,dummy-virt (DT) | pstate: 800003c5 (Nzcv DAIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) | pc : patch_map.constprop.0+0x120/0xd00 | lr : patch_map.constprop.0+0x120/0xd00 | sp : ffffa9bb312a79a0 | x29: ffffa9bb312a79a0 x28: 0000000000000001 x27: 0000000000000001 | x26: 0000000000000000 x25: 0000000000000000 x24: 00000000000402e8 | x23: ffffa9bb2c94c1c8 x22: ffffa9bb2c94c000 x21: ffffa9bb222e883c | x20: 0000000000000002 x19: ffffc1ffc100ba40 x18: ffffa9bb2cf0f21c | x17: 0000000000000006 x16: 0000000000000000 x15: 0000000000000004 | x14: 1ffff5376625b4ac x13: ffff753766a67fb8 x12: ffff753766919cd1 | x11: 0000000000000003 x10: 1ffff5376625b4c3 x9 : 1ffff5376625b4af | x8 : ffff753766254f0a x7 : 0000000041b58ab3 x6 : ffff753766254f18 | x5 : ffffa9bb312d9bc0 x4 : 0000000000000000 x3 : ffffa9bb29bd90e4 | x2 : 0000000000000002 x1 : ffffa9bb312d9bc0 x0 : 0000000000000000 | Call trace: | patch_map.constprop.0+0x120/0xd00 (P) | patch_map.constprop.0+0x120/0xd00 (L) | __aarch64_insn_write+0xa8/0x120 | aarch64_insn_patch_text_nosync+0x4c/0xb8 | arch_jump_label_transform_queue+0x7c/0x100 | jump_label_update+0x154/0x460 | static_key_enable_cpuslocked+0x1d8/0x280 | static_key_enable+0x2c/0x48 | early_randomize_kstack_offset+0x104/0x168 | do_early_param+0xe4/0x148 | parse_args+0x3a4/0x838 | parse_early_options+0x50/0x68 | parse_early_param+0x58/0xe0 | setup_arch+0x78/0x1f0 | start_kernel+0xa0/0x530 | __primary_switched+0x8c/0xa0 | irq event stamp: 0 | hardirqs last enabled at (0): [<0000000000000000>] 0x0 | hardirqs last disabled at (0): [<0000000000000000>] 0x0 | softirqs last enabled at (0): [<0000000000000000>] 0x0 | softirqs last disabled at (0): [<0000000000000000>] 0x0 | ---[ end trace 0000000000000000 ]--- The warning has been produced since commit: 3e25d5a49f99b75b ("asm-generic: add an optional pfn_valid check to page_to_phys") ... which added a pfn_valid() check into page_to_phys(), and at this point in boot pfn_valid() will always return false because the vmemmap has not yet been initialized and there are no valid mem_sections yet. Before that commit, the arithmetic performed by page_to_phys() would give the expected physical address, though it is somewhat dubious to use vmemmap addresses before the vmemmap has been initialized. Aside from kernel image addresses, all executable code should be allocated from execmem (where all allocations will fall within the vmalloc area), and so there's no need for the fallback case when CONFIG_EXECMEM=n. Simplify patch_map() accordingly, directly converting kernel image addresses and removing the redundant fallback case. Fixes: 3e25d5a49f99 ("asm-generic: add an optional pfn_valid check to page_to_phys") Signed-off-by: Mark Rutland Cc: Arnd Bergmann Cc: Christoph Hellwig Cc: Mike Rapoport Cc: Thomas Huth Cc: Will Deacon Link: https://lore.kernel.org/r/20241202170359.1475019-1-mark.rutland@arm.com Signed-off-by: Catalin Marinas commit d7dfa7fde63dde4d2ec0083133efe2c6686c03ff Author: Herve Codina Date: Mon Dec 2 17:58:19 2024 +0100 of: Fix error path in of_parse_phandle_with_args_map() The current code uses some 'goto put;' to cancel the parsing operation and can lead to a return code value of 0 even on error cases. Indeed, some goto calls are done from a loop without setting the ret value explicitly before the goto call and so the ret value can be set to 0 due to operation done in previous loop iteration. For instance match can be set to 0 in the previous loop iteration (leading to a new iteration) but ret can also be set to 0 it the of_property_read_u32() call succeed. In that case if no match are found or if an error is detected the new iteration, the return value can be wrongly 0. Avoid those cases setting the ret value explicitly before the goto calls. Fixes: bd6f2fd5a1d5 ("of: Support parsing phandle argument lists through a nexus node") Cc: stable@vger.kernel.org Signed-off-by: Herve Codina Link: https://lore.kernel.org/r/20241202165819.158681-1-herve.codina@bootlin.com Signed-off-by: Rob Herring (Arm) commit 239521712b2b568b99d5f0ef7c1f874d797f4a29 Author: Rob Herring (Arm) Date: Wed Nov 13 16:56:31 2024 -0600 dt-bindings: mtd: fixed-partitions: Fix "compression" typo The example erroneously has "compress" property rather than the documented "compression" property. Acked-by: Conor Dooley Link: https://lore.kernel.org/r/20241113225632.1783241-1-robh@kernel.org Signed-off-by: Rob Herring (Arm) commit 2ca704f55e22b7b00cc7025953091af3c82fa5c0 Author: Jason Gunthorpe Date: Tue Nov 12 14:51:36 2024 -0400 iommu/arm-smmu-v3: Improve uAPI comment for IOMMU_HW_INFO_TYPE_ARM_SMMUV3 Be specific about what fields should be accessed in the idr result and give other guidance to the VMM on how it should generate the vIDR. Discussion on the list, and review of the qemu implementation understood this needs to be clearer and more detailed. Link: https://patch.msgid.link/r/0-v1-191e5e24cec3+3b0-iommufd_smmuv3_hwinf_jgg@nvidia.com Reviewed-by: Kevin Tian Signed-off-by: Jason Gunthorpe commit 56a708742a8bf127eb66798bfc9c9516c61f9930 Author: Yang Shi Date: Mon Nov 25 09:16:50 2024 -0800 arm64: mm: Fix zone_dma_limit calculation Commit ba0fb44aed47 ("dma-mapping: replace zone_dma_bits by zone_dma_limit") and subsequent patches changed how zone_dma_limit is calculated to allow a reduced ZONE_DMA even when RAM starts above 4GB. Commit 122c234ef4e1 ("arm64: mm: keep low RAM dma zone") further fixed this to ensure ZONE_DMA remains below U32_MAX if RAM starts below 4GB, especially on platforms that do not have IORT or DT description of the device DMA ranges. While zone boundaries calculation was fixed by the latter commit, zone_dma_limit, used to determine the GFP_DMA flag in the core code, was not updated. This results in excessive use of GFP_DMA and unnecessary ZONE_DMA allocations on some platforms. Update zone_dma_limit to match the actual upper bound of ZONE_DMA. Fixes: ba0fb44aed47 ("dma-mapping: replace zone_dma_bits by zone_dma_limit") Cc: # 6.12.x Reported-by: Yutang Jiang Tested-by: Yutang Jiang Signed-off-by: Yang Shi Link: https://lore.kernel.org/r/20241125171650.77424-1-yang@os.amperecomputing.com [catalin.marinas@arm.com: some tweaking of the commit log] Signed-off-by: Catalin Marinas commit 9151299ee5101e03eeed544c1280b0e14b89a8a4 Author: Geert Uytterhoeven Date: Tue Dec 3 17:27:40 2024 +0100 irqchip/stm32mp-exti: CONFIG_STM32MP_EXTI should not default to y when compile-testing Merely enabling compile-testing should not enable additional functionality. Fixes: 0be58e0553812fcb ("irqchip/stm32mp-exti: Allow building as module") Signed-off-by: Geert Uytterhoeven Signed-off-by: Thomas Gleixner Link: https://lore.kernel.org/all/ef5ec063b23522058f92087e072419ea233acfe9.1733243115.git.geert+renesas@glider.be commit ceb8bf2ceaa77fe222fe8fe32cb7789c9099ddf1 Author: Masahiro Yamada Date: Tue Dec 3 19:21:07 2024 +0900 module: Convert default symbol namespace to string literal Commit cdd30ebb1b9f ("module: Convert symbol namespace to string literal") only converted MODULE_IMPORT_NS() and EXPORT_SYMBOL_NS(), leaving DEFAULT_SYMBOL_NAMESPACE as a macro expansion. This commit converts DEFAULT_SYMBOL_NAMESPACE in the same way to avoid annoyance for the default namespace as well. Signed-off-by: Masahiro Yamada Reviewed-by: Uwe Kleine-König Signed-off-by: Linus Torvalds commit 3727b1a7ca23050f8c7fe3d6a6884fc8038b8336 Author: Masahiro Yamada Date: Tue Dec 3 19:21:06 2024 +0900 doc: module: revert misconversions for MODULE_IMPORT_NS() This reverts the misconversions introduced by commit cdd30ebb1b9f ("module: Convert symbol namespace to string literal"). The affected descriptions refer to MODULE_IMPORT_NS() tags in general, rather than suggesting the use of the empty string ("") as the namespace. Fixes: cdd30ebb1b9f ("module: Convert symbol namespace to string literal") Signed-off-by: Masahiro Yamada Signed-off-by: Linus Torvalds commit 62aa6f2ede976dfb3539e59ee55c62cfd3c3faa3 Author: Masahiro Yamada Date: Tue Dec 3 19:21:05 2024 +0900 scripts/nsdeps: get 'make nsdeps' working again Since commit cdd30ebb1b9f ("module: Convert symbol namespace to string literal"), when MODULE_IMPORT_NS() is missing, 'make nsdeps' inserts pointless code: MODULE_IMPORT_NS("ns"); Here, "ns" is not a namespace, but the variable in the semantic patch. It must not be quoted. Instead, a string literal must be passed to Coccinelle. Fixes: cdd30ebb1b9f ("module: Convert symbol namespace to string literal") Signed-off-by: Masahiro Yamada Signed-off-by: Linus Torvalds commit a8c9df25f90e5155b70f5e2474c7299841e3335a Author: Nicolin Chen Date: Tue Dec 3 00:02:55 2024 -0800 iommufd/selftest: Cover IOMMU_FAULT_QUEUE_ALLOC in iommufd_fail_nth This was missing in the series introducing the fault object. Thus, add it. Link: https://patch.msgid.link/r/d61b9b7f73276cc8f1aef9602bd35c486917506e.1733212723.git.nicolinc@nvidia.com Signed-off-by: Nicolin Chen Signed-off-by: Jason Gunthorpe commit af7f4780514f850322b2959032ecaa96e4b26472 Author: Nicolin Chen Date: Tue Dec 3 00:02:54 2024 -0800 iommufd: Fix out_fput in iommufd_fault_alloc() As fput() calls the file->f_op->release op, where fault obj and ictx are getting released, there is no need to release these two after fput() one more time, which would result in imbalanced refcounts: refcount_t: decrement hit 0; leaking memory. WARNING: CPU: 48 PID: 2369 at lib/refcount.c:31 refcount_warn_saturate+0x60/0x230 Call trace: refcount_warn_saturate+0x60/0x230 (P) refcount_warn_saturate+0x60/0x230 (L) iommufd_fault_fops_release+0x9c/0xe0 [iommufd] ... VFS: Close: file count is 0 (f_op=iommufd_fops [iommufd]) WARNING: CPU: 48 PID: 2369 at fs/open.c:1507 filp_flush+0x3c/0xf0 Call trace: filp_flush+0x3c/0xf0 (P) filp_flush+0x3c/0xf0 (L) __arm64_sys_close+0x34/0x98 ... imbalanced put on file reference count WARNING: CPU: 48 PID: 2369 at fs/file.c:74 __file_ref_put+0x100/0x138 Call trace: __file_ref_put+0x100/0x138 (P) __file_ref_put+0x100/0x138 (L) __fput_sync+0x4c/0xd0 Drop those two lines to fix the warnings above. Cc: stable@vger.kernel.org Fixes: 07838f7fd529 ("iommufd: Add iommufd fault object") Link: https://patch.msgid.link/r/b5651beb3a6b1adeef26fffac24607353bf67ba1.1733212723.git.nicolinc@nvidia.com Signed-off-by: Nicolin Chen Reviewed-by: Yi Liu Signed-off-by: Jason Gunthorpe commit 514b2262ade48a0503ac6aa03c3bfb8c5be69b21 Author: Arnd Bergmann Date: Sat Nov 16 00:05:18 2024 +0100 firmware: arm_scmi: Fix i.MX build dependency The newly added SCMI vendor driver references functions in the protocol driver but needs a Kconfig dependency to ensure it can link, essentially the Kconfig dependency needs to be reversed to match the link time dependency: | arm-linux-gnueabi-ld: sound/soc/fsl/fsl_mqs.o: in function `fsl_mqs_sm_write': | fsl_mqs.c:(.text+0x1aa): undefined reference to `scmi_imx_misc_ctrl_set' | arm-linux-gnueabi-ld: sound/soc/fsl/fsl_mqs.o: in function `fsl_mqs_sm_read': | fsl_mqs.c:(.text+0x1ee): undefined reference to `scmi_imx_misc_ctrl_get' This however only works after changing the dependency in the SND_SOC_FSL_MQS driver as well, which uses 'select IMX_SCMI_MISC_DRV' to turn on a driver it depends on. This is generally a bad idea, so the best solution is to change that into a dependency. To allow the ASoC driver to keep building with the SCMI support, this needs to be an optional dependency that enforces the link-time dependency if IMX_SCMI_MISC_DRV is a loadable module but not depend on it if that is disabled. Fixes: 61c9f03e22fc ("firmware: arm_scmi: Add initial support for i.MX MISC protocol") Fixes: 101c9023594a ("ASoC: fsl_mqs: Support accessing registers by scmi interface") Signed-off-by: Arnd Bergmann Acked-by: Mark Brown Acked-by: Shengjiu Wang Message-Id: <20241115230555.2435004-1-arnd@kernel.org> Signed-off-by: Sudeep Holla commit 7937a1bf32e31f80032c71511cc24d707753d07d Author: Randy Dunlap Date: Wed Nov 27 19:51:59 2024 -0800 iommufd: Fix typos in kernel-doc comments Fix typos/spellos in kernel-doc comments for readability. Fixes: aad37e71d5c4 ("iommufd: IOCTLs for the io_pagetable") Fixes: b7a0855eb95f ("iommu: Add new flag to explictly request PASID capable domain") Fixes: d68beb276ba2 ("iommu/arm-smmu-v3: Support IOMMU_HWPT_INVALIDATE using a VIOMMU object") Link: https://patch.msgid.link/r/20241128035159.374624-1-rdunlap@infradead.org Signed-off-by: Randy Dunlap Acked-by: Nicolin Chen Signed-off-by: Jason Gunthorpe commit 9d9f204bdf7243bfc2c6a023d63c63f7cbf8ef0b Author: Thomas Gleixner Date: Tue Dec 3 11:40:43 2024 +0100 genirq/proc: Add missing space separator back The recent conversion of show_interrupts() to seq_put_decimal_ull_width() caused a formatting regression as it drops a previosuly existing space separator. Add it back by unconditionally inserting a space after the interrupt counts and removing the extra leading space from the chip name prints. Fixes: f9ed1f7c2e26 ("genirq/proc: Use seq_put_decimal_ull_width() for decimal values") Reported-by: Geert Uytterhoeven Signed-off-by: Thomas Gleixner Tested-by: Geert Uytterhoeven Reviewed-by: David Wang <00107082@163.com> Link: https://lore.kernel.org/all/87zfldt5g4.ffs@tglx Closes: https://lore.kernel.org/all/4ce18851-6e9f-bbe-8319-cc5e69fb45c@linux-m68k.org commit 3c93e4e4a2aeb92ea99e1eac3e1180f5ed49538c Author: FUJITA Tomonori Date: Sat Nov 30 18:45:21 2024 +0900 block: rnull: add missing MODULE_DESCRIPTION Add the missing description to fix the following warning: WARNING: modpost: missing MODULE_DESCRIPTION() in drivers/block/rnull_mod.o Signed-off-by: FUJITA Tomonori Acked-by: Andreas Hindborg Link: https://lore.kernel.org/r/20241130094521.193924-1-fujita.tomonori@gmail.com Signed-off-by: Jens Axboe commit a07d2d7930c75e6bf88683b376d09ab1f3fed2aa Author: Bernd Schubert Date: Tue Dec 3 11:31:05 2024 +0100 io_uring: Change res2 parameter type in io_uring_cmd_done Change the type of the res2 parameter in io_uring_cmd_done from ssize_t to u64. This aligns the parameter type with io_req_set_cqe32_extra, which expects u64 arguments. The change eliminates potential issues on 32-bit architectures where ssize_t might be 32-bit. Only user of passing res2 is drivers/nvme/host/ioctl.c and it actually passes u64. Fixes: ee692a21e9bf ("fs,io_uring: add infrastructure for uring-cmd") Cc: stable@vger.kernel.org Reviewed-by: Kanchan Joshi Tested-by: Li Zetao Reviewed-by: Li Zetao Signed-off-by: Bernd Schubert Link: https://lore.kernel.org/r/20241203-io_uring_cmd_done-res2-as-u64-v2-1-5e59ae617151@ddn.com Signed-off-by: Jens Axboe commit 7f71507851fc7764b36a3221839607d3a45c2025 Author: Huacai Chen Date: Tue Dec 3 19:49:28 2024 +0800 LoongArch: KVM: Protect kvm_io_bus_{read,write}() with SRCU When we enable lockdep we get such a warning: ============================= WARNING: suspicious RCU usage 6.12.0-rc7+ #1891 Tainted: G W ----------------------------- arch/loongarch/kvm/../../../virt/kvm/kvm_main.c:5945 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by qemu-system-loo/948: #0: 90000001184a00a8 (&vcpu->mutex){+.+.}-{4:4}, at: kvm_vcpu_ioctl+0xf4/0xe20 [kvm] stack backtrace: CPU: 2 UID: 0 PID: 948 Comm: qemu-system-loo Tainted: G W 6.12.0-rc7+ #1891 Tainted: [W]=WARN Hardware name: Loongson Loongson-3A5000-7A1000-1w-CRB/Loongson-LS3A5000-7A1000-1w-CRB, BIOS vUDK2018-LoongArch-V2.0.0-prebeta9 10/21/2022 Stack : 0000000000000089 9000000005a0db9c 90000000071519c8 900000012c578000 900000012c57b940 0000000000000000 900000012c57b948 9000000007e53788 900000000815bcc8 900000000815bcc0 900000012c57b7b0 0000000000000001 0000000000000001 4b031894b9d6b725 0000000005dec000 9000000100427b00 00000000000003d2 0000000000000001 000000000000002d 0000000000000003 0000000000000030 00000000000003b4 0000000005dec000 0000000000000000 900000000806d000 9000000007e53788 00000000000000b4 0000000000000004 0000000000000004 0000000000000000 0000000000000000 9000000107baf600 9000000008916000 9000000007e53788 9000000005924778 000000001fe001e5 00000000000000b0 0000000000000007 0000000000000000 0000000000071c1d ... Call Trace: [<9000000005924778>] show_stack+0x38/0x180 [<90000000071519c4>] dump_stack_lvl+0x94/0xe4 [<90000000059eb754>] lockdep_rcu_suspicious+0x194/0x240 [] kvm_io_bus_read+0x19c/0x1e0 [kvm] [] kvm_emu_mmio_read+0xd8/0x440 [kvm] [] kvm_handle_read_fault+0x3c/0xe0 [kvm] [] kvm_handle_exit+0x228/0x480 [kvm] Fix it by protecting kvm_io_bus_{read,write}() with SRCU. Cc: stable@vger.kernel.org Reviewed-by: Bibo Mao Signed-off-by: Huacai Chen commit ee3878b84cc27ee62cdf78d2842830f4dcdab117 Author: Stefan Wahren Date: Mon Dec 2 12:54:37 2024 +0100 irqchip/bcm2836: Enable SKIP_SET_WAKE and MASK_ON_SUSPEND The BCM2836 interrupt controller doesn't provide any facility to configure the wakeup sources. That's the reason why the driver lacks the irq_set_wake() callback for the interrupt chip. Enable the flags IRQCHIP_SKIP_SET_WAKE and IRQCHIP_MASK_ON_SUSPEND so the interrupt suspend logic can handle the chip correctly equivalently to the corresponding bcm2835 change (9a58480e5e53 ("irqchip/bcm2835: Enable SKIP_SET_WAKE and MASK_ON_SUSPEND"). Signed-off-by: Stefan Wahren Signed-off-by: Thomas Gleixner Acked-by: Florian Fainelli Link: https://lore.kernel.org/all/20241202115437.33552-1-wahrenst@gmx.net commit f58326c70df0dc413bb58848b188523b3662cf0f Author: Lorenzo Pieralisi Date: Mon Dec 2 12:25:18 2024 +0100 irqchip/gic-v3: Fix irq_complete_ack() comment When the GIC is in EOImode == 1 in irq_complete_ack() it executes a priority drop not a deactivation. Fix the function comment to clarify the behaviour. Signed-off-by: Lorenzo Pieralisi Signed-off-by: Thomas Gleixner Link: https://lore.kernel.org/all/20241202112518.51178-1-lpieralisi@kernel.org commit af8edaeddbc52e53207d859c912b017fd9a77629 Author: Eric Dumazet Date: Mon Dec 2 10:05:58 2024 +0000 net: hsr: must allocate more bytes for RedBox support Blamed commit forgot to change hsr_init_skb() to allocate larger skb for RedBox case. Indeed, send_hsr_supervision_frame() will add two additional components (struct hsr_sup_tlv and struct hsr_sup_payload) syzbot reported the following crash: skbuff: skb_over_panic: text:ffffffff8afd4b0a len:34 put:6 head:ffff88802ad29e00 data:ffff88802ad29f22 tail:0x144 end:0x140 dev:gretap0 ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:206 ! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 2 UID: 0 PID: 7611 Comm: syz-executor Not tainted 6.12.0-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:skb_panic+0x157/0x1d0 net/core/skbuff.c:206 Code: b6 04 01 84 c0 74 04 3c 03 7e 21 8b 4b 70 41 56 45 89 e8 48 c7 c7 a0 7d 9b 8c 41 57 56 48 89 ee 52 4c 89 e2 e8 9a 76 79 f8 90 <0f> 0b 4c 89 4c 24 10 48 89 54 24 08 48 89 34 24 e8 94 76 fb f8 4c RSP: 0018:ffffc90000858ab8 EFLAGS: 00010282 RAX: 0000000000000087 RBX: ffff8880598c08c0 RCX: ffffffff816d3e69 RDX: 0000000000000000 RSI: ffffffff816de786 RDI: 0000000000000005 RBP: ffffffff8c9b91c0 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000000000302 R11: ffffffff961cc1d0 R12: ffffffff8afd4b0a R13: 0000000000000006 R14: ffff88804b938130 R15: 0000000000000140 FS: 000055558a3d6500(0000) GS:ffff88806a800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f1295974ff8 CR3: 000000002ab6e000 CR4: 0000000000352ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: skb_over_panic net/core/skbuff.c:211 [inline] skb_put+0x174/0x1b0 net/core/skbuff.c:2617 send_hsr_supervision_frame+0x6fa/0x9e0 net/hsr/hsr_device.c:342 hsr_proxy_announce+0x1a3/0x4a0 net/hsr/hsr_device.c:436 call_timer_fn+0x1a0/0x610 kernel/time/timer.c:1794 expire_timers kernel/time/timer.c:1845 [inline] __run_timers+0x6e8/0x930 kernel/time/timer.c:2419 __run_timer_base kernel/time/timer.c:2430 [inline] __run_timer_base kernel/time/timer.c:2423 [inline] run_timer_base+0x111/0x190 kernel/time/timer.c:2439 run_timer_softirq+0x1a/0x40 kernel/time/timer.c:2449 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 __do_softirq kernel/softirq.c:588 [inline] invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu kernel/softirq.c:637 [inline] irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline] sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1049 Fixes: 5055cccfc2d1 ("net: hsr: Provide RedBox support (HSR-SAN)") Reported-by: syzbot+7f4643b267cc680bfa1c@syzkaller.appspotmail.com Signed-off-by: Eric Dumazet Cc: Lukasz Majewski Link: https://patch.msgid.link/20241202100558.507765-1-edumazet@google.com Signed-off-by: Paolo Abeni commit 48327566769a6ff2e873b6bf075392bd756625ca Author: Cong Wang Date: Fri Nov 29 13:25:19 2024 -0800 rtnetlink: fix double call of rtnl_link_get_net_ifla() Currently rtnl_link_get_net_ifla() gets called twice when we create peer devices, once in rtnl_add_peer_net() and once in each ->newlink() implementation. This looks safer, however, it leads to a classic Time-of-Check to Time-of-Use (TOCTOU) bug since IFLA_NET_NS_PID is very dynamic. And because of the lack of checking error pointer of the second call, it also leads to a kernel crash as reported by syzbot. Fix this by getting rid of the second call, which already becomes redudant after Kuniyuki's work. We have to propagate the result of the first rtnl_link_get_net_ifla() down to each ->newlink(). Reported-by: syzbot+21ba4d5adff0b6a7cfc6@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=21ba4d5adff0b6a7cfc6 Fixes: 0eb87b02a705 ("veth: Set VETH_INFO_PEER to veth_link_ops.peer_type.") Fixes: 6b84e558e95d ("vxcan: Set VXCAN_INFO_PEER to vxcan_link_ops.peer_type.") Fixes: fefd5d082172 ("netkit: Set IFLA_NETKIT_PEER_INFO to netkit_link_ops.peer_type.") Cc: Kuniyuki Iwashima Signed-off-by: Cong Wang Reviewed-by: Kuniyuki Iwashima Link: https://patch.msgid.link/20241129212519.825567-1-xiyou.wangcong@gmail.com Signed-off-by: Paolo Abeni commit 819e0f1e58e0ba3800cd9eb96b2a39e44e49df97 Author: Benjamin Lin Date: Mon Nov 18 16:07:22 2024 +0800 wifi: mac80211: fix station NSS capability initialization order Station's spatial streaming capability should be initialized before handling VHT OMN, because the handling requires the capability information. Fixes: a8bca3e9371d ("wifi: mac80211: track capability/opmode NSS separately") Signed-off-by: Benjamin Lin Link: https://patch.msgid.link/20241118080722.9603-1-benjamin-jw.lin@mediatek.com [rewrite subject] Signed-off-by: Johannes Berg commit 52cebabb1264a51c80b2461d52e71600c1c58df2 Author: Felix Fietkau Date: Fri Nov 15 12:58:50 2024 +0100 wifi: mac80211: fix vif addr when switching from monitor to station Since adding support for opting out of virtual monitor support, a zero vif addr was used to indicate passive vs active monitor to the driver. This would break the vif->addr when changing the netdev mac address before switching the interface from monitor to sta mode. Fix the regression by adding a separate flag to indicate whether vif->addr is valid. Reported-by: syzbot+9ea265d998de25ac6a46@syzkaller.appspotmail.com Fixes: 9d40f7e32774 ("wifi: mac80211: add flag to opt out of virtual monitor support") Signed-off-by: Felix Fietkau Link: https://patch.msgid.link/20241115115850.37449-1-nbd@nbd.name Signed-off-by: Johannes Berg commit 11ac0d7c3b5ba58232fb7dacb54371cbe75ec183 Author: Emmanuel Grumbach Date: Tue Nov 19 17:35:40 2024 +0200 wifi: mac80211: fix a queue stall in certain cases of CSA If we got an unprotected action frame with CSA and then we heard the beacon with the CSA IE, we'll block the queues with the CSA reason twice. Since this reason is refcounted, we won't wake up the queues since we wake them up only once and the ref count will never reach 0. This led to blocked queues that prevented any activity (even disconnection wouldn't reset the queue state and the only way to recover would be to reload the kernel module. Fix this by not refcounting the CSA reason. It becomes now pointless to maintain the csa_blocked_queues state. Remove it. Signed-off-by: Emmanuel Grumbach Fixes: 414e090bc41d ("wifi: mac80211: restrict public action ECSA frame handling") Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219447 Signed-off-by: Miri Korenblit Link: https://patch.msgid.link/20241119173108.5ea90828c2cc.I4f89e58572fb71ae48e47a81e74595cac410fbac@changeid Signed-off-by: Johannes Berg commit 220bf000530f9b1114fa2a1022a871c7ce8a0b38 Author: Emmanuel Grumbach Date: Tue Nov 19 17:35:39 2024 +0200 wifi: mac80211: wake the queues in case of failure in resume In case we fail to resume, we'll WARN with "Hardware became unavailable during restart." and we'll wait until user space does something. It'll typically bring the interface down and up to recover. This won't work though because the queues are still stopped on IEEE80211_QUEUE_STOP_REASON_SUSPEND reason. Make sure we clear that reason so that we give a chance to the recovery to succeed. Signed-off-by: Emmanuel Grumbach Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219447 Signed-off-by: Miri Korenblit Link: https://patch.msgid.link/20241119173108.cd628f560f97.I76a15fdb92de450e5329940125f3c58916be3942@changeid Signed-off-by: Johannes Berg commit b5c32ff6a3a38c74facdd1fe34c0d709a55527fd Author: Aditya Kumar Singh Date: Thu Nov 21 09:45:30 2024 +0530 wifi: cfg80211: clear link ID from bitmap during link delete after clean up Currently, during link deletion, the link ID is first removed from the valid_links bitmap before performing any clean-up operations. However, some functions require the link ID to remain in the valid_links bitmap. One such example is cfg80211_cac_event(). The flow is - nl80211_remove_link() cfg80211_remove_link() ieee80211_del_intf_link() ieee80211_vif_set_links() ieee80211_vif_update_links() ieee80211_link_stop() cfg80211_cac_event() cfg80211_cac_event() requires link ID to be present but it is cleared already in cfg80211_remove_link(). Ultimately, WARN_ON() is hit. Therefore, clear the link ID from the bitmap only after completing the link clean-up. Signed-off-by: Aditya Kumar Singh Link: https://patch.msgid.link/20241121-mlo_dfs_fix-v2-1-92c3bf7ab551@quicinc.com Signed-off-by: Johannes Berg commit 496db69fd860570145f7c266b31f3af85fca5b00 Author: Haoyu Li Date: Sun Nov 24 01:25:00 2024 +0800 wifi: mac80211: init cnt before accessing elem in ieee80211_copy_mbssid_beacon With the new __counted_by annocation in cfg80211_mbssid_elems, the "cnt" struct member must be set before accessing the "elem" array. Failing to do so will trigger a runtime warning when enabling CONFIG_UBSAN_BOUNDS and CONFIG_FORTIFY_SOURCE. Fixes: c14679d7005a ("wifi: cfg80211: Annotate struct cfg80211_mbssid_elems with __counted_by") Signed-off-by: Haoyu Li Link: https://patch.msgid.link/20241123172500.311853-1-lihaoyu499@gmail.com Signed-off-by: Johannes Berg commit 49dba1ded8dd5a6a12748631403240b2ab245c34 Author: Issam Hamdi Date: Mon Nov 25 17:29:20 2024 +0100 wifi: mac80211: fix mbss changed flags corruption on 32 bit systems On 32-bit systems, the size of an unsigned long is 4 bytes, while a u64 is 8 bytes. Therefore, when using or_each_set_bit(bit, &bits, sizeof(changed) * BITS_PER_BYTE), the code is incorrectly searching for a bit in a 32-bit variable that is expected to be 64 bits in size, leading to incorrect bit finding. Solution: Ensure that the size of the bits variable is correctly adjusted for each architecture. Call Trace: ? show_regs+0x54/0x58 ? __warn+0x6b/0xd4 ? ieee80211_link_info_change_notify+0xcc/0xd4 [mac80211] ? report_bug+0x113/0x150 ? exc_overflow+0x30/0x30 ? handle_bug+0x27/0x44 ? exc_invalid_op+0x18/0x50 ? handle_exception+0xf6/0xf6 ? exc_overflow+0x30/0x30 ? ieee80211_link_info_change_notify+0xcc/0xd4 [mac80211] ? exc_overflow+0x30/0x30 ? ieee80211_link_info_change_notify+0xcc/0xd4 [mac80211] ? ieee80211_mesh_work+0xff/0x260 [mac80211] ? cfg80211_wiphy_work+0x72/0x98 [cfg80211] ? process_one_work+0xf1/0x1fc ? worker_thread+0x2c0/0x3b4 ? kthread+0xc7/0xf0 ? mod_delayed_work_on+0x4c/0x4c ? kthread_complete_and_exit+0x14/0x14 ? ret_from_fork+0x24/0x38 ? kthread_complete_and_exit+0x14/0x14 ? ret_from_fork_asm+0xf/0x14 ? entry_INT80_32+0xf0/0xf0 Signed-off-by: Issam Hamdi Link: https://patch.msgid.link/20241125162920.2711462-1-ih@simonwunderlich.de [restore no-op path for no changes] Signed-off-by: Johannes Berg commit 2e3dbf938656986cce73ac4083500d0bcfbffe24 Author: Lin Ma Date: Sun Dec 1 01:05:26 2024 +0800 wifi: nl80211: fix NL80211_ATTR_MLO_LINK_ID off-by-one Since the netlink attribute range validation provides inclusive checking, the *max* of attribute NL80211_ATTR_MLO_LINK_ID should be IEEE80211_MLD_MAX_NUM_LINKS - 1 otherwise causing an off-by-one. One crash stack for demonstration: ================================================================== BUG: KASAN: wild-memory-access in ieee80211_tx_control_port+0x3b6/0xca0 net/mac80211/tx.c:5939 Read of size 6 at addr 001102080000000c by task fuzzer.386/9508 CPU: 1 PID: 9508 Comm: syz.1.386 Not tainted 6.1.70 #2 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x177/0x231 lib/dump_stack.c:106 print_report+0xe0/0x750 mm/kasan/report.c:398 kasan_report+0x139/0x170 mm/kasan/report.c:495 kasan_check_range+0x287/0x290 mm/kasan/generic.c:189 memcpy+0x25/0x60 mm/kasan/shadow.c:65 ieee80211_tx_control_port+0x3b6/0xca0 net/mac80211/tx.c:5939 rdev_tx_control_port net/wireless/rdev-ops.h:761 [inline] nl80211_tx_control_port+0x7b3/0xc40 net/wireless/nl80211.c:15453 genl_family_rcv_msg_doit+0x22e/0x320 net/netlink/genetlink.c:756 genl_family_rcv_msg net/netlink/genetlink.c:833 [inline] genl_rcv_msg+0x539/0x740 net/netlink/genetlink.c:850 netlink_rcv_skb+0x1de/0x420 net/netlink/af_netlink.c:2508 genl_rcv+0x24/0x40 net/netlink/genetlink.c:861 netlink_unicast_kernel net/netlink/af_netlink.c:1326 [inline] netlink_unicast+0x74b/0x8c0 net/netlink/af_netlink.c:1352 netlink_sendmsg+0x882/0xb90 net/netlink/af_netlink.c:1874 sock_sendmsg_nosec net/socket.c:716 [inline] __sock_sendmsg net/socket.c:728 [inline] ____sys_sendmsg+0x5cc/0x8f0 net/socket.c:2499 ___sys_sendmsg+0x21c/0x290 net/socket.c:2553 __sys_sendmsg net/socket.c:2582 [inline] __do_sys_sendmsg net/socket.c:2591 [inline] __se_sys_sendmsg+0x19e/0x270 net/socket.c:2589 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x45/0x90 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x63/0xcd Update the policy to ensure correct validation. Fixes: 7b0a0e3c3a88 ("wifi: cfg80211: do some rework towards MLO link APIs") Signed-off-by: Lin Ma Suggested-by: Cengiz Can Link: https://patch.msgid.link/20241130170526.96698-1-linma@zju.edu.cn Signed-off-by: Johannes Berg commit b77bd3ba762f34e5eb731134cf50e233d1060053 Author: Fabio Estevam Date: Wed Nov 27 16:06:05 2024 -0300 ARM: imx: Re-introduce the PINCTRL selection Since commit 17d210018914 ("ARM: imx: Allow user to disable pinctrl"), the CONFIG_PINCTRL option is no longer implicitly selected, causing several i.MX SoC pinctrl drivers no longer getting selected by default. This causes boot regressions on the ARMv4, ARMv5, ARMv6 and ARMv7 i.MX SoCs. Fix it by selecting CONFIG_PINCTRL as before. This defeats the purpose of 7d210018914 ("ARM: imx: Allow user to disable pinctrl"), but it is the less invasive fix for the boot regressions. The attempt to build Layerscape without pinctrl can still be explored later as suggested by Arnd: "Overall, my best advice here is still to not change the way i.MX pinctrl works at all, but just fix Layerscape to not depend on i.MX. The reason for the 'select' here is clearly that the i.MX machines would fail to boot without pinctrl, and changing that because of Layerscape seems backwards." Fixes: 17d210018914 ("ARM: imx: Allow user to disable pinctrl") Reported-by: Guenter Roeck Closes: https://lore.kernel.org/linux-arm-kernel/49ff070a-ce67-42d7-84ec-8b54fd7e9742@roeck-us.net/ Signed-off-by: Fabio Estevam Acked-by: Arnd Bergmann Reviewed-by: Linus Walleij Tested-by: Guenter Roeck Link: https://lore.kernel.org/20241127190605.1367157-1-festevam@gmail.com Signed-off-by: Linus Walleij commit 7a0ea70da56ee8c2716d0b79e9959d3c47efab62 Author: Louis Leseur Date: Thu Nov 28 09:33:58 2024 +0100 net/qed: allow old cards not supporting "num_images" to work Commit 43645ce03e00 ("qed: Populate nvm image attribute shadow.") added support for populating flash image attributes, notably "num_images". However, some cards were not able to return this information. In such cases, the driver would return EINVAL, causing the driver to exit. Add check to return EOPNOTSUPP instead of EINVAL when the card is not able to return these information. The caller function already handles EOPNOTSUPP without error. Fixes: 43645ce03e00 ("qed: Populate nvm image attribute shadow.") Co-developed-by: Florian Forestier Signed-off-by: Florian Forestier Signed-off-by: Louis Leseur Link: https://patch.msgid.link/20241128083633.26431-1-louis.leseur@gmail.com Signed-off-by: Paolo Abeni commit 77e6077026fc24a34d38defe3ff4b8063ae5e273 Merge: 6a2fa13312e51a 2c7f14ed9c19ec Author: Paolo Abeni Date: Tue Dec 3 10:42:36 2024 +0100 Merge branch 'two-fixes-for-smc' Wen Gu says: ==================== two fixes for SMC This patch set contains two bugfixes, to fix SMC warning and panic issues in race conditions. ==================== Link: https://patch.msgid.link/20241127133014.100509-1-guwen@linux.alibaba.com Signed-off-by: Paolo Abeni commit 2c7f14ed9c19ec0f149479d1c2842ec1f9bf76d7 Author: Wen Gu Date: Wed Nov 27 21:30:14 2024 +0800 net/smc: fix LGR and link use-after-free issue We encountered a LGR/link use-after-free issue, which manifested as the LGR/link refcnt reaching 0 early and entering the clear process, making resource access unsafe. refcount_t: addition on 0; use-after-free. WARNING: CPU: 14 PID: 107447 at lib/refcount.c:25 refcount_warn_saturate+0x9c/0x140 Workqueue: events smc_lgr_terminate_work [smc] Call trace: refcount_warn_saturate+0x9c/0x140 __smc_lgr_terminate.part.45+0x2a8/0x370 [smc] smc_lgr_terminate_work+0x28/0x30 [smc] process_one_work+0x1b8/0x420 worker_thread+0x158/0x510 kthread+0x114/0x118 or refcount_t: underflow; use-after-free. WARNING: CPU: 6 PID: 93140 at lib/refcount.c:28 refcount_warn_saturate+0xf0/0x140 Workqueue: smc_hs_wq smc_listen_work [smc] Call trace: refcount_warn_saturate+0xf0/0x140 smcr_link_put+0x1cc/0x1d8 [smc] smc_conn_free+0x110/0x1b0 [smc] smc_conn_abort+0x50/0x60 [smc] smc_listen_find_device+0x75c/0x790 [smc] smc_listen_work+0x368/0x8a0 [smc] process_one_work+0x1b8/0x420 worker_thread+0x158/0x510 kthread+0x114/0x118 It is caused by repeated release of LGR/link refcnt. One suspect is that smc_conn_free() is called repeatedly because some smc_conn_free() from server listening path are not protected by sock lock. e.g. Calls under socklock | smc_listen_work ------------------------------------------------------- lock_sock(sk) | smc_conn_abort smc_conn_free | \- smc_conn_free \- smcr_link_put | \- smcr_link_put (duplicated) release_sock(sk) So here add sock lock protection in smc_listen_work() path, making it exclusive with other connection operations. Fixes: 3b2dec2603d5 ("net/smc: restructure client and server code in af_smc") Co-developed-by: Guangguan Wang Signed-off-by: Guangguan Wang Co-developed-by: Kai Signed-off-by: Kai Signed-off-by: Wen Gu Reviewed-by: Wenjia Zhang Signed-off-by: Paolo Abeni commit 0541db8ee32c09463a72d0987382b3a3336b0043 Author: Wen Gu Date: Wed Nov 27 21:30:13 2024 +0800 net/smc: initialize close_work early to avoid warning We encountered a warning that close_work was canceled before initialization. WARNING: CPU: 7 PID: 111103 at kernel/workqueue.c:3047 __flush_work+0x19e/0x1b0 Workqueue: events smc_lgr_terminate_work [smc] RIP: 0010:__flush_work+0x19e/0x1b0 Call Trace: ? __wake_up_common+0x7a/0x190 ? work_busy+0x80/0x80 __cancel_work_timer+0xe3/0x160 smc_close_cancel_work+0x1a/0x70 [smc] smc_close_active_abort+0x207/0x360 [smc] __smc_lgr_terminate.part.38+0xc8/0x180 [smc] process_one_work+0x19e/0x340 worker_thread+0x30/0x370 ? process_one_work+0x340/0x340 kthread+0x117/0x130 ? __kthread_cancel_work+0x50/0x50 ret_from_fork+0x22/0x30 This is because when smc_close_cancel_work is triggered, e.g. the RDMA driver is rmmod and the LGR is terminated, the conn->close_work is flushed before initialization, resulting in WARN_ON(!work->func). __smc_lgr_terminate | smc_connect_{rdma|ism} ------------------------------------------------------------- | smc_conn_create | \- smc_lgr_register_conn for conn in lgr->conns_all | \- smc_conn_kill | \- smc_close_active_abort | \- smc_close_cancel_work | \- cancel_work_sync | \- __flush_work | (close_work) | | smc_close_init | \- INIT_WORK(&close_work) So fix this by initializing close_work before establishing the connection. Fixes: 46c28dbd4c23 ("net/smc: no socket state changes in tasklet context") Fixes: 413498440e30 ("net/smc: add SMC-D support in af_smc") Signed-off-by: Wen Gu Reviewed-by: Wenjia Zhang Reviewed-by: Alexandra Winter Signed-off-by: Paolo Abeni commit 989e0cdc0f18a594b25cabc60426d29659aeaf58 Author: Brahmajit Das Date: Sat Oct 5 01:21:32 2024 +0530 fs/qnx6: Fix building with GCC 15 qnx6_checkroot() had been using weirdly spelled initializer - it needed to initialize 3-element arrays of char and it used NUL-padded 3-character string literals (i.e. 4-element initializers, with completely pointless zeroes at the end). That had been spotted by gcc-15[*]; prior to that gcc quietly dropped the 4th element of initializers. However, none of that had been needed in the first place - all this array is used for is checking that the first directory entry in root directory is "." and the second - "..". The check had been expressed as a loop, using that match_root[] array. Since there is no chance that we ever want to extend that list of entries, the entire thing is much too fancy for its own good; what we need is just a couple of explicit memcmp() and that's it. [*]: fs/qnx6/inode.c: In function ‘qnx6_checkroot’: fs/qnx6/inode.c:182:41: error: initializer-string for array of ‘char’ is too long [-Werror=unterminated-string-initialization] 182 | static char match_root[2][3] = {".\0\0", "..\0"}; | ^~~~~~~ fs/qnx6/inode.c:182:50: error: initializer-string for array of ‘char’ is too long [-Werror=unterminated-string-initialization] 182 | static char match_root[2][3] = {".\0\0", "..\0"}; | ^~~~~~ Signed-off-by: Brahmajit Das Link: https://lore.kernel.org/r/20241004195132.1393968-1-brahmajit.xyz@gmail.com Acked-by: Al Viro Signed-off-by: Christian Brauner commit 5dce85fecb87751ec94526e1ac516dd7871e2e0c Author: John Harrison Date: Thu Nov 28 13:08:23 2024 -0800 drm/xe: Move the coredump registration to the worker thread Adding lockdep checking to the coredump code showed that there was an existing violation. The dev_coredumpm_timeout() call is used to register the dump with the base coredump subsystem. However, that makes multiple memory allocations, only some of which use the GFP_ flags passed in. So that also needs to be deferred to the worker function where it is safe to allocate with arbitrary flags. In order to not add protoypes for the callback functions, moving the _timeout call also means moving the worker thread function to later in the file. v2: Rebased after other changes to the worker function. Fixes: e799485044cb ("drm/xe: Introduce the dev_coredump infrastructure.") Cc: Thomas Hellström Cc: Matthew Brost Cc: Jani Nikula Cc: Daniel Vetter Cc: Francois Dugast Cc: Rodrigo Vivi Cc: Lucas De Marchi Cc: "Thomas Hellström" Cc: Sumit Semwal Cc: "Christian König" Cc: intel-xe@lists.freedesktop.org Cc: linux-media@vger.kernel.org Cc: dri-devel@lists.freedesktop.org Cc: linaro-mm-sig@lists.linaro.org Cc: # v6.8+ Signed-off-by: John Harrison Reviewed-by: Matthew Brost Link: https://patchwork.freedesktop.org/patch/msgid/20241128210824.3302147-3-John.C.Harrison@Intel.com (cherry picked from commit 90f51a7f4ec1004fc4ddfbc6d1f1068d85ef4771) Signed-off-by: Thomas Hellström commit 4495816122cc39c428ebbc4ffd30110bb2877df9 Author: Zhanjun Dong Date: Tue Nov 26 12:10:52 2024 -0800 drm/xe/guc: Fix missing init value and add register order check Fix missing initial value for last_value. For GuC capture register definition, it is required to define 64bit register in a pair of 2 consecutive 32bit register entries, low first, then hi. Add code to check this order. Changes from prior revs: v5:- Correct cross-line comment format v4:- Fix warn on condition and remove skipping v3:- Move break inside brace v2:- Correct the fix tag pointed commit Add examples in comments for warning Add 1 missing hi condition check Fixes: ecb633646391 ("drm/xe/guc: Plumb GuC-capture into dev coredump") Signed-off-by: Zhanjun Dong Reviewed-by: Daniele Ceraolo Spurio Signed-off-by: Daniele Ceraolo Spurio Link: https://patchwork.freedesktop.org/patch/msgid/20241126201052.1937079-1-zhanjun.dong@intel.com (cherry picked from commit 6f59fbcfa041e7d69e5e5f39d4c8cffa06fdc50b) Signed-off-by: Thomas Hellström commit 6a2fa13312e51a621f652d522d7e2df7066330b6 Author: Kuniyuki Iwashima Date: Wed Nov 27 14:05:12 2024 +0900 tipc: Fix use-after-free of kernel socket in cleanup_bearer(). syzkaller reported a use-after-free of UDP kernel socket in cleanup_bearer() without repro. [0][1] When bearer_disable() calls tipc_udp_disable(), cleanup of the UDP kernel socket is deferred by work calling cleanup_bearer(). tipc_net_stop() waits for such works to finish by checking tipc_net(net)->wq_count. However, the work decrements the count too early before releasing the kernel socket, unblocking cleanup_net() and resulting in use-after-free. Let's move the decrement after releasing the socket in cleanup_bearer(). [0]: ref_tracker: net notrefcnt@000000009b3d1faf has 1/1 users at sk_alloc+0x438/0x608 inet_create+0x4c8/0xcb0 __sock_create+0x350/0x6b8 sock_create_kern+0x58/0x78 udp_sock_create4+0x68/0x398 udp_sock_create+0x88/0xc8 tipc_udp_enable+0x5e8/0x848 __tipc_nl_bearer_enable+0x84c/0xed8 tipc_nl_bearer_enable+0x38/0x60 genl_family_rcv_msg_doit+0x170/0x248 genl_rcv_msg+0x400/0x5b0 netlink_rcv_skb+0x1dc/0x398 genl_rcv+0x44/0x68 netlink_unicast+0x678/0x8b0 netlink_sendmsg+0x5e4/0x898 ____sys_sendmsg+0x500/0x830 [1]: BUG: KMSAN: use-after-free in udp_hashslot include/net/udp.h:85 [inline] BUG: KMSAN: use-after-free in udp_lib_unhash+0x3b8/0x930 net/ipv4/udp.c:1979 udp_hashslot include/net/udp.h:85 [inline] udp_lib_unhash+0x3b8/0x930 net/ipv4/udp.c:1979 sk_common_release+0xaf/0x3f0 net/core/sock.c:3820 inet_release+0x1e0/0x260 net/ipv4/af_inet.c:437 inet6_release+0x6f/0xd0 net/ipv6/af_inet6.c:489 __sock_release net/socket.c:658 [inline] sock_release+0xa0/0x210 net/socket.c:686 cleanup_bearer+0x42d/0x4c0 net/tipc/udp_media.c:819 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xcaf/0x1c90 kernel/workqueue.c:3310 worker_thread+0xf6c/0x1510 kernel/workqueue.c:3391 kthread+0x531/0x6b0 kernel/kthread.c:389 ret_from_fork+0x60/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244 Uninit was created at: slab_free_hook mm/slub.c:2269 [inline] slab_free mm/slub.c:4580 [inline] kmem_cache_free+0x207/0xc40 mm/slub.c:4682 net_free net/core/net_namespace.c:454 [inline] cleanup_net+0x16f2/0x19d0 net/core/net_namespace.c:647 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xcaf/0x1c90 kernel/workqueue.c:3310 worker_thread+0xf6c/0x1510 kernel/workqueue.c:3391 kthread+0x531/0x6b0 kernel/kthread.c:389 ret_from_fork+0x60/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244 CPU: 0 UID: 0 PID: 54 Comm: kworker/0:2 Not tainted 6.12.0-rc1-00131-gf66ebf37d69c #7 91723d6f74857f70725e1583cba3cf4adc716cfa Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 Workqueue: events cleanup_bearer Fixes: 26abe14379f8 ("net: Modify sk_alloc to not reference count the netns of kernel sockets.") Reported-by: syzkaller Signed-off-by: Kuniyuki Iwashima Link: https://patch.msgid.link/20241127050512.28438-1-kuniyu@amazon.com Signed-off-by: Paolo Abeni commit 22be4727a8f898442066bcac34f8a1ad0bc72e14 Author: Ivan Solodovnikov Date: Tue Nov 26 17:39:02 2024 +0300 dccp: Fix memory leak in dccp_feat_change_recv If dccp_feat_push_confirm() fails after new value for SP feature was accepted without reconciliation ('entry == NULL' branch), memory allocated for that value with dccp_feat_clone_sp_val() is never freed. Here is the kmemleak stack for this: unreferenced object 0xffff88801d4ab488 (size 8): comm "syz-executor310", pid 1127, jiffies 4295085598 (age 41.666s) hex dump (first 8 bytes): 01 b4 4a 1d 80 88 ff ff ..J..... backtrace: [<00000000db7cabfe>] kmemdup+0x23/0x50 mm/util.c:128 [<0000000019b38405>] kmemdup include/linux/string.h:465 [inline] [<0000000019b38405>] dccp_feat_clone_sp_val net/dccp/feat.c:371 [inline] [<0000000019b38405>] dccp_feat_clone_sp_val net/dccp/feat.c:367 [inline] [<0000000019b38405>] dccp_feat_change_recv net/dccp/feat.c:1145 [inline] [<0000000019b38405>] dccp_feat_parse_options+0x1196/0x2180 net/dccp/feat.c:1416 [<00000000b1f6d94a>] dccp_parse_options+0xa2a/0x1260 net/dccp/options.c:125 [<0000000030d7b621>] dccp_rcv_state_process+0x197/0x13d0 net/dccp/input.c:650 [<000000001f74c72e>] dccp_v4_do_rcv+0xf9/0x1a0 net/dccp/ipv4.c:688 [<00000000a6c24128>] sk_backlog_rcv include/net/sock.h:1041 [inline] [<00000000a6c24128>] __release_sock+0x139/0x3b0 net/core/sock.c:2570 [<00000000cf1f3a53>] release_sock+0x54/0x1b0 net/core/sock.c:3111 [<000000008422fa23>] inet_wait_for_connect net/ipv4/af_inet.c:603 [inline] [<000000008422fa23>] __inet_stream_connect+0x5d0/0xf70 net/ipv4/af_inet.c:696 [<0000000015b6f64d>] inet_stream_connect+0x53/0xa0 net/ipv4/af_inet.c:735 [<0000000010122488>] __sys_connect_file+0x15c/0x1a0 net/socket.c:1865 [<00000000b4b70023>] __sys_connect+0x165/0x1a0 net/socket.c:1882 [<00000000f4cb3815>] __do_sys_connect net/socket.c:1892 [inline] [<00000000f4cb3815>] __se_sys_connect net/socket.c:1889 [inline] [<00000000f4cb3815>] __x64_sys_connect+0x6e/0xb0 net/socket.c:1889 [<00000000e7b1e839>] do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 [<0000000055e91434>] entry_SYSCALL_64_after_hwframe+0x67/0xd1 Clean up the allocated memory in case of dccp_feat_push_confirm() failure and bail out with an error reset code. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: e77b8363b2ea ("dccp: Process incoming Change feature-negotiation options") Signed-off-by: Ivan Solodovnikov Link: https://patch.msgid.link/20241126143902.190853-1-solodovnikov.ia@phystech.edu Signed-off-by: Paolo Abeni commit 3301ab7d5aeb0fe270f73a3d4810c9d1b6a9f045 Author: Jiri Wiesner Date: Thu Nov 28 09:59:50 2024 +0100 net/ipv6: release expired exception dst cached in socket Dst objects get leaked in ip6_negative_advice() when this function is executed for an expired IPv6 route located in the exception table. There are several conditions that must be fulfilled for the leak to occur: * an ICMPv6 packet indicating a change of the MTU for the path is received, resulting in an exception dst being created * a TCP connection that uses the exception dst for routing packets must start timing out so that TCP begins retransmissions * after the exception dst expires, the FIB6 garbage collector must not run before TCP executes ip6_negative_advice() for the expired exception dst When TCP executes ip6_negative_advice() for an exception dst that has expired and if no other socket holds a reference to the exception dst, the refcount of the exception dst is 2, which corresponds to the increment made by dst_init() and the increment made by the TCP socket for which the connection is timing out. The refcount made by the socket is never released. The refcount of the dst is decremented in sk_dst_reset() but that decrement is counteracted by a dst_hold() intentionally placed just before the sk_dst_reset() in ip6_negative_advice(). After ip6_negative_advice() has finished, there is no other object tied to the dst. The socket lost its reference stored in sk_dst_cache and the dst is no longer in the exception table. The exception dst becomes a leaked object. As a result of this dst leak, an unbalanced refcount is reported for the loopback device of a net namespace being destroyed under kernels that do not contain e5f80fcf869a ("ipv6: give an IPv6 dev to blackhole_netdev"): unregister_netdevice: waiting for lo to become free. Usage count = 2 Fix the dst leak by removing the dst_hold() in ip6_negative_advice(). The patch that introduced the dst_hold() in ip6_negative_advice() was 92f1655aa2b22 ("net: fix __dst_negative_advice() race"). But 92f1655aa2b22 merely refactored the code with regards to the dst refcount so the issue was present even before 92f1655aa2b22. The bug was introduced in 54c1a859efd9f ("ipv6: Don't drop cache route entry unless timer actually expired.") where the expired cached route is deleted and the sk_dst_cache member of the socket is set to NULL by calling dst_negative_advice() but the refcount belonging to the socket is left unbalanced. The IPv4 version - ipv4_negative_advice() - is not affected by this bug. When the TCP connection times out ipv4_negative_advice() merely resets the sk_dst_cache of the socket while decrementing the refcount of the exception dst. Fixes: 92f1655aa2b22 ("net: fix __dst_negative_advice() race") Fixes: 54c1a859efd9f ("ipv6: Don't drop cache route entry unless timer actually expired.") Link: https://lore.kernel.org/netdev/20241113105611.GA6723@incl/T/#u Signed-off-by: Jiri Wiesner Reviewed-by: Eric Dumazet Link: https://patch.msgid.link/20241128085950.GA4505@incl Signed-off-by: Jakub Kicinski commit ccb989e4d1efe0dd81b28c437443532d80d9ecee Author: Oleksij Rempel Date: Mon Nov 25 09:40:50 2024 +0100 net: phy: microchip: Reset LAN88xx PHY to ensure clean link state on LAN7800/7850 Fix outdated MII_LPA data in the LAN88xx PHY, which is used in LAN7800 and LAN7850 USB Ethernet controllers. Due to a hardware limitation, the PHY cannot reliably update link status after parallel detection when the link partner does not support auto-negotiation. To mitigate this, add a PHY reset in `lan88xx_link_change_notify()` when `phydev->state` is `PHY_NOLINK`, ensuring the PHY starts in a clean state and reports accurate fixed link parallel detection results. Fixes: 792aec47d59d9 ("add microchip LAN88xx phy driver") Signed-off-by: Oleksij Rempel Link: https://patch.msgid.link/20241125084050.414352-1-o.rempel@pengutronix.de Signed-off-by: Jakub Kicinski commit bd74e238ae6944b462f57ce8752440a011ba4530 Author: Kumar Kartikeya Dwivedi Date: Mon Dec 2 16:22:35 2024 -0800 bpf: Zero index arg error string for dynptr and iter Andrii spotted that process_dynptr_func's rejection of incorrect argument register type will print an error string where argument numbers are not zero-indexed, unlike elsewhere in the verifier. Fix this by subtracting 1 from regno. The same scenario exists for iterator messages. Fix selftest error strings that match on the exact argument number while we're at it to ensure clean bisection. Suggested-by: Andrii Nakryiko Signed-off-by: Kumar Kartikeya Dwivedi Link: https://lore.kernel.org/r/20241203002235.3776418-1-memxor@gmail.com Signed-off-by: Alexei Starovoitov commit 51ee075d698bb3e8df8287ac80447a18c723dd5a Merge: c889aa2e7c2f00 a8c695005bfe65 Author: Jakub Kicinski Date: Mon Dec 2 18:04:10 2024 -0800 Merge tag 'linux-can-fixes-for-6.13-20241202' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can Marc Kleine-Budde says: ==================== pull-request: can 2024-12-02 The first patch is by me and allows the use of sleeping GPIOs to set termination GPIOs. Alexander Kozhinov fixes the gs_usb driver to use the endpoints provided by the usb endpoint descriptions instead of hard coded ones. Dario Binacchi contributes 11 statistics related patches for various CAN driver. A potential use after free in the hi311x is fixed. The statistics for the c_can, sun4i_can, hi311x, m_can, ifi_canfd, sja1000, sun4i_can, ems_usb, f81604 are fixed: update statistics even if the allocation of the error skb fails and fix the incrementing of the rx,tx error counters. A patch by me fixes the workaround for DS80000789E 6 erratum in the mcp251xfd driver. The last patch is by Dmitry Antipov, targets the j1939 CAN protocol and fixes a skb reference counting issue. * tag 'linux-can-fixes-for-6.13-20241202' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can: can: j1939: j1939_session_new(): fix skb reference counting can: mcp251xfd: mcp251xfd_get_tef_len(): work around erratum DS80000789E 6. can: f81604: f81604_handle_can_bus_errors(): fix {rx,tx}_errors statistics can: ems_usb: ems_usb_rx_err(): fix {rx,tx}_errors statistics can: sun4i_can: sun4i_can_err(): fix {rx,tx}_errors statistics can: sja1000: sja1000_err(): fix {rx,tx}_errors statistics can: hi311x: hi3110_can_ist(): fix {rx,tx}_errors statistics can: ifi_canfd: ifi_canfd_handle_lec_err(): fix {rx,tx}_errors statistics can: m_can: m_can_handle_lec_err(): fix {rx,tx}_errors statistics can: hi311x: hi3110_can_ist(): update state error statistics if skb allocation fails can: hi311x: hi3110_can_ist(): fix potential use-after-free can: sun4i_can: sun4i_can_err(): call can_change_state() even if cf is NULL can: c_can: c_can_handle_bus_err(): update statistics if skb allocation fails can: gs_usb: add usb endpoint address detection at driver probe step can: dev: can_set_termination(): allow sleeping GPIOs ==================== Link: https://patch.msgid.link/20241202090040.1110280-1-mkl@pengutronix.de Signed-off-by: Jakub Kicinski commit d4c44354bcaffed729c4eba8c0f2ecfd61fea743 Merge: 537a2525eaf76e 7f71197001e35f Author: Alexei Starovoitov Date: Mon Dec 2 17:47:57 2024 -0800 Merge branch 'fix-missing-process_iter_arg-type-check' Kumar Kartikeya Dwivedi says: ==================== Fix missing process_iter_arg type check I am taking over Tao's earlier patch set that can be found at [0], after an offline discussion. The bug reported in that thread is that process_iter_arg missed a reg->type == PTR_TO_STACK check. Fix this by adding it in, and also address comments from Andrii on the earlier attempt. Include more selftests to ensure the error is caught. [0]: https://lore.kernel.org/bpf/20241107214736.347630-1-tao.lyu@epfl.ch Changelog: ---------- v1 -> v2: v1: https://lore.kernel.org/bpf/20241127230147.4158201-1-memxor@gmail.com ==================== Link: https://patch.msgid.link/20241203000238.3602922-1-memxor@gmail.com Signed-off-by: Alexei Starovoitov commit 7f71197001e35f46aca97204986edf9301f8dd09 Author: Kumar Kartikeya Dwivedi Date: Mon Dec 2 16:02:38 2024 -0800 selftests/bpf: Add tests for iter arg check Add selftests to cover argument type check for iterator kfuncs, and cover all three kinds (new, next, destroy). Without the fix in the previous patch, the selftest would not cause a verifier error. Signed-off-by: Kumar Kartikeya Dwivedi Link: https://lore.kernel.org/r/20241203000238.3602922-3-memxor@gmail.com Signed-off-by: Alexei Starovoitov commit 12659d28615d606b36e382f4de2dd05550d202af Author: Tao Lyu Date: Mon Dec 2 16:02:37 2024 -0800 bpf: Ensure reg is PTR_TO_STACK in process_iter_arg Currently, KF_ARG_PTR_TO_ITER handling missed checking the reg->type and ensuring it is PTR_TO_STACK. Instead of enforcing this in the caller of process_iter_arg, move the check into it instead so that all callers will gain the check by default. This is similar to process_dynptr_func. An existing selftest in verifier_bits_iter.c fails due to this change, but it's because it was passing a NULL pointer into iter_next helper and getting an error further down the checks, but probably meant to pass an uninitialized iterator on the stack (as is done in the subsequent test below it). We will gain coverage for non-PTR_TO_STACK arguments in later patches hence just change the declaration to zero-ed stack object. Fixes: 06accc8779c1 ("bpf: add support for open-coded iterator loops") Suggested-by: Andrii Nakryiko Signed-off-by: Tao Lyu [ Kartikeya: move check into process_iter_arg, rewrite commit log ] Signed-off-by: Kumar Kartikeya Dwivedi Link: https://lore.kernel.org/r/20241203000238.3602922-2-memxor@gmail.com Signed-off-by: Alexei Starovoitov commit 5ae1a43486fb3febd5ce78da13eb354f16d049e0 Author: Jerome Brunet Date: Thu Nov 28 18:30:42 2024 +0100 clk: amlogic: axg-audio: revert reset implementation The audio subsystem of axg based platform is not probing anymore. This is due to the introduction of RESET_MESON_AUX and the config not being enabled with the default arm64 defconfig. This brought another discussion around proper decoupling between the clock and reset part. While this discussion gets sorted out, revert back to the initial implementation. This reverts * commit 681ed497d676 ("clk: amlogic: axg-audio: fix Kconfig dependency on RESET_MESON_AUX") * commit 664988eb47dd ("clk: amlogic: axg-audio: use the auxiliary reset driver") Both are reverted with single change to avoid creating more compilation problems. Fixes: 681ed497d676 ("clk: amlogic: axg-audio: fix Kconfig dependency on RESET_MESON_AUX") Cc: Arnd Bergmann Reported-by: Mark Brown Signed-off-by: Jerome Brunet Link: https://lore.kernel.org/r/20241128-clk-audio-fix-rst-missing-v2-1-cf437d1a73da@baylibre.com Signed-off-by: Stephen Boyd commit 06fec99d4d2cb92bc6f107fdfd5e5c776375c68a Author: Johan Hovold Date: Mon Dec 2 11:06:21 2024 +0100 Revert "clk: Fix invalid execution of clk_set_rate" This reverts commit 25f1c96a0e841013647d788d4598e364e5c2ebb7. The offending commit results in errors like cpu cpu0: _opp_config_clk_single: failed to set clock rate: -22 spamming the logs on the Lenovo ThinkPad X13s and other Qualcomm machines when cpufreq tries to update the CPUFreq HW Engine clocks. As mentioned in commit 4370232c727b ("cpufreq: qcom-hw: Add CPU clock provider support"): [T]he frequency supplied by the driver is the actual frequency that comes out of the EPSS/OSM block after the DCVS operation. This frequency is not same as what the CPUFreq framework has set but it is the one that gets supplied to the CPUs after throttling by LMh. which seems to suggest that the driver relies on the previous behaviour of clk_set_rate(). Since this affects many Qualcomm machines, let's revert for now. Fixes: 25f1c96a0e84 ("clk: Fix invalid execution of clk_set_rate") Reported-by: Aishwarya TCV Link: https://lore.kernel.org/all/e2d83e57-ad07-411b-99f6-a4fc3c4534fa@arm.com/ Cc: Chuan Liu Cc: Manivannan Sadhasivam Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20241202100621.29209-1-johan+linaro@kernel.org Signed-off-by: Stephen Boyd commit c889aa2e7c2f0040484182d6cbbc0837b193a93f Author: Jakub Kicinski Date: Sat Nov 30 13:41:00 2024 -0800 MAINTAINERS: list PTP drivers under networking PTP patches go via the netdev trees, add drivers/ptp/ to the networking entry so that get_maintainer.pl --scm lists those trees above Linus's tree. Thanks to the real entry using drivers/ptp/* the original entry will still be considered more specific / higher prio. Acked-by: Richard Cochran Link: https://patch.msgid.link/20241130214100.125325-1-kuba@kernel.org Signed-off-by: Jakub Kicinski commit 1443dd3c67f6d1a8bd1f810e598e2f0c6f19205c Author: Alex Deucher Date: Sat Nov 16 08:20:59 2024 -0500 drm/amd/pm: fix and simplify workload handling smu->workload_mask is IP specific and should not be messed with in the common code. The mask bits vary across SMU versions. Move all handling of smu->workload_mask in to the backends and simplify the code. Store the user's preference in smu->power_profile_mode which will be reflected in sysfs. For internal driver profile switches for KFD or VCN, just update the workload mask so that the user's preference is retained. Remove all of the extra now unused workload related elements in the smu structure. v2: use refcounts for workload profiles v3: rework based on feedback from Lijo v4: fix the refcount on failure, drop backend mask v5: rework custom handling v6: handle failure cleanup with custom profile v7: Update documentation Reviewed-by: Lijo Lazar Signed-off-by: Alex Deucher Cc: Kenneth Feng Cc: Lijo Lazar Cc: stable@vger.kernel.org # 6.11.x commit c3d06a3b6acd6b8c9595d677d049555f475703df Author: Alex Deucher Date: Sat Nov 16 09:22:14 2024 -0500 Revert "drm/amd/pm: correct the workload setting" This reverts commit 74e1006430a5377228e49310f6d915628609929e. This causes a regression in the workload selection. A more extensive fix is being worked on. For now, revert. This came back after a merge in 6.13-rc1, so revert again. Link: https://gitlab.freedesktop.org/drm/amd/-/issues/3618 Fixes: 74e1006430a5 ("drm/amd/pm: correct the workload setting") Signed-off-by: Alex Deucher (cherry picked from commit 44f392fbf628a7ff2d8bb8e83ca1851261f81a6f) commit f3bb57b66dc439dd129eb509a4965f1e1aeea2b8 Author: Yiqing Yao Date: Tue Nov 26 18:36:11 2024 +0800 drm/amdgpu: fix sriov reinit late orders Use found block to call correct init/resume function on the block. Set status.hw for resume and init. Print re-init result again. Change to use dev_info. Use amdgpu_device_ip_get_ip_block to get target block instead of loop. Fixes: 502d76308d45 ("drm/amdgpu: validate resume before function call") Signed-off-by: Yiqing Yao Reviewed-by: Lijo Lazar Signed-off-by: Alex Deucher commit 274e3f4596446955bf17680fd4eb5489f5ecac00 Author: Pratap Nirujogi Date: Fri Nov 29 14:52:08 2024 -0500 drm/amdgpu: Fix ISP hw init issue ISP hw_init is not called with the recent changes related to hw init levels. AMDGPU_INIT_LEVEL_DEFAULT is ignoring the ISP IP block as AMDGPU_IP_BLK_MASK_ALL is derived using incorrect max number of IP blocks. Update AMDGPU_IP_BLK_MASK_ALL to use AMDGPU_MAX_IP_NUM instead of (AMDGPU_MAX_IP_NUM - 1) to fix the issue. Reviewed-by: Mario Limonciello Fixes: 14f2fe34f5c6 ("drm/amdgpu: Add init levels") Signed-off-by: Pratap Nirujogi Signed-off-by: Alex Deucher commit 0c0a19430bfdfedab437e77b9262e8e62ced384e Author: Chris Park Date: Fri Nov 15 15:44:52 2024 -0500 drm/amd/display: Add hblank borrowing support [WHY] Some DSC timing failed at bandwidth validation due to hactive can't be evenly divided on each ODM segment. [HOW] Borrow from hblank to increase hactive to support these timing. Cc: Mario Limonciello Cc: Alex Deucher Cc: stable@vger.kernel.org Reviewed-by: Wenjing Liu Signed-off-by: Chris Park Signed-off-by: Alex Hung Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher commit a29997b7ac1f5c816b543e0c56aa2b5b56baac24 Author: Dillon Varone Date: Wed Nov 13 16:44:15 2024 -0500 drm/amd/display: Limit VTotal range to max hw cap minus fp [WHY & HOW] Hardware does not support the VTotal to be between fp2 lines of the maximum possible VTotal, so add a capability flag to track it and apply where necessary. Cc: Mario Limonciello Cc: Alex Deucher Cc: stable@vger.kernel.org Reviewed-by: Jun Lei Reviewed-by: Anthony Koo Signed-off-by: Dillon Varone Signed-off-by: Alex Hung Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher commit 24d3749c11d949972d8c22e75567dc90ff5482e7 Author: Lo-an Chen Date: Thu Nov 14 17:53:41 2024 +0800 drm/amd/display: Correct prefetch calculation [WHY] The minimum value of the dst_y_prefetch_equ was not correct in prefetch calculation whice causes OPTC underflow. [HOW] Add the min operation of dst_y_prefetch_equ in prefetch calculation. Cc: Mario Limonciello Cc: Alex Deucher Cc: stable@vger.kernel.org Reviewed-by: Nicholas Kazlauskas Signed-off-by: Lo-an Chen Signed-off-by: Alex Hung Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher commit 6a7fd76b949efe40fb6d6677f480e624e0cb6e40 Author: Sung Lee Date: Thu Nov 14 14:18:13 2024 -0500 drm/amd/display: Add option to retrieve detile buffer size [WHY] For better power profiling knowing the detile buffer size at a given point in time would be useful. [HOW] Add interface to retrieve detile buffer from dc state. Cc: Mario Limonciello Cc: Alex Deucher Cc: stable@vger.kernel.org Reviewed-by: Aric Cyr Signed-off-by: Sung Lee Signed-off-by: Alex Hung Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher commit 63e7ee677c74e981257cedfdd8543510d09096ba Author: Peterson Guo Date: Thu Nov 7 19:20:02 2024 -0500 drm/amd/display: Add a left edge pixel if in YCbCr422 or YCbCr420 and odm [WHY] On some cards when odm is used, the monitor will have 2 separate pipes split vertically. When compression is used on the YCbCr colour space on the second pipe to have correct colours, we need to read a pixel from the end of first pipe to accurately display colours. Hardware was programmed properly to account for this extra pixel but it was not calculated properly in software causing a split screen on some monitors. [HOW] The fix adjusts the second pipe's viewport and timings if the pixel encoding is YCbCr422 or YCbCr420. Cc: Mario Limonciello Cc: Alex Deucher Cc: stable@vger.kernel.org Reviewed-by: George Shen Signed-off-by: Peterson Guo Signed-off-by: Alex Hung Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher commit 55ed120dcfdde2478c3ebfa1c0ac4ed1e430053b Author: David Yat Sin Date: Tue Nov 26 15:18:47 2024 -0500 drm/amdkfd: hard-code cacheline for gc943,gc944 Cacheline size is not available in IP discovery for gc943,gc944. Signed-off-by: David Yat Sin Reviewed-by: Harish Kasiviswanathan Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit 33114f1057ea5cf40e604021711a9711a060fcb6 Author: Sreekant Somasekharan Date: Thu Nov 28 12:05:56 2024 -0500 drm/amdkfd: add MEC version that supports no PCIe atomics for GFX12 Add MEC version from which alternate support for no PCIe atomics is provided so that device is not skipped during KFD device init in GFX1200/GFX1201. Signed-off-by: Sreekant Somasekharan Reviewed-by: Harish Kasiviswanathan Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org # 6.11.x commit 1c0938620176f451b814e9611b5444cd272b2a65 Author: Mario Limonciello Date: Wed Nov 27 21:22:00 2024 -0600 drm/amd/display: Fix programming backlight on OLED panels commit 38077562e059 ("drm/amd/display: Implement new backlight_level_params structure") adjusted DC core to require the backlight type to be programmed in the dc link when changing brightness. This isn't initialized in amdgpu_dm for OLED panels though which broke brightness. Explicitly initialize when aux support is enabled. Reported-and-tested-by: Luke Jones Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3792 Fixes: 38077562e059 ("drm/amd/display: Implement new backlight_level_params structure") Reviewed-by: Harry Wentland Link: https://lore.kernel.org/r/20241128032200.2085398-1-superm1@kernel.org Signed-off-by: Mario Limonciello Signed-off-by: Alex Deucher commit 0f15cbc203712ccad363611eded31a2c700f3974 Author: Mario Limonciello Date: Wed Nov 27 21:25:00 2024 -0600 drm/amd: Sanity check the ACPI EDID An HP Pavilion Aero Laptop 13-be0xxx/8916 has an ACPI EDID, but using it is causing corruption. It's got illogical values of not specifying a digital interface. Sanity check the ACPI EDID to avoid tripping such problems. Suggested-by: Tobias Jakobi Reported-and-tested-by: Chris Bainbridge Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3782 Fixes: c6a837088bed ("drm/amd/display: Fetch the EDID from _DDC if available for eDP") Reviewed-by: Harry Wentland Link: https://lore.kernel.org/r/20241128032500.2088288-1-superm1@kernel.org Signed-off-by: Mario Limonciello Signed-off-by: Alex Deucher commit 2ddd93481bce86c6a46223f45accdb3b149a43e4 Author: FUKAUMI Naoki Date: Thu Nov 28 12:06:30 2024 +0000 arm64: dts: rockchip: rename rfkill label for Radxa ROCK 5B on ROCK 5B, there is no PCIe slot, instead there is a M.2 slot. rfkill pin is not exclusive to PCIe devices, there is SDIO Wi-Fi devices. rename rfkill label from "rfkill-pcie-wlan" to "rfkill-m2-wlan", it matches with rfkill-bt. Fixes: 82d40b141a4c ("arm64: dts: rockchip: add rfkill node for M.2 Key E WiFi on rock-5b") Reviewed-by: Dragan Simic Signed-off-by: FUKAUMI Naoki Fixes: 82d40b141a4c ("arm64: dts: rockchip: add rfkill node for M.2 Key E WiFi on rock-5b") Link: https://lore.kernel.org/r/20241128120631.37458-1-naoki@radxa.com Signed-off-by: Heiko Stuebner commit 8b9c12757f919157752646faf3821abf2b7d2a64 Author: Chukun Pan Date: Fri Nov 22 15:30:05 2024 +0800 arm64: dts: rockchip: add reset-names for combphy on rk3568 The reset-names of combphy are missing, add it. Signed-off-by: Chukun Pan Fixes: fd3ac6e80497 ("dt-bindings: phy: rockchip: rk3588 has two reset lines") Link: https://lore.kernel.org/r/20241122073006.99309-1-amadeus@jmu.edu.cn Signed-off-by: Heiko Stuebner commit ae6012d72fa60c9ff92de5bac7a8021a47458e5b Author: Aruna Ramakrishna Date: Tue Nov 19 17:45:20 2024 +0000 x86/pkeys: Ensure updated PKRU value is XRSTOR'd When XSTATE_BV[i] is 0, and XRSTOR attempts to restore state component 'i' it ignores any value in the XSAVE buffer and instead restores the state component's init value. This means that if XSAVE writes XSTATE_BV[PKRU]=0 then XRSTOR will ignore the value that update_pkru_in_sigframe() writes to the XSAVE buffer. XSTATE_BV[PKRU] only gets written as 0 if PKRU is in its init state. On Intel CPUs, basically never happens because the kernel usually overwrites the init value (aside: this is why we didn't notice this bug until now). But on AMD, the init tracker is more aggressive and will track PKRU as being in its init state upon any wrpkru(0x0). Unfortunately, sig_prepare_pkru() does just that: wrpkru(0x0). This writes XSTATE_BV[PKRU]=0 which makes XRSTOR ignore the PKRU value in the sigframe. To fix this, always overwrite the sigframe XSTATE_BV with a value that has XSTATE_BV[PKRU]==1. This ensures that XRSTOR will not ignore what update_pkru_in_sigframe() wrote. The problematic sequence of events is something like this: Userspace does: * wrpkru(0xffff0000) (or whatever) * Hardware sets: XINUSE[PKRU]=1 Signal happens, kernel is entered: * sig_prepare_pkru() => wrpkru(0x00000000) * Hardware sets: XINUSE[PKRU]=0 (aggressive AMD init tracker) * XSAVE writes most of XSAVE buffer, including XSTATE_BV[PKRU]=XINUSE[PKRU]=0 * update_pkru_in_sigframe() overwrites PKRU in XSAVE buffer ... signal handling * XRSTOR sees XSTATE_BV[PKRU]==0, ignores just-written value from update_pkru_in_sigframe() Fixes: 70044df250d0 ("x86/pkeys: Update PKRU to enable all pkeys before XSAVE") Suggested-by: Rudi Horn Signed-off-by: Aruna Ramakrishna Signed-off-by: Dave Hansen Acked-by: Dave Hansen Link: https://lore.kernel.org/all/20241119174520.3987538-3-aruna.ramakrishna%40oracle.com commit 6a1853bdf17874392476b552398df261f75503e0 Author: Aruna Ramakrishna Date: Tue Nov 19 17:45:19 2024 +0000 x86/pkeys: Change caller of update_pkru_in_sigframe() update_pkru_in_sigframe() will shortly need some information which is only available inside xsave_to_user_sigframe(). Move update_pkru_in_sigframe() inside the other function to make it easier to provide it that information. No functional changes. Signed-off-by: Aruna Ramakrishna Signed-off-by: Dave Hansen Link: https://lore.kernel.org/all/20241119174520.3987538-2-aruna.ramakrishna%40oracle.com commit 689275140cb8e9f8ae59e545086fce51fb0b994a Author: Alex Deucher Date: Thu Nov 28 16:05:24 2024 +0800 drm/amdgpu/hdp7.0: do a posting read when flushing HDP Need to read back to make sure the write goes through. Cc: David Belanger Reviewed-by: Frank Min Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit abe1cbaec6cfe9fde609a15cd6a12c812282ce77 Author: Alex Deucher Date: Fri Nov 22 11:24:38 2024 -0500 drm/amdgpu/hdp6.0: do a posting read when flushing HDP Need to read back to make sure the write goes through. Cc: David Belanger Reviewed-by: Frank Min Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit f756dbac1ce1d5f9a2b35e3b55fa429cf6336437 Author: Alex Deucher Date: Fri Nov 22 11:24:13 2024 -0500 drm/amdgpu/hdp5.2: do a posting read when flushing HDP Need to read back to make sure the write goes through. Cc: David Belanger Reviewed-by: Frank Min Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit cf424020e040be35df05b682b546b255e74a420f Author: Alex Deucher Date: Fri Nov 22 11:23:56 2024 -0500 drm/amdgpu/hdp5.0: do a posting read when flushing HDP Need to read back to make sure the write goes through. Cc: David Belanger Reviewed-by: Frank Min Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit c9b8dcabb52afe88413ff135a0953e3cc4128483 Author: Alex Deucher Date: Fri Nov 22 11:22:51 2024 -0500 drm/amdgpu/hdp4.0: do a posting read when flushing HDP Need to read back to make sure the write goes through. Cc: David Belanger Reviewed-by: Frank Min Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit c6c2f66372d5cba5ce85eed686901259333ed816 Author: Alex Deucher Date: Fri Nov 22 14:00:05 2024 -0500 drm/amdgpu/jpeg1.0: fix idle work handler On VCN 1.0, VCN and JPEG use the same worker thread so cancel the vcn worker rather than jpeg. On VCN 2.0 and newer there are separate workers for each. Fixes: 93df74873703 ("drm/amdgpu/jpeg: cancel the jpeg worker") Tested-by: George Zhang Signed-off-by: Alex Deucher commit f54cd8f43f55c0274c5b51509aff39675639c2e1 Author: James Clark Date: Fri Nov 29 15:19:48 2024 +0000 perf test: Don't signal all processes on system when interrupting tests This signal handler loops over all tests on ctrl-C, but it's active while the test list is being constructed. process.pid is 0, then -1, then finally set to the child pid on fork. If the Ctrl-C is received during this point a kill(-1, SIGINT) can be sent which affects all processes. Make sure the child has forked first before forwarding the signal. This can be reproduced with ctrl-C immediately after launching perf test which terminates the ssh connection. Fixes: 553d5efeb341 ("perf test: Add a signal handler to kill forked child processes") Signed-off-by: James Clark Reviewed-by: Ian Rogers Link: https://lore.kernel.org/r/20241129151948.3199732-1-james.clark@linaro.org Signed-off-by: Namhyung Kim commit 23c44f6c83257923b179461694edcf62749bedd5 Author: Namhyung Kim Date: Tue Nov 26 19:13:31 2024 -0800 perf tools: Fix build-id event recording The build-id events written at the end of the record session are broken due to unexpected data. The write_buildid() writes the fixed length event first and then variable length filename. But a recent change made it write more data in the padding area accidentally. So readers of the event see zero-filled data for the next entry and treat it incorrectly. This resulted in wrong kernel symbols because the kernel DSO loaded a random vmlinux image in the path as it didn't have a valid build-id. Fixes: ae39ba16554e ("perf inject: Fix build ID injection") Reported-by: Linus Torvalds Tested-by: Arnaldo Carvalho de Melo Reviewed-by: Ian Rogers Link: https://lore.kernel.org/r/Z0aRFFW9xMh3mqKB@google.com Signed-off-by: Namhyung Kim commit cdd30ebb1b9f36159d66f088b61aee264e649d7a Author: Peter Zijlstra Date: Mon Dec 2 15:59:47 2024 +0100 module: Convert symbol namespace to string literal Clean up the existing export namespace code along the same lines of commit 33def8498fdd ("treewide: Convert macro and uses of __section(foo) to __section("foo")") and for the same reason, it is not desired for the namespace argument to be a macro expansion itself. Scripted using git grep -l -e MODULE_IMPORT_NS -e EXPORT_SYMBOL_NS | while read file; do awk -i inplace ' /^#define EXPORT_SYMBOL_NS/ { gsub(/__stringify\(ns\)/, "ns"); print; next; } /^#define MODULE_IMPORT_NS/ { gsub(/__stringify\(ns\)/, "ns"); print; next; } /MODULE_IMPORT_NS/ { $0 = gensub(/MODULE_IMPORT_NS\(([^)]*)\)/, "MODULE_IMPORT_NS(\"\\1\")", "g"); } /EXPORT_SYMBOL_NS/ { if ($0 ~ /(EXPORT_SYMBOL_NS[^(]*)\(([^,]+),/) { if ($0 !~ /(EXPORT_SYMBOL_NS[^(]*)\(([^,]+), ([^)]+)\)/ && $0 !~ /(EXPORT_SYMBOL_NS[^(]*)\(\)/ && $0 !~ /^my/) { getline line; gsub(/[[:space:]]*\\$/, ""); gsub(/[[:space:]]/, "", line); $0 = $0 " " line; } $0 = gensub(/(EXPORT_SYMBOL_NS[^(]*)\(([^,]+), ([^)]+)\)/, "\\1(\\2, \"\\3\")", "g"); } } { print }' $file; done Requested-by: Masahiro Yamada Signed-off-by: Peter Zijlstra (Intel) Link: https://mail.google.com/mail/u/2/#inbox/FMfcgzQXKWgMmjdFwwdsfgxzKpVHWPlc Acked-by: Greg KH Signed-off-by: Linus Torvalds commit 58a0c875ce028678c9594c7bdf3fe33462392808 Author: Christoph Hellwig Date: Wed Nov 27 07:42:18 2024 +0100 nvme: don't apply NVME_QUIRK_DEALLOCATE_ZEROES when DSM is not supported Commit 63dfa1004322 ("nvme: move NVME_QUIRK_DEALLOCATE_ZEROES out of nvme_config_discard") started applying the NVME_QUIRK_DEALLOCATE_ZEROES quirk even then the Dataset Management is not supported. It turns out that there versions of these old Intel SSDs that have DSM support disabled in the firmware, which will now lead to errors everytime a Write Zeroes command is issued. Fix this by checking for DSM support before applying the quirk. Reported-by: Saeed Mirzamohammadi Fixes: 63dfa1004322 ("nvme: move NVME_QUIRK_DEALLOCATE_ZEROES out of nvme_config_discard") Tested-by: Saeed Mirzamohammadi Signed-off-by: Christoph Hellwig Reviewed-by: Nitesh Shetty Reviewed-by: Chaitanya Kulkarni Signed-off-by: Keith Busch commit 84909f7decbd8981a24be829f110c248ecb8c51a Author: Nilay Shroff Date: Sun Nov 24 18:25:53 2024 +0530 nvmet: use kzalloc instead of ZERO_PAGE in nvme_execute_identify_ns_nvm() The nvme_execute_identify_ns_nvm function uses ZERO_PAGE for copying SG list with all zeros. As ZERO_PAGE would not necessarily return the virtual-address of the zero page, we need to first convert the page address to kernel virtual-address and then use it as source address for copying the data to SG list with all zeros. Using return address of ZERO_PAGE(0) as source address for copying data to SG list would fill the target buffer with random/garbage value and causes the undesired side effect. As other identify implemenations uses kzalloc for allocating a zero filled buffer, we decided use kzalloc for allocating a zero filled buffer in nvme_execute_identify_ns_nvm function and then use this buffer for copying all zeros to SG list buffers. So esentially, we now avoid using ZERO_PAGE. Reported-by: Yi Zhang Fixes: 64a51080eaba ("nvmet: implement id ns for nvm command set") Link: https://lore.kernel.org/all/CAHj4cs8OVyxmn4XTvA=y4uQ3qWpdw-x3M3FSUYr-KpE-nhaFEA@mail.gmail.com/ Signed-off-by: Nilay Shroff Tested-by: Yi Zhang Reviewed-by: Christoph Hellwig Reviewed-by: Chaitanya Kulkarni Signed-off-by: Keith Busch commit e7d3b4079d01c60568a45237224df4447f140189 Merge: 40384c840ea194 019880c08d059f Author: Martin K. Petersen Date: Mon Dec 2 12:36:18 2024 -0500 Merge branch '6.13/scsi-queue' into 6.13/scsi-fixes Pull in outstanding changes from 6.13/scsi-queue. Signed-off-by: Martin K. Petersen commit 4b65d5322e1d8994acfdb9b867aa00bdb30d177b Author: Binbin Zhou Date: Mon Oct 28 17:34:13 2024 +0800 dmaengine: loongson2-apb: Change GENMASK to GENMASK_ULL Fix the following smatch static checker warning: drivers/dma/loongson2-apb-dma.c:189 ls2x_dma_write_cmd() warn: was expecting a 64 bit value instead of '~(((0)) + (((~((0))) - (((1)) << (0)) + 1) & (~((0)) >> ((8 * 4) - 1 - (4)))))' The GENMASK macro used "unsigned long", which caused build issues when using a 32-bit toolchain because it would try to access bits > 31. This patch switches GENMASK to GENMASK_ULL, which uses "unsigned long long". Fixes: 71e7d3cb6e55 ("dmaengine: ls2x-apb: New driver for the Loongson LS2X APB DMA controller") Reported-by: Dan Carpenter Closes: https://lore.kernel.org/all/87cdc025-7246-4548-85ca-3d36fdc2be2d@stanley.mountain/ Signed-off-by: Binbin Zhou Link: https://lore.kernel.org/r/20241028093413.1145820-1-zhoubinbin@loongson.cn Signed-off-by: Vinod Koul commit f0e870a0e9c5521f2952ea9f3ea9d3d122631a89 Author: Andy Shevchenko Date: Mon Nov 4 11:50:50 2024 +0200 dmaengine: dw: Select only supported masters for ACPI devices The recently submitted fix-commit revealed a problem in the iDMA 32-bit platform code. Even though the controller supported only a single master the dw_dma_acpi_filter() method hard-coded two master interfaces with IDs 0 and 1. As a result the sanity check implemented in the commit b336268dde75 ("dmaengine: dw: Add peripheral bus width verification") got incorrect interface data width and thus prevented the client drivers from configuring the DMA-channel with the EINVAL error returned. E.g., the next error was printed for the PXA2xx SPI controller driver trying to configure the requested channels: > [ 164.525604] pxa2xx_spi_pci 0000:00:07.1: DMA slave config failed > [ 164.536105] pxa2xx_spi_pci 0000:00:07.1: failed to get DMA TX descriptor > [ 164.543213] spidev spi-SPT0001:00: SPI transfer failed: -16 The problem would have been spotted much earlier if the iDMA 32-bit controller supported more than one master interfaces. But since it supports just a single master and the iDMA 32-bit specific code just ignores the master IDs in the CTLLO preparation method, the issue has been gone unnoticed so far. Fix the problem by specifying the default master ID for both memory and peripheral devices in the driver data. Thus the issue noticed for the iDMA 32-bit controllers will be eliminated and the ACPI-probed DW DMA controllers will be configured with the correct master ID by default. Cc: stable@vger.kernel.org Fixes: b336268dde75 ("dmaengine: dw: Add peripheral bus width verification") Fixes: 199244d69458 ("dmaengine: dw: add support of iDMA 32-bit hardware") Reported-by: Ferry Toth Closes: https://lore.kernel.org/dmaengine/ZuXbCKUs1iOqFu51@black.fi.intel.com/ Reported-by: Andy Shevchenko Closes: https://lore.kernel.org/dmaengine/ZuXgI-VcHpMgbZ91@black.fi.intel.com/ Tested-by: Ferry Toth Signed-off-by: Andy Shevchenko Link: https://lore.kernel.org/r/20241104095142.157925-1-andriy.shevchenko@linux.intel.com Signed-off-by: Vinod Koul commit e9fba20c29e27dc99e55e1c550573a114561bf8c Author: Armin Wolf Date: Sat Nov 23 23:47:00 2024 +0100 platform/x86: asus-nb-wmi: Ignore unknown event 0xCF On the Asus X541UAK an unknown event 0xCF is emited when the charger is plugged in. This is caused by the following AML code: If (ACPS ()) { ACPF = One Local0 = 0x58 If (ATKP) { ^^^^ATKD.IANE (0xCF) } } Else { ACPF = Zero Local0 = 0x57 } Notify (AC0, 0x80) // Status Change If (ATKP) { ^^^^ATKD.IANE (Local0) } Sleep (0x64) PNOT () Sleep (0x0A) NBAT (0x80) Ignore the 0xCF event to silence the unknown event warning. Reported-by: Pau Espin Pedrol Closes: https://lore.kernel.org/platform-driver-x86/54d4860b-ec9c-4992-acf6-db3f90388293@espeweb.net Signed-off-by: Armin Wolf Reviewed-by: Hans de Goede Link: https://lore.kernel.org/r/20241123224700.18530-1-W_Armin@gmx.de Reviewed-by: Ilpo Järvinen Signed-off-by: Ilpo Järvinen commit 25fb5f47f34d90aceda2c47a4230315536e97fa8 Author: Armin Wolf Date: Sun Nov 24 18:19:41 2024 +0100 platform/x86: asus-wmi: Ignore return value when writing thermal policy On some machines like the ASUS Vivobook S14 writing the thermal policy returns the currently writen thermal policy instead of an error code. Ignore the return code to avoid falsely returning an error when the thermal policy was written successfully. Reported-by: auslands-kv@gmx.de Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219517 Fixes: 2daa86e78c49 ("platform/x86: asus_wmi: Support throttle thermal policy") Signed-off-by: Armin Wolf Reviewed-by: Hans de Goede Link: https://lore.kernel.org/r/20241124171941.29789-1-W_Armin@gmx.de Reviewed-by: Ilpo Järvinen Signed-off-by: Ilpo Järvinen commit c43ec96e8d34399bd9dab2f2dc316b904892133f Author: Chen Ridong Date: Tue Oct 29 08:28:45 2024 +0000 dmaengine: at_xdmac: avoid null_prt_deref in at_xdmac_prep_dma_memset The at_xdmac_memset_create_desc may return NULL, which will lead to a null pointer dereference. For example, the len input is error, or the atchan->free_descs_list is empty and memory is exhausted. Therefore, add check to avoid this. Fixes: b206d9a23ac7 ("dmaengine: xdmac: Add memset support") Signed-off-by: Chen Ridong Link: https://lore.kernel.org/r/20241029082845.1185380-1-chenridong@huaweicloud.com Signed-off-by: Vinod Koul commit 3510398032b445abd034753ce86a60882f41fe27 Author: Sedat Dilek Date: Sat Nov 23 14:29:28 2024 +0100 platform/x86: samsung-laptop: Match MODULE_DESCRIPTION() to functionality Change module description from "Samsung Backlight driver" to "Samsung Laptop driver" to better match driver's functionality. Signed-off-by: Sedat Dilek Acked-by: Greg Kroah-Hartman Link: https://lore.kernel.org/r/20241123133041.16042-1-sedat.dilek@gmail.com Reviewed-by: Ilpo Järvinen Signed-off-by: Ilpo Järvinen commit 2379fb937de5333991c567eefd7d11b98977d059 Author: Shengjiu Wang Date: Thu Nov 21 15:52:31 2024 +0800 pmdomain: imx: gpcv2: Adjust delay after power up handshake The udelay(5) is not enough, sometimes below kernel panic still be triggered: [ 4.012973] Kernel panic - not syncing: Asynchronous SError Interrupt [ 4.012976] CPU: 2 UID: 0 PID: 186 Comm: (udev-worker) Not tainted 6.12.0-rc2-0.0.0-devel-00004-g8b1b79e88956 #1 [ 4.012982] Hardware name: Toradex Verdin iMX8M Plus WB on Dahlia Board (DT) [ 4.012985] Call trace: [...] [ 4.013029] arm64_serror_panic+0x64/0x70 [ 4.013034] do_serror+0x3c/0x70 [ 4.013039] el1h_64_error_handler+0x30/0x54 [ 4.013046] el1h_64_error+0x64/0x68 [ 4.013050] clk_imx8mp_audiomix_runtime_resume+0x38/0x48 [ 4.013059] __genpd_runtime_resume+0x30/0x80 [ 4.013066] genpd_runtime_resume+0x114/0x29c [ 4.013073] __rpm_callback+0x48/0x1e0 [ 4.013079] rpm_callback+0x68/0x80 [ 4.013084] rpm_resume+0x3bc/0x6a0 [ 4.013089] __pm_runtime_resume+0x50/0x9c [ 4.013095] pm_runtime_get_suppliers+0x60/0x8c [ 4.013101] __driver_probe_device+0x4c/0x14c [ 4.013108] driver_probe_device+0x3c/0x120 [ 4.013114] __driver_attach+0xc4/0x200 [ 4.013119] bus_for_each_dev+0x7c/0xe0 [ 4.013125] driver_attach+0x24/0x30 [ 4.013130] bus_add_driver+0x110/0x240 [ 4.013135] driver_register+0x68/0x124 [ 4.013142] __platform_driver_register+0x24/0x30 [ 4.013149] sdma_driver_init+0x20/0x1000 [imx_sdma] [ 4.013163] do_one_initcall+0x60/0x1e0 [ 4.013168] do_init_module+0x5c/0x21c [ 4.013175] load_module+0x1a98/0x205c [ 4.013181] init_module_from_file+0x88/0xd4 [ 4.013187] __arm64_sys_finit_module+0x258/0x350 [ 4.013194] invoke_syscall.constprop.0+0x50/0xe0 [ 4.013202] do_el0_svc+0xa8/0xe0 [ 4.013208] el0_svc+0x3c/0x140 [ 4.013215] el0t_64_sync_handler+0x120/0x12c [ 4.013222] el0t_64_sync+0x190/0x194 [ 4.013228] SMP: stopping secondary CPUs The correct way is to wait handshake, but it needs BUS clock of BLK-CTL be enabled, which is in separate driver. So delay is the only option here. The udelay(10) is a data got by experiment. Fixes: e8dc41afca16 ("pmdomain: imx: gpcv2: Add delay after power up handshake") Reported-by: Francesco Dolcini Closes: https://lore.kernel.org/lkml/20241007132555.GA53279@francesco-nb/ Signed-off-by: Shengjiu Wang Cc: stable@vger.kernel.org Message-ID: <20241121075231.3910922-1-shengjiu.wang@nxp.com> Signed-off-by: Ulf Hansson commit 3e3b71d35a02cee4b2cc3d4255668a6609165518 Author: Ulf Hansson Date: Fri Nov 22 14:42:03 2024 +0100 pmdomain: core: Fix error path in pm_genpd_init() when ida alloc fails When the ida allocation fails we need to free up the previously allocated memory before returning the error code. Let's fix this and while at it, let's also move the ida allocation to genpd_alloc_data() and the freeing to genpd_free_data(), as it better belongs there. Fixes: 899f44531fe6 ("pmdomain: core: Add GENPD_FLAG_DEV_NAME_FW flag") Signed-off-by: Ulf Hansson Message-ID: <20241122134207.157283-3-ulf.hansson@linaro.org> commit b8f7bbd1f4ecff6d6277b8c454f62bb0a1c6dbe4 Author: Ulf Hansson Date: Fri Nov 22 14:42:02 2024 +0100 pmdomain: core: Add missing put_device() When removing a genpd we don't clean up the genpd->dev correctly. Let's add the missing put_device() in genpd_free_data() to fix this. Fixes: 401ea1572de9 ("PM / Domain: Add struct device to genpd") Cc: stable@vger.kernel.org Signed-off-by: Ulf Hansson Message-ID: <20241122134207.157283-2-ulf.hansson@linaro.org> commit f00582aa4a449dbaefa8df9bb5f3b713928e5a1b Author: Fei Shao Date: Tue Oct 1 19:27:19 2024 +0800 dt-bindings: power: mediatek: Add another nested power-domain layer The MT8188 SoC has a more in-depth power-domain tree, and the CHECK_DTBS=y check could fail because the current MediaTek power dt-binding is insufficient to cover its CAM_SUBA and CAM_SUBB sub-domains. Add one more nested power-domain layer to pass the check. Acked-by: Rob Herring (Arm) Signed-off-by: Fei Shao Message-ID: <20241001113052.3124869-2-fshao@chromium.org> Signed-off-by: Ulf Hansson commit 0d08f0eec961acdb0424a3e2cfb37cfb89154833 Author: Chris Chiu Date: Mon Dec 2 22:46:59 2024 +0800 ALSA: hda/realtek: fix micmute LEDs don't work on HP Laptops These HP laptops use Realtek HDA codec ALC3315 combined CS35L56 Amplifiers. They need the quirk ALC285_FIXUP_HP_GPIO_LED to get the micmute LED working. Signed-off-by: Chris Chiu Reviewed-by: Simon Trimmer Cc: Link: https://patch.msgid.link/20241202144659.1553504-1-chris.chiu@canonical.com Signed-off-by: Takashi Iwai commit f09f0397db641f99f6c3e109283d82e3584bfb50 Author: Asahi Lina Date: Mon Dec 2 22:17:15 2024 +0900 ALSA: usb-audio: Add extra PID for RME Digiface USB It seems there is an alternate version of the hardware with a different PID. User testing reveals this still works with the same interface as far as the kernel is concerned, so just add the extra PID. Thanks to Heiko Engemann for testing with this version. Due to the way quirks-table.h is structured, that means we have to turn the entire quirk struct into a macro to avoid duplicating it... Cc: stable@vger.kernel.org Signed-off-by: Asahi Lina Link: https://patch.msgid.link/20241202-rme-digiface-usb-id-v1-1-50f730d7a46e@asahilina.net Signed-off-by: Takashi Iwai commit f7d306b47a24367302bd4fe846854e07752ffcd9 Author: Dan Carpenter Date: Mon Dec 2 15:57:54 2024 +0300 ALSA: usb-audio: Fix a DMA to stack memory bug The usb_get_descriptor() function does DMA so we're not allowed to use a stack buffer for that. Doing DMA to the stack is not portable all architectures. Move the "new_device_descriptor" from being stored on the stack and allocate it with kmalloc() instead. Fixes: b909df18ce2a ("ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices") Cc: stable@kernel.org Signed-off-by: Dan Carpenter Link: https://patch.msgid.link/60e3aa09-039d-46d2-934c-6f123026c2eb@stanley.mountain Signed-off-by: Takashi Iwai commit 60bc447c85f80d3184c7ac327e1d29e0b0a11d46 Author: Herve Codina Date: Mon Dec 2 14:15:17 2024 +0100 of: Add #address-cells/#size-cells in the device-tree root empty node On systems where ACPI is enabled or when a device-tree is not passed to the kernel by the bootloader, a device-tree root empty node is created. This device-tree root empty node does not have the #address-cells and the #size-cells properties This leads to the use of the default address cells and size cells values which are defined in the code to 1 for the address cells value and 1 for the size cells value. According to the devicetree specification and the OpenFirmware standard (IEEE 1275-1994) the default value for #address-cells should be 2. Also, according to the devicetree specification, the #address-cells and the #size-cells are required properties in the root node. The device tree compiler already uses 2 as default value for address cells and 1 for size cells. The powerpc PROM code also uses 2 as default value for address cells and 1 for size cells. Modern implementation should have the #address-cells and the #size-cells properties set and should not rely on default values. On x86, this root empty node is used and the code default values are used. In preparation of the support for device-tree overlay on PCI devices feature on x86 (i.e. the creation of the PCI root bus device-tree node), the default value for #address-cells needs to be updated. Indeed, on x86_64, addresses are on 64bits and the upper part of an address is needed for correct address translations. On x86_32 having the default value updated does not lead to issues while the upper part of a 64-bit value is zero. Changing the default value for all architectures may break device-tree compatibility. Indeed, existing dts file without the #address-cells property set in the root node will not be compatible with this modification. Instead of updating default values, add both required #address-cells and #size-cells properties in the device-tree empty node. Use 2 for both properties value in order to fully support 64-bit addresses and sizes on systems using this empty root node. Signed-off-by: Herve Codina Link: https://lore.kernel.org/r/20241202131522.142268-6-herve.codina@bootlin.com Signed-off-by: Rob Herring (Arm) commit 87a0d90fcd31c0f36da0332428c9e1a1e0f97432 Author: Ulf Hansson Date: Mon Nov 25 13:24:46 2024 +0100 mmc: core: Further prevent card detect during shutdown Disabling card detect from the host's ->shutdown_pre() callback turned out to not be the complete solution. More precisely, beyond the point when the mmc_bus->shutdown() has been called, to gracefully power off the card, we need to prevent card detect. Otherwise the mmc_rescan work may poll for the card with a CMD13, to see if it's still alive, which then will fail and hang as the card has already been powered off. To fix this problem, let's disable mmc_rescan prior to power off the card during shutdown. Reported-by: Anthony Pighin Fixes: 66c915d09b94 ("mmc: core: Disable card detect during shutdown") Cc: stable@vger.kernel.org Signed-off-by: Ulf Hansson Reviewed-by: Adrian Hunter Closes: https://lore.kernel.org/all/BN0PR08MB695133000AF116F04C3A9FFE83212@BN0PR08MB6951.namprd08.prod.outlook.com/ Tested-by: Anthony Pighin Message-ID: <20241125122446.18684-1-ulf.hansson@linaro.org> commit b905bafdea21a75d75a96855edd9e0b6051eee30 Author: Leo Stone Date: Sat Nov 30 21:14:19 2024 -0800 hfs: Sanity check the root record In the syzbot reproducer, the hfs_cat_rec for the root dir has type HFS_CDR_FIL after being read with hfs_bnode_read() in hfs_super_fill(). This indicates it should be used as an hfs_cat_file, which is 102 bytes. Only the first 70 bytes of that struct are initialized, however, because the entrylength passed into hfs_bnode_read() is still the length of a directory record. This causes uninitialized values to be used later on, when the hfs_cat_rec union is treated as the larger hfs_cat_file struct. Add a check to make sure the retrieved record has the correct type for the root directory (HFS_CDR_DIR), and make sure we load the correct number of bytes for a directory record. Reported-by: syzbot+2db3c7526ba68f4ea776@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=2db3c7526ba68f4ea776 Tested-by: syzbot+2db3c7526ba68f4ea776@syzkaller.appspotmail.com Tested-by: Leo Stone Signed-off-by: Leo Stone Link: https://lore.kernel.org/r/20241201051420.77858-1-leocstone@gmail.com Reviewed-by: Jan Kara Signed-off-by: Christian Brauner commit 7f0fa47ceebcff0e3591bb7e32a71a2cd7846149 Author: Hans de Goede Date: Mon Nov 18 22:00:49 2024 +0100 mmc: sdhci-pci: Add DMI quirk for missing CD GPIO on Vexia Edu Atla 10 tablet The Vexia Edu Atla 10 tablet distributed to schools in the Spanish Andalucía region has no ACPI fwnode associated with the SDHCI controller for its microsd-slot and thus has no ACPI GPIO resource info. This causes the following error to be logged and the slot to not work: [ 10.572113] sdhci-pci 0000:00:12.0: failed to setup card detect gpio Add a DMI quirk table for providing gpiod_lookup_tables with manually provided CD GPIO info and use this DMI table to provide the CD GPIO info on this tablet. This fixes the microsd-slot not working. Signed-off-by: Hans de Goede Acked-by: Adrian Hunter Cc: stable@vger.kernel.org Message-ID: <20241118210049.311079-1-hdegoede@redhat.com> Signed-off-by: Ulf Hansson commit 6d544ea21d367cbd9746ae882e67a839391a6594 Author: Dan Carpenter Date: Sat Nov 30 13:09:06 2024 +0300 ASoC: SOF: ipc3-topology: fix resource leaks in sof_ipc3_widget_setup_comp_dai() These error paths should free comp_dai before returning. Fixes: 909dadf21aae ("ASoC: SOF: topology: Make DAI widget parsing IPC agnostic") Signed-off-by: Dan Carpenter Link: https://patch.msgid.link/67d185cf-d139-4f8c-970a-dbf0542246a8@stanley.mountain Signed-off-by: Mark Brown commit 28866d6e84b8d36a76b2cde221391aed1294e5cd Author: Geetha sowjanya Date: Tue Nov 26 17:14:31 2024 +0530 octeontx2-af: Fix SDP MAC link credits configuration Current driver allows only packet size < 512B as SDP_LINK_CREDIT register is set to default value. This patch fixes this issue by configure the register with maximum HW supported value to allow packet size > 512B. Fixes: 2f7f33a09516 ("octeontx2-pf: Add representors for sdp MAC") Signed-off-by: Geetha sowjanya Signed-off-by: David S. Miller commit 49ccf2c3cafb5774a4562d61294afcf492bed487 Author: Yang Shi Date: Tue Nov 19 12:09:14 2024 -0800 arm64: mte: set VM_MTE_ALLOWED for hugetlbfs at correct place The commit 5de195060b2e ("mm: resolve faulty mmap_region() error path behaviour") moved vm flags validation before fop->mmap for file mappings. But when commit 25c17c4b55de ("hugetlb: arm64: add mte support") was rebased on top of it, the hugetlbfs part was missed. Mmapping hugetlbfs file may not have MAP_HUGETLB set. Fixes: 25c17c4b55de ("hugetlb: arm64: add mte support") Signed-off-by: Yang Shi Reviewed-by: Catalin Marinas Link: https://lore.kernel.org/r/20241119200914.1145249-1-yang@os.amperecomputing.com Signed-off-by: Catalin Marinas commit 0302d2fd6efb0c386e521df0134eb2679a9a138f Author: Thomas Hellström Date: Wed Nov 27 09:54:30 2024 +0100 locking/ww_mutex: Fix ww_mutex dummy lockdep map selftest warnings The below commit introduces a dummy lockdep map, but didn't get the initialization quite right (it should mimic the initialization of the real ww_mutex lockdep maps). It also introduced a separate locking api selftest failure. Fix these. Closes: https://lore.kernel.org/lkml/Zw19sMtnKdyOVQoh@boqun-archlinux/ Fixes: 823a566221a5 ("locking/ww_mutex: Adjust to lockdep nest_lock requirements") Reported-by: Boqun Feng Suggested-by: Boqun Feng Signed-off-by: Thomas Hellström Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20241127085430.3045-1-thomas.hellstrom@linux.intel.com commit 9f3de72a0c37005f897d69e4bdd59c25b8898447 Author: Kan Liang Date: Tue Nov 19 05:55:01 2024 -0800 perf/x86/intel/ds: Unconditionally drain PEBS DS when changing PEBS_DATA_CFG The PEBS kernel warnings can still be observed with the below case. when the below commands are running in parallel for a while. while true; do perf record --no-buildid -a --intr-regs=AX \ -e cpu/event=0xd0,umask=0x81/pp \ -c 10003 -o /dev/null ./triad; done & while true; do perf record -e 'cpu/mem-loads,ldlat=3/uP' -W -d -- ./dtlb done The commit b752ea0c28e3 ("perf/x86/intel/ds: Flush PEBS DS when changing PEBS_DATA_CFG") intends to flush the entire PEBS buffer before the hardware is reprogrammed. However, it fails in the above case. The first perf command utilizes the large PEBS, while the second perf command only utilizes a single PEBS. When the second perf event is added, only the n_pebs++. The intel_pmu_pebs_enable() is invoked after intel_pmu_pebs_add(). So the cpuc->n_pebs == cpuc->n_large_pebs check in the intel_pmu_drain_large_pebs() fails. The PEBS DS is not flushed. The new PEBS event should not be taken into account when flushing the existing PEBS DS. The check is unnecessary here. Before the hardware is reprogrammed, all the stale records must be drained unconditionally. For single PEBS or PEBS-vi-pt, the DS must be empty. The drain_pebs() can handle the empty case. There is no harm to unconditionally drain the PEBS DS. Fixes: b752ea0c28e3 ("perf/x86/intel/ds: Flush PEBS DS when changing PEBS_DATA_CFG") Signed-off-by: Kan Liang Signed-off-by: Peter Zijlstra (Intel) Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20241119135504.1463839-2-kan.liang@linux.intel.com commit 4e54ed496343702837ddca5f5af720161c6a5407 Author: Kan Liang Date: Thu Nov 21 10:05:26 2024 -0800 perf/x86/intel: Add Arrow Lake U support From PMU's perspective, the new Arrow Lake U is the same as the Meteor Lake. Signed-off-by: Kan Liang Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20241121180526.2364759-1-kan.liang@linux.intel.com commit 82f9cc094975240885c93effbca7f4603f5de1bf Author: John Stultz Date: Thu Nov 14 11:00:47 2024 -0800 locking: rtmutex: Fix wake_q logic in task_blocks_on_rt_mutex Anders had bisected a crash using PREEMPT_RT with linux-next and isolated it down to commit 894d1b3db41c ("locking/mutex: Remove wakeups from under mutex::wait_lock"), where it seemed the wake_q structure was somehow getting corrupted causing a null pointer traversal. I was able to easily repoduce this with PREEMPT_RT and managed to isolate down that through various call stacks we were actually calling wake_up_q() twice on the same wake_q. I found that in the problematic commit, I had added the wake_up_q() call in task_blocks_on_rt_mutex() around __ww_mutex_add_waiter(), following a similar pattern in __mutex_lock_common(). However, its just wrong. We haven't dropped the lock->wait_lock, so its contrary to the point of the original patch. And it didn't match the __mutex_lock_common() logic of re-initializing the wake_q after calling it midway in the stack. Looking at it now, the wake_up_q() call is incorrect and should just be removed. So drop the erronious logic I had added. Fixes: 894d1b3db41c ("locking/mutex: Remove wakeups from under mutex::wait_lock") Closes: https://lore.kernel.org/lkml/6afb936f-17c7-43fa-90e0-b9e780866097@app.fastmail.com/ Reported-by: Anders Roxell Reported-by: Arnd Bergmann Signed-off-by: John Stultz Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Juri Lelli Tested-by: Anders Roxell Tested-by: K Prateek Nayak Link: https://lore.kernel.org/r/20241114190051.552665-1-jstultz@google.com commit 0664e2c311b9fa43b33e3e81429cd0c2d7f9c638 Author: Wander Lairson Costa Date: Wed Jul 24 11:22:47 2024 -0300 sched/deadline: Fix warning in migrate_enable for boosted tasks When running the following command: while true; do stress-ng --cyclic 30 --timeout 30s --minimize --quiet done a warning is eventually triggered: WARNING: CPU: 43 PID: 2848 at kernel/sched/deadline.c:794 setup_new_dl_entity+0x13e/0x180 ... Call Trace: ? show_trace_log_lvl+0x1c4/0x2df ? enqueue_dl_entity+0x631/0x6e0 ? setup_new_dl_entity+0x13e/0x180 ? __warn+0x7e/0xd0 ? report_bug+0x11a/0x1a0 ? handle_bug+0x3c/0x70 ? exc_invalid_op+0x14/0x70 ? asm_exc_invalid_op+0x16/0x20 enqueue_dl_entity+0x631/0x6e0 enqueue_task_dl+0x7d/0x120 __do_set_cpus_allowed+0xe3/0x280 __set_cpus_allowed_ptr_locked+0x140/0x1d0 __set_cpus_allowed_ptr+0x54/0xa0 migrate_enable+0x7e/0x150 rt_spin_unlock+0x1c/0x90 group_send_sig_info+0xf7/0x1a0 ? kill_pid_info+0x1f/0x1d0 kill_pid_info+0x78/0x1d0 kill_proc_info+0x5b/0x110 __x64_sys_kill+0x93/0xc0 do_syscall_64+0x5c/0xf0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 RIP: 0033:0x7f0dab31f92b This warning occurs because set_cpus_allowed dequeues and enqueues tasks with the ENQUEUE_RESTORE flag set. If the task is boosted, the warning is triggered. A boosted task already had its parameters set by rt_mutex_setprio, and a new call to setup_new_dl_entity is unnecessary, hence the WARN_ON call. Check if we are requeueing a boosted task and avoid calling setup_new_dl_entity if that's the case. Fixes: 295d6d5e3736 ("sched/deadline: Fix switching to -deadline") Signed-off-by: Wander Lairson Costa Signed-off-by: Peter Zijlstra (Intel) Acked-by: Juri Lelli Link: https://lore.kernel.org/r/20240724142253.27145-2-wander@redhat.com commit f66e4a996582d59b6f5ce88078b0ad2a328aa532 Author: Sebastian Andrzej Siewior Date: Fri Nov 22 18:35:57 2024 +0100 sched/core: Update kernel boot parameters for LAZY preempt. Update the documentation for the `preempt=' parameter which now also accepts `lazy'. Fixes: 7c70cb94d29cd ("sched: Add Lazy preemption model") Reported-by: Shrikanth Hegde Signed-off-by: Sebastian Andrzej Siewior Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Shrikanth Hegde Link: https://lore.kernel.org/r/20241122173557.MYOtT95Q@linutronix.de commit e932c4ab38f072ce5894b2851fea8bc5754bb8e5 Author: K Prateek Nayak Date: Tue Nov 19 05:44:32 2024 +0000 sched/core: Prevent wakeup of ksoftirqd during idle load balance Scheduler raises a SCHED_SOFTIRQ to trigger a load balancing event on from the IPI handler on the idle CPU. If the SMP function is invoked from an idle CPU via flush_smp_call_function_queue() then the HARD-IRQ flag is not set and raise_softirq_irqoff() needlessly wakes ksoftirqd because soft interrupts are handled before ksoftirqd get on the CPU. Adding a trace_printk() in nohz_csd_func() at the spot of raising SCHED_SOFTIRQ and enabling trace events for sched_switch, sched_wakeup, and softirq_entry (for SCHED_SOFTIRQ vector alone) helps observing the current behavior: -0 [000] dN.1.: nohz_csd_func: Raising SCHED_SOFTIRQ from nohz_csd_func -0 [000] dN.4.: sched_wakeup: comm=ksoftirqd/0 pid=16 prio=120 target_cpu=000 -0 [000] .Ns1.: softirq_entry: vec=7 [action=SCHED] -0 [000] .Ns1.: softirq_exit: vec=7 [action=SCHED] -0 [000] d..2.: sched_switch: prev_comm=swapper/0 prev_pid=0 prev_prio=120 prev_state=R ==> next_comm=ksoftirqd/0 next_pid=16 next_prio=120 ksoftirqd/0-16 [000] d..2.: sched_switch: prev_comm=ksoftirqd/0 prev_pid=16 prev_prio=120 prev_state=S ==> next_comm=swapper/0 next_pid=0 next_prio=120 ... Use __raise_softirq_irqoff() to raise the softirq. The SMP function call is always invoked on the requested CPU in an interrupt handler. It is guaranteed that soft interrupts are handled at the end. Following are the observations with the changes when enabling the same set of events: -0 [000] dN.1.: nohz_csd_func: Raising SCHED_SOFTIRQ for nohz_idle_balance -0 [000] dN.1.: softirq_raise: vec=7 [action=SCHED] -0 [000] .Ns1.: softirq_entry: vec=7 [action=SCHED] No unnecessary ksoftirqd wakeups are seen from idle task's context to service the softirq. Fixes: b2a02fc43a1f ("smp: Optimize send_call_function_single_ipi()") Closes: https://lore.kernel.org/lkml/fcf823f-195e-6c9a-eac3-25f870cb35ac@inria.fr/ [1] Reported-by: Julia Lawall Suggested-by: Sebastian Andrzej Siewior Signed-off-by: K Prateek Nayak Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Sebastian Andrzej Siewior Link: https://lore.kernel.org/r/20241119054432.6405-5-kprateek.nayak@amd.com commit ff47a0acfcce309cf9e175149c75614491953c8f Author: K Prateek Nayak Date: Tue Nov 19 05:44:31 2024 +0000 sched/fair: Check idle_cpu() before need_resched() to detect ilb CPU turning busy Commit b2a02fc43a1f ("smp: Optimize send_call_function_single_ipi()") optimizes IPIs to idle CPUs in TIF_POLLING_NRFLAG mode by setting the TIF_NEED_RESCHED flag in idle task's thread info and relying on flush_smp_call_function_queue() in idle exit path to run the call-function. A softirq raised by the call-function is handled shortly after in do_softirq_post_smp_call_flush() but the TIF_NEED_RESCHED flag remains set and is only cleared later when schedule_idle() calls __schedule(). need_resched() check in _nohz_idle_balance() exists to bail out of load balancing if another task has woken up on the CPU currently in-charge of idle load balancing which is being processed in SCHED_SOFTIRQ context. Since the optimization mentioned above overloads the interpretation of TIF_NEED_RESCHED, check for idle_cpu() before going with the existing need_resched() check which can catch a genuine task wakeup on an idle CPU processing SCHED_SOFTIRQ from do_softirq_post_smp_call_flush(), as well as the case where ksoftirqd needs to be preempted as a result of new task wakeup or slice expiry. In case of PREEMPT_RT or threadirqs, although the idle load balancing may be inhibited in some cases on the ilb CPU, the fact that ksoftirqd is the only fair task going back to sleep will trigger a newidle balance on the CPU which will alleviate some imbalance if it exists if idle balance fails to do so. Fixes: b2a02fc43a1f ("smp: Optimize send_call_function_single_ipi()") Signed-off-by: K Prateek Nayak Signed-off-by: Peter Zijlstra (Intel) Link: https://lore.kernel.org/r/20241119054432.6405-4-kprateek.nayak@amd.com commit ea9cffc0a154124821531991d5afdd7e8b20d7aa Author: K Prateek Nayak Date: Tue Nov 19 05:44:30 2024 +0000 sched/core: Remove the unnecessary need_resched() check in nohz_csd_func() The need_resched() check currently in nohz_csd_func() can be tracked to have been added in scheduler_ipi() back in 2011 via commit ca38062e57e9 ("sched: Use resched IPI to kick off the nohz idle balance") Since then, it has travelled quite a bit but it seems like an idle_cpu() check currently is sufficient to detect the need to bail out from an idle load balancing. To justify this removal, consider all the following case where an idle load balancing could race with a task wakeup: o Since commit f3dd3f674555b ("sched: Remove the limitation of WF_ON_CPU on wakelist if wakee cpu is idle") a target perceived to be idle (target_rq->nr_running == 0) will return true for ttwu_queue_cond(target) which will offload the task wakeup to the idle target via an IPI. In all such cases target_rq->ttwu_pending will be set to 1 before queuing the wake function. If an idle load balance races here, following scenarios are possible: - The CPU is not in TIF_POLLING_NRFLAG mode in which case an actual IPI is sent to the CPU to wake it out of idle. If the nohz_csd_func() queues before sched_ttwu_pending(), the idle load balance will bail out since idle_cpu(target) returns 0 since target_rq->ttwu_pending is 1. If the nohz_csd_func() is queued after sched_ttwu_pending() it should see rq->nr_running to be non-zero and bail out of idle load balancing. - The CPU is in TIF_POLLING_NRFLAG mode and instead of an actual IPI, the sender will simply set TIF_NEED_RESCHED for the target to put it out of idle and flush_smp_call_function_queue() in do_idle() will execute the call function. Depending on the ordering of the queuing of nohz_csd_func() and sched_ttwu_pending(), the idle_cpu() check in nohz_csd_func() should either see target_rq->ttwu_pending = 1 or target_rq->nr_running to be non-zero if there is a genuine task wakeup racing with the idle load balance kick. o The waker CPU perceives the target CPU to be busy (targer_rq->nr_running != 0) but the CPU is in fact going idle and due to a series of unfortunate events, the system reaches a case where the waker CPU decides to perform the wakeup by itself in ttwu_queue() on the target CPU but target is concurrently selected for idle load balance (XXX: Can this happen? I'm not sure, but we'll consider the mother of all coincidences to estimate the worst case scenario). ttwu_do_activate() calls enqueue_task() which would increment "rq->nr_running" post which it calls wakeup_preempt() which is responsible for setting TIF_NEED_RESCHED (via a resched IPI or by setting TIF_NEED_RESCHED on a TIF_POLLING_NRFLAG idle CPU) The key thing to note in this case is that rq->nr_running is already non-zero in case of a wakeup before TIF_NEED_RESCHED is set which would lead to idle_cpu() check returning false. In all cases, it seems that need_resched() check is unnecessary when checking for idle_cpu() first since an impending wakeup racing with idle load balancer will either set the "rq->ttwu_pending" or indicate a newly woken task via "rq->nr_running". Chasing the reason why this check might have existed in the first place, I came across Peter's suggestion on the fist iteration of Suresh's patch from 2011 [1] where the condition to raise the SCHED_SOFTIRQ was: sched_ttwu_do_pending(list); if (unlikely((rq->idle == current) && rq->nohz_balance_kick && !need_resched())) raise_softirq_irqoff(SCHED_SOFTIRQ); Since the condition to raise the SCHED_SOFIRQ was preceded by sched_ttwu_do_pending() (which is equivalent of sched_ttwu_pending()) in the current upstream kernel, the need_resched() check was necessary to catch a newly queued task. Peter suggested modifying it to: if (idle_cpu() && rq->nohz_balance_kick && !need_resched()) raise_softirq_irqoff(SCHED_SOFTIRQ); where idle_cpu() seems to have replaced "rq->idle == current" check. Even back then, the idle_cpu() check would have been sufficient to catch a new task being enqueued. Since commit b2a02fc43a1f ("smp: Optimize send_call_function_single_ipi()") overloads the interpretation of TIF_NEED_RESCHED for TIF_POLLING_NRFLAG idling, remove the need_resched() check in nohz_csd_func() to raise SCHED_SOFTIRQ based on Peter's suggestion. Fixes: b2a02fc43a1f ("smp: Optimize send_call_function_single_ipi()") Suggested-by: Peter Zijlstra Signed-off-by: K Prateek Nayak Signed-off-by: Peter Zijlstra (Intel) Link: https://lore.kernel.org/r/20241119054432.6405-3-kprateek.nayak@amd.com commit 6675ce20046d149e1e1ffe7e9577947dee17aad5 Author: K Prateek Nayak Date: Tue Nov 19 05:44:29 2024 +0000 softirq: Allow raising SCHED_SOFTIRQ from SMP-call-function on RT kernel do_softirq_post_smp_call_flush() on PREEMPT_RT kernels carries a WARN_ON_ONCE() for any SOFTIRQ being raised from an SMP-call-function. Since do_softirq_post_smp_call_flush() is called with preempt disabled, raising a SOFTIRQ during flush_smp_call_function_queue() can lead to longer preempt disabled sections. Since commit b2a02fc43a1f ("smp: Optimize send_call_function_single_ipi()") IPIs to an idle CPU in TIF_POLLING_NRFLAG mode can be optimized out by instead setting TIF_NEED_RESCHED bit in idle task's thread_info and relying on the flush_smp_call_function_queue() in the idle-exit path to run the SMP-call-function. To trigger an idle load balancing, the scheduler queues nohz_csd_function() responsible for triggering an idle load balancing on a target nohz idle CPU and sends an IPI. Only now, this IPI is optimized out and the SMP-call-function is executed from flush_smp_call_function_queue() in do_idle() which can raise a SCHED_SOFTIRQ to trigger the balancing. So far, this went undetected since, the need_resched() check in nohz_csd_function() would make it bail out of idle load balancing early as the idle thread does not clear TIF_POLLING_NRFLAG before calling flush_smp_call_function_queue(). The need_resched() check was added with the intent to catch a new task wakeup, however, it has recently discovered to be unnecessary and will be removed in the subsequent commit after which nohz_csd_function() can raise a SCHED_SOFTIRQ from flush_smp_call_function_queue() to trigger an idle load balance on an idle target in TIF_POLLING_NRFLAG mode. nohz_csd_function() bails out early if "idle_cpu()" check for the target CPU, and does not lock the target CPU's rq until the very end, once it has found tasks to run on the CPU and will not inhibit the wakeup of, or running of a newly woken up higher priority task. Account for this and prevent a WARN_ON_ONCE() when SCHED_SOFTIRQ is raised from flush_smp_call_function_queue(). Signed-off-by: K Prateek Nayak Signed-off-by: Peter Zijlstra (Intel) Link: https://lore.kernel.org/r/20241119054432.6405-2-kprateek.nayak@amd.com commit 70ee7947a29029736a1a06c73a48ff37674a851b Author: Josh Don Date: Mon Nov 11 10:27:38 2024 -0800 sched: fix warning in sched_setaffinity Commit 8f9ea86fdf99b added some logic to sched_setaffinity that included a WARN when a per-task affinity assignment races with a cpuset update. Specifically, we can have a race where a cpuset update results in the task affinity no longer being a subset of the cpuset. That's fine; we have a fallback to instead use the cpuset mask. However, we have a WARN set up that will trigger if the cpuset mask has no overlap at all with the requested task affinity. This shouldn't be a warning condition; its trivial to create this condition. Reproduced the warning by the following setup: - $PID inside a cpuset cgroup - another thread repeatedly switching the cpuset cpus from 1-2 to just 1 - another thread repeatedly setting the $PID affinity (via taskset) to 2 Fixes: 8f9ea86fdf99b ("sched: Always preserve the user requested cpumask") Signed-off-by: Josh Don Acked-and-tested-by: Vincent Guittot Signed-off-by: Peter Zijlstra (Intel) Acked-by: Waiman Long Tested-by: Madadi Vineeth Reddy Link: https://lkml.kernel.org/r/20241111182738.1832953-1-joshdon@google.com commit 22368fe1f9bbf39db2b5b52859589883273e80ce Author: Juri Lelli Date: Wed Nov 27 07:37:40 2024 +0100 sched/deadline: Fix replenish_dl_new_period dl_server condition The condition in replenish_dl_new_period() that checks if a reservation (dl_server) is deferred and is not handling a starvation case is obviously wrong. Fix it. Fixes: a110a81c52a9 ("sched/deadline: Deferrable dl server") Signed-off-by: Juri Lelli Signed-off-by: Peter Zijlstra (Intel) Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/20241127063740.8278-1-juri.lelli@redhat.com commit 098d8374033f323dae87a1d792a3c8911c2cf57f Author: Johan Hovold Date: Sun Dec 1 18:11:20 2024 +0100 bus: mhi: host: pci_generic: fix MHI BAR mapping A recent change converting the MHI pci_generic driver to use pcim_iomap_region() failed to update the BAR parameter which is an index rather than a mask. This specifically broke the modem on machines like the Lenovo ThinkPad X13s and x1e80100 CRD: mhi-pci-generic 0004:01:00.0: failed to map pci region: -22 mhi-pci-generic 0004:01:00.0: probe with driver mhi-pci-generic failed with error -22 Fixes: bd23e836423e ("bus: mhi: host: pci_generic: Use pcim_iomap_region() to request and map MHI BAR") Signed-off-by: Johan Hovold Signed-off-by: Manivannan Sadhasivam Reviewed-by: Manivannan Sadhasivam Cc: Manivannan Sadhasivam Cc: Mayank Rana Link: https://lore.kernel.org/r/20241201171120.31616-1-johan+linaro@kernel.org commit e2974a220594c06f536e65dfd7b2447e0e83a1cb Author: Sahas Leelodharry Date: Mon Dec 2 03:28:33 2024 +0000 ALSA: hda/realtek: Add support for Samsung Galaxy Book3 360 (NP730QFG) Fixes the 3.5mm headphone jack on the Samsung Galaxy Book 3 360 NP730QFG laptop. Unlike the other Galaxy Book3 series devices, this device only needs the ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET quirk. Verified changes on the device and compared with codec state in Windows. [ white-space fixes by tiwai ] Signed-off-by: Sahas Leelodharry Cc: Link: https://patch.msgid.link/QB1PR01MB40047D4CC1282DB7F1333124CC352@QB1PR01MB4004.CANPRD01.PROD.OUTLOOK.COM Signed-off-by: Takashi Iwai commit a8c695005bfe6569acd73d777ca298ddddd66105 Author: Dmitry Antipov Date: Tue Nov 5 12:48:23 2024 +0300 can: j1939: j1939_session_new(): fix skb reference counting Since j1939_session_skb_queue() does an extra skb_get() for each new skb, do the same for the initial one in j1939_session_new() to avoid refcount underflow. Reported-by: syzbot+d4e8dc385d9258220c31@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=d4e8dc385d9258220c31 Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") Signed-off-by: Dmitry Antipov Tested-by: Oleksij Rempel Acked-by: Oleksij Rempel Link: https://patch.msgid.link/20241105094823.2403806-1-dmantipov@yandex.ru [mkl: clean up commit message] Signed-off-by: Marc Kleine-Budde commit 589e6cc7597655bed7b8543b8286925f631f597c Author: Huacai Chen Date: Mon Dec 2 16:42:10 2024 +0800 LoongArch: KVM: Protect kvm_check_requests() with SRCU When we enable lockdep we get such a warning: ============================= WARNING: suspicious RCU usage 6.12.0-rc7+ #1891 Tainted: G W ----------------------------- include/linux/kvm_host.h:1043 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by qemu-system-loo/948: #0: 90000001184a00a8 (&vcpu->mutex){+.+.}-{4:4}, at: kvm_vcpu_ioctl+0xf4/0xe20 [kvm] stack backtrace: CPU: 0 UID: 0 PID: 948 Comm: qemu-system-loo Tainted: G W 6.12.0-rc7+ #1891 Tainted: [W]=WARN Hardware name: Loongson Loongson-3A5000-7A1000-1w-CRB/Loongson-LS3A5000-7A1000-1w-CRB, BIOS vUDK2018-LoongArch-V2.0.0-prebeta9 10/21/2022 Stack : 0000000000000089 9000000005a0db9c 90000000071519c8 900000012c578000 900000012c57b920 0000000000000000 900000012c57b928 9000000007e53788 900000000815bcc8 900000000815bcc0 900000012c57b790 0000000000000001 0000000000000001 4b031894b9d6b725 0000000004dec000 90000001003299c0 0000000000000414 0000000000000001 000000000000002d 0000000000000003 0000000000000030 00000000000003b4 0000000004dec000 90000001184a0000 900000000806d000 9000000007e53788 00000000000000b4 0000000000000004 0000000000000004 0000000000000000 0000000000000000 9000000107baf600 9000000008916000 9000000007e53788 9000000005924778 0000000010000044 00000000000000b0 0000000000000004 0000000000000000 0000000000071c1d ... Call Trace: [<9000000005924778>] show_stack+0x38/0x180 [<90000000071519c4>] dump_stack_lvl+0x94/0xe4 [<90000000059eb754>] lockdep_rcu_suspicious+0x194/0x240 [] kvm_gfn_to_hva_cache_init+0xfc/0x120 [kvm] [] kvm_pre_enter_guest+0x3a4/0x520 [kvm] [] kvm_handle_exit+0x23c/0x480 [kvm] Fix it by protecting kvm_check_requests() with SRCU. Cc: stable@vger.kernel.org Signed-off-by: Huacai Chen commit c1474bb0b7cff4e8481095bd0618b8f6c2f0aeb4 Author: Tiezhu Yang Date: Mon Dec 2 16:42:08 2024 +0800 LoongArch: BPF: Adjust the parameter of emit_jirl() The branch instructions beq, bne, blt, bge, bltu, bgeu and jirl belong to the format reg2i16, but the sequence of oprand is different for the instruction jirl. So adjust the parameter order of emit_jirl() to make it more readable correspond with the Instruction Set Architecture manual. Here are the instruction formats: beq rj, rd, offs16 bne rj, rd, offs16 blt rj, rd, offs16 bge rj, rd, offs16 bltu rj, rd, offs16 bgeu rj, rd, offs16 jirl rd, rj, offs16 Link: https://loongson.github.io/LoongArch-Documentation/LoongArch-Vol1-EN.html#branch-instructions Suggested-by: Huacai Chen Signed-off-by: Tiezhu Yang Signed-off-by: Huacai Chen commit 7cd1f5f77925ae905a57296932f0f9ef0dc364f8 Author: Bibo Mao Date: Mon Dec 2 16:42:08 2024 +0800 LoongArch: Add architecture specific huge_pte_clear() When executing mm selftests run_vmtests.sh, there is such an error: BUG: Bad page state in process uffd-unit-tests pfn:00000 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x0 flags: 0xffff0000002000(reserved|node=0|zone=0|lastcpupid=0xffff) raw: 00ffff0000002000 ffffbf0000000008 ffffbf0000000008 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set Modules linked in: snd_seq_dummy snd_seq snd_seq_device rfkill vfat fat virtio_balloon efi_pstore virtio_net pstore net_failover failover fuse nfnetlink virtio_scsi virtio_gpu virtio_dma_buf dm_multipath efivarfs CPU: 2 UID: 0 PID: 1913 Comm: uffd-unit-tests Not tainted 6.12.0 #184 Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022 Stack : 900000047c8ac000 0000000000000000 9000000000223a7c 900000047c8ac000 900000047c8af690 900000047c8af698 0000000000000000 900000047c8af7d8 900000047c8af7d0 900000047c8af7d0 900000047c8af5b0 0000000000000001 0000000000000001 900000047c8af698 10b3c7d53da40d26 0000010000000000 0000000000000022 0000000fffffffff fffffffffe000000 ffff800000000000 000000000000002f 0000800000000000 000000017a6d4000 90000000028f8940 0000000000000000 0000000000000000 90000000025aa5e0 9000000002905000 0000000000000000 90000000028f8940 ffff800000000000 0000000000000000 0000000000000000 0000000000000000 9000000000223a94 000000012001839c 00000000000000b0 0000000000000004 0000000000000000 0000000000071c1d ... Call Trace: [<9000000000223a94>] show_stack+0x5c/0x180 [<9000000001c3fd64>] dump_stack_lvl+0x6c/0xa0 [<900000000056aa08>] bad_page+0x1a0/0x1f0 [<9000000000574978>] free_unref_folios+0xbf0/0xd20 [<90000000004e65cc>] folios_put_refs+0x1a4/0x2b8 [<9000000000599a0c>] free_pages_and_swap_cache+0x164/0x260 [<9000000000547698>] tlb_batch_pages_flush+0xa8/0x1c0 [<9000000000547f30>] tlb_finish_mmu+0xa8/0x218 [<9000000000543cb8>] exit_mmap+0x1a0/0x360 [<9000000000247658>] __mmput+0x78/0x200 [<900000000025583c>] do_exit+0x43c/0xde8 [<9000000000256490>] do_group_exit+0x68/0x110 [<9000000000256554>] sys_exit_group+0x1c/0x20 [<9000000001c413b4>] do_syscall+0x94/0x130 [<90000000002216d8>] handle_syscall+0xb8/0x158 Disabling lock debugging due to kernel taint BUG: non-zero pgtables_bytes on freeing mm: -16384 On LoongArch system, invalid huge pte entry should be invalid_pte_table or a single _PAGE_HUGE bit rather than a zero value. And it should be the same with invalid pmd entry, since pmd_none() is called by function free_pgd_range() and pmd_none() return 0 by huge_pte_clear(). So single _PAGE_HUGE bit is also treated as a valid pte table and free_pte_range() will be called in free_pmd_range(). free_pmd_range() pmd = pmd_offset(pud, addr); do { next = pmd_addr_end(addr, end); if (pmd_none_or_clear_bad(pmd)) continue; free_pte_range(tlb, pmd, addr); } while (pmd++, addr = next, addr != end); Here invalid_pte_table is used for both invalid huge pte entry and pmd entry. Cc: stable@vger.kernel.org Fixes: 09cfefb7fa70 ("LoongArch: Add memory management") Signed-off-by: Bibo Mao Signed-off-by: Huacai Chen commit ad2a05a6d287aef7e069c06e329f1355756415c2 Author: David Wang <00107082@163.com> Date: Mon Dec 2 16:42:08 2024 +0800 LoongArch/irq: Use seq_put_decimal_ull_width() for decimal values Performance improvement for reading /proc/interrupts on LoongArch. On a system with n CPUs and m interrupts, there will be n*m decimal values yielded via seq_printf(.."%10u "..) which is less efficient than seq_put_decimal_ull_width(), stress reading /proc/interrupts indicates ~30% performance improvement with this patch (and its friends). Signed-off-by: David Wang <00107082@163.com> Signed-off-by: Huacai Chen commit 55dc2f8f263448f1e6c7ef135d08e640d5a4826e Author: Huacai Chen Date: Mon Dec 2 16:42:07 2024 +0800 LoongArch: Fix reserving screen info memory for above-4G firmware Since screen_info.lfb_base is a __u32 type, an above-4G address need an ext_lfb_base to present its higher 32bits. In init_screen_info() we can use __screen_info_lfb_base() to handle this case for reserving screen info memory. Signed-off-by: Xuefeng Zhao Signed-off-by: Jianmin Lv Signed-off-by: Tianyang Zhang Signed-off-by: Huacai Chen commit e60b14f47d779edc38bc1f14d2c995d477cec6f9 Author: Manivannan Sadhasivam Date: Thu Nov 28 20:21:47 2024 +0530 arm64: dts: qcom: sa8775p: Fix the size of 'addr_space' regions For both the controller instances, size of the 'addr_space' region should be 0x1fe00000 as per the hardware memory layout. Otherwise, endpoint drivers cannot request even reasonable BAR size of 1MB. Cc: stable@vger.kernel.org # 6.11 Fixes: c5f5de8434ec ("arm64: dts: qcom: sa8775p: Add ep pcie1 controller node") Fixes: 1924f5518224 ("arm64: dts: qcom: sa8775p: Add ep pcie0 controller node") Signed-off-by: Manivannan Sadhasivam Reviewed-by: Konrad Dybcio Link: https://lore.kernel.org/r/20241128145147.145618-1-manivannan.sadhasivam@linaro.org Signed-off-by: Bjorn Andersson commit 1b299bd0c22887543b276bcc5b4ed26f5bd83ae4 Author: Sasha Finkelstein Date: Wed Nov 27 23:18:29 2024 +0100 spi: apple: Set use_gpio_descriptors to true There is at least one peripheral that is attached to this controller and can not use native CS. Make it possible to use a GPIO instead. Signed-off-by: Sasha Finkelstein Reviewed-by: Janne Grunau Link: https://patch.msgid.link/20241127-gpio-descs-v1-1-c586b518a7d5@gmail.com Signed-off-by: Mark Brown commit 984836621aad98802d92c4a3047114cf518074c8 Author: Pei Xiao Date: Thu Nov 28 16:38:17 2024 +0800 spi: mpc52xx: Add cancel_work_sync before module remove If we remove the module which will call mpc52xx_spi_remove it will free 'ms' through spi_unregister_controller. while the work ms->work will be used. The sequence of operations that may lead to a UAF bug. Fix it by ensuring that the work is canceled before proceeding with the cleanup in mpc52xx_spi_remove. Fixes: ca632f556697 ("spi: reorganize drivers") Signed-off-by: Pei Xiao Link: https://patch.msgid.link/1f16f8ae0e50ca9adb1dc849bf2ac65a40c9ceb9.1732783000.git.xiaopei01@kylinos.cn Signed-off-by: Mark Brown commit 3061e170381af96d1e66799d34264e6414d428a7 Author: Cosmin Tanislav Date: Thu Nov 28 15:16:23 2024 +0200 regmap: detach regmap from dev on regmap_exit At the end of __regmap_init(), if dev is not NULL, regmap_attach_dev() is called, which adds a devres reference to the regmap, to be able to retrieve a dev's regmap by name using dev_get_regmap(). When calling regmap_exit, the opposite does not happen, and the reference is kept until the dev is detached. Add a regmap_detach_dev() function and call it in regmap_exit() to make sure that the devres reference is not kept. Cc: stable@vger.kernel.org Fixes: 72b39f6f2b5a ("regmap: Implement dev_get_regmap()") Signed-off-by: Cosmin Tanislav Rule: add Link: https://lore.kernel.org/stable/20241128130554.362486-1-demonsingur%40gmail.com Link: https://patch.msgid.link/20241128131625.363835-1-demonsingur@gmail.com Signed-off-by: Mark Brown commit 3f1aa0c533d9dd8a835caf9a6824449c463ee7e2 Author: Mark Brown Date: Wed Nov 27 13:35:06 2024 +0000 regmap: Use correct format specifier for logging range errors The register addresses are unsigned ints so we should use %u not %d to log them. Signed-off-by: Mark Brown Link: https://patch.msgid.link/20241127-regmap-test-high-addr-v1-1-74a48a9e0dc5@kernel.org Signed-off-by: Mark Brown commit 04c319e05d0b08cc789db7abccce0fcb13dbab16 Author: Marek Maslanka Date: Thu Nov 28 20:52:09 2024 +0000 ASoC: Intel: avs: da7219: Remove suspend_pre() and resume_post() The presence of a plugged jack is not detected after resuming the device if the jack was plugged before the device was suspended. This problem is caused by calling the sound/soc/codecs/da7219-aad.c:da7219_aad_jack_det() function on resume, which forces the jack insertion state to be unplugged. Signed-off-by: Marek Maslanka Link: https://patch.msgid.link/20241128205215.2435485-1-mmaslanka@google.com Reviewed-by: Cezary Rojewski Signed-off-by: Mark Brown commit 313dab082289e460391c82d855430ec8a28ddf81 Author: Jordy Zomer Date: Thu Nov 28 09:33:25 2024 +0900 ksmbd: fix Out-of-Bounds Write in ksmbd_vfs_stream_write An offset from client could be a negative value, It could allows to write data outside the bounds of the allocated buffer. Note that this issue is coming when setting 'vfs objects = streams_xattr parameter' in ksmbd.conf. Cc: stable@vger.kernel.org # v5.15+ Reported-by: Jordy Zomer Signed-off-by: Jordy Zomer Signed-off-by: Namjae Jeon Signed-off-by: Steve French commit fc342cf86e2dc4d2edb0fc2ff5e28b6c7845adb9 Author: Jordy Zomer Date: Thu Nov 28 09:32:45 2024 +0900 ksmbd: fix Out-of-Bounds Read in ksmbd_vfs_stream_read An offset from client could be a negative value, It could lead to an out-of-bounds read from the stream_buf. Note that this issue is coming when setting 'vfs objects = streams_xattr parameter' in ksmbd.conf. Cc: stable@vger.kernel.org # v5.15+ Reported-by: Jordy Zomer Signed-off-by: Jordy Zomer Signed-off-by: Namjae Jeon Signed-off-by: Steve French commit e18655cf35a5958fbf4ae9ca3ebf28871a3a1801 Author: Brahmajit Das Date: Tue Nov 26 11:41:35 2024 +0530 smb: server: Fix building with GCC 15 GCC 15 introduces -Werror=unterminated-string-initialization by default, this results in the following build error fs/smb/server/smb_common.c:21:35: error: initializer-string for array of 'char' is too long [-Werror=unterminated-string-ini tialization] 21 | static const char basechars[43] = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_-!@#$%"; | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ cc1: all warnings being treated as errors To this we are replacing char basechars[43] with a character pointer and then using strlen to get the length. Signed-off-by: Brahmajit Das Acked-by: Namjae Jeon Signed-off-by: Steve French commit e70140ba0d2b1a30467d4af6bcfe761327b9ec95 Author: Linus Torvalds Date: Sun Dec 1 15:12:43 2024 -0800 Get rid of 'remove_new' relic from platform driver struct The continual trickle of small conversion patches is grating on me, and is really not helping. Just get rid of the 'remove_new' member function, which is just an alias for the plain 'remove', and had a comment to that effect: /* * .remove_new() is a relic from a prototype conversion of .remove(). * New drivers are supposed to implement .remove(). Once all drivers are * converted to not use .remove_new any more, it will be dropped. */ This was just a tree-wide 'sed' script that replaced '.remove_new' with '.remove', with some care taken to turn a subsequent tab into two tabs to make things line up. I did do some minimal manual whitespace adjustment for places that used spaces to line things up. Then I just removed the old (sic) .remove_new member function, and this is the end result. No more unnecessary conversion noise. Signed-off-by: Linus Torvalds commit 40384c840ea1944d7c5a392e8975ed088ecf0b37 Author: Linus Torvalds Date: Sun Dec 1 14:28:56 2024 -0800 Linux 6.13-rc1 commit a14bf463e7dfa389850b9d47d38dda4fa71c8ade Merge: 88862eeb476375 caf4bdb558cbc9 Author: Linus Torvalds Date: Sun Dec 1 13:38:24 2024 -0800 Merge tag 'i2c-for-6.13-rc1-part3' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux Pull i2c component probing support from Wolfram Sang: "Add OF component probing. Some devices are designed and manufactured with some components having multiple drop-in replacement options. These components are often connected to the mainboard via ribbon cables, having the same signals and pin assignments across all options. These may include the display panel and touchscreen on laptops and tablets, and the trackpad on laptops. Sometimes which component option is used in a particular device can be detected by some firmware provided identifier, other times that information is not available, and the kernel has to try to probe each device. Instead of a delicate dance between drivers and device tree quirks, this change introduces a simple I2C component probe function. For a given class of devices on the same I2C bus, it will go through all of them, doing a simple I2C read transfer and see which one of them responds. It will then enable the device that responds" * tag 'i2c-for-6.13-rc1-part3' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux: MAINTAINERS: fix typo in I2C OF COMPONENT PROBER of: base: Document prefix argument for of_get_next_child_with_prefix() i2c: Fix whitespace style issue arm64: dts: mediatek: mt8173-elm-hana: Mark touchscreens and trackpads as fail platform/chrome: Introduce device tree hardware prober i2c: of-prober: Add GPIO support to simple helpers i2c: of-prober: Add simple helpers for regulator support i2c: Introduce OF component probe function of: base: Add for_each_child_of_node_with_prefix() of: dynamic: Add of_changeset_update_prop_string commit 88862eeb476375687a1de5f45528a437ea598338 Merge: f788b5ef1ca9b1 f69e63756f7822 Author: Linus Torvalds Date: Sun Dec 1 13:10:51 2024 -0800 Merge tag 'trace-printf-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace Pull bprintf() removal from Steven Rostedt: - Remove unused bprintf() function, that was added with the rest of the "bin-printf" functions. These are functions that are used by trace_printk() that allows to quickly save the format and arguments into the ring buffer without the expensive processing of converting numbers to ASCII. Then on output, at a much later time, the ring buffer is read and the string processing occurs then. The bprintf() was added for consistency but was never used. It can be safely removed. * tag 'trace-printf-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: printf: Remove unused 'bprintf' commit a747e02430dfb3657141f99aa6b09331283fa493 Author: Eric Dumazet Date: Tue Nov 26 19:28:27 2024 +0000 ipv6: avoid possible NULL deref in modify_prefix_route() syzbot found a NULL deref [1] in modify_prefix_route(), caused by one fib6_info without a fib6_table pointer set. This can happen for net->ipv6.fib6_null_entry [1] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] CPU: 1 UID: 0 PID: 5837 Comm: syz-executor888 Not tainted 6.12.0-syzkaller-09567-g7eef7e306d3c #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:__lock_acquire+0xe4/0x3c40 kernel/locking/lockdep.c:5089 Code: 08 84 d2 0f 85 15 14 00 00 44 8b 0d ca 98 f5 0e 45 85 c9 0f 84 b4 0e 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 0f 85 96 2c 00 00 49 8b 04 24 48 3d a0 07 7f 93 0f 84 RSP: 0018:ffffc900035d7268 EFLAGS: 00010006 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000006 RSI: 1ffff920006bae5f RDI: 0000000000000030 RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001 R10: ffffffff90608e17 R11: 0000000000000001 R12: 0000000000000030 R13: ffff888036334880 R14: 0000000000000000 R15: 0000000000000000 FS: 0000555579e90380(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffc59cc4278 CR3: 0000000072b54000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5849 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] _raw_spin_lock_bh+0x33/0x40 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:356 [inline] modify_prefix_route+0x30b/0x8b0 net/ipv6/addrconf.c:4831 inet6_addr_modify net/ipv6/addrconf.c:4923 [inline] inet6_rtm_newaddr+0x12c7/0x1ab0 net/ipv6/addrconf.c:5055 rtnetlink_rcv_msg+0x3c7/0xea0 net/core/rtnetlink.c:6920 netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2541 netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline] netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1347 netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1891 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg net/socket.c:726 [inline] ____sys_sendmsg+0xaaf/0xc90 net/socket.c:2583 ___sys_sendmsg+0x135/0x1e0 net/socket.c:2637 __sys_sendmsg+0x16e/0x220 net/socket.c:2669 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fd1dcef8b79 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffc59cc4378 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd1dcef8b79 RDX: 0000000000040040 RSI: 0000000020000140 RDI: 0000000000000004 RBP: 00000000000113fd R08: 0000000000000006 R09: 0000000000000006 R10: 0000000000000006 R11: 0000000000000246 R12: 00007ffc59cc438c R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001 Fixes: 5eb902b8e719 ("net/ipv6: Remove expired routes with a separated list of routes.") Reported-by: syzbot+1de74b0794c40c8eb300@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/67461f7f.050a0220.1286eb.0021.GAE@google.com/T/#u Signed-off-by: Eric Dumazet CC: Kui-Feng Lee Cc: David Ahern Reviewed-by: David Ahern Signed-off-by: David S. Miller commit f788b5ef1ca9b1c2f8d4e1beb2b25edc2db43ef4 Merge: 63f4993b792efe 63dffecfba3edd Author: Linus Torvalds Date: Sun Dec 1 12:41:21 2024 -0800 Merge tag 'timers_urgent_for_v6.13_rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull timer fixes from Borislav Petkov: - Fix a case where posix timers with a thread-group-wide target would miss signals if some of the group's threads are exiting - Fix a hang caused by ndelay() calling the wrong delay function __udelay() - Fix a wrong offset calculation in adjtimex(2) when using ADJ_MICRO (microsecond resolution) and a negative offset * tag 'timers_urgent_for_v6.13_rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: posix-timers: Target group sigqueue to current task only if not exiting delay: Fix ndelay() spuriously treated as udelay() ntp: Remove invalid cast in time offset math commit 63f4993b792efe9ccde7302184d0184d2c52a9b7 Merge: 58ac609b99db0b cc47268cb4841c Author: Linus Torvalds Date: Sun Dec 1 12:37:58 2024 -0800 Merge tag 'irq_urgent_for_v6.13_rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull irq fixes from Borislav Petkov: - Move the ->select callback to the correct ops structure in irq-mvebu-sei to fix some Marvell Armada platforms - Add a workaround for Hisilicon ITS erratum 162100801 which can cause some virtual interrupts to get lost - More platform_driver::remove() conversion * tag 'irq_urgent_for_v6.13_rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: irqchip: Switch back to struct platform_driver::remove() irqchip/gicv3-its: Add workaround for hip09 ITS erratum 162100801 irqchip/irq-mvebu-sei: Move misplaced select() callback to SEI CP domain commit 58ac609b99db0b03f3b09299c8fa3a76face3370 Merge: 9022ed0e7e6573 ff6cdc407f4179 Author: Linus Torvalds Date: Sun Dec 1 12:35:37 2024 -0800 Merge tag 'x86_urgent_for_v6.13_rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 fixes from Borislav Petkov: - Add a terminating zero end-element to the array describing AMD CPUs affected by erratum 1386 so that the matching loop actually terminates instead of going off into the weeds - Update the boot protocol documentation to mention the fact that the preferred address to load the kernel to is considered in the relocatable kernel case too - Flush the memory buffer containing the microcode patch after applying microcode on AMD Zen1 and Zen2, to avoid unnecessary slowdowns - Make sure the PPIN CPU feature flag is cleared on all CPUs if PPIN has been disabled * tag 'x86_urgent_for_v6.13_rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/CPU/AMD: Terminate the erratum_1386_microcode array x86/Documentation: Update algo in init_size description of boot protocol x86/microcode/AMD: Flush patch buffer mapping after application x86/mm: Carve out INVLPG inline asm for use by others x86/cpu: Fix PPIN initialization commit 9022ed0e7e65734d83a0648648589b9fbea8e8c9 Author: Linus Torvalds Date: Sun Dec 1 09:23:33 2024 -0800 strscpy: write destination buffer only once The point behind strscpy() was to once and for all avoid all the problems with 'strncpy()' and later broken "fixed" versions like strlcpy() that just made things worse. So strscpy not only guarantees NUL-termination (unlike strncpy), it also doesn't do unnecessary padding at the destination. But at the same time also avoids byte-at-a-time reads and writes by _allowing_ some extra NUL writes - within the size, of course - so that the whole copy can be done with word operations. It is also stable in the face of a mutable source string: it explicitly does not read the source buffer multiple times (so an implementation using "strnlen()+memcpy()" would be wrong), and does not read the source buffer past the size (like the mis-design that is strlcpy does). Finally, the return value is designed to be simple and unambiguous: if the string cannot be copied fully, it returns an actual negative error, making error handling clearer and simpler (and the caller already knows the size of the buffer). Otherwise it returns the string length of the result. However, there was one final stability issue that can be important to callers: the stability of the destination buffer. In particular, the same way we shouldn't read the source buffer more than once, we should avoid doing multiple writes to the destination buffer: first writing a potentially non-terminated string, and then terminating it with NUL at the end does not result in a stable result buffer. Yes, it gives the right result in the end, but if the rule for the destination buffer was that it is _always_ NUL-terminated even when accessed concurrently with updates, the final byte of the buffer needs to always _stay_ as a NUL byte. [ Note that "final byte is NUL" here is literally about the final byte in the destination array, not the terminating NUL at the end of the string itself. There is no attempt to try to make concurrent reads and writes give any kind of consistent string length or contents, but we do want to guarantee that there is always at least that final terminating NUL character at the end of the destination array if it existed before ] This is relevant in the kernel for the tsk->comm[] array, for example. Even without locking (for either readers or writers), we want to know that while the buffer contents may be garbled, it is always a valid C string and always has a NUL character at 'comm[TASK_COMM_LEN-1]' (and never has any "out of thin air" data). So avoid any "copy possibly non-terminated string, and terminate later" behavior, and write the destination buffer only once. Signed-off-by: Linus Torvalds commit 180bbad698641873120a48857bb3b9f3166bf684 Author: Marc Zyngier Date: Sun Dec 1 09:27:02 2024 +0000 arch_numa: Restore nid checks before registering a memblock with a node Commit 767507654c22 ("arch_numa: switch over to numa_memblks") significantly cleaned up the NUMA registration code, but also dropped a significant check that was refusing to accept to configure a memblock with an invalid nid. On "quality hardware" such as my ThunderX machine, this results in a kernel that dies immediately: [ 0.000000] Booting Linux on physical CPU 0x0000000000 [0x431f0a10] [ 0.000000] Linux version 6.12.0-00013-g8920d74cf8db (maz@valley-girl) (gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #3872 SMP PREEMPT Wed Nov 27 15:25:49 GMT 2024 [ 0.000000] KASLR disabled due to lack of seed [ 0.000000] Machine model: Cavium ThunderX CN88XX board [ 0.000000] efi: EFI v2.4 by American Megatrends [ 0.000000] efi: ESRT=0xffce0ff18 SMBIOS 3.0=0xfffb0000 ACPI 2.0=0xffec60000 MEMRESERVE=0xffc905d98 [ 0.000000] esrt: Reserving ESRT space from 0x0000000ffce0ff18 to 0x0000000ffce0ff50. [ 0.000000] earlycon: pl11 at MMIO 0x000087e024000000 (options '115200n8') [ 0.000000] printk: legacy bootconsole [pl11] enabled [ 0.000000] NODE_DATA(0) allocated [mem 0xff6754580-0xff67566bf] [ 0.000000] Unable to handle kernel paging request at virtual address 0000000000001d40 [ 0.000000] Mem abort info: [ 0.000000] ESR = 0x0000000096000004 [ 0.000000] EC = 0x25: DABT (current EL), IL = 32 bits [ 0.000000] SET = 0, FnV = 0 [ 0.000000] EA = 0, S1PTW = 0 [ 0.000000] FSC = 0x04: level 0 translation fault [ 0.000000] Data abort info: [ 0.000000] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 0.000000] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 0.000000] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 0.000000] [0000000000001d40] user address but active_mm is swapper [ 0.000000] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [ 0.000000] Modules linked in: [ 0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted 6.12.0-00013-g8920d74cf8db #3872 [ 0.000000] Hardware name: Cavium ThunderX CN88XX board (DT) [ 0.000000] pstate: a00000c5 (NzCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 0.000000] pc : sparse_init_nid+0x54/0x428 [ 0.000000] lr : sparse_init+0x118/0x240 [ 0.000000] sp : ffff800081da3cb0 [ 0.000000] x29: ffff800081da3cb0 x28: 0000000fedbab10c x27: 0000000000000001 [ 0.000000] x26: 0000000ffee250f8 x25: 0000000000000001 x24: ffff800082102cd0 [ 0.000000] x23: 0000000000000001 x22: 0000000000000000 x21: 00000000001fffff [ 0.000000] x20: 0000000000000001 x19: 0000000000000000 x18: ffffffffffffffff [ 0.000000] x17: 0000000001b00000 x16: 0000000ffd130000 x15: 0000000000000000 [ 0.000000] x14: 00000000003e0000 x13: 00000000000001c8 x12: 0000000000000014 [ 0.000000] x11: ffff800081e82860 x10: ffff8000820fb2c8 x9 : ffff8000820fb490 [ 0.000000] x8 : 0000000000ffed20 x7 : 0000000000000014 x6 : 00000000001fffff [ 0.000000] x5 : 00000000ffffffff x4 : 0000000000000000 x3 : 0000000000000000 [ 0.000000] x2 : 0000000000000000 x1 : 0000000000000040 x0 : 0000000000000007 [ 0.000000] Call trace: [ 0.000000] sparse_init_nid+0x54/0x428 [ 0.000000] sparse_init+0x118/0x240 [ 0.000000] bootmem_init+0x70/0x1c8 [ 0.000000] setup_arch+0x184/0x270 [ 0.000000] start_kernel+0x74/0x670 [ 0.000000] __primary_switched+0x80/0x90 [ 0.000000] Code: f865d804 d37df060 cb030000 d2800003 (b95d4084) [ 0.000000] ---[ end trace 0000000000000000 ]--- [ 0.000000] Kernel panic - not syncing: Attempted to kill the idle task! [ 0.000000] ---[ end Kernel panic - not syncing: Attempted to kill the idle task! ]--- while previous kernel versions were able to recognise how brain-damaged the machine is, and only build a fake node. Use the memblock_validate_numa_coverage() helper to restore some sanity and a "working" system. Fixes: 767507654c22 ("arch_numa: switch over to numa_memblks") Suggested-by: Mike Rapoport Signed-off-by: Marc Zyngier Cc: Catalin Marinas Cc: Will Deacon Cc: Zi Yan Cc: Dan Williams Cc: David Hildenbrand Cc: Andrew Morton Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20241201092702.3792845-1-maz@kernel.org Signed-off-by: Mike Rapoport (Microsoft) commit 9cdc6423acb49055efb444ecd895d853a70ef931 Author: Mike Rapoport (Microsoft) Date: Fri Nov 29 11:13:47 2024 +0200 memblock: allow zero threshold in validate_numa_converage() Currently memblock validate_numa_converage() returns false negative when threshold set to zero. Make the check if the memory size with invalid node ID is greater than the threshold exclusive to fix that. Link: https://lore.kernel.org/all/Z0mIDBD4KLyxyOCm@kernel.org/ Signed-off-by: Mike Rapoport (Microsoft) commit a0cd2b265fe3f675c121df848aec2e79ff7c100f Author: Dan Carpenter Date: Sat Nov 30 13:08:18 2024 +0300 ALSA: hda/tas2781: Fix error code tas2781_read_acpi() Return an error code if acpi_get_subsystem_id() fails. Don't return success. Fixes: 4e7035a75da9 ("ALSA: hda/tas2781: Add speaker id check for ASUS projects") Signed-off-by: Dan Carpenter Link: https://patch.msgid.link/ef773f8a-a61d-478b-9e81-41a38a75c77b@stanley.mountain Signed-off-by: Takashi Iwai commit 3a83f7baf1346aca885cb83cb888e835fef7c472 Author: Nazar Bilinskyi Date: Sun Dec 1 01:16:31 2024 +0200 ALSA: hda/realtek: Enable mute and micmute LED on HP ProBook 430 G8 HP ProBook 430 G8 has a mute and micmute LEDs that can be made to work using quirk ALC236_FIXUP_HP_GPIO_LED. Enable already existing quirk. Signed-off-by: Nazar Bilinskyi Cc: Link: https://patch.msgid.link/20241130231631.8929-1-nbilinskyi@gmail.com Signed-off-by: Takashi Iwai commit a7de2b873f3dbcda02d504536f1ec6dc50e3f6c4 Author: Marie Ramlow Date: Sat Nov 30 17:52:40 2024 +0100 ALSA: usb-audio: add mixer mapping for Corsair HS80 The Corsair HS80 RGB Wireless is a USB headset with a mic and a sidetone feature. It has the same quirk as the Virtuoso series. This labels the mixers appropriately, so applications don't move the sidetone volume when they actually intend to move the main headset volume. Signed-off-by: Marie Ramlow cc: Link: https://patch.msgid.link/20241130165240.17838-1-me@nycode.dev Signed-off-by: Takashi Iwai commit f69e63756f7822fcdad8a34f9967e8b243e883ee Author: Dr. David Alan Gilbert Date: Wed Oct 2 18:31:47 2024 +0100 printf: Remove unused 'bprintf' bprintf() is unused. Remove it. It was added in the commit 4370aa4aa753 ("vsprintf: add binary printf") but as far as I can see was never used, unlike the other two functions in that patch. Link: https://lore.kernel.org/20241002173147.210107-1-linux@treblig.org Reviewed-by: Andy Shevchenko Acked-by: Petr Mladek Signed-off-by: Dr. David Alan Gilbert Signed-off-by: Steven Rostedt (Google) commit bcc8eda6d34934d80b96adb8dc4ff5dfc632a53a Merge: 0cb71708c58165 86d23773409120 Author: Linus Torvalds Date: Sat Nov 30 18:30:22 2024 -0800 Merge tag 'turbostat-2024.11.30' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux Pull turbostat updates from Len Brown: - assorted minor bug fixes - assorted platform specific tweaks - initial RAPL PSYS (SysWatt) support * tag 'turbostat-2024.11.30' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux: tools/power turbostat: 2024.11.30 tools/power turbostat: Add RAPL psys as a built-in counter tools/power turbostat: Fix child's argument forwarding tools/power turbostat: Force --no-perf in --dump mode tools/power turbostat: Add support for /sys/class/drm/card1 tools/power turbostat: Cache graphics sysfs file descriptors during probe tools/power turbostat: Consolidate graphics sysfs access tools/power turbostat: Remove unnecessary fflush() call tools/power turbostat: Enhance platform divergence description tools/power turbostat: Add initial support for GraniteRapids-D tools/power turbostat: Remove PC3 support on Lunarlake tools/power turbostat: Rename arl_features to lnl_features tools/power turbostat: Add back PC8 support on Arrowlake tools/power turbostat: Remove PC7/PC9 support on MTL tools/power turbostat: Honor --show CPU, even when even when num_cpus=1 tools/power turbostat: Fix trailing '\n' parsing tools/power turbostat: Allow using cpu device in perf counters on hybrid platforms tools/power turbostat: Fix column printing for PMT xtal_time counters tools/power turbostat: fix GCC9 build regression commit 0cb71708c5816569f8addd5c6f33cb9679e73b5b Merge: 8a6a03ad5b04a2 5c8418cf402538 Author: Linus Torvalds Date: Sat Nov 30 18:23:05 2024 -0800 Merge tag 'pci-v6.13-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/pci/pci Pull PCI fix from Bjorn Helgaas: - When removing a PCI device, only look up and remove a platform device if there is an associated device node for which there could be a platform device, to fix a merge window regression (Brian Norris) * tag 'pci-v6.13-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/pci/pci: PCI/pwrctrl: Unregister platform device only if one actually exists commit 8a6a03ad5b04a29f07fb79d2990d93c82394f730 Merge: cfd47302ac64b5 a65d9d1d893b12 Author: Linus Torvalds Date: Sat Nov 30 18:14:56 2024 -0800 Merge tag 'lsm-pr-20241129' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm Pull ima fix from Paul Moore: "One small patch to fix a function parameter / local variable naming snafu that went up to you in the current merge window" * tag 'lsm-pr-20241129' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm: ima: uncover hidden variable in ima_match_rules() commit cfd47302ac64b595beb0a67a337b81942146448a Merge: dd54fcced81d47 82734209bedd65 Author: Linus Torvalds Date: Sat Nov 30 15:47:29 2024 -0800 Merge tag 'block-6.13-20242901' of git://git.kernel.dk/linux Pull more block updates from Jens Axboe: - NVMe pull request via Keith: - Use correct srcu list traversal (Breno) - Scatter-gather support for metadata (Keith) - Fabrics shutdown race condition fix (Nilay) - Persistent reservations updates (Guixin) - Add the required bits for MD atomic write support for raid0/1/10 - Correct return value for unknown opcode in ublk - Fix deadlock with zone revalidation - Fix for the io priority request vs bio cleanups - Use the correct unsigned int type for various limit helpers - Fix for a race in loop - Cleanup blk_rq_prep_clone() to prevent uninit-value warning and make it easier for actual humans to read - Fix potential UAF when iterating tags - A few fixes for bfq-iosched UAF issues - Fix for brd discard not decrementing the allocated page count - Various little fixes and cleanups * tag 'block-6.13-20242901' of git://git.kernel.dk/linux: (36 commits) brd: decrease the number of allocated pages which discarded block, bfq: fix bfqq uaf in bfq_limit_depth() block: Don't allow an atomic write be truncated in blkdev_write_iter() mq-deadline: don't call req_get_ioprio from the I/O completion handler block: Prevent potential deadlock in blk_revalidate_disk_zones() block: Remove extra part pointer NULLify in blk_rq_init() nvme: tuning pr code by using defined structs and macros nvme: introduce change ptpl and iekey definition block: return bool from get_disk_ro and bdev_read_only block: remove a duplicate definition for bdev_read_only block: return bool from blk_rq_aligned block: return unsigned int from blk_lim_dma_alignment_and_pad block: return unsigned int from queue_dma_alignment block: return unsigned int from bdev_io_opt block: req->bio is always set in the merge code block: don't bother checking the data direction for merges block: blk-mq: fix uninit-value in blk_rq_prep_clone and refactor Revert "block, bfq: merge bfq_release_process_ref() into bfq_put_cooperator()" md/raid10: Atomic write support md/raid1: Atomic write support ... commit dd54fcced81d479d77acbeb4eea74b9ab9276bff Merge: 133577cad6bf48 7eb75ce7527129 Author: Linus Torvalds Date: Sat Nov 30 15:43:02 2024 -0800 Merge tag 'io_uring-6.13-20242901' of git://git.kernel.dk/linux Pull more io_uring updates from Jens Axboe: - Remove a leftover struct from when the cqwait registered waiting was transitioned to regions. - Fix for an issue introduced in this merge window, where nop->fd might be used uninitialized. Ensure it's always set. - Add capping of the task_work run in local task_work mode, to prevent bursty and long chains from adding too much latency. - Work around xa_store() leaving ->head non-NULL if it encounters an allocation error during storing. Just a debug trigger, and can go away once xa_store() behaves in a more expected way for this condition. Not a major thing as it basically requires fault injection to trigger it. - Fix a few mapping corner cases - Fix KCSAN complaint on reading the table size post unlock. Again not a "real" issue, but it's easy to silence by just keeping the reading inside the lock that protects it. * tag 'io_uring-6.13-20242901' of git://git.kernel.dk/linux: io_uring/tctx: work around xa_store() allocation error issue io_uring: fix corner case forgetting to vunmap io_uring: fix task_work cap overshooting io_uring: check for overflows in io_pin_pages io_uring/nop: ensure nop->fd is always initialized io_uring: limit local tw done io_uring: add io_local_work_pending() io_uring/region: return negative -E2BIG in io_create_region() io_uring: protect register tracing io_uring: remove io_uring_cqwait_reg_arg commit 133577cad6bf48e5a7848c4338124081393bfe8a Merge: c4bb3a2d641c02 aef7ee7649e02f Author: Linus Torvalds Date: Sat Nov 30 15:36:17 2024 -0800 Merge tag 'dma-mapping-6.13-2024-11-30' of git://git.infradead.org/users/hch/dma-mapping Pull dma-mapping fix from Christoph Hellwig: - fix physical address calculation for struct dma_debug_entry (Fedor Pchelkin) * tag 'dma-mapping-6.13-2024-11-30' of git://git.infradead.org/users/hch/dma-mapping: dma-debug: fix physical address calculation for struct dma_debug_entry commit c4bb3a2d641c02ac2c7aa45534b4cefdf9bf416b Merge: 0ff86d8da707c5 4d911c7abee567 Author: Linus Torvalds Date: Sat Nov 30 14:51:08 2024 -0800 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm Pull more kvm updates from Paolo Bonzini: - ARM fixes - RISC-V Svade and Svadu (accessed and dirty bit) extension support for host and guest * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: KVM: riscv: selftests: Add Svade and Svadu Extension to get-reg-list test RISC-V: KVM: Add Svade and Svadu Extensions Support for Guest/VM dt-bindings: riscv: Add Svade and Svadu Entries RISC-V: Add Svade and Svadu Extensions Support KVM: arm64: Use MDCR_EL2.HPME to evaluate overflow of hyp counters KVM: arm64: Ignore PMCNTENSET_EL0 while checking for overflow status KVM: arm64: Mark set_sysreg_masks() as inline to avoid build failure KVM: arm64: vgic-its: Add stronger type-checking to the ITS entry sizes KVM: arm64: vgic: Kill VGIC_MAX_PRIVATE definition KVM: arm64: vgic: Make vgic_get_irq() more robust KVM: arm64: vgic-v3: Sanitise guest writes to GICR_INVLPIR commit 0ff86d8da707c5620cd8f363e88bf49a24730b52 Merge: 50ee4a6fe3529f 63e72e55194264 Author: Linus Torvalds Date: Sat Nov 30 14:45:29 2024 -0800 Merge tag 'sh-for-v6.13-tag1' of git://git.kernel.org/pub/scm/linux/kernel/git/glaubitz/sh-linux Pull sh updates from John Paul Adrian Glaubitz: "Two small fixes. The first one by Huacai Chen addresses a runtime warning when CONFIG_CPUMASK_OFFSTACK and CONFIG_DEBUG_PER_CPU_MAPS are selected which occurs because the cpuinfo code on sh incorrectly uses NR_CPUS when iterating CPUs instead of the runtime limit nr_cpu_ids. A second fix by Dan Carpenter fixes a use-after-free bug in register_intc_controller() which occurred as a result of improper error handling in the interrupt controller driver code when registering an interrupt controller during plat_irq_setup() on sh" * tag 'sh-for-v6.13-tag1' of git://git.kernel.org/pub/scm/linux/kernel/git/glaubitz/sh-linux: sh: intc: Fix use-after-free bug in register_intc_controller() sh: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK commit 50ee4a6fe3529fc98820f466ec6000aa333a4539 Merge: 6a34dfa15d6edf dfdf714fed559c Author: Linus Torvalds Date: Sat Nov 30 14:33:44 2024 -0800 Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux Pull arm64 fixes from Catalin Marinas: - Deselect ARCH_CORRECT_STACKTRACE_ON_KRETPROBE so that tests depending on it don't run (and fail) on arm64 - Fix lockdep assert in the Arm SMMUv3 PMU driver - Fix the port and device ID bits setting in the Arm CMN perf driver * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: perf/arm-cmn: Ensure port and device id bits are set properly perf/arm-smmuv3: Fix lockdep assert in ->event_init() arm64: disable ARCH_CORRECT_STACKTRACE_ON_KRETPROBE tests commit c44daa7e3c73229f7ac74985acb8c7fb909c4e0a Author: Dong Chenchen Date: Wed Nov 27 12:08:50 2024 +0800 net: Fix icmp host relookup triggering ip_rt_bug arp link failure may trigger ip_rt_bug while xfrm enabled, call trace is: WARNING: CPU: 0 PID: 0 at net/ipv4/route.c:1241 ip_rt_bug+0x14/0x20 Modules linked in: CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.0-rc6-00077-g2e1b3cc9d7f7 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:ip_rt_bug+0x14/0x20 Call Trace: ip_send_skb+0x14/0x40 __icmp_send+0x42d/0x6a0 ipv4_link_failure+0xe2/0x1d0 arp_error_report+0x3c/0x50 neigh_invalidate+0x8d/0x100 neigh_timer_handler+0x2e1/0x330 call_timer_fn+0x21/0x120 __run_timer_base.part.0+0x1c9/0x270 run_timer_softirq+0x4c/0x80 handle_softirqs+0xac/0x280 irq_exit_rcu+0x62/0x80 sysvec_apic_timer_interrupt+0x77/0x90 The script below reproduces this scenario: ip xfrm policy add src 0.0.0.0/0 dst 0.0.0.0/0 \ dir out priority 0 ptype main flag localok icmp ip l a veth1 type veth ip a a 192.168.141.111/24 dev veth0 ip l s veth0 up ping 192.168.141.155 -c 1 icmp_route_lookup() create input routes for locally generated packets while xfrm relookup ICMP traffic.Then it will set input route (dst->out = ip_rt_bug) to skb for DESTUNREACH. For ICMP err triggered by locally generated packets, dst->dev of output route is loopback. Generally, xfrm relookup verification is not required on loopback interfaces (net.ipv4.conf.lo.disable_xfrm = 1). Skip icmp relookup for locally generated packets to fix it. Fixes: 8b7817f3a959 ("[IPSEC]: Add ICMP host relookup support") Signed-off-by: Dong Chenchen Reviewed-by: David Ahern Reviewed-by: Eric Dumazet Link: https://patch.msgid.link/20241127040850.1513135-1-dongchenchen2@huawei.com Signed-off-by: Jakub Kicinski commit 84812c846aea158017b793a02c74dc8d6b25a1ae Merge: b9653d19e556c6 7078d43b2374da Author: Jakub Kicinski Date: Sat Nov 30 14:16:13 2024 -0800 Merge branch 'bnxt-fix-failure-to-report-rss-context-in-ntuple-rule' Daniel Xu says: ==================== bnxt: Fix failure to report RSS context in ntuple rule This patchset fixes a bug where bnxt driver was failing to report that an ntuple rule is redirecting to an RSS context. First commit is the fix, then second commit extends selftests to detect if other/new drivers are compliant with ntuple/rss_ctx API. ==================== Link: https://patch.msgid.link/cover.1732748253.git.dxu@dxuuu.xyz Signed-off-by: Jakub Kicinski commit 7078d43b2374daedf254662053e924c938eb86b3 Author: Daniel Xu Date: Wed Nov 27 15:58:30 2024 -0700 selftests: drv-net: rss_ctx: Add test for ntuple rule Extend the rss_ctx test suite to test that an ntuple action that redirects to an RSS context contains that information in `ethtool -n`. Otherwise the output from ethtool is highly deceiving. This test helps ensure drivers are compliant with the API. Signed-off-by: Daniel Xu Link: https://patch.msgid.link/759870e430b7c93ecaae6e448f30a47284c59637.1732748253.git.dxu@dxuuu.xyz Signed-off-by: Jakub Kicinski commit be75cda92a65a13db242117d674cd5584477a168 Author: Daniel Xu Date: Wed Nov 27 15:58:29 2024 -0700 bnxt_en: ethtool: Supply ntuple rss context action Commit 2f4f9fe5bf5f ("bnxt_en: Support adding ntuple rules on RSS contexts") added support for redirecting to an RSS context as an ntuple rule action. However, it forgot to update the ETHTOOL_GRXCLSRULE codepath. This caused `ethtool -n` to always report the action as "Action: Direct to queue 0" which is wrong. Fix by teaching bnxt driver to report the RSS context when applicable. Fixes: 2f4f9fe5bf5f ("bnxt_en: Support adding ntuple rules on RSS contexts") Reviewed-by: Michael Chan Signed-off-by: Daniel Xu Link: https://patch.msgid.link/2e884ae39e08dc5123be7c170a6089cefe6a78f7.1732748253.git.dxu@dxuuu.xyz Signed-off-by: Jakub Kicinski commit b9653d19e556c6afd035602927a93d100a0d7644 Author: Eric Dumazet Date: Tue Nov 26 14:43:44 2024 +0000 net: hsr: avoid potential out-of-bound access in fill_frame_info() syzbot is able to feed a packet with 14 bytes, pretending it is a vlan one. Since fill_frame_info() is relying on skb->mac_len already, extend the check to cover this case. BUG: KMSAN: uninit-value in fill_frame_info net/hsr/hsr_forward.c:709 [inline] BUG: KMSAN: uninit-value in hsr_forward_skb+0x9ee/0x3b10 net/hsr/hsr_forward.c:724 fill_frame_info net/hsr/hsr_forward.c:709 [inline] hsr_forward_skb+0x9ee/0x3b10 net/hsr/hsr_forward.c:724 hsr_dev_xmit+0x2f0/0x350 net/hsr/hsr_device.c:235 __netdev_start_xmit include/linux/netdevice.h:5002 [inline] netdev_start_xmit include/linux/netdevice.h:5011 [inline] xmit_one net/core/dev.c:3590 [inline] dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3606 __dev_queue_xmit+0x366a/0x57d0 net/core/dev.c:4434 dev_queue_xmit include/linux/netdevice.h:3168 [inline] packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276 packet_snd net/packet/af_packet.c:3146 [inline] packet_sendmsg+0x91ae/0xa6f0 net/packet/af_packet.c:3178 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:726 __sys_sendto+0x594/0x750 net/socket.c:2197 __do_sys_sendto net/socket.c:2204 [inline] __se_sys_sendto net/socket.c:2200 [inline] __x64_sys_sendto+0x125/0x1d0 net/socket.c:2200 x64_sys_call+0x346a/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:45 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:4091 [inline] slab_alloc_node mm/slub.c:4134 [inline] kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4186 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587 __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678 alloc_skb include/linux/skbuff.h:1323 [inline] alloc_skb_with_frags+0xc8/0xd00 net/core/skbuff.c:6612 sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2881 packet_alloc_skb net/packet/af_packet.c:2995 [inline] packet_snd net/packet/af_packet.c:3089 [inline] packet_sendmsg+0x74c6/0xa6f0 net/packet/af_packet.c:3178 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:726 __sys_sendto+0x594/0x750 net/socket.c:2197 __do_sys_sendto net/socket.c:2204 [inline] __se_sys_sendto net/socket.c:2200 [inline] __x64_sys_sendto+0x125/0x1d0 net/socket.c:2200 x64_sys_call+0x346a/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:45 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Fixes: 48b491a5cc74 ("net: hsr: fix mac_len checks") Reported-by: syzbot+671e2853f9851d039551@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/6745dc7f.050a0220.21d33d.0018.GAE@google.com/T/#u Signed-off-by: Eric Dumazet Cc: WingMan Kwok Cc: Murali Karicheri Cc: MD Danish Anwar Cc: Jiri Pirko Cc: George McCollister Link: https://patch.msgid.link/20241126144344.4177332-1-edumazet@google.com Signed-off-by: Jakub Kicinski commit 16ed454515a4fdcb8050a399bdcba6961aca089d Author: Vyshnav Ajith Date: Fri Nov 22 04:18:27 2024 +0530 docs: net: bareudp: fix spelling and grammar mistakes The BareUDP documentation had several grammar and spelling mistakes, making it harder to read. This patch fixes those errors to improve clarity and readability for developers. Signed-off-by: Vyshnav Ajith Link: https://patch.msgid.link/20241121224827.12293-1-puthen1977@gmail.com Signed-off-by: Jakub Kicinski commit 86d237734091201d2ab2c1d2e1063893621c770f Author: Len Brown Date: Sat Nov 30 16:22:00 2024 -0500 tools/power turbostat: 2024.11.30 since 2024.07.26: assorted minor bug fixes assorted platform specific tweaks initial RAPL PSYS (SysWatt) support Signed-off-by: Len Brown commit e5f687b89bc2a892256f48e14a568970b59a4812 Author: Patryk Wlazlyn Date: Wed Oct 2 15:05:15 2024 +0200 tools/power turbostat: Add RAPL psys as a built-in counter Introduce the counter as a part of global, platform counters structure. We open the counter for only one cpu, but otherwise treat it as an ordinary RAPL counter, allowing for grouped perf read. The counter is disabled by default, because it's interpretation may require additional, platform specific information, making it unsuitable for general use. Signed-off-by: Patryk Wlazlyn Signed-off-by: Len Brown commit 1da0daf746342dfdc114e4dc8fbf3ece28666d4f Author: Patryk Wlazlyn Date: Wed Nov 13 15:48:22 2024 +0100 tools/power turbostat: Fix child's argument forwarding Add '+' to optstring when early scanning for --no-msr and --no-perf. It causes option processing to stop as soon as a nonoption argument is encountered, effectively skipping child's arguments. Fixes: 3e4048466c39 ("tools/power turbostat: Add --no-msr option") Signed-off-by: Patryk Wlazlyn Signed-off-by: Len Brown commit bcfab87108b33f20d847fd71a2a93114dd2ce83e Author: Patryk Wlazlyn Date: Thu Oct 24 15:17:45 2024 +0200 tools/power turbostat: Force --no-perf in --dump mode Force the --no-perf early to prevent using it as a source. User asks for raw values, but perf returns them relative to the opening of the file descriptor. Signed-off-by: Patryk Wlazlyn Signed-off-by: Len Brown commit 03109e2f0d18dcb84218bd91c4fbf864193ca934 Author: Zhang Rui Date: Thu Nov 14 15:59:46 2024 +0800 tools/power turbostat: Add support for /sys/class/drm/card1 On some machines, the graphics device is enumerated as /sys/class/drm/card1 instead of /sys/class/drm/card0. The current implementation does not handle this scenario, resulting in the loss of graphics C6 residency and frequency information. Add support for /sys/class/drm/card1, ensuring that turbostat can retrieve and display the graphics columns for these platforms. Signed-off-by: Zhang Rui Signed-off-by: Len Brown commit c7538f33853b11d0ff2a81efb78bde125d1fc49f Author: Zhang Rui Date: Thu Nov 14 15:59:45 2024 +0800 tools/power turbostat: Cache graphics sysfs file descriptors during probe Snapshots of the graphics sysfs knobs are taken based on file descriptors. To optimize this process, open the files and cache the file descriptors during the graphics probe phase. As a result, the previously cached pathnames become redundant and are removed. This change aims to streamline the code without altering its functionality. No functional change intended. Signed-off-by: Zhang Rui Signed-off-by: Len Brown commit d071004e623b7433573019d67cba79e345d83006 Author: Zhang Rui Date: Thu Nov 14 15:59:44 2024 +0800 tools/power turbostat: Consolidate graphics sysfs access Currently, there is an inconsistency in how graphics sysfs knobs are accessed: graphics residency sysfs knobs are opened and closed for each read, while graphics frequency sysfs knobs are opened once and remain open until turbostat exits. This inconsistency is confusing and adds unnecessary code complexity. Consolidate the access method by opening the sysfs files once and reusing the file pointers for subsequent accesses. This approach simplifies the code and ensures a consistent method for accessing graphics sysfs knobs. Signed-off-by: Zhang Rui Signed-off-by: Len Brown commit ba99a4fc8c24dc7d35f18edb6e3b0a65345fbfa3 Author: Zhang Rui Date: Thu Nov 14 15:59:43 2024 +0800 tools/power turbostat: Remove unnecessary fflush() call The graphics sysfs knobs are read-only, making the use of fflush() before reading them redundant. Remove the unnecessary fflush() call. Signed-off-by: Zhang Rui Signed-off-by: Len Brown commit 1958f4e16864f78ab121de08ba4d7a984ed46891 Author: Zhang Rui Date: Thu Nov 14 15:59:42 2024 +0800 tools/power turbostat: Enhance platform divergence description In various generations, platforms often share a majority of features, diverging only in a few specific aspects. The current approach of using hardcoded values in 'platform_features' structure fails to effectively represent these divergences. To improve the description of platform divergence: 1. Each newly introduced 'platform_features' structure must have a base, typically derived from the previous generation. 2. Platform feature values should be inherited from the base structure rather than being hardcoded. This approach ensures a more accurate and maintainable representation of platform-specific features across different generations. Converts `adl_features` and `lnl_features` to follow this new scheme. No functional change. Signed-off-by: Zhang Rui Signed-off-by: Len Brown commit d39d586ee44407ec89b9527a9c1f27a91d6b05d1 Author: Zhang Rui Date: Thu Nov 14 15:59:41 2024 +0800 tools/power turbostat: Add initial support for GraniteRapids-D Add initial support for GraniteRapids-D. It shares the same features with SapphireRapids. Signed-off-by: Zhang Rui Signed-off-by: Len Brown commit 26c57a152bb4ab21757cb0cf439c4e8e0b5f61a9 Author: Zhang Rui Date: Thu Nov 14 15:59:40 2024 +0800 tools/power turbostat: Remove PC3 support on Lunarlake Lunarlake supports CC1/CC6/CC7/PC2/PC6/PC10. Remove PC3 support on Lunarlake. Signed-off-by: Zhang Rui Signed-off-by: Len Brown commit 3ae5f34384176a4a8742dd11ab0e1e062dcc6ce2 Author: Zhang Rui Date: Thu Nov 14 15:59:39 2024 +0800 tools/power turbostat: Rename arl_features to lnl_features As ARL shares the same features with ADL/RPL/MTL, now 'arl_features' is used by Lunarlake platform only. Rename 'arl_features' to 'lnl_features'. No functional change. Signed-off-by: Zhang Rui Signed-off-by: Len Brown commit b082e07aec468c4564ceff83a6739d2407d1979d Author: Zhang Rui Date: Thu Nov 14 15:59:38 2024 +0800 tools/power turbostat: Add back PC8 support on Arrowlake Similar to ADL/RPL/MTL, ARL supports CC1/CC6/CC7/PC2/PC3/PC6/PC8/PC10. Add back PC8 support on Arrowlake. Signed-off-by: Zhang Rui Signed-off-by: Len Brown commit f5e2cf228f185fe3ede98caf2b28e8a1c2103262 Author: Zhang Rui Date: Thu Nov 14 15:59:37 2024 +0800 tools/power turbostat: Remove PC7/PC9 support on MTL Similar to ADL/RPL, MTL support CC1/CC6/CC7/PC2/PC3/PC6/PC8/CP10. Remove PC7/PC9 support on MTL. Signed-off-by: Zhang Rui Signed-off-by: Len Brown commit c808624e2db2234991d948aa9bb9cd05bc3851a9 Author: Patryk Wlazlyn Date: Tue Sep 17 22:33:26 2024 +0200 tools/power turbostat: Honor --show CPU, even when even when num_cpus=1 Honor --show CPU and --show Core when "topo.num_cpus == 1". Previously turbostat assumed that on a 1-CPU system, these columns should never appear. Honoring these flags makes it easier for several programs that parse turbostat output. Signed-off-by: Patryk Wlazlyn Signed-off-by: Len Brown commit fed8511cc8996989178823052dc0200643e1389a Author: Zhang Rui Date: Tue Aug 27 13:07:51 2024 +0800 tools/power turbostat: Fix trailing '\n' parsing parse_cpu_string() parses the string input either from command line or from /sys/fs/cgroup/cpuset.cpus.effective to get a list of CPUs that turbostat can run with. The cpu string returned by /sys/fs/cgroup/cpuset.cpus.effective contains a trailing '\n', but strtoul() fails to treat this as an error. That says, for the code below val = ("\n", NULL, 10); val returns 0, and errno is also not set. As a result, CPU0 is erroneously considered as allowed CPU and this causes failures when turbostat tries to run on CPU0. get_counters: Could not migrate to CPU 0 ... turbostat: re-initialized with num_cpus 8, allowed_cpus 5 get_counters: Could not migrate to CPU 0 Add a check to return immediately if '\n' or '\0' is detected. Fixes: 8c3dd2c9e542 ("tools/power/turbostat: Abstrct function for parsing cpu string") Signed-off-by: Zhang Rui Signed-off-by: Len Brown commit ae2cdf8d92ffc326104524a1f9da4cf75b6ea996 Author: Patryk Wlazlyn Date: Tue Aug 20 18:47:59 2024 +0200 tools/power turbostat: Allow using cpu device in perf counters on hybrid platforms Intel hybrid platforms expose different perf devices for P and E cores. Instead of one, "/sys/bus/event_source/devices/cpu" device, there are "/sys/bus/event_source/devices/{cpu_core,cpu_atom}". This, however makes it more complicated for the user, because most of the counters are available on both and had to be handled manually. This patch allows users to use "virtual" cpu device that is seemingly translated to cpu_core and cpu_atom perf devices, depending on the type of a CPU we are opening the counter for. Signed-off-by: Patryk Wlazlyn Signed-off-by: Len Brown commit ea8614c08d7f725729910f464c01577d036f38f5 Author: Patryk Wlazlyn Date: Wed Aug 7 13:43:39 2024 +0200 tools/power turbostat: Fix column printing for PMT xtal_time counters If the very first printed column was for a PMT counter of type xtal_time we would misalign the column header, because we were always printing the delimiter. Signed-off-by: Patryk Wlazlyn Signed-off-by: Len Brown commit d4a058762f3d931aa1159b64ba94a09a04024f8c Author: Todd Brandt Date: Wed Jul 31 12:24:09 2024 -0400 tools/power turbostat: fix GCC9 build regression Fix build regression seen when using old gcc-9 compiler. Signed-off-by: Todd Brandt Reviewed-by: Chen Yu Signed-off-by: Len Brown commit 6a34dfa15d6edf7e78b8118d862d2db0889cf669 Merge: 0e287d31b62bb5 e6064da6461f98 Author: Linus Torvalds Date: Sat Nov 30 13:41:50 2024 -0800 Merge tag 'kbuild-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild Pull Kbuild updates from Masahiro Yamada: - Add generic support for built-in boot DTB files - Enable TAB cycling for dialog buttons in nconfig - Fix issues in streamline_config.pl - Refactor Kconfig - Add support for Clang's AutoFDO (Automatic Feedback-Directed Optimization) - Add support for Clang's Propeller, a profile-guided optimization. - Change the working directory to the external module directory for M= builds - Support building external modules in a separate output directory - Enable objtool for *.mod.o and additional kernel objects - Use lz4 instead of deprecated lz4c - Work around a performance issue with "git describe" - Refactor modpost * tag 'kbuild-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild: (85 commits) kbuild: rename .tmp_vmlinux.kallsyms0.syms to .tmp_vmlinux0.syms gitignore: Don't ignore 'tags' directory kbuild: add dependency from vmlinux to resolve_btfids modpost: replace tdb_hash() with hash_str() kbuild: deb-pkg: add python3:native to build dependency genksyms: reduce indentation in export_symbol() modpost: improve error messages in device_id_check() modpost: rename alias symbol for MODULE_DEVICE_TABLE() modpost: rename variables in handle_moddevtable() modpost: move strstarts() to modpost.h modpost: convert do_usb_table() to a generic handler modpost: convert do_of_table() to a generic handler modpost: convert do_pnp_device_entry() to a generic handler modpost: convert do_pnp_card_entries() to a generic handler modpost: call module_alias_printf() from all do_*_entry() functions modpost: pass (struct module *) to do_*_entry() functions modpost: remove DEF_FIELD_ADDR_VAR() macro modpost: deduplicate MODULE_ALIAS() for all drivers modpost: introduce module_alias_printf() helper modpost: remove unnecessary check in do_acpi_entry() ... commit eedcad2f2a371786f8a32d0046794103dadcedf3 Author: Eric Dumazet Date: Tue Nov 26 14:59:11 2024 +0000 selinux: use sk_to_full_sk() in selinux_ip_output() In blamed commit, TCP started to attach timewait sockets to some skbs. syzbot reported that selinux_ip_output() was not expecting them yet. Note that using sk_to_full_sk() is still allowing the following sk_listener() check to work as before. BUG: KASAN: slab-out-of-bounds in selinux_sock security/selinux/include/objsec.h:207 [inline] BUG: KASAN: slab-out-of-bounds in selinux_ip_output+0x1e0/0x1f0 security/selinux/hooks.c:5761 Read of size 8 at addr ffff88804e86e758 by task syz-executor347/5894 CPU: 0 UID: 0 PID: 5894 Comm: syz-executor347 Not tainted 6.12.0-syzkaller-05480-gfcc79e1714e8 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc3/0x620 mm/kasan/report.c:488 kasan_report+0xd9/0x110 mm/kasan/report.c:601 selinux_sock security/selinux/include/objsec.h:207 [inline] selinux_ip_output+0x1e0/0x1f0 security/selinux/hooks.c:5761 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xbb/0x200 net/netfilter/core.c:626 nf_hook+0x386/0x6d0 include/linux/netfilter.h:269 __ip_local_out+0x339/0x640 net/ipv4/ip_output.c:119 ip_local_out net/ipv4/ip_output.c:128 [inline] ip_send_skb net/ipv4/ip_output.c:1505 [inline] ip_push_pending_frames+0xa0/0x5b0 net/ipv4/ip_output.c:1525 ip_send_unicast_reply+0xd0e/0x1650 net/ipv4/ip_output.c:1672 tcp_v4_send_ack+0x976/0x13f0 net/ipv4/tcp_ipv4.c:1024 tcp_v4_timewait_ack net/ipv4/tcp_ipv4.c:1077 [inline] tcp_v4_rcv+0x2f96/0x4390 net/ipv4/tcp_ipv4.c:2428 ip_protocol_deliver_rcu+0xba/0x4c0 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x316/0x570 net/ipv4/ip_input.c:233 NF_HOOK include/linux/netfilter.h:314 [inline] NF_HOOK include/linux/netfilter.h:308 [inline] ip_local_deliver+0x18e/0x1f0 net/ipv4/ip_input.c:254 dst_input include/net/dst.h:460 [inline] ip_rcv_finish net/ipv4/ip_input.c:447 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] NF_HOOK include/linux/netfilter.h:308 [inline] ip_rcv+0x2c3/0x5d0 net/ipv4/ip_input.c:567 __netif_receive_skb_one_core+0x199/0x1e0 net/core/dev.c:5672 __netif_receive_skb+0x1d/0x160 net/core/dev.c:5785 process_backlog+0x443/0x15f0 net/core/dev.c:6117 __napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:6877 napi_poll net/core/dev.c:6946 [inline] net_rx_action+0xa94/0x1010 net/core/dev.c:7068 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 do_softirq kernel/softirq.c:455 [inline] do_softirq+0xb2/0xf0 kernel/softirq.c:442 __local_bh_enable_ip+0x100/0x120 kernel/softirq.c:382 local_bh_enable include/linux/bottom_half.h:33 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline] __dev_queue_xmit+0x8af/0x43e0 net/core/dev.c:4461 dev_queue_xmit include/linux/netdevice.h:3168 [inline] neigh_hh_output include/net/neighbour.h:523 [inline] neigh_output include/net/neighbour.h:537 [inline] ip_finish_output2+0xc6c/0x2150 net/ipv4/ip_output.c:236 __ip_finish_output net/ipv4/ip_output.c:314 [inline] __ip_finish_output+0x49e/0x950 net/ipv4/ip_output.c:296 ip_finish_output+0x35/0x380 net/ipv4/ip_output.c:324 NF_HOOK_COND include/linux/netfilter.h:303 [inline] ip_output+0x13b/0x2a0 net/ipv4/ip_output.c:434 dst_output include/net/dst.h:450 [inline] ip_local_out+0x33e/0x4a0 net/ipv4/ip_output.c:130 __ip_queue_xmit+0x777/0x1970 net/ipv4/ip_output.c:536 __tcp_transmit_skb+0x2b39/0x3df0 net/ipv4/tcp_output.c:1466 tcp_transmit_skb net/ipv4/tcp_output.c:1484 [inline] tcp_write_xmit+0x12b1/0x8560 net/ipv4/tcp_output.c:2827 __tcp_push_pending_frames+0xaf/0x390 net/ipv4/tcp_output.c:3010 tcp_send_fin+0x154/0xc70 net/ipv4/tcp_output.c:3616 __tcp_close+0x96b/0xff0 net/ipv4/tcp.c:3130 tcp_close+0x28/0x120 net/ipv4/tcp.c:3221 inet_release+0x13c/0x280 net/ipv4/af_inet.c:435 __sock_release net/socket.c:640 [inline] sock_release+0x8e/0x1d0 net/socket.c:668 smc_clcsock_release+0xb7/0xe0 net/smc/smc_close.c:34 __smc_release+0x5c2/0x880 net/smc/af_smc.c:301 smc_release+0x1fc/0x5f0 net/smc/af_smc.c:344 __sock_release+0xb0/0x270 net/socket.c:640 sock_close+0x1c/0x30 net/socket.c:1408 __fput+0x3f8/0xb60 fs/file_table.c:450 __fput_sync+0xa1/0xc0 fs/file_table.c:535 __do_sys_close fs/open.c:1550 [inline] __se_sys_close fs/open.c:1535 [inline] __x64_sys_close+0x86/0x100 fs/open.c:1535 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f6814c9ae10 Code: ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 80 3d b1 e2 07 00 00 74 17 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c RSP: 002b:00007fffb2389758 EFLAGS: 00000202 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f6814c9ae10 RDX: 0000000000000010 RSI: 0000000020000000 RDI: 0000000000000003 RBP: 00000000000f4240 R08: 0000000000000001 R09: 0000000000000001 R10: 0000000000000001 R11: 0000000000000202 R12: 00007fffb23897b0 R13: 00000000000141c3 R14: 00007fffb238977c R15: 00007fffb2389790 Fixes: 79636038d37e ("ipv4: tcp: give socket pointer to control skbs") Reported-by: syzbot+2d9f5f948c31dcb7745e@syzkaller.appspotmail.com Closes: https://lore.kernel.org/lkml/6745e1a2.050a0220.1286eb.001c.GAE@google.com/T/#u Signed-off-by: Eric Dumazet Acked-by: Paul Moore Reviewed-by: Kuniyuki Iwashima Link: https://patch.msgid.link/20241126145911.4187198-1-edumazet@google.com Signed-off-by: Jakub Kicinski commit 1596a135e3180c92e42dd1fbcad321f4fb3e3b17 Author: Martin Ottens Date: Mon Nov 25 18:46:07 2024 +0100 net/sched: tbf: correct backlog statistic for GSO packets When the length of a GSO packet in the tbf qdisc is larger than the burst size configured the packet will be segmented by the tbf_segment function. Whenever this function is used to enqueue SKBs, the backlog statistic of the tbf is not increased correctly. This can lead to underflows of the 'backlog' byte-statistic value when these packets are dequeued from tbf. Reproduce the bug: Ensure that the sender machine has GSO enabled. Configured the tbf on the outgoing interface of the machine as follows (burstsize = 1 MTU): $ tc qdisc add dev root handle 1: tbf rate 50Mbit burst 1514 latency 50ms Send bulk TCP traffic out via this interface, e.g., by running an iPerf3 client on this machine. Check the qdisc statistics: $ tc -s qdisc show dev The 'backlog' byte-statistic has incorrect values while traffic is transferred, e.g., high values due to u32 underflows. When the transfer is stopped, the value is != 0, which should never happen. This patch fixes this bug by updating the statistics correctly, even if single SKBs of a GSO SKB cannot be enqueued. Fixes: e43ac79a4bc6 ("sch_tbf: segment too big GSO packets") Signed-off-by: Martin Ottens Reviewed-by: Eric Dumazet Link: https://patch.msgid.link/20241125174608.1484356-1-martin.ottens@fau.de Signed-off-by: Jakub Kicinski commit 98337d7c87577ded71114f6976edb70a163e27bc Author: Ajay Kaher Date: Mon Nov 25 10:59:54 2024 +0000 ptp: Add error handling for adjfine callback in ptp_clock_adjtime ptp_clock_adjtime sets ptp->dialed_frequency even when adjfine callback returns an error. This causes subsequent reads to return an incorrect value. Fix this by adding error check before ptp->dialed_frequency is set. Fixes: 39a8cbd9ca05 ("ptp: remember the adjusted frequency") Signed-off-by: Ajay Kaher Acked-by: Richard Cochran Link: https://patch.msgid.link/20241125105954.1509971-1-ajay.kaher@broadcom.com Signed-off-by: Jakub Kicinski commit 0a4cc4accf00b49b4728bb7639cb90a6a5b674e2 Author: Eric Dumazet Date: Mon Nov 25 09:30:39 2024 +0000 tcp: populate XPS related fields of timewait sockets syzbot reported that netdev_core_pick_tx() was reading an uninitialized field [1]. This is indeed hapening for timewait sockets after recent commits. We can copy the original established socket sk_tx_queue_mapping and sk_rx_queue_mapping fields, instead of adding more checks in fast paths. As a bonus, packets will use the same transmit queue than prior ones, this potentially can avoid reordering. [1] BUG: KMSAN: uninit-value in netdev_pick_tx+0x5c7/0x1550 netdev_pick_tx+0x5c7/0x1550 netdev_core_pick_tx+0x1d2/0x4a0 net/core/dev.c:4312 __dev_queue_xmit+0x128a/0x57d0 net/core/dev.c:4394 dev_queue_xmit include/linux/netdevice.h:3168 [inline] neigh_hh_output include/net/neighbour.h:523 [inline] neigh_output include/net/neighbour.h:537 [inline] ip_finish_output2+0x187c/0x1b70 net/ipv4/ip_output.c:236 __ip_finish_output+0x287/0x810 ip_finish_output+0x4b/0x600 net/ipv4/ip_output.c:324 NF_HOOK_COND include/linux/netfilter.h:303 [inline] ip_output+0x15f/0x3f0 net/ipv4/ip_output.c:434 dst_output include/net/dst.h:450 [inline] ip_local_out net/ipv4/ip_output.c:130 [inline] ip_send_skb net/ipv4/ip_output.c:1505 [inline] ip_push_pending_frames+0x444/0x570 net/ipv4/ip_output.c:1525 ip_send_unicast_reply+0x18c1/0x1b30 net/ipv4/ip_output.c:1672 tcp_v4_send_reset+0x238d/0x2a40 net/ipv4/tcp_ipv4.c:910 tcp_v4_rcv+0x48f8/0x5750 net/ipv4/tcp_ipv4.c:2431 ip_protocol_deliver_rcu+0x2a3/0x13d0 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x336/0x500 net/ipv4/ip_input.c:233 NF_HOOK include/linux/netfilter.h:314 [inline] ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254 dst_input include/net/dst.h:460 [inline] ip_sublist_rcv_finish net/ipv4/ip_input.c:578 [inline] ip_list_rcv_finish net/ipv4/ip_input.c:628 [inline] ip_sublist_rcv+0x15f3/0x17f0 net/ipv4/ip_input.c:636 ip_list_rcv+0x9ef/0xa40 net/ipv4/ip_input.c:670 __netif_receive_skb_list_ptype net/core/dev.c:5715 [inline] __netif_receive_skb_list_core+0x15c5/0x1670 net/core/dev.c:5762 __netif_receive_skb_list net/core/dev.c:5814 [inline] netif_receive_skb_list_internal+0x1085/0x1700 net/core/dev.c:5905 gro_normal_list include/net/gro.h:515 [inline] napi_complete_done+0x3d4/0x810 net/core/dev.c:6256 virtqueue_napi_complete drivers/net/virtio_net.c:758 [inline] virtnet_poll+0x5d80/0x6bf0 drivers/net/virtio_net.c:3013 __napi_poll+0xe7/0x980 net/core/dev.c:6877 napi_poll net/core/dev.c:6946 [inline] net_rx_action+0xa5a/0x19b0 net/core/dev.c:7068 handle_softirqs+0x1a0/0x7c0 kernel/softirq.c:554 __do_softirq kernel/softirq.c:588 [inline] invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu+0x68/0x180 kernel/softirq.c:655 irq_exit_rcu+0x12/0x20 kernel/softirq.c:671 common_interrupt+0x97/0xb0 arch/x86/kernel/irq.c:278 asm_common_interrupt+0x2b/0x40 arch/x86/include/asm/idtentry.h:693 __preempt_count_sub arch/x86/include/asm/preempt.h:84 [inline] kmsan_virt_addr_valid arch/x86/include/asm/kmsan.h:95 [inline] virt_to_page_or_null+0xfb/0x150 mm/kmsan/shadow.c:75 kmsan_get_metadata+0x13e/0x1c0 mm/kmsan/shadow.c:141 kmsan_get_shadow_origin_ptr+0x4d/0xb0 mm/kmsan/shadow.c:102 get_shadow_origin_ptr mm/kmsan/instrumentation.c:38 [inline] __msan_metadata_ptr_for_store_4+0x27/0x40 mm/kmsan/instrumentation.c:93 rcu_preempt_read_enter kernel/rcu/tree_plugin.h:390 [inline] __rcu_read_lock+0x46/0x70 kernel/rcu/tree_plugin.h:413 rcu_read_lock include/linux/rcupdate.h:847 [inline] batadv_nc_purge_orig_hash net/batman-adv/network-coding.c:408 [inline] batadv_nc_worker+0x114/0x19e0 net/batman-adv/network-coding.c:719 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xae0/0x1c40 kernel/workqueue.c:3310 worker_thread+0xea7/0x14f0 kernel/workqueue.c:3391 kthread+0x3e2/0x540 kernel/kthread.c:389 ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Uninit was created at: __alloc_pages_noprof+0x9a7/0xe00 mm/page_alloc.c:4774 alloc_pages_mpol_noprof+0x299/0x990 mm/mempolicy.c:2265 alloc_pages_noprof+0x1bf/0x1e0 mm/mempolicy.c:2344 alloc_slab_page mm/slub.c:2412 [inline] allocate_slab+0x320/0x12e0 mm/slub.c:2578 new_slab mm/slub.c:2631 [inline] ___slab_alloc+0x12ef/0x35e0 mm/slub.c:3818 __slab_alloc mm/slub.c:3908 [inline] __slab_alloc_node mm/slub.c:3961 [inline] slab_alloc_node mm/slub.c:4122 [inline] kmem_cache_alloc_noprof+0x57a/0xb20 mm/slub.c:4141 inet_twsk_alloc+0x11f/0x9d0 net/ipv4/inet_timewait_sock.c:188 tcp_time_wait+0x83/0xf50 net/ipv4/tcp_minisocks.c:309 tcp_rcv_state_process+0x145a/0x49d0 tcp_v4_do_rcv+0xbf9/0x11a0 net/ipv4/tcp_ipv4.c:1939 tcp_v4_rcv+0x51df/0x5750 net/ipv4/tcp_ipv4.c:2351 ip_protocol_deliver_rcu+0x2a3/0x13d0 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x336/0x500 net/ipv4/ip_input.c:233 NF_HOOK include/linux/netfilter.h:314 [inline] ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254 dst_input include/net/dst.h:460 [inline] ip_sublist_rcv_finish net/ipv4/ip_input.c:578 [inline] ip_list_rcv_finish net/ipv4/ip_input.c:628 [inline] ip_sublist_rcv+0x15f3/0x17f0 net/ipv4/ip_input.c:636 ip_list_rcv+0x9ef/0xa40 net/ipv4/ip_input.c:670 __netif_receive_skb_list_ptype net/core/dev.c:5715 [inline] __netif_receive_skb_list_core+0x15c5/0x1670 net/core/dev.c:5762 __netif_receive_skb_list net/core/dev.c:5814 [inline] netif_receive_skb_list_internal+0x1085/0x1700 net/core/dev.c:5905 gro_normal_list include/net/gro.h:515 [inline] napi_complete_done+0x3d4/0x810 net/core/dev.c:6256 virtqueue_napi_complete drivers/net/virtio_net.c:758 [inline] virtnet_poll+0x5d80/0x6bf0 drivers/net/virtio_net.c:3013 __napi_poll+0xe7/0x980 net/core/dev.c:6877 napi_poll net/core/dev.c:6946 [inline] net_rx_action+0xa5a/0x19b0 net/core/dev.c:7068 handle_softirqs+0x1a0/0x7c0 kernel/softirq.c:554 __do_softirq kernel/softirq.c:588 [inline] invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu+0x68/0x180 kernel/softirq.c:655 irq_exit_rcu+0x12/0x20 kernel/softirq.c:671 common_interrupt+0x97/0xb0 arch/x86/kernel/irq.c:278 asm_common_interrupt+0x2b/0x40 arch/x86/include/asm/idtentry.h:693 CPU: 0 UID: 0 PID: 3962 Comm: kworker/u8:18 Not tainted 6.12.0-syzkaller-09073-g9f16d5e6f220 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: bat_events batadv_nc_worker Fixes: 79636038d37e ("ipv4: tcp: give socket pointer to control skbs") Fixes: 507a96737d99 ("ipv6: tcp: give socket pointer to control skbs") Reported-by: syzbot+8b0959fc16551d55896b@syzkaller.appspotmail.com Link: https://lore.kernel.org/netdev/674442bd.050a0220.1cc393.0072.GAE@google.com/T/#u Signed-off-by: Eric Dumazet Reviewed-by: Kuniyuki Iwashima Reviewed-by: Brian Vazquez Link: https://patch.msgid.link/20241125093039.3095790-1-edumazet@google.com Signed-off-by: Jakub Kicinski commit 0e287d31b62bb53ad81d5e59778384a40f8b6f56 Merge: 831c1926ee728c e0779a0dcf41a6 Author: Linus Torvalds Date: Sat Nov 30 11:18:16 2024 -0800 Merge tag 'rtc-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux Pull RTC updates from Alexandre Belloni: "New drivers: - Amlogic A4 and A5 RTC - Marvell 88PM886 PMIC RTC - Renesas RTCA-3 for Renesas RZ/G3S Driver updates: - ab-eoz9: fix temperature and alarm support - cmos: improve locking behaviour - isl12022: add alarm support - m48t59: improve epoch handling - mt6359: add range - rzn1: fix BCD conversions and simplify driver" * tag 'rtc-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux: (38 commits) rtc: ab-eoz9: don't fail temperature reads on undervoltage notification rtc: rzn1: reduce register access rtc: rzn1: drop superfluous wday calculation m68k: mvme147, mvme16x: Adopt rtc-m48t59 platform driver rtc: brcmstb-waketimer: don't include 'pm_wakeup.h' directly rtc: m48t59: Use platform_data struct for year offset value rtc: ab-eoz9: fix abeoz9_rtc_read_alarm rtc: rv3028: fix RV3028_TS_COUNT type rtc: rzn1: update Michel's email rtc: rzn1: fix BCD to rtc_time conversion errors rtc: amlogic-a4: fix compile error rtc: amlogic-a4: drop error messages MAINTAINERS: Add an entry for Amlogic RTC driver rtc: support for the Amlogic on-chip RTC dt-bindings: rtc: Add Amlogic A4 and A5 RTC rtc: add driver for Marvell 88PM886 PMIC RTC rtc: check if __rtc_read_time was successful in rtc_timer_do_work() rtc: pcf8563: Switch to regmap rtc: pcf8563: Sort headers alphabetically rtc: abx80x: Fix WDT bit position of the status register ... commit 831c1926ee728c3e747255f7c0f434762e8e863d Merge: 04b43ea325d21c bed2cc48260029 Author: Linus Torvalds Date: Sat Nov 30 10:34:54 2024 -0800 Merge tag 'uml-for-linus-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/uml/linux Pull UML updates from Richard Weinberger: - Lots of cleanups, mostly from Benjamin Berg and Tiwei Bie - Removal of unused code - Fix for sparse warnings - Cleanup around stub_exe() * tag 'uml-for-linus-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/uml/linux: (68 commits) hostfs: Fix the NULL vs IS_ERR() bug for __filemap_get_folio() um: move thread info into task um: Always dump trace for specified task in show_stack um: vector: Do not use drvdata in release um: net: Do not use drvdata in release um: ubd: Do not use drvdata in release um: ubd: Initialize ubd's disk pointer in ubd_add um: virtio_uml: query the number of vqs if supported um: virtio_uml: fix call_fd IRQ allocation um: virtio_uml: send SET_MEM_TABLE message with the exact size um: remove broken double fault detection um: remove duplicate UM_NSEC_PER_SEC definition um: remove file sync for stub data um: always include kconfig.h and compiler-version.h um: set DONTDUMP and DONTFORK flags on KASAN shadow memory um: fix sparse warnings in signal code um: fix sparse warnings from regset refactor um: Remove double zero check um: fix stub exe build with CONFIG_GCOV um: Use os_set_pdeathsig helper in winch thread/process ... commit 04b43ea325d21c4c98e831383a1b7d540721898a Merge: e864effa1fe240 bcdcb115eaed5e Author: Linus Torvalds Date: Sat Nov 30 10:32:47 2024 -0800 Merge tag 'ubifs-for-linus-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/ubifs Pull JFFS2, UBI and UBIFS updates from Richard Weinberger: "JFFS2: - Bug fix for rtime compression - Various cleanups UBI: - Cleanups for fastmap and wear leveling UBIFS: - Add support for FS_IOC_GETFSSYSFSPATH - Remove dead ioctl code - Fix UAF in ubifs_tnc_end_commit()" * tag 'ubifs-for-linus-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/ubifs: (25 commits) ubifs: Fix uninitialized use of err in ubifs_jnl_write_inode() jffs2: Prevent rtime decompress memory corruption jffs2: remove redundant check on outpos > pos fs: jffs2: Fix inconsistent indentation in jffs2_mark_node_obsolete jffs2: Correct some typos in comments jffs2: fix use of uninitialized variable jffs2: Use str_yes_no() helper function mtd: ubi: remove redundant check on bytes_left at end of function mtd: ubi: fix unreleased fwnode_handle in find_volume_fwnode() ubifs: authentication: Fix use-after-free in ubifs_tnc_end_commit ubi: fastmap: Fix duplicate slab cache names while attaching ubifs: xattr: remove unused anonymous enum ubifs: Reduce kfree() calls in ubifs_purge_xattrs() ubifs: Call iput(xino) only once in ubifs_purge_xattrs() ubi: wl: Close down wear-leveling before nand is suspended mtd: ubi: Rmove unused declaration in header file ubifs: Correct the total block count by deducting journal reservation ubifs: Convert to use ERR_CAST() ubifs: add support for FS_IOC_GETFSSYSFSPATH ubifs: remove unused ioctl flags GETFLAGS/SETFLAGS ... commit e864effa1fe240473e023fc8e8d243045a7763e0 Merge: 9d0ad045533ee3 e0260d530b73ee Author: Linus Torvalds Date: Sat Nov 30 10:28:14 2024 -0800 Merge tag '9p-for-6.13-rc1' of https://github.com/martinetd/linux Pull 9p updates from Dominique Martinet: - usbg: fix alloc failure handling & build-as-module - xen: couple of fixes - v9fs_cache_register/unregister code cleanup * tag '9p-for-6.13-rc1' of https://github.com/martinetd/linux: net/9p/usbg: allow building as standalone module 9p/xen: fix release of IRQ 9p/xen: fix init sequence net/9p/usbg: fix handling of the failed kzalloc() memory allocation fs/9p: replace functions v9fs_cache_{register|unregister} with direct calls commit 9d0ad045533ee37a208991ac5baaf6641e60a9ed Merge: baf67f6aa9d295 c5cf420303256d Author: Linus Torvalds Date: Sat Nov 30 10:22:38 2024 -0800 Merge tag 'ceph-for-6.13-rc1' of https://github.com/ceph/ceph-client Pull ceph updates from Ilya Dryomov: "A fix for the mount "device" string parser from Patrick and two cred reference counting fixups from Max, marked for stable. Also included a number of cleanups and a tweak to MAINTAINERS to avoid unnecessarily CCing netdev list" * tag 'ceph-for-6.13-rc1' of https://github.com/ceph/ceph-client: ceph: fix cred leak in ceph_mds_check_access() ceph: pass cred pointer to ceph_mds_auth_match() ceph: improve caps debugging output ceph: correct ceph_mds_cap_peer field name ceph: correct ceph_mds_cap_item field name ceph: miscellaneous spelling fixes ceph: Use strscpy() instead of strcpy() in __get_snap_name() ceph: Use str_true_false() helper in status_show() ceph: requalify some char pointers as const ceph: extract entity name from device id MAINTAINERS: exclude net/ceph from networking ceph: Remove fs/ceph deadcode libceph: Remove unused ceph_crypto_key_encode libceph: Remove unused ceph_osdc_watch_check libceph: Remove unused pagevec functions libceph: Remove unused ceph_pagelist functions commit baf67f6aa9d29512809f1b1fbab624fce57fd16d Merge: 0235da0faeeec1 38a125b31504f9 Author: Linus Torvalds Date: Sat Nov 30 10:17:53 2024 -0800 Merge tag 'nfs-for-6.13-1' of git://git.linux-nfs.org/projects/trondmy/linux-nfs Pull NFS client updates from Trond Myklebust: "Bugfixes: - nfs/localio: fix for a memory corruption in nfs_local_read_done - Revert "nfs: don't reuse partially completed requests in nfs_lock_and_join_requests" - nfsv4: - ignore SB_RDONLY when mounting nfs - Fix a use-after-free problem in open() - sunrpc: - clear XPRT_SOCK_UPD_TIMEOUT when reseting the transport - timeout and cancel TLS handshake with -ETIMEDOUT - fix one UAF issue caused by sunrpc kernel tcp socket - Fix a hang in TLS sock_close if sk_write_pending - pNFS/blocklayout: Fix device registration issues Features and cleanups: - localio cleanups from Mike Snitzer - Clean up refcounting on the nfs version modules - __counted_by() annotations - nfs: make processes that are waiting for an I/O lock killable" * tag 'nfs-for-6.13-1' of git://git.linux-nfs.org/projects/trondmy/linux-nfs: (24 commits) fs/nfs/io: make nfs_start_io_*() killable nfs/blocklayout: Limit repeat device registration on failure nfs/blocklayout: Don't attempt unregister for invalid block device sunrpc: fix one UAF issue caused by sunrpc kernel tcp socket SUNRPC: timeout and cancel TLS handshake with -ETIMEDOUT sunrpc: clear XPRT_SOCK_UPD_TIMEOUT when reset transport nfs: ignore SB_RDONLY when mounting nfs Revert "nfs: don't reuse partially completed requests in nfs_lock_and_join_requests" Revert "fs: nfs: fix missing refcnt by replacing folio_set_private by folio_attach_private" nfs/localio: must clear res.replen in nfs_local_read_done NFSv4.0: Fix a use-after-free problem in the asynchronous open() NFSv4.0: Fix the wake up of the next waiter in nfs_release_seqid() SUNRPC: Fix a hang in TLS sock_close if sk_write_pending sunrpc: remove newlines from tracepoints nfs: Annotate struct pnfs_commit_array with __counted_by() nfs/localio: eliminate need for nfs_local_fsync_work forward declaration nfs/localio: remove extra indirect nfs_to call to check {read,write}_iter nfs/localio: eliminate unnecessary kref in nfs_local_fsync_ctx nfs/localio: remove redundant suid/sgid handling NFS: Implement get_nfs_version() ... commit 0235da0faeeec1c1ce2265fc627f5d5d9cae7ce8 Merge: 109daa2356efe7 8d7690b3c146f8 Author: Linus Torvalds Date: Sat Nov 30 10:14:42 2024 -0800 Merge tag '6.13-rc-part2-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6 Pull smb client updates from Steve French: - directory lease fixes - password rotation fixes - reconnect fix - fix for SMB3.02 mounts - DFS (global namespace) fixes - fixes for special file handling (most relating to better handling various types of symlinks) - two minor cleanups * tag '6.13-rc-part2-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6: (22 commits) cifs: update internal version number cifs: unlock on error in smb3_reconfigure() cifs: during remount, make sure passwords are in sync cifs: support mounting with alternate password to allow password rotation smb: Initialize cfid->tcon before performing network ops smb: During unmount, ensure all cached dir instances drop their dentry smb: client: fix noisy message when mounting shares smb: client: don't try following DFS links in cifs_tree_connect() smb: client: allow reconnect when sending ioctl smb: client: get rid of @nlsc param in cifs_tree_connect() smb: client: allow more DFS referrals to be cached cifs: Fix parsing reparse point with native symlink in SMB1 non-UNICODE session cifs: Validate content of WSL reparse point buffers cifs: Improve guard for excluding $LXDEV xattr cifs: Add support for parsing WSL-style symlinks cifs: Validate content of native symlink cifs: Fix parsing native symlinks relative to the export smb: client: fix NULL ptr deref in crypto_aead_setkey() Update misleading comment in cifs_chan_update_iface smb: client: change return value in open_cached_dir_by_dentry() if !cfids ... commit 109daa2356efe73491e32a3b2431c8bf57a6c58e Merge: d8b78066f4c9c8 9a8c5d89d327ff Author: Linus Torvalds Date: Sat Nov 30 10:06:56 2024 -0800 Merge tag '6.13-rc-ksmbd-server-fixes' of git://git.samba.org/ksmbd Pull smb server updates from Steve French: - fix use after free due to race in ksmd workqueue handler - debugging improvements - fix incorrectly formatted response when client attempts SMB1 - improve memory allocation to reduce chance of OOM - improve delays between retries when killing sessions * tag '6.13-rc-ksmbd-server-fixes' of git://git.samba.org/ksmbd: ksmbd: fix use-after-free in SMB request handling ksmbd: add debug print for pending request during server shutdown ksmbd: add netdev-up/down event debug print ksmbd: add debug prints to know what smb2 requests were received ksmbd: add debug print for rdma capable ksmbd: use msleep instaed of schedule_timeout_interruptible() ksmbd: use __GFP_RETRY_MAYFAIL ksmbd: fix malformed unsupported smb1 negotiate response commit 5c8418cf4025388bedd4d65ada993f7d3786cc3a Author: Brian Norris Date: Tue Nov 26 13:04:34 2024 -0800 PCI/pwrctrl: Unregister platform device only if one actually exists If a PCI device has an associated device_node with power supplies, pci_bus_add_device() creates platform devices for use by pwrctrl. When the PCI device is removed, pci_stop_dev() uses of_find_device_by_node() to locate the related platform device, then unregisters it. But when we remove a PCI device with no associated device node, dev_of_node(dev) is NULL, and of_find_device_by_node(NULL) returns the first device with "dev->of_node == NULL". The result is that we (a) mistakenly unregister a completely unrelated platform device, leading to issues like the first trace below, and (b) dereference the NULL pointer from dev_of_node() when clearing OF_POPULATED, as in the second trace. Unregister a platform device only if there is one associated with this PCI device. This resolves issues seen when doing: # echo 1 > /sys/bus/pci/devices/.../remove Sample issue from unregistering the wrong platform device: WARNING: CPU: 0 PID: 5095 at drivers/regulator/core.c:5885 regulator_unregister+0x140/0x160 Call trace: regulator_unregister+0x140/0x160 devm_rdev_release+0x1c/0x30 release_nodes+0x68/0x100 devres_release_all+0x98/0xf8 device_unbind_cleanup+0x20/0x70 device_release_driver_internal+0x1f4/0x240 device_release_driver+0x20/0x40 bus_remove_device+0xd8/0x170 device_del+0x154/0x380 device_unregister+0x28/0x88 of_device_unregister+0x1c/0x30 pci_stop_bus_device+0x154/0x1b0 pci_stop_and_remove_bus_device_locked+0x28/0x48 remove_store+0xa0/0xb8 dev_attr_store+0x20/0x40 sysfs_kf_write+0x4c/0x68 Later NULL pointer dereference for of_node_clear_flag(NULL, OF_POPULATED): Unable to handle kernel NULL pointer dereference at virtual address 00000000000000c0 Call trace: pci_stop_bus_device+0x190/0x1b0 pci_stop_and_remove_bus_device_locked+0x28/0x48 remove_store+0xa0/0xb8 dev_attr_store+0x20/0x40 sysfs_kf_write+0x4c/0x68 Link: https://lore.kernel.org/r/20241126210443.4052876-1-briannorris@chromium.org Fixes: 681725afb6b9 ("PCI/pwrctl: Remove pwrctl device without iterating over all children of pwrctl parent") Reported-by: Saurabh Sengar Closes: https://lore.kernel.org/r/1732890621-19656-1-git-send-email-ssengar@linux.microsoft.com Signed-off-by: Brian Norris [bhelgaas: commit log] Signed-off-by: Bjorn Helgaas commit d8b78066f4c9c8ec898bd4246fc4db31d476dd88 Merge: 2ba9f676d0a2e4 718632467d88e9 Author: Linus Torvalds Date: Sat Nov 30 09:03:16 2024 -0800 Merge tag 'tty-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty Pull tty / serial driver updates from Greg KH: "Here is a small set of tty and serial driver updates for 6.13-rc1. Nothing major at all this time, only some small changes: - few device tree binding updates - 8250_exar serial driver updates - imx serial driver updates - sprd_serial driver updates - other tiny serial driver updates, full details in the shortlog All of these have been in linux-next for a while with one reported issue, but that commit has now been reverted" * tag 'tty-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: (37 commits) Revert "serial: sh-sci: Clean sci_ports[0] after at earlycon exit" serial: amba-pl011: fix build regression dt-bindings: serial: Add a new compatible string for ums9632 serial: sprd: Add support for sc9632 tty/serial/altera_uart: unwrap error log string tty/serial/altera_jtaguart: unwrap error log string serial: amba-pl011: Fix RX stall when DMA is used tty: ldsic: fix tty_ldisc_autoload sysctl's proc_handler serial: 8250_fintek: Add support for F81216E serial: sh-sci: Clean sci_ports[0] after at earlycon exit tty: atmel_serial: Fix typo retreives to retrieves tty: atmel_serial: Use devm_platform_ioremap_resource() serial: 8250: omap: Move pm_runtime_get_sync tty: serial: samsung: Add Exynos8895 compatible dt-bindings: serial: samsung: Add samsung,exynos8895-uart compatible serial: 8250_dw: Add Sophgo SG2044 quirk dt-bindings: serial: snps-dw-apb-uart: Add Sophgo SG2044 uarts dt-bindings: serial: snps,dw-apb-uart: merge duplicate compatible entry. altera_jtaguart: Use dev_err() to report error attaching IRQ altera_uart: Use dev_err() to report error attaching IRQ handler ... commit 718632467d88e98816fa01ab12681ef1c2aa56f8 Author: Greg Kroah-Hartman Date: Sat Nov 30 16:55:56 2024 +0100 Revert "serial: sh-sci: Clean sci_ports[0] after at earlycon exit" This reverts commit 3791ea69a4858b81e0277f695ca40f5aae40f312. It was reported to cause boot-time issues, so revert it for now. Reported-by: Geert Uytterhoeven Fixes: 3791ea69a485 ("serial: sh-sci: Clean sci_ports[0] after at earlycon exit") Cc: stable Cc: Claudiu Beznea Signed-off-by: Greg Kroah-Hartman commit 63e72e551942642c48456a4134975136cdcb9b3c Author: Dan Carpenter Date: Wed Oct 23 11:41:59 2024 +0300 sh: intc: Fix use-after-free bug in register_intc_controller() In the error handling for this function, d is freed without ever removing it from intc_list which would lead to a use after free. To fix this, let's only add it to the list after everything has succeeded. Fixes: 2dcec7a988a1 ("sh: intc: set_irq_wake() support") Signed-off-by: Dan Carpenter Reviewed-by: John Paul Adrian Glaubitz Signed-off-by: John Paul Adrian Glaubitz commit 3c891f7c6a4e90bb1199497552f24b26e46383bc Author: Huacai Chen Date: Thu Jul 14 16:41:36 2022 +0800 sh: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK When CONFIG_CPUMASK_OFFSTACK and CONFIG_DEBUG_PER_CPU_MAPS are selected, cpu_max_bits_warn() generates a runtime warning similar as below when showing /proc/cpuinfo. Fix this by using nr_cpu_ids (the runtime limit) instead of NR_CPUS to iterate CPUs. [ 3.052463] ------------[ cut here ]------------ [ 3.059679] WARNING: CPU: 3 PID: 1 at include/linux/cpumask.h:108 show_cpuinfo+0x5e8/0x5f0 [ 3.070072] Modules linked in: efivarfs autofs4 [ 3.076257] CPU: 0 PID: 1 Comm: systemd Not tainted 5.19-rc5+ #1052 [ 3.099465] Stack : 9000000100157b08 9000000000f18530 9000000000cf846c 9000000100154000 [ 3.109127] 9000000100157a50 0000000000000000 9000000100157a58 9000000000ef7430 [ 3.118774] 90000001001578e8 0000000000000040 0000000000000020 ffffffffffffffff [ 3.128412] 0000000000aaaaaa 1ab25f00eec96a37 900000010021de80 900000000101c890 [ 3.138056] 0000000000000000 0000000000000000 0000000000000000 0000000000aaaaaa [ 3.147711] ffff8000339dc220 0000000000000001 0000000006ab4000 0000000000000000 [ 3.157364] 900000000101c998 0000000000000004 9000000000ef7430 0000000000000000 [ 3.167012] 0000000000000009 000000000000006c 0000000000000000 0000000000000000 [ 3.176641] 9000000000d3de08 9000000001639390 90000000002086d8 00007ffff0080286 [ 3.186260] 00000000000000b0 0000000000000004 0000000000000000 0000000000071c1c [ 3.195868] ... [ 3.199917] Call Trace: [ 3.203941] [<90000000002086d8>] show_stack+0x38/0x14c [ 3.210666] [<9000000000cf846c>] dump_stack_lvl+0x60/0x88 [ 3.217625] [<900000000023d268>] __warn+0xd0/0x100 [ 3.223958] [<9000000000cf3c90>] warn_slowpath_fmt+0x7c/0xcc [ 3.231150] [<9000000000210220>] show_cpuinfo+0x5e8/0x5f0 [ 3.238080] [<90000000004f578c>] seq_read_iter+0x354/0x4b4 [ 3.245098] [<90000000004c2e90>] new_sync_read+0x17c/0x1c4 [ 3.252114] [<90000000004c5174>] vfs_read+0x138/0x1d0 [ 3.258694] [<90000000004c55f8>] ksys_read+0x70/0x100 [ 3.265265] [<9000000000cfde9c>] do_syscall+0x7c/0x94 [ 3.271820] [<9000000000202fe4>] handle_syscall+0xc4/0x160 [ 3.281824] ---[ end trace 8b484262b4b8c24c ]--- Cc: stable@vger.kernel.org Signed-off-by: Huacai Chen Reviewed-by: John Paul Adrian Glaubitz Tested-by: John Paul Adrian Glaubitz Signed-off-by: John Paul Adrian Glaubitz commit ed990c07af70d286f5736021c6e25d8df6f2f7b0 Author: Takashi Iwai Date: Sat Nov 30 10:00:08 2024 +0100 ALSA: ump: Shut up truncated string warning The recent change for the legacy substream name update brought a compile warning for some compilers due to the nature of snprintf(). Use scnprintf() to shut up the warning since the truncation is intentional. Fixes: e29e504e7890 ("ALSA: ump: Indicate the inactive group in legacy substream names") Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202411300103.FrGuTAYp-lkp@intel.com/ Link: https://patch.msgid.link/20241130090009.19849-1-tiwai@suse.de Signed-off-by: Takashi Iwai commit 2ba9f676d0a2e408aef14d679984c26373bf37b7 Merge: 517363b4949e44 9794b89c50f7fc Author: Linus Torvalds Date: Fri Nov 29 13:06:06 2024 -0800 Merge tag 'drm-next-2024-11-29' of https://gitlab.freedesktop.org/drm/kernel Pull drm fixes from Dave Airlie: "Merge window fixes, mostly amdgpu and xe, with a few other minor ones, all looks fairly normal, i915: - hdcp: Fix when the first read and write are retried xe: - Wake up waiters after wait condition set to true - Mark the preempt fence workqueue as reclaim - Update xe2 graphics name string - Fix a couple of guc submit races - Fix pat index usage in migrate - Ensure non-cached migrate pagetable bo mappings - Take a PM ref in the delayed snapshot capture worker amdgpu: - SMU 13.0.6 fixes - XGMI fixes - SMU 13.0.7 fixes - Misc code cleanups - Plane refcount fixes - DCN 4.0.1 fixes - DC power fixes - DTO fixes - NBIO 7.11 fixes - SMU 14.0.x fixes - Reset fixes - Enable DC on LoongArch - Sysfs hotplug warning fix - Misc small fixes - VCN 4.0.3 fix - Slab usage fix - Jpeg delayed work fix amdkfd: - wptr handling fixes radeon: - Use ttm_bo_move_null() - Constify struct pci_device_id - Fix spurious hotplug - HPD fix rockchip - fix 32-bit build" * tag 'drm-next-2024-11-29' of https://gitlab.freedesktop.org/drm/kernel: (48 commits) drm/xe: Take PM ref in delayed snapshot capture worker drm/xe/migrate: use XE_BO_FLAG_PAGETABLE drm/xe/migrate: fix pat index usage drm/xe/guc_submit: fix race around suspend_pending drm/xe/guc_submit: fix race around pending_disable drm/xe: Update xe2_graphics name string drm/rockchip: avoid 64-bit division Revert "drm/radeon: Delay Connector detecting when HPD singals is unstable" drm/amdgpu/jpeg: cancel the jpeg worker drm/amdgpu: fix usage slab after free drm/amdgpu/vcn: reset fw_shared when VCPU buffers corrupted on vcn v4.0.3 drm/amdgpu: Fix sysfs warning when hotplugging drm/amdgpu: Add sysfs interface for vcn reset mask drm/amdgpu/gmc7: fix wait_for_idle callers drm/amd/pm: Remove arcturus min power limit drm/amd/pm: skip setting the power source on smu v14.0.2/3 drm/amd/pm: disable pcie speed switching on Intel platform for smu v14.0.2/3 drm/amdkfd: Use the correct wptr size drm/xe: Mark preempt fence workqueue as reclaim drm/xe/ufence: Wake up waiters after setting ufence->signalled ... commit 517363b4949e4442dfe54b281ef5a8bbfafa3bbb Merge: 2eff01ee2881be 2e5bf5b6d2617a Author: Linus Torvalds Date: Fri Nov 29 13:01:05 2024 -0800 Merge tag 'sound-fix-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound Pull sound fixes from Takashi Iwai: "A collection of small fixes. Majority of changes are device-specific fixes and quirks, while there are a few core fixes to address regressions and corner cases spotted by fuzzers. - Fix of spinlock range that wrongly covered kvfree() call in rawmidi - Fix potential NULL dereference at PCM mmap - Fix incorrectly advertised MIDI 2.0 UMP Function Block info - Various ASoC AMD quirks and fixes - ASoC SOF Intel, Mediatek, HDMI-codec fixes - A few more quirks and TAS2781 codec fix for HD-audio - A couple of fixes for USB-audio for malicious USB descriptors" * tag 'sound-fix-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (30 commits) ALSA: hda: improve bass speaker support for ASUS Zenbook UM5606WA ALSA: hda/realtek: Apply quirk for Medion E15433 ASoC: amd: yc: Add a quirk for microfone on Lenovo ThinkPad P14s Gen 5 21MES00B00 ASoC: SOF: ipc3-topology: Convert the topology pin index to ALH dai index ASoC: mediatek: Check num_codecs is not zero to avoid panic during probe ASoC: amd: yc: Fix for enabling DMIC on acp6x via _DSD entry ALSA: ump: Fix evaluation of MIDI 1.0 FB info ALSA: core: Fix possible NULL dereference caused by kunit_kzalloc() ALSA: hda: Show the codec quirk info at probing ALSA: asihpi: Remove unused variable ALSA: hda/realtek: Set PCBeep to default value for ALC274 ALSA: hda/tas2781: Add speaker id check for ASUS projects ALSA: hda/realtek: Update ALC225 depop procedure ALSA: hda/realtek: Enable speaker pins for Medion E15443 platform ALSA: hda/realtek: fix mute/micmute LEDs don't work for EliteBook X G1i ALSA: usb-audio: Fix out of bounds reads when finding clock sources ALSA: rawmidi: Fix kvfree() call in spinlock ALSA: hda/realtek: Fix Internal Speaker and Mic boost of Infinix Y4 Max ASoC: amd: yc: Add quirk for microphone on Lenovo Thinkpad T14s Gen 6 21M1CTO1WW ASoC: doc: dapm: Add location information for dapm-graph tool ... commit 2eff01ee2881becc9daaa0d53477ec202136b1f4 Merge: 55cb93fd243bad 5a6c35258d10a4 Author: Linus Torvalds Date: Fri Nov 29 11:58:27 2024 -0800 Merge tag 'char-misc-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc Pull char/misc/IIO/whatever driver subsystem updates from Greg KH: "Here is the 'big and hairy' char/misc/iio and other small driver subsystem updates for 6.13-rc1. Loads of things in here, and even a fun merge conflict! - rust misc driver bindings and other rust changes to make misc drivers actually possible. I think this is the tipping point, expect to see way more rust drivers going forward now that these bindings are present. Next merge window hopefully we will have pci and platform drivers working, which will fully enable almost all driver subsystems to start accepting (or at least getting) rust drivers. This is the end result of a lot of work from a lot of people, congrats to all of them for getting this far, you've proved many of us wrong in the best way possible, working code :) - IIO driver updates, too many to list individually, that subsystem keeps growing and growing... - Interconnect driver updates - nvmem driver updates - pwm driver updates - platform_driver::remove() fixups, loads of them - counter driver updates - misc driver updates (keba?) - binder driver updates and fixes - loads of other small char/misc/etc driver updates and additions, full details in the shortlog. All of these have been in linux-next for a while, with no other reported issues other than that merge conflict" * tag 'char-misc-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (401 commits) mei: vsc: Fix typo "maintstepping" -> "mainstepping" firmware: Switch back to struct platform_driver::remove() misc: isl29020: Fix the wrong format specifier scripts/tags.sh: Don't tag usages of DEFINE_MUTEX fpga: Switch back to struct platform_driver::remove() mei: vsc: Improve error logging in vsc_identify_silicon() mei: vsc: Do not re-enable interrupt from vsc_tp_reset() dt-bindings: spmi: qcom,x1e80100-spmi-pmic-arb: Add SAR2130P compatible dt-bindings: spmi: spmi-mtk-pmif: Add compatible for MT8188 spmi: pmic-arb: fix return path in for_each_available_child_of_node() iio: Move __private marking before struct element priv in struct iio_dev docs: iio: ad7380: add adaq4370-4 and adaq4380-4 iio: adc: ad7380: add support for adaq4370-4 and adaq4380-4 iio: adc: ad7380: use local dev variable to shorten long lines iio: adc: ad7380: fix oversampling formula dt-bindings: iio: adc: ad7380: add adaq4370-4 and adaq4380-4 compatible parts bus: mhi: host: pci_generic: Use pcim_iomap_region() to request and map MHI BAR bus: mhi: host: Switch trace_mhi_gen_tre fields to native endian misc: atmel-ssc: Use of_property_present() for non-boolean properties misc: keba: Add hardware dependency ... commit 55cb93fd243bad2c6e15f9151a32f575d2f5371f Merge: a0c1ca3934ddff acfeb6defcb931 Author: Linus Torvalds Date: Fri Nov 29 11:43:29 2024 -0800 Merge tag 'driver-core-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core Pull driver core updates from Greg KH: "Here is a small set of driver core changes for 6.13-rc1. Nothing major for this merge cycle, except for the two simple merge conflicts are here just to make life interesting. Included in here are: - sysfs core changes and preparations for more sysfs api cleanups that can come through all driver trees after -rc1 is out - fw_devlink fixes based on many reports and debugging sessions - list_for_each_reverse() removal, no one was using it! - last-minute seq_printf() format string bug found and fixed in many drivers all at once. - minor bugfixes and changes full details in the shortlog" * tag 'driver-core-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core: (35 commits) Fix a potential abuse of seq_printf() format string in drivers cpu: Remove spurious NULL in attribute_group definition s390/con3215: Remove spurious NULL in attribute_group definition perf: arm-ni: Remove spurious NULL in attribute_group definition driver core: Constify bin_attribute definitions sysfs: attribute_group: allow registration of const bin_attribute firmware_loader: Fix possible resource leak in fw_log_firmware_info() drivers: core: fw_devlink: Fix excess parameter description in docstring driver core: class: Correct WARN() message in APIs class_(for_each|find)_device() cacheinfo: Use of_property_present() for non-boolean properties cdx: Fix cdx_mmap_resource() after constifying attr in ->mmap() drivers: core: fw_devlink: Make the error message a bit more useful phy: tegra: xusb: Set fwnode for xusb port devices drm: display: Set fwnode for aux bus devices driver core: fw_devlink: Stop trying to optimize cycle detection logic driver core: Constify attribute arguments of binary attributes sysfs: bin_attribute: add const read/write callback variants sysfs: implement all BIN_ATTR_* macros in terms of __BIN_ATTR() sysfs: treewide: constify attribute callback of bin_attribute::llseek() sysfs: treewide: constify attribute callback of bin_attribute::mmap() ... commit a0c1ca3934ddffe4f3f2a2bd860283a7b0ca5439 Merge: e33a6d83e1786d 114eae3c9fde35 Author: Linus Torvalds Date: Fri Nov 29 11:36:13 2024 -0800 Merge tag 'staging-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging Pull staging driver updates from Greg KH: "Here is the big set of staging driver changes for 6.13-rc1. Lots of changes this merge cycle, drivers removed and drivers added. Highlights include: - removals of the following staging drivers due to no forward progress and no one having either the hardware or the time/energy to deal with them anymore: - fieldbus - gdm724x - olpc_dcon - rtl8712 - rts5208 - vt6655 - vt6656 If anyone has this hardware and wants to work on the drivers, it can be an easy revert to get them back. - addition of the gpib driver subsystem. Lots of drivers for really old and semi-old interfaces to lab equipments. We expect lots of churn in these drivers as they get cleaned up to "working" order. These were added at the request of a user and the maintainer/author of them is helping out with the effort - loads and loads of tiny coding style cleanups for almost all staging drivers. Too many to list, see the shortlog for details. All of these have been in linux-next for a very long time with no reported issues" * tag 'staging-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: (216 commits) Staging: gpib: gpib_os.c - Remove unnecessary OOM message staging: gpib: avoid unintended sign extension staging: vchiq_debugfs: Use forward declarations staging: vchiq_core: Rectify header include for vchiq_dump_state() staging: vc04_services: Cleanup TODO entry staging: most: Remove TODO contact information staging: rtl8723bs: Remove TODO contact information staging: sm750fb: Remove TODO contact information staging: iio: Remove TODO file staging: greybus: uart: Fix atomicity violation in get_serial_info() staging: rtl8723bs: Remove unused function Efuse_GetCurrentSize staging: rtl8723bs: Remove unused function efuse_WordEnableDataRead staging: rtl8723bs: Remove function hal_EfusePgPacketWrite1ByteHeader staging: rtl8723bs: Remove function hal_EfusePgPacketWrite2ByteHeader staging: rtl8723bs: Remove unused function hal_EfusePgCheckAvailableAddr staging: rtl8723bs: Remove unused function hal_EfuseConstructPGPkt staging: rtl8723bs: Remove unused function hal_EfusePartialWriteCheck staging: rtl8723bs: Remove unused function hal_EfusePgPacketWriteHeader staging: rtl8723bs: Remove unused function hal_EfusePgPacketWriteData staging: rtl8723bs: Remove unused function Hal_EfusePgPacketWrite_BT ... commit e33a6d83e1786d5e310ae746c67f5f4e2f93ba35 Merge: 93e064ce854abf 237d4e0f41130a Author: Linus Torvalds Date: Fri Nov 29 11:19:31 2024 -0800 Merge tag 'usb-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb Pull USB / Thunderbolt updates from Greg KH: "Here is the big set of USB and Thunderbolt changes for 6.13-rc1. Overall, a pretty slow development cycle, the majority of the work going into the debugfs interface for the thunderbolt (i.e. USB4) code, to help with debugging the myrad ways that hardware vendors get their interfaces messed up. Other than that, here's the highlights: - thunderbolt changes and additions to debugfs interfaces - lots of device tree updates for new and old hardware - UVC configfs gadget updates and new apis for features - xhci driver updates and fixes - dwc3 driver updates and fixes - typec driver updates and fixes - lots of other small updates and fixes, full details in the shortlog All of these have been in linux-next for a while with no reported problems" * tag 'usb-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (148 commits) usb: typec: tcpm: Add support for sink-bc12-completion-time-ms DT property dt-bindings: usb: maxim,max33359: add usage of sink bc12 time property dt-bindings: connector: Add time property for Sink BC12 detection completion usb: dwc3: gadget: Remove dwc3_request->needs_extra_trb usb: dwc3: gadget: Cleanup SG handling usb: dwc3: gadget: Fix looping of queued SG entries usb: dwc3: gadget: Fix checking for number of TRBs left usb: dwc3: ep0: Don't clear ep0 DWC3_EP_TRANSFER_STARTED Revert "usb: gadget: composite: fix OS descriptors w_value logic" usb: ehci-spear: fix call balance of sehci clk handling routines USB: make to_usb_device_driver() use container_of_const() USB: make to_usb_driver() use container_of_const() USB: properly lock dynamic id list when showing an id USB: make single lock for all usb dynamic id lists drivers/usb/storage: refactor min with min_t drivers/usb/serial: refactor min with min_t drivers/usb/musb: refactor min/max with min_t/max_t drivers/usb/mon: refactor min with min_t drivers/usb/misc: refactor min with min_t drivers/usb/host: refactor min/max with min_t/max_t ... commit 93e064ce854abfacdeb0ac526a13ad29d093e813 Merge: 29caf07e9dc6d5 c5efad88a94613 Author: Linus Torvalds Date: Fri Nov 29 11:15:07 2024 -0800 Merge tag 'modules-6.13-rc1-v2' of git://git.kernel.org/pub/scm/linux/kernel/git/modules/linux Pull modules fixes from Luis Chamberlain: "Three fixes, the main one build that we build the kallsyms test modules all over again if we just run make twice" * tag 'modules-6.13-rc1-v2' of git://git.kernel.org/pub/scm/linux/kernel/git/modules/linux: selftests: find_symbol: Actually use load_mod() parameter selftests: kallsyms: fix and clarify current test boundaries selftests: kallsyms: fix double build stupidity commit 29caf07e9dc6d585f784e094c766a3cfceea3822 Merge: 509f806f7f70db 04b5f0a5bfee5a Author: Linus Torvalds Date: Fri Nov 29 11:10:30 2024 -0800 Merge tag 'apparmor-pr-2024-11-27' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor Pull apparmor updates from John Johansen: "Features: - extend next/check table to add support for 2^24 states to the state machine. - rework capability audit cache to use broader cred information instead of just the profile. Also add a time stamp so old entries can be aged out of the cache. Bug Fixes: - fix 'Do simple duplicate message elimination' to clear previous state when updating in capability audit cache - Fix memory leak for aa_unpack_strdup() - properly handle cx/px lookup failure when in complain mode - allocate xmatch for nullpdb inside aa_alloc_null fixing a NULL ptr deref of tracking profiles in when in complain mode Cleanups: - Remove everything being reported as deadcode - replace misleading 'scrubbing environment' phrase in debug print - Remove unnecessary NULL check before kvfree() - clean up duplicated parts of handle_onexec() - Use IS_ERR_OR_NULL() helper function - move new_profile declaration to top of block instead immediately after label to remove C23 extension warning Documentation: - add comment to document capability.c:profile_capable ad ptr parameter can not be NULL - add comment to document first entry is in packed perms struct is reserved for future planned expansion. - Update LSM/apparmor.rst add blurb for DEFAULT_SECURITY_APPARMOR" * tag 'apparmor-pr-2024-11-27' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor: apparmor: lift new_profile declaration to remove C23 extension warning apparmor: replace misleading 'scrubbing environment' phrase in debug print parser: drop dead code for XXX_comb macros apparmor: Remove unused parameter L1 in macro next_comb Docs: Update LSM/apparmor.rst apparmor: audit_cap dedup based on subj_cred instead of profile apparmor: add a cache entry expiration time aging out capability audit cache apparmor: document capability.c:profile_capable ad ptr not being NULL apparmor: fix 'Do simple duplicate message elimination' apparmor: document first entry is in packed perms struct is reserved apparmor: test: Fix memory leak for aa_unpack_strdup() apparmor: Remove deadcode apparmor: Remove unnecessary NULL check before kvfree() apparmor: domain: clean up duplicated parts of handle_onexec() apparmor: Use IS_ERR_OR_NULL() helper function apparmor: add support for 2^24 states to the dfa state machine. apparmor: properly handle cx/px lookup failure for complain apparmor: allocate xmatch for nullpdb inside aa_alloc_null commit 509f806f7f70db42cbb95856d32a9a0d6700b2e5 Merge: 63c81af15cf8e6 cc00550b2ae7ab Author: Linus Torvalds Date: Fri Nov 29 10:40:52 2024 -0800 Merge tag 's390-6.13-2' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux Pull more s390 updates from Heiko Carstens: - Add swap entry for hugetlbfs support - Add PTE_MARKER support for hugetlbs mappings; this fixes a regression (possible page fault loop) which was introduced when support for UFFDIO_POISON for hugetlbfs was added - Add ARCH_HAS_PREEMPT_LAZY and PREEMPT_DYNAMIC support - Mark IRQ entries in entry code, so that stack tracers can filter out the non-IRQ parts of stack traces. This fixes stack depot capacity limit warnings, since without filtering the number of unique stack traces is huge - In PCI code fix leak of struct zpci_dev object, and fix potential double remove of hotplug slot - Fix pagefault_disable() / pagefault_enable() unbalance in arch_stack_user_walk_common() - A couple of inline assembly optimizations, more cmpxchg() to try_cmpxchg() conversions, and removal of usages of xchg() and cmpxchg() on one and two byte memory areas - Various other small improvements and cleanups * tag 's390-6.13-2' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux: (27 commits) Revert "s390/mm: Allow large pages for KASAN shadow mapping" s390/spinlock: Use flag output constraint for arch_cmpxchg_niai8() s390/spinlock: Use R constraint for arch_load_niai4() s390/spinlock: Generate shorter code for arch_spin_unlock() s390/spinlock: Remove condition code clobber from arch_spin_unlock() s390/spinlock: Use symbolic names in inline assemblies s390: Support PREEMPT_DYNAMIC s390/pci: Fix potential double remove of hotplug slot s390/pci: Fix leak of struct zpci_dev when zpci_add_device() fails s390/mm/hugetlbfs: Add missing includes s390/mm: Add PTE_MARKER support for hugetlbfs mappings s390/mm: Introduce region-third and segment table swap entries s390/mm: Introduce region-third and segment table entry present bits s390/mm: Rearrange region-third and segment table entry SW bits KVM: s390: Increase size of union sca_utility to four bytes KVM: s390: Remove one byte cmpxchg() usage KVM: s390: Use try_cmpxchg() instead of cmpxchg() loops s390/ap: Replace xchg() with WRITE_ONCE() s390/mm: Allow large pages for KASAN shadow mapping s390: Add ARCH_HAS_PREEMPT_LAZY support ... commit 63c81af15cf8e64045e8ec55991363ef569a267a Merge: 9d5daef3b3a675 4fbd66d8254ced Author: Linus Torvalds Date: Fri Nov 29 10:36:01 2024 -0800 Merge tag 'mips_6.13_1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux Pull MIPS updates from Thomas Bogendoerfer: - fix for loongson64 device tree - add SPI nand to realtek device tree - change clock tree for mobileye * tag 'mips_6.13_1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux: MIPS: Loongson64: DTS: Really fix PCIe port nodes for ls7a mips: dts: realtek: Add SPI NAND controller MIPS: mobileye: eyeq6h: add OLB nodes OLB and remove fixed clocks MIPS: mobileye: eyeq5: use OLB as provider for fixed factor clocks commit 9d5daef3b3a67535825dcdf1bfe078fdbada5606 Merge: fbb3c22f908acc 93ee385254d538 Author: Linus Torvalds Date: Fri Nov 29 10:31:18 2024 -0800 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rmk/linux Pull ARM updates from Russell King: - add dev_is_amba() function to allow conversions during the next cycle - improve PREEMPT_RT performance with VFP - KASAN fixes for vmap stack * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rmk/linux: ARM: 9431/1: mm: Pair atomic_set_release() with _read_acquire() ARM: 9430/1: entry: Do a dummy read from VMAP shadow ARM: 9429/1: ioremap: Sync PGDs for VMALLOC shadow ARM: 9426/1: vfp: Move sending signals outside of vfp_state_hold()ed section. ARM: 9425/1: vfp: Use vfp_state_hold() in vfp_support_entry(). ARM: 9424/1: vfp: Use vfp_state_hold() in vfp_sync_hwstate(). ARM: 9423/1: vfp: Provide vfp_state_hold() for VFP locking. ARM: 9415/1: amba: Add dev_is_amba() function and export it for modules commit fbb3c22f908accfd6fd34b1dbdd304fc2609c78a Merge: f15167014a1532 b6370b338e71cf Author: Linus Torvalds Date: Fri Nov 29 10:27:49 2024 -0800 Merge tag 'sparc-for-6.13-tag1' of git://git.kernel.org/pub/scm/linux/kernel/git/alarsson/linux-sparc Pull sparc updates from Andreas Larsson: - Make sparc64 compilable with clang - Replace one-element array with flexible array member * tag 'sparc-for-6.13-tag1' of git://git.kernel.org/pub/scm/linux/kernel/git/alarsson/linux-sparc: sparc/vdso: Add helper function for 64-bit right shift on 32-bit target sparc: Replace one-element array with flexible array member sparc/build: Add SPARC target flags for compiling with clang sparc/build: Put usage of -fcall-used* flags behind cc-option commit f15167014a15324f1439ea5ca375468e23c77633 Merge: 7af08b57bcb9eb cf89c9434af122 Author: Linus Torvalds Date: Fri Nov 29 10:25:44 2024 -0800 Merge tag 'powerpc-6.13-2' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux Pull powerpc fixes from Madhavan Srinivasan: - Fix htmldocs errors in sysfs-bus-event_source-devices-vpa-pmu - Fix warning due to missing #size-cells on powermac Thanks to Michael Ellerman, Yang Li, Rob Herring, and Stephen Rothwell. * tag 'powerpc-6.13-2' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: powerpc/prom_init: Fixup missing powermac #size-cells docs: ABI: sysfs-bus-event_source-devices-vpa-pmu: Fix htmldocs errors powerpc/machdep: Remove duplicated include in svm.c commit 537a2525eaf76ea9b0dca62b994500d8670b39d5 Author: Björn Töpel Date: Wed Nov 27 11:17:46 2024 +0100 tools: Override makefile ARCH variable if defined, but empty There are a number of tools (bpftool, selftests), that require a "bootstrap" build. Here, a bootstrap build is a build host variant of a target. E.g., assume that you're performing a bpftool cross-build on x86 to riscv, a bootstrap build would then be an x86 variant of bpftool. The typical way to perform the host build variant, is to pass "ARCH=" in a sub-make. However, if a variable has been set with a command argument, then ordinary assignments in the makefile are ignored. This side-effect results in that ARCH, and variables depending on ARCH are not set. Workaround by overriding ARCH to the host arch, if ARCH is empty. Fixes: 8859b0da5aac ("tools/bpftool: Fix cross-build") Signed-off-by: Björn Töpel Signed-off-by: Daniel Borkmann Tested-by: Alexandre Ghiti Reviewed-by: Jean-Philippe Brucker Reviewed-by: Namhyung Kim Reviewed-by: Toke Høiland-Jørgensen Acked-by: Quentin Monnet Acked-by: Jiri Olsa Cc: Arnaldo Carvalho de Melo Link: https://lore.kernel.org/bpf/20241127101748.165693-1-bjorn@kernel.org commit 22d2e48e318564f8c9b09faf03ecb4f03fb44dd5 Author: Mark Harmstone Date: Fri Nov 15 15:49:17 2024 +0000 btrfs: fix lockdep warnings on io_uring encoded reads Lockdep doesn't like the fact that btrfs_uring_read_extent() returns to userspace still holding the inode lock, even though we release it once the I/O finishes. Add calls to rwsem_release() and rwsem_acquire_read() to work round this. Reported-by: Johannes Thumshirn 34310c442e17 ("btrfs: add io_uring command for encoded reads (ENCODED_READ ioctl)") Signed-off-by: Mark Harmstone Reviewed-by: David Sterba Signed-off-by: David Sterba commit 7c4e39f9d2af4abaf82ca0e315d1fd340456620f Author: Filipe Manana Date: Fri Nov 15 11:29:21 2024 +0000 btrfs: ref-verify: fix use-after-free after invalid ref action At btrfs_ref_tree_mod() after we successfully inserted the new ref entry (local variable 'ref') into the respective block entry's rbtree (local variable 'be'), if we find an unexpected action of BTRFS_DROP_DELAYED_REF, we error out and free the ref entry without removing it from the block entry's rbtree. Then in the error path of btrfs_ref_tree_mod() we call btrfs_free_ref_cache(), which iterates over all block entries and then calls free_block_entry() for each one, and there we will trigger a use-after-free when we are called against the block entry to which we added the freed ref entry to its rbtree, since the rbtree still points to the block entry, as we didn't remove it from the rbtree before freeing it in the error path at btrfs_ref_tree_mod(). Fix this by removing the new ref entry from the rbtree before freeing it. Syzbot report this with the following stack traces: BTRFS error (device loop0 state EA): Ref action 2, root 5, ref_root 0, parent 8564736, owner 0, offset 0, num_refs 18446744073709551615 __btrfs_mod_ref+0x7dd/0xac0 fs/btrfs/extent-tree.c:2523 update_ref_for_cow+0x9cd/0x11f0 fs/btrfs/ctree.c:512 btrfs_force_cow_block+0x9f6/0x1da0 fs/btrfs/ctree.c:594 btrfs_cow_block+0x35e/0xa40 fs/btrfs/ctree.c:754 btrfs_search_slot+0xbdd/0x30d0 fs/btrfs/ctree.c:2116 btrfs_insert_empty_items+0x9c/0x1a0 fs/btrfs/ctree.c:4314 btrfs_insert_empty_item fs/btrfs/ctree.h:669 [inline] btrfs_insert_orphan_item+0x1f1/0x320 fs/btrfs/orphan.c:23 btrfs_orphan_add+0x6d/0x1a0 fs/btrfs/inode.c:3482 btrfs_unlink+0x267/0x350 fs/btrfs/inode.c:4293 vfs_unlink+0x365/0x650 fs/namei.c:4469 do_unlinkat+0x4ae/0x830 fs/namei.c:4533 __do_sys_unlinkat fs/namei.c:4576 [inline] __se_sys_unlinkat fs/namei.c:4569 [inline] __x64_sys_unlinkat+0xcc/0xf0 fs/namei.c:4569 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f BTRFS error (device loop0 state EA): Ref action 1, root 5, ref_root 5, parent 0, owner 260, offset 0, num_refs 1 __btrfs_mod_ref+0x76b/0xac0 fs/btrfs/extent-tree.c:2521 update_ref_for_cow+0x96a/0x11f0 btrfs_force_cow_block+0x9f6/0x1da0 fs/btrfs/ctree.c:594 btrfs_cow_block+0x35e/0xa40 fs/btrfs/ctree.c:754 btrfs_search_slot+0xbdd/0x30d0 fs/btrfs/ctree.c:2116 btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:411 __btrfs_update_delayed_inode+0x1e7/0xb90 fs/btrfs/delayed-inode.c:1030 btrfs_update_delayed_inode fs/btrfs/delayed-inode.c:1114 [inline] __btrfs_commit_inode_delayed_items+0x2318/0x24a0 fs/btrfs/delayed-inode.c:1137 __btrfs_run_delayed_items+0x213/0x490 fs/btrfs/delayed-inode.c:1171 btrfs_commit_transaction+0x8a8/0x3740 fs/btrfs/transaction.c:2313 prepare_to_relocate+0x3c4/0x4c0 fs/btrfs/relocation.c:3586 relocate_block_group+0x16c/0xd40 fs/btrfs/relocation.c:3611 btrfs_relocate_block_group+0x77d/0xd90 fs/btrfs/relocation.c:4081 btrfs_relocate_chunk+0x12c/0x3b0 fs/btrfs/volumes.c:3377 __btrfs_balance+0x1b0f/0x26b0 fs/btrfs/volumes.c:4161 btrfs_balance+0xbdc/0x10c0 fs/btrfs/volumes.c:4538 BTRFS error (device loop0 state EA): Ref action 2, root 5, ref_root 0, parent 8564736, owner 0, offset 0, num_refs 18446744073709551615 __btrfs_mod_ref+0x7dd/0xac0 fs/btrfs/extent-tree.c:2523 update_ref_for_cow+0x9cd/0x11f0 fs/btrfs/ctree.c:512 btrfs_force_cow_block+0x9f6/0x1da0 fs/btrfs/ctree.c:594 btrfs_cow_block+0x35e/0xa40 fs/btrfs/ctree.c:754 btrfs_search_slot+0xbdd/0x30d0 fs/btrfs/ctree.c:2116 btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:411 __btrfs_update_delayed_inode+0x1e7/0xb90 fs/btrfs/delayed-inode.c:1030 btrfs_update_delayed_inode fs/btrfs/delayed-inode.c:1114 [inline] __btrfs_commit_inode_delayed_items+0x2318/0x24a0 fs/btrfs/delayed-inode.c:1137 __btrfs_run_delayed_items+0x213/0x490 fs/btrfs/delayed-inode.c:1171 btrfs_commit_transaction+0x8a8/0x3740 fs/btrfs/transaction.c:2313 prepare_to_relocate+0x3c4/0x4c0 fs/btrfs/relocation.c:3586 relocate_block_group+0x16c/0xd40 fs/btrfs/relocation.c:3611 btrfs_relocate_block_group+0x77d/0xd90 fs/btrfs/relocation.c:4081 btrfs_relocate_chunk+0x12c/0x3b0 fs/btrfs/volumes.c:3377 __btrfs_balance+0x1b0f/0x26b0 fs/btrfs/volumes.c:4161 btrfs_balance+0xbdc/0x10c0 fs/btrfs/volumes.c:4538 ================================================================== BUG: KASAN: slab-use-after-free in rb_first+0x69/0x70 lib/rbtree.c:473 Read of size 8 at addr ffff888042d1af38 by task syz.0.0/5329 CPU: 0 UID: 0 PID: 5329 Comm: syz.0.0 Not tainted 6.12.0-rc7-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 rb_first+0x69/0x70 lib/rbtree.c:473 free_block_entry+0x78/0x230 fs/btrfs/ref-verify.c:248 btrfs_free_ref_cache+0xa3/0x100 fs/btrfs/ref-verify.c:917 btrfs_ref_tree_mod+0x139f/0x15e0 fs/btrfs/ref-verify.c:898 btrfs_free_extent+0x33c/0x380 fs/btrfs/extent-tree.c:3544 __btrfs_mod_ref+0x7dd/0xac0 fs/btrfs/extent-tree.c:2523 update_ref_for_cow+0x9cd/0x11f0 fs/btrfs/ctree.c:512 btrfs_force_cow_block+0x9f6/0x1da0 fs/btrfs/ctree.c:594 btrfs_cow_block+0x35e/0xa40 fs/btrfs/ctree.c:754 btrfs_search_slot+0xbdd/0x30d0 fs/btrfs/ctree.c:2116 btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:411 __btrfs_update_delayed_inode+0x1e7/0xb90 fs/btrfs/delayed-inode.c:1030 btrfs_update_delayed_inode fs/btrfs/delayed-inode.c:1114 [inline] __btrfs_commit_inode_delayed_items+0x2318/0x24a0 fs/btrfs/delayed-inode.c:1137 __btrfs_run_delayed_items+0x213/0x490 fs/btrfs/delayed-inode.c:1171 btrfs_commit_transaction+0x8a8/0x3740 fs/btrfs/transaction.c:2313 prepare_to_relocate+0x3c4/0x4c0 fs/btrfs/relocation.c:3586 relocate_block_group+0x16c/0xd40 fs/btrfs/relocation.c:3611 btrfs_relocate_block_group+0x77d/0xd90 fs/btrfs/relocation.c:4081 btrfs_relocate_chunk+0x12c/0x3b0 fs/btrfs/volumes.c:3377 __btrfs_balance+0x1b0f/0x26b0 fs/btrfs/volumes.c:4161 btrfs_balance+0xbdc/0x10c0 fs/btrfs/volumes.c:4538 btrfs_ioctl_balance+0x493/0x7c0 fs/btrfs/ioctl.c:3673 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f996df7e719 RSP: 002b:00007f996ede7038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f996e135f80 RCX: 00007f996df7e719 RDX: 0000000020000180 RSI: 00000000c4009420 RDI: 0000000000000004 RBP: 00007f996dff139e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f996e135f80 R15: 00007fff79f32e68 Allocated by task 5329: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:257 [inline] __kmalloc_cache_noprof+0x19c/0x2c0 mm/slub.c:4295 kmalloc_noprof include/linux/slab.h:878 [inline] kzalloc_noprof include/linux/slab.h:1014 [inline] btrfs_ref_tree_mod+0x264/0x15e0 fs/btrfs/ref-verify.c:701 btrfs_free_extent+0x33c/0x380 fs/btrfs/extent-tree.c:3544 __btrfs_mod_ref+0x7dd/0xac0 fs/btrfs/extent-tree.c:2523 update_ref_for_cow+0x9cd/0x11f0 fs/btrfs/ctree.c:512 btrfs_force_cow_block+0x9f6/0x1da0 fs/btrfs/ctree.c:594 btrfs_cow_block+0x35e/0xa40 fs/btrfs/ctree.c:754 btrfs_search_slot+0xbdd/0x30d0 fs/btrfs/ctree.c:2116 btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:411 __btrfs_update_delayed_inode+0x1e7/0xb90 fs/btrfs/delayed-inode.c:1030 btrfs_update_delayed_inode fs/btrfs/delayed-inode.c:1114 [inline] __btrfs_commit_inode_delayed_items+0x2318/0x24a0 fs/btrfs/delayed-inode.c:1137 __btrfs_run_delayed_items+0x213/0x490 fs/btrfs/delayed-inode.c:1171 btrfs_commit_transaction+0x8a8/0x3740 fs/btrfs/transaction.c:2313 prepare_to_relocate+0x3c4/0x4c0 fs/btrfs/relocation.c:3586 relocate_block_group+0x16c/0xd40 fs/btrfs/relocation.c:3611 btrfs_relocate_block_group+0x77d/0xd90 fs/btrfs/relocation.c:4081 btrfs_relocate_chunk+0x12c/0x3b0 fs/btrfs/volumes.c:3377 __btrfs_balance+0x1b0f/0x26b0 fs/btrfs/volumes.c:4161 btrfs_balance+0xbdc/0x10c0 fs/btrfs/volumes.c:4538 btrfs_ioctl_balance+0x493/0x7c0 fs/btrfs/ioctl.c:3673 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 5329: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:230 [inline] slab_free_hook mm/slub.c:2342 [inline] slab_free mm/slub.c:4579 [inline] kfree+0x1a0/0x440 mm/slub.c:4727 btrfs_ref_tree_mod+0x136c/0x15e0 btrfs_free_extent+0x33c/0x380 fs/btrfs/extent-tree.c:3544 __btrfs_mod_ref+0x7dd/0xac0 fs/btrfs/extent-tree.c:2523 update_ref_for_cow+0x9cd/0x11f0 fs/btrfs/ctree.c:512 btrfs_force_cow_block+0x9f6/0x1da0 fs/btrfs/ctree.c:594 btrfs_cow_block+0x35e/0xa40 fs/btrfs/ctree.c:754 btrfs_search_slot+0xbdd/0x30d0 fs/btrfs/ctree.c:2116 btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:411 __btrfs_update_delayed_inode+0x1e7/0xb90 fs/btrfs/delayed-inode.c:1030 btrfs_update_delayed_inode fs/btrfs/delayed-inode.c:1114 [inline] __btrfs_commit_inode_delayed_items+0x2318/0x24a0 fs/btrfs/delayed-inode.c:1137 __btrfs_run_delayed_items+0x213/0x490 fs/btrfs/delayed-inode.c:1171 btrfs_commit_transaction+0x8a8/0x3740 fs/btrfs/transaction.c:2313 prepare_to_relocate+0x3c4/0x4c0 fs/btrfs/relocation.c:3586 relocate_block_group+0x16c/0xd40 fs/btrfs/relocation.c:3611 btrfs_relocate_block_group+0x77d/0xd90 fs/btrfs/relocation.c:4081 btrfs_relocate_chunk+0x12c/0x3b0 fs/btrfs/volumes.c:3377 __btrfs_balance+0x1b0f/0x26b0 fs/btrfs/volumes.c:4161 btrfs_balance+0xbdc/0x10c0 fs/btrfs/volumes.c:4538 btrfs_ioctl_balance+0x493/0x7c0 fs/btrfs/ioctl.c:3673 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888042d1af00 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 56 bytes inside of freed 64-byte region [ffff888042d1af00, ffff888042d1af40) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x42d1a anon flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 04fff00000000000 ffff88801ac418c0 0000000000000000 dead000000000001 raw: 0000000000000000 0000000000200020 00000001f5000000 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5055, tgid 5055 (dhcpcd-run-hook), ts 40377240074, free_ts 40376848335 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1541 prep_new_page mm/page_alloc.c:1549 [inline] get_page_from_freelist+0x3649/0x3790 mm/page_alloc.c:3459 __alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4735 alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265 alloc_slab_page+0x6a/0x140 mm/slub.c:2412 allocate_slab+0x5a/0x2f0 mm/slub.c:2578 new_slab mm/slub.c:2631 [inline] ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3818 __slab_alloc+0x58/0xa0 mm/slub.c:3908 __slab_alloc_node mm/slub.c:3961 [inline] slab_alloc_node mm/slub.c:4122 [inline] __do_kmalloc_node mm/slub.c:4263 [inline] __kmalloc_noprof+0x25a/0x400 mm/slub.c:4276 kmalloc_noprof include/linux/slab.h:882 [inline] kzalloc_noprof include/linux/slab.h:1014 [inline] tomoyo_encode2 security/tomoyo/realpath.c:45 [inline] tomoyo_encode+0x26f/0x540 security/tomoyo/realpath.c:80 tomoyo_realpath_from_path+0x59e/0x5e0 security/tomoyo/realpath.c:283 tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_check_open_permission+0x255/0x500 security/tomoyo/file.c:771 security_file_open+0x777/0x990 security/security.c:3109 do_dentry_open+0x369/0x1460 fs/open.c:945 vfs_open+0x3e/0x330 fs/open.c:1088 do_open fs/namei.c:3774 [inline] path_openat+0x2c84/0x3590 fs/namei.c:3933 page last free pid 5055 tgid 5055 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1112 [inline] free_unref_page+0xcfb/0xf20 mm/page_alloc.c:2642 free_pipe_info+0x300/0x390 fs/pipe.c:860 put_pipe_info fs/pipe.c:719 [inline] pipe_release+0x245/0x320 fs/pipe.c:742 __fput+0x23f/0x880 fs/file_table.c:431 __do_sys_close fs/open.c:1567 [inline] __se_sys_close fs/open.c:1552 [inline] __x64_sys_close+0x7f/0x110 fs/open.c:1552 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Memory state around the buggy address: ffff888042d1ae00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff888042d1ae80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc >ffff888042d1af00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ^ ffff888042d1af80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc ffff888042d1b000: 00 00 00 00 00 fc fc 00 00 00 00 00 fc fc 00 00 Reported-by: syzbot+7325f164162e200000c1@syzkaller.appspotmail.com Link: https://lore.kernel.org/linux-btrfs/673723eb.050a0220.1324f8.00a8.GAE@google.com/T/#u Fixes: fd708b81d972 ("Btrfs: add a extent ref verify tool") CC: stable@vger.kernel.org # 4.19+ Reviewed-by: Johannes Thumshirn Signed-off-by: Filipe Manana Reviewed-by: David Sterba Signed-off-by: David Sterba commit 3ed51857a50f530ac7a1482e069dfbd1298558d4 Author: Lizhi Xu Date: Fri Oct 25 12:55:53 2024 +0800 btrfs: add a sanity check for btrfs root in btrfs_search_slot() Syzbot reports a null-ptr-deref in btrfs_search_slot(). The reproducer is using rescue=ibadroots, and the extent tree root is corrupted thus the extent tree is NULL. When scrub tries to search the extent tree to gather the needed extent info, btrfs_search_slot() doesn't check if the target root is NULL or not, resulting the null-ptr-deref. Add sanity check for btrfs root before using it in btrfs_search_slot(). Reported-by: syzbot+3030e17bd57a73d39bd7@syzkaller.appspotmail.com Fixes: 42437a6386ff ("btrfs: introduce mount option rescue=ignorebadroots") Link: https://syzkaller.appspot.com/bug?extid=3030e17bd57a73d39bd7 CC: stable@vger.kernel.org # 5.15+ Reviewed-by: Qu Wenruo Tested-by: syzbot+3030e17bd57a73d39bd7@syzkaller.appspotmail.com Signed-off-by: Lizhi Xu Reviewed-by: David Sterba Signed-off-by: David Sterba commit ed67f2a913a4f0fc505db29805c41dd07d3cb356 Author: Filipe Manana Date: Fri Nov 15 15:46:13 2024 +0000 btrfs: don't loop for nowait writes when checking for cross references When checking for delayed refs when verifying if there are cross references for a data extent, we stop if the path has nowait set and we can't try lock the delayed ref head's mutex, returning -EAGAIN with the goal of making a write fallback to a blocking context. However we ignore the -EAGAIN at btrfs_cross_ref_exist() when check_delayed_ref() returns it, and keep looping instead of immediately returning the -EAGAIN to the caller. Fix this by not looping if we get -EAGAIN and we have a nowait path. Fixes: 26ce91144631 ("btrfs: make can_nocow_extent nowait compatible") CC: stable@vger.kernel.org # 6.1+ Reviewed-by: Josef Bacik Signed-off-by: Filipe Manana Signed-off-by: David Sterba commit 82734209bedd65a8b508844bab652b464379bfdd Author: Zhang Xianwei Date: Thu Nov 28 17:00:56 2024 +0800 brd: decrease the number of allocated pages which discarded The number of allocated pages which discarded will not decrease. Fix it. Fixes: 9ead7efc6f3f ("brd: implement discard support") Signed-off-by: Zhang Xianwei Reviewed-by: Ming Lei Link: https://lore.kernel.org/r/20241128170056565nPKSz2vsP8K8X2uk2iaDG@zte.com.cn Signed-off-by: Jens Axboe commit e8b8344de3980709080d86c157d24e7de07d70ad Author: Yu Kuai Date: Fri Nov 29 17:15:09 2024 +0800 block, bfq: fix bfqq uaf in bfq_limit_depth() Set new allocated bfqq to bic or remove freed bfqq from bic are both protected by bfqd->lock, however bfq_limit_depth() is deferencing bfqq from bic without the lock, this can lead to UAF if the io_context is shared by multiple tasks. For example, test bfq with io_uring can trigger following UAF in v6.6: ================================================================== BUG: KASAN: slab-use-after-free in bfqq_group+0x15/0x50 Call Trace: dump_stack_lvl+0x47/0x80 print_address_description.constprop.0+0x66/0x300 print_report+0x3e/0x70 kasan_report+0xb4/0xf0 bfqq_group+0x15/0x50 bfqq_request_over_limit+0x130/0x9a0 bfq_limit_depth+0x1b5/0x480 __blk_mq_alloc_requests+0x2b5/0xa00 blk_mq_get_new_requests+0x11d/0x1d0 blk_mq_submit_bio+0x286/0xb00 submit_bio_noacct_nocheck+0x331/0x400 __block_write_full_folio+0x3d0/0x640 writepage_cb+0x3b/0xc0 write_cache_pages+0x254/0x6c0 write_cache_pages+0x254/0x6c0 do_writepages+0x192/0x310 filemap_fdatawrite_wbc+0x95/0xc0 __filemap_fdatawrite_range+0x99/0xd0 filemap_write_and_wait_range.part.0+0x4d/0xa0 blkdev_read_iter+0xef/0x1e0 io_read+0x1b6/0x8a0 io_issue_sqe+0x87/0x300 io_wq_submit_work+0xeb/0x390 io_worker_handle_work+0x24d/0x550 io_wq_worker+0x27f/0x6c0 ret_from_fork_asm+0x1b/0x30 Allocated by task 808602: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 __kasan_slab_alloc+0x83/0x90 kmem_cache_alloc_node+0x1b1/0x6d0 bfq_get_queue+0x138/0xfa0 bfq_get_bfqq_handle_split+0xe3/0x2c0 bfq_init_rq+0x196/0xbb0 bfq_insert_request.isra.0+0xb5/0x480 bfq_insert_requests+0x156/0x180 blk_mq_insert_request+0x15d/0x440 blk_mq_submit_bio+0x8a4/0xb00 submit_bio_noacct_nocheck+0x331/0x400 __blkdev_direct_IO_async+0x2dd/0x330 blkdev_write_iter+0x39a/0x450 io_write+0x22a/0x840 io_issue_sqe+0x87/0x300 io_wq_submit_work+0xeb/0x390 io_worker_handle_work+0x24d/0x550 io_wq_worker+0x27f/0x6c0 ret_from_fork+0x2d/0x50 ret_from_fork_asm+0x1b/0x30 Freed by task 808589: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_save_free_info+0x27/0x40 __kasan_slab_free+0x126/0x1b0 kmem_cache_free+0x10c/0x750 bfq_put_queue+0x2dd/0x770 __bfq_insert_request.isra.0+0x155/0x7a0 bfq_insert_request.isra.0+0x122/0x480 bfq_insert_requests+0x156/0x180 blk_mq_dispatch_plug_list+0x528/0x7e0 blk_mq_flush_plug_list.part.0+0xe5/0x590 __blk_flush_plug+0x3b/0x90 blk_finish_plug+0x40/0x60 do_writepages+0x19d/0x310 filemap_fdatawrite_wbc+0x95/0xc0 __filemap_fdatawrite_range+0x99/0xd0 filemap_write_and_wait_range.part.0+0x4d/0xa0 blkdev_read_iter+0xef/0x1e0 io_read+0x1b6/0x8a0 io_issue_sqe+0x87/0x300 io_wq_submit_work+0xeb/0x390 io_worker_handle_work+0x24d/0x550 io_wq_worker+0x27f/0x6c0 ret_from_fork+0x2d/0x50 ret_from_fork_asm+0x1b/0x30 Fix the problem by protecting bic_to_bfqq() with bfqd->lock. CC: Jan Kara Fixes: 76f1df88bbc2 ("bfq: Limit number of requests consumed by each cgroup") Signed-off-by: Yu Kuai Link: https://lore.kernel.org/r/20241129091509.2227136-1-yukuai1@huaweicloud.com Signed-off-by: Jens Axboe commit 8d355b56f29533e0b0db0d9a2de8bdc05ab27375 Author: Benjamin Tissoires Date: Thu Nov 28 14:27:16 2024 +0100 selftests/hid: fix kfunc inclusions with newer bpftool bpftool now embeds the kfuncs definitions directly in the generated vmlinux.h This is great, but because the selftests dir might be compiled with HID_BPF disabled, we have no guarantees to be able to compile the sources with the generated kfuncs. If we have the kfuncs, because we have the `__not_used` hack, the newly defined kfuncs do not match the ones from vmlinux.h and things go wrong. Prevent vmlinux.h to define its kfuncs and also add the missing `__weak` symbols for our custom kfuncs definitions Link: https://patch.msgid.link/20241128-fix-new-bpftool-v1-1-c9abdf94a719@kernel.org Signed-off-by: Benjamin Tissoires commit 7eb75ce7527129d7f1fee6951566af409a37a1c4 Author: Jens Axboe Date: Fri Nov 29 07:20:28 2024 -0700 io_uring/tctx: work around xa_store() allocation error issue syzbot triggered the following WARN_ON: WARNING: CPU: 0 PID: 16 at io_uring/tctx.c:51 __io_uring_free+0xfa/0x140 io_uring/tctx.c:51 which is the WARN_ON_ONCE(!xa_empty(&tctx->xa)); sanity check in __io_uring_free() when a io_uring_task is going through its final put. The syzbot test case includes injecting memory allocation failures, and it very much looks like xa_store() can fail one of its memory allocations and end up with ->head being non-NULL even though no entries exist in the xarray. Until this issue gets sorted out, work around it by attempting to iterate entries in our xarray, and WARN_ON_ONCE() if one is found. Reported-by: syzbot+cc36d44ec9f368e443d3@syzkaller.appspotmail.com Link: https://lore.kernel.org/io-uring/673c1643.050a0220.87769.0066.GAE@google.com/ Signed-off-by: Jens Axboe commit 9b5f8ee43e48c25fbe1a10163ec04343d750acd0 Author: Takashi Iwai Date: Thu Nov 28 11:49:38 2024 +0100 ALSA: sh: Use standard helper for buffer accesses The SH DAC audio driver uses the kmalloc'ed buffer as the main PCM buffer, and the data is transferred via hrtimer callbacks manually from there to the hardware. Meanwhile, some of its code are written as if the buffer is on iomem and use the special helpers for the iomem (e.g. copy_from_iter_toio() or memset_io()). Those are rather useless and the standard helpers should be used. Similarly, the PCM mmap callback is set to a special one with snd_pcm_lib_mmap_iomem, but this is also nonsense, because SH architecture doesn't support this function, hence it leads just to NULL -- the fallback to the standard helper. This patch replaces those special setups with the standard ones. Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202411281337.I4M07b7i-lkp@intel.com/ Link: https://patch.msgid.link/20241128104939.13755-1-tiwai@suse.de Signed-off-by: Takashi Iwai commit 4f9d674377d090e38d93360bd4df21b67534d622 Author: Takashi Iwai Date: Thu Nov 28 09:04:16 2024 +0100 ALSA: usb-audio: Notify xrun for low-latency mode The low-latency mode of USB-audio driver uses a similar approach like the implicit feedback mode but it has an explicit queuing at the trigger start time. The difference is, however, that no packet will be handled any longer after all queued packets are handled but no enough data is fed. In the case of implicit feedback mode, the capture-side packet handling triggers the re-queuing, and this checks the XRUN. OTOH, in the low-latency mode, it just stops without XRUN notification unless any new action is taken from user-space via ack callback. For example, when you stop the stream in aplay, no XRUN is reported. This patch adds the XRUN check at the packet complete callback in the case all pending URBs are exhausted. Strictly speaking, this state doesn't match really with XRUN; in theory the application may queue immediately after this happens. But such behavior is only for 1-period configuration, which the USB-audio driver doesn't support. So we may conclude that this situation leads certainly to XRUN. A caveat is that the XRUN should be triggered only for the PCM RUNNING state, and not during DRAINING. This additional state check is put in notify_xrun(), too. Fixes: d5f871f89e21 ("ALSA: usb-audio: Improved lowlatency playback support") Reported-by: Leonard Crestez Link: https://lore.kernel.org/25d5b0d8-4efd-4630-9d33-7a9e3fa9dc2b@gmail.com Link: https://patch.msgid.link/20241128080446.1181-1-tiwai@suse.de Signed-off-by: Takashi Iwai commit f1cd565ce57760923d5e0fbd9e9914b415c0620a Merge: 65ae975e97d5aa b2420b8c81ec67 Author: David S. Miller Date: Fri Nov 29 12:52:04 2024 +0000 Merge branch 'enetc-mqprio-fixes' Wei Fang sayus: ==================== fix crash issue when setting MQPRIO for VFs There is a crash issue when setting MQPRIO for ENETC VFs, the root casue is that ENETC VFs don't like ENETC PFs, they don't have port registers, so hw->port of VFs is NULL. However, this NULL pointer will be accessed without any checks in enetc_mm_commit_preemptible_tcs() when configuring MQPRIO for VFs. Therefore, two patches are added to fix this issue. The first patch sets ENETC_SI_F_QBU flag only for SIs that support 802.1Qbu. The second patch adds a check in enetc_change_preemptible_tcs() to ensure that SIs that do not support 802.1Qbu do not configure preemptible TCs. --- v1 Link: https://lore.kernel.org/imx/20241030082117.1172634-1-wei.fang@nxp.com/ v2 Link: https://lore.kernel.org/imx/20241104054309.1388433-1-wei.fang@nxp.com/ --- ==================== Signed-off-by: David S. Miller commit b2420b8c81ec674552d00c55d46245e5c184b260 Author: Wei Fang Date: Mon Nov 25 17:07:19 2024 +0800 net: enetc: Do not configure preemptible TCs if SIs do not support Both ENETC PF and VF drivers share enetc_setup_tc_mqprio() to configure MQPRIO. And enetc_setup_tc_mqprio() calls enetc_change_preemptible_tcs() to configure preemptible TCs. However, only PF is able to configure preemptible TCs. Because only PF has related registers, while VF does not have these registers. So for VF, its hw->port pointer is NULL. Therefore, VF will access an invalid pointer when accessing a non-existent register, which will cause a crash issue. The simplified log is as follows. root@ls1028ardb:~# tc qdisc add dev eno0vf0 parent root handle 100: \ mqprio num_tc 4 map 0 0 1 1 2 2 3 3 queues 1@0 1@1 1@2 1@3 hw 1 [ 187.290775] Unable to handle kernel paging request at virtual address 0000000000001f00 [ 187.424831] pc : enetc_mm_commit_preemptible_tcs+0x1c4/0x400 [ 187.430518] lr : enetc_mm_commit_preemptible_tcs+0x30c/0x400 [ 187.511140] Call trace: [ 187.513588] enetc_mm_commit_preemptible_tcs+0x1c4/0x400 [ 187.518918] enetc_setup_tc_mqprio+0x180/0x214 [ 187.523374] enetc_vf_setup_tc+0x1c/0x30 [ 187.527306] mqprio_enable_offload+0x144/0x178 [ 187.531766] mqprio_init+0x3ec/0x668 [ 187.535351] qdisc_create+0x15c/0x488 [ 187.539023] tc_modify_qdisc+0x398/0x73c [ 187.542958] rtnetlink_rcv_msg+0x128/0x378 [ 187.547064] netlink_rcv_skb+0x60/0x130 [ 187.550910] rtnetlink_rcv+0x18/0x24 [ 187.554492] netlink_unicast+0x300/0x36c [ 187.558425] netlink_sendmsg+0x1a8/0x420 [ 187.606759] ---[ end trace 0000000000000000 ]--- In addition, some PFs also do not support configuring preemptible TCs, such as eno1 and eno3 on LS1028A. It won't crash like it does for VFs, but we should prevent these PFs from accessing these unimplemented registers. Fixes: 827145392a4a ("net: enetc: only commit preemptible TCs to hardware when MM TX is active") Signed-off-by: Wei Fang Suggested-by: Vladimir Oltean Reviewed-by: Frank Li Signed-off-by: David S. Miller commit 8e00072c31e28e7de1ffd9b28c773a3143aa4167 Author: Vladimir Oltean Date: Mon Nov 25 17:07:18 2024 +0800 net: enetc: read TSN capabilities from port register, not SI Configuring TSN (Qbv, Qbu, PSFP) capabilities requires access to port registers, which are available to the PSI but not the VSI. Yet, the SI port capability register 0 (PSICAPR0), exposed to both PSIs and VSIs, presents the same capabilities to the VF as to the PF, thus leading the VF driver into thinking it can configure these features. In the case of ENETC_SI_F_QBU, having it set in the VF leads to a crash: root@ls1028ardb:~# tc qdisc add dev eno0vf0 parent root handle 100: \ mqprio num_tc 4 map 0 0 1 1 2 2 3 3 queues 1@0 1@1 1@2 1@3 hw 1 [ 187.290775] Unable to handle kernel paging request at virtual address 0000000000001f00 [ 187.424831] pc : enetc_mm_commit_preemptible_tcs+0x1c4/0x400 [ 187.430518] lr : enetc_mm_commit_preemptible_tcs+0x30c/0x400 [ 187.511140] Call trace: [ 187.513588] enetc_mm_commit_preemptible_tcs+0x1c4/0x400 [ 187.518918] enetc_setup_tc_mqprio+0x180/0x214 [ 187.523374] enetc_vf_setup_tc+0x1c/0x30 [ 187.527306] mqprio_enable_offload+0x144/0x178 [ 187.531766] mqprio_init+0x3ec/0x668 [ 187.535351] qdisc_create+0x15c/0x488 [ 187.539023] tc_modify_qdisc+0x398/0x73c [ 187.542958] rtnetlink_rcv_msg+0x128/0x378 [ 187.547064] netlink_rcv_skb+0x60/0x130 [ 187.550910] rtnetlink_rcv+0x18/0x24 [ 187.554492] netlink_unicast+0x300/0x36c [ 187.558425] netlink_sendmsg+0x1a8/0x420 [ 187.606759] ---[ end trace 0000000000000000 ]--- while the other TSN features in the VF are harmless, because the net_device_ops used for the VF driver do not expose entry points for these other features. These capability bits are in the process of being defeatured from the SI registers. We should read them from the port capability register, where they are also present, and which is naturally only exposed to the PF. The change to blame (relevant for stable backports) is the one where this started being a problem, aka when the kernel started to crash due to the wrong capability seen by the VF driver. Fixes: 827145392a4a ("net: enetc: only commit preemptible TCs to hardware when MM TX is active") Reported-by: Wei Fang Signed-off-by: Vladimir Oltean Reviewed-by: Frank Li Signed-off-by: David S. Miller commit cc00550b2ae7ab1c7c56669fc004a13d880aaf0a Author: Vasily Gorbik Date: Fri Nov 29 01:07:01 2024 +0100 Revert "s390/mm: Allow large pages for KASAN shadow mapping" This reverts commit ff123eb7741638d55abf82fac090bb3a543c1e74. Allowing large pages for KASAN shadow mappings isn't inherently wrong, but adding POPULATE_KASAN_MAP_SHADOW to large_allowed() exposes an issue in can_large_pud() and can_large_pmd(). Since commit d8073dc6bc04 ("s390/mm: Allow large pages only for aligned physical addresses"), both can_large_pud() and can_large_pmd() call _pa() to check if large page physical addresses are aligned. However, _pa() has a side effect: it allocates memory in POPULATE_KASAN_MAP_SHADOW mode. This results in massive memory leaks. The proper fix would be to address both large_allowed() and _pa()'s side effects, but for now, revert this change to avoid the leaks. Fixes: ff123eb77416 ("s390/mm: Allow large pages for KASAN shadow mapping") Signed-off-by: Vasily Gorbik Signed-off-by: Heiko Carstens commit 63dffecfba3eddcf67a8f76d80e0c141f93d44a5 Author: Frederic Weisbecker Date: Sat Nov 23 00:48:11 2024 +0100 posix-timers: Target group sigqueue to current task only if not exiting A sigqueue belonging to a posix timer, which target is not a specific thread but a whole thread group, is preferrably targeted to the current task if it is part of that thread group. However nothing prevents a posix timer event from queueing such a sigqueue from a reaped yet running task. The interruptible code space between exit_notify() and the final call to schedule() is enough for posix_timer_fn() hrtimer to fire. If that happens while the current task is part of the thread group target, it is proposed to handle it but since its sighand pointer may have been cleared already, the sigqueue is dropped even if there are other tasks running within the group that could handle it. As a result posix timers with thread group wide target may miss signals when some of their threads are exiting. Fix this with verifying that the current task hasn't been through exit_notify() before proposing it as a preferred target so as to ensure that its sighand is still here and stable. complete_signal() might still reconsider the choice and find a better target within the group if current has passed retarget_shared_pending() already. Fixes: bcb7ee79029d ("posix-timers: Prefer delivery of signals to the current thread") Reported-by: Anthony Mallet Suggested-by: Oleg Nesterov Signed-off-by: Frederic Weisbecker Signed-off-by: Thomas Gleixner Acked-by: Oleg Nesterov Cc: stable@vger.kernel.org Link: https://lore.kernel.org/all/20241122234811.60455-1-frederic@kernel.org Closes: https://lore.kernel.org/all/26411.57288.238690.681680@gargle.gargle.HOWL commit caf4bdb558cbc9893524b0a15e6423ee6305cb0c Author: Lukas Bulwahn Date: Fri Nov 29 10:52:38 2024 +0100 MAINTAINERS: fix typo in I2C OF COMPONENT PROBER Commit 157ce8f381ef ("i2c: Introduce OF component probe function") adds the header file include/linux/i2c-of-prober.h and a corresponding file entry in the newly added MAINTAINERS section I2C OF COMPONENT PROBER. This file entry unfortunately has a typo. Fortunately, ./scripts/get_maintainer.pl --self-test=patterns detects this broken reference. Fix the typo in this file entry in the I2C OF COMPONENT PROBER section. Fixes: 157ce8f381ef ("i2c: Introduce OF component probe function") Signed-off-by: Lukas Bulwahn Signed-off-by: Wolfram Sang commit 4d17c25eaf5d8b95d70726e6946e8eb94619e139 Author: Frederic Weisbecker Date: Thu Nov 21 16:29:31 2024 +0100 delay: Fix ndelay() spuriously treated as udelay() A recent rework on delay functions wrongly ended up calling __udelay() instead of __ndelay() for nanosecond delays, increasing those by 1000. As a result hangs have been observed on boot Restore the right function calls. Fixes: 19e2d91d8cb1 ("delay: Rework udelay and ndelay") Reported-by: Chen-Yu Tsai Signed-off-by: Frederic Weisbecker Signed-off-by: Thomas Gleixner Tested-by: Chen-Yu Tsai Reviewed-by: AngeloGioacchino Del Regno Reviewed-by: Chen-Yu Tsai Link: https://lore.kernel.org/all/20241121152931.51884-1-frederic@kernel.org commit 947c4012f8f03a8bb946beb6e5294d5e32817d67 Author: bo liu Date: Fri Nov 29 09:44:41 2024 +0800 ALSA: hda/conexant: fix Z60MR100 startup pop issue When Z60MR100 startup, speaker will output a pop. To fix this issue, we mute codec by init verbs in bios when system startup, and set GPIO to low to unmute codec in codec driver when it loaded . [ white space fixes and compile warning fix by tiwai ] Signed-off-by: bo liu Link: https://patch.msgid.link/20241129014441.437205-1-bo.liu@senarytech.com Signed-off-by: Takashi Iwai commit edad3f9519fcacb926d0e3f3217aecaf628a593f Author: Takashi Iwai Date: Fri Nov 29 10:45:44 2024 +0100 ALSA: ump: Update legacy substream names upon FB info update The legacy rawmidi substreams should be updated when UMP FB Info or UMP FB Name are received, too. Link: https://patch.msgid.link/20241129094546.32119-4-tiwai@suse.de Signed-off-by: Takashi Iwai commit e29e504e7890b9ee438ca6370d0180d607c473f9 Author: Takashi Iwai Date: Fri Nov 29 10:45:43 2024 +0100 ALSA: ump: Indicate the inactive group in legacy substream names Since the legacy rawmidi has no proper way to know the inactive group, indicate it in the rawmidi substream names with "[Inactive]" suffix when the corresponding UMP group is inactive. Link: https://patch.msgid.link/20241129094546.32119-3-tiwai@suse.de Signed-off-by: Takashi Iwai commit 3978d53df7236f0a517c2abeb43ddf6ac162cdd8 Author: Takashi Iwai Date: Fri Nov 29 10:45:42 2024 +0100 ALSA: ump: Don't open legacy substream for an inactive group When a UMP Group is inactive, we shouldn't allow users to access it via the legacy MIDI access. Add the group active flag check and return -ENODEV if it's inactive. Link: https://patch.msgid.link/20241129094546.32119-2-tiwai@suse.de Signed-off-by: Takashi Iwai commit aaa55faa2495320e44bc643a917c701f2cc89ee7 Author: Takashi Iwai Date: Thu Nov 28 18:04:22 2024 +0100 ALSA: seq: ump: Fix seq port updates per FB info notify update_port_infos() is called when a UMP FB Info update notification is received, and this function is supposed to update the attributes of the corresponding sequencer port. However, the function had a few issues and it brought to the incorrect states. Namely: - It tried to get a wrong sequencer info for the update without correcting the port number with the group-offset 1 - The loop exited immediately when a sequencer port isn't present; this ended up with the truncation if a sequencer port in the middle goes away This patch addresses those bugs. Fixes: 4a16a3af0571 ("ALSA: seq: ump: Handle FB info update") Link: https://patch.msgid.link/20241128170423.23351-1-tiwai@suse.de Signed-off-by: Takashi Iwai commit 0d40daa1c1369c2fef6a40f44640b2e5f3453daa Author: Chen-Yu Tsai Date: Thu Nov 28 12:26:30 2024 +0800 of: base: Document prefix argument for of_get_next_child_with_prefix() When of_get_next_child_with_prefix() was added, the prefix argument was left undocumented. This caused a new warning to be generated during the kerneldoc build process: drivers/of/base.c:661: warning: Function parameter or struct member 'prefix' not described in 'of_get_next_child_with_prefix' Properly document the argument to fix this. Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202411280010.KGSDBOUE-lkp@intel.com/ Fixes: 1fcc67e3a354 ("of: base: Add for_each_child_of_node_with_prefix()") Signed-off-by: Chen-Yu Tsai Signed-off-by: Wolfram Sang commit b188ad7791899da8afe937e439e3086ffddd84a8 Author: Filipe Manana Date: Thu Nov 14 15:38:27 2024 +0000 btrfs: sysfs: advertise experimental features only if CONFIG_BTRFS_EXPERIMENTAL=y We are advertising experimental features through sysfs if CONFIG_BTRFS_DEBUG is set, without looking if CONFIG_BTRFS_EXPERIMENTAL is set. This is wrong as it will result in reporting experimental features as supported when CONFIG_BTRFS_EXPERIMENTAL is not set but CONFIG_BTRFS_DEBUG is set. Fix this by checking for CONFIG_BTRFS_EXPERIMENTAL instead of CONFIG_BTRFS_DEBUG. Fixes: 67cd3f221769 ("btrfs: split out CONFIG_BTRFS_EXPERIMENTAL from CONFIG_BTRFS_DEBUG") Reviewed-by: Neal Gompa Reviewed-by: Qu Wenruo Reviewed-by: Johannes Thumshirn Signed-off-by: Filipe Manana Reviewed-by: David Sterba Signed-off-by: David Sterba commit 7d6872ccbd56c310d2b9658ecaeafeda258727b6 Author: Filipe Manana Date: Thu Nov 14 12:11:26 2024 +0000 btrfs: fix deadlock between transaction commits and extent locks When running a workload with fsstress and duperemove (generic/561) we can hit a deadlock related to transaction commits and locking extent ranges, as described below. Task A hanging during a transaction commit, waiting for all other writers to complete: [178317.334817] INFO: task fsstress:555623 blocked for more than 120 seconds. [178317.335693] Not tainted 6.12.0-rc6-btrfs-next-179+ #1 [178317.336528] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [178317.337673] task:fsstress state:D stack:0 pid:555623 tgid:555623 ppid:555620 flags:0x00004002 [178317.337679] Call Trace: [178317.337681] [178317.337685] __schedule+0x364/0xbe0 [178317.337691] schedule+0x26/0xa0 [178317.337695] btrfs_commit_transaction+0x5c5/0x1050 [btrfs] [178317.337769] ? start_transaction+0xc4/0x800 [btrfs] [178317.337815] ? __pfx_autoremove_wake_function+0x10/0x10 [178317.337819] btrfs_mksubvol+0x381/0x640 [btrfs] [178317.337878] btrfs_mksnapshot+0x7a/0xb0 [btrfs] [178317.337935] __btrfs_ioctl_snap_create+0x1bb/0x1d0 [btrfs] [178317.337995] btrfs_ioctl_snap_create_v2+0x103/0x130 [btrfs] [178317.338053] btrfs_ioctl+0x29b/0x2a90 [btrfs] [178317.338118] ? kmem_cache_alloc_noprof+0x5f/0x2c0 [178317.338126] ? getname_flags+0x45/0x1f0 [178317.338133] ? _raw_spin_unlock+0x15/0x30 [178317.338145] ? __x64_sys_ioctl+0x88/0xc0 [178317.338149] __x64_sys_ioctl+0x88/0xc0 [178317.338152] do_syscall_64+0x4a/0x110 [178317.338160] entry_SYSCALL_64_after_hwframe+0x76/0x7e [178317.338190] RIP: 0033:0x7f13c28e271b Which corresponds to line 2361 of transaction.c: $ cat -n fs/btrfs/transaction.c (...) 2162 int btrfs_commit_transaction(struct btrfs_trans_handle *trans) 2163 { (...) 2349 spin_lock(&fs_info->trans_lock); 2350 add_pending_snapshot(trans); 2351 cur_trans->state = TRANS_STATE_COMMIT_DOING; 2352 spin_unlock(&fs_info->trans_lock); 2353 2354 /* 2355 * The thread has started/joined the transaction thus it holds the 2356 * lockdep map as a reader. It has to release it before acquiring the 2357 * lockdep map as a writer. 2358 */ 2359 btrfs_lockdep_release(fs_info, btrfs_trans_num_writers); 2360 btrfs_might_wait_for_event(fs_info, btrfs_trans_num_writers); 2361 wait_event(cur_trans->writer_wait, 2362 atomic_read(&cur_trans->num_writers) == 1); (...) The transaction is in the TRANS_STATE_COMMIT_DOING state and so it's waiting for all other existing writers to complete and release their transaction handle. Task B is running ordered extent completion and blocked waiting to lock an extent range in an inode's io tree: [178317.327411] INFO: task kworker/u48:8:554545 blocked for more than 120 seconds. [178317.328630] Not tainted 6.12.0-rc6-btrfs-next-179+ #1 [178317.329635] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [178317.330872] task:kworker/u48:8 state:D stack:0 pid:554545 tgid:554545 ppid:2 flags:0x00004000 [178317.330878] Workqueue: btrfs-endio-write btrfs_work_helper [btrfs] [178317.330944] Call Trace: [178317.330945] [178317.330947] __schedule+0x364/0xbe0 [178317.330952] schedule+0x26/0xa0 [178317.330955] __lock_extent+0x337/0x3a0 [btrfs] [178317.331014] ? __pfx_autoremove_wake_function+0x10/0x10 [178317.331017] btrfs_finish_one_ordered+0x47a/0xaa0 [btrfs] [178317.331074] ? psi_group_change+0x132/0x2d0 [178317.331078] btrfs_work_helper+0xbd/0x370 [btrfs] [178317.331140] process_scheduled_works+0xd3/0x460 [178317.331144] ? __pfx_worker_thread+0x10/0x10 [178317.331146] worker_thread+0x121/0x250 [178317.331149] ? __pfx_worker_thread+0x10/0x10 [178317.331151] kthread+0xe9/0x120 [178317.331154] ? __pfx_kthread+0x10/0x10 [178317.331157] ret_from_fork+0x2d/0x50 [178317.331159] ? __pfx_kthread+0x10/0x10 [178317.331162] ret_from_fork_asm+0x1a/0x30 This extent range locking happens after joining the current transaction, so task A is waiting for task B to release its transaction handle (decrementing the transaction's num_writers counter). Task C while doing a fiemap it tries to join the current transaction: [242682.812815] task:pool state:D stack:0 pid:560767 tgid:560724 ppid:555622 flags:0x00004006 [242682.812827] Call Trace: [242682.812856] [242682.812864] __schedule+0x364/0xbe0 [242682.812879] ? _raw_spin_unlock_irqrestore+0x23/0x40 [242682.812897] schedule+0x26/0xa0 [242682.812909] wait_current_trans+0xd6/0x130 [btrfs] [242682.813148] ? __pfx_autoremove_wake_function+0x10/0x10 [242682.813162] start_transaction+0x3d4/0x800 [btrfs] [242682.813399] btrfs_is_data_extent_shared+0xd2/0x440 [btrfs] [242682.813723] fiemap_process_hole+0x2a2/0x300 [btrfs] [242682.813995] extent_fiemap+0x9b8/0xb80 [btrfs] [242682.814249] btrfs_fiemap+0x78/0xc0 [btrfs] [242682.814501] do_vfs_ioctl+0x2db/0xa50 [242682.814519] __x64_sys_ioctl+0x6a/0xc0 [242682.814531] do_syscall_64+0x4a/0x110 [242682.814544] entry_SYSCALL_64_after_hwframe+0x76/0x7e [242682.814556] RIP: 0033:0x7efff595e71b It tries to join the current transaction, but it can't because the transaction is in the TRANS_STATE_COMMIT_DOING state, so join_transaction() returns -EBUSY to start_transaction() and makes it wait for the current transaction to complete. And while it's waiting for the transaction to complete, it's holding an extent range locked in the same inode that task B is operating, which causes a deadlock between these 3 tasks. The extent range for the inode was locked at the start of the fiemap operation, early at extent_fiemap(). In short these tasks deadlock because: 1) Task A is waiting for task B to release its transaction handle; 2) Task B is waiting to lock an extent range for an inode while holding a transaction handle open; 3) Task C is waiting for the current transaction to complete (for task A to finish the transaction commit) while holding the extent range for the inode locked, so task B can't progress and release its transaction handle. This results in an ABBA deadlock involving transaction commits and extent locks. Extent locks are higher level locks, like inode VFS locks, and should always be acquired before joining or starting a transaction, but recently commit 2206265f41e9 ("btrfs: remove code duplication in ordered extent finishing") accidentally changed btrfs_finish_one_ordered() to do the transaction join before locking the extent range. Fix this by making sure that btrfs_finish_one_ordered() always locks the extent before joining a transaction and add an explicit comment about the need for this order. Fixes: 2206265f41e9 ("btrfs: remove code duplication in ordered extent finishing") Reviewed-by: Johannes Thumshirn Signed-off-by: Filipe Manana Signed-off-by: David Sterba commit 7af08b57bcb9ebf78675c50069c54125c0a8b795 Merge: 65ae975e97d5aa 2bd9b57d04df41 Author: Linus Torvalds Date: Thu Nov 28 11:46:13 2024 -0800 Merge tag 'trace-v6.13-2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace Pull more tracing updates from Steven Rostedt: - Add trace flag for NEED_RESCHED_LAZY Now that NEED_RESCHED_LAZY is upstream, add it to the status bits of the common_flags. This will now show when the NEED_RESCHED_LAZY flag is set that is used for debugging latency issues in the kernel via a trace. - Remove leftover "__idx" variable when SRCU was removed from the tracepoint code - Add rcu_tasks_trace guard To add a guard() around the tracepoint code, a rcu_tasks_trace guard needs to be created first. - Remove __DO_TRACE() macro and just call __DO_TRACE_CALL() directly The DO_TRACE() macro has conditional locking depending on what was passed into the macro parameters. As the guts of the macro has been moved to __DO_TRACE_CALL() to handle static call logic, there's no reason to keep the __DO_TRACE() macro around. It is better to just do the locking in place without the conditionals and call __DO_TRACE_CALL() from those locations. The "cond" passed in can also be moved out of that macro. This simplifies the code. - Remove the "cond" from the system call tracepoint macros The "cond" variable was added to allow some tracepoints to check a condition within the static_branch (jump/nop) logic. The system calls do not need this. Removing it simplifies the code. - Replace scoped_guard() with just guard() in the tracepoint logic guard() works just as well as scoped_guard() in the tracepoint logic and the scoped_guard() causes some issues. * tag 'trace-v6.13-2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: tracing: Use guard() rather than scoped_guard() tracing: Remove cond argument from __DECLARE_TRACE_SYSCALL tracing: Remove conditional locking from __DO_TRACE() rcupdate_trace: Define rcu_tasks_trace lock guard tracing: Remove __idx variable from __DO_TRACE tracing: Move it_func[0] comment to the relevant context tracing: Record task flag NEED_RESCHED_LAZY. commit 05b36b04d74a517d6675bf2f90829ff1ac7e28dc Author: Johannes Thumshirn Date: Wed Nov 13 18:16:48 2024 +0100 btrfs: fix use-after-free in btrfs_encoded_read_endio() Shinichiro reported the following use-after free that sometimes is happening in our CI system when running fstests' btrfs/284 on a TCMU runner device: BUG: KASAN: slab-use-after-free in lock_release+0x708/0x780 Read of size 8 at addr ffff888106a83f18 by task kworker/u80:6/219 CPU: 8 UID: 0 PID: 219 Comm: kworker/u80:6 Not tainted 6.12.0-rc6-kts+ #15 Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020 Workqueue: btrfs-endio btrfs_end_bio_work [btrfs] Call Trace: dump_stack_lvl+0x6e/0xa0 ? lock_release+0x708/0x780 print_report+0x174/0x505 ? lock_release+0x708/0x780 ? __virt_addr_valid+0x224/0x410 ? lock_release+0x708/0x780 kasan_report+0xda/0x1b0 ? lock_release+0x708/0x780 ? __wake_up+0x44/0x60 lock_release+0x708/0x780 ? __pfx_lock_release+0x10/0x10 ? __pfx_do_raw_spin_lock+0x10/0x10 ? lock_is_held_type+0x9a/0x110 _raw_spin_unlock_irqrestore+0x1f/0x60 __wake_up+0x44/0x60 btrfs_encoded_read_endio+0x14b/0x190 [btrfs] btrfs_check_read_bio+0x8d9/0x1360 [btrfs] ? lock_release+0x1b0/0x780 ? trace_lock_acquire+0x12f/0x1a0 ? __pfx_btrfs_check_read_bio+0x10/0x10 [btrfs] ? process_one_work+0x7e3/0x1460 ? lock_acquire+0x31/0xc0 ? process_one_work+0x7e3/0x1460 process_one_work+0x85c/0x1460 ? __pfx_process_one_work+0x10/0x10 ? assign_work+0x16c/0x240 worker_thread+0x5e6/0xfc0 ? __pfx_worker_thread+0x10/0x10 kthread+0x2c3/0x3a0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 Allocated by task 3661: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 btrfs_encoded_read_regular_fill_pages+0x16c/0x6d0 [btrfs] send_extent_data+0xf0f/0x24a0 [btrfs] process_extent+0x48a/0x1830 [btrfs] changed_cb+0x178b/0x2ea0 [btrfs] btrfs_ioctl_send+0x3bf9/0x5c20 [btrfs] _btrfs_ioctl_send+0x117/0x330 [btrfs] btrfs_ioctl+0x184a/0x60a0 [btrfs] __x64_sys_ioctl+0x12e/0x1a0 do_syscall_64+0x95/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 3661: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 __kasan_slab_free+0x4f/0x70 kfree+0x143/0x490 btrfs_encoded_read_regular_fill_pages+0x531/0x6d0 [btrfs] send_extent_data+0xf0f/0x24a0 [btrfs] process_extent+0x48a/0x1830 [btrfs] changed_cb+0x178b/0x2ea0 [btrfs] btrfs_ioctl_send+0x3bf9/0x5c20 [btrfs] _btrfs_ioctl_send+0x117/0x330 [btrfs] btrfs_ioctl+0x184a/0x60a0 [btrfs] __x64_sys_ioctl+0x12e/0x1a0 do_syscall_64+0x95/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e The buggy address belongs to the object at ffff888106a83f00 which belongs to the cache kmalloc-rnd-07-96 of size 96 The buggy address is located 24 bytes inside of freed 96-byte region [ffff888106a83f00, ffff888106a83f60) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888106a83800 pfn:0x106a83 flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff) page_type: f5(slab) raw: 0017ffffc0000000 ffff888100053680 ffffea0004917200 0000000000000004 raw: ffff888106a83800 0000000080200019 00000001f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888106a83e00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff888106a83e80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc >ffff888106a83f00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ^ ffff888106a83f80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff888106a84000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ================================================================== Further analyzing the trace and the crash dump's vmcore file shows that the wake_up() call in btrfs_encoded_read_endio() is calling wake_up() on the wait_queue that is in the private data passed to the end_io handler. Commit 4ff47df40447 ("btrfs: move priv off stack in btrfs_encoded_read_regular_fill_pages()") moved 'struct btrfs_encoded_read_private' off the stack. Before that commit one can see a corruption of the private data when analyzing the vmcore after a crash: *(struct btrfs_encoded_read_private *)0xffff88815626eec8 = { .wait = (wait_queue_head_t){ .lock = (spinlock_t){ .rlock = (struct raw_spinlock){ .raw_lock = (arch_spinlock_t){ .val = (atomic_t){ .counter = (int)-2005885696, }, .locked = (u8)0, .pending = (u8)157, .locked_pending = (u16)40192, .tail = (u16)34928, }, .magic = (unsigned int)536325682, .owner_cpu = (unsigned int)29, .owner = (void *)__SCT__tp_func_btrfs_transaction_commit+0x0 = 0x0, .dep_map = (struct lockdep_map){ .key = (struct lock_class_key *)0xffff8881575a3b6c, .class_cache = (struct lock_class *[2]){ 0xffff8882a71985c0, 0xffffea00066f5d40 }, .name = (const char *)0xffff88815626f100 = "", .wait_type_outer = (u8)37, .wait_type_inner = (u8)178, .lock_type = (u8)154, }, }, .__padding = (u8 [24]){ 0, 157, 112, 136, 50, 174, 247, 31, 29 }, .dep_map = (struct lockdep_map){ .key = (struct lock_class_key *)0xffff8881575a3b6c, .class_cache = (struct lock_class *[2]){ 0xffff8882a71985c0, 0xffffea00066f5d40 }, .name = (const char *)0xffff88815626f100 = "", .wait_type_outer = (u8)37, .wait_type_inner = (u8)178, .lock_type = (u8)154, }, }, .head = (struct list_head){ .next = (struct list_head *)0x112cca, .prev = (struct list_head *)0x47, }, }, .pending = (atomic_t){ .counter = (int)-1491499288, }, .status = (blk_status_t)130, } Here we can see several indicators of in-memory data corruption, e.g. the large negative atomic values of ->pending or ->wait->lock->rlock->raw_lock->val, as well as the bogus spinlock magic 0x1ff7ae32 (decimal 536325682 above) instead of 0xdead4ead or the bogus pointer values for ->wait->head. To fix this, change atomic_dec_return() to atomic_dec_and_test() to fix the corruption, as atomic_dec_return() is defined as two instructions on x86_64, whereas atomic_dec_and_test() is defined as a single atomic operation. This can lead to a situation where counter value is already decremented but the if statement in btrfs_encoded_read_endio() is not completely processed, i.e. the 0 test has not completed. If another thread continues executing btrfs_encoded_read_regular_fill_pages() the atomic_dec_return() there can see an already updated ->pending counter and continues by freeing the private data. Continuing in the endio handler the test for 0 succeeds and the wait_queue is woken up, resulting in a use-after-free. Reported-by: Shinichiro Kawasaki Suggested-by: Damien Le Moal Fixes: 1881fba89bd5 ("btrfs: add BTRFS_IOC_ENCODED_READ ioctl") CC: stable@vger.kernel.org # 6.1+ Reviewed-by: Filipe Manana Reviewed-by: Qu Wenruo Signed-off-by: Johannes Thumshirn Reviewed-by: David Sterba Signed-off-by: David Sterba commit c5efad88a94613cf60fed010b96dbc3044389316 Author: Geert Uytterhoeven Date: Thu Nov 28 15:04:52 2024 +0100 selftests: find_symbol: Actually use load_mod() parameter The parameter passed to load_mod() is stored in $MOD, but never used. Obviously it was intended to be used instead of the hardcoded "test_kallsyms_b" module name. Fixes: 84b4a51fce4ccc66 ("selftests: add new kallsyms selftests") Signed-off-by: Geert Uytterhoeven Signed-off-by: Luis Chamberlain commit 3e1d95b63c97506d0d98c75fc72a60662981a3c6 Author: Luis Chamberlain Date: Wed Nov 27 19:06:03 2024 -0800 selftests: kallsyms: fix and clarify current test boundaries Provide and clarify the existing ranges and what you should expect. Fix the gen_test_kallsyms.sh script to accept different ranges. Fixes: 84b4a51fce4ccc66 ("selftests: add new kallsyms selftests") Signed-off-by: Luis Chamberlain commit 7ea13556f7d287fb55f7cacc316ff7647550c702 Author: Luis Chamberlain Date: Wed Nov 27 14:10:57 2024 -0800 selftests: kallsyms: fix double build stupidity The current arrangement will have the test modules rebuilt on any make without having the script or code actually change. Take Masahiro Yamada's suggested fix and cleanups on the Makefile to fix this. Suggested-by: Masahiro Yamada Reported-by: Linus Torvalds Fixes: 84b4a51fce4ccc66 ("selftests: add new kallsyms selftests") Closes: https://lore.kernel.org/all/CAK7LNATRDODmfz1tE=inV-DQqPA4G9vKH+38zMbaGdpTuFWZFw@mail.gmail.com/T/#me6c8f98e82acbee6e75a31b34bbb543eb4940b15 Signed-off-by: Luis Chamberlain commit 9794b89c50f7fc972c6b4ddc69693c9f9d1ae7d7 Merge: c54fdcc57b74eb aef0b4a07277f7 Author: Dave Airlie Date: Fri Nov 29 04:59:21 2024 +1000 Merge tag 'drm-xe-next-fixes-2024-11-28' of https://gitlab.freedesktop.org/drm/xe/kernel into drm-next Driver Changes: - Update xe2 graphics name string (Matt Roper) - Fix a couple of guc submit races (Matt Auld) - Fix pat index usage in migrate (Matt Auld) - Ensure non-cached migrate pagetable bo mappings (Matt Auld) - Take a PM ref in the delayed snapshot capture worker (Matt Brost) Signed-off-by: Dave Airlie From: Thomas Hellstrom Link: https://patchwork.freedesktop.org/patch/msgid/Z0iOjKwEGVo_DmgY@fedora commit c54fdcc57b74ebaf7a507f43e278918c6efeb1a8 Merge: f2fdcd5868656d 818956c76517e1 Author: Dave Airlie Date: Fri Nov 29 04:49:43 2024 +1000 Merge tag 'drm-misc-next-fixes-2024-11-28' of https://gitlab.freedesktop.org/drm/misc/kernel into drm-next A single buildfix for 32-bits rockchip compilation. Signed-off-by: Dave Airlie From: Maarten Lankhorst Link: https://patchwork.freedesktop.org/patch/msgid/1f91eeaa-d3e4-4eca-9375-24c467f6976d@linux.intel.com commit 65ae975e97d5aab3ee9dc5ec701b12090572ed43 Merge: 86f419707c26e8 f6d7695b5ae220 Author: Linus Torvalds Date: Thu Nov 28 10:15:20 2024 -0800 Merge tag 'net-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Pull networking fixes from Paolo Abeni: "Including fixes from bluetooth. Current release - regressions: - rtnetlink: fix rtnl_dump_ifinfo() error path - bluetooth: remove the redundant sco_conn_put Previous releases - regressions: - netlink: fix false positive warning in extack during dumps - sched: sch_fq: don't follow the fast path if Tx is behind now - ipv6: delete temporary address if mngtmpaddr is removed or unmanaged - tcp: fix use-after-free of nreq in reqsk_timer_handler(). - bluetooth: fix slab-use-after-free Read in set_powered_sync - l2tp: fix warning in l2tp_exit_net found - eth: - bnxt_en: fix receive ring space parameters when XDP is active - lan78xx: fix double free issue with interrupt buffer allocation - tg3: set coherent DMA mask bits to 31 for BCM57766 chipsets Previous releases - always broken: - ipmr: fix tables suspicious RCU usage - iucv: MSG_PEEK causes memory leak in iucv_sock_destruct() - eth: - octeontx2-af: fix low network performance - stmmac: dwmac-socfpga: set RX watchdog interrupt as broken - rtase: correct the speed for RTL907XD-V1 Misc: - some documentation fixup" * tag 'net-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (49 commits) ipmr: fix build with clang and DEBUG_NET disabled. Documentation: tls_offload: fix typos and grammar Fix spelling mistake ipmr: fix tables suspicious RCU usage ip6mr: fix tables suspicious RCU usage ipmr: add debug check for mr table cleanup selftests: rds: move test.py to TEST_FILES net_sched: sch_fq: don't follow the fast path if Tx is behind now tcp: Fix use-after-free of nreq in reqsk_timer_handler(). net: phy: fix phy_ethtool_set_eee() incorrectly enabling LPI net: Comment copy_from_sockptr() explaining its behaviour rxrpc: Improve setsockopt() handling of malformed user input llc: Improve setsockopt() handling of malformed user input Bluetooth: SCO: remove the redundant sco_conn_put Bluetooth: MGMT: Fix possible deadlocks Bluetooth: MGMT: Fix slab-use-after-free Read in set_powered_sync bnxt_en: Unregister PTP during PCI shutdown and suspend bnxt_en: Refactor bnxt_ptp_init() bnxt_en: Fix receive ring space parameters when XDP is active bnxt_en: Fix queue start to update vnic RSS table ... commit 86f419707c26e802287963f73c27bdaa4b21977e Merge: d83ec4afd209a0 d24cfee7f63d6b Author: Linus Torvalds Date: Thu Nov 28 10:06:00 2024 -0800 Merge tag 'spi-fix-v6.13-merge-window' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi Pull spi fixes from Mark Brown: "A few fairly minor driver specific fixes, plus one core fix for the handling of deferred probe on ACPI systems - ignoring probe deferral and incorrectly treating it like a fatal error while parsing the generic ACPI bindings for SPI devices" * tag 'spi-fix-v6.13-merge-window' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi: spi: Fix acpi deferred irq probe spi: atmel-quadspi: Fix register name in verbose logging function spi-imx: prevent overflow when estimating transfer time spi: rockchip-sfc: Embedded DMA only support 4B aligned address commit 38a125b31504f91bf6fdd3cfc3a3e9a721e6c97a Author: Max Kellermann Date: Thu Nov 21 14:53:51 2024 +0100 fs/nfs/io: make nfs_start_io_*() killable This allows killing processes that wait for a lock when one process is stuck waiting for the NFS server. This aims to complete the coverage of NFS operations being killable, like nfs_direct_wait() does, for example. Signed-off-by: Max Kellermann Signed-off-by: Trond Myklebust commit 614733f9441ed53bb442d4734112ec1e24bd6da7 Author: Benjamin Coddington Date: Fri Nov 22 10:11:12 2024 -0500 nfs/blocklayout: Limit repeat device registration on failure Every pNFS SCSI IO wants to do LAYOUTGET, then within the layout find the device which can drive GETDEVINFO, then finally may need to prep the device with a reservation. This slow work makes a mess of IO latencies if one of the later steps is going to fail for awhile. If we're unable to register a SCSI device, ensure we mark the device as unavailable so that it will timeout and be re-added via GETDEVINFO. This avoids repeated doomed attempts to register a device in the IO path. Add some clarifying comments as well. Fixes: d869da91cccb ("nfs/blocklayout: Fix premature PR key unregistration") Signed-off-by: Benjamin Coddington Reviewed-by: Christoph Hellwig Reviewed-by: Chuck Lever Signed-off-by: Trond Myklebust commit 3a4ce14d9a6b868e0787e4582420b721c04ee41e Author: Benjamin Coddington Date: Fri Nov 22 10:11:11 2024 -0500 nfs/blocklayout: Don't attempt unregister for invalid block device Since commit d869da91cccb ("nfs/blocklayout: Fix premature PR key unregistration") an unmount of a pNFS SCSI layout-enabled NFS may dereference a NULL block_device in: bl_unregister_scsi+0x16/0xe0 [blocklayoutdriver] bl_free_device+0x70/0x80 [blocklayoutdriver] bl_free_deviceid_node+0x12/0x30 [blocklayoutdriver] nfs4_put_deviceid_node+0x60/0xc0 [nfsv4] nfs4_deviceid_purge_client+0x132/0x190 [nfsv4] unset_pnfs_layoutdriver+0x59/0x60 [nfsv4] nfs4_destroy_server+0x36/0x70 [nfsv4] nfs_free_server+0x23/0xe0 [nfs] deactivate_locked_super+0x30/0xb0 cleanup_mnt+0xba/0x150 task_work_run+0x59/0x90 syscall_exit_to_user_mode+0x217/0x220 do_syscall_64+0x8e/0x160 This happens because even though we were able to create the nfs4_deviceid_node, the lookup for the device was unable to attach the block device to the pnfs_block_dev. If we never found a block device to register, we can avoid this case with the PNFS_BDEV_REGISTERED flag. Move the deref behind the test for the flag. Fixes: d869da91cccb ("nfs/blocklayout: Fix premature PR key unregistration") Signed-off-by: Benjamin Coddington Reviewed-by: Christoph Hellwig Reviewed-by: Chuck Lever Signed-off-by: Trond Myklebust commit 3f23f96528e8fcf8619895c4c916c52653892ec1 Author: Liu Jian Date: Tue Nov 12 21:54:34 2024 +0800 sunrpc: fix one UAF issue caused by sunrpc kernel tcp socket BUG: KASAN: slab-use-after-free in tcp_write_timer_handler+0x156/0x3e0 Read of size 1 at addr ffff888111f322cd by task swapper/0/0 CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.0-rc4-dirty #7 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 Call Trace: dump_stack_lvl+0x68/0xa0 print_address_description.constprop.0+0x2c/0x3d0 print_report+0xb4/0x270 kasan_report+0xbd/0xf0 tcp_write_timer_handler+0x156/0x3e0 tcp_write_timer+0x66/0x170 call_timer_fn+0xfb/0x1d0 __run_timers+0x3f8/0x480 run_timer_softirq+0x9b/0x100 handle_softirqs+0x153/0x390 __irq_exit_rcu+0x103/0x120 irq_exit_rcu+0xe/0x20 sysvec_apic_timer_interrupt+0x76/0x90 asm_sysvec_apic_timer_interrupt+0x1a/0x20 RIP: 0010:default_idle+0xf/0x20 Code: 4c 01 c7 4c 29 c2 e9 72 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d 33 f8 25 00 fb f4 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 RSP: 0018:ffffffffa2007e28 EFLAGS: 00000242 RAX: 00000000000f3b31 RBX: 1ffffffff4400fc7 RCX: ffffffffa09c3196 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff9f00590f RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed102360835d R10: ffff88811b041aeb R11: 0000000000000001 R12: 0000000000000000 R13: ffffffffa202d7c0 R14: 0000000000000000 R15: 00000000000147d0 default_idle_call+0x6b/0xa0 cpuidle_idle_call+0x1af/0x1f0 do_idle+0xbc/0x130 cpu_startup_entry+0x33/0x40 rest_init+0x11f/0x210 start_kernel+0x39a/0x420 x86_64_start_reservations+0x18/0x30 x86_64_start_kernel+0x97/0xa0 common_startup_64+0x13e/0x141 Allocated by task 595: kasan_save_stack+0x24/0x50 kasan_save_track+0x14/0x30 __kasan_slab_alloc+0x87/0x90 kmem_cache_alloc_noprof+0x12b/0x3f0 copy_net_ns+0x94/0x380 create_new_namespaces+0x24c/0x500 unshare_nsproxy_namespaces+0x75/0xf0 ksys_unshare+0x24e/0x4f0 __x64_sys_unshare+0x1f/0x30 do_syscall_64+0x70/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 100: kasan_save_stack+0x24/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x54/0x70 kmem_cache_free+0x156/0x5d0 cleanup_net+0x5d3/0x670 process_one_work+0x776/0xa90 worker_thread+0x2e2/0x560 kthread+0x1a8/0x1f0 ret_from_fork+0x34/0x60 ret_from_fork_asm+0x1a/0x30 Reproduction script: mkdir -p /mnt/nfsshare mkdir -p /mnt/nfs/netns_1 mkfs.ext4 /dev/sdb mount /dev/sdb /mnt/nfsshare systemctl restart nfs-server chmod 777 /mnt/nfsshare exportfs -i -o rw,no_root_squash *:/mnt/nfsshare ip netns add netns_1 ip link add name veth_1_peer type veth peer veth_1 ifconfig veth_1_peer 11.11.0.254 up ip link set veth_1 netns netns_1 ip netns exec netns_1 ifconfig veth_1 11.11.0.1 ip netns exec netns_1 /root/iptables -A OUTPUT -d 11.11.0.254 -p tcp \ --tcp-flags FIN FIN -j DROP (note: In my environment, a DESTROY_CLIENTID operation is always sent immediately, breaking the nfs tcp connection.) ip netns exec netns_1 timeout -s 9 300 mount -t nfs -o proto=tcp,vers=4.1 \ 11.11.0.254:/mnt/nfsshare /mnt/nfs/netns_1 ip netns del netns_1 The reason here is that the tcp socket in netns_1 (nfs side) has been shutdown and closed (done in xs_destroy), but the FIN message (with ack) is discarded, and the nfsd side keeps sending retransmission messages. As a result, when the tcp sock in netns_1 processes the received message, it sends the message (FIN message) in the sending queue, and the tcp timer is re-established. When the network namespace is deleted, the net structure accessed by tcp's timer handler function causes problems. To fix this problem, let's hold netns refcnt for the tcp kernel socket as done in other modules. This is an ugly hack which can easily be backported to earlier kernels. A proper fix which cleans up the interfaces will follow, but may not be so easy to backport. Fixes: 26abe14379f8 ("net: Modify sk_alloc to not reference count the netns of kernel sockets.") Signed-off-by: Liu Jian Acked-by: Jeff Layton Reviewed-by: Kuniyuki Iwashima Signed-off-by: Trond Myklebust commit d7bdd849ef1b681da03ac05ca0957b2cbe2d24b6 Author: Benjamin Coddington Date: Fri Nov 15 08:59:36 2024 -0500 SUNRPC: timeout and cancel TLS handshake with -ETIMEDOUT We've noticed a situation where an unstable TCP connection can cause the TLS handshake to timeout waiting for userspace to complete it. When this happens, we don't want to return from xs_tls_handshake_sync() with zero, as this will cause the upper xprt to be set CONNECTED, and subsequent attempts to transmit will be returned with -EPIPE. The sunrpc machine does not recover from this situation and will spin attempting to transmit. The return value of tls_handshake_cancel() can be used to detect a race with completion: * tls_handshake_cancel - cancel a pending handshake * Return values: * %true - Uncompleted handshake request was canceled * %false - Handshake request already completed or not found If true, we do not want the upper xprt to be connected, so return -ETIMEDOUT. If false, its possible the handshake request was lost and that may be the reason for our timeout. Again we do not want the upper xprt to be connected, so return -ETIMEDOUT. Ensure that we alway return an error from xs_tls_handshake_sync() if we call tls_handshake_cancel(). Signed-off-by: Benjamin Coddington Reviewed-by: Chuck Lever Fixes: 75eb6af7acdf ("SUNRPC: Add a TCP-with-TLS RPC transport class") Signed-off-by: Trond Myklebust commit 4db9ad82a6c823094da27de4825af693a3475d51 Author: Liu Jian Date: Fri Nov 15 17:38:04 2024 +0800 sunrpc: clear XPRT_SOCK_UPD_TIMEOUT when reset transport Since transport->sock has been set to NULL during reset transport, XPRT_SOCK_UPD_TIMEOUT also needs to be cleared. Otherwise, the xs_tcp_set_socket_timeouts() may be triggered in xs_tcp_send_request() to dereference the transport->sock that has been set to NULL. Fixes: 7196dbb02ea0 ("SUNRPC: Allow changing of the TCP timeout parameters on the fly") Signed-off-by: Li Lingfeng Signed-off-by: Liu Jian Signed-off-by: Trond Myklebust commit 52cb7f8f177878b4f22397b9c4d2c8f743766be3 Author: Li Lingfeng Date: Thu Nov 14 12:53:03 2024 +0800 nfs: ignore SB_RDONLY when mounting nfs When exporting only one file system with fsid=0 on the server side, the client alternately uses the ro/rw mount options to perform the mount operation, and a new vfsmount is generated each time. It can be reproduced as follows: [root@localhost ~]# mount /dev/sda /mnt2 [root@localhost ~]# echo "/mnt2 *(rw,no_root_squash,fsid=0)" >/etc/exports [root@localhost ~]# systemctl restart nfs-server [root@localhost ~]# mount -t nfs -o ro,vers=4 127.0.0.1:/ /mnt/sdaa [root@localhost ~]# mount -t nfs -o rw,vers=4 127.0.0.1:/ /mnt/sdaa [root@localhost ~]# mount -t nfs -o ro,vers=4 127.0.0.1:/ /mnt/sdaa [root@localhost ~]# mount -t nfs -o rw,vers=4 127.0.0.1:/ /mnt/sdaa [root@localhost ~]# mount | grep nfs4 127.0.0.1:/ on /mnt/sdaa type nfs4 (ro,relatime,vers=4.2,rsize=1048576,... 127.0.0.1:/ on /mnt/sdaa type nfs4 (rw,relatime,vers=4.2,rsize=1048576,... 127.0.0.1:/ on /mnt/sdaa type nfs4 (ro,relatime,vers=4.2,rsize=1048576,... 127.0.0.1:/ on /mnt/sdaa type nfs4 (rw,relatime,vers=4.2,rsize=1048576,... [root@localhost ~]# We expected that after mounting with the ro option, using the rw option to mount again would return EBUSY, but the actual situation was not the case. As shown above, when mounting for the first time, a superblock with the ro flag will be generated, and at the same time, in do_new_mount_fc --> do_add_mount, it detects that the superblock corresponding to the current target directory is inconsistent with the currently generated one (path->mnt->mnt_sb != newmnt->mnt.mnt_sb), and a new vfsmount will be generated. When mounting with the rw option for the second time, since no matching superblock can be found in the fs_supers list, a new superblock with the rw flag will be generated again. The superblock in use (ro) is different from the newly generated superblock (rw), and a new vfsmount will be generated again. When mounting with the ro option for the third time, the superblock (ro) is found in fs_supers, the superblock in use (rw) is different from the found superblock (ro), and a new vfsmount will be generated again. We can switch between ro/rw through remount, and only one superblock needs to be generated, thus avoiding the problem of repeated generation of vfsmount caused by switching superblocks. Furthermore, This can also resolve the issue described in the link. Fixes: 275a5d24bf56 ("NFS: Error when mounting the same filesystem with different options") Link: https://lore.kernel.org/all/20240604112636.236517-3-lilingfeng@huaweicloud.com/ Signed-off-by: Li Lingfeng Signed-off-by: Trond Myklebust commit d83ec4afd209a0619b32b867f45c845d4dddc2eb Merge: 448ecd5771e255 351f2bfe6362c6 Author: Linus Torvalds Date: Thu Nov 28 09:40:53 2024 -0800 Merge tag 'regulator-fix-v6.13-merge-window' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator Pull regulator fixes from Mark Brown: "A couple of fixes that came in during the merge window, plus documetation of a new device ID for the Qualcomm LABIBB driver. There's a core fix for the rarely used current constraints and a fix for the Qualcomm RPMH driver which had described only one of the two voltage ranges that the hardware could control, creating a potential incompatibility with the configuration left by firmware" * tag 'regulator-fix-v6.13-merge-window' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator: regulator: core: Ignore unset max_uA constraints in current limit check dt-bindings: regulator: qcom-labibb-regulator: document the pmi8950 labibb regulator regulator: qcom-rpmh: Update ranges for FTSMPS525 commit 448ecd5771e255629bef0fb16c9b78c4bbd7bd56 Merge: 1fdae000a3db85 b6d445f6724ded Author: Linus Torvalds Date: Thu Nov 28 09:28:09 2024 -0800 Merge tag 'for-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply Pull power supply and reset updates from Sebastian Reichel: "Power-supply core: - replace power_supply_register_no_ws() with power_supply_register() and a new "no_wakeup_source" field in struct power_supply_config - constify battery info tables in the core and all drivers - switch back to remove callback for all platform drivers - allow power_supply_put() to be called from atomic context - mark attribute arrays read-only after init Power-supply drivers: - new driver for TWL6030 and TWL6032 - rk817: improve battery capacity calibration - misc small cleanups and fixes" * tag 'for-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply: (42 commits) power: reset: ep93xx: add AUXILIARY_BUS dependency dt-bindings: power: reset: Convert mode-.* properties to array power: supply: sc27xx: Fix battery detect GPIO probe dt-bindings: power: supply: sc27xx-fg: document deprecated bat-detect-gpio reset: keystone-reset: remove unused macros power: supply: axp20x_battery: Use scaled iio_read_channel power: supply: axp20x_usb_power: Use scaled iio_read_channel power: supply: generic-adc-battery: change my gmail power: supply: pmu_battery: Set power supply type to BATTERY power: Switch back to struct platform_driver::remove() power: supply: hwmon: move interface to private header power: supply: rk817: Update battery capacity calibration power: supply: rk817: stop updating info in suspend power: supply: rt9471: Use IC status regfield to report real charger status power: supply: rt9471: Fix wrong WDT function regfield declaration dt-bindings: power/supply: qcom,pmi8998-charger: Drop incorrect "#interrupt-cells" from example power: supply: core: mark attribute arrays as ro_after_init power: supply: core: unexport power_supply_property_is_writeable() power: supply: core: use device mutex wrappers power: supply: bq27xxx: Fix registers of bq27426 ... commit 1fdae000a3db8569430aa9189a30f8a3b7480c58 Merge: 8170a99c0bc610 bac89bb33d91cd Author: Linus Torvalds Date: Thu Nov 28 09:22:00 2024 -0800 Merge tag 'ntfs3_for_6.13' of https://github.com/Paragon-Software-Group/linux-ntfs3 Pull ntfs3 updates from Konstantin Komarov: - additional checks to address issues identified by syzbot - continuation of the transition from 'page' to 'folio' * tag 'ntfs3_for_6.13' of https://github.com/Paragon-Software-Group/linux-ntfs3: fs/ntfs3: Accumulated refactoring changes fs/ntfs3: Switch to folio to release resources fs/ntfs3: Add check in ntfs_extend_initialized_size fs/ntfs3: Add more checks in mi_enum_attr (part 2) fs/ntfs3: Equivalent transition from page to folio fs/ntfs3: Fix case when unmarked clusters intersect with zone fs/ntfs3: Fix warning in ni_fiemap commit 8170a99c0bc6109566f001e3a6f3c76b672c9fad Merge: b86545e02e8c22 8a3f5711ad74db Author: Linus Torvalds Date: Thu Nov 28 09:18:11 2024 -0800 Merge tag 'exfat-for-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/linkinjeon/exfat Pull exfat updates from Namjae Jeon: - If the start cluster of stream entry is invalid, treat it as the empty directory - Valid size of steam entry cannot be greater than data size. If valid_size is invalid, use data_size - Move Direct-IO alignment check to before extending the valid size - Fix uninit-value issue reported by syzbot - Optimize finding directory entry-set in write_inode, rename, unlink * tag 'exfat-for-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/linkinjeon/exfat: exfat: reduce FAT chain traversal exfat: code cleanup for exfat_readdir() exfat: remove argument 'p_dir' from exfat_add_entry() exfat: move exfat_chain_set() out of __exfat_resolve_path() exfat: add exfat_get_dentry_set_by_ei() helper exfat: rename argument name for exfat_move_file and exfat_rename_file exfat: remove unnecessary read entry in __exfat_rename() exfat: fix file being changed by unaligned direct write exfat: fix uninit-value in __exfat_get_dentry_set exfat: fix out-of-bounds access of directory entries commit f6d7695b5ae22092fa2cc42529bb7462f7e0c4ad Author: Paolo Abeni Date: Thu Nov 28 17:18:04 2024 +0100 ipmr: fix build with clang and DEBUG_NET disabled. Sasha reported a build issue in ipmr:: net/ipv4/ipmr.c:320:13: error: function 'ipmr_can_free_table' is not \ needed and will not be emitted \ [-Werror,-Wunneeded-internal-declaration] 320 | static bool ipmr_can_free_table(struct net *net) Apparently clang is too smart with BUILD_BUG_ON_INVALID(), let's fallback to a plain WARN_ON_ONCE(). Reported-by: Sasha Levin Closes: https://qa-reports.linaro.org/lkft/sashal-linus-next/build/v6.11-25635-g6813e2326f1e/testrun/26111580/suite/build/test/clang-nightly-lkftconfig/details/ Fixes: 11b6e701bce9 ("ipmr: add debug check for mr table cleanup") Signed-off-by: Paolo Abeni Link: https://patch.msgid.link/ee75faa926b2446b8302ee5fc30e129d2df73b90.1732810228.git.pabeni@redhat.com Signed-off-by: Paolo Abeni commit 8d7690b3c146f8ae3089918226697bf4e3943032 Author: Steve French Date: Wed Nov 20 10:01:35 2024 -0600 cifs: update internal version number To 2.52 Signed-off-by: Steve French commit cda88d2fef7aa7de80b5697e8009fcbbb436f42d Author: Dan Carpenter Date: Fri Nov 15 12:13:58 2024 +0300 cifs: unlock on error in smb3_reconfigure() Unlock before returning if smb3_sync_session_ctx_passwords() fails. Fixes: 7e654ab7da03 ("cifs: during remount, make sure passwords are in sync") Signed-off-by: Dan Carpenter Reviewed-by: Bharath SM Signed-off-by: Steve French commit 0f0e357902957fba28ed31bde0d6921c6bd1485d Author: Shyam Prasad N Date: Wed Oct 30 06:45:50 2024 +0000 cifs: during remount, make sure passwords are in sync This fixes scenarios where remount can overwrite the only currently working password, breaking reconnect. We recently introduced a password2 field in both ses and ctx structs. This was done so as to allow the client to rotate passwords for a mount without any downtime. However, when the client transparently handles password rotation, it can swap the values of the two password fields in the ses struct, but not in smb3_fs_context struct that hangs off cifs_sb. This can lead to a situation where a remount unintentionally overwrites a working password in the ses struct. In order to fix this, we first get the passwords in ctx struct in-sync with ses struct, before replacing them with what the passwords that could be passed as a part of remount. Also, in order to avoid race condition between smb2_reconnect and smb3_reconfigure, we make sure to lock session_mutex before changing password and password2 fields of the ses structure. Fixes: 35f834265e0d ("smb3: fix broken reconnect when password changing on the server by allowing password rotation") Signed-off-by: Shyam Prasad N Signed-off-by: Meetakshi Setiya Signed-off-by: Steve French commit b9aef1b13a0a92aa7058ba235afb24b5b89153ca Author: Meetakshi Setiya Date: Wed Oct 30 05:37:21 2024 -0400 cifs: support mounting with alternate password to allow password rotation Fixes the case for example where the password specified on mount is a recently expired password, but password2 is valid. Without this patch this mount scenario would fail. This patch introduces the following changes to support password rotation on mount: 1. If an existing session is not found and the new session setup results in EACCES, EKEYEXPIRED or EKEYREVOKED, swap password and password2 (if available), and retry the mount. 2. To match the new mount with an existing session, add conditions to check if a) password and password2 of the new mount and the existing session are the same, or b) password of the new mount is the same as the password2 of the existing session, and password2 of the new mount is the same as the password of the existing session. 3. If an existing session is found, but needs reconnect, retry the session setup after swapping password and password2 (if available), in case the previous attempt results in EACCES, EKEYEXPIRED or EKEYREVOKED. Cc: stable@vger.kernel.org Signed-off-by: Meetakshi Setiya Signed-off-by: Steve French commit aef0b4a07277f715bfc2a0d76a16da2bc4e89205 Author: Matthew Brost Date: Tue Nov 26 09:46:11 2024 -0800 drm/xe: Take PM ref in delayed snapshot capture worker The delayed snapshot capture worker can access the GPU or VRAM both of which require a PM reference. Take a reference in this worker. Cc: Rodrigo Vivi Cc: Maarten Lankhorst Fixes: 4f04d07c0a94 ("drm/xe: Faster devcoredump") Signed-off-by: Matthew Brost Reviewed-by: Matthew Auld Link: https://patchwork.freedesktop.org/patch/msgid/20241126174615.2665852-5-matthew.brost@intel.com (cherry picked from commit 1c6878af115a4586a40d6c14d530fa9f93e0bd83) Signed-off-by: Thomas Hellström commit c78f4399188369a55eed69cbf19a8aad2a65ac75 Author: Matthew Auld Date: Tue Nov 26 18:13:01 2024 +0000 drm/xe/migrate: use XE_BO_FLAG_PAGETABLE On some HW we want to avoid the host caching PTEs, since access from GPU side can be incoherent. However here the special migrate object is mapping PTEs which are written from the host and potentially cached. Use XE_BO_FLAG_PAGETABLE to ensure that non-cached mapping is used, on platforms where this matters. Fixes: 7a060d786cc1 ("drm/xe/mtl: Map PPGTT as CPU:WC") Signed-off-by: Matthew Auld Cc: Matthew Brost Cc: Nirmoy Das Cc: # v6.8+ Reviewed-by: Nirmoy Das Reviewed-by: Matthew Brost Link: https://patchwork.freedesktop.org/patch/msgid/20241126181259.159713-4-matthew.auld@intel.com (cherry picked from commit febc689b27d28973cd02f667548a5dca383d859a) Signed-off-by: Thomas Hellström commit 23346f85163de83aca6dc30dde3944131cf54706 Author: Matthew Auld Date: Tue Nov 26 18:13:00 2024 +0000 drm/xe/migrate: fix pat index usage XE_CACHE_WB must be converted into the per-platform pat index for that particular caching mode, otherwise we are just encoding whatever happens to be the value of that enum. Fixes: e8babb280b5e ("drm/xe: Convert multiple bind ops into single job") Signed-off-by: Matthew Auld Cc: Matthew Brost Cc: Nirmoy Das Cc: # v6.12+ Reviewed-by: Nirmoy Das Reviewed-by: Matthew Brost Link: https://patchwork.freedesktop.org/patch/msgid/20241126181259.159713-3-matthew.auld@intel.com (cherry picked from commit f3dc9246f9c3cd5a7d8fd70cfd805bfc52214e2e) Signed-off-by: Thomas Hellström commit 87651f31ae4e6e6e7e6c7270b9b469405e747407 Author: Matthew Auld Date: Fri Nov 22 16:19:17 2024 +0000 drm/xe/guc_submit: fix race around suspend_pending Currently in some testcases we can trigger: xe 0000:03:00.0: [drm] Assertion `exec_queue_destroyed(q)` failed! .... WARNING: CPU: 18 PID: 2640 at drivers/gpu/drm/xe/xe_guc_submit.c:1826 xe_guc_sched_done_handler+0xa54/0xef0 [xe] xe 0000:03:00.0: [drm] *ERROR* GT1: DEREGISTER_DONE: Unexpected engine state 0x00a1, guc_id=57 Looking at a snippet of corresponding ftrace for this GuC id we can see: 162.673311: xe_sched_msg_add: dev=0000:03:00.0, gt=1 guc_id=57, opcode=3 162.673317: xe_sched_msg_recv: dev=0000:03:00.0, gt=1 guc_id=57, opcode=3 162.673319: xe_exec_queue_scheduling_disable: dev=0000:03:00.0, 1:0x2, gt=1, width=1, guc_id=57, guc_state=0x29, flags=0x0 162.674089: xe_exec_queue_kill: dev=0000:03:00.0, 1:0x2, gt=1, width=1, guc_id=57, guc_state=0x29, flags=0x0 162.674108: xe_exec_queue_close: dev=0000:03:00.0, 1:0x2, gt=1, width=1, guc_id=57, guc_state=0xa9, flags=0x0 162.674488: xe_exec_queue_scheduling_done: dev=0000:03:00.0, 1:0x2, gt=1, width=1, guc_id=57, guc_state=0xa9, flags=0x0 162.678452: xe_exec_queue_deregister: dev=0000:03:00.0, 1:0x2, gt=1, width=1, guc_id=57, guc_state=0xa1, flags=0x0 It looks like we try to suspend the queue (opcode=3), setting suspend_pending and triggering a disable_scheduling. The user then closes the queue. However the close will also forcefully signal the suspend fence after killing the queue, later when the G2H response for disable_scheduling comes back we have now cleared suspend_pending when signalling the suspend fence, so the disable_scheduling now incorrectly tries to also deregister the queue. This leads to warnings since the queue has yet to even be marked for destruction. We also seem to trigger errors later with trying to double unregister the same queue. To fix this tweak the ordering when handling the response to ensure we don't race with a disable_scheduling that didn't actually intend to perform an unregister. The destruction path should now also correctly wait for any pending_disable before marking as destroyed. Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/3371 Signed-off-by: Matthew Auld Cc: Matthew Brost Cc: # v6.8+ Reviewed-by: Matthew Brost Link: https://patchwork.freedesktop.org/patch/msgid/20241122161914.321263-6-matthew.auld@intel.com (cherry picked from commit f161809b362f027b6d72bd998e47f8f0bad60a2e) Signed-off-by: Thomas Hellström commit 6965f91a000a24b2c25480a92696a007545d97ec Author: Matthew Auld Date: Fri Nov 22 16:19:16 2024 +0000 drm/xe/guc_submit: fix race around pending_disable Currently in some testcases we can trigger: [drm] *ERROR* GT0: SCHED_DONE: Unexpected engine state 0x02b1, guc_id=8, runnable_state=0 [drm] *ERROR* GT0: G2H action 0x1002 failed (-EPROTO) len 3 msg 02 10 00 90 08 00 00 00 00 00 00 00 Looking at a snippet of corresponding ftrace for this GuC id we can see: 498.852891: xe_sched_msg_add: dev=0000:03:00.0, gt=0 guc_id=8, opcode=3 498.854083: xe_sched_msg_recv: dev=0000:03:00.0, gt=0 guc_id=8, opcode=3 498.855389: xe_exec_queue_kill: dev=0000:03:00.0, 5:0x1, gt=0, width=1, guc_id=8, guc_state=0x3, flags=0x0 498.855436: xe_exec_queue_lr_cleanup: dev=0000:03:00.0, 5:0x1, gt=0, width=1, guc_id=8, guc_state=0x83, flags=0x0 498.856767: xe_exec_queue_close: dev=0000:03:00.0, 5:0x1, gt=0, width=1, guc_id=8, guc_state=0x83, flags=0x0 498.862889: xe_exec_queue_scheduling_disable: dev=0000:03:00.0, 5:0x1, gt=0, width=1, guc_id=8, guc_state=0xa9, flags=0x0 498.863032: xe_exec_queue_scheduling_disable: dev=0000:03:00.0, 5:0x1, gt=0, width=1, guc_id=8, guc_state=0x2b9, flags=0x0 498.875596: xe_exec_queue_scheduling_done: dev=0000:03:00.0, 5:0x1, gt=0, width=1, guc_id=8, guc_state=0x2b9, flags=0x0 498.875604: xe_exec_queue_deregister: dev=0000:03:00.0, 5:0x1, gt=0, width=1, guc_id=8, guc_state=0x2b1, flags=0x0 499.074483: xe_exec_queue_deregister_done: dev=0000:03:00.0, 5:0x1, gt=0, width=1, guc_id=8, guc_state=0x2b1, flags=0x0 This looks to be the two scheduling_disable racing with each other, one from the suspend (opcode=3) and then again during lr cleanup. While those two operations are serialized, the G2H portion is not, therefore when marking the queue as pending_disabled and then firing off the first request, we proceed do the same again, however the first disable response only fires after this which then clears the pending_disabled. At this point the second comes back and is processed, however the pending_disabled is no longer set, hence triggering the warning. To fix this wait for pending_disabled when doing the lr cleanup and calling disable_scheduling_deregister. Also do the same for all other disable_scheduling callers. Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/3515 Signed-off-by: Matthew Auld Cc: Matthew Brost Cc: # v6.8+ Reviewed-by: Matthew Brost Link: https://patchwork.freedesktop.org/patch/msgid/20241122161914.321263-5-matthew.auld@intel.com (cherry picked from commit ddb106d2120a0bf1c5ff87c71d059d193814da41) Signed-off-by: Thomas Hellström commit ece45026b057edb91bc2a38f0be05309b2b13ba6 Author: Matt Roper Date: Mon Nov 25 11:48:39 2024 -0800 drm/xe: Update xe2_graphics name string Since both Xe2 and Xe3 platforms currently use the same set of graphics IP feature flags, we associate the "graphics_xe2" structure with both IPs. Update the name string on that IP structure to clarify this and avoid confusion as Xe3 platforms start going into public CI. Fixes: 800d75bf20ae ("drm/xe/xe3: Define Xe3 feature flags") Signed-off-by: Matt Roper Reviewed-by: Vinay Belgaumkar Link: https://patchwork.freedesktop.org/patch/msgid/20241125194838.1190599-2-matthew.d.roper@intel.com (cherry picked from commit 4fe70f664a105391321c85b2af241001e8118d24) Signed-off-by: Thomas Hellström commit 2e5bf5b6d2617aff3bd6577bbc8e024cca436d76 Merge: a7df7f909cec96 b682aa788e5f9f Author: Takashi Iwai Date: Thu Nov 28 14:55:21 2024 +0100 Merge tag 'asoc-fix-v6.13-merge-window' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus ASoC: Fixes for v6.13 A pile of driver specific quirks and fixes that came in since the merge window. One of the AMD fixes is a bit broken for some systems, I'm expecting an incremental change to fix that but it seems better overall to merge the rest of the fixes. There's also one small documentation update that seemed sensible to apply now, pointing to the dapm-graph tool. commit a7df7f909cec96e2fb7813a9b0b7e06a976983ab Author: Jaroslav Kysela Date: Thu Nov 28 12:21:45 2024 +0100 ALSA: hda: improve bass speaker support for ASUS Zenbook UM5606WA This hardware has ALC294 codec with speaker NID 0x17 and bass speaker NID 0x15. This patch removes DAC NID 0x06 (without volume control) from the connection list for bass speaker NID 0x15. Both speaker PINs are routed to DAC NID 0x03 with this change. Link: https://github.com/alsa-project/alsa-ucm-conf/issues/467 Signed-off-by: Jaroslav Kysela Link: https://patch.msgid.link/20241128112145.3409492-1-perex@perex.cz Signed-off-by: Takashi Iwai commit 0b1b0c112437d7547a6588009e08face31b22c47 Author: Thomas Weißschuh Date: Wed Nov 27 17:42:47 2024 +0100 HID: bpf: drop unneeded casts discarding const In commit 33c0fb85b571 ("HID: bpf: make part of struct hid_device writable") the const qualifier was dropped from struct hid_bpf_ctx::hid. The casts are now unnecessary. Signed-off-by: Thomas Weißschuh Link: https://patch.msgid.link/20241127-hid-bpf-cast-v1-1-f26424960e84@weissschuh.net Signed-off-by: Benjamin Tissoires commit f9a11da1d92f78279afafdc811214b88cfe54a77 Author: Thomas Weißschuh Date: Wed Nov 27 17:41:56 2024 +0100 HID: bpf: constify hid_ops The hid_ops struct is never modified. Mark it as const. Signed-off-by: Thomas Weißschuh Link: https://patch.msgid.link/20241127-hid-bpf-ops-v1-1-f9e41bfa3afd@weissschuh.net Signed-off-by: Benjamin Tissoires commit e8f34747bddedaf3895e5d5066e0f71713fff811 Author: Maximilian Heyne Date: Tue Nov 26 13:58:50 2024 +0000 selftests: hid: fix typo and exit code The correct exit code to mark a test as skipped is 4. Fixes: ffb85d5c9e80 ("selftests: hid: import hid-tools hid-core tests") Signed-off-by: Maximilian Heyne Link: https://patch.msgid.link/20241126135850.76493-1-mheyne@amazon.de Signed-off-by: Benjamin Tissoires commit 59548215b76be98cf3422eea9a67d6ea578aca3d Author: WangYuli Date: Mon Nov 25 13:26:16 2024 +0800 HID: wacom: fix when get product name maybe null pointer Due to incorrect dev->product reporting by certain devices, null pointer dereferences occur when dev->product is empty, leading to potential system crashes. This issue was found on EXCELSIOR DL37-D05 device with Loongson-LS3A6000-7A2000-DL37 motherboard. Kernel logs: [ 56.470885] usb 4-3: new full-speed USB device number 4 using ohci-pci [ 56.671638] usb 4-3: string descriptor 0 read error: -22 [ 56.671644] usb 4-3: New USB device found, idVendor=056a, idProduct=0374, bcdDevice= 1.07 [ 56.671647] usb 4-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 56.678839] hid-generic 0003:056A:0374.0004: hiddev0,hidraw3: USB HID v1.10 Device [HID 056a:0374] on usb-0000:00:05.0-3/input0 [ 56.697719] CPU 2 Unable to handle kernel paging request at virtual address 0000000000000000, era == 90000000066e35c8, ra == ffff800004f98a80 [ 56.697732] Oops[#1]: [ 56.697734] CPU: 2 PID: 2742 Comm: (udev-worker) Tainted: G OE 6.6.0-loong64-desktop #25.00.2000.015 [ 56.697737] Hardware name: Inspur CE520L2/C09901N000000000, BIOS 2.09.00 10/11/2024 [ 56.697739] pc 90000000066e35c8 ra ffff800004f98a80 tp 9000000125478000 sp 900000012547b8a0 [ 56.697741] a0 0000000000000000 a1 ffff800004818b28 a2 0000000000000000 a3 0000000000000000 [ 56.697743] a4 900000012547b8f0 a5 0000000000000000 a6 0000000000000000 a7 0000000000000000 [ 56.697745] t0 ffff800004818b2d t1 0000000000000000 t2 0000000000000003 t3 0000000000000005 [ 56.697747] t4 0000000000000000 t5 0000000000000000 t6 0000000000000000 t7 0000000000000000 [ 56.697748] t8 0000000000000000 u0 0000000000000000 s9 0000000000000000 s0 900000011aa48028 [ 56.697750] s1 0000000000000000 s2 0000000000000000 s3 ffff800004818e80 s4 ffff800004810000 [ 56.697751] s5 90000001000b98d0 s6 ffff800004811f88 s7 ffff800005470440 s8 0000000000000000 [ 56.697753] ra: ffff800004f98a80 wacom_update_name+0xe0/0x300 [wacom] [ 56.697802] ERA: 90000000066e35c8 strstr+0x28/0x120 [ 56.697806] CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE) [ 56.697816] PRMD: 0000000c (PPLV0 +PIE +PWE) [ 56.697821] EUEN: 00000000 (-FPE -SXE -ASXE -BTE) [ 56.697827] ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7) [ 56.697831] ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0) [ 56.697835] BADV: 0000000000000000 [ 56.697836] PRID: 0014d000 (Loongson-64bit, Loongson-3A6000) [ 56.697838] Modules linked in: wacom(+) bnep bluetooth rfkill qrtr nls_iso8859_1 nls_cp437 snd_hda_codec_conexant snd_hda_codec_generic ledtrig_audio snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer snd soundcore input_leds mousedev led_class joydev deepin_netmonitor(OE) fuse nfnetlink dmi_sysfs ip_tables x_tables overlay amdgpu amdxcp drm_exec gpu_sched drm_buddy radeon drm_suballoc_helper i2c_algo_bit drm_ttm_helper r8169 ttm drm_display_helper spi_loongson_pci xhci_pci cec xhci_pci_renesas spi_loongson_core hid_generic realtek gpio_loongson_64bit [ 56.697887] Process (udev-worker) (pid: 2742, threadinfo=00000000aee0d8b4, task=00000000a9eff1f3) [ 56.697890] Stack : 0000000000000000 ffff800004817e00 0000000000000000 0000251c00000000 [ 56.697896] 0000000000000000 00000011fffffffd 0000000000000000 0000000000000000 [ 56.697901] 0000000000000000 1b67a968695184b9 0000000000000000 90000001000b98d0 [ 56.697906] 90000001000bb8d0 900000011aa48028 0000000000000000 ffff800004f9d74c [ 56.697911] 90000001000ba000 ffff800004f9ce58 0000000000000000 ffff800005470440 [ 56.697916] ffff800004811f88 90000001000b98d0 9000000100da2aa8 90000001000bb8d0 [ 56.697921] 0000000000000000 90000001000ba000 900000011aa48028 ffff800004f9d74c [ 56.697926] ffff8000054704e8 90000001000bb8b8 90000001000ba000 0000000000000000 [ 56.697931] 90000001000bb8d0 9000000006307564 9000000005e666e0 90000001752359b8 [ 56.697936] 9000000008cbe400 900000000804d000 9000000005e666e0 0000000000000000 [ 56.697941] ... [ 56.697944] Call Trace: [ 56.697945] [<90000000066e35c8>] strstr+0x28/0x120 [ 56.697950] [] wacom_update_name+0xe0/0x300 [wacom] [ 56.698000] [] wacom_parse_and_register+0x338/0x900 [wacom] [ 56.698050] [] wacom_probe+0x32c/0x420 [wacom] [ 56.698099] [<9000000006307564>] hid_device_probe+0x144/0x260 [ 56.698103] [<9000000005e65d68>] really_probe+0x208/0x540 [ 56.698109] [<9000000005e661dc>] __driver_probe_device+0x13c/0x1e0 [ 56.698112] [<9000000005e66620>] driver_probe_device+0x40/0x100 [ 56.698116] [<9000000005e6680c>] __device_attach_driver+0x12c/0x180 [ 56.698119] [<9000000005e62bc8>] bus_for_each_drv+0x88/0x160 [ 56.698123] [<9000000005e66468>] __device_attach+0x108/0x260 [ 56.698126] [<9000000005e63918>] device_reprobe+0x78/0x100 [ 56.698129] [<9000000005e62a68>] bus_for_each_dev+0x88/0x160 [ 56.698132] [<9000000006304e54>] __hid_bus_driver_added+0x34/0x80 [ 56.698134] [<9000000005e62bc8>] bus_for_each_drv+0x88/0x160 [ 56.698137] [<9000000006304df0>] __hid_register_driver+0x70/0xa0 [ 56.698142] [<9000000004e10fe4>] do_one_initcall+0x104/0x320 [ 56.698146] [<9000000004f38150>] do_init_module+0x90/0x2c0 [ 56.698151] [<9000000004f3a3d8>] init_module_from_file+0xb8/0x120 [ 56.698155] [<9000000004f3a590>] idempotent_init_module+0x150/0x3a0 [ 56.698159] [<9000000004f3a890>] sys_finit_module+0xb0/0x140 [ 56.698163] [<900000000671e4e8>] do_syscall+0x88/0xc0 [ 56.698166] [<9000000004e12404>] handle_syscall+0xc4/0x160 [ 56.698171] Code: 0011958f 00150224 5800cd85 <2a00022c> 00150004 4000c180 0015022c 03400000 03400000 [ 56.698192] ---[ end trace 0000000000000000 ]--- Fixes: 09dc28acaec7 ("HID: wacom: Improve generic name generation") Reported-by: Zhenxing Chen Co-developed-by: Xu Rao Signed-off-by: Xu Rao Signed-off-by: WangYuli Link: https://patch.msgid.link/B31757FE8E1544CF+20241125052616.18261-1-wangyuli@uniontech.com Cc: stable@vger.kernel.org Signed-off-by: Benjamin Tissoires commit 889221c4d78d754023bec8edec13d11a13b3fb51 Author: Heiko Carstens Date: Tue Nov 26 14:28:27 2024 +0100 s390/spinlock: Use flag output constraint for arch_cmpxchg_niai8() Add a new variant of arch_cmpxchg_niai8() which makes use of the flag output constraint, which allows the compiler to generate slightly better code. Also rename arch_cmpxchg_niai8() to arch_try_cmpxchg_niai8() which reflects the purpose of the function and makes it consistent with other "try" variants. Signed-off-by: Heiko Carstens commit 84ac96587b2a7a27d2aba250009c45dffb8ab4b6 Author: Heiko Carstens Date: Tue Nov 26 14:28:26 2024 +0100 s390/spinlock: Use R constraint for arch_load_niai4() The load instruction used within arch_load_niai4() has a short displacement and index register. Therefore use the R constraint to reflect this. The used Q constraint does consider an index register. Signed-off-by: Heiko Carstens commit 1200f216a3043ad78e89ce1f573fe6d62ed5e5d0 Author: Heiko Carstens Date: Tue Nov 26 14:28:25 2024 +0100 s390/spinlock: Generate shorter code for arch_spin_unlock() Use mvhhi instead of sth to write a zero to spinlocks. Compared to the sth variant this avoids the load of zero to a register, and reduces register pressure. Signed-off-by: Heiko Carstens commit 2c3bc137f1e339c4fa9485ec4028433b8cb7374b Author: Heiko Carstens Date: Tue Nov 26 14:28:24 2024 +0100 s390/spinlock: Remove condition code clobber from arch_spin_unlock() Both instructions in arch_spin_unlock() do not clobber the condition code. Therefore remove the condition code clobber from the inline assembly. Signed-off-by: Heiko Carstens commit 78486ed9e76b72d81e7bb142adb47194f95e188d Author: Heiko Carstens Date: Tue Nov 26 14:28:23 2024 +0100 s390/spinlock: Use symbolic names in inline assemblies Improve readability and use symbolic names. Signed-off-by: Heiko Carstens commit b5f463486b212c56d837c2592d87de7fb4833662 Author: Heiko Carstens Date: Wed Nov 27 17:17:12 2024 +0100 s390: Support PREEMPT_DYNAMIC Select HAVE_PREEMPT_DYNAMIC_KEY and add the pieces which are required to support PREEMPT_DYNAMIC. See commit 99cf983cc8bc ("sched/preempt: Add PREEMPT_DYNAMIC using static keys") and commit 1b2d3451ee50 ("arm64: Support PREEMPT_DYNAMIC") for more details. Signed-off-by: Heiko Carstens commit c4a585e952ca403a370586d3f16e8331a7564901 Author: Niklas Schnelle Date: Mon Nov 25 16:02:38 2024 +0100 s390/pci: Fix potential double remove of hotplug slot In commit 6ee600bfbe0f ("s390/pci: remove hotplug slot when releasing the device") the zpci_exit_slot() was moved from zpci_device_reserved() to zpci_release_device() with the intention of keeping the hotplug slot around until the device is actually removed. Now zpci_release_device() is only called once all references are dropped. Since the zPCI subsystem only drops its reference once the device is in the reserved state it follows that zpci_release_device() must only deal with devices in the reserved state. Despite that it contains code to tear down from both configured and standby state. For the standby case this already includes the removal of the hotplug slot so would cause a double removal if a device was ever removed in either configured or standby state. Instead of causing a potential double removal in a case that should never happen explicitly WARN_ON() if a device in non-reserved state is released and get rid of the dead code cases. Fixes: 6ee600bfbe0f ("s390/pci: remove hotplug slot when releasing the device") Reviewed-by: Matthew Rosato Reviewed-by: Gerd Bayer Tested-by: Gerd Bayer Signed-off-by: Niklas Schnelle Signed-off-by: Heiko Carstens commit 48796104c864cf4dafa80bd8c2ce88f9c92a65ea Author: Niklas Schnelle Date: Mon Nov 25 10:35:10 2024 +0100 s390/pci: Fix leak of struct zpci_dev when zpci_add_device() fails Prior to commit 0467cdde8c43 ("s390/pci: Sort PCI functions prior to creating virtual busses") the IOMMU was initialized and the device was registered as part of zpci_create_device() with the struct zpci_dev freed if either resulted in an error. With that commit this was moved into a separate function called zpci_add_device(). While this new function logs when adding failed, it expects the caller not to use and to free the struct zpci_dev on error. This difference between it and zpci_create_device() was missed while changing the callers and the incompletely initialized struct zpci_dev may get used in zpci_scan_configured_device in the error path. This then leads to a crash due to the device not being registered with the zbus. It was also not freed in this case. Fix this by handling the error return of zpci_add_device(). Since in this case the zdev was not added to the zpci_list it can simply be discarded and freed. Also make this more explicit by moving the kref_init() into zpci_add_device() and document that zpci_zdev_get()/zpci_zdev_put() must be used after adding. Cc: stable@vger.kernel.org Fixes: 0467cdde8c43 ("s390/pci: Sort PCI functions prior to creating virtual busses") Reviewed-by: Gerd Bayer Reviewed-by: Matthew Rosato Signed-off-by: Niklas Schnelle Signed-off-by: Heiko Carstens commit adb44a4bfc8a3312d2a13cc09d2b89d5828e7702 Author: Heiko Carstens Date: Thu Nov 28 09:43:29 2024 +0100 s390/mm/hugetlbfs: Add missing includes Add missing includes to fix this randconfig compile error: All errors (new ones prefixed by >>): In file included from mm/pagewalk.c:5: In file included from include/linux/hugetlb.h:798: >> arch/s390/include/asm/hugetlb.h:94:31: error: call to undeclared function 'is_pte_marker'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration] 94 | return huge_pte_none(pte) || is_pte_marker(pte); | ^ Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202411281002.IPkRpIcR-lkp@intel.com/ Fixes: 487ef5d4d912 ("s390/mm: Add PTE_MARKER support for hugetlbfs mappings") Signed-off-by: Heiko Carstens commit b7529880cb961d515642ce63f9d7570869bbbdc3 Author: Pablo Neira Ayuso Date: Tue Nov 26 11:59:06 2024 +0100 netfilter: nft_socket: remove WARN_ON_ONCE on maximum cgroup level cgroup maximum depth is INT_MAX by default, there is a cgroup toggle to restrict this maximum depth to a more reasonable value not to harm performance. Remove unnecessary WARN_ON_ONCE which is reachable from userspace. Fixes: 7f3287db6543 ("netfilter: nft_socket: make cgroupsv2 matching work with namespaces") Reported-by: syzbot+57bac0866ddd99fe47c0@syzkaller.appspotmail.com Signed-off-by: Pablo Neira Ayuso commit 04317f4eb2aad312ad85c1a17ad81fe75f1f9bc7 Author: Dmitry Antipov Date: Thu Nov 21 09:55:42 2024 +0300 netfilter: x_tables: fix LED ID check in led_tg_check() Syzbot has reported the following BUG detected by KASAN: BUG: KASAN: slab-out-of-bounds in strlen+0x58/0x70 Read of size 1 at addr ffff8881022da0c8 by task repro/5879 ... Call Trace: dump_stack_lvl+0x241/0x360 ? __pfx_dump_stack_lvl+0x10/0x10 ? __pfx__printk+0x10/0x10 ? _printk+0xd5/0x120 ? __virt_addr_valid+0x183/0x530 ? __virt_addr_valid+0x183/0x530 print_report+0x169/0x550 ? __virt_addr_valid+0x183/0x530 ? __virt_addr_valid+0x183/0x530 ? __virt_addr_valid+0x45f/0x530 ? __phys_addr+0xba/0x170 ? strlen+0x58/0x70 kasan_report+0x143/0x180 ? strlen+0x58/0x70 strlen+0x58/0x70 kstrdup+0x20/0x80 led_tg_check+0x18b/0x3c0 xt_check_target+0x3bb/0xa40 ? __pfx_xt_check_target+0x10/0x10 ? stack_depot_save_flags+0x6e4/0x830 ? nft_target_init+0x174/0xc30 nft_target_init+0x82d/0xc30 ? __pfx_nft_target_init+0x10/0x10 ? nf_tables_newrule+0x1609/0x2980 ? nf_tables_newrule+0x1609/0x2980 ? rcu_is_watching+0x15/0xb0 ? nf_tables_newrule+0x1609/0x2980 ? nf_tables_newrule+0x1609/0x2980 ? __kmalloc_noprof+0x21a/0x400 nf_tables_newrule+0x1860/0x2980 ? __pfx_nf_tables_newrule+0x10/0x10 ? __nla_parse+0x40/0x60 nfnetlink_rcv+0x14e5/0x2ab0 ? __pfx_validate_chain+0x10/0x10 ? __pfx_nfnetlink_rcv+0x10/0x10 ? __lock_acquire+0x1384/0x2050 ? netlink_deliver_tap+0x2e/0x1b0 ? __pfx_lock_release+0x10/0x10 ? netlink_deliver_tap+0x2e/0x1b0 netlink_unicast+0x7f8/0x990 ? __pfx_netlink_unicast+0x10/0x10 ? __virt_addr_valid+0x183/0x530 ? __check_object_size+0x48e/0x900 netlink_sendmsg+0x8e4/0xcb0 ? __pfx_netlink_sendmsg+0x10/0x10 ? aa_sock_msg_perm+0x91/0x160 ? __pfx_netlink_sendmsg+0x10/0x10 __sock_sendmsg+0x223/0x270 ____sys_sendmsg+0x52a/0x7e0 ? __pfx_____sys_sendmsg+0x10/0x10 __sys_sendmsg+0x292/0x380 ? __pfx___sys_sendmsg+0x10/0x10 ? lockdep_hardirqs_on_prepare+0x43d/0x780 ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 ? exc_page_fault+0x590/0x8c0 ? do_syscall_64+0xb6/0x230 do_syscall_64+0xf3/0x230 entry_SYSCALL_64_after_hwframe+0x77/0x7f ... Since an invalid (without '\0' byte at all) byte sequence may be passed from userspace, add an extra check to ensure that such a sequence is rejected as possible ID and so never passed to 'kstrdup()' and further. Reported-by: syzbot+6c8215822f35fdb35667@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=6c8215822f35fdb35667 Fixes: 268cb38e1802 ("netfilter: x_tables: add LED trigger target") Signed-off-by: Dmitry Antipov Signed-off-by: Pablo Neira Ayuso commit 146b6f1112eb30a19776d6c323c994e9d67790db Author: Jinghao Jia Date: Sat Nov 23 03:42:56 2024 -0600 ipvs: fix UB due to uninitialized stack access in ip_vs_protocol_init() Under certain kernel configurations when building with Clang/LLVM, the compiler does not generate a return or jump as the terminator instruction for ip_vs_protocol_init(), triggering the following objtool warning during build time: vmlinux.o: warning: objtool: ip_vs_protocol_init() falls through to next function __initstub__kmod_ip_vs_rr__935_123_ip_vs_rr_init6() At runtime, this either causes an oops when trying to load the ipvs module or a boot-time panic if ipvs is built-in. This same issue has been reported by the Intel kernel test robot previously. Digging deeper into both LLVM and the kernel code reveals this to be a undefined behavior problem. ip_vs_protocol_init() uses a on-stack buffer of 64 chars to store the registered protocol names and leaves it uninitialized after definition. The function calls strnlen() when concatenating protocol names into the buffer. With CONFIG_FORTIFY_SOURCE strnlen() performs an extra step to check whether the last byte of the input char buffer is a null character (commit 3009f891bb9f ("fortify: Allow strlen() and strnlen() to pass compile-time known lengths")). This, together with possibly other configurations, cause the following IR to be generated: define hidden i32 @ip_vs_protocol_init() local_unnamed_addr #5 section ".init.text" align 16 !kcfi_type !29 { %1 = alloca [64 x i8], align 16 ... 14: ; preds = %11 %15 = getelementptr inbounds i8, ptr %1, i64 63 %16 = load i8, ptr %15, align 1 %17 = tail call i1 @llvm.is.constant.i8(i8 %16) %18 = icmp eq i8 %16, 0 %19 = select i1 %17, i1 %18, i1 false br i1 %19, label %20, label %23 20: ; preds = %14 %21 = call i64 @strlen(ptr noundef nonnull dereferenceable(1) %1) #23 ... 23: ; preds = %14, %11, %20 %24 = call i64 @strnlen(ptr noundef nonnull dereferenceable(1) %1, i64 noundef 64) #24 ... } The above code calculates the address of the last char in the buffer (value %15) and then loads from it (value %16). Because the buffer is never initialized, the LLVM GVN pass marks value %16 as undefined: %13 = getelementptr inbounds i8, ptr %1, i64 63 br i1 undef, label %14, label %17 This gives later passes (SCCP, in particular) more DCE opportunities by propagating the undef value further, and eventually removes everything after the load on the uninitialized stack location: define hidden i32 @ip_vs_protocol_init() local_unnamed_addr #0 section ".init.text" align 16 !kcfi_type !11 { %1 = alloca [64 x i8], align 16 ... 12: ; preds = %11 %13 = getelementptr inbounds i8, ptr %1, i64 63 unreachable } In this way, the generated native code will just fall through to the next function, as LLVM does not generate any code for the unreachable IR instruction and leaves the function without a terminator. Zero the on-stack buffer to avoid this possible UB. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202402100205.PWXIz1ZK-lkp@intel.com/ Co-developed-by: Ruowen Qin Signed-off-by: Ruowen Qin Signed-off-by: Jinghao Jia Acked-by: Julian Anastasov Signed-off-by: Pablo Neira Ayuso commit cc2dba08cc33daf8acd6e560957ef0e0f4d034ed Author: Christoph Hellwig Date: Tue Nov 26 13:31:06 2024 +0100 xfs: don't call xfs_bmap_same_rtgroup in xfs_bmap_add_extent_hole_delay xfs_bmap_add_extent_hole_delay works entirely on delalloc extents, for which xfs_bmap_same_rtgroup doesn't make sense. Signed-off-by: Christoph Hellwig Reviewed-by: Darrick J. Wong Signed-off-by: Carlos Maiolino commit 214093534f3c046bf5acc9affbf4e6bd9af4538b Author: Uros Bizjak Date: Wed Nov 20 16:06:22 2024 +0100 xfs: Use xchg() in xlog_cil_insert_pcp_aggregate() try_cmpxchg() loop with constant "new" value can be substituted with just xchg() to atomically get and clear the location. The code on x86_64 improves from: 1e7f: 48 89 4c 24 10 mov %rcx,0x10(%rsp) 1e84: 48 03 14 c5 00 00 00 add 0x0(,%rax,8),%rdx 1e8b: 00 1e88: R_X86_64_32S __per_cpu_offset 1e8c: 8b 02 mov (%rdx),%eax 1e8e: 41 89 c5 mov %eax,%r13d 1e91: 31 c9 xor %ecx,%ecx 1e93: f0 0f b1 0a lock cmpxchg %ecx,(%rdx) 1e97: 75 f5 jne 1e8e 1e99: 48 8b 4c 24 10 mov 0x10(%rsp),%rcx 1e9e: 45 01 e9 add %r13d,%r9d to just: 1e7f: 48 03 14 cd 00 00 00 add 0x0(,%rcx,8),%rdx 1e86: 00 1e83: R_X86_64_32S __per_cpu_offset 1e87: 31 c9 xor %ecx,%ecx 1e89: 87 0a xchg %ecx,(%rdx) 1e8b: 41 01 cb add %ecx,%r11d No functional change intended. Signed-off-by: Uros Bizjak Cc: Chandan Babu R Cc: Darrick J. Wong Cc: Christoph Hellwig Cc: Dave Chinner Reviewed-by: Alex Elder Reviewed-by: Dave Chinner Signed-off-by: Carlos Maiolino commit 04f5cb48995d51deed0af71aaba1b8699511313f Author: Leo Stone Date: Sun Nov 24 15:00:02 2024 -0800 Documentation: tls_offload: fix typos and grammar Fix typos and grammar where it improves readability. Signed-off-by: Leo Stone Reviewed-by: Bagas Sanjaya Link: https://patch.msgid.link/20241124230002.56058-1-leocstone@gmail.com Signed-off-by: Paolo Abeni commit 6e33123a18bf6c69c941d09e091e8bfef5fb0d41 Author: Vyshnav Ajith Date: Fri Nov 22 03:48:52 2024 +0530 Fix spelling mistake Changed from reequires to require. A minute typo. Signed-off-by: Vyshnav Ajith Link: https://patch.msgid.link/20241121221852.10754-1-puthen1977@gmail.com Signed-off-by: Paolo Abeni commit f5807b0606da7ac7c1b74a386b22134ec7702d05 Author: Marcelo Dalmas Date: Mon Nov 25 12:16:09 2024 +0000 ntp: Remove invalid cast in time offset math Due to an unsigned cast, adjtimex() returns the wrong offest when using ADJ_MICRO and the offset is negative. In this case a small negative offset returns approximately 4.29 seconds (~ 2^32/1000 milliseconds) due to the unsigned cast of the negative offset. This cast was added when the kernel internal struct timex was changed to use type long long for the time offset value to address the problem of a 64bit/32bit division on 32bit systems. The correct cast would have been (s32), which is correct as time_offset can only be in the range of [INT_MIN..INT_MAX] because the shift constant used for calculating it is 32. But that's non-obvious. Remove the cast and use div_s64() to cure the issue. [ tglx: Fix white space damage, use div_s64() and amend the change log ] Fixes: ead25417f82e ("timex: use __kernel_timex internally") Signed-off-by: Marcelo Dalmas Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org Link: https://lore.kernel.org/all/SJ0P101MB03687BF7D5A10FD3C49C51E5F42E2@SJ0P101MB0368.NAMP101.PROD.OUTLOOK.COM commit 34851431ceca1bf457d85895bd38a4e7967e2055 Author: Kenny Levinsen Date: Wed Nov 20 00:53:17 2024 +0100 HID: i2c-hid: Revert to using power commands to wake on resume commit 7d6f065de37c ("HID: i2c-hid: Use address probe to wake on resume") replaced the retry of power commands with the dummy read "bus probe" we use on boot which accounts for a necessary delay before retry. This made at least one Weida device (2575:0910 in an ASUS Vivobook S14) very unhappy, as the bus probe despite being successful somehow lead to the following power command failing so hard that the device never lets go of the bus. This means that even retries of the power command would fail on a timeout as the bus remains busy. Remove the bus probe on resume and instead reintroduce retry of the power command for wake-up purposes while respecting the newly established wake-up retry timings. Fixes: 7d6f065de37c ("HID: i2c-hid: Use address probe to wake on resume") Cc: stable@vger.kernel.org Reported-by: Michael Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219440 Link: https://lore.kernel.org/r/d5acb485-7377-4139-826d-4df04d21b5ed@leemhuis.info/ Signed-off-by: Kenny Levinsen Link: https://patch.msgid.link/20241119235615.23902-1-kl@kl.wtf Signed-off-by: Benjamin Tissoires commit 0dd298579794d88f872bdf6a4f48d3a368353d4b Merge: 663a917475530f fc9c273d6daaa9 Author: Paolo Abeni Date: Thu Nov 28 10:23:26 2024 +0100 Merge branch 'net-fix-mcast-rcu-splats' Paolo Abeni says: ==================== net: fix mcast RCU splats This series addresses the RCU splat triggered by the forwarding mroute tests. The first patch does not address any specific issue, but makes the following ones more clear. Patch 2 and 3 address the issue for ipv6 and ipv4 respectively. ==================== Link: https://patch.msgid.link/cover.1732289799.git.pabeni@redhat.com Signed-off-by: Paolo Abeni commit fc9c273d6daaa9866f349bbe8cae25c67764c456 Author: Paolo Abeni Date: Sun Nov 24 16:40:58 2024 +0100 ipmr: fix tables suspicious RCU usage Similar to the previous patch, plumb the RCU lock inside the ipmr_get_table(), provided a lockless variant and apply the latter in the few spots were the lock is already held. Fixes: 709b46e8d90b ("net: Add compat ioctl support for the ipv4 multicast ioctl SIOCGETSGCNT") Fixes: f0ad0860d01e ("ipv4: ipmr: support multiple tables") Reviewed-by: David Ahern Signed-off-by: Paolo Abeni commit f1553c9894b4dbeb10a2ab15ab1aa113b3b4047c Author: Paolo Abeni Date: Sun Nov 24 16:40:57 2024 +0100 ip6mr: fix tables suspicious RCU usage Several places call ip6mr_get_table() with no RCU nor RTNL lock. Add RCU protection inside such helper and provide a lockless variant for the few callers that already acquired the relevant lock. Note that some users additionally reference the table outside the RCU lock. That is actually safe as the table deletion can happen only after all table accesses are completed. Fixes: e2d57766e674 ("net: Provide compat support for SIOCGETMIFCNT_IN6 and SIOCGETSGCNT_IN6.") Fixes: d7c31cbde4bc ("net: ip6mr: add RTM_GETROUTE netlink op") Reviewed-by: David Ahern Signed-off-by: Paolo Abeni commit 11b6e701bce96f98474084f26821157cb0dccf69 Author: Paolo Abeni Date: Sun Nov 24 16:40:56 2024 +0100 ipmr: add debug check for mr table cleanup The multicast route tables lifecycle, for both ipv4 and ipv6, is protected by RCU using the RTNL lock for write access. In many places a table pointer escapes the RCU (or RTNL) protected critical section, but such scenarios are actually safe because tables are deleted only at namespace cleanup time or just after allocation, in case of default rule creation failure. Tables freed at namespace cleanup time are assured to be alive for the whole netns lifetime; tables freed just after creation time are never exposed to other possible users. Ensure that the free conditions are respected in ip{,6}mr_free_table, to document the locking schema and to prevent future possible introduction of 'table del' operation from breaking it. Reviewed-by: David Ahern Signed-off-by: Paolo Abeni commit 663a917475530feff868a4f2bda286ea4171f420 Author: Hangbin Liu Date: Sun Nov 24 07:32:43 2024 +0000 selftests: rds: move test.py to TEST_FILES The test.py should not be run separately. It should be run via run.sh, which will do some sanity checks first. Move the test.py from TEST_PROGS to TEST_FILES. Reported-by: Maximilian Heyne Closes: https://lore.kernel.org/netdev/20241122150129.GB18887@dev-dsk-mheyne-1b-55676e6a.eu-west-1.amazon.com Fixes: 3ade6ce1255e ("selftests: rds: add testing infrastructure") Signed-off-by: Hangbin Liu Reviewed-by: Allison Henderson Link: https://patch.msgid.link/20241124073243.847932-1-liuhangbin@gmail.com Signed-off-by: Paolo Abeni commit aef7ee7649e02f7fc0d2e5e532f352496976dcb1 Author: Fedor Pchelkin Date: Wed Nov 27 21:59:26 2024 +0300 dma-debug: fix physical address calculation for struct dma_debug_entry Offset into the page should also be considered while calculating a physical address for struct dma_debug_entry. page_to_phys() just shifts the value PAGE_SHIFT bits to the left so offset part is zero-filled. An example (wrong) debug assertion failure with CONFIG_DMA_API_DEBUG enabled which is observed during systemd boot process after recent dma-debug changes: DMA-API: e1000 0000:00:03.0: cacheline tracking EEXIST, overlapping mappings aren't supported WARNING: CPU: 4 PID: 941 at kernel/dma/debug.c:596 add_dma_entry CPU: 4 UID: 0 PID: 941 Comm: ip Not tainted 6.12.0+ #288 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 RIP: 0010:add_dma_entry kernel/dma/debug.c:596 Call Trace: debug_dma_map_page kernel/dma/debug.c:1236 dma_map_page_attrs kernel/dma/mapping.c:179 e1000_alloc_rx_buffers drivers/net/ethernet/intel/e1000/e1000_main.c:4616 ... Found by Linux Verification Center (linuxtesting.org). Fixes: 9d4f645a1fd4 ("dma-debug: store a phys_addr_t in struct dma_debug_entry") Signed-off-by: Fedor Pchelkin [hch: added a little helper to clean up the code] Signed-off-by: Christoph Hellwig commit 122aba8c80618eca904490b1733af27fb8f07528 Author: Jakub Kicinski Date: Sat Nov 23 18:21:48 2024 -0800 net_sched: sch_fq: don't follow the fast path if Tx is behind now Recent kernels cause a lot of TCP retransmissions [ ID] Interval Transfer Bitrate Retr Cwnd [ 5] 0.00-1.00 sec 2.24 GBytes 19.2 Gbits/sec 2767 442 KBytes [ 5] 1.00-2.00 sec 2.23 GBytes 19.1 Gbits/sec 2312 350 KBytes ^^^^ Replacing the qdisc with pfifo makes retransmissions go away. It appears that a flow may have a delayed packet with a very near Tx time. Later, we may get busy processing Rx and the target Tx time will pass, but we won't service Tx since the CPU is busy with Rx. If Rx sees an ACK and we try to push more data for the delayed flow we may fastpath the skb, not realizing that there are already "ready to send" packets for this flow sitting in the qdisc. Don't trust the fastpath if we are "behind" according to the projected Tx time for next flow waiting in the Qdisc. Because we consider anything within the offload window to be okay for fastpath we must consider the entire offload window as "now". Qdisc config: qdisc fq 8001: dev eth0 parent 1234:1 limit 10000p flow_limit 100p \ buckets 32768 orphan_mask 1023 bands 3 \ priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1 \ weights 589824 196608 65536 quantum 3028b initial_quantum 15140b \ low_rate_threshold 550Kbit \ refill_delay 40ms timer_slack 10us horizon 10s horizon_drop For iperf this change seems to do fine, the reordering is gone. The fastpath still gets used most of the time: gc 0 highprio 0 fastpath 142614 throttled 418309 latency 19.1us xx_behind 2731 where "xx_behind" counts how many times we hit the new "return false". CC: stable@vger.kernel.org Fixes: 076433bd78d7 ("net_sched: sch_fq: add fast path for mostly idle qdisc") Signed-off-by: Jakub Kicinski Reviewed-by: Eric Dumazet Link: https://patch.msgid.link/20241124022148.3126719-1-kuba@kernel.org Signed-off-by: Paolo Abeni commit c31e72d021db2714df03df6c42855a1db592716c Author: Kuniyuki Iwashima Date: Sat Nov 23 09:42:36 2024 -0800 tcp: Fix use-after-free of nreq in reqsk_timer_handler(). The cited commit replaced inet_csk_reqsk_queue_drop_and_put() with __inet_csk_reqsk_queue_drop() and reqsk_put() in reqsk_timer_handler(). Then, oreq should be passed to reqsk_put() instead of req; otherwise use-after-free of nreq could happen when reqsk is migrated but the retry attempt failed (e.g. due to timeout). Let's pass oreq to reqsk_put(). Fixes: e8c526f2bdf1 ("tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink().") Reported-by: Liu Jian Closes: https://lore.kernel.org/netdev/1284490f-9525-42ee-b7b8-ccadf6606f6d@huawei.com/ Signed-off-by: Kuniyuki Iwashima Reviewed-by: Vadim Fedorenko Reviewed-by: Liu Jian Reviewed-by: Eric Dumazet Reviewed-by: Martin KaFai Lau Link: https://patch.msgid.link/20241123174236.62438-1-kuniyu@amazon.com Signed-off-by: Paolo Abeni commit e2668c34b7e1a2288ea0a97ccf3cd12e2870ca18 Author: Russell King (Oracle) Date: Sat Nov 23 14:50:12 2024 +0000 net: phy: fix phy_ethtool_set_eee() incorrectly enabling LPI When phy_ethtool_set_eee_noneg() detects a change in the LPI parameters, it attempts to update phylib state and trigger the link to cycle so the MAC sees the updated parameters. However, in doing so, it sets phydev->enable_tx_lpi depending on whether the EEE configuration allows the MAC to generate LPI without taking into account the result of negotiation. This can be demonstrated with a 1000base-T FD interface by: # ethtool --set-eee eno0 advertise 8 # cause EEE to be not negotiated # ethtool --set-eee eno0 tx-lpi off # ethtool --set-eee eno0 tx-lpi on This results in being true, despite EEE not having been negotiated and: # ethtool --show-eee eno0 EEE status: enabled - inactive Tx LPI: 250 (us) Supported EEE link modes: 100baseT/Full 1000baseT/Full Advertised EEE link modes: 100baseT/Full 1000baseT/Full Fix this by keeping track of whether EEE was negotiated via a new eee_active member in struct phy_device, and include this state in the decision whether phydev->enable_tx_lpi should be set. Fixes: 3e43b903da04 ("net: phy: Immediately call adjust_link if only tx_lpi_enabled changes") Signed-off-by: Russell King (Oracle) Link: https://patch.msgid.link/E1tErSe-005RhB-2R@rmk-PC.armlinux.org.uk Signed-off-by: Paolo Abeni commit 8d5c1b8c3e716e8f45ab7b65e8c3929cad2beb81 Merge: d1524d040b12e5 ed958855494309 Author: Paolo Abeni Date: Thu Nov 28 09:23:02 2024 +0100 Merge tag 'for-net-2024-11-26' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth Luiz Augusto von Dentz says: ==================== bluetooth pull request for net: - SCO: remove the redundant sco_conn_put - MGMT: Fix slab-use-after-free Read in set_powered_sync - MGMT: Fix possible deadlocks * tag 'for-net-2024-11-26' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth: Bluetooth: SCO: remove the redundant sco_conn_put Bluetooth: MGMT: Fix possible deadlocks Bluetooth: MGMT: Fix slab-use-after-free Read in set_powered_sync ==================== Link: https://patch.msgid.link/20241126165149.899213-1-luiz.dentz@gmail.com Signed-off-by: Paolo Abeni commit d1524d040b12e5bee1ee1d04ce50122a1ea35258 Merge: 5dfd7d940094e1 49b2b973325add Author: Paolo Abeni Date: Thu Nov 28 08:57:42 2024 +0100 Merge branch 'net-fix-some-callers-of-copy_from_sockptr' Michal Luczaj says: ==================== net: Fix some callers of copy_from_sockptr() Some callers misinterpret copy_from_sockptr()'s return value. The function follows copy_from_user(), i.e. returns 0 for success, or the number of bytes not copied on error. Simply returning the result in a non-zero case isn't usually what was intended. Compile tested with CONFIG_LLC, CONFIG_AF_RXRPC, CONFIG_BT enabled. Last patch probably belongs more to net-next, if any. Here as an RFC. Suggested-by: Jakub Kicinski Signed-off-by: Michal Luczaj ==================== Link: https://patch.msgid.link/20241119-sockptr-copy-fixes-v3-0-d752cac4be8e@rbox.co Signed-off-by: Paolo Abeni commit 49b2b973325add467270e906d4d794aa6679b38b Author: Michal Luczaj Date: Tue Nov 19 14:31:43 2024 +0100 net: Comment copy_from_sockptr() explaining its behaviour copy_from_sockptr() has a history of misuse. Add a comment explaining that the function follows API of copy_from_user(), i.e. returns 0 for success, or number of bytes not copied on error. Signed-off-by: Michal Luczaj Signed-off-by: Paolo Abeni commit 02020056647017e70509bb58c3096448117099e1 Author: Michal Luczaj Date: Tue Nov 19 14:31:42 2024 +0100 rxrpc: Improve setsockopt() handling of malformed user input copy_from_sockptr() does not return negative value on error; instead, it reports the number of bytes that failed to copy. Since it's deprecated, switch to copy_safe_from_sockptr(). Note: Keeping the `optlen != sizeof(unsigned int)` check as copy_safe_from_sockptr() by itself would also accept optlen > sizeof(unsigned int). Which would allow a more lenient handling of inputs. Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both") Signed-off-by: Michal Luczaj Signed-off-by: Paolo Abeni commit 1465036b10be4b8b00eb31c879e86de633ad74c1 Author: Michal Luczaj Date: Tue Nov 19 14:31:41 2024 +0100 llc: Improve setsockopt() handling of malformed user input copy_from_sockptr() is used incorrectly: return value is the number of bytes that could not be copied. Since it's deprecated, switch to copy_safe_from_sockptr(). Note: Keeping the `optlen != sizeof(int)` check as copy_safe_from_sockptr() by itself would also accept optlen > sizeof(int). Which would allow a more lenient handling of inputs. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Suggested-by: David Wei Signed-off-by: Michal Luczaj Signed-off-by: Paolo Abeni commit ca0f79f0286046f6a91c099dc941cf7afae198d6 Author: Takashi Iwai Date: Thu Nov 28 08:26:45 2024 +0100 ALSA: hda/realtek: Apply quirk for Medion E15433 Medion E15433 laptop wich ALC269VC (SSID 2782:1705) needs the same workaround for the missing speaker as another model. Link: https://bugzilla.suse.com/show_bug.cgi?id=1233298 Cc: Link: https://patch.msgid.link/20241128072646.15659-1-tiwai@suse.de Signed-off-by: Takashi Iwai commit e6064da6461f989a357f2e280d7f8d4155267c4c Author: Sedat Dilek Date: Tue Nov 26 16:58:01 2024 +0100 kbuild: rename .tmp_vmlinux.kallsyms0.syms to .tmp_vmlinux0.syms Change the naming for consistency. While at this, fix the comments in scripts/link-vmlinux.sh. Signed-off-by: Sedat Dilek Signed-off-by: Masahiro Yamada commit 4198a4d25141c76021ae65368a5841843ee66098 Author: Li Zhijian Date: Mon Nov 25 16:37:36 2024 +0800 gitignore: Don't ignore 'tags' directory W=1 builds reported warnings regarding files being ignored: tools/testing/selftests/arm64/tags/.gitignore: warning: ignored by one of the .gitignore files tools/testing/selftests/arm64/tags/Makefile: warning: ignored by one of the .gitignore files tools/testing/selftests/arm64/tags/tags_test.c: warning: ignored by one of the .gitignore files Adjusting the .gitignore entries will prevent these warnings and ensure a smoother script execution. Reported-by: kernel test robot Signed-off-by: Li Zhijian Signed-off-by: Masahiro Yamada commit 18e9944e56f68423e52505066f79939e7d12a62b Author: Thomas Weißschuh Date: Sat Nov 23 14:33:37 2024 +0100 kbuild: add dependency from vmlinux to resolve_btfids resolve_btfids is used by link-vmlinux.sh. In contrast to other configuration options and targets no transitive dependency between resolve_btfids and vmlinux. Add an explicit one. Signed-off-by: Thomas Weißschuh Acked-by: Jiri Olsa Signed-off-by: Masahiro Yamada commit 5eaea85187bf2132d1af916010fa9e26bb63f97f Author: Masahiro Yamada Date: Sat Nov 23 17:36:08 2024 +0900 modpost: replace tdb_hash() with hash_str() Use a helper available in scripts/include/hash.h. Signed-off-by: Masahiro Yamada commit 6b1fabce7313dcd4d95e541dd400ba5748b09b94 Author: Masahiro Yamada Date: Sat Nov 23 17:26:45 2024 +0900 kbuild: deb-pkg: add python3:native to build dependency Python3 is necessary for running some scripts such as drivers/gpu/drm/msm/registers/gen_header.py Both scripts/package/kernel.spec and scripts/package/PKGBUILD already list Python as the build dependency. Do likewise for scripts/package/mkdebian. Signed-off-by: Masahiro Yamada Reviewed-by: Nicolas Schier commit 091aa11a2983cdc608f3978d365f5479e78917d8 Author: Masahiro Yamada Date: Fri Nov 22 08:22:55 2024 +0900 genksyms: reduce indentation in export_symbol() Modify this function to return earlier when find_symbol() returns NULL, reducing the level of improve readability. No functional changes are intended. Signed-off-by: Masahiro Yamada commit 2b1bd507542a6ec1506a847da8e81fc764a4e707 Author: Masahiro Yamada Date: Wed Nov 20 08:56:53 2024 +0900 modpost: improve error messages in device_id_check() The first error message in device_id_check() is obscure and can be misleading because the cause of the error is unlikely to be found in the struct definition in mod_devicetable.h. This type of error occurs when an array is passed to an incorrect type of MODULE_DEVICE_TABLE(). [Example 1] static const struct acpi_device_id foo_ids[] = { { "FOO" }, { /* sentinel */ }, }; MODULE_DEVICE_TABLE(of, foo_ids); Currently, modpost outputs a meaningless suggestion: ERROR: modpost: ...: sizeof(struct of_device_id)=200 is not a modulo of the size of section __mod_device_table__of__=64. Fix definition of struct of_device_id in mod_devicetable.h The root cause here is that MODULE_DEVICE_TABLE(of, ...) is used instead of the correct MODULE_DEVICE_TABLE(acpi, ...). This commit provides a more intuitive error message: ERROR: modpost: ...: type mismatch between foo_ids[] and MODULE_DEVICE_TABLE(of, ...) The second error message, related to a missing terminator, is too verbose. [Example 2] static const struct acpi_device_id foo_ids[] = { { "FOO" }, }; MODULE_DEVICE_TABLE(acpi, foo_ids); The current error message is overly long, and does not pinpoint the incorrect array: ...: struct acpi_device_id is 32 bytes. The last of 1 is: 0x46 0x4f 0x4f 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 ERROR: modpost: ...: struct acpi_device_id is not terminated with a NULL entry! This commit changes it to a more concise error message, sufficient to identify the incorrect array: ERROR: modpost: ...: foo_ids[] is not terminated with a NULL entry Lastly, this commit squashes device_id_check() into do_table() and changes fatal() into error(), allowing modpost to continue processing other modules. Signed-off-by: Masahiro Yamada commit 054a9cd395a79f4a5595f2cd24542e9bca8723c8 Author: Masahiro Yamada Date: Wed Nov 20 08:56:52 2024 +0900 modpost: rename alias symbol for MODULE_DEVICE_TABLE() This commit renames the alias symbol, __mod____device_table to __mod_device_table____. This change simplifies the code slightly, as there is no longer a need to check both the prefix and suffix. Signed-off-by: Masahiro Yamada commit 9a8ace8bb2efa0ca43a77866fa9c835294b1e045 Author: Masahiro Yamada Date: Wed Nov 20 08:56:51 2024 +0900 modpost: rename variables in handle_moddevtable() This commit renames the variables in handle_moddevtable() as follows: name -> type namelen -> typelen identifier -> name These changes align with the definition in include/linux/module.h: extern typeof(name) __mod_##type##__##name##_device_table Signed-off-by: Masahiro Yamada commit 9d98038d438d8515473a75a29bc524e9a4a5882a Author: Masahiro Yamada Date: Wed Nov 20 08:56:50 2024 +0900 modpost: move strstarts() to modpost.h This macro is useful in file2alias.c as well. Signed-off-by: Masahiro Yamada commit abd20428c3f2f8b97a2a0414343faf0ff246a018 Author: Masahiro Yamada Date: Wed Nov 20 08:56:49 2024 +0900 modpost: convert do_usb_table() to a generic handler do_usb_table() no longer needs to iterate over the usb_device_id array. Convert it to a generic ->do_entry() handler. This is the last special case. Clean up handle_moddevtable(). Signed-off-by: Masahiro Yamada commit c58854c8e0b50c2f30c729b82b92b3fd8cc8f2c1 Author: Masahiro Yamada Date: Wed Nov 20 08:56:48 2024 +0900 modpost: convert do_of_table() to a generic handler do_of_table() no longer needs to iterate over the of_device_id array. Convert it to a generic ->do_entry() handler. Signed-off-by: Masahiro Yamada commit 600dbaf1e2f0c0b70b2d3e7513a161b884e7718f Author: Masahiro Yamada Date: Wed Nov 20 08:56:47 2024 +0900 modpost: convert do_pnp_device_entry() to a generic handler do_pnp_device_entry() no longer needs to iterate over the pnp_device_id array. Convert it to a generic ->do_entry() handler. Signed-off-by: Masahiro Yamada commit a5d8d417e62ab3823a06e1bc08634d737d810e59 Author: Masahiro Yamada Date: Wed Nov 20 08:56:46 2024 +0900 modpost: convert do_pnp_card_entries() to a generic handler do_pnp_card_entries() no longer needs to iterate over the pnp_card_device_id array. Convert it to a generic ->do_entry() handler. Signed-off-by: Masahiro Yamada commit 6d3b3dd26fd71dde0b41478755a59ca30aaeb664 Author: Masahiro Yamada Date: Wed Nov 20 08:56:45 2024 +0900 modpost: call module_alias_printf() from all do_*_entry() functions The do_*_entry() functions cannot check the length of the given buffer. Use module_alias_printf() helper consistently for these functions. Signed-off-by: Masahiro Yamada commit c7c24d60151c022bd8e357f5395a327d354a676a Author: Masahiro Yamada Date: Wed Nov 20 08:56:44 2024 +0900 modpost: pass (struct module *) to do_*_entry() functions Replace the first argument with a pointer to struct module. 'filename' can be replaced with mod->name. Signed-off-by: Masahiro Yamada commit c4d1a9f9d11b5d7c5cf4fab33f86f7d7a978801e Author: Masahiro Yamada Date: Wed Nov 20 08:56:43 2024 +0900 modpost: remove DEF_FIELD_ADDR_VAR() macro With the former cleanups in do_pnp_card_entries(), this macro is no longer used by anyone. Signed-off-by: Masahiro Yamada commit d92b7a3b528bb4b69fa8b6f99c63fe8ad7927cec Author: Masahiro Yamada Date: Wed Nov 20 08:56:42 2024 +0900 modpost: deduplicate MODULE_ALIAS() for all drivers MODULE_DEVICE_TABLE(pnp_card, ...) may have duplicated IDs. For instance, snd_ad1816a_pnpids[] in sound/isa/ad1816a/ad1816a.c includes multiple occurrences of the "ADS7180" string within its .devs fields. Currently, do_pnp_card_entries() handles deduplication on its own, but this logic should be moved to a common helper function, as drivers in other subsystems might also have similar duplication issues. For example, drivers/media/i2c/s5c73m3/s5c73m3.mod.c contains duplicated MODULE_ALIAS() entries because both s5c73m3-core.c and s5c73m3-spi.c define the same compatible string. This commit eliminates redundant MODULE_ALIAS() entries across all drivers. [Before] $ grep MODULE_ALIAS drivers/media/i2c/s5c73m3/s5c73m3.mod.c MODULE_ALIAS("i2c:S5C73M3"); MODULE_ALIAS("of:N*T*Csamsung,s5c73m3"); MODULE_ALIAS("of:N*T*Csamsung,s5c73m3C*"); MODULE_ALIAS("of:N*T*Csamsung,s5c73m3"); MODULE_ALIAS("of:N*T*Csamsung,s5c73m3C*"); [After] $ grep MODULE_ALIAS drivers/media/i2c/s5c73m3/s5c73m3.mod.c MODULE_ALIAS("i2c:S5C73M3"); MODULE_ALIAS("of:N*T*Csamsung,s5c73m3"); MODULE_ALIAS("of:N*T*Csamsung,s5c73m3C*"); Signed-off-by: Masahiro Yamada commit f4fdb17ca5a5285d4a0ed81b25d5a3d7b9b3ebf3 Author: Masahiro Yamada Date: Wed Nov 20 08:56:41 2024 +0900 modpost: introduce module_alias_printf() helper The generic ->do_entry() handler is currently limited to returning a single alias string. However, this is not flexible enough for several subsystems, which currently require their own implementations: - do_usb_table() - do_of_table() - do_pnp_device_entry() - do_pnp_card_entries() This commit introduces a helper function so that these special cases can add multiple MODULE_ALIAS() and then migrate to the generic framework. Signed-off-by: Masahiro Yamada commit b7bca42d101d8d9678068cde645bd6d0afa8a20f Author: Masahiro Yamada Date: Wed Nov 20 08:56:40 2024 +0900 modpost: remove unnecessary check in do_acpi_entry() The 'id' pointer is never NULL since it has the same address as 'symval'. Also, checking (*id)[0] is simpler than calling strlen(). Signed-off-by: Masahiro Yamada commit 0c3e091319e4748cb36ac9a50848903dc6f54054 Author: Masahiro Yamada Date: Wed Nov 20 08:56:39 2024 +0900 modpost: remove incorrect code in do_eisa_entry() This function contains multiple bugs after the following commits:  - ac551828993e ("modpost: i2c aliases need no trailing wildcard")  - 6543becf26ff ("mod/file2alias: make modalias generation safe for cross compiling") Commit ac551828993e inserted the following code to do_eisa_entry():     else             strcat(alias, "*"); This is incorrect because 'alias' is uninitialized. If it is not NULL-terminated, strcat() could cause a buffer overrun. Even if 'alias' happens to be zero-filled, it would output: MODULE_ALIAS("*"); This would match anything. As a result, the module could be loaded by any unrelated uevent from an unrelated subsystem. Commit ac551828993e introduced another bug.             Prior to that commit, the conditional check was:     if (eisa->sig[0]) This checked if the first character of eisa_device_id::sig was not '\0'. However, commit ac551828993e changed it as follows:     if (sig[0]) sig[0] is NOT the first character of the eisa_device_id::sig. The type of 'sig' is 'char (*)[8]', meaning that the type of 'sig[0]' is 'char [8]' instead of 'char'. 'sig[0]' and 'symval' refer to the same address, which never becomes NULL. The correct conversion would have been:     if ((*sig)[0]) However, this if-conditional was meaningless because the earlier change in commit ac551828993e was incorrect. This commit removes the entire incorrect code, which should never have been executed. Fixes: ac551828993e ("modpost: i2c aliases need no trailing wildcard") Fixes: 6543becf26ff ("mod/file2alias: make modalias generation safe for cross compiling") Signed-off-by: Masahiro Yamada commit e2ff1219a5541a22921016219c4d86a6d0190d15 Author: Masahiro Yamada Date: Tue Nov 19 08:09:06 2024 +0900 setlocalversion: add -e option Set the -e option to ensure this script fails on any unexpected errors. Without this change, the kernel build may continue running with an incorrect string in include/config/kernel.release. Currently, try_tag() returns 1 when the expected tag is not found as an ancestor, but this is a case where the script should continue. Signed-off-by: Masahiro Yamada commit 523f3dbc187a9618d4fd80c2b438e4d490705dcd Author: Rasmus Villemoes Date: Mon Nov 18 12:01:54 2024 +0100 setlocalversion: work around "git describe" performance Contrary to expectations, passing a single candidate tag to "git describe" is slower than not passing any --match options. $ time git describe --debug ... traversed 10619 commits ... v6.12-rc5-63-g0fc810ae3ae1 real 0m0.169s $ time git describe --match=v6.12-rc5 --debug ... traversed 1310024 commits v6.12-rc5-63-g0fc810ae3ae1 real 0m1.281s In fact, the --debug output shows that git traverses all or most of history. For some repositories and/or git versions, those 1.3s are actually 10-15 seconds. This has been acknowledged as a performance bug in git [1], and a fix is on its way [2]. However, no solution is yet in git.git, and even when one lands, it will take quite a while before it finds its way to a release and for $random_kernel_developer to pick that up. So rewrite the logic to use plumbing commands. For each of the candidate values of $tag, we ask: (1) is $tag even an annotated tag? (2) Is it eligible to describe HEAD, i.e. an ancestor of HEAD? (3) If so, how many commits are in $tag..HEAD? I have tested that this produces the same output as the current script for ~700 random commits between v6.9..v6.10. For those 700 commits, and in my git repo, the 'make -s kernelrelease' command is on average ~4 times faster with this patch applied (geometric mean of ratios). For the commit mentioned in Josh's original report [3], the time-consuming part of setlocalversion goes from $ time git describe --match=v6.12-rc5 c1e939a21eb1 v6.12-rc5-44-gc1e939a21eb1 real 0m1.210s to $ time git rev-list --count --left-right v6.12-rc5..c1e939a21eb1 0 44 real 0m0.037s [1] https://lore.kernel.org/git/20241101113910.GA2301440@coredump.intra.peff.net/ [2] https://lore.kernel.org/git/20241106192236.GC880133@coredump.intra.peff.net/ [3] https://lore.kernel.org/lkml/309549cafdcfe50c4fceac3263220cc3d8b109b2.1730337435.git.jpoimboe@kernel.org/ Reported-by: Sean Christopherson Closes: https://lore.kernel.org/lkml/ZPtlxmdIJXOe0sEy@google.com/ Reported-by: Josh Poimboeuf Closes: https://lore.kernel.org/lkml/309549cafdcfe50c4fceac3263220cc3d8b109b2.1730337435.git.jpoimboe@kernel.org/ Tested-by: Josh Poimboeuf Signed-off-by: Rasmus Villemoes Signed-off-by: Masahiro Yamada commit e397a603e49cc7c7c113fad9f55a09637f290c34 Author: Parth Pancholi Date: Thu Nov 14 15:56:44 2024 +0100 kbuild: switch from lz4c to lz4 for compression Replace lz4c with lz4 for kernel image compression. Although lz4 and lz4c are functionally similar, lz4c has been deprecated upstream since 2018. Since as early as Ubuntu 16.04 and Fedora 25, lz4 and lz4c have been packaged together, making it safe to update the requirement from lz4c to lz4. Consequently, some distributions and build systems, such as OpenEmbedded, have fully transitioned to using lz4. OpenEmbedded core adopted this change in commit fe167e082cbd ("bitbake.conf: require lz4 instead of lz4c"), causing compatibility issues when building the mainline kernel in the latest OpenEmbedded environment, as seen in the errors below. This change also updates the LZ4 compression commands to make it backward compatible by replacing stdin and stdout with the '-' option, due to some unclear reason, the stdout keyword does not work for lz4 and '-' works for both. In addition, this modifies the legacy '-c1' with '-9' which is also compatible with both. This fixes the mainline kernel build failures with the latest master OpenEmbedded builds associated with the mentioned compatibility issues. LZ4 arch/arm/boot/compressed/piggy_data /bin/sh: 1: lz4c: not found ... ... ERROR: oe_runmake failed Link: https://github.com/lz4/lz4/pull/553 Suggested-by: Francesco Dolcini Signed-off-by: Parth Pancholi Signed-off-by: Masahiro Yamada commit 1b466b29a3bf02ed95f28682a975f41ae47bce7d Author: Masahiro Yamada Date: Thu Nov 14 08:45:23 2024 +0900 kbuild: re-enable KCSAN for autogenerated *.mod.c intermediaries This reverts commit 54babdc0343f ("kbuild: Disable KCSAN for autogenerated *.mod.c intermediaries"). Now that objtool is enabled for *.mod.c, there is no need to filter out CFLAGS_KCSAN. I no longer see "Unpatched return thunk in use. This should not happen!" error with KCSAN when loading a module. Signed-off-by: Masahiro Yamada commit bede169618c68379e1be7ace14e8ac85b964a9ec Author: Masahiro Yamada Date: Thu Nov 14 08:45:22 2024 +0900 kbuild: enable objtool for *.mod.o and additional kernel objects Currently, objtool is disabled in scripts/Makefile.{modfinal,vmlinux}. This commit moves rule_cc_o_c and rule_as_o_S to scripts/Makefile.lib and set objtool-enabled to y there. With this change, *.mod.o, .module-common.o, builtin-dtb.o, and vmlinux.export.o will now be covered by objtool. Signed-off-by: Masahiro Yamada commit 000e22a80de0727839bb753159ac05c8ba20c3e3 Author: Masahiro Yamada Date: Thu Nov 14 08:45:21 2024 +0900 kbuild: move cmd_cc_o_c and cmd_as_o_S to scripts/Malefile.lib The cmd_cc_o_c and cmd_as_o_S macros are duplicated in scripts/Makefile.{build,modfinal,vmlinux}. This commit factors them out to scripts/Makefile.lib. No functional changes are intended. Signed-off-by: Masahiro Yamada commit 91ca8be3c402c566de75685ce99c714b0e8638bf Author: Masahiro Yamada Date: Tue Nov 12 02:17:41 2024 +0900 kbuild: remove support for single %.symtypes build rule This rule is unnecessary because you can generate foo/bar.symtypes as a side effect using: $ make KBUILD_SYMTYPES=1 foo/bar.o While compiling *.o is slower than preprocessing, the impact is negligible. I prioritize keeping the code simpler. Signed-off-by: Masahiro Yamada Reviewed-by: Nicolas Schier commit c2386abf55616b979b07a63b4eb2a14eedb4c9e5 Author: Masahiro Yamada Date: Tue Nov 12 02:17:40 2024 +0900 kbuild: do not pass -r to genksyms when *.symref does not exist There is no need to pass '-r /dev/null', which is no-op. Signed-off-by: Masahiro Yamada Reviewed-by: Nicolas Schier commit 8cd07cc6c88cab5cbfe5dd83aacf860a209eb521 Author: Masahiro Yamada Date: Sun Nov 10 10:34:39 2024 +0900 kbuild: allow to start building external modules in any directory Unless an explicit O= option is provided, external module builds must start from the kernel directory. This can be achieved by using the -C option: $ make -C /path/to/kernel M=/path/to/external/module This commit allows starting external module builds from any directory, so you can also do the following: $ make -f /path/to/kernel/Makefile M=/path/to/external/module The key difference is that the -C option changes the working directory and parses the Makefile located there, while the -f option only specifies the Makefile to use. As shown in the examples in Documentation/kbuild/modules.rst, external modules usually have a wrapper Makefile that allows you to build them without specifying any make arguments. The Makefile typically contains a rule as follows: KDIR ?= /path/to/kernel default: $(MAKE) -C $(KDIR) M=$(CURDIR) $(MAKECMDGOALS) The log will appear as follows: $ make make -C /path/to/kernel M=/path/to/external/module make[1]: Entering directory '/path/to/kernel' make[2]: Entering directory '/path/to/external/module' CC [M] helloworld.o MODPOST Module.symvers CC [M] helloworld.mod.o CC [M] .module-common.o LD [M] helloworld.ko make[2]: Leaving directory '/path/to/external/module' make[1]: Leaving directory '/path/to/kernel' This changes the working directory twice because the -C option first switches to the kernel directory, and then Kbuild internally recurses back to the external module directory. With this commit, the wrapper Makefile can directly include the kernel Makefile: KDIR ?= /path/to/kernel export KBUILD_EXTMOD := $(realpath $(dir $(lastword $(MAKEFILE_LIST)))) include $(KDIR)/Makefile This avoids unnecessary sub-make invocations: $ make CC [M] helloworld.o MODPOST Module.symvers CC [M] helloworld.mod.o CC [M] .module-common.o LD [M] helloworld.ko Signed-off-by: Masahiro Yamada Reviewed-by: Nicolas Schier commit a2a45ebee0969b804b1d474a930001a83c954140 Author: Masahiro Yamada Date: Sun Nov 10 10:34:38 2024 +0900 kbuild: make wrapper Makefile more convenient for external modules When Kbuild starts building in a separate output directory, it generates a wrapper Makefile, allowing you to invoke 'make' from the output directory. This commit makes it more convenient, so you can invoke 'make' without M= or MO=. First, you need to build external modules in a separate directory: $ make M=/path/to/module/source/dir MO=/path/to/module/build/dir Once the wrapper Makefile is generated in /path/to/module/build/dir, you can proceed as follows: $ cd /path/to/module/build/dir $ make Signed-off-by: Masahiro Yamada Reviewed-by: Nicolas Schier commit 822b11a74ba2bc79ddd4165d55e988514c053d71 Author: Masahiro Yamada Date: Sun Nov 10 10:34:37 2024 +0900 kbuild: use absolute path in the generated wrapper Makefile Keep the consistent behavior when this Makefile is invoked from another directory. Signed-off-by: Masahiro Yamada Reviewed-by: Nicolas Schier commit 1d3730f0012fa04ec392b52cc21f945704ac2e16 Author: Masahiro Yamada Date: Sun Nov 10 10:34:36 2024 +0900 kbuild: support -fmacro-prefix-map for external modules This commit makes -fmacro-prefix-map work for external modules built in a separate output directory. It improves the reproducibility of external modules and provides the benefits described in commit a73619a845d5 ("kbuild: use -fmacro-prefix-map to make __FILE__ a relative path"). When building_out_of_srctree is not defined (e.g., when the kernel or external module is built in the source directory), this option is unnecessary. Signed-off-by: Masahiro Yamada Reviewed-by: Nicolas Schier commit 11b3d5175e6bc3779159228e6077be202d2b0069 Author: Masahiro Yamada Date: Sun Nov 10 10:34:35 2024 +0900 kbuild: support building external modules in a separate build directory There has been a long-standing request to support building external modules in a separate build directory. This commit introduces a new environment variable, KBUILD_EXTMOD_OUTPUT, and its shorthand Make variable, MO. A simple usage: $ make -C M= MO= Signed-off-by: Masahiro Yamada Reviewed-by: Nicolas Schier commit bad6beb2c0bb982b830f592a7b3e3eee76cbb85a Author: Masahiro Yamada Date: Sun Nov 10 10:34:34 2024 +0900 kbuild: remove extmod_prefix, MODORDER, MODULES_NSDEPS variables With the previous changes, $(extmod_prefix), $(MODORDER), and $(MODULES_NSDEPS) are constant. (empty, modules.order, and modules.nsdeps, respectively). Remove these variables and hard-code their values. Signed-off-by: Masahiro Yamada Reviewed-by: Nicolas Schier commit 13b25489b6f8bd73ed65f07928f7c27a481f1820 Author: Masahiro Yamada Date: Sun Nov 10 10:34:33 2024 +0900 kbuild: change working directory to external module directory with M= Currently, Kbuild always operates in the output directory of the kernel, even when building external modules. This increases the risk of external module Makefiles attempting to write to the kernel directory. This commit switches the working directory to the external module directory, allowing the removal of the $(KBUILD_EXTMOD)/ prefix from some build artifacts. The command for building external modules maintains backward compatibility, but Makefiles that rely on working in the kernel directory may break. In such cases, $(objtree) and $(srctree) should be used to refer to the output and source directories of the kernel. The appearance of the build log will change as follows: [Before] $ make -C /path/to/my/linux M=/path/to/my/externel/module make: Entering directory '/path/to/my/linux' CC [M] /path/to/my/externel/module/helloworld.o MODPOST /path/to/my/externel/module/Module.symvers CC [M] /path/to/my/externel/module/helloworld.mod.o CC [M] /path/to/my/externel/module/.module-common.o LD [M] /path/to/my/externel/module/helloworld.ko make: Leaving directory '/path/to/my/linux' [After] $ make -C /path/to/my/linux M=/path/to/my/externel/module make: Entering directory '/path/to/my/linux' make[1]: Entering directory '/path/to/my/externel/module' CC [M] helloworld.o MODPOST Module.symvers CC [M] helloworld.mod.o CC [M] .module-common.o LD [M] helloworld.ko make[1]: Leaving directory '/path/to/my/externel/module' make: Leaving directory '/path/to/my/linux' Printing "Entering directory" twice is cumbersome. This will be addressed later. Signed-off-by: Masahiro Yamada Reviewed-by: Nicolas Schier commit b86545e02e8c22fb89218f29d381fa8e8b91d815 Merge: 79525e24af2f30 6f683c7feea45c Author: Linus Torvalds Date: Wed Nov 27 14:50:31 2024 -0800 Merge tag 'acpi-6.13-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull more ACPI updates from Rafael Wysocki: "These add a common init function for arch-specific ACPI initialization, clean up idle states initialization in the ACPI processor_idle driver and update quirks: - Introduce acpi_arch_init() for architecture-specific ACPI subsystem initialization (Miao Wang) - Clean up Asus quirks in acpi_quirk_skip_dmi_ids[] and add a quirk to skip I2C clients on Acer Iconia One 8 A1-840 (Hans de Goede) - Make the ACPI processor_idle driver use acpi_idle_play_dead() for all idle states regardless of their types (Rafael Wysocki)" * tag 'acpi-6.13-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: ACPI: introduce acpi_arch_init() ACPI: x86: Clean up Asus entries in acpi_quirk_skip_dmi_ids[] ACPI: x86: Add skip i2c clients quirk for Acer Iconia One 8 A1-840 ACPI: processor_idle: Use acpi_idle_play_dead() for all C-states commit 79525e24af2f3046a5b4ed39a0ac6d0c00aa0892 Merge: 92b459d82a6ec4 07d66acad26bad Author: Linus Torvalds Date: Wed Nov 27 14:40:33 2024 -0800 Merge tag 'pm-6.13-rc1-3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull morepower management updates from Rafael Wysocki: "These update the OPP (Operating Performance Points) DT bindings for ti-cpu (Dhruva Gole) and remove unused declarations from the OPP header file (Zhang Zekun)" * tag 'pm-6.13-rc1-3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: dt-bindings: opp: operating-points-v2-ti-cpu: Describe opp-supported-hw OPP: Remove unused declarations in header file commit 92b459d82a6ec472d01f18edd532946aea80df6a Merge: 64e6fc27d60f8b 4dc333c6c28c49 Author: Linus Torvalds Date: Wed Nov 27 14:36:00 2024 -0800 Merge tag 'thermal-6.13-rc1-3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull more thermal control updates from Rafael Wysocki: "These fix a Power Allocator thermal governor issue reported recently, update the Intel int3400 thermal driver and simplify DT data parsing in the thermal control subsystem: - Add a NULL pointer check that was missed by recent modifications of the Power Allocator thermal governor (Rafael Wysocki) - Remove the data_vault attribute_group from int3400 because it is only used for exposing one binary file that can be exposed directly (Thomas Weißschuh) - Prevent the current_uuid sysfs attribute in int3400 from mistakenly treating valid UUID values as invalid on some older systems (Srinivas Pandruvada) - Use the cleanup.h mechanics to simplify DT data parsing in the thermal core and some drivers (Krzysztof Kozlowski)" * tag 'thermal-6.13-rc1-3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: thermal: sun8i: Use scoped device node handling to simplify error paths thermal: tegra: Simplify with scoped for each OF child loop thermal: qcom-spmi-adc-tm5: Simplify with scoped for each OF child loop thermal: of: Use scoped device node handling to simplify of_thermal_zone_find() thermal: of: Use scoped memory and OF handling to simplify thermal_of_trips_init() thermal: of: Simplify thermal_of_should_bind with scoped for each OF child thermal: gov_power_allocator: Add missing NULL pointer check thermal: int3400: Remove unneeded data_vault attribute_group thermal: int3400: Fix reading of current_uuid for active policy commit 64e6fc27d60f8b186bd4d071a6266f8c4d5aa2f7 Merge: 9ad55a67a788c0 d53764723ecd63 Author: Linus Torvalds Date: Wed Nov 27 14:24:34 2024 -0800 Merge tag 'for-linus-iommufd' of git://git.kernel.org/pub/scm/linux/kernel/git/jgg/iommufd Pull more iommufd updates from Jason Gunthorpe: "Change the driver callback op domain_alloc_user() into two ops: domain_alloc_paging_flags() and domain_alloc_nesting() that better describe what the ops are expected to do. There will be per-driver cleanup based on this going into the next cycle via the driver trees" * tag 'for-linus-iommufd' of git://git.kernel.org/pub/scm/linux/kernel/git/jgg/iommufd: iommu: Rename ops->domain_alloc_user() to domain_alloc_paging_flags() iommu: Add ops->domain_alloc_nested() commit 2cbd51f1f8739fd2fdf4bae1386bcf75ce0176ba Author: John Garry Date: Wed Nov 27 09:23:18 2024 +0000 block: Don't allow an atomic write be truncated in blkdev_write_iter() A write which goes past the end of the bdev in blkdev_write_iter() will be truncated. Truncating cannot tolerated for an atomic write, so error that condition. Fixes: caf336f81b3a ("block: Add fops atomic write support") Signed-off-by: John Garry Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/20241127092318.632790-1-john.g.garry@oracle.com Signed-off-by: Jens Axboe commit 43eef70e7e2ac74e7767731dd806720c7fb5e010 Author: Pavel Begunkov Date: Mon Nov 25 23:10:31 2024 +0000 io_uring: fix corner case forgetting to vunmap io_pages_unmap() is a bit tricky in trying to figure whether the pages were previously vmap'ed or not. In particular If there is juts one page it belives there is no need to vunmap. Paired io_pages_map(), however, could've failed io_mem_alloc_compound() and attempted to io_mem_alloc_single(), which does vmap, and that leads to unpaired vmap. The solution is to fail if io_mem_alloc_compound() can't allocate a single page. That's the easiest way to deal with it, and those two functions are getting removed soon, so no need to overcomplicate it. Cc: stable@vger.kernel.org Fixes: 3ab1db3c6039e ("io_uring: get rid of remap_pfn_range() for mapping rings/sqes") Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/477e75a3907a2fe83249e49c0a92cd480b2c60e0.1732569842.git.asml.silence@gmail.com Signed-off-by: Jens Axboe commit 9ad55a67a788c0806b0fe23be36fae6dbfbc3fc5 Merge: 0ce9a5ffca7cb7 dd690b31de0ed4 Author: Linus Torvalds Date: Wed Nov 27 13:38:09 2024 -0800 Merge tag 'soundwire-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/soundwire Pull soundwire updates from Vinod Koul: - structure optimization of few bus structures and header updates - support for 2.0 disco spec - amd driver updates for acp revision, refactoring code and support for acp6.3 - soft reset support for cadence driver * tag 'soundwire-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/soundwire: (24 commits) soundwire: Minor formatting fixups in sdw.h header soundwire: Update the includes on the sdw.h header soundwire: cadence: clear MCP BLOCK_WAKEUP in init soundwire: cadence: add soft-reset on startup soundwire: intel_auxdevice: add kernel parameter for mclk divider soundwire: mipi-disco: add support for DP0/DPn 'lane-list' property soundwire: mipi-disco: add new properties from 2.0 spec soundwire: mipi-disco: add comment on DP0-supported property soundwire: mipi-disco: add support for peripheral channelprepare timeout soundwire: mipi_disco: add support for clock-scales property soundwire: mipi-disco: add error handling for property array read soundwire: mipi-disco: remove DPn audio-modes soundwire: optimize sdw_dpn_prop soundwire: optimize sdw_dp0_prop soundwire: optimize sdw_slave_prop soundwire: optimize sdw_bus structure soundwire: optimize sdw_master_prop soundwire: optimize sdw_stream_runtime memory layout soundwire: mipi_disco: add MIPI-specific property_read_bool() helpers soundwire: Correct some typos in comments ... commit 0ce9a5ffca7cb74efe6e981e42f82d0838fd31cd Merge: 7536c1a50ea592 32f4a76b8e7ced Author: Linus Torvalds Date: Wed Nov 27 13:33:43 2024 -0800 Merge tag 'phy-for-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/phy/linux-phy Pull phy updates from Vinod Koul: "New hardware support: - ST STM32MP25 combophy support - Sparx5 support for lan969x serdes and updates to driver to support this - NXP PTN3222 eUSB2 to USB2 redriver - Qualcomm SAR2130P eusb2 support, QCS8300 USB DW3 and QMP USB2 support, X1E80100 QMP PCIe PHY Gen4 support, QCS615 and QCS8300 QMP UFS PHY support and SA8775P eDP PHY support - Rockchip rk3576 usbdp and rk3576 usb2 phy support - Binding for Microchip ATA6561 can phy Updates: - Freescale driver updates from hdmi support - Conversion of rockchip rk3228 hdmi phy binding to yaml - Broadcom usb2-phy deprecated support dropped and USB init array update for BCM4908 - TI USXGMII mode support in J7200 - Switch back to platform_driver::remove() subsystem update" * tag 'phy-for-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/phy/linux-phy: (59 commits) phy: qcom: qmp: Fix lecacy-legacy typo phy: lan969x-serdes: add support for lan969x serdes driver dt-bindings: phy: sparx5: document lan969x phy: sparx5-serdes: add support for branching on chip type phy: sparx5-serdes: add indirection layer to register macros phy: sparx5-serdes: add function for getting the CMU index phy: sparx5-serdes: add ops to match data phy: sparx5-serdes: add constant for the number of CMU's phy: sparx5-serdes: add constants to match data phy: sparx5-serdes: add support for private match data phy: bcm-ns-usb2: drop support for old binding variant dt-bindings: phy: bcm-ns-usb2-phy: drop deprecated variant dt-bindings: phy: Add QMP UFS PHY compatible for QCS8300 dt-bindings: phy: qcom: snps-eusb2: Add SAR2130P compatible dt-bindings: phy: ti,tcan104x-can: Document Microchip ATA6561 phy: airoha: Fix REG_CSR_2L_RX{0,1}_REV0 definitions phy: airoha: Fix REG_CSR_2L_JCPLL_SDM_HREN config in airoha_pcie_phy_init_ssc_jcpll() phy: airoha: Fix REG_PCIE_PMA_TX_RESET config in airoha_pcie_phy_init_csr_2l() phy: airoha: Fix REG_CSR_2L_PLL_CMN_RESERVE0 config in airoha_pcie_phy_init_clk_out() phy: phy-rockchip-samsung-hdptx: Don't request RST_PHY/RST_ROPLL/RST_LCPLL ... commit 7536c1a50ea592967b0db8292b44d4b86bca35bc Merge: 6b867c475ec98c 8974f34de2ef17 Author: Linus Torvalds Date: Wed Nov 27 13:25:47 2024 -0800 Merge tag 'dmaengine-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/dmaengine Pull dmaengine updates from Vinod Koul: "New hardware support: - Qualcomm SAR2130P GPI dma support - Sifive PIC64GX pdma support - Rcar r7s72100 support and associated updates Updates: - STM32 DMA3 updates for packing/unpacking mode and prevention of additional xfers - Simplification of devm_acpi_dma_controller_register() and associate cleanup including headers - loongson prefix renames - Switch back to platform_driver::remove() subsystem update" * tag 'dmaengine-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/dmaengine: dmaengine: loongson2-apb: Rename the prefix ls2x to loongson2 dt-bindings: dma: sifive pdma: Add PIC64GX to compatibles dmaengine: fix typo in the comment dmaengine: stm32-dma3: clamp AXI burst using match data dmaengine: stm32-dma3: prevent LL refactoring thanks to DT configuration dt-bindings: dma: stm32-dma3: prevent additional transfers dmaengine: stm32-dma3: refactor HW linked-list to optimize memory accesses dmaengine: stm32-dma3: prevent pack/unpack thanks to DT configuration dt-bindings: dma: stm32-dma3: prevent packing/unpacking mode dmaengine: idxd: Move DSA/IAA device IDs to IDXD driver dt-bindings: dma: qcom,gpi: Add SAR2130P compatible dmaengine: Switch back to struct platform_driver::remove() dmaengine: ep93xx: Fix unsigned compared against 0 dmaengine: acpi: Clean up headers dmaengine: acpi: Simplify devm_acpi_dma_controller_register() dmaengine: acpi: Drop unused devm_acpi_dma_controller_free() dmaengine: sh: rz-dmac: add r7s72100 support dt-bindings: dma: rz-dmac: Document RZ/A1H SoC commit 6b867c475ec98c9436c4b7cc6f2cdd12e8ff43ca Merge: 2a50b1e766a09f f57c0849286619 Author: Linus Torvalds Date: Wed Nov 27 13:23:13 2024 -0800 Merge tag 'gpio-fixes-for-v6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux Pull gpio fixes from Bartosz Golaszewski: "Apart from the gpio-exar fix which addresses an older issue, they all fix regressions from this release cycle: - fix missing GPIO chip labels in gpio-zevio and gpio-altera - for the latter: also set GPIO base to -1 to use dynamic range allocation - fix value setting with external pull-up/down resistor in gpio-exar - use the recommended IDA interfaces in gpio-mpsse" * tag 'gpio-fixes-for-v6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux: gpio: mpsse: Remove usage of the deprecated ida_simple_xx() API gpio: exar: set value when external pull-up or pull-down is present gpio: altera: Add missed base and label initialisations gpio: zevio: Add missed label initialisation commit 2a50b1e766a09f1a2da5f291956b8dceb58b5d54 Merge: 4aca98a8a150f3 6a39bb15b3d1c3 Author: Linus Torvalds Date: Wed Nov 27 13:11:58 2024 -0800 Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost Pull virtio updates from Michael Tsirkin: "A small number of improvements all over the place" * tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost: virtio_vdpa: remove redundant check on desc virtio_fs: store actual queue index in mq_map virtio_fs: add informative log for new tag discovery virtio: Make vring_new_virtqueue support packed vring virtio_pmem: Add freeze/restore callbacks vdpa/mlx5: Fix suboptimal range on iotlb iteration commit 4aca98a8a150f3531fea782c3040ada0ad1ce3b6 Merge: 91dbbe6c9ffe5e fe4bf8d0b6716a Author: Linus Torvalds Date: Wed Nov 27 12:57:03 2024 -0800 Merge tag 'vfio-v6.13-rc1' of https://github.com/awilliam/linux-vfio Pull VFIO updates from Alex Williamson: - Constify an unmodified structure used in linking vfio and kvm (Christophe JAILLET) - Add ID for an additional hardware SKU supported by the nvgrace-gpu vfio-pci variant driver (Ankit Agrawal) - Fix incorrect signed cast in QAT vfio-pci variant driver, negating test in check_add_overflow(), though still caught by later tests (Giovanni Cabiddu) - Additional debugfs attributes exposed in hisi_acc vfio-pci variant driver for migration debugging (Longfang Liu) - Migration support is added to the virtio vfio-pci variant driver, becoming the primary feature of the driver while retaining emulation of virtio legacy support as a secondary option (Yishai Hadas) - Fixes to a few unwind flows in the mlx5 vfio-pci driver discovered through reviews of the virtio variant driver (Yishai Hadas) - Fix an unlikely issue where a PCI device exposed to userspace with an unknown capability at the base of the extended capability chain can overflow an array index (Avihai Horon) * tag 'vfio-v6.13-rc1' of https://github.com/awilliam/linux-vfio: vfio/pci: Properly hide first-in-list PCIe extended capability vfio/mlx5: Fix unwind flows in mlx5vf_pci_save/resume_device_data() vfio/mlx5: Fix an unwind issue in mlx5vf_add_migration_pages() vfio/virtio: Enable live migration once VIRTIO_PCI was configured vfio/virtio: Add PRE_COPY support for live migration vfio/virtio: Add support for the basic live migration functionality virtio-pci: Introduce APIs to execute device parts admin commands virtio: Manage device and driver capabilities via the admin commands virtio: Extend the admin command to include the result size virtio_pci: Introduce device parts access commands Documentation: add debugfs description for hisi migration hisi_acc_vfio_pci: register debugfs for hisilicon migration driver hisi_acc_vfio_pci: create subfunction for data reading hisi_acc_vfio_pci: extract public functions for container_of vfio/qat: fix overflow check in qat_vf_resume_write() vfio/nvgrace-gpu: Add a new GH200 SKU to the devid table kvm/vfio: Constify struct kvm_device_ops commit 91dbbe6c9ffe5eded9a3e75d773ff92da8d2bc57 Merge: c94696977527f6 8d4f1e05ff821a Author: Linus Torvalds Date: Wed Nov 27 11:19:09 2024 -0800 Merge tag 'riscv-for-linus-6.13-mw1' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux Pull RISC-v updates from Palmer Dabbelt: - Support for pointer masking in userspace - Support for probing vector misaligned access performance - Support for qspinlock on systems with Zacas and Zabha * tag 'riscv-for-linus-6.13-mw1' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux: (38 commits) RISC-V: Remove unnecessary include from compat.h riscv: Fix default misaligned access trap riscv: Add qspinlock support dt-bindings: riscv: Add Ziccrse ISA extension description riscv: Add ISA extension parsing for Ziccrse asm-generic: ticket-lock: Add separate ticket-lock.h asm-generic: ticket-lock: Reuse arch_spinlock_t of qspinlock riscv: Implement xchg8/16() using Zabha riscv: Implement arch_cmpxchg128() using Zacas riscv: Improve zacas fully-ordered cmpxchg() riscv: Implement cmpxchg8/16() using Zabha dt-bindings: riscv: Add Zabha ISA extension description riscv: Implement cmpxchg32/64() using Zacas riscv: Do not fail to build on byte/halfword operations with Zawrs riscv: Move cpufeature.h macros into their own header KVM: riscv: selftests: Add Smnpm and Ssnpm to get-reg-list test RISC-V: KVM: Allow Smnpm and Ssnpm extensions for guests riscv: hwprobe: Export the Supm ISA extension riscv: selftests: Add a pointer masking test riscv: Allow ptrace control of the tagged address ABI ... commit c94696977527f69cbb41aa6a9af9d1991895d002 Merge: ab952fc5c736c5 3c272a7551af1c Author: Linus Torvalds Date: Wed Nov 27 11:15:27 2024 -0800 Merge tag 'loongarch-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson Pull LoongArch updates from Huacai Chen: - Fix build failure with GCC 15 due to default -std=gnu23 - Add PREEMPT_RT/PREEMPT_LAZY support - Add I2S in DTS for Loongson-2K1000/Loongson-2K2000 - Some bug fixes and other small changes * tag 'loongarch-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson: LoongArch: Update Loongson-3 default config file LoongArch: dts: Add I2S support to Loongson-2K2000 LoongArch: dts: Add I2S support to Loongson-2K1000 LoongArch: Allow to enable PREEMPT_LAZY LoongArch: Allow to enable PREEMPT_RT LoongArch: Select HAVE_POSIX_CPU_TIMERS_TASK_WORK LoongArch: Fix sleeping in atomic context for PREEMPT_RT LoongArch: Reduce min_delta for the arch clockevent device LoongArch: BPF: Sign-extend return values LoongArch: Fix build failure with GCC 15 (-std=gnu23) LoongArch: Explicitly specify code model in Makefile commit ab952fc5c736c54e3ffd577c3ffd54a2a1eb7803 Merge: b5361254c9027c 98b7beba1ee6fb Author: Linus Torvalds Date: Wed Nov 27 11:13:25 2024 -0800 Merge tag 'memblock-v6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rppt/memblock Pull memblock updates from Mike Rapoport: - replace hardcoded strings with str_on_off() in report_meminit() - initialize reserved pages to MIGRATE_MOVABLE when deferred struct page initialization is enabled so that if the reserved pages are freed they are put on movable free lists like it is done now when deferred struct page initialization is disabled * tag 'memblock-v6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rppt/memblock: memblock: uniformly initialize all reserved pages to MIGRATE_MOVABLE mm: Use str_on_off() helper function in report_meminit() commit b5361254c9027c2b3730be1bebcdb37eed42e9a5 Merge: 7d4050728c83aa 2466b31201424c Author: Linus Torvalds Date: Wed Nov 27 10:20:50 2024 -0800 Merge tag 'modules-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/modules/linux Pull modules updates from Luis Chamberlain: - The whole caching of module code into huge pages by Mike Rapoport is going in through Andrew Morton's tree due to some other code dependencies. That's really the biggest highlight for Linux kernel modules in this release. With it we share huge pages for modules, starting off with x86. Expect to see that soon through Andrew! - Helge Deller addressed some lingering low hanging fruit alignment enhancements by. It is worth pointing out that from his old patch series I dropped his vmlinux.lds.h change at Masahiro's request as he would prefer this to be specified in asm code [0]. [0] https://lore.kernel.org/all/20240129192644.3359978-5-mcgrof@kernel.org/T/#m9efef5e700fbecd28b7afb462c15eed8ba78ef5a - Matthew Maurer and Sami Tolvanen have been tag teaming to help get us closer to a modversions for Rust. In this cycle we take in quite a lot of the refactoring for ELF validation. I expect modversions for Rust will be merged by v6.14 as that code is mostly ready now. - Adds a new modules selftests: kallsyms which helps us tests find_symbol() and the limits of kallsyms on Linux today. - We have a realtime mailing list to kernel-ci testing for modules now which relies and combines patchwork, kpd and kdevops: https://patchwork.kernel.org/project/linux-modules/list/ https://github.com/linux-kdevops/kdevops/blob/main/docs/kernel-ci/README.md https://github.com/linux-kdevops/kdevops/blob/main/docs/kernel-ci/kernel-ci-kpd.md https://github.com/linux-kdevops/kdevops/blob/main/docs/kernel-ci/linux-modules-kdevops-ci.md If you want to help avoid Linux kernel modules regressions, now its simple, just add a new Linux modules sefltests under tools/testing/selftests/module/ That is it. All new selftests will be used and leveraged automatically by the CI. * tag 'modules-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/modules/linux: tests/module/gen_test_kallsyms.sh: use 0 value for variables scripts: Remove export_report.pl selftests: kallsyms: add MODULE_DESCRIPTION selftests: add new kallsyms selftests module: Reformat struct for code style module: Additional validation in elf_validity_cache_strtab module: Factor out elf_validity_cache_strtab module: Group section index calculations together module: Factor out elf_validity_cache_index_str module: Factor out elf_validity_cache_index_sym module: Factor out elf_validity_cache_index_mod module: Factor out elf_validity_cache_index_info module: Factor out elf_validity_cache_secstrings module: Factor out elf_validity_cache_sechdrs module: Factor out elf_validity_ehdr module: Take const arg in validate_section_offset modules: Add missing entry for __ex_table modules: Ensure 64-bit alignment on __ksymtab_* sections commit 4dc333c6c28c49943a571f09c3868e5058552016 Merge: c79886c540b57a 13f3cbfbb8c9f3 Author: Rafael J. Wysocki Date: Wed Nov 27 18:59:16 2024 +0100 Merge branch 'thermal-intel' Merge updates of Intel int3400 thermal driver for 6.13-rc1: - Remove the data_vault attribute_group from int3400 because it is only used for exposing one binary file that can be exposed directly (Thomas Weißschuh). - Prevent the current_uuid sysfs attribute in int3400 from mistakenly treating valid UUID values as invalid on some older systems (Srinivas Pandruvada). * thermal-intel: thermal: int3400: Remove unneeded data_vault attribute_group thermal: int3400: Fix reading of current_uuid for active policy commit 6f683c7feea45cbcd8748aafe73b0c79a6909e26 Merge: bf1d33dfb1055d 9d8a2b033db179 bd8aa15848f5f2 Author: Rafael J. Wysocki Date: Wed Nov 27 18:49:48 2024 +0100 Merge branches 'acpi-misc' and 'acpi-x86' Merge miscellaneous ACPI changes and x86-specific ACPI updates for 6.13-rc1: - Introduce acpi_arch_init() for architecture-specific ACPI subsystem initialization (Miao Wang). - Clean up Asus quirks in acpi_quirk_skip_dmi_ids[] and add a quirk to skip I2C clients on Acer Iconia One 8 A1-840 (Hans de Goede). * acpi-misc: ACPI: introduce acpi_arch_init() * acpi-x86: ACPI: x86: Clean up Asus entries in acpi_quirk_skip_dmi_ids[] ACPI: x86: Add skip i2c clients quirk for Acer Iconia One 8 A1-840 commit 07d66acad26bad33defbf26516d0a84261ae6adc Merge: f3e66e78f2ecb1 1a93226619dc57 Author: Rafael J. Wysocki Date: Wed Nov 27 18:41:48 2024 +0100 Merge branch 'pm-opp' Merge OPP (Operating Performance Points) changes for 6.13-rc1: - Describe opp-supported-hw property for ti-cpu (Dhruva Gole). - Remove unused declarations from the OPP header file (Zhang Zekun). * pm-opp: dt-bindings: opp: operating-points-v2-ti-cpu: Describe opp-supported-hw OPP: Remove unused declarations in header file commit 4d911c7abee56771b0219a9fbf0120d06bdc9c14 Merge: c1668520c9aa40 c74bfe4ffe8c1c Author: Paolo Bonzini Date: Wed Nov 27 12:00:28 2024 -0500 Merge tag 'kvm-riscv-6.13-2' of https://github.com/kvm-riscv/linux into HEAD KVM/riscv changes for 6.13 part #2 - Svade and Svadu extension support for Host and Guest/VM commit c1668520c9aa4019738f27097b187a5460646cbc Merge: 1508bae37044eb 8d4f1e05ff821a Author: Paolo Bonzini Date: Wed Nov 27 11:49:44 2024 -0500 Merge tag 'riscv-for-linus-6.13-mw1' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux into HEAD RISC-V Paches for the 6.13 Merge Window, Part 1 * Support for pointer masking in userspace, * Support for probing vector misaligned access performance. * Support for qspinlock on systems with Zacas and Zabha. commit 7d4050728c83aa63828494ad0f4d0eb4faf5f97a Merge: b5287c55dedae8 cf87766dd6f9dd Author: Linus Torvalds Date: Wed Nov 27 08:11:46 2024 -0800 Merge tag 'vfs-6.13-rc1.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull vfs fixes from Christian Brauner: - Fix a few iomap bugs - Fix a wrong argument in backing file callback - Fix security mount option retrieval in statmount() - Cleanup how statmount() handles unescaped options - Add a missing inode_owner_or_capable() check for setting write hints - Clear the return value in read_kcore_iter() after a successful iov_iter_zero() - Fix a mount_setattr() selftest - Fix function signature in mount api documentation - Remove duplicate include header in the fscache code * tag 'vfs-6.13-rc1.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: fs/backing_file: fix wrong argument in callback fs_parser: update mount_api doc to match function signature fs: require inode_owner_or_capable for F_SET_RW_HINT fs/proc/kcore.c: Clear ret value in read_kcore_iter after successful iov_iter_zero statmount: fix security option retrieval statmount: clean up unescaped option handling fscache: Remove duplicate included header iomap: elide flush from partial eof zero range iomap: lift zeroed mapping handling into iomap_zero_range() iomap: reset per-iter state on non-error iter advances iomap: warn on zero range of a post-eof folio selftests/mount_setattr: Fix failures on 64K PAGE_SIZE kernels commit b5287c55dedae89f273f505197244d9ece1d42d9 Merge: aaf20f870da056 3b832035387ff5 Author: Linus Torvalds Date: Wed Nov 27 08:03:38 2024 -0800 Merge tag 'vfs-6.13.exec.deny_write_access.revert' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull deny_write_access revert from Christian Brauner: "It turns out that the mold linker relies on the deny_write_access() mechanism for executables. The mold linker tries to open a file for writing and if ETXTBSY is returned mold falls back to creating a new file" * tag 'vfs-6.13.exec.deny_write_access.revert' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: Revert "fs: don't block i_writecount during exec" commit 61a6ba233fe1198e9eacc9ca1d1cbdb27f70cee5 Author: Rob Herring (Arm) Date: Wed Nov 13 16:56:13 2024 -0600 dt-bindings: Unify "fsl,liodn" type definitions The type definition of "fsl,liodn" is defined as uint32 in crypto/fsl,sec-v4.0.yaml and uint32-array in soc/fsl/fsl,bman.yaml, soc/fsl/fsl,qman-portal.yaml, and soc/fsl/fsl,qman.yaml. Unify the type to be uint32-array and constraint the single entry cases. Reviewed-by: Conor Dooley Link: https://lore.kernel.org/r/20241113225614.1782862-1-robh@kernel.org Signed-off-by: Rob Herring (Arm) commit 7f05e20b989ac33c9c0f8c2028ec0a566493548f Author: Andrea della Porta Date: Sun Nov 24 11:05:37 2024 +0100 of: address: Preserve the flags portion on 1:1 dma-ranges mapping A missing or empty dma-ranges in a DT node implies a 1:1 mapping for dma translations. In this specific case, the current behaviour is to zero out the entire specifier so that the translation could be carried on as an offset from zero. This includes address specifier that has flags (e.g. PCI ranges). Once the flags portion has been zeroed, the translation chain is broken since the mapping functions will check the upcoming address specifier against mismatching flags, always failing the 1:1 mapping and its entire purpose of always succeeding. Set to zero only the address portion while passing the flags through. Fixes: dbbdee94734b ("of/address: Merge all of the bus translation code") Cc: stable@vger.kernel.org Signed-off-by: Andrea della Porta Tested-by: Herve Codina Link: https://lore.kernel.org/r/e51ae57874e58a9b349c35e2e877425ebc075d7a.1732441813.git.andrea.porta@suse.com Signed-off-by: Rob Herring (Arm) commit 1a75e81baf4f1b322f3498ffd373eaada8e60589 Author: Andrea della Porta Date: Sun Nov 24 11:05:36 2024 +0100 of/unittest: Add empty dma-ranges address translation tests Intermediate DT PCI nodes dynamically generated by enabling CONFIG_PCI_DYNAMIC_OF_NODES have empty dma-ranges property. PCI address specifiers have 3 cells and when dma-ranges is missing or empty, of_translate_one() is currently dropping the flag portion of PCI addresses which are subnodes of the aforementioned ones, failing the translation. Add new tests covering this case. With this test, we get 1 new failure which is fixed in subsequent commit: FAIL of_unittest_pci_empty_dma_ranges():1245 for_each_of_pci_range wrong CPU addr (ffffffffffffffff) on node /testcase-data/address-tests2/pcie@d1070000/pci@0,0/dev@0,0/local-bus@0 Signed-off-by: Andrea della Porta Link: https://lore.kernel.org/r/08f8fee4fdc0379240fda2f4a0e6f11ebf9647a8.1732441813.git.andrea.porta@suse.com Signed-off-by: Rob Herring (Arm) commit b682aa788e5f9f1ddacdfbb453e49fd3f4e83721 Author: Ilya Zverev Date: Wed Nov 27 15:44:20 2024 +0200 ASoC: amd: yc: Add a quirk for microfone on Lenovo ThinkPad P14s Gen 5 21MES00B00 New ThinkPads need new quirk entries. Ilya has tested this one. Laptop product id is 21MES00B00, though the shorthand 21ME works. Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219533 Cc: stable@vger.kernel.org Signed-off-by: Ilya Zverev Link: https://patch.msgid.link/20241127134420.14471-1-ilya@zverev.info Signed-off-by: Mark Brown commit 487ef5d4d912f6a32556d8a61cede17870925295 Author: Gerald Schaefer Date: Thu Nov 21 18:45:23 2024 +0100 s390/mm: Add PTE_MARKER support for hugetlbfs mappings Commit 8a13897fb0daa ("mm: userfaultfd: support UFFDIO_POISON for hugetlbfs") added support for PTE_MARKER_POISONED for hugetlbfs, but PTE_MARKER also needs support for swap entries. For s390, swap entries were only supported on PTE level, not on the PMD/PUD levels that are used for large hugetlbfs mappings. Therefore, when writing a PTE_MARKER_POISONED entry, the resulting entry on PMD/PUD level would be an invalid / empty entry. Further access would then generate a pagefault loop, instead of the expected SIGBUS. It is a loop inside the kernel, but interruptible and uffd fault handling also calls schedule() in between, so at least it won't completely block the system. Previous commits prepared support for swap entries on PMD/PUD levels. PTE_MARKER support for hugetlbfs can now be enabled by simply adding an extra is_pte_marker() check to huge_pte_none_mostly(). Fault handling code also needs to be adjusted to expect the VM_FAULT_HWPOISON_LARGE fault flag, which was not possible on s390 before. Reviewed-by: Alexander Gordeev Signed-off-by: Gerald Schaefer Signed-off-by: Heiko Carstens commit f934f6be76c1d033692f7fbfcbb06ec44a25bf3f Author: Gerald Schaefer Date: Thu Nov 21 18:45:22 2024 +0100 s390/mm: Introduce region-third and segment table swap entries Introduce region-third (PUD) and segment table (PMD) swap entries, and make hugetlbfs RSTE <-> PTE conversion code aware of them, so that they can be used for hugetlbfs PTE_MARKER entries. Future work could also build on this to enable THP_SWAP and THP_MIGRATION for s390. Similar to PTE swap entries, bits 0-51 can be used to store the swap offset, but bits 57-61 cannot be used for swap type because that overlaps with the INVALID and TABLE TYPE bits. PMD/PUD swap entries must be invalid, and have a correct table type so that pud_folded() check still works. Bits 53-57 can be used for swap type, but those include the PROTECT bit. So unlike swap PTEs, the PROTECT bit cannot be used to mark the swap entry. Use the "Common-Segment/Region" bit 59 instead for that. Also remove the !MACHINE_HAS_NX check in __set_huge_pte_at(). Otherwise, that would clear the _SEGMENT_ENTRY_NOEXEC bit also for swap entries, where it is used for encoding the swap type. The architecture only requires this bit to be 0 for PTEs, with !MACHINE_HAS_NX, not for segment or region-third entries. And the check is also redundant, because after __pte_to_rste() conversion, for non-swap PTEs it would only be set if it was already set in the PTE, which should never be the case for !MACHINE_HAS_NX. This is a prerequisite for hugetlbfs PTE_MARKER support on s390, which is needed to fix a regression introduced with commit 8a13897fb0da ("mm: userfaultfd: support UFFDIO_POISON for hugetlbfs"). That commit depends on the availability of swap entries for hugetlbfs, which were not available for s390 so far. Reviewed-by: Alexander Gordeev Signed-off-by: Gerald Schaefer Signed-off-by: Heiko Carstens commit 03e6db16b808afbe23e10617f2d18578846bdce0 Author: Gerald Schaefer Date: Thu Nov 21 18:45:21 2024 +0100 s390/mm: Introduce region-third and segment table entry present bits Introduce region-third and segment table entry present SW bits, and adjust pmd/pud_present() accordingly. Also add pmd/pud_present() checks to pmd/pud_leaf(), to return false for future swap entries. Same logic applies to pmd_trans_huge(), make that return pmd_leaf() instead of duplicating the same check. huge_pte_offset() also needs to be adjusted, current code would return NULL for !pud_present(). Use the same logic as in the generic version, which allows for !pud_present() swap entries. Similar to PTE, bit 63 can be used for the new SW present bit in region and segment table entries. For segment-table entries (PMD) the architecture says that "Bits 62-63 are available for programming", so they are safe to use. The same is true for large leaf region-third-table entries (PUD). However, for non-leaf region-third-table entries, bits 62-63 indicate the TABLE LENGTH and both must be set to 1. But such entries would always be considered as present, so it is safe to use bit 63 as PRESENT bit for PUD. They also should not conflict with bit 62 potentially later used for preserving SOFT_DIRTY in swap entries, because they are not swap entries. Valid PMDs / PUDs should always have the present bit set, so add it to the various pgprot defines, and also _SEGMENT_ENTRY which is OR'ed e.g. in pmd_populate(). _REGION3_ENTRY wouldn't need any change, as the present bit is already included in the TABLE LENGTH, but also explicitly add it there, for completeness, and just in case the bit would ever be changed. gmap code needs some adjustment, to also OR the _SEGMENT_ENTRY, like it is already done gmap_shadow_pgt() when creating new PMDs, but not in __gmap_link(). Otherwise, the gmap PMDs would not be considered present, e.g. when using pmd_leaf() checks in gmap code. The various WARN_ON checks in gmap code also need adjustment, to tolerate the new present bit. This is a prerequisite for hugetlbfs PTE_MARKER support on s390, which is needed to fix a regression introduced with commit 8a13897fb0da ("mm: userfaultfd: support UFFDIO_POISON for hugetlbfs"). That commit depends on the availability of swap entries for hugetlbfs, which were not available for s390 so far. Reviewed-by: Alexander Gordeev Signed-off-by: Gerald Schaefer Signed-off-by: Heiko Carstens commit ae1b9fb2d556e95001399dcd4e228525aead5122 Author: Gerald Schaefer Date: Thu Nov 21 18:45:20 2024 +0100 s390/mm: Rearrange region-third and segment table entry SW bits Rearrange region-third and segment table entry SW bits, in order to make room for future encoding of region/segment table swap entries. Also adjust _SEGMENT_ENTRY_GMAP_UC and _SEGMENT_ENTRY_GMAP_IN bits in gmap code. Those should only apply for gmap PMDs, and not really depend on or conflict with host PMD bits, but for consistency also adjust them: - _SEGMENT_ENTRY_GMAP_UC "dirty (migration)" was using the same bit as _SEGMENT_ENTRY_SOFT_DIRTY in the host PMD -> make it use the new SOFT_DIRTY bit 63 (0x0002) - _SEGMENT_ENTRY_GMAP_IN "invalidation notify bit" was using 0x8000, which was an unused bit in the host PMD, that is now used for _SEGMENT_ENTRY_WRITE -> make it use bit 52 (0x0800) instead, which is still unused in the host PMD This is a prerequisite for hugetlbfs PTE_MARKER support on s390, which is needed to fix a regression introduced with commit 8a13897fb0da ("mm: userfaultfd: support UFFDIO_POISON for hugetlbfs"). That commit depends on the availability of swap entries for hugetlbfs, which were not available for s390 so far. Reviewed-by: Alexander Gordeev Signed-off-by: Gerald Schaefer Signed-off-by: Heiko Carstens commit f93d6d62e4697b0df1474f0b1314c3c158335f0a Author: Heiko Carstens Date: Tue Nov 26 11:25:15 2024 +0100 KVM: s390: Increase size of union sca_utility to four bytes kvm_s390_update_topology_change_report() modifies a single bit within sca_utility using cmpxchg(). Given that the size of the sca_utility union is two bytes this generates very inefficient code. Change the size to four bytes, so better code can be generated. Even though the size of sca_utility doesn't reflect architecture anymore this seems to be the easiest and most pragmatic approach to avoid inefficient code. Acked-by: Claudio Imbrenda Acked-by: Janosch Frank Link: https://lore.kernel.org/r/20241126102515.3178914-4-hca@linux.ibm.com Signed-off-by: Heiko Carstens commit 7061c63919bde3bb0daa63e700a117ab1f2c97b1 Author: Heiko Carstens Date: Tue Nov 26 11:25:14 2024 +0100 KVM: s390: Remove one byte cmpxchg() usage Within sca_clear_ext_call() cmpxchg() is used to clear one or two bytes (depending on sca format). The cmpxchg() calls are not supposed to fail; if so that would be a bug. Given that cmpxchg() usage on one and two byte areas generates very inefficient code, replace them with block concurrent WRITE_ONCE() calls, and remove the WARN_ON(). Acked-by: Claudio Imbrenda Acked-by: Janosch Frank Link: https://lore.kernel.org/r/20241126102515.3178914-3-hca@linux.ibm.com Signed-off-by: Heiko Carstens commit 5618c53d96d1bf2df07df8b9204773db28acbc1b Author: Heiko Carstens Date: Tue Nov 26 11:25:13 2024 +0100 KVM: s390: Use try_cmpxchg() instead of cmpxchg() loops Convert all cmpxchg() loops to try_cmpxchg() loops. With gcc 14 and the usage of flag output operands in try_cmpxchg() this allows the compiler to generate slightly better code. Acked-by: Claudio Imbrenda Acked-by: Janosch Frank Link: https://lore.kernel.org/r/20241126102515.3178914-2-hca@linux.ibm.com Signed-off-by: Heiko Carstens commit 7726b55b5d6c22dc0e66570597bf6e43d410d093 Author: Heiko Carstens Date: Mon Nov 25 12:54:30 2024 +0100 s390/ap: Replace xchg() with WRITE_ONCE() The result of xchg() is not used, and in addition it is used on a one byte memory area which leads to inefficient code. Use WRITE_ONCE() instead to achieve the same result with much less generated code. Acked-by: Harald Freudenberger Acked-by: Alexander Gordeev Signed-off-by: Heiko Carstens commit 3b832035387ff508fdcf0fba66701afc78f79e3d Author: Christian Brauner Date: Wed Nov 27 12:45:02 2024 +0100 Revert "fs: don't block i_writecount during exec" This reverts commit 2a010c41285345da60cece35575b4e0af7e7bf44. Rui Ueyama writes: > I'm the creator and the maintainer of the mold linker > (https://github.com/rui314/mold). Recently, we discovered that mold > started causing process crashes in certain situations due to a change > in the Linux kernel. Here are the details: > > - In general, overwriting an existing file is much faster than > creating an empty file and writing to it on Linux, so mold attempts to > reuse an existing executable file if it exists. > > - If a program is running, opening the executable file for writing > previously failed with ETXTBSY. If that happens, mold falls back to > creating a new file. > > - However, the Linux kernel recently changed the behavior so that > writing to an executable file is now always permitted > (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2a010c412853). > > That caused mold to write to an executable file even if there's a > process running that file. Since changes to mmap'ed files are > immediately visible to other processes, any processes running that > file would almost certainly crash in a very mysterious way. > Identifying the cause of these random crashes took us a few days. > > Rejecting writes to an executable file that is currently running is a > well-known behavior, and Linux had operated that way for a very long > time. So, I don’t believe relying on this behavior was our mistake; > rather, I see this as a regression in the Linux kernel. Quoting myself from commit 2a010c412853 ("fs: don't block i_writecount during exec") > Yes, someone in userspace could potentially be relying on this. It's not > completely out of the realm of possibility but let's find out if that's > actually the case and not guess. It seems we found out that someone is relying on this obscure behavior. So revert the change. Link: https://github.com/rui314/mold/issues/1361 Link: https://lore.kernel.org/r/4a2bc207-76be-4715-8e12-7fc45a76a125@leemhuis.info Cc: Signed-off-by: Christian Brauner commit e9db1b551774037ebe39dde4a658d89ba95e260b Author: Bard Liao Date: Wed Nov 27 17:29:54 2024 +0800 ASoC: SOF: ipc3-topology: Convert the topology pin index to ALH dai index Intel SoundWire machine driver always uses Pin number 2 and above. Currently, the pin number is used as the FW DAI index directly. As a result, FW DAI 0 and 1 are never used. That worked fine because we use up to 2 DAIs in a SDW link. Convert the topology pin index to ALH dai index, the mapping is using 2-off indexing, iow, pin #2 is ALH dai #0. The issue exists since beginning. And the Fixes tag is the first commit that this commit can be applied. Fixes: b66bfc3a9810 ("ASoC: SOF: sof-audio: Fix broken early bclk feature for SSP") Signed-off-by: Bard Liao Reviewed-by: Péter Ujfalusi Reviewed-by: Liam Girdwood Reviewed-by: Kai Vehmanen Reviewed-by: Ranjani Sridharan Link: https://patch.msgid.link/20241127092955.20026-1-yung-chuan.liao@linux.intel.com Signed-off-by: Mark Brown commit 2f2020327cc8561d7c520d2f2d9acea84fa7b3a3 Author: Nícolas F. R. A. Prado Date: Tue Nov 26 15:09:43 2024 -0500 ASoC: mediatek: Check num_codecs is not zero to avoid panic during probe Following commit 13f58267cda3 ("ASoC: soc.h: don't create dummy Component via COMP_DUMMY()"), COMP_DUMMY() became an array with zero length, and only gets populated with the dummy struct after the card is registered. Since the sound card driver's probe happens before the card registration, accessing any of the members of a dummy component during probe will result in undefined behavior. This can be observed in the mt8188 and mt8195 machine sound drivers. By omitting a dai link subnode in the sound card's node in the Devicetree, the default uninitialized dummy codec is used, and when its dai_name pointer gets passed to strcmp() it results in a null pointer dereference and a kernel panic. In addition to that, set_card_codec_info() in the generic helpers file, mtk-soundcard-driver.c, will populate a dai link with a dummy codec when a dai link node is present in DT but with no codec property. The result is that at probe time, a dummy codec can either be uninitialized with num_codecs = 0, or be an initialized dummy codec, with num_codecs = 1 and dai_name = "snd-soc-dummy-dai". In order to accommodate for both situations, check that num_codecs is not zero before accessing the codecs' fields but still check for the codec's dai name against "snd-soc-dummy-dai" as needed. While at it, also drop the check that dai_name is not null in the mt8192 driver, introduced in commit 4d4e1b6319e5 ("ASoC: mediatek: mt8192: Check existence of dai_name before dereferencing"), as it is actually redundant given the preceding num_codecs != 0 check. Fixes: 13f58267cda3 ("ASoC: soc.h: don't create dummy Component via COMP_DUMMY()") Signed-off-by: Nícolas F. R. A. Prado Reviewed-by: AngeloGioacchino Del Regno Acked-by: Kuninori Morimoto Reviewed-by: Fei Shao Acked-by: Trevor Wu Link: https://patch.msgid.link/20241126-asoc-mtk-dummy-panic-v1-1-42d53e168d2e@collabora.com Signed-off-by: Mark Brown commit 4095cf872084ecfdfdb0e681f3e9ff9745acfa75 Author: Venkata Prasad Potturu Date: Wed Nov 27 16:52:25 2024 +0530 ASoC: amd: yc: Fix for enabling DMIC on acp6x via _DSD entry Add condition check to register ACP PDM sound card by reading _WOV acpi entry. Fixes: 5426f506b584 ("ASoC: amd: Add support for enabling DMIC on acp6x via _DSD") Signed-off-by: Venkata Prasad Potturu Link: https://patch.msgid.link/20241127112227.227106-1-venkataprasad.potturu@amd.com Signed-off-by: Mark Brown commit 44b682694a0ca366bf15c26c3c3c16d26c9e9f6d Author: Liam Zuiderhoek Date: Tue Oct 22 20:46:59 2024 +0200 i2c: Fix whitespace style issue This patch fixes a coding style issue in the alignment of parameters in the function i2c_smbus_write_bytes(). It replaces spaces with tabs for alignment, as per the coding style guidelines. Signed-off-by: Liam Zuiderhoek Signed-off-by: Wolfram Sang commit aac9e2afa807e862073e9536099a3184b0e936d2 Author: Chen-Yu Tsai Date: Wed Nov 6 17:33:34 2024 +0800 arm64: dts: mediatek: mt8173-elm-hana: Mark touchscreens and trackpads as fail Instead of having them all available, mark them all as "fail-needs-probe" and have the implementation try to probe which one is present. Also remove the shared resource workaround by moving the pinctrl entry for the trackpad interrupt line back into the individual trackpad nodes. Cc: # Needs accompanying new driver to work Signed-off-by: Chen-Yu Tsai Reviewed-by: Douglas Anderson Reviewed-by: AngeloGioacchino Del Regno Acked-by: AngeloGioacchino Del Regno Signed-off-by: Wolfram Sang commit 3fc361af8ab0a96619ba0146a5f694f59ae3f4c2 Author: Chen-Yu Tsai Date: Wed Nov 6 17:33:33 2024 +0800 platform/chrome: Introduce device tree hardware prober Some devices are designed and manufactured with some components having multiple drop-in replacement options. These components are often connected to the mainboard via ribbon cables, having the same signals and pin assignments across all options. These may include the display panel and touchscreen on laptops and tablets, and the trackpad on laptops. Sometimes which component option is used in a particular device can be detected by some firmware provided identifier, other times that information is not available, and the kernel has to try to probe each device. This change attempts to make the "probe each device" case cleaner. The current approach is to have all options added and enabled in the device tree. The kernel would then bind each device and run each driver's probe function. This works, but has been broken before due to the introduction of asynchronous probing, causing multiple instances requesting "shared" resources, such as pinmuxes, GPIO pins, interrupt lines, at the same time, with only one instance succeeding. Work arounds for these include moving the pinmux to the parent I2C controller, using GPIO hogs or pinmux settings to keep the GPIO pins in some fixed configuration, and requesting the interrupt line very late. Such configurations can be seen on the MT8183 Krane Chromebook tablets, and the Qualcomm sc8280xp-based Lenovo Thinkpad 13S. Instead of this delicate dance between drivers and device tree quirks, this change introduces a simple I2C component prober. For any given class of devices on the same I2C bus, it will go through all of them, doing a simple I2C read transfer and see which one of them responds. It will then enable the device that responds. This requires some minor modifications in the existing device tree. The status for all the device nodes for the component options must be set to "fail-needs-probe". This makes it clear that some mechanism is needed to enable one of them, and also prevents the prober and device drivers running at the same time. Signed-off-by: Chen-Yu Tsai Acked-by: Tzung-Bi Shih Reviewed-by: Douglas Anderson Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: Wolfram Sang commit 39b415f84654892003cebb7c026b7daa3380610b Author: Chen-Yu Tsai Date: Wed Nov 6 17:33:32 2024 +0800 i2c: of-prober: Add GPIO support to simple helpers Add GPIO support to the simple helpers for the I2C OF component prober. Components that the prober intends to probe likely require their regulator supplies be enabled, and GPIOs be toggled to enable them or bring them out of reset before they will respond to probe attempts. Regulator supplies were handled in the previous patch. The assumption is that the same class of components to be probed are always connected in the same fashion with the same regulator supply and GPIO. The names may vary due to binding differences, but the physical layout does not change. This supports at most one GPIO pin. The user must specify the GPIO name, the polarity, and the amount of time to wait after the GPIO is toggled. Devices with more than one GPIO pin likely require specific power sequencing beyond what generic code can easily support. Signed-off-by: Chen-Yu Tsai Reviewed-by: Douglas Anderson Reviewed-by: Andy Shevchenko Tested-by: Andrey Skvortsov Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: Wolfram Sang commit 897261149d255d03fc90bec6782e3835cacbfdde Author: Chen-Yu Tsai Date: Wed Nov 6 17:33:31 2024 +0800 i2c: of-prober: Add simple helpers for regulator support Add helpers to do regulator management for the I2C OF component prober. Components that the prober intends to probe likely require their regulator supplies be enabled, and GPIOs be toggled to enable them or bring them out of reset before they will respond to probe attempts. GPIOs will be handled in the next patch. The assumption is that the same class of components to be probed are always connected in the same fashion with the same regulator supply and GPIO. The names may vary due to binding differences, but the physical layout does not change. This set of helpers supports at most one regulator supply. The user must specify the node from which the supply is retrieved. The supply name and the amount of time to wait after the supply is enabled are also given by the user. Signed-off-by: Chen-Yu Tsai Reviewed-by: Douglas Anderson Reviewed-by: Andy Shevchenko Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: Wolfram Sang commit 157ce8f381efe264933e9366db828d845bade3a1 Author: Chen-Yu Tsai Date: Wed Nov 6 17:33:30 2024 +0800 i2c: Introduce OF component probe function Some devices are designed and manufactured with some components having multiple drop-in replacement options. These components are often connected to the mainboard via ribbon cables, having the same signals and pin assignments across all options. These may include the display panel and touchscreen on laptops and tablets, and the trackpad on laptops. Sometimes which component option is used in a particular device can be detected by some firmware provided identifier, other times that information is not available, and the kernel has to try to probe each device. This change attempts to make the "probe each device" case cleaner. The current approach is to have all options added and enabled in the device tree. The kernel would then bind each device and run each driver's probe function. This works, but has been broken before due to the introduction of asynchronous probing, causing multiple instances requesting "shared" resources, such as pinmuxes, GPIO pins, interrupt lines, at the same time, with only one instance succeeding. Work arounds for these include moving the pinmux to the parent I2C controller, using GPIO hogs or pinmux settings to keep the GPIO pins in some fixed configuration, and requesting the interrupt line very late. Such configurations can be seen on the MT8183 Krane Chromebook tablets, and the Qualcomm sc8280xp-based Lenovo Thinkpad 13S. Instead of this delicate dance between drivers and device tree quirks, this change introduces a simple I2C component probe function. For a given class of devices on the same I2C bus, it will go through all of them, doing a simple I2C read transfer and see which one of them responds. It will then enable the device that responds. This requires some minor modifications in the existing device tree. The status for all the device nodes for the component options must be set to "fail-needs-probe". This makes it clear that some mechanism is needed to enable one of them, and also prevents the prober and device drivers running at the same time. Signed-off-by: Chen-Yu Tsai Reviewed-by: Andy Shevchenko Reviewed-by: Douglas Anderson Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: Wolfram Sang commit 1fcc67e3a354865775355eafec1fb061a755c971 Author: Chen-Yu Tsai Date: Wed Nov 6 17:33:29 2024 +0800 of: base: Add for_each_child_of_node_with_prefix() There are cases where drivers would go through child device nodes and operate on only the ones whose node name starts with a given prefix. Provide a helper for these users. This will mainly be used in a subsequent patch that implements a hardware component prober for I2C busses. Signed-off-by: Chen-Yu Tsai Reviewed-by: Rob Herring (Arm) Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: Wolfram Sang commit 81de291d86b704de1809cfb06672902d003cf3a3 Author: Chen-Yu Tsai Date: Wed Nov 6 17:33:28 2024 +0800 of: dynamic: Add of_changeset_update_prop_string Add a helper function to add string property updates to an OF changeset. This is similar to of_changeset_add_prop_string(), but instead of adding the property (and failing if it exists), it will update the property. This shall be used later in the DT hardware prober. Signed-off-by: Chen-Yu Tsai Reviewed-by: Rob Herring (Arm) Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: Wolfram Sang commit 7be34f6feedd60e418de1c2c48e661d70416635f Author: Takashi Iwai Date: Wed Nov 27 08:00:58 2024 +0100 ALSA: ump: Fix evaluation of MIDI 1.0 FB info The m1.0 field of UMP Function Block info specifies whether the given FB is a MIDI 1.0 port or not. When implementing the UMP support on Linux, I somehow interpreted as if it were bit flags, but the field is actually an enumeration from 0 to 2, where 2 means MIDI 1.0 *and* low speed. This patch corrects the interpretation and sets the right bit flags depending on the m1.0 field of FB Info. This effectively fixes the missing detection of MIDI 1.0 FB when m1.0 is 2. Fixes: 37e0e14128e0 ("ALSA: ump: Support UMP Endpoint and Function Block parsing") Cc: Link: https://patch.msgid.link/20241127070059.8099-1-tiwai@suse.de Signed-off-by: Takashi Iwai commit 9ad467a2b2716d4ed12f003b041aa6c776a13ff5 Author: Zichen Xie Date: Tue Nov 26 13:24:49 2024 -0600 ALSA: core: Fix possible NULL dereference caused by kunit_kzalloc() kunit_kzalloc() may return a NULL pointer, dereferencing it without NULL check may lead to NULL dereference. Add NULL checks for all the kunit_kzalloc() in sound_kunit.c Fixes: 3e39acf56ede ("ALSA: core: Add sound core KUnit test") Signed-off-by: Zichen Xie Link: https://patch.msgid.link/20241126192448.12645-1-zichenxie0106@gmail.com Signed-off-by: Takashi Iwai commit c353ee4fb119a2582d0e011f66a76a38f5cf984d Author: Paul Aurich Date: Tue Nov 26 18:50:31 2024 -0600 smb: Initialize cfid->tcon before performing network ops Avoid leaking a tcon ref when a lease break races with opening the cached directory. Processing the leak break might take a reference to the tcon in cached_dir_lease_break() and then fail to release the ref in cached_dir_offload_close, since cfid->tcon is still NULL. Fixes: ebe98f1447bb ("cifs: enable caching of directories for which a lease is held") Signed-off-by: Paul Aurich Signed-off-by: Steve French commit cf89c9434af122f28a3552e6f9cc5158c33ce50a Author: Michael Ellerman Date: Tue Nov 26 13:57:10 2024 +1100 powerpc/prom_init: Fixup missing powermac #size-cells On some powermacs `escc` nodes are missing `#size-cells` properties, which is deprecated and now triggers a warning at boot since commit 045b14ca5c36 ("of: WARN on deprecated #address-cells/#size-cells handling"). For example: Missing '#size-cells' in /pci@f2000000/mac-io@c/escc@13000 WARNING: CPU: 0 PID: 0 at drivers/of/base.c:133 of_bus_n_size_cells+0x98/0x108 Hardware name: PowerMac3,1 7400 0xc0209 PowerMac ... Call Trace: of_bus_n_size_cells+0x98/0x108 (unreliable) of_bus_default_count_cells+0x40/0x60 __of_get_address+0xc8/0x21c __of_address_to_resource+0x5c/0x228 pmz_init_port+0x5c/0x2ec pmz_probe.isra.0+0x144/0x1e4 pmz_console_init+0x10/0x48 console_init+0xcc/0x138 start_kernel+0x5c4/0x694 As powermacs boot via prom_init it's possible to add the missing properties to the device tree during boot, avoiding the warning. Note that `escc-legacy` nodes are also missing `#size-cells` properties, but they are skipped by the macio driver, so leave them alone. Depends-on: 045b14ca5c36 ("of: WARN on deprecated #address-cells/#size-cells handling") Signed-off-by: Michael Ellerman Reviewed-by: Rob Herring Signed-off-by: Madhavan Srinivasan Link: https://patch.msgid.link/20241126025710.591683-1-mpe@ellerman.id.au commit a74769564eb0a94c41a6224ee81230554c167f71 Author: Michael Ellerman Date: Sun Nov 24 21:30:06 2024 +1100 docs: ABI: sysfs-bus-event_source-devices-vpa-pmu: Fix htmldocs errors Fix errors during `make htmldocs`, eg: Documentation/ABI/testing/sysfs-bus-event_source-devices-vpa-pmu:2: ERROR: Unexpected indentation. Fixes: 4ae0b32ecee7 ("docs: ABI: sysfs-bus-event_source-devices-vpa-pmu: Document sysfs event format entries for vpa_pmu") Reported-by: Stephen Rothwell Closes: https://lore.kernel.org/all/20241120171302.2053439c@canb.auug.org.au/ Signed-off-by: Michael Ellerman Signed-off-by: Madhavan Srinivasan Link: https://patch.msgid.link/20241124103006.2236073-1-mpe@ellerman.id.au commit e4a4565489622b29cc4208d117828596207ee6f6 Author: Yang Li Date: Thu Nov 7 09:02:59 2024 +0800 powerpc/machdep: Remove duplicated include in svm.c The header files linux/mem_encrypt.h is included twice in svm.c, so one inclusion of each can be removed. Reported-by: Abaci Robot Closes: https://bugzilla.openanolis.cn/show_bug.cgi?id=11750 Signed-off-by: Yang Li Signed-off-by: Madhavan Srinivasan Link: https://patch.msgid.link/20241107010259.46308-1-yang.lee@linux.alibaba.com commit a65d9d1d893b124917141bd8cdf0e0e47ff96438 Author: Casey Schaufler Date: Tue Nov 26 10:21:20 2024 -0800 ima: uncover hidden variable in ima_match_rules() The variable name "prop" is inadvertently used twice in ima_match_rules(), resulting in incorrect use of the local variable when the function parameter should have been. Rename the local variable and correct the use of the parameter. Suggested-by: Roberto Sassu Signed-off-by: Casey Schaufler Acked-by: Roberto Sassu [PM: subj tweak, Roberto's ACK] Signed-off-by: Paul Moore commit 04b5f0a5bfee5a5886dc19296c90d9a6964275e4 Author: John Johansen Date: Sun Nov 10 04:29:31 2024 -0800 apparmor: lift new_profile declaration to remove C23 extension warning the kernel test robot reports a C23 extension warning: label followed by a declaration is a C23 extension [-Wc23-extensions] 696 | struct aa_profile *new_profile = NULL; Instead of adding a null statement creating a C99 style inline var declaration lift the label declaration out of the block so that it no longer immediatedly follows the label. Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202411101808.AI8YG6cs-lkp@intel.com/ Fixes: ee650b3820f3 ("apparmor: properly handle cx/px lookup failure for complain") Signed-off-by: John Johansen commit 8acf7ad02d1b1bc6dbb1fc78a295582d0d336502 Author: Ryan Lee Date: Wed Aug 28 15:24:46 2024 -0700 apparmor: replace misleading 'scrubbing environment' phrase in debug print The wording of 'scrubbing environment' implied that all environment variables would be removed, when instead secure-execution mode only removes a small number of environment variables. This patch updates the wording to describe what actually occurs instead: setting AT_SECURE for ld.so's secure-execution mode. Link: https://gitlab.com/apparmor/apparmor/-/merge_requests/1315 is a merge request that does similar updating for apparmor userspace. Signed-off-by: Ryan Lee Signed-off-by: John Johansen commit 9133493a76d741e1ce00a140be3d2d7791ca3a04 Author: John Johansen Date: Sat Nov 9 12:47:24 2024 -0800 parser: drop dead code for XXX_comb macros The macros for label combination XXX_comb are no longer used and there are no plans to use them so remove the dead code. Signed-off-by: John Johansen commit 211551768291a9accdd0d033c6d9ff51dc4e9840 Author: Jinjie Ruan Date: Mon Sep 2 15:39:04 2024 +0800 apparmor: Remove unused parameter L1 in macro next_comb In the macro definition of next_comb(), a parameter L1 is accepted, but it is not used. Hence, it should be removed. Signed-off-by: Jinjie Ruan Signed-off-by: John Johansen commit d00c2359fc1852258d8ce218cf2f509086da720c Author: Siddharth Menon Date: Wed Oct 2 15:19:40 2024 +0530 Docs: Update LSM/apparmor.rst After the deprecation of CONFIG_DEFAULT_SECURITY, it is no longer used to enable and configure AppArmor. Since kernel 5.0, `CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE` is not used either. Instead, the CONFIG_LSM parameter manages the order and selection of LSMs. Signed-off-by: Siddharth Menon Signed-off-by: John Johansen commit 74a96bbe1294b0a118e173ce20f60f5838aabaed Author: Ryan Lee Date: Wed Sep 25 11:30:11 2024 -0700 apparmor: audit_cap dedup based on subj_cred instead of profile The previous audit_cap cache deduping was based on the profile that was being audited. This could cause confusion due to the deduplication then occurring across multiple processes, which could happen if multiple instances of binaries matched the same profile attachment (and thus ran under the same profile) or a profile was attached to a container and its processes. Instead, perform audit_cap deduping over ad->subj_cred, which ensures the deduping only occurs across a single process, instead of across all processes that match the current one's profile. Signed-off-by: Ryan Lee Signed-off-by: John Johansen commit fee7a2340f18f48713a4ac7dd5e42b77d963062f Author: Ryan Lee Date: Fri Sep 20 12:53:15 2024 -0700 apparmor: add a cache entry expiration time aging out capability audit cache When auditing capabilities, AppArmor uses a per-CPU, per-profile cache such that the same capability for the same profile doesn't get repeatedly audited, with the original goal of reducing audit logspam. However, this cache does not have an expiration time, resulting in confusion when a profile is shared across binaries (for example) and an expected DENIED audit entry doesn't appear, despite the cache entry having been populated much longer ago. This confusion was exacerbated by the per-CPU nature of the cache resulting in the expected entries sporadically appearing when the later denial+audit occurred on a different CPU. To resolve this, record the last time a capability was audited for a profile and add a timestamp expiration check before doing the audit. v1 -> v2: - Hardcode a longer timeout and drop the patches making it a sysctl, after discussion with John Johansen. - Cache the expiration time instead of the last-audited time. This value can never be zero, which lets us drop the kernel_cap_t caps field from the cache struct. Signed-off-by: Ryan Lee Signed-off-by: John Johansen commit 8532503eac69c65182939d2aefc6d01c9f421a46 Author: Ryan Lee Date: Tue Sep 24 17:56:05 2024 -0700 apparmor: document capability.c:profile_capable ad ptr not being NULL The profile_capabile function takes a struct apparmor_audit_data *ad, which is documented as possibly being NULL. However, the single place that calls this function never passes it a NULL ad. If we were ever to call profile_capable with a NULL ad elsewhere, we would need to rework the function, as its very first use of ad is to dereference ad->class without checking if ad is NULL. Thus, document profile_capable's ad parameter as not accepting NULL. Signed-off-by: Ryan Lee Signed-off-by: John Johansen commit 9b897132424fe76bf6c61f22f9cf12af7f1d1e6a Author: chao liu Date: Tue Jun 27 10:03:16 2023 +0800 apparmor: fix 'Do simple duplicate message elimination' Multiple profiles shared 'ent->caps', so some logs missed. Fixes: 0ed3b28ab8bf ("AppArmor: mediation of non file objects") Signed-off-by: chao liu Signed-off-by: John Johansen commit a2081b78e212a4cc0e8cfb64ed26cb494d8af574 Author: John Johansen Date: Sat Nov 9 11:45:58 2024 -0800 apparmor: document first entry is in packed perms struct is reserved Add a comment to unpack_perm to document the first entry in the packed perms struct is reserved, and make a non-functional change of unpacking to a temporary stack variable named "reserved" to help suppor the documentation of which value is reserved. Suggested-by: Serge E. Hallyn Signed-off-by: John Johansen commit 7290f59231910ccba427d441a6e8b8c6f6112448 Author: Jinjie Ruan Date: Fri Oct 11 09:22:41 2024 +0800 apparmor: test: Fix memory leak for aa_unpack_strdup() The string allocated by kmemdup() in aa_unpack_strdup() is not freed and cause following memory leaks, free them to fix it. unreferenced object 0xffffff80c6af8a50 (size 8): comm "kunit_try_catch", pid 225, jiffies 4294894407 hex dump (first 8 bytes): 74 65 73 74 69 6e 67 00 testing. backtrace (crc 5eab668b): [<0000000001e3714d>] kmemleak_alloc+0x34/0x40 [<000000006e6c7776>] __kmalloc_node_track_caller_noprof+0x300/0x3e0 [<000000006870467c>] kmemdup_noprof+0x34/0x60 [<000000001176bb03>] aa_unpack_strdup+0xd0/0x18c [<000000008ecde918>] policy_unpack_test_unpack_strdup_with_null_name+0xf8/0x3ec [<0000000032ef8f77>] kunit_try_run_case+0x13c/0x3ac [<00000000f3edea23>] kunit_generic_run_threadfn_adapter+0x80/0xec [<00000000adf936cf>] kthread+0x2e8/0x374 [<0000000041bb1628>] ret_from_fork+0x10/0x20 unreferenced object 0xffffff80c2a29090 (size 8): comm "kunit_try_catch", pid 227, jiffies 4294894409 hex dump (first 8 bytes): 74 65 73 74 69 6e 67 00 testing. backtrace (crc 5eab668b): [<0000000001e3714d>] kmemleak_alloc+0x34/0x40 [<000000006e6c7776>] __kmalloc_node_track_caller_noprof+0x300/0x3e0 [<000000006870467c>] kmemdup_noprof+0x34/0x60 [<000000001176bb03>] aa_unpack_strdup+0xd0/0x18c [<0000000046a45c1a>] policy_unpack_test_unpack_strdup_with_name+0xd0/0x3c4 [<0000000032ef8f77>] kunit_try_run_case+0x13c/0x3ac [<00000000f3edea23>] kunit_generic_run_threadfn_adapter+0x80/0xec [<00000000adf936cf>] kthread+0x2e8/0x374 [<0000000041bb1628>] ret_from_fork+0x10/0x20 Cc: stable@vger.kernel.org Fixes: 4d944bcd4e73 ("apparmor: add AppArmor KUnit tests for policy unpack") Signed-off-by: Jinjie Ruan Signed-off-by: John Johansen commit 75535669c9c1647e8098947f045c95db1bbdfa8c Author: Dr. David Alan Gilbert Date: Sat Sep 21 00:55:17 2024 +0100 apparmor: Remove deadcode aa_label_audit, aa_label_find, aa_label_seq_print and aa_update_label_name were added by commit f1bd904175e8 ("apparmor: add the base fns() for domain labels") but never used. aa_profile_label_perm was added by commit 637f688dc3dc ("apparmor: switch from profiles to using labels on contexts") but never used. aa_secid_update was added by commit c092921219d2 ("apparmor: add support for mapping secids and using secctxes") but never used. aa_split_fqname has been unused since commit 3664268f19ea ("apparmor: add namespace lookup fns()") aa_lookup_profile has been unused since commit 93c98a484c49 ("apparmor: move exec domain mediation to using labels") aa_audit_perms_cb was only used by aa_profile_label_perm (see above). All of these commits are from around 2017. Remove them. Signed-off-by: Dr. David Alan Gilbert Signed-off-by: John Johansen commit 648e45d724ed8d84064fa214028835dc02b0336e Author: Thorsten Blum Date: Thu Nov 7 12:25:27 2024 +0100 apparmor: Remove unnecessary NULL check before kvfree() Since kvfree() already checks if its argument is NULL, an additional check before calling kvfree() is unnecessary and can be removed. Remove it and the following Coccinelle/coccicheck warning reported by ifnullfree.cocci: WARNING: NULL check before some freeing functions is not needed Signed-off-by: Thorsten Blum Signed-off-by: John Johansen commit ab6875fbb9d318f56ed0c393c455e9f48293b00f Author: Leesoo Ahn Date: Tue Jul 9 12:07:51 2024 +0900 apparmor: domain: clean up duplicated parts of handle_onexec() Regression test of AppArmor finished without any failures. PASSED: aa_exec access attach_disconnected at_secure introspect capabilities changeprofile onexec changehat changehat_fork changehat_misc chdir clone coredump deleted e2e environ exec exec_qual fchdir fd_inheritance fork i18n link link_subset mkdir mmap mount mult_mount named_pipe namespaces net_raw open openat pipe pivot_root posix_ipc ptrace pwrite query_label regex rename readdir rw socketpair swap sd_flags setattr symlink syscall sysv_ipc tcp unix_fd_server unix_socket_pathname unix_socket_abstract unix_socket_unnamed unix_socket_autobind unlink userns xattrs xattrs_profile longpath nfs exec_stack aa_policy_cache nnp stackonexec stackprofile FAILED: make: Leaving directory '/apparmor/tests/regression/apparmor' Signed-off-by: Leesoo Ahn Signed-off-by: John Johansen commit c03093730616a0ce23b1f25f0c5a7f3f613ca94a Author: Hongbo Li Date: Wed Aug 28 20:26:18 2024 +0800 apparmor: Use IS_ERR_OR_NULL() helper function Use the IS_ERR_OR_NULL() helper instead of open-coding a NULL and an error pointer checks to simplify the code and improve readability. Signed-off-by: Hongbo Li Signed-off-by: John Johansen commit 9208c05f9fdfd927ea160b97dfef3c379049fff2 Author: John Johansen Date: Fri Aug 23 21:40:47 2024 -0700 apparmor: add support for 2^24 states to the dfa state machine. Currently the dfa state machine is limited by its default, next, and check tables using u16. Allow loading of u32 tables, and if u16 tables are loaded map them to u32. The number of states allowed does not increase to 2^32 because the base table uses the top 8 bits of its u32 for flags. Moving the flags into a separate table allowing a full 2^32 bit range wil be done in a separate patch. Link: https://gitlab.com/apparmor/apparmor/-/issues/419 Signed-off-by: John Johansen commit db93ca15e5aefe868ef095ee830a205f70f38b6e Author: Ryan Lee Date: Fri Aug 23 10:14:02 2024 -0700 apparmor: properly handle cx/px lookup failure for complain mode profiles When a cx/px lookup fails, apparmor would deny execution of the binary even in complain mode (where it would audit as allowing execution while actually denying it). Instead, in complain mode, create a new learning profile, just as would have been done if the cx/px line wasn't there. Signed-off-by: Ryan Lee Signed-off-by: John Johansen commit 17d0d04f3c999e7784648bad70ce1766c3b49d69 Author: Ryan Lee Date: Wed Aug 21 11:01:56 2024 -0700 apparmor: allocate xmatch for nullpdb inside aa_alloc_null attach->xmatch was not set when allocating a null profile, which is used in complain mode to allocate a learning profile. This was causing downstream failures in find_attach, which expected a valid xmatch but did not find one under a certain sequence of profile transitions in complain mode. This patch ensures the xmatch is set up properly for null profiles. Signed-off-by: Ryan Lee Signed-off-by: John Johansen commit aaf20f870da056752f6386693cc0d8e25421ef35 Merge: 08906abc8c6e3a 06c59d97f63c1b Author: Linus Torvalds Date: Tue Nov 26 18:36:55 2024 -0800 Merge tag 'rpmsg-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/remoteproc/linux Pull rpmsg update from Bjorn Andersson: "Correct GLINK driver's decoding of the CMD_OPEN message, as upper half of the second parameter encodes 'priority', and 'length' is only the lower half" * tag 'rpmsg-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/remoteproc/linux: rpmsg: glink: use only lower 16-bits of param2 for CMD_OPEN name length commit 08906abc8c6e3a64f7d02965b657a3c6c159cd96 Merge: 727968ff2e8c9c 44024ebf25918e Author: Linus Torvalds Date: Tue Nov 26 18:34:13 2024 -0800 Merge tag 'rproc-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/remoteproc/linux Pull remoteproc updates from Bjorn Andersson: "Make Qualcomm TrustZone Peripherial Authentication Service-remoteproc identifier/name human friendly. Add audio DSP support for the Qualcomm SAR2130P. Ensure IMEM access in the Qualcomm modem remoteproc driver is performed prior to the firmware enabling the XPU and locking us out. Improve error handling, error logging, compile testing support, and a few other stylistic things across a variety of the drivers" * tag 'rproc-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/remoteproc/linux: (30 commits) remoteproc: qcom: wcss: Remove double assignment in q6v5_wcss_probe() remoteproc: qcom_q6v5_mss: Re-order writes to the IMEM region remoteproc: qcom_wcnss_iris: Simplify with dev_err_probe() remoteproc: qcom_q6v5_wcss: Simplify with dev_err_probe() remoteproc: qcom_q6v5_pas: Simplify with dev_err_probe() remoteproc: qcom_q6v5_mss: Drop redundant error printks in probe remoteproc: qcom_q6v5_mss: Simplify with dev_err_probe() remoteproc: qcom_q6v5_adsp: Simplify with dev_err_probe() remoteproc: qcom_q6v5_pas: disable auto boot for wpss remoteproc: qcom: pas: Make remoteproc name human friendly remoteproc: qcom: pas: enable SAR2130P audio DSP support remoteproc: qcom: pas: add minidump_id to SM8350 resources dt-bindings: remoteproc: qcom,sm8350-pas: add SAR2130P aDSP compatible dt-bindings: remoteproc: qcom,sm8550-pas: Add SM8750 ADSP remoteproc: qcom: wcss: Remove subdevs on the error path of q6v5_wcss_probe() remoteproc: qcom: adsp: Remove subdevs on the error path of adsp_probe() remoteproc: qcom: pas: Remove subdevs on the error path of adsp_probe() remoteproc: Switch back to struct platform_driver::remove() remoteproc: k3-dsp: Force cast from iomem address space remoteproc: k3-r5: Force cast from iomem address space ... commit 727968ff2e8c9c30f9b2c6f290494fa11a71706d Merge: 750909d55a9dd5 998b5a78a9ce1c Author: Linus Torvalds Date: Tue Nov 26 18:28:11 2024 -0800 Merge tag 'hwmon-for-v6.13-rc1-take2' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging Pull hwmon fixes from Guenter Roeck: - aquacomputer_d5next: Fix length of speed_input array - tps23861: Fix reporting of negative temperatures - tmp108: Do not fail in I3C probe when I3C regmap is a module * tag 'hwmon-for-v6.13-rc1-take2' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging: hwmon: (aquacomputer_d5next) Fix length of speed_input array hwmon: (tps23861) Fix reporting of negative temperatures hwmon: (tmp108) Do not fail in I3C probe when I3C regmap is a module commit 750909d55a9dd555e28148739d3e8ef17a0b8ee5 Merge: 1746db26f85e4f 6cf7b65f702991 Author: Linus Torvalds Date: Tue Nov 26 18:23:31 2024 -0800 Merge tag 'i3c/for-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/i3c/linux Pull i3c updates from Alexandre Belloni: "Core: - avoid possible deadlock on probe - ensured preferred address is used on hot-join Drivers: - dw: add AMD I3C controller support - mipi-i3c-hci: fix SETDASA, DMA interrupts fixes - svc: many fixes for IBI and hotjoin" * tag 'i3c/for-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/i3c/linux: i3c: Use i3cdev->desc->info instead of calling i3c_device_get_info() to avoid deadlock i3c: mipi-i3c-hci: Support SETDASA CCC i3c: dw: Add quirk to address OD/PP timing issue on AMD platform i3c: dw: Add support for AMDI0015 ACPI ID i3c: master: svc: Modify enabled_events bit 7:0 to act as IBI enable counter i3c: Document I3C_ADDR_SLOT_EXT_STATUS_MASK i3c: master: svc: Fix pm_runtime_set_suspended() with runtime pm enabled i3c: mipi-i3c-hci: Handle interrupts according to current specifications i3c: mipi-i3c-hci: Mask ring interrupts before ring stop request i3c: master: Fix miss free init_dyn_addr at i3c_master_put_i3c_addrs() i3c: master: Remove i3c_dev_disable_ibi_locked(olddev) on device hotjoin i3c: master: svc: fix possible assignment of the same address to two devices i3c: master: svc: wait for Manual ACK/NACK Done before next step i3c: master: svc: use spin_lock_irqsave at svc_i3c_master_ibi_work() i3c: master: svc: need check IBIWON for dynamic address assignment i3c: master: svc: manually emit NACK/ACK for hotjoin i3c: master: svc: use repeat start when IBI WIN happens i3c: master: Fix dynamic address leak when 'assigned-address' is present i3c: master: Extend address status bit to 4 and add I3C_ADDR_SLOT_EXT_DESIRED i3c: master: Replace hard code 2 with macro I3C_ADDR_SLOT_STATUS_BITS commit 1746db26f85e4f4b3dd11d7b55f4eff4b0423884 Merge: 1dc707e647bc91 10099266dec827 Author: Linus Torvalds Date: Tue Nov 26 18:05:44 2024 -0800 Merge tag 'pci-v6.13-changes' of git://git.kernel.org/pub/scm/linux/kernel/git/pci/pci Pull PCI updates from Bjorn Helgaas: "Enumeration: - Make pci_stop_dev() and pci_destroy_dev() safe so concurrent callers can't stop a device multiple times, even as we migrate from the global pci_rescan_remove_lock to finer-grained locking (Keith Busch) - Improve pci_walk_bus() implementation by making it recursive and moving locking up to avoid need for a 'locked' parameter (Keith Busch) - Unexport pci_walk_bus_locked(), which is only used internally by the PCI core (Keith Busch) - Detect some Thunderbolt chips that are built-in and hence 'trustworthy' by a heuristic since the 'ExternalFacingPort' and 'usb4-host-interface' ACPI properties are not quite enough (Esther Shimanovich) Resource management: - Use PCI bus addresses (not CPU addresses) in 'ranges' properties when building dynamic DT nodes so systems where PCI and CPU addresses differ work correctly (Andrea della Porta) - Tidy resource sizing and assignment with helpers to reduce redundancy (Ilpo Järvinen) - Improve pdev_sort_resources() 'bogus alignment' warning to be more specific (Ilpo Järvinen) Driver binding: - Convert driver .remove_new() callbacks to .remove() again to finish the conversion from returning 'int' to being 'void' (Sergio Paracuellos) - Export pcim_request_all_regions(), a managed interface to request all BARs (Philipp Stanner) - Replace pcim_iomap_regions_request_all() with pcim_request_all_regions(), and pcim_iomap_table()[n] with pcim_iomap(n), in the following drivers: ahci, crypto qat, crypto octeontx2, intel_th, iwlwifi, ntb idt, serial rp2, ALSA korg1212 (Philipp Stanner) - Remove the now unused pcim_iomap_regions_request_all() (Philipp Stanner) - Export pcim_iounmap_region(), a managed interface to unmap and release a PCI BAR (Philipp Stanner) - Replace pcim_iomap_regions(mask) with pcim_iomap_region(n), and pcim_iounmap_regions(mask) with pcim_iounmap_region(n), in the following drivers: fpga dfl-pci, block mtip32xx, gpio-merrifield, cavium (Philipp Stanner) Error handling: - Add sysfs 'reset_subordinate' to reset the entire hierarchy below a bridge; previously Secondary Bus Reset could only be used when there was a single device below a bridge (Keith Busch) - Warn if we reset a running device where the driver didn't register pci_error_handlers notification callbacks (Keith Busch) ASPM: - Disable ASPM L1 before touching L1 PM Substates to follow the spec closer and avoid a CPU load timeout on some platforms (Ajay Agarwal) - Set devices below Intel VMD to D0 before enabling ASPM L1 Substates as required per spec for all L1 Substates changes (Jian-Hong Pan) Power management: - Enable starfive controller runtime PM before probing host bridge (Mayank Rana) - Enable runtime power management for host bridges (Krishna chaitanya chundru) Power control: - Use of_platform_device_create() instead of of_platform_populate() to create pwrctl platform devices so we can control it based on the child nodes (Manivannan Sadhasivam) - Create pwrctrl platform devices only if there's a relevant power supply property (Manivannan Sadhasivam) - Add device link from the pwrctl supplier to the PCI dev to ensure pwrctl drivers are probed before the PCI dev driver; this avoids a race where pwrctl could change device power state while the PCI driver was active (Manivannan Sadhasivam) - Find pwrctl device for removal with of_find_device_by_node() instead of searching all children of the parent (Manivannan Sadhasivam) - Rename 'pwrctl' to 'pwrctrl' to match new bandwidth controller ('bwctrl') and hotplug files (Bjorn Helgaas) Bandwidth control: - Add read/modify/write locking for Link Control 2, which is used to manage Link speed (Ilpo Järvinen) - Extract Link Bandwidth Management Status check into pcie_lbms_seen(), where it can be shared between the bandwidth controller and quirks that use it to help retrain failed links (Ilpo Järvinen) - Re-add Link Bandwidth notification support with updates to address the reasons it was previously reverted (Alexandru Gagniuc, Ilpo Järvinen) - Add pcie_set_target_speed() and related functionality so drivers can manage PCIe Link speed based on thermal or other constraints (Ilpo Järvinen) - Add a thermal cooling driver to throttle PCIe Links via the existing thermal management framework (Ilpo Järvinen) - Add a userspace selftest for the PCIe bandwidth controller (Ilpo Järvinen) PCI device hotplug: - Add hotplug controller driver for Marvell OCTEON multi-function device where function 0 has a management console interface to enable/disable and provision various personalities for the other functions (Shijith Thotton) - Retain a reference to the pci_bus for the lifetime of a pci_slot to avoid a use-after-free when the thunderbolt driver resets USB4 host routers on boot, causing hotplug remove/add of downstream docks or other devices (Lukas Wunner) - Remove unused cpcihp struct cpci_hp_controller_ops.hardware_test (Guilherme Giacomo Simoes) - Remove unused cpqphp struct ctrl_dbg.ctrl (Christophe JAILLET) - Use pci_bus_read_dev_vendor_id() instead of hand-coded presence detection in cpqphp (Ilpo Järvinen) - Simplify cpqphp enumeration, which is already simple-minded and doesn't handle devices below hot-added bridges (Ilpo Järvinen) Virtualization: - Add ACS quirk for Wangxun FF5xxx NICs, which don't advertise an ACS capability but do isolate functions as though PCI_ACS_RR and PCI_ACS_CR were set, so the functions can be in independent IOMMU groups (Mengyuan Lou) TLP Processing Hints (TPH): - Add and document TLP Processing Hints (TPH) support so drivers can enable and disable TPH and the kernel can save/restore TPH configuration (Wei Huang) - Add TPH Steering Tag support so drivers can retrieve Steering Tag values associated with specific CPUs via an ACPI _DSM to improve performance by directing DMA writes closer to their consumers (Wei Huang) Data Object Exchange (DOE): - Wait up to 1 second for DOE Busy bit to clear before writing a request to the mailbox to avoid failures if the mailbox is still busy from a previous transfer (Gregory Price) Endpoint framework: - Skip attempts to allocate from endpoint controller memory window if the requested size is larger than the window (Damien Le Moal) - Add and document pci_epc_mem_map() and pci_epc_mem_unmap() to handle controller-specific size and alignment constraints, and add test cases to the endpoint test driver (Damien Le Moal) - Implement dwc pci_epc_ops.align_addr() so pci_epc_mem_map() can observe DWC-specific alignment requirements (Damien Le Moal) - Synchronously cancel command handler work in endpoint test before cleaning up DMA and BARs (Damien Le Moal) - Respect endpoint page size in dw_pcie_ep_align_addr() (Niklas Cassel) - Use dw_pcie_ep_align_addr() in dw_pcie_ep_raise_msi_irq() and dw_pcie_ep_raise_msix_irq() instead of open coding the equivalent (Niklas Cassel) - Avoid NULL dereference if Modem Host Interface Endpoint lacks 'mmio' DT property (Zhongqiu Han) - Release PCI domain ID of Endpoint controller parent (not controller itself) and before unregistering the controller, to avoid use-after-free (Zijun Hu) - Clear secondary (not primary) EPC in pci_epc_remove_epf() when removing the secondary controller associated with an NTB (Zijun Hu) Cadence PCIe controller driver: - Lower severity of 'phy-names' message (Bartosz Wawrzyniak) Freescale i.MX6 PCIe controller driver: - Fix suspend/resume support on i.MX6QDL, which has a hardware erratum that prevents use of L2 (Stefan Eichenberger) Intel VMD host bridge driver: - Add 0xb60b and 0xb06f Device IDs for client SKUs (Nirmal Patel) MediaTek PCIe Gen3 controller driver: - Update mediatek-gen3 DT binding to require the exact number of clocks for each SoC (Fei Shao) - Add support for DT 'max-link-speed' and 'num-lanes' properties to restrict the link speed and width (AngeloGioacchino Del Regno) Microchip PolarFlare PCIe controller driver: - Add DT and driver support for using either of the two PolarFire Root Ports (Conor Dooley) NVIDIA Tegra194 PCIe controller driver: - Move endpoint controller cleanups that depend on refclk from the host to the notifier that tells us the host has deasserted PERST#, when refclk should be valid (Manivannan Sadhasivam) Qualcomm PCIe controller driver: - Add qcom SAR2130P DT binding with an additional clock (Dmitry Baryshkov) - Enable MSI interrupts if 'global' IRQ is supported, since a previous commit unintentionally masked them (Manivannan Sadhasivam) - Move endpoint controller cleanups that depend on refclk from the host to the notifier that tells us the host has deasserted PERST#, when refclk should be valid (Manivannan Sadhasivam) - Add DT binding and driver support for IPQ9574, with Synopsys IP v5.80a and Qcom IP 1.27.0 (devi priya) - Move the OPP "operating-points-v2" table from the qcom,pcie-sm8450.yaml DT binding to qcom,pcie-common.yaml, where it can be used by other Qcom platforms (Qiang Yu) - Add 'global' SPI interrupt for events like link-up, link-down to qcom,pcie-x1e80100 DT binding so we can start enumeration when the link comes up (Qiang Yu) - Disable ASPM L0s for qcom,pcie-x1e80100 since the PHY is not tuned to support this (Qiang Yu) - Add ops_1_21_0 for SC8280X family SoC, which doesn't use the 'iommu-map' DT property and doesn't need BDF-to-SID translation (Qiang Yu) Rockchip PCIe controller driver: - Define ROCKCHIP_PCIE_AT_SIZE_ALIGN to replace magic 256 endpoint .align value (Damien Le Moal) - When unmapping an endpoint window, compute the region index instead of searching for it, and verify that the address was mapped (Damien Le Moal) - When mapping an endpoint window, verify that the address hasn't been mapped already (Damien Le Moal) - Implement pci_epc_ops.align_addr() for rockchip-ep (Damien Le Moal) - Fix MSI IRQ data mapping to observe the alignment constraint, which fixes intermittent page faults in memcpy_toio() and memcpy_fromio() (Damien Le Moal) - Rename rockchip_pcie_parse_ep_dt() to rockchip_pcie_ep_get_resources() for consistency with similar DT interfaces (Damien Le Moal) - Skip the unnecessary link train in rockchip_pcie_ep_probe() and do it only in the endpoint start operation (Damien Le Moal) - Implement pci_epc_ops.stop_link() to disable link training and controller configuration (Damien Le Moal) - Attempt link training at 5 GT/s when both partners support it (Damien Le Moal) - Add a handler for PERST# signal so we can detect host-initiated resets and start link training after PERST# is deasserted (Damien Le Moal) Synopsys DesignWare PCIe controller driver: - Clear outbound address on unmap so dw_pcie_find_index() won't match an ATU index that was already unmapped (Damien Le Moal) - Use of_property_present() instead of of_property_read_bool() when testing for presence of non-boolean DT properties (Rob Herring) - Advertise 1MB size if endpoint supports Resizable BARs, which was inadvertently lost in v6.11 (Niklas Cassel) TI J721E PCIe driver: - Add PCIe support for J722S SoC (Siddharth Vadapalli) - Delay PCIE_T_PVPERL_MS (100 ms), not just PCIE_T_PERST_CLK_US (100 us), before deasserting PERST# to ensure power and refclk are stable (Siddharth Vadapalli) TI Keystone PCIe controller driver: - Set the 'ti,keystone-pcie' mode so v3.65a devices work in Root Complex mode (Kishon Vijay Abraham I) - Try to avoid unrecoverable SError for attempts to issue config transactions when the link is down; this is racy but the best we can do (Kishon Vijay Abraham I) Miscellaneous: - Reorganize kerneldoc parameter names to match order in function signature (Julia Lawall) - Fix sysfs reset_method_store() memory leak (Todd Kjos) - Simplify pci_create_slot() (Ilpo Järvinen) - Fix incorrect printf format specifiers in pcitest (Luo Yifan)" * tag 'pci-v6.13-changes' of git://git.kernel.org/pub/scm/linux/kernel/git/pci/pci: (127 commits) PCI: rockchip-ep: Handle PERST# signal in EP mode PCI: rockchip-ep: Improve link training PCI: rockship-ep: Implement the pci_epc_ops::stop_link() operation PCI: rockchip-ep: Refactor endpoint link training enable PCI: rockchip-ep: Refactor rockchip_pcie_ep_probe() MSI-X hiding PCI: rockchip-ep: Refactor rockchip_pcie_ep_probe() memory allocations PCI: rockchip-ep: Rename rockchip_pcie_parse_ep_dt() PCI: rockchip-ep: Fix MSI IRQ data mapping PCI: rockchip-ep: Implement the pci_epc_ops::align_addr() operation PCI: rockchip-ep: Improve rockchip_pcie_ep_map_addr() PCI: rockchip-ep: Improve rockchip_pcie_ep_unmap_addr() PCI: rockchip-ep: Use a macro to define EP controller .align feature PCI: rockchip-ep: Fix address translation unit programming PCI/pwrctrl: Rename pwrctrl functions and structures PCI/pwrctrl: Rename pwrctl files to pwrctrl PCI/pwrctl: Remove pwrctl device without iterating over all children of pwrctl parent PCI/pwrctl: Ensure that pwrctl drivers are probed before PCI client drivers PCI/pwrctl: Create pwrctl device only if at least one power supply is present PCI/pwrctl: Use of_platform_device_create() to create pwrctl devices tools: PCI: Fix incorrect printf format specifiers ... commit f2fdcd5868656dabf291ee3f531f76f17f8df82f Merge: b8126f24b4a23d 979bfe291b5b30 Author: Dave Airlie Date: Wed Nov 27 11:58:55 2024 +1000 Merge tag 'amd-drm-fixes-6.13-2024-11-22' of https://gitlab.freedesktop.org/agd5f/linux into drm-next amd-drm-fixes-6.13-2024-11-22: amdgpu: - SMU 13.0.6 fixes - XGMI fixes - SMU 13.0.7 fixes - Misc code cleanups - Plane refcount fixes - DCN 4.0.1 fixes - DC power fixes - DTO fixes - NBIO 7.11 fixes - SMU 14.0.x fixes - Reset fixes - Enable DC on LoongArch - Sysfs hotplug warning fix - Misc small fixes - VCN 4.0.3 fix - Slab usage fix - Jpeg delayed work fix amdkfd: - wptr handling fixes radeon: - Use ttm_bo_move_null() - Constify struct pci_device_id - Fix spurious hotplug - HPD fix Signed-off-by: Dave Airlie From: Alex Deucher Link: https://patchwork.freedesktop.org/patch/msgid/20241122154441.636075-1-alexander.deucher@amd.com commit b8126f24b4a23df3e4f6c0e96b27c63412fecefa Merge: 85f720f77bab28 ed31ba0aa7e93e Author: Dave Airlie Date: Wed Nov 27 11:04:47 2024 +1000 Merge tag 'drm-xe-next-fixes-2024-11-21' of https://gitlab.freedesktop.org/drm/xe/kernel into drm-next Driver Changes: - Wake up waiters after wait condition set to true (Nirmoy Das) - Mark the preempt fence workqueue as reclaim. (Matthew Brost) Signed-off-by: Dave Airlie From: Thomas Hellstrom Link: https://patchwork.freedesktop.org/patch/msgid/Zz-MiVLFjOZQLrlc@fedora commit 1dc707e647bc919834eff9636c8d00b78c782545 Author: Linus Torvalds Date: Tue Nov 26 17:54:58 2024 -0800 rust: fix up formatting after merge When I merged the rust 'use' imports, I didn't realize that there's an offical preferred idiomatic format - so while it all worked fine, it doesn't match what 'make rustfmt' wants to make it. Fix it up appropriately. Suggested-by: Miguel Ojeda Signed-off-by: Linus Torvalds commit 85f720f77bab2802399b6cf24c27ffcc93fa8264 Merge: a163b895077861 376a33c4a0d834 Author: Dave Airlie Date: Wed Nov 27 11:04:06 2024 +1000 Merge tag 'drm-intel-next-fixes-2024-11-21' of https://gitlab.freedesktop.org/drm/i915/kernel into drm-next - Fix when the first read and write are retried [hdcp] (Suraj Kandpal) Signed-off-by: Dave Airlie From: Tvrtko Ursulin Link: https://patchwork.freedesktop.org/patch/msgid/Zz7xWbodMn9zZD_C@linux commit 3fa640d035e5ae526769615c35cb9ed4be6e3662 Author: Paul Aurich Date: Mon Nov 18 13:50:28 2024 -0800 smb: During unmount, ensure all cached dir instances drop their dentry The unmount process (cifs_kill_sb() calling close_all_cached_dirs()) can race with various cached directory operations, which ultimately results in dentries not being dropped and these kernel BUGs: BUG: Dentry ffff88814f37e358{i=1000000000080,n=/} still in use (2) [unmount of cifs cifs] VFS: Busy inodes after unmount of cifs (cifs) ------------[ cut here ]------------ kernel BUG at fs/super.c:661! This happens when a cfid is in the process of being cleaned up when, and has been removed from the cfids->entries list, including: - Receiving a lease break from the server - Server reconnection triggers invalidate_all_cached_dirs(), which removes all the cfids from the list - The laundromat thread decides to expire an old cfid. To solve these problems, dropping the dentry is done in queued work done in a newly-added cfid_put_wq workqueue, and close_all_cached_dirs() flushes that workqueue after it drops all the dentries of which it's aware. This is a global workqueue (rather than scoped to a mount), but the queued work is minimal. The final cleanup work for cleaning up a cfid is performed via work queued in the serverclose_wq workqueue; this is done separate from dropping the dentries so that close_all_cached_dirs() doesn't block on any server operations. Both of these queued works expect to invoked with a cfid reference and a tcon reference to avoid those objects from being freed while the work is ongoing. While we're here, add proper locking to close_all_cached_dirs(), and locking around the freeing of cfid->dentry. Fixes: ebe98f1447bb ("cifs: enable caching of directories for which a lease is held") Cc: stable@vger.kernel.org Signed-off-by: Paul Aurich Signed-off-by: Steve French commit 796733054e4a55c78c1c58c6121a550667ebccbf Author: Paulo Alcantara Date: Tue Nov 26 12:43:24 2024 -0300 smb: client: fix noisy message when mounting shares When the client unconditionally attempts to get an DFS referral to check if share is DFS, some servers may return different errors that aren't handled in smb2_get_dfs_refer(), so the following will be logged in dmesg: CIFS: VFS: \\srv\IPC$ smb2_get_dfs_refer: ioctl error... which can confuse some users while mounting an SMB share. Fix this by logging such error with FYI. Signed-off-by: Paulo Alcantara (Red Hat) Signed-off-by: Steve French commit 36008fe6e3dc588e5e9ceae6e82c7f69399eb5d8 Author: Paulo Alcantara Date: Tue Nov 26 15:55:53 2024 -0300 smb: client: don't try following DFS links in cifs_tree_connect() We can't properly support chasing DFS links in cifs_tree_connect() because (1) We don't support creating new sessions while we're reconnecting, which would be required for DFS interlinks. (2) ->is_path_accessible() can't be called from cifs_tree_connect() as it would deadlock with smb2_reconnect(). This is required for checking if new DFS target is a nested DFS link. By unconditionally trying to get an DFS referral from new DFS target isn't correct because if the new DFS target (interlink) is an DFS standalone namespace, then we would end up getting -ELOOP and then potentially leaving tcon disconnected. Signed-off-by: Paulo Alcantara (Red Hat) Signed-off-by: Steve French commit e1481075981d25634961c973ed991ba6ab393e67 Author: Paulo Alcantara Date: Tue Nov 26 17:11:47 2024 -0300 smb: client: allow reconnect when sending ioctl cifs_tree_connect() no longer uses ioctl, so allow sessions to be reconnected when sending ioctls. Signed-off-by: Paulo Alcantara (Red Hat) Signed-off-by: Steve French commit b2fe4a8fa0f6b9dbb7d4965f71ec72191cda34f1 Author: Paulo Alcantara Date: Tue Nov 26 17:40:11 2024 -0300 smb: client: get rid of @nlsc param in cifs_tree_connect() We can access local_nls directly from @tcon->ses, so there is no need to pass it as parameter in cifs_tree_connect(). Signed-off-by: Paulo Alcantara (Red Hat) Signed-off-by: Steve French commit 28ec614f2f9bfb57a76dd387be67bb6054f96b04 Author: Paulo Alcantara Date: Tue Nov 26 17:19:18 2024 -0300 smb: client: allow more DFS referrals to be cached In some DFS setups, a single DFS share may contain hundreds of DFS links and increasing the DFS cache to allow more referrals to be cached improves DFS failover as the client will likely find a cached DFS referral when reconnecting and then avoiding unnecessary remounts. Signed-off-by: Paulo Alcantara (Red Hat) Signed-off-by: Steve French commit d17113601909eb43c29cbb3449fd49db427ff6be Author: Masahiro Yamada Date: Sun Nov 10 10:34:32 2024 +0900 kbuild: use 'output' variable to create the output directory $(KBUILD_OUTPUT) specifies the output directory of kernel builds. Use a more generic name, 'output', to better reflect this code hunk in the context of external module builds. Signed-off-by: Masahiro Yamada Reviewed-by: Nicolas Schier commit 5ea172165400e6efaa88989c837d2077c49161d8 Author: Masahiro Yamada Date: Sun Nov 10 10:34:31 2024 +0900 kbuild: rename abs_objtree to abs_output 'objtree' refers to the top of the output directory of kernel builds. Rename abs_objtree to a more generic name, to better reflect its use in the context of external module builds. Signed-off-by: Masahiro Yamada Reviewed-by: Nicolas Schier commit 214c0eea43b2ea66bcd6467ea57e47ce8874191b Author: Masahiro Yamada Date: Sun Nov 10 10:34:30 2024 +0900 kbuild: add $(objtree)/ prefix to some in-kernel build artifacts $(objtree) refers to the top of the output directory of kernel builds. This commit adds the explicit $(objtree)/ prefix to build artifacts needed for building external modules. This change has no immediate impact, as the top-level Makefile currently defines: objtree := . This commit prepares for supporting the building of external modules in a different directory. Signed-off-by: Masahiro Yamada Reviewed-by: Nicolas Schier commit 0afd73c5f5c606b0f8f8ff036e4f5d6c4b788d02 Author: Masahiro Yamada Date: Sun Nov 10 10:34:29 2024 +0900 kbuild: replace two $(abs_objtree) with $(CURDIR) in top Makefile Kbuild changes the working directory until it matches $(abs_objtree). When $(need-sub-make) is empty, $(abs_objtree) is the same as $(CURDIR). Signed-off-by: Masahiro Yamada Reviewed-by: Nicolas Schier commit bcbbf493f2fa6fa1f0832f6b5b4c80a65de242d6 Author: Matt Fleming Date: Thu Nov 7 15:05:08 2024 +0000 kbuild: deb-pkg: Don't fail if modules.order is missing Kernels built without CONFIG_MODULES might still want to create -dbg deb packages but install_linux_image_dbg() assumes modules.order always exists. This obviously isn't true if no modules were built, so we should skip reading modules.order in that case. Fixes: 16c36f8864e3 ("kbuild: deb-pkg: use build ID instead of debug link for dbg package") Signed-off-by: Matt Fleming Signed-off-by: Masahiro Yamada commit dbefa1f31a91670c9e7dac9b559625336206466f Author: Masahiro Yamada Date: Thu Nov 7 01:14:41 2024 +0900 Rename .data.once to .data..once to fix resetting WARN*_ONCE Commit b1fca27d384e ("kernel debug: support resetting WARN*_ONCE") added support for clearing the state of once warnings. However, it is not functional when CONFIG_LD_DEAD_CODE_DATA_ELIMINATION or CONFIG_LTO_CLANG is enabled, because .data.once matches the .data.[0-9a-zA-Z_]* pattern in the DATA_MAIN macro. Commit cb87481ee89d ("kbuild: linker script do not match C names unless LD_DEAD_CODE_DATA_ELIMINATION is configured") was introduced to suppress the issue for the default CONFIG_LD_DEAD_CODE_DATA_ELIMINATION=n case, providing a minimal fix for stable backporting. We were aware this did not address the issue for CONFIG_LD_DEAD_CODE_DATA_ELIMINATION=y. The plan was to apply correct fixes and then revert cb87481ee89d. [1] Seven years have passed since then, yet the #ifdef workaround remains in place. Meanwhile, commit b1fca27d384e introduced the .data.once section, and commit dc5723b02e52 ("kbuild: add support for Clang LTO") extended the #ifdef. Using a ".." separator in the section name fixes the issue for CONFIG_LD_DEAD_CODE_DATA_ELIMINATION and CONFIG_LTO_CLANG. [1]: https://lore.kernel.org/linux-kbuild/CAK7LNASck6BfdLnESxXUeECYL26yUDm0cwRZuM4gmaWUkxjL5g@mail.gmail.com/ Fixes: b1fca27d384e ("kernel debug: support resetting WARN*_ONCE") Fixes: dc5723b02e52 ("kbuild: add support for Clang LTO") Signed-off-by: Masahiro Yamada commit bb43a59944f45e89aa158740b8a16ba8f0b0fa2b Author: Masahiro Yamada Date: Thu Nov 7 01:14:40 2024 +0900 Rename .data.unlikely to .data..unlikely Commit 7ccaba5314ca ("consolidate WARN_...ONCE() static variables") was intended to collect all .data.unlikely sections into one chunk. However, this has not worked when CONFIG_LD_DEAD_CODE_DATA_ELIMINATION or CONFIG_LTO_CLANG is enabled, because .data.unlikely matches the .data.[0-9a-zA-Z_]* pattern in the DATA_MAIN macro. Commit cb87481ee89d ("kbuild: linker script do not match C names unless LD_DEAD_CODE_DATA_ELIMINATION is configured") was introduced to suppress the issue for the default CONFIG_LD_DEAD_CODE_DATA_ELIMINATION=n case, providing a minimal fix for stable backporting. We were aware this did not address the issue for CONFIG_LD_DEAD_CODE_DATA_ELIMINATION=y. The plan was to apply correct fixes and then revert cb87481ee89d. [1] Seven years have passed since then, yet the #ifdef workaround remains in place. Using a ".." separator in the section name fixes the issue for CONFIG_LD_DEAD_CODE_DATA_ELIMINATION and CONFIG_LTO_CLANG. [1]: https://lore.kernel.org/linux-kbuild/CAK7LNASck6BfdLnESxXUeECYL26yUDm0cwRZuM4gmaWUkxjL5g@mail.gmail.com/ Fixes: cb87481ee89d ("kbuild: linker script do not match C names unless LD_DEAD_CODE_DATA_ELIMINATION is configured") Signed-off-by: Masahiro Yamada commit d63b852430be7fa2b6d7c550ea67e94b6681d0b5 Author: Rong Xu Date: Fri Nov 8 13:49:53 2024 -0800 kbuild: Fix Propeller build option The '-fbasic-block-sections=labels' option has been deprecated in tip of tree clang (20.0.0) [1]. While the option still works, a warning is emitted: clang: warning: argument '-fbasic-block-sections=labels' is deprecated, use '-fbasic-block-address-map' instead [-Wdeprecated] Add a version check to set the proper option. Link: https://github.com/llvm/llvm-project/pull/110039 [1] Signed-off-by: Rong Xu Reported-by: Nathan Chancellor Suggested-by: Nathan Chancellor Reviewed-by: Nathan Chancellor Tested-by: Nathan Chancellor Signed-off-by: Masahiro Yamada commit d5dc95836147f2e25b134c0ca3a0bc1a5867ea29 Author: Rong Xu Date: Sat Nov 2 10:51:14 2024 -0700 kbuild: Add Propeller configuration for kernel build Add the build support for using Clang's Propeller optimizer. Like AutoFDO, Propeller uses hardware sampling to gather information about the frequency of execution of different code paths within a binary. This information is then used to guide the compiler's optimization decisions, resulting in a more efficient binary. The support requires a Clang compiler LLVM 19 or later, and the create_llvm_prof tool (https://github.com/google/autofdo/releases/tag/v0.30.1). This commit is limited to x86 platforms that support PMU features like LBR on Intel machines and AMD Zen3 BRS. Here is an example workflow for building an AutoFDO+Propeller optimized kernel: 1) Build the kernel on the host machine, with AutoFDO and Propeller build config CONFIG_AUTOFDO_CLANG=y CONFIG_PROPELLER_CLANG=y then $ make LLVM=1 CLANG_AUTOFDO_PROFILE=” is the profile collected when doing a non-Propeller AutoFDO build. This step builds a kernel that has the same optimization level as AutoFDO, plus a metadata section that records basic block information. This kernel image runs as fast as an AutoFDO optimized kernel. 2) Install the kernel on test/production machines. 3) Run the load tests. The '-c' option in perf specifies the sample event period. We suggest using a suitable prime number, like 500009, for this purpose. For Intel platforms: $ perf record -e BR_INST_RETIRED.NEAR_TAKEN:k -a -N -b -c \ -o -- For AMD platforms: The supported system are: Zen3 with BRS, or Zen4 with amd_lbr_v2 # To see if Zen3 support LBR: $ cat proc/cpuinfo | grep " brs" # To see if Zen4 support LBR: $ cat proc/cpuinfo | grep amd_lbr_v2 # If the result is yes, then collect the profile using: $ perf record --pfm-events RETIRED_TAKEN_BRANCH_INSTRUCTIONS:k -a \ -N -b -c -o -- 4) (Optional) Download the raw perf file to the host machine. 5) Generate Propeller profile: $ create_llvm_prof --binary= --profile= \ --format=propeller --propeller_output_module_name \ --out=_cc_profile.txt \ --propeller_symorder=_ld_profile.txt “create_llvm_prof” is the profile conversion tool, and a prebuilt binary for linux can be found on https://github.com/google/autofdo/releases/tag/v0.30.1 (can also build from source). "" can be something like "/home/user/dir/any_string". This command generates a pair of Propeller profiles: "_cc_profile.txt" and "_ld_profile.txt". 6) Rebuild the kernel using the AutoFDO and Propeller profile files. CONFIG_AUTOFDO_CLANG=y CONFIG_PROPELLER_CLANG=y and $ make LLVM=1 CLANG_AUTOFDO_PROFILE= \ CLANG_PROPELLER_PROFILE_PREFIX= Co-developed-by: Han Shen Signed-off-by: Han Shen Signed-off-by: Rong Xu Suggested-by: Sriraman Tallam Suggested-by: Krzysztof Pszeniczny Suggested-by: Nick Desaulniers Suggested-by: Stephane Eranian Tested-by: Yonghong Song Tested-by: Nathan Chancellor Reviewed-by: Kees Cook Signed-off-by: Masahiro Yamada commit 2fd65f7afd5a73b685a1651cb651ade120b53e15 Author: Rong Xu Date: Sat Nov 2 10:51:13 2024 -0700 AutoFDO: Enable machine function split optimization for AutoFDO Enable the machine function split optimization for AutoFDO in Clang. Machine function split (MFS) is a pass in the Clang compiler that splits a function into hot and cold parts. The linker groups all cold blocks across functions together. This decreases hot code fragmentation and improves iCache and iTLB utilization. MFS requires a profile so this is enabled only for the AutoFDO builds. Co-developed-by: Han Shen Signed-off-by: Han Shen Signed-off-by: Rong Xu Suggested-by: Sriraman Tallam Suggested-by: Krzysztof Pszeniczny Tested-by: Yonghong Song Tested-by: Yabin Cui Tested-by: Nathan Chancellor Reviewed-by: Kees Cook Signed-off-by: Masahiro Yamada commit 0847420f5e499a7ab518942fff71482179290163 Author: Rong Xu Date: Sat Nov 2 10:51:12 2024 -0700 AutoFDO: Enable -ffunction-sections for the AutoFDO build Enable -ffunction-sections by default for the AutoFDO build. With -ffunction-sections, the compiler places each function in its own section named .text.function_name instead of placing all functions in the .text section. In the AutoFDO build, this allows the linker to utilize profile information to reorganize functions for improved utilization of iCache and iTLB. Co-developed-by: Han Shen Signed-off-by: Han Shen Signed-off-by: Rong Xu Suggested-by: Sriraman Tallam Tested-by: Yonghong Song Tested-by: Yabin Cui Tested-by: Nathan Chancellor Reviewed-by: Kees Cook Signed-off-by: Masahiro Yamada commit db0b2991ae1aac5ca985ec6fd8ff9bd9b2126c9b Author: Rong Xu Date: Sat Nov 2 10:51:11 2024 -0700 vmlinux.lds.h: Add markers for text_unlikely and text_hot sections Add markers like __hot_text_start, __hot_text_end, __unlikely_text_start, and __unlikely_text_end which will be included in System.map. These markers indicate how the compiler groups functions, providing valuable information to developers about the layout and optimization of the code. Co-developed-by: Han Shen Signed-off-by: Han Shen Signed-off-by: Rong Xu Suggested-by: Sriraman Tallam Tested-by: Yonghong Song Tested-by: Yabin Cui Tested-by: Nathan Chancellor Reviewed-by: Kees Cook Signed-off-by: Masahiro Yamada commit 0043ecea2399ffc8bfd99ed9dbbe766e7c79293c Author: Rong Xu Date: Sat Nov 2 10:51:10 2024 -0700 vmlinux.lds.h: Adjust symbol ordering in text output section When the -ffunction-sections compiler option is enabled, each function is placed in a separate section named .text.function_name rather than putting all functions in a single .text section. However, using -function-sections can cause problems with the linker script. The comments included in include/asm-generic/vmlinux.lds.h note these issues.: “TEXT_MAIN here will match .text.fixup and .text.unlikely if dead code elimination is enabled, so these sections should be converted to use ".." first.” It is unclear whether there is a straightforward method for converting a suffix to "..". This patch modifies the order of subsections within the text output section. Specifically, it changes current order: .text.hot, .text, .text_unlikely, .text.unknown, .text.asan to the new order: .text.asan, .text.unknown, .text_unlikely, .text.hot, .text Here is the rationale behind the new layout: The majority of the code resides in three sections: .text.hot, .text, and .text.unlikely, with .text.unknown containing a negligible amount. .text.asan is only generated in ASAN builds. The primary goal is to group code segments based on their execution frequency (hotness). First, we want to place .text.hot adjacent to .text. Since we cannot put .text.hot after .text (Due to constraints with -ffunction-sections, placing .text.hot after .text is problematic), we need to put .text.hot before .text. Then it comes to .text.unlikely, we cannot put it after .text (same -ffunction-sections issue) . Therefore, we position .text.unlikely before .text.hot. .text.unknown and .tex.asan follow the same logic. This revised ordering effectively reverses the original arrangement (for .text.unlikely, .text.unknown, and .tex.asan), maintaining a similar level of affinity between sections. It also places .text.hot section at the beginning of a page to better utilize the TLB entry. Note that the limitation arises because the linker script employs glob patterns instead of regular expressions for string matching. While there is a method to maintain the current order using complex patterns, this significantly complicates the pattern and increases the likelihood of errors. This patch also changes vmlinux.lds.S for the sparc64 architecture to accommodate specific symbol placement requirements. Co-developed-by: Han Shen Signed-off-by: Han Shen Signed-off-by: Rong Xu Suggested-by: Sriraman Tallam Suggested-by: Krzysztof Pszeniczny Tested-by: Yonghong Song Tested-by: Yabin Cui Tested-by: Nathan Chancellor Reviewed-by: Kees Cook Signed-off-by: Masahiro Yamada commit 52892ed6b03a14b961c1df783ed05763758abc73 Author: Rong Xu Date: Tue Nov 26 09:34:09 2024 -0800 MIPS: Place __kernel_entry at the beginning of text section Mark __kernel_entry as ".head.text" and place HEAD_TEXT before TEXT_TEXT in the linker script. This ensures that __kernel_entry will be placed at the beginning of text section. Drop mips from scripts/head-object-list.txt. Signed-off-by: Rong Xu Reported-by: Chris Packham Closes: https://lore.kernel.org/lkml/c6719149-8531-4174-824e-a3caf4bc6d0e@alliedtelesis.co.nz/T/ Tested-by: Chris Packham Signed-off-by: Masahiro Yamada commit b50ecc5aca4d18f1f0c4942f5c797bc85edef144 Merge: 9160b68e0cf8d5 6d78089da98057 Author: Linus Torvalds Date: Tue Nov 26 14:54:00 2024 -0800 Merge tag 'perf-tools-for-v6.13-2024-11-24' of git://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools Pull perf tools updates from Namhyung Kim: "perf record: - Enable leader sampling for inherited task events. It was supported only for system-wide events but the kernel started to support such a setup since v6.12. This is to reduce the number of PMU interrupts. The samples of the leader event will contain counts of other events and no samples will be generated for the other member events. $ perf record -e '{cycles,instructions}:S' ${MYPROG} perf report: - Fix --branch-history option to display more branch-related information like prediction, abort and cycles which is available on Intel machines. $ perf record -bg -- perf test -w brstack $ perf report --branch-history ... # # Overhead Source:Line Symbol Shared Object Predicted Abort Cycles IPC [IPC Coverage] # ........ ........................ .............. .................... ......... ..... ...... .................... # 8.17% copy_page_64.S:19 [k] copy_page [kernel.kallsyms] 50.0% 0 5 - - | ---xas_load xarray.h:171 | |--5.68%--xas_load xarray.c:245 (cycles:1) | xas_load xarray.c:242 | xas_load xarray.h:1260 (cycles:1) | xas_descend xarray.c:146 | xas_load xarray.c:244 (cycles:2) | xas_load xarray.c:245 | xas_descend xarray.c:218 (cycles:10) ... perf stat: - Add HWMON PMU support. The HWMON provides various system information like CPU/GPU temperature, fan speed and so on. Expose them as PMU events so that users can see the values using perf stat commands. $ perf stat -e temp_cpu,fan1 true Performance counter stats for 'true': 60.00 'C temp_cpu 0 rpm fan1 0.000745382 seconds time elapsed 0.000883000 seconds user 0.000000000 seconds sys - Display metric threshold in JSON output. Some metrics define thresholds to classify value ranges. It used to be in a different color but it won't work for JSON. Add "metric-threshold" field to the JSON that can be one of "good", "less good", "nearly bad" and "bad". # perf stat -a -M TopdownL1 -j true {"counter-value" : "18693525.000000", "unit" : "", "event" : "TOPDOWN.SLOTS", "event-runtime" : 5552708, "pcnt-running" : 100.00, "metric-value" : "43.226002", "metric-unit" : "% tma_backend_bound", "metric-threshold" : "bad"} {"metric-value" : "29.212267", "metric-unit" : "% tma_frontend_bound", "metric-threshold" : "bad"} {"metric-value" : "7.138972", "metric-unit" : "% tma_bad_speculation", "metric-threshold" : "good"} {"metric-value" : "20.422759", "metric-unit" : "% tma_retiring", "metric-threshold" : "good"} {"counter-value" : "3817732.000000", "unit" : "", "event" : "topdown-retiring", "event-runtime" : 5552708, "pcnt-running" : 100.00, } {"counter-value" : "5472824.000000", "unit" : "", "event" : "topdown-fe-bound", "event-runtime" : 5552708, "pcnt-running" : 100.00, } {"counter-value" : "7984780.000000", "unit" : "", "event" : "topdown-be-bound", "event-runtime" : 5552708, "pcnt-running" : 100.00, } {"counter-value" : "1418181.000000", "unit" : "", "event" : "topdown-bad-spec", "event-runtime" : 5552708, "pcnt-running" : 100.00, } ... perf sched: - Add -P/--pre-migrations option for 'timehist' sub-command to track time a task waited on a run-queue before migrating to a different CPU. $ perf sched timehist -P time cpu task name wait time sch delay run time pre-mig time [tid/pid] (msec) (msec) (msec) (msec) --------------- ------ ------------------------------ --------- --------- --------- --------- 585940.535527 [0000] perf[584885] 0.000 0.000 0.000 0.000 585940.535535 [0000] migration/0[20] 0.000 0.002 0.008 0.000 585940.535559 [0001] perf[584885] 0.000 0.000 0.000 0.000 585940.535563 [0001] migration/1[25] 0.000 0.001 0.004 0.000 585940.535678 [0002] perf[584885] 0.000 0.000 0.000 0.000 585940.535686 [0002] migration/2[31] 0.000 0.002 0.008 0.000 585940.535905 [0001] 0.000 0.000 0.342 0.000 585940.535938 [0003] perf[584885] 0.000 0.000 0.000 0.000 585940.537048 [0001] sleep[584886] 0.000 0.019 1.142 0.001 585940.537749 [0002] 0.000 0.000 2.062 0.000 ... Build: - Make libunwind opt-in (LIBUNWIND=1) rather than opt-out. The perf tools are generally built with libelf and libdw which has unwinder functionality. The libunwind support predates it and no need to have duplicate unwinders by default. - Rename NO_DWARF=1 build option to NO_LIBDW=1 in order to clarify it's using libdw for handling DWARF information. Internals: - Do not set exclude_guest bit in the perf_event_attr by default. This was causing a trouble in AMD IBS PMU as it doesn't support the bit. The bit will be set when it's needed later by the fallback logic. Also update the missing feature detection logic to make sure not clear supported bits unnecessarily. - Run perf test in parallel by default and mark flaky tests "exclusive" to run them serially at the end. Some test numbers are changed but the test can complete in less than half the time. JSON vendor events: - Add AMD Zen 5 events and metrics. - Add i.MX91 and i.MX95 DDR metrics - Fix HiSilicon HIP08 Topdown metric name. - Support compat events on PowerPC" * tag 'perf-tools-for-v6.13-2024-11-24' of git://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools: (232 commits) perf tests: Fix hwmon parsing with PMU name test perf hwmon_pmu: Ensure hwmon key union is zeroed before use perf tests hwmon_pmu: Remove double evlist__delete() perf/test: fix perf ftrace test on s390 perf bpf-filter: Return -ENOMEM directly when pfi allocation fails perf test: Correct hwmon test PMU detection perf: Remove unused del_perf_probe_events() perf pmu: Move pmu_metrics_table__find and remove ARM override perf jevents: Add map_for_cpu() perf header: Pass a perf_cpu rather than a PMU to get_cpuid_str perf header: Avoid transitive PMU includes perf arm64 header: Use cpu argument in get_cpuid perf header: Refactor get_cpuid to take a CPU for ARM perf header: Move is_cpu_online to numa bench perf jevents: fix breakage when do perf stat on system metric perf test: Add missing __exit calls in tool/hwmon tests perf tests: Make leader sampling test work without branch event perf util: Remove kernel version deadcode perf test shell trace_exit_race: Use --no-comm to avoid cases where COMM isn't resolved perf test shell trace_exit_race: Show what went wrong in verbose mode ... commit 9160b68e0cf8d57243f17debcb564ce01e327ada Merge: 7ebe7afed71639 a5f05a138a8cac Author: Linus Torvalds Date: Tue Nov 26 14:49:20 2024 -0800 Merge tag 'parisc-for-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux Pull parisc architecture update from Helge Deller: - Fix function graph tracing disablement on parisc * tag 'parisc-for-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux: parisc/ftrace: Fix function graph tracing disablement commit 7ebe7afed716391a9831de8adc910fff65001ef2 Merge: 798bb342e0416d 63a24cf8cc330e Author: Linus Torvalds Date: Tue Nov 26 14:47:58 2024 -0800 Merge tag 'm68knommu-for-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg/m68knommu Pull m68knommu updates from Greg Ungerer: - only include FEC platform entries when hardware supports it - fix typo in ifdef config name * tag 'm68knommu-for-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg/m68knommu: m68k: coldfire/device.c: only build FEC when HW macros are defined m68k: mcfgpio: Fix incorrect register offset for CONFIG_M5441x commit 798bb342e0416d846cf67f4725a3428f39bfb96b Merge: e68ce9474a1dac b7ed2b6f4e8d7f Author: Linus Torvalds Date: Tue Nov 26 14:00:26 2024 -0800 Merge tag 'rust-6.13' of https://github.com/Rust-for-Linux/linux Pull rust updates from Miguel Ojeda: "Toolchain and infrastructure: - Enable a series of lints, including safety-related ones, e.g. the compiler will now warn about missing safety comments, as well as unnecessary ones. How safety documentation is organized is a frequent source of review comments, thus having the compiler guide new developers on where they are expected (and where not) is very nice. - Start using '#[expect]': an interesting feature in Rust (stabilized in 1.81.0) that makes the compiler warn if an expected warning was _not_ emitted. This is useful to avoid forgetting cleaning up locally ignored diagnostics ('#[allow]'s). - Introduce '.clippy.toml' configuration file for Clippy, the Rust linter, which will allow us to tweak its behaviour. For instance, our first use cases are declaring a disallowed macro and, more importantly, enabling the checking of private items. - Lints-related fixes and cleanups related to the items above. - Migrate from 'receiver_trait' to 'arbitrary_self_types': to get the kernel into stable Rust, one of the major pieces of the puzzle is the support to write custom types that can be used as 'self', i.e. as receivers, since the kernel needs to write types such as 'Arc' that common userspace Rust would not. 'arbitrary_self_types' has been accepted to become stable, and this is one of the steps required to get there. - Remove usage of the 'new_uninit' unstable feature. - Use custom C FFI types. Includes a new 'ffi' crate to contain our custom mapping, instead of using the standard library 'core::ffi' one. The actual remapping will be introduced in a later cycle. - Map '__kernel_{size_t,ssize_t,ptrdiff_t}' to 'usize'/'isize' instead of 32/64-bit integers. - Fix 'size_t' in bindgen generated prototypes of C builtins. - Warn on bindgen < 0.69.5 and libclang >= 19.1 due to a double issue in the projects, which we managed to trigger with the upcoming tracepoint support. It includes a build test since some distributions backported the fix (e.g. Debian -- thanks!). All major distributions we list should be now OK except Ubuntu non-LTS. 'macros' crate: - Adapt the build system to be able run the doctests there too; and clean up and enable the corresponding doctests. 'kernel' crate: - Add 'alloc' module with generic kernel allocator support and remove the dependency on the Rust standard library 'alloc' and the extension traits we used to provide fallible methods with flags. Add the 'Allocator' trait and its implementations '{K,V,KV}malloc'. Add the 'Box' type (a heap allocation for a single value of type 'T' that is also generic over an allocator and considers the kernel's GFP flags) and its shorthand aliases '{K,V,KV}Box'. Add 'ArrayLayout' type. Add 'Vec' (a contiguous growable array type) and its shorthand aliases '{K,V,KV}Vec', including iterator support. For instance, now we may write code such as: let mut v = KVec::new(); v.push(1, GFP_KERNEL)?; assert_eq!(&v, &[1]); Treewide, move as well old users to these new types. - 'sync' module: add global lock support, including the 'GlobalLockBackend' trait; the 'Global{Lock,Guard,LockedBy}' types and the 'global_lock!' macro. Add the 'Lock::try_lock' method. - 'error' module: optimize 'Error' type to use 'NonZeroI32' and make conversion functions public. - 'page' module: add 'page_align' function. - Add 'transmute' module with the existing 'FromBytes' and 'AsBytes' traits. - 'block::mq::request' module: improve rendered documentation. - 'types' module: extend 'Opaque' type documentation and add simple examples for the 'Either' types. drm/panic: - Clean up a series of Clippy warnings. Documentation: - Add coding guidelines for lints and the '#[expect]' feature. - Add Ubuntu to the list of distributions in the Quick Start guide. MAINTAINERS: - Add Danilo Krummrich as maintainer of the new 'alloc' module. And a few other small cleanups and fixes" * tag 'rust-6.13' of https://github.com/Rust-for-Linux/linux: (82 commits) rust: alloc: Fix `ArrayLayout` allocations docs: rust: remove spurious item in `expect` list rust: allow `clippy::needless_lifetimes` rust: warn on bindgen < 0.69.5 and libclang >= 19.1 rust: use custom FFI integer types rust: map `__kernel_size_t` and friends also to usize/isize rust: fix size_t in bindgen prototypes of C builtins rust: sync: add global lock support rust: macros: enable the rest of the tests rust: macros: enable paste! use from macro_rules! rust: enable macros::module! tests rust: kbuild: expand rusttest target for macros rust: types: extend `Opaque` documentation rust: block: fix formatting of `kernel::block::mq::request` module rust: macros: fix documentation of the paste! macro rust: kernel: fix THIS_MODULE header path in ThisModule doc comment rust: page: add Rust version of PAGE_ALIGN rust: helpers: remove unnecessary header includes rust: exports: improve grammar in commentary drm/panic: allow verbose version check ... commit 6756af923e06aa33ad8894aaecbf9060953ba00f Author: Jan Kara Date: Tue Nov 26 12:55:12 2024 +0100 udf: Verify inode link counts before performing rename During rename, we are updating link counts of various inodes either when rename deletes target or when moving directory across directories. Verify involved link counts are sane so that we don't trip warnings in VFS. Reported-by: syzbot+3ff7365dc04a6bcafa66@syzkaller.appspotmail.com Signed-off-by: Jan Kara commit c5566903af56dd1abb092f18dcb0c770d6cd8dcb Author: Jan Kara Date: Tue Nov 26 12:46:00 2024 +0100 udf: Skip parent dir link count update if corrupted If the parent directory link count is too low (likely directory inode corruption), just skip updating its link count as if it goes to 0 too early it can cause unexpected issues. Signed-off-by: Jan Kara commit ac6f420291b3fee1113f21d612fa88b628afab5b Author: Ojaswin Mujoo Date: Thu Nov 21 18:08:54 2024 +0530 quota: flush quota_release_work upon quota writeback One of the paths quota writeback is called from is: freeze_super() sync_filesystem() ext4_sync_fs() dquot_writeback_dquots() Since we currently don't always flush the quota_release_work queue in this path, we can end up with the following race: 1. dquot are added to releasing_dquots list during regular operations. 2. FS Freeze starts, however, this does not flush the quota_release_work queue. 3. Freeze completes. 4. Kernel eventually tries to flush the workqueue while FS is frozen which hits a WARN_ON since transaction gets started during frozen state: ext4_journal_check_start+0x28/0x110 [ext4] (unreliable) __ext4_journal_start_sb+0x64/0x1c0 [ext4] ext4_release_dquot+0x90/0x1d0 [ext4] quota_release_workfn+0x43c/0x4d0 Which is the following line: WARN_ON(sb->s_writers.frozen == SB_FREEZE_COMPLETE); Which ultimately results in generic/390 failing due to dmesg noise. This was detected on powerpc machine 15 cores. To avoid this, make sure to flush the workqueue during dquot_writeback_dquots() so we dont have any pending workitems after freeze. Reported-by: Disha Goel CC: stable@vger.kernel.org Fixes: dabc8b207566 ("quota: fix dqput() to follow the guarantees dquot_srcu should provide") Reviewed-by: Baokun Li Signed-off-by: Ojaswin Mujoo Signed-off-by: Jan Kara Link: https://patch.msgid.link/20241121123855.645335-2-ojaswin@linux.ibm.com commit e68ce9474a1dac72ea9b1eab25bcd7a5b28adc79 Merge: 6daf0882c63a9f 83a474c11e8cb5 Author: Linus Torvalds Date: Tue Nov 26 13:44:27 2024 -0800 Merge tag 'docs-6.13-2' of git://git.lwn.net/linux Pull more documentation updates from Jonathan Corbet: "A few late-arriving fixes, plus two more significant changes that were *almost* ready at the beginning of the merge window: - A new document on debugging techniques from Sebastian Fricke - A clarification on MODULE_LICENSE terms meant to head off the sort of confusion that led to the recent Tuxedo Computers mess" * tag 'docs-6.13-2' of git://git.lwn.net/linux: docs: Add debugging guide for the media subsystem docs: Add debugging section to process docs/licensing: Clarify wording about "GPL" and "Proprietary" docs: core-api/gfp_mask-from-fs-io: indicate that vmalloc supports GFP_NOFS/GFP_NOIO Documentation: kernel-doc: enumerate identifier *type*s Documentation: pwrseq: Fix trivial misspellings Documentation: filesystems: update filename extensions commit 6daf0882c63a9f9347a1268a042652fffaa99509 Merge: 1675db5c42b780 7ff3e945a35ac4 Author: Linus Torvalds Date: Tue Nov 26 13:39:02 2024 -0800 Merge tag 'vfs-6.13.ecryptfs.mount.api' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull ecryptfs mount api conversion from Christian Brauner: "Convert ecryptfs to the new mount api" * tag 'vfs-6.13.ecryptfs.mount.api' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: ecryptfs: Fix spelling mistake "validationg" -> "validating" ecryptfs: Convert ecryptfs to use the new mount API ecryptfs: Factor out mount option validation commit 1675db5c42b780f8a6d45d080d5ac037d9714f7a Merge: 9ad8d22f2f3fad a312c10c0186b3 Author: Linus Torvalds Date: Tue Nov 26 13:26:15 2024 -0800 Merge tag 'vfs-6.13.exportfs' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull vfs exportfs updates from Christian Brauner: "This contains work to bring NFS connectable file handles to userspace servers. The name_to_handle_at() system call is extended to encode connectable file handles. Such file handles can be resolved to an open file with a connected path. So far userspace NFS servers couldn't make use of this functionality even though the kernel does already support it. This is achieved by introducing a new flag for name_to_handle_at(). Similarly, the open_by_handle_at() system call is tought to understand connectable file handles explicitly created via name_to_handle_at()" * tag 'vfs-6.13.exportfs' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: fs: open_by_handle_at() support for decoding "explicit connectable" file handles fs: name_to_handle_at() support for "explicit connectable" file handles fs: prepare for "explicit connectable" file handles commit 9ad8d22f2f3fad7a366c9772362795ef6d6a2d51 Merge: 445d9f05fa1495 e0020ba6cbcbfb Author: Linus Torvalds Date: Tue Nov 26 13:18:00 2024 -0800 Merge tag 'vfs-6.13.rust.pid_namespace' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull pid_namespace rust bindings from Christian Brauner: "This contains my Rust bindings for pid namespaces needed for various rust drivers. Here's a description of the basic C semantics and how they are mapped to Rust. The pid namespace of a task doesn't ever change once the task is alive. A unshare(CLONE_NEWPID) or setns(fd_pidns/pidfd, CLONE_NEWPID) will not have an effect on the calling task's pid namespace. It will only effect the pid namespace of children created by the calling task. This invariant guarantees that after having acquired a reference to a task's pid namespace it will remain unchanged. When a task has exited and been reaped release_task() will be called. This will set the pid namespace of the task to NULL. So retrieving the pid namespace of a task that is dead will return NULL. Note, that neither holding the RCU lock nor holding a reference count to the task will prevent release_task() from being called. In order to retrieve the pid namespace of a task the task_active_pid_ns() function can be used. There are two cases to consider: (1) retrieving the pid namespace of the current task (2) retrieving the pid namespace of a non-current task From system call context retrieving the pid namespace for case (1) is always safe and requires neither RCU locking nor a reference count to be held. Retrieving the pid namespace after release_task() for current will return NULL but no codepath like that is exposed to Rust. Retrieving the pid namespace from system call context for (2) requires RCU protection. Accessing a pid namespace outside of RCU protection requires a reference count that must've been acquired while holding the RCU lock. Note that accessing a non-current task means NULL can be returned as the non-current task could have already passed through release_task(). To retrieve (1) the current_pid_ns!() macro should be used. It ensures that the returned pid namespace cannot outlive the calling scope. The associated current_pid_ns() function should not be called directly as it could be abused to created an unbounded lifetime for the pid namespace. The current_pid_ns!() macro allows Rust to handle the common case of accessing current's pid namespace without RCU protection and without having to acquire a reference count. For (2) the task_get_pid_ns() method must be used. This will always acquire a reference on the pid namespace and will return an Option to force the caller to explicitly handle the case where pid namespace is None. Something that tends to be forgotten when doing the equivalent operation in C. Missing RCU primitives make it difficult to perform operations that are otherwise safe without holding a reference count as long as RCU protection is guaranteed. But it is not important currently. But we do want it in the future. Note that for (2) the required RCU protection around calling task_active_pid_ns() synchronizes against putting the last reference of the associated struct pid of task->thread_pid. The struct pid stored in that field is used to retrieve the pid namespace of the caller. When release_task() is called task->thread_pid will be NULLed and put_pid() on said struct pid will be delayed in free_pid() via call_rcu() allowing everyone with an RCU protected access to the struct pid acquired from task->thread_pid to finish" * tag 'vfs-6.13.rust.pid_namespace' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: rust: add PidNamespace commit 445d9f05fa149556422f7fdd52dacf487cc8e7be Merge: 44b4d13b70f682 583772eec7b009 Author: Linus Torvalds Date: Tue Nov 26 12:59:30 2024 -0800 Merge tag 'nfsd-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux Pull nfsd updates from Chuck Lever: "Jeff Layton contributed a scalability improvement to NFSD's NFSv4 backchannel session implementation. This improvement is intended to increase the rate at which NFSD can safely recall NFSv4 delegations from clients, to avoid the need to revoke them. Revoking requires a slow state recovery process. A wide variety of bug fixes and other incremental improvements make up the bulk of commits in this series. As always I am grateful to the NFSD contributors, reviewers, testers, and bug reporters who participated during this cycle" * tag 'nfsd-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux: (72 commits) nfsd: allow for up to 32 callback session slots nfs_common: must not hold RCU while calling nfsd_file_put_local nfsd: get rid of include ../internal.h nfsd: fix nfs4_openowner leak when concurrent nfsd4_open occur NFSD: Add nfsd4_copy time-to-live NFSD: Add a laundromat reaper for async copy state NFSD: Block DESTROY_CLIENTID only when there are ongoing async COPY operations NFSD: Handle an NFS4ERR_DELAY response to CB_OFFLOAD NFSD: Free async copy information in nfsd4_cb_offload_release() NFSD: Fix nfsd4_shutdown_copy() NFSD: Add a tracepoint to record canceled async COPY operations nfsd: make nfsd4_session->se_flags a bool nfsd: remove nfsd4_session->se_bchannel nfsd: make use of warning provided by refcount_t nfsd: Don't fail OP_SETCLIENTID when there are too many clients. svcrdma: fix miss destroy percpu_counter in svc_rdma_proc_init() xdrgen: Remove program_stat_to_errno() call sites xdrgen: Update the files included in client-side source code xdrgen: Remove check for "nfs_ok" in C templates xdrgen: Remove tracepoint call site ... commit 44b4d13b70f682a86fee356786cc3e17987fae4d Merge: fb527fc1f36e25 bc8aeb04fd80cb Author: Linus Torvalds Date: Tue Nov 26 12:50:58 2024 -0800 Merge tag 'f2fs-for-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs Pull f2fs updates from Jaegeuk Kim: "This series introduces a device aliasing feature where user can carve out partitions but reclaim the space back by deleting aliased file in root dir. In addition to that, there're numerous minor bug fixes in zoned device support, checkpoint=disable, extent cache management, fiemap, and lazytime mount option. The full list of noticeable changes can be found below. Enhancements: - introduce device aliasing file - add stats in debugfs to show multiple devices - add a sysfs node to limit max read extent count per-inode - modify f2fs_is_checkpoint_ready logic to allow more data to be written with the CP disable - decrease spare area for pinned files for zoned devices Fixes: - Revert "f2fs: remove unreachable lazytime mount option parsing" - adjust unusable cap before checkpoint=disable mode - fix to drop all discards after creating snapshot on lvm device - fix to shrink read extent node in batches - fix changing cursegs if recovery fails on zoned device - fix to adjust appropriate length for fiemap - fix fiemap failure issue when page size is 16KB - fix to avoid forcing direct write to use buffered IO on inline_data inode - fix to map blocks correctly for direct write - fix to account dirty data in __get_secs_required() - fix null-ptr-deref in f2fs_submit_page_bio() - fix inconsistent update of i_blocks in release_compress_blocks and reserve_compress_blocks" * tag 'f2fs-for-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs: (40 commits) f2fs: fix to drop all discards after creating snapshot on lvm device f2fs: add a sysfs node to limit max read extent count per-inode f2fs: fix to shrink read extent node in batches f2fs: print message if fscorrupted was found in f2fs_new_node_page() f2fs: clear SBI_POR_DOING before initing inmem curseg f2fs: fix changing cursegs if recovery fails on zoned device f2fs: adjust unusable cap before checkpoint=disable mode f2fs: fix to requery extent which cross boundary of inquiry f2fs: fix to adjust appropriate length for fiemap f2fs: clean up w/ F2FS_{BLK_TO_BYTES,BTYES_TO_BLK} f2fs: fix to do cast in F2FS_{BLK_TO_BYTES, BTYES_TO_BLK} to avoid overflow f2fs: replace deprecated strcpy with strscpy Revert "f2fs: remove unreachable lazytime mount option parsing" f2fs: fix to avoid forcing direct write to use buffered IO on inline_data inode f2fs: fix to map blocks correctly for direct write f2fs: fix race in concurrent f2fs_stop_gc_thread f2fs: fix fiemap failure issue when page size is 16KB f2fs: remove redundant atomic file check in defragment f2fs: fix to convert log type to segment data type correctly f2fs: clean up the unused variable additional_reserved_segments ... commit 49c5c63d48eb5b110580e4c4b937f0006fcc9b10 Author: Jens Axboe Date: Tue Nov 26 13:42:27 2024 -0700 io_uring: fix task_work cap overshooting A previous commit fixed task_work overrunning by a lot more than what the user asked for, by adding a retry list. However, it didn't cap the overall count, hence for multiple task_work runs inside the same wait loop, it'd still overshoot the target by potentially a large amount. Cap it generally inside the wait path. Note that this will still overshoot the default limit of 20, but should overshoot by no more than limit-1 in addition to the limit. That still provides a ceiling over how much task_work will be run, rather than still having gaps where it was uncapped essentially. Fixes: f46b9cdb22f7 ("io_uring: limit local tw done") Signed-off-by: Jens Axboe commit fb527fc1f36e252cd1f62a26be4906949e7708ff Merge: ff2a7a064a6906 d1dfb5f52ffc4a Author: Linus Torvalds Date: Tue Nov 26 12:41:27 2024 -0800 Merge tag 'fuse-update-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse Pull fuse updates from Miklos Szeredi: - Add page -> folio conversions (Joanne Koong, Josef Bacik) - Allow max size of fuse requests to be configurable with a sysctl (Joanne Koong) - Allow FOPEN_DIRECT_IO to take advantage of async code path (yangyun) - Fix large kernel reads (like a module load) in virtio_fs (Hou Tao) - Fix attribute inconsistency in case readdirplus (and plain lookup in corner cases) is racing with inode eviction (Zhang Tianci) - Fix a WARN_ON triggered by virtio_fs (Asahi Lina) * tag 'fuse-update-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse: (30 commits) virtiofs: dax: remove ->writepages() callback fuse: check attributes staleness on fuse_iget() fuse: remove pages for requests and exclusively use folios fuse: convert direct io to use folios mm/writeback: add folio_mark_dirty_lock() fuse: convert writebacks to use folios fuse: convert retrieves to use folios fuse: convert ioctls to use folios fuse: convert writes (non-writeback) to use folios fuse: convert reads to use folios fuse: convert readdir to use folios fuse: convert readlink to use folios fuse: convert cuse to use folios fuse: add support in virtio for requests using folios fuse: support folios in struct fuse_args_pages and fuse_copy_pages() fuse: convert fuse_notify_store to use folios fuse: convert fuse_retrieve to use folios fuse: use the folio based vmstat helpers fuse: convert fuse_writepage_need_send to take a folio fuse: convert fuse_do_readpage to use folios ... commit ff2a7a064a69069554564f52b6a84fc8a8c7d688 Merge: 7eef7e306d3c40 ffd1cf0443a208 Author: Linus Torvalds Date: Tue Nov 26 12:34:50 2024 -0800 Merge tag 'gfs2-for-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2 Pull gfs2 updates from Andreas Gruenbacher: - Fix the code that cleans up left-over unlinked files. Various fixes and minor improvements in deleting files cached or held open remotely. - Simplify the use of dlm's DLM_LKF_QUECVT flag. - A few other minor cleanups. * tag 'gfs2-for-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2: (21 commits) gfs2: Prevent inode creation race gfs2: Only defer deletes when we have an iopen glock gfs2: Simplify DLM_LKF_QUECVT use gfs2: gfs2_evict_inode clarification gfs2: Make gfs2_inode_refresh static gfs2: Use get_random_u32 in gfs2_orlov_skip gfs2: Randomize GLF_VERIFY_DELETE work delay gfs2: Use mod_delayed_work in gfs2_queue_try_to_evict gfs2: Update to the evict / remote delete documentation gfs2: Call gfs2_queue_verify_delete from gfs2_evict_inode gfs2: Clean up delete work processing gfs2: Minor delete_work_func cleanup gfs2: Return enum evict_behavior from gfs2_upgrade_iopen_glock gfs2: Rename dinode_demise to evict_behavior gfs2: Rename GIF_{DEFERRED -> DEFER}_DELETE gfs2: Faster gfs2_upgrade_iopen_glock wakeups KMSAN: uninit-value in inode_go_dump (5) gfs2: Fix unlinked inode cleanup gfs2: Allow immediate GLF_VERIFY_DELETE work gfs2: Initialize gl_no_formal_ino earlier ... commit 8d4f1e05ff821a5d59116ab8c3a30fcae81d8597 Author: Palmer Dabbelt Date: Tue Nov 26 06:32:50 2024 -0800 RISC-V: Remove unnecessary include from compat.h Without this I get a bunch of build errors like In file included from ./include/linux/sched/task_stack.h:12, from ./arch/riscv/include/asm/compat.h:12, from ./arch/riscv/include/asm/pgtable.h:115, from ./include/linux/pgtable.h:6, from ./include/linux/mm.h:30, from arch/riscv/kernel/asm-offsets.c:8: ./include/linux/kasan.h:50:37: error: ‘MAX_PTRS_PER_PTE’ undeclared here (not in a function); did you mean ‘PTRS_PER_PTE’? 50 | extern pte_t kasan_early_shadow_pte[MAX_PTRS_PER_PTE + PTE_HWTABLE_PTRS]; | ^~~~~~~~~~~~~~~~ | PTRS_PER_PTE ./include/linux/kasan.h:51:8: error: unknown type name ‘pmd_t’; did you mean ‘pgd_t’? 51 | extern pmd_t kasan_early_shadow_pmd[MAX_PTRS_PER_PMD]; | ^~~~~ | pgd_t ./include/linux/kasan.h:51:37: error: ‘MAX_PTRS_PER_PMD’ undeclared here (not in a function); did you mean ‘PTRS_PER_PGD’? 51 | extern pmd_t kasan_early_shadow_pmd[MAX_PTRS_PER_PMD]; | ^~~~~~~~~~~~~~~~ | PTRS_PER_PGD ./include/linux/kasan.h:52:8: error: unknown type name ‘pud_t’; did you mean ‘pgd_t’? 52 | extern pud_t kasan_early_shadow_pud[MAX_PTRS_PER_PUD]; | ^~~~~ | pgd_t ./include/linux/kasan.h:52:37: error: ‘MAX_PTRS_PER_PUD’ undeclared here (not in a function); did you mean ‘PTRS_PER_PGD’? 52 | extern pud_t kasan_early_shadow_pud[MAX_PTRS_PER_PUD]; | ^~~~~~~~~~~~~~~~ | PTRS_PER_PGD ./include/linux/kasan.h:53:8: error: unknown type name ‘p4d_t’; did you mean ‘pgd_t’? 53 | extern p4d_t kasan_early_shadow_p4d[MAX_PTRS_PER_P4D]; | ^~~~~ | pgd_t ./include/linux/kasan.h:53:37: error: ‘MAX_PTRS_PER_P4D’ undeclared here (not in a function); did you mean ‘PTRS_PER_PGD’? 53 | extern p4d_t kasan_early_shadow_p4d[MAX_PTRS_PER_P4D]; | ^~~~~~~~~~~~~~~~ | PTRS_PER_PGD Link: https://lore.kernel.org/r/20241126143250.29708-1-palmer@rivosinc.com Signed-off-by: Palmer Dabbelt commit 3448ad23b34e43a2526bd0f9e1221e8de876adec Author: Zijian Zhang Date: Wed Oct 16 23:48:37 2024 +0000 selftests/bpf: Add apply_bytes test to test_txmsg_redir_wait_sndmem in test_sockmap Add this to more comprehensively test the socket memory accounting logic in the __SK_REDIRECT and __SK_DROP cases of tcp_bpf_sendmsg. We don't have test when apply_bytes are not zero in test_txmsg_redir_wait_sndmem. test_send_large has opt->rate=2, it will invoke sendmsg two times. Specifically, the first sendmsg will trigger the case where the ret value of tcp_bpf_sendmsg_redir is less than 0; while the second sendmsg happens after the 3 seconds timeout, and it will trigger __SK_DROP because socket c2 has been removed from the sockmap/hash. Signed-off-by: Zijian Zhang Signed-off-by: Daniel Borkmann Acked-by: John Fastabend Link: https://lore.kernel.org/bpf/20241016234838.3167769-2-zijianzhang@bytedance.com commit ca70b8baf2bd125b2a4d96e76db79375c07d7ff2 Author: Zijian Zhang Date: Wed Oct 16 23:48:38 2024 +0000 tcp_bpf: Fix the sk_mem_uncharge logic in tcp_bpf_sendmsg The current sk memory accounting logic in __SK_REDIRECT is pre-uncharging tosend bytes, which is either msg->sg.size or a smaller value apply_bytes. Potential problems with this strategy are as follows: - If the actual sent bytes are smaller than tosend, we need to charge some bytes back, as in line 487, which is okay but seems not clean. - When tosend is set to apply_bytes, as in line 417, and (ret < 0), we may miss uncharging (msg->sg.size - apply_bytes) bytes. [...] 415 tosend = msg->sg.size; 416 if (psock->apply_bytes && psock->apply_bytes < tosend) 417 tosend = psock->apply_bytes; [...] 443 sk_msg_return(sk, msg, tosend); 444 release_sock(sk); 446 origsize = msg->sg.size; 447 ret = tcp_bpf_sendmsg_redir(sk_redir, redir_ingress, 448 msg, tosend, flags); 449 sent = origsize - msg->sg.size; [...] 454 lock_sock(sk); 455 if (unlikely(ret < 0)) { 456 int free = sk_msg_free_nocharge(sk, msg); 458 if (!cork) 459 *copied -= free; 460 } [...] 487 if (eval == __SK_REDIRECT) 488 sk_mem_charge(sk, tosend - sent); [...] When running the selftest test_txmsg_redir_wait_sndmem with txmsg_apply, the following warning will be reported: ------------[ cut here ]------------ WARNING: CPU: 6 PID: 57 at net/ipv4/af_inet.c:156 inet_sock_destruct+0x190/0x1a0 Modules linked in: CPU: 6 UID: 0 PID: 57 Comm: kworker/6:0 Not tainted 6.12.0-rc1.bm.1-amd64+ #43 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 Workqueue: events sk_psock_destroy RIP: 0010:inet_sock_destruct+0x190/0x1a0 RSP: 0018:ffffad0a8021fe08 EFLAGS: 00010206 RAX: 0000000000000011 RBX: ffff9aab4475b900 RCX: ffff9aab481a0800 RDX: 0000000000000303 RSI: 0000000000000011 RDI: ffff9aab4475b900 RBP: ffff9aab4475b990 R08: 0000000000000000 R09: ffff9aab40050ec0 R10: 0000000000000000 R11: ffff9aae6fdb1d01 R12: ffff9aab49c60400 R13: ffff9aab49c60598 R14: ffff9aab49c60598 R15: dead000000000100 FS: 0000000000000000(0000) GS:ffff9aae6fd80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffec7e47bd8 CR3: 00000001a1a1c004 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: ? __warn+0x89/0x130 ? inet_sock_destruct+0x190/0x1a0 ? report_bug+0xfc/0x1e0 ? handle_bug+0x5c/0xa0 ? exc_invalid_op+0x17/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? inet_sock_destruct+0x190/0x1a0 __sk_destruct+0x25/0x220 sk_psock_destroy+0x2b2/0x310 process_scheduled_works+0xa3/0x3e0 worker_thread+0x117/0x240 ? __pfx_worker_thread+0x10/0x10 kthread+0xcf/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x40 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 ---[ end trace 0000000000000000 ]--- In __SK_REDIRECT, a more concise way is delaying the uncharging after sent bytes are finalized, and uncharge this value. When (ret < 0), we shall invoke sk_msg_free. Same thing happens in case __SK_DROP, when tosend is set to apply_bytes, we may miss uncharging (msg->sg.size - apply_bytes) bytes. The same warning will be reported in selftest. [...] 468 case __SK_DROP: 469 default: 470 sk_msg_free_partial(sk, msg, tosend); 471 sk_msg_apply_bytes(psock, tosend); 472 *copied -= (tosend + delta); 473 return -EACCES; [...] So instead of sk_msg_free_partial we can do sk_msg_free here. Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface") Fixes: 8ec95b94716a ("bpf, sockmap: Fix the sk->sk_forward_alloc warning of sk_stream_kill_queues") Signed-off-by: Zijian Zhang Signed-off-by: Daniel Borkmann Acked-by: John Fastabend Link: https://lore.kernel.org/bpf/20241016234838.3167769-3-zijianzhang@bytedance.com commit cc47268cb4841c84d54f0ac73858986bcd515eb4 Author: Uwe Kleine-König Date: Sat Nov 9 18:38:27 2024 +0100 irqchip: Switch back to struct platform_driver::remove() After commit 0edb555a65d1 ("platform: Make platform_driver::remove() return void") .remove() is (again) the right callback to implement for platform drivers. Convert all platform drivers below drivers/irqchip/ to use .remove(), with the eventual goal to drop struct platform_driver::remove_new(). As .remove() and .remove_new() have the same prototypes, conversion is done by just changing the structure member name in the driver initializer. Signed-off-by: Uwe Kleine-König Signed-off-by: Thomas Gleixner Link: https://lore.kernel.org/all/20241109173828.291172-2-u.kleine-koenig@baylibre.com commit f82e62d470cc990ebd9d691f931dd418e4e9cea9 Author: Zhou Wang Date: Sat Nov 16 16:01:26 2024 +0800 irqchip/gicv3-its: Add workaround for hip09 ITS erratum 162100801 When enabling GICv4.1 in hip09, VMAPP fails to clear some caches during the unmap operation, which can causes vSGIs to be lost. To fix the issue, invalidate the related vPE cache through GICR_INVALLR after VMOVP. Suggested-by: Marc Zyngier Co-developed-by: Nianyao Tang Signed-off-by: Nianyao Tang Signed-off-by: Zhou Wang Signed-off-by: Thomas Gleixner Reviewed-by: Marc Zyngier commit 12aaf67584cf19dc84615b7aba272fe642c35b8b Author: Russell King (Oracle) Date: Thu Nov 21 12:48:25 2024 +0000 irqchip/irq-mvebu-sei: Move misplaced select() callback to SEI CP domain Commit fbdf14e90ce4 ("irqchip/irq-mvebu-sei: Switch to MSI parent") introduced in v6.11-rc1 broke Mavell Armada platforms (and possibly others) by incorrectly switching irq-mvebu-sei to MSI parent. In the above commit, msi_parent_ops is set for the sei->cp_domain, but rather than adding a .select method to mvebu_sei_cp_domain_ops (which is associated with sei->cp_domain), it was added to mvebu_sei_domain_ops which is associated with sei->sei_domain, which doesn't have any msi_parent_ops. This makes the call to msi_lib_irq_domain_select() always fail. This bug manifests itself with the following kernel messages on Armada 8040 based systems: platform f21e0000.interrupt-controller:interrupt-controller@50: deferred probe pending: (reason unknown) platform f41e0000.interrupt-controller:interrupt-controller@50: deferred probe pending: (reason unknown) Move the select callback to mvebu_sei_cp_domain_ops to cure it. Fixes: fbdf14e90ce4 ("irqchip/irq-mvebu-sei: Switch to MSI parent") Signed-off-by: Russell King (Oracle) Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org Link: https://lore.kernel.org/all/E1tE6bh-004CmX-QU@rmk-PC.armlinux.org.uk commit cf87766dd6f9ddcceaa8ee26e3cbd7538e42dd19 Merge: c66f759832a83c 2957fa4931a3b6 Author: Christian Brauner Date: Tue Nov 26 18:15:06 2024 +0100 Merge branch 'ovl.fixes' Bring in an overlayfs fix for v6.13-rc1 that fixes a bug introduced by the overlayfs changes merged for v6.13. Signed-off-by: Christian Brauner commit 2957fa4931a3b658d8e54eda9439d4c57967e8ad Author: Amir Goldstein Date: Tue Nov 26 15:53:42 2024 +0100 fs/backing_file: fix wrong argument in callback Commit 48b50624aec4 ("backing-file: clean up the API") unintentionally changed the argument in the ->accessed() callback from the user file to the backing file. Fixes: 48b50624aec4 ("backing-file: clean up the API") Reported-by: syzbot+8d1206605b05ca9a0e6a@syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-unionfs/67447b3c.050a0220.1cc393.0085.GAE@google.com/ Tested-by: syzbot+8d1206605b05ca9a0e6a@syzkaller.appspotmail.com Signed-off-by: Amir Goldstein Link: https://lore.kernel.org/r/20241126145342.364869-1-amir73il@gmail.com Acked-by: Miklos Szeredi Signed-off-by: Christian Brauner commit 6b64128a74ebcacc5a0de5a74834e3b9f47a354c Author: Sebastian Andrzej Siewior Date: Tue Nov 19 17:18:19 2024 +0100 selftests/bpf: Check for PREEMPTION instead of PREEMPT CONFIG_PREEMPT is a preemtion model the so called "Low-Latency Desktop". A different preemption model is PREEMPT_RT the so called "Real-Time". Both implement preemption in kernel and set CONFIG_PREEMPTION. There is also the so called "LAZY PREEMPT" which the "Scheduler controlled preemption model". Here we have also preemption in the kernel the rules are slightly different. Therefore the testsuite should not check for CONFIG_PREEMPT (as one model) but for CONFIG_PREEMPTION to figure out if preemption in the kernel is possible. Signed-off-by: Sebastian Andrzej Siewior Link: https://lore.kernel.org/r/20241119161819.qvEcs-n_@linutronix.de Signed-off-by: Alexei Starovoitov commit ed9588554943097bdf09588a8a105fbb058869c5 Author: Edward Adam Davis Date: Tue Nov 26 07:58:43 2024 +0800 Bluetooth: SCO: remove the redundant sco_conn_put When adding conn, it is necessary to increase and retain the conn reference count at the same time. Another problem was fixed along the way, conn_put is missing when hcon is NULL in the timeout routine. Fixes: e6720779ae61 ("Bluetooth: SCO: Use kref to track lifetime of sco_conn") Reported-and-tested-by: syzbot+489f78df4709ac2bfdd3@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=489f78df4709ac2bfdd3 Signed-off-by: Edward Adam Davis Signed-off-by: Luiz Augusto von Dentz commit a66dfaf18fd61bb75ef8cee83db46b2aadf153d0 Author: Luiz Augusto von Dentz Date: Thu Nov 21 11:09:22 2024 -0500 Bluetooth: MGMT: Fix possible deadlocks This fixes possible deadlocks like the following caused by hci_cmd_sync_dequeue causing the destroy function to run: INFO: task kworker/u19:0:143 blocked for more than 120 seconds. Tainted: G W O 6.8.0-2024-03-19-intel-next-iLS-24ww14 #1 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/u19:0 state:D stack:0 pid:143 tgid:143 ppid:2 flags:0x00004000 Workqueue: hci0 hci_cmd_sync_work [bluetooth] Call Trace: __schedule+0x374/0xaf0 schedule+0x3c/0xf0 schedule_preempt_disabled+0x1c/0x30 __mutex_lock.constprop.0+0x3ef/0x7a0 __mutex_lock_slowpath+0x13/0x20 mutex_lock+0x3c/0x50 mgmt_set_connectable_complete+0xa4/0x150 [bluetooth] ? kfree+0x211/0x2a0 hci_cmd_sync_dequeue+0xae/0x130 [bluetooth] ? __pfx_cmd_complete_rsp+0x10/0x10 [bluetooth] cmd_complete_rsp+0x26/0x80 [bluetooth] mgmt_pending_foreach+0x4d/0x70 [bluetooth] __mgmt_power_off+0x8d/0x180 [bluetooth] ? _raw_spin_unlock_irq+0x23/0x40 hci_dev_close_sync+0x445/0x5b0 [bluetooth] hci_set_powered_sync+0x149/0x250 [bluetooth] set_powered_sync+0x24/0x60 [bluetooth] hci_cmd_sync_work+0x90/0x150 [bluetooth] process_one_work+0x13e/0x300 worker_thread+0x2f7/0x420 ? __pfx_worker_thread+0x10/0x10 kthread+0x107/0x140 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x3d/0x60 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 Tested-by: Kiran K Fixes: f53e1c9c726d ("Bluetooth: MGMT: Fix possible crash on mgmt_index_removed") Signed-off-by: Luiz Augusto von Dentz commit 0b882940665ca2849386ee459d4331aa2f8c4e7d Author: Luiz Augusto von Dentz Date: Fri Nov 15 10:45:31 2024 -0500 Bluetooth: MGMT: Fix slab-use-after-free Read in set_powered_sync This fixes the following crash: ================================================================== BUG: KASAN: slab-use-after-free in set_powered_sync+0x3a/0xc0 net/bluetooth/mgmt.c:1353 Read of size 8 at addr ffff888029b4dd18 by task kworker/u9:0/54 CPU: 1 UID: 0 PID: 54 Comm: kworker/u9:0 Not tainted 6.11.0-rc6-syzkaller-01155-gf723224742fc #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Workqueue: hci0 hci_cmd_sync_work Call Trace: __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 q kasan_report+0x143/0x180 mm/kasan/report.c:601 set_powered_sync+0x3a/0xc0 net/bluetooth/mgmt.c:1353 hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:328 process_one_work kernel/workqueue.c:3231 [inline] process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312 worker_thread+0x86d/0xd10 kernel/workqueue.c:3389 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Allocated by task 5247: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:370 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387 kasan_kmalloc include/linux/kasan.h:211 [inline] __kmalloc_cache_noprof+0x19c/0x2c0 mm/slub.c:4193 kmalloc_noprof include/linux/slab.h:681 [inline] kzalloc_noprof include/linux/slab.h:807 [inline] mgmt_pending_new+0x65/0x250 net/bluetooth/mgmt_util.c:269 mgmt_pending_add+0x36/0x120 net/bluetooth/mgmt_util.c:296 set_powered+0x3cd/0x5e0 net/bluetooth/mgmt.c:1394 hci_mgmt_cmd+0xc47/0x11d0 net/bluetooth/hci_sock.c:1712 hci_sock_sendmsg+0x7b8/0x11c0 net/bluetooth/hci_sock.c:1832 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:745 sock_write_iter+0x2dd/0x400 net/socket.c:1160 new_sync_write fs/read_write.c:497 [inline] vfs_write+0xa72/0xc90 fs/read_write.c:590 ksys_write+0x1a0/0x2c0 fs/read_write.c:643 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 5246: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2256 [inline] slab_free mm/slub.c:4477 [inline] kfree+0x149/0x360 mm/slub.c:4598 settings_rsp+0x2bc/0x390 net/bluetooth/mgmt.c:1443 mgmt_pending_foreach+0xd1/0x130 net/bluetooth/mgmt_util.c:259 __mgmt_power_off+0x112/0x420 net/bluetooth/mgmt.c:9455 hci_dev_close_sync+0x665/0x11a0 net/bluetooth/hci_sync.c:5191 hci_dev_do_close net/bluetooth/hci_core.c:483 [inline] hci_dev_close+0x112/0x210 net/bluetooth/hci_core.c:508 sock_do_ioctl+0x158/0x460 net/socket.c:1222 sock_ioctl+0x629/0x8e0 net/socket.c:1341 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83gv entry_SYSCALL_64_after_hwframe+0x77/0x7f Reported-by: syzbot+03d6270b6425df1605bf@syzkaller.appspotmail.com Tested-by: syzbot+03d6270b6425df1605bf@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=03d6270b6425df1605bf Fixes: 275f3f648702 ("Bluetooth: Fix not checking MGMT cmd pending queue") Signed-off-by: Luiz Augusto von Dentz commit 6fc3a49f23856fdf155ab35f2244295f7870bf83 Author: Marc Zyngier Date: Mon Nov 25 09:47:56 2024 +0000 KVM: arm64: Fix S1/S2 combination when FWB==1 and S2 has Device memory type The G.a revision of the ARM ARM had it pretty clear that HCR_EL2.FWB had no influence on "The way that stage 1 memory types and attributes are combined with stage 2 Device type and attributes." (D5.5.5). However, this wording was lost in further revisions of the architecture. Restore the intended behaviour, which is to take the strongest memory type of S1 and S2 in this case, as if FWB was 0. The specification is being fixed accordingly. Fixes: be04cebf3e788 ("KVM: arm64: nv: Add emulation of AT S12E{0,1}{R,W}") Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20241125094756.609590-1-maz@kernel.org Signed-off-by: Oliver Upton commit 0c0a4eae26ac78379d0c1db053de168a8febc6c9 Author: Pavel Begunkov Date: Tue Nov 26 00:34:18 2024 +0000 io_uring: check for overflows in io_pin_pages WARNING: CPU: 0 PID: 5834 at io_uring/memmap.c:144 io_pin_pages+0x149/0x180 io_uring/memmap.c:144 CPU: 0 UID: 0 PID: 5834 Comm: syz-executor825 Not tainted 6.12.0-next-20241118-syzkaller #0 Call Trace: __io_uaddr_map+0xfb/0x2d0 io_uring/memmap.c:183 io_rings_map io_uring/io_uring.c:2611 [inline] io_allocate_scq_urings+0x1c0/0x650 io_uring/io_uring.c:3470 io_uring_create+0x5b5/0xc00 io_uring/io_uring.c:3692 io_uring_setup io_uring/io_uring.c:3781 [inline] ... io_pin_pages()'s uaddr parameter came directly from the user and can be garbage. Don't just add size to it as it can overflow. Cc: stable@vger.kernel.org Reported-by: syzbot+2159cbb522b02847c053@syzkaller.appspotmail.com Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/1b7520ddb168e1d537d64be47414a0629d0d8f8f.1732581026.git.asml.silence@gmail.com Signed-off-by: Jens Axboe commit 1b0cab327e060ccf397ae634a34c84dd1d4d2bb2 Author: Christoph Hellwig Date: Tue Nov 26 11:21:36 2024 +0100 mq-deadline: don't call req_get_ioprio from the I/O completion handler req_get_ioprio looks at req->bio to find the I/O priority, which is not set when completing bios that the driver fully iterated through. Stash away the dd_per_prio in the elevator private data instead of looking it up again to optimize the code a bit while fixing the regression from removing the per-request ioprio value. Fixes: 6975c1a486a4 ("block: remove the ioprio field from struct request") Reported-by: Chris Bainbridge Reported-by: Sam Protsenko Signed-off-by: Christoph Hellwig Tested-by: Chris Bainbridge Tested-by: Sam Protsenko Reviewed-by: Bart Van Assche Link: https://lore.kernel.org/r/20241126102136.619067-1-hch@lst.de Signed-off-by: Jens Axboe commit 0b83c86b444ab467134b0e618f45ad2216a4973c Author: Damien Le Moal Date: Tue Nov 26 19:47:05 2024 +0900 block: Prevent potential deadlock in blk_revalidate_disk_zones() The function blk_revalidate_disk_zones() calls the function disk_update_zone_resources() after freezing the device queue. In turn, disk_update_zone_resources() calls queue_limits_start_update() which takes a queue limits mutex lock, resulting in the ordering: q->q_usage_counter check -> q->limits_lock. However, the usual ordering is to always take a queue limit lock before freezing the queue to commit the limits updates, e.g., the code pattern: lim = queue_limits_start_update(q); ... blk_mq_freeze_queue(q); ret = queue_limits_commit_update(q, &lim); blk_mq_unfreeze_queue(q); Thus, blk_revalidate_disk_zones() introduces a potential circular locking dependency deadlock that lockdep sometimes catches with the splat: [ 51.934109] ====================================================== [ 51.935916] WARNING: possible circular locking dependency detected [ 51.937561] 6.12.0+ #2107 Not tainted [ 51.938648] ------------------------------------------------------ [ 51.940351] kworker/u16:4/157 is trying to acquire lock: [ 51.941805] ffff9fff0aa0bea8 (&q->limits_lock){+.+.}-{4:4}, at: disk_update_zone_resources+0x86/0x170 [ 51.944314] but task is already holding lock: [ 51.945688] ffff9fff0aa0b890 (&q->q_usage_counter(queue)#3){++++}-{0:0}, at: blk_revalidate_disk_zones+0x15f/0x340 [ 51.948527] which lock already depends on the new lock. [ 51.951296] the existing dependency chain (in reverse order) is: [ 51.953708] -> #1 (&q->q_usage_counter(queue)#3){++++}-{0:0}: [ 51.956131] blk_queue_enter+0x1c9/0x1e0 [ 51.957290] blk_mq_alloc_request+0x187/0x2a0 [ 51.958365] scsi_execute_cmd+0x78/0x490 [scsi_mod] [ 51.959514] read_capacity_16+0x111/0x410 [sd_mod] [ 51.960693] sd_revalidate_disk.isra.0+0x872/0x3240 [sd_mod] [ 51.962004] sd_probe+0x2d7/0x520 [sd_mod] [ 51.962993] really_probe+0xd5/0x330 [ 51.963898] __driver_probe_device+0x78/0x110 [ 51.964925] driver_probe_device+0x1f/0xa0 [ 51.965916] __driver_attach_async_helper+0x60/0xe0 [ 51.967017] async_run_entry_fn+0x2e/0x140 [ 51.968004] process_one_work+0x21f/0x5a0 [ 51.968987] worker_thread+0x1dc/0x3c0 [ 51.969868] kthread+0xe0/0x110 [ 51.970377] ret_from_fork+0x31/0x50 [ 51.970983] ret_from_fork_asm+0x11/0x20 [ 51.971587] -> #0 (&q->limits_lock){+.+.}-{4:4}: [ 51.972479] __lock_acquire+0x1337/0x2130 [ 51.973133] lock_acquire+0xc5/0x2d0 [ 51.973691] __mutex_lock+0xda/0xcf0 [ 51.974300] disk_update_zone_resources+0x86/0x170 [ 51.975032] blk_revalidate_disk_zones+0x16c/0x340 [ 51.975740] sd_zbc_revalidate_zones+0x73/0x160 [sd_mod] [ 51.976524] sd_revalidate_disk.isra.0+0x465/0x3240 [sd_mod] [ 51.977824] sd_probe+0x2d7/0x520 [sd_mod] [ 51.978917] really_probe+0xd5/0x330 [ 51.979915] __driver_probe_device+0x78/0x110 [ 51.981047] driver_probe_device+0x1f/0xa0 [ 51.982143] __driver_attach_async_helper+0x60/0xe0 [ 51.983282] async_run_entry_fn+0x2e/0x140 [ 51.984319] process_one_work+0x21f/0x5a0 [ 51.985873] worker_thread+0x1dc/0x3c0 [ 51.987289] kthread+0xe0/0x110 [ 51.988546] ret_from_fork+0x31/0x50 [ 51.989926] ret_from_fork_asm+0x11/0x20 [ 51.991376] other info that might help us debug this: [ 51.994127] Possible unsafe locking scenario: [ 51.995651] CPU0 CPU1 [ 51.996694] ---- ---- [ 51.997716] lock(&q->q_usage_counter(queue)#3); [ 51.998817] lock(&q->limits_lock); [ 52.000043] lock(&q->q_usage_counter(queue)#3); [ 52.001638] lock(&q->limits_lock); [ 52.002485] *** DEADLOCK *** Prevent this issue by moving the calls to blk_mq_freeze_queue() and blk_mq_unfreeze_queue() around the call to queue_limits_commit_update() in disk_update_zone_resources(). In case of revalidation failure, the call to disk_free_zone_resources() in blk_revalidate_disk_zones() is still done with the queue frozen as before. Fixes: 843283e96e5a ("block: Fake max open zones limit when there is no limit") Cc: stable@vger.kernel.org Signed-off-by: Damien Le Moal Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/20241126104705.183996-1-dlemoal@kernel.org Signed-off-by: Jens Axboe commit db2eee61434808d66233a9d3ea5ec31b8867de23 Author: Takashi Iwai Date: Tue Nov 26 15:10:10 2024 +0100 ALSA: hda: Show the codec quirk info at probing Lots of HD-audio devices need the device-specific quirk, and it's often helpful to know which quirk is applied. But currently the driver shows it only as a debug output, hence we'd have to enable the debug option at each time we want to see it (and the output becomes too messy due to other debug messages). This patch changes the messages to the info level, so that they appear at probing normally. Link: https://patch.msgid.link/20241126141010.12567-1-tiwai@suse.de Signed-off-by: Takashi Iwai commit d798bc6f3c174c61837862cb9778d73cccd92a8e Author: James Clark Date: Fri Nov 22 16:46:35 2024 +0000 arm64: Fix usage of new shifted MDCR_EL2 values Since the linked fixes commit, these masks are already shifted so remove the shifts. One issue that this fixes is SPE and TRBE not being available anymore: arm_spe_pmu arm,spe-v1: profiling buffer owned by higher exception level Fixes: 641630313e9c ("arm64: sysreg: Migrate MDCR_EL2 definition to table") Signed-off-by: James Clark Acked-by: Marc Zyngier Link: https://lore.kernel.org/r/20241122164636.2944180-1-james.clark@linaro.org Signed-off-by: Oliver Upton commit 5dfd7d940094e1a1ec974d90f6d28162d372b56b Merge: 9cfb5e7f0ded2b 3661c05c54e8db Author: Paolo Abeni Date: Tue Nov 26 15:29:33 2024 +0100 Merge branch 'bnxt_en-bug-fixes' Michael Chan says: ==================== bnxt_en: Bug fixes This patchset fixes several things: 1. AER recovery for RoCE when NIC interface is down. 2. Set ethtool backplane link modes correctly. 3. Update RSS ring ID during RX queue restart. 4. Crash with XDP and MTU change. 5. PCIe completion timeout when reading PHC after shutdown. ==================== Link: https://patch.msgid.link/20241122224547.984808-1-michael.chan@broadcom.com Signed-off-by: Paolo Abeni commit 3661c05c54e8db7064aa96a0774654740974dffc Author: Michael Chan Date: Fri Nov 22 14:45:46 2024 -0800 bnxt_en: Unregister PTP during PCI shutdown and suspend If we go through the PCI shutdown or suspend path, we shutdown the NIC but PTP remains registered. If the kernel continues to run for a little bit, the periodic PTP .do_aux_work() function may be called and it will read the PHC from the BAR register. Since the device has already been disabled, it will cause a PCIe completion timeout. Fix it by calling bnxt_ptp_clear() in the PCI shutdown/suspend handlers. bnxt_ptp_clear() will unregister from PTP and .do_aux_work() will be canceled. In bnxt_resume(), we need to re-initialize PTP. Fixes: a521c8a01d26 ("bnxt_en: Move bnxt_ptp_init() from bnxt_open() back to bnxt_init_one()") Cc: Richard Cochran Reviewed-by: Somnath Kotur Reviewed-by: Pavan Chebbi Reviewed-by: Kalesh AP Signed-off-by: Michael Chan Signed-off-by: Paolo Abeni commit 1e9614cd956268e10a669c0593e7e54d03d0c087 Author: Michael Chan Date: Fri Nov 22 14:45:45 2024 -0800 bnxt_en: Refactor bnxt_ptp_init() Instead of passing the 2nd parameter phc_cfg to bnxt_ptp_init(). Store it in bp->ptp_cfg so that the caller doesn't need to know what the value should be. In the next patch, we'll need to call bnxt_ptp_init() in bnxt_resume() and this will make it easier. Reviewed-by: Somnath Kotur Reviewed-by: Pavan Chebbi Reviewed-by: Kalesh AP Signed-off-by: Michael Chan Signed-off-by: Paolo Abeni commit 3051a77a09dfe3022aa012071346937fdf059033 Author: Shravya KN Date: Fri Nov 22 14:45:44 2024 -0800 bnxt_en: Fix receive ring space parameters when XDP is active The MTU setting at the time an XDP multi-buffer is attached determines whether the aggregation ring will be used and the rx_skb_func handler. This is done in bnxt_set_rx_skb_mode(). If the MTU is later changed, the aggregation ring setting may need to be changed and it may become out-of-sync with the settings initially done in bnxt_set_rx_skb_mode(). This may result in random memory corruption and crashes as the HW may DMA data larger than the allocated buffer size, such as: BUG: kernel NULL pointer dereference, address: 00000000000003c0 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 17 PID: 0 Comm: swapper/17 Kdump: loaded Tainted: G S OE 6.1.0-226bf9805506 #1 Hardware name: Wiwynn Delta Lake PVT BZA.02601.0150/Delta Lake-Class1, BIOS F0E_3A12 08/26/2021 RIP: 0010:bnxt_rx_pkt+0xe97/0x1ae0 [bnxt_en] Code: 8b 95 70 ff ff ff 4c 8b 9d 48 ff ff ff 66 41 89 87 b4 00 00 00 e9 0b f7 ff ff 0f b7 43 0a 49 8b 95 a8 04 00 00 25 ff 0f 00 00 <0f> b7 14 42 48 c1 e2 06 49 03 95 a0 04 00 00 0f b6 42 33f RSP: 0018:ffffa19f40cc0d18 EFLAGS: 00010202 RAX: 00000000000001e0 RBX: ffff8e2c805c6100 RCX: 00000000000007ff RDX: 0000000000000000 RSI: ffff8e2c271ab990 RDI: ffff8e2c84f12380 RBP: ffffa19f40cc0e48 R08: 000000000001000d R09: 974ea2fcddfa4cbf R10: 0000000000000000 R11: ffffa19f40cc0ff8 R12: ffff8e2c94b58980 R13: ffff8e2c952d6600 R14: 0000000000000016 R15: ffff8e2c271ab990 FS: 0000000000000000(0000) GS:ffff8e3b3f840000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000003c0 CR3: 0000000e8580a004 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: __bnxt_poll_work+0x1c2/0x3e0 [bnxt_en] To address the issue, we now call bnxt_set_rx_skb_mode() within bnxt_change_mtu() to properly set the AGG rings configuration and update rx_skb_func based on the new MTU value. Additionally, BNXT_FLAG_NO_AGG_RINGS is cleared at the beginning of bnxt_set_rx_skb_mode() to make sure it gets set or cleared based on the current MTU. Fixes: 08450ea98ae9 ("bnxt_en: Fix max_mtu setting for multi-buf XDP") Co-developed-by: Somnath Kotur Signed-off-by: Somnath Kotur Signed-off-by: Shravya KN Signed-off-by: Michael Chan Signed-off-by: Paolo Abeni commit 5ac066b7b062ee753a14557ea11bdc62364c8090 Author: Somnath Kotur Date: Fri Nov 22 14:45:43 2024 -0800 bnxt_en: Fix queue start to update vnic RSS table HWRM_RING_FREE followed by a HWRM_RING_ALLOC is not guaranteed to have the same FW ring ID as before. So we must reinitialize the RSS table with the correct ring IDs. Otherwise, traffic may not resume properly if the restarted ring ID is stale. Since this feature is only supported on P5_PLUS chips, we call bnxt_vnic_set_rss_p5() to update the HW RSS table. Fixes: 2d694c27d32e ("bnxt_en: implement netdev_queue_mgmt_ops") Cc: David Wei Reviewed-by: Kalesh AP Reviewed-by: Andy Gospodarek Signed-off-by: Somnath Kotur Signed-off-by: Michael Chan Signed-off-by: Paolo Abeni commit 5007991670941c132fb3bc0484c009cf4bcea30f Author: Shravya KN Date: Fri Nov 22 14:45:42 2024 -0800 bnxt_en: Set backplane link modes correctly for ethtool Use the return value from bnxt_get_media() to determine the port and link modes. bnxt_get_media() returns the proper BNXT_MEDIA_KR when the PHY is backplane. This will correct the ethtool settings for backplane devices. Fixes: 5d4e1bf60664 ("bnxt_en: extend media types to supported and autoneg modes") Reviewed-by: Somnath Kotur Signed-off-by: Shravya KN Signed-off-by: Michael Chan Signed-off-by: Paolo Abeni commit 5311598f7f3293683cdc761df71ae3469327332c Author: Saravanan Vajravel Date: Fri Nov 22 14:45:41 2024 -0800 bnxt_en: Reserve rings after PCIe AER recovery if NIC interface is down After successful PCIe AER recovery, FW will reset all resource reservations. If it is IF_UP, the driver will call bnxt_open() and all resources will be reserved again. It it is IF_DOWN, we should call bnxt_reserve_rings() so that we can reserve resources including RoCE resources to allow RoCE to resume after AER. Without this patch, RoCE fails to resume in this IF_DOWN scenario. Later, if it becomes IF_UP, bnxt_open() will see that resources have been reserved and will not reserve again. Fixes: fb1e6e562b37 ("bnxt_en: Fix AER recovery.") Reviewed-by: Somnath Kotur Reviewed-by: Pavan Chebbi Reviewed-by: Kashyap Desai Signed-off-by: Saravanan Vajravel Signed-off-by: Michael Chan Signed-off-by: Paolo Abeni commit a166f80343cd436d6d414199d18ad0ab291caaa5 Author: Zhu Jun Date: Tue Nov 26 01:32:45 2024 -0800 ALSA: asihpi: Remove unused variable the variable is never referenced in the code, just remove it. Signed-off-by: Zhu Jun Link: https://patch.msgid.link/20241126093245.3228-1-zhujun2@cmss.chinamobile.com Signed-off-by: Takashi Iwai commit ff6cdc407f4179748f4673c39b0921503199a0ad Author: Sebastian Andrzej Siewior Date: Tue Nov 26 14:47:22 2024 +0100 x86/CPU/AMD: Terminate the erratum_1386_microcode array The erratum_1386_microcode array requires an empty entry at the end. Otherwise x86_match_cpu_with_stepping() will continue iterate the array after it ended. Add an empty entry to erratum_1386_microcode to its end. Fixes: 29ba89f189528 ("x86/CPU/AMD: Improve the erratum 1386 workaround") Signed-off-by: Sebastian Andrzej Siewior Signed-off-by: Borislav Petkov (AMD) Cc: Link: https://lore.kernel.org/r/20241126134722.480975-1-bigeasy@linutronix.de commit 86e8f94789dd6f3e705bfa821e1e416f97a2f863 Author: Pei Xiao Date: Wed Nov 20 15:21:36 2024 +0800 drm/sti: Add __iomem for mixer_dbg_mxn's parameter Sparse complains about incorrect type in argument 1. expected void const volatile __iomem *ptr but got void *. so modify mixer_dbg_mxn's addr parameter. Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202411191809.6V3c826r-lkp@intel.com/ Fixes: a5f81078a56c ("drm/sti: add debugfs entries for MIXER crtc") Signed-off-by: Pei Xiao Acked-by: Raphael Gallais-Pou Link: https://patchwork.freedesktop.org/patch/msgid/c28f0dcb6a4526721d83ba1f659bba30564d3d54.1732087094.git.xiaopei01@kylinos.cn Signed-off-by: Raphael Gallais-Pou commit bd2fccac61b40eaf08d9546acc9fef958bfe4763 Author: Imre Deak Date: Mon Nov 25 22:53:14 2024 +0200 drm/dp_mst: Fix MST sideband message body length check Fix the MST sideband message body length check, which must be at least 1 byte accounting for the message body CRC (aka message data CRC) at the end of the message. This fixes a case where an MST branch device returns a header with a correct header CRC (indicating a correctly received body length), with the body length being incorrectly set to 0. This will later lead to a memory corruption in drm_dp_sideband_append_payload() and the following errors in dmesg: UBSAN: array-index-out-of-bounds in drivers/gpu/drm/display/drm_dp_mst_topology.c:786:25 index -1 is out of range for type 'u8 [48]' Call Trace: drm_dp_sideband_append_payload+0x33d/0x350 [drm_display_helper] drm_dp_get_one_sb_msg+0x3ce/0x5f0 [drm_display_helper] drm_dp_mst_hpd_irq_handle_event+0xc8/0x1580 [drm_display_helper] memcpy: detected field-spanning write (size 18446744073709551615) of single field "&msg->msg[msg->curlen]" at drivers/gpu/drm/display/drm_dp_mst_topology.c:791 (size 256) Call Trace: drm_dp_sideband_append_payload+0x324/0x350 [drm_display_helper] drm_dp_get_one_sb_msg+0x3ce/0x5f0 [drm_display_helper] drm_dp_mst_hpd_irq_handle_event+0xc8/0x1580 [drm_display_helper] Cc: Cc: Lyude Paul Reviewed-by: Lyude Paul Signed-off-by: Imre Deak Link: https://patchwork.freedesktop.org/patch/msgid/20241125205314.1725887-1-imre.deak@intel.com commit c79886c540b57a86df8b0465cc1b71dc32144abf Author: Krzysztof Kozlowski Date: Thu Oct 10 20:06:22 2024 +0200 thermal: sun8i: Use scoped device node handling to simplify error paths Obtain the device node reference with scoped/cleanup.h to reduce error handling and make the code a bit simpler. Reviewed-by: Chen-Yu Tsai Reviewed-by: Jonathan Cameron Signed-off-by: Krzysztof Kozlowski Link: https://patch.msgid.link/20241010-b4-cleanup-h-of-node-put-thermal-v4-6-bfbe29ad81f4@linaro.org Signed-off-by: Rafael J. Wysocki commit 2ff772f4a93f7b5abd9d1feaa9624a6006257b71 Author: Krzysztof Kozlowski Date: Thu Oct 10 20:06:21 2024 +0200 thermal: tegra: Simplify with scoped for each OF child loop Use scoped for_each_child_of_node_scoped() when iterating over device nodes to make code a bit simpler. Reviewed-by: Chen-Yu Tsai Reviewed-by: Jonathan Cameron Signed-off-by: Krzysztof Kozlowski Link: https://patch.msgid.link/20241010-b4-cleanup-h-of-node-put-thermal-v4-5-bfbe29ad81f4@linaro.org Signed-off-by: Rafael J. Wysocki commit 4dc00afc20ddb676aedc0ab776397c99e4025e30 Author: Krzysztof Kozlowski Date: Thu Oct 10 20:06:20 2024 +0200 thermal: qcom-spmi-adc-tm5: Simplify with scoped for each OF child loop Use scoped for_each_available_child_of_node_scoped() when iterating over device nodes to make code a bit simpler. Reviewed-by: Chen-Yu Tsai Reviewed-by: Jonathan Cameron Signed-off-by: Krzysztof Kozlowski Link: https://patch.msgid.link/20241010-b4-cleanup-h-of-node-put-thermal-v4-4-bfbe29ad81f4@linaro.org Signed-off-by: Rafael J. Wysocki commit 8309135a39de73af2b4bbaa8385e40ffccbfc42c Author: Krzysztof Kozlowski Date: Thu Oct 10 20:06:19 2024 +0200 thermal: of: Use scoped device node handling to simplify of_thermal_zone_find() Obtain the device node reference with scoped/cleanup.h to reduce error handling and make the code a bit simpler. Reviewed-by: Chen-Yu Tsai Reviewed-by: Jonathan Cameron Signed-off-by: Krzysztof Kozlowski Link: https://patch.msgid.link/20241010-b4-cleanup-h-of-node-put-thermal-v4-3-bfbe29ad81f4@linaro.org Signed-off-by: Rafael J. Wysocki commit a094ccfa5277cb9b92040016f3abf22408405820 Author: Krzysztof Kozlowski Date: Thu Oct 10 20:06:18 2024 +0200 thermal: of: Use scoped memory and OF handling to simplify thermal_of_trips_init() Obtain the device node reference and allocate memory with scoped/cleanup.h to reduce error handling and make the code a bit simpler. The code is not equivalent in one minor aspect: outgoing parameter "*ntrips" will not be zeroed on errors of memory allocation. This difference is not important, because code was already not zeroing it in case of earlier errors and the only caller does not rely on ntrips being 0 in case of errors. Signed-off-by: Krzysztof Kozlowski Reviewed-by: Chen-Yu Tsai Reviewed-by: Jonathan Cameron Link: https://patch.msgid.link/20241010-b4-cleanup-h-of-node-put-thermal-v4-2-bfbe29ad81f4@linaro.org [ rjw: Rebase ] Signed-off-by: Rafael J. Wysocki commit 69f3aa6ad92447d6e9f50c5b5aea85b56e80b198 Author: Krzysztof Kozlowski Date: Thu Oct 10 20:06:17 2024 +0200 thermal: of: Simplify thermal_of_should_bind with scoped for each OF child Use scoped for_each_child_of_node_scoped() when iterating over device nodes to make code a bit simpler. Reviewed-by: Jonathan Cameron Signed-off-by: Krzysztof Kozlowski Link: https://patch.msgid.link/20241010-b4-cleanup-h-of-node-put-thermal-v4-1-bfbe29ad81f4@linaro.org Signed-off-by: Rafael J. Wysocki commit ac1f43c03fc91eee53cc95683245350d4d87781e Author: Rafael J. Wysocki Date: Mon Nov 25 12:24:46 2024 +0100 thermal: gov_power_allocator: Add missing NULL pointer check Commit 0dc23567c206 ("thermal: core: Move lists of thermal instances to trip descriptors") overlooked the case in which the Power Allocator governor attempts to bind to a tripless thermal zone and params->trip_max is NULL in check_power_actors(). No power actors can be found in that case, so check_power_actors() needs to be made return 0 then to restore its previous behavior. Fixes: 0dc23567c206 ("thermal: core: Move lists of thermal instances to trip descriptors") Closes: https://lore.kernel.org/linux-pm/Z0NeGF4ryCe_b5rr@sashalap/ Reported-by: Sasha Levin Signed-off-by: Rafael J. Wysocki Reviewed-by: Lukasz Luba Link: https://patch.msgid.link/2761105.mvXUDI8C0e@rjwysocki.net commit 9cfb5e7f0ded2bfaabc270ceb5f91d13f0e805b9 Author: Eric Dumazet Date: Fri Nov 22 17:13:43 2024 +0000 net: hsr: fix hsr_init_sk() vs network/transport headers. Following sequence in hsr_init_sk() is invalid : skb_reset_mac_header(skb); skb_reset_mac_len(skb); skb_reset_network_header(skb); skb_reset_transport_header(skb); It is invalid because skb_reset_mac_len() needs the correct network header, which should be after the mac header. This patch moves the skb_reset_network_header() and skb_reset_transport_header() before the call to dev_hard_header(). As a result skb->mac_len is no longer set to a value close to 65535. Fixes: 48b491a5cc74 ("net: hsr: fix mac_len checks") Signed-off-by: Eric Dumazet Cc: George McCollister Link: https://patch.msgid.link/20241122171343.897551-1-edumazet@google.com Signed-off-by: Paolo Abeni commit d24cfee7f63d6b44d45a67c5662bd1cc48e8b3ca Author: Stanislaw Gruszka Date: Fri Nov 22 10:42:24 2024 +0100 spi: Fix acpi deferred irq probe When probing spi device take care of deferred probe of ACPI irq gpio similar like for OF/DT case. >From practical standpoint this fixes issue with vsc-tp driver on Dell XP 9340 laptop, which try to request interrupt with spi->irq equal to -EPROBE_DEFER and fail to probe with the following error: vsc-tp spi-INTC10D0:00: probe with driver vsc-tp failed with error -22 Suggested-by: Hans de Goede Fixes: 33ada67da352 ("ACPI / spi: attach GPIO IRQ from ACPI description to SPI device") Cc: stable@vger.kernel.org Signed-off-by: Stanislaw Gruszka Reviewed-by: Hans de Goede Tested-by: Alexis Lothoré # Dell XPS9320, ov01a10 Link: https://patch.msgid.link/20241122094224.226773-1-stanislaw.gruszka@linux.intel.com Signed-off-by: Mark Brown commit 2ac40e6d0ccdd93031f8b1af61b0fe5cdd704923 Author: Csókás, Bence Date: Fri Nov 22 15:13:02 2024 +0100 spi: atmel-quadspi: Fix register name in verbose logging function `atmel_qspi_reg_name()` is used for pretty-printing register offsets for verbose logging of register accesses. However, due to a typo (likely a copy-paste error), QSPI_RD's offset prints as "MR", the name of the previous register. Fix this typo. Fixes: c528ecfbef04 ("spi: atmel-quadspi: Add verbose debug facilities to monitor register accesses") Signed-off-by: Csókás, Bence Reviewed-by: Alexander Dahl Link: https://patch.msgid.link/20241122141302.2599636-1-csokas.bence@prolan.hu Signed-off-by: Mark Brown commit 05cff25eb32ce375a59431afe47a6fe0b9548b78 Merge: 407618d66dba55 762ca6eed02634 Author: Paolo Abeni Date: Tue Nov 26 12:15:07 2024 +0100 Merge branch 'octeontx2-af-misc-rpm-fixes' Hariprasad Kelam says: ==================== octeontx2-af: misc RPM fixes There are few issues with the RPM driver, such as FIFO overflow and network performance problems due to wrong FIFO values. This patchset adds fixes for the same. Patch1: Fixes the mismatch between the lmac type reported by the driver and the actual hardware configuration. Patch2: Addresses low network performance observed even on RPMs with larger FIFO lengths. Patch 3 & 4: Fix the stale FEC counters reported by the driver by accessing the correct CSRs Patch 5: Resolves the issue related to RPM FIFO overflow during system reboots ==================== Link: https://patch.msgid.link/20241122162035.5842-1-hkelam@marvell.com Signed-off-by: Paolo Abeni commit 762ca6eed026346d9d41ed5ac633083c4f1e5071 Author: Hariprasad Kelam Date: Fri Nov 22 21:50:35 2024 +0530 octeontx2-af: Quiesce traffic before NIX block reset During initialization, the AF driver resets all blocks. The RPM (MAC) block and NIX block operate on a credit-based model. When the NIX block resets during active traffic flow, it doesn't release credits to the RPM block. This causes the RPM FIFO to overflow, leading to receive traffic struck. To address this issue, the patch introduces the following changes: 1. Stop receiving traffic at the MAC level during AF driver initialization. 2. Perform an X2P reset (prevents RXFIFO of all LMACS from pushing data) 3. Reset the NIX block. 4. Clear the X2P reset and re-enable receiving traffic. Fixes: 54d557815e15 ("octeontx2-af: Reset all RVU blocks") Signed-off-by: Hariprasad Kelam Signed-off-by: Paolo Abeni commit 6fc2164108462b913a1290fa2c44054c70b060ef Author: Hariprasad Kelam Date: Fri Nov 22 21:50:34 2024 +0530 octeontx2-af: RPM: fix stale FCFEC counters The corrected words register(FCFECX_VL0_CCW_LO)/Uncorrected words register (FCFECX_VL0_NCCW_LO) of FCFEC counter has different LMAC offset which needs to be accessed differently. Fixes: 84ad3642115d ("octeontx2-af: Add FEC stats for RPM/RPM_USX block") Signed-off-by: Hariprasad Kelam Signed-off-by: Paolo Abeni commit 07cd1eb166a3fa7244afa74d48bd13c9df7c559d Author: Hariprasad Kelam Date: Fri Nov 22 21:50:33 2024 +0530 octeontx2-af: RPM: fix stale RSFEC counters The earlier patch sets the 'Stats control register' for RPM receive/transmit statistics instead of RSFEC statistics, causing the driver to return stale FEC counters. Fixes: 84ad3642115d ("octeontx2-af: Add FEC stats for RPM/RPM_USX block") Signed-off-by: Hariprasad Kelam Signed-off-by: Paolo Abeni commit d1e8884e050c1255a9ceb477f5ff926ee9214a23 Author: Hariprasad Kelam Date: Fri Nov 22 21:50:32 2024 +0530 octeontx2-af: RPM: Fix low network performance Low network performance is observed even on RPMs with larger FIFO lengths. The cn10kb silicon has three RPM blocks with the following FIFO sizes: -------------------- | RPM0 | 256KB | | RPM1 | 256KB | | RPM2 | 128KB | -------------------- The current design stores the FIFO length in a common structure for all RPMs (mac_ops). As a result, the FIFO length of the last RPM is applied to all RPMs, leading to reduced network performance. This patch resolved the problem by storing the fifo length in per MAC structure (cgx). Fixes: b9d0fedc6234 ("octeontx2-af: cn10kb: Add RPM_USX MAC support") Signed-off-by: Hariprasad Kelam Signed-off-by: Paolo Abeni commit 7ebbbb23ea5b6d051509cb11399afac5042c9266 Author: Hariprasad Kelam Date: Fri Nov 22 21:50:31 2024 +0530 octeontx2-af: RPM: Fix mismatch in lmac type Due to a bug in the previous patch, there is a mismatch between the lmac type reported by the driver and the actual hardware configuration. Fixes: 3ad3f8f93c81 ("octeontx2-af: cn10k: MAC internal loopback support") Signed-off-by: Hariprasad Kelam Signed-off-by: Paolo Abeni commit 407618d66dba55e7db1278872e8be106808bbe91 Author: Maxime Chevallier Date: Fri Nov 22 15:12:55 2024 +0100 net: stmmac: dwmac-socfpga: Set RX watchdog interrupt as broken On DWMAC3 and later, there's a RX Watchdog interrupt that's used for interrupt coalescing. It's known to be buggy on some platforms, and dwmac-socfpga appears to be one of them. Changing the interrupt coalescing from ethtool doesn't appear to have any effect here. Without disabling RIWT (Received Interrupt Watchdog Timer, I believe...), we observe latencies while receiving traffic that amount to around ~0.4ms. This was discovered with NTP but can be easily reproduced with a simple ping. Without this patch : 64 bytes from 192.168.5.2: icmp_seq=1 ttl=64 time=0.657 ms With this patch : 64 bytes from 192.168.5.2: icmp_seq=1 ttl=64 time=0.254 ms Fixes: 801d233b7302 ("net: stmmac: Add SOCFPGA glue driver") Signed-off-by: Maxime Chevallier Link: https://patch.msgid.link/20241122141256.764578-1-maxime.chevallier@bootlin.com Signed-off-by: Paolo Abeni commit b032ae57d4fe2b2445e3bc190db6fcaa8c102f68 Author: Vitalii Mordan Date: Thu Nov 21 23:06:58 2024 +0300 marvell: pxa168_eth: fix call balance of pep->clk handling routines If the clock pep->clk was not enabled in pxa168_eth_probe, it should not be disabled in any path. Conversely, if it was enabled in pxa168_eth_probe, it must be disabled in all error paths to ensure proper cleanup. Use the devm_clk_get_enabled helper function to ensure proper call balance for pep->clk. Found by Linux Verification Center (linuxtesting.org) with Klever. Fixes: a49f37eed22b ("net: add Fast Ethernet driver for PXA168.") Signed-off-by: Vitalii Mordan Link: https://patch.msgid.link/20241121200658.2203871-1-mordan@ispras.ru Signed-off-by: Paolo Abeni commit 30447a1bc0e066e492552b3e5ffeb63c1605dfe2 Author: Marc Kleine-Budde Date: Sun Nov 24 18:42:56 2024 +0100 can: mcp251xfd: mcp251xfd_get_tef_len(): work around erratum DS80000789E 6. Commit b8e0ddd36ce9 ("can: mcp251xfd: tef: prepare to workaround broken TEF FIFO tail index erratum") introduced mcp251xfd_get_tef_len() to get the number of unhandled transmit events from the Transmit Event FIFO (TEF). As the TEF has no head index, the driver uses the TX-FIFO's tail index instead, assuming that send frames are completed. When calculating the number of unhandled TEF events, that commit didn't take mcp2518fd erratum DS80000789E 6. into account. According to that erratum, the FIFOCI bits of a FIFOSTA register, here the TX-FIFO tail index might be corrupted. However here it seems the bit indicating that the TX-FIFO is empty (MCP251XFD_REG_FIFOSTA_TFERFFIF) is not correct while the TX-FIFO tail index is. Assume that the TX-FIFO is indeed empty if: - Chip's head and tail index are equal (len == 0). - The TX-FIFO is less than half full. (The TX-FIFO empty case has already been checked at the beginning of this function.) - No free buffers in the TX ring. If the TX-FIFO is assumed to be empty, assume that the TEF is full and return the number of elements in the TX-FIFO (which equals the number of TEF elements). If these assumptions are false, the driver might read to many objects from the TEF. mcp251xfd_handle_tefif_one() checks the sequence numbers and will refuse to process old events. Reported-by: Renjaya Raga Zenta Closes: https://patch.msgid.link/CAJ7t6HgaeQ3a_OtfszezU=zB-FqiZXqrnATJ3UujNoQJJf7GgA@mail.gmail.com Fixes: b8e0ddd36ce9 ("can: mcp251xfd: tef: prepare to workaround broken TEF FIFO tail index erratum") Tested-by: Renjaya Raga Zenta Cc: stable@vger.kernel.org Link: https://patch.msgid.link/20241126-mcp251xfd-fix-length-calculation-v2-1-c2ed516ed6ba@pengutronix.de Signed-off-by: Marc Kleine-Budde commit a39dc2e20a214a51e07be87ba3e868575ed67407 Merge: 889b2ae9139a87 d7b916540c2ba3 Author: Marc Kleine-Budde Date: Tue Nov 26 11:09:07 2024 +0100 Merge patch series "Fix {rx,tx}_errors CAN statistics" Dario Binacchi says: This series extends the patch 4d6d26537940 ("can: c_can: fix {rx,tx}_errors statistics"), already merged into the mainline, to other CAN devices that similarly do not correctly increment the error counters for reception/transmission. Changes in v2: - Fix patches 7 through 12 to ensure that statistics are updated even if the allocation of skb fails. - Add five new patches (i. e. 1-5), created during the further analysis of the code while correcting patches from the v1 series (i. e. 7-12). Link: https://patch.msgid.link/20241122221650.633981-1-dario.binacchi@amarulasolutions.com [mkl: omitted patch 3] Signed-off-by: Marc Kleine-Budde commit 3c272a7551af1c10f6dbba0e71add7dccc7733fa Author: Huacai Chen Date: Tue Nov 26 18:06:54 2024 +0800 LoongArch: Update Loongson-3 default config file 1, Enable ACPI_BGRT. 2, Enable MODULE COMPRESS. 3, Enable common DM targets. 4, Enable FS_ENCRYPTION and FS_VERITY. 5, Enable CPUFreq governors and drivers. 6, Enable PVPANIC MMIO and PCI drivers. 7, Enable some HID input drivers. 8, Enable some ASoC codec drivers. 9, Enable some Realtek WiFi drivers. 10, Remove some obsolete config options. Signed-off-by: Huacai Chen commit 900f6267e9e39f9f601f5eaf0ea32d620b9130d2 Author: Binbin Zhou Date: Fri Nov 22 15:47:58 2024 +0800 LoongArch: dts: Add I2S support to Loongson-2K2000 The module is supported, adding it. Not all Loongson-2K1000 boards have an i2s interface, here is an example of enabling it: sound { compatible = "loongson,ls-audio-card"; model = "Loongson-ASoC"; mclk-fs = <512>; cpu { sound-dai = <&i2s>; }; codec { sound-dai = <&es8323>; }; }; &i2c1 { status = "okay"; #address-cells = <1>; #size-cells = <0>; es8323:es8323@10 { compatible = "everest,es8323"; reg = <0x10>; #sound-dai-cells = <0>; }; }; &i2s { status = "okay"; clock-frequency = <175000000>; #sound-dai-cells = <0>; }; Signed-off-by: Binbin Zhou Signed-off-by: Huacai Chen commit b7915af6e73b2ec896f3c811a1dba4348269d272 Author: Binbin Zhou Date: Fri Nov 22 15:47:58 2024 +0800 LoongArch: dts: Add I2S support to Loongson-2K1000 The module is supported, adding it. Not all Loongson-2K1000 boards have an i2s interface, here is an example of enabling it: sound { compatible = "loongson,ls-audio-card"; model = "Loongson-ASoC"; mclk-fs = <512>; cpu { sound-dai = <&i2s>; }; codec { sound-dai = <&uda1342>; }; }; &apbdma2 { status = "okay"; }; &apbdma3 { status = "okay"; }; &i2c3 { status = "okay"; pinctrl-0 = <&i2c1_pins_default>; pinctrl-names = "default"; #address-cells = <1>; #size-cells = <0>; uda1342: codec@1a { compatible = "nxp,uda1342"; reg = <0x1a>; #sound-dai-cells = <0>; }; }; &i2s { status = "okay"; pinctrl-0 = <&hda_pins_default>; pinctrl-names = "default"; }; Signed-off-by: Binbin Zhou Signed-off-by: Huacai Chen commit 704f06eeff65f898364981e6803e587cd941a3ed Author: Huacai Chen Date: Fri Nov 22 15:47:53 2024 +0800 LoongArch: Allow to enable PREEMPT_LAZY LoongArch has supported PREEMPT_RT now. It uses GENERIC_ENTRY, so just add the TIF bit (TIF_NEED_RESCHED_LAZY) related definitions and select the Kconfig symbol (ARCH_HAS_PREEMPT_LAZY) is enough to make it go. Signed-off-by: Xi Ruoyao Signed-off-by: Huacai Chen commit be2ea982bb83a34003909bdfcac1d107339f5dcf Author: Huacai Chen Date: Fri Nov 22 15:47:53 2024 +0800 LoongArch: Allow to enable PREEMPT_RT It is really time. LoongArch has all the required architecture related changes, that have been identified over time, in order to enable PREEMPT_RT. With the recent printk changes, the last known road block has been addressed. Allow to enable PREEMPT_RT on LoongArch. Below are the latency data from cyclictest on a 4-core Loongson-3A5000 machine, with a "make -j8" kernel building workload in the background. 1. PREEMPT kernel with default configuration: ./cyclictest -a -t -m -i200 -d0 -p99 policy: fifo: loadavg: 8.78 8.96 8.64 10/296 64800 T: 0 ( 4592) P:99 I:200 C:14838617 Min: 3 Act: 6 Avg: 8 Max: 844 T: 1 ( 4593) P:99 I:200 C:14838765 Min: 3 Act: 9 Avg: 8 Max: 909 T: 2 ( 4594) P:99 I:200 C:14838510 Min: 3 Act: 7 Avg: 8 Max: 832 T: 3 ( 4595) P:99 I:200 C:14838631 Min: 3 Act: 8 Avg: 8 Max: 931 2. PREEMPT_RT kernel with default configuration: ./cyclictest -a -t -m -i200 -d0 -p99 policy: fifo: loadavg: 10.38 10.47 10.35 9/336 77788 T: 0 ( 3941) P:99 I:200 C:19439626 Min: 3 Act: 12 Avg: 8 Max: 227 T: 1 ( 3942) P:99 I:200 C:19439624 Min: 2 Act: 11 Avg: 8 Max: 184 T: 2 ( 3943) P:99 I:200 C:19439623 Min: 3 Act: 4 Avg: 7 Max: 223 T: 3 ( 3944) P:99 I:200 C:19439623 Min: 2 Act: 10 Avg: 7 Max: 226 3. PREEMPT_RT kernel with tuned configuration: ./cyclictest -a -t -m -i200 -d0 -p99 policy: fifo: loadavg: 10.52 10.66 10.62 12/334 109397 T: 0 ( 4765) P:99 I:200 C:29335186 Min: 3 Act: 6 Avg: 8 Max: 62 T: 1 ( 4766) P:99 I:200 C:29335185 Min: 3 Act: 10 Avg: 8 Max: 52 T: 2 ( 4767) P:99 I:200 C:29335184 Min: 3 Act: 8 Avg: 8 Max: 64 T: 3 ( 4768) P:99 I:200 C:29335183 Min: 3 Act: 12 Avg: 8 Max: 53 Main instruments of tuned configuration include: Disable the boot rom space in BIOS, in order to avoid kernel's speculative access to low- speed memory (i.e. boot rom space); Disable CPUFreq scaling; Disable RTC synchronization in the ntpd/chronyd service (also avoid other RTC accesses when running low-latency workloads). Signed-off-by: Huacai Chen commit 826d2af6949f9c48fb5a249be0645e4b48b01a53 Author: Huacai Chen Date: Fri Nov 22 15:47:53 2024 +0800 LoongArch: Select HAVE_POSIX_CPU_TIMERS_TASK_WORK Move POSIX CPU timer expiry and signal delivery into task context to allow PREEMPT_RT setups to coexist with KVM. Signed-off-by: Huacai Chen commit 88fd2b70120d52c1010257d36776876941375490 Author: Huacai Chen Date: Fri Nov 22 15:47:48 2024 +0800 LoongArch: Fix sleeping in atomic context for PREEMPT_RT Commit bab1c299f3945ffe79 ("LoongArch: Fix sleeping in atomic context in setup_tlb_handler()") changes the gfp flag from GFP_KERNEL to GFP_ATOMIC for alloc_pages_node(). However, for PREEMPT_RT kernels we can still get a "sleeping in atomic context" error: [ 0.372259] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 [ 0.372266] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 0, name: swapper/1 [ 0.372268] preempt_count: 1, expected: 0 [ 0.372270] RCU nest depth: 1, expected: 1 [ 0.372272] 3 locks held by swapper/1/0: [ 0.372274] #0: 900000000c9f5e60 (&pcp->lock){+.+.}-{3:3}, at: get_page_from_freelist+0x524/0x1c60 [ 0.372294] #1: 90000000087013b8 (rcu_read_lock){....}-{1:3}, at: rt_spin_trylock+0x50/0x140 [ 0.372305] #2: 900000047fffd388 (&zone->lock){+.+.}-{3:3}, at: __rmqueue_pcplist+0x30c/0xea0 [ 0.372314] irq event stamp: 0 [ 0.372316] hardirqs last enabled at (0): [<0000000000000000>] 0x0 [ 0.372322] hardirqs last disabled at (0): [<9000000005947320>] copy_process+0x9c0/0x26e0 [ 0.372329] softirqs last enabled at (0): [<9000000005947320>] copy_process+0x9c0/0x26e0 [ 0.372335] softirqs last disabled at (0): [<0000000000000000>] 0x0 [ 0.372341] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.12.0-rc7+ #1891 [ 0.372346] Hardware name: Loongson Loongson-3A5000-7A1000-1w-CRB/Loongson-LS3A5000-7A1000-1w-CRB, BIOS vUDK2018-LoongArch-V2.0.0-prebeta9 10/21/2022 [ 0.372349] Stack : 0000000000000089 9000000005a0db9c 90000000071519c8 9000000100388000 [ 0.372486] 900000010038b890 0000000000000000 900000010038b898 9000000007e53788 [ 0.372492] 900000000815bcc8 900000000815bcc0 900000010038b700 0000000000000001 [ 0.372498] 0000000000000001 4b031894b9d6b725 00000000055ec000 9000000100338fc0 [ 0.372503] 00000000000000c4 0000000000000001 000000000000002d 0000000000000003 [ 0.372509] 0000000000000030 0000000000000003 00000000055ec000 0000000000000003 [ 0.372515] 900000000806d000 9000000007e53788 00000000000000b0 0000000000000004 [ 0.372521] 0000000000000000 0000000000000000 900000000c9f5f10 0000000000000000 [ 0.372526] 90000000076f12d8 9000000007e53788 9000000005924778 0000000000000000 [ 0.372532] 00000000000000b0 0000000000000004 0000000000000000 0000000000070000 [ 0.372537] ... [ 0.372540] Call Trace: [ 0.372542] [<9000000005924778>] show_stack+0x38/0x180 [ 0.372548] [<90000000071519c4>] dump_stack_lvl+0x94/0xe4 [ 0.372555] [<900000000599b880>] __might_resched+0x1a0/0x260 [ 0.372561] [<90000000071675cc>] rt_spin_lock+0x4c/0x140 [ 0.372565] [<9000000005cbb768>] __rmqueue_pcplist+0x308/0xea0 [ 0.372570] [<9000000005cbed84>] get_page_from_freelist+0x564/0x1c60 [ 0.372575] [<9000000005cc0d98>] __alloc_pages_noprof+0x218/0x1820 [ 0.372580] [<900000000593b36c>] tlb_init+0x1ac/0x298 [ 0.372585] [<9000000005924b74>] per_cpu_trap_init+0x114/0x140 [ 0.372589] [<9000000005921964>] cpu_probe+0x4e4/0xa60 [ 0.372592] [<9000000005934874>] start_secondary+0x34/0xc0 [ 0.372599] [<900000000715615c>] smpboot_entry+0x64/0x6c This is because in PREEMPT_RT kernels normal spinlocks are replaced by rt spinlocks and rt_spin_lock() will cause sleeping. Fix it by disabling NUMA optimization completely for PREEMPT_RT kernels. Signed-off-by: Huacai Chen commit af4b67da652214f06fde48cca7bb438fa829741f Author: Huacai Chen Date: Fri Nov 22 15:47:48 2024 +0800 LoongArch: Reduce min_delta for the arch clockevent device Now the min_delta is 0x600 (1536) for LoongArch's constant clockevent device. For a 100MHz hardware timer this means ~15us. This is a little big, especially for PREEMPT_RT enabled kernels. So reduce it to 100 for PREEMPT_RT kernel, and 1000 for others (we don't want too small values to affect performance). Signed-off-by: Huacai Chen commit 73c359d1d356cf10236ccd358bd55edab33e9424 Author: Tiezhu Yang Date: Fri Nov 22 15:47:48 2024 +0800 LoongArch: BPF: Sign-extend return values (1) Description of Problem: When testing BPF JIT with the latest compiler toolchains on LoongArch, there exist some strange failed test cases, dmesg shows something like this: # dmesg -t | grep FAIL | head -1 ... ret -3 != -3 (0xfffffffd != 0xfffffffd)FAIL ... (2) Steps to Reproduce: # echo 1 > /proc/sys/net/core/bpf_jit_enable # modprobe test_bpf (3) Additional Info: There are no failed test cases compiled with the lower version of GCC such as 13.3.0, while the problems only appear with higher version of GCC such as 14.2.0. This is because the problems were hidden by the lower version of GCC due to redundant sign extension instructions generated by compiler, but with optimization of higher version of GCC, the sign extension instructions have been removed. (4) Root Cause Analysis: The LoongArch architecture does not expose sub-registers, and hold all 32-bit values in a sign-extended format. While BPF, on the other hand, exposes sub-registers, and use zero-extension (similar to arm64/x86). This has led to some subtle bugs, where a BPF JITted program has not sign-extended the a0 register (return value in LoongArch land), passed the return value up the kernel, for example: | int from_bpf(void); | | long foo(void) | { | return from_bpf(); | } Here, a0 would be 0xffffffff instead of the expected 0xffffffffffffffff. Internally, the LoongArch JIT uses a5 as a dedicated register for BPF return values. That is to say, the LoongArch BPF uses a5 for BPF return values, which are zero-extended, whereas the LoongArch ABI uses a0 which is sign-extended. (5) Final Solution: Keep a5 zero-extended, but explicitly sign-extend a0 (which is used outside BPF land). Because libbpf currently defines the return value of an ebpf program as a 32-bit unsigned integer, just use addi.w to extend bit 31 into bits 63 through 32 of a5 to a0. This is similar to commit 2f1b0d3d7331 ("riscv, bpf: Sign-extend return values"). Fixes: 5dc615520c4d ("LoongArch: Add BPF JIT support") Acked-by: John Fastabend Signed-off-by: Tiezhu Yang Signed-off-by: Huacai Chen commit 947d5d036c788156f09e83e7f16322ffe8124384 Author: Tiezhu Yang Date: Fri Nov 22 15:47:47 2024 +0800 LoongArch: Fix build failure with GCC 15 (-std=gnu23) Whenever I try to build the kernel with upcoming GCC 15 which defaults to -std=gnu23 I get a build failure: CC arch/loongarch/vdso/vgetcpu.o In file included from ./include/uapi/linux/posix_types.h:5, from ./include/uapi/linux/types.h:14, from ./include/linux/types.h:6, from ./include/linux/kasan-checks.h:5, from ./include/asm-generic/rwonce.h:26, from ./arch/loongarch/include/generated/asm/rwonce.h:1, from ./include/linux/compiler.h:317, from ./include/asm-generic/bug.h:5, from ./arch/loongarch/include/asm/bug.h:60, from ./include/linux/bug.h:5, from ./include/linux/mmdebug.h:5, from ./include/linux/mm.h:6, from ./arch/loongarch/include/asm/vdso.h:10, from arch/loongarch/vdso/vgetcpu.c:6: ./include/linux/stddef.h:11:9: error: expected identifier before 'false' 11 | false = 0, | ^~~~~ ./include/linux/types.h:35:33: error: two or more data types in declaration specifiers 35 | typedef _Bool bool; | ^~~~ ./include/linux/types.h:35:1: warning: useless type name in empty declaration 35 | typedef _Bool bool; | ^~~~~~~ The kernel builds explicitly with -std=gnu11 in top Makefile, but arch/loongarch/vdso does not use KBUILD_CFLAGS from the rest of the kernel, just add -std=gnu11 flag to arch/loongarch/vdso/Makefile. By the way, commit e8c07082a810 ("Kbuild: move to -std=gnu11") did a similar change for arch/arm64/kernel/vdso32/Makefile. Fixes: c6b99bed6b8f ("LoongArch: Add VDSO and VSYSCALL support") Signed-off-by: Tiezhu Yang Signed-off-by: Huacai Chen commit e67e0eb6a98b261caf45048f9eb95fd7609289c0 Author: Huacai Chen Date: Fri Nov 22 15:47:47 2024 +0800 LoongArch: Explicitly specify code model in Makefile LoongArch's toolchain may change the default code model from normal to medium. This is unnecessary for kernel, and generates some relocations which cannot be handled by the module loader. So explicitly specify the code model to normal in Makefile (for Rust 'normal' is 'small'). Cc: stable@vger.kernel.org Tested-by: Haiyong Sun Signed-off-by: Huacai Chen commit 9cc8d0ecdd2aad42e377e971e3bb114339df609e Author: Rosen Penev Date: Thu Nov 21 11:31:52 2024 -0800 net: mdio-ipq4019: add missing error check If an optional resource is found but fails to remap, return on failure. Avoids any potential problems when using the iomapped resource as the assumption is that it's available. Fixes: 23a890d493e3 ("net: mdio: Add the reset function for IPQ MDIO driver") Signed-off-by: Rosen Penev Reviewed-by: Andrew Lunn Link: https://patch.msgid.link/20241121193152.8966-1-rosenp@gmail.com Signed-off-by: Paolo Abeni commit d7b916540c2ba3d2a88c27b2a6287b39d8eac052 Author: Dario Binacchi Date: Fri Nov 22 23:15:53 2024 +0100 can: f81604: f81604_handle_can_bus_errors(): fix {rx,tx}_errors statistics The f81604_handle_can_bus_errors() function only incremented the receive error counter and never the transmit error counter, even if the ECC_DIR flag reported that an error had occurred during transmission. Increment the receive/transmit error counter based on the value of the ECC_DIR flag. Fixes: 88da17436973 ("can: usb: f81604: add Fintek F81604 support") Signed-off-by: Dario Binacchi Link: https://patch.msgid.link/20241122221650.633981-13-dario.binacchi@amarulasolutions.com Signed-off-by: Marc Kleine-Budde commit 72a7e2e74b3075959f05e622bae09b115957dffe Author: Dario Binacchi Date: Fri Nov 22 23:15:52 2024 +0100 can: ems_usb: ems_usb_rx_err(): fix {rx,tx}_errors statistics The ems_usb_rx_err() function only incremented the receive error counter and never the transmit error counter, even if the ECC_DIR flag reported that an error had occurred during transmission. Increment the receive/transmit error counter based on the value of the ECC_DIR flag. Fixes: 702171adeed3 ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB interface") Signed-off-by: Dario Binacchi Link: https://patch.msgid.link/20241122221650.633981-12-dario.binacchi@amarulasolutions.com Signed-off-by: Marc Kleine-Budde commit 595a81988a6fe06eb5849e972c8b9cb21c4e0d54 Author: Dario Binacchi Date: Fri Nov 22 23:15:51 2024 +0100 can: sun4i_can: sun4i_can_err(): fix {rx,tx}_errors statistics The sun4i_can_err() function only incremented the receive error counter and never the transmit error counter, even if the STA_ERR_DIR flag reported that an error had occurred during transmission. Increment the receive/transmit error counter based on the value of the STA_ERR_DIR flag. Fixes: 0738eff14d81 ("can: Allwinner A10/A20 CAN Controller support - Kernel module") Signed-off-by: Dario Binacchi Link: https://patch.msgid.link/20241122221650.633981-11-dario.binacchi@amarulasolutions.com Signed-off-by: Marc Kleine-Budde commit 2c4ef3af4b028a0eaaf378df511d3b425b1df61f Author: Dario Binacchi Date: Fri Nov 22 23:15:50 2024 +0100 can: sja1000: sja1000_err(): fix {rx,tx}_errors statistics The sja1000_err() function only incremented the receive error counter and never the transmit error counter, even if the ECC_DIR flag reported that an error had occurred during transmission. Increment the receive/transmit error counter based on the value of the ECC_DIR flag. Fixes: 429da1cc841b ("can: Driver for the SJA1000 CAN controller") Signed-off-by: Dario Binacchi Link: https://patch.msgid.link/20241122221650.633981-10-dario.binacchi@amarulasolutions.com Signed-off-by: Marc Kleine-Budde commit 3e4645931655776e757f9fb5ae29371cd7cb21a2 Author: Dario Binacchi Date: Fri Nov 22 23:15:49 2024 +0100 can: hi311x: hi3110_can_ist(): fix {rx,tx}_errors statistics The hi3110_can_ist() function was incorrectly incrementing only the receive error counter, even in cases of bit or acknowledgment errors that occur during transmission. The fix the issue by incrementing the appropriate counter based on the type of error. Fixes: 57e83fb9b746 ("can: hi311x: Add Holt HI-311x CAN driver") Signed-off-by: Dario Binacchi Link: https://patch.msgid.link/20241122221650.633981-9-dario.binacchi@amarulasolutions.com Signed-off-by: Marc Kleine-Budde commit bb03d568bb21b4afe7935d1943bcf68ddea3ea45 Author: Dario Binacchi Date: Fri Nov 22 23:15:48 2024 +0100 can: ifi_canfd: ifi_canfd_handle_lec_err(): fix {rx,tx}_errors statistics The ifi_canfd_handle_lec_err() function was incorrectly incrementing only the receive error counter, even in cases of bit or acknowledgment errors that occur during transmission. Fix the issue by incrementing the appropriate counter based on the type of error. Fixes: 5bbd655a8bd0 ("can: ifi: Add more detailed error reporting") Signed-off-by: Dario Binacchi Reviewed-by: Marek Vasut Link: https://patch.msgid.link/20241122221650.633981-8-dario.binacchi@amarulasolutions.com Signed-off-by: Marc Kleine-Budde commit 988d4222bf9039a875a3d48f2fe35c317831ff68 Author: Dario Binacchi Date: Fri Nov 22 23:15:47 2024 +0100 can: m_can: m_can_handle_lec_err(): fix {rx,tx}_errors statistics The m_can_handle_lec_err() function was incorrectly incrementing only the receive error counter, even in cases of bit or acknowledgment errors that occur during transmission. Fix the issue by incrementing the appropriate counter based on the type of error. Fixes: e0d1f4816f2a ("can: m_can: add Bosch M_CAN controller support") Signed-off-by: Dario Binacchi Link: https://patch.msgid.link/20241122221650.633981-7-dario.binacchi@amarulasolutions.com Signed-off-by: Marc Kleine-Budde commit ef5034aed9e03c649386f50e67a0867062d00d7f Author: Dario Binacchi Date: Fri Nov 22 23:15:46 2024 +0100 can: hi311x: hi3110_can_ist(): update state error statistics if skb allocation fails Ensure that the statistics related to state error counters (i. e. warning, passive, and bus-off) are updated even in case the skb allocation fails. Additionally, also handle bus-off state is now. Signed-off-by: Dario Binacchi Link: https://patch.msgid.link/20241122221650.633981-6-dario.binacchi@amarulasolutions.com Signed-off-by: Marc Kleine-Budde commit 9ad86d377ef4a19c75a9c639964879a5b25a433b Author: Dario Binacchi Date: Fri Nov 22 23:15:45 2024 +0100 can: hi311x: hi3110_can_ist(): fix potential use-after-free The commit a22bd630cfff ("can: hi311x: do not report txerr and rxerr during bus-off") removed the reporting of rxerr and txerr even in case of correct operation (i. e. not bus-off). The error count information added to the CAN frame after netif_rx() is a potential use after free, since there is no guarantee that the skb is in the same state. It might be freed or reused. Fix the issue by postponing the netif_rx() call in case of txerr and rxerr reporting. Fixes: a22bd630cfff ("can: hi311x: do not report txerr and rxerr during bus-off") Signed-off-by: Dario Binacchi Link: https://patch.msgid.link/20241122221650.633981-5-dario.binacchi@amarulasolutions.com Signed-off-by: Marc Kleine-Budde commit ee6bf3677ae03569d833795064e17f605c2163c7 Author: Dario Binacchi Date: Fri Nov 22 23:15:43 2024 +0100 can: sun4i_can: sun4i_can_err(): call can_change_state() even if cf is NULL Call the function can_change_state() if the allocation of the skb fails, as it handles the cf parameter when it is null. Additionally, this ensures that the statistics related to state error counters (i. e. warning, passive, and bus-off) are updated. Fixes: 0738eff14d81 ("can: Allwinner A10/A20 CAN Controller support - Kernel module") Signed-off-by: Dario Binacchi Link: https://patch.msgid.link/20241122221650.633981-3-dario.binacchi@amarulasolutions.com Signed-off-by: Marc Kleine-Budde commit 9e66242504f49e17481d8e197730faba7d99c934 Author: Dario Binacchi Date: Fri Nov 22 23:15:42 2024 +0100 can: c_can: c_can_handle_bus_err(): update statistics if skb allocation fails Ensure that the statistics are always updated, even if the skb allocation fails. Fixes: 4d6d26537940 ("can: c_can: fix {rx,tx}_errors statistics") Signed-off-by: Dario Binacchi Link: https://patch.msgid.link/20241122221650.633981-2-dario.binacchi@amarulasolutions.com Signed-off-by: Marc Kleine-Budde commit c66f759832a83cb273ba5a55c66dcc99384efa74 Author: Randy Dunlap Date: Mon Nov 25 13:50:21 2024 -0800 fs_parser: update mount_api doc to match function signature Add the missing 'name' parameter to the mount_api documentation for fs_validate_description(). Fixes: 96cafb9ccb15 ("fs_parser: remove fs_parameter_description name field") Signed-off-by: Randy Dunlap Link: https://lore.kernel.org/r/20241125215021.231758-1-rdunlap@infradead.org Cc: Eric Sandeen Cc: David Howells Cc: Al Viro Cc: Christian Brauner Cc: Jan Kara Cc: Jonathan Corbet Cc: linux-doc@vger.kernel.org Signed-off-by: Christian Brauner commit 82159e6ab409bd7c3de4fafdc27d64a58bcb154a Merge: 59c5e1411a0a13 f6e1dcd6444485 Author: Paolo Abeni Date: Tue Nov 26 10:29:14 2024 +0100 Merge branch 'ipv6-fix-temporary-address-not-removed-correctly' Hangbin Liu says: ==================== ipv6: fix temporary address not removed correctly Currently the temporary address is not removed when mngtmpaddr is deleted or becomes unmanaged. The patch set fixed this issue and add a related test. v2: 1) delete the tempaddrs directly instead of remove them in addrconf_verify_rtnl(Sam Edwards) 2) Update the test case by checking the address including, add Sam in SOB (Sam Edwards) ==================== Link: https://patch.msgid.link/20241120095108.199779-1-liuhangbin@gmail.com Signed-off-by: Paolo Abeni commit f6e1dcd6444485356d1df9d29df702acc7bba00c Author: Hangbin Liu Date: Wed Nov 20 09:51:08 2024 +0000 selftests/rtnetlink.sh: add mngtempaddr test Add a test to check the temporary address could be added/removed correctly when mngtempaddr is set or removed/unmanaged. Signed-off-by: Sam Edwards Signed-off-by: Hangbin Liu Reviewed-by: David Ahern Signed-off-by: Paolo Abeni commit 00b5b7aab9e422d00d5a9d03d7e0760a76b5d57f Author: Hangbin Liu Date: Wed Nov 20 09:51:07 2024 +0000 net/ipv6: delete temporary address if mngtmpaddr is removed or unmanaged RFC8981 section 3.4 says that existing temporary addresses must have their lifetimes adjusted so that no temporary addresses should ever remain "valid" or "preferred" longer than the incoming SLAAC Prefix Information. This would strongly imply in Linux's case that if the "mngtmpaddr" address is deleted or un-flagged as such, its corresponding temporary addresses must be cleared out right away. But now the temporary address is renewed even after ‘mngtmpaddr’ is removed or becomes unmanaged as manage_tempaddrs() set temporary addresses prefered/valid time to 0, and later in addrconf_verify_rtnl() all checkings failed to remove the addresses. Fix this by deleting the temporary address directly for these situations. Fixes: 778964f2fdf0 ("ipv6/addrconf: fix timing bug in tempaddr regen") Signed-off-by: Hangbin Liu Reviewed-by: David Ahern Signed-off-by: Paolo Abeni commit 59c5e1411a0a13ebb930f4ebba495cc4eb14f8f2 Author: Choong Yong Liang Date: Wed Nov 20 16:38:18 2024 +0800 net: stmmac: set initial EEE policy configuration Set the initial eee_cfg values to have 'ethtool --show-eee ' display the initial EEE configuration. Fixes: 49168d1980e2 ("net: phy: Add phy_support_eee() indicating MAC support EEE") Cc: Signed-off-by: Choong Yong Liang Reviewed-by: Jacob Keller Link: https://patch.msgid.link/20241120083818.1079456-1-yong.liang.choong@linux.intel.com Signed-off-by: Paolo Abeni commit 889b2ae9139a87b3390f7003cb1bb3d65bf90a26 Author: Alexander Kozhinov Date: Fri Oct 18 23:24:26 2024 +0200 can: gs_usb: add usb endpoint address detection at driver probe step There is an approach made to implement gs_usb firmware/driver based on Zephyr RTOS. It was found that USB stack of Zephyr RTOS overwrites USB EP addresses, if they have different last 4 bytes in absence of other endpoints. For example in case of gs_usb candlelight firmware EP-IN is 0x81 and EP-OUT 0x02. If there are no additional USB endpoints, Zephyr RTOS will overwrite EP-OUT to 0x01. More information can be found in the discussion with Zephyr RTOS USB stack maintainer here: https://github.com/zephyrproject-rtos/zephyr/issues/67812 There are already two different gs_usb FW driver implementations based on Zephyr RTOS: 1. https://github.com/CANnectivity/cannectivity (by: https://github.com/henrikbrixandersen) 2. https://github.com/zephyrproject-rtos/zephyr/compare/main...KozhinovAlexander:zephyr:gs_usb (by: https://github.com/KozhinovAlexander) At the moment both Zephyr RTOS implementations use dummy USB endpoint, to overcome described USB stack behavior from Zephyr itself. Since Zephyr RTOS is intended to be used on microcontrollers with very constrained amount of resources (ROM, RAM) and additional endpoint requires memory, it is more convenient to update the gs_usb driver in the Linux kernel. To fix this problem, update the gs_usb driver from using hard coded endpoint numbers to evaluate the endpoint descriptors and use the endpoints provided there. Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices") Reviewed-by: Vincent Mailhol Signed-off-by: Alexander Kozhinov Link: https://patch.msgid.link/20241018212450.31746-1-ak.alexander.kozhinov@gmail.com Signed-off-by: Marc Kleine-Budde commit ee1dfbdd8b4b6de85e96ae2059dc9c1bdb6b49b5 Author: Marc Kleine-Budde Date: Thu Nov 21 11:08:25 2024 +0100 can: dev: can_set_termination(): allow sleeping GPIOs In commit 6e86a1543c37 ("can: dev: provide optional GPIO based termination support") GPIO based termination support was added. For no particular reason that patch uses gpiod_set_value() to set the GPIO. This leads to the following warning, if the systems uses a sleeping GPIO, i.e. behind an I2C port expander: | WARNING: CPU: 0 PID: 379 at /drivers/gpio/gpiolib.c:3496 gpiod_set_value+0x50/0x6c | CPU: 0 UID: 0 PID: 379 Comm: ip Not tainted 6.11.0-20241016-1 #1 823affae360cc91126e4d316d7a614a8bf86236c Replace gpiod_set_value() by gpiod_set_value_cansleep() to allow the use of sleeping GPIOs. Cc: Nicolai Buchwitz Cc: Lino Sanfilippo Cc: stable@vger.kernel.org Reported-by: Leonard Göhrs Tested-by: Leonard Göhrs Fixes: 6e86a1543c37 ("can: dev: provide optional GPIO based termination support") Link: https://patch.msgid.link/20241121-dev-fix-can_set_termination-v1-1-41fa6e29216d@pengutronix.de Signed-off-by: Marc Kleine-Budde commit 70ab873797aa41217625a3fe15b00d2089f76b3e Merge: ebaf81317e42aa a01cfcfda5cc78 Author: Paolo Abeni Date: Tue Nov 26 10:13:01 2024 +0100 Merge branch 'correcting-switch-hardware-versions-and-reported-speeds' Justin Lai says: ==================== Correcting switch hardware versions and reported speeds This patch set mainly involves correcting switch hardware versions and reported speeds. Details are as follows: 1. Refactor the rtase_check_mac_version_valid() function. 2. Correct the speed for RTL907XD-V1 3. Corrects error handling of the rtase_check_mac_version_valid() v1 -> v2: - Add Fixes: tag. - Add defines for hardware version id. - Modify the error message for an invalid hardware version ID. v2 -> v3: - Remove the patch "Add support for RTL907XD-VA PCIe port". v3 -> v4: - Modify commit message to describe the main reason for the fix. v4 -> v5 - Integrate the addition of defines for hardware version ID into the patch "rtase: Refactor the rtase_check_mac_version_valid() function." ==================== Link: https://patch.msgid.link/20241120075624.499464-1-justinlai0215@realtek.com Signed-off-by: Paolo Abeni commit a01cfcfda5cc787552b344cbc92f9c363c81ad4f Author: Justin Lai Date: Wed Nov 20 15:56:24 2024 +0800 rtase: Corrects error handling of the rtase_check_mac_version_valid() Previously, when the hardware version ID was determined to be invalid, only an error message was printed without any further handling. Therefore, this patch makes the necessary corrections to address this. Fixes: a36e9f5cfe9e ("rtase: Add support for a pci table in this module") Signed-off-by: Justin Lai Signed-off-by: Paolo Abeni commit c1fc14c4df801fe2d9ec3160b52fa63569ce164c Author: Justin Lai Date: Wed Nov 20 15:56:23 2024 +0800 rtase: Correct the speed for RTL907XD-V1 Previously, the reported speed was uniformly set to SPEED_5000, but the RTL907XD-V1 actually operates at a speed of SPEED_10000. Therefore, this patch makes the necessary correction. Fixes: dd7f17c40fd1 ("rtase: Implement ethtool function") Signed-off-by: Justin Lai Signed-off-by: Paolo Abeni commit a1f8609ff1f658e410f78d800ca947d57e51996a Author: Justin Lai Date: Wed Nov 20 15:56:22 2024 +0800 rtase: Refactor the rtase_check_mac_version_valid() function Different hardware requires different configurations, but this distinction was not made previously. Additionally, the error message was not clear enough. Therefore, this patch will address the issues mentioned above. Fixes: a36e9f5cfe9e ("rtase: Add support for a pci table in this module") Signed-off-by: Justin Lai Signed-off-by: Paolo Abeni commit ebaf81317e42aa990ad20b113cfe3a7b20d4e937 Author: Sidraya Jayagond Date: Tue Nov 19 16:22:19 2024 +0100 s390/iucv: MSG_PEEK causes memory leak in iucv_sock_destruct() Passing MSG_PEEK flag to skb_recv_datagram() increments skb refcount (skb->users) and iucv_sock_recvmsg() does not decrement skb refcount at exit. This results in skb memory leak in skb_queue_purge() and WARN_ON in iucv_sock_destruct() during socket close. To fix this decrease skb refcount by one if MSG_PEEK is set in order to prevent memory leak and WARN_ON. WARNING: CPU: 2 PID: 6292 at net/iucv/af_iucv.c:286 iucv_sock_destruct+0x144/0x1a0 [af_iucv] CPU: 2 PID: 6292 Comm: afiucv_test_msg Kdump: loaded Tainted: G W 6.10.0-rc7 #1 Hardware name: IBM 3931 A01 704 (z/VM 7.3.0) Call Trace: [<001587c682c4aa98>] iucv_sock_destruct+0x148/0x1a0 [af_iucv] [<001587c682c4a9d0>] iucv_sock_destruct+0x80/0x1a0 [af_iucv] [<001587c704117a32>] __sk_destruct+0x52/0x550 [<001587c704104a54>] __sock_release+0xa4/0x230 [<001587c704104c0c>] sock_close+0x2c/0x40 [<001587c702c5f5a8>] __fput+0x2e8/0x970 [<001587c7024148c4>] task_work_run+0x1c4/0x2c0 [<001587c7023b0716>] do_exit+0x996/0x1050 [<001587c7023b13aa>] do_group_exit+0x13a/0x360 [<001587c7023b1626>] __s390x_sys_exit_group+0x56/0x60 [<001587c7022bccca>] do_syscall+0x27a/0x380 [<001587c7049a6a0c>] __do_syscall+0x9c/0x160 [<001587c7049ce8a8>] system_call+0x70/0x98 Last Breaking-Event-Address: [<001587c682c4a9d4>] iucv_sock_destruct+0x84/0x1a0 [af_iucv] Fixes: eac3731bd04c ("[S390]: Add AF_IUCV socket support") Reviewed-by: Alexandra Winter Reviewed-by: Thorsten Winkler Signed-off-by: Sidraya Jayagond Signed-off-by: Alexandra Winter Reviewed-by: David Wei Link: https://patch.msgid.link/20241119152219.3712168-1-wintera@linux.ibm.com Signed-off-by: Paolo Abeni commit 5d066766c5f1252f98ff859265bcd1a5b52ac46c Author: James Chapman Date: Mon Nov 18 14:04:11 2024 +0000 net/l2tp: fix warning in l2tp_exit_net found by syzbot In l2tp's net exit handler, we check that an IDR is empty before destroying it: WARN_ON_ONCE(!idr_is_empty(&pn->l2tp_tunnel_idr)); idr_destroy(&pn->l2tp_tunnel_idr); By forcing memory allocation failures in idr_alloc_32, syzbot is able to provoke a condition where idr_is_empty returns false despite there being no items in the IDR. This turns out to be because the radix tree of the IDR contains only internal radix-tree nodes and it is this that causes idr_is_empty to return false. The internal nodes are cleaned by idr_destroy. Use idr_for_each to check that the IDR is empty instead of idr_is_empty to avoid the problem. Reported-by: syzbot+332fe1e67018625f63c9@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=332fe1e67018625f63c9 Fixes: 73d33bd063c4 ("l2tp: avoid using drain_workqueue in l2tp_pre_exit_net") Signed-off-by: James Chapman Link: https://patch.msgid.link/20241118140411.1582555-1-jchapman@katalix.com Signed-off-by: Paolo Abeni commit 155699ccab7c78cbba69798242b68bc8ac66d5d2 Author: Kailang Yang Date: Thu Nov 21 16:16:26 2024 +0800 ALSA: hda/realtek: Set PCBeep to default value for ALC274 BIOS Enable PC beep path cause pop noise via speaker during boot time. Set to default value from driver will solve the issue. Signed-off-by: Kailang Yang Cc: Link: https://lore.kernel.org/2721bb57e20a44c3826c473e933f9105@realtek.com Signed-off-by: Takashi Iwai commit 4e7035a75da9371c93dabcb789883e31d2765dcf Author: Baojun Xu Date: Sat Nov 23 15:37:18 2024 +0800 ALSA: hda/tas2781: Add speaker id check for ASUS projects Add speaker id check by gpio in ACPI for ASUS projects. In other vendors, speaker id was checked by BIOS, and was applied in last bit of subsys id, so we can load corresponding firmware binary file for its speaker by subsys id. But in ASUS project, the firmware binary name will be appended an extra number to tell the speakers from different vendors. And this single digit come from gpio level of speaker id in BIOS. Signed-off-by: Baojun Xu Link: https://patch.msgid.link/20241123073718.475-1-baojun.xu@ti.com Signed-off-by: Takashi Iwai commit 1fd50509fe14a9adc9329e0454b986157a4c155a Author: Kailang Yang Date: Thu Nov 14 15:08:07 2024 +0800 ALSA: hda/realtek: Update ALC225 depop procedure Old procedure has a chance to meet Headphone no output. Fixes: da911b1f5e98 ("ALSA: hda/realtek - update ALC225 depop optimize") Signed-off-by: Kailang Yang Cc: Link: https://lore.kernel.org/5a27b016ba9d42b4a4e6dadce50a3ba4@realtek.com Signed-off-by: Takashi Iwai commit 31917b7bd892de730ab67b215c62aeeea778112e Author: Kailang Yang Date: Thu Nov 21 16:10:42 2024 +0800 ALSA: hda/realtek: Enable speaker pins for Medion E15443 platform Speaker has no sound for Medion E15443. Added another speaker pins for Medion E15443 platform. Signed-off-by: Kailang Yang Cc: Link: https://lore.kernel.org/eac4f3aca2ab45e59ccd207a90ee60e9@realtek.com Signed-off-by: Takashi Iwai commit 7ba81e4c3aa0ca25f06dc4456e7d36fa8e76385f Author: Dirk Su Date: Tue Nov 26 14:05:24 2024 +0800 ALSA: hda/realtek: fix mute/micmute LEDs don't work for EliteBook X G1i HP EliteBook X G1i needs ALC285_FIXUP_HP_GPIO_LED quirk to make mic-mute/audio-mute working. Signed-off-by: Dirk Su Cc: Link: https://patch.msgid.link/20241126060531.22759-1-dirk.su@canonical.com Signed-off-by: Takashi Iwai commit 7eef7e306d3c40a0c5b9ff6adc9b273cc894dbd5 Merge: 0637a68b9c6c1d a573e404cbf269 Author: Linus Torvalds Date: Mon Nov 25 18:54:00 2024 -0800 Merge tag 'for-6.13/dm-changes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm Pull device mapper updates from Mikulas Patocka: - remove unused functions and variables - rate-limit error messages in syslog - fix typo - remove u64 alignment requirement for murmurhash - reset bi_ioprio to the default for dm-vdo - add support for get_unique_id - Add missing destroy_work_on_stack() to dm-thin - use kmalloc to allocate power-of-two sized buffers in bufio * tag 'for-6.13/dm-changes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm: dm-verity: remove the unused "data_start" variable dm-bufio: use kmalloc to allocate power-of-two sized buffers dm thin: Add missing destroy_work_on_stack() dm: add support for get_unique_id dm vdo: fix function doc comment formatting dm vdo int-map: remove unused parameters dm-vdo: reset bi_ioprio to the default value when the bio is reset dm-vdo murmurhash: remove u64 alignment requirement dm: Fix typo in error message dm ioctl: rate limit a couple of ioctl based error messages dm vdo: Remove unused uds_compute_index_size dm vdo: Remove unused functions dm: zoned: Remove unused functions dm: Remove unused dm_table_bio_based dm: Remove unused dm_set_md_type dm cache: Remove unused functions in bio-prison-v1 dm cache: Remove unused dm_cache_size dm cache: Remove unused dm_cache_dump dm cache: Remove unused btracker_nr_writebacks_queued commit 0637a68b9c6c1dfffcc1fca003cb7cd3257c3c03 Merge: 222974c6ec9d90 8e3b6345d113cc Author: Linus Torvalds Date: Mon Nov 25 18:50:55 2024 -0800 Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi Pull SCSI updates from James Bottomley: "Updates to the usual drivers (ufs, lpfc, hisi_sas, st). Amazingly enough, no core changes with the biggest set of driver changes being ufs (which conflicted with it's own fixes a bit, hence the merges) and the rest being minor fixes and updates" * tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: (97 commits) scsi: st: New session only when Unit Attention for new tape scsi: st: Add MTIOCGET and MTLOAD to ioctls allowed after device reset scsi: st: Don't modify unknown block number in MTIOCGET scsi: ufs: core: Restore SM8650 support scsi: sun3: Mark driver struct with __refdata to prevent section mismatch scsi: sg: Enable runtime power management scsi: qedi: Fix a possible memory leak in qedi_alloc_and_init_sb() scsi: qedf: Fix a possible memory leak in qedf_alloc_and_init_sb() scsi: fusion: Remove unused variable 'rc' scsi: bfa: Fix use-after-free in bfad_im_module_exit() scsi: esas2r: Remove unused esas2r_build_cli_req() scsi: target: Fix incorrect function name in pscsi_create_type_disk() scsi: ufs: Replace deprecated PCI functions scsi: Switch back to struct platform_driver::remove() scsi: pm8001: Increase request sg length to support 4MiB requests scsi: pm8001: Initialize devices in pm8001_alloc_dev() scsi: pm8001: Use module param to set pcs event log severity scsi: ufs: ufs-mediatek: Configure individual LU queue flags scsi: MAINTAINERS: Update UFS Exynos entry scsi: lpfc: Copyright updates for 14.4.0.6 patches ... commit 222974c6ec9d901f7ad13bbe6e505ec1f1d822d4 Author: Linus Torvalds Date: Mon Nov 25 18:45:33 2024 -0800 iommu: remove stale declaration left over by a merge conflict The merge commit ae3325f752ef ("Merge branches 'arm/smmu', 'mediatek', 's390', 'ti/omap', 'riscv' and 'core' into next") left a stale declaration of 'iommu_present()' even though the 'core' branch that was merged had removed the function (and the declaration). Remove it for real. Reported-by: Dmitry Safonov <0x7f454c46@gmail.com> Cc: Joerg Roedel Signed-off-by: Linus Torvalds commit 78a2cbd809ef834b680f2825d3e4c16ec66f8ffa Merge: 2c22dc1ee3a1d1 f3dd9ae7f03aef Author: Linus Torvalds Date: Mon Nov 25 18:31:48 2024 -0800 Merge tag 'libnvdimm-for-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm Pull nvdimm and DAX updates from Ira Weiny: "Most represent minor cleanups and code removals. One patch fixes potential NULL pointer arithmetic which was benign because the offset of the member was 0. Nevertheless it should be cleaned up. - typo fixes - clarify logic to remove potential NULL pointer math - remove dead code" * tag 'libnvdimm-for-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm: dax: Remove an unused field in struct dax_operations dax: delete a stale directory pmem nvdimm: rectify the illogical code within nd_dax_probe() nvdimm: Correct some typos in comments commit 2c22dc1ee3a1d1c50bee5f0f71ebffa86c33e172 Merge: 2d32fba02e0e5b 7f9e19f207be0c Author: Linus Torvalds Date: Mon Nov 25 17:31:39 2024 -0800 Merge tag 'mailbox-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/jassibrar/mailbox Pull mailbox updates from Jassi Brar: "Common: - switch back from remove_new() to remove() callback imx: - fix format specifier zynqmp: - setup IPI for each child node thead: - Add th1520 driver and bindings qcom: - add SM8750 and SAR2130p compatibles - fix expected clocks for callbacks - use IRQF_NO_SUSPEND for cpucp mtk-cmdq: - switch to __pm_runtime_put_autosuspend() - fix alloc size of clocks mpfs: - fix reg properties ti-msgmgr: - don't use of_match_ptr helper - enable COMPILE_TEST build pcc: - consider the PCC_ACK_FLAG arm_mhuv2: - fix non-fatal improper reuse of variable" * tag 'mailbox-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/jassibrar/mailbox: mailbox: pcc: Check before sending MCTP PCC response ACK mailbox: Switch back to struct platform_driver::remove() mailbox: imx: Modify the incorrect format specifier mailbox: arm_mhuv2: clean up loop in get_irq_chan_comb() mailbox: zynqmp: setup IPI for each valid child node dt-bindings: mailbox: Add thead,th1520-mailbox bindings mailbox: Introduce support for T-head TH1520 Mailbox driver mailbox: mtk-cmdq: fix wrong use of sizeof in cmdq_get_clocks() dt-bindings: mailbox: qcom-ipcc: Add SM8750 dt-bindings: mailbox: qcom,apcs-kpss-global: correct expected clocks for fallbacks dt-bindings: mailbox: qcom-ipcc: Add SAR2130P compatible mailbox: ti-msgmgr: Allow building under COMPILE_TEST mailbox: ti-msgmgr: Remove use of of_match_ptr() helper mailbox: qcom-cpucp: Mark the irq with IRQF_NO_SUSPEND flag mailbox: mtk-cmdq-mailbox: Switch to __pm_runtime_put_autosuspend() mailbox: mpfs: support new, syscon based, devicetree configuration dt-bindings: mailbox: mpfs: fix reg properties commit 2d32fba02e0e5b67fb3a4ea51dde80c0db83f1c1 Merge: 70dbb12e95ec75 ac6f0825e582f2 Author: Linus Torvalds Date: Mon Nov 25 17:24:51 2024 -0800 Merge tag 'pinctrl-v6.13-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl Pull pin control updates from Linus Walleij: "No core changes this time. New drivers: - Xlinix Versal pin control driver - Ocelot LAN969x pin control driver - T-Head TH1520 RISC-V SoC pin control driver - Qualcomm SM8750, IPQ5424, QCS8300, SAR2130P and QCS615 SoC pin control drivers - Qualcomm SM8750 LPASS (low power audio subsystem) pin control driver - Qualcomm PM8937 mixsig IC pin control support, GPIO and MPP (multi-purpose-pin) - Samsung Exynos8895 and Exynos9810 SoC pin control driver - SpacemiT K1 SoC pin control driver - Airhoa EN7581 IC pin control driver Improvements: - The Renesas subdriver now supports schmitt-trigger and open drain pin configurations if the hardware supports it - Support GPIOF and GPIOG banks in the Aspeed G6 SoC - Support the DSW community in the Intel Elkhartlake SoC" * tag 'pinctrl-v6.13-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl: (105 commits) pinctrl: airoha: Use unsigned long for bit search pinctrl: k210: Undef K210_PC_DEFAULT pinctrl: qcom: spmi: fix debugfs drive strength pinctrl: qcom: Add sm8750 pinctrl driver dt-bindings: pinctrl: qcom: Add sm8750 pinctrl pinctrl: cy8c95x0: remove unneeded goto labels pinctrl: cy8c95x0: embed iterator to the for-loop pinctrl: cy8c95x0: Use temporary variable for struct device pinctrl: cy8c95x0: use flexible sleeping in reset function pinctrl: cy8c95x0: switch to using devm_regulator_get_enable() pinctrl: cy8c95x0: Use 2-argument strscpy() dt-bindings: pinctrl: sx150xq: allow gpio line naming pinctrl: single: add marvell,pxa1908-padconf compatible dt-bindings: pinctrl: pinctrl-single: add marvell,pxa1908-padconf compatible dt-bindings: pinctrl: correct typo of description for cv1800 pinctrl: qcom: spmi-mpp: Add PM8937 compatible dt-bindings: pinctrl: qcom,pmic-mpp: Document PM8937 compatible pinctrl: qcom-pmic-gpio: add support for PM8937 dt-bindings: pinctrl: qcom,pmic-gpio: add PM8937 pinctrl: Use of_property_present() for non-boolean properties ... commit 2bd9b57d04df417f31ef54448477c212fcdd14fc Author: Mathieu Desnoyers Date: Mon Nov 25 09:25:14 2024 -0500 tracing: Use guard() rather than scoped_guard() Using scoped_guard() in the implementation of trace_##name() adds an unnecessary level of indentation. Cc: Steven Rostedt Cc: Linus Torvalds Cc: Thomas Gleixner Cc: Michael Jeanson Cc: Masami Hiramatsu Cc: Peter Zijlstra Cc: Alexei Starovoitov Cc: Yonghong Song Cc: Paul E. McKenney Cc: Ingo Molnar Cc: Arnaldo Carvalho de Melo Cc: Mark Rutland Cc: Alexander Shishkin Cc: Namhyung Kim Cc: Andrii Nakryiko Cc: bpf@vger.kernel.org Cc: Joel Fernandes Cc: Jordan Rife Link: https://lore.kernel.org/20241125142514.2897143-1-mathieu.desnoyers@efficios.com Signed-off-by: Mathieu Desnoyers Signed-off-by: Steven Rostedt (Google) commit 70dbb12e95ec7585c68cb3ceae971688915021e3 Merge: 5d38cb9bee7396 16470f60666618 Author: Linus Torvalds Date: Mon Nov 25 17:15:12 2024 -0800 Merge tag 'i2c-for-6.13-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux Pull more i2c updates from Wolfram Sang: "Andi was super busy the last weeks, so this pull requests contains one series (nomadik) and a number of smaller additions which were ready to go but nearly overlooked. New feature support: - Added support for frequencies up to 3.4 MHz on Nomadik I2C - DesignWare now accounts for bus capacitance and clock optimisation (declared as new parameters in the binding) to improve the calculation of signal rise and fall times (t_high and t_low) New Hardware support: - DWAPB I2C controller on FUJITSU-MONAKA (new ACPI HID) - Allwinner A523 (new compatible ID) - Mobileye EyeQ6H (new compatible ID)" * tag 'i2c-for-6.13-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux: MAINTAINERS: transfer i2c-aspeed maintainership from Brendan to Ryan i2c: designware: determine HS tHIGH and tLOW based on HW parameters dt-bindings: i2c: snps,designware-i2c: declare bus capacitance and clk freq optimized i2c: nomadik: support >=1MHz speed modes i2c: nomadik: fix BRCR computation i2c: nomadik: support Mobileye EyeQ6H I2C controller i2c: nomadik: switch from of_device_is_compatible() to of_match_device() dt-bindings: i2c: nomadik: support 400kHz < clock-frequency <= 3.4MHz dt-bindings: i2c: nomadik: add mobileye,eyeq6h-i2c bindings dt-bindings: i2c: mv64xxx: Add Allwinner A523 compatible string i2c: designware: Add ACPI HID for DWAPB I2C controller on FUJITSU-MONAKA i2c: qup: use generic device property accessors commit 5d38cb9bee73969125c7818a9f9e3358e0db07d6 Merge: e06635e26cd814 4752e8cde8344c Author: Linus Torvalds Date: Mon Nov 25 17:12:54 2024 -0800 Merge tag 'firewire-updates-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394 Pull firewire updates from Takashi Sakamoto: "A few updates for the 6.13 kernel, including some typo corrections in the software stack and some fixes for tools. Additionally, it includes a change resulting from the deprecation of a kernel API in the PCI subsystem" * tag 'firewire-updates-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394: tools/firewire: Fix several incorrect format specifiers firewire: ohci: Replace deprecated PCI functions firewire: Correct some typos commit 9a8c5d89d327ff58e9b2517f8a6afb4181d32c6e Author: Yunseong Kim Date: Mon Nov 25 16:45:55 2024 +0900 ksmbd: fix use-after-free in SMB request handling A race condition exists between SMB request handling in `ksmbd_conn_handler_loop()` and the freeing of `ksmbd_conn` in the workqueue handler `handle_ksmbd_work()`. This leads to a UAF. - KASAN: slab-use-after-free Read in handle_ksmbd_work - KASAN: slab-use-after-free in rtlock_slowlock_locked This race condition arises as follows: - `ksmbd_conn_handler_loop()` waits for `conn->r_count` to reach zero: `wait_event(conn->r_count_q, atomic_read(&conn->r_count) == 0);` - Meanwhile, `handle_ksmbd_work()` decrements `conn->r_count` using `atomic_dec_return(&conn->r_count)`, and if it reaches zero, calls `ksmbd_conn_free()`, which frees `conn`. - However, after `handle_ksmbd_work()` decrements `conn->r_count`, it may still access `conn->r_count_q` in the following line: `waitqueue_active(&conn->r_count_q)` or `wake_up(&conn->r_count_q)` This results in a UAF, as `conn` has already been freed. The discovery of this UAF can be referenced in the following PR for syzkaller's support for SMB requests. Link: https://github.com/google/syzkaller/pull/5524 Fixes: ee426bfb9d09 ("ksmbd: add refcnt to ksmbd_conn struct") Cc: linux-cifs@vger.kernel.org Cc: stable@vger.kernel.org # v6.6.55+, v6.10.14+, v6.11.3+ Cc: syzkaller@googlegroups.com Signed-off-by: Yunseong Kim Acked-by: Namjae Jeon Signed-off-by: Steve French commit db5f8243067f87138888a6842acbce5340d1626c Author: Namjae Jeon Date: Fri Nov 22 16:15:20 2024 +0900 ksmbd: add debug print for pending request during server shutdown We need to know how many pending requests are left at the end of server shutdown. That means we need to know how long the server will wait to process pending requests in case of a server shutdown. Signed-off-by: Namjae Jeon Signed-off-by: Steve French commit 5f3f274e2ce68999b49901de4794c4b04125b154 Author: Namjae Jeon Date: Fri Nov 22 16:14:37 2024 +0900 ksmbd: add netdev-up/down event debug print Add netdev-up/down event debug print to find what netdev is connected or disconnected. Signed-off-by: Namjae Jeon Signed-off-by: Steve French commit e333e77638b3cc8b591664a1e8718a267466f974 Author: Namjae Jeon Date: Fri Nov 22 16:13:53 2024 +0900 ksmbd: add debug prints to know what smb2 requests were received Add debug prints to know what smb2 requests were received. Signed-off-by: Namjae Jeon Signed-off-by: Steve French commit fc61a5db2dfbdeebc7c11f70ed4db58d7c20b976 Author: Namjae Jeon Date: Fri Nov 22 16:13:04 2024 +0900 ksmbd: add debug print for rdma capable Add debug print to know if netdevice is RDMA-capable network adapter. Signed-off-by: Namjae Jeon Signed-off-by: Steve French commit f75f8bdd4ff4830abe31a1b94892eb12b85b9535 Author: Namjae Jeon Date: Fri Nov 22 16:16:00 2024 +0900 ksmbd: use msleep instaed of schedule_timeout_interruptible() use msleep instaed of schedule_timeout_interruptible() to guarantee the task delays as expected. Signed-off-by: Namjae Jeon Signed-off-by: Steve French commit 0066f623bce8f98b69b752ee03d46a5047c281b8 Author: Namjae Jeon Date: Fri Nov 22 16:33:25 2024 +0900 ksmbd: use __GFP_RETRY_MAYFAIL Prefer to report ENOMEM rather than incur the oom for allocations in ksmbd. __GFP_NORETRY could not achieve that, It would fail the allocations just too easily. __GFP_RETRY_MAYFAIL will keep retrying the allocation until there is no more progress and fail the allocation instead go OOM and let the caller to deal with it. Signed-off-by: Namjae Jeon Signed-off-by: Steve French commit e06635e26cd8144eee17e9f256e8fde8aed3ba4f Merge: f5f4745a7f057b 9008fe8fad8255 Author: Linus Torvalds Date: Mon Nov 25 16:51:24 2024 -0800 Merge tag 'slab-for-6.13-v2' of git://git.kernel.org/pub/scm/linux/kernel/git/vbabka/slab Pull slab updates from Vlastimil Babka: - Add new slab_strict_numa boot parameter to enforce per-object memory policies on top of slab folio policies, for systems where saving cost of remote accesses is more important than minimizing slab allocation overhead (Christoph Lameter) - Fix for freeptr_offset alignment check being too strict for m68k (Geert Uytterhoeven) - krealloc() fixes for not violating __GFP_ZERO guarantees on krealloc() when slub_debug (redzone and object tracking) is enabled (Feng Tang) - Fix a memory leak in case sysfs registration fails for a slab cache, and also no longer fail to create the cache in that case (Hyeonggon Yoo) - Fix handling of detected consistency problems (due to buggy slab user) with slub_debug enabled, so that it does not cause further list corruption bugs (yuan.gao) - Code cleanup and kerneldocs polishing (Zhen Lei, Vlastimil Babka) * tag 'slab-for-6.13-v2' of git://git.kernel.org/pub/scm/linux/kernel/git/vbabka/slab: slab: Fix too strict alignment check in create_cache() mm/slab: Allow cache creation to proceed even if sysfs registration fails mm/slub: Avoid list corruption when removing a slab from the full list mm/slub, kunit: Add testcase for krealloc redzone and zeroing mm/slub: Improve redzone check and zeroing for krealloc() mm/slub: Consider kfence case for get_orig_size() SLUB: Add support for per object memory policies mm, slab: add kerneldocs for common SLAB_ flags mm/slab: remove duplicate check in create_cache() mm/slub: Move krealloc() and related code to slub.c mm/kasan: Don't store metadata inside kmalloc object when slub_debug_orig_size is on commit f5f4745a7f057b58c9728ee4e2c5d6d79f382fe7 Merge: 7f4f3b14e8079e 2c259a91d8d23a Author: Linus Torvalds Date: Mon Nov 25 16:09:48 2024 -0800 Merge tag 'mm-nonmm-stable-2024-11-24-02-05' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Pull non-MM updates from Andrew Morton: - The series "resource: A couple of cleanups" from Andy Shevchenko performs some cleanups in the resource management code - The series "Improve the copy of task comm" from Yafang Shao addresses possible race-induced overflows in the management of task_struct.comm[] - The series "Remove unnecessary header includes from {tools/}lib/list_sort.c" from Kuan-Wei Chiu adds some cleanups and a small fix to the list_sort library code and to its selftest - The series "Enhance min heap API with non-inline functions and optimizations" also from Kuan-Wei Chiu optimizes and cleans up the min_heap library code - The series "nilfs2: Finish folio conversion" from Ryusuke Konishi finishes off nilfs2's folioification - The series "add detect count for hung tasks" from Lance Yang adds more userspace visibility into the hung-task detector's activity - Apart from that, singelton patches in many places - please see the individual changelogs for details * tag 'mm-nonmm-stable-2024-11-24-02-05' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm: (71 commits) gdb: lx-symbols: do not error out on monolithic build kernel/reboot: replace sprintf() with sysfs_emit() lib: util_macros_kunit: add kunit test for util_macros.h util_macros.h: fix/rework find_closest() macros Improve consistency of '#error' directive messages ocfs2: fix uninitialized value in ocfs2_file_read_iter() hung_task: add docs for hung_task_detect_count hung_task: add detect count for hung tasks dma-buf: use atomic64_inc_return() in dma_buf_getfile() fs/proc/kcore.c: fix coccinelle reported ERROR instances resource: avoid unnecessary resource tree walking in __region_intersects() ocfs2: remove unused errmsg function and table ocfs2: cluster: fix a typo lib/scatterlist: use sg_phys() helper checkpatch: always parse orig_commit in fixes tag nilfs2: convert metadata aops from writepage to writepages nilfs2: convert nilfs_recovery_copy_block() to take a folio nilfs2: convert nilfs_page_count_clean_buffers() to take a folio nilfs2: remove nilfs_writepage nilfs2: convert checkpoint file to be folio-based ... commit 7f4f3b14e8079ecde096bd734af10e30d40c27b7 Merge: 36843bfbf7fdea 8af7a50167833b Author: Linus Torvalds Date: Mon Nov 25 15:44:29 2024 -0800 Merge tag 'trace-rust-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace Pull rust trace event support from Steven Rostedt: "Allow Rust code to have trace events Trace events is a popular way to debug what is happening inside the kernel or just to find out what is happening. Rust code is being added to the Linux kernel but it currently does not support the tracing infrastructure. Add support of trace events inside Rust code" * tag 'trace-rust-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: rust: jump_label: skip formatting generated file jump_label: rust: pass a mut ptr to `static_key_count` samples: rust: fix `rust_print` build making it a combined module rust: add arch_static_branch jump_label: adjust inline asm to be consistent rust: samples: add tracepoint to Rust sample rust: add tracepoint support rust: add static_branch_unlikely for static_key_false commit 36843bfbf7fdeab459e164b0ed8bb939660c378b Merge: 573f45a9f9a47f f06e108a3dc53c Author: Linus Torvalds Date: Mon Nov 25 15:22:35 2024 -0800 Merge tag 'hardening-v6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux Pull hardening updates from Kees Cook: - Disable __counted_by in Clang < 19.1.3 (Jan Hendrik Farr) - string_helpers: Silence output truncation warning (Bartosz Golaszewski) - compiler.h: Avoid needing BUILD_BUG_ON_ZERO() (Philipp Reisner) - MAINTAINERS: Add kernel hardening keywords __counted_by{_le|_be} (Thorsten Blum) * tag 'hardening-v6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: Compiler Attributes: disable __counted_by for clang < 19.1.3 compiler.h: Fix undefined BUILD_BUG_ON_ZERO() lib: string_helpers: silence snprintf() output truncation warning MAINTAINERS: Add kernel hardening keywords __counted_by{_le|_be} commit e0779a0dcf41a6452ac0a169cd96863feb5787c7 Author: Maxime Chevallier Date: Fri Nov 22 11:10:30 2024 +0100 rtc: ab-eoz9: don't fail temperature reads on undervoltage notification The undervoltage flags reported by the RTC are useful to know if the time and date are reliable after a reboot. Although the threshold VLOW1 indicates that the thermometer has been shutdown and time compensation is off, it doesn't mean that the temperature readout is currently impossible. As the system is running, the RTC voltage is now fully established and we can read the temperature. Fixes: 67075b63cce2 ("rtc: add AB-RTCMC-32.768kHz-EOZ9 RTC support") Signed-off-by: Maxime Chevallier Link: https://lore.kernel.org/r/20241122101031.68916-3-maxime.chevallier@bootlin.com Signed-off-by: Alexandre Belloni commit 3ed345c948ef6ccd0f5dc85c5b6731593b4591f7 Author: Wolfram Sang Date: Fri Nov 22 11:14:48 2024 +0100 rtc: rzn1: reduce register access This RTC has special 32bit registers which return multiple of the same 8bit registers at once. Use these to minimize register access. Also, do the to/from BCD conversions right away, so 'tm' always contains values as described in time.h. Signed-off-by: Wolfram Sang Acked-by: Miquel Raynal Link: https://lore.kernel.org/r/20241122101448.4374-3-wsa+renesas@sang-engineering.com Signed-off-by: Alexandre Belloni commit 692f983b2dc933f9c4f6255dc0a5f3df42110a2a Author: Wolfram Sang Date: Fri Nov 22 11:14:47 2024 +0100 rtc: rzn1: drop superfluous wday calculation The week register simply counts from 0 to 6 where the numbers do not even represent a specific weekday. So we can adopt 'tm_wday' numbering of the RTC core without converting it. Signed-off-by: Wolfram Sang Link: https://lore.kernel.org/r/20241122101448.4374-2-wsa+renesas@sang-engineering.com Signed-off-by: Alexandre Belloni commit ef3ba8c258ee368a5343fa9329df85b4bcb9e8b5 Author: Amir Mohammadi Date: Thu Nov 21 12:04:13 2024 +0330 bpftool: fix potential NULL pointer dereferencing in prog_dump() A NULL pointer dereference could occur if ksyms is not properly checked before usage in the prog_dump() function. Fixes: b053b439b72a ("bpf: libbpf: bpftool: Print bpf_line_info during prog dump") Signed-off-by: Amir Mohammadi Reviewed-by: Quentin Monnet Acked-by: John Fastabend Link: https://lore.kernel.org/r/20241121083413.7214-1-amiremohamadi@yahoo.com Signed-off-by: Alexei Starovoitov commit ac9a48a6f1610b094072b815e884e1668aea4401 Author: Larysa Zaremba Date: Fri Nov 22 12:29:09 2024 +0100 xsk: always clear DMA mapping information when unmapping the pool When the umem is shared, the DMA mapping is also shared between the xsk pools, therefore it should stay valid as long as at least 1 user remains. However, the pool also keeps the copies of DMA-related information that are initialized in the same way in xp_init_dma_info(), but cleared by xp_dma_unmap() only for the last remaining pool, this causes the problems below. The first one is that the commit adbf5a42341f ("ice: remove af_xdp_zc_qps bitmap") relies on pool->dev to determine the presence of a ZC pool on a given queue, avoiding internal bookkeeping. This works perfectly fine if the UMEM is not shared, but reliably fails otherwise as stated in the linked report. The second one is pool->dma_pages which is dynamically allocated and only freed in xp_dma_unmap(), this leads to a small memory leak. kmemleak does not catch it, but by printing the allocation results after terminating the userspace program it is possible to see that all addresses except the one belonging to the last detached pool are still accessible through the kmemleak dump functionality. Always clear the DMA mapping information from the pool and free pool->dma_pages when unmapping the pool, so that the only difference between results of the last remaining user's call and the ones before would be the destruction of the DMA mapping. Fixes: adbf5a42341f ("ice: remove af_xdp_zc_qps bitmap") Fixes: 921b68692abb ("xsk: Enable sharing of dma mappings") Reported-by: Alasdair McWilliam Closes: https://lore.kernel.org/PA4P194MB10056F208AF221D043F57A3D86512@PA4P194MB1005.EURP194.PROD.OUTLOOK.COM Acked-by: Maciej Fijalkowski Signed-off-by: Larysa Zaremba Link: https://lore.kernel.org/r/20241122112912.89881-1-larysa.zaremba@intel.com Signed-off-by: Alexei Starovoitov commit 7ca088420084cbceb9ebdee8c5ff9bfc9eac8dae Merge: 20a39ea37751f8 ab244dd7cf4c29 Author: Alexei Starovoitov Date: Mon Nov 25 14:25:49 2024 -0800 Merge branch 'bpf-fix-oob-accesses-in-map_delete_elem-callbacks' Maciej Fijalkowski says: ==================== bpf: fix OOB accesses in map_delete_elem callbacks v1->v2: - CC stable and collect tags from Toke & John Hi, Jordy reported that for big enough XSKMAPs and DEVMAPs, when deleting elements, OOB writes occur. Reproducer below: // compile with gcc -o map_poc map_poc.c -lbpf #include #include #include #include #include #include #include int main() { // Create a large enough BPF XSK map int map_fd; union bpf_attr create_attr = { .map_type = BPF_MAP_TYPE_XSKMAP, .key_size = sizeof(int), .value_size = sizeof(int), .max_entries = 0x80000000 + 2, }; map_fd = syscall(SYS_bpf, BPF_MAP_CREATE, &create_attr, sizeof(create_attr)); if (map_fd < 0) { fprintf(stderr, "Failed to create BPF map: %s\n", strerror(errno)); return 1; } // Delete an element from the map using syscall unsigned int key = 0x80000000 + 1; if (syscall(SYS_bpf, BPF_MAP_DELETE_ELEM, &(union bpf_attr){ .map_fd = map_fd, .key = &key, }, sizeof(union bpf_attr)) < 0) { fprintf(stderr, "Failed to delete element from BPF map: %s\n", strerror(errno)); return 1; } close(map_fd); return 0; } This tiny series changes data types from int to u32 of keys being used for map accesses. Thanks, Maciej ==================== Link: https://patch.msgid.link/20241122121030.716788-1-maciej.fijalkowski@intel.com Signed-off-by: Alexei Starovoitov commit ab244dd7cf4c291f82faacdc50b45cc0f55b674d Author: Maciej Fijalkowski Date: Fri Nov 22 13:10:30 2024 +0100 bpf: fix OOB devmap writes when deleting elements Jordy reported issue against XSKMAP which also applies to DEVMAP - the index used for accessing map entry, due to being a signed integer, causes the OOB writes. Fix is simple as changing the type from int to u32, however, when compared to XSKMAP case, one more thing needs to be addressed. When map is released from system via dev_map_free(), we iterate through all of the entries and an iterator variable is also an int, which implies OOB accesses. Again, change it to be u32. Example splat below: [ 160.724676] BUG: unable to handle page fault for address: ffffc8fc2c001000 [ 160.731662] #PF: supervisor read access in kernel mode [ 160.736876] #PF: error_code(0x0000) - not-present page [ 160.742095] PGD 0 P4D 0 [ 160.744678] Oops: Oops: 0000 [#1] PREEMPT SMP [ 160.749106] CPU: 1 UID: 0 PID: 520 Comm: kworker/u145:12 Not tainted 6.12.0-rc1+ #487 [ 160.757050] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019 [ 160.767642] Workqueue: events_unbound bpf_map_free_deferred [ 160.773308] RIP: 0010:dev_map_free+0x77/0x170 [ 160.777735] Code: 00 e8 fd 91 ed ff e8 b8 73 ed ff 41 83 7d 18 19 74 6e 41 8b 45 24 49 8b bd f8 00 00 00 31 db 85 c0 74 48 48 63 c3 48 8d 04 c7 <48> 8b 28 48 85 ed 74 30 48 8b 7d 18 48 85 ff 74 05 e8 b3 52 fa ff [ 160.796777] RSP: 0018:ffffc9000ee1fe38 EFLAGS: 00010202 [ 160.802086] RAX: ffffc8fc2c001000 RBX: 0000000080000000 RCX: 0000000000000024 [ 160.809331] RDX: 0000000000000000 RSI: 0000000000000024 RDI: ffffc9002c001000 [ 160.816576] RBP: 0000000000000000 R08: 0000000000000023 R09: 0000000000000001 [ 160.823823] R10: 0000000000000001 R11: 00000000000ee6b2 R12: dead000000000122 [ 160.831066] R13: ffff88810c928e00 R14: ffff8881002df405 R15: 0000000000000000 [ 160.838310] FS: 0000000000000000(0000) GS:ffff8897e0c40000(0000) knlGS:0000000000000000 [ 160.846528] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 160.852357] CR2: ffffc8fc2c001000 CR3: 0000000005c32006 CR4: 00000000007726f0 [ 160.859604] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 160.866847] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 160.874092] PKRU: 55555554 [ 160.876847] Call Trace: [ 160.879338] [ 160.881477] ? __die+0x20/0x60 [ 160.884586] ? page_fault_oops+0x15a/0x450 [ 160.888746] ? search_extable+0x22/0x30 [ 160.892647] ? search_bpf_extables+0x5f/0x80 [ 160.896988] ? exc_page_fault+0xa9/0x140 [ 160.900973] ? asm_exc_page_fault+0x22/0x30 [ 160.905232] ? dev_map_free+0x77/0x170 [ 160.909043] ? dev_map_free+0x58/0x170 [ 160.912857] bpf_map_free_deferred+0x51/0x90 [ 160.917196] process_one_work+0x142/0x370 [ 160.921272] worker_thread+0x29e/0x3b0 [ 160.925082] ? rescuer_thread+0x4b0/0x4b0 [ 160.929157] kthread+0xd4/0x110 [ 160.932355] ? kthread_park+0x80/0x80 [ 160.936079] ret_from_fork+0x2d/0x50 [ 160.943396] ? kthread_park+0x80/0x80 [ 160.950803] ret_from_fork_asm+0x11/0x20 [ 160.958482] Fixes: 546ac1ffb70d ("bpf: add devmap, a map for storing net device references") CC: stable@vger.kernel.org Reported-by: Jordy Zomer Suggested-by: Jordy Zomer Reviewed-by: Toke Høiland-Jørgensen Acked-by: John Fastabend Signed-off-by: Maciej Fijalkowski Link: https://lore.kernel.org/r/20241122121030.716788-3-maciej.fijalkowski@intel.com Signed-off-by: Alexei Starovoitov commit 32cd3db7de97c0c7a018756ce66244342fd583f0 Author: Maciej Fijalkowski Date: Fri Nov 22 13:10:29 2024 +0100 xsk: fix OOB map writes when deleting elements Jordy says: " In the xsk_map_delete_elem function an unsigned integer (map->max_entries) is compared with a user-controlled signed integer (k). Due to implicit type conversion, a large unsigned value for map->max_entries can bypass the intended bounds check: if (k >= map->max_entries) return -EINVAL; This allows k to hold a negative value (between -2147483648 and -2), which is then used as an array index in m->xsk_map[k], which results in an out-of-bounds access. spin_lock_bh(&m->lock); map_entry = &m->xsk_map[k]; // Out-of-bounds map_entry old_xs = unrcu_pointer(xchg(map_entry, NULL)); // Oob write if (old_xs) xsk_map_sock_delete(old_xs, map_entry); spin_unlock_bh(&m->lock); The xchg operation can then be used to cause an out-of-bounds write. Moreover, the invalid map_entry passed to xsk_map_sock_delete can lead to further memory corruption. " It indeed results in following splat: [76612.897343] BUG: unable to handle page fault for address: ffffc8fc2e461108 [76612.904330] #PF: supervisor write access in kernel mode [76612.909639] #PF: error_code(0x0002) - not-present page [76612.914855] PGD 0 P4D 0 [76612.917431] Oops: Oops: 0002 [#1] PREEMPT SMP [76612.921859] CPU: 11 UID: 0 PID: 10318 Comm: a.out Not tainted 6.12.0-rc1+ #470 [76612.929189] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019 [76612.939781] RIP: 0010:xsk_map_delete_elem+0x2d/0x60 [76612.944738] Code: 00 00 41 54 55 53 48 63 2e 3b 6f 24 73 38 4c 8d a7 f8 00 00 00 48 89 fb 4c 89 e7 e8 2d bf 05 00 48 8d b4 eb 00 01 00 00 31 ff <48> 87 3e 48 85 ff 74 05 e8 16 ff ff ff 4c 89 e7 e8 3e bc 05 00 31 [76612.963774] RSP: 0018:ffffc9002e407df8 EFLAGS: 00010246 [76612.969079] RAX: 0000000000000000 RBX: ffffc9002e461000 RCX: 0000000000000000 [76612.976323] RDX: 0000000000000001 RSI: ffffc8fc2e461108 RDI: 0000000000000000 [76612.983569] RBP: ffffffff80000001 R08: 0000000000000000 R09: 0000000000000007 [76612.990812] R10: ffffc9002e407e18 R11: ffff888108a38858 R12: ffffc9002e4610f8 [76612.998060] R13: ffff888108a38858 R14: 00007ffd1ae0ac78 R15: ffffc9002e4610c0 [76613.005303] FS: 00007f80b6f59740(0000) GS:ffff8897e0ec0000(0000) knlGS:0000000000000000 [76613.013517] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [76613.019349] CR2: ffffc8fc2e461108 CR3: 000000011e3ef001 CR4: 00000000007726f0 [76613.026595] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [76613.033841] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [76613.041086] PKRU: 55555554 [76613.043842] Call Trace: [76613.046331] [76613.048468] ? __die+0x20/0x60 [76613.051581] ? page_fault_oops+0x15a/0x450 [76613.055747] ? search_extable+0x22/0x30 [76613.059649] ? search_bpf_extables+0x5f/0x80 [76613.063988] ? exc_page_fault+0xa9/0x140 [76613.067975] ? asm_exc_page_fault+0x22/0x30 [76613.072229] ? xsk_map_delete_elem+0x2d/0x60 [76613.076573] ? xsk_map_delete_elem+0x23/0x60 [76613.080914] __sys_bpf+0x19b7/0x23c0 [76613.084555] __x64_sys_bpf+0x1a/0x20 [76613.088194] do_syscall_64+0x37/0xb0 [76613.091832] entry_SYSCALL_64_after_hwframe+0x4b/0x53 [76613.096962] RIP: 0033:0x7f80b6d1e88d [76613.100592] Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 b5 0f 00 f7 d8 64 89 01 48 [76613.119631] RSP: 002b:00007ffd1ae0ac68 EFLAGS: 00000206 ORIG_RAX: 0000000000000141 [76613.131330] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f80b6d1e88d [76613.142632] RDX: 0000000000000098 RSI: 00007ffd1ae0ad20 RDI: 0000000000000003 [76613.153967] RBP: 00007ffd1ae0adc0 R08: 0000000000000000 R09: 0000000000000000 [76613.166030] R10: 00007f80b6f77040 R11: 0000000000000206 R12: 00007ffd1ae0aed8 [76613.177130] R13: 000055ddf42ce1e9 R14: 000055ddf42d0d98 R15: 00007f80b6fab040 [76613.188129] Fix this by simply changing key type from int to u32. Fixes: fbfc504a24f5 ("bpf: introduce new bpf AF_XDP map type BPF_MAP_TYPE_XSKMAP") CC: stable@vger.kernel.org Reported-by: Jordy Zomer Suggested-by: Jordy Zomer Reviewed-by: Toke Høiland-Jørgensen Acked-by: John Fastabend Signed-off-by: Maciej Fijalkowski Link: https://lore.kernel.org/r/20241122121030.716788-2-maciej.fijalkowski@intel.com Signed-off-by: Alexei Starovoitov commit 20a39ea37751f8d7c0437c23ed92b3b25e7206b9 Merge: 8618f5ffba4d38 515745445e9250 Author: Alexei Starovoitov Date: Mon Nov 25 14:19:14 2024 -0800 Merge branch 'bpf-vsock-fix-poll-and-close' Michal Luczaj says: ==================== bpf, vsock: Fix poll() and close() Two small fixes for vsock: poll() missing a queue check, and close() not invoking sockmap cleanup. Signed-off-by: Michal Luczaj Acked-by: John Fastabend --- ==================== Link: https://patch.msgid.link/20241118-vsock-bpf-poll-close-v1-0-f1b9669cacdc@rbox.co Signed-off-by: Alexei Starovoitov commit 515745445e92500e8916ffe29cc4893ad97517b8 Author: Michal Luczaj Date: Mon Nov 18 22:03:44 2024 +0100 selftest/bpf: Add test for vsock removal from sockmap on close() Make sure the proto::close callback gets invoked on vsock release. Signed-off-by: Michal Luczaj Acked-by: Stefano Garzarella Link: https://lore.kernel.org/r/20241118-vsock-bpf-poll-close-v1-4-f1b9669cacdc@rbox.co Signed-off-by: Alexei Starovoitov Acked-by: John Fastabend commit 135ffc7becc82cfb84936ae133da7969220b43b2 Author: Michal Luczaj Date: Mon Nov 18 22:03:43 2024 +0100 bpf, vsock: Invoke proto::close on close() vsock defines a BPF callback to be invoked when close() is called. However, this callback is never actually executed. As a result, a closed vsock socket is not automatically removed from the sockmap/sockhash. Introduce a dummy vsock_close() and make vsock_release() call proto::close. Note: changes in __vsock_release() look messy, but it's only due to indent level reduction and variables xmas tree reorder. Fixes: 634f1a7110b4 ("vsock: support sockmap") Signed-off-by: Michal Luczaj Reviewed-by: Stefano Garzarella Reviewed-by: Luigi Leonardi Link: https://lore.kernel.org/r/20241118-vsock-bpf-poll-close-v1-3-f1b9669cacdc@rbox.co Signed-off-by: Alexei Starovoitov Acked-by: John Fastabend commit 9c2a2a45136de428b73907195a4a99eb78dc3aca Author: Michal Luczaj Date: Mon Nov 18 22:03:42 2024 +0100 selftest/bpf: Add test for af_vsock poll() Verify that vsock's poll() notices when sk_psock::ingress_msg isn't empty. Signed-off-by: Michal Luczaj Acked-by: Stefano Garzarella Link: https://lore.kernel.org/r/20241118-vsock-bpf-poll-close-v1-2-f1b9669cacdc@rbox.co Signed-off-by: Alexei Starovoitov Acked-by: John Fastabend commit 9f0fc98145218ff8f50d8cfa3b393785056c53e1 Author: Michal Luczaj Date: Mon Nov 18 22:03:41 2024 +0100 bpf, vsock: Fix poll() missing a queue When a verdict program simply passes a packet without redirection, sk_msg is enqueued on sk_psock::ingress_msg. Add a missing check to poll(). Fixes: 634f1a7110b4 ("vsock: support sockmap") Signed-off-by: Michal Luczaj Reviewed-by: Stefano Garzarella Reviewed-by: Luigi Leonardi Link: https://lore.kernel.org/r/20241118-vsock-bpf-poll-close-v1-1-f1b9669cacdc@rbox.co Signed-off-by: Alexei Starovoitov Acked-by: John Fastabend commit 8618f5ffba4d381610f6bb4c472a6148c2bfde96 Author: Thomas Weißschuh Date: Mon Nov 25 20:53:07 2024 +0100 bpf, lsm: Remove getlsmprop hooks BTF IDs These hooks are not useful for BPF LSM currently. Furthermore a recent renaming introduced build warnings: BTFIDS vmlinux WARN: resolve_btfids: unresolved symbol bpf_lsm_task_getsecid_obj WARN: resolve_btfids: unresolved symbol bpf_lsm_current_getsecid_subj Link: https://lore.kernel.org/lkml/20241123-bpf_lsm_task_getsecid_obj-v1-1-0d0f94649e05@weissschuh.net/ Fixes: 37f670aacd48 ("lsm: use lsm_prop in security_current_getsecid") Signed-off-by: Thomas Weißschuh Link: https://lore.kernel.org/r/20241125-bpf_lsm_task_getsecid_obj-v2-1-c8395bde84e0@weissschuh.net Signed-off-by: Alexei Starovoitov commit f4ca4f5a36eac9b4da378a0f28cbbe38534a0901 Author: Pali Rohár Date: Sun Oct 6 19:30:01 2024 +0200 cifs: Fix parsing reparse point with native symlink in SMB1 non-UNICODE session SMB1 NT_TRANSACT_IOCTL/FSCTL_GET_REPARSE_POINT even in non-UNICODE mode returns reparse buffer in UNICODE/UTF-16 format. This is because FSCTL_GET_REPARSE_POINT is NT-based IOCTL which does not distinguish between 8-bit non-UNICODE and 16-bit UNICODE modes and its path buffers are always encoded in UTF-16. This change fixes reading of native symlinks in SMB1 when UNICODE session is not active. Fixes: ed3e0a149b58 ("smb: client: implement ->query_reparse_point() for SMB1") Signed-off-by: Pali Rohár Signed-off-by: Steve French commit 1f48660667efb97c3cf70485c7e1977af718b48b Author: Pali Rohár Date: Sat Sep 21 01:29:33 2024 +0200 cifs: Validate content of WSL reparse point buffers WSL socket, fifo, char and block devices have empty reparse buffer. Validate the length of the reparse buffer. Signed-off-by: Pali Rohár Signed-off-by: Steve French commit d3d797e326533794c3f707ce1761da7a8895458c Author: Pali Rohár Date: Thu Sep 12 15:06:22 2024 +0200 cifs: Improve guard for excluding $LXDEV xattr $LXDEV xattr is for storing block/char device's major and minor number. Change guard which excludes storing $LXDEV xattr to explicitly filter everything except block and char device. Current guard is opposite, which is currently correct but is less-safe. This change is required for adding support for creating WSL-style symlinks as symlinks also do not use device's major and minor numbers. Signed-off-by: Pali Rohár Signed-off-by: Steve French commit 06a7adf318a30bdcfa1222ed6d2640e6bb266d7b Author: Pali Rohár Date: Sat Sep 28 13:21:24 2024 +0200 cifs: Add support for parsing WSL-style symlinks Linux CIFS client currently does not implement readlink() for WSL-style symlinks. It is only able to detect that file is of WSL-style symlink, but is not able to read target symlink location. Add this missing functionality and implement support for parsing content of WSL-style symlink. The important note is that symlink target location stored for WSL symlink reparse point (IO_REPARSE_TAG_LX_SYMLINK) is in UTF-8 encoding instead of UTF-16 (which is used in whole SMB protocol and also in all other symlink styles). So for proper locale/cp support it is needed to do conversion from UTF-8 to local_nls. Signed-off-by: Pali Rohár Signed-off-by: Steve French commit dd26bc067e44956e43a273e6e0a9c1fc4ed32cb7 Author: Pali Rohár Date: Mon Sep 23 22:56:46 2024 +0200 cifs: Validate content of native symlink Check that path buffer has correct length (it is non-zero and in UNICODE mode it has even number of bytes) and check that buffer does not contain null character (UTF-16 null codepoint in UNICODE mode or null byte in non-unicode mode) because Linux cannot process symlink with null byte. Signed-off-by: Pali Rohár Signed-off-by: Steve French commit 723f4ef90452aa629f3d923e92e0449d69362b1d Author: Pali Rohár Date: Mon Sep 23 22:40:38 2024 +0200 cifs: Fix parsing native symlinks relative to the export SMB symlink which has SYMLINK_FLAG_RELATIVE set is relative (as opposite of the absolute) and it can be relative either to the current directory (where is the symlink stored) or relative to the top level export path. To what it is relative depends on the first character of the symlink target path. If the first character is path separator then symlink is relative to the export, otherwise to the current directory. Linux (and generally POSIX systems) supports only symlink paths relative to the current directory where is symlink stored. Currently if Linux SMB client reads relative SMB symlink with first character as path separator (slash), it let as is. Which means that Linux interpret it as absolute symlink pointing from the root (/). But this location is different than the top level directory of SMB export (unless SMB export was mounted to the root) and thefore SMB symlinks relative to the export are interpreted wrongly by Linux SMB client. Fix this problem. As Linux does not have equivalent of the path relative to the top of the mount point, convert such symlink target path relative to the current directory. Do this by prepending "../" pattern N times before the SMB target path, where N is the number of path separators found in SMB symlink path. So for example, if SMB share is mounted to Linux path /mnt/share/, symlink is stored in file /mnt/share/test/folder1/symlink (so SMB symlink path is test\folder1\symlink) and SMB symlink target points to \test\folder2\file, then convert symlink target path to Linux path ../../test/folder2/file. Deduplicate code for parsing SMB symlinks in native form from functions smb2_parse_symlink_response() and parse_reparse_native_symlink() into new function smb2_parse_native_symlink() and pass into this new function a new full_path parameter from callers, which specify SMB full path where is symlink stored. This change fixes resolving of the native Windows symlinks relative to the top level directory of the SMB share. Signed-off-by: Pali Rohár Signed-off-by: Steve French commit 4bdec0d1f658f7c98749bd2c5a486e6cfa8565d2 Author: Paulo Alcantara Date: Mon Nov 25 17:17:23 2024 -0300 smb: client: fix NULL ptr deref in crypto_aead_setkey() Neither SMB3.0 or SMB3.02 supports encryption negotiate context, so when SMB2_GLOBAL_CAP_ENCRYPTION flag is set in the negotiate response, the client uses AES-128-CCM as the default cipher. See MS-SMB2 3.3.5.4. Commit b0abcd65ec54 ("smb: client: fix UAF in async decryption") added a @server->cipher_type check to conditionally call smb3_crypto_aead_allocate(), but that check would always be false as @server->cipher_type is unset for SMB3.02. Fix the following KASAN splat by setting @server->cipher_type for SMB3.02 as well. mount.cifs //srv/share /mnt -o vers=3.02,seal,... BUG: KASAN: null-ptr-deref in crypto_aead_setkey+0x2c/0x130 Read of size 8 at addr 0000000000000020 by task mount.cifs/1095 CPU: 1 UID: 0 PID: 1095 Comm: mount.cifs Not tainted 6.12.0 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41 04/01/2014 Call Trace: dump_stack_lvl+0x5d/0x80 ? crypto_aead_setkey+0x2c/0x130 kasan_report+0xda/0x110 ? crypto_aead_setkey+0x2c/0x130 crypto_aead_setkey+0x2c/0x130 crypt_message+0x258/0xec0 [cifs] ? __asan_memset+0x23/0x50 ? __pfx_crypt_message+0x10/0x10 [cifs] ? mark_lock+0xb0/0x6a0 ? hlock_class+0x32/0xb0 ? mark_lock+0xb0/0x6a0 smb3_init_transform_rq+0x352/0x3f0 [cifs] ? lock_acquire.part.0+0xf4/0x2a0 smb_send_rqst+0x144/0x230 [cifs] ? __pfx_smb_send_rqst+0x10/0x10 [cifs] ? hlock_class+0x32/0xb0 ? smb2_setup_request+0x225/0x3a0 [cifs] ? __pfx_cifs_compound_last_callback+0x10/0x10 [cifs] compound_send_recv+0x59b/0x1140 [cifs] ? __pfx_compound_send_recv+0x10/0x10 [cifs] ? __create_object+0x5e/0x90 ? hlock_class+0x32/0xb0 ? do_raw_spin_unlock+0x9a/0xf0 cifs_send_recv+0x23/0x30 [cifs] SMB2_tcon+0x3ec/0xb30 [cifs] ? __pfx_SMB2_tcon+0x10/0x10 [cifs] ? lock_acquire.part.0+0xf4/0x2a0 ? __pfx_lock_release+0x10/0x10 ? do_raw_spin_trylock+0xc6/0x120 ? lock_acquire+0x3f/0x90 ? _get_xid+0x16/0xd0 [cifs] ? __pfx_SMB2_tcon+0x10/0x10 [cifs] ? cifs_get_smb_ses+0xcdd/0x10a0 [cifs] cifs_get_smb_ses+0xcdd/0x10a0 [cifs] ? __pfx_cifs_get_smb_ses+0x10/0x10 [cifs] ? cifs_get_tcp_session+0xaa0/0xca0 [cifs] cifs_mount_get_session+0x8a/0x210 [cifs] dfs_mount_share+0x1b0/0x11d0 [cifs] ? __pfx___lock_acquire+0x10/0x10 ? __pfx_dfs_mount_share+0x10/0x10 [cifs] ? lock_acquire.part.0+0xf4/0x2a0 ? find_held_lock+0x8a/0xa0 ? hlock_class+0x32/0xb0 ? lock_release+0x203/0x5d0 cifs_mount+0xb3/0x3d0 [cifs] ? do_raw_spin_trylock+0xc6/0x120 ? __pfx_cifs_mount+0x10/0x10 [cifs] ? lock_acquire+0x3f/0x90 ? find_nls+0x16/0xa0 ? smb3_update_mnt_flags+0x372/0x3b0 [cifs] cifs_smb3_do_mount+0x1e2/0xc80 [cifs] ? __pfx_vfs_parse_fs_string+0x10/0x10 ? __pfx_cifs_smb3_do_mount+0x10/0x10 [cifs] smb3_get_tree+0x1bf/0x330 [cifs] vfs_get_tree+0x4a/0x160 path_mount+0x3c1/0xfb0 ? kasan_quarantine_put+0xc7/0x1d0 ? __pfx_path_mount+0x10/0x10 ? kmem_cache_free+0x118/0x3e0 ? user_path_at+0x74/0xa0 __x64_sys_mount+0x1a6/0x1e0 ? __pfx___x64_sys_mount+0x10/0x10 ? mark_held_locks+0x1a/0x90 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Cc: Tom Talpey Reported-by: Jianhong Yin Cc: stable@vger.kernel.org # v6.12 Fixes: b0abcd65ec54 ("smb: client: fix UAF in async decryption") Signed-off-by: Paulo Alcantara (Red Hat) Signed-off-by: Steve French commit be4ca6c53e66cb275cf0d71f32dac0c4606b9dc0 Author: Andy Shevchenko Date: Mon Nov 25 12:49:14 2024 +0200 x86/Documentation: Update algo in init_size description of boot protocol The init_size description of boot protocol has an example of the runtime start address for the compressed bzImage. For non-relocatable kernel it relies on the pref_address value (if not 0), but for relocatable case only pays respect to the load_addres and kernel_alignment, and it is inaccurate for the latter. Boot loader must consider the pref_address as the Linux kernel relocates to it before being decompressed as nicely described in this commit message a year ago: 43b1d3e68ee7 ("kexec: Allocate kernel above bzImage's pref_address") Due to this documentation inaccuracy some of the bootloaders (*) made a mistake in the calculations and if kernel image is big enough, this may lead to unbootable configurations. *) In particular, kexec-tools missed that and resently got a couple of changes which will be part of v2.0.30 release. For the record, commit 43b1d3e68ee7 only fixed the kernel kexec implementation and also missed to update the init_size description. While at it, make an example C-like looking as it's done elsewhere in the document and fix indentation as presribed by the reStructuredText specifications, so the syntax highliting will work properly. Fixes: 43b1d3e68ee7 ("kexec: Allocate kernel above bzImage's pref_address") Fixes: d297366ba692 ("x86: document new bzImage fields") Signed-off-by: Andy Shevchenko Signed-off-by: Ingo Molnar Acked-by: Randy Dunlap Cc: "H. Peter Anvin" Link: https://lore.kernel.org/r/20241125105005.1616154-1-andriy.shevchenko@linux.intel.com commit 573f45a9f9a47fed4c7957609689b772121b33d7 Author: David Laight Date: Sun Nov 24 15:39:00 2024 +0000 x86: fix off-by-one in access_ok() When the size isn't a small constant, __access_ok() will call valid_user_address() with the address after the last byte of the user buffer. It is valid for a buffer to end with the last valid user address so valid_user_address() must allow accesses to the base of the guard page. [ This introduces an off-by-one in the other direction for the plain non-sized accesses, but since we have that guard region that is a whole page, those checks "allowing" accesses to that guard region don't really matter. The access will fault anyway, whether to the guard page or if the address has been masked to all ones - Linus ] Fixes: 86e6b1547b3d0 ("x86: fix user address masking non-canonical speculation issue") Signed-off-by: David Laight Signed-off-by: Linus Torvalds commit 43a43faf5376114161aa684834d24e06da596287 Author: Linus Torvalds Date: Fri Nov 22 11:18:25 2024 -0800 futex: improve user space accesses Josh Poimboeuf reports that he got a "will-it-scale.per_process_ops 1.9% improvement" report for his patch that changed __get_user() to use pointer masking instead of the explicit speculation barrier. However, that patch doesn't actually work in the general case, because some (very bad) architecture-specific code actually depends on __get_user() also working on kernel addresses. A profile showed that the offending __get_user() was the futex code, which really should be fixed up to not use that horrid legacy case. Rewrite futex_get_value_locked() to use the modern user acccess helpers, and inline it so that the compiler not only avoids the function call for a few instructions, but can do CSE on the address masking. It also turns out the x86 futex functions have unnecessary barriers in other places, so let's fix those up too. Link: https://lore.kernel.org/all/20241115230653.hfvzyf3aqqntgp63@jpoimboe/ Reported-by: Josh Poimboeuf Signed-off-by: Linus Torvalds commit 4e07155dd58cab024813e97dc384d48f34e3d16e Merge: 3e51108c72e8ad 8d7493133bfd89 Author: Linus Torvalds Date: Mon Nov 25 12:07:45 2024 -0800 Merge tag 'fbdev-for-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/linux-fbdev Pull fbdev updates from Helge Deller: - omapfb: Remove unused code (Dr. David Alan Gilbert) - sh7760fb: Fix memory leak in error path of sh7760fb_alloc_mem() (Zhen Lei) * tag 'fbdev-for-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/linux-fbdev: fbdev: omapfb: Remove some deadcode fbdev: sh7760fb: Fix a possible memory leak in sh7760fb_alloc_mem() commit 10099266dec8275a6899e6a27dcdfebbcc726cc7 Merge: 2d564279899028 31457d4cea19dc Author: Bjorn Helgaas Date: Mon Nov 25 13:41:00 2024 -0600 Merge branch 'pci/typos' - Fix typos and whitespace errors (Bjorn Helgaas) * pci/typos: PCI: Fix typos commit 2d564279899028a98a854dbc78e2fdb7db4b4f00 Merge: e6b95ef1afc88e d9db393f2b9ed6 Author: Bjorn Helgaas Date: Mon Nov 25 13:41:00 2024 -0600 Merge branch 'pci/misc' - Reorganize kerneldoc parameter names to match order in function signature (Julia Lawall) - Remove kerneldoc return value descriptions from hotplug registration interfaces that don't return anything (Ilpo Järvinen) - Fix sysfs reset_method_store() memory leak (Todd Kjos) - Simplify pci_create_slot() (Ilpo Järvinen) - Fix incorrect printf format specifiers in pcitest (Luo Yifan) * pci/misc: tools: PCI: Fix incorrect printf format specifiers PCI: Simplify pci_create_slot() logic PCI: Fix reset_method_store() memory leak PCI: hotplug: Remove "Returns" kerneldoc from void functions PCI: hotplug: Reorganize kerneldoc parameter names commit e6b95ef1afc88e80139d3a69f6fe26c0ca4239f1 Merge: c60603ca1d2c8d b727484cace4be Author: Bjorn Helgaas Date: Mon Nov 25 13:41:00 2024 -0600 Merge branch 'pci/controller/vmd' - Add 0xb60b and 0xb06f Device IDs for client SKUs (Nirmal Patel) * pci/controller/vmd: PCI: vmd: Add DID 8086:B06F and 8086:B60B for Intel client SKUs commit c60603ca1d2c8da9a7a6cdc1872b9cc6cb00a987 Merge: 72ae381b00ab38 40e2125381dc11 Author: Bjorn Helgaas Date: Mon Nov 25 13:41:00 2024 -0600 Merge branch 'pci/controller/tegra194' - Move endpoint controller cleanups that depend on refclk from the host to the notifier that tells us the host has deasserted PERST# (Manivannan Sadhasivam) * pci/controller/tegra194: PCI: tegra194: Move controller cleanups to pex_ep_event_pex_rst_deassert() commit 72ae381b00ab3897c55f7fb493ba229dacfaac6f Merge: f54ff407e6238a a7137cbf6bd53a Author: Bjorn Helgaas Date: Mon Nov 25 13:40:59 2024 -0600 Merge branch 'pci/controller/rockchip' - Fix address translation unit programming (Damien Le Moal) - Define ROCKCHIP_PCIE_AT_SIZE_ALIGN to replace magic 256 endpoint .align value (Damien Le Moal) - When unmapping an endpoint window, compute the region index instead of searching for it, and verify that the address was mapped (Damien Le Moal) - When mapping an endpoint window, verify that the address hasn't been mapped already (Damien Le Moal) - Implement pci_epc_ops.align_addr() for rockchip-ep (Damien Le Moal) - Fix MSI IRQ data mapping to observe the alignment constraint, which fixes intermittent page faults in memcpy_toio() and memcpy_fromio() (Damien Le Moal) - Rename rockchip_pcie_parse_ep_dt() to rockchip_pcie_ep_get_resources() for consistency with similar DT interfaces (Damien Le Moal) - Factor out memory allocations to tidy rockchip_pcie_ep_probe() (Damien Le Moal) - Factor out MSI-X quirk to tidy rockchip_pcie_ep_probe() (Damien Le Moal) - Skip the unnecessary link train in rockchip_pcie_ep_probe() and only in the endpoint start operation (Damien Le Moal) - Implement pci_epc_ops.stop_link() to disable link training and controller configuration (Damien Le Moal) - Attempt link training at 5 GT/s when both partners support it (Damien Le Moal) - Add a handler for PERST# signal so we can detect host resets and start link training when exiting reset (Damien Le Moal) * pci/controller/rockchip: PCI: rockchip-ep: Handle PERST# signal in EP mode PCI: rockchip-ep: Improve link training PCI: rockship-ep: Implement the pci_epc_ops::stop_link() operation PCI: rockchip-ep: Refactor endpoint link training enable PCI: rockchip-ep: Refactor rockchip_pcie_ep_probe() MSI-X hiding PCI: rockchip-ep: Refactor rockchip_pcie_ep_probe() memory allocations PCI: rockchip-ep: Rename rockchip_pcie_parse_ep_dt() PCI: rockchip-ep: Fix MSI IRQ data mapping PCI: rockchip-ep: Implement the pci_epc_ops::align_addr() operation PCI: rockchip-ep: Improve rockchip_pcie_ep_map_addr() PCI: rockchip-ep: Improve rockchip_pcie_ep_unmap_addr() PCI: rockchip-ep: Use a macro to define EP controller .align feature PCI: rockchip-ep: Fix address translation unit programming commit f54ff407e6238a3a8e167000726942c1f2c2415a Merge: 7b5d234e69f708 fba6045161d686 Author: Bjorn Helgaas Date: Mon Nov 25 13:40:59 2024 -0600 Merge branch 'pci/controller/qcom' - Enable MSI interrupts if 'global' IRQ is supported, since a previous commit unintentionally masked them (Manivannan Sadhasivam) - Move endpoint controller cleanups that depend on refclk from the host to the notifier that tells us the host has deasserted PERST# (Manivannan Sadhasivam) - Add DT binding and driver support for IPQ9574, with Synopsys IP v5.80a and Qcom IP 1.27.0 (devi priya) - Move the OPP "operating-points-v2" table from the qcom,pcie-sm8450.yaml DT binding to qcom,pcie-common.yaml, where it can be used by other Qcom platforms (Qiang Yu) - Add 'global' SPI interrupt for events like link-up, link-down to qcom,pcie-x1e80100 DT binding so we can start enumeration when the link comes up (Qiang Yu) - Disable ASPM L0s for qcom,pcie-x1e80100 since the PHY is not tuned to support this (Qiang Yu) - Add ops_1_21_0 for SC8280X family SoC, which doesn't use the 'iommu-map' DT property and doesn't need BDF-to-SID translation (Qiang Yu) * pci/controller/qcom: PCI: qcom: Disable ASPM L0s for X1E80100 PCI: qcom: Remove BDF2SID mapping config for SC8280X family SoC dt-bindings: PCI: qcom,pcie-x1e80100: Add 'global' interrupt dt-bindings: PCI: qcom: Move OPP table to qcom,pcie-common.yaml PCI: qcom: Add support for IPQ9574 dt-bindings: PCI: qcom: Document the IPQ9574 PCIe controller PCI: qcom-ep: Move controller cleanups to qcom_pcie_perst_deassert() PCI: qcom: Enable MSI interrupts together with Link up if 'Global IRQ' is supported commit 7b5d234e69f708c63eecff78e6befab85149216c Merge: 4268106135aa2b ac7f53b7e7283f Author: Bjorn Helgaas Date: Mon Nov 25 13:40:59 2024 -0600 Merge branch 'pci/controller/microchip' - Add DT and driver support for using either of the two PolarFire Root Ports (Conor Dooley) * pci/controller/microchip: PCI: microchip: Add support for using either Root Port 1 or 2 dt-bindings: PCI: microchip,pcie-host: Add reg for Root Port 2 commit 4268106135aa2b32398a53c82e954ec0fd95551d Merge: c1787c3e41e5de d19ea320d3029a Author: Bjorn Helgaas Date: Mon Nov 25 13:40:58 2024 -0600 Merge branch 'pci/controller/mediatek' - Add support for DT 'max-link-speed' and 'num-lanes' properties to restrict the link speed and width (AngeloGioacchino Del Regno) * pci/controller/mediatek: PCI: mediatek-gen3: Remove unneeded semicolon PCI: mediatek-gen3: Add support for restricting link width PCI: mediatek-gen3: Add support for setting max-link-speed limit commit c1787c3e41e5de4c491b7bc455d752c5861753d2 Merge: 5c8bd7f27704f1 9e9ec8d8692a6f Author: Bjorn Helgaas Date: Mon Nov 25 13:40:58 2024 -0600 Merge branch 'pci/controller/keystone' - Set the 'ti,keystone-pcie' mode so v3.65a devices work in Root Complex mode (Kishon Vijay Abraham I) - Try to avoid unrecoverable SError for attempts to issue config transactions when the link is down; this is racy but the best we can do (Kishon Vijay Abraham I) * pci/controller/keystone: PCI: keystone: Add link up check to ks_pcie_other_map_bus() PCI: keystone: Set mode as Root Complex for "ti,keystone-pcie" compatible commit 5c8bd7f27704f1c8ba088f719a4346d4f51383a8 Merge: 7b86e0a589b122 22a9120479a40a Author: Bjorn Helgaas Date: Mon Nov 25 13:40:58 2024 -0600 Merge branch 'pci/controller/j721e' - Add PCIe support for J722S SoC (Siddharth Vadapalli) - Delay PCIE_T_PVPERL_MS (100 ms), not just PCIE_T_PERST_CLK_US (100 us), before deasserting PERST# to ensure power and refclk are stable (Siddharth Vadapalli) * pci/controller/j721e: PCI: j721e: Deassert PERST# after a delay of PCIE_T_PVPERL_MS milliseconds PCI: j721e: Add PCIe support for J722S SoC commit 7b86e0a589b12208e20e45e36c94785db0745aef Merge: 2b4049d1921334 0a726f542d7c8c Author: Bjorn Helgaas Date: Mon Nov 25 13:40:57 2024 -0600 Merge branch 'pci/controller/imx6' - Fix suspend/resume support on i.MX6QDL, which has a hardware erratum that prevents use of L2 (Stefan Eichenberger) * pci/controller/imx6: PCI: imx6: Fix suspend/resume support on i.MX6QDL commit 2b4049d192133483dd029ef1f987b28da0c9e83a Merge: 5b8d59ca272721 118397c9baaac0 Author: Bjorn Helgaas Date: Mon Nov 25 13:40:57 2024 -0600 Merge branch 'pci/controller/dwc' - Clear outbound address on unmap so dw_pcie_find_index() won't match an ATU index that was already unmapped (Damien Le Moal) - Use of_property_present() instead of of_property_read_bool() when testing for presence of non-boolean DT properties (Rob Herring) - Advertise 1MB size if endpoint supports Resizable BARs, which was inadvertently lost in v6.11 (Niklas Cassel) * pci/controller/dwc: PCI: dwc: ep: Fix advertised resizable BAR size regression PCI: dwc: Use of_property_present() for non-boolean properties PCI: dwc: endpoint: Clear outbound address on unmap commit 5b8d59ca2727214884b07bda208e101b6b18e364 Merge: bd4334887265c2 e3e309b2bea8d2 Author: Bjorn Helgaas Date: Mon Nov 25 13:40:57 2024 -0600 Merge branch 'pci/controller/cadence' - Lower severity of 'phy-names' message (Bartosz Wawrzyniak) * pci/controller/cadence: PCI: cadence: Lower severity of message when phy-names property is absent in DTS commit bd4334887265c26b798c3aa999d3574af0800ba6 Merge: 0683141812ce93 28b6acd75e3cef Author: Bjorn Helgaas Date: Mon Nov 25 13:40:56 2024 -0600 Merge branch 'pci/endpoint' - Add pci_epc_function_is_valid() to avoid repeating common validation checks (Damien Le Moal) - Skip attempts to allocate from endpoint controller memory window if the requested size is larger than the window (Damien Le Moal) - Add and document pci_epc_mem_map() and pci_epc_mem_unmap() to handle controller-specific size and alignment constraints, and add test cases to the endpoint test driver (Damien Le Moal) - Implement dwc pci_epc_ops.align_addr() so pci_epc_mem_map() can observe DWC-specific alignment requirements (Damien Le Moal) - Synchronously cancel command handler work in endpoint test before cleaning up DMA and BARs (Damien Le Moal) - Respect endpoint page size in dw_pcie_ep_align_addr() (Niklas Cassel) - Use dw_pcie_ep_align_addr() in dw_pcie_ep_raise_msi_irq() and dw_pcie_ep_raise_msix_irq() instead of open coding the equivalent (Niklas Cassel) - Remove superfluous 'return' from pci_epf_test_clean_dma_chan() (Wang Jiang) - Avoid NULL dereference if Modem Host Interface Endpoint lacks 'mmio' DT property (Zhongqiu Han) - Release PCI domain ID of Endpoint controller parent (not controller itself) and before unregistering the controller, to avoid use-after-free (Zijun Hu) - Clear secondary (not primary) EPC in pci_epc_remove_epf() when removing the secondary controller associated with an NTB (Zijun Hu) - Fix pci_epc_map map_size kerneldoc (Rick Wertenbroek) * pci/endpoint: PCI: endpoint: Fix pci_epc_map map_size kerneldoc string PCI: endpoint: Clear secondary (not primary) EPC in pci_epc_remove_epf() PCI: endpoint: Fix PCI domain ID release in pci_epc_destroy() PCI: endpoint: epf-mhi: Avoid NULL dereference if DT lacks 'mmio' PCI: endpoint: Remove surplus return statement from pci_epf_test_clean_dma_chan() PCI: dwc: ep: Use align addr function for dw_pcie_ep_raise_{msi,msix}_irq() PCI: endpoint: test: Synchronously cancel command handler work PCI: dwc: endpoint: Implement the pci_epc_ops::align_addr() operation PCI: endpoint: test: Use pci_epc_mem_map/unmap() PCI: endpoint: Update documentation PCI: endpoint: Introduce pci_epc_mem_map()/unmap() PCI: endpoint: Improve pci_epc_mem_alloc_addr() PCI: endpoint: Introduce pci_epc_function_is_valid() commit 0683141812ce93a6604c51b60101744577c65154 Merge: 5cdd50dc109998 718c157a0b941f Author: Bjorn Helgaas Date: Mon Nov 25 13:40:56 2024 -0600 Merge branch 'pci/dt-bindings' - Update mediatek-gen3 DT binding to require the exact number of clocks for each SoC (Fei Shao) - Add qcom SAR2130P DT binding with an additional clock (Dmitry Baryshkov) * pci/dt-bindings: dt-bindings: PCI: snps,dw-pcie: Drop "#interrupt-cells" from example dt-bindings: PCI: qcom,pcie-sm8550: Add SAR2130P compatible dt-bindings: PCI: mediatek-gen3: Allow exact number of clocks only commit 5cdd50dc1099983eff4e6b30cf0c290469c0d283 Merge: ab02bafcecedcd aa46a3736afcb7 Author: Bjorn Helgaas Date: Mon Nov 25 13:40:56 2024 -0600 Merge branch 'pci/virtualization' - Add ACS quirk for Wangxun FF5xxx NICs, which don't advertise and ACS capability but do isolate functions as though PCI_ACS_RR and PCI_ACS_CR were set, so the functions can be in independent IOMMU groups (Mengyuan Lou) * pci/virtualization: PCI: Add ACS quirk for Wangxun FF5xxx NICs commit ab02bafcecedcd936d9e8526bcf1542642ad2947 Merge: efcbd9d3975f03 48d0fd2b903e39 Author: Bjorn Helgaas Date: Mon Nov 25 13:40:55 2024 -0600 Merge branch 'pci/tph' - Add and document TLP Processing Hints (TPH) support so drivers can enable and disable TPH and the kernel can save/restore TPH configuration (Wei Huang) - Add TPH Steering Tag support so drivers can retrieve Steering Tag values associated with specific CPUs via an ACPI _DSM to direct DMA writes closer to their consumers (Wei Huang) * pci/tph: PCI/TPH: Add TPH documentation PCI/TPH: Add Steering Tag support PCI: Add TLP Processing Hints (TPH) support commit efcbd9d3975f03c600f42a018f2453f2957042ad Merge: c03d361c2036f3 3b96b895127b7c Author: Bjorn Helgaas Date: Mon Nov 25 13:40:55 2024 -0600 Merge branch 'pci/thunderbolt' - Detect some Thunderbolt chips that are built-in and hence 'trustworthy' by a heuristic since the 'ExternalFacingPort' and 'usb4-host-interface' ACPI properties are not quite enough (Esther Shimanovich) * pci/thunderbolt: PCI: Detect and trust built-in Thunderbolt chips commit c03d361c2036f3289a45834fce8372864a4576b3 Merge: d985e2beb9cac5 19f73e938df2b8 Author: Bjorn Helgaas Date: Mon Nov 25 13:40:55 2024 -0600 Merge branch 'pci/resource' - Add resource_set_size() to set resource size when start has already been set (Ilpo Järvinen) - Add resource_set_range() helper to set both resource start and size (Ilpo Järvinen) - Use IS_ALIGNED() and resource_size() in quirk_s3_64M() instead of open-coding them (Ilpo Järvinen) - Add ALIGN_DOWN_IF_NONZERO() to avoid code duplication when distributing resources across devices (Ilpo Järvinen) - Improve pdev_sort_resources() warning message to be more specific (Ilpo Järvinen) * pci/resource: PCI: Improve pdev_sort_resources() warning message PCI: Add ALIGN_DOWN_IF_NONZERO() helper PCI: Use align and resource helpers, and SZ_* in quirk_s3_64M() PCI: Use resource_set_{range,size}() helpers resource: Add resource set range and size helpers commit d985e2beb9cac53ff190883f2b7ae3085f0586f6 Merge: ce1deca962e3f6 a3151e6daaec17 Author: Bjorn Helgaas Date: Mon Nov 25 13:40:54 2024 -0600 Merge branch 'pci/reset' - Add sysfs 'reset_subordinate' to reset hierarchy below bridge (Keith Busch) - Warn if we reset a running device where driver didn't register pci_error_handlers notification callbacks (Keith Busch) * pci/reset: PCI: Warn if a running device is unaware of reset PCI: Add 'reset_subordinate' to reset hierarchy below bridge commit ce1deca962e3f67442dba834c8e1ba3629db6159 Merge: 95e93032badb21 3f925cd6287401 Author: Bjorn Helgaas Date: Mon Nov 25 13:40:54 2024 -0600 Merge branch 'pci/pwrctl' - Use of_platform_device_create() instead of of_platform_populate() to create pwrctl platform devices so we can control it based on the child nodes (Manivannan Sadhasivam) - Create pwrctrl platform devices only if there's a relevant power supply property (Manivannan Sadhasivam) - Add device link from the pwrctl supplier to the PCI dev to ensure pwrctl drivers are probed before the PCI dev driver; this avoids a race where pwrctl could change device power state while the PCI driver was active (Manivannan Sadhasivam) - Find pwrctl device for removal with of_find_device_by_node() instead of searching all children of the parent (Manivannan Sadhasivam) - Rename 'pwrctl' to 'pwrctrl' to use the same 'ctrl' suffix as 'bwctrl' and other PCI files to reduce confusion (Bjorn Helgaas) * pci/pwrctl: PCI/pwrctrl: Rename pwrctrl functions and structures PCI/pwrctrl: Rename pwrctl files to pwrctrl PCI/pwrctl: Remove pwrctl device without iterating over all children of pwrctl parent PCI/pwrctl: Ensure that pwrctl drivers are probed before PCI client drivers PCI/pwrctl: Create pwrctl device only if at least one power supply is present PCI/pwrctl: Use of_platform_device_create() to create pwrctl devices # Conflicts: # drivers/pci/bus.c # drivers/pci/remove.c commit 95e93032badb21e1d232c7e4a882fc359fa18a55 Merge: 2438a745717995 dc421bb3c0db2a Author: Bjorn Helgaas Date: Mon Nov 25 13:40:46 2024 -0600 Merge branch 'pci/pm' - Enable starfive controller runtime PM before probing host bridge (Mayank Rana) - Enable runtime power management for host bridges (Krishna chaitanya chundru) * pci/pm: PCI: Enable runtime PM of the host bridge PCI: starfive: Enable controller runtime PM before probing host bridge commit 2438a7457179957b273e76e3090a82b19a60a287 Merge: 5d756f3fa82ff9 5e316d34b53039 Author: Bjorn Helgaas Date: Mon Nov 25 13:40:46 2024 -0600 Merge branch 'pci/of' - Use PCI bus addresses (not CPU addresses) in 'ranges' properties when building dynamic DT nodes so systems where the PCI and CPU addresses space differ work correctly (Andrea della Porta) * pci/of: PCI: of_property: Assign PCI instead of CPU bus address to dynamic PCI nodes commit 5d756f3fa82ff907d875b57e194bb89beff63c4b Merge: 665e4a3456d467 38a18dfe9035d5 Author: Bjorn Helgaas Date: Mon Nov 25 13:40:45 2024 -0600 Merge branch 'pci/locking' - Make pci_stop_dev() and pci_destroy_dev() concurrent safe (Keith Busch) - Move __pci_walk_bus() mutex up into the caller, which avoids the need for a parameter to control locking (Keith Busch) - Simplify __pci_walk_bus() by making it recursive (Keith Busch) - Unexport pci_walk_bus_locked(), which is only used internally by the PCI core (Keith Busch) * pci/locking: PCI: Unexport pci_walk_bus_locked() PCI: Convert __pci_walk_bus() to be recursive PCI: Move __pci_walk_bus() mutex to where we need it PCI: Make pci_destroy_dev() concurrent safe PCI: Make pci_stop_dev() concurrent safe commit 665e4a3456d467e739a0879139114930397726eb Merge: dcd12456b356c0 e434e54d3ffcd1 Author: Bjorn Helgaas Date: Mon Nov 25 13:40:45 2024 -0600 Merge branch 'pci/hotplug-octeon' - Add hotplug controller driver for Marvell OCTEON multi-function device where function 0 has a management console interface to enable/disable and provision various personalities for the other functions (Shijith Thotton) * pci/hotplug-octeon: PCI: hotplug: Add OCTEON PCI hotplug controller driver commit dcd12456b356c0e132a9219ffe6e6e538975381d Merge: 77ac2e28f13f18 c7acef99642b76 Author: Bjorn Helgaas Date: Mon Nov 25 13:40:44 2024 -0600 Merge branch 'pci/hotplug' - Remove unused cpcihp struct cpci_hp_controller_ops.hardware_test (Guilherme Giacomo Simoes) - Remove unused cpqphp struct ctrl_dbg.ctrl (Christophe JAILLET) - Clean up cpqphp PCIBIOS_* return value confusion (Ilpo Järvinen) - Use pci_bus_read_dev_vendor_id() instead of hand-coded presence detection in cpqphp (Ilpo Järvinen) - Simplify cpqphp enumeration, which is already simple-minded and doesn't handle devices below hot-added bridges (Ilpo Järvinen) - Retain a reference to the pci_bus for the lifetime of a pci_slot to avoid a use-after-free when the thunderbolt driver resets USB4 host routers on boot, causing hotplug remove/add of downstream docks or other devices (Lukas Wunner) * pci/hotplug: PCI: Fix use-after-free of slot->bus on hot remove PCI: cpqphp: Simplify PCI_ScanBusForNonBridge() PCI: cpqphp: Use define to read class/revision dword PCI: cpqphp: Use pci_bus_read_dev_vendor_id() to detect presence PCI: cpqphp: Fix PCIBIOS_* return value confusion PCI: cpqphp: Remove unused struct ctrl_dbg.ctrl PCI: cpcihp: Remove unused struct cpci_hp_controller_ops.hardware_test commit 77ac2e28f13f18b50c7ecf9cbfec392e9d871f14 Merge: dd976123685753 32ec7b362d904c Author: Bjorn Helgaas Date: Mon Nov 25 13:40:44 2024 -0600 Merge branch 'pci/enumeration' - Simplify pci_read_bridge_bases() logic (Ilpo Järvinen) * pci/enumeration: PCI: Simplify pci_read_bridge_bases() logic PCI: Move struct pci_bus_resource into bus.c PCI: Remove unused PCI_SUBTRACTIVE_DECODE commit dd976123685753fcc1d6221cfe5b06c04c8f6143 Merge: f326ce1693a7b8 43d6961cdf1d06 Author: Bjorn Helgaas Date: Mon Nov 25 13:40:44 2024 -0600 Merge branch 'pci/driver-remove' - Convert driver .remove_new() callbacks to .remove() again to finish the conversion from returning 'int' to being 'void' (Sergio Paracuellos) * pci/driver-remove: PCI: acpiphp_ampere_altra: Switch back to struct platform_driver::remove() PCI: controller: Switch back to struct platform_driver::remove() commit f326ce1693a7b813bdc082d3c16f3f9264237f54 Merge: 73bdd7304a0120 64fe9bc34f7815 Author: Bjorn Helgaas Date: Mon Nov 25 13:40:43 2024 -0600 Merge branch 'pci/devm' - Export pcim_request_all_regions(), a managed interface to request all BARs (Philipp Stanner) - Replace pcim_iomap_regions_request_all() with pcim_request_all_regions(), and pcim_iomap_table()[n] with pcim_iomap(n), in the following drivers: ahci, crypto qat, crypto octeontx2, intel_th, iwlwifi, ntb idt, serial rp2, ALSA korg1212 (Philipp Stanner) - Remove the now unused pcim_iomap_regions_request_all() (Philipp Stanner) - Export pcim_iounmap_region(), a managed interface to unmap and release a PCI BAR (Philipp Stanner) - Replace pcim_iomap_regions(mask) with pcim_iomap_region(n), and pcim_iounmap_regions(mask) with pcim_iounmap_region(n), in the following drivers: fpga dfl-pci, block mtip32xx, gpio-merrifield, cavium (Philipp Stanner) * pci/devm: ethernet: cavium: Replace deprecated PCI functions gpio: Replace deprecated PCI functions fpga/dfl-pci.c: Replace deprecated PCI functions PCI: Deprecate pcim_iounmap_regions() PCI: Make pcim_iounmap_region() a public function PCI: Remove pcim_iomap_regions_request_all() ALSA: korg1212: Replace deprecated PCI functions serial: rp2: Replace deprecated PCI functions ntb: idt: Replace deprecated PCI functions wifi: iwlwifi: replace deprecated PCI functions intel_th: pci: Replace deprecated PCI functions crypto: marvell - replace deprecated PCI functions crypto: qat - replace deprecated PCI functions ata: ahci: Replace deprecated PCI functions PCI: Make pcim_request_all_regions() a public function commit 73bdd7304a0120cf6e6fa3d20cf9e5ef7823f51f Merge: d957ff7acaf276 86efc62d031307 Author: Bjorn Helgaas Date: Mon Nov 25 13:40:43 2024 -0600 Merge branch 'pci/doe' - Wait up to 1 second for DOE Busy bit to clear before writing a request to the mailbox to avoid failures if the mailbox is still busy from a previous transfer (Gregory Price) * pci/doe: PCI/DOE: Poll DOE Busy bit for up to 1 second in pci_doe_send_req() commit d957ff7acaf27674e73db716a2dc0ae8170144cd Merge: 018247100d90e6 ba58eee1c57b2a Author: Bjorn Helgaas Date: Mon Nov 25 13:40:43 2024 -0600 Merge branch 'pci/bwctrl' - Add read/modify/write locking for Link Control 2, which is used to manage Link speed (Ilpo Järvinen) - Cache all supported Link speeds for use by the PCIe bandwidth controller (Ilpo Järvinen) - Extract the Link Bandwidth Management Status check into pcie_lbms_seen(), where it can be shared between the bandwidth controller and quirks that use it to help retrain failed links (Ilpo Järvinen) - Re-add Link Bandwidth notification support with updates to address the reasons it was previously reverted (Alexandru Gagniuc, Ilpo Järvinen) - Add pcie_set_target_speed() and related functionality to manage PCIe Link speed based on thermal constraints (Ilpo Järvinen) - Add a thermal cooling driver to throttle PCIe Links via the existing thermal management framework (Ilpo Järvinen) - Add a userspace selftest for the PCIe bandwidth controller (Ilpo Järvinen) - Drop duplicate pcie_get_speed_cap(), pcie_get_width_cap() declarations (Bjorn Helgaas) * pci/bwctrl: PCI: Drop duplicate pcie_get_speed_cap(), pcie_get_width_cap() declarations selftests/pcie_bwctrl: Create selftests thermal: Add PCIe cooling driver PCI/bwctrl: Add pcie_set_target_speed() to set PCIe Link Speed PCI/bwctrl: Re-add BW notification portdrv as PCIe BW controller PCI: Abstract LBMS seen check into pcie_lbms_seen() PCI: Refactor pcie_update_link_speed() PCI: Store all PCIe Supported Link Speeds PCI: Protect Link Control 2 Register with RMW locking Documentation PCI: Reformat RMW ops documentation commit 018247100d90e6f4a219150bc89792d9ed6a5ac0 Merge: 9852d85ec9d492 d6604106319249 Author: Bjorn Helgaas Date: Mon Nov 25 13:40:42 2024 -0600 Merge branch 'pci/aspm' - Disable ASPM L1 before touching L1 PM Substates to follow the spec closer and avoid a CPU load timeout on some platforms (Ajay Agarwal) - Set devices below Intel VMD to D0 before enabling ASPM L1 Substates (Jian-Hong Pan) * pci/aspm: PCI: vmd: Set devices to D0 before enabling PM L1 Substates PCI/ASPM: Add notes about enabling PCI-PM L1SS to pci_enable_link_state(_locked) PCI/ASPM: Disable L1 before disabling L1 PM Substates commit ab02d8774181b2834247e913f61e471af149979e Author: Marco Crivellari Date: Thu Nov 7 17:40:29 2024 +0100 Update misleading comment in cifs_chan_update_iface Since commit 8da33fd11c05 ("cifs: avoid deadlocks while updating iface") cifs_chan_update_iface now takes the chan_lock itself, so update the comment accordingly. Reviewed-by: Enzo Matsumiya Signed-off-by: Marco Crivellari Signed-off-by: Steve French commit 07bdf9272a01741b43461d666fb870ee00b02480 Author: Henrique Carvalho Date: Fri Nov 22 22:14:37 2024 -0300 smb: client: change return value in open_cached_dir_by_dentry() if !cfids Change return value from -ENOENT to -EOPNOTSUPP to maintain consistency with the return value of open_cached_dir() for the same case. This change is safe as the only calling function does not differentiate between these return values. Reviewed-by: Paulo Alcantara (Red Hat) Reviewed-by: Enzo Matsumiya Signed-off-by: Henrique Carvalho Signed-off-by: Steve French commit ceaf1451990e3ea7fb50aebb5a149f57945f6e9f Author: Henrique Carvalho Date: Fri Nov 22 22:14:35 2024 -0300 smb: client: disable directory caching when dir_cache_timeout is zero Setting dir_cache_timeout to zero should disable the caching of directory contents. Currently, even when dir_cache_timeout is zero, some caching related functions are still invoked, which is unintended behavior. Fix the issue by setting tcon->nohandlecache to true when dir_cache_timeout is zero, ensuring that directory handle caching is properly disabled. Fixes: 238b351d0935 ("smb3: allow controlling length of time directory entries are cached with dir leases") Reviewed-by: Paulo Alcantara (Red Hat) Reviewed-by: Enzo Matsumiya Signed-off-by: Henrique Carvalho Signed-off-by: Steve French commit f6e88838400d8872be090c0bc14b36d3a7a12975 Author: Henrique Carvalho Date: Fri Nov 22 22:14:36 2024 -0300 smb: client: remove unnecessary checks in open_cached_dir() Checks inside open_cached_dir() can be removed because if dir caching is disabled then tcon->cfids is necessarily NULL. Therefore, all other checks are redundant. Signed-off-by: Henrique Carvalho Reviewed-by: Paulo Alcantara (Red Hat) Reviewed-by: Enzo Matsumiya Signed-off-by: Steve French commit a7137cbf6bd53a9f9c40c64fc8b12b88289b3d4a Author: Damien Le Moal Date: Thu Oct 17 10:58:48 2024 +0900 PCI: rockchip-ep: Handle PERST# signal in EP mode Currently, the Rockchip PCIe endpoint controller driver does not handle the PERST# signal, which prevents detecting when link training should actually be started or if the host resets the device. This however can be supported using the controller reset_gpios property set as an input GPIO for endpoint mode. Modify the Rockchip PCI endpoint controller driver to get the reset_gpio and its associated interrupt which is serviced using a threaded IRQ with the function rockchip_pcie_ep_perst_irq_thread() as handler. This handler function notifies a link down event corresponding to the RC side asserting the PERST# signal using pci_epc_linkdown() when the gpio is high. Once the gpio value goes down, corresponding to the RC de-asserting the PERST# signal, link training is started. The polarity of the gpio interrupt trigger is changed from high to low after the RC asserted PERST#, and conversely changed from low to high after the RC de-asserts PERST#. Also, given that the host mode controller and the endpoint mode controller use two different property names for the same PERST# signal (ep_gpios property and reset_gpios property respectively), for clarity, rename the ep_gpio field of struct rockchip_pcie to perst_gpio. Link: https://lore.kernel.org/r/20241017015849.190271-14-dlemoal@kernel.org Signed-off-by: Damien Le Moal [kwilczynski: make log messages consistent, add missing include] Signed-off-by: Krzysztof Wilczyński Signed-off-by: Bjorn Helgaas commit bd6e61df4b2e69985daa312ce28b6af629b30870 Author: Damien Le Moal Date: Thu Oct 17 10:58:47 2024 +0900 PCI: rockchip-ep: Improve link training The Rockchip RK3399 TRM V1.3 Part2, Section 17.5.8.1.2, step 7, describes the endpoint mode link training process clearly and states that: Insure link training completion and success by observing link_st field in PCIe Client BASIC_STATUS1 register change to 2'b11. If both side support PCIe Gen2 speed, re-train can be Initiated by asserting the Retrain Link field in Link Control and Status Register. The software should insure the BASIC_STATUS0[negotiated_speed] changes to "1", that indicates re-train to Gen2 successfully. This procedure is very similar to what is done for the root-port mode in rockchip_pcie_host_init_port(). Implement this link training procedure for the endpoint mode as well. Given that the RK3399 SoC does not have an interrupt signaling link status changes, training is implemented as a delayed work which is rescheduled until the link training completes or the endpoint controller is stopped. The link training work is first scheduled in rockchip_pcie_ep_start() when the endpoint function is started. Link training completion is signaled to the function using pci_epc_linkup(). Accordingly, the linkup_notifier field of the Rockchip pci_epc_features structure is changed to true. Link: https://lore.kernel.org/r/20241017015849.190271-13-dlemoal@kernel.org Signed-off-by: Damien Le Moal [kwilczynski: update log messages to make them consistent] Signed-off-by: Krzysztof Wilczyński Signed-off-by: Bjorn Helgaas commit 00080d0887df8c197c5b89e38215c14980eae544 Author: Damien Le Moal Date: Thu Oct 17 10:58:46 2024 +0900 PCI: rockship-ep: Implement the pci_epc_ops::stop_link() operation Define the EPC operation ->stop() for the Rockchip endpoint driver with the function rockchip_pcie_ep_stop(). This function disables link training and the controller configuration, as the reverse to what the start operation defined with rockchip_pcie_ep_start() does. Link: https://lore.kernel.org/r/20241017015849.190271-12-dlemoal@kernel.org Signed-off-by: Damien Le Moal Signed-off-by: Krzysztof Wilczyński Signed-off-by: Bjorn Helgaas Reviewed-by: Manivannan Sadhasivam commit 091022f5f94513e5f11aa9e2f1cd9fdb4d00f83c Author: Damien Le Moal Date: Thu Oct 17 10:58:45 2024 +0900 PCI: rockchip-ep: Refactor endpoint link training enable The function rockchip_pcie_init_port() enables link training for a controller configured in EP mode. Enabling link training is again done in rockchip_pcie_ep_probe() after that function executed rockchip_pcie_init_port(). Enabling link training only needs to be done once, and doing so at the probe stage before the controller is actually started by the user serves no purpose. Refactor this by removing the link training enablement from both rockchip_pcie_init_port() and rockchip_pcie_ep_probe() and moving it to the endpoint start operation defined with rockchip_pcie_ep_start(). Enabling the controller configuration using the PCIE_CLIENT_CONF_ENABLE bit in the same PCIE_CLIENT_CONFIG register is also moved to rockchip_pcie_ep_start() and both the controller configuration and link training enable bits are set with a single call to rockchip_pcie_write(). Link: https://lore.kernel.org/r/20241017015849.190271-11-dlemoal@kernel.org Signed-off-by: Damien Le Moal Signed-off-by: Krzysztof Wilczyński Signed-off-by: Bjorn Helgaas commit 8efda8aebeed59bab984489407a94008f65f4d1e Author: Damien Le Moal Date: Thu Oct 17 10:58:44 2024 +0900 PCI: rockchip-ep: Refactor rockchip_pcie_ep_probe() MSI-X hiding Move the code in rockchip_pcie_ep_probe() to hide the MSI-X capability to its own function, rockchip_pcie_ep_hide_broken_msix_cap(). No functional changes. Link: https://lore.kernel.org/r/20241017015849.190271-10-dlemoal@kernel.org Signed-off-by: Damien Le Moal Signed-off-by: Krzysztof Wilczyński Signed-off-by: Bjorn Helgaas Reviewed-by: Manivannan Sadhasivam commit 945648019466db06dca189a639af913f2834ee9b Author: Damien Le Moal Date: Thu Oct 17 10:58:43 2024 +0900 PCI: rockchip-ep: Refactor rockchip_pcie_ep_probe() memory allocations Introduce the function rockchip_pcie_ep_init_ob_mem() allocate the outbound memory regions and memory needed for IRQ handling. These changes tidy up rockchip_pcie_ep_probe(). No functional change. Link: https://lore.kernel.org/r/20241017015849.190271-9-dlemoal@kernel.org Signed-off-by: Damien Le Moal Signed-off-by: Krzysztof Wilczyński Signed-off-by: Bjorn Helgaas commit 2968534e63e5bbe3d3f3c317ba32012393ee6637 Author: Damien Le Moal Date: Thu Oct 17 10:58:42 2024 +0900 PCI: rockchip-ep: Rename rockchip_pcie_parse_ep_dt() To be consistent with the usual "get_resources" naming of driver functions that acquire controller resources like clocks, PHY etc, rename the function rockchip_pcie_parse_ep_dt() to rockchip_pcie_ep_get_resources(). No functional changes. Link: https://lore.kernel.org/r/20241017015849.190271-8-dlemoal@kernel.org Signed-off-by: Damien Le Moal Signed-off-by: Krzysztof Wilczyński Signed-off-by: Bjorn Helgaas commit 9f737cca6c54edd0af0a29bb0a702837f1fc9645 Author: Damien Le Moal Date: Thu Oct 17 10:58:41 2024 +0900 PCI: rockchip-ep: Fix MSI IRQ data mapping The call to rockchip_pcie_prog_ep_ob_atu() used to map the PCI address of MSI data to the memory window allocated on probe for IRQs is done in rockchip_pcie_ep_send_msi_irq() assuming a fixed alignment to a 256B boundary of the PCI address. This is not correct as the alignment constraint for the RK3399 PCI mapping depends on the number of bits of address changing in the mapped region. This leads to an unstable system which sometimes work and sometimes does not (crashing on paging faults when memcpy_toio() or memcpy_fromio() are used). Similar to regular data mapping, the MSI data mapping must thus be handled according to the information provided by rockchip_pcie_ep_align_addr(). Modify rockchip_pcie_ep_send_msi_irq() to use rockchip_pcie_ep_align_addr() to correctly program entry 0 of the ATU for sending MSI IRQs. Link: https://lore.kernel.org/r/20241017015849.190271-7-dlemoal@kernel.org Signed-off-by: Damien Le Moal Signed-off-by: Krzysztof Wilczyński Signed-off-by: Bjorn Helgaas commit b21255326db2d736089b3df26c3cd4e4a131d75f Author: Damien Le Moal Date: Thu Oct 17 10:58:40 2024 +0900 PCI: rockchip-ep: Implement the pci_epc_ops::align_addr() operation The Rockchip PCIe endpoint controller handles PCIe transfers addresses by masking the lower bits of the programmed PCI address and using the same number of lower bits from the CPU address space used for the mapping. For a PCI mapping of size bytes starting from pci_addr, the number of bits masked is the number of address bits changing in the address range [pci_addr..pci_addr + size - 1], up to 20 bits, that is, up to 1MB mappings. This means that when preparing a PCI address mapping, an endpoint function driver must use an offset into the allocated controller memory region that is equal to the mask of the starting PCI address over rockchip_pcie_ep_ob_atu_num_bits() bits. This offset also determines the maximum size of the mapping given the starting PCI address and the fixed 1MB controller memory window size. Implement the ->align_addr() endpoint controller operation to allow the mapping alignment to be transparently handled by endpoint function drivers through the function pci_epc_mem_map(). Link: https://lore.kernel.org/r/20241017015849.190271-6-dlemoal@kernel.org Co-developed-by: Rick Wertenbroek Signed-off-by: Rick Wertenbroek Signed-off-by: Damien Le Moal [kwilczynski: change local variable name for address offset] Signed-off-by: Krzysztof Wilczyński Signed-off-by: Bjorn Helgaas commit d8dbd21cfafd653b02ec187e59e0bcfaebd9a884 Author: Damien Le Moal Date: Thu Oct 17 10:58:39 2024 +0900 PCI: rockchip-ep: Improve rockchip_pcie_ep_map_addr() Add a check to verify that the outbound region to be used for mapping an address is not already in use. Link: https://lore.kernel.org/r/20241017015849.190271-5-dlemoal@kernel.org Signed-off-by: Damien Le Moal Signed-off-by: Krzysztof Wilczyński Signed-off-by: Bjorn Helgaas Reviewed-by: Manivannan Sadhasivam commit 57ed93fe799b3564388fd61279fc274ae2716508 Author: Damien Le Moal Date: Thu Oct 17 10:58:38 2024 +0900 PCI: rockchip-ep: Improve rockchip_pcie_ep_unmap_addr() There is no need to loop over all regions to find the memory window used to map an address. We can use rockchip_ob_region() to determine the region index, together with a check that the address passed as argument is the address used to create the mapping. Furthermore, the ob_region_map bitmap should also be checked to ensure that we are not attempting to unmap an address that is not mapped. Link: https://lore.kernel.org/r/20241017015849.190271-4-dlemoal@kernel.org Signed-off-by: Damien Le Moal Signed-off-by: Krzysztof Wilczyński Signed-off-by: Bjorn Helgaas commit 739e25f51aedaebf20496fbc99c6ef43fc6d6ca1 Author: Damien Le Moal Date: Thu Oct 17 10:58:37 2024 +0900 PCI: rockchip-ep: Use a macro to define EP controller .align feature Introduce the macro ROCKCHIP_PCIE_AT_SIZE_ALIGN to initialize the .align field of the controller epc_features structure to 256. This is defined as a shift using the macro ROCKCHIP_PCIE_AT_MIN_NUM_BITS (to avoid using the "magic" value 8 directly). Link: https://lore.kernel.org/r/20241017015849.190271-3-dlemoal@kernel.org Signed-off-by: Damien Le Moal Signed-off-by: Krzysztof Wilczyński Signed-off-by: Bjorn Helgaas Reviewed-by: Manivannan Sadhasivam commit 64f093c4d99d797b68b407a9d8767aadc3e3ea7a Author: Damien Le Moal Date: Thu Oct 17 10:58:36 2024 +0900 PCI: rockchip-ep: Fix address translation unit programming The Rockchip PCIe endpoint controller handles PCIe transfers addresses by masking the lower bits of the programmed PCI address and using the same number of lower bits masked from the CPU address space used for the mapping. For a PCI mapping of bytes starting from , the number of bits masked is the number of address bits changing in the address range [pci_addr..pci_addr + size - 1]. However, rockchip_pcie_prog_ep_ob_atu() calculates num_pass_bits only using the size of the mapping, resulting in an incorrect number of mask bits depending on the value of the PCI address to map. Fix this by introducing the helper function rockchip_pcie_ep_ob_atu_num_bits() to correctly calculate the number of mask bits to use to program the address translation unit. The number of mask bits is calculated depending on both the PCI address and size of the mapping, and clamped between 8 and 20 using the macros ROCKCHIP_PCIE_AT_MIN_NUM_BITS and ROCKCHIP_PCIE_AT_MAX_NUM_BITS. As defined in the Rockchip RK3399 TRM V1.3 Part2, Sections 17.5.5.1.1 and 17.6.8.2.1, this clamping is necessary because: 1) The lower 8 bits of the PCI address to be mapped by the outbound region are ignored. So a minimum of 8 address bits are needed and imply that the PCI address must be aligned to 256. 2) The outbound memory regions are 1MB in size. So while we can specify up to 63-bits for the PCI address (num_bits filed uses bits 0 to 5 of the outbound address region 0 register), we must limit the number of valid address bits to 20 to match the memory window maximum size (1 << 20 = 1MB). Fixes: cf590b078391 ("PCI: rockchip: Add EP driver for Rockchip PCIe controller") Link: https://lore.kernel.org/r/20241017015849.190271-2-dlemoal@kernel.org Signed-off-by: Damien Le Moal Signed-off-by: Krzysztof Wilczyński Signed-off-by: Bjorn Helgaas Cc: stable@vger.kernel.org commit 78ac1c3558810486d90aa533b0039aa70487a3da Author: Christian König Date: Fri Nov 8 09:29:48 2024 +0100 dma-buf: fix dma_fence_array_signaled v4 The function silently assumed that signaling was already enabled for the dma_fence_array. This meant that without enabling signaling first we would never see forward progress. Fix that by falling back to testing each individual fence when signaling isn't enabled yet. v2: add the comment suggested by Boris why this is done this way v3: fix the underflow pointed out by Tvrtko v4: atomic_read_acquire() as suggested by Tvrtko Signed-off-by: Christian König Reviewed-by: Boris Brezillon Tested-by: Chia-I Wu Reviewed-by: Tvrtko Ursulin Closes: https://gitlab.freedesktop.org/mesa/mesa/-/issues/12094 Cc: Link: https://patchwork.freedesktop.org/patch/msgid/20241112121925.18464-1-christian.koenig@amd.com commit dfdf714fed559c09021df1d2a4bb64c0ad5f53bc Author: Namhyung Kim Date: Wed Nov 20 16:13:34 2024 -0800 perf/arm-cmn: Ensure port and device id bits are set properly The portid_bits and deviceid_bits were set only for XP type nodes in the arm_cmn_discover() and it confused other nodes to find XP nodes. Copy the both bits from the XP nodes directly when it sets up a new node. Fixes: e79634b53e39 ("perf/arm-cmn: Refactor node ID handling. Again.") Signed-off-by: Namhyung Kim Acked-by: Will Deacon Reviewed-by: Robin Murphy Link: https://lore.kernel.org/r/20241121001334.331334-1-namhyung@kernel.org Signed-off-by: Catalin Marinas commit 02a55f2743012a8089f09f6867220c3d57f16564 Author: Chun-Tse Shao Date: Fri Nov 8 05:08:05 2024 +0000 perf/arm-smmuv3: Fix lockdep assert in ->event_init() Same as https://lore.kernel.org/all/20240514180050.182454-1-namhyung@kernel.org/, we should skip `for_each_sibling_event()` for group leader since it doesn't have the ctx yet. Fixes: f3c0eba28704 ("perf: Add a few assertions") Reported-by: Greg Thelen Cc: Namhyung Kim Cc: Robin Murphy Cc: Tuan Phan Signed-off-by: Chun-Tse Shao Acked-by: Will Deacon Link: https://lore.kernel.org/r/20241108050806.3730811-1-ctshao@google.com Signed-off-by: Catalin Marinas commit 3e51108c72e8adbcf3180ed40527a2a9d2d0123b Merge: 919464deeca24e 0201710ba6308a Author: Linus Torvalds Date: Mon Nov 25 10:31:39 2024 -0800 Merge tag 'input-for-v6.13-rc0' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input Pull input updates from Dmitry Torokhov: - support for NT36672A touchscreen added to novatek-nvt-ts driver - a change to ads7846 driver to prevent XPT2046 from locking up - a change switching platform input dirves back to using remove() method (from remove_new()) - updates to a number of input drivers to use the new cleanup facilities (__free(...), guard(), and scoped-guard()) which ensure that the resources and locks are released properly and automatically - other assorted driver cleanups and fixes. * tag 'input-for-v6.13-rc0' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input: (109 commits) Input: mpr121 - use devm_regulator_get_enable_read_voltage() Input: sun4i-lradc-keys - don't include 'pm_wakeup.h' directly Input: spear-keyboard - don't include 'pm_wakeup.h' directly Input: cypress-sf - constify struct i2c_device_id Input: ads7846 - increase xfer array size in 'struct ser_req' Input: fix the input_event struct documentation Input: i8042 - fix typo dublicate to duplicate Input: ads7846 - add dummy command register clearing cycle Input: cs40l50 - fix wrong usage of INIT_WORK() Input: introduce notion of passive observers for input handlers Input: maple_keyb - use guard notation when acquiring mutex Input: locomokbd - use guard notation when acquiring spinlock Input: hilkbd - use guard notation when acquiring spinlock Input: synaptics-rmi4 - switch to using cleanup functions in F34 Input: synaptics - fix a typo dt-bindings: input: rotary-encoder: Fix "rotary-encoder,rollover" type Input: omap-keypad - use guard notation when acquiring mutex Input: imagis - fix warning regarding 'imagis_3038_data' being unused Input: userio - remove unneeded semicolon Input: sparcspkr - use cleanup facility for device_node ... commit 919464deeca24e5bf13b6c8efd0b1d25cc43866f Author: Linus Torvalds Date: Mon Nov 25 09:21:21 2024 -0800 Revert "HID: bpf: allow write access to quirks field in struct hid_device" This reverts commit 6fd47effe92b, and the related self-test update commit e14e0eaeb040 ("selftests/hid: add test for assigning a given device to hid-generic"). It results in things like the scroll wheel on Logitech mice not working after a reboot due to the kernel being confused about the state of the high-resolution mode. Quoting Benjamin Tissoires: "The idea of 6fd47effe92b was to be able to call hid_bpf_rdesc_fixup() once per reprobe of the device. However, because the bpf filter can now change the quirk value, the call had to be moved before the driver gets bound (which was previously ensuring the unicity of the call). The net effect is that now, in the case hid-generic gets loaded first and then the specific driver gets loaded once the disk is available, the value of ->quirks is not reset, but kept to the value that was set by hid-generic (HID_QUIRK_INPUT_PER_APP). Once hid-logitech-hidpp kicks in, that quirk is now set, which creates two inputs for the single mouse: one keyboard for fancy shortcuts, and one mouse node. However, hid-logitech-hidpp expects only one input node to be attached (it stores it into hidpp->input), and when a wheel event is received, because there is some processing with high-resolution wheel events, the wheel event is injected into hidpp->input. And of course, when HID_QUIRK_INPUT_PER_APP is set, hidpp->input gets the keyboard node, which doesn't have wheel event type, and the events are ignored" Reported-and-bisected-by: Mike Galbraith Link: https://lore.kernel.org/all/CAHk-=wiUkQM3uheit2cNM0Y0OOY5qqspJgC8LkmOkJ2p2LDxcw@mail.gmail.com/ Acked-by: Benjamin Tissoires Signed-off-by: Linus Torvalds commit edc80c585772cac59ef780899269436a0823fe67 Author: John Garry Date: Mon Nov 25 10:02:58 2024 +0000 block: Remove extra part pointer NULLify in blk_rq_init() The rq->part pointer is already NULLified in the memset() call, so - like for other pointers in rq - don't re-NULLify. Signed-off-by: John Garry Link: https://lore.kernel.org/r/20241125100258.4172774-1-john.g.garry@oracle.com Signed-off-by: Jens Axboe commit fe4bf8d0b6716a423b16495d55b35d3fe515905d Author: Avihai Horon Date: Sun Nov 24 16:27:39 2024 +0200 vfio/pci: Properly hide first-in-list PCIe extended capability There are cases where a PCIe extended capability should be hidden from the user. For example, an unknown capability (i.e., capability with ID greater than PCI_EXT_CAP_ID_MAX) or a capability that is intentionally chosen to be hidden from the user. Hiding a capability is done by virtualizing and modifying the 'Next Capability Offset' field of the previous capability so it points to the capability after the one that should be hidden. The special case where the first capability in the list should be hidden is handled differently because there is no previous capability that can be modified. In this case, the capability ID and version are zeroed while leaving the next pointer intact. This hides the capability and leaves an anchor for the rest of the capability list. However, today, hiding the first capability in the list is not done properly if the capability is unknown, as struct vfio_pci_core_device->pci_config_map is set to the capability ID during initialization but the capability ID is not properly checked later when used in vfio_config_do_rw(). This leads to the following warning [1] and to an out-of-bounds access to ecap_perms array. Fix it by checking cap_id in vfio_config_do_rw(), and if it is greater than PCI_EXT_CAP_ID_MAX, use an alternative struct perm_bits for direct read only access instead of the ecap_perms array. Note that this is safe since the above is the only case where cap_id can exceed PCI_EXT_CAP_ID_MAX (except for the special capabilities, which are already checked before). [1] WARNING: CPU: 118 PID: 5329 at drivers/vfio/pci/vfio_pci_config.c:1900 vfio_pci_config_rw+0x395/0x430 [vfio_pci_core] CPU: 118 UID: 0 PID: 5329 Comm: simx-qemu-syste Not tainted 6.12.0+ #1 (snip) Call Trace: ? show_regs+0x69/0x80 ? __warn+0x8d/0x140 ? vfio_pci_config_rw+0x395/0x430 [vfio_pci_core] ? report_bug+0x18f/0x1a0 ? handle_bug+0x63/0xa0 ? exc_invalid_op+0x19/0x70 ? asm_exc_invalid_op+0x1b/0x20 ? vfio_pci_config_rw+0x395/0x430 [vfio_pci_core] ? vfio_pci_config_rw+0x244/0x430 [vfio_pci_core] vfio_pci_rw+0x101/0x1b0 [vfio_pci_core] vfio_pci_core_read+0x1d/0x30 [vfio_pci_core] vfio_device_fops_read+0x27/0x40 [vfio] vfs_read+0xbd/0x340 ? vfio_device_fops_unl_ioctl+0xbb/0x740 [vfio] ? __rseq_handle_notify_resume+0xa4/0x4b0 __x64_sys_pread64+0x96/0xc0 x64_sys_call+0x1c3d/0x20d0 do_syscall_64+0x4d/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e Fixes: 89e1f7d4c66d ("vfio: Add PCI device driver") Signed-off-by: Avihai Horon Reviewed-by: Yi Liu Tested-by: Yi Liu Link: https://lore.kernel.org/r/20241124142739.21698-1-avihaih@nvidia.com Signed-off-by: Alex Williamson commit c5cf420303256dcd6ff175643e9e9558543c2047 Author: Max Kellermann Date: Sat Nov 23 08:21:21 2024 +0100 ceph: fix cred leak in ceph_mds_check_access() get_current_cred() increments the reference counter, but the put_cred() call was missing. Cc: stable@vger.kernel.org Fixes: 596afb0b8933 ("ceph: add ceph_mds_check_access() helper") Signed-off-by: Max Kellermann Reviewed-by: Xiubo Li Signed-off-by: Ilya Dryomov commit 23426309a4064b25a961e1c72961d8bfc7c8c990 Author: Max Kellermann Date: Sat Nov 23 08:21:20 2024 +0100 ceph: pass cred pointer to ceph_mds_auth_match() This eliminates a redundant get_current_cred() call, because ceph_mds_check_access() has already obtained this pointer. As a side effect, this also fixes a reference leak in ceph_mds_auth_match(): by omitting the get_current_cred() call, no additional cred reference is taken. Cc: stable@vger.kernel.org Fixes: 596afb0b8933 ("ceph: add ceph_mds_check_access() helper") Signed-off-by: Max Kellermann Reviewed-by: Xiubo Li Signed-off-by: Ilya Dryomov commit a3dd4d63eeb452cfb064a13862fb376ab108f6a6 Author: Takashi Iwai Date: Mon Nov 25 15:46:16 2024 +0100 ALSA: usb-audio: Fix out of bounds reads when finding clock sources The current USB-audio driver code doesn't check bLength of each descriptor at traversing for clock descriptors. That is, when a device provides a bogus descriptor with a shorter bLength, the driver might hit out-of-bounds reads. For addressing it, this patch adds sanity checks to the validator functions for the clock descriptor traversal. When the descriptor length is shorter than expected, it's skipped in the loop. For the clock source and clock multiplier descriptors, we can just check bLength against the sizeof() of each descriptor type. OTOH, the clock selector descriptor of UAC2 and UAC3 has an array of bNrInPins elements and two more fields at its tail, hence those have to be checked in addition to the sizeof() check. Reported-by: Benoît Sevens Cc: Link: https://lore.kernel.org/20241121140613.3651-1-bsevens@google.com Link: https://patch.msgid.link/20241125144629.20757-1-tiwai@suse.de Signed-off-by: Takashi Iwai commit 20c0c49720dc4e205d4c1d64add56a5043c5ec5f Author: Takashi Iwai Date: Mon Nov 25 15:20:25 2024 +0100 ALSA: rawmidi: Fix kvfree() call in spinlock At the conversion of locking with guard(), I overlooked that kvfree() must not be called inside the spinlock unlike kfree(), and this was caught by syzkaller now. This patch reverts the conversion partially for restoring the kvfree() call outside the spinlock. It's not trivial to use guard() in this context, unfortunately. Fixes: 84bb065b316e ("ALSA: rawmidi: Use guard() for locking") Reported-by: syzbot+351f8764833934c68836@syzkaller.appspotmail.com Reported-by: Eric Dumazet Closes: https://lore.kernel.org/6744737b.050a0220.1cc393.007e.GAE@google.com Cc: Link: https://patch.msgid.link/20241125142041.16578-1-tiwai@suse.de Signed-off-by: Takashi Iwai commit 5ebe792a5139f1ce6e4aed22bef12e7e2660df96 Author: Dinesh Kumar Date: Mon Nov 25 14:58:42 2024 +0530 ALSA: hda/realtek: Fix Internal Speaker and Mic boost of Infinix Y4 Max Internal Speaker of Infinix Y4 Max remains muted due to incorrect Pin configuration, and the Internal Mic records high noise. This patch corrects the Pin configuration for the Internal Speaker and limits the Internal Mic boost. HW Probe for device: https://linux-hardware.org/?probe=6d4386c347 Test: Internal Speaker works fine, Mic has low noise. Signed-off-by: Dinesh Kumar Cc: Link: https://patch.msgid.link/20241125092842.13208-1-desikumar81@gmail.com Signed-off-by: Takashi Iwai commit bc7acc0bd0f94c26bc0defc902311794a3d0fae9 Author: Samuel Holland Date: Wed Nov 20 15:31:16 2024 -0800 of: property: fw_devlink: Do not use interrupt-parent directly commit 7f00be96f125 ("of: property: Add device link support for interrupt-parent, dmas and -gpio(s)") started adding device links for the interrupt-parent property. commit 4104ca776ba3 ("of: property: Add fw_devlink support for interrupts") and commit f265f06af194 ("of: property: Fix fw_devlink handling of interrupts/interrupts-extended") later added full support for parsing the interrupts and interrupts-extended properties, which includes looking up the node of the parent domain. This made the handler for the interrupt-parent property redundant. In fact, creating device links based solely on interrupt-parent is problematic, because it can create spurious cycles. A node may have this property without itself being an interrupt controller or consumer. For example, this property is often present in the root node or a /soc bus node to set the default interrupt parent for child nodes. However, it is incorrect for the bus to depend on the interrupt controller, as some of the bus's children may not be interrupt consumers at all or may have a different interrupt parent. Resolving these spurious dependency cycles can cause an incorrect probe order for interrupt controller drivers. This was observed on a RISC-V system with both an APLIC and IMSIC under /soc, where interrupt-parent in /soc points to the APLIC, and the APLIC msi-parent points to the IMSIC. fw_devlink found three dependency cycles and attempted to probe the APLIC before the IMSIC. After applying this patch, there were no dependency cycles and the probe order was correct. Acked-by: Marc Zyngier Cc: stable@vger.kernel.org Fixes: 4104ca776ba3 ("of: property: Add fw_devlink support for interrupts") Signed-off-by: Samuel Holland Link: https://lore.kernel.org/r/20241120233124.3649382-1-samuel.holland@sifive.com Signed-off-by: Rob Herring (Arm) commit b6512519496e29270bca6b2df9baa3cc2d9d5356 Author: Christoph Hellwig Date: Fri Nov 22 13:29:24 2024 +0100 fs: require inode_owner_or_capable for F_SET_RW_HINT F_SET_RW_HINT controls data placement in the file system and / or device and should not be available to everyone who can read a given file. Signed-off-by: Christoph Hellwig Link: https://lore.kernel.org/r/20241122122931.90408-2-hch@lst.de Reviewed-by: Jan Kara Signed-off-by: Christian Brauner commit 13f3cbfbb8c9f3825a1e4e4371fe040fb35e41d5 Author: Thomas Weißschuh Date: Thu Nov 21 17:29:32 2024 +0100 thermal: int3400: Remove unneeded data_vault attribute_group The group only contains a single entry and the conditionals around its lifecycle make clear that this won't change. Remove the unnecessary group. This saves some memory and it's easier to read. The removal of a non-const bin_attribute[] instance is also a preparation for the constification of struct bin_attributes. Signed-off-by: Thomas Weißschuh Link: https://patch.msgid.link/20241121-sysfs-const-bin_attr-int340x_thermal-v1-1-2436facf9dae@weissschuh.net Signed-off-by: Rafael J. Wysocki commit cbc86dd0a4fe9f8c41075328c2e740b68419d639 Author: Uwe Kleine-König Date: Fri Nov 22 08:56:05 2024 +0100 ASoC: amd: yc: Add quirk for microphone on Lenovo Thinkpad T14s Gen 6 21M1CTO1WW Add a quirk for Tova's Lenovo Thinkpad T14s with product name 21M1. Suggested-by: Tova Link: https://bugs.debian.org/1087673 Signed-off-by: Uwe Kleine-König Link: https://patch.msgid.link/20241122075606.213132-2-ukleinek@debian.org Signed-off-by: Mark Brown commit 8697ecc3274214c65ff271a58e7abb601216f2a8 Author: anish kumar Date: Thu Nov 21 15:29:58 2024 -0800 ASoC: doc: dapm: Add location information for dapm-graph tool To help developers debug DAPM issues and visualize widget connectivity, the dapm-graph tool provides a graphical representation of how widgets and routes are connected. This commit adds the location information for the tool to the documentation, making it easier for users to find and use it for troubleshooting DAPM-related problems. Signed-off-by: anish kumar Link: https://patch.msgid.link/20241121232958.46179-1-yesanishhere@gmail.com Signed-off-by: Mark Brown commit 7082503622986537f57bdb5ef23e69e70cfad881 Author: Srinivas Pandruvada Date: Thu Nov 14 12:02:13 2024 -0800 thermal: int3400: Fix reading of current_uuid for active policy When the current_uuid attribute is set to the active policy UUID, reading back the same attribute is returning "INVALID" instead of the active policy UUID on some platforms before Ice Lake. In platforms before Ice Lake, firmware provides a list of supported thermal policies. In this case, user space can select any of the supported thermal policies via a write to attribute "current_uuid". In commit c7ff29763989 ("thermal: int340x: Update OS policy capability handshake")', the OS policy handshake was updated to support Ice Lake and later platforms and it treated priv->current_uuid_index=0 as invalid. However, priv->current_uuid_index=0 is for the active policy, only priv->current_uuid_index=-1 is invalid. Fix this issue by updating the priv->current_uuid_index check. Fixes: c7ff29763989 ("thermal: int340x: Update OS policy capability handshake") Signed-off-by: Srinivas Pandruvada Cc: 5.18+ # 5.18+ Link: https://patch.msgid.link/20241114200213.422303-1-srinivas.pandruvada@linux.intel.com [ rjw: Subject and changelog edits ] Signed-off-by: Rafael J. Wysocki commit c809b0d0e52d01c30066367b2952c4c4186b1047 Author: Borislav Petkov (AMD) Date: Tue Nov 19 12:21:33 2024 +0100 x86/microcode/AMD: Flush patch buffer mapping after application Due to specific requirements while applying microcode patches on Zen1 and 2, the patch buffer mapping needs to be flushed from the TLB after application. Do so. If not, unnecessary and unnatural delays happen in the boot process. Reported-by: Thomas De Schampheleire Signed-off-by: Borislav Petkov (AMD) Tested-by: Thomas De Schampheleire Cc: # f1d84b59cbb9 ("x86/mm: Carve out INVLPG inline asm for use by others") Link: https://lore.kernel.org/r/ZyulbYuvrkshfsd2@antipodes commit f1d84b59cbb9547c243d93991acf187fdbe9fbe9 Author: Borislav Petkov (AMD) Date: Tue Nov 19 12:21:32 2024 +0100 x86/mm: Carve out INVLPG inline asm for use by others No functional changes. Signed-off-by: Borislav Petkov (AMD) Link: https://lore.kernel.org/r/ZyulbYuvrkshfsd2@antipodes commit d9bb40544653cf039fe79225ec1d742183e2339a Author: Tony Luck Date: Fri Nov 22 15:42:12 2024 -0800 x86/cpu: Fix PPIN initialization On systems that enumerate PPIN (protected processor inventory number) using CPUID, but where the BIOS locked the MSR to prevent access /proc/cpuinfo reports "intel_ppin" feature as present on all logical CPUs except for CPU 0. This happens because ppin_init() uses x86_match_cpu() to determine whether PPIN is supported. When called on CPU 0 the test for locked PPIN MSR results in: clear_cpu_cap(c, info->feature); This clears the X86 FEATURE bit in boot_cpu_data. When other CPUs are brought online the x86_match_cpu() fails, and the PPIN FEATURE bit remains set for those other CPUs. Fix by using setup_clear_cpu_cap() instead of clear_cpu_cap() which force clears the FEATURE bit for all CPUS. Reported-by: Adeel Ashad Signed-off-by: Tony Luck Signed-off-by: Ingo Molnar Link: https://lore.kernel.org/r/20241122234212.27451-1-tony.luck@intel.com commit 8a3f5711ad74db9881b289a6e34d7f3b700df720 Author: Yuezhang Mo Date: Thu Sep 12 16:57:06 2024 +0800 exfat: reduce FAT chain traversal Before this commit, ->dir and ->entry of exfat_inode_info record the first cluster of the parent directory and the directory entry index starting from this cluster. The directory entry set will be gotten during write-back-inode/rmdir/ unlink/rename. If the clusters of the parent directory are not continuous, the FAT chain will be traversed from the first cluster of the parent directory to find the cluster where ->entry is located. After this commit, ->dir records the cluster where the first directory entry in the directory entry set is located, and ->entry records the directory entry index in the cluster, so that there is almost no need to access the FAT when getting the directory entry set. Signed-off-by: Yuezhang Mo Reviewed-by: Aoyama Wataru Reviewed-by: Daniel Palmer Reviewed-by: Sungjong Seo Signed-off-by: Namjae Jeon commit 6b151eb5df78dc1a1ea7c862834199e08ea11c7b Author: Yuezhang Mo Date: Thu Sep 12 17:07:01 2024 +0800 exfat: code cleanup for exfat_readdir() For the root directory and other directories, the clusters allocated to them can be obtained from exfat_inode_info, and there is no need to distinguish them. And there is no need to initialize atime/ctime/mtime/size in exfat_readdir(), because exfat_iterate() does not use them. Signed-off-by: Yuezhang Mo Reviewed-by: Aoyama Wataru Reviewed-by: Daniel Palmer Reviewed-by: Sungjong Seo Signed-off-by: Namjae Jeon commit 33a86666d37ed44a7280adcc6ca293f7718507b2 Author: Yuezhang Mo Date: Fri Sep 6 14:55:53 2024 +0800 exfat: remove argument 'p_dir' from exfat_add_entry() The output of argument 'p_dir' of exfat_add_entry() is not used in either exfat_mkdir() or exfat_create(), remove the argument. Code refinement, no functional changes. Signed-off-by: Yuezhang Mo Reviewed-by: Aoyama Wataru Reviewed-by: Daniel Palmer Reviewed-by: Sungjong Seo Signed-off-by: Namjae Jeon commit 0891c7313d87a1b6baf7162bc2f0d755ce70383f Author: Yuezhang Mo Date: Fri Sep 13 18:02:39 2024 +0800 exfat: move exfat_chain_set() out of __exfat_resolve_path() __exfat_resolve_path() mixes two functions. The first one is to resolve and check if the path is valid. The second one is to output the cluster assigned to the directory. The second one is only needed when need to traverse the directory entries, and calling exfat_chain_set() so early causes p_dir to be passed as an argument multiple times, increasing the complexity of the code. This commit moves the call to exfat_chain_set() before traversing directory entries. Signed-off-by: Yuezhang Mo Reviewed-by: Aoyama Wataru Reviewed-by: Daniel Palmer Reviewed-by: Sungjong Seo Signed-off-by: Namjae Jeon commit ac844e91364a03c35838fd488437605fbe56f8c3 Author: Yuezhang Mo Date: Fri Sep 13 13:13:54 2024 +0800 exfat: add exfat_get_dentry_set_by_ei() helper This helper gets the directory entry set of the file for the exfat inode which has been created. It's used to remove all the instances of the pattern it replaces making the code cleaner, it's also a preparation for changing ->dir to record the cluster where the directory entry set is located and changing ->entry to record the index of the directory entry within the cluster. Signed-off-by: Yuezhang Mo Reviewed-by: Aoyama Wataru Reviewed-by: Daniel Palmer Reviewed-by: Sungjong Seo Signed-off-by: Namjae Jeon commit 06a2b0b3b490a6103376652c01c3ac6e8e22e654 Author: Yuezhang Mo Date: Fri Nov 15 09:43:10 2024 +0800 exfat: rename argument name for exfat_move_file and exfat_rename_file In this exfat implementation, the relationship between inode and ei is ei=EXFAT_I(inode). However, in the arguments of exfat_move_file() and exfat_rename_file(), argument 'inode' indicates the parent directory, but argument 'ei' indicates the target file to be renamed. They do not have the above relationship, which is not friendly to code readers. So this commit renames 'inode' to 'parent_inode', making the argument name match its role. Signed-off-by: Yuezhang Mo Reviewed-by: Sungjong Seo Signed-off-by: Namjae Jeon commit 30ef0e0d7ff5b6dceda19d18a85d9d72a4909784 Author: Yuezhang Mo Date: Thu Aug 8 15:37:13 2024 +0800 exfat: remove unnecessary read entry in __exfat_rename() To determine whether it is a directory, there is no need to read its directory entry, just use S_ISDIR(inode->i_mode). Signed-off-by: Yuezhang Mo Reviewed-by: Aoyama Wataru Reviewed-by: Daniel Palmer Reviewed-by: Sungjong Seo Signed-off-by: Namjae Jeon commit 2e94e5bb94a3e641a25716a560bf474225fda83c Author: Yuezhang Mo Date: Thu Oct 17 09:25:06 2024 +0800 exfat: fix file being changed by unaligned direct write Unaligned direct writes are invalid and should return an error without making any changes, rather than extending ->valid_size and then returning an error. Therefore, alignment checking is required before extending ->valid_size. Fixes: 11a347fb6cef ("exfat: change to get file size from DataLength") Signed-off-by: Yuezhang Mo Co-developed-by: Namjae Jeon Signed-off-by: Namjae Jeon commit 02dffe9ab092fc4c8800aee68cb7eafd37a980c4 Author: Namjae Jeon Date: Sat Oct 26 13:06:15 2024 +0900 exfat: fix uninit-value in __exfat_get_dentry_set There is no check if stream size and start_clu are invalid. If start_clu is EOF cluster and stream size is 4096, It will cause uninit value access. because ei->hint_femp.eidx could be 128(if cluster size is 4K) and wrong hint will allocate next cluster. and this cluster will be same with the cluster that is allocated by exfat_extend_valid_size(). The previous patch will check invalid start_clu, but for clarity, initialize hint_femp.eidx to zero. Cc: stable@vger.kernel.org Reported-by: syzbot+01218003be74b5e1213a@syzkaller.appspotmail.com Tested-by: syzbot+01218003be74b5e1213a@syzkaller.appspotmail.com Reviewed-by: Yuezhang Mo Signed-off-by: Namjae Jeon commit 184fa506e392eb78364d9283c961217ff2c0617b Author: Yuezhang Mo Date: Mon Oct 28 11:23:36 2024 +0800 exfat: fix out-of-bounds access of directory entries In the case of the directory size is greater than or equal to the cluster size, if start_clu becomes an EOF cluster(an invalid cluster) due to file system corruption, then the directory entry where ei->hint_femp.eidx hint is outside the directory, resulting in an out-of-bounds access, which may cause further file system corruption. This commit adds a check for start_clu, if it is an invalid cluster, the file or directory will be treated as empty. Cc: stable@vger.kernel.org Signed-off-by: Yuezhang Mo Co-developed-by: Namjae Jeon Signed-off-by: Namjae Jeon commit 0201710ba6308a61f1a775c418fe74b8a31ace08 Merge: 5c822c0ce5cc83 04337738629e80 Author: Dmitry Torokhov Date: Sun Nov 24 17:05:27 2024 -0800 Merge branch 'next' into for-linus Prepare input updates for 6.13 merge window. commit 9bb88c659673003453fd42e0ddf95c9628409094 Author: Jakub Kicinski Date: Tue Nov 19 14:44:32 2024 -0800 selftests: net: test extacks in netlink dumps Test that extacks in dumps work. The test fills up the receive buffer to test both the inline dump (as part of sendmsg()) and delayed one (run during recvmsg()). Use YNL helpers to parse the messages. We need to add the test to YNL file to make sure the right include path are used. Reviewed-by: Jacob Keller Link: https://patch.msgid.link/20241119224432.1713040-2-kuba@kernel.org Signed-off-by: Jakub Kicinski commit 3bf39fa849ab8ed52abb6715922e6102d3df9f97 Author: Jakub Kicinski Date: Tue Nov 19 14:44:31 2024 -0800 netlink: fix false positive warning in extack during dumps Commit under fixes extended extack reporting to dumps. It works under normal conditions, because extack errors are usually reported during ->start() or the first ->dump(), it's quite rare that the dump starts okay but fails later. If the dump does fail later, however, the input skb will already have the initiating message pulled, so checking if bad attr falls within skb->data will fail. Switch the check to using nlh, which is always valid. syzbot found a way to hit that scenario by filling up the receive queue. In this case we initiate a dump but don't call ->dump() until there is read space for an skb. WARNING: CPU: 1 PID: 5845 at net/netlink/af_netlink.c:2210 netlink_ack_tlv_fill+0x1a8/0x560 net/netlink/af_netlink.c:2209 RIP: 0010:netlink_ack_tlv_fill+0x1a8/0x560 net/netlink/af_netlink.c:2209 Call Trace: netlink_dump_done+0x513/0x970 net/netlink/af_netlink.c:2250 netlink_dump+0x91f/0xe10 net/netlink/af_netlink.c:2351 netlink_recvmsg+0x6bb/0x11d0 net/netlink/af_netlink.c:1983 sock_recvmsg_nosec net/socket.c:1051 [inline] sock_recvmsg+0x22f/0x280 net/socket.c:1073 __sys_recvfrom+0x246/0x3d0 net/socket.c:2267 __do_sys_recvfrom net/socket.c:2285 [inline] __se_sys_recvfrom net/socket.c:2281 [inline] __x64_sys_recvfrom+0xde/0x100 net/socket.c:2281 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7ff37dd17a79 Reported-by: syzbot+d4373fa8042c06cefa84@syzkaller.appspotmail.com Fixes: 8af4f60472fc ("netlink: support all extack types in dumps") Reviewed-by: Jacob Keller Link: https://patch.msgid.link/20241119224432.1713040-1-kuba@kernel.org Signed-off-by: Jakub Kicinski commit f164b296638d1eb1fb1c537e93ab5c8b49966546 Author: Guenter Roeck Date: Tue Nov 19 13:32:02 2024 -0800 net: microchip: vcap: Add typegroup table terminators in kunit tests VCAP API unit tests fail randomly with errors such as # vcap_api_iterator_init_test: EXPECTATION FAILED at drivers/net/ethernet/microchip/vcap/vcap_api_kunit.c:387 Expected 134 + 7 == iter.offset, but 134 + 7 == 141 (0x8d) iter.offset == 17214 (0x433e) # vcap_api_iterator_init_test: EXPECTATION FAILED at drivers/net/ethernet/microchip/vcap/vcap_api_kunit.c:388 Expected 5 == iter.reg_idx, but iter.reg_idx == 702 (0x2be) # vcap_api_iterator_init_test: EXPECTATION FAILED at drivers/net/ethernet/microchip/vcap/vcap_api_kunit.c:389 Expected 11 == iter.reg_bitpos, but iter.reg_bitpos == 15 (0xf) # vcap_api_iterator_init_test: pass:0 fail:1 skip:0 total:1 Comments in the code state that "A typegroup table ends with an all-zero terminator". Add the missing terminators. Some of the typegroups did have a terminator of ".offset = 0, .width = 0, .value = 0,". Replace those terminators with "{ }" (no trailing ',') for consistency and to excplicitly state "this is a terminator". Fixes: 67d637516fa9 ("net: microchip: sparx5: Adding KUNIT test for the VCAP API") Cc: Steen Hegelund Signed-off-by: Guenter Roeck Reviewed-by: Daniel Machon Reviewed-by: Jacob Keller Link: https://patch.msgid.link/20241119213202.2884639-1-linux@roeck-us.net Signed-off-by: Jakub Kicinski commit e863ff806f72098bccaf8fa89c80d9ad6187c3b0 Author: Oleksij Rempel Date: Mon Nov 18 15:03:51 2024 +0100 net: usb: lan78xx: Fix refcounting and autosuspend on invalid WoL configuration Validate Wake-on-LAN (WoL) options in `lan78xx_set_wol` before calling `usb_autopm_get_interface`. This prevents USB autopm refcounting issues and ensures the adapter can properly enter autosuspend when invalid WoL options are provided. Fixes: eb9ad088f966 ("lan78xx: Check for supported Wake-on-LAN modes") Signed-off-by: Oleksij Rempel Acked-by: Florian Fainelli Link: https://patch.msgid.link/20241118140351.2398166-1-o.rempel@pengutronix.de Signed-off-by: Jakub Kicinski commit 614f4d166eeeb9bd709b0ad29552f691c0f45776 Author: Pavan Chebbi Date: Mon Nov 18 21:57:41 2024 -0800 tg3: Set coherent DMA mask bits to 31 for BCM57766 chipsets The hardware on Broadcom 1G chipsets have a known limitation where they cannot handle DMA addresses that cross over 4GB. When such an address is encountered, the hardware sets the address overflow error bit in the DMA status register and triggers a reset. However, BCM57766 hardware is setting the overflow bit and triggering a reset in some cases when there is no actual underlying address overflow. The hardware team analyzed the issue and concluded that it is happening when the status block update has an address with higher (b16 to b31) bits as 0xffff following a previous update that had lowest bits as 0xffff. To work around this bug in the BCM57766 hardware, set the coherent dma mask from the current 64b to 31b. This will ensure that upper bits of the status block DMA address are always at most 0x7fff, thus avoiding the improper overflow check described above. This work around is intended for only status block and ring memories and has no effect on TX and RX buffers as they do not require coherent memory. Fixes: 72f2afb8a685 ("[TG3]: Add DMA address workaround") Reported-by: Salam Noureddine Reviewed-by: Kalesh AP Reviewed-by: Somnath Kotur Signed-off-by: Pavan Chebbi Reviewed-by: Michal Kubiak Link: https://patch.msgid.link/20241119055741.147144-1-pavan.chebbi@broadcom.com Signed-off-by: Jakub Kicinski commit 9b234a97b10cf1385d451a3824539b774abbcdaf Author: Eric Dumazet Date: Thu Nov 21 19:41:05 2024 +0000 rtnetlink: fix rtnl_dump_ifinfo() error path syzbot found that rtnl_dump_ifinfo() could return with a lock held [1] Move code around so that rtnl_link_ops_put() and put_net() can be called at the end of this function. [1] WARNING: lock held when returning to user space! 6.12.0-rc7-syzkaller-01681-g38f83a57aa8e #0 Not tainted syz-executor399/5841 is leaving the kernel with locks still held! 1 lock held by syz-executor399/5841: #0: ffffffff8f46c2a0 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline] #0: ffffffff8f46c2a0 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_read_lock include/linux/rcupdate.h:849 [inline] #0: ffffffff8f46c2a0 (&ops->srcu#2){.+.+}-{0:0}, at: rtnl_link_ops_get+0x22/0x250 net/core/rtnetlink.c:555 Fixes: 43c7ce69d28e ("rtnetlink: Protect struct rtnl_link_ops with SRCU.") Reported-by: syzbot Signed-off-by: Eric Dumazet Reviewed-by: Joe Damato Reviewed-by: Kuniyuki Iwashima Link: https://patch.msgid.link/20241121194105.3632507-1-edumazet@google.com Signed-off-by: Jakub Kicinski commit 078f644cb81b78afdfbc42b9cc2c11959f2ed65c Author: David Wei Date: Thu Nov 21 22:48:21 2024 -0800 selftests: fix nested double quotes in f-string Replace nested double quotes in f-string with outer single quotes. Fixes: 6116075e18f7 ("selftests: nic_link_layer: Add link layer selftest for NIC driver") Signed-off-by: David Wei Link: https://patch.msgid.link/20241122064821.2821199-1-dw@davidwei.uk Signed-off-by: Jakub Kicinski commit ae7370e61c5d8f5bcefc2d4fca724bd4e9bbf789 Author: Oleksij Rempel Date: Sat Nov 16 14:05:58 2024 +0100 net: usb: lan78xx: Fix memory leak on device unplug by freeing PHY device Add calls to `phy_device_free` after `fixed_phy_unregister` to fix a memory leak that occurs when the device is unplugged. This ensures proper cleanup of pseudo fixed-link PHYs. Fixes: 89b36fb5e532 ("lan78xx: Lan7801 Support for Fixed PHY") Cc: Raghuram Chary J Signed-off-by: Oleksij Rempel Link: https://patch.msgid.link/20241116130558.1352230-2-o.rempel@pengutronix.de Signed-off-by: Jakub Kicinski commit 03819abbeb11117dcbba40bfe322b88c0c88a6b6 Author: Oleksij Rempel Date: Sat Nov 16 14:05:57 2024 +0100 net: usb: lan78xx: Fix double free issue with interrupt buffer allocation In lan78xx_probe(), the buffer `buf` was being freed twice: once implicitly through `usb_free_urb(dev->urb_intr)` with the `URB_FREE_BUFFER` flag and again explicitly by `kfree(buf)`. This caused a double free issue. To resolve this, reordered `kmalloc()` and `usb_alloc_urb()` calls to simplify the initialization sequence and removed the redundant `kfree(buf)`. Now, `buf` is allocated after `usb_alloc_urb()`, ensuring it is correctly managed by `usb_fill_int_urb()` and freed by `usb_free_urb()` as intended. Fixes: a6df95cae40b ("lan78xx: Fix memory allocation bug") Cc: John Efstathiades Signed-off-by: Oleksij Rempel Link: https://patch.msgid.link/20241116130558.1352230-1-o.rempel@pengutronix.de Signed-off-by: Jakub Kicinski commit b7ed2b6f4e8d7f64649795e76ee9db67300de8eb Author: Asahi Lina Date: Sat Nov 23 19:29:38 2024 +0900 rust: alloc: Fix `ArrayLayout` allocations We were accidentally allocating a layout for the *square* of the object size due to a variable shadowing mishap. Fixes memory bloat and page allocation failures in drm/asahi. Reported-by: Janne Grunau Fixes: 9e7bbfa18276 ("rust: alloc: introduce `ArrayLayout`") Signed-off-by: Asahi Lina Acked-by: Danilo Krummrich Reviewed-by: Neal Gompa Link: https://lore.kernel.org/r/20241123-rust-fix-arraylayout-v1-1-197e64c95bd4@asahilina.net Signed-off-by: Miguel Ojeda commit b160dc46dd9af4001c802cc9c7d68b6ba58d27c4 Author: Miguel Ojeda Date: Sun Nov 17 14:31:27 2024 +0100 docs: rust: remove spurious item in `expect` list This list started as a "when to prefer `expect`" list, but at some point during writing I changed it to a "prefer `expect` unless..." one. However, the first bullet remained, which does not make sense anymore. Thus remove it. In addition, fix nearby typo. Fixes: 04866494e936 ("Documentation: rust: discuss `#[expect(...)]` in the guidelines") Reviewed-by: Alice Ryhl Reviewed-by: Andreas Hindborg Link: https://lore.kernel.org/r/20241117133127.473937-1-ojeda@kernel.org Signed-off-by: Miguel Ojeda commit 60fc1e6750133620e404d40b93df5afe32e3e6c6 Author: Miguel Ojeda Date: Sat Nov 16 19:15:37 2024 +0100 rust: allow `clippy::needless_lifetimes` In beta Clippy (i.e. Rust 1.83.0), the `needless_lifetimes` lint has been extended [1] to suggest eliding `impl` lifetimes, e.g. error: the following explicit lifetimes could be elided: 'a --> rust/kernel/list.rs:647:6 | 647 | impl<'a, T: ?Sized + ListItem, const ID: u64> FusedIterator for Iter<'a, T, ID> {} | ^^ ^^ | = help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#needless_lifetimes = note: `-D clippy::needless-lifetimes` implied by `-D warnings` = help: to override `-D warnings` add `#[allow(clippy::needless_lifetimes)]` help: elide the lifetimes | 647 - impl<'a, T: ?Sized + ListItem, const ID: u64> FusedIterator for Iter<'a, T, ID> {} 647 + impl, const ID: u64> FusedIterator for Iter<'_, T, ID> {} A possibility would have been to clean them -- the RFC patch [2] did this, while asking if we wanted these cleanups. There is an open issue [3] in Clippy about being able to differentiate some of the new cases, e.g. those that do not involve introducing `'_`. Thus it seems others feel similarly. Thus, for the time being, we decided to `allow` the lint. Link: https://github.com/rust-lang/rust-clippy/pull/13286 [1] Link: https://lore.kernel.org/rust-for-linux/20241012231300.397010-1-ojeda@kernel.org/ [2] Link: https://github.com/rust-lang/rust-clippy/issues/13514 [3] Reviewed-by: Alice Ryhl Reviewed-by: Andreas Hindborg Link: https://lore.kernel.org/r/20241116181538.369355-1-ojeda@kernel.org Signed-off-by: Miguel Ojeda commit 7f9e19f207be0c534d517d65e01417ba968cdd34 Author: Adam Young Date: Wed Nov 20 14:02:14 2024 -0500 mailbox: pcc: Check before sending MCTP PCC response ACK Type 4 PCC channels have an option to send back a response to the platform when they are done processing the request. The flag to indicate whether or not to respond is inside the message body, and thus is not available to the pcc mailbox. If the flag is not set, still set command completion bit after processing message. In order to read the flag, this patch maps the shared buffer to virtual memory. To avoid duplication of mapping the shared buffer is then made available to be used by the driver that uses the mailbox. Signed-off-by: Adam Young Cc: Sudeep Holla Signed-off-by: Jassi Brar commit 81f939db2a44d82d3709faa45cab727c8cf7fc27 Author: Uwe Kleine-König Date: Tue Nov 19 09:16:51 2024 +0100 mailbox: Switch back to struct platform_driver::remove() After commit 0edb555a65d1 ("platform: Make platform_driver::remove() return void") .remove() is (again) the right callback to implement for platform drivers. Convert all platform drivers below drivers/mailbox to use .remove(), with the eventual goal to drop struct platform_driver::remove_new(). As .remove() and .remove_new() have the same prototypes, conversion is done by just changing the structure member name in the driver initializer. Make a few indentions consistent while touching these struct initializers. Signed-off-by: Uwe Kleine-König Reviewed-by: AngeloGioacchino Del Regno Acked-by: Chen-Yu Tsai Signed-off-by: Jassi Brar commit e52673554cf2cd94472be0b3cade4d0eb771dfb1 Author: zhang jiao Date: Fri Nov 15 09:18:46 2024 +0800 mailbox: imx: Modify the incorrect format specifier Replace %i with %u in snprintf() because it is "unsigned int". Signed-off-by: zhang jiao Reviewed-by: Frank Li Signed-off-by: Jassi Brar commit 192a16a3430ca459c4e986f3d10758c4d6b1aa29 Author: Dan Carpenter Date: Thu Nov 14 12:00:12 2024 +0300 mailbox: arm_mhuv2: clean up loop in get_irq_chan_comb() Both the inner and outer loops in this code use the "i" iterator. The inner loop should really use a different iterator. It doesn't affect things in practice because the data comes from the device tree. The "protocol" and "windows" variables are going to be zero. That means we're always going to hit the "return &chans[channel];" statement and we're not going to want to iterate through the outer loop again. Still it's worth fixing this for future use cases. Fixes: 5a6338cce9f4 ("mailbox: arm_mhuv2: Add driver") Signed-off-by: Dan Carpenter Acked-by: Viresh Kumar Signed-off-by: Jassi Brar commit 98fc87fe2937db5a4948c553f69b5a3cc94c230a Author: Tanmay Shah Date: Tue Nov 12 09:06:12 2024 -0800 mailbox: zynqmp: setup IPI for each valid child node As per zynqmp-ipi bindings, zynqmp IPI node can have multiple child nodes. Current IPI setup function is set only for first child node. If IPI node has multiple child nodes in the device-tree, then IPI setup fails for child nodes other than first child node. In such case kernel will crash. Fix this crash by registering IPI setup function for each available child node. Signed-off-by: Tanmay Shah Signed-off-by: Jassi Brar commit b2cf36e4a2ac7a7a35e0e7025a6897e4e4fcf4f3 Author: Michal Wilczynski Date: Mon Nov 4 11:07:33 2024 +0100 dt-bindings: mailbox: Add thead,th1520-mailbox bindings Add bindings for the mailbox controller. This work is based on the vendor kernel. [1] Link: https://github.com/revyos/thead-kernel.git [1] Signed-off-by: Michal Wilczynski Reviewed-by: Krzysztof Kozlowski Signed-off-by: Jassi Brar commit 5d4d263e1c6b6b18acb4d67fd3b9af71b7404924 Author: Michal Wilczynski Date: Mon Nov 4 11:07:32 2024 +0100 mailbox: Introduce support for T-head TH1520 Mailbox driver This driver was tested using the drm/imagination GPU driver. It was able to successfully power on the GPU, by passing a command through mailbox from E910 core to E902 that's responsible for powering up the GPU. The GPU driver was able to read the BVNC version from control registers, which confirms it was successfully powered on. [ 33.957467] powervr ffef400000.gpu: [drm] loaded firmware powervr/rogue_36.52.104.182_v1.fw [ 33.966008] powervr ffef400000.gpu: [drm] FW version v1.0 (build 6621747 OS) [ 38.978542] powervr ffef400000.gpu: [drm] *ERROR* Firmware failed to boot Though the driver still fails to boot the firmware, the mailbox driver works when used with the not-yet-upstreamed firmware AON driver. There is ongoing work to get the BXM-4-64 supported with the drm/imagination driver [1], though it's not completed yet. This work is based on the driver from the vendor kernel [2]. Link: https://gitlab.freedesktop.org/imagination/linux-firmware/-/issues/2 [1] Link: https://github.com/revyos/thead-kernel.git [2] Signed-off-by: Michal Wilczynski Signed-off-by: Jassi Brar commit 271ee263cc8771982809185007181ca10346fe73 Author: Yang Yingliang Date: Tue Oct 29 21:16:28 2024 +0800 mailbox: mtk-cmdq: fix wrong use of sizeof in cmdq_get_clocks() It should be size of the struct clk_bulk_data, not data pointer pass to devm_kcalloc(). Fixes: aa1609f571ca ("mailbox: mtk-cmdq: Dynamically allocate clk_bulk_data structure") Signed-off-by: Yang Yingliang Signed-off-by: Jassi Brar commit f8809b1f48531b2698a2c10ac874eb35222b4cc1 Author: Krzysztof Kozlowski Date: Tue Oct 22 08:42:38 2024 +0200 dt-bindings: mailbox: qcom-ipcc: Add SM8750 Document compatible for Qualcomm SM8750 SoC IPCC, compatible with existing generic fallback. Signed-off-by: Krzysztof Kozlowski Acked-by: Conor Dooley Signed-off-by: Jassi Brar commit cba781d79df85282041b2066df4d653b62157ad8 Author: Krzysztof Kozlowski Date: Thu Oct 17 11:14:47 2024 +0200 dt-bindings: mailbox: qcom,apcs-kpss-global: correct expected clocks for fallbacks Commit 1e9cb7e007dc ("dt-bindings: mailbox: qcom,apcs-kpss-global: use fallbacks") and commit 34d8775a0edc ("dt-bindings: mailbox: qcom,apcs-kpss-global: use fallbacks for few variants") added fallbacks to few existing compatibles. Neither devices with these existing compatibles nor devices using fallbacks alone, have clocks, so the "if:then:" block defining this constrain should be written as "contains:". Signed-off-by: Krzysztof Kozlowski Acked-by: Rob Herring (Arm) Signed-off-by: Jassi Brar commit 71987bc9225252e5f9de020042eca2fd22f71f32 Author: Dmitry Baryshkov Date: Thu Oct 17 21:17:23 2024 +0300 dt-bindings: mailbox: qcom-ipcc: Add SAR2130P compatible Document compatible for the IPCC mailbox controller on SAR2130P platform. Signed-off-by: Dmitry Baryshkov Acked-by: Krzysztof Kozlowski Acked-by: Manivannan Sadhasivam Signed-off-by: Jassi Brar commit ff391d4537585912032eaf7722ca235228660787 Author: Andrew Davis Date: Tue Oct 15 16:33:22 2024 -0500 mailbox: ti-msgmgr: Allow building under COMPILE_TEST The TI message manager driver can be compiled without ARCH_KEYSTONE nor ARCH_K3 enabled. Allow it to be built under COMPILE_TEST. Signed-off-by: Andrew Davis Acked-by: Arnd Bergmann Reviewed-by: Nishanth Menon Signed-off-by: Jassi Brar commit ad55c5c00ff9aac1ee0e7f6ca1205bfa79789d0b Author: Andrew Davis Date: Tue Oct 15 16:33:21 2024 -0500 mailbox: ti-msgmgr: Remove use of of_match_ptr() helper When OF support is disabled the of_device_id struct match table can be conditionally compiled out, this helper allows the assignment to also be turned into a NULL conditionally. When the of_device_id struct is not conditionally defined based on OF then the table will be unused causing a warning. The two options are to either set the table as _maybe_unused, or to just remove this helper since the table will always be defined. Do the latter here. Signed-off-by: Andrew Davis Acked-by: Arnd Bergmann Reviewed-by: Nishanth Menon Signed-off-by: Jassi Brar commit bfa0e78da8ef59bac5db664bcf9b5662940d928d Author: Sibi Sankar Date: Wed Oct 30 18:25:12 2024 +0530 mailbox: qcom-cpucp: Mark the irq with IRQF_NO_SUSPEND flag The qcom-cpucp mailbox irq is expected to function during suspend-resume cycle particularly when the scmi cpufreq driver can query the current frequency using the get_level message after the cpus are brought up during resume. Hence mark the irq with IRQF_NO_SUSPEND flag to fix the do_xfer failures we see during resume. Err Logs: arm-scmi firmware:scmi: timed out in resp(caller:do_xfer+0x164/0x568) cpufreq: cpufreq_online: ->get() failed Reported-by: Johan Hovold Closes: https://lore.kernel.org/lkml/ZtgFj1y5ggipgEOS@hovoldconsulting.com/ Fixes: 0e2a9a03106c ("mailbox: Add support for QTI CPUCP mailbox controller") Signed-off-by: Sibi Sankar Reviewed-by: Konrad Dybcio Tested-by: Johan Hovold Signed-off-by: Jassi Brar commit 08fb6d8ff900a1d06ef2f4a6ded45cdaa7140c01 Author: Sakari Ailus Date: Fri Oct 4 12:41:23 2024 +0300 mailbox: mtk-cmdq-mailbox: Switch to __pm_runtime_put_autosuspend() pm_runtime_put_autosuspend() will soon be changed to include a call to pm_runtime_mark_last_busy(). This patch switches the current users to __pm_runtime_put_autosuspend() which will continue to have the functionality of old pm_runtime_put_autosuspend(). Signed-off-by: Sakari Ailus Reviewed-by: Matthias Brugger Signed-off-by: Jassi Brar commit a4123ffab9ece0c2d3d5c460724d49c4051fd279 Author: Conor Dooley Date: Wed Oct 2 11:48:00 2024 +0100 mailbox: mpfs: support new, syscon based, devicetree configuration The two previous bindings for this hardware were incorrect, as the control/status and interrupt register regions should have been described as syscons and dealt with via regmap in the driver. Add support for accessing these registers using that method now, so that the hwmon driver can be supported without using auxdev or hacks with io_remap(). Signed-off-by: Conor Dooley Signed-off-by: Jassi Brar commit 8edd00b06f21800c547a9fc3a4cf83dc084fd104 Author: Conor Dooley Date: Wed Oct 2 11:47:59 2024 +0100 dt-bindings: mailbox: mpfs: fix reg properties When the binding for this was originally written, and later modified, mistakes were made - and the precise nature of the later modification should have been a giveaway, but alas I was naive at the time. A more correct modelling of the hardware is to use two syscons and have a single reg entry for the mailbox, containing the mailbox region. The two syscons contain the general control/status registers for the mailbox and the interrupt related registers respectively. The reason for two syscons is that the same mailbox is present on the non-SoC version of the FPGA, which has no interrupt controller, and the shared part of the rtl was unchanged between devices. This is now coming to a head, because the control/status registers share a register region with the "tvs" (temperature & voltage sensors) registers and, as it turns out, people do want to monitor temperatures and voltages... Signed-off-by: Conor Dooley Acked-by: Rob Herring (Arm) Signed-off-by: Jassi Brar commit ff123eb7741638d55abf82fac090bb3a543c1e74 Author: Vasily Gorbik Date: Fri Nov 22 13:41:33 2024 +0100 s390/mm: Allow large pages for KASAN shadow mapping Commit c98d2ecae08f ("s390/mm: Uncouple physical vs virtual address spaces") introduced a large_allowed() helper that restricts which mapping modes can use large pages. This change unintentionally prevented KASAN shadow mappings from using large pages, despite there being no reason to avoid them. In fact, large pages are preferred for performance. Add POPULATE_KASAN_MAP_SHADOW to the allowed list in large_allowed() to restore large page mappings for KASAN shadows. While large_allowed() isn't strictly necessary with current mapping modes since disallowed modes either don't map anything or fail alignment and size checks, keep it for clarity. Fixes: c98d2ecae08f ("s390/mm: Uncouple physical vs virtual address spaces") Acked-by: Alexander Gordeev Signed-off-by: Vasily Gorbik Signed-off-by: Heiko Carstens commit 9de3e4bf6cfbcb62e9ec658e3b291cd479018b43 Author: Heiko Carstens Date: Thu Nov 21 12:41:08 2024 +0100 s390: Add ARCH_HAS_PREEMPT_LAZY support Just add the required TIF bit for ARCH_HAS_PREEMPT_LAZY support. Shuffle TIF bits to get TIF_NEED_RESCHED_LAZY next to TIF_NEED_RESCHED. Signed-off-by: Heiko Carstens commit 546d7bd47973790073b824d69ee59440337b407b Author: Heiko Carstens Date: Thu Nov 21 12:41:07 2024 +0100 s390: Add missing _TIF defines Add missing _TIF defines so that for every TIF bit its corresponding _TIF mask exists. Sort the _TIF list to match the TIF order. Also remove two leftover comments from the pre generic entry time. Signed-off-by: Heiko Carstens commit 998b5a78a9ce1cc4378e7281e4ea310e37596170 Author: Aleksa Savic Date: Sun Nov 24 16:27:24 2024 +0100 hwmon: (aquacomputer_d5next) Fix length of speed_input array Commit 120584c728a6 ("hwmon: (aquacomputer_d5next) Add support for Octo flow sensor") added support for reading Octo flow sensor, but didn't update the priv->speed_input array length. Since Octo has 8 fans, with the addition of the flow sensor the proper length for speed_input is 9. Reported by Arne Schwabe on Github [1], who received a UBSAN warning. Fixes: 120584c728a6 ("hwmon: (aquacomputer_d5next) Add support for Octo flow sensor") Closes: https://github.com/aleksamagicka/aquacomputer_d5next-hwmon/issues/100 [1] Reported-by: Arne Schwabe Signed-off-by: Aleksa Savic Message-ID: <20241124152725.7205-1-savicaleksa83@gmail.com> Signed-off-by: Guenter Roeck commit 16470f60666618830cb9f0b8dfafd34a838c6dbd Author: Brendan Higgins Date: Fri Nov 15 04:43:03 2024 +0000 MAINTAINERS: transfer i2c-aspeed maintainership from Brendan to Ryan Remove Brendan Higgins from i2c-aspeed entry and replace with Ryan Chen . Signed-off-by: Brendan Higgins Acked-by: Ryan Chen Signed-off-by: Andi Shyti Signed-off-by: Wolfram Sang commit 61ab42c7f32d6d881a62e5cf76c46f95cb7ca2bd Author: Michael Wu Date: Thu Oct 3 19:15:24 2024 +0800 i2c: designware: determine HS tHIGH and tLOW based on HW parameters In commit 35eba185fd1a ("i2c: designware: Calculate SCL timing parameter for High Speed Mode") the SCL high period count and low period count for high speed mode are calculated based on fixed tHIGH = 160 and tLOW = 120. However, the set of two fixed values is only applicable to the combination of hardware parameters IC_CAP_LOADING is 400 and IC_CLK_FREQ_OPTIMIZATION is true. Outside of this combination, the SCL frequency may not reach 3.4 MHz because the fixed tHIGH and tLOW are not small enough. If IC_CAP_LOADING is 400, it means the bus capacitance is 400pF; Otherwise, 100 pF. If IC_CLK_FREQ_OPTIMIZATION is true, it means that the hardware reduces its internal clock frequency by reducing the internal latency required to generate the high period and low period of the SCL line. Section 3.15.4.5 in DesignWare DW_apb_i2b Databook v2.03 says that when IC_CLK_FREQ_OPTIMIZATION = 0, MIN_SCL_HIGHtime = 60 ns for 3.4 Mbps, bus loading = 100pF = 120 ns for 3.4 Mbps, bus loading = 400pF MIN_SCL_LOWtime = 160 ns for 3.4 Mbps, bus loading = 100pF = 320 ns for 3.4 Mbps, bus loading = 400pF and section 3.15.4.6 says that when IC_CLK_FREQ_OPTIMIZATION = 1, MIN_SCL_HIGHtime = 60 ns for 3.4 Mbps, bus loading = 100pF = 160 ns for 3.4 Mbps, bus loading = 400pF MIN_SCL_LOWtime = 120 ns for 3.4 Mbps, bus loading = 100pF = 320 ns for 3.4 Mbps, bus loading = 400pF In order to calculate more accurate SCL high period count and low period count for high speed mode, two hardware parameters IC_CAP_LOADING and IC_CLK_FREQ_OPTIMIZATION must be considered together. Since there're no registers controlliing these these two hardware parameters, users can declare them in the device tree so that the driver can obtain them. Signed-off-by: Michael Wu Reviewed-by: Andy Shevchenko Acked-by: Jarkko Nikula Signed-off-by: Andi Shyti Signed-off-by: Wolfram Sang commit bbc89a6e837f291e7ad04cea50915c71110e781a Author: Michael Wu Date: Thu Oct 3 19:15:23 2024 +0800 dt-bindings: i2c: snps,designware-i2c: declare bus capacitance and clk freq optimized Since there are no registers controlling the hardware parameters IC_CAP_LOADING and IC_CLK_FREQ_OPTIMIZATION, their values can only be declared in the device tree. snps,bus-capacitance-pf indicates the bus capacitance in picofarads (pF). It affects the high and low pulse width of SCL line in high speed mode. The legal values for this property are 100 and 400 only, and default value is 100. This property corresponds to IC_CAP_LOADING. snps,clk-freq-optimized indicates whether the hardware reduce its internal clock frequency by reducing the internal latency required to generate the high period and low period of SCL line. This property corresponds to IC_CLK_FREQ_OPTIMIZATION. The driver can calculate the high period count and low period count of SCL line for high speed mode based on these two properties. Signed-off-by: Michael Wu Reviewed-by: Krzysztof Kozlowski Signed-off-by: Andi Shyti Signed-off-by: Wolfram Sang commit 4fb1b640d68dba271e6b580582ac5c1381c6157a Author: Théo Lebrun Date: Wed Oct 9 16:01:12 2024 +0200 i2c: nomadik: support >=1MHz speed modes - BRCR value must go into the BRCR1 field when in high-speed mode. It goes into BRCR2 otherwise. - Remove fallback to standard mode if priv->sm > I2C_FREQ_MODE_FAST. - Set SM properly in probe; previously it only checked STANDARD versus FAST. Now we set STANDARD, FAST, FAST_PLUS or HIGH_SPEED. - Remove all comment sections saying we only support low-speeds. Reviewed-by: Linus Walleij Signed-off-by: Théo Lebrun Signed-off-by: Andi Shyti Signed-off-by: Wolfram Sang commit 16674c8c488ec40cbf15806658a22a68bb15a810 Author: Théo Lebrun Date: Wed Oct 9 16:01:11 2024 +0200 i2c: nomadik: fix BRCR computation Current BRCR computation is: brcr = floor(i2cclk / (clkfreq * div)) With brcr: "baud rate counter", an internal clock divider, and i2cclk: input clock rate (24MHz, 38.4MHz or 48MHz), and clkfreq: desired bus rate, and div: speed-mode dependent divider (2 for standard, 3 otherwise). Assume i2cclk=48MHz, clkfreq=3.4MHz, div=3, then brcr = floor(48MHz / (3.4MHz * 3)) = 4 and resulting bus rate = 48MHz / (4 * 3) = 4MHz Assume i2cclk=38.4MHz, clkfreq=1.0MHz, div=3, then brcr = floor(38.4MHz / (1.0MHz * 3)) = 12 and resulting bus rate = 38.4MHz / (12 * 3) = 1066kHz The current computation means we always pick the smallest divider that gives a bus rate above target. We should instead pick the largest divider that gives a bus rate below target, using: brcr = floor(i2cclk / (clkfreq * div)) + 1 If we redo the above examples: Assume i2cclk=48MHz, clkfreq=3.4MHz, div=3, then brcr = floor(48MHz / (3.4MHz * 3)) + 1 = 5 and resulting bus rate = 48MHz / (5 * 3) = 3.2MHz Assume i2cclk=38.4MHz, clkfreq=1.0MHz, div=3, then brcr = floor(38.4MHz / (1.0MHz * 3)) + 1 = 13 and resulting bus rate = 38.4MHz / (13 * 3) = 985kHz In kernel C code, floor(x) is DIV_ROUND_DOWN() and, floor(x)+1 is DIV_ROUND_UP(). This is much less of an issue with slower bus rates (ie those currently supported), because the gap from one divider to the next is much smaller. It however keeps us from always using bus rates superior to the target. This fix is required for later on supporting faster bus rates: I2C_FREQ_MODE_FAST_PLUS (1MHz) and I2C_FREQ_MODE_HIGH_SPEED (3.4MHz). Signed-off-by: Théo Lebrun Reviewed-by: Linus Walleij Signed-off-by: Andi Shyti Signed-off-by: Wolfram Sang commit 814a3225f4e9b3631369029ed5ecf35e7a2999bc Author: Théo Lebrun Date: Wed Oct 9 16:01:10 2024 +0200 i2c: nomadik: support Mobileye EyeQ6H I2C controller Add EyeQ6H support to the nmk-i2c AMBA driver. It shares the same quirk as EyeQ5: the memory bus only supports 32-bit accesses. Avoid writeb() and readb() by reusing the same `priv->has_32b_bus` flag. It does NOT need to write speed-mode specific value into a register; therefore it does not depend on the mobileye,olb DT property. Reviewed-by: Linus Walleij Signed-off-by: Théo Lebrun Signed-off-by: Andi Shyti Signed-off-by: Wolfram Sang commit a0d15cc47f29be6d588fa55bdbe116c26549178d Author: Théo Lebrun Date: Wed Oct 9 16:01:09 2024 +0200 i2c: nomadik: switch from of_device_is_compatible() to of_match_device() Compatible-specific behavior is implemented using a if-condition on the return value from of_device_is_compatible(), from probe. It does not scale well when compatible number increases. Switch to using a match table and a call to of_match_device(). We DO NOT attach a .of_match_table field to our amba driver, as we do not use the table to match our driver to devices. Sort probe variable declarations in reverse christmas tree to try and introduce some logic into the ordering. Reviewed-by: Linus Walleij Signed-off-by: Théo Lebrun Signed-off-by: Andi Shyti Signed-off-by: Wolfram Sang commit 54202106c0fe23693c5e9e81e7587ce89e6dd182 Author: Théo Lebrun Date: Wed Oct 9 16:01:08 2024 +0200 dt-bindings: i2c: nomadik: support 400kHz < clock-frequency <= 3.4MHz Hardware is not limited to 400kHz, its documentation does mention how to configure it for high-speed (a specific Speed-Mode enum value and a different bus rate clock divider register to be used). Reviewed-by: Linus Walleij Signed-off-by: Théo Lebrun Reviewed-by: Rob Herring (Arm) Signed-off-by: Andi Shyti Signed-off-by: Wolfram Sang commit 2eec351eed02da9955ac7a79dd9481f61c355c9a Author: Théo Lebrun Date: Wed Oct 9 16:01:07 2024 +0200 dt-bindings: i2c: nomadik: add mobileye,eyeq6h-i2c bindings After EyeQ5, it is time for Mobileye EyeQ6H to reuse the Nomadik I2C controller. Add a specific compatible because its HW integration is slightly different from EyeQ5. Do NOT add an example as it looks like EyeQ5 from a DT standpoint (without the mobileye,olb property). Reviewed-by: Linus Walleij Signed-off-by: Théo Lebrun Reviewed-by: Rob Herring (Arm) Signed-off-by: Andi Shyti Signed-off-by: Wolfram Sang commit efdc7828b7cc8cb8a1c2a83ff6f7741ca055b1b1 Author: Andre Przywara Date: Mon Nov 11 01:30:24 2024 +0000 dt-bindings: i2c: mv64xxx: Add Allwinner A523 compatible string The I2C controller IP used in the Allwinner A523/T527 SoCs is compatible with the ones used in the other recent Allwinner SoCs. Add the A523 specific compatible string to the list of existing names falling back to the allwinner,sun8i-v536-i2c string. Signed-off-by: Andre Przywara Acked-by: Conor Dooley Signed-off-by: Andi Shyti Signed-off-by: Wolfram Sang commit 7c3a833a1da6ab1e29fcb4740edf770aea816c6f Author: Yoshihiro Furudera Date: Thu Oct 24 07:15:53 2024 +0000 i2c: designware: Add ACPI HID for DWAPB I2C controller on FUJITSU-MONAKA Enable DWAPB I2C controller support on FUJITSU-MONAKA. This will be used in the FUJITSU-MONAKA server scheduled for shipment in 2027. The DSDT information obtained when verified using an in-house simulator is presented below. Device (SMB0) { Name (_HID, "FUJI200B") // _HID: Hardware ID Name (_UID, Zero) // _UID: Unique ID ... Name (_CRS, ResourceTemplate () { Memory32Fixed (ReadWrite, 0x2A4B0000, // Address Base 0x00010000, // Address Length ) Interrupt (ResourceConsumer, Level, ActiveHigh, Exclusive, ,, ) { 0x00000159, } }) ... } The expression SMB0 is used to indicate SMBus HC#0, a string of up to four characters. Created the SMB0 object according to the following specifications: ACPI Specification 13.2. Accessing the SMBus from ASL Code https://uefi.org/htmlspecs/ACPI_Spec_6_4_html/13_ACPI_System_Mgmt_Bus_Interface_Spec/accessing-the-smbus-from-asl-code.html IPMI Specification Example 4: SSIF Interface(P574) https://www.intel.co.jp/content/www/jp/ja/products/docs/servers/ipmi/ipmi-second-gen-interface-spec-v2-rev1-1.html Signed-off-by: Yoshihiro Furudera Reviewed-by: Andy Shevchenko Acked-by: Jarkko Nikula Signed-off-by: Andi Shyti Signed-off-by: Wolfram Sang commit 50b9d43e6ceaaaa59c54c95aca5f8dfc862fe48e Author: Bartosz Golaszewski Date: Tue Oct 8 18:09:47 2024 +0200 i2c: qup: use generic device property accessors There's no reason for this driver to use OF-specific property helpers. Drop the last one in favor of the generic variant and no longer include of.h. Signed-off-by: Bartosz Golaszewski Reviewed-by: Neil Armstrong Signed-off-by: Andi Shyti Signed-off-by: Wolfram Sang commit f26a29a038ee3982099e867bec2260576a19720f Author: Heiner Kallweit Date: Sat Nov 16 21:52:15 2024 +0100 net: phy: ensure that genphy_c45_an_config_eee_aneg() sees new value of phydev->eee_cfg.eee_enabled This is a follow-up to 41ffcd95015f ("net: phy: fix phylib's dual eee_enabled") and resolves an issue with genphy_c45_an_config_eee_aneg() (called from genphy_c45_ethtool_set_eee) not seeing the new value of phydev->eee_cfg.eee_enabled. Fixes: 49168d1980e2 ("net: phy: Add phy_support_eee() indicating MAC support EEE") Signed-off-by: Heiner Kallweit Reported-by: Choong Yong Liang Reviewed-by: Russell King (Oracle) Signed-off-by: David S. Miller commit 9d5ce1aa91db1b9dec9e06128b1ba241aeb004c2 Author: Li Zhijian Date: Fri Nov 22 15:36:00 2024 +0800 selftests/alsa: Add a few missing gitignore files Compiled binary files should be added to .gitignore 'git status' complains: Untracked files: (use "git add ..." to include in what will be committed) alsa/global-timer alsa/utimer-test Cc: Mark Brown Cc: Jaroslav Kysela Cc: Takashi Iwai Cc: Shuah Khan Signed-off-by: Li Zhijian Link: https://patch.msgid.link/20241122073600.1530791-1-lizhijian@fujitsu.com Signed-off-by: Takashi Iwai commit 9f16d5e6f220661f73b36a4be1b21575651d8833 Merge: 42d9e8b7ccddee 9ee62c33c0fe01 Author: Linus Torvalds Date: Sat Nov 23 16:00:50 2024 -0800 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm Pull kvm updates from Paolo Bonzini: "The biggest change here is eliminating the awful idea that KVM had of essentially guessing which pfns are refcounted pages. The reason to do so was that KVM needs to map both non-refcounted pages (for example BARs of VFIO devices) and VM_PFNMAP/VM_MIXMEDMAP VMAs that contain refcounted pages. However, the result was security issues in the past, and more recently the inability to map VM_IO and VM_PFNMAP memory that _is_ backed by struct page but is not refcounted. In particular this broke virtio-gpu blob resources (which directly map host graphics buffers into the guest as "vram" for the virtio-gpu device) with the amdgpu driver, because amdgpu allocates non-compound higher order pages and the tail pages could not be mapped into KVM. This requires adjusting all uses of struct page in the per-architecture code, to always work on the pfn whenever possible. The large series that did this, from David Stevens and Sean Christopherson, also cleaned up substantially the set of functions that provided arch code with the pfn for a host virtual addresses. The previous maze of twisty little passages, all different, is replaced by five functions (__gfn_to_page, __kvm_faultin_pfn, the non-__ versions of these two, and kvm_prefetch_pages) saving almost 200 lines of code. ARM: - Support for stage-1 permission indirection (FEAT_S1PIE) and permission overlays (FEAT_S1POE), including nested virt + the emulated page table walker - Introduce PSCI SYSTEM_OFF2 support to KVM + client driver. This call was introduced in PSCIv1.3 as a mechanism to request hibernation, similar to the S4 state in ACPI - Explicitly trap + hide FEAT_MPAM (QoS controls) from KVM guests. As part of it, introduce trivial initialization of the host's MPAM context so KVM can use the corresponding traps - PMU support under nested virtualization, honoring the guest hypervisor's trap configuration and event filtering when running a nested guest - Fixes to vgic ITS serialization where stale device/interrupt table entries are not zeroed when the mapping is invalidated by the VM - Avoid emulated MMIO completion if userspace has requested synchronous external abort injection - Various fixes and cleanups affecting pKVM, vCPU initialization, and selftests LoongArch: - Add iocsr and mmio bus simulation in kernel. - Add in-kernel interrupt controller emulation. - Add support for virtualization extensions to the eiointc irqchip. PPC: - Drop lingering and utterly obsolete references to PPC970 KVM, which was removed 10 years ago. - Fix incorrect documentation references to non-existing ioctls RISC-V: - Accelerate KVM RISC-V when running as a guest - Perf support to collect KVM guest statistics from host side s390: - New selftests: more ucontrol selftests and CPU model sanity checks - Support for the gen17 CPU model - List registers supported by KVM_GET/SET_ONE_REG in the documentation x86: - Cleanup KVM's handling of Accessed and Dirty bits to dedup code, improve documentation, harden against unexpected changes. Even if the hardware A/D tracking is disabled, it is possible to use the hardware-defined A/D bits to track if a PFN is Accessed and/or Dirty, and that removes a lot of special cases. - Elide TLB flushes when aging secondary PTEs, as has been done in x86's primary MMU for over 10 years. - Recover huge pages in-place in the TDP MMU when dirty page logging is toggled off, instead of zapping them and waiting until the page is re-accessed to create a huge mapping. This reduces vCPU jitter. - Batch TLB flushes when dirty page logging is toggled off. This reduces the time it takes to disable dirty logging by ~3x. - Remove the shrinker that was (poorly) attempting to reclaim shadow page tables in low-memory situations. - Clean up and optimize KVM's handling of writes to MSR_IA32_APICBASE. - Advertise CPUIDs for new instructions in Clearwater Forest - Quirk KVM's misguided behavior of initialized certain feature MSRs to their maximum supported feature set, which can result in KVM creating invalid vCPU state. E.g. initializing PERF_CAPABILITIES to a non-zero value results in the vCPU having invalid state if userspace hides PDCM from the guest, which in turn can lead to save/restore failures. - Fix KVM's handling of non-canonical checks for vCPUs that support LA57 to better follow the "architecture", in quotes because the actual behavior is poorly documented. E.g. most MSR writes and descriptor table loads ignore CR4.LA57 and operate purely on whether the CPU supports LA57. - Bypass the register cache when querying CPL from kvm_sched_out(), as filling the cache from IRQ context is generally unsafe; harden the cache accessors to try to prevent similar issues from occuring in the future. The issue that triggered this change was already fixed in 6.12, but was still kinda latent. - Advertise AMD_IBPB_RET to userspace, and fix a related bug where KVM over-advertises SPEC_CTRL when trying to support cross-vendor VMs. - Minor cleanups - Switch hugepage recovery thread to use vhost_task. These kthreads can consume significant amounts of CPU time on behalf of a VM or in response to how the VM behaves (for example how it accesses its memory); therefore KVM tried to place the thread in the VM's cgroups and charge the CPU time consumed by that work to the VM's container. However the kthreads did not process SIGSTOP/SIGCONT, and therefore cgroups which had KVM instances inside could not complete freezing. Fix this by replacing the kthread with a PF_USER_WORKER thread, via the vhost_task abstraction. Another 100+ lines removed, with generally better behavior too like having these threads properly parented in the process tree. - Revert a workaround for an old CPU erratum (Nehalem/Westmere) that didn't really work; there was really nothing to work around anyway: the broken patch was meant to fix nested virtualization, but the PERF_GLOBAL_CTRL MSR is virtualized and therefore unaffected by the erratum. - Fix 6.12 regression where CONFIG_KVM will be built as a module even if asked to be builtin, as long as neither KVM_INTEL nor KVM_AMD is 'y'. x86 selftests: - x86 selftests can now use AVX. Documentation: - Use rST internal links - Reorganize the introduction to the API document Generic: - Protect vcpu->pid accesses outside of vcpu->mutex with a rwlock instead of RCU, so that running a vCPU on a different task doesn't encounter long due to having to wait for all CPUs become quiescent. In general both reads and writes are rare, but userspace that supports confidential computing is introducing the use of "helper" vCPUs that may jump from one host processor to another. Those will be very happy to trigger a synchronize_rcu(), and the effect on performance is quite the disaster" * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: (298 commits) KVM: x86: Break CONFIG_KVM_X86's direct dependency on KVM_INTEL || KVM_AMD KVM: x86: add back X86_LOCAL_APIC dependency Revert "KVM: VMX: Move LOAD_IA32_PERF_GLOBAL_CTRL errata handling out of setup_vmcs_config()" KVM: x86: switch hugepage recovery thread to vhost_task KVM: x86: expose MSR_PLATFORM_INFO as a feature MSR x86: KVM: Advertise CPUIDs for new instructions in Clearwater Forest Documentation: KVM: fix malformed table irqchip/loongson-eiointc: Add virt extension support LoongArch: KVM: Add irqfd support LoongArch: KVM: Add PCHPIC user mode read and write functions LoongArch: KVM: Add PCHPIC read and write functions LoongArch: KVM: Add PCHPIC device support LoongArch: KVM: Add EIOINTC user mode read and write functions LoongArch: KVM: Add EIOINTC read and write functions LoongArch: KVM: Add EIOINTC device support LoongArch: KVM: Add IPI user mode read and write function LoongArch: KVM: Add IPI read and write function LoongArch: KVM: Add IPI device support LoongArch: KVM: Add iocsr and mmio bus simulation in kernel KVM: arm64: Pass on SVE mapping failures ... commit ef0d4186083127d2f99ed04e051fd94ba061d253 Author: Mathieu Desnoyers Date: Sat Nov 23 10:30:31 2024 -0500 tracing: Remove cond argument from __DECLARE_TRACE_SYSCALL Syscall tracepoints do not require a "cond" argument, because they are meant to be used only for sys_enter and sys_exit instrumentation, which don't require condition evaluation. Cc: Linus Torvalds Cc: Thomas Gleixner Cc: Michael Jeanson Cc: Masami Hiramatsu Cc: Peter Zijlstra Cc: Alexei Starovoitov Cc: Yonghong Song Cc: Paul E. McKenney Cc: Ingo Molnar Cc: Arnaldo Carvalho de Melo Cc: Mark Rutland Cc: Alexander Shishkin Cc: Namhyung Kim Cc: Andrii Nakryiko Cc: bpf@vger.kernel.org Cc: Joel Fernandes Cc: Jordan Rife Cc: linux-trace-kernel@vger.kernel.org Link: https://lore.kernel.org/20241123153031.2884933-6-mathieu.desnoyers@efficios.com Signed-off-by: Mathieu Desnoyers Signed-off-by: Steven Rostedt (Google) commit 98bf0fbb65226809a8df4d1948c5b6cf0c91590f Author: Mathieu Desnoyers Date: Sat Nov 23 10:30:30 2024 -0500 tracing: Remove conditional locking from __DO_TRACE() Remove conditional locking by moving the __DO_TRACE() code into trace_##name(). When the faultable syscall tracepoints were implemented, __DO_TRACE() had a rcuidle argument which selected between SRCU and preempt disable. Therefore, the RCU tasks trace protection for faultable syscall tracepoints was introduced using the same pattern. At that point, it did not appear obvious that this feedback from Linus [1] applied here as well, because the __DO_TRACE() modification was extending a pre-existing pattern. Shortly before pulling the faultable syscall tracepoints modifications, Steven removed the rcuidle argument and SRCU protection scheme entirely from tracepoint.h: commit 48bcda684823 ("tracing: Remove definition of trace_*_rcuidle()") This required a rebase of the faultable syscall tracepoints series, which missed a perfect opportunity to integrate the prior recommendation from Linus. In response to the pull request, Linus pointed out [2] that he was not pleased by the implementation, expecting this to be fixed in a follow up patch series. Move __DO_TRACE() code into trace_##name() within each of __DECLARE_TRACE() and __DECLARE_TRACE_SYSCALL(). Use a scoped guard to guard the preempt disable notrace and RCU tasks trace critical sections. Link: https://lore.kernel.org/all/CAHk-=wggDLDeTKbhb5hh--x=-DQd69v41137M72m6NOTmbD-cw@mail.gmail.com/ [1] Link: https://lore.kernel.org/lkml/CAHk-=witPrLcu22dZ93VCyRQonS7+-dFYhQbna=KBa-TAhayMw@mail.gmail.com/ [2] Fixes: a363d27cdbc2 ("tracing: Allow system call tracepoints to handle page faults") Cc: Linus Torvalds Cc: Thomas Gleixner Cc: Michael Jeanson Cc: Masami Hiramatsu Cc: Peter Zijlstra Cc: Alexei Starovoitov Cc: Yonghong Song Cc: Paul E. McKenney Cc: Ingo Molnar Cc: Arnaldo Carvalho de Melo Cc: Mark Rutland Cc: Alexander Shishkin Cc: Namhyung Kim Cc: Andrii Nakryiko Cc: bpf@vger.kernel.org Cc: Joel Fernandes Cc: Jordan Rife Cc: linux-trace-kernel@vger.kernel.org Link: https://lore.kernel.org/20241123153031.2884933-5-mathieu.desnoyers@efficios.com Signed-off-by: Mathieu Desnoyers Signed-off-by: Steven Rostedt (Google) commit 7c565a4d4e437034755a06b7d61361add3b98882 Author: Mathieu Desnoyers Date: Sat Nov 23 10:30:29 2024 -0500 rcupdate_trace: Define rcu_tasks_trace lock guard Define a rcu_tasks_trace lock guard for use by the syscall enter/exit tracepoints. Cc: Linus Torvalds Cc: Thomas Gleixner Cc: Michael Jeanson Cc: Masami Hiramatsu Cc: Peter Zijlstra Cc: Alexei Starovoitov Cc: Yonghong Song Cc: Paul E. McKenney Cc: Ingo Molnar Cc: Arnaldo Carvalho de Melo Cc: Mark Rutland Cc: Alexander Shishkin Cc: Namhyung Kim Cc: Andrii Nakryiko Cc: bpf@vger.kernel.org Cc: Joel Fernandes Cc: Jordan Rife Cc: linux-trace-kernel@vger.kernel.org Link: https://lore.kernel.org/20241123153031.2884933-4-mathieu.desnoyers@efficios.com Signed-off-by: Mathieu Desnoyers Signed-off-by: Steven Rostedt (Google) commit 89c7e17f303e2d56d50a162bb65d786d3a43963e Author: Mathieu Desnoyers Date: Sat Nov 23 10:30:28 2024 -0500 tracing: Remove __idx variable from __DO_TRACE Since the removal of SRCU-protected tracepoints, the __idx variable in __DO_TRACE is unused. Remove this variable. Fixes: 48bcda684823 ("tracing: Remove definition of trace_*_rcuidle()") Cc: Linus Torvalds Cc: Thomas Gleixner Cc: Michael Jeanson Cc: Masami Hiramatsu Cc: Peter Zijlstra Cc: Alexei Starovoitov Cc: Yonghong Song Cc: Paul E. McKenney Cc: Ingo Molnar Cc: Arnaldo Carvalho de Melo Cc: Mark Rutland Cc: Alexander Shishkin Cc: Namhyung Kim Cc: Andrii Nakryiko Cc: bpf@vger.kernel.org Cc: Joel Fernandes Cc: Jordan Rife Link: https://lore.kernel.org/20241123153031.2884933-3-mathieu.desnoyers@efficios.com Signed-off-by: Mathieu Desnoyers Signed-off-by: Steven Rostedt (Google) commit 306d40aa53b671ea72c3bf272f85ccb6c1b0bc65 Author: Mathieu Desnoyers Date: Sat Nov 23 10:30:27 2024 -0500 tracing: Move it_func[0] comment to the relevant context When introducing __DO_TRACE_CALL(), the iteration over it_func moved from __DO_TRACE() to __tracepoint_iter_##_name(), but the comment relevant for this iterator was left in its original location. Move the comment to the relevant context. Fixes: d25e37d89dd2 ("tracepoint: Optimize using static_call()") Cc: Linus Torvalds Cc: Thomas Gleixner Cc: Michael Jeanson Cc: Masami Hiramatsu Cc: Peter Zijlstra Cc: Alexei Starovoitov Cc: Yonghong Song Cc: Paul E. McKenney Cc: Ingo Molnar Cc: Arnaldo Carvalho de Melo Cc: Mark Rutland Cc: Alexander Shishkin Cc: Namhyung Kim Cc: Andrii Nakryiko Cc: bpf@vger.kernel.org Cc: Joel Fernandes Cc: Jordan Rife Link: https://lore.kernel.org/20241123153031.2884933-2-mathieu.desnoyers@efficios.com Signed-off-by: Mathieu Desnoyers Signed-off-by: Steven Rostedt (Google) commit 42d9e8b7ccddee75989283cf7477305cfe3776ff Merge: 5c00ff742bf5ca 3c592ce7991cdf Author: Linus Torvalds Date: Sat Nov 23 10:44:31 2024 -0800 Merge tag 'powerpc-6.13-1' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux Pull powerpc updates from Michael Ellerman: - Rework kfence support for the HPT MMU to work on systems with >= 16TB of RAM. - Remove the powerpc "maple" platform, used by the "Yellow Dog Powerstation". - Add support for DYNAMIC_FTRACE_WITH_CALL_OPS, DYNAMIC_FTRACE_WITH_DIRECT_CALLS & BPF Trampolines. - Add support for running KVM nested guests on Power11. - Other small features, cleanups and fixes. Thanks to Amit Machhiwal, Arnd Bergmann, Christophe Leroy, Costa Shulyupin, David Hunter, David Wang, Disha Goel, Gautam Menghani, Geert Uytterhoeven, Hari Bathini, Julia Lawall, Kajol Jain, Keith Packard, Lukas Bulwahn, Madhavan Srinivasan, Markus Elfring, Michal Suchanek, Ming Lei, Mukesh Kumar Chaurasiya, Nathan Chancellor, Naveen N Rao, Nicholas Piggin, Nysal Jan K.A, Paulo Miguel Almeida, Pavithra Prakash, Ritesh Harjani (IBM), Rob Herring (Arm), Sachin P Bappalige, Shen Lichuan, Simon Horman, Sourabh Jain, Thomas Weißschuh, Thorsten Blum, Thorsten Leemhuis, Venkat Rao Bagalkote, Zhang Zekun, and zhang jiao. * tag 'powerpc-6.13-1' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: (89 commits) EDAC/powerpc: Remove PPC_MAPLE drivers powerpc/perf: Add per-task/process monitoring to vpa_pmu driver powerpc/kvm: Add vpa latency counters to kvm_vcpu_arch docs: ABI: sysfs-bus-event_source-devices-vpa-pmu: Document sysfs event format entries for vpa_pmu powerpc/perf: Add perf interface to expose vpa counters MAINTAINERS: powerpc: Mark Maddy as "M" powerpc/Makefile: Allow overriding CPP powerpc-km82xx.c: replace of_node_put() with __free ps3: Correct some typos in comments powerpc/kexec: Fix return of uninitialized variable macintosh: Use common error handling code in via_pmu_led_init() powerpc/powermac: Use of_property_match_string() in pmac_has_backlight_type() powerpc: remove dead config options for MPC85xx platform support powerpc/xive: Use cpumask_intersects() selftests/powerpc: Remove the path after initialization. powerpc/xmon: symbol lookup length fixed powerpc/ep8248e: Use %pa to format resource_size_t powerpc/ps3: Reorganize kerneldoc parameter names KVM: PPC: Book3S HV: Fix kmv -> kvm typo powerpc/sstep: make emulate_vsx_load and emulate_vsx_store static ... commit 5c00ff742bf5caf85f60e1c73999f99376fb865d Merge: 228a1157fb9fec 2532e6c74a67e6 Author: Linus Torvalds Date: Sat Nov 23 09:58:07 2024 -0800 Merge tag 'mm-stable-2024-11-18-19-27' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Pull MM updates from Andrew Morton: - The series "zram: optimal post-processing target selection" from Sergey Senozhatsky improves zram's post-processing selection algorithm. This leads to improved memory savings. - Wei Yang has gone to town on the mapletree code, contributing several series which clean up the implementation: - "refine mas_mab_cp()" - "Reduce the space to be cleared for maple_big_node" - "maple_tree: simplify mas_push_node()" - "Following cleanup after introduce mas_wr_store_type()" - "refine storing null" - The series "selftests/mm: hugetlb_fault_after_madv improvements" from David Hildenbrand fixes this selftest for s390. - The series "introduce pte_offset_map_{ro|rw}_nolock()" from Qi Zheng implements some rationaizations and cleanups in the page mapping code. - The series "mm: optimize shadow entries removal" from Shakeel Butt optimizes the file truncation code by speeding up the handling of shadow entries. - The series "Remove PageKsm()" from Matthew Wilcox completes the migration of this flag over to being a folio-based flag. - The series "Unify hugetlb into arch_get_unmapped_area functions" from Oscar Salvador implements a bunch of consolidations and cleanups in the hugetlb code. - The series "Do not shatter hugezeropage on wp-fault" from Dev Jain takes away the wp-fault time practice of turning a huge zero page into small pages. Instead we replace the whole thing with a THP. More consistent cleaner and potentiall saves a large number of pagefaults. - The series "percpu: Add a test case and fix for clang" from Andy Shevchenko enhances and fixes the kernel's built in percpu test code. - The series "mm/mremap: Remove extra vma tree walk" from Liam Howlett optimizes mremap() by avoiding doing things which we didn't need to do. - The series "Improve the tmpfs large folio read performance" from Baolin Wang teaches tmpfs to copy data into userspace at the folio size rather than as individual pages. A 20% speedup was observed. - The series "mm/damon/vaddr: Fix issue in damon_va_evenly_split_region()" fro Zheng Yejian fixes DAMON splitting. - The series "memcg-v1: fully deprecate charge moving" from Shakeel Butt removes the long-deprecated memcgv2 charge moving feature. - The series "fix error handling in mmap_region() and refactor" from Lorenzo Stoakes cleanup up some of the mmap() error handling and addresses some potential performance issues. - The series "x86/module: use large ROX pages for text allocations" from Mike Rapoport teaches x86 to use large pages for read-only-execute module text. - The series "page allocation tag compression" from Suren Baghdasaryan is followon maintenance work for the new page allocation profiling feature. - The series "page->index removals in mm" from Matthew Wilcox remove most references to page->index in mm/. A slow march towards shrinking struct page. - The series "damon/{self,kunit}tests: minor fixups for DAMON debugfs interface tests" from Andrew Paniakin performs maintenance work for DAMON's self testing code. - The series "mm: zswap swap-out of large folios" from Kanchana Sridhar improves zswap's batching of compression and decompression. It is a step along the way towards using Intel IAA hardware acceleration for this zswap operation. - The series "kasan: migrate the last module test to kunit" from Sabyrzhan Tasbolatov completes the migration of the KASAN built-in tests over to the KUnit framework. - The series "implement lightweight guard pages" from Lorenzo Stoakes permits userapace to place fault-generating guard pages within a single VMA, rather than requiring that multiple VMAs be created for this. Improved efficiencies for userspace memory allocators are expected. - The series "memcg: tracepoint for flushing stats" from JP Kobryn uses tracepoints to provide increased visibility into memcg stats flushing activity. - The series "zram: IDLE flag handling fixes" from Sergey Senozhatsky fixes a zram buglet which potentially affected performance. - The series "mm: add more kernel parameters to control mTHP" from Maíra Canal enhances our ability to control/configuremultisize THP from the kernel boot command line. - The series "kasan: few improvements on kunit tests" from Sabyrzhan Tasbolatov has a couple of fixups for the KASAN KUnit tests. - The series "mm/list_lru: Split list_lru lock into per-cgroup scope" from Kairui Song optimizes list_lru memory utilization when lockdep is enabled. * tag 'mm-stable-2024-11-18-19-27' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm: (215 commits) cma: enforce non-zero pageblock_order during cma_init_reserved_mem() mm/kfence: add a new kunit test test_use_after_free_read_nofault() zram: fix NULL pointer in comp_algorithm_show() memcg/hugetlb: add hugeTLB counters to memcg vmstat: call fold_vm_zone_numa_events() before show per zone NUMA event mm: mmap_lock: check trace_mmap_lock_$type_enabled() instead of regcount zram: ZRAM_DEF_COMP should depend on ZRAM MAINTAINERS/MEMORY MANAGEMENT: add document files for mm Docs/mm/damon: recommend academic papers to read and/or cite mm: define general function pXd_init() kmemleak: iommu/iova: fix transient kmemleak false positive mm/list_lru: simplify the list_lru walk callback function mm/list_lru: split the lock to per-cgroup scope mm/list_lru: simplify reparenting and initial allocation mm/list_lru: code clean up for reparenting mm/list_lru: don't export list_lru_add mm/list_lru: don't pass unnecessary key parameters kasan: add kunit tests for kmalloc_track_caller, kmalloc_node_track_caller kasan: change kasan_atomics kunit test as KUNIT_CASE_SLOW kasan: use EXPORT_SYMBOL_IF_KUNIT to export symbols ... commit de2bf507fabba9c0c678cf5ed54beb546f5ca29a Author: Murad Masimov Date: Thu Nov 21 20:36:03 2024 +0300 hwmon: (tps23861) Fix reporting of negative temperatures Negative temperatures are reported as large positive temperatures due to missing sign extension from unsigned int to long. Cast unsigned raw register values to signed before performing the calculations to fix the problem. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: fff7b8ab2255 ("hwmon: add Texas Instruments TPS23861 driver") Signed-off-by: Murad Masimov Message-ID: <20241121173604.2021-1-m.masimov@maxima.ru> [groeck: Updated subject and description] Signed-off-by: Guenter Roeck commit 8281d627905dc72241ca3969ee18f3e029e96d00 Author: Jarkko Nikula Date: Thu Nov 21 14:18:19 2024 +0200 hwmon: (tmp108) Do not fail in I3C probe when I3C regmap is a module I3C device probe fails when CONFIG_REGMAP_I3C=m: p3t1085_i3c 0-23615290090: error -ENODEV: Failed to register i3c regmap Fix this by using the IS_ENABLED(CONFIG_REGMAP_I3C) macro in the code. Fixes: c40655e33106 ("hwmon: (tmp108) Add support for I3C device") Signed-off-by: Jarkko Nikula Message-ID: <20241121121819.393104-1-jarkko.nikula@linux.intel.com> [groeck: Remove #ifdef entirely; it is not needed due to dead code elimination] Signed-off-by: Guenter Roeck commit bc8aeb04fd80cb8cfae3058445c84410fd0beb5e Author: Chao Yu Date: Thu Nov 21 22:17:16 2024 +0800 f2fs: fix to drop all discards after creating snapshot on lvm device Piergiorgio reported a bug in bugzilla as below: ------------[ cut here ]------------ WARNING: CPU: 2 PID: 969 at fs/f2fs/segment.c:1330 RIP: 0010:__submit_discard_cmd+0x27d/0x400 [f2fs] Call Trace: __issue_discard_cmd+0x1ca/0x350 [f2fs] issue_discard_thread+0x191/0x480 [f2fs] kthread+0xcf/0x100 ret_from_fork+0x31/0x50 ret_from_fork_asm+0x1a/0x30 w/ below testcase, it can reproduce this bug quickly: - pvcreate /dev/vdb - vgcreate myvg1 /dev/vdb - lvcreate -L 1024m -n mylv1 myvg1 - mount /dev/myvg1/mylv1 /mnt/f2fs - dd if=/dev/zero of=/mnt/f2fs/file bs=1M count=20 - sync - rm /mnt/f2fs/file - sync - lvcreate -L 1024m -s -n mylv1-snapshot /dev/myvg1/mylv1 - umount /mnt/f2fs The root cause is: it will update discard_max_bytes of mounted lvm device to zero after creating snapshot on this lvm device, then, __submit_discard_cmd() will pass parameter @nr_sects w/ zero value to __blkdev_issue_discard(), it returns a NULL bio pointer, result in panic. This patch changes as below for fixing: 1. Let's drop all remained discards in f2fs_unfreeze() if snapshot of lvm device is created. 2. Checking discard_max_bytes before submitting discard during __submit_discard_cmd(). Cc: stable@vger.kernel.org Fixes: 35ec7d574884 ("f2fs: split discard command in prior to block layer") Reported-by: Piergiorgio Sartor Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219484 Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim commit 009a8241a8e5a14ea2dd0b8db42dbf283527dd44 Author: Chao Yu Date: Fri Nov 22 14:50:05 2024 +0800 f2fs: add a sysfs node to limit max read extent count per-inode Quoted: "at this time, there are still 1086911 extent nodes in this zombie extent tree that need to be cleaned up. crash_arm64_sprd_v8.0.3++> extent_tree.node_cnt ffffff80896cc500 node_cnt = { counter = 1086911 }, " As reported by Xiuhong, there will be a huge number of extent nodes in extent tree, it may potentially cause: - slab memory fragments - extreme long time shrink on extent tree - low mapping efficiency Let's add a sysfs node to limit max read extent count for each inode, by default, value of this threshold is 10240, it can be updated according to user's requirement. Reported-by: Xiuhong Wang Closes: https://lore.kernel.org/linux-f2fs-devel/20241112110627.1314632-1-xiuhong.wang@unisoc.com/ Signed-off-by: Xiuhong Wang Signed-off-by: Zhiguo Niu Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim commit 4fbd66d8254cedfd1218393f39d83b6c07a01917 Author: Xi Ruoyao Date: Sat Nov 23 11:57:37 2024 +0800 MIPS: Loongson64: DTS: Really fix PCIe port nodes for ls7a Fix the dtc warnings: arch/mips/boot/dts/loongson/ls7a-pch.dtsi:68.16-416.5: Warning (interrupt_provider): /bus@10000000/pci@1a000000: '#interrupt-cells' found, but node is not an interrupt provider arch/mips/boot/dts/loongson/ls7a-pch.dtsi:68.16-416.5: Warning (interrupt_provider): /bus@10000000/pci@1a000000: '#interrupt-cells' found, but node is not an interrupt provider arch/mips/boot/dts/loongson/loongson64g_4core_ls7a.dtb: Warning (interrupt_map): Failed prerequisite 'interrupt_provider' And a runtime warning introduced in commit 045b14ca5c36 ("of: WARN on deprecated #address-cells/#size-cells handling"): WARNING: CPU: 0 PID: 1 at drivers/of/base.c:106 of_bus_n_addr_cells+0x9c/0xe0 Missing '#address-cells' in /bus@10000000/pci@1a000000/pci_bridge@9,0 The fix is similar to commit d89a415ff8d5 ("MIPS: Loongson64: DTS: Fix PCIe port nodes for ls7a"), which has fixed the issue for ls2k (despite its subject mentions ls7a). Signed-off-by: Xi Ruoyao Signed-off-by: Thomas Bogendoerfer commit 228a1157fb9fec47eb135b51c0202b574e079ebf Merge: e7675238b9bf4d a9685b409a03b7 Author: Linus Torvalds Date: Fri Nov 22 21:54:14 2024 -0800 Merge tag '6.13-rc-part1-SMB3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6 Pull smb client updates from Steve French: - Fix two SMB3.1.1 POSIX Extensions problems - Fixes for special file handling (symlinks and FIFOs) - Improve compounding - Four cleanup patches - Fix use after free in signing - Add support for handling namespaces for reconnect related upcalls (e.g. for DNS names resolution and auth) - Fix various directory lease problems (directory entry caching), including some important potential use after frees * tag '6.13-rc-part1-SMB3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6: smb: prevent use-after-free due to open_cached_dir error paths smb: Don't leak cfid when reconnect races with open_cached_dir smb: client: handle max length for SMB symlinks smb: client: get rid of bounds check in SMB2_ioctl_init() smb: client: improve compound padding in encryption smb3: request handle caching when caching directories cifs: Recognize SFU char/block devices created by Windows NFS server on Windows Server <<2012 CIFS: New mount option for cifs.upcall namespace resolution smb/client: Prevent error pointer dereference fs/smb/client: implement chmod() for SMB3 POSIX Extensions smb: cached directories can be more than root file handle smb: client: fix use-after-free of signing key smb: client: Use str_yes_no() helper function smb: client: memcpy() with surrounding object base address cifs: Remove pre-historic unused CIFSSMBCopy commit e7675238b9bf4db0b872d5dbcd53efa31914c98f Merge: 060fc106b6854d c8b359dddb418c Author: Linus Torvalds Date: Fri Nov 22 20:55:42 2024 -0800 Merge tag 'ovl-update-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/overlayfs/vfs Pull overlayfs updates from Amir Goldstein: - Fix a syzbot reported NULL pointer deref with bfs lower layers - Fix a copy up failure of large file from lower fuse fs - Followup cleanup of backing_file API from Miklos - Introduction and use of revert/override_creds_light() helpers, that were suggested by Christian as a mitigation to cache line bouncing and false sharing of fields in overlayfs creator_cred long lived struct cred copy. - Store up to two backing file references (upper and lower) in an ovl_file container instead of storing a single backing file in file->private_data. This is used to avoid the practice of opening a short lived backing file for the duration of some file operations and to avoid the specialized use of FDPUT_FPUT in such occasions, that was getting in the way of Al's fd_file() conversions. * tag 'ovl-update-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/overlayfs/vfs: ovl: Filter invalid inodes with missing lookup function ovl: convert ovl_real_fdget() callers to ovl_real_file() ovl: convert ovl_real_fdget_path() callers to ovl_real_file_path() ovl: store upper real file in ovl_file struct ovl: allocate a container struct ovl_file for ovl private context ovl: do not open non-data lower file for fsync ovl: Optimize override/revert creds ovl: pass an explicit reference of creators creds to callers ovl: use wrapper ovl_revert_creds() fs/backing-file: Convert to revert/override_creds_light() cred: Add a light version of override/revert_creds() backing-file: clean up the API ovl: properly handle large files in ovl_security_fileattr commit 060fc106b6854d3289d838ac3c98eb17afb261d7 Merge: 980f8f8fd42288 6b56a63d286f6f Author: Linus Torvalds Date: Fri Nov 22 20:50:55 2024 -0800 Merge tag 'unicode-next-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/krisman/unicode Pull unicode updates from Gabriel Krisman Bertazi: - constify a read-only struct (Thomas Weißschuh) - fix the error path of unicode_load, avoiding a possible kernel oops if it fails to find the unicode module (André Almeida) - documentation fix, updating a filename in the README (Gan Jie) - add the link of my tree to MAINTAINERS (André Almeida) * tag 'unicode-next-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/krisman/unicode: MAINTAINERS: Add Unicode tree unicode: change the reference of database file unicode: Fix utf8_load() error path unicode: constify utf8 data table commit 980f8f8fd4228839f3d811521a27d4f9c2ead123 Merge: 2a163a4cea1533 9c738dae9534fb Author: Linus Torvalds Date: Fri Nov 22 20:36:11 2024 -0800 Merge tag 'sysctl-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/sysctl/sysctl Pull sysctl updates from Joel Granados: "sysctl ctl_table constification: - Constifying ctl_table structs prevents the modification of proc_handler function pointers. All ctl_table struct arguments are const qualified in the sysctl API in such a way that the ctl_table arrays being defined elsewhere and passed through sysctl can be constified one-by-one. We kick the constification off by qualifying user_table in kernel/ucount.c and expect all the ctl_tables to be constified in the coming releases. Misc fixes: - Adjust comments in two places to better reflect the code - Remove superfluous dput calls - Remove Luis from sysctl maintainership - Replace comments about holding a lock with calls to lockdep_assert_held" * tag 'sysctl-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/sysctl/sysctl: sysctl: Reduce dput(child) calls in proc_sys_fill_cache() sysctl: Reorganize kerneldoc parameter names ucounts: constify sysctl table user_table sysctl: update comments to new registration APIs MAINTAINERS: remove me from sysctl sysctl: Convert locking comments to lockdep assertions const_structs.checkpatch: add ctl_table sysctl: make internal ctl_tables const sysctl: allow registration of const struct ctl_table sysctl: move internal interfaces to const struct ctl_table bpf: Constify ctl_table argument of filter function commit 2a163a4cea153348172e260a0c5b5569103a66a3 Merge: ceba6f6f33f29a 68b3bca2df00f0 Author: Linus Torvalds Date: Fri Nov 22 20:03:57 2024 -0800 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma Pull rdma updates from Jason Gunthorpe: "Seveal fixes scattered across the drivers and a few new features: - Minor updates and bug fixes to hfi1, efa, iopob, bnxt, hns - Force disassociate the userspace FD when hns does an async reset - bnxt new features for optimized modify QP to skip certain stayes, CQ coalescing, better debug dumping - mlx5 new data placement ordering feature - Faster destruction of mlx5 devx HW objects - Improvements to RDMA CM mad handling" * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma: (51 commits) RDMA/bnxt_re: Correct the sequence of device suspend RDMA/bnxt_re: Use the default mode of congestion control RDMA/bnxt_re: Support different traffic class IB/cm: Rework sending DREQ when destroying a cm_id IB/cm: Do not hold reference on cm_id unless needed IB/cm: Explicitly mark if a response MAD is a retransmission RDMA/mlx5: Move events notifier registration to be after device registration RDMA/bnxt_re: Cache MSIx info to a local structure RDMA/bnxt_re: Refurbish CQ to NQ hash calculation RDMA/bnxt_re: Refactor NQ allocation RDMA/bnxt_re: Fail probe early when not enough MSI-x vectors are reserved RDMA/hns: Fix different dgids mapping to the same dip_idx RDMA/bnxt_re: Add set_func_resources support for P5/P7 adapters RDMA/bnxt_re: Enhance RoCE SRIOV resource configuration design bnxt_en: Add support for RoCE sriov configuration RDMA/hns: Fix NULL pointer derefernce in hns_roce_map_mr_sg() RDMA/hns: Fix out-of-order issue of requester when setting FENCE RDMA/nldev: Add IB device and net device rename events RDMA/mlx5: Add implementation for ufile_hw_cleanup device operation RDMA/core: Move ib_uverbs_file struct to uverbs_types.h ... commit ceba6f6f33f29ab838b23a567621b847e527d085 Merge: eb78332b106777 42f0cbb2a253bc Author: Linus Torvalds Date: Fri Nov 22 19:55:10 2024 -0800 Merge tag 'iommu-updates-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/iommu/linux Pull iommu updates from Joerg Roedel: "Core Updates: - Convert call-sites using iommu_domain_alloc() to more specific versions and remove function - Introduce iommu_paging_domain_alloc_flags() - Extend support for allocating PASID-capable domains to more drivers - Remove iommu_present() - Some smaller improvements New IOMMU driver for RISC-V Intel VT-d Updates: - Add domain_alloc_paging support - Enable user space IOPFs in non-PASID and non-svm cases - Small code refactoring and cleanups - Add domain replacement support for pasid AMD-Vi Updates: - Adapt to iommu_paging_domain_alloc_flags() interface and alloc V2 page-tables by default - Replace custom domain ID allocator with IDA allocator - Add ops->release_domain() support - Other improvements to device attach and domain allocation code paths ARM-SMMU Updates: - SMMUv2: - Return -EPROBE_DEFER for client devices probing before their SMMU - Devicetree binding updates for Qualcomm MMU-500 implementations - SMMUv3: - Minor fixes and cleanup for NVIDIA's virtual command queue driver - IO-PGTable: - Fix indexing of concatenated PGDs and extend selftest coverage - Remove unused block-splitting support S390 IOMMU: - Implement support for blocking domain Mediatek IOMMU: - Enable 35-bit physical address support for mt8186 OMAP IOMMU driver: - Adapt to recent IOMMU core changes and unbreak driver" * tag 'iommu-updates-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/iommu/linux: (92 commits) iommu/tegra241-cmdqv: Fix alignment failure at max_n_shift iommu: Make set_dev_pasid op support domain replacement iommu/arm-smmu-v3: Make set_dev_pasid() op support replace iommu/vt-d: Add set_dev_pasid callback for nested domain iommu/vt-d: Make identity_domain_set_dev_pasid() to handle domain replacement iommu/vt-d: Make intel_svm_set_dev_pasid() support domain replacement iommu/vt-d: Limit intel_iommu_set_dev_pasid() for paging domain iommu/vt-d: Make intel_iommu_set_dev_pasid() to handle domain replacement iommu/vt-d: Add iommu_domain_did() to get did iommu/vt-d: Consolidate the struct dev_pasid_info add/remove iommu/vt-d: Add pasid replace helpers iommu/vt-d: Refactor the pasid setup helpers iommu/vt-d: Add a helper to flush cache for updating present pasid entry iommu: Pass old domain to set_dev_pasid op iommu/iova: Fix typo 'adderss' iommu: Add a kdoc to iommu_unmap() iommu/io-pgtable-arm-v7s: Remove split on unmap behavior iommu/io-pgtable-arm: Remove split on unmap behavior iommu/vt-d: Drain PRQs when domain removed from RID iommu/vt-d: Drop pasid requirement for prq initialization ... commit eb78332b1067776ca4a474ccfd92460014e8d8e3 Merge: 6f9baa9b92c2e4 fef664fd73c12c Author: Linus Torvalds Date: Fri Nov 22 19:43:18 2024 -0800 Merge tag 'thermal-6.13-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull more thermal control updates from Rafael Wysocki: "These update a few thermal drivers used on ARM platforms and thermal tools: - Add SAR2130P compatible to DT bindings in the QCom Tsens driver (Dmitry Baryshkov) - Add static annotation to arrays describing platform sensors in the LVTS Mediatek driver (Colin Ian King) - Switch back to struct platform_driver::remove() from the previous callbacks prototype rework (Uwe Kleine-König) - Add MSM8937 compatible to DT bindings and its support in the QCom Tsens driver (Barnabás Czémán) - Remove a pointless sign test on an unsigned value in k3_bgp_read_temp() in the k3_j72xx_bandgap driver (Rex Nie) - Fix a pointer reference loss when realloc() fails in the thermal library (Zhang Jiao)" * tag 'thermal-6.13-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: tools/thermal: Fix common realloc mistake thermal/drivers/k3_j72xx_bandgap: Simplify code in k3_bgp_read_temp() thermal/drivers/qcom/tsens-v1: Add support for MSM8937 tsens dt-bindings: thermal: tsens: Add MSM8937 thermal: Switch back to struct platform_driver::remove() thermal/drivers/mediatek/lvts_thermal: Make read-only arrays static const dt-bindings: thermal: qcom-tsens: Add SAR2130P compatible commit 6f9baa9b92c2e4e28e385fa581f0511621db3f9a Merge: 619d996c86421d f3e66e78f2ecb1 Author: Linus Torvalds Date: Fri Nov 22 19:29:48 2024 -0800 Merge tag 'pm-6.13-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull more power management updates from Rafael Wysocki: "These mostly are updates of cpufreq drivers used on ARM platforms plus one new DT-based cpufreq driver for virtualized guests and two cpuidle changes that should not make any difference on systems currently in the field, but will be needed for future development: - Add virtual cpufreq driver for guest kernels (David Dai) - Minor cleanup to various cpufreq drivers (Andy Shevchenko, Dhruva Gole, Jie Zhan, Jinjie Ruan, Shuosheng Huang, Sibi Sankar, and Yuan Can) - Revert "cpufreq: brcmstb-avs-cpufreq: Fix initial command check" (Colin Ian King) - Improve DT bindings for qcom-hw driver (Dmitry Baryshkov, Konrad Dybcio, and Nikunj Kela) - Make cpuidle_play_dead() try all idle states with :enter_dead() callbacks and change their return type to void (Rafael Wysocki)" * tag 'pm-6.13-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: (22 commits) cpuidle: Change :enter_dead() driver callback return type to void cpuidle: Do not return from cpuidle_play_dead() on callback failures arm64: dts: qcom: sc8180x: Add a SoC-specific compatible to cpufreq-hw dt-bindings: cpufreq: cpufreq-qcom-hw: Add SC8180X compatible cpufreq: sun50i: add a100 cpufreq support cpufreq: mediatek-hw: Fix wrong return value in mtk_cpufreq_get_cpu_power() cpufreq: CPPC: Fix wrong return value in cppc_get_cpu_power() cpufreq: CPPC: Fix wrong return value in cppc_get_cpu_cost() cpufreq: loongson3: Check for error code from devm_mutex_init() call cpufreq: scmi: Fix cleanup path when boost enablement fails cpufreq: CPPC: Fix possible null-ptr-deref for cppc_get_cpu_cost() cpufreq: CPPC: Fix possible null-ptr-deref for cpufreq_cpu_get_raw() Revert "cpufreq: brcmstb-avs-cpufreq: Fix initial command check" dt-bindings: cpufreq: cpufreq-qcom-hw: Add SAR2130P compatible cpufreq: add virtual-cpufreq driver dt-bindings: cpufreq: add virtual cpufreq device cpufreq: loongson2: Unregister platform_driver on failure cpufreq: ti-cpufreq: Remove revision offsets in AM62 family cpufreq: ti-cpufreq: Allow backward compatibility for efuse syscon cppc_cpufreq: Remove HiSilicon CPPC workaround ... commit 619d996c86421da1057d589123a28e2da0bf0785 Merge: d0c9a21c8e0b2d 5578b4347bb5d5 Author: Linus Torvalds Date: Fri Nov 22 17:25:32 2024 -0800 Merge tag 'tpmdd-next-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd Pull TPM updates from Jarkko Sakkinen: "Only some minor tweaks" * tag 'tpmdd-next-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd: tpm: atmel: Drop PPC64 specific MMIO setup char: tpm: cr50: Add new device/vendor ID 0x50666666 char: tpm: cr50: Move i2c locking to request/relinquish locality ops char: tpm: cr50: Use generic request/relinquish locality ops tpm: ibmvtpm: Set TPM_OPS_AUTO_STARTUP flag on driver commit d0c9a21c8e0b2d7c55a2174f47bd0ea1d7302de6 Merge: 9f3a2ba62c7226 944477516bda30 Author: Linus Torvalds Date: Fri Nov 22 17:06:59 2024 -0800 Merge tag 'mtd/for-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux Pull MTD updates from Miquel Raynal: "MTD device changes: - switch platform_driver back to remove() - misc fixes SPI-NAND changes: - a load of fixes to Winbond manufacturer driver - structure constification Raw NAND changes: - improve the power management of the GPMI driver - Davinci driver clean-ups - fix leak in the Atmel driver - fix some typos in the core SPI NOR changes: - Introduce byte swap support for 8D-8D-8D mode and a user for it: macronix. SPI NOR flashes may swap the bytes on a 16-bit boundary when configured in Octal DTR mode. For such cases the byte order is propagated through SPI MEM to the SPI controllers so that the controllers swap the bytes back at runtime. This avoids breaking the boot sequence because of the endianness problems that appear when the bootloaders use 1-1-1 and the kernel uses 8D-8D-8D with byte swap support. Along with the SPI MEM byte swap support we queue a patch for the SPI MXIC controller that swaps the bytes back at runtime" * tag 'mtd/for-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux: (25 commits) mtd: spi-nor: core: replace dummy buswidth from addr to data mtd: spi-nor: winbond: add "w/ and w/o SFDP" comment mtd: spi-nor: spansion: Use nor->addr_nbytes in octal DTR mode in RD_ANY_REG_OP mtd: Switch back to struct platform_driver::remove() mtd: cfi_cmdset_0002: remove redundant assignment to variable ret mtd: spinand: Constify struct nand_ecc_engine_ops MAINTAINERS: add mailing list for GPMI NAND driver mtd: spinand: winbond: Sort the devices mtd: spinand: winbond: Ignore the last ID characters mtd: spinand: winbond: Fix 512GW, 01GW, 01JW and 02JW ECC information mtd: spinand: winbond: Fix 512GW and 02JW OOB layout mtd: nand: raw: gpmi: improve power management handling mtd: nand: raw: gpmi: switch to SYSTEM_SLEEP_PM_OPS mtd: rawnand: davinci: use generic device property helpers mtd: rawnand: davinci: break the line correctly mtd: rawnand: davinci: order headers alphabetically mtd: rawnand: atmel: Fix possible memory leak mtd: rawnand: Correct multiple typos in comments mtd: hyperbus: rpc-if: Add missing MODULE_DEVICE_TABLE mtd: spi-nor: add support for Macronix Octal flash ... commit 9f3a2ba62c7226a6604b8aaeb92b5ff906fa4e6b Merge: 2fb7eb3d7e8c5c 21a5352dc702d8 Author: Linus Torvalds Date: Fri Nov 22 17:02:25 2024 -0800 Merge tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux Pull clk updates from Stephen Boyd: "The core framework gained a clk provider helper, a clk consumer helper, and some unit tests for the assigned clk rates feature in DeviceTree. On the vendor driver side, we gained a whole pile of SoC driver support detailed below. The majority in the diffstat is Qualcomm, but there's also quite a few Samsung and Mediatek clk driver additions in here as well. The top vendors is quite common, but the sheer amount of new drivers is uncommon, so I'm anticipating a larger number of fixes for clk drivers this cycle. Core: - devm_clk_bulk_get_all_enabled() to return number of clks acquired - devm_clk_hw_register_gate_parent_hw() helper to modernize drivers - KUnit tests for clk-assigned-rates{,-u64} New Drivers: - Marvell PXA1908 SoC clks - Mobileye EyeQ5, EyeQ6L and EyeQ6H clk driver - TWL6030 clk driver - Nuvoton Arbel BMC NPCM8XX SoC clks - MediaTek MT6735 SoC clks - MediaTek MT7620, MT7628 and MT7688 MMC clks - Add a driver for gated fixed rate clocks - Global clock controllers for Qualcomm QCS8300 and IPQ5424 SoCs - Camera, display and video clock controllers for Qualcomm SA8775P SoCs - Global, display, GPU, TCSR, and RPMh clock controllers for Qualcomm SAR2130P - Global, camera, display, GPU, and video clock controllers for Qualcomm SM8475 SoCs - RTC power domain and Battery Backup Function (VBATTB) clock support for the Renesas RZ/G3S SoC - Qualcomm IPQ9574 alpha PLLs - Support for i.MX91 CCM in the i.MX93 driver - Microchip LAN969X SoC clks - Cortex-A55 core clocks and Interrupt Control Unit (ICU) clock and reset on Renesas RZ/V2H(P) - Samsung ExynosAutov920 clk drivers for PERIC1, MISC, HSI0 and HSI1 - Samsung Exynos8895 clk drivers for FSYS0/1, PERIC0/1, PERIS and TOP Updates: - Convert more clk bindings to YAML - Various clk driver cleanups: NULL checks, add const, etc. - Remove END/NUM #defines that count number of clks in various binding headers - Continue moving reset drivers to drivers/reset via auxiliary bus" * tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux: (162 commits) clk: clk-loongson2: Fix potential buffer overflow in flexible-array member access clk: Fix invalid execution of clk_set_rate clk: clk-loongson2: Fix memory corruption bug in struct loongson2_clk_provider clk: lan966x: make it selectable for ARCH_LAN969X clk: eyeq: add EyeQ6H west fixed factor clocks clk: eyeq: add EyeQ6H central fixed factor clocks clk: eyeq: add EyeQ5 fixed factor clocks clk: eyeq: add fixed factor clocks infrastructure clk: eyeq: require clock index with phandle in all cases clk: fixed-factor: add clk_hw_register_fixed_factor_index() function dt-bindings: clock: eyeq: add more Mobileye EyeQ5/EyeQ6H clocks dt-bindings: soc: mobileye: set `#clock-cells = <1>` for all compatibles clk: clk-axi-clkgen: make sure to enable the AXI bus clock dt-bindings: clock: axi-clkgen: include AXI clk clk: mmp: Add Marvell PXA1908 MPMU driver clk: mmp: Add Marvell PXA1908 APMU driver clk: mmp: Add Marvell PXA1908 APBCP driver clk: mmp: Add Marvell PXA1908 APBC driver dt-bindings: clock: Add Marvell PXA1908 clock bindings clk: mmp: Switch to use struct u32_fract instead of custom one ... commit 2fb7eb3d7e8c5c0375c726c7d5c443e6f7e53741 Merge: 93251bdf7a771c 3adec6f907b698 Author: Linus Torvalds Date: Fri Nov 22 16:29:57 2024 -0800 Merge tag 'backlight-next-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/backlight Pull backlight updates from Lee Jones: - Improve handling of LCD power states and interactions with the fbdev subsystem - Introduce new LCD_POWER_ constants to decouple the LCD subsystem from fbdev - Update several drivers to use the new LCD_POWER_ constants - Clarify the semantics of the lcd_ops.controls_device callback - Remove unnecessary includes and dependencies - Remove unused notifier functionality - Simplify code with scoped for-each loops - Fix module autoloading for the ktz8866 driver - Update device tree bindings to yaml format - Minor cleanups and improvements in various drivers * tag 'backlight-next-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/backlight: (33 commits) MAINTAINERS: Use Daniel Thompson's korg address for Backlight work dt-bindings: backlight: Convert zii,rave-sp-backlight.txt to yaml backlight: Remove notifier backlight: ktz8866: Fix module autoloading backlight: 88pm860x_bl: Simplify with scoped for each OF child loop backlight: lcd: Do not include in lcd header backlight: lcd: Remove struct fb_videomode from set_mode callback backlight: lcd: Replace check_fb with controls_device HID: picoLCD: Replace check_fb in favor of struct fb_info.lcd_dev fbdev: omap: Use lcd power constants fbdev: imxfb: Use lcd power constants fbdev: imxfb: Replace check_fb in favor of struct fb_info.lcd_dev fbdev: clps711x-fb: Use lcd power constants fbdev: clps711x-fb: Replace check_fb in favor of struct fb_info.lcd_dev backlight: tdo24m: Use lcd power constants backlight: platform_lcd: Use lcd power constants backlight: platform_lcd: Remove match_fb from struct plat_lcd_data backlight: platform_lcd: Remove include statement for backlight: otm3225a: Use lcd power constants backlight: ltv350qv: Use lcd power constants ... commit 93251bdf7a771c4eeb0f95fa38ded92e95154ef7 Merge: 80739fd00c7ea1 e8501858035b1f Author: Linus Torvalds Date: Fri Nov 22 16:25:20 2024 -0800 Merge tag 'leds-next-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/leds PULL LED updates from Lee Jones: - Remove unused local header files from various drivers - Revert platform driver removal to the original method for consistency - Introduce ordered workqueues for LED events, replacing the less efficient system_wq - Switch to a safer iteration macro in several drivers to prevent potential memory leaks - Fix a refcounting bug in the mt6360 flash LED driver - Fix an uninitialized variable in the mt6370_mc_pattern_clear() function - Resolve Smatch warnings in the leds-bcm6328 driver - Address a potential NULL pointer dereference in the brightness_show() function - Fix an incorrect format specifier in the ss4200 driver - Prevent a resource leak in the max5970 driver's probe function - Add support for specifying the number of serial shift bits in the device tree for the BCM63138 family - Implement multicolor brightness control in the lp5562 driver - Add a device tree property to override the default LED pin polarity - Add a property to specify the default brightness value when the LED is initially on - Set missing timing properties for the ktd2692 driver - Document the "rc-feedback" trigger for controlling LEDs based on remote control activity - Convert text bindings to YAML for the pca955x driver to enable device tree validation - Remove redundant checks for invalid channel numbers in the lp55xx driver - Update the MAINTAINERS file with current contact information * tag 'leds-next-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/leds: (46 commits) leds: ss4200: Fix the wrong format specifier for 'blinking' leds: pwm: Add optional DT property default-brightness dt-bindings: leds: pwm: Add default-brightness property leds: class: Protect brightness_show() with led_cdev->led_access mutex leds: ktd2692: Set missing timing properties leds: max5970: Fix unreleased fwnode_handle in probe function leds: Introduce ordered workqueue for LEDs events instead of system_wq MAINTAINERS: Replace Siemens IPC related bouncing maintainers leds: bcm6328: Replace divide condition with comparison for shift value leds: lp55xx: Remove redundant test for invalid channel number dt-bindings: leds: pca955x: Convert text bindings to YAML leds: rgb: leds-mt6370-rgb: Fix uninitialized variable 'ret' in mt6370_mc_pattern_clear leds: lp5562: Add multicolor brightness control dt-bindings: leds: Add 'active-high' property leds: Switch back to struct platform_driver::remove() leds: bcm63138: Add some register defines leds: bcm63138: Handle shift register config leds: bcm63138: Use scopes and guards dt-bindings: leds: bcm63138: Add shift register bits leds: leds-gpio-register: Reorganize kerneldoc parameter names ... commit 80739fd00c7ea1315d362ce889bef499452913ef Merge: e288c352a4a571 8ece9d248b851b Author: Linus Torvalds Date: Fri Nov 22 16:19:47 2024 -0800 Merge tag 'mfd-next-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd Pull MFD updates from Lee Jones: - Several drivers, including atmel-flexcom/rk8xx-core, palmas, and tps65010, have undergone minor code improvements to enhance consistency and fix race conditions. - The syscon driver now utilizes the regmap max_register_is_0 capability for consistent register map configuration across syscons of all sizes. - New device support has been added for QCS8300, qcs615, SA8255p, and samsung,s2dos05, expanding the range of compatible hardware. - The cros_ec driver now supports loading cros_ec_ucsi on supported ECs and avoids loading the charger with UCSI, streamlining functionality. - The bd96801 driver now utilizes the more modern maple tree register cache, improving performance. - The da9052-spi driver has undergone a fix to change the read-mask to write-mask, preventing potential issues. - Unused declarations in max77693 have been removed, and support for samsung,s2dos05 has been added, enhancing code clarity and device compatibility. - Error handling in cs42l43 has been fixed to avoid unbalanced regulator put and ensure proper synchronization during driver removal. - The wcd934x driver now uses MODULE_DEVICE_TABLE() instead of MODULE_ALIAS(), improving code consistency. - Documentation for qcom,tcsr, syscon, and atmel-smc has been updated and reorganized for better clarity and maintainability. - The intel_soc_pmic_bxtwc driver has undergone significant improvements, including the use of IRQ domains for various devices, fixing IRQ domain names duplication, and code refactoring for better consistency and maintainability. - The ipaq-micro driver has received a fix for a missing break statement in the default case, enhancing code robustness. - Support for the AXP323 PMIC has been added to the axp20x driver, along with ensuring a clear relationship between IDs and model names, and allowing multiple regulators, broadening hardware compatibility. - The cs42l43 driver now disables IRQs during suspend for improved power management. - The adp5585 driver has reduced its dependencies by dropping the obsolete dependency on COMPILE_TEST. - Initial support for the MT6328 PMIC has been added to the mt6397 driver, expanding the range of supported hardware. - The rtc-bd70528 driver has been simplified by dropping the IC name from IRQ, improving code readability. - Documentation for qcom,spmi-pmic, ti,twl, and zii,rave-sp has been updated to enhance clarity and incorporate new features. - The rt5033 driver has received a fix for a missing regmap_del_irq_chip() in the error handling path. - New device support has been added for MSM8917, and the intel_soc_pmic_crc driver now supports non-ACPI instantiated i2c_client. - The 88pm886 driver has added support for the RTC cell, and the tqmx86 driver has improved its GPIO IRQ setup and added I2C IRQ support, increasing functionality. - The sprd,sc2731 DT schema has been updated and converted to YAML format for better readability and maintainability. * tag 'mfd-next-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd: (62 commits) dt-bindings: mfd: bd71828: Use charger resistor in mOhm instead of MOhm dt-bindings: mfd: sprd,sc2731: Convert to YAML mfd: tqmx86: Add I2C IRQ support mfd: tqmx86: Make IRQ setup errors non-fatal mfd: tqmx86: Refactor GPIO IRQ setup mfd: tqmx86: Improve gpio_irq module parameter description mfd: tqmx86: Add board definitions for TQMx120UC, TQMx130UC and TQMxE41S mfd: 88pm886: Add the RTC cell dt-bindings: mfd: Add Realtek RTL9300 switch peripherals mfd: intel_soc_pmic_crc: Add support for non ACPI instantiated i2c_client mfd: intel_soc_pmic_*: Consistently use filename as driver name dt-bindings: mfd: qcom,tcsr: Add compatible for MSM8917 mfd: rt5033: Fix missing regmap_del_irq_chip() mfd: cgbc-core: Fix error handling paths in cgbc_init_device() dt-bindings: mfd: aspeed: Support for AST2700 mfd: Switch back to struct platform_driver::remove() dt-bindings: mfd: qcom,spmi-pmic: Document PMICs added in SM8750 mfd: rtc: bd7xxxx Drop IC name from IRQ mfd: mt6397: Add initial support for MT6328 mfd: adp5585: Drop obsolete dependency on COMPILE_TEST ... commit e288c352a4a5716babf2edad4cba10ec6002a20a Merge: 06afb0f36106ec 62adcae479fe5b Author: Linus Torvalds Date: Fri Nov 22 16:11:56 2024 -0800 Merge tag 'linux_kselftest-kunit-6.13-rc1-fixed' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest Pull kunit updates from Shuah Khan: - fix user-after-free (UAF) bug in kunit_init_suite() - add option to kunit tool to print just the summary of test results - add option to kunit tool to print just the failed test results - fix kunit_zalloc_skb() to use user passed in gfp value instead of hardcoding GFP_KERNEL - fixe kunit_zalloc_skb() kernel doc to include allocation flags variable - update KUnit email address for Brendan Higgins - add LoongArch config to qemu_configs - allow overriding the shutdown mode from qemu config - enable shutdown in loongarch qemu_config - fix potential null dereference in kunit_device_driver_test() - fix debugfs to use IS_ERR() for alloc_string_stream() error check * tag 'linux_kselftest-kunit-6.13-rc1-fixed' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest: kunit: qemu_configs: loongarch: Enable shutdown kunit: tool: Allow overriding the shutdown mode from qemu config kunit: qemu_configs: Add LoongArch config kunit: debugfs: Use IS_ERR() for alloc_string_stream() error check kunit: Fix potential null dereference in kunit_device_driver_test() MAINTAINERS: Update KUnit email address for Brendan Higgins kunit: string-stream: Fix a UAF bug in kunit_init_suite() kunit: tool: print failed tests only kunit: tool: Only print the summary kunit: skb: add gfp to kernel doc for kunit_zalloc_skb() kunit: skb: use "gfp" variable instead of hardcoding GFP_KERNEL commit 0172afefbfbdd8987787c926b40b68400bd1c3d1 Author: Thomas Gleixner Date: Fri Nov 22 21:28:49 2024 +0100 tracing: Record task flag NEED_RESCHED_LAZY. The scheduler added NEED_RESCHED_LAZY scheduling. Record this state as part of trace flags and expose it in the need_resched field. Record and expose NEED_RESCHED_LAZY. [bigeasy: Commit description, documentation bits.] Cc: Peter Zijlstra Cc: Masami Hiramatsu Cc: Mathieu Desnoyers Link: https://lore.kernel.org/20241122202849.7DfYpJR0@linutronix.de Reviewed-by: Ankur Arora Reviewed-by: Steven Rostedt (Google) Signed-off-by: Thomas Gleixner Signed-off-by: Sebastian Andrzej Siewior Signed-off-by: Steven Rostedt (Google) commit 6d78089da9805787a72e52604ad4b2ed7380be3f Author: Ian Rogers Date: Wed Nov 20 16:09:55 2024 -0800 perf tests: Fix hwmon parsing with PMU name test Incorrectly the hwmon with PMU name test didn't pass "true". Fix and address issue with hwmon_pmu__config_terms needing to load events - a load bearing assert fired. Also fix missing list deletion when putting the hwmon test PMU and lower some debug warnings to make the hwmon PMU less spammy in verbose mode. Signed-off-by: Ian Rogers Tested-by: Namhyung Kim Link: https://lore.kernel.org/r/20241121000955.536930-1-irogers@google.com Signed-off-by: Namhyung Kim commit 62878b400f5b02416368eda361277c045c675466 Author: Ian Rogers Date: Tue Nov 19 15:00:33 2024 -0800 perf hwmon_pmu: Ensure hwmon key union is zeroed before use Non-zero values led to mismatches in testing. This was reproducible with -fsanitize=undefined. Reported-by: Arnaldo Carvalho de Melo Closes: https://lore.kernel.org/lkml/Zzdtj0PEWEX3ATwL@x1/ Signed-off-by: Ian Rogers Acked-by: Namhyung Kim Link: https://lore.kernel.org/r/20241119230033.115369-1-irogers@google.com Signed-off-by: Namhyung Kim commit 870748fa1fac5a397c26126bc32662e9249762c7 Author: Arnaldo Carvalho de Melo Date: Tue Nov 19 16:34:31 2024 -0300 perf tests hwmon_pmu: Remove double evlist__delete() In the error path when failing to parse events the evlist is being deleted twice, keep the one after the out label. Fixes: 531ee0fd4836994f ("perf test: Add hwmon "PMU" test") Signed-off-by: Arnaldo Carvalho de Melo Link: https://lore.kernel.org/r/ZzzoJNNcJJVnPCCe@x1 Signed-off-by: Namhyung Kim commit 5f2c8f4e1070e474642b9dea104f531b8be52e1e Author: Thomas Richter Date: Tue Nov 19 07:48:56 2024 +0100 perf/test: fix perf ftrace test on s390 On s390 the perf test case ftrace sometimes fails as follows: # ./perf test ftrace 79: perf ftrace tests : FAILED! # The failure depends on the kernel .config file. Some configurations always work fine, some do not. The ftrace profile test mostly fails, because the ring buffer was not large enough, and some lines (especially the interesting ones with nanosleep in it) where dropped. To achieve success for all tested kernel configurations, enlarge the buffer to store the traces completely without wrapping. The default buffer size is too small for all kernel configurations. Set the buffer size of for the ftrace profile test to 16 MB. Output after: # ./perf test ftrace 79: perf ftrace tests : Ok # Signed-off-by: Thomas Richter Acked-by: Namhyung Kim Cc: agordeev@linux.ibm.com Cc: gor@linux.ibm.com Cc: hca@linux.ibm.com Cc: sumanthk@linux.ibm.com Link: https://lore.kernel.org/r/20241119064856.641446-1-tmricht@linux.ibm.com Suggested-by: Sven Schnelle Suggested-by: Namhyung Kim Signed-off-by: Namhyung Kim commit bd077a53ad87cb111632e564cdfe8dfbe96786de Author: Hao Ge Date: Wed Nov 13 11:05:37 2024 +0800 perf bpf-filter: Return -ENOMEM directly when pfi allocation fails Directly return -ENOMEM when pfi allocation fails, instead of performing other operations on pfi. Fixes: 0fe2b18ddc40 ("perf bpf-filter: Support multiple events properly") Signed-off-by: Hao Ge Acked-by: Namhyung Kim Cc: hao.ge@linux.dev Cc: bpf@vger.kernel.org Link: https://lore.kernel.org/r/20241113030537.26732-1-hao.ge@linux.dev Signed-off-by: Namhyung Kim commit fc26637d70d3f1ba9df8cd0f7c22b8b331c564e7 Author: Ian Rogers Date: Sun Nov 17 21:26:38 2024 -0800 perf test: Correct hwmon test PMU detection Use name to avoid potential other hwmon PMUs. Signed-off-by: Ian Rogers Link: https://lore.kernel.org/r/20241118052638.754981-1-irogers@google.com Signed-off-by: Namhyung Kim commit 06afb0f36106ecb839c5e2509905e68c1e2677de Merge: 4b01712311c6e2 45af52e7d3b856 Author: Linus Torvalds Date: Fri Nov 22 13:27:01 2024 -0800 Merge tag 'trace-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace Pull tracing updates from Steven Rostedt: - Addition of faultable tracepoints There's a tracepoint attached to both a system call entry and exit. This location is known to allow page faults. The tracepoints are called under an rcu_read_lock() which does not allow faults that can sleep. This limits the ability of tracepoint handlers to page fault in user space system call parameters. Now these tracepoints have been made "faultable", allowing the callbacks to fault in user space parameters and record them. Note, only the infrastructure has been implemented. The consumers (perf, ftrace, BPF) now need to have their code modified to allow faults. - Fix up of BPF code for the tracepoint faultable logic - Update tracepoints to use the new static branch API - Remove trace_*_rcuidle() variants and the SRCU protection they used - Remove unused TRACE_EVENT_FL_FILTERED logic - Replace strncpy() with strscpy() and memcpy() - Use replace per_cpu_ptr(smp_processor_id()) with this_cpu_ptr() - Fix perf events to not duplicate samples when tracing is enabled - Replace atomic64_add_return(1, counter) with atomic64_inc_return(counter) - Make stack trace buffer 4K instead of PAGE_SIZE - Remove TRACE_FLAG_IRQS_NOSUPPORT flag as it was never used - Get the true return address for function tracer when function graph tracer is also running. When function_graph trace is running along with function tracer, the parent function of the function tracer sometimes is "return_to_handler", which is the function graph trampoline to record the exit of the function. Use existing logic that calls into the fgraph infrastructure to find the real return address. - Remove (un)regfunc pointers out of tracepoint structure - Added last minute bug fix for setting pending modules in stack function filter. echo "write*:mod:ext3" > /sys/kernel/tracing/stack_trace_filter Would cause a kernel NULL dereference. - Minor clean ups * tag 'trace-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: (31 commits) ftrace: Fix regression with module command in stack_trace_filter tracing: Fix function name for trampoline ftrace: Get the true parent ip for function tracer tracing: Remove redundant check on field->field in histograms bpf: ensure RCU Tasks Trace GP for sleepable raw tracepoint BPF links bpf: decouple BPF link/attach hook and BPF program sleepable semantics bpf: put bpf_link's program when link is safe to be deallocated tracing: Replace strncpy() with strscpy() when copying comm tracing: Add might_fault() check in __DECLARE_TRACE_SYSCALL tracing: Fix syscall tracepoint use-after-free tracing: Introduce tracepoint_is_faultable() tracing: Introduce tracepoint extended structure tracing: Remove TRACE_FLAG_IRQS_NOSUPPORT tracing: Replace multiple deprecated strncpy with memcpy tracing: Make percpu stack trace buffer invariant to PAGE_SIZE tracing: Use atomic64_inc_return() in trace_clock_counter() trace/trace_event_perf: remove duplicate samples on the first tracepoint event tracing/bpf: Add might_fault check to syscall probes tracing/perf: Add might_fault check to syscall probes tracing/ftrace: Add might_fault check to syscall probes ... commit 4b01712311c6e209137c4fa3e7d7920ec509456a Merge: f1db825805d48c 571f8b3f866a6d Author: Linus Torvalds Date: Fri Nov 22 13:24:22 2024 -0800 Merge tag 'trace-tools-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace Pull tracing tools updates from Steven Rostedt: - Add ':' to getopt option 'trace-buffer-size' in timerlat_hist for consistency - Remove unused sched_getattr define - Rename sched_setattr() helper to syscall_sched_setattr() to avoid conflicts - Update counters to long from int to avoid overflow - Add libcpupower dependency detection - Add --deepest-idle-state to timerlat to limit deep idle sleeps - Other minor clean ups and documentation changes * tag 'trace-tools-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: verification/dot2: Improve dot parser robustness tools/rtla: Improve exception handling in timerlat_load.py tools/rtla: Enhance argument parsing in timerlat_load.py tools/rtla: Improve code readability in timerlat_load.py rtla/timerlat: Do not set params->user_workload with -U rtla: Documentation: Mention --deepest-idle-state rtla/timerlat: Add --deepest-idle-state for hist rtla/timerlat: Add --deepest-idle-state for top rtla/utils: Add idle state disabling via libcpupower rtla: Add optional dependency on libcpupower tools/build: Add libcpupower dependency detection rtla/timerlat: Make timerlat_hist_cpu->*_count unsigned long long rtla/timerlat: Make timerlat_top_cpu->*_count unsigned long long tools/rtla: fix collision with glibc sched_attr/sched_set_attr tools/rtla: drop __NR_sched_getattr rtla: Fix consistency in getopt_long for timerlat_hist rv: Fix a typo tools/rv: Correct the grammatical errors in the comments tools/rv: Correct the grammatical errors in the comments rtla: use the definition for stdout fd when calling isatty() commit f1db825805d48cee6826b7dc082a04112c1f0c8d Merge: be4202228e685d 537affea1672a8 Author: Linus Torvalds Date: Fri Nov 22 13:11:17 2024 -0800 Merge tag 'trace-ring-buffer-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace Pull trace ring-buffer updates from Steven Rostedt: - Limit time interrupts are disabled in rb_check_pages() rb_check_pages() is called after the ring buffer size is updated to make sure that the ring buffer has not been corrupted. Commit c2274b908db0 ("ring-buffer: Fix a race between readers and resize checks") fixed a race with the check pages and simultaneous resizes to the ring buffer by adding a raw_spin_lock_irqsave() around the check operation. Although this was a simple fix, it would hold interrupts disabled for non determinative amount of time. This could harm PREEMPT_RT operations. Instead, modify the logic by adding a counter when the buffer is modified and to release the raw_spin_lock() at each iteration. It checks the counter under the lock to see if a modification happened during the loop, and if it did, it would restart the loop up to 3 times. After 3 times, it will simply exit the check, as it is unlikely that would ever happen as buffer resizes are rare occurrences. - Replace some open coded str_low_high() with the helper - Fix some documentation/comments * tag 'trace-ring-buffer-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: ring-buffer: Correct a grammatical error in a comment ring-buffer: Use str_low_high() helper in ring_buffer_producer() ring-buffer: Reorganize kerneldoc parameter names ring-buffer: Limit time with disabled interrupts in rb_check_pages() commit be4202228e685d580d75ac7597c0e7e50a63dd6c Merge: 5af5d43f848e95 7ae15e2f69bad0 Author: Linus Torvalds Date: Fri Nov 22 13:07:19 2024 -0800 Merge tag 'x86_tdx_for_6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull tdx updates from Dave Hansen: "These essentially refine some interactions between TDX guests and VMMs. The first leverages a new TDX module feature to runtime disable the ability for a VM to inject #VE exceptions. Before this feature, there was only a static on/off switch and the guest had to panic if it was configured in a bad state. The second lets the guest opt in to be able to access the topology CPUID leaves. Before this, accesses to those leaves would #VE. For both of these, it would have been nicest to just change the default behavior, but some pesky "other" OSes evidently need to retain the legacy behavior. Summary: - Add new infrastructure for reading TDX metadata - Use the newly-available metadata to: - Disable potentially nasty #VE exceptions - Get more complete CPU topology information from the VMM" * tag 'x86_tdx_for_6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/tdx: Enable CPU topology enumeration x86/tdx: Dynamically disable SEPT violations from causing #VEs x86/tdx: Rename tdx_parse_tdinfo() to tdx_setup() x86/tdx: Introduce wrappers to read and write TD metadata commit 5af5d43f848e95019d0e018e67a7a341c6a5e00d Merge: be9318cd5a36ff 62e724494db795 Author: Linus Torvalds Date: Fri Nov 22 12:52:03 2024 -0800 Merge tag 'x86_misc_for_6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull misc x86 updates from Dave Hansen: "As usual for this branch, these are super random: a compile fix for some newish LLVM checks and making sure a Kconfig text reference to 'RSB' matches the normal definition: - Rework some CPU setup code to keep LLVM happy on 32-bit - Correct RSB terminology in Kconfig text" * tag 'x86_misc_for_6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/cpu: Make sure flag_is_changeable_p() is always being used x86/bugs: Correct RSB terminology in Kconfig commit be9318cd5a36ff67689e0fb0f8f5007a56290ac7 Merge: 563cb0b1e73685 f060c89dc1a3cf Author: Linus Torvalds Date: Fri Nov 22 12:50:00 2024 -0800 Merge tag 'x86_sgx_for_6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull sgx update from Dave Hansen: - Use vmalloc_array() instead of vmalloc() * tag 'x86_sgx_for_6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/sgx: Use vmalloc_array() instead of vmalloc() commit 563cb0b1e736853cfc78956b9de362d2aae74887 Merge: 28eb75e178d389 a83383e2ae7c49 Author: Linus Torvalds Date: Fri Nov 22 12:33:52 2024 -0800 Merge tag 'cxl-for-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl Pull cxl updates from Dave Jiang: - Constify range_contains() input parameters to prevent changes - Add support for displaying RCD capabilities in sysfs to support lspci for CXL device - Downgrade warning message to debug in cxl_probe_component_regs() - Add support for adding a printf specifier '%pra' to emit 'struct range' content: - Add sanity tests for 'struct resource' - Add documentation for special case - Add %pra for 'struct range' - Add %pra usage in CXL code - Add preparation code for DCD support: - Add range_overlaps() - Add CDAT DSMAS table shared and read only flag in ACPICA - Add documentation to 'struct dev_dax_range' - Delay event buffer allocation in CXL PCI code until needed - Use guard() in cxl_dpa_set_mode() - Refactor create region code to consolidate common code * tag 'cxl-for-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl: cxl/region: Refactor common create region code cxl/hdm: Use guard() in cxl_dpa_set_mode() cxl/pci: Delay event buffer allocation dax: Document struct dev_dax_range ACPI/CDAT: Add CDAT/DSMAS shared and read only flag values range: Add range_overlaps() cxl/cdat: Use %pra for dpa range outputs printf: Add print format (%pra) for struct range Documentation/printf: struct resource add start == end special case test printf: Add very basic struct resource tests cxl: downgrade a warning message to debug level in cxl_probe_component_regs() cxl/pci: Add sysfs attribute for CXL 1.1 device link status cxl/core/regs: Add rcd_pcie_cap initialization kernel/range: Const-ify range_contains parameters commit 9d8a2b033db179bef9b6b5bad492f611a0fe89b7 Author: Miao Wang Date: Thu Nov 21 22:25:21 2024 +0800 ACPI: introduce acpi_arch_init() To avoid arch-specific code in general ACPI initialization flow, introduce a weak symbol acpi_arch_init(). Currently, arm64 and riscv can utillize this to insert their arch-specific flow. In the future, other architectures can also have a chance to define their own arch-specific ACPI initialization process if necessary. Reviewed-by: Sunil V L Reviewed-by: Sudeep Holla Acked-by: Hanjun Guo Signed-off-by: Miao Wang Link: https://patch.msgid.link/20241121-intro-acpi-arch-init-v4-1-b1fb517e7d8b@gmail.com [ rjw: Subject and changelog edits ] Signed-off-by: Rafael J. Wysocki commit f3e66e78f2ecb18a55374f7d58030556b751dd79 Merge: baf4ae80382350 9cf9f2e70bea4e Author: Rafael J. Wysocki Date: Fri Nov 22 21:17:18 2024 +0100 Merge branch 'pm-cpuidle' Merge additional cpuidle changes for 6.13-rc1: - Make cpuidle_play_dead() try all idle states with :enter_dead() callbacks and change their return type to void (Rafael Wysocki). * pm-cpuidle: cpuidle: Change :enter_dead() driver callback return type to void cpuidle: Do not return from cpuidle_play_dead() on callback failures commit bd8aa15848f5f21951cd0b0d01510b3ad1f777d4 Author: Hans de Goede Date: Sat Nov 16 10:58:25 2024 +0100 ACPI: x86: Clean up Asus entries in acpi_quirk_skip_dmi_ids[] The Asus entries in the acpi_quirk_skip_dmi_ids[] table are the only entries without a comment which model they apply to. Add these comments. The Asus TF103C entry also is in the wrong place for what is supposed to be an alphabetically sorted list. Move it up so that the list is properly sorted and add a comment that the list is alphabetically sorted. Signed-off-by: Hans de Goede Link: https://patch.msgid.link/20241116095825.11660-2-hdegoede@redhat.com [ rjw: Changelog and subject edits ] Signed-off-by: Rafael J. Wysocki commit 82f250ed1a1dcde0ad2a1513f85af7f9514635e8 Author: Hans de Goede Date: Sat Nov 16 10:58:24 2024 +0100 ACPI: x86: Add skip i2c clients quirk for Acer Iconia One 8 A1-840 The Acer Iconia One 8 A1-840 (not to be confused with the A1-840FHD which is a different model) ships with Android 4.4 as factory OS and has the usual broken DSDT issues for x86 Android tablets. Add quirks to skip ACPI I2C client enumeration and disable ACPI battery/AC and ACPI GPIO event handlers. Also add the "INT33F5" HID for the TI PMIC used on this tablet to the list of HIDs for which not to skip i2c_client instantiation, since we do want an ACPI instantiated i2c_client for the PMIC. Signed-off-by: Hans de Goede Link: https://patch.msgid.link/20241116095825.11660-1-hdegoede@redhat.com Signed-off-by: Rafael J. Wysocki commit 1ec371bab200de8510c893cd22865eb517577e83 Author: Finn Thain Date: Wed Nov 13 09:32:15 2024 +1100 m68k: mvme147, mvme16x: Adopt rtc-m48t59 platform driver Both mvme147 and mvme16x platforms have their own RTC driver implementations that duplicate functionality provided by the rtc-m48t59 driver. Adopt the rtc-m48t59 driver and remove the other ones. Tested-by: Daniel Palmer Signed-off-by: Finn Thain Reviewed-by: Geert Uytterhoeven Acked-by: Geert Uytterhoeven Link: https://lore.kernel.org/r/19a16bcc94c42ea9c5397b37b1918c2937e3faab.1731450735.git.fthain@linux-m68k.org Signed-off-by: Alexandre Belloni commit d53764723ecd639a0cc0c5ad24146847fc09f78d Author: Jason Gunthorpe Date: Thu Nov 14 15:55:31 2024 -0400 iommu: Rename ops->domain_alloc_user() to domain_alloc_paging_flags() Now that the main domain allocating path is calling this function it doesn't make sense to leave it named _user. Change the name to alloc_paging_flags() to mirror the new iommu_paging_domain_alloc_flags() function. A driver should implement only one of ops->domain_alloc_paging() or ops->domain_alloc_paging_flags(). The former is a simpler interface with less boiler plate that the majority of drivers use. The latter is for drivers with a greater feature set (PASID, multiple page table support, advanced iommufd support, nesting, etc). Additional patches will be needed to achieve this. Link: https://patch.msgid.link/r/2-v1-c252ebdeb57b+329-iommu_paging_flags_jgg@nvidia.com Reviewed-by: Lu Baolu Signed-off-by: Jason Gunthorpe commit 64214c2b95364d26cdff045d8bbefd37380edbe1 Author: Jason Gunthorpe Date: Thu Nov 14 15:55:30 2024 -0400 iommu: Add ops->domain_alloc_nested() It turns out all the drivers that are using this immediately call into another function, so just make that function directly into the op. This makes paging=NULL for domain_alloc_user and we can remove the argument in the next patch. The function mirrors the similar op in the viommu that allocates a nested domain on top of the viommu's nesting parent. This version supports cases where a viommu is not being used. Link: https://patch.msgid.link/r/1-v1-c252ebdeb57b+329-iommu_paging_flags_jgg@nvidia.com Reviewed-by: Lu Baolu Signed-off-by: Jason Gunthorpe commit 2d762281950877eb450ac98bc77a6d340f6b5249 Merge: 6d026e6d48cd2a 42f0cbb2a253bc Author: Jason Gunthorpe Date: Fri Nov 22 14:37:25 2024 -0400 Merge tag 'iommu-updates-v6.13' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/iommu/linux into iommufd.git Merge with Joerg's tree for dependencies on the next patches. ====================================== IOMMU Updates for Linux v6.13: Including: - Core Updates: - Convert call-sites using iommu_domain_alloc() to more specific versions and remove function. - Introduce iommu_paging_domain_alloc_flags(). - Extend support for allocating PASID-capable domains to more drivers. - Remove iommu_present(). - Some smaller improvements. - New IOMMU driver for RISC-V. - Intel VT-d Updates: - Add domain_alloc_paging support. - Enable user space IOPFs in non-PASID and non-svm cases. - Small code refactoring and cleanups. - Add domain replacement support for pasid. - AMD-Vi Updates: - Adapt to iommu_paging_domain_alloc_flags() interface and alloc V2 page-tables by default. - Replace custom domain ID allocator with IDA allocator. - Add ops->release_domain() support. - Other improvements to device attach and domain allocation code paths. - ARM-SMMU Updates: - SMMUv2: - Return -EPROBE_DEFER for client devices probing before their SMMU. - Devicetree binding updates for Qualcomm MMU-500 implementations. - SMMUv3: - Minor fixes and cleanup for NVIDIA's virtual command queue driver. - IO-PGTable: - Fix indexing of concatenated PGDs and extend selftest coverage. - Remove unused block-splitting support. - S390 IOMMU: - Implement support for blocking domain. - Mediatek IOMMU: - Enable 35-bit physical address support for mt8186. - OMAP IOMMU driver: - Adapt to recent IOMMU core changes and unbreak driver. ====================================== Signed-off-by: Jason Gunthorpe commit 83a474c11e8cb59e230a43365cb42fa00d3bddaa Author: Sebastian Fricke Date: Mon Nov 18 08:03:51 2024 +0100 docs: Add debugging guide for the media subsystem Provide a guide for developers on how to debug code with a focus on the media subsystem. This document aims to provide a rough overview over the possibilities and a rational to help choosing the right tool for the given circumstances. Signed-off-by: Sebastian Fricke Signed-off-by: Jonathan Corbet Link: https://lore.kernel.org/r/20241028-media_docs_improve_v3-v3-2-edf5c5b3746f@collabora.com commit a037699da0a17e99832875a936b5a6285d8de849 Author: Sebastian Fricke Date: Mon Nov 18 08:03:50 2024 +0100 docs: Add debugging section to process This idea was formed after noticing that new developers experience certain difficulty to navigate within the multitude of different debugging options in the Kernel and while there often is good documentation for the tools, the developer has to know first that they exist and where to find them. Add a general debugging section to the Kernel documentation, as an easily locatable entry point to other documentation and as a general guideline for the topic. Signed-off-by: Sebastian Fricke Reviewed-by: Randy Dunlap Signed-off-by: Jonathan Corbet Link: https://lore.kernel.org/r/20241028-media_docs_improve_v3-v3-1-edf5c5b3746f@collabora.com commit d8c949c577b5adb9fb87923b5429767aae4be590 Author: Uwe Kleine-König Date: Fri Nov 15 11:38:41 2024 +0100 docs/licensing: Clarify wording about "GPL" and "Proprietary" There are currently some doubts about out-of-tree kernel modules licensed under GPLv3 and if they are supposed to be able to use symbols exported using EXPORT_SYMBOL_GPL. Clarify that "Proprietary" means anything non-GPL2 even though the license might be an open source license. Also disambiguate "GPL compatible" to "GPLv2 compatible". Signed-off-by: Uwe Kleine-König Signed-off-by: Jonathan Corbet Link: https://lore.kernel.org/r/20241115103842.585207-2-ukleinek@kernel.org commit 21e500138b6f3040423bb1959ac9ffe68d138733 Author: Pavel Tikhomirov Date: Tue Nov 19 17:39:01 2024 +0800 docs: core-api/gfp_mask-from-fs-io: indicate that vmalloc supports GFP_NOFS/GFP_NOIO After the commit 451769ebb7e79 ("mm/vmalloc: alloc GFP_NO{FS,IO} for vmalloc") in v5.17 it is now safe to use GFP_NOFS/GFP_NOIO flags in [k]vmalloc, let's reflect it in documentation. Signed-off-by: Pavel Tikhomirov Acked-by: Michal Hocko Signed-off-by: Jonathan Corbet Link: https://lore.kernel.org/r/20241119093922.567138-1-ptikhomirov@virtuozzo.com commit 9e6c5870bb44950d7a636db1af1948d71244e616 Author: Randy Dunlap Date: Tue Nov 19 12:32:01 2024 -0800 Documentation: kernel-doc: enumerate identifier *type*s Explain that a kernel-doc :identifiers: line can refer to a struct, union, enum, or typedef as well as functions. Signed-off-by: Randy Dunlap Cc: Jonathan Corbet Signed-off-by: Jonathan Corbet Link: https://lore.kernel.org/r/20241119203201.110953-1-rdunlap@infradead.org commit 72471fc769e4590cd6b662aa0a987eeae2be7d3b Author: Javier Carrasco Date: Wed Nov 20 02:14:07 2024 +0100 Documentation: pwrseq: Fix trivial misspellings Use proper spelling for 'discrete'. When at it, capitalize 'Linux', which is common practice in the documentation. Signed-off-by: Javier Carrasco Reviewed-by: Randy Dunlap Signed-off-by: Jonathan Corbet Link: https://lore.kernel.org/r/20241120-pwrseq-doc-trivial-fixes-v1-1-19a70f4dd156@gmail.com commit 1e726223be5bdedc59ccf9df3bed53456cb2fb05 Author: Randy Dunlap Date: Tue Nov 19 21:52:46 2024 -0800 Documentation: filesystems: update filename extensions Update references to most txt files to rst files. Update one reference to an md file to a rst file. Update one file path to its current location. Signed-off-by: Randy Dunlap Cc: Jonathan Corbet Cc: linux-doc@vger.kernel.org Cc: Alexander Viro Cc: Christian Brauner Cc: Jan Kara Cc: linux-fsdevel@vger.kernel.org Cc: Ian Kent Cc: autofs@vger.kernel.org Cc: Alexander Aring Cc: David Teigland Cc: gfs2@lists.linux.dev Cc: Eric Biggers Cc: Theodore Y. Ts'o Cc: fsverity@lists.linux.dev Cc: Mark Fasheh Cc: Joel Becker Cc: Joseph Qi Cc: ocfs2-devel@lists.linux.dev Reviewed-by: Christian Brauner (Microsoft) Signed-off-by: Jonathan Corbet Link: https://lore.kernel.org/r/20241120055246.158368-1-rdunlap@infradead.org commit e0260d530b73ee969ae971d14daa02376dcfc93f Author: Dominique Martinet Date: Fri Nov 22 23:43:02 2024 +0900 net/9p/usbg: allow building as standalone module There is no reason only the usbg transport would not be its own module, so make it tristate. In particular, this fixes a couple of issues the current bool had: - trans_usbg was apparently not compiled at all when NET_9P=m - the workaround added in commit 2193ede180dd ("net/9p/usbg: fix CONFIG_USB_GADGET dependency") became redundant because a tristate item cannot be built-in when its dependency is a module, so we can depend on USB_GADGET "normally" again. Cc: Michael Grzeschik Link: https://lkml.kernel.org/r/ZzhWRPDNwu225NWz@codewreck.org Message-ID: <20241122144754.1231919-1-asmadeus@codewreck.org> Signed-off-by: Dominique Martinet commit e43c608f40c065b30964f0a806348062991b802d Author: Alex Zenla Date: Thu Nov 21 22:51:00 2024 +0000 9p/xen: fix release of IRQ Kernel logs indicate an IRQ was double-freed. Pass correct device ID during IRQ release. Fixes: 71ebd71921e45 ("xen/9pfs: connect to the backend") Signed-off-by: Alex Zenla Signed-off-by: Alexander Merritt Signed-off-by: Ariadne Conill Reviewed-by: Juergen Gross Message-ID: <20241121225100.5736-1-alexander@edera.dev> [Dominique: remove confusing variable reset to 0] Signed-off-by: Dominique Martinet commit acfeb6defcb9310b1ff44db1e633798ba766337d Author: David Wang <00107082@163.com> Date: Wed Nov 20 13:30:55 2024 +0800 Fix a potential abuse of seq_printf() format string in drivers Using device name as format string of seq_printf() is proned to "Format string attack", opens possibility for exploitation. Seq_puts() is safer and more efficient. Signed-off-by: David Wang <00107082@163.com> Reviewed-by: Kees Cook Link: https://lore.kernel.org/r/20241120053055.225195-1-00107082@163.com Signed-off-by: Greg Kroah-Hartman commit f57c084928661969a337c731cd05e1da97320829 Author: Christophe JAILLET Date: Fri Nov 22 13:45:45 2024 +0100 gpio: mpsse: Remove usage of the deprecated ida_simple_xx() API ida_alloc() and ida_free() should be preferred to the deprecated ida_simple_get() and ida_simple_remove(). This is less verbose. Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/2ce706d3242b9d3e4b9c20c0a7d9a8afcf8897ec.1729423829.git.christophe.jaillet@wanadoo.fr Signed-off-by: Bartosz Golaszewski commit 088f294609d8f8816dc316681aef2eb61982e0da Author: Jiri Olsa Date: Fri Nov 22 00:11:18 2024 +0100 fs/proc/kcore.c: Clear ret value in read_kcore_iter after successful iov_iter_zero If iov_iter_zero succeeds after failed copy_from_kernel_nofault, we need to reset the ret value to zero otherwise it will be returned as final return value of read_kcore_iter. This fixes objdump -d dump over /proc/kcore for me. Cc: stable@vger.kernel.org Cc: Alexander Gordeev Fixes: 3d5854d75e31 ("fs/proc/kcore.c: allow translation of physical memory addresses") Signed-off-by: Jiri Olsa Link: https://lore.kernel.org/r/20241121231118.3212000-1-jolsa@kernel.org Acked-by: Alexander Gordeev Signed-off-by: Christian Brauner commit a8581099604dfa609a34a3fac8ef5af0d300d2c1 Author: Dave Chinner Date: Wed Nov 13 11:11:40 2024 +0100 xfs: prevent mount and log shutdown race I recently had an fstests hang where there were two internal tasks stuck like so: [ 6559.010870] task:kworker/24:45 state:D stack:12152 pid:631308 tgid:631308 ppid:2 flags:0x00004000 [ 6559.016984] Workqueue: xfs-buf/dm-2 xfs_buf_ioend_work [ 6559.020349] Call Trace: [ 6559.022002] [ 6559.023426] __schedule+0x650/0xb10 [ 6559.025734] schedule+0x6d/0xf0 [ 6559.027835] schedule_timeout+0x31/0x180 [ 6559.030582] wait_for_common+0x10c/0x1e0 [ 6559.033495] wait_for_completion+0x1d/0x30 [ 6559.036463] __flush_workqueue+0xeb/0x490 [ 6559.039479] ? mempool_alloc_slab+0x15/0x20 [ 6559.042537] xlog_cil_force_seq+0xa1/0x2f0 [ 6559.045498] ? bio_alloc_bioset+0x1d8/0x510 [ 6559.048578] ? submit_bio_noacct+0x2f2/0x380 [ 6559.051665] ? xlog_force_shutdown+0x3b/0x170 [ 6559.054819] xfs_log_force+0x77/0x230 [ 6559.057455] xlog_force_shutdown+0x3b/0x170 [ 6559.060507] xfs_do_force_shutdown+0xd4/0x200 [ 6559.063798] ? xfs_buf_rele+0x1bd/0x580 [ 6559.066541] xfs_buf_ioend_handle_error+0x163/0x2e0 [ 6559.070099] xfs_buf_ioend+0x61/0x200 [ 6559.072728] xfs_buf_ioend_work+0x15/0x20 [ 6559.075706] process_scheduled_works+0x1d4/0x400 [ 6559.078814] worker_thread+0x234/0x2e0 [ 6559.081300] kthread+0x147/0x170 [ 6559.083462] ? __pfx_worker_thread+0x10/0x10 [ 6559.086295] ? __pfx_kthread+0x10/0x10 [ 6559.088771] ret_from_fork+0x3e/0x50 [ 6559.091153] ? __pfx_kthread+0x10/0x10 [ 6559.093624] ret_from_fork_asm+0x1a/0x30 [ 6559.096227] [ 6559.109304] Workqueue: xfs-cil/dm-2 xlog_cil_push_work [ 6559.112673] Call Trace: [ 6559.114333] [ 6559.115760] __schedule+0x650/0xb10 [ 6559.118084] schedule+0x6d/0xf0 [ 6559.120175] schedule_timeout+0x31/0x180 [ 6559.122776] ? call_rcu+0xee/0x2f0 [ 6559.125034] __down_common+0xbe/0x1f0 [ 6559.127470] __down+0x1d/0x30 [ 6559.129458] down+0x48/0x50 [ 6559.131343] ? xfs_buf_item_unpin+0x8d/0x380 [ 6559.134213] xfs_buf_lock+0x3d/0xe0 [ 6559.136544] xfs_buf_item_unpin+0x8d/0x380 [ 6559.139253] xlog_cil_committed+0x287/0x520 [ 6559.142019] ? sched_clock+0x10/0x30 [ 6559.144384] ? sched_clock_cpu+0x10/0x190 [ 6559.147039] ? psi_group_change+0x48/0x310 [ 6559.149735] ? _raw_spin_unlock+0xe/0x30 [ 6559.152340] ? finish_task_switch+0xbc/0x310 [ 6559.155163] xlog_cil_process_committed+0x6d/0x90 [ 6559.158265] xlog_state_shutdown_callbacks+0x53/0x110 [ 6559.161564] ? xlog_cil_push_work+0xa70/0xaf0 [ 6559.164441] xlog_state_release_iclog+0xba/0x1b0 [ 6559.167483] xlog_cil_push_work+0xa70/0xaf0 [ 6559.170260] process_scheduled_works+0x1d4/0x400 [ 6559.173286] worker_thread+0x234/0x2e0 [ 6559.175779] kthread+0x147/0x170 [ 6559.177933] ? __pfx_worker_thread+0x10/0x10 [ 6559.180748] ? __pfx_kthread+0x10/0x10 [ 6559.183231] ret_from_fork+0x3e/0x50 [ 6559.185601] ? __pfx_kthread+0x10/0x10 [ 6559.188092] ret_from_fork_asm+0x1a/0x30 [ 6559.190692] This is an ABBA deadlock where buffer IO completion is triggering a forced shutdown with the buffer lock held. It is waiting for the CIL to flush as part of the log force. The CIL flush is blocked doing shutdown processing of all it's objects, trying to unpin a buffer item. That requires taking the buffer lock.... For the CIL to be doing shutdown processing, the log must be marked with XLOG_IO_ERROR, but that doesn't happen until after the log force is issued. Hence for xfs_do_force_shutdown() to be forcing the log on a shut down log, we must have had a racing xlog_force_shutdown and xfs_force_shutdown like so: p0 p1 CIL push xlog_force_shutdown xfs_log_force test_and_set_bit(XLOG_IO_ERROR) xlog_state_release_iclog() sees XLOG_IO_ERROR xlog_state_shutdown_callbacks .... xfs_buf_item_unpin xfs_buf_lock xfs_force_shutdown xfs_set_shutdown(mp) wins xlog_force_shutdown xfs_log_force xfs_set_shutdown(mp) fails The deadlock can be mitigated by avoiding the log force on the second pass through xlog_force_shutdown. Do this by adding another atomic state bit (XLOG_OP_PENDING_SHUTDOWN) that is set on entry to xlog_force_shutdown() but doesn't mark the log as shutdown. Signed-off-by: Dave Chinner Reviewed-by: Darrick J. Wong Reviewed-by: Christoph Hellwig Signed-off-by: Carlos Maiolino commit c9c293240e4351aa2678186cd88a08141fc6ce9e Author: Dave Chinner Date: Wed May 15 22:44:44 1996 +0000 xfs: delalloc and quota softlimit timers are incoherent I've been seeing this failure on during xfs/050 recently: XFS: Assertion failed: dst->d_spc_timer != 0, file: fs/xfs/xfs_qm_syscalls.c, line: 435 .... Call Trace: xfs_qm_scall_getquota_fill_qc+0x2a2/0x2b0 xfs_qm_scall_getquota_next+0x69/0xa0 xfs_fs_get_nextdqblk+0x62/0xf0 quota_getnextxquota+0xbf/0x320 do_quotactl+0x1a1/0x410 __se_sys_quotactl+0x126/0x310 __x64_sys_quotactl+0x21/0x30 x64_sys_call+0x2819/0x2ee0 do_syscall_64+0x68/0x130 entry_SYSCALL_64_after_hwframe+0x76/0x7e It turns out that the _qmount call has silently been failing to unmount and mount the filesystem, so when the softlimit is pushed past with a buffered write, it is not getting synced to disk before the next quota report is being run. Hence when the quota report runs, we have 300 blocks of delalloc data on an inode, with a soft limit of 200 blocks. XFS dquots account delalloc reservations as used space, hence the dquot is over the soft limit. However, we don't update the soft limit timers until we do a transactional update of the dquot. That is, the dquot sits over the soft limit without a softlimit timer being started until writeback occurs and the allocation modifies the dquot and we call xfs_qm_adjust_dqtimers() from xfs_trans_apply_dquot_deltas() in xfs_trans_commit() context. This isn't really a problem, except for this debug code in xfs_qm_scall_getquota_fill_qc(): if (xfs_dquot_is_enforced(dqp) && dqp->q_id != 0) { if ((dst->d_space > dst->d_spc_softlimit) && (dst->d_spc_softlimit > 0)) { ASSERT(dst->d_spc_timer != 0); } .... It asserts taht if the used block count is over the soft limit, it *must* have a soft limit timer running. This is clearly not the case, because we haven't committed the delalloc space to disk yet. Hence the soft limit is only exceeded temporarily in memory (which isn't an issue) and we start the timer the moment we exceed the soft limit in journalled metadata. This debug was introduced in: commit 0d5ad8383061fbc0a9804fbb98218750000fe032 Author: Supriya Wickrematillake Date: Wed May 15 22:44:44 1996 +0000 initial checkin quotactl syscall functions. The very first quota support commit back in 1996. This is zero-day debug for Irix and, as it turns out, a zero-day bug in the debug code because the delalloc code on Irix didn't update the softlimit timers, either. IOWs, this issue has been in the code for 28 years. We obviously don't care if soft limit timers are a bit rubbery when we have delalloc reservations in memory. Production systems running quota reports have been exposed to this situation for 28 years and nobody has noticed it, so the debug code is essentially worthless at this point in time. We also have the on-disk dquot verifiers checking that the soft limit timer is running whenever the dquot is over the soft limit before we write it to disk and after we read it from disk. These aren't firing, so it is clear the issue is purely a temporary in-memory incoherency that I never would have noticed had the test not silently failed to unmount the filesystem. Hence I'm simply going to trash this runtime debug because it isn't useful in the slightest for catching quota bugs. Signed-off-by: Dave Chinner Reviewed-by: Darrick J. Wong Reviewed-by: Christoph Hellwig Signed-off-by: Carlos Maiolino commit 13325333582d4820d39b9e8f63d6a54e745585d9 Author: Dave Chinner Date: Wed Nov 13 11:11:20 2024 +0100 xfs: fix sparse inode limits on runt AG The runt AG at the end of a filesystem is almost always smaller than the mp->m_sb.sb_agblocks. Unfortunately, when setting the max_agbno limit for the inode chunk allocation, we do not take this into account. This means we can allocate a sparse inode chunk that overlaps beyond the end of an AG. When we go to allocate an inode from that sparse chunk, the irec fails validation because the agbno of the start of the irec is beyond valid limits for the runt AG. Prevent this from happening by taking into account the size of the runt AG when allocating inode chunks. Also convert the various checks for valid inode chunk agbnos to use xfs_ag_block_count() so that they will also catch such issues in the future. Fixes: 56d1115c9bc7 ("xfs: allocate sparse inode chunks on full chunk allocation failure") Signed-off-by: Dave Chinner Reviewed-by: Darrick J. Wong Signed-off-by: Carlos Maiolino commit 652f03db897ba24f9c4b269e254ccc6cc01ff1b7 Author: Long Li Date: Wed Nov 13 17:17:15 2024 +0800 xfs: remove unknown compat feature check in superblock write validation Compat features are new features that older kernels can safely ignore, allowing read-write mounts without issues. The current sb write validation implementation returns -EFSCORRUPTED for unknown compat features, preventing filesystem write operations and contradicting the feature's definition. Additionally, if the mounted image is unclean, the log recovery may need to write to the superblock. Returning an error for unknown compat features during sb write validation can cause mount failures. Although XFS currently does not use compat feature flags, this issue affects current kernels' ability to mount images that may use compat feature flags in the future. Since superblock read validation already warns about unknown compat features, it's unnecessary to repeat this warning during write validation. Therefore, the relevant code in write validation is being removed. Fixes: 9e037cb7972f ("xfs: check for unknown v5 feature bits in superblock write verifier") Cc: stable@vger.kernel.org # v4.19+ Signed-off-by: Long Li Reviewed-by: Darrick J. Wong Reviewed-by: Christoph Hellwig Signed-off-by: Carlos Maiolino commit 818956c76517e127fad8cf02cd29866e0a852072 Author: Arnd Bergmann Date: Fri Oct 18 15:10:10 2024 +0000 drm/rockchip: avoid 64-bit division Dividing a 64-bit integer prevents building this for 32-bit targets: ERROR: modpost: "__aeabi_uldivmod" [drivers/gpu/drm/rockchip/rockchipdrm.ko] undefined! As this function is not performance criticial, just Use the div_u64() helper. Fixes: 128a9bf8ace2 ("drm/rockchip: Add basic RK3588 HDMI output support") Signed-off-by: Arnd Bergmann Reviewed-by: Dmitry Baryshkov Reviewed-by: Nathan Chancellor Link: https://lore.kernel.org/r/20241018151016.3496613-1-arnd@kernel.org Signed-off-by: Liviu Dudau (cherry picked from commit 4b64b4a81fcd51f570c046cf904aef19ec756d45) Signed-off-by: Maxime Ripard commit 45f69d091bab64a332fe751da9829dcd136348fd Author: Long Li Date: Sat Jun 22 16:26:31 2024 +0800 xfs: eliminate lockdep false positives in xfs_attr_shortform_list xfs_attr_shortform_list() only called from a non-transactional context, it hold ilock before alloc memory and maybe trapped in memory reclaim. Since commit 204fae32d5f7("xfs: clean up remaining GFP_NOFS users") removed GFP_NOFS flag, lockdep warning will be report as [1]. Eliminate lockdep false positives by use __GFP_NOLOCKDEP to alloc memory in xfs_attr_shortform_list(). [1] https://lore.kernel.org/linux-xfs/000000000000e33add0616358204@google.com/ Reported-by: syzbot+4248e91deb3db78358a2@syzkaller.appspotmail.com Signed-off-by: Long Li Reviewed-by: Dave Chinner Signed-off-by: Carlos Maiolino commit 1b9bc4207e81206ea6b6a906e01438b7782c3a58 Merge: adc218676eef25 771d271b2b908c Author: Huacai Chen Date: Fri Nov 22 15:44:09 2024 +0800 Merge tag 'sched-core-2024-11-18' into loongarch-next LoongArch architecture changes for 6.13 depend on the sched-core changes (PREEMPT_LAZY) to completely support RT, so merge them to create a base. commit 5578b4347bb5d5dfc8eeb8ee2eb8248658707d9b Author: Rob Herring (Arm) Date: Wed Nov 6 20:17:42 2024 +0200 tpm: atmel: Drop PPC64 specific MMIO setup The PPC64 specific MMIO setup open codes DT address functions rather than using standard address parsing functions. The open-coded version fails to handle any address translation and is not endian safe. I haven't found any evidence of what platform used this. The only thing that turned up was a PPC405 platform, but that is 32-bit and PPC405 support is being removed as well. CONFIG_TCG_ATMEL is not enabled for any powerpc config and never was. The support was added in 2005 and hasn't been touched since. Rather than try to modernize and fix this code, just remove it. [jarkko: fixed couple of style issues reported by checkpatch.pl --strict and put offset into parentheses in the macro declarations.] Signed-off-by: Rob Herring (Arm) Acked-by: Michael Ellerman Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen commit 28eb75e178d389d325f1666e422bc13bbbb9804c Merge: 071b34dcf71523 a163b895077861 Author: Linus Torvalds Date: Thu Nov 21 14:56:17 2024 -0800 Merge tag 'drm-next-2024-11-21' of https://gitlab.freedesktop.org/drm/kernel Pull drm updates from Dave Airlie: "There's a lot of rework, the panic helper support is being added to more drivers, v3d gets support for HW superpages, scheduler documentation, drm client and video aperture reworks, some new MAINTAINERS added, amdgpu has the usual lots of IP refactors, Intel has some Pantherlake enablement and xe is getting some SRIOV bits, but just lots of stuff everywhere. core: - split DSC helpers from DP helpers - clang build fixes for drm/mm test - drop simple pipeline support for gem vram - document submission error signaling - move drm_rect to drm core module from kms helper - add default client setup to most drivers - move to video aperture helpers instead of drm ones tests: - new framebuffer tests ttm: - remove swapped and pinned BOs from TTM lru panic: - fix uninit spinlock - add ABGR2101010 support bridge: - add TI TDP158 support - use standard PM OPS dma-fence: - use read_trylock instead of read_lock to help lockdep scheduler: - add errno to sched start to report different errors - add locking to drm_sched_entity_modify_sched - improve documentation xe: - add drm_line_printer - lots of refactoring - Enable Xe2 + PES disaggregation - add new ARL PCI ID - SRIOV development work - fix exec unnecessary implicit fence - define and parse OA sync props - forcewake refactoring i915: - Enable BMG/LNL ultra joiner - Enable 10bpx + CCS scanout on ICL+, fp16/CCS on TGL+ - use DSB for plane/color mgmt - Arrow lake PCI IDs - lots of i915/xe display refactoring - enable PXP GuC autoteardown - Pantherlake (PTL) Xe3 LPD display enablement - Allow fastset HDR infoframe changes - write DP source OUI for non-eDP sinks - share PCI IDs between i915 and xe amdgpu: - SDMA queue reset support - SMU 13.0.6, JPEG 4.0.3 updates - Initial runtime repartitioning support - rework IP structs for multiple IP instances - Fetch EDID from _DDC if available - SMU13 zero rpm user control - lots of fixes/cleanups amdkfd: - Increase event FIFO size - add topology cap flag for per queue reset msm: - DPU: - SA8775P support - (disabled by default) MSM8917, MSM8937, MSM8953 and MSM8996 support - Enable large framebuffer support - Drop MSM8998 and SDM845 - DP: - SA8775P support - GPU: - a7xx preemption support - Adreno A663 support ast: - warn about unsupported TX chips ivpu: - add coredump - add pantherlake support rockchip: - 4K@60Hz display enablement - generate pll programming tables panthor: - add timestamp query API - add realtime group priority - add fdinfo support etnaviv: - improve handling of DMA address limits - improve GPU hangcheck exynos: - Decon Exynos7870 support mediatek: - add OF graph support omap: - locking fixes bochs: - convert to gem/shmem from simpledrm v3d: - support big/super pages - add gemfs vc4: - BCM2712 support refactoring - add YUV444 format support udmabuf: - folio related fixes nouveau: - add panic support on nv50+" * tag 'drm-next-2024-11-21' of https://gitlab.freedesktop.org/drm/kernel: (1583 commits) drm/xe/guc: Fix dereference before NULL check drm/amd: Fix initialization mistake for NBIO 7.7.0 Revert "drm/amd/display: parse umc_info or vram_info based on ASIC" drm/amd/display: Fix failure to read vram info due to static BP_RESULT drm/amdgpu: enable GTT fallback handling for dGPUs only drm/amd/amdgpu: limit single process inside MES drm/fourcc: add AMD_FMT_MOD_TILE_GFX9_4K_D_X drm/amdgpu/mes12: correct kiq unmap latency drm/amdgpu: Support vcn and jpeg error info parsing drm/amd : Update MES API header file for v11 & v12 drm/amd/amdkfd: add/remove kfd queues on start/stop KFD scheduling drm/amdkfd: change kfd process kref count at creation drm/amdgpu: Cleanup shift coding style drm/amd/amdgpu: Increase MES log buffer to dump mes scratch data drm/amdgpu: Implement virt req_ras_err_count drm/amdgpu: VF Query RAS Caps from Host if supported drm/amdgpu: Add msg handlers for SRIOV RAS Telemetry drm/amdgpu: Update SRIOV Exchange Headers for RAS Telemetry Support drm/amd/display: 3.2.309 drm/amd/display: Adjust VSDB parser for replay feature ... commit 2e1827de1b0f22b420c9446a3c94e6cce8eb4da4 Author: Jett Rink Date: Tue Sep 10 19:11:14 2024 +0000 char: tpm: cr50: Add new device/vendor ID 0x50666666 Accept another DID:VID for the next generation Google TPM. This TPM has the same Ti50 firmware and fulfills the same interface. Suggested-by: Jarkko Sakkinen Signed-off-by: Jett Rink Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen commit 44637b0b40f47629ff78a73744755e6535e0970e Author: Jan Dabros Date: Thu Oct 10 09:15:59 2024 +0000 char: tpm: cr50: Move i2c locking to request/relinquish locality ops Move i2c locking primitives to request_locality and relinquish_locality callbacks, what effectively blocks TPM bus for the whole duration of logical TPM operation. With this in place, cr50-equipped TPM may be shared with external CPUs - assuming that underneath i2c controller driver is aware of this setup (see i2c-designware-amdpsp as an example). Signed-off-by: Jan Dabros Signed-off-by: Jarkko Sakkinen commit 932e3a5e1ea31712c91e6b4c64d0c7f675315ab4 Author: Jan Dabros Date: Thu Oct 10 09:15:58 2024 +0000 char: tpm: cr50: Use generic request/relinquish locality ops Instead of using static functions tpm_cr50_request_locality and tpm_cr50_release_locality register callbacks from tpm class chip->ops created for this purpose. Signed-off-by: Jan Dabros Signed-off-by: Grzegorz Bernacki Signed-off-by: Jarkko Sakkinen commit 02e9bda80d66cdd53364b9b32166ac0be1ced58f Author: Stefan Berger Date: Mon Oct 14 10:16:43 2024 -0400 tpm: ibmvtpm: Set TPM_OPS_AUTO_STARTUP flag on driver Set the TPM_OPS_AUTO_STARTUP on the driver so that the ibmvtpm driver now uses tpm2_auto_startup and tpm1_auto_startup like many other drivers do. Remove tpm_get_timeouts, tpm2_get_cc_attrs_tbl, and tpm2_sessions_init calls from it since these will all be called in tpm2_auto_startup and tpm1_auto_startup. The exporting of the tpm2_session_init symbol was only necessary while the ibmvtpm driver was calling this function. Since this is not the case anymore, remove this symbol from being exported. What is new for the ibmvtpm driver is that now tpm2_do_selftest and tpm1_do_selftest will be called that send commands to the TPM to perform or continue its selftest. However, the firmware should already have sent these commands so that the TPM will not do much work at this time. Signed-off-by: Stefan Berger Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen commit 071b34dcf71523a559b6c39f5d21a268a9531b50 Merge: 55ae3eef10ae81 e3f8064d8b2903 Author: Linus Torvalds Date: Thu Nov 21 14:39:31 2024 -0800 Merge tag 'sound-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound Pull sound updates from Takashi Iwai: "This is a relatively calm cycle, and majority of changes are about ASoC. There are little changes in the core side but we received lots of new drivers for new vendors. ALSA Core: - The new accel operation mode for compress-offload API; only the core part, the actual user will follow later ASoC: - Continued API simplification works - Renaming of the sh directory to Renesas - Factoring out of some of the common code for Realtek devices - Ussal ASoC Intel SOF, AMD and SoundWire updates - Support for Allwinner H616, AMD ACP 6.3 systems, AWInic AW88081, Cirrus Logic CS32L84, Everest ES8328, Iron Devices SMA1307, Longsoon I2S, NeoFidelity NTP8918 and NTP8835, Philips UDA1342, Qualcomm SM8750, RealTek RT721, and ST Microelectronics STM32MP25 HD- and USB-audio: - Clean up of IRQ handling in legacy HD-audio driver - Fix soft lockup at disconnection of non-standard USB drivers - Scarlett2 mixer improvements - New quirks and cleanups in HD- and USB-audio" * tag 'sound-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (278 commits) ALSA: hda: Poll jack events for LS7A HD-Audio ASoC: hdmi-codec: reorder channel allocation list ALSA: ump: Fix the wrong format specifier ASoC: Intel: soc-acpi-intel-lnl-match: add rt712_vb + rt1320 support ASoC: stm32: dfsdm: change rate upper limits ASoC: sma1307: fix uninitialized variable refence ASoC: dt-bindings: simple-mux: add idle-state property ASoc: simple-mux: add idle-state support ASoC: sdca: test adev before calling acpi_dev_for_each_child ASoC: SOF: ipc4-topology: remove redundant assignment to variable ret ASoC: amd: ps: fix the pcm device numbering for acp 6.3 platform ASoC: amd: acp: add soundwire machine driver for legacy stack ASoC: amd: acp: move get_acp63_cpu_pin_id() to common file ASoC: amd: ps: add soundwire machines for acp6.3 platform ASoC: amd: acp: add RT711, RT714 & RT1316 support for acp 6.3 platform ASoC: amd: acp: add rt722 based soundwire machines ALSA: compress_offload: Add missing descriptions in structs ALSA: 6fire: Release resources at card release ALSA: caiaq: Use snd_card_free_when_closed() at disconnection ALSA: us122l: Drop mmap_count field ... commit 55ae3eef10ae813616bd8a421e318d4b0e2f4a0b Merge: 341d041daae52c 1b3073291ddbe2 Author: Linus Torvalds Date: Thu Nov 21 13:19:29 2024 -0800 Merge tag 'i2c-for-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux Pull i2c updates from Wolfram Sang: "Core: - drivers can now use a GPIO as a side channel for SMBus Alerts using a generic binding - regular stuff like mem leak fix, Makefile maintenance... Host improvements and refactoring: - All controllers using the 'remove_new' callback have been reverted to use the 'remove' callback - Intel SCH controller underwent significant refactoring, this brings love and a modern look to the driver - PIIX4 driver refactored to enable usage by other drivers (e.g., AMD ASF) - iMX/MXC improved message handling to reduce protocol overhead: Refactored DMA/non-DMA read/write and bus polling mechanisms to achieve this. - ACPI documentation for PIIX4 New host features: - i2c-cadence support for atomic transfers - Qualcomm CII support for a 32MHz serial engine clock Deprecated features: - Dropped outdated support for AMD756 S4882 and NFORCE2 S4985. If somebody misses this, Jean will rewrite support using the proper i2c mux framework. New hardware IDs for existing drivers: - Intel Panther Lake - S32G2/S32G3 SoCs - HJMC01 DesignWare ACPI HID - PIC64GX to Microchip Core - Qualcomm SDM670 to Qualcomm CCI New drivers: - AMD ASF - Realtek RTL I2C Controller at24 updates: - add support for the lockable page on ST M24256E" * tag 'i2c-for-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux: (59 commits) docs: i2c: piix4: Add ACPI section i2c: Add driver for the RTL9300 I2C controller i2c: qcom-cci: Remove unused struct member cci_clk_rate dt-bindings: i2c: Add Realtek RTL I2C Controller i2c: busses: Use *-y instead of *-objs in Makefile i2c: imx: add support for S32G2/S32G3 SoCs dt-bindings: i2c: imx: add SoC specific compatible strings for S32G i2c: qcom-cci: Remove the unused variable cci_clk_rate i2c: Drop legacy muxing pseudo-drivers i2c: imx: prevent rescheduling in non dma mode i2c: imx: separate atomic, dma and non-dma use case i2c: imx: do not poll for bus busy in single master mode i2c: designware: Add a new ACPI HID for HJMC01 I2C controller i2c: qcom-geni: Keep comment why interrupts start disabled dt-bindings: i2c: microchip: corei2c: Add PIC64GX as compatible with driver i2c: designware: constify abort_sources i2c: Switch back to struct platform_driver::remove() i2c: qcom-geni: Support systems with 32MHz serial engine clock i2c: qcom-cci: Stop complaining about DT set clock rate dt-bindings: i2c: qcom-cci: Document SDM670 compatible ... commit 979bfe291b5b30a9132c2fd433247e677b24c6aa Author: Alex Deucher Date: Thu Nov 14 16:23:45 2024 -0500 Revert "drm/radeon: Delay Connector detecting when HPD singals is unstable" This reverts commit 949658cb9b69ab9d22a42a662b2fdc7085689ed8. This causes a blank screen on boot. Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3696 Signed-off-by: Alex Deucher Cc: Shixiong Ou Cc: stable@vger.kernel.org commit 93df74873703694f7c977bc13ff3baa667819b22 Author: Alex Deucher Date: Wed Nov 13 14:28:54 2024 -0500 drm/amdgpu/jpeg: cancel the jpeg worker Looks like these got missed when jpeg was split from vcn. Cancel the jpeg workers rather than vcn workers. Reviewed-by: Lijo Lazar Signed-off-by: Alex Deucher commit b61badd20b443eabe132314669bb51a263982e5c Author: Vitaly Prosyak Date: Mon Nov 11 17:24:08 2024 -0500 drm/amdgpu: fix usage slab after free [ +0.000021] BUG: KASAN: slab-use-after-free in drm_sched_entity_flush+0x6cb/0x7a0 [gpu_sched] [ +0.000027] Read of size 8 at addr ffff8881b8605f88 by task amd_pci_unplug/2147 [ +0.000023] CPU: 6 PID: 2147 Comm: amd_pci_unplug Not tainted 6.10.0+ #1 [ +0.000016] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020 [ +0.000016] Call Trace: [ +0.000008] [ +0.000009] dump_stack_lvl+0x76/0xa0 [ +0.000017] print_report+0xce/0x5f0 [ +0.000017] ? drm_sched_entity_flush+0x6cb/0x7a0 [gpu_sched] [ +0.000019] ? srso_return_thunk+0x5/0x5f [ +0.000015] ? kasan_complete_mode_report_info+0x72/0x200 [ +0.000016] ? drm_sched_entity_flush+0x6cb/0x7a0 [gpu_sched] [ +0.000019] kasan_report+0xbe/0x110 [ +0.000015] ? drm_sched_entity_flush+0x6cb/0x7a0 [gpu_sched] [ +0.000023] __asan_report_load8_noabort+0x14/0x30 [ +0.000014] drm_sched_entity_flush+0x6cb/0x7a0 [gpu_sched] [ +0.000020] ? srso_return_thunk+0x5/0x5f [ +0.000013] ? __kasan_check_write+0x14/0x30 [ +0.000016] ? __pfx_drm_sched_entity_flush+0x10/0x10 [gpu_sched] [ +0.000020] ? srso_return_thunk+0x5/0x5f [ +0.000013] ? __kasan_check_write+0x14/0x30 [ +0.000013] ? srso_return_thunk+0x5/0x5f [ +0.000013] ? enable_work+0x124/0x220 [ +0.000015] ? __pfx_enable_work+0x10/0x10 [ +0.000013] ? srso_return_thunk+0x5/0x5f [ +0.000014] ? free_large_kmalloc+0x85/0xf0 [ +0.000016] drm_sched_entity_destroy+0x18/0x30 [gpu_sched] [ +0.000020] amdgpu_vce_sw_fini+0x55/0x170 [amdgpu] [ +0.000735] ? __kasan_check_read+0x11/0x20 [ +0.000016] vce_v4_0_sw_fini+0x80/0x110 [amdgpu] [ +0.000726] amdgpu_device_fini_sw+0x331/0xfc0 [amdgpu] [ +0.000679] ? mutex_unlock+0x80/0xe0 [ +0.000017] ? __pfx_amdgpu_device_fini_sw+0x10/0x10 [amdgpu] [ +0.000662] ? srso_return_thunk+0x5/0x5f [ +0.000014] ? __kasan_check_write+0x14/0x30 [ +0.000013] ? srso_return_thunk+0x5/0x5f [ +0.000013] ? mutex_unlock+0x80/0xe0 [ +0.000016] amdgpu_driver_release_kms+0x16/0x80 [amdgpu] [ +0.000663] drm_minor_release+0xc9/0x140 [drm] [ +0.000081] drm_release+0x1fd/0x390 [drm] [ +0.000082] __fput+0x36c/0xad0 [ +0.000018] __fput_sync+0x3c/0x50 [ +0.000014] __x64_sys_close+0x7d/0xe0 [ +0.000014] x64_sys_call+0x1bc6/0x2680 [ +0.000014] do_syscall_64+0x70/0x130 [ +0.000014] ? srso_return_thunk+0x5/0x5f [ +0.000014] ? irqentry_exit_to_user_mode+0x60/0x190 [ +0.000015] ? srso_return_thunk+0x5/0x5f [ +0.000014] ? irqentry_exit+0x43/0x50 [ +0.000012] ? srso_return_thunk+0x5/0x5f [ +0.000013] ? exc_page_fault+0x7c/0x110 [ +0.000015] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ +0.000014] RIP: 0033:0x7ffff7b14f67 [ +0.000013] Code: ff e8 0d 16 02 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 73 ba f7 ff [ +0.000026] RSP: 002b:00007fffffffe378 EFLAGS: 00000246 ORIG_RAX: 0000000000000003 [ +0.000019] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ffff7b14f67 [ +0.000014] RDX: 0000000000000000 RSI: 00007ffff7f6f47a RDI: 0000000000000003 [ +0.000014] RBP: 00007fffffffe3a0 R08: 0000555555569890 R09: 0000000000000000 [ +0.000014] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fffffffe5c8 [ +0.000013] R13: 00005555555552a9 R14: 0000555555557d48 R15: 00007ffff7ffd040 [ +0.000020] [ +0.000016] Allocated by task 383 on cpu 7 at 26.880319s: [ +0.000014] kasan_save_stack+0x28/0x60 [ +0.000008] kasan_save_track+0x18/0x70 [ +0.000007] kasan_save_alloc_info+0x38/0x60 [ +0.000007] __kasan_kmalloc+0xc1/0xd0 [ +0.000007] kmalloc_trace_noprof+0x180/0x380 [ +0.000007] drm_sched_init+0x411/0xec0 [gpu_sched] [ +0.000012] amdgpu_device_init+0x695f/0xa610 [amdgpu] [ +0.000658] amdgpu_driver_load_kms+0x1a/0x120 [amdgpu] [ +0.000662] amdgpu_pci_probe+0x361/0xf30 [amdgpu] [ +0.000651] local_pci_probe+0xe7/0x1b0 [ +0.000009] pci_device_probe+0x248/0x890 [ +0.000008] really_probe+0x1fd/0x950 [ +0.000008] __driver_probe_device+0x307/0x410 [ +0.000007] driver_probe_device+0x4e/0x150 [ +0.000007] __driver_attach+0x223/0x510 [ +0.000006] bus_for_each_dev+0x102/0x1a0 [ +0.000007] driver_attach+0x3d/0x60 [ +0.000006] bus_add_driver+0x2ac/0x5f0 [ +0.000006] driver_register+0x13d/0x490 [ +0.000008] __pci_register_driver+0x1ee/0x2b0 [ +0.000007] llc_sap_close+0xb0/0x160 [llc] [ +0.000009] do_one_initcall+0x9c/0x3e0 [ +0.000008] do_init_module+0x241/0x760 [ +0.000008] load_module+0x51ac/0x6c30 [ +0.000006] __do_sys_init_module+0x234/0x270 [ +0.000007] __x64_sys_init_module+0x73/0xc0 [ +0.000006] x64_sys_call+0xe3/0x2680 [ +0.000006] do_syscall_64+0x70/0x130 [ +0.000007] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ +0.000015] Freed by task 2147 on cpu 6 at 160.507651s: [ +0.000013] kasan_save_stack+0x28/0x60 [ +0.000007] kasan_save_track+0x18/0x70 [ +0.000007] kasan_save_free_info+0x3b/0x60 [ +0.000007] poison_slab_object+0x115/0x1c0 [ +0.000007] __kasan_slab_free+0x34/0x60 [ +0.000007] kfree+0xfa/0x2f0 [ +0.000007] drm_sched_fini+0x19d/0x410 [gpu_sched] [ +0.000012] amdgpu_fence_driver_sw_fini+0xc4/0x2f0 [amdgpu] [ +0.000662] amdgpu_device_fini_sw+0x77/0xfc0 [amdgpu] [ +0.000653] amdgpu_driver_release_kms+0x16/0x80 [amdgpu] [ +0.000655] drm_minor_release+0xc9/0x140 [drm] [ +0.000071] drm_release+0x1fd/0x390 [drm] [ +0.000071] __fput+0x36c/0xad0 [ +0.000008] __fput_sync+0x3c/0x50 [ +0.000007] __x64_sys_close+0x7d/0xe0 [ +0.000007] x64_sys_call+0x1bc6/0x2680 [ +0.000007] do_syscall_64+0x70/0x130 [ +0.000007] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ +0.000014] The buggy address belongs to the object at ffff8881b8605f80 which belongs to the cache kmalloc-64 of size 64 [ +0.000020] The buggy address is located 8 bytes inside of freed 64-byte region [ffff8881b8605f80, ffff8881b8605fc0) [ +0.000028] The buggy address belongs to the physical page: [ +0.000011] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1b8605 [ +0.000008] anon flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff) [ +0.000007] page_type: 0xffffefff(slab) [ +0.000009] raw: 0017ffffc0000000 ffff8881000428c0 0000000000000000 dead000000000001 [ +0.000006] raw: 0000000000000000 0000000000200020 00000001ffffefff 0000000000000000 [ +0.000006] page dumped because: kasan: bad access detected [ +0.000012] Memory state around the buggy address: [ +0.000011] ffff8881b8605e80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ +0.000015] ffff8881b8605f00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ +0.000015] >ffff8881b8605f80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ +0.000013] ^ [ +0.000011] ffff8881b8606000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc [ +0.000014] ffff8881b8606080: fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb fb [ +0.000013] ================================================================== The issue reproduced on VG20 during the IGT pci_unplug test. The root cause of the issue is that the function drm_sched_fini is called before drm_sched_entity_kill. In drm_sched_fini, the drm_sched_rq structure is freed, but this structure is later accessed by each entity within the run queue, leading to invalid memory access. To resolve this, the order of cleanup calls is updated: Before: amdgpu_fence_driver_sw_fini amdgpu_device_ip_fini After: amdgpu_device_ip_fini amdgpu_fence_driver_sw_fini This updated order ensures that all entities in the IPs are cleaned up first, followed by proper cleanup of the schedulers. Additional Investigation: During debugging, another issue was identified in the amdgpu_vce_sw_fini function. The vce.vcpu_bo buffer must be freed only as the final step in the cleanup process to prevent any premature access during earlier cleanup stages. v2: Using Christian suggestion call drm_sched_entity_destroy before drm_sched_fini. Cc: Christian König Cc: Alex Deucher Signed-off-by: Vitaly Prosyak Reviewed-by: Christian König Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit 928cd772e18ffbd7723cb2361db4a8ccf2222235 Author: Xiang Liu Date: Fri Nov 15 16:59:30 2024 +0800 drm/amdgpu/vcn: reset fw_shared when VCPU buffers corrupted on vcn v4.0.3 It is not necessarily corrupted. When there is RAS fatal error, device memory access is blocked. Hence vcpu bo cannot be saved to system memory as in a regular suspend sequence before going for reset. In other full device reset cases, that gets saved and restored during resume. v2: Remove redundant code like vcn_v4_0 did v2: Refine commit message v3: Drop the volatile v3: Refine commit message Signed-off-by: Xiang Liu Acked-by: Christian König Reviewed-by: Stanley.Yang Signed-off-by: Alex Deucher commit 2f1b13521d2a64967530623dc0a3ecd8fd653722 Author: Jesse.zhang@amd.com Date: Mon Nov 18 12:06:30 2024 +0800 drm/amdgpu: Fix sysfs warning when hotplugging Fix the similar warning when hotplugging: [ 155.585721] kernfs: can not remove 'enforce_isolation', no directory [ 155.592201] WARNING: CPU: 3 PID: 6960 at fs/kernfs/dir.c:1683 kernfs_remove_by_name_ns+0xb9/0xc0 [ 155.601145] Modules linked in: xt_MASQUERADE xt_comment nft_compat veth bridge stp llc overlay nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables nfnetlink qrtr intel_rapl_msr amd_atl intel_rapl_common amd64_edac edac_mce_amd amdgpu kvm_amd kvm ipmi_ssif amdxcp rapl drm_exec gpu_sched drm_buddy i2c_algo_bit drm_suballoc_helper drm_ttm_helper ttm pcspkr drm_display_helper acpi_cpufreq drm_kms_helper video wmi k10temp i2c_piix4 acpi_ipmi ipmi_si drm zram ip_tables loop squashfs dm_multipath crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel sha512_ssse3 sha256_ssse3 sha1_ssse3 sp5100_tco ixgbe rfkill ccp dca sunrpc be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls cxgb3i cxgb3 mdio libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ipmi_devintf ipmi_msghandler fuse [ 155.685224] systemd-journald[1354]: Compressed data object 957 -> 524 using ZSTD [ 155.685687] CPU: 3 PID: 6960 Comm: amd_pci_unplug Not tainted 6.10.0-1148853.1.zuul.164395107d6642bdb451071313e9378d #1 [ 155.704149] Hardware name: TYAN B8021G88V2HR-2T/S8021GM2NR-2T, BIOS V1.03.B10 04/01/2019 [ 155.712383] RIP: 0010:kernfs_remove_by_name_ns+0xb9/0xc0 [ 155.717805] Code: a0 00 48 89 ef e8 37 96 c7 ff 5b b8 fe ff ff ff 5d 41 5c 41 5d e9 f7 96 a0 00 0f 0b eb ab 48 c7 c7 48 ba 7e 8f e8 f7 66 bf ff <0f> 0b eb dc 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 [ 155.736766] RSP: 0018:ffffb1685d7a3e20 EFLAGS: 00010296 [ 155.742108] RAX: 0000000000000038 RBX: ffff929e94c80000 RCX: 0000000000000000 [ 155.749363] RDX: ffff928e1efaf200 RSI: ffff928e1efa18c0 RDI: ffff928e1efa18c0 [ 155.756612] RBP: 0000000000000008 R08: 0000000000000000 R09: 0000000000000003 [ 155.763855] R10: ffffb1685d7a3cd8 R11: ffffffff8fb3e1c8 R12: ffffffffc1ef5341 [ 155.771104] R13: ffff929e94cc5530 R14: 0000000000000000 R15: 0000000000000000 [ 155.778357] FS: 00007fd9dd8d9c40(0000) GS:ffff928e1ef80000(0000) knlGS:0000000000000000 [ 155.786594] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 155.792450] CR2: 0000561245ceee38 CR3: 0000000113018000 CR4: 00000000003506f0 [ 155.799702] Call Trace: [ 155.802254] [ 155.804460] ? __warn+0x80/0x120 [ 155.807798] ? kernfs_remove_by_name_ns+0xb9/0xc0 [ 155.812617] ? report_bug+0x164/0x190 [ 155.816393] ? handle_bug+0x3c/0x80 [ 155.819994] ? exc_invalid_op+0x17/0x70 [ 155.823939] ? asm_exc_invalid_op+0x1a/0x20 [ 155.828235] ? kernfs_remove_by_name_ns+0xb9/0xc0 [ 155.833058] amdgpu_gfx_sysfs_fini+0x59/0xd0 [amdgpu] [ 155.838637] gfx_v9_0_sw_fini+0x123/0x1c0 [amdgpu] [ 155.843887] amdgpu_device_fini_sw+0xbc/0x3e0 [amdgpu] [ 155.849432] amdgpu_driver_release_kms+0x16/0x30 [amdgpu] [ 155.855235] drm_dev_put.part.0+0x3c/0x60 [drm] [ 155.859914] drm_release+0x8b/0xc0 [drm] [ 155.863978] __fput+0xf1/0x2c0 [ 155.867141] __x64_sys_close+0x3c/0x80 [ 155.870998] do_syscall_64+0x64/0x170 V2: Add details in comments (Tim) Signed-off-by: Jesse Zhang Reported-by: Andy Dong Reviewed-by: Tim Huang Signed-off-by: Alex Deucher commit fb9898243a7b8133c969c9bbd5d5470f7c2e1374 Author: Jesse.zhang@amd.com Date: Thu Nov 7 22:53:47 2024 +0800 drm/amdgpu: Add sysfs interface for vcn reset mask Add the sysfs interface for vcn: vcn_reset_mask The interface is read-only and show the resets supported by the IP. For example, full adapter reset (mode1/mode2/BACO/etc), soft reset, queue reset, and pipe reset. V2: the sysfs node returns a text string instead of some flags (Christian) V2: the sysfs node returns a text string instead of some flags (Christian) v3: add a generic helper which takes the ring as parameter and print the strings in the order they are applied (Christian) check amdgpu_gpu_recovery before creating sysfs file itself, and initialize supported_reset_types in IP version files (Lijo) v4: s/sdma/vcn/ in the reset mask setup Acked-by: Christian König Signed-off-by: Jesse Zhang Suggested-by: Alex Deucher Reviewed-by: Tim Huang Signed-off-by: Alex Deucher commit 4c28e645aa3e4d697a02fc291b363702b8a6c921 Author: Alex Deucher Date: Tue Nov 19 14:19:07 2024 -0500 drm/amdgpu/gmc7: fix wait_for_idle callers The wait_for_idle signature was changed, but the callers were not. Reviewed-by: Sunil Khatri Reported-by: Michel Dänzer Fixes: 82ae6619a450 ("drm/amdgpu: update the handle ptr in wait_for_idle") Signed-off-by: Alex Deucher Cc: Sunil Khatri commit da868898cf4c5ddbd1f7406e356edce5d7211eb5 Author: Lijo Lazar Date: Wed Nov 20 08:34:39 2024 +0530 drm/amd/pm: Remove arcturus min power limit As per power team, there is no need to impose a lower bound on arcturus power limit. Any unreasonable limit set will result in frequent throttling. Signed-off-by: Lijo Lazar Reviewed-by: Kenneth Feng Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit 76c7f08094767b5df3b60e18d1bdecddd4a5c844 Author: Kenneth Feng Date: Tue Nov 19 15:03:22 2024 +0800 drm/amd/pm: skip setting the power source on smu v14.0.2/3 skip setting power source on smu v14.0.2/3 Signed-off-by: Kenneth Feng Reviewed-by: Lijo Lazar Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org # 6.11.x commit b0df0e777874549c128b43f7bf4989a2ed24b37a Author: Kenneth Feng Date: Tue Nov 19 14:26:58 2024 +0800 drm/amd/pm: disable pcie speed switching on Intel platform for smu v14.0.2/3 disable pcie speed switching on Intel platform for smu v14.0.2/3 based on Intel's requirement. v2: align the setting with smu v13. Signed-off-by: Kenneth Feng Reviewed-by: Lijo Lazar Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org # 6.11.x commit cdc6705f98ea3f854a60ba8c9b19228e197ae384 Author: Lijo Lazar Date: Mon Nov 11 20:11:38 2024 +0530 drm/amdkfd: Use the correct wptr size Write pointer could be 32-bit or 64-bit. Use the correct size during initialization. Signed-off-by: Lijo Lazar Acked-by: Alex Deucher Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit 341d041daae52cd5f014f68c1c7d9039db818fca Merge: 51ae62a12c242e 6d026e6d48cd2a Author: Linus Torvalds Date: Thu Nov 21 12:40:50 2024 -0800 Merge tag 'for-linus-iommufd' of git://git.kernel.org/pub/scm/linux/kernel/git/jgg/iommufd Pull iommufd updates from Jason Gunthorpe: "Several new features and uAPI for iommufd: - IOMMU_IOAS_MAP_FILE allows passing in a file descriptor as the backing memory for an iommu mapping. To date VFIO/iommufd have used VMA's and pin_user_pages(), this now allows using memfds and memfd_pin_folios(). Notably this creates a pure folio path from the memfd to the iommu page table where memory is never broken down to PAGE_SIZE. - IOMMU_IOAS_CHANGE_PROCESS moves the pinned page accounting between two processes. Combined with the above this allows iommufd to support a VMM re-start using exec() where something like qemu would exec() a new version of itself and fd pass the memfds/iommufd/etc to the new process. The memfd allows DMA access to the memory to continue while the new process is getting setup, and the CHANGE_PROCESS updates all the accounting. - Support for fault reporting to userspace on non-PRI HW, such as ARM stall-mode embedded devices. - IOMMU_VIOMMU_ALLOC introduces the concept of a HW/driver backed virtual iommu. This will be used by VMMs to access hardware features that are contained with in a VM. The first use is to inform the kernel of the virtual SID to physical SID mapping when issuing SID based invalidation on ARM. Further uses will tie HW features that are directly accessed by the VM, such as invalidation queue assignment and others. - IOMMU_VDEVICE_ALLOC informs the kernel about the mapping of virtual device to physical device within a VIOMMU. Minimially this is used to translate VM issued cache invalidation commands from virtual to physical device IDs. - Enhancements to IOMMU_HWPT_INVALIDATE and IOMMU_HWPT_ALLOC to work with the VIOMMU - ARM SMMuv3 support for nested translation. Using the VIOMMU and VDEVICE the driver can model this HW's behavior for nested translation. This includes a shared branch from Will" * tag 'for-linus-iommufd' of git://git.kernel.org/pub/scm/linux/kernel/git/jgg/iommufd: (51 commits) iommu/arm-smmu-v3: Import IOMMUFD module namespace iommufd: IOMMU_IOAS_CHANGE_PROCESS selftest iommufd: Add IOMMU_IOAS_CHANGE_PROCESS iommufd: Lock all IOAS objects iommufd: Export do_update_pinned iommu/arm-smmu-v3: Support IOMMU_HWPT_INVALIDATE using a VIOMMU object iommu/arm-smmu-v3: Allow ATS for IOMMU_DOMAIN_NESTED iommu/arm-smmu-v3: Use S2FWB for NESTED domains iommu/arm-smmu-v3: Support IOMMU_DOMAIN_NESTED iommu/arm-smmu-v3: Support IOMMU_VIOMMU_ALLOC Documentation: userspace-api: iommufd: Update vDEVICE iommufd/selftest: Add vIOMMU coverage for IOMMU_HWPT_INVALIDATE ioctl iommufd/selftest: Add IOMMU_TEST_OP_DEV_CHECK_CACHE test command iommufd/selftest: Add mock_viommu_cache_invalidate iommufd/viommu: Add iommufd_viommu_find_dev helper iommu: Add iommu_copy_struct_from_full_user_array helper iommufd: Allow hwpt_id to carry viommu_id for IOMMU_HWPT_INVALIDATE iommu/viommu: Add cache_invalidate to iommufd_viommu_ops iommufd/selftest: Add IOMMU_VDEVICE_ALLOC test coverage iommufd/viommu: Add IOMMUFD_OBJ_VDEVICE and IOMMU_VDEVICE_ALLOC ioctl ... commit 51ae62a12c242e49229db23b96d03ecc15efc0d1 Merge: 40f48f82a13907 22293c33738c14 Author: Linus Torvalds Date: Thu Nov 21 11:28:39 2024 -0800 Merge tag 'dma-mapping-6.13-2024-11-19' of git://git.infradead.org/users/hch/dma-mapping Pull dma-mapping updates from Christoph Hellwig: - improve the DMA API tracing code (Sean Anderson) - misc cleanups (Christoph Hellwig, Sui Jingfeng) - fix pointer abuse when finding the shared DMA pool (Geert Uytterhoeven) - fix a deadlock in dma-debug (Levi Yun) * tag 'dma-mapping-6.13-2024-11-19' of git://git.infradead.org/users/hch/dma-mapping: dma-mapping: save base/size instead of pointer to shared DMA pool dma-mapping: fix swapped dir/flags arguments to trace_dma_alloc_sgt_err dma-mapping: drop unneeded includes from dma-mapping.h dma-mapping: trace more error paths dma-mapping: use trace_dma_alloc for dma_alloc* instead of using trace_dma_map dma-mapping: trace dma_alloc/free direction dma-mapping: use macros to define events in a class dma-mapping: remove an outdated comment from dma-map-ops.h dma-debug: remove DMA_API_DEBUG_SG dma-debug: store a phys_addr_t in struct dma_debug_entry dma-debug: fix a possible deadlock on radix_lock commit 40f48f82a1390709207ee6b06939dfae5521316e Merge: fc39fb56917bb3 84147f4e84c4f4 Author: Linus Torvalds Date: Thu Nov 21 11:26:38 2024 -0800 Merge tag 'configfs-6.13-2024-11-19' of git://git.infradead.org/users/hch/configfs Pull configfs updates from Christoph Hellwig: - remove unused code (Dr. David Alan Gilbert) - improve item creation performance (Seamus Connor) * tag 'configfs-6.13-2024-11-19' of git://git.infradead.org/users/hch/configfs: configfs: improve item creation performance configfs: remove unused configfs_hash_and_remove commit a63d7408afbd108944a6b05bdf0b0d75f32755b9 Author: Mark Rutland Date: Mon Nov 18 12:02:04 2024 +0000 arm64: disable ARCH_CORRECT_STACKTRACE_ON_KRETPROBE tests The kprobes_test suite's test_stacktrace_on_nested_kretprobe() test currently fails on arm64, e.g. | KTAP version 1 | 1..1 | KTAP version 1 | # Subtest: kprobes_test | # module: test_kprobes | 1..7 | ok 1 test_kprobe | ok 2 test_kprobes | ok 3 test_kprobe_missed | ok 4 test_kretprobe | ok 5 test_kretprobes | ok 6 test_stacktrace_on_kretprobe | # test_stacktrace_on_nested_kretprobe: EXPECTATION FAILED at lib/test_kprobes.c:327 | Expected stack_buf[i + 1] == target_return_address[1], but | stack_buf[i + 1] == -96519936577004 (0xffffa83733777214) | target_return_address[1] == -96519936577136 (0xffffa83733777190) | # test_stacktrace_on_nested_kretprobe: EXPECTATION FAILED at lib/test_kprobes.c:338 | Expected stack_buf[1] == target_return_address[1], but | stack_buf[1] == -96519936577004 (0xffffa83733777214) | target_return_address[1] == -96519936577136 (0xffffa83733777190) | not ok 7 test_stacktrace_on_nested_kretprobe | # kprobes_test: pass:6 fail:1 skip:0 total:7 | # Totals: pass:6 fail:1 skip:0 total:7 | not ok 1 kprobes_test The test assumes that when a stacktrace straddles an exception boundary, no necessary entries will be omitted and no extraneous entries will be reported, and when unwinding from a kretprobed callee, the next entry in the trace will be its immediate caller (whether kretprobed or not). Recently the arm64 stacktrace code was changed to always report the LR at an exception boundary, where we don't know whether the LR is live. In the case of the kretprobe trampoline the LR is not live at the time the stacktrace is performed, and so the entry in the trace for the LR is extraneous. This can be seen if a call to show_stack() is added to stacktrace_internal_return_handler(): | Call trace: | show_stack+0x18/0x30 (C) | stacktrace_internal_return_handler+0x130/0x43c | __kretprobe_trampoline_handler+0xa0/0x130 | kretprobe_breakpoint_handler+0x50/0x70 | call_break_hook+0x74/0x8c | brk_handler+0x1c/0x60 | do_debug_exception+0x68/0x114 | el1_dbg+0x70/0x94 | el1h_64_sync_handler+0xc4/0xe4 | el1h_64_sync+0x6c/0x70 | kprobe_stacktrace_target+0x34/0x48 (P) | kprobe_stacktrace_target+0x34/0x48 (LK) <-------- extra entry here | kprobe_stacktrace_driver+0x24/0x40 (K) | test_stacktrace_on_nested_kretprobe+0x84/0x160 | kunit_try_run_case+0x6c/0x160 | kunit_generic_run_threadfn_adapter+0x28/0x4c | kthread+0x110/0x114 | ret_from_fork+0x10/0x20 This breaks test_stacktrace_on_nested_kretprobe() because while the caller (kprobe_stacktrace_driver()) appears in the trace, it doesn't occur *immediately* after the first instance of callee (kprobe_stacktrace_target()). While this behaviour is unfortunate for the kretprobes tests, the behaviour is desirable elsewhere (e.g. anywhere a human will read the trace), and is otherwise not harmful. For the moment, deselect ARCH_CORRECT_STACKTRACE_ON_KRETPROBE on arm64 to disable the tests which depend on this behaviour. With ARCH_CORRECT_STACKTRACE_ON_KRETPROBE deselected, the remaining tests work as expected, e.g. | KTAP version 1 | 1..1 | KTAP version 1 | # Subtest: kprobes_test | # module: test_kprobes | 1..5 | ok 1 test_kprobe | ok 2 test_kprobes | ok 3 test_kprobe_missed | ok 4 test_kretprobe | ok 5 test_kretprobes | # kprobes_test: pass:5 fail:0 skip:0 total:5 | # Totals: pass:5 fail:0 skip:0 total:5 | ok 1 kprobes_test In future we have several options to improve matters, e.g. * Add metadata and update arm64's unwinder to skip the LR in this case. This is likely to happen as part of work for RELIABLE_STACKTRACE for other reasons, and might solve this case by coincidence. * Modify the kretprobes tests to only require that the caller appears in the trace after the callee, rather than requiring that it is *immediately* after the callee. We might want separate strict/not-strict options for this. * Use reliable stacktrace for these tests, so that architectures which cannot unwind across exception boundaries can explicitly handle this by returning an error. Fixes: c2c6b27b5aa1 ("arm64: stacktrace: unwind exception boundaries") Signed-off-by: Mark Rutland Reported-by: Kristina Martsenko Cc: Ard Biesheuvel Cc: Josh Poimboeuf Cc: Kalesh Singh Cc: Madhavan T. Venkataraman Cc: Marc Zyngier Cc: Mark Brown Cc: Masami Hiramatsu Cc: Miroslav Benes Cc: Puranjay Mohan Cc: Steven Rostedt Cc: Will Deacon Reviewed-by: Mark Brown Link: https://lore.kernel.org/r/20241118120204.3961548-1-mark.rutland@arm.com Signed-off-by: Catalin Marinas commit fc39fb56917bb3cb53e99560ca3612a84456ada2 Merge: 6a550ae5560f72 a174706ba4dad8 Author: Linus Torvalds Date: Thu Nov 21 09:59:59 2024 -0800 Merge tag 'jfs-6.13' of github.com:kleikamp/linux-shaggy Pull jfs updates from Dave Kleikamp: "A few more patches to add sanity checks in jfs" * tag 'jfs-6.13' of github.com:kleikamp/linux-shaggy: jfs: add a check to prevent array-index-out-of-bounds in dbAdjTree jfs: xattr: check invalid xattr size more strictly jfs: fix array-index-out-of-bounds in jfs_readdir jfs: fix shift-out-of-bounds in dbSplit jfs: array-index-out-of-bounds fix in dtReadFirst commit 6a550ae5560f7237c82dc9c0c128ba1d593c4dde Merge: 2dde263d81dc6d 200b977ebbc313 Author: Linus Torvalds Date: Thu Nov 21 09:57:46 2024 -0800 Merge tag 'dlm-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/teigland/linux-dlm Pull dlm updates from David Teigland: - Fix recovery of locks that are being converted between PR/CW modes - Fix cleanup of rsb list if recovery is interrupted during recover_members - Fix null dereference in debug code if dlm api is called improperly - Fix wrong args passed to trace function - Move error checks out of add_to_waiters so the function can't fail - Clean up some code for configfs * tag 'dlm-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/teigland/linux-dlm: dlm: fix dlm_recover_members refcount on error dlm: fix recovery of middle conversions dlm: make add_to_waiters() that it can't fail dlm: dlm_config_info config fields to unsigned int dlm: use dlm_config as only cluster configuration dlm: handle port as __be16 network byte order dlm: disallow different configs nodeid storages dlm: fix possible lkb_resource null dereference dlm: fix swapped args sb_flags vs sb_status commit ec9b3ac6e5630e320d926ea13a06d86d2a6bdde1 Merge: 766a71ef65bb21 029cc98dec2ead Author: Jens Axboe Date: Thu Nov 21 10:57:34 2024 -0700 Merge tag 'nvme-6.13-2024-11-21' of git://git.infradead.org/nvme into for-6.13/block Pull NVMe updates from Keith: "nvme updates for Linux 6.13 - Use correct srcu list traversal (Breno) - Scatter-gather support for metadata (Keith) - Fabrics shutdown race condition fix (Nilay) - Persistent reservations updates (Guixin)" * tag 'nvme-6.13-2024-11-21' of git://git.infradead.org/nvme: nvme: tuning pr code by using defined structs and macros nvme: introduce change ptpl and iekey definition nvme-fabrics: fix kernel crash while shutting down controller Revert "nvme: make keep-alive synchronous operation" nvme-pci: use sgls for all user requests if possible nvme: define the remaining used sgls constants nvme-pci: add support for sgl metadata nvme/multipath: Fix RCU list traversal to use SRCU primitive commit 2dde263d81dc6ded2df086bf9db05396c7c215ee Merge: c01f664e4ca210 21d1b618b6b9da Author: Linus Torvalds Date: Thu Nov 21 09:55:45 2024 -0800 Merge tag 'fsnotify_for_v6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs Pull fsnotify updates from Jan Kara: "A couple of smaller random fsnotify fixes" * tag 'fsnotify_for_v6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs: fsnotify: Fix ordering of iput() and watched_objects decrement fsnotify: fix sending inotify event with unexpected filename fanotify: allow reporting errors on failure to open fd fsnotify, lsm: Decouple fsnotify from lsm commit c01f664e4ca210823b7594b50669bbd9b0a3c3b0 Merge: 597861d6cd343a fb6f20ecb121ce Author: Linus Torvalds Date: Thu Nov 21 09:50:18 2024 -0800 Merge tag 'reiserfs_delete' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs Pull reiserfs removal from Jan Kara: "The deprecation period of reiserfs is ending at the end of this year so it is time to remove it" * tag 'reiserfs_delete' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs: reiserfs: The last commit commit 597861d6cd343a6ded4cf0302f6fc25ec548e1cc Merge: 2edc8f933df7df 344044d8c9e256 Author: Linus Torvalds Date: Thu Nov 21 09:47:44 2024 -0800 Merge tag 'for_v6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs Pull quota and isofs updates from Jan Kara: "Fix a memory leak in isofs and a cleanup of includes in quota" * tag 'for_v6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs: dquot.c: get rid of include ../internal.h isofs: avoid memory leak in iocharset commit 2edc8f933df7dfc7f9f7e0af8aa68c3b9e8cbade Merge: 90a19b744de3a4 5877dc24be5dad Author: Linus Torvalds Date: Thu Nov 21 09:20:07 2024 -0800 Merge tag 'xfs-6.13-merge-1' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux Pull xfs updates from Carlos Maiolino: "The bulk of this pull request is a major rework that Darrick and Christoph have been doing on XFS's real-time volume, coupled with a few features to support this rework. It does also includes some bug fixes. - convert perag to use xarrays - create a new generic allocation group structure - add metadata inode dir trees - create in-core rt allocation groups - shard the RT section into allocation groups - persist quota options with the enw metadata dir tree - enable quota for RT volumes - enable metadata directory trees - some bugfixes" * tag 'xfs-6.13-merge-1' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux: (146 commits) xfs: port ondisk structure checks from xfs/122 to the kernel xfs: separate space btree structures in xfs_ondisk.h xfs: convert struct typedefs in xfs_ondisk.h xfs: enable metadata directory feature xfs: enable realtime quota again xfs: update sb field checks when metadir is turned on xfs: reserve quota for realtime files correctly xfs: create quota preallocation watermarks for realtime quota xfs: report realtime block quota limits on realtime directories xfs: persist quota flags with metadir xfs: advertise realtime quota support in the xqm stat files xfs: scrub quota file metapaths xfs: fix chown with rt quota xfs: use metadir for quota inodes xfs: refactor xfs_qm_destroy_quotainos xfs: use rtgroup busy extent list for FITRIM xfs: implement busy extent tracking for rtgroups xfs: port the perag discard code to handle generic groups xfs: move the min and max group block numbers to xfs_group xfs: adjust min_block usage in xfs_verify_agbno ... commit 90a19b744de3a4fb51aee2edd8f2b9a4b14c9878 Merge: fcc79e1714e8c2 0bc8061ffc733a Author: Linus Torvalds Date: Thu Nov 21 09:17:33 2024 -0800 Merge tag 'erofs-for-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs Pull erofs updates from Gao Xiang: "There is no outstanding feature for this cycle. The most useful changes are SEEK_{DATA,HOLE} support and some decompression micro-optimization. Other than those, there are some bugfixes and cleanups as usual: - Add SEEK_{DATA,HOLE} support - Free redundant pclusters if no cached compressed data is valid - Add sysfs entry to drop internal caches - Several bugfixes & cleanups" * tag 'erofs-for-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs: erofs: handle NONHEAD !delta[1] lclusters gracefully erofs: clarify direct I/O support erofs: fix blksize < PAGE_SIZE for file-backed mounts erofs: get rid of `buf->kmap_type` erofs: fix file-backed mounts over FUSE erofs: simplify definition of the log functions erofs: add sysfs node to drop internal caches erofs: free pclusters if no cached folio is attached erofs: sunset `struct erofs_workgroup` erofs: move erofs_workgroup operations into zdata.c erofs: get rid of erofs_{find,insert}_workgroup erofs: add SEEK_{DATA,HOLE} support commit 029cc98dec2eadb5d0978b5fea9ae6c427f2a020 Author: Guixin Liu Date: Wed Nov 20 15:10:08 2024 +0800 nvme: tuning pr code by using defined structs and macros All the modifications are simply to make the code more readable, and this patch does not include any functional changes. Signed-off-by: Guixin Liu Reviewed-by: Christoph Hellwig Signed-off-by: Keith Busch commit 7d2f9f870f26798699585f96fa7a2a2cab38dc02 Author: Guixin Liu Date: Wed Nov 20 15:10:07 2024 +0800 nvme: introduce change ptpl and iekey definition This is for the next tuning pr code more readble patch, make linux/nvme.h's changes separately. Signed-off-by: Guixin Liu Reviewed-by: Christoph Hellwig Signed-off-by: Keith Busch commit a9685b409a03b73d2980bbfa53eb47555802d0a9 Author: Paul Aurich Date: Mon Nov 18 13:50:27 2024 -0800 smb: prevent use-after-free due to open_cached_dir error paths If open_cached_dir() encounters an error parsing the lease from the server, the error handling may race with receiving a lease break, resulting in open_cached_dir() freeing the cfid while the queued work is pending. Update open_cached_dir() to drop refs rather than directly freeing the cfid. Have cached_dir_lease_break(), cfids_laundromat_worker(), and invalidate_all_cached_dirs() clear has_lease immediately while still holding cfids->cfid_list_lock, and then use this to also simplify the reference counting in cfids_laundromat_worker() and invalidate_all_cached_dirs(). Fixes this KASAN splat (which manually injects an error and lease break in open_cached_dir()): ================================================================== BUG: KASAN: slab-use-after-free in smb2_cached_lease_break+0x27/0xb0 Read of size 8 at addr ffff88811cc24c10 by task kworker/3:1/65 CPU: 3 UID: 0 PID: 65 Comm: kworker/3:1 Not tainted 6.12.0-rc6-g255cf264e6e5-dirty #87 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 Workqueue: cifsiod smb2_cached_lease_break Call Trace: dump_stack_lvl+0x77/0xb0 print_report+0xce/0x660 kasan_report+0xd3/0x110 smb2_cached_lease_break+0x27/0xb0 process_one_work+0x50a/0xc50 worker_thread+0x2ba/0x530 kthread+0x17c/0x1c0 ret_from_fork+0x34/0x60 ret_from_fork_asm+0x1a/0x30 Allocated by task 2464: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 open_cached_dir+0xa7d/0x1fb0 smb2_query_path_info+0x43c/0x6e0 cifs_get_fattr+0x346/0xf10 cifs_get_inode_info+0x157/0x210 cifs_revalidate_dentry_attr+0x2d1/0x460 cifs_getattr+0x173/0x470 vfs_statx_path+0x10f/0x160 vfs_statx+0xe9/0x150 vfs_fstatat+0x5e/0xc0 __do_sys_newfstatat+0x91/0xf0 do_syscall_64+0x95/0x1a0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 2464: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x51/0x70 kfree+0x174/0x520 open_cached_dir+0x97f/0x1fb0 smb2_query_path_info+0x43c/0x6e0 cifs_get_fattr+0x346/0xf10 cifs_get_inode_info+0x157/0x210 cifs_revalidate_dentry_attr+0x2d1/0x460 cifs_getattr+0x173/0x470 vfs_statx_path+0x10f/0x160 vfs_statx+0xe9/0x150 vfs_fstatat+0x5e/0xc0 __do_sys_newfstatat+0x91/0xf0 do_syscall_64+0x95/0x1a0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Last potentially related work creation: kasan_save_stack+0x33/0x60 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x32/0x100 __queue_work+0x5c9/0x870 queue_work_on+0x82/0x90 open_cached_dir+0x1369/0x1fb0 smb2_query_path_info+0x43c/0x6e0 cifs_get_fattr+0x346/0xf10 cifs_get_inode_info+0x157/0x210 cifs_revalidate_dentry_attr+0x2d1/0x460 cifs_getattr+0x173/0x470 vfs_statx_path+0x10f/0x160 vfs_statx+0xe9/0x150 vfs_fstatat+0x5e/0xc0 __do_sys_newfstatat+0x91/0xf0 do_syscall_64+0x95/0x1a0 entry_SYSCALL_64_after_hwframe+0x76/0x7e The buggy address belongs to the object at ffff88811cc24c00 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 16 bytes inside of freed 1024-byte region [ffff88811cc24c00, ffff88811cc25000) Cc: stable@vger.kernel.org Signed-off-by: Paul Aurich Signed-off-by: Steve French commit 7afb86733685c64c604d32faf00fa4a1f22c2ab1 Author: Paul Aurich Date: Mon Nov 18 13:50:26 2024 -0800 smb: Don't leak cfid when reconnect races with open_cached_dir open_cached_dir() may either race with the tcon reconnection even before compound_send_recv() or directly trigger a reconnection via SMB2_open_init() or SMB_query_info_init(). The reconnection process invokes invalidate_all_cached_dirs() via cifs_mark_open_files_invalid(), which removes all cfids from the cfids->entries list but doesn't drop a ref if has_lease isn't true. This results in the currently-being-constructed cfid not being on the list, but still having a refcount of 2. It leaks if returned from open_cached_dir(). Fix this by setting cfid->has_lease when the ref is actually taken; the cfid will not be used by other threads until it has a valid time. Addresses these kmemleaks: unreferenced object 0xffff8881090c4000 (size 1024): comm "bash", pid 1860, jiffies 4295126592 hex dump (first 32 bytes): 00 01 00 00 00 00 ad de 22 01 00 00 00 00 ad de ........"....... 00 ca 45 22 81 88 ff ff f8 dc 4f 04 81 88 ff ff ..E"......O..... backtrace (crc 6f58c20f): [] __kmalloc_cache_noprof+0x2be/0x350 [] open_cached_dir+0x993/0x1fb0 [] cifs_readdir+0x15a0/0x1d50 [] iterate_dir+0x28f/0x4b0 [] __x64_sys_getdents64+0xfd/0x200 [] do_syscall_64+0x95/0x1a0 [] entry_SYSCALL_64_after_hwframe+0x76/0x7e unreferenced object 0xffff8881044fdcf8 (size 8): comm "bash", pid 1860, jiffies 4295126592 hex dump (first 8 bytes): 00 cc cc cc cc cc cc cc ........ backtrace (crc 10c106a9): [] __kmalloc_node_track_caller_noprof+0x363/0x480 [] kstrdup+0x36/0x60 [] open_cached_dir+0x9b0/0x1fb0 [] cifs_readdir+0x15a0/0x1d50 [] iterate_dir+0x28f/0x4b0 [] __x64_sys_getdents64+0xfd/0x200 [] do_syscall_64+0x95/0x1a0 [] entry_SYSCALL_64_after_hwframe+0x76/0x7e And addresses these BUG splats when unmounting the SMB filesystem: BUG: Dentry ffff888140590ba0{i=1000000000080,n=/} still in use (2) [unmount of cifs cifs] WARNING: CPU: 3 PID: 3433 at fs/dcache.c:1536 umount_check+0xd0/0x100 Modules linked in: CPU: 3 UID: 0 PID: 3433 Comm: bash Not tainted 6.12.0-rc4-g850925a8133c-dirty #49 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 RIP: 0010:umount_check+0xd0/0x100 Code: 8d 7c 24 40 e8 31 5a f4 ff 49 8b 54 24 40 41 56 49 89 e9 45 89 e8 48 89 d9 41 57 48 89 de 48 c7 c7 80 e7 db ac e8 f0 72 9a ff <0f> 0b 58 31 c0 5a 5b 5d 41 5c 41 5d 41 5e 41 5f e9 2b e5 5d 01 41 RSP: 0018:ffff88811cc27978 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff888140590ba0 RCX: ffffffffaaf20bae RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff8881f6fb6f40 RBP: ffff8881462ec000 R08: 0000000000000001 R09: ffffed1023984ee3 R10: ffff88811cc2771f R11: 00000000016cfcc0 R12: ffff888134383e08 R13: 0000000000000002 R14: ffff8881462ec668 R15: ffffffffaceab4c0 FS: 00007f23bfa98740(0000) GS:ffff8881f6f80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000556de4a6f808 CR3: 0000000123c80000 CR4: 0000000000350ef0 Call Trace: d_walk+0x6a/0x530 shrink_dcache_for_umount+0x6a/0x200 generic_shutdown_super+0x52/0x2a0 kill_anon_super+0x22/0x40 cifs_kill_sb+0x159/0x1e0 deactivate_locked_super+0x66/0xe0 cleanup_mnt+0x140/0x210 task_work_run+0xfb/0x170 syscall_exit_to_user_mode+0x29f/0x2b0 do_syscall_64+0xa1/0x1a0 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f23bfb93ae7 Code: ff ff ff ff c3 66 0f 1f 44 00 00 48 8b 0d 11 93 0d 00 f7 d8 64 89 01 b8 ff ff ff ff eb bf 0f 1f 44 00 00 b8 50 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e9 92 0d 00 f7 d8 64 89 01 48 RSP: 002b:00007ffee9138598 EFLAGS: 00000246 ORIG_RAX: 0000000000000050 RAX: 0000000000000000 RBX: 0000558f1803e9a0 RCX: 00007f23bfb93ae7 RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000558f1803e9a0 RBP: 0000558f1803e600 R08: 0000000000000007 R09: 0000558f17fab610 R10: d91d5ec34ab757b0 R11: 0000000000000246 R12: 0000000000000001 R13: 0000000000000000 R14: 0000000000000015 R15: 0000000000000000 irq event stamp: 1163486 hardirqs last enabled at (1163485): [] _raw_spin_unlock_irqrestore+0x34/0x60 hardirqs last disabled at (1163486): [] __schedule+0xc7c/0x19a0 softirqs last enabled at (1163482): [] __smb_send_rqst+0x3de/0x990 softirqs last disabled at (1163480): [] release_sock+0x21/0xf0 ---[ end trace 0000000000000000 ]--- VFS: Busy inodes after unmount of cifs (cifs) ------------[ cut here ]------------ kernel BUG at fs/super.c:661! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 1 UID: 0 PID: 3433 Comm: bash Tainted: G W 6.12.0-rc4-g850925a8133c-dirty #49 Tainted: [W]=WARN Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 RIP: 0010:generic_shutdown_super+0x290/0x2a0 Code: e8 15 7c f7 ff 48 8b 5d 28 48 89 df e8 09 7c f7 ff 48 8b 0b 48 89 ee 48 8d 95 68 06 00 00 48 c7 c7 80 7f db ac e8 00 69 af ff <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 90 90 90 90 90 90 RSP: 0018:ffff88811cc27a50 EFLAGS: 00010246 RAX: 000000000000003e RBX: ffffffffae994420 RCX: 0000000000000027 RDX: 0000000000000000 RSI: ffffffffab06180e RDI: ffff8881f6eb18c8 RBP: ffff8881462ec000 R08: 0000000000000001 R09: ffffed103edd6319 R10: ffff8881f6eb18cb R11: 00000000016d3158 R12: ffff8881462ec9c0 R13: ffff8881462ec050 R14: 0000000000000001 R15: 0000000000000000 FS: 00007f23bfa98740(0000) GS:ffff8881f6e80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f8364005d68 CR3: 0000000123c80000 CR4: 0000000000350ef0 Call Trace: kill_anon_super+0x22/0x40 cifs_kill_sb+0x159/0x1e0 deactivate_locked_super+0x66/0xe0 cleanup_mnt+0x140/0x210 task_work_run+0xfb/0x170 syscall_exit_to_user_mode+0x29f/0x2b0 do_syscall_64+0xa1/0x1a0 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f23bfb93ae7 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:generic_shutdown_super+0x290/0x2a0 Code: e8 15 7c f7 ff 48 8b 5d 28 48 89 df e8 09 7c f7 ff 48 8b 0b 48 89 ee 48 8d 95 68 06 00 00 48 c7 c7 80 7f db ac e8 00 69 af ff <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 90 90 90 90 90 90 RSP: 0018:ffff88811cc27a50 EFLAGS: 00010246 RAX: 000000000000003e RBX: ffffffffae994420 RCX: 0000000000000027 RDX: 0000000000000000 RSI: ffffffffab06180e RDI: ffff8881f6eb18c8 RBP: ffff8881462ec000 R08: 0000000000000001 R09: ffffed103edd6319 R10: ffff8881f6eb18cb R11: 00000000016d3158 R12: ffff8881462ec9c0 R13: ffff8881462ec050 R14: 0000000000000001 R15: 0000000000000000 FS: 00007f23bfa98740(0000) GS:ffff8881f6e80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f8364005d68 CR3: 0000000123c80000 CR4: 0000000000350ef0 This reproduces eventually with an SMB mount and two shells running these loops concurrently - while true; do cd ~; sleep 1; for i in {1..3}; do cd /mnt/test/subdir; echo $PWD; sleep 1; cd ..; echo $PWD; sleep 1; done; echo ...; done - while true; do iptables -F OUTPUT; mount -t cifs -a; for _ in {0..2}; do ls /mnt/test/subdir/ | wc -l; done; iptables -I OUTPUT -p tcp --dport 445 -j DROP; sleep 10 echo "unmounting"; umount -l -t cifs -a; echo "done unmounting"; sleep 20 echo "recovering"; iptables -F OUTPUT; sleep 10; done Fixes: ebe98f1447bb ("cifs: enable caching of directories for which a lease is held") Fixes: 5c86919455c1 ("smb: client: fix use-after-free in smb2_query_info_compound()") Cc: stable@vger.kernel.org Signed-off-by: Paul Aurich Signed-off-by: Steve French commit 0812340811e45ec4039d409049be53056182a552 Author: Paulo Alcantara Date: Mon Nov 18 12:35:16 2024 -0300 smb: client: handle max length for SMB symlinks We can't use PATH_MAX for SMB symlinks because (1) Windows Server will fail FSCTL_SET_REPARSE_POINT with STATUS_IO_REPARSE_DATA_INVALID when input buffer is larger than 16K, as specified in MS-FSA 2.1.5.10.37. (2) The client won't be able to parse large SMB responses that includes SMB symlink path within SMB2_CREATE or SMB2_IOCTL responses. Fix this by defining a maximum length value (4060) for SMB symlinks that both client and server can handle. Cc: David Howells Cc: stable@vger.kernel.org Signed-off-by: Paulo Alcantara (Red Hat) Signed-off-by: Steve French commit 9f544d26b15bfc52cf3a6e6a655f759e76c1a01a Author: Paulo Alcantara Date: Mon Nov 18 12:35:15 2024 -0300 smb: client: get rid of bounds check in SMB2_ioctl_init() smb2_set_next_command() no longer squashes request iovs into a single iov, so the bounds check can be dropped. Cc: David Howells Signed-off-by: Paulo Alcantara (Red Hat) Signed-off-by: Steve French commit bc925c1216f0848da96ac642fba3cb92ae1f4e06 Author: Paulo Alcantara Date: Mon Nov 18 12:35:14 2024 -0300 smb: client: improve compound padding in encryption After commit f7f291e14dde ("cifs: fix oops during encryption"), the encryption layer can handle vmalloc'd buffers as well as kmalloc'd buffers, so there is no need to inefficiently squash request iovs into a single one to handle padding in compound requests. Cc: David Howells Signed-off-by: Paulo Alcantara (Red Hat) Signed-off-by: Steve French commit 9ed9d83a51a9636d367c796252409e7b2f4de4d4 Author: Steve French Date: Mon Nov 18 12:19:46 2024 -0600 smb3: request handle caching when caching directories This client was only requesting READ caching, not READ and HANDLE caching in the LeaseState on the open requests we send for directories. To delay closing a handle (e.g. for caching directory contents) we should be requesting HANDLE as well as READ (as we already do for deferred close of files). See MS-SMB2 3.3.1.4 e.g. Cc: stable@vger.kernel.org Signed-off-by: Steve French commit 0d6b0d2e38167f4a3aa177191e3a10a9c3681a0c Author: Pali Rohár Date: Thu Oct 3 21:39:03 2024 +0200 cifs: Recognize SFU char/block devices created by Windows NFS server on Windows Server <<2012 Windows NFS server versions on Windows Server older than 2012 release use for storing char and block devices modified SFU format, not compatible with the original SFU. Windows NFS server on Windows Server 2012 and new versions use different format (reparse points), not related to SFU-style. SFU / SUA / Interix subsystem stores the major and major numbers as pair of 64-bit integer, but Windows NFS server stores as pair of 32-bit integers. Which makes char and block devices between Windows NFS server <<2012 and Windows SFU/SUA/Interix subsytem incompatible. So improve Linux SMB client. When SFU mode is enabled (mount option -o sfu is specified) then recognize also these kind of char and block devices and its major and minor numbers, which are used by Windows Server versions older than 2012. Signed-off-by: Pali Rohár Signed-off-by: Steve French commit db363b0a1d9e6b9dc556296f1b1007aeb496a8cf Author: Ritvik Budhiraja Date: Mon Nov 11 11:43:51 2024 +0000 CIFS: New mount option for cifs.upcall namespace resolution In the current implementation, the SMB filesystem on a mount point can trigger upcalls from the kernel to the userspace to enable certain functionalities like spnego, dns_resolution, amongst others. These upcalls usually either happen in the context of the mount or in the context of an application/user. The upcall handler for cifs, cifs.upcall already has existing code which switches the namespaces to the caller's namespace before handling the upcall. This behaviour is expected for scenarios like multiuser mounts, but might not cover all single user scenario with services such as Kubernetes, where the mount can happen from different locations such as on the host, from an app container, or a driver pod which does the mount on behalf of a different pod. This patch introduces a new mount option called upcall_target, to customise the upcall behaviour. upcall_target can take 'mount' and 'app' as possible values. This aids use cases like Kubernetes where the mount happens on behalf of the application in another container altogether. Having this new mount option allows the mount command to specify where the upcall should happen: 'mount' for resolving the upcall to the host namespace, and 'app' for resolving the upcall to the ns of the calling thread. This will enable both the scenarios where the Kerberos credentials can be found on the application namespace or the host namespace to which just the mount operation is "delegated". Reviewed-by: Shyam Prasad Reviewed-by: Bharath S M Reviewed-by: Ronnie Sahlberg Signed-off-by: Ritvik Budhiraja Signed-off-by: Steve French commit 7a2158b73c36903e8822dae5442c27d6d0e1014b Author: Dan Carpenter Date: Wed Nov 20 20:18:31 2024 +0300 smb/client: Prevent error pointer dereference The cifs_sb_tlink() function can return error pointers, but this code dereferences it before checking for error pointers. Re-order the code to fix that. Fixes: 0f9b6b045bb2 ("fs/smb/client: implement chmod() for SMB3 POSIX Extensions") Signed-off-by: Dan Carpenter Reviewed-by: Bharath SM Signed-off-by: Steve French commit d413eabff18d640031fc955d107ad9c03c3bf9f1 Author: Ralph Boehme Date: Thu Nov 14 11:05:13 2024 +0100 fs/smb/client: implement chmod() for SMB3 POSIX Extensions The NT ACL format for an SMB3 POSIX Extensions chmod() is a single ACE with the magic S-1-5-88-3-mode SID: NT Security Descriptor Revision: 1 Type: 0x8004, Self Relative, DACL Present Offset to owner SID: 56 Offset to group SID: 124 Offset to SACL: 0 Offset to DACL: 20 Owner: S-1-5-21-3177838999-3893657415-1037673384-1000 Group: S-1-22-2-1000 NT User (DACL) ACL Revision: NT4 (2) Size: 36 Num ACEs: 1 NT ACE: S-1-5-88-3-438, flags 0x00, Access Allowed, mask 0x00000000 Type: Access Allowed NT ACE Flags: 0x00 Size: 28 Access required: 0x00000000 SID: S-1-5-88-3-438 Owner and Group should be NULL, but the server is not required to fail the request if they are present. Signed-off-by: Ralph Boehme Cc: stable@vger.kernel.org Signed-off-by: Steve French commit 128630e1dbec8074c7707aad107299169047e68f Author: Paul Aurich Date: Fri Nov 8 14:29:02 2024 -0800 smb: cached directories can be more than root file handle Update this log message since cached fids may represent things other than the root of a mount. Fixes: e4029e072673 ("cifs: find and use the dentry for cached non-root directories also") Signed-off-by: Paul Aurich Reviewed-by: Bharath SM Signed-off-by: Steve French commit fcc79e1714e8c2b8e216dc3149812edd37884eef Merge: 6e95ef0258ff4e dd7207838d3878 Author: Linus Torvalds Date: Thu Nov 21 08:28:08 2024 -0800 Merge tag 'net-next-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next Pull networking updates from Paolo Abeni: "The most significant set of changes is the per netns RTNL. The new behavior is disabled by default, regression risk should be contained. Notably the new config knob PTP_1588_CLOCK_VMCLOCK will inherit its default value from PTP_1588_CLOCK_KVM, as the first is intended to be a more reliable replacement for the latter. Core: - Started a very large, in-progress, effort to make the RTNL lock scope per network-namespace, thus reducing the lock contention significantly in the containerized use-case, comprising: - RCU-ified some relevant slices of the FIB control path - introduce basic per netns locking helpers - namespacified the IPv4 address hash table - remove rtnl_register{,_module}() in favour of rtnl_register_many() - refactor rtnl_{new,del,set}link() moving as much validation as possible out of RTNL lock - convert all phonet doit() and dumpit() handlers to RCU - convert IPv4 addresses manipulation to per-netns RTNL - convert virtual interface creation to per-netns RTNL the per-netns lock infrastructure is guarded by the CONFIG_DEBUG_NET_SMALL_RTNL knob, disabled by default ad interim. - Introduce NAPI suspension, to efficiently switching between busy polling (NAPI processing suspended) and normal processing. - Migrate the IPv4 routing input, output and control path from direct ToS usage to DSCP macros. This is a work in progress to make ECN handling consistent and reliable. - Add drop reasons support to the IPv4 rotue input path, allowing better introspection in case of packets drop. - Make FIB seqnum lockless, dropping RTNL protection for read access. - Make inet{,v6} addresses hashing less predicable. - Allow providing timestamp OPT_ID via cmsg, to correlate TX packets and timestamps Things we sprinkled into general kernel code: - Add small file operations for debugfs, to reduce the struct ops size. - Refactoring and optimization for the implementation of page_frag API, This is a preparatory work to consolidate the page_frag implementation. Netfilter: - Optimize set element transactions to reduce memory consumption - Extended netlink error reporting for attribute parser failure. - Make legacy xtables configs user selectable, giving users the option to configure iptables without enabling any other config. - Address a lot of false-positive RCU issues, pointed by recent CI improvements. BPF: - Put xsk sockets on a struct diet and add various cleanups. Overall, this helps to bump performance by 12% for some workloads. - Extend BPF selftests to increase coverage of XDP features in combination with BPF cpumap. - Optimize and homogenize bpf_csum_diff helper for all archs and also add a batch of new BPF selftests for it. - Extend netkit with an option to delegate skb->{mark,priority} scrubbing to its BPF program. - Make the bpf_get_netns_cookie() helper available also to tc(x) BPF programs. Protocols: - Introduces 4-tuple hash for connected udp sockets, speeding-up significantly connected sockets lookup. - Add a fastpath for some TCP timers that usually expires after close, the socket lock contention. - Add inbound and outbound xfrm state caches to speed up state lookups. - Avoid sending MPTCP advertisements on stale subflows, reducing risks on loosing them. - Make neighbours table flushing more scalable, maintaining per device neigh lists. Driver API: - Introduce a unified interface to configure transmission H/W shaping, and expose it to user-space via generic-netlink. - Add support for per-NAPI config via netlink. This makes napi configuration persistent across queues removal and re-creation. Requires driver updates, currently supported drivers are: nVidia/Mellanox mlx4 and mlx5, Broadcom brcm and Intel ice. - Add ethtool support for writing SFP / PHY firmware blocks. - Track RSS context allocation from ethtool core. - Implement support for mirroring to DSA CPU port, via TC mirror offload. - Consolidate FDB updates notification, to avoid duplicates on device-specific entries. - Expose DPLL clock quality level to the user-space. - Support master-slave PHY config via device tree. Tests and tooling: - forwarding: introduce deferred commands, to simplify the cleanup phase Drivers: - Updated several drivers - Amazon vNic, Google vNic, Microsoft vNic, Intel e1000e and Broadcom Tigon3 - to use netdev-genl to link the IRQs and queues to NAPI IDs, allowing busy polling and better introspection. - Ethernet high-speed NICs: - nVidia/Mellanox: - mlx5: - a large refactor to implement support for cross E-Switch scheduling - refactor H/W conter management to let it scale better - H/W GRO cleanups - Intel (100G, ice):: - add support for ethtool reset - implement support for per TX queue H/W shaping - AMD/Solarflare: - implement per device queue stats support - Broadcom (bnxt): - improve wildcard l4proto on IPv4/IPv6 ntuple rules - Marvell Octeon: - Add representor support for each Resource Virtualization Unit (RVU) device. - Hisilicon: - add support for the BMC Gigabit Ethernet - IBM (EMAC): - driver cleanup and modernization - Cisco (VIC): - raise the queues number limit to 256 - Ethernet virtual: - Google vNIC: - implement page pool support - macsec: - inherit lower device's features and TSO limits when offloading - virtio_net: - enable premapped mode by default - support for XDP socket(AF_XDP) zerocopy TX - wireguard: - set the TSO max size to be GSO_MAX_SIZE, to aggregate larger packets. - Ethernet NICs embedded and virtual: - Broadcom ASP: - enable software timestamping - Freescale: - add enetc4 PF driver - MediaTek: Airoha SoC: - implement BQL support - RealTek r8169: - enable TSO by default on r8168/r8125 - implement extended ethtool stats - Renesas AVB: - enable TX checksum offload - Synopsys (stmmac): - support header splitting for vlan tagged packets - move common code for DWMAC4 and DWXGMAC into a separate FPE module. - add dwmac driver support for T-HEAD TH1520 SoC - Synopsys (xpcs): - driver refactor and cleanup - TI: - icssg_prueth: add VLAN offload support - Xilinx emaclite: - add clock support - Ethernet switches: - Microchip: - implement support for the lan969x Ethernet switch family - add LAN9646 switch support to KSZ DSA driver - Ethernet PHYs: - Marvel: 88q2x: enable auto negotiation - Microchip: add support for LAN865X Rev B1 and LAN867X Rev C1/C2 - PTP: - Add support for the Amazon virtual clock device - Add PtP driver for s390 clocks - WiFi: - mac80211 - EHT 1024 aggregation size for transmissions - new operation to indicate that a new interface is to be added - support radio separation of multi-band devices - move wireless extension spy implementation to libiw - Broadcom: - brcmfmac: optional LPO clock support - Microchip: - add support for Atmel WILC3000 - Qualcomm (ath12k): - firmware coredump collection support - add debugfs support for a multitude of statistics - Qualcomm (ath5k): - Arcadyan ARV45XX AR2417 & Gigaset SX76[23] AR241[34]A support - Realtek: - rtw88: 8821au and 8812au USB adapters support - rtw89: add thermal protection - rtw89: fine tune BT-coexsitence to improve user experience - rtw89: firmware secure boot for WiFi 6 chip - Bluetooth - add Qualcomm WCN785x support for ids Foxconn 0xe0fc/0xe0f3 and 0x13d3:0x3623 - add Realtek RTL8852BE support for id Foxconn 0xe123 - add MediaTek MT7920 support for wireless module ids - btintel_pcie: add handshake between driver and firmware - btintel_pcie: add recovery mechanism - btnxpuart: add GPIO support to power save feature" * tag 'net-next-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next: (1475 commits) mm: page_frag: fix a compile error when kernel is not compiled Documentation: tipc: fix formatting issue in tipc.rst selftests: nic_performance: Add selftest for performance of NIC driver selftests: nic_link_layer: Add selftest case for speed and duplex states selftests: nic_link_layer: Add link layer selftest for NIC driver bnxt_en: Add FW trace coredump segments to the coredump bnxt_en: Add a new ethtool -W dump flag bnxt_en: Add 2 parameters to bnxt_fill_coredump_seg_hdr() bnxt_en: Add functions to copy host context memory bnxt_en: Do not free FW log context memory bnxt_en: Manage the FW trace context memory bnxt_en: Allocate backing store memory for FW trace logs bnxt_en: Add a 'force' parameter to bnxt_free_ctx_mem() bnxt_en: Refactor bnxt_free_ctx_mem() bnxt_en: Add mem_valid bit to struct bnxt_ctx_mem_type bnxt_en: Update firmware interface spec to 1.10.3.85 selftests/bpf: Add some tests with sockmap SK_PASS bpf: fix recursive lock when verdict program return SK_PASS wireguard: device: support big tcp GSO wireguard: selftests: load nf_conntrack if not present ... commit 3fc5d5a182f6a1f8bd4dc775feb54c369dd2c343 Author: Chao Yu Date: Thu Nov 21 09:57:50 2024 +0800 f2fs: fix to shrink read extent node in batches We use rwlock to protect core structure data of extent tree during its shrink, however, if there is a huge number of extent nodes in extent tree, during shrink of extent tree, it may hold rwlock for a very long time, which may trigger kernel hang issue. This patch fixes to shrink read extent node in batches, so that, critical region of the rwlock can be shrunk to avoid its extreme long time hold. Reported-by: Xiuhong Wang Closes: https://lore.kernel.org/linux-f2fs-devel/20241112110627.1314632-1-xiuhong.wang@unisoc.com/ Signed-off-by: Xiuhong Wang Signed-off-by: Zhiguo Niu Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim commit 81520c684ca67aea6a589461a3caebb9b11dcc90 Author: Chao Yu Date: Wed Nov 20 14:58:50 2024 +0800 f2fs: print message if fscorrupted was found in f2fs_new_node_page() If fs corruption occurs in f2fs_new_node_page(), let's print more information about corrupted metadata into kernel log. Meanwhile, it updates to record ERROR_INCONSISTENT_NAT instead of ERROR_INVALID_BLKADDR if blkaddr in nat entry is not NULL_ADDR which means nat bitmap and nat entry is inconsistent. Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim commit ed31ba0aa7e93ecac62cfd445c3228345bdd87e6 Author: Matthew Brost Date: Wed Nov 13 09:17:51 2024 -0800 drm/xe: Mark preempt fence workqueue as reclaim Preempt fences are in the path of reclaim, and we signal these fences in the preempt workqueue. With that, we need to mark the preempt fence workqueue with reclaim so that this workqueue can make forward progress during reclaim. Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") Signed-off-by: Matthew Brost Reviewed-by: Rodrigo Vivi Link: https://patchwork.freedesktop.org/patch/msgid/20241113171751.1677784-1-matthew.brost@intel.com (cherry picked from commit 15cf53ece41748a102f4b5ee26947c2ec059bf95) Signed-off-by: Thomas Hellström commit 37a1cf288e4538eb39b38dbc745fe0da7ae53d94 Author: Nirmoy Das Date: Thu Nov 14 16:05:37 2024 +0100 drm/xe/ufence: Wake up waiters after setting ufence->signalled If a previous ufence is not signalled, vm_bind will return -EBUSY. Delaying the modification of ufence->signalled can cause issues if the UMD reuses the same ufence so update ufence->signalled before waking up waiters. Cc: Matthew Brost Link: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/3233 Fixes: 977e5b82e090 ("drm/xe: Expose user fence from xe_sync_entry") Reviewed-by: Matthew Brost Link: https://patchwork.freedesktop.org/patch/msgid/20241114150537.4161573-1-nirmoy.das@intel.com Signed-off-by: Nirmoy Das (cherry picked from commit 553a5d14fcd927194c409b10faced6a6dbc678d1) Signed-off-by: Thomas Hellström commit f88c7904b5c7e35ab8037e2a59e10d80adf6fd7e Author: Sheng Yong Date: Thu Nov 21 16:26:57 2024 +0800 f2fs: clear SBI_POR_DOING before initing inmem curseg SBI_POR_DOING can be cleared after recovery is completed, so that changes made before recovery can be persistent, and subsequent errors can be recorded into cp/sb. Signed-off-by: Song Feng Signed-off-by: Yongpeng Yang Signed-off-by: Sheng Yong Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim commit 1015035609e4ccb32e967015a600e01158377dfc Author: Sheng Yong Date: Thu Nov 21 16:26:56 2024 +0800 f2fs: fix changing cursegs if recovery fails on zoned device Fsync data recovery attempts to check and fix write pointer consistency of cursegs and all other zones. If the write pointers of cursegs are unaligned, cursegs are changed to new sections. If recovery fails, zone write pointers are still checked and fixed, but the latest checkpoint cannot be written back. Additionally, retry- mount skips recovery and rolls back to reuse the old cursegs whose zones are already finished. This can lead to unaligned write later. This patch addresses the issue by leaving writer pointers untouched if recovery fails. When retry-mount is performed, cursegs and other zones are checked and fixed after skipping recovery. Signed-off-by: Song Feng Signed-off-by: Yongpeng Yang Signed-off-by: Sheng Yong Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim commit a35749b1ed64ec7f4df0364fcc6002082d366486 Author: Daeho Jeong Date: Mon Nov 18 10:45:35 2024 -0800 f2fs: adjust unusable cap before checkpoint=disable mode The unusable cap value must be adjusted before checking whether checkpoint=disable is feasible. Signed-off-by: Daeho Jeong Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim commit 6787a82245857271133b63ae7f72f1dc9f29e985 Author: Chao Yu Date: Fri Nov 8 09:25:57 2024 +0800 f2fs: fix to requery extent which cross boundary of inquiry dd if=/dev/zero of=file bs=4k count=5 xfs_io file -c "fiemap -v 2 16384" file: EXT: FILE-OFFSET BLOCK-RANGE TOTAL FLAGS 0: [0..31]: 139272..139303 32 0x1000 1: [32..39]: 139304..139311 8 0x1001 xfs_io file -c "fiemap -v 0 16384" file: EXT: FILE-OFFSET BLOCK-RANGE TOTAL FLAGS 0: [0..31]: 139272..139303 32 0x1000 xfs_io file -c "fiemap -v 0 16385" file: EXT: FILE-OFFSET BLOCK-RANGE TOTAL FLAGS 0: [0..39]: 139272..139311 40 0x1001 There are two problems: - continuous extent is split to two - FIEMAP_EXTENT_LAST is missing in last extent The root cause is: if upper boundary of inquiry crosses extent, f2fs_map_blocks() will truncate length of returned extent to F2FS_BYTES_TO_BLK(len), and also, it will stop to query latter extent or hole to make sure current extent is last or not. In order to fix this issue, once we found an extent locates in the end of inquiry range by f2fs_map_blocks(), we need to expand inquiry range to requiry. Cc: stable@vger.kernel.org Fixes: 7f63eb77af7b ("f2fs: report unwritten area in f2fs_fiemap") Reported-by: Zhiguo Niu Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim commit 77569f785c8624fa4189795fb52e635a973672e5 Author: Zhiguo Niu Date: Fri Nov 8 09:25:56 2024 +0800 f2fs: fix to adjust appropriate length for fiemap If user give a file size as "length" parameter for fiemap operations, but if this size is non-block size aligned, it will show 2 segments fiemap results even this whole file is contiguous on disk, such as the following results: ./f2fs_io fiemap 0 19034 ylog/analyzer.py Fiemap: offset = 0 len = 19034 logical addr. physical addr. length flags 0 0000000000000000 0000000020baa000 0000000000004000 00001000 1 0000000000004000 0000000020bae000 0000000000001000 00001001 after this patch: ./f2fs_io fiemap 0 19034 ylog/analyzer.py Fiemap: offset = 0 len = 19034 logical addr. physical addr. length flags 0 0000000000000000 00000000315f3000 0000000000005000 00001001 Signed-off-by: Zhiguo Niu Signed-off-by: Jaegeuk Kim commit 7461f37094180200cb2f98e60ef99a0cea97beec Author: Chao Yu Date: Fri Nov 8 09:25:55 2024 +0800 f2fs: clean up w/ F2FS_{BLK_TO_BYTES,BTYES_TO_BLK} f2fs doesn't support different blksize in one instance, so bytes_to_blks() and blks_to_bytes() are equal to F2FS_BYTES_TO_BLK and F2FS_BLK_TO_BYTES, let's use F2FS_BYTES_TO_BLK/F2FS_BLK_TO_BYTES instead for cleanup. Reviewed-by: Zhiguo Niu Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim commit 3273d8ad947dea925a65a78ca29e5351c960c801 Author: Chao Yu Date: Fri Nov 8 09:25:54 2024 +0800 f2fs: fix to do cast in F2FS_{BLK_TO_BYTES, BTYES_TO_BLK} to avoid overflow It missed to cast variable to unsigned long long type before bit shift, which will cause overflow, fix it. Fixes: f7ef9b83b583 ("f2fs: introduce macros to convert bytes and blocks in f2fs") Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim commit 789ca0eb47f7782b3230ab0957eabd7967b78cae Author: Daniel Yang Date: Sun Nov 17 23:01:40 2024 -0800 f2fs: replace deprecated strcpy with strscpy strcpy is deprecated. Kernel docs recommend replacing strcpy with strscpy. The function strcpy() return value isn't used so there shouldn't be an issue replacing with the safer alternative strscpy. Signed-off-by: Daniel Yang Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim commit acff9409dd40beaca2bd982678d222e2740ad84b Author: Jaegeuk Kim Date: Tue Nov 12 01:04:58 2024 +0000 Revert "f2fs: remove unreachable lazytime mount option parsing" This reverts commit 54f43a10fa257ad4af02a1d157fefef6ebcfa7dc. The above commit broke the lazytime mount, given mount("/dev/vdb", "/mnt/test", "f2fs", 0, "lazytime"); CC: stable@vger.kernel.org # 6.11+ Signed-off-by: Daniel Rosenberg Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim commit 6e95ef0258ff4ee23ae3b06bf6b00b33dbbd5ef7 Merge: 43fb83c17ba2d6 2c8b09ac253729 Author: Linus Torvalds Date: Thu Nov 21 08:11:04 2024 -0800 Merge tag 'bpf-next-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next Pull bpf updates from Alexei Starovoitov: - Add BPF uprobe session support (Jiri Olsa) - Optimize uprobe performance (Andrii Nakryiko) - Add bpf_fastcall support to helpers and kfuncs (Eduard Zingerman) - Avoid calling free_htab_elem() under hash map bucket lock (Hou Tao) - Prevent tailcall infinite loop caused by freplace (Leon Hwang) - Mark raw_tracepoint arguments as nullable (Kumar Kartikeya Dwivedi) - Introduce uptr support in the task local storage map (Martin KaFai Lau) - Stringify errno log messages in libbpf (Mykyta Yatsenko) - Add kmem_cache BPF iterator for perf's lock profiling (Namhyung Kim) - Support BPF objects of either endianness in libbpf (Tony Ambardar) - Add ksym to struct_ops trampoline to fix stack trace (Xu Kuohai) - Introduce private stack for eligible BPF programs (Yonghong Song) - Migrate samples/bpf tests to selftests/bpf test_progs (Daniel T. Lee) - Migrate test_sock to selftests/bpf test_progs (Jordan Rife) * tag 'bpf-next-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next: (152 commits) libbpf: Change hash_combine parameters from long to unsigned long selftests/bpf: Fix build error with llvm 19 libbpf: Fix memory leak in bpf_program__attach_uprobe_multi bpf: use common instruction history across all states bpf: Add necessary migrate_disable to range_tree. bpf: Do not alloc arena on unsupported arches selftests/bpf: Set test path for token/obj_priv_implicit_token_envvar selftests/bpf: Add a test for arena range tree algorithm bpf: Introduce range_tree data structure and use it in bpf arena samples/bpf: Remove unused variable in xdp2skb_meta_kern.c samples/bpf: Remove unused variables in tc_l2_redirect_kern.c bpftool: Cast variable `var` to long long bpf, x86: Propagate tailcall info only for subprogs bpf: Add kernel symbol for struct_ops trampoline bpf: Use function pointers count as struct_ops links count bpf: Remove unused member rcu from bpf_struct_ops_map selftests/bpf: Add struct_ops prog private stack tests bpf: Support private stack for struct_ops progs selftests/bpf: Add tracing prog private stack tests bpf, x86: Support private stack in jit ... commit 944477516bda30bc11e2c30e355da8dd6df48aaf Merge: 34267d3c26fe5e af264e5989055a Author: Miquel Raynal Date: Thu Nov 21 17:04:19 2024 +0100 Merge tag 'nand/for-6.13' into mtd/next SPI-NAND changes: A load of fixes to Winbond manufacturer driver have been done, plus a structure constification. Raw NAND changes: The GPMI driver has been improved on the power management side. The Davinci driver has been cleaned up. A leak in the Atmel driver plus some typos in the core have been fixed. commit 3f925cd6287401bbc9d568f56d796a69c8bd292a Author: Bjorn Helgaas Date: Fri Nov 15 15:44:28 2024 -0600 PCI/pwrctrl: Rename pwrctrl functions and structures Rename pwrctrl functions and structures from "pwrctl" to "pwrctrl" to match the similar file renames. Link: https://lore.kernel.org/r/20241115214428.2061153-3-helgaas@kernel.org Signed-off-by: Bjorn Helgaas Signed-off-by: Krzysztof Wilczyński Acked-by: Krzysztof Wilczyński commit b88cbaaa6fa109c2eb455d8fe2a318de0d197ea2 Author: Bjorn Helgaas Date: Fri Nov 15 15:44:27 2024 -0600 PCI/pwrctrl: Rename pwrctl files to pwrctrl To slightly reduce confusion between "pwrctl" (the power controller and power sequencing framework) and "bwctrl" (the bandwidth controller), rename "pwrctl" to "pwrctrl" so they use the same "ctrl" suffix. Rename drivers/pci/pwrctl/ to drivers/pci/pwrctrl/, including the related MAINTAINERS, include file (include/linux/pci-pwrctl.h), Makefile, and Kconfig changes. This is the minimal rename of files only. A subsequent commit will rename functions and data structures. Link: https://lore.kernel.org/r/20241115214428.2061153-2-helgaas@kernel.org Signed-off-by: Bjorn Helgaas Signed-off-by: Krzysztof Wilczyński Acked-by: Krzysztof Wilczyński commit 681725afb6b91dfa581f4eba5f256ac5e953b463 Author: Manivannan Sadhasivam Date: Fri Oct 25 13:24:55 2024 +0530 PCI/pwrctl: Remove pwrctl device without iterating over all children of pwrctl parent There is no need to iterate over all children of the pwrctl device parent to remove the pwrctl device. Since the pwrctl device associated with the PCI device can be found using of_find_device_by_node() API, use it directly instead. Any pwrctl devices lying around without getting associated with the PCI devices will be removed once their parent device gets removed. Link: https://lore.kernel.org/r/20241025-pci-pwrctl-rework-v2-5-568756156cbe@linaro.org Tested-by: Bartosz Golaszewski Tested-by: Krishna chaitanya chundru Signed-off-by: Manivannan Sadhasivam [bhelgaas: commit log] Signed-off-by: Bjorn Helgaas Signed-off-by: Krzysztof Wilczyński Reviewed-by: Bartosz Golaszewski commit b458ff7e8176523b9d5a8d33f2487f29d7096eb1 Author: Manivannan Sadhasivam Date: Fri Oct 25 13:24:53 2024 +0530 PCI/pwrctl: Ensure that pwrctl drivers are probed before PCI client drivers As per the kernel device driver model, a pwrctl device is the supplier for the PCI device, but the device link that enforces the supplier-consumer relationship was previously created by the pwrctl driver. Therefore, the driver model didn't prevent probing PCI client drivers before probing the corresponding pwrctl drivers. This may lead to a race condition if the PCI device was already powered on by the bootloader (before the pwrctl driver). If the bootloader did not power on the PCI device, this wouldn't create any problem as the pwrctl driver will be the one powering on the device, so the PCI client driver always gets probed afterward. But if the device was already powered on, then the device will be seen by the PCI core and the PCI client driver may get probed before its pwrctl driver. This creates a race condition as the pwrctl driver may change the device power state while the device is being accessed by the client driver. One such issue was already reported on the Qcom X13s platform with the WLAN device and fixed with a hack in the WCN pwrseq driver by a9aaf1ff88a8 ("power: sequencing: request the WLAN enable GPIO as-is"). A cleaner way to fix the above mentioned race condition is to ensure that the pwrctl drivers are always probed before the client drivers. If the PCI device is associated with a pwrctl platform device with a power supply, add a device link between the PCI device and the pwrctl device before device_attach() in pci_bus_add_device(). Note that there is no need to explicitly remove the device link as that will be taken care of by the driver core when the PCI device gets removed. Fixes: 4565d2652a37 ("PCI/pwrctl: Add PCI power control core code") Fixes: 8fb18619d910 ("PCI/pwrctl: Create platform devices for child OF nodes of the port node") Link: https://lore.kernel.org/r/20241025-pci-pwrctl-rework-v2-3-568756156cbe@linaro.org Tested-by: Bartosz Golaszewski Tested-by: Krishna chaitanya chundru Signed-off-by: Manivannan Sadhasivam [bhelgaas: squash fix from https://lore.kernel.org/r/20241120062459.6371-1-manivannan.sadhasivam@linaro.org for SPARCv9 issue reported by Jonathan Currier ] Signed-off-by: Bjorn Helgaas [kwilczynski: wrap code to 80 columns] Signed-off-by: Krzysztof Wilczyński Reviewed-by: Bartosz Golaszewski Cc: stable+noautosel@kernel.org # Depends on power supply check commit 278dd091e95d428eea0a2c3c517d895b052de5ff Author: Manivannan Sadhasivam Date: Fri Oct 25 13:24:52 2024 +0530 PCI/pwrctl: Create pwrctl device only if at least one power supply is present Currently, pwrctl devices are created if the corresponding PCI nodes are defined in devicetree. But this is not correct, because not all PCI nodes require pwrctl support. Pwrctl comes into the picture only when the device requires kernel to manage its power state. This can be determined using the power supply properties present in the devicetree node of the device. Add of_pci_supply_present() to check whether the devicetree contains at least one power supply property for a device. If one is present, create a pwrctl device for that PCI node. Suggested-by: Dmitry Baryshkov Fixes: 8fb18619d910 ("PCI/pwrctl: Create platform devices for child OF nodes of the port node") Link: https://lore.kernel.org/r/20241025-pci-pwrctl-rework-v2-2-568756156cbe@linaro.org Tested-by: Bartosz Golaszewski Tested-by: Krishna chaitanya chundru Signed-off-by: Manivannan Sadhasivam [bhelgaas: rename of_pci_is_supply_present() to of_pci_supply_present() for readability] Signed-off-by: Bjorn Helgaas Signed-off-by: Krzysztof Wilczyński Reviewed-by: Bartosz Golaszewski Cc: stable+noautosel@kernel.org # Depends on of_platform_device_create() rework commit 7582fe07f4ca4c560eb47800b640997f06a8baa2 Author: Manivannan Sadhasivam Date: Fri Oct 25 13:24:51 2024 +0530 PCI/pwrctl: Use of_platform_device_create() to create pwrctl devices The of_platform_populate() API creates platform devices by descending through the children of the parent node. But it provides no control over the child nodes, which makes it difficult to add checks for the child nodes in the future. Use of_platform_device_create() and for_each_child_of_node_scoped() to make it possible to add checks for each node before creating the platform device. Link: https://lore.kernel.org/r/20241025-pci-pwrctl-rework-v2-1-568756156cbe@linaro.org Tested-by: Bartosz Golaszewski Tested-by: Krishna chaitanya chundru Signed-off-by: Manivannan Sadhasivam Signed-off-by: Bjorn Helgaas Signed-off-by: Krzysztof Wilczyński Reviewed-by: Bartosz Golaszewski commit 351f2bfe6362c663f45f5c6111f14365cfd094ab Author: Kory Maincent (Dent Project) Date: Thu Nov 21 15:42:28 2024 +0100 regulator: core: Ignore unset max_uA constraints in current limit check We should only consider max_uA constraints if they are explicitly defined. In cases where it is not set, we should assume the regulator has no current limit. Signed-off-by: Kory Maincent Link: https://patch.msgid.link/20241121-feature_poe_port_prio-v3-2-83299fa6967c@bootlin.com Signed-off-by: Mark Brown commit ee116574de8415b0673c466e6cd28ba5f70c41a2 Author: Jens Axboe Date: Thu Nov 21 07:12:17 2024 -0700 io_uring/nop: ensure nop->fd is always initialized A previous commit added file support for nop, but it only initializes nop->fd if IORING_NOP_FIXED_FILE is set. That check should be IORING_NOP_FILE. Fix up the condition in nop preparation, and initialize it to a sane value even if we're not going to be directly using it. While in there, do the same thing for the nop->buffer field. Reported-by: syzbot+9a8500a45c2cabdf9577@syzkaller.appspotmail.com Fixes: a85f31052bce ("io_uring/nop: add support for testing registered files and buffers") Signed-off-by: Jens Axboe commit f46b9cdb22f7a167c36b6bcddaef7e8aee2598fa Author: David Wei Date: Wed Nov 20 14:14:52 2024 -0800 io_uring: limit local tw done Instead of eagerly running all available local tw, limit the amount of local tw done to the max of IO_LOCAL_TW_DEFAULT_MAX (20) or wait_nr. The value of 20 is chosen as a reasonable heuristic to allow enough work batching but also keep latency down. Add a retry_llist that maintains a list of local tw that couldn't be done in time. No synchronisation is needed since it is only modified within the task context. Signed-off-by: David Wei Link: https://lore.kernel.org/r/20241120221452.3762588-3-dw@davidwei.uk Signed-off-by: Jens Axboe commit 40cfe553240b32333b42652370ef5232e6ac59e1 Author: David Wei Date: Wed Nov 20 14:14:51 2024 -0800 io_uring: add io_local_work_pending() In preparation for adding a new llist of tw to retry due to hitting the tw limit, add a helper io_local_work_pending(). This function returns true if there is any local tw pending. For now it only checks ctx->work_llist. Signed-off-by: David Wei Reviewed-by: Pavel Begunkov Link: https://lore.kernel.org/r/20241120221452.3762588-2-dw@davidwei.uk Signed-off-by: Jens Axboe commit f32c3f01c21cdd6a354988006aaca5e3dfe478f9 Author: liujing Date: Wed Nov 13 09:57:58 2024 +0800 ASoC: apple: Fix the wrong format specifier In the mca_fe_hw_params(), the variable tdm_slot_width is of type unsigned int, so the output should be %u Signed-off-by: liujing Link: https://patch.msgid.link/20241113015758.5441-1-liujing@cmss.chinamobile.com Signed-off-by: Mark Brown commit e038f43edaf0083f6aa7c9415d86cf28dfd152f9 Author: Charles Han Date: Mon Nov 18 16:45:53 2024 +0800 ASoC: imx-audmix: Add NULL check in imx_audmix_probe devm_kasprintf() can return a NULL pointer on failure,but this returned value in imx_audmix_probe() is not checked. Add NULL check in imx_audmix_probe(), to handle kernel NULL pointer dereference error. Fixes: 05d996e11348 ("ASoC: imx-audmix: Split capture device for audmix") Signed-off-by: Charles Han Link: https://patch.msgid.link/20241118084553.4195-1-hanchunchao@inspur.com Signed-off-by: Mark Brown commit 9e141955ede223d82251a59644ff9448a5aba580 Author: Antonio Quartulli Date: Fri Nov 15 23:02:02 2024 +0100 spi-imx: prevent overflow when estimating transfer time The words delay is computed by multiplying two unsigned ints and by adding up the result to a u64 variable. The multiplication, however, is performed with 32bit math thus losing data when the actual result is larger than UINT32_MAX. Fix the operation by casting the first operand to u64, thus forcing the multiplication to be performed with 64bit math. This fixes 1 OVERFLOW_BEFORE_WIDEN issue reported by Coverity Report: CID 1601859: Integer handling issues (OVERFLOW_BEFORE_WIDEN) Cc: Mark Brown Cc: Shawn Guo Cc: Sascha Hauer Cc: Pengutronix Kernel Team Cc: Fabio Estevam Cc: imx@lists.linux.dev Cc: linux-arm-kernel@lists.infradead.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Antonio Quartulli Link: https://patch.msgid.link/20241115220202.31086-1-antonio@mandelbit.com Signed-off-by: Mark Brown commit 7ef3ae82a6ebbf4750967d1ce43bcdb7e44ff74b Author: Alex Zenla Date: Tue Nov 19 21:16:33 2024 +0000 9p/xen: fix init sequence Large amount of mount hangs observed during hotplugging of 9pfs devices. The 9pfs Xen driver attempts to initialize itself more than once, causing the frontend and backend to disagree: the backend listens on a channel that the frontend does not send on, resulting in stalled processing. Only allow initialization of 9p frontend once. Fixes: c15fe55d14b3b ("9p/xen: fix connection sequence") Signed-off-by: Alex Zenla Signed-off-by: Alexander Merritt Signed-off-by: Ariadne Conill Reviewed-by: Juergen Gross Message-ID: <20241119211633.38321-1-alexander@edera.dev> Signed-off-by: Dominique Martinet commit c74bfe4ffe8c1ca94e3d60ec7af06cf679e23583 Author: Yong-Xuan Wang Date: Fri Jul 26 16:49:30 2024 +0800 KVM: riscv: selftests: Add Svade and Svadu Extension to get-reg-list test Update the get-reg-list test to test the Svade and Svadu Extensions are available for guest OS. Signed-off-by: Yong-Xuan Wang Reviewed-by: Andrew Jones Acked-by: Palmer Dabbelt Link: https://lore.kernel.org/r/20240726084931.28924-6-yongxuan.wang@sifive.com Signed-off-by: Anup Patel commit 97eccf7db4f2e5e59d16bca45f7803ae3aeff6e1 Author: Yong-Xuan Wang Date: Fri Jul 26 16:49:28 2024 +0800 RISC-V: KVM: Add Svade and Svadu Extensions Support for Guest/VM We extend the KVM ISA extension ONE_REG interface to allow VMM tools to detect and enable Svade and Svadu extensions for Guest/VM. Since the henvcfg.ADUE is read-only zero if the menvcfg.ADUE is zero, the Svadu extension is available for Guest/VM and the Svade extension is allowed to disabledonly when arch_has_hw_pte_young() is true. Signed-off-by: Yong-Xuan Wang Reviewed-by: Andrew Jones Reviewed-by: Samuel Holland Acked-by: Palmer Dabbelt Link: https://lore.kernel.org/r/20240726084931.28924-4-yongxuan.wang@sifive.com Signed-off-by: Anup Patel commit b8d481671703c4ba24bb250a99225e0e3d8aedac Author: Yong-Xuan Wang Date: Fri Jul 26 16:49:27 2024 +0800 dt-bindings: riscv: Add Svade and Svadu Entries Add entries for the Svade and Svadu extensions to the riscv,isa-extensions property. Signed-off-by: Yong-Xuan Wang Acked-by: Conor Dooley Reviewed-by: Alexandre Ghiti Reviewed-by: Samuel Holland Acked-by: Palmer Dabbelt Link: https://lore.kernel.org/r/20240726084931.28924-3-yongxuan.wang@sifive.com Signed-off-by: Anup Patel commit 94a7734d0967e89fac5be1fd5115f5194e4a4017 Author: Yong-Xuan Wang Date: Fri Jul 26 16:49:26 2024 +0800 RISC-V: Add Svade and Svadu Extensions Support Svade and Svadu extensions represent two schemes for managing the PTE A/D bits. When the PTE A/D bits need to be set, Svade extension intdicates that a related page fault will be raised. In contrast, the Svadu extension supports hardware updating of PTE A/D bits. Since the Svade extension is mandatory and the Svadu extension is optional in RVA23 profile, by default the M-mode firmware will enable the Svadu extension in the menvcfg CSR when only Svadu is present in DT. This patch detects Svade and Svadu extensions from DT and adds arch_has_hw_pte_young() to enable optimization in MGLRU and __wp_page_copy_user() when we have the PTE A/D bits hardware updating support. Co-developed-by: Jinyu Tang Signed-off-by: Jinyu Tang Signed-off-by: Yong-Xuan Wang Reviewed-by: Andrew Jones Reviewed-by: Alexandre Ghiti Acked-by: Palmer Dabbelt Link: https://lore.kernel.org/r/20240726084931.28924-2-yongxuan.wang@sifive.com Signed-off-by: Anup Patel commit 45c9f2b856a075a34873d00788d2e8a250c1effd Author: Vasily Gorbik Date: Tue Nov 19 14:54:07 2024 +0100 s390/entry: Mark IRQ entries to fix stack depot warnings The stack depot filters out everything outside of the top interrupt context as an uninteresting or irrelevant part of the stack traces. This helps with stack trace de-duplication, avoiding an explosion of saved stack traces that share the same IRQ context code path but originate from different randomly interrupted points, eventually exhausting the stack depot. Filtering uses in_irqentry_text() to identify functions within the .irqentry.text and .softirqentry.text sections, which then become the last stack trace entries being saved. While __do_softirq() is placed into the .softirqentry.text section by common code, populating .irqentry.text is architecture-specific. Currently, the .irqentry.text section on s390 is empty, which prevents stack depot filtering and de-duplication and could result in warnings like: Stack depot reached limit capacity WARNING: CPU: 0 PID: 286113 at lib/stackdepot.c:252 depot_alloc_stack+0x39a/0x3c8 with PREEMPT and KASAN enabled. Fix this by moving the IO/EXT interrupt handlers from .kprobes.text into the .irqentry.text section and updating the kprobes blacklist to include the .irqentry.text section. This is done only for asynchronous interrupts and explicitly not for program checks, which are synchronous and where the context beyond the program check is important to preserve. Despite machine checks being somewhat in between, they are extremely rare, and preserving context when possible is also of value. SVCs and Restart Interrupts are not relevant, one being always at the boundary to user space and the other being a one-time thing. IRQ entries filtering is also optionally used in ftrace function graph, where the same logic applies. Cc: stable@vger.kernel.org # 5.15+ Reviewed-by: Heiko Carstens Signed-off-by: Vasily Gorbik Signed-off-by: Heiko Carstens commit 7bc1ee28f4d21fc1e2f3d09534baf86ce7f3ba5e Author: Thomas Richter Date: Tue Nov 19 13:22:47 2024 +0100 s390/cpum_sf: Simplify release of SDBs and SDBTs Free_sampling_buffer() releases the Sampling Data Buffers (SDBs) and Sampling Data Buffer Table (SDBTs) allocated at event initialization. Both buffers are of PAGE_SIZE bytes. Each SDBT consists of 512 entries. The first 511 entries point to SDBs the last entry points to a successor SDBT. The last SDBT in the list points to the origin of all SDBTs. SDBTs do not contain holes, that is an entry always points to a SDB. If less than 511 SDBs have been allocation, the last entry points to the origin SDBT. Simplify the release of the SDBs and SDBTs, walk along the SDBT chain, release SDBs and SDBTs and stop when reaching the origin again. Signed-off-by: Thomas Richter Reviewed-by: Sumanth Korikkar Signed-off-by: Heiko Carstens commit 9c7260b527f0f7c75a9c0fee297663d1acc40937 Author: Claudio Imbrenda Date: Fri Nov 15 14:56:11 2024 +0100 s390/vfio-ap: Remove gmap_convert_to_secure() from vfio_ap_ops If the page has been exported, do not re-import it. Imports should only be triggered by the guest. The guest will import the page automatically when it will need it again, there is no advantage in importing it manually. Moreover, vfio_pin_pages() will take an extra reference on the page and thus will cause the import to always fail. The extra reference would be dropped only after pointlessly trying to import the page. Fixes: f88fb1335733 ("s390/vfio-ap: make sure nib is shared") Signed-off-by: Claudio Imbrenda Reviewed-by: Halil Pasic Link: https://lore.kernel.org/r/20241115135611.87836-1-imbrenda@linux.ibm.com Signed-off-by: Heiko Carstens commit 588a9836a4ef7ec3bfcffda526dfa399637e6cfc Author: Heiko Carstens Date: Mon Nov 18 13:14:07 2024 +0100 s390/stacktrace: Use break instead of return statement arch_stack_walk_user_common() contains a return statement instead of a break statement in case store_ip() fails while trying to store a callchain entry of a user space process. This may lead to a missing pagefault_enable() call. If this happens any subsequent page fault of the process won't be resolved by the page fault handler and this in turn will lead to the process being killed. Use a break instead of a return statement to fix this. Fixes: ebd912ff9919 ("s390/stacktrace: Merge perf_callchain_user() and arch_stack_walk_user()") Cc: stable@vger.kernel.org Reviewed-by: Jens Remus Signed-off-by: Heiko Carstens commit 2f32cc40f1440a6aa9e7396af41db79bece67bb2 Author: Alexander Gordeev Date: Fri Nov 8 14:27:43 2024 +0100 s390/mm: Remove bogus comment in __tlb_flush_mm() Since commit b3e5dc45fd1e ("s390/mm: fix local TLB flushing vs. detach of an mm address space") __tlb_flush_mm() does not flush local CPU, but the comment suggests it does, which is misleading. Signed-off-by: Alexander Gordeev Acked-by: Heiko Carstens Signed-off-by: Heiko Carstens commit 897614f90f7cd9fd7f5b7acca24dfb55b6c0c4ae Author: Niklas Schnelle Date: Thu Nov 14 16:46:02 2024 +0100 s390/debug: Pass in and enforce output buffer size for format handlers The s390dbf format handler rely on being passed an output buffer sized such that their output will always fit and then use plain sprintf() to write to it. While only supplied data from other kernel components this still potentially allows buffer overwrite if callers are not careful. Instead just pass in the size of the output buffer and use scnprintf() instead of sprintf() and strscpy() instead of strcpy(). The latter also allows us to get rid of a separate strlen() call. Signed-off-by: Niklas Schnelle Reviewed-by: Heiko Carstens Signed-off-by: Heiko Carstens commit d2913a07d9037fe7aed4b7e680684163eaed6bc4 Author: Takashi Iwai Date: Wed Nov 20 15:11:02 2024 +0100 ALSA: pcm: Add sanity NULL check for the default mmap fault handler A driver might allow the mmap access before initializing its runtime->dma_area properly. Add a proper NULL check before passing to virt_to_page() for avoiding a panic. Reported-by: syzbot+4bf62a7b1d0f4fdb7ae2@syzkaller.appspotmail.com Cc: Link: https://patch.msgid.link/20241120141104.7060-1-tiwai@suse.de Signed-off-by: Takashi Iwai commit 56386292a0b44b550432aaff92f28e0d0d0f0209 Author: Hridesh MG Date: Wed Nov 20 21:25:51 2024 +0530 ALSA: docs: fix dead hyperlink to Intel HD-Audio spec Update the hyperlink as it currently redirects to a generic site instead of the actual specification. Signed-off-by: Hridesh MG Link: https://patch.msgid.link/20241120155553.21099-1-hridesh699@gmail.com Signed-off-by: Takashi Iwai commit 1508bae37044ebffd7c7e09915f041936f338123 Merge: 9ee62c33c0fe01 13905f4547b050 Author: Paolo Bonzini Date: Thu Nov 21 06:00:16 2024 -0500 Merge tag 'kvmarm-fixes-6.13-1' of https://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm into HEAD KVM/arm64 changes for 6.13, part #2 - Constrain invalidations from GICR_INVLPIR to only affect the LPI INTID space - Set of robustness improvements to the management of vgic irqs and GIC ITS table entries - Fix compilation issue w/ CONFIG_CC_OPTIMIZE_FOR_SIZE=y where set_sysreg_masks() wasn't getting inlined, breaking check for a constant sysreg index - Correct KVM's vPMU overflow condition to match the architecture for hyp and non-hyp counters commit 3e5360167ac3bccdc032cdafa68d4904a8fa0c75 Author: Christian Brauner Date: Wed Nov 20 09:17:25 2024 +0100 statmount: fix security option retrieval Fix the inverted check for security_sb_show_options(). Link: https://lore.kernel.org/r/c8eaa647-5d67-49b6-9401-705afcb7e4d7@stanley.mountain Link: https://lore.kernel.org/r/20241120-verehren-rhabarber-83a11b297bcc@brauner Fixes: aefff51e1c29 ("statmount: retrieve security mount options") Reviewed-by: Jeff Layton Reported-by: Dan Carpenter Cc: stable@vger.kernel.org # mainline only Signed-off-by: Christian Brauner commit d18516a0218da360dd27ae204acbd8d1440f6d6b Author: Miklos Szeredi Date: Wed Nov 20 15:27:23 2024 +0100 statmount: clean up unescaped option handling Move common code from opt_array/opt_sec_array to helper. This helper does more than just unescape options, so rename to statmount_opt_process(). Handle corner case of just a single character in options. Rename some local variables to better describe their function. Signed-off-by: Miklos Szeredi Link: https://lore.kernel.org/r/20241120142732.55210-1-mszeredi@redhat.com Reviewed-by: Jeff Layton Signed-off-by: Christian Brauner commit b3e2963916ec70e4c6927e68d1b5d0916afb139a Merge: a514e6f8f5caa2 fde4c4c3ec1c15 Author: Christian Brauner Date: Wed Nov 20 09:32:29 2024 +0100 Merge patch series "iomap: zero range flush fixes" Brian Foster says: Here's v4 of the zero range flush improvements. No real major changes here, mostly minor whitespace, naming issues, etc. * patches from https://lore.kernel.org/r/20241115200155.593665-1-bfoster@redhat.com: iomap: elide flush from partial eof zero range iomap: lift zeroed mapping handling into iomap_zero_range() iomap: reset per-iter state on non-error iter advances Link: https://lore.kernel.org/r/20241115200155.593665-1-bfoster@redhat.com Signed-off-by: Christian Brauner commit a514e6f8f5caa24413731bed54b322bd34d918dd Author: Thorsten Blum Date: Fri Jun 28 08:23:30 2024 +0200 fscache: Remove duplicate included header Remove duplicate included header file linux/uio.h Reviewed-by: Simon Horman Signed-off-by: Thorsten Blum Link: https://lore.kernel.org/r/20240628062329.321162-2-thorsten.blum@toblux.com Reviewed-by: Jeff Layton Signed-off-by: Christian Brauner commit fde4c4c3ec1c1590eb09f97f9525fa7dd8df8343 Author: Brian Foster Date: Fri Nov 15 15:01:55 2024 -0500 iomap: elide flush from partial eof zero range iomap zero range flushes pagecache in certain situations to determine which parts of the range might require zeroing if dirty data is present in pagecache. The kernel robot recently reported a regression associated with this flushing in the following stress-ng workload on XFS: stress-ng --timeout 60 --times --verify --metrics --no-rand-seed --metamix 64 This workload involves repeated small, strided, extending writes. On XFS, this produces a pattern of post-eof speculative preallocation, conversion of preallocation from delalloc to unwritten, dirtying pagecache over newly unwritten blocks, and then rinse and repeat from the new EOF. This leads to repetitive flushing of the EOF folio via the zero range call XFS uses for writes that start beyond current EOF. To mitigate this problem, special case EOF block zeroing to prefer zeroing the folio over a flush when the EOF folio is already dirty. To do this, split out and open code handling of an unaligned start offset. This brings most of the performance back by avoiding flushes on zero range calls via write and truncate extension operations. The flush doesn't occur in these situations because the entire range is post-eof and therefore the folio that overlaps EOF is the only one in the range. Signed-off-by: Brian Foster Link: https://lore.kernel.org/r/20241115200155.593665-4-bfoster@redhat.com Reviewed-by: Darrick J. Wong Reviewed-by: Christoph Hellwig Signed-off-by: Christian Brauner commit 889ac75787cbeb129df7faf917ce7d53a32ea696 Author: Brian Foster Date: Fri Nov 15 15:01:54 2024 -0500 iomap: lift zeroed mapping handling into iomap_zero_range() In preparation for special handling of subranges, lift the zeroed mapping logic from the iterator into the caller. Since this puts the pagecache dirty check and flushing in the same place, streamline the comments a bit as well. Signed-off-by: Brian Foster Link: https://lore.kernel.org/r/20241115200155.593665-3-bfoster@redhat.com Reviewed-by: Darrick J. Wong Signed-off-by: Christian Brauner commit 2519369201f36a6b2571bc672c4e48f88c6b68d6 Author: Brian Foster Date: Fri Nov 15 15:01:53 2024 -0500 iomap: reset per-iter state on non-error iter advances iomap_iter_advance() zeroes the processed and mapping fields on every non-error iteration except for the last expected iteration (i.e. return 0 expected to terminate the iteration loop). This appears to be circumstantial as nothing currently relies on these fields after the final iteration. Therefore to better faciliate iomap_iter reuse in subsequent patches, update iomap_iter_advance() to always reset per-iteration state on successful completion. Signed-off-by: Brian Foster Link: https://lore.kernel.org/r/20241115200155.593665-2-bfoster@redhat.com Reviewed-by: Darrick J. Wong Reviewed-by: Christoph Hellwig Signed-off-by: Christian Brauner commit eb65540aa9fc828e9f3f8b30d6dc37f1ed35263d Author: Brian Foster Date: Fri Nov 15 09:59:31 2024 -0500 iomap: warn on zero range of a post-eof folio iomap_zero_range() uses buffered writes for manual zeroing, no longer updates i_size for such writes, but is still explicitly called for post-eof ranges. The historical use case for this is zeroing post-eof speculative preallocation on extending writes from XFS. However, XFS also recently changed to convert all post-eof delalloc mappings to unwritten in the iomap_begin() handler, which means it now never expects manual zeroing of post-eof mappings. In other words, all post-eof mappings should be reported as holes or unwritten. This is a subtle dependency that can be hard to detect if violated because associated codepaths are likely to update i_size after folio locks are dropped, but before writeback happens to occur. For example, if XFS reverts back to some form of manual zeroing of post-eof blocks on write extension, writeback of those zeroed folios will now race with the presumed i_size update from the subsequent buffered write. Since iomap_zero_range() can't correctly zero post-eof mappings beyond EOF without updating i_size, warn if this ever occurs. This serves as minimal indication that if this use case is reintroduced by a filesystem, iomap_zero_range() might need to reconsider i_size updates for write extending use cases. Signed-off-by: Brian Foster Link: https://lore.kernel.org/r/20241115145931.535207-1-bfoster@redhat.com Reviewed-by: Christoph Hellwig Reviewed-by: Darrick J. Wong Signed-off-by: Christian Brauner commit 72cef64180de04a7b055b4773c138d78f4ebdb77 Author: Sai Kumar Cholleti Date: Tue Nov 5 12:45:23 2024 +0530 gpio: exar: set value when external pull-up or pull-down is present Setting GPIO direction = high, sometimes results in GPIO value = 0. If a GPIO is pulled high, the following construction results in the value being 0 when the desired value is 1: $ echo "high" > /sys/class/gpio/gpio336/direction $ cat /sys/class/gpio/gpio336/value 0 Before the GPIO direction is changed from an input to an output, exar_set_value() is called with value = 1, but since the GPIO is an input when exar_set_value() is called, _regmap_update_bits() reads a 1 due to an external pull-up. regmap_set_bits() sets force_write = false, so the value (1) is not written. When the direction is then changed, the GPIO becomes an output with the value of 0 (the hardware default). regmap_write_bits() sets force_write = true, so the value is always written by exar_set_value() and an external pull-up doesn't affect the outcome of setting direction = high. The same can happen when a GPIO is pulled low, but the scenario is a little more complicated. $ echo high > /sys/class/gpio/gpio351/direction $ cat /sys/class/gpio/gpio351/value 1 $ echo in > /sys/class/gpio/gpio351/direction $ cat /sys/class/gpio/gpio351/value 0 $ echo low > /sys/class/gpio/gpio351/direction $ cat /sys/class/gpio/gpio351/value 1 Fixes: 36fb7218e878 ("gpio: exar: switch to using regmap") Co-developed-by: Matthew McClain Signed-off-by: Matthew McClain Signed-off-by: Sai Kumar Cholleti Cc: stable@vger.kernel.org Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20241105071523.2372032-1-skmr537@gmail.com Signed-off-by: Bartosz Golaszewski commit c7899503ad9c06a0c6ee2796301139731cf1f5ab Author: Andy Shevchenko Date: Mon Nov 18 11:28:02 2024 +0200 gpio: altera: Add missed base and label initialisations During conversion driver to modern APIs the base field initial value of the GPIO chip was moved from -1 to 0, which triggers a warning. Add missed base initialisation as it was in the original code. Initialise the GPIO chip label correctly as it was done by of_mm_gpiochip_add_data() before the below mentioned change. Fixes: 50dded8d9d62 ("gpio: altera: Drop legacy-of-mm-gpiochip.h header") Signed-off-by: Andy Shevchenko Link: https://lore.kernel.org/r/20241118095402.516989-1-andriy.shevchenko@linux.intel.com Signed-off-by: Bartosz Golaszewski commit 5bbed54ba66925ebca19092d0750630f943d7bf2 Author: Andy Shevchenko Date: Mon Nov 18 11:27:07 2024 +0200 gpio: zevio: Add missed label initialisation Initialise the GPIO chip label correctly as it was done by of_mm_gpiochip_add_data() before the below mentioned change. Fixes: cf8f4462e5fa ("gpio: zevio: drop of_gpio.h header") Signed-off-by: Andy Shevchenko Link: https://lore.kernel.org/r/20241118092729.516736-1-andriy.shevchenko@linux.intel.com Signed-off-by: Bartosz Golaszewski commit 019880c08d059f214327fd0dc92e9be3707286f2 Merge: 60b4dd1460f6d6 897df60c16d54a Author: Martin K. Petersen Date: Wed Nov 20 22:04:15 2024 -0500 Merge patch series "scsi: ufs: Bug fixes for ufs core and platform drivers" Manivannan Sadhasivam says: Hi, This series has several bug fixes that I encountered when the ufs-qcom driver was removed and inserted back. But the fixes are applicable to other platform glue drivers as well. This series is tested on Qcom RB5 development board based on SM8250 SoC. Signed-off-by: Manivannan Sadhasivam Link: https://lore.kernel.org/r/20241111-ufs_bug_fix-v1-0-45ad8b62f02e@linaro.org Signed-off-by: Martin K. Petersen commit 897df60c16d54ad515a3d0887edab5c63da06d1f Author: Manivannan Sadhasivam Date: Mon Nov 11 23:18:34 2024 +0530 scsi: ufs: pltfrm: Dellocate HBA during ufshcd_pltfrm_remove() This will ensure that the scsi host is cleaned up properly using scsi_host_dev_release(). Otherwise, it may lead to memory leaks. Cc: stable@vger.kernel.org # 4.4 Fixes: 03b1781aa978 ("[SCSI] ufs: Add Platform glue driver for ufshcd") Signed-off-by: Manivannan Sadhasivam Link: https://lore.kernel.org/r/20241111-ufs_bug_fix-v1-5-45ad8b62f02e@linaro.org Reviewed-by: Peter Wang Reviewed-by: Bean Huo Reviewed-by: Bart Van Assche Signed-off-by: Martin K. Petersen commit 1745dcdb7227102e16248a324c600b9121c8f6df Author: Manivannan Sadhasivam Date: Mon Nov 11 23:18:33 2024 +0530 scsi: ufs: pltfrm: Drop PM runtime reference count after ufshcd_remove() During the remove stage of glue drivers, some of them are incrementing the reference count using pm_runtime_get_sync(), before removing the ufshcd using ufshcd_remove(). But they are not dropping that reference count after ufshcd_remove() to balance the refcount. So drop the reference count by calling pm_runtime_put_noidle() after ufshcd_remove(). Since the behavior is applicable to all glue drivers, move the PM handling to ufshcd_pltfrm_remove(). Cc: stable@vger.kernel.org # 3.12 Fixes: 62694735ca95 ("[SCSI] ufs: Add runtime PM support for UFS host controller driver") Signed-off-by: Manivannan Sadhasivam Link: https://lore.kernel.org/r/20241111-ufs_bug_fix-v1-4-45ad8b62f02e@linaro.org Reviewed-by: Peter Wang Reviewed-by: Bean Huo Reviewed-by: Bart Van Assche Signed-off-by: Martin K. Petersen commit d3326e6a3f9bf1e075be2201fb704c2fdf19e2b7 Author: Manivannan Sadhasivam Date: Mon Nov 11 23:18:32 2024 +0530 scsi: ufs: pltfrm: Disable runtime PM during removal of glue drivers When the UFSHCD platform glue drivers are removed, runtime PM should be disabled using pm_runtime_disable() to balance the enablement done in ufshcd_pltfrm_init(). This is also reported by PM core when the glue driver is removed and inserted again: ufshcd-qcom 1d84000.ufshc: Unbalanced pm_runtime_enable! So disable runtime PM using a new helper API ufshcd_pltfrm_remove(), that also takes care of removing ufshcd. This helper should be called during the remove() stage of glue drivers. Cc: stable@vger.kernel.org # 3.12 Fixes: 62694735ca95 ("[SCSI] ufs: Add runtime PM support for UFS host controller driver") Signed-off-by: Manivannan Sadhasivam Link: https://lore.kernel.org/r/20241111-ufs_bug_fix-v1-3-45ad8b62f02e@linaro.org Reviewed-by: Peter Wang Reviewed-by: Bean Huo Reviewed-by: Bart Van Assche Signed-off-by: Martin K. Petersen commit 64506b3d23a337e98a74b18dcb10c8619365f2bd Author: Manivannan Sadhasivam Date: Mon Nov 11 23:18:31 2024 +0530 scsi: ufs: qcom: Only free platform MSIs when ESI is enabled Otherwise, it will result in a NULL pointer dereference as below: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 Call trace: mutex_lock+0xc/0x54 platform_device_msi_free_irqs_all+0x14/0x20 ufs_qcom_remove+0x34/0x48 [ufs_qcom] platform_remove+0x28/0x44 device_remove+0x4c/0x80 device_release_driver_internal+0xd8/0x178 driver_detach+0x50/0x9c bus_remove_driver+0x6c/0xbc driver_unregister+0x30/0x60 platform_driver_unregister+0x14/0x20 ufs_qcom_pltform_exit+0x18/0xb94 [ufs_qcom] __arm64_sys_delete_module+0x180/0x260 invoke_syscall+0x44/0x100 el0_svc_common.constprop.0+0xc0/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x34/0xdc el0t_64_sync_handler+0xc0/0xc4 el0t_64_sync+0x190/0x194 Cc: stable@vger.kernel.org # 6.3 Fixes: 519b6274a777 ("scsi: ufs: qcom: Add MCQ ESI config vendor specific ops") Signed-off-by: Manivannan Sadhasivam Link: https://lore.kernel.org/r/20241111-ufs_bug_fix-v1-2-45ad8b62f02e@linaro.org Reviewed-by: Bean Huo Reviewed-by: Bart Van Assche Signed-off-by: Martin K. Petersen commit 1695c4361d35b7bdadd7b34f99c9c07741e181e5 Author: Manivannan Sadhasivam Date: Mon Nov 11 23:18:30 2024 +0530 scsi: ufs: core: Cancel RTC work during ufshcd_remove() Currently, RTC work is only cancelled during __ufshcd_wl_suspend(). When ufshcd is removed in ufshcd_remove(), RTC work is not cancelled. Due to this, any further trigger of the RTC work after ufshcd_remove() would result in a NULL pointer dereference as below: Unable to handle kernel NULL pointer dereference at virtual address 00000000000002a4 Workqueue: events ufshcd_rtc_work Call trace: _raw_spin_lock_irqsave+0x34/0x8c pm_runtime_get_if_active+0x24/0xb4 ufshcd_rtc_work+0x124/0x19c process_scheduled_works+0x18c/0x2d8 worker_thread+0x144/0x280 kthread+0x11c/0x128 ret_from_fork+0x10/0x20 Since RTC work accesses the ufshcd internal structures, it should be cancelled when ufshcd is removed. So do that in ufshcd_remove(), as per the order in ufshcd_init(). Cc: stable@vger.kernel.org # 6.8 Fixes: 6bf999e0eb41 ("scsi: ufs: core: Add UFS RTC support") Signed-off-by: Manivannan Sadhasivam Link: https://lore.kernel.org/r/20241111-ufs_bug_fix-v1-1-45ad8b62f02e@linaro.org Reviewed-by: Peter Wang Reviewed-by: Bean Huo Reviewed-by: Bart Van Assche Signed-off-by: Martin K. Petersen commit 60b4dd1460f6d65739acb0f28d12bd9abaeb34b4 Author: Ziqi Chen Date: Tue Nov 19 17:56:04 2024 +0800 scsi: ufs: core: Add ufshcd_send_bsg_uic_cmd() for UFS BSG User layer applications can send UIC GET/SET commands via the BSG framework, and if the user layer application sends a UIC SET command to the PA_PWRMODE attribute, a power mode change shall be initiated in UniPro and two interrupts shall be triggered if the power mode is successfully changed, i.e., UIC Command Completion interrupt and UIC Power Mode interrupt. The current UFS BSG code calls ufshcd_send_uic_cmd() directly, with which the second interrupt, i.e., UIC Power Mode interrupt, shall be treated as unhandled interrupt. In addition, after the UIC command is completed, user layer application has to poll UniPro and/or M-PHY state machine to confirm the power mode change is finished. Add a new wrapper function ufshcd_send_bsg_uic_cmd() and call it from ufs_bsg_request() so that if a UIC SET command is targeting the PA_PWRMODE attribute it can be redirected to ufshcd_uic_pwr_ctrl(). Fixes: e77044c5a842 ("scsi: ufs-bsg: Add support for uic commands in ufs_bsg_request()") Co-developed-by: Can Guo Signed-off-by: Can Guo Signed-off-by: Ziqi Chen Link: https://lore.kernel.org/r/20241119095613.121385-1-quic_ziqichen@quicinc.com Reviewed-by: Bean Huo Reviewed-by: Avri Altman Reviewed-by: Peter Wang Signed-off-by: Martin K. Petersen commit 5cd3167a5ebbbe49516f29e5dd16317ab6ff479a Author: Christophe JAILLET Date: Mon Nov 11 14:10:56 2024 +0100 scsi: target: tcmu: Constify some structures 'struct nla_policy' and 'struct match_table_t' are not modified in this driver. Constifying these structures moves some data to a read-only section, so increase overall security, especially when the structure holds some function pointers, which is the case of struct nla_policy. On a x86_64, with allmodconfig: Before: ====== text data bss dec hex filename 93188 6933 338 100459 1886b drivers/target/target_core_user.o After: ===== text data bss dec hex filename 93508 6581 338 100427 1884b drivers/target/target_core_user.o Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/f83cd8469cc17391178e1181e8c26c4c1fb6028f.1731330634.git.christophe.jaillet@wanadoo.fr Reviewed-by: Bodo Stroesser Signed-off-by: Martin K. Petersen commit 50740f4dc78b41dec7c8e39772619d5ba841ddd7 Author: Tomas Henzl Date: Mon Sep 23 19:48:33 2024 +0200 scsi: megaraid_sas: Fix for a potential deadlock This fixes a 'possible circular locking dependency detected' warning CPU0 CPU1 ---- ---- lock(&instance->reset_mutex); lock(&shost->scan_mutex); lock(&instance->reset_mutex); lock(&shost->scan_mutex); Fix this by temporarily releasing the reset_mutex. Signed-off-by: Tomas Henzl Link: https://lore.kernel.org/r/20240923174833.45345-1-thenzl@redhat.com Acked-by: Chandrakanth Patil Signed-off-by: Martin K. Petersen commit 2c354d12307e58a748ade2802b4d26fd0d8c34a9 Author: liujing Date: Fri Nov 8 15:09:35 2024 +0800 scsi: lpfc: Fix spelling errors 'asynchronously' Signed-off-by: liujing Link: https://lore.kernel.org/r/20241108070935.10427-1-liujing@cmss.chinamobile.com Signed-off-by: Martin K. Petersen commit 5fe4e16fdbb8ca7dd6daea0031a0a84e6eb1e18d Author: Uwe Kleine-König Date: Tue Nov 19 19:28:56 2024 +0100 scsi: ufs: Switch back to struct platform_driver::remove() After commit 0edb555a65d1 ("platform: Make platform_driver::remove() return void") .remove() is (again) the right callback to implement for platform drivers. Convert all platform drivers below drivers/ufs to use .remove(), with the eventual goal to drop struct platform_driver::remove_new(). As .remove() and .remove_new() have the same prototypes, conversion is done by just changing the structure member name in the driver initializer. Signed-off-by: Uwe Kleine-König Link: https://lore.kernel.org/r/20241119182856.55743-2-u.kleine-koenig@baylibre.com Signed-off-by: Martin K. Petersen commit 575143abcbbc7e291e5ef5c4fc031d94f8501918 Author: Dr. David Alan Gilbert Date: Sun Nov 17 13:52:15 2024 +0000 scsi: bfa: Remove unused parsers bfa has a set of structure parsers, of which quite a few are unused. Remove the unused set. Signed-off-by: Dr. David Alan Gilbert Link: https://lore.kernel.org/r/20241117135215.38771-3-linux@treblig.org Signed-off-by: Martin K. Petersen commit 52172a352c97d39ee2658f6503b065b9896d48ad Author: Dr. David Alan Gilbert Date: Sun Nov 17 13:52:14 2024 +0000 scsi: bfa: Remove unused structure builders bfa has a large set of structure builders, of which only about 60% are used; remove the rest. Signed-off-by: Dr. David Alan Gilbert Link: https://lore.kernel.org/r/20241117135215.38771-2-linux@treblig.org Signed-off-by: Martin K. Petersen commit e953835c1d41bbb660d7069dc9e61ea6bd7874f3 Author: Christophe JAILLET Date: Fri Nov 15 22:12:42 2024 +0100 scsi: message: fusion: Constify struct pci_device_id 'struct pci_device_id' is not modified in these drivers. Constifying this structure moves some data to a read-only section, so increase overall security. On a x86_64, with allmodconfig, as an example: Before: ====== text data bss dec hex filename 36999 2451 88 39538 9a72 drivers/message/fusion/mptfc.o After: ===== text data bss dec hex filename 37415 2043 88 39546 9a7a drivers/message/fusion/mptfc.o Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/fe8f17a999b6def2649b2ef52ea5c9ee61e28bd0.1731705152.git.christophe.jaillet@wanadoo.fr Signed-off-by: Martin K. Petersen commit c064de86d2a3909222d5996c5047f64c7a8f791b Author: Magnus Lindholm Date: Wed Nov 13 23:51:49 2024 +0100 scsi: qla1280: Fix hw revision numbering for ISP1020/1040 Fix the hardware revision numbering for Qlogic ISP1020/1040 boards. HWMASK suggests that the revision number only needs four bits, this is consistent with how NetBSD does things in their ISP driver. Verified on a IPS1040B which is seen as rev 5 not as BIT_4. Signed-off-by: Magnus Lindholm Link: https://lore.kernel.org/r/20241113225636.2276-1-linmag7@gmail.com Reviewed-by: Christoph Hellwig Signed-off-by: Martin K. Petersen commit 8e3b6345d113cc917e64b0349dc486b5d8f55e70 Merge: 128faa1845a2d5 54c814c8b23bc7 Author: Martin K. Petersen Date: Wed Nov 20 21:26:59 2024 -0500 Merge branch '6.12/scsi-fixes' into 6.13/scsi-staging Pull in the fixes branch to resolve conflict in UFS core. Signed-off-by: Martin K. Petersen commit 13905f4547b050316262d54a5391d50e83ce613a Author: Oliver Upton Date: Tue Nov 19 16:52:30 2024 -0800 KVM: arm64: Use MDCR_EL2.HPME to evaluate overflow of hyp counters The 'global enable control' (as it is termed in the architecture) for counters reserved by EL2 is MDCR_EL2.HPME. Use that instead of PMCR_EL0.E when evaluating the overflow state for hyp counters. Change the return value to a bool while at it, which better reflects the fact that the overflow state is a shared signal and not a per-counter property. Reviewed-by: Marc Zyngier Link: https://lore.kernel.org/r/20241120005230.2335682-3-oliver.upton@linux.dev Signed-off-by: Oliver Upton commit 54bbee190d42166209185d89070c58a343bf514b Author: Raghavendra Rao Ananta Date: Tue Nov 19 16:52:29 2024 -0800 KVM: arm64: Ignore PMCNTENSET_EL0 while checking for overflow status DDI0487K.a D13.3.1 describes the PMU overflow condition, which evaluates to true if any counter's global enable (PMCR_EL0.E), overflow flag (PMOVSSET_EL0[n]), and interrupt enable (PMINTENSET_EL1[n]) are all 1. Of note, this does not require a counter to be enabled (i.e. PMCNTENSET_EL0[n] = 1) to generate an overflow. Align kvm_pmu_overflow_status() with the reality of the architecture and stop using PMCNTENSET_EL0 as part of the overflow condition. The bug was discovered while running an SBSA PMU test [*], which only sets PMCR.E, PMOVSSET<0>, PMINTENSET<0>, and expects an overflow interrupt. Cc: stable@vger.kernel.org Fixes: 76d883c4e640 ("arm64: KVM: Add access handler for PMOVSSET and PMOVSCLR register") Link: https://github.com/ARM-software/sbsa-acs/blob/master/test_pool/pmu/operating_system/test_pmu001.c Signed-off-by: Raghavendra Rao Ananta [ oliver: massaged changelog ] Reviewed-by: Marc Zyngier Link: https://lore.kernel.org/r/20241120005230.2335682-2-oliver.upton@linux.dev Signed-off-by: Oliver Upton commit 0f3a0f23f5621b9a5a28c9235c950caf6e2012d5 Author: Marc Zyngier Date: Wed Nov 20 11:15:16 2024 +0000 KVM: arm64: Mark set_sysreg_masks() as inline to avoid build failure When compiling with CONFIG_CC_OPTIMIZE_FOR_SIZE=y, set_sysreg_masks() fails to compile thanks to: BUILD_BUG_ON(!__builtin_constant_p(sr)); as the compiler doesn't identify sr as a constant, despite all the callers passing constants. Fix the issue by always inlining this function, which allows GCC to do the right thing. Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202411201857.ZNudtGJl-lkp@intel.com/ Fixes: a0162020095e2 ("KVM: arm64: Extend masking facility to arbitrary registers") Signed-off-by: Marc Zyngier Reviewed-by: Joey Gouly Link: https://lore.kernel.org/r/20241120111516.304250-1-maz@kernel.org Signed-off-by: Oliver Upton commit 3b2c81d5feb250dfdcb0ef5825319f36c29f8336 Author: Marc Zyngier Date: Sun Nov 17 16:57:57 2024 +0000 KVM: arm64: vgic-its: Add stronger type-checking to the ITS entry sizes The ITS ABI infrastructure allows for some pretty lax code, where the size of the data doesn't have to match the size of the entry, potentially leading to a collection of interesting bugs. Commit 7fe28d7e68f9 ("KVM: arm64: vgic-its: Add a data length check in vgic_its_save_*") added some checks, but starts by implicitly casting all writes to a 64bit value, hiding some of the issues. Instead, introduce macros that will check the data type actually used for dealing with the table entries. The macros are taking a symbolic entry type that is used to fetch the size of the entry type for the current ABI. This immediately catches a couple of low-impact gotchas (zero values that are implicitly 32bit), easy enough to fix. Given that we currently only have a single ABI, hardcode a couple of BUILD_BUG_ON()s that will fire if we use anything but a 64bit quantity, and some (currently unreachable) fallback code that may become useful one day. Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20241117165757.247686-5-maz@kernel.org Signed-off-by: Oliver Upton commit e7619f2a2f8f9b10feb784ec6b8ea5320ad3b97e Author: Marc Zyngier Date: Sun Nov 17 16:57:56 2024 +0000 KVM: arm64: vgic: Kill VGIC_MAX_PRIVATE definition VGIC_MAX_PRIVATE is a pretty useless definition, and is better replaced with VGIC_NR_PRIVATE_IRQS. Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20241117165757.247686-4-maz@kernel.org Signed-off-by: Oliver Upton commit add570b39f9fc4b830e7f4b487bbc16d74c388ad Author: Marc Zyngier Date: Sun Nov 17 16:57:55 2024 +0000 KVM: arm64: vgic: Make vgic_get_irq() more robust vgic_get_irq() has an awkward signature, as it takes both a kvm *and* a vcpu, where the vcpu is allowed to be NULL if the INTID being looked up is a global interrupt (SPI or LPI). This leads to potentially problematic situations where the INTID passed is a private interrupt, but that there is no vcpu. In order to make things less ambiguous, let have *two* helpers instead: - vgic_get_irq(struct kvm *kvm, u32 intid), which is only concerned with *global* interrupts, as indicated by the lack of vcpu. - vgic_get_vcpu_irq(struct kvm_vcpu *vcpu, u32 intid), which can return *any* interrupt class, but must have of course a non-NULL vcpu. Most of the code nicely falls under one or the other situations, except for a couple of cases (close to the UABI or in the debug code) where we have to distinguish between the two cases. Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20241117165757.247686-3-maz@kernel.org Signed-off-by: Oliver Upton commit d561491ba927cb5634094ff311795e9d618e9b86 Author: Marc Zyngier Date: Sun Nov 17 16:57:54 2024 +0000 KVM: arm64: vgic-v3: Sanitise guest writes to GICR_INVLPIR Make sure we filter out non-LPI invalidation when handling writes to GICR_INVLPIR. Fixes: 4645d11f4a553 ("KVM: arm64: vgic-v3: Implement MMIO-based LPI invalidation") Reported-by: Alexander Potapenko Tested-by: Alexander Potapenko Signed-off-by: Marc Zyngier Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20241117165757.247686-2-maz@kernel.org Signed-off-by: Oliver Upton commit 43fb83c17ba2d63dfb798f0be7453ed55ca3f9c2 Merge: 06e47dce8fc3ab 9c6cb0377534e7 Author: Linus Torvalds Date: Wed Nov 20 15:47:22 2024 -0800 Merge tag 'soc-arm-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc Pull ARM SoC updates from Arnd Bergmann: "The SoC specific code updates for 6.13 are fairly minimal. One Broadcom SoC model gains automatic configuration for the debug uarg as we have on many other machines, the remaining changes are trivial cleanups" * tag 'soc-arm-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: ARM: imx: Switch to new sys-off handler API ARM: bcm: brcmstb: Drop custom init_irq callback ARM: bcm: Support BCMBCA debug UART ARM: zynq: Remove unused zynq_slcr_init() declaration ASoC: samsung: Remove obsoleted declaration for s3c64xx_ac97_setup_gpio ARM: samsung: Remove obsoleted declaration for s3c_hwmon_set_platdata commit 06e47dce8fc3ab68c2ea3b5082caab99e8002b80 Merge: 14d0e1a09fe97a de6dff2090ddfa Author: Linus Torvalds Date: Wed Nov 20 15:44:56 2024 -0800 Merge tag 'soc-defconfig-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc Pull SoC defconfig updates from Arnd Bergmann: "As usual, a few newly added device drivers get enabled in the arm32 multi_v7_defconfig and arm64 defconfig as well as a few of the SoC specific config files. The main visible change is the inclusion of (reduced) debug info by default in the 32-bit defconfig" * tag 'soc-defconfig-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: ARM: imx_v6_v7_defconfig: Enable drivers for Kobo Clara 2E arm64: defconfig: Enable VBATTB clock and Renesas RTCA-3 arm64: defconfig: Enable PCF857X GPIO expander arm64: defconfig: Enable sc7280 clock controllers ARM: configs: at91: enable PAC1934 driver as module ARM: multi_v7_defconfig: Enable debugging symbols by default commit 14d0e1a09fe97a7524ff36baa695900cb0c10c23 Merge: 9c39d5ab450f71 b77587ac51d2fe Author: Linus Torvalds Date: Wed Nov 20 15:40:54 2024 -0800 Merge tag 'soc-drivers-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc Pull SoC driver updates from Arnd Bergmann: "Nothing particular important in the SoC driver updates, just the usual improvements to for drivers/soc and a couple of subsystems that don't fit anywhere else: - The largest set of updates is for Qualcomm SoC drivers, extending the set of supported features for additional SoCs in the QSEECOM, LLCC and socinfo drivers.a - The ti_sci firmware driver gains support for power managment - The drivers/reset subsystem sees a rework of the microchip sparx5 and amlogic reset drivers to support additional chips, plus a few minor updates on other platforms - The SCMI firmware interface driver gains support for two protocol extensions, allowing more flexible use of the shared memory area and new DT binding properties for configurability. - Mediatek SoC drivers gain support for power managment on the MT8188 SoC and a new driver for DVFS. - The AMD/Xilinx ZynqMP SoC drivers gain support for system reboot and a few bugfixes - The Hisilicon Kunpeng HCCS driver gains support for configuring lanes through sysfs Finally, there are cleanups and minor fixes for drivers/{soc, bus, memory}, including changing back the .remove_new callback to .remove, as well as a few other updates for freescale (powerpc) soc drivers, NXP i.MX soc drivers, cznic turris platform driver, memory controller drviers, TI OMAP SoC drivers, and Tegra firmware drivers" * tag 'soc-drivers-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: (116 commits) soc: fsl: cpm1: qmc: Set the ret error code on platform_get_irq() failure soc: fsl: rcpm: fix missing of_node_put() in copy_ippdexpcr1_setting() soc: fsl: cpm1: tsa: switch to for_each_available_child_of_node_scoped() platform: cznic: turris-omnia-mcu: Rename variable holding GPIO line names platform: cznic: turris-omnia-mcu: Document the driver private data structure firmware: turris-mox-rwtm: Document the driver private data structure bus: Switch back to struct platform_driver::remove() soc: qcom: ice: Remove the device_link field in qcom_ice drm/msm/adreno: Setup SMMU aparture for per-process page table firmware: qcom: scm: Introduce CP_SMMU_APERTURE_ID firmware: arm_scpi: Check the DVFS OPP count returned by the firmware soc: qcom: socinfo: add IPQ5424/IPQ5404 SoC ID dt-bindings: arm: qcom,ids: add SoC ID for IPQ5424/IPQ5404 soc: qcom: llcc: Flip the manual slice configuration condition dt-bindings: firmware: qcom,scm: Document sm8750 SCM firmware: qcom: uefisecapp: Allow X1E Devkit devices misc: lan966x_pci: Fix dtc warn 'Missing interrupt-parent' misc: lan966x_pci: Fix dtc warns 'missing or empty reg/ranges property' soc: qcom: llcc: Add LLCC configuration for the QCS8300 platform dt-bindings: cache: qcom,llcc: Document the QCS8300 LLCC ... commit 9c39d5ab450f7181775957000f4aff33bfef9f7b Merge: 79caa6c88ac484 9f5cbdaae5f760 Author: Linus Torvalds Date: Wed Nov 20 15:26:46 2024 -0800 Merge tag 'soc-dt-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc Pull SoC devicetree updates from Arnd Bergmann: "This release adds the devicetree files for an impressive number of new SoC variants, though as expected these are all related to others we already support: - The microchip sam9x7 devicetree is now added, after the device driver and platform code has already made it in. This is likely the last ARMv5 (!) platform to ever get added, updating the 20+ year old at91/sam9 platform with DDR3 memory and gigabit ethernet. - On the Apple platform, there are now devicetree files for a number of A-series SoCs in addition to the M-series ones, these are used primarily in phones and tablets, but are closely related to the already supported chips. - Samsung Exynos 8895 and Exynos 990 are more phone SoCs used in older Samsung Galaxy phones. - Qualcomm Snapdragon 778G (SM7325) is another phone SoC, closely related to the Snapdragon 7c+ Gen 3 (SC7280) used in low-end laptops. - Rockchip RK3528 and RK3576 are new variants of their TV box and Tablet chips, still using the older ARMv8.0 cores from RK3328/RK3399 but with a newer process and other improvements from the RK35xx (otherwise ARMv8.2) chips. RK3566T and RK3399-S are also added, these are just lower-cost versions of their normal counterparts. - TI J742S2 is a feature-reduced version of the J784s4 industrial/automotive SoC, with fewer CPU cores. - Sophgo SG2002 is an embedded SoC with one RISC-V (C906) and one ARM (Cortex-A53) core, at this point support is only added for running on the RISC-V side on the LicheeRV Nano board. A total of 92 new .dts files describing individual machines is added, which must be a new record. The majority of these is for the newly added chips above, notably all the Apple phones and tablets. The other new machines include nine industrial/embedded boards with NXP i.MX6 or i.MX8 SoCs, eight for Rockchips RK35XX and one or two each for Rockchips RV1109, RK3308, Allwinner A33, Tegra 234, Qualcomm qcs9100/sc8280xp/x1e80100, TI AM625 and Starfive JH7110. As usual there are also many newly added features in existing boards as well as cleanups and minor bugfixes" * tag 'soc-dt-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: (718 commits) arm64: dts: apm: Remove unused and undocumented "bus_num" property arm: dts: spear13xx: Remove unused and undocumented "pl022,slave-tx-disable" property arm64: dts: amd: Remove unused and undocumented "amd,zlib-support" property arm64: dts: lg131x: Update spi clock properties arm64: dts: seattle: Update spi clock properties arm64: dts: rockchip: use less broad pinctrl for pcie3x1 on Radxa E25 arm64: dts: rockchip: add Radxa ROCK 5C dt-bindings: arm: rockchip: add Radxa ROCK 5C arm64: dts: rockchip: orangepi-5-plus: Enable GPU arm64: dts: rockchip: enable USB3 on NanoPC-T6 arm64: dts: rockchip: adapt regulator nodenames to preferred form arm64: dts: rockchip: Enable HDMI display for rk3588 Cool Pi GenBook arm64: dts: rockchip: Enable HDMI display for rk3588 Cool Pi 4B arm64: dts: rockchip: Enable HDMI0 for rk3588 Cool Pi CM5 EVB arm64: dts: rockchip: Enable HDMI on NanoPi R6C/R6S arm64: dts: rockchip: Enable GPU on NanoPi R6C/R6S arm64: dts: rockchip: Enable HDMI on Hardkernel ODROID-M2 arm64: dts: rockchip: Remove non-removable flag from sdmmc on rk3576-sige5 arm64: dts: allwinner: a100: perf1: Add eMMC and MMC node arm64: dts: allwinner: pinephone: Add mount matrix to accelerometer ... commit 79caa6c88ac484111b24488eb9fe1c86a3d18016 Merge: c66fbc6c3df9cc 0af8e32343f8d0 Author: Linus Torvalds Date: Wed Nov 20 15:13:02 2024 -0800 Merge tag 'asm-generic-3.13' of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/asm-generic Pull asm-generic updates from Arnd Bergmann: "These are a number of unrelated cleanups, generally simplifying the architecture specific header files: - A series from Al Viro simplifies asm/vga.h, after it turns out that most of it can be generalized. - A series from Julian Vetter adds a common version of memcpy_{to,from}io() and memset_io() and changes most architectures to use that instead of their own implementation - A series from Niklas Schnelle concludes his work to make PC style inb()/outb() optional - Nicolas Pitre contributes improvements for the generic do_div() helper - Christoph Hellwig adds a generic version of page_to_phys() and phys_to_page(), replacing the slightly different architecture specific definitions. - Uwe Kleine-Koenig has a minor cleanup for ioctl definitions" * tag 'asm-generic-3.13' of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/asm-generic: (24 commits) empty include/asm-generic/vga.h sparc: get rid of asm/vga.h asm/vga.h: don't bother with scr_mem{cpy,move}v() unless we need to vt_buffer.h: get rid of dead code in default scr_...() instances tty: serial: export serial_8250_warn_need_ioport lib/iomem_copy: fix kerneldoc format style hexagon: simplify asm/io.h for !HAS_IOPORT loongarch: Use new fallback IO memcpy/memset csky: Use new fallback IO memcpy/memset arm64: Use new fallback IO memcpy/memset New implementation for IO memcpy and IO memset watchdog: Add HAS_IOPORT dependency for SBC8360 and SBC7240 __arch_xprod64(): make __always_inline when optimizing for performance ARM: div64: improve __arch_xprod_64() asm-generic/div64: optimize/simplify __div64_const32() lib/math/test_div64: add some edge cases relevant to __div64_const32() asm-generic: add an optional pfn_valid check to page_to_phys asm-generic: provide generic page_to_phys and phys_to_page implementations asm-generic/io.h: Remove I/O port accessors for HAS_IOPORT=n tty: serial: handle HAS_IOPORT dependencies ... commit c66fbc6c3df9ccefbb896695cfc4db279d517ff1 Merge: f103749785a76c 1037d186edfc55 Author: Linus Torvalds Date: Wed Nov 20 14:56:02 2024 -0800 Merge tag 'for-linus' of https://github.com/openrisc/linux Pull OpenRISC update from Stafford Horne: "A single fixup from me: Fix bug with earlycon being broken due to removal of early_ioremap" * tag 'for-linus' of https://github.com/openrisc/linux: openrisc: Implement fixmap to fix earlycon commit f103749785a76c3e06d52fc08bdb695fbde6e042 Merge: 7e7f65647e5216 eb01f8f3c446ed Author: Linus Torvalds Date: Wed Nov 20 14:54:05 2024 -0800 Merge tag 'microblaze-v6.13' of git://git.monstr.eu/linux-2.6-microblaze Pull microblaze updates from Michal Simek: - Export xmb_manager functions - Remove empty #ifndef __ASSEMBLY__ statement - Use str_yes_no() helper in show_cpuinfo() * tag 'microblaze-v6.13' of git://git.monstr.eu/linux-2.6-microblaze: microblaze: mb: Use str_yes_no() helper in show_cpuinfo() microblaze: Remove empty #ifndef __ASSEMBLY__ statement microblaze: Export xmb_manager functions commit 7e7f65647e5216b667d7d98a74446a80a9adcfc0 Merge: df66aeadd8f844 9080d11a6c5c1f Author: Linus Torvalds Date: Wed Nov 20 14:51:08 2024 -0800 Merge tag 'ipe-pr-20241119' of git://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe Pull IPE update from Fan Wu: "One commit from Colin Ian King, which removes unnecessary error handling code in the IPE boot policy generation helper program" * tag 'ipe-pr-20241119' of git://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe: scripts: ipe: polgen: remove redundant close and error exit path commit 5a38a5d40f2fa01591ab961ff37385a74b1ec7e1 Author: Chris Packham Date: Wed Oct 16 11:54:33 2024 +1300 mips: dts: realtek: Add SPI NAND controller Add the SPI-NAND controller on the RTL9300 family of devices. This supports serial/dual/quad data width and DMA for read/program operations. Signed-off-by: Chris Packham Signed-off-by: Thomas Bogendoerfer commit df66aeadd8f8445a1a73c39f5ec62c61c89f7e9a Merge: 18a411cc5d5ce5 8cf8dfceebdaf2 Author: Linus Torvalds Date: Wed Nov 20 14:36:28 2024 -0800 Merge tag 'seccomp-v6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux Pull seccomp update from Kees Cook: - Provide stub for !HAVE_ARCH_SECCOMP_FILTER (Linus Walleij) This will make it easier to port arm32 to the generic entry code. * tag 'seccomp-v6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: seccomp: Stub for !HAVE_ARCH_SECCOMP_FILTER commit 18a411cc5d5ce57d483718b1341a3ca69079bee2 Merge: fcb3ad4366b9c8 c5d91b16f525ea Author: Linus Torvalds Date: Wed Nov 20 14:13:28 2024 -0800 Merge tag 'efi-next-for-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi Pull EFI updates from Ard Biesheuvel: "Just some cleanups and bug fixes this time around: - Align handling of the compiled-in command line with the core kernel - Measure the initrd into the TPM also when it was loaded via the EFI file I/O protocols - Clean up TPM event log handling - Sanity check the EFI memory attributes table, and apply it after kexec too - Assorted other fixes" * tag 'efi-next-for-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi: efi: Fix memory leak in efivar_ssdt_load efi/libstub: Take command line overrides into account for loaded files efi/libstub: Fix command line fallback handling when loading files efi/libstub: Parse builtin command line after bootloader provided one x86/efi: Apply EFI Memory Attributes after kexec x86/efi: Drop support for the EFI_PROPERTIES_TABLE efi/memattr: Ignore table if the size is clearly bogus efi/zboot: Fix outdated comment about using LoadImage/StartImage efi/libstub: Free correct pointer on failure libstub,tpm: do not ignore failure case when reading final event log tpm: fix unsigned/signed mismatch errors related to __calc_tpm2_event_size tpm: do not ignore memblock_reserve return value tpm: fix signed/unsigned bug when checking event logs efi/libstub: measure initrd to PCR9 independent of source efi/libstub: remove unnecessary cmd_line_len from efi_convert_cmdline() efi/libstub: fix efi_parse_options() ignoring the default command line commit fcb3ad4366b9c810cbb9da34c076a9a52d8aa1e0 Merge: 70e8ef2d6762ce c6a2b4fcec5f2d Author: Linus Torvalds Date: Wed Nov 20 14:07:55 2024 -0800 Merge tag 'platform-drivers-x86-v6.13-1' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86 Pull x86 platform driver updates from Ilpo Järvinen: - alienware WMAX thermal interface support - Split ACPI and platform device based amd/hsmp drivers - AMD X3D frequency/cache mode switching support - asus thermal policy fixes - Disable C1 auto-demotion in suspend to allow entering the deepest C-states - Fix volume buttons on Thinkpad X12 Detachable Tablet Gen 1 - Replace intel_scu_ipc "workaround" with 32-bit IO - Correct *_show() function error handling in panasonic-laptop - Gemini Lake P2SB devfn correction - think-lmi Admin/System certificate authentication support - Disable WMI devices for shutdown, refactoring continues - Vexia EDU ATLA 10 tablet support - Surface Pro 9 5G (Arm/QCOM) support - Misc cleanups / refactoring / improvements * tag 'platform-drivers-x86-v6.13-1' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86: (69 commits) platform/x86: p2sb: Cache correct PCI bar for P2SB on Gemini Lake platform/x86: panasonic-laptop: Return errno correctly in show callback Documentation: alienware-wmi: Describe THERMAL_INFORMATION operation 0x02 alienware-wmi: create_thermal_profile() no longer brute-forces IDs alienware-wmi: Adds support to Alienware x17 R2 alienware-wmi: extends the list of supported models alienware-wmi: order alienware_quirks[] alphabetically platform/x86/intel/pmt: allow user offset for PMT callbacks platform/x86/amd/hsmp: Change the error type platform/x86/amd/hsmp: Add new error code and error logs platform/x86/amd: amd_3d_vcache: Add sysfs ABI documentation platform/x86/amd: amd_3d_vcache: Add AMD 3D V-Cache optimizer driver intel-hid: fix volume buttons on Thinkpad X12 Detachable Tablet Gen 1 platform/x86/amd/hsmp: mark hsmp_msg_desc_table[] as maybe_unused platform/x86: asus-wmi: Use platform_profile_cycle() platform/x86: asus-wmi: Fix inconsistent use of thermal policies platform/x86: hp: hp-bioscfg: remove redundant if statement MAINTAINERS: Update ISHTP ECLITE maintainer entry platform/x86: x86-android-tablets: Add support for Vexia EDU ATLA 10 tablet platform/x86: x86-android-tablets: Add support for getting i2c_adapter by PCI parent devname() ... commit 70e8ef2d6762cecfc868296fa9e0a3848b926efc Merge: 9f5a6a1fe690a4 ecf2b43018da95 Author: Linus Torvalds Date: Wed Nov 20 14:05:34 2024 -0800 Merge tag 'media/v6.13-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media Pull media fix from Mauro Carvalho Chehab: - uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format * tag 'media/v6.13-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format commit 9f5a6a1fe690a43896e0235377c7eb0b657c05a9 Merge: b57807cbbf36f1 72ad4ff638047b Author: Linus Torvalds Date: Wed Nov 20 14:01:15 2024 -0800 Merge tag 'media/v6.13-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media Pull media updates from Mauro Carvalho Chehab: - removal of the old omap4iss media driver - mantis: remove orphan mantis_core.h - add support for Raspberypi CFE - uvc driver got a co-maintainer - main media tree moved to git://linuxtv.org/media.git - lots of driver cleanups, updates and fixes * tag 'media/v6.13-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: (233 commits) docs: media: update location of the media patches MAINTAINERS: update location of media main tree media: MAINTAINERS: Add Hans de Goede as USB VIDEO CLASS co-maintainer media: platform: samsung: s5p-jpeg: Remove deadcode media: qcom: camss: Add MSM8953 resources media: dt-bindings: Add qcom,msm8953-camss media: qcom: camss: implement pm domain ops for VFE v4.1 media: platform: exynos4-is: Fix an OF node reference leak in fimc_md_is_isp_available media: adv7180: Also check for "adi,force-bt656-4" media: dt-bindings: adv7180: Document 'adi,force-bt656-4' media: mgb4: Fix inconsistent input/output alignment in loopback mode media: replace obsolete hans.verkuil@cisco.com alias Documentation: media: improve V4L2_CID_MIN_BUFFERS_FOR_*, doc media: vicodec: add V4L2_CID_MIN_BUFFERS_FOR_* controls media: atomisp: Add check for rgby_data memory allocation failure media: atomisp: remove redundant re-checking of err media: atomisp: Fix spelling errors reported by codespell media: atomisp: Remove License information boilerplate media: atomisp: Fix typos in comment media: atomisp: hmm_bo: Fix spelling errors in hmm_bo.h ... commit b57807cbbf36f17448cdb42e69a949aa76605440 Merge: e6de688e93a93b 903796855b6152 Author: Linus Torvalds Date: Wed Nov 20 13:57:40 2024 -0800 Merge tag 'hid-for-linus-2024111801' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid Pull HID updates from Jiri Kosina: - improvement in the way hid-bpf coexists with specific drivers (others than hid-generic) that are already bound to devices (Benjamin Tissoires) - removal of three way-too-aggressive BUG_ON()s from HID drivers (He Lugang) - assorted cleanups and small code fixes to HID core (Dmitry Torokhov, Yan Zhen, Nathan Chancellor, Andy Shevchenko) - support for Corsair Void headset family (Stuart Hayhurst) - Support for Goodix GT7986U SPI (Charles Wang) - initial vendor-specific driver for Kysona, currently adding support for Kysona M600 (Lode Willems) - other assorted code cleanups and small bugfixes all over the place * tag 'hid-for-linus-2024111801' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid: (40 commits) HID: multitouch: make mt_set_mode() less cryptic HID: hid-goodix-spi: Add OF supports dt-bindings: input: Goodix GT7986U SPI HID Touchscreen HID: hyperv: streamline driver probe to avoid devres issues HID: magicmouse: Apple Magic Trackpad 2 USB-C driver support HID: rmi: Add select RMI4_F3A in Kconfig HID: wacom: Interpret tilt data from Intuos Pro BT as signed values HID: steelseries: Add capacity_level mapping HID: steelseries: Fix battery requests stopping after some time HID: hid-goodix: Fix HID get/set feature operation overwritten problem HID: hid-goodix: Return 0 when receiving an empty HID feature package HID: bpf: drop use of Logical|Physical|UsageRange HID: bpf: Fix Rapoo M50 Plus Silent side buttons HID: bpf: Fix NKRO on Mistel MD770 HID: replace BUG_ON() with WARN_ON() HID: wacom: Set eraser status when either 'Eraser' or 'Invert' usage is set HID: Kysona: add basic online status HID: Kysona: check battery status every 5s using a workqueue HID: Kysona: Add basic battery reporting for Kysona M600 HID: Add IDs for Kysona ... commit e6de688e93a93b98db2ba4929af773038a999e9e Merge: 80db457e8d28d2 28b513b5a683cf Author: Linus Torvalds Date: Wed Nov 20 13:19:25 2024 -0800 Merge tag 'devicetree-for-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux Pull devicetree updates from Rob Herring: "Bindings: - Enable dtc "interrupt_provider" warnings for binding examples. Fix the warnings in fsl,mu-msi and ti,sci-inta due to this. - Convert zii,rave-sp-wdt, zii,rave-sp-pwrbutton, and altr,fpga-passive-serial to DT schema format - Add some documentation on the different forms of YAML text blocks which are a constant source of review comments - Fix some schema errors in constraints for arrays - Add compatibles for qcom,sar2130p-pdc and onnn,adt7462 DT core: - Allow overlay kunit tests to run CONFIG_OF_OVERLAY=n - Add some warnings on deprecated address handling - Rework early_init_dt_scan() so the arch can pass in the phys address of the DTB as __pa() is not always valid to use. This fixes a warning for arm64 with kexec. - Add and use some new DT graph iterators for iterating over ports and endpoints - Rework reserved-memory handling to be sized dynamically for fixed regions - Optimize of_modalias() to avoid a strlen() call - Constify struct device_node and property pointers where ever possible" * tag 'devicetree-for-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux: (36 commits) of: Allow overlay kunit tests to run CONFIG_OF_OVERLAY=n dt-bindings: interrupt-controller: qcom,pdc: Add SAR2130P compatible of/address: Rework bus matching to avoid warnings of: WARN on deprecated #address-cells/#size-cells handling of/fdt: Don't use default address cell sizes for address translation dt-bindings: Enable dtc "interrupt_provider" warnings of/fdt: add dt_phys arg to early_init_dt_scan and early_init_dt_verify dt-bindings: cache: qcom,llcc: Fix X1E80100 reg entries dt-bindings: watchdog: convert zii,rave-sp-wdt.txt to yaml format dt-bindings: input: convert zii,rave-sp-pwrbutton.txt to yaml media: xilinx-tpg: use new of_graph functions fbdev: omapfb: use new of_graph functions gpu: drm: omapdrm: use new of_graph functions ASoC: audio-graph-card2: use new of_graph functions ASoC: audio-graph-card: use new of_graph functions ASoC: test-component: use new of_graph functions of: property: use new of_graph functions of: property: add of_graph_get_next_port_endpoint() of: property: add of_graph_get_next_port() of: module: remove strlen() call in of_modalias() ... commit 80db457e8d28d24ca7e19fbd2d5050f7298803d6 Merge: 38556294b83f5c 0b028ff7e70ecb Author: Linus Torvalds Date: Wed Nov 20 12:55:41 2024 -0800 Merge tag 'auxdisplay-v6.13-1' of git://git.kernel.org/pub/scm/linux/kernel/git/andy/linux-auxdisplay Pull auxdisplay update from Andy Shevchenko: - Move Holtek 16k33 driver to use agnostic i2c_get_match_data() - Miscellaneuous cleanups * tag 'auxdisplay-v6.13-1' of git://git.kernel.org/pub/scm/linux/kernel/git/andy/linux-auxdisplay: auxdisplay: Remove unused functions auxdisplay: ht16k33: Make use of i2c_get_match_data() auxdisplay: Drop explicit initialization of struct i2c_device_id::driver_data to 0 commit 38556294b83f5c5818041c98a00e3a0e88fbb58c Merge: 75f2b37dd0a0ea c0baf6ead75d6d Author: Linus Torvalds Date: Wed Nov 20 12:51:32 2024 -0800 Merge tag 'mmc-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc Pull MMC updates from Ulf Hansson: "MMC core: - Add support for Ultra Capacity SD cards (SDUC, 2TB to 128TB) - Add support for Ultra High-Speed II SD cards (UHS-II) - Use a reset control for pwrseq_simple - Add SD card quirk for broken poweroff notification - Use GFP_NOIO for SD ACMD22 MMC host: - bcm2835: Introduce proper clock handling - mtk-sd: Add support for the Host-Software-Queue interface - mtk-sd: Add support for the mt7988/mt8196 variants - mtk-sd: Fix a couple of error paths in ->probe() - sdhci: Add interface to support UHS-II SD cards - sdhci_am654: Fixup support for changing the signal voltage level - sdhci-cadence: Add support for the Microchip PIC64GX variant - sdhci-esdhc-imx: Add support for eMMC HW-reset - sdhci-msm: Add support for the X1E80100/IPQ5424/SAR2130P/QCS615 variants - sdhci-of-arasan: Add support for eMMC HW-reset - sdhci-pci-gli: Add UHS-II support for the GL9767/GL9755 variants MEMSTICK: - A couple of minor updates" * tag 'mmc-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc: (78 commits) mmc: pwrseq_simple: Handle !RESET_CONTROLLER properly mmc: mtk-sd: Fix MMC_CAP2_CRYPTO flag setting mmc: mtk-sd: Fix error handle of probe function mmc: core: Correction a warning caused by incorrect type in assignment for UHS-II mmc: sdhci-esdhc-imx: Update esdhc sysctl dtocv bitmask mmc: sdhci-esdhc-imx: Implement emmc hardware reset mmc: core: Correct type in variable assignment for UHS-II mmc: sdhci-uhs2: correction a warning caused by incorrect type in argument mmc: sdhci-uhs2: Remove unnecessary variables mmc: sdhci-uhs2: Correct incorrect type in argument mmc: sdhci: Make MMC_SDHCI_UHS2 config symbol invisible mmc: sdhci-uhs2: Remove unnecessary NULL check mmc: core: Fix error paths for UHS-II card init and re-init mmc: core: Add error handling of sd_uhs2_power_up() mmc: core: Simplify sd_uhs2_power_up() mmc: bcm2835: Introduce proper clock handling mmc: bcm2835: Fix type of current clock speed dt-bindings: mmc: Add sdhci compatible for QCS615 mmc: core: Use GFP_NOIO in ACMD22 dt-bindings: mmc: sdhci-msm: Add SAR2130P compatible ... commit 75f2b37dd0a0eab8e6b179d745d79824893f39fa Merge: 0cea11025519f8 5812b95b7ff47d Author: Linus Torvalds Date: Wed Nov 20 12:44:59 2024 -0800 Merge tag 'pmdomain-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/linux-pm Pull pmdomain updates from Ulf Hansson: "pmdomain core: - Set the required dev for a required OPP during genpd attach - Add support for required OPPs to dev_pm_domain_attach_list() pmdomain providers: - ti: Enable GENPD_FLAG_ACTIVE_WAKEUP flag for ti_sci PM domains - mediatek: Add support for MT6735 PM domains - mediatek: Use OF-specific regulator API to get power domain supply - qcom: Add support for the SM8750/SAR2130P/qcs615/qcs8300 rpmhpds pmdomain consumers: - Convert a couple of consumer drivers to *_pm_domain_attach|detach_list() opp core: - Rework and cleanup some code that manages required OPPs - Remove *_opp_attach|detach_genpd()" * tag 'pmdomain-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/linux-pm: (25 commits) pmdomain: qcom: rpmhpd: Add rpmhpd support for SM8750 dt-bindings: power: qcom,rpmpd: document the SM8750 RPMh Power Domains pmdomain: imx: Use of_property_present() for non-boolean properties pmdomain: imx: gpcv2: replace dev_err() with dev_err_probe() pmdomain: ti-sci: Use scope based of_node_put() to simplify code. pmdomain: ti-sci: Add missing of_node_put() for args.np pmdomain: ti-sci: set the GENPD_FLAG_ACTIVE_WAKEUP flag for all PM domains pmdomain: mediatek: Add support for MT6735 pmdomain: qcom: rpmhpd: add support for SAR2130P dt-bindings: power: Add binding for MediaTek MT6735 power controller dt-bindings: power: rpmpd: Add SAR2130P compatible OPP: Drop redundant *_opp_attach|detach_genpd() cpufreq: qcom-nvmem: Convert to dev_pm_domain_attach|detach_list() media: venus: Convert into devm_pm_domain_attach_list() for OPP PM domain drm/tegra: gr3d: Convert into devm_pm_domain_attach_list() OPP: Drop redundant code in _link_required_opps() pmdomain: core: Set the required dev for a required OPP during genpd attach pmdomain: core: Manage the default required OPP from a separate function PM: domains: Support required OPPs in dev_pm_domain_attach_list() OPP: Rework _set_required_devs() to manage a single device per call ... commit 0cea11025519f8f658963d8e835c7234450500bf Merge: 131561f2ca075f bd4c8bafcf50b6 Author: Linus Torvalds Date: Wed Nov 20 12:41:03 2024 -0800 Merge tag 'pwrseq-updates-for-v6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux Pull power sequencing updates from Bartosz Golaszewski: - extend support for the wcn6855 model in the pwrseq-qcom-wcn driver - make this driver depend on CONFIG_OF=y as it uses some very OF-specific interfaces and depends on phandle parsing * tag 'pwrseq-updates-for-v6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux: power: sequencing: qcom-wcn: improve support for wcn6855 power: sequencing: make the QCom PMU pwrseq driver depend on CONFIG_OF commit 131561f2ca075f3737c2b4821c4d067dfba0f55f Merge: 7d756066651585 bef29ca3a64585 Author: Linus Torvalds Date: Wed Nov 20 12:37:06 2024 -0800 Merge tag 'gpio-updates-for-v6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux Pull gpio updates from Bartosz Golaszewski: "Three new drivers, support for some new models in existing ones and lots of various tweaks and improvements across the board (switching to using recommended APIs, code shrink and simplification, etc.). Also a new feature in the character device uAPI where we now notify the user-space about changes triggered by in-kernel users as well, not only when they were done by other user-space agents. Summary: GPIOLIB core: - use the new mem_is_zero() instead of memchr_inv(s, 0, n) - don't store debounce period twice needlessly - clean-up debugfs handling - remove leftover comments referring to no longer used spinlocks - unduplicate some operations like SRCU locks and initializing GPIO descriptors - constify the sysfs class struct - use lock guards in GPIO sysfs code - update GPIO uAPI internal flags all at once atomically for consistency with other places - modify the behavior of the sysfs interface by no longer exporting lines that are named inside the driver code or board files with the sysfs links bearing the line names as this has for many years been largely unused due to the prevalence of DT, ACPI and firmware nodes over board files and made the API inconsistent - for GPIO interrupt providers: free irqs that are still requested by users when removing the chip GPIO uAPI: - notify user-space about changes to GPIO lines' state (requested, released, reconfigured) triggered from the kernel as well (until now we'd only do this for changes triggered from user-space) - to that end: modify the internal workings of the notification mechanism by switching to an atomic notifier which allows us to send events from atomic context - also to that end store the debounce period in the GPIO descriptor struct and not in the character device context struct - while at it, also cover the corner-case of users introducing changes over sysfs while others watch them via the character device - don't report GPIO lines requested as interrupts as "used" to user-space as it can still request them as GPIOs New drivers: - GPIO part of the MFD Congatec Board Controller - PolarFire GPIO controller - GPIOs on FTDI FT2232H Driver improvements: - use generic device property accessors instead of OF-specific ones across many GPIO drivers (mpc8xxx, vf610, eic-sprd, davinci, ts4900, xilinx, mvebu) - use devres helpers to simplify error paths and either shrink or entirely remove the driver's remove() callback (grgpio, amdpt, menz127, max730x, ftgpio010, 74x164, ljca) - use helper variables to store the address of pdev->dev and avoid some line-breaks - use device_for_each_child_node_scoped() to avoid having to put the fwnode on breaks or errors (gpio-sim, gpio-dwapb, gpiolib-acpi) - use a scoped bitmap to simplify the code and drop goto labels in gpio-aggregator - drop unneeded Kconfig dependencies on OF_GPIO (grgpio, mveby, xilinx) - add support for new models to gpio-aspeed, gpio-rockchip and gpio-dwapb - clean-up ACPI handling and some other bits in gpio-xgene-sb - replace deprecated PCI functions in pcie-idio-24 and pci-idio-16 - allow to build davinci and mvebu drivers with COMPILE_TEST=y - remove dead code in gpio-mb86s7x - switch back to using platform_driver::remove() (after the conversion to remove_new()) across the GPIO drivers - remove remaining uses of GPIOF_ACTIVE_LOW across the tree and drop this deprecated symbol - convert the gpio-altera driver to no longer pull in the deprecated legacy-of-mm-gpiochip.h header - use of_property_present() instead of of_property_read_bool() in gpiolib-of and gpio-rockchip - allow to build the tegra186 driver on Tegra234 platforms in Kconfig Late fixes: - add a missing return value check after devm_kasprintf() to gpio-grgpio DT bindings: - document the ngpios property of gpio-mmio - add support for a new aspeed model - fix the example for st,nomadik-gpio Other: - kernel doc and comments tweaks - fix typos in TODO - reorder headers alphabetically in some drivers - fix incorrect format specifiers in gpio tools" * tag 'gpio-updates-for-v6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux: (98 commits) gpio: tegra186: Allow to enable driver on Tegra234 gpio: grgpio: Add NULL check in grgpio_probe tools: gpio: Fix several incorrect format specifiers gpio: mpfs: add CoreGPIO support gpio: rockchip: support new version GPIO gpio: rockchip: change the GPIO version judgment logic gpio: rockchip: explan the format of the GPIO version ID gpiolib: cdev: use !mem_is_zero() instead of memchr_inv(s, 0, n) MAINTAINERS: add gpio driver to PolarFire entry gpio: Get rid of GPIOF_ACTIVE_LOW USB: gadget: pxa27x_udc: Avoid using GPIOF_ACTIVE_LOW pcmcia: soc_common: Avoid using GPIOF_ACTIVE_LOW leds: gpio: Avoid using GPIOF_ACTIVE_LOW Input: gpio_keys_polled - avoid using GPIOF_ACTIVE_LOW Input: gpio_keys - avoid using GPIOF_ACTIVE_LOW gpio: Use of_property_present() for non-boolean properties gpio: mpfs: add polarfire soc gpio support gpio: altera: Drop legacy-of-mm-gpiochip.h header gpio: pcie-idio-24: Replace deprecated PCI functions gpio: pci-idio-16: Replace deprecated PCI functions ... commit 7d7560666515855f67df6b0a78fecf2007d35dcc Merge: f2ef39727a229d b2eaa1170e45dc Author: Linus Torvalds Date: Wed Nov 20 12:34:22 2024 -0800 Merge tag 'pwm/for-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/ukleinek/linux Pull pwm updates from Uwe Kleine-König: "This contains a new abstraction for PWM waveforms that is more expressive that the legacy one. Compared to the old abstraction it contains a duty_offset member instead of polarity. This new abstraction is already used in an ADC driver merged into the iio tree. The new API requires changes to the lowlevel drivers. For now there are two drivers that are converted to the new API (axi-pwmgen and stm32). Converted drivers continue to work with the old API. Drivers not yet converted only work with the older API. Otherwise it's the usual collection of fixes, cleanups and dt doc updates. This time around thanks go to Andy Shevchenko, Clark Wang, Conor Dooley, David Lechner, Dimitri Fedrau, Frank Li, Jun Li, Kelvin Zhang, Krzysztof Kozlowski, Nuno Sa, Shen Lichuan and Trevor Gamblin for code contributions, testing and review" * tag 'pwm/for-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/ukleinek/linux: pwm: Assume a disabled PWM to emit a constant inactive output pwm: core: export pwm_get_state_hw() pwm: core: use device_match_name() instead of strcmp(dev_name(... dt-bindings: pwm: adi,axi-pwmgen: Increase #pwm-cells to 3 pwm: imx27: Use clk_bulk_*() API to simplify clock handling pwm: imx27: Workaround of the pwm output bug when decrease the duty cycle pwm: axi-pwmgen: Enable FORCE_ALIGN by default pwm: axi-pwmgen: Rename 0x10 register dt-bindings: pwm: amlogic: Document C3 PWM pwm: axi-pwmgen: Create a dedicated function for getting driver data from a chip pwm: atmel-tcb: Use min() macro pwm: stm32: Fix error checking for a regmap_read() call pwm: Add kernel doc for members added to pwm_ops recently pwm: Reorder symbols in core.c pwm: stm32: Implementation of the waveform callbacks pwm: axi-pwmgen: Implementation of the waveform callbacks pwm: Add tracing for waveform callbacks pwm: Provide new consumer API functions for waveforms pwm: New abstraction for PWM waveforms pwm: Add more locking commit f2ef39727a229ddd127e3538b58f4f5bdc5eeea6 Merge: 4bd37a902ab66d 26470a2e87a6fc Author: Linus Torvalds Date: Wed Nov 20 12:23:06 2024 -0800 Merge tag 'spi-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi Pull spi updates from Mark Brown: "The only real core work we've got this time around is the completion of the transition to the new host/target naming for the core APIs, Kconfig still needs doing but that's a lot less invasive. Otherwise the big changes are the new drivers that have been added: - Completion of the conversion to spi_alloc_host()/_target() and removal of the old naming. - Cleanups for Rockchip drivers, these brought in a new logging helper in the driver core for warnings during probe. - Support for configuration of the word delay via spidev_test. - Support for AMD HID2 controllers, Apple SPI controller and Realtek SPI-NAND controllers" * tag 'spi-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi: (58 commits) spi: imx: support word delay spi: imx: pass struct spi_transfer to prepare_transfer() spi: cs42l43: Add GPIO speaker id support to the bridge configuration spi: Delete useless checks spi: apple: Remove unnecessary .owner for apple_spi_driver spi: spidev_test: add support for word delay spi: apple: Add driver for Apple SPI controller spi: dt-bindings: apple,spi: Add binding for Apple SPI controllers spi: Use of_property_present() for non-boolean properties spi: zynqmp-gqspi: Undo runtime PM changes at driver exit time​ spi: spi-mem: rtl-snand: Correctly handle DMA transfers spi: tegra210-quad: Avoid shift-out-of-bounds spi: axi-spi-engine: Emit trace events for spi transfers dt-bindings: spi: sprd,sc9860-spi: convert to YAML spi: Replace deprecated PCI functions spi: dt-bindings: samsung: Add a compatible for samsung,exynos8895-spi spi: spi-mem: Add Realtek SPI-NAND controller dt-bindings: spi: Add realtek,rtl9301-snand spi: make class structs const spi: dt-bindings: brcm,bcm2835-aux-spi: Convert to dtschema ... commit d9db393f2b9ed674f965dd823c1692b41bad7bfb Author: Luo Yifan Date: Tue Nov 12 17:09:24 2024 +0800 tools: PCI: Fix incorrect printf format specifiers Fix several incorrect printf format specifiers that misused signed and unsigned versions. Link: https://lore.kernel.org/r/20241112090924.287056-1-luoyifan@cmss.chinamobile.com Signed-off-by: Luo Yifan Signed-off-by: Bjorn Helgaas Reviewed-by: Manivannan Sadhasivam commit 4bd37a902ab66d63f20e75d42f17aaec81de2263 Merge: 37c7d3538af469 21ccadc64dae18 Author: Linus Torvalds Date: Wed Nov 20 12:18:50 2024 -0800 Merge tag 'regulator-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator Pull regulator updates from Mark Brown: "This was a quite quiet release for regulators on the drivers front, but we do have two small but useful core improvements: - Improve handling of cases where DT platforms specify both DT and init_data based configuration for a single regulator. - A helper of_regulator_get_optional() to simplify writing generic bindings for regulator consumers in subsystems. There's also some YAML conversions for the DT bindings which are a big part of the diffstat" * tag 'regulator-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator: regulator: dt-bindings: qcom,rpmh: Correct PM8550VE supplies regulator: Switch back to struct platform_driver::remove() regulator: doc: remove documentation comment for regulator_init regulator: doc: add missing documentation for init_cb regulator: rk808: Restrict DVS GPIOs to the RK808 variant only regulator: rk808: Use dev_err_probe() in the probe path regulator: rk808: Perform trivial code cleanups regulator: dt-bindings: qcom,qca6390-pmu: add more properties for wcn6855 regulator: dt-bindings: lltc,ltc3676: convert to YAML regulator: core: Use fsleep() to get best sleep mechanism regulator: core: remove machine init callback from config regulator: core: add callback to perform runtime init regulator: core: do not silently ignore provided init_data regulator: max5970: Drop unused structs regulator: dt-bindings: vctrl-regulator: convert to YAML regulator: qcom-smd: make smd_vreg_rpm static regulator: Call of_node_put() only once in rzg2l_usb_vbus_regulator_probe() regulator: isl6271a: Drop explicit initialization of struct i2c_device_id::driver_data to 0 regulator: Add devres version of of_regulator_get_optional() regulator: Add of_regulator_get_optional() for pure DT regulator lookup commit 37c7d3538af469c2ac8d2d379f699e71aa3c6f37 Merge: 856385e0c56e77 d1f4390dd28ba1 Author: Linus Torvalds Date: Wed Nov 20 12:09:47 2024 -0800 Merge tag 'regmap-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap Pull regmap updates from Mark Brown: "The main thing for regmap this time around is some improvements of the lockdep annotations which stop some false positives. We also have one new helper for setting a bitmask to the same value, and several test improvements" * tag 'regmap-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap: regmap: provide regmap_assign_bits() regmap: irq: Set lockdep class for hierarchical IRQ domains regmap: maple: Provide lockdep (sub)class for maple tree's internal lock regmap: kunit: Fix repeated test param regcache: Improve documentation of available cache types regmap: Specifically test writing 0 as a value to sparse caches regmap-irq: Consistently use memset32() in regmap_irq_thread() commit 856385e0c56e7739bddea869e7a17f040211a2fc Merge: f89a687aaeae54 a44c26d7fa74a5 Author: Linus Torvalds Date: Wed Nov 20 11:54:39 2024 -0800 Merge tag 'linux_kselftest-next-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest Pull kselftest update from Shuah Khan: "timer test: - remove duplicate defines - fixes to improve error reporting rtc test: - check rtc alarm status in alarm test resctrl test: - add array overrun checks during iMC config parsing code and when reading strings - fixes and reorganizing code" * tag 'linux_kselftest-next-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest: (23 commits) selftests/resctrl: Replace magic constants used as array size selftests/resctrl: Keep results from first test run selftests/resctrl: Do not compare performance counters and resctrl at low bandwidth selftests/resctrl: Use cache size to determine "fill_buf" buffer size selftests/resctrl: Ensure measurements skip initialization of default benchmark selftests/resctrl: Make benchmark parameter passing robust selftests/resctrl: Remove unused measurement code selftests/resctrl: Only support measured read operation selftests/resctrl: Remove "once" parameter required to be false selftests/resctrl: Make wraparound handling obvious selftests/resctrl: Protect against array overflow when reading strings selftests/resctrl: Protect against array overrun during iMC config parsing selftests/resctrl: Fix memory overflow due to unhandled wraparound selftests/resctrl: Print accurate buffer size as part of MBM results selftests/resctrl: Make functions only used in same file static selftests: Add a test mangling with uc_sigmask selftests: Rename sigaltstack to generic signal selftest: rtc: Add to check rtc alarm status for alarm related test selftests:timers: remove local CLOCKID defines selftests: timers: Remove unneeded semicolon ... commit f89a687aaeae54fb59e8e8aa619bd448a9c235a2 Merge: aad3a0d084513e 24b2455fe8fce1 Author: Linus Torvalds Date: Wed Nov 20 11:47:43 2024 -0800 Merge tag 'kgdb-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/danielt/linux Pull kgdb updates from Daniel Thompson: "A relatively modest collection of changes: - Adopt kstrtoint() and kstrtol() instead of the simple_strtoXX family for better error checking of user input. - Align the print behavour when breakpoints are enabled and disabled by adopting the current behaviour of breakpoint disable for both. - Remove some of the (rather odd and user hostile) hex fallbacks and require kdb users to prefix with 0x instead. - Tidy up (and fix) control code handling in kdb's keyboard code. This makes the control code handling at the keyboard behave the same way as it does via the UART. - Switch my own entry in MAINTAINERS to my @kernel.org address" * tag 'kgdb-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/danielt/linux: kdb: fix ctrl+e/a/f/b/d/p/n broken in keyboard mode MAINTAINERS: Use Daniel Thompson's korg address for kgdb work kdb: Fix breakpoint enable to be silent if already enabled kdb: Remove fallback interpretation of arbitrary numbers as hex trace: kdb: Replace simple_strtoul with kstrtoul in kdb_ftdump kdb: Replace the use of simple_strto with safer kstrto in kdb_main commit aad3a0d084513e811233ad48bf234fbfcfcd0a14 Merge: 8f7c8b88bda498 36a367b8912a3a Author: Linus Torvalds Date: Wed Nov 20 11:34:10 2024 -0800 Merge tag 'ftrace-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace Pull ftrace updates from Steven Rostedt: - Restructure the function graph shadow stack to prepare it for use with kretprobes With the goal of merging the shadow stack logic of function graph and kretprobes, some more restructuring of the function shadow stack is required. Move out function graph specific fields from the fgraph infrastructure and store it on the new stack variables that can pass data from the entry callback to the exit callback. Hopefully, with this change, the merge of kretprobes to use fgraph shadow stacks will be ready by the next merge window. - Make shadow stack 4k instead of using PAGE_SIZE. Some architectures have very large PAGE_SIZE values which make its use for shadow stacks waste a lot of memory. - Give shadow stacks its own kmem cache. When function graph is started, every task on the system gets a shadow stack. In the future, shadow stacks may not be 4K in size. Have it have its own kmem cache so that whatever size it becomes will still be efficient in allocations. - Initialize profiler graph ops as it will be needed for new updates to fgraph - Convert to use guard(mutex) for several ftrace and fgraph functions - Add more comments and documentation - Show function return address in function graph tracer Add an option to show the caller of a function at each entry of the function graph tracer, similar to what the function tracer does. - Abstract out ftrace_regs from being used directly like pt_regs ftrace_regs was created to store a partial pt_regs. It holds only the registers and stack information to get to the function arguments and return values. On several archs, it is simply a wrapper around pt_regs. But some users would access ftrace_regs directly to get the pt_regs which will not work on all archs. Make ftrace_regs an abstract structure that requires all access to its fields be through accessor functions. - Show how long it takes to do function code modifications When code modification for function hooks happen, it always had the time recorded in how long it took to do the conversion. But this value was never exported. Recently the code was touched due to new ROX modification handling that caused a large slow down in doing the modifications and had a significant impact on boot times. Expose the timings in the dyn_ftrace_total_info file. This file was created a while ago to show information about memory usage and such to implement dynamic function tracing. It's also an appropriate file to store the timings of this modification as well. This will make it easier to see the impact of changes to code modification on boot up timings. - Other clean ups and small fixes * tag 'ftrace-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: (22 commits) ftrace: Show timings of how long nop patching took ftrace: Use guard to take ftrace_lock in ftrace_graph_set_hash() ftrace: Use guard to take the ftrace_lock in release_probe() ftrace: Use guard to lock ftrace_lock in cache_mod() ftrace: Use guard for match_records() fgraph: Use guard(mutex)(&ftrace_lock) for unregister_ftrace_graph() fgraph: Give ret_stack its own kmem cache fgraph: Separate size of ret_stack from PAGE_SIZE ftrace: Rename ftrace_regs_return_value to ftrace_regs_get_return_value selftests/ftrace: Fix check of return value in fgraph-retval.tc test ftrace: Use arch_ftrace_regs() for ftrace_regs_*() macros ftrace: Consolidate ftrace_regs accessor functions for archs using pt_regs ftrace: Make ftrace_regs abstract from direct use fgragh: No need to invoke the function call_filter_check_discard() fgraph: Simplify return address printing in function graph tracer function_graph: Remove unnecessary initialization in ftrace_graph_ret_addr() function_graph: Support recording and printing the function return address ftrace: Have calltime be saved in the fgraph storage ftrace: Use a running sleeptime instead of saving on shadow stack fgraph: Use fgraph data to store subtime for profiler ... commit 8af7a50167833b6b22e30c008bbf95ab3ff1a5fb Author: Miguel Ojeda Date: Wed Nov 20 18:59:16 2024 +0100 rust: jump_label: skip formatting generated file After a source tree build of the kernel, and having used the `RSCPP` rule, running `rustfmt` fails with: error: macros that expand to items must be delimited with braces or followed by a semicolon --> rust/kernel/arch_static_branch_asm.rs:1:27 | 1 | ...ls!("1: jmp " ... ".popsection \n\t") | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | help: change the delimiters to curly braces | 1 | ::kernel::concat_literals!{"1: jmp " ... ".popsection \n\t"} | ~ ~ help: add a semicolon | 1 | ::kernel::concat_literals!("1: jmp " ... ".popsection \n\t"); | + This file is not meant to be formatted nor works on its own since it is meant to be textually included. Thus skip formatting it by prefixing its name with `generated_`. Cc: Masami Hiramatsu Cc: Alex Gaynor Cc: Mathieu Desnoyers Cc: Boqun Feng Cc: Gary Guo Cc: Björn Roy Baron Cc: Benno Lossin Cc: Andreas Hindborg Cc: Alice Ryhl Cc: Trevor Gross Link: https://lore.kernel.org/20241120175916.58860-1-ojeda@kernel.org Fixes: 169484ab6677 ("rust: add arch_static_branch") Signed-off-by: Miguel Ojeda Signed-off-by: Steven Rostedt (Google) commit 9008fe8fad8255edfdbecea32d7eb0485d939d0d Author: Geert Uytterhoeven Date: Wed Nov 20 13:46:21 2024 +0100 slab: Fix too strict alignment check in create_cache() On m68k, where the minimum alignment of unsigned long is 2 bytes: Kernel panic - not syncing: __kmem_cache_create_args: Failed to create slab 'io_kiocb'. Error -22 CPU: 0 UID: 0 PID: 1 Comm: swapper Not tainted 6.12.0-atari-03776-g7eaa1f99261a #1783 Stack from 0102fe5c: 0102fe5c 00514a2b 00514a2b ffffff00 00000001 0051f5ed 00425e78 00514a2b 0041eb74 ffffffea 00000310 0051f5ed ffffffea ffffffea 00601f60 00000044 0102ff20 000e7a68 0051ab8e 004383b8 0051f5ed ffffffea 000000b8 00000007 01020c00 00000000 000e77f0 0041e5f0 005f67c0 0051f5ed 000000b6 0102fef4 00000310 0102fef4 00000000 00000016 005f676c 0060a34c 00000010 00000004 00000038 0000009a 01000000 000000b8 005f668e 0102e000 00001372 0102ff88 Call Trace: [<00425e78>] dump_stack+0xc/0x10 [<0041eb74>] panic+0xd8/0x26c [<000e7a68>] __kmem_cache_create_args+0x278/0x2e8 [<000e77f0>] __kmem_cache_create_args+0x0/0x2e8 [<0041e5f0>] memset+0x0/0x8c [<005f67c0>] io_uring_init+0x54/0xd2 The minimal alignment of an integral type may differ from its size, hence is not safe to assume that an arbitrary freeptr_t (which is basically an unsigned long) is always aligned to 4 or 8 bytes. As nothing seems to require the additional alignment, it is safe to fix this by relaxing the check to the actual minimum alignment of freeptr_t. Fixes: aaa736b186239b7d ("io_uring: specify freeptr usage for SLAB_TYPESAFE_BY_RCU io_kiocb cache") Fixes: d345bd2e9834e2da ("mm: add kmem_cache_create_rcu()") Reported-by: Guenter Roeck Closes: https://lore.kernel.org/37c588d4-2c32-4aad-a19e-642961f200d7@roeck-us.net Cc: Signed-off-by: Geert Uytterhoeven Tested-by: Guenter Roeck Reviewed-by: Jens Axboe Signed-off-by: Vlastimil Babka commit 8f7c8b88bda4988f44e595a760438febf51c92c8 Merge: 7586d5276515a5 6b8950ef993bcf Author: Linus Torvalds Date: Wed Nov 20 10:08:00 2024 -0800 Merge tag 'sched_ext-for-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/sched_ext Pull sched_ext updates from Tejun Heo: - Improve the default select_cpu() implementation making it topology aware and handle WAKE_SYNC better. - set_arg_maybe_null() was used to inform the verifier which ops args could be NULL in a rather hackish way. Use the new __nullable CFI stub tags instead. - On Sapphire Rapids multi-socket systems, a BPF scheduler, by hammering on the same queue across sockets, could live-lock the system to the point where the system couldn't make reasonable forward progress. This could lead to soft-lockup triggered resets or stalling out bypass mode switch and thus BPF scheduler ejection for tens of minutes if not hours. After trying a number of mitigations, the following set worked reliably: - Injecting artificial cpu_relax() loops in two places while sched_ext is trying to turn on the bypass mode. - Triggering scheduler ejection when soft-lockup detection is imminent (a quarter of threshold left). While not the prettiest, the impact both in terms of code complexity and overhead is minimal. - A common complaint on the API is the overuse of the word "dispatch" and the confusion around "consume". This is due to how the dispatch queues became more generic over time. Rename the affected kfuncs for clarity. Thanks to BPF's compatibility features, this change can be made in a way that's both forward and backward compatible. The compatibility code will be dropped in a few releases. - Other misc changes * tag 'sched_ext-for-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/sched_ext: (21 commits) sched_ext: Replace scx_next_task_picked() with switch_class() in comment sched_ext: Rename scx_bpf_dispatch[_vtime]_from_dsq*() -> scx_bpf_dsq_move[_vtime]*() sched_ext: Rename scx_bpf_consume() to scx_bpf_dsq_move_to_local() sched_ext: Rename scx_bpf_dispatch[_vtime]() to scx_bpf_dsq_insert[_vtime]() sched_ext: scx_bpf_dispatch_from_dsq_set_*() are allowed from unlocked context sched_ext: add a missing rcu_read_lock/unlock pair at scx_select_cpu_dfl() sched_ext: Clarify sched_ext_ops table for userland scheduler sched_ext: Enable the ops breather and eject BPF scheduler on softlockup sched_ext: Avoid live-locking bypass mode switching sched_ext: Fix incorrect use of bitwise AND sched_ext: Do not enable LLC/NUMA optimizations when domains overlap sched_ext: Introduce NUMA awareness to the default idle selection policy sched_ext: Replace set_arg_maybe_null() with __nullable CFI stub tags sched_ext: Rename CFI stubs to names that are recognized by BPF sched_ext: Introduce LLC awareness to the default idle selection policy sched_ext: Clarify ops.select_cpu() for single-CPU tasks sched_ext: improve WAKE_SYNC behavior for default idle CPU selection sched_ext: Use btf_ids to resolve task_struct sched/ext: Use tg_cgroup() to elieminate duplicate code sched/ext: Fix unmatch trailing comment of CONFIG_EXT_GROUP_SCHED ... commit 7586d5276515a54656bc46530b32e10913c44b1f Merge: d6b6d39054fa3d fbfbf86685b327 Author: Linus Torvalds Date: Wed Nov 20 09:54:49 2024 -0800 Merge tag 'cgroup-for-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup Pull cgroup updates from Tejun Heo: - cpu.stat now also shows niced CPU time - Freezer and cpuset optimizations - Other misc changes * tag 'cgroup-for-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup: cgroup/cpuset: Disable cpuset_cpumask_can_shrink() test if not load balancing cgroup/cpuset: Further optimize code if CONFIG_CPUSETS_V1 not set cgroup/cpuset: Enforce at most one rebuild_sched_domains_locked() call per operation cgroup/cpuset: Revert "Allow suppression of sched domain rebuild in update_cpumasks_hier()" MAINTAINERS: remove Zefan Li cgroup/freezer: Add cgroup CGRP_FROZEN flag update helper cgroup/freezer: Reduce redundant traversal for cgroup_freeze cgroup/bpf: only cgroup v2 can be attached by bpf programs Revert "cgroup: Fix memory leak caused by missing cgroup_bpf_offline" selftests/cgroup: Fix compile error in test_cpu.c cgroup/rstat: Selftests for niced CPU statistics cgroup/rstat: Tracking cgroup-level niced CPU time cgroup/cpuset: Fix spelling errors in file kernel/cgroup/cpuset.c commit d6b6d39054fa3db4326e73e09576ed5f758ecd2b Merge: a0e752bda210e7 85f0d8e39affb7 Author: Linus Torvalds Date: Wed Nov 20 09:41:11 2024 -0800 Merge tag 'wq-for-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq Pull workqueue updates from Tejun Heo: - The maximum concurrency limit of 512 which was set a long time ago is too low now. A legitimate use (BPF cgroup release) of system_wq could saturate it under stress test conditions leading to false dependencies and deadlocks. While the offending use was switched to a dedicated workqueue, use the opportunity to bump WQ_MAX_ACTIVE four fold and document that system workqueue shouldn't be saturated. Workqueue should add at least a warning mechanism for cases where system workqueues are saturated. - Recent workqueue updates to support more flexible execution topology made unbound workqueues use per-cpu worker pool frontends which pushed up workqueue flush overhead. As consecutive CPUs are likely to be pointing to the same worker pool, reduce overhead by switching locks only when necessary. * tag 'wq-for-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq: workqueue: Reduce expensive locks for unbound workqueue workqueue: Adjust WQ_MAX_ACTIVE from 512 to 2048 workqueue: doc: Add a note saturating the system_wq is not permitted commit a0e752bda210e7ff61c37ef3f7898bcbcd2693cb Merge: aa44f41470450f 4638d7ebeff5a7 Author: Linus Torvalds Date: Wed Nov 20 09:36:05 2024 -0800 Merge tag 'probes-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace Pull probes updates from Masami Hiramatsu: "Kprobes cleanups. Functionality does not change. - kprobes: Cleanup the config comment Adjust #endif comments. - kprobes: Cleanup collect_one_slot() and __disable_kprobe() Make fail fast to reduce code nested level. - kprobes: Use struct_size() in __get_insn_slot() Use struct_size() to avoid special macro. - x86/kprobes: Cleanup kprobes on ftrace code Use macro instead of direct field access/magic number, and avoid redundant instruction pointer setting" * tag 'probes-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: x86/kprobes: Cleanup kprobes on ftrace code kprobes: Use struct_size() in __get_insn_slot() kprobes: Cleanup collect_one_slot() and __disable_kprobe() kprobes: Cleanup the config comment commit aa44f41470450f3f4fc74526c1f7369771545205 Merge: 7d66d3ab139c8c 62597edf634019 Author: Linus Torvalds Date: Wed Nov 20 09:33:23 2024 -0800 Merge tag 'livepatching-for-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/livepatching/livepatching Pull livepatching update from Petr Mladek: - A new selftest for livepatching of a kprobed function * tag 'livepatching-for-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/livepatching/livepatching: selftests: livepatch: test livepatching a kprobed function selftests: livepatch: save and restore kprobe state selftests: livepatch: rename KLP_SYSFS_DIR to SYSFS_KLP_DIR commit 7d66d3ab139c8c195dbb603e21043b6e2d120fa3 Merge: c3cda60e83c803 34767e5357fc80 Author: Linus Torvalds Date: Wed Nov 20 09:21:11 2024 -0800 Merge tag 'printk-for-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/printk/linux Pull printk updates from Petr Mladek: - Print more precise information about the printk log buffer memory usage. - Make sure that the sysrq title is shown on the console even when deferred. - Do not enable earlycon by `console=` which is meant to disable the default console. * tag 'printk-for-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/printk/linux: printk: add dummy printk_force_console_enter/exit helpers tty: sysrq: Use printk_force_console context on __handle_sysrq printk: Introduce FORCE_CON flag printk: Improve memory usage logging during boot init: Don't proxy `console=` to earlycon commit c3cda60e83c803a3b3b832f371c776e57194b2f0 Merge: bf9aa14fc523d2 c818d5c64c9a8c Author: Linus Torvalds Date: Wed Nov 20 09:16:45 2024 -0800 Merge tag 'docs-6.13' of git://git.lwn.net/linux Pull documentation updates from Jonathan Corbet: "Another moderately busy cycle in docsland: - Work on Chinese translations has picked up again. Happily, they are maintaining the existing translations and not just adding new ones. - Some maintenance of the Japanese and Italian translations as well. - The removal of the venerable "dontdiff" file. It has long outlived its usefulness and contained entries ("parse.*") that would actively mask actual source change. - The addition of enforcement information to the code-of-conduct documentation. Along with some build-system fixes and a lot of typo and language fixes" * tag 'docs-6.13' of git://git.lwn.net/linux: (52 commits) Documentation/CoC: spell out enforcement for unacceptable behaviors docs: fix typos and whitespace in Documentation/process/backporting.rst docs/zh_CN: fix one sentence in llvm.rst docs: bug-bisect: add a note about bisecting -next docs/zh_CN: add the translation of kbuild/llvm.rst Documentation: Fix incorrect paths/magic in magic numbers rst Documentation/maintainer-tip: Fix typos Documentation: Improve crash_kexec_post_notifiers description Docs/zh_CN: Translate physical_memory.rst to Simplified Chinese Documentation: admin: reorganize kernel-parameters intro docs/zh_CN: update the translation of process/programming-language.rst docs/zh_CN: update the translation of mm/page_owner.rst docs/zh_CN: update the translation of mm/page_table_check.rst docs/zh_CN: update the translation of mm/overcommit-accounting.rst docs/zh_CN: update the translation of mm/admon/faq.rst docs/zh_CN: update the translation of mm/active_mm.rst docs/zh_CN: update the translation of mm/hmm.rst docs: remove Documentation/dontdiff docs/zh_CN: Add a entry in Chinese glossary Docs/zh_CN: Fix the pfn calculation error in page_tables.rst ... commit 45af52e7d3b8560f21d139b3759735eead8b1653 Author: guoweikang Date: Wed Nov 20 13:27:49 2024 +0800 ftrace: Fix regression with module command in stack_trace_filter When executing the following command: # echo "write*:mod:ext3" > /sys/kernel/tracing/stack_trace_filter The current mod command causes a null pointer dereference. While commit 0f17976568b3f ("ftrace: Fix regression with module command in stack_trace_filter") has addressed part of the issue, it left a corner case unhandled, which still results in a kernel crash. Cc: stable@vger.kernel.org Cc: Masami Hiramatsu Cc: Mark Rutland Cc: Mathieu Desnoyers Link: https://lore.kernel.org/20241120052750.275463-1-guoweikang.kernel@gmail.com Fixes: 04ec7bb642b77 ("tracing: Have the trace_array hold the list of registered func probes"); Signed-off-by: guoweikang Signed-off-by: Steven Rostedt (Google) commit 4217ef9ab763dbf8af2b0ecd3f74c0caa135668c Author: Huacai Chen Date: Fri Nov 15 23:02:25 2024 +0800 drm/amd/display: Allow building DC with clang on LoongArch Clang on LoongArch (18+) appears to be unaffected by the bug causing excessive stack usage in calculate_bandwidth(). But when building DC_FP support the stack frame size can be as large as 2816 bytes, which causes the FRAME_WARN build warnings. So on LoongArch we allow building DC with clang, but disable DC_FP by default. The help message is also updated. Tested-by: Rui Wang Signed-off-by: Huacai Chen Signed-off-by: Alex Deucher commit 2bc96c95070571c6c824e0d4c7783bee25a37876 Author: Zicheng Qu Date: Tue Nov 5 14:01:37 2024 +0000 drm/amd/display: Fix null check for pipe_ctx->plane_state in hwss_setup_dpp This commit addresses a null pointer dereference issue in hwss_setup_dpp(). The issue could occur when pipe_ctx->plane_state is null. The fix adds a check to ensure `pipe_ctx->plane_state` is not null before accessing. This prevents a null pointer dereference. Fixes: 0baae6246307 ("drm/amd/display: Refactor fast update to use new HWSS build sequence") Reviewed-by: Tom Chung Signed-off-by: Zicheng Qu Signed-off-by: Alex Deucher commit 6a057072ddd127255350357dd880903e8fa23f36 Author: Zicheng Qu Date: Tue Nov 5 14:01:36 2024 +0000 drm/amd/display: Fix null check for pipe_ctx->plane_state in dcn20_program_pipe This commit addresses a null pointer dereference issue in dcn20_program_pipe(). Previously, commit 8e4ed3cf1642 ("drm/amd/display: Add null check for pipe_ctx->plane_state in dcn20_program_pipe") partially fixed the null pointer dereference issue. However, in dcn20_update_dchubp_dpp(), the variable pipe_ctx is passed in, and plane_state is accessed again through pipe_ctx. Multiple if statements directly call attributes of plane_state, leading to potential null pointer dereference issues. This patch adds necessary null checks to ensure stability. Fixes: 8e4ed3cf1642 ("drm/amd/display: Add null check for pipe_ctx->plane_state in dcn20_program_pipe") Reviewed-by: Tom Chung Signed-off-by: Zicheng Qu Signed-off-by: Alex Deucher commit 7037bb04265ef05c6ffad56d884b0df76f57b095 Author: Steven 'Steve' Kendall Date: Fri Nov 15 21:17:58 2024 +0000 drm/radeon: Fix spurious unplug event on radeon HDMI On several HP models (tested on HP 3125 and HP Probook 455 G2), spurious unplug events are emitted upon login on Chrome OS. This is likely due to the way Chrome OS restarts graphics upon login, so it's possible it's an issue on other distributions but not as common, though I haven't reproduced the issue elsewhere. Use logic from an earlier version of the merged change (see link below) which iterates over connectors and finds matching encoders, rather than the other way around. Also fixes an issue with screen mirroring on Chrome OS. I've deployed this patch on Fedora and did not observe any regression on these devices. Link: https://gitlab.freedesktop.org/drm/amd/-/issues/1569#note_1603002 Link: https://gitlab.freedesktop.org/drm/amd/-/issues/3771 Fixes: 20ea34710f7b ("drm/radeon: Add HD-audio component notifier support (v6)") Signed-off-by: Steven 'Steve' Kendall Signed-off-by: Alex Deucher commit c3e3c1aac0bf25e0f3f9b1557766fc9b89fb318b Author: Christophe JAILLET Date: Fri Nov 15 18:26:06 2024 +0100 drm/radeon: Constify struct pci_device_id 'struct pci_device_id' is not modified in this driver. Constifying this structure moves some data to a read-only section, so increase overall security. On a x86_64, with allmodconfig: Before: ====== text data bss dec hex filename 11984 28672 44 40700 9efc drivers/gpu/drm/radeon/radeon_drv.o After: ===== text data bss dec hex filename 40000 664 44 40708 9f04 drivers/gpu/drm/radeon/radeon_drv.o Acked-by: Christian König Signed-off-by: Christophe JAILLET Signed-off-by: Alex Deucher commit e283f4fb0862647f4bb02e78d728bc8fb9eef18d Author: Lijo Lazar Date: Fri Nov 15 11:35:50 2024 +0530 drm/amdgpu: Use reset recovery state checks Some in_reset checks are infact checking whether the state is reinitialization after reset. Replace with reset_in_recovery calls to identify that it's really checking for recovery stage after reset. Signed-off-by: Lijo Lazar Acked-by: Tao Zhou Signed-off-by: Alex Deucher commit a86e0c0e94373aebc39c2efedaefc408f6a49fe3 Author: Lijo Lazar Date: Fri Nov 15 11:08:02 2024 +0530 drm/amdgpu: Add init level for post reset reinit When device needs to be reset before initialization, it's not required for all IPs to be initialized before a reset. In such cases, it needs to identify whether the IP/feature is initialized for the first time or whether it's reinitialized after a reset. Add RESET_RECOVERY init level to identify post reset reinitialization phase. This only provides a device level identification, IP/features may choose to track their state independently also. Signed-off-by: Lijo Lazar Acked-by: Tao Zhou Signed-off-by: Alex Deucher commit 6719ab8234ce4b0c0e9aa93aaa94961e5b2bc852 Author: Kenneth Feng Date: Tue Nov 19 11:10:47 2024 +0800 drm/amdgpu/pm: add gen5 display to the user on smu v14.0.2/3 add gen5 display to the user on smu v14.0.2/3 Signed-off-by: Kenneth Feng Reviewed-by: Yang Wang Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org # 6.11.x commit 097c69d46ce01d25b9bd6a680a9c5e1c9e58c1da Author: Victor Zhao Date: Thu Nov 14 17:45:34 2024 +0800 drm/amdkfd: make sure ring buffer is flushed before update wptr In a consecutive packet submission, for example unmap and query status, when CP is reading wptr caused by unmap packet doorbell ring, if in some case CP operates slower (e.g. doorbell_mode=1) and wptr has been updated to next packet (query status), but the query status packet content has not been flushed to memory yet, it will cause CP fetched stalled data. Adding mb to ensure ring buffer has been updated before updating wptr. Also adding a mb to ensure wptr updated before doorbell ring. Signed-off-by: Victor Zhao Reviewed-by: Christian König Signed-off-by: Alex Deucher commit 349af06a3abd0bb3787ee2daf3ac508412fe8dcc Author: Mario Limonciello Date: Mon Nov 18 11:46:11 2024 -0600 drm/amd: Fix initialization mistake for NBIO 7.11 devices There is a strapping issue on NBIO 7.11.x that can lead to spurious PME events while in the D0 state. Cc: stable@vger.kernel.org Reviewed-by: Alex Deucher Link: https://lore.kernel.org/r/20241118174611.10700-2-mario.limonciello@amd.com Signed-off-by: Mario Limonciello Signed-off-by: Alex Deucher commit 902fbbf429b8213232b18de0ddfd5c0f3851cb8f Author: Mario Limonciello Date: Mon Nov 18 11:46:10 2024 -0600 drm/amd: Add some missing straps from NBIO 7.11.0 Earlier ASICs have strap information exported, and this is missing for NBIO 7.11.0. Cc: stable@vger.kernel.org Reviewed-by: Alex Deucher Fixes: ca8c68142ad8 ("drm/amdgpu: add nbio 7.11 registers") Link: https://lore.kernel.org/r/20241118174611.10700-1-mario.limonciello@amd.com Signed-off-by: Mario Limonciello Signed-off-by: Alex Deucher commit 2ae6bdb1e145af0a47253953132decbd2d52f4b2 Author: Dan Carpenter Date: Wed Nov 20 12:15:05 2024 +0300 io_uring/region: return negative -E2BIG in io_create_region() This code accidentally returns positivie E2BIG instead of negative -E2BIG. The callers treat negatives and positives the same so this doesn't affect the kernel. The error code is returned to userspace via the system call. Fixes: dfbbfbf19187 ("io_uring: introduce concept of memory regions") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/d8ea3bef-74d8-4f77-8223-6d36464dd4dc@stanley.mountain Signed-off-by: Jens Axboe commit 1c1929d6ab957f8bd61981154935c283c349d455 Author: Aric Cyr Date: Sun Nov 10 20:09:27 2024 -0500 drm/amd/display: 3.2.310 This version brings along the following: - DC core fixes - DCN35 fix - DCN4+ fixes - DML2 fix - New SPL features Reviewed-by: Alex Hung Signed-off-by: Aric Cyr Signed-off-by: Hamza Mahfooz Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher commit a3e6079bd93d5c66a43bf6a5f90e5b98465dc7b3 Author: Ovidiu Bunea Date: Wed Nov 6 16:25:18 2024 -0500 drm/amd/display: Remove PIPE_DTO_SRC_SEL programming from set_dtbclk_dto There are cases where an OTG is remapped from driving a regular HDMI display to a DP/eDP display. There are also cases where DTBCLK needs to be enabled for HPO, but DTBCLK DTO programming may be done while OTG is still enabled which is dangerous as the PIPE_DTO_SRC_SEL programming may change the pixel clock generator source for a mapped and running OTG and cause it to hang. Remove the PIPE_DTO_SRC_SEL programming from this sequence since it is already done in program_pixel_clk(). Additionally, make sure that program_pixel_clk sets DTBCLK DTO as source for special HDMI cases. Cc: stable@vger.kernel.org # 6.11+ Reviewed-by: Nicholas Kazlauskas Signed-off-by: Ovidiu Bunea Signed-off-by: Hamza Mahfooz Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher commit 1df1d452d24fc8ff05d0a8567a3dbc8def8981b3 Author: Samson Tam Date: Thu Nov 7 19:05:03 2024 -0500 drm/amd/display: allow chroma 1:1 scaling when sharpness is off [Why] SPL code forces taps to 1 when ratio is 1:1 and sharpness is off But for chroma 1:1, need taps > 1 to handle cositing [How] Do not force chroma taps to 1 when ratio is 1:1 for YUV420 Remove 420_CHROMA_BYPASS mode for scaler Reviewed-by: Navid Assadian Signed-off-by: Samson Tam Signed-off-by: Hamza Mahfooz Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher commit c3ea03c2a1557644386e38aaf2b5a9c261e0be1a Author: Austin Zheng Date: Tue Nov 5 10:22:02 2024 -0500 drm/amd/display: Populate Power Profile In Case of Early Return Early return possible if context has no clk_mgr. This will lead to an invalid power profile being returned which looks identical to a profile with the lowest power level. Add back logic that populated the power profile and overwrite the value if needed. Cc: stable@vger.kernel.org Fixes: d016d0dd5a57 ("drm/amd/display: Update Interface to Check UCLK DPM") Reviewed-by: Dillon Varone Signed-off-by: Austin Zheng Signed-off-by: Hamza Mahfooz Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher commit e0179588d6eeb74eb87981c07a405524a1f0a677 Author: Samson Tam Date: Tue Nov 5 10:15:19 2024 -0500 drm/amd/display: add public taps API in SPL [Why] Add public API to obtain number of taps in SPL. [How] Isolate function to calculate recout, ratios and viewport before calculating taps. Call function in both public taps API call and private scaling call. Reviewed-by: Jun Lei Signed-off-by: Samson Tam Signed-off-by: Hamza Mahfooz Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher commit 89713ce5518eda6b370c7a17edbcab4f97a39f68 Author: Dillon Varone Date: Fri Nov 1 10:51:02 2024 -0400 drm/amd/display: Enable Request rate limiter during C-State on dcn401 [WHY] When C-State entry is requested, the rate limiter will be disabled which can result in high contention in the DCHUB return path. [HOW] Enable the rate limiter during C-state requests to prevent contention. Cc: stable@vger.kernel.org # 6.11+ Reviewed-by: Alvin Lee Signed-off-by: Dillon Varone Signed-off-by: Hamza Mahfooz Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher commit 27227a234c1487cb7a684615f0749c455218833a Author: Joshua Aberback Date: Mon Oct 28 17:12:22 2024 -0400 drm/amd/display: Fix handling of plane refcount [Why] The mechanism to backup and restore plane states doesn't maintain refcount, which can cause issues if the refcount of the plane changes in between backup and restore operations, such as memory leaks if the refcount was supposed to go down, or double frees / invalid memory accesses if the refcount was supposed to go up. [How] Cache and re-apply current refcount when restoring plane states. Cc: stable@vger.kernel.org Reviewed-by: Josip Pavic Signed-off-by: Joshua Aberback Signed-off-by: Hamza Mahfooz Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher commit c33a93201ca07119de90e8c952fbdf65920ab55d Author: Chris Park Date: Mon Nov 4 13:18:39 2024 -0500 drm/amd/display: Ignore scalar validation failure if pipe is phantom [Why] There are some pipe scaler validation failure when the pipe is phantom and causes crash in DML validation. Since, scalar parameters are not as important in phantom pipe and we require this plane to do successful MCLK switches, the failure condition can be ignored. [How] Ignore scalar validation failure if the pipe validation is marked as phantom pipe. Cc: stable@vger.kernel.org # 6.11+ Reviewed-by: Dillon Varone Signed-off-by: Chris Park Signed-off-by: Hamza Mahfooz Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher commit 8fef253c94a5312b9150b2ff8e633b331bac7e88 Author: Yihan Zhu Date: Wed Oct 30 16:20:21 2024 -0400 drm/amd/display: update pipe selection policy to check head pipe [Why] No check on head pipe during the dml to dc hw mapping will allow illegal pipe usage. This will result in a wrong pipe topology to cause mpcc tree totally mess up then cause a display hang. [How] Avoid to use the pipe is head in all check and avoid ODM slice during preferred pipe check. Cc: stable@vger.kernel.org Reviewed-by: Nicholas Kazlauskas Signed-off-by: Yihan Zhu Signed-off-by: Hamza Mahfooz Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher commit 6104112693011990a19d971c4c419de6c29adc54 Author: Bhavin Sharma Date: Thu Nov 14 20:41:11 2024 +0530 drm/amd/display: remove redundant is_dsc_possible check Since is_dsc_possible is already checked just above, there's no need to check it again before filling out the DSC settings. Signed-off-by: Bhavin Sharma Signed-off-by: Alex Deucher commit 6ecccc093ec439c04d62b40bda76240389d104a8 Author: Bhavin Sharma Date: Thu Nov 14 20:41:12 2024 +0530 drm/amd/pm: remove redundant tools_size check The check for tools_size being non-zero is redundant as tools_size is explicitly set to a non-zero value (0x19000). Removing the if condition simplifies the code without altering functionality. Signed-off-by: Bhavin Sharma Signed-off-by: Alex Deucher commit 2abf2f7032df4c4e7f6cf7906da59d0e614897d6 Author: Umio Yasuno Date: Thu Nov 14 16:15:27 2024 +0900 drm/amd/pm: update current_socclk and current_uclk in gpu_metrics on smu v13.0.7 These were missed before. Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3751 Signed-off-by: Umio Yasuno Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit 18ab7e88778fdbee3221d6ce8acefe55feaa09d1 Author: Huacai Chen Date: Wed Nov 13 20:51:58 2024 +0800 drm/radeon: Use ttm_bo_move_null() in radeon_bo_move() Since ttm_bo_move_null() is exactly the same as ttm_resource_free() + ttm_bo_assign_mem(), we use ttm_bo_move_null() for the GTT --> SYSTEM move case too. Then the code is more consistent as the SYSTEM --> GTT move case. Acked-by: Christian König Signed-off-by: Huacai Chen Signed-off-by: Alex Deucher commit 466a59abacc6590487faf21bd572d704f7283d47 Author: Asad Kamal Date: Mon Nov 11 21:16:01 2024 +0800 drm/amd/pm: Get xgmi link status for XGMI_v_6_4_0 Get XGMI_v_6_4_0 link status and populate it to metrics v1_7 for SMU_v_13_0_6 v2: Get link status register value for each soc from separate function (Lijo) Signed-off-by: Asad Kamal Reviewed-by: Lijo Lazar Reviewed-by: Yang Wang Signed-off-by: Alex Deucher commit e2259b5a8c2754d9134fa5a92f69a9de75d7536c Author: Asad Kamal Date: Mon Nov 11 20:11:48 2024 +0800 drm/amd/pm: Add gpu_metrics_v1_7 Add new gpu_metrics_v1_7 to acquire xgmi link status, application counter and max vram bandwidth v2: Use gpu_metrics_v1_7 for SMU_v_13_0_6 (Lijo) Signed-off-by: Asad Kamal Reviewed-by: Lijo Lazar Reviewed-by: Yang Wang Signed-off-by: Alex Deucher commit 85270776f65d27b1c9720324745ab7da3ed71b3e Author: Asad Kamal Date: Wed Nov 13 17:17:23 2024 +0800 drm/amd/pm: Update data types used for uapi i/f Update member's data type in amdgpu_xcp_metrics from linux specific to the ones compatible to uapi interface Fixes: 4c07ff7d07f7 ("drm/amd/pm: Add gpu_metrics_v1_6") Signed-off-by: Asad Kamal Reviewed-by: Yang Wang Signed-off-by: Alex Deucher commit b909df18ce2a998afef81d58bbd1a05dc0788c40 Author: Benoît Sevens Date: Wed Nov 20 12:41:44 2024 +0000 ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices A bogus device can provide a bNumConfigurations value that exceeds the initial value used in usb_get_configuration for allocating dev->config. This can lead to out-of-bounds accesses later, e.g. in usb_destroy_configuration. Signed-off-by: Benoît Sevens Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@kernel.org Link: https://patch.msgid.link/20241120124144.3814457-1-bsevens@google.com Signed-off-by: Takashi Iwai commit cc3d0b5dd989d3238d456f9fd385946379a9c13d Author: Kailang Yang Date: Thu Nov 14 15:21:09 2024 +0800 ALSA: hda/realtek: Update ALC256 depop procedure Old procedure has a chance to meet Headphone no output. Fixes: 4a219ef8f370 ("ALSA: hda/realtek - Add ALC256 HP depop function") Signed-off-by: Kailang Yang Link: https://lore.kernel.org/463c5f93715d4714967041a0a8cec28e@realtek.com Signed-off-by: Takashi Iwai commit 0e84b414ca3778fd9308df52241a3617d82c20d2 Author: Pei Xiao Date: Wed Nov 20 14:30:19 2024 +0800 ALSA: ac97: bus: Fix the mistake in the comment Fix mistake in the comment. sound/ac97/bus.c:192: warning: Function parameter or member 'drv' not described in 'snd_ac97_codec_driver_register' sound/ac97/bus.c:192: warning: Excess function parameter 'dev' description in 'snd_ac97_codec_driver_register' sound/ac97/bus.c:205: warning: Function parameter or member 'drv' not described in 'snd_ac97_codec_driver_unregister' sound/ac97/bus.c:205: warning: Excess function parameter 'dev' description in 'snd_ac97_codec_driver_unregister' sound/ac97/bus.c:351: warning: Function parameter or member 'codecs_pdata' not described in 'snd_ac97_controller_register' Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202411180804.FUfdymYO-lkp@intel.com/ Fixes: 74426fbff66e ("ALSA: ac97: add an ac97 bus") Signed-off-by: Pei Xiao Link: https://patch.msgid.link/3990bfc8cd47637908eaa179802c1d91459d829b.1732083924.git.xiaopei01@kylinos.cn Signed-off-by: Takashi Iwai commit a573e404cbf269d46b3a96b18f7316aa57161fdf Author: Mikulas Patocka Date: Mon Nov 18 16:15:20 2024 +0100 dm-verity: remove the unused "data_start" variable Remove the unused "data_start" variable. It is always set to zero and the user can't override it. If the user needs to use some existing offset within a block device, it is possible to use the linear target. Signed-off-by: Mikulas Patocka commit 61a57254a942705ca0a13d71a0b8387b299a65da Author: Mikulas Patocka Date: Mon Nov 18 16:14:27 2024 +0100 dm-bufio: use kmalloc to allocate power-of-two sized buffers Vlastimil Babka said [1] that kmalloc will return a power-of-two-aligned buffer if it was called with a power-of-two size. So, we can use kmalloc instead of our own slab cache in dm-bufio. Note that the code for the slab cache was not removed because dm-bufio supports non-power-of-two buffer sizes. Link: https://lore.kernel.org/linux-mm/e7fca292-7c79-4f97-a90c-d68178d8ca59@suse.cz/ [1] Signed-off-by: Mikulas Patocka commit e74fa2447bf9ed03d085b6d91f0256cc1b53f1a8 Author: Yuan Can Date: Wed Nov 6 09:03:12 2024 +0800 dm thin: Add missing destroy_work_on_stack() This commit add missed destroy_work_on_stack() operations for pw->worker in pool_work_wait(). Fixes: e7a3e871d895 ("dm thin: cleanup noflush_work to use a proper completion") Cc: stable@vger.kernel.org Signed-off-by: Yuan Can Signed-off-by: Mikulas Patocka commit d5f01ace542de62af857fa0bd405cc16f2c45bd6 Author: Benjamin Coddington Date: Thu Oct 31 11:06:48 2024 -0400 dm: add support for get_unique_id This adds support to obtain a device's unique id through dm, similar to the existing ioctl and persistent resevation handling. We limit this to single-target devices. This enables knfsd to export pNFS SCSI luns that have been exported from multipath devices. Signed-off-by: Benjamin Coddington Signed-off-by: Mikulas Patocka Reviewed-by: Christoph Hellwig commit 19ac19e02ffa318e77f6b086b8fb3917da0aa893 Author: Matthew Sakai Date: Wed Oct 2 11:52:33 2024 -0400 dm vdo: fix function doc comment formatting Signed-off-by: Matthew Sakai Signed-off-by: Mikulas Patocka commit 7e976b2b9d0abf36665b8681e7396db2fd6412fc Author: Matthew Sakai Date: Tue Oct 1 18:42:41 2024 -0400 dm vdo int-map: remove unused parameters Remove __always_unused parameters from static functions. Also fix minor formatting issues. Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202407141607.M3E2XQ0Z-lkp@intel.com/ Closes: https://lore.kernel.org/oe-kbuild-all/202409101018.B75pIBKR-lkp@intel.com/ Closes: https://lore.kernel.org/oe-kbuild-all/202410011107.U2xbVLRA-lkp@intel.com/ Signed-off-by: Matthew Sakai Signed-off-by: Mikulas Patocka commit bd7e677c6bc4b577192f96ffeb6f965f2dbc8ecb Author: Susan LeGendre-McGhee Date: Tue Sep 24 12:11:43 2024 -0400 dm-vdo: reset bi_ioprio to the default value when the bio is reset Signed-off-by: Susan LeGendre-McGhee Signed-off-by: Matthew Sakai Signed-off-by: Mikulas Patocka commit 87d76d286c00ae93282b6f1c8d6ed4d973c911f9 Author: Susan LeGendre-McGhee Date: Tue Sep 24 11:46:24 2024 -0400 dm-vdo murmurhash: remove u64 alignment requirement Signed-off-by: Susan LeGendre-McGhee Signed-off-by: Matthew Sakai Signed-off-by: Mikulas Patocka commit 2deb70d3e66d538404d9e71bff236e6d260da66e Author: Ssuhung Yeh Date: Thu Oct 31 18:25:59 2024 +0800 dm: Fix typo in error message Remove the redundant "i" at the beginning of the error message. This "i" came from commit 1c1318866928 ("dm: prefer '"%s...", __func__'"), the "i" is accidentally left. Signed-off-by: Ssuhung Yeh Signed-off-by: Mikulas Patocka Fixes: 1c1318866928 ("dm: prefer '"%s...", __func__'") Cc: stable@vger.kernel.org # v6.3+ commit 51f0659f8777fe8ba9feef26e1d34f18edd1687c Author: Colin Ian King Date: Thu Oct 24 12:04:31 2024 +0100 dm ioctl: rate limit a couple of ioctl based error messages It is possible to spam the kernel log with a misbehaving user process that is passing incorrect dm ioctls to /dev/mapper/control. Use a rate limit on these error messages to reduce the noise. These errors were hit when running the stress-ng's device test. Signed-off-by: Colin Ian King Acked-by: Mike Snitzer Signed-off-by: Mikulas Patocka commit b0e6210e7e616cdd045492576b92417aebcdde99 Author: Dr. David Alan Gilbert Date: Thu Oct 3 02:15:54 2024 +0100 dm vdo: Remove unused uds_compute_index_size uds_compute_index_size() has been unused since it was added in commit b46d79bdb82a ("dm vdo: add deduplication index storage interface") Remove it. Signed-off-by: Dr. David Alan Gilbert Reviewed-by: Matthew Sakai Signed-off-by: Mikulas Patocka commit 295815f679cef55e364b9d44fff9201a373cdefa Author: Dr. David Alan Gilbert Date: Thu Oct 3 02:15:53 2024 +0100 dm vdo: Remove unused functions get_data_vio_pool_active_discards() get_data_vio_pool_discard_limit() get_data_vio_pool_maximum_discards() set_data_vio_pool_discard_limit() are all unused since commit a9da0fb6d8c6 ("dm vdo: remove all sysfs interfaces") Remove them. Signed-off-by: Dr. David Alan Gilbert Reviewed-by: Matthew Sakai Signed-off-by: Mikulas Patocka commit 3571fc2f9d6feb34bd355bd55129712cab41cc03 Author: Dr. David Alan Gilbert Date: Thu Oct 3 02:15:52 2024 +0100 dm: zoned: Remove unused functions dmz_resume_metadata() is unused since it was added in commit 3b1a94c88b79 ("dm zoned: drive-managed zoned block device target") dmz_zone_nr_blocks_shift is unused since it was added in commit 368205601375 ("dm zoned: move fields from struct dmz_dev to dmz_metadata") Remove them. Signed-off-by: Dr. David Alan Gilbert Signed-off-by: Mikulas Patocka commit ad9266118c2bb24437eb5764eb058855f93a60bc Author: Dr. David Alan Gilbert Date: Thu Oct 3 02:15:51 2024 +0100 dm: Remove unused dm_table_bio_based dm_table_bio_based() is unused since commit 29dec90a0f1d ("dm: fix bio_set allocation") Remove it. Signed-off-by: Dr. David Alan Gilbert Signed-off-by: Mikulas Patocka commit feb83afa4e074a67b24811c9c00b688ca5c64b90 Author: Dr. David Alan Gilbert Date: Thu Oct 3 02:15:50 2024 +0100 dm: Remove unused dm_set_md_type dm_set_md_type() has been unused since commit ba30585936b0 ("dm: move setting md->type into dm_setup_md_queue") Remove it. Signed-off-by: Dr. David Alan Gilbert Signed-off-by: Mikulas Patocka commit 047b821ca37d262a4aca3133ced66455272cb03e Author: Dr. David Alan Gilbert Date: Thu Oct 3 02:15:49 2024 +0100 dm cache: Remove unused functions in bio-prison-v1 dm_cache_size() and dm_cache_dump() are unused since commit b29d4986d0da ("dm cache: significant rework to leverage dm-bio-prison-v2") Remove them. Signed-off-by: Dr. David Alan Gilbert Signed-off-by: Mikulas Patocka commit 0153b7965d55478504708a0813cc6fe1f08cc9cd Author: Dr. David Alan Gilbert Date: Thu Oct 3 02:15:48 2024 +0100 dm cache: Remove unused dm_cache_size dm_cache_size() has been unused since the original commit c6b4fcbad044 ("dm: add cache target") Remove it. Signed-off-by: Dr. David Alan Gilbert Signed-off-by: Mikulas Patocka commit 253bacc057bab6424c08a54dfcefc30e00e8d86b Author: Dr. David Alan Gilbert Date: Thu Oct 3 02:15:47 2024 +0100 dm cache: Remove unused dm_cache_dump dm_cache_dump() has been unused since the original commit c6b4fcbad044 ("dm: add cache target") Remove it. Signed-off-by: Dr. David Alan Gilbert Signed-off-by: Mikulas Patocka commit 2133ebea6b0d99e9a6ad5ea3c8df89a8881190e0 Author: Dr. David Alan Gilbert Date: Thu Oct 3 02:15:46 2024 +0100 dm cache: Remove unused btracker_nr_writebacks_queued btracker_nr_writebacks_queued() has been unused since commit 2e63309507c8 ("dm cache policy smq: don't do any writebacks unless IDLE") Remove it. Signed-off-by: Dr. David Alan Gilbert Signed-off-by: Mikulas Patocka commit c8b359dddb418c60df1a69beea01d1b3322bfe83 Author: Vasiliy Kovalev Date: Tue Nov 19 18:58:17 2024 +0300 ovl: Filter invalid inodes with missing lookup function Add a check to the ovl_dentry_weird() function to prevent the processing of directory inodes that lack the lookup function. This is important because such inodes can cause errors in overlayfs when passed to the lowerstack. Reported-by: syzbot+a8c9d476508bd14a90e5@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?extid=a8c9d476508bd14a90e5 Suggested-by: Miklos Szeredi Link: https://lore.kernel.org/linux-unionfs/CAJfpegvx-oS9XGuwpJx=Xe28_jzWx5eRo1y900_ZzWY+=gGzUg@mail.gmail.com/ Signed-off-by: Vasiliy Kovalev Cc: Signed-off-by: Amir Goldstein commit f13242a46438e690067a4bf47068fde4d5719947 Author: Michael Ellerman Date: Sat Nov 16 00:41:14 2024 +1100 selftests/mount_setattr: Fix failures on 64K PAGE_SIZE kernels Currently the mount_setattr_test fails on machines with a 64K PAGE_SIZE, with errors such as: # RUN mount_setattr_idmapped.invalid_fd_negative ... mkfs.ext4: No space left on device while writing out and closing file system # mount_setattr_test.c:1055:invalid_fd_negative:Expected system("mkfs.ext4 -q /mnt/C/ext4.img") (256) == 0 (0) # invalid_fd_negative: Test terminated by assertion # FAIL mount_setattr_idmapped.invalid_fd_negative not ok 12 mount_setattr_idmapped.invalid_fd_negative The code creates a 100,000 byte tmpfs: ASSERT_EQ(mount("testing", "/mnt", "tmpfs", MS_NOATIME | MS_NODEV, "size=100000,mode=700"), 0); And then a little later creates a 2MB ext4 filesystem in that tmpfs: ASSERT_EQ(ftruncate(img_fd, 1024 * 2048), 0); ASSERT_EQ(system("mkfs.ext4 -q /mnt/C/ext4.img"), 0); At first glance it seems like that should never work, after all 2MB is larger than 100,000 bytes. However the filesystem image doesn't actually occupy 2MB on "disk" (actually RAM, due to tmpfs). On 4K kernels the ext4.img uses ~84KB of actual space (according to du), which just fits. However on 64K PAGE_SIZE kernels the ext4.img takes at least 256KB, which is too large to fit in the tmpfs, hence the errors. It seems fraught to rely on the ext4.img taking less space on disk than the allocated size, so instead create the tmpfs with a size of 2MB. With that all 21 tests pass on 64K PAGE_SIZE kernels. Fixes: 01eadc8dd96d ("tests: add mount_setattr() selftests") Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20241115134114.1219555-1-mpe@ellerman.id.au Reviewed-by: Ritesh Harjani (IBM) Signed-off-by: Christian Brauner commit 04337738629e8020c272c0dfcd56b9ae0a55ce98 Author: David Lechner Date: Tue Nov 19 16:27:40 2024 -0600 Input: mpr121 - use devm_regulator_get_enable_read_voltage() We can reduce boilerplate code by using devm_regulator_get_enable_read_voltage(). Reviewed-by: Jonathan Cameron Signed-off-by: David Lechner Link: https://lore.kernel.org/r/20241119-input-mpr121-regulator-get-enable-read-voltage-v3-1-1d8ee5c22f6c@baylibre.com Signed-off-by: Dmitry Torokhov commit 048b3ae0339ef8fe9f11bc59265e5ed0027c948b Author: Wolfram Sang Date: Mon Nov 18 08:29:05 2024 +0100 Input: sun4i-lradc-keys - don't include 'pm_wakeup.h' directly The header clearly states that it does not want to be included directly, only via 'device.h'. 'platform_device.h' works equally well. Remove the direct inclusion. Signed-off-by: Wolfram Sang Link: https://lore.kernel.org/r/20241118072917.3853-7-wsa+renesas@sang-engineering.com Signed-off-by: Dmitry Torokhov commit a39fbef7c411235a5caf48de3c49d4d406fd118b Author: Wolfram Sang Date: Mon Nov 18 08:29:04 2024 +0100 Input: spear-keyboard - don't include 'pm_wakeup.h' directly The header clearly states that it does not want to be included directly, only via 'device.h'. 'platform_device.h' works equally well. Remove the direct inclusion. Signed-off-by: Wolfram Sang Link: https://lore.kernel.org/r/20241118072917.3853-6-wsa+renesas@sang-engineering.com Signed-off-by: Dmitry Torokhov commit 766a71ef65bb217ed8bf1c068ac14c7d3c15d487 Author: Christoph Hellwig Date: Tue Nov 19 17:09:23 2024 +0100 block: return bool from get_disk_ro and bdev_read_only get_disk_ro and bdev_read_only return boolean conditions, don't masquerade them as int. Signed-off-by: Christoph Hellwig Reviewed-by: John Garry Reviewed-by: Martin K. Petersen Reviewed-by: Johannes Thumshirn Link: https://lore.kernel.org/r/20241119160932.1327864-7-hch@lst.de Signed-off-by: Jens Axboe commit e888810bc4f471f85989a0991aff28d2ac9f783b Author: Christoph Hellwig Date: Tue Nov 19 17:09:22 2024 +0100 block: remove a duplicate definition for bdev_read_only bdev_read_only is already defined as an inline function in blkdev.h. Signed-off-by: Christoph Hellwig Reviewed-by: John Garry Reviewed-by: Martin K. Petersen Reviewed-by: Johannes Thumshirn Link: https://lore.kernel.org/r/20241119160932.1327864-6-hch@lst.de Signed-off-by: Jens Axboe commit da77d9b23700708d0d22a4407d32a8755a3596e8 Author: Christoph Hellwig Date: Tue Nov 19 17:09:21 2024 +0100 block: return bool from blk_rq_aligned blk_rq_aligned returns a boolean condition, don't mascquerade it as int. Signed-off-by: Christoph Hellwig Reviewed-by: John Garry Reviewed-by: Martin K. Petersen Reviewed-by: Johannes Thumshirn Link: https://lore.kernel.org/r/20241119160932.1327864-5-hch@lst.de Signed-off-by: Jens Axboe commit e769489a54401d0c89555f7ad8672038b5c2b767 Author: Christoph Hellwig Date: Tue Nov 19 17:09:20 2024 +0100 block: return unsigned int from blk_lim_dma_alignment_and_pad The underlying limits are defined as unsigned int, so return that from blk_lim_dma_alignment_and_pad as well. Signed-off-by: Christoph Hellwig Reviewed-by: John Garry Reviewed-by: Martin K. Petersen Reviewed-by: Johannes Thumshirn Link: https://lore.kernel.org/r/20241119160932.1327864-4-hch@lst.de Signed-off-by: Jens Axboe commit ed5db174cf39374215934f21b04639a7a1513023 Author: Christoph Hellwig Date: Tue Nov 19 17:09:19 2024 +0100 block: return unsigned int from queue_dma_alignment The underlying limit is defined as an unsigned int, so return that from queue_dma_alignment as well. Signed-off-by: Christoph Hellwig Reviewed-by: John Garry Reviewed-by: Martin K. Petersen Reviewed-by: Johannes Thumshirn Link: https://lore.kernel.org/r/20241119160932.1327864-3-hch@lst.de Signed-off-by: Jens Axboe commit 5a9d1b83e5334915c651604648c20a9fc64d47a3 Author: Christoph Hellwig Date: Tue Nov 19 17:09:18 2024 +0100 block: return unsigned int from bdev_io_opt The underlying limit is defined as an unsigned int, so return that from bdev_io_opt as well. Signed-off-by: Christoph Hellwig Reviewed-by: John Garry Reviewed-by: Martin K. Petersen Reviewed-by: Johannes Thumshirn Link: https://lore.kernel.org/r/20241119160932.1327864-2-hch@lst.de Signed-off-by: Jens Axboe commit 81314bfbde9d089fa2318adba54891dfaadb1c05 Author: Christoph Hellwig Date: Tue Nov 19 17:11:51 2024 +0100 block: req->bio is always set in the merge code As smatch, which is a lot smarter than me noticed. So remove the checks for it, and condense these checks a bit including the comments stating the obvious. Reported-by: Dan Carpenter Signed-off-by: Christoph Hellwig Reviewed-by: John Garry Reviewed-by: Martin K. Petersen Reviewed-by: Johannes Thumshirn Link: https://lore.kernel.org/r/20241119161157.1328171-3-hch@lst.de Signed-off-by: Jens Axboe commit 9f8d68283342a48f692f2c02231318bb4a7b207f Author: Christoph Hellwig Date: Tue Nov 19 17:11:50 2024 +0100 block: don't bother checking the data direction for merges Because it already is encoded in the opcode. Signed-off-by: Christoph Hellwig Reviewed-by: John Garry Reviewed-by: Martin K. Petersen Reviewed-by: Johannes Thumshirn Link: https://lore.kernel.org/r/20241119161157.1328171-2-hch@lst.de Signed-off-by: Jens Axboe commit dcbb598e689e30d4636201d35582e167d1b8dfa4 Author: Suraj Sonawane Date: Tue Nov 19 22:14:12 2024 +0530 block: blk-mq: fix uninit-value in blk_rq_prep_clone and refactor Fix an issue detected by the `smatch` tool: block/blk-mq.c:3314 blk_rq_prep_clone() error: uninitialized symbol 'bio'. This patch refactors `blk_rq_prep_clone()` to improve code readability and ensure safety by addressing potential misuse of the `bio` variable: - Move the bio_put(bio); call to the bio_ctr error handling block, which is the only place where it can be triggered. - Move the bio variable into the __rq_for_each_bio loop scope. This change removes the need to set bio to NULL at the loop's end. discussion on why bio remains uninitialized: https://lore.kernel.org/lkml/20241004141037.43277-1-surajsonawane0215@gmail.com Summary of above discussion: - I pointed out that `bio` can remain uninitialized if the allocation with `bio_alloc_clone` fails. - Keith Busch explained that `bio` is initialized to `NULL` when `bio_alloc_clone()` fails, preventing uninitialized usage. - John Garry questioned whether `rq_src->bio` being `NULL` could leave `bio` uninitialized. Keith clarified that in such cases, `bio` is not referenced, so it does not need initialization. - Christoph Hellwig recommended code improvements: - move the bio_put to the bio_ctr error handling, which is the only case where it can happen - move the bio variable into the __rq_for_each_bio scope, which also removed the need to zero it at the end of the loop These changes enhance code clarity, address static analysis tool warnings, and make the function more maintainable. thread of previous version patch discussion: https://lore.kernel.org/lkml/20241004100842.9052-1-surajsonawane0215@gmail.com Signed-off-by: Suraj Sonawane Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/20241119164412.37609-1-surajsonawane0215@gmail.com Signed-off-by: Jens Axboe commit cf5a60d971c7b59efb89927919404be655a9e35a Author: Zach Wade Date: Tue Nov 19 23:34:10 2024 +0800 Revert "block, bfq: merge bfq_release_process_ref() into bfq_put_cooperator()" This reverts commit bc3b1e9e7c50e1de0f573eea3871db61dd4787de. The bic is associated with sync_bfqq, and bfq_release_process_ref cannot be put into bfq_put_cooperator. kasan report: [ 400.347277] ================================================================== [ 400.347287] BUG: KASAN: slab-use-after-free in bic_set_bfqq+0x200/0x230 [ 400.347420] Read of size 8 at addr ffff88881cab7d60 by task dockerd/5800 [ 400.347430] [ 400.347436] CPU: 24 UID: 0 PID: 5800 Comm: dockerd Kdump: loaded Tainted: G E 6.12.0 #32 [ 400.347450] Tainted: [E]=UNSIGNED_MODULE [ 400.347454] Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.20192059.B64.2207280713 07/28/2022 [ 400.347460] Call Trace: [ 400.347464] [ 400.347468] dump_stack_lvl+0x5d/0x80 [ 400.347490] print_report+0x174/0x505 [ 400.347521] kasan_report+0xe0/0x160 [ 400.347541] bic_set_bfqq+0x200/0x230 [ 400.347549] bfq_bic_update_cgroup+0x419/0x740 [ 400.347560] bfq_bio_merge+0x133/0x320 [ 400.347584] blk_mq_submit_bio+0x1761/0x1e20 [ 400.347625] __submit_bio+0x28b/0x7b0 [ 400.347664] submit_bio_noacct_nocheck+0x6b2/0xd30 [ 400.347690] iomap_readahead+0x50c/0x680 [ 400.347731] read_pages+0x17f/0x9c0 [ 400.347785] page_cache_ra_unbounded+0x366/0x4a0 [ 400.347795] filemap_fault+0x83d/0x2340 [ 400.347819] __xfs_filemap_fault+0x11a/0x7d0 [xfs] [ 400.349256] __do_fault+0xf1/0x610 [ 400.349270] do_fault+0x977/0x11a0 [ 400.349281] __handle_mm_fault+0x5d1/0x850 [ 400.349314] handle_mm_fault+0x1f8/0x560 [ 400.349324] do_user_addr_fault+0x324/0x970 [ 400.349337] exc_page_fault+0x76/0xf0 [ 400.349350] asm_exc_page_fault+0x26/0x30 [ 400.349360] RIP: 0033:0x55a480d77375 [ 400.349384] Code: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 49 3b 66 10 0f 86 ae 02 00 00 55 48 89 e5 48 83 ec 58 48 8b 10 <83> 7a 10 00 0f 84 27 02 00 00 44 0f b6 42 28 44 0f b6 4a 29 41 80 [ 400.349392] RSP: 002b:00007f18c37fd8b8 EFLAGS: 00010216 [ 400.349401] RAX: 00007f18c37fd9d0 RBX: 0000000000000000 RCX: 0000000000000000 [ 400.349407] RDX: 000055a484407d38 RSI: 000000c000e8b0c0 RDI: 0000000000000000 [ 400.349412] RBP: 00007f18c37fd910 R08: 000055a484017f60 R09: 000055a484066f80 [ 400.349417] R10: 0000000000194000 R11: 0000000000000005 R12: 0000000000000008 [ 400.349422] R13: 0000000000000000 R14: 000000c000476a80 R15: 0000000000000000 [ 400.349430] [ 400.349452] [ 400.349454] Allocated by task 5800: [ 400.349459] kasan_save_stack+0x30/0x50 [ 400.349469] kasan_save_track+0x14/0x30 [ 400.349475] __kasan_slab_alloc+0x89/0x90 [ 400.349482] kmem_cache_alloc_node_noprof+0xdc/0x2a0 [ 400.349492] bfq_get_queue+0x1ef/0x1100 [ 400.349502] __bfq_get_bfqq_handle_split+0x11a/0x510 [ 400.349511] bfq_insert_requests+0xf55/0x9030 [ 400.349519] blk_mq_flush_plug_list+0x446/0x14c0 [ 400.349527] __blk_flush_plug+0x27c/0x4e0 [ 400.349534] blk_finish_plug+0x52/0xa0 [ 400.349540] _xfs_buf_ioapply+0x739/0xc30 [xfs] [ 400.350246] __xfs_buf_submit+0x1b2/0x640 [xfs] [ 400.350967] xfs_buf_read_map+0x306/0xa20 [xfs] [ 400.351672] xfs_trans_read_buf_map+0x285/0x7d0 [xfs] [ 400.352386] xfs_imap_to_bp+0x107/0x270 [xfs] [ 400.353077] xfs_iget+0x70d/0x1eb0 [xfs] [ 400.353786] xfs_lookup+0x2ca/0x3a0 [xfs] [ 400.354506] xfs_vn_lookup+0x14e/0x1a0 [xfs] [ 400.355197] __lookup_slow+0x19c/0x340 [ 400.355204] lookup_one_unlocked+0xfc/0x120 [ 400.355211] ovl_lookup_single+0x1b3/0xcf0 [overlay] [ 400.355255] ovl_lookup_layer+0x316/0x490 [overlay] [ 400.355295] ovl_lookup+0x844/0x1fd0 [overlay] [ 400.355351] lookup_one_qstr_excl+0xef/0x150 [ 400.355357] do_unlinkat+0x22a/0x620 [ 400.355366] __x64_sys_unlinkat+0x109/0x1e0 [ 400.355375] do_syscall_64+0x82/0x160 [ 400.355384] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 400.355393] [ 400.355395] Freed by task 5800: [ 400.355400] kasan_save_stack+0x30/0x50 [ 400.355407] kasan_save_track+0x14/0x30 [ 400.355413] kasan_save_free_info+0x3b/0x70 [ 400.355422] __kasan_slab_free+0x4f/0x70 [ 400.355429] kmem_cache_free+0x176/0x520 [ 400.355438] bfq_put_queue+0x67e/0x980 [ 400.355447] bfq_bic_update_cgroup+0x407/0x740 [ 400.355454] bfq_bio_merge+0x133/0x320 [ 400.355460] blk_mq_submit_bio+0x1761/0x1e20 [ 400.355467] __submit_bio+0x28b/0x7b0 [ 400.355473] submit_bio_noacct_nocheck+0x6b2/0xd30 [ 400.355480] iomap_readahead+0x50c/0x680 [ 400.355490] read_pages+0x17f/0x9c0 [ 400.355498] page_cache_ra_unbounded+0x366/0x4a0 [ 400.355505] filemap_fault+0x83d/0x2340 [ 400.355514] __xfs_filemap_fault+0x11a/0x7d0 [xfs] [ 400.356204] __do_fault+0xf1/0x610 [ 400.356213] do_fault+0x977/0x11a0 [ 400.356221] __handle_mm_fault+0x5d1/0x850 [ 400.356230] handle_mm_fault+0x1f8/0x560 [ 400.356238] do_user_addr_fault+0x324/0x970 [ 400.356248] exc_page_fault+0x76/0xf0 [ 400.356258] asm_exc_page_fault+0x26/0x30 [ 400.356266] [ 400.356269] The buggy address belongs to the object at ffff88881cab7bc0 which belongs to the cache bfq_queue of size 576 [ 400.356276] The buggy address is located 416 bytes inside of freed 576-byte region [ffff88881cab7bc0, ffff88881cab7e00) [ 400.356285] [ 400.356287] The buggy address belongs to the physical page: [ 400.356292] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88881cab0b00 pfn:0x81cab0 [ 400.356300] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 400.356323] flags: 0x50000000000040(head|node=1|zone=2) [ 400.356331] page_type: f5(slab) [ 400.356340] raw: 0050000000000040 ffff88880a00c280 dead000000000122 0000000000000000 [ 400.356347] raw: ffff88881cab0b00 00000000802e0025 00000001f5000000 0000000000000000 [ 400.356354] head: 0050000000000040 ffff88880a00c280 dead000000000122 0000000000000000 [ 400.356359] head: ffff88881cab0b00 00000000802e0025 00000001f5000000 0000000000000000 [ 400.356365] head: 0050000000000003 ffffea002072ac01 ffffffffffffffff 0000000000000000 [ 400.356370] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 [ 400.356378] page dumped because: kasan: bad access detected [ 400.356381] [ 400.356383] Memory state around the buggy address: [ 400.356387] ffff88881cab7c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 400.356392] ffff88881cab7c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 400.356397] >ffff88881cab7d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 400.356400] ^ [ 400.356405] ffff88881cab7d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 400.356409] ffff88881cab7e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 400.356413] ================================================================== Cc: stable@vger.kernel.org Fixes: bc3b1e9e7c50 ("block, bfq: merge bfq_release_process_ref() into bfq_put_cooperator()") Signed-off-by: Zach Wade Cc: Ding Hui Reviewed-by: Yu Kuai Link: https://lore.kernel.org/r/20241119153410.2546-1-zachwade.k@gmail.com Signed-off-by: Jens Axboe commit bf9aa14fc523d2763fc9a10672a709224e8fcaf4 Merge: 035238752319a5 cdc905d16b0798 Author: Linus Torvalds Date: Tue Nov 19 16:35:06 2024 -0800 Merge tag 'timers-core-2024-11-18' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull timer updates from Thomas Gleixner: "A rather large update for timekeeping and timers: - The final step to get rid of auto-rearming posix-timers posix-timers are currently auto-rearmed by the kernel when the signal of the timer is ignored so that the timer signal can be delivered once the corresponding signal is unignored. This requires to throttle the timer to prevent a DoS by small intervals and keeps the system pointlessly out of low power states for no value. This is a long standing non-trivial problem due to the lock order of posix-timer lock and the sighand lock along with life time issues as the timer and the sigqueue have different life time rules. Cure this by: - Embedding the sigqueue into the timer struct to have the same life time rules. Aside of that this also avoids the lookup of the timer in the signal delivery and rearm path as it's just a always valid container_of() now. - Queuing ignored timer signals onto a seperate ignored list. - Moving queued timer signals onto the ignored list when the signal is switched to SIG_IGN before it could be delivered. - Walking the ignored list when SIG_IGN is lifted and requeue the signals to the actual signal lists. This allows the signal delivery code to rearm the timer. This also required to consolidate the signal delivery rules so they are consistent across all situations. With that all self test scenarios finally succeed. - Core infrastructure for VFS multigrain timestamping This is required to allow the kernel to use coarse grained time stamps by default and switch to fine grained time stamps when inode attributes are actively observed via getattr(). These changes have been provided to the VFS tree as well, so that the VFS specific infrastructure could be built on top. - Cleanup and consolidation of the sleep() infrastructure - Move all sleep and timeout functions into one file - Rework udelay() and ndelay() into proper documented inline functions and replace the hardcoded magic numbers by proper defines. - Rework the fsleep() implementation to take the reality of the timer wheel granularity on different HZ values into account. Right now the boundaries are hard coded time ranges which fail to provide the requested accuracy on different HZ settings. - Update documentation for all sleep/timeout related functions and fix up stale documentation links all over the place - Fixup a few usage sites - Rework of timekeeping and adjtimex(2) to prepare for multiple PTP clocks A system can have multiple PTP clocks which are participating in seperate and independent PTP clock domains. So far the kernel only considers the PTP clock which is based on CLOCK TAI relevant as that's the clock which drives the timekeeping adjustments via the various user space daemons through adjtimex(2). The non TAI based clock domains are accessible via the file descriptor based posix clocks, but their usability is very limited. They can't be accessed fast as they always go all the way out to the hardware and they cannot be utilized in the kernel itself. As Time Sensitive Networking (TSN) gains traction it is required to provide fast user and kernel space access to these clocks. The approach taken is to utilize the timekeeping and adjtimex(2) infrastructure to provide this access in a similar way how the kernel provides access to clock MONOTONIC, REALTIME etc. Instead of creating a duplicated infrastructure this rework converts timekeeping and adjtimex(2) into generic functionality which operates on pointers to data structures instead of using static variables. This allows to provide time accessors and adjtimex(2) functionality for the independent PTP clocks in a subsequent step. - Consolidate hrtimer initialization hrtimers are set up by initializing the data structure and then seperately setting the callback function for historical reasons. That's an extra unnecessary step and makes Rust support less straight forward than it should be. Provide a new set of hrtimer_setup*() functions and convert the core code and a few usage sites of the less frequently used interfaces over. The bulk of the htimer_init() to hrtimer_setup() conversion is already prepared and scheduled for the next merge window. - Drivers: - Ensure that the global timekeeping clocksource is utilizing the cluster 0 timer on MIPS multi-cluster systems. Otherwise CPUs on different clusters use their cluster specific clocksource which is not guaranteed to be synchronized with other clusters. - Mostly boring cleanups, fixes, improvements and code movement" * tag 'timers-core-2024-11-18' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (140 commits) posix-timers: Fix spurious warning on double enqueue versus do_exit() clocksource/drivers/arm_arch_timer: Use of_property_present() for non-boolean properties clocksource/drivers/gpx: Remove redundant casts clocksource/drivers/timer-ti-dm: Fix child node refcount handling dt-bindings: timer: actions,owl-timer: convert to YAML clocksource/drivers/ralink: Add Ralink System Tick Counter driver clocksource/drivers/mips-gic-timer: Always use cluster 0 counter as clocksource clocksource/drivers/timer-ti-dm: Don't fail probe if int not found clocksource/drivers:sp804: Make user selectable clocksource/drivers/dw_apb: Remove unused dw_apb_clockevent functions hrtimers: Delete hrtimer_init_on_stack() alarmtimer: Switch to use hrtimer_setup() and hrtimer_setup_on_stack() io_uring: Switch to use hrtimer_setup_on_stack() sched/idle: Switch to use hrtimer_setup_on_stack() hrtimers: Delete hrtimer_init_sleeper_on_stack() wait: Switch to use hrtimer_setup_sleeper_on_stack() timers: Switch to use hrtimer_setup_sleeper_on_stack() net: pktgen: Switch to use hrtimer_setup_sleeper_on_stack() futex: Switch to use hrtimer_setup_sleeper_on_stack() fs/aio: Switch to use hrtimer_setup_sleeper_on_stack() ... commit 9ee62c33c0fe017ee02501a877f6f562363122fa Author: Sean Christopherson Date: Mon Nov 18 09:20:02 2024 -0800 KVM: x86: Break CONFIG_KVM_X86's direct dependency on KVM_INTEL || KVM_AMD Rework CONFIG_KVM_X86's dependency to only check if KVM_INTEL or KVM_AMD is selected, i.e. not 'n'. Having KVM_X86 depend directly on the vendor modules results in KVM_X86 being set to 'm' if at least one of KVM_INTEL or KVM_AMD is enabled, but neither is 'y', regardless of the value of KVM itself. The documentation for def_tristate doesn't explicitly state that this is the intended behavior, but it does clearly state that the "if" section is parsed as a dependency, i.e. the behavior is consistent with how tristate dependencies are handled in general. Optionally dependencies for this default value can be added with "if". Fixes: ea4290d77bda ("KVM: x86: leave kvm.ko out of the build if no vendor module is requested") Cc: stable@vger.kernel.org Signed-off-by: Sean Christopherson Message-ID: <20241118172002.1633824-3-seanjc@google.com> Signed-off-by: Paolo Bonzini commit 1331343af6f502aecd274d522dd34bf7c965f484 Author: Arnd Bergmann Date: Mon Nov 18 09:20:01 2024 -0800 KVM: x86: add back X86_LOCAL_APIC dependency Enabling KVM now causes a build failure on x86-32 if X86_LOCAL_APIC is disabled: arch/x86/kvm/svm/svm.c: In function 'svm_emergency_disable_virtualization_cpu': arch/x86/kvm/svm/svm.c:597:9: error: 'kvm_rebooting' undeclared (first use in this function); did you mean 'kvm_irq_routing'? 597 | kvm_rebooting = true; | ^~~~~~~~~~~~~ | kvm_irq_routing arch/x86/kvm/svm/svm.c:597:9: note: each undeclared identifier is reported only once for each function it appears in make[6]: *** [scripts/Makefile.build:221: arch/x86/kvm/svm/svm.o] Error 1 In file included from include/linux/rculist.h:11, from include/linux/hashtable.h:14, from arch/x86/kvm/svm/avic.c:18: arch/x86/kvm/svm/avic.c: In function 'avic_pi_update_irte': arch/x86/kvm/svm/avic.c:909:38: error: 'struct kvm' has no member named 'irq_routing' 909 | irq_rt = srcu_dereference(kvm->irq_routing, &kvm->irq_srcu); | ^~ include/linux/rcupdate.h:538:17: note: in definition of macro '__rcu_dereference_check' 538 | typeof(*p) *local = (typeof(*p) *__force)READ_ONCE(p); \ Move the dependency to the same place as before. Fixes: ea4290d77bda ("KVM: x86: leave kvm.ko out of the build if no vendor module is requested") Cc: stable@vger.kernel.org Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202410060426.e9Xsnkvi-lkp@intel.com/ Signed-off-by: Arnd Bergmann Acked-by: Sean Christopherson [sean: add Cc to stable, tweak shortlog scope] Signed-off-by: Sean Christopherson Message-ID: <20241118172002.1633824-2-seanjc@google.com> Signed-off-by: Paolo Bonzini commit 85434c3c73fcad58870016ddfe5eaa5036672675 Author: Sean Christopherson Date: Mon Nov 18 17:14:33 2024 -0800 Revert "KVM: VMX: Move LOAD_IA32_PERF_GLOBAL_CTRL errata handling out of setup_vmcs_config()" Revert back to clearing VM_{ENTRY,EXIT}_LOAD_IA32_PERF_GLOBAL_CTRL in KVM's golden VMCS config, as applying the workaround during vCPU creation is pointless and broken. KVM *unconditionally* clears the controls in the values returned by vmx_vmentry_ctrl() and vmx_vmexit_ctrl(), as KVM loads PERF_GLOBAL_CTRL if and only if its necessary to do so. E.g. if KVM wants to run the guest with the same PERF_GLOBAL_CTRL as the host, then there's no need to re-load the MSR on entry and exit. Even worse, the buggy commit failed to apply the erratum where it's actually needed, add_atomic_switch_msr(). As a result, KVM completely ignores the erratum for all intents and purposes, i.e. uses the flawed VMCS controls to load PERF_GLOBAL_CTRL. To top things off, the patch was intended to be dropped, as the premise of an L1 VMM being able to pivot on FMS is flawed, and KVM can (and now does) fully emulate the controls in software. Simply revert the commit, as all upstream supported kernels that have the buggy commit should also have commit f4c93d1a0e71 ("KVM: nVMX: Always emulate PERF_GLOBAL_CTRL VM-Entry/VM-Exit controls"), i.e. the (likely theoretical) live migration concern is a complete non-issue. Opportunistically drop the manual "kvm: " scope from the warning about the erratum, as KVM now uses pr_fmt() to provide the correct scope (v6.1 kernels and earlier don't, but the erratum only applies to CPUs that are 15+ years old; it's not worth a separate patch). This reverts commit 9d78d6fb186bc4aff41b5d6c4726b76649d3cb53. Link: https://lore.kernel.org/all/YtnZmCutdd5tpUmz@google.com Fixes: 9d78d6fb186b ("KVM: VMX: Move LOAD_IA32_PERF_GLOBAL_CTRL errata handling out of setup_vmcs_config()") Cc: stable@vger.kernel.org Cc: Vitaly Kuznetsov Cc: Maxim Levitsky Signed-off-by: Sean Christopherson Reviewed-by: Vitaly Kuznetsov Message-ID: <20241119011433.1797921-1-seanjc@google.com> Signed-off-by: Paolo Bonzini commit 035238752319a58244d86facd442c5f40b0e97e2 Merge: 5c2b050848337f 7fa3c36ea2707c Author: Linus Torvalds Date: Tue Nov 19 16:09:13 2024 -0800 Merge tag 'timers-vdso-2024-11-18' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull vdso data page handling updates from Thomas Gleixner: "First steps of consolidating the VDSO data page handling. The VDSO data page handling is architecture specific for historical reasons, but there is no real technical reason to do so. Aside of that VDSO data has become a dump ground for various mechanisms and fail to provide a clear separation of the functionalities. Clean this up by: - consolidating the VDSO page data by getting rid of architecture specific warts especially in x86 and PowerPC. - removing the last includes of header files which are pulling in other headers outside of the VDSO namespace. - seperating timekeeping and other VDSO data accordingly. Further consolidation of the VDSO page handling is done in subsequent changes scheduled for the next merge window. This also lays the ground for expanding the VDSO time getters for independent PTP clocks in a generic way without making every architecture add support seperately" * tag 'timers-vdso-2024-11-18' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (42 commits) x86/vdso: Add missing brackets in switch case vdso: Rename struct arch_vdso_data to arch_vdso_time_data powerpc: Split systemcfg struct definitions out from vdso powerpc: Split systemcfg data out of vdso data page powerpc: Add kconfig option for the systemcfg page powerpc/pseries/lparcfg: Use num_possible_cpus() for potential processors powerpc/pseries/lparcfg: Fix printing of system_active_processors powerpc/procfs: Propagate error of remap_pfn_range() powerpc/vdso: Remove offset comment from 32bit vdso_arch_data x86/vdso: Split virtual clock pages into dedicated mapping x86/vdso: Delete vvar.h x86/vdso: Access vdso data without vvar.h x86/vdso: Move the rng offset to vsyscall.h x86/vdso: Access rng vdso data without vvar.h x86/vdso: Access timens vdso data without vvar.h x86/vdso: Allocate vvar page from C code x86/vdso: Access rng data from kernel without vvar x86/vdso: Place vdso_data at beginning of vvar page x86/vdso: Use __arch_get_vdso_data() to access vdso data x86/mm/mmap: Remove arch_vma_name() ... commit 5c2b050848337f393011ee7fcd2e9f2663eec40d Merge: fb1dd1403c7b22 1f181d1cda56c2 Author: Linus Torvalds Date: Tue Nov 19 15:54:19 2024 -0800 Merge tag 'irq-core-2024-11-18' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull interrupt subsystem updates from Thomas Gleixner: "Tree wide: - Make nr_irqs static to the core code and provide accessor functions to remove existing and prevent future aliasing problems with local variables or function arguments of the same name. Core code: - Prevent freeing an interrupt in the devres code which is not managed by devres in the first place. - Use seq_put_decimal_ull_width() for decimal values output in /proc/interrupts which increases performance significantly as it avoids parsing the format strings over and over. - Optimize raising the timer and hrtimer soft interrupts by using the 'set bit only' variants instead of the combined version which checks whether ksoftirqd should be woken up. The latter is a pointless exercise as both soft interrupts are raised in the context of the timer interrupt and therefore never wake up ksoftirqd. - Delegate timer/hrtimer soft interrupt processing to a dedicated thread on RT. Timer and hrtimer soft interrupts are always processed in ksoftirqd on RT enabled kernels. This can lead to high latencies when other soft interrupts are delegated to ksoftirqd as well. The separate thread allows to run them seperately under a RT scheduling policy to reduce the latency overhead. Drivers: - New drivers or extensions of existing drivers to support Renesas RZ/V2H(P), Aspeed AST27XX, T-HEAD C900 and ATMEL sam9x7 interrupt chips - Support for multi-cluster GICs on MIPS. MIPS CPUs can come with multiple CPU clusters, where each CPU cluster has its own GIC (Generic Interrupt Controller). This requires to access the GIC of a remote cluster through a redirect register block. This is encapsulated into a set of helper functions to keep the complexity out of the actual code paths which handle the GIC details. - Support for encrypted guests in the ARM GICV3 ITS driver The ITS page needs to be shared with the hypervisor and therefore must be decrypted. - Small cleanups and fixes all over the place" * tag 'irq-core-2024-11-18' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (50 commits) irqchip/riscv-aplic: Prevent crash when MSI domain is missing genirq/proc: Use seq_put_decimal_ull_width() for decimal values softirq: Use a dedicated thread for timer wakeups on PREEMPT_RT. timers: Use __raise_softirq_irqoff() to raise the softirq. hrtimer: Use __raise_softirq_irqoff() to raise the softirq riscv: defconfig: Enable T-HEAD C900 ACLINT SSWI drivers irqchip: Add T-HEAD C900 ACLINT SSWI driver dt-bindings: interrupt-controller: Add T-HEAD C900 ACLINT SSWI device irqchip/stm32mp-exti: Use of_property_present() for non-boolean properties irqchip/mips-gic: Fix selection of GENERIC_IRQ_EFFECTIVE_AFF_MASK irqchip/mips-gic: Prevent indirect access to clusters without CPU cores irqchip/mips-gic: Multi-cluster support irqchip/mips-gic: Setup defaults in each cluster irqchip/mips-gic: Support multi-cluster in for_each_online_cpu_gic() irqchip/mips-gic: Replace open coded online CPU iterations genirq/irqdesc: Use str_enabled_disabled() helper in wakeup_show() genirq/devres: Don't free interrupt which is not managed by devres irqchip/gic-v3-its: Fix over allocation in itt_alloc_pool() irqchip/aspeed-intc: Add AST27XX INTC support dt-bindings: interrupt-controller: Add support for ASPEED AST27XX INTC ... commit fb1dd1403c7b2219b8c1524c909938bd4b3f401f Merge: a5c93bfec0beca ff8d523cc4520a Author: Linus Torvalds Date: Tue Nov 19 15:20:04 2024 -0800 Merge tag 'core-debugobjects-2024-11-18' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull debugobjects updates from Thomas Gleixner: - Prevent destroying the kmem_cache on early failure. Destroying a kmem_cache requires work queues to be set up, but in the early failure case they are not yet initializated. So rather leak the cache instead of triggering a BUG. - Reduce parallel pool fill attempts. Refilling the object pool requires to take the global pool lock, which causes a massive performance issue when a large number of CPUs attempt to refill concurrently. It turns out that it's sufficient to let one CPU handle the refill from the to free list and in case there are not enough objects on it to allocate new objects from the kmem cache. This also splits the free list handling from the actual allocation path as that yields better results on RT where allocation is restricted to preemptible code paths. The refill from free list has no such restrictions. - Consolidate the global and the per CPU pools to use the same data structure, so all helper functions can be shared. - Simplify the object allocation/free logic. The allocation/free logic is an incomprehensible maze, which tries to utilize the to free list and the global pool in the best way. This all can be simplified into a straight forward comprehensible code flow. - Convert the allocation/free mechanism to batch mode. Transferring objects from the global pool to the per CPU pools or vice versa is done by walking the hlist and moving object by object. That not only increases the pool lock held time, it also dirties up to 17 cache lines. This can be avoided by storing the pointer to the first object in a batch of 16 objects in the objects themself and propagate it through the batch when an object is enqueued into a pool or to a temporary hlist head on allocation. This allows to move batches of objects with at max four cache lines dirtied and reduces the pool lock held time and therefore contention significantly. - Improve the object reusage The current implementation is too agressively freeing unused objects, which is counterproductive on bursty workloads like a kernel compile. Address this by: * increasing the per CPU pool size * refilling the per CPU pool from the to be freed pool when the per CPU pool emptied a batch * keeping track of object usage with a exponentially wheighted moving average which prevents the work queue callback to free objects prematuraly. This combined reduces the allocation/free rate for a full kernel compile significantly: kmem_cache_alloc() kmem_cache_free() Baseline: 380k 330k Improved: 170k 117k - A few cleanups and a more cache line friendly layout of debug information on top. * tag 'core-debugobjects-2024-11-18' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (25 commits) debugobjects: Track object usage to avoid premature freeing of objects debugobjects: Refill per CPU pool more agressively debugobjects: Double the per CPU slots debugobjects: Move pool statistics into global_pool struct debugobjects: Implement batch processing debugobjects: Prepare kmem_cache allocations for batching debugobjects: Prepare for batching debugobjects: Use static key for boot pool selection debugobjects: Rework free_object_work() debugobjects: Rework object freeing debugobjects: Rework object allocation debugobjects: Move min/max count into pool struct debugobjects: Rename and tidy up per CPU pools debugobjects: Use separate list head for boot pool debugobjects: Move pools into a datastructure debugobjects: Reduce parallel pool fill attempts debugobjects: Make debug_objects_enabled bool debugobjects: Provide and use free_object_list() debugobjects: Remove pointless debug printk debugobjects: Reuse put_objects() on OOM ... commit a5c93bfec0beca4435d1995bc3ff2ac003fe7552 Merge: 89c45f3823d05f 7e33001b8b9a78 Author: Linus Torvalds Date: Tue Nov 19 14:48:31 2024 -0800 Merge tag 'x86-mm-2024-11-18' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 mm updates from Ingo Molnar: - Put cpumask_test_cpu() check in switch_mm_irqs_off() under CONFIG_DEBUG_VM, to micro-optimize the context-switching code (Rik van Riel) - Add missing details in virtual memory layout (Kirill A. Shutemov) * tag 'x86-mm-2024-11-18' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/mm/tlb: Put cpumask_test_cpu() check in switch_mm_irqs_off() under CONFIG_DEBUG_VM x86/mm/doc: Add missing details in virtual memory layout commit 89c45f3823d05fae1896ee2d1adb6926ab6be3c2 Merge: 0892d742132e09 97ecb260d9c19a Author: Linus Torvalds Date: Tue Nov 19 14:46:39 2024 -0800 Merge tag 'x86-cleanups-2024-11-18' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 cleanups from Ingo Molnar: - x86/boot: Remove unused function atou() (Dr. David Alan Gilbert) - x86/cpu: Use str_yes_no() helper in show_cpuinfo_misc() (Thorsten Blum) - x86/platform: Switch back to struct platform_driver::remove() (Uwe Kleine-König) * tag 'x86-cleanups-2024-11-18' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/boot: Remove unused function atou() x86/cpu: Use str_yes_no() helper in show_cpuinfo_misc() x86/platform: Switch back to struct platform_driver::remove() commit 0892d742132e09e132a501d3f54428f8ffd4b2b5 Merge: 3f020399e4f1c6 408eb7417a92c5 Author: Linus Torvalds Date: Tue Nov 19 14:34:02 2024 -0800 Merge tag 'x86-splitlock-2024-11-18' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 splitlock updates from Ingo Molnar: - Move Split and Bus lock code to a dedicated file (Ravi Bangoria) - Add split/bus lock support for AMD (Ravi Bangoria) * tag 'x86-splitlock-2024-11-18' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/bus_lock: Add support for AMD x86/split_lock: Move Split and Bus lock code to a dedicated file commit 62adcae479fe5bc04fa3b6c3f93bd340441f8b25 Author: Thomas Weißschuh Date: Mon Nov 11 06:29:20 2024 +0100 kunit: qemu_configs: loongarch: Enable shutdown QEMU for LoongArch does not yet support shutdown/restart through ACPI. Use the pvpanic driver to enable shutdowns. This requires 9.1.0 for shutdown support in pvpanic, but that is the requirement of kunit on LoongArch anyways. Link: https://lore.kernel.org/r/20241111-kunit-loongarch-v2-3-7676eb5f2da3@linutronix.de Signed-off-by: Thomas Weißschuh Reviewed-by: Bibo Mao Reviewed-by: David Gow Signed-off-by: Shuah Khan commit 0a1111d4cbaf45100e30ebd98d1e1a175b8ce22d Author: Thomas Weißschuh Date: Mon Nov 11 06:29:19 2024 +0100 kunit: tool: Allow overriding the shutdown mode from qemu config Not all platforms support machine reboot. If it a proper reboot is not supported the machine will hang. Allow the QEMU configuration to override the necessary shutdown mode for the specific system under test. Link: https://lore.kernel.org/r/20241111-kunit-loongarch-v2-2-7676eb5f2da3@linutronix.de Signed-off-by: Thomas Weißschuh Reviewed-by: David Gow Signed-off-by: Shuah Khan commit d28252440428d37076de166c3d576a5d2f4a53e8 Author: Thomas Weißschuh Date: Mon Nov 11 06:29:18 2024 +0100 kunit: qemu_configs: Add LoongArch config Add a basic config to run kunit tests on LoongArch. This requires QEMU 9.1.0 or later for the necessary direct kernel boot support. Link: https://lore.kernel.org/r/20241111-kunit-loongarch-v2-1-7676eb5f2da3@linutronix.de Signed-off-by: Thomas Weißschuh Reviewed-by: Bibo Mao Reviewed-by: David Gow Signed-off-by: Shuah Khan commit 95b6d723a00710f129b81556c93fdd994c105ab1 Author: Kuan-Wei Chiu Date: Fri Nov 15 00:55:58 2024 +0800 kunit: debugfs: Use IS_ERR() for alloc_string_stream() error check The alloc_string_stream() function only returns ERR_PTR(-ENOMEM) on failure and never returns NULL. Therefore, switching the error check in the caller from IS_ERR_OR_NULL to IS_ERR improves clarity, indicating that this function will return an error pointer (not NULL) when an error occurs. This change avoids any ambiguity regarding the function's return behavior. Link: https://lore.kernel.org/lkml/Zy9deU5VK3YR+r9N@visitorckw-System-Product-Name Signed-off-by: Kuan-Wei Chiu Reviewed-by: David Gow Signed-off-by: Shuah Khan commit 435c20eed572a95709b1536ff78832836b2f91b1 Author: Zichen Xie Date: Thu Nov 14 23:43:36 2024 -0600 kunit: Fix potential null dereference in kunit_device_driver_test() kunit_kzalloc() may return a NULL pointer, dereferencing it without NULL check may lead to NULL dereference. Add a NULL check for test_state. Link: https://lore.kernel.org/r/20241115054335.21673-1-zichenxie0106@gmail.com Fixes: d03c720e03bd ("kunit: Add APIs for managing devices") Signed-off-by: Zichen Xie Cc: stable@vger.kernel.org Reviewed-by: David Gow Signed-off-by: Shuah Khan commit aadf9cb1f0864bff45e3a3e5590af97097dd7317 Author: Brendan Higgins Date: Fri Nov 15 05:05:10 2024 +0000 MAINTAINERS: Update KUnit email address for Brendan Higgins Update Brendan's email address for the KUnit entry. Link: https://lore.kernel.org/r/20241115050510.56569-1-brendanhiggins@google.com Signed-off-by: Brendan Higgins Reviewed-by: David Gow Signed-off-by: Shuah Khan commit 39e21403c978862846fa68b7f6d06f9cca235194 Author: Jinjie Ruan Date: Tue Nov 12 16:03:14 2024 +0800 kunit: string-stream: Fix a UAF bug in kunit_init_suite() In kunit_debugfs_create_suite(), if alloc_string_stream() fails in the kunit_suite_for_each_test_case() loop, the "suite->log = stream" has assigned before, and the error path only free the suite->log's stream memory but not set it to NULL, so the later string_stream_clear() of suite->log in kunit_init_suite() will cause below UAF bug. Set stream pointer to NULL after free to fix it. Unable to handle kernel paging request at virtual address 006440150000030d Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [006440150000030d] address between user and kernel address ranges Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: iio_test_gts industrialio_gts_helper cfg80211 rfkill ipv6 [last unloaded: iio_test_gts] CPU: 5 UID: 0 PID: 6253 Comm: modprobe Tainted: G B W N 6.12.0-rc4+ #458 Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST Hardware name: linux,dummy-virt (DT) pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : string_stream_clear+0x54/0x1ac lr : string_stream_clear+0x1a8/0x1ac sp : ffffffc080b47410 x29: ffffffc080b47410 x28: 006440550000030d x27: ffffff80c96b5e98 x26: ffffff80c96b5e80 x25: ffffffe461b3f6c0 x24: 0000000000000003 x23: ffffff80c96b5e88 x22: 1ffffff019cdf4fc x21: dfffffc000000000 x20: ffffff80ce6fa7e0 x19: 032202a80000186d x18: 0000000000001840 x17: 0000000000000000 x16: 0000000000000000 x15: ffffffe45c355cb4 x14: ffffffe45c35589c x13: ffffffe45c03da78 x12: ffffffb810168e75 x11: 1ffffff810168e74 x10: ffffffb810168e74 x9 : dfffffc000000000 x8 : 0000000000000004 x7 : 0000000000000003 x6 : 0000000000000001 x5 : ffffffc080b473a0 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000000001 x1 : ffffffe462fbf620 x0 : dfffffc000000000 Call trace: string_stream_clear+0x54/0x1ac __kunit_test_suites_init+0x108/0x1d8 kunit_exec_run_tests+0xb8/0x100 kunit_module_notify+0x400/0x55c notifier_call_chain+0xfc/0x3b4 blocking_notifier_call_chain+0x68/0x9c do_init_module+0x24c/0x5c8 load_module+0x4acc/0x4e90 init_module_from_file+0xd4/0x128 idempotent_init_module+0x2d4/0x57c __arm64_sys_finit_module+0xac/0x100 invoke_syscall+0x6c/0x258 el0_svc_common.constprop.0+0x160/0x22c do_el0_svc+0x44/0x5c el0_svc+0x48/0xb8 el0t_64_sync_handler+0x13c/0x158 el0t_64_sync+0x190/0x194 Code: f9400753 d2dff800 f2fbffe0 d343fe7c (38e06b80) ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: Oops: Fatal exception Link: https://lore.kernel.org/r/20241112080314.407966-1-ruanjinjie@huawei.com Cc: stable@vger.kernel.org Fixes: a3fdf784780c ("kunit: string-stream: Decouple string_stream from kunit") Suggested-by: Kuan-Wei Chiu Signed-off-by: Jinjie Ruan Reviewed-by: Kuan-Wei Chiu Reviewed-by: David Gow Signed-off-by: Shuah Khan commit 3f020399e4f1c690ce87b4c472f75b1fc89e07d5 Merge: f41dac3efb7582 771d271b2b908c Author: Linus Torvalds Date: Tue Nov 19 14:16:06 2024 -0800 Merge tag 'sched-core-2024-11-18' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull scheduler updates from Ingo Molnar: "Core facilities: - Add the "Lazy preemption" model (CONFIG_PREEMPT_LAZY=y), which optimizes fair-class preemption by delaying preemption requests to the tick boundary, while working as full preemption for RR/FIFO/DEADLINE classes. (Peter Zijlstra) - x86: Enable Lazy preemption (Peter Zijlstra) - riscv: Enable Lazy preemption (Jisheng Zhang) - Initialize idle tasks only once (Thomas Gleixner) - sched/ext: Remove sched_fork() hack (Thomas Gleixner) Fair scheduler: - Optimize the PLACE_LAG when se->vlag is zero (Huang Shijie) Idle loop: - Optimize the generic idle loop by removing unnecessary memory barrier (Zhongqiu Han) RSEQ: - Improve cache locality of RSEQ concurrency IDs for intermittent workloads (Mathieu Desnoyers) Waitqueues: - Make wake_up_{bit,var} less fragile (Neil Brown) PSI: - Pass enqueue/dequeue flags to psi callbacks directly (Johannes Weiner) Preparatory patches for proxy execution: - Add move_queued_task_locked helper (Connor O'Brien) - Consolidate pick_*_task to task_is_pushable helper (Connor O'Brien) - Split out __schedule() deactivate task logic into a helper (John Stultz) - Split scheduler and execution contexts (Peter Zijlstra) - Make mutex::wait_lock irq safe (Juri Lelli) - Expose __mutex_owner() (Juri Lelli) - Remove wakeups from under mutex::wait_lock (Peter Zijlstra) Misc fixes and cleanups: - Remove unused __HAVE_THREAD_FUNCTIONS hook support (David Disseldorp) - Update the comment for TIF_NEED_RESCHED_LAZY (Sebastian Andrzej Siewior) - Remove unused bit_wait_io_timeout (Dr. David Alan Gilbert) - remove the DOUBLE_TICK feature (Huang Shijie) - fix the comment for PREEMPT_SHORT (Huang Shijie) - Fix unnused variable warning (Christian Loehle) - No PREEMPT_RT=y for all{yes,mod}config" * tag 'sched-core-2024-11-18' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (33 commits) sched, x86: Update the comment for TIF_NEED_RESCHED_LAZY. sched: No PREEMPT_RT=y for all{yes,mod}config riscv: add PREEMPT_LAZY support sched, x86: Enable Lazy preemption sched: Enable PREEMPT_DYNAMIC for PREEMPT_RT sched: Add Lazy preemption model sched: Add TIF_NEED_RESCHED_LAZY infrastructure sched/ext: Remove sched_fork() hack sched: Initialize idle tasks only once sched: psi: pass enqueue/dequeue flags to psi callbacks directly sched/uclamp: Fix unnused variable warning sched: Split scheduler and execution contexts sched: Split out __schedule() deactivate task logic into a helper sched: Consolidate pick_*_task to task_is_pushable helper sched: Add move_queued_task_locked helper locking/mutex: Expose __mutex_owner() locking/mutex: Make mutex::wait_lock irq safe locking/mutex: Remove wakeups from under mutex::wait_lock sched: Improve cache locality of RSEQ concurrency IDs for intermittent workloads sched: idle: Optimize the generic idle loop by removing needless memory barrier ... commit 9080d11a6c5c1fbf27127afdef84d8dcd65b91ff Author: Colin Ian King Date: Thu Oct 31 15:58:57 2024 +0000 scripts: ipe: polgen: remove redundant close and error exit path Currently if an fopen fails the error exit path is via code that checks if fp is not null and closes the file, however, fp is null so this check and close is redundant. Since the only use of the err exit label is on the fopen check, remove it and replace the code with a simple return of errno. Also remove variable rc since it's no longer required. Signed-off-by: Colin Ian King Signed-off-by: Fan Wu commit 3c67a2c09b3c32fd9fc5caf2afacd15267d08071 Author: Rae Moar Date: Wed Nov 13 22:24:06 2024 +0000 kunit: tool: print failed tests only Add flag --failed to kunit.py to print only failed tests. This printing is done after running is over. This patch also adds the method print_test() that will also print your Test object. Before, all printing of tests occurred during parsing. This method could be useful in the future when converting to/from KTAP to this pretty-print output. Link: https://lore.kernel.org/r/20241113222406.1590372-2-rmoar@google.com Signed-off-by: Rae Moar Reviewed-by: David Gow Signed-off-by: Shuah Khan commit 062a9dd9bad7d802a6f6f23b09118b69d8766c61 Author: David Gow Date: Wed Nov 13 22:24:05 2024 +0000 kunit: tool: Only print the summary Allow only printing the summary at the end of a test run, rather than all individual test results. This summary will list a few failing tests if there are any. To use: ./tools/testing/kunit/kunit.py run --summary Link: https://lore.kernel.org/r/20241113222406.1590372-1-rmoar@google.com Signed-off-by: Rae Moar Signed-off-by: David Gow Signed-off-by: Shuah Khan commit 5017ec667b48464a301d34db9b63fa5ab8765d49 Author: Dan Carpenter Date: Mon Nov 11 13:54:09 2024 +0300 kunit: skb: add gfp to kernel doc for kunit_zalloc_skb() Kuan-Wei Chiu pointed out that the kernel doc for kunit_zalloc_skb() needs to include the @gfp information. Add it. Reported-by: Kuan-Wei Chiu Closes: https://lore.kernel.org/all/Zy+VIXDPuU613fFd@visitorckw-System-Product-Name/ Signed-off-by: Dan Carpenter Reviewed-by: Kuan-Wei Chiu Reviewed-by: David Gow Signed-off-by: Shuah Khan commit f41dac3efb7582cd3f518fadf7764d424f453788 Merge: 9d7d4ad222aea8 2c47e7a74f4454 Author: Linus Torvalds Date: Tue Nov 19 13:34:06 2024 -0800 Merge tag 'perf-core-2024-11-18' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull performance events updates from Ingo Molnar: "Uprobes: - Add BPF session support (Jiri Olsa) - Switch to RCU Tasks Trace flavor for better performance (Andrii Nakryiko) - Massively increase uretprobe SMP scalability by SRCU-protecting the uretprobe lifetime (Andrii Nakryiko) - Kill xol_area->slot_count (Oleg Nesterov) Core facilities: - Implement targeted high-frequency profiling by adding the ability for an event to "pause" or "resume" AUX area tracing (Adrian Hunter) VM profiling/sampling: - Correct perf sampling with guest VMs (Colton Lewis) New hardware support: - x86/intel: Add PMU support for Intel ArrowLake-H CPUs (Dapeng Mi) Misc fixes and enhancements: - x86/intel/pt: Fix buffer full but size is 0 case (Adrian Hunter) - x86/amd: Warn only on new bits set (Breno Leitao) - x86/amd/uncore: Avoid a false positive warning about snprintf truncation in amd_uncore_umc_ctx_init (Jean Delvare) - uprobes: Re-order struct uprobe_task to save some space (Christophe JAILLET) - x86/rapl: Move the pmu allocation out of CPU hotplug (Kan Liang) - x86/rapl: Clean up cpumask and hotplug (Kan Liang) - uprobes: Deuglify xol_get_insn_slot/xol_free_insn_slot paths (Oleg Nesterov)" * tag 'perf-core-2024-11-18' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (32 commits) perf/core: Correct perf sampling with guest VMs perf/x86: Refactor misc flag assignments perf/powerpc: Use perf_arch_instruction_pointer() perf/core: Hoist perf_instruction_pointer() and perf_misc_flags() perf/arm: Drop unused functions uprobes: Re-order struct uprobe_task to save some space perf/x86/amd/uncore: Avoid a false positive warning about snprintf truncation in amd_uncore_umc_ctx_init perf/x86/intel: Do not enable large PEBS for events with aux actions or aux sampling perf/x86/intel/pt: Add support for pause / resume perf/core: Add aux_pause, aux_resume, aux_start_paused perf/x86/intel/pt: Fix buffer full but size is 0 case uprobes: SRCU-protect uretprobe lifetime (with timeout) uprobes: allow put_uprobe() from non-sleepable softirq context perf/x86/rapl: Clean up cpumask and hotplug perf/x86/rapl: Move the pmu allocation out of CPU hotplug uprobe: Add support for session consumer uprobe: Add data pointer to consumer handlers perf/x86/amd: Warn only on new bits set uprobes: fold xol_take_insn_slot() into xol_get_insn_slot() uprobes: kill xol_area->slot_count ... commit 9d7d4ad222aea8ab482e78858d03b10221c7fe78 Merge: 364eeb79a213fc d5173f75375053 Author: Linus Torvalds Date: Tue Nov 19 13:27:52 2024 -0800 Merge tag 'objtool-core-2024-11-18' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull objtool updates from Ingo Molnar: - Detect non-relocated text references for more robust IBT sealing (Josh Poimboeuf) - Fix build error when building stripped down UAPI headers (HONG Yifan) - Exclude __tracepoints data from ENDBR checks to fix false positives on clang builds (Peter Zijlstra) - Fix ORC unwind for newly forked tasks (Zheng Yejian) - Fix readelf related faddr2line regression (Carlos Llamas) * tag 'objtool-core-2024-11-18' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: objtool: Exclude __tracepoints data from ENDBR checks Revert "scripts/faddr2line: Check only two symbols when calculating symbol size" x86/unwind/orc: Fix unwind for newly forked tasks objtool: Also include tools/include/uapi objtool: Detect non-relocated text references commit 9cf9f2e70bea4e66a2c8b8c4743489beb21258a8 Author: Rafael J. Wysocki Date: Fri Nov 15 22:00:25 2024 +0100 cpuidle: Change :enter_dead() driver callback return type to void After a previous change, cpuidle_play_dead(), which is the only caller of idle state :enter_dead() callbacks, ignores their return values, so they may as well be void. Suggested-by: Peter Zijlstra Signed-off-by: Rafael J. Wysocki Reviewed-by: Gautham R. Shenoy Reviewed-by: Mario Limonciello Link: https://patch.msgid.link/2285569.iZASKD2KPV@rjwysocki.net commit f65ee094eda6e5897172a1276ffee88cf5489928 Author: Rafael J. Wysocki Date: Fri Nov 15 21:58:31 2024 +0100 cpuidle: Do not return from cpuidle_play_dead() on callback failures If the :enter_dead() idle state callback fails for a certain state, there may be still a shallower state for which it will work. Because the only caller of cpuidle_play_dead(), native_play_dead(), falls back to hlt_play_dead() if it returns an error, it should better try all of the idle states for which :enter_dead() is present before failing, so change it accordingly. Also notice that the :enter_dead() state callback is not expected to return on success (the CPU should be "dead" then), so make cpuidle_play_dead() ignore its return value. Signed-off-by: Rafael J. Wysocki Reviewed-by: Mario Limonciello Tested-by: Mario Limonciello # 6.12-rc7 Reviewed-by: Gautham R. Shenoy Link: https://patch.msgid.link/3318440.aeNJFYEL58@rjwysocki.net commit bf1d33dfb1055d008b927db5f067c647cc845930 Author: Rafael J. Wysocki Date: Thu Nov 14 18:47:55 2024 +0100 ACPI: processor_idle: Use acpi_idle_play_dead() for all C-states Notice that acpi_processor_setup_cstates() can set state->enter_dead to acpi_idle_play_dead() for all C-states unconditionally and remove the confusing C-state type check done before setting it. No intentional functional impact. Suggested-by: Peter Zijlstra Signed-off-by: Rafael J. Wysocki Reviewed-by: Mario Limonciello Tested-by: Mario Limonciello # 6.12-rc7 Acked-by: Peter Zijlstra (Intel) Link: https://patch.msgid.link/2373563.ElGaqSPkdT@rjwysocki.net commit 364eeb79a213fcf9164208b53764223ad522d6b3 Merge: d8d78a90e7fca1 3b49a347d75155 Author: Linus Torvalds Date: Tue Nov 19 12:43:11 2024 -0800 Merge tag 'locking-core-2024-11-18' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull locking updates from Ingo Molnar: "Lockdep: - Enable PROVE_RAW_LOCK_NESTING with PROVE_LOCKING (Sebastian Andrzej Siewior) - Add lockdep_cleanup_dead_cpu() (David Woodhouse) futexes: - Use atomic64_inc_return() in get_inode_sequence_number() (Uros Bizjak) - Use atomic64_try_cmpxchg_relaxed() in get_inode_sequence_number() (Uros Bizjak) RT locking: - Add sparse annotation PREEMPT_RT's locking (Sebastian Andrzej Siewior) spinlocks: - Use atomic_try_cmpxchg_release() in osq_unlock() (Uros Bizjak) atomics: - x86: Use ALT_OUTPUT_SP() for __alternative_atomic64() (Uros Bizjak) - x86: Use ALT_OUTPUT_SP() for __arch_{,try_}cmpxchg64_emu() (Uros Bizjak) KCSAN, seqlocks: - Support seqcount_latch_t (Marco Elver) : - Add if_not_guard() conditional guard helper (David Lechner) - Adjust scoped_guard() macros to avoid potential warning (Przemek Kitszel) - Remove address space of returned pointer (Uros Bizjak) WW mutexes: - locking/ww_mutex: Adjust to lockdep nest_lock requirements (Thomas Hellström) Rust integration: - Fix raw_spin_lock initialization on PREEMPT_RT (Eder Zulian) Misc cleanups & fixes: - lockdep: Fix wait-type check related warnings (Ahmed Ehab) - lockdep: Use info level for initial info messages (Jiri Slaby) - spinlocks: Make __raw_* lock ops static (Geert Uytterhoeven) - pvqspinlock: Convert fields of 'enum vcpu_state' to uppercase (Qiuxu Zhuo) - iio: magnetometer: Fix if () scoped_guard() formatting (Stephen Rothwell) - rtmutex: Fix misleading comment (Peter Zijlstra) - percpu-rw-semaphores: Fix grammar in percpu-rw-semaphore.rst (Xiu Jianfeng)" * tag 'locking-core-2024-11-18' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (29 commits) locking/Documentation: Fix grammar in percpu-rw-semaphore.rst iio: magnetometer: fix if () scoped_guard() formatting rust: helpers: Avoid raw_spin_lock initialization for PREEMPT_RT kcsan, seqlock: Fix incorrect assumption in read_seqbegin() seqlock, treewide: Switch to non-raw seqcount_latch interface kcsan, seqlock: Support seqcount_latch_t time/sched_clock: Broaden sched_clock()'s instrumentation coverage time/sched_clock: Swap update_clock_read_data() latch writes locking/atomic/x86: Use ALT_OUTPUT_SP() for __arch_{,try_}cmpxchg64_emu() locking/atomic/x86: Use ALT_OUTPUT_SP() for __alternative_atomic64() cleanup: Add conditional guard helper cleanup: Adjust scoped_guard() macros to avoid potential warning locking/osq_lock: Use atomic_try_cmpxchg_release() in osq_unlock() cleanup: Remove address space of returned pointer locking/rtmutex: Fix misleading comment locking/rt: Annotate unlock followed by lock for sparse. locking/rt: Add sparse annotation for RCU. locking/rt: Remove one __cond_lock() in RT's spin_trylock_irqsave() locking/rt: Add sparse annotation PREEMPT_RT's sleeping locks. locking/pvqspinlock: Convert fields of 'enum vcpu_state' to uppercase ... commit fef664fd73c12c11a4c4a40bd38beb8542505573 Merge: cd7fa3e1b0bc9c d303e3dd8d4648 Author: Rafael J. Wysocki Date: Tue Nov 19 21:40:05 2024 +0100 Merge tag 'thermal-v6.13-rc1' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/thermal/linux Merge updates of thermal drivers for 6.13-rc1 from Daniel Lezcano: "- Add the SAR2130P compatible in the DT bindings for the QCom Tsens driver (Dmitry Baryshkov) - Add the static annotation to the arrays describing the platform sensors on the LVTS Mediatek driver (Colin Ian King) - Switch back to the struct platform_driver::remove() from the previous callbacks prototype rework (Uwe Kleine-König) - Add the MSM8937 compatible in the DT bindings and its support in the QCom Tsens driver (Barnabás Czémán) - Remove a pointless sign test on an unsigned value in k3_bgp_read_temp() function on the k3_j72xx_bandgap driver (Rex Nie) - Fix a pointer reference lost when the call to realloc() fails in the thermal library (Zhang Jiao)" * tag 'thermal-v6.13-rc1' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/thermal/linux: tools/thermal: Fix common realloc mistake thermal/drivers/k3_j72xx_bandgap: Simplify code in k3_bgp_read_temp() thermal/drivers/qcom/tsens-v1: Add support for MSM8937 tsens dt-bindings: thermal: tsens: Add MSM8937 thermal: Switch back to struct platform_driver::remove() thermal/drivers/mediatek/lvts_thermal: Make read-only arrays static const dt-bindings: thermal: qcom-tsens: Add SAR2130P compatible commit 1a93226619dc5798dacee0734a5f1f886b358953 Merge: ad52c55e1d3a2e 53205a7903666d Author: Rafael J. Wysocki Date: Tue Nov 19 21:37:56 2024 +0100 Merge tag 'opp-updates-6.13' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/vireshk/pm Merge OPP (Operating Performance Points) Updates for 6.13 from Viresh Kumar: "- Describe opp-supported-hw property for ti-cpu (Dhruva Gole). - Remove unused declarations in header file (Zhang Zekun)." * tag 'opp-updates-6.13' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/vireshk/pm: dt-bindings: opp: operating-points-v2-ti-cpu: Describe opp-supported-hw OPP: Remove unused declarations in header file commit baf4ae80382350ec314f5ce6742c5281a812fe00 Merge: ad52c55e1d3a2e 5df30684415d5a Author: Rafael J. Wysocki Date: Tue Nov 19 21:35:14 2024 +0100 Merge tag 'cpufreq-arm-updates-6.13' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/vireshk/pm Merge ARM cpufreq updates for 6.13 from Viresh Kumar: "- Add virtual cpufreq driver for guest kernels (David Dai). - Minor cleanup to various cpufreq drivers (Andy Shevchenko, Dhruva Gole, Jie Zhan, Jinjie Ruan, Shuosheng Huang, Sibi Sankar, and Yuan Can). - Revert "cpufreq: brcmstb-avs-cpufreq: Fix initial command check" (Colin Ian King). - Improve DT bindings for qcom-hw driver (Dmitry Baryshkov, Konrad Dybcio, and Nikunj Kela)." * tag 'cpufreq-arm-updates-6.13' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/vireshk/pm: arm64: dts: qcom: sc8180x: Add a SoC-specific compatible to cpufreq-hw dt-bindings: cpufreq: cpufreq-qcom-hw: Add SC8180X compatible cpufreq: sun50i: add a100 cpufreq support cpufreq: mediatek-hw: Fix wrong return value in mtk_cpufreq_get_cpu_power() cpufreq: CPPC: Fix wrong return value in cppc_get_cpu_power() cpufreq: CPPC: Fix wrong return value in cppc_get_cpu_cost() cpufreq: loongson3: Check for error code from devm_mutex_init() call cpufreq: scmi: Fix cleanup path when boost enablement fails cpufreq: CPPC: Fix possible null-ptr-deref for cppc_get_cpu_cost() cpufreq: CPPC: Fix possible null-ptr-deref for cpufreq_cpu_get_raw() Revert "cpufreq: brcmstb-avs-cpufreq: Fix initial command check" dt-bindings: cpufreq: cpufreq-qcom-hw: Add SAR2130P compatible cpufreq: add virtual-cpufreq driver dt-bindings: cpufreq: add virtual cpufreq device cpufreq: loongson2: Unregister platform_driver on failure cpufreq: ti-cpufreq: Remove revision offsets in AM62 family cpufreq: ti-cpufreq: Allow backward compatibility for efuse syscon cppc_cpufreq: Remove HiSilicon CPPC workaround cppc_cpufreq: Use desired perf if feedback ctrs are 0 or unchanged dt-bindings: cpufreq: qcom-hw: document support for SA8255p commit d8d78a90e7fca1ce7c90fa791400b287bc5b42a1 Merge: 55db8eb4565f94 f74642d81c24d9 Author: Linus Torvalds Date: Tue Nov 19 12:27:19 2024 -0800 Merge tag 'x86_cpu_for_v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 cpuid updates from Borislav Petkov: - Add a feature flag which denotes AMD CPUs supporting workload classification with the purpose of using such hints when making scheduling decisions - Determine the boost enumerator for each AMD core based on its type: efficiency or performance, in the cppc driver - Add the type of a CPU to the topology CPU descriptor with the goal of supporting and making decisions based on the type of the respective core - Add a feature flag to denote AMD cores which have heterogeneous topology and enable SD_ASYM_PACKING for those - Check microcode revisions before disabling PCID on Intel - Cleanups and fixlets * tag 'x86_cpu_for_v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/cpu: Remove redundant CONFIG_NUMA guard around numa_add_cpu() x86/cpu: Fix FAM5_QUARK_X1000 to use X86_MATCH_VFM() x86/cpu: Fix formatting of cpuid_bits[] in scattered.c x86/cpufeatures: Add X86_FEATURE_AMD_WORKLOAD_CLASS feature bit x86/amd: Use heterogeneous core topology for identifying boost numerator x86/cpu: Add CPU type to struct cpuinfo_topology x86/cpu: Enable SD_ASYM_PACKING for PKG domain on AMD x86/cpufeatures: Add X86_FEATURE_AMD_HETEROGENEOUS_CORES x86/cpufeatures: Rename X86_FEATURE_FAST_CPPC to have AMD prefix x86/mm: Don't disable PCID when INVLPG has been fixed by microcode commit 55db8eb4565f943dc0ebd1327cbe3d9d684f74e8 Merge: 9db8b240704cf6 8bca85cc1eb72e Author: Linus Torvalds Date: Tue Nov 19 12:21:35 2024 -0800 Merge tag 'x86_sev_for_v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 SEV updates from Borislav Petkov: - Do the proper memory conversion of guest memory in order to be able to kexec kernels in SNP guests along with other adjustments and cleanups to that effect - Start converting and moving functionality from the sev-guest driver into core code with the purpose of supporting the secure TSC SNP feature where the hypervisor cannot influence the TSC exposed to the guest anymore - Add a "nosnp" cmdline option in order to be able to disable SNP support in the hypervisor and thus free-up resources which are not going to be used - Cleanups [ Reminding myself about the endless TLA's again: SEV is the AMD Secure Encrypted Virtualization - Linus ] * tag 'x86_sev_for_v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/sev: Cleanup vc_handle_msr() x86/sev: Convert shared memory back to private on kexec x86/mm: Refactor __set_clr_pte_enc() x86/boot: Skip video memory access in the decompressor for SEV-ES/SNP virt: sev-guest: Carve out SNP message context structure virt: sev-guest: Reduce the scope of SNP command mutex virt: sev-guest: Consolidate SNP guest messaging parameters to a struct x86/sev: Cache the secrets page address x86/sev: Handle failures from snp_init() virt: sev-guest: Use AES GCM crypto library x86/virt: Provide "nosnp" boot option for sev kernel command line x86/virt: Move SEV-specific parsing into arch/x86/virt/svm commit 9db8b240704cf66b8c9caaad586034399ac39641 Merge: ab713e709938ec 90f1b42b179487 Author: Linus Torvalds Date: Tue Nov 19 12:19:59 2024 -0800 Merge tag 'x86_platform_for_v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 platform cleanup from Borislav Petkov: - Replace deprecated PCI functions used in intel-mid * tag 'x86_platform_for_v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/platform/intel-mid: Replace deprecated PCI functions commit ab713e709938ec4045b4cddcd850a0135ae343b4 Merge: 5a4b3fbb4849c6 9a819753b0209c Author: Linus Torvalds Date: Tue Nov 19 12:13:16 2024 -0800 Merge tag 'x86_microcode_for_v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 microcode loader update from Borislav Petkov: - Remove the unconditional cache writeback and invalidation after loading the microcode patch on Intel as this was addressing a microcode bug for which there is a concrete microcode revision check instead * tag 'x86_microcode_for_v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/microcode/intel: Remove unnecessary cache writeback and invalidation commit 5a4b3fbb4849c66814e89772dad2e71fc9160805 Merge: c1f2ffe207a23b 9bce6e94c4b39b Author: Linus Torvalds Date: Tue Nov 19 12:11:28 2024 -0800 Merge tag 'x86_cache_for_v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 cache resource control updates from Borislav Petkov: - Add support for 6-node sub-NUMA clustering on Intel - Cleanup * tag 'x86_cache_for_v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/resctrl: Support Sub-NUMA cluster mode SNC6 x86/resctrl: Slightly clean-up mbm_config_show() commit c1f2ffe207a23b52d58923b1b34c2fd3d1b30494 Merge: 77286b868f93a5 612c2addff367e Author: Linus Torvalds Date: Tue Nov 19 12:04:51 2024 -0800 Merge tag 'ras_core_for_v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull RAS updates from Borislav Petkov: - Log and handle twp new AMD-specific MCA registers: SYND1 and SYND2 and report the Field Replaceable Unit text info reported through them - Add support for handling variable-sized SMCA BERT records - Add the capability for reporting vendor-specific RAS error info without adding vendor-specific fields to struct mce - Cleanups * tag 'ras_core_for_v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: EDAC/mce_amd: Add support for FRU text in MCA x86/mce/apei: Handle variable SMCA BERT record size x86/MCE/AMD: Add support for new MCA_SYND{1,2} registers tracing: Add __print_dynamic_array() helper x86/mce: Add wrapper for struct mce to export vendor specific info x86/mce/intel: Use MCG_BANKCNT_MASK instead of 0xff x86/mce/mcelog: Use xchg() to get and clear the flags commit 77286b868f93a590313b449b25a49ef2ad0c0308 Merge: 769ca7d4d29748 1b38da0115598e Author: Linus Torvalds Date: Tue Nov 19 12:00:10 2024 -0800 Merge tag 'edac_updates_for_v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/ras/ras Pull EDAC updates from Borislav Petkov: - Add support for Bluefield-2 SOCs to bluefield_edac - Add support for Intel Panther Lake-H to igen6_edac - Add polling support to igen6_edac as some Intel M100 chips have trouble with error interrupts - Add Kaby Lake-S support to ie31200_edac - Fix memory source detection in the SKX common module which is used by a couple of Intel EDAC drivers - Add support for the NXP i.MX9 memory controller to fsl_edac - The usual fixes and cleanups all over the place * tag 'edac_updates_for_v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/ras/ras: EDAC/igen6: Add polling support EDAC/igen6: Initialize edac_op_state according to the configuration data EDAC/igen6: Avoid segmentation fault on module unload EDAC/ie31200: Add Kaby Lake-S dual-core host bridge ID MAINTAINERS: Change FSL DDR EDAC maintainership EDAC/{skx_common,i10nm}: Fix incorrect far-memory error source indicator EDAC/skx_common: Differentiate memory error sources EDAC/fsl_ddr: Add support for i.MX9 DDR controller dt-bindings: memory: fsl: Add compatible string nxp,imx9-memory-controller EDAC/fsl_ddr: Fix bad bit shift operations EDAC/fsl_ddr: Move global variables into struct fsl_mc_pdata EDAC/fsl_ddr: Pass down fsl_mc_pdata in ddr_in32() and ddr_out32() RAS/AMD/ATL: Add debug prints for DF register reads EDAC/bluefield: Use Arm SMC for EMI access on BlueField-2 EDAC/bluefield: Fix potential integer overflow EDAC/igen6: Add Intel Panther Lake-H SoCs support commit 769ca7d4d29748f1c95b4ae4ce325ba4ea8cd2b4 Merge: 8cdf2d19038fa2 b86f7c9fad06b9 Author: Linus Torvalds Date: Tue Nov 19 11:44:17 2024 -0800 Merge tag 'kcsan-20241112-v6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/melver/linux Pull Kernel Concurrency Sanitizer (KCSAN) updates from Marco Elver: - Make KCSAN compatible with PREEMPT_RT - Minor cleanup * tag 'kcsan-20241112-v6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/melver/linux: kcsan: Remove redundant call of kallsyms_lookup_name() kcsan: Turn report_filterlist_lock into a raw_spinlock commit 8cdf2d19038fa266806d15603d691dc2fd774858 Merge: 2b5d5f23d40565 d8dfba2c606ac9 Author: Linus Torvalds Date: Tue Nov 19 11:27:07 2024 -0800 Merge tag 'rcu.release.v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/rcu/linux Pull RCU updates from Frederic Weisbecker: "SRCU: - Introduction of the new SRCU-lite flavour with a new pair of srcu_read_[un]lock_lite() APIs. In practice the read side using this flavour becomes lighter by removing a full memory barrier on LOCK and a full memory barrier on UNLOCK. This comes at the expense of a higher latency write side with two (in the best case of a snaphot of unused read-sides) or more RCU grace periods on the update side which now assumes by itself the whole full ordering guarantee against the LOCK/UNLOCK counters on both indexes, along with the accesses performed inside. Uretprobes is a known potential user. Note this doesn't replace the default normal flavour of SRCU which still behaves the same as usual. - Add testing of SRCU-lite through rcutorture and rcuscale - Various cleanups on the way. Fixes: - Allow short-circuiting RCU-TASKS-RUDE grace periods on architectures that have sane noinstr boundaries forbidding tracing on low-level idle and kernel entry code. RCU-TASKS is enough on such configurations because it involves an RCU grace period that waits for all idle tasks to either schedule out voluntarily or enter into RCU unwatched noinstr code. - Allow and test start_poll_synchronize_rcu() with IRQs disabled. - Mention rcuog kthreads in relevant documentation and Kconfig help - Various fixes and consolidations rcutorture: - Add --no-affinity on tools to leave the affinity setting of guests up to the user. - Add guest_os_delay parameter to rcuscale for better warm-up control. - Fix and improve some rcuscale error handling. - Various cleanups and fixes stall: - Remove dead code - Stop dumping tasks if a stalled grace period eventually ended midway as that only produces confusing output. - Optimize detection of stalling CPUs and avoid useless node locking otherwise. NOCB: - Fix rcu_barrier() hang due to a race against callbacks deoffloading. This is not yet used, except by rcutorture, and waits for its promised cpusets interface. - Remove leftover function declaration" * tag 'rcu.release.v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/rcu/linux: (42 commits) rcuscale: Remove redundant WARN_ON_ONCE() splat rcuscale: Do a proper cleanup if kfree_scale_init() fails srcu: Unconditionally record srcu_read_lock_lite() in ->srcu_reader_flavor srcu: Check for srcu_read_lock_lite() across all CPUs srcu: Remove smp_mb() from srcu_read_unlock_lite() rcutorture: Avoid printing cpu=-1 for no-fault RCU boost failure rcuscale: Add guest_os_delay module parameter refscale: Correct affinity check torture: Add --no-affinity parameter to kvm.sh rcu/nocb: Fix missed RCU barrier on deoffloading rcu/kvfree: Fix data-race in __mod_timer / kvfree_call_rcu rcu/srcutiny: don't return before reenabling preemption rcu-tasks: Remove open-coded one-byte cmpxchg() emulation doc: Remove kernel-parameters.txt entry for rcutorture.read_exit rcutorture: Test start-poll primitives with interrupts disabled rcu: Permit start_poll_synchronize_rcu*() with interrupts disabled rcu: Allow short-circuiting of synchronize_rcu_tasks_rude() doc: Add rcuog kthreads to kernel-per-CPU-kthreads.rst rcu: Add rcuog kthreads to RCU_NOCB_CPU help text rcu: Use the BITS_PER_LONG macro ... commit 2b5d5f23d4056543757919bb2db06d0829835f7e Merge: 4e9ad033b40533 3996187f80a0e2 Author: Linus Torvalds Date: Tue Nov 19 11:23:52 2024 -0800 Merge tag 'hwmon-for-v6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging Pull hmon updates from Guenter Roeck: "New drivers: - ISL28022 power monitor - Nuvoton NCT7363Y Added support for new chips to existing drivers: - The tmp180 driver now supports NXP p3t1085, including its I3C mode - The ina2xx driver now supports SY24655 and INA260 - The amc6821 driver now supports tsd,mule Other notable improvements: - The sht4x driver now supports the chip heater - The pmbus/isl68137 driver now supports a voltage divider on Vout - The cros_ec driver registers with the thermal framework - The pmbus/ltc2978 driver now supports LTC7841 - The PMBus core now allow drivers to override WRITE_PROTECT Various other minor improvements and cleanups" * tag 'hwmon-for-v6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging: (51 commits) hwmon: (pmbus/isl68137) add support for voltage divider on Vout dt-bindings: hwmon: isl68137: add bindings to support voltage dividers hwmon: tmp108: fix I3C dependency hwmon: (cros_ec) register thermal sensors to thermal framework hwmon: (tmp108) Add support for I3C device hwmon: (tmp108) Add helper function tmp108_common_probe() to prepare I3C support hwmon: (acpi_power_meter) Fix fail to load module on platform without _PMD method hwmon: (nct6775-core) Fix overflows seen when writing limit attributes hwmon: (pwm-fan) Introduce start from stopped state handling dt-bindings: hwmon: pwm-fan: Document start from stopped state properties hwmon: (tmp108) Add NXP p3t1085 support dt-bindings: hwmon: ti,tmp108: Add nxp,p3t1085 compatible string hwmon: (sch5627, max31827) Fix typos in driver documentation hwmon: (jc42) Drop of_match_ptr() protection hwmon: (f71882fg) Fix grammar in fan speed trip points explanation dt-bindings: hwmon: pmbus: add ti tps25990 support hwmon: (pmbus/core) clear faults after setting smbalert mask hwmon: (pmbus/core) allow drivers to override WRITE_PROTECT hwmon: (pmbus) add documentation for existing flags hwmon: (ina226) Add support for SY24655 ... commit 4e9ad033b405336cea3c19b68e2acdf47d88c339 Merge: cd7fa3e1b0bc9c d47a60e487fbb6 Author: Linus Torvalds Date: Tue Nov 19 11:17:53 2024 -0800 Merge tag 'acpi-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull ACPI updates from Rafael Wysocki: "These include a couple of fixes, a new ACPI backlight quirk for Apple MacbookPro11,2 and Air7,2 and a bunch of cleanups: - Fix _CPC register setting issue for registers located in memory in the ACPI CPPC library code (Lifeng Zheng) - Use DEFINE_SIMPLE_DEV_PM_OPS in the ACPI battery driver, make it use devm_ for initializing mutexes and allocating driver data, and make it check the register_pm_notifier() return value (Thomas Weißschuh, Andy Shevchenko) - Make the ACPI EC driver support compile-time conditional and allow ACPI to be built without CONFIG_HAS_IOPORT (Arnd Bergmann) - Remove a redundant error check from the pfr_telemetry driver (Colin Ian King) - Rearrange the processor_perflib code in the ACPI processor driver to avoid compiling x86-specific code on other architectures (Arnd Bergmann) - Add adev NULL check to acpi_quirk_skip_serdev_enumeration() and make UART skip quirks work on PCI UARTs without an UID (Hans de Goede) - Force native backlight handling Apple MacbookPro11,2 and Air7,2 in the ACPI video driver (Jonathan Denose) - Switch several ACPI platform drivers back to using struct platform_driver::remove() (Uwe Kleine-König) - Replace strcpy() with strscpy() in multiple places in the ACPI subsystem (Muhammad Qasim Abdul Majeed, Abdul Rahim)" * tag 'acpi-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: (24 commits) ACPI: video: force native for Apple MacbookPro11,2 and Air7,2 ACPI: CPPC: Fix _CPC register setting issue ACPI: Switch back to struct platform_driver::remove() ACPI: x86: Add adev NULL check to acpi_quirk_skip_serdev_enumeration() ACPI: x86: Make UART skip quirks work on PCI UARTs without an UID ACPI: allow building without CONFIG_HAS_IOPORT ACPI: processor_perflib: extend X86 dependency ACPI: scan: Use strscpy() instead of strcpy() ACPI: SBSHC: Use strscpy() instead of strcpy() ACPI: SBS: Use strscpy() instead of strcpy() ACPI: power: Use strscpy() instead of strcpy() ACPI: pci_root: Use strscpy() instead of strcpy() ACPI: pci_link: Use strscpy() instead of strcpy() ACPI: event: Use strscpy() instead of strcpy() ACPI: EC: Use strscpy() instead of strcpy() ACPI: APD: Use strscpy() instead of strcpy() ACPI: thermal: Use strscpy() instead of strcpy() ACPI: battery: Check for error code from devm_mutex_init() call ACPI: EC: make EC support compile-time conditional ACPI: pfr_telemetry: remove redundant error check on ret ... commit cd7fa3e1b0bc9c210eba23edbe8d6884f0368281 Merge: ad52c55e1d3a2e 0104dcdaad3a7a Author: Linus Torvalds Date: Tue Nov 19 11:15:40 2024 -0800 Merge tag 'thermal-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull thermal control updates from Rafael Wysocki: "These are thermal core changes, including the addition of support for temperature thresholds that can be set from user space, fixes related to thermal zone initialization, suspend/resume and exit, locking rework and rearrangement of the code handling thermal zone temperature updates. Specifics: - Add support for thermal thresholds that can be added and removed from user space via netlink along with a related library update (Daniel Lezcano) - Fix thermal zone initialization, suspend/resume and exit synchronization issues (Rafael Wysocki) - Rearrange locking in the thermal core to use guards (Rafael Wysocki) - Make the code handling thermal zone temperature updates use sorted lists of trip points to reduce the number of trip points table walks in the thermal core (Rafael Wysocki) - Fix and clean up the thermal testing facility code (Rafael Wysocki) - Fix a Power Allocator thermal governor issue (ZhengShaobo)" * tag 'thermal-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: (45 commits) thermal: testing: Initialize some variables annoteded with _free() thermal: testing: Use DEFINE_FREE() and __free() to simplify code thermal: testing: Simplify tt_get_tt_zone() thermal: gov_power_allocator: Granted power set to max when nobody request power thermal: core: Relocate thermal zone initialization routine thermal: core: Use trip lists for trip crossing detection thermal: core: Eliminate thermal_zone_trip_down() thermal: core: Relocate functions that update trip points thermal: core: Move some trip processing to thermal_trip_crossed() thermal: core: Pass trip descriptor to thermal_trip_crossed() thermal: core: Rearrange __thermal_zone_device_update() thermal: core: Prepare for moving trips between sorted lists thermal: core: Rename trip list node in struct thermal_trip_desc thermal: core: Build sorted lists instead of sorting them later thermal/lib: Fix memory leak on error in thermal_genl_auto() thermal: thresholds: Fix thermal lock annotation issue tools/thermal/thermal-engine: Take into account the thresholds API tools/lib/thermal: Add the threshold netlink ABI tools/lib/thermal: Make more generic the command encoding function thermal: netlink: Add the commands and the events for the thresholds ... commit ad52c55e1d3a2e85e05e47b6d7056c662a9c0246 Merge: 8a7fa81137fabb c6e2a4c9eed524 Author: Linus Torvalds Date: Tue Nov 19 11:05:00 2024 -0800 Merge tag 'pm-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull power management updates from Rafael Wysocki: "The amd-pstate cpufreq driver gets the majority of changes this time. They are mostly fixes and cleanups, but one of them causes it to become the default cpufreq driver on some AMD server platforms. Apart from that, the menu cpuidle governor is modified to not use iowait any more, the intel_idle gets a custom C-states table for Granite Rapids Xeon D, and the intel_pstate driver will use a more aggressive Balance- performance default EPP value on Granite Rapids now. There are also some fixes, cleanups and tooling updates. Specifics: - Update the amd-pstate driver to set the initial scaling frequency policy lower bound to be the lowest non-linear frequency (Dhananjay Ugwekar) - Enable amd-pstate by default on servers starting with newer AMD Epyc processors (Swapnil Sapkal) - Align more codepaths between shared memory and MSR designs in amd-pstate (Dhananjay Ugwekar) - Clean up amd-pstate code to rename functions and remove redundant calls (Dhananjay Ugwekar, Mario Limonciello) - Do other assorted fixes and cleanups in amd-pstate (Dhananjay Ugwekar and Mario Limonciello) - Change the Balance-performance EPP value for Granite Rapids in the intel_pstate driver to a more performance-biased one (Srinivas Pandruvada) - Simplify MSR read on the boot CPU in the ACPI cpufreq driver (Chang S. Bae) - Ensure sugov_eas_rebuild_sd() is always called when sugov_init() succeeds to always enforce sched domains rebuild in case EAS needs to be enabled (Christian Loehle) - Switch cpufreq back to platform_driver::remove() (Uwe Kleine-König) - Use proper frequency unit names in cpufreq (Marcin Juszkiewicz) - Add a built-in idle states table for Granite Rapids Xeon D to the intel_idle driver (Artem Bityutskiy) - Fix some typos in comments in the cpuidle core and drivers (Shen Lichuan) - Remove iowait influence from the menu cpuidle governor (Christian Loehle) - Add min/max available performance state limits to the Energy Model management code (Lukasz Luba) - Update pm-graph to v5.13 (Todd Brandt) - Add documentation for some recently introduced cpupower utility options (Tor Vic) - Make cpupower inform users where cpufreq-bench.conf should be located when opening it fails (Peng Fan) - Allow overriding cross-compiling env params in cpupower (Peng Fan) - Add compile_commands.json to .gitignore in cpupower (John B. Wyatt IV) - Improve disable c_state block in cpupower bindings and add a test to confirm that CPU state is disabled to it (John B. Wyatt IV) - Add Chinese Simplified translation to cpupower (Kieran Moy) - Add checks for xgettext and msgfmt to cpupower (Siddharth Menon)" * tag 'pm-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: (38 commits) cpufreq: intel_pstate: Update Balance-performance EPP for Granite Rapids cpufreq: ACPI: Simplify MSR read on the boot CPU sched/cpufreq: Ensure sd is rebuilt for EAS check intel_idle: add Granite Rapids Xeon D support PM: EM: Add min/max available performance state limits cpufreq/amd-pstate: Move registration after static function call update cpufreq/amd-pstate: Push adjust_perf vfunc init into cpu_init cpufreq/amd-pstate: Align offline flow of shared memory and MSR based systems cpufreq/amd-pstate: Call cppc_set_epp_perf in the reenable function cpufreq/amd-pstate: Do not attempt to clear MSR_AMD_CPPC_ENABLE cpufreq/amd-pstate: Rename functions that enable CPPC cpufreq/amd-pstate-ut: Add fix for min freq unit test amd-pstate: Switch to amd-pstate by default on some Server platforms amd-pstate: Set min_perf to nominal_perf for active mode performance gov cpufreq/amd-pstate: Remove the redundant amd_pstate_set_driver() call cpufreq/amd-pstate: Remove the switch case in amd_pstate_init() cpufreq/amd-pstate: Call amd_pstate_set_driver() in amd_pstate_register_driver() cpufreq/amd-pstate: Call amd_pstate_register() in amd_pstate_init() cpufreq/amd-pstate: Set the initial min_freq to lowest_nonlinear_freq cpufreq/amd-pstate: Remove the redundant verify() function ... commit 8a7fa81137fabb5d86be5825e03d28c371d178d6 Merge: 02b2f1a7b8ef34 d18c13697b4dcb Author: Linus Torvalds Date: Tue Nov 19 10:43:44 2024 -0800 Merge tag 'random-6.13-rc1-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/crng/random Pull random number generator updates from Jason Donenfeld: "This contains a single series from Uros to replace uses of with prandom.h or other more specific headers as needed, in order to avoid a circular header issue. Uros' goal is to be able to use percpu.h from prandom.h, which will then allow him to define __percpu in percpu.h rather than in compiler_types.h" * tag 'random-6.13-rc1-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/crng/random: prandom: Include in random: Do not include in netem: Include in sch_netem.c lib/test_scanf: Include instead of lib/test_parman: Include instead of bpf/tests: Include instead of lib/rbtree-test: Include instead of random32: Include instead of kunit: string-stream-test: Include lib/interval_tree_test.c: Include instead of bpf: Include instead of scsi: libfcoe: Include instead of fscrypt: Include in fs/crypto/keyring.c mtd: tests: Include instead of media: vivid: Include in vivid-vid-cap.c drm/lib: Include instead of drm/i915/selftests: Include instead of crypto: testmgr: Include instead of x86/kaslr: Include instead of commit 02b2f1a7b8ef340e57cae640a52ec7199b0b887d Merge: 1af29b34ea7f63 4223414efeae3a Author: Linus Torvalds Date: Tue Nov 19 10:28:41 2024 -0800 Merge tag 'v6.13-p1' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 Pull crypto updates from Herbert Xu: "API: - Add sig driver API - Remove signing/verification from akcipher API - Move crypto_simd_disabled_for_test to lib/crypto - Add WARN_ON for return values from driver that indicates memory corruption Algorithms: - Provide crc32-arch and crc32c-arch through Crypto API - Optimise crc32c code size on x86 - Optimise crct10dif on arm/arm64 - Optimise p10-aes-gcm on powerpc - Optimise aegis128 on x86 - Output full sample from test interface in jitter RNG - Retry without padata when it fails in pcrypt Drivers: - Add support for Airoha EN7581 TRNG - Add support for STM32MP25x platforms in stm32 - Enable iproc-r200 RNG driver on BCMBCA - Add Broadcom BCM74110 RNG driver" * tag 'v6.13-p1' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (112 commits) crypto: marvell/cesa - fix uninit value for struct mv_cesa_op_ctx crypto: cavium - Fix an error handling path in cpt_ucode_load_fw() crypto: aesni - Move back to module_init crypto: lib/mpi - Export mpi_set_bit crypto: aes-gcm-p10 - Use the correct bit to test for P10 hwrng: amd - remove reference to removed PPC_MAPLE config crypto: arm/crct10dif - Implement plain NEON variant crypto: arm/crct10dif - Macroify PMULL asm code crypto: arm/crct10dif - Use existing mov_l macro instead of __adrl crypto: arm64/crct10dif - Remove remaining 64x64 PMULL fallback code crypto: arm64/crct10dif - Use faster 16x64 bit polynomial multiply crypto: arm64/crct10dif - Remove obsolete chunking logic crypto: bcm - add error check in the ahash_hmac_init function crypto: caam - add error check to caam_rsa_set_priv_key_form hwrng: bcm74110 - Add Broadcom BCM74110 RNG driver dt-bindings: rng: add binding for BCM74110 RNG padata: Clean up in padata_do_multithreaded() crypto: inside-secure - Fix the return value of safexcel_xcbcmac_cra_init() crypto: qat - Fix missing destroy_workqueue in adf_init_aer() crypto: rsassa-pkcs1 - Reinstate support for legacy protocols ... commit 1af29b34ea7f63c3e7225c324ffa86c9748874e4 Merge: 78516f4aefff40 32b0901e141f6d Author: Linus Torvalds Date: Tue Nov 19 10:25:47 2024 -0800 Merge tag 'chrome-platform-firmware-for-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/chrome-platform/linux Pull chrome platform firmware updates from Tzung-Bi Shih: - Do not double register "simple-framebuffer" platform device if Generic System Framebuffers (sysfb) already did that - Fix a missing of unregistering platform driver in error handling path * tag 'chrome-platform-firmware-for-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/chrome-platform/linux: firmware: google: Unregister driver_info on failure firmware: coreboot: Don't register a pdev if screen_info data is present firmware: sysfb: Add a sysfb_handles_screen_info() helper function commit 78516f4aefff408bdc2e867b996065279c5dc89a Merge: 311e062ad504bd ea45f3f46734a4 Author: Linus Torvalds Date: Tue Nov 19 10:24:12 2024 -0800 Merge tag 'chrome-platform-for-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/chrome-platform/linux Pull chrome platform updates from Tzung-Bi Shih: "Fixes: - Fix a leak of fwnode refcount. Cleanups: - Drop unused I2C driver data - Move back from platform_driver::remove_new() to platform_driver::remove()" * tag 'chrome-platform-for-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/chrome-platform/linux: platform/chrome: Switch back to struct platform_driver::remove() platform/chrome: cros_ec_typec: fix missing fwnode reference decrement platform/chrome: Drop explicit initialization of struct i2c_device_id::driver_data to 0 commit 311e062ad504bdf49e93cb88a22ba04d5134111c Merge: d7d4102f0a4a01 9861f7f66f98a6 Author: Linus Torvalds Date: Tue Nov 19 10:18:45 2024 -0800 Merge tag 'csd-lock.2024.11.16a' of git://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu Pull CSD-lock update from Paul McKenney: "This switches from sched_clock() to ktime_get_mono_fast_ns(), which on x86 switches from the rdtsc instruction to the rdtscp instruction, thus avoiding instruction reorderings that cause false-positive reports of CSD-lock stalls of almost 2^46 nanoseconds. These false positives are rare, but really are seen in the wild" * tag 'csd-lock.2024.11.16a' of git://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu: locking/csd-lock: Switch from sched_clock() to ktime_get_mono_fast_ns() commit d7d4102f0a4a015528c0be61688bf6edf72f81f4 Merge: 26c9fdd6f3a4ab f946cae86d088d Author: Linus Torvalds Date: Tue Nov 19 10:16:59 2024 -0800 Merge tag 'scftorture.2024.11.16a' of git://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu Pull scftorture updates from Paul McKenney: - Avoid divide operation - Fix cleanup code waiting for IPI handlers - Move memory allocations out of preempt-disable region of code for PREEMPT_RT compatibility - Use a lockless list to avoid freeing memory while interrupts are disabled, again for PREEMPT_RT compatibility - Make lockless list scf_add_to_free_list() correctly handle freeing a NULL pointer * tag 'scftorture.2024.11.16a' of git://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu: scftorture: Handle NULL argument passed to scf_add_to_free_list(). scftorture: Use a lock-less list to free memory. scftorture: Move memory allocation outside of preempt_disable region. scftorture: Wait until scf_cleanup_handler() completes. scftorture: Avoid additional div operation. commit 26c9fdd6f3a4ab6c49500b6bb0fdd0a87c63932d Merge: 158f238aa69d91 ad0558f3883130 Author: Linus Torvalds Date: Tue Nov 19 10:13:53 2024 -0800 Merge tag 'nolibc.2024.11.01a' of git://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu Pull nolibc updates from Paul McKenney: - Fix potential error due to missing #include on s390 - Compatibility with -Wmissing-fallthrough - Run qemu with more memory during tests * tag 'nolibc.2024.11.01a' of git://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu: selftests/nolibc: start qemu with 1 GiB of memory tools/nolibc: compiler: add macro __nolibc_fallthrough tools/nolibc: s390: include std.h commit 0109ee00788e0ad7b888a799c26b5a93b343876b Author: Mario Limonciello Date: Sun Nov 17 20:55:27 2024 -0600 ASoC: amd: Fix build dependencies for `SND_SOC_AMD_PS` The pci-ps module now must have `SND_SOC_ACPI_AMD_MATCH` selected to reference the `snd_soc_acpi_amd_acp63_sdw_machines` symbol. Fixes: 56d540befd59 ("ASoC: amd: ps: add soundwire machines for acp6.3 platform") Cc: Vijendar.Mukunda@amd.com Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202411180658.mIeWje2V-lkp@intel.com/ Signed-off-by: Mario Limonciello Link: https://patch.msgid.link/20241118025527.3318493-1-superm1@kernel.org Signed-off-by: Mark Brown commit a1d9b4fd42d93f46c11e7e9d919a55a3f6ca6126 Author: John Garry Date: Mon Nov 18 10:50:18 2024 +0000 md/raid10: Atomic write support Set BLK_FEAT_ATOMIC_WRITES_STACKED to enable atomic writes. For an attempt to atomic write to a region which has bad blocks, error the write as we just cannot do this. It is unlikely to find devices which support atomic writes and bad blocks. Reviewed-by: Yu Kuai Signed-off-by: John Garry Reviewed-by: Martin K. Petersen Link: https://lore.kernel.org/r/20241118105018.1870052-6-john.g.garry@oracle.com Signed-off-by: Jens Axboe commit f2a38abf5f1c5aeb3be8e9f4d3d815c867fff7ca Author: John Garry Date: Mon Nov 18 10:50:17 2024 +0000 md/raid1: Atomic write support Set BLK_FEAT_ATOMIC_WRITES_STACKED to enable atomic writes. For an attempt to atomic write to a region which has bad blocks, error the write as we just cannot do this. It is unlikely to find devices which support atomic writes and bad blocks. Reviewed-by: Yu Kuai Signed-off-by: John Garry Reviewed-by: Martin K. Petersen Link: https://lore.kernel.org/r/20241118105018.1870052-5-john.g.garry@oracle.com Signed-off-by: Jens Axboe commit fa6fec82811bc6ebd3c4337ae4dae36c802c0fc1 Author: John Garry Date: Mon Nov 18 10:50:16 2024 +0000 md/raid0: Atomic write support Set BLK_FEAT_ATOMIC_WRITES_STACKED to enable atomic writes. All other stacked device request queue limits should automatically be set properly. With regards to atomic write max bytes limit, this will be set at hw_max_sectors and this is limited by the stripe width, which we want. Reviewed-by: Yu Kuai Signed-off-by: John Garry Reviewed-by: Martin K. Petersen Link: https://lore.kernel.org/r/20241118105018.1870052-4-john.g.garry@oracle.com Signed-off-by: Jens Axboe commit d7f36dc446e894e0f57b5f05c5628f03c5f9e2d2 Author: John Garry Date: Mon Nov 18 10:50:15 2024 +0000 block: Support atomic writes limits for stacked devices Allow stacked devices to support atomic writes by aggregating the minimum capability of all bottom devices. Flag BLK_FEAT_ATOMIC_WRITES_STACKED is set for stacked devices which have been enabled to support atomic writes. Some things to note on the implementation: - For simplicity, all bottom devices must have same atomic write boundary value (if any) - The atomic write boundary must be a power-of-2 already, but this restriction could be relaxed. Furthermore, it is now required that the chunk sectors for a top device must be aligned with this boundary. - If a bottom device atomic write unit min/max are not aligned with the top device chunk sectors, the top device atomic write unit min/max are reduced to a value which works for the chunk sectors. Reviewed-by: Christoph Hellwig Signed-off-by: John Garry Reviewed-by: Martin K. Petersen Link: https://lore.kernel.org/r/20241118105018.1870052-3-john.g.garry@oracle.com Signed-off-by: Jens Axboe commit d00eea91deaf363f83599532cb49fa528ab8e00e Author: John Garry Date: Mon Nov 18 10:50:14 2024 +0000 block: Add extra checks in blk_validate_atomic_write_limits() It is so far expected that the limits passed are valid. In future atomic writes will be supported for stacked block devices, and calculating the limits there will be complicated, so add extra sanity checks to ensure that the values are always valid. Reviewed-by: Christoph Hellwig Signed-off-by: John Garry Reviewed-by: Martin K. Petersen Link: https://lore.kernel.org/r/20241118105018.1870052-2-john.g.garry@oracle.com Signed-off-by: Jens Axboe commit 5262bcbb41d526f944a91a6a6c88dfb6fba3889b Author: Neil Armstrong Date: Fri Nov 15 11:04:26 2024 +0100 dt-bindings: regulator: qcom-labibb-regulator: document the pmi8950 labibb regulator Document the pmi8950 labibb regulator with the pmi8998 compatible as fallback since they share the same hardware settings. Signed-off-by: Neil Armstrong Acked-by: Rob Herring (Arm) Link: https://patch.msgid.link/20241115-topic-sdm450-upstream-lab-ibb-bindings-v1-1-1f4bff4583b0@linaro.org Signed-off-by: Mark Brown commit 9f5cbdaae5f760c218c82e0a5e0f9c58bac56f0c Author: Rob Herring (Arm) Date: Fri Nov 15 13:50:49 2024 -0600 arm64: dts: apm: Remove unused and undocumented "bus_num" property Remove "bus_num" property which is both unused in the kernel and undocumented. Most likely they are leftovers from downstream. Signed-off-by: Rob Herring (Arm) Link: https://lore.kernel.org/r/20241115195049.3637454-2-robh@kernel.org Signed-off-by: Arnd Bergmann commit a21b2eb7cfe28227ecc2e702b4a2aad8068d4ad2 Author: Rob Herring (Arm) Date: Fri Nov 15 13:38:34 2024 -0600 arm: dts: spear13xx: Remove unused and undocumented "pl022,slave-tx-disable" property Remove "pl022,slave-tx-disable" property which is both unused in the kernel and undocumented. Most likely they are leftovers from downstream. Signed-off-by: Rob Herring (Arm) Acked-by: Viresh Kumar Link: https://lore.kernel.org/r/20241115193835.3623725-1-robh@kernel.org Signed-off-by: Arnd Bergmann commit 26bda0dff9ca74ae071643e0176f248d72f43580 Author: Rob Herring (Arm) Date: Fri Nov 15 13:37:40 2024 -0600 arm64: dts: amd: Remove unused and undocumented "amd,zlib-support" property Remove "amd,zlib-support" property which is both unused in the kernel and undocumented. Most likely they are leftovers from downstream. Signed-off-by: Rob Herring (Arm) Link: https://lore.kernel.org/r/20241115193740.3622591-2-robh@kernel.org Signed-off-by: Arnd Bergmann commit 44a50de51b8273ca90f7476cd21a529ee9a545db Merge: a1cc63408f72f0 dd36ad71ad6596 Author: Arnd Bergmann Date: Tue Nov 19 18:01:29 2024 +0100 Merge tag 'sunxi-fixes-for-6.12' of https://git.kernel.org/pub/scm/linux/kernel/git/sunxi/linux into soc/dt Allwinner fixes for 6.12 - Fix DCDC5 voltage range on Cubieboard 4 * tag 'sunxi-fixes-for-6.12' of https://git.kernel.org/pub/scm/linux/kernel/git/sunxi/linux: ARM: dts: cubieboard4: Fix DCDC5 regulator constraints commit f06e108a3dc53c0f5234d18de0bd224753db5019 Author: Jan Hendrik Farr Date: Tue Oct 29 15:00:36 2024 +0100 Compiler Attributes: disable __counted_by for clang < 19.1.3 This patch disables __counted_by for clang versions < 19.1.3 because of the two issues listed below. It does this by introducing CONFIG_CC_HAS_COUNTED_BY. 1. clang < 19.1.2 has a bug that can lead to __bdos returning 0: https://github.com/llvm/llvm-project/pull/110497 2. clang < 19.1.3 has a bug that can lead to __bdos being off by 4: https://github.com/llvm/llvm-project/pull/112636 Fixes: c8248faf3ca2 ("Compiler Attributes: counted_by: Adjust name and identifier expansion") Cc: stable@vger.kernel.org # 6.6.x: 16c31dd7fdf6: Compiler Attributes: counted_by: bump min gcc version Cc: stable@vger.kernel.org # 6.6.x: 2993eb7a8d34: Compiler Attributes: counted_by: fixup clang URL Cc: stable@vger.kernel.org # 6.6.x: 231dc3f0c936: lkdtm/bugs: Improve warning message for compilers without counted_by support Cc: stable@vger.kernel.org # 6.6.x Reported-by: Nathan Chancellor Closes: https://lore.kernel.org/all/20240913164630.GA4091534@thelio-3990X/ Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-lkp/202409260949.a1254989-oliver.sang@intel.com Link: https://lore.kernel.org/all/Zw8iawAF5W2uzGuh@archlinux/T/#m204c09f63c076586a02d194b87dffc7e81b8de7b Suggested-by: Nathan Chancellor Signed-off-by: Jan Hendrik Farr Reviewed-by: Nathan Chancellor Tested-by: Nathan Chancellor Reviewed-by: Miguel Ojeda Reviewed-by: Thorsten Blum Link: https://lore.kernel.org/r/20241029140036.577804-2-kernel@jfarr.cc Signed-off-by: Kees Cook commit 34c1227035b3ab930a1ae6ab6f22fec1af8ab09e Author: Ming Lei Date: Tue Nov 19 11:06:46 2024 +0800 ublk: fix error code for unsupported command ENOTSUPP is for kernel use only, and shouldn't be sent to userspace. Fix it by replacing it with EOPNOTSUPP. Cc: stable@vger.kernel.org Fixes: bfbcef036396 ("ublk_drv: move ublk_get_device_from_id into ublk_ctrl_uring_cmd") Signed-off-by: Ming Lei Link: https://lore.kernel.org/r/20241119030646.2319030-1-ming.lei@redhat.com Signed-off-by: Jens Axboe commit e924da7d6622b72f9eee78a3aad3e75b859da341 Author: John Garry Date: Tue Nov 12 09:21:44 2024 +0000 block: Drop granularity check in queue_limit_discard_alignment() lim->discard_granularity is always at least SECTOR_SIZE, so drop the pointless check for granularity less than SECTOR_SIZE. Signed-off-by: John Garry Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/20241112092144.4059847-1-john.g.garry@oracle.com Signed-off-by: Jens Axboe commit e9869c85c81168a1275f909d5972a3fc435304be Author: Nilay Shroff Date: Tue Nov 5 11:42:09 2024 +0530 nvme-fabrics: fix kernel crash while shutting down controller The nvme keep-alive operation, which executes at a periodic interval, could potentially sneak in while shutting down a fabric controller. This may lead to a race between the fabric controller admin queue destroy code path (invoked while shutting down controller) and hw/hctx queue dispatcher called from the nvme keep-alive async request queuing operation. This race could lead to the kernel crash shown below: Call Trace: autoremove_wake_function+0x0/0xbc (unreliable) __blk_mq_sched_dispatch_requests+0x114/0x24c blk_mq_sched_dispatch_requests+0x44/0x84 blk_mq_run_hw_queue+0x140/0x220 nvme_keep_alive_work+0xc8/0x19c [nvme_core] process_one_work+0x200/0x4e0 worker_thread+0x340/0x504 kthread+0x138/0x140 start_kernel_thread+0x14/0x18 While shutting down fabric controller, if nvme keep-alive request sneaks in then it would be flushed off. The nvme_keep_alive_end_io function is then invoked to handle the end of the keep-alive operation which decrements the admin->q_usage_counter and assuming this is the last/only request in the admin queue then the admin->q_usage_counter becomes zero. If that happens then blk-mq destroy queue operation (blk_mq_destroy_ queue()) which could be potentially running simultaneously on another cpu (as this is the controller shutdown code path) would forward progress and deletes the admin queue. So, now from this point onward we are not supposed to access the admin queue resources. However the issue here's that the nvme keep-alive thread running hw/hctx queue dispatch operation hasn't yet finished its work and so it could still potentially access the admin queue resource while the admin queue had been already deleted and that causes the above crash. The above kernel crash is regression caused due to changes implemented in commit a54a93d0e359 ("nvme: move stopping keep-alive into nvme_uninit_ctrl()"). Ideally we should stop keep-alive before destroyin g the admin queue and freeing the admin tagset so that it wouldn't sneak in during the shutdown operation. However we removed the keep alive stop operation from the beginning of the controller shutdown code path in commit a54a93d0e359 ("nvme: move stopping keep-alive into nvme_uninit_ctrl()") and added it under nvme_uninit_ctrl() which executes very late in the shutdown code path after the admin queue is destroyed and its tagset is removed. So this change created the possibility of keep-alive sneaking in and interfering with the shutdown operation and causing observed kernel crash. To fix the observed crash, we decided to move nvme_stop_keep_alive() from nvme_uninit_ctrl() to nvme_remove_admin_tag_set(). This change would ensure that we don't forward progress and delete the admin queue until the keep- alive operation is finished (if it's in-flight) or cancelled and that would help contain the race condition explained above and hence avoid the crash. Moving nvme_stop_keep_alive() to nvme_remove_admin_tag_set() instead of adding nvme_stop_keep_alive() to the beginning of the controller shutdown code path in nvme_stop_ctrl(), as was the case earlier before commit a54a93d0e359 ("nvme: move stopping keep-alive into nvme_uninit_ctrl()"), would help save one callsite of nvme_stop_keep_alive(). Fixes: a54a93d0e359 ("nvme: move stopping keep-alive into nvme_uninit_ctrl()") Link: https://lore.kernel.org/all/1a21f37b-0f2a-4745-8c56-4dc8628d3983@linux.ibm.com/ Reviewed-by: Ming Lei Signed-off-by: Nilay Shroff Signed-off-by: Keith Busch commit 84488282166de6b6760ada8030e87aaa08bce3aa Author: Nilay Shroff Date: Tue Nov 5 11:42:08 2024 +0530 Revert "nvme: make keep-alive synchronous operation" This reverts commit d06923670b5a5f609603d4a9fee4dec02d38de9c. It was realized that the fix implemented to contain the race condition among the keep alive task and the fabric shutdown code path in the commit d06923670b5ia ("nvme: make keep-alive synchronous operation") is not optimal. The reason being keep-alive runs under the workqueue and making it synchronous would waste a workqueue context. Furthermore, we later found that the above race condition is a regression caused due to the changes implemented in commit a54a93d0e359 ("nvme: move stopping keep-alive into nvme_uninit_ctrl()"). So we decided to revert the commit d06923670b5a ("nvme: make keep-alive synchronous operation") and then fix the regression. Link: https://lore.kernel.org/all/196f4013-3bbf-43ff-98b4-9cb2a96c20c2@grimberg.me/ Reviewed-by: Ming Lei Signed-off-by: Nilay Shroff Signed-off-by: Keith Busch commit b49125574cae26458d4aa02ce8f4523ba9a2a328 Author: OGAWA Hirofumi Date: Tue Nov 19 23:42:23 2024 +0900 loop: Fix ABBA locking race Current loop calls vfs_statfs() while holding the q->limits_lock. If FS takes some locking in vfs_statfs callback, this may lead to ABBA locking bug (at least, FAT fs has this issue actually). So this patch calls vfs_statfs() outside q->limits_locks instead, because looks like no reason to hold q->limits_locks while getting discord configs. Chain exists of: &sbi->fat_lock --> &q->q_usage_counter(io)#17 --> &q->limits_lock Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&q->limits_lock); lock(&q->q_usage_counter(io)#17); lock(&q->limits_lock); lock(&sbi->fat_lock); *** DEADLOCK *** Reported-by: syzbot+a5d8c609c02f508672cc@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=a5d8c609c02f508672cc Reviewed-by: Ming Lei Signed-off-by: OGAWA Hirofumi Signed-off-by: Jens Axboe commit 46fd48ab3ea3eb3bb215684bd66ea3d260b091a9 Author: Christoph Hellwig Date: Tue Nov 19 08:26:02 2024 +0100 block: return unsigned int from bdev_io_min The underlying limit is defined as an unsigned int, so return that from bdev_io_min as well. Fixes: ac481c20ef8f ("block: Topology ioctls") Signed-off-by: Christoph Hellwig Reviewed-by: Martin K. Petersen Reviewed-by: John Garry Link: https://lore.kernel.org/r/20241119072602.1059488-1-hch@lst.de Signed-off-by: Jens Axboe commit 571f8b3f866a6d990a50fe5c89fe0ea78784d70b Author: Gabriele Monaco Date: Thu Oct 17 08:42:39 2024 +0200 verification/dot2: Improve dot parser robustness This patch makes the dot parser used by dot2c and dot2k slightly more robust, namely: * allows parsing files with the gv extension (GraphViz) * correctly parses edges with any indentation * used to work only with a single character (e.g. '\t') Additionally it fixes a couple of warnings reported by pylint such as wrong indentation and comparison to False instead of `not ...` Link: https://lore.kernel.org/20241017064238.41394-2-gmonaco@redhat.com Signed-off-by: Gabriele Monaco Signed-off-by: Steven Rostedt (Google) commit 4d8c1ba0790b4341a58e2042810a952c62df06e9 Author: furkanonder Date: Mon Oct 21 15:13:57 2024 +0000 tools/rtla: Improve exception handling in timerlat_load.py The enhancements made to timerlat_load.py are intended to improve the script's exception handling. Summary of the changes: - Specific exceptions are now caught for CPU affinity and priority settings, with clearer error messages provided. - The timerlat file descriptor opening now includes handling for PermissionError and OSError, with informative messages. - In the infinite loop, generic exceptions have been replaced with specific types like KeyboardInterrupt and IOError, improving feedback. Before: $ sudo python timerlat_load.py 122 Error setting affinity After: $ sudo python timerlat_load.py 122 Error setting affinity: [Errno 22] Invalid argument Before: $ sudo python timerlat_load.py 1 -p 950 Error setting priority After: $ sudo python timerlat_load.py 1 -p 950 Error setting priority: [Errno 22] Invalid argument Before: $ python timerlat_load.py 1 Error opening timerlat fd, did you run timerlat -U? After: $ python timerlat_load.py 1 Permission denied. Please check your access rights. Cc: "lgoncalv@redhat.com" Cc: "jkacur@redhat.com" Link: https://lore.kernel.org/Q_k1s4hBtUy2px8ou0QKenjEK2_T_LoV8IxAE79aBakBogb-7uHp2fpET3oWtI1t3dy8uKjWeRzQOdKNzIzOOpyM4OjutJOriZ9TrGY6b-g=@protonmail.com Signed-off-by: Furkan Onder Reviewed-by: Tomas Glozar Signed-off-by: Steven Rostedt (Google) commit bd26818343dc02936a4f2f7b63368d5e1e1773c8 Author: furkanonder Date: Mon Oct 21 15:12:30 2024 +0000 tools/rtla: Enhance argument parsing in timerlat_load.py The enhancements made to timerlat_load.py are aimed at improving the clarity of argument parsing. Summary of Changes: - The cpu argument is now specified as an integer type in the argument parser to enforce input validation, and the construction of affinity_mask has been simplified to directly use the integer value of args.cpu. - The prio argument is similarly updated to be of integer type for consistency and validation, eliminating the need for the conversion of args.prio to an integer, as this is now handled by the argument parser. Cc: "jkacur@redhat.com" Cc: "lgoncalv@redhat.com" Link: https://lore.kernel.org/QfgO7ayKD9dsLk8_ZDebkAV0OF7wla7UmasbP9CBmui_sChOeizy512t3RqCHTjvQoUBUDP8dwEOVCdHQ5KvVNEiP69CynMY94SFDERWl94=@protonmail.com Signed-off-by: Furkan Onder Reviewed-by: Tomas Glozar Signed-off-by: Steven Rostedt (Google) commit fc5f5aef9f97788f085651923789e3c53c065f58 Author: furkanonder Date: Mon Oct 21 15:09:49 2024 +0000 tools/rtla: Improve code readability in timerlat_load.py The enhancements made to timerlat_load.py are intended to improve the script's robustness and readability. Summary of the changes: - Unnecessary semicolons at the end of lines have been removed. - Parentheses surrounding the if statement checking args.prio have been eliminated. - String concatenation for constructing timerlat_path has been replaced with an f-string. - Spacing in a multiplication expression has been adjusted for improved clarity. Cc: "jkacur@redhat.com" Cc: "lgoncalv@redhat.com" Link: https://lore.kernel.org/j2B-ted7pv3TaldTyqfIHrMmjq2fVyBFgnu3TskiQJsyRzy9loPTVVJoqHnrCWu5T88MDIFc612jUglH6Sxkdg9LN-I1XuITmoL70uECmus=@protonmail.com Signed-off-by: Furkan Onder Reviewed-by: Tomas Glozar Signed-off-by: Steven Rostedt (Google) commit fcbc60d7dc4b125c8de130aa1512e5d20726c06e Author: Tomas Glozar Date: Mon Oct 21 14:31:40 2024 +0200 rtla/timerlat: Do not set params->user_workload with -U Since commit fb9e90a67ee9 ("rtla/timerlat: Make user-space threads the default"), rtla-timerlat has been defaulting to params->user_workload if neither that or params->kernel_workload is set. This has unintentionally made -U, which sets only params->user_hist/top but not params->user_workload, to behave like -u unless -k is set, preventing the user from running a custom workload. Example: $ rtla timerlat hist -U -c 0 & [1] 7413 $ python sample/timerlat_load.py 0 Error opening timerlat fd, did you run timerlat -U? $ ps | grep timerlatu 7415 pts/4 00:00:00 timerlatu/0 Fix the issue by checking for params->user_top/hist instead of params->user_workload when setting default thread mode. Link: https://lore.kernel.org/20241021123140.14652-1-tglozar@redhat.com Fixes: fb9e90a67ee9 ("rtla/timerlat: Make user-space threads the default") Signed-off-by: Tomas Glozar Signed-off-by: Steven Rostedt (Google) commit dd7207838d38780b51e4690ee508ab2d5057e099 Merge: 96ed62ea02984f 66418447d27b7f Author: Paolo Abeni Date: Tue Nov 19 13:27:50 2024 +0100 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Merge in late fixes to prepare for the 6.13 net-next PR. Conflicts: include/linux/phy.h 41ffcd95015f net: phy: fix phylib's dual eee_enabled 721aa69e708b net: phy: convert eee_broken_modes to a linkmode bitmap https://lore.kernel.org/all/20241118135512.1039208b@canb.auug.org.au/ drivers/net/ethernet/wangxun/txgbe/txgbe_phy.c 2160428bcb20 net: txgbe: fix null pointer to pcs 2160428bcb20 net: txgbe: remove GPIO interrupt controller Adjacent commits: include/linux/phy.h 41ffcd95015f net: phy: fix phylib's dual eee_enabled 516a5f11eb97 net: phy: respect cached advertising when re-enabling EEE Signed-off-by: Paolo Abeni commit ffd1cf0443a208b80e40100ed02892d2ec74c7e9 Author: Andreas Gruenbacher Date: Tue Nov 19 12:15:26 2024 +0100 gfs2: Prevent inode creation race When a request to evict an inode comes in over the network, we are trying to grab an inode reference via the iopen glock's gl_object pointer. There is a very small probability that by the time such a request comes in, inode creation hasn't completed and the I_NEW flag is still set. To deal with that, wait for the inode and then check if inode creation was successful. Signed-off-by: Andreas Gruenbacher commit c752e87b9c3982b78dddcdd70dcb826df3cfd75d Author: Jon Lin Date: Mon Nov 18 22:56:46 2024 +0800 spi: rockchip-sfc: Embedded DMA only support 4B aligned address Controller limitations. Signed-off-by: Jon Lin Link: https://patch.msgid.link/20241118145646.2609039-1-jon.lin@rock-chips.com Signed-off-by: Mark Brown commit c5b7a2400edc458b22133d5e5394bea26eab1923 Author: Andreas Gruenbacher Date: Tue Nov 19 10:44:56 2024 +0100 gfs2: Only defer deletes when we have an iopen glock The mechanism to defer deleting unlinked inodes is tied to delete_work_func(), which is tied to iopen glocks. When we don't have an iopen glock, we must carry out deletes immediately instead. Fixes a NULL pointer dereference in gfs2_evict_inode(). Fixes: 8c21c2c71e66 ("gfs2: Call gfs2_queue_verify_delete from gfs2_evict_inode") Signed-off-by: Andreas Gruenbacher commit 96ed62ea02984f14b6d4f2e4aed327d803875b7a Author: Yunsheng Lin Date: Tue Nov 19 11:30:11 2024 +0800 mm: page_frag: fix a compile error when kernel is not compiled page_frag test module is an out of tree module, but built using KDIR as the main kernel tree, the mm test suite is just getting skipped if newly added page_frag test module fails to compile due to kernel not yet compiled. Fix the above problem by ensuring both kernel is built first and a newer kernel which has page_frag_cache.h is used. CC: Andrew Morton CC: Alexander Duyck CC: Linux-MM Fixes: 7fef0dec415c ("mm: page_frag: add a test module for page_frag") Fixes: 65941f10caf2 ("mm: move the page fragment allocator from page_alloc into its own file") Reported-by: Mark Brown Signed-off-by: Yunsheng Lin Tested-by: Mark Brown Link: https://patch.msgid.link/20241119033012.257525-1-linyunsheng@huawei.com Signed-off-by: Paolo Abeni commit 34267d3c26fe5e43589fc8c2b50ab033b261ee8e Merge: f8470006c4d6bd 98d1fb94ce75f3 Author: Miquel Raynal Date: Tue Nov 19 12:15:24 2024 +0100 Merge tag 'spi-nor/for-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux into mtd/next SPI NOR introduces byte swap support for 8D-8D-8D mode and a user for it: macronix. SPI NOR flashes may swap the bytes on a 16-bit boundary when configured in Octal DTR mode. For such cases the byte order is propagated through SPI MEM to the SPI controllers so that the controllers swap the bytes back at runtime. This avoids breaking the boot sequence because of the endianness problems that appear when the bootloaders use 1-1-1 and the kernel uses 8D-8D-8D with byte swap support. Along with the SPI MEM byte swap support we queue a patch for the SPI MXIC controller that swaps the bytes back at runtime. # -----BEGIN PGP SIGNATURE----- # # iQEzBAABCgAdFiEEHUIqys8OyG1eHf7fS1VPR6WNFOkFAmczG/oACgkQS1VPR6WN # FOnTCAf/YjH9AimQAFJLRKoGqsf6boh1JppcRh1YTRS+D6+Ap9+s1gJoZZYs5VWA # vNfBzGqDXknBvpmOgoXnuDu2zFs9FUvdN5Kf7w6LiS5qtz7uOxHdVoDQyDgnN6w5 # 9ts7qF7LViBHg/HgTEzQT2Zj6qmvIwUbccIkmJeehWjEP/urzOML5nPnM9g4HZVB # W8B5KQ4TiOY1GxkXvIP6EQS6mDKznP3yl2Hnsmk0HPpSm6D807O2zvT+z1SCxpjy # C8+mYRKsRxHoFGL6UzWgqREGBn2wzF7Ral1CR9SpSZZLLtr6S0shqRzKiiH8eiZK # 1hFpXzMS3OWi4a/5724AWaqcR0Qgqw== # =jf3Q # -----END PGP SIGNATURE----- # gpg: Signature made Tue 12 Nov 2024 10:12:26 AM CET # gpg: using RSA key 1D422ACACF0EC86D5E1DFEDF4B554F47A58D14E9 # gpg: Good signature from "Tudor Ambarus (4096-bit rsa key) " [full] # gpg: aka "Tudor Ambarus " [full] # gpg: tudor.ambarus@microchip.com: Verified 15 signatures in the past 5 years. # Encrypted 0 messages. # gpg: tudor.ambarus@gmail.com: Verified 15 signatures in the past 5 years. # Encrypted 0 messages. commit 8ea412e181310666b4b36573480fc64425313d8b Author: Patrick Donnelly Date: Sat Oct 12 13:23:02 2024 -0400 ceph: improve caps debugging output This improves uniformity and exposes important sequence numbers. Now looks like: <7>[ 73.749563] ceph: caps.c:4465 : [c9653bca-110b-4f70-9f84-5a195b205e9a 15290] caps mds2 op export ino 20000000000.fffffffffffffffe inode 0000000008d2e5ea seq 0 iseq 0 mseq 0 ... <7>[ 73.749574] ceph: caps.c:4102 : [c9653bca-110b-4f70-9f84-5a195b205e9a 15290] cap 20000000000.fffffffffffffffe export to peer 1 piseq 1 pmseq 1 ... <7>[ 73.749645] ceph: caps.c:4465 : [c9653bca-110b-4f70-9f84-5a195b205e9a 15290] caps mds1 op import ino 20000000000.fffffffffffffffe inode 0000000008d2e5ea seq 1 iseq 1 mseq 1 ... <7>[ 73.749681] ceph: caps.c:4244 : [c9653bca-110b-4f70-9f84-5a195b205e9a 15290] cap 20000000000.fffffffffffffffe import from peer 2 piseq 686 pmseq 0 ... <7>[ 248.645596] ceph: caps.c:4465 : [c9653bca-110b-4f70-9f84-5a195b205e9a 15290] caps mds1 op revoke ino 20000000000.fffffffffffffffe inode 0000000008d2e5ea seq 2538 iseq 1 mseq 1 See also ceph.git commit cb4ff28af09f ("mds: add issue_seq to all cap messages"). Link: https://tracker.ceph.com/issues/66704 Signed-off-by: Patrick Donnelly Reviewed-by: Ilya Dryomov Signed-off-by: Ilya Dryomov commit a202e6014709d329346b0766e89f797ef0d1eccf Author: tuqiang Date: Fri Nov 15 10:47:31 2024 +0800 Documentation: tipc: fix formatting issue in tipc.rst The hyphen is removed to have the same style as the others. Fixes: 09ef17863f37 ("Documentation: add more details in tipc.rst") Signed-off-by: tuqiang Signed-off-by: Jiang Kun Reviewed-by: Simon Horman Cc: xu xin Cc: David S. Miller Cc: Eric Dumazet Cc: Jakub Kicinski Cc: Paolo Abeni Cc: Jonathan Corbet Cc: Jon Maloy Cc: Xin Long Link: https://patch.msgid.link/20241115104731435HuFjZOmkaqumuFhB7mrwe@zte.com.cn Signed-off-by: Paolo Abeni commit 8b41ac43c7bb902786eae09cc23bcc9964ef2386 Author: Patrick Donnelly Date: Wed Jun 26 12:57:27 2024 -0400 ceph: correct ceph_mds_cap_peer field name The peer seq is used as the issue_seq. Use that name for consistency. See also ceph.git commit 1da6ef237fc7 ("include/ceph_fs: correct ceph_mds_cap_peer field name"). Link: https://tracker.ceph.com/issues/66704 Signed-off-by: Patrick Donnelly Reviewed-by: Ilya Dryomov Signed-off-by: Ilya Dryomov commit 50f42c489528566ea2d8a9561ee54748b0441d51 Author: Patrick Donnelly Date: Wed Jun 26 09:49:10 2024 -0400 ceph: correct ceph_mds_cap_item field name The issue_seq is sent with bulk cap releases, not the current sequence number. See also ceph.git commit 655cddb7c9f3 ("include/ceph_fs: correct ceph_mds_cap_item field name"). Link: https://tracker.ceph.com/issues/66704 Signed-off-by: Patrick Donnelly Reviewed-by: Ilya Dryomov Signed-off-by: Ilya Dryomov commit eb09fbeb48709fe66c0d708aed81e910a577a30a Author: Lizhi Xu Date: Wed Nov 13 17:51:29 2024 +0800 mac802154: check local interfaces before deleting sdata list syzkaller reported a corrupted list in ieee802154_if_remove. [1] Remove an IEEE 802.15.4 network interface after unregister an IEEE 802.15.4 hardware device from the system. CPU0 CPU1 ==== ==== genl_family_rcv_msg_doit ieee802154_unregister_hw ieee802154_del_iface ieee802154_remove_interfaces rdev_del_virtual_intf_deprecated list_del(&sdata->list) ieee802154_if_remove list_del_rcu The net device has been unregistered, since the rcu grace period, unregistration must be run before ieee802154_if_remove. To avoid this issue, add a check for local->interfaces before deleting sdata list. [1] kernel BUG at lib/list_debug.c:58! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 0 UID: 0 PID: 6277 Comm: syz-executor157 Not tainted 6.12.0-rc6-syzkaller-00005-g557329bcecc2 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:__list_del_entry_valid_or_report+0xf4/0x140 lib/list_debug.c:56 Code: e8 a1 7e 00 07 90 0f 0b 48 c7 c7 e0 37 60 8c 4c 89 fe e8 8f 7e 00 07 90 0f 0b 48 c7 c7 40 38 60 8c 4c 89 fe e8 7d 7e 00 07 90 <0f> 0b 48 c7 c7 a0 38 60 8c 4c 89 fe e8 6b 7e 00 07 90 0f 0b 48 c7 RSP: 0018:ffffc9000490f3d0 EFLAGS: 00010246 RAX: 000000000000004e RBX: dead000000000122 RCX: d211eee56bb28d00 RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000 RBP: ffff88805b278dd8 R08: ffffffff8174a12c R09: 1ffffffff2852f0d R10: dffffc0000000000 R11: fffffbfff2852f0e R12: dffffc0000000000 R13: dffffc0000000000 R14: dead000000000100 R15: ffff88805b278cc0 FS: 0000555572f94380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000056262e4a3000 CR3: 0000000078496000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __list_del_entry_valid include/linux/list.h:124 [inline] __list_del_entry include/linux/list.h:215 [inline] list_del_rcu include/linux/rculist.h:157 [inline] ieee802154_if_remove+0x86/0x1e0 net/mac802154/iface.c:687 rdev_del_virtual_intf_deprecated net/ieee802154/rdev-ops.h:24 [inline] ieee802154_del_iface+0x2c0/0x5c0 net/ieee802154/nl-phy.c:323 genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline] genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2551 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline] netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357 netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901 sock_sendmsg_nosec net/socket.c:729 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:744 ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2607 ___sys_sendmsg net/socket.c:2661 [inline] __sys_sendmsg+0x292/0x380 net/socket.c:2690 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Reported-and-tested-by: syzbot+985f827280dc3a6e7e92@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=985f827280dc3a6e7e92 Signed-off-by: Lizhi Xu Reviewed-by: Miquel Raynal Link: https://lore.kernel.org/20241113095129.1457225-1-lizhi.xu@windriver.com Signed-off-by: Stefan Schmidt commit 2c87309ea741341c6722efdf1fb3f50dd427c823 Author: Keisuke Nishimura Date: Tue Oct 29 19:27:12 2024 +0100 ieee802154: ca8210: Add missing check for kfifo_alloc() in ca8210_probe() ca8210_test_interface_init() returns the result of kfifo_alloc(), which can be non-zero in case of an error. The caller, ca8210_probe(), should check the return value and do error-handling if it fails. Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver") Signed-off-by: Keisuke Nishimura Reviewed-by: Simon Horman Reviewed-by: Miquel Raynal Link: https://lore.kernel.org/20241029182712.318271-1-keisuke.nishimura@inria.fr Signed-off-by: Stefan Schmidt commit 16fe012a1359bf5ce2c6bc5e5e2cb3f628cd551b Merge: c664e2136f083b fbbf93556f0c1a Author: Paolo Abeni Date: Tue Nov 19 10:15:51 2024 +0100 Merge branch 'selftests-add-selftest-for-link-layer-and-performance-testing' Mohan Prasad says: ==================== selftests: Add selftest for link layer and performance testing The series of patches are for doing basic tests of NIC driver. Test comprises checks for auto-negotiation, speed, duplex state and throughput between local NIC and partner. Tools such as ethtool, iperf3 are used. Signed-off-by: Mohan Prasad J ==================== Link: https://patch.msgid.link/20241114192545.1742514-1-mohan.prasad@microchip.com Signed-off-by: Paolo Abeni commit fbbf93556f0c1ad9b53fd1ec8fd2e67b2debb740 Author: Mohan Prasad J Date: Fri Nov 15 00:55:20 2024 +0530 selftests: nic_performance: Add selftest for performance of NIC driver Add selftest case to check the send and receive throughput. Supported link modes between local NIC driver and partner are varied. Then send and receive throughput is captured and verified. Test uses iperf3 tool. Add iperf3 server/client function in GenerateTraffic class. Signed-off-by: Mohan Prasad J Signed-off-by: Paolo Abeni commit c087dc54394b3f8a2950007fb17a8937a38fe73a Author: Mohan Prasad J Date: Fri Nov 15 00:55:19 2024 +0530 selftests: nic_link_layer: Add selftest case for speed and duplex states Add selftest case for testing the speed and duplex state of local NIC driver and the partner based on the supported link modes obtained from the ethtool. Speed and duplex states are varied and verified using ethtool. Signed-off-by: Mohan Prasad J Signed-off-by: Paolo Abeni commit 6116075e18f79698419f2606d9cb34d23198f7e3 Author: Mohan Prasad J Date: Fri Nov 15 00:55:18 2024 +0530 selftests: nic_link_layer: Add link layer selftest for NIC driver Add selftest file for the link layer tests of a NIC driver. Test for auto-negotiation is added. Add LinkConfig class for changing link layer configs. Selftest makes use of ksft modules and ethtool. Include selftest file in the Makefile. Signed-off-by: Mohan Prasad J Signed-off-by: Paolo Abeni commit 376a33c4a0d8344bb575e1a6eeb748ee4d4675d3 Author: Suraj Kandpal Date: Mon Nov 4 09:29:51 2024 +0530 drm/i915/hdcp: Fix when the first read and write are retried Make sure that the first read/write in hdcp2_authentication_key_exchange are only retried when we have either DP/DPMST encoder connected, since we do this to give docks and dp encoders some extra time to get their HDCP DPCD registers ready only for DP/DPMST encoders as this issue is only observed here no need to burden other encoders with extra retries as this causes the HDMI connector to have some other timing issue and fails HDCP authentication. --v2 -Add intent of patch [Chaitanya] -Add reasoning for loop [Jani] -Make sure we forfiet the 50ms wait for non DP/DPMST encoders. --v3 -Remove the is_dp_encoder check [Jani/Chaitanya] -Make the commit message more clearer [Jani] Fixes: 9d5a05f86d2f ("drm/i915/hdcp: Retry first read and writes to downstream") Signed-off-by: Suraj Kandpal Reviewed-by: Chaitanya Kumar Borah Link: https://patchwork.freedesktop.org/patch/msgid/20241104035951.517837-1-suraj.kandpal@intel.com (cherry picked from commit 44499559496c1dac43583f4387d38de1b612a69b) Signed-off-by: Tvrtko Ursulin commit 3c592ce7991cdf03bc7d139d790ce58c82c5903b Author: Michael Ellerman Date: Tue Nov 12 19:41:34 2024 +1100 EDAC/powerpc: Remove PPC_MAPLE drivers These two drivers are only buildable for the powerpc "maple" platform (CONFIG_PPC_MAPLE), which has now been removed, see commit 62f8f307c80e ("powerpc/64: Remove maple platform"). Remove the drivers. Acked-by: Borislav Petkov (AMD) Signed-off-by: Michael Ellerman Link: https://patch.msgid.link/20241112084134.411964-1-mpe@ellerman.id.au commit 21a5352dc702d8e6dc874e0eb6ba6d81291a788a Merge: 0cf32b1f37180b ebac87cdd23068 c64ef7e4851d1a 4adb9201884d66 51e32e89753966 Author: Stephen Boyd Date: Mon Nov 18 20:01:35 2024 -0800 Merge branches 'clk-marvell', 'clk-adi', 'clk-qcom' and 'clk-devm' into clk-next - Add devm_clk_bulk_get_all_enabled() to return number of clks acquired - Marvell PXA1908 SoC clks * clk-marvell: clk: mmp: Add Marvell PXA1908 MPMU driver clk: mmp: Add Marvell PXA1908 APMU driver clk: mmp: Add Marvell PXA1908 APBCP driver clk: mmp: Add Marvell PXA1908 APBC driver dt-bindings: clock: Add Marvell PXA1908 clock bindings clk: mmp: Switch to use struct u32_fract instead of custom one * clk-adi: clk: clk-axi-clkgen: make sure to enable the AXI bus clock dt-bindings: clock: axi-clkgen: include AXI clk * clk-qcom: (43 commits) clk: qcom: remove unused data from gcc-ipq5424.c clk: qcom: Add support for Global Clock Controller on QCS8300 dt-bindings: clock: qcom: Add GCC clocks for QCS8300 clk: qcom: add Global Clock controller (GCC) driver for IPQ5424 SoC clk: qcom: clk-alpha-pll: Add NSS HUAYRA ALPHA PLL support for ipq9574 dt-bindings: clock: Add Qualcomm IPQ5424 GCC binding clk: qcom: add SAR2130P GPU Clock Controller support clk: qcom: dispcc-sm8550: enable support for SAR2130P clk: qcom: tcsrcc-sm8550: add SAR2130P support clk: qcom: add support for GCC on SAR2130P clk: qcom: rpmh: add support for SAR2130P clk: qcom: rcg2: add clk_rcg2_shared_floor_ops dt-bindings: clk: qcom,sm8450-gpucc: add SAR2130P compatibles dt-bindings: clock: qcom,sm8550-dispcc: Add SAR2130P compatible dt-bindings: clock: qcom,sm8550-tcsr: Add SAR2130P compatible dt-bindings: clock: qcom: document SAR2130P Global Clock Controller dt-bindings: clock: qcom,rpmhcc: Add SAR2130P compatible clk: qcom: Make GCC_6125 depend on QCOM_GDSC dt-bindings: clock: qcom: gcc-ipq9574: remove q6 bring up clock macros dt-bindings: clock: qcom: gcc-ipq5332: remove q6 bring up clock macros ... * clk-devm: clk: Provide devm_clk_bulk_get_all_enabled() helper commit 0cf32b1f37180bba9b7d2c54e902eadc44a4f7a7 Merge: b2f8240153fb76 31062ea8c850d9 9d0af685ca5025 dd8cbf41a61a83 681ed497d676db ea1ba200488107 Author: Stephen Boyd Date: Mon Nov 18 20:01:28 2024 -0800 Merge branches 'clk-samsung', 'clk-microchip', 'clk-imx', 'clk-amlogic' and 'clk-allwinner' into clk-next * clk-samsung: clk: samsung: Introduce Exynos8895 clock driver clk: samsung: clk-pll: Add support for pll_{1051x,1052x} dt-bindings: clock: samsung: Add Exynos8895 SoC clk: samsung: gs101: make all ufs related clocks critical clk: samsung: exynosautov920: add peric1, misc and hsi0/1 clock support dt-bindings: clock: exynosautov920: add peric1, misc and hsi0/1 clock definitions clk: samsung: Fix out-of-bound access of of_match_node() dt-bindings: clock: samsung: remove define with number of clocks for FSD clk: samsung: fsd: do not define number of clocks in bindings clk: samsung: Fix errors reported by checkpatch clk: samsung: Fix block comment style warnings reported by checkpatch * clk-microchip: clk: lan966x: add support for lan969x SoC clock driver clk: lan966x: prepare driver for lan969x support clk: lan966x: make clk_names const char * const dt-bindings: clock: add support for lan969x * clk-imx: clk: imx: imx8-acm: Fix return value check in clk_imx_acm_attach_pm_domains() clk: imx: lpcg-scu: Skip HDMI LPCG clock save/restore clk: imx: clk-scu: fix clk enable state save and restore clk: imx: fracn-gppll: fix pll power up clk: imx: fracn-gppll: correct PLL initialization flow clk: imx: lpcg-scu: SW workaround for errata (e10858) clk: imx: add i.MX91 clk dt-bindings: clock: Add i.MX91 clock support dt-bindings: clock: imx93: Drop IMX93_CLK_END macro definition clk: imx93: Move IMX93_CLK_END macro to clk driver clk: imx95-blk-ctl: Add one clock gate for HSIO block dt-bindings: clock: nxp,imx95-blk-ctl: Add compatible string for i.MX95 HSIO BLK CTRL * clk-amlogic: clk: amlogic: axg-audio: fix Kconfig dependency on RESET_MESON_AUX clk: amlogic: axg-audio: use the auxiliary reset driver reset: amlogic: Fix small whitespace issue reset: amlogic: add auxiliary reset driver support reset: amlogic: split the device core and platform probe reset: amlogic: move drivers to a dedicated directory reset: amlogic: add reset status support reset: amlogic: use reset number instead of register count reset: amlogic: add driver parameters reset: amlogic: make parameters unsigned reset: amlogic: use generic data matching function reset: amlogic: convert driver to regmap dt-bindings: clock: convert amlogic,meson8b-clkc.txt to dtschema clk: meson: meson8b: remove spinlock clk: meson: mpll: Delete a useless spinlock from the MPLL clk: meson: s4: pll: fix frac maximum value for hifi_pll clk: meson: c3: pll: fix frac maximum value for hifi_pll clk: meson: Support PLL with fixed fractional denominators clk: meson: s4: pll: hifi_pll support fractional multiplier * clk-allwinner: clk: sunxi-ng: Use of_property_present() for non-boolean properties clk: sunxi-ng: d1: Fix PLL_AUDIO0 preset clk: sunxi-ng: Constify struct ccu_reset_map clk: sunxi-ng: h616: Add sigma-delta modulation settings for audio PLL commit b2f8240153fb762e23dfc3dd1b042c299b3e265b Merge: 6af88ccfcbdce7 1cbdfcfd08c4f4 9abc1eb62aa155 e0b255df027e97 0c159634c9a0c8 53454b7a410478 Author: Stephen Boyd Date: Mon Nov 18 20:00:28 2024 -0800 Merge branches 'clk-mobileye', 'clk-twl', 'clk-nuvoton', 'clk-renesas' and 'clk-bindings' into clk-next - Mobileye EyeQ5, EyeQ6L and EyeQ6H clk driver - TWL6030 clk driver - Nuvoton Arbel BMC NPCM8XX SoC clks - Convert more clk bindings to YAML * clk-mobileye: clk: eyeq: add EyeQ6H west fixed factor clocks clk: eyeq: add EyeQ6H central fixed factor clocks clk: eyeq: add EyeQ5 fixed factor clocks clk: eyeq: add fixed factor clocks infrastructure clk: eyeq: require clock index with phandle in all cases clk: fixed-factor: add clk_hw_register_fixed_factor_index() function dt-bindings: clock: eyeq: add more Mobileye EyeQ5/EyeQ6H clocks dt-bindings: soc: mobileye: set `#clock-cells = <1>` for all compatibles clk: eyeq: add driver clk: divider: Introduce CLK_DIVIDER_EVEN_INTEGERS flag dt-bindings: clock: add Mobileye EyeQ6L/EyeQ6H clock indexes Revert "dt-bindings: clock: mobileye,eyeq5-clk: add bindings" * clk-twl: clk: twl: add TWL6030 support clk: twl: remove is_prepared * clk-nuvoton: clk: npcm8xx: add clock controller reset: npcm: register npcm8xx clock auxiliary bus device dt-bindings: reset: npcm: add clock properties * clk-renesas: clk: renesas: vbattb: Add VBATTB clock driver clk: Add devm_clk_hw_register_gate_parent_hw() clk: renesas: rzg2l: Fix FOUTPOSTDIV clk dt-bindings: clock: renesas,r9a08g045-vbattb: Document VBATTB clk: renesas: r9a08g045: Add power domain for RTC clk: renesas: r9a08g045: Mark the watchdog and always-on PM domains as IRQ safe clk: renesas: rzg2l-cpg: Use GENPD_FLAG_* flags instead of local ones clk: renesas: rzg2l-cpg: Move PM domain power on in rzg2l_cpg_pd_setup() dt-bindings: clock: r9a08g045-cpg: Add power domain ID for RTC clk: renesas: r8a779h0: Drop CLK_PLL2_DIV2 to clarify ZCn clocks clk: renesas: r9a09g057: Add clock and reset entries for ICU clk: renesas: r9a09g057: Add CA55 core clocks clk: renesas: Remove duplicate and trailing empty lines * clk-bindings: dt-bindings: clock: actions,owl-cmu: convert to YAML dt-bindings: clock: ti: Convert mux.txt to json-schema dt-bindings: clock: ti: Convert divider.txt to json-schema dt-bindings: clock: ti: Convert interface.txt to json-schema dt-bindings: clock: convert rockchip,rk3328-cru.txt to YAML commit 6af88ccfcbdce7a28ba45b1884d69a579e54e00c Merge: 02fb4f0084331e a9eaf305017a5e 94e6fdd028a12f 8e742c6e1b0309 4940071d962827 Author: Stephen Boyd Date: Mon Nov 18 20:00:03 2024 -0800 Merge branches 'clk-cleanup', 'clk-mediatek', 'clk-kunit', 'clk-xilinx' and 'clk-fixed-gate' into clk-next - Various clk driver cleanups - MediaTek MT6735 SoC clks - MediaTek MT7620, MT7628 and MT7688 MMC clks - KUnit tests for clk-assigned-rates{,-u64} - Add a driver for gated fixed rate clocks * clk-cleanup: clk: clk-loongson2: Fix potential buffer overflow in flexible-array member access clk: Fix invalid execution of clk_set_rate clk: clk-loongson2: Fix memory corruption bug in struct loongson2_clk_provider clk: lan966x: make it selectable for ARCH_LAN969X clk: clk-apple-nco: Add NULL check in applnco_probe clk: starfive: jh7110-pll: Mark the probe function as __init clk: sophgo: avoid integer overflow in sg2042_pll_recalc_rate() clk: tegra: use clamp() in tegra_bpmp_clk_determine_rate() clk: cdce925: make regmap_cdce925_bus constant clk: Drop explicit initialization of struct i2c_device_id::driver_data to 0 clk: clk-qoriq: Replace of_node_put() with __free() clk: Remove unused clk_hw_rate_is_protected * clk-mediatek: clk: en7523: map io region in a single block clk: en7523: move en7581_reset_register() in en7581_clk_hw_init() clk: en7523: fix estimation of fixed rate for EN7581 clk: en7523: introduce chip_scu regmap clk: en7523: move clock_register in hw_init callback clk: en7523: remove REG_PCIE*_{MEM,MEM_MASK} configuration dt-bindings: clock: airoha: Update reg mapping for EN7581 SoC. clk: mediatek: Add drivers for MT6735 syscon clock and reset controllers dt-bindings: clock: mediatek: Add bindings for MT6735 syscon clock and reset controllers clk: mediatek: mt6735-apmixedsys: Fix an error handling path in clk_mt6735_apmixed_probe() clk: ralink: mtmips: add mmc related clocks for SoCs MT7620, MT7628 and MT7688 clk: ralink: mtmips: fix clocks probe order in oldest ralink SoCs clk: ralink: mtmips: fix clock plan for Ralink SoC RT3883 clk: mediatek: clk-mt8188-topckgen: Remove univpll from parents of mfg_core_tmp clk: mediatek: Add drivers for MediaTek MT6735 main clock and reset drivers dt-bindings: clock: Add MediaTek MT6735 clock and reset bindings clk: mediatek: drop two dead config options * clk-kunit: clk: Allow kunit tests to run without OF_OVERLAY enabled clk: test: Add KUnit tests for clock-assigned-rates{-u64} DT properties of: kunit: Extract some overlay boiler plate into macros clk: test: Add test managed of_clk_add_hw_provider() * clk-xilinx: clk: clocking-wizard: move dynamic reconfig setup behind flag dt-bindings: clock: xilinx: describe whether dynamic reconfig is enabled clk: clocking-wizard: move clock registration to separate function clk: clocking-wizard: use devres versions of clk_hw API clk: clocking-wizard: use newer clk_hw API clk: clocking-wizard: simplify probe/remove with devres helpers * clk-fixed-gate: clk: clk-gpio: add driver for gated-fixed-clocks clk: clk-gpio: use dev_err_probe for gpio-get failure clk: clk-gpio: update documentation for gpio-gate clock dt-bindings: clocks: add binding for gated-fixed-clocks commit 02fb4f0084331ef72c28d0c70fcb15d1bea369ec Author: Gustavo A. R. Silva Date: Thu Nov 14 17:55:16 2024 -0600 clk: clk-loongson2: Fix potential buffer overflow in flexible-array member access Flexible-array member `hws` in `struct clk_hw_onecell_data` is annotated with the `counted_by()` attribute. This means that when memory is allocated for this array, the _counter_, which in this case is member `num` in the flexible structure, should be set to the maximum number of elements the flexible array can contain, or fewer. In this case, the total number of elements for the flexible array is determined by variable `clks_num` when allocating heap space via `devm_kzalloc()`, as shown below: 289 struct loongson2_clk_provider *clp; ... 296 for (p = data; p->name; p++) 297 clks_num++; 298 299 clp = devm_kzalloc(dev, struct_size(clp, clk_data.hws, clks_num), 300 GFP_KERNEL); So, `clp->clk_data.num` should be set to `clks_num` or less, and not exceed `clks_num`, as is currently the case. Otherwise, if data is written into `clp->clk_data.hws[clks_num]`, the instrumentation provided by the compiler won't detect the overflow, leading to a memory corruption bug at runtime. Fix this issue by setting `clp->clk_data.num` to `clks_num`. Fixes: 9796ec0bd04b ("clk: clk-loongson2: Refactor driver for adding new platforms") Cc: stable@vger.kernel.org Signed-off-by: Gustavo A. R. Silva Link: https://lore.kernel.org/r/ZzaN5MpmMr0hwHw9@kspp Signed-off-by: Stephen Boyd commit 25f1c96a0e841013647d788d4598e364e5c2ebb7 Author: Chuan Liu Date: Tue Sep 10 13:53:44 2024 +0800 clk: Fix invalid execution of clk_set_rate Some clocks have rates that can be changed elsewhere, so add a flag CLK_GET_RATE_NOCACHE(such as scmi_clk) to these clocks to ensure that the real-time rate is obtained. When clk_set_rate is called, it is returned if the request to set rate is consistent with the current rate. Getting the current rate in clk_set_rate returns the rate stored in clk_core. CLK_GET_RATE_NOCACHE does not take effect here. Signed-off-by: Chuan Liu Link: https://lore.kernel.org/r/20240910-fix_clk-v1-1-111443baaeaa@amlogic.com Signed-off-by: Stephen Boyd commit 6e4bf018bb040955da53dae9f8628ef8fcec2dbe Author: Gustavo A. R. Silva Date: Thu Nov 14 16:49:21 2024 -0600 clk: clk-loongson2: Fix memory corruption bug in struct loongson2_clk_provider Some heap space is allocated for the flexible structure `struct clk_hw_onecell_data` and its flexible-array member `hws` through the composite structure `struct loongson2_clk_provider` in function `loongson2_clk_probe()`, as shown below: 289 struct loongson2_clk_provider *clp; ... 296 for (p = data; p->name; p++) 297 clks_num++; 298 299 clp = devm_kzalloc(dev, struct_size(clp, clk_data.hws, clks_num), 300 GFP_KERNEL); Then some data is written into the flexible array: 350 clp->clk_data.hws[p->id] = hw; This corrupts `clk_lock`, which is the spinlock variable immediately following the `clk_data` member in `struct loongson2_clk_provider`: struct loongson2_clk_provider { void __iomem *base; struct device *dev; struct clk_hw_onecell_data clk_data; spinlock_t clk_lock; /* protect access to DIV registers */ }; The problem is that the flexible structure is currently placed in the middle of `struct loongson2_clk_provider` instead of at the end. Fix this by moving `struct clk_hw_onecell_data clk_data;` to the end of `struct loongson2_clk_provider`. Also, add a code comment to help prevent this from happening again in case new members are added to the structure in the future. This change also fixes the following -Wflex-array-member-not-at-end warning: drivers/clk/clk-loongson2.c:32:36: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end] Fixes: 9796ec0bd04b ("clk: clk-loongson2: Refactor driver for adding new platforms") Cc: stable@vger.kernel.org Signed-off-by: Gustavo A. R. Silva Link: https://lore.kernel.org/r/ZzZ-cd_EFXs6qFaH@kspp Signed-off-by: Stephen Boyd commit e7b012cb4db7253d186fd485ab07c7346c645dab Author: Robert Marko Date: Fri Nov 8 12:22:34 2024 +0100 clk: lan966x: make it selectable for ARCH_LAN969X LAN969x uses the same LAN966x clock driver so make it selectable for ARCH_LAN969X. Signed-off-by: Robert Marko Link: https://lore.kernel.org/r/20241108112355.20251-1-robert.marko@sartura.hr Signed-off-by: Stephen Boyd commit c664e2136f083b9135057b4a3c83a5a0a467af23 Merge: 84ad4825605982 3c2179e66355a2 Author: Jakub Kicinski Date: Mon Nov 18 19:48:57 2024 -0800 Merge branch 'bnxt_en-add-context-memory-dump-to-coredump' Michael Chan says: ==================== bnxt_en: Add context memory dump to coredump The driver currently supports Live FW dump and crashed FW dump. On the newer chips, the driver allocates host backing store context memory for the chip and FW to store various states. The content of this context memory will be useful for debugging. This patchset adds the context memory contents to the ethtool -w coredump using a new dump flag. The first patch is the FW interface update, followed by some refactoring of the context memory logic. Next, we add support for some new context memory types that contain various FW debug logs. After that, we add a new dump flag and the code to dump all the available context memory during ethtool -w coredump. v1: https://lore.kernel.org/20241113053649.405407-1-michael.chan@broadcom.com ==================== Link: https://patch.msgid.link/20241115151438.550106-1-michael.chan@broadcom.com Signed-off-by: Jakub Kicinski commit 3c2179e66355a2f85ff86a73719f0ce7dcf4a226 Author: Shruti Parab Date: Fri Nov 15 07:14:37 2024 -0800 bnxt_en: Add FW trace coredump segments to the coredump The FW trace coredump segments are very similar to the context memory segments in the previous patch. The main difference is to call HWRM_DBG_LOG_BUFFER_FLUSH to flush the FW data to host memory and to include an additional record in the coredump that contains the head and tail information of the trace data. Reviewed-by: Hongguang Gao Signed-off-by: Shruti Parab Signed-off-by: Michael Chan Link: https://patch.msgid.link/20241115151438.550106-12-michael.chan@broadcom.com Signed-off-by: Jakub Kicinski commit bda2e63a508b7f728c2386c9a0de234113e8b809 Author: Michael Chan Date: Fri Nov 15 07:14:36 2024 -0800 bnxt_en: Add a new ethtool -W dump flag Add a new ethtool -W dump flag (2) to include driver coredump segments. This patch adds the host backing store context memory pages used by the chip and FW to store various states to the coredump. The pages for each context memory type is dumped into a separate coredump segment. Reviewed-by: Andy Gospodarek Reviewed-by: Selvin Thyparampil Xavier Reviewed-by: Shruti Parab Reviewed-by: Kalesh AP Reviewed-by: Saravanan Vajravel Reviewed-by: Kashyap Desai Signed-off-by: Michael Chan Link: https://patch.msgid.link/20241115151438.550106-11-michael.chan@broadcom.com Signed-off-by: Jakub Kicinski commit a854a17097b9e05d25e0c6354d5150acb4d841a5 Author: Shruti Parab Date: Fri Nov 15 07:14:35 2024 -0800 bnxt_en: Add 2 parameters to bnxt_fill_coredump_seg_hdr() Pass the component ID and segment ID to this function to create the coredump segment header. This will be needed in the next patches to create more segments for the coredump. Reviewed-by: Hongguang Gao Signed-off-by: Shruti Parab Signed-off-by: Michael Chan Link: https://patch.msgid.link/20241115151438.550106-10-michael.chan@broadcom.com Signed-off-by: Jakub Kicinski commit 23a18b91b609ea640fba0b1d1dabc3a4cc2ba817 Author: Sreekanth Reddy Date: Fri Nov 15 07:14:34 2024 -0800 bnxt_en: Add functions to copy host context memory Host context memory is used by the newer chips to store context information for various L2 and RoCE states and FW logs. This information will be useful for debugging. This patch adds the functions to copy all pages of a context memory type to a contiguous buffer. The next patches will include the context memory dump during ethtool -w coredump. Reviewed-by: Pavan Chebbi Reviewed-by: Hongguang Gao Co-developed-by: Shruti Parab Signed-off-by: Shruti Parab Signed-off-by: Sreekanth Reddy Signed-off-by: Michael Chan Link: https://patch.msgid.link/20241115151438.550106-9-michael.chan@broadcom.com Signed-off-by: Jakub Kicinski commit de999362ad33d80ae5162670795d990f275960dd Author: Hongguang Gao Date: Fri Nov 15 07:14:33 2024 -0800 bnxt_en: Do not free FW log context memory If FW supports appending new FW logs to an offset in the context memory after FW reset, then do not free this type of context memory during reset. The driver will provide the initial offset to the FW when configuring this type of context memory. This way, we don't lose the older FW logs after reset. Signed-off-by: Hongguang Gao Signed-off-by: Michael Chan Link: https://patch.msgid.link/20241115151438.550106-8-michael.chan@broadcom.com Signed-off-by: Jakub Kicinski commit 84fcd9449fd7882ddfb05ba64d75f9be2d29b2e9 Author: Shruti Parab Date: Fri Nov 15 07:14:32 2024 -0800 bnxt_en: Manage the FW trace context memory The FW trace memory pages will be added to the ethtool -w coredump in later patches. In addition to the raw data, the driver has to add a header to provide the head and tail information on each FW trace log segment when creating the coredump. The FW sends an async message to the driver after DMAing a chunk of logs to the context memory to indicate the last offset containing the tail of the logs. The driver needs to keep track of that. Reviewed-by: Hongguang Gao Signed-off-by: Shruti Parab Signed-off-by: Michael Chan Link: https://patch.msgid.link/20241115151438.550106-7-michael.chan@broadcom.com Signed-off-by: Jakub Kicinski commit 24d694aec139e9e0a31c60993db79bd8ad575afe Author: Shruti Parab Date: Fri Nov 15 07:14:31 2024 -0800 bnxt_en: Allocate backing store memory for FW trace logs Allocate the new FW trace log backing store context memory types if they are supported by the FW. FW debug logs are DMA'ed to the host backing store memory when the on-chip buffers are full. If host memory cannot be allocated for these memory types, the driver will not abort. Reviewed-by: Hongguang Gao Signed-off-by: Shruti Parab Signed-off-by: Michael Chan Link: https://patch.msgid.link/20241115151438.550106-6-michael.chan@broadcom.com Signed-off-by: Jakub Kicinski commit 46010d43ab7b18fbc8a3a0bf4d65c775f8d2adbd Author: Hongguang Gao Date: Fri Nov 15 07:14:30 2024 -0800 bnxt_en: Add a 'force' parameter to bnxt_free_ctx_mem() If 'force' is false, it will keep the memory pages and all data structures for the context memory type if the memory is valid. This patch always passes true for the 'force' parameter so there is no change in behavior. Later patches will adjust the 'force' parameter for the FW log context memory types so that the logs will not be reset after FW reset. Signed-off-by: Hongguang Gao Signed-off-by: Michael Chan Link: https://patch.msgid.link/20241115151438.550106-5-michael.chan@broadcom.com Signed-off-by: Jakub Kicinski commit 968d2cc07c2fc9a508a53bd2de61200f50206fbc Author: Hongguang Gao Date: Fri Nov 15 07:14:29 2024 -0800 bnxt_en: Refactor bnxt_free_ctx_mem() Add a new function bnxt_free_one_ctx_mem() to free one context memory type. bnxt_free_ctx_mem() now calls the new function in the loop to free each context memory type. There is no change in behavior. Later patches will further make use of the new function. Signed-off-by: Hongguang Gao Signed-off-by: Michael Chan Link: https://patch.msgid.link/20241115151438.550106-4-michael.chan@broadcom.com Signed-off-by: Jakub Kicinski commit 0b350b4927e69d66629099dbb32cad8d2d56a26d Author: Shruti Parab Date: Fri Nov 15 07:14:28 2024 -0800 bnxt_en: Add mem_valid bit to struct bnxt_ctx_mem_type Add a new bit to struct bnxt_ctx_mem_type to indicate that host memory has been successfully allocated for this context memory type. In the next patches, we'll be adding some additional context memory types for FW debugging/logging. If memory cannot be allocated for any of these new types, we will not abort and the cleared mem_valid bit will indicate to skip configuring the memory type. Reviewed-by: Hongguang Gao Signed-off-by: Shruti Parab Signed-of-by: Michael Chan Link: https://patch.msgid.link/20241115151438.550106-3-michael.chan@broadcom.com Signed-off-by: Jakub Kicinski commit ff00bcc9ecccf4a1ce3a06eb38a9b4592f870f80 Author: Michael Chan Date: Fri Nov 15 07:14:27 2024 -0800 bnxt_en: Update firmware interface spec to 1.10.3.85 The major change is the new firmware command to flush the FW debug logs to the host backing store context memory buffers. Reviewed-by: Hongguang Gao Reviewed-by: Kalesh AP Signed-off-by: Michael Chan Link: https://patch.msgid.link/20241115151438.550106-2-michael.chan@broadcom.com Signed-off-by: Jakub Kicinski commit 4adb9201884d668546fe5d12cab2fcff6ef54caa Merge: 9852d85ec9d492 f1f49cc505bc99 Author: Stephen Boyd Date: Mon Nov 18 19:41:46 2024 -0800 Merge tag 'qcom-clk-for-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/qcom/linux into clk-qcom Pull Qualcomm clk driver updates from Bjorn Andersson: - Global clock controllers for Qualcomm QCS8300 and IPQ5424 SoCs - Camera, display and video clock controllers for Qualcomm SA8775P SoCs - Global, display, GPU, TCSR, and RPMh clock controllers for Qualcomm SAR2130P - Global, camera, display, GPU, and video clock controllers for Qualcomm SM8475 SoCs - Support for Qualcomm IPQ9574 in the Alpha PLL clock driver - Cleanup checks for already configured PLLs at boot in the Qualcomm Alpha PLL driver - Fix the initial rate for Qualcomm QCS404 GPLL3 - Add shared rcg2 floor clk_ops for shared SDCC clks on Qualcomm SoCs * tag 'qcom-clk-for-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/qcom/linux: (43 commits) clk: qcom: remove unused data from gcc-ipq5424.c clk: qcom: Add support for Global Clock Controller on QCS8300 dt-bindings: clock: qcom: Add GCC clocks for QCS8300 clk: qcom: add Global Clock controller (GCC) driver for IPQ5424 SoC clk: qcom: clk-alpha-pll: Add NSS HUAYRA ALPHA PLL support for ipq9574 dt-bindings: clock: Add Qualcomm IPQ5424 GCC binding clk: qcom: add SAR2130P GPU Clock Controller support clk: qcom: dispcc-sm8550: enable support for SAR2130P clk: qcom: tcsrcc-sm8550: add SAR2130P support clk: qcom: add support for GCC on SAR2130P clk: qcom: rpmh: add support for SAR2130P clk: qcom: rcg2: add clk_rcg2_shared_floor_ops dt-bindings: clk: qcom,sm8450-gpucc: add SAR2130P compatibles dt-bindings: clock: qcom,sm8550-dispcc: Add SAR2130P compatible dt-bindings: clock: qcom,sm8550-tcsr: Add SAR2130P compatible dt-bindings: clock: qcom: document SAR2130P Global Clock Controller dt-bindings: clock: qcom,rpmhcc: Add SAR2130P compatible clk: qcom: Make GCC_6125 depend on QCOM_GDSC dt-bindings: clock: qcom: gcc-ipq9574: remove q6 bring up clock macros dt-bindings: clock: qcom: gcc-ipq5332: remove q6 bring up clock macros ... commit 66418447d27b7f4c027587582a133dd0bc0a663b Merge: 21742be898fb6d 0c4d5cb9a1c358 Author: Jakub Kicinski Date: Mon Nov 18 19:40:01 2024 -0800 Merge branch 'bpf-fix-recursive-lock-and-add-test' Jiayuan Chen says: ==================== bpf: fix recursive lock and add test 1. fix recursive lock when ebpf prog return SK_PASS. 2. add selftest to reproduce recursive lock. Note that the test code can reproduce the 'dead-lock' and if just the selftest merged without first patch, the test case will definitely fail, because the issue of deadlock is inevitable. v1: https://lore.kernel.org/55fc6114-7e64-4b65-86d2-92cfd1e9e92f@linux.dev/ ==================== Acked-by: Martin KaFai Lau Link: https://patch.msgid.link/20241118030910.36230-1-mrpre@163.com Signed-off-by: Jakub Kicinski commit 0c4d5cb9a1c3583b61df199a51eccebe759e3c18 Author: Jiayuan Chen Date: Mon Nov 18 11:09:10 2024 +0800 selftests/bpf: Add some tests with sockmap SK_PASS Add a new tests in sockmap_basic.c to test SK_PASS for sockmap Signed-off-by: Jiayuan Chen Acked-by: Martin KaFai Lau Link: https://patch.msgid.link/20241118030910.36230-3-mrpre@163.com Signed-off-by: Jakub Kicinski commit 8ca2a1eeadf09862190b2810697702d803ceef2d Author: Jiayuan Chen Date: Mon Nov 18 11:09:09 2024 +0800 bpf: fix recursive lock when verdict program return SK_PASS When the stream_verdict program returns SK_PASS, it places the received skb into its own receive queue, but a recursive lock eventually occurs, leading to an operating system deadlock. This issue has been present since v6.9. ''' sk_psock_strp_data_ready write_lock_bh(&sk->sk_callback_lock) strp_data_ready strp_read_sock read_sock -> tcp_read_sock strp_recv cb.rcv_msg -> sk_psock_strp_read # now stream_verdict return SK_PASS without peer sock assign __SK_PASS = sk_psock_map_verd(SK_PASS, NULL) sk_psock_verdict_apply sk_psock_skb_ingress_self sk_psock_skb_ingress_enqueue sk_psock_data_ready read_lock_bh(&sk->sk_callback_lock) <= dead lock ''' This topic has been discussed before, but it has not been fixed. Previous discussion: https://lore.kernel.org/all/6684a5864ec86_403d20898@john.notmuch Fixes: 6648e613226e ("bpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue") Reported-by: Vincent Whitchurch Signed-off-by: Jiayuan Chen Signed-off-by: John Fastabend Acked-by: Martin KaFai Lau Link: https://patch.msgid.link/20241118030910.36230-2-mrpre@163.com Signed-off-by: Jakub Kicinski commit 34e77144308ff1efe2e865e68a033ce166f6411e Author: Christophe JAILLET Date: Fri Nov 15 17:50:37 2024 +0100 Input: cypress-sf - constify struct i2c_device_id 'struct i2c_device_id' is not modified in this driver. Constifying this structure moves some data to a read-only section, so increase overall security. On a x86_64, with allmodconfig: Before: ====== text data bss dec hex filename 6438 618 0 7056 1b90 drivers/input/keyboard/cypress-sf.o After: ===== text data bss dec hex filename 6502 554 0 7056 1b90 drivers/input/keyboard/cypress-sf.o Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/4bc3e3b4d10223d9df850fe4ba48f1cefd197082.1731689418.git.christophe.jaillet@wanadoo.fr Signed-off-by: Dmitry Torokhov commit 84ad4825605982e68f781d5d180b0a148c9c81a1 Merge: 85c7975acd970d 06a34f7db773e0 Author: Jakub Kicinski Date: Mon Nov 18 19:32:33 2024 -0800 Merge branch 'wireguard-updates-and-fixes-for-6-13' Jason A. Donenfeld says: ==================== wireguard updates and fixes for 6.13 This tiny series (+3/-2) fixes one bug and has three small improvements. 1) Fix running the netns.sh test suite on systems that haven't yet inserted the nf_conntrack module. 2) Remove a stray useless function call in a selftest. 3) There's no need to zero out the netdev private data in recent kernels. 4) Set the TSO max size to be GSO_MAX_SIZE, so that we aggregate larger packets. Daniel reports seeing a 15% improvement in a simple load and suggested the speedups would be even better in more complex loads. ==================== Link: https://patch.msgid.link/20241117212030.629159-1-Jason@zx2c4.com Signed-off-by: Jakub Kicinski commit 06a34f7db773e01efa8a90c5b4d912207a80dd60 Author: Daniel Borkmann Date: Sun Nov 17 22:20:30 2024 +0100 wireguard: device: support big tcp GSO Advertise GSO_MAX_SIZE as TSO max size in order support BIG TCP for wireguard. This helps to improve wireguard performance a bit when enabled as it allows wireguard to aggregate larger skbs in wg_packet_consume_data_done() via napi_gro_receive(), but also allows the stack to build larger skbs on xmit where the driver then segments them before encryption inside wg_xmit(). We've seen a 15% improvement in TCP stream performance. Signed-off-by: Daniel Borkmann Signed-off-by: Jason A. Donenfeld Link: https://patch.msgid.link/20241117212030.629159-5-Jason@zx2c4.com Signed-off-by: Jakub Kicinski commit 0290abc9860917f1ee8b58309c2bbd740a39ee8e Author: Hangbin Liu Date: Sun Nov 17 22:20:29 2024 +0100 wireguard: selftests: load nf_conntrack if not present Some distros may not load nf_conntrack by default, which will cause subsequent nf_conntrack sets to fail. Load this module if it is not already loaded. Fixes: e7096c131e51 ("net: WireGuard secure network tunnel") Signed-off-by: Hangbin Liu Reviewed-by: Simon Horman [ Jason: add [[ -e ... ]] check so this works in the qemu harness. ] Signed-off-by: Jason A. Donenfeld Link: https://patch.msgid.link/20241117212030.629159-4-Jason@zx2c4.com Signed-off-by: Jakub Kicinski commit c1822fb64f678ba5bf04dff2bea361537c6f7278 Author: Dheeraj Reddy Jonnalagadda Date: Sun Nov 17 22:20:28 2024 +0100 wireguard: allowedips: remove redundant selftest call This commit fixes a useless call issue detected by Coverity (CID 1508092). The call to horrible_allowedips_lookup_v4 is unnecessary as its return value is never checked. Signed-off-by: Dheeraj Reddy Jonnalagadda Fixes: e7096c131e51 ("net: WireGuard secure network tunnel") Signed-off-by: Jason A. Donenfeld Link: https://patch.msgid.link/20241117212030.629159-3-Jason@zx2c4.com Signed-off-by: Jakub Kicinski commit 2c862914fbcf85609147401ea8674ae9a9e3b8cc Author: Tobias Klauser Date: Sun Nov 17 22:20:27 2024 +0100 wireguard: device: omit unnecessary memset of netdev private data The memory for netdev_priv is allocated using kvzalloc in alloc_netdev_mqs before rtnl_link_ops->setup is called so there is no need to zero it again in wg_setup. Signed-off-by: Tobias Klauser Reviewed-by: Simon Horman Signed-off-by: Jason A. Donenfeld Link: https://patch.msgid.link/20241117212030.629159-2-Jason@zx2c4.com Signed-off-by: Jakub Kicinski commit f26f9933e3e31b2117b804b6b8932388db88a131 Author: Kajol Jain Date: Mon Nov 18 17:11:14 2024 +0530 powerpc/perf: Add per-task/process monitoring to vpa_pmu driver Enhance the vpa_pmu driver with a feature to observe context switch latency event for both per-task (tid) and per-pid (pid) option. Couple of new helper functions are added to hide the abstraction of reading the context switch latency counter from kvm_vcpu_arch struct and these helper functions are defined in the "kvm/book3s_hv.c". "PERF_ATTACH_TASK" flag is used to decide whether to read the counter values from lppaca or kvm_vcpu_arch struct. Signed-off-by: Kajol Jain Co-developed-by: Madhavan Srinivasan Signed-off-by: Madhavan Srinivasan Signed-off-by: Michael Ellerman Link: https://patch.msgid.link/20241118114114.208964-4-kjain@linux.ibm.com commit 5f0b48c6a168994cc09d02888c2d939eba2af193 Author: Kajol Jain Date: Mon Nov 18 17:11:13 2024 +0530 powerpc/kvm: Add vpa latency counters to kvm_vcpu_arch Commit e1f288d2f9c69 ("KVM: PPC: Book3S HV nestedv2: Add support for reading VPA counters for pseries guests") introduced support for new Virtual Process Area(VPA) based software counters. These counters are useful when observing context switch latency of L1 <-> L2. It also added access to counters in lppaca, which is good enough to understand latency details per-cpu level. But to extend and aggregate per-process level(qemu) or per-pid/tid level(vcpu), these counters also needs to be added as part of kvm_vcpu_arch struct. Additional code added to update these new kvm_vcpu_arch variables in do_trace_nested_cs_time function. Signed-off-by: Kajol Jain Co-developed-by: Madhavan Srinivasan Signed-off-by: Madhavan Srinivasan Signed-off-by: Michael Ellerman Link: https://patch.msgid.link/20241118114114.208964-3-kjain@linux.ibm.com commit 4ae0b32ecee730a41f65eb122bbb40fda7dca34a Author: Kajol Jain Date: Mon Nov 18 17:11:12 2024 +0530 docs: ABI: sysfs-bus-event_source-devices-vpa-pmu: Document sysfs event format entries for vpa_pmu Details are added for the vpa_pmu event and format attributes in the ABI documentation. Signed-off-by: Kajol Jain Co-developed-by: Madhavan Srinivasan Signed-off-by: Madhavan Srinivasan Signed-off-by: Michael Ellerman Link: https://patch.msgid.link/20241118114114.208964-2-kjain@linux.ibm.com commit 176cda0619b6c17a553625f6e2fcbc3981ad667d Author: Kajol Jain Date: Mon Nov 18 17:11:11 2024 +0530 powerpc/perf: Add perf interface to expose vpa counters To support performance measurement for KVM on PowerVM(KoP) feature, PowerVM hypervisor has added couple of new software counters in Virtual Process Area(VPA) of the partition. Commit e1f288d2f9c69 ("KVM: PPC: Book3S HV nestedv2: Add support for reading VPA counters for pseries guests") have updated the paca fields with corresponding changes. Proposed perf interface is to expose these new software counters for monitoring of context switch latencies and runtime aggregate. Perf interface driver is called "vpa_pmu" and it has dependency on KVM and perf, hence added new config called "VPA_PMU" which depends on "CONFIG_KVM_BOOK3S_64_HV" and "CONFIG_HV_PERF_CTRS". Since, kvm and kvm_host are currently compiled as built-in modules, this perf interface takes the same path and registered as a module. vpa_pmu perf interface needs access to some of the kvm functions and structures like kvmhv_get_l2_counters_status(), hence kvm_book3s_64.h and kvm_ppc.h are included. Below are the events added to monitor KoP: vpa_pmu/l1_to_l2_lat/ vpa_pmu/l2_to_l1_lat/ vpa_pmu/l2_runtime_agg/ and vpa_pmu driver supports only per-cpu monitoring with this patch. Example usage: [command]# perf stat -e vpa_pmu/l1_to_l2_lat/ -a -I 1000 1.001017682 727,200 vpa_pmu/l1_to_l2_lat/ 2.003540491 1,118,824 vpa_pmu/l1_to_l2_lat/ 3.005699458 1,919,726 vpa_pmu/l1_to_l2_lat/ 4.007827011 2,364,630 vpa_pmu/l1_to_l2_lat/ Signed-off-by: Kajol Jain Co-developed-by: Madhavan Srinivasan Signed-off-by: Madhavan Srinivasan Signed-off-by: Michael Ellerman Link: https://patch.msgid.link/20241118114114.208964-1-kjain@linux.ibm.com commit 21742be898fb6d99d4d85e293bd501b6870b503a Merge: 4262bacb748fda a57d5a72f8dec7 Author: Jakub Kicinski Date: Mon Nov 18 18:59:34 2024 -0800 Merge branch 'netpoll-use-rcu-primitives-for-npinfo-pointer-access' Breno Leitao says: ==================== netpoll: Use RCU primitives for npinfo pointer access The net_device->npinfo pointer is marked with __rcu, indicating it requires proper RCU access primitives: struct net_device { ... struct netpoll_info __rcu *npinfo; ... }; Direct access to this pointer can lead to issues such as: - Compiler incorrectly caching/reusing stale pointer values - Missing memory ordering guarantees - Non-atomic pointer loads Replace direct NULL checks of npinfo with rcu_access_pointer(), which provides the necessary memory ordering guarantees without the overhead of a full RCU dereference, since we only need to verify if the pointer is NULL. In both cases, the RCU read lock is not held when the function is being called. I checked that by using lockdep_assert_in_rcu_read_lock(), and seeing the warning on both cases. ==================== Link: https://patch.msgid.link/20241118-netpoll_rcu-v1-0-a1888dcb4a02@debian.org Signed-off-by: Jakub Kicinski commit a57d5a72f8dec7db8a79d0016fb0a3bdecc82b56 Author: Breno Leitao Date: Mon Nov 18 03:15:18 2024 -0800 netpoll: Use rcu_access_pointer() in netpoll_poll_lock The ndev->npinfo pointer in netpoll_poll_lock() is RCU-protected but is being accessed directly for a NULL check. While no RCU read lock is held in this context, we should still use proper RCU primitives for consistency and correctness. Replace the direct NULL check with rcu_access_pointer(), which is the appropriate primitive when only checking for NULL without dereferencing the pointer. This function provides the necessary ordering guarantees without requiring RCU read-side protection. Fixes: bea3348eef27 ("[NET]: Make NAPI polling independent of struct net_device objects.") Signed-off-by: Breno Leitao Reviewed-by: Michal Kubiak Link: https://patch.msgid.link/20241118-netpoll_rcu-v1-2-a1888dcb4a02@debian.org Signed-off-by: Jakub Kicinski commit c69c5e10adb903ae2438d4f9c16eccf43d1fcbc1 Author: Breno Leitao Date: Mon Nov 18 03:15:17 2024 -0800 netpoll: Use rcu_access_pointer() in __netpoll_setup The ndev->npinfo pointer in __netpoll_setup() is RCU-protected but is being accessed directly for a NULL check. While no RCU read lock is held in this context, we should still use proper RCU primitives for consistency and correctness. Replace the direct NULL check with rcu_access_pointer(), which is the appropriate primitive when only checking for NULL without dereferencing the pointer. This function provides the necessary ordering guarantees without requiring RCU read-side protection. Reviewed-by: Michal Kubiak Signed-off-by: Breno Leitao Link: https://patch.msgid.link/20241118-netpoll_rcu-v1-1-a1888dcb4a02@debian.org Signed-off-by: Jakub Kicinski commit 85c7975acd970dac0fd7b0813763faade027c55e Author: Menglong Dong Date: Mon Nov 18 17:14:27 2024 +0800 net: ip: fix unexpected return in fib_validate_source() The errno should be replaced with drop reasons in fib_validate_source(), and the "-EINVAL" shouldn't be returned. And this causes a warning, which is reported by syzkaller: netlink: 'syz-executor371': attribute type 4 has an invalid length. ------------[ cut here ]------------ WARNING: CPU: 0 PID: 5842 at net/core/skbuff.c:1219 __sk_skb_reason_drop net/core/skbuff.c:1216 [inline] WARNING: CPU: 0 PID: 5842 at net/core/skbuff.c:1219 sk_skb_reason_drop+0x87/0x380 net/core/skbuff.c:1241 Modules linked in: CPU: 0 UID: 0 PID: 5842 Comm: syz-executor371 Not tainted 6.12.0-rc6-syzkaller-01362-ga58f00ed24b8 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024 RIP: 0010:__sk_skb_reason_drop net/core/skbuff.c:1216 [inline] RIP: 0010:sk_skb_reason_drop+0x87/0x380 net/core/skbuff.c:1241 Code: 00 00 00 fc ff df 41 8d 9e 00 00 fc ff bf 01 00 fc ff 89 de e8 ea 9f 08 f8 81 fb 00 00 fc ff 77 3a 4c 89 e5 e8 9a 9b 08 f8 90 <0f> 0b 90 eb 5e bf 01 00 00 00 89 ee e8 c8 9f 08 f8 85 ed 0f 8e 49 RSP: 0018:ffffc90003d57078 EFLAGS: 00010293 RAX: ffffffff898c3ec6 RBX: 00000000fffbffea RCX: ffff8880347a5a00 RDX: 0000000000000000 RSI: 00000000fffbffea RDI: 00000000fffc0001 RBP: dffffc0000000000 R08: ffffffff898c3eb6 R09: 1ffff110023eb7d4 R10: dffffc0000000000 R11: ffffed10023eb7d5 R12: dffffc0000000000 R13: ffff888011f5bdc0 R14: 00000000ffffffea R15: 0000000000000000 FS: 000055557d41e380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000056519d31d608 CR3: 000000007854e000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: kfree_skb_reason include/linux/skbuff.h:1263 [inline] ip_rcv_finish_core+0xfde/0x1b50 net/ipv4/ip_input.c:424 ip_list_rcv_finish net/ipv4/ip_input.c:610 [inline] ip_sublist_rcv+0x3b1/0xab0 net/ipv4/ip_input.c:636 ip_list_rcv+0x42b/0x480 net/ipv4/ip_input.c:670 __netif_receive_skb_list_ptype net/core/dev.c:5715 [inline] __netif_receive_skb_list_core+0x94e/0x980 net/core/dev.c:5762 __netif_receive_skb_list net/core/dev.c:5814 [inline] netif_receive_skb_list_internal+0xa51/0xe30 net/core/dev.c:5905 netif_receive_skb_list+0x55/0x4b0 net/core/dev.c:5957 xdp_recv_frames net/bpf/test_run.c:280 [inline] xdp_test_run_batch net/bpf/test_run.c:361 [inline] bpf_test_run_xdp_live+0x1b5e/0x21b0 net/bpf/test_run.c:390 bpf_prog_test_run_xdp+0x805/0x11e0 net/bpf/test_run.c:1318 bpf_prog_test_run+0x2e4/0x360 kernel/bpf/syscall.c:4266 __sys_bpf+0x48d/0x810 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f18af25a8e9 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffee4090af8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f18af25a8e9 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 Fix it by returning "-SKB_DROP_REASON_IP_LOCAL_SOURCE" instead of "-EINVAL" in fib_validate_source(). Reported-by: syzbot+52fbd90f020788ec7709@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/6738e539.050a0220.e1c64.0002.GAE@google.com/ Fixes: 82d9983ebeb8 ("net: ip: make ip_route_input_noref() return drop reasons") Signed-off-by: Menglong Dong Acked-by: Paolo Abeni Signed-off-by: Jakub Kicinski commit 78a36139fcec1b22594257d6c7cca98455077094 Author: Dr. David Alan Gilbert Date: Sat Nov 16 15:26:44 2024 +0000 net/fungible: Remove unused fun_create_queue fun_create_queue was added in 2022 by commit e1ffcc66818f ("net/fungible: Add service module for Fungible drivers") but hasn't been used. Remove it. Also remove the static helper functions it was the only user of. Signed-off-by: Dr. David Alan Gilbert Signed-off-by: Jakub Kicinski commit a537cfdaa78ebda7a0f5f8c6f39be19b0bf92551 Merge: 920efe3e13f7eb 96c677fca54a28 Author: Jakub Kicinski Date: Mon Nov 18 18:52:14 2024 -0800 Merge branch 'uapi-ethtool-avoid-flex-array-in-struct-ethtool_link_settings' Kees Cook says: ==================== UAPI: ethtool: Avoid flex-array in struct ethtool_link_settings This reverts the tagged struct group in struct ethtool_link_settings and instead just removes the flexible array member from Linux's view as it is entirely unused. ==================== Link: https://patch.msgid.link/20241115204115.work.686-kees@kernel.org Signed-off-by: Jakub Kicinski commit 96c677fca54a28fcfea4dbab9c1f2530bd0a08d1 Author: Kees Cook Date: Fri Nov 15 12:43:05 2024 -0800 UAPI: ethtool: Avoid flex-array in struct ethtool_link_settings struct ethtool_link_settings tends to be used as a header for other structures that have trailing bytes[1], but has a trailing flexible array itself. Using this overlapped with other structures leads to ambiguous object sizing in the compiler, so we want to avoid such situations (which have caused real bugs in the past). Detecting this can be done with -Wflex-array-member-not-at-end, which will need to be enabled globally. Using a tagged struct_group() to create a new ethtool_link_settings_hdr structure isn't possible as it seems we cannot use the tagged variant of struct_group() due to syntax issues from C++'s perspective (even within "extern C")[2]. Instead, we can just leave the offending member defined in UAPI and remove it from the kernel's view of the structure, as Linux doesn't actually use this member at all. There is also no change in size since it was already a flexible array that didn't contribute to size returned by any use of sizeof(). Reported-by: Jakub Kicinski Closes: https://lore.kernel.org/lkml/20241109100213.262a2fa0@kernel.org/ [2] Link: https://lore.kernel.org/lkml/0bc2809fe2a6c11dd4c8a9a10d9bd65cccdb559b.1730238285.git.gustavoars@kernel.org/ [1] Signed-off-by: Kees Cook Reviewed-by: Jakub Kicinski Link: https://patch.msgid.link/20241115204308.3821419-3-kees@kernel.org Signed-off-by: Jakub Kicinski commit ebda123fe703f492d7d557a4da00888ddec4779e Author: Kees Cook Date: Fri Nov 15 12:43:04 2024 -0800 Revert "UAPI: ethtool: Use __struct_group() in struct ethtool_link_settings" This reverts commit 43d3487035e9a86fad952de4240a518614240d43. We cannot use tagged struct groups in UAPI because C++ will throw syntax errors even under "extern C". Signed-off-by: Kees Cook Link: https://patch.msgid.link/20241115204308.3821419-2-kees@kernel.org Signed-off-by: Jakub Kicinski commit 1cfb5e57886aa69a992ff0ebd32e4651eb0fc995 Author: Kees Cook Date: Fri Nov 15 12:43:03 2024 -0800 Revert "net: ethtool: Avoid thousands of -Wflex-array-member-not-at-end warnings" This reverts commit 3bd9b9abdf1563a22041b7255baea6d449902f1a. We cannot use the new tagged struct group because it throws C++ errors even under "extern C". Signed-off-by: Kees Cook Link: https://patch.msgid.link/20241115204308.3821419-1-kees@kernel.org Signed-off-by: Jakub Kicinski commit 920efe3e13f7eb5711d4ad8ecc0cced16b1a84cf Author: Jakub Kicinski Date: Fri Nov 15 12:12:36 2024 -0800 selftests: net: add more info to error in bpf_offload bpf_offload caught a spurious warning in TC recently, but the error message did not provide enough information to know what the problem is: FAIL: Found 'netdevsim' in command output, leaky extack? Add the extack to the output: FAIL: Unexpected command output, leaky extack? ('netdevsim', 'Warning: Filter with specified priority/protocol not found.') Acked-by: Stanislav Fomichev Signed-off-by: Jakub Kicinski commit 4262bacb748fdab129dfbe1e93af75119a9c2775 Author: Jakub Kicinski Date: Fri Nov 15 11:56:09 2024 -0800 MAINTAINERS: exclude can core, drivers and DT bindings from netdev ML CAN networking and drivers are maintained by Marc, Oliver and Vincent. Marc sends us already pull requests with reviewed and validated code. Exclude the CAN patch postings from the netdev@ mailing list to lower the patch volume there. Link: https://lore.kernel.org/20241113193709.395c18b0@kernel.org Acked-by: Vincent Mailhol Acked-by: Marc Kleine-Budde Link: https://patch.msgid.link/20241115195609.981049-1-kuba@kernel.org Signed-off-by: Jakub Kicinski commit 16a04d043baa963d9f192ea5cae3556d1859974c Author: Gerd Bayer Date: Fri Nov 15 18:44:57 2024 +0100 net/smc: Run patches also by RDMA ML Commits for the SMC protocol usually get carried through the netdev mailing list. Some portions use InfiniBand verbs that are discussed on the RDMA mailing list. So run patches by that list too to increase the likelihood that all interested parties can see them. Signed-off-by: Gerd Bayer Reviewed-by: Leon Romanovsky Signed-off-by: Jakub Kicinski commit 5b7cfe06333db98f67bd1c259ffe94829851809c Merge: cc84d89ad8d411 1d7fa6ceb91fdd Author: Jakub Kicinski Date: Mon Nov 18 18:50:14 2024 -0800 Merge branch 'mptcp-pm-lockless-list-traversal-and-cleanup' Matthieu Baerts says: ==================== mptcp: pm: lockless list traversal and cleanup Here are two patches improving the MPTCP in-kernel path-manager. - Patch 1: the get and dump endpoints operations are iterating over the endpoints list in a lockless way. - Patch 2: reduce the code duplication to lookup an endpoint. ==================== Link: https://patch.msgid.link/20241115-net-next-mptcp-pm-lockless-dump-v1-0-f4a1bcb4ca2c@kernel.org Signed-off-by: Jakub Kicinski commit 1d7fa6ceb91fddbe38cae3521d5d1075bce6a00e Author: Geliang Tang Date: Fri Nov 15 17:52:35 2024 +0100 mptcp: pm: avoid code duplication to lookup endp The helper __lookup_addr() can be used in mptcp_pm_nl_get_local_id() and mptcp_pm_nl_is_backup() to simplify the code, and avoid code duplication. Co-developed-by: Matthieu Baerts (NGI0) Signed-off-by: Matthieu Baerts (NGI0) Signed-off-by: Geliang Tang Signed-off-by: Matthieu Baerts (NGI0) Link: https://patch.msgid.link/20241115-net-next-mptcp-pm-lockless-dump-v1-2-f4a1bcb4ca2c@kernel.org Signed-off-by: Jakub Kicinski commit 3fbb27b7f87e60324cec7d2d10a40884182c99d4 Author: Matthieu Baerts (NGI0) Date: Fri Nov 15 17:52:34 2024 +0100 mptcp: pm: lockless list traversal to dump endp To return an endpoint to the userspace via Netlink, and to dump all of them, the endpoint list was iterated while holding the pernet->lock, but only to read the content of the list. In these cases, the spin locks can be replaced by RCU read ones, and use the _rcu variants to iterate over the entries list in a lockless way. Note that the __lookup_addr_by_id() helper has been modified to use the _rcu variants of list_for_each_entry(), but with an extra conditions, so it can be called either while the RCU read lock is held, or when the associated pernet->lock is held. Reviewed-by: Geliang Tang Signed-off-by: Matthieu Baerts (NGI0) Link: https://patch.msgid.link/20241115-net-next-mptcp-pm-lockless-dump-v1-1-f4a1bcb4ca2c@kernel.org Signed-off-by: Jakub Kicinski commit cc84d89ad8d411d52ec4d000c3ed5cce52683fbd Author: Vitalii Mordan Date: Fri Nov 15 16:26:32 2024 +0300 stmmac: dwmac-intel-plat: remove redundant dwmac->data check in probe The driver’s compatibility with devices is confirmed earlier in platform_match(). Since reaching probe means the device is valid, the extra check can be removed to simplify the code. Signed-off-by: Vitalii Mordan Reviewed-by: Andrew Lunn Signed-off-by: Jakub Kicinski commit 2160428bcb20f2f70a72ee84aba91a1264dc4ff3 Author: Jiawen Wu Date: Fri Nov 15 15:35:08 2024 +0800 net: txgbe: fix null pointer to pcs For 1000BASE-X or SGMII interface mode, the PCS also need to be selected. Only return null pointer when there is a copper NIC with external PHY. Fixes: 02b2a6f91b90 ("net: txgbe: support copper NIC with external PHY") Signed-off-by: Jiawen Wu Link: https://patch.msgid.link/20241115073508.1130046-1-jiawenwu@trustnetic.com Signed-off-by: Jakub Kicinski commit e867ed3ac8aa50945170723a450b5c068a56339a Author: Jiawen Wu Date: Fri Nov 15 15:15:27 2024 +0800 net: txgbe: remove GPIO interrupt controller Since the GPIO interrupt controller is always not working properly, we need to constantly add workaround to cope with hardware deficiencies. So just remove GPIO interrupt controller, and let the SFP driver poll the GPIO status. Fixes: b4a2496c17ed ("net: txgbe: fix GPIO interrupt blocking") Signed-off-by: Jiawen Wu Link: https://patch.msgid.link/20241115071527.1129458-1-jiawenwu@trustnetic.com Signed-off-by: Jakub Kicinski commit 4be4a91d53b6e3a1c392aa10aa4f72f3dea86459 Merge: 357c52ff860b3d 79da2aaa08ee99 Author: Jakub Kicinski Date: Mon Nov 18 18:43:45 2024 -0800 Merge branch 'eth-fbnic-cleanup-and-add-a-few-stats' Jakub Kicinski says: ==================== eth: fbnic: cleanup and add a few stats Cleanup trival problems with fbnic and add the PCIe and RPC (Rx parser) stats. All stats are read under rtnl_lock for now, so the code is pretty trivial. We'll need to add more locking when we start gathering drops used by .ndo_get_stats64. ==================== Link: https://patch.msgid.link/20241115015344.757567-1-kuba@kernel.org Signed-off-by: Jakub Kicinski commit 79da2aaa08ee9980ac3f750f8b3d3db389714257 Author: Sanman Pradhan Date: Thu Nov 14 17:53:44 2024 -0800 eth: fbnic: add RPC hardware statistics Report Rx parser statistics via ethtool -S. The parser stats are 32b, so we need to add refresh to the service task to make sure we don't miss overflows. Signed-off-by: Sanman Pradhan Reviewed-by: Andrew Lunn Link: https://patch.msgid.link/20241115015344.757567-6-kuba@kernel.org Signed-off-by: Jakub Kicinski commit 25ba596d137db208ace697e3adc7cc35b3b2882b Author: Sanman Pradhan Date: Thu Nov 14 17:53:43 2024 -0800 eth: fbnic: add PCIe hardware statistics Add PCIe hardware statistics support to the fbnic driver. These stats provide insight into PCIe transaction performance and error conditions. Which includes, read/write and completion TLP counts and DWORD counts and debug counters for tag, completion credit and NP credit exhaustion The stats are exposed via debugfs and can be used to monitor PCIe performance and debug PCIe issues. Signed-off-by: Sanman Pradhan Reviewed-by: Andrew Lunn Link: https://patch.msgid.link/20241115015344.757567-5-kuba@kernel.org Signed-off-by: Jakub Kicinski commit 08606cb528bed9f265ea8a99b0c310f3eba0ca89 Author: Jakub Kicinski Date: Thu Nov 14 17:53:42 2024 -0800 eth: fbnic: add basic debugfs structure Add the usual debugfs structure: fbnic/ $pci-id/ device-fileA device-fileB This patch only adds the directories, subsequent changes will add files. Reviewed-by: Andrew Lunn Reviewed-by: Kalesh AP Link: https://patch.msgid.link/20241115015344.757567-4-kuba@kernel.org Signed-off-by: Jakub Kicinski commit 2a0d6c1705c42b81efd927f0bad91e68245dba7f Author: Jakub Kicinski Date: Thu Nov 14 17:53:41 2024 -0800 eth: fbnic: add missing header guards While adding the SPDX headers I noticed we're also missing a header guard. Reviewed-by: Andrew Lunn Reviewed-by: Kalesh AP Link: https://patch.msgid.link/20241115015344.757567-3-kuba@kernel.org Signed-off-by: Jakub Kicinski commit e1a897ef4e9e633b8ad657063799707aa2d818a8 Author: Jakub Kicinski Date: Thu Nov 14 17:53:40 2024 -0800 eth: fbnic: add missing SPDX headers Paolo noticed that we are missing SPDX headers, add them. Reviewed-by: Andrew Lunn Reviewed-by: Kalesh AP Link: https://patch.msgid.link/20241115015344.757567-2-kuba@kernel.org Signed-off-by: Jakub Kicinski commit 62e9c00ea868ceb71156c517747dc69316c25bf1 Author: Jakub Kicinski Date: Thu Nov 14 17:48:09 2024 -0800 eth: fbnic: don't disable the PCI device twice We use pcim_enable_device(), there is no need to call pci_disable_device(). Fixes: 546dd90be979 ("eth: fbnic: Add scaffolding for Meta's NIC driver") Reviewed-by: Simon Horman Link: https://patch.msgid.link/20241115014809.754860-1-kuba@kernel.org Signed-off-by: Jakub Kicinski commit 357c52ff860b3d047de5d2c605c46dd9a8448821 Author: Jakub Kicinski Date: Thu Nov 14 16:32:48 2024 -0800 selftests: net: netlink-dumps: validation checks The sanity checks are going to get silently cast to unsigned and always pass. Cast the sizeof to signed size. Reviewed-by: Simon Horman Link: https://patch.msgid.link/20241115003248.733862-1-kuba@kernel.org Signed-off-by: Jakub Kicinski commit 0de6a472c3b38432b2f184bd64eb70d9ea36d107 Author: Jakub Kicinski Date: Thu Nov 14 16:32:21 2024 -0800 net/neighbor: clear error in case strict check is not set Commit 51183d233b5a ("net/neighbor: Update neigh_dump_info for strict data checking") added strict checking. The err variable is not cleared, so if we find no table to dump we will return the validation error even if user did not want strict checking. I think the only way to hit this is to send an buggy request, and ask for a table which doesn't exist, so there's no point treating this as a real fix. I only noticed it because a syzbot repro depended on it to trigger another bug. Reviewed-by: Simon Horman Link: https://patch.msgid.link/20241115003221.733593-1-kuba@kernel.org Signed-off-by: Jakub Kicinski commit e64285ff41bb7a934bd815bd38f31119be62ac37 Author: Dmitry Antipov Date: Thu Nov 14 18:19:46 2024 +0300 rocker: fix link status detection in rocker_carrier_init() Since '1 << rocker_port->pport' may be undefined for port >= 32, cast the left operand to 'unsigned long long' like it's done in 'rocker_port_set_enable()' above. Compile tested only. Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: Dmitry Antipov Link: https://patch.msgid.link/20241114151946.519047-1-dmantipov@yandex.ru Signed-off-by: Jakub Kicinski commit a0c80d5108ab36cf6cc974a24ce9c522f271d754 Author: Jack Wu Date: Thu Nov 14 18:20:02 2024 +0800 net: wwan: t7xx: Change PM_AUTOSUSPEND_MS to 5000 Because optimizing the power consumption of t7XX, change auto suspend time to 5000. The Tests uses a script to loop through the power_state of t7XX. (for example: /sys/bus/pci/devices/0000\:72\:00.0/power_state) * If Auto suspend is 20 seconds, test script show power_state have 0~5% of the time was in D3 state when host don't have data packet transmission. * Changed auto suspend time to 5 seconds, test script show power_state have 50%~80% of the time was in D3 state when host don't have data packet transmission. We tested Fibocom FM350 and our products using the t7xx and they all benefited from this. Signed-off-by: Jack Wu Reviewed-by: Andrew Lunn Reviewed-by: Sergey Ryazanov Link: https://patch.msgid.link/20241114102002.481081-1-wojackbb@gmail.com Signed-off-by: Jakub Kicinski commit 6204656478bec37a3c801cbd6a451e085bbaca41 Author: Jakub Kicinski Date: Wed Nov 13 11:32:38 2024 -0800 tools: ynl-gen: allow uapi headers in sub-dirs Binder places its headers under include/uapi/linux/android/ Make sure replace / with _ in the uAPI header guard, the c_upper() is more strict and only converts - to _. This is likely a good constraint to have, to enforce sane naming in enums etc. But paths may include /. Signed-off-by: Li Li Link: https://patch.msgid.link/20241113193239.2113577-2-dualli@chromium.org Signed-off-by: Jakub Kicinski commit 158f238aa69d91ad74e535c73f552bd4b025109c Merge: ba1f9c8fe3d443 afc545da381ba0 Author: Linus Torvalds Date: Mon Nov 18 18:26:57 2024 -0800 Merge tag 'for-linus-6.13-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip Pull xen updates from Juergen Gross: - a series for booting as a PVH guest, doing some cleanups after the previous work to make PVH boot code position independent - a fix of the xenbus driver avoiding a leak in an error case * tag 'for-linus-6.13-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip: xen: Fix the issue of resource not being properly released in xenbus_dev_probe() x86/pvh: Avoid absolute symbol references in .head.text x86/xen: Avoid relocatable quantities in Xen ELF notes x86/pvh: Omit needless clearing of phys_base x86/pvh: Use correct size value in GDT descriptor x86/pvh: Call C code via the kernel virtual mapping commit ba1f9c8fe3d443a78814cdf8ac8f9829b5ca7095 Merge: 9aa4c37f71b9a0 83ef4a378e563d Author: Linus Torvalds Date: Mon Nov 18 18:10:37 2024 -0800 Merge tag 'arm64-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux Pull arm64 updates from Catalin Marinas: - Support for running Linux in a protected VM under the Arm Confidential Compute Architecture (CCA) - Guarded Control Stack user-space support. Current patches follow the x86 ABI of implicitly creating a shadow stack on clone(). Subsequent patches (already on the list) will add support for clone3() allowing finer-grained control of the shadow stack size and placement from libc - AT_HWCAP3 support (not running out of HWCAP2 bits yet but we are getting close with the upcoming dpISA support) - Other arch features: - In-kernel use of the memcpy instructions, FEAT_MOPS (previously only exposed to user; uaccess support not merged yet) - MTE: hugetlbfs support and the corresponding kselftests - Optimise CRC32 using the PMULL instructions - Support for FEAT_HAFT enabling ARCH_HAS_NONLEAF_PMD_YOUNG - Optimise the kernel TLB flushing to use the range operations - POE/pkey (permission overlays): further cleanups after bringing the signal handler in line with the x86 behaviour for 6.12 - arm64 perf updates: - Support for the NXP i.MX91 PMU in the existing IMX driver - Support for Ampere SoCs in the Designware PCIe PMU driver - Support for Marvell's 'PEM' PCIe PMU present in the 'Odyssey' SoC - Support for Samsung's 'Mongoose' CPU PMU - Support for PMUv3.9 finer-grained userspace counter access control - Switch back to platform_driver::remove() now that it returns 'void' - Add some missing events for the CXL PMU driver - Miscellaneous arm64 fixes/cleanups: - Page table accessors cleanup: type updates, drop unused macros, reorganise arch_make_huge_pte() and clean up pte_mkcont(), sanity check addresses before runtime P4D/PUD folding - Command line override for ID_AA64MMFR0_EL1.ECV (advertising the FEAT_ECV for the generic timers) allowing Linux to boot with firmware deployments that don't set SCTLR_EL3.ECVEn - ACPI/arm64: tighten the check for the array of platform timer structures and adjust the error handling procedure in gtdt_parse_timer_block() - Optimise the cache flush for the uprobes xol slot (skip if no change) and other uprobes/kprobes cleanups - Fix the context switching of tpidrro_el0 when kpti is enabled - Dynamic shadow call stack fixes - Sysreg updates - Various arm64 kselftest improvements * tag 'arm64-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: (168 commits) arm64: tls: Fix context-switching of tpidrro_el0 when kpti is enabled kselftest/arm64: Try harder to generate different keys during PAC tests kselftest/arm64: Don't leak pipe fds in pac.exec_sign_all() arm64/ptrace: Clarify documentation of VL configuration via ptrace kselftest/arm64: Corrupt P0 in the irritator when testing SSVE acpi/arm64: remove unnecessary cast arm64/mm: Change protval as 'pteval_t' in map_range() kselftest/arm64: Fix missing printf() argument in gcs/gcs-stress.c kselftest/arm64: Add FPMR coverage to fp-ptrace kselftest/arm64: Expand the set of ZA writes fp-ptrace does kselftets/arm64: Use flag bits for features in fp-ptrace assembler code kselftest/arm64: Enable build of PAC tests with LLVM=1 kselftest/arm64: Check that SVCR is 0 in signal handlers selftests/mm: Fix unused function warning for aarch64_write_signal_pkey() kselftest/arm64: Fix printf() compiler warnings in the arm64 syscall-abi.c tests kselftest/arm64: Fix printf() warning in the arm64 MTE prctl() test kselftest/arm64: Fix printf() compiler warnings in the arm64 fp tests kselftest/arm64: Fix build with stricter assemblers arm64/scs: Drop unused prototype __pi_scs_patch_vmlinux() arm64/scs: Deal with 64-bit relative offsets in FDE frames ... commit 9aa4c37f71b9a0a4f51692fbb874888c139805ce Merge: ae4336e20b8acb 647619b6bd27d2 Author: Linus Torvalds Date: Mon Nov 18 18:00:18 2024 -0800 Merge tag 'm68k-for-v6.13-tag1' of git://git.kernel.org/pub/scm/linux/kernel/git/geert/linux-m68k Pull m68k updates from Geert Uytterhoeven: - Revive SCSI and early console support on MVME147 - Fix early kernel parameters using static keys - Prevent and improve handling of kernel configurations that lack specific platform, CPU, or MMU support, to avoid build failures - Miscellaneous fixes and improvements - Defconfig updates * tag 'm68k-for-v6.13-tag1' of git://git.kernel.org/pub/scm/linux/kernel/git/geert/linux-m68k: m68k: defconfig: Update defconfigs for v6.12-rc1 m68k: mvme147: Reinstate early console m68k: Make sure NR_IRQS is never zero m68k: Select M68020 as fallback for classic m68k: Move Sun 3 into a top-level platform option m68k: kernel: Use str_read_write() helper function m68k: Initialize jump labels early during setup_arch() m68k: mvme147: Fix SCSI controller IRQ numbers m68k: mvme147: Make mvme147_sched_init() __init commit ae4336e20b8acb4d67205273645d27bd4d4392d4 Merge: 0338cd9c22d1bc 56131e6d1fcce8 Author: Linus Torvalds Date: Mon Nov 18 17:48:39 2024 -0800 Merge tag 'mips_6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux Pull MIPS updates from Thomas Bogendoerfer: "Just cleanups and fixes" * tag 'mips_6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux: mips: dts: realtek: Add I2C controllers mips: dts: realtek: Add syscon-reboot node MIPS: loongson3_defconfig: Enable blk_dev_nvme by default MIPS: loongson3_defconfig: Update configs dependencies MAINTAINERS: Remove linux-mips.org references MAINTAINERS: Retire Ralf Baechle TC: Fix the wrong format specifier MIPS: kernel: proc: Use str_yes_no() helper function MIPS: mobileye: eyeq6h-epm6: Use eyeq6h in the board device tree mips: bmips: bcm6358/6368: define required brcm,bmips-cbr-reg MIPS: Allow using more than 32-bit addresses for reset vectors when possible mips: asm: fix warning when disabling MIPS_FP_SUPPORT mips: sgi-ip22: Replace "s[n]?printf" with sysfs_emit in sysfs callbacks commit 0338cd9c22d1bce7dc4a6641d4215a50f476f429 Merge: 5591fd5e034819 e200565d434b66 Author: Linus Torvalds Date: Mon Nov 18 17:45:41 2024 -0800 Merge tag 's390-6.13-1' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux Pull s390 updates from Heiko Carstens: - Add firmware sysfs interface which allows user space to retrieve the dump area size of the machine - Add 'measurement_chars_full' CHPID sysfs attribute to make the complete associated Channel-Measurements Characteristics Block available - Add virtio-mem support - Move gmap aka KVM page fault handling from the main fault handler to KVM code. This is the first step to make s390 KVM page fault handling similar to other architectures. With this first step the main fault handler does not have any special handling anymore, and therefore convert it to support LOCK_MM_AND_FIND_VMA - With gcc 14 s390 support for flag output operand support for inline assemblies was added. This allows for several optimizations: - Provide a cmpxchg inline assembly which makes use of this, and provide all variants of arch_try_cmpxchg() so that the compiler can generate slightly better code - Convert a few cmpxchg() loops to try_cmpxchg() loops - Similar to x86 add a CC_OUT() helper macro (and other macros), and convert all inline assemblies to make use of them, so that depending on compiler version better code can be generated - List installed host-key hashes in sysfs if the machine supports the Query Ultravisor Keys UVC - Add 'Retrieve Secret' ioctl which allows user space in protected execution guests to retrieve previously stored secrets from the Ultravisor - Add pkey-uv module which supports the conversion of Ultravisor retrievable secrets to protected keys - Extend the existing paes cipher to exploit the full AES-XTS hardware acceleration introduced with message-security assist extension 10 - Convert hopefully all sysfs show functions to use sysfs_emit() so that the constant flow of such patches stop - For PCI devices make use of the newly added Topology ID attribute to enable whole card multi-function support despite the change to PCHID per port. Additionally improve the overall robustness and usability of the multifunction support - Various other small improvements, fixes, and cleanups * tag 's390-6.13-1' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux: (133 commits) s390/cio/ioasm: Convert to use flag output macros s390/cio/qdio: Convert to use flag output macros s390/sclp: Convert to use flag output macros s390/dasd: Convert to use flag output macros s390/boot/physmem: Convert to use flag output macros s390/pci: Convert to use flag output macros s390/kvm: Convert to use flag output macros s390/extmem: Convert to use flag output macros s390/string: Convert to use flag output macros s390/diag: Convert to use flag output macros s390/irq: Convert to use flag output macros s390/smp: Convert to use flag output macros s390/uv: Convert to use flag output macros s390/pai: Convert to use flag output macros s390/mm: Convert to use flag output macros s390/cpu_mf: Convert to use flag output macros s390/cpcmd: Convert to use flag output macros s390/topology: Convert to use flag output macros s390/time: Convert to use flag output macros s390/pageattr: Convert to use flag output macros ... commit 5591fd5e034819a89ac93c0ccc6be2a930042f71 Merge: 8ffc7dbce2d54d 8afd8c8faa2424 Author: Linus Torvalds Date: Mon Nov 18 17:34:05 2024 -0800 Merge tag 'lsm-pr-20241112' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm Pull lsm updates from Paul Moore: "Thirteen patches, all focused on moving away from the current 'secid' LSM identifier to a richer 'lsm_prop' structure. This move will help reduce the translation that is necessary in many LSMs, offering better performance, and make it easier to support different LSMs in the future" * tag 'lsm-pr-20241112' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm: lsm: remove lsm_prop scaffolding netlabel,smack: use lsm_prop for audit data audit: change context data from secid to lsm_prop lsm: create new security_cred_getlsmprop LSM hook audit: use an lsm_prop in audit_names lsm: use lsm_prop in security_inode_getsecid lsm: use lsm_prop in security_current_getsecid audit: update shutdown LSM data lsm: use lsm_prop in security_ipc_getsecid audit: maintain an lsm_prop in audit_context lsm: add lsmprop_to_secctx hook lsm: use lsm_prop in security_audit_rule_match lsm: add the lsm_prop data structure commit 3802f73bd80766d70f319658f334754164075bc3 Author: Yu Kuai Date: Mon Nov 4 19:00:05 2024 +0800 block: fix uaf for flush rq while iterating tags blk_mq_clear_flush_rq_mapping() is not called during scsi probe, by checking blk_queue_init_done(). However, QUEUE_FLAG_INIT_DONE is cleared in del_gendisk by commit aec89dc5d421 ("block: keep q_usage_counter in atomic mode after del_gendisk"), hence for disk like scsi, following blk_mq_destroy_queue() will not clear flush rq from tags->rqs[] as well, cause following uaf that is found by our syzkaller for v6.6: ================================================================== BUG: KASAN: slab-use-after-free in blk_mq_find_and_get_req+0x16e/0x1a0 block/blk-mq-tag.c:261 Read of size 4 at addr ffff88811c969c20 by task kworker/1:2H/224909 CPU: 1 PID: 224909 Comm: kworker/1:2H Not tainted 6.6.0-ga836a5060850 #32 Workqueue: kblockd blk_mq_timeout_work Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106 print_address_description.constprop.0+0x66/0x300 mm/kasan/report.c:364 print_report+0x3e/0x70 mm/kasan/report.c:475 kasan_report+0xb8/0xf0 mm/kasan/report.c:588 blk_mq_find_and_get_req+0x16e/0x1a0 block/blk-mq-tag.c:261 bt_iter block/blk-mq-tag.c:288 [inline] __sbitmap_for_each_set include/linux/sbitmap.h:295 [inline] sbitmap_for_each_set include/linux/sbitmap.h:316 [inline] bt_for_each+0x455/0x790 block/blk-mq-tag.c:325 blk_mq_queue_tag_busy_iter+0x320/0x740 block/blk-mq-tag.c:534 blk_mq_timeout_work+0x1a3/0x7b0 block/blk-mq.c:1673 process_one_work+0x7c4/0x1450 kernel/workqueue.c:2631 process_scheduled_works kernel/workqueue.c:2704 [inline] worker_thread+0x804/0xe40 kernel/workqueue.c:2785 kthread+0x346/0x450 kernel/kthread.c:388 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:293 Allocated by task 942: kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:374 [inline] __kasan_kmalloc mm/kasan/common.c:383 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:380 kasan_kmalloc include/linux/kasan.h:198 [inline] __do_kmalloc_node mm/slab_common.c:1007 [inline] __kmalloc_node+0x69/0x170 mm/slab_common.c:1014 kmalloc_node include/linux/slab.h:620 [inline] kzalloc_node include/linux/slab.h:732 [inline] blk_alloc_flush_queue+0x144/0x2f0 block/blk-flush.c:499 blk_mq_alloc_hctx+0x601/0x940 block/blk-mq.c:3788 blk_mq_alloc_and_init_hctx+0x27f/0x330 block/blk-mq.c:4261 blk_mq_realloc_hw_ctxs+0x488/0x5e0 block/blk-mq.c:4294 blk_mq_init_allocated_queue+0x188/0x860 block/blk-mq.c:4350 blk_mq_init_queue_data block/blk-mq.c:4166 [inline] blk_mq_init_queue+0x8d/0x100 block/blk-mq.c:4176 scsi_alloc_sdev+0x843/0xd50 drivers/scsi/scsi_scan.c:335 scsi_probe_and_add_lun+0x77c/0xde0 drivers/scsi/scsi_scan.c:1189 __scsi_scan_target+0x1fc/0x5a0 drivers/scsi/scsi_scan.c:1727 scsi_scan_channel drivers/scsi/scsi_scan.c:1815 [inline] scsi_scan_channel+0x14b/0x1e0 drivers/scsi/scsi_scan.c:1791 scsi_scan_host_selected+0x2fe/0x400 drivers/scsi/scsi_scan.c:1844 scsi_scan+0x3a0/0x3f0 drivers/scsi/scsi_sysfs.c:151 store_scan+0x2a/0x60 drivers/scsi/scsi_sysfs.c:191 dev_attr_store+0x5c/0x90 drivers/base/core.c:2388 sysfs_kf_write+0x11c/0x170 fs/sysfs/file.c:136 kernfs_fop_write_iter+0x3fc/0x610 fs/kernfs/file.c:338 call_write_iter include/linux/fs.h:2083 [inline] new_sync_write+0x1b4/0x2d0 fs/read_write.c:493 vfs_write+0x76c/0xb00 fs/read_write.c:586 ksys_write+0x127/0x250 fs/read_write.c:639 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x70/0x120 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x78/0xe2 Freed by task 244687: kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 kasan_save_free_info+0x2b/0x50 mm/kasan/generic.c:522 ____kasan_slab_free mm/kasan/common.c:236 [inline] __kasan_slab_free+0x12a/0x1b0 mm/kasan/common.c:244 kasan_slab_free include/linux/kasan.h:164 [inline] slab_free_hook mm/slub.c:1815 [inline] slab_free_freelist_hook mm/slub.c:1841 [inline] slab_free mm/slub.c:3807 [inline] __kmem_cache_free+0xe4/0x520 mm/slub.c:3820 blk_free_flush_queue+0x40/0x60 block/blk-flush.c:520 blk_mq_hw_sysfs_release+0x4a/0x170 block/blk-mq-sysfs.c:37 kobject_cleanup+0x136/0x410 lib/kobject.c:689 kobject_release lib/kobject.c:720 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x119/0x140 lib/kobject.c:737 blk_mq_release+0x24f/0x3f0 block/blk-mq.c:4144 blk_free_queue block/blk-core.c:298 [inline] blk_put_queue+0xe2/0x180 block/blk-core.c:314 blkg_free_workfn+0x376/0x6e0 block/blk-cgroup.c:144 process_one_work+0x7c4/0x1450 kernel/workqueue.c:2631 process_scheduled_works kernel/workqueue.c:2704 [inline] worker_thread+0x804/0xe40 kernel/workqueue.c:2785 kthread+0x346/0x450 kernel/kthread.c:388 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:293 Other than blk_mq_clear_flush_rq_mapping(), the flag is only used in blk_register_queue() from initialization path, hence it's safe not to clear the flag in del_gendisk. And since QUEUE_FLAG_REGISTERED already make sure that queue should only be registered once, there is no need to test the flag as well. Fixes: 6cfeadbff3f8 ("blk-mq: don't clear flush_rq from tags->rqs[]") Depends-on: commit aec89dc5d421 ("block: keep q_usage_counter in atomic mode after del_gendisk") Signed-off-by: Yu Kuai Reviewed-by: Ming Lei Link: https://lore.kernel.org/r/20241104110005.1412161-1-yukuai1@huaweicloud.com Signed-off-by: Jens Axboe commit 8ffc7dbce2d54d2ac1fac9f79a94cb84b0cba1f5 Merge: a8220b0ca79844 d7b6918e22c74f Author: Linus Torvalds Date: Mon Nov 18 17:30:52 2024 -0800 Merge tag 'selinux-pr-20241112' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux Pull selinux updates from Paul Moore: - Add support for netlink xperms Some time ago we added the concept of "xperms" to the SELinux policy so that we could write policy for individual ioctls, this builds upon this by using extending xperms to netlink so that we can write SELinux policy for individual netlnk message types and not rely on the fairly coarse read/write mapping tables we currently have. There are limitations involving generic netlink due to the multiplexing that is done, but it's no worse that what we currently have. As usual, more information can be found in the commit message. - Deprecate /sys/fs/selinux/user We removed the only known userspace use of this back in 2020 and now that several years have elapsed we're starting down the path of deprecating it in the kernel. - Cleanup the build under scripts/selinux A couple of patches to move the genheaders tool under security/selinux and correct our usage of kernel headers in the tools located under scripts/selinux. While these changes originated out of an effort to build Linux on different systems, they are arguably the right thing to do regardless. - Minor code cleanups and style fixes Not much to say here, two minor cleanup patches that came out of the netlink xperms work * tag 'selinux-pr-20241112' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: selinux: Deprecate /sys/fs/selinux/user selinux: apply clang format to security/selinux/nlmsgtab.c selinux: streamline selinux_nlmsg_lookup() selinux: Add netlink xperm support selinux: move genheaders to security/selinux/ selinux: do not include headers from host programs commit a8220b0ca79844bf5abb40ff067fb1db18eb79f0 Merge: 8350142a4b4ced 89282beaf75d81 Author: Linus Torvalds Date: Mon Nov 18 17:28:52 2024 -0800 Merge tag 'audit-pr-20241112' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit Pull audit updates from Paul Moore: "The audit patches are minimal this time around with one patch to correct some kdoc function parameters and one to leverage the `str_yes_no()` function; nothing very exciting" * tag 'audit-pr-20241112' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit: audit: Use str_yes_no() helper function audit: Reorganize kerneldoc parameter names commit 583772eec7b0096516a8ee8b1cc31401894f1e3a Author: Jeff Layton Date: Mon Nov 18 09:54:34 2024 -0500 nfsd: allow for up to 32 callback session slots nfsd currently only uses a single slot in the callback channel, which is proving to be a bottleneck in some cases. Widen the callback channel to a max of 32 slots (subject to the client's target_maxreqs value). Change the cb_holds_slot boolean to an integer that tracks the current slot number (with -1 meaning "unassigned"). Move the callback slot tracking info into the session. Add a new u32 that acts as a bitmap to track which slots are in use, and a u32 to track the latest callback target_slotid that the client reports. To protect the new fields, add a new per-session spinlock (the se_lock). Fix nfsd41_cb_get_slot to always search for the lowest slotid (using ffs()). Finally, convert the session->se_cb_seq_nr field into an array of ints and add the necessary handling to ensure that the seqids get reset when the slot table grows after shrinking. Signed-off-by: Jeff Layton Signed-off-by: Chuck Lever commit c840b8e1f039e90f97ca55525667eb961422f86c Author: Mike Snitzer Date: Wed Nov 13 22:59:38 2024 -0500 nfs_common: must not hold RCU while calling nfsd_file_put_local Move holding the RCU from nfs_to_nfsd_file_put_local to nfs_to_nfsd_net_put. It is the call to nfs_to->nfsd_serv_put that requires the RCU anyway (the puts for nfsd_file and netns were combined to avoid an extra indirect reference but that micro-optimization isn't possible now). This fixes xfstests generic/013 and it triggering: "Voluntary context switch within RCU read-side critical section!" [ 143.545738] Call Trace: [ 143.546206] [ 143.546625] ? show_regs+0x6d/0x80 [ 143.547267] ? __warn+0x91/0x140 [ 143.547951] ? rcu_note_context_switch+0x496/0x5d0 [ 143.548856] ? report_bug+0x193/0x1a0 [ 143.549557] ? handle_bug+0x63/0xa0 [ 143.550214] ? exc_invalid_op+0x1d/0x80 [ 143.550938] ? asm_exc_invalid_op+0x1f/0x30 [ 143.551736] ? rcu_note_context_switch+0x496/0x5d0 [ 143.552634] ? wakeup_preempt+0x62/0x70 [ 143.553358] __schedule+0xaa/0x1380 [ 143.554025] ? _raw_spin_unlock_irqrestore+0x12/0x40 [ 143.554958] ? try_to_wake_up+0x1fe/0x6b0 [ 143.555715] ? wake_up_process+0x19/0x20 [ 143.556452] schedule+0x2e/0x120 [ 143.557066] schedule_preempt_disabled+0x19/0x30 [ 143.557933] rwsem_down_read_slowpath+0x24d/0x4a0 [ 143.558818] ? xfs_efi_item_format+0x50/0xc0 [xfs] [ 143.559894] down_read+0x4e/0xb0 [ 143.560519] xlog_cil_commit+0x1b2/0xbc0 [xfs] [ 143.561460] ? _raw_spin_unlock+0x12/0x30 [ 143.562212] ? xfs_inode_item_precommit+0xc7/0x220 [xfs] [ 143.563309] ? xfs_trans_run_precommits+0x69/0xd0 [xfs] [ 143.564394] __xfs_trans_commit+0xb5/0x330 [xfs] [ 143.565367] xfs_trans_roll+0x48/0xc0 [xfs] [ 143.566262] xfs_defer_trans_roll+0x57/0x100 [xfs] [ 143.567278] xfs_defer_finish_noroll+0x27a/0x490 [xfs] [ 143.568342] xfs_defer_finish+0x1a/0x80 [xfs] [ 143.569267] xfs_bunmapi_range+0x4d/0xb0 [xfs] [ 143.570208] xfs_itruncate_extents_flags+0x13d/0x230 [xfs] [ 143.571353] xfs_free_eofblocks+0x12e/0x190 [xfs] [ 143.572359] xfs_file_release+0x12d/0x140 [xfs] [ 143.573324] __fput+0xe8/0x2d0 [ 143.573922] __fput_sync+0x1d/0x30 [ 143.574574] nfsd_filp_close+0x33/0x60 [nfsd] [ 143.575430] nfsd_file_free+0x96/0x150 [nfsd] [ 143.576274] nfsd_file_put+0xf7/0x1a0 [nfsd] [ 143.577104] nfsd_file_put_local+0x18/0x30 [nfsd] [ 143.578070] nfs_close_local_fh+0x101/0x110 [nfs_localio] [ 143.579079] __put_nfs_open_context+0xc9/0x180 [nfs] [ 143.580031] nfs_file_clear_open_context+0x4a/0x60 [nfs] [ 143.581038] nfs_file_release+0x3e/0x60 [nfs] [ 143.581879] __fput+0xe8/0x2d0 [ 143.582464] __fput_sync+0x1d/0x30 [ 143.583108] __x64_sys_close+0x41/0x80 [ 143.583823] x64_sys_call+0x189a/0x20d0 [ 143.584552] do_syscall_64+0x64/0x170 [ 143.585240] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 143.586185] RIP: 0033:0x7f3c5153efd7 Fixes: 65f2a5c36635 ("nfs_common: fix race in NFS calls to nfsd_file_put_local() and nfsd_serv_put()") Signed-off-by: Mike Snitzer Reviewed-by: NeilBrown Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever commit 07442ec85bded6692f2e5909f16ab8bbc86fb3be Author: Al Viro Date: Tue Nov 12 21:35:24 2024 +0000 nfsd: get rid of include ../internal.h added back in 2015 for the sake of vfs_clone_file_range(), which is in linux/fs.h these days Signed-off-by: Al Viro Signed-off-by: Chuck Lever commit 98100e88dd8865999dc6379a3356cd799795fe7b Author: Yang Erkun Date: Tue Nov 5 19:03:14 2024 +0800 nfsd: fix nfs4_openowner leak when concurrent nfsd4_open occur The action force umount(umount -f) will attempt to kill all rpc_task even umount operation may ultimately fail if some files remain open. Consequently, if an action attempts to open a file, it can potentially send two rpc_task to nfs server. NFS CLIENT thread1 thread2 open("file") ... nfs4_do_open _nfs4_do_open _nfs4_open_and_get_state _nfs4_proc_open nfs4_run_open_task /* rpc_task1 */ rpc_run_task rpc_wait_for_completion_task umount -f nfs_umount_begin rpc_killall_tasks rpc_signal_task rpc_task1 been wakeup and return -512 _nfs4_do_open // while loop ... nfs4_run_open_task /* rpc_task2 */ rpc_run_task rpc_wait_for_completion_task While processing an open request, nfsd will first attempt to find or allocate an nfs4_openowner. If it finds an nfs4_openowner that is not marked as NFS4_OO_CONFIRMED, this nfs4_openowner will released. Since two rpc_task can attempt to open the same file simultaneously from the client to server, and because two instances of nfsd can run concurrently, this situation can lead to lots of memory leak. Additionally, when we echo 0 to /proc/fs/nfsd/threads, warning will be triggered. NFS SERVER nfsd1 nfsd2 echo 0 > /proc/fs/nfsd/threads nfsd4_open nfsd4_process_open1 find_or_alloc_open_stateowner // alloc oo1, stateid1 nfsd4_open nfsd4_process_open1 find_or_alloc_open_stateowner // find oo1, without NFS4_OO_CONFIRMED release_openowner unhash_openowner_locked list_del_init(&oo->oo_perclient) // cannot find this oo // from client, LEAK!!! alloc_stateowner // alloc oo2 nfsd4_process_open2 init_open_stateid // associate oo1 // with stateid1, stateid1 LEAK!!! nfs4_get_vfs_file // alloc nfsd_file1 and nfsd_file_mark1 // all LEAK!!! nfsd4_process_open2 ... write_threads ... nfsd_destroy_serv nfsd_shutdown_net nfs4_state_shutdown_net nfs4_state_destroy_net destroy_client __destroy_client // won't find oo1!!! nfsd_shutdown_generic nfsd_file_cache_shutdown kmem_cache_destroy for nfsd_file_slab and nfsd_file_mark_slab // bark since nfsd_file1 // and nfsd_file_mark1 // still alive ======================================================================= BUG nfsd_file (Not tainted): Objects remaining in nfsd_file on __kmem_cache_shutdown() ----------------------------------------------------------------------- Slab 0xffd4000004438a80 objects=34 used=1 fp=0xff11000110e2ad28 flags=0x17ffffc0000240(workingset|head|node=0|zone=2|lastcpupid=0x1fffff) CPU: 4 UID: 0 PID: 757 Comm: sh Not tainted 6.12.0-rc6+ #19 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 Call Trace: dump_stack_lvl+0x53/0x70 slab_err+0xb0/0xf0 __kmem_cache_shutdown+0x15c/0x310 kmem_cache_destroy+0x66/0x160 nfsd_file_cache_shutdown+0xac/0x210 [nfsd] nfsd_destroy_serv+0x251/0x2a0 [nfsd] nfsd_svc+0x125/0x1e0 [nfsd] write_threads+0x16a/0x2a0 [nfsd] nfsctl_transaction_write+0x74/0xa0 [nfsd] vfs_write+0x1ae/0x6d0 ksys_write+0xc1/0x160 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e Disabling lock debugging due to kernel taint Object 0xff11000110e2ac38 @offset=3128 Allocated in nfsd_file_do_acquire+0x20f/0xa30 [nfsd] age=1635 cpu=3 pid=800 nfsd_file_do_acquire+0x20f/0xa30 [nfsd] nfsd_file_acquire_opened+0x5f/0x90 [nfsd] nfs4_get_vfs_file+0x4c9/0x570 [nfsd] nfsd4_process_open2+0x713/0x1070 [nfsd] nfsd4_open+0x74b/0x8b0 [nfsd] nfsd4_proc_compound+0x70b/0xc20 [nfsd] nfsd_dispatch+0x1b4/0x3a0 [nfsd] svc_process_common+0x5b8/0xc50 [sunrpc] svc_process+0x2ab/0x3b0 [sunrpc] svc_handle_xprt+0x681/0xa20 [sunrpc] nfsd+0x183/0x220 [nfsd] kthread+0x199/0x1e0 ret_from_fork+0x31/0x60 ret_from_fork_asm+0x1a/0x30 Add nfs4_openowner_unhashed to help found unhashed nfs4_openowner, and break nfsd4_open process to fix this problem. Cc: stable@vger.kernel.org # v5.4+ Reviewed-by: Jeff Layton Signed-off-by: Yang Erkun Signed-off-by: Chuck Lever commit aa0ebd21df9c90a69f8bf00e3fa49d476be8e290 Author: Chuck Lever Date: Thu Oct 31 09:40:08 2024 -0400 NFSD: Add nfsd4_copy time-to-live Keep async copy state alive for a few lease cycles after the copy completes so that OFFLOAD_STATUS returns something meaningful. This means that NFSD's client shutdown processing needs to purge any of this state that happens to be waiting to die. Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever commit ac0514f4d198b5d1d5ba367b122cdf5a68e711d4 Author: Chuck Lever Date: Thu Oct 31 09:40:07 2024 -0400 NFSD: Add a laundromat reaper for async copy state RFC 7862 Section 4.8 states: > A copy offload stateid will be valid until either (A) the client > or server restarts or (B) the client returns the resource by > issuing an OFFLOAD_CANCEL operation or the client replies to a > CB_OFFLOAD operation. Instead of releasing async copy state when the CB_OFFLOAD callback completes, now let it live until the next laundromat run after the callback completes. Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever commit b44ffa4c4f57ffe8a0967963538689fed169f1c8 Author: Chuck Lever Date: Thu Oct 31 09:40:06 2024 -0400 NFSD: Block DESTROY_CLIENTID only when there are ongoing async COPY operations Currently __destroy_client() consults the nfs4_client's async_copies list to determine whether there are ongoing async COPY operations. However, NFSD now keeps copy state in that list even when the async copy has completed, to enable OFFLOAD_STATUS to find the COPY results for a while after the COPY has completed. DESTROY_CLIENTID should not be blocked if the client's async_copies list contains state for only completed copy operations. Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever commit 5c41f321470a5400641d3a271014ddd9b9868373 Author: Chuck Lever Date: Thu Oct 31 09:40:05 2024 -0400 NFSD: Handle an NFS4ERR_DELAY response to CB_OFFLOAD RFC 7862 permits callback services to respond to CB_OFFLOAD with NFS4ERR_DELAY. Currently NFSD drops the CB_OFFLOAD in that case. To improve the reliability of COPY offload, NFSD should rather send another CB_OFFLOAD completion notification. Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever commit 409d6f52bd6b4fb43fbb4db9daeb5022e2e1d00c Author: Chuck Lever Date: Thu Oct 31 09:40:04 2024 -0400 NFSD: Free async copy information in nfsd4_cb_offload_release() RFC 7862 Section 4.8 states: > A copy offload stateid will be valid until either (A) the client > or server restarts or (B) the client returns the resource by > issuing an OFFLOAD_CANCEL operation or the client replies to a > CB_OFFLOAD operation. Currently, NFSD purges the metadata for an async COPY operation as soon as the CB_OFFLOAD callback has been sent. It does not wait even for the client's CB_OFFLOAD response, as the paragraph above suggests that it should. This makes the OFFLOAD_STATUS operation ineffective during the window between the completion of an asynchronous COPY and the server's receipt of the corresponding CB_OFFLOAD response. This is important if, for example, the client responds with NFS4ERR_DELAY, or the transport is lost before the server receives the response. A client might use OFFLOAD_STATUS to query the server about the still pending asynchronous COPY, but NFSD will respond to OFFLOAD_STATUS as if it had never heard of the presented copy stateid. This patch starts to address this issue by extending the lifetime of struct nfsd4_copy at least until the server has seen the client's CB_OFFLOAD response, or the CB_OFFLOAD has timed out. Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever commit 62a8642ba00aa8ceb0a02ade942f5ec52e877c95 Author: Chuck Lever Date: Thu Oct 31 09:40:03 2024 -0400 NFSD: Fix nfsd4_shutdown_copy() nfsd4_shutdown_copy() is just this: while ((copy = nfsd4_get_copy(clp)) != NULL) nfsd4_stop_copy(copy); nfsd4_get_copy() bumps @copy's reference count, preventing nfsd4_stop_copy() from releasing @copy. A while loop like this usually works by removing the first element of the list, but neither nfsd4_get_copy() nor nfsd4_stop_copy() alters the async_copies list. Best I can tell, then, is that nfsd4_shutdown_copy() continues to loop until other threads manage to remove all the items from this list. The spinning loop blocks shutdown until these items are gone. Possibly the reason we haven't seen this issue in the field is because client_has_state() prevents __destroy_client() from calling nfsd4_shutdown_copy() if there are any items on this list. In a subsequent patch I plan to remove that restriction. Fixes: e0639dc5805a ("NFSD introduce async copy feature") Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever commit a4452e661bc8ee56b2a893df6f523607c63f6de8 Author: Chuck Lever Date: Thu Oct 31 09:40:02 2024 -0400 NFSD: Add a tracepoint to record canceled async COPY operations Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever commit 10c93b5101ca61d03351da678b395b48678840c2 Author: Jeff Layton Date: Wed Oct 30 10:48:46 2024 -0400 nfsd: make nfsd4_session->se_flags a bool While this holds the flags from the CREATE_SESSION request, nothing ever consults them. The only flag used is NFS4_SESSION_DEAD. Make it a simple bool instead. Signed-off-by: Jeff Layton Signed-off-by: Chuck Lever commit 53f9ba78e07cb19f0895b9cf905fb08b70a126f4 Author: Jeff Layton Date: Mon Oct 28 10:26:26 2024 -0400 nfsd: remove nfsd4_session->se_bchannel This field is written and is never consulted again. Remove it. Signed-off-by: Jeff Layton Signed-off-by: Chuck Lever commit 6a404f475f65c3b74799f4652dc15753834b3be0 Author: NeilBrown Date: Mon Oct 28 09:04:43 2024 +1100 nfsd: make use of warning provided by refcount_t refcount_t, by design, checks for unwanted situations and provides warnings. It is rarely useful to have explicit warnings with refcount usage. In this case we have an explicit warning if a refcount_t reaches zero when decremented. Simply using refcount_dec() will provide a similar warning and also mark the refcount_t as saturated to avoid any possible use-after-free. This patch drops the warning and uses refcount_dec() instead of refcount_dec_and_test(). Signed-off-by: NeilBrown Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever commit a2c0412c051ee279d338b2c288938e484ed9a6df Author: NeilBrown Date: Thu Oct 24 09:10:42 2024 +1100 nfsd: Don't fail OP_SETCLIENTID when there are too many clients. Failing OP_SETCLIENTID or OP_EXCHANGE_ID should only happen if there is memory allocation failure. Putting a hard limit on the number of clients is not really helpful as it will either happen too early and prevent clients that the server can easily handle, or too late and allow clients when the server is swamped. The calculated limit is still useful for expiring courtesy clients where there are "too many" clients, but it shouldn't prevent the creation of active clients. Testing of lots of clients against small-mem servers reports repeated NFS4ERR_DELAY responses which doesn't seem helpful. There may have been reports of similar problems in production use. Also remove an outdated comment - we do use a slab cache. Signed-off-by: NeilBrown Signed-off-by: Chuck Lever commit ce89e742a4c12b20f09a43fec1b21db33f2166cd Author: Ye Bin Date: Thu Oct 24 09:55:20 2024 +0800 svcrdma: fix miss destroy percpu_counter in svc_rdma_proc_init() There's issue as follows: RPC: Registered rdma transport module. RPC: Registered rdma backchannel transport module. RPC: Unregistered rdma transport module. RPC: Unregistered rdma backchannel transport module. BUG: unable to handle page fault for address: fffffbfff80c609a PGD 123fee067 P4D 123fee067 PUD 123fea067 PMD 10c624067 PTE 0 Oops: Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI RIP: 0010:percpu_counter_destroy_many+0xf7/0x2a0 Call Trace: __die+0x1f/0x70 page_fault_oops+0x2cd/0x860 spurious_kernel_fault+0x36/0x450 do_kern_addr_fault+0xca/0x100 exc_page_fault+0x128/0x150 asm_exc_page_fault+0x26/0x30 percpu_counter_destroy_many+0xf7/0x2a0 mmdrop+0x209/0x350 finish_task_switch.isra.0+0x481/0x840 schedule_tail+0xe/0xd0 ret_from_fork+0x23/0x80 ret_from_fork_asm+0x1a/0x30 If register_sysctl() return NULL, then svc_rdma_proc_cleanup() will not destroy the percpu counters which init in svc_rdma_proc_init(). If CONFIG_HOTPLUG_CPU is enabled, residual nodes may be in the 'percpu_counters' list. The above issue may occur once the module is removed. If the CONFIG_HOTPLUG_CPU configuration is not enabled, memory leakage occurs. To solve above issue just destroy all percpu counters when register_sysctl() return NULL. Fixes: 1e7e55731628 ("svcrdma: Restore read and write stats") Fixes: 22df5a22462e ("svcrdma: Convert rdma_stat_sq_starve to a per-CPU counter") Fixes: df971cd853c0 ("svcrdma: Convert rdma_stat_recv to a per-CPU counter") Signed-off-by: Ye Bin Signed-off-by: Chuck Lever commit 573954a996c0056b25eda4638edfee8c010e27f7 Author: Chuck Lever Date: Tue Oct 22 13:44:15 2024 -0400 xdrgen: Remove program_stat_to_errno() call sites Refactor: Translating an on-the-wire value to a local host errno is architecturally a job for the proc function, not the XDR decoder. Signed-off-by: Chuck Lever commit 903a7d37d9ea03cfed21040467d3d345d1e6fc76 Author: Chuck Lever Date: Tue Oct 22 13:44:08 2024 -0400 xdrgen: Update the files included in client-side source code In particular, client-side source code needs the definition of "struct rpc_procinfo" and does not want header files that pull in "struct svc_rqst". Otherwise, the source does not compile. Signed-off-by: Chuck Lever commit 82c2a36179d9bd00b792f4215cc4f71ca2d4c3a8 Author: Chuck Lever Date: Tue Oct 22 13:44:01 2024 -0400 xdrgen: Remove check for "nfs_ok" in C templates Obviously, "nfs_ok" is defined only for NFS protocols. Other XDR protocols won't know "nfs_ok" from Adam. Signed-off-by: Chuck Lever commit 07decac0ac6282672af182521ef0b4b61605c4b9 Author: Chuck Lever Date: Tue Oct 22 13:43:54 2024 -0400 xdrgen: Remove tracepoint call site This tracepoint was a "note to self" and is not operational. It is added only to client-side code, which so far we haven't needed. It will cause immediate breakage once we start generating client code, though, so remove it now. Signed-off-by: Chuck Lever commit f8c989a0c89a75d30f899a7cabdc14d72522bb8d Author: Yang Erkun Date: Mon Oct 21 22:23:43 2024 +0800 nfsd: release svc_expkey/svc_export with rcu_work The last reference for `cache_head` can be reduced to zero in `c_show` and `e_show`(using `rcu_read_lock` and `rcu_read_unlock`). Consequently, `svc_export_put` and `expkey_put` will be invoked, leading to two issues: 1. The `svc_export_put` will directly free ex_uuid. However, `e_show`/`c_show` will access `ex_uuid` after `cache_put`, which can trigger a use-after-free issue, shown below. ================================================================== BUG: KASAN: slab-use-after-free in svc_export_show+0x362/0x430 [nfsd] Read of size 1 at addr ff11000010fdc120 by task cat/870 CPU: 1 UID: 0 PID: 870 Comm: cat Not tainted 6.12.0-rc3+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 Call Trace: dump_stack_lvl+0x53/0x70 print_address_description.constprop.0+0x2c/0x3a0 print_report+0xb9/0x280 kasan_report+0xae/0xe0 svc_export_show+0x362/0x430 [nfsd] c_show+0x161/0x390 [sunrpc] seq_read_iter+0x589/0x770 seq_read+0x1e5/0x270 proc_reg_read+0xe1/0x140 vfs_read+0x125/0x530 ksys_read+0xc1/0x160 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e Allocated by task 830: kasan_save_stack+0x20/0x40 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x8f/0xa0 __kmalloc_node_track_caller_noprof+0x1bc/0x400 kmemdup_noprof+0x22/0x50 svc_export_parse+0x8a9/0xb80 [nfsd] cache_do_downcall+0x71/0xa0 [sunrpc] cache_write_procfs+0x8e/0xd0 [sunrpc] proc_reg_write+0xe1/0x140 vfs_write+0x1a5/0x6d0 ksys_write+0xc1/0x160 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 868: kasan_save_stack+0x20/0x40 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x37/0x50 kfree+0xf3/0x3e0 svc_export_put+0x87/0xb0 [nfsd] cache_purge+0x17f/0x1f0 [sunrpc] nfsd_destroy_serv+0x226/0x2d0 [nfsd] nfsd_svc+0x125/0x1e0 [nfsd] write_threads+0x16a/0x2a0 [nfsd] nfsctl_transaction_write+0x74/0xa0 [nfsd] vfs_write+0x1a5/0x6d0 ksys_write+0xc1/0x160 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e 2. We cannot sleep while using `rcu_read_lock`/`rcu_read_unlock`. However, `svc_export_put`/`expkey_put` will call path_put, which subsequently triggers a sleeping operation due to the following `dput`. ============================= WARNING: suspicious RCU usage 5.10.0-dirty #141 Not tainted ----------------------------- ... Call Trace: dump_stack+0x9a/0xd0 ___might_sleep+0x231/0x240 dput+0x39/0x600 path_put+0x1b/0x30 svc_export_put+0x17/0x80 e_show+0x1c9/0x200 seq_read_iter+0x63f/0x7c0 seq_read+0x226/0x2d0 vfs_read+0x113/0x2c0 ksys_read+0xc9/0x170 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x67/0xd1 Fix these issues by using `rcu_work` to help release `svc_expkey`/`svc_export`. This approach allows for an asynchronous context to invoke `path_put` and also facilitates the freeing of `uuid/exp/key` after an RCU grace period. Fixes: 9ceddd9da134 ("knfsd: Allow lockless lookups of the exports") Signed-off-by: Yang Erkun Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever commit 2862eee078a4d2d1f584e7f24fa50dddfa5f3471 Author: Yang Erkun Date: Mon Oct 21 22:23:42 2024 +0800 SUNRPC: make sure cache entry active before cache_show The function `c_show` was called with protection from RCU. This only ensures that `cp` will not be freed. Therefore, the reference count for `cp` can drop to zero, which will trigger a refcount use-after-free warning when `cache_get` is called. To resolve this issue, use `cache_get_rcu` to ensure that `cp` remains active. ------------[ cut here ]------------ refcount_t: addition on 0; use-after-free. WARNING: CPU: 7 PID: 822 at lib/refcount.c:25 refcount_warn_saturate+0xb1/0x120 CPU: 7 UID: 0 PID: 822 Comm: cat Not tainted 6.12.0-rc3+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 RIP: 0010:refcount_warn_saturate+0xb1/0x120 Call Trace: c_show+0x2fc/0x380 [sunrpc] seq_read_iter+0x589/0x770 seq_read+0x1e5/0x270 proc_reg_read+0xe1/0x140 vfs_read+0x125/0x530 ksys_read+0xc1/0x160 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e Cc: stable@vger.kernel.org # v4.20+ Signed-off-by: Yang Erkun Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever commit be8f982c369c965faffa198b46060f8853e0f1f0 Author: Yang Erkun Date: Mon Oct 21 22:23:41 2024 +0800 nfsd: make sure exp active before svc_export_show The function `e_show` was called with protection from RCU. This only ensures that `exp` will not be freed. Therefore, the reference count for `exp` can drop to zero, which will trigger a refcount use-after-free warning when `exp_get` is called. To resolve this issue, use `cache_get_rcu` to ensure that `exp` remains active. ------------[ cut here ]------------ refcount_t: addition on 0; use-after-free. WARNING: CPU: 3 PID: 819 at lib/refcount.c:25 refcount_warn_saturate+0xb1/0x120 CPU: 3 UID: 0 PID: 819 Comm: cat Not tainted 6.12.0-rc3+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 RIP: 0010:refcount_warn_saturate+0xb1/0x120 ... Call Trace: e_show+0x20b/0x230 [nfsd] seq_read_iter+0x589/0x770 seq_read+0x1e5/0x270 vfs_read+0x125/0x530 ksys_read+0xc1/0x160 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e Fixes: bf18f163e89c ("NFSD: Using exp_get for export getting") Cc: stable@vger.kernel.org # 4.20+ Signed-off-by: Yang Erkun Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever commit 9189d23b835cec646ba5010db35d1557a77c5857 Author: Chuck Lever Date: Thu Oct 17 09:36:31 2024 -0400 lockd: Remove unneeded initialization of file_lock::c.flc_flags Since commit 75c7940d2a86 ("lockd: set missing fl_flags field when retrieving args"), nlmsvc_retrieve_args() initializes the flc_flags field. svcxdr_decode_lock() no longer needs to do this. This clean up removes one dependency on the nlm_lock:fl field. No behavior change is expected. Analysis: svcxdr_decode_lock() is called by: nlm4svc_decode_testargs() nlm4svc_decode_lockargs() nlm4svc_decode_cancargs() nlm4svc_decode_unlockargs() nlm4svc_decode_testargs() is used by: - NLMPROC4_TEST and NLMPROC4_TEST_MSG, which call nlmsvc_retrieve_args() - NLMPROC4_GRANTED and NLMPROC4_GRANTED_MSG, which don't pass the lock's file_lock to the generic lock API nlm4svc_decode_lockargs() is used by: - NLMPROC4_LOCK and NLM4PROC4_LOCK_MSG, which call nlmsvc_retrieve_args() - NLMPROC4_UNLOCK and NLM4PROC4_UNLOCK_MSG, which call nlmsvc_retrieve_args() - NLMPROC4_NM_LOCK, which calls nlmsvc_retrieve_args() nlm4svc_decode_cancargs() is used by: - NLMPROC4_CANCEL and NLMPROC4_CANCEL_MSG, which call nlmsvc_retrieve_args() nlm4svc_decode_unlockargs() is used by: - NLMPROC4_UNLOCK and NLMPROC4_UNLOCK_MSG, which call nlmsvc_retrieve_args() All callers except GRANTED/GRANTED_MSG eventually call nlmsvc_retrieve_args() before using nlm_lock::fl.c.flc_flags. Thus this change is safe. Reviewed-by: Jeff Layton Reviewed-by: NeilBrown Signed-off-by: Chuck Lever commit 8994a512e2598c0bf1b6e9ece1e8292976b0dd65 Author: Chuck Lever Date: Thu Oct 17 09:36:30 2024 -0400 lockd: Remove unused parameter to nlmsvc_testlock() The nlm_cookie parameter has been unused since commit 09802fd2a8ca ("lockd: rip out deferred lock handling from testlock codepath"). Reviewed-by: Jeff Layton Reviewed-by: NeilBrown Signed-off-by: Chuck Lever commit a872c7313ec55263e11026163f081069a8c896c6 Author: Chuck Lever Date: Thu Oct 17 09:36:29 2024 -0400 lockd: Remove some snippets of unfinished code Clean up. Reviewed-by: Jeff Layton Reviewed-by: NeilBrown Signed-off-by: Chuck Lever commit e5948841285b1ad5bc3234a2f6d0586eceabfbdc Author: Chuck Lever Date: Thu Oct 17 09:36:28 2024 -0400 lockd: Remove unnecessary memset() Since commit 103cc1fafee4 ("SUNRPC: Parametrize how much of argsize should be zeroed") (and possibly long before that, even) all of the memory underlying rqstp->rq_argp is zeroed already. There's no need for the memset() in nlm4svc_decode_shareargs(). Reviewed-by: Jeff Layton Reviewed-by: NeilBrown Signed-off-by: Chuck Lever commit 2f746e40e9baae878f8193e09d8f6d601dce42bb Author: Chuck Lever Date: Thu Oct 17 09:36:27 2024 -0400 lockd: Remove unused typedef Clean up: Looks like the last usage of this typedef was removed by commit 026fec7e7c47 ("sunrpc: properly type pc_decode callbacks") in 2017. Reviewed-by: Jeff Layton Reviewed-by: NeilBrown Signed-off-by: Chuck Lever commit f64ea4af43161bb86ffc77e6aeb5bcf5c3229df0 Author: Chuck Lever Date: Thu Oct 17 11:03:56 2024 -0400 NFSD: Cap the number of bytes copied by nfs4_reset_recoverydir() It's only current caller already length-checks the string, but let's be safe. Fixes: 0964a3d3f1aa ("[PATCH] knfsd: nfsd4 reboot dirname fix") Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever commit 30c1d2411acd6d9d987f5f804aa173abb3b097ce Author: Chuck Lever Date: Thu Oct 17 11:03:55 2024 -0400 NFSD: Remove unused values from nfsd4_encode_components_esc() Clean up. The computed value of @p is saved each time through the loop but is never used. Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever commit 6b9c1080a69ee4d37e88f3743c13a45cce6afcbf Author: Chuck Lever Date: Thu Oct 17 11:03:54 2024 -0400 NFSD: Remove unused results in nfsd4_encode_pathname4() Clean up. The result of "*p++" is saved, but is not used before it is overwritten. The result of xdr_encode_opaque() is saved each time through the loop but is never used. Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever commit 1e02c641c3a43c88cecc08402000418e15578d38 Author: Chuck Lever Date: Thu Oct 17 11:03:53 2024 -0400 NFSD: Prevent NULL dereference in nfsd4_process_cb_update() @ses is initialized to NULL. If __nfsd4_find_backchannel() finds no available backchannel session, setup_callback_client() will try to dereference @ses and segfault. Fixes: dcbeaa68dbbd ("nfsd4: allow backchannel recovery") Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever commit da4f777e623936d4d93427b69fca37baefd62669 Author: Chuck Lever Date: Thu Oct 17 11:03:52 2024 -0400 NFSD: Remove a never-true comparison fh_size is an unsigned int, thus it can never be less than 0. Fixes: d8b26071e65e ("NFSD: simplify struct nfsfh") Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever commit d08bf5ea649c045175c191609ccd52644b85985f Author: Chuck Lever Date: Thu Oct 17 11:03:51 2024 -0400 NFSD: Remove dead code in nfsd4_create_session() Clean up. AFAICT, there is no way to reach the out_free_conn label with @old set to a non-NULL value, so the expire_client(old) call is never reached and can be removed. Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever commit 4cc9b9f2bf4dfe13fe573da978e626e2248df388 Author: NeilBrown Date: Fri Oct 18 08:42:31 2024 +1100 nfsd: refine and rename NFSD_MAY_LOCK NFSD_MAY_LOCK means a few different things. - it means that GSS is not required. - it means that with NFSEXP_NOAUTHNLM, authentication is not required - it means that OWNER_OVERRIDE is allowed. None of these are specific to locking, they are specific to the NLM protocol. So: - rename to NFSD_MAY_NLM - set NFSD_MAY_OWNER_OVERRIDE and NFSD_MAY_BYPASS_GSS in nlm_fopen() so that NFSD_MAY_NLM doesn't need to imply these. - move the test on NFSEXP_NOAUTHNLM out of nfsd_permission() and into fh_verify where other special-case tests on the MAY flags happen. nfsd_permission() can be called from other places than fh_verify(), but none of these will have NFSD_MAY_NLM. Signed-off-by: NeilBrown Signed-off-by: Chuck Lever commit 6640556b0c80edc66d6f50abe53f00311a873536 Author: Chuck Lever Date: Sun Oct 13 16:02:28 2024 -0400 NFSD: Replace use of NFSD_MAY_LOCK in nfsd4_lock() NFSv4 LOCK operations should not avoid the set of authorization checks that apply to all other NFSv4 operations. Also, the "no_auth_nlm" export option should apply only to NLM LOCK requests. It's not necessary or sensible to apply it to NFSv4 LOCK operations. Instead, set no permission bits when calling fh_verify(). Subsequent stateid processing handles authorization checks. Reported-by: NeilBrown Signed-off-by: Chuck Lever commit ed9887b876c957c9c9a0486cf0edf7c964e99cb9 Author: Julia Lawall Date: Sun Oct 13 22:16:59 2024 +0200 nfsd: replace call_rcu by kfree_rcu for simple kmem_cache_free callback Since SLOB was removed and since commit 6c6c47b063b5 ("mm, slab: call kvfree_rcu_barrier() from kmem_cache_destroy()"), it is not necessary to use call_rcu when the callback only performs kmem_cache_free. Use kfree_rcu() directly. The changes were made using Coccinelle. Signed-off-by: Julia Lawall Reviewed-by: Jeff Layton Acked-by: Paul E. McKenney Acked-by: Vlastimil Babka Signed-off-by: Chuck Lever commit a32442f6ca32cf402a76856d5e713bd742481ba2 Author: Chuck Lever Date: Mon Oct 7 14:07:54 2024 -0400 xdrgen: Add a utility for extracting XDR from RFCs For convenience, copy the XDR extraction script from RFC Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever commit bb4f07f2409c26c01e97e6f9b432545f353e3b66 Author: Pali Rohár Date: Sat Oct 5 18:40:39 2024 +0200 nfsd: Fix NFSD_MAY_BYPASS_GSS and NFSD_MAY_BYPASS_GSS_ON_ROOT Currently NFSD_MAY_BYPASS_GSS and NFSD_MAY_BYPASS_GSS_ON_ROOT do not bypass only GSS, but bypass any method. This is a problem specially for NFS3 AUTH_NULL-only exports. The purpose of NFSD_MAY_BYPASS_GSS_ON_ROOT is described in RFC 2623, section 2.3.2, to allow mounting NFS2/3 GSS-only export without authentication. So few procedures which do not expose security risk used during mount time can be called also with AUTH_NONE or AUTH_SYS, to allow client mount operation to finish successfully. The problem with current implementation is that for AUTH_NULL-only exports, the NFSD_MAY_BYPASS_GSS_ON_ROOT is active also for NFS3 AUTH_UNIX mount attempts which confuse NFS3 clients, and make them think that AUTH_UNIX is enabled and is working. Linux NFS3 client never switches from AUTH_UNIX to AUTH_NONE on active mount, which makes the mount inaccessible. Fix the NFSD_MAY_BYPASS_GSS and NFSD_MAY_BYPASS_GSS_ON_ROOT implementation and really allow to bypass only exports which have enabled some real authentication (GSS, TLS, or any other). The result would be: For AUTH_NULL-only export if client attempts to do mount with AUTH_UNIX flavor then it will receive access errors, which instruct client that AUTH_UNIX flavor is not usable and will either try other auth flavor (AUTH_NULL if enabled) or fails mount procedure. Similarly if client attempt to do mount with AUTH_NULL flavor and only AUTH_UNIX flavor is enabled then the client will receive access error. This should fix problems with AUTH_NULL-only or AUTH_UNIX-only exports if client attempts to mount it with other auth flavor (e.g. with AUTH_NULL for AUTH_UNIX-only export, or with AUTH_UNIX for AUTH_NULL-only export). Signed-off-by: Pali Rohár Reviewed-by: NeilBrown Signed-off-by: Chuck Lever commit 600020927b004f027e737e6bf57c450d48f2405e Author: Pali Rohár Date: Sat Oct 5 20:33:49 2024 +0200 nfsd: Fill NFSv4.1 server implementation fields in OP_EXCHANGE_ID response NFSv4.1 OP_EXCHANGE_ID response from server may contain server implementation details (domain, name and build time) in optional nfs_impl_id4 field. Currently nfsd does not fill this field. Send these information in NFSv4.1 OP_EXCHANGE_ID response. Fill them with the same values as what is Linux NFSv4.1 client doing. Domain is hardcoded to "kernel.org", name is composed in the same way as "uname -srvm" output and build time is hardcoded to zeros. NFSv4.1 client and server implementation fields are useful for statistic purposes or for identifying type of clients and servers. Signed-off-by: Pali Rohár Signed-off-by: Chuck Lever commit 2dc84a75229c37e350dd1a83aaf4a63dc2ba86f3 Author: Pali Rohár Date: Fri Sep 13 00:53:20 2024 +0200 lockd: Fix comment about NLMv3 backwards compatibility NLMv2 is completely different protocol than NLMv1 and NLMv3, and in original Sun implementation is used for RPC loopback callbacks from statd to lockd services. Linux does not use nor does not implement NLMv2. Hence, NLMv3 is not backward compatible with NLMv2. But NLMv3 is backward compatible with NLMv1. Fix comment. Signed-off-by: Pali Rohár Reviewed-by: NeilBrown Signed-off-by: Chuck Lever commit b9376c7e42ca22644085332fd450b153cd4e9bde Author: Jeff Layton Date: Fri Oct 18 14:45:01 2024 -0400 nfsd: new tracepoint for after op_func in compound processing Turn nfsd_compound_encode_err tracepoint into a class and add a new nfsd_compound_op_err tracepoint. Signed-off-by: Jeff Layton Signed-off-by: Chuck Lever commit 8350142a4b4cedebfa76cd4cc6e5a7ba6a330629 Merge: 77a0cfafa9af9c a652958888fb1a Author: Linus Torvalds Date: Mon Nov 18 17:02:57 2024 -0800 Merge tag 'for-6.13/io_uring-20241118' of git://git.kernel.dk/linux Pull io_uring updates from Jens Axboe: - Cleanups of the eventfd handling code, making it fully private. - Support for sending a sync message to another ring, without having a ring available to send a normal async message. - Get rid of the separate unlocked hash table, unify everything around the single locked one. - Add support for ring resizing. It can be hard to appropriately size the CQ ring upfront, if the application doesn't know how busy it will be. This results in applications sizing rings for the most busy case, which can be wasteful. With ring resizing, they can start small and grow the ring, if needed. - Add support for fixed wait regions, rather than needing to copy the same wait data tons of times for each wait operation. - Rewrite the resource node handling, which before was serialized per ring. This caused issues with particularly fixed files, where one file waiting on IO could hold up putting and freeing of other unrelated files. Now each node is handled separately. New code is much simpler too, and was a net 250 line reduction in code. - Add support for just doing partial buffer clones, rather than always cloning the entire buffer table. - Series adding static NAPI support, where a specific NAPI instance is used rather than having a list of them available that need lookup. - Add support for mapped regions, and also convert the fixed wait support mentioned above to that concept. This avoids doing special mappings for various planned features, and folds the existing registered wait into that too. - Add support for hybrid IO polling, which is a variant of strict IOPOLL but with an initial sleep delay to avoid spinning too early and wasting resources on devices that aren't necessarily in the < 5 usec category wrt latencies. - Various cleanups and little fixes. * tag 'for-6.13/io_uring-20241118' of git://git.kernel.dk/linux: (79 commits) io_uring/region: fix error codes after failed vmap io_uring: restore back registered wait arguments io_uring: add memory region registration io_uring: introduce concept of memory regions io_uring: temporarily disable registered waits io_uring: disable ENTER_EXT_ARG_REG for IOPOLL io_uring: fortify io_pin_pages with a warning switch io_msg_ring() to CLASS(fd) io_uring: fix invalid hybrid polling ctx leaks io_uring/uring_cmd: fix buffer index retrieval io_uring/rsrc: add & apply io_req_assign_buf_node() io_uring/rsrc: remove '->ctx_ptr' of 'struct io_rsrc_node' io_uring/rsrc: pass 'struct io_ring_ctx' reference to rsrc helpers io_uring: avoid normal tw intermediate fallback io_uring/napi: add static napi tracking strategy io_uring/napi: clean up __io_napi_do_busy_loop io_uring/napi: Use lock guards io_uring/napi: improve __io_napi_add io_uring/napi: fix io_napi_entry RCU accesses io_uring/napi: protect concurrent io_napi_entry timeout accesses ... commit 77a0cfafa9af9c0d5b43534eb90d530c189edca1 Merge: 3d1b536c13f7cd 88d47f62931373 Author: Linus Torvalds Date: Mon Nov 18 16:50:08 2024 -0800 Merge tag 'for-6.13/block-20241118' of git://git.kernel.dk/linux Pull block updates from Jens Axboe: - NVMe updates via Keith: - Use uring_cmd helper (Pavel) - Host Memory Buffer allocation enhancements (Christoph) - Target persistent reservation support (Guixin) - Persistent reservation tracing (Guixen) - NVMe 2.1 specification support (Keith) - Rotational Meta Support (Matias, Wang, Keith) - Volatile cache detection enhancment (Guixen) - MD updates via Song: - Maintainers update - raid5 sync IO fix - Enhance handling of faulty and blocked devices - raid5-ppl atomic improvement - md-bitmap fix - Support for manually defining embedded partition tables - Zone append fixes and cleanups - Stop sending the queued requests in the plug list to the driver ->queue_rqs() handle in reverse order. - Zoned write plug cleanups - Cleanups disk stats tracking and add support for disk stats for passthrough IO - Add preparatory support for file system atomic writes - Add lockdep support for queue freezing. Already found a bunch of issues, and some fixes for that are in here. More will be coming. - Fix race between queue stopping/quiescing and IO queueing - ublk recovery improvements - Fix ublk mmap for 64k pages - Various fixes and cleanups * tag 'for-6.13/block-20241118' of git://git.kernel.dk/linux: (118 commits) MAINTAINERS: Update git tree for mdraid subsystem block: make struct rq_list available for !CONFIG_BLOCK block/genhd: use seq_put_decimal_ull for diskstats decimal values block: don't reorder requests in blk_mq_add_to_batch block: don't reorder requests in blk_add_rq_to_plug block: add a rq_list type block: remove rq_list_move virtio_blk: reverse request order in virtio_queue_rqs nvme-pci: reverse request order in nvme_queue_rqs btrfs: validate queue limits block: export blk_validate_limits nvmet: add tracing of reservation commands nvme: parse reservation commands's action and rtype to string nvmet: report ns's vwc not present md/raid5: Increase r5conf.cache_name size block: remove the ioprio field from struct request block: remove the write_hint field from struct request nvme: check ns's volatile write cache not present nvme: add rotational support nvme: use command set independent id ns if available ... commit 3d1b536c13f7cd966aa660d1730855b26d01c9ae Merge: c14a8a4c04c585 e8a2389ea808c3 Author: Linus Torvalds Date: Mon Nov 18 16:45:28 2024 -0800 Merge tag 'ata-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/libata/linux Pull ata updates from Niklas Cassel: - Fix typos in comments (Yan Zhen) - Remove unused macro definitions (Damien Le Moal) - Switch back to the .remove() callback (Uwe Kleine-König) - Make use of the get_unaligned_be24() helper instead of open coding (Andy Shevchenko) - Refactor and cleanup ata_scsi_simulate() command emulation, such that all commands use ata_scsi_rbuf_fill() with its own callback (Damien Le Moal) - Improve ata_scsi_simulate() command emulation by accurately setting the SCSI command residual (number of bytes not filled) in the command reply (Damien Le Moal) - Add missing iommus property in ahci-platform device tree binding (Frank Wunderlich) * tag 'ata-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/libata/linux: dt-bindings: ata: ahci-platform: add missing iommus property ata: libata-scsi: Return residual for emulated SCSI commands ata: libata-scsi: Remove struct ata_scsi_args ata: libata-scsi: Document all VPD page inquiry actors ata: libata-scsi: Refactor ata_scsiop_maint_in() ata: libata-scsi: Refactor ata_scsiop_read_cap() ata: libata-scsi: Refactor ata_scsi_simulate() ata: libata-scsi: Refactor scsi_6_lba_len() with use of get_unaligned_be24() ata: Switch back to struct platform_driver::remove() ata: libata: Remove unused macro definitions ata: Fix typos in the comment commit c14a8a4c04c5859322eb5801db662b56b2294f67 Merge: 3e7447ab48d101 e82c936293aafb Author: Linus Torvalds Date: Mon Nov 18 16:37:41 2024 -0800 Merge tag 'for-6.13-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux Pull btrfs updates from David Sterba: "Changes outside of btrfs: add io_uring command flag to track a dying task (the rest will go via the block git tree). User visible changes: - wire encoded read (ioctl) to io_uring commands, this can be used on itself, in the future this will allow 'send' to be asynchronous. As a consequence, the encoded read ioctl can also work in non-blocking mode - new ioctl to wait for cleaned subvolumes, no need to use the generic and root-only SEARCH_TREE ioctl, will be used by "btrfs subvol sync" - recognize different paths/symlinks for the same devices and don't report them during rescanning, this can be observed with LVM or DM - seeding device use case change, the sprout device (the one capturing new writes) will not clear the read-only status of the super block; this prevents accumulating space from deleted snapshots Performance improvements: - reduce lock contention when traversing extent buffers - reduce extent tree lock contention when searching for inline backref - switch from rb-trees to xarray for delayed ref tracking, improvements due to better cache locality, branching factors and more compact data structures - enable extent map shrinker again (prevent memory exhaustion under some types of IO load), reworked to run in a single worker thread (there used to be problems causing long stalls under memory pressure) Core changes: - raid-stripe-tree feature updates: - make device replace and scrub work - implement partial deletion of stripe extents - new selftests - split the config option BTRFS_DEBUG and add EXPERIMENTAL for features that are experimental or with known problems so we don't misuse debugging config for that - subpage mode updates (sector < page): - update compression implementations - update writepage, writeback - continued folio API conversions: - buffered writes - make buffered write copy one page at a time, preparatory work for future integration with large folios, may cause performance drop - proper locking of root item regarding starting send - error handling improvements - code cleanups and refactoring: - dead code removal - unused parameter reduction - lockdep assertions" * tag 'for-6.13-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux: (119 commits) btrfs: send: check for read-only send root under critical section btrfs: send: check for dead send root under critical section btrfs: remove check for NULL fs_info at btrfs_folio_end_lock_bitmap() btrfs: fix warning on PTR_ERR() against NULL device at btrfs_control_ioctl() btrfs: fix a typo in btrfs_use_zone_append btrfs: avoid superfluous calls to free_extent_map() in btrfs_encoded_read() btrfs: simplify logic to decrement snapshot counter at btrfs_mksnapshot() btrfs: remove hole from struct btrfs_delayed_node btrfs: update stale comment for struct btrfs_delayed_ref_node::add_list btrfs: add new ioctl to wait for cleaned subvolumes btrfs: simplify range tracking in cow_file_range() btrfs: remove conditional path allocation in btrfs_read_locked_inode() btrfs: push cleanup into btrfs_read_locked_inode() io_uring/cmd: let cmds to know about dying task btrfs: add struct io_btrfs_cmd as type for io_uring_cmd_to_pdu() btrfs: add io_uring command for encoded reads (ENCODED_READ ioctl) btrfs: move priv off stack in btrfs_encoded_read_regular_fill_pages() btrfs: don't sleep in btrfs_encoded_read() if IOCB_NOWAIT is set btrfs: change btrfs_encoded_read() so that reading of extent is done by caller btrfs: remove pointless iocb::ki_pos addition in btrfs_encoded_read() ... commit 3e7447ab48d101353c3e5be29e6ff0d322fa5a95 Merge: c6d64479d6093a 3e7c69cdb053f9 Author: Linus Torvalds Date: Mon Nov 18 16:32:58 2024 -0800 Merge tag 'ext4_for_linus-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 Pull ext4 updates from Ted Ts'o: "A lot of miscellaneous ext4 bug fixes and cleanups this cycle, most notably in the journaling code, bufered I/O, and compiler warning cleanups" * tag 'ext4_for_linus-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4: (33 commits) jbd2: Fix comment describing journal_init_common() ext4: prevent an infinite loop in the lazyinit thread ext4: use struct_size() to improve ext4_htree_store_dirent() ext4: annotate struct fname with __counted_by() jbd2: avoid dozens of -Wflex-array-member-not-at-end warnings ext4: use str_yes_no() helper function ext4: prevent delalloc to nodelalloc on remount jbd2: make b_frozen_data allocation always succeed ext4: cleanup variable name in ext4_fc_del() ext4: use string choices helpers jbd2: remove the 'success' parameter from the jbd2_do_replay() function jbd2: remove useless 'block_error' variable jbd2: factor out jbd2_do_replay() jbd2: refactor JBD2_COMMIT_BLOCK process in do_one_pass() jbd2: unified release of buffer_head in do_one_pass() jbd2: remove redundant judgments for check v1 checksum ext4: use ERR_CAST to return an error-valued pointer mm: zero range of eof folio exposed by inode size extension ext4: partial zero eof block on unaligned inode size extension ext4: disambiguate the return value of ext4_dio_write_end_io() ... commit 5bf99baefb3ebebb13128ebfe58ebc6add5afd43 Author: Rob Herring (Arm) Date: Wed Nov 13 16:57:42 2024 -0600 dt-bindings: net: renesas,ether: Drop undocumented "micrel,led-mode" "micrel,led-mode" is not yet documented by a schema. It's irrelevant to the example, so just drop it. Signed-off-by: Rob Herring (Arm) Reviewed-by: Geert Uytterhoeven Acked-by: Conor Dooley Link: https://patch.msgid.link/20241113225742.1784723-2-robh@kernel.org Signed-off-by: Jakub Kicinski commit ac6f0825e582f2216a582c9edf0cee7bfe347ba6 Author: Kees Cook Date: Sun Nov 17 03:45:38 2024 -0800 pinctrl: airoha: Use unsigned long for bit search Instead of risking alignment problems and causing (false positive) array bound warnings when casting a u32 to (64-bit) unsigned long, just use a native unsigned long for doing bit searches. Avoids warning with GCC 15's -Warray-bounds -fdiagnostics-details: In file included from ../include/linux/bitmap.h:11, from ../include/linux/cpumask.h:12, from ../arch/x86/include/asm/paravirt.h:21, from ../arch/x86/include/asm/irqflags.h:80, from ../include/linux/irqflags.h:18, from ../include/linux/spinlock.h:59, from ../include/linux/irq.h:14, from ../include/linux/irqchip/chained_irq.h:10, from ../include/linux/gpio/driver.h:8, from ../drivers/pinctrl/mediatek/pinctrl-airoha.c:11: In function 'find_next_bit', inlined from 'airoha_irq_handler' at ../drivers/pinctrl/mediatek/pinctrl-airoha.c:2394:3: ../include/linux/find.h:65:23: error: array subscript 'long unsigned int[0]' is partly outside array bounds of 'u32[1]' {aka 'unsigned int[1]'} [-Werror=array-bounds=] 65 | val = *addr & GENMASK(size - 1, offset); | ^~~~~ ../drivers/pinctrl/mediatek/pinctrl-airoha.c: In function 'airoha_irq_handler': ../drivers/pinctrl/mediatek/pinctrl-airoha.c:2387:21: note: object 'status' of size 4 2387 | u32 status; | ^~~~~~ Signed-off-by: Kees Cook Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/20241117114534.work.292-kees@kernel.org Signed-off-by: Linus Walleij commit c6d64479d6093a5c3d709d4cc992a5344877cc3c Merge: 9fb2cfa4635ab7 6c056ae4b27575 Author: Linus Torvalds Date: Mon Nov 18 14:54:10 2024 -0800 Merge tag 'pull-statx' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs Pull statx updates from Al Viro: "Sanitize struct filename and lookup flags handling in statx and friends" * tag 'pull-statx' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: libfs: kill empty_dir_getattr() fs: Simplify getattr interface function checking AT_GETATTR_NOSEC flag fs/stat.c: switch to CLASS(fd_raw) kill getname_statx_lookup_flags() io_statx_prep(): use getname_uflags() commit 7e86490c5dee5c41a55f32d0dc34269e200e6909 Author: zhang jiao Date: Wed Nov 13 15:12:01 2024 +0800 pinctrl: k210: Undef K210_PC_DEFAULT When the temporary macro K210_PC_DEFAULT is not needed anymore, use its name in the #undef statement instead of the incorrect "DEFAULT" name. Fixes: d4c34d09ab03 ("pinctrl: Add RISC-V Canaan Kendryte K210 FPIOA driver") Signed-off-by: zhang jiao Reviewed-by: Damien Le Moal Link: https://lore.kernel.org/20241113071201.5440-1-zhangjiao2@cmss.chinamobile.com Signed-off-by: Linus Walleij commit 7643155dce1428fd63e47d7afe8bf3dbca20cc25 Author: Alice Ryhl Date: Mon Nov 18 20:27:26 2024 +0000 jump_label: rust: pass a mut ptr to `static_key_count` When building the rust_print sample with CONFIG_JUMP_LABEL=n, the Rust static key support falls back to using static_key_count. This function accepts a mutable pointer to the `struct static_key`, but the Rust abstractions are incorrectly passing a const pointer. This means that builds using CONFIG_JUMP_LABEL=n and SAMPLE_RUST_PRINT=y fail with the following error message: error[E0308]: mismatched types --> /samples/rust/rust_print_main.rs:87:5 | 87 | / kernel::declare_trace! { 88 | | /// # Safety 89 | | /// 90 | | /// Always safe to call. 91 | | unsafe fn rust_sample_loaded(magic: c_int); 92 | | } | | ^ | | | | |_____types differ in mutability | arguments to this function are incorrect | = note: expected raw pointer `*mut kernel::bindings::static_key` found raw pointer `*const kernel::bindings::static_key` note: function defined here --> /rust/bindings/bindings_helpers_generated.rs:33:12 | 33 | pub fn static_key_count(key: *mut static_key) -> c_int; | ^^^^^^^^^^^^^^^^ To fix this, insert a pointer cast so that the pointer is mutable. Link: https://lore.kernel.org/20241118202727.73646-1-aliceryhl@google.com Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202411181440.qEdcuyh6-lkp@intel.com/ Fixes: 169484ab6677 ("rust: add arch_static_branch") Signed-off-by: Alice Ryhl Acked-by: Miguel Ojeda Signed-off-by: Steven Rostedt (Google) commit 9c0ba14828d64744ccd195c610594ba254a1a9ab Author: Mikulas Patocka Date: Mon Nov 18 15:52:50 2024 +0100 blk-settings: round down io_opt to physical_block_size There was a bug report [1] where the user got a warning alignment inconsistency. The user has optimal I/O 16776704 (0xFFFE00) and physical block size 4096. Note that the optimal I/O size may be set by the DMA engines or SCSI controllers and they have no knowledge about the disks attached to them, so the situation with optimal I/O not aligned to physical block size may happen. This commit makes blk_validate_limits round down optimal I/O size to the physical block size of the block device. Closes: https://lore.kernel.org/dm-devel/1426ad71-79b4-4062-b2bf-84278be66a5d@redhat.com/T/ [1] Signed-off-by: Mikulas Patocka Fixes: a23634644afc ("block: take io_opt and io_min into account for max_sectors") Cc: stable@vger.kernel.org # v6.11+ Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/3dc0014b-9690-dc38-81c9-4a316a2d4fb2@redhat.com Signed-off-by: Jens Axboe commit 903796855b6152c479bae07dcebded77897f9e1c Merge: ffca1be9b4b3a7 b6d8c474e26517 Author: Jiri Kosina Date: Mon Nov 18 22:02:17 2024 +0100 Merge branch 'for-6.13/bpf' into for-linus - improvement of the way hid-bpf coexists with specific drivers (others than hid-generic) that are already bound to devices (Benjamin Tissoires) commit ffca1be9b4b3a72cf0c2796413101ba425225f48 Merge: 22380b5f03ae24 2e592244c4874c Author: Jiri Kosina Date: Mon Nov 18 22:00:08 2024 +0100 Merge branch 'for-6.13/bug-on-to-warn-on' into for-linus - removal of three way-too-aggressive BUG_ON()s from HID drivers (He Lugang) commit 22380b5f03ae246c02abe361d0a075cd674ca3fe Merge: 359bfdc3c99191 7b2daa648eb75e Author: Jiri Kosina Date: Mon Nov 18 21:58:55 2024 +0100 Merge branch 'for-6.13/core' into for-linus - assorted cleanups and small code fixes (Dmitry Torokhov, Yan Zhen, Nathan Chancellor, Andy Shevchenko) commit 359bfdc3c99191aa4266ad582f6bbc182841d11e Merge: 390b059ac7f6b8 6ea2a6fd3872e6 Author: Jiri Kosina Date: Mon Nov 18 21:58:24 2024 +0100 Merge branch 'for-6.13/corsair' into for-linus - support for Corsair Void headset family (Stuart Hayhurst) commit 9fb2cfa4635ab7b3d44e88104666e599cd163692 Merge: 82339c49119f5e 6cfe56fbad32c8 Author: Linus Torvalds Date: Mon Nov 18 12:58:23 2024 -0800 Merge tag 'pull-ufs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs Pull ufs updates from Al Viro: "ufs cleanups, fixes and folio conversion" * tag 'pull-ufs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: ufs: ufs_sb_private_info: remove unused s_{2,3}apb fields ufs: Convert ufs_change_blocknr() to take a folio ufs: Pass a folio to ufs_new_fragments() ufs: Convert ufs_inode_getfrag() to take a folio ufs: Convert ufs_extend_tail() to take a folio ufs: Convert ufs_inode_getblock() to take a folio ufs: take the handling of free block counters into a helper clean ufs_trunc_direct() up a bit... ufs: get rid of ubh_{ubhcpymem,memcpyubh}() ufs_inode_getfrag(): remove junk comment ufs_free_fragments(): fix the braino in sanity check ufs_clusteracct(): switch to passing fragment number ufs: untangle ubh_...block...(), part 3 ufs: untangle ubh_...block...(), part 2 ufs: untangle ubh_...block...() macros, part 1 ufs: fix ufs_read_cylinder() failure handling ufs: missing ->splice_write() ufs: fix handling of delete_entry and set_link failures commit 390b059ac7f6b8289dc56f6fe402e40a5072d75b Merge: d273b820f71146 c8eb2faef11866 Author: Jiri Kosina Date: Mon Nov 18 21:57:27 2024 +0100 Merge branch 'for-6.13/goodix' into for-linus - Support for Goodix GT7986U SPI (Charles Wang) - assorted code cleanups and fixes (Charles Wang) commit d273b820f71146aa30aa48f77ba1996b0ff2c7c5 Merge: 9411aacd72b619 4005667d3a09d8 Author: Jiri Kosina Date: Mon Nov 18 21:56:39 2024 +0100 Merge branch 'for-6.13/i2c-hid' into for-linus - code cleanup (Uwe Kleine-König) commit 9411aacd72b619dc9b349a227d9db46c1f3c28c4 Merge: b14927b3300f46 ac0cba68377299 Author: Jiri Kosina Date: Mon Nov 18 21:55:04 2024 +0100 Merge branch 'for-6.13/intel-ish' into for-linus - exposing firmware versions for Intel-ISH devices that load firmware from the host (Zhang Lixu) - switch to flex-array members (Erick Archer) commit b14927b3300f46231938e5c04817eb3dbda7227f Merge: a737d9d62d55db 9372b6c4ed80f4 Author: Jiri Kosina Date: Mon Nov 18 21:53:30 2024 +0100 Merge branch 'for-6.13/kysona' into for-linus - initial vendor-specific driver for Kysona, currently adding support for Kysona M600 (Lode Willems) commit a737d9d62d55db4fe1a8ccf184ceb54a64f85ede Merge: 65578513c3a996 fb6c0583a1435a Author: Jiri Kosina Date: Mon Nov 18 21:52:49 2024 +0100 Merge branch 'for-6.13/logitech' into for-linus - unused variable removal in hidpp_root_get_feature() (Bastien Nocera) commit 65578513c3a996cc0fa23526050cddeed08d8d64 Merge: 873c578324c708 e8a0581914bd2e Author: Jiri Kosina Date: Mon Nov 18 21:51:47 2024 +0100 Merge branch 'for-6.13/multitouch-v2' into for-linus - code cleanup for mt_set_mode() (Dmitry Torokhov) commit e8a0581914bd2e28f7af8d333ddc73fd78b1ef84 Author: Dmitry Torokhov Date: Mon Oct 28 12:07:50 2024 -0700 HID: multitouch: make mt_set_mode() less cryptic mt_set_mode() accepts 2 boolean switches indicating whether the device (if it follows Windows Precision Touchpad specification) should report hardware buttons and/or surface contacts. For a casual reader it is completely not clear, as they look at the call site, which exact mode is being requested. Define report_mode enum and change mt_set_mode() to accept is as an argument instead. This allows to write: mt_set_modes(hdev, HID_LATENCY_NORMAL, TOUCHPAD_REPORT_ALL); or mt_set_modes(hdev, HID_LATENCY_HIGH, TOUCHPAD_REPORT_BUTTONS); which makes intent much more clear. Reviewed-by: Benjamin Tissoires Signed-off-by: Dmitry Torokhov Link: https://patch.msgid.link/Zx_hBvg5Qa3KU3ta@google.com Signed-off-by: Benjamin Tissoires commit 82339c49119f5e38ca3c81d698b84134c342373f Merge: 0f25f0e4efaeb6 46a7fcec097da5 Author: Linus Torvalds Date: Mon Nov 18 12:44:25 2024 -0800 Merge tag 'pull-xattr' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs Pull xattr updates from Al Viro: "Sanitize xattr and io_uring interactions with it, add *xattrat() syscalls, sanitize struct filename handling in there" * tag 'pull-xattr' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: xattr: remove redundant check on variable err fs/xattr: add *at family syscalls new helpers: file_removexattr(), filename_removexattr() new helpers: file_listxattr(), filename_listxattr() replace do_getxattr() with saner helpers. replace do_setxattr() with saner helpers. new helper: import_xattr_name() fs: rename struct xattr_ctx to kernel_xattr_ctx xattr: switch to CLASS(fd) io_[gs]etxattr_prep(): just use getname() io_uring: IORING_OP_F[GS]ETXATTR is fine with REQ_F_FIXED_FILE getname_maybe_null() - the third variant of pathname copy-in teach filename_lookup() to treat NULL filename as "" commit 873c578324c7082677303e2921b71fe0f5737ccc Merge: f33e46a0c6bddd 8ee0f23e2672f0 Author: Jiri Kosina Date: Mon Nov 18 21:31:09 2024 +0100 Merge branch 'for-6.13/steelseries' into for-linus - bugfixes for Steelseries Arctis 1 battery level handling (Bastien Nocera) commit f33e46a0c6bddd341d0989484a2546bba7ac4a3c Merge: 66ef47faa90d83 a025b0dbd83f85 Author: Jiri Kosina Date: Mon Nov 18 21:29:33 2024 +0100 Merge branch 'for-6.13/wacom' into for-linus - Sanitization of BTN_TOOL_RUBBER handling (Jason Gerecke) commit 0f25f0e4efaeb68086f7e65c442f2d648b21736f Merge: 23acd177540d7b 38052c2dd71f54 Author: Linus Torvalds Date: Mon Nov 18 12:24:06 2024 -0800 Merge tag 'pull-fd' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs Pull 'struct fd' class updates from Al Viro: "The bulk of struct fd memory safety stuff Making sure that struct fd instances are destroyed in the same scope where they'd been created, getting rid of reassignments and passing them by reference, converting to CLASS(fd{,_pos,_raw}). We are getting very close to having the memory safety of that stuff trivial to verify" * tag 'pull-fd' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (28 commits) deal with the last remaing boolean uses of fd_file() css_set_fork(): switch to CLASS(fd_raw, ...) memcg_write_event_control(): switch to CLASS(fd) assorted variants of irqfd setup: convert to CLASS(fd) do_pollfd(): convert to CLASS(fd) convert do_select() convert vfs_dedupe_file_range(). convert cifs_ioctl_copychunk() convert media_request_get_by_fd() convert spu_run(2) switch spufs_calls_{get,put}() to CLASS() use convert cachestat(2) convert do_preadv()/do_pwritev() fdget(), more trivial conversions fdget(), trivial conversions privcmd_ioeventfd_assign(): don't open-code eventfd_ctx_fdget() o2hb_region_dev_store(): avoid goto around fdget()/fdput() introduce "fd_pos" class, convert fdget_pos() users to it. fdget_raw() users: switch to CLASS(fd_raw) convert vmsplice() to CLASS(fd) ... commit 6ce5a6f0a07d37cc377df08a8d8a9c283420f323 Author: Tatsuya S Date: Mon Oct 21 07:14:53 2024 +0000 tracing: Fix function name for trampoline The issue that unrelated function name is shown on stack trace like following even though it should be trampoline code address is caused by the creation of trampoline code in the area where .init.text section of module was freed after module is loaded. bash-1344 [002] ..... 43.644608: => (MODULE INIT FUNCTION) => vfs_write => ksys_write => do_syscall_64 => entry_SYSCALL_64_after_hwframe To resolve this, when function address of stack trace entry is in trampoline, output without looking up symbol name. Cc: Mathieu Desnoyers Link: https://lore.kernel.org/20241021071454.34610-2-tatsuya.s2862@gmail.com Signed-off-by: Tatsuya S Acked-by: Masami Hiramatsu (Google) Signed-off-by: Steven Rostedt (Google) commit 23acd177540d7ba929cdc801b73d15d799f654f4 Merge: 241c7ed4d4815c b4201b51d93eac Author: Linus Torvalds Date: Mon Nov 18 11:44:06 2024 -0800 Merge tag 'vfs-6.13.ecryptfs' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull ecryptfs updates from Christian Brauner: "The folio project is about to remove page->index. This contains the work required for ecryptfs" * tag 'vfs-6.13.ecryptfs' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: ecryptfs: Pass the folio index to crypt_extent() ecryptfs: Convert lower_offset_for_page() to take a folio ecryptfs: Convert ecryptfs_decrypt_page() to take a folio ecryptfs: Convert ecryptfs_encrypt_page() to take a folio ecryptfs: Convert ecryptfs_write_lower_page_segment() to take a folio ecryptfs: Convert ecryptfs_write() to use a folio ecryptfs: Convert ecryptfs_read_lower_page_segment() to take a folio ecryptfs: Convert ecryptfs_copy_up_encrypted_with_header() to take a folio ecryptfs: Use a folio throughout ecryptfs_read_folio() ecryptfs: Convert ecryptfs_writepage() to ecryptfs_writepages() commit 241c7ed4d4815cd7d9c52c8f97bf13181e32ca29 Merge: 7956186e751bc1 54079430c5dbf0 Author: Linus Torvalds Date: Mon Nov 18 11:30:09 2024 -0800 Merge tag 'vfs-6.13.untorn.writes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull vfs untorn write support from Christian Brauner: "An atomic write is a write issed with torn-write protection. This means for a power failure or any hardware failure all or none of the data from the write will be stored, never a mix of old and new data. This work is already supported for block devices. If a block device is opened with O_DIRECT and the block device supports atomic write, then FMODE_CAN_ATOMIC_WRITE is added to the file of the opened block device. This contains the work to expand atomic write support to filesystems, specifically ext4 and XFS. Currently, only support for writing exactly one filesystem block atomically is added. Since it's now possible to have filesystem block size > page size for XFS, it's possible to write 4K+ blocks atomically on x86" * tag 'vfs-6.13.untorn.writes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: iomap: drop an obsolete comment in iomap_dio_bio_iter ext4: Do not fallback to buffered-io for DIO atomic write ext4: Support setting FMODE_CAN_ATOMIC_WRITE ext4: Check for atomic writes support in write iter ext4: Add statx support for atomic writes xfs: Support setting FMODE_CAN_ATOMIC_WRITE xfs: Validate atomic writes xfs: Support atomic write for statx fs: iomap: Atomic write support fs: Export generic_atomic_write_valid() block: Add bdev atomic write limits helpers fs/block: Check for IOCB_DIRECT in generic_atomic_write_valid() block/fs: Pass an iocb to generic_atomic_write_valid() commit 7956186e751bc15541ede638008feedc0e427883 Merge: a5ca57479656f2 552b15103db404 Author: Linus Torvalds Date: Mon Nov 18 11:05:26 2024 -0800 Merge tag 'vfs-6.13.tmpfs' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull tmpfs case folding updates from Christian Brauner: "This adds case-insensitive support for tmpfs. The work contained in here adds support for case-insensitive file names lookups in tmpfs. The main difference from other casefold filesystems is that tmpfs has no information on disk, just on RAM, so we can't use mkfs to create a case-insensitive tmpfs. For this implementation, there's a mount option for casefolding. The rest of the patchset follows a similar approach as ext4 and f2fs. The use case for this feature is similar to the use case for ext4, to better support compatibility layers (like Wine), particularly in combination with sandboxing/container tools (like Flatpak). Those containerization tools can share a subset of the host filesystem with an application. In the container, the root directory and any parent directories required for a shared directory are on tmpfs, with the shared directories bind-mounted into the container's view of the filesystem. If the host filesystem is using case-insensitive directories, then the application can do lookups inside those directories in a case-insensitive way, without this needing to be implemented in user-space. However, if the host is only sharing a subset of a case-insensitive directory with the application, then the parent directories of the mount point will be part of the container's root tmpfs. When the application tries to do case-insensitive lookups of those parent directories on a case-sensitive tmpfs, the lookup will fail" * tag 'vfs-6.13.tmpfs' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: tmpfs: Initialize sysfs during tmpfs init tmpfs: Fix type for sysfs' casefold attribute libfs: Fix kernel-doc warning in generic_ci_validate_strict_name docs: tmpfs: Add casefold options tmpfs: Expose filesystem features via sysfs tmpfs: Add flag FS_CASEFOLD_FL support for tmpfs dirs tmpfs: Add casefold lookup support libfs: Export generic_ci_ dentry functions unicode: Recreate utf8_parse_version() unicode: Export latest available UTF-8 version number ext4: Use generic_ci_validate_strict_name helper libfs: Create the helper function generic_ci_validate_strict_name() commit a5ca57479656f2562f164d650c6646debbe2f99b Merge: 909d3b571e5a77 112cca098a7010 Author: Linus Torvalds Date: Mon Nov 18 10:50:09 2024 -0800 Merge tag 'vfs-6.13.usercopy' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull copy_struct_to_user helper from Christian Brauner: "This adds a copy_struct_to_user() helper which is a companion helper to the already widely used copy_struct_from_user(). It copies a struct from kernel space to userspace, in a way that guarantees backwards-compatibility for struct syscall arguments as long as future struct extensions are made such that all new fields are appended to the old struct, and zeroed-out new fields have the same meaning as the old struct. The first user is sched_getattr() system call but the new extensible pidfs ioctl will be ported to it as well" * tag 'vfs-6.13.usercopy' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: sched_getattr: port to copy_struct_to_user uaccess: add copy_struct_to_user helper commit 909d3b571e5a77aef0949818de1efda129dcddbd Merge: a29835c9d0ba53 cdda1f26e74bac Author: Linus Torvalds Date: Mon Nov 18 10:47:46 2024 -0800 Merge tag 'vfs-6.13.pidfs' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull pidfs update from Christian Brauner: "This adds a new ioctl to retrieve information about a pidfd. A common pattern when using pidfds is having to get information about the process, which currently requires /proc being mounted, resolving the fd to a pid, and then do manual string parsing of /proc/N/status and friends. This needs to be reimplemented over and over in all userspace projects (e.g.: it has been reimplemented in systemd, dbus, dbus-daemon, polkit so far), and requires additional care in checking that the fd is still valid after having parsed the data, to avoid races. Having a programmatic API that can be used directly removes all these requirements, including having /proc mounted. As discussed at LPC24, add an ioctl with an extensible struct so that more parameters can be added later if needed. Start with returning pid/tgid/ppid and some creds unconditionally, and cgroupid optionally" * tag 'vfs-6.13.pidfs' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: pidfd: add ioctl to retrieve pid info commit a29835c9d0ba5365d64b56883692d0e8675fb615 Merge: 4c797b11a88297 d59dfd625a8bae Author: Linus Torvalds Date: Mon Nov 18 10:45:06 2024 -0800 Merge tag 'vfs-6.13.ovl' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull overlayfs updates from Christian Brauner: "Make overlayfs support specifying layers through file descriptors. Currently overlayfs only allows specifying layers through path names. This is inconvenient for users that want to assemble an overlayfs mount purely based on file descriptors: This enables user to specify both: fsconfig(fd_overlay, FSCONFIG_SET_FD, "upperdir+", NULL, fd_upper); fsconfig(fd_overlay, FSCONFIG_SET_FD, "workdir+", NULL, fd_work); fsconfig(fd_overlay, FSCONFIG_SET_FD, "lowerdir+", NULL, fd_lower1); fsconfig(fd_overlay, FSCONFIG_SET_FD, "lowerdir+", NULL, fd_lower2); in addition to: fsconfig(fd_overlay, FSCONFIG_SET_STRING, "upperdir+", "/upper", 0); fsconfig(fd_overlay, FSCONFIG_SET_STRING, "workdir+", "/work", 0); fsconfig(fd_overlay, FSCONFIG_SET_STRING, "lowerdir+", "/lower1", 0); fsconfig(fd_overlay, FSCONFIG_SET_STRING, "lowerdir+", "/lower2", 0); There's also a large set of new overlayfs selftests to test new features and some older properties" * tag 'vfs-6.13.ovl' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: selftests: add test for specifying 500 lower layers selftests: add overlayfs fd mounting selftests selftests: use shared header Documentation,ovl: document new file descriptor based layers ovl: specify layers via file descriptors fs: add helper to use mount option as path or fd commit 4c797b11a88297b9b0010b2c6645b191bac2350c Merge: 8dcf44fcad5ef5 aab154a442f9ba Author: Linus Torvalds Date: Mon Nov 18 10:30:29 2024 -0800 Merge tag 'vfs-6.13.file' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull vfs file updates from Christian Brauner: "This contains changes the changes for files for this cycle: - Introduce a new reference counting mechanism for files. As atomic_inc_not_zero() is implemented with a try_cmpxchg() loop it has O(N^2) behaviour under contention with N concurrent operations and it is in a hot path in __fget_files_rcu(). The rcuref infrastructures remedies this problem by using an unconditional increment relying on safe- and dead zones to make this work and requiring rcu protection for the data structure in question. This not just scales better it also introduces overflow protection. However, in contrast to generic rcuref, files require a memory barrier and thus cannot rely on *_relaxed() atomic operations and also require to be built on atomic_long_t as having massive amounts of reference isn't unheard of even if it is just an attack. This adds a file specific variant instead of making this a generic library. This has been tested by various people and it gives consistent improvement up to 3-5% on workloads with loads of threads. - Add a fastpath for find_next_zero_bit(). Skip 2-levels searching via find_next_zero_bit() when there is a free slot in the word that contains the next fd. This improves pts/blogbench-1.1.0 read by 8% and write by 4% on Intel ICX 160. - Conditionally clear full_fds_bits since it's very likely that a bit in full_fds_bits has been cleared during __clear_open_fds(). This improves pts/blogbench-1.1.0 read up to 13%, and write up to 5% on Intel ICX 160. - Get rid of all lookup_*_fdget_rcu() variants. They were used to lookup files without taking a reference count. That became invalid once files were switched to SLAB_TYPESAFE_BY_RCU and now we're always taking a reference count. Switch to an already existing helper and remove the legacy variants. - Remove pointless includes of . - Avoid cmpxchg() in close_files() as nobody else has a reference to the files_struct at that point. - Move close_range() into fs/file.c and fold __close_range() into it. - Cleanup calling conventions of alloc_fdtable() and expand_files(). - Merge __{set,clear}_close_on_exec() into one. - Make __set_open_fd() set cloexec as well instead of doing it in two separate steps" * tag 'vfs-6.13.file' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: selftests: add file SLAB_TYPESAFE_BY_RCU recycling stressor fs: port files to file_ref fs: add file_ref expand_files(): simplify calling conventions make __set_open_fd() set cloexec state as well fs: protect backing files with rcu file.c: merge __{set,clear}_close_on_exec() alloc_fdtable(): change calling conventions. fs/file.c: add fast path in find_next_fd() fs/file.c: conditionally clear full_fds fs/file.c: remove sanity_check and add likely/unlikely in alloc_fd() move close_range(2) into fs/file.c, fold __close_range() into it close_files(): don't bother with xchg() remove pointless includes of get rid of ...lookup...fdget_rcu() family commit 8dcf44fcad5ef5c1ff915628255c19cbe91f2588 Merge: 56be9aaf98d58b a4b2923376be06 Author: Linus Torvalds Date: Mon Nov 18 10:26:49 2024 -0800 Merge tag 'vfs-6.13.netfs' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull netfs updates from Christian Brauner: "Various fixes for the netfs library and related infrastructure: cachefiles: - Fix a dentry leak in cachefiles_open_file() - Fix incorrect length return value in cachefiles_ondemand_fd_write_iter() - Fix missing pos updates in cachefiles_ondemand_fd_write_iter() - Clean up in cachefiles_commit_tmpfile() - Fix NULL pointer dereference in object->file - Add a memory barrier for FSCACHE_VOLUME_CREATING netfs: - Remove call to folio_index() - Fix a few minor bugs in netfs_page_mkwrite() - Remove unnecessary references to pages" * tag 'vfs-6.13.netfs' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: netfs/fscache: Add a memory barrier for FSCACHE_VOLUME_CREATING cachefiles: Fix NULL pointer dereference in object->file cachefiles: Clean up in cachefiles_commit_tmpfile() cachefiles: Fix missing pos updates in cachefiles_ondemand_fd_write_iter() cachefiles: Fix incorrect length return value in cachefiles_ondemand_fd_write_iter() netfs: Remove unnecessary references to pages netfs: Fix a few minor bugs in netfs_page_mkwrite() netfs: Remove call to folio_index() commit 56be9aaf98d58bf69e2c948c183001d77e63fbbb Merge: 5bb6ba448fe359 c6bbfc7ce1567e Author: Linus Torvalds Date: Mon Nov 18 09:54:32 2024 -0800 Merge tag 'vfs-6.13.pagecache' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull vfs pagecache updates from Christian Brauner: "Cleanup filesystem page flag usage: This continues the work to make the mappedtodisk/owner_2 flag available to filesystems which don't use buffer heads. Further patches remove uses of Private2. This brings us very close to being rid of it entirely" * tag 'vfs-6.13.pagecache' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: migrate: Remove references to Private2 ceph: Remove call to PagePrivate2() btrfs: Switch from using the private_2 flag to owner_2 mm: Remove PageMappedToDisk nilfs2: Convert nilfs_copy_buffer() to use folios fs: Move clearing of mappedtodisk to buffer.c commit 5bb6ba448fe3598a7668838942db1f008beb581b Merge: 70e7730c2a7831 fe95f58320e6c8 Author: Linus Torvalds Date: Mon Nov 18 09:51:32 2024 -0800 Merge tag 'vfs-6.13.rust.file' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull vfs rust file abstractions from Christian Brauner: "This contains the file abstractions needed by the Rust implementation of the Binder driver and other parts of the kernel. Let's treat this as a first attempt at getting something working but I do expect the actual interfaces to change significantly over time. Simply because we are still figuring out what actually works. But there's no point in further theorizing. Let's see how it holds up with actual users" * tag 'vfs-6.13.rust.file' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: rust: task: adjust safety comments in Task methods rust: add seqfile abstraction rust: file: add abstraction for `poll_table` rust: file: add `Kuid` wrapper rust: file: add `FileDescriptorReservation` rust: security: add abstraction for secctx rust: cred: add Rust abstraction for `struct cred` rust: file: add Rust abstraction for `struct file` rust: task: add `Task::current_raw` rust: types: add `NotThreadSafe` commit 70e7730c2a78313e3ccc932410c939816e3ba1bc Merge: 4eb98b7760e807 aefff51e1c2986 Author: Linus Torvalds Date: Mon Nov 18 09:35:30 2024 -0800 Merge tag 'vfs-6.13.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull misc vfs updates from Christian Brauner: "Features: - Fixup and improve NLM and kNFSD file lock callbacks Last year both GFS2 and OCFS2 had some work done to make their locking more robust when exported over NFS. Unfortunately, part of that work caused both NLM (for NFS v3 exports) and kNFSD (for NFSv4.1+ exports) to no longer send lock notifications to clients This in itself is not a huge problem because most NFS clients will still poll the server in order to acquire a conflicted lock It's important for NLM and kNFSD that they do not block their kernel threads inside filesystem's file_lock implementations because that can produce deadlocks. We used to make sure of this by only trusting that posix_lock_file() can correctly handle blocking lock calls asynchronously, so the lock managers would only setup their file_lock requests for async callbacks if the filesystem did not define its own lock() file operation However, when GFS2 and OCFS2 grew the capability to correctly handle blocking lock requests asynchronously, they started signalling this behavior with EXPORT_OP_ASYNC_LOCK, and the check for also trusting posix_lock_file() was inadvertently dropped, so now most filesystems no longer produce lock notifications when exported over NFS Fix this by using an fop_flag which greatly simplifies the problem and grooms the way for future uses by both filesystems and lock managers alike - Add a sysctl to delete the dentry when a file is removed instead of making it a negative dentry Commit 681ce8623567 ("vfs: Delete the associated dentry when deleting a file") introduced an unconditional deletion of the associated dentry when a file is removed. However, this led to performance regressions in specific benchmarks, such as ilebench.sum_operations/s, prompting a revert in commit 4a4be1ad3a6e ("Revert "vfs: Delete the associated dentry when deleting a file""). This reintroduces the concept conditionally through a sysctl - Expand the statmount() system call: * Report the filesystem subtype in a new fs_subtype field to e.g., report fuse filesystem subtypes * Report the superblock source in a new sb_source field * Add a new way to return filesystem specific mount options in an option array that returns filesystem specific mount options separated by zero bytes and unescaped. This allows caller's to retrieve filesystem specific mount options and immediately pass them to e.g., fsconfig() without having to unescape or split them * Report security (LSM) specific mount options in a separate security option array. We don't lump them together with filesystem specific mount options as security mount options are generic and most users aren't interested in them The format is the same as for the filesystem specific mount option array - Support relative paths in fsconfig()'s FSCONFIG_SET_STRING command - Optimize acl_permission_check() to avoid costly {g,u}id ownership checks if possible - Use smp_mb__after_spinlock() to avoid full smp_mb() in evict() - Add synchronous wakeup support for ep_poll_callback. Currently, epoll only uses wake_up() to wake up task. But sometimes there are epoll users which want to use the synchronous wakeup flag to give a hint to the scheduler, e.g., the Android binder driver. So add a wake_up_sync() define, and use wake_up_sync() when sync is true in ep_poll_callback() Fixes: - Fix kernel documentation for inode_insert5() and iget5_locked() - Annotate racy epoll check on file->f_ep - Make F_DUPFD_QUERY associative - Avoid filename buffer overrun in initramfs - Don't let statmount() return empty strings - Add a cond_resched() to dump_user_range() to avoid hogging the CPU - Don't query the device logical blocksize multiple times for hfsplus - Make filemap_read() check that the offset is positive or zero Cleanups: - Various typo fixes - Cleanup wbc_attach_fdatawrite_inode() - Add __releases annotation to wbc_attach_and_unlock_inode() - Add hugetlbfs tracepoints - Fix various vfs kernel doc parameters - Remove obsolete TODO comment from io_cancel() - Convert wbc_account_cgroup_owner() to take a folio - Fix comments for BANDWITH_INTERVAL and wb_domain_writeout_add() - Reorder struct posix_acl to save 8 bytes - Annotate struct posix_acl with __counted_by() - Replace one-element array with flexible array member in freevxfs - Use idiomatic atomic64_inc_return() in alloc_mnt_ns()" * tag 'vfs-6.13.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: (35 commits) statmount: retrieve security mount options vfs: make evict() use smp_mb__after_spinlock instead of smp_mb statmount: add flag to retrieve unescaped options fs: add the ability for statmount() to report the sb_source writeback: wbc_attach_fdatawrite_inode out of line writeback: add a __releases annoation to wbc_attach_and_unlock_inode fs: add the ability for statmount() to report the fs_subtype fs: don't let statmount return empty strings fs:aio: Remove TODO comment suggesting hash or array usage in io_cancel() hfsplus: don't query the device logical block size multiple times freevxfs: Replace one-element array with flexible array member fs: optimize acl_permission_check() initramfs: avoid filename buffer overrun fs/writeback: convert wbc_account_cgroup_owner to take a folio acl: Annotate struct posix_acl with __counted_by() acl: Realign struct posix_acl to save 8 bytes epoll: Add synchronous wakeup support for ep_poll_callback coredump: add cond_resched() to dump_user_range mm/page-writeback.c: Fix comment of wb_domain_writeout_add() mm/page-writeback.c: Update comment for BANDWIDTH_INTERVAL ... commit 4eb98b7760e8078dbc984ee08b02b5b4c3cff088 Merge: 6ac81fd55e8af8 51ceeb1a814253 Author: Linus Torvalds Date: Mon Nov 18 09:33:34 2024 -0800 Merge tag 'vfs-6.13.mount.api' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull vfs mount api conversions from Christian Brauner: "Convert adfs, affs, befs, hfs, hfsplus, jfs, and hpfs to the new mount api" * tag 'vfs-6.13.mount.api' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: efs: fix the efs new mount api implementation ubifs: Convert ubifs to use the new mount API hpfs: convert hpfs to use the new mount api jfs: convert jfs to use the new mount api hfsplus: convert hfsplus to use the new mount api hfs: convert hfs to use the new mount api befs: convert befs to use the new mount api affs: convert affs to use the new mount api adfs: convert adfs to use the new mount api commit 6fad84a4d624c300d03ebba457cc641765050c43 Author: Keith Busch Date: Fri Nov 8 15:41:08 2024 -0800 nvme-pci: use sgls for all user requests if possible If the device supports SGLs, use these for all user requests. This format encodes the expected transfer length so it can catch short buffer errors in a user command, whether it occurred accidently or maliciously. For controllers that support SGL data mode, this is a viable mitigation to CVE-2023-6238. For controllers that don't support SGLs, log a warning in the passthrough path since not having the capability can corrupt data if the interface is not used correctly. Reviewed-by: Christoph Hellwig Signed-off-by: Keith Busch commit 28b6acd75e3cefbe746ec7402c7ff4fdb114f327 Author: Rick Wertenbroek Date: Thu Nov 14 17:10:32 2024 +0100 PCI: endpoint: Fix pci_epc_map map_size kerneldoc string Because some endpoint controllers have requirements on the alignment of the controller physical memory address that must be used to map a RC PCI address region, the map PCI start address is not necessarily the desired PCI base address to be mapped. This can result in map_pci_addr being lower than pci_addr as documented. This results in map_size covering the range map_pci_addr..pci_addr+pci_size. The old text had the pci_addr twice instead of map_pci_addr..pci_addr, so replace the erroneous kerneldoc string to reflect the actual range. Link: https://lore.kernel.org/r/20241114161032.3046202-1-rick.wertenbroek@gmail.com Signed-off-by: Rick Wertenbroek Signed-off-by: Krzysztof Wilczyński commit 688d2eb4c6fcfdcdaed0592f9df9196573ff5ce2 Author: Zijun Hu Date: Thu Nov 7 08:53:09 2024 +0800 PCI: endpoint: Clear secondary (not primary) EPC in pci_epc_remove_epf() In addition to a primary endpoint controller, an endpoint function may be associated with a secondary endpoint controller, epf->sec_epc, to provide NTB (non-transparent bridge) functionality. Previously, pci_epc_remove_epf() incorrectly cleared epf->epc instead of epf->sec_epc when removing from the secondary endpoint controller. Extend the epc->list_lock coverage and clear either epf->epc or epf->sec_epc as indicated. Link: https://lore.kernel.org/r/20241107-epc_rfc-v2-2-da5b6a99a66f@quicinc.com Fixes: 63840ff53223 ("PCI: endpoint: Add support to associate secondary EPC with EPF") Signed-off-by: Zijun Hu Reviewed-by: Manivannan Sadhasivam [mani: reworded subject and description] Signed-off-by: Manivannan Sadhasivam [bhelgaas: commit log] Signed-off-by: Bjorn Helgaas Signed-off-by: Krzysztof Wilczyński Cc: stable@vger.kernel.org commit 6399a0db8cd61eedbfb4b7809a4f4699157a9bf8 Author: Keith Busch Date: Wed Nov 13 13:57:04 2024 -0800 nvme: define the remaining used sgls constants This provides a little more context when reading the code than hardcoded magic numbers. Reviewed-by: Christoph Hellwig Signed-off-by: Keith Busch commit 979c6342f9c0a48696a6420f14f9dd409591657f Author: Keith Busch Date: Fri Nov 15 13:41:21 2024 -0800 nvme-pci: add support for sgl metadata Supporting this mode allows creating and merging multi-segment metadata requests that wouldn't be possible otherwise. It also allows directly using user space requests that straddle physically discontiguous pages. Reviewed-by: Christoph Hellwig Signed-off-by: Keith Busch commit 4acc902ed3743edd4ac2d3846604a99d17104359 Author: Zijun Hu Date: Thu Nov 7 08:53:08 2024 +0800 PCI: endpoint: Fix PCI domain ID release in pci_epc_destroy() pci_epc_destroy() invokes pci_bus_release_domain_nr() to release the PCI domain ID, but there are two issues: - 'epc->dev' is passed to pci_bus_release_domain_nr() which was already freed by device_unregister(), leading to a use-after-free issue. - Domain ID corresponds to the EPC device parent, so passing 'epc->dev' is also wrong. Fix these issues by passing 'epc->dev.parent' to pci_bus_release_domain_nr() and also do it before device_unregister(). Fixes: 0328947c5032 ("PCI: endpoint: Assign PCI domain number for endpoint controllers") Signed-off-by: Zijun Hu Reviewed-by: Manivannan Sadhasivam Link: https://lore.kernel.org/r/20241107-epc_rfc-v2-1-da5b6a99a66f@quicinc.com [mani: reworded subject and description] Signed-off-by: Manivannan Sadhasivam Signed-off-by: Bjorn Helgaas Signed-off-by: Krzysztof Wilczyński Cc: stable@vger.kernel.org commit 6ac81fd55e8af8e78a716b4ba213c8c6381d94fd Merge: adc218676eef25 9fed2c0f2f0771 Author: Linus Torvalds Date: Mon Nov 18 09:15:39 2024 -0800 Merge tag 'vfs-6.13.mgtime' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull vfs multigrain timestamps from Christian Brauner: "This is another try at implementing multigrain timestamps. This time with significant help from the timekeeping maintainers to reduce the performance impact. Thomas provided a base branch that contains the required timekeeping interfaces for the VFS. It serves as the base for the multi-grain timestamp work: - Multigrain timestamps allow the kernel to use fine-grained timestamps when an inode's attributes is being actively observed via ->getattr(). With this support, it's possible for a file to get a fine-grained timestamp, and another modified after it to get a coarse-grained stamp that is earlier than the fine-grained time. If this happens then the files can appear to have been modified in reverse order, which breaks VFS ordering guarantees. To prevent this, a floor value is maintained for multigrain timestamps. Whenever a fine-grained timestamp is handed out, record it, and when later coarse-grained stamps are handed out, ensure they are not earlier than that value. If the coarse-grained timestamp is earlier than the fine-grained floor, return the floor value instead. The timekeeper changes add a static singleton atomic64_t into timekeeper.c that is used to keep track of the latest fine-grained time ever handed out. This is tracked as a monotonic ktime_t value to ensure that it isn't affected by clock jumps. Because it is updated at different times than the rest of the timekeeper object, the floor value is managed independently of the timekeeper via a cmpxchg() operation, and sits on its own cacheline. Two new public timekeeper interfaces are added: (1) ktime_get_coarse_real_ts64_mg() fills a timespec64 with the later of the coarse-grained clock and the floor time (2) ktime_get_real_ts64_mg() gets the fine-grained clock value, and tries to swap it into the floor. A timespec64 is filled with the result. - The VFS has always used coarse-grained timestamps when updating the ctime and mtime after a change. This has the benefit of allowing filesystems to optimize away a lot metadata updates, down to around 1 per jiffy, even when a file is under heavy writes. Unfortunately, this has always been an issue when we're exporting via NFSv3, which relies on timestamps to validate caches. A lot of changes can happen in a jiffy, so timestamps aren't sufficient to help the client decide when to invalidate the cache. Even with NFSv4, a lot of exported filesystems don't properly support a change attribute and are subject to the same problems with timestamp granularity. Other applications have similar issues with timestamps (e.g backup applications). If we were to always use fine-grained timestamps, that would improve the situation, but that becomes rather expensive, as the underlying filesystem would have to log a lot more metadata updates. This adds a way to only use fine-grained timestamps when they are being actively queried. Use the (unused) top bit in inode->i_ctime_nsec as a flag that indicates whether the current timestamps have been queried via stat() or the like. When it's set, we allow the kernel to use a fine-grained timestamp iff it's necessary to make the ctime show a different value. This solves the problem of being able to distinguish the timestamp between updates, but introduces a new problem: it's now possible for a file being changed to get a fine-grained timestamp. A file that is altered just a bit later can then get a coarse-grained one that appears older than the earlier fine-grained time. This violates timestamp ordering guarantees. This is where the earlier mentioned timkeeping interfaces help. A global monotonic atomic64_t value is kept that acts as a timestamp floor. When we go to stamp a file, we first get the latter of the current floor value and the current coarse-grained time. If the inode ctime hasn't been queried then we just attempt to stamp it with that value. If it has been queried, then first see whether the current coarse time is later than the existing ctime. If it is, then we accept that value. If it isn't, then we get a fine-grained time and try to swap that into the global floor. Whether that succeeds or fails, we take the resulting floor time, convert it to realtime and try to swap that into the ctime. We take the result of the ctime swap whether it succeeds or fails, since either is just as valid. Filesystems can opt into this by setting the FS_MGTIME fstype flag. Others should be unaffected (other than being subject to the same floor value as multigrain filesystems)" * tag 'vfs-6.13.mgtime' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: fs: reduce pointer chasing in is_mgtime() test tmpfs: add support for multigrain timestamps btrfs: convert to multigrain timestamps ext4: switch to multigrain timestamps xfs: switch to multigrain timestamps Documentation: add a new file documenting multigrain timestamps fs: add percpu counters for significant multigrain timestamp events fs: tracepoints around multigrain timestamp events fs: handle delegated timestamps in setattr_copy_mgtime timekeeping: Add percpu counter for tracking floor swap events timekeeping: Add interfaces for handling timestamps with a floor value fs: have setattr_copy handle multigrain timestamps appropriately fs: add infrastructure for multigrain timestamps commit 5dd18f09ce7399df6fffe80d1598add46c395ae9 Author: Breno Leitao Date: Tue Nov 5 06:42:46 2024 -0800 nvme/multipath: Fix RCU list traversal to use SRCU primitive The code currently uses list_for_each_entry_rcu() while holding an SRCU lock, triggering false positive warnings with CONFIG_PROVE_RCU=y enabled: drivers/nvme/host/multipath.c:168 RCU-list traversed in non-reader section!! drivers/nvme/host/multipath.c:227 RCU-list traversed in non-reader section!! drivers/nvme/host/multipath.c:260 RCU-list traversed in non-reader section!! While the list is properly protected by SRCU lock, the code uses the wrong list traversal primitive. Replace list_for_each_entry_rcu() with list_for_each_entry_srcu() to correctly indicate SRCU-based protection and eliminate the false warning. Signed-off-by: Breno Leitao Fixes: be647e2c76b2 ("nvme: use srcu for iterating namespace list") Signed-off-by: Keith Busch commit cdc905d16b07981363e53a21853ba1cf6cd8e92a Author: Frederic Weisbecker Date: Sun Nov 17 00:48:23 2024 +0100 posix-timers: Fix spurious warning on double enqueue versus do_exit() A timer sigqueue may find itself already pending when it is tried to be enqueued. This situation can happen if the timer sigqueue is enqueued but then the timer is reset afterwards and fires before the pending signal managed to be delivered. However when such a double enqueue occurs while the corresponding signal is ignored, the sigqueue is expected to be found either on the dedicated ignored list if the timer was periodic or dropped if the timer was one-shot. In any case it is not supposed to be queued on the real signal queue. An assertion verifies the latter expectation on top of the return value of prepare_signal(), assuming "false" means that the signal is being ignored. But prepare_signal() may also fail if the target is exiting as the last task of its group. In this case the double enqueue observes the sigqueue queued, as in such a situation: TASK A (same group as B) TASK B (same group as A) ------------------------ ------------------------ // timer event // queue signal to TASK B posix_timer_queue_signal() // reset timer through syscall do_timer_settime() // exit, leaving task B alone do_exit() do_exit() synchronize_group_exit() signal->flags = SIGNAL_GROUP_EXIT // ========> timer event posix_timer_queue_signal() // return false due to SIGNAL_GROUP_EXIT if (!prepare_signal()) WARN_ON_ONCE(!list_empty(&q->list)) And this spuriously triggers this warning: WARNING: CPU: 0 PID: 5854 at kernel/signal.c:2008 posixtimer_send_sigqueue CPU: 0 UID: 0 PID: 5854 Comm: syz-executor139 Not tainted 6.12.0-rc6-next-20241108-syzkaller #0 RIP: 0010:posixtimer_send_sigqueue+0x9da/0xbc0 kernel/signal.c:2008 Call Trace: alarm_handle_timer alarmtimer_fired __run_hrtimer __hrtimer_run_queues hrtimer_interrupt local_apic_timer_interrupt __sysvec_apic_timer_interrupt instr_sysvec_apic_timer_interrupt sysvec_apic_timer_interrupt Fortunately the recovery code in that case already does the right thing: just exit from posixtimer_send_sigqueue() and wait for __exit_signal() to flush the pending signal. Just make sure to warn only the case when the sigqueue is queued and the signal is really ignored. Fixes: df7a996b4dab ("signal: Queue ignored posixtimers on ignore list") Reported-by: syzbot+852e935b899bde73626e@syzkaller.appspotmail.com Signed-off-by: Frederic Weisbecker Signed-off-by: Thomas Gleixner Tested-by: syzbot+852e935b899bde73626e@syzkaller.appspotmail.com Link: https://lore.kernel.org/all/20241116234823.28497-1-frederic@kernel.org Closes: https://lore.kernel.org/all/673549c6.050a0220.1324f8.008c.GAE@google.com commit 60b1f578b5789730d81460d1836dec7fa60510bf Author: Jeff Xie Date: Tue Oct 8 11:31:59 2024 +0800 ftrace: Get the true parent ip for function tracer When using both function tracer and function graph simultaneously, it is found that function tracer sometimes captures a fake parent ip (return_to_handler) instead of the true parent ip. This issue is easy to reproduce. Below are my reproduction steps: jeff-labs:~/bin # ./trace-net.sh jeff-labs:~/bin # cat /sys/kernel/debug/tracing/instances/foo/trace | grep return_to_handler trace-net.sh-405 [001] ...2. 31.859501: avc_has_perm+0x4/0x190 <-return_to_handler+0x0/0x40 trace-net.sh-405 [001] ...2. 31.859503: simple_setattr+0x4/0x70 <-return_to_handler+0x0/0x40 trace-net.sh-405 [001] ...2. 31.859503: truncate_pagecache+0x4/0x60 <-return_to_handler+0x0/0x40 trace-net.sh-405 [001] ...2. 31.859505: unmap_mapping_range+0x4/0x140 <-return_to_handler+0x0/0x40 trace-net.sh-405 [001] ...3. 31.859508: _raw_spin_unlock+0x4/0x30 <-return_to_handler+0x0/0x40 [...] The following is my simple trace script: jeff-labs:~/bin # cat ./trace-net.sh TRACE_PATH="/sys/kernel/tracing" set_events() { echo 1 > $1/events/net/enable echo 1 > $1/events/tcp/enable echo 1 > $1/events/sock/enable echo 1 > $1/events/napi/enable echo 1 > $1/events/fib/enable echo 1 > $1/events/neigh/enable } set_events ${TRACE_PATH} echo 1 > ${TRACE_PATH}/options/sym-offset echo 1 > ${TRACE_PATH}/options/funcgraph-tail echo 1 > ${TRACE_PATH}/options/funcgraph-proc echo 1 > ${TRACE_PATH}/options/funcgraph-abstime echo 'tcp_orphan*' > ${TRACE_PATH}/set_ftrace_notrace echo function_graph > ${TRACE_PATH}/current_tracer INSTANCE_FOO=${TRACE_PATH}/instances/foo if [ ! -e $INSTANCE_FOO ]; then mkdir ${INSTANCE_FOO} fi set_events ${INSTANCE_FOO} echo 1 > ${INSTANCE_FOO}/options/sym-offset echo 'tcp_orphan*' > ${INSTANCE_FOO}/set_ftrace_notrace echo function > ${INSTANCE_FOO}/current_tracer echo 1 > ${TRACE_PATH}/tracing_on echo 1 > ${INSTANCE_FOO}/tracing_on echo > ${TRACE_PATH}/trace echo > ${INSTANCE_FOO}/trace Link: https://lore.kernel.org/20241008033159.22459-1-jeff.xie@linux.dev Acked-by: Masami Hiramatsu (Google) Signed-off-by: Jeff Xie Signed-off-by: Steven Rostedt (Google) commit 3500000bb13d300e8d7fdf4a1212abdd0de2b5c1 Author: Dmitry Antipov Date: Fri Nov 15 16:11:56 2024 +0300 ceph: miscellaneous spelling fixes Correct spelling here and there as suggested by codespell. Signed-off-by: Dmitry Antipov Reviewed-by: Ilya Dryomov Signed-off-by: Ilya Dryomov commit c152737be22b103bff5987e03136a69710c2e68f Author: Abdul Rahim Date: Fri Nov 15 16:54:19 2024 +0530 ceph: Use strscpy() instead of strcpy() in __get_snap_name() strcpy() performs no bounds checking on the destination buffer. This could result in linear overflows beyond the end of the buffer, leading to all kinds of misbehaviors [1]. This fixes checkpatch warning: WARNING: Prefer strscpy over strcpy [1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strcpy [ idryomov: formatting ] Signed-off-by: Abdul Rahim Reviewed-by: Ilya Dryomov Signed-off-by: Ilya Dryomov commit e50f960bea7a25da0848fa8e1eec715670c4be70 Author: Thorsten Blum Date: Tue Nov 12 22:14:39 2024 +0100 ceph: Use str_true_false() helper in status_show() Remove hard-coded strings by using the str_true_false() helper function. Signed-off-by: Thorsten Blum Reviewed-by: Ilya Dryomov Signed-off-by: Ilya Dryomov commit 64cf95d0b1084860f75f7bf24fdaa88794dccc80 Author: Patrick Donnelly Date: Sat Oct 12 21:13:13 2024 -0400 ceph: requalify some char pointers as const Signed-off-by: Patrick Donnelly Reviewed-by: Ilya Dryomov Signed-off-by: Ilya Dryomov commit 955710afcb3bb63e21e186451ed5eba85fa14d0b Author: Patrick Donnelly Date: Sat Oct 12 20:54:11 2024 -0400 ceph: extract entity name from device id Previously, the "name" in the new device syntax "@." was ignored because (presumably) tests were done using mount.ceph which also passed the entity name using "-o name=foo". If mounting is done without the mount.ceph helper, the new device id syntax fails to set the name properly. Cc: stable@vger.kernel.org Link: https://tracker.ceph.com/issues/68516 Signed-off-by: Patrick Donnelly Reviewed-by: Ilya Dryomov Signed-off-by: Ilya Dryomov commit 6779c9d59a0709de5c679a268c4f3d034f22c956 Author: Ilya Dryomov Date: Sun Oct 27 21:12:12 2024 +0100 MAINTAINERS: exclude net/ceph from networking net/ceph (libceph) patches have always gone through the Ceph tree. Avoid CCing netdev in addition to ceph-devel list. Signed-off-by: Ilya Dryomov Acked-by: Jakub Kicinski commit 6025b482e48041cd71111ab4f7cc28e0371b2e3e Author: Dr. David Alan Gilbert Date: Sun Oct 6 02:19:56 2024 +0100 ceph: Remove fs/ceph deadcode ceph_caps_revoking() has been unused since 2017's commit 3fb99d483e61 ("ceph: nuke startsync op") ceph_mdsc_open_export_target_sessions() has been unused since 2013's commit 11df2dfb610d ("ceph: add imported caps when handling cap export message") Remove them. Signed-off-by: Dr. David Alan Gilbert Reviewed-by: Ilya Dryomov Signed-off-by: Ilya Dryomov commit 3e0f59f09e3f319b6652e5b4523fe02d965515a5 Author: Dr. David Alan Gilbert Date: Sun Oct 6 02:19:55 2024 +0100 libceph: Remove unused ceph_crypto_key_encode ceph_crypto_key_encode() was added in 2010's commit 8b6e4f2d8b21 ("ceph: aes crypto and base64 encode/decode helpers") but has remained unused (the decode is used). Remove it. Signed-off-by: Dr. David Alan Gilbert Reviewed-by: Ilya Dryomov Signed-off-by: Ilya Dryomov commit 32844fd72b879d02f1f6b4394025349d31a09fd3 Author: Dr. David Alan Gilbert Date: Sun Oct 6 02:19:54 2024 +0100 libceph: Remove unused ceph_osdc_watch_check ceph_osdc_watch_check() has been unused since it was added in commit b07d3c4bd727 ("libceph: support for checking on status of watch") Remove it. Signed-off-by: Dr. David Alan Gilbert Reviewed-by: Ilya Dryomov Signed-off-by: Ilya Dryomov commit ee1eb8ccaab8cc2ef4bda8e11a40409ee20f6405 Author: Dr. David Alan Gilbert Date: Sun Oct 6 02:19:53 2024 +0100 libceph: Remove unused pagevec functions ceph_copy_user_to_page_vector() has been unused since 2013's commit e8344e668915 ("ceph: Implement writev/pwritev for sync operation.") ceph_copy_to_page_vector() has been unused since 2012's commit 913d2fdcf605 ("rbd: always pass ops array to rbd_req_sync_op()") Remove them. Signed-off-by: Dr. David Alan Gilbert Reviewed-by: Ilya Dryomov Signed-off-by: Ilya Dryomov commit 03854920c39c62b88c0b540c92cf35746d059af2 Author: Dr. David Alan Gilbert Date: Sun Oct 6 02:19:52 2024 +0100 libceph: Remove unused ceph_pagelist functions ceph_pagelist_truncate() and ceph_pagelist_set_cursor() have been unused since commit 39be95e9c8c0 ("ceph: ceph_pagelist_append might sleep while atomic") Remove them. Signed-off-by: Dr. David Alan Gilbert Reviewed-by: Ilya Dryomov Signed-off-by: Ilya Dryomov commit 21d1b618b6b9da46c5116c640ac4b1cc8d40d63a Author: Jann Horn Date: Mon Nov 18 17:33:13 2024 +0100 fsnotify: Fix ordering of iput() and watched_objects decrement Ensure the superblock is kept alive until we're done with iput(). Holding a reference to an inode is not allowed unless we ensure the superblock stays alive, which fsnotify does by keeping the watched_objects count elevated, so iput() must happen before the watched_objects decrement. This can lead to a UAF of something like sb->s_fs_info in tmpfs, but the UAF is hard to hit because race orderings that oops are more likely, thanks to the CHECK_DATA_CORRUPTION() block in generic_shutdown_super(). Also, ensure that fsnotify_put_sb_watched_objects() doesn't call fsnotify_sb_watched_objects() on a superblock that may have already been freed, which would cause a UAF read of sb->s_fsnotify_info. Cc: stable@kernel.org Fixes: d2f277e26f52 ("fsnotify: rename fsnotify_{get,put}_sb_connectors()") Signed-off-by: Jann Horn Signed-off-by: Jan Kara commit e358e09a894dbcd51fdbbcf62bec1df249915834 Author: Pavel Begunkov Date: Mon Nov 18 15:14:50 2024 +0000 io_uring: protect register tracing Syz reports: BUG: KCSAN: data-race in __se_sys_io_uring_register / io_sqe_files_register read-write to 0xffff8881021940b8 of 4 bytes by task 5923 on cpu 1: io_sqe_files_register+0x2c4/0x3b0 io_uring/rsrc.c:713 __io_uring_register io_uring/register.c:403 [inline] __do_sys_io_uring_register io_uring/register.c:611 [inline] __se_sys_io_uring_register+0x8d0/0x1280 io_uring/register.c:591 __x64_sys_io_uring_register+0x55/0x70 io_uring/register.c:591 x64_sys_call+0x202/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:428 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xc9/0x1c0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f read to 0xffff8881021940b8 of 4 bytes by task 5924 on cpu 0: __do_sys_io_uring_register io_uring/register.c:613 [inline] __se_sys_io_uring_register+0xe4a/0x1280 io_uring/register.c:591 __x64_sys_io_uring_register+0x55/0x70 io_uring/register.c:591 x64_sys_call+0x202/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:428 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xc9/0x1c0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Which should be due to reading the table size after unlock. We don't care much as it's just to print it in trace, but we might as well do it under the lock. Reported-by: syzbot+5a486fef3de40e0d8c76@syzkaller.appspotmail.com Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/8233af2886a37b57f79e444e3db88fcfda1817ac.1731942203.git.asml.silence@gmail.com Signed-off-by: Jens Axboe commit c750629caeca01979da3403f4bebecda88713233 Author: Pavel Begunkov Date: Mon Nov 18 15:14:34 2024 +0000 io_uring: remove io_uring_cqwait_reg_arg A separate wait argument registration API was removed, also delete leftover uapi definitions. Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/143b6a53591badac23632d3e6fa3e5db4b342ee2.1731942445.git.asml.silence@gmail.com Signed-off-by: Jens Axboe commit a3f143c461444c0b56360bbf468615fa814a8372 Author: Manas Date: Mon Nov 18 20:06:58 2024 +0530 rust: block: simplify Result<()> in validate_block_size return `Result` is used in place of `Result<()>` because the default type parameters are unit `()` and `Error` types, which are automatically inferred. Thus keep the usage consistent throughout codebase. Suggested-by: Miguel Ojeda Link: https://github.com/Rust-for-Linux/linux/issues/1128 Signed-off-by: Manas Reviewed-by: Miguel Ojeda Link: https://lore.kernel.org/r/20241118-simplify-result-v3-1-6b1566a77eab@iiitd.ac.in Signed-off-by: Jens Axboe commit 200b977ebbc313a59174ba971006a231b3533dc5 Author: Alexander Aring Date: Mon Nov 18 11:01:49 2024 -0500 dlm: fix dlm_recover_members refcount on error If dlm_recover_members() fails we don't drop the references of the previous created root_list that holds and keep all rsbs alive during the recovery. It might be not an unlikely event because ping_members() could run into an -EINTR if another recovery progress was triggered again. Fixes: 3a747f4a2ee8 ("dlm: move rsb root_list to ls_recover() stack") Signed-off-by: Alexander Aring Signed-off-by: David Teigland commit eeecf953d697cb7f0d916f9908a2b9f451bb2667 Author: Melody Olvera Date: Mon Nov 11 16:26:45 2024 -0800 regulator: qcom-rpmh: Update ranges for FTSMPS525 All FTSMPS525 regulators support LV and MV ranges; however, the boot loader firmware will determine which range to use as the device boots. Nonetheless, the driver cannot determine which range was selected, so hardcoding the ranges as either LV or MV will not cover all cases as it's possible for the firmware to select a range not supported by the driver's current hardcoded values. To this end, combine the ranges for the FTSMPS525s into one struct and point all regulators to the updated combined struct. This should work on all boards regardless of which range is selected by the firmware and more accurately caputres the capability of this regulator on a hardware level. Signed-off-by: Melody Olvera Reviewed-by: Dmitry Baryshkov Link: https://patch.msgid.link/20241112002645.2803506-1-quic_molvera@quicinc.com Signed-off-by: Mark Brown commit e7240bd91f96f925a3bb8d2b9348fcb1db457b10 Author: Thomas Weißschuh Date: Mon Nov 18 16:02:49 2024 +0100 cpu: Remove spurious NULL in attribute_group definition This NULL value is most-likely a copy-paste error from an array definition. The NULL doesn't have any effect. Signed-off-by: Thomas Weißschuh Link: https://lore.kernel.org/r/20241118-sysfs-const-attribute_group-fixes-v1-3-48e0b0ad8cba@weissschuh.net Signed-off-by: Greg Kroah-Hartman commit b22fd46830c24f5a5833b60f9fac1682afc201ec Author: Thomas Weißschuh Date: Mon Nov 18 16:02:48 2024 +0100 s390/con3215: Remove spurious NULL in attribute_group definition This NULL value is most-likely a copy-paste error from an array definition. So far the NULL didn't have any effect. As there will be a union in struct attribute_group at this location, it will trigger a compiler warning. Signed-off-by: Thomas Weißschuh Link: https://lore.kernel.org/r/20241118-sysfs-const-attribute_group-fixes-v1-2-48e0b0ad8cba@weissschuh.net Signed-off-by: Greg Kroah-Hartman commit 573bcbe17e98f2cc4d398a15c8ef32dd685cda85 Author: Thomas Weißschuh Date: Mon Nov 18 16:02:47 2024 +0100 perf: arm-ni: Remove spurious NULL in attribute_group definition This NULL value is most-likely a copy-paste error from an array definition. So far the NULL didn't have any effect. As there will be a union in struct attribute_group at this location, it will trigger a compiler warning. Signed-off-by: Thomas Weißschuh Link: https://lore.kernel.org/r/20241118-sysfs-const-attribute_group-fixes-v1-1-48e0b0ad8cba@weissschuh.net Signed-off-by: Greg Kroah-Hartman commit 24b2455fe8fce17258fab4bb945d8e6929baeb77 Author: Nir Lichtman Date: Mon Nov 11 21:56:22 2024 +0000 kdb: fix ctrl+e/a/f/b/d/p/n broken in keyboard mode Problem: When using kdb via keyboard it does not react to control characters which are supported in serial mode. Example: Chords such as ctrl+a/e/d/p do not work in keyboard mode Solution: Before disregarding non-printable key characters, check if they are one of the supported control characters, I have took the control characters from the switch case upwards in this function that translates scan codes of arrow keys/backspace/home/.. to the control characters. Suggested-by: Douglas Anderson Signed-off-by: Nir Lichtman Reviewed-by: Douglas Anderson Link: https://lore.kernel.org/r/20241111215622.GA161253@lichtman.org Signed-off-by: Daniel Thompson commit 9c98750eb3079ee6e47a448fe095347821a21b45 Author: Daniel Thompson Date: Fri Nov 8 08:30:45 2024 +0000 MAINTAINERS: Use Daniel Thompson's korg address for kgdb work Going forward, I'll be using my kernel.org address for upstream work. Reviewed-by: Douglas Anderson Link: https://lore.kernel.org/r/20241108-new-maintainer-address-2-v1-2-47c9d71aac11@linaro.org Signed-off-by: Daniel Thompson commit 67a0463d339059eeeead9cd015afa594659cfdaf Author: Alex Far Date: Sat Nov 16 21:58:45 2024 +0300 ASoC: amd: yc: fix internal mic on Redmi G 2022 This laptop model requires an additional detection quirk to enable the internal microphone Signed-off-by: Alex Far Link: https://patch.msgid.link/ZzjrZY3sImcqTtGx@RedmiG Signed-off-by: Mark Brown commit 66f9dac9077c9c063552e465212abeb8f97d28a7 Author: Trond Myklebust Date: Mon Nov 4 21:09:21 2024 -0500 Revert "nfs: don't reuse partially completed requests in nfs_lock_and_join_requests" This reverts commit b571cfcb9dcac187c6d967987792d37cb0688610. This patch appears to assume that if one request is complete, then the others will complete too before unlocking. That is not a valid assumption, since other requests could hit a non-fatal error or a short write that would cause them not to complete. Reported-by: Igor Raits Link: https://bugzilla.kernel.org/show_bug.cgi?id=219508 Fixes: b571cfcb9dca ("nfs: don't reuse partially completed requests in nfs_lock_and_join_requests") Signed-off-by: Trond Myklebust commit 537affea1672a841cd5b87b208c193a3a542c7cf Author: liujing Date: Thu Nov 7 17:53:27 2024 +0800 ring-buffer: Correct a grammatical error in a comment The word "trace" begins with a consonant sound, so "a" should be used instead of "an". Link: https://lore.kernel.org/20241107095327.6390-1-liujing@cmss.chinamobile.com Signed-off-by: liujing Signed-off-by: Steven Rostedt (Google) commit 5b42edefd733371092ac771d4b1af031c8bbe4ba Author: Wolfram Sang Date: Mon Nov 18 08:29:12 2024 +0100 rtc: brcmstb-waketimer: don't include 'pm_wakeup.h' directly The header clearly states that it does not want to be included directly, only via 'device.h'. 'platform_device.h' works equally well. Remove the direct inclusion. Signed-off-by: Wolfram Sang Link: https://lore.kernel.org/r/20241118072917.3853-14-wsa+renesas@sang-engineering.com Signed-off-by: Alexandre Belloni commit e3f8064d8b29036f037fd1ff6000e5d959d84843 Author: Huacai Chen Date: Fri Nov 15 23:06:53 2024 +0800 ALSA: hda: Poll jack events for LS7A HD-Audio LS7A HD-Audio disable interrupts and use polling mode due to hardware drawbacks. As a result, unsolicited jack events are also unusable. If we want to support headphone hotplug, we need to also poll jack events. Here we use 1500ms as the poll interval if no module parameter specify it. Cc: stable@vger.kernel.org Signed-off-by: Huacai Chen Link: https://patch.msgid.link/20241115150653.2819100-1-chenhuacai@loongson.cn Signed-off-by: Takashi Iwai commit 40d6b7e0f42d15c7338824d15fa39bf926a39cf4 Merge: 1a7585c3a45047 5ec23a1b53a98d Author: Takashi Iwai Date: Mon Nov 18 14:39:29 2024 +0100 Merge branch 'for-linus' into for-next Pull 6.12 devel branch for further HD-audio and USB-audio fixes. Signed-off-by: Takashi Iwai commit 1a7585c3a4504705a97c1560ff67d589b693115d Merge: 9b4662d0df9f44 82ff5abc2edcfb Author: Takashi Iwai Date: Mon Nov 18 14:34:54 2024 +0100 Merge tag 'asoc-v6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-next ASoC: Updates for v6.13 This release was mainly about new drivers, there's a very large batch of new drivers and devices including quite a few from newer vendors which is great to see. Other than the new drivers and the usual routine fixes and enhancements the bulk of the work has been Morimoto-san's continuing work on simplifiying APIs, plus a few other bits: - More API simplifications from Morimoto-san. - Renaming of the sh directory to Renesas to reflect the focus on other architectures. - Factoring out of some of the common code for Realtek devices. - Support for Allwinner H616, AMD ACP 6.3 systems, AWInic AW88081, Cirrus Logic CS32L84, Everest ES8328, Iron Devices SMA1307, Longsoon I2S, NeoFidelity NTP8918 and NTP8835, Philips UDA1342, Qualcomm SM8750, RealTek RT721, and ST Microelectronics STM32MP25. commit a06e4a93067cd8f55a74638d45146ddde76574f2 Author: Finn Thain Date: Wed Nov 13 09:32:15 2024 +1100 rtc: m48t59: Use platform_data struct for year offset value Instead of hard-coded values and ifdefs, store the year offset in the platform_data struct. Tested-by: Daniel Palmer Reviewed-by: Geert Uytterhoeven Signed-off-by: Finn Thain Tested-by: Andreas Larsson Acked-by: Andreas Larsson Link: https://lore.kernel.org/r/665c3526184a8d0c4a6373297d8e7d9a12591d8b.1731450735.git.fthain@linux-m68k.org Signed-off-by: Alexandre Belloni commit 6cf7b65f7029914dc0cd7db86fac9ee5159008c6 Author: Defa Li Date: Thu Nov 7 21:25:39 2024 +0800 i3c: Use i3cdev->desc->info instead of calling i3c_device_get_info() to avoid deadlock A deadlock may happen since the i3c_master_register() acquires &i3cbus->lock twice. See the log below. Use i3cdev->desc->info instead of calling i3c_device_info() to avoid acquiring the lock twice. v2: - Modified the title and commit message ============================================ WARNING: possible recursive locking detected 6.11.0-mainline -------------------------------------------- init/1 is trying to acquire lock: f1ffff80a6a40dc0 (&i3cbus->lock){++++}-{3:3}, at: i3c_bus_normaluse_lock but task is already holding lock: f1ffff80a6a40dc0 (&i3cbus->lock){++++}-{3:3}, at: i3c_master_register other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&i3cbus->lock); lock(&i3cbus->lock); *** DEADLOCK *** May be due to missing lock nesting notation 2 locks held by init/1: #0: fcffff809b6798f8 (&dev->mutex){....}-{3:3}, at: __driver_attach #1: f1ffff80a6a40dc0 (&i3cbus->lock){++++}-{3:3}, at: i3c_master_register stack backtrace: CPU: 6 UID: 0 PID: 1 Comm: init Call trace: dump_backtrace+0xfc/0x17c show_stack+0x18/0x28 dump_stack_lvl+0x40/0xc0 dump_stack+0x18/0x24 print_deadlock_bug+0x388/0x390 __lock_acquire+0x18bc/0x32ec lock_acquire+0x134/0x2b0 down_read+0x50/0x19c i3c_bus_normaluse_lock+0x14/0x24 i3c_device_get_info+0x24/0x58 i3c_device_uevent+0x34/0xa4 dev_uevent+0x310/0x384 kobject_uevent_env+0x244/0x414 kobject_uevent+0x14/0x20 device_add+0x278/0x460 device_register+0x20/0x34 i3c_master_register_new_i3c_devs+0x78/0x154 i3c_master_register+0x6a0/0x6d4 mtk_i3c_master_probe+0x3b8/0x4d8 platform_probe+0xa0/0xe0 really_probe+0x114/0x454 __driver_probe_device+0xa0/0x15c driver_probe_device+0x3c/0x1ac __driver_attach+0xc4/0x1f0 bus_for_each_dev+0x104/0x160 driver_attach+0x24/0x34 bus_add_driver+0x14c/0x294 driver_register+0x68/0x104 __platform_driver_register+0x20/0x30 init_module+0x20/0xfe4 do_one_initcall+0x184/0x464 do_init_module+0x58/0x1ec load_module+0xefc/0x10c8 __arm64_sys_finit_module+0x238/0x33c invoke_syscall+0x58/0x10c el0_svc_common+0xa8/0xdc do_el0_svc+0x1c/0x28 el0_svc+0x50/0xac el0t_64_sync_handler+0x70/0xbc el0t_64_sync+0x1a8/0x1ac Signed-off-by: Defa Li Link: https://lore.kernel.org/r/20241107132549.25439-1-defa.li@mediatek.com Signed-off-by: Alexandre Belloni commit 2b50719dd92f4ba8feccb4542e675060241a4d27 Author: Billy Tsai Date: Wed Nov 13 11:58:26 2024 +0800 i3c: mipi-i3c-hci: Support SETDASA CCC When the I3C subsystem wants to assign a dynamic address using the SETDASA CCC, it needs to attach the I3C device with device info that includes only the static address. In the HCI, if the driver want to send this SETDASA CCC, a DAT entry is required to temporarily fill the device's static address into the dynamic address field. Afterward, the reattach API will be executed to update the DAT with the correct dynamic addrees value. Signed-off-by: Billy Tsai Reviewed-by: Jarkko Nikula Link: https://lore.kernel.org/r/20241113035826.923918-1-billy_tsai@aspeedtech.com Signed-off-by: Alexandre Belloni commit 473d0cb485876b29b71da34a0ea4b36e496cb1ea Author: Shyam Sundar S K Date: Thu Nov 14 16:32:39 2024 +0530 i3c: dw: Add quirk to address OD/PP timing issue on AMD platform The AMD Legacy I3C is having a problem with its IP, specifically with the push-pull and open-drain pull-up registers. These registers need to be manually programmed for every CCC submission to align with the duty cycle. Therefore, add a quirk to address this issue. Reviewed-by: Jarkko Nikula Co-developed-by: Sanket Goswami Signed-off-by: Sanket Goswami Signed-off-by: Shyam Sundar S K Link: https://lore.kernel.org/r/20241114110239.660551-3-Shyam-sundar.S-k@amd.com Signed-off-by: Alexandre Belloni commit 0a0d851ce1bc3f0dc0cdfc429c3b0a9ed6e9272e Author: Shyam Sundar S K Date: Thu Nov 14 16:32:38 2024 +0530 i3c: dw: Add support for AMDI0015 ACPI ID Add AMDI0015 _HID for Designware I3C driver so that the dw-i3c-master driver can be probed on AMD platforms. Reviewed-by: Jarkko Nikula Signed-off-by: Shyam Sundar S K Link: https://lore.kernel.org/r/20241114110239.660551-2-Shyam-sundar.S-k@amd.com Signed-off-by: Alexandre Belloni commit 34767e5357fc8051b192ff3fd921ade7c1b37c46 Merge: a961ec4e2860af da115c4ee29f58 Author: Petr Mladek Date: Mon Nov 18 14:07:05 2024 +0100 Merge branch 'for-6.13-force-console' into for-linus commit d7ef9eeef0723cc47601923c508ecbebd864f0c0 Merge: ac60031f7988a9 a208f417582ffc Author: David S. Miller Date: Mon Nov 18 12:00:22 2024 +0000 Merge branch 'am65-cpsw-rx-dscp-prio-map' Roger Quadros says: ==================== net: ethernet: ti: am65-cpsw: enable DSCP to priority map for RX Configure default DSCP to User Priority mapping registers as per: https://datatracker.ietf.org/doc/html/rfc8325#section-4.3 and https://datatracker.ietf.org/doc/html/rfc8622#section-11 Also update Priority to Thread maping to be compliant with IEEE802.1Q-2014. Priority Code Point (PCP) 2 is higher priority than PCP 0 (Best Effort). PCP 1 (Background) is lower priority than PCP 0 (Best Effort). --- Changes in v4: - Updated default DSCP to User Priority mapping as per https://datatracker.ietf.org/doc/html/rfc8325#section-4.3 and https://datatracker.ietf.org/doc/html/rfc8622#section-11 - Link to v3: https://lore.kernel.org/r/20241109-am65-cpsw-multi-rx-dscp-v3-0-1cfb76928490@kernel.org Changes in v3: - Added Reviewed-by tag to patch 1 - Added macros for DSCP PRI field size and DSCP PRI per register - Drop unnecessary readl() in am65_cpsw_port_set_dscp_map() - Link to v2: https://lore.kernel.org/r/20241107-am65-cpsw-multi-rx-dscp-v2-0-9e9cd1920035@kernel.org Changes in v2: - Updated references to more recent standard IEEE802.1Q-2014. - Dropped reference to web link which might change in the future. - Typo fix in commit log. - Link to v1: https://lore.kernel.org/r/20241105-am65-cpsw-multi-rx-dscp-v1-0-38db85333c88@kernel.org ==================== Signed-off-by: Roger Quadros Signed-off-by: David S. Miller commit a208f417582ffc9e73d2e27a41d1d5c67528be5f Author: Roger Quadros Date: Thu Nov 14 15:36:53 2024 +0200 net: ethernet: ti: am65-cpsw: enable DSCP to priority map for RX AM65 CPSW hardware can map the 6-bit DSCP/TOS field to appropriate priority queue via DSCP to Priority mapping registers (CPSW_PN_RX_PRI_MAP_REG). Use a default DSCP to User Priority (UP) mapping as per https://datatracker.ietf.org/doc/html/rfc8325#section-4.3 and https://datatracker.ietf.org/doc/html/rfc8622#section-11 Signed-off-by: Roger Quadros Reviewed-by: Guillaume Nault Signed-off-by: David S. Miller commit 01a45daebb2e9c93e0704d9e1b5954c5c63c49c4 Author: Roger Quadros Date: Thu Nov 14 15:36:52 2024 +0200 net: ethernet: ti: am65-cpsw: update pri_thread_map as per IEEE802.1Q-2014 IEEE802.1Q-2014 supersedes IEEE802.1D-2004. Now Priority Code Point (PCP) 2 is no longer at a lower priority than PCP 0. PCP 1 (Background) is still at a lower priority than PCP 0 (Best Effort). Reference: IEEE802.1Q-2014, Standard for Local and metropolitan area networks Table I-2 - Traffic type acronyms Table I-3 - Defining traffic types Signed-off-by: Roger Quadros Reviewed-by: Siddharth Vadapalli Reviewed-by: Guillaume Nault Signed-off-by: David S. Miller commit ac60031f7988a9ff1a977afccb7f5e01da1bbc09 Merge: 296a681def3e10 1b29a730ef8b6f Author: David S. Miller Date: Mon Nov 18 11:56:21 2024 +0000 Merge branch 'udp-4tuple-hash' Philo Lu says: ==================== udp: Add 4-tuple hash for connected sockets This patchset introduces 4-tuple hash for connected udp sockets, to make connected udp lookup faster. Stress test results (with 1 cpu fully used) are shown below, in pps: (1) _un-connected_ socket as server [a] w/o hash4: 1,825176 [b] w/ hash4: 1,831750 (+0.36%) (2) 500 _connected_ sockets as server [c] w/o hash4: 290860 (only 16% of [a]) [d] w/ hash4: 1,889658 (+3.1% compared with [b]) With hash4, compute_score is skipped when lookup, so [d] is slightly better than [b]. Patch1: Add a new counter for hslot2 named hash4_cnt, to avoid cache line miss when lookup. Patch2: Add hslot/hlist_nulls for 4-tuple hash. Patch3 and 4: Implement 4-tuple hash for ipv4 and ipv6. The detailed motivation is described in Patch 3. The 4-tuple hash increases the size of udp_sock and udp_hslot. Thus add it with CONFIG_BASE_SMALL, i.e., it's a no op with CONFIG_BASE_SMALL. Intentionally, the feature is not available for udplite. Though udplite shares some structs and functions with udp, its connect() keeps unchanged. So all udplite sockets perform the same as un-connected udp sockets. Besides, udplite also shares the additional memory consumption in udp_sock and udptable. changelogs: v8 -> v9 (Paolo Abeni): - Add explanation about udplite in cover letter - Update tags for co-developers - Add acked-by tags of Paolo and Willem v7 -> v8: - add EXPORT_SYMBOL for ipv6.ko build v6 -> v7 (Kuniyuki Iwashima): - export udp_ehashfn to be used by udpv6 rehash v5 -> v6 (Paolo Abeni): - move udp_table_hash4_init from patch2 to patch1 - use hlist_nulls for lookup-rehash race - add test results in commit log - add more comment, e.g., for rehash4 used in hash4 - add ipv6 support (Patch4), and refactor some functions for better sharing, without functionality change v4 -> v5 (Paolo Abeni): - add CONFIG_BASE_SMALL with which udp hash4 does nothing v3 -> v4 (Willem de Bruijn): - fix mistakes in udp_pernet_table_alloc() RFCv2 -> v3 (Gur Stavi): - minor fix in udp_hashslot2() and udp_table_init() - add rcu sync in rehash4() RFCv1 -> RFCv2: - add a new struct for hslot2 - remove the sockopt UDP_HASH4 because it has little side effect for unconnected sockets - add rehash in connect() - re-organize the patch into 3 smaller ones - other minor fix v8: https://lore.kernel.org/all/20241108054836.123484-1-lulie@linux.alibaba.com/ v7: https://lore.kernel.org/all/20241105121225.12513-1-lulie@linux.alibaba.com/ v6: https://lore.kernel.org/all/20241031124550.20227-1-lulie@linux.alibaba.com/ v5: https://lore.kernel.org/all/20241018114535.35712-1-lulie@linux.alibaba.com/ v4: https://lore.kernel.org/all/20241012012918.70888-1-lulie@linux.alibaba.com/ v3: https://lore.kernel.org/all/20241010090351.79698-1-lulie@linux.alibaba.com/ RFCv2: https://lore.kernel.org/all/20240924110414.52618-1-lulie@linux.alibaba.com/ RFCv1: https://lore.kernel.org/all/20240913100941.8565-1-lulie@linux.alibaba.com/ ==================== Signed-off-by: David S. Miller commit 1b29a730ef8b6fd3aa3e11c2f6d409cf201cd913 Author: Philo Lu Date: Thu Nov 14 18:52:07 2024 +0800 ipv6/udp: Add 4-tuple hash for connected socket Implement ipv6 udp hash4 like that in ipv4. The major difference is that the hash value should be calculated with udp6_ehashfn(). Besides, ipv4-mapped ipv6 address is handled before hash() and rehash(). Export udp_ehashfn because now we use it in udpv6 rehash. Core procedures of hash/unhash/rehash are same as ipv4, and udpv4 and udpv6 share the same udptable, so some functions in ipv4 hash4 can also be shared. Co-developed-by: Cambda Zhu Signed-off-by: Cambda Zhu Co-developed-by: Fred Chen Signed-off-by: Fred Chen Co-developed-by: Yubing Qiu Signed-off-by: Yubing Qiu Signed-off-by: Philo Lu Acked-by: Willem de Bruijn Acked-by: Paolo Abeni Signed-off-by: David S. Miller commit 78c91ae2c6deb5d236a5a93ff2995cdd05514380 Author: Philo Lu Date: Thu Nov 14 18:52:06 2024 +0800 ipv4/udp: Add 4-tuple hash for connected socket Currently, the udp_table has two hash table, the port hash and portaddr hash. Usually for UDP servers, all sockets have the same local port and addr, so they are all on the same hash slot within a reuseport group. In some applications, UDP servers use connect() to manage clients. In particular, when firstly receiving from an unseen 4 tuple, a new socket is created and connect()ed to the remote addr:port, and then the fd is used exclusively by the client. Once there are connected sks in a reuseport group, udp has to score all sks in the same hash2 slot to find the best match. This could be inefficient with a large number of connections, resulting in high softirq overhead. To solve the problem, this patch implement 4-tuple hash for connected udp sockets. During connect(), hash4 slot is updated, as well as a corresponding counter, hash4_cnt, in hslot2. In __udp4_lib_lookup(), hslot4 will be searched firstly if the counter is non-zero. Otherwise, hslot2 is used like before. Note that only connected sockets enter this hash4 path, while un-connected ones are not affected. hlist_nulls is used for hash4, because we probably move to another hslot wrongly when lookup with concurrent rehash. Then we check nulls at the list end to see if we should restart lookup. Because udp does not use SLAB_TYPESAFE_BY_RCU, we don't need to touch sk_refcnt when lookup. Stress test results (with 1 cpu fully used) are shown below, in pps: (1) _un-connected_ socket as server [a] w/o hash4: 1,825176 [b] w/ hash4: 1,831750 (+0.36%) (2) 500 _connected_ sockets as server [c] w/o hash4: 290860 (only 16% of [a]) [d] w/ hash4: 1,889658 (+3.1% compared with [b]) With hash4, compute_score is skipped when lookup, so [d] is slightly better than [b]. Co-developed-by: Cambda Zhu Signed-off-by: Cambda Zhu Co-developed-by: Fred Chen Signed-off-by: Fred Chen Co-developed-by: Yubing Qiu Signed-off-by: Yubing Qiu Signed-off-by: Philo Lu Acked-by: Willem de Bruijn Acked-by: Paolo Abeni Signed-off-by: David S. Miller commit dab78a1745ab3c6001e1e4d50a9d09efef8e260d Author: Philo Lu Date: Thu Nov 14 18:52:05 2024 +0800 net/udp: Add 4-tuple hash list basis Add a new hash list, hash4, in udp table. It will be used to implement 4-tuple hash for connected udp sockets. This patch adds the hlist to table, and implements helpers and the initialization. 4-tuple hash is implemented in the following patch. hash4 uses hlist_nulls to avoid moving wrongly onto another hlist due to concurrent rehash, because rehash() can happen with lookup(). Co-developed-by: Cambda Zhu Signed-off-by: Cambda Zhu Co-developed-by: Fred Chen Signed-off-by: Fred Chen Co-developed-by: Yubing Qiu Signed-off-by: Yubing Qiu Signed-off-by: Philo Lu Acked-by: Willem de Bruijn Acked-by: Paolo Abeni Signed-off-by: David S. Miller commit accdd51dc74ff65b7b7be1961b11723d228fbbbd Author: Philo Lu Date: Thu Nov 14 18:52:04 2024 +0800 net/udp: Add a new struct for hash2 slot Preparing for udp 4-tuple hash (uhash4 for short). To implement uhash4 without cache line missing when lookup, hslot2 is used to record the number of hashed sockets in hslot4. Thus adding a new struct udp_hslot_main with field hash4_cnt, which is used by hash2. The new struct is used to avoid doubling the size of udp_hslot. Before uhash4 lookup, firstly checking hash4_cnt to see if there are hashed sks in hslot4. Because hslot2 is always used in lookup, there is no cache line miss. Related helpers are updated, and use the helpers as possible. uhash4 is implemented in following patches. Signed-off-by: Philo Lu Acked-by: Willem de Bruijn Acked-by: Paolo Abeni Signed-off-by: David S. Miller commit c6a2b4fcec5f2d80b0183fae1117f06127584c28 Author: Hans de Goede Date: Sat Nov 16 16:45:46 2024 +0100 platform/x86: p2sb: Cache correct PCI bar for P2SB on Gemini Lake Gemini Lake (Goldmont Plus) is an Apollo Lake (Goldmont) derived design and as such has the P2SB at device.function 13.0, rather then at the default 31.1, just like Apollo Lake. At a mapping to P2SB_DEVFN_GOLDMONT to p2sb_cpu_ids[] for Goldmont Plus, so that the correct PCI bar gets cached. This fixes P2SB unhiding not working on these devices, which fixes SPI support for the bootrom SPI controller not working. Fixes: 2841631a0365 ("platform/x86: p2sb: Allow p2sb_bar() calls during PCI device probe") Reviewed-by: Andy Shevchenko Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20241116154546.85761-1-hdegoede@redhat.com Reviewed-by: Ilpo Järvinen Signed-off-by: Ilpo Järvinen commit 296a681def3e105f8535c8b3cb0f37f22f710e62 Merge: 38f83a57aa8e64 a35672819f8d85 Author: David S. Miller Date: Mon Nov 18 11:52:49 2024 +0000 Merge tag 'ipsec-next-2024-11-15' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next Steffen Klassert says: ==================== ipsec-next-11-15 1) Add support for RFC 9611 per cpu xfrm state handling. 2) Add inbound and outbound xfrm state caches to speed up state lookups. 3) Convert xfrm to dscp_t. From Guillaume Nault. 4) Fix error handling in build_aevent. From Everest K.C. 5) Replace strncpy with strscpy_pad in copy_to_user_auth. From Daniel Yang. 6) Fix an uninitialized symbol during acquire state insertion. ==================== Signed-off-by: David S. Miller commit 5c7bebc1a3f0661db558d60e14dde27fc216d9dc Author: Yao Zi Date: Mon Nov 18 06:46:39 2024 +0000 platform/x86: panasonic-laptop: Return errno correctly in show callback When an error occurs in sysfs show callback, we should return the errno directly instead of formatting it as the result, which produces meaningless output and doesn't inform the userspace of the error. Fixes: 468f96bfa3a0 ("platform/x86: panasonic-laptop: Add support for battery charging threshold (eco mode)") Fixes: d5a81d8e864b ("platform/x86: panasonic-laptop: Add support for optical driver power in Y and W series") Signed-off-by: Yao Zi Reviewed-by: Hans de Goede Link: https://lore.kernel.org/r/20241118064637.61832-3-ziyao@disroot.org Reviewed-by: Ilpo Järvinen Signed-off-by: Ilpo Järvinen commit 72ad4ff638047bbbdf3232178fea4bec1f429319 Author: Mauro Carvalho Chehab Date: Mon Nov 18 07:05:54 2024 +0100 docs: media: update location of the media patches Due to recent changes on the way we're maintaining media, the location of the main tree was updated. Change docs accordingly. Cc: stable@vger.kernel.org Signed-off-by: Mauro Carvalho Chehab Reviewed-by: Hans Verkuil commit dc51b3cc9d4d2a04bdbfe34f7746fc9122cc3f49 Author: Mauro Carvalho Chehab Date: Mon Nov 18 07:04:18 2024 +0100 MAINTAINERS: update location of media main tree There were some recent changes on the way we're handling media patches. Now, the official tree is located at: https://git.linuxtv.org/media.git/ Update it at MAINTAINERS file. Cc: stable@vger.kernel.org Signed-off-by: Mauro Carvalho Chehab Reviewed-by: Hans Verkuil commit d1dfb5f52ffc4a142d88da5c0ed0514f3602c4b8 Author: Asahi Lina Date: Wed Nov 13 04:55:32 2024 +0900 virtiofs: dax: remove ->writepages() callback When using FUSE DAX with virtiofs, cache coherency is managed by the host. Disk persistence is handled via fsync() and friends, which are passed directly via the FUSE layer to the host. Therefore, there's no need to do dax_writeback_mapping_range(). All that ends up doing is a cache flush operation, which is not caught by KVM and doesn't do much, since the host and guest are already cache-coherent. Since dax_writeback_mapping_range() checks that the inode block size is equal to PAGE_SIZE, this fixes a spurious WARN when virtiofs is used with a mismatched guest PAGE_SIZE and virtiofs backing FS block size (this happens, for example, when it's a tmpfs and the host and guest have a different PAGE_SIZE). FUSE DAX does not require any particular FS block size, since it always performs DAX mappings in aligned 2MiB blocks. See discussion in [1]. [1] https://lore.kernel.org/lkml/20241101-dax-page-size-v1-1-eedbd0c6b08f@asahilina.net/T/#u [SzM: remove the empty callback] Suggested-by: Dan Williams Signed-off-by: Asahi Lina Acked-by: Dan Williams Signed-off-by: Miklos Szeredi commit 69eb56f69efb866c791cc87fd7bf62adf2ffcbb3 Author: Zhang Tianci Date: Mon Nov 18 18:16:00 2024 +0800 fuse: check attributes staleness on fuse_iget() Function fuse_direntplus_link() might call fuse_iget() to initialize a new fuse_inode and change its attributes. If fi->attr_version is always initialized with 0, even if the attributes returned by the FUSE_READDIR request is staled, as the new fi->attr_version is 0, fuse_change_attributes will still set the staled attributes to inode. This wrong behaviour may cause file size inconsistency even when there is no changes from server-side. To reproduce the issue, consider the following 2 programs (A and B) are running concurrently, A B ---------------------------------- -------------------------------- { /fusemnt/dir/f is a file path in a fuse mount, the size of f is 0. } readdir(/fusemnt/dir) start //Daemon set size 0 to f direntry fallocate(f, 1024) stat(f) // B see size 1024 echo 2 > /proc/sys/vm/drop_caches readdir(/fusemnt/dir) reply to kernel Kernel set 0 to the I_NEW inode stat(f) // B see size 0 In the above case, only program B is modifying the file size, however, B observes file size changing between the 2 'readonly' stat() calls. To fix this issue, we should make sure readdirplus still follows the rule of attr_version staleness checking even if the fi->attr_version is lost due to inode eviction. To identify this situation, the new fc->evict_ctr is used to record whether the eviction of inodes occurs during the readdirplus request processing. If it does, the result of readdirplus may be inaccurate; otherwise, the result of readdirplus can be trusted. Although this may still lead to incorrect invalidation, considering the relatively low frequency of evict occurrences, it should be acceptable. Link: https://lore.kernel.org/lkml/20230711043405.66256-2-zhangjiachen.jaycee@bytedance.com/ Link: https://lore.kernel.org/lkml/20241114070905.48901-1-zhangtianci.1997@bytedance.com/ Reported-by: Jiachen Zhang Suggested-by: Miklos Szeredi Signed-off-by: Zhang Tianci Signed-off-by: Miklos Szeredi commit fb1283bfa25e65c2d1e3c916b3d67af6609573e9 Author: Alexandre Belloni Date: Tue Nov 12 16:11:18 2024 +0100 rtc: ab-eoz9: fix abeoz9_rtc_read_alarm abeoz9_rtc_read_alarm assumes we always read the alarm in 12-hour mode while abeoz9_rtc_set_alarm will always set it in 24-hour mode. We could support 12-hour mode in both functions but it seems very unlikely that the RTC would be set to 12-hour mode now as the driver has been setting it to 24-hour mode for a while now. The setting is undefined at power-up and unchanged by subsequent resets which doesn't help us. Link: https://lore.kernel.org/r/20241112151119.3451611-1-alexandre.belloni@bootlin.com Signed-off-by: Alexandre Belloni commit bb3d498f013e8d31a774c9a8f363baf1eb16ea01 Author: Alexandre Belloni Date: Mon Nov 11 11:47:10 2024 +0100 rtc: rv3028: fix RV3028_TS_COUNT type Read RV3028_TS_COUNT in an unsigned int so static checkers stop reporting a mismatch between the format specifier and the type. Reported-by: Zhu Jun Link: https://lore.kernel.org/r/20241111104711.3170865-1-alexandre.belloni@bootlin.com Signed-off-by: Alexandre Belloni commit 1f7a0c64834484de5950dd85367ce7e483696442 Author: Wolfram Sang Date: Thu Nov 14 20:34:50 2024 +0100 rtc: rzn1: update Michel's email The Renesas address bounces, use the alternative one. Signed-off-by: Wolfram Sang Link: https://lore.kernel.org/r/20241114193450.13982-1-wsa+renesas@sang-engineering.com Signed-off-by: Alexandre Belloni commit 55727188dfa3572aecd946e58fab9e4a64f06894 Author: Wolfram Sang Date: Wed Nov 13 12:30:32 2024 +0100 rtc: rzn1: fix BCD to rtc_time conversion errors tm_mon describes months from 0 to 11, but the register contains BCD from 1 to 12. tm_year contains years since 1900, but the BCD contains 20XX. Apply the offsets when converting these numbers. Fixes: deeb4b5393e1 ("rtc: rzn1: Add new RTC driver") Signed-off-by: Wolfram Sang Reviewed-by: Miquel Raynal Link: https://lore.kernel.org/r/20241113113032.27409-1-wsa+renesas@sang-engineering.com Signed-off-by: Alexandre Belloni commit 0bc8061ffc733a0a246b8689b2d32a3e9204f43c Author: Gao Xiang Date: Sat Nov 16 01:36:51 2024 +0800 erofs: handle NONHEAD !delta[1] lclusters gracefully syzbot reported a WARNING in iomap_iter_done: iomap_fiemap+0x73b/0x9b0 fs/iomap/fiemap.c:80 ioctl_fiemap fs/ioctl.c:220 [inline] Generally, NONHEAD lclusters won't have delta[1]==0, except for crafted images and filesystems created by pre-1.0 mkfs versions. Previously, it would immediately bail out if delta[1]==0, which led to inadequate decompressed lengths (thus FIEMAP is impacted). Treat it as delta[1]=1 to work around these legacy mkfs versions. `lclusterbits > 14` is illegal for compact indexes, error out too. Reported-by: syzbot+6c0b301317aa0156f9eb@syzkaller.appspotmail.com Closes: https://lore.kernel.org/r/67373c0c.050a0220.2a2fcc.0079.GAE@google.com Tested-by: syzbot+6c0b301317aa0156f9eb@syzkaller.appspotmail.com Fixes: d95ae5e25326 ("erofs: add support for the full decompressed length") Fixes: 001b8ccd0650 ("erofs: fix compact 4B support for 16k block size") Signed-off-by: Gao Xiang Link: https://lore.kernel.org/r/20241115173651.3339514-1-hsiangkao@linux.alibaba.com commit b49c0215b176e9c2e0998e7929eeb9261c9a7919 Author: Gao Xiang Date: Fri Nov 15 15:46:25 2024 +0800 erofs: clarify direct I/O support Currently, only filesystems backed by block devices support direct I/O. Also remove the unnecessary strict checks that can be supported with iomap. Signed-off-by: Gao Xiang Link: https://lore.kernel.org/r/20241115074625.2520728-1-hsiangkao@linux.alibaba.com commit bae0854160939a64a092516ff1b2f221402b843b Author: Hongzhen Luo Date: Tue Oct 15 18:38:36 2024 +0800 erofs: fix blksize < PAGE_SIZE for file-backed mounts Adjust sb->s_blocksize{,_bits} directly for file-backed mounts when the fs block size is smaller than PAGE_SIZE. Previously, EROFS used sb_set_blocksize(), which caused a panic if bdev-backed mounts is not used. Fixes: fb176750266a ("erofs: add file-backed mount support") Signed-off-by: Hongzhen Luo Link: https://lore.kernel.org/r/20241015103836.3757438-1-hongzhen@linux.alibaba.com Signed-off-by: Gao Xiang commit ec4f59d1a99de86e5c14cf97946e94d5cef98ab0 Author: Gao Xiang Date: Thu Nov 14 17:58:13 2024 +0800 erofs: get rid of `buf->kmap_type` After commit 927e5010ff5b ("erofs: use kmap_local_page() only for erofs_bread()"), `buf->kmap_type` actually has no use at all. Let's get rid of `buf->kmap_type` now. Suggested-by: Al Viro Signed-off-by: Gao Xiang Link: https://lore.kernel.org/r/20241114095813.839866-1-hsiangkao@linux.alibaba.com commit 3a23787ca8756920d65fda39f41353a4be1d1642 Author: Gao Xiang Date: Fri Nov 15 07:49:05 2024 +0800 erofs: fix file-backed mounts over FUSE syzbot reported a null-ptr-deref in fuse_read_args_fill: fuse_read_folio+0xb0/0x100 fs/fuse/file.c:905 filemap_read_folio+0xc6/0x2a0 mm/filemap.c:2367 do_read_cache_folio+0x263/0x5c0 mm/filemap.c:3825 read_mapping_folio include/linux/pagemap.h:1011 [inline] erofs_bread+0x34d/0x7e0 fs/erofs/data.c:41 erofs_read_superblock fs/erofs/super.c:281 [inline] erofs_fc_fill_super+0x2b9/0x2500 fs/erofs/super.c:625 Unlike most filesystems, some network filesystems and FUSE need unavoidable valid `file` pointers for their read I/Os [1]. Anyway, those use cases need to be supported too. [1] https://docs.kernel.org/filesystems/vfs.html Reported-by: syzbot+0b1279812c46e48bb0c1@syzkaller.appspotmail.com Closes: https://lore.kernel.org/r/6727bbdf.050a0220.3c8d68.0a7e.GAE@google.com Fixes: fb176750266a ("erofs: add file-backed mount support") Tested-by: syzbot+0b1279812c46e48bb0c1@syzkaller.appspotmail.com Signed-off-by: Gao Xiang Link: https://lore.kernel.org/r/20241114234905.1873723-1-hsiangkao@linux.alibaba.com commit 90655ee279b299c33dc51be87787b54222d3d2fb Author: Gou Hao Date: Thu Nov 14 09:32:47 2024 +0800 erofs: simplify definition of the log functions Use printk instead of pr_info/err to reduce redundant code. Signed-off-by: Gou Hao Reviewed-by: Gao Xiang Link: https://lore.kernel.org/r/20241114013247.30821-1-gouhao@uniontech.com Signed-off-by: Gao Xiang commit db80b98305f73ca83891e4228ead5f0324118b00 Author: Chunhai Guo Date: Tue Nov 12 21:11:48 2024 -0700 erofs: add sysfs node to drop internal caches Add a sysfs node to drop compression-related caches, currently used to drop in-memory pclusters and cached compressed folios. Signed-off-by: Chunhai Guo Reviewed-by: Gao Xiang Link: https://lore.kernel.org/r/20241113041148.749129-1-guochunhai@vivo.com Signed-off-by: Gao Xiang commit f5ad9f9a603f829d11ca31a0a4049e16091e8c13 Author: Chunhai Guo Date: Mon Nov 11 21:32:35 2024 -0700 erofs: free pclusters if no cached folio is attached Once a pcluster is fully decompressed and there are no attached cached folios, its corresponding `struct z_erofs_pcluster` will be freed. This will significantly reduce the frequency of calls to erofs_shrink_scan() and the memory allocated for `struct z_erofs_pcluster`. The tables below show approximately a 96% reduction in the calls to erofs_shrink_scan() and in the memory allocated for `struct z_erofs_pcluster` after applying this patch. The results were obtained by performing a test to copy a 4.1GB partition on ARM64 Android devices running the 6.6 kernel with an 8-core CPU and 12GB of memory. 1. The reduction in calls to erofs_shrink_scan(): +-----------------+-----------+----------+---------+ | | w/o patch | w/ patch | diff | +-----------------+-----------+----------+---------+ | Average (times) | 11390 | 390 | -96.57% | +-----------------+-----------+----------+---------+ 2. The reduction in memory released by erofs_shrink_scan(): +-----------------+-----------+----------+---------+ | | w/o patch | w/ patch | diff | +-----------------+-----------+----------+---------+ | Average (Byte) | 133612656 | 4434552 | -96.68% | +-----------------+-----------+----------+---------+ Signed-off-by: Chunhai Guo Reviewed-by: Gao Xiang Link: https://lore.kernel.org/r/20241112043235.546164-1-guochunhai@vivo.com Signed-off-by: Gao Xiang commit bf1aa03980f4eb1599b866ccd2c4ac577ef56a8a Author: Gao Xiang Date: Mon Oct 21 11:53:23 2024 +0800 erofs: sunset `struct erofs_workgroup` `struct erofs_workgroup` was introduced to provide a unique header for all physically indexed objects. However, after big pclusters and shared pclusters are implemented upstream, it seems that all EROFS encoded data (which requires transformation) can be represented with `struct z_erofs_pcluster` directly. Move all members into `struct z_erofs_pcluster` for simplicity. Reviewed-by: Chao Yu Signed-off-by: Gao Xiang Link: https://lore.kernel.org/r/20241021035323.3280682-3-hsiangkao@linux.alibaba.com commit 9c91f959626e6d9f460b8906e27c37fca1b6456a Author: Gao Xiang Date: Mon Oct 21 11:53:22 2024 +0800 erofs: move erofs_workgroup operations into zdata.c Move related helpers into zdata.c as an intermediate step of getting rid of `struct erofs_workgroup`, and rename: erofs_workgroup_put => z_erofs_put_pcluster erofs_workgroup_get => z_erofs_get_pcluster erofs_try_to_release_workgroup => erofs_try_to_release_pcluster erofs_shrink_workstation => z_erofs_shrink_scan Reviewed-by: Chao Yu Signed-off-by: Gao Xiang Link: https://lore.kernel.org/r/20241021035323.3280682-2-hsiangkao@linux.alibaba.com commit b091e8ed24b7965953147a389bac1dc7c3e8a11c Author: Gao Xiang Date: Mon Oct 21 11:53:21 2024 +0800 erofs: get rid of erofs_{find,insert}_workgroup Just fold them into the only two callers since they are simple enough. Reviewed-by: Chao Yu Signed-off-by: Gao Xiang Link: https://lore.kernel.org/r/20241021035323.3280682-1-hsiangkao@linux.alibaba.com commit bef29ca3a6458582ac13320d47bf2646e5734dc8 Author: Lars-Peter Clausen Date: Wed Nov 13 08:29:39 2024 -0800 gpio: tegra186: Allow to enable driver on Tegra234 Support for Tegra234 was added to the tegra186 driver in 1db9b241bb56 ( "gpio: tegra186: Add support for Tegra234"). But the driver is not selectable on Tegra234. Update the Kconfig entry to allow the driver to be enabled on Tegra234. Enable the driver by default on Tegra 234 as well, similar to the other platforms it supports. Signed-off-by: Lars-Peter Clausen Acked-by: Linus Walleij Link: https://lore.kernel.org/r/20241113162939.886242-1-lars@metafoo.de Signed-off-by: Bartosz Golaszewski commit 050b23d081da0f29474de043e9538c1f7a351b3b Author: Charles Han Date: Thu Nov 14 17:18:22 2024 +0800 gpio: grgpio: Add NULL check in grgpio_probe devm_kasprintf() can return a NULL pointer on failure,but this returned value in grgpio_probe is not checked. Add NULL check in grgpio_probe, to handle kernel NULL pointer dereference error. Cc: stable@vger.kernel.org Fixes: 7eb6ce2f2723 ("gpio: Convert to using %pOF instead of full_name") Signed-off-by: Charles Han Link: https://lore.kernel.org/r/20241114091822.78199-1-hanchunchao@inspur.com Signed-off-by: Bartosz Golaszewski commit 1b38da0115598e30cc7cdd84761fc427c18b281f Merge: e14232afa94445 1164f23fbb5086 Author: Borislav Petkov (AMD) Date: Mon Nov 18 11:33:23 2024 +0100 Merge branch 'edac-misc' into edac-updates * edac-misc: MAINTAINERS: Change FSL DDR EDAC maintainership RAS/AMD/ATL: Add debug prints for DF register reads EDAC/bluefield: Use Arm SMC for EMI access on BlueField-2 EDAC/bluefield: Fix potential integer overflow EDAC/igen6: Add Intel Panther Lake-H SoCs support Signed-off-by: Borislav Petkov (AMD) commit b6370b338e71cf24c61e33880b8f1a0dd5ad0a44 Author: Koakuma Date: Thu Aug 8 09:05:00 2024 +0700 sparc/vdso: Add helper function for 64-bit right shift on 32-bit target Add helper function for 64-bit right shift on 32-bit target so that clang does not emit a runtime library call. Signed-off-by: Koakuma Reviewed-by: Andreas Larsson Link: https://lore.kernel.org/r/20240808-sparc-shr64-v2-1-fd18f1b2cea9@protonmail.com Signed-off-by: Andreas Larsson commit 1b3073291ddbe23fede7e0dd1b6f5635e370f8ba Merge: 48730a9d04ffcc 1922bc245541bd Author: Wolfram Sang Date: Mon Nov 18 08:35:47 2024 +0100 Merge tag 'i2c-host-6.13-p1' of git://git.kernel.org/pub/scm/linux/kernel/git/andi.shyti/linux into i2c/for-mergewindow i2c-host updates for v6.13, part 1 Major Improvements and Refactoring: - All controllers using the 'remove_new' callback have been reverted to use the 'remove' callback. - Intel SCH controller underwent significant refactoring, this brings love and a modern look to the driver. - PIIX4 driver refactored to enable usage by other drivers (e.g., AMD ASF). - iMX/MXC improved message handling to reduce protocol overhead: Refactored DMA/non-DMA read/write and bus polling mechanisms to achieve this. - ACPI documentation for PIIX4. New Features: - i2c-cadence added support for atomic transfers. - Qualcomm CII added support for a 32MHz serial engine clock. Deprecated Features: - Dropped outdated support for AMD756 S4882 and NFORCE2 S4985. If somebody misses this, Jean will rewrite support using the proper i2c mux framework. New Hardware Support: - Added support for: - Intel Panther Lake (new ID) - AMD ASF (new driver) - S32G2/S32G3 SoCs (new ID) - Realtek RTL I2C Controller (new driver) - HJMC01 DesignWare ACPI HID (new ID) - PIC64GX to Microchip Core (new ID) - Qualcomm SDM670 to Qualcomm CCI (new ID) commit 5e02c393b7fdb7e43a06acb22e71665f0d901335 Author: Hans de Goede Date: Sat Nov 16 12:38:55 2024 +0100 media: MAINTAINERS: Add Hans de Goede as USB VIDEO CLASS co-maintainer Add myself as co-maintainer for the UVC driver. Link: https://lore.kernel.org/linux-media/20241116113855.50976-1-hdegoede@redhat.com Signed-off-by: Hans de Goede Acked-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab commit 5df30684415d5a902f23862ab5bbed2a2df7fbf1 Author: Konrad Dybcio Date: Sat Nov 16 12:31:18 2024 +0100 arm64: dts: qcom: sc8180x: Add a SoC-specific compatible to cpufreq-hw Comply with bindings guidelines and get rid of errors such as: cpufreq@18323000: compatible: 'oneOf' conditional failed, one must be fixed: ['qcom,cpufreq-hw'] is too short Fixes: 8575f197b077 ("arm64: dts: qcom: Introduce the SC8180x platform") Signed-off-by: Konrad Dybcio Reviewed-by: Dmitry Baryshkov Signed-off-by: Viresh Kumar commit b1c48de36ba65504b616cd567ef62dad07760fb1 Author: Konrad Dybcio Date: Sat Nov 16 12:31:17 2024 +0100 dt-bindings: cpufreq: cpufreq-qcom-hw: Add SC8180X compatible Add a SoC-specific compatible for SC8180X. It has 2 domains and uses the older, non-EPSS hardware. Signed-off-by: Konrad Dybcio Signed-off-by: Viresh Kumar commit 343d7fe6df9e247671440a932b6a73af4fa86d95 Author: Paulo Alcantara Date: Mon Nov 11 10:40:55 2024 -0300 smb: client: fix use-after-free of signing key Customers have reported use-after-free in @ses->auth_key.response with SMB2.1 + sign mounts which occurs due to following race: task A task B cifs_mount() dfs_mount_share() get_session() cifs_mount_get_session() cifs_send_recv() cifs_get_smb_ses() compound_send_recv() cifs_setup_session() smb2_setup_request() kfree_sensitive() smb2_calc_signature() crypto_shash_setkey() *UAF* Fix this by ensuring that we have a valid @ses->auth_key.response by checking whether @ses->ses_status is SES_GOOD or SES_EXITING with @ses->ses_lock held. After commit 24a9799aa8ef ("smb: client: fix UAF in smb2_reconnect_server()"), we made sure to call ->logoff() only when @ses was known to be good (e.g. valid ->auth_key.response), so it's safe to access signing key when @ses->ses_status == SES_EXITING. Cc: stable@vger.kernel.org Reported-by: Jay Shin Signed-off-by: Paulo Alcantara (Red Hat) Signed-off-by: Steve French commit 7460bf441656cebc2636189ab9ba9a65a0a8ab86 Author: Thorsten Blum Date: Tue Nov 12 11:58:38 2024 +0100 smb: client: Use str_yes_no() helper function Remove hard-coded strings by using the str_yes_no() helper function. Signed-off-by: Thorsten Blum Signed-off-by: Steve French commit f69b0187f8745a7a9584f6b13f5e792594b88b2e Author: Kees Cook Date: Sun Nov 17 03:32:09 2024 -0800 smb: client: memcpy() with surrounding object base address Like commit f1f047bd7ce0 ("smb: client: Fix -Wstringop-overflow issues"), adjust the memcpy() destination address to be based off the surrounding object rather than based off the 4-byte "Protocol" member. This avoids a build-time warning when compiling under CONFIG_FORTIFY_SOURCE with GCC 15: In function 'fortify_memcpy_chk', inlined from 'CIFSSMBSetPathInfo' at ../fs/smb/client/cifssmb.c:5358:2: ../include/linux/fortify-string.h:571:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning] 571 | __write_overflow_field(p_size_field, size); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Signed-off-by: Kees Cook Reviewed-by: Gustavo A. R. Silva Signed-off-by: Steve French commit 6c9903c330ab91d83b7be6102847e5eabf81b710 Author: Dr. David Alan Gilbert Date: Mon Oct 7 22:02:14 2024 +0100 cifs: Remove pre-historic unused CIFSSMBCopy CIFSSMBCopy() is unused, remove it. It seems to have been that way pre-git; looking in a historic archive, I think it landed around May 2004 in Linus' BKrev: 40ab7591J_OgkpHW-qhzZukvAUAw9g and was unused back then. Signed-off-by: Dr. David Alan Gilbert Acked-by: Tom Talpey Signed-off-by: Steve French commit a163b895077861598be48c1cf7f4a88413c28b22 Merge: ade5add00da20d 6d9f9115c091c8 Author: Dave Airlie Date: Mon Nov 18 13:38:42 2024 +1000 Merge tag 'drm-xe-next-fixes-2024-11-15' of https://gitlab.freedesktop.org/drm/xe/kernel into drm-next Driver Changes: - Fix a NULL pointer deref (Everest K.C.) Signed-off-by: Dave Airlie From: Thomas Hellstrom Link: https://patchwork.freedesktop.org/patch/msgid/ZzcsMT_FEqBE0cAW@fedora commit ade5add00da20de40f63d097345bddea24d924f4 Merge: 56b70bf9ec460a 447a54a0f79c9a Author: Dave Airlie Date: Mon Nov 18 12:36:34 2024 +1000 Merge tag 'amd-drm-next-6.13-2024-11-15' of https://gitlab.freedesktop.org/agd5f/linux into drm-next amd-drm-next-6.13-2024-11-15: amdgpu: - Parition fixes - GFX 12 fixes - SR-IOV fixes - MES fixes - RAS fixes - GC queue handling fixes - VCN fixes - Add sysfs reset masks - Better error messages for P2P failurs - SMU fixes - Documentation updates - GFX11 enforce isolation updates - Display HPD fixes - PSR fixes - Panel replay fixes - DP MST fixes - USB4 fixes - Misc display fixes and cleanups - VRAM handling fix for APUs - NBIO fix amdkfd: - INIT_WORK fix - Refcount fix - KFD MES scheduling fixes drm/fourcc: - Add missing tiling mode Signed-off-by: Dave Airlie From: Alex Deucher Link: https://patchwork.freedesktop.org/patch/msgid/20241115165012.573465-1-alexander.deucher@amd.com commit 6bc0ebfb1d920f13c522545f114cdabb49e9408a Author: Johan Hovold Date: Fri Oct 25 14:16:22 2024 +0200 pinctrl: qcom: spmi: fix debugfs drive strength Commit 723e8462a4fe ("pinctrl: qcom: spmi-gpio: Fix the GPIO strength mapping") fixed a long-standing issue in the Qualcomm SPMI PMIC gpio driver which had the 'low' and 'high' drive strength settings switched but failed to update the debugfs interface which still gets this wrong. Fix the debugfs code so that the exported values match the hardware settings. Note that this probably means that most devicetrees that try to describe the firmware settings got this wrong if the settings were derived from debugfs. Before the above mentioned commit the settings would have actually matched the firmware settings even if they were described incorrectly, but now they are inverted. Fixes: 723e8462a4fe ("pinctrl: qcom: spmi-gpio: Fix the GPIO strength mapping") Fixes: eadff3024472 ("pinctrl: Qualcomm SPMI PMIC GPIO pin controller driver") Cc: Anjelique Melendez Cc: stable@vger.kernel.org # 3.19 Signed-off-by: Johan Hovold Reviewed-by: Konrad Dybcio Link: https://lore.kernel.org/20241025121622.1496-1-johan+linaro@kernel.org Signed-off-by: Linus Walleij commit d6eb09fb46707a060209f077abede8c0e2c21b73 Author: Namjae Jeon Date: Wed Nov 13 08:49:44 2024 +0900 ksmbd: fix malformed unsupported smb1 negotiate response When mounting with vers=1.0, ksmbd should return unsupported smb1 negotiate response. But this response is malformed. [ 6010.586702] CIFS: VFS: Bad protocol string signature header 0x25000000 [ 6010.586708] 00000000: 25000000 25000000 424d53ff 00000072 ...%...%.SMBr... [ 6010.586711] 00000010: c8408000 00000000 00000000 00000000 ..@............. [ 6010.586713] 00000020: 00 00 b9 32 00 00 01 00 01 ...2..... Signed-off-by: Namjae Jeon Signed-off-by: Steve French commit a652958888fb1ada3e4f6b548576c2d2c1b60d66 Author: Pavel Begunkov Date: Sun Nov 17 00:38:33 2024 +0000 io_uring/region: fix error codes after failed vmap io_create_region() jumps after a vmap failure without setting the return code, it could be 0 or just uninitialised. Fixes: dfbbfbf191878 ("io_uring: introduce concept of memory regions") Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/0abac19dbf81c061cffaa9534a2471ed5460ad3e.1731803848.git.asml.silence@gmail.com Signed-off-by: Jens Axboe commit 1922bc245541bd08e3282d8199c8ac703e366111 Author: Konstantin Aladyshev Date: Mon Nov 11 17:02:31 2024 +0300 docs: i2c: piix4: Add ACPI section Provide information how to reference I2C busses created by the PIIX4 chip driver from the ACPI code. Signed-off-by: Konstantin Aladyshev Reviewed-by: Andy Shevchenko Reviewed-by: Bagas Sanjaya Signed-off-by: Andi Shyti commit c366be720235301fdadf67e6f1ea6ff32669c074 Author: Chris Packham Date: Wed Nov 6 13:18:35 2024 +1300 i2c: Add driver for the RTL9300 I2C controller Add support for the I2C controller on the RTL9300 SoC. There are two I2C controllers in the RTL9300 that are part of the Ethernet switch register block. Each of these controllers owns a SCL pin (GPIO8 for the fiorst I2C controller, GPIO17 for the second). There are 8 possible SDA pins (GPIO9-16) that can be assigned to either I2C controller. This relationship is represented in the device tree with a child node for each SDA line in use. This is based on the openwrt implementation[1] but has been significantly modified [1] - https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob;f=target/linux/realtek/files-5.15/drivers/i2c/busses/i2c-rtl9300.c Signed-off-by: Chris Packham Reviewed-by: Andi Shyti Signed-off-by: Andi Shyti commit b641af684fc28a07bee9c808eb6c433f9d9bcec6 Author: Vladimir Zapolskiy Date: Thu Oct 31 13:30:43 2024 +0200 i2c: qcom-cci: Remove unused struct member cci_clk_rate The removal of the supply clock rate check implies a need to remove some unnecessary left-over data from the driver as well. Signed-off-by: Vladimir Zapolskiy Signed-off-by: Andi Shyti commit c5eda0333076e031197816454998a918f1de0831 Author: Chris Packham Date: Fri Nov 1 09:03:46 2024 +1300 dt-bindings: i2c: Add Realtek RTL I2C Controller Add dt-schema for the I2C controller on the RTL9300 Ethernet switch with integrated SoC. Signed-off-by: Chris Packham Reviewed-by: Krzysztof Kozlowski Signed-off-by: Andi Shyti commit 51616b0c4db5903c61936f6c1830fab526d08aa4 Author: Andy Shevchenko Date: Mon Nov 4 12:39:14 2024 +0200 i2c: busses: Use *-y instead of *-objs in Makefile *-objs suffix is reserved rather for (user-space) host programs while usually *-y suffix is used for kernel drivers (although *-objs works for that purpose for now). Let's correct the old usages of *-objs in Makefiles. While at it, fix an obvious typo in help section of the Kconfig. Signed-off-by: Andy Shevchenko Signed-off-by: Andi Shyti commit 311499ee56bf120722a56981caeba14ce829bd1a Author: Ciprian Marian Costea Date: Mon Nov 4 12:00:44 2024 +0200 i2c: imx: add support for S32G2/S32G3 SoCs Some S32G2/S32G3 SoC I2C particularities exist such as different pairs. Those are addressed by adding specific S32G2 and S32G3 compatible strings. Co-developed-by: Ionut Vicovan Signed-off-by: Ionut Vicovan Signed-off-by: Ciprian Marian Costea Reviewed-by: Frank Li Signed-off-by: Andi Shyti commit f3ed495940de0b1d766bd0f9a470f5241a422960 Author: Ciprian Marian Costea Date: Mon Nov 4 12:00:43 2024 +0200 dt-bindings: i2c: imx: add SoC specific compatible strings for S32G S32G2 and S32G3 SoCs use the same I2C controller as i.MX. But there are small differences such as specific pairs. So add new compatible strings 'nxp,s32g2-i2c'and 'nxp,s32g3-i2c' for S32G2/S32G3 Socs. Signed-off-by: Ciprian Marian Costea Reviewed-by: Frank Li Acked-by: Conor Dooley Signed-off-by: Andi Shyti commit b88c79699d72caa947ecaae85839b3563662ccce Author: Jiapeng Chong Date: Thu Oct 31 17:53:39 2024 +0800 i2c: qcom-cci: Remove the unused variable cci_clk_rate Variable cci_clk_rate is not effectively used, so delete it. drivers/i2c/busses/i2c-qcom-cci.c:526:16: warning: variable ‘cci_clk_rate’ set but not used. Reported-by: Abaci Robot Closes: https://bugzilla.openanolis.cn/show_bug.cgi?id=11532 Fixes: 8284750a1829 ("i2c: qcom-cci: Stop complaining about DT set clock rate") Signed-off-by: Jiapeng Chong Reviewed-by: Dmitry Baryshkov Reviewed-by: Vladimir Zapolskiy Signed-off-by: Andi Shyti commit b7ef4e0b1fb548e166303cb6c16580e6ccffa2bb Author: Jean Delvare Date: Tue Oct 22 12:00:27 2024 +0200 i2c: Drop legacy muxing pseudo-drivers The i2c-amd756-s4882 and i2c-nforce2-s4985 muxing pseudo-drivers were written at a time when the i2c core did not support muxing. They are essentially board-specific hacks. If we had to add support for these boards today, we would implement it in a completely different way. These Tyan server boards are 19 years old by now, so I very much doubt any of these is still running today. So let's just drop this clumsy code. If anyone really still needs this support and complains, I'll rewrite it in a proper way on top of i2c-mux. This also fixes the following warnings: drivers/i2c/busses/i2c-amd756.c:286:20: warning: symbol 'amd756_smbus' was not declared. Should it be static? drivers/i2c/busses/i2c-nforce2.c:123:20: warning: symbol 'nforce2_smbus' was not declared. Should it be static? Signed-off-by: Jean Delvare Cc: Andi Shyti Cc: Nick Desaulniers Acked-by: Wolfram Sang Signed-off-by: Andi Shyti commit 5f5c2d4579ca6836f5604cca979debd68ecfe23f Author: Stefan Eichenberger Date: Mon Oct 14 15:15:14 2024 +0200 i2c: imx: prevent rescheduling in non dma mode We are experiencing a problem with the i.MX I2C controller when communicating with SMBus devices. We are seeing devices time-out because the time between sending/receiving two bytes is too long, and the SMBus device returns to the idle state. This happens because the i.MX I2C controller sends and receives byte by byte. When a byte is sent or received, we get an interrupt and can send or receive the next byte. The current implementation sends a byte and then waits for an event generated by the interrupt subroutine. After the event is received, the next byte is sent and we wait again. This waiting allows the scheduler to reschedule other tasks, with the disadvantage that we may not send the next byte for a long time because the send task is not immediately scheduled. For example, if the rescheduling takes more than 25ms, this can cause SMBus devices to timeout and communication to fail. This patch changes the behavior so that we do not reschedule the send/receive task, but instead send or receive the next byte in the interrupt subroutine. This prevents rescheduling and drastically reduces the time between sending/receiving bytes. The cost in the interrupt subroutine is relatively small, we check what state we are in and then send/receive the next byte. Before we had to call wake_up, which is even less expensive. However, we also had to do some scheduling, which increased the overall cost compared to the new solution. The wake_up function to wake up the send/receive task is now only called when an error occurs or when the transfer is complete. Signed-off-by: Stefan Eichenberger Acked-by: Oleksij Rempel Signed-off-by: Andi Shyti commit b460b15b3cc23ef3639cc51043bf8b2a70ca1878 Author: Stefan Eichenberger Date: Mon Oct 14 15:15:13 2024 +0200 i2c: imx: separate atomic, dma and non-dma use case Separate the atomic, dma and non-dma use case as a preparation step for moving the non-dma use case to the isr to avoid rescheduling while a transfer is in progress. Signed-off-by: Stefan Eichenberger Reviewed-by: Frank Li Acked-by: Oleksij Rempel Signed-off-by: Andi Shyti commit 6692694aca86ddf6831e2be86e5089258c2789bf Author: Stefan Eichenberger Date: Mon Oct 14 15:15:12 2024 +0200 i2c: imx: do not poll for bus busy in single master mode According to the i.MX8M Mini reference manual chapter "16.1.4.2 Generation of Start" it is only necessary to poll for bus busy and arbitration lost in multi master mode. This helps to avoid rescheduling while the i2c bus is busy and avoids SMBus devices to timeout. For backward compatibility, the single-master property needs to be explicitly set to disable the bus busy polling. Signed-off-by: Stefan Eichenberger Reviewed-by: Frank Li Acked-by: Oleksij Rempel Signed-off-by: Andi Shyti commit 6816ce57c479653122145793bb45ff58e0805a56 Author: Hunter Yu Date: Thu Sep 26 10:40:06 2024 +0800 i2c: designware: Add a new ACPI HID for HJMC01 I2C controller Define a new ACPI HID for HJMC01 Signed-off-by: Hunter Yu Acked-by: Jarkko Nikula Reviewed-by: Andy Shevchenko Signed-off-by: Andi Shyti commit e586685c38b3278fbdbcb39f963687c9610f76fc Author: Wolfram Sang Date: Tue Oct 1 15:36:20 2024 +0200 i2c: qcom-geni: Keep comment why interrupts start disabled The to-be-fixed commit rightfully reduced a race window, but also removed a comment which is still helpful after the fix. Bring the comment back. Signed-off-by: Wolfram Sang Reviewed-by: Bjorn Andersson Signed-off-by: Andi Shyti commit fff8b0eda23276f1197e0787ee4726c6e6b8a057 Author: Pierre-Henry Moussay Date: Mon Sep 30 10:54:39 2024 +0100 dt-bindings: i2c: microchip: corei2c: Add PIC64GX as compatible with driver PIC64GX i2c is compatible with the microchip corei2c, just add fallback Signed-off-by: Pierre-Henry Moussay Acked-by: Conor Dooley Signed-off-by: Andi Shyti commit 1953ebef60f695a048d81fe4232d5d187e5fb59a Author: Raag Jadav Date: Mon Jan 22 09:01:07 2024 +0530 i2c: designware: constify abort_sources We never modify abort_sources, mark it as const. Signed-off-by: Raag Jadav Acked-by: Jarkko Nikula Signed-off-by: Andi Shyti commit 32a0a94aa09e7095fccec1ffc969911f492cc7b9 Author: Uwe Kleine-König Date: Sun Sep 29 09:21:57 2024 +0200 i2c: Switch back to struct platform_driver::remove() After commit 0edb555a65d1 ("platform: Make platform_driver::remove() return void") .remove() is (again) the right callback to implement for platform drivers. Convert all platform drivers below drivers/i2c to use .remove(), with the eventual goal to drop struct platform_driver::remove_new(). As .remove() and .remove_new() have the same prototypes, conversion is done by just changing the structure member name in the driver initializer. Signed-off-by: Uwe Kleine-König Signed-off-by: Andi Shyti commit 506bb2ab00753a59c8a63b02e898098815dc3141 Author: Manikanta Mylavarapu Date: Mon Sep 30 20:17:09 2024 +0530 i2c: qcom-geni: Support systems with 32MHz serial engine clock In existing socs, I2C serial engine is sourced from XO (19.2MHz). Where as in IPQ5424, I2C serial engine is sourced from GPLL0 (32MHz). The existing map table is based on 19.2MHz. This patch incorporates the clock map table to derive the SCL clock from the 32MHz source clock frequency. Signed-off-by: Manikanta Mylavarapu Reviewed-by: Bjorn Andersson Signed-off-by: Andi Shyti commit 8284750a182937bf805f703311501730f02eb40e Author: Bryan O'Donoghue Date: Mon Sep 30 22:35:24 2024 -0400 i2c: qcom-cci: Stop complaining about DT set clock rate It is common practice in the downstream and upstream CCI dt to set CCI clock rates to 19.2 MHz. It appears to be fairly common for initial code to set the CCI clock rate to 37.5 MHz. Applying the widely used CCI clock rates from downstream ought not to cause warning messages in the upstream kernel where our general policy is to usually copy downstream hardware clock rates across the range of Qualcomm drivers. Drop the warning it is pervasive across CAMSS users but doesn't add any information or warrant any changes to the DT to align the DT clock rate to the bootloader clock rate. Signed-off-by: Bryan O'Donoghue Reviewed-by: Vladimir Zapolskiy Link: https://lore.kernel.org/linux-arm-msm/20240824115900.40702-1-bryan.odonoghue@linaro.org Signed-off-by: Richard Acayan Signed-off-by: Andi Shyti commit 5110445332f1e25a0dc200e38066966e385aa3fd Author: Richard Acayan Date: Mon Sep 30 22:35:23 2024 -0400 dt-bindings: i2c: qcom-cci: Document SDM670 compatible The CCI on the Snapdragon 670 is the interface for controlling camera hardware over I2C. Add the compatible so it can be added to the SDM670 device tree. Signed-off-by: Richard Acayan Reviewed-by: Vladimir Zapolskiy Reviewed-by: Krzysztof Kozlowski Signed-off-by: Andi Shyti commit b0118105725eb30a96102d135dafcb94956b05bf Author: Tyrone Ting Date: Tue Oct 1 14:28:51 2024 +0800 i2c: npcm: use a software flag to indicate a BER condition If not clearing the BB (bus busy) condition in the BER (bus error) interrupt, the driver causes a timeout and hence the i2c core doesn't do the i2c transfer retry but returns the driver's return value to the upper layer instead. Clear the BB condition in the BER interrupt and a software flag is used. The driver does an i2c recovery without causing the timeout if the flag is set. Signed-off-by: Tyrone Ting Reviewed-by: Tali Perry Signed-off-by: Andi Shyti commit e365422cef1ca2c964e25d26536120aab17991e2 Author: Tyrone Ting Date: Tue Oct 1 14:28:50 2024 +0800 i2c: npcm: correct the read/write operation procedure Originally the driver uses the XMIT bit in SMBnST register to decide the upcoming i2c transaction. If XMIT bit is 1, then it will be an i2c write operation. If it's 0, then a read operation will be executed. In slave mode the XMIT bit can simply be used directly to set the state. XMIT bit can be used as an indication to the current state of the state machine during slave operation. (meaning XMIT = 1 during writing and XMIT = 0 during reading). In master operation XMIT is valid only if there are no bus errors. For example: in a multi master where the same module is switching from master to slave at runtime, and there are collisions, the XMIT bit cannot be trusted. However the maser already "knows" what the bus state is, so this bit is not needed and the driver can just track what it is currently doing. Signed-off-by: Tyrone Ting Reviewed-by: Tali Perry Signed-off-by: Andi Shyti commit a5089cd23b10c5c861bf5834170c75f9b4c36e08 Author: Qianqiang Liu Date: Fri Sep 27 21:34:44 2024 +0800 i2c: amd-asf: Fix uninitialized variables issue in amd_asf_process_target The len variable is not initialized, which may cause the for loop to behave unexpectedly. Fixes: 9b25419ad397 ("i2c: amd-asf: Add routine to handle the ASF slave process") Signed-off-by: Qianqiang Liu Reviewed-by: Dan Carpenter Acked-by: Shyam Sundar S K Signed-off-by: Andi Shyti commit ba6d8efb1bd7318f173846a8f5730a54c93f3ff5 Merge: 27aef9391bd3bc 590d2f9347f797 Author: Michael Ellerman Date: Sun Nov 17 21:39:59 2024 +1100 Merge branch 'topic/ppc-kvm' into next commit 4962ee045d8f06638714d801ab0fb72f89c16690 Author: Alexander Sverdlin Date: Thu Nov 7 21:38:28 2024 +0100 watchdog: rti: of: honor timeout-sec property Currently "timeout-sec" Device Tree property is being silently ignored: even though watchdog_init_timeout() is being used, the driver always passes "heartbeat" == DEFAULT_HEARTBEAT == 60 as argument. Fix this by setting struct watchdog_device::timeout to DEFAULT_HEARTBEAT and passing real module parameter value to watchdog_init_timeout() (which may now be 0 if not specified). Cc: stable@vger.kernel.org Fixes: 2d63908bdbfb ("watchdog: Add K3 RTI watchdog support") Signed-off-by: Alexander Sverdlin Reviewed-by: Vignesh Raghavendra Reviewed-by: Guenter Roeck Link: https://lore.kernel.org/r/20241107203830.1068456-1-alexander.sverdlin@siemens.com Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck commit 27aef9391bd3bc08eb07fe23e6c4d7c9afabe1e8 Author: Michael Ellerman Date: Fri Nov 15 15:54:42 2024 +1100 MAINTAINERS: powerpc: Mark Maddy as "M" Mark Maddy as a co-maintainer, so that he can get a kernel.org account and help manage the powerpc tree on kernel.org. Acked-by: Madhavan Srinivasan Signed-off-by: Michael Ellerman Link: https://patch.msgid.link/20241115045442.675721-1-mpe@ellerman.id.au commit 68b3bca2df00f0a63f0aa2db2b2adc795665229e Author: Kalesh AP Date: Fri Nov 15 00:47:44 2024 -0800 RDMA/bnxt_re: Correct the sequence of device suspend When in fatal error condition, mark device as detached first and then complete all pending HWRM commands as firmware is not going to process them and eventually time out. Move the device to error only if suspend is called when device is in Fatal state. Also, remove some outdated comments. Remove the stop_irq call which is no longer required. Fixes: cc5b9b48d447 ("RDMA/bnxt_re: Recover the device when FW error is detected") Signed-off-by: Kalesh AP Signed-off-by: Selvin Xavier Link: https://patch.msgid.link/1731660464-27838-4-git-send-email-selvin.xavier@broadcom.com Signed-off-by: Leon Romanovsky commit bfb27ae6d0f9a1229ab15c2f13616e96b4a4419e Author: Kalesh AP Date: Fri Nov 15 00:47:43 2024 -0800 RDMA/bnxt_re: Use the default mode of congestion control Instead of driver setting the congestion mode, use the default values setup by Firmware. Enable the tos_ecn field in FW. Signed-off-by: Kalesh AP Signed-off-by: Selvin Xavier Link: https://patch.msgid.link/1731660464-27838-3-git-send-email-selvin.xavier@broadcom.com Signed-off-by: Leon Romanovsky commit c64b16a37b6d240f6baefd7061970a01c23da61d Author: Chandramohan Akula Date: Fri Nov 15 00:47:42 2024 -0800 RDMA/bnxt_re: Support different traffic class Adding support for different traffic class passed to driver. Fix the traffic class setting in modify_qp by skipping the ECN bits. Pass the service level received from applications to the firmware. Signed-off-by: Chandramohan Akula Reviewed-by: Kalesh AP Signed-off-by: Selvin Xavier Link: https://patch.msgid.link/1731660464-27838-2-git-send-email-selvin.xavier@broadcom.com Signed-off-by: Leon Romanovsky commit fc0856c3a32576fb21c494f38b9c6c8dc3bf58ab Author: Sean Hefty Date: Wed Nov 13 13:12:56 2024 +0200 IB/cm: Rework sending DREQ when destroying a cm_id A DREQ is sent in 2 situations: 1. When requested by the user. This DREQ has to wait for a DREP, which will be routed to the user. 2. When the cm_id is destroyed. This DREQ is generated by the CM to notify the peer that the connection has been destroyed. In the latter case, any DREP that is received will be discarded. There's no need to hold a reference on the cm_id. Today, both situations are covered by the same function: cm_send_dreq_locked(). When invoked in the cm_id destroy path, the cm_id reference would be held until the DREQ completes, blocking the destruction. Because it could take several seconds to minutes before the DREQ receives a DREP, the destroy call posts a send for the DREQ then immediately cancels the MAD. However, cancellation is not immediate in the MAD layer. There could still be a delay before the MAD layer returns the DREQ to the CM. Moreover, the only guarantee is that the DREQ will be sent at most once. Introduce a separate flow for sending a DREQ when destroying the cm_id. The new flow will not hold a reference on the cm_id, allowing it to be cleaned up immediately. The cancellation trick is no longer needed. The MAD layer will send the DREQ exactly once. Signed-off-by: Sean Hefty Signed-off-by: Or Har-Toov Signed-off-by: Vlad Dumitrescu Link: https://patch.msgid.link/a288a098b8e0550305755fd4a7937431699317f4.1731495873.git.leon@kernel.org Signed-off-by: Leon Romanovsky commit 1e5159219076ddb2e44338c667c83fd1bd43dfef Author: Sean Hefty Date: Wed Nov 13 13:12:55 2024 +0200 IB/cm: Do not hold reference on cm_id unless needed Typically, when the CM sends a MAD it bumps a reference count on the associated cm_id. There are some exceptions, such as when the MAD is a direct response to a receive MAD. For example, the CM may generate an MRA in response to a duplicate REQ. But, in general, if a MAD may be sent as a result of the user invoking an API call (e.g. ib_send_cm_rep(), ib_send_cm_rtu(), etc.), a reference is taken on the cm_id. This reference is necessary if the MAD requires a response. The reference allows routing a response MAD back to the cm_id, or, if no response is received, allows updating the cm_id state to reflect the failure. For MADs which do not generate a response from the target, however, there's no need to hold a reference on the cm_id. Such MADs will not be retried by the MAD layer and their completions do not change the state of the cm_id. There are 2 internal calls used to allocate MADs which take a reference on the cm_id: cm_alloc_msg() and cm_alloc_priv_msg(). The latter calls the former. It turns out that all other places where cm_alloc_msg() is called are for MADs that do not generate a response from the target: sending an RTU, DREP, REJ, MRA, or SIDR REP. In all of these cases, there's no need to hold a reference on the cm_id. The benefit of dropping unneeded references is that it allows destruction of the cm_id to proceed immediately. Currently, the cm_destroy_id() call blocks as long as there's a reference held on the cm_id. Worse, is that cm_destroy_id() will send MADs, which it then needs to complete. Sending the MADs is beneficial, as they notify the peer that a connection is being destroyed. However, since the MADs hold a reference on the cm_id, they block destruction and cannot be retried. Move cm_id referencing from cm_alloc_msg() to cm_alloc_priv_msg(). The latter should hold a reference on the cm_id in all cases but one, which will be handled in a separate patch. cm_alloc_priv_msg() is used when sending a REQ, REP, DREQ, and SIDR REQ, all of which require a response. Also, merge common code into cm_alloc_priv_msg() and combine the freeing of all messages which do not need a response. Signed-off-by: Sean Hefty Signed-off-by: Or Har-Toov Signed-off-by: Vlad Dumitrescu Link: https://patch.msgid.link/1f0f96acace72790ecf89087fc765dead960189e.1731495873.git.leon@kernel.org Signed-off-by: Leon Romanovsky commit 0492458750c9fbd69cfc7baddd3ddcac77f2a0c8 Author: Sean Hefty Date: Wed Nov 13 13:12:54 2024 +0200 IB/cm: Explicitly mark if a response MAD is a retransmission In several situations the CM may send a reply to a received MAD without the reply being directly linked with a cm_id. For example, it may send a REJ in response to a REQ which does not match a listener. Or, it may send a DREP in response to a DREQ if the cm_id has already been destroyed. This can happen if the original DREP was lost and the DREQ was retried. When such a response MAD completes, it updates a counter tracking how many MADs were retried. However, not all response MADs issued directly by the CM may be retries. The REJ mentioned in the example above is such a case. To distinguish between responses which were retries versus those that are not, the send_handler performs the following check: is a retry if the response is not associated with a cm_id and the response is not a REJ message. Replace this indirect method of checking if a response is a retry with an explicit check. Note that these retries are generated directly by the CM, rather than retried by the MAD layer. This change will be needed by later changes which would otherwise break the indirect check. Signed-off-by: Sean Hefty Signed-off-by: Or Har-Toov Signed-off-by: Vlad Dumitrescu Link: https://patch.msgid.link/1ee6e2a68f8de1992b9da23aa1d7e3f9f25e0036.1731495873.git.leon@kernel.org Signed-off-by: Leon Romanovsky commit c5d91b16f525ea8c98b3fd8efc5105106d17fe9a Author: Cyrill Gorcunov Date: Mon Nov 4 15:13:55 2024 +0300 efi: Fix memory leak in efivar_ssdt_load When we load SSDT from efi variable (specified with efivar_ssdt= boot command line argument) a name for the variable is allocated dynamically because we traverse all EFI variables. Unlike ACPI table data, which is later used by ACPI engine, the name is no longer needed once traverse is complete -- don't forget to free this memory. Same time we silently ignore any errors happened here let's print a message if something went wrong (but do not exit since this is not a critical error and the system should continue to boot). Also while here -- add a note why we keep SSDT table on success. Signed-off-by: Cyrill Gorcunov Signed-off-by: Ard Biesheuvel commit 851062278436c9a887749e7b73598a28dd902ac0 Author: Ard Biesheuvel Date: Sun Oct 13 13:10:38 2024 +0200 efi/libstub: Take command line overrides into account for loaded files When CONFIG_CMDLINE_OVERRIDE or CONFIG_CMDLINE_FORCE are configured, the command line provided by the boot stack should be ignored, and only the built-in command line should be taken into account. Add the required handling of this when dealing with initrd= or dtb= command line options in the EFI stub. Signed-off-by: Ard Biesheuvel commit 80d01ce607cbffd8fa6ceb8a91ce07667bc51d5a Author: Ard Biesheuvel Date: Sun Oct 13 11:20:45 2024 +0200 efi/libstub: Fix command line fallback handling when loading files CONFIG_CMDLINE, when set, is supposed to serve either as a fallback when no command line is provided by the bootloader, or to be taken into account unconditionally, depending on the configured options. The initrd and dtb loader ignores CONFIG_CMDLINE in either case, and only takes the EFI firmware provided load options into account. This means that configuring the kernel with initrd= or dtb= on the built-in command line does not produce the expected result. Fix this by doing a separate pass over the built-in command line when dealing with initrd= or dtb= options. Signed-off-by: Ard Biesheuvel commit d7a516c6eeae29144649f1c3f586fa580ec9e040 Author: Philipp Reisner Date: Fri Nov 15 21:46:02 2024 +0100 compiler.h: Fix undefined BUILD_BUG_ON_ZERO() defines __must_be_array() and __must_be_cstr() and both expand to BUILD_BUG_ON_ZERO(), but defines BUILD_BUG_ON_ZERO(). Including in would create a cyclic dependency as already includes . Fix that by defining __BUILD_BUG_ON_ZERO_MSG() in and using that for __must_be_array() and __must_be_cstr(). Signed-off-by: Philipp Reisner Link: https://lore.kernel.org/r/20241115204602.249590-1-philipp.reisner@linbit.com Signed-off-by: Kees Cook commit a5f05a138a8cac035bf9da9b6ed0e532bc7942c8 Author: Josh Poimboeuf Date: Wed Oct 2 14:32:04 2024 -0700 parisc/ftrace: Fix function graph tracing disablement Due to an apparent copy-paste bug, the parisc implementation of ftrace_disable_ftrace_graph_caller() doesn't actually do anything. It enables the (already-enabled) static key rather than disabling it. The result is that after function graph tracing has been "disabled", any subsequent (non-graph) function tracing will inadvertently also enable the slow fgraph return address hijacking. Fixes: 98f2926171ae ("parisc/ftrace: use static key to enable/disable function graph tracer") Cc: stable@vger.kernel.org # 5.16+ Signed-off-by: Josh Poimboeuf Signed-off-by: Helge Deller commit 9e19aa165cb5b8f976d073cdc12cfe9a8da2bd12 Merge: 2420baa8e0460b f7c80fad6c2b64 Author: Vlastimil Babka Date: Sat Nov 16 21:21:51 2024 +0100 Merge branch 'slab/for-6.13/features' into slab/for-next Merge the slab feature branch for 6.13: - Add new slab_strict_numa parameter for per-object memory policies (Christoph Lameter) commit 2420baa8e0460b1c35008d6bf21b4e6bff023867 Author: Hyeonggon Yoo <42.hyeyoo@gmail.com> Date: Fri Nov 1 22:08:44 2024 +0900 mm/slab: Allow cache creation to proceed even if sysfs registration fails When kobject_init_and_add() fails during cache creation, kobj->name can be leaked because SLUB does not call kobject_put(), which should be invoked per the kobject API documentation. This has a bit of historical context, though; SLUB does not call kobject_put() to avoid double-free for struct kmem_cache because 1) simply calling it would free all resources related to the cache, and 2) struct kmem_cache descriptor is always freed by cache_cache()'s error handling path, causing struct kmem_cache to be freed twice. This issue can be reproduced by creating new slab caches while applying failslab for kernfs_node_cache. This makes kobject_add_varg() succeed, but causes kobject_add_internal() to fail in kobject_init_and_add() during cache creation. Historically, this issue has attracted developers' attention several times. Each time a fix addressed either the leak or the double-free, it caused the other issue. Let's summarize a bit of history here: The leak has existed since the early days of SLUB. Commit 54b6a731025f ("slub: fix leak of 'name' in sysfs_slab_add") introduced a double-free bug while fixing the leak. Commit 80da026a8e5d ("mm/slub: fix slab double-free in case of duplicate sysfs filename") re-introduced the leak while fixing the double-free error. Commit dde3c6b72a16 ("mm/slub: fix a memory leak in sysfs_slab_add()") fixed the memory leak, but it was later reverted by commit 757fed1d0898 ("Revert "mm/slub: fix a memory leak in sysfs_slab_add()"") to avoid the double-free error. This is where we are now: we've chosen a memory leak over a double-free. To resolve this memory leak, skip creating sysfs files if it fails and continue with cache creation regardless (as suggested by Christoph). This resolves the memory leak because both the cache and the kobject remain alive on kobject_init_and_add() failure. If SLUB tries to create an alias for a cache without sysfs files, its symbolic link will not be generated. Since a slab cache might not have associated sysfs files, call kobject_del() only if such files exist. Signed-off-by: Hyeonggon Yoo <42.hyeyoo@gmail.com> Signed-off-by: Vlastimil Babka commit dbc16915279a548a204154368da23d402c141c81 Author: yuan.gao Date: Fri Oct 18 14:44:35 2024 +0800 mm/slub: Avoid list corruption when removing a slab from the full list Boot with slub_debug=UFPZ. If allocated object failed in alloc_consistency_checks, all objects of the slab will be marked as used, and then the slab will be removed from the partial list. When an object belonging to the slab got freed later, the remove_full() function is called. Because the slab is neither on the partial list nor on the full list, it eventually lead to a list corruption (actually a list poison being detected). So we need to mark and isolate the slab page with metadata corruption, do not put it back in circulation. Because the debug caches avoid all the fastpaths, reusing the frozen bit to mark slab page with metadata corruption seems to be fine. [ 4277.385669] list_del corruption, ffffea00044b3e50->next is LIST_POISON1 (dead000000000100) [ 4277.387023] ------------[ cut here ]------------ [ 4277.387880] kernel BUG at lib/list_debug.c:56! [ 4277.388680] invalid opcode: 0000 [#1] PREEMPT SMP PTI [ 4277.389562] CPU: 5 PID: 90 Comm: kworker/5:1 Kdump: loaded Tainted: G OE 6.6.1-1 #1 [ 4277.392113] Workqueue: xfs-inodegc/vda1 xfs_inodegc_worker [xfs] [ 4277.393551] RIP: 0010:__list_del_entry_valid_or_report+0x7b/0xc0 [ 4277.394518] Code: 48 91 82 e8 37 f9 9a ff 0f 0b 48 89 fe 48 c7 c7 28 49 91 82 e8 26 f9 9a ff 0f 0b 48 89 fe 48 c7 c7 58 49 91 [ 4277.397292] RSP: 0018:ffffc90000333b38 EFLAGS: 00010082 [ 4277.398202] RAX: 000000000000004e RBX: ffffea00044b3e50 RCX: 0000000000000000 [ 4277.399340] RDX: 0000000000000002 RSI: ffffffff828f8715 RDI: 00000000ffffffff [ 4277.400545] RBP: ffffea00044b3e40 R08: 0000000000000000 R09: ffffc900003339f0 [ 4277.401710] R10: 0000000000000003 R11: ffffffff82d44088 R12: ffff888112cf9910 [ 4277.402887] R13: 0000000000000001 R14: 0000000000000001 R15: ffff8881000424c0 [ 4277.404049] FS: 0000000000000000(0000) GS:ffff88842fd40000(0000) knlGS:0000000000000000 [ 4277.405357] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4277.406389] CR2: 00007f2ad0b24000 CR3: 0000000102a3a006 CR4: 00000000007706e0 [ 4277.407589] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 4277.408780] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 4277.410000] PKRU: 55555554 [ 4277.410645] Call Trace: [ 4277.411234] [ 4277.411777] ? die+0x32/0x80 [ 4277.412439] ? do_trap+0xd6/0x100 [ 4277.413150] ? __list_del_entry_valid_or_report+0x7b/0xc0 [ 4277.414158] ? do_error_trap+0x6a/0x90 [ 4277.414948] ? __list_del_entry_valid_or_report+0x7b/0xc0 [ 4277.415915] ? exc_invalid_op+0x4c/0x60 [ 4277.416710] ? __list_del_entry_valid_or_report+0x7b/0xc0 [ 4277.417675] ? asm_exc_invalid_op+0x16/0x20 [ 4277.418482] ? __list_del_entry_valid_or_report+0x7b/0xc0 [ 4277.419466] ? __list_del_entry_valid_or_report+0x7b/0xc0 [ 4277.420410] free_to_partial_list+0x515/0x5e0 [ 4277.421242] ? xfs_iext_remove+0x41a/0xa10 [xfs] [ 4277.422298] xfs_iext_remove+0x41a/0xa10 [xfs] [ 4277.423316] ? xfs_inodegc_worker+0xb4/0x1a0 [xfs] [ 4277.424383] xfs_bmap_del_extent_delay+0x4fe/0x7d0 [xfs] [ 4277.425490] __xfs_bunmapi+0x50d/0x840 [xfs] [ 4277.426445] xfs_itruncate_extents_flags+0x13a/0x490 [xfs] [ 4277.427553] xfs_inactive_truncate+0xa3/0x120 [xfs] [ 4277.428567] xfs_inactive+0x22d/0x290 [xfs] [ 4277.429500] xfs_inodegc_worker+0xb4/0x1a0 [xfs] [ 4277.430479] process_one_work+0x171/0x340 [ 4277.431227] worker_thread+0x277/0x390 [ 4277.431962] ? __pfx_worker_thread+0x10/0x10 [ 4277.432752] kthread+0xf0/0x120 [ 4277.433382] ? __pfx_kthread+0x10/0x10 [ 4277.434134] ret_from_fork+0x2d/0x50 [ 4277.434837] ? __pfx_kthread+0x10/0x10 [ 4277.435566] ret_from_fork_asm+0x1b/0x30 [ 4277.436280] Fixes: 643b113849d8 ("slub: enable tracking of full slabs") Suggested-by: Hyeonggon Yoo <42.hyeyoo@gmail.com> Suggested-by: Vlastimil Babka Cc: Signed-off-by: yuan.gao Reviewed-by: Hyeonggon Yoo <42.hyeyoo@gmail.com> Acked-by: Christoph Lameter Signed-off-by: Vlastimil Babka commit 080c8579c37ec9c11cfb8b9eb25b74912b33dc06 Author: Feng Tang Date: Wed Oct 16 23:41:52 2024 +0800 mm/slub, kunit: Add testcase for krealloc redzone and zeroing Danilo Krummrich raised issue about krealloc+GFP_ZERO [1], and Vlastimil suggested to add some test case which can sanity test the kmalloc-redzone and zeroing by utilizing the kmalloc's 'orig_size' debug feature. It covers the grow and shrink case of krealloc() re-using current kmalloc object, and the case of re-allocating a new bigger object. [1]. https://lore.kernel.org/lkml/20240812223707.32049-1-dakr@kernel.org/ Suggested-by: Vlastimil Babka Signed-off-by: Feng Tang Signed-off-by: Vlastimil Babka commit 5474d33ca48e7764ccc38b2ac089863cca83280a Author: Feng Tang Date: Wed Oct 16 23:41:51 2024 +0800 mm/slub: Improve redzone check and zeroing for krealloc() For current krealloc(), one problem is its caller doesn't pass the old request size, say the object is 64 bytes kmalloc one, but caller may only requested 48 bytes. Then when krealloc() shrinks or grows in the same object, or allocate a new bigger object, it lacks this 'original size' information to do accurate data preserving or zeroing (when __GFP_ZERO is set). Thus with slub debug redzone and object tracking enabled, parts of the object after krealloc() might contain redzone data instead of zeroes, which is violating the __GFP_ZERO guarantees. Good thing is in this case, kmalloc caches do have this 'orig_size' feature. So solve the problem by utilize 'org_size' to do accurate data zeroing and preserving. [Thanks to syzbot and V, Narasimhan for discovering kfence and big kmalloc related issues in early patch version] Suggested-by: Vlastimil Babka Signed-off-by: Feng Tang Reviewed-by: Hyeonggon Yoo <42.hyeyoo@gmail.com> Signed-off-by: Vlastimil Babka commit 9ef8568bd7cddf59e1ff6ee1b7d799539e331b73 Author: Feng Tang Date: Wed Oct 16 23:41:50 2024 +0800 mm/slub: Consider kfence case for get_orig_size() When 'orig_size' of kmalloc object is enabled by debug option, it should either contains the actual requested size or the cache's 'object_size'. But it's not true if that object is a kfence-allocated one, and the data at 'orig_size' offset of metadata could be zero or other values. This is not a big issue for current 'orig_size' usage, as init_object() and check_object() during alloc/free process will be skipped for kfence addresses. But it could cause trouble for other usage in future. Use the existing kfence helper kfence_ksize() which can return the real original request size. Signed-off-by: Feng Tang Reviewed-by: Hyeonggon Yoo <42.hyeyoo@gmail.com> Signed-off-by: Vlastimil Babka commit 85c60a01b85ee956adf8d46c253fc50f75363e8f Author: Dr. David Alan Gilbert Date: Tue Oct 22 01:29:40 2024 +0100 perf: Remove unused del_perf_probe_events() del_perf_probe_events() last use was removed by commit 3d6dfae889174340 ("perf parse-events: Remove BPF event support") Remove it. It was the last user of probe_file__del_events(), so remove it as well. Signed-off-by: Dr. David Alan Gilbert Cc: Adrian Hunter Cc: Alexander Shishkin Cc: Ian Rogers Cc: Ingo Molnar Cc: Jiri Olsa Cc: Kan Liang Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Link: https://lore.kernel.org/r/20241022002940.302946-1-linux@treblig.org Signed-off-by: Arnaldo Carvalho de Melo commit 8f997865ee9e73281a92a7ab7ebcab84e1a36d83 Author: Ian Rogers Date: Thu Nov 7 08:20:35 2024 -0800 perf pmu: Move pmu_metrics_table__find and remove ARM override Move pmu_metrics_table__find() to the jevents.py generated pmu-events.c and remove indirection override for ARM. The movement removes perf_pmu__find_metrics_table that exists to enable the ARM override. The ARM override isn't necessary as just the CPUID, not PMU, is used in the metric table lookup. On non-ARM the CPU argument is just ignored for the CPUID, for ARM -1 is passed so that the CPUID for the first logical CPU is read. Reviewed-by: James Clark Signed-off-by: Ian Rogers Tested-by: Xu Yang Cc: Adrian Hunter Cc: Albert Ou Cc: Alexander Shishkin Cc: Alexandre Ghiti Cc: Athira Rajeev Cc: Ben Zong-You Xie Cc: Benjamin Gray Cc: Bibo Mao Cc: Clément Le Goffic Cc: Dima Kogan Cc: Dr. David Alan Gilbert Cc: Huacai Chen Cc: Ingo Molnar Cc: Jiri Olsa Cc: John Garry Cc: Kan Liang Cc: Leo Yan Cc: Mark Rutland Cc: Masami Hiramatsu Cc: Mike Leach Cc: Namhyung Kim Cc: Palmer Dabbelt Cc: Paul Walmsley Cc: Peter Zijlstra Cc: Ravi Bangoria Cc: Sandipan Das Cc: Will Deacon Cc: Yicong Yang Cc: linux-arm-kernel@lists.infradead.org Cc: linux-riscv@lists.infradead.org Link: https://lore.kernel.org/r/20241107162035.52206-9-irogers@google.com Signed-off-by: Arnaldo Carvalho de Melo commit 0434410fa45c9aff6183bb99e0fbc255d75fcf95 Author: Ian Rogers Date: Thu Nov 7 08:20:34 2024 -0800 perf jevents: Add map_for_cpu() The PMU is no longer part of the map finding process and for metrics doesn't make sense as they lack a PMU. Reviewed-by: James Clark Signed-off-by: Ian Rogers Tested-by: Xu Yang Cc: Adrian Hunter Cc: Albert Ou Cc: Alexander Shishkin Cc: Alexandre Ghiti Cc: Athira Rajeev Cc: Ben Zong-You Xie Cc: Benjamin Gray Cc: Bibo Mao Cc: Clément Le Goffic Cc: Dima Kogan Cc: Dr. David Alan Gilbert Cc: Huacai Chen Cc: Ingo Molnar Cc: Jiri Olsa Cc: John Garry Cc: Kan Liang Cc: Leo Yan Cc: Mark Rutland Cc: Masami Hiramatsu Cc: Mike Leach Cc: Namhyung Kim Cc: Palmer Dabbelt Cc: Paul Walmsley Cc: Peter Zijlstra Cc: Ravi Bangoria Cc: Sandipan Das Cc: Will Deacon Cc: Yicong Yang Cc: linux-arm-kernel@lists.infradead.org Cc: linux-riscv@lists.infradead.org Link: https://lore.kernel.org/r/20241107162035.52206-8-irogers@google.com Signed-off-by: Arnaldo Carvalho de Melo commit 494c403ff159fdfdb41c364acbe79f2f53ad585d Author: Ian Rogers Date: Thu Nov 7 08:20:33 2024 -0800 perf header: Pass a perf_cpu rather than a PMU to get_cpuid_str On ARM the cpuid is dependent on the core type of the CPU in question. The PMU was passed for the sake of the CPU map but this means in places a temporary PMU is created just to pass a CPU value. Just pass the CPU and fix up the callers. As there are no longer PMU users in header.h, shuffle forward declarations earlier to work around build failures. Reviewed-by: James Clark Signed-off-by: Ian Rogers Tested-by: Xu Yang Cc: Adrian Hunter Cc: Albert Ou Cc: Alexander Shishkin Cc: Alexandre Ghiti Cc: Athira Rajeev Cc: Ben Zong-You Xie Cc: Benjamin Gray Cc: Bibo Mao Cc: Clément Le Goffic Cc: Dima Kogan Cc: Dr. David Alan Gilbert Cc: Huacai Chen Cc: Ingo Molnar Cc: Jiri Olsa Cc: John Garry Cc: Kan Liang Cc: Leo Yan Cc: Mark Rutland Cc: Masami Hiramatsu Cc: Mike Leach Cc: Namhyung Kim Cc: Palmer Dabbelt Cc: Paul Walmsley Cc: Peter Zijlstra Cc: Ravi Bangoria Cc: Sandipan Das Cc: Will Deacon Cc: Yicong Yang Cc: linux-arm-kernel@lists.infradead.org Cc: linux-riscv@lists.infradead.org Link: https://lore.kernel.org/r/20241107162035.52206-7-irogers@google.com Signed-off-by: Arnaldo Carvalho de Melo commit 7463ee17a74090081f0f013fa514904a01fcc954 Author: Ian Rogers Date: Thu Nov 7 08:20:32 2024 -0800 perf header: Avoid transitive PMU includes Currently satisfied via header.h. Note, pmu.h includes parse-events.h. Reviewed-by: James Clark Signed-off-by: Ian Rogers Tested-by: Xu Yang Cc: Adrian Hunter Cc: Albert Ou Cc: Alexander Shishkin Cc: Alexandre Ghiti Cc: Athira Rajeev Cc: Ben Zong-You Xie Cc: Benjamin Gray Cc: Bibo Mao Cc: Clément Le Goffic Cc: Dima Kogan Cc: Dr. David Alan Gilbert Cc: Huacai Chen Cc: Ingo Molnar Cc: Jiri Olsa Cc: John Garry Cc: Kan Liang Cc: Leo Yan Cc: Mark Rutland Cc: Masami Hiramatsu Cc: Mike Leach Cc: Namhyung Kim Cc: Palmer Dabbelt Cc: Paul Walmsley Cc: Peter Zijlstra Cc: Ravi Bangoria Cc: Sandipan Das Cc: Will Deacon Cc: Yicong Yang Cc: linux-arm-kernel@lists.infradead.org Cc: linux-riscv@lists.infradead.org Link: https://lore.kernel.org/r/20241107162035.52206-6-irogers@google.com Signed-off-by: Arnaldo Carvalho de Melo commit 538737da9625d5cceeec3ae90e66afa0792cab50 Author: Ian Rogers Date: Thu Nov 7 08:20:31 2024 -0800 perf arm64 header: Use cpu argument in get_cpuid Use the cpu to read the MIDR file requested. If the "any" value (-1) is passed that keep the behavior of returning the first MIDR file that can be read. Reviewed-by: James Clark Signed-off-by: Ian Rogers Tested-by: Xu Yang Cc: Adrian Hunter Cc: Albert Ou Cc: Alexander Shishkin Cc: Alexandre Ghiti Cc: Athira Rajeev Cc: Ben Zong-You Xie Cc: Benjamin Gray Cc: Bibo Mao Cc: Clément Le Goffic Cc: Dima Kogan Cc: Dr. David Alan Gilbert Cc: Huacai Chen Cc: Ingo Molnar Cc: Jiri Olsa Cc: John Garry Cc: Kan Liang Cc: Leo Yan Cc: Mark Rutland Cc: Masami Hiramatsu Cc: Mike Leach Cc: Namhyung Kim Cc: Palmer Dabbelt Cc: Paul Walmsley Cc: Peter Zijlstra Cc: Ravi Bangoria Cc: Sandipan Das Cc: Will Deacon Cc: Yicong Yang Cc: linux-arm-kernel@lists.infradead.org Cc: linux-riscv@lists.infradead.org Link: https://lore.kernel.org/r/20241107162035.52206-5-irogers@google.com Signed-off-by: Arnaldo Carvalho de Melo commit cec0d6572a4472848b87d016105634e4eef76d13 Author: Ian Rogers Date: Thu Nov 7 08:20:30 2024 -0800 perf header: Refactor get_cpuid to take a CPU for ARM ARM BIG.little has no notion of a constant CPUID for both core types. To reflect this reality, change the get_cpuid function to also pass in a possibly unused logical cpu. If the dummy value (-1) is passed in then ARM can, as currently happens, select the first logical CPU's "CPUID". The changes to ARM getcpuid happen in a follow up change. Reviewed-by: James Clark Signed-off-by: Ian Rogers Tested-by: Xu Yang Cc: Adrian Hunter Cc: Albert Ou Cc: Alexander Shishkin Cc: Alexandre Ghiti Cc: Athira Rajeev Cc: Ben Zong-You Xie Cc: Benjamin Gray Cc: Bibo Mao Cc: Clément Le Goffic Cc: Dima Kogan Cc: Dr. David Alan Gilbert Cc: Huacai Chen Cc: Ingo Molnar Cc: Jiri Olsa Cc: John Garry Cc: Kan Liang Cc: Leo Yan Cc: Mark Rutland Cc: Masami Hiramatsu Cc: Mike Leach Cc: Namhyung Kim Cc: Palmer Dabbelt Cc: Paul Walmsley Cc: Peter Zijlstra Cc: Ravi Bangoria Cc: Sandipan Das Cc: Will Deacon Cc: Yicong Yang Cc: linux-arm-kernel@lists.infradead.org Cc: linux-riscv@lists.infradead.org Link: https://lore.kernel.org/r/20241107162035.52206-4-irogers@google.com Signed-off-by: Arnaldo Carvalho de Melo commit c6fafe36bab32b9b24941fe381f0b66751021c25 Author: Ian Rogers Date: Thu Nov 7 08:20:29 2024 -0800 perf header: Move is_cpu_online to numa bench The helper function is only used in the NUMA benchmark as typically online CPUs are determined through perf_cpu_map__new_online_cpus(). Reduce the scope of the function for now. Reviewed-by: James Clark Signed-off-by: Ian Rogers Tested-by: Xu Yang Cc: Adrian Hunter Cc: Albert Ou Cc: Alexander Shishkin Cc: Alexandre Ghiti Cc: Athira Rajeev Cc: Ben Zong-You Xie Cc: Benjamin Gray Cc: Bibo Mao Cc: Clément Le Goffic Cc: Dima Kogan Cc: Dr. David Alan Gilbert Cc: Huacai Chen Cc: Ingo Molnar Cc: Jiri Olsa Cc: John Garry Cc: Kan Liang Cc: Leo Yan Cc: Mark Rutland Cc: Masami Hiramatsu Cc: Mike Leach Cc: Namhyung Kim Cc: Palmer Dabbelt Cc: Paul Walmsley Cc: Peter Zijlstra Cc: Ravi Bangoria Cc: Sandipan Das Cc: Will Deacon Cc: Yicong Yang Cc: linux-arm-kernel@lists.infradead.org Cc: linux-riscv@lists.infradead.org Link: https://lore.kernel.org/r/20241107162035.52206-3-irogers@google.com Signed-off-by: Arnaldo Carvalho de Melo commit 4a159e6049f319bef6f9e6d2ccdd322f57d24830 Author: Xu Yang Date: Thu Nov 7 08:20:28 2024 -0800 perf jevents: fix breakage when do perf stat on system metric When do perf stat on sys metric, perf tool output nothing now: $ perf stat -a -M imx95_ddr_read.all -I 1000 $ This command runs on an arm64 machine and the Soc has one DDR hw pmu except one armv8_cortex_a55 pmu. Their maps show as follows: const struct pmu_events_map pmu_events_map[] = { { .arch = "arm64", .cpuid = "0x00000000410fd050", .event_table = { .pmus = pmu_events__arm_cortex_a55, .num_pmus = ARRAY_SIZE(pmu_events__arm_cortex_a55) }, .metric_table = { .pmus = NULL, .num_pmus = 0 } }, static const struct pmu_sys_events pmu_sys_event_tables[] = { { .event_table = { .pmus = pmu_events__freescale_imx95_sys, .num_pmus = ARRAY_SIZE(pmu_events__freescale_imx95_sys) }, .metric_table = { .pmus = pmu_metrics__freescale_imx95_sys, .num_pmus = ARRAY_SIZE(pmu_metrics__freescale_imx95_sys) }, .name = "pmu_events__freescale_imx95_sys", }, Currently, pmu_metrics_table__find() will return NULL when only do perf stat on sys metric. Then parse_groups() will never be called to parse sys metric_name, finally perf tool will exit directly. This should be a common problem. To fix the issue, this will keep the logic before commit f20c15d13f01 ("perf pmu-events: Remember the perf_events_map for a PMU") to return a empty metric table rather than a NULL pointer. This should be fine since the removed part just check if the table match provided metric_name. Without these code, the code in parse_groups() will also check the validity of metrci_name too. Fixes: f20c15d13f017d4b ("perf pmu-events: Remember the perf_events_map for a PMU") Reviewed-by: James Clark Signed-off-by: Xu Yang Tested-by: Xu Yang Acked-by: Ian Rogers Cc: Adrian Hunter Cc: Albert Ou Cc: Alexander Shishkin Cc: Alexandre Ghiti Cc: Athira Rajeev Cc: Benjamin Gray Cc: Ben Zong-You Xie Cc: Bibo Mao Cc: Clément Le Goffic Cc: Dima Kogan Cc: Dr. David Alan Gilbert Cc: Huacai Chen Cc: Ingo Molnar Cc: Jiri Olsa Cc: John Garry Cc: Kan Liang Cc: Leo Yan Cc: Mark Rutland Cc: Masami Hiramatsu Cc: Mike Leach Cc: Namhyung Kim Cc: Palmer Dabbelt Cc: Paul Walmsley Cc: Peter Zijlstra Cc: Ravi Bangoria Cc: Sandipan Das Cc: Will Deacon Cc: Yicong Yang Cc: linux-arm-kernel@lists.infradead.org Cc: linux-riscv@lists.infradead.org Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20241107162035.52206-2-irogers@google.com Signed-off-by: Ian Rogers Signed-off-by: Arnaldo Carvalho de Melo commit db26a8c9e3c285092ed3e14a33755582c04e0269 Author: Ian Rogers Date: Fri Nov 15 12:12:58 2024 -0800 perf test: Add missing __exit calls in tool/hwmon tests Address sanitizer flagged the missing parse_events_error__exit when testing on ARM. Signed-off-by: Ian Rogers Cc: Adrian Hunter Cc: Alexander Shishkin Cc: Athira Rajeev Cc: Ingo Molnar Cc: Jiri Olsa Cc: Kan Liang Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Link: https://lore.kernel.org/r/20241115201258.509477-1-irogers@google.com Signed-off-by: Arnaldo Carvalho de Melo commit 180fd0c1eac7cd8c5aa9a9f8b54088a61d9e05db Author: James Clark Date: Fri Nov 15 16:15:59 2024 +0000 perf tests: Make leader sampling test work without branch event Arm a57 only has speculative branch events so this test fails there. The test doesn't depend on branch instructions so change it to instructions which is pretty much guaranteed to be everywhere. The test_branch_counter() test above already tests for the existence of the branches event and skips if its not present. Reviewed-by: Ian Rogers Signed-off-by: James Clark Cc: Adrian Hunter Cc: Alexander Shishkin Cc: Dapeng Mi Cc: Ingo Molnar Cc: Jiri Olsa Cc: Kan Liang Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Veronika Molnarova Link: https://lore.kernel.org/r/20241115161600.228994-1-james.clark@linaro.org Signed-off-by: Arnaldo Carvalho de Melo commit 264708b8ac6cce132c61865bfe0463adeb80d7ef Author: Dr. David Alan Gilbert Date: Sat Nov 16 15:58:50 2024 +0000 perf util: Remove kernel version deadcode fetch_kernel_version() has been unused since Ian's 2023 commit 3d6dfae889174340 ("perf parse-events: Remove BPF event support") Remove it, and it's helpers. I noticed there are a bunch of kernel-version macros that are also unused nearby. Also remove them. Reviewed-by: Ian Rogers Signed-off-by: Dr. David Alan Gilbert Cc: Adrian Hunter Cc: Alexander Shishkin Cc: Ingo Molnar Cc: Jiri Olsa Cc: Kan Liang Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Link: https://lore.kernel.org/r/20241116155850.113129-1-linux@treblig.org Signed-off-by: Arnaldo Carvalho de Melo commit 0b687912c94181fdf530aa33036871cd8a26eb72 Author: Arnaldo Carvalho de Melo Date: Fri Nov 15 12:18:21 2024 -0300 perf test shell trace_exit_race: Use --no-comm to avoid cases where COMM isn't resolved The purpose of this test is to test for races in the exit of 'perf trace' missing the last events, it was failing when the COMM wasn't resolved either because we missed some PERF_RECORD_COMM or somehow raced on getting it from procfs. Add --no-comm to the 'perf trace' command line so that we get a consistent, pid only output, which allows the test to achieve its goal. This is the output from 'perf trace --no-comm -e syscalls:sys_enter_exit_group': 0.000 21953 syscalls:sys_enter_exit_group() 0.000 21955 syscalls:sys_enter_exit_group() 0.000 21957 syscalls:sys_enter_exit_group() 0.000 21959 syscalls:sys_enter_exit_group() 0.000 21961 syscalls:sys_enter_exit_group() 0.000 21963 syscalls:sys_enter_exit_group() 0.000 21965 syscalls:sys_enter_exit_group() 0.000 21967 syscalls:sys_enter_exit_group() 0.000 21969 syscalls:sys_enter_exit_group() 0.000 21971 syscalls:sys_enter_exit_group() Now it passes: root@number:~# perf test "trace exit race" 110: perf trace exit race : Ok root@number:~# root@number:~# perf test -v "trace exit race" 110: perf trace exit race : Ok root@number:~# If we artificially make it run just 9 times instead of the 10 it runs, i.e. by manually doing: trace_shutdown_race() { for _ in $(seq 9); do that 9 is $iter, 10 in the patch, we get: root@number:~# vim ~acme/libexec/perf-core/tests/shell/trace_exit_race.sh root@number:~# perf test -v "trace exit race" --- start --- test child forked, pid 24629 Missing output, expected 10 but only got 9 ---- end(-1) ---- 110: perf trace exit race : FAILED! root@number:~# I.e. 9 'perf trace' calls produced the expected output, the inverse grep didn't show anything, so the patch provided by Howard for the previous patch kicks in and shows a more informative message. Tested-by: Howard Chu Cc: Adrian Hunter Cc: Alexander Shishkin Cc: Benjamin Peterson Cc: Ian Rogers Cc: Ingo Molnar Cc: Jiri Olsa Cc: Kan Liang Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Link: https://lore.kernel.org/lkml/ZzdknoHqrJbojb6P@x1 Signed-off-by: Arnaldo Carvalho de Melo commit 2c8b09ac2537299511c898bc71b1a5f2756c831c Author: Sidong Yang Date: Sat Nov 16 17:10:52 2024 +0900 libbpf: Change hash_combine parameters from long to unsigned long The hash_combine() could be trapped when compiled with sanitizer like "zig cc" or clang with signed-integer-overflow option. This patch parameters and return type to unsigned long to remove the potential overflow. Signed-off-by: Sidong Yang Acked-by: Yonghong Song Link: https://lore.kernel.org/r/20241116081054.65195-1-sidong.yang@furiosa.ai Signed-off-by: Alexei Starovoitov commit 608e99f7869e3a6e028c7cba14a896c7797e8746 Author: Alexei Starovoitov Date: Sat Nov 16 10:56:17 2024 -0800 selftests/bpf: Fix build error with llvm 19 llvm 19 fails to compile arena self test: CLNG-BPF [test_progs] verifier_arena_large.bpf.o progs/verifier_arena_large.c:90:24: error: unsupported signed division, please convert to unsigned div/mod. 90 | pg_idx = (pg - base) / PAGE_SIZE; Though llvm <= 18 and llvm >= 20 don't have this issue, fix the test to avoid the build error. Reported-by: Jiri Olsa Signed-off-by: Alexei Starovoitov commit 118397c9baaac0b7ec81896f8d755d09aa82c485 Author: Niklas Cassel Date: Sat Nov 16 01:59:51 2024 +0100 PCI: dwc: ep: Fix advertised resizable BAR size regression The advertised resizable BAR size was fixed in commit 72e34b8593e0 ("PCI: dwc: endpoint: Fix advertised resizable BAR size"). Commit 867ab111b242 ("PCI: dwc: ep: Add a generic dw_pcie_ep_linkdown() API to handle Link Down event") was included shortly after this, and moved the code to another function. When the code was moved, this fix was mistakenly lost. According to the spec, it is illegal to not have a bit set in PCI_REBAR_CAP, and 1 MB is the smallest size allowed. So, set bit 4 in PCI_REBAR_CAP, so that we actually advertise support for a 1 MB BAR size. Fixes: 867ab111b242 ("PCI: dwc: ep: Add a generic dw_pcie_ep_linkdown() API to handle Link Down event") Link: https://lore.kernel.org/r/20241116005950.2480427-2-cassel@kernel.org Link: https://lore.kernel.org/r/20240606-pci-deinit-v1-3-4395534520dc@linaro.org Link: https://lore.kernel.org/r/20240307111520.3303774-1-cassel@kernel.org Signed-off-by: Niklas Cassel Signed-off-by: Krzysztof Wilczyński Cc: stable@vger.kernel.org commit 154fc1f6420840e8aa65e5b43a456ae8f34816dd Author: Rob Herring (Arm) Date: Mon Nov 4 13:07:13 2024 -0600 PCI: dwc: Use of_property_present() for non-boolean properties The use of of_property_read_bool() for non-boolean properties is deprecated in favor of of_property_present() when testing for property presence. Link: https://lore.kernel.org/r/20241104190714.275977-1-robh@kernel.org Signed-off-by: Rob Herring (Arm) Signed-off-by: Krzysztof Wilczyński Signed-off-by: Bjorn Helgaas Acked-by: Manivannan Sadhasivam commit 5089b3d874e9933d9842e90410d3af1520494757 Author: Zhongqiu Han Date: Tue Nov 5 20:07:35 2024 +0800 PCI: endpoint: epf-mhi: Avoid NULL dereference if DT lacks 'mmio' If platform_get_resource_byname() fails and returns NULL because DT lacks an 'mmio' property for the MHI endpoint, dereferencing res->start will cause a NULL pointer access. Add a check to prevent it. Fixes: 1bf5f25324f7 ("PCI: endpoint: Add PCI Endpoint function driver for MHI bus") Link: https://lore.kernel.org/r/20241105120735.1240728-1-quic_zhonhan@quicinc.com Signed-off-by: Zhongqiu Han [kwilczynski: error message update per the review feedback] Signed-off-by: Krzysztof Wilczyński [bhelgaas: commit log] Signed-off-by: Bjorn Helgaas Reviewed-by: Niklas Cassel commit 9b80bdb10aee04ce7289896e6bdad13e33972636 Author: Wang Jiang Date: Mon Nov 4 18:05:14 2024 +0800 PCI: endpoint: Remove surplus return statement from pci_epf_test_clean_dma_chan() Remove a surplus return statement from the void function that has been added in the commit commit 8353813c88ef ("PCI: endpoint: Enable DMA tests for endpoints with DMA capabilities"). Especially, as an empty return statements at the end of a void functions serve little purpose. This fixes the following checkpatch.pl script warning: WARNING: void function return statements are not generally useful #296: FILE: drivers/pci/endpoint/functions/pci-epf-test.c:296: + return; +} Link: https://lore.kernel.org/r/tencent_F250BEE2A65745A524E2EFE70CF615CA8F06@qq.com Signed-off-by: Wang Jiang [kwilczynski: commit log] Signed-off-by: Krzysztof Wilczyński commit 3fafc38b77bebeeea5faa2a588b92353775bb390 Author: Niklas Cassel Date: Thu Oct 17 15:20:55 2024 +0200 PCI: dwc: ep: Use align addr function for dw_pcie_ep_raise_{msi,msix}_irq() Use the dw_pcie_ep_align_addr() function to calculate the alignment in dw_pcie_ep_raise_{msi,msix}_irq() instead of open coding the same. Link: https://lore.kernel.org/r/20241017132052.4014605-6-cassel@kernel.org Link: https://lore.kernel.org/r/20241104205144.409236-2-cassel@kernel.org Tested-by: Damien Le Moal Signed-off-by: Niklas Cassel [kwilczynski: squashed patch that fixes memory map sizes] Signed-off-by: Krzysztof Wilczyński Reviewed-by: Damien Le Moal Reviewed-by: Frank Li Reviewed-by: Manivannan Sadhasivam commit ba58eee1c57b2ad45c36f782861c18faef170a55 Author: Bjorn Helgaas Date: Mon Nov 11 14:21:33 2024 -0600 PCI: Drop duplicate pcie_get_speed_cap(), pcie_get_width_cap() declarations 6cf57be0f78e ("PCI: Add pcie_get_speed_cap() to find max supported link speed") and c70b65fb7f12 ("PCI: Add pcie_get_width_cap() to find max supported link width") added declarations to drivers/pci/pci.h. 576c7218a154 ("PCI: Export pcie_get_speed_cap and pcie_get_width_cap") subsequently added duplicates to include/linux/pci.h. Remove the originals from drivers/pci/pci.h. Both interfaces are used by amdgpu, so they must be in include/linux/pci.h. Signed-off-by: Bjorn Helgaas Acked-by: Alex Deucher Acked-by: Krzysztof Wilczyński commit 838f12c3d551f8941295ed7085ad360c3d3ad665 Author: Ilpo Järvinen Date: Fri Oct 18 17:47:55 2024 +0300 selftests/pcie_bwctrl: Create selftests Create selftests for PCIe BW control through the PCIe cooling device sysfs interface. First, the BW control selftest finds the PCIe Port to test with. By default, the PCIe Port with the highest Link Speed is selected but another PCIe Port can be provided with -d parameter. The actual test steps the cur_state of the cooling device one-by-one from max_state to what the cur_state was initially. The speed change is confirmed by observing the current_link_speed for the corresponding PCIe Port. Link: https://lore.kernel.org/r/20241018144755.7875-10-ilpo.jarvinen@linux.intel.com Signed-off-by: Ilpo Järvinen Signed-off-by: Bjorn Helgaas Reviewed-by: Jonathan Cameron commit d278b098282d1327f6e1be82aacb18457a4d244d Author: Ilpo Järvinen Date: Fri Oct 18 17:47:54 2024 +0300 thermal: Add PCIe cooling driver Add a thermal cooling driver to provide path to access PCIe bandwidth controller using the usual thermal interfaces. A cooling device is instantiated for controllable PCIe Ports from the bwctrl service driver. If registering the cooling device fails, allow bwctrl's probe to succeed regardless. As cdev in that case contains IS_ERR() pseudo "pointer", clean that up inside the probe function so the remove side doesn't need to suddenly make an odd looking IS_ERR() check. The thermal side state 0 means no throttling, i.e., maximum supported PCIe Link Speed. Link: https://lore.kernel.org/r/20241018144755.7875-9-ilpo.jarvinen@linux.intel.com Signed-off-by: Ilpo Järvinen [bhelgaas: dropped data->cdev test per https://lore.kernel.org/r/ZzRm1SJTwEMRsAr8@wunner.de] Signed-off-by: Bjorn Helgaas Reviewed-by: Jonathan Cameron Acked-by: Rafael J. Wysocki # From the cooling device interface perspective commit de9a6c8d5dbfedb5eb3722c822da0490f6a59a45 Author: Ilpo Järvinen Date: Fri Oct 18 17:47:53 2024 +0300 PCI/bwctrl: Add pcie_set_target_speed() to set PCIe Link Speed Currently, PCIe Link Speeds are adjusted by custom code rather than in a common function provided in PCI core. The PCIe bandwidth controller (bwctrl) introduces an in-kernel API, pcie_set_target_speed(), to set PCIe Link Speed. Convert Target Speed quirk to use the new API. The Target Speed quirk runs very early when bwctrl is not yet probed for a Port and can also run later when bwctrl is already setup for the Port, which requires the per port mutex (set_speed_mutex) to be only taken if the bwctrl setup is already complete. The new API is also intended to be used in an upcoming commit that adds a thermal cooling device to throttle PCIe bandwidth when thermal thresholds are reached. The PCIe bandwidth control procedure is as follows. The highest speed supported by the Port and the PCIe device which is not higher than the requested speed is selected and written into the Target Link Speed in the Link Control 2 Register. Then bandwidth controller retrains the PCIe Link. Bandwidth Notifications enable the cur_bus_speed in the struct pci_bus to keep track PCIe Link Speed changes. While Bandwidth Notifications should also be generated when bandwidth controller alters the PCIe Link Speed, a few platforms do not deliver LMBS interrupt after Link Training as expected. Thus, after changing the Link Speed, bandwidth controller makes additional read for the Link Status Register to ensure cur_bus_speed is consistent with the new PCIe Link Speed. Link: https://lore.kernel.org/r/20241018144755.7875-8-ilpo.jarvinen@linux.intel.com Signed-off-by: Ilpo Järvinen [bhelgaas: squash devm_mutex_init() error checking from https://lore.kernel.org/r/20241030163139.2111689-1-andriy.shevchenko@linux.intel.com, drop export of pcie_set_target_speed()] Signed-off-by: Bjorn Helgaas Reviewed-by: Jonathan Cameron commit 665745f274870c921020f610e2c99a3b1613519b Author: Ilpo Järvinen Date: Fri Oct 18 17:47:52 2024 +0300 PCI/bwctrl: Re-add BW notification portdrv as PCIe BW controller This mostly reverts the commit b4c7d2076b4e ("PCI/LINK: Remove bandwidth notification"). An upcoming commit extends this driver building PCIe bandwidth controller on top of it. PCIe bandwidth notifications were first added in the commit e8303bb7a75c ("PCI/LINK: Report degraded links via link bandwidth notification") but later had to be removed. The significant changes compared with the old bandwidth notification driver include: 1) Don't print the notifications into kernel log, just keep the Link Speed cached in struct pci_bus updated. While somewhat unfortunate, the log spam was the source of complaints that eventually lead to the removal of the bandwidth notifications driver (see the links below for further information). 2) Besides the Link Bandwidth Management Interrupt, also enable Link Autonomous Bandwidth Interrupt to cover the other source of bandwidth changes. 3) Handle Link Speed updates robustly. Refresh the cached Link Speed when enabling Bandwidth Notification Interrupts, and solve the race between Link Speed read and LBMS/LABS update in pcie_bwnotif_irq_thread(). 4) Use concurrency safe LNKCTL RMW operations. 5) The driver is now called PCIe bwctrl (bandwidth controller) instead of just bandwidth notifications because of increased scope and functionality within the driver. 6) Coexist with the Target Link Speed quirk in pcie_failed_link_retrain(). Provide LBMS counting API for it. 7) Tweaks to variable/functions names for consistency and length reasons. Bandwidth Notifications enable the cur_bus_speed in the struct pci_bus to keep track PCIe Link Speed changes. [bhelgaas: This is based on previous work by Alexandru Gagniuc ; see e8303bb7a75c ("PCI/LINK: Report degraded links via link bandwidth notification")] Link: https://lore.kernel.org/r/20241018144755.7875-7-ilpo.jarvinen@linux.intel.com Link: https://lore.kernel.org/all/20190429185611.121751-1-helgaas@kernel.org/ Link: https://lore.kernel.org/linux-pci/20190501142942.26972-1-keith.busch@intel.com/ Link: https://lore.kernel.org/linux-pci/20200115221008.GA191037@google.com/ Suggested-by: Lukas Wunner # Building bwctrl on top of bwnotif Signed-off-by: Ilpo Järvinen [bhelgaas: squash fix to drop IRQF_ONESHOT and convert to hardirq handler: https://lore.kernel.org/r/20241115165717.15233-1-ilpo.jarvinen@linux.intel.com] Signed-off-by: Bjorn Helgaas Tested-by: Stefan Wahren Reviewed-by: Jonathan Cameron commit 6674c5a0eeb55143cd10514d0083624e056e7d13 Author: Kurt Borja Date: Mon Nov 11 15:36:39 2024 -0300 Documentation: alienware-wmi: Describe THERMAL_INFORMATION operation 0x02 This operation is used by alienware-wmi driver to avoid brute-forcing operation 0x03. Signed-off-by: Kurt Borja Reviewed-by: Ilpo Järvinen Link: https://lore.kernel.org/r/20241111183639.14726-1-kuurtb@gmail.com Signed-off-by: Ilpo Järvinen commit bfcda5cbcdb642a64d5b8a0229842dca7917ac6e Author: Kurt Borja Date: Mon Nov 11 15:36:23 2024 -0300 alienware-wmi: create_thermal_profile() no longer brute-forces IDs WMAX_METHOD_THERMAL_INFORMATION has a *system description* operation that outputs a buffer with the following structure: out[0] -> Number of fans out[1] -> Number of sensors out[2] -> 0x00 out[3] -> Number of thermal modes This is now used by create_thermal_profile() to retrieve available thermal codes instead of brute-forcing every ID. Tested on an Alienware x15 R1. Verified by checking ACPI tables of supported models. Signed-off-by: Kurt Borja Reviewed-by: Ilpo Järvinen Link: https://lore.kernel.org/r/20241111183623.14691-1-kuurtb@gmail.com Signed-off-by: Ilpo Järvinen commit 01bd181d21cf65e43f30948f9216571218732a12 Author: Kurt Borja Date: Mon Nov 11 15:36:09 2024 -0300 alienware-wmi: Adds support to Alienware x17 R2 Adds support to Alienware x17 R2 Tested-by: Samith Castro Signed-off-by: Kurt Borja Reviewed-by: Ilpo Järvinen Link: https://lore.kernel.org/r/20241111183609.14653-1-kuurtb@gmail.com Signed-off-by: Ilpo Järvinen commit 1c1eb70e7d235f5feb7b68861637a5fd0b52a9fd Author: Kurt Borja Date: Mon Nov 11 15:35:46 2024 -0300 alienware-wmi: extends the list of supported models Adds thermal + gmode quirk to: - Dell G15 5510 - Dell G15 5511 - Dell G15 5515 - Dell G3 3500 - Dell G3 3590 - Dell G5 5500 Adds thermal quirk to: - Alienware m18 R2 - Alienware m17 R5 AMD Support for these models was manually verified by reading their respective ACPI tables. Signed-off-by: Kurt Borja Reviewed-by: Ilpo Järvinen Link: https://lore.kernel.org/r/20241111183546.14617-1-kuurtb@gmail.com Signed-off-by: Ilpo Järvinen commit 2b8dc45b8ca31e3a0ed1d71cfc042b9b7af85dfb Author: Kurt Borja Date: Mon Nov 11 15:35:20 2024 -0300 alienware-wmi: order alienware_quirks[] alphabetically alienware_quirks[] entries are now ordered alphabetically Signed-off-by: Kurt Borja Reviewed-by: Ilpo Järvinen Link: https://lore.kernel.org/r/20241111183520.14573-1-kuurtb@gmail.com Signed-off-by: Ilpo Järvinen commit 8467d8b282b54d87121f70ce78061af004471d0c Author: Thorsten Blum Date: Mon Nov 11 21:47:21 2024 +0100 sparc: Replace one-element array with flexible array member Replace the deprecated one-element array with a modern flexible array member in the struct hvtramp_descr. Additionally, 15 unnecessary bytes were allocated for hdesc, but instead of fixing the parentheses in the open-coded version, use struct_size() to calculate the correct number of bytes. Link: https://github.com/KSPP/linux/issues/79 Signed-off-by: Thorsten Blum Fixes: 64658743fdd4 ("[SPARC64]: Remove most limitations to kernel image size.") Reviewed-by: Andreas Larsson Link: https://lore.kernel.org/r/20241111204724.165263-2-thorsten.blum@linux.dev Signed-off-by: Andreas Larsson commit f6dee26d26e3ef2a00620703fb5bf272dd459f47 Author: Koakuma Date: Tue Oct 29 21:49:08 2024 +0700 sparc/build: Add SPARC target flags for compiling with clang clang only supports building 64-bit kernel, so we use the sparc64-linux-gnu target. See also: https://lore.kernel.org/lkml/e26PTXUXEz8OYXmaeKn4Mpuejr4IOlFfFwdB5vpsluXlYiqDdlyQTYcDtdAny_o4gO4SfPeQCCN2qpyT6e0nog5EaP3xk2SeUPTrF54p1gM=@protonmail.com/T/#m068e010dcf8b99d3510a90d7532bcdb70e2e2c6b Signed-off-by: Koakuma Acked-by: Masahiro Yamada Acked-by: Nathan Chancellor Reviewed-by: Andreas Larsson Link: https://lore.kernel.org/r/20241029-sparc-cflags-v3-2-b28745a6bd71@protonmail.com Signed-off-by: Andreas Larsson commit 69114be15b35a4d7ff084a6415fad018da648942 Author: Koakuma Date: Tue Oct 29 21:49:07 2024 +0700 sparc/build: Put usage of -fcall-used* flags behind cc-option Place -fcall-used* flags behind cc-option so that clang (which doesn't support them) can still compile the kernel. This is a safe change, the reasoning is as follows: In the (normal) 32-bit ABI, %g5 and %g7 is normally reserved, and in the 64-bit ABI, %g7 is the reserved one. Linux turns them into volatile registers by the way of -fcall-used-*, but on the other hand, omitting the flags shouldn't be harmful; compilers will now simply refuse to touch them, and any assembly code that happens to touch them would still work like usual (because Linux' conventions already treats them as volatile anyway). Signed-off-by: Koakuma Reviewed-by: Nathan Chancellor Tested-by: Nathan Chancellor Reviewed-by: Andreas Larsson Link: https://lore.kernel.org/r/20241029-sparc-cflags-v3-1-b28745a6bd71@protonmail.com Signed-off-by: Andreas Larsson commit b5a23a60e8ab5711f4952912424347bf3864ce8d Author: Arnd Bergmann Date: Fri Nov 15 11:59:54 2024 +0100 serial: amba-pl011: fix build regression When CONFIG_DMA_ENGINE is disabled, the driver now fails to build: drivers/tty/serial/amba-pl011.c: In function 'pl011_unthrottle_rx': drivers/tty/serial/amba-pl011.c:1822:16: error: 'struct uart_amba_port' has no member named 'using_rx_dma' 1822 | if (uap->using_rx_dma) { | ^~ drivers/tty/serial/amba-pl011.c:1823:20: error: 'struct uart_amba_port' has no member named 'dmacr' 1823 | uap->dmacr |= UART011_RXDMAE; | ^~ drivers/tty/serial/amba-pl011.c:1824:32: error: 'struct uart_amba_port' has no member named 'dmacr' 1824 | pl011_write(uap->dmacr, uap, REG_DMACR); | ^~ Add the missing #ifdef check around these field accesses, matching what other parts of this driver do. Fixes: 2bcacc1c87ac ("serial: amba-pl011: Fix RX stall when DMA is used") Cc: stable Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202411140617.nkjeHhsK-lkp@intel.com/ Signed-off-by: Arnd Bergmann Link: https://lore.kernel.org/r/20241115110021.744332-1-arnd@kernel.org Signed-off-by: Greg Kroah-Hartman commit ff1060813d9347e8c45c8b8cff93a4dfdb6726ad Author: Mirsad Todorovac Date: Sat Nov 9 22:18:41 2024 +0100 net/9p/usbg: fix handling of the failed kzalloc() memory allocation On the linux-next, next-20241108 vanilla kernel, the coccinelle tool gave the following error report: ./net/9p/trans_usbg.c:912:5-11: ERROR: allocation function on line 911 returns NULL not ERR_PTR on failure kzalloc() failure is fixed to handle the NULL return case on the memory exhaustion. Fixes: a3be076dc174d ("net/9p/usbg: Add new usb gadget function transport") Cc: Michael Grzeschik Cc: Eric Van Hensbergen Cc: Latchesar Ionkov Cc: Dominique Martinet Cc: Christian Schoenebeck Cc: v9fs@lists.linux.dev Cc: linux-kernel@vger.kernel.org Signed-off-by: Mirsad Todorovac Message-ID: <20241109211840.721226-2-mtodorovac69@gmail.com> Signed-off-by: Dominique Martinet commit 45c5b88ba96c344fbd7336919696dfc4d5e0d760 Author: Colin Ian King Date: Thu Nov 7 09:57:56 2024 +0000 fs/9p: replace functions v9fs_cache_{register|unregister} with direct calls The helper functions v9fs_cache_register and v9fs_cache_unregister are trivial helper functions that don't offer any extra functionality and are unncessary. Replace them with direct calls to v9fs_init_inode_cache and v9fs_destroy_inode_cache respectively to simplify the code. Signed-off-by: Colin Ian King Message-ID: <20241107095756.10261-1-colin.i.king@gmail.com> Signed-off-by: Dominique Martinet commit 237d4e0f41130a5ff0e1c7dc1cb41ee2fe21cd2a Author: Amit Sunil Dhamne Date: Sat Nov 2 20:43:30 2024 -0700 usb: typec: tcpm: Add support for sink-bc12-completion-time-ms DT property Add support for parsing DT time property "sink-bc12-completion-time-ms". This timer is used to relax the PD state machine during Sink attach to allow completion of Battery Charging (BC1.2) charger type detection in TCPC before PD negotiations. BC1.2 detection is a hardware mechanism to detect charger port type that is run by some controllers (such as "maxim,max33359") in parallel to Type-C connection state machines. This is to ensure that BC1.2 completes before PD is enabled as running BC1.2 in parallel with PD negotiation results in delays violating timer constraints in PD spec. This is an optional timer and will not add any delay unless explicitly set. Signed-off-by: Amit Sunil Dhamne Reviewed-by: Badhri Jagan Sridharan Reviewed-by: Heikki Krogerus Link: https://lore.kernel.org/r/20241103034402.2460252-4-amitsd@google.com Signed-off-by: Greg Kroah-Hartman commit 3b9d67e7e9237cb91f4830456e45f7e213ce42c3 Author: Amit Sunil Dhamne Date: Sat Nov 2 20:43:29 2024 -0700 dt-bindings: usb: maxim,max33359: add usage of sink bc12 time property Add usage of "sink-bc12-completion-time-ms" connector property to max33359 controller for delaying PD negotiation till BC1.2 detection completes. This overcomes the occasional delays observed while receiving PD messages where BC1.2 detection runs in parallel. Signed-off-by: Amit Sunil Dhamne Reviewed-by: Badhri Jagan Sridharan Reviewed-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20241103034402.2460252-3-amitsd@google.com Signed-off-by: Greg Kroah-Hartman commit 9e5cb0978f7fc828363c55c58698a43b26069fec Author: Amit Sunil Dhamne Date: Sat Nov 2 20:43:28 2024 -0700 dt-bindings: connector: Add time property for Sink BC12 detection completion This commit adds a new time property for Battery charger (BC1.2) type detection completion process (based on BCv1.2 detection spec) when typec port connects in a potential sink role. BC1.2 detection is used by some Type C port controllers implementations (such as "maxim,max33359") to detect the type of charger port. Signed-off-by: Amit Sunil Dhamne Reviewed-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20241103034402.2460252-2-amitsd@google.com Signed-off-by: Greg Kroah-Hartman commit f5313c8b418c2efb9c0581d8066c5ae8c60c47de Author: Thinh Nguyen Date: Thu Nov 14 01:02:30 2024 +0000 usb: dwc3: gadget: Remove dwc3_request->needs_extra_trb Now that we track TRBs base on request->num_trbs on reclaim, we don't need to save the dwc3_request->needs_extra_trb check. Remove it. Signed-off-by: Thinh Nguyen Link: https://lore.kernel.org/r/08dd88a3308ac7894267c52340eaf0e1564bbf36.1731545781.git.Thinh.Nguyen@synopsys.com Signed-off-by: Greg Kroah-Hartman commit 61440628a4ffe0639c4f69a6ffa46c3a0bead3d5 Author: Thinh Nguyen Date: Thu Nov 14 01:02:24 2024 +0000 usb: dwc3: gadget: Cleanup SG handling The current logic in dwc3 driver is tracking req->num_queued_sgs and req->sg. But they can be checked base on the num_pending_sgs and num_trbs. They are redundant and can complicate the SG logic. Let's remove them. Signed-off-by: Thinh Nguyen Link: https://lore.kernel.org/r/96c7bf8f6b3e91e607d5b78ea51cb1d00c614eaf.1731545781.git.Thinh.Nguyen@synopsys.com Signed-off-by: Greg Kroah-Hartman commit b7fc65f5141c24785dc8c19249ca4efcf71b3524 Author: Thinh Nguyen Date: Thu Nov 14 01:02:18 2024 +0000 usb: dwc3: gadget: Fix looping of queued SG entries The dwc3_request->num_queued_sgs is decremented on completion. If a partially completed request is handled, then the dwc3_request->num_queued_sgs no longer reflects the total number of num_queued_sgs (it would be cleared). Correctly check the number of request SG entries remained to be prepare and queued. Failure to do this may cause null pointer dereference when accessing non-existent SG entry. Cc: stable@vger.kernel.org Fixes: c96e6725db9d ("usb: dwc3: gadget: Correct the logic for queuing sgs") Signed-off-by: Thinh Nguyen Link: https://lore.kernel.org/r/d07a7c4aa0fcf746cdca0515150dbe5c52000af7.1731545781.git.Thinh.Nguyen@synopsys.com Signed-off-by: Greg Kroah-Hartman commit 02a6982b0ccfcdc39e20016f5fc9a1b7826a6ee7 Author: Thinh Nguyen Date: Thu Nov 14 01:02:12 2024 +0000 usb: dwc3: gadget: Fix checking for number of TRBs left The check whether the TRB ring is full or empty in dwc3_calc_trbs_left() is insufficient. It assumes there are active TRBs if there's any request in the started_list. However, that's not the case for requests with a large SG list. That is, if we have a single usb request that requires more TRBs than the total TRBs in the TRB ring, the queued TRBs will be available when all the TRBs in the ring are completed. But the request is only partially completed and remains in the started_list. With the current logic, the TRB ring is empty, but dwc3_calc_trbs_left() returns 0. Fix this by additionally checking for the request->num_trbs for active TRB count. Cc: stable@vger.kernel.org Fixes: 51f1954ad853 ("usb: dwc3: gadget: Fix dwc3_calc_trbs_left()") Signed-off-by: Thinh Nguyen Link: https://lore.kernel.org/r/708dc62b56b77da1f704cc2ae9b6ddb1f2dbef1f.1731545781.git.Thinh.Nguyen@synopsys.com Signed-off-by: Greg Kroah-Hartman commit 5d2fb074dea289c41f5aaf2c3f68286bee370634 Author: Thinh Nguyen Date: Thu Nov 14 01:02:06 2024 +0000 usb: dwc3: ep0: Don't clear ep0 DWC3_EP_TRANSFER_STARTED The driver cannot issue the End Transfer command to the SETUP transfer. Don't clear DWC3_EP_TRANSFER_STARTED flag to make sure that the driver won't send Start Transfer command again, which can cause no-resource error. For example this can occur if the host issues a reset to the device. Cc: stable@vger.kernel.org Fixes: 76cb323f80ac ("usb: dwc3: ep0: clear all EP0 flags") Signed-off-by: Thinh Nguyen Link: https://lore.kernel.org/r/d3d618185fd614bb7426352a9fc1199641d3b5f5.1731545781.git.Thinh.Nguyen@synopsys.com Signed-off-by: Greg Kroah-Hartman commit 51cdd69d6a857f527d6d0697a2e1f0fa8bca1005 Author: Michal Vrastil Date: Wed Nov 13 15:54:33 2024 -0800 Revert "usb: gadget: composite: fix OS descriptors w_value logic" This reverts commit ec6ce7075ef879b91a8710829016005dc8170f17. Fix installation of WinUSB driver using OS descriptors. Without the fix the drivers are not installed correctly and the property 'DeviceInterfaceGUID' is missing on host side. The original change was based on the assumption that the interface number is in the high byte of wValue but it is in the low byte, instead. Unfortunately, the fix is based on MS documentation which is also wrong. The actual USB request for OS descriptors (using USB analyzer) looks like: Offset 0 1 2 3 4 5 6 7 0x000 C1 A1 02 00 05 00 0A 00 C1: bmRequestType (device to host, vendor, interface) A1: nas magic number 0002: wValue (2: nas interface) 0005: wIndex (5: get extended property i.e. nas interface GUID) 008E: wLength (142) The fix was tested on Windows 10 and Windows 11. Cc: stable@vger.kernel.org Fixes: ec6ce7075ef8 ("usb: gadget: composite: fix OS descriptors w_value logic") Signed-off-by: Michal Vrastil Signed-off-by: Elson Roy Serrao Acked-by: Peter korsgaard Link: https://lore.kernel.org/r/20241113235433.20244-1-quic_eserrao@quicinc.com Signed-off-by: Greg Kroah-Hartman commit 40c974826734836402abfd44efbf04f63a2cc1c1 Author: Vitalii Mordan Date: Fri Nov 15 02:03:10 2024 +0300 usb: ehci-spear: fix call balance of sehci clk handling routines If the clock sehci->clk was not enabled in spear_ehci_hcd_drv_probe, it should not be disabled in any path. Conversely, if it was enabled in spear_ehci_hcd_drv_probe, it must be disabled in all error paths to ensure proper cleanup. Found by Linux Verification Center (linuxtesting.org) with Klever. Fixes: 7675d6ba436f ("USB: EHCI: make ehci-spear a separate driver") Cc: stable@vger.kernel.org Signed-off-by: Vitalii Mordan Acked-by: Alan Stern Link: https://lore.kernel.org/r/20241114230310.432213-1-mordan@ispras.ru Signed-off-by: Greg Kroah-Hartman commit 44024ebf25918efb8c771e1b496250bc9c4ef893 Author: Yuesong Li Date: Fri Aug 23 14:55:46 2024 +0800 remoteproc: qcom: wcss: Remove double assignment in q6v5_wcss_probe() cocci report a double assignment warning.'wcss->version' was assigned twice in 'q6v5_wcss_probe()'. Signed-off-by: Yuesong Li Link: https://lore.kernel.org/r/20240823065546.3371378-1-liyuesong@vivo.com Signed-off-by: Bjorn Andersson commit 7b22b7719fc17d5979a991c918c868ab041be5c8 Author: Sibi Sankar Date: Mon Aug 19 13:00:20 2024 +0530 remoteproc: qcom_q6v5_mss: Re-order writes to the IMEM region Any write access to the IMEM region when the Q6 is setting up XPU protection on it will result in a XPU violation. Fix this by ensuring IMEM writes related to the MBA post-mortem logs happen before the Q6 is brought out of reset. Fixes: 318130cc9362 ("remoteproc: qcom_q6v5_mss: Add MBA log extraction support") Signed-off-by: Sibi Sankar Reviewed-by: Douglas Anderson Tested-by: Douglas Anderson Link: https://lore.kernel.org/r/20240819073020.3291287-1-quic_sibis@quicinc.com Signed-off-by: Bjorn Andersson commit 06c59d97f63c1b8af521fa5aef8a716fb988b285 Author: Jonathan Marek Date: Mon Oct 7 19:59:35 2024 -0400 rpmsg: glink: use only lower 16-bits of param2 for CMD_OPEN name length The name len field of the CMD_OPEN packet is only 16-bits and the upper 16-bits of "param2" are a different "prio" field, which can be nonzero in certain situations, and CMD_OPEN packets can be unexpectedly dropped because of this. Fix this by masking out the upper 16 bits of param2. Fixes: b4f8e52b89f6 ("rpmsg: Introduce Qualcomm RPM glink driver") Signed-off-by: Jonathan Marek Reviewed-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20241007235935.6216-1-jonathan@marek.ca Signed-off-by: Bjorn Andersson commit 70d35819531875a14f12fe341486992676df5c6d Author: Krzysztof Kozlowski Date: Fri Oct 11 15:09:18 2024 +0200 remoteproc: qcom_wcnss_iris: Simplify with dev_err_probe() Use dev_err_probe() to make error and defer code handling simpler. Signed-off-by: Krzysztof Kozlowski Reviewed-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20241011-remote-proc-dev-err-probe-v1-10-5abb4fc61eca@linaro.org Signed-off-by: Bjorn Andersson commit f21e504de8eaf30b534e2b7db25d140842a920ed Author: Krzysztof Kozlowski Date: Fri Oct 11 15:09:17 2024 +0200 remoteproc: qcom_q6v5_wcss: Simplify with dev_err_probe() Use dev_err_probe() to make error and defer code handling simpler. Signed-off-by: Krzysztof Kozlowski Reviewed-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20241011-remote-proc-dev-err-probe-v1-9-5abb4fc61eca@linaro.org Signed-off-by: Bjorn Andersson commit 427442e873d7af7a06ff4382b57197f43afa8ed4 Author: Krzysztof Kozlowski Date: Fri Oct 11 15:09:16 2024 +0200 remoteproc: qcom_q6v5_pas: Simplify with dev_err_probe() Use dev_err_probe() to make error and defer code handling simpler. Signed-off-by: Krzysztof Kozlowski Reviewed-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20241011-remote-proc-dev-err-probe-v1-8-5abb4fc61eca@linaro.org Signed-off-by: Bjorn Andersson commit 576dac284e7168307169f62d3f3f1a98235a2d2d Author: Krzysztof Kozlowski Date: Fri Oct 11 15:09:15 2024 +0200 remoteproc: qcom_q6v5_mss: Drop redundant error printks in probe Do not print errors of getting clocks and regulators in probe twice: once in q6v5_init_clocks() or q6v5_regulator_init() and then again in the probe function. This also avoids dmesg flood on deferred probe. Signed-off-by: Krzysztof Kozlowski Reviewed-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20241011-remote-proc-dev-err-probe-v1-7-5abb4fc61eca@linaro.org Signed-off-by: Bjorn Andersson commit 63b07ee3377b8c4ce7f8aa678c80d78c2526bb28 Author: Krzysztof Kozlowski Date: Fri Oct 11 15:09:14 2024 +0200 remoteproc: qcom_q6v5_mss: Simplify with dev_err_probe() Use dev_err_probe() to make error and defer code handling simpler. Signed-off-by: Krzysztof Kozlowski Reviewed-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20241011-remote-proc-dev-err-probe-v1-6-5abb4fc61eca@linaro.org Signed-off-by: Bjorn Andersson commit 85865e839049c5d443eef4279d711bc292bee84c Author: Krzysztof Kozlowski Date: Fri Oct 11 15:09:13 2024 +0200 remoteproc: qcom_q6v5_adsp: Simplify with dev_err_probe() Use dev_err_probe() to make error and defer code handling simpler. Signed-off-by: Krzysztof Kozlowski Reviewed-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20241011-remote-proc-dev-err-probe-v1-5-5abb4fc61eca@linaro.org Signed-off-by: Bjorn Andersson commit 8a47704d64c9afda80e7f399ba2cf898cfcc45b2 Author: Balaji Pothunoori Date: Fri Oct 18 16:29:11 2024 +0530 remoteproc: qcom_q6v5_pas: disable auto boot for wpss Currently, the rproc "atomic_t power" variable is incremented during: a. WPSS rproc auto boot. b. AHB power on for ath11k. During AHB power off (rmmod ath11k_ahb.ko), rproc_shutdown fails to unload the WPSS firmware because the rproc->power value is '2', causing the atomic_dec_and_test(&rproc->power) condition to fail. Consequently, during AHB power on (insmod ath11k_ahb.ko), QMI_WLANFW_HOST_CAP_REQ_V01 fails due to the host and firmware QMI states being out of sync. Fixes: 300ed425dfa9 ("remoteproc: qcom_q6v5_pas: Add SC7280 ADSP, CDSP & WPSS") Cc: stable@vger.kernel.org Signed-off-by: Balaji Pothunoori Reviewed-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20241018105911.165415-1-quic_bpothuno@quicinc.com Signed-off-by: Bjorn Andersson commit b64b1266d6195d9bbfa75a93b4265fba2d447c86 Author: Bjorn Andersson Date: Tue Oct 22 04:21:03 2024 +0000 remoteproc: qcom: pas: Make remoteproc name human friendly The remoteproc "name" property is supposed to present the "human readable" name of the remoteproc, while using the device name is readable, it's not "friendly". Instead, use the "sysmon_name" as the identifier for the remoteproc instance. It matches the typical names used when we speak about each instance, while still being unique. Signed-off-by: Bjorn Andersson Reviewed-by: Dmitry Baryshkov Reviewed-by: Chris Lew Link: https://lore.kernel.org/r/20241022-rproc-friendly-name-v1-1-350c82b075cb@oss.qualcomm.com Signed-off-by: Bjorn Andersson commit 009e288c989b3fe548a45c82da407d7bd00418a9 Author: Dmitry Baryshkov Date: Sun Oct 27 01:09:45 2024 +0300 remoteproc: qcom: pas: enable SAR2130P audio DSP support Enable support for the Audio DSP on the Qualcomm SAR2130P platform, reusing the SM8350 resources. Signed-off-by: Dmitry Baryshkov Reviewed-by: Neil Armstrong Link: https://lore.kernel.org/r/20241027-sar2130p-adsp-v1-3-bd204e39d24e@linaro.org Signed-off-by: Bjorn Andersson commit e8983156d54f59f57e648ecd44f01c16572da842 Author: Dmitry Baryshkov Date: Sun Oct 27 01:09:44 2024 +0300 remoteproc: qcom: pas: add minidump_id to SM8350 resources Specify minidump_id for the SM8350 DSPs. It was omitted for in the original commit e8b4e9a21af7 ("remoteproc: qcom: pas: Add SM8350 PAS remoteprocs"). Fixes: e8b4e9a21af7 ("remoteproc: qcom: pas: Add SM8350 PAS remoteprocs") Signed-off-by: Dmitry Baryshkov Reviewed-by: Neil Armstrong Link: https://lore.kernel.org/r/20241027-sar2130p-adsp-v1-2-bd204e39d24e@linaro.org Signed-off-by: Bjorn Andersson commit e45dd409a81a5f6f5e2b2337b0e10091f054fe11 Author: Dmitry Baryshkov Date: Sun Oct 27 01:09:43 2024 +0300 dt-bindings: remoteproc: qcom,sm8350-pas: add SAR2130P aDSP compatible Document compatible for audio DSP on Qualcomm SAR2130P platform. Signed-off-by: Dmitry Baryshkov Reviewed-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20241027-sar2130p-adsp-v1-1-bd204e39d24e@linaro.org Signed-off-by: Bjorn Andersson commit ec257dd3d36b49f34bf29551d2964f7a0cd6be66 Author: Krzysztof Kozlowski Date: Fri Nov 1 18:03:09 2024 +0100 dt-bindings: remoteproc: qcom,sm8550-pas: Add SM8750 ADSP Document compatible for Qualcomm SM8750 SoC ADSP PAS which looks fully compatible with SM8550 variant. The only difference from bindings point of view is one more interrupt ("shutdown-ack"). Marking devices as compatible, using SM8550 ADSP PAS fallback, requires changing some of the conditionals in "if:then:" to "contains". Signed-off-by: Krzysztof Kozlowski Reviewed-by: Melody Olvera Acked-by: Rob Herring (Arm) Link: https://lore.kernel.org/r/20241101170309.382782-1-krzysztof.kozlowski@linaro.org Signed-off-by: Bjorn Andersson commit 60e7c43e61c9a64253fc90f54fee0c92b3d1e3fe Author: Joe Hattori Date: Fri Nov 8 13:13:55 2024 +0900 remoteproc: qcom: wcss: Remove subdevs on the error path of q6v5_wcss_probe() Current implementation of q6v5_wcss_probe() in qcom_q6v5_wcss.c and does not remove the subdevs on the error path. Fix this bug by calling qcom_remove_{ssr,sysmon,pdm,glink}_subdev(), and qcom_q6v5_deinit() appropriately. Signed-off-by: Joe Hattori Link: https://lore.kernel.org/r/c4437393bfaeda69351157849b5e0a904586b1c2.1731038950.git.joe@pf.is.s.u-tokyo.ac.jp Signed-off-by: Bjorn Andersson commit fe80d3205e91e36e67f4d3d6c326793298d15766 Author: Joe Hattori Date: Fri Nov 8 13:13:54 2024 +0900 remoteproc: qcom: adsp: Remove subdevs on the error path of adsp_probe() Current implementation of adsp_probe() in qcom_q6v5_adsp.c and does not remove the subdevs of adsp on the error path. Fix this bug by calling qcom_remove_{ssr,sysmon,pdm,smd,glink}_subdev(), and qcom_q6v5_deinit() appropriately. Fixes: dc160e449122 ("remoteproc: qcom: Introduce Non-PAS ADSP PIL driver") Signed-off-by: Joe Hattori Link: https://lore.kernel.org/r/fed3df4219543d46b88bacf87990d947f3fac8d7.1731038950.git.joe@pf.is.s.u-tokyo.ac.jp Signed-off-by: Bjorn Andersson commit 587b67cf62a91b10a47f41c20ed8ad71db375334 Author: Joe Hattori Date: Fri Nov 8 13:13:53 2024 +0900 remoteproc: qcom: pas: Remove subdevs on the error path of adsp_probe() Current implementation of adsp_probe() in qcom_q6v5_pas.c does not remove the subdevs of adsp on the error path. Fix this bug by calling qcom_remove_{ssr,sysmon,pdm,smd,glink}_subdev(), qcom_q6v5_deinit(), and adsp_unassign_memory_region() appropriately. Fixes: 4b48921a8f74 ("remoteproc: qcom: Use common SMD edge handler") Signed-off-by: Joe Hattori Link: https://lore.kernel.org/r/a1cabc64240022a7f1d5237aa2aa6f72d8fb7052.1731038950.git.joe@pf.is.s.u-tokyo.ac.jp Signed-off-by: Bjorn Andersson commit 38f83a57aa8e644f37a88d4771d756303cfa7365 Merge: 1c9786163b8904 37e0ca657a3dd2 Author: Jakub Kicinski Date: Fri Nov 15 18:47:07 2024 -0800 Merge branch 'virtio-net-support-af_xdp-zero-copy-tx' Xuan Zhuo says: ==================== virtio-net: support AF_XDP zero copy (tx) XDP socket(AF_XDP) is an excellent bypass kernel network framework. The zero copy feature of xsk (XDP socket) needs to be supported by the driver. The performance of zero copy is very good. mlx5 and intel ixgbe already support this feature, This patch set allows virtio-net to support xsk's zerocopy xmit feature. At present, we have completed some preparation: 1. vq-reset (virtio spec and kernel code) 2. virtio-core premapped dma 3. virtio-net xdp refactor So it is time for Virtio-Net to complete the support for the XDP Socket Zerocopy. Virtio-net can not increase the queue num at will, so xsk shares the queue with kernel. This patch set includes some refactor to the virtio-net to let that to support AF_XDP. The current configuration sets the virtqueue (vq) to premapped mode, implying that all buffers submitted to this queue must be mapped ahead of time. This presents a challenge for the virtnet send queue (sq): the virtnet driver would be required to keep track of dma information for vq size * 17, which can be substantial. However, if the premapped mode were applied on a per-buffer basis, the complexity would be greatly reduced. With AF_XDP enabled, AF_XDP buffers would become premapped, while kernel skb buffers could remain unmapped. We can distinguish them by sg_page(sg), When sg_page(sg) is NULL, this indicates that the driver has performed DMA mapping in advance, allowing the Virtio core to directly utilize sg_dma_address(sg) without conducting any internal DMA mapping. Additionally, DMA unmap operations for this buffer will be bypassed. ENV: Qemu with vhost-user(polling mode). Host CPU: Intel(R) Xeon(R) Platinum 8163 CPU @ 2.50GHz testpmd> show port stats all ######################## NIC statistics for port 0 ######################## RX-packets: 19531092064 RX-missed: 0 RX-bytes: 1093741155584 RX-errors: 0 RX-nombuf: 0 TX-packets: 5959955552 TX-errors: 0 TX-bytes: 371030645664 Throughput (since last show) Rx-pps: 8861574 Rx-bps: 3969985208 Tx-pps: 8861493 Tx-bps: 3969962736 ############################################################################ testpmd> show port stats all ######################## NIC statistics for port 0 ######################## RX-packets: 68152727 RX-missed: 0 RX-bytes: 3816552712 RX-errors: 0 RX-nombuf: 0 TX-packets: 68114967 TX-errors: 33216 TX-bytes: 3814438152 Throughput (since last show) Rx-pps: 6333196 Rx-bps: 2837272088 Tx-pps: 6333227 Tx-bps: 2837285936 ############################################################################ But AF_XDP consumes more CPU for tx and rx napi(100% and 86%). ==================== Link: https://patch.msgid.link/20241112012928.102478-1-xuanzhuo@linux.alibaba.com Signed-off-by: Jakub Kicinski commit 37e0ca657a3dd23338beed218d0f51a57057df42 Author: Xuan Zhuo Date: Tue Nov 12 09:29:28 2024 +0800 virtio_net: xdp_features add NETDEV_XDP_ACT_XSK_ZEROCOPY Now, we support AF_XDP(xsk). Add NETDEV_XDP_ACT_XSK_ZEROCOPY to xdp_features. Signed-off-by: Xuan Zhuo Acked-by: Jason Wang Link: https://patch.msgid.link/20241112012928.102478-14-xuanzhuo@linux.alibaba.com Signed-off-by: Jakub Kicinski commit e2c5c57f1af86ba773a88251ba20ee29028bfae5 Author: Xuan Zhuo Date: Tue Nov 12 09:29:27 2024 +0800 virtio_net: update tx timeout record If send queue sent some packets, we update the tx timeout record to prevent the tx timeout. Signed-off-by: Xuan Zhuo Acked-by: Jason Wang Link: https://patch.msgid.link/20241112012928.102478-13-xuanzhuo@linux.alibaba.com Signed-off-by: Jakub Kicinski commit 89f86675cb0348c9c7acf77263c2359e772a6768 Author: Xuan Zhuo Date: Tue Nov 12 09:29:26 2024 +0800 virtio_net: xsk: tx: support xmit xsk buffer The driver's tx napi is very important for XSK. It is responsible for obtaining data from the XSK queue and sending it out. At the beginning, we need to trigger tx napi. virtnet_free_old_xmit distinguishes three type ptr(skb, xdp frame, xsk buffer) by the last bits of the pointer. Signed-off-by: Xuan Zhuo Acked-by: Jason Wang Link: https://patch.msgid.link/20241112012928.102478-12-xuanzhuo@linux.alibaba.com Signed-off-by: Jakub Kicinski commit 1df5116a41a823f6c6755b1d04062f56ba4ea1e5 Author: Xuan Zhuo Date: Tue Nov 12 09:29:25 2024 +0800 virtio_net: xsk: prevent disable tx napi Since xsk's TX queue is consumed by TX NAPI, if sq is bound to xsk, then we must stop tx napi from being disabled. Signed-off-by: Xuan Zhuo Acked-by: Jason Wang Link: https://patch.msgid.link/20241112012928.102478-11-xuanzhuo@linux.alibaba.com Signed-off-by: Jakub Kicinski commit 21a4e3ce6dc7b0a3bc882ebe1cb921a40235ddb0 Author: Xuan Zhuo Date: Tue Nov 12 09:29:24 2024 +0800 virtio_net: xsk: bind/unbind xsk for tx This patch implement the logic of bind/unbind xsk pool to sq and rq. Signed-off-by: Xuan Zhuo Acked-by: Jason Wang Link: https://patch.msgid.link/20241112012928.102478-10-xuanzhuo@linux.alibaba.com Signed-off-by: Jakub Kicinski commit 7db956707f5f57e18c5ebf1681db2923eb6144e1 Author: Xuan Zhuo Date: Tue Nov 12 09:29:23 2024 +0800 virtio_net: refactor the xmit type Because the af-xdp will introduce a new xmit type, so I refactor the xmit type mechanism first. We know both xdp_frame and sk_buff are at least 4 bytes aligned. For the xdp tx, we do not pass any pointer to virtio core as data, we just need to pass the len of the packet. So we will push len to the void pointer. We can make sure the pointer is 4 bytes aligned. And the data structure of AF_XDP also is at least 4 bytes aligned. So the last two bits of the pointers are free, we can't use these to distinguish them. 00 for skb 01 for SKB_ORPHAN 10 for XDP 11 for AF-XDP tx Signed-off-by: Xuan Zhuo Acked-by: Jason Wang Link: https://patch.msgid.link/20241112012928.102478-9-xuanzhuo@linux.alibaba.com Signed-off-by: Jakub Kicinski commit 880ebcbe06636c42cfb328039581e177c6cd6ba5 Author: Xuan Zhuo Date: Tue Nov 12 09:29:22 2024 +0800 virtio_ring: remove API virtqueue_set_dma_premapped Now, this API is useless. remove it. Signed-off-by: Xuan Zhuo Acked-by: Jason Wang Link: https://patch.msgid.link/20241112012928.102478-8-xuanzhuo@linux.alibaba.com Signed-off-by: Jakub Kicinski commit 31f3cd4e5756b5ae2bbc05e1ea28d2242dd2c03f Author: Xuan Zhuo Date: Tue Nov 12 09:29:21 2024 +0800 virtio-net: rq submits premapped per-buffer virtio-net rq submits premapped per-buffer by setting sg page to NULL; Signed-off-by: Xuan Zhuo Acked-by: Jason Wang Link: https://patch.msgid.link/20241112012928.102478-7-xuanzhuo@linux.alibaba.com Signed-off-by: Jakub Kicinski commit 3ef66af31feaf5ff5dd73e63b1327789822ed476 Author: Xuan Zhuo Date: Tue Nov 12 09:29:20 2024 +0800 virtio_ring: introduce add api for premapped Two APIs are introduced to submit premapped per-buffers. int virtqueue_add_inbuf_premapped(struct virtqueue *vq, struct scatterlist *sg, unsigned int num, void *data, void *ctx, gfp_t gfp); int virtqueue_add_outbuf_premapped(struct virtqueue *vq, struct scatterlist *sg, unsigned int num, void *data, gfp_t gfp); Signed-off-by: Xuan Zhuo Acked-by: Jason Wang Link: https://patch.msgid.link/20241112012928.102478-6-xuanzhuo@linux.alibaba.com Signed-off-by: Jakub Kicinski commit c7e1b422afac5385832297af8ad86e63742c6e40 Author: Xuan Zhuo Date: Tue Nov 12 09:29:19 2024 +0800 virtio_ring: perform premapped operations based on per-buffer The current configuration sets the virtqueue (vq) to premapped mode, implying that all buffers submitted to this queue must be mapped ahead of time. This presents a challenge for the virtnet send queue (sq): the virtnet driver would be required to keep track of dma information for vq size * 17, which can be substantial. However, if the premapped mode were applied on a per-buffer basis, the complexity would be greatly reduced. With AF_XDP enabled, AF_XDP buffers would become premapped, while kernel skb buffers could remain unmapped. And consider that some sgs are not generated by the virtio driver, that may be passed from the block stack. So we can not change the sgs, new APIs are the better way. So we pass the new argument 'premapped' to indicate the buffers submitted to virtio are premapped in advance. Additionally, DMA unmap operations for these buffers will be bypassed. Suggested-by: Jason Wang Signed-off-by: Xuan Zhuo Acked-by: Jason Wang Link: https://patch.msgid.link/20241112012928.102478-5-xuanzhuo@linux.alibaba.com Signed-off-by: Jakub Kicinski commit aaa789843a93faa7e2bb309b7647f1cc0a083158 Author: Xuan Zhuo Date: Tue Nov 12 09:29:18 2024 +0800 virtio_ring: packed: record extras for indirect buffers The subsequent commit needs to know whether every indirect buffer is premapped or not. So we need to introduce an extra struct for every indirect buffer to record this info. Signed-off-by: Xuan Zhuo Acked-by: Jason Wang Link: https://patch.msgid.link/20241112012928.102478-4-xuanzhuo@linux.alibaba.com Signed-off-by: Jakub Kicinski commit bc2b4c3401c6acaba6c35837c415874cff91b124 Author: Xuan Zhuo Date: Tue Nov 12 09:29:17 2024 +0800 virtio_ring: split: record extras for indirect buffers The subsequent commit needs to know whether every indirect buffer is premapped or not. So we need to introduce an extra struct for every indirect buffer to record this info. Signed-off-by: Xuan Zhuo Acked-by: Jason Wang Link: https://patch.msgid.link/20241112012928.102478-3-xuanzhuo@linux.alibaba.com Signed-off-by: Jakub Kicinski commit 9f19c084057abfb8e4676e6e91866bfa5a6a5577 Author: Xuan Zhuo Date: Tue Nov 12 09:29:16 2024 +0800 virtio_ring: introduce vring_need_unmap_buffer To make the code readable, introduce vring_need_unmap_buffer() to replace do_unmap. use_dma_api premapped -> vring_need_unmap_buffer() 1. false false false 2. true false true 3. true true false Signed-off-by: Xuan Zhuo Acked-by: Jason Wang Link: https://patch.msgid.link/20241112012928.102478-2-xuanzhuo@linux.alibaba.com Signed-off-by: Jakub Kicinski commit 1c9786163b89042483fd9f9c9ad48df8edf79cfe Merge: e709d44241634a e400c7444d84b0 Author: Jakub Kicinski Date: Fri Nov 15 18:21:34 2024 -0800 Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/next-queue Tony Nguyen says: ==================== Intel Wired LAN Driver Updates 2024-11-05 (ice, ixgbe, igc. igb, igbvf, e1000) For ice: Mateusz refactors and adds additional SerDes configuration values to be output. Przemek refactors processing of DDP and adds support for a flag field in the DDP's signature segment header. Joe Damato adds support for persistent NAPI config. Brett adjusts setting of Tx promiscuous based on unicast/multicast setting. Jake moves setting of pf->supported_rxdids to occur directly after DDP load and changes a small struct to use stack memory. Frederic Weisbecker adds WQ_UNBOUND flag to the workqueue. For ixgbe: Diomidis Spinellis removes a circular dependency. For igc: Vitaly removes an unneeded autoneg parameter. For igb: Johnny Park fixes a couple of typos. For igbvf: Wander Lairson Costa removes an unused spinlock. For e1000: Joe Damato adds RTNL lock to some calls where it is expected to be held. * '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/next-queue: e1000: Hold RTNL when e1000_down can be called igbvf: remove unused spinlock igb: Fix 2 typos in comments in igb_main.c igc: remove autoneg parameter from igc_mac_info ixgbe: Break include dependency cycle ice: Unbind the workqueue ice: use stack variable for virtchnl_supported_rxdids ice: initialize pf->supported_rxdids immediately after loading DDP ice: only allow Tx promiscuous for multicast ice: Add support for persistent NAPI config ice: support optional flags in signature segment header ice: refactor "last" segment of DDP pkg ice: extend dump serdes equalizer values feature ice: rework of dump serdes equalizer values feature ==================== Link: https://patch.msgid.link/20241113185431.1289708-1-anthony.l.nguyen@intel.com Signed-off-by: Jakub Kicinski commit e709d44241634a2bec45b3638e58c71e986a98ff Merge: 2a8ce470c59e6a 15880bec9bc32d Author: Jakub Kicinski Date: Fri Nov 15 16:39:21 2024 -0800 Merge branch 'net-ndo_fdb_add-del-have-drivers-report-whether-they-notified' Petr Machata says: ==================== net: ndo_fdb_add/del: Have drivers report whether they notified Currently when FDB entries are added to or deleted from a VXLAN netdevice, the VXLAN driver emits one notification, including the VXLAN-specific attributes. The core however always sends a notification as well, a generic one. Thus two notifications are unnecessarily sent for these operations. A similar situation comes up with bridge driver, which also emits notifications on its own. # ip link add name vx type vxlan id 1000 dstport 4789 # bridge monitor fdb & [1] 1981693 # bridge fdb add de:ad:be:ef:13:37 dev vx self dst 192.0.2.1 de:ad:be:ef:13:37 dev vx dst 192.0.2.1 self permanent de:ad:be:ef:13:37 dev vx self permanent In order to prevent this duplicity, add a parameter, bool *notified, to ndo_fdb_add and ndo_fdb_del. The flag is primed to false, and if the callee sends a notification on its own, it sets the flag to true, thus informing the core that it should not generate another notification. Patches #1 to #2 are concerned with the above. In the remaining patches, #3 to #7, add a selftest. This takes place across several patches. Many of the helpers we would like to use for the test are in forwarding/lib.sh, whereas net/ is a more suitable place for the test, so the libraries need to be massaged a bit first. ==================== Link: https://patch.msgid.link/cover.1731589511.git.petrm@nvidia.com Signed-off-by: Jakub Kicinski commit 15880bec9bc32ddc8f70f8c551745c2344233372 Author: Petr Machata Date: Thu Nov 14 15:09:59 2024 +0100 selftests: net: fdb_notify: Add a test for FDB notifications Check that only one notification is produced for various FDB edit operations. Regarding the ip_link_add() and ip_link_master() helpers. This pattern of action plus corresponding defer is bound to come up often, and a dedicated vocabulary to capture it will be handy. tunnel_create() and vlan_create() from forwarding/lib.sh are somewhat opaque and perhaps too kitchen-sinky, so I tried to go in the opposite direction with these ones, and wrapped only the bare minimum to schedule a corresponding cleanup. Signed-off-by: Petr Machata Reviewed-by: Amit Cohen Acked-by: Shuah Khan Link: https://patch.msgid.link/910c5880ae6d3b558d6889cbdba2be690c2615c6.1731589511.git.petrm@nvidia.com Signed-off-by: Jakub Kicinski commit 46f6569cf0754e27816403c3701c7070ff281ad0 Author: Petr Machata Date: Thu Nov 14 15:09:58 2024 +0100 selftests: net: lib: Add kill_process A number of selftests run processes in the background and need to kill them afterwards. Instead for everyone to open-code the kill / wait / redirect mantra, add a helper in net/lib.sh. Convert existing open-code sites. Signed-off-by: Petr Machata Acked-by: Shuah Khan Reviewed-by: Amit Cohen Link: https://patch.msgid.link/a9db102067d741c118f0bd93b10c75e2a34665ea.1731589511.git.petrm@nvidia.com Signed-off-by: Jakub Kicinski commit af76b4431818cf7a73cf0ec19465ad3b01cdb159 Author: Petr Machata Date: Thu Nov 14 15:09:57 2024 +0100 selftests: net: lib: Move checks from forwarding/lib.sh here For logging to be useful, something has to set RET and retmsg by calling ret_set_ksft_status(). There is a suite of functions to that end in forwarding/lib: check_err, check_fail et.al. Move them to net/lib.sh so that every net test can use them. Existing lib.sh users might be using these same names for their functions. However lib.sh is always sourced near the top of the file (checked), and whatever new definitions will simply override the ones provided by lib.sh. Signed-off-by: Petr Machata Reviewed-by: Amit Cohen Acked-by: Shuah Khan Link: https://patch.msgid.link/f488a00dc85b8e0c1f3c71476b32b21b5189a847.1731589511.git.petrm@nvidia.com Signed-off-by: Jakub Kicinski commit 601d9d70a40a8ccf93f41a153dd4c9aa1db60d57 Author: Petr Machata Date: Thu Nov 14 15:09:56 2024 +0100 selftests: net: lib: Move tests_run from forwarding/lib.sh here It would be good to use the same mechanism for scheduling and dispatching general net tests as the many forwarding tests already use. To that end, move the logging helpers to net/lib.sh so that every net test can use them. Existing lib.sh users might be using the name themselves. However lib.sh is always sourced near the top of the file (checked), and whatever new definition will simply override the one provided by lib.sh. Signed-off-by: Petr Machata Reviewed-by: Amit Cohen Acked-by: Shuah Khan Link: https://patch.msgid.link/a6fc083486493425b2c61185c327845b6ce3233a.1731589511.git.petrm@nvidia.com Signed-off-by: Jakub Kicinski commit b219bcfcc92e9bd50c6277ac68cb75f64b403e5e Author: Petr Machata Date: Thu Nov 14 15:09:55 2024 +0100 selftests: net: lib: Move logging from forwarding/lib.sh here Many net selftests invent their own logging helpers. These really should be in a library sourced by these tests. Currently forwarding/lib.sh has a suite of perfectly fine logging helpers, but sourcing a forwarding/ library from a higher-level directory smells of layering violation. In this patch, move the logging helpers to net/lib.sh so that every net test can use them. Together with the logging helpers, it's also necessary to move pause_on_fail(), and EXIT_STATUS and RET. Existing lib.sh users might be using these same names for their functions or variables. However lib.sh is always sourced near the top of the file (checked), and whatever new definitions will simply override the ones provided by lib.sh. Signed-off-by: Petr Machata Reviewed-by: Amit Cohen Acked-by: Shuah Khan Link: https://patch.msgid.link/edd3785a3bd72ffbe1409300989e993ee50ae98b.1731589511.git.petrm@nvidia.com Signed-off-by: Jakub Kicinski commit 42575ad5aab932273475d1ec3e7881cb5a05420e Author: Petr Machata Date: Thu Nov 14 15:09:54 2024 +0100 ndo_fdb_del: Add a parameter to report whether notification was sent In a similar fashion to ndo_fdb_add, which was covered in the previous patch, add the bool *notified argument to ndo_fdb_del. Callees that send a notification on their own set the flag to true. Signed-off-by: Petr Machata Reviewed-by: Amit Cohen Reviewed-by: Nikolay Aleksandrov Link: https://patch.msgid.link/06b1acf4953ef0a5ed153ef1f32d7292044f2be6.1731589511.git.petrm@nvidia.com Signed-off-by: Jakub Kicinski commit 4b42fbc6bd8f73d9ded535d8c61ccaa837ff3bd4 Author: Petr Machata Date: Thu Nov 14 15:09:53 2024 +0100 ndo_fdb_add: Add a parameter to report whether notification was sent Currently when FDB entries are added to or deleted from a VXLAN netdevice, the VXLAN driver emits one notification, including the VXLAN-specific attributes. The core however always sends a notification as well, a generic one. Thus two notifications are unnecessarily sent for these operations. A similar situation comes up with bridge driver, which also emits notifications on its own: # ip link add name vx type vxlan id 1000 dstport 4789 # bridge monitor fdb & [1] 1981693 # bridge fdb add de:ad:be:ef:13:37 dev vx self dst 192.0.2.1 de:ad:be:ef:13:37 dev vx dst 192.0.2.1 self permanent de:ad:be:ef:13:37 dev vx self permanent In order to prevent this duplicity, add a paremeter to ndo_fdb_add, bool *notified. The flag is primed to false, and if the callee sends a notification on its own, it sets it to true, thus informing the core that it should not generate another notification. Signed-off-by: Petr Machata Reviewed-by: Amit Cohen Reviewed-by: Nikolay Aleksandrov Link: https://patch.msgid.link/cbf6ae8195e85cbf922f8058ce4eba770f3b71ed.1731589511.git.petrm@nvidia.com Signed-off-by: Jakub Kicinski commit 2a8ce470c59e6a0822291ec6cf5fd5fde5561fdf Merge: bf3c76b4c46a53 39007e1c1c7cb2 Author: Jakub Kicinski Date: Fri Nov 15 16:26:56 2024 -0800 Merge branch 'modifying-format-and-renaming-goto-labels' Justin Lai says: ==================== Modifying format and renaming goto labels This patch set primarily involves modifying the enum rtase_registers format and renaming the goto labels in rtase_init_one. ==================== Link: https://patch.msgid.link/20241114112549.376101-1-justinlai0215@realtek.com Signed-off-by: Jakub Kicinski commit 39007e1c1c7cb28104bf2b8f1f3e73aee3dea4c4 Author: Justin Lai Date: Thu Nov 14 19:25:49 2024 +0800 rtase: Modify the content format of the enum rtase_registers Remove unnecessary spaces. Signed-off-by: Justin Lai Reviewed-by: Simon Horman Link: https://patch.msgid.link/20241114112549.376101-3-justinlai0215@realtek.com Signed-off-by: Jakub Kicinski commit fdb53791195ce8fe99ba5e538689f5b3e5968ced Author: Justin Lai Date: Thu Nov 14 19:25:48 2024 +0800 rtase: Modify the name of the goto label Modify the name of the goto label in rtase_init_one(). Signed-off-by: Justin Lai Reviewed-by: Simon Horman Link: https://patch.msgid.link/20241114112549.376101-2-justinlai0215@realtek.com Signed-off-by: Jakub Kicinski commit bf3c76b4c46a532c78e2b26e0dfde1f58231261f Merge: 11ee317d883ef1 6c59f16f177048 Author: Jakub Kicinski Date: Fri Nov 15 16:25:39 2024 -0800 Merge branch 'net-netpoll-improve-skb-pool-management' Breno Leitao says: ==================== net: netpoll: Improve SKB pool management The netpoll subsystem pre-allocates 32 SKBs in a pool for emergency use during out-of-memory conditions. However, the current implementation has several inefficiencies: * The SKB pool, once allocated, is never freed: * Resources remain allocated even after netpoll users are removed * Failed initialization can leave pool populated forever * The global pool design makes resource tracking difficult This series addresses these issues through three patches: Patch 1 ("net: netpoll: Individualize the skb pool"): - Replace global pool with per-user pools in netpoll struct Patch 2 ("net: netpoll: flush skb pool during cleanup"): - Properly free pool resources during netconsole cleanup These changes improve resource management and make the code more maintainable. As a side benefit, the improved structure would allow netpoll to be modularized if desired in the future. v2: https://lore.kernel.org/20241107-skb_buffers_v2-v2-0-288c6264ba4f@debian.org v1: https://lore.kernel.org/20241025142025.3558051-1-leitao@debian.org ==================== Link: https://patch.msgid.link/20241114-skb_buffers_v2-v3-0-9be9f52a8b69@debian.org Signed-off-by: Jakub Kicinski commit 6c59f16f1770481a6ee684720ec55b1e38b3a4b2 Author: Breno Leitao Date: Thu Nov 14 03:00:12 2024 -0800 net: netpoll: flush skb pool during cleanup The netpoll subsystem maintains a pool of 32 pre-allocated SKBs per instance, but these SKBs are not freed when the netpoll user is brought down. This leads to memory waste as these buffers remain allocated but unused. Add skb_pool_flush() to properly clean up these SKBs when netconsole is terminated, improving memory efficiency. Signed-off-by: Breno Leitao Link: https://patch.msgid.link/20241114-skb_buffers_v2-v3-2-9be9f52a8b69@debian.org Signed-off-by: Jakub Kicinski commit 221a9c1df790fa711d65daf5ba05d0addc279153 Author: Breno Leitao Date: Thu Nov 14 03:00:11 2024 -0800 net: netpoll: Individualize the skb pool The current implementation of the netpoll system uses a global skb pool, which can lead to inefficient memory usage and waste when targets are disabled or no longer in use. This can result in a significant amount of memory being unnecessarily allocated and retained, potentially causing performance issues and limiting the availability of resources for other system components. Modify the netpoll system to assign a skb pool to each target instead of using a global one. This approach allows for more fine-grained control over memory allocation and deallocation, ensuring that resources are only allocated and retained as needed. Signed-off-by: Breno Leitao Link: https://patch.msgid.link/20241114-skb_buffers_v2-v3-1-9be9f52a8b69@debian.org Signed-off-by: Jakub Kicinski commit 11ee317d883ef111b8c36228437eaffea7b49bbc Author: Colin Ian King Date: Thu Nov 14 10:20:12 2024 +0000 octeontx2-pf: Fix spelling mistake "reprentator" -> "representor" There is a spelling mistake in a NL_SET_ERR_MSG_MOD error message. Fix it. Signed-off-by: Colin Ian King Link: https://patch.msgid.link/20241114102012.1868514-1-colin.i.king@gmail.com Signed-off-by: Jakub Kicinski commit e51edeaf3506654ebd62c16e0ddf58da271b5200 Author: Dmitry Safonov <0x7f454c46@gmail.com> Date: Wed Nov 13 18:46:44 2024 +0000 net/netlink: Correct the comment on netlink message max cap Since commit d35c99ff77ec ("netlink: do not enter direct reclaim from netlink_dump()") the cap is 32KiB. Signed-off-by: Dmitry Safonov <0x7f454c46@gmail.com> Link: https://patch.msgid.link/20241113-tcp-md5-diag-prep-v2-5-00a2a7feb1fa@gmail.com Signed-off-by: Jakub Kicinski commit 1f181d1cda56c2fbe379c5ace1aa1fac6306669e Author: Samuel Holland Date: Thu Nov 14 12:01:30 2024 -0800 irqchip/riscv-aplic: Prevent crash when MSI domain is missing If the APLIC driver is probed before the IMSIC driver, the parent MSI domain will be missing, which causes a NULL pointer dereference in msi_create_device_irq_domain(). Avoid this by deferring probe until the parent MSI domain is available. Use dev_err_probe() to avoid printing an error message when returning -EPROBE_DEFER. Fixes: ca8df97fe679 ("irqchip/riscv-aplic: Add support for MSI-mode") Signed-off-by: Samuel Holland Signed-off-by: Thomas Gleixner Link: https://lore.kernel.org/all/20241114200133.3069460-1-samuel.holland@sifive.com commit 253239044808e0036f4e36b0347d161b893c4767 Merge: 025b2bbc5ab1c9 a28ccf1d6c102c Author: Jakub Kicinski Date: Fri Nov 15 15:38:48 2024 -0800 Merge branch 'enic-use-all-the-resources-configured-on-vic' Nelson Escobar says: ==================== enic: Use all the resources configured on VIC Allow users to configure and use more than 8 rx queues and 8 tx queues on the Cisco VIC. This series changes the maximum number of tx and rx queues supported from 8 to the hardware limit of 256, and allocates memory based on the number of resources configured on the VIC. v3: https://lore.kernel.org/20241108-remove_vic_resource_limits-v3-0-3ba8123bcffc@cisco.com v2: https://lore.kernel.org/20241024-remove_vic_resource_limits-v2-0-039b8cae5fdd@cisco.com v1: https://lore.kernel.org/20241022041707.27402-2-neescoba@cisco.com ==================== Link: https://patch.msgid.link/20241113-remove_vic_resource_limits-v4-0-a34cf8570c67@cisco.com Signed-off-by: Jakub Kicinski commit a28ccf1d6c102c8d874e8d75d676a2f870b75fa9 Author: Nelson Escobar Date: Wed Nov 13 23:56:39 2024 +0000 enic: Move kdump check into enic_adjust_resources() Move the kdump check into enic_adjust_resources() so that everything that modifies resources is in the same function. Co-developed-by: John Daley Signed-off-by: John Daley Co-developed-by: Satish Kharat Signed-off-by: Satish Kharat Reviewed-by: Simon Horman Signed-off-by: Nelson Escobar Reviewed-by: Vadim Fedorenko Link: https://patch.msgid.link/20241113-remove_vic_resource_limits-v4-7-a34cf8570c67@cisco.com Signed-off-by: Jakub Kicinski commit 374f6c04df8e03c6f60eafbd1e02ac875017b85e Author: Nelson Escobar Date: Wed Nov 13 23:56:38 2024 +0000 enic: Move enic resource adjustments to separate function Move the enic resource adjustments out of enic_set_intr_mode() and into its own function, enic_adjust_resources(). Co-developed-by: John Daley Signed-off-by: John Daley Co-developed-by: Satish Kharat Signed-off-by: Satish Kharat Reviewed-by: Simon Horman Signed-off-by: Nelson Escobar Reviewed-by: Vadim Fedorenko Link: https://patch.msgid.link/20241113-remove_vic_resource_limits-v4-6-a34cf8570c67@cisco.com Signed-off-by: Jakub Kicinski commit cc94d6c4d40c070ca95db8e43e92c4ee1fff5009 Author: Nelson Escobar Date: Wed Nov 13 23:56:37 2024 +0000 enic: Adjust used MSI-X wq/rq/cq/interrupt resources in a more robust way Instead of failing to use MSI-X if resources aren't configured exactly right, use the resources we do have. Since we could start using large numbers of rq resources, we do limit the rq count to what netif_get_num_default_rss_queues() recommends. Co-developed-by: John Daley Signed-off-by: John Daley Co-developed-by: Satish Kharat Signed-off-by: Satish Kharat Reviewed-by: Simon Horman Signed-off-by: Nelson Escobar Reviewed-by: Vadim Fedorenko Link: https://patch.msgid.link/20241113-remove_vic_resource_limits-v4-5-a34cf8570c67@cisco.com Signed-off-by: Jakub Kicinski commit a64e5492ca908bb4f8c286b5761507792a0e03cd Author: Nelson Escobar Date: Wed Nov 13 23:56:36 2024 +0000 enic: Allocate arrays in enic struct based on VIC config Allocate wq, rq, cq, intr, and napi arrays based on the number of resources configured in the VIC. Co-developed-by: John Daley Signed-off-by: John Daley Co-developed-by: Satish Kharat Signed-off-by: Satish Kharat Signed-off-by: Nelson Escobar Reviewed-by: Simon Horman Reviewed-by: Vadim Fedorenko Link: https://patch.msgid.link/20241113-remove_vic_resource_limits-v4-4-a34cf8570c67@cisco.com Signed-off-by: Jakub Kicinski commit 5aee3324724a7a449a1f2bdaee209cfa80fa80b1 Author: Nelson Escobar Date: Wed Nov 13 23:56:35 2024 +0000 enic: Save resource counts we read from HW Save the resources counts for wq,rq,cq, and interrupts in *_avail variables so that we don't lose the information when adjusting the counts we are actually using. Report the wq_avail and rq_avail as the channel maximums in 'ethtool -l' output. Co-developed-by: John Daley Signed-off-by: John Daley Co-developed-by: Satish Kharat Signed-off-by: Satish Kharat Signed-off-by: Nelson Escobar Reviewed-by: Simon Horman Reviewed-by: Vadim Fedorenko Link: https://patch.msgid.link/20241113-remove_vic_resource_limits-v4-3-a34cf8570c67@cisco.com Signed-off-by: Jakub Kicinski commit 231646cb6a8cc4e94943daf223d72aefe242ec23 Author: Nelson Escobar Date: Wed Nov 13 23:56:34 2024 +0000 enic: Make MSI-X I/O interrupts come after the other required ones The VIC hardware has a constraint that the MSIX interrupt used for errors be specified as a 7 bit number. Before this patch, it was allocated after the I/O interrupts, which would cause a problem if 128 or more I/O interrupts are in use. So make the required interrupts come before the I/O interrupts to guarantee the error interrupt offset never exceeds 7 bits. Co-developed-by: John Daley Signed-off-by: John Daley Co-developed-by: Satish Kharat Signed-off-by: Satish Kharat Reviewed-by: Simon Horman Signed-off-by: Nelson Escobar Reviewed-by: Vadim Fedorenko Link: https://patch.msgid.link/20241113-remove_vic_resource_limits-v4-2-a34cf8570c67@cisco.com Signed-off-by: Jakub Kicinski commit b67609c9315397789a3c497e08779b00d8cf4621 Author: Nelson Escobar Date: Wed Nov 13 23:56:33 2024 +0000 enic: Create enic_wq/rq structures to bundle per wq/rq data Bundling the wq/rq specific data into dedicated enic_wq/rq structures cleans up the enic structure and simplifies future changes related to wq/rq. Co-developed-by: John Daley Signed-off-by: John Daley Co-developed-by: Satish Kharat Signed-off-by: Satish Kharat Signed-off-by: Nelson Escobar Reviewed-by: Simon Horman Reviewed-by: Vadim Fedorenko Link: https://patch.msgid.link/20241113-remove_vic_resource_limits-v4-1-a34cf8570c67@cisco.com Signed-off-by: Jakub Kicinski commit 8ffade77b6337a8767fae9820d57d7a6413dd1a1 Author: Ziwei Xiao Date: Wed Nov 13 09:59:30 2024 -0800 gve: Flow steering trigger reset only for timeout error When configuring flow steering rules, the driver is currently going through a reset for all errors from the device. Instead, the driver should only reset when there's a timeout error from the device. Fixes: 57718b60df9b ("gve: Add flow steering adminq commands") Cc: stable@vger.kernel.org Signed-off-by: Ziwei Xiao Signed-off-by: Jeroen de Borst Reviewed-by: Harshitha Ramamurthy Reviewed-by: Simon Horman Link: https://patch.msgid.link/20241113175930.2585680-1-jeroendb@google.com Signed-off-by: Jakub Kicinski commit aa46a3736afcb7b0793766d22479b8b99fc1b322 Author: Mengyuan Lou Date: Fri Nov 15 10:46:04 2024 +0800 PCI: Add ACS quirk for Wangxun FF5xxx NICs Wangxun FF5xxx NICs are similar to SFxxx, RP1000 and RP2000 NICs. They may be multi-function devices, but they do not advertise an ACS capability. But the hardware does isolate FF5xxx functions as though it had an ACS capability and PCI_ACS_RR and PCI_ACS_CR were set in the ACS Control register, i.e., all peer-to-peer traffic is directed upstream instead of being routed internally. Add ACS quirk for FF5xxx NICs in pci_quirk_wangxun_nic_acs() so the functions can be in independent IOMMU groups. Link: https://lore.kernel.org/r/E16053DB2B80E9A5+20241115024604.30493-1-mengyuanlou@net-swift.com Signed-off-by: Mengyuan Lou Signed-off-by: Bjorn Helgaas commit 025b2bbc5ab1c9ccd50189cae028d1b2bf3d433e Author: Tarun Alle Date: Thu Nov 14 15:49:51 2024 +0530 net: phy: microchip_t1: Clause-45 PHY loopback support for LAN887x Adds support for clause-45 PHY loopback for the Microchip LAN887x driver. Signed-off-by: Tarun Alle Reviewed-by: Andrew Lunn Link: https://patch.msgid.link/20241114101951.382996-1-Tarun.Alle@microchip.com Signed-off-by: Jakub Kicinski commit 6bbdb903db082fbb43bc1c2bbc7d2f6921cf031b Author: Rob Herring (Arm) Date: Wed Nov 13 16:56:43 2024 -0600 dt-bindings: net: dsa: microchip,ksz: Drop undocumented "id" "id" is not a documented property, so drop it. Signed-off-by: Rob Herring (Arm) Acked-by: Conor Dooley Link: https://patch.msgid.link/20241113225642.1783485-2-robh@kernel.org Signed-off-by: Jakub Kicinski commit 41ffcd95015f18178ddc53fed919c2842d52fe38 Author: Russell King (Oracle) Date: Thu Nov 14 10:33:27 2024 +0000 net: phy: fix phylib's dual eee_enabled phylib has two eee_enabled members. Some parts of the code are using phydev->eee_enabled, other parts are using phydev->eee_cfg.eee_enabled. This leads to incorrect behaviour as their state goes out of sync. ethtool --show-eee shows incorrect information, and --set-eee sometimes doesn't take effect. Fix this by only having one eee_enabled member - that in eee_cfg. Fixes: 49168d1980e2 ("net: phy: Add phy_support_eee() indicating MAC support EEE") Signed-off-by: Russell King (Oracle) Reviewed-by: Heiner Kallweit Link: https://patch.msgid.link/E1tBXAF-00341F-EQ@rmk-PC.armlinux.org.uk Signed-off-by: Jakub Kicinski commit 0c0d0f42ffa6ac94cd79893b7ed419c15e1b45de Author: Felix Maurer Date: Thu Nov 14 12:30:05 2024 +0100 xsk: Free skb when TX metadata options are invalid When a new skb is allocated for transmitting an xsk descriptor, i.e., for every non-multibuf descriptor or the first frag of a multibuf descriptor, but the descriptor is later found to have invalid options set for the TX metadata, the new skb is never freed. This can leak skbs until the send buffer is full which makes sending more packets impossible. Fix this by freeing the skb in the error path if we are currently dealing with the first frag, i.e., an skb allocated in this iteration of xsk_build_skb. Fixes: 48eb03dd2630 ("xsk: Add TX timestamp and TX checksum offload support") Reported-by: Michal Schmidt Signed-off-by: Felix Maurer Reviewed-by: Toke Høiland-Jørgensen Acked-by: Stanislav Fomichev Acked-by: Martin KaFai Lau Link: https://patch.msgid.link/edb9b00fb19e680dff5a3350cd7581c5927975a8.1731581697.git.fmaurer@redhat.com Signed-off-by: Jakub Kicinski commit c7a21af711e846a844095ae474f0f7e0ea8c6967 Author: Vadim Fedorenko Date: Thu Nov 14 03:48:20 2024 -0800 bnxt_en: optimize gettimex64 Current implementation of gettimex64() makes at least 3 PCIe reads to get current PHC time. It takes at least 2.2us to get this value back to userspace. At the same time there is cached value of upper bits of PHC available for packet timestamps already. This patch reuses cached value to speed up reading of PHC time. Signed-off-by: Vadim Fedorenko Reviewed-by: Michael Chan Reviewed-by: Jacob Keller Link: https://patch.msgid.link/20241114114820.1411660-1-vadfed@meta.com Signed-off-by: Jakub Kicinski commit 8807850697715b6ed3498adf6b6b2411ccfa52c6 Merge: c53bf100f68619 35f56c554eb1b5 Author: Jakub Kicinski Date: Fri Nov 15 14:24:36 2024 -0800 Merge tag 'nf-24-11-14' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following patchset contains Netfilter fixes for net: 1) Update .gitignore in selftest to skip conntrack_reverse_clash, from Li Zhijian. 2) Fix conntrack_dump_flush return values, from Guan Jing. 3) syzbot found that ipset's bitmap type does not properly checks for bitmap's first ip, from Jeongjun Park. * tag 'nf-24-11-14' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf: netfilter: ipset: add missing range check in bitmap_ip_uadt selftests: netfilter: Fix missing return values in conntrack_dump_flush selftests: netfilter: Add missing gitignore file ==================== Link: https://patch.msgid.link/20241114125723.82229-1-pablo@netfilter.org Signed-off-by: Jakub Kicinski commit ed7231f56cd7f795ff3a831e32946a96661bfee9 Author: Joe Damato Date: Thu Nov 14 17:55:59 2024 +0000 netdev-genl: Hold rcu_read_lock in napi_set Hold rcu_read_lock during netdev_nl_napi_set_doit, which calls napi_by_id and requires rcu_read_lock to be held. Closes: https://lore.kernel.org/netdev/719083c2-e277-447b-b6ea-ca3acb293a03@redhat.com/ Fixes: 1287c1ae0fc2 ("netdev-genl: Support setting per-NAPI config values") Signed-off-by: Joe Damato Link: https://patch.msgid.link/20241114175600.18882-1-jdamato@fastly.com Signed-off-by: Jakub Kicinski commit c53bf100f68619acf6cedcf4cf5249a1ca2db0b4 Author: Joe Damato Date: Thu Nov 14 17:51:56 2024 +0000 netdev-genl: Hold rcu_read_lock in napi_get Hold rcu_read_lock in netdev_nl_napi_get_doit, which calls napi_by_id and is required to be called under rcu_read_lock. Cc: stable@vger.kernel.org Fixes: 27f91aaf49b3 ("netdev-genl: Add netlink framework functions for napi") Signed-off-by: Joe Damato Link: https://patch.msgid.link/20241114175157.16604-1-jdamato@fastly.com Signed-off-by: Jakub Kicinski commit 6cd663f03fa6993588af641af7a5a508cf1de4a9 Merge: 26a3beee2435cd 827af4787e74e8 Author: Jakub Kicinski Date: Fri Nov 15 14:16:28 2024 -0800 Merge tag 'for-net-next-2024-11-14' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next Luiz Augusto von Dentz says: ==================== bluetooth-next pull request for net-next: - btusb: add Foxconn 0xe0fc for Qualcomm WCN785x - btmtk: Fix ISO interface handling - Add quirk for ATS2851 - btusb: Add RTL8852BE device 0489:e123 - ISO: Do not emit LE PA/BIG Create Sync if previous is pending - btusb: Add USB HW IDs for MT7920/MT7925 - btintel_pcie: Add handshake between driver and firmware - btintel_pcie: Add recovery mechanism - hci_conn: Use disable_delayed_work_sync - SCO: Use kref to track lifetime of sco_conn - ISO: Use kref to track lifetime of iso_conn - btnxpuart: Add GPIO support to power save feature - btusb: Add 0x0489:0xe0f3 and 0x13d3:0x3623 for Qualcomm WCN785x * tag 'for-net-next-2024-11-14' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next: (51 commits) Bluetooth: MGMT: Add initial implementation of MGMT_OP_HCI_CMD_SYNC Bluetooth: fix use-after-free in device_for_each_child() Bluetooth: btintel: Direct exception event to bluetooth stack Bluetooth: hci_core: Fix calling mgmt_device_connected Bluetooth: hci_bcm: Use the devm_clk_get_optional() helper Bluetooth: ISO: Send BIG Create Sync via hci_sync Bluetooth: hci_conn: Remove alloc from critical section Bluetooth: ISO: Use kref to track lifetime of iso_conn Bluetooth: SCO: Use kref to track lifetime of sco_conn Bluetooth: HCI: Add IPC(11) bus type Bluetooth: btusb: Add 3 HWIDs for MT7925 Bluetooth: btusb: Add new VID/PID 0489/e124 for MT7925 Bluetooth: ISO: Update hci_conn_hash_lookup_big for Broadcast slave Bluetooth: ISO: Do not emit LE BIG Create Sync if previous is pending Bluetooth: ISO: Fix matching parent socket for BIS slave Bluetooth: ISO: Do not emit LE PA Create Sync if previous is pending Bluetooth: btrtl: Decrease HCI_OP_RESET timeout from 10 s to 2 s Bluetooth: btbcm: fix missing of_node_put() in btbcm_get_board_name() Bluetooth: btusb: Add new VID/PID 0489/e111 for MT7925 Bluetooth: btmtk: adjust the position to init iso data anchor ... ==================== Link: https://patch.msgid.link/20241114214731.1994446-1-luiz.dentz@gmail.com Signed-off-by: Jakub Kicinski commit 26a3beee2435cd712f7bc94664ec0550fb2da24d Merge: dfc14664794a47 b0ccf4f53d968e Author: Jakub Kicinski Date: Fri Nov 15 14:09:20 2024 -0800 Merge tag 'nf-next-24-11-15' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next Pablo Neira Ayuso says: ==================== Netfilter updates for net-next The following patchset contains Netfilter updates for net-next: 1) Extended netlink error reporting if nfnetlink attribute parser fails, from Donald Hunter. 2) Incorrect request_module() module, from Simon Horman. 3) A series of patches to reduce memory consumption for set element transactions. Florian Westphal says: "When doing a flush on a set or mass adding/removing elements from a set, each element needs to allocate 96 bytes to hold the transactional state. In such cases, virtually all the information in struct nft_trans_elem is the same. Change nft_trans_elem to a flex-array, i.e. a single nft_trans_elem can hold multiple set element pointers. The number of elements that can be stored in one nft_trans_elem is limited by the slab allocator, this series limits the compaction to at most 62 elements as it caps the reallocation to 2048 bytes of memory." 4) A series of patches to prepare the transition to dscp_t in .flowi_tos. From Guillaume Nault. 5) Support for bitwise operations with two source registers, from Jeremy Sowden. * tag 'nf-next-24-11-15' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next: netfilter: bitwise: add support for doing AND, OR and XOR directly netfilter: bitwise: rename some boolean operation functions netfilter: nf_dup4: Convert nf_dup_ipv4_route() to dscp_t. netfilter: nft_fib: Convert nft_fib4_eval() to dscp_t. netfilter: rpfilter: Convert rpfilter_mt() to dscp_t. netfilter: flow_offload: Convert nft_flow_route() to dscp_t. netfilter: ipv4: Convert ip_route_me_harder() to dscp_t. netfilter: nf_tables: allocate element update information dynamically netfilter: nf_tables: switch trans_elem to real flex array netfilter: nf_tables: prepare nft audit for set element compaction netfilter: nf_tables: prepare for multiple elements in nft_trans_elem structure netfilter: nf_tables: add nft_trans_commit_list_add_elem helper netfilter: bpf: Pass string literal as format argument of request_module() netfilter: nfnetlink: Report extack policy errors for batched ops ==================== Link: https://patch.msgid.link/20241115133207.8907-1-pablo@netfilter.org Signed-off-by: Jakub Kicinski commit d8dfba2c606ac9fa763ce3c51dcbf7335544b815 Merge: a23da88c6c80e4 2996980e20b7a5 c229d579d047f9 9650edd9bf1d15 9407f5c3ec10c1 Author: Frederic Weisbecker Date: Fri Nov 15 22:38:53 2024 +0100 Merge branches 'rcu/fixes', 'rcu/nocb', 'rcu/torture', 'rcu/stall' and 'rcu/srcu' into rcu/dev commit c818d5c64c9a8cc14853d716bf7ce6674a6126d0 Author: Shuah Khan Date: Thu Nov 14 13:56:49 2024 -0700 Documentation/CoC: spell out enforcement for unacceptable behaviors The Code of Conduct committee's goal first and foremost is to bring about change to ensure our community continues to foster respectful discussions. In the interest of transparency, the CoC enforcement policy is formalized for unacceptable behaviors. Update the Code of Conduct Interpretation document with the enforcement information. Acked-by: Linus Torvalds Acked-by: Greg Kroah-Hartman Acked-by: Miguel Ojeda Acked-by: Dave Hansen Acked-by: Jonathan Corbet Acked-by: Steven Rostedt Acked-by: Dan Williams Acked-by: Theodore Ts'o Acked-by: Konstantin Ryabitsev Signed-off-by: Shuah Khan Acked-by: Kees Cook Signed-off-by: Jonathan Corbet Link: https://lore.kernel.org/r/20241114205649.44179-1-skhan@linuxfoundation.org commit c229d579d047f9c4fb4d6c37d9d04b88a398e461 Author: Uladzislau Rezki (Sony) Date: Wed Nov 13 12:00:09 2024 +0100 rcuscale: Remove redundant WARN_ON_ONCE() splat There are two places where WARN_ON_ONCE() is called two times in the error paths. One which is encapsulated into if() condition and another one, which is unnecessary, is placed in the brackets. Remove an extra WARN_ON_ONCE() splat which is in brackets. Reviewed-by: Paul E. McKenney Reviewed-by: Neeraj Upadhyay Signed-off-by: Uladzislau Rezki (Sony) Signed-off-by: Frederic Weisbecker commit 812a1c3b9f7c36d9255f0d29d0a3d324e2f52321 Author: Uladzislau Rezki (Sony) Date: Wed Nov 13 12:00:08 2024 +0100 rcuscale: Do a proper cleanup if kfree_scale_init() fails A static analyzer for C, Smatch, reports and triggers below warnings: kernel/rcu/rcuscale.c:1215 rcu_scale_init() warn: inconsistent returns 'global &fullstop_mutex'. The checker complains about, we do not unlock the "fullstop_mutex" mutex, in case of hitting below error path: ... if (WARN_ON_ONCE(jiffies_at_lazy_cb - jif_start < 2 * HZ)) { pr_alert("ERROR: call_rcu() CBs are not being lazy as expected!\n"); WARN_ON_ONCE(1); return -1; ^^^^^^^^^^ ... it happens because "-1" is returned right away instead of doing a proper unwinding. Fix it by jumping to "unwind" label instead of returning -1. Reported-by: Dan Carpenter Reviewed-by: Paul E. McKenney Reviewed-by: Neeraj Upadhyay Closes: https://lore.kernel.org/rcu/ZxfTrHuEGtgnOYWp@pc636/T/ Fixes: 084e04fff160 ("rcuscale: Add laziness and kfree tests") Signed-off-by: Uladzislau Rezki (Sony) Signed-off-by: Frederic Weisbecker commit 9407f5c3ec10c155aae61fc4496a7c17a96907b4 Author: Paul E. McKenney Date: Mon Nov 11 16:28:51 2024 -0800 srcu: Unconditionally record srcu_read_lock_lite() in ->srcu_reader_flavor Currently, srcu_read_lock_lite() uses the SRCU_READ_FLAVOR_LITE bit in ->srcu_reader_flavor to communicate to the grace-period processing in srcu_readers_active_idx_check() that the smp_mb() must be replaced by a synchronize_rcu(). Unfortunately, ->srcu_reader_flavor is not updated unless the kernel is built with CONFIG_PROVE_RCU=y. Therefore in all kernels built with CONFIG_PROVE_RCU=n, srcu_readers_active_idx_check() incorrectly uses smp_mb() instead of synchronize_rcu() for srcu_struct structures whose readers use srcu_read_lock_lite(). This commit therefore causes Tree SRCU srcu_read_lock_lite() to unconditionally update ->srcu_reader_flavor so that srcu_readers_active_idx_check() can make the correct choice. Reported-by: Neeraj Upadhyay Closes: https://lore.kernel.org/all/d07e8f4a-d5ff-4c8e-8e61-50db285c57e9@amd.com/ Fixes: c0f08d6b5a61 ("srcu: Add srcu_read_lock_lite() and srcu_read_unlock_lite()") Signed-off-by: Paul E. McKenney Cc: Frederic Weisbecker Reviewed-by: Neeraj Upadhyay Signed-off-by: Frederic Weisbecker commit 31457d4cea19dc807e3beab15883c912f19acef7 Author: Bjorn Helgaas Date: Sat Nov 2 12:45:37 2024 -0500 PCI: Fix typos Fix typos and whitespace errors. Link: https://lore.kernel.org/r/20241102174537.1362183-1-helgaas@kernel.org Signed-off-by: Bjorn Helgaas commit 28b513b5a683cf1e7125ba54ffe7ecb206ef4984 Merge: 919e0dd4118ee6 332857fdac73f1 Author: Rob Herring (Arm) Date: Fri Nov 15 14:03:59 2024 -0600 Merge branch 'dt/linus' into dt/next Pull-in kunit kconfig fix commit 332857fdac73f1c7b74ad962c07bb39e4c0c145a Author: Stephen Boyd Date: Wed Oct 16 14:20:15 2024 -0700 of: Allow overlay kunit tests to run CONFIG_OF_OVERLAY=n Some configurations want to enable CONFIG_KUNIT without enabling CONFIG_OF_OVERLAY. The kunit overlay code already skips if CONFIG_OF_OVERLAY isn't enabled, so this select here isn't really doing anything besides making it easier to run the tests without them skipping. Remove the select and move the config setting to the drivers/of/.kunitconfig file so that the overlay tests can be run with or without CONFIG_OF_OVERLAY set to test either behavior. Fixes: 5c9dd72d8385 ("of: Add a KUnit test for overlays and test managed APIs") Signed-off-by: Stephen Boyd Acked-by: Geert Uytterhoeven Link: https://lore.kernel.org/r/20241016212016.887552-1-sboyd@kernel.org Signed-off-by: Rob Herring (Arm) commit bed2cc482600296fe04edbc38005ba2851449c10 Author: ZhangPeng Date: Mon Nov 4 20:34:40 2024 +0800 hostfs: Fix the NULL vs IS_ERR() bug for __filemap_get_folio() The __filemap_get_folio() function returns error pointers. It never returns NULL. So use IS_ERR() to check it. Fixes: 1da86618bdce ("fs: Convert aops->write_begin to take a folio") Signed-off-by: ZhangPeng Acked-by: Johannes Berg Signed-off-by: Richard Weinberger commit d47a60e487fbb65bbbca3d99e59009f0a4acf34d Merge: 563c87f58f5367 927df4cae36207 Author: Rafael J. Wysocki Date: Fri Nov 15 20:52:02 2024 +0100 Merge branch 'acpi-misc' Merge miscellaneous ACPI changes for 6.13-rc1: - Switch several ACPI platform drivers back to using struct platform_driver::remove() (Uwe Kleine-König). - Replace strcpy() with strscpy() in multiple places in the ACPI subsystem (Muhammad Qasim Abdul Majeed, Abdul Rahim). * acpi-misc: ACPI: Switch back to struct platform_driver::remove() ACPI: scan: Use strscpy() instead of strcpy() ACPI: SBSHC: Use strscpy() instead of strcpy() ACPI: SBS: Use strscpy() instead of strcpy() ACPI: power: Use strscpy() instead of strcpy() ACPI: pci_root: Use strscpy() instead of strcpy() ACPI: pci_link: Use strscpy() instead of strcpy() ACPI: event: Use strscpy() instead of strcpy() ACPI: EC: Use strscpy() instead of strcpy() ACPI: APD: Use strscpy() instead of strcpy() ACPI: thermal: Use strscpy() instead of strcpy() commit 563c87f58f5367a583a61d4b78a74d09d7c69cb4 Merge: 1c58e3a528c2c2 2076cba2ed3664 4a49194f587a62 295991836b23c1 Author: Rafael J. Wysocki Date: Fri Nov 15 20:46:13 2024 +0100 Merge branches 'acpi-processor', 'acpi-x86' and 'acpi-video' Merge and ACPI processor driver update, ACPI x86-specific code updates, and an ACPI backlight (video) driver quirk for 6.13-rc1: - Rearrange the processor_perflib code in the ACPI processor driver to avoid compiling x86-specific code on other architectures (Arnd Bergmann). - Add adev NULL check to acpi_quirk_skip_serdev_enumeration() and make UART skip quirks work on PCI UARTs without an UID (Hans de Goede). - Force native backlight handling Apple MacbookPro11,2 and Air7,2 in the ACPI video driver (Jonathan Denose). * acpi-processor: ACPI: processor_perflib: extend X86 dependency * acpi-x86: ACPI: x86: Add adev NULL check to acpi_quirk_skip_serdev_enumeration() ACPI: x86: Make UART skip quirks work on PCI UARTs without an UID * acpi-video: ACPI: video: force native for Apple MacbookPro11,2 and Air7,2 commit 1c58e3a528c2c2b8b8a6798f8d3b742c42c56313 Merge: 2388b266c9fcc7 815daedc318b2f a6021aa24f6417 f8dc4394fc51ce 4435a125015d3c Author: Rafael J. Wysocki Date: Fri Nov 15 20:45:14 2024 +0100 Merge branches 'acpi-battery', 'acpi-ec', 'acpi-pfr' and 'acpi-osl' Merge updates of the ACPI battery and EC drivers, an ACPI Platform Firmware Runtime (PFR) telemetry driver update and an ACPI OS support layer change for 6.13-rc1: - Use DEFINE_SIMPLE_DEV_PM_OPS in the ACPI battery driver, make it use devm_ for initializing mutexes and allocating driver data, and make it check the register_pm_notifier() return value (Thomas Weißschuh, Andy Shevchenko). - Make the ACPI EC driver support compile-time conditional and allow ACPI to be built without CONFIG_HAS_IOPORT (Arnd Bergmann). - Remove a redundant error check from the pfr_telemetry driver (Colin Ian King). * acpi-battery: ACPI: battery: Check for error code from devm_mutex_init() call ACPI: battery: use DEFINE_SIMPLE_DEV_PM_OPS ACPI: battery: initialize mutexes through devm_ APIs ACPI: battery: allocate driver data through devm_ APIs ACPI: battery: check result of register_pm_notifier() * acpi-ec: ACPI: EC: make EC support compile-time conditional * acpi-pfr: ACPI: pfr_telemetry: remove redundant error check on ret * acpi-osl: ACPI: allow building without CONFIG_HAS_IOPORT commit f74dacb4c81164d7578a11d5f8b660ad87059e6a Author: Alexander Aring Date: Wed Nov 13 11:46:42 2024 -0500 dlm: fix recovery of middle conversions In one special case, recovery is unable to reliably rebuild lock state by simply recreating lkb structs as sent from the lock holders. That case is when the lkb's include conversions between PR and CW modes. The recovery code has always recognized this special case, but the implemention has always been broken, and would set invalid modes in recovered lkb's. Unpredictable or bogus errors could then be returned for further locking calls on these locks. This bug has gone unnoticed for so long due to some combination of: - applications never or infrequently converting between PR/CW - recovery not occuring during these conversions - if the recovery bug does occur, the caller may not notice, depending on what further locking calls are made, e.g. if the lock is simply unlocked it may go unnoticed However, a core analysis from a recent gfs2 bug report points to this broken code. PR = Protected Read CW = Concurrent Write PR and CW are incompatible PR and PR are compatible CW and CW are compatible Example 1 node C, resource R granted: PR node A granted: PR node B granted: NL node C granted: NL node D - A sends convert PR->CW to C - C fails before A gets a reply - recovery occurs At this point, A does not know if it still holds the lock in PR, or if its conversion to CW was granted: - If A's conversion to CW was granted, then another node's CW lock may also have been granted. - If A's conversion to CW was not granted, it still holds a PR lock, and other nodes may also hold PR locks. So, the new master of R cannot simply recreate the lock from A using granted mode PR and requested mode CW. The new master must look at all the recovered locks to determine the correct granted modes, and ensure that all the recovered locks are recreated in compatible states. The correct lock recovery steps in this example are: - node D becomes the new master of R - node B sends D its lkb, granted PR - node A sends D its lkb, convert PR->CW - D determines the correct lock state is: granted: PR node B convert: PR->CW node A The lkb sent by each node was recreated without any change on the new master node. Example 2 node C, resource R granted: PR node A granted: NL node C granted: NL node D waiting: CW node B - A sends convert PR->CW to C - C grants the conversion to CW for A - C grants the waiting request for CW to B - C sends granted message to B, but fails before it can send the granted message to A - B receives the granted message from C At this point: - A believes it is converting PR->CW - B believes it is holding a CW lock The correct lock recovery steps in this example are: - node D becomes the new master of R - node A sends D its lkb, convert PR->CW - node B sends D its lkb, granted CW - D determins the correct lock state is: granted: CW node B granted: CW node A The lkb sent by B is recreated without change, but the lkb sent by A is changed because the granted mode was not compatible. Fixes to make this work correctly: recover_convert_waiter: should not make any changes to a converting lkb that is still waiting for a reply message. It was previously setting grmode to IV, which is invalid state, so the lkb would not be handled correctly by other code. receive_rcom_lock_args: was checking the wrong lkb field (wait_type instead of status) to determine if the lkb is being converted, and in need of inspection for this special recovery. It was also setting grmode to IV in the lkb, causing it to be mishandled by other code. Now, this function just puts the lkb, directly as sent, onto the convert queue of the resource being recovered, and corrects it in recover_conversion() later, if needed. recover_conversion: the job of this function is to detect and correct lkb states for the special PR/CW conversions. The new code now checks for recovered lkbs on the granted queue with grmode PR or CW, and takes the real grmode from that. Then it looks for lkbs on the convert queue with an incompatible grmode (i.e. grmode PR when the real grmode is CW, or v.v.) These converting lkbs need to be fixed. They are fixed by temporarily setting their grmode to NL, so that grmodes are not incompatible and won't confuse other locking code. The converting lkb will then be granted at the end of recovery, replacing the temporary NL grmode. Signed-off-by: Alexander Aring Signed-off-by: David Teigland commit 88d47f629313730f26a3b00224d1e1a5e3b7bb79 Merge: 957860cbc1dc89 886e4757f42e57 Author: Jens Axboe Date: Fri Nov 15 12:37:33 2024 -0700 Merge tag 'md-6.13-20241115' of https://git.kernel.org/pub/scm/linux/kernel/git/mdraid/linux into for-6.13/block Pull MD fixes from Song: "This set contains a fix for a W=1 warning, by John Garry, and a MAINTAINERS update." * tag 'md-6.13-20241115' of https://git.kernel.org/pub/scm/linux/kernel/git/mdraid/linux: MAINTAINERS: Update git tree for mdraid subsystem md/raid5: Increase r5conf.cache_name size commit fab974e6487475c2fca0a79918e8e75bd6bafffc Author: Jiri Olsa Date: Fri Nov 15 12:58:43 2024 +0100 libbpf: Fix memory leak in bpf_program__attach_uprobe_multi Andrii reported memory leak detected by Coverity on error path in bpf_program__attach_uprobe_multi. Fixing that by moving the check earlier before the offsets allocations. Reported-by: Andrii Nakryiko Signed-off-by: Jiri Olsa Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20241115115843.694337-1-jolsa@kernel.org commit d617b3147d54c42351eac63b5398d4ddf4f4011b Author: Pavel Begunkov Date: Fri Nov 15 16:54:43 2024 +0000 io_uring: restore back registered wait arguments Now we've got a more generic region registration API, place IORING_ENTER_EXT_ARG_REG and re-enable it. First, the user has to register a region with the IORING_MEM_REGION_REG_WAIT_ARG flag set. It can only be done for a ring in a disabled state, aka IORING_SETUP_R_DISABLED, to avoid races with already running waiters. With that we should have stable constant values for ctx->cq_wait_{size,arg} in io_get_ext_arg_reg() and hence no READ_ONCE required. The other API difference is that we're now passing byte offsets instead of indexes. The user _must_ align all offsets / pointers to the native word size, failing to do so might but not necessarily has to lead to a failure usually returned as -EFAULT. liburing will be hiding this details from users. Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/81822c1b4ffbe8ad391b4f9ad1564def0d26d990.1731689588.git.asml.silence@gmail.com Signed-off-by: Jens Axboe commit c6e2a4c9eed5249c4158bc621882d44e94af3371 Merge: 923c256e37e682 7954c4fd0de11c Author: Rafael J. Wysocki Date: Fri Nov 15 19:57:57 2024 +0100 Merge branch 'pm-tools' Merge power management utilities updates for 6.13-rc1: - Update pm-graph to v5.13 (Todd Brandt). - Add documentation for some recently introduced cpupower utility options (Tor Vic). - Make cpupower inform users where cpufreq-bench.conf should be located when opening it fails (Peng Fan). - Allow overriding cross-compiling env params in cpupower (Peng Fan). - Add compile_commands.json to .gitignore in cpupower (John B. Wyatt IV). - Improve disable c_state block in cpupower bindings and add a test to confirm that CPU state is disabled to it (John B. Wyatt IV). - Add Chinese Simplified translation to cpupower (Kieran Moy). - Add checks for xgettext and msgfmt to cpupower (Siddharth Menon). * pm-tools: cpupower: add checks for xgettext and msgfmt cpupower: Add Chinese Simplified translation pm-graph v5.13 pm: cpupower: bindings: Add test to confirm cpu state is disabled pm: cpupower: bindings: Improve disable c_state block pm: cpupower: gitignore: Add compile_commands.json pm: cpupower: Makefile: Allow overriding cross-compiling env params pm: cpupower: bench: print config file path when open cpufreq-bench.conf fails tools/power/cpupower: Add documentation for some recently introduced options commit 923c256e37e6821e03a105fa77570124e35181d8 Merge: a8aaea4f6e1a33 f557e0d1c2e6eb 5609296750afd6 Author: Rafael J. Wysocki Date: Fri Nov 15 19:54:05 2024 +0100 Merge branches 'pm-cpuidle' and 'pm-em' Merge cpuidle and Energy Model changes for 6.13-rc1: - Add a built-in idle states table for Granite Rapids Xeon D to the intel_idle driver (Artem Bityutskiy). - Fix some typos in comments in the cpuidle core and drivers (Shen Lichuan). - Remove iowait influence from the menu cpuidle governor (Christian Loehle). - Add min/max available performance state limits to the Energy Model management code (Lukasz Luba). * pm-cpuidle: intel_idle: add Granite Rapids Xeon D support cpuidle: Correct some typos in comments cpuidle: menu: Remove iowait influence * pm-em: PM: EM: Add min/max available performance state limits commit 5943c0dc7912210be1ab2732e0b663c1082ab543 Author: Thomas Weißschuh Date: Fri Nov 15 17:42:49 2024 +0100 driver core: Constify bin_attribute definitions Mark all 'struct bin_attribute' instances as const to protect against accidental and malicious modifications. Signed-off-by: Thomas Weißschuh Link: https://lore.kernel.org/r/20241115-b4-sysfs-const-bin_attr-group-v1-2-2c9bb12dfc48@weissschuh.net Signed-off-by: Greg Kroah-Hartman commit 906c508afdca3487c4273bfeda8abedc8e21047b Author: Thomas Weißschuh Date: Fri Nov 15 17:42:48 2024 +0100 sysfs: attribute_group: allow registration of const bin_attribute To be able to constify instances of struct bin_attribute it has to be possible to add them to string attribute_group. The current type of the bin_attrs member however is not compatible with that. Introduce a union that allows registration of both const and non-const attributes to enable a piecewise transition. As both union member types are compatible no logic needs to be adapted. Technically it is now possible register a const struct bin_attribute and receive it as mutable pointer in the callbacks. This is a soundness issue. But this same soundness issue already exists today in sysfs_create_bin_file(). Also the struct definition and callback implementation are always closely linked and are meant to be moved to const in lockstep. Signed-off-by: Thomas Weißschuh Link: https://lore.kernel.org/r/20241115-b4-sysfs-const-bin_attr-group-v1-1-2c9bb12dfc48@weissschuh.net Signed-off-by: Greg Kroah-Hartman commit 886e4757f42e5775b7c2a6e0e5e2dc9a78177b0a Author: Song Liu Date: Fri Nov 15 10:25:53 2024 -0800 MAINTAINERS: Update git tree for mdraid subsystem Moving the official git tree to the MDRAID Group account. Signed-off-by: Song Liu commit 96a30e469ca1d2b8cc7811b40911f8614b558241 Author: Andrii Nakryiko Date: Thu Nov 14 16:13:03 2024 -0800 bpf: use common instruction history across all states Instead of allocating and copying instruction history each time we enqueue child verifier state, switch to a model where we use one common dynamically sized array of instruction history entries across all states. The key observation for proving this is correct is that instruction history is only relevant while state is active, which means it either is a current state (and thus we are actively modifying instruction history and no other state can interfere with us) or we are checkpointed state with some children still active (either enqueued or being current). In the latter case our portion of instruction history is finalized and won't change or grow, so as long as we keep it immutable until the state is finalized, we are good. Now, when state is finalized and is put into state hash for potentially future pruning lookups, instruction history is not used anymore. This is because instruction history is only used by precision marking logic, and we never modify precision markings for finalized states. So, instead of each state having its own small instruction history, we keep a global dynamically-sized instruction history, where each state in current DFS path from root to active state remembers its portion of instruction history. Current state can append to this history, but cannot modify any of its parent histories. Async callback state enqueueing, while logically detached from parent state, still is part of verification backtracking tree, so has to follow the same schema as normal state checkpoints. Because the insn_hist array can be grown through realloc, states don't keep pointers, they instead maintain two indices, [start, end), into global instruction history array. End is exclusive index, so `start == end` means there is no relevant instruction history. This eliminates a lot of allocations and minimizes overall memory usage. For instance, running a worst-case test from [0] (but without the heuristics-based fix [1]), it took 12.5 minutes until we get -ENOMEM. With the changes in this patch the whole test succeeds in 10 minutes (very slow, so heuristics from [1] is important, of course). To further validate correctness, veristat-based comparison was performed for Meta production BPF objects and BPF selftests objects. In both cases there were no differences *at all* in terms of verdict or instruction and state counts, providing a good confidence in the change. Having this low-memory-overhead solution of keeping dynamic per-instruction history cheaply opens up some new possibilities, like keeping extra information for literally every single validated instruction. This will be used for simplifying precision backpropagation logic in follow up patches. [0] https://lore.kernel.org/bpf/20241029172641.1042523-2-eddyz87@gmail.com/ [1] https://lore.kernel.org/bpf/20241029172641.1042523-1-eddyz87@gmail.com/ Acked-by: Eduard Zingerman Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/r/20241115001303.277272-1-andrii@kernel.org Signed-off-by: Alexei Starovoitov commit 5e316d34b53039346e252d0019e2f4167af2c0ef Author: Andrea della Porta Date: Fri Nov 8 10:42:56 2024 +0100 PCI: of_property: Assign PCI instead of CPU bus address to dynamic PCI nodes When populating "ranges" property for a PCI bridge or endpoint, of_pci_prop_ranges() incorrectly uses the CPU address of the resource. In such PCI nodes, the window should instead be in PCI address space. Call pci_bus_address() on the resource in order to obtain the PCI bus address. [Previous discussion at: https://lore.kernel.org/all/8b4fa91380fc4754ea80f47330c613e4f6b6592c.1724159867.git.andrea.porta@suse.com/] Link: https://lore.kernel.org/r/20241108094256.28933-1-andrea.porta@suse.com Fixes: 407d1a51921e ("PCI: Create device tree node for bridge") Tested-by: Herve Codina Signed-off-by: Andrea della Porta Signed-off-by: Bjorn Helgaas Cc: stable@vger.kernel.org commit 93238e66185524aad925acefb2312203b9e26d63 Author: Pavel Begunkov Date: Fri Nov 15 16:54:42 2024 +0000 io_uring: add memory region registration Regions will serve multiple purposes. First, with it we can decouple ring/etc. object creation from registration / mapping of the memory they will be placed in. We already have hacks that allow to put both SQ and CQ into the same huge page, in the future we should be able to: region = create_region(io_ring); create_pbuf_ring(io_uring, region, offset=0); create_pbuf_ring(io_uring, region, offset=N); The second use case is efficiently passing parameters. The following patch enables back on top of regions IORING_ENTER_EXT_ARG_REG, which optimises wait arguments. It'll also be useful for request arguments replacing iovecs, msghdr, etc. pointers. Eventually it would also be handy for BPF as well if it comes to fruition. Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/0798cf3a14fad19cfc96fc9feca5f3e11481691d.1731689588.git.asml.silence@gmail.com Signed-off-by: Jens Axboe commit dfbbfbf191878e8dd422768ce009858d8b5b761e Author: Pavel Begunkov Date: Fri Nov 15 16:54:41 2024 +0000 io_uring: introduce concept of memory regions We've got a good number of mappings we share with the userspace, that includes the main rings, provided buffer rings, upcoming rings for zerocopy rx and more. All of them duplicate user argument parsing and some internal details as well (page pinnning, huge page optimisations, mmap'ing, etc.) Introduce a notion of regions. For userspace for now it's just a new structure called struct io_uring_region_desc which is supposed to parameterise all such mapping / queue creations. A region either represents a user provided chunk of memory, in which case the user_addr field should point to it, or a request for the kernel to allocate the memory, in which case the user would need to mmap it after using the offset returned in the mmap_offset field. With a uniform userspace API we can avoid additional boiler plate code and apply future optimisation to all of them at once. Internally, there is a new structure struct io_mapped_region holding all relevant runtime information and some helpers to work with it. This patch limits it to user provided regions. Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/0e6fe25818dfbaebd1bd90b870a6cac503fe1a24.1731689588.git.asml.silence@gmail.com Signed-off-by: Jens Axboe commit 83e041522eb9c45479f4490b212687cf1e7e9999 Author: Pavel Begunkov Date: Fri Nov 15 16:54:40 2024 +0000 io_uring: temporarily disable registered waits Disable wait argument registration as it'll be replaced with a more generic feature. We'll still need IORING_ENTER_EXT_ARG_REG parsing in a few commits so leave it be. Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/70b1d1d218c41ba77a76d1789c8641dab0b0563e.1731689588.git.asml.silence@gmail.com Signed-off-by: Jens Axboe commit 3730aebbdac8770f64ab66eb5e7129bc8dae731d Author: Pavel Begunkov Date: Fri Nov 15 16:54:39 2024 +0000 io_uring: disable ENTER_EXT_ARG_REG for IOPOLL IOPOLL doesn't use the extended arguments, no need for it to support IORING_ENTER_EXT_ARG_REG. Let's disable it for IOPOLL, if anything it leaves more space for future extensions. Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/a35ecd919dbdc17bd5b7932273e317832c531b45.1731689588.git.asml.silence@gmail.com Signed-off-by: Jens Axboe commit 68685fa20edc5307fc893a06473c19661c236f29 Author: Pavel Begunkov Date: Fri Nov 15 16:54:38 2024 +0000 io_uring: fortify io_pin_pages with a warning We're a bit too frivolous with types of nr_pages arguments, converting it to long and back to int, passing an unsigned int pointer as an int pointer and so on. Shouldn't cause any problem but should be carefully reviewed, but until then let's add a WARN_ON_ONCE check to be more confident callers don't pass poorely checked arguents. Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/d48e0c097cbd90fb47acaddb6c247596510d8cfc.1731689588.git.asml.silence@gmail.com Signed-off-by: Jens Axboe commit 56cec28dc4da396d6032c59ae9614c5a6ae7d7a8 Author: Al Viro Date: Fri Nov 15 03:49:02 2024 +0000 switch io_msg_ring() to CLASS(fd) Use CLASS(fd) to get the file for sync message ring requests, rather than open-code the file retrieval dance. Signed-off-by: Al Viro Link: https://lore.kernel.org/r/20241115034902.GP3387508@ZenIV [axboe: make a more coherent commit message] Signed-off-by: Jens Axboe commit bcdcb115eaed5e988cf37cc9a1dd5f5dd200e927 Author: Nathan Chancellor Date: Fri Nov 15 09:10:04 2024 -0700 ubifs: Fix uninitialized use of err in ubifs_jnl_write_inode() Clang warns (or errors with CONFIG_WERROR=y): fs/ubifs/journal.c:986:20: error: variable 'err' is uninitialized when used here [-Werror,-Wuninitialized] 986 | ubifs_ro_mode(c, err); | ^~~ Set err to -EPERM before the call to ubifs_ro_mode() and reuse it in the return statement to resolve the warning. Fixes: 957e1c4e1779 ("ubifs: ubifs_jnl_write_inode: Only check once for the limitation of xattr count") Signed-off-by: Nathan Chancellor Signed-off-by: Richard Weinberger commit aa03bda68af74e2079ae5e064f61a3d3d0b0ffc4 Merge: d6fa15bbcf9604 8b524944f92cca Author: Greg Kroah-Hartman Date: Fri Nov 15 17:45:04 2024 +0100 Merge tag 'usb-serial-6.13-rc1' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial into usb-next Johan writes: USB-serial updates for 6.13-rc1 Here are the USB-serial updates for 6.13-rc1, including: - improved support for quirky pl2303 hxd devices - make sure ftdi_sio TIOCGSERIAL returns consistent data Everything has been in linux-next with no reported issues. * tag 'usb-serial-6.13-rc1' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial: USB: serial: ftdi_sio: Fix atomicity violation in get_serial_info() USB: serial: pl2303: account for deficits of clones commit 85f0d8e39affb7b88401b1e0542230a7af985b96 Author: Wangyang Guo Date: Fri Nov 15 13:49:36 2024 +0800 workqueue: Reduce expensive locks for unbound workqueue For unbound workqueue, pwqs usually map to just a few pools. Most of the time, pwqs will be linked sequentially to wq->pwqs list by cpu index. Usually, consecutive CPUs have the same workqueue attribute (e.g. belong to the same NUMA node). This makes pwqs with the same pool cluster together in the pwq list. Only do lock/unlock if the pool has changed in flush_workqueue_prep_pwqs(). This reduces the number of expensive lock operations. The performance data shows this change boosts FIO by 65x in some cases when multiple concurrent threads write to xfs mount points with fsync. FIO Benchmark Details - FIO version: v3.35 - FIO Options: ioengine=libaio,iodepth=64,norandommap=1,rw=write, size=128M,bs=4k,fsync=1 - FIO Job Configs: 64 jobs in total writing to 4 mount points (ramdisks formatted as xfs file system). - Kernel Codebase: v6.12-rc5 - Test Platform: Xeon 8380 (2 sockets) Reviewed-by: Tim Chen Signed-off-by: Wangyang Guo Reviewed-by: Lai Jiangshan Signed-off-by: Tejun Heo commit e6384c398459c40e9304fbb478079884a5967bd4 Author: Ard Biesheuvel Date: Sun Oct 13 15:50:03 2024 +0200 efi/libstub: Parse builtin command line after bootloader provided one When CONFIG_CMDLINE_EXTEND is set, the core kernel command line handling logic appends CONFIG_CMDLINE to the bootloader provided command line. The EFI stub does the opposite, and parses the builtin one first. The usual behavior of command line options is that the last one takes precedence if it appears multiple times, unless there is a meaningful way to combine them. In either case, parsing the builtin command line first while the core kernel does it in the opposite order is likely to produce inconsistent results in such cases. Therefore, switch the order in the stub to match the core kernel. Signed-off-by: Ard Biesheuvel commit 21b1a7f7ae2f53c914f584a72a85cb4f71227e28 Author: Nicolas Saenz Julienne Date: Tue Nov 12 18:52:17 2024 +0000 x86/efi: Apply EFI Memory Attributes after kexec Kexec bypasses EFI's switch to virtual mode. In exchange, it has its own routine, kexec_enter_virtual_mode(), which replays the mappings made by the original kernel. Unfortunately, that function fails to reinstate EFI's memory attributes, which would've otherwise been set after entering virtual mode. Remediate this by calling efi_runtime_update_mappings() within kexec's routine. Signed-off-by: Nicolas Saenz Julienne Signed-off-by: Ard Biesheuvel commit 7eb4e1dd71009472215bc1f8226ee9a041da8d37 Author: Nicolas Saenz Julienne Date: Tue Nov 12 18:52:16 2024 +0000 x86/efi: Drop support for the EFI_PROPERTIES_TABLE Drop support for the EFI_PROPERTIES_TABLE. It was a failed, short-lived experiment that broke the boot both on Linux and Windows, and was replaced by the EFI_MEMORY_ATTRIBUTES_TABLE shortly after. Suggested-by: Ard Biesheuvel Signed-off-by: Nicolas Saenz Julienne Signed-off-by: Ard Biesheuvel commit 4ff04abf9d5bc33d33c7a799887517619188b068 Author: Yonghong Song Date: Thu Nov 14 22:03:54 2024 -0800 bpf: Add necessary migrate_disable to range_tree. When running bpf selftest (./test_progs -j), the following warnings showed up: $ ./test_progs -t arena_atomics ... BUG: using smp_processor_id() in preemptible [00000000] code: kworker/u19:0/12501 caller is bpf_mem_free+0x128/0x330 ... Call Trace: dump_stack_lvl check_preemption_disabled bpf_mem_free range_tree_destroy arena_map_free bpf_map_free_deferred process_scheduled_works ... For selftests arena_htab and arena_list, similar smp_process_id() BUGs are dumped, and the following are two stack trace: dump_stack_lvl check_preemption_disabled bpf_mem_alloc range_tree_set arena_map_alloc map_create ... dump_stack_lvl check_preemption_disabled bpf_mem_alloc range_tree_clear arena_vm_fault do_pte_missing handle_mm_fault do_user_addr_fault ... Add migrate_{disable,enable}() around related bpf_mem_{alloc,free}() calls to fix the issue. Fixes: b795379757eb ("bpf: Introduce range_tree data structure and use it in bpf arena") Signed-off-by: Yonghong Song Link: https://lore.kernel.org/r/20241115060354.2832495-1-yonghong.song@linux.dev Signed-off-by: Alexei Starovoitov commit ab4dc30c5322fc46d0db938d1c0bdd56d7adcea1 Author: Viktor Malik Date: Fri Nov 15 09:25:48 2024 +0100 bpf: Do not alloc arena on unsupported arches Do not allocate BPF arena on arches that do not support it, instead return EOPNOTSUPP. This is useful to prevent bugs such as soft lockups while trying to free the arena which we have witnessed on ppc64le [1]. [1] https://lore.kernel.org/bpf/4afdcb50-13f2-4772-8db1-3fd02bd985b3@redhat.com/ Signed-off-by: Viktor Malik Link: https://lore.kernel.org/r/20241115082548.74972-1-vmalik@redhat.com Signed-off-by: Alexei Starovoitov commit 7ca41faa5f5b9784ae2ef27e1c6902cddbc530ef Author: Arnaldo Carvalho de Melo Date: Thu Nov 14 18:13:17 2024 -0300 perf test shell trace_exit_race: Show what went wrong in verbose mode If it fails we need to check what was the reason, what were the lines that didn't match the expected format, so: root@number:~# perf test -v "trace exit race" --- start --- test child forked, pid 2028724 Lines not matching the expected regexp: ' +[0-9]+\.[0-9]+ +true/[0-9]+ syscalls:sys_enter_exit_group\(\)$': 0.000 :2028750/2028750 syscalls:sys_enter_exit_group() ---- end(-1) ---- 110: perf trace exit race : FAILED! root@number:~# In this case we're not resolving the process COMM for some reason and fallback to printing just the pid/tid, this will be fixed in a followup patch. Howard Chu spotted a problem with single code surrounding a regexp, that made the test always fail, but since there were some failures when I tested (COMM not being resolved in some of the results) the end inverse grep would show some lines and thus didn't notice the single quote problem. He also provided a patch to test if less than the number of expected matches took place but all of them with the expected output, in which case the inverse grep wouldn't show anything, confusing the tester. Reviewed-by: Howard Chu Cc: Adrian Hunter Cc: Alexander Shishkin Cc: Benjamin Peterson Cc: Ian Rogers Cc: Ingo Molnar Cc: Jiri Olsa Cc: Kan Liang Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Link: https://lore.kernel.org/lkml/ZzdknoHqrJbojb6P@x1 Signed-off-by: Arnaldo Carvalho de Melo commit b77587ac51d2fe4b9d5751662ddc083d19153662 Merge: 1876c788bba174 cb3daa51db819a Author: Arnd Bergmann Date: Fri Nov 15 15:19:42 2024 +0100 Merge tag 'soc_fsl-6.13-1' of https://github.com/chleroy/linux into soc/drivers FSL SOC changes for 6.13: - Fix a missing of_node_put() in RCPM - Fix a missing error code on failure in CPM1 QMC - Switch to using for_each_available_child_of_node_scoped() in CPM1 TSA * tag 'soc_fsl-6.13-1' of https://github.com/chleroy/linux: soc: fsl: cpm1: qmc: Set the ret error code on platform_get_irq() failure soc: fsl: rcpm: fix missing of_node_put() in copy_ippdexpcr1_setting() soc: fsl: cpm1: tsa: switch to for_each_available_child_of_node_scoped() Link: https://lore.kernel.org/r/c3c4961b-fe2a-4fcc-a7a1-f8b5352e09a2@csgroup.eu Signed-off-by: Arnd Bergmann commit 957860cbc1dc89f79f2acc193470224e350dfd03 Author: Jens Axboe Date: Fri Nov 15 07:14:03 2024 -0700 block: make struct rq_list available for !CONFIG_BLOCK A previous commit changed how requests are linked in the plug structure, but unlike the previous method, it uses a new type for it rather than struct request. The latter is available even for !CONFIG_BLOCK, while struct rq_list is now. Move it outside CONFIG_BLOCK. Reported-by: Nathan Chancellor Fixes: a3396b99990d ("block: add a rq_list type") Signed-off-by: Jens Axboe commit 82ff5abc2edcfba0c0f1a1be807795e2876f46e9 Author: Jonas Karlman Date: Fri Nov 15 04:43:44 2024 +0000 ASoC: hdmi-codec: reorder channel allocation list The ordering in hdmi_codec_get_ch_alloc_table_idx() results in wrong channel allocation for a number of cases, e.g. when ELD reports FL|FR|LFE|FC|RL|RR or FL|FR|LFE|FC|RL|RR|RC|RLC|RRC: ca_id 0x01 with speaker mask FL|FR|LFE is selected instead of ca_id 0x03 with speaker mask FL|FR|LFE|FC for 4 channels and ca_id 0x04 with speaker mask FL|FR|RC gets selected instead of ca_id 0x0b with speaker mask FL|FR|LFE|FC|RL|RR for 6 channels Fix this by reordering the channel allocation list with most specific speaker masks at the top. Signed-off-by: Jonas Karlman Signed-off-by: Christian Hewitt Link: https://patch.msgid.link/20241115044344.3510979-1-christianshewitt@gmail.com Signed-off-by: Mark Brown commit d303e3dd8d4648f2a1bb19944d4fb1c4a5030354 Author: zhang jiao Date: Thu Nov 14 16:40:39 2024 +0800 tools/thermal: Fix common realloc mistake If the 'realloc' fails, the thermal zones pointer is set to NULL. This makes all thermal zones references which were previously successfully initialized to be lost. [dlezcano] : Fixed indentation Signed-off-by: zhang jiao Link: https://lore.kernel.org/r/20241114084039.42149-1-zhangjiao2@cmss.chinamobile.com Signed-off-by: Daniel Lezcano commit fe52c649438b8489c9456681d93a9b3de3d38263 Author: Tvrtko Ursulin Date: Fri Nov 15 10:21:50 2024 +0000 dma-fence: Use kernel's sort for merging fences One alternative to the fix Christian proposed in https://lore.kernel.org/dri-devel/20241024124159.4519-3-christian.koenig@amd.com/ is to replace the rather complex open coded sorting loops with the kernel standard sort followed by a context squashing pass. Proposed advantage of this would be readability but one concern Christian raised was that there could be many fences, that they are typically mostly sorted, and so the kernel's heap sort would be much worse by the proposed algorithm. I had a look running some games and vkcube to see what are the typical number of input fences. Tested scenarios: 1) Hogwarts Legacy under Gamescope 450 calls per second to __dma_fence_unwrap_merge. Percentages per number of fences buckets, before and after checking for signalled status, sorting and flattening: N Before After 0 0.91% 1 69.40% 2-3 28.72% 9.4% (90.6% resolved to one fence) 4-5 0.93% 6-9 0.03% 10+ 2) Cyberpunk 2077 under Gamescope 1050 calls per second, amounting to 0.01% CPU time according to perf top. N Before After 0 1.13% 1 52.30% 2-3 40.34% 55.57% 4-5 1.46% 0.50% 6-9 2.44% 10+ 2.34% 3) vkcube under Plasma 90 calls per second. N Before After 0 1 2-3 100% 0% (Ie. all resolved to a single fence) 4-5 6-9 10+ In the case of vkcube all invocations in the 2-3 bucket were actually just two input fences. From these numbers it looks like the heap sort should not be a disadvantage, given how the dominant case is <= 2 input fences which heap sort solves with just one compare and swap. (And for the case of one input fence we have a fast path in the previous patch.) A complementary possibility is to implement a different sorting algorithm under the same API as the kernel's sort() and so keep the simplicity, potentially moving the new sort under lib/ if it would be found more widely useful. v2: * Hold on to fence references and reduce commentary. (Christian) * Record and use latest signaled timestamp in the 2nd loop too. * Consolidate zero or one fences fast paths. v3: * Reverse the seqno sort order for a simpler squashing pass. (Christian) Signed-off-by: Tvrtko Ursulin Fixes: 245a4a7b531c ("dma-buf: generalize dma_fence unwrap & merging v3") Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3617 Cc: Christian König Cc: Daniel Vetter Cc: Sumit Semwal Cc: Gustavo Padovan Cc: Friedrich Vock Cc: linux-media@vger.kernel.org Cc: dri-devel@lists.freedesktop.org Cc: linaro-mm-sig@lists.linaro.org Cc: # v6.0+ Reviewed-by: Christian König Signed-off-by: Christian König Link: https://patchwork.freedesktop.org/patch/msgid/20241115102153.1980-3-tursulin@igalia.com commit 949291c5314009b4f6e252391edbb40fdd5d5414 Author: Tvrtko Ursulin Date: Fri Nov 15 10:21:49 2024 +0000 dma-fence: Fix reference leak on fence merge failure path Release all fence references if the output dma-fence-array could not be allocated. Signed-off-by: Tvrtko Ursulin Fixes: 245a4a7b531c ("dma-buf: generalize dma_fence unwrap & merging v3") Cc: Christian König Cc: Daniel Vetter Cc: Sumit Semwal Cc: Gustavo Padovan Cc: Friedrich Vock Cc: linux-media@vger.kernel.org Cc: dri-devel@lists.freedesktop.org Cc: linaro-mm-sig@lists.linaro.org Cc: # v6.0+ Reviewed-by: Christian König Signed-off-by: Christian König Link: https://patchwork.freedesktop.org/patch/msgid/20241115102153.1980-2-tursulin@igalia.com commit 4223414efeae3a8efb4da1e9c9c52a1a44c1c5bf Author: Karol Przybylski Date: Sun Nov 10 19:50:58 2024 +0100 crypto: marvell/cesa - fix uninit value for struct mv_cesa_op_ctx In cesa/cipher.c most declarations of struct mv_cesa_op_ctx are uninitialized. This causes one of the values in the struct to be left unitialized in later usages. This patch fixes it by adding initializations in the same way it is done in cesa/hash.c. Fixes errors discovered in coverity: 1600942, 1600939, 1600935, 1600934, 1600929, 1600927, 1600925, 1600921, 1600920, 1600919, 1600915, 1600914 Signed-off-by: Karol Przybylski Signed-off-by: Herbert Xu commit 572b7cf08403b6c67dfe0dc3e0f2efb42443254f Author: Christophe JAILLET Date: Fri Nov 8 18:22:27 2024 +0100 crypto: cavium - Fix an error handling path in cpt_ucode_load_fw() If do_cpt_init() fails, a previous dma_alloc_coherent() call needs to be undone. Add the needed dma_free_coherent() before returning. Fixes: 9e2c7d99941d ("crypto: cavium - Add Support for Octeon-tx CPT Engine") Signed-off-by: Christophe JAILLET Signed-off-by: Herbert Xu commit dccd55892bbbcac5b6320745c809bd310b843f2f Author: Herbert Xu Date: Thu Nov 7 17:57:06 2024 +0800 crypto: aesni - Move back to module_init This patch reverts commit 0fbafd06bdde938884f7326548d3df812b267c3c ("crypto: aesni - fix failing setkey for rfc4106-gcm-aesni") by moving the aesni init function back to module_init from late_initcall. The original patch was needed because tests were synchronous. This is no longer the case so there is no need to postpone the registration. Signed-off-by: Herbert Xu commit 0594ad6184598b5b9a6eb5619785f37f825e6ffd Author: Herbert Xu Date: Thu Nov 7 13:37:35 2024 +0800 crypto: lib/mpi - Export mpi_set_bit This function is part of the exposed API and should be exported. Otherwise a modular user would fail to build, e.g., crypto/rsa. Signed-off-by: Herbert Xu commit 3574a5168ff3b6bddc4cd235878491f75967c8d4 Author: Michal Suchanek Date: Wed Nov 6 13:09:33 2024 +0100 crypto: aes-gcm-p10 - Use the correct bit to test for P10 A hwcap feature bit is passed to cpu_has_feature, resulting in testing for CPU_FTR_MMCRA instead of the 3.1 platform revision. Fixes: c954b252dee9 ("crypto: powerpc/p10-aes-gcm - Register modules as SIMD") Reported-by: Nicolai Stange Signed-off-by: Michal Suchanek Acked-by: Michael Ellerman (powerpc) Signed-off-by: Herbert Xu commit 5465951e3f539aaff21823706d631b75407fb8d5 Author: Lukas Bulwahn Date: Wed Nov 6 09:13:43 2024 +0100 hwrng: amd - remove reference to removed PPC_MAPLE config Commit 62f8f307c80e ("powerpc/64: Remove maple platform") removes the PPC_MAPLE config as a consequence of the platform’s removal. The config definition of HW_RANDOM_AMD refers to this removed config option in its dependencies. Remove the reference to the removed config option. Signed-off-by: Lukas Bulwahn Acked-by: Michael Ellerman (powerpc) Signed-off-by: Herbert Xu commit e7c1d1c9b2023decb855ec4c921a7d78abbf64eb Author: Ard Biesheuvel Date: Tue Nov 5 17:09:06 2024 +0100 crypto: arm/crct10dif - Implement plain NEON variant The CRC-T10DIF algorithm produces a 16-bit CRC, and this is reflected in the folding coefficients, which are also only 16 bits wide. This means that the polynomial multiplications involving these coefficients can be performed using 8-bit long polynomial multiplication (8x8 -> 16) in only a few steps, and this is an instruction that is part of the base NEON ISA, which is all most real ARMv7 cores implement. (The 64-bit PMULL instruction is part of the crypto extensions, which are only implemented by 64-bit cores) The final reduction is a bit more involved, but we can delegate that to the generic CRC-T10DIF implementation after folding the entire input into a 16 byte vector. This results in a speedup of around 6.6x on Cortex-A72 running in 32-bit mode. On Cortex-A8 (BeagleBone White), the results are substantially better than that, but not sufficiently reproducible (with tcrypt) to quote a number here. Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu commit 802d8d110ce2b3ae979221551f4cb168e2f5e464 Author: Ard Biesheuvel Date: Tue Nov 5 17:09:05 2024 +0100 crypto: arm/crct10dif - Macroify PMULL asm code To allow an alternative version to be created of the PMULL based CRC-T10DIF algorithm, turn the bulk of it into a macro, except for the final reduction, which will only be used by the existing version. Reviewed-by: Eric Biggers Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu commit fcf27785ae51b259ea2a9b340f10f9d393954887 Author: Ard Biesheuvel Date: Tue Nov 5 17:09:04 2024 +0100 crypto: arm/crct10dif - Use existing mov_l macro instead of __adrl Reviewed-by: Eric Biggers Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu commit 779cee8209c67aae195a81c3a72bac9e127fdaee Author: Ard Biesheuvel Date: Tue Nov 5 17:09:03 2024 +0100 crypto: arm64/crct10dif - Remove remaining 64x64 PMULL fallback code The only remaining user of the fallback implementation of 64x64 polynomial multiplication using 8x8 PMULL instructions is the final reduction from a 16 byte vector to a 16-bit CRC. The fallback code is complicated and messy, and this reduction has little impact on the overall performance, so instead, let's calculate the final CRC by passing the 16 byte vector to the generic CRC-T10DIF implementation when running the fallback version. Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu commit 67dfb1b73f423622a0096ea43fb1f5b7336f49e0 Author: Ard Biesheuvel Date: Tue Nov 5 17:09:02 2024 +0100 crypto: arm64/crct10dif - Use faster 16x64 bit polynomial multiply The CRC-T10DIF implementation for arm64 has a version that uses 8x8 polynomial multiplication, for cores that lack the crypto extensions, which cover the 64x64 polynomial multiplication instruction that the algorithm was built around. This fallback version rather naively adopted the 64x64 polynomial multiplication algorithm that I ported from ARM for the GHASH driver, which needs 8 PMULL8 instructions to implement one PMULL64. This is reasonable, given that each 8-bit vector element needs to be multiplied with each element in the other vector, producing 8 vectors with partial results that need to be combined to yield the correct result. However, most PMULL64 invocations in the CRC-T10DIF code involve multiplication by a pair of 16-bit folding coefficients, and so all the partial results from higher order bytes will be zero, and there is no need to calculate them to begin with. Then, the CRC-T10DIF algorithm always XORs the output values of the PMULL64 instructions being issued in pairs, and so there is no need to faithfully implement each individual PMULL64 instruction, as long as XORing the results pairwise produces the expected result. Implementing these improvements results in a speedup of 3.3x on low-end platforms such as Raspberry Pi 4 (Cortex-A72) Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu commit 7048c21e6b50e4dec0de1ed48b12db50b94b3f57 Author: Ard Biesheuvel Date: Tue Nov 5 17:09:01 2024 +0100 crypto: arm64/crct10dif - Remove obsolete chunking logic This is a partial revert of commit fc754c024a343b, which moved the logic into C code which ensures that kernel mode NEON code does not hog the CPU for too long. This is no longer needed now that kernel mode NEON no longer disables preemption, so we can drop this. Reviewed-by: Eric Biggers Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu commit 19630cf57233e845b6ac57c9c969a4888925467b Author: Chen Ridong Date: Mon Nov 4 12:17:45 2024 +0000 crypto: bcm - add error check in the ahash_hmac_init function The ahash_init functions may return fails. The ahash_hmac_init should not return ok when ahash_init returns error. For an example, ahash_init will return -ENOMEM when allocation memory is error. Fixes: 9d12ba86f818 ("crypto: brcm - Add Broadcom SPU driver") Signed-off-by: Chen Ridong Signed-off-by: Herbert Xu commit b64140c74e954f1db6eae5548ca3a1f41b6fad79 Author: Chen Ridong Date: Mon Nov 4 12:15:11 2024 +0000 crypto: caam - add error check to caam_rsa_set_priv_key_form The caam_rsa_set_priv_key_form did not check for memory allocation errors. Add the checks to the caam_rsa_set_priv_key_form functions. Fixes: 52e26d77b8b3 ("crypto: caam - add support for RSA key form 2") Signed-off-by: Chen Ridong Reviewed-by: Gaurav Jain Reviewed-by: Horia Geantă Signed-off-by: Herbert Xu commit b0ccf4f53d968e794a4ea579d5135cc1aaf1a53f Author: Jeremy Sowden Date: Thu Nov 14 22:08:13 2024 +0100 netfilter: bitwise: add support for doing AND, OR and XOR directly Hitherto, these operations have been converted in user space to mask-and-xor operations on one register and two immediate values, and it is the latter which have been evaluated by the kernel. We add support for evaluating these operations directly in kernel space on one register and either an immediate value or a second register. Pablo made a few changes to the original patch: - EINVAL if NFTA_BITWISE_SREG2 is used with fast version. - Allow _AND,_OR,_XOR with _DATA != sizeof(u32) - Dump _SREG2 or _DATA with _AND,_OR,_XOR Signed-off-by: Jeremy Sowden Signed-off-by: Pablo Neira Ayuso commit 8fbe4c49c0ccac9a6a3cff35a45fa55d4ae35d6e Author: Ard Biesheuvel Date: Thu Oct 31 18:58:23 2024 +0100 efi/memattr: Ignore table if the size is clearly bogus There are reports [0] of cases where a corrupt EFI Memory Attributes Table leads to out of memory issues at boot because the descriptor size and entry count in the table header are still used to reserve the entire table in memory, even though the resulting region is gigabytes in size. Given that the EFI Memory Attributes Table is supposed to carry up to 3 entries for each EfiRuntimeServicesCode region in the EFI memory map, and given that there is no reason for the descriptor size used in the table to exceed the one used in the EFI memory map, 3x the size of the entire EFI memory map is a reasonable upper bound for the size of this table. This means that sizes exceeding that are highly likely to be based on corrupted data, and the table should just be ignored instead. [0] https://bugzilla.suse.com/show_bug.cgi?id=1231465 Cc: Gregory Price Cc: Usama Arif Acked-by: Jiri Slaby Acked-by: Breno Leitao Link: https://lore.kernel.org/all/20240912155159.1951792-2-ardb+git@google.com/ Signed-off-by: Ard Biesheuvel commit 7ff3e945a35ac472c6783403eae1e7519d96f1cf Author: Colin Ian King Date: Fri Nov 8 11:25:09 2024 +0000 ecryptfs: Fix spelling mistake "validationg" -> "validating" There is a spelling mistake in an error message literal string. Fix it. Signed-off-by: Colin Ian King Link: https://lore.kernel.org/r/20241108112509.109891-1-colin.i.king@gmail.com Signed-off-by: Christian Brauner commit 2cc789654a36e2561c2c96332a684e351b10f13f Merge: b4201b51d93eac 92f3da0d9276f9 Author: Christian Brauner Date: Fri Nov 15 11:50:59 2024 +0100 Merge patch series "ecryptfs: convert to the new mount API" Eric Sandeen says: This is lightly tested with the kernel tests present in ecryptfs-utils, but it could certainly use a bit more testing and review, particularly with invalid mount option sets. This one is a little unique compared to other filesystems in that I allocate both an fs context and the *sbi in .init_fs_context; the *sbi is long-lived, and the context is only present during the initial mount. Allocating sbi with the filesystem context means we can set options into it directly, rather than needing to do it after parsing. And it's particularly simple to do it this way given that there is no remount. * patches from https://lore.kernel.org/r/20241028143359.605061-1-sandeen@redhat.com: ecryptfs: Convert ecryptfs to use the new mount API ecryptfs: Factor out mount option validation Link: https://lore.kernel.org/r/20241028143359.605061-1-sandeen@redhat.com Signed-off-by: Christian Brauner commit 92f3da0d9276f921af49a05c2684fca45e1f1c21 Author: Eric Sandeen Date: Mon Oct 28 09:32:39 2024 -0500 ecryptfs: Convert ecryptfs to use the new mount API Convert ecryptfs to the new mount API. Signed-off-by: Eric Sandeen Link: https://lore.kernel.org/r/20241028143359.605061-3-sandeen@redhat.com Acked-by: Tyler Hicks Signed-off-by: Christian Brauner commit 56bd06c2640b78cef985159e03f42bf3897013ff Author: Eric Sandeen Date: Mon Oct 28 09:32:38 2024 -0500 ecryptfs: Factor out mount option validation Under the new mount API, mount options are parsed one at a time. Any validation that examines multiple options must be done after parsing is complete, so factor out a ecryptfs_validate_options() which can be called separately. To facilitate this, temporarily move the local variables that tracked whether various options have been set in the parsing function, into the ecryptfs_mount_crypt_stat structure so that they can be examined later. These will be moved to a more ephemeral struct in the mount api conversion patch to follow. Signed-off-by: Eric Sandeen Link: https://lore.kernel.org/r/20241028143359.605061-2-sandeen@redhat.com Acked-by: Tyler Hicks Signed-off-by: Christian Brauner commit a312c10c0186b3fa6e6f9d4ca696913372804fae Merge: 8e929cb546ee42 a20853ab8296d4 Author: Christian Brauner Date: Fri Nov 15 11:35:16 2024 +0100 Merge patch series "API for exporting connectable file handles to userspace" Amir Goldstein says: These patches bring the NFS connectable file handles feature to userspace servers. They rely on Christian's and Aleksa's changes recently merged to v6.12. The API I chose for encoding conenctable file handles is pretty conventional (AT_HANDLE_CONNECTABLE). open_by_handle_at(2) does not have AT_ flags argument, but also, I find it more useful API that encoding a connectable file handle can mandate the resolving of a connected fd, without having to opt-in for a connected fd independently. I chose to implemnent this by using upper bits in the handle type field It may be that out-of-tree filesystems return a handle type with upper bits set, but AFAIK, no in-tree filesystem does that. I added some warnings just in case we encouter that. I have written an fstest [1] and a man page draft [2] for the feature. [1] https://github.com/amir73il/xfstests/commits/connectable-fh/ [2] https://github.com/amir73il/man-pages/commits/connectable-fh/ * patches from https://lore.kernel.org/r/20241011090023.655623-1-amir73il@gmail.com: fs: open_by_handle_at() support for decoding "explicit connectable" file handles fs: name_to_handle_at() support for "explicit connectable" file handles fs: prepare for "explicit connectable" file handles Link: https://lore.kernel.org/r/20241011090023.655623-1-amir73il@gmail.com Signed-off-by: Christian Brauner commit a20853ab8296d4a8754482cb5e9adde8ab426a25 Author: Amir Goldstein Date: Fri Oct 11 11:00:23 2024 +0200 fs: open_by_handle_at() support for decoding "explicit connectable" file handles Teach open_by_handle_at(2) about the type format of "explicit connectable" file handles that were created using the AT_HANDLE_CONNECTABLE flag to name_to_handle_at(2). When decoding an "explicit connectable" file handles, name_to_handle_at(2) should fail if it cannot open a "connected" fd with known path, which is accessible (to capable user) from mount fd path. Note that this does not check if the path is accessible to the calling user, just that it is accessible wrt the mount namesapce, so if there is no "connected" alias, or if parts of the path are hidden in the mount namespace, open_by_handle_at(2) will return -ESTALE. Signed-off-by: Amir Goldstein Link: https://lore.kernel.org/r/20241011090023.655623-4-amir73il@gmail.com Fixes: 570df4e9c23f ("ceph: snapshot nfs re-export") Acked-by: Reviewed-by: Jeff Layton Signed-off-by: Christian Brauner commit c374196b2b9f4b803fccd59ed82f0712041e21e1 Author: Amir Goldstein Date: Fri Oct 11 11:00:22 2024 +0200 fs: name_to_handle_at() support for "explicit connectable" file handles nfsd encodes "connectable" file handles for the subtree_check feature, which can be resolved to an open file with a connected path. So far, userspace nfs server could not make use of this functionality. Introduce a new flag AT_HANDLE_CONNECTABLE to name_to_handle_at(2). When used, the encoded file handle is "explicitly connectable". The "explicitly connectable" file handle sets bits in the high 16bit of the handle_type field, so open_by_handle_at(2) will know that it needs to open a file with a connected path. old kernels will now recognize the handle_type with high bits set, so "explicitly connectable" file handles cannot be decoded by open_by_handle_at(2) on old kernels. The flag AT_HANDLE_CONNECTABLE is not allowed together with either AT_HANDLE_FID or AT_EMPTY_PATH. Signed-off-by: Amir Goldstein Link: https://lore.kernel.org/r/20241011090023.655623-3-amir73il@gmail.com Fixes: 570df4e9c23f ("ceph: snapshot nfs re-export") Acked-by: Reviewed-by: Jeff Layton Signed-off-by: Christian Brauner commit 4a530a7c751d27f9dbd70b7fc45670cd11713b13 Author: Amir Goldstein Date: Fri Oct 11 11:00:21 2024 +0200 fs: prepare for "explicit connectable" file handles We would like to use the high 16bit of the handle_type field to encode file handle traits, such as "connectable". In preparation for this change, make sure that filesystems do not return a handle_type value with upper bits set and that the open_by_handle_at(2) syscall rejects these handle types. Signed-off-by: Amir Goldstein Link: https://lore.kernel.org/r/20241011090023.655623-2-amir73il@gmail.com Fixes: 570df4e9c23f ("ceph: snapshot nfs re-export") Acked-by: Reviewed-by: Jan Kara Reviewed-by: Jeff Layton Signed-off-by: Christian Brauner commit a12143e6084c502fc3cfaa8b717bffc8c14cf806 Author: Jeremy Sowden Date: Thu Nov 14 22:07:51 2024 +0100 netfilter: bitwise: rename some boolean operation functions In the next patch we add support for doing AND, OR and XOR operations directly in the kernel, so rename some functions and an enum constant related to mask-and-xor boolean operations. Signed-off-by: Jeremy Sowden Signed-off-by: Pablo Neira Ayuso commit f0d839c13ed50175a6e8b3a5ccd591ed15307995 Author: Guillaume Nault Date: Thu Nov 14 17:03:52 2024 +0100 netfilter: nf_dup4: Convert nf_dup_ipv4_route() to dscp_t. Use ip4h_dscp() instead of reading iph->tos directly. ip4h_dscp() returns a dscp_t value which is temporarily converted back to __u8 with inet_dscp_to_dsfield(). When converting ->flowi4_tos to dscp_t in the future, we'll only have to remove that inet_dscp_to_dsfield() call. Signed-off-by: Guillaume Nault Signed-off-by: Pablo Neira Ayuso commit f12b67cc7d1b67fe9ecee537df5b55625889ca9f Author: Guillaume Nault Date: Thu Nov 14 17:03:45 2024 +0100 netfilter: nft_fib: Convert nft_fib4_eval() to dscp_t. Use ip4h_dscp() instead of reading iph->tos directly. ip4h_dscp() returns a dscp_t value which is temporarily converted back to __u8 with inet_dscp_to_dsfield(). When converting ->flowi4_tos to dscp_t in the future, we'll only have to remove that inet_dscp_to_dsfield() call. Signed-off-by: Guillaume Nault Signed-off-by: Pablo Neira Ayuso commit f694ce6de58930146037aa3f69a534e98b007ff3 Author: Guillaume Nault Date: Thu Nov 14 17:03:38 2024 +0100 netfilter: rpfilter: Convert rpfilter_mt() to dscp_t. Use ip4h_dscp() instead of reading iph->tos directly. ip4h_dscp() returns a dscp_t value which is temporarily converted back to __u8 with inet_dscp_to_dsfield(). When converting ->flowi4_tos to dscp_t in the future, we'll only have to remove that inet_dscp_to_dsfield() call. Signed-off-by: Guillaume Nault Signed-off-by: Pablo Neira Ayuso commit 6f9615a6e686bc0acfb5a02050a50782a6a378b2 Author: Guillaume Nault Date: Thu Nov 14 17:03:31 2024 +0100 netfilter: flow_offload: Convert nft_flow_route() to dscp_t. Use ip4h_dscp()instead of reading ip_hdr()->tos directly. ip4h_dscp() returns a dscp_t value which is temporarily converted back to __u8 with inet_dscp_to_dsfield(). When converting ->flowi4_tos to dscp_t in the future, we'll only have to remove that inet_dscp_to_dsfield() call. Also, remove the comment about the net/ip.h include file, since it's now required for the ip4h_dscp() helper too. Signed-off-by: Guillaume Nault Signed-off-by: Pablo Neira Ayuso commit 0608746f95b29402421c0e0e96005afba45178ec Author: Guillaume Nault Date: Thu Nov 14 17:03:21 2024 +0100 netfilter: ipv4: Convert ip_route_me_harder() to dscp_t. Use ip4h_dscp()instead of reading iph->tos directly. ip4h_dscp() returns a dscp_t value which is temporarily converted back to __u8 with inet_dscp_to_dsfield(). When converting ->flowi4_tos to dscp_t in the future, we'll only have to remove that inet_dscp_to_dsfield() call. Signed-off-by: Guillaume Nault Signed-off-by: Pablo Neira Ayuso commit 6fce6e9791685e95b70144a414eb90132e497489 Author: Ard Biesheuvel Date: Sun Oct 13 13:09:09 2024 +0200 efi/zboot: Fix outdated comment about using LoadImage/StartImage EFI zboot no longer uses LoadImage/StartImage, but subsumes the arch code to load and start the bare metal image directly. Fix the Kconfig description accordingly. Signed-off-by: Ard Biesheuvel commit 06d39d79cbd5a91a33707951ebf2512d0e759847 Author: Ard Biesheuvel Date: Sun Oct 13 15:19:04 2024 +0200 efi/libstub: Free correct pointer on failure cmdline_ptr is an out parameter, which is not allocated by the function itself, and likely points into the caller's stack. cmdline refers to the pool allocation that should be freed when cleaning up after a failure, so pass this instead to free_pool(). Fixes: 42c8ea3dca09 ("efi: libstub: Factor out EFI stub entrypoint ...") Cc: Signed-off-by: Ard Biesheuvel commit eb01f8f3c446ed81e3b2c44b7fbed8a5d6be9d3d Author: Thorsten Blum Date: Thu Nov 14 23:46:49 2024 +0100 microblaze: mb: Use str_yes_no() helper in show_cpuinfo() Remove hard-coded strings by using the str_yes_no() helper function. Signed-off-by: Thorsten Blum Link: https://lore.kernel.org/r/20241114224649.57946-4-thorsten.blum@linux.dev Signed-off-by: Michal Simek commit 1be858f7fafe73afba1e2af9fc6dfce04f411354 Author: Théo Lebrun Date: Wed Nov 6 17:04:01 2024 +0100 MIPS: mobileye: eyeq6h: add OLB nodes OLB and remove fixed clocks Change the declaration of clocks: remove all fixed clocks and declare system-controllers (OLB) as clock providers. Remove eyeq6h-fixed-clocks.dtsi and move the crystal clock to the main eyeq6h.dtsi file. Signed-off-by: Théo Lebrun Signed-off-by: Thomas Bogendoerfer commit d3c3c283afbe17a656d546c6881b8e01071b906c Author: Théo Lebrun Date: Wed Nov 6 17:04:00 2024 +0100 MIPS: mobileye: eyeq5: use OLB as provider for fixed factor clocks Change the structure of the clock tree: rather than individual devicetree nodes registering each fixed factor clock derived from OLB PLLs, have the OLB node provide the necessary clocks. Remove eyeq5-clocks.dtsi and move the three remaining "fixed-clock"s to the main eyeq5.dtsi file. Signed-off-by: Théo Lebrun Signed-off-by: Thomas Bogendoerfer commit 42f0cbb2a253bcd7d4f20e80462014622f19d88e Merge: ae3325f752ef6d 980e3016ebcc00 18f5a6b34b0696 f6681abd413919 Author: Joerg Roedel Date: Fri Nov 15 09:27:43 2024 +0100 Merge branches 'intel/vt-d', 'amd/amd-vi' and 'iommufd/arm-smmuv3-nested' into next commit ae3325f752ef6d278fc8901c3d6bba5715481d57 Merge: 2d5404caa8c7bb 9af48bbbae2a10 3ab21ad3d5cfcd ecda483339a515 95b6235e36953e 488ffbf181718b fcdb982e935b38 Author: Joerg Roedel Date: Fri Nov 15 09:27:02 2024 +0100 Merge branches 'arm/smmu', 'mediatek', 's390', 'ti/omap', 'riscv' and 'core' into next commit 9af48bbbae2a105697817dea4c1bc4992d4ef692 Merge: 6ac7dffe7cca9b a3799717b881aa Author: Joerg Roedel Date: Fri Nov 15 09:25:00 2024 +0100 Merge tag 'arm-smmu-updates' of git://git.kernel.org/pub/scm/linux/kernel/git/will/linux into arm/smmu Arm SMMU updates for 6.13 - SMMUv2: * Return -EPROBE_DEFER for client devices probing before their SMMU. * Devicetree binding updates for Qualcomm MMU-500 implementations. - SMMUv3: * Minor fixes and cleanup for NVIDIA's virtual command queue driver. - IO-PGTable: * Fix indexing of concatenated PGDs and extend selftest coverage. * Remove unused block-splitting support. commit d66907b51ba07450bf9c6fb94364e3bf3f5e4c04 Author: Amir Goldstein Date: Tue Nov 5 21:29:36 2024 +0100 ovl: convert ovl_real_fdget() callers to ovl_real_file() Stop using struct fd to return a real file from ovl_real_fdget(), because we no longer return a temporary file object and the callers always get a borrowed file reference. Rename the helper to ovl_real_file(), return a borrowed reference of the real file that is referenced from the overlayfs file or an error. Signed-off-by: Amir Goldstein commit 4333e42ed44448898a31665339702591284d1698 Author: Amir Goldstein Date: Tue Nov 5 21:28:49 2024 +0100 ovl: convert ovl_real_fdget_path() callers to ovl_real_file_path() Stop using struct fd to return a real file from ovl_real_fdget_path(), because we no longer return a temporary file object and the callers always get a borrowed file reference. Rename the helper to ovl_real_file_path(), return a borrowed reference of the real file that is referenced from the overlayfs file or an error. Signed-off-by: Amir Goldstein commit 18e48d0e2c7b137be532fedbb5fba31b43e043b2 Author: Amir Goldstein Date: Mon Oct 14 17:25:26 2024 +0200 ovl: store upper real file in ovl_file struct When an overlayfs file is opened as lower and then the file is copied up, every operation on the overlayfs open file will open a temporary backing file to the upper dentry and close it at the end of the operation. Store the upper real file along side the original (lower) real file in ovl_file instead of opening a temporary upper file on every operation. Signed-off-by: Amir Goldstein commit 87a8a76c34a2ae6f667cc33249dc99705e363d1f Author: Amir Goldstein Date: Mon Oct 7 15:22:29 2024 +0200 ovl: allocate a container struct ovl_file for ovl private context Instead of using ->private_data to point at realfile directly, so that we can add more context per ovl open file. Signed-off-by: Amir Goldstein commit c2c54b5f34f6341f24d06689d4b986bd75b4b41c Author: Amir Goldstein Date: Tue Nov 5 21:28:06 2024 +0100 ovl: do not open non-data lower file for fsync ovl_fsync() with !datasync opens a backing file from the top most dentry in the stack, checks if this dentry is non-upper and skips the fsync. In case of an overlay dentry stack with lower data and lower metadata above it, but without an upper metadata above it, the backing file is opened from the top most lower metadata dentry and never used. Refactor the helper ovl_real_fdget_meta() into ovl_real_fdget_path() and open code the checks for non-upper inode in ovl_fsync(), so in that case we can avoid the unneeded backing file open. Signed-off-by: Amir Goldstein commit c5b28fc161c5402da2e10cc11637c2dff727ac23 Author: Vinicius Costa Gomes Date: Thu Nov 14 09:52:23 2024 +0100 ovl: Optimize override/revert creds Use override_creds_light() in ovl_override_creds() and revert_creds_light() in ovl_revert_creds(). The _light() functions do not change the 'usage' of the credentials in question, as they refer to the credentials associated with the mounter, which have a longer lifetime. In ovl_setup_cred_for_create(), do not need to modify the mounter credentials (returned by override_creds_light()) 'usage' counter. Add a warning to verify that we are indeed working with the mounter credentials (stored in the superblock). Failure in this assumption means that creds may leak. Suggested-by: Christian Brauner Signed-off-by: Vinicius Costa Gomes Signed-off-by: Amir Goldstein commit 2c259a91d8d23a8266092b0dd51b8092877717a4 Author: Etienne Buira Date: Fri Nov 8 17:45:32 2024 +0100 gdb: lx-symbols: do not error out on monolithic build This avoids spurious message: (gdb) lx-symbols loading vmlinux No source file named kernel/module/main.c. Link: https://lkml.kernel.org/r/Zy5ALByQtpO-ddh4@Z926fQmE5jqhFMgp6 Signed-off-by: Etienne Buira Cc: Andrew Ballance Cc: Kieran Bingham Signed-off-by: Andrew Morton commit 2532e6c74a67e65b95f310946e0c0e0a41b3a34b Author: Ritesh Harjani (IBM) Date: Wed Nov 13 19:49:54 2024 +0530 cma: enforce non-zero pageblock_order during cma_init_reserved_mem() cma_init_reserved_mem() checks base and size alignment with CMA_MIN_ALIGNMENT_BYTES. However, some users might call this during early boot when pageblock_order is 0. That means if base and size does not have pageblock_order alignment, it can cause functional failures during cma activate area. So let's enforce pageblock_order to be non-zero during cma_init_reserved_mem() to catch such wrong usages. 1. This was seen with fadump on PowerPC which was calling cma_init_reserved_mem() before the pageblock_order was initialized. This is now fixed in the fadump on PowerPC itself. The details of that can be found in the patch including the userspace-visible effect of the issue [1]. 2. However it was also decided that we should add a stronger enforcement check within cma_init_reserved_mem() to catch such wrong usages [2]. Hence this patch. This is ok to be in -next and there is no "Fixes" tag required for this patch. [1]: https://lore.kernel.org/all/3ae208e48c0d9cefe53d2dc4f593388067405b7d.1729146153.git.ritesh.list@gmail.com/ [2]: https://lore.kernel.org/all/83eb128e-4f06-4725-a843-a4563f246a44@redhat.com/ Link: https://lkml.kernel.org/r/e274344b44d5f80fa54c52f530387257fe99ec65.1731505681.git.ritesh.list@gmail.com Signed-off-by: Ritesh Harjani (IBM) Acked-by: David Hildenbrand Acked-by: Zi Yan Reviewed-by: Anshuman Khandual Signed-off-by: Andrew Morton commit 811808d365398680b628d2b88aafeba77c88691a Author: Nirjhar Roy Date: Fri Oct 18 23:16:01 2024 +0530 mm/kfence: add a new kunit test test_use_after_free_read_nofault() Faults from copy_from_kernel_nofault() need to be handled by fixup table and should not be handled by kfence. Otherwise while reading /proc/kcore which uses copy_from_kernel_nofault(), kfence can generate false negatives. This can happen when /proc/kcore ends up reading an unmapped address from kfence pool. Let's add a testcase to cover this case. Link: https://lkml.kernel.org/r/210e561f7845697a32de44b643393890f180069f.1729272697.git.ritesh.list@gmail.com Signed-off-by: Nirjhar Roy Co-developed-by: Ritesh Harjani (IBM) Signed-off-by: Ritesh Harjani (IBM) Tested-by: Marco Elver Reviewed-by: Marco Elver Cc: Alexander Potapenko Cc: Dmitry Vyukov Signed-off-by: Andrew Morton commit f364cdeb38938f9d03061682b8ff3779dd1730e5 Author: Liu Shixin Date: Fri Nov 8 18:01:47 2024 +0800 zram: fix NULL pointer in comp_algorithm_show() LTP reported a NULL pointer dereference as followed: CPU: 7 UID: 0 PID: 5995 Comm: cat Kdump: loaded Not tainted 6.12.0-rc6+ #3 Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 pstate: 40400005 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __pi_strcmp+0x24/0x140 lr : zcomp_available_show+0x60/0x100 [zram] sp : ffff800088b93b90 x29: ffff800088b93b90 x28: 0000000000000001 x27: 0000000000400cc0 x26: 0000000000000ffe x25: ffff80007b3e2388 x24: 0000000000000000 x23: ffff80007b3e2390 x22: ffff0004041a9000 x21: ffff80007b3e2900 x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: ffff80007b3e2900 x9 : ffff80007b3cb280 x8 : 0101010101010101 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 0000000000000040 x4 : 0000000000000000 x3 : 00656c722d6f7a6c x2 : 0000000000000000 x1 : ffff80007b3e2900 x0 : 0000000000000000 Call trace: __pi_strcmp+0x24/0x140 comp_algorithm_show+0x40/0x70 [zram] dev_attr_show+0x28/0x80 sysfs_kf_seq_show+0x90/0x140 kernfs_seq_show+0x34/0x48 seq_read_iter+0x1d4/0x4e8 kernfs_fop_read_iter+0x40/0x58 new_sync_read+0x9c/0x168 vfs_read+0x1a8/0x1f8 ksys_read+0x74/0x108 __arm64_sys_read+0x24/0x38 invoke_syscall+0x50/0x120 el0_svc_common.constprop.0+0xc8/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x38/0x138 el0t_64_sync_handler+0xc0/0xc8 el0t_64_sync+0x188/0x190 The zram->comp_algs[ZRAM_PRIMARY_COMP] can be NULL in zram_add() if comp_algorithm_set() has not been called. User can access the zram device by sysfs after device_add_disk(), so there is a time window to trigger the NULL pointer dereference. Move it ahead device_add_disk() to make sure when user can access the zram device, it is ready. comp_algorithm_set() is protected by zram->init_lock in other places and no such problem. Link: https://lkml.kernel.org/r/20241108100147.3776123-1-liushixin2@huawei.com Fixes: 7ac07a26dea7 ("zram: preparation for multi-zcomp support") Signed-off-by: Liu Shixin Reviewed-by: Sergey Senozhatsky Cc: Jens Axboe Cc: Minchan Kim Signed-off-by: Andrew Morton commit 05d4532b60e3e6e2a094ec56a88d1def50bd2430 Author: Joshua Hahn Date: Fri Nov 1 13:44:02 2024 -0700 memcg/hugetlb: add hugeTLB counters to memcg This patch introduces a new counter to memory.stat that tracks hugeTLB usage, only if hugeTLB accounting is done to memory.current. This feature is enabled the same way hugeTLB accounting is enabled, via the memory_hugetlb_accounting mount flag for cgroupsv2. 1. Why is this patch necessary? Currently, memcg hugeTLB accounting is an opt-in feature [1] that adds hugeTLB usage to memory.current. However, the metric is not reported in memory.stat. Given that users often interpret memory.stat as a breakdown of the value reported in memory.current, the disparity between the two reports can be confusing. This patch solves this problem by including the metric in memory.stat as well, but only if it is also reported in memory.current (it would also be confusing if the value was reported in memory.stat, but not in memory.current) Aside from the consistency between the two files, we also see benefits in observability. Userspace might be interested in the hugeTLB footprint of cgroups for many reasons. For instance, system admins might want to verify that hugeTLB usage is distributed as expected across tasks: i.e. memory-intensive tasks are using more hugeTLB pages than tasks that don't consume a lot of memory, or are seen to fault frequently. Note that this is separate from wanting to inspect the distribution for limiting purposes (in which case, hugeTLB controller makes more sense). 2. We already have a hugeTLB controller. Why not use that? It is true that hugeTLB tracks the exact value that we want. In fact, by enabling the hugeTLB controller, we get all of the observability benefits that I mentioned above, and users can check the total hugeTLB usage, verify if it is distributed as expected, etc. With this said, there are 2 problems: (a) They are still not reported in memory.stat, which means the disparity between the memcg reports are still there. (b) We cannot reasonably expect users to enable the hugeTLB controller just for the sake of hugeTLB usage reporting, especially since they don't have any use for hugeTLB usage enforcing [2]. 3. Implementation Details: In the alloc / free hugetlb functions, we call lruvec_stat_mod_folio regardless of whether memcg accounts hugetlb. mem_cgroup_commit_charge which is called from alloc_hugetlb_folio will set memcg for the folio only if the CGRP_ROOT_MEMORY_HUGETLB_ACCOUNTING cgroup mount option is used, so lruvec_stat_mod_folio accounts per-memcg hugetlb counters only if the feature is enabled. Regardless of whether memcg accounts for hugetlb, the newly added global counter is updated and shown in /proc/vmstat. The global counter is added because vmstats is the preferred framework for cgroup stats. It makes stat items consistent between global and cgroups. It also provides a per-node breakdown, which is useful. Because it does not use cgroup-specific hooks, we also keep generic MM code separate from memcg code. [1] https://lore.kernel.org/all/20231006184629.155543-1-nphamcs@gmail.com/ [2] Of course, we can't make a new patch for every feature that can be duplicated. However, since the existing solution of enabling the hugeTLB controller is an imperfect solution that still leaves a discrepancy between memory.stat and memory.curent, I think that it is reasonable to isolate the feature in this case. Link: https://lkml.kernel.org/r/20241101204402.1885383-1-joshua.hahnjy@gmail.com Signed-off-by: Joshua Hahn Suggested-by: Nhat Pham Suggested-by: Shakeel Butt Suggested-by: Johannes Weiner Acked-by: Shakeel Butt Acked-by: Johannes Weiner Acked-by: Chris Down Acked-by: Michal Hocko Reviewed-by: Roman Gushchin Reviewed-by: Nhat Pham Cc: Jonathan Corbet Cc: Michal Koutný Cc: Muchun Song Cc: Zefan Li Signed-off-by: Andrew Morton commit 2ea80b039b9af0b71c00378523b71c254fb99c23 Author: MengEn Sun Date: Fri Nov 1 12:06:38 2024 +0800 vmstat: call fold_vm_zone_numa_events() before show per zone NUMA event Since 5.14-rc1, NUMA events will only be folded from per-CPU statistics to per zone and global statistics when the user actually needs it. Currently, the kernel has performs the fold operation when reading /proc/vmstat, but does not perform the fold operation in /proc/zoneinfo. This can lead to inaccuracies in the following statistics in zoneinfo: - numa_hit - numa_miss - numa_foreign - numa_interleave - numa_local - numa_other Therefore, before printing per-zone vm_numa_event when reading /proc/zoneinfo, we should also perform the fold operation. Link: https://lkml.kernel.org/r/1730433998-10461-1-git-send-email-mengensun@tencent.com Fixes: f19298b9516c ("mm/vmstat: convert NUMA statistics to basic NUMA counters") Signed-off-by: MengEn Sun Reviewed-by: JinLiang Zheng Cc: Signed-off-by: Andrew Morton commit a35672819f8d85e2ae38b80d40b923e3ef81e4ea Author: Steffen Klassert Date: Thu Nov 14 12:06:56 2024 +0100 xfrm: Fix acquire state insertion. A recent commit jumped over the dst hash computation and left the symbol uninitialized. Fix this by explicitly computing the dst hash before it is used. Fixes: 0045e3d80613 ("xfrm: Cache used outbound xfrm states at the policy.") Reported-by: Dan Carpenter Reviewed-by: Simon Horman Signed-off-by: Steffen Klassert commit dfc14664794a4706e0c2186a0c082386e6b14c4d Merge: b52a8deea530f0 29a4bc1fe961ca Author: Jakub Kicinski Date: Thu Nov 14 19:53:43 2024 -0800 Merge branch 'net-make-rss-rxnfc-semantics-more-explicit' Edward Cree says: ==================== net: make RSS+RXNFC semantics more explicit The original semantics of ntuple filters with FLOW_RSS were not fully understood by all drivers, some ignoring the ring_cookie from the flow rule. Require this support to be explicitly declared by the driver for filters relying on it to be inserted, and add self- test coverage for this functionality. Also teach ethtool_check_max_channel() about this. ==================== Link: https://patch.msgid.link/cover.1731499021.git.ecree.xilinx@gmail.com Signed-off-by: Jakub Kicinski commit 29a4bc1fe961caea52a5b945be2b4267b02002d7 Author: Edward Cree Date: Wed Nov 13 12:13:13 2024 +0000 selftest: extend test_rss_context_queue_reconfigure for action addition The combination of ntuple action (ring_cookie) and RSS context can cause an ntuple rule to target a higher queue than appears in any RSS indirection table or directly in the ntuple rule, since the two numbers are added together. Verify the logic that prevents reducing the queue count in this case. Signed-off-by: Edward Cree Link: https://patch.msgid.link/58276b800ab78c0a79c1918046ccae7fe45ba802.1731499022.git.ecree.xilinx@gmail.com Signed-off-by: Jakub Kicinski commit e9e8abfec214b6a47f6c21d533c43c7f3c1f8887 Author: Edward Cree Date: Wed Nov 13 12:13:12 2024 +0000 selftest: validate RSS+ntuple filters with nonzero ring_cookie Test creates an ntuple filter with 'action 2' and an RSS context whose indirection table has entries 0 and 1. Resulting traffic should go to queues 2 and 3; verify that it never hits queues 0 and 1. Signed-off-by: Edward Cree Link: https://patch.msgid.link/114afdf4d2867f72ed27751e8e08fe8b128a8529.1731499022.git.ecree.xilinx@gmail.com Signed-off-by: Jakub Kicinski commit b2d5b4c468568b60916bdd5e7c10ab11b09bd164 Author: Edward Cree Date: Wed Nov 13 12:13:11 2024 +0000 selftest: include dst-ip in ethtool ntuple rules sfc hardware does not support filters with only ipproto + dst-port; adding dst-ip to the flow spec allows the rss_ctx test to be run on these devices. Signed-off-by: Edward Cree Reviewed-by: Martin Habets Link: https://patch.msgid.link/8e5d23c8f21310c23c080cc7bcd31b76f8fd3096.1731499022.git.ecree.xilinx@gmail.com Signed-off-by: Jakub Kicinski commit a64499f618b2e3ace083727237f8802aabc73008 Author: Edward Cree Date: Wed Nov 13 12:13:10 2024 +0000 net: ethtool: account for RSS+RXNFC add semantics when checking channel count In ethtool_check_max_channel(), the new RX count must not only cover the max queue indices in RSS indirection tables and RXNFC destinations separately, but must also, for RXNFC rules with FLOW_RSS, cover the sum of the destination queue and the maximum index in the associated RSS context's indirection table, since that is the highest queue that the rule can actually deliver traffic to. It could be argued that the max queue across all custom RSS contexts (ethtool_get_max_rss_ctx_channel()) need no longer be considered, since any context to which packets can actually be delivered will be targeted by some RXNFC rule and its max will thus be allowed for by ethtool_get_max_rxnfc_channel(). For simplicity we keep both checks, so even RSS contexts unused by any RXNFC rule must fit the channel count. Signed-off-by: Edward Cree Link: https://patch.msgid.link/43257d375434bef388e36181492aa4c458b88336.1731499022.git.ecree.xilinx@gmail.com Signed-off-by: Jakub Kicinski commit 9e43ad7a1edef268acac603e1975c8f50a20d02f Author: Edward Cree Date: Wed Nov 13 12:13:09 2024 +0000 net: ethtool: only allow set_rxnfc with rss + ring_cookie if driver opts in Ethtool ntuple filters with FLOW_RSS were originally defined as adding the base queue ID (ring_cookie) to the value from the indirection table, so that the same table could distribute over more than one set of queues when used by different filters. However, some drivers / hardware ignore the ring_cookie, and simply use the indirection table entries as queue IDs directly. Thus, for drivers which have not opted in by setting ethtool_ops.cap_rss_rxnfc_adds to declare that they support the original (addition) semantics, reject in ethtool_set_rxnfc any filter which combines FLOW_RSS and a nonzero ring. (For a ring_cookie of zero, both behaviours are equivalent.) Set the cap bit in sfc, as it is known to support this feature. Signed-off-by: Edward Cree Reviewed-by: Martin Habets Link: https://patch.msgid.link/cc3da0844083b0e301a33092a6299e4042b65221.1731499022.git.ecree.xilinx@gmail.com Signed-off-by: Jakub Kicinski commit ea301aec8bb718b02b68761d2229fc12c9fefa29 Author: Peter Große Date: Wed Nov 13 13:07:04 2024 -0800 i40e: Fix handling changed priv flags After assembling the new private flags on a PF, the operation to determine the changed flags uses the wrong bitmaps. Instead of xor-ing orig_flags with new_flags, it uses the still unchanged pf->flags, thus changed_flags is always 0. Fix it by using the correct bitmaps. The issue was discovered while debugging why disabling source pruning stopped working with release 6.7. Although the new flags will be copied to pf->flags later on in that function, disabling source pruning requires a reset of the PF, which was skipped due to this bug. Disabling source pruning: $ sudo ethtool --set-priv-flags eno1 disable-source-pruning on $ sudo ethtool --show-priv-flags eno1 Private flags for eno1: MFP : off total-port-shutdown : off LinkPolling : off flow-director-atr : on veb-stats : off hw-atr-eviction : off link-down-on-close : off legacy-rx : off disable-source-pruning: on disable-fw-lldp : off rs-fec : off base-r-fec : off vf-vlan-pruning : off Regarding reproducing: I observed the issue with a rather complicated lab setup, where * two VLAN interfaces are created on eno1 * each with a different MAC address assigned * each moved into a separate namespace * both VLANs are bridged externally, so they form a single layer 2 network The external bridge is done via a channel emulator adding packet loss and delay and the application in the namespaces tries to send/receive traffic and measure the performance. Sender and receiver are separated by namespaces, yet the network card "sees its own traffic" send back to it. To make that work, source pruning has to be disabled. Cc: stable@vger.kernel.org Fixes: 70756d0a4727 ("i40e: Use DECLARE_BITMAP for flags and hw_features fields in i40e_pf") Signed-off-by: Peter Große Reviewed-by: Paul Menzel Reviewed-by: Przemek Kitszel Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) Signed-off-by: Tony Nguyen Link: https://patch.msgid.link/20241113210705.1296408-1-anthony.l.nguyen@intel.com Signed-off-by: Jakub Kicinski commit b52a8deea530f027e4bd0d2444f068ff8a86ea4e Author: Rob Herring (Arm) Date: Wed Nov 13 16:58:25 2024 -0600 dt-bindings: net: sff,sfp: Fix "interrupts" property typo The example has "interrupt" property which is not a defined property. It should be "interrupts" instead. "interrupts" also should not contain a phandle. Signed-off-by: Rob Herring (Arm) Reviewed-by: Andrew Lunn Acked-by: Conor Dooley Link: https://patch.msgid.link/20241113225825.1785588-2-robh@kernel.org Signed-off-by: Jakub Kicinski commit ac0928d5b6ffedb42465fd3c5e112e340b9c8292 Author: Rob Herring (Arm) Date: Wed Nov 13 16:57:13 2024 -0600 dt-bindings: net: mdio-mux-gpio: Drop undocumented "marvell,reg-init" "marvell,reg-init" is not yet documented by schema. It's irrelevant to the example, so just drop it. Signed-off-by: Rob Herring (Arm) Reviewed-by: Andrew Lunn Acked-by: Conor Dooley Link: https://patch.msgid.link/20241113225713.1784118-2-robh@kernel.org Signed-off-by: Jakub Kicinski commit 4c54e9497d9abbaca814a963f805884f02dc89ec Author: Arnd Bergmann Date: Wed Nov 13 12:55:08 2024 +0100 net: sparx5: add missing lan969x Kconfig dependency The sparx5 switchdev driver can be built either with or without support for the Lan969x switch. However, it cannot be built-in when the lan969x driver is a loadable module because of a link-time dependency: arm-linux-gnueabi-ld: drivers/net/ethernet/microchip/sparx5/sparx5_main.o:(.rodata+0xd44): undefined reference to `lan969x_desc' Add a Kconfig dependency to reflect this in Kconfig, allowing all the valid configurations but forcing sparx5 to be a loadable module as well if lan969x is. Fixes: 98a01119608d ("net: sparx5: add compatible string for lan969x") Signed-off-by: Arnd Bergmann Reviewed-by: Daniel Machon Link: https://patch.msgid.link/20241113115513.4132548-1-arnd@kernel.org Signed-off-by: Jakub Kicinski commit f01750aecdfb8bfb02842f60af3d805a3ae7267a Author: Ihor Solodrai Date: Fri Nov 15 00:38:55 2024 +0000 selftests/bpf: Set test path for token/obj_priv_implicit_token_envvar token/obj_priv_implicit_token_envvar test may fail in an environment where the process executing tests can not write to the root path. Example: https://github.com/libbpf/libbpf/actions/runs/11844507007/job/33007897936 Change default path used by the test to /tmp/bpf-token-fs, and make it runtime configurable via an environment variable. Signed-off-by: Ihor Solodrai Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20241115003853.864397-1-ihor.solodrai@pm.me commit f66af9616148e10e04eb172c7616ad79912b446e Author: Dan Carpenter Date: Wed Nov 13 10:31:25 2024 +0300 net: enetc: clean up before returning in probe() We recently added this error path. We need to call enetc_pci_remove() before returning. It cleans up the resources from enetc_pci_probe(). Fixes: 99100d0d9922 ("net: enetc: add preliminary support for i.MX95 ENETC PF") Signed-off-by: Dan Carpenter Reviewed-by: Wei Fang Link: https://patch.msgid.link/93888efa-c838-4682-a7e5-e6bf318e844e@stanley.mountain Signed-off-by: Jakub Kicinski commit 378e8feea9a70d37a5dc1678b7ec27df21099fa5 Author: Romain Gantois Date: Tue Nov 12 15:06:08 2024 +0100 net: phy: dp83869: fix status reporting for 1000base-x autonegotiation The DP83869 PHY transceiver supports converting from RGMII to 1000base-x. In this operation mode, autonegotiation can be performed, as described in IEEE802.3. The DP83869 has a set of fiber-specific registers located at offset 0xc00. When the transceiver is configured in RGMII-to-1000base-x mode, these registers are mapped onto offset 0, which should make reading the autonegotiation status transparent. However, the fiber registers at offset 0xc04 and 0xc05 follow the bit layout specified in Clause 37, and genphy_read_status() assumes a Clause 22 layout. Thus, genphy_read_status() doesn't properly read the capabilities advertised by the link partner, resulting in incorrect link parameters. Similarly, genphy_config_aneg() doesn't properly write advertised capabilities. Fix the 1000base-x autonegotiation procedure by replacing genphy_read_status() and genphy_config_aneg() with their Clause 37 equivalents. Fixes: a29de52ba2a1 ("net: dp83869: Add ability to advertise Fiber connection") Cc: stable@vger.kernel.org Signed-off-by: Romain Gantois Link: https://patch.msgid.link/20241112-dp83869-1000base-x-v3-1-36005f4ab0d9@bootlin.com Signed-off-by: Jakub Kicinski commit 575092a7f0ce4c6d5907cd908d28c0f69690a136 Author: Alistair Francis Date: Tue Nov 12 20:54:30 2024 +1000 mdio: Remove mdio45_ethtool_gset_npage() The mdio45_ethtool_gset_npage() function isn't called, so let's remove it. Signed-off-by: Alistair Francis Link: https://patch.msgid.link/20241112105430.438491-2-alistair@alistair23.me Signed-off-by: Jakub Kicinski commit e7cb7cf43afb96a4fd8f68c2dfb9b2fbdd444654 Author: Alistair Francis Date: Tue Nov 12 20:54:29 2024 +1000 include: mdio: Remove mdio45_ethtool_gset() mdio45_ethtool_gset() is never called, so let's remove it. Signed-off-by: Alistair Francis Link: https://patch.msgid.link/20241112105430.438491-1-alistair@alistair23.me Signed-off-by: Jakub Kicinski commit 55c8590129b5d29591ed699fb64c32788d794e6f Merge: 66dae28aeb1108 141b4d6a8049ce Author: Jakub Kicinski Date: Thu Nov 14 19:08:04 2024 -0800 Merge tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next Martin KaFai Lau says: ==================== pull-request: bpf-next 2024-11-14 We've added 9 non-merge commits during the last 4 day(s) which contain a total of 3 files changed, 226 insertions(+), 84 deletions(-). The main changes are: 1) Fixes to bpf_msg_push/pop_data and test_sockmap. The changes has dependency on the other changes in the bpf-next/net branch, from Zijian Zhang. 2) Drop netns codes from mptcp test. Reuse the common helpers in test_progs, from Geliang Tang. * tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next: bpf, sockmap: Fix sk_msg_reset_curr bpf, sockmap: Several fixes to bpf_msg_pop_data bpf, sockmap: Several fixes to bpf_msg_push_data selftests/bpf: Add more tests for test_txmsg_push_pop in test_sockmap selftests/bpf: Add push/pop checking for msg_verify_data in test_sockmap selftests/bpf: Fix total_bytes in msg_loop_rx in test_sockmap selftests/bpf: Fix SENDPAGE data logic in test_sockmap selftests/bpf: Add txmsg_pass to pull/push/pop in test_sockmap selftests/bpf: Drop netns helpers in mptcp ==================== Link: https://patch.msgid.link/20241114202832.3187927-1-martin.lau@linux.dev Signed-off-by: Jakub Kicinski commit 66dae28aeb11083c173f615069863ffa8d24230d Merge: 59b6c043da0bb1 dab9c6307161ad Author: Jakub Kicinski Date: Thu Nov 14 19:07:50 2024 -0800 Merge branch 'ipv4-prepare-bpf-helpers-to-flowi4_tos-conversion' Guillaume Nault says: ==================== ipv4: Prepare bpf helpers to .flowi4_tos conversion. Continue the process of making a dscp_t variable available when setting .flowi4_tos. This series focuses on the BPF helpers that initialise a struct flowi4 manually. The objective is to eventually convert .flowi4_tos to dscp_t, (to get type annotation and prevent ECN bits from interfering with DSCP). ==================== Link: https://patch.msgid.link/cover.1731064982.git.gnault@redhat.com Signed-off-by: Jakub Kicinski commit dab9c6307161adc626dd21b8e9596a289e714155 Author: Guillaume Nault Date: Fri Nov 8 17:47:15 2024 +0100 bpf: lwtunnel: Prepare bpf_lwt_xmit_reroute() to future .flowi4_tos conversion. Use ip4h_dscp() to get the DSCP from the IPv4 header, then convert the dscp_t value to __u8 with inet_dscp_to_dsfield(). Then, when we'll convert .flowi4_tos to dscp_t, we'll just have to drop the inet_dscp_to_dsfield() call. Signed-off-by: Guillaume Nault Reviewed-by: Ido Schimmel Link: https://patch.msgid.link/8338a12377c44f698a651d1ce357dd92bdf18120.1731064982.git.gnault@redhat.com Signed-off-by: Jakub Kicinski commit bfe086be5c4c644602e26840683dfdd893f22d04 Author: Guillaume Nault Date: Fri Nov 8 17:47:12 2024 +0100 bpf: ipv4: Prepare __bpf_redirect_neigh_v4() to future .flowi4_tos conversion. Use ip4h_dscp() to get the DSCP from the IPv4 header, then convert the dscp_t value to __u8 with inet_dscp_to_dsfield(). Then, when we'll convert .flowi4_tos to dscp_t, we'll just have to drop the inet_dscp_to_dsfield() call. Signed-off-by: Guillaume Nault Reviewed-by: Ido Schimmel Link: https://patch.msgid.link/35eacc8955003e434afb1365d404193cc98a9579.1731064982.git.gnault@redhat.com Signed-off-by: Jakub Kicinski commit 59b6c043da0bb12631cf4e84e0be58727c0eab17 Merge: 76e81a5a1749e6 8aefcfa04beaab Author: Jakub Kicinski Date: Thu Nov 14 18:09:08 2024 -0800 Merge branch 'tools-net-ynl-rework-async-notification-handling' Donald Hunter says: ==================== tools/net/ynl: rework async notification handling Revert patch 1bf70e6c3a53 which modified check_ntf() and instead add a new poll_ntf() with async notification semantics. See patch 2 for a detailed description. ==================== Link: https://patch.msgid.link/20241113090843.72917-1-donald.hunter@gmail.com Signed-off-by: Jakub Kicinski commit 8aefcfa04beaab070a2009828da40bdd4888eee6 Author: Donald Hunter Date: Wed Nov 13 09:08:43 2024 +0000 tools/net/ynl: add async notification handling The notification handling in ynl is currently very simple, using sleep() to wait a period of time and then handling all the buffered messages in a single batch. This patch adds async notification handling so that messages can be processed as they are received. This makes it possible to use ynl as a library that supplies notifications in a timely manner. - Add poll_ntf() to be a generator that yields 1 notification at a time and blocks until a notification is available. - Add a --duration parameter to the CLI, with --sleep as an alias. ./tools/net/ynl/cli.py \ --spec --subscribe [ --duration ] The cli will report any notifications for duration seconds and then exit. If duration is not specified, then it will poll forever, until interrupted. Here is an example python snippet that shows how to use ynl as a library for receiving notifications: ynl = YnlFamily(f"{dir}/rt_route.yaml") ynl.ntf_subscribe('rtnlgrp-ipv4-route') for event in ynl.poll_ntf(): handle(event) Signed-off-by: Donald Hunter Link: https://patch.msgid.link/20241113090843.72917-3-donald.hunter@gmail.com Signed-off-by: Jakub Kicinski commit cef009cc4a76c5bfd28d68eab2b3273243fddcdc Author: Donald Hunter Date: Wed Nov 13 09:08:42 2024 +0000 Revert "tools/net/ynl: improve async notification handling" This reverts commit 1bf70e6c3a5346966c25e0a1ff492945b25d3f80. This modification to check_ntf() is being reverted so that its behaviour remains equivalent to ynl_ntf_check() in the C YNL. Instead a new poll_ntf() will be added in a separate patch. Signed-off-by: Donald Hunter Link: https://patch.msgid.link/20241113090843.72917-2-donald.hunter@gmail.com Signed-off-by: Jakub Kicinski commit 470a271627e8c4e2b5357fd0f5759cf6e33cc145 Author: Nathan Chancellor Date: Mon Nov 11 08:09:55 2024 -0700 Input: ads7846 - increase xfer array size in 'struct ser_req' Clang warns (or errors with CONFIG_WERROR=y, trimmed for brevity): drivers/input/touchscreen/ads7846.c:412:2: error: array index 6 is past the end of the array (that has type 'struct spi_transfer[6]') [-Werror,-Warray-bounds] 412 | req->xfer[6].tx_buf = &req->scratch; | ^ ~ ... drivers/input/touchscreen/ads7846.c:416:2: error: array index 7 is past the end of the array (that has type 'struct spi_transfer[6]') [-Werror,-Warray-bounds] 416 | req->xfer[7].rx_buf = &req->scratch; | ^ ~ drivers/input/touchscreen/ads7846.c:334:2: note: array 'xfer' declared here 334 | struct spi_transfer xfer[6]; | ^ Increase the size of xfer in 'struct ser_req' to ensure that there is enough space for all necessary members and there are no out of bounds accesses, clearing up the warning. Fixes: 781a07da9bb9 ("Input: ads7846 - add dummy command register clearing cycle") Signed-off-by: Nathan Chancellor Reviewed-by: Marek Vasut Link: https://lore.kernel.org/r/20241111-input-ads7846-increase-xfer-array-size-v1-1-06cd92e9f20f@kernel.org Signed-off-by: Dmitry Torokhov commit a5f040cfcfdd8cd10591d50fb6280dffe07c7a8e Author: Maud Spierings Date: Sun Nov 10 19:05:02 2024 +0100 Input: fix the input_event struct documentation Fix the datatype of the value field of the input_event struct which is signed instead of unsigned. Signed-off-by: Maud Spierings Link: https://lore.kernel.org/r/20241110-fix_input_doc-v1-1-745d5f908e61@hotmail.com Signed-off-by: Dmitry Torokhov commit 76e81a5a1749e638a09b424641f0b9d3ece1f2a7 Merge: a79993b5fce69e e340bff27e63ed Author: Jakub Kicinski Date: Thu Nov 14 18:01:40 2024 -0800 Merge branch 'net-phy-switch-eee_broken_modes-to-linkmode-bitmap-and-add-accessor' Heiner Kallweit says: ==================== net: phy: switch eee_broken_modes to linkmode bitmap and add accessor eee_broken_modes has a eee_cap1 register layout currently. This doesn't allow to flag e.g. 2.5Gbps or 5Gbps BaseT EEE as broken. To overcome this limitation switch eee_broken_modes to a linkmode bitmap. Add an accessor for the bitmap and use it in r8169. ==================== Link: https://patch.msgid.link/405734c5-0ed4-40e4-9ac9-91084b9536d6@gmail.com Signed-off-by: Jakub Kicinski commit e340bff27e63ed61a1e9895bed546107859e48a7 Author: Heiner Kallweit Date: Fri Nov 8 08:08:24 2024 +0100 r8169: copy vendor driver 2.5G/5G EEE advertisement constraints Vendor driver r8125 doesn't advertise 2.5G EEE on RTL8125A, and r8126 doesn't advertise 5G EEE. Likely there are compatibility issues, therefore do the same in r8169. With this change we don't have to disable 2.5G EEE advertisement in rtl8125a_config_eee_phy() any longer. We use new phylib accessor phy_set_eee_broken() to mark the respective EEE modes as broken. Signed-off-by: Heiner Kallweit Link: https://patch.msgid.link/ce185e10-8a2f-4cf8-a49b-fd8fb3c3c8a1@gmail.com Signed-off-by: Jakub Kicinski commit ed623fb8e38e2a241da12864778ec9c9cf930c65 Author: Heiner Kallweit Date: Fri Nov 8 08:07:10 2024 +0100 net: phy: add phy_set_eee_broken Add an accessor for eee_broken_modes, so that drivers don't have to deal with phylib internals. Signed-off-by: Heiner Kallweit Link: https://patch.msgid.link/0f8ee279-d40d-4489-a3b0-d993472d744a@gmail.com Signed-off-by: Jakub Kicinski commit 721aa69e708b7432af83c4bb00a30e2b7c27da28 Author: Heiner Kallweit Date: Fri Nov 8 07:54:47 2024 +0100 net: phy: convert eee_broken_modes to a linkmode bitmap eee_broken_modes has a eee_cap1 register layout currently. This doen't allow to flag e.g. 2.5Gbps or 5Gbps BaseT EEE as broken. To overcome this limitation switch eee_broken_modes to a linkmode bitmap. Signed-off-by: Heiner Kallweit Link: https://patch.msgid.link/dfe0c9ff-84b0-4328-86d7-e917ebc084a1@gmail.com Signed-off-by: Jakub Kicinski commit 6b8950ef993bcf198d4a80cde0b2da805b75ed70 Author: Zhao Mengmeng Date: Fri Nov 15 09:17:09 2024 +0800 sched_ext: Replace scx_next_task_picked() with switch_class() in comment scx_next_task_picked() has been replaced with siwtch_class(), but comment is still referencing old one, so replace it. Signed-off-by: Zhao Mengmeng Signed-off-by: Tejun Heo commit 6d026e6d48cd2a95407c8fdd8d6187b871401c23 Author: Nathan Chancellor Date: Thu Nov 14 10:42:29 2024 -0700 iommu/arm-smmu-v3: Import IOMMUFD module namespace Commit 69d9b312f38a ("iommu/arm-smmu-v3: Support IOMMU_VIOMMU_ALLOC") started using _iommufd_object_alloc() without importing the IOMMUFD module namespace, resulting in a modpost warning: WARNING: modpost: module arm_smmu_v3 uses symbol _iommufd_object_alloc from namespace IOMMUFD, but does not import it. Commit d68beb276ba2 ("iommu/arm-smmu-v3: Support IOMMU_HWPT_INVALIDATE using a VIOMMU object") added another warning by using iommufd_viommu_find_dev(): WARNING: modpost: module arm_smmu_v3 uses symbol iommufd_viommu_find_dev from namespace IOMMUFD, but does not import it. Import the IOMMUFD module namespace to resolve the warnings. Fixes: 69d9b312f38a ("iommu/arm-smmu-v3: Support IOMMU_VIOMMU_ALLOC") Link: https://patch.msgid.link/r/20241114-arm-smmu-v3-import-iommufd-module-ns-v1-1-c551e7b972e9@kernel.org Signed-off-by: Nathan Chancellor Signed-off-by: Jason Gunthorpe commit a5371018eefdd81f4152926a6d2b9480a75ac2a6 Author: Arnd Bergmann Date: Thu Nov 7 22:26:46 2024 +1100 powerpc/Makefile: Allow overriding CPP Unlike all other arches, powerpc doesn't allow the user to override CPP, because it sets it unconditionally in the arch Makefile. This can lead to strange build failures. Instead add the required flags to KBUILD_CPPFLAGS, which are passed to CPP, CC and AS invocations by the generic Makefile logic. Reported-by: Arnd Bergmann Tested-by: Nathan Chancellor Reviewed-by: Nathan Chancellor Closes: https://lore.kernel.org/all/20240607061629.530301-1-arnd@kernel.org Signed-off-by: Arnd Bergmann [mpe: Rebase, write change log, add Arnd's SoB as communicated privately] Signed-off-by: Michael Ellerman Link: https://patch.msgid.link/20241107112646.32401-1-mpe@ellerman.id.au commit f946cae86d088d02a2f9c0ae0bf8a80359d3f454 Author: Sebastian Andrzej Siewior Date: Tue Nov 12 17:20:23 2024 +0100 scftorture: Handle NULL argument passed to scf_add_to_free_list(). Dan reported that after the rework the newly introduced scf_add_to_free_list() may get a NULL pointer passed. This replaced kfree() which was fine with a NULL pointer but scf_add_to_free_list() isn't. Let scf_add_to_free_list() handle NULL pointer. Reported-by: Dan Carpenter Closes: https://lore.kernel.org/all/2375aa2c-3248-4ffa-b9b0-f0a24c50f237@stanley.mountain Fixes: 4788c861ad7e9 ("scftorture: Use a lock-less list to free memory.") Signed-off-by: Sebastian Andrzej Siewior Signed-off-by: Paul E. McKenney commit 4aa5cc1e0012f784bc7f637458e597564833b425 Author: David Hunter Date: Tue Jul 9 10:35:53 2024 -0400 powerpc-km82xx.c: replace of_node_put() with __free The use of the __free macro allows the cleanup to be based on scope instead of on another function called later. This makes the cleanup automatic and less susceptible to errors later. Signed-off-by: David Hunter [mpe: Fix over-long line & change log wording] Signed-off-by: Michael Ellerman Link: https://patch.msgid.link/20240709143553.117053-1-david.hunter.linux@gmail.com commit 1cbdfcfd08c4f47b8019c4f34a2c87fe6c444a31 Author: Théo Lebrun Date: Wed Nov 6 17:03:59 2024 +0100 clk: eyeq: add EyeQ6H west fixed factor clocks Previous setup was: - pll-west clock registered from driver at of_clk_init(); - Both OCC and UART clocks registered from DT using fixed-factor-clock compatible. Now that drivers/clk/clk-eyeq.c supports registering fixed factors, use that capability to register west-per-occ and west-per-uart (giving them proper names at the same time). Also switch from hard-coded index 0 for pll-west to using the EQ6HC_WEST_PLL_PER constant by exposed dt-bindings headers. All get exposed at of_clk_init() because they get used by the AMBA PL011 serial ports. Those are instantiated before platform bus infrastructure. Signed-off-by: Théo Lebrun Link: https://lore.kernel.org/r/20241106-mbly-clk-v2-8-84cfefb3f485@bootlin.com Signed-off-by: Stephen Boyd commit 0b28f9ee4b993621258615b591f0175c30340b06 Author: Théo Lebrun Date: Wed Nov 6 17:03:58 2024 +0100 clk: eyeq: add EyeQ6H central fixed factor clocks Previous setup was: - pll-cpu clock registered from driver at of_clk_init(); - occ-cpu clock registered from DT using fixed-factor-clock compatible. Now that drivers/clk/clk-eyeq.c supports registering fixed factors, use that capability to register occ-cpu. Also switch from hard-coded index 0 for pll-cpu to using the EQ6HC_CENTRAL_PLL_CPU constant by exposed dt-bindings headers. occ-cpu is exposed at of_clk_init() because it gets used by both the DT CPU nodes and the GIC timer. Signed-off-by: Théo Lebrun Link: https://lore.kernel.org/r/20241106-mbly-clk-v2-7-84cfefb3f485@bootlin.com Signed-off-by: Stephen Boyd commit 5e01124a2c0a42dc6b587b0b09b204a5389f8d7b Author: Théo Lebrun Date: Wed Nov 6 17:03:57 2024 +0100 clk: eyeq: add EyeQ5 fixed factor clocks Expose additional clocks on EyeQ5. Some indexes come from dt-bindings headers, others are private to the driver. Few clocks are early (of_clk_init() stage: core clocks and UART clock), others can wait until platform device probe. The source for this list is downstream Mobileye kernel and some internal documentation. Signed-off-by: Théo Lebrun Link: https://lore.kernel.org/r/20241106-mbly-clk-v2-6-84cfefb3f485@bootlin.com Signed-off-by: Stephen Boyd commit 4a1ae0486dfee0aa3dcf3d312ece326870341f57 Author: Théo Lebrun Date: Wed Nov 6 17:03:56 2024 +0100 clk: eyeq: add fixed factor clocks infrastructure Driver can currently host two types of clocks: - PLLs derived directly from the main crystal (taken using a fwhandle). - Divider clocks derived from those PLLs. PLLs can be instantiated from of_clk_init() or platform device probe, using two separate clock providers. Divider clocks are all instantiated at platform device probe. Add a third type of clocks: fixed factors. Those can be instantiated at both stages. They can be parented to any clock from the driver. Early match data and match data store the list of fixed factor clocks. Signed-off-by: Théo Lebrun Link: https://lore.kernel.org/r/20241106-mbly-clk-v2-5-84cfefb3f485@bootlin.com Signed-off-by: Stephen Boyd commit d75fbc82ee9c0c5441a51aecd36d8f42e8f6b2fa Author: Théo Lebrun Date: Wed Nov 6 17:03:55 2024 +0100 clk: eyeq: require clock index with phandle in all cases We used to let compatibles with a single clock exposed to not have a cell. Switch away from that and enforce a cell in all cases. This is done at the same time as some compatibles (mobileye,eyeq6h-{central,west}-olb) go from one to more clocks exposed. Let's do the same switch and avoid future devicetree work if/when others follow. Signed-off-by: Théo Lebrun Link: https://lore.kernel.org/r/20241106-mbly-clk-v2-4-84cfefb3f485@bootlin.com Signed-off-by: Stephen Boyd commit 4eb5e9c6c4cdfca9fb0577f62580db46f5acd1a5 Author: Théo Lebrun Date: Wed Nov 6 17:03:54 2024 +0100 clk: fixed-factor: add clk_hw_register_fixed_factor_index() function Add non-devres version of clk_hw_register_fixed_factor(), with parent targeted using its index. Signed-off-by: Théo Lebrun Link: https://lore.kernel.org/r/20241106-mbly-clk-v2-3-84cfefb3f485@bootlin.com Signed-off-by: Stephen Boyd commit 6a46b75a91a4347e50b25fb4a150a8f34b026034 Author: Théo Lebrun Date: Wed Nov 6 17:03:53 2024 +0100 dt-bindings: clock: eyeq: add more Mobileye EyeQ5/EyeQ6H clocks Add #defines for Mobileye clock controller: - EyeQ5 core 0 thru 3 clocks. Internally: EQ5C_PLL_CPU: already exposed └── EQ5C_CPU_OCC: unexposed, no reason to do so ├── EQ5C_CPU_CORE0: new! ├── EQ5C_CPU_CORE1: new! ├── EQ5C_CPU_CORE2: new! └── EQ5C_CPU_CORE3: new! - EyeQ5 peripheral clocks. Internally: EQ5C_PLL_PER: already exposed ├── EQ5C_PER_OCC: new! │ ├── EQ5C_PER_SPI: new! │ ├── EQ5C_PER_I2C: new! │ ├── EQ5C_PER_GPIO: new! │ └── EQ5C_PER_UART: new! ├── EQ5C_PER_EMMC: new! └── EQ5C_PER_OCC_PCI: new! - EyeQ6H central OLB. Internally: EQ6HC_CENTRAL_PLL_CPU: new! └── EQ6HC_CENTRAL_CPU_OCC: new! - EyeQ6H west OLB. Internally: EQ6HC_WEST_PLL_PER: new! └── EQ6HC_WEST_PER_OCC: new! └── EQ6HC_WEST_PER_UART: new! Signed-off-by: Théo Lebrun Link: https://lore.kernel.org/r/20241106-mbly-clk-v2-2-84cfefb3f485@bootlin.com Acked-by: Krzysztof Kozlowski Signed-off-by: Stephen Boyd commit a370b2d22dc0a68631fadca5080cd78fa99e4284 Author: Théo Lebrun Date: Wed Nov 6 17:03:52 2024 +0100 dt-bindings: soc: mobileye: set `#clock-cells = <1>` for all compatibles Some compatibles expose a single clock. For those, we used to let them using `#clock-cells = <0>` (ie <&olb> reference rather than <&olb 0>). Switch away from that: enforce a cell for all compatibles. This is more straight forward, and avoids devicetree changes whenever a compatible goes from exposing a single clock to multiple ones. Also, dt-bindings get simpler. *This is an ABI break*. Change it while EyeQ5 platform support is at its infancy, without any user. More clocks might hide in each OLB as some registers are still unknown. Signed-off-by: Théo Lebrun Link: https://lore.kernel.org/r/20241106-mbly-clk-v2-1-84cfefb3f485@bootlin.com Reviewed-by: Krzysztof Kozlowski Reviewed-by: Rob Herring (Arm) Signed-off-by: Stephen Boyd commit c64ef7e4851d1a9abbb7f7833e4936973ac5ba79 Author: Nuno Sa Date: Tue Oct 29 14:59:42 2024 +0100 clk: clk-axi-clkgen: make sure to enable the AXI bus clock In order to access the registers of the HW, we need to make sure that the AXI bus clock is enabled. Hence let's increase the number of clocks by one. In order to keep backward compatibility and make sure old DTs still work we check if clock-names is available or not. If it is, then we can disambiguate between really having the AXI clock or a parent clock and so we can enable the bus clock. If not, we fallback to what was done before and don't explicitly enable the AXI bus clock. Note that if clock-names is given, the axi clock must be the last one in the phandle array (also enforced in the DT bindings) so that we can reuse as much code as possible. Fixes: 0e646c52cf0e ("clk: Add axi-clkgen driver") Signed-off-by: Nuno Sa Link: https://lore.kernel.org/r/20241029-axi-clkgen-fix-axiclk-v2-2-bc5e0733ad76@analog.com Signed-off-by: Stephen Boyd commit 47f3f5a82a31527e027929c5cec3dd1ef5ef30f5 Author: Nuno Sa Date: Tue Oct 29 14:59:41 2024 +0100 dt-bindings: clock: axi-clkgen: include AXI clk In order to access the registers of the HW, we need to make sure that the AXI bus clock is enabled. Hence let's increase the number of clocks by one and add clock-names to differentiate between parent clocks and the bus clock. Fixes: 0e646c52cf0e ("clk: Add axi-clkgen driver") Signed-off-by: Nuno Sa Link: https://lore.kernel.org/r/20241029-axi-clkgen-fix-axiclk-v2-1-bc5e0733ad76@analog.com Reviewed-by: Conor Dooley Signed-off-by: Stephen Boyd commit 53454b7a4104786a7902603727140c276f325738 Merge: 0c193c2424daeb 5011cc7ad9aeea Author: Stephen Boyd Date: Thu Nov 14 14:41:18 2024 -0800 Merge tag 'v6.13-rockchip-clk1' of git://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip into clk-bindings Pull a YAML conversion of the rk3328 clock controller binding from Heiko Stuebner. * tag 'v6.13-rockchip-clk1' of git://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip: dt-bindings: clock: convert rockchip,rk3328-cru.txt to YAML commit ebac87cdd230685fc5245a61bde79c9100ac348a Author: Duje Mihanović Date: Mon Nov 4 17:37:10 2024 +0100 clk: mmp: Add Marvell PXA1908 MPMU driver Add driver for the MPMU controller block on Marvell's PXA1908 SoC. The driver is incomplete, currently only supporting the fixed PLL1; dynamic PLLs 2-4 and CPU/DDR/AXI clock support is missing. Signed-off-by: Duje Mihanović Link: https://lore.kernel.org/r/20241104-pxa1908-lkml-v13-8-e050609b8d6c@skole.hr Signed-off-by: Stephen Boyd commit 03437e857b0a5db36f2364475125b546bddfa2ac Author: Duje Mihanović Date: Mon Nov 4 17:37:09 2024 +0100 clk: mmp: Add Marvell PXA1908 APMU driver Add driver for the APMU controller block found on Marvell's PXA1908 SoC. This driver is incomplete, lacking support for (at least) GPU, VPU, DSI and CCIC (camera related) clocks. Signed-off-by: Duje Mihanović Link: https://lore.kernel.org/r/20241104-pxa1908-lkml-v13-7-e050609b8d6c@skole.hr Signed-off-by: Stephen Boyd commit a89233dbd4df521094caa0dbcd03338259f8ead6 Author: Duje Mihanović Date: Mon Nov 4 17:37:08 2024 +0100 clk: mmp: Add Marvell PXA1908 APBCP driver Add driver for the APBCP controller block found on Marvell's PXA1908 SoC. Signed-off-by: Duje Mihanović Link: https://lore.kernel.org/r/20241104-pxa1908-lkml-v13-6-e050609b8d6c@skole.hr Signed-off-by: Stephen Boyd commit 51ce5591927389985451c0875f576701664f0a38 Author: Duje Mihanović Date: Mon Nov 4 17:37:07 2024 +0100 clk: mmp: Add Marvell PXA1908 APBC driver Add driver for the APBC controller block found on Marvell's PXA1908 SoC. Signed-off-by: Duje Mihanović Link: https://lore.kernel.org/r/20241104-pxa1908-lkml-v13-5-e050609b8d6c@skole.hr Signed-off-by: Stephen Boyd commit f03b086624aa7cfbc6f3bf4ac728639602b4c478 Author: Duje Mihanović Date: Mon Nov 4 17:37:06 2024 +0100 dt-bindings: clock: Add Marvell PXA1908 clock bindings Add dt bindings and documentation for the Marvell PXA1908 clock controller. Reviewed-by: Conor Dooley Reviewed-by: Stephen Boyd Signed-off-by: Duje Mihanović Link: https://lore.kernel.org/r/20241104-pxa1908-lkml-v13-4-e050609b8d6c@skole.hr Signed-off-by: Stephen Boyd commit 4d6da8233ba5f498fde9e57704f08465ca5a1336 Author: Andy Shevchenko Date: Mon Nov 4 17:37:03 2024 +0100 clk: mmp: Switch to use struct u32_fract instead of custom one The struct mmp_clk_factor_tbl repeats the generic struct u32_fract. Kill the custom one and use the generic one instead. Signed-off-by: Andy Shevchenko Tested-by: Duje Mihanović Reviewed-by: Linus Walleij Reviewed-by: Stephen Boyd Signed-off-by: Duje Mihanović Link: https://lore.kernel.org/r/20241104-pxa1908-lkml-v13-1-e050609b8d6c@skole.hr Signed-off-by: Stephen Boyd commit f72bcb92e9a1402baedad45dd34abb686ae1e8cb Author: Benjamin Peterson Date: Thu Nov 7 23:21:28 2024 +0000 perf tests: Add test for trace output loss Add a test that checks that trace output is not lost to races. This is accomplished by tracing the exit_group syscall of "true" multiple times and checking for correct output. Signed-off-by: Benjamin Peterson Tested-by: Arnaldo Carvalho de Melo Tested-by: Howard Chu Cc: Adrian Hunter Cc: Alexander Shishkin Cc: Ian Rogers Cc: Ingo Molnar Cc: Jiri Olsa Cc: Kan Liang Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Link: https://lore.kernel.org/r/20241107232128.108981-3-benjamin@engflow.com [ Addressed two ShellCheck warnings ] Signed-off-by: Arnaldo Carvalho de Melo commit 1302e352b26f34991b619b5d0b621b76d20a3883 Author: Benjamin Peterson Date: Thu Nov 7 23:21:27 2024 +0000 perf trace: Avoid garbage when not printing a syscall's arguments syscall__scnprintf_args may not place anything in the output buffer (e.g., because the arguments are all zero). If that happened in trace__fprintf_sys_enter, its fprintf would receive an unitialized buffer leading to garbage output. Fix the problem by passing the (possibly zero) bounds of the argument buffer to the output fprintf. Fixes: a98392bb1e169a04 ("perf trace: Use beautifiers on syscalls:sys_enter_ handlers") Signed-off-by: Benjamin Peterson Tested-by: Arnaldo Carvalho de Melo Tested-by: Howard Chu Cc: Adrian Hunter Cc: Alexander Shishkin Cc: Ian Rogers Cc: Ingo Molnar Cc: Jiri Olsa Cc: Kan Liang Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Link: https://lore.kernel.org/r/20241107232128.108981-2-benjamin@engflow.com Signed-off-by: Arnaldo Carvalho de Melo commit 3fd7c36973a250e17a4ee305a31545a9426021f4 Author: Benjamin Peterson Date: Thu Nov 7 23:21:26 2024 +0000 perf trace: Do not lose last events in a race If a perf trace event selector specifies a maximum number of events to output (i.e., "/nr=N/" syntax), the event printing handler, trace__event_handler, disables the event selector after the maximum number events are printed. Furthermore, trace__event_handler checked if the event selector was disabled before doing any work. This avoided exceeding the maximum number of events to print if more events were in the buffer before the selector was disabled. However, the event selector can be disabled for reasons other than exceeding the maximum number of events. In particular, when the traced subprocess exits, the main loop disables all event selectors. This meant the last events of a traced subprocess might be lost to the printing handler's short-circuiting logic. This nondeterministic problem could be seen by running the following many times: $ perf trace -e syscalls:sys_enter_exit_group true trace__event_handler should simply check for exceeding the maximum number of events to print rather than the state of the event selector. Fixes: a9c5e6c1e9bff42c ("perf trace: Introduce per-event maximum number of events property") Signed-off-by: Benjamin Peterson Tested-by: Howard Chu Cc: Adrian Hunter Cc: Alexander Shishkin Cc: Ian Rogers Cc: Ingo Molnar Cc: Jiri Olsa Cc: Kan Liang Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Link: https://lore.kernel.org/r/20241107232128.108981-1-benjamin@engflow.com Signed-off-by: Arnaldo Carvalho de Melo commit a9eaf305017a5ebe73ab34e85bd5414055a88f29 Author: Lorenzo Bianconi Date: Tue Nov 12 01:08:54 2024 +0100 clk: en7523: map io region in a single block Map all clock-controller memory region in a single block. This patch does not introduce any backward incompatibility since the dts for EN7581 SoC is not upstream yet. Signed-off-by: Lorenzo Bianconi Link: https://lore.kernel.org/r/20241112-clk-en7581-syscon-v2-7-8ada5e394ae4@kernel.org Signed-off-by: Stephen Boyd commit 82e6bf912d5846646892becea659b39d178d79e3 Author: Lorenzo Bianconi Date: Tue Nov 12 01:08:53 2024 +0100 clk: en7523: move en7581_reset_register() in en7581_clk_hw_init() Move en7581_reset_register routine in en7581_clk_hw_init() since reset feature is supported just by EN7581 SoC. Get rid of reset struct in en_clk_soc_data data struct. Signed-off-by: Lorenzo Bianconi Link: https://lore.kernel.org/r/20241112-clk-en7581-syscon-v2-6-8ada5e394ae4@kernel.org Signed-off-by: Stephen Boyd commit f98eded9e9ab048c88ff59c5523e703a6ced5523 Author: Lorenzo Bianconi Date: Tue Nov 12 01:08:52 2024 +0100 clk: en7523: fix estimation of fixed rate for EN7581 Introduce en7581_base_clks array in order to define per-SoC fixed-rate clock parameters and fix wrong parameters for emi, npu and crypto EN7581 clocks Fixes: 66bc47326ce2 ("clk: en7523: Add EN7581 support") Signed-off-by: Lorenzo Bianconi Link: https://lore.kernel.org/r/20241112-clk-en7581-syscon-v2-5-8ada5e394ae4@kernel.org Signed-off-by: Stephen Boyd commit f72fc22038dd544fa4d39c06e8c81c09c0041ed4 Author: Lorenzo Bianconi Date: Tue Nov 12 01:08:51 2024 +0100 clk: en7523: introduce chip_scu regmap Introduce chip_scu regmap pointer since EN7581 SoC will access chip-scu memory area via a syscon node. Remove first memory region mapping for EN7581 SoC. This patch does not introduce any backward incompatibility since the dts for EN7581 SoC is not upstream yet. Signed-off-by: Lorenzo Bianconi Link: https://lore.kernel.org/r/20241112-clk-en7581-syscon-v2-4-8ada5e394ae4@kernel.org Signed-off-by: Stephen Boyd commit b8bdfc666bc5f58caf46e67b615132fccbaca3d4 Author: Lorenzo Bianconi Date: Tue Nov 12 01:08:50 2024 +0100 clk: en7523: move clock_register in hw_init callback Move en7523_register_clocks routine in hw_init callback. Introduce en7523_clk_hw_init callback for EN7523 SoC. This is a preliminary patch to differentiate IO mapped region between EN7523 and EN7581 SoCs in order to access chip-scu IO region <0x1fa20000 0x384> on EN7581 SoC as syscon device since it contains miscellaneous registers needed by multiple devices (clock, pinctrl ..). Signed-off-by: Lorenzo Bianconi Link: https://lore.kernel.org/r/20241112-clk-en7581-syscon-v2-3-8ada5e394ae4@kernel.org Signed-off-by: Stephen Boyd commit c31d1cdd7bff1d2c13d435bb9d0c76bfaa332097 Author: Lorenzo Bianconi Date: Tue Nov 12 01:08:49 2024 +0100 clk: en7523: remove REG_PCIE*_{MEM,MEM_MASK} configuration REG_PCIE*_MEM and REG_PCIE*_MEM_MASK regs (PBUS_CSR memory region) are not part of the scu block on the EN7581 SoC and they are used to select the PCIE ports on the PBUS, so remove this configuration from the clock driver and set these registers in the PCIE host driver instead. This patch does not introduce any backward incompatibility since the dts for EN7581 SoC is not upstream yet. Signed-off-by: Lorenzo Bianconi Link: https://lore.kernel.org/r/20241112-clk-en7581-syscon-v2-2-8ada5e394ae4@kernel.org Signed-off-by: Stephen Boyd commit 0f7c637d1103d79829dec198e5f1b678c1feb5f2 Author: Lorenzo Bianconi Date: Tue Nov 12 01:08:48 2024 +0100 dt-bindings: clock: airoha: Update reg mapping for EN7581 SoC. clk-en7523 driver for EN7581 SoC is mapping all the scu memory region while it is configuring the chip-scu one via a syscon. Update the reg mapping definition for this device. This patch does not introduce any backward incompatibility since the dts for EN7581 SoC is not upstream yet. Signed-off-by: Lorenzo Bianconi Link: https://lore.kernel.org/r/20241112-clk-en7581-syscon-v2-1-8ada5e394ae4@kernel.org Reviewed-by: Rob Herring (Arm) Signed-off-by: Stephen Boyd commit 0bd9b1211f741fd4caa611e3b39275d58b73fbcf Author: Yassine Oudjana Date: Wed Nov 6 11:14:37 2024 +0000 clk: mediatek: Add drivers for MT6735 syscon clock and reset controllers Add drivers for IMGSYS, MFGCFG, VDECSYS and VENCSYS clocks and resets on MT6735. Signed-off-by: Yassine Oudjana Link: https://lore.kernel.org/r/20241106111402.200940-3-y.oudjana@protonmail.com Signed-off-by: Stephen Boyd commit a7479860bb4099a8eef64999e843c085838248e4 Author: Yassine Oudjana Date: Wed Nov 6 11:14:30 2024 +0000 dt-bindings: clock: mediatek: Add bindings for MT6735 syscon clock and reset controllers Add device tree bindings for syscon clock and reset controllers (IMGSYS, MFGCFG, VDECSYS and VENCSYS). Signed-off-by: Yassine Oudjana Reviewed-by: AngeloGioacchino Del Regno Acked-by: Conor Dooley Link: https://lore.kernel.org/r/20241106111402.200940-2-y.oudjana@protonmail.com Signed-off-by: Stephen Boyd commit be530c3fc296f35e67f0f799029ba17880dd3f50 Author: Christophe JAILLET Date: Fri Oct 25 17:46:08 2024 +0200 clk: mediatek: mt6735-apmixedsys: Fix an error handling path in clk_mt6735_apmixed_probe() If an error occurs after a successful mtk_alloc_clk_data(), mtk_free_clk_data() should be called, as already done in the .remove() function. Switch to mtk_devm_alloc_clk_data() in order to fix the memory leak in the probe function, and simplify the remove function. Fixes: 43c04ed79189 ("clk: mediatek: Add drivers for MediaTek MT6735 main clock and reset drivers") Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/89ad840e7a484eaf4727470824acfe0fdc60fcef.1729871146.git.christophe.jaillet@wanadoo.fr Tested-by: Yassine Oudjana Signed-off-by: Stephen Boyd commit 198675bbc03d437fb80a35d781ad13d622d0ff68 Author: Sergio Paracuellos Date: Tue Sep 10 06:40:24 2024 +0200 clk: ralink: mtmips: add mmc related clocks for SoCs MT7620, MT7628 and MT7688 Original architecture clock code from where this driver was derived did not include nothing related to mmc clocks. OpenWRT people started to use mtk-sd upstream driver recently and they were forced to use a dts 'fixed-clock' node with 48 MHz clock: - https://github.com/openwrt/openwrt/pull/15896 The proper thing to do to avoid that is to add the mmc related clocks to the driver to avoid a dts with fixed clocks nodes. The minimal documentation in the mt7620 programming guide says that there is a BBP_PLL clock of 480 MHz derived from the 40 MHz XTAL and from there a clock divider by ten produces the desired SDHC clock of 48 MHz for the mmc. Hence add a fixed clock 'bbppll' and factor clock 'sdhc' ten divider child to properly set the 'mmc' peripheral clock with the desired 48 Mhz rate. Signed-off-by: Sergio Paracuellos Link: https://lore.kernel.org/r/20240910044024.120009-4-sergio.paracuellos@gmail.com Signed-off-by: Stephen Boyd commit d34db686a3d74bd564bfce2ada15011c556269fc Author: Sergio Paracuellos Date: Tue Sep 10 06:40:23 2024 +0200 clk: ralink: mtmips: fix clocks probe order in oldest ralink SoCs Base clocks are the first in being probed and are real dependencies of the rest of fixed, factor and peripheral clocks. For old ralink SoCs RT2880, RT305x and RT3883 'xtal' must be defined first since in any other case, when fixed clocks are probed they are delayed until 'xtal' is probed so the following warning appears: WARNING: CPU: 0 PID: 0 at drivers/clk/ralink/clk-mtmips.c:499 rt3883_bus_recalc_rate+0x98/0x138 Modules linked in: CPU: 0 PID: 0 Comm: swapper Not tainted 6.6.43 #0 Stack : 805e58d0 00000000 00000004 8004f950 00000000 00000004 00000000 00000000 80669c54 80830000 80700000 805ae570 80670068 00000001 80669bf8 00000000 00000000 00000000 805ae570 80669b38 00000020 804db7dc 00000000 00000000 203a6d6d 80669b78 80669e48 70617773 00000000 805ae570 00000000 00000009 00000000 00000001 00000004 00000001 00000000 00000000 83fe43b0 00000000 ... Call Trace: [<800065d0>] show_stack+0x64/0xf4 [<804bca14>] dump_stack_lvl+0x38/0x60 [<800218ac>] __warn+0x94/0xe4 [<8002195c>] warn_slowpath_fmt+0x60/0x94 [<80259ff8>] rt3883_bus_recalc_rate+0x98/0x138 [<80254530>] __clk_register+0x568/0x688 [<80254838>] of_clk_hw_register+0x18/0x2c [<8070b910>] rt2880_clk_of_clk_init_driver+0x18c/0x594 [<8070b628>] of_clk_init+0x1c0/0x23c [<806fc448>] plat_time_init+0x58/0x18c [<806fdaf0>] time_init+0x10/0x6c [<806f9bc4>] start_kernel+0x458/0x67c ---[ end trace 0000000000000000 ]--- When this driver was mainlined we could not find any active users of old ralink SoCs so we cannot perform any real tests for them. Now, one user of a Belkin f9k1109 version 1 device which uses RT3883 SoC appeared and reported some issues in openWRT: - https://github.com/openwrt/openwrt/issues/16054 Thus, define a 'rt2880_xtal_recalc_rate()' just returning the expected frequency 40Mhz and use it along the old ralink SoCs to have a correct boot trace with no warnings and a working clock plan from the beggining. Fixes: 6f3b15586eef ("clk: ralink: add clock and reset driver for MTMIPS SoCs") Signed-off-by: Sergio Paracuellos Link: https://lore.kernel.org/r/20240910044024.120009-3-sergio.paracuellos@gmail.com Signed-off-by: Stephen Boyd commit 33239152305567b3e9bf052f71fd4baecd626341 Author: Sergio Paracuellos Date: Tue Sep 10 06:40:22 2024 +0200 clk: ralink: mtmips: fix clock plan for Ralink SoC RT3883 Clock plan for Ralink SoC RT3883 needs an extra 'periph' clock to properly set some peripherals that has this clock as their parent. When this driver was mainlined we could not find any active users of this SoC so we cannot perform any real tests for it. Now, one user of a Belkin f9k1109 version 1 device which uses this SoC appear and reported some issues in openWRT: - https://github.com/openwrt/openwrt/issues/16054 The peripherals that are wrong are 'uart', 'i2c', 'i2s' and 'uartlite' which has a not defined 'periph' clock as parent. Hence, introduce it to have a properly working clock plan for this SoC. Fixes: 6f3b15586eef ("clk: ralink: add clock and reset driver for MTMIPS SoCs") Signed-off-by: Sergio Paracuellos Link: https://lore.kernel.org/r/20240910044024.120009-2-sergio.paracuellos@gmail.com Signed-off-by: Stephen Boyd commit 827af4787e74e8df9e8e0677a69fbb15e0856d2f Author: Luiz Augusto von Dentz Date: Wed Oct 23 16:55:57 2024 -0400 Bluetooth: MGMT: Add initial implementation of MGMT_OP_HCI_CMD_SYNC This adds the initial implementation of MGMT_OP_HCI_CMD_SYNC as documented in mgmt-api (BlueZ tree): Send HCI command and wait for event Command =========================================== Command Code: 0x005B Controller Index: Command Parameters: Opcode (2 Octets) Event (1 Octet) Timeout (1 Octet) Parameter Length (2 Octets) Parameter (variable) Return Parameters: Response (1-variable Octets) This command may be used to send a HCI command and wait for an (optional) event. The HCI command is specified by the Opcode, any arbitrary is supported including vendor commands, but contrary to the like of Raw/User channel it is run as an HCI command send by the kernel since it uses its command synchronization thus it is possible to wait for a specific event as a response. Setting event to 0x00 will cause the command to wait for either HCI Command Status or HCI Command Complete. Timeout is specified in seconds, setting it to 0 will cause the default timeout to be used. Possible errors: Failed Invalid Parameters Signed-off-by: Luiz Augusto von Dentz commit 27aabf27fd014ae037cc179c61b0bee7cff55b3d Author: Dmitry Antipov Date: Fri Nov 1 14:44:10 2024 +0300 Bluetooth: fix use-after-free in device_for_each_child() Syzbot has reported the following KASAN splat: BUG: KASAN: slab-use-after-free in device_for_each_child+0x18f/0x1a0 Read of size 8 at addr ffff88801f605308 by task kbnepd bnep0/4980 CPU: 0 UID: 0 PID: 4980 Comm: kbnepd bnep0 Not tainted 6.12.0-rc4-00161-gae90f6a6170d #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 Call Trace: dump_stack_lvl+0x100/0x190 ? device_for_each_child+0x18f/0x1a0 print_report+0x13a/0x4cb ? __virt_addr_valid+0x5e/0x590 ? __phys_addr+0xc6/0x150 ? device_for_each_child+0x18f/0x1a0 kasan_report+0xda/0x110 ? device_for_each_child+0x18f/0x1a0 ? __pfx_dev_memalloc_noio+0x10/0x10 device_for_each_child+0x18f/0x1a0 ? __pfx_device_for_each_child+0x10/0x10 pm_runtime_set_memalloc_noio+0xf2/0x180 netdev_unregister_kobject+0x1ed/0x270 unregister_netdevice_many_notify+0x123c/0x1d80 ? __mutex_trylock_common+0xde/0x250 ? __pfx_unregister_netdevice_many_notify+0x10/0x10 ? trace_contention_end+0xe6/0x140 ? __mutex_lock+0x4e7/0x8f0 ? __pfx_lock_acquire.part.0+0x10/0x10 ? rcu_is_watching+0x12/0xc0 ? unregister_netdev+0x12/0x30 unregister_netdevice_queue+0x30d/0x3f0 ? __pfx_unregister_netdevice_queue+0x10/0x10 ? __pfx_down_write+0x10/0x10 unregister_netdev+0x1c/0x30 bnep_session+0x1fb3/0x2ab0 ? __pfx_bnep_session+0x10/0x10 ? __pfx_lock_release+0x10/0x10 ? __pfx_woken_wake_function+0x10/0x10 ? __kthread_parkme+0x132/0x200 ? __pfx_bnep_session+0x10/0x10 ? kthread+0x13a/0x370 ? __pfx_bnep_session+0x10/0x10 kthread+0x2b7/0x370 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x48/0x80 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 Allocated by task 4974: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 __kmalloc_noprof+0x1d1/0x440 hci_alloc_dev_priv+0x1d/0x2820 __vhci_create_device+0xef/0x7d0 vhci_write+0x2c7/0x480 vfs_write+0x6a0/0xfc0 ksys_write+0x12f/0x260 do_syscall_64+0xc7/0x250 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 4979: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x4f/0x70 kfree+0x141/0x490 hci_release_dev+0x4d9/0x600 bt_host_release+0x6a/0xb0 device_release+0xa4/0x240 kobject_put+0x1ec/0x5a0 put_device+0x1f/0x30 vhci_release+0x81/0xf0 __fput+0x3f6/0xb30 task_work_run+0x151/0x250 do_exit+0xa79/0x2c30 do_group_exit+0xd5/0x2a0 get_signal+0x1fcd/0x2210 arch_do_signal_or_restart+0x93/0x780 syscall_exit_to_user_mode+0x140/0x290 do_syscall_64+0xd4/0x250 entry_SYSCALL_64_after_hwframe+0x77/0x7f In 'hci_conn_del_sysfs()', 'device_unregister()' may be called when an underlying (kobject) reference counter is greater than 1. This means that reparenting (happened when the device is actually freed) is delayed and, during that delay, parent controller device (hciX) may be deleted. Since the latter may create a dangling pointer to freed parent, avoid that scenario by reparenting to NULL explicitly. Reported-by: syzbot+6cf5652d3df49fae2e3f@syzkaller.appspotmail.com Tested-by: syzbot+6cf5652d3df49fae2e3f@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=6cf5652d3df49fae2e3f Fixes: a85fb91e3d72 ("Bluetooth: Fix double free in hci_conn_cleanup") Signed-off-by: Dmitry Antipov Signed-off-by: Luiz Augusto von Dentz commit acece9d1ca9283154cc4fcc778579059119ccb90 Author: Kiran K Date: Tue Oct 22 14:41:34 2024 +0530 Bluetooth: btintel: Direct exception event to bluetooth stack Have exception event part of HCI traces which helps for debug. snoop traces: > HCI Event: Vendor (0xff) plen 79 Vendor Prefix (0x8780) Intel Extended Telemetry (0x03) Unknown extended telemetry event type (0xde) 01 01 de Unknown extended subevent 0x07 01 01 de 07 01 de 06 1c ef be ad de ef be ad de ef be ad de ef be ad de ef be ad de ef be ad de ef be ad de 05 14 ef be ad de ef be ad de ef be ad de ef be ad de ef be ad de 43 10 ef be ad de ef be ad de ef be ad de ef be ad de Fixes: af395330abed ("Bluetooth: btintel: Add Intel devcoredump support") Signed-off-by: Kiran K Signed-off-by: Luiz Augusto von Dentz commit 55abbd148dfb604ebf3f72d6c3dd2a8063d40718 Author: Luiz Augusto von Dentz Date: Fri Nov 8 11:19:54 2024 -0500 Bluetooth: hci_core: Fix calling mgmt_device_connected Since 61a939c68ee0 ("Bluetooth: Queue incoming ACL data until BT_CONNECTED state is reached") there is no long the need to call mgmt_device_connected as ACL data will be queued until BT_CONNECTED state. Link: https://bugzilla.kernel.org/show_bug.cgi?id=219458 Link: https://github.com/bluez/bluez/issues/1014 Fixes: 333b4fd11e89 ("Bluetooth: L2CAP: Fix uaf in l2cap_connect") Signed-off-by: Luiz Augusto von Dentz commit 2de33a21a136ccfcf5ebd956537eec0637e067d3 Author: Andy Shevchenko Date: Fri Nov 8 17:33:49 2024 +0200 Bluetooth: hci_bcm: Use the devm_clk_get_optional() helper Use devm_clk_get_optional() instead of hand writing it. This saves some LoC and improves the semantic. Signed-off-by: Andy Shevchenko Signed-off-by: Luiz Augusto von Dentz commit 07a9342b94a91b306ed1cf6aa8254aea210764c9 Author: Iulia Tanasescu Date: Mon Nov 11 13:47:08 2024 +0200 Bluetooth: ISO: Send BIG Create Sync via hci_sync Before issuing the LE BIG Create Sync command, an available BIG handle is chosen by iterating through the conn_hash list and finding the first unused value. If a BIG is terminated, the associated hcons are removed from the list and the LE BIG Terminate Sync command is sent via hci_sync queue. However, a new LE BIG Create sync command might be issued via hci_send_cmd, before the previous BIG sync was terminated. This can cause the same BIG handle to be reused and the LE BIG Create Sync to fail with Command Disallowed. < HCI Command: LE Broadcast Isochronous Group Create Sync (0x08|0x006b) BIG Handle: 0x00 BIG Sync Handle: 0x0002 Encryption: Unencrypted (0x00) Broadcast Code[16]: 00000000000000000000000000000000 Maximum Number Subevents: 0x00 Timeout: 20000 ms (0x07d0) Number of BIS: 1 BIS ID: 0x01 > HCI Event: Command Status (0x0f) plen 4 LE Broadcast Isochronous Group Create Sync (0x08|0x006b) ncmd 1 Status: Command Disallowed (0x0c) < HCI Command: LE Broadcast Isochronous Group Terminate Sync (0x08|0x006c) BIG Handle: 0x00 This commit fixes the ordering of the LE BIG Create Sync/LE BIG Terminate Sync commands, to make sure that either the previous BIG sync is terminated before reusing the handle, or that a new handle is chosen for a new sync. Fixes: eca0ae4aea66 ("Bluetooth: Add initial implementation of BIS connections") Signed-off-by: Iulia Tanasescu Signed-off-by: Luiz Augusto von Dentz commit 25ab2db3e60e0e84d7cdc740ea6ae3c10fe61eaa Author: Iulia Tanasescu Date: Mon Nov 11 13:47:07 2024 +0200 Bluetooth: hci_conn: Remove alloc from critical section This removes the kzalloc memory allocation inside critical section in create_pa_sync, fixing the following message that appears when the kernel is compiled with CONFIG_DEBUG_ATOMIC_SLEEP enabled: BUG: sleeping function called from invalid context at include/linux/sched/mm.h:321 Signed-off-by: Iulia Tanasescu Signed-off-by: Luiz Augusto von Dentz commit dc26097bdb864a0d5955b9a25e43376ffc1af99b Author: Luiz Augusto von Dentz Date: Tue Oct 1 16:15:51 2024 -0400 Bluetooth: ISO: Use kref to track lifetime of iso_conn This make use of kref to keep track of reference of iso_conn which allows better tracking of its lifetime with usage of things like kref_get_unless_zero in a similar way as used in l2cap_chan. In addition to it remove call to iso_sock_set_timer on iso_sock_disconn since at that point it is useless to set a timer as the sk will be freed there is nothing to be done in iso_sock_timeout. Fixes: ccf74f2390d6 ("Bluetooth: Add BTPROTO_ISO socket type") Signed-off-by: Luiz Augusto von Dentz commit e6720779ae612a14ac4ba7fe4fd5b27d900d932c Author: Luiz Augusto von Dentz Date: Tue Oct 1 15:46:10 2024 -0400 Bluetooth: SCO: Use kref to track lifetime of sco_conn This make use of kref to keep track of reference of sco_conn which allows better tracking of its lifetime with usage of things like kref_get_unless_zero in a similar way as used in l2cap_chan. In addition to it remove call to sco_sock_set_timer on __sco_sock_close since at that point it is useless to set a timer as the sk will be freed there is nothing to be done in sco_sock_timeout. Signed-off-by: Luiz Augusto von Dentz commit 96e7c4273560be4744ba8c444bc6969745315251 Author: Luiz Augusto von Dentz Date: Wed Nov 6 09:53:45 2024 -0500 Bluetooth: HCI: Add IPC(11) bus type Zephyr(1) has been using the same bus defines as Linux so tools likes of btmon, etc, are able to decode the bus used by the driver to transport HCI packets. Link: https://github.com/zephyrproject-rtos/zephyr/pull/80808 Signed-off-by: Luiz Augusto von Dentz commit de7dcf9d1df4b0009735756d0a2adff09c3f21d4 Author: Jiande Lu Date: Mon Nov 4 22:59:31 2024 +0800 Bluetooth: btusb: Add 3 HWIDs for MT7925 Add below HWIDs for MediaTek MT7925 USB Bluetooth chip. VID 0x0489, PID 0xe14f VID 0x0489, PID 0xe150 VID 0x0489, PID 0xe151 Patch has been tested successfully and controller is recognized device pair successfully. MT7925 module bring up message as below. Bluetooth: Core ver 2.22 Bluetooth: HCI device and connection manager initialized Bluetooth: HCI socket layer initialized Bluetooth: L2CAP socket layer initialized Bluetooth: SCO socket layer initialized Bluetooth: hci0: HW/SW Version: 0x00000000, Build Time: 20240816133202 Bluetooth: hci0: Device setup in 286558 usecs Bluetooth: hci0: HCI Enhanced Setup Synchronous Connection command is advertised, but not supported. Bluetooth: hci0: AOSP extensions version v1.00 Bluetooth: BNEP (Ethernet Emulation) ver 1.3 Bluetooth: BNEP filters: protocol multicast Bluetooth: BNEP socket layer initialized Bluetooth: MGMT ver 1.22 Bluetooth: RFCOMM TTY layer initialized Bluetooth: RFCOMM socket layer initialized Bluetooth: RFCOMM ver 1.11 Signed-off-by: Jiande Lu Signed-off-by: Luiz Augusto von Dentz commit 679cb60fd60774798719c3e449874a168642a8e6 Author: Jonathan McCrohan Date: Sat Nov 2 01:10:14 2024 +0000 Bluetooth: btusb: Add new VID/PID 0489/e124 for MT7925 Add VID 0489 & PID e124 for MediaTek MT7925 USB Bluetooth chip. The information in /sys/kernel/debug/usb/devices about the Bluetooth device is listed as the below. T: Bus=01 Lev=01 Prnt=01 Port=08 Cnt=02 Dev#= 3 Spd=480 MxCh= 0 D: Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=0489 ProdID=e124 Rev= 1.00 S: Manufacturer=MediaTek Inc. S: Product=Wireless_Device S: SerialNumber=000000000 C:* #Ifs= 3 Cfg#= 1 Atr=e0 MxPwr=100mA A: FirstIf#= 0 IfCount= 3 Cls=e0(wlcon) Sub=01 Prot=01 I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=125us E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms I: If#= 1 Alt= 6 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 63 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 63 Ivl=1ms I:* If#= 2 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=(none) E: Ad=8a(I) Atr=03(Int.) MxPS= 64 Ivl=125us E: Ad=0a(O) Atr=03(Int.) MxPS= 64 Ivl=125us I: If#= 2 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=(none) E: Ad=8a(I) Atr=03(Int.) MxPS= 512 Ivl=125us E: Ad=0a(O) Atr=03(Int.) MxPS= 512 Ivl=125us Signed-off-by: Jonathan McCrohan Signed-off-by: Luiz Augusto von Dentz commit 83d328a72eff3268ea4c19deb0a6cf4c7da15746 Author: Iulia Tanasescu Date: Fri Nov 1 10:23:39 2024 +0200 Bluetooth: ISO: Update hci_conn_hash_lookup_big for Broadcast slave Currently, hci_conn_hash_lookup_big only checks for BIS master connections, by filtering out connections with the destination address set. This commit updates this function to also consider BIS slave connections, since it is also used for a Broadcast Receiver to set an available BIG handle before issuing the LE BIG Create Sync command. Signed-off-by: Iulia Tanasescu Signed-off-by: Luiz Augusto von Dentz commit 42ecf1947135110ea08abeaca39741636f9a2285 Author: Iulia Tanasescu Date: Fri Nov 1 10:23:38 2024 +0200 Bluetooth: ISO: Do not emit LE BIG Create Sync if previous is pending The Bluetooth Core spec does not allow a LE BIG Create sync command to be sent to Controller if another one is pending (Vol 4, Part E, page 2586). In order to avoid this issue, the HCI_CONN_CREATE_BIG_SYNC was added to mark that the LE BIG Create Sync command has been sent for a hcon. Once the BIG Sync Established event is received, the hcon flag is erased and the next pending hcon is handled. Signed-off-by: Iulia Tanasescu Signed-off-by: Luiz Augusto von Dentz commit 79321b06a03e395ab1fc19a47549e9d70ddac115 Author: Iulia Tanasescu Date: Fri Nov 1 10:23:37 2024 +0200 Bluetooth: ISO: Fix matching parent socket for BIS slave Currently, when a BIS slave connection is notified to the ISO layer, the parent socket is tried to be matched by the HCI_EVT_LE_BIG_SYNC_ESTABILISHED event. However, a BIS slave connection is notified to the ISO layer after the Command Complete for the LE Setup ISO Data Path command is received. This causes the parent to be incorrectly matched if multiple listen sockets are present. This commit adds a fix by matching the parent based on the BIG handle set in the notified connection. Signed-off-by: Iulia Tanasescu Signed-off-by: Luiz Augusto von Dentz commit 4a5e0ba68676b3a77298cf646cd2b39c94fbd2f5 Author: Iulia Tanasescu Date: Fri Nov 1 10:23:36 2024 +0200 Bluetooth: ISO: Do not emit LE PA Create Sync if previous is pending The Bluetooth Core spec does not allow a LE PA Create sync command to be sent to Controller if another one is pending (Vol 4, Part E, page 2493). In order to avoid this issue, the HCI_CONN_CREATE_PA_SYNC was added to mark that the LE PA Create Sync command has been sent for a hcon. Once the PA Sync Established event is received, the hcon flag is erased and the next pending hcon is handled. Signed-off-by: Iulia Tanasescu Signed-off-by: Luiz Augusto von Dentz commit 2dc98ac1cb9ce8a8ab9967aaaf0abb3496e7fedb Author: Hilda Wu Date: Wed Oct 30 16:43:34 2024 +0800 Bluetooth: btrtl: Decrease HCI_OP_RESET timeout from 10 s to 2 s The original timeout setting for HCI Reset on shutdown is 10 seconds. HCI Reset shouldn't take 10 seconds to complete so instead use the default timeout for commands. Signed-off-by: Hilda Wu Signed-off-by: Luiz Augusto von Dentz commit e42eec0f182ac0605e658145f6fe3b6a7c256c45 Author: Javier Carrasco Date: Thu Oct 31 13:11:23 2024 +0100 Bluetooth: btbcm: fix missing of_node_put() in btbcm_get_board_name() of_find_node_by_path() returns a pointer to a device_node with its refcount incremented, and a call to of_node_put() is required to decrement the refcount again and avoid leaking the resource. If 'of_property_read_string_index(root, "compatible", 0, &tmp)' fails, the function returns without calling of_node_put(root) before doing so. The automatic cleanup attribute can be used by means of the __free() macro to automatically call of_node_put() when the variable goes out of scope, fixing the issue and also accounting for new error paths. Fixes: 63fac3343b99 ("Bluetooth: btbcm: Support per-board firmware variants") Signed-off-by: Javier Carrasco Signed-off-by: Luiz Augusto von Dentz commit faa5fd605d2081b6c9fa2355b59582d4ccd24b16 Author: Hao Qin Date: Sat Oct 26 11:18:18 2024 +0800 Bluetooth: btusb: Add new VID/PID 0489/e111 for MT7925 Add VID 0489 & PID e111 for MediaTek MT7925 USB Bluetooth chip. The information in /sys/kernel/debug/usb/devices about the Bluetooth device is listed as the below. T: Bus=02 Lev=02 Prnt=02 Port=04 Cnt=02 Dev#= 4 Spd=480 MxCh= 0 D: Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=0489 ProdID=e111 Rev= 1.00 S: Manufacturer=MediaTek Inc. S: Product=Wireless_Device S: SerialNumber=000000000 C:* #Ifs= 3 Cfg#= 1 Atr=e0 MxPwr=100mA A: FirstIf#= 0 IfCount= 3 Cls=e0(wlcon) Sub=01 Prot=01 I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=125us E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms I: If#= 1 Alt= 6 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 63 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 63 Ivl=1ms I:* If#= 2 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=(none) E: Ad=8a(I) Atr=03(Int.) MxPS= 64 Ivl=125us E: Ad=0a(O) Atr=03(Int.) MxPS= 64 Ivl=125us I: If#= 2 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=(none) E: Ad=8a(I) Atr=03(Int.) MxPS= 512 Ivl=125us E: Ad=0a(O) Atr=03(Int.) MxPS= 512 Ivl=125us Signed-off-by: Hao Qin Signed-off-by: Luiz Augusto von Dentz commit 61c5a3def90ac729a538e5ca5ff7f461cff72776 Author: Chris Lu Date: Fri Oct 25 14:07:17 2024 +0800 Bluetooth: btmtk: adjust the position to init iso data anchor MediaTek iso data anchor init should be moved to where MediaTek claims iso data interface. If there is an unexpected BT usb disconnect during setup flow, it will cause a NULL pointer crash issue when releasing iso anchor since the anchor wasn't been init yet. Adjust the position to do iso data anchor init. [ 17.137991] pc : usb_kill_anchored_urbs+0x60/0x168 [ 17.137998] lr : usb_kill_anchored_urbs+0x44/0x168 [ 17.137999] sp : ffffffc0890cb5f0 [ 17.138000] x29: ffffffc0890cb5f0 x28: ffffff80bb6c2e80 [ 17.144081] gpio gpiochip0: registered chardev handle for 1 lines [ 17.148421] x27: 0000000000000000 [ 17.148422] x26: ffffffd301ff4298 x25: 0000000000000003 x24: 00000000000000f0 [ 17.148424] x23: 0000000000000000 x22: 00000000ffffffff x21: 0000000000000001 [ 17.148425] x20: ffffffffffffffd8 x19: ffffff80c0f25560 x18: 0000000000000000 [ 17.148427] x17: ffffffd33864e408 x16: ffffffd33808f7c8 x15: 0000000000200000 [ 17.232789] x14: e0cd73cf80ffffff x13: 50f2137c0a0338c9 x12: 0000000000000001 [ 17.239912] x11: 0000000080150011 x10: 0000000000000002 x9 : 0000000000000001 [ 17.247035] x8 : 0000000000000000 x7 : 0000000000008080 x6 : 8080000000000000 [ 17.254158] x5 : ffffffd33808ebc0 x4 : fffffffe033dcf20 x3 : 0000000080150011 [ 17.261281] x2 : ffffff8087a91400 x1 : 0000000000000000 x0 : ffffff80c0f25588 [ 17.268404] Call trace: [ 17.270841] usb_kill_anchored_urbs+0x60/0x168 [ 17.275274] btusb_mtk_release_iso_intf+0x2c/0xd8 [btusb (HASH:5afe 6)] [ 17.284226] btusb_mtk_disconnect+0x14/0x28 [btusb (HASH:5afe 6)] [ 17.292652] btusb_disconnect+0x70/0x140 [btusb (HASH:5afe 6)] [ 17.300818] usb_unbind_interface+0xc4/0x240 [ 17.305079] device_release_driver_internal+0x18c/0x258 [ 17.310296] device_release_driver+0x1c/0x30 [ 17.314557] bus_remove_device+0x140/0x160 [ 17.318643] device_del+0x1c0/0x330 [ 17.322121] usb_disable_device+0x80/0x180 [ 17.326207] usb_disconnect+0xec/0x300 [ 17.329948] hub_quiesce+0x80/0xd0 [ 17.333339] hub_disconnect+0x44/0x190 [ 17.337078] usb_unbind_interface+0xc4/0x240 [ 17.341337] device_release_driver_internal+0x18c/0x258 [ 17.346551] device_release_driver+0x1c/0x30 [ 17.350810] usb_driver_release_interface+0x70/0x88 [ 17.355677] proc_ioctl+0x13c/0x228 [ 17.359157] proc_ioctl_default+0x50/0x80 [ 17.363155] usbdev_ioctl+0x830/0xd08 [ 17.366808] __arm64_sys_ioctl+0x94/0xd0 [ 17.370723] invoke_syscall+0x6c/0xf8 [ 17.374377] el0_svc_common+0x84/0xe0 [ 17.378030] do_el0_svc+0x20/0x30 [ 17.381334] el0_svc+0x34/0x60 [ 17.384382] el0t_64_sync_handler+0x88/0xf0 [ 17.388554] el0t_64_sync+0x180/0x188 [ 17.392208] Code: f9400677 f100a2f4 54fffea0 d503201f (b8350288) [ 17.398289] ---[ end trace 0000000000000000 ]--- Fixes: ceac1cb0259d ("Bluetooth: btusb: mediatek: add ISO data transmission functions") Signed-off-by: Chris Lu Signed-off-by: Luiz Augusto von Dentz commit 41f4ff86e795bf2e51ba5c86a6f3a06564a23f18 Author: Philipp Stanner Date: Thu Oct 24 13:15:10 2024 +0200 Bluetooth: btintel_pcie: Replace deprecated PCI functions pcim_iomap_regions() and pcim_iomap_table() have been deprecated in commit e354bb84a4c1 ("PCI: Deprecate pcim_iomap_table(), pcim_iomap_regions_request_all()"). Replace these functions with pcim_iomap_region(). Signed-off-by: Philipp Stanner Signed-off-by: Luiz Augusto von Dentz commit 677a55ba11a82c2835550a82324cec5fcb2f9e2d Author: Danil Pylaev Date: Mon Oct 21 12:22:46 2024 +0000 Bluetooth: Set quirks for ATS2851 This adds quirks for broken ats2851 features. Signed-off-by: Danil Pylaev Signed-off-by: Luiz Augusto von Dentz commit 5bd3135924b4570dcecc8793f7771cb8d42d8b19 Author: Danil Pylaev Date: Mon Oct 21 12:22:45 2024 +0000 Bluetooth: Support new quirks for ATS2851 This adds support for quirks for broken extended create connection, and write auth payload timeout. Signed-off-by: Danil Pylaev Signed-off-by: Luiz Augusto von Dentz commit 94464a7b71634037b13d54021e0dfd0fb0d8c1f0 Author: Danil Pylaev Date: Mon Oct 21 12:22:44 2024 +0000 Bluetooth: Add new quirks for ATS2851 This adds quirks for broken extended create connection, and write auth payload timeout. Signed-off-by: Danil Pylaev Signed-off-by: Luiz Augusto von Dentz commit 681ed497d676db1677605b2f9deacf2ab2cba040 Author: Arnd Bergmann Date: Mon Nov 11 11:29:21 2024 +0100 clk: amlogic: axg-audio: fix Kconfig dependency on RESET_MESON_AUX As in most cases, using 'imply' is wrong here and does not prevent build failures since that code may not be visible to a built-in clk driver: axg-audio.c:(.text+0x15c): undefined reference to `devm_meson_rst_aux_register' Replace the incorrt 'imply' with the necessary 'depends on'. Fixes: 664988eb47dd ("clk: amlogic: axg-audio: use the auxiliary reset driver") Signed-off-by: Arnd Bergmann Link: https://lore.kernel.org/r/20241111102932.3209861-1-arnd@kernel.org Reviewed-by: Jerome Brunet Signed-off-by: Stephen Boyd commit 4900e041c3f05dac47c6bce0844203a0703baaa2 Author: Colin Ian King Date: Mon Oct 7 17:10:35 2024 +0100 Bluetooth: btintel_pcie: remove redundant assignment to variable ret The variable ret is being assigned -ENOMEM however this is never read and it is being re-assigned a new value when the code jumps to label resubmit. The assignment is redundant and can be removed. Signed-off-by: Colin Ian King Signed-off-by: Luiz Augusto von Dentz commit 5fe6caa62b07fd39cd6a28acc8f92ba2955e11a6 Author: Andrej Shadura Date: Wed Oct 9 14:14:24 2024 +0200 Bluetooth: Fix type of len in rfcomm_sock_getsockopt{,_old}() Commit 9bf4e919ccad worked around an issue introduced after an innocuous optimisation change in LLVM main: > len is defined as an 'int' because it is assigned from > '__user int *optlen'. However, it is clamped against the result of > sizeof(), which has a type of 'size_t' ('unsigned long' for 64-bit > platforms). This is done with min_t() because min() requires compatible > types, which results in both len and the result of sizeof() being casted > to 'unsigned int', meaning len changes signs and the result of sizeof() > is truncated. From there, len is passed to copy_to_user(), which has a > third parameter type of 'unsigned long', so it is widened and changes > signs again. This excessive casting in combination with the KCSAN > instrumentation causes LLVM to fail to eliminate the __bad_copy_from() > call, failing the build. The same issue occurs in rfcomm in functions rfcomm_sock_getsockopt and rfcomm_sock_getsockopt_old. Change the type of len to size_t in both rfcomm_sock_getsockopt and rfcomm_sock_getsockopt_old and replace min_t() with min(). Cc: stable@vger.kernel.org Co-authored-by: Aleksei Vetrov Improves: 9bf4e919ccad ("Bluetooth: Fix type of len in {l2cap,sco}_sock_getsockopt_old()") Link: https://github.com/ClangBuiltLinux/linux/issues/2007 Link: https://github.com/llvm/llvm-project/issues/85647 Signed-off-by: Andrej Shadura Reviewed-by: Nathan Chancellor Signed-off-by: Luiz Augusto von Dentz commit 510e8380b0382ee3b070748656b00f83c9a5bf80 Author: Kiran K Date: Thu Oct 17 17:21:56 2024 +0530 Bluetooth: btintel: Do no pass vendor events to stack During firmware download, vendor specific events like boot up and secure send result are generated. These events can be safely processed at the driver level. Passing on these events to stack prints unnecessary log as below. Bluetooth: hci0: Malformed MSFT vendor event: 0x02 Fixes: 3368aa357f3b ("Bluetooth: msft: Handle MSFT Monitor Device Event") Signed-off-by: Kiran K Signed-off-by: Luiz Augusto von Dentz commit 9b49561f6c35d97f20abc178fece5868dd5e3338 Author: Everest K.C. Date: Wed Oct 16 15:39:55 2024 -0600 Bluetooth: btintel_pcie: Remove deadcode The switch case statement has a default branch. Thus, the return statement at the end of the function can never be reached. Fix it by removing the return statement at the end of the function. This issue was reported by Coverity Scan. Signed-off-by: Everest K.C. Reviewed-by: Shuah Khan Signed-off-by: Luiz Augusto von Dentz commit c6256ec2165fe8b8e8757a32a66837623e51d442 Author: Bartosz Golaszewski Date: Mon Sep 30 10:09:38 2024 +0200 Bluetooth: hci_qca: use devm_clk_get_optional_enabled_with_rate() Use the new devm_clk_get_optional_enabled_with_rate() clock helper to shrink the code a bit. Signed-off-by: Bartosz Golaszewski Signed-off-by: Luiz Augusto von Dentz commit d88a8bb8bbbec9d57b84232a2d6f8dab84221959 Author: Kiran K Date: Tue Oct 15 17:57:07 2024 +0530 Bluetooth: btintel: Add DSBR support for BlazarIW, BlazarU and GaP Add DSBR support for BlazarIW, BlazarU and Gale Peak2 cores. Refer commit eb9e749c0182 ("Bluetooth: btintel: Allow configuring drive strength of BRI") for details about DSBR. Signed-off-by: Kiran K Signed-off-by: Luiz Augusto von Dentz commit 6d83d955f6a1538aeeb810c2fa9c1aa91322839b Author: Chen-Yu Tsai Date: Tue Oct 8 16:27:20 2024 +0800 Bluetooth: btmtksdio: Lookup device node only as fallback If the device tree is properly written, the SDIO function device node should be correctly defined, and the mmc core in Linux should correctly tie it to the device being probed. Only fall back to searching for the device node by compatible if the original device node tied to the device is incorrect, as seen in older device trees. Signed-off-by: Chen-Yu Tsai Tested-by: AngeloGioacchino Del Regno # Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: Luiz Augusto von Dentz commit 969c765e2b508cca9099d246c010a1e48dcfd089 Author: Charles Han Date: Thu Nov 14 15:28:20 2024 +0800 clk: clk-apple-nco: Add NULL check in applnco_probe Add NULL check in applnco_probe, to handle kernel NULL pointer dereference error. Fixes: 6641057d5dba ("clk: clk-apple-nco: Add driver for Apple NCO") Signed-off-by: Charles Han Link: https://lore.kernel.org/r/20241114072820.3071-1-hanchunchao@inspur.com Reviewed-by: Martin Povišer Signed-off-by: Stephen Boyd commit a430c2a10c743dab5a3a07bc4e9544c55bd010fd Author: Kiran K Date: Tue Oct 1 16:14:51 2024 +0530 Bluetooth: btintel_pcie: Add recovery mechanism This patch adds a recovery mechanism to recover controller if firmware download fails due to unresponsive controller, command timeout, firmware signature verification failure etc. Driver attmepts maximum of 5 times before giving up. Signed-off-by: Kiran K Signed-off-by: Luiz Augusto von Dentz commit 05c200c8f0295c9c91beeb3ee0552331c1f8adbe Author: Kiran K Date: Tue Oct 1 16:14:50 2024 +0530 Bluetooth: btintel_pcie: Add handshake between driver and firmware The following handshake mechanism needs be followed after firmware download is completed to bring the firmware to running state. After firmware fragments of Operational image are downloaded and secure sends result of the image succeeds, 1. Driver sends HCI Intel reset with boot option #1 to switch FW image. 2. FW sends Alive GP[0] MSIx 3. Driver enables data path (doorbell 0x460 for RBDs, etc...) 4. Driver gets Bootup event from firmware 5. Driver performs D0 entry to device (WRITE to IPC_Sleep_Control =0x0) 6. FW sends Alive GP[0] MSIx 7. Device host interface is fully set for BT protocol stack operation. 8. Driver may optionally get debug event with ID 0x97 which can be dropped For Intermediate loadger image, all the above steps are applicable expcept #5 and #6. On HCI_OP_RESET, firmware raises alive interrupt. Driver needs to wait for it before passing control over to bluetooth stack. Co-developed-by: Devegowda Chandrashekar Signed-off-by: Devegowda Chandrashekar Signed-off-by: Kiran K Signed-off-by: Luiz Augusto von Dentz commit 59437cbb5781227567dec226aaa88c66a09ccc5a Author: Luiz Augusto von Dentz Date: Tue Oct 8 11:33:15 2024 -0400 Bluetooth: hci_core: Fix not checking skb length on hci_scodata_packet This fixes not checking if skb really contains an SCO header otherwise the code may attempt to access some uninitilized/invalid memory past the valid skb->data. Signed-off-by: Luiz Augusto von Dentz commit 3fe288a8214e7dd784d1f9b7c9e448244d316b47 Author: Luiz Augusto von Dentz Date: Tue Oct 8 10:16:48 2024 -0400 Bluetooth: hci_core: Fix not checking skb length on hci_acldata_packet This fixes not checking if skb really contains an ACL header otherwise the code may attempt to access some uninitilized/invalid memory past the valid skb->data. Reported-by: syzbot+6ea290ba76d8c1eb1ac2@syzkaller.appspotmail.com Tested-by: syzbot+6ea290ba76d8c1eb1ac2@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=6ea290ba76d8c1eb1ac2 Signed-off-by: Luiz Augusto von Dentz commit c135a5bc34a89a75a739d07964ff3d1c4fa1b154 Author: Neeraj Sanjay Kale Date: Tue Oct 8 14:41:59 2024 +0530 Bluetooth: btnxpuart: Add GPIO support to power save feature This adds support for driving the chip into sleep or wakeup with a GPIO. If the device tree property device-wakeup-gpios is defined, the driver utilizes this GPIO for controlling the chip's power save state, else it uses the default UART-break method. Signed-off-by: Neeraj Sanjay Kale Signed-off-by: Luiz Augusto von Dentz commit 6db0cd55432e157949a179e9d569b4515fc6e42f Author: Neeraj Sanjay Kale Date: Tue Oct 8 14:41:58 2024 +0530 dt-bindings: net: bluetooth: nxp: Add support for power save feature using GPIO This adds a new optional device tree property device-wakeup-gpios, which specifies the GPIO connected to BT_WAKE_IN pin of the NXP chipset. If this property is defined, the driver will use this GPIO for driving chip into sleep/wakeup state, else use the UART break signal by default. Signed-off-by: Neeraj Sanjay Kale Reviewed-by: Rob Herring (Arm) Signed-off-by: Luiz Augusto von Dentz commit 2b0f2fc9ed62e73c95df1fa8ed2ba3dac54699df Author: Luiz Augusto von Dentz Date: Tue Oct 1 12:34:06 2024 -0400 Bluetooth: hci_conn: Use disable_delayed_work_sync This makes use of disable_delayed_work_sync instead cancel_delayed_work_sync as it not only cancel the ongoing work but also disables new submit which is disarable since the object holding the work is about to be freed. Reported-by: syzbot+2446dd3cb07277388db6@syzkaller.appspotmail.com Tested-by: syzbot+2446dd3cb07277388db6@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=2446dd3cb07277388db6 Signed-off-by: Luiz Augusto von Dentz commit a94bc93a305bdcb20cc62978c334cace932b1be0 Author: Jiande Lu Date: Mon Sep 30 18:47:50 2024 +0800 Bluetooth: btusb: Add USB HW IDs for MT7920/MT7925 Add HW IDs for wireless module. These HW IDs are extracted from Windows driver inf file and the test for card bring up successful. MT7920 HW IDs test with below patch. https://patchwork.kernel.org/project/bluetooth/ patch/20240930081257.23975-1-chris.lu@mediatek.com/ Patch has been tested successfully and controller is recognized devices pair successfully. MT7920 module bring up message as below. Bluetooth: Core ver 2.22 Bluetooth: HCI device and connection manager initialized Bluetooth: HCI socket layer initialized Bluetooth: L2CAP socket layer initialized Bluetooth: SCO socket layer initialized Bluetooth: hci0: HW/SW Version: 0x008a008a, Build Time: 20240930111457 Bluetooth: hci0: Device setup in 143004 usecs Bluetooth: hci0: HCI Enhanced Setup Synchronous Connection command is advertised, but not supported. Bluetooth: hci0: AOSP extensions version v1.00 Bluetooth: hci0: AOSP quality report is supported Bluetooth: BNEP (Ethernet Emulation) ver 1.3 Bluetooth: BNEP filters: protocol multicast Bluetooth: BNEP socket layer initialized Bluetooth: MGMT ver 1.22 Bluetooth: RFCOMM TTY layer initialized Bluetooth: RFCOMM socket layer initialized Bluetooth: RFCOMM ver 1.11 MT7925 module bring up message as below. Bluetooth: Core ver 2.22 Bluetooth: HCI device and connection manager initialized Bluetooth: HCI socket layer initialized Bluetooth: L2CAP socket layer initialized Bluetooth: SCO socket layer initialized Bluetooth: hci0: HW/SW Version: 0x00000000, Build Time: 20240816133202 Bluetooth: hci0: Device setup in 286558 usecs Bluetooth: hci0: HCI Enhanced Setup Synchronous Connection command is advertised, but not supported. Bluetooth: hci0: AOSP extensions version v1.00 Bluetooth: BNEP (Ethernet Emulation) ver 1.3 Bluetooth: BNEP filters: protocol multicast Bluetooth: BNEP socket layer initialized Bluetooth: MGMT ver 1.22 Bluetooth: RFCOMM TTY layer initialized Bluetooth: RFCOMM socket layer initialized Bluetooth: RFCOMM ver 1.11 Signed-off-by: Jiande Lu Signed-off-by: Luiz Augusto von Dentz commit 69b84ffce260ff13826dc10aeb3c3e5c2288a552 Author: Hilda Wu Date: Tue Oct 1 16:37:29 2024 +0800 Bluetooth: btusb: Add RTL8852BE device 0489:e123 to device tables Add the support ID 0489:e123 to usb_device_id table for Realtek RTL8852B chip. The device info from /sys/kernel/debug/usb/devices as below. T: Bus=01 Lev=01 Prnt=01 Port=07 Cnt=04 Dev#= 7 Spd=12 MxCh= 0 D: Ver= 1.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=0489 ProdID=e123 Rev= 0.00 S: Manufacturer=Realtek S: Product=Bluetooth Radio S: SerialNumber=00e04c000001 C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms Signed-off-by: Hilda Wu Signed-off-by: Luiz Augusto von Dentz commit e623e2a066e2f6ee5c3a7f817ed6429650466a37 Author: Yan Zhen Date: Sun Sep 29 16:57:27 2024 +0800 bluetooth: Fix typos in the comments Correctly spelled comments make it easier for the reader to understand the code. Fix typos: 'fragement' ==> 'fragment', 'genration' ==> 'generation', 'funciton' ==> 'function', 'Explitly' ==> 'Explicitly', 'explaination' ==> 'explanation', 'Tranlate' ==> 'Translate', 'immediatelly' ==> 'immediately', 'isntance' ==> 'instance', 'transmittion' ==> 'transmission', 'recevie' ==> 'receive', 'outselves' ==> 'ourselves', 'conrol' ==> 'control'. Signed-off-by: Yan Zhen Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: Luiz Augusto von Dentz commit d96b543c6f3b78b6440b68b5a5bbface553eff28 Author: Markus Elfring Date: Tue Oct 1 09:21:25 2024 +0200 Bluetooth: hci_conn: Reduce hci_conn_drop() calls in two functions An hci_conn_drop() call was immediately used after a null pointer check for an hci_conn_link() call in two function implementations. Thus call such a function only once instead directly before the checks. This issue was transformed by using the Coccinelle software. Signed-off-by: Markus Elfring Signed-off-by: Luiz Augusto von Dentz commit 8c52d2f8dc98e6acac253dbf69a690c7026fb0a6 Author: Neeraj Sanjay Kale Date: Thu Sep 26 09:37:57 2024 +0530 Bluetooth: btnxpuart: Rename IW615 to IW610 This changes the chip name of IW615 to IW610. IW610 (formerly called IW615) is yet to be released to broad market, hence there is no issue of backward compatibility. Signed-off-by: Neeraj Sanjay Kale Signed-off-by: Luiz Augusto von Dentz commit c5da9bd6e8053cec636f0e212887390ac614d123 Author: Neeraj Sanjay Kale Date: Thu Sep 26 09:37:56 2024 +0530 Bluetooth: btnxpuart: Drop _v0 suffix from FW names This updates all FW names by dropping the _v0 suffix. Its been decided that all NXP BT/ WiFi FW names won't support _v0 suffix. The suffix would be kept for next HW versions such as v1, v2 and so on, which do not have backward compatible FW. This change affects W8987, IW416 and IW615 chipsets, out of which new FW files for W8987 and IW615 are yet to be released to broad market. For IW416, old and new FW names are added to maintain backward compatibility for existing customers. Signed-off-by: Neeraj Sanjay Kale Signed-off-by: Luiz Augusto von Dentz commit 0c193c2424daebffdfc64e5c0a5544b02867702e Author: Ivaylo Ivanov Date: Thu Nov 14 09:26:00 2024 +0200 dt-bindings: clock: actions,owl-cmu: convert to YAML Convert the Actions Semi Owl CMU bindings to DT schema. Changes during conversion: - Since all Actions Semi Owl SoCs utilize the internal low frequency oscillator as a parent for some clocks, require it. Signed-off-by: Ivaylo Ivanov Reviewed-by: Conor Dooley Reviewed-by: Krzysztof Kozlowski Acked-by: Manivannan Sadhasivam Link: https://lore.kernel.org/r/20241114072601.265011-1-ivo.ivanov.ivanov1@gmail.com Signed-off-by: Stephen Boyd commit e69bcffce21c649a23645b20eb527b3d1ce6fc49 Author: Zijun Hu Date: Thu Sep 26 04:08:49 2024 -0700 Bluetooth: btusb: Add one more ID 0x13d3:0x3623 for Qualcomm WCN785x Add one more part with ID (0x13d3, 0x3623) to usb_device_id table for Qualcomm WCN785x, and its device info from /sys/kernel/debug/usb/devices is shown below: T: Bus=01 Lev=01 Prnt=01 Port=02 Cnt=01 Dev#= 2 Spd=12 MxCh= 0 D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=13d3 ProdID=3623 Rev= 0.01 C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms I: If#= 1 Alt= 6 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 63 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 63 Ivl=1ms I: If#= 1 Alt= 7 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 65 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 65 Ivl=1ms Signed-off-by: Zijun Hu Signed-off-by: Luiz Augusto von Dentz commit 45f745dd1ac880ce299c0f92b874cda090ddade6 Author: Zijun Hu Date: Fri Sep 20 02:58:14 2024 -0700 Bluetooth: btusb: Add one more ID 0x0489:0xe0f3 for Qualcomm WCN785x Add one more part with ID (0x0489, 0xe0f3) to usb_device_id table for Qualcomm WCN785x, and its device info from /sys/kernel/debug/usb/devices is shown below: T: Bus=01 Lev=01 Prnt=01 Port=13 Cnt=03 Dev#= 4 Spd=12 MxCh= 0 D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=0489 ProdID=e0f3 Rev= 0.01 C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms I: If#= 1 Alt= 6 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 63 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 63 Ivl=1ms I: If#= 1 Alt= 7 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 65 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 65 Ivl=1ms Signed-off-by: Zijun Hu Signed-off-by: Luiz Augusto von Dentz commit add1b1656f909c41aa0186fe75e7a42e2c0d2188 Author: Aaron Ma Date: Mon Sep 23 16:55:19 2024 +0800 Bluetooth: btusb: add Foxconn 0xe0fc for Qualcomm WCN785x Firmwares are already in upstream. kernel boot log as following: Bluetooth: hci0: using rampatch file: qca/rampatch_usb_00190200.bin Bluetooth: hci0: QCA: patch rome 0x190200 build 0x5656, firmware rome 0x190200 build 0x43fb Bluetooth: hci0: using NVM file: qca/nvm_usb_00190200.bin Paired BT headphone, output is good. T: Bus=01 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#= 4 Spd=12 MxCh= 0 D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=0489 ProdID=e0fc Rev= 0.01 C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms I: If#= 1 Alt= 6 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 63 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 63 Ivl=1ms I: If#= 1 Alt= 7 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 65 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 65 Ivl=1ms Signed-off-by: Aaron Ma Signed-off-by: Luiz Augusto von Dentz commit defc33b5541e0a7e45cc2d99d72fbe80a597afc5 Author: Chris Lu Date: Mon Sep 23 16:47:05 2024 +0800 Bluetooth: btusb: mediatek: change the conditions for ISO interface Change conditions for Bluetooth driver claiming and releasing usb ISO interface for MediaTek ISO data transmission. Signed-off-by: Chris Lu Signed-off-by: Luiz Augusto von Dentz commit 489304e67087abddc2666c5af0159cb95afdcf59 Author: Chris Lu Date: Mon Sep 23 16:47:04 2024 +0800 Bluetooth: btusb: mediatek: add intf release flow when usb disconnect MediaTek claim an special usb intr interface for ISO data transmission. The interface need to be released before unregistering hci device when usb disconnect. Removing BT usb dongle without properly releasing the interface may cause Kernel panic while unregister hci device. Signed-off-by: Chris Lu Signed-off-by: Luiz Augusto von Dentz commit cea1805f165cdd783dd21f26df957118cb8641b4 Author: Chris Lu Date: Mon Sep 23 16:47:03 2024 +0800 Bluetooth: btusb: mediatek: add callback function in btusb_disconnect Add disconnect callback function in btusb_disconnect which is reserved for vendor specific usage before deregister hci in btusb_disconnect. Signed-off-by: Chris Lu Signed-off-by: Luiz Augusto von Dentz commit 5fbe6f51ca987dfbeab3d06144afc2d2cd835c66 Author: Andreas Kemnade Date: Tue Nov 12 17:26:18 2024 +0100 dt-bindings: clock: ti: Convert mux.txt to json-schema Convert the OMAP mux clock device tree binding to json-schema. Specify the creator of the original binding as a maintainer. Choose GPL-only license because original binding was also GPL. Signed-off-by: Andreas Kemnade Reviewed-by: Conor Dooley Link: https://lore.kernel.org/r/20241112162618.400194-1-andreas@kemnade.info Signed-off-by: Stephen Boyd commit ad0c6f603bb0b07846fda484c59a176a8cd02838 Author: Chris Lu Date: Mon Sep 23 16:47:02 2024 +0800 Bluetooth: btusb: mediatek: move Bluetooth power off command position Move MediaTek Bluetooth power off command before releasing usb ISO interface. Signed-off-by: Chris Lu Signed-off-by: Luiz Augusto von Dentz commit 080e47b2a2377f9cfad7bc7fa074e9819eafa394 Author: Masami Hiramatsu (Google) Date: Thu Nov 7 23:52:49 2024 +0900 perf probe: Introduce quotation marks support In non-C languages, it is possible to have ':' in the function names. It is possible to escape it with backslashes, but if there are too many backslashes, it is annoying. This introduce quotation marks (`"` or `'`) support. For example, without quotes, we have to pass it as below $ perf probe -x cro3 -L "cro3\:\:cmd\:\:servo\:\:run_show" 0 fn run_show(args: &ArgsShow) -> Result<()> { 1 let list = ServoList::discover()?; 2 let s = list.find_by_serial(&args.servo)?; 3 if args.json { 4 println!("{s}"); With quotes, we can more naturally write the function name as below; $ perf probe -x cro3 -L \"cro3::cmd::servo::run_show\" 0 fn run_show(args: &ArgsShow) -> Result<()> { 1 let list = ServoList::discover()?; 2 let s = list.find_by_serial(&args.servo)?; 3 if args.json { 4 println!("{s}"); Signed-off-by: Masami Hiramatsu Cc: Alexander Lobakin Cc: Dima Kogan Cc: Ian Rogers Cc: Ingo Molnar Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Przemek Kitszel Link: https://lore.kernel.org/r/173099116941.2431889.11609129616090100386.stgit@mhiramat.roam.corp.google.com Signed-off-by: Arnaldo Carvalho de Melo commit 313026f3ced102a9ef044fbde4a806554ccfe959 Author: Masami Hiramatsu (Google) Date: Thu Nov 7 23:52:40 2024 +0900 perf string: Add strpbrk_esq() and strdup_esq() for escape and quote strpbrk_esq() and strdup_esq() are new variants for strpbrk() and strdup() which handles escaped characters and quoted strings. - strpbrk_esq() searches specified set of characters but ignores the escaped characters and quoted strings. e.g. strpbrk_esq("'quote\d' \queue quiz", "qd") returns "quiz". - strdup_esq() duplicates string but removes backslash and quotes which is used for quotation. It also keeps the string (including backslash) in the quoted part. e.g. strdup_esq("'quote\d' \queue quiz") returns "quote\d queue quiz". The (single, double) quotes in the quoted part should be escaped by backslash. In this case, strdup_esq() removes that backslash. The same quotes must be paired. If you use double quotation, you need to use the double quotation to close the quoted part. Signed-off-by: Masami Hiramatsu Cc: Alexander Lobakin Cc: Dima Kogan Cc: Ian Rogers Cc: Ingo Molnar Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Przemek Kitszel Link: https://lore.kernel.org/r/173099116045.2431889.15772916605719019533.stgit@mhiramat.roam.corp.google.com Signed-off-by: Arnaldo Carvalho de Melo commit b9e577225c16fae9f5e4d3d642153c64b538c44e Author: Masami Hiramatsu (Google) Date: Thu Nov 7 23:52:31 2024 +0900 perf probe: Accept FUNC@* to specify function name explicitly In Golang, the function name will have the '.', and 'perf probe' misinterprets it as a file name. To mitigate this situation, introduce `function@*` so that user can explicitly specify that it is a function name. Signed-off-by: Masami Hiramatsu Cc: Alexander Lobakin Cc: Dima Kogan Cc: Ian Rogers Cc: Ingo Molnar Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Przemek Kitszel Link: https://lore.kernel.org/r/173099115149.2431889.13682110856853358354.stgit@mhiramat.roam.corp.google.com Signed-off-by: Arnaldo Carvalho de Melo commit 47fa0f99a9aa962bac8e6da09cb104e8da94e4df Author: Masami Hiramatsu (Google) Date: Thu Nov 7 23:52:22 2024 +0900 perf probe: Fix to ignore escaped characters in --lines option Use strbprk_esc() and strdup_esc() to ignore escaped characters in --lines option. This has been done for other options, but only --lines option doesn't. Signed-off-by: Masami Hiramatsu Cc: Alexander Lobakin Cc: Dima Kogan Cc: Ian Rogers Cc: Ingo Molnar Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Przemek Kitszel Link: https://lore.kernel.org/r/173099114272.2431889.4820591557298941207.stgit@mhiramat.roam.corp.google.com Signed-off-by: Arnaldo Carvalho de Melo commit e7c70ee7c9aa7420d22b47d8951f4b5fef4554ea Author: Masami Hiramatsu (Google) Date: Thu Nov 7 23:52:13 2024 +0900 perf probe: Fix error message for failing to find line range With --lines option, if perf-probe fails to find the specified line, it warns as "Debuginfo analysis failed." but this misleads user as the debuginfo is broken. Fix this message to "Specified source line(LINESPEC) is not found." so that user can understand the error correctly. Signed-off-by: Masami Hiramatsu Cc: Alexander Lobakin Cc: Dima Kogan Cc: Ian Rogers Cc: Ingo Molnar Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Przemek Kitszel Link: https://lore.kernel.org/r/173099113381.2431889.16263147678401426107.stgit@mhiramat.roam.corp.google.com Signed-off-by: Arnaldo Carvalho de Melo commit fe051552f5078fa02d593847529a3884305a6ffe Author: Kinsey Moore Date: Tue Jul 23 15:58:05 2024 -0500 jffs2: Prevent rtime decompress memory corruption The rtime decompression routine does not fully check bounds during the entirety of the decompression pass and can corrupt memory outside the decompression buffer if the compressed data is corrupted. This adds the required check to prevent this failure mode. Cc: stable@vger.kernel.org Signed-off-by: Kinsey Moore Signed-off-by: Richard Weinberger commit fe4f9b4124967ffb75d66994520831231b779550 Author: Howard Chu Date: Tue Oct 29 22:24:31 2024 -0700 perf trace: Fix tracing itself, creating feedback loops There exists a pids_filtered map in augmented_raw_syscalls.bpf.c that ceases to provide functionality after the BPF skeleton migration done in: 5e6da6be3082f77b ("perf trace: Migrate BPF augmentation to use a skeleton") Before the migration, pid_filtered map works, courtesy of Arnaldo Carvalho de Melo : ⬢ [acme@toolbox perf-tools]$ git log --oneline -5 6f769c3458b6cf2d (HEAD) perf tests trace+probe_vfs_getname.sh: Accept quotes surrounding the filename 7777ac3dfe29f55d perf test trace+probe_vfs_getname.sh: Remove stray \ before / 33d9c5062113a4bd perf script python: Add stub for PMU symbol to the python binding e59fea47f83e8a9a perf symbols: Fix DSO kernel load and symbol process to correctly map DSO to its long_name, type and adjust_symbols 878460e8d0ff84a0 perf build: Remove -Wno-unused-but-set-variable from the flex flags when building with clang < 13.0.0 root@x1:/home/acme/git/perf-tools# perf trace -e /tmp/augmented_raw_syscalls.o -e write* --max-events=30 & [1] 180632 root@x1:/home/acme/git/perf-tools# 0.000 ( 0.051 ms): NetworkManager/1127 write(fd: 3, buf: 0x7ffeb508ef70, count: 8) = 8 0.115 ( 0.010 ms): NetworkManager/1127 write(fd: 3, buf: 0x7ffeb508ef70, count: 8) = 8 0.916 ( 0.068 ms): sudo/156867 write(fd: 8, buf: 0x55cb4cd2f650, count: 246) = 246 1.699 ( 0.047 ms): sudo/156867 write(fd: 8, buf: 0x55cb4cd2f650, count: 121) = 121 2.167 ( 0.041 ms): sudo/156867 write(fd: 8, buf: 0x55cb4cd2f650, count: 121) = 121 2.739 ( 0.042 ms): sudo/156867 write(fd: 8, buf: 0x55cb4cd2f650, count: 121) = 121 3.138 ( 0.027 ms): sudo/156867 write(fd: 8, buf: 0x55cb4cd2f650, count: 121) = 121 3.477 ( 0.027 ms): sudo/156867 write(fd: 8, buf: 0x55cb4cd2f650, count: 121) = 121 3.738 ( 0.023 ms): sudo/156867 write(fd: 8, buf: 0x55cb4cd2f650, count: 121) = 121 3.946 ( 0.024 ms): sudo/156867 write(fd: 8, buf: 0x55cb4cd2f650, count: 121) = 121 4.195 ( 0.024 ms): sudo/156867 write(fd: 8, buf: 0x55cb4cd2f650, count: 121) = 121 4.212 ( 0.026 ms): NetworkManager/1127 write(fd: 3, buf: 0x7ffeb508ef70, count: 8) = 8 4.285 ( 0.006 ms): NetworkManager/1127 write(fd: 3, buf: 0x7ffeb508ef70, count: 8) = 8 4.445 ( 0.018 ms): sudo/156867 write(fd: 8, buf: 0x55cb4cd2f650, count: 260) = 260 4.508 ( 0.009 ms): sudo/156867 write(fd: 8, buf: 0x55cb4cd2f650, count: 124) = 124 4.592 ( 0.010 ms): sudo/156867 write(fd: 8, buf: 0x55cb4cd2f650, count: 116) = 116 4.666 ( 0.009 ms): sudo/156867 write(fd: 8, buf: 0x55cb4cd2f650, count: 130) = 130 4.715 ( 0.010 ms): sudo/156867 write(fd: 8, buf: 0x55cb4cd2f650, count: 95) = 95 4.765 ( 0.007 ms): sudo/156867 write(fd: 8, buf: 0x55cb4cd2f650, count: 102) = 102 4.815 ( 0.009 ms): sudo/156867 write(fd: 8, buf: 0x55cb4cd2f650, count: 79) = 79 4.890 ( 0.008 ms): sudo/156867 write(fd: 8, buf: 0x55cb4cd2f650, count: 57) = 57 4.937 ( 0.007 ms): sudo/156867 write(fd: 8, buf: 0x55cb4cd2f650, count: 89) = 89 5.009 ( 0.010 ms): sudo/156867 write(fd: 8, buf: 0x55cb4cd2f650, count: 112) = 112 5.059 ( 0.010 ms): sudo/156867 write(fd: 8, buf: 0x55cb4cd2f650, count: 112) = 112 5.116 ( 0.007 ms): sudo/156867 write(fd: 8, buf: 0x55cb4cd2f650, count: 79) = 79 5.152 ( 0.009 ms): sudo/156867 write(fd: 8, buf: 0x55cb4cd2f650, count: 33) = 33 5.215 ( 0.008 ms): sudo/156867 write(fd: 8, buf: 0x55cb4cd2f650, count: 37) = 37 5.293 ( 0.010 ms): sudo/156867 write(fd: 8, buf: 0x55cb4cd2f650, count: 128) = 128 5.339 ( 0.009 ms): sudo/156867 write(fd: 8, buf: 0x55cb4cd2f650, count: 89) = 89 5.384 ( 0.008 ms): sudo/156867 write(fd: 8, buf: 0x55cb4cd2f650, count: 100) = 100 [1]+ Done perf trace -e /tmp/augmented_raw_syscalls.o -e write* --max-events=30 root@x1:/home/acme/git/perf-tools# No events for the 'perf trace' (pid 180632), i.e. no feedback loop. If we leave it running: root@x1:/home/acme/git/perf-tools# perf trace -e /tmp/augmented_raw_syscalls.o -e landlock_add_rule & [1] 181068 root@x1:/home/acme/git/perf-tools# And then look at what maps it sets up: root@x1:/home/acme/git/perf-tools# bpftool map | grep pids_filtered -A3 1190: hash name pids_filtered flags 0x0 key 4B value 1B max_entries 64 memlock 7264B btf_id 1613 pids perf(181068) root@x1:/home/acme/git/perf-tools# And ask for dumping its contents: We see that we are _also_ setting it to filter those: root@x1:/home/acme/git/perf-tools# bpftool map dump id 1190 [{ "key": 181068, "value": 1 },{ "key": 156801, "value": 1 } ] Now testing the migration commit: perf $ git log commit 5e6da6be3082f77be06894a1a94d52a90b4007dc (HEAD) Author: Ian Rogers Date: Thu Aug 10 11:48:51 2023 -0700 perf trace: Migrate BPF augmentation to use a skeleton perf $ ./perf trace -e write --max-events=10 & echo #! [1] 1808653 perf $ 0.000 ( 0.010 ms): :1808671/1808671 write(fd: 1, buf: 0x6003f5b26fc0, count: 11) = 11 0.162 ( ): perf/1808653 write(fd: 2, buf: 0x7fffc2174e50, count: 11) ... 0.174 ( ): perf/1808653 write(fd: 2, buf: 0x74ce21804563, count: 1) ... 0.184 ( ): perf/1808653 write(fd: 2, buf: 0x57b936589052, count: 5) The feedback loop is there. Keep it running, look into the bpf map: perf $ bpftool map | grep pids_filtered 10675: hash name pids_filtered flags 0x0 perf $ bpftool map dump id 10675 [] The map is empty. Now, this commit: 64917f4df048a064 ("perf trace: Use heuristic when deciding if a syscall tracepoint "const char *" field is really a string") Temporarily fixed the feedback loop for perf trace -e write, that's because before using the heuristic, write is hooked to sys_enter_openat: perf $ git log commit 83a0943b1870944612a8aa0049f910826ebfd4f7 (HEAD) Author: Arnaldo Carvalho de Melo Date: Thu Aug 17 12:11:51 2023 -0300 perf trace: Use the augmented_raw_syscall BPF skel only for tracing syscalls perf $ ./perf trace -e write --max-events=10 -v 2>&1 | grep Reusing Reusing "openat" BPF sys_enter augmenter for "write" And after the heuristic fix, it's unaugmented: perf $ git log commit 64917f4df048a0649ea7901c2321f020e71e6f24 (HEAD) Author: Arnaldo Carvalho de Melo Date: Thu Aug 17 15:14:21 2023 -0300 perf trace: Use heuristic when deciding if a syscall tracepoint "const char *" field is really a string perf $ ./perf trace -e write --max-events=10 -v 2>&1 | grep Reusing perf $ After using the heuristic, write is hooked to syscall_unaugmented, which returns 1. SEC("tp/raw_syscalls/sys_enter") int syscall_unaugmented(struct syscall_enter_args *args) { return 1; } If the BPF program returns 1, the tracepoint filter will filter it (since the tracepoint filter for perf is correctly set), but before the heuristic, when it was hooked to a sys_enter_openat(), which is a BPF program that calls bpf_perf_event_output() and writes to the buffer, it didn't get filtered, thus creating feedback loop. So switching write to unaugmented accidentally fixed the problem. But some syscalls are not so lucky, for example newfstatat: perf $ ./perf trace -e newfstatat --max-events=100 & echo #! [1] 2166948 457.718 ( ): perf/2166948 newfstatat(dfd: CWD, filename: "/proc/self/ns/mnt", statbuf: 0x7fff0132a9f0) ... 457.749 ( ): perf/2166948 newfstatat(dfd: CWD, filename: "/proc/2166950/ns/mnt", statbuf: 0x7fff0132aa80) ... 457.962 ( ): perf/2166948 newfstatat(dfd: CWD, filename: "/proc/self/ns/mnt", statbuf: 0x7fff0132a9f0) ... Currently, write is augmented by the new BTF general augmenter (which calls bpf_perf_event_output()). The problem, which luckily got fixed, resurfaced, and that’s how it was discovered. Fixes: 5e6da6be3082f77b ("perf trace: Migrate BPF augmentation to use a skeleton") Signed-off-by: Howard Chu Tested-by: Arnaldo Carvalho de Melo Cc: Adrian Hunter Cc: Alexander Shishkin Cc: Ian Rogers Cc: Ingo Molnar Cc: James Clark Cc: Jiri Olsa Cc: Kan Liang Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Link: https://lore.kernel.org/r/20241030052431.2220130-1-howardchu95@gmail.com [ Check if trace->skel is non-NULL, as it is only initialized if trace->trace_syscalls is set ] Signed-off-by: Arnaldo Carvalho de Melo commit a79993b5fce69e97f900bb975f6127e25cebf130 Merge: 3d12862b216d39 cfaaa7d010d1fc Author: Jakub Kicinski Date: Thu Nov 14 11:27:36 2024 -0800 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Cross-merge networking fixes after downstream PR (net-6.12-rc8). Conflicts: tools/testing/selftests/net/.gitignore 252e01e68241 ("selftests: net: add netlink-dumps to .gitignore") be43a6b23829 ("selftests: ncdevmem: Move ncdevmem under drivers/net/hw") https://lore.kernel.org/all/20241113122359.1b95180a@canb.auug.org.au/ drivers/net/phy/phylink.c 671154f174e0 ("net: phylink: ensure PHY momentary link-fails are handled") 7530ea26c810 ("net: phylink: remove "using_mac_select_pcs"") Adjacent changes: drivers/net/ethernet/stmicro/stmmac/dwmac-intel-plat.c 5b366eae7193 ("stmmac: dwmac-intel-plat: fix call balance of tx_clk handling routines") e96321fad3ad ("net: ethernet: Switch back to struct platform_driver::remove()") Signed-off-by: Jakub Kicinski commit 7c8e694bdb7ba75d13854b59f3af6d66f0ea6df2 Author: Colin Ian King Date: Tue Oct 29 22:20:15 2024 +0000 jffs2: remove redundant check on outpos > pos The check for outpos > pos is always false because outpos is zero and pos is at least zero; outpos can never be greater than pos. The check is redundant and can be removed. Signed-off-by: Colin Ian King Signed-off-by: Richard Weinberger commit ef027aca2961b5b60ec9e91e3758af751396ad3d Author: Suraj Sonawane Date: Tue Oct 8 23:54:11 2024 +0530 fs: jffs2: Fix inconsistent indentation in jffs2_mark_node_obsolete Fix the indentation to ensure consistent code style and improve readability, and to fix this warnings: fs/jffs2/nodemgmt.c:635 jffs2_mark_node_obsolete() warn: inconsistent indenting fs/jffs2/nodemgmt.c:646 jffs2_mark_node_obsolete() warn: inconsistent indenting Signed-off-by: Suraj Sonawane Reviewed-by: Zhihao Cheng Signed-off-by: Richard Weinberger commit 1eb4a820791ea1b7d65d86516218cded4e01b79c Author: Shen Lichuan Date: Mon Sep 23 16:33:22 2024 +0800 jffs2: Correct some typos in comments Fixed some confusing spelling errors, the details are as follows: -in the code comments: wating -> waiting succefully -> successfully Signed-off-by: Shen Lichuan Reviewed-by: Zhihao Cheng Signed-off-by: Richard Weinberger commit 3ba44ee966bc3c41dd8a944f963466c8fcc60dc8 Author: Qingfang Deng Date: Mon Jul 1 12:52:05 2024 +0800 jffs2: fix use of uninitialized variable When building the kernel with -Wmaybe-uninitialized, the compiler reports this warning: In function 'jffs2_mark_erased_block', inlined from 'jffs2_erase_pending_blocks' at fs/jffs2/erase.c:116:4: fs/jffs2/erase.c:474:9: warning: 'bad_offset' may be used uninitialized [-Wmaybe-uninitialized] 474 | jffs2_erase_failed(c, jeb, bad_offset); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ fs/jffs2/erase.c: In function 'jffs2_erase_pending_blocks': fs/jffs2/erase.c:402:18: note: 'bad_offset' was declared here 402 | uint32_t bad_offset; | ^~~~~~~~~~ When mtd->point() is used, jffs2_erase_pending_blocks can return -EIO without initializing bad_offset, which is later used at the filebad label in jffs2_mark_erased_block. Fix it by initializing this variable. Fixes: 8a0f572397ca ("[JFFS2] Return values of jffs2_block_check_erase error paths") Signed-off-by: Qingfang Deng Reviewed-by: Zhihao Cheng Signed-off-by: Richard Weinberger commit 3c90e90029f11cc1cb6b01542ee5f6892963bce1 Author: Thorsten Blum Date: Tue Nov 12 19:31:11 2024 +0100 jffs2: Use str_yes_no() helper function Remove hard-coded strings by using the str_yes_no() helper function. Reviewed-by: Zhihao Cheng Signed-off-by: Thorsten Blum Signed-off-by: Richard Weinberger commit 67efb77cb0692ec40c416eae2dfbc70116e8ea4e Author: Colin Ian King Date: Thu Nov 7 15:23:57 2024 +0000 mtd: ubi: remove redundant check on bytes_left at end of function In function ubi_nvmem_reg_read the while-loop can only be exiting of bytes_left is zero or an error has occurred. There is an exit return path if an error occurs, so the bytes_left can only be zero after that point. Hence the check for a non-zero bytes_left at the end of the function is redundant and can be removed. Remove the check and just return 0. Signed-off-by: Colin Ian King Reviewed-by: Zhihao Cheng Signed-off-by: Richard Weinberger commit 07593293ffabba14125c8998525adde5a832bfa3 Author: Javier Carrasco Date: Sat Oct 19 22:27:03 2024 +0200 mtd: ubi: fix unreleased fwnode_handle in find_volume_fwnode() The 'fw_vols' fwnode_handle initialized via device_get_named_child_node() requires explicit calls to fwnode_handle_put() when the variable is no longer required. Add the missing calls to fwnode_handle_put() before the function returns. Cc: stable@vger.kernel.org Fixes: 51932f9fc487 ("mtd: ubi: populate ubi volume fwnode") Signed-off-by: Javier Carrasco Reviewed-by: Zhihao Cheng Signed-off-by: Richard Weinberger commit 4617fb8fc15effe8eda4dd898d4e33eb537a7140 Author: Waqar Hameed Date: Wed Oct 9 16:46:59 2024 +0200 ubifs: authentication: Fix use-after-free in ubifs_tnc_end_commit After an insertion in TNC, the tree might split and cause a node to change its `znode->parent`. A further deletion of other nodes in the tree (which also could free the nodes), the aforementioned node's `znode->cparent` could still point to a freed node. This `znode->cparent` may not be updated when getting nodes to commit in `ubifs_tnc_start_commit()`. This could then trigger a use-after-free when accessing the `znode->cparent` in `write_index()` in `ubifs_tnc_end_commit()`. This can be triggered by running rm -f /etc/test-file.bin dd if=/dev/urandom of=/etc/test-file.bin bs=1M count=60 conv=fsync in a loop, and with `CONFIG_UBIFS_FS_AUTHENTICATION`. KASAN then reports: BUG: KASAN: use-after-free in ubifs_tnc_end_commit+0xa5c/0x1950 Write of size 32 at addr ffffff800a3af86c by task ubifs_bgt0_20/153 Call trace: dump_backtrace+0x0/0x340 show_stack+0x18/0x24 dump_stack_lvl+0x9c/0xbc print_address_description.constprop.0+0x74/0x2b0 kasan_report+0x1d8/0x1f0 kasan_check_range+0xf8/0x1a0 memcpy+0x84/0xf4 ubifs_tnc_end_commit+0xa5c/0x1950 do_commit+0x4e0/0x1340 ubifs_bg_thread+0x234/0x2e0 kthread+0x36c/0x410 ret_from_fork+0x10/0x20 Allocated by task 401: kasan_save_stack+0x38/0x70 __kasan_kmalloc+0x8c/0xd0 __kmalloc+0x34c/0x5bc tnc_insert+0x140/0x16a4 ubifs_tnc_add+0x370/0x52c ubifs_jnl_write_data+0x5d8/0x870 do_writepage+0x36c/0x510 ubifs_writepage+0x190/0x4dc __writepage+0x58/0x154 write_cache_pages+0x394/0x830 do_writepages+0x1f0/0x5b0 filemap_fdatawrite_wbc+0x170/0x25c file_write_and_wait_range+0x140/0x190 ubifs_fsync+0xe8/0x290 vfs_fsync_range+0xc0/0x1e4 do_fsync+0x40/0x90 __arm64_sys_fsync+0x34/0x50 invoke_syscall.constprop.0+0xa8/0x260 do_el0_svc+0xc8/0x1f0 el0_svc+0x34/0x70 el0t_64_sync_handler+0x108/0x114 el0t_64_sync+0x1a4/0x1a8 Freed by task 403: kasan_save_stack+0x38/0x70 kasan_set_track+0x28/0x40 kasan_set_free_info+0x28/0x4c __kasan_slab_free+0xd4/0x13c kfree+0xc4/0x3a0 tnc_delete+0x3f4/0xe40 ubifs_tnc_remove_range+0x368/0x73c ubifs_tnc_remove_ino+0x29c/0x2e0 ubifs_jnl_delete_inode+0x150/0x260 ubifs_evict_inode+0x1d4/0x2e4 evict+0x1c8/0x450 iput+0x2a0/0x3c4 do_unlinkat+0x2cc/0x490 __arm64_sys_unlinkat+0x90/0x100 invoke_syscall.constprop.0+0xa8/0x260 do_el0_svc+0xc8/0x1f0 el0_svc+0x34/0x70 el0t_64_sync_handler+0x108/0x114 el0t_64_sync+0x1a4/0x1a8 The offending `memcpy()` in `ubifs_copy_hash()` has a use-after-free when a node becomes root in TNC but still has a `cparent` to an already freed node. More specifically, consider the following TNC: zroot / / zp1 / / zn Inserting a new node `zn_new` with a key smaller then `zn` will trigger a split in `tnc_insert()` if `zp1` is full: zroot / \ / \ zp1 zp2 / \ / \ zn_new zn `zn->parent` has now been moved to `zp2`, *but* `zn->cparent` still points to `zp1`. Now, consider a removal of all the nodes _except_ `zn`. Just when `tnc_delete()` is about to delete `zroot` and `zp2`: zroot \ \ zp2 \ \ zn `zroot` and `zp2` get freed and the tree collapses: zn `zn` now becomes the new `zroot`. `get_znodes_to_commit()` will now only find `zn`, the new `zroot`, and `write_index()` will check its `znode->cparent` that wrongly points to the already freed `zp1`. `ubifs_copy_hash()` thus gets wrongly called with `znode->cparent->zbranch[znode->iip].hash` that triggers the use-after-free! Fix this by explicitly setting `znode->cparent` to `NULL` in `get_znodes_to_commit()` for the root node. The search for the dirty nodes is bottom-up in the tree. Thus, when `find_next_dirty(znode)` returns NULL, the current `znode` _is_ the root node. Add an assert for this. Fixes: 16a26b20d2af ("ubifs: authentication: Add hashes to index nodes") Tested-by: Waqar Hameed Co-developed-by: Zhihao Cheng Signed-off-by: Zhihao Cheng Signed-off-by: Waqar Hameed Reviewed-by: Zhihao Cheng Signed-off-by: Richard Weinberger commit bcddf52b7a17adcebc768d26f4e27cf79adb424c Author: Zhihao Cheng Date: Fri Oct 11 12:50:02 2024 +0800 ubi: fastmap: Fix duplicate slab cache names while attaching Since commit 4c39529663b9 ("slab: Warn on duplicate cache names when DEBUG_VM=y"), the duplicate slab cache names can be detected and a kernel WARNING is thrown out. In UBI fast attaching process, alloc_ai() could be invoked twice with the same slab cache name 'ubi_aeb_slab_cache', which will trigger following warning messages: kmem_cache of name 'ubi_aeb_slab_cache' already exists WARNING: CPU: 0 PID: 7519 at mm/slab_common.c:107 __kmem_cache_create_args+0x100/0x5f0 Modules linked in: ubi(+) nandsim [last unloaded: nandsim] CPU: 0 UID: 0 PID: 7519 Comm: modprobe Tainted: G 6.12.0-rc2 RIP: 0010:__kmem_cache_create_args+0x100/0x5f0 Call Trace: __kmem_cache_create_args+0x100/0x5f0 alloc_ai+0x295/0x3f0 [ubi] ubi_attach+0x3c3/0xcc0 [ubi] ubi_attach_mtd_dev+0x17cf/0x3fa0 [ubi] ubi_init+0x3fb/0x800 [ubi] do_init_module+0x265/0x7d0 __x64_sys_finit_module+0x7a/0xc0 The problem could be easily reproduced by loading UBI device by fastmap with CONFIG_DEBUG_VM=y. Fix it by using different slab names for alloc_ai() callers. Fixes: d2158f69a7d4 ("UBI: Remove alloc_ai() slab name from parameter list") Fixes: fdf10ed710c0 ("ubi: Rework Fastmap attach base code") Signed-off-by: Zhihao Cheng Signed-off-by: Richard Weinberger commit fbfbf86685b3270dc27d1c5d6108532334aaf329 Author: Waiman Long Date: Thu Nov 14 13:19:15 2024 -0500 cgroup/cpuset: Disable cpuset_cpumask_can_shrink() test if not load balancing With some recent proposed changes [1] in the deadline server code, it has caused a test failure in test_cpuset_prs.sh when a change is being made to an isolated partition. This is due to failing the cpuset_cpumask_can_shrink() check for SCHED_DEADLINE tasks at validate_change(). This is actually a false positive as the failed test case involves an isolated partition with load balancing disabled. The deadline check is not meaningful in this case and the users should know what they are doing. Fix this by doing the cpuset_cpumask_can_shrink() check only when loading balanced is enabled. Also change its arguments to use effective_cpus for the current cpuset and user_xcpus() as an approiximation for the target effective_cpus as the real effective_cpus hasn't been fully computed yet as this early stage. As the check isn't comprehensive, there may be false positives or negatives. We may have to revise the code to do a more thorough check in the future if this becomes a concern. [1] https://lore.kernel.org/lkml/82be06c1-6d6d-4651-86c9-bcc828cbcb80@redhat.com/T/#t Signed-off-by: Waiman Long Signed-off-by: Tejun Heo commit cb04444c243c001fc27f275e84792ff1c2b96867 Author: Yishai Hadas Date: Thu Nov 14 11:53:18 2024 +0200 vfio/mlx5: Fix unwind flows in mlx5vf_pci_save/resume_device_data() Fix unwind flows in mlx5vf_pci_save_device_data() and mlx5vf_pci_resume_device_data() to avoid freeing the migf pointer at the 'end' label, as this will be handled by fput(migf->filp) through mlx5vf_release_file(). To ensure mlx5vf_release_file() functions correctly, move the initialization of migf fields (such as migf->lock) to occur before any potential unwind flow, as these fields may be accessed within mlx5vf_release_file(). Fixes: 9945a67ea4b3 ("vfio/mlx5: Refactor PD usage") Signed-off-by: Yishai Hadas Reviewed-by: Jason Gunthorpe Link: https://lore.kernel.org/r/20241114095318.16556-3-yishaih@nvidia.com Signed-off-by: Alex Williamson commit 22e87bf3f77c18f5982c19ffe2732ef0c7a25f16 Author: Yishai Hadas Date: Thu Nov 14 11:53:17 2024 +0200 vfio/mlx5: Fix an unwind issue in mlx5vf_add_migration_pages() Fix an unwind issue in mlx5vf_add_migration_pages(). If a set of pages is allocated but fails to be added to the SG table, they need to be freed to prevent a memory leak. Any pages successfully added to the SG table will be freed as part of mlx5vf_free_data_buffer(). Fixes: 6fadb021266d ("vfio/mlx5: Implement vfio_pci driver for mlx5 devices") Signed-off-by: Yishai Hadas Reviewed-by: Jason Gunthorpe Link: https://lore.kernel.org/r/20241114095318.16556-2-yishaih@nvidia.com Signed-off-by: Alex Williamson commit 8214951280a25e1260ee6dbf472b261b63b29af2 Author: Pascal Eberhard Date: Fri Sep 27 16:57:56 2024 +0200 ubifs: xattr: remove unused anonymous enum commit 2b88fc21cae9 ("ubifs: Switch to generic xattr handlers") removes usage of this anonymous enum. Delete the enum as well. Signed-off-by: Pascal Eberhard Reviewed-by: Zhihao Cheng Signed-off-by: Richard Weinberger commit d96c77bd4eeba469bddbbb14323d2191684da82a Author: Paolo Bonzini Date: Fri Nov 8 04:56:31 2024 -0500 KVM: x86: switch hugepage recovery thread to vhost_task kvm_vm_create_worker_thread() is meant to be used for kthreads that can consume significant amounts of CPU time on behalf of a VM or in response to how the VM behaves (for example how it accesses its memory). Therefore it wants to charge the CPU time consumed by that work to the VM's container. However, because of these threads, cgroups which have kvm instances inside never complete freezing. This can be trivially reproduced: root@test ~# mkdir /sys/fs/cgroup/test root@test ~# echo $$ > /sys/fs/cgroup/test/cgroup.procs root@test ~# qemu-system-x86_64 -nographic -enable-kvm and in another terminal: root@test ~# echo 1 > /sys/fs/cgroup/test/cgroup.freeze root@test ~# cat /sys/fs/cgroup/test/cgroup.events populated 1 frozen 0 The cgroup freezing happens in the signal delivery path but kvm_nx_huge_page_recovery_worker, while joining non-root cgroups, never calls into the signal delivery path and thus never gets frozen. Because the cgroup freezer determines whether a given cgroup is frozen by comparing the number of frozen threads to the total number of threads in the cgroup, the cgroup never becomes frozen and users waiting for the state transition may hang indefinitely. Since the worker kthread is tied to a user process, it's better if it behaves similarly to user tasks as much as possible, including being able to send SIGSTOP and SIGCONT. In fact, vhost_task is all that kvm_vm_create_worker_thread() wanted to be and more: not only it inherits the userspace process's cgroups, it has other niceties like being parented properly in the process tree. Use it instead of the homegrown alternative. Incidentally, the new code is also better behaved when you flip recovery back and forth to disabled and back to enabled. If your recovery period is 1 minute, it will run the next recovery after 1 minute independent of how many times you flipped the parameter. (Commit message based on emails from Tejun). Reported-by: Tejun Heo Reported-by: Luca Boccassi Acked-by: Tejun Heo Tested-by: Luca Boccassi Cc: stable@vger.kernel.org Reviewed-by: Sean Christopherson Signed-off-by: Paolo Bonzini commit 79d3e562cb47864a10851328cbdfa0ee2177d9f6 Author: Markus Elfring Date: Thu Sep 26 11:28:48 2024 +0200 ubifs: Reduce kfree() calls in ubifs_purge_xattrs() Move a pair of kfree() calls behind the label “out_err” so that two statements can be better reused at the end of this function implementation. Signed-off-by: Markus Elfring Reviewed-by: Zhihao Cheng Signed-off-by: Richard Weinberger commit c6fa76da34ae4f2eb95ce3fb6c939285082515de Author: Markus Elfring Date: Thu Sep 26 11:05:29 2024 +0200 ubifs: Call iput(xino) only once in ubifs_purge_xattrs() An iput(xino) call was immediately used after a return value check for a remove_xattr() call in this function implementation. Thus call such a function only once instead directly before the check. This issue was transformed by using the Coccinelle software. Signed-off-by: Markus Elfring Reviewed-by: Zhihao Cheng Signed-off-by: Richard Weinberger commit 5580cdae05aefa96deebd7f5ade9d70c92adabd7 Author: Mårten Lindahl Date: Sat Sep 7 21:28:26 2024 +0200 ubi: wl: Close down wear-leveling before nand is suspended If a reboot/shutdown signal with double force (-ff) is triggered when the erase worker or wear-leveling worker function runs we may end up in a race condition since the MTD device gets a reboot notification and suspends the nand flash before the erase or wear-leveling is done. This will reject all accesses to the flash with -EBUSY. Sequence for the erase worker function: systemctl reboot -ff ubi_thread do_work __do_sys_reboot blocking_notifier_call_chain mtd_reboot_notifier nand_shutdown nand_suspend __erase_worker ubi_sync_erase mtd_erase nand_erase_nand # Blocked by suspended chip nand_get_device => EBUSY Similar sequence for the wear-leveling function: systemctl reboot -ff ubi_thread do_work __do_sys_reboot blocking_notifier_call_chain mtd_reboot_notifier nand_shutdown nand_suspend wear_leveling_worker ubi_eba_copy_leb ubi_io_write mtd_write nand_write_oob # Blocked by suspended chip nand_get_device => EBUSY systemd-shutdown[1]: Rebooting. ubi0 error: ubi_io_write: error -16 while writing 2048 bytes to PEB CPU: 1 PID: 82 Comm: ubi_bgt0d Kdump: loaded Tainted: G O (unwind_backtrace) from [<80107b9f>] (show_stack+0xb/0xc) (show_stack) from [<8033641f>] (dump_stack_lvl+0x2b/0x34) (dump_stack_lvl) from [<803b7f3f>] (ubi_io_write+0x3ab/0x4a8) (ubi_io_write) from [<803b817d>] (ubi_io_write_vid_hdr+0x71/0xb4) (ubi_io_write_vid_hdr) from [<803b6971>] (ubi_eba_copy_leb+0x195/0x2f0) (ubi_eba_copy_leb) from [<803b939b>] (wear_leveling_worker+0x2ff/0x738) (wear_leveling_worker) from [<803b86ef>] (do_work+0x5b/0xb0) (do_work) from [<803b9ee1>] (ubi_thread+0xb1/0x11c) (ubi_thread) from [<8012c113>] (kthread+0x11b/0x134) (kthread) from [<80100139>] (ret_from_fork+0x11/0x38) Exception stack(0x80c43fb0 to 0x80c43ff8) ... ubi0 error: ubi_dump_flash: err -16 while reading 2048 bytes from PEB ubi0 error: wear_leveling_worker: error -16 while moving PEB 246 to PEB ubi0 warning: ubi_ro_mode.part.0: switch to read-only mode ... ubi0 error: do_work: work failed with error code -16 ubi0 error: ubi_thread: ubi_bgt0d: work failed with error code -16 ... Kernel panic - not syncing: Software Watchdog Timer expired Add a reboot notification for the ubi/wear-leveling to shutdown any potential flash work actions before the nand is suspended. Signed-off-by: Mårten Lindahl Signed-off-by: Richard Weinberger commit c0dec4b848ce5110e95095d0d0ae46724beb70ec Author: Steve Sistare Date: Wed Nov 13 11:51:37 2024 -0800 iommufd: IOMMU_IOAS_CHANGE_PROCESS selftest Add selftest cases for IOMMU_IOAS_CHANGE_PROCESS. Link: https://patch.msgid.link/r/1731527497-16091-5-git-send-email-steven.sistare@oracle.com Signed-off-by: Steve Sistare Reviewed-by: Jason Gunthorpe Signed-off-by: Jason Gunthorpe commit cb33ade753a6e2d629b4f87d2375ee9063d21bc7 Author: Zhang Zekun Date: Sat Sep 7 16:00:25 2024 +0800 mtd: ubi: Rmove unused declaration in header file The definition of ubi_destroy_ai() has been removed since commit dac6e2087a41 ("UBI: Add fastmap stuff to attach.c"). Remove the empty declaration in header file. Signed-off-by: Zhang Zekun Reviewed-by: Zhihao Cheng Signed-off-by: Richard Weinberger commit 84a2bee9c49769310efa19601157ef50a1df1267 Author: Zhihao Cheng Date: Thu Sep 5 09:09:09 2024 +0800 ubifs: Correct the total block count by deducting journal reservation Since commit e874dcde1cbf ("ubifs: Reserve one leb for each journal head while doing budget"), available space is calulated by deducting reservation for all journal heads. However, the total block count ( which is only used by statfs) is not updated yet, which will cause the wrong displaying for used space(total - available). Fix it by deducting reservation for all journal heads from total block count. Fixes: e874dcde1cbf ("ubifs: Reserve one leb for each journal head while doing budget") Signed-off-by: Zhihao Cheng Signed-off-by: Richard Weinberger commit 94f5b1571ec8d90224675dd27e921053ff4f2370 Author: Shen Lichuan Date: Wed Aug 28 16:59:08 2024 +0800 ubifs: Convert to use ERR_CAST() As opposed to open-code, using the ERR_CAST macro clearly indicates that this is a pointer to an error value and a type conversion was performed. Signed-off-by: Shen Lichuan Reviewed-by: Zhihao Cheng Signed-off-by: Richard Weinberger commit d6fa15bbcf9604e3c14816410550d2cf22b955e4 Author: Greg Kroah-Hartman Date: Wed Nov 13 15:04:41 2024 +0100 USB: make to_usb_device_driver() use container_of_const() Turns out that we have some const pointers being passed to to_usb_device_driver() but were not catching this. Change the macro to properly propagate the const-ness of the pointer so that we will notice when we try to write to memory that we shouldn't be writing to. This requires fixing up the usb_driver_applicable() function as well, because it can handle a const * to struct usb_driver. Cc: Johan Hovold Cc: Alan Stern Cc: Grant Grundler Cc: Yajun Deng Cc: Oliver Neukum Cc: Douglas Anderson Cc: linux-usb@vger.kernel.org Link: https://lore.kernel.org/r/2024111342-lagoon-reapprove-5e49@gregkh Signed-off-by: Greg Kroah-Hartman commit 2f3aab7aecb827ba93c6222646eb0faa8228d590 Author: Greg Kroah-Hartman Date: Wed Nov 13 15:04:40 2024 +0100 USB: make to_usb_driver() use container_of_const() Turns out that we have some const pointers being passed to to_usb_driver() but were not catching this. Change the macro to properly propagate the const-ness of the pointer so that we will notice when we try to write to memory that we shouldn't be writing to. This requires fixing up the usb_match_dynamic_id() function as well, because it can handle a const * to struct usb_driver. Cc: Johan Hovold Cc: Alan Stern Cc: Grant Grundler Cc: Yajun Deng Cc: Oliver Neukum Cc: Douglas Anderson Cc: linux-usb@vger.kernel.org Link: https://lore.kernel.org/r/2024111339-shaky-goldsmith-b233@gregkh Signed-off-by: Greg Kroah-Hartman commit 39ba2b9ac6fd61c67c83b8fd2a3ec6b0bea89490 Author: Hongbo Li Date: Mon Aug 26 17:17:00 2024 +0800 ubifs: add support for FS_IOC_GETFSSYSFSPATH In commit ae8c51175730 ("fs: add FS_IOC_GETFSSYSFSPATH"), a new fs ioctl was introduced to standardize exporting data from sysfs across filesystems. The returned path will always be of the form "$FSTYP/$SYSFS_IDENTIFIER", where the sysfs identifier may be a UUID or a device name. The ubifs is a file system based on char device, and the common method to fill s_sysfs_name (super_set_sysfs_name_bdev) is unavialable. So in order to support FS_IOC_GETFSSYSFSPATH ioctl, we fill the s_sysfs_name with ubi_volume_info member which keeps the format defined in macro UBIFS_DFS_DIR_NAME by using super_set_sysfs_name_generic. That's for ubifs, it will output "ubifs/". ``` $ ./ioctl_getfssysfs_path /mnt/ubifs/testfile path: ubifs/ubi0_0 $ ls /sys/fs/ubifs/ubi0_0/ errors_crc errors_magic errors_node ``` Signed-off-by: Hongbo Li Reviewed-by: Zhihao Cheng Signed-off-by: Richard Weinberger commit 829ed626499c11c9d11c65e93febc1e0da7cd61b Author: Steve Sistare Date: Wed Nov 13 11:51:36 2024 -0800 iommufd: Add IOMMU_IOAS_CHANGE_PROCESS Add an ioctl that updates all DMA mappings to reflect the current process, Change the mm and transfer locked memory accounting from old to current mm. This will be used for live update, allowing an old process to hand the iommufd device descriptor to a new process. The new process calls the ioctl. IOMMU_IOAS_CHANGE_PROCESS only supports DMA mappings created with IOMMU_IOAS_MAP_FILE, because the kernel metadata for such mappings does not depend on the userland VA of the pages (which is different in the new process). IOMMU_IOAS_CHANGE_PROCESS fails if other types of mappings are present. This is a revised version of code originally provided by Jason. Link: https://patch.msgid.link/r/1731527497-16091-4-git-send-email-steven.sistare@oracle.com Suggested-by: Jason Gunthorpe Signed-off-by: Steve Sistare Reviewed-by: Jason Gunthorpe Reviewed-by: Kevin Tian Signed-off-by: Jason Gunthorpe commit 919cc964abdb071f50c8f03e3b36fe0b5c60ef0d Author: Hongbo Li Date: Mon Aug 26 17:16:59 2024 +0800 ubifs: remove unused ioctl flags GETFLAGS/SETFLAGS In the ubifs, ubifs_fileattr_get and ubifs_fileattr_set have been implemented, GETFLAGS and SETFLAGS ioctl are not handled in filesystem's own ioctl helper. Additionally, these flags' cases are not handled in ubifs's ioctl helper, so we can remove them. Signed-off-by: Hongbo Li Reviewed-by: Zhihao Cheng Signed-off-by: Richard Weinberger commit d969811d45cc4133ca61212b2ac3d14f2bdfc0ac Author: Liu Mingrui Date: Wed Aug 21 06:30:59 2024 +0000 ubifs: Display the inode number when orphan twice happens Display the inode number in error message when the same orphan inode is added twice, which could provide more information for debugging. Signed-off-by: Liu Mingrui Reviewed-by: Zhihao Cheng Signed-off-by: Richard Weinberger commit c4595fe394a289927077e3da561db27811919ee0 Author: Zhihao Cheng Date: Mon Aug 19 11:26:22 2024 +0800 ubi: fastmap: wl: Schedule fm_work if wear-leveling pool is empty Since commit 14072ee33d5a ("ubi: fastmap: Check wl_pool for free peb before wear leveling"), wear_leveling_worker() won't schedule fm_work if wear-leveling pool is empty, which could temporarily disable the wear-leveling until the fastmap is updated(eg. pool becomes empty). Fix it by scheduling fm_work if wl_pool is empty during wear-leveing. Fixes: 14072ee33d5a ("ubi: fastmap: Check wl_pool for free peb before wear leveling") Signed-off-by: Zhihao Cheng Signed-off-by: Richard Weinberger commit 051ae5aa73d782a8be2699a11e17c68f28b4e758 Author: Steve Sistare Date: Wed Nov 13 11:51:35 2024 -0800 iommufd: Lock all IOAS objects Define helpers to lock and unlock all IOAS objects. This will allow DMA mappings to be updated atomically during live update. This code is substantially the same as an initial version provided by Jason, plus fixes. Link: https://patch.msgid.link/r/1731527497-16091-3-git-send-email-steven.sistare@oracle.com Signed-off-by: Steve Sistare Reviewed-by: Jason Gunthorpe Reviewed-by: Kevin Tian Signed-off-by: Jason Gunthorpe commit 10caa8b45119fa19fa98ea304d49f7e1283062fc Author: Steve Sistare Date: Wed Nov 13 11:51:34 2024 -0800 iommufd: Export do_update_pinned Export do_update_pinned. No functional change. Link: https://patch.msgid.link/r/1731527497-16091-2-git-send-email-steven.sistare@oracle.com Signed-off-by: Steve Sistare Reviewed-by: Jason Gunthorpe Reviewed-by: Kevin Tian Signed-off-by: Jason Gunthorpe commit d610020f030bec819f42de327c2bd5437d2766b3 Author: Zhihao Cheng Date: Mon Aug 19 11:26:21 2024 +0800 ubi: wl: Put source PEB into correct list if trying locking LEB failed During wear-leveing work, the source PEB will be moved into scrub list when source LEB cannot be locked in ubi_eba_copy_leb(), which is wrong for non-scrub type source PEB. The problem could bring extra and ineffective wear-leveing jobs, which makes more or less negative effects for the life time of flash. Specifically, the process is divided 2 steps: 1. wear_leveling_worker // generate false scrub type PEB ubi_eba_copy_leb // MOVE_RETRY is returned leb_write_trylock // trylock failed scrubbing = 1; e1 is put into ubi->scrub 2. wear_leveling_worker // schedule false scrub type PEB for wl scrubbing = 1 e1 = rb_entry(rb_first(&ubi->scrub)) The problem can be reproduced easily by running fsstress on a small UBIFS partition(<64M, simulated by nandsim) for 5~10mins (CONFIG_MTD_UBI_FASTMAP=y,CONFIG_MTD_UBI_WL_THRESHOLD=50). Following message is shown: ubi0: scrubbed PEB 66 (LEB 0:10), data moved to PEB 165 Since scrub type source PEB has set variable scrubbing as '1', and variable scrubbing is checked before variable keep, so the problem can be fixed by setting keep variable as 1 directly if the source LEB cannot be locked. Fixes: e801e128b220 ("UBI: fix missing scrub when there is a bit-flip") CC: stable@vger.kernel.org Signed-off-by: Zhihao Cheng Signed-off-by: Richard Weinberger commit 0104dcdaad3a7afd141e79a5fb817a92ada910ac Author: Rafael J. Wysocki Date: Thu Nov 14 17:25:09 2024 +0100 thermal: testing: Initialize some variables annoteded with _free() Variables annotated with __free() need to be initialized if the function can return before they get updated for the first time or the attempt to free the memory pointed to by them upon function return may crash the kernel. Fix this issue in some places in the thermal testing code. Fixes: f6a034f2df42 ("thermal: Introduce a debugfs-based testing facility") Reported-by: Dan Carpenter Signed-off-by: Rafael J. Wysocki Link: https://patch.msgid.link/12576267.O9o76ZdvQC@rjwysocki.net commit 3c50701fd37ffc265d28e7cb4db2ff0cd33241d7 Author: Zhihao Cheng Date: Fri Jul 12 14:36:25 2024 +0800 ubifs: Remove ineffective function ubifs_evict_xattr_inode() Function ubifs_evict_xattr_inode() is imported by commit 272eda8298dc ("ubifs: Correctly evict xattr inodes") to reclaim xattr inode when the host inode is deleted. The xattr inode is evicted in the host inode deleting process since commit 7959cf3a7506 ("ubifs: journal: Handle xattrs like files"). So the ineffective function ubifs_evict_xattr_inode() can be deleted safely. Signed-off-by: Zhihao Cheng Signed-off-by: Richard Weinberger commit 957e1c4e1779bffda4aac7a28efa68012a6d4b53 Author: Zhihao Cheng Date: Fri Jul 12 14:36:24 2024 +0800 ubifs: ubifs_jnl_write_inode: Only check once for the limitation of xattr count No need to check the limitation of xattr count every time in function ubifs_jnl_write_inode(), because the 'ui->xattr_cnt' won't be modified by others in the inode evicting process. Signed-off-by: Zhihao Cheng Signed-off-by: Richard Weinberger commit 81f5c72d041b92490261354a528b60e66ed2fa3b Author: Greg Kroah-Hartman Date: Wed Nov 13 07:49:23 2024 +0100 USB: properly lock dynamic id list when showing an id When walking the list of dynamic ids for a driver, no lock was being held, which meant that an id could be removed or added while the list was being iterated. Fix this up by properly grabing the lock while we walk the list. Reported-by: Alan Stern Cc: linux-usb@vger.kernel.org Link: https://lore.kernel.org/r/2024111324-tubby-facecloth-d4a0@gregkh Signed-off-by: Greg Kroah-Hartman commit 0b3144da31f855fce652303f588416a60991bdef Author: Greg Kroah-Hartman Date: Wed Nov 13 07:49:22 2024 +0100 USB: make single lock for all usb dynamic id lists There are a number of places where we accidentally pass in a constant structure to later cast it off to a dynamic one, and then attempt to grab a lock on it, which is not a good idea. To help resolve this, move the dynamic id lock out of the dynamic id structure for the driver and into one single lock for all USB dynamic ids. As this lock should never have any real contention (it's only every accessed when a device is added or removed, which is always serialized) there should not be any difference except for some memory savings. Note, this just converts the existing use of the dynamic id lock to the new static lock, there is one place that is accessing the dynamic id list without grabbing the lock, that will be fixed up in a follow-on change. Cc: Johan Hovold Cc: Herve Codina Cc: Rob Herring Cc: Alan Stern Cc: Grant Grundler Cc: Oliver Neukum Cc: Yajun Deng Cc: Douglas Anderson Cc: linux-usb@vger.kernel.org Link: https://lore.kernel.org/r/2024111322-kindly-finalist-d247@gregkh Signed-off-by: Greg Kroah-Hartman commit aefff51e1c2986e16f2780ca8e4c97b784800ab5 Author: Christian Brauner Date: Thu Nov 14 16:31:27 2024 +0100 statmount: retrieve security mount options Add the ability to retrieve security mount options. Keep them separate from filesystem specific mount options so it's easy to tell them apart. Also allow to retrieve them separate from other mount options as most of the time users won't be interested in security specific mount options. Link: https://lore.kernel.org/r/20241114-radtour-ofenrohr-ff34b567b40a@brauner Reviewed-by: Jeff Layton Signed-off-by: Christian Brauner commit 9a5a75bf1f485e2d109303a996d147b94c5e79c9 Merge: f3f9f0de30a510 3b7e11a0116c30 Author: Mark Brown Date: Thu Nov 14 15:36:46 2024 +0000 ASoc: simple-mux: Allow to specify an idle-state Merge series from "Hendrik v. Raven" : This series adds support for the idle-state property from the mux framework to the simple-mux audio variant. It allows to specify the state of the mux when it is not in use. commit f3f9f0de30a5106078cd610f80eaa6f9386b2186 Merge: a59360466a712d 76b5a3b2afdce1 Author: Mark Brown Date: Thu Nov 14 15:36:39 2024 +0000 Add generic AMD Soundwire machine driver for Legacy(No Merge series from Vijendar Mukunda : This patch series add SoundWire machines for RT711, RT714, RT1316 and RT722 codecs for ACP 6.3 platform. Also, it adds a generic SoundWire machine driver code for legacy(No DSP) stack. commit ede132a5cf559f3ab35a4c28bac4f4a6c20334d8 Author: Patrisious Haddad Date: Wed Nov 13 13:23:19 2024 +0200 RDMA/mlx5: Move events notifier registration to be after device registration Move pkey change work initialization and cleanup from device resources stage to notifier stage, since this is the stage which handles this work events. Fix a race between the device deregistration and pkey change work by moving MLX5_IB_STAGE_DEVICE_NOTIFIER to be after MLX5_IB_STAGE_IB_REG in order to ensure that the notifier is deregistered before the device during cleanup. Which ensures there are no works that are being executed after the device has already unregistered which can cause the panic below. BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 1 PID: 630071 Comm: kworker/1:2 Kdump: loaded Tainted: G W OE --------- --- 5.14.0-162.6.1.el9_1.x86_64 #1 Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS 090008 02/27/2023 Workqueue: events pkey_change_handler [mlx5_ib] RIP: 0010:setup_qp+0x38/0x1f0 [mlx5_ib] Code: ee 41 54 45 31 e4 55 89 f5 53 48 89 fb 48 83 ec 20 8b 77 08 65 48 8b 04 25 28 00 00 00 48 89 44 24 18 48 8b 07 48 8d 4c 24 16 <4c> 8b 38 49 8b 87 80 0b 00 00 4c 89 ff 48 8b 80 08 05 00 00 8b 40 RSP: 0018:ffffbcc54068be20 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff954054494128 RCX: ffffbcc54068be36 RDX: ffff954004934000 RSI: 0000000000000001 RDI: ffff954054494128 RBP: 0000000000000023 R08: ffff954001be2c20 R09: 0000000000000001 R10: ffff954001be2c20 R11: ffff9540260133c0 R12: 0000000000000000 R13: 0000000000000023 R14: 0000000000000000 R15: ffff9540ffcb0905 FS: 0000000000000000(0000) GS:ffff9540ffc80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000010625c001 CR4: 00000000003706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: mlx5_ib_gsi_pkey_change+0x20/0x40 [mlx5_ib] process_one_work+0x1e8/0x3c0 worker_thread+0x50/0x3b0 ? rescuer_thread+0x380/0x380 kthread+0x149/0x170 ? set_kthread_struct+0x50/0x50 ret_from_fork+0x22/0x30 Modules linked in: rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) mlx5_fwctl(OE) fwctl(OE) ib_uverbs(OE) mlx5_core(OE) mlxdevm(OE) ib_core(OE) mlx_compat(OE) psample mlxfw(OE) tls knem(OE) netconsole nfsv3 nfs_acl nfs lockd grace fscache netfs qrtr rfkill sunrpc intel_rapl_msr intel_rapl_common rapl hv_balloon hv_utils i2c_piix4 pcspkr joydev fuse ext4 mbcache jbd2 sr_mod sd_mod cdrom t10_pi sg ata_generic pci_hyperv pci_hyperv_intf hyperv_drm drm_shmem_helper drm_kms_helper hv_storvsc syscopyarea hv_netvsc sysfillrect sysimgblt hid_hyperv fb_sys_fops scsi_transport_fc hyperv_keyboard drm ata_piix crct10dif_pclmul crc32_pclmul crc32c_intel libata ghash_clmulni_intel hv_vmbus serio_raw [last unloaded: ib_core] CR2: 0000000000000000 ---[ end trace f6f8be4eae12f7bc ]--- Fixes: 7722f47e71e5 ("IB/mlx5: Create GSI transmission QPs when P_Key table is changed") Signed-off-by: Patrisious Haddad Reviewed-by: Michael Guralnik Link: https://patch.msgid.link/d271ceeff0c08431b3cbbbb3e2d416f09b6d1621.1731496944.git.leon@kernel.org Signed-off-by: Leon Romanovsky commit 31bad59805c388f92f3a13174a149c2228301c15 Author: Kalesh AP Date: Thu Nov 14 01:49:08 2024 -0800 RDMA/bnxt_re: Cache MSIx info to a local structure L2 driver allocates the vectors for RoCE and pass it through the en_dev structure to RoCE. During probe, cache the MSIx related info to a local structure. Signed-off-by: Selvin Xavier Signed-off-by: Kalesh AP Link: https://patch.msgid.link/1731577748-1804-5-git-send-email-selvin.xavier@broadcom.com Signed-off-by: Leon Romanovsky commit cb97b377a13589b4880eeb1524dbc47087c3244b Author: Kalesh AP Date: Thu Nov 14 01:49:07 2024 -0800 RDMA/bnxt_re: Refurbish CQ to NQ hash calculation There are few use cases where CQ create and destroy is seen before re-creating the CQ, this kind of use case is disturbing the RR distribution and all the active CQ getting mapped to only 2 NQ alternatively. Fixing the CQ to NQ hash calculation by implementing a quick load sorting mechanism under a mutex. Using this, if the CQ was allocated and destroyed before using it, the nq selecting algorithm still obtains the least loaded CQ. Thus balancing the load on NQs. Signed-off-by: Selvin Xavier Signed-off-by: Kalesh AP Link: https://patch.msgid.link/1731577748-1804-4-git-send-email-selvin.xavier@broadcom.com Signed-off-by: Leon Romanovsky commit 30b871338c3ebab4c5efb74f6b23b59f1ac4ca1f Author: Kalesh AP Date: Thu Nov 14 01:49:06 2024 -0800 RDMA/bnxt_re: Refactor NQ allocation Move NQ related data structures from rdev to a new structure named "struct bnxt_re_nq_record" by keeping a pointer to in the rdev structure. Allocate the memory for it dynamically. This change is needed for subsequent patches in the series. Also, removed the nq_task variable from rdev structure as it is redundant and no longer used. This change would help to reduce the size of the driver private structure as well. Reviewed-by: Chandramohan Akula Signed-off-by: Kalesh AP Signed-off-by: Selvin Xavier Link: https://patch.msgid.link/1731577748-1804-3-git-send-email-selvin.xavier@broadcom.com Signed-off-by: Leon Romanovsky commit 65ecee132774e0f15cd76a766eb39ec21118bffc Author: Kalesh AP Date: Thu Nov 14 01:49:05 2024 -0800 RDMA/bnxt_re: Fail probe early when not enough MSI-x vectors are reserved L2 driver allocates and populates the MSI-x vector details for RoCE in the en_dev structure. RoCE driver requires minimum 2 MSIx vectors. Hence during probe, driver has to check and bail out if there are not enough MSI-x vectors reserved for it before proceeding further initialization. Reviewed-by: Andy Gospodarek Reviewed-by: Ajit Khaparde Reviewed-by: Hongguang Gao Reviewed-by: Bhargava Chenna Marreddy Reviewed-by: Kashyap Desai Reviewed-by: Chandramohan Akula Signed-off-by: Kalesh AP Signed-off-by: Selvin Xavier Link: https://patch.msgid.link/1731577748-1804-2-git-send-email-selvin.xavier@broadcom.com Signed-off-by: Leon Romanovsky commit 8d7493133bfd89322349be3daaf39a256e4354ac Author: Dr. David Alan Gilbert Date: Sat Oct 26 23:01:33 2024 +0100 fbdev: omapfb: Remove some deadcode commit f76ee892a99e ("omapfb: copy omapdss & displays for omapfb") took a copy of the omapdrm code into omapfb, however at that point a couple of functions were already unused at that point. Remove dispc_mgr_get_clock_div() and dispc_enable_fifomerge() from the omapfb copy. Signed-off-by: Dr. David Alan Gilbert Signed-off-by: Helge Deller commit 3d12862b216d39670500f6bd44b8be312b2ee4fb Author: Mohsin Bashir Date: Tue Nov 12 14:26:05 2024 -0800 eth: fbnic: Add support to dump registers Add support for the 'ethtool -d ' command to retrieve and print a register dump for fbnic. The dump defaults to version 1 and consists of two parts: all the register sections that can be dumped linearly, and an RPC RAM section that is structured in an interleaved fashion and requires special handling. For each register section, the dump also contains the start and end boundary information which can simplify parsing. Signed-off-by: Mohsin Bashir Link: https://patch.msgid.link/20241112222605.3303211-1-mohsin.bashr@gmail.com Signed-off-by: Paolo Abeni commit f89d17ae2ac42931be2a0153fecbf8533280c927 Author: Zhen Lei Date: Sat Oct 26 11:56:34 2024 +0800 fbdev: sh7760fb: Fix a possible memory leak in sh7760fb_alloc_mem() When information such as info->screen_base is not ready, calling sh7760fb_free_mem() does not release memory correctly. Call dma_free_coherent() instead. Fixes: 4a25e41831ee ("video: sh7760fb: SH7760/SH7763 LCDC framebuffer driver") Signed-off-by: Zhen Lei Reviewed-by: Dmitry Baryshkov Signed-off-by: Helge Deller commit 6d9f9115c091c88cacf78734d8ea34c8609e8680 Author: Everest K.C. Date: Wed Oct 23 17:33:55 2024 -0600 drm/xe/guc: Fix dereference before NULL check The pointer list->list is dereferenced before the NULL check. Fix this by moving the NULL check outside the for loop, so that the check is performed before the dereferencing. The list->list pointer cannot be NULL so this has no effect on runtime. It's just a correctness issue. This issue was reported by Coverity Scan. https://scan7.scan.coverity.com/#/project-view/51525/11354?selectedIssue=1600335 Fixes: 0f1fdf559225 ("drm/xe/guc: Save manual engine capture into capture list") Signed-off-by: Everest K.C. Reviewed-by: Dan Carpenter Signed-off-by: John Harrison Link: https://patchwork.freedesktop.org/patch/msgid/20241023233356.5479-1-everestkc@everestkc.com.np (cherry picked from commit 2aff81e039de5b0b7ef6bdcb2c320f121f69e2b4) Signed-off-by: Thomas Hellström commit 9b4662d0df9f4433f1828904ba5e8733c1ad5158 Author: zhang jiao Date: Thu Nov 14 15:58:22 2024 +0800 ALSA: ump: Fix the wrong format specifier The format specifier of "unsigned int" in snprintf() should be "%u", not "%d". Signed-off-by: zhang jiao Link: https://patch.msgid.link/20241114075822.41614-1-zhangjiao2@cmss.chinamobile.com Signed-off-by: Takashi Iwai commit e9d3270007b13acd34de4256970ffe457efc6c65 Author: Shen Lichuan Date: Mon Sep 30 10:32:34 2024 +0800 ps3: Correct some typos in comments Fixed some typos that were currently identified with codespell, the details are as follows: drivers/ps3/ps3-lpm.c:94: rigths ==> rights drivers/ps3/ps3-sys-manager.c:365: acnowledge ==> acknowledge drivers/ps3/ps3-vuart.c:470: remaning ==> remaining drivers/ps3/ps3-vuart.c:471: transmision ==> transmission drivers/ps3/sys-manager-core.c:15: Staticly ==> Statically Signed-off-by: Shen Lichuan Acked-by: Geoff Levand Signed-off-by: Michael Ellerman Link: https://patch.msgid.link/20240930023234.7457-1-shenlichuan@vivo.com commit 83b5a407fbb73e6965adfb4bd0a803724bf87f96 Author: Zhang Zekun Date: Mon Sep 30 15:56:28 2024 +0800 powerpc/kexec: Fix return of uninitialized variable of_property_read_u64() can fail and leave the variable uninitialized, which will then be used. Return error if reading the property failed. Fixes: 2e6bd221d96f ("powerpc/kexec_file: Enable early kernel OPAL calls") Signed-off-by: Zhang Zekun Signed-off-by: Michael Ellerman Link: https://patch.msgid.link/20240930075628.125138-1-zhangzekun11@huawei.com commit 0c32840763b1579c923b4216c18bb756ca4ba473 Author: Michael J. Ruhl Date: Thu Nov 14 08:03:57 2024 -0500 platform/x86/intel/pmt: allow user offset for PMT callbacks Usage of the telem sysfs file allows for partial reads at an offset. The current callback method returns the buffer starting from offset 0 only. Include the requested offset in the callback and update the necessary address calculations with the offset. Note: offset addition is moved from the caller to the local usage. For non-callback usage this is unchanged behavior. Fixes: e92affc74cd8 ("platform/x86/intel/vsec: Add PMT read callbacks") Reviewed-by: Andy Shevchenko Signed-off-by: Michael J. Ruhl Link: https://lore.kernel.org/r/20241114130358.2467787-2-michael.j.ruhl@intel.com Reviewed-by: Ilpo Järvinen Signed-off-by: Ilpo Järvinen commit 35f56c554eb1b56b77b3cf197a6b00922d49033d Author: Jeongjun Park Date: Wed Nov 13 22:02:09 2024 +0900 netfilter: ipset: add missing range check in bitmap_ip_uadt When tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists, the values of ip and ip_to are slightly swapped. Therefore, the range check for ip should be done later, but this part is missing and it seems that the vulnerability occurs. So we should add missing range checks and remove unnecessary range checks. Cc: Reported-by: syzbot+58c872f7790a4d2ac951@syzkaller.appspotmail.com Fixes: 72205fc68bd1 ("netfilter: ipset: bitmap:ip set type support") Signed-off-by: Jeongjun Park Acked-by: Jozsef Kadlecsik Signed-off-by: Pablo Neira Ayuso commit 041bd1e4f2d82859690cd8b41c35f0f9404c3770 Author: guanjing Date: Fri Nov 8 16:13:58 2024 +0800 selftests: netfilter: Fix missing return values in conntrack_dump_flush Fix the bug of some functions were missing return values. Fixes: eff3c558bb7e ("netfilter: ctnetlink: support filtering by zone") Signed-off-by: Guan Jing Signed-off-by: Pablo Neira Ayuso commit df6cb25f07794b39e7993938ee3ca6749a88f300 Author: Li Zhijian Date: Wed Oct 30 09:00:02 2024 +0800 selftests: netfilter: Add missing gitignore file Compiled binary files should be added to .gitignore 'git status' complains: Untracked files: (use "git add ..." to include in what will be committed) net/netfilter/conntrack_reverse_clash Signed-off-by: Li Zhijian Signed-off-by: Pablo Neira Ayuso commit 711747e204ead127235aa41b350e518e92a87fcc Author: Amir Goldstein Date: Thu Nov 14 09:36:35 2024 +0100 ovl: pass an explicit reference of creators creds to callers ovl_setup_cred_for_create() decrements one refcount of new creds and ovl_revert_creds() in callers decrements the last refcount. In preparation to revert_creds_light() back to caller creds, pass an explicit reference of the creators creds to the callers and drop the refcount explicitly in the callers after ovl_revert_creds(). Reviewed-by: Christian Brauner Signed-off-by: Amir Goldstein commit 83ef4a378e563d085ddd7214c2a393116b5f3435 Merge: 437330d90c507b 929bbc16abfb01 Author: Catalin Marinas Date: Thu Nov 14 12:07:30 2024 +0000 Merge branch 'for-next/pkey-signal' into for-next/core * for-next/pkey-signal: : Bring arm64 pkey signal delivery in line with the x86 behaviour selftests/mm: Fix unused function warning for aarch64_write_signal_pkey() selftests/mm: Define PKEY_UNRESTRICTED for pkey_sighandler_tests selftests/mm: Enable pkey_sighandler_tests on arm64 selftests/mm: Use generic pkey register manipulation arm64: signal: Remove unused macro arm64: signal: Remove unnecessary check when saving POE state arm64: signal: Improve POR_EL0 handling to avoid uaccess failures firmware: arm_sdei: Fix the input parameter of cpuhp_remove_state() Revert "kasan: Disable Software Tag-Based KASAN with GCC" kasan: Fix Software Tag-Based KASAN with GCC kasan: Disable Software Tag-Based KASAN with GCC Documentation/protection-keys: add AArch64 to documentation arm64: set POR_EL0 for kernel threads # Conflicts: # arch/arm64/kernel/signal.c commit 437330d90c507be109a161667a77eaf61be0edac Merge: 5a4332062e9e71 2cfdb799dc7681 Author: Catalin Marinas Date: Thu Nov 14 12:07:28 2024 +0000 Merge branch 'for-next/mops' into for-next/core * for-next/mops: : More FEAT_MOPS (memcpy instructions) uses - in-kernel routines arm64: mops: Document requirements for hypervisors arm64: lib: Use MOPS for copy_page() and clear_page() arm64: lib: Use MOPS for memcpy() routines arm64: mops: Document booting requirement for HCR_EL2.MCE2 arm64: mops: Handle MOPS exceptions from EL1 arm64: probes: Disable kprobes/uprobes on MOPS instructions # Conflicts: # arch/arm64/kernel/entry-common.c commit 5a4332062e9e71de8e78dc1b389d21e0dd44848b Merge: 845fd2cbedaf29 016d659e62ad9d ac4ad5c09b34ad 7bb32dc788ddd0 a923705c69f7f4 67ab51cbdfee02 27879e8cb6b0fd 0349934618907a f260c442676310 ddadbcdaaed5c3 91a6533811bb81 a6478d69cf56d5 972d755f01954b b349a5a2b6e236 47965a49a2c88e Author: Catalin Marinas Date: Thu Nov 14 12:07:16 2024 +0000 Merge branches 'for-next/gcs', 'for-next/probes', 'for-next/asm-offsets', 'for-next/tlb', 'for-next/misc', 'for-next/mte', 'for-next/sysreg', 'for-next/stacktrace', 'for-next/hwcap3', 'for-next/kselftest', 'for-next/crc32', 'for-next/guest-cca', 'for-next/haft' and 'for-next/scs', remote-tracking branch 'arm64/for-next/perf' into for-next/core * arm64/for-next/perf: perf: Switch back to struct platform_driver::remove() perf: arm_pmuv3: Add support for Samsung Mongoose PMU dt-bindings: arm: pmu: Add Samsung Mongoose core compatible perf/dwc_pcie: Fix typos in event names perf/dwc_pcie: Add support for Ampere SoCs ARM: pmuv3: Add missing write_pmuacr() perf/marvell: Marvell PEM performance monitor support perf/arm_pmuv3: Add PMUv3.9 per counter EL0 access control perf/dwc_pcie: Convert the events with mixed case to lowercase perf/cxlpmu: Support missing events in 3.1 spec perf: imx_perf: add support for i.MX91 platform dt-bindings: perf: fsl-imx-ddr: Add i.MX91 compatible drivers perf: remove unused field pmu_node * for-next/gcs: (42 commits) : arm64 Guarded Control Stack user-space support kselftest/arm64: Fix missing printf() argument in gcs/gcs-stress.c arm64/gcs: Fix outdated ptrace documentation kselftest/arm64: Ensure stable names for GCS stress test results kselftest/arm64: Validate that GCS push and write permissions work kselftest/arm64: Enable GCS for the FP stress tests kselftest/arm64: Add a GCS stress test kselftest/arm64: Add GCS signal tests kselftest/arm64: Add test coverage for GCS mode locking kselftest/arm64: Add a GCS test program built with the system libc kselftest/arm64: Add very basic GCS test program kselftest/arm64: Always run signals tests with GCS enabled kselftest/arm64: Allow signals tests to specify an expected si_code kselftest/arm64: Add framework support for GCS to signal handling tests kselftest/arm64: Add GCS as a detected feature in the signal tests kselftest/arm64: Verify the GCS hwcap arm64: Add Kconfig for Guarded Control Stack (GCS) arm64/ptrace: Expose GCS via ptrace and core files arm64/signal: Expose GCS state in signal frames arm64/signal: Set up and restore the GCS context for signal handlers arm64/mm: Implement map_shadow_stack() ... * for-next/probes: : Various arm64 uprobes/kprobes cleanups arm64: insn: Simulate nop instruction for better uprobe performance arm64: probes: Remove probe_opcode_t arm64: probes: Cleanup kprobes endianness conversions arm64: probes: Move kprobes-specific fields arm64: probes: Fix uprobes for big-endian kernels arm64: probes: Fix simulate_ldr*_literal() arm64: probes: Remove broken LDR (literal) uprobe support * for-next/asm-offsets: : arm64 asm-offsets.c cleanup (remove unused offsets) arm64: asm-offsets: remove PREEMPT_DISABLE_OFFSET arm64: asm-offsets: remove DMA_{TO,FROM}_DEVICE arm64: asm-offsets: remove VM_EXEC and PAGE_SZ arm64: asm-offsets: remove MM_CONTEXT_ID arm64: asm-offsets: remove COMPAT_{RT_,SIGFRAME_REGS_OFFSET arm64: asm-offsets: remove VMA_VM_* arm64: asm-offsets: remove TSK_ACTIVE_MM * for-next/tlb: : TLB flushing optimisations arm64: optimize flush tlb kernel range arm64: tlbflush: add __flush_tlb_range_limit_excess() * for-next/misc: : Miscellaneous patches arm64: tls: Fix context-switching of tpidrro_el0 when kpti is enabled arm64/ptrace: Clarify documentation of VL configuration via ptrace acpi/arm64: remove unnecessary cast arm64/mm: Change protval as 'pteval_t' in map_range() arm64: uprobes: Optimize cache flushes for xol slot acpi/arm64: Adjust error handling procedure in gtdt_parse_timer_block() arm64: fix .data.rel.ro size assertion when CONFIG_LTO_CLANG arm64/ptdump: Test both PTE_TABLE_BIT and PTE_VALID for block mappings arm64/mm: Sanity check PTE address before runtime P4D/PUD folding arm64/mm: Drop setting PTE_TYPE_PAGE in pte_mkcont() ACPI: GTDT: Tighten the check for the array of platform timer structures arm64/fpsimd: Fix a typo arm64: Expose ID_AA64ISAR1_EL1.XS to sanitised feature consumers arm64: Return early when break handler is found on linked-list arm64/mm: Re-organize arch_make_huge_pte() arm64/mm: Drop _PROT_SECT_DEFAULT arm64: Add command-line override for ID_AA64MMFR0_EL1.ECV arm64: head: Drop SWAPPER_TABLE_SHIFT arm64: cpufeature: add POE to cpucap_is_possible() arm64/mm: Change pgattr_change_is_safe() arguments as pteval_t * for-next/mte: : Various MTE improvements selftests: arm64: add hugetlb mte tests hugetlb: arm64: add mte support * for-next/sysreg: : arm64 sysreg updates arm64/sysreg: Update ID_AA64MMFR1_EL1 to DDI0601 2024-09 * for-next/stacktrace: : arm64 stacktrace improvements arm64: preserve pt_regs::stackframe during exec*() arm64: stacktrace: unwind exception boundaries arm64: stacktrace: split unwind_consume_stack() arm64: stacktrace: report recovered PCs arm64: stacktrace: report source of unwind data arm64: stacktrace: move dump_backtrace() to kunwind_stack_walk() arm64: use a common struct frame_record arm64: pt_regs: swap 'unused' and 'pmr' fields arm64: pt_regs: rename "pmr_save" -> "pmr" arm64: pt_regs: remove stale big-endian layout arm64: pt_regs: assert pt_regs is a multiple of 16 bytes * for-next/hwcap3: : Add AT_HWCAP3 support for arm64 (also wire up AT_HWCAP4) arm64: Support AT_HWCAP3 binfmt_elf: Wire up AT_HWCAP3 at AT_HWCAP4 * for-next/kselftest: (30 commits) : arm64 kselftest fixes/cleanups kselftest/arm64: Try harder to generate different keys during PAC tests kselftest/arm64: Don't leak pipe fds in pac.exec_sign_all() kselftest/arm64: Corrupt P0 in the irritator when testing SSVE kselftest/arm64: Add FPMR coverage to fp-ptrace kselftest/arm64: Expand the set of ZA writes fp-ptrace does kselftets/arm64: Use flag bits for features in fp-ptrace assembler code kselftest/arm64: Enable build of PAC tests with LLVM=1 kselftest/arm64: Check that SVCR is 0 in signal handlers kselftest/arm64: Fix printf() compiler warnings in the arm64 syscall-abi.c tests kselftest/arm64: Fix printf() warning in the arm64 MTE prctl() test kselftest/arm64: Fix printf() compiler warnings in the arm64 fp tests kselftest/arm64: Fix build with stricter assemblers kselftest/arm64: Test signal handler state modification in fp-stress kselftest/arm64: Provide a SIGUSR1 handler in the kernel mode FP stress test kselftest/arm64: Implement irritators for ZA and ZT kselftest/arm64: Remove unused ADRs from irritator handlers kselftest/arm64: Correct misleading comments on fp-stress irritators kselftest/arm64: Poll less often while waiting for fp-stress children kselftest/arm64: Increase frequency of signal delivery in fp-stress kselftest/arm64: Fix encoding for SVE B16B16 test ... * for-next/crc32: : Optimise CRC32 using PMULL instructions arm64/crc32: Implement 4-way interleave using PMULL arm64/crc32: Reorganize bit/byte ordering macros arm64/lib: Handle CRC-32 alternative in C code * for-next/guest-cca: : Support for running Linux as a guest in Arm CCA arm64: Document Arm Confidential Compute virt: arm-cca-guest: TSM_REPORT support for realms arm64: Enable memory encrypt for Realms arm64: mm: Avoid TLBI when marking pages as valid arm64: Enforce bounce buffers for realm DMA efi: arm64: Map Device with Prot Shared arm64: rsi: Map unprotected MMIO as decrypted arm64: rsi: Add support for checking whether an MMIO is protected arm64: realm: Query IPA size from the RMM arm64: Detect if in a realm and set RIPAS RAM arm64: rsi: Add RSI definitions * for-next/haft: : Support for arm64 FEAT_HAFT arm64: pgtable: Warn unexpected pmdp_test_and_clear_young() arm64: Enable ARCH_HAS_NONLEAF_PMD_YOUNG arm64: Add support for FEAT_HAFT arm64: setup: name 'tcr2' register arm64/sysreg: Update ID_AA64MMFR1_EL1 register * for-next/scs: : Dynamic shadow call stack fixes arm64/scs: Drop unused prototype __pi_scs_patch_vmlinux() arm64/scs: Deal with 64-bit relative offsets in FDE frames arm64/scs: Fix handling of DWARF augmentation data in CIE/FDE frames commit 0586ade9e7f9491ccbe1e00975978cb9c2093006 Merge: 7b541d557f705c 9899b8201025d0 Author: Paolo Bonzini Date: Thu Nov 14 07:06:24 2024 -0500 Merge tag 'loongarch-kvm-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson into HEAD LoongArch KVM changes for v6.13 1. Add iocsr and mmio bus simulation in kernel. 2. Add in-kernel interrupt controller emulation. 3. Add virt extension support for eiointc irqchip. commit 508180850b732c7a0e3a728460cf3f95f25e1fbd Author: Florian Westphal Date: Wed Nov 13 16:35:53 2024 +0100 netfilter: nf_tables: allocate element update information dynamically Move the timeout/expire/flag members from nft_trans_one_elem struct into a dybamically allocated structure, only needed when timeout update was requested. This halves size of nft_trans_one_elem struct and allows to compact up to 124 elements in one transaction container rather than 62. This halves memory requirements for a large flush or insert transaction, where ->update remains NULL. Care has to be taken to release the extra data in all spots, including abort path. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso commit 7b541d557f705c7e5bcd874f3b960c8fb8dee562 Merge: b467ab82a9fde4 60ad25e14ab5a4 Author: Paolo Bonzini Date: Thu Nov 14 07:05:36 2024 -0500 Merge tag 'kvmarm-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm into HEAD KVM/arm64 changes for 6.13, part #1 - Support for stage-1 permission indirection (FEAT_S1PIE) and permission overlays (FEAT_S1POE), including nested virt + the emulated page table walker - Introduce PSCI SYSTEM_OFF2 support to KVM + client driver. This call was introduced in PSCIv1.3 as a mechanism to request hibernation, similar to the S4 state in ACPI - Explicitly trap + hide FEAT_MPAM (QoS controls) from KVM guests. As part of it, introduce trivial initialization of the host's MPAM context so KVM can use the corresponding traps - PMU support under nested virtualization, honoring the guest hypervisor's trap configuration and event filtering when running a nested guest - Fixes to vgic ITS serialization where stale device/interrupt table entries are not zeroed when the mapping is invalidated by the VM - Avoid emulated MMIO completion if userspace has requested synchronous external abort injection - Various fixes and cleanups affecting pKVM, vCPU initialization, and selftests commit 67ab51cbdfee02ef07fb9d7d14cc0bf6cb5a5e5c Author: Will Deacon Date: Thu Nov 14 09:53:32 2024 +0000 arm64: tls: Fix context-switching of tpidrro_el0 when kpti is enabled Commit 18011eac28c7 ("arm64: tls: Avoid unconditional zeroing of tpidrro_el0 for native tasks") tried to optimise the context switching of tpidrro_el0 by eliding the clearing of the register when switching to a native task with kpti enabled, on the erroneous assumption that the kpti trampoline entry code would already have taken care of the write. Although the kpti trampoline does zero the register on entry from a native task, the check in tls_thread_switch() is on the *next* task and so we can end up leaving a stale, non-zero value in the register if the previous task was 32-bit. Drop the broken optimisation and zero tpidrro_el0 unconditionally when switching to a native 64-bit task. Cc: Mark Rutland Cc: stable@vger.kernel.org Fixes: 18011eac28c7 ("arm64: tls: Avoid unconditional zeroing of tpidrro_el0 for native tasks") Signed-off-by: Will Deacon Acked-by: Mark Rutland Link: https://lore.kernel.org/r/20241114095332.23391-1-will@kernel.org Signed-off-by: Catalin Marinas commit 352268dc6da7b422022541c2cf846663110f775c Author: Markus Elfring Date: Thu Oct 3 21:06:42 2024 +0200 macintosh: Use common error handling code in via_pmu_led_init() Add a jump target so that a bit of exception handling can be better reused at the end of this function implementation. This issue was detected by using the Coccinelle software. Signed-off-by: Markus Elfring Signed-off-by: Michael Ellerman Link: https://patch.msgid.link/189b93e2-4e81-438d-9c77-cbe4d9d7a0d9@web.de commit 2e716f5cdebed2fb98cafffaf626645c2e922dbb Author: Markus Elfring Date: Fri Oct 11 18:10:06 2024 +0200 powerpc/powermac: Use of_property_match_string() in pmac_has_backlight_type() Replace an of_get_property() call by of_property_match_string() so that this function implementation can be simplified. Suggested-by: Christophe Leroy Link: https://lore.kernel.org/linuxppc-dev/d9bdc1b6-ea7e-47aa-80aa-02ae649abf72@csgroup.eu/ Suggested-by: Michael Ellerman Link: https://lore.kernel.org/linuxppc-dev/87cyk97ufp.fsf@mail.lhotse/ Signed-off-by: Markus Elfring Reviewed-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://patch.msgid.link/ede25e03-7a14-4787-ae1b-4fc9290add5a@web.de commit f20b0a03674cef555a5f48b65f81b82868b17cdd Author: Lukas Bulwahn Date: Fri Sep 27 11:52:03 2024 +0200 powerpc: remove dead config options for MPC85xx platform support Commit 384e338a9187 ("powerpc: drop MPC8540_ADS and MPC8560_ADS platform support") and commit b751ed04bc5e ("powerpc: drop MPC85xx_CDS platform support") removes the platform support for MPC8540_ADS, MPC8560_ADS and MPC85xx_CDS in the source tree, but misses to remove the config options in the Kconfig file. Hence, these three config options are without any effect since then. Drop these three dead config options. Fixes: 384e338a9187 ("powerpc: drop MPC8540_ADS and MPC8560_ADS platform support") Fixes: b751ed04bc5e ("powerpc: drop MPC85xx_CDS platform support") Signed-off-by: Lukas Bulwahn Reviewed-by: Ritesh Harjani (IBM) Signed-off-by: Michael Ellerman Link: https://patch.msgid.link/20240927095203.392365-1-lukas.bulwahn@redhat.com commit 6da1cab4f5f8eb778fd61f0eb6ca5b0a011dd44d Author: Costa Shulyupin Date: Thu Sep 26 12:26:22 2024 +0300 powerpc/xive: Use cpumask_intersects() Replace `cpumask_any_and(a, b) >= nr_cpu_ids` with the more readable `!cpumask_intersects(a, b)`. Comparison between cpumask_any_and() and cpumask_intersects() The cpumask_any_and() function expands using FIND_FIRST_BIT(), resulting in a loop that iterates through each bit of the bitmask: for (idx = 0; idx * BITS_PER_LONG < sz; idx++) { val = (FETCH); if (val) { sz = min(idx * BITS_PER_LONG + __ffs(MUNGE(val)), sz); break; } } The cpumask_intersects() function expands using __bitmap_intersects(), resulting in that the first loop iterates through each long word of the bitmask, and the second through each bit within a long word: unsigned int k, lim = bits/BITS_PER_LONG; for (k = 0; k < lim; ++k) if (bitmap1[k] & bitmap2[k]) return true; if (bits % BITS_PER_LONG) if ((bitmap1[k] & bitmap2[k]) & BITMAP_LAST_WORD_MASK(bits)) return true; Conclusion: cpumask_intersects() is at least as efficient as cpumask_any_and(), if not more so, as it typically performs fewer loops and comparisons. Signed-off-by: Costa Shulyupin Reviewed-by: Ming Lei Reviewed-by: Ritesh Harjani (IBM) Signed-off-by: Michael Ellerman Link: https://patch.msgid.link/20240926092623.399577-2-costa.shul@redhat.com commit 26470a2e87a6fc40750f4bfe962519e9ae9a9e72 Merge: f3c605147741e0 a3bb4e663df318 Author: Mark Brown Date: Thu Nov 14 11:43:39 2024 +0000 spi: imx: support word delay in ecspi Merge series from Jonas Rebmann : The i.MX SPI controller supports inserting a configurable delay between subsequent words, which is needed for some slower devices that couldn't keep up otherwise. This patch series introduces support for the word delay parameters for i.MX51 onwards. The SPI clock (CSRC=0) was chosen as the clock source over the also available 32.768 KHz Low-Frequency Reference Clock (CSRC=1). The sample period control bits (SAMPLE_PERIOD) are set to the selected word delay converted to SPI clock cycles. A deviation from the requested number of wait cycles and the actual word delay was observed via both software timings and oscilloscope measurements and accounted for. The Chip Select Delay Control bits in the Sample Period Control Register remain zero. Behaviour on i.MX35 and earlier, where the CSPI interface is used, remains unchanged. commit a59360466a712d416f8cddfa4e52e118c53aa3a3 Author: Bard Liao Date: Wed Nov 13 14:44:17 2024 +0800 ASoC: Intel: soc-acpi-intel-lnl-match: add rt712_vb + rt1320 support Realtek Gen6 AIOC supports rt712_vb on SoundWire link 2 and rt1320 on SoundWire link 1. Signed-off-by: Bard Liao Reviewed-by: Ranjani Sridharan Reviewed-by: Liam Girdwood Reviewed-by: Péter Ujfalusi Link: https://patch.msgid.link/20241113064418.162592-1-yung-chuan.liao@linux.intel.com Signed-off-by: Mark Brown commit ba888450828befb0607219f34c03aa8645625447 Author: Olivier Moysan Date: Thu Nov 14 11:28:51 2024 +0100 ASoC: stm32: dfsdm: change rate upper limits Increase rate upper limit to 192kHz to reflect the rate range actually supported by the STM32 DFSDM peripheral. Signed-off-by: Olivier Moysan Link: https://patch.msgid.link/20241114102851.2497942-1-olivier.moysan@foss.st.com Signed-off-by: Mark Brown commit c48a4497356f701f94f1951626637ae240af909e Author: Arnd Bergmann Date: Wed Nov 13 18:57:13 2024 +0100 ASoC: sma1307: fix uninitialized variable refence When firmware loading is disabled, gcc warns that the local 'fw' variable fails to get initialized: sound/soc/codecs/sma1307.c: In function 'sma1307_setting_loaded.isra': sound/soc/codecs/sma1307.c:1717:12: error: 'fw' is used uninitialized [-Werror=uninitialized] 1717 | if (!fw) { | ^ sound/soc/codecs/sma1307.c:1712:32: note: 'fw' was declared here 1712 | const struct firmware *fw; Check the return code from request_firmware() to ensure that the firmware is correctly set, and drop the incorrect release_firmware() on that uninitialized data. Fixes: 576c57e6b4c1 ("ASoC: sma1307: Add driver for Iron Device SMA1307") Signed-off-by: Arnd Bergmann Link: https://patch.msgid.link/20241113175734.2443315-1-arnd@kernel.org Signed-off-by: Mark Brown commit 7ca93aa9204b706e4afcd4fae0dc8798500598d5 Author: zhang jiao Date: Mon Sep 30 09:27:57 2024 +0800 selftests/powerpc: Remove the path after initialization. If there were no anamolies noted, then we can simply remove the log file and return, but only after the path variable has been initialized. Signed-off-by: zhang jiao Reviewed-by: Ritesh Harjani (IBM) Signed-off-by: Michael Ellerman Link: https://patch.msgid.link/20240930012757.2395-1-zhangjiao2@cmss.chinamobile.com commit b0c49466043a4878d8ef1263a4c9020698958a4c Author: Florian Westphal Date: Wed Nov 13 16:35:52 2024 +0100 netfilter: nf_tables: switch trans_elem to real flex array When queueing a set element add or removal operation to the transaction log, check if the previous operation already asks for a the identical operation on the same set. If so, store the element reference in the preceding operation. This significantlty reduces memory consumption when many set add/delete operations appear in a single transaction. Example: 10k elements require 937kb of memory (10k allocations from kmalloc-96 slab). Assuming we can compact 4 elements in the same set, 468 kbytes are needed (64 bytes for base struct, nft_trans_elemn, 32 bytes for nft_trans_one_elem structure, so 2500 allocations from kmalloc-192 slab). For large batch updates we can compact up to 62 elements into one single nft_trans_elem structure (~65% mem reduction): (64 bytes for base struct, nft_trans_elem, 32 byte for nft_trans_one_elem struct). We can halve size of nft_trans_one_elem struct by moving timeout/expire/update_flags into a dynamically allocated structure, this allows to store 124 elements in a 2k slab nft_trans_elem struct. This is done in a followup patch. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso commit 466c9b3b2a92602360e9fa25943b8aa191122dfc Author: Florian Westphal Date: Wed Nov 13 16:35:51 2024 +0100 netfilter: nf_tables: prepare nft audit for set element compaction nftables audit log format emits the number of added/deleted rules, sets, set elements and so on, to userspace: table=t1 family=2 entries=4 op=nft_register_set ~~~~~~~~~ At this time, the 'entries' key is the number of transactions that will be applied. The upcoming set element compression will coalesce subsequent adds/deletes to the same set requests in the same transaction request to conseve memory. Without this patch, we'd under-report the number of altered elements. Increment the audit counter by the number of elements to keep the reported entries value the same. Without this, nft_audit.sh selftest fails because the recorded (expected) entries key is smaller than the expected one. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso commit a8ee6b900c147d3bedced6c52ba6cb603226aaa3 Author: Florian Westphal Date: Wed Nov 13 16:35:50 2024 +0100 netfilter: nf_tables: prepare for multiple elements in nft_trans_elem structure Add helpers to release the individual elements contained in the trans_elem container structure. No functional change intended. Followup patch will add 'nelems' member and will turn 'priv' into a flexible array. These helpers can then loop over all elements. Care needs to be taken to handle a mix of new elements and existing elements that are being updated (e.g. timeout refresh). Before this patch, NEWSETELEM transaction with update is released early so nft_trans_set_elem_destroy() won't get called, so we need to skip elements marked as update. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso commit 4ee29181216d2acb7be210126324ec3bc0e3bd01 Author: Florian Westphal Date: Wed Nov 13 16:35:49 2024 +0100 netfilter: nf_tables: add nft_trans_commit_list_add_elem helper Add and use a wrapper to append trans_elem structures to the transaction log. Unlike the existing helper, pass a gfp_t to indicate if sleeping is allowed. This will be used by a followup patch to realloc nft_trans_elem structures after they gain a flexible array member to reduce number of such container structures on the transaction list. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso commit 8340b0056ac723d04918573761b5d8f979d15a75 Author: Simon Horman Date: Mon Nov 11 14:47:51 2024 +0000 netfilter: bpf: Pass string literal as format argument of request_module() Both gcc-14 and clang-18 report that passing a non-string literal as the format argument of request_module() is potentially insecure. E.g. clang-18 says: .../nf_bpf_link.c:46:24: warning: format string is not a string literal (potentially insecure) [-Wformat-security] 46 | err = request_module(mod); | ^~~ .../kmod.h:25:55: note: expanded from macro 'request_module' 25 | #define request_module(mod...) __request_module(true, mod) | ^~~ .../nf_bpf_link.c:46:24: note: treat the string as an argument to avoid this 46 | err = request_module(mod); | ^ | "%s", .../kmod.h:25:55: note: expanded from macro 'request_module' 25 | #define request_module(mod...) __request_module(true, mod) | ^ It is always the case where the contents of mod is safe to pass as the format argument. That is, in my understanding, it never contains any format escape sequences. But, it seems better to be safe than sorry. And, as a bonus, compiler output becomes less verbose by addressing this issue as suggested by clang-18. Compile tested only. Signed-off-by: Simon Horman Reviewed-by: Toke Høiland-Jørgensen Signed-off-by: Pablo Neira Ayuso commit 07db6d5e12bbc2d698ca01113b0db62bc7b80e3f Merge: de35b06bf15cb5 2ae6da569e34e1 Author: Mark Brown Date: Thu Nov 14 11:39:47 2024 +0000 ASoC: Merge up fixes Needed for new Intel board file changes. commit 3f5495962824fbef3b9a577ccd9b02f967452c11 Author: Donald Hunter Date: Fri Nov 1 14:32:07 2024 +0000 netfilter: nfnetlink: Report extack policy errors for batched ops The nftables batch processing does not currently populate extack with policy errors. Fix this by passing extack when parsing batch messages. Signed-off-by: Donald Hunter Reviewed-by: Simon Horman Signed-off-by: Pablo Neira Ayuso commit 3b7e11a0116c30848d44429650ad80f9cc3bd963 Author: Hendrik v. Raven Date: Thu Nov 14 12:01:26 2024 +0100 ASoC: dt-bindings: simple-mux: add idle-state property simple-mux immediately activates the new output, even when it is powered down. This can be undesirable in some cases, for example when a mechanical relais is used. Adds "idle-state" property from the mux controller to select the output state to be used when the mux is powered down. Signed-off-by: Hendrik v. Raven Link: https://patch.msgid.link/20241114-simple-mux-idle-state-v2-2-a30cb37d2be2@merzmedtech.de Signed-off-by: Mark Brown commit 2b974284aa073d6e2936f9032e8ad7b99480b5b8 Author: Hendrik v. Raven Date: Thu Nov 14 12:01:25 2024 +0100 ASoc: simple-mux: add idle-state support So far the mux changes it state immediately, even when not in use. Allow overriding this behaviour by specifying an optional idle-state. This state is used whenever the mux is powered down, only switching to the selected state on power up. If unspecified it defaults to as-is, maintaining the previous behaviour. Signed-off-by: Hendrik v. Raven Link: https://patch.msgid.link/20241114-simple-mux-idle-state-v2-1-a30cb37d2be2@merzmedtech.de Signed-off-by: Mark Brown commit b196db2f536645eda7684655f3fae913e33fda4b Author: Mukesh Kumar Chaurasiya Date: Fri Oct 25 00:42:33 2024 +0530 powerpc/xmon: symbol lookup length fixed Currently this cannot lookup symbol beyond 64 characters in some cases like "ls", "lp" and "t" Fix this by using KSYM_NAME_LEN instead of fixed 64 characters Signed-off-by: Mukesh Kumar Chaurasiya Signed-off-by: Michael Ellerman Link: https://patch.msgid.link/20241024191232.1570894-2-mchauras@linux.ibm.com commit bfd9c145533ba9cb6f504670aa8e75542c8ee54f Author: Simon Horman Date: Mon Oct 14 11:55:03 2024 +0100 powerpc/ep8248e: Use %pa to format resource_size_t The correct format string for resource_size_t is %pa which acts on the address of the variable to be formatted [1]. [1] https://elixir.bootlin.com/linux/v6.11.3/source/Documentation/core-api/printk-formats.rst#L229 Introduced by commit 9d9326d3bc0e ("phy: Change mii_bus id field to a string") Flagged by gcc-14 as: arch/powerpc/platforms/82xx/ep8248e.c: In function 'ep8248e_mdio_probe': arch/powerpc/platforms/82xx/ep8248e.c:131:46: warning: format '%x' expects argument of type 'unsigned int', but argument 4 has type 'resource_size_t' {aka 'long long unsigned int'} [-Wformat=] 131 | snprintf(bus->id, MII_BUS_ID_SIZE, "%x", res.start); | ~^ ~~~~~~~~~ | | | | | resource_size_t {aka long long unsigned int} | unsigned int | %llx No functional change intended. Compile tested only. Reported-by: Geert Uytterhoeven Link: https://lore.kernel.org/netdev/711d7f6d-b785-7560-f4dc-c6aad2cce99@linux-m68k.org/ Signed-off-by: Simon Horman Signed-off-by: Michael Ellerman Link: https://patch.msgid.link/20241014-ep8248e-pa-fmt-v1-1-009ea0dcc18f@kernel.org commit 276e036e5844116e563fa90f676c625bb742cc57 Author: Julia Lawall Date: Mon Sep 30 13:20:57 2024 +0200 powerpc/ps3: Reorganize kerneldoc parameter names Reorganize kerneldoc parameter names to match the parameter order in the function header. Problems identified using Coccinelle. Signed-off-by: Julia Lawall Reviewed-by: Geert Uytterhoeven Acked-by: Geoff Levand Signed-off-by: Michael Ellerman Link: https://patch.msgid.link/20240930112121.95324-12-Julia.Lawall@inria.fr commit a8aaea4f6e1a33614854414ad37144f6eb61c6aa Merge: 1a1030d10a6335 00e2c199cb3780 Author: Rafael J. Wysocki Date: Thu Nov 14 12:23:32 2024 +0100 Merge back cpufreq material for 6.13 commit 590d2f9347f7974d7954400e5d937672fd844a8b Author: Kajol Jain Date: Thu Nov 14 14:20:20 2024 +0530 KVM: PPC: Book3S HV: Fix kmv -> kvm typo Fix typo in the following kvm function names from: kmvhv_counters_tracepoint_regfunc -> kvmhv_counters_tracepoint_regfunc kmvhv_counters_tracepoint_unregfunc -> kvmhv_counters_tracepoint_unregfunc Fixes: e1f288d2f9c6 ("KVM: PPC: Book3S HV nestedv2: Add support for reading VPA counters for pseries guests") Reported-by: Madhavan Srinivasan Reviewed-by: Ritesh Harjani (IBM) Reviewed-by: Amit Machhiwal Signed-off-by: Kajol Jain Signed-off-by: Michael Ellerman Link: https://patch.msgid.link/20241114085020.1147912-1-kjain@linux.ibm.com commit 1c426fd09ca85fb77f120f7933e39eb9df99a39a Author: Rafael J. Wysocki Date: Sun Nov 10 14:06:01 2024 +0100 thermal: testing: Use DEFINE_FREE() and __free() to simplify code Use DEFINE_FREE() to define a __free function for dropping thermal zone template reference counters and use it along with __free() to simplify code in some places. No intentional functional impact. Signed-off-by: Rafael J. Wysocki Link: https://patch.msgid.link/4628747.LvFx2qVVIh@rjwysocki.net [ rjw: Add variable initialization to address compiler warning ] Signed-off-by: Rafael J. Wysocki commit 9e1a6db68e3ccc5c20fd2d6243285d1cc7215fe4 Author: Daniel Yang Date: Wed Nov 13 01:20:58 2024 -0800 xfrm: replace deprecated strncpy with strscpy_pad The function strncpy is deprecated since it does not guarantee the destination buffer is NULL terminated. Recommended replacement is strscpy. The padded version was used to remain consistent with the other strscpy_pad usage in the modified function. Signed-off-by: Daniel Yang Signed-off-by: Steffen Klassert commit 48730a9d04ffccda541602d722d1ff81920a85d8 Author: Igor Pylypiv Date: Fri Nov 8 00:15:42 2024 +0000 i2c: dev: Fix memory leak when underlying adapter does not support I2C Early return in i2cdev_ioctl_rdwr() failed to free the memory allocated by the caller. Move freeing the memory to the function where it has been allocated to prevent similar leaks in the future. Fixes: 97ca843f6ad3 ("i2c: dev: Check for I2C_FUNC_I2C before calling i2c_transfer") Signed-off-by: Igor Pylypiv [wsa: replaced '== NULL' with '!'] Signed-off-by: Wolfram Sang commit faa62440a5772b40bb7d78bf9e29556a82ecf153 Author: Feng Fang Date: Tue Nov 12 13:55:53 2024 +0800 RDMA/hns: Fix different dgids mapping to the same dip_idx DIP algorithm requires a one-to-one mapping between dgid and dip_idx. Currently a queue 'spare_idx' is used to store QPN of QPs that use DIP algorithm. For a new dgid, use a QPN from spare_idx as dip_idx. This method lacks a mechanism for deduplicating QPN, which may result in different dgids sharing the same dip_idx and break the one-to-one mapping requirement. This patch replaces spare_idx with xarray and introduces a refcnt of a dip_idx to indicate the number of QPs that using this dip_idx. The state machine for dip_idx management is implemented as: * The entry at an index in xarray is empty -- This indicates that the corresponding dip_idx hasn't been created. * The entry at an index in xarray is not empty but with 0 refcnt -- This indicates that the corresponding dip_idx has been created but not used as dip_idx yet. * The entry at an index in xarray is not empty and with non-0 refcnt -- This indicates that the corresponding dip_idx is being used by refcnt number of DIP QPs. Fixes: eb653eda1e91 ("RDMA/hns: Bugfix for incorrect association between dip_idx and dgid") Fixes: f91696f2f053 ("RDMA/hns: Support congestion control type selection according to the FW") Signed-off-by: Feng Fang Signed-off-by: Junxian Huang Link: https://patch.msgid.link/20241112055553.3681129-1-huangjunxian6@hisilicon.com Signed-off-by: Leon Romanovsky commit 9fed2c0f2f0771b990d068ef0a2b32e770ae6d48 Author: Jeff Layton Date: Wed Nov 13 09:17:51 2024 -0500 fs: reduce pointer chasing in is_mgtime() test The is_mgtime test checks whether the FS_MGTIME flag is set in the fstype. To get there from the inode though, we have to dereference 3 pointers. Add a new IOP_MGTIME flag, and have inode_init_always() set that flag when the fstype flag is set. Then, make is_mgtime test for IOP_MGTIME instead. Signed-off-by: Jeff Layton Link: https://lore.kernel.org/r/20241113-mgtime-v1-1-84e256980e11@kernel.org Reviewed-by: Jan Kara Signed-off-by: Christian Brauner commit 22293c33738c14bb84b9d3e771bc37150e7cf8e7 Author: Geert Uytterhoeven Date: Tue Nov 12 19:39:37 2024 +0100 dma-mapping: save base/size instead of pointer to shared DMA pool On RZ/Five, which is non-coherent, and uses CONFIG_DMA_GLOBAL_POOL=y: Oops - store (or AMO) access fault [#1] CPU: 0 UID: 0 PID: 1 Comm: swapper Not tainted 6.12.0-rc1-00015-g8a6e02d0c00e #201 Hardware name: Renesas SMARC EVK based on r9a07g043f01 (DT) epc : __memset+0x60/0x100 ra : __dma_alloc_from_coherent+0x150/0x17a epc : ffffffff8062d2bc ra : ffffffff80053a94 sp : ffffffc60000ba20 gp : ffffffff812e9938 tp : ffffffd601920000 t0 : ffffffc6000d0000 t1 : 0000000000000000 t2 : ffffffffe9600000 s0 : ffffffc60000baa0 s1 : ffffffc6000d0000 a0 : ffffffc6000d0000 a1 : 0000000000000000 a2 : 0000000000001000 a3 : ffffffc6000d1000 a4 : 0000000000000000 a5 : 0000000000000000 a6 : ffffffd601adacc0 a7 : ffffffd601a841a8 s2 : ffffffd6018573c0 s3 : 0000000000001000 s4 : ffffffd6019541e0 s5 : 0000000200000022 s6 : ffffffd6018f8410 s7 : ffffffd6018573e8 s8 : 0000000000000001 s9 : 0000000000000001 s10: 0000000000000010 s11: 0000000000000000 t3 : 0000000000000000 t4 : ffffffffdefe62d1 t5 : 000000001cd6a3a9 t6 : ffffffd601b2aad6 status: 0000000200000120 badaddr: ffffffc6000d0000 cause: 0000000000000007 [] __memset+0x60/0x100 [] dma_alloc_from_global_coherent+0x1c/0x28 [] dma_direct_alloc+0x98/0x112 [] dma_alloc_attrs+0x78/0x86 [] rz_dmac_probe+0x3f6/0x50a [] platform_probe+0x4c/0x8a If CONFIG_DMA_GLOBAL_POOL=y, the reserved_mem structure passed to rmem_dma_setup() is saved for later use, by saving the passed pointer. However, when dma_init_reserved_memory() is called later, the pointer has become stale, causing a crash. E.g. in the RZ/Five case, the referenced memory now contains the reserved_mem structure for the "mmode_resv0@30000" node (with base 0x30000 and size 0x10000), instead of the correct "pma_resv0@58000000" node (with base 0x58000000 and size 0x8000000). Fix this by saving the needed reserved_mem structure's contents instead. Fixes: 8a6e02d0c00e7b62 ("of: reserved_mem: Restructure how the reserved memory regions are processed") Signed-off-by: Geert Uytterhoeven Reviewed-by: Oreoluwa Babatunde Tested-by: Lad Prabhakar Signed-off-by: Christoph Hellwig commit 45c9faf50665812a14fc9b40ab9d6cb893792ffd Author: Mateusz Guzik Date: Wed Nov 13 16:51:03 2024 +0100 vfs: make evict() use smp_mb__after_spinlock instead of smp_mb It literally directly follows a spin_lock() call. This whacks an explicit barrier on x86-64. Signed-off-by: Mateusz Guzik Link: https://lore.kernel.org/r/20241113155103.4194099-1-mjguzik@gmail.com Reviewed-by: Jan Kara Signed-off-by: Christian Brauner commit 2c47e7a74f445426d156278e339b7abb259e50de Author: Colton Lewis Date: Wed Nov 13 19:01:55 2024 +0000 perf/core: Correct perf sampling with guest VMs Previously any PMU overflow interrupt that fired while a VCPU was loaded was recorded as a guest event whether it truly was or not. This resulted in nonsense perf recordings that did not honor perf_event_attr.exclude_guest and recorded guest IPs where it should have recorded host IPs. Rework the sampling logic to only record guest samples for events with exclude_guest = 0. This way any host-only events with exclude_guest set will never see unexpected guest samples. The behaviour of events with exclude_guest = 0 is unchanged. Note that events configured to sample both host and guest may still misattribute a PMI that arrived in the host as a guest event depending on KVM arch and vendor behavior. Signed-off-by: Colton Lewis Signed-off-by: Ingo Molnar Reviewed-by: Oliver Upton Acked-by: Mark Rutland Acked-by: Kan Liang Cc: Peter Zijlstra Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Alexander Shishkin Cc: Namhyung Kim Link: https://lore.kernel.org/r/20241113190156.2145593-6-coltonlewis@google.com commit baff01f3d75ff3948a0465853dcaa71c394c5c46 Author: Colton Lewis Date: Wed Nov 13 19:01:54 2024 +0000 perf/x86: Refactor misc flag assignments Break the assignment logic for misc flags into their own respective functions to reduce the complexity of the nested logic. Signed-off-by: Colton Lewis Signed-off-by: Ingo Molnar Reviewed-by: Oliver Upton Acked-by: Kan Liang Link: https://lore.kernel.org/r/20241113190156.2145593-5-coltonlewis@google.com commit 3e807cf07d96eedb57d91a91f611f828e8918aab Author: Colton Lewis Date: Wed Nov 13 19:01:53 2024 +0000 perf/powerpc: Use perf_arch_instruction_pointer() Make sure PowerPC uses the arch-specific function now that those have been reorganized. Signed-off-by: Colton Lewis Signed-off-by: Ingo Molnar Reviewed-by: Oliver Upton Acked-by: Madhavan Srinivasan Link: https://lore.kernel.org/r/20241113190156.2145593-4-coltonlewis@google.com commit 04782e63917dbcb60932fe93df52c4a4e3859d07 Author: Colton Lewis Date: Wed Nov 13 19:01:52 2024 +0000 perf/core: Hoist perf_instruction_pointer() and perf_misc_flags() For clarity, rename the arch-specific definitions of these functions to perf_arch_* to denote they are arch-specifc. Define the generic-named functions in one place where they can call the arch-specific ones as needed. Signed-off-by: Colton Lewis Signed-off-by: Ingo Molnar Reviewed-by: Oliver Upton Acked-by: Thomas Richter Acked-by: Mark Rutland Acked-by: Madhavan Srinivasan Acked-by: Kan Liang Link: https://lore.kernel.org/r/20241113190156.2145593-3-coltonlewis@google.com commit e33ed362cf9e35db6082f7a776b7e8d557407e19 Author: Colton Lewis Date: Wed Nov 13 19:01:51 2024 +0000 perf/arm: Drop unused functions For ARM's implementation, perf_instruction_pointer() and perf_misc_flags() are equivalent to the generic versions in include/linux/perf_event.h so arch/arm doesn't need to provide its own versions. Drop them here. Signed-off-by: Colton Lewis Signed-off-by: Ingo Molnar Reviewed-by: Oliver Upton Acked-by: Will Deacon Link: https://lore.kernel.org/r/20241113190156.2145593-2-coltonlewis@google.com commit 433c6916628e5e2ba47e618d96c23e8a9c5a6b9e Merge: 397295d1be753c 339cb28b9ee667 Author: Wolfram Sang Date: Thu Nov 14 10:37:04 2024 +0100 Merge tag 'at24-updates-for-v6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux into i2c/for-mergewindow at24 updates for v6.13-rc1 - add support for the lockable page on ST M24256E commit 397295d1be753cf0c798cacba0f8083413641dc1 Author: Christophe JAILLET Date: Tue Nov 12 22:01:00 2024 +0100 Documentation: i2c: Constify struct i2c_device_id Constify the i2c_device_id structure in the doc to give a cleaner starting point. Also remove an empty line which is usually not added. Signed-off-by: Christophe JAILLET Signed-off-by: Wolfram Sang commit cb3daa51db819a172e9524e96e2ed96b4237e51a Author: Herve Codina Date: Tue Nov 5 15:56:23 2024 +0100 soc: fsl: cpm1: qmc: Set the ret error code on platform_get_irq() failure A kernel test robot detected a missing error code: qmc.c:1942 qmc_probe() warn: missing error code 'ret' Indeed, the error returned by platform_get_irq() is checked and the operation is aborted in case of failure but the ret error code is not set in that case. Set the ret error code. Reported-by: kernel test robot Reported-by: Dan Carpenter Closes: https://lore.kernel.org/r/202411051350.KNy6ZIWA-lkp@intel.com/ Fixes: 3178d58e0b97 ("soc: fsl: cpm1: Add support for QMC") Cc: stable@vger.kernel.org Signed-off-by: Herve Codina Link: https://lore.kernel.org/r/20241105145623.401528-1-herve.codina@bootlin.com Signed-off-by: Christophe Leroy commit c9f1efabf8e3b3ff886a42669f7093789dbeca94 Author: Javier Carrasco Date: Sun Oct 13 15:29:17 2024 +0200 soc: fsl: rcpm: fix missing of_node_put() in copy_ippdexpcr1_setting() of_find_compatible_node() requires a call to of_node_put() when the pointer to the node is not required anymore to decrement its refcount and avoid leaking memory. Add the missing call to of_node_put() after the node has been used. Cc: stable@vger.kernel.org Fixes: e95f287deed2 ("soc: fsl: handle RCPM errata A-008646 on SoC LS1021A") Signed-off-by: Javier Carrasco Link: https://lore.kernel.org/r/20241013-rcpm-of_node_put-v1-1-9a8e55a01eae@gmail.com Signed-off-by: Christophe Leroy commit 844d098b6f33666ff544f18d7a256a46fe19328d Author: Javier Carrasco Date: Wed Oct 2 22:21:51 2024 +0200 soc: fsl: cpm1: tsa: switch to for_each_available_child_of_node_scoped() The non-scoped variant of this macro turns error-prone as soon as error paths are included, because explicit calls to of_node_put() are required to avoid leaking memory. Using its scoped counterpart simplifies the code by removing the need of explicit calls to of_node_put(), as they are automatically triggered as soon as the child node goes out of scope. Moreover, it is more robust as it accounts for new error paths without having to worry about decrementing the object's refcount. Note that the device_node is declared within the macro, and its explicit declaration can be dropped as well if it is not used anywhere else. Signed-off-by: Javier Carrasco Acked-by: Herve Codina Link: https://lore.kernel.org/r/20241002-tsa-scoped-v1-1-ba6a6d657f82@gmail.com Signed-off-by: Christophe Leroy commit 9d287e70c51f1c141ac588add261ed2efdd6fc6b Author: Everest K.C Date: Tue Nov 12 16:36:06 2024 -0700 xfrm: Add error handling when nla_put_u32() returns an error Error handling is missing when call to nla_put_u32() fails. Handle the error when the call to nla_put_u32() returns an error. The error was reported by Coverity Scan. Report: CID 1601525: (#1 of 1): Unused value (UNUSED_VALUE) returned_value: Assigning value from nla_put_u32(skb, XFRMA_SA_PCPU, x->pcpu_num) to err here, but that stored value is overwritten before it can be used Fixes: 1ddf9916ac09 ("xfrm: Add support for per cpu xfrm state handling.") Signed-off-by: Everest K.C. Reviewed-by: Simon Horman Reviewed-by: Przemek Kitszel Signed-off-by: Steffen Klassert commit 84147f4e84c4f4822006161c5ad43612ac906407 Author: Seamus Connor Date: Thu Nov 14 06:29:22 2024 +0100 configfs: improve item creation performance As the size of a directory increases item creation slows down. Optimizing access to s_children removes this bottleneck. dirents are already pinned into the cache, there is no need to scan the s_children list looking for duplicate Items. The configfs_dirent_exists check is moved to a location where it is called only during subsystem initialization. d_lookup will only need to call configfs_lookup in the case where the item in question is not pinned to dcache. The only items not pinned to dcache are attributes. These are placed at the front of the s_children list, whilst pinned items are inserted at the back. configfs_lookup stops scanning when it encounters the first pinned entry in s_children. The assumption of the above optimizations is that there will be few attributes, but potentially many Items in a given directory. Signed-off-by: Seamus Connor Reviewed-by: Joel Becker Signed-off-by: Christoph Hellwig commit 8312c879e10cd2c29739f875a9f743db13a583b5 Author: Dr. David Alan Gilbert Date: Thu Oct 10 21:56:55 2024 +0100 configfs: remove unused configfs_hash_and_remove configfs_hash_and_remove() has been unused since it was added in 2005 by commit 7063fbf22611 ("[PATCH] configfs: User-driven configuration filesystem") Remove it. Signed-off-by: Dr. David Alan Gilbert Signed-off-by: Christoph Hellwig commit dd690b31de0ed46adc5856698880560b900386ba Author: Charles Keepax Date: Tue Nov 12 12:56:46 2024 +0000 soundwire: Minor formatting fixups in sdw.h header Fixup some minor formatting and whitespace in the sdw.h header file. Signed-off-by: Charles Keepax Link: https://lore.kernel.org/r/20241112125646.590240-2-ckeepax@opensource.cirrus.com Signed-off-by: Vinod Koul commit e311b04db66aaed1819bdd479d42c4f338f105b9 Author: Charles Keepax Date: Tue Nov 12 12:56:45 2024 +0000 soundwire: Update the includes on the sdw.h header There are quite a few things used in the sdw.h header that it relies on the consumer to include. If something is used directly in the header it should be included by the header. Update the includes to cover the missing items, or add forward declarations for things that are only used as pointers. Whilst making the change also alphabetise the list of includes. Signed-off-by: Charles Keepax Link: https://lore.kernel.org/r/20241112125646.590240-1-ckeepax@opensource.cirrus.com Signed-off-by: Vinod Koul commit a71c69f51d1119db5f7812b35f16e8ef7786b3f2 Merge: 1975aa0d76e39d 16220cb315a0a1 Author: Jakub Kicinski Date: Wed Nov 13 19:55:02 2024 -0800 Merge branch 'net-dsa-microchip-add-lan9646-switch-support' Tristram Ha says: ==================== net: dsa: microchip: Add LAN9646 switch support This series of patches is to add LAN9646 switch support to the KSZ DSA driver. ==================== Link: https://patch.msgid.link/20241109015705.82685-1-Tristram.Ha@microchip.com Signed-off-by: Jakub Kicinski commit 16220cb315a0a10d2a003d9af534988686e675ea Author: Tristram Ha Date: Fri Nov 8 17:57:05 2024 -0800 net: dsa: microchip: Add LAN9646 switch support to KSZ DSA driver LAN9646 switch is a 6-port switch with functions like KSZ9897. It has 4 internal PHYs and 1 SGMII port. The chip id read from hardware is same as KSZ9477, so software driver needs to create a new chip id and group allowable functions under its chip data structure to differentiate the product. Signed-off-by: Tristram Ha Link: https://patch.msgid.link/20241109015705.82685-3-Tristram.Ha@microchip.com Signed-off-by: Jakub Kicinski commit 3a371e10521de2e98f5e264a27b5af3d231b4261 Author: Tristram Ha Date: Fri Nov 8 17:57:04 2024 -0800 dt-bindings: net: dsa: microchip: Add LAN9646 switch support LAN9646 switch is a 6-port switch with functions like KSZ9897. It has 4 internal PHYs and 1 SGMII port. Signed-off-by: Tristram Ha Acked-by: Krzysztof Kozlowski Link: https://patch.msgid.link/20241109015705.82685-2-Tristram.Ha@microchip.com Signed-off-by: Jakub Kicinski commit a26c4dbb3d9c1821cb0fc11cb2dbc32d5bf3463b Author: Michal Suchanek Date: Tue Oct 1 15:03:49 2024 +0200 powerpc/sstep: make emulate_vsx_load and emulate_vsx_store static These functions are not used outside of sstep.c Fixes: 350779a29f11 ("powerpc: Handle most loads and stores in instruction emulation code") Signed-off-by: Michal Suchanek Signed-off-by: Michael Ellerman Link: https://patch.msgid.link/20241001130356.14664-1-msuchanek@suse.de commit 1975aa0d76e39d7e9c5a9594fa461dfb28352005 Merge: 3bf8163a36adb5 b818268d92503c Author: Jakub Kicinski Date: Wed Nov 13 18:52:16 2024 -0800 Merge branch 'support-external-snapshots-on-dwmac1000' Maxime Chevallier says: ==================== Support external snapshots on dwmac1000 The main change since v3 is the move of the fifo flush wait in the ptp_clock_info enable() function within the mutex that protects the ptp registers. Thanks Jakub and Paolo for spotting this. This series also aggregates Daniel's reviews, except for the patch 4 which was modified since then. This series is another take on the previous work [1] done by Alexis Lothoré, that fixes the support for external snapshots timestamping in GMAC3-based devices. Details on why this is needed are mentionned on the cover [2] from V1. [1]: https://lore.kernel.org/netdev/20230616100409.164583-1-alexis.lothore@bootlin.com/ [2]: https://lore.kernel.org/netdev/20241029115419.1160201-1-maxime.chevallier@bootlin.com/ Link to V1: https://lore.kernel.org/netdev/20241029115419.1160201-1-maxime.chevallier@bootlin.com/ Link to V2: https://lore.kernel.org/netdev/20241104170251.2202270-1-maxime.chevallier@bootlin.com/ Link to V3: https://lore.kernel.org/netdev/20241106090331.56519-1-maxime.chevallier@bootlin.com/ ==================== Link: https://patch.msgid.link/20241112170658.2388529-1-maxime.chevallier@bootlin.com Signed-off-by: Jakub Kicinski commit b818268d92503c41d85e516f8e6dde4fdb34939b Author: Maxime Chevallier Date: Tue Nov 12 18:06:57 2024 +0100 net: stmmac: dwmac_socfpga: This platform has GMAC Indicate that dwmac_socfpga has a gmac. This will make sure that gmac-specific interrupt processing is done, including timestamp interrupt handling. Without this, the external snapshot interrupt is never ack'd and we have an interrupt storm on external snapshot event. Reviewed-by: Daniel Machon Signed-off-by: Maxime Chevallier Link: https://patch.msgid.link/20241112170658.2388529-10-maxime.chevallier@bootlin.com Signed-off-by: Jakub Kicinski commit 62935443214eef45604dd58f0534eb28d235eb83 Author: Maxime Chevallier Date: Tue Nov 12 18:06:56 2024 +0100 net: stmmac: Configure only the relevant bits for timestamping setup The PTP_TCR (Timestamp Control Register) is used to configure several features related to packet timestamping. On one hand, it configures the 1588 packet processing, to indicate what types of frames should be timestamped (all, only 1588v1 or 1588v2, using L2 or L4 timestamping, on IPv4 or IPv6, etc.). This is congfigured usually through the ioctl / ndo dedicated for such setup. This configuration is done by setting some fields in that register, that seem to behave the same way on all dwmac variants, including DWMAC1000. On the other hand, and only on DWMAC1000 apparently, some fields in that register are used to configure external snapshots (bits 24/25). On DWMAC4 and others, these fields are reserved and external snapshots are configured through a dedicated register that simply doesn't seem to exist on DWMAC1000. This configuration is done in the dwmac1000-specific ptp_clock_info ops (cf dwmac1000_ptp_enable()). So to avoid the timestamping configuration interfering with the external snapshots, this commit makes sure that the config_hw_tstamping only configures the relevant bits in PTP_TCR, so that the DWMAC1000 timestamping can correctly rely on these otherwise reserved fields. Reviewed-by: Daniel Machon Signed-off-by: Maxime Chevallier Link: https://patch.msgid.link/20241112170658.2388529-9-maxime.chevallier@bootlin.com Signed-off-by: Jakub Kicinski commit 85cebb7279e8ccbd5f37fb7ae7eae3a56c3f9346 Author: Maxime Chevallier Date: Tue Nov 12 18:06:55 2024 +0100 net: stmmac: Don't include dwmac4 definitions in stmmac_ptp The stmmac_ptp code doesn't need the dwmac4 register definitions, remove the inclusion. Reviewed-by: Daniel Machon Signed-off-by: Maxime Chevallier Link: https://patch.msgid.link/20241112170658.2388529-8-maxime.chevallier@bootlin.com Signed-off-by: Jakub Kicinski commit 774f57d6562d615d887dddfe00fb4d05d48d897b Author: Maxime Chevallier Date: Tue Nov 12 18:06:54 2024 +0100 net: stmmac: Enable timestamping interrupt on dwmac1000 The default configuration for the interrupts on dwmac1000 have the timestamping interrupt masked. Now that the timestamping has been adapted to dwmac1000, enable the timestamping interrupt on these platforms. On dwmac1000, the external snapshot interrupt is configured through a dedicated bit, that is set as reserved on other dwmac variants. The timestaming interrupt is acknowledged by reading the GMAC3_X_TIMESTAMP_STATUS register. Make sure that this interrupt is enabled when snapshot is enabled, and masked when disabled. Reviewed-by: Daniel Machon Signed-off-by: Maxime Chevallier Link: https://patch.msgid.link/20241112170658.2388529-7-maxime.chevallier@bootlin.com Signed-off-by: Jakub Kicinski commit 477c3e1f63638a26cf5debbe3dad5e5929b4c31e Author: Maxime Chevallier Date: Tue Nov 12 18:06:53 2024 +0100 net: stmmac: Introduce dwmac1000 timestamping operations In GMAC3_X, the timestamping configuration differs from GMAC4 in the layout of the registers accessed to grab the number of snapshots in FIFO as well as the register offset to grab the aux snapshot timestamp. Introduce dedicated ops to configure timestamping on dwmac100 and dwmac1000. The latency correction doesn't seem to exist on GMAC3, so its corresponding operation isn't populated. Reviewed-by: Daniel Machon Signed-off-by: Maxime Chevallier Link: https://patch.msgid.link/20241112170658.2388529-6-maxime.chevallier@bootlin.com Signed-off-by: Jakub Kicinski commit 8e7620726beb800d6806dbe7bf0b8cc13c1feb97 Author: Maxime Chevallier Date: Tue Nov 12 18:06:52 2024 +0100 net: stmmac: Introduce dwmac1000 ptp_clock_info and operations The PTP configuration for GMAC3_X differs from the other implementations in several ways : - There's only one external snapshot trigger - The snapshot configuration is done through the PTP_TCR register, whereas the other dwmac variants have a dedicated ACR (auxiliary control reg) for that purpose - The layout for the PTP_TCR register also differs, as bits 24/25 are used for the snapshot configuration. These bits are reserved on other variants. On GMAC3_X, we also can't discover the number of snapshot triggers automatically. The GMAC3_X has one PPS output, however it's configuration isn't supported yet so report 0 n_per_out for now. Introduce a dedicated set of ptp_clock_info ops and configuration parameters to reflect these differences specific to GMAC3_X. This was tested on dwmac_socfpga. Signed-off-by: Maxime Chevallier Link: https://patch.msgid.link/20241112170658.2388529-5-maxime.chevallier@bootlin.com Signed-off-by: Jakub Kicinski commit 0bfd0afc746c3531c5ac716edca3899e907e54df Author: Maxime Chevallier Date: Tue Nov 12 18:06:51 2024 +0100 net: stmmac: Only update the auto-discovered PTP clock features Some DWMAC variants such as dwmac1000 don't support discovering the number of output pps and auxiliary snapshots. Allow these parameters to be defined in default ptp_clock_info, and let them be updated only when the feature discovery yielded a result. Reviewed-by: Daniel Machon Signed-off-by: Maxime Chevallier Link: https://patch.msgid.link/20241112170658.2388529-4-maxime.chevallier@bootlin.com Signed-off-by: Jakub Kicinski commit 13e908800c0d5b0177cc2915519fc8b512925bb8 Author: Maxime Chevallier Date: Tue Nov 12 18:06:50 2024 +0100 net: stmmac: Use per-hw ptp clock ops The auxiliary snapshot configuration was found to differ depending on the dwmac version. To prepare supporting this, allow specifying the ptp_clock_info ops in the hwif array Reviewed-by: Daniel Machon Signed-off-by: Maxime Chevallier Link: https://patch.msgid.link/20241112170658.2388529-3-maxime.chevallier@bootlin.com Signed-off-by: Jakub Kicinski commit 80dc1ff787a9f9d124445574bc40f45849ba7f41 Author: Maxime Chevallier Date: Tue Nov 12 18:06:49 2024 +0100 net: stmmac: Don't modify the global ptp ops directly The stmmac_ptp_clock_ops are copied into the stmmac_priv structure before being registered to the PTP core. Some adjustments are made prior to that, such as the number of snapshots or max adjustment parameters. Instead of modifying the global definition, then copying into the local private data, let's first copy then modify the local parameters. Reviewed-by: Daniel Machon Signed-off-by: Maxime Chevallier Link: https://patch.msgid.link/20241112170658.2388529-2-maxime.chevallier@bootlin.com Signed-off-by: Jakub Kicinski commit 3bf8163a36adb550536c0de8ae00685f050edf53 Author: Heiner Kallweit Date: Tue Nov 12 21:33:11 2024 +0100 net: phy: c45: don't use temporary linkmode bitmaps in genphy_c45_ethtool_get_eee genphy_c45_eee_is_active() populates both bitmaps only if it returns successfully. So we can avoid the overhead of the temporary bitmaps. Signed-off-by: Heiner Kallweit Reviewed-by: Russell King (Oracle) Link: https://patch.msgid.link/b0832102-28ab-4223-b879-91fb1fc11278@gmail.com Signed-off-by: Jakub Kicinski commit 6b998404c71ecff9ebeed343c1ce21f9df3ef131 Author: Heiner Kallweit Date: Tue Nov 12 21:36:29 2024 +0100 net: simplify eeecfg_mac_can_tx_lpi Simplify the function. Signed-off-by: Heiner Kallweit Reviewed-by: Russell King (Oracle) Link: https://patch.msgid.link/f9a4623b-b94c-466c-8733-62057c6d9a17@gmail.com Signed-off-by: Jakub Kicinski commit a8c300ccd2e7441f7209e5ee58918091fedb241f Author: Luo Yifan Date: Wed Nov 13 09:11:42 2024 +0800 ynl: samples: Fix the wrong format specifier Make a minor change to eliminate a static checker warning. The type of s->ifc is unsigned int, so the correct format specifier should be %u instead of %d. Signed-off-by: Luo Yifan Reviewed-by: Simon Horman Link: https://patch.msgid.link/20241113011142.290474-1-luoyifan@cmss.chinamobile.com Signed-off-by: Jakub Kicinski commit f6fa7da1d1edcfc8b952aa0453abe73346aa7dd1 Merge: 5c46638540f087 05a318b4fc13f7 Author: Jakub Kicinski Date: Wed Nov 13 18:43:47 2024 -0800 Merge branch 'tools-ynl-two-patches-to-ease-building-with-rpmbuild' Jan Stancek says: ==================== tools: ynl: two patches to ease building with rpmbuild I'm looking to build and package ynl for Fedora and Centos Stream users. Default rpmbuild has couple hardening options enabled by default [1][2], which currently prevent ynl from building. This series contains 2 small patches to address it. [1] https://fedoraproject.org/wiki/Changes/Harden_All_Packages [2] https://fedoraproject.org/wiki/Changes/PythonSafePath ==================== Link: https://patch.msgid.link/cover.1731399562.git.jstancek@redhat.com Signed-off-by: Jakub Kicinski commit 05a318b4fc13f7eef85e22780a274cb206664533 Author: Jan Stancek Date: Tue Nov 12 09:21:33 2024 +0100 tools: ynl: extend CFLAGS to keep options from environment Package build environments like Fedora rpmbuild introduced hardening options (e.g. -pie -Wl,-z,now) by passing a -spec option to CFLAGS and LDFLAGS. ynl Makefiles currently override CFLAGS but not LDFLAGS, which leads to a mismatch and build failure: CC sample devlink /usr/bin/ld: devlink.o: relocation R_X86_64_32 against symbol `ynl_devlink_family' can not be used when making a PIE object; recompile with -fPIE /usr/bin/ld: failed to set dynamic section sizes: bad value collect2: error: ld returned 1 exit status Extend CFLAGS to support hardening options set by build environment. Signed-off-by: Jan Stancek Acked-by: Jakub Kicinski Reviewed-by: Donald Hunter Link: https://patch.msgid.link/265b2d5d3a6d4721a161219f081058ed47dc846a.1731399562.git.jstancek@redhat.com Signed-off-by: Jakub Kicinski commit c3b3eb565bd773b67d4789bf8a8b164e2b5e03be Author: Jan Stancek Date: Tue Nov 12 09:21:32 2024 +0100 tools: ynl: add script dir to sys.path Python options like PYTHONSAFEPATH or -P [1] do not add script directory to PYTHONPATH. ynl depends on this path to build and run. [1] This option is default for Fedora rpmbuild since introduction of https://fedoraproject.org/wiki/Changes/PythonSafePath Signed-off-by: Jan Stancek Acked-by: Jakub Kicinski Reviewed-by: Donald Hunter Link: https://patch.msgid.link/b26537cdb6e1b24435b50b2ef81d71f31c630bc1.1731399562.git.jstancek@redhat.com Signed-off-by: Jakub Kicinski commit 5c46638540f0874ab3f5a52fbe9de33973fda508 Merge: 31a1f8752f7df7 11597043d74809 Author: Jakub Kicinski Date: Wed Nov 13 18:35:18 2024 -0800 Merge tag 'wireless-next-2024-11-13' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next Kalle Valo says: ==================== wireless-next patches for v6.13 Most likely the last -next pull request for v6.13. Most changes are in Realtek and Qualcomm drivers, otherwise not really anything noteworthy. Major changes: mac80211 * EHT 1024 aggregation size for transmissions ath12k * switch to using wiphy_lock() and remove ar->conf_mutex * firmware coredump collection support * add debugfs support for a multitude of statistics ath11k * dt: document WCN6855 hardware inputs ath9k * remove include/linux/ath9k_platform.h ath5k * Arcadyan ARV45XX AR2417 & Gigaset SX76[23] AR241[34]A support rtw88: * 8821au and 8812au USB adapters support rtw89 * thermal protection * firmware secure boot for WiFi 6 chip * tag 'wireless-next-2024-11-13' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next: (154 commits) Revert "wifi: iwlegacy: do not skip frames with bad FCS" wifi: mac80211: pass MBSSID config by reference wifi: mac80211: Support EHT 1024 aggregation size in TX net: rfkill: gpio: Add check for clk_enable() wifi: brcmfmac: Fix oops due to NULL pointer dereference in brcmf_sdiod_sglist_rw() wifi: Switch back to struct platform_driver::remove() wifi: ipw2x00: libipw_rx_any(): fix bad alignment wifi: brcmfmac: release 'root' node in all execution paths wifi: iwlwifi: mvm: don't call power_update_mac in fast suspend wifi: iwlwifi: s/IWL_MVM_INVALID_STA/IWL_INVALID_STA wifi: iwlwifi: bump minimum API version in BZ/SC to 92 wifi: iwlwifi: move IWL_LMAC_*_INDEX to fw/api/context.h wifi: iwlwifi: be less noisy if the NIC is dead in S3 wifi: iwlwifi: mvm: tell iwlmei when we finished suspending wifi: iwlwifi: allow fast resume on ax200 wifi: iwlwifi: mvm: support new initiator and responder command version wifi: iwlwifi: mvm: use wiphy locked debugfs for low-latency wifi: iwlwifi: mvm: MLO scan upon channel condition degradation wifi: iwlwifi: mvm: support new versions of the wowlan APIs wifi: iwlwifi: mvm: allow always calling iwl_mvm_get_bss_vif() ... ==================== Link: https://patch.msgid.link/20241113172918.A8A11C4CEC3@smtp.kernel.org Signed-off-by: Jakub Kicinski commit 26686db69917399fa30e3b3135360771e90f83ec Author: Gautam Menghani Date: Sat Nov 9 12:02:57 2024 +0530 KVM: PPC: Book3S HV: Avoid returning to nested hypervisor on pending doorbells Commit 6398326b9ba1 ("KVM: PPC: Book3S HV P9: Stop using vc->dpdes") dropped the use of vcore->dpdes for msgsndp / SMT emulation. Prior to that commit, the below code at L1 level (see [1] for terminology) was responsible for setting vc->dpdes for the respective L2 vCPU: if (!nested) { kvmppc_core_prepare_to_enter(vcpu); if (vcpu->arch.doorbell_request) { vc->dpdes = 1; smp_wmb(); vcpu->arch.doorbell_request = 0; } L1 then sent vc->dpdes to L0 via kvmhv_save_hv_regs(), and while servicing H_ENTER_NESTED at L0, the below condition at L0 level made sure to abort and go back to L1 if vcpu->arch.doorbell_request = 1 so that L1 sets vc->dpdes as per above if condition: } else if (vcpu->arch.pending_exceptions || vcpu->arch.doorbell_request || xive_interrupt_pending(vcpu)) { vcpu->arch.ret = RESUME_HOST; goto out; } This worked fine since vcpu->arch.doorbell_request was used more like a flag and vc->dpdes was used to pass around the doorbell state. But after Commit 6398326b9ba1 ("KVM: PPC: Book3S HV P9: Stop using vc->dpdes"), vcpu->arch.doorbell_request is the only variable used to pass around doorbell state. With the plumbing for handling doorbells for nested guests updated to use vcpu->arch.doorbell_request over vc->dpdes, the above "else if" stops doorbells from working correctly as L0 aborts execution of L2 and instead goes back to L1. Remove vcpu->arch.doorbell_request from the above "else if" condition as it is no longer needed for L0 to correctly handle the doorbell status while running L2. [1] Terminology 1. L0 : PowerNV linux running with HV privileges 2. L1 : Pseries KVM guest running on top of L0 2. L2 : Nested KVM guest running on top of L1 Fixes: 6398326b9ba1 ("KVM: PPC: Book3S HV P9: Stop using vc->dpdes") Signed-off-by: Gautam Menghani Signed-off-by: Michael Ellerman Link: https://patch.msgid.link/20241109063301.105289-4-gautam@linux.ibm.com commit 0d3c6b28896f9889c8864dab469e0343a0ad1c0c Author: Gautam Menghani Date: Sat Nov 9 12:02:56 2024 +0530 KVM: PPC: Book3S HV: Stop using vc->dpdes for nested KVM guests commit 6398326b9ba1 ("KVM: PPC: Book3S HV P9: Stop using vc->dpdes") introduced an optimization to use only vcpu->doorbell_request for SMT emulation for Power9 and above guests, but the code for nested guests still relies on the old way of handling doorbells, due to which an L2 guest (see [1]) cannot be booted with XICS with SMT>1. The command to repro this issue is: // To be run in L1 qemu-system-ppc64 \ -drive file=rhel.qcow2,format=qcow2 \ -m 20G \ -smp 8,cores=1,threads=8 \ -cpu host \ -nographic \ -machine pseries,ic-mode=xics -accel kvm Fix the plumbing to utilize vcpu->doorbell_request instead of vcore->dpdes for nested KVM guests on P9 and above. [1] Terminology 1. L0 : PowerNV linux running with HV privileges 2. L1 : Pseries KVM guest running on top of L0 2. L2 : Nested KVM guest running on top of L1 Fixes: 6398326b9ba1 ("KVM: PPC: Book3S HV P9: Stop using vc->dpdes") Signed-off-by: Gautam Menghani Signed-off-by: Michael Ellerman Link: https://patch.msgid.link/20241109063301.105289-3-gautam@linux.ibm.com commit ed351c57432122c4499be4f4aee8711d6fa93f3b Author: Gautam Menghani Date: Sat Nov 9 12:02:55 2024 +0530 Revert "KVM: PPC: Book3S HV Nested: Stop forwarding all HFUs to L1" This reverts commit 7c3ded5735141ff4d049747c9f76672a8b737c49. On PowerNV, when a nested guest tries to use a feature prohibited by HFSCR, the nested hypervisor (L1) should get a H_FAC_UNAVAILABLE trap so that L1 can emulate the feature. But with the change introduced by commit 7c3ded573514 ("KVM: PPC: Book3S HV Nested: Stop forwarding all HFUs to L1") the L1 ends up getting a H_EMUL_ASSIST because of which, the L1 ends up injecting a SIGILL when L2 (nested guest) tries to use doorbells. Reviewed-by: Nicholas Piggin Signed-off-by: Gautam Menghani Signed-off-by: Michael Ellerman Link: https://patch.msgid.link/20241109063301.105289-2-gautam@linux.ibm.com commit d7a82238cb8c77d4ed8cc97cd556c5f3e64bc749 Author: Thomas Weißschuh Date: Wed Nov 13 09:06:58 2024 +0100 powerpc/vdso: Remove unused clockmode asm offsets These offsets are not used anymore, delete them. Fixes: c39b1dcf055d ("powerpc/vdso: Add a page for non-time data") Signed-off-by: Thomas Weißschuh Reviewed-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://patch.msgid.link/20241113-vdso-powerpc-asm-offsets-v1-1-3f7e589f090d@linutronix.de commit 4752e8cde8344cb8673abdefe0dd74e9a2fe23ad Author: Luo Yifan Date: Wed Nov 13 10:31:37 2024 +0800 tools/firewire: Fix several incorrect format specifiers Make a minor change to eliminate static checker warnings. Fix several incorrect format specifiers that misused signed and unsigned versions. Signed-off-by: Luo Yifan Link: https://lore.kernel.org/r/20241113023137.291661-1-luoyifan@cmss.chinamobile.com Signed-off-by: Takashi Sakamoto commit e434e54d3ffcd17eeadfcf3cf434bc1dff36daff Author: Shijith Thotton Date: Mon Nov 11 19:15:11 2024 +0530 PCI: hotplug: Add OCTEON PCI hotplug controller driver Add a PCI hotplug controller driver for the OCTEON PCIe device. The OCTEON PCIe device is a multi-function device where function 0 serves as the PCI hotplug controller. There is an out-of-band management console interface to firmware running on function 0 whereby an administrator can disable functions to save power or enable them with one of several personalities (virtio-net, virtio-crypto, NVMe, etc) for the other functions. Function 0 initiates hotplug events handled by this driver when the other functions are enabled or disabled. +--------------------------------+ | Root Port | +--------------------------------+ | PCIe | +---------------------------------------------------------------+ | OCTEON PCIe Multifunction Device | +---------------------------------------------------------------+ | | | | | | | | +---------------------+ +----------------+ +-----+ +----------------+ | Function 0 | | Function 1 | | ... | | Function 7 | | (Hotplug controller)| | (Hotplug slot) | | | | (Hotplug slot) | +---------------------+ +----------------+ +-----+ +----------------+ | | +-------------------------+ | Controller Firmware | +-------------------------+ The hotplug controller driver enables hotplugging of non-controller functions within the same device. During probing, the driver removes the non-controller functions and registers them as PCI hotplug slots. These slots are added back by the driver, only upon request from the device firmware. The controller uses MSI-X interrupts to notify the host of hotplug events initiated by the OCTEON firmware. Additionally, the driver allows users to enable or disable individual functions via sysfs slot entries, as provided by the PCI hotplug framework. Link: https://lore.kernel.org/r/20241111134523.2796699-1-sthotton@marvell.com Co-developed-by: Vamsi Attunuru Signed-off-by: Vamsi Attunuru Signed-off-by: Shijith Thotton [bhelgaas: use pci_info() when possible] Signed-off-by: Bjorn Helgaas commit a1cc63408f72f038e7aa4b5c735270261daf9691 Merge: 2b7fda346ee8ff d1312c5c06f5cf Author: Arnd Bergmann Date: Thu Nov 14 00:37:41 2024 +0100 Merge tag 'at91-soc-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/at91/linux into soc/dt Microchip AT91 SoC updates for v6.13 It contains: - DT bindings update for the SAM9X7 TCB block * tag 'at91-soc-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/at91/linux: dt-bindings: microchip: atmel,at91rm9200-tcb: add sam9x7 compatible Link: https://lore.kernel.org/r/20241113182050.2176500-3-claudiu.beznea@tuxon.dev Signed-off-by: Arnd Bergmann commit 2b7fda346ee8ff8e7137862f28370ab30a13e487 Merge: bc329f394bbddf 371a47c9a58a13 Author: Arnd Bergmann Date: Thu Nov 14 00:35:44 2024 +0100 Merge tag 'at91-dt-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/at91/linux into soc/dt Microchip AT91 device tree updates for v6.13 It contains: - device tree support for the Microchip SAM9X7 SoC and the Microchip SAM9X75 Curiosity board - enable power monitor support for SAM9X60-EK, SAMA5D2-ICP, SAMA7G45 Curiosity, SAMA7G5-EK boards - updates the uart nodes with missing properties - device tree cleanups * tag 'at91-dt-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/at91/linux: ARM: dts: microchip: sam9x75_curiosity: add sam9x75 curiosity board dt-bindings: arm: add sam9x75 curiosity board ARM: dts: at91: sam9x7: add device tree for SoC ARM: dts: microchip: Rename LED sub nodes name ARM: dts: microchip: Rename the pmic node ARM: dts: microchip: Rename the eeprom nodename ARM: dts: microchip: sama7g5ek: Add power monitor support ARM: dts: microchip: sama7g54_curiosity: Add power monitor support ARM: dts: microchip: sama5d2_icp: Add power monitor support ARM: dts: microchip: sam9x60ek: Add power monitor support ARM: dts: microchip: Unify rng node names ARM: dts: microchip: Add trng labels for all at91 SoCs ARM: dts: microchip: sam9x60: Add missing property atmel,usart-mode Link: https://lore.kernel.org/r/20241113182050.2176500-2-claudiu.beznea@tuxon.dev Signed-off-by: Arnd Bergmann commit 40bcdb12c68dbb6f457deb0adab5008ef61c13d7 Author: Yishai Hadas Date: Wed Nov 13 13:52:00 2024 +0200 vfio/virtio: Enable live migration once VIRTIO_PCI was configured Now that the driver supports live migration, only the legacy IO functionality depends on config VIRTIO_PCI_ADMIN_LEGACY. As part of that we introduce a bool configuration option as a sub menu under the driver's main live migration feature named VIRTIO_VFIO_PCI_ADMIN_LEGACY, to control the legacy IO functionality. This will let users configuring the kernel, know which features from the description might be available in the resulting driver. As of that, move the legacy IO into a separate file to be compiled only once CONFIG_VIRTIO_VFIO_PCI_ADMIN_LEGACY was configured and let the live migration depends only on VIRTIO_PCI. Signed-off-by: Yishai Hadas Link: https://lore.kernel.org/r/20241113115200.209269-8-yishaih@nvidia.com Signed-off-by: Alex Williamson commit 6cea64b1db8885b82c226f9f80c2325f39d9d309 Author: Yishai Hadas Date: Wed Nov 13 13:51:59 2024 +0200 vfio/virtio: Add PRE_COPY support for live migration Add PRE_COPY support for live migration. This functionality may reduce the downtime upon STOP_COPY as of letting the target machine to get some 'initial data' from the source once the machine is still in its RUNNING state and let it prepares itself pre-ahead to get the final STOP_COPY data. As the Virtio specification does not support reading partial or incremental device contexts. This means that during the PRE_COPY state, the vfio-virtio driver reads the full device state. As the device state can be changed and the benefit is highest when the pre copy data closely matches the final data we read it in a rate limiter mode. This means we avoid reading new data from the device for a specified time interval after the last read. With PRE_COPY enabled, we observed a downtime reduction of approximately 70-75% in various scenarios compared to when PRE_COPY was disabled, while keeping the total migration time nearly the same. Signed-off-by: Yishai Hadas Link: https://lore.kernel.org/r/20241113115200.209269-7-yishaih@nvidia.com Signed-off-by: Alex Williamson commit 0bbc82e4ec79df437de49d45c512335d97f9c7ce Author: Yishai Hadas Date: Wed Nov 13 13:51:58 2024 +0200 vfio/virtio: Add support for the basic live migration functionality Add support for basic live migration functionality in VFIO over virtio-net devices, aligned with the virtio device specification 1.4. This includes the following VFIO features: VFIO_MIGRATION_STOP_COPY, VFIO_MIGRATION_P2P. The implementation registers with the VFIO subsystem using vfio_pci_core and then incorporates the virtio-specific logic for the migration process. The migration follows the definitions in uapi/vfio.h and leverages the virtio VF-to-PF admin queue command channel for execution device parts related commands. Additional Notes: ----------------- The kernel protocol between the source and target devices contains a header with metadata, including record size, tag, and flags. The record size allows the target to recognize and read a complete image from the source before passing the device part data. This adheres to the virtio device specification, which mandates that partial device parts cannot be supplied. The tag and flags serve as placeholders for future extensions of the kernel protocol between the source and target, ensuring backward and forward compatibility. Both the source and target comply with the virtio device specification by using a device part object with a unique ID as part of the migration process. Since this resource is limited to a maximum of 255, its lifecycle is confined to periods with an active live migration flow. According to the virtio specification, a device has only two modes: RUNNING and STOPPED. As a result, certain VFIO transitions (i.e., RUNNING_P2P->STOP, STOP->RUNNING_P2P) are treated as no-ops. When transitioning to RUNNING_P2P, the device state is set to STOP, and it will remain STOPPED until the transition out of RUNNING_P2P->RUNNING, at which point it returns to RUNNING. During transition to STOP, the virtio device only stops initiating outgoing requests(e.g. DMA, MSIx, etc.) but still must accept incoming operations. Signed-off-by: Yishai Hadas Link: https://lore.kernel.org/r/20241113115200.209269-6-yishaih@nvidia.com Signed-off-by: Alex Williamson commit a3151e6daaec171b7d46ac79170ec420ad874cae Author: Keith Busch Date: Fri Oct 25 15:27:55 2024 -0700 PCI: Warn if a running device is unaware of reset If a reset is issued to a running device with a driver that didn't register the notification callbacks, the driver may be unaware of this event and have an inconsistent view of the device's state. Log a warning of this event because there's nothing else indicating the event occured, which could be confusing when debugging such situations. Link: https://lore.kernel.org/r/20241025222755.3756162-2-kbusch@meta.com Signed-off-by: Keith Busch Signed-off-by: Bjorn Helgaas Reviewed-by: Amey Narkhede Reviewed-by: Alex Williamson commit 2fa046449a82a7d0f6d9721dd83e348816038444 Author: Keith Busch Date: Fri Oct 25 15:27:54 2024 -0700 PCI: Add 'reset_subordinate' to reset hierarchy below bridge The "bus" and "cxl_bus" reset methods reset a device by asserting Secondary Bus Reset on the bridge leading to the device. These only work if the device is the only device below the bridge. Add a sysfs 'reset_subordinate' attribute on bridges that can assert Secondary Bus Reset regardless of how many devices are below the bridge. This resets all the devices below a bridge in a single command, including the locking and config space save/restore that reset methods normally do. This may be the only way to reset devices that don't support other reset methods (ACPI, FLR, PM reset, etc). Link: https://lore.kernel.org/r/20241025222755.3756162-1-kbusch@meta.com Signed-off-by: Keith Busch [bhelgaas: commit log, add capable(CAP_SYS_ADMIN) check] Signed-off-by: Bjorn Helgaas Reviewed-by: Alex Williamson Reviewed-by: Amey Narkhede commit 63ae99f7e66ebdc483bc0cf029b46cb3b036dace Author: Andy Shevchenko Date: Wed Sep 25 15:44:23 2024 +0300 i2c: designware: Fix spelling and other issues in the comments Fix spelling and other issues, such as kernel-doc reported about, in the comments. While at it, fix some indentation issues as well. Reviewed-by: Mario Limonciello Signed-off-by: Andy Shevchenko Acked-by: Jarkko Nikula Signed-off-by: Andi Shyti commit 7a48e71397c7401f913597688bed5156aa5305b2 Author: Andy Shevchenko Date: Wed Sep 25 15:44:22 2024 +0300 i2c: designware: Use sda_hold_time variable name everywhere Currently the PCI glue driver uses sda_hold variable name, while the rest of the driver use sda_hold_time. This makes things harder to grep. Use sda_hold_time variable name everywhere. Signed-off-by: Andy Shevchenko Acked-by: Jarkko Nikula Signed-off-by: Andi Shyti commit 86bdd8e0338133b7f0fd59a9262ef09d89864f8b Author: Andy Shevchenko Date: Wed Sep 25 15:44:21 2024 +0300 i2c: designware: Remove 'cond' from i2c_dw_scl_hcnt() The 'cond' parameter is not being used (always default, hence drop it and hence make it consistent with i2c_dw_scl_lcnt(). Signed-off-by: Andy Shevchenko Acked-by: Jarkko Nikula Signed-off-by: Andi Shyti commit dd05a76e694027998c8a7a568c44e67cf0bfe04e Author: Andy Shevchenko Date: Wed Sep 25 15:44:20 2024 +0300 i2c: designware: Get rid of redundant 'else' In the snippets like the following if (...) return / goto / break / continue ...; else ... the 'else' is redundant. Get rid of it. Reviewed-by: Andi Shyti Reviewed-by: Mario Limonciello Signed-off-by: Andy Shevchenko Acked-by: Jarkko Nikula Tested-by: Serge Semin Signed-off-by: Andi Shyti commit d2f94dccab8319063dd1fbc1738b4a280c2e4009 Author: Andy Shevchenko Date: Wed Sep 25 15:44:19 2024 +0300 i2c: designware: Use temporary variable for struct device Use temporary variable for struct device to make code neater. Reviewed-by: Mario Limonciello Reviewed-by: Andi Shyti Signed-off-by: Andy Shevchenko Acked-by: Jarkko Nikula Signed-off-by: Andi Shyti commit 157a6849d2892c7b3ae479670652bb444bf064f5 Author: Shyam Sundar S K Date: Mon Sep 23 13:34:01 2024 +0530 MAINTAINERS: Add AMD ASF driver entry Update the MAINTAINERS file with AMD ASF driver details. Signed-off-by: Shyam Sundar S K Acked-by: Andi Shyti Signed-off-by: Andi Shyti commit b1f8921dfbaa6d3aaee0598b20043d28fac876a9 Author: Shyam Sundar S K Date: Mon Sep 23 13:34:00 2024 +0530 i2c: amd-asf: Clear remote IRR bit to get successive interrupt To ensure successive interrupts upon packet reception, it is necessary to clear the remote IRR bit by writing the interrupt number to the EOI register. The base address for this operation is provided by the BIOS and retrieved by the driver by traversing the ASF object's namespace. Reviewed-by: Andy Shevchenko Co-developed-by: Sanket Goswami Signed-off-by: Sanket Goswami Signed-off-by: Shyam Sundar S K Signed-off-by: Andi Shyti commit 9b25419ad397149e66e92ded58523e57f98eec2c Author: Shyam Sundar S K Date: Mon Sep 23 13:33:59 2024 +0530 i2c: amd-asf: Add routine to handle the ASF slave process Add support for handling ASF slave process events as described in the AMD ASF databook. This involves implementing the correct programming sequence to manage each ASF packet appropriately. Reviewed-by: Andy Shevchenko Co-developed-by: Sanket Goswami Signed-off-by: Sanket Goswami Signed-off-by: Shyam Sundar S K Signed-off-by: Andi Shyti commit 78a78b321528b6e395b5c4bd9eacd09e6767a475 Author: Shyam Sundar S K Date: Mon Sep 23 13:33:58 2024 +0530 i2c: amd-asf: Add i2c_algorithm operations to support AMD ASF with SMBus Implement the i2c_algorithm operations to enable support for AMD ASF (Alert Standard Format) with SMBus. This enhancement includes: - Adding functionality to identify and select the supported ASF functions. - Implementing mechanisms for registering and deregistering I2C slave devices. - Providing support for data transfer operations over ASF. Additionally, include a 'select' Kconfig entry as the current patch utilizes .reg_slave() and .unreg_slave() callbacks, which are controlled by CONFIG_I2C_SLAVE. Reviewed-by: Andy Shevchenko Co-developed-by: Sanket Goswami Signed-off-by: Sanket Goswami Signed-off-by: Shyam Sundar S K Signed-off-by: Andi Shyti commit c509ebdb95ee7713a771e7b99d17194dcbecd0d6 Author: Shyam Sundar S K Date: Mon Sep 23 13:33:57 2024 +0530 i2c: amd-asf: Add ACPI support for AMD ASF Controller The AMD ASF controller is presented to the operating system as an ACPI device. The AMD ASF driver can use ACPI to obtain information about the ASF controller's attributes, such as the ASF address space and interrupt number, and to handle ASF interrupts. Currently, the piix4 driver assumes that a specific port address is designated for AUX operations. However, with the introduction of ASF, the same port address may also be used by the ASF controller. Therefore, a check needs to be added to ensure that if ASF is advertised and enabled in ACPI, the AUX port should not be configured. Reviewed-by: Andy Shevchenko Co-developed-by: Sanket Goswami Signed-off-by: Sanket Goswami Signed-off-by: Shyam Sundar S K Signed-off-by: Andi Shyti commit 05d980046f5a202977f903db4ba67f3816dbcc7a Author: Shyam Sundar S K Date: Mon Sep 23 13:33:56 2024 +0530 i2c: piix4: Export i2c_piix4 driver functions as library Export the following i2c_piix4 driver functions as a library so that the AMD ASF driver can utilize these core functionalities from the i2c_piix4 driver: - piix4_sb800_region_request(): Request access to a specific SMBus region on the SB800 chipset. - piix4_sb800_region_release(): Release the previously requested SMBus region on the SB800 chipset. - piix4_transaction(): Handle SMBus transactions between the SMBus controller and connected devices. - piix4_sb800_port_sel(): Select the appropriate SMBus port on the SB800 chipset. By making these functions available as a library, enable the AMD ASF driver to leverage the established mechanisms in the i2c_piix4 driver, promoting code reuse and consistency across different drivers. Reviewed-by: Andy Shevchenko Co-developed-by: Sanket Goswami Signed-off-by: Sanket Goswami Signed-off-by: Shyam Sundar S K Signed-off-by: Andi Shyti commit 650e2c396a9847d8f946810fba3f0e9f3d8c27de Author: Shyam Sundar S K Date: Mon Sep 23 13:33:55 2024 +0530 i2c: piix4: Move i2c_piix4 macros and structures to common header Add a separate header file to relocate the common code from the i2c_piix4 driver, allowing the AMD ASF driver to utilize the same code. Update the MAINTAINERS file to include information about the new common header file. Reviewed-by: Andy Shevchenko Co-developed-by: Sanket Goswami Signed-off-by: Sanket Goswami Signed-off-by: Shyam Sundar S K Signed-off-by: Andi Shyti commit 9d9929e9929ff6caa310e3ac3d85bd086124efc6 Author: Shyam Sundar S K Date: Mon Sep 23 13:33:54 2024 +0530 i2c: piix4: Change the parameter list of piix4_transaction function Currently, `piix4_transaction()` accepts only one parameter, which is the `i2c_adapter` information. This approach works well as long as SB800 SMBus port accesses are confined to the piix4 driver. However, with the implementation of a separate ASF driver and the varying address spaces across drivers, it is necessary to change the function parameter list of `piix4_transaction()` to include the port address. This modification allows other drivers that use piix4 to pass the specific port details they need to operate on. Reviewed-by: Andy Shevchenko Co-developed-by: Sanket Goswami Signed-off-by: Sanket Goswami Signed-off-by: Shyam Sundar S K Signed-off-by: Andi Shyti commit bd492b58371295d3ae26162b9666be584abad68a Author: Jarkko Nikula Date: Mon Sep 23 16:27:19 2024 +0300 i2c: i801: Add support for Intel Panther Lake Add SMBus PCI IDs on Intel Panther Lake-P and -U. Signed-off-by: Jarkko Nikula Signed-off-by: Andi Shyti commit 71754212c06e64b3dd740641c391776e73408818 Author: Andy Shevchenko Date: Mon Sep 16 15:01:38 2024 +0300 i2c: isch: Convert to kernel-doc Convert existing descriptions to kernel-doc format and unify the rest of the comments to follow the modern style. Signed-off-by: Andy Shevchenko Signed-off-by: Andi Shyti commit e1d9e16c396b346c7301ef101e1ddf5173820096 Author: Andy Shevchenko Date: Mon Sep 16 15:01:37 2024 +0300 i2c: isch: Prefer to use octal permission Octal permissions are preferred over the symbolics ones for readbility. This ceases warning message pointed by checkpatch. Signed-off-by: Andy Shevchenko Signed-off-by: Andi Shyti commit f7c6153f61e46ab8e1fe39ba2897fff0dbff8845 Author: Andy Shevchenko Date: Mon Sep 16 15:01:36 2024 +0300 i2c: isch: Don't use "proxy" headers Update header inclusions to follow IWYU (Include What You Use) principle. Signed-off-by: Andy Shevchenko Signed-off-by: Andi Shyti commit a8d9aabcaa9fba678b8057f4cf6a2095e2b73b51 Author: Andy Shevchenko Date: Mon Sep 16 15:01:35 2024 +0300 i2c: isch: Unify the name of the variable to hold an error code There are two different names used for the variable that holds an error code. Unify to use one variant in all cases. Signed-off-by: Andy Shevchenko Signed-off-by: Andi Shyti commit 9dca29ee9b869f9de155e1968dafec2f1e69bd47 Author: Andy Shevchenko Date: Mon Sep 16 15:01:34 2024 +0300 i2c: isch: Use read_poll_timeout() Simplify the code by using read_poll_timeout(). Signed-off-by: Andy Shevchenko Signed-off-by: Andi Shyti commit 78ea39e6e939c610b1878673082fc115bfc121c9 Author: Andy Shevchenko Date: Mon Sep 16 15:01:33 2024 +0300 i2c: isch: Utilize temporary variable to hold device pointer Introduce a temporary variable to hold a device pointer. It can be utilized in the ->probe() and save a bit of LoCs. To make it consistent, rename currently used dev to pdev. While at it, convert the only error message to dev_err_probe(). Signed-off-by: Andy Shevchenko Signed-off-by: Andi Shyti commit cc97ef79fc235fede65b02c08a9c9b93249622c9 Author: Andy Shevchenko Date: Mon Sep 16 15:01:32 2024 +0300 i2c: isch: switch i2c registration to devm functions Switch from i2c_add_adapter() to resource managed devm_i2c_add_adapter() for matching rest of driver initialization, and more concise code. Signed-off-by: Andy Shevchenko Signed-off-by: Andi Shyti commit d8e1ac747c7469aff17f739fb667d1d40c9ee426 Author: Andy Shevchenko Date: Mon Sep 16 15:01:31 2024 +0300 i2c: isch: Use custom private data structure Use custom private data structure instead of global variables. With that, remove not anymore true comment. Signed-off-by: Andy Shevchenko Signed-off-by: Andi Shyti commit 0da6d937202fb081f7775c34c7a0db635213abb5 Author: Andy Shevchenko Date: Mon Sep 16 15:01:30 2024 +0300 i2c: isch: Switch to memory mapped IO accessors Convert driver to use memory mapped IO accessors. Signed-off-by: Andy Shevchenko Signed-off-by: Andi Shyti commit 4b91878d9206f8ca9f6d08ee13c4bbcf2c459f54 Author: Andy Shevchenko Date: Mon Sep 16 15:01:29 2024 +0300 i2c: isch: Use string_choices API instead of ternary operator Use modern string_choices API instead of manually determining the output using ternary operator. Signed-off-by: Andy Shevchenko Signed-off-by: Andi Shyti commit 3fe09719a06b0dd69e9b971152d2424196e48ef0 Author: Andy Shevchenko Date: Mon Sep 16 15:01:28 2024 +0300 i2c: isch: Pass pointer to struct i2c_adapter down There are a lot of messaging calls that use global variable of struct i2c_adapter. Instead, to make code better and flexible for further improvements, pass the pointer to the actual adapter used for transfers. Signed-off-by: Andy Shevchenko Signed-off-by: Andi Shyti commit 7cfe1a45de8d506d0722abda25430986376d3676 Author: Manikanta Guntupalli Date: Wed Sep 11 16:08:52 2024 +0530 i2c: cadence: Add atomic transfer support for controller version 1.4 Rework the read and write code paths in the driver to support operation in atomic contexts in master mode. This change does not apply to slave mode because there is no way to handle interruptions in that context. Adjust the message timeout to include some extra time. For non-atomic contexts, 500 ms is added to the timeout. For atomic contexts, 2000 ms is added because transfers happen in polled mode, requiring more time to account for the polling overhead. Similar changes have been implemented in other drivers, including: commit 3a5ee18d2a32 ("i2c: imx: implement master_xfer_atomic callback") commit 445094c8a9fb ("i2c: exynos5: add support for atomic transfers") commit ede2299f7101 ("i2c: tegra: Support atomic transfers") commit fe402bd09049 ("i2c: meson: implement the master_xfer_atomic callback") Signed-off-by: Manikanta Guntupalli Reviewed-by: Andi Shyti Signed-off-by: Andi Shyti commit ed866f41612a3f3934d0fbeb193fad334adcbc94 Author: Manikanta Guntupalli Date: Wed Sep 11 16:08:51 2024 +0530 i2c: cadence: Split cdns_i2c_master_xfer for Atomic Mode The cdns_i2c_master_xfer function has been refactored to separate the common code. This change facilitates better support for atomic mode operations by isolating the shared logic. Signed-off-by: Manikanta Guntupalli Reviewed-by: Andi Shyti Acked-by: Michal Simek Signed-off-by: Andi Shyti commit ae8ec9dd19b3b55505a09b9d605efa5509d4c6fa Author: Manikanta Guntupalli Date: Wed Sep 11 16:08:50 2024 +0530 i2c: cadence: Relocate cdns_i2c_runtime_suspend and cdns_i2c_runtime_resume to facilitate atomic mode Relocate cdns_i2c_runtime_suspend, cdns_i2c_runtime_resume and cdns_i2c_init functions to avoid prototype statement in atomic mode changes. Signed-off-by: Manikanta Guntupalli Reviewed-by: Andi Shyti Acked-by: Michal Simek Signed-off-by: Andi Shyti commit 52a22c0ed03ce23f20df81f79b23cb6637716fae Author: Yishai Hadas Date: Wed Nov 13 13:51:57 2024 +0200 virtio-pci: Introduce APIs to execute device parts admin commands Introduce APIs to handle the execution of device parts admin commands. These APIs cover functionalities such as mode setting, object creation and destruction, and operations like parts get/set and metadata retrieval. These APIs will be utilized in upcoming patches within this series. Acked-by: Michael S. Tsirkin Signed-off-by: Yishai Hadas Link: https://lore.kernel.org/r/20241113115200.209269-5-yishaih@nvidia.com Signed-off-by: Alex Williamson commit bfcad518605d927eff17ffb8ce0a828d7b7ac79f Author: Yishai Hadas Date: Wed Nov 13 13:51:56 2024 +0200 virtio: Manage device and driver capabilities via the admin commands Manage device and driver capabilities via the admin commands. The device exposes its supported features and resource object limits via an administrative command called VIRTIO_ADMIN_CMD_CAP_ID_LIST_QUERY, using the 'self group type.' Each capability is identified by a unique ID, and the driver communicates the functionality and resource limits it plans to utilize. The capability VIRTIO_DEV_PARTS_CAP specifically represents the device's parts resource object limit. Manage the device's parts resource object ID using a common IDA for both get and set operations. Acked-by: Michael S. Tsirkin Signed-off-by: Yishai Hadas Link: https://lore.kernel.org/r/20241113115200.209269-4-yishaih@nvidia.com Signed-off-by: Alex Williamson commit 704806ca400e5daa86c110f14bfdda9d28203bb7 Author: Yishai Hadas Date: Wed Nov 13 13:51:55 2024 +0200 virtio: Extend the admin command to include the result size Extend the admin command by incorporating a result size field. This allows higher layers to determine the actual result size from the backend when this information is not included in the result_sg. The additional information introduced here will be used in subsequent patches of this series. Acked-by: Michael S. Tsirkin Signed-off-by: Yishai Hadas Link: https://lore.kernel.org/r/20241113115200.209269-3-yishaih@nvidia.com Signed-off-by: Alex Williamson commit 7c1ae151e81268db1fe8c8a473d922fc5ba47b72 Author: Yishai Hadas Date: Wed Nov 13 13:51:54 2024 +0200 virtio_pci: Introduce device parts access commands Introduce device parts access commands via the admin queue. These commands and their structure adhere to the Virtio 1.4 specification. Acked-by: Michael S. Tsirkin Signed-off-by: Yishai Hadas Link: https://lore.kernel.org/r/20241113115200.209269-2-yishaih@nvidia.com Signed-off-by: Alex Williamson commit a13bf78feebd432c31cff9d0d84968c8b78bcbfb Author: Longfang Liu Date: Tue Nov 12 15:33:22 2024 +0800 Documentation: add debugfs description for hisi migration Add a debugfs document description file to help users understand how to use the hisilicon accelerator live migration driver's debugfs. Update the file paths that need to be maintained in MAINTAINERS Signed-off-by: Longfang Liu Reviewed-by: Shameer Kolothum Link: https://lore.kernel.org/r/20241112073322.54550-5-liulongfang@huawei.com Signed-off-by: Alex Williamson commit b398f91779b86e5f285d9f0df5d2e753ddcdac3f Author: Longfang Liu Date: Tue Nov 12 15:33:21 2024 +0800 hisi_acc_vfio_pci: register debugfs for hisilicon migration driver On the debugfs framework of VFIO, if the CONFIG_VFIO_DEBUGFS macro is enabled, the debug function is registered for the live migration driver of the HiSilicon accelerator device. After registering the HiSilicon accelerator device on the debugfs framework of live migration of vfio, a directory file "hisi_acc" of debugfs is created, and then three debug function files are created in this directory: vfio | +--- | +---migration | +--state | +--hisi_acc | +--dev_data | +--migf_data | +--cmd_state | +--- +---migration +--state +--hisi_acc +--dev_data +--migf_data +--cmd_state dev_data file: read device data that needs to be migrated from the current device in real time migf_data file: read the migration data of the last live migration from the current driver. cmd_state: used to get the cmd channel state for the device. +----------------+ +--------------+ +---------------+ | migration dev | | src dev | | dst dev | +-------+--------+ +------+-------+ +-------+-------+ | | | | +------v-------+ +-------v-------+ | | saving_migf | | resuming_migf | read | | file | | file | | +------+-------+ +-------+-------+ | | copy | | +------------+----------+ | | +-------v--------+ +-------v--------+ | data buffer | | debug_migf | +-------+--------+ +-------+--------+ | | cat | cat | +-------v--------+ +-------v--------+ | dev_data | | migf_data | +----------------+ +----------------+ When accessing debugfs, user can obtain the most recent status data of the device through the "dev_data" file. It can read recent complete status data of the device. If the current device is being migrated, it will wait for it to complete. The data for the last completed migration function will be stored in debug_migf. Users can read it via "migf_data". Signed-off-by: Longfang Liu Reviewed-by: Shameer Kolothum Link: https://lore.kernel.org/r/20241112073322.54550-4-liulongfang@huawei.com Signed-off-by: Alex Williamson commit 379d5ee624eda6a897d9e1f7f88c68ea482bd5fa Merge: 871438170326dc e58358afa84e8e Author: Andrii Nakryiko Date: Wed Nov 13 13:51:10 2024 -0800 Merge branch 'bpf-range_tree-for-bpf-arena' Alexei Starovoitov says: ==================== bpf: range_tree for bpf arena From: Alexei Starovoitov Introduce range_tree (interval tree plus rbtree) to track unallocated ranges in bpf arena and replace maple_tree with it. This is a step towards making bpf_arena|free_alloc_pages non-sleepable. The previous approach to reuse drm_mm to replace maple_tree reached dead end, since sizeof(struct drm_mm_node) = 168 and sizeof(struct maple_node) = 256 while sizeof(struct range_node) = 64 introduced in this patch. Not only it's smaller, but the algorithm splits and merges adjacent ranges. Ultimate performance doesn't matter. The main objective of range_tree is to work in context where kmalloc/kfree are not safe. It achieves that via bpf_mem_alloc. ==================== Link: https://patch.msgid.link/20241108025616.17625-1-alexei.starovoitov@gmail.com Signed-off-by: Andrii Nakryiko commit e58358afa84e8e271a296459d35d1715c7572013 Author: Alexei Starovoitov Date: Thu Nov 7 18:56:16 2024 -0800 selftests/bpf: Add a test for arena range tree algorithm Add a test that verifies specific behavior of arena range tree algorithm and adjust existing big_alloc1 test due to use of global data in arena. Signed-off-by: Alexei Starovoitov Signed-off-by: Andrii Nakryiko Acked-by: Kumar Kartikeya Dwivedi Link: https://lore.kernel.org/bpf/20241108025616.17625-3-alexei.starovoitov@gmail.com commit b795379757eb054925fbb6783559c86f01c1a614 Author: Alexei Starovoitov Date: Thu Nov 7 18:56:15 2024 -0800 bpf: Introduce range_tree data structure and use it in bpf arena Introduce range_tree data structure and use it in bpf arena to track ranges of allocated pages. range_tree is a large bitmap that is implemented as interval tree plus rbtree. The contiguous sequence of bits represents unallocated pages. Signed-off-by: Alexei Starovoitov Signed-off-by: Andrii Nakryiko Acked-by: Kumar Kartikeya Dwivedi Link: https://lore.kernel.org/bpf/20241108025616.17625-2-alexei.starovoitov@gmail.com commit de6dff2090ddfa74ae53e3e52243a9b9f3ff8526 Merge: 3fba54700b5321 07891907687e3c Author: Arnd Bergmann Date: Wed Nov 13 22:49:35 2024 +0100 Merge tag 'at91-defconfig-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/at91/linux into soc/defconfig Microchip AT91 defconfig updates for v6.13 It contains: - enable PAC1934 power monitor driver for the Microchip AT91 defconfigs * tag 'at91-defconfig-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/at91/linux: ARM: configs: at91: enable PAC1934 driver as module Link: https://lore.kernel.org/r/20241113182050.2176500-1-claudiu.beznea@tuxon.dev Signed-off-by: Arnd Bergmann commit dc421bb3c0db2aac926b548d259d3b550394908e Author: Krishna chaitanya chundru Date: Mon Nov 11 14:11:53 2024 +0530 PCI: Enable runtime PM of the host bridge The controller driver is the parent device of the PCIe host bridge, PCI-PCI bridge and PCIe endpoint as shown below. PCIe controller (Top level parent & parent of host bridge) | v PCIe Host bridge (Parent of PCI-PCI bridge) | v PCI-PCI bridge (Parent of endpoint driver) | v PCIe endpoint driver Now, when the controller device goes to runtime suspend, PM framework will check the runtime PM state of the child device (host bridge) and will find it to be disabled. So it will allow the parent (controller device) to go to runtime suspend. Only if the child device's state was 'active' it will prevent the parent to get suspended. It is a property of the runtime PM framework that it can only follow continuous dependency chains. That is, if there is a device with runtime PM disabled in a dependency chain, runtime PM cannot be enabled for devices below it and above it in that chain both at the same time. Since runtime PM is disabled for host bridge, the state of the child devices under the host bridge is not taken into account by PM framework for the top level parent, PCIe controller. So the PM framework allows the controller driver to enter runtime PM irrespective of the state of the devices under the host bridge. And this causes the topology breakage and also possible PM issues like controller driver going to runtime suspend while the endpoint driver is doing transfers. Because of the above, in order to enable runtime PM for a PCIe controller device, one needs to ensure that runtime PM is enabled for all devices in every dependency chain between it and any PCIe endpoint (as runtime PM is enabled for PCIe endpoints). This means that runtime PM needs to be enabled for the host bridge device, which is present in all of these dependency chains. After this change, the host bridge device will be runtime-suspended by the runtime PM framework automatically after suspending its last child and it will be runtime-resumed automatically before resuming its first child which will allow the runtime PM framework to track dependencies between the host bridge device and all of its descendants. The PM framework expects parent runtime PM to be enabled before enabling runtime PM of the child. Ensure pm_runtime_enable() is called for the controller drivers before calling pci_host_probe(). Link: https://lore.kernel.org/r/20241111-runtime_pm-v7-2-9c164eefcd87@quicinc.com Signed-off-by: Krishna chaitanya chundru Signed-off-by: Bjorn Helgaas Reviewed-by: Manivannan Sadhasivam commit 6168efbebace0db443185d4c6701ca8170a8788d Author: Mayank Rana Date: Mon Nov 11 14:11:52 2024 +0530 PCI: starfive: Enable controller runtime PM before probing host bridge A PCI controller device, e.g., StarFive, is parent to PCI host bridge device. We must enable runtime PM of the controller before enabling runtime PM of the host bridge, which will happen in pci_host_probe(), to avoid this warning: pcie-starfive 940000000.pcie: Enabling runtime PM for inactive device with active children Fix this issue by enabling StarFive controller device's runtime PM before calling pci_host_probe() in plda_pcie_host_init(). Link: https://lore.kernel.org/r/20241111-runtime_pm-v7-1-9c164eefcd87@quicinc.com Tested-by: Marek Szyprowski Signed-off-by: Mayank Rana [bhelgaas: commit log] Signed-off-by: Bjorn Helgaas Reviewed-by: Manivannan Sadhasivam commit bda9c7d92f24b693eaf0262c090de4c8c108a28e Author: David Wang <00107082@163.com> Date: Fri Nov 8 13:45:00 2024 +0800 block/genhd: use seq_put_decimal_ull for diskstats decimal values seq_printf is costly. For each block device, 19 decimal values are yielded in /proc/diskstats via seq_printf. On a system with 16 logical block devices, profiling for open/read/close sequences shows seq_printf took ~75% samples of diskstats_show: diskstats_show(92.626% 2269372/2450040) seq_printf(76.026% 1725313/2269372) vsnprintf(99.163% 1710866/1725313) format_decode(26.597% 455040/1710866) number(19.554% 334542/1710866) memcpy_orig(4.183% 71570/1710866) ... srso_return_thunk(0.009% 148/1725313) part_stat_read_all(8.030% 182236/2269372) One million rounds of open/read/close /proc/diskstats takes: real 0m37.687s user 0m0.264s sys 0m32.911s On average, each sequence tooks ~0.032ms With this patch, most decimal values are yield via seq_put_decimal_ull, performance is significantly improved: real 0m20.792s user 0m0.316s sys 0m20.463s On average, each sequence tooks ~0.020ms, a ~37.5% improvement. Signed-off-by: David Wang <00107082@163.com> Link: https://lore.kernel.org/r/20241108054500.4251-1-00107082@163.com Signed-off-by: Jens Axboe commit 871438170326dc28125cb823d19c1d5c5304474d Merge: b41ec3e6053a1e 9f8e716d46c681 Author: Alexei Starovoitov Date: Wed Nov 13 12:51:15 2024 -0800 Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf Cross-merge bpf fixes after downstream PR. In particular to bring the fix in commit aa30eb3260b2 ("bpf: Force checkpoint when jmp history is too long"). The follow up verifier work depends on it. And the fix in commit 6801cf7890f2 ("selftests/bpf: Use -4095 as the bad address for bits iterator"). It's fixing instability of BPF CI on s390 arch. No conflicts. Adjacent changes in: Auto-merging arch/Kconfig Auto-merging kernel/bpf/helpers.c Auto-merging kernel/bpf/memalloc.c Auto-merging kernel/bpf/verifier.c Auto-merging mm/slab_common.c Signed-off-by: Alexei Starovoitov commit 6cc79a6295719ff917b1fe191c681f642854b3f9 Author: Xianwei Zhao Date: Wed Nov 13 13:57:15 2024 +0800 rtc: amlogic-a4: fix compile error When compile rtc-a4, build error as following: ERROR: modpost: drivers/rtc/rtc-amlogic-a4: struct of_device_id is not terminated with a NULL entry! This commit is to fix it. Fixes: c89ac9182ee2 ("rtc: support for the Amlogic on-chip RTC") Reported-by: Stephen Rothwell Signed-off-by: Xianwei Zhao Link: https://lore.kernel.org/r/20241113-fix_a4_rtc-v1-1-307af26449a8@amlogic.com Signed-off-by: Alexandre Belloni commit b41ec3e6053a1e408da8ce02be6cc8885aa41848 Author: Zhu Jun Date: Sun Nov 10 22:15:14 2024 -0800 samples/bpf: Remove unused variable in xdp2skb_meta_kern.c The variable is never referenced in the code, just remove it. Signed-off-by: Zhu Jun Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20241111061514.3257-1-zhujun2@cmss.chinamobile.com commit 3fcfbfe307ddc0bc02053ef17ecf29a3b3f9463e Author: Zhu Jun Date: Sun Nov 10 22:23:12 2024 -0800 samples/bpf: Remove unused variables in tc_l2_redirect_kern.c These variables are never referenced in the code, just remove them. Signed-off-by: Zhu Jun Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20241111062312.3541-1-zhujun2@cmss.chinamobile.com commit b7b31f184f88c0cbd5d53dfc9a6532d851311135 Author: Luo Yifan Date: Tue Nov 12 15:37:01 2024 +0800 bpftool: Cast variable `var` to long long When the SIGNED condition is met, the variable `var` should be cast to `long long` instead of `unsigned long long`. Signed-off-by: Luo Yifan Signed-off-by: Andrii Nakryiko Reviewed-by: Quentin Monnet Link: https://lore.kernel.org/bpf/20241112073701.283362-1-luoyifan@cmss.chinamobile.com commit 228ad72e7660e99821fd430a04ac31d7f8fe9fc4 Merge: 3c2fb0152175f9 08b97fbd13de79 Author: Thomas Gleixner Date: Wed Nov 13 21:09:35 2024 +0100 Merge tag 'timers-v6.13-rc1' of https://git.linaro.org/people/daniel.lezcano/linux into timers/core Pull clocksource/event updates from Daniel Lezcano: - Remove unused dw_apb_clockevent_[pause|resume|stop] functions as they are unused since 2021 (David Alan Gilbert) - Make the sp804 driver user selectable as they may be unused on some platforms (Mark Brown) - Don't fail if the ti-dm does not describe an interrupt in the DT as this could be a normal situation if the PWM is used (Judith Mendez) - Always use cluster 0 counter as a clocksource on a multi-cluster system to prevent problems related to the time shifting between clusters if multiple per cluster clocksource is used (Paul Burton) - Move the RaLink system tick counter from the arch directory to the clocksource directory (Sergio Paracuellos) - Convert the owl-timer bindings into yaml schema (Ivaylo Ivanov) - Fix child node refcount handling on the TI DM by relying on the __free annotation to automatically release the refcount on the node (Javier Carrasco) - Remove pointless cast in the GPX driver as PTR_ERR already does that (Tang Bin) - Use of_property_present() for non-boolean properties where it is possible in the different drivers (Rob Herring) Link: https://lore.kernel.org/lkml/8d402321-96f1-47f7-9347-a850350d60de@linaro.org commit 3996187f80a0e24bff1959609065d49041cf648d Author: Grant Peltier Date: Tue Nov 12 14:09:28 2024 -0600 hwmon: (pmbus/isl68137) add support for voltage divider on Vout Some applications require Vout to be higher than the detectable voltage range of the Vsense pin for a given rail. In such applications, a voltage divider may be placed between Vout and the Vsense pin, but this results in erroneous telemetry being read back from the part. This change adds support for a voltage divider to be defined in the devicetree for a (or multiple) specific rail(s) for a supported digital multiphase device and for the applicable Vout telemetry to be scaled based on the voltage divider configuration. This change copies the implementation of the vout-voltage-divider devicetree property defined in the maxim,max20730 bindings schema since it is the best fit for the use case of scaling hwmon PMBus telemetry. The generic voltage-divider property used by many iio drivers was determined to be a poor fit because that schema is tied directly to iio and the isl68137 driver is not an iio driver. Signed-off-by: Grant Peltier Message-ID: <8c2d048f87282bcf66313afbf5e923d8fc17b4d7.1731439797.git.grantpeltier93@gmail.com> Signed-off-by: Guenter Roeck commit 71d689f60b51113a9a6de343bde35d9375c22c57 Author: Grant Peltier Date: Tue Nov 12 14:10:06 2024 -0600 dt-bindings: hwmon: isl68137: add bindings to support voltage dividers Add devicetree bindings to support declaring optional voltage dividers to the rail outputs of supported digital multiphase regulators. Some applications require Vout to exceed the voltage range that the Vsense pin can detect. This binding definition allows users to define the characteristics of a voltage divider placed between Vout and the Vsense pin for any rail powered by the device. These bindings copy the vout-voltage-divider property defined in the maxim,max20730 bindings schema since it is the best fit for the use case of scaling hwmon PMBus telemetry. The generic voltage-divider property used by many iio drivers was determined to be a poor fit because that schema is tied directly to iio for the purpose of scaling io-channel voltages and the isl68137 driver is not an iio driver. New schema file named isil,isl68137.yaml to align with the corresponding driver name and pre-existing bindings ported from trivial bindings. However, all new device bindings use renesas as the vendor prefix since Renesas acquired Intersil and now maintains all documentation for the devices. Signed-off-by: Grant Peltier Reviewed-by: Rob Herring (Arm) Message-ID: Signed-off-by: Guenter Roeck commit 83b645ee43f796dc765cc541d5cafa6fe2b1f3fa Author: Arnd Bergmann Date: Wed Nov 13 18:55:33 2024 +0100 hwmon: tmp108: fix I3C dependency It's possible to build a kernel with tmp108 built-in but i3c support in a loadable module, but that results in a link failure: x86_64-linux-ld: drivers/hwmon/tmp108.o: in function `p3t1085_i3c_probe': tmp108.c:(.text+0x5f9): undefined reference to `i3cdev_to_dev' Add a Kconfig dependency to ensure only the working configurations are allowed. Fixes: c40655e33106 ("hwmon: (tmp108) Add support for I3C device") Signed-off-by: Arnd Bergmann Message-ID: <20241113175615.2442851-1-arnd@kernel.org> Signed-off-by: Guenter Roeck commit b467ab82a9fde4b46c0cd2c299220857afb0e0d4 Author: Paolo Bonzini Date: Wed Nov 13 12:39:45 2024 +0100 KVM: x86: expose MSR_PLATFORM_INFO as a feature MSR For userspace that wants to disable KVM_X86_QUIRK_STUFF_FEATURE_MSRS, it is useful to know what bits can be set to 1 in MSR_PLATFORM_INFO (apart from the TSC ratio). The right way to do that is via /dev/kvm's feature MSR mechanism. In fact, MSR_PLATFORM_INFO is already a feature MSR for the purpose of blocking updates after the vCPU is run, but KVM_GET_MSRS did not return a valid value for it. Just like in a VM that leaves KVM_X86_QUIRK_STUFF_FEATURE_MSRS enabled, the TSC ratio field is left to 0. Only bit 31 is set. Signed-off-by: Paolo Bonzini commit a0423af92cb31e6fc4f53ef9b6e19fdf08ad4395 Author: Tao Su Date: Tue Nov 5 13:48:25 2024 +0800 x86: KVM: Advertise CPUIDs for new instructions in Clearwater Forest Latest Intel platform Clearwater Forest has introduced new instructions enumerated by CPUIDs of SHA512, SM3, SM4 and AVX-VNNI-INT16. Advertise these CPUIDs to userspace so that guests can query them directly. SHA512, SM3 and SM4 are on an expected-dense CPUID leaf and some other bits on this leaf have kernel usages. Considering they have not truly kernel usages, hide them in /proc/cpuinfo. These new instructions only operate in xmm, ymm registers and have no new VMX controls, so there is no additional host enabling required for guests to use these instructions, i.e. advertising these CPUIDs to userspace is safe. Tested-by: Jiaan Lu Tested-by: Xuelian Guo Signed-off-by: Tao Su Message-ID: <20241105054825.870939-1-tao1.su@linux.intel.com> Signed-off-by: Paolo Bonzini commit 31bedc1fb1d93250ae1900ee92ccd56689956d22 Author: Luo Yifan Date: Mon Nov 11 17:17:01 2024 +0800 libsubcmd: Move va_end() before exit This patch makes a minor adjustment by moving the va_end call before exit. Since the exit() function terminates the program, any code after exit(128) (i.e., va_end(params)) is unreachable and thus not executed. Placing va_end before exit ensures that the va_list is properly cleaned up. Signed-off-by: Luo Yifan Cc: Josh Poimboeuf Link: https://lore.kernel.org/r/20241111091701.275496-1-luoyifan@cmss.chinamobile.com Signed-off-by: Arnaldo Carvalho de Melo commit b81bb703372837a6d6b4cc964b6db58d1dfdba8b Author: Luo Yifan Date: Mon Nov 11 17:52:09 2024 +0800 perf timechart: Remove redundant variable assignment This patch makes a minor change that removes a redundant variable assignment. The assignment before the for loop is duplicated by the initialization within the loop header. Signed-off-by: Luo Yifan Cc: Adrian Hunter Cc: Alexander Shishkin Cc: Ian Rogers Cc: Ingo Molnar Cc: Jiri Olsa Cc: Kan Liang Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Link: https://lore.kernel.org/r/20241111095209.276332-1-luoyifan@cmss.chinamobile.com Signed-off-by: Arnaldo Carvalho de Melo commit d99b3125726aade4f5ec4aae04805134ab4b0abd Author: Jean-Philippe Romain Date: Fri Nov 8 18:58:01 2024 -0800 perf list: Fix topic and pmu_name argument order Fix function definitions to match header file declaration. Fix two callers to pass the arguments in the right order. On Intel Tigerlake, before: ``` $ perf list -j|grep "\"Topic\""|sort|uniq "Topic": "cache", "Topic": "cpu", "Topic": "floating point", "Topic": "frontend", "Topic": "memory", "Topic": "other", "Topic": "pfm icl", "Topic": "pfm ix86arch", "Topic": "pfm perf_raw", "Topic": "pipeline", "Topic": "tool", "Topic": "uncore interconnect", "Topic": "uncore memory", "Topic": "uncore other", "Topic": "virtual memory", $ perf list -j|grep "\"Unit\""|sort|uniq "Unit": "cache", "Unit": "cpu", "Unit": "cstate_core", "Unit": "cstate_pkg", "Unit": "i915", "Unit": "icl", "Unit": "intel_bts", "Unit": "intel_pt", "Unit": "ix86arch", "Unit": "msr", "Unit": "perf_raw", "Unit": "power", "Unit": "tool", "Unit": "uncore_arb", "Unit": "uncore_clock", "Unit": "uncore_imc_free_running_0", "Unit": "uncore_imc_free_running_1", ``` After: ``` $ perf list -j|grep "\"Topic\""|sort|uniq "Topic": "cache", "Topic": "floating point", "Topic": "frontend", "Topic": "memory", "Topic": "other", "Topic": "pfm icl", "Topic": "pfm ix86arch", "Topic": "pfm perf_raw", "Topic": "pipeline", "Topic": "tool", "Topic": "uncore interconnect", "Topic": "uncore memory", "Topic": "uncore other", "Topic": "virtual memory", $ perf list -j|grep "\"Unit\""|sort|uniq "Unit": "cpu", "Unit": "cstate_core", "Unit": "cstate_pkg", "Unit": "i915", "Unit": "icl", "Unit": "intel_bts", "Unit": "intel_pt", "Unit": "ix86arch", "Unit": "msr", "Unit": "perf_raw", "Unit": "power", "Unit": "tool", "Unit": "uncore_arb", "Unit": "uncore_clock", "Unit": "uncore_imc_free_running_0", "Unit": "uncore_imc_free_running_1", ``` Fixes: e5c6109f4813246a ("perf list: Reorganize to use callbacks to allow honouring command line options") Reviewed-by: Kan Liang Signed-off-by: Jean-Philippe Romain Tested-by: Ian Rogers Cc: Adrian Hunter Cc: Alexander Shishkin Cc: Ingo Molnar Cc: Jiri Olsa Cc: Junhao He Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Link: https://lore.kernel.org/r/20241109025801.560378-1-irogers@google.com [ I fixed the two callers and added it to Jean-Phillippe's original change. ] Signed-off-by: Ian Rogers Signed-off-by: Arnaldo Carvalho de Melo commit 463c2031655c08007401b0eefed817ed2da2ebfb Author: Andrew Kreimer Date: Fri Nov 8 15:47:15 2024 +0200 perf tools: Fix typos Muliplier -> Multiplier There are some typos in fprintf messages. Fix them via codespell. Reviewed-by: Adrian Hunter Signed-off-by: Andrew Kreimer Cc: Alexander Shishkin Cc: Ian Rogers Cc: Ingo Molnar Cc: Jiri Olsa Cc: Kan Liang Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Link: https://lore.kernel.org/r/20241108134728.25515-1-algonell@gmail.com Signed-off-by: Arnaldo Carvalho de Melo commit a6e8a58de6294578195447596fb975a9027b4d2c Author: Arnaldo Carvalho de Melo Date: Mon Nov 11 12:17:34 2024 -0300 perf disasm: Allow configuring what disassemblers to use The perf tools annotation code used for a long time parsing the output of binutils's objdump (or its reimplementations, like llvm's) to then parse and augment it with samples, allow navigation, etc. More recently disassemblers from the capstone and llvm (libraries, not parsing the output of tools using those libraries to mimic binutils's objdump output) were introduced. So when all those methods are available, there is a static preference for a series of attempts of disassembling a binary, with the 'llvm, capstone, objdump' sequence being hard coded. This patch allows users to change that sequence, specifying via a 'perf config' 'annotate.disassemblers' entry which and in what order disassemblers should be attempted. As alluded to in the comments in the source code of this series, this flexibility is useful for users and developers alike, elliminating the requirement to rebuild the tool with some specific set of libraries to see how the output of disassembling would be for one of these methods. root@x1:~# rm -f ~/.perfconfig root@x1:~# perf annotate -v --stdio2 update_load_avg symbol__disassemble: filename=/usr/lib/debug/lib/modules/6.11.4-201.fc40.x86_64/vmlinux, sym=update_load_avg, start=0xffffffffb6148fe0, en> annotating [0x6ff7170] /usr/lib/debug/lib/modules/6.11.4-201.fc40.x86_64/vmlinux : [0x7407ca0] update_load_avg Disassembled with llvm annotate.disassemblers=llvm,capstone,objdump Samples: 66 of event 'cpu_atom/cycles/P', 10000 Hz, Event count (approx.): 5185444, [percent: local period] update_load_avg() /usr/lib/debug/lib/modules/6.11.4-201.fc40.x86_64/vmlinux Percent 0xffffffff81148fe0 : 1.61 pushq %r15 pushq %r14 1.00 pushq %r13 movl %edx,%r13d 1.90 pushq %r12 pushq %rbp movq %rsi,%rbp pushq %rbx movq %rdi,%rbx subq $0x18,%rsp 15.14 movl 0x1a4(%rdi),%eax root@x1:~# perf config annotate.disassemblers=capstone root@x1:~# cat ~/.perfconfig # this file is auto-generated. [annotate] disassemblers = capstone root@x1:~# root@x1:~# perf annotate -v --stdio2 update_load_avg Disassembled with capstone annotate.disassemblers=capstone Samples: 66 of event 'cpu_atom/cycles/P', 10000 Hz, Event count (approx.): 5185444, [percent: local period] update_load_avg() /usr/lib/debug/lib/modules/6.11.4-201.fc40.x86_64/vmlinux Percent 0xffffffff81148fe0 : 1.61 pushq %r15 pushq %r14 1.00 pushq %r13 movl %edx,%r13d 1.90 pushq %r12 pushq %rbp movq %rsi,%rbp pushq %rbx movq %rdi,%rbx subq $0x18,%rsp 15.14 movl 0x1a4(%rdi),%eax root@x1:~# perf config annotate.disassemblers=objdump,capstone root@x1:~# perf config annotate.disassemblers annotate.disassemblers=objdump,capstone root@x1:~# cat ~/.perfconfig # this file is auto-generated. [annotate] disassemblers = objdump,capstone root@x1:~# perf annotate -v --stdio2 update_load_avg Executing: objdump --start-address=0xffffffff81148fe0 \ --stop-address=0xffffffff811497aa \ -d --no-show-raw-insn -S -C "$1" Disassembled with objdump annotate.disassemblers=objdump,capstone Samples: 66 of event 'cpu_atom/cycles/P', 10000 Hz, Event count (approx.): 5185444, [percent: local period] update_load_avg() /usr/lib/debug/lib/modules/6.11.4-201.fc40.x86_64/vmlinux Percent Disassembly of section .text: ffffffff81148fe0 : #define DO_ATTACH 0x4 ffffffff81148fe0 : #define DO_ATTACH 0x4 #define DO_DETACH 0x8 /* Update task and its cfs_rq load average */ static inline void update_load_avg(struct cfs_rq *cfs_rq, struct sched_entity *se, int flags) { 1.61 push %r15 push %r14 1.00 push %r13 mov %edx,%r13d 1.90 push %r12 push %rbp mov %rsi,%rbp push %rbx mov %rdi,%rbx sub $0x18,%rsp } /* rq->task_clock normalized against any time this cfs_rq has spent throttled */ static inline u64 cfs_rq_clock_pelt(struct cfs_rq *cfs_rq) { if (unlikely(cfs_rq->throttle_count)) 15.14 mov 0x1a4(%rdi),%eax root@x1:~# After adding a way to select the disassembler from the command line a 'perf test' comparing the output of the various diassemblers should be introduced, to test these codebases. Acked-by: Ian Rogers Cc: Adrian Hunter Cc: Athira Rajeev Cc: Jiri Olsa Cc: Kan Liang Cc: Namhyung Kim Cc: Steinar H. Gunderson Link: https://lore.kernel.org/r/20241111151734.1018476-4-acme@kernel.org Signed-off-by: Arnaldo Carvalho de Melo commit 1f7393adf67de6897b1ee614903e1900d7cf069b Author: Arnaldo Carvalho de Melo Date: Mon Nov 11 12:17:33 2024 -0300 perf disasm: Define stubs for the LLVM and capstone disassemblers This reduces the number of ifdefs in the main symbol__disassemble() method and paves the way for allowing the user to configure the disassemblers of preference. Acked-by: Ian Rogers Cc: Adrian Hunter Cc: Aditya Bodkhe Cc: Athira Rajeev Cc: Jiri Olsa Cc: Kan Liang Cc: Masami Hiramatsu (Google) Cc: Namhyung Kim Cc: Steinar H. Gunderson Link: https://lore.kernel.org/r/20241111151734.1018476-3-acme@kernel.org [ Applied fixes from Masami Hiramatsu and Aditya Bodkhe for when capstone devel files are not available ] Link: https://lore.kernel.org/r/B78FB6DF-24E9-4A3C-91C9-535765EC0E2A@ibm.com Link: https://lore.kernel.org/r/173145729034.2747044.453926054000880254.stgit@mhiramat.roam.corp.google.com Signed-off-by: Arnaldo Carvalho de Melo commit afc545da381ba0c651b2658966ac737032676f01 Author: Qiu-ji Chen Date: Tue Nov 5 21:09:19 2024 +0800 xen: Fix the issue of resource not being properly released in xenbus_dev_probe() This patch fixes an issue in the function xenbus_dev_probe(). In the xenbus_dev_probe() function, within the if (err) branch at line 313, the program incorrectly returns err directly without releasing the resources allocated by err = drv->probe(dev, id). As the return value is non-zero, the upper layers assume the processing logic has failed. However, the probe operation was performed earlier without a corresponding remove operation. Since the probe actually allocates resources, failing to perform the remove operation could lead to problems. To fix this issue, we followed the resource release logic of the xenbus_dev_remove() function by adding a new block fail_remove before the fail_put block. After entering the branch if (err) at line 313, the function will use a goto statement to jump to the fail_remove block, ensuring that the previously acquired resources are correctly released, thus preventing the reference count leak. This bug was identified by an experimental static analysis tool developed by our team. The tool specializes in analyzing reference count operations and detecting potential issues where resources are not properly managed. In this case, the tool flagged the missing release operation as a potential problem, which led to the development of this patch. Fixes: 4bac07c993d0 ("xen: add the Xenbus sysfs and virtual device hotplug driver") Cc: stable@vger.kernel.org Signed-off-by: Qiu-ji Chen Reviewed-by: Juergen Gross Message-ID: <20241105130919.4621-1-chenqiuji666@gmail.com> Signed-off-by: Juergen Gross commit 00e8d290b55f2fa5c5a0500b4dccf9e090650447 Author: Christoph Hellwig Date: Wed Nov 13 16:20:46 2024 +0100 block: don't reorder requests in blk_mq_add_to_batch LIFO ordering for batched completions is a bit unexpected and also defeats some merging optimizations in e.g. the XFS buffered write code. Now that we can easily add the request to the tail of the list do that. Signed-off-by: Christoph Hellwig Link: https://lore.kernel.org/r/20241113152050.157179-7-hch@lst.de Signed-off-by: Jens Axboe commit e70c301faece15b618e54b613b1fd6ece3dd05b4 Author: Christoph Hellwig Date: Wed Nov 13 16:20:45 2024 +0100 block: don't reorder requests in blk_add_rq_to_plug Add requests to the tail of the list instead of the front so that they are queued up in submission order. Remove the re-reordering in blk_mq_dispatch_plug_list, virtio_queue_rqs and nvme_queue_rqs now that the list is ordered as expected. Signed-off-by: Christoph Hellwig Link: https://lore.kernel.org/r/20241113152050.157179-6-hch@lst.de Signed-off-by: Jens Axboe commit a3396b99990d8b4e5797e7b16fdeb64c15ae97bb Author: Christoph Hellwig Date: Wed Nov 13 16:20:44 2024 +0100 block: add a rq_list type Replace the semi-open coded request list helpers with a proper rq_list type that mirrors the bio_list and has head and tail pointers. Besides better type safety this actually allows to insert at the tail of the list, which will be useful soon. Signed-off-by: Christoph Hellwig Link: https://lore.kernel.org/r/20241113152050.157179-5-hch@lst.de Signed-off-by: Jens Axboe commit e8225ab15006fbcdb14cef426a0a54475292fbbc Author: Christoph Hellwig Date: Wed Nov 13 16:20:43 2024 +0100 block: remove rq_list_move Unused now. Signed-off-by: Christoph Hellwig Link: https://lore.kernel.org/r/20241113152050.157179-4-hch@lst.de Signed-off-by: Jens Axboe commit 7f212e997edbb7a2cb85cef2ac14265dfaf88717 Author: Christoph Hellwig Date: Wed Nov 13 16:20:42 2024 +0100 virtio_blk: reverse request order in virtio_queue_rqs blk_mq_flush_plug_list submits requests in the reverse order that they were submitted, which leads to a rather suboptimal I/O pattern especially in rotational devices. Fix this by rewriting virtio_queue_rqs so that it always pops the requests from the passed in request list, and then adds them to the head of a local submit list. This actually simplifies the code a bit as it removes the complicated list splicing, at the cost of extra updates of the rq_next pointer. As that should be cache hot anyway it should be an easy price to pay. Fixes: 0e9911fa768f ("virtio-blk: support mq_ops->queue_rqs()") Signed-off-by: Christoph Hellwig Link: https://lore.kernel.org/r/20241113152050.157179-3-hch@lst.de Signed-off-by: Jens Axboe commit f3dd9ae7f03aefa5bb12a4606f3d6cca87863622 Author: Christophe JAILLET Date: Sun Sep 1 17:17:09 2024 +0200 dax: Remove an unused field in struct dax_operations .dax_supported() was apparently removed by commit 7b0800d00dae ("dax: remove dax_capable") on 2021-11. Remove the now unused function pointer from the struct dax_operations. Signed-off-by: Christophe JAILLET Reviewed-by: Jan Kara Link: https://patch.msgid.link/56b92b722ca0a6fd1387c871a6ec01bcb9bd525e.1725203804.git.christophe.jaillet@wanadoo.fr Signed-off-by: Ira Weiny commit b8e6d7ce50673c39514921ac61f7af00bbb58b87 Author: Harshit Mogalapalli Date: Thu Oct 17 03:11:25 2024 -0700 dax: delete a stale directory pmem After commit: 83762cb5c7c4 ("dax: Kill DEV_DAX_PMEM_COMPAT") the pmem/ directory is not needed anymore and Makefile changes were made accordingly in this commit, but there is a Makefile and pmem.c in pmem/ which are now stale and pmem.c is empty, remove them. Fixes: 83762cb5c7c4 ("dax: Kill DEV_DAX_PMEM_COMPAT") Suggested-by: Vegard Nossum Signed-off-by: Harshit Mogalapalli Reviewed-by: Dan Williams Reviewed-by: Ira Weiny Link: https://patch.msgid.link/20241017101144.1654085-1-harshit.m.mogalapalli@oracle.com Signed-off-by: Ira Weiny commit b61352101470f8b68c98af674e187cfaa7c43504 Author: Yi Yang Date: Fri Nov 8 08:55:26 2024 +0000 nvdimm: rectify the illogical code within nd_dax_probe() When nd_dax is NULL, nd_pfn is consequently NULL as well. Nevertheless, it is inadvisable to perform pointer arithmetic or address-taking on a NULL pointer. Introduce the nd_dax_devinit() function to enhance the code's logic and improve its readability. Signed-off-by: Yi Yang Reviewed-by: Dave Jiang Link: https://patch.msgid.link/20241108085526.527957-1-yiyang13@huawei.com Signed-off-by: Ira Weiny commit beadf0088501d9dcf2454b05d90d5d31ea3ba55f Author: Christoph Hellwig Date: Wed Nov 13 16:20:41 2024 +0100 nvme-pci: reverse request order in nvme_queue_rqs blk_mq_flush_plug_list submits requests in the reverse order that they were submitted, which leads to a rather suboptimal I/O pattern especially in rotational devices. Fix this by rewriting nvme_queue_rqs so that it always pops the requests from the passed in request list, and then adds them to the head of a local submit list. This actually simplifies the code a bit as it removes the complicated list splicing, at the cost of extra updates of the rq_next pointer. As that should be cache hot anyway it should be an easy price to pay. Fixes: d62cbcf62f2f ("nvme: add support for mq_ops->queue_rqs()") Signed-off-by: Christoph Hellwig Link: https://lore.kernel.org/r/20241113152050.157179-2-hch@lst.de Signed-off-by: Jens Axboe commit e559ee022658c70bdc07c4846bf279f5a5abc494 Author: Christoph Hellwig Date: Wed Nov 13 09:45:36 2024 +0100 btrfs: validate queue limits Call blk_validate_limits on the queue limits used for zone append splitting so that calculated values get filled in and any stacking conflicts get cought. Without this there isn't a max_zone_append_sectors limits as of commit 559218d43ec9 ("block: pre-calculate max_zone_append_sectors"). Fixes: 559218d43ec9 ("block: pre-calculate max_zone_append_sectors") Reported-by: Yi Zhang Signed-off-by: Christoph Hellwig Reviewed-by: Johannes Thumshirn Link: https://lore.kernel.org/r/20241113084541.34315-3-hch@lst.de Signed-off-by: Jens Axboe commit 470d2bc3a0bc19a849cc7478c02d3f5ecaa1233e Author: Christoph Hellwig Date: Wed Nov 13 09:45:35 2024 +0100 block: export blk_validate_limits While block drivers do the validation as part of committing them to the queue, users that use the limit outside of a block device context have to validate the limits and fill in the calculated values as well. So far btrfs is the only user of queue limits without a block device, and it has gotten away with that more or less by accident. But with commit 559218d43ec9 ("block: pre-calculate max_zone_append_sectors") this became fatal for setups that have small max zone append size, as it won't be limited now. Export blk_validate_limits so that it can be called directly from btrfs. Signed-off-by: Christoph Hellwig Reviewed-by: Johannes Thumshirn Link: https://lore.kernel.org/r/20241113084541.34315-2-hch@lst.de Signed-off-by: Jens Axboe commit f7f50742a6bb5f70b0e41cf9ed6255c7fded69b5 Author: Shen Lichuan Date: Thu Sep 26 15:57:00 2024 +0800 nvdimm: Correct some typos in comments Fixed some confusing typos that were currently identified with codespell, the details are as follows: -in the code comments: drivers/nvdimm/nd_virtio.c:100: repsonse ==> response drivers/nvdimm/pfn_devs.c:542: namepace ==> namespace drivers/nvdimm/pmem.c:319: reenable ==> re-enable Signed-off-by: Shen Lichuan Reviewed-by: Dave Jiang Reviewed-by: Pankaj Gupta Link: https://patch.msgid.link/20240926075700.10122-1-shenlichuan@vivo.com Signed-off-by: Ira Weiny commit e400c7444d84b0fd2ebb34e618f83abe05917543 Author: Joe Damato Date: Wed Oct 23 17:27:45 2024 +0000 e1000: Hold RTNL when e1000_down can be called e1000_down calls netif_queue_set_napi, which assumes that RTNL is held. There are a few paths for e1000_down to be called in e1000 where RTNL is not currently being held: - e1000_shutdown (pci shutdown) - e1000_suspend (power management) - e1000_reinit_locked (via e1000_reset_task delayed work) - e1000_io_error_detected (via pci error handler) Hold RTNL in three places to fix this issue: - e1000_reset_task: igc, igb, and e100e all hold rtnl in this path. - e1000_io_error_detected (pci error handler): e1000e and ixgbe hold rtnl in this path. A patch has been posted for igc to do the same [1]. - __e1000_shutdown (which is called from both e1000_shutdown and e1000_suspend): igb, ixgbe, and e1000e all hold rtnl in the same path. The other paths which call e1000_down seemingly hold RTNL and are OK: - e1000_close (ndo_stop) - e1000_change_mtu (ndo_change_mtu) Based on the above analysis and mailing list discussion [2], I believe adding rtnl in the three places mentioned above is correct. Fixes: 8f7ff18a5ec7 ("e1000: Link NAPI instances to queues and IRQs") Reported-by: Dmitry Antipov Closes: https://lore.kernel.org/netdev/8cf62307-1965-46a0-a411-ff0080090ff9@yandex.ru/ Link: https://lore.kernel.org/netdev/20241022215246.307821-3-jdamato@fastly.com/ [1] Link: https://lore.kernel.org/netdev/ZxgVRX7Ne-lTjwiJ@LQ3V64L9R2/ [2] Signed-off-by: Joe Damato Signed-off-by: Tony Nguyen commit 4d26b6eccdc273af02742771e4805755396477fe Author: Wander Lairson Costa Date: Fri Sep 20 15:59:17 2024 -0300 igbvf: remove unused spinlock tx_queue_lock and stats_lock are declared and initialized, but never used. Remove them. Signed-off-by: Wander Lairson Costa Reviewed-by: Paul Menzel Signed-off-by: Tony Nguyen commit f40b0acad68852d475d034f20df3f6bcac7bdbc4 Author: Johnny Park Date: Wed Oct 23 23:45:26 2024 -0600 igb: Fix 2 typos in comments in igb_main.c Fix 2 spelling mistakes in comments in `igb_main.c`. Signed-off-by: Johnny Park Acked-by: Przemek Kitszel Signed-off-by: Tony Nguyen commit ade6fded7957fd10a152de98513e4af3ff76ab71 Author: Vitaly Lifshits Date: Tue Oct 1 20:05:31 2024 +0300 igc: remove autoneg parameter from igc_mac_info Since the igc driver doesn't support forced speed configuration and its current related hardware doesn't support it either, there is no use of the mac.autoneg parameter. Moreover, in one case this usage might result in a NULL pointer dereference due to an uninitialized function pointer, phy.ops.force_speed_duplex. Therefore, remove this parameter from the igc code. Signed-off-by: Vitaly Lifshits Tested-by: Mor Bar-Gabay Signed-off-by: Tony Nguyen commit 4b2c75ffeaadfce0ffdd97fbd0bbcad5c4f83131 Author: Diomidis Spinellis Date: Thu Oct 17 11:58:53 2024 +0300 ixgbe: Break include dependency cycle Header ixgbe_type.h includes ixgbe_mbx.h. Also, header ixgbe_mbx.h included ixgbe_type.h, thus introducing a circular dependency. - Remove ixgbe_mbx.h inclusion from ixgbe_type.h. - ixgbe_mbx.h requires the definition of struct ixgbe_mbx_operations so move its definition there. While at it, add missing argument identifier names. - Add required forward structure declarations. - Include ixgbe_mbx.h in the .c files that need it, for the following reasons: ixgbe_sriov.c uses ixgbe_check_for_msg ixgbe_main.c uses ixgbe_init_mbx_params_pf ixgbe_82599.c uses mbx_ops_generic ixgbe_x540.c uses mbx_ops_generic ixgbe_x550.c uses mbx_ops_generic Signed-off-by: Diomidis Spinellis Reviewed-by: Jacob Keller Tested-by: Rafal Romanowski Signed-off-by: Tony Nguyen commit fcc17a3ba0ceef76cb2197742f9e90fb17e89b2e Author: Frederic Weisbecker Date: Mon Oct 7 14:44:07 2024 -0700 ice: Unbind the workqueue The ice workqueue doesn't seem to rely on any CPU locality and should therefore be able to run on any CPU. In practice this is already happening through the unbound ice_service_timer that may fire anywhere and queue the workqueue accordingly to any CPU. Make this official so that the ice workqueue is only ever queued to housekeeping CPUs on nohz_full. Signed-off-by: Frederic Weisbecker Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) Signed-off-by: Tony Nguyen commit eaa3e9876bbc2f260cf17167a194bd412e80f177 Author: Jacob Keller Date: Mon Sep 9 16:05:44 2024 -0700 ice: use stack variable for virtchnl_supported_rxdids The ice_vc_query_rxdid() function allocates memory to store the virtchnl_supported_rxdids structure used to communicate the bitmap of supported RXDIDs to a VF. This structure is only 8 bytes in size. The function must hold the allocated length on the stack as well as the pointer to the structure which itself is 8 bytes. Allocating this storage on the heap adds unnecessary overhead including a potential error path that must be handled in case kzalloc fails. Because this structure is so small, we're not saving stack space. Additionally, because we must ensure that we free the allocated memory, the return value from ice_vc_send_msg_to_vf() must also be saved in the stack ret variable. Depending on compiler optimization, this means allocating the 8-byte structure is requiring up to 16-bytes of stack memory! Simplify this function to keep the rxdid variable on the stack, saving memory and removing a potential failure exit path from this function. Signed-off-by: Jacob Keller Reviewed-by: Przemek Kitszel Signed-off-by: Tony Nguyen commit 8cca16be5efc6a481487e34a0fe542cc480fc720 Author: Jacob Keller Date: Mon Sep 9 16:05:43 2024 -0700 ice: initialize pf->supported_rxdids immediately after loading DDP The pf->supported_rxdids field is used to populate the list of valid RXDIDs that a VF may use when negotiating VIRTCHNL_VF_OFFLOAD_RX_FLEX_DESC. The set of supported RXDIDs is dependent on the DDP, and can be read from the GLXFLXP_RXDID_FLAGS register. The PF needs to send this list to the VF upon receiving the VIRTCHNL_OP_GET_SUPPORTED_RXDIDs. It also needs to use this list to validate the requested descriptor ID from the VF when programming the Rx queues. A future update to support VF live migration will also want to validate that the target VF can support the same descriptor ID when migrating. Currently, pf->supported_rxdids is initialized inside the ice_vc_query_rxdid() function. This means that it is only ever initialized if at least one VF actually tries to negotiate VIRTCHNL_VF_OFFLOAD_RX_FLEX_DESC. It is also unnecessarily re-initialized every time the VF loads and requests the descriptor list. This worked before because the PF only checks pf->suppported_rxdids when programming the Rx queue if the VF actually negotiates the VIRTCHNL_VF_OFFLOAD_RX_FLEX_DESC feature. This will be problematic for VF live migration. We need the list of supported Rx descriptor IDs when migrating. It is possible that no VF on the target PF has ever actually issued a VIRTCHNL_OP_GET_SUPPORTED_RXDIDs. Refactor the driver to initialize pf->supported_rxdids during driver initialization after the DDP is loaded. This is simpler, avoids unnecessary duplicate work, and avoids issues with the live migration process. Signed-off-by: Jacob Keller Reviewed-by: Przemek Kitszel Signed-off-by: Tony Nguyen commit 2a52984c53f3df46db58d50557fda4580aa2aad6 Author: Brett Creeley Date: Thu Oct 17 09:08:16 2024 +0200 ice: only allow Tx promiscuous for multicast Currently when any VF is trusted and true promiscuous mode is enabled on the PF, the VF will receive all unicast traffic directed to the device's internal switch. This includes traffic external to the NIC and also from other VSI (i.e. VFs). This does not match the expected behavior as unicast traffic should only be visible from external sources in this case. Disable the Tx promiscuous mode bits for unicast promiscuous mode. Reviewed-by: Mateusz Polchlopek Signed-off-by: Brett Creeley Signed-off-by: Michal Swiatkowski Reviewed-by: Simon Horman Tested-by: Rafal Romanowski Signed-off-by: Tony Nguyen commit 492a044508ad13a490a24c66f311339bf891cb5f Author: Joe Damato Date: Mon Oct 21 22:35:51 2024 +0000 ice: Add support for persistent NAPI config Use netif_napi_add_config to assign persistent per-NAPI config when initializing NAPIs. This preserves NAPI config settings when queue counts are adjusted. Tested with an E810-2CQDA2 NIC. Begin by setting the queue count to 4: $ sudo ethtool -L eth4 combined 4 Check the queue settings: $ ./tools/net/ynl/cli.py --spec Documentation/netlink/specs/netdev.yaml \ --dump napi-get --json='{"ifindex": 4}' [{'defer-hard-irqs': 0, 'gro-flush-timeout': 0, 'id': 8452, 'ifindex': 4, 'irq': 2782}, {'defer-hard-irqs': 0, 'gro-flush-timeout': 0, 'id': 8451, 'ifindex': 4, 'irq': 2781}, {'defer-hard-irqs': 0, 'gro-flush-timeout': 0, 'id': 8450, 'ifindex': 4, 'irq': 2780}, {'defer-hard-irqs': 0, 'gro-flush-timeout': 0, 'id': 8449, 'ifindex': 4, 'irq': 2779}] Now, set the queue with NAPI ID 8451 to have a gro-flush-timeout of 1111: $ sudo ./tools/net/ynl/cli.py \ --spec Documentation/netlink/specs/netdev.yaml \ --do napi-set --json='{"id": 8451, "gro-flush-timeout": 1111}' None Check that worked: $ ./tools/net/ynl/cli.py --spec Documentation/netlink/specs/netdev.yaml \ --dump napi-get --json='{"ifindex": 4}' [{'defer-hard-irqs': 0, 'gro-flush-timeout': 0, 'id': 8452, 'ifindex': 4, 'irq': 2782}, {'defer-hard-irqs': 0, 'gro-flush-timeout': 1111, 'id': 8451, 'ifindex': 4, 'irq': 2781}, {'defer-hard-irqs': 0, 'gro-flush-timeout': 0, 'id': 8450, 'ifindex': 4, 'irq': 2780}, {'defer-hard-irqs': 0, 'gro-flush-timeout': 0, 'id': 8449, 'ifindex': 4, 'irq': 2779}] Now reduce the queue count to 2, which would destroy the queue with NAPI ID 8451: $ sudo ethtool -L eth4 combined 2 Check the queue settings, noting that NAPI ID 8451 is gone: $ ./tools/net/ynl/cli.py --spec Documentation/netlink/specs/netdev.yaml \ --dump napi-get --json='{"ifindex": 4}' [{'defer-hard-irqs': 0, 'gro-flush-timeout': 0, 'id': 8450, 'ifindex': 4, 'irq': 2780}, {'defer-hard-irqs': 0, 'gro-flush-timeout': 0, 'id': 8449, 'ifindex': 4, 'irq': 2779}] Now, increase the number of queues back to 4: $ sudo ethtool -L eth4 combined 4 Dump the settings, expecting to see the same NAPI IDs as above and for NAPI ID 8451 to have its gro-flush-timeout set to 1111: $ ./tools/net/ynl/cli.py --spec Documentation/netlink/specs/netdev.yaml \ --dump napi-get --json='{"ifindex": 4}' [{'defer-hard-irqs': 0, 'gro-flush-timeout': 0, 'id': 8452, 'ifindex': 4, 'irq': 2782}, {'defer-hard-irqs': 0, 'gro-flush-timeout': 1111, 'id': 8451, 'ifindex': 4, 'irq': 2781}, {'defer-hard-irqs': 0, 'gro-flush-timeout': 0, 'id': 8450, 'ifindex': 4, 'irq': 2780}, {'defer-hard-irqs': 0, 'gro-flush-timeout': 0, 'id': 8449, 'ifindex': 4, 'irq': 2779}] Signed-off-by: Joe Damato Reviewed-by: Simon Horman Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) Signed-off-by: Tony Nguyen commit 09ec79d42e42beacf23bad5d388f4692f5f4c7d8 Author: Przemek Kitszel Date: Fri Oct 18 16:17:37 2024 +0200 ice: support optional flags in signature segment header An optional flag field has been added to the signature segment header. The field contains two flags, a "valid" bit, and a "last segment" bit that indicates whether the segment is the last segment that will be sent to firmware. If the flag field's valid bit is NOT set, then as was done before, assume that this is the last segment being downloaded. However, if the flag field's valid bit IS set, then use the last segment flag to determine if this segment is the last segment to download. Signed-off-by: Paul Greenwalt Signed-off-by: Ahmed Zaki Co-developed-by: Dan Nowlin Signed-off-by: Dan Nowlin Reviewed-by: Michal Swiatkowski Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) Signed-off-by: Przemek Kitszel Reviewed-by: Simon Horman Signed-off-by: Tony Nguyen commit d6920900398a604841d3662b05c76f5e3317de82 Author: Przemek Kitszel Date: Fri Oct 18 16:17:36 2024 +0200 ice: refactor "last" segment of DDP pkg Add ice_ddp_send_hunk() that buffers "sent FW hunk" calls to AQ in order to mark the "last" one in more elegant way. Next commit will add even more complicated "sent FW" flow, so it's better to untangle a bit before. Note that metadata buffers were not skipped for NOT-@indicate_last segments, this is fixed now. Minor: + use ice_is_buffer_metadata() instead of open coding it in ice_dwnld_cfg_bufs(); + ice_dwnld_cfg_bufs_no_lock() + dependencies were moved up a bit to have better git-diff, as this function was rewritten (in terms of git-blame) CC: Paul Greenwalt CC: Dan Nowlin CC: Ahmed Zaki CC: Simon Horman Reviewed-by: Michal Swiatkowski Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) Signed-off-by: Przemek Kitszel Reviewed-by: Simon Horman Signed-off-by: Tony Nguyen commit 99dbcab0cdd60e35d9f208b2f7515a19ba523ff6 Author: Mateusz Polchlopek Date: Tue Oct 1 06:26:05 2024 -0400 ice: extend dump serdes equalizer values feature Extend the work done in commit 70838938e89c ("ice: Implement driver functionality to dump serdes equalizer values") by adding the new set of Rx registers that can be read using command: $ ethtool -d interface_name Rx equalization parameters are E810 PHY registers used by end user to gather information about configuration and status to debug link and connection issues in the field. Reviewed-by: Przemek Kitszel Signed-off-by: Mateusz Polchlopek Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) Reviewed-by: Simon Horman Signed-off-by: Tony Nguyen commit 8ea085937dad2d0b5399bc58722934f562b9abef Author: Mateusz Polchlopek Date: Tue Oct 1 06:26:04 2024 -0400 ice: rework of dump serdes equalizer values feature Refactor function ice_get_tx_rx_equa() to iterate over new table of params instead of multiple calls to ice_aq_get_phy_equalization(). Subsequent commit will extend that function by add more serdes equalizer values to dump. Shorten the fields of struct ice_serdes_equalization_to_ethtool for readability purposes. Reviewed-by: Przemek Kitszel Signed-off-by: Mateusz Polchlopek Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) Reviewed-by: Simon Horman Signed-off-by: Tony Nguyen commit 3e7c69cdb053f9edea95502853f35952ab6cbf06 Author: Daniel Martín Gómez Date: Thu Nov 7 15:45:38 2024 +0100 jbd2: Fix comment describing journal_init_common() The code indicates that journal_init_common() fills the journal_t object it returns while the comment incorrectly states that only a few fields are initialised. Also, the comment claims that journal structures could be created from scratch which isn't possible as journal_init_common() calls journal_load_superblock() which loads and checks journal superblock from disk. Signed-off-by: Daniel Martín Gómez Reviewed-by: Jan Kara Reviewed-by: Zhang Yi Link: https://patch.msgid.link/20241107144538.3544-1-dalme@riseup.net Signed-off-by: Theodore Ts'o commit e06a8c24f6445c2f1b5255caa4f63b38e31c43fa Author: Mathieu Othacehe Date: Wed Nov 6 14:47:41 2024 +0100 ext4: prevent an infinite loop in the lazyinit thread Use ktime_get_ns instead of ktime_get_real_ns when computing the lr_timeout not to be affected by system time jumps. Use a boolean instead of the MAX_JIFFY_OFFSET value to determine whether the next_wakeup value has been set. Comparing elr->lr_next_sched to MAX_JIFFY_OFFSET can cause the lazyinit thread to loop indefinitely. Co-developed-by: Lukas Skupinski Signed-off-by: Lukas Skupinski Signed-off-by: Mathieu Othacehe Reviewed-by: Jan Kara Link: https://patch.msgid.link/20241106134741.26948-2-othacehe@gnu.org Signed-off-by: Theodore Ts'o commit d5e9836e13a53ef36af702d87ab20d1a126b0fb8 Author: Thorsten Blum Date: Tue Nov 5 11:33:54 2024 +0100 ext4: use struct_size() to improve ext4_htree_store_dirent() Inline and use struct_size() to calculate the number of bytes to allocate for new_fn and remove the local variable len. Reviewed-by: Jan Kara Signed-off-by: Thorsten Blum Link: https://patch.msgid.link/20241105103353.11590-2-thorsten.blum@linux.dev Signed-off-by: Theodore Ts'o commit de183b2baf90f0acc1854a3998c14b8b228f9643 Author: Thorsten Blum Date: Tue Nov 5 11:18:14 2024 +0100 ext4: annotate struct fname with __counted_by() Add the __counted_by compiler attribute to the flexible array member name to improve access bounds-checking via CONFIG_UBSAN_BOUNDS and CONFIG_FORTIFY_SOURCE. Reviewed-by: Jan Kara Signed-off-by: Thorsten Blum Link: https://patch.msgid.link/20241105101813.10864-2-thorsten.blum@linux.dev Signed-off-by: Theodore Ts'o commit 2bd9077b6261b8f1281d0fa74d51afe090319263 Author: Gustavo A. R. Silva Date: Fri Nov 1 14:45:23 2024 -0600 jbd2: avoid dozens of -Wflex-array-member-not-at-end warnings -Wflex-array-member-not-at-end was introduced in GCC-14, and we are getting ready to enable it, globally. Use the `DEFINE_RAW_FLEX()` helper for an on-stack definition of a flexible structure (`struct shash_desc`) where the size of the flexible-array member (`__ctx`) is known at compile-time, and refactor the rest of the code, accordingly. So, with this, fix 77 of the following warnings: include/linux/jbd2.h:1800:35: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end] Signed-off-by: Gustavo A. R. Silva Reviewed-by: Jan Kara Link: https://patch.msgid.link/ZyU94w0IALVhc9Jy@kspp Signed-off-by: Theodore Ts'o commit 6a0c5887a54318eaaafb00825ebb10d1f7c8f0cf Author: Thorsten Blum Date: Mon Oct 21 12:00:57 2024 +0200 ext4: use str_yes_no() helper function Remove hard-coded strings by using the str_yes_no() helper function. Signed-off-by: Thorsten Blum Link: https://patch.msgid.link/20241021100056.5521-2-thorsten.blum@linux.dev Signed-off-by: Theodore Ts'o commit 15da3dd3f5d22328654a690db1f9ed211aaecfd6 Merge: 6975c1a486a404 50bee3857d081a Author: Jens Axboe Date: Wed Nov 13 10:43:11 2024 -0700 Merge tag 'nvme-6.13-2024-11-13' of git://git.infradead.org/nvme into for-6.13/block Pull NVMe updates from Keith: "nvme updates for Linux 6.13 - Use uring_cmd helper (Pavel) - Host Memory Buffer allocation enhancements (Christoph) - Target persistent reservation support (Guixin) - Persistent reservation tracing (Guixen) - NVMe 2.1 specification support (Keith) - Rotational Meta Support (Matias, Wang, Keith) - Volatile cache detection enhancment (Guixen)" * tag 'nvme-6.13-2024-11-13' of git://git.infradead.org/nvme: (22 commits) nvmet: add tracing of reservation commands nvme: parse reservation commands's action and rtype to string nvmet: report ns's vwc not present nvme: check ns's volatile write cache not present nvme: add rotational support nvme: use command set independent id ns if available nvmet: support for csi identify ns nvmet: implement rotational media information log nvmet: implement endurance groups nvmet: declare 2.1 version compliance nvmet: implement crto property nvmet: implement supported features log nvmet: implement supported log pages nvmet: implement active command set ns list nvmet: implement id ns for nvm command set nvmet: support reservation feature nvme: add reservation command's defines nvme-core: remove repeated wq flags nvmet: make nvmet_wq visible in sysfs nvme-pci: use dma_alloc_noncontigous if possible ... commit bc329f394bbddf7975f46b1ccc897c6679e1cc45 Merge: 16023977b9e0f7 22e027cc74488d Author: Arnd Bergmann Date: Wed Nov 13 18:40:35 2024 +0100 Merge tag 'v6.13-armsoc/drivers1' of https://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip into soc/dt Compatibles for some additional "General Register Files" syscons * tag 'v6.13-armsoc/drivers1' of https://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip: dt-bindings: soc: rockchip: add rk3588 mipi dcphy syscon dt-bindings: soc: rockchip: add rk3576 usb2phy syscon dt-bindings: soc: rockchip: add rk3576 vo1-grf syscon Link: https://lore.kernel.org/r/4605658.LvFx2qVVIh@phil Signed-off-by: Arnd Bergmann commit 1876c788bba174660b538dcf5d1bc2b75d7f6d66 Merge: f335e015771749 54a8cd0f92068a Author: Arnd Bergmann Date: Wed Nov 13 18:38:51 2024 +0100 Merge tag 'qcom-drivers-for-6.13-2' of https://git.kernel.org/pub/scm/linux/kernel/git/qcom/linux into soc/drivers A few more Qualcomm driver updates for v6.13 Make the Adreno driver invoke the SMMU aperture setup firmware function, which is required to allow the GPU to manage per-process page tables in some firmware versions - as an example Rb3Gen2 has no GPU without this. Add X1E Devkit to the list of devices that has functional EFI variable access through the uefisecapp. Flip the "manual slice configuration quirk" in the Qualcomm LLCC driver, as this only applies to a single platform, and introduce support for QCS8300, QCS615, SAR2130P, and SAR1130P. Lastly, add IPQ5424 and IPQ5404 to the Qualcomm socinfo driver. * tag 'qcom-drivers-for-6.13-2' of https://git.kernel.org/pub/scm/linux/kernel/git/qcom/linux: soc: qcom: ice: Remove the device_link field in qcom_ice drm/msm/adreno: Setup SMMU aparture for per-process page table firmware: qcom: scm: Introduce CP_SMMU_APERTURE_ID soc: qcom: socinfo: add IPQ5424/IPQ5404 SoC ID dt-bindings: arm: qcom,ids: add SoC ID for IPQ5424/IPQ5404 soc: qcom: llcc: Flip the manual slice configuration condition dt-bindings: firmware: qcom,scm: Document sm8750 SCM firmware: qcom: uefisecapp: Allow X1E Devkit devices soc: qcom: llcc: Add LLCC configuration for the QCS8300 platform dt-bindings: cache: qcom,llcc: Document the QCS8300 LLCC soc: qcom: llcc: Add configuration data for QCS615 dt-bindings: cache: qcom,llcc: Document the QCS615 LLCC soc: qcom: llcc: add support for SAR2130P and SAR1130P soc: qcom: llcc: use deciman integers for bit shift values dt-bindings: cache: qcom,llcc: document SAR2130P and SAR1130P Link: https://lore.kernel.org/r/20241113032425.356306-1-andersson@kernel.org Signed-off-by: Arnd Bergmann commit d8afb8cc8bbab13f97cd76aaf716de97f222cd71 Author: Rex Nie Date: Wed Nov 13 08:54:12 2024 +0800 thermal/drivers/k3_j72xx_bandgap: Simplify code in k3_bgp_read_temp() The return value of vtm_get_best_value() always >= 0, remove always false expression 'dtemp < 0' in if statement. Signed-off-by: Rex Nie Link: https://lore.kernel.org/r/20241113005412.2254-1-rex.nie@jaguarmicro.com Signed-off-by: Daniel Lezcano commit d19ea320d3029a12993c671f4815bf6c02ae0727 Author: Yang Li Date: Mon Nov 11 09:09:35 2024 +0800 PCI: mediatek-gen3: Remove unneeded semicolon Remove a surplus semicolon and fix the following warning: ./drivers/pci/controller/pcie-mediatek-gen3.c:414:2-3: Unneeded semicolon Closes: https://bugzilla.openanolis.cn/show_bug.cgi?id=11789 Link: https://lore.kernel.org/r/20241111010935.20208-1-yang.lee@linux.alibaba.com Reported-by: Abaci Robot Signed-off-by: Yang Li [kwilczynski: commit log] Signed-off-by: Krzysztof Wilczyński Reviewed-by: Matthias Brugger Reviewed-by: AngeloGioacchino Del Regno commit e3e309b2bea8d2c37ed6f52c837848b601d3245e Author: Bartosz Wawrzyniak Date: Fri Oct 18 11:30:43 2024 +0000 PCI: cadence: Lower severity of message when phy-names property is absent in DTS The "phy-names" property is optional, so the message indicating its absence during the probe should be of "info" severity rather than "error" severity. Link: https://lore.kernel.org/r/20241018113045.2050295-1-bwawrzyn@cisco.com Signed-off-by: Bartosz Wawrzyniak [kwilczynski: update log messages wording, commit log] Signed-off-by: Krzysztof Wilczyński commit aa52c54da40d9eee3ba87c05cdcb0cd07c04fa13 Author: Amir Goldstein Date: Wed Nov 13 16:40:34 2024 +0100 fsnotify: fix sending inotify event with unexpected filename We got a report that adding a fanotify filsystem watch prevents tail -f from receiving events. Reproducer: 1. Create 3 windows / login sessions. Become root in each session. 2. Choose a mounted filesystem that is pretty quiet; I picked /boot. 3. In the first window, run: fsnotifywait -S -m /boot 4. In the second window, run: echo data >> /boot/foo 5. In the third window, run: tail -f /boot/foo 6. Go back to the second window and run: echo more data >> /boot/foo 7. Observe that the tail command doesn't show the new data. 8. In the first window, hit control-C to interrupt fsnotifywait. 9. In the second window, run: echo still more data >> /boot/foo 10. Observe that the tail command in the third window has now printed the missing data. When stracing tail, we observed that when fanotify filesystem mark is set, tail does get the inotify event, but the event is receieved with the filename: read(4, "\1\0\0\0\2\0\0\0\0\0\0\0\20\0\0\0foo\0\0\0\0\0\0\0\0\0\0\0\0\0", 50) = 32 This is unexpected, because tail is watching the file itself and not its parent and is inconsistent with the inotify event received by tail when fanotify filesystem mark is not set: read(4, "\1\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0", 50) = 16 The inteference between different fsnotify groups was caused by the fact that the mark on the sb requires the filename, so the filename is passed to fsnotify(). Later on, fsnotify_handle_event() tries to take care of not passing the filename to groups (such as inotify) that are interested in the filename only when the parent is watching. But the logic was incorrect for the case that no group is watching the parent, some groups are watching the sb and some watching the inode. Reported-by: Miklos Szeredi Fixes: 7372e79c9eb9 ("fanotify: fix logic of reporting name info with watched parent") Cc: stable@vger.kernel.org # 5.10+ Signed-off-by: Amir Goldstein Signed-off-by: Jan Kara commit 50bee3857d081ab1b83f93c64cb5c10a4babe2d9 Author: Guixin Liu Date: Mon Oct 14 18:14:58 2024 +0800 nvmet: add tracing of reservation commands Add tracing of reservation commands, including register, acquire, release and report, and also parse the action and rtype to string to make the trace log more human-readable. Signed-off-by: Guixin Liu Reviewed-by: Sagi Grimberg Reviewed-by: Christoph Hellwig Reviewed-by: Chaitanya Kulkarni Signed-off-by: Keith Busch commit 8a502b5c1689862b1fce1ef3019dcd284cc98aa8 Author: Guixin Liu Date: Mon Oct 14 18:14:57 2024 +0800 nvme: parse reservation commands's action and rtype to string Parse reservation commands's action(including rrega, racqa and rrela) and rtype to string to make the trace log more human-readable. Signed-off-by: Guixin Liu Reviewed-by: Sagi Grimberg Reviewed-by: Christoph Hellwig Reviewed-by: Chaitanya Kulkarni Signed-off-by: Keith Busch commit 609e60a3a9f4053b420d3ece565dee273bfdc2e8 Author: Guixin Liu Date: Wed Nov 13 18:18:39 2024 +0800 nvmet: report ns's vwc not present Currently, we report that controller has vwc even though the ns may not have vwc. Report ns's vwc not present when not buffered_io or backdev doesn't have vwc. Signed-off-by: Guixin Liu Reviewed-by: Christoph Hellwig Reviewed-by: Chaitanya Kulkarni Signed-off-by: Keith Busch commit 6c056ae4b27575d9230b883498d3cd02315ce6cc Author: Al Viro Date: Sun Nov 3 15:20:15 2024 -0500 libfs: kill empty_dir_getattr() It's used only to initialize ->getattr in one inode_operations instance (empty_dir_inode_operations) and its behaviour had always been equivalent to what we get with NULL ->getattr. Just remove that initializer, along with empty_dir_getattr() itself. While we are at it, the same instance has ->permission initialized to generic_permission, which is what NULL ->permission ends up doing. Again, no point keeping it. Reviewed-by: Christian Brauner Signed-off-by: Al Viro commit 95f567f81e43a1bcb5fbf0559e55b7505707300d Author: Stefan Berger Date: Fri Nov 1 15:37:03 2024 -0400 fs: Simplify getattr interface function checking AT_GETATTR_NOSEC flag Commit 8a924db2d7b5 ("fs: Pass AT_GETATTR_NOSEC flag to getattr interface function")' introduced the AT_GETATTR_NOSEC flag to ensure that the call paths only call vfs_getattr_nosec if it is set instead of vfs_getattr. Now, simplify the getattr interface functions of filesystems where the flag AT_GETATTR_NOSEC is checked. There is only a single caller of inode_operations getattr function and it is located in fs/stat.c in vfs_getattr_nosec. The caller there is the only one from which the AT_GETATTR_NOSEC flag is passed from. Two filesystems are checking this flag in .getattr and the flag is always passed to them unconditionally from only vfs_getattr_nosec: - ecryptfs: Simplify by always calling vfs_getattr_nosec in ecryptfs_getattr. From there the flag is passed to no other function and this function is not called otherwise. - overlayfs: Simplify by always calling vfs_getattr_nosec in ovl_getattr. From there the flag is passed to no other function and this function is not called otherwise. The query_flags in vfs_getattr_nosec will mask-out AT_GETATTR_NOSEC from any caller using AT_STATX_SYNC_TYPE as mask so that the flag is not important inside this function. Also, since no filesystem is checking the flag anymore, remove the flag entirely now, including the BUG_ON check that never triggered. The net change of the changes here combined with the original commit is that ecryptfs and overlayfs do not call vfs_getattr but only vfs_getattr_nosec. Fixes: 8a924db2d7b5 ("fs: Pass AT_GETATTR_NOSEC flag to getattr interface function") Reported-by: Al Viro Closes: https://lore.kernel.org/linux-fsdevel/20241101011724.GN1350452@ZenIV/T/#u Cc: Tyler Hicks Cc: ecryptfs@vger.kernel.org Cc: Miklos Szeredi Cc: Amir Goldstein Cc: linux-unionfs@vger.kernel.org Cc: Christian Brauner Cc: linux-fsdevel@vger.kernel.org Reviewed-by: Christian Brauner Signed-off-by: Stefan Berger Signed-off-by: Al Viro commit 0dd4fb733132f8f934390647ba064c51e34f99fa Author: Al Viro Date: Sat Oct 19 20:48:30 2024 -0400 fs/stat.c: switch to CLASS(fd_raw) ... and use fd_empty() consistently Reviewed-by: Christian Brauner Signed-off-by: Al Viro commit 88a20626d8ed708432cf51afb1f92070459f6165 Author: Al Viro Date: Fri Sep 20 00:38:59 2024 -0400 kill getname_statx_lookup_flags() LOOKUP_EMPTY is ignored by the only remaining user, and without that 'getname_' prefix makes no sense. Remove LOOKUP_EMPTY part, rename to statx_lookup_flags() and make static. It most likely is _not_ statx() specific, either, but that's the next step. Reviewed-by: Christian Brauner Signed-off-by: Al Viro commit 8e15e12d37f21c03dacac0c37561db5a222690c0 Author: Al Viro Date: Fri Sep 20 00:26:57 2024 -0400 io_statx_prep(): use getname_uflags() the only thing in flags getname_flags() ever cares about is LOOKUP_EMPTY; anything else is none of its damn business. Reviewed-by: Jens Axboe Reviewed-by: Christian Brauner Signed-off-by: Al Viro commit f9ed1f7c2e26fcd19781774e310a6236d7525c11 Author: David Wang <00107082@163.com> Date: Sat Nov 9 00:07:17 2024 +0800 genirq/proc: Use seq_put_decimal_ull_width() for decimal values seq_printf() is more expensive than seq_put_decimal_ull_width() due to the format string parsing costs. Profiling on a x86 8-core system indicates seq_printf() takes ~47% samples of show_interrupts(). Replacing it with seq_put_decimal_ull_width() yields almost 30% performance gain. [ tglx: Massaged changelog and fixed up coding style ] Signed-off-by: David Wang <00107082@163.com> Signed-off-by: Thomas Gleixner Link: https://lore.kernel.org/all/20241108160717.9547-1-00107082@163.com commit 2f4d4503e9e5ab765a7948f98bc5deef7850f607 Author: Miklos Szeredi Date: Tue Nov 12 11:10:04 2024 +0100 statmount: add flag to retrieve unescaped options Filesystem options can be retrieved with STATMOUNT_MNT_OPTS, which returns a string of comma separated options, where some characters are escaped using the \OOO notation. Add a new flag, STATMOUNT_OPT_ARRAY, which instead returns the raw option values separated with '\0' charaters. Since escaped charaters are rare, this inteface is preferable for non-libmount users which likley don't want to deal with option de-escaping. Example code: if (st->mask & STATMOUNT_OPT_ARRAY) { const char *opt = st->str + st->opt_array; for (unsigned int i = 0; i < st->opt_num; i++) { printf("opt_array[%i]: <%s>\n", i, opt); opt += strlen(opt) + 1; } } Example ouput: (1) mnt_opts: (2) opt_array[0]: opt_array[1]: opt_array[2]: opt_array[3]: opt_array[4]: opt_array[5]: Signed-off-by: Miklos Szeredi Link: https://lore.kernel.org/r/20241112101006.30715-1-mszeredi@redhat.com Acked-by: Jeff Layton [brauner: tweak variable naming and parsing add example output] Signed-off-by: Christian Brauner commit a3bb4e663df318b232746478e7b191bcf6e3af40 Author: Jonas Rebmann Date: Wed Nov 13 13:18:32 2024 +0100 spi: imx: support word delay Implement support for the word delay feature of i.MX51 (and onwards) via the ECSPI interface. Convert the requested delay to SPI cycles and account for an extra inter-word delay inserted by the controller in addition to the requested number of cycles, which was observed when testing this patch. Disable dynamic burst when word delay is set. As the configurable delay period in the controller is inserted after bursts, the burst length must equal the word length. Account for word delay in the transfer time estimation for polling_limit_us. Signed-off-by: Jonas Rebmann Reviewed-by: Frank Li Link: https://patch.msgid.link/20241113-imx-spi-word-delay-v2-2-2b65b737bf29@pengutronix.de Signed-off-by: Mark Brown commit 7b94af24a7a4d12a76183f1b2f0d363d2c9ced43 Author: Jonas Rebmann Date: Wed Nov 13 13:18:31 2024 +0100 spi: imx: pass struct spi_transfer to prepare_transfer() In an upcoming patch, mx51_ecspi_prepare_transfer() needs access to the word_delay parameter. To enable controller-specific handling of such per-transfer parameters, extend the prepare_transfer() function of the spi_imx_devtype_data interface to take a struct spi_transfer argument, update all controller-specific implementations accordingly. Signed-off-by: Jonas Rebmann Reviewed-by: Frank Li Link: https://patch.msgid.link/20241113-imx-spi-word-delay-v2-1-2b65b737bf29@pengutronix.de Signed-off-by: Mark Brown commit b6621b1d4b1d0459ba6b49c0bc498c352ac115ab Author: Luo Yifan Date: Wed Nov 13 10:14:58 2024 +0800 tools: gpio: Fix several incorrect format specifiers Make a minor change to eliminate static checker warnings. The variable lines[] is unsigned, so the correct format specifier should be %u instead of %d. Signed-off-by: Luo Yifan Link: https://lore.kernel.org/r/20241113021458.291252-1-luoyifan@cmss.chinamobile.com Signed-off-by: Bartosz Golaszewski commit 65e936372d8f56f9faf3879925738cecc0a5f7e7 Author: Conor Dooley Date: Wed Nov 13 12:01:04 2024 +0000 gpio: mpfs: add CoreGPIO support coreGPIO, which the "hard" core in PolarFire SoC is based on, has different offsets for inp/outp. Add some match_data handling to account for the differences. Signed-off-by: Conor Dooley Link: https://lore.kernel.org/r/20241113-jovial-atlantic-cd07f05eb2e5@spud Signed-off-by: Bartosz Golaszewski commit e2ffb6c3a40ee714160e35e61f0a984028b5d550 Author: Barnabás Czémán Date: Wed Nov 13 16:11:46 2024 +0100 thermal/drivers/qcom/tsens-v1: Add support for MSM8937 tsens Add support for tsens v1.4 block what can be found in MSM8937 and MSM8917. Reviewed-by: Dmitry Baryshkov Signed-off-by: Barnabás Czémán Link: https://lore.kernel.org/r/20241113-msm8917-v6-5-c348fb599fef@mainlining.org Signed-off-by: Daniel Lezcano commit fd9d75ef4686a55e8436f8f07983b7a4fdcaa309 Author: Barnabás Czémán Date: Wed Nov 13 16:11:45 2024 +0100 dt-bindings: thermal: tsens: Add MSM8937 Document the compatible string for tsens v1.4 block found in MSM8937. Acked-by: Krzysztof Kozlowski Signed-off-by: Barnabás Czémán Link: https://lore.kernel.org/r/20241113-msm8917-v6-4-c348fb599fef@mainlining.org Signed-off-by: Daniel Lezcano commit dd64594ca2c5b952570c3b885763b93ebe26fe9a Author: Uwe Kleine-König Date: Sat Oct 19 18:34:11 2024 +0200 thermal: Switch back to struct platform_driver::remove() After commit 0edb555a65d1 ("platform: Make platform_driver::remove() return void") .remove() is (again) the right callback to implement for platform drivers. Convert all platform drivers below drivers/thermal to use .remove(), with the eventual goal to drop struct platform_driver::remove_new(). As .remove() and .remove_new() have the same prototypes, conversion is done by just changing the structure member name in the driver initializer. On the way make a few whitespace changes to make indention consistent. Signed-off-by: Uwe Kleine-König Link: https://lore.kernel.org/r/20241019163412.304422-2-u.kleine-koenig@baylibre.com Signed-off-by: Daniel Lezcano commit 62d9748fa1eea751400518b5ffe6825ce3e48deb Author: Colin Ian King Date: Tue Oct 22 19:46:22 2024 +0100 thermal/drivers/mediatek/lvts_thermal: Make read-only arrays static const Don't populate the read-only arrays on the stack at run time, instead make them static const. Signed-off-by: Colin Ian King Reviewed-by: Nicolas Pitre Link: https://lore.kernel.org/r/20241022184622.1296044-1-colin.i.king@gmail.com Signed-off-by: Daniel Lezcano commit 59e127d58c8df64efb76ff61e0622287b5234933 Author: Dmitry Baryshkov Date: Sun Oct 27 01:06:50 2024 +0300 dt-bindings: thermal: qcom-tsens: Add SAR2130P compatible Document compatible for thermal sensors on Qualcomm SAR2130P platform. Signed-off-by: Dmitry Baryshkov Acked-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20241027-sar2130p-tsens-v1-1-8dee27fc02ae@linaro.org Signed-off-by: Daniel Lezcano commit b9d69371e8fa90fa3ab100f4fcb4815b13b3673a Author: Pavel Begunkov Date: Wed Nov 13 03:26:01 2024 +0000 io_uring: fix invalid hybrid polling ctx leaks It has already allocated the ctx by the point where it checks the hybrid poll configuration, plain return leaks the memory. Fixes: 01ee194d1aba1 ("io_uring: add support for hybrid IOPOLL") Signed-off-by: Pavel Begunkov Reviewed-by: Anuj Gupta Link: https://lore.kernel.org/r/b57f2608088020501d352fcdeebdb949e281d65b.1731468230.git.asml.silence@gmail.com Signed-off-by: Jens Axboe commit 344044d8c9e256f86d51fd30212dd63ecb9f3333 Author: Al Viro Date: Tue Nov 12 21:38:42 2024 +0000 dquot.c: get rid of include ../internal.h Ugh, indeed - and not needed nearly a decade. It had been added for the sake of inode_sb_list_lock and that spinlock had become a per-superblock (->s_inode_list_lock) in March 2015... Signed-off-by: Al Viro Signed-off-by: Jan Kara Link: https://patch.msgid.link/20241112213842.GC3387508@ZenIV commit 027a4f81102a39ea835bac599519b311ed3497e3 Author: Wenhua Lin Date: Wed Nov 13 19:05:16 2024 +0800 dt-bindings: serial: Add a new compatible string for ums9632 The UMS9632 uses the SC9632 serial device. Signed-off-by: Wenhua Lin Link: https://lore.kernel.org/r/20241113110516.2166328-3-Wenhua.Lin@unisoc.com Signed-off-by: Greg Kroah-Hartman commit 8f9eeb5cfbfe171384759ececea49e92415103a4 Author: Wenhua Lin Date: Wed Nov 13 19:05:15 2024 +0800 serial: sprd: Add support for sc9632 Due to the platform's new project uart ip upgrade, the new project's timeout interrupt needs to use bit17 while other projects' timeout interrupt needs to use bit13, using private data to adapt and be compatible with all projects. Signed-off-by: Wenhua Lin Link: https://lore.kernel.org/r/20241113110516.2166328-2-Wenhua.Lin@unisoc.com Signed-off-by: Greg Kroah-Hartman commit b3a882e814e007bfd0d50dc2150d48d47cb1973b Author: Tobias Klauser Date: Wed Nov 13 12:43:19 2024 +0100 tty/serial/altera_uart: unwrap error log string The error log string should be a single line, unwrap it. Suggested-by: Jiri Slaby Link: https://lore.kernel.org/all/26034117-26b6-4eeb-bd66-969955b70e9b@kernel.org/ Signed-off-by: Tobias Klauser Link: https://lore.kernel.org/r/20241113114319.16636-1-tklauser@distanz.ch Signed-off-by: Greg Kroah-Hartman commit 3f356922d4cb9c7bd0871e27dcc3b357bfb14181 Author: Tobias Klauser Date: Wed Nov 13 12:43:30 2024 +0100 tty/serial/altera_jtaguart: unwrap error log string The error log string should be a single line, unwrap it. Suggested-by: Jiri Slaby Link: https://lore.kernel.org/all/26034117-26b6-4eeb-bd66-969955b70e9b@kernel.org/ Signed-off-by: Tobias Klauser Link: https://lore.kernel.org/r/20241113114330.16995-1-tklauser@distanz.ch Signed-off-by: Greg Kroah-Hartman commit 2bcacc1c87acf9a8ebc17de18cb2b3cfeca547cf Author: Kartik Rajput Date: Wed Nov 13 14:56:29 2024 +0530 serial: amba-pl011: Fix RX stall when DMA is used Function pl011_throttle_rx() calls pl011_stop_rx() to disable RX, which also disables the RX DMA by clearing the RXDMAE bit of the DMACR register. However, to properly unthrottle RX when DMA is used, the function pl011_unthrottle_rx() is expected to set the RXDMAE bit of the DMACR register, which it currently lacks. This causes RX to stall after the throttle API is called. Set RXDMAE bit in the DMACR register while unthrottling RX if RX DMA is used. Fixes: 211565b10099 ("serial: pl011: UPSTAT_AUTORTS requires .throttle/unthrottle") Cc: stable@vger.kernel.org Signed-off-by: Kartik Rajput Reviewed-by: Linus Walleij Link: https://lore.kernel.org/r/20241113092629.60226-1-kkartik@nvidia.com Signed-off-by: Greg Kroah-Hartman commit 635a9fca54f4f4148be1ae1c7c6bd37af80f5773 Author: Nicolas Bouchinet Date: Tue Nov 12 14:13:31 2024 +0100 tty: ldsic: fix tty_ldisc_autoload sysctl's proc_handler Commit 7c0cca7c847e ("tty: ldisc: add sysctl to prevent autoloading of ldiscs") introduces the tty_ldisc_autoload sysctl with the wrong proc_handler. .extra1 and .extra2 parameters are set to avoid other values thant SYSCTL_ZERO or SYSCTL_ONE to be set but proc_dointvec do not uses them. This commit fixes this by using proc_dointvec_minmax instead of proc_dointvec. Fixes: 7c0cca7c847e ("tty: ldisc: add sysctl to prevent autoloading of ldiscs") Cc: stable Signed-off-by: Nicolas Bouchinet Reviewed-by: Lin Feng Reviewed-by: Jiri Slaby Link: https://lore.kernel.org/r/20241112131357.49582-4-nicolas.bouchinet@clip-os.org Signed-off-by: Greg Kroah-Hartman commit 528ea1aca24fba5616f397d43ccb2de99d2a41d7 Author: Sabyrzhan Tasbolatov Date: Tue Nov 12 20:58:17 2024 +0500 drivers/usb/storage: refactor min with min_t Ensure type safety by using min_t() instead of casted min(). Signed-off-by: Sabyrzhan Tasbolatov Link: https://lore.kernel.org/r/20241112155817.3512577-9-snovitoll@gmail.com Signed-off-by: Greg Kroah-Hartman commit 6d8a67e3954fe2a66ca726d1ce80ab7fe0c2998b Author: Sabyrzhan Tasbolatov Date: Tue Nov 12 20:58:16 2024 +0500 drivers/usb/serial: refactor min with min_t Ensure type safety by using min_t() instead of casted min(). Signed-off-by: Sabyrzhan Tasbolatov Link: https://lore.kernel.org/r/20241112155817.3512577-8-snovitoll@gmail.com Signed-off-by: Greg Kroah-Hartman commit a05e885dd2254bf0c31e00b74089d261e2a5a01e Author: Sabyrzhan Tasbolatov Date: Tue Nov 12 20:58:15 2024 +0500 drivers/usb/musb: refactor min/max with min_t/max_t Ensure type safety by using min_t()/max_t() instead of casted min()/max(). Signed-off-by: Sabyrzhan Tasbolatov Link: https://lore.kernel.org/r/20241112155817.3512577-7-snovitoll@gmail.com Signed-off-by: Greg Kroah-Hartman commit fa3b4b9bc74c999457bce3a06d595e9aca814646 Author: Sabyrzhan Tasbolatov Date: Tue Nov 12 20:58:14 2024 +0500 drivers/usb/mon: refactor min with min_t Ensure type safety by using min_t() instead of casted min(). Signed-off-by: Sabyrzhan Tasbolatov Link: https://lore.kernel.org/r/20241112155817.3512577-6-snovitoll@gmail.com Signed-off-by: Greg Kroah-Hartman commit 9a0c58d025e8a01e726432006788a4b6f3179da2 Author: Sabyrzhan Tasbolatov Date: Tue Nov 12 20:58:13 2024 +0500 drivers/usb/misc: refactor min with min_t Ensure type safety by using min_t() instead of min(). Also add the explicit `unsigned int` as scripts/checkpatch.pl warns about: WARNING: Prefer 'unsigned int' to bare use of 'unsigned' Signed-off-by: Sabyrzhan Tasbolatov Link: https://lore.kernel.org/r/20241112155817.3512577-5-snovitoll@gmail.com Signed-off-by: Greg Kroah-Hartman commit 982883b010d7fe485e7772d6e9347365df66130a Author: Sabyrzhan Tasbolatov Date: Tue Nov 12 20:58:12 2024 +0500 drivers/usb/host: refactor min/max with min_t/max_t Ensure type safety by using min_t/max_t instead of casted min/max. Signed-off-by: Sabyrzhan Tasbolatov Link: https://lore.kernel.org/r/20241112155817.3512577-4-snovitoll@gmail.com Signed-off-by: Greg Kroah-Hartman commit 28d96b7a925309a6a8024620d83a113f75a02b0d Author: Sabyrzhan Tasbolatov Date: Tue Nov 12 20:58:11 2024 +0500 drivers/usb/core: refactor max with max_t Ensure type safety by using max_t() instead of max(). Signed-off-by: Sabyrzhan Tasbolatov Link: https://lore.kernel.org/r/20241112155817.3512577-3-snovitoll@gmail.com Signed-off-by: Greg Kroah-Hartman commit b7d49096d595c3413420b02e7851e8b5524353bf Author: Sabyrzhan Tasbolatov Date: Tue Nov 12 20:58:10 2024 +0500 drivers/usb/gadget: refactor min with min_t Ensure type safety by using min_t() instead of casted min(). Signed-off-by: Sabyrzhan Tasbolatov Link: https://lore.kernel.org/r/20241112155817.3512577-2-snovitoll@gmail.com Signed-off-by: Greg Kroah-Hartman commit 21ccadc64dae18bd092f1255bdbaf595f53381d5 Author: Melody Olvera Date: Mon Nov 11 16:35:44 2024 -0800 regulator: dt-bindings: qcom,rpmh: Correct PM8550VE supplies The PM8550VE has two more supplies (s1-8) than the PM8550VS (s1-6), so move to a correct if:then: clause to accurately reflect that. Fixes: 902f8c9830c3 ("regulator: dt-bindings: qcom,rpmh: Correct PM8550 family supplies") Signed-off-by: Melody Olvera Acked-by: Rob Herring (Arm) Link: https://patch.msgid.link/20241112003544.2807368-1-quic_molvera@quicinc.com Signed-off-by: Mark Brown commit de35b06bf15cb56c96c7a69474e305852cc170e3 Author: Bard Liao Date: Wed Nov 13 14:41:33 2024 +0800 ASoC: sdca: test adev before calling acpi_dev_for_each_child sdca_lookup_functions may be called by a Peripheral that is not listed in the ACPI table. Testing adev is required to avoid kernel NULL pointer dereference. Fixes: 3a513da1ae33 ("ASoC: SDCA: add initial module") Signed-off-by: Bard Liao Reviewed-by: Péter Ujfalusi Reviewed-by: Liam Girdwood Reviewed-by: Ranjani Sridharan Link: https://patch.msgid.link/20241113064133.162501-1-yung-chuan.liao@linux.intel.com Signed-off-by: Mark Brown commit fb5e67c9d03b4a65fd43acc18cbafffff15bd8f9 Author: Colin Ian King Date: Wed Nov 13 13:08:07 2024 +0000 ASoC: SOF: ipc4-topology: remove redundant assignment to variable ret The variable ret is being assigned a zero value however the value is never read because ret is being re-assigned later after the end of the switch statement. The assignment is redundant and can be removed. Signed-off-by: Colin Ian King Link: https://patch.msgid.link/20241113130807.1386754-1-colin.i.king@gmail.com Signed-off-by: Mark Brown commit 76b5a3b2afdce1460dcd06221f7aa8eb2b807b1f Author: Vijendar Mukunda Date: Wed Nov 13 17:22:23 2024 +0530 ASoC: amd: ps: fix the pcm device numbering for acp 6.3 platform Fixed PCM device numbering is required for defining common alsa ucm changes for generic soundwire machine driver for legacy(No DSP) stack. Ex: For Headphone playback use case, use PCM device number as 0. For Headset mic Capture use case, PCM device number as 1. Set the 'use_dai_pcm_id' flag true in soundwire dma driver for acp 6.3 platform. This will fix the pcm device numbering based on dai_link->id. Signed-off-by: Vijendar Mukunda Link: https://patch.msgid.link/20241113115223.3274868-7-Vijendar.Mukunda@amd.com Signed-off-by: Mark Brown commit 2981d9b0789c44b7375e7d599caf71bd843afc9e Author: Vijendar Mukunda Date: Wed Nov 13 17:22:22 2024 +0530 ASoC: amd: acp: add soundwire machine driver for legacy stack Add SoundWire machine driver for legacy(No DSP) stack for ACP6.3 platform. Signed-off-by: Vijendar Mukunda Link: https://patch.msgid.link/20241113115223.3274868-6-Vijendar.Mukunda@amd.com Signed-off-by: Mark Brown commit 393347cc10ea24c9f93b45e8e2f90fcc48ab1d8e Author: Vijendar Mukunda Date: Wed Nov 13 17:22:21 2024 +0530 ASoC: amd: acp: move get_acp63_cpu_pin_id() to common file get_acp63_cpu_pin_id() is the common SoundWire machine driver helper function will be used for AMD Legacy(No DSP) generic SoundWire machine driver as well. Move get_acp63_cpu_pin_id() function to common place holder. Signed-off-by: Vijendar Mukunda Link: https://patch.msgid.link/20241113115223.3274868-5-Vijendar.Mukunda@amd.com Signed-off-by: Mark Brown commit 56d540befd5940dc34b4e22cc9b8ce9bb45946f7 Author: Vijendar Mukunda Date: Wed Nov 13 17:22:20 2024 +0530 ASoC: amd: ps: add soundwire machines for acp6.3 platform Add SoundWire machines for acp 6.3 platform for legacy(No DSP) stack. Signed-off-by: Vijendar Mukunda Link: https://patch.msgid.link/20241113115223.3274868-4-Vijendar.Mukunda@amd.com Signed-off-by: Mark Brown commit 7d3fe292efb637d1f748926390a3a4cc90c4c4e9 Author: Vijendar Mukunda Date: Wed Nov 13 17:22:19 2024 +0530 ASoC: amd: acp: add RT711, RT714 & RT1316 support for acp 6.3 platform This patch add supports for corresponding codecs on acp6.3 platform hardware configuration. SDW0: RT711 Jack SDW0: RT1316 Left Speaker SDW0: RT1316 Right Speaker SDW1: RT714 DMIC Signed-off-by: Vijendar Mukunda Link: https://patch.msgid.link/20241113115223.3274868-3-Vijendar.Mukunda@amd.com Signed-off-by: Mark Brown commit 804aaa9df6c3bf9744205ae51cad084ee97567bc Author: Vijendar Mukunda Date: Wed Nov 13 17:22:18 2024 +0530 ASoC: amd: acp: add rt722 based soundwire machines Add RT722 based soundwire machines for legacy(NO DSP) stack for acp 6.3 platform. Signed-off-by: Vijendar Mukunda Link: https://patch.msgid.link/20241113115223.3274868-2-Vijendar.Mukunda@amd.com Signed-off-by: Mark Brown commit afe9803e3b82f0d05b6848a854604dcaaeb5ded0 Author: Melody Olvera Date: Mon Nov 11 16:28:43 2024 -0800 pinctrl: qcom: Add sm8750 pinctrl driver Add TLMM pinctrl driver to support pin configuration with pinctrl framework for sm8750 SoC. Signed-off-by: Melody Olvera Reviewed-by: Bjorn Andersson Link: https://lore.kernel.org/20241112002843.2804490-3-quic_molvera@quicinc.com Signed-off-by: Linus Walleij commit b02e9f9172cedc0d0e0417fb91b79f24794cbf02 Author: Melody Olvera Date: Mon Nov 11 16:28:42 2024 -0800 dt-bindings: pinctrl: qcom: Add sm8750 pinctrl Add documentation for the Qualcomm sm8750 tlmm. Signed-off-by: Melody Olvera Reviewed-by: Krzysztof Kozlowski Reviewed-by: Bjorn Andersson Link: https://lore.kernel.org/20241112002843.2804490-2-quic_molvera@quicinc.com Signed-off-by: Linus Walleij commit 8560b2775a08bf511576a18922c3bde920e69494 Author: Suma Hegde Date: Tue Nov 12 12:04:50 2024 +0000 platform/x86/amd/hsmp: Change the error type When file is opened in WRITE only mode, then GET messages are not allowed and when file is opened in READ only mode, SET messages are not allowed. In these scenerios, return error EPERM to userspace instead of EINVAL. Signed-off-by: Suma Hegde Reviewed-by: Naveen Krishna Chatradhi Link: https://lore.kernel.org/r/20241112120450.2407125-2-suma.hegde@amd.com Reviewed-by: Ilpo Järvinen Signed-off-by: Ilpo Järvinen commit 996b318e6fce255035efd555837d1250433bb0e7 Author: Suma Hegde Date: Tue Nov 12 12:04:49 2024 +0000 platform/x86/amd/hsmp: Add new error code and error logs Firmware is updated to send HSMP_ERR_PREREQ_NOT_SATISFIED(0xFD) and HSMP_ERR_SMU_BUSY(0xFC) error codes. Add them here. Add error logs to make it easy to understand the failure reason for different error conditions. Replace pr_err() with dev_err() to identify the driver printing the error. Signed-off-by: Suma Hegde Reviewed-by: Naveen Krishna Chatradhi Link: https://lore.kernel.org/r/20241112120450.2407125-1-suma.hegde@amd.com Reviewed-by: Ilpo Järvinen Signed-off-by: Ilpo Järvinen commit bd17863a708692bbd7a265212daf8a3aa4a3d0b7 Author: Basavaraj Natikar Date: Tue Nov 12 22:33:07 2024 +0530 platform/x86/amd: amd_3d_vcache: Add sysfs ABI documentation Add documentation for the amd_3d_vcache sysfs bus platform driver interface so that userspace applications can use it to change mode preferences, either frequency or cache. Co-developed-by: Perry Yuan Signed-off-by: Perry Yuan Co-developed-by: Mario Limonciello Signed-off-by: Mario Limonciello Reviewed-by: Shyam Sundar S K Reviewed-by: Armin Wolf Reviewed-by: Ilpo Järvinen Signed-off-by: Basavaraj Natikar Link: https://lore.kernel.org/r/20241112170307.3745777-3-Basavaraj.Natikar@amd.com Signed-off-by: Ilpo Järvinen commit 5a67c0d1c8bdcdba5dff49cfbf0d4c453b827a9d Author: Basavaraj Natikar Date: Tue Nov 12 22:33:06 2024 +0530 platform/x86/amd: amd_3d_vcache: Add AMD 3D V-Cache optimizer driver AMD X3D processors, also known as AMD 3D V-Cache, feature dual Core Complex Dies (CCDs) and enlarged L3 cache, enabling dynamic mode switching between Frequency and Cache modes. To optimize performance, implement the AMD 3D V-Cache Optimizer, which allows selecting either: Frequency mode: cores within the faster CCD are prioritized before those in the slower CCD. Cache mode: cores within the larger L3 CCD are prioritized before those in the smaller L3 CCD. Co-developed-by: Perry Yuan Signed-off-by: Perry Yuan Co-developed-by: Mario Limonciello Signed-off-by: Mario Limonciello Reviewed-by: Shyam Sundar S K Reviewed-by: Armin Wolf Signed-off-by: Basavaraj Natikar Link: https://lore.kernel.org/r/20241112170307.3745777-2-Basavaraj.Natikar@amd.com Reviewed-by: Ilpo Järvinen Signed-off-by: Ilpo Järvinen commit e200565d434b66e5b2bfc3b143b66b8ca29666ad Author: Heiko Carstens Date: Thu Nov 7 16:11:53 2024 +0100 s390/cio/ioasm: Convert to use flag output macros Use flag output macros in inline asm to allow for better code generation if the compiler has support for the flag output constraint. Reviewed-by: Juergen Christ Signed-off-by: Heiko Carstens commit f62ad9073ae3f3a024a1abe7860d5356b2ec868e Author: Heiko Carstens Date: Thu Nov 7 16:11:52 2024 +0100 s390/cio/qdio: Convert to use flag output macros Use flag output macros in inline asm to allow for better code generation if the compiler has support for the flag output constraint. Reviewed-by: Juergen Christ Signed-off-by: Heiko Carstens commit 6816e2124d6a23158af8eef27ca0b93c740e1634 Author: Heiko Carstens Date: Thu Nov 7 16:11:51 2024 +0100 s390/sclp: Convert to use flag output macros Use flag output macros in inline asm to allow for better code generation if the compiler has support for the flag output constraint. Reviewed-by: Juergen Christ Signed-off-by: Heiko Carstens commit cd5e5a3723001aa750ed64c97e36872f8b0a6fb0 Author: Heiko Carstens Date: Thu Nov 7 16:11:50 2024 +0100 s390/dasd: Convert to use flag output macros Use flag output macros in inline asm to allow for better code generation if the compiler has support for the flag output constraint. Reviewed-by: Juergen Christ Signed-off-by: Heiko Carstens commit d80888232e44a4a648a719c5fc1658d8776c3f5b Author: Heiko Carstens Date: Thu Nov 7 16:11:49 2024 +0100 s390/boot/physmem: Convert to use flag output macros Use flag output macros in inline asm to allow for better code generation if the compiler has support for the flag output constraint. Reviewed-by: Juergen Christ Signed-off-by: Heiko Carstens commit 0eb597bd81ac8aa6803bd9ca91849f627a16396f Author: Heiko Carstens Date: Thu Nov 7 16:11:48 2024 +0100 s390/pci: Convert to use flag output macros Use flag output macros in inline asm to allow for better code generation if the compiler has support for the flag output constraint. Reviewed-by: Niklas Schnelle Tested-by: Niklas Schnelle Reviewed-by: Juergen Christ Signed-off-by: Heiko Carstens commit 4e20996f0dc51acd37ea4c2fbcb53df3e33dc9f7 Author: Heiko Carstens Date: Thu Nov 7 16:11:47 2024 +0100 s390/kvm: Convert to use flag output macros Use flag output macros in inline asm to allow for better code generation if the compiler has support for the flag output constraint. Reviewed-by: Juergen Christ Signed-off-by: Heiko Carstens commit 0b7265ae169ac64bdc3ac3de536c32e38ec249af Author: Heiko Carstens Date: Thu Nov 7 16:11:46 2024 +0100 s390/extmem: Convert to use flag output macros Use flag output macros in inline asm to allow for better code generation if the compiler has support for the flag output constraint. Reviewed-by: Juergen Christ Signed-off-by: Heiko Carstens commit 0caf91f6d695dac811b7959c98625238390ad075 Author: Heiko Carstens Date: Thu Nov 7 16:11:45 2024 +0100 s390/string: Convert to use flag output macros Use flag output macros in inline asm to allow for better code generation if the compiler has support for the flag output constraint. Reviewed-by: Juergen Christ Signed-off-by: Heiko Carstens commit a6122f690af6deefc67cc95a7d8139e63bdbdb39 Author: Heiko Carstens Date: Thu Nov 7 16:11:44 2024 +0100 s390/diag: Convert to use flag output macros Use flag output macros in inline asm to allow for better code generation if the compiler has support for the flag output constraint. Reviewed-by: Juergen Christ Signed-off-by: Heiko Carstens commit 5a5897d65b6f7b3c0f2dd39dcffa9b08317942a9 Author: Heiko Carstens Date: Thu Nov 7 16:11:43 2024 +0100 s390/irq: Convert to use flag output macros Use flag output macros in inline asm to allow for better code generation if the compiler has support for the flag output constraint. Reviewed-by: Juergen Christ Signed-off-by: Heiko Carstens commit 553ed6d88a31fce30656ae5dab50a2f0625f9008 Author: Heiko Carstens Date: Thu Nov 7 16:11:42 2024 +0100 s390/smp: Convert to use flag output macros Use flag output macros in inline asm to allow for better code generation if the compiler has support for the flag output constraint. Reviewed-by: Juergen Christ Signed-off-by: Heiko Carstens commit 3611a2367c3f9192f3fb14c51020fc7476c174fe Author: Heiko Carstens Date: Thu Nov 7 16:11:41 2024 +0100 s390/uv: Convert to use flag output macros Use flag output macros in inline asm to allow for better code generation if the compiler has support for the flag output constraint. Reviewed-by: Juergen Christ Signed-off-by: Heiko Carstens commit f07a788895bf16a8dd5468a7b3bb3125c110800f Author: Heiko Carstens Date: Thu Nov 7 16:11:40 2024 +0100 s390/pai: Convert to use flag output macros Use flag output macros in inline asm to allow for better code generation if the compiler has support for the flag output constraint. Reviewed-by: Juergen Christ Signed-off-by: Heiko Carstens commit 9ce8bc0cb42b5054a005d4012e7672b078855a28 Author: Heiko Carstens Date: Thu Nov 7 16:11:39 2024 +0100 s390/mm: Convert to use flag output macros Use flag output macros in inline asm to allow for better code generation if the compiler has support for the flag output constraint. Reviewed-by: Juergen Christ Signed-off-by: Heiko Carstens commit fbe057e874c7037982dea38235e8b9a9be05a8d5 Author: Heiko Carstens Date: Thu Nov 7 16:11:38 2024 +0100 s390/cpu_mf: Convert to use flag output macros Use flag output macros in inline asm to allow for better code generation if the compiler has support for the flag output constraint. Reviewed-by: Juergen Christ Signed-off-by: Heiko Carstens commit ca6dd1faa0220483cb2f9d22e0556ba9d48c90bd Author: Heiko Carstens Date: Thu Nov 7 16:11:37 2024 +0100 s390/cpcmd: Convert to use flag output macros Use flag output macros in inline asm to allow for better code generation if the compiler has support for the flag output constraint. Reviewed-by: Juergen Christ Signed-off-by: Heiko Carstens commit d4e50cfe9c75f4d3caab62c7227152db10d23c82 Author: Heiko Carstens Date: Thu Nov 7 16:11:36 2024 +0100 s390/topology: Convert to use flag output macros Use flag output macros in inline asm to allow for better code generation if the compiler has support for the flag output constraint. Reviewed-by: Juergen Christ Signed-off-by: Heiko Carstens commit 81c54fc570fe7eb5ab66f8a4f7b8d515e2426cf4 Author: Heiko Carstens Date: Thu Nov 7 16:11:35 2024 +0100 s390/time: Convert to use flag output macros Use flag output macros in inline asm to allow for better code generation if the compiler has support for the flag output constraint. Reviewed-by: Juergen Christ Signed-off-by: Heiko Carstens commit 34c4812366edaa8383efc3221f35d713a3ee1ced Author: Heiko Carstens Date: Thu Nov 7 16:11:34 2024 +0100 s390/pageattr: Convert to use flag output macros Use flag output macros in inline asm to allow for better code generation if the compiler has support for the flag output constraint. Reviewed-by: Juergen Christ Signed-off-by: Heiko Carstens commit eade39cc724c3ba08541ebca4b1b4c4bf19c49a5 Author: Heiko Carstens Date: Thu Nov 7 16:11:33 2024 +0100 s390/sthyi: Convert to use flag output macros Use flag output macros in inline asm to allow for better code generation if the compiler has support for the flag output constraint. Reviewed-by: Juergen Christ Signed-off-by: Heiko Carstens commit e7583c5f8d0e0aa34178b6f34a89f81090393c64 Author: Heiko Carstens Date: Thu Nov 7 16:11:32 2024 +0100 s390/asm: Helper macros for flag output operand handling Since gcc supports flag out operands for inline assemblies there is always the question when this feature should be used and if it is worth all the ifdefs that come with that. In order to avoid that provide similar macros like x86 which can be used for all inline assemblies which extract the condition code. Depending on compiler features the generated code will either always contain an ipm+srl instruction pair, which extracts the condition code, or alternatively let the compiler handle this completely. Suggested-by: Juergen Christ Reviewed-by: Juergen Christ Signed-off-by: Heiko Carstens commit 2f4b3b83b8c6e798a2e581521f00933d0f9ec777 Author: Peter Oberparleiter Date: Thu Nov 7 15:50:36 2024 +0100 s390/cio: Externalize full CMG characteristics The current "measurement_chars" CHPID sysfs attribute exposes only a limited, validity-filtered portion of data from the associated Channel- Measurements Characteristics Block (CMCB). New machine models add data that is relevant for userspace tooling to the "header"-portion of the CMCB. This data that is not currently accessible to userspace. To prevent having to add new sysfs attributes whenever a new bit of data is added to the CMCB "header", add a new sysfs attribute named "measurement_chars_full" that exposes the full, unfiltered CMCB. Signed-off-by: Peter Oberparleiter Reviewed-by: Vineeth Vijayan Signed-off-by: Heiko Carstens commit f3c605147741e0ad8f1c51a7decef2040debfd16 Author: Simon Trimmer Date: Tue Nov 12 13:14:34 2024 +0000 spi: cs42l43: Add GPIO speaker id support to the bridge configuration OEMs can use the spk-id-gpios ACPI property to indicate the type of speakers fitted to a device. Attempt to read a spk-id value using the GPIO method when a usable spk-id value is not obtained from the 01fa-spk-id-val ACPI property. Obtaining the spk-id value has been moved earlier in the function to the other sidecar block, so that an -EPROBE_DEFER from a GPIO driver is handled more efficiently. Signed-off-by: Simon Trimmer Signed-off-by: Charles Keepax Link: https://patch.msgid.link/20241112131434.678882-1-ckeepax@opensource.cirrus.com Signed-off-by: Mark Brown commit 581d24052a4e5ee59c8b1b08b640365ffb2d6386 Author: Andy Shevchenko Date: Sun Nov 10 22:59:46 2024 +0200 pinctrl: cy8c95x0: remove unneeded goto labels In some cases the code uses goto labels to just return an error code. Replace those with direct return:s and drop unneeded goto labels. Signed-off-by: Andy Shevchenko Link: https://lore.kernel.org/20241110210040.18918-7-andy.shevchenko@gmail.com Signed-off-by: Linus Walleij commit ab899a0ec3cb0748f67ca66a14615dadfa6304e7 Author: Andy Shevchenko Date: Sun Nov 10 22:59:45 2024 +0200 pinctrl: cy8c95x0: embed iterator to the for-loop When we iterate through nports the iterator variable is effectively being not used outside of the loop. Make it clear by moving its definition into the for-loop. This makes code cleaner as well. Signed-off-by: Andy Shevchenko Link: https://lore.kernel.org/20241110210040.18918-6-andy.shevchenko@gmail.com Signed-off-by: Linus Walleij commit e1b47291bdcf0416337a535a52786fb55810f00d Author: Andy Shevchenko Date: Sun Nov 10 22:59:44 2024 +0200 pinctrl: cy8c95x0: Use temporary variable for struct device Use a temporary variable for the struct device pointers to avoid dereferencing. This makes code a bit neater. Signed-off-by: Andy Shevchenko Link: https://lore.kernel.org/20241110210040.18918-5-andy.shevchenko@gmail.com Signed-off-by: Linus Walleij commit f8bd5383d8b67e08153123718d0fb6e92a70f838 Author: Andy Shevchenko Date: Sun Nov 10 22:59:43 2024 +0200 pinctrl: cy8c95x0: use flexible sleeping in reset function The device reset assert and deassert length was created by usleep_range() but that does not ensure optimal handling of all the different values from device tree properties. By switching to the new flexible sleeping helper function, fsleep(), the correct delay function is called depending on delay length, e.g. udelay(), usleep_range() or msleep(). While at it, move out GPIO consumer name setting of the reset conditional, the all necessary checks are already done there, so logically that call is not related to the reset sequence. Signed-off-by: Andy Shevchenko Link: https://lore.kernel.org/20241110210040.18918-4-andy.shevchenko@gmail.com Signed-off-by: Linus Walleij commit c13411c6fae68f8e4b35d111d955eaa1d49a8f5f Author: Andy Shevchenko Date: Sun Nov 10 22:59:42 2024 +0200 pinctrl: cy8c95x0: switch to using devm_regulator_get_enable() The driver does not actively manage regulator state past probe() time, so we can use devm_regulator_get_enable() to simplify the code. Signed-off-by: Andy Shevchenko Link: https://lore.kernel.org/20241110210040.18918-3-andy.shevchenko@gmail.com Signed-off-by: Linus Walleij commit b7e9fc3361c3f0836833dc2edba3dfef054a338a Author: Andy Shevchenko Date: Sun Nov 10 22:59:41 2024 +0200 pinctrl: cy8c95x0: Use 2-argument strscpy() Use 2-argument strscpy(), which is not only shorter but also provides an additional check that destination buffer is an array. Signed-off-by: Andy Shevchenko Link: https://lore.kernel.org/20241110210040.18918-2-andy.shevchenko@gmail.com Signed-off-by: Linus Walleij commit 39bb1bf0b49495e70d0763a143ad889925c3d373 Merge: 3a6ffeb1279738 8182a8b39aa227 Author: Christian Brauner Date: Tue Nov 12 14:44:36 2024 +0100 Merge patch series "two little writeback cleanups v2" Christoph Hellwig says: This fixes one (of multiple) sparse warnings in fs-writeback.c, and then reshuffles the code a bit that only the proper high level API instead of low-level helpers is exported. * patches from https://lore.kernel.org/r/20241112054403.1470586-1-hch@lst.de: writeback: wbc_attach_fdatawrite_inode out of line writeback: add a __releases annoation to wbc_attach_and_unlock_inode Link: https://lore.kernel.org/r/20241112054403.1470586-1-hch@lst.de Signed-off-by: Christian Brauner commit 3a6ffeb127973806704655fe5fcd92141a5e83d5 Merge: c4d7d90747f4e8 44010543fc8bed Author: Christian Brauner Date: Tue Nov 12 14:37:27 2024 +0100 Merge patch series "fs: allow statmount to fetch the fs_subtype and sb_source" Jeff Layton says: Meta has some internal logging that scrapes /proc/self/mountinfo today. I'd like to convert it to use listmount()/statmount(), so we can do a better job of monitoring with containers. We're missing some fields though. This patchset adds them. * patches from https://lore.kernel.org/r/20241111-statmount-v4-0-2eaf35d07a80@kernel.org: fs: add the ability for statmount() to report the sb_source fs: add the ability for statmount() to report the fs_subtype fs: don't let statmount return empty strings Link: https://lore.kernel.org/r/20241111-statmount-v4-0-2eaf35d07a80@kernel.org Signed-off-by: Christian Brauner commit 44010543fc8bedad172aa5b6c43480e5d2124497 Author: Jeff Layton Date: Mon Nov 11 10:09:57 2024 -0500 fs: add the ability for statmount() to report the sb_source /proc/self/mountinfo displays the source for the mount, but statmount() doesn't yet have a way to return it. Add a new STATMOUNT_SB_SOURCE flag, claim the 32-bit __spare1 field to hold the offset into the str[] array. Reviewed-by: Jan Kara Signed-off-by: Jeff Layton Link: https://lore.kernel.org/r/20241111-statmount-v4-3-2eaf35d07a80@kernel.org Acked-by: Miklos Szeredi Signed-off-by: Christian Brauner commit 31a1f8752f7df7e3d8122054fbef02a9a8bff38f Merge: 8545b75bc414f0 219cecbb3e8646 Author: David S. Miller Date: Wed Nov 13 13:06:04 2024 +0000 Merge branch 'phy-mediatek-reorg' Sky Huang says: ==================== Re-organize MediaTek ethernet phy drivers and propose mtk-phy-lib This patchset comes from patch 1/9, 3/9, 4/9, 5/9 and 7/9 of: https://lore.kernel.org/netdev/20241004102413.5838-1-SkyLake.Huang@mediatek.com/ This patchset changes MediaTek's ethernet phy's folder structure and integrates helper functions, including LED & token ring manipulation, into mtk-phy-lib. --- Change in v2: - Add correct Reviewed-by tag in each patch. Change in v3: [patch 4/5] - Fix kernel test robot error by adding missing MTK_NET_PHYLIB. ==================== Signed-off-by: Sky Huang commit 219cecbb3e864685a1f08bcb79ce07d9bc4f506e Author: SkyLake.Huang Date: Sat Nov 9 00:34:55 2024 +0800 net: phy: mediatek: add MT7530 & MT7531's PHY ID macros This patch adds MT7530 & MT7531's PHY ID macros in mtk-ge.c so that it follows the same rule of mtk-ge-soc.c. Reviewed-by: Andrew Lunn Signed-off-by: SkyLake.Huang Signed-off-by: David S. Miller commit 3cb1a3c9cbaaadaf91437374b96ec72256c40db2 Author: SkyLake.Huang Date: Sat Nov 9 00:34:54 2024 +0800 net: phy: mediatek: Integrate read/write page helper functions This patch integrates read/write page helper functions as MTK phy lib. They are basically the same in mtk-ge.c & mtk-ge-soc.c. Signed-off-by: SkyLake.Huang Signed-off-by: David S. Miller commit 477c200aa7d2b17e0909e6394fe020867fed8f48 Author: SkyLake.Huang Date: Sat Nov 9 00:34:53 2024 +0800 net: phy: mediatek: Improve readability of mtk-phy-lib.c's mtk_phy_led_hw_ctrl_set() This patch removes parens around TRIGGER_NETDEV_RX/TRIGGER_NETDEV_TX in mtk_phy_led_hw_ctrl_set(), which improves readability. Reviewed-by: Andrew Lunn Signed-off-by: SkyLake.Huang Signed-off-by: David S. Miller commit 7f9c320c98dbca18934afa80306015eb71c05a6c Author: SkyLake.Huang Date: Sat Nov 9 00:34:52 2024 +0800 net: phy: mediatek: Move LED helper functions into mtk phy lib This patch creates mtk-phy-lib.c & mtk-phy.h and integrates mtk-ge-soc.c's LED helper functions so that we can use those helper functions in other MTK's ethernet phy driver. Reviewed-by: Andrew Lunn Signed-off-by: SkyLake.Huang Signed-off-by: David S. Miller commit 4c452f7ea86212934ae896842847d1671e13a18b Author: SkyLake.Huang Date: Sat Nov 9 00:34:51 2024 +0800 net: phy: mediatek: Re-organize MediaTek ethernet phy drivers Re-organize MediaTek ethernet phy driver files and get ready to integrate some common functions and add new 2.5G phy driver. mtk-ge.c: MT7530 Gphy on MT7621 & MT7531 Gphy mtk-ge-soc.c: Built-in Gphy on MT7981 & Built-in switch Gphy on MT7988 mtk-2p5ge.c: Planned for built-in 2.5G phy on MT7988 Reviewed-by: Andrew Lunn Signed-off-by: SkyLake.Huang Signed-off-by: David S. Miller commit b773c086ed58c7e9111a4d4f251a98db3d4165d8 Author: Takashi Iwai Date: Wed Nov 13 08:23:03 2024 +0100 ALSA: compress_offload: Add missing descriptions in structs Add the missing descriptions for snd_compr_ops, snd_compr_task and snd_compr_task_status fields, in order to shut up the build warnings. Fixes: 04177158cf98 ("ALSA: compress_offload: introduce accel operation mode") Reported-by: Stephen Rothwell Closes: https://lore.kernel.org/20241028193731.4b0c3788@canb.auug.org.au Link: https://patch.msgid.link/20241113072304.4447-1-tiwai@suse.de Signed-off-by: Takashi Iwai commit 08b97fbd13de79744b31d2b3c8a0ab1a409b94fa Author: Rob Herring (Arm) Date: Mon Nov 4 13:05:06 2024 -0600 clocksource/drivers/arm_arch_timer: Use of_property_present() for non-boolean properties The use of of_property_read_bool() for non-boolean properties is deprecated in favor of of_property_present() when testing for property presence. Signed-off-by: Rob Herring (Arm) Link: https://lore.kernel.org/r/20241104190505.272805-2-robh@kernel.org Signed-off-by: Daniel Lezcano commit 5569d7348b4a927eb5a2449ddc175ec7c3930c4d Author: Tang Bin Date: Thu Nov 7 15:46:19 2024 +0800 clocksource/drivers/gpx: Remove redundant casts In the function gxp_timer_init, the 'int' type cast in front of the PTR_ERR() macro is redundant, thus remove it. Signed-off-by: Tang Bin Link: https://lore.kernel.org/r/20241107074619.2714-1-tangbin@cmss.chinamobile.com Signed-off-by: Daniel Lezcano commit e5cfc0989d9a2849c51c720a16b90b2c061a1aeb Author: Javier Carrasco Date: Thu Oct 31 13:54:23 2024 +0100 clocksource/drivers/timer-ti-dm: Fix child node refcount handling of_find_compatible_node() increments the node's refcount, and it must be decremented again with a call to of_node_put() when the pointer is no longer required to avoid leaking the resource. Instead of adding the missing calls to of_node_put() in all execution paths, use the cleanup attribute for 'arm_timer' by means of the __free() macro, which automatically calls of_node_put() when the variable goes out of scope. Fixes: 25de4ce5ed02 ("clocksource/drivers/timer-ti-dm: Handle dra7 timer wrap errata i940") Signed-off-by: Javier Carrasco Link: https://lore.kernel.org/r/20241031-timer-ti-dm-systimer-of_node_put-v3-1-063ee822b73a@gmail.com Signed-off-by: Daniel Lezcano commit ae4705e1b1bc4dedceb6b0956509e3eb2fedaaf1 Author: Ivaylo Ivanov Date: Sun Nov 3 14:35:11 2024 +0200 dt-bindings: timer: actions,owl-timer: convert to YAML Convert the Actions Semi Owl timer bindings to DT schema. Changes during conversion: - Add a description - Add "clocks" as a required property, since the driver searches for it - Correct the given example according to owl-s500.dtsi Signed-off-by: Ivaylo Ivanov Reviewed-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20241103123513.2890107-1-ivo.ivanov.ivanov1@gmail.com Signed-off-by: Daniel Lezcano commit cd5375610baadd3a0842a9e83ca502684f938be8 Author: Sergio Paracuellos Date: Mon Oct 28 21:36:43 2024 +0100 clocksource/drivers/ralink: Add Ralink System Tick Counter driver System Tick Counter is present on Ralink SoCs RT3352 and MT7620. This driver has been in 'arch/mips/ralink' directory since the beggining of Ralink architecture support. However, it can be moved into a more proper place in 'drivers/clocksource'. Hence add it here adding also support for compile test targets and reducing LOC in architecture code folder. Signed-off-by: Sergio Paracuellos Link: https://lore.kernel.org/r/20241028203643.191268-2-sergio.paracuellos@gmail.com Signed-off-by: Daniel Lezcano commit dfe101bcad840d025deb5e43150d54050ab7724d Author: Paul Burton Date: Sat Oct 19 09:10:30 2024 +0200 clocksource/drivers/mips-gic-timer: Always use cluster 0 counter as clocksource In a multi-cluster MIPS system, there are multiple GICs - one in each cluster - each of which has its independent counter. The counters in each GIC are not synchronized in any way, so they can drift relative to one another through the lifetime of the system. This is problematic for a clock source which ought to be global. Avoid problems by always accessing cluster 0's counter, using cross-cluster register access. This adds overhead so it is applied only on multi-cluster systems. Signed-off-by: Paul Burton Signed-off-by: Chao-ying Fu Signed-off-by: Dragan Mladjenovic Signed-off-by: Aleksandar Rikalo Tested-by: Serge Semin Acked-by: Thomas Bogendoerfer Tested-by: Gregory CLEMENT Link: https://lore.kernel.org/r/20241019071037.145314-6-arikalo@gmail.com Signed-off-by: Daniel Lezcano commit 314413317b6d78cc76cd48f0296fde9fcfdec400 Author: Judith Mendez Date: Fri Oct 11 12:52:03 2024 -0500 clocksource/drivers/timer-ti-dm: Don't fail probe if int not found Some timers may not have an interrupt routed to the A53 GIC, but the timer PWM functionality can still be used by Linux Kernel. Therefore, do not fail probe if interrupt is not found and ti,timer-pwm exists. Signed-off-by: Judith Mendez Link: https://lore.kernel.org/r/20241011175203.1040568-1-jm@ti.com Signed-off-by: Daniel Lezcano commit 0309f714a0908e947af1c902cf6a330cb593e75e Author: Mark Brown Date: Tue Oct 1 12:23:56 2024 +0100 clocksource/drivers:sp804: Make user selectable The sp804 is currently only user selectable if COMPILE_TEST, this was done by commit dfc82faad725 ("clocksource/drivers/sp804: Add COMPILE_TEST to CONFIG_ARM_TIMER_SP804") in order to avoid it being spuriously offered on platforms that won't have the hardware since it's generally only seen on Arm based platforms. This config is overly restrictive, while platforms that rely on the SP804 do select it in their Kconfig there are others such as the Arm fast models which have a SP804 available but currently unused by Linux. Relax the dependency to allow it to be user selectable on arm and arm64 to avoid surprises and in case someone comes up with a use for extra timer hardware. Fixes: dfc82faad725 ("clocksource/drivers/sp804: Add COMPILE_TEST to CONFIG_ARM_TIMER_SP804") Reported-by: Ross Burton Reviewed-by: Sudeep Holla Acked-by: Mark Rutland Signed-off-by: Mark Brown Link: https://lore.kernel.org/r/20241001-arm64-vexpress-sp804-v3-1-0a2d3f7883e4@kernel.org Signed-off-by: Daniel Lezcano commit 1d58f7f3a1373734b2e86a246edcf1cd39359f3e Author: Dr. David Alan Gilbert Date: Fri Oct 25 21:31:01 2024 +0100 clocksource/drivers/dw_apb: Remove unused dw_apb_clockevent functions dw_apb_clockevent_pause(), dw_apb_clockevent_resume() and dw_apb_clockevent_stop() have been unused since 2021's commit 1b79fc4f2bfd ("x86/apb_timer: Remove driver for deprecated platform") Remove them. (Some of the other clockevent functions are still called by dw_apb_timer_of.c so I guess it is still in use?) Signed-off-by: Dr. David Alan Gilbert Link: https://lore.kernel.org/r/20241025203101.241709-1-linux@treblig.org Signed-off-by: Daniel Lezcano commit a0810c3d6dd2d29a9b92604d682eacd2902ce947 Author: Takashi Iwai Date: Wed Nov 13 12:10:39 2024 +0100 ALSA: 6fire: Release resources at card release The current 6fire code tries to release the resources right after the call of usb6fire_chip_abort(). But at this moment, the card object might be still in use (as we're calling snd_card_free_when_closed()). For avoid potential UAFs, move the release of resources to the card's private_free instead of the manual call of usb6fire_chip_destroy() at the USB disconnect callback. Fixes: c6d43ba816d1 ("ALSA: usb/6fire - Driver for TerraTec DMX 6Fire USB") Signed-off-by: Takashi Iwai Link: https://patch.msgid.link/20241113111042.15058-6-tiwai@suse.de commit b04dcbb7f7b1908806b7dc22671cdbe78ff2b82c Author: Takashi Iwai Date: Wed Nov 13 12:10:38 2024 +0100 ALSA: caiaq: Use snd_card_free_when_closed() at disconnection The USB disconnect callback is supposed to be short and not too-long waiting. OTOH, the current code uses snd_card_free() at disconnection, but this waits for the close of all used fds, hence it can take long. It eventually blocks the upper layer USB ioctls, which may trigger a soft lockup. An easy workaround is to replace snd_card_free() with snd_card_free_when_closed(). This variant returns immediately while the release of resources is done asynchronously by the card device release at the last close. This patch also splits the code to the disconnect and the free phases; the former is called immediately at the USB disconnect callback while the latter is called from the card destructor. Fixes: 523f1dce3743 ("[ALSA] Add Native Instrument usb audio device support") Signed-off-by: Takashi Iwai Link: https://patch.msgid.link/20241113111042.15058-5-tiwai@suse.de commit f86af06306a7c36451b0174e3c64bc935d04f5e5 Author: Takashi Iwai Date: Wed Nov 13 12:10:37 2024 +0100 ALSA: us122l: Drop mmap_count field us122l.mmap_count field was used for counting the hwdep mmap opens and syncing at disconnection. But such a manual sync isn't needed, as the refcount check is done in the ALSA core side. So let's drop it. Signed-off-by: Takashi Iwai Link: https://patch.msgid.link/20241113111042.15058-4-tiwai@suse.de commit b7df09bb348016943f56b09dcaafe221e3f73947 Author: Takashi Iwai Date: Wed Nov 13 12:10:36 2024 +0100 ALSA: us122l: Use snd_card_free_when_closed() at disconnection The USB disconnect callback is supposed to be short and not too-long waiting. OTOH, the current code uses snd_card_free() at disconnection, but this waits for the close of all used fds, hence it can take long. It eventually blocks the upper layer USB ioctls, which may trigger a soft lockup. An easy workaround is to replace snd_card_free() with snd_card_free_when_closed(). This variant returns immediately while the release of resources is done asynchronously by the card device release at the last close. The loop of us122l->mmap_count check is dropped as well. The check is useless for the asynchronous operation with *_when_closed(). Fixes: 030a07e44129 ("ALSA: Add USB US122L driver") Signed-off-by: Takashi Iwai Link: https://patch.msgid.link/20241113111042.15058-3-tiwai@suse.de commit dafb28f02be407e07a6f679e922a626592b481b0 Author: Takashi Iwai Date: Wed Nov 13 12:10:35 2024 +0100 ALSA: usx2y: Use snd_card_free_when_closed() at disconnection The USB disconnect callback is supposed to be short and not too-long waiting. OTOH, the current code uses snd_card_free() at disconnection, but this waits for the close of all used fds, hence it can take long. It eventually blocks the upper layer USB ioctls, which may trigger a soft lockup. An easy workaround is to replace snd_card_free() with snd_card_free_when_closed(). This variant returns immediately while the release of resources is done asynchronously by the card device release at the last close. Fixes: 230cd5e24853 ("[ALSA] prevent oops & dead keyboard on usb unplugging while the device is be ing used") Reported-by: syzbot+73582d08864d8268b6fd@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=73582d08864d8268b6fd Signed-off-by: Takashi Iwai Link: https://patch.msgid.link/20241113111042.15058-2-tiwai@suse.de commit f69c2861b05e29c69abed6aafe0cefd224d9d4db Author: Takashi Iwai Date: Wed Nov 13 12:16:27 2024 +0100 ALSA: pcm: Define snd_pcm_mmap_data_{open|close}() locally snd_pcm_mmap_data_open() and _close() are defined as inline functions in the public sound/pcm.h, but those are used only locally in pcm_native.c, hence they should be better placed there. Also, those are referred as callbacks, the useless inline is dropped. Link: https://patch.msgid.link/20241113111628.17069-1-tiwai@suse.de Signed-off-by: Takashi Iwai commit 35ff7bfb04af6d07af677357a15493ca0fbd739e Author: Paolo Bonzini Date: Wed Nov 13 07:19:23 2024 -0500 Documentation: KVM: fix malformed table Reported-by: Stephen Rothwell Fixes: 5f6a3badbb74 ("KVM: x86/mmu: Mark page/folio accessed only when zapping leaf SPTEs") Signed-off-by: Paolo Bonzini commit 2e9a2c624e5249d6ee754c372677a93c6d9ebd42 Merge: bb4409a9e78aa5 5b47f5a7257423 Author: Paolo Bonzini Date: Wed Nov 13 07:04:53 2024 -0500 Merge branch 'kvm-docs-6.13' into HEAD - Drop obsolete references to PPC970 KVM, which was removed 10 years ago. - Fix incorrect references to non-existing ioctls - List registers supported by KVM_GET/SET_ONE_REG on s390 - Use rST internal links - Reorganize the introduction to the API document commit 00e2c199cb3780357790852502a74719d14554ec Author: Srinivas Pandruvada Date: Tue Nov 12 15:59:46 2024 -0800 cpufreq: intel_pstate: Update Balance-performance EPP for Granite Rapids Update EPP default for balance_performance to 32. This will give better performance out of the box using Intel P-State powersave governor while still offering power savings compared to performance governor. This is in line with what has already been done for Emerald Rapids and Sapphire Rapids. Signed-off-by: Srinivas Pandruvada Link: https://patch.msgid.link/20241112235946.368082-1-srinivas.pandruvada@linux.intel.com [ rjw: Subject and changelog edits ] Signed-off-by: Rafael J. Wysocki commit 8545b75bc414f0fb57d822c36a55c9a2c8608a22 Merge: ef04d290c01301 6050b04dca8e21 Author: David S. Miller Date: Wed Nov 13 11:57:12 2024 +0000 Merge branch 'octeontx2-rvu-rep' Geetha sowjanya says: ==================== Introduce RVU representors This series adds representor support for each rvu devices. When switchdev mode is enabled, representor netdev is registered for each rvu device. In implementation of representor model, one NIX HW LF with multiple SQ and RQ is reserved, where each RQ and SQ of the LF are mapped to a representor. A loopback channel is reserved to support packet path between representors and VFs. CN10K silicon supports 2 types of MACs, RPM and SDP. This patch set adds representor support for both RPM and SDP MAC interfaces. - Patch 1: Implements basic representor driver. - Patch 2: Add devlink support to create representor netdevs that can be used to manage VFs. - Patch 3: Implements basec netdev_ndo_ops. - Patch 4: Installs tcam rules to route packets between representor and VFs. - Patch 5: Enables fetching VF stats via representor interface - Patch 6: Adds support to sync link state between representors and VFs . - Patch 7: Enables configuring VF MTU via representor netdevs. - Patch 8: Adds representors for sdp MAC. - Patch 9: Adds devlink port support. - Patch 10: Implements offload stats. - Patch 11: Implements tc offload support. - patch 12: Adds documentation for rvu port representor. pci/0002:1c:00.0 Command to create PF/VF representor Rpf1vf0: mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000 link/ether f6:43:83:ee:26:21 brd ff:ff:ff:ff:ff:ff Rpf1vf1: mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000 link/ether 12:b2:54:0e:24:54 brd ff:ff:ff:ff:ff:ff Rpf1vf2: mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000 link/ether 4a:12:c4:4c:32:62 brd ff:ff:ff:ff:ff:ff Rpf1vf3: mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000 link/ether ca:cb:68:0e:e2:6e brd ff:ff:ff:ff:ff:ff Rpf2vf0: mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000 link/ether 06:cc:ad:b4:f0:93 brd ff:ff:ff:ff:ff:ff ~# devlink port pci/0002:1c:00.0/0: type eth netdev Rpf1vf0 flavour physical port 0 splittable false pci/0002:1c:00.0/1: type eth netdev Rpf1vf1 flavour pcivf controller 0 pfnum 1 vfnum 1 external false splittable false pci/0002:1c:00.0/2: type eth netdev Rpf1vf2 flavour pcivf controller 0 pfnum 1 vfnum 2 external false splittable false pci/0002:1c:00.0/3: type eth netdev Rpf1vf3 flavour pcivf controller 0 pfnum 1 vfnum 3 external false splittable false ----------- v11:v1: - Submitted refactoring changes as a separate patch set. https://lore.kernel.org/netdev/20241023161843.15543-1-gakula@marvell.com/T/ - Moved documentation to a separate patch. - patch 9: Added code changes to forward updated mac address to VF. - Implemented TC offload support. v10-v11: - As suggested by "Jiri Pirko" adjusted the documentation. - Added more commit description to patch1. v9-v10: - Fixed build warning w.r.t documentation. v8-v9: - Updated the documentation. v7-v8: - Implemented offload stats ndo. - Added documentation. v6-v7: - Rebased on top net-next branch. v5-v6: - Addressed review comments provided by "Simon Horman". - Added review tag. v4-v5: - Patch 3: Removed devm_* usage in rvu_rep_create() - Patch 3: Fixed build warnings. v3-v4: - Patch 2 & 3: Fixed coccinelle reported warnings. - Patch 10: Added devlink port support. v2-v3: - Used extack for error messages. - As suggested reworked commit messages. - Fixed sparse warning. v1-v2: -Fixed build warnings. -Address review comments provided by "Kalesh Anakkur Purayil". ==================== Signed-off-by: David S. Miller commit 6050b04dca8e21146adc12b6553dd143dc8cb45c Author: Geetha sowjanya Date: Thu Nov 7 21:38:39 2024 +0530 Documentation: octeontx2: Add Documentation for RVU representors Adds documentation for creating and configuring rvu port representors Signed-off-by: Geetha sowjanya Signed-off-by: David S. Miller commit 6c40ca957fe5d5982d55fc77d86d9f8ea0b6bba6 Author: Geetha sowjanya Date: Thu Nov 7 21:38:38 2024 +0530 octeontx2-pf: Adds TC offload support Implements tc offload support for rvu representors. Usage example: - Add tc rule to drop packets with vlan id 3 using port representor(Rpf1vf0). # tc filter add dev Rpf1vf0 protocol 802.1Q parent ffff: flower vlan_id 3 vlan_ethtype ipv4 skip_sw action drop - Redirect packets with vlan id 5 and IPv4 packets to eth1, after stripping vlan header. # tc filter add dev Rpf1vf0 ingress protocol 802.1Q flower vlan_id 5 vlan_ethtype ipv4 skip_sw action vlan pop action mirred ingress redirect dev eth1 Signed-off-by: Geetha sowjanya Signed-off-by: David S. Miller commit d8dec30b51655bdab2657978982e49b6c13ce3d3 Author: Geetha sowjanya Date: Thu Nov 7 21:38:37 2024 +0530 octeontx2-pf: Implement offload stats ndo for representors Implement the offload stat ndo by fetching the HW stats of rx/tx queues attached to the representor. Signed-off-by: Geetha sowjanya Reviewed-by: Simon Horman Signed-off-by: David S. Miller commit 9ed0343f561ebcbbedb120ac9e4cc886ea41eb0c Author: Geetha sowjanya Date: Thu Nov 7 21:38:36 2024 +0530 octeontx2-pf: Add devlink port support Register devlink port for the rvu representors. Signed-off-by: Geetha sowjanya Reviewed-by: Simon Horman Signed-off-by: David S. Miller commit 2f7f33a09516a4e1857950da8c94bbd31349921d Author: Geetha sowjanya Date: Thu Nov 7 21:38:35 2024 +0530 octeontx2-pf: Add representors for sdp MAC Hardware supports different types of MACs eg RPM, SDP, LBK. LBK is for internal Tx->Rx HW loopback path. RPM and SDP MACs support ingress/egress pkt IO on interfaces with different set of capabilities like interface modes. At the time of netdev driver registration PF will seek MAC related information from Admin function driver 'drivers/net/ethernet/marvell/octeontx2/af' and sets up ingress/egress queues etc such that pkt IO on the channels of these different MACs is possible. This patch add representors for SDP MAC. Signed-off-by: Geetha sowjanya Reviewed-by: Simon Horman Signed-off-by: David S. Miller commit 3392f9190373e12cb48514a49805a7c75076b619 Author: Geetha sowjanya Date: Thu Nov 7 21:38:34 2024 +0530 octeontx2-pf: Configure VF mtu via representor Adds support to manage the mtu configuration for VF through representor. On update of representor mtu a mbox notification is send to VF to update its mtu. This feature is implemented based on the "Network Function Representors" kernel documentation. " Setting an MTU on the representor should cause that same MTU to be reported to the representee. " Signed-off-by: Sai Krishna Signed-off-by: Geetha sowjanya Reviewed-by: Simon Horman Signed-off-by: David S. Miller commit b8fea84a0468404fe3b3327ad54d583950be9dec Author: Geetha sowjanya Date: Thu Nov 7 21:38:33 2024 +0530 octeontx2-pf: Add support to sync link state between representor and VFs Implements the below requirement mentioned in the representors documentation. " The representee's link state is controlled through the representor. Setting the representor administratively UP or DOWN should cause carrier ON or OFF at the representee. " This patch enables - Reflecting the link state of representor based on the VF state and link state of VF based on representor. - On VF interface up/down a notification is sent via mbox to representor to update the link state. eg: ip link set eth0 up/down will disable carrier on/off of the corresponding representor(r0p1) interface. - On representor interface up/down will cause the link state update of VF. eg: ip link set r0p1 up/down will disable carrier on/off of the corresponding representee(eth0) interface. Signed-off-by: Harman Kalra Signed-off-by: Geetha sowjanya Reviewed-by: Simon Horman Signed-off-by: David S. Miller commit 940754a21decb9fe60901f34a9ac0b3bb8d1f778 Author: Geetha sowjanya Date: Thu Nov 7 21:38:32 2024 +0530 octeontx2-pf: Get VF stats via representor Adds support to export VF port statistics via representor netdev. Defines new mbox "NIX_LF_STATS" to fetch VF hw stats. Signed-off-by: Geetha sowjanya Reviewed-by: Simon Horman Signed-off-by: David S. Miller commit 683645a2317e59ed74f1494b6cba19ea17ac8f0e Author: Geetha sowjanya Date: Thu Nov 7 21:38:31 2024 +0530 octeontx2-af: Add packet path between representor and VF Current HW, do not support in-built switch which will forward pkts between representee and representor. When representor is put under a bridge and pkts needs to be sent to representee, then pkts from representor are sent on a HW internal loopback channel, which again will be punted to ingress pkt parser. Now the rules that this patch installs are the MCAM filters/rules which will match against these pkts and forward them to representee. The rules that this patch installs are for basic representor <=> representee path similar to Tun/TAP between VM and Host. Signed-off-by: Geetha sowjanya Reviewed-by: Simon Horman Signed-off-by: David S. Miller commit 22f858796758b5580d10b1e4f51eba39b3702b5c Author: Geetha sowjanya Date: Thu Nov 7 21:38:30 2024 +0530 octeontx2-pf: Add basic net_device_ops Implements basic set of net_device_ops. Signed-off-by: Geetha sowjanya Reviewed-by: Simon Horman Signed-off-by: David S. Miller commit 3937b7308d4fce2793fa7fa56ed0faf0f8b6dc7a Author: Geetha sowjanya Date: Thu Nov 7 21:38:29 2024 +0530 octeontx2-pf: Create representor netdev Adds initial devlink support to set/get the switchdev mode. Representor netdevs are created for each rvu devices when the switch mode is set to 'switchdev'. These netdevs are be used to control and configure VFs. Signed-off-by: Geetha sowjanya Signed-off-by: David S. Miller commit 222a4eea9c6b58897c64128366843f668292ded5 Author: Geetha sowjanya Date: Thu Nov 7 21:38:28 2024 +0530 octeontx2-pf: RVU representor driver Adds basic driver for the RVU representor. Driver on probe does pci specific initialization and does hw resources configuration. Introduces RVU_ESWITCH kernel config to enable/disable the driver. Representor and NIC shares the code but representors netdev support subset of NIC functionality. Hence "otx2_rep_dev" API helps to skip the features initialization that are not supported by the representors. Signed-off-by: Geetha sowjanya Reviewed-by: Simon Horman Signed-off-by: David S. Miller commit 295991836b23c12ddb447f7f583a17fd3616ad7d Author: Jonathan Denose Date: Tue Nov 12 22:25:17 2024 +0000 ACPI: video: force native for Apple MacbookPro11,2 and Air7,2 There is a bug in the Macbook Pro 11,2 and Air 7,2 firmware similar to what is described in: commit 7dc918daaf29 ("ACPI: video: force native for Apple MacbookPro9,2") This bug causes their backlights not to come back after resume. Add DMI quirks to select the working native Intel firmware interface such that the backlght comes back on after resume. Signed-off-by: Jonathan Denose Link: https://patch.msgid.link/20241112222516.1.I7fa78e6acbbed56ed5677f5e2dacc098a269d955@changeid [ rjw: Changelog edits ] Signed-off-by: Rafael J. Wysocki commit 2388b266c9fcc7c9169ba85c7f9ebe325b7622d7 Author: Lifeng Zheng Date: Wed Nov 13 18:33:09 2024 +0800 ACPI: CPPC: Fix _CPC register setting issue Since commit 60949b7b8054 ("ACPI: CPPC: Fix MASK_VAL() usage"), _CPC registers cannot be changed from 1 to 0. It turns out that there is an extra OR after MASK_VAL_WRITE(), which has already ORed prev_val with the register mask. Remove the extra OR to fix the problem. Fixes: 60949b7b8054 ("ACPI: CPPC: Fix MASK_VAL() usage") Signed-off-by: Lifeng Zheng Link: https://patch.msgid.link/20241113103309.761031-1-zhenglifeng1@huawei.com [ rjw: Subject and changelog edits ] Signed-off-by: Rafael J. Wysocki commit bb4409a9e78aa5f70d4cf6c2ca2d771c5a77313f Merge: ef6fdc0e4c556b a75b7bb46a83a2 Author: Paolo Bonzini Date: Wed Nov 13 06:33:00 2024 -0500 Merge tag 'kvm-x86-misc-6.13' of https://github.com/kvm-x86/linux into HEAD KVM x86 misc changes for 6.13 - Clean up and optimize KVM's handling of writes to MSR_IA32_APICBASE. - Quirk KVM's misguided behavior of initialized certain feature MSRs to their maximum supported feature set, which can result in KVM creating invalid vCPU state. E.g. initializing PERF_CAPABILITIES to a non-zero value results in the vCPU having invalid state if userspace hides PDCM from the guest, which can lead to save/restore failures. - Fix KVM's handling of non-canonical checks for vCPUs that support LA57 to better follow the "architecture", in quotes because the actual behavior is poorly documented. E.g. most MSR writes and descriptor table loads ignore CR4.LA57 and operate purely on whether the CPU supports LA57. - Bypass the register cache when querying CPL from kvm_sched_out(), as filling the cache from IRQ context is generally unsafe, and harden the cache accessors to try to prevent similar issues from occuring in the future. - Advertise AMD_IBPB_RET to userspace, and fix a related bug where KVM over-advertises SPEC_CTRL when trying to support cross-vendor VMs. - Minor cleanups commit ef6fdc0e4c556b3b7abc38d062ca70183a80e4dc Merge: edd1e598787234 bc17fccb37c8c1 Author: Paolo Bonzini Date: Wed Nov 13 06:32:43 2024 -0500 Merge tag 'kvm-x86-vmx-6.13' of https://github.com/kvm-x86/linux into HEAD KVM VMX change for 6.13 - Remove __invept()'s unused @gpa param, which was left behind when KVM dropped code for invalidating a specific GPA (Intel never officially documented support for single-address INVEPT; presumably pre-production CPUs supported it at some point). commit edd1e5987872343a08ace29fa92a39701baeaf96 Merge: c59de141339186 89f8869835e4da Author: Paolo Bonzini Date: Wed Nov 13 06:32:15 2024 -0500 Merge tag 'kvm-x86-selftests-6.13' of https://github.com/kvm-x86/linux into HEAD KVM selftests changes for 6.13 - Enable XFAM-based features by default for all selftests VMs, which will allow removing the "no AVX" restriction. commit c59de1413391868057cfe70b45dbce66de643064 Merge: b39d1578d50412 4cf20d42543cff Author: Paolo Bonzini Date: Wed Nov 13 06:31:54 2024 -0500 Merge tag 'kvm-x86-mmu-6.13' of https://github.com/kvm-x86/linux into HEAD KVM x86 MMU changes for 6.13 - Cleanup KVM's handling of Accessed and Dirty bits to dedup code, improve documentation, harden against unexpected changes, and to simplify A/D-disabled MMUs by using the hardware-defined A/D bits to track if a PFN is Accessed and/or Dirty. - Elide TLB flushes when aging SPTEs, as has been done in x86's primary MMU for over 10 years. - Batch TLB flushes when zapping collapsible TDP MMU SPTEs, i.e. when dirty logging is toggled off, which reduces the time it takes to disable dirty logging by ~3x. - Recover huge pages in-place in the TDP MMU instead of zapping the SP and waiting until the page is re-accessed to create a huge mapping. Proactively installing huge pages can reduce vCPU jitter in extreme scenarios. - Remove support for (poorly) reclaiming page tables in shadow MMUs via the primary MMU's shrinker interface. commit b39d1578d504122527e88127fdafb6109c3916be Merge: 185e02d61e991b 3e7f43188ee227 Author: Paolo Bonzini Date: Wed Nov 13 06:24:19 2024 -0500 Merge tag 'kvm-x86-generic-6.13' of https://github.com/kvm-x86/linux into HEAD KVM generic changes for 6.13 - Rework kvm_vcpu_on_spin() to use a single for-loop instead of making two partial poasses over "all" vCPUs. Opportunistically expand the comment to better explain the motivation and logic. - Protect vcpu->pid accesses outside of vcpu->mutex with a rwlock instead of RCU, so that running a vCPU on a different task doesn't encounter long stalls due to having to wait for all CPUs become quiescent. commit da115c4ee29f589bb72ec2e86eb5e196b6bbcb41 Author: Arnd Bergmann Date: Tue Nov 12 15:29:15 2024 +0100 printk: add dummy printk_force_console_enter/exit helpers The newly added interface is broken when PRINTK is disabled: drivers/tty/sysrq.c: In function '__handle_sysrq': drivers/tty/sysrq.c:601:9: error: implicit declaration of function 'printk_force_console_enter' [-Wimplicit-function-declaration] 601 | printk_force_console_enter(); | ^~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/tty/sysrq.c:611:25: error: implicit declaration of function 'printk_force_console_exit' [-Wimplicit-function-declaration] 611 | printk_force_console_exit(); | ^~~~~~~~~~~~~~~~~~~~~~~~~ Add empty stub functions for both. Fixes: ed76c07c6885 ("printk: Introduce FORCE_CON flag") Signed-off-by: Arnd Bergmann Reviewed-by: Andy Shevchenko Reviewed-by: Marcos Paulo de Souza Tested-by: Marcos Paulo de Souza Link: https://lore.kernel.org/r/20241112142939.724093-1-arnd@kernel.org Signed-off-by: Petr Mladek commit 3b49a347d751553b1d1be69c8619ae2e85fdc28d Author: Xiu Jianfeng Date: Tue Nov 12 02:57:24 2024 +0000 locking/Documentation: Fix grammar in percpu-rw-semaphore.rst s/'is initialized'/'is initialized with' Signed-off-by: Xiu Jianfeng Signed-off-by: Ingo Molnar Link: https://lore.kernel.org/r/20241112025724.474881-1-xiujianfeng@huaweicloud.com commit c8eb2faef11866be7802ff2ce9852890bcfcde16 Author: Charles Wang Date: Mon Nov 11 15:50:00 2024 +0800 HID: hid-goodix-spi: Add OF supports This patch introduces the following changes: - Adds OF match table. - Hardcodes hid-report-addr in the driver rather than fetching it from the device property. Signed-off-by: Charles Wang Reviewed-by: Douglas Anderson Signed-off-by: Jiri Kosina commit 20bcb2734bafa2adfbf8fc62542c742df9c46cfd Author: Charles Wang Date: Mon Nov 11 15:49:59 2024 +0800 dt-bindings: input: Goodix GT7986U SPI HID Touchscreen The Goodix GT7986U touch controller report touch data according to the HID protocol through the SPI bus. However, it is incompatible with Microsoft's HID-over-SPI protocol. NOTE: these bindings are distinct from the bindings used with the GT7986U when the chip is running I2C firmware. For some background, see discussion on the mailing lists in the thread: https://lore.kernel.org/r/20241018020815.3098263-2-charles.goodix@gmail.com Signed-off-by: Charles Wang Reviewed-by: Douglas Anderson Reviewed-by: Rob Herring (Arm) Signed-off-by: Jiri Kosina commit 9899b8201025d00b23aee143594a30c55cc4cc35 Author: Bibo Mao Date: Wed Nov 13 16:18:27 2024 +0800 irqchip/loongson-eiointc: Add virt extension support Interrupts can be routed to maximal four virtual CPUs with real HW EIOINTC interrupt controller model, since interrupt routing is encoded with CPU bitmap and EIOINTC node combined method. Here add the EIOINTC virt extension support so that interrupts can be routed to 256 vCPUs in virtual machine mode. CPU bitmap is replaced with normal encoding and EIOINTC node type is removed, so there are 8 bits for cpu selection, at most 256 vCPUs are supported for interrupt routing. Reviewed-by: Thomas Gleixner Co-developed-by: Song Gao Signed-off-by: Song Gao Signed-off-by: Bibo Mao Signed-off-by: Huacai Chen commit 1928254c5ccb7bdffd7f0334e1ce250e9ce4de94 Author: Xianglai Li Date: Wed Nov 13 16:18:27 2024 +0800 LoongArch: KVM: Add irqfd support Enable the KVM_IRQ_ROUTING/KVM_IRQCHIP/KVM_MSI configuration items, add the KVM_CAP_IRQCHIP capability, and implement the query interface of the in-kernel irqchip. Signed-off-by: Xianglai Li Signed-off-by: Huacai Chen commit d206d951487326b535007639d58e2a98d18e3dee Author: Xianglai Li Date: Wed Nov 13 16:18:27 2024 +0800 LoongArch: KVM: Add PCHPIC user mode read and write functions Implement the communication interface between the user mode programs and the kernel in PCHPIC interrupt control simulation, which is used to obtain or send the simulation data of the interrupt controller in the user mode process, and is also used in VM migration or VM saving and restoration. Signed-off-by: Tianrui Zhao Signed-off-by: Xianglai Li Signed-off-by: Huacai Chen commit f5f31efa3c2d51c03afab5ab6e3f004d2d529013 Author: Xianglai Li Date: Wed Nov 13 16:18:27 2024 +0800 LoongArch: KVM: Add PCHPIC read and write functions Add implementation of IPI interrupt controller's address space read and write function simulation. Implement interrupt injection interface under loongarch. Signed-off-by: Tianrui Zhao Signed-off-by: Xianglai Li Signed-off-by: Huacai Chen commit e785dfacf7e7fe94370fa0e8e3ff1bc8fe179831 Author: Xianglai Li Date: Wed Nov 13 16:18:27 2024 +0800 LoongArch: KVM: Add PCHPIC device support Add device model for PCHPIC interrupt controller, implemente basic create & destroy interface, and register device model to kvm device table. Signed-off-by: Tianrui Zhao Signed-off-by: Xianglai Li Signed-off-by: Huacai Chen commit 1ad7efa552fd5cf4e8c49fea863c5c6a5dcf9f00 Author: Xianglai Li Date: Wed Nov 13 16:18:27 2024 +0800 LoongArch: KVM: Add EIOINTC user mode read and write functions Implement the communication interface between the user mode programs and the kernel in EIOINTC interrupt controller simulation, which is used to obtain or send the simulation data of the interrupt controller in the user mode process, and is also used in VM migration or VM saving and restoration. Signed-off-by: Xianglai Li Signed-off-by: Huacai Chen commit 3956a52bc05bd811082a3c9d2b423ee957e6fefc Author: Xianglai Li Date: Wed Nov 13 16:18:27 2024 +0800 LoongArch: KVM: Add EIOINTC read and write functions Add implementation of EIOINTC interrupt controller's address space read and write function simulation. Signed-off-by: Tianrui Zhao Signed-off-by: Xianglai Li Signed-off-by: Huacai Chen commit 2e8b9df82631e714cc2b7bf302772c8259673180 Author: Xianglai Li Date: Wed Nov 13 16:18:27 2024 +0800 LoongArch: KVM: Add EIOINTC device support Add device model for EIOINTC interrupt controller, implement basic create & destroy interfaces, and register device model to kvm device table. Signed-off-by: Tianrui Zhao Signed-off-by: Xianglai Li Signed-off-by: Huacai Chen commit 8e3054261bc373f50122b2bc2d726d66a344bf29 Author: Xianglai Li Date: Wed Nov 13 16:18:27 2024 +0800 LoongArch: KVM: Add IPI user mode read and write function Implement the communication interface between the user mode programs and the kernel in IPI interrupt controller simulation, which is used to obtain or send the simulation data of the interrupt controller in the user mode process, and is also used in VM migration or VM saving and restoration. Signed-off-by: Min Zhou Signed-off-by: Tianrui Zhao Signed-off-by: Xianglai Li Signed-off-by: Huacai Chen commit daee2f9cae5510ba1bd9eed6b0cf0ca8dc276118 Author: Xianglai Li Date: Wed Nov 13 16:18:27 2024 +0800 LoongArch: KVM: Add IPI read and write function Add implementation of IPI interrupt controller's address space read and write function simulation. Signed-off-by: Min Zhou Signed-off-by: Tianrui Zhao Signed-off-by: Xianglai Li Signed-off-by: Huacai Chen commit c532de5a67a70f8533d495f8f2aaa9a0491c3ad0 Author: Xianglai Li Date: Wed Nov 13 16:18:27 2024 +0800 LoongArch: KVM: Add IPI device support Add device model for IPI interrupt controller, implement basic create & destroy interfaces, and register device model to kvm device table. Signed-off-by: Tianrui Zhao Signed-off-by: Xianglai Li Signed-off-by: Huacai Chen commit 948ccbd95016f50ce01df5eef9440eede3b8c713 Author: Xianglai Li Date: Wed Nov 13 16:18:26 2024 +0800 LoongArch: KVM: Add iocsr and mmio bus simulation in kernel Add iocsr and mmio memory read and write simulation to the kernel. When the VM accesses the device address space through iocsr instructions or mmio, it does not need to return to the qemu user mode but can directly completes the access in the kernel mode. Signed-off-by: Tianrui Zhao Signed-off-by: Xianglai Li Signed-off-by: Huacai Chen commit 93ee385254d53849c01dd8ab9bc9d02790ee7f0e Author: Linus Walleij Date: Wed Oct 23 13:05:34 2024 +0100 ARM: 9431/1: mm: Pair atomic_set_release() with _read_acquire() The code for syncing vmalloc memory PGD pointers is using atomic_read() in pair with atomic_set_release() but the proper pairing is atomic_read_acquire() paired with atomic_set_release(). This is done to clearly instruct the compiler to not reorder the memcpy() or similar calls inside the section so that we do not observe changes to init_mm. memcpy() calls should be identified by the compiler as having unpredictable side effects, but let's try to be on the safe side. Cc: stable@vger.kernel.org Fixes: d31e23aff011 ("ARM: mm: make vmalloc_seq handling SMP safe") Suggested-by: Mark Rutland Signed-off-by: Linus Walleij Signed-off-by: Russell King (Oracle) commit 44e9a3bb76e5f2eecd374c8176b2c5163c8bb2e2 Author: Linus Walleij Date: Wed Oct 23 13:04:44 2024 +0100 ARM: 9430/1: entry: Do a dummy read from VMAP shadow When switching task, in addition to a dummy read from the new VMAP stack, also do a dummy read from the VMAP stack's corresponding KASAN shadow memory to sync things up in the new MM context. Cc: stable@vger.kernel.org Fixes: a1c510d0adc6 ("ARM: implement support for vmap'ed stacks") Link: https://lore.kernel.org/linux-arm-kernel/a1a1d062-f3a2-4d05-9836-3b098de9db6d@foss.st.com/ Reported-by: Clement LE GOFFIC Suggested-by: Ard Biesheuvel Signed-off-by: Linus Walleij Signed-off-by: Russell King (Oracle) commit d6e6a74d4cea853b5321eeabb69c611148eedefe Author: Linus Walleij Date: Wed Oct 23 13:03:14 2024 +0100 ARM: 9429/1: ioremap: Sync PGDs for VMALLOC shadow When sync:ing the VMALLOC area to other CPUs, make sure to also sync the KASAN shadow memory for the VMALLOC area, so that we don't get stale entries for the shadow memory in the top level PGD. Since we are now copying PGDs in two instances, create a helper function named memcpy_pgd() to do the actual copying, and create a helper to map the addresses of VMALLOC_START and VMALLOC_END into the corresponding shadow memory. Co-developed-by: Melon Liu Cc: stable@vger.kernel.org Fixes: 565cbaad83d8 ("ARM: 9202/1: kasan: support CONFIG_KASAN_VMALLOC") Link: https://lore.kernel.org/linux-arm-kernel/a1a1d062-f3a2-4d05-9836-3b098de9db6d@foss.st.com/ Reported-by: Clement LE GOFFIC Suggested-by: Mark Rutland Suggested-by: Russell King (Oracle) Acked-by: Mark Rutland Signed-off-by: Linus Walleij Signed-off-by: Russell King (Oracle) commit 8f80f378e77eafdcdb7ea9a76cc645ecd04fb4e5 Author: Kuninori Morimoto Date: Wed Nov 13 01:17:25 2024 +0000 ALSA: tidyup SNDRV_PCM_TRIGGER_xxx numbering pcm.h has SNDRV_PCM_TRIGGER_xxx, but it is missing "2". Fixup it. Signed-off-by: Kuninori Morimoto Link: https://patch.msgid.link/87ed3gsziy.wl-kuninori.morimoto.gx@renesas.com Signed-off-by: Takashi Iwai commit 12bbabd3cab8a7dab0ddad8ed1e671f40c7cdeeb Author: Andy Shevchenko Date: Tue Nov 12 18:01:25 2024 +0200 usb: cdns3: Synchronise PCI IDs via common data base There are a few places in the kernel where PCI IDs for different Cadence USB controllers are being used. Besides different naming, they duplicate each other. Make this all in order by providing common definitions via PCI IDs database and use in all users. While doing that, rename definitions as Roger suggested. Suggested-by: Roger Quadros Suggested-by: Greg Kroah-Hartman Signed-off-by: Andy Shevchenko Acked-by: Bjorn Helgaas Link: https://lore.kernel.org/r/20241112160125.2340972-1-andriy.shevchenko@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit 369a9c046c2fdfe037f05b43b84c386bdbccc103 Author: Gaosheng Cui Date: Wed Oct 16 19:03:35 2024 +0800 firmware_loader: Fix possible resource leak in fw_log_firmware_info() The alg instance should be released under the exception path, otherwise there may be resource leak here. To mitigate this, free the alg instance with crypto_free_shash when kmalloc fails. Fixes: 02fe26f25325 ("firmware_loader: Add debug message with checksum for FW file") Signed-off-by: Gaosheng Cui Reviewed-by: Amadeusz Sławiński Reviewed-by: Russ Weight Link: https://lore.kernel.org/r/20241016110335.3677924-1-cuigaosheng1@huawei.com Signed-off-by: Greg Kroah-Hartman commit ce25e2a8d82de7f8bcbedd18973e5b8030749d45 Author: Krishna Kurapati Date: Tue Nov 12 23:50:18 2024 +0530 usb: dwc3: core: Set force_gen1 bit for all applicable SuperSpeed ports Currently if the maximum-speed is set to Super Speed for a 3.1 Gen2 capable controller, the FORCE_GEN1 bit of LLUCTL register is set only for one SuperSpeed port (or the first port) present. Modify the logic to set the FORCE_GEN1 bit for all ports if speed is being limited to Gen-1. Suggested-by: Thinh Nguyen Signed-off-by: Krishna Kurapati Acked-by: Thinh Nguyen Link: https://lore.kernel.org/r/20241112182018.199392-1-quic_kriskura@quicinc.com Signed-off-by: Greg Kroah-Hartman commit 61eb055cd3048ee01ca43d1be924167d33e16fdc Author: Selvarasu Ganesan Date: Tue Nov 12 10:18:02 2024 +0530 usb: dwc3: gadget: Add missing check for single port RAM in TxFIFO resizing logic The existing implementation of the TxFIFO resizing logic only supports scenarios where more than one port RAM is used. However, there is a need to resize the TxFIFO in USB2.0-only mode where only a single port RAM is available. This commit introduces the necessary changes to support TxFIFO resizing in such scenarios by adding a missing check for single port RAM. This fix addresses certain platform configurations where the existing TxFIFO resizing logic does not work properly due to the absence of support for single port RAM. By adding this missing check, we ensure that the TxFIFO resizing logic works correctly in all scenarios, including those with a single port RAM. Fixes: 9f607a309fbe ("usb: dwc3: Resize TX FIFOs to meet EP bursting requirements") Cc: stable@vger.kernel.org # 6.12.x: fad16c82: usb: dwc3: gadget: Refine the logic for resizing Tx FIFOs Signed-off-by: Selvarasu Ganesan Acked-by: Thinh Nguyen Link: https://lore.kernel.org/r/20241112044807.623-1-selvarasu.g@samsung.com Signed-off-by: Greg Kroah-Hartman commit fa518772fb63e201207bcdab7ea108198dc15f3c Author: Rex Nie Date: Tue Nov 12 23:20:22 2024 +0800 USB: core: remove dead code in do_proc_bulk() Since len1 is unsigned int, len1 < 0 always false. Remove it keep code simple. Signed-off-by: Rex Nie Rule: add Link: https://lore.kernel.org/stable/20241108094255.2133-1-rex.nie%40jaguarmicro.com Acked-by: Alan Stern Link: https://lore.kernel.org/r/20241112152021.2236-1-rex.nie@jaguarmicro.com Signed-off-by: Greg Kroah-Hartman commit 97f5ec3b166db4e47ee2c0bdb0deb027413d4f2a Author: Nicolas Bretz Date: Sun Oct 13 20:41:43 2024 -0700 ext4: prevent delalloc to nodelalloc on remount Implemented the suggested solution mentioned in the bug https://bugzilla.kernel.org/show_bug.cgi?id=218820 Preventing the disabling of delayed allocation mode on remount. delalloc to nodelalloc not permitted anymore nodelalloc to delalloc permitted, not affected Signed-off-by: Nicolas Bretz Link: https://patch.msgid.link/20241014034143.59779-1-bretznic@gmail.com Signed-off-by: Theodore Ts'o commit abe1ac7ca84236513a3d8ede02cc47584437f24f Author: Zhihao Cheng Date: Sat Oct 12 16:55:30 2024 +0800 jbd2: make b_frozen_data allocation always succeed The b_frozen_data allocation should not be failed during journal committing process, otherwise jbd2 will abort. Since commit 490c1b444ce653d("jbd2: do not fail journal because of frozen_buffer allocation failure") already added '__GFP_NOFAIL' flag in do_get_write_access(), just add '__GFP_NOFAIL' flag for all allocations in jbd2_journal_write_metadata_buffer(), like 'new_bh' allocation does. Besides, remove all error handling branches for do_get_write_access(). Signed-off-by: Zhihao Cheng Reviewed-by: Jan Kara Reviewed-by: Zhang Yi Link: https://patch.msgid.link/20241012085530.2147846-1-chengzhihao@huaweicloud.com Signed-off-by: Theodore Ts'o commit 27349b4d2ed072cabedd5115f0542b3b7b538aa8 Author: Dan Carpenter Date: Fri Oct 11 22:43:44 2024 +0300 ext4: cleanup variable name in ext4_fc_del() The variables "&EXT4_SB(inode->i_sb)->s_fc_lock" and "&sbi->s_fc_lock" are the same lock. This function uses a mix of both, which is a bit unsightly and confuses Smatch. Signed-off-by: Dan Carpenter Link: https://patch.msgid.link/96008557-8ff4-44cc-b5e3-ce242212f1a3@stanley.mountain Signed-off-by: Theodore Ts'o commit 867b73909ae0fb6a44552f22ad589c0511c9f2a4 Author: R Sundar Date: Mon Oct 7 22:50:06 2024 +0530 ext4: use string choices helpers Use string choice helpers for better readability and to fix cocci warning Reported-by: kernel test robot Reported-by: Julia Lawall Closes: https://lore.kernel.org/r/202410062256.BoynX3c2-lkp@intel.com/ Signed-off-by: R Sundar Link: https://patch.msgid.link/20241007172006.83339-1-prosunofficial@gmail.com Signed-off-by: Theodore Ts'o commit 22d26f9b0c3ee2ef75daf2feee8f0a9eac385939 Author: Ye Bin Date: Mon Sep 30 08:59:42 2024 +0800 jbd2: remove the 'success' parameter from the jbd2_do_replay() function Keep 'success' internally to track if any error happened and then return it at the end in do_one_pass(). If jbd2_do_replay() return -ENOMEM then stop replay journal. Signed-off-by: Ye Bin Reviewed-by: Zhang Yi Reviewed-by: Jan Kara Link: https://patch.msgid.link/20240930005942.626942-7-yebin@huaweicloud.com Signed-off-by: Theodore Ts'o commit 0f67827bf44fdf2a4426cc918ee8cfc1274f8efa Author: Ye Bin Date: Mon Sep 30 08:59:41 2024 +0800 jbd2: remove useless 'block_error' variable The judgement 'if (block_error && success == 0)' is never valid. Just remove useless 'block_error' variable. Signed-off-by: Ye Bin Reviewed-by: Jan Kara Reviewed-by: Zhang Yi Link: https://patch.msgid.link/20240930005942.626942-6-yebin@huaweicloud.com Signed-off-by: Theodore Ts'o commit ac626a3d52ac097cb22d8450fadd8706b3f2533c Author: Ye Bin Date: Mon Sep 30 08:59:40 2024 +0800 jbd2: factor out jbd2_do_replay() Factor out jbd2_do_replay() no funtional change. Signed-off-by: Ye Bin Reviewed-by: Zhang Yi Reviewed-by: Jan Kara Link: https://patch.msgid.link/20240930005942.626942-5-yebin@huaweicloud.com Signed-off-by: Theodore Ts'o commit a805ae3ab9dc75079686cd2889fd563915e90b9d Author: Ye Bin Date: Mon Sep 30 08:59:39 2024 +0800 jbd2: refactor JBD2_COMMIT_BLOCK process in do_one_pass() To make JBD2_COMMIT_BLOCK process more clean, no functional change. Signed-off-by: Ye Bin Reviewed-by: Jan Kara Reviewed-by: Zhang Yi Link: https://patch.msgid.link/20240930005942.626942-4-yebin@huaweicloud.com Signed-off-by: Theodore Ts'o commit 4c199241b662c7c992dbb2d5176b48a77d8c9291 Author: Ye Bin Date: Mon Sep 30 08:59:38 2024 +0800 jbd2: unified release of buffer_head in do_one_pass() Now buffer_head free is very fragmented in do_one_pass(), unified release of buffer_head in do_one_pass() Signed-off-by: Ye Bin Reviewed-by: Jan Kara Reviewed-by: Zhang Yi Link: https://patch.msgid.link/20240930005942.626942-3-yebin@huaweicloud.com Signed-off-by: Theodore Ts'o commit 4309a94da7937775613bba2aa794e13c9e837cdd Author: Ye Bin Date: Mon Sep 30 08:59:37 2024 +0800 jbd2: remove redundant judgments for check v1 checksum 'need_check_commit_time' is only used by v2/v3 checksum, so there isn't need to add 'need_check_commit_time' judegement for v1 checksum logic. Signed-off-by: Ye Bin Reviewed-by: Jan Kara Reviewed-by: Zhang Yi Link: https://patch.msgid.link/20240930005942.626942-2-yebin@huaweicloud.com Signed-off-by: Theodore Ts'o commit 5ad585bcfe24d840f6d324951e4c18b0014c0178 Author: Yu Jiaoliang Date: Fri Sep 20 10:14:40 2024 +0800 ext4: use ERR_CAST to return an error-valued pointer Instead of directly casting and returning an error-valued pointer, use ERR_CAST to make the error handling more explicit and improve code clarity. Signed-off-by: Yu Jiaoliang Link: https://patch.msgid.link/20240920021440.1959243-1-yujiaoliang@vivo.com Signed-off-by: Theodore Ts'o commit 52aecaee1c26409ebafe080293e0841884f6e9fb Author: Brian Foster Date: Thu Sep 19 12:07:41 2024 -0400 mm: zero range of eof folio exposed by inode size extension On some filesystems, it is currently possible to create a transient data inconsistency between pagecache and on-disk state. For example, on a 1k block size ext4 filesystem: $ xfs_io -fc "pwrite 0 2k" -c "mmap 0 4k" -c "mwrite 2k 2k" \ -c "truncate 8k" -c "fiemap -v" -c "pread -v 2k 16" ... EXT: FILE-OFFSET BLOCK-RANGE TOTAL FLAGS 0: [0..3]: 17410..17413 4 0x1 1: [4..15]: hole 12 00000800: 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX $ umount ; mount $ xfs_io -c "pread -v 2k 16" 00000800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ This allocates and writes two 1k blocks, map writes to the post-eof portion of the (4k) eof folio, extends the file, and then shows that the post-eof data is not cleared before the file size is extended. The result is pagecache with a clean and uptodate folio over a hole that returns non-zero data. Once reclaimed, pagecache begins to return valid data. Some filesystems avoid this problem by flushing the EOF folio before inode size extension. This triggers writeback time partial post-eof zeroing. XFS explicitly zeroes newly exposed file ranges via iomap_zero_range(), but this includes a hack to flush dirty but hole-backed folios, which means writeback actually does the zeroing in this particular case as well. bcachefs explicitly flushes the eof folio on truncate extension to the same effect, but doesn't handle the analogous write extension case (i.e., replace "truncate 8k" with "pwrite 4k 4k" in the above example command to reproduce the same problem on bcachefs). btrfs doesn't seem to support subpage block sizes. The two main options to avoid this behavior are to either flush or do the appropriate zeroing during size extending operations. Zeroing is only required when the size change exposes ranges of the file that haven't been directly written, such as a write or truncate that starts beyond the current eof. The pagecache_isize_extended() helper is already used for this particular scenario. It currently cleans any pte's for the eof folio to ensure preexisting mappings fault and allow the filesystem to take action based on the updated inode size. This is required to ensure the folio is fully backed by allocated blocks, for example, but this also happens to be the same scenario zeroing is required. Update pagecache_isize_extended() to zero the post-eof range of the eof folio if it is dirty at the time of the size change, since writeback now won't have the chance. If non-dirty, the folio has either not been written or the post-eof portion was zeroed by writeback. Signed-off-by: Brian Foster Link: https://patch.msgid.link/20240919160741.208162-3-bfoster@redhat.com Signed-off-by: Theodore Ts'o commit c7fc0366c65628fd69bfc310affec4918199aae2 Author: Brian Foster Date: Thu Sep 19 12:07:40 2024 -0400 ext4: partial zero eof block on unaligned inode size extension Using mapped writes, it's technically possible to expose stale post-eof data on a truncate up operation. Consider the following example: $ xfs_io -fc "pwrite 0 2k" -c "mmap 0 4k" -c "mwrite 2k 2k" \ -c "truncate 8k" -c "pread -v 2k 16" ... 00000800: 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX ... This shows that the post-eof data written via mwrite lands within EOF after a truncate up. While this is deliberate of the test case, behavior is somewhat unpredictable because writeback does post-eof zeroing, and writeback can occur at any time in the background. For example, an fsync inserted between the mwrite and truncate causes the subsequent read to instead return zeroes. This basically means that there is a race window in this situation between any subsequent extending operation and writeback that dictates whether post-eof data is exposed to the file or zeroed. To prevent this problem, perform partial block zeroing as part of the various inode size extending operations that are susceptible to it. For truncate extension, zero around the original eof similar to how truncate down does partial zeroing of the new eof. For extension via writes and fallocate related operations, zero the newly exposed range of the file to cover any partial zeroing that must occur at the original and new eof blocks. Signed-off-by: Brian Foster Link: https://patch.msgid.link/20240919160741.208162-2-bfoster@redhat.com Signed-off-by: Theodore Ts'o commit 25f51ea8ac8144af2fefb743c3439547610368ff Author: Jinliang Zheng Date: Thu Sep 19 16:25:39 2024 +0800 ext4: disambiguate the return value of ext4_dio_write_end_io() The commit 91562895f803 ("ext4: properly sync file size update after O_SYNC direct IO") causes confusion about the meaning of the return value of ext4_dio_write_end_io(). Specifically, when the ext4_handle_inode_extension() operation succeeds, ext4_dio_write_end_io() directly returns count instead of 0. This does not cause a bug in the current kernel, but the semantics of the return value of the ext4_dio_write_end_io() function are wrong, which is likely to introduce bugs in the future code evolution. Signed-off-by: Jinliang Zheng Reviewed-by: Zhang Yi Link: https://patch.msgid.link/20240919082539.381626-1-alexjlzheng@tencent.com Signed-off-by: Theodore Ts'o commit 813f85360404028cd8340ae7f7f77abc68c86fbc Author: j.xia Date: Thu Sep 19 10:03:41 2024 +0800 ext4: pass write-hint for buffered IO Commit 449813515d3e ("block, fs: Restore the per-bio/request data lifetime fields") restored write-hint support in ext4. But that is applicable only for direct IO. This patch supports passing write-hint for buffered IO from ext4 file system to block layer by filling bi_write_hint of struct bio in io_submit_add_bh(). Signed-off-by: j.xia Link: https://patch.msgid.link/20240919020341.2657646-1-j.xia@samsung.com Signed-off-by: Theodore Ts'o commit 2f3d93e210b9c2866c8b3662adae427d5bf511ec Author: Long Li Date: Fri Sep 6 17:17:46 2024 +0800 ext4: fix race in buffer_head read fault injection When I enabled ext4 debug for fault injection testing, I encountered the following warning: EXT4-fs error (device sda): ext4_read_inode_bitmap:201: comm fsstress: Cannot read inode bitmap - block_group = 8, inode_bitmap = 1051 WARNING: CPU: 0 PID: 511 at fs/buffer.c:1181 mark_buffer_dirty+0x1b3/0x1d0 The root cause of the issue lies in the improper implementation of ext4's buffer_head read fault injection. The actual completion of buffer_head read and the buffer_head fault injection are not atomic, which can lead to the uptodate flag being cleared on normally used buffer_heads in race conditions. [CPU0] [CPU1] [CPU2] ext4_read_inode_bitmap ext4_read_bh() ext4_read_inode_bitmap if (buffer_uptodate(bh)) return bh jbd2_journal_commit_transaction __jbd2_journal_refile_buffer __jbd2_journal_unfile_buffer __jbd2_journal_temp_unlink_buffer ext4_simulate_fail_bh() clear_buffer_uptodate mark_buffer_dirty WARN_ON_ONCE(!buffer_uptodate(bh)) The best approach would be to perform fault injection in the IO completion callback function, rather than after IO completion. However, the IO completion callback function cannot get the fault injection code in sb. Fix it by passing the result of fault injection into the bh read function, we simulate faults within the bh read function itself. This requires adding an extra parameter to the bh read functions that need fault injection. Fixes: 46f870d690fe ("ext4: simulate various I/O and checksum errors when reading metadata") Signed-off-by: Long Li Link: https://patch.msgid.link/20240906091746.510163-1-leo.lilong@huawei.com Signed-off-by: Theodore Ts'o commit a90825898becb730377b157884c82a725f1d3ffa Author: Zhang Yi Date: Fri Sep 6 14:14:01 2024 +0800 ext4: don't pass full mapping flags to ext4_es_insert_extent() When converting a delalloc extent in ext4_es_insert_extent(), since we only want to pass the info of whether the quota has already been claimed if the allocation is a direct allocation from ext4_map_create_blocks(), there is no need to pass full mapping flags, so changes to just pass whether the EXT4_GET_BLOCKS_DELALLOC_RESERVE bit is set. Suggested-by: Jan Kara Signed-off-by: Zhang Yi Reviewed-by: Jan Kara Link: https://patch.msgid.link/20240906061401.2980330-1-yi.zhang@huaweicloud.com Signed-off-by: Theodore Ts'o commit 667de03a3b5eab4ccf532c6e399fe3488a1db58b Author: Andy Shevchenko Date: Thu Sep 5 19:32:29 2024 +0300 ext4: mark ctx_*_flags() with __maybe_unused When ctx_set_flags() is unused, it prevents kernel builds with clang, `make W=1` and CONFIG_WERROR=y: .../ext4/super.c:2120:1: error: unused function 'ctx_set_flags' [-Werror,-Wunused-function] 2120 | EXT4_SET_CTX(flags); /* set only */ | ^~~~~~~~~~~~~~~~~~~ Fix this by marking ctx_*_flags() with __maybe_unused (mark both for the sake of symmetry). See also commit 6863f5643dd7 ("kbuild: allow Clang to find unused static inline functions for W=1 build"). Signed-off-by: Andy Shevchenko Link: https://patch.msgid.link/20240905163229.140522-1-andriy.shevchenko@linux.intel.com Signed-off-by: Theodore Ts'o commit 150c174a6053efc215b7a10b7fbcc869039bb6c3 Author: Amir Goldstein Date: Wed Sep 4 10:46:57 2024 +0200 ext4: return error on syncfs after shutdown This is the logic behavior and one that we would like to verify using a generic fstest similar to xfs/546. Link: https://lore.kernel.org/fstests/20240830152648.GE6216@frogsfrogsfrogs/ Suggested-by: Darrick J. Wong Signed-off-by: Amir Goldstein Reviewed-by: Jan Kara Link: https://patch.msgid.link/20240904084657.1062243-1-amir73il@gmail.com Signed-off-by: Theodore Ts'o commit a9cdf82a47addae72b119a063fc834923e7838fe Author: Zhaoyang Huang Date: Wed Sep 4 15:53:00 2024 +0800 fs: ext4: Don't use CMA for buffer_head cma_alloc() keep failed in our system which thanks to a jh->bh->b_page can not be migrated out of CMA area[1] as the jh has one cp_transaction pending on it because of j_free > j_max_transaction_buffers[2][3][4][5][6]. We temporarily solve this by launching jbd2_log_do_checkpoint forcefully somewhere. Since journal is common mechanism to all JFSs and cp_transaction has a little fewer opportunity to be launched, the cma_alloc() could be affected under the same scenario. This patch would like to have buffer_head of ext4 not use CMA pages when doing sb_getblk. [1] crash_arm64_v8.0.4++> kmem -p|grep ffffff808f0aa150(sb->s_bdev->bd_inode->i_mapping) fffffffe01a51c00 e9470000 ffffff808f0aa150 3 2 8000000008020 lru,private fffffffe03d189c0 174627000 ffffff808f0aa150 4 2 2004000000008020 lru,private fffffffe03d88e00 176238000 ffffff808f0aa150 3f9 2 2008000000008020 lru,private fffffffe03d88e40 176239000 ffffff808f0aa150 6 2 2008000000008020 lru,private fffffffe03d88e80 17623a000 ffffff808f0aa150 5 2 2008000000008020 lru,private fffffffe03d88ec0 17623b000 ffffff808f0aa150 1 2 2008000000008020 lru,private fffffffe03d88f00 17623c000 ffffff808f0aa150 0 2 2008000000008020 lru,private fffffffe040e6540 183995000 ffffff808f0aa150 3f4 2 2004000000008020 lru,private [2] page -> buffer_head crash_arm64_v8.0.4++> struct page.private fffffffe01a51c00 -x private = 0xffffff802fca0c00 [3] buffer_head -> journal_head crash_arm64_v8.0.4++> struct buffer_head.b_private 0xffffff802fca0c00 b_private = 0xffffff8041338e10, [4] journal_head -> b_cp_transaction crash_arm64_v8.0.4++> struct journal_head.b_cp_transaction 0xffffff8041338e10 -x b_cp_transaction = 0xffffff80410f1900, [5] transaction_t -> journal crash_arm64_v8.0.4++> struct transaction_t.t_journal 0xffffff80410f1900 -x t_journal = 0xffffff80e70f3000, [6] j_free & j_max_transaction_buffers crash_arm64_v8.0.4++> struct journal_t.j_free,j_max_transaction_buffers 0xffffff80e70f3000 -x j_free = 0x3f1, j_max_transaction_buffers = 0x100, Suggested-by: Theodore Ts'o Signed-off-by: Zhaoyang Huang Reviewed-by: Jan Kara Link: https://patch.msgid.link/20240904075300.1148836-1-zhaoyang.huang@unisoc.com Signed-off-by: Theodore Ts'o commit c7f9a6fa405248bbd2a398c91d4df30b399f84aa Author: Jiapeng Chong Date: Fri Aug 30 15:17:13 2024 +0800 ext4: simplify if condition The if condition !A || A && B can be simplified to !A || B. ./fs/ext4/fast_commit.c:362:21-23: WARNING !A || A && B is equivalent to !A || B. Reported-by: Abaci Robot Closes: https://bugzilla.openanolis.cn/show_bug.cgi?id=9837 Signed-off-by: Jiapeng Chong Reviewed-by: Jan Kara Link: https://patch.msgid.link/20240830071713.40565-1-jiapeng.chong@linux.alibaba.com Signed-off-by: Theodore Ts'o commit 4a622e4d477bb12ad5ed4abbc7ad1365de1fa347 Author: Theodore Ts'o Date: Wed Oct 23 00:25:37 2024 -0400 ext4: fix FS_IOC_GETFSMAP handling The original implementation ext4's FS_IOC_GETFSMAP handling only worked when the range of queried blocks included at least one free (unallocated) block range. This is because how the metadata blocks were emitted was as a side effect of ext4_mballoc_query_range() calling ext4_getfsmap_datadev_helper(), and that function was only called when a free block range was identified. As a result, this caused generic/365 to fail. Fix this by creating a new function ext4_getfsmap_meta_helper() which gets called so that blocks before the first free block range in a block group can get properly reported. Signed-off-by: Theodore Ts'o Cc: stable@vger.kernel.org commit 40eb3104cf416188c4bd8fd7946f6c388409c286 Author: Baokun Li Date: Tue Oct 8 20:11:52 2024 +0800 ext4: WARN if a full dir leaf block has only one dentry The maximum length of a filename is 255 and the minimum block size is 1024, so it is always guaranteed that the number of entries is greater than or equal to 2 when do_split() is called. So unless ext4_dx_add_entry() and make_indexed_dir() or some other functions are buggy, 'split == 0' will not occur. Setting 'continued' to 0 in this case masks the problem that the file system has become corrupted, even though it prevents possible out-of-bounds access. Hence WARN_ON_ONCE() is used to check if 'split' is 0, and if it is then warns and returns an error to abort split. Suggested-by: Theodore Ts'o Link: https://lore.kernel.org/r/20240823160518.GA424729@mit.edu Signed-off-by: Baokun Li Reviewed-by: Jan Kara Link: https://patch.msgid.link/20241008121152.3771906-1-libaokun@huaweicloud.com Signed-off-by: Theodore Ts'o commit fdfa648ab9393de8c1be21cad17c17bdced3a68a Author: Baokun Li Date: Tue Oct 8 20:01:34 2024 +0800 ext4: show the default enabled prefetch_block_bitmaps option After commit 21175ca434c5 ("ext4: make prefetch_block_bitmaps default"), we enable 'prefetch_block_bitmaps' by default, but this is not shown in the '/proc/fs/ext4/sdx/options' procfs interface. This makes it impossible to distinguish whether the feature is enabled by default or not, so 'prefetch_block_bitmaps' is shown in the 'options' procfs interface when prefetch_block_bitmaps is enabled by default. This makes it easy to notice changes to the default mount options between versions through the '/proc/fs/ext4/sdx/options' procfs interface. Signed-off-by: Baokun Li Reviewed-by: Jan Kara Link: https://patch.msgid.link/20241008120134.3758097-1-libaokun@huaweicloud.com Signed-off-by: Theodore Ts'o commit c1fff92d808bb41064b783a072dee834bcc29f33 Author: Sung-Chi, Li Date: Wed Nov 13 10:39:51 2024 +0800 hwmon: (cros_ec) register thermal sensors to thermal framework cros_ec hwmon driver probes available thermal sensors when probing the driver. Register these thermal sensors to the thermal framework as well via setting HWMON_C_REGISTER_TZ as a chip info, such that thermal framework can adopt these sensors as well. To make cros_ec registrable to thermal framework, the cros_ec dts need the corresponding changes: &cros_ec { #thermal-sensor-cells = <1>; }; Signed-off-by: Sung-Chi, Li Message-ID: <20241113024000.3327161-1-lschyi@chromium.org> Signed-off-by: Guenter Roeck commit 7e33001b8b9a78062679e0fdf5b0842a49063135 Author: Rik van Riel Date: Fri Nov 8 19:27:50 2024 -0500 x86/mm/tlb: Put cpumask_test_cpu() check in switch_mm_irqs_off() under CONFIG_DEBUG_VM On a web server workload, the cpumask_test_cpu() inside the WARN_ON_ONCE() in the 'prev == next branch' takes about 17% of all the CPU time of switch_mm_irqs_off(). On a large fleet, this WARN_ON_ONCE() has not fired in at least a month, possibly never. Move this test under CONFIG_DEBUG_VM so it does not get compiled in production kernels. Signed-off-by: Rik van Riel Signed-off-by: Ingo Molnar Cc: Andy Lutomirski Cc: Peter Zijlstra Cc: Linus Torvalds Link: https://lore.kernel.org/r/20241109003727.3958374-4-riel@surriel.com commit abe949ce0f9be943d8762f91e04b8588255f2f70 Merge: 035c5e2143f3ed 2d5404caa8c7bb Author: Ingo Molnar Date: Wed Nov 13 03:41:59 2024 +0100 Merge tag 'v6.12-rc7' into x86/mm, to pick up fixes before applying new patches Signed-off-by: Ingo Molnar commit ef04d290c01301b7467df48425c36891d86ff417 Author: Jakub Kicinski Date: Fri Nov 8 18:33:03 2024 -0800 net: page_pool: do not count normal frag allocation in stats Commit 0f6deac3a079 ("net: page_pool: add page allocation stats for two fast page allocate path") added increments for "fast path" allocation to page frag alloc. It mentions performance degradation analysis but the details are unclear. Could be that the author was simply surprised by the alloc stats not matching packet count. In my experience the key metric for page pool is the recycling rate. Page return stats, however, count returned _pages_ not frags. This makes it impossible to calculate recycling rate for drivers using the frag API. Here is example output of the page-pool YNL sample for a driver allocating 1200B frags (4k pages) with nearly perfect recycling: $ ./page-pool eth0[2] page pools: 32 (zombies: 0) refs: 291648 bytes: 1194590208 (refs: 0 bytes: 0) recycling: 33.3% (alloc: 4557:2256365862 recycle: 200476245:551541893) The recycling rate is reported as 33.3% because we give out 4096 // 1200 = 3 frags for every recycled page. Effectively revert the aforementioned commit. This also aligns with the stats we would see for drivers which do the fragmentation themselves, although that's not a strong reason in itself. On the (very unlikely) path where we can reuse the current page let's bump the "cached" stat. The fact that we don't put the page in the cache is just an optimization. Acked-by: Jesper Dangaard Brouer Reviewed-by: Xuan Zhuo Acked-by: Ilias Apalodimas Link: https://patch.msgid.link/20241109023303.3366500-1-kuba@kernel.org Signed-off-by: Jakub Kicinski commit 7ed816be35abc3d5bed39d3edc5f2efed2ca5216 Author: Jakub Kicinski Date: Fri Nov 8 19:51:19 2024 -0800 eth: bnxt: use page pool for head frags Testing small size RPCs (300B-400B) on a large AMD system suggests that page pool recycling is very useful even for just the head frags. With this patch (and copy break disabled) I see a 30% performance improvement (82Gbps -> 106Gbps). Convert bnxt from normal page frags to page pool frags for head buffers. On systems with small page size we can use the same pool as for TPA pages. On systems with large pages the frag allocation logic of the page pool is already used to split a large page into TPA chunks. TPA chunks are much larger than heads (8k or 64k, AFAICT vs 1kB) and we always allocate the same sized chunks. Mixing allocation of TPA and head pages would lead to sub-optimal memory use. Plus Taehee's work on zero-copy / devmem will need to differentiate between TPA and non-TPA page pool, anyway. Conditionally allocate a new page pool for heads. Link: https://patch.msgid.link/20241109035119.3391864-1-kuba@kernel.org Signed-off-by: Jakub Kicinski commit 078e0d596f7b5952dad8662ace8f20ed2165e2ce Author: Andrew Lunn Date: Sun Nov 10 18:59:55 2024 +0100 dsa: qca8k: Use nested lock to avoid splat qca8k_phy_eth_command() is used to probe the child MDIO bus while the parent MDIO is locked. This causes lockdep splat, reporting a possible deadlock. It is not an actually deadlock, because different locks are used. By making use of mutex_lock_nested() we can avoid this false positive. Signed-off-by: Andrew Lunn Link: https://patch.msgid.link/20241110175955.3053664-1-andrew@lunn.ch Signed-off-by: Jakub Kicinski commit b169e76ebad22cbd055101ee5aa1a7bed0e66606 Author: Dmitry Kandybka Date: Thu Nov 7 13:36:57 2024 +0300 mptcp: fix possible integer overflow in mptcp_reset_tout_timer In 'mptcp_reset_tout_timer', promote 'probe_timestamp' to unsigned long to avoid possible integer overflow. Compile tested only. Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: Dmitry Kandybka Link: https://patch.msgid.link/20241107103657.1560536-1-d.kandybka@gmail.com Signed-off-by: Jakub Kicinski commit a1087da9d11e5bcacc706002bc0f84b790881f69 Author: Leon Hwang Date: Thu Nov 7 21:45:28 2024 +0800 bpf, x86: Propagate tailcall info only for subprogs In x64 JIT, propagate tailcall info only for subprogs, not for helpers or kfuncs. Acked-by: Yonghong Song Signed-off-by: Leon Hwang Link: https://lore.kernel.org/r/20241107134529.8602-2-leon.hwang@linux.dev Signed-off-by: Alexei Starovoitov commit faadc69af1ef68f2820fc29c874a42f1da2685f9 Merge: c1bc51f85cd6be 7c8ce4ffb68467 Author: Alexei Starovoitov Date: Tue Nov 12 17:13:47 2024 -0800 Merge branch 'add-kernel-symbol-for-struct_ops-trampoline' Xu Kuohai says: ==================== Add kernel symbol for struct_ops trampoline. Without kernel symbol for struct_ops trampoline, the unwinder may produce unexpected stacktraces. For example, the x86 ORC and FP unwinder stops stacktrace on a struct_ops trampoline address since there is no kernel symbol for the address. v4: - Add a separate cleanup patch to remove unused member rcu from bpf_struct_ops_map (patch 1) - Use funcs_cnt instead of btf_type_vlen(vt) for links memory calculation in .map_mem_usage (patch 2) - Include ksyms[] memory in map_mem_usage (patch 3) - Various fixes in patch 3 (Thanks to Martin) v3: https://lore.kernel.org/bpf/20241111121641.2679885-1-xukuohai@huaweicloud.com/ - Add a separate cleanup patch to replace links_cnt with funcs_cnt - Allocate ksyms on-demand in update_elem() to stay with the links allocation way - Set ksym name to prog___ v2: https://lore.kernel.org/bpf/20241101111948.1570547-1-xukuohai@huaweicloud.com/ - Refine the commit message for clarity and fix a test bot warning v1: https://lore.kernel.org/bpf/20241030111533.907289-1-xukuohai@huaweicloud.com/ ==================== Reviewed-by: Martin KaFai Lau Link: https://lore.kernel.org/r/20241112145849.3436772-1-xukuohai@huaweicloud.com Signed-off-by: Alexei Starovoitov commit 7c8ce4ffb684676039b1ff9ff81c126794e8d88e Author: Xu Kuohai Date: Tue Nov 12 22:58:49 2024 +0800 bpf: Add kernel symbol for struct_ops trampoline Without kernel symbols for struct_ops trampoline, the unwinder may produce unexpected stacktraces. For example, the x86 ORC and FP unwinders check if an IP is in kernel text by verifying the presence of the IP's kernel symbol. When a struct_ops trampoline address is encountered, the unwinder stops due to the absence of symbol, resulting in an incomplete stacktrace that consists only of direct and indirect child functions called from the trampoline. The arm64 unwinder is another example. While the arm64 unwinder can proceed across a struct_ops trampoline address, the corresponding symbol name is displayed as "unknown", which is confusing. Thus, add kernel symbol for struct_ops trampoline. The name is bpf___, where is the type name of the struct_ops, and is the name of the member that the trampoline is linked to. Below is a comparison of stacktraces captured on x86 by perf record, before and after this patch. Before: ffffffff8116545d __lock_acquire+0xad ([kernel.kallsyms]) ffffffff81167fcc lock_acquire+0xcc ([kernel.kallsyms]) ffffffff813088f4 __bpf_prog_enter+0x34 ([kernel.kallsyms]) After: ffffffff811656bd __lock_acquire+0x30d ([kernel.kallsyms]) ffffffff81167fcc lock_acquire+0xcc ([kernel.kallsyms]) ffffffff81309024 __bpf_prog_enter+0x34 ([kernel.kallsyms]) ffffffffc000d7e9 bpf__tcp_congestion_ops_cong_avoid+0x3e ([kernel.kallsyms]) ffffffff81f250a5 tcp_ack+0x10d5 ([kernel.kallsyms]) ffffffff81f27c66 tcp_rcv_established+0x3b6 ([kernel.kallsyms]) ffffffff81f3ad03 tcp_v4_do_rcv+0x193 ([kernel.kallsyms]) ffffffff81d65a18 __release_sock+0xd8 ([kernel.kallsyms]) ffffffff81d65af4 release_sock+0x34 ([kernel.kallsyms]) ffffffff81f15c4b tcp_sendmsg+0x3b ([kernel.kallsyms]) ffffffff81f663d7 inet_sendmsg+0x47 ([kernel.kallsyms]) ffffffff81d5ab40 sock_write_iter+0x160 ([kernel.kallsyms]) ffffffff8149c67b vfs_write+0x3fb ([kernel.kallsyms]) ffffffff8149caf6 ksys_write+0xc6 ([kernel.kallsyms]) ffffffff8149cb5d __x64_sys_write+0x1d ([kernel.kallsyms]) ffffffff81009200 x64_sys_call+0x1d30 ([kernel.kallsyms]) ffffffff82232d28 do_syscall_64+0x68 ([kernel.kallsyms]) ffffffff8240012f entry_SYSCALL_64_after_hwframe+0x76 ([kernel.kallsyms]) Fixes: 85d33df357b6 ("bpf: Introduce BPF_MAP_TYPE_STRUCT_OPS") Signed-off-by: Xu Kuohai Acked-by: Yonghong Song Link: https://lore.kernel.org/r/20241112145849.3436772-4-xukuohai@huaweicloud.com Signed-off-by: Alexei Starovoitov commit 821a3fa32bbe3bc0fa23b3189325d3720a49a24c Author: Xu Kuohai Date: Tue Nov 12 22:58:48 2024 +0800 bpf: Use function pointers count as struct_ops links count Only function pointers in a struct_ops structure can be linked to bpf progs, so set the links count to the function pointers count, instead of the total members count in the structure. Suggested-by: Martin KaFai Lau Signed-off-by: Xu Kuohai Link: https://lore.kernel.org/r/20241112145849.3436772-3-xukuohai@huaweicloud.com Signed-off-by: Alexei Starovoitov commit bd9d9b48eb1814ad761cce45774a18d95c33803c Author: Xu Kuohai Date: Tue Nov 12 22:58:47 2024 +0800 bpf: Remove unused member rcu from bpf_struct_ops_map The rcu member in bpf_struct_ops_map is not used after commit b671c2067a04 ("bpf: Retire the struct_ops map kvalue->refcnt.") Remove it. Suggested-by: Martin KaFai Lau Signed-off-by: Xu Kuohai Link: https://lore.kernel.org/r/20241112145849.3436772-2-xukuohai@huaweicloud.com Signed-off-by: Alexei Starovoitov commit be6b0eb5c46d85e360c0ff8bdde1aaa199a8fb6d Author: Michael Ellerman Date: Tue Nov 12 22:48:05 2024 +1100 powerpc/cell: Remove dead extern declaration for spu_priv1_beat_ops spu_priv1_beat_ops were removed in commit bf4981a00636 ("powerpc: Remove the celleb support"), remove the unneeded extern. Signed-off-by: Michael Ellerman Link: https://patch.msgid.link/20241112114805.453894-1-mpe@ellerman.id.au commit fae2987e67786a6358c0ef47189b12ff19e9543a Author: Michael Ellerman Date: Tue Nov 12 19:51:48 2024 +1100 cpufreq: maple: Remove maple driver This driver is no longer buildable since the PPC_MAPLE platform was removed, see commit 62f8f307c80e ("powerpc/64: Remove maple platform"). Remove the driver. Note that the comment in the driver says it supports "SMU & 970FX based G5 Macs", but that's not true, that comment was copied from pmac64-cpufreq.c, which still exists and continues to support those machines. Acked-by: Viresh Kumar Signed-off-by: Michael Ellerman Link: https://patch.msgid.link/20241112085148.415574-1-mpe@ellerman.id.au commit c1bc51f85cd6be28a4ec901b358731550a203bb2 Merge: c748a255aedfd4 becfe32b57c7d3 Author: Alexei Starovoitov Date: Tue Nov 12 16:26:25 2024 -0800 Merge branch 'bpf-support-private-stack-for-bpf-progs' Yonghong Song says: ==================== bpf: Support private stack for bpf progs The main motivation for private stack comes from nested scheduler in sched-ext from Tejun. The basic idea is that - each cgroup will its own associated bpf program, - bpf program with parent cgroup will call bpf programs in immediate child cgroups. Let us say we have the following cgroup hierarchy: root_cg (prog0): cg1 (prog1): cg11 (prog11): cg111 (prog111) cg112 (prog112) cg12 (prog12): cg121 (prog121) cg122 (prog122) cg2 (prog2): cg21 (prog21) cg22 (prog22) cg23 (prog23) In the above example, prog0 will call a kfunc which will call prog1 and prog2 to get sched info for cg1 and cg2 and then the information is summarized and sent back to prog0. Similarly, prog11 and prog12 will be invoked in the kfunc and the result will be summarized and sent back to prog1, etc. The following illustrates a possible call sequence: ... -> bpf prog A -> kfunc -> ops. (bpf prog B) ... Currently, for each thread, the x86 kernel allocate 16KB stack. Each bpf program (including its subprograms) has maximum 512B stack size to avoid potential stack overflow. Nested bpf programs further increase the risk of stack overflow. To avoid potential stack overflow caused by bpf programs, this patch set supported private stack and bpf program stack space is allocated during jit time. Using private stack for bpf progs can reduce or avoid potential kernel stack overflow. Currently private stack is applied to tracing programs like kprobe/uprobe, perf_event, tracepoint, raw tracepoint and struct_ops progs. Tracing progs enable private stack if any subprog stack size is more than a threshold (i.e. 64B). Struct-ops progs enable private stack based on particular struct op implementation which can enable private stack before verification at per-insn level. Struct-ops progs have the same treatment as tracing progs w.r.t when to enable private stack. For all these progs, the kernel will do recursion check (no nesting for per prog per cpu) to ensure that private stack won't be overwritten. The bpf_prog_aux struct has a callback func recursion_detected() which can be implemented by kernel subsystem to synchronously detect recursion, report error, etc. Only x86_64 arch supports private stack now. It can be extended to other archs later. Please see each individual patch for details. Change logs: v11 -> v12: - v11 link: https://lore.kernel.org/bpf/20241109025312.148539-1-yonghong.song@linux.dev/ - Fix a bug where allocated percpu space is less than actual private stack. - Add guard memory (before and after actual prog stack) to detect potential underflow/overflow. v10 -> v11: - v10 link: https://lore.kernel.org/bpf/20241107024138.3355687-1-yonghong.song@linux.dev/ - Use two bool variables, priv_stack_requested (used by struct-ops only) and jits_use_priv_stack, in order to make code cleaner. - Set env->prog->aux->jits_use_priv_stack to true if any subprog uses private stack. This is for struct-ops use case to kick in recursion protection. v9 -> v10: - v9 link: https://lore.kernel.org/bpf/20241104193455.3241859-1-yonghong.song@linux.dev/ - Simplify handling async cbs by making those async cb related progs using normal kernel stack. - Do percpu allocation in jit instead of verifier. v8 -> v9: - v8 link: https://lore.kernel.org/bpf/20241101030950.2677215-1-yonghong.song@linux.dev/ - Use enum to express priv stack mode. - Use bits in bpf_subprog_info struct to do subprog recursion check between main/async and async subprogs. - Fix potential memory leak. - Rename recursion detection func from recursion_skipped() to recursion_detected(). v7 -> v8: - v7 link: https://lore.kernel.org/bpf/20241029221637.264348-1-yonghong.song@linux.dev/ - Add recursion_skipped() callback func to bpf_prog->aux structure such that if a recursion miss happened and bpf_prog->aux->recursion_skipped is not NULL, the callback fn will be called so the subsystem can do proper action based on their respective design. v6 -> v7: - v6 link: https://lore.kernel.org/bpf/20241020191341.2104841-1-yonghong.song@linux.dev/ - Going back to do private stack allocation per prog instead per subtree. This can simplify implementation and avoid verifier complexity. - Handle potential nested subprog run if async callback exists. - Use struct_ops->check_member() callback to set whether a particular struct-ops prog wants private stack or not. v5 -> v6: - v5 link: https://lore.kernel.org/bpf/20241017223138.3175885-1-yonghong.song@linux.dev/ - Instead of using (or not using) private stack at struct_ops level, each prog in struct_ops can decide whether to use private stack or not. v4 -> v5: - v4 link: https://lore.kernel.org/bpf/20241010175552.1895980-1-yonghong.song@linux.dev/ - Remove bpf_prog_call() related implementation. - Allow (opt-in) private stack for sched-ext progs. v3 -> v4: - v3 link: https://lore.kernel.org/bpf/20240926234506.1769256-1-yonghong.song@linux.dev/ There is a long discussion in the above v3 link trying to allow private stack to be used by kernel functions in order to simplify implementation. But unfortunately we didn't find a workable solution yet, so we return to the approach where private stack is only used by bpf programs. - Add bpf_prog_call() kfunc. v2 -> v3: - Instead of per-subprog private stack allocation, allocate private stacks at main prog or callback entry prog. Subprogs not main or callback progs will increment the inherited stack pointer to be their frame pointer. - Private stack allows each prog max stack size to be 512 bytes, intead of the whole prog hierarchy to be 512 bytes. - Add some tests. ==================== Link: https://lore.kernel.org/r/20241112163902.2223011-1-yonghong.song@linux.dev Signed-off-by: Alexei Starovoitov commit becfe32b57c7d323fbd94c1a2c6d7eba918ddde8 Author: Yonghong Song Date: Tue Nov 12 08:39:38 2024 -0800 selftests/bpf: Add struct_ops prog private stack tests Add three tests for struct_ops using private stack. ./test_progs -t struct_ops_private_stack #336/1 struct_ops_private_stack/private_stack:OK #336/2 struct_ops_private_stack/private_stack_fail:OK #336/3 struct_ops_private_stack/private_stack_recur:OK #336 struct_ops_private_stack:OK The following is a snippet of a struct_ops check_member() implementation: u32 moff = __btf_member_bit_offset(t, member) / 8; switch (moff) { case offsetof(struct bpf_testmod_ops3, test_1): prog->aux->priv_stack_requested = true; prog->aux->recursion_detected = test_1_recursion_detected; fallthrough; default: break; } return 0; The first test is with nested two different callback functions where the first prog has more than 512 byte stack size (including subprogs) with private stack enabled. The second test is a negative test where the second prog has more than 512 byte stack size without private stack enabled. The third test is the same callback function recursing itself. At run time, the jit trampoline recursion check kicks in to prevent the recursion. The recursion_detected() callback function is implemented by the bpf_testmod, the following message in dmesg bpf_testmod: oh no, recursing into test_1, recursion_misses 1 demonstrates the callback function is indeed triggered when recursion miss happens. Signed-off-by: Yonghong Song Link: https://lore.kernel.org/r/20241112163938.2225528-1-yonghong.song@linux.dev Signed-off-by: Alexei Starovoitov commit 5bd36da1e37e7a78e8b38efd287de6e1394b7d6e Author: Yonghong Song Date: Tue Nov 12 08:39:33 2024 -0800 bpf: Support private stack for struct_ops progs For struct_ops progs, whether a particular prog uses private stack depends on prog->aux->priv_stack_requested setting before actual insn-level verification for that prog. One particular implementation is to piggyback on struct_ops->check_member(). The next patch has an example for this. The struct_ops->check_member() sets prog->aux->priv_stack_requested to be true which enables private stack usage. The struct_ops prog follows the same rule as kprobe/tracing progs after function bpf_enable_priv_stack(). For example, even a struct_ops prog requests private stack, it could still use normal kernel stack if the stack size is small (< 64 bytes). Similar to tracing progs, nested same cpu same prog run will be skipped. A field (recursion_detected()) is added to bpf_prog_aux structure. If bpf_prog->aux->recursion_detected is implemented by the struct_ops subsystem and nested same cpu/prog happens, the function will be triggered to report an error, collect related info, etc. Acked-by: Tejun Heo Signed-off-by: Yonghong Song Link: https://lore.kernel.org/r/20241112163933.2224962-1-yonghong.song@linux.dev Signed-off-by: Alexei Starovoitov commit f4b295ab65980435d7dc8b12d110387d1d1c653c Author: Yonghong Song Date: Tue Nov 12 08:39:27 2024 -0800 selftests/bpf: Add tracing prog private stack tests Some private stack tests are added including: - main prog only with stack size greater than BPF_PSTACK_MIN_SIZE. - main prog only with stack size smaller than BPF_PSTACK_MIN_SIZE. - prog with one subprog having MAX_BPF_STACK stack size and another subprog having non-zero small stack size. - prog with callback function. - prog with exception in main prog or subprog. - prog with async callback without nesting - prog with async callback with possible nesting Signed-off-by: Yonghong Song Link: https://lore.kernel.org/r/20241112163927.2224750-1-yonghong.song@linux.dev Signed-off-by: Alexei Starovoitov commit 7d1cd70d4b16ff0216a5f6c2ae7d0fa9fa978c07 Author: Yonghong Song Date: Tue Nov 12 08:39:22 2024 -0800 bpf, x86: Support private stack in jit Private stack is allocated in function bpf_int_jit_compile() with alignment 8. Private stack allocation size includes the stack size determined by verifier and additional space to protect stack overflow and underflow. See below an illustration: ---> memory address increasing [8 bytes to protect overflow] [normal stack] [8 bytes to protect underflow] If overflow/underflow is detected, kernel messages will be emited in dmesg like BPF private stack overflow/underflow detected for prog Fx BPF Private stack overflow/underflow detected for prog bpf_prog_a41699c234a1567a_subprog1x Those messages are generated when I made some changes to jitted code to intentially cause overflow for some progs. For the jited prog, The x86 register 9 (X86_REG_R9) is used to replace bpf frame register (BPF_REG_10). The private stack is used per subprog per cpu. The X86_REG_R9 is saved and restored around every func call (not including tailcall) to maintain correctness of X86_REG_R9. Signed-off-by: Yonghong Song Link: https://lore.kernel.org/r/20241112163922.2224385-1-yonghong.song@linux.dev Signed-off-by: Alexei Starovoitov commit f4b21ed0b9d6c9fe155451a1fb3531fb44b0afa8 Author: Yonghong Song Date: Tue Nov 12 08:39:17 2024 -0800 bpf, x86: Avoid repeated usage of bpf_prog->aux->stack_depth Refactor the code to avoid repeated usage of bpf_prog->aux->stack_depth in do_jit() func. If the private stack is used, the stack_depth will be 0 for that prog. Refactoring make it easy to adjust stack_depth. Signed-off-by: Yonghong Song Link: https://lore.kernel.org/r/20241112163917.2224189-1-yonghong.song@linux.dev Signed-off-by: Alexei Starovoitov commit e00931c02568dc6ac76f94b1ab471de05e6fdfe8 Author: Yonghong Song Date: Tue Nov 12 08:39:12 2024 -0800 bpf: Enable private stack for eligible subprogs If private stack is used by any subprog, set that subprog prog->aux->jits_use_priv_stack to be true so later jit can allocate private stack for that subprog properly. Also set env->prog->aux->jits_use_priv_stack to be true if any subprog uses private stack. This is a use case for a single main prog (no subprogs) to use private stack, and also a use case for later struct-ops progs where env->prog->aux->jits_use_priv_stack will enable recursion check if any subprog uses private stack. Signed-off-by: Yonghong Song Link: https://lore.kernel.org/r/20241112163912.2224007-1-yonghong.song@linux.dev Signed-off-by: Alexei Starovoitov commit a76ab5731e32d50ff5b1ae97e9dc4b23f41c23f5 Author: Yonghong Song Date: Tue Nov 12 08:39:07 2024 -0800 bpf: Find eligible subprogs for private stack support Private stack will be allocated with percpu allocator in jit time. To avoid complexity at runtime, only one copy of private stack is available per cpu per prog. So runtime recursion check is necessary to avoid stack corruption. Current private stack only supports kprobe/perf_event/tp/raw_tp which has recursion check in the kernel, and prog types that use bpf trampoline recursion check. For trampoline related prog types, currently only tracing progs have recursion checking. To avoid complexity, all async_cb subprogs use normal kernel stack including those subprogs used by both main prog subtree and async_cb subtree. Any prog having tail call also uses kernel stack. To avoid jit penalty with private stack support, a subprog stack size threshold is set such that only if the stack size is no less than the threshold, private stack is supported. The current threshold is 64 bytes. This avoids jit penality if the stack usage is small. A useless 'continue' is also removed from a loop in func check_max_stack_depth(). Signed-off-by: Yonghong Song Link: https://lore.kernel.org/r/20241112163907.2223839-1-yonghong.song@linux.dev Signed-off-by: Alexei Starovoitov commit 6cfe56fbad32c8c5b50e82d9109413566d691569 Author: Agathe Porte Date: Tue Nov 12 13:18:25 2024 +0100 ufs: ufs_sb_private_info: remove unused s_{2,3}apb fields These two fields are populated and stored as a "frequently used value" in ufs_fill_super, but are not used afterwards in the driver. Moreover, one of the shifts triggers UBSAN: shift-out-of-bounds when apbshift is 12 because 12 * 3 = 36 and 1 << 36 does not fit in the 32 bit integer used to store the value. Closes: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2087853 Signed-off-by: Agathe Porte Signed-off-by: Al Viro commit ea90d270349d51086d0dddc55821a782040d68f5 Author: John Garry Date: Tue Nov 12 16:10:18 2024 +0000 md/raid5: Increase r5conf.cache_name size For compiling with W=1, the following warning can be seen: drivers/md/raid5.c: In function ‘setup_conf’: drivers/md/raid5.c:2423:12: error: ‘%s’ directive output may be truncated writing up to 31 bytes into a region of size between 16 and 26 [-Werror=format-truncation=] "raid%d-%s", conf->level, mdname(conf->mddev)); ^~ drivers/md/raid5.c:2422:3: note: ‘snprintf’ output between 7 and 48 bytes into a destination of size 32 snprintf(conf->cache_name[0], namelen, ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "raid%d-%s", conf->level, mdname(conf->mddev)); ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ cc1: all warnings being treated as errors Increase the array size to avoid this warning. Signed-off-by: John Garry Link: https://lore.kernel.org/r/20241112161019.4154616-2-john.g.garry@oracle.com Signed-off-by: Song Liu commit 6a39bb15b3d1c355ab198d41f9590379d734f0bb Author: Colin Ian King Date: Thu Nov 7 13:21:14 2024 +0000 virtio_vdpa: remove redundant check on desc The boolean variable has_affinity is true when desc is non-null and ops->set_vq_affinity is non-null. Hence the call to create_affinity_masks does not need to check for desc being non-null is redundant when has_affinity is true, so it can be removed as well as the now unused default_affd. Signed-off-by: Colin Ian King Message-Id: <20241107132114.22188-1-colin.i.king@gmail.com> Signed-off-by: Michael S. Tsirkin Acked-by: Eugenio Pérez commit df28040c7f24559ffb23d5323eaa2f023a107dbe Author: Max Gurtovoy Date: Sun Oct 6 21:43:41 2024 +0300 virtio_fs: store actual queue index in mq_map This will eliminate the need for index recalculation during the fast path. Signed-off-by: Max Gurtovoy Message-Id: <20241006184341.9081-1-mgurtovoy@nvidia.com> Signed-off-by: Michael S. Tsirkin commit 22d984f1b90f960f9aa92e31b0d310c5f90be8a6 Author: Max Gurtovoy Date: Sun Oct 6 21:43:24 2024 +0300 virtio_fs: add informative log for new tag discovery Enhance the device probing process by adding a log message when a new virtio-fs tag is successfully discovered. This improvement provides better visibility into the initialization of virtio-fs devices. Signed-off-by: Max Gurtovoy Message-Id: <20241006184324.8497-1-mgurtovoy@nvidia.com> Signed-off-by: Michael S. Tsirkin commit a49c26f761d2b9f6506d397f6e8373ebb27c65ba Author: Wenyu Huang Date: Sun Oct 13 11:32:33 2024 +0800 virtio: Make vring_new_virtqueue support packed vring It is used for testing in tools/virtio/vringh_test.c. If vring_new_virtqueue supports packed vring, we can add support for packed vring to vringh and test it. Signed-off-by: Wenyu Huang Message-Id: <20241013033233.65026-1-huangwenyu1998@gmail.com> Signed-off-by: Michael S. Tsirkin Reviewed-by: Stefano Garzarella Acked-by: Jason Wang commit 76f0d870e75e0b00843668ace7603a47890cb9ff Author: Philip Chen Date: Thu Aug 15 00:46:17 2024 +0000 virtio_pmem: Add freeze/restore callbacks Add basic freeze/restore PM callbacks to support hibernation (S4): - On freeze, delete vq and quiesce the device to prepare for snapshotting. - On restore, re-init vq and mark DRIVER_OK. Signed-off-by: Philip Chen Message-Id: <20240815004617.2325269-1-philipchen@chromium.org> Signed-off-by: Michael S. Tsirkin commit 35025963326e44d8bced3eecd42d2f040f4f0024 Author: Si-Wei Liu Date: Mon Oct 21 16:40:40 2024 +0300 vdpa/mlx5: Fix suboptimal range on iotlb iteration The starting iova address to iterate iotlb map entry within a range was set to an irrelevant value when passing to the itree_next() iterator, although luckily it doesn't affect the outcome of finding out the granule of the smallest iotlb map size. Fix the code to make it consistent with the following for-loop. Fixes: 94abbccdf291 ("vdpa/mlx5: Add shared memory registration code") Signed-off-by: Si-Wei Liu Signed-off-by: Dragos Tatulea Message-Id: <20241021134040.975221-3-dtatulea@nvidia.com> Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang commit 0eb512779d642b21ced83778287a0f7a3ca8f2a1 Author: Charlie Jenkins Date: Fri Nov 8 15:47:36 2024 -0800 riscv: Fix default misaligned access trap Commit d1703dc7bc8e ("RISC-V: Detect unaligned vector accesses supported") removed the default handlers for handle_misaligned_load() and handle_misaligned_store(). When the kernel is compiled without RISCV_SCALAR_MISALIGNED, these handlers are never defined, causing compilation errors. Signed-off-by: Charlie Jenkins Fixes: d1703dc7bc8e ("RISC-V: Detect unaligned vector accesses supported") Reviewed-by: Jesse Taube Link: https://lore.kernel.org/r/20241108-fix_handle_misaligned_load-v2-1-91d547ce64db@rivosinc.com Signed-off-by: Palmer Dabbelt commit f8ce622ac9d89260595e26d4e0da8cb6b4a8e030 Author: Paul E. McKenney Date: Mon Nov 11 13:57:03 2024 -0800 srcu: Check for srcu_read_lock_lite() across all CPUs If srcu_read_lock_lite() is used on a given srcu_struct structure, then the grace-period processing must do synchronize_rcu() instead of smp_mb() between the scans of the ->srcu_unlock_count[] and ->srcu_lock_count[] counters. Currently, it does that by testing the SRCU_READ_FLAVOR_LITE bit of the ->srcu_reader_flavor mask, which works well. But only if the CPU running that srcu_struct structure's grace period has previously executed srcu_read_lock_lite(), which might not be the case, especially just after that srcu_struct structure has been created and initialized. This commit therefore updates the srcu_readers_unlock_idx() function to OR together the ->srcu_reader_flavor masks from all CPUs, and then make the srcu_readers_active_idx_check() function that test the SRCU_READ_FLAVOR_LITE bit in the resulting mask. Note that the srcu_readers_unlock_idx() function is already scanning all the CPUs to sum up the ->srcu_unlock_count[] fields and that this is on the grace-period slow path, hence no concerns about the small amount of extra work. Reported-by: Neeraj Upadhyay Closes: https://lore.kernel.org/all/d07e8f4a-d5ff-4c8e-8e61-50db285c57e9@amd.com/ Fixes: c0f08d6b5a61 ("srcu: Add srcu_read_lock_lite() and srcu_read_unlock_lite()") Signed-off-by: Paul E. McKenney Cc: Frederic Weisbecker Reviewed-by: Neeraj Upadhyay Signed-off-by: Frederic Weisbecker commit 174dd22a781b97cb355b1037f0931436a254d3be Author: Paul E. McKenney Date: Mon Nov 11 09:38:26 2024 -0800 srcu: Remove smp_mb() from srcu_read_unlock_lite() The srcu_read_unlock_lite() function invokes __srcu_read_unlock() instead of __srcu_read_unlock_lite(), which means that it is doing an unnecessary smp_mb(). This is harmless other than the performance degradation. This commit therefore switches to __srcu_read_unlock_lite(). Reported-by: Neeraj Upadhyay Closes: https://lore.kernel.org/all/d07e8f4a-d5ff-4c8e-8e61-50db285c57e9@amd.com/ Fixes: c0f08d6b5a61 ("srcu: Add srcu_read_lock_lite() and srcu_read_unlock_lite()") Signed-off-by: Paul E. McKenney Cc: Frederic Weisbecker Reviewed-by: Neeraj Upadhyay Signed-off-by: Frederic Weisbecker commit 16023977b9e0f75fee9e2f38795b59fb101466e6 Merge: 94dd51c3bc8048 fd0b3581666860 Author: Arnd Bergmann Date: Tue Nov 12 23:18:14 2024 +0100 Merge tag 'samsung-drivers-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/krzk/linux into soc/dt Samsung SoC drivers for v6.13 Add Samsung ChipID driver support for new SoCs: Exynos8895, Exynos990 and Exynos9810. * tag 'samsung-drivers-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/krzk/linux: soc: samsung: exynos-chipid: Add support for Exynos9810 SoC dt-bindings: hwinfo: samsung,exynos-chipid: Add Samsung exynos9810 compatible soc: samsung: exynos-chipid: Add support for Exynos 990 chipid dt-bindings: hwinfo: exynos-chipid: Add compatible for Exynos 990 chipid soc: samsung: exynos-chipid: add exynos8895 SoC support dt-bindings: hwinfo: samsung,exynos-chipid: add exynos8895 compatible Link: https://lore.kernel.org/r/20241029081002.21106-1-krzysztof.kozlowski@linaro.org Signed-off-by: Arnd Bergmann commit 9c6cb0377534e77265ea673fd4834f858d5d1a6f Merge: d95fa0fab7cab3 2f76989999a743 Author: Arnd Bergmann Date: Tue Nov 12 23:14:50 2024 +0100 Merge tag 'imx-soc-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux into soc/arm i.MX SoC changes for 6.13: - A change from Andrew Davis to convert i.MX6 PM code to use new sys-off API * tag 'imx-soc-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux: ARM: imx: Switch to new sys-off handler API Link: https://lore.kernel.org/r/20241104090055.1881860-2-shawnguo2@yeah.net Signed-off-by: Arnd Bergmann commit d95fa0fab7cab38a1778d804f1612f6af5bf7a86 Merge: 269e715b99247d 49721115051585 Author: Arnd Bergmann Date: Tue Nov 12 23:14:07 2024 +0100 Merge tag 'zynq-soc-for-6.13' of https://github.com/Xilinx/linux-xlnx into soc/arm ARM: Zynq SoC changes for 6.13 - cleanup zynq_slcr_init() * tag 'zynq-soc-for-6.13' of https://github.com/Xilinx/linux-xlnx: ARM: zynq: Remove unused zynq_slcr_init() declaration Link: https://lore.kernel.org/r/CAHTX3dKLb4nOVpVvnwyxE6zJZNXpiB4hh=WzpKWwhqP7aLobjw@mail.gmail.com Signed-off-by: Arnd Bergmann commit 269e715b99247d88e02caf06f7d8cb62b212974a Merge: 1c8f196da9fc6f 3a6ad95d97eb62 Author: Arnd Bergmann Date: Tue Nov 12 23:13:43 2024 +0100 Merge tag 'samsung-soc-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/krzk/linux into soc/arm Samsung mach/soc changes for v6.13 Few minor cleanups in platform data headers: drop unused declarations. * tag 'samsung-soc-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/krzk/linux: ASoC: samsung: Remove obsoleted declaration for s3c64xx_ac97_setup_gpio ARM: samsung: Remove obsoleted declaration for s3c_hwmon_set_platdata Link: https://lore.kernel.org/r/20241029081002.21106-3-krzysztof.kozlowski@linaro.org Signed-off-by: Arnd Bergmann commit 1c8f196da9fc6fc49484275df2b2895c3f0bf86c Merge: 42f7652d3eb527 4ee0bd85dd0a50 Author: Arnd Bergmann Date: Tue Nov 12 23:12:19 2024 +0100 Merge tag 'arm-soc/for-6.13/soc' of https://github.com/Broadcom/stblinux into soc/arm This pull request contains Broadcom ARM-based SoC changes for 6.13, please pull the following: - Linus adds support for the debug UART on BCM6846 (BCMBCA) platform - Florian dros the custom init_irq() callback which does the same thing as the standard irqchip_init() * tag 'arm-soc/for-6.13/soc' of https://github.com/Broadcom/stblinux: ARM: bcm: brcmstb: Drop custom init_irq callback ARM: bcm: Support BCMBCA debug UART Link: https://lore.kernel.org/r/20241028035449.734504-2-florian.fainelli@broadcom.com Signed-off-by: Arnd Bergmann commit 447a54a0f79c9a409ceaa17804bdd2e0206397b9 Author: Vijendar Mukunda Date: Tue Nov 12 10:11:42 2024 -0600 drm/amd: Fix initialization mistake for NBIO 7.7.0 There is a strapping issue on NBIO 7.7.0 that can lead to spurious PME events while in the D0 state. Co-developed-by: Mario Limonciello Signed-off-by: Vijendar Mukunda Signed-off-by: Mario Limonciello Acked-by: Alex Deucher Link: https://lore.kernel.org/r/20241112161142.28974-1-mario.limonciello@amd.com Signed-off-by: Alex Deucher commit 3c2296b1eec55b50c64509ba15406142d4a958dc Author: Alex Deucher Date: Fri Nov 8 09:34:46 2024 -0500 Revert "drm/amd/display: parse umc_info or vram_info based on ASIC" This reverts commit 2551b4a321a68134360b860113dd460133e856e5. This was not the root cause. Revert. Link: https://gitlab.freedesktop.org/drm/amd/-/issues/3678 Reviewed-by: Harry Wentland Signed-off-by: Alex Deucher Cc: aurabindo.pillai@amd.com Cc: hamishclaxton@gmail.com commit 91314e7dfd83345b8b820b782b2511c9c32866cd Author: Hamish Claxton Date: Tue Nov 5 10:42:31 2024 +1000 drm/amd/display: Fix failure to read vram info due to static BP_RESULT The static declaration causes the check to fail. Remove it. Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3678 Fixes: 00c391102abc ("drm/amd/display: Add misc DC changes for DCN401") Reviewed-by: Harry Wentland Signed-off-by: Hamish Claxton Signed-off-by: Alex Deucher Cc: aurabindo.pillai@amd.com Cc: hamishclaxton@gmail.com commit e8fc090d322346e5ce4c4cfe03a8100e31f61c3c Author: Christian König Date: Tue Jun 4 18:05:00 2024 +0200 drm/amdgpu: enable GTT fallback handling for dGPUs only That is just a waste of time on APUs. Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3704 Fixes: 216c1282dde3 ("drm/amdgpu: use GTT only as fallback for VRAM|GTT") Reviewed-by: Alex Deucher Signed-off-by: Christian König Signed-off-by: Alex Deucher commit 3fba54700b5321f32b320d36dc44dd970973fb32 Merge: 61107d84aba960 8461bcf0a3d9d3 Author: Arnd Bergmann Date: Tue Nov 12 23:09:58 2024 +0100 Merge tag 'ti-k3-config-for-v6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/ti/linux into soc/defconfig TI K3 defconfig updates for v6.13 Enable driver for GPIO PCF857x I2C GPIO expander present on multiple TI boards * tag 'ti-k3-config-for-v6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/ti/linux: arm64: defconfig: Enable PCF857X GPIO expander Link: https://lore.kernel.org/r/b13eabeb-48dd-493e-a7c7-fd247c971ae8@ti.com Signed-off-by: Arnd Bergmann commit 61107d84aba960dec940a2750413d1065ec801a6 Merge: 31e7323a41e49c c520bbb523304b Author: Arnd Bergmann Date: Tue Nov 12 23:09:31 2024 +0100 Merge tag 'renesas-arm-defconfig-for-v6.13-tag1' of https://git.kernel.org/pub/scm/linux/kernel/git/geert/renesas-devel into soc/defconfig Renesas ARM defconfig updates for v6.13 - Enable Battery Backup Function (VBATTB) and RTC support for the RZ/G3S SoC and the RZ/G3S SMARC SoM. * tag 'renesas-arm-defconfig-for-v6.13-tag1' of https://git.kernel.org/pub/scm/linux/kernel/git/geert/renesas-devel: arm64: defconfig: Enable VBATTB clock and Renesas RTCA-3 Link: https://lore.kernel.org/r/cover.1730726154.git.geert+renesas@glider.be Signed-off-by: Arnd Bergmann commit 31e7323a41e49c294ffad00d45866576ecc770b1 Merge: 2130962a208de3 0fd75ba1750318 Author: Arnd Bergmann Date: Tue Nov 12 23:09:00 2024 +0100 Merge tag 'imx-defconfig-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux into soc/defconfig i.MX defconfig changes for 6.13: - Enable BD71828 regulator and NXPUART Bluetooth driver support in imx_v6_v7_defconfig (needed by Kobo Clara 2E device) * tag 'imx-defconfig-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux: ARM: imx_v6_v7_defconfig: Enable drivers for Kobo Clara 2E Link: https://lore.kernel.org/r/20241104090055.1881860-6-shawnguo2@yeah.net Signed-off-by: Arnd Bergmann commit 2130962a208de37b2edd06db94e29b1728e8c2c1 Merge: 7d33d08f3c0d39 9c957ebbcdd131 Author: Arnd Bergmann Date: Tue Nov 12 23:08:08 2024 +0100 Merge tag 'qcom-arm64-defconfig-for-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/qcom/linux into soc/defconfig Qualcomm Arm64 defconfig updates for v6.13 This enables multimedia clock controllers used by SC7280-based devices, such as the QCS6490 RB3Gen2. * tag 'qcom-arm64-defconfig-for-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/qcom/linux: arm64: defconfig: Enable sc7280 clock controllers Link: https://lore.kernel.org/r/20241104035709.19094-1-andersson@kernel.org Signed-off-by: Arnd Bergmann commit 7d33d08f3c0d39f509b5cf53c9ee9cc51c09c077 Merge: 42f7652d3eb527 a1b87bee1bc225 Author: Arnd Bergmann Date: Tue Nov 12 23:06:48 2024 +0100 Merge tag 'arm-soc/for-6.13/defconfig' of https://github.com/Broadcom/stblinux into soc/defconfig This pull request contains a multi_v7_defconfig update: - Florian aligns the ARM64 and ARM multi_v7_defconfig by enabling the kernel with debugging symbols by default and using the toolchain's dwarf version * tag 'arm-soc/for-6.13/defconfig' of https://github.com/Broadcom/stblinux: ARM: multi_v7_defconfig: Enable debugging symbols by default Link: https://lore.kernel.org/r/20241028035449.734504-1-florian.fainelli@broadcom.com Signed-off-by: Arnd Bergmann commit 80e935c8c154d8fbdd85a20d89b4962662ceddd7 Author: Paul E. McKenney Date: Wed Oct 9 11:02:53 2024 -0700 rcutorture: Avoid printing cpu=-1 for no-fault RCU boost failure If a CPU runs throughout the stalled grace period without passing through a quiescent state, RCU priority boosting cannot help. The rcu_torture_boost_failed() function therefore prints a message flagging the first such CPU. However, if the stall was instead due to (for example) RCU's grace-period kthread being starved of CPU, there will be no such CPU, causing rcu_check_boost_fail() to instead pass back -1 through its cpup CPU-pointer parameter. Therefore, the current message complains about a mythical CPU -1. This commit therefore checks for this situation, and notes that all CPUs have passed through a quiescent state. Signed-off-by: Paul E. McKenney Reviewed-by: Neeraj Upadhyay Signed-off-by: Frederic Weisbecker commit ff9ba8db87222be8d344f7c1cc3c28b1e22f6429 Author: Paul E. McKenney Date: Wed Oct 9 11:02:52 2024 -0700 rcuscale: Add guest_os_delay module parameter This commit adds a guest_os_delay module parameter that extends warm-up and cool-down the specified number of seconds before and after the series of test runs. This allows the data-collection intervals from any given rcuscale guest OSes to line up with active periods in the other rcuscale guest OSes, and also allows the thermal warm-up period required to obtain consistent results from one test to the next. Signed-off-by: Paul E. McKenney Reviewed-by: Neeraj Upadhyay Signed-off-by: Frederic Weisbecker commit 046c06f5ba97b31da189396e922ebff3f502518e Author: Paul E. McKenney Date: Wed Oct 9 11:02:51 2024 -0700 refscale: Correct affinity check The current affinity check works fine until there are more reader processes than CPUs, at which point the affinity check is looking for non-existent CPUs. This commit therefore applies the same modulus to the check as is present in the set_cpus_allowed_ptr() call. Signed-off-by: Paul E. McKenney Reviewed-by: Neeraj Upadhyay Signed-off-by: Frederic Weisbecker commit 32693634cdf90e56bd167e5226db7ca569707437 Author: Paul E. McKenney Date: Wed Oct 9 11:02:50 2024 -0700 torture: Add --no-affinity parameter to kvm.sh In performance tests, it can be counter-productive to spread torture-test guest OSes across sockets. Plus the experimenter might have ideas about what CPUs individual guest OSes are to run on. This commit therefore adds a --no-affinity parameter to kvm.sh to prevent it from running taskset on its guest OSes. Signed-off-by: Paul E. McKenney Reviewed-by: Neeraj Upadhyay Signed-off-by: Frederic Weisbecker commit 94dd51c3bc8048c73a6ea0f7052985b8bb9da3f7 Merge: 31257ea09c884f 5c9de6f45db36b Author: Arnd Bergmann Date: Tue Nov 12 23:03:11 2024 +0100 Merge tag 'asahi-soc-dt-6.13' of https://github.com/AsahiLinux/linux into soc/dt Apple SoC DT updates for 6.13: - Added base DTs for a bunch of non-Mac Apple iDevices (pre-M1) * tag 'asahi-soc-dt-6.13' of https://github.com/AsahiLinux/linux: arm64: Kconfig: Update help text for CONFIG_ARCH_APPLE arm64: dts: apple: Add A11 devices arm64: dts: apple: Add A10X devices arm64: dts: apple: Add A10 devices arm64: dts: apple: Add A9X devices arm64: dts: apple: Add A9 devices arm64: dts: apple: Add A8X devices arm64: dts: apple: Add A8 devices arm64: dts: apple: Add A7 devices dt-bindings: arm: apple: Add A11 devices dt-bindings: arm: apple: Add A10X devices dt-bindings: arm: apple: Add A10 devices dt-bindings: arm: apple: Add A9X devices dt-bindings: arm: apple: Add A9 devices dt-bindings: arm: apple: Add A8X devices dt-bindings: arm: apple: Add A8 devices dt-bindings: arm: apple: Add A7 devices dt-bindings: pinctrl: apple,pinctrl: Add A7-A11 compatibles dt-bindings: watchdog: apple,wdt: Add A7-A11 compatibles dt-bindings: arm: cpus: Add Apple A7-A11 CPU cores Link: https://lore.kernel.org/r/a8a19596-5d46-4562-9555-3b3ae7a5a3e5@marcan.st Signed-off-by: Arnd Bergmann commit 31257ea09c884f849f46c1d85993fcd87b8d628c Merge: 06fc642c538e5b 409e01f32787d7 Author: Arnd Bergmann Date: Tue Nov 12 23:02:17 2024 +0100 Merge tag 'v6.13-rockchip-dts64-2' of https://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip into soc/dt More new boards: Rock-5C, Banana Pi P2 Pro HDMI output enabled on a huge number of rk3588 boards, now that we have the ability to do that. A new RK356x variant - the RK3566T (with lower max-frequencies). The variant was already in use on some boards which then encoded those OPP differences in the board files itself. This moves this to saner place. Fixed-regulator nowadays has a preferred node-naming scheme set in the binding and we had accumulated a number of different styles over time. A change brings all of them in line for arm64 dts files. * tag 'v6.13-rockchip-dts64-2' of https://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip: (24 commits) arm64: dts: rockchip: use less broad pinctrl for pcie3x1 on Radxa E25 arm64: dts: rockchip: add Radxa ROCK 5C dt-bindings: arm: rockchip: add Radxa ROCK 5C arm64: dts: rockchip: orangepi-5-plus: Enable GPU arm64: dts: rockchip: enable USB3 on NanoPC-T6 arm64: dts: rockchip: adapt regulator nodenames to preferred form arm64: dts: rockchip: Enable HDMI display for rk3588 Cool Pi GenBook arm64: dts: rockchip: Enable HDMI display for rk3588 Cool Pi 4B arm64: dts: rockchip: Enable HDMI0 for rk3588 Cool Pi CM5 EVB arm64: dts: rockchip: Enable HDMI on NanoPi R6C/R6S arm64: dts: rockchip: Enable GPU on NanoPi R6C/R6S arm64: dts: rockchip: Enable HDMI on Hardkernel ODROID-M2 arm64: dts: rockchip: Remove non-removable flag from sdmmc on rk3576-sige5 arm64: dts: rockchip: Enable HDMI0 on FriendlyElec CM3588 NAS arm64: dts: rockchip: add Banana Pi P2 Pro board dt-bindings: arm: rockchip: add Banana Pi P2 Pro board arm64: dts: rockchip: Add new SoC dtsi for the RK3566T variant arm64: dts: rockchip: Prepare RK356x SoC dtsi files for per-variant OPPs arm64: dts: rockchip: Update CPU OPP voltages in RK356x SoC dtsi arm64: dts: rockchip: Add OPP voltage ranges to RK3399 OP1 SoC dtsi ... Link: https://lore.kernel.org/r/3313711.oiGErgHkdL@diego Signed-off-by: Arnd Bergmann commit 8521e3c5f0585cad3e73e4ba73535dc274e7eba6 Author: Shaoyun Liu Date: Wed Oct 23 11:12:00 2024 -0400 drm/amd/amdgpu: limit single process inside MES This is for MES to limit only one process for the user queues Signed-off-by: Shaoyun Liu Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher commit 06fc642c538e5b294c60d5b45c914feca1a8ab77 Merge: 36255ab4936111 2c3944d952ec4d Author: Arnd Bergmann Date: Tue Nov 12 23:00:35 2024 +0100 Merge tag 'v6.13-rockchip-dts32-2' of https://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip into soc/dt Fixed-regulator nowadays has preferred node-naming scheme set in the binding. This gets all boards on the same state for Rockchip arm32-dts. * tag 'v6.13-rockchip-dts32-2' of https://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip: ARM: dts: rockchip: adapt regulator nodenames to preferred form ARM: dts: rockchip: Add Relfor Saib board dt-bindings: arm: rockchip: Add Relfor Saib board dt-bindings: vendor-prefixes: Add Relfor labs ARM: dts: rockchip: Add watchdog node for RV1126 dt-bindings: watchdog: rockchip: Add rockchip,rv1126-wdt string Link: https://lore.kernel.org/r/6740039.4vTCxPXJkl@diego Signed-off-by: Arnd Bergmann commit 36255ab4936111921ed6145ad98233e50452e323 Merge: 6660a1236fbeba af1ad5675a2b5f Author: Arnd Bergmann Date: Tue Nov 12 22:58:06 2024 +0100 Merge tag 'sunxi-dt-for-6.13-2' of https://git.kernel.org/pub/scm/linux/kernel/git/sunxi/linux into soc/dt Allwinner Device Tree changes for 6.13 part 2 - Remove accidental suniv duplicates in Makefile - Add second source magnetometer for Pine Phone - Add orientation (mount matrix) for Pine Phone's accelerometer and magnetometer - Enable eMMC and MMC on A100 Perf1 * tag 'sunxi-dt-for-6.13-2' of https://git.kernel.org/pub/scm/linux/kernel/git/sunxi/linux: arm64: dts: allwinner: a100: perf1: Add eMMC and MMC node arm64: dts: allwinner: pinephone: Add mount matrix to accelerometer arm64: dts: sun50i-a64-pinephone: Add mount-matrix for PinePhone magnetometers arm64: dts: sun50i-a64-pinephone: Add AF8133J to PinePhone ARM: dts: allwinner: Remove accidental suniv duplicates arm64: allwinner: a100: Add MMC related nodes arm64: dts: allwinner: a100: add usb related nodes dt-bindings: usb: sunxi-musb: Add A100 compatible string dt-bindings: usb: Add A100 compatible string dt-bindings: phy: sun50i-a64: add a100 compatible arm64: dts: allwinner: a100: add watchdog node arm64: dts: allwinner: A100: Add PMU mode ARM: dts: sunxi: add support for RerVision A33-Vstar board dt-bindings: arm: sunxi: document RerVision A33-Vstar board arm64: dts: allwinner: Add disable-wp for boards with micro SD card arm64: dts: allwinner: h313/h616/h618/h700: Enable audio codec for all supported boards arm64: dts: allwinner: h616: Add audio codec node Link: https://lore.kernel.org/r/ZzC-OF57MT_yCeWH@wens.tw Signed-off-by: Arnd Bergmann commit 6660a1236fbebaa3282f5bf9cce1f90fbd318a3a Merge: 4c067650105655 c8b72c301dbe71 Author: Arnd Bergmann Date: Tue Nov 12 22:57:19 2024 +0100 Merge tag 'riscv-dt-for-v6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/conor/linux into soc/dt RISC-V Devicetrees for v6.13 StarFive: Support for the DeepComputing FML13V01, a Framework laptop compatible with a JH7110. This board is fairly different to the more standard SBCs offerings that the kernel already supports, so there's also some refactoring of jh7110-common.dtsi to move out nodes unused on the new board. Spacemit: A vendor prefix I grabbed from the basic support series, since its dependencies are not yet ready but peripheral drivers have started being merged. Signed-off-by: Conor Dooley * tag 'riscv-dt-for-v6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/conor/linux: riscv: dts: starfive: add DeepComputing FML13V01 board device tree dt-bindings: riscv: starfive: add deepcomputing,fml13v01 dt-bindings: vendor: add deepcomputing riscv: dts: starfive: jh7110-common: move usb0 config to board dts riscv: dts: starfive: jh7110-common: revised device node dt-bindings: vendor-prefixes: add spacemit Link: https://lore.kernel.org/r/20241108-washboard-material-6b9ff196063d@spud Signed-off-by: Arnd Bergmann commit 4c0676501056559727cda14f4b9f8973b331f51f Merge: 4bdb7837913615 facbe7092f8a92 Author: Arnd Bergmann Date: Tue Nov 12 22:56:44 2024 +0100 Merge tag 'mvebu-dt64-6.13-1' of https://git.kernel.org/pub/scm/linux/kernel/git/gclement/mvebu into soc/dt mvebu dt64 for 6.13 (part 1) armada-*: Drop undocumented SATA phy names * tag 'mvebu-dt64-6.13-1' of https://git.kernel.org/pub/scm/linux/kernel/git/gclement/mvebu: arm64: dts: marvell: Drop undocumented SATA phy names Link: https://lore.kernel.org/r/878qtu83vh.fsf@BLaptop.bootlin.com Signed-off-by: Arnd Bergmann commit 4bdb7837913615e7da816d4754771074397793f4 Merge: 2f992e73462a72 68bc6a71f56875 Author: Arnd Bergmann Date: Tue Nov 12 22:56:12 2024 +0100 Merge tag 'mvebu-dt-6.13-1' of https://git.kernel.org/pub/scm/linux/kernel/git/gclement/mvebu into soc/dt mvebu dt for 6.13 (part 1) turris-omnia: prepare device tree for LED brightness change detection kirkwood: fix at24 EEPROM node name * tag 'mvebu-dt-6.13-1' of https://git.kernel.org/pub/scm/linux/kernel/git/gclement/mvebu: ARM: dts: turris-omnia: Add global LED brightness change interrupt ARM: dts: marvell: kirkwood: Fix at24 EEPROM node name Link: https://lore.kernel.org/r/87bjyq83x0.fsf@BLaptop.bootlin.com Signed-off-by: Arnd Bergmann commit c40655e3310649866c4ebf7a10f0d53802ebdfa9 Author: Frank Li Date: Tue Nov 12 11:52:00 2024 -0500 hwmon: (tmp108) Add support for I3C device Add support for I3C device in the tmp108 driver to handle the P3T1085 sensor. Register the I3C device driver to enable I3C functionality for the sensor. Signed-off-by: Frank Li Message-ID: <20241112-p3t1085-v4-2-a1334314b1e6@nxp.com> Signed-off-by: Guenter Roeck commit 700f3250198d51093884254220a96777a922dd47 Author: Frank Li Date: Tue Nov 12 11:51:59 2024 -0500 hwmon: (tmp108) Add helper function tmp108_common_probe() to prepare I3C support Add help function tmp108_common_probe() to pave road to support i3c for P3T1085(NXP) chip. Use dev_err_probe() to simplify the code. Signed-off-by: Frank Li Message-ID: <20241112-p3t1085-v4-1-a1334314b1e6@nxp.com> Signed-off-by: Guenter Roeck commit fabb1f813ec05975fd3428e72a62ef9f855fd3b4 Author: Huisong Li Date: Tue Nov 12 10:12:28 2024 +0800 hwmon: (acpi_power_meter) Fix fail to load module on platform without _PMD method According to the ACPI specification, the _PMD method is optional. The acpi_power_meter driver shouldn't fail to load if the platform has no _PMD method. Signed-off-by: Huisong Li Message-ID: <20241112021228.22914-1-lihuisong@huawei.com> [groeck: Reworded commit description] Signed-off-by: Guenter Roeck commit 57ee12b6c514146c19b6a159013b48727a012960 Author: Pei Xiao Date: Tue Nov 12 09:39:51 2024 +0800 hwmon: (nct6775-core) Fix overflows seen when writing limit attributes DIV_ROUND_CLOSEST() after kstrtoul() results in an overflow if a large number such as 18446744073709551615 is provided by the user. Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations. Signed-off-by: Pei Xiao Fixes: c3963bc0a0cf ("hwmon: (nct6775) Split core and platform driver") Message-ID: <7d5084cea33f7c0fd0578c59adfff71f93de94d9.1731375425.git.xiaopei01@kylinos.cn> Signed-off-by: Guenter Roeck commit 255ab27a0743865e625d7a6c385d6d10d38eafd5 Author: Marek Vasut Date: Wed Nov 6 19:59:05 2024 +0100 hwmon: (pwm-fan) Introduce start from stopped state handling Delta AFC0612DB-F00 fan has to be set to at least 30% PWM duty cycle to spin up from a stopped state, and can be afterward throttled down to lower PWM duty cycle. Introduce support for operating such fans which need to start at higher PWM duty cycle first and can slow down next. Introduce two new DT properties, "fan-stop-to-start-percent" and "fan-stop-to-start-us". The former describes the minimum percent of fan RPM at which it will surely spin up from stopped state. This value can be found in the fan datasheet and can be converted to PWM duty cycle easily. The "fan-stop-to-start-us" describes the minimum time in microseconds for which the fan has to be set to stopped state start RPM for the fan to surely spin up. Adjust the PWM setting code such that if the PWM duty cycle is below the minimum duty cycle needed by the fan to spin up from stopped state, then first set the PWM duty cycle to the minimum duty cycle needed by the fan to spin up from stopped state, then wait the time necessary for the fan to spin up from stopped state, and finally set the PWM duty cycle to the one desired by user. Signed-off-by: Marek Vasut Message-ID: <20241106185925.223736-2-marex@denx.de> Signed-off-by: Guenter Roeck commit 80bc64201e78f18248343c8986a55fe342a19e17 Author: Marek Vasut Date: Wed Nov 6 19:59:04 2024 +0100 dt-bindings: hwmon: pwm-fan: Document start from stopped state properties Delta AFC0612DB-F00 fan has to be set to at least 30% PWM duty cycle to spin up from a stopped state, and can be afterward throttled down to lower PWM duty cycle. Introduce support for operating such fans which need to start at higher PWM duty cycle first and can slow down next. Document two new DT properties, "fan-stop-to-start-percent" and "fan-stop-to-start-usec". The former describes the minimum percent of fan RPM at which it will surely spin up from stopped state. This value can be found in the fan datasheet and can be converted to PWM duty cycle easily. The "fan-stop-to-start-usec" describes the minimum time in microseconds for which the fan has to be set to stopped state start RPM for the fan to surely spin up. Signed-off-by: Marek Vasut Acked-by: Conor Dooley Message-ID: <20241106185925.223736-1-marex@denx.de> Signed-off-by: Guenter Roeck commit 11d35624d7696a64724160199fc94587010d7cb2 Author: Frank Li Date: Mon Nov 11 12:31:59 2024 -0500 hwmon: (tmp108) Add NXP p3t1085 support Add compatible string 'nxp,p3t1085' since p3t1085's register layout is the same as tmp108. The p3t1085 supports I3C interface. Update document tmp108.rst and Kconfig's help context. Signed-off-by: Frank Li Message-ID: <20241111-p3t1085-v3-2-bff511550aad@nxp.com> Signed-off-by: Guenter Roeck commit 4585580781d69d8627e15f027873e46282ea3787 Author: Frank Li Date: Mon Nov 11 12:31:58 2024 -0500 dt-bindings: hwmon: ti,tmp108: Add nxp,p3t1085 compatible string The register layout of P3T1085 is the same as ti,tmp108. Add compatible string nxp,p3t1085 for it. The difference of P3T1085 is support I3C. Acked-by: Krzysztof Kozlowski Signed-off-by: Frank Li Message-ID: <20241111-p3t1085-v3-1-bff511550aad@nxp.com> Signed-off-by: Guenter Roeck commit 1f22c0725705d2100b0a63dd77130c30d90fd6ad Author: Abhinav Saxena Date: Fri Nov 8 14:22:01 2024 -0700 hwmon: (sch5627, max31827) Fix typos in driver documentation Fix some typos in hwmon/sch5627 and hwmon/max31827 reported by checkpatch.pl. These changes are purely documentation cleanup with no functional modifications. Signed-off-by: Abhinav Saxena Acked-by: Randy Dunlap Reviewed-by: Bagas Sanjaya Message-ID: <20241108212201.144482-1-xandfury@gmail.com> [groeck: Updated subject] Signed-off-by: Guenter Roeck commit c412d7af010154ce9273dbc0296ae9327a605256 Author: Andy Shevchenko Date: Fri Nov 8 14:43:48 2024 +0200 hwmon: (jc42) Drop of_match_ptr() protection This prevents use of this driver with ACPI via PRP0001 and is an example of an anti pattern I'm trying to remove from the kernel. Hence drop from this driver. Also switch of.h for mod_devicetable.h include given use of struct of_device_id which is defined in that header. Reported-by: Konstantin Aladyshev Closes: https://lore.kernel.org/r/CACSj6VW7WKv5tiAkLCvSujENJvXq1Mc7_7vtkQsRSz3JGY0i3Q@mail.gmail.com Signed-off-by: Andy Shevchenko Message-ID: <20241108124348.1392473-1-andriy.shevchenko@linux.intel.com> Signed-off-by: Guenter Roeck commit 2e5bdf8aa2f49d06200fb6e645673c819135b614 Author: Abhinav Saxena Date: Wed Nov 6 18:38:49 2024 -0700 hwmon: (f71882fg) Fix grammar in fan speed trip points explanation Fix several grammatical issues in the fan speed trip points documentation: - Replace awkward "which % the fan should run at at" construction with clearer "that specify the percentage at which" - Fix incorrect "is chip depended" to "are chip dependent" for correct verb agreement and adjective form - Improve readability by reorganizing first sentence and separating the complex explanation into simpler parts - Add hyphen before "see" to improve readability - Remove redundant "at" in temperature description No functional changes, documentation only. Signed-off-by: Abhinav Saxena Message-ID: <20241107013849.47833-1-xandfury@gmail.com> Signed-off-by: Guenter Roeck commit 2fc032ec1de485c64d8561dc7fa0de3f7acf147d Author: Jerome Brunet Date: Tue Nov 5 18:58:43 2024 +0100 dt-bindings: hwmon: pmbus: add ti tps25990 support Add DT binding for the Texas Instruments TPS25990 eFuse Reviewed-by: Conor Dooley Signed-off-by: Jerome Brunet Message-ID: <20241105-tps25990-v4-6-0e312ac70b62@baylibre.com> Signed-off-by: Guenter Roeck commit 509c3a362675bc995771df74d545548f98e37621 Author: Jerome Brunet Date: Tue Nov 5 18:58:42 2024 +0100 hwmon: (pmbus/core) clear faults after setting smbalert mask pmbus_write_smbalert_mask() ignores the errors if the chip can't set smbalert mask the standard way. It is not necessarily a problem for the irq support if the chip is otherwise properly setup but it may leave an uncleared fault behind. pmbus_core will pick the fault on the next register_check(). The register check will fails regardless of the actual register support by the chip. This leads to missing attributes or debugfs entries for chips that should provide them. We cannot rely on register_check() as PMBUS_SMBALERT_MASK may be read-only. Unconditionally clear the page fault after setting PMBUS_SMBALERT_MASK to avoid the problem. Suggested-by: Guenter Roeck Fixes: 221819ca4c36 ("hwmon: (pmbus/core) Add interrupt support") Signed-off-by: Jerome Brunet Message-ID: <20241105-tps25990-v4-5-0e312ac70b62@baylibre.com> Signed-off-by: Guenter Roeck commit 7a750b3986b7910711a5525dde0c84b541e72746 Author: Jerome Brunet Date: Tue Nov 5 18:58:39 2024 +0100 hwmon: (pmbus/core) allow drivers to override WRITE_PROTECT Use _pmbus_read_byte_data() rather than calling smbus directly to check the write protection status. This give a chance to device implementing write protection differently to report back on the actual write protection status. Signed-off-by: Jerome Brunet Message-ID: <20241105-tps25990-v4-2-0e312ac70b62@baylibre.com> [groeck: Fix page parameter of _pmbus_read_byte_data()] Signed-off-by: Guenter Roeck commit 2f992e73462a72397ce6e49a39c6096141ba2838 Merge: d745bdcb7ad0b0 b0191a5cbc222f Author: Arnd Bergmann Date: Tue Nov 12 22:53:47 2024 +0100 Merge tag 'stm32-dt-for-v6.13-1' of https://git.kernel.org/pub/scm/linux/kernel/git/atorgue/stm32 into soc/dt STM32 DT for v6.13, round 1 Highlights: ---------- - MPU: - STM32MP13: - ST DK board: - Add support of WLAN/BT Murata Type 1DX module. - DH SOM: - Add M24256E EEPROM suport. - STMP32MP15: - Use IWDG2 as wakeup source. - Add support of WLAN/BT Murata Type 1DX module on DK2 board. - STM32MP25: - Enable RTC. - Add DMA support for U(S)ART, I2C and SPI instances. * tag 'stm32-dt-for-v6.13-1' of https://git.kernel.org/pub/scm/linux/kernel/git/atorgue/stm32: arm64: dts: st: add DMA support on SPI instances of stm32mp25 arm64: dts: st: add DMA support on I2C instances of stm32mp25 arm64: dts: st: add DMA support on U(S)ART instances of stm32mp25 arm64: dts: st: add RNG node on stm32mp251 arm64: dts: st: enable RTC on stm32mp257f-ev1 board arm64: dts: st: add RTC on stm32mp25x ARM: dts: stm32: add support of WLAN/BT on stm32mp135f-dk ARM: dts: stm32: add support of WLAN/BT on stm32mp157c-dk2 ARM: dts: stm32: rtc, add LSCO to WLAN/BT module on stm32mp135f-dk ARM: dts: stm32: rtc, add LSCO to WLAN/BT module on stm32mp157c-dk2 ARM: dts: stm32: rtc, add pin to provide LSCO on stm32mp13 ARM: dts: stm32: rtc, add pin to provide LSCO on stm32mp15 ARM: dts: stm32: Describe M24256E write-lockable page in DH STM32MP13xx DHCOR SoM DT ARM: dts: stm32: Add IWDG2 EXTI interrupt mapping and mark as wakeup source Link: https://lore.kernel.org/r/92d2d6df-cc5c-488f-8ebd-550b1903db12@foss.st.com Signed-off-by: Arnd Bergmann commit c748a255aedfd42adc4213479f669f0f4809b85e Merge: 47e2c45c9c89fe 4edab4c55d2d07 Author: Alexei Starovoitov Date: Tue Nov 12 13:53:27 2024 -0800 Merge branch 'selftests-bpf-fix-for-bpf_signal-stalls-watchdog-for-test_progs' Eduard Zingerman says: ==================== selftests/bpf: fix for bpf_signal stalls, watchdog for test_progs Test case 'bpf_signal' had been recently reported to stall, both on the mailing list [1] and CI [2]. The stall is caused by CPU cycles perf event not being delivered within expected time frame, before test process enters system call and waits indefinitely. This patch-set addresses the issue in several ways: - A watchdog timer is added to test_progs.c runner: - it prints current sub-test name to stderr if sub-test takes longer than 10 seconds to finish; - it terminates process executing sub-test if sub-test takes longer than 120 seconds to finish. - The test case is updated to await perf event notification with a timeout and a few retries, this serves two purposes: - busy loops longer to increase the time frame for CPU cycles event generation/delivery; - makes a timeout, not stall, a worst case scenario. - The test case is updated to lower frequency of perf events, as high frequency of such events caused events generation throttling, which in turn delayed events delivery by amount of time sufficient to cause test case failure. Note: librt pthread-based timer API is used to implement watchdog timer. I chose this API over SIGALRM because signal handler execution within test process context was sufficient to trigger perf event delivery for send_signal/send_signal_nmi_thread_remote test case, w/o any additional changes. Thus I concluded that SIGALRM based implementation interferes with tests execution. [1] https://lore.kernel.org/bpf/CAP01T75OUeE8E-Lw9df84dm8ag2YmHW619f1DmPSVZ5_O89+Bg@mail.gmail.com/ [2] https://github.com/kernel-patches/bpf/actions/runs/11791485271/job/32843996871 ==================== Link: https://lore.kernel.org/r/20241112110906.3045278-1-eddyz87@gmail.com Signed-off-by: Alexei Starovoitov commit 4edab4c55d2d070ec7ff3526f93ec6d90d9105d4 Author: Eduard Zingerman Date: Tue Nov 12 03:09:06 2024 -0800 selftests/bpf: update send_signal to lower perf evemts frequency Similar to commit [1] sample perf events less often in test_send_signal_nmi(). This should reduce perf events throttling. [1] 7015843afcaf ("selftests/bpf: Fix send_signal test with nested CONFIG_PARAVIRT") Signed-off-by: Eduard Zingerman Link: https://lore.kernel.org/r/20241112110906.3045278-5-eddyz87@gmail.com Signed-off-by: Alexei Starovoitov commit 3209139d00e594e30abc2429ea54c36bfbb9528a Author: Eduard Zingerman Date: Tue Nov 12 03:09:05 2024 -0800 selftests/bpf: allow send_signal test to timeout The following invocation: $ t1=send_signal/send_signal_perf_thread_remote \ t2=send_signal/send_signal_nmi_thread_remote \ ./test_progs -t $t1,$t2 Leads to send_signal_nmi_thread_remote to be stuck on a line 180: /* wait for result */ err = read(pipe_c2p[0], buf, 1); In this test case: - perf event PERF_COUNT_HW_CPU_CYCLES is created for parent process; - BPF program is attached to perf event, and sends a signal to child process when event occurs; - parent program burns some CPU in busy loop and calls read() to get notification from child that it received a signal. The perf event is declared with .sample_period = 1. This forces perf to throttle events, and under some unclear conditions the event does not always occur while parent is in busy loop. After parent enters read() system call CPU cycles event won't be generated for parent anymore. Thus, if perf event had not occurred already the test is stuck. This commit updates the parent to wait for notification with a timeout, doing several iterations of busy loop + read_with_timeout(). Signed-off-by: Eduard Zingerman Link: https://lore.kernel.org/r/20241112110906.3045278-4-eddyz87@gmail.com Signed-off-by: Alexei Starovoitov commit 03066ed3105a71c2b0ad39ea44b6e5733ddd4a68 Author: Eduard Zingerman Date: Tue Nov 12 03:09:04 2024 -0800 selftests/bpf: add read_with_timeout() utility function int read_with_timeout(int fd, char *buf, size_t count, long usec) As a regular read(2), but allows to specify a timeout in micro-seconds. Returns -EAGAIN on timeout. Implemented using select(). Signed-off-by: Eduard Zingerman Link: https://lore.kernel.org/r/20241112110906.3045278-3-eddyz87@gmail.com Signed-off-by: Alexei Starovoitov commit d9d4d127e813427afb26ff7e0f0c58989501be84 Author: Eduard Zingerman Date: Tue Nov 12 03:09:03 2024 -0800 selftests/bpf: watchdog timer for test_progs This commit provides a watchdog timer that sets a limit of how long a single sub-test could run: - if sub-test runs for 10 seconds, the name of the test is printed (currently the name of the test is printed only after it finishes); - if sub-test runs for 120 seconds, the running thread is terminated with SIGSEGV (to trigger crash_handler() and get a stack trace). Specifically: - the timer is armed on each call to run_one_test(); - re-armed at each call to test__start_subtest(); - is stopped when exiting run_one_test(). Default timeout could be overridden using '-w' or '--watchdog-timeout' options. Value 0 can be used to turn the timer off. Here is an example execution: $ ./ssh-exec.sh ./test_progs -w 5 -t \ send_signal/send_signal_perf_thread_remote,send_signal/send_signal_nmi_thread_remote WATCHDOG: test case send_signal/send_signal_nmi_thread_remote executes for 5 seconds, terminating with SIGSEGV Caught signal #11! Stack trace: ./test_progs(crash_handler+0x1f)[0x9049ef] /lib64/libc.so.6(+0x40d00)[0x7f1f1184fd00] /lib64/libc.so.6(read+0x4a)[0x7f1f1191cc4a] ./test_progs[0x720dd3] ./test_progs[0x71ef7a] ./test_progs(test_send_signal+0x1db)[0x71edeb] ./test_progs[0x9066c5] ./test_progs(main+0x5ed)[0x9054ad] /lib64/libc.so.6(+0x2a088)[0x7f1f11839088] /lib64/libc.so.6(__libc_start_main+0x8b)[0x7f1f1183914b] ./test_progs(_start+0x25)[0x527385] #292 send_signal:FAIL test_send_signal_common:PASS:reading pipe 0 nsec test_send_signal_common:PASS:reading pipe error: size 0 0 nsec test_send_signal_common:PASS:incorrect result 0 nsec test_send_signal_common:PASS:pipe_write 0 nsec test_send_signal_common:PASS:setpriority 0 nsec Timer is implemented using timer_{create,start} librt API. Internally librt uses pthreads for SIGEV_THREAD timers, so this change adds a background timer thread to the test process. Because of this a few checks in tests 'bpf_iter' and 'iters' need an update to account for an extra thread. For parallelized scenario the watchdog is also created for each worker fork. If one of the workers gets stuck, it would be terminated by a watchdog. In theory, this might lead to a scenario when all worker threads are exhausted, however this should not be a problem for server_main(), as it would exit with some of the tests not run. Signed-off-by: Eduard Zingerman Link: https://lore.kernel.org/r/20241112110906.3045278-2-eddyz87@gmail.com Signed-off-by: Alexei Starovoitov commit d745bdcb7ad0b0dba6c7c38f7dd53df1b352920c Merge: f0cba6f52394f8 767b6a0d0900c9 Author: Arnd Bergmann Date: Tue Nov 12 22:52:29 2024 +0100 Merge tag 'ti-k3-dt-for-v6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/ti/linux into soc/dt TI K3 device tree updates for v6.13 Generic Fixups/Cleanups: - Cleanup bootph-* tags to limit to leaf nodes only - clock IDs for MCSPI instances fixed up across J7xx family - Misc indentation and whitespace cleanup across dts New SoC - J742s2 which is a cutdown of existing J784s4 and uses same EVM SoC Specific features and Fixes: - eQEP (counter) support across AM64/AM62/AM62A AM64 - M4F Remoteproc support - stats collection support for ICSSGs via ti,pa-stats - Add PCIe EP overlays AM65 - stats collection support for ICSSGs via ti,pa-stats AM62: - M4F Remoteproc support - eMMC/SD TAP value updates - dtbs_check fixes for opp_efuse_table AM62A - 1.4GHz opp entry AM62P - 1.4GHz opp entry J7200 - Add PCIe EP overlays - Pinmux node reg range fixes Board Specific AM62 - am62 verdin ivy carrier board support - am625-verdin TPM device support - am62 verdin ivy board support - Beagleplay Mikrobus PWM header support - am62-verdin increase SD regulator startup delay AM64 - am642-phyboard-electra-rdk trickle charger support - am64-phy* drop buswidth from sdhci nodes * tag 'ti-k3-dt-for-v6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/ti/linux: (61 commits) arm64: dts: ti: k3-am62: use opp_efuse_table for opp-table syscon arm64: dts: ti: k3-am62p5-sk: add 1.4ghz opp entry arm64: dts: ti: k3-am62p: add opp frequencies arm64: dts: ti: k3-am62a7-sk: add 1.4ghz opp entry arm64: dts: ti: k3-am62a: add opp frequencies arm64: dts: ti: k3-am62-verdin: Add Ivy carrier board arm64: dts: ti: k3-am62-verdin: add label to som adc node dt-bindings: arm: ti: Add verdin am62 ivy board arm64: dts: ti: k3-am642-phyboard-electra-rdk: Enable trickle charger arm64: dts: ti: k3-am64-phycore-som: Add M4F remoteproc nodes arm64: dts: ti: k3-am62-phycore-som: Add M4F remoteproc nodes arm64: dts: ti: minor whitespace cleanup arm64: dts: ti: k3-am62x-phyboard-lyra: Fix indentation in audio-card arm64: dts: ti: k3-am642-phyboard-electra-rdk: Fix bus-width property in MMC nodes arm64: dts: ti: k3-am64-phycore-som: Fix bus-width property in MMC nodes arm64: dts: ti: k3-am642-evm: Add overlay for PCIe0 EP mode arm64: dts: ti: k3-j7200-evm: Add overlay for PCIE1 Endpoint Mode arm64: dts: ti: k3-am62-main: Update otap/itap values arm64: dts: ti: k3-am625-beagleplay: Enable MikroBUS PWM arm64: dts: ti: k3-am62-verdin: Fix SD regulator startup delay ... Link: https://lore.kernel.org/r/3ded4795-2186-4e06-bda6-9c9a65a3fdb9@ti.com Signed-off-by: Arnd Bergmann commit f0cba6f52394f803ffbd0f288fe8965e7532e6b2 Merge: bf7626089a6204 be90cd4bd422e8 Author: Arnd Bergmann Date: Tue Nov 12 22:51:53 2024 +0100 Merge tag 'amlogic-arm64-dt-for-v6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/amlogic/linux into soc/dt Amlogic ARM64 DT changes for v6.13: - Add PWM nodes for Amlogic A1 & C3 - Addd missing power-domains properties - Fix G12 uart node name * tag 'amlogic-arm64-dt-for-v6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/amlogic/linux: arm64: dts: amlogic: Add Amlogic C3 PWM arm64: dts: meson-g12-common: fix uart-ao-a typo arm64: dts: meson: a1: bind power domain to temperature sensor arm64: dts: meson: a1: add definitions for meson PWM Link: https://lore.kernel.org/r/6fb3d64a-3913-4db0-9cdc-336af32a88a9@linaro.org Signed-off-by: Arnd Bergmann commit 2996980e20b7a54a1869df15b3445374b850b155 Author: Zqiang Date: Tue Oct 22 11:41:17 2024 +0800 rcu/nocb: Fix missed RCU barrier on deoffloading Currently, running rcutorture test with torture_type=rcu fwd_progress=8 n_barrier_cbs=8 nocbs_nthreads=8 nocbs_toggle=100 onoff_interval=60 test_boost=2, will trigger the following warning: WARNING: CPU: 19 PID: 100 at kernel/rcu/tree_nocb.h:1061 rcu_nocb_rdp_deoffload+0x292/0x2a0 RIP: 0010:rcu_nocb_rdp_deoffload+0x292/0x2a0 Call Trace: ? __warn+0x7e/0x120 ? rcu_nocb_rdp_deoffload+0x292/0x2a0 ? report_bug+0x18e/0x1a0 ? handle_bug+0x3d/0x70 ? exc_invalid_op+0x18/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? rcu_nocb_rdp_deoffload+0x292/0x2a0 rcu_nocb_cpu_deoffload+0x70/0xa0 rcu_nocb_toggle+0x136/0x1c0 ? __pfx_rcu_nocb_toggle+0x10/0x10 kthread+0xd1/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2f/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 CPU0 CPU2 CPU3 //rcu_nocb_toggle //nocb_cb_wait //rcutorture // deoffload CPU1 // process CPU1's rdp rcu_barrier() rcu_segcblist_entrain() rcu_segcblist_add_len(1); // len == 2 // enqueue barrier // callback to CPU1's // rdp->cblist rcu_do_batch() // invoke CPU1's rdp->cblist // callback rcu_barrier_callback() rcu_barrier() mutex_lock(&rcu_state.barrier_mutex); // still see len == 2 // enqueue barrier callback // to CPU1's rdp->cblist rcu_segcblist_entrain() rcu_segcblist_add_len(1); // len == 3 // decrement len rcu_segcblist_add_len(-2); kthread_parkme() // CPU1's rdp->cblist len == 1 // Warn because there is // still a pending barrier // trigger warning WARN_ON_ONCE(rcu_segcblist_n_cbs(&rdp->cblist)); cpus_read_unlock(); // wait CPU1 to comes online and // invoke barrier callback on // CPU1 rdp's->cblist wait_for_completion(&rcu_state.barrier_completion); // deoffload CPU4 cpus_read_lock() rcu_barrier() mutex_lock(&rcu_state.barrier_mutex); // block on barrier_mutex // wait rcu_barrier() on // CPU3 to unlock barrier_mutex // but CPU3 unlock barrier_mutex // need to wait CPU1 comes online // when CPU1 going online will block on cpus_write_lock The above scenario will not only trigger a WARN_ON_ONCE(), but also trigger a deadlock. Thanks to nocb locking, a second racing rcu_barrier() on an offline CPU will either observe the decremented callback counter down to 0 and spare the callback enqueue, or rcuo will observe the new callback and keep rdp->nocb_cb_sleep to false. Therefore check rdp->nocb_cb_sleep before parking to make sure no further rcu_barrier() is waiting on the rdp. Fixes: 1fcb932c8b5c ("rcu/nocb: Simplify (de-)offloading state machine") Suggested-by: Frederic Weisbecker Signed-off-by: Zqiang Reviewed-by: Neeraj Upadhyay Signed-off-by: Frederic Weisbecker commit bf7626089a62048b48c0b842f4ed1a50c37c2be6 Merge: 44533285bdaf11 2b901e9ef05d84 Author: Arnd Bergmann Date: Tue Nov 12 22:50:58 2024 +0100 Merge tag 'amlogic-arm-dt-for-v6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/amlogic/linux into soc/dt Amlogic ARM DT changes for v6.13: - DT fixes to pass bindings chedk, including: - fixing nodes names - dropping meson6 ATV1200 board - add missing properties * tag 'amlogic-arm-dt-for-v6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/amlogic/linux: ARM: dts: amlogic: meson8/8b: remove invalid pinctrl reg ARM: dts: amlogic: meson8b-ec100: add missing gpio-line-names entry ARM: dts: amlogic: meson8b-ec100: add missing clocks property in sound card ARM: dts: amlogic: meson8-minix-neo-x8: fix invalid pnictrl-names ARM: dts: amlogic: add missing phy-mode in ethmac node ARM: dts: amlogic: meson8: use correct pinctrl bank node name ARM: dts: amlogic: fix /memory node name ARM: dts: amlogic: meson8b-odroidc1: fix invalid reset-gpio ARM: dts: amlogic: meson6: remove support for ATV1200 board ARM: dts: amlogic: meson8: fix ao_arc_sram node name ARM: dts: amlogic: meson8: fix soc thermal-zone node name ARM: dts: amlogic: meson6: fix clk81 node name Link: https://lore.kernel.org/r/ffaa3755-8c5d-4fc3-86bf-9129d3889bff@linaro.org Signed-off-by: Arnd Bergmann commit 44533285bdaf11781cf873b2c1c6b7a54a885139 Merge: bdcbb3f8abfa08 b5cf65cc0fd00a Author: Arnd Bergmann Date: Tue Nov 12 22:48:14 2024 +0100 Merge tag 'riscv-sophgo-dt-for-v6.13' of https://github.com/sophgo/linux into soc/dt RISC-V Devicetrees for v6.13 Sophgo: Add pinctrl support for CV1800B & CV1812H. Add SARADC support for CV1800B. Add initial LicheeRV-Nano/SG2002. Add emmc/sdio support for Huashan-Pi/CV1812H. Add power-key support for PioneerBox/SG2042. Signed-off-by: Chen Wang * tag 'riscv-sophgo-dt-for-v6.13' of https://github.com/sophgo/linux: riscv: dts: sophgo: Add emmc support for Huashan Pi riscv: dts: sophgo: Add sdio configuration for Huashan Pi riscv: dts: sophgo: fix pinctrl base-address riscv: sophgo: dts: add power key for pioneer box riscv: dts: sophgo: Add SARADC description for Sophgo CV1800B riscv: dts: sophgo: Add LicheeRV Nano board device tree riscv: dts: sophgo: Add initial SG2002 SoC device tree riscv: dts: sophgo: cv1812h: add pinctrl support riscv: dts: sophgo: cv1800b: add pinctrl support Link: https://lore.kernel.org/r/MA0P287MB2822DC23E1EE47A5C7D41476FE532@MA0P287MB2822.INDP287.PROD.OUTLOOK.COM Signed-off-by: Arnd Bergmann commit bdcbb3f8abfa084bcf4d99c335088db37d9e7ce2 Author: Kuldeep Singh Date: Tue Nov 5 15:18:40 2024 -0600 arm64: dts: lg131x: Update spi clock properties PL022 binding require two clocks to be defined but LG1312 and LG1313 platforms don't comply with bindings and define only one clock. Update spi clocks and clocks-names property by adding appropriate clock reference to make it compliant with bindings. CC: Chanho Min Signed-off-by: Kuldeep Singh Signed-off-by: Rob Herring (Arm) Link: https://lore.kernel.org/r/20241105-dts-spi-fixes-v2-2-623501e5d1ca@kernel.org Signed-off-by: Arnd Bergmann commit 55d0969c451159cff86949b38c39171cab962069 Author: Kuldeep Singh Date: Tue Nov 5 15:18:39 2024 -0600 arm64: dts: seattle: Update spi clock properties PL022 binding require two clocks to be defined but AMD seattle platform does't comply with binding and define only one clock i.e apb_pclk. Update spi clocks and clocks-names property by adding appropriate clock reference to make it compliant with bindings. CC: Tom Lendacky Signed-off-by: Kuldeep Singh Signed-off-by: Rob Herring (Arm) Acked-by: Rob Herring Link: https://lore.kernel.org/r/20241105-dts-spi-fixes-v2-1-623501e5d1ca@kernel.org Signed-off-by: Arnd Bergmann commit f50f6052c340711d7f57540e76ac3c7032611c14 Merge: cbfa4e486ef68b d40fd02c1faf8f Author: Arnd Bergmann Date: Tue Nov 12 22:45:36 2024 +0100 Merge tag 'qcom-arm64-for-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/qcom/linux into soc/dt Qualcomm Arm64 DeviceTree changes for v6.13 Introduce descriptions of the 8cx Gen3-based Microsoft Surface Pro 9 5G, X Elite based Dell XPS 13 9345, the QCS9100 platform and the "Ride" development boards thereon, and the SM7325 platform and the Nothing Phone 1. MSM8998 gains support for HDMI. The Lenovo Miix 630 gains support for volume keys, audio and sensor DSPs, touchscreen, and its specific WiFi calibration variant. On QCM6490, Fairphone FP5 gains a thermistor adjacent to UFS/RAM, while the IDP gains UFS and WiFi support. For QCS6490 changes to Rb3Gen2 enables WiFi, Venus, PCIe, SD-card, and volume keys. Adreno speedbins are adjusted and PMU nodes' compatibles for the two clusters are corrected. The DB845C/RB3 and QRB5165 RB5 vision mezzanines are converted to DeviceTree overlays, and both gains CMA heap for libcamera to use. SA8775P gains GPI DMA support, support for controlling download mode (bootloader-assisted ramdump support), additional UARTs, and qcrypto support. The "Ride" development board gains WiFi and Bluetooth support. On SC8280XP (8cx Gen3) another UART is described, used in the Microsoft Surface 9 5G. The WiFi/BT combo chip's power management unit is described on the CRD and Lenovo ThinkPad X13s. On SDM630/660 the GPU SMMU and clock controller is added, as is the A2Noc and LPASS SMMU, and the DSP-based WiFi device. GPU, modem DSP and WiFi is then enabled on the Inforce 6560 development board. On SM8450 Hardware Development Kit, the WCN6855 is modelled to enable WiFi and Bluetooth. A "global" interrupt is defined on SM8450 PCIe RC controller, to enable hotplug. On X Elite, USB Type-C controllers are marked as usb-role-switch capable, the GICv3 ITS is enabled for PCIe. TCSR region is described and wired up to allow setting and cleaning the download mode (bootloader-assisted ramdump) flag, and residency numbers for C4/C5 are updated. USB role switch is enabled on Lenovo ThinkPad T14s and the ASUS Vivobook S15. The T14s also gains support for a second source trackpad. The Microsoft Surface Laptop gains LID switch and the USB Type-A connector attached to the multiport controller is enabled. The CRD has its HID device power supplies described. Application SMMU is flagged as DMA coherent across QDU1000, SC7180, SC8180X, SC8280XP, SDM670, SDM845, SM8150, SM8350, SM8450, and X1E80100. In addition to this, the effort to improve style and binding compliance continued. * tag 'qcom-arm64-for-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/qcom/linux: (120 commits) arm64: dts: qcom: sdm845-db845c-navigation-mezzanine: Add cma heap for libcamera softisp support arm64: dts: qcom: qrb5165-rb5-vision-mezzanine: Add cma heap for libcamera softisp support arm64: dts: qcom: qrb5165-rb5-vision-mezzanine: Drop redundant clock-lanes from camera@1a arm64: dts: qcom: sc8280xp-x13s: Drop redundant clock-lanes from camera@10 arm64: dts: qcom: sdm845-db845c-navigation-mezzanine: Convert mezzanine riser to dtso arm64: dts: qcom: qrb5165-rb5-vision-mezzanine: Convert mezzanine riser to dtbo arm64: dts: qcom: sm8450-hdk: model the PMU of the on-board wcn6855 arm64: dts: qcom: sc8280xp-x13s: model the PMU of the on-board wcn6855 arm64: dts: qcom: sc8280xp-crd: enable bluetooth arm64: dts: qcom: sc8280xp-crd: model the PMU of the on-board wcn6855 arm64: dts: qcom: qcs9100: Add support for the QCS9100 Ride and Ride Rev3 boards dt-bindings: arm: qcom: Document qcs9100-ride and qcs9100-ride Rev3 arm64: dts: qcom: x1e80100: Update C4/C5 residency/exit numbers arm64: dts: qcom: x1e80100-crd: describe HID supplies arm64: dts: qcom: msm8998-lenovo-miix-630: add WiFi calibration variant arm64: dts: qcom: msm8998-clamshell: enable resin/VolDown arm64: dts: qcom: msm8998-lenovo-miix-630: enable VolumeUp button arm64: dts: qcom: msm8998-lenovo-miix-630: enable aDSP and SLPI arm64: dts: qcom: msm8998-lenovo-miix-630: enable touchscreen arm64: dts: qcom: qcs6490-rb3gen2: Add PCIe nodes ... Link: https://lore.kernel.org/r/20241105164901.7787-1-andersson@kernel.org Signed-off-by: Arnd Bergmann commit cbfa4e486ef68bd32bde0dfcbcc3483ccf23cc11 Merge: 8cd0d9b997a507 13be2307b57772 Author: Arnd Bergmann Date: Tue Nov 12 22:44:07 2024 +0100 Merge tag 'omap-for-v6.13/dt-signed-1' of https://git.kernel.org/pub/scm/linux/kernel/git/khilman/linux-omap into soc/dt ARM: dts: OMAP updates for v6.13 Misc. minor updates for OMAP3, OMAP4, AM3 and DRA7 platforms. * tag 'omap-for-v6.13/dt-signed-1' of https://git.kernel.org/pub/scm/linux/kernel/git/khilman/linux-omap: ARM: dts: omap4-kc1: fix twl6030 power node ARM: dts: am335x-bone-common: Increase MDIO reset deassert delay to 50ms ARM: dts: ti/omap: omap4-epson-embt2ws: add charger ARM: dts: omap36xx: declare 1GHz OPP as turbo again ARM: ti/omap: omap3-gta04a5: add Bluetooth ARM: dts: ti/omap: dra7: fix redundant clock divider definition ARM: dts: ti/omap: use standard node name for twl4030 charger ARM: dts: omap: omap4-epson-embt2ws: add GPIO expander ARM: dts: omap: omap4-epson-embt2ws: add unknown gpio outputs ARM: dts: omap: omap4-epson-embt2ws: wire up regulators ARM: dts: omap: omap4-epson-embt2ws: define GPIO regulators ARM: dts: ti: dra7: Remove double include of clock bindings ARM: dts: ti: omap3434-sdp: drop linux,mtd-name from onenand node ARM: dts: ti: omap: am335x-baltos: drop "gpmc,device-nand" from NAND node ARM: dts: ti: drop linux,mtd-name from NAND nodes ARM: dts: ti/omap: Fix at24 EEPROM node names commit 8cd0d9b997a5076f479d82304930cfcc91764bef Merge: dc2fe29c88e20d 0cd647cd53db03 Author: Arnd Bergmann Date: Tue Nov 12 22:42:35 2024 +0100 Merge tag 'renesas-dts-for-v6.13-tag2' of https://git.kernel.org/pub/scm/linux/kernel/git/geert/renesas-devel into soc/dt Renesas DTS updates for v6.13 (take two) - Add a CPU Operating Performance Points table for the RZ/V2H SoC, - Add Battery Backup Function (VBATTB) and RTC support for the RZ/G3S SoC and the RZ/G3S SMARC SoM, - Add DMAC support for MMC on the RZ/A1H SoC and the Genmai development board, - Miscellaneous fixes and improvements. * tag 'renesas-dts-for-v6.13-tag2' of https://git.kernel.org/pub/scm/linux/kernel/git/geert/renesas-devel: arm64: dts: renesas: rzg3s-smarc-som: Enable RTC arm64: dts: renesas: rzg3s-smarc-som: Enable VBATTB arm64: dts: renesas: r9a08g045: Add RTC node arm64: dts: renesas: r9a08g045: Add VBATTB node arm64: dts: renesas: white-hawk-cpu-common: Add pin control for DSI-eDP IRQ ARM: dts: renesas: r7s72100: Add DMA support to MMCIF ARM: dts: renesas: r7s72100: Add DMAC node arm64: dts: renesas: hihope: Drop #sound-dai-cells dt-bindings: clock: renesas,r9a08g045-vbattb: Document VBATTB dt-bindings: clock: r9a08g045-cpg: Add power domain ID for RTC arm64: dts: renesas: r9a09g057: Add OPP table Link: https://lore.kernel.org/r/cover.1730726155.git.geert+renesas@glider.be Signed-off-by: Arnd Bergmann commit 6975c1a486a40446b5bc77a89d9c520f8296fd08 Author: Christoph Hellwig Date: Tue Nov 12 18:00:39 2024 +0100 block: remove the ioprio field from struct request The request ioprio is only initialized from the first attached bio, so requests without a bio already never set it. Directly use the bio field instead. Signed-off-by: Christoph Hellwig Reviewed-by: Bart Van Assche Link: https://lore.kernel.org/r/20241112170050.1612998-3-hch@lst.de Signed-off-by: Jens Axboe commit 61952bb73486fff0f5550bccdf4062d9dd0fb163 Author: Christoph Hellwig Date: Tue Nov 12 18:00:38 2024 +0100 block: remove the write_hint field from struct request The write_hint is only used for read/write requests, which must have a bio attached to them. Just use the bio field instead. Signed-off-by: Christoph Hellwig Reviewed-by: Bart Van Assche Link: https://lore.kernel.org/r/20241112170050.1612998-2-hch@lst.de Signed-off-by: Jens Axboe commit dc2fe29c88e20db951d1acf663a19bc58fbcb050 Merge: cdc9f8bdf7716e 436142058e5dec Author: Arnd Bergmann Date: Tue Nov 12 22:41:15 2024 +0100 Merge tag 'mtk-dts64-for-v6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/mediatek/linux into soc/dt MediaTek ARM64 DeviceTree updates for v6.13 MT8195 (also called MT8395) - Enabled GPU support on Genio 1200 EVK - Added sound-dai-cells for audio codec on MT8195 Cherry Chromebooks MT8192: - Added support Asurada Chromebook variants with Synaptics trackpad MT8188 (also called MT8390): - Added support for CPU DVFS, IOMMU, PWM hardware, SPMI bus, Audio, socinfo, PCI-Express, DisplayPort, MIPI DSI, Ethernet, Video HW Encoders (Stateful) and HW Decoders (Stateless), JPEG HW Encoder/Decoder. - Enabled GPU support on Genio 700 EVK MT8183: - Added support for Video HW Encoders (Stateful) - Added HDMI support on MT8183 Pumpkin board - Fixed some regulators to provide the actual description of the power rails in MT8183 Kukui Chromebooks - Disabled DPI display interface on MT8183 Kukui Chromebooks to fix internal display probing - Fixed address of EEPROM found on MT8183 Kakadu/Kodama Chromebooks - Added SCL internal delay on I2C2 bus for improved I2C-HID devices reliability on MT8183 Jacuzzi Chromebooks MT7988: - Added support for eFuses and UART controllers Plus, addition of OF Graph support in MediaTek MMSYS and some cleanups and dtbs_check fixes for MT8195 and for all machines using the MT6358 PMIC. * tag 'mtk-dts64-for-v6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/mediatek/linux: (55 commits) arm64: dts: mediatek: mt8183-kukui: Drop bogus fixed regulators arm64: dts: mediatek: mt8183-kukui-jacuzzi: Add supplies for fixed regulators arm64: dts: mediatek: mt8183-kukui-jacuzzi: Fix DP bridge supply names arm64: dts: mediatek: mt6358: fix dtbs_check error arm64: dts: mediatek: mt8186-corsola: Fix IT6505 reset line polarity arm64: dts: mt8183: Damu: add i2c2's i2c-scl-internal-delay-ns arm64: dts: mt8183: cozmo: add i2c2's i2c-scl-internal-delay-ns arm64: dts: mt8183: burnet: add i2c2's i2c-scl-internal-delay-ns arm64: dts: mt8183: fennel: add i2c2's i2c-scl-internal-delay-ns dt-bindings: arm: mediatek: mmsys: Add OF graph support for board path arm64: dts: mediatek: mt8186-corsola: Fix GPU supply coupling max-spread arm64: dts: mediatek: mt8195-cherry: Use correct audio codec DAI arm64: dts: mediatek: mt8188: Fix USB3 PHY port default status arm64: dts: mediatek: mt8173-elm-hana: Add vdd-supply to second source trackpad arm64: dts: mediatek: mt8186-corsola-voltorb: Merge speaker codec nodes arm64: dts: mediatek: mt8390-genio-700-evk: Enable ethernet arm64: dts: mediatek: mt8188: Add ethernet node arm64: dts: mediatek: mt8188: Add eDP and DP TX nodes arm64: dts: mediatek: mt8188: Add DP-INTF nodes arm64: dts: mediatek: mt8188: Add display nodes for vdosys1 ... Link: https://lore.kernel.org/r/20241104112625.161365-1-angelogioacchino.delregno@collabora.com Signed-off-by: Arnd Bergmann commit cdc9f8bdf7716e97ff8e79be387e297fa04b1087 Merge: 430851a9dea83d 6c5789c9d2c069 Author: Arnd Bergmann Date: Tue Nov 12 22:39:16 2024 +0100 Merge tag 'imx-dt64-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux into soc/dt i.MX arm64 device tree changes for 6.13: - New device support: Boundary Device Nitrogen8MP, Kontron OSM-S i.MX8MP SoM and BL carrier board, Verdin Ivy carrier board, DHCOM SoM on DRC02 and PicoITX, Gateworks GW82XX-2X, etc. - A series from Carlos Song to add LPSPI alias for i.MX8 and i.MX9 SoCs - A couple of changes from Ciprian Marian Costea to improve S32G uSDHC and SD/eMMC support - A couple of changes from Francesco Dolcini to improve SD regulator startup delay for Verdin devices - A bunch of changes from Frank Li to add I3C overlay for imx93-9x9-qsb, enable PCIe and SATA for imx8qm-mek, add various devices for imx8qxp-mek, fix dt-schema warnings, etc. - A series from João Paulo Gonçalves to improve i.MX8 Apalis and i.MX8M Verdin board support - A set of changes from Laurentiu Mihalcea to enable dsp node for rproc usage in audio subsystem - A set of changes from Peng Fan to improve i.MX95 support, adding SCMI, thermal zone, cooling device, idle states, etc. - A series from Richard Zhu to add PCIe and SATA support for imx8dxl-evk - A series from Shengjiu Wang to enable audio features on imx93-9x9-qsb and imx8ulp-evk board - Other small and random changes * tag 'imx-dt64-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux: (92 commits) arm64: dts: freescale: imx8mp-verdin: Fix SD regulator startup delay arm64: dts: freescale: imx8mm-verdin: Fix SD regulator startup delay arm64: dts: imx8mp-verdin: add single-master property to all i2c nodes arm64: dts: imx8mm-verdin: add single-master property to all i2c nodes arm64: dts: imx95: Add missing vendor string to SCMI property arm64: dts: imx8mp-navqp: Add HDMI support arm64: dts: imx8qm-ss-hsio: fix PCI and SATA clock indices arm64: dts: imx8qm-ss-hsio: fix interrupt-map indent under pci* nodes arm64: dts: imx8qxp-mek: replace hardcode 0 with IMX_LPCG_CLK_0 arm64: dts: imx8mn-tqma8mqnl-mba8mx-usbot: fix coexistence of output-low and output-high in GPIO arm64: dts: layerscape: remove en25s64 and only keep jedec,spi-nor compatible string arm64: dts: imx8mp-kontron-dl: change touchscreen power-supply to AVDD28-supply arm64: dts: imx8mp: Add Boundary Device Nitrogen8MP Universal SMARC Carrier Board arm64: dts: imx8: move samsung,burst-clock-frequency to imx8mn and imx8mm mba8mx board file arm64: dts: mba8mx: remove undocumented 'data-lanes' at panel arm64: dts: imx: Add i.MX8M Plus Gateworks GW82XX-2X support arm64: dts: imx8ulp-evk: Add spdif sound card support arm64: dts: imx8ulp-evk: Add bt-sco sound card support arm64: dts: imx8ulp: Add audio device nodes arm64: dts: imx8qm-mek: enable dsp node for rproc usage ... Link: https://lore.kernel.org/r/20241104090055.1881860-5-shawnguo2@yeah.net Signed-off-by: Arnd Bergmann commit 430851a9dea83d919905f19e8f58c234a56d3e97 Merge: 3a4188025ac2c1 4de1651cde04ea Author: Arnd Bergmann Date: Tue Nov 12 22:38:03 2024 +0100 Merge tag 'imx-dt-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux into soc/dt i.MX ARM device tree changes for 6.13: - New device support: Kobo Clara 2E, Comvetia LXR board, i.MX6DL DHCOM SoM on PDK2 carrier - A bunch of dt-schema warning fixes from Fabio Estevam - A set of changes from Hiago De Franco to update audio card for Apalis and Colibri devices - A series from Marek Vasut to improve pin config nodes according to bindings - A couple of changes from Sean Nyekjaer to add DMA support i.MX6UL UART ports - Other small and random changes * tag 'imx-dt-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux: (39 commits) ARM: dts: imx: Add devicetree for Kobo Clara 2E ARM: dts: imx6sll: Improve gpc description ARM: dts: imx6sl: Pass tempmon #thermal-sensor-cells ARM: dts: imx6sx: Fix tempmon description ARM: dts: imx6sll: Remove regulator-3p0 unit address ARM: dts: imx6sll: Fix the last SPDIF clock name ARM: dts: imx7ulp: Remove incorrect mmc fallback compatible ARM: dts: imx6sl: Remove incorrect mmc fallback compatible ARM: dts: imx6sx: Remove incorrect mmc fallback compatible ARM: dts: imx6sl/sll: Add the "fsl,imx6dl-gpt" fallback ARM: dts: imx6ul: Drop duplicate space in iomux node groups ARM: dts: imx6sx: Align pin config nodes with bindings ARM: dts: imx6sl: imx6sll: Align pin config nodes with bindings ARM: dts: imx6qp: Align pin config nodes with bindings ARM: dts: imx6qdl: Align pin config nodes with bindings ARM: dts: imx6q: Align pin config nodes with bindings ARM: dts: imx6dl: Align pin config nodes with bindings ARM: dts: imx53: Align pin config nodes with bindings ARM: dts: imx51: Align pin config nodes with bindings ARM: dts: imx50: Align pin config nodes with bindings ... Link: https://lore.kernel.org/r/20241104090055.1881860-4-shawnguo2@yeah.net Signed-off-by: Arnd Bergmann commit 3a4188025ac2c1250f73db476176eedd4b819e11 Merge: 7e2574fafdfc36 f1f6309aa90654 Author: Arnd Bergmann Date: Tue Nov 12 22:37:36 2024 +0100 Merge tag 'imx-bindings-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux into soc/dt i.MX dt-bindings changes for 6.13: - Add vendor prefix for ComVetia AG - Add new board compatibles for Kobo Clara 2E, Boundary Device Nitrogen8MP, Comvetia LXR, Kontron i.MX8MP OSM-S, Verdin i.MX8MM/P Ivy, DH Electronics DHCOM, IOTA2 Lumpy, Gateworks GW82XX-2x - A couple changes from Fabio Estevam to improve imx-anatop and imx-gpc bindings - A fsl,dsp bindings update from Laurentiu Mihalcea to correct power domain count * tag 'imx-bindings-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux: dt-bindings: arm: fsl: add compatible strings for Kobo Clara 2E dt-bindings: power: fsl,imx-gpc: Document fsl,imx6sll-gpc dt-bindings: soc: imx: fsl,imx-anatop: Add additional regulators dt-bindings: soc: imx: fsl,imx-anatop: Fix the i.MX7 irq number dt-bindings: arm: fsl: Add Boundary Device Nitrogen8MP Universal SMARC Carrier Board dt-bindings: arm: fsl: Add Gateworks GW82XX-2x dev kit dt-bindings: dsp: fsl,dsp: fix power domain count dt-bindings: arm: fsl: Document i.MX6DL DHCOM SoM on PDK2 carrier board dt-bindings: arm: fsl: Document DH electronics i.MX8M Plus DHCOM PicoITX dt-bindings: arm: fsl: Document DH i.MX8MP DHCOM SoM on DRC02 carrier board dt-bindings: arm: Add i.MX8MP IOTA2 Lumpy board dt-bindings: arm: freescale: Add verdin imx8mp ivy board dt-bindings: arm: freescale: Add verdin imx8mm ivy board dt-bindings: arm: fsl: Document the Comvetia LXR board dt-bindings: vendor-prefixes: Add an entry for ComVetia AG dt-bindings: arm: fsl: Add Kontron i.MX8MP OSM-S based boards Link: https://lore.kernel.org/r/20241104090055.1881860-3-shawnguo2@yeah.net Signed-off-by: Arnd Bergmann commit 7e2574fafdfc3634da05ab6dd8497ab2512d18c1 Merge: 2ffd61e39ea441 ef4b38462e627f Author: Arnd Bergmann Date: Tue Nov 12 22:36:51 2024 +0100 Merge tag 'qcom-arm32-for-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/qcom/linux into soc/dt Qualcomm Arm32 DeviceTree updates for v6.13 IPQ4019 flash partition scheme is moved to nvmem-layout. SDX55 and SDX65 PCIe EP controllers gain missing linux,pci-domain properties. Stylistic improvements across a range of platforms and devices. * tag 'qcom-arm32-for-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/qcom/linux: ARM: dts: qcom: ipq4019: use nvmem-layout ARM: dts: qcom: change labels to lower-case ARM: dts: qcom: sdx65: Add 'linux,pci-domain' to PCIe EP controller node ARM: dts: qcom: sdx55: Add 'linux,pci-domain' to PCIe EP controller node ARM: dts: qcom: minor whitespace cleanup ARM: dts: qcom: drop underscore in node names Link: https://lore.kernel.org/r/20241104034744.14378-1-andersson@kernel.org Signed-off-by: Arnd Bergmann commit 2ffd61e39ea44132742addf2a0295f736a8d44e3 Merge: 8b474333fcb790 44dae95e61288a Author: Arnd Bergmann Date: Tue Nov 12 22:36:20 2024 +0100 Merge tag 'socfpga_dts_updates_for_v6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/dinguyen/linux into soc/dt SoCFPGA DTS updates for v6.13 - Fix dts warning for at24 EEPROM node names * tag 'socfpga_dts_updates_for_v6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/dinguyen/linux: ARM: dts: socfpga: Fix at24 EEPROM node names Link: https://lore.kernel.org/r/20241101190046.912598-1-dinguyen@kernel.org Signed-off-by: Arnd Bergmann commit 8b474333fcb7904edfb08b99ef5d5342449ad0cf Merge: 9edd162c920d18 d57df7a7b78eec Author: Arnd Bergmann Date: Tue Nov 12 22:35:11 2024 +0100 Merge tag 'zynqmp-dt-for-6.13' of https://github.com/Xilinx/linux-xlnx into soc/dt arm64: ZynqMP DT changes for 6.13 - Enable AMS for all boards including HWMON - Add thermal zones * tag 'zynqmp-dt-for-6.13' of https://github.com/Xilinx/linux-xlnx: arm64: zynqmp: Add thermal zones arm64: zynqmp: Expose AMS to userspace as HWMON arm64: zynqmp: Enable AMS for all boards Link: https://lore.kernel.org/r/CAHTX3d+x1WrXhsp6+PQbo-B3T9q21tqE1RkhVsh0r7my3vH37g@mail.gmail.com Signed-off-by: Arnd Bergmann commit 9edd162c920d182428d2a6862d117d084e65e18d Merge: c78a5066ff4a46 46fa3fee0b1c02 Author: Arnd Bergmann Date: Tue Nov 12 22:32:05 2024 +0100 Merge tag 'v6.13-armsoc/dts64-1' of https://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip into soc/dt New SoCs: basic RK3528 support, RK3399S - a variant made specifically for the Pinephone Pro and for consistencies sake it gets its own SoC dtsi to not hide the specifics in the Pinephone Pro devicetree. New boards: OrangePi-5b, NanoPi R3S, ArmSom Sige 5 (first rk3576 board), Radxa e20c (first rk3528 board), Powkiddy RGB20SX, RK3588S-EVB1 and the ArmSoM LM7 SoM with W3 carrier board. HDMI support for rk3588 brings the first graphical output capability there. This includes of course needed changes to a number of boards. And finally a bunch of newly enabled peripherals on different boards, as well as changes to adhere better to bindings and removal/change of deprecated properties. * tag 'v6.13-armsoc/dts64-1' of https://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip: (64 commits) arm64: dts: rockchip: Add rk3588-orangepi-5b device tree dt-bindings: arm: rockchip: Add Orange Pi 5b enum to Orange Pi 5 entry arm64: dts: rockchip: refactor common Orange Pi 5 board arm64: dts: rockchip: Remove 'enable-active-low' from two boards arm64: dts: rockchip: add HDMI support to rk3588-jaguar arm64: dts: rockchip: add HDMI support to rk3588-tiger-haikou arm64: dts: rockchip: add HDMI pinctrl to rk3588-tiger SoM arm64: dts: rockchip: reorder mmc aliases for NanoPi R3S arm64: dts: rockchip: enable eMMC HS200 mode for NanoPi R3S arm64: dts: rockchip: sort props in pmu_io_domains node for NanoPi R3S arm64: dts: rockchip: replace deprecated snps,reset props for NanoPi R3S arm64: dts: rockchip: fix model name for FriendlyElec NanoPi R3S arm64: dts: rockchip: Enable HDMI0 on rock-5a arm64: dts: rockchip: Enable HDMI0 on rk3588-nanopc-t6 arm64: dts: rockchip: pwm-leds for Orange Pi 5 arm64: dts: rockchip: reorder audio/hdmi nodes in Orange Pi 5 arm64: dts: rockchip: analog audio on Orange Pi 5 arm64: dts: rockchip: Add dtsi file for RK3399S SoC variant arm64: dts: rockchip: Convert dts files used as parents to dtsi files arm64: dts: rockchip: fix the pcie refclock oscillator on Rock 5 ITX ... Link: https://lore.kernel.org/r/12542111.O9o76ZdvQC@phil Signed-off-by: Arnd Bergmann commit c78a5066ff4a463b9b4f49681a409ec234648c22 Merge: 03bf4af2726f81 0a4907eea61d1b Author: Arnd Bergmann Date: Tue Nov 12 22:30:58 2024 +0100 Merge tag 'samsung-dt64-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/krzk/linux into soc/dt Samsung DTS ARM64 changes for v6.13 1. Add new SoC Samsung Exynos8895 and new board using it: Samsung Galaxy S8 (SM-G950F) mobile phone. Only small support so far: CPUs (Samsung Mongoose M2), main clock controllers (FSYS, PERIC, TOP), pin controllers, SPI for cameras, timers. 2. Add new SoC Samsung Exynos990 and new board using it: Samsung Galaxy Note20 5G (c1s/SM-N981B) mobile phone. Only minimal support so far: CPUs (Samsung Mongoose M5), pin controllers, timers. 3. Prepare for adding new SoC Samsung Exynos9810 - add bindings. The SoC DTSI was not yet ready, but it is posted on the mailing lists so should come soon. 4. ExynosAutov920: Add several clock controllers. * tag 'samsung-dt64-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/krzk/linux: dt-bindings: arm: samsung: Document Exynos9810 and starlte board binding dt-bindings: soc: samsung: exynos-pmu: Add exynos9810 compatible dt-bindings: arm: cpus: Add Samsung Mongoose M3 arm64: dts: exynos8895: Add spi_0/1 nodes arm64: dts: exynos8895: Add Multi Core Timer (MCT) node arm64: dts: exynos8895: Add clock management unit nodes dt-bindings: timer: exynos4210-mct: Add samsung,exynos8895-mct compatible dt-bindings: clock: samsung: Add Exynos8895 SoC arm64: dts: exynos: Add initial support for Samsung Galaxy Note20 5G (c1s) arm64: dts: exynos: Add initial support for the Exynos 990 SoC dt-bindings: arm: samsung: samsung-boards: Add bindings for Exynos 990 boards dt-bindings: arm: cpus: Add Samsung Mongoose M5 arm64: dts: exynosautov920: add peric1, misc and hsi0/1 clock DT nodes dt-bindings: clock: exynosautov920: add peric1, misc and hsi0/1 clock definitions arm64: dts: exynos: Add initial support for Samsung Galaxy S8 arm64: dts: exynos: Add initial support for exynos8895 SoC dt-bindings: soc: samsung: exynos-pmu: Add exynos8895 compatible dt-bindings: arm: samsung: Document dreamlte board binding dt-bindings: arm: cpus: Add Samsung Mongoose M2 Link: https://lore.kernel.org/r/20241029081002.21106-2-krzysztof.kozlowski@linaro.org Signed-off-by: Arnd Bergmann commit 03bf4af2726f81d835b940b051cd1bde9f7d5c2c Merge: a96b9264f2a268 2433e22233f07b Author: Arnd Bergmann Date: Tue Nov 12 22:29:28 2024 +0100 Merge tag 'tegra-for-6.13-arm64-dt' of https://git.kernel.org/pub/scm/linux/kernel/git/tegra/linux into soc/dt arm64: tegra: Device tree changes for v6.13-rc1 Changes in this batch add an device tree file for the industrial module version of the Jetson AGX Orin Developer Kit. There are also some fixes for the Jetson TX1 and new features such as touchscreen, temperature sensor and USB-C extcon support for Smaug (a.k.a. Pixel C). * tag 'tegra-for-6.13-arm64-dt' of https://git.kernel.org/pub/scm/linux/kernel/git/tegra/linux: arm64: tegra: smaug: Declare cros-ec extcon arm64: tegra: Add SDMMC sdr104-offsets for Tegra X1 arm64: dts: nvidia: tegra210-smaug: Add TMP451 temperature sensor node arm64: dts: nvidia: tegra210-smaug: Add touchscreen node arm64: tegra: p2180: Add mandatory compatible for WiFi node arm64: tegra: Create SKU8 AGX Orin board file Link: https://lore.kernel.org/r/20241025150555.2558582-3-thierry.reding@gmail.com Signed-off-by: Arnd Bergmann commit a96b9264f2a268acda61023a7fa3f3a70994eaa8 Merge: 98354868cf63d0 1f451e2493a663 Author: Arnd Bergmann Date: Tue Nov 12 22:28:45 2024 +0100 Merge tag 'tegra-for-6.13-dt-bindings' of https://git.kernel.org/pub/scm/linux/kernel/git/tegra/linux into soc/dt dt-bindings: Changes for v6.13-rc1 This adds documentation for the AGX Orin industrial module. * tag 'tegra-for-6.13-dt-bindings' of https://git.kernel.org/pub/scm/linux/kernel/git/tegra/linux: dt-bindings: arm: Tegra234 Industrial Module Link: https://lore.kernel.org/r/20241025150555.2558582-2-thierry.reding@gmail.com Signed-off-by: Arnd Bergmann commit 98354868cf63d0a04db5e2a14f7c96e3aea5bbbd Merge: 735ac12ee85bdc 54b6c3795484ed Author: Arnd Bergmann Date: Tue Nov 12 22:28:08 2024 +0100 Merge tag 'ux500-dts-for-v6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-nomadik into soc/dt Ux500 DTS file updates for the v6.13 kernel cycle: - Add touchkeys to the Samsung Codina variants - Re-work the Codina device tree for eMMC * tag 'ux500-dts-for-v6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-nomadik: ARM: dts: Reconfigure the MC2 eMMC interface ARM: dts: ux500: Add touchkeys to Codinas Link: https://lore.kernel.org/r/CACRpkda5rix2JLYpexXTeGqKBcHeWxZx7A49jYCCmDPU7CFLSA@mail.gmail.com Signed-off-by: Arnd Bergmann commit 735ac12ee85bdce1d78b1a2713bbae0abbf7c3d5 Merge: dc60889cfacfa9 1e03bd2cf0d68a Author: Arnd Bergmann Date: Tue Nov 12 22:27:33 2024 +0100 Merge tag 'renesas-dts-for-v6.13-tag1' of https://git.kernel.org/pub/scm/linux/kernel/git/geert/renesas-devel into soc/dt Renesas DTS updates for v6.13 - Add support for PCIe on the R-Car V4M SoC and the Gray Hawk development board, - Add support for watchdog, OS timer, keyboard switch, SDHI, and MMCIF on the Genmai development board, - Add support for watchdog on the RSK+RZA1 development board, - Add support for QSPI NOR FLASH on the RZ/G2UL SMARC SoM, - Add support for E-FUSE on the R-Car V3U, S4-8, V4H, and V4M SoCs, - Use interrupts-extended where it makes sense, - Miscellaneous fixes and improvements. * tag 'renesas-dts-for-v6.13-tag1' of https://git.kernel.org/pub/scm/linux/kernel/git/geert/renesas-devel: (53 commits) arm64: dts: renesas: rzg3s-smarc: Use interrupts-extended for gpio-keys arm64: dts: renesas: beacon-renesom: Use interrupts-extended for touchscreen arm64: dts: renesas: Use interrupts-extended for WLAN arm64: dts: renesas: Use interrupts-extended for video decoders arm64: dts: renesas: Use interrupts-extended for USB muxes arm64: dts: renesas: Use interrupts-extended for PMICs arm64: dts: renesas: Use interrupts-extended for I/O expanders arm64: dts: renesas: Use interrupts-extended for HDMI bridges arm64: dts: renesas: Use interrupts-extended for Ethernet PHYs arm64: dts: renesas: Use interrupts-extended for DisplayPort bridges ARM: dts: renesas: kzm9g: Use interrupts-extended for sensors ARM: dts: renesas: kzm9g: Use interrupts-extended for I/O expander ARM: dts: renesas: r8a7742-iwg21m: Use interrupts-extended for RTC ARM: dts: renesas: iwg22d-sodimm: Use interrupts-extended for port expander ARM: dts: renesas: Use interrupts-extended for video decoders ARM: dts: renesas: Use interrupts-extended for touchpanels ARM: dts: renesas: Use interrupts-extended for PMICs ARM: dts: renesas: Use interrupts-extended for HDMI bridges ARM: dts: renesas: Use interrupts-extended for Ethernet PHYs ARM: dts: renesas: Use interrupts-extended for Ethernet MACs ... Signed-off-by: Arnd Bergmann commit dc60889cfacfa992bcc924668c81d3bdc34460e1 Merge: fce30430a420d8 7e756671a664b7 Author: Arnd Bergmann Date: Tue Nov 12 22:26:17 2024 +0100 Merge tag 'thead-dt-for-v6.13-p2' of https://github.com/pdp7/linux into soc/dt T-HEAD Devicetrees for v6.13, part 2 Add gmac, mdio, and phy nodes to enable the gigabit Ethernet ports on the TH1520 SoC-based BeagleV Ahead and Sipeed Lichee Pi 4a boards. The dwmac-thead driver and dt binding have been accepted by netdev and are in linux-next as well as the dts patch in this pull request. I have tested next-20241108 on the Ahead and LPi4a boards, and Ethernet works correctly. Signed-off-by: Drew Fustini * tag 'thead-dt-for-v6.13-p2' of https://github.com/pdp7/linux: riscv: dts: thead: Add TH1520 ethernet nodes Signed-off-by: Arnd Bergmann commit fce30430a420d80c6a55a778062a28054d34ea98 Merge: 42f7652d3eb527 2a3bf75a9408c4 Author: Arnd Bergmann Date: Tue Nov 12 22:25:27 2024 +0100 Merge tag 'thead-dt-for-v6.13' of https://github.com/pdp7/linux into soc/dt T-HEAD Devicetrees for v6.13 Add nodes for pin controllers on the T-Head TH1520 RISC-V SoC. The yaml binding and pinctrl-th1520 driver has been merged into next by Linus W and will be included in the 6.13 pinctrl PR. The TH1520 GPIO controllers are already supported by the gpio-dwapb driver. This PR improves GPIO support by adding GPIO ranges and GPIO line names for the BeagleV Ahead and LicheePi 4A boards. Support is added for the built-in LEDs on the Ahead board. Signed-off-by: Drew Fustini * tag 'thead-dt-for-v6.13' of https://github.com/pdp7/linux: riscv: dts: thead: remove enabled property for spi0 riscv: dts: thead: Add missing GPIO clock-names riscv: dtb: thead: Add BeagleV Ahead LEDs riscv: dts: thead: Add TH1520 pinctrl settings for UART0 riscv: dts: thead: Add Lichee Pi 4M GPIO line names riscv: dts: thead: Adjust TH1520 GPIO labels riscv: dts: thead: Add TH1520 GPIO ranges riscv: dts: thead: Add TH1520 pin control nodes commit 19629206894f1265d9148be475d8665c58596ab3 Author: Longfang Liu Date: Tue Nov 12 15:33:20 2024 +0800 hisi_acc_vfio_pci: create subfunction for data reading This patch generates the code for the operation of reading data from the device into a sub-function. Then, it can be called during the device status data saving phase of the live migration process and the device status data reading function in debugfs. Thereby reducing the redundant code of the driver. Signed-off-by: Longfang Liu Reviewed-by: Shameer Kolothum Link: https://lore.kernel.org/r/20241112073322.54550-3-liulongfang@huawei.com Signed-off-by: Alex Williamson commit ece8a2c77b881a379d24fee4656195d809161867 Author: Longfang Liu Date: Tue Nov 12 15:33:19 2024 +0800 hisi_acc_vfio_pci: extract public functions for container_of In the current driver, vdev is obtained from struct hisi_acc_vf_core_device through the container_of function. This method is used in many places in the driver. In order to reduce this repetitive operation, It was extracted into a public function. Signed-off-by: Longfang Liu Reviewed-by: Shameer Kolothum Link: https://lore.kernel.org/r/20241112073322.54550-2-liulongfang@huawei.com Signed-off-by: Alex Williamson commit a23da88c6c80e41e0503e0b481a22c9eea63f263 Author: Uladzislau Rezki (Sony) Date: Tue Oct 22 12:53:07 2024 +0200 rcu/kvfree: Fix data-race in __mod_timer / kvfree_call_rcu KCSAN reports a data race when access the krcp->monitor_work.timer.expires variable in the schedule_delayed_monitor_work() function: BUG: KCSAN: data-race in __mod_timer / kvfree_call_rcu read to 0xffff888237d1cce8 of 8 bytes by task 10149 on cpu 1: schedule_delayed_monitor_work kernel/rcu/tree.c:3520 [inline] kvfree_call_rcu+0x3b8/0x510 kernel/rcu/tree.c:3839 trie_update_elem+0x47c/0x620 kernel/bpf/lpm_trie.c:441 bpf_map_update_value+0x324/0x350 kernel/bpf/syscall.c:203 generic_map_update_batch+0x401/0x520 kernel/bpf/syscall.c:1849 bpf_map_do_batch+0x28c/0x3f0 kernel/bpf/syscall.c:5143 __sys_bpf+0x2e5/0x7a0 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5739 x64_sys_call+0x2625/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:322 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xc9/0x1c0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f write to 0xffff888237d1cce8 of 8 bytes by task 56 on cpu 0: __mod_timer+0x578/0x7f0 kernel/time/timer.c:1173 add_timer_global+0x51/0x70 kernel/time/timer.c:1330 __queue_delayed_work+0x127/0x1a0 kernel/workqueue.c:2523 queue_delayed_work_on+0xdf/0x190 kernel/workqueue.c:2552 queue_delayed_work include/linux/workqueue.h:677 [inline] schedule_delayed_monitor_work kernel/rcu/tree.c:3525 [inline] kfree_rcu_monitor+0x5e8/0x660 kernel/rcu/tree.c:3643 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0x483/0x9a0 kernel/workqueue.c:3310 worker_thread+0x51d/0x6f0 kernel/workqueue.c:3391 kthread+0x1d1/0x210 kernel/kthread.c:389 ret_from_fork+0x4b/0x60 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Reported by Kernel Concurrency Sanitizer on: CPU: 0 UID: 0 PID: 56 Comm: kworker/u8:4 Not tainted 6.12.0-rc2-syzkaller-00050-g5b7c893ed5ed #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: events_unbound kfree_rcu_monitor kfree_rcu_monitor() rearms the work if a "krcp" has to be still offloaded and this is done without holding krcp->lock, whereas the kvfree_call_rcu() holds it. Fix it by acquiring the "krcp->lock" for kfree_rcu_monitor() so both functions do not race anymore. Reported-by: syzbot+061d370693bdd99f9d34@syzkaller.appspotmail.com Link: https://lore.kernel.org/lkml/ZxZ68KmHDQYU0yfD@pc636/T/ Fixes: 8fc5494ad5fa ("rcu/kvfree: Move need_offload_krc() out of krcp->lock") Signed-off-by: Uladzislau Rezki (Sony) Reviewed-by: Neeraj Upadhyay Signed-off-by: Frederic Weisbecker commit 9782dd101f343d7f1cad824dc26ad355341e1f3b Author: Rafael J. Wysocki Date: Sun Nov 10 14:04:47 2024 +0100 thermal: testing: Simplify tt_get_tt_zone() Notice that tt_get_tt_zone() need not use the ret variable in the tt_thermal_zones list walk and make it return right after incrementing the reference counter of the matching entry. No functional impact. Signed-off-by: Rafael J. Wysocki Link: https://patch.msgid.link/6120304.lOV4Wx5bFT@rjwysocki.net commit 0ea3acbc804c2d5a165442cdf9c0526f4d324888 Author: Michal Schmidt Date: Mon Oct 7 12:14:15 2024 +0200 rcu/srcutiny: don't return before reenabling preemption Code after the return statement is dead. Enable preemption before returning from srcu_drive_gp(). This will be important when/if PREEMPT_AUTO (lazy resched) gets merged. Fixes: 65b4a59557f6 ("srcu: Make Tiny SRCU explicitly disable preemption") Reviewed-by: Paul E. McKenney Signed-off-by: Michal Schmidt Reviewed-by: Neeraj Upadhyay Signed-off-by: Frederic Weisbecker commit d4e287d7caff971c859ee6db65add42bde1d86ec Author: Paul E. McKenney Date: Wed Oct 9 11:00:45 2024 -0700 rcu-tasks: Remove open-coded one-byte cmpxchg() emulation This commit removes the open-coded one-byte cmpxchg() emulation from rcu_trc_cmpxchg_need_qs(), replacing it with just cmpxchg() given the latter's new-found ability to handle single-byte arguments across all architectures. Signed-off-by: Paul E. McKenney Reviewed-by: Neeraj Upadhyay Signed-off-by: Frederic Weisbecker commit 0a116dc86d18ba109090be1af1641ef1d57f4e20 Author: Paul E. McKenney Date: Wed Oct 9 11:00:44 2024 -0700 doc: Remove kernel-parameters.txt entry for rcutorture.read_exit There is only ever the one read-exit task, and there is no module parameter named rcutorture.read_exit, so remove the bogus documentation. Instead, use rcutorture.read_exit_burst to enable/disable read-exit race testing. Signed-off-by: Paul E. McKenney Cc: Alexei Starovoitov Cc: Andrii Nakryiko Cc: Peter Zijlstra Cc: Kent Overstreet Cc: Reviewed-by: Neeraj Upadhyay Signed-off-by: Frederic Weisbecker commit de2ad0e72cb0343d151903f97bf7c449fb69a7d1 Author: Paul E. McKenney Date: Wed Oct 9 11:00:43 2024 -0700 rcutorture: Test start-poll primitives with interrupts disabled This commit tests the ->start_poll() and ->start_poll_full() functions with interrupts disabled, but only for RCU variants setting the ->start_poll_irqsoff flag. Signed-off-by: Paul E. McKenney Reviewed-by: Neeraj Upadhyay Signed-off-by: Frederic Weisbecker commit a30763800b04e384f4123d984997bf5c6a2179a9 Author: Paul E. McKenney Date: Wed Oct 9 11:00:42 2024 -0700 rcu: Permit start_poll_synchronize_rcu*() with interrupts disabled The header comment for both start_poll_synchronize_rcu() and start_poll_synchronize_rcu_full() state that interrupts must be enabled when calling these two functions, and there is a lockdep assertion in start_poll_synchronize_rcu_common() enforcing this restriction. However, there is no need for this restrictions, as can be seen in call_rcu(), which does wakeups when interrupts are disabled. This commit therefore removes the lockdep assertion and the comments. Reported-by: Kent Overstreet Signed-off-by: Paul E. McKenney Reviewed-by: Neeraj Upadhyay Signed-off-by: Frederic Weisbecker commit 481aa5fca02a2ee85ca76571becca31f816c2420 Author: Paul E. McKenney Date: Wed Oct 9 11:00:41 2024 -0700 rcu: Allow short-circuiting of synchronize_rcu_tasks_rude() There are now architectures for which all deep-idle and entry-exit functions are properly inlined or marked noinstr. Such architectures do not need synchronize_rcu_tasks_rude(), or will not once RCU Tasks has been modified to pay attention to idle tasks. This commit therefore allows a CONFIG_ARCH_HAS_NOINSTR_MARKINGS Kconfig option to turn synchronize_rcu_tasks_rude() into a no-op. To facilitate testing, kernels built by rcutorture scripting will enable RCU Tasks Trace even on systems that do not need it. [ paulmck: Apply Peter Zijlstra feedback. ] Signed-off-by: Paul E. McKenney Cc: Peter Zijlstra Signed-off-by: Neeraj Upadhyay Signed-off-by: Frederic Weisbecker commit 4fa7f729cecf4aee3cad8218b006b476f0ff90f4 Author: Paul E. McKenney Date: Wed Oct 9 11:00:40 2024 -0700 doc: Add rcuog kthreads to kernel-per-CPU-kthreads.rst This commit adds the rcuog kthreads to the list of callback-offloading kthreads that can be affinitied away from worker CPUs. Signed-off-by: Paul E. McKenney Reviewed-by: Neeraj Upadhyay Signed-off-by: Frederic Weisbecker commit b35ea78a4761b08b2695d98f240fec1f4e85092b Author: Chang S. Bae Date: Wed Nov 6 10:23:13 2024 -0800 cpufreq: ACPI: Simplify MSR read on the boot CPU Replace the 32-bit MSR access function with a 64-bit variant to simplify the call site, eliminating unnecessary 32-bit value manipulations. Signed-off-by: Chang S. Bae Link: https://patch.msgid.link/20241106182313.165297-1-chang.seok.bae@intel.com [ rjw: Subject edit ] Signed-off-by: Rafael J. Wysocki commit f30e2582a79173e6b6f8ebb44783085b6ec78de1 Author: Paul E. McKenney Date: Wed Oct 9 11:00:39 2024 -0700 rcu: Add rcuog kthreads to RCU_NOCB_CPU help text The RCU_NOCB_CPU help text currently fails to mention rcuog kthreads, so this commit adds this information. Reported-by: Olivier Langlois Signed-off-by: Paul E. McKenney Reviewed-by: Neeraj Upadhyay Signed-off-by: Frederic Weisbecker commit 5d2501f42cf8caad1abb44a37f20195a52e1cf07 Author: Jinjie Ruan Date: Mon Sep 2 19:06:54 2024 +0800 rcu: Use the BITS_PER_LONG macro sizeof(unsigned long) * 8 is the number of bits in an unsigned long variable, replace it with BITS_PER_LONG macro to make it simpler. Signed-off-by: Jinjie Ruan Reviewed-by: "Paul E. McKenney" Signed-off-by: Neeraj Upadhyay Signed-off-by: Frederic Weisbecker commit c32912069654f7bf4352f51c9e6386de71b10b62 Author: Hongbo Li Date: Fri Aug 23 17:21:58 2024 +0800 rcu: Use bitwise instead of arithmetic operator for flags This silences the following coccinelle warning: WARNING: sum of probable bitmasks, consider | Signed-off-by: Hongbo Li Reviewed-by: "Paul E. McKenney" Signed-off-by: Neeraj Upadhyay Signed-off-by: Frederic Weisbecker commit 4a09e358922381f9b258e863bcd9c910584203b9 Author: Baruch Siach Date: Sun Aug 18 11:18:17 2024 +0300 doc: rcu: update printed dynticks counter bits The stall warning prints 16 bits since commit 171476775d32 ("context_tracking: Convert state to atomic_t"). Fixes: 171476775d32 ("context_tracking: Convert state to atomic_t") Signed-off-by: Baruch Siach Reviewed-by: "Paul E. McKenney" Signed-off-by: Neeraj Upadhyay Signed-off-by: Frederic Weisbecker commit 70d8b6485b0bcd135b6699fc4252d2272818d1fb Author: Christian Loehle Date: Sat Nov 9 00:24:14 2024 +0000 sched/cpufreq: Ensure sd is rebuilt for EAS check Ensure sugov_eas_rebuild_sd() is always called when sugov_init() succeeds. The out goto initialized sugov without forcing the rebuild. Previously the missing call to sugov_eas_rebuild_sd() could lead to EAS not being enabled on boot when it should have been, because it requires all policies to be controlled by schedutil while they might not have been initialized yet. Fixes: e7a1b32e43b1 ("cpufreq: Rebuild sched-domains when removing cpufreq driver") Signed-off-by: Christian Loehle Link: https://patch.msgid.link/35e572d9-1152-406a-9e34-2525f7548af9@arm.com Signed-off-by: Rafael J. Wysocki commit 927df4cae36207dc9557d4e383bd4cbe2473dd38 Author: Uwe Kleine-König Date: Tue Nov 12 09:35:18 2024 +0100 ACPI: Switch back to struct platform_driver::remove() After commit 0edb555a65d1 ("platform: Make platform_driver::remove() return void") .remove() is (again) the right callback to implement for platform drivers. Convert all platform drivers below drivers/acpi to use .remove(), with the eventual goal to drop struct platform_driver::remove_new(). As .remove() and .remove_new() have the same prototypes, conversion is done by just changing the structure member name in the driver initializer. Signed-off-by: Uwe Kleine-König Link: https://patch.msgid.link/9ee1a9813f53698be62aab9d810b2d97a2a9f186.1731397722.git.u.kleine-koenig@baylibre.com [ rjw: Subject edit ] Signed-off-by: Rafael J. Wysocki commit b2603f8ac8217bc59f5c7f248ac248423b9b99cb Author: Miguel Ojeda Date: Mon Nov 11 21:16:07 2024 +0100 rust: warn on bindgen < 0.69.5 and libclang >= 19.1 When testing a `clang` upgrade with Rust Binder, Alice encountered [1] a build failure caused by `bindgen` not translating some symbols related to tracepoints. This was caused by commit 2e770edd8ce1 ("[libclang] Compute the right spelling location") changing the behavior of a function exposed by `libclang`. `bindgen` fixed the regression in commit 600f63895f73 ("Use clang_getFileLocation instead of clang_getSpellingLocation"). However, the regression fix is only available in `bindgen` versions 0.69.5 or later (it was backported for 0.69.x). This means that when older bindgen versions are used with new versions of `libclang`, `bindgen` may do the wrong thing, which could lead to a build failure. Alice encountered the bug with some header files related to tracepoints, but it could also cause build failures in other circumstances. Thus, always emit a warning when using an old `bindgen` with a new `libclang` so that other people do not have to spend time chasing down the same bug. However, testing just the version is inconvenient, since distributions do patch their packages without changing the version, so I reduced the issue into the following piece of code that can trigger the issue: #define F(x) int x##x F(foo); In particular, an unpatched `bindgen` will ignore the macro expansion and thus not provide a declaration for the exported `int`. Thus add a build test to `rust_is_available.sh` using the code above (that is only triggered if the versions appear to be affected), following what we did for the 0.66.x issue. Moreover, I checked the status in the major distributions we have instructions for: - Fedora 41 was affected but is now OK, since it now ships `bindgen` 0.69.5. Thanks Ben for the quick reply on the updates that were ongoing. Fedora 40 and earlier are OK (older `libclang`, and they also now carry `bindgen` 0.69.5). - Debian Sid was affected but is now OK, since they now ship a patched `bindgen` binary (0.66.1-7+b3). The issue was reported to Debian by email and then as a bug report [2]. Thanks NoisyCoil and Matthias for the quick replies. NoisyCoil handled the needed updates. Debian may upgrade to `bindgen` 0.70.x, too. Debian Testing is OK (older `libclang` so far). - Ubuntu non-LTS (oracular) is affected. The issue was reported to Ubuntu by email and then as a bug report [3]. Ubuntu LTS is not affected (older `libclang` so far). - Arch Linux, Gentoo Linux and openSUSE should be OK (newer `bindgen` is provided). Nix as well (older `libclang` so far). This issue was also added to our "live list" that tracks issues around distributions [4]. Cc: Ben Beasley Cc: NoisyCoil Cc: Matthias Geiger Link: https://lore.kernel.org/rust-for-linux/20241030-bindgen-libclang-warn-v1-1-3a7ba9fedcfe@google.com/ [1] Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086510 [2] Link: https://bugs.launchpad.net/ubuntu/+source/rust-bindgen-cli/+bug/2086639 [3] Link: https://github.com/Rust-for-Linux/linux/issues/1127 [4] Co-developed-by: Alice Ryhl Signed-off-by: Alice Ryhl Link: https://lore.kernel.org/r/20241111201607.653149-1-ojeda@kernel.org Signed-off-by: Miguel Ojeda commit 623e5747c680d3854b6b9882d9907096bc63580d Author: Abhinav Saxena Date: Wed Nov 6 23:19:11 2024 -0700 docs: fix typos and whitespace in Documentation/process/backporting.rst - Fix repeated word "when" in backporting documentation - Remove trailing whitespace after '$' character These issues were reported by checkpatch.pl. No functional changes. Signed-off-by: Abhinav Saxena Signed-off-by: Jonathan Corbet Link: https://lore.kernel.org/r/20241107061911.106040-1-xandfury@gmail.com commit 4a49194f587a62d972b602e3e1a2c3cfe6567966 Author: Hans de Goede Date: Sat Nov 9 23:00:28 2024 +0100 ACPI: x86: Add adev NULL check to acpi_quirk_skip_serdev_enumeration() acpi_dev_hid_match() does not check for adev == NULL, dereferencing it unconditional. Add a check for adev being NULL before calling acpi_dev_hid_match(). At the moment acpi_quirk_skip_serdev_enumeration() is never called with a controller_parent without an ACPI companion, but better safe than sorry. Signed-off-by: Hans de Goede Link: https://patch.msgid.link/20241109220028.83047-1-hdegoede@redhat.com Signed-off-by: Rafael J. Wysocki commit 7f261203d7c2e0c06e668b25dfaaee091a79ab25 Author: Hans de Goede Date: Sat Nov 9 22:59:36 2024 +0100 ACPI: x86: Make UART skip quirks work on PCI UARTs without an UID The Vexia EDU ATLA 10 tablet (9V version) which shipped with Android 4.2 as factory OS has the usual broken DSDT issues for x86 Android tablets. On top of that this tablet is special because all its LPSS island peripherals are enumerated as PCI devices rather then as ACPI devices as they typically are. For the x86-android-tablets kmod to be able to instantiate a serdev client for the Bluetooth HCI on this tablet, an ACPI_QUIRK_UART1_SKIP quirk is necessary. Modify acpi_dmi_skip_serdev_enumeration() to work with PCI enumerated UARTs without an UID, such as the UARTs on this tablet. Also make acpi_dmi_skip_serdev_enumeration() exit early if there are no quirks, since there is nothing to do then. And add the necessary quirks for the Vexia EDU ATLA 10 tablet. This should compile with CONFIG_PCI being unset without issues because dev_is_pci() is defined as "(false)" then. Signed-off-by: Hans de Goede Link: https://patch.msgid.link/20241109215936.83004-1-hdegoede@redhat.com Signed-off-by: Rafael J. Wysocki commit ef7d4c8206ce895e15b3e7cc50bd912477bc2ece Author: Dongliang Mu Date: Thu Nov 7 09:35:52 2024 +0800 docs/zh_CN: fix one sentence in llvm.rst According to Jinjie Ruan, the description about the prebuilt llvm is incorrect. Fix this sentence with new understanding. Link: https://groups.google.com/g/hust-os-kernel-patches/c/GbN5RkVrBho/m/2sC9rAw7BQAJ Signed-off-by: Dongliang Mu Reviewed-by: Jinjie Ruan Signed-off-by: Jonathan Corbet Link: https://lore.kernel.org/r/20241107013615.374757-1-dzm91@hust.edu.cn commit f5aff6fa6441290f567d1d54cb651b1e43a0cd7a Author: Thorsten Leemhuis Date: Tue Nov 5 13:11:08 2024 +0100 docs: bug-bisect: add a note about bisecting -next Explicitly mention how to bisect -next, as nothing in the kernel tree currently explains that bisects between -next versions won't work well and it's better to bisect between mainline and -next. Co-developed-by: Mark Brown Signed-off-by: Mark Brown Reviewed-by: Mark Brown Signed-off-by: Thorsten Leemhuis Signed-off-by: Jonathan Corbet Link: https://lore.kernel.org/r/ec19d5fc503ff7db3d4c4ff9e97fff24cc78f72a.1730808651.git.linux@leemhuis.info commit f060c89dc1a3cfb6db3894e1d96980a568aa355c Author: Thorsten Blum Date: Tue Nov 12 19:26:34 2024 +0100 x86/sgx: Use vmalloc_array() instead of vmalloc() Use vmalloc_array() instead of vmalloc() to calculate the number of bytes to allocate. Signed-off-by: Thorsten Blum Signed-off-by: Dave Hansen Reviewed-by: Jarkko Sakkinen Acked-by: Kai Huang Link: https://lore.kernel.org/all/20241112182633.172944-2-thorsten.blum%40linux.dev commit c4c9cebe2fb9cdc73e55513de7af7a4f50260e88 Author: Waiman Long Date: Sat Nov 9 21:50:23 2024 -0500 cgroup/cpuset: Further optimize code if CONFIG_CPUSETS_V1 not set Currently the cpuset code uses group_subsys_on_dfl() to check if we are running with cgroup v2. If CONFIG_CPUSETS_V1 isn't set, there is really no need to do this check and we can optimize out some of the unneeded v1 specific code paths. Introduce a new cpuset_v2() and use it to replace the cgroup_subsys_on_dfl() check to further optimize the code. Signed-off-by: Waiman Long Signed-off-by: Tejun Heo commit a040c351283e3ac75422621ea205b1d8d687e108 Author: Waiman Long Date: Sat Nov 9 21:50:22 2024 -0500 cgroup/cpuset: Enforce at most one rebuild_sched_domains_locked() call per operation Since commit ff0ce721ec21 ("cgroup/cpuset: Eliminate unncessary sched domains rebuilds in hotplug"), there is only one rebuild_sched_domains_locked() call per hotplug operation. However, writing to the various cpuset control files may still casue more than one rebuild_sched_domains_locked() call to happen in some cases. Juri had found that two rebuild_sched_domains_locked() calls in update_prstate(), one from update_cpumasks_hier() and another one from update_partition_sd_lb() could cause cpuset partition to be created with null total_bw for DL tasks. IOW, DL tasks may not be scheduled correctly in such a partition. A sample command sequence that can reproduce null total_bw is as follows. # echo Y >/sys/kernel/debug/sched/verbose # echo +cpuset >/sys/fs/cgroup/cgroup.subtree_control # mkdir /sys/fs/cgroup/test # echo 0-7 > /sys/fs/cgroup/test/cpuset.cpus # echo 6-7 > /sys/fs/cgroup/test/cpuset.cpus.exclusive # echo root >/sys/fs/cgroup/test/cpuset.cpus.partition Fix this double rebuild_sched_domains_locked() calls problem by replacing existing calls with cpuset_force_rebuild() except the rebuild_sched_domains_cpuslocked() call at the end of cpuset_handle_hotplug(). Checking of the force_sd_rebuild flag is now done at the end of cpuset_write_resmask() and update_prstate() to determine if rebuild_sched_domains_locked() should be called or not. The cpuset v1 code can still call rebuild_sched_domains_locked() directly as double rebuild_sched_domains_locked() calls is not possible. Reported-by: Juri Lelli Closes: https://lore.kernel.org/lkml/ZyuUcJDPBln1BK1Y@jlelli-thinkpadt14gen4.remote.csb/ Signed-off-by: Waiman Long Tested-by: Juri Lelli Signed-off-by: Tejun Heo commit bcd7012afd7bcd45fcd7a0e2f48e57b273702317 Author: Waiman Long Date: Sat Nov 9 21:50:21 2024 -0500 cgroup/cpuset: Revert "Allow suppression of sched domain rebuild in update_cpumasks_hier()" Revert commit 3ae0b773211e ("cgroup/cpuset: Allow suppression of sched domain rebuild in update_cpumasks_hier()") to allow for an alternative way to suppress unnecessary rebuild_sched_domains_locked() calls in update_cpumasks_hier() and elsewhere in a following commit. Signed-off-by: Waiman Long Signed-off-by: Tejun Heo commit 60ad25e14ab5a4e56c8bf7f7d6846eacb9cd53df Author: James Clark Date: Tue Nov 12 10:56:03 2024 +0000 KVM: arm64: Pass on SVE mapping failures This function can fail but its return value isn't passed onto the caller. Presumably this could result in a broken state. Fixes: 66d5b53e20a6 ("KVM: arm64: Allocate memory mapped at hyp for host sve state in pKVM") Signed-off-by: James Clark Reviewed-by: Fuad Tabba Acked-by: Marc Zyngier Link: https://lore.kernel.org/r/20241112105604.795809-1-james.clark@linaro.org Signed-off-by: Oliver Upton commit 5812b95b7ff47d2ccc07b8f050652604ac54cdcf Merge: 3d25d46a255a83 d2fab3fc27cbca Author: Ulf Hansson Date: Tue Nov 12 19:46:55 2024 +0100 pmdomain: Merge branch fixes into next Merge the pmdomain fixes for v6.12-rc[n] into the next branch, to allow them to get tested together with the new changes that are targeted for v6.13. Signed-off-by: Ulf Hansson commit 3d25d46a255a83f94d7d4d4216f38aafc8e116b0 Author: Jishnu Prakash Date: Mon Nov 11 16:24:44 2024 -0800 pmdomain: qcom: rpmhpd: Add rpmhpd support for SM8750 This adds the RPMHPD present in SM8750 SoCs. Signed-off-by: Jishnu Prakash Signed-off-by: Taniya Das Signed-off-by: Melody Olvera Message-ID: <20241112002444.2802092-3-quic_molvera@quicinc.com> Signed-off-by: Ulf Hansson commit 134e9d035d830aabd1121bcda89f7ee9a476d3a3 Author: Taniya Das Date: Mon Nov 11 16:24:43 2024 -0800 dt-bindings: power: qcom,rpmpd: document the SM8750 RPMh Power Domains Document the RPMh Power Domains on the SM8750 Platform. Signed-off-by: Taniya Das Signed-off-by: Jishnu Prakash Signed-off-by: Melody Olvera Message-ID: <20241112002444.2802092-2-quic_molvera@quicinc.com> Signed-off-by: Ulf Hansson commit 8d04dfdbc380d1b77d4312f9e6d2ac1b42598fed Author: Rob Herring (Arm) Date: Mon Nov 4 13:07:42 2024 -0600 pmdomain: imx: Use of_property_present() for non-boolean properties The use of of_property_read_bool() for non-boolean properties is deprecated in favor of of_property_present() when testing for property presence. Signed-off-by: Rob Herring (Arm) Message-ID: <20241104190742.276710-1-robh@kernel.org> Signed-off-by: Ulf Hansson commit c0baf6ead75d6db16798ae48a4ac38c3af4e9280 Merge: 3f31337cf2a5b4 1635e407a4a64d Author: Ulf Hansson Date: Tue Nov 12 19:41:24 2024 +0100 mmc: Merge branch fixes into next Merge the mmc fixes for v6.12-rc[n] into the next branch, to allow them to get tested together with the new mmc changes that are targeted for v6.13. Signed-off-by: Ulf Hansson commit 3f31337cf2a5b48e1a0feaaf6c86dcb2805fd06e Author: Stefan Wahren Date: Fri Nov 8 14:06:47 2024 +0100 mmc: pwrseq_simple: Handle !RESET_CONTROLLER properly The recent introduction of reset control in pwrseq_simple introduced a regression for platforms without RESET_CONTROLLER support, because devm_reset_control_get_optional_shared() would return NULL and make all resets no-ops. Instead of enforcing this dependency, rely on this behavior to determine reset support. As a benefit we can get the rid of the use_reset flag. Fixes: 73bf4b7381f7 ("mmc: pwrseq_simple: add support for one reset control") Signed-off-by: Stefan Wahren Reviewed-by: Florian Fainelli Message-ID: <20241108130647.8281-1-wahrenst@gmx.net> Signed-off-by: Ulf Hansson commit 2508925fb346661bad9f50b497d7ac7d0b6085d0 Author: Andy-ld Lu Date: Mon Nov 11 16:49:31 2024 +0800 mmc: mtk-sd: Fix MMC_CAP2_CRYPTO flag setting Currently, the MMC_CAP2_CRYPTO flag is set by default for eMMC hosts. However, this flag should not be set for hosts that do not support inline encryption. The 'crypto' clock, as described in the documentation, is used for data encryption and decryption. Therefore, only hosts that are configured with this 'crypto' clock should have the MMC_CAP2_CRYPTO flag set. Fixes: 7b438d0377fb ("mmc: mtk-sd: add Inline Crypto Engine clock control") Fixes: ed299eda8fbb ("mmc: mtk-sd: fix devm_clk_get_optional usage") Signed-off-by: Andy-ld Lu Cc: stable@vger.kernel.org Message-ID: <20241111085039.26527-1-andy-ld.lu@mediatek.com> Signed-off-by: Ulf Hansson commit 11597043d74809daf5d14256b96d6781749b3f82 Author: Kalle Valo Date: Tue Nov 12 16:24:19 2024 +0200 Revert "wifi: iwlegacy: do not skip frames with bad FCS" This reverts commit 02b682d54598f61cbb7dbb14d98ec1801112b878. Alf reports that this commit causes the connection to eventually die on iwl4965. The reason is that rx_status.flag is zeroed after RX_FLAG_FAILED_FCS_CRC is set and mac80211 doesn't know the received frame is corrupted. Fixes: 02b682d54598 ("wifi: iwlegacy: do not skip frames with bad FCS") Reported-by: Alf Marius Closes: https://lore.kernel.org/r/60f752e8-787e-44a8-92ae-48bdfc9b43e7@app.fastmail.com/ Signed-off-by: Kalle Valo Link: https://patch.msgid.link/20241112142419.1023743-1-kvalo@kernel.org commit 185e02d61e991bf51389d2ea1497f3b98d090b95 Merge: e3e0f9b7ae280f 7a1f3143377adb Author: Paolo Bonzini Date: Tue Nov 12 13:17:55 2024 -0500 Merge tag 'kvm-s390-next-6.13-1' of https://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linux into HEAD - second part of the ucontrol selftest - cpumodel sanity check selftest - gen17 cpumodel changes commit d68beb276ba26cec47350a6d468e967673ee0c56 Author: Nicolin Chen Date: Wed Oct 30 21:20:56 2024 -0300 iommu/arm-smmu-v3: Support IOMMU_HWPT_INVALIDATE using a VIOMMU object Implement the vIOMMU's cache_invalidate op for user space to invalidate the IOTLB entries, Device ATS and CD entries that are cached by hardware. Add struct iommu_viommu_arm_smmuv3_invalidate defining invalidation entries that are simply in the native format of a 128-bit TLBI command. Scan those commands against the permitted command list and fix their VMID/SID fields to match what is stored in the vIOMMU. Link: https://patch.msgid.link/r/12-v4-9e99b76f3518+3a8-smmuv3_nesting_jgg@nvidia.com Co-developed-by: Eric Auger Signed-off-by: Eric Auger Co-developed-by: Jason Gunthorpe Signed-off-by: Nicolin Chen Tested-by: Nicolin Chen Signed-off-by: Jason Gunthorpe commit f27298a82ba09a1c8aecee8a209b2a312beac672 Author: Jason Gunthorpe Date: Wed Oct 30 21:20:55 2024 -0300 iommu/arm-smmu-v3: Allow ATS for IOMMU_DOMAIN_NESTED The EATS flag needs to flow through the vSTE and into the pSTE, and ensure physical ATS is enabled on the PCI device. The physical ATS state must match the VM's idea of EATS as we rely on the VM to issue the ATS invalidation commands. Thus ATS must remain off at the device until EATS on a nesting domain turns it on. Attaching a nesting domain is the point where the invalidation responsibility transfers to userspace. Update the ATS logic to track EATS for nesting domains and flush the ATC whenever the S2 nesting parent changes. Link: https://patch.msgid.link/r/11-v4-9e99b76f3518+3a8-smmuv3_nesting_jgg@nvidia.com Signed-off-by: Nicolin Chen Tested-by: Nicolin Chen Signed-off-by: Jason Gunthorpe commit 67e4fe3985138325c9b21193be52266750616182 Author: Jason Gunthorpe Date: Wed Oct 30 21:20:54 2024 -0300 iommu/arm-smmu-v3: Use S2FWB for NESTED domains Force Write Back (FWB) changes how the S2 IOPTE's MemAttr field works. When S2FWB is supported and enabled the IOPTE will force cachable access to IOMMU_CACHE memory when nesting with a S1 and deny cachable access when !IOMMU_CACHE. When using a single stage of translation, a simple S2 domain, it doesn't change things for PCI devices as it is just a different encoding for the existing mapping of the IOMMU protection flags to cachability attributes. For non-PCI it also changes the combining rules when incoming transactions have inconsistent attributes. However, when used with a nested S1, FWB has the effect of preventing the guest from choosing a MemAttr in it's S1 that would cause ordinary DMA to bypass the cache. Consistent with KVM we wish to deny the guest the ability to become incoherent with cached memory the hypervisor believes is cachable so we don't have to flush it. Allow NESTED domains to be created if the SMMU has S2FWB support and use S2FWB for NESTING_PARENTS. This is an additional option to CANWBS. Link: https://patch.msgid.link/r/10-v4-9e99b76f3518+3a8-smmuv3_nesting_jgg@nvidia.com Reviewed-by: Nicolin Chen Reviewed-by: Kevin Tian Reviewed-by: Jerry Snitselaar Reviewed-by: Donald Dutile Tested-by: Nicolin Chen Signed-off-by: Jason Gunthorpe commit 1e8be08d1c91d52a9b51d424db78ddbf88660bbb Author: Jason Gunthorpe Date: Wed Oct 30 21:20:53 2024 -0300 iommu/arm-smmu-v3: Support IOMMU_DOMAIN_NESTED For SMMUv3 a IOMMU_DOMAIN_NESTED is composed of a S2 iommu_domain acting as the parent and a user provided STE fragment that defines the CD table and related data with addresses translated by the S2 iommu_domain. The kernel only permits userspace to control certain allowed bits of the STE that are safe for user/guest control. IOTLB maintenance is a bit subtle here, the S1 implicitly includes the S2 translation, but there is no way of knowing which S1 entries refer to a range of S2. For the IOTLB we follow ARM's guidance and issue a CMDQ_OP_TLBI_NH_ALL to flush all ASIDs from the VMID after flushing the S2 on any change to the S2. The IOMMU_DOMAIN_NESTED can only be created from inside a VIOMMU as the invalidation path relies on the VIOMMU to translate virtual stream ID used in the invalidation commands for the CD table and ATS. Link: https://patch.msgid.link/r/9-v4-9e99b76f3518+3a8-smmuv3_nesting_jgg@nvidia.com Reviewed-by: Nicolin Chen Reviewed-by: Kevin Tian Reviewed-by: Jerry Snitselaar Reviewed-by: Donald Dutile Signed-off-by: Nicolin Chen Tested-by: Nicolin Chen Signed-off-by: Jason Gunthorpe commit 69d9b312f38aa19f8c801e90bd23d70685be49f0 Author: Nicolin Chen Date: Wed Oct 30 21:20:52 2024 -0300 iommu/arm-smmu-v3: Support IOMMU_VIOMMU_ALLOC Add a new driver-type for ARM SMMUv3 to enum iommu_viommu_type. Implement an arm_vsmmu_alloc(). As an initial step, copy the VMID from s2_parent. A followup series is required to give the VIOMMU object it's own VMID that will be used in all nesting configurations. Link: https://patch.msgid.link/r/8-v4-9e99b76f3518+3a8-smmuv3_nesting_jgg@nvidia.com Signed-off-by: Nicolin Chen Tested-by: Nicolin Chen Signed-off-by: Jason Gunthorpe commit 4e6bd13aa33c78346973f01c7303b4909d79ec86 Merge: b047c0644f4e0a f6681abd413919 Author: Jason Gunthorpe Date: Tue Nov 12 13:47:28 2024 -0400 Merge branch 'iommufd/arm-smmuv3-nested' of iommu/linux into iommufd for-next Common SMMUv3 patches for the following patches adding nesting, shared branch with the iommu tree. * 'iommufd/arm-smmuv3-nested' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/iommu/linux: iommu/arm-smmu-v3: Expose the arm_smmu_attach interface iommu/arm-smmu-v3: Implement IOMMU_HWPT_ALLOC_NEST_PARENT iommu/arm-smmu-v3: Support IOMMU_GET_HW_INFO via struct arm_smmu_hw_info iommu/arm-smmu-v3: Report IOMMU_CAP_ENFORCE_CACHE_COHERENCY for CANWBS ACPI/IORT: Support CANWBS memory access flag ACPICA: IORT: Update for revision E.f vfio: Remove VFIO_TYPE1_NESTING_IOMMU ... Signed-off-by: Jason Gunthorpe commit 291220451c775a054cedc4fab4578a1419eb6256 Author: Andy-ld Lu Date: Thu Nov 7 20:11:21 2024 +0800 mmc: mtk-sd: Fix error handle of probe function In the probe function, it goes to 'release_mem' label and returns after some procedure failure. But if the clocks (partial or all) have been enabled previously, they would not be disabled in msdc_runtime_suspend, since runtime PM is not yet enabled for this case. That cause mmc related clocks always on during system suspend and block suspend flow. Below log is from a SDCard issue of MT8196 chromebook, it returns -ETIMEOUT while polling clock stable in the msdc_ungate_clock() and probe failed, but the enabled clocks could not be disabled anyway. [ 129.059253] clk_chk_dev_pm_suspend() [ 129.350119] suspend warning: msdcpll is on [ 129.354494] [ck_msdc30_1_sel : enabled, 1, 1, 191999939, ck_msdcpll_d2] [ 129.362787] [ck_msdcpll_d2 : enabled, 1, 1, 191999939, msdcpll] [ 129.371041] [ck_msdc30_1_ck : enabled, 1, 1, 191999939, ck_msdc30_1_sel] [ 129.379295] [msdcpll : enabled, 1, 1, 383999878, clk26m] Add a new 'release_clk' label and reorder the error handle functions to make sure the clocks be disabled after probe failure. Fixes: ffaea6ebfe9c ("mmc: mtk-sd: Use readl_poll_timeout instead of open-coded polling") Fixes: 7a2fa8eed936 ("mmc: mtk-sd: use devm_mmc_alloc_host") Signed-off-by: Andy-ld Lu Reviewed-by: AngeloGioacchino Del Regno Cc: stable@vger.kernel.org Message-ID: <20241107121215.5201-1-andy-ld.lu@mediatek.com> Signed-off-by: Ulf Hansson commit 7f083e4b9b39b015620c7dbf8e215fa8f938d719 Author: Victor Shih Date: Tue Nov 5 18:29:01 2024 +0800 mmc: core: Correction a warning caused by incorrect type in assignment for UHS-II There is a type issue in the assignment in the sd_uhs2_dev_init() that will generate a warning when building the kernel. Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202411051248.wvjHSFNj-lkp@intel.com/ Signed-off-by: Ben Chuang Signed-off-by: Victor Shih Acked-by: Adrian Hunter Message-ID: <20241105102901.351429-1-victorshihgli@gmail.com> Signed-off-by: Ulf Hansson commit eb4ffa40010472dffdc276da307161545aab45a3 Author: Alexandre Belloni Date: Tue Nov 12 15:36:52 2024 +0100 rtc: amlogic-a4: drop error messages Drop error message because there is a high probability they will never be seen and the final user action is clear, the time has to be set again. Reviewed-by: Neil Armstrong Link: https://lore.kernel.org/r/20241112143652.3445648-1-alexandre.belloni@bootlin.com Signed-off-by: Alexandre Belloni commit c0b5195bad63b18022f2776372fccd3ae9177705 Author: Sebastian Andrzej Siewior Date: Wed Oct 2 17:18:54 2024 +0100 ARM: 9426/1: vfp: Move sending signals outside of vfp_state_hold()ed section. VFP_bounce() is invoked from within vfp_support_entry() and may send a signal. Sending a signal uses spinlock_t which becomes a sleeping lock on PREEMPT_RT and must not be acquired within a preempt-disabled section. Move the vfp_raise_sigfpe() block outside of the vfp_state_hold() section. Reviewed-by: Ard Biesheuvel Signed-off-by: Sebastian Andrzej Siewior Signed-off-by: Russell King (Oracle) commit 27035c23bad54ed552c6741210dd1c4fa50cb386 Author: Sebastian Andrzej Siewior Date: Wed Oct 2 17:18:11 2024 +0100 ARM: 9425/1: vfp: Use vfp_state_hold() in vfp_support_entry(). vfp_entry() is invoked from exception handler and is fully preemptible. It uses local_bh_disable() to remain uninterrupted while checking the VFP state. This is not working on PREEMPT_RT because local_bh_disable() synchronizes the relevant section but the context remains fully preemptible. Use vfp_state_hold() for uninterrupted access. Reviewed-by: Ard Biesheuvel Signed-off-by: Sebastian Andrzej Siewior Signed-off-by: Russell King (Oracle) commit b54cdbad4a39bb3abc85ac151f4882b3d92c5d79 Author: Sebastian Andrzej Siewior Date: Wed Oct 2 17:16:33 2024 +0100 ARM: 9424/1: vfp: Use vfp_state_hold() in vfp_sync_hwstate(). vfp_sync_hwstate() uses preempt_disable() followed by local_bh_disable() to ensure that it won't get interrupted while checking the VFP state. This harms PREEMPT_RT because softirq handling can get preempted and local_bh_disable() synchronizes the related section with a sleeping lock which does not work with disabled preemption. Use the vfp_state_hold() to synchronize the access. Reviewed-by: Ard Biesheuvel Signed-off-by: Sebastian Andrzej Siewior Signed-off-by: Russell King (Oracle) commit f26bdbe1fa9f79fa8cb0d0bf39303c3573c60552 Author: Sebastian Andrzej Siewior Date: Wed Oct 2 17:15:32 2024 +0100 ARM: 9423/1: vfp: Provide vfp_state_hold() for VFP locking. kernel_neon_begin() uses local_bh_disable() to ensure exclusive access to the VFP unit. This is broken on PREEMPT_RT because a BH disabled section remains preemptible on PREEMPT_RT. Introduce vfp_state_hold() which uses local_bh_disable() and preempt_disable() on PREEMPT_RT. Since softirqs are processed always in thread context, disabling preemption is enough to ensure that the current context won't get interrupted by something that is using the VFP. Use it in kernel_neon_begin(). Reviewed-by: Ard Biesheuvel Signed-off-by: Sebastian Andrzej Siewior Signed-off-by: Russell King (Oracle) commit ad8d1e323dd37f91d0c973e2a74c7b9054219adc Author: Kunwu Chan Date: Mon Sep 2 07:39:20 2024 +0100 ARM: 9415/1: amba: Add dev_is_amba() function and export it for modules Add dev_is_amba() function to determine whether the device is a AMBA device. Suggested-by: Andy Shevchenko Signed-off-by: Kunwu Chan Signed-off-by: Russell King (Oracle) commit 6371b4bc179aad17d84ee301b409a5a8ce675657 Author: Colin Ian King Date: Thu Nov 7 12:05:30 2024 +0000 tracing: Remove redundant check on field->field in histograms The check on field->field being true is handled as the first check on the cascaded if statement, so the later checks on field->field are redundant because this clause has already been handled. Since this later check is redundant, just remove it. Cc: Masami Hiramatsu Cc: Mathieu Desnoyers Link: https://lore.kernel.org/20241107120530.18728-1-colin.i.king@gmail.com Signed-off-by: Colin Ian King Signed-off-by: Steven Rostedt (Google) commit b047c0644f4e0aafd202e9519a22e17651fbee70 Author: Nicolin Chen Date: Tue Nov 5 12:05:18 2024 -0800 Documentation: userspace-api: iommufd: Update vDEVICE With the introduction of the new object and its infrastructure, update the doc and the vIOMMU graph to reflect that. Link: https://patch.msgid.link/r/e1ff278b7163909b2641ae04ff364bb41d2a2a2e.1730836308.git.nicolinc@nvidia.com Reviewed-by: Jason Gunthorpe Reviewed-by: Kevin Tian Signed-off-by: Nicolin Chen Reviewed-by: Bagas Sanjaya Signed-off-by: Jason Gunthorpe commit 49ad127719243420b355fd95b0d51ac46ae586e5 Author: Nicolin Chen Date: Tue Nov 5 12:05:17 2024 -0800 iommufd/selftest: Add vIOMMU coverage for IOMMU_HWPT_INVALIDATE ioctl Add a viommu_cache test function to cover vIOMMU invalidations using the updated IOMMU_HWPT_INVALIDATE ioctl, which now allows passing in a vIOMMU via its hwpt_id field. Link: https://patch.msgid.link/r/f317f902041f3d05deaee4ca3fdd8ef4b8297361.1730836308.git.nicolinc@nvidia.com Reviewed-by: Kevin Tian Reviewed-by: Jason Gunthorpe Signed-off-by: Nicolin Chen Signed-off-by: Jason Gunthorpe commit 576ad6eb45d6458c1a5e646dc35e3ec23c73fd1b Author: Nicolin Chen Date: Tue Nov 5 12:05:16 2024 -0800 iommufd/selftest: Add IOMMU_TEST_OP_DEV_CHECK_CACHE test command Similar to IOMMU_TEST_OP_MD_CHECK_IOTLB verifying a mock_domain's iotlb, IOMMU_TEST_OP_DEV_CHECK_CACHE will be used to verify a mock_dev's cache. Link: https://patch.msgid.link/r/cd4082079d75427bd67ed90c3c825e15b5720a5f.1730836308.git.nicolinc@nvidia.com Reviewed-by: Kevin Tian Reviewed-by: Jason Gunthorpe Signed-off-by: Nicolin Chen Signed-off-by: Jason Gunthorpe commit d6563aa2a8309270e042abd22a3e5fe44a6daca2 Author: Nicolin Chen Date: Tue Nov 5 12:05:15 2024 -0800 iommufd/selftest: Add mock_viommu_cache_invalidate Similar to the coverage of cache_invalidate_user for iotlb invalidation, add a device cache and a viommu_cache_invalidate function to test it out. Link: https://patch.msgid.link/r/a29c7c23d7cd143fb26ab68b3618e0957f485fdb.1730836308.git.nicolinc@nvidia.com Reviewed-by: Kevin Tian Signed-off-by: Nicolin Chen Signed-off-by: Jason Gunthorpe commit c747e67978ff473e6830afe0b1f3986dd1f444b5 Author: Nicolin Chen Date: Tue Nov 5 12:05:14 2024 -0800 iommufd/viommu: Add iommufd_viommu_find_dev helper This avoids a bigger trouble of exposing struct iommufd_device and struct iommufd_vdevice in the public header. Link: https://patch.msgid.link/r/84fa7c624db4d4508067ccfdf42059533950180a.1730836308.git.nicolinc@nvidia.com Reviewed-by: Kevin Tian Reviewed-by: Jason Gunthorpe Signed-off-by: Nicolin Chen Signed-off-by: Jason Gunthorpe commit 4f2e59ccb69866c5165525bd7aee47cd5cd00acc Author: Jason Gunthorpe Date: Tue Nov 5 12:05:13 2024 -0800 iommu: Add iommu_copy_struct_from_full_user_array helper The iommu_copy_struct_from_user_array helper can be used to copy a single entry from a user array which might not be efficient if the array is big. Add a new iommu_copy_struct_from_full_user_array to copy the entire user array at once. Update the existing iommu_copy_struct_from_user_array kdoc accordingly. Link: https://patch.msgid.link/r/5cd773d9c26920c5807d232b21d415ea79172e49.1730836308.git.nicolinc@nvidia.com Reviewed-by: Kevin Tian Reviewed-by: Jason Gunthorpe Signed-off-by: Nicolin Chen Signed-off-by: Jason Gunthorpe commit 54ce69e36c71c88f258b1a322c54343d90954858 Author: Nicolin Chen Date: Tue Nov 5 12:05:12 2024 -0800 iommufd: Allow hwpt_id to carry viommu_id for IOMMU_HWPT_INVALIDATE With a vIOMMU object, use space can flush any IOMMU related cache that can be directed via a vIOMMU object. It is similar to the IOMMU_HWPT_INVALIDATE uAPI, but can cover a wider range than IOTLB, e.g. device/desciprtor cache. Allow hwpt_id of the iommu_hwpt_invalidate structure to carry a viommu_id, and reuse the IOMMU_HWPT_INVALIDATE uAPI for vIOMMU invalidations. Drivers can define different structures for vIOMMU invalidations v.s. HWPT ones. Since both the HWPT-based and vIOMMU-based invalidation pathways check own cache invalidation op, remove the WARN_ON_ONCE in the allocator. Update the uAPI, kdoc, and selftest case accordingly. Link: https://patch.msgid.link/r/b411e2245e303b8a964f39f49453a5dff280968f.1730836308.git.nicolinc@nvidia.com Reviewed-by: Jason Gunthorpe Reviewed-by: Kevin Tian Signed-off-by: Nicolin Chen Signed-off-by: Jason Gunthorpe commit 67db79dc1a411335f8a7e53a5e206d96b237d9a8 Author: Nicolin Chen Date: Tue Nov 5 12:05:11 2024 -0800 iommu/viommu: Add cache_invalidate to iommufd_viommu_ops This per-vIOMMU cache_invalidate op is like the cache_invalidate_user op in struct iommu_domain_ops, but wider, supporting device cache (e.g. PCI ATC invaldiations). Link: https://patch.msgid.link/r/90138505850fa6b165135e78a87b4cc7022869a4.1730836308.git.nicolinc@nvidia.com Reviewed-by: Jason Gunthorpe Reviewed-by: Kevin Tian Signed-off-by: Nicolin Chen Signed-off-by: Jason Gunthorpe commit 5778c75703c6e01ffd70a429b9015bed8008a5fd Author: Nicolin Chen Date: Tue Nov 5 12:05:10 2024 -0800 iommufd/selftest: Add IOMMU_VDEVICE_ALLOC test coverage Add a vdevice_alloc op to the viommu mock_viommu_ops for the coverage of IOMMU_VIOMMU_TYPE_SELFTEST allocations. Then, add a vdevice_alloc TEST_F to cover the IOMMU_VDEVICE_ALLOC ioctl. Link: https://patch.msgid.link/r/4b9607e5b86726c8baa7b89bd48123fb44104a23.1730836308.git.nicolinc@nvidia.com Reviewed-by: Kevin Tian Reviewed-by: Jason Gunthorpe Signed-off-by: Nicolin Chen Signed-off-by: Jason Gunthorpe commit 0ce5c2477af2e2284b9c70474e4dae85db211680 Author: Nicolin Chen Date: Tue Nov 5 12:05:09 2024 -0800 iommufd/viommu: Add IOMMUFD_OBJ_VDEVICE and IOMMU_VDEVICE_ALLOC ioctl Introduce a new IOMMUFD_OBJ_VDEVICE to represent a physical device (struct device) against a vIOMMU (struct iommufd_viommu) object in a VM. This vDEVICE object (and its structure) holds all the infos and attributes in the VM, regarding the device related to the vIOMMU. As an initial patch, add a per-vIOMMU virtual ID. This can be: - Virtual StreamID on a nested ARM SMMUv3, an index to a Stream Table - Virtual DeviceID on a nested AMD IOMMU, an index to a Device Table - Virtual RID on a nested Intel VT-D IOMMU, an index to a Context Table Potentially, this vDEVICE structure would hold some vData for Confidential Compute Architecture (CCA). Use this virtual ID to index an "vdevs" xarray that belongs to a vIOMMU object. Add a new ioctl for vDEVICE allocations. Since a vDEVICE is a connection of a device object and an iommufd_viommu object, take two refcounts in the ioctl handler. Link: https://patch.msgid.link/r/cda8fd2263166e61b8191a3b3207e0d2b08545bf.1730836308.git.nicolinc@nvidia.com Signed-off-by: Nicolin Chen Signed-off-by: Jason Gunthorpe commit 87210b100e498c2073a283cb7a6f495fac5b4713 Author: Nicolin Chen Date: Tue Nov 5 12:04:29 2024 -0800 Documentation: userspace-api: iommufd: Update vIOMMU With the introduction of the new object and its infrastructure, update the doc to reflect that and add a new graph. Link: https://patch.msgid.link/r/7e4302064e0d02137c1b1e139342affc0485ed3f.1730836219.git.nicolinc@nvidia.com Reviewed-by: Jason Gunthorpe Reviewed-by: Kevin Tian Signed-off-by: Nicolin Chen Reviewed-by: Bagas Sanjaya Signed-off-by: Jason Gunthorpe commit 7156cd9ef24583c88bcc2f6d213f469aef38bfd9 Author: Nicolin Chen Date: Tue Nov 5 12:04:28 2024 -0800 iommufd/selftest: Add IOMMU_VIOMMU_ALLOC test coverage Add a new iommufd_viommu FIXTURE and setup it up with a vIOMMU object. Any new vIOMMU feature will be added as a TEST_F under that. Link: https://patch.msgid.link/r/abe267c9d004b29cb1712ceba2f378209d4b7e01.1730836219.git.nicolinc@nvidia.com Reviewed-by: Kevin Tian Signed-off-by: Nicolin Chen Signed-off-by: Jason Gunthorpe commit db70827a8827a1ac8d1063732d8c1182820e875c Author: Nicolin Chen Date: Tue Nov 5 12:04:27 2024 -0800 iommufd/selftest: Add IOMMU_VIOMMU_TYPE_SELFTEST Implement the viommu alloc/free functions to increase/reduce refcount of its dependent mock iommu device. User space can verify this loop via the IOMMU_VIOMMU_TYPE_SELFTEST. Link: https://patch.msgid.link/r/9d755a215a3007d4d8d1c2513846830332db62aa.1730836219.git.nicolinc@nvidia.com Reviewed-by: Kevin Tian Reviewed-by: Jason Gunthorpe Signed-off-by: Nicolin Chen Signed-off-by: Jason Gunthorpe commit 86070569450eec1a3b6a358be90a99cab87aa425 Author: Nicolin Chen Date: Tue Nov 5 12:04:26 2024 -0800 iommufd/selftest: Add refcount to mock_iommu_device For an iommu_dev that can unplug (so far only this selftest does so), the viommu->iommu_dev pointer has no guarantee of its life cycle after it is copied from the idev->dev->iommu->iommu_dev. Track the user count of the iommu_dev. Postpone the exit routine using a completion, if refcount is unbalanced. The refcount inc/dec will be added in the following patch. Link: https://patch.msgid.link/r/33f28d64841b497eebef11b49a571e03103c5d24.1730836219.git.nicolinc@nvidia.com Suggested-by: Jason Gunthorpe Reviewed-by: Kevin Tian Reviewed-by: Jason Gunthorpe Signed-off-by: Nicolin Chen Signed-off-by: Jason Gunthorpe commit 18f819901d53b8d1101d3227c87b0d623e9d78f6 Author: Nicolin Chen Date: Tue Nov 5 12:04:25 2024 -0800 iommufd/selftest: Prepare for mock_viommu_alloc_domain_nested() A nested domain now can be allocated for a parent domain or for a vIOMMU object. Rework the existing allocators to prepare for the latter case. Link: https://patch.msgid.link/r/f62894ad8ccae28a8a616845947fe4b76135d79b.1730836219.git.nicolinc@nvidia.com Reviewed-by: Kevin Tian Reviewed-by: Jason Gunthorpe Signed-off-by: Nicolin Chen Signed-off-by: Jason Gunthorpe commit fd6b853f50c868b03797e7ae87f1ed554aea01e4 Author: Nicolin Chen Date: Tue Nov 5 12:04:24 2024 -0800 iommufd/selftest: Add container_of helpers Use these inline helpers to shorten those container_of lines. Note that one of them goes back and forth between iommu_domain and mock_iommu_domain, which isn't necessary. So drop its container_of. Link: https://patch.msgid.link/r/518ec64dae2e814eb29fd9f170f58a3aad56c81c.1730836219.git.nicolinc@nvidia.com Reviewed-by: Kevin Tian Reviewed-by: Jason Gunthorpe Signed-off-by: Nicolin Chen Signed-off-by: Jason Gunthorpe commit 13a750180fc86d41695c8f64d8892412482a401d Author: Nicolin Chen Date: Tue Nov 5 12:04:23 2024 -0800 iommufd: Allow pt_id to carry viommu_id for IOMMU_HWPT_ALLOC Now a vIOMMU holds a shareable nesting parent HWPT. So, it can act like that nesting parent HWPT to allocate a nested HWPT. Support that in the IOMMU_HWPT_ALLOC ioctl handler, and update its kdoc. Also, add an iommufd_viommu_alloc_hwpt_nested helper to allocate a nested HWPT for a vIOMMU object. Since a vIOMMU object holds the parent hwpt's refcount already, increase the refcount of the vIOMMU only. Link: https://patch.msgid.link/r/a0f24f32bfada8b448d17587adcaedeeb50a67ed.1730836219.git.nicolinc@nvidia.com Reviewed-by: Kevin Tian Signed-off-by: Nicolin Chen Signed-off-by: Jason Gunthorpe commit 69d2689e57f5cb235c0609dd2f8fa10c1a832f87 Author: Nicolin Chen Date: Tue Nov 5 12:04:22 2024 -0800 iommufd: Add alloc_domain_nested op to iommufd_viommu_ops Allow IOMMU driver to use a vIOMMU object that holds a nesting parent hwpt/domain to allocate a nested domain. Link: https://patch.msgid.link/r/2dcdb5e405dc0deb68230564530d989d285d959c.1730836219.git.nicolinc@nvidia.com Suggested-by: Jason Gunthorpe Reviewed-by: Kevin Tian Reviewed-by: Jason Gunthorpe Signed-off-by: Nicolin Chen Signed-off-by: Jason Gunthorpe commit 4db97c21ed07a7d4081ed9820599fa36857083d6 Author: Nicolin Chen Date: Tue Nov 5 12:04:21 2024 -0800 iommufd/viommu: Add IOMMU_VIOMMU_ALLOC ioctl Add a new ioctl for user space to do a vIOMMU allocation. It must be based on a nesting parent HWPT, so take its refcount. IOMMU driver wanting to support vIOMMUs must define its IOMMU_VIOMMU_TYPE_ in the uAPI header and implement a viommu_alloc op in its iommu_ops. Link: https://patch.msgid.link/r/dc2b8ba9ac935007beff07c1761c31cd097ed780.1730836219.git.nicolinc@nvidia.com Reviewed-by: Jason Gunthorpe Reviewed-by: Kevin Tian Signed-off-by: Nicolin Chen Signed-off-by: Jason Gunthorpe commit d56d1e8405a9e154a30f4a055eb7ef55516b32b0 Author: Nicolin Chen Date: Tue Nov 5 12:04:20 2024 -0800 iommufd: Verify object in iommufd_object_finalize/abort() To support driver-allocated vIOMMU objects, it's required for IOMMU driver to call the provided iommufd_viommu_alloc helper to embed the core struct. However, there is no guarantee that every driver will call it and allocate objects properly. Make the iommufd_object_finalize/abort functions more robust to verify if the xarray slot indexed by the input obj->id is having an XA_ZERO_ENTRY, which is the reserved value stored by xa_alloc via iommufd_object_alloc. Link: https://patch.msgid.link/r/334bd4dde8e0a88eb30fa67eeef61827cdb546f9.1730836219.git.nicolinc@nvidia.com Suggested-by: Jason Gunthorpe Reviewed-by: Jason Gunthorpe Signed-off-by: Nicolin Chen Signed-off-by: Jason Gunthorpe commit 6b22d562fcd6e3d1cc1c265b0596840946d16a09 Author: Nicolin Chen Date: Tue Nov 5 12:04:19 2024 -0800 iommufd: Introduce IOMMUFD_OBJ_VIOMMU and its related struct Add a new IOMMUFD_OBJ_VIOMMU with an iommufd_viommu structure to represent a slice of physical IOMMU device passed to or shared with a user space VM. This slice, now a vIOMMU object, is a group of virtualization resources of a physical IOMMU's, such as: - Security namespace for guest owned ID, e.g. guest-controlled cache tags - Non-device-affiliated event reporting, e.g. invalidation queue errors - Access to a sharable nesting parent pagetable across physical IOMMUs - Virtualization of various platforms IDs, e.g. RIDs and others - Delivery of paravirtualized invalidation - Direct assigned invalidation queues - Direct assigned interrupts Add a new viommu_alloc op in iommu_ops, for drivers to allocate their own vIOMMU structures. And this allocation also needs a free(), so add struct iommufd_viommu_ops. To simplify a vIOMMU allocation, provide a iommufd_viommu_alloc() helper. It's suggested that a driver should embed a core-level viommu structure in its driver-level viommu struct and call the iommufd_viommu_alloc() helper, meanwhile the driver can also implement a viommu ops: struct my_driver_viommu { struct iommufd_viommu core; /* driver-owned properties/features */ .... }; static const struct iommufd_viommu_ops my_driver_viommu_ops = { .free = my_driver_viommu_free, /* future ops for virtualization features */ .... }; static struct iommufd_viommu my_driver_viommu_alloc(...) { struct my_driver_viommu *my_viommu = iommufd_viommu_alloc(ictx, my_driver_viommu, core, my_driver_viommu_ops); /* Init my_viommu and related HW feature */ .... return &my_viommu->core; } static struct iommu_domain_ops my_driver_domain_ops = { .... .viommu_alloc = my_driver_viommu_alloc, }; Link: https://patch.msgid.link/r/64685e2b79dea0f1dc56f6ede04809b72d578935.1730836219.git.nicolinc@nvidia.com Suggested-by: Jason Gunthorpe Reviewed-by: Kevin Tian Reviewed-by: Jason Gunthorpe Signed-off-by: Nicolin Chen Signed-off-by: Jason Gunthorpe commit 7d4f46c2372d5a850e28f63001013de50843b6e6 Author: Nicolin Chen Date: Tue Nov 5 12:04:18 2024 -0800 iommufd: Move _iommufd_object_alloc helper to a sharable file The following patch will add a new vIOMMU allocator that will require this _iommufd_object_alloc to be sharable with IOMMU drivers (and iommufd too). Add a new driver.c file that will be built with CONFIG_IOMMUFD_DRIVER_CORE selected by CONFIG_IOMMUFD, and put the CONFIG_DRIVER under that remaining to be selectable for drivers to build the existing iova_bitmap.c file. Link: https://patch.msgid.link/r/2f4f6e116dc49ffb67ff6c5e8a7a8e789ab9e98e.1730836219.git.nicolinc@nvidia.com Suggested-by: Jason Gunthorpe Reviewed-by: Jason Gunthorpe Signed-off-by: Nicolin Chen Signed-off-by: Jason Gunthorpe commit a3799717b881aa0f4e722afb70e7b8ba84ae4f36 Author: Nicolin Chen Date: Sun Nov 10 19:02:26 2024 -0800 iommu/tegra241-cmdqv: Fix alignment failure at max_n_shift When configuring a kernel with PAGE_SIZE=4KB, depending on its setting of CONFIG_CMA_ALIGNMENT, VCMDQ_LOG2SIZE_MAX=19 could fail the alignment test and trigger a WARN_ON: WARNING: at drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c:3646 Call trace: arm_smmu_init_one_queue+0x15c/0x210 tegra241_cmdqv_init_structures+0x114/0x338 arm_smmu_device_probe+0xb48/0x1d90 Fix it by capping max_n_shift to CMDQ_MAX_SZ_SHIFT as SMMUv3 CMDQ does. Fixes: 918eb5c856f6 ("iommu/arm-smmu-v3: Add in-kernel support for NVIDIA Tegra241 (Grace) CMDQV") Signed-off-by: Nicolin Chen Link: https://lore.kernel.org/r/20241111030226.1940737-1-nicolinc@nvidia.com Signed-off-by: Will Deacon commit 8ece9d248b851b97e1e0779caa2ca98df9bc41f7 Author: Andreas Kemnade Date: Mon Nov 11 11:27:01 2024 +0100 dt-bindings: mfd: bd71828: Use charger resistor in mOhm instead of MOhm Apparently there was some confusion regarding milliohm vs. megaohm. (m/M). Use microohms to be able to properly specify the charger resistor like other drivers do. This is not used yet by mainline code yet. Specify a current sense resistor in milliohms range rather then megaohms range in the examples. CC: sre@kernel.org Reported-by: Matti Vaittinen Closes: https://lore.kernel.org/imx/6dcd724a-a55c-4cba-a45b-21e76b1973b0@gmail.com/T/#mf590875a9f4d3955cd1041d7196ff0c65c0a7e9d Signed-off-by: Andreas Kemnade Reviewed-by: Matti Vaittinen Acked-by: Conor Dooley Reviewed-by: Sebastian Reichel Fixes: 1af5332fcf7c ("dt-bindings: mfd: Document ROHM BD71828 bindings") Link: https://lore.kernel.org/r/20241111102701.358133-1-andreas@kemnade.info Signed-off-by: Lee Jones commit 91a6533811bb81139c5a44d039b9b0a6af238bc8 Author: Mark Brown Date: Mon Nov 11 16:18:56 2024 +0000 kselftest/arm64: Try harder to generate different keys during PAC tests We very intermittently see failures in the single_thread_different_keys PAC test. As noted in the comment in the test the PAC field can be quite narrow so there is a chance of collisions even with different keys with a chance of 5% for 7 bit keys, and the potential for narrower keys. The test tries to avoid this by running repeatedly, but only tries 10 times which even with a 5% chance of collisions isn't enough. Increase the number of times we attempt to look for collisions by a factor of 100, this also affects other tests which are following a similar pattern with running the test repeatedly and either don't care like with pac_instruction_not_nop or potentially have the same issue like exec_sign_all. The PAC tests are very fast, running in a second or two even in emulation, so the 100x increased cost is mildly irritating but not a huge issue. The bulk of the overhead is in the exec_sign_all test which does a fork() and exec() per iteration. Signed-off-by: Mark Brown Link: https://lore.kernel.org/r/20241111-arm64-pac-test-collisions-v1-2-171875f37e44@kernel.org Signed-off-by: Catalin Marinas commit 27141b690547da5650a420f26ec369ba142a9ebb Author: Mark Brown Date: Mon Nov 11 16:18:55 2024 +0000 kselftest/arm64: Don't leak pipe fds in pac.exec_sign_all() The PAC exec_sign_all() test spawns some child processes, creating pipes to be stdin and stdout for the child. It cleans up most of the file descriptors that are created as part of this but neglects to clean up the parent end of the child stdin and stdout. Add the missing close() calls. Signed-off-by: Mark Brown Link: https://lore.kernel.org/r/20241111-arm64-pac-test-collisions-v1-1-171875f37e44@kernel.org Signed-off-by: Catalin Marinas commit f335e0157717490e99145313871db789e8f10bd9 Author: Marek Behún Date: Mon Nov 11 13:19:45 2024 +0100 platform: cznic: turris-omnia-mcu: Rename variable holding GPIO line names Rename the `omnia_mcu_gpio_templates` variable to `omnia_mcu_gpio_names`. The array contained templates for the names during the development of the driver, but the template prefix `gpio%u.` was dropped before the driver was merged, since this functionality was broken in gpiolib. Signed-off-by: Marek Behún Signed-off-by: Arnd Bergmann commit 372eb09cd98555eca6d912db9c678fa509b1dba0 Author: Marek Behún Date: Mon Nov 11 11:39:57 2024 +0100 platform: cznic: turris-omnia-mcu: Document the driver private data structure Add more comprehensive documentation for the driver private data structure, `struct omnia_mcu`. Signed-off-by: Marek Behún Signed-off-by: Arnd Bergmann commit 0efa0fcfe613d2e5ba745b9cf6daa9ba337cd14c Author: Marek Behún Date: Mon Nov 11 10:53:57 2024 +0100 firmware: turris-mox-rwtm: Document the driver private data structure Add more comprehensive documentation for the driver private data structure, `struct mox_rwtm`. Signed-off-by: Marek Behún Signed-off-by: Arnd Bergmann commit ffca677936ea87c0a5204b39761227da85403774 Merge: 7d6f7cfc34a2e3 a4c14f509509a6 Author: Arnd Bergmann Date: Tue Nov 12 16:01:09 2024 +0100 Merge tag 'ti-driver-soc-for-v6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/ti/linux into soc/drivers TI SoC driver updates for v6.13 - knav_qmss_queue: Cleanups around request_irq params and redundant code. - ti_sci: Power management ops in preperation for suspend/resume capability. Also includes dependency patch to export dev_pm_qos_read_value (acked by Rafael). * tag 'ti-driver-soc-for-v6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/ti/linux: firmware: ti_sci: Remove use of of_match_ptr() helper firmware: ti_sci: add CPU latency constraint management firmware: ti_sci: Introduce Power Management Ops firmware: ti_sci: Add system suspend and resume call firmware: ti_sci: Add support for querying the firmware caps PM: QoS: Export dev_pm_qos_read_value soc: ti: knav_qmss_queue: Drop redundant continue statement soc: ti: knav_qmss_queue: Use IRQF_NO_AUTOEN flag in request_irq() Link: https://lore.kernel.org/r/20241106121708.rso5wvc7wbhfi6xk@maverick Signed-off-by: Arnd Bergmann commit 7d6f7cfc34a2e38fc1c89f331c30d39e6dde4c18 Merge: ec72578ef9453f cf3e10cc0e88bb Author: Arnd Bergmann Date: Tue Nov 12 15:59:53 2024 +0100 Merge tag 'reset-for-v6.13' of git://git.pengutronix.de/pza/linux into soc/drivers Reset controller updates for v6.13 * Split the Amlogic reset-meson driver into platform and auxiliary bus drivers. Add support for the reset controller in the G12 and SM1 audio clock controllers. * Replace the list of boolean parameters to the internal reset_control_get functions with an enum reset_flags bitfield, to make the code more self-descriptive. * Add devres helpers to request pre-deasserted (and automatically re-asserting during cleanup) reset controls. This allows reducing boilerplate in drivers that deassert resets for the lifetime of a device. * Use the new auto-deasserting devres helpers in reset-uniphier-glue as an example. * Add support for the LAN966x PCI device in drivers/misc, as a dependency for the following reset-microchip-sparx5 patches. * Add support for being used on the LAN966x PCI device to the reset-microchip-sparx5 driver. Commit 86f134941a4b ("MAINTAINERS: Add the Microchip LAN966x PCI driver entry") introduces a trivial merge conflict with commit 7280f01e79cc ("net: lan969x: add match data for lan969x") from the net-next tree [1]. [1] https://lore.kernel.org/all/20241101122505.3eacd183@canb.auug.org.au/ * tag 'reset-for-v6.13' of git://git.pengutronix.de/pza/linux: (21 commits) misc: lan966x_pci: Fix dtc warn 'Missing interrupt-parent' misc: lan966x_pci: Fix dtc warns 'missing or empty reg/ranges property' reset: mchp: sparx5: set the dev member of the reset controller reset: mchp: sparx5: Allow building as a module reset: mchp: sparx5: Add MCHP_LAN966X_PCI dependency reset: mchp: sparx5: Map cpu-syscon locally in case of LAN966x MAINTAINERS: Add the Microchip LAN966x PCI driver entry misc: Add support for LAN966x PCI device reset: uniphier-glue: Use devm_reset_control_bulk_get_shared_deasserted() reset: Add devres helpers to request pre-deasserted reset controls reset: replace boolean parameters with flags parameter reset: amlogic: Fix small whitespace issue reset: amlogic: add auxiliary reset driver support reset: amlogic: split the device core and platform probe reset: amlogic: move drivers to a dedicated directory reset: amlogic: add reset status support reset: amlogic: use reset number instead of register count reset: amlogic: add driver parameters reset: amlogic: make parameters unsigned reset: amlogic: use generic data matching function ... Link: https://lore.kernel.org/r/20241105105229.3729474-1-p.zabel@pengutronix.de Signed-off-by: Arnd Bergmann commit ec72578ef9453f9352719b5d5d3b7c777ccb09c4 Merge: 1fac9f8b7d2840 109aa654f85c51 Author: Arnd Bergmann Date: Tue Nov 12 15:56:26 2024 +0100 Merge tag 'scmi-updates-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/sudeep.holla/linux into soc/drivers Arm SCMI updates for v6.13 Just couple of main additions: 1. Support for variable I/O width within ARM SCMI shared memory area. Some shared memory areas might only support a certain access width, such as 32-bit, which memcpy_{from,to}_io() does not adhere to at least on ARM64 by making both 8-bit and 64-bit accesses to such memory. This support updates the shmem layer to support reading from and writing to such shared memory area using the specified I/O width in the Device Tree. The various transport layers making use of the shmem.c code are updated accordingly to pass the I/O accessors that they store. The device tree bindings are also updated for the same. 2. Extension of SCMI transport bindings to add more properties SCMI transports are characterized by a number of properties. The values assumed by some of them tightly depend on the choices taken at design time and on the overall archiecture of the specific platform: things like timeouts, maximum message size and number of in-flight messages are closely tied to the architecture of the platform like number of SCMI agents on the system, physical memory available to the SCMI platform and so on. Such details are not discoverable as they are outside the scope of the SCMI protocol specification. Currently such properties are simple default values defined at build time, but the increasing number and variety of platforms using SCMI with a wide range of designs has increased the need to have a way to describe such properties across all these platforms. Apart from the above two, there is one NULL pointer dereference fix for very age old SCPI protocol driver which seems to be still in use on few platforms. * tag 'scmi-updates-6.13' of https://git.kernel.org/pub/scm/linux/kernel/git/sudeep.holla/linux: firmware: arm_scpi: Check the DVFS OPP count returned by the firmware firmware: arm_scmi: Relocate atomic_threshold to scmi_desc firmware: arm_scmi: Use max_msg and max_msg_size devicetree properties dt-bindings: firmware: arm,scmi: Introduce more transport properties firmware: arm_scmi: Calculate virtio PDU max size dynamically firmware: arm_scmi: Account for SHMEM memory overhead firmware: arm_scmi: Support 'reg-io-width' property for shared memory dt-bindings: sram: Document reg-io-width property firmware: arm_scmi: Use vendor string in max-rx-timeout-ms dt-bindings: firmware: arm,scmi: Add missing vendor string firmware: arm_scmi: Reject clear channel request on A2P firmware: arm_scmi: Fix slab-use-after-free in scmi_bus_notifier() Link: https://lore.kernel.org/r/20241106110727.4007489-1-sudeep.holla@arm.com Signed-off-by: Arnd Bergmann commit 1fac9f8b7d28402c5f29173f06a784cd3b561e38 Author: Uwe Kleine-König Date: Tue Nov 12 09:35:19 2024 +0100 bus: Switch back to struct platform_driver::remove() After commit 0edb555a65d1 ("platform: Make platform_driver::remove() return void") .remove() is (again) the right callback to implement for platform drivers. Convert all platform drivers below drivers/bus to use .remove(), with the eventual goal to drop struct platform_driver::remove_new(). As .remove() and .remove_new() have the same prototypes, conversion is done by just changing the structure member name in the driver initializer. Signed-off-by: Uwe Kleine-König Signed-off-by: Arnd Bergmann commit c0139f6cbb1fc6438509467ec0455a200cc49a43 Author: Mark Brown Date: Wed Nov 6 17:41:32 2024 +0000 arm64/ptrace: Clarify documentation of VL configuration via ptrace When we configure SVE, SSVE or ZA via ptrace we allow the user to configure the vector length and specify any of the flags that are accepted when configuring via prctl(). This includes the S[VM]E_SET_VL_ONEXEC flag which defers the configuration of the VL until an exec(). We don't do anything to limit the provision of register data as part of configuring the _ONEXEC VL but as a function of the VL enumeration support we do this will be interpreted using the vector length currently configured for the process. This is all a bit surprising, and probably we should just not have allowed register data to be specified with _ONEXEC, but it's our ABI so let's add some explicit documentation in both the ABI documents and the source calling out what happens. The comments are also missing the fact that since SME does not have a mandatory 128 bit VL it is possible for VL enumeration to result in the configuration of a higher VL than was requested, cover that too. Signed-off-by: Mark Brown Link: https://lore.kernel.org/r/20241106-arm64-sve-ptrace-vl-set-v1-1-3b164e8b559c@kernel.org Signed-off-by: Catalin Marinas commit 3e360ef0c0a1fb6ce9a302e40b8057c41ba8a9d2 Author: Mark Brown Date: Thu Nov 7 01:39:22 2024 +0000 kselftest/arm64: Corrupt P0 in the irritator when testing SSVE When building for streaming SVE the irritator for SVE skips updates of both P0 and FFR. While FFR is skipped since it might not be present there is no reason to skip corrupting P0 so switch to an instruction valid in streaming mode and move the ifdef. Signed-off-by: Mark Brown Link: https://lore.kernel.org/r/20241107-arm64-fp-stress-irritator-v2-3-c4b9622e36ee@kernel.org Signed-off-by: Catalin Marinas commit 56131e6d1fcce8e7359a2445711cc1a4ddb8325c Author: Chris Packham Date: Wed Nov 6 13:18:34 2024 +1300 mips: dts: realtek: Add I2C controllers Add the I2C controllers that are part of the RTL9300 SoC. Signed-off-by: Chris Packham Signed-off-by: Thomas Bogendoerfer commit 5ec37be43fe73c21b4b52c4d7f9c400221bdbacf Author: Chris Packham Date: Wed Nov 6 13:18:33 2024 +1300 mips: dts: realtek: Add syscon-reboot node The board level reset on systems using the RTL9302 can be driven via the switch. Use a syscon-reboot node to represent this. Signed-off-by: Chris Packham Signed-off-by: Thomas Bogendoerfer commit f67a922230e898dc7f399cf14489e513224d6c4b Author: WangYuli Date: Sun Nov 3 21:00:05 2024 +0800 MIPS: loongson3_defconfig: Enable blk_dev_nvme by default A significant number of 3A4000 machines come with NVMe drives pre-installed, so we should support it in its defconfig. Tested-by: Erpeng Xu Tested-by: Qiang Ma Signed-off-by: WangYuli Signed-off-by: Thomas Bogendoerfer commit 5cf28d2595a301863b60b880fd45359d28fa7d73 Author: WangYuli Date: Sun Nov 3 21:00:04 2024 +0800 MIPS: loongson3_defconfig: Update configs dependencies Due to long-term changes in kernel build configurations, run 'make savedefconfig' to update the build configuration dependencies. This commit does not affect the actual .config file content, in preparation for future modifications to loongson3_defconfig. Signed-off-by: WangYuli Signed-off-by: Thomas Bogendoerfer commit f95382d73ec8bfee2b4a00b2ac4aa4530f7c4af3 Author: Min-Hua Chen Date: Wed Sep 18 07:38:24 2024 +0800 acpi/arm64: remove unnecessary cast DEFINE_RES_IRQ returns struct resource type, so it is unnecessary to cast it to struct resource. Remove the unnecessary cast to fix the following sparse warnings: drivers/acpi/arm64/gtdt.c:355:19: sparse: warning: cast to non-scalar drivers/acpi/arm64/gtdt.c:355:19: sparse: warning: cast from non-scalar No functional changes intended. Signed-off-by: Min-Hua Chen Acked-by: Hanjun Guo Reviewed-by: Hanjun Guo Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20240917233827.73167-1-minhuadotchen@gmail.com Signed-off-by: Catalin Marinas commit 9ba89806da16341fb04f0a4fbd01162f78537d54 Author: Maciej W. Rozycki Date: Tue Nov 12 13:47:25 2024 +0000 MAINTAINERS: Remove linux-mips.org references The linux-mips.org site has gone down and no replacement is available at the moment. Remove/update references in MAINTAINERS accordingly. There are a bunch of Kconfig references still present; keep them around for a possible future update or for people to refer to via archive.org. Signed-off-by: Maciej W. Rozycki Signed-off-by: Thomas Bogendoerfer commit 495cc28f8e6b53968c2b990bc185458f5855999f Author: Maciej W. Rozycki Date: Tue Nov 12 13:47:21 2024 +0000 MAINTAINERS: Retire Ralf Baechle Ralf Baechle has been inactive for years now and the linux-mips.org site has gone down. No replacement contact information is available. Thomas has been kind enough to step up as a maintainer for EDAC-CAVIUM OCTEON and IOC3 ETHERNET DRIVER. Update MAINTAINERS, CREDITS, and .get_maintainer.ignore accordingly. Signed-off-by: Maciej W. Rozycki Acked-by: Thomas Bogendoerfer Signed-off-by: Thomas Bogendoerfer commit 131a975aba393cc81dc86687e55412137c520dec Author: Stanislav Jakubek Date: Mon Nov 4 09:48:21 2024 +0100 dt-bindings: mfd: sprd,sc2731: Convert to YAML Convert the Spreadtrum SC27xx PMIC bindings to DT schema. Adjust the filename to match the compatible of the only in-tree user, SC2731. Change #interrupt-cells value to 1, as according to [1] that is the correct value. Move partial examples of child nodes in the child node schemas to this new MFD schema to have one complete example. [1] https://lore.kernel.org/lkml/b6a32917d1e231277d240a4084bebb6ad91247e3.1550060544.git.baolin.wang@linaro.org/ Signed-off-by: Stanislav Jakubek Reviewed-by: Rob Herring (Arm) Acked-by: Sebastian Reichel Acked-by: Alexandre Belloni Acked-by: Jonathan Cameron Link: https://lore.kernel.org/r/efd200c3b5b75405e4e450d064b026f10ae2f8e0.1730709384.git.stano.jakubek@gmail.com Signed-off-by: Lee Jones commit 74b4630e3f3a658c039e2f9aab9e5e58d52b9f1b Author: zhang jiao Date: Tue Nov 12 09:56:08 2024 +0800 TC: Fix the wrong format specifier The format specifier of "unsigned int" in pr_info() should be "%u", not "%d". Signed-off-by: zhang jiao Acked-by: Maciej W. Rozycki Signed-off-by: Thomas Bogendoerfer commit 0d3f073975ad28bd16034ed81b8e525e808cbe37 Author: Gregor Herburger Date: Mon Nov 11 15:10:32 2024 +0100 mfd: tqmx86: Add I2C IRQ support The i2c-ocores controller can run in interrupt mode on tqmx86 modules. Add a module parameter to allow configuring the IRQ number, similar to the handling of the GPIO IRQ. The new code and module parameter refer to the I2C controller as "I2C1", as the TQMx86 PLD actually contains a second I2C controller, for which driver support will be added in the future. Signed-off-by: Gregor Herburger Signed-off-by: Matthias Schiffer Link: https://lore.kernel.org/r/c1b0769e00a8a4e463cffe725e939b0e5c2992c8.1731325758.git.matthias.schiffer@ew.tq-group.com Signed-off-by: Lee Jones commit 1f86faeb8b4bfeaa001a6c24141cdfc98093e9db Author: Matthias Schiffer Date: Mon Nov 11 15:10:31 2024 +0100 mfd: tqmx86: Make IRQ setup errors non-fatal GPIO IRQ setup can fail either because an invalid IRQ was passed as a parameter, or because the GPIO controller does not support interrupts. Neither is severe enough to stop the whole probe; simply disable IRQ support in the GPIO resource when setup fails. The code is made a bit more robust by introduing an enum for the resource list indices instead of assuming that the IRQ is at index 0. Signed-off-by: Matthias Schiffer Link: https://lore.kernel.org/r/2b5522362098d54c6203be6da95bbc545a21fd49.1731325758.git.matthias.schiffer@ew.tq-group.com Signed-off-by: Lee Jones commit b58bbbd7c599eab4861cc68a13440f5ad4679dba Author: Matthias Schiffer Date: Mon Nov 11 15:10:30 2024 +0100 mfd: tqmx86: Refactor GPIO IRQ setup Move IRQ setup into a helper function. The string "GPIO" for error messages is replaced with a label argument to prepare for reusing the function for the I2C IRQ. No functional change intended. Co-developed-by: Gregor Herburger Signed-off-by: Gregor Herburger Signed-off-by: Matthias Schiffer Link: https://lore.kernel.org/r/97f481334f480a113b7076e76f994e0e73ee5aa5.1731325758.git.matthias.schiffer@ew.tq-group.com Signed-off-by: Lee Jones commit aaac6067d7749bba6401fe3d76fc554de8338f36 Author: Matthias Schiffer Date: Mon Nov 11 15:10:29 2024 +0100 mfd: tqmx86: Improve gpio_irq module parameter description Clarify that "7, 9, 12" refers to the valid arguments that can be passed as gpio_irq. Signed-off-by: Matthias Schiffer Link: https://lore.kernel.org/r/3275f436b66f6807c02256bc852d39b03ebd64d5.1731325758.git.matthias.schiffer@ew.tq-group.com Signed-off-by: Lee Jones commit 97f0db59525f7e82113404ea4bf79c435ad53365 Author: Matthias Schiffer Date: Mon Nov 11 15:10:28 2024 +0100 mfd: tqmx86: Add board definitions for TQMx120UC, TQMx130UC and TQMxE41S This adds support for 3 new TQMx86 COMs: - TQMx120UC/TQMx130UC: COM Express Compact Type 6 modules with 12th and 13th Generation Intel Core CPUs ([1, 2]) - TQMxE41S: SMARC 2.1 module with Intel Atom x7000E and compatible CPUs [3] [1] https://www.tq-group.com/en/products/tq-embedded/x86-architecture/tqmx120uc/ [2] https://www.tq-group.com/en/products/tq-embedded/x86-architecture/tqmx130uc/ [3] https://www.tq-group.com/en/products/tq-embedded/x86-architecture/tqmxe41s/ Signed-off-by: Matthias Schiffer Link: https://lore.kernel.org/r/90ddebda96d29246992b58ae0231a511f6424211.1731325758.git.matthias.schiffer@ew.tq-group.com Signed-off-by: Lee Jones commit c4a0a4a45a45e0f189d5cead19f3b2fd295a1346 Author: Thorsten Blum Date: Tue Nov 5 18:38:36 2024 +0100 MIPS: kernel: proc: Use str_yes_no() helper function Remove hard-coded strings by using the str_yes_no() helper function. Signed-off-by: Thorsten Blum Reviewed-by: Maciej W. Rozycki Signed-off-by: Thomas Bogendoerfer commit de7fb8d3a2c913e36d78d762e9fbdd754d8dc749 Author: Anshuman Khandual Date: Mon Nov 11 13:22:49 2024 +0530 arm64/mm: Change protval as 'pteval_t' in map_range() pgprot_t has been defined as an encapsulated structure with pteval_t as its element. Hence it is prudent to use pteval_t as the type instead of via the size based u64. Besides pteval_t type might be different size later on with FEAT_D128. Cc: Will Deacon Cc: Ard Biesheuvel Cc: Ryan Roberts Cc: Mark Rutland Cc: linux-arm-kernel@lists.infradead.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Anshuman Khandual Reviewed-by: Gavin Shan Link: https://lore.kernel.org/r/20241111075249.609493-1-anshuman.khandual@arm.com Signed-off-by: Catalin Marinas commit 768b1f87098a4a586353898b074989808b1b27ad Author: Paul E. McKenney Date: Tue Oct 15 09:11:12 2024 -0700 srcu: Improve srcu_read_lock_lite() kernel-doc comment Where RCU is watching is where it is OK to invoke rcu_read_lock(). Reported-by: Andrii Nakryiko Signed-off-by: Paul E. McKenney Acked-by: Andrii Nakryiko Reviewed-by: Neeraj Upadhyay Signed-off-by: Frederic Weisbecker commit 156d87b679a565a166da4a7ce892cb87f6317faf Author: Karel Balej Date: Sat Oct 12 21:31:38 2024 +0200 mfd: 88pm886: Add the RTC cell Add a MFD cell for the chip's Real-Time Clock (RTC). Signed-off-by: Karel Balej Link: https://lore.kernel.org/r/20241012193345.18594-1-balejk@matfyz.cz Signed-off-by: Lee Jones commit 6a2c0255e8a0fea7439bf395eb290f5734e3d345 Author: Paul E. McKenney Date: Mon Oct 28 17:25:12 2024 -0700 refscale: Add srcu_read_lock_lite() support using "srcu-lite" This commit creates a new srcu-lite option for the refscale.scale_type module parameter that selects srcu_read_lock_lite() and srcu_read_unlock_lite(). [ paulmck: Apply Dan Carpenter feedback. ] Signed-off-by: Paul E. McKenney Cc: Alexei Starovoitov Cc: Andrii Nakryiko Cc: Peter Zijlstra Cc: Kent Overstreet Cc: Reviewed-by: Neeraj Upadhyay Signed-off-by: Frederic Weisbecker commit 930d4e1344f16e20c9d9ffc3f8888ac78dfd5659 Author: Paul E. McKenney Date: Tue Oct 15 09:11:10 2024 -0700 rcutorture: Add light-weight SRCU scenario This commit adds an rcutorture scenario that tests light-weight SRCU readers. While in the area, it adjusts the size of the TREE10 scenario. Signed-off-by: Paul E. McKenney Cc: Alexei Starovoitov Cc: Andrii Nakryiko Cc: Peter Zijlstra Cc: Kent Overstreet Cc: Reviewed-by: Neeraj Upadhyay Signed-off-by: Frederic Weisbecker commit 43349fc4d8098d8679e7b142841a9661c623ed3a Author: Paul E. McKenney Date: Tue Oct 15 09:11:09 2024 -0700 rcutorture: Add srcu_read_lock_lite() support to rcutorture.reader_flavor This commit causes bit 0x4 of rcutorture.reader_flavor to select the new srcu_read_lock_lite() and srcu_read_unlock_lite() functions. Signed-off-by: Paul E. McKenney Cc: Alexei Starovoitov Cc: Andrii Nakryiko Cc: Peter Zijlstra Cc: Kent Overstreet Cc: Reviewed-by: Neeraj Upadhyay Signed-off-by: Frederic Weisbecker commit 95a5de21541d9eb0cf4983f9ffe8b7140db66ef3 Author: Paul E. McKenney Date: Tue Oct 15 09:11:08 2024 -0700 rcutorture: Add reader_flavor parameter for SRCU readers This commit adds an rcutorture.reader_flavor parameter whose bits correspond to reader flavors. For example, SRCU's readers are 0x1 for normal and 0x2 for NMI-safe. Signed-off-by: Paul E. McKenney Cc: Alexei Starovoitov Cc: Andrii Nakryiko Cc: Peter Zijlstra Cc: Kent Overstreet Cc: Reviewed-by: Neeraj Upadhyay Signed-off-by: Frederic Weisbecker commit 37a1decb43f381d5b8f5d4a64608d916949dd9ee Author: Paul E. McKenney Date: Tue Oct 15 09:11:07 2024 -0700 rcutorture: Expand RCUTORTURE_RDR_MASK_[12] to eight bits This commit prepares for testing of multiple SRCU reader flavors by expanding RCUTORTURE_RDR_MASK_1 and RCUTORTURE_RDR_MASK_2 from a single bit to eight bits, allowing them to accommodate the return values from multiple calls to srcu_read_lock*(). This will in turn permit better testing coverage for these SRCU reader flavors, including testing of the diagnostics for inproper use of mixed reader flavors. Signed-off-by: Paul E. McKenney Cc: Alexei Starovoitov Cc: Andrii Nakryiko Cc: Peter Zijlstra Cc: Kent Overstreet Cc: Reviewed-by: Neeraj Upadhyay Signed-off-by: Frederic Weisbecker commit bb94b12e4503bdce003a74e95ee4214eba923f86 Author: Paul E. McKenney Date: Tue Oct 15 09:11:06 2024 -0700 srcu: Allow inlining of __srcu_read_{,un}lock_lite() This commit moves __srcu_read_lock_lite() and __srcu_read_unlock_lite() into include/linux/srcu.h and marks them "static inline" so that they can be inlined into srcu_read_lock_lite() and srcu_read_unlock_lite(), respectively. They are not hand-inlined due to Tree SRCU and Tiny SRCU having different implementations. The earlier removal of smp_mb() combined with the inlining produce significant single-percentage performance wins. Link: https://lore.kernel.org/all/CAEf4BzYgiNmSb=ZKQ65tm6nJDi1UX2Gq26cdHSH1mPwXJYZj5g@mail.gmail.com/ Reported-by: Alexei Starovoitov Signed-off-by: Paul E. McKenney Cc: Alexei Starovoitov Cc: Andrii Nakryiko Cc: Peter Zijlstra Cc: Kent Overstreet Cc: Reviewed-by: Neeraj Upadhyay Signed-off-by: Frederic Weisbecker commit 6364dd8191d27230176ac4b1b4daaecaf4807399 Author: Paul E. McKenney Date: Tue Oct 15 09:11:05 2024 -0700 srcu: Add srcu_read_lock_lite() and srcu_read_unlock_lite() This patch adds srcu_read_lock_lite() and srcu_read_unlock_lite(), which dispense with the read-side smp_mb() but also are restricted to code regions that RCU is watching. If a given srcu_struct structure uses srcu_read_lock_lite() and srcu_read_unlock_lite(), it is not permitted to use any other SRCU read-side marker, before, during, or after. Another price of light-weight readers is heavier weight grace periods. Such readers mean that SRCU grace periods on srcu_struct structures used by light-weight readers will incur at least two calls to synchronize_rcu(). In addition, normal SRCU grace periods for light-weight-reader srcu_struct structures never auto-expedite. Note that expedited SRCU grace periods for light-weight-reader srcu_struct structures still invoke synchronize_rcu(), not synchronize_srcu_expedited(). Something about wishing to keep the IPIs down to a dull roar. The srcu_read_lock_lite() and srcu_read_unlock_lite() functions may not (repeat, *not*) be used from NMI handlers, but if this is needed, an additional flavor of SRCU reader can be added by some future commit. [ paulmck: Apply Alexei Starovoitov expediting feedback. ] [ paulmck: Apply kernel test robot feedback. ] Signed-off-by: Paul E. McKenney Tested-by: kernel test robot Cc: Alexei Starovoitov Cc: Andrii Nakryiko Cc: Peter Zijlstra Cc: Kent Overstreet Cc: Reviewed-by: Neeraj Upadhyay Signed-off-by: Frederic Weisbecker commit 05829be27fe6f64e0675dc3be3a12d43b52492e1 Author: Paul E. McKenney Date: Tue Oct 15 09:11:04 2024 -0700 srcu: Create CPP macros for normal and NMI-safe SRCU readers This commit creates SRCU_READ_FLAVOR_NORMAL and SRCU_READ_FLAVOR_NMI C-preprocessor macros for srcu_read_lock() and srcu_read_lock_nmisafe(), respectively. These replace the old true/false values that were previously passed to srcu_check_read_flavor(). In addition, the srcu_check_read_flavor() function itself requires a bit of rework to handle bitmasks instead of true/false values. Signed-off-by: Paul E. McKenney Cc: Alexei Starovoitov Cc: Andrii Nakryiko Cc: Peter Zijlstra Cc: Kent Overstreet Cc: Signed-off-by: Paul E. McKenney Reviewed-by: Neeraj Upadhyay Signed-off-by: Frederic Weisbecker commit c071b8e5351453c2cb2d12f425d928f3a24ed2d3 Author: Paul E. McKenney Date: Tue Oct 15 09:11:03 2024 -0700 srcu: Improve srcu_read_lock{,_nmisafe}() comments This commit adds some additional usage constraints to the kernel-doc headers of srcu_read_lock() and srcu_read_lock_nmi_safe(). Suggested-by: Andrii Nakryiko Signed-off-by: Paul E. McKenney Reviewed-by: Neeraj Upadhyay Signed-off-by: Frederic Weisbecker commit 9a87bda2b6881de10fb5791cade3719663b8d660 Author: Paul E. McKenney Date: Tue Oct 15 09:11:02 2024 -0700 srcu: Standardize srcu_data pointers to "sdp" and similar This commit changes a few "cpuc" variables to "sdp" to align with usage elsewhere. [ paulmck: Apply Neeraj Upadhyay feedback. ] Signed-off-by: Paul E. McKenney Cc: Alexei Starovoitov Cc: Andrii Nakryiko Cc: Peter Zijlstra Cc: Kent Overstreet Cc: Reviewed-by: Neeraj Upadhyay Signed-off-by: Frederic Weisbecker commit c2f9467c77941cae5a41aa10c06ff0d5b00f69f9 Author: Paul E. McKenney Date: Tue Oct 15 09:11:01 2024 -0700 srcu: Bit manipulation changes for additional reader flavor Currently, there are only two flavors of readers, normal and NMI-safe. Very straightforward state updates suffice to check for erroneous mixing of reader flavors on a given srcu_struct structure. This commit upgrades the checking in preparation for the addition of light-weight (as in memory-barrier-free) readers. Signed-off-by: Paul E. McKenney Cc: Alexei Starovoitov Cc: Andrii Nakryiko Cc: Peter Zijlstra Cc: Kent Overstreet Cc: Reviewed-by: Neeraj Upadhyay Signed-off-by: Frederic Weisbecker commit 365f34483be33a9d0151c06ac39627d7927210d9 Author: Paul E. McKenney Date: Tue Oct 15 09:11:00 2024 -0700 srcu: Renaming in preparation for additional reader flavor Currently, there are only two flavors of readers, normal and NMI-safe. A number of fields, functions, and types reflect this restriction. This renaming-only commit prepares for the addition of light-weight (as in memory-barrier-free) readers. OK, OK, there is also a drive-by white-space fixeup! Signed-off-by: Paul E. McKenney Cc: Alexei Starovoitov Cc: Andrii Nakryiko Cc: Peter Zijlstra Cc: Kent Overstreet Cc: Reviewed-by: Neeraj Upadhyay Signed-off-by: Frederic Weisbecker commit 016d659e62ad9ddda1b6899468d0d0798ed71a4d Author: Catalin Marinas Date: Tue Nov 12 14:35:05 2024 +0000 kselftest/arm64: Fix missing printf() argument in gcs/gcs-stress.c Compiling the child_cleanup() function results in: gcs-stress.c: In function ‘child_cleanup’: gcs-stress.c:266:75: warning: format ‘%d’ expects a matching ‘int’ argument [-Wformat=] 266 | ksft_print_msg("%s: Exited due to signal %d\n", | ~^ | | | int Add the missing child->exit_signal argument. Fixes: 05e6cfff58c4 ("kselftest/arm64: Add a GCS stress test") Signed-off-by: Catalin Marinas commit e8501858035b1f95468da525e7357c8c33811b88 Author: Zhu Jun Date: Sun Nov 10 22:58:09 2024 -0800 leds: ss4200: Fix the wrong format specifier for 'blinking' The format specifier of "signed int" in sprintf() should be "%d", not "%u". Signed-off-by: Zhu Jun Link: https://lore.kernel.org/r/20241111065809.3814-1-zhujun2@cmss.chinamobile.com Signed-off-by: Lee Jones commit 22193c586b43ee88d66954395885742a6e4a49a9 Author: Miguel Ojeda Date: Mon Nov 11 23:08:05 2024 +0100 samples: rust: fix `rust_print` build making it a combined module The `rust_print` module, when built as a module, fails to build with: ERROR: modpost: missing MODULE_LICENSE() in samples/rust/rust_print_events.o ERROR: modpost: "__tracepoint_rust_sample_loaded" [samples/rust/rust_print.ko] undefined! ERROR: modpost: "rust_do_trace_rust_sample_loaded" [samples/rust/rust_print.ko] undefined! Fix it by building it as a combined one. Cc: Masami Hiramatsu Cc: Alex Gaynor Cc: Mark Rutland Cc: Boqun Feng Cc: Gary Guo Cc: Björn Roy Baron Cc: Benno Lossin Cc: Andreas Hindborg Cc: Alice Ryhl Cc: Trevor Gross Cc: "Linux Next Mailing List" Link: https://lore.kernel.org/20241111220805.708889-1-ojeda@kernel.org Reported-by: Stephen Rothwell Closes: https://lore.kernel.org/all/20241108152149.28459a72@canb.auug.org.au/ Fixes: 91d39024e1b0 ("rust: samples: add tracepoint to Rust sample") Signed-off-by: Miguel Ojeda Signed-off-by: Steven Rostedt (Google) commit a012d430a4f29bf76810b019b5d34cb88b29e7eb Author: Yiting Deng Date: Tue Nov 12 11:10:16 2024 +0800 MAINTAINERS: Add an entry for Amlogic RTC driver Add Amlogic RTC entry to MAINTAINERS to clarify the maintainers. Signed-off-by: Yiting Deng Signed-off-by: Xianwei Zhao Link: https://lore.kernel.org/r/20241112-rtc-v6-3-a71b60d2f354@amlogic.com Signed-off-by: Alexandre Belloni commit c89ac9182ee297597f1c6971045382bae19c3f9d Author: Yiting Deng Date: Tue Nov 12 11:10:15 2024 +0800 rtc: support for the Amlogic on-chip RTC This is the third amlogic driver. The RTC hardware of A4 SoC is different from the previous one. This RTC hardware includes a timing function and an alarm function. But the existing has only timing function, alarm function is using the system clock to implement a virtual alarm. Add the RTC driver to support it. Signed-off-by: Yiting Deng Signed-off-by: Xianwei Zhao Link: https://lore.kernel.org/r/20241112-rtc-v6-2-a71b60d2f354@amlogic.com Signed-off-by: Alexandre Belloni commit ce57cf7319e5315637349c02b50a51b2d2efba89 Author: Yiting Deng Date: Tue Nov 12 11:10:14 2024 +0800 dt-bindings: rtc: Add Amlogic A4 and A5 RTC Add documentation describing the Amlogic A4(A113L2) and A5(A113X2) RTC. Signed-off-by: Yiting Deng Reviewed-by: Krzysztof Kozlowski Signed-off-by: Xianwei Zhao Link: https://lore.kernel.org/r/20241112-rtc-v6-1-a71b60d2f354@amlogic.com Signed-off-by: Alexandre Belloni commit 2f681ba4b352cdd5658ed2a96062375a12839755 Author: Benjamin Berg Date: Mon Nov 11 11:29:10 2024 +0100 um: move thread info into task This selects the THREAD_INFO_IN_TASK option for UM and changes the way that the current task is discovered. This is trivial though, as UML already tracks the current task in cpu_tasks[] and this can be used to retrieve it. Also remove the signal handler code that copies the thread information into the IRQ stack. It is obsolete now, which also means that the mentioned race condition cannot happen anymore. Signed-off-by: Benjamin Berg Reviewed-by: Hajime Tazaki Link: https://patch.msgid.link/20241111102910.46512-1-benjamin@sipsolutions.net Signed-off-by: Johannes Berg commit 8182a8b39aa227f5b99b8d4d18f296b82ce4b94c Author: Christoph Hellwig Date: Tue Nov 12 06:43:55 2024 +0100 writeback: wbc_attach_fdatawrite_inode out of line This allows exporting this high-level interface only while keeping wbc_attach_and_unlock_inode private in fs-writeback.c and unexporting __inode_attach_wb. Signed-off-by: Christoph Hellwig Link: https://lore.kernel.org/r/20241112054403.1470586-3-hch@lst.de Reviewed-by: Jan Kara Signed-off-by: Christian Brauner commit 4d7485cff59951c83aa2b6891b24d68b76d86f6f Author: Christoph Hellwig Date: Tue Nov 12 06:43:54 2024 +0100 writeback: add a __releases annoation to wbc_attach_and_unlock_inode This shuts up a sparse lock context tracking warning. Signed-off-by: Christoph Hellwig Link: https://lore.kernel.org/r/20241112054403.1470586-2-hch@lst.de Reviewed-by: Jan Kara Signed-off-by: Christian Brauner commit ed9d95f691c29748f21bc019de9566b698fdfab7 Author: Jeff Layton Date: Mon Nov 11 10:09:56 2024 -0500 fs: add the ability for statmount() to report the fs_subtype /proc/self/mountinfo prints out the sb->s_subtype after the type. This is particularly useful for disambiguating FUSE mounts (at least when the userland driver bothers to set it). Add STATMOUNT_FS_SUBTYPE and claim one of the __spare2 fields to point to the offset into the str[] array. Reviewed-by: Jan Kara Reviewed-by: Ian Kent Signed-off-by: Jeff Layton Link: https://lore.kernel.org/r/20241111-statmount-v4-2-2eaf35d07a80@kernel.org Acked-by: Miklos Szeredi Signed-off-by: Christian Brauner commit 75ead69a717332efa70303fba85e1876793c74a9 Author: Jeff Layton Date: Mon Nov 11 10:09:55 2024 -0500 fs: don't let statmount return empty strings When one of the statmount_string() handlers doesn't emit anything to seq, the kernel currently sets the corresponding flag and emits an empty string. Given that statmount() returns a mask of accessible fields, just leave the bit unset in this case, and skip any NULL termination. If nothing was emitted to the seq, then the EOVERFLOW and EAGAIN cases aren't applicable and the function can just return immediately. Signed-off-by: Jeff Layton Link: https://lore.kernel.org/r/20241111-statmount-v4-1-2eaf35d07a80@kernel.org Acked-by: Miklos Szeredi Reviewed-by: Jan Kara Signed-off-by: Christian Brauner commit c4d7d90747f4e8b528c8cd0a2d9ac01dc4a9339e Author: Mohammed Anees Date: Tue Nov 12 17:08:34 2024 +0530 fs:aio: Remove TODO comment suggesting hash or array usage in io_cancel() The comment suggests a hash or array approach to store the active requests. Currently it iterates through all the active requests and when found deletes the requested request, in the linked list. However io_cancel() isn’t a frequently used operation, and optimizing it wouldn’t bring a substantial benefit to real users and the increased complexity of maintaining a hashtable for this would be significant and will slow down other operation. Therefore remove this TODO to avoid people spending time improving this. Signed-off-by: Mohammed Anees Link: https://lore.kernel.org/r/20241112113906.15825-1-pvmohammedanees2003@gmail.com Reviewed-by: Jan Kara Signed-off-by: Christian Brauner commit 1c82587cb57687de3f18ab4b98a8850c789bedcf Author: Thadeu Lima de Souza Cascardo Date: Thu Nov 7 08:41:09 2024 -0300 hfsplus: don't query the device logical block size multiple times Devices block sizes may change. One of these cases is a loop device by using ioctl LOOP_SET_BLOCK_SIZE. While this may cause other issues like IO being rejected, in the case of hfsplus, it will allocate a block by using that size and potentially write out-of-bounds when hfsplus_read_wrapper calls hfsplus_submit_bio and the latter function reads a different io_size. Using a new min_io_size initally set to sb_min_blocksize works for the purposes of the original fix, since it will be set to the max between HFSPLUS_SECTOR_SIZE and the first seen logical block size. We still use the max between HFSPLUS_SECTOR_SIZE and min_io_size in case the latter is not initialized. Tested by mounting an hfsplus filesystem with loop block sizes 512, 1024 and 4096. The produced KASAN report before the fix looks like this: [ 419.944641] ================================================================== [ 419.945655] BUG: KASAN: slab-use-after-free in hfsplus_read_wrapper+0x659/0xa0a [ 419.946703] Read of size 2 at addr ffff88800721fc00 by task repro/10678 [ 419.947612] [ 419.947846] CPU: 0 UID: 0 PID: 10678 Comm: repro Not tainted 6.12.0-rc5-00008-gdf56e0f2f3ca #84 [ 419.949007] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 [ 419.950035] Call Trace: [ 419.950384] [ 419.950676] dump_stack_lvl+0x57/0x78 [ 419.951212] ? hfsplus_read_wrapper+0x659/0xa0a [ 419.951830] print_report+0x14c/0x49e [ 419.952361] ? __virt_addr_valid+0x267/0x278 [ 419.952979] ? kmem_cache_debug_flags+0xc/0x1d [ 419.953561] ? hfsplus_read_wrapper+0x659/0xa0a [ 419.954231] kasan_report+0x89/0xb0 [ 419.954748] ? hfsplus_read_wrapper+0x659/0xa0a [ 419.955367] hfsplus_read_wrapper+0x659/0xa0a [ 419.955948] ? __pfx_hfsplus_read_wrapper+0x10/0x10 [ 419.956618] ? do_raw_spin_unlock+0x59/0x1a9 [ 419.957214] ? _raw_spin_unlock+0x1a/0x2e [ 419.957772] hfsplus_fill_super+0x348/0x1590 [ 419.958355] ? hlock_class+0x4c/0x109 [ 419.958867] ? __pfx_hfsplus_fill_super+0x10/0x10 [ 419.959499] ? __pfx_string+0x10/0x10 [ 419.960006] ? lock_acquire+0x3e2/0x454 [ 419.960532] ? bdev_name.constprop.0+0xce/0x243 [ 419.961129] ? __pfx_bdev_name.constprop.0+0x10/0x10 [ 419.961799] ? pointer+0x3f0/0x62f [ 419.962277] ? __pfx_pointer+0x10/0x10 [ 419.962761] ? vsnprintf+0x6c4/0xfba [ 419.963178] ? __pfx_vsnprintf+0x10/0x10 [ 419.963621] ? setup_bdev_super+0x376/0x3b3 [ 419.964029] ? snprintf+0x9d/0xd2 [ 419.964344] ? __pfx_snprintf+0x10/0x10 [ 419.964675] ? lock_acquired+0x45c/0x5e9 [ 419.965016] ? set_blocksize+0x139/0x1c1 [ 419.965381] ? sb_set_blocksize+0x6d/0xae [ 419.965742] ? __pfx_hfsplus_fill_super+0x10/0x10 [ 419.966179] mount_bdev+0x12f/0x1bf [ 419.966512] ? __pfx_mount_bdev+0x10/0x10 [ 419.966886] ? vfs_parse_fs_string+0xce/0x111 [ 419.967293] ? __pfx_vfs_parse_fs_string+0x10/0x10 [ 419.967702] ? __pfx_hfsplus_mount+0x10/0x10 [ 419.968073] legacy_get_tree+0x104/0x178 [ 419.968414] vfs_get_tree+0x86/0x296 [ 419.968751] path_mount+0xba3/0xd0b [ 419.969157] ? __pfx_path_mount+0x10/0x10 [ 419.969594] ? kmem_cache_free+0x1e2/0x260 [ 419.970311] do_mount+0x99/0xe0 [ 419.970630] ? __pfx_do_mount+0x10/0x10 [ 419.971008] __do_sys_mount+0x199/0x1c9 [ 419.971397] do_syscall_64+0xd0/0x135 [ 419.971761] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 419.972233] RIP: 0033:0x7c3cb812972e [ 419.972564] Code: 48 8b 0d f5 46 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d c2 46 0d 00 f7 d8 64 89 01 48 [ 419.974371] RSP: 002b:00007ffe30632548 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 419.975048] RAX: ffffffffffffffda RBX: 00007ffe306328d8 RCX: 00007c3cb812972e [ 419.975701] RDX: 0000000020000000 RSI: 0000000020000c80 RDI: 00007ffe306325d0 [ 419.976363] RBP: 00007ffe30632720 R08: 00007ffe30632610 R09: 0000000000000000 [ 419.977034] R10: 0000000000200008 R11: 0000000000000286 R12: 0000000000000000 [ 419.977713] R13: 00007ffe306328e8 R14: 00005a0eb298bc68 R15: 00007c3cb8356000 [ 419.978375] [ 419.978589] Fixes: 6596528e391a ("hfsplus: ensure bio requests are not smaller than the hardware sectors") Signed-off-by: Thadeu Lima de Souza Cascardo Link: https://lore.kernel.org/r/20241107114109.839253-1-cascardo@igalia.com Signed-off-by: Christian Brauner commit 7dbd26d0b22d69d36ab3e76ee7f152482a19cbed Author: Mark Brown Date: Tue Nov 12 13:08:16 2024 +0000 kselftest/arm64: Add FPMR coverage to fp-ptrace Add coverage for FPMR to fp-ptrace. FPMR can be available independently of SVE and SME, if SME is supported then FPMR is cleared by entering and exiting streaming mode. As with other registers we generate random values to load into the register, we restrict these to bitfields which are always defined. We also leave bitfields where the valid values are affected by the set of supported FP8 formats zero to reduce complexity, it is unlikely that specific bitfields will be affected by ptrace issues. Signed-off-by: Mark Brown Link: https://lore.kernel.org/r/20241112-arm64-fp-ptrace-fpmr-v2-3-250b57c61254@kernel.org [catalin.marinas@arm.com: use REG_FPMR instead of FPMR] Signed-off-by: Catalin Marinas commit 7e9c5b00009a625cc304c865192978c01c0cc077 Author: Mark Brown Date: Tue Nov 12 13:08:15 2024 +0000 kselftest/arm64: Expand the set of ZA writes fp-ptrace does Currently our test for implementable ZA writes is written in a bit of a convoluted fashion which excludes all changes where we clear SVCR.SM even though we can actually support that since changing the vector length resets SVCR. Make the logic more direct, enabling us to actually run these cases. Signed-off-by: Mark Brown Link: https://lore.kernel.org/r/20241112-arm64-fp-ptrace-fpmr-v2-2-250b57c61254@kernel.org Signed-off-by: Catalin Marinas commit c0350076c13eac4f1d7f7ab6acd43bb252baef7a Author: Mark Brown Date: Tue Nov 12 13:08:14 2024 +0000 kselftets/arm64: Use flag bits for features in fp-ptrace assembler code The assembler portions of fp-ptrace are passed feature flags by the C code indicating which architectural features are supported. Currently these use an entire register for each flag which is wasteful and gets cumbersome as new flags are added. Switch to using flag bits in a single register to make things easier to maintain. No functional change. Signed-off-by: Mark Brown Link: https://lore.kernel.org/r/20241112-arm64-fp-ptrace-fpmr-v2-1-250b57c61254@kernel.org Signed-off-by: Catalin Marinas commit c297aa7d3fb6755890b78b483e82c9cf07370d50 Author: Mark Brown Date: Mon Nov 11 18:32:58 2024 +0000 kselftest/arm64: Enable build of PAC tests with LLVM=1 Currently we don't build the PAC selftests when building with LLVM=1 since we attempt to test for PAC support in the toolchain before we've set up the build system to point at LLVM in lib.mk, which has to be one of the last things in the Makefile. Since all versions of LLVM supported for use with the kernel have PAC support we can just sidestep the issue by just assuming PAC is there when doing a LLVM=1 build. Signed-off-by: Mark Brown Link: https://lore.kernel.org/r/20241111-arm64-selftest-pac-clang-v1-1-08599ceee418@kernel.org Signed-off-by: Catalin Marinas commit 116e50d6474e82579086c0397d2fa3999815f29e Author: Mark Brown Date: Wed Nov 6 17:07:51 2024 +0000 kselftest/arm64: Check that SVCR is 0 in signal handlers We don't currently validate that we exit streaming mode and clear ZA when we enter a signal handler. Add simple checks for this in the SSVE and ZA tests. Signed-off-by: Mark Brown Link: https://lore.kernel.org/r/20241106-arm64-fpmr-signal-test-v1-1-31fa34ce58fe@kernel.org [catalin.marinas@arm.com: Use %lx in fprintf() as uint64_t seems to be unsigned long in glibc] Signed-off-by: Catalin Marinas commit b1e7828cf9343e1da6c575f3ebaa0f511d8b8cbd Author: zhang jiao Date: Tue Nov 12 16:16:37 2024 +0800 spi: Delete useless checks Since "res" will never be null, just delete this check. Signed-off-by: zhang jiao Link: https://patch.msgid.link/20241112081637.40962-1-zhangjiao2@cmss.chinamobile.com Signed-off-by: Mark Brown commit 1b55354745e276db38268f23865eb2c4eba5f59b Author: Uwe Kleine-König Date: Tue Nov 12 09:35:21 2024 +0100 regulator: Switch back to struct platform_driver::remove() After commit 0edb555a65d1 ("platform: Make platform_driver::remove() return void") .remove() is (again) the right callback to implement for platform drivers. Convert all platform drivers below drivers/regulator to use .remove(), with the eventual goal to drop struct platform_driver::remove_new(). As .remove() and .remove_new() have the same prototypes, conversion is done by just changing the structure member name in the driver initializer. A few whitespace changes are done en passant to make indention consistent. Signed-off-by: Uwe Kleine-König Link: https://patch.msgid.link/ab85510f83fa901e44d5d563fe6e768054229bfe.1731398433.git.u.kleine-koenig@baylibre.com Signed-off-by: Mark Brown commit add2332795a648b62fd52356001287c015a59e80 Author: Kuninori Morimoto Date: Tue Nov 12 02:39:44 2024 +0000 ASoC: simple-card-utils: care simple_util_dai for dummy DAI Simple Card Utils has simple_util_dai which is paired to snd_soc_dai, and assmus that CPU/Codec DAI and its paired simple_util_dai are same order for CPU/Codec simple_util_dai[0] <--> snd_soc_dai[0] simple_util_dai[1] <--> snd_soc_dai[1] ... So, it is using same index in for_each loop. (X) gets simple_util_dai (Y) gets snd_soc_dai (Y) for_each_rtd_cpu_dais(.., i, ..) { (X)(A) udai = simple_props_to_dai_cpu(.., i); } (X) for_each_prop_dai_cpu(.., i, ...) { (Y) dai = snd_soc_rtd_to_cpu(.., i); ... } But current Simple Card Utils didn't have simple_util_dai for dummy DAI. So above (A) will get NULL pointer in such case. This patch cares simple_util_dai for dummy DAI. Signed-off-by: Kuninori Morimoto Link: https://patch.msgid.link/87msi5maz3.wl-kuninori.morimoto.gx@renesas.com Signed-off-by: Mark Brown commit c853e96308c58f9a06fcf393bcfe0eabdb72ca9c Author: John Watts Date: Tue Nov 12 21:34:00 2024 +1100 ASoC: test-component: Support continuous rates for test component There's no reason to limit the supported rates of the test component to specific ones as if it's a real piece of hardware. Set the rates to continuous to aid in testing different rates. Signed-off-by: John Watts Link: https://patch.msgid.link/20241112-alsa_test_rates-v1-1-95cf529db871@jookia.org Signed-off-by: Mark Brown commit 182c02a6cd5f7947c403ba2321e262fb0aeaabfc Author: Masahiro Yamada Date: Mon Nov 11 22:45:54 2024 +0900 s390/syscalls: Convert filechk to if_changed The filechk macro always executes the syscalltbl script (and discards the output if there are no changes). Using if_changed is more efficient because it avoids running the script when the target is up-to-date and the command remains unchanged. All other architectures use if_changed for generating syscall headers. Signed-off-by: Masahiro Yamada Link: https://lore.kernel.org/r/20241111134603.2063226-3-masahiroy@kernel.org Signed-off-by: Heiko Carstens commit e17aca2005087ff501dd9e8f187627f91751c7d3 Author: Masahiro Yamada Date: Mon Nov 11 22:45:53 2024 +0900 s390/syscalls: Remove unnecessary argument of filechk_syshdr The filechk_syshdr macro receives $@ in both cases, making the argument redundant. Signed-off-by: Masahiro Yamada Link: https://lore.kernel.org/r/20241111134603.2063226-2-masahiroy@kernel.org Signed-off-by: Heiko Carstens commit 0708967e2d56e370231fd07defa0d69f9ad125e8 Author: Masahiro Yamada Date: Mon Nov 11 22:45:52 2024 +0900 s390/syscalls: Avoid creation of arch/arch/ directory Building the kernel with ARCH=s390 creates a weird arch/arch/ directory. $ find arch/arch arch/arch arch/arch/s390 arch/arch/s390/include arch/arch/s390/include/generated arch/arch/s390/include/generated/asm arch/arch/s390/include/generated/uapi arch/arch/s390/include/generated/uapi/asm The root cause is 'targets' in arch/s390/kernel/syscalls/Makefile, where the relative path is incorrect. Strictly speaking, 'targets' was not necessary in the first place because this Makefile uses 'filechk' instead of 'if_changed'. However, this commit keeps it, as it will be useful when converting 'filechk' to 'if_changed' later. Fixes: 5c75824d915e ("s390/syscalls: add Makefile to generate system call header files") Signed-off-by: Masahiro Yamada Link: https://lore.kernel.org/r/20241111134603.2063226-1-masahiroy@kernel.org Signed-off-by: Heiko Carstens commit 42898f74b28ca2b795823bb665ad6780ab43a013 Author: Heiko Carstens Date: Wed Nov 6 11:03:18 2024 +0100 s390/perf_cpum_cf: Convert to use local64_try_cmpxchg() Convert local64_cmpxchg() usages to local64_try_cmpxchg() in order to generate slightly better code. Reviewed-by: Juergen Christ Signed-off-by: Heiko Carstens commit e449399ffd295a1202b74a258227193454ef333f Author: Heiko Carstens Date: Wed Nov 6 11:03:17 2024 +0100 s390/perf_cpum_sf: Convert to use try_cmpxchg128() Convert cmpxchg128() usages to try_cmpxchg128() in order to generate slightly better code. Reviewed-by: Juergen Christ Signed-off-by: Heiko Carstens commit b59f103d3726c35c8715512a5e3451ad778c127c Author: Heiko Carstens Date: Wed Nov 6 11:03:16 2024 +0100 s390/atomic: Remove __atomic_cmpxchg() variants With users converted to the standard arch_cmpxchg() variants, remove the now unused __atomic_cmpxchg() and __atomic_cmpxchg_bool() variants. Reviewed-by: Juergen Christ Signed-off-by: Heiko Carstens commit d5fd93629af76748751ff583d35039e5834eeb47 Author: Heiko Carstens Date: Wed Nov 6 11:03:15 2024 +0100 s390/locking: Use arch_try_cmpxchg() instead of __atomic_cmpxchg_bool() Use arch_try_cmpxchg() instead of __atomic_cmpxchg_bool() everywhere. This generates the same code like before, but uses the standard cmpxchg() implementation instead of a custom __atomic_cmpxchg_bool(). Reviewed-by: Juergen Christ Signed-off-by: Heiko Carstens commit 75a98ed6faa03656811922cd383994fa7c300259 Author: Heiko Carstens Date: Wed Nov 6 11:03:14 2024 +0100 s390/preempt: Use arch_try_cmpxchg() instead of __atomic_cmpxchg() Use arch_try_cmpxchg() instead of __atomic_cmpxchg() in preempt_count_set() to generate similar or better code, depending in compiler features. Reviewed-by: Juergen Christ Signed-off-by: Heiko Carstens commit 5ba865ad579c6a7efc8f17dab760478a4c5eec66 Author: Heiko Carstens Date: Wed Nov 6 11:03:13 2024 +0100 s390/atomic: Provide arch_atomic_try_cmpxchg() Since gcc 14 flag output operands are supported also for s390. Provide an arch_atomic try_cmpxchg() implementation so that all existing atomic_try_cmpxchg() usages generate slightly better code, if compiled with gcc 14 or newer. Reviewed-by: Juergen Christ Signed-off-by: Heiko Carstens commit f99d670e31b960562fcd34587e9f824b6f05a144 Author: Heiko Carstens Date: Wed Nov 6 11:03:12 2024 +0100 s390/cmpxchg: Use arch_cmpxchg() instead of __atomic_cmpxchg() Use arch_cmpxchg() instead of __atomic_cmpxchg() for the arch_atomic_cmpxchg() implementations. arch_cmpxchg() generates the same code and doesn't need a cast like it is required for arch_atomic64_cmpxchg(). Reviewed-by: Juergen Christ Signed-off-by: Heiko Carstens commit ffc5eac2cda81eec85b75338212d3098f7daef49 Author: Heiko Carstens Date: Wed Nov 6 11:03:11 2024 +0100 s390/atomic: Convert arch_atomic_xchg() to C function Convert the arch_atomic_xchg define to a C function so that proper type checking is provided. Reviewed-by: Juergen Christ Signed-off-by: Heiko Carstens commit c76b3bc28577b1be5ce8042d573e833f133d459a Author: Heiko Carstens Date: Wed Nov 6 11:03:10 2024 +0100 s390/cmpxchg: Provide arch_try_cmpxchg128() Since gcc 14 flag output operands are supported also for s390. Provide an arch_try_cmpxchg128() implementation so that all existing try_cmpxchg128() variants provide slightly better code, if compiled with gcc 14 or newer. Reviewed-by: Juergen Christ Signed-off-by: Heiko Carstens commit de9e2eb89175dd1ad469514f4a710fffe01efd86 Author: Heiko Carstens Date: Wed Nov 6 11:03:09 2024 +0100 s390/cmpxchg: Provide arch_cmpxchg128_local() Just like x86 and arm64 provide a trivial arch_cmpxchg128_local() implementation by mapping it to arch_cmpxchg128(). Reviewed-by: Juergen Christ Signed-off-by: Heiko Carstens commit 0e7d3baa71165a3fbf26206d69355eda0a1d993b Author: Heiko Carstens Date: Wed Nov 6 11:03:08 2024 +0100 s390/cmpxchg: Implement arch_xchg() with arch_try_cmpxchg() Get rid of the arch_xchg() inline assemblies by converting the inline assemblies to C functions which make use of arch_try_cmpxchg(). With flag output operand support the generated code is at least as good as the previous version. Without it is slightly worse, however getting rid of all the inline assembly code is worth it. Signed-off-by: Heiko Carstens commit 0b6de9aec285d24d49a918d52915ed231b2d9e87 Author: Heiko Carstens Date: Wed Nov 6 11:03:07 2024 +0100 s390/cmpxchg: Provide arch_try_cmpxchg() Since gcc 14 flag output operands are supported also for s390. Provide an arch_try_cmpxchg() implementation so that all existing try_cmpxchg() variants provide slightly better code, if compiled with gcc 14 or newer. Reviewed-by: Juergen Christ Signed-off-by: Heiko Carstens commit c8603d692857a43e6f8b7b5eccab1d9aec48bd12 Author: Heiko Carstens Date: Wed Nov 6 11:03:06 2024 +0100 s390/cmpxchg: Convert one and two byte case inline assemblies to C Rewrite __cmpxchg() in order to get rid of the large inline assemblies. Convert the one and two byte inline assemblies to C functions. The generated code of the new implementation is nearly as good or bad as the old variant, but easier to read. Note that the new variants are quite close to the generic cmpxchg_emu_u8() implementation, however a conversion to the generic variant will not follow since with mm/vmstat.c there is heavy user of one byte cmpxchg(). A not inlined variant would have a negative performance impact. Also note that the calls within __arch_cmpxchg() come with rather pointless "& 0xff..." operations. They exist only to avoid false positive sparse warnings like "warning: cast truncates bits from constant value ...". Reviewed-by: Juergen Christ Signed-off-by: Heiko Carstens commit 01bfb451a3e9b7005d626964588d89b699749147 Author: Alexander Egorenkov Date: Tue Nov 5 09:08:22 2024 +0100 s390/dump: Add firmware sysfs attribute for dump area size Dump tools from s390-tools such as zipl need to know the correct dump area size of the machine they run on in order to be able to create valid standalone dumper images. Therefore, allow it to be obtained through the new sysfs read-only attribute /sys/firmware/dump/dump_area_size. Suggested-by: Heiko Carstens Suggested-by: Peter Oberparleiter Signed-off-by: Alexander Egorenkov Reviewed-by: Peter Oberparleiter Signed-off-by: