[Deepin-Kernel-SIG] [linux 6.18.y] [Upstream] Update kernel base to 6.18.7#1494
Merged
opsiff merged 200 commits intodeepin-community:linux-6.18.yfrom Feb 10, 2026
Merged
Conversation
This reverts commit 71c1c1f. Link: deepin-community#1471 Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit ff3f9913bc0749364fbfd86ea62ba2d31c6136c8 upstream.
mu_resource_id is referenced in imx_scu_irq_get_status() and
imx_scu_irq_group_enable() which could be used by other modules, so
need to set correct value before using imx_sc_irq_ipc_handle in
SCU API call.
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Fixes: 81fb53feb66a ("firmware: imx: scu-irq: Init workqueue before request mbox channel")
Cc: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 58796d352d74669eacc4715e0901949e9e66f770)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit d7f1b4bdc7108be1b178e1617b5f45c8918e88d7 upstream.
The return value calculation was incorrect: `return len - buf_size;`
Initially `len = buf_size`, then `len` decreases with each operation.
This results in a negative return value on success.
Fix by returning `buf_size - len` which correctly calculates the actual
number of bytes written.
Fixes: a976d790f494 ("efi/cper: Add a new helper function to print bitmasks")
Signed-off-by: Morduan Zang <zhangdandan@uniontech.com>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit a2542fe353a40b9b03bffdcedc64107ac9322aab)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 7d3fa7e954934fbda0a017ac1c305b7b10ecceef upstream. After discussion with the devicetree maintainers we agreed to not extend lists with the generic compatible "apple,nvme-ans2" anymore [1]. Add "apple,t8103-nvme-ans2" as fallback compatible as it is the SoC the driver and bindings were written for. [1]: https://lore.kernel.org/asahi/12ab93b7-1fc2-4ce0-926e-c8141cfe81bf@kernel.org/ Cc: stable@vger.kernel.org # v6.18+ Fixes: 5bd2927 ("nvme-apple: Add initial Apple SoC NVMe driver") Reviewed-by: Neal Gompa <neal@gompa.dev> Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Janne Grunau <j@jannau.net> Signed-off-by: Keith Busch <kbusch@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit a685f246ad7909b4e24938d570ba5eaad81abfbd) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 469d71512d135907bf5ea0972dfab8c420f57848 upstream.
This reverts commit 8a157e0a0aa5143b5d94201508c0ca1bb8cfb941.
That commit incorrectly assumed that the bio_chain() arguments were
swapped in gfs2. However, gfs2 intentionally constructs bio chains so
that the first bio's bi_end_io callback is invoked when all bios in the
chain have completed, unlike bio chains where the last bio's callback is
invoked.
Fixes: 8a157e0a0aa5 ("gfs2: Fix use of bio_chain")
Cc: stable@vger.kernel.org
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit c6a38672067b9332eb6946f7cd04784b2ec9ac9a)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit b45f721775947a84996deb5c661602254ce25ce6 upstream. When loading guest XSAVE state via KVM_SET_XSAVE, and when updating XFD in response to a guest WRMSR, clear XFD-disabled features in the saved (or to be restored) XSTATE_BV to ensure KVM doesn't attempt to load state for features that are disabled via the guest's XFD. Because the kernel executes XRSTOR with the guest's XFD, saving XSTATE_BV[i]=1 with XFD[i]=1 will cause XRSTOR to #NM and panic the kernel. E.g. if fpu_update_guest_xfd() sets XFD without clearing XSTATE_BV: ------------[ cut here ]------------ WARNING: arch/x86/kernel/traps.c:1524 at exc_device_not_available+0x101/0x110, CPU#29: amx_test/848 Modules linked in: kvm_intel kvm irqbypass CPU: 29 UID: 1000 PID: 848 Comm: amx_test Not tainted 6.19.0-rc2-ffa07f7fd437-x86_amx_nm_xfd_non_init-vm deepin-community#171 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:exc_device_not_available+0x101/0x110 Call Trace: <TASK> asm_exc_device_not_available+0x1a/0x20 RIP: 0010:restore_fpregs_from_fpstate+0x36/0x90 switch_fpu_return+0x4a/0xb0 kvm_arch_vcpu_ioctl_run+0x1245/0x1e40 [kvm] kvm_vcpu_ioctl+0x2c3/0x8f0 [kvm] __x64_sys_ioctl+0x8f/0xd0 do_syscall_64+0x62/0x940 entry_SYSCALL_64_after_hwframe+0x4b/0x53 </TASK> ---[ end trace 0000000000000000 ]--- This can happen if the guest executes WRMSR(MSR_IA32_XFD) to set XFD[18] = 1, and a host IRQ triggers kernel_fpu_begin() prior to the vmexit handler's call to fpu_update_guest_xfd(). and if userspace stuffs XSTATE_BV[i]=1 via KVM_SET_XSAVE: ------------[ cut here ]------------ WARNING: arch/x86/kernel/traps.c:1524 at exc_device_not_available+0x101/0x110, CPU#14: amx_test/867 Modules linked in: kvm_intel kvm irqbypass CPU: 14 UID: 1000 PID: 867 Comm: amx_test Not tainted 6.19.0-rc2-2dace9faccd6-x86_amx_nm_xfd_non_init-vm deepin-community#168 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:exc_device_not_available+0x101/0x110 Call Trace: <TASK> asm_exc_device_not_available+0x1a/0x20 RIP: 0010:restore_fpregs_from_fpstate+0x36/0x90 fpu_swap_kvm_fpstate+0x6b/0x120 kvm_load_guest_fpu+0x30/0x80 [kvm] kvm_arch_vcpu_ioctl_run+0x85/0x1e40 [kvm] kvm_vcpu_ioctl+0x2c3/0x8f0 [kvm] __x64_sys_ioctl+0x8f/0xd0 do_syscall_64+0x62/0x940 entry_SYSCALL_64_after_hwframe+0x4b/0x53 </TASK> ---[ end trace 0000000000000000 ]--- The new behavior is consistent with the AMX architecture. Per Intel's SDM, XSAVE saves XSTATE_BV as '0' for components that are disabled via XFD (and non-compacted XSAVE saves the initial configuration of the state component): If XSAVE, XSAVEC, XSAVEOPT, or XSAVES is saving the state component i, the instruction does not generate #NM when XCR0[i] = IA32_XFD[i] = 1; instead, it operates as if XINUSE[i] = 0 (and the state component was in its initial state): it saves bit i of XSTATE_BV field of the XSAVE header as 0; in addition, XSAVE saves the initial configuration of the state component (the other instructions do not save state component i). Alternatively, KVM could always do XRSTOR with XFD=0, e.g. by using a constant XFD based on the set of enabled features when XSAVEing for a struct fpu_guest. However, having XSTATE_BV[i]=1 for XFD-disabled features can only happen in the above interrupt case, or in similar scenarios involving preemption on preemptible kernels, because fpu_swap_kvm_fpstate()'s call to save_fpregs_to_fpstate() saves the outgoing FPU state with the current XFD; and that is (on all but the first WRMSR to XFD) the guest XFD. Therefore, XFD can only go out of sync with XSTATE_BV in the above interrupt case, or in similar scenarios involving preemption on preemptible kernels, and it we can consider it (de facto) part of KVM ABI that KVM_GET_XSAVE returns XSTATE_BV[i]=0 for XFD-disabled features. Reported-by: Paolo Bonzini <pbonzini@redhat.com> Cc: stable@vger.kernel.org Fixes: 820a6ee ("kvm: x86: Add emulation for IA32_XFD", 2022-01-14) Signed-off-by: Sean Christopherson <seanjc@google.com> [Move clearing of XSTATE_BV from fpu_copy_uabi_to_guest_fpstate to kvm_vcpu_ioctl_x86_set_xsave. - Paolo] Reviewed-by: Binbin Wu <binbin.wu@linux.intel.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit eea6f395ca502c4528314c8112da9b5d65f685eb) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 6a069876eb1402478900ee0eb7d7fe276bb1f4e3 upstream. On 32-bit ARM, you may encounter linker errors such as this one: ld.lld: error: undefined symbol: _find_next_zero_bit >>> referenced by rust_binder_main.43196037ba7bcee1-cgu.0 >>> drivers/android/binder/rust_binder_main.o:(<rust_binder_main::process::Process>::insert_or_update_handle) in archive vmlinux.a >>> referenced by rust_binder_main.43196037ba7bcee1-cgu.0 >>> drivers/android/binder/rust_binder_main.o:(<rust_binder_main::process::Process>::insert_or_update_handle) in archive vmlinux.a This error occurs because even though the functions are declared by include/linux/find.h, the definition is #ifdef'd out on 32-bit ARM. This is because arch/arm/include/asm/bitops.h contains: #define find_first_zero_bit(p,sz) _find_first_zero_bit_le(p,sz) #define find_next_zero_bit(p,sz,off) _find_next_zero_bit_le(p,sz,off) #define find_first_bit(p,sz) _find_first_bit_le(p,sz) #define find_next_bit(p,sz,off) _find_next_bit_le(p,sz,off) And the underscore-prefixed function is conditional on #ifndef of the non-underscore-prefixed name, but the declaration in find.h is *not* conditional on that #ifndef. To fix the linker error, we ensure that the symbols in question exist when compiling Rust code. We do this by defining them in rust/helpers/ whenever the normal definition is #ifndef'd out. Note that these helpers are somewhat unusual in that they do not have the rust_helper_ prefix that most helpers have. Adding the rust_helper_ prefix does not compile, as 'bindings::_find_next_zero_bit()' will result in a call to a symbol called _find_next_zero_bit as defined by include/linux/find.h rather than a symbol with the rust_helper_ prefix. This is because when a symbol is present in both include/ and rust/helpers/, the one from include/ wins under the assumption that the current configuration is one where that helper is unnecessary. This heuristic fails for _find_next_zero_bit() because the header file always declares it even if the symbol does not exist. The functions still use the __rust_helper annotation. This lets the wrapper function be inlined into Rust code even if full kernel LTO is not used once the patch series for that feature lands. Yury: arches are free to implement they own find_bit() functions. Most rely on generic implementation, but arm32 and m86k - not; so they require custom handling. Alice confirmed it fixes the build for both. Cc: stable@vger.kernel.org Fixes: 6cf93a9 ("rust: add bindings for bitops.h") Reported-by: Andreas Hindborg <a.hindborg@kernel.org> Closes: https://rust-for-linux.zulipchat.com/#narrow/channel/x/topic/x/near/561677301 Tested-by: Andreas Hindborg <a.hindborg@kernel.org> Reviewed-by: Dirk Behme <dirk.behme@de.bosch.com> Signed-off-by: Alice Ryhl <aliceryhl@google.com> Signed-off-by: Yury Norov (NVIDIA) <yury.norov@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 6711f723018ccdf231be9b6c49ba2d6ebbb3a4e5) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 120f3e6ff76209ee2f62a64e5e7e9d70274df42b upstream. The soundwire update_status() callback may be called multiple times with the same ATTACHED status but initialisation should only be done when transitioning from UNATTACHED to ATTACHED. Fix the inverted hw_init flag which was set to false instead of true after initialisation which defeats its purpose and may result in repeated unnecessary initialisation. Similarly, the initial state of the flag was also inverted so that the codec would only be initialised and brought out of regmap cache only mode if its status first transitions to UNATTACHED. Fixes: aa21a7d ("ASoC: codecs: wsa884x: Add WSA884x family of speakers") Cc: stable@vger.kernel.org # 6.5 Cc: Krzysztof Kozlowski <krzk@kernel.org> Signed-off-by: Johan Hovold <johan@kernel.org> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com> Tested-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com> Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com> Link: https://patch.msgid.link/20260102111413.9605-4-johan@kernel.org Signed-off-by: Mark Brown <broonie@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit afd7591a4ca92f2853eebe8668a64019e97003c2) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 49aadf830eb048134d33ad7329d92ecff45d8dbb upstream. The soundwire update_status() callback may be called multiple times with the same ATTACHED status but initialisation should only be done when transitioning from UNATTACHED to ATTACHED. This avoids repeated initialisation of the codecs during boot of machines like the Lenovo ThinkPad X13s: [ 11.614523] wsa883x-codec sdw:1:0:0217:0202:00:1: WSA883X Version 1_1, Variant: WSA8835_V2 [ 11.618022] wsa883x-codec sdw:1:0:0217:0202:00:1: WSA883X Version 1_1, Variant: WSA8835_V2 [ 11.621377] wsa883x-codec sdw:1:0:0217:0202:00:1: WSA883X Version 1_1, Variant: WSA8835_V2 [ 11.624065] wsa883x-codec sdw:1:0:0217:0202:00:1: WSA883X Version 1_1, Variant: WSA8835_V2 [ 11.631382] wsa883x-codec sdw:1:0:0217:0202:00:2: WSA883X Version 1_1, Variant: WSA8835_V2 [ 11.634424] wsa883x-codec sdw:1:0:0217:0202:00:2: WSA883X Version 1_1, Variant: WSA8835_V2 Fixes: 43b8c7d ("ASoC: codecs: add wsa883x amplifier support") Cc: stable@vger.kernel.org # 6.0 Cc: Srinivas Kandagatla <srini@kernel.org> Signed-off-by: Johan Hovold <johan@kernel.org> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com> Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com> Link: https://patch.msgid.link/20260102111413.9605-2-johan@kernel.org Signed-off-by: Mark Brown <broonie@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 67dfd9e8567cc4a1063013bdd14f45ead6ab3297) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit dc2d5ddb193e363187bae2ad358245642d2721fb upstream. On disconnect drm_atomic_helper_disable_all() is called which sets both the fb and crtc for a plane to NULL before invoking a commit. This causes a kernel oops on every display disconnect. Add guards for those dereferences. Cc: <stable@vger.kernel.org> # 6.18.x Fixes: 73cfd16 ("drm/gud: Replace simple display pipe with DRM atomic helpers") Signed-off-by: Shenghao Yang <me@shenghaoyang.info> Reviewed-by: Ruben Wauters <rubenru09@aol.com> Signed-off-by: Ruben Wauters <rubenru09@aol.com> Link: https://patch.msgid.link/20251231055039.44266-1-me@shenghaoyang.info Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit a255ec07f91d4c73a361a28b7a3d82f5710245f1) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 4156c3745f06bc197094b9ee97a9584e69ed00bf upstream.
Use the new TRAILING_OVERLAP() helper to fix a misalignment bug
along with the following warning:
drivers/net/virtio_net.c:429:46: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end]
This helper creates a union between a flexible-array member (FAM)
and a set of members that would otherwise follow it (in this case
`u8 rss_hash_key_data[VIRTIO_NET_RSS_MAX_KEY_SIZE];`). This
overlays the trailing members (rss_hash_key_data) onto the FAM
(hash_key_data) while keeping the FAM and the start of MEMBERS aligned.
The static_assert() ensures this alignment remains.
Notice that due to tail padding in flexible `struct
virtio_net_rss_config_trailer`, `rss_trailer.hash_key_data`
(at offset 83 in struct virtnet_info) and `rss_hash_key_data` (at
offset 84 in struct virtnet_info) are misaligned by one byte. See
below:
struct virtio_net_rss_config_trailer {
__le16 max_tx_vq; /* 0 2 */
__u8 hash_key_length; /* 2 1 */
__u8 hash_key_data[]; /* 3 0 */
/* size: 4, cachelines: 1, members: 3 */
/* padding: 1 */
/* last cacheline: 4 bytes */
};
struct virtnet_info {
...
struct virtio_net_rss_config_trailer rss_trailer; /* 80 4 */
/* XXX last struct has 1 byte of padding */
u8 rss_hash_key_data[40]; /* 84 40 */
...
/* size: 832, cachelines: 13, members: 48 */
/* sum members: 801, holes: 8, sum holes: 31 */
/* paddings: 2, sum paddings: 5 */
};
After changes, those members are correctly aligned at offset 795:
struct virtnet_info {
...
union {
struct virtio_net_rss_config_trailer rss_trailer; /* 792 4 */
struct {
unsigned char __offset_to_hash_key_data[3]; /* 792 3 */
u8 rss_hash_key_data[40]; /* 795 40 */
}; /* 792 43 */
}; /* 792 44 */
...
/* size: 840, cachelines: 14, members: 47 */
/* sum members: 801, holes: 8, sum holes: 35 */
/* padding: 4 */
/* paddings: 1, sum paddings: 4 */
/* last cacheline: 8 bytes */
};
As a result, the RSS key passed to the device is shifted by 1
byte: the last byte is cut off, and instead a (possibly
uninitialized) byte is added at the beginning.
As a last note `struct virtio_net_rss_config_hdr *rss_hdr;` is also
moved to the end, since it seems those three members should stick
around together. :)
Cc: stable@vger.kernel.org
Fixes: ed3100e ("virtio_net: Use new RSS config structs")
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Link: https://patch.msgid.link/aWIItWq5dV9XTTCJ@kspp
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit ae48108c2310f1dd700e0dbb655c2f1d92ed00fc)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit da579f05ef0faada3559e7faddf761c75cdf85e1 upstream. With IORING_SETUP_DEFER_TASKRUN, task work is queued to ctx->work_llist (local work) rather than the fallback list. During io_ring_exit_work(), io_move_task_work_from_local() was called once before the cancel loop, moving work from work_llist to fallback_llist. However, task work can be added to work_llist during the cancel loop itself. There are two cases: 1) io_kill_timeouts() is called from io_uring_try_cancel_requests() to cancel pending timeouts, and it adds task work via io_req_queue_tw_complete() for each cancelled timeout: 2) URING_CMD requests like ublk can be completed via io_uring_cmd_complete_in_task() from ublk_queue_rq() during canceling, given ublk request queue is only quiesced when canceling the 1st uring_cmd. Since io_allowed_defer_tw_run() returns false in io_ring_exit_work() (kworker != submitter_task), io_run_local_work() is never invoked, and the work_llist entries are never processed. This causes io_uring_try_cancel_requests() to loop indefinitely, resulting in 100% CPU usage in kworker threads. Fix this by moving io_move_task_work_from_local() inside the cancel loop, ensuring any work on work_llist is moved to fallback before each cancel attempt. Cc: stable@vger.kernel.org Fixes: c0e0d6b ("io_uring: add IORING_SETUP_DEFER_TASKRUN") Signed-off-by: Ming Lei <ming.lei@redhat.com> Signed-off-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 704cced8eda4453e96622ea8176434cbf68a8add) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 3d5221af9c7711b7aec8da1298c8fc393ef6183d ] Commit 61fafbe ("xfrm: Determine inner GSO type from packet inner protocol") attempted to fix GSO segmentation by reading the inner protocol from XFRM_MODE_SKB_CB(skb)->protocol. This was incorrect because the field holds the inner L4 protocol (TCP/UDP) instead of the required tunnel protocol. Also, the memory location (shared by XFRM_SKB_CB(skb) which could be overwritten by xfrm_replay_overflow()) is prone to corruption. This combination caused the kernel to select the wrong inner mode and get the wrong address family. The correct value is in xfrm_offload(skb)->proto, which is set from the outer tunnel header's protocol field by esp[4|6]_gso_encap(). It is initialized by xfrm[4|6]_tunnel_encap_add() to either IPPROTO_IPIP or IPPROTO_IPV6, using xfrm_af2proto() and correctly reflects the inner packet's address family. Fixes: 61fafbe ("xfrm: Determine inner GSO type from packet inner protocol") Signed-off-by: Jianbo Liu <jianbol@nvidia.com> Reviewed-by: Sabrina Dubroca <sd@queasysnail.net> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit df1fae862639f518190b132e2119aa98c58ea97d) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit c196def07bbc6e8306d7a274433913444b0db20a ] The XFRM_STATE_NOPMTUDISC flag is only meaningful for output SAs, but it was being applied regardless of the SA direction when the sysctl ip_no_pmtu_disc is enabled. This can unintentionally affect input SAs. Limit setting XFRM_STATE_NOPMTUDISC to output SAs when the SA direction is configured. Closes: strongswan/strongswan#2946 Fixes: a4a87fa ("xfrm: Add Direction to the SA in or out") Signed-off-by: Antony Antony <antony.antony@secunet.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit b7f9587f317d9faaafb1593b4e9d6b65214f8a5e) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 857bf9056291a16785ae3be1d291026b2437fc48 ] Ben Coddington reports seeing a hang in the following stack trace: 0 [ffffd0b50e1774e0] __schedule at ffffffff9ca05415 1 [ffffd0b50e177548] schedule at ffffffff9ca05717 2 [ffffd0b50e177558] bit_wait at ffffffff9ca061e1 3 [ffffd0b50e177568] __wait_on_bit at ffffffff9ca05cfb 4 [ffffd0b50e1775c8] out_of_line_wait_on_bit at ffffffff9ca05ea5 5 [ffffd0b50e177618] pnfs_roc at ffffffffc154207b [nfsv4] 6 [ffffd0b50e1776b8] _nfs4_proc_delegreturn at ffffffffc1506586 [nfsv4] 7 [ffffd0b50e177788] nfs4_proc_delegreturn at ffffffffc1507480 [nfsv4] 8 [ffffd0b50e1777f8] nfs_do_return_delegation at ffffffffc1523e41 [nfsv4] 9 [ffffd0b50e177838] nfs_inode_set_delegation at ffffffffc1524a75 [nfsv4] 10 [ffffd0b50e177888] nfs4_process_delegation at ffffffffc14f41dd [nfsv4] 11 [ffffd0b50e1778a0] _nfs4_opendata_to_nfs4_state at ffffffffc1503edf [nfsv4] 12 [ffffd0b50e1778c0] _nfs4_open_and_get_state at ffffffffc1504e56 [nfsv4] 13 [ffffd0b50e177978] _nfs4_do_open at ffffffffc15051b8 [nfsv4] 14 [ffffd0b50e1779f8] nfs4_do_open at ffffffffc150559c [nfsv4] 15 [ffffd0b50e177a80] nfs4_atomic_open at ffffffffc15057fb [nfsv4] 16 [ffffd0b50e177ad0] nfs4_file_open at ffffffffc15219be [nfsv4] 17 [ffffd0b50e177b78] do_dentry_open at ffffffff9c09e6ea 18 [ffffd0b50e177ba8] vfs_open at ffffffff9c0a082e 19 [ffffd0b50e177bd0] dentry_open at ffffffff9c0a0935 The issue is that the delegreturn is being asked to wait for a layout return that cannot complete because a state recovery was initiated. The state recovery cannot complete until the open() finishes processing the delegations it was given. The solution is to propagate the existing flags that indicate a non-blocking call to the function pnfs_roc(), so that it knows not to wait in this situation. Reported-by: Benjamin Coddington <bcodding@hammerspace.com> Fixes: 29ade5d ("pNFS: Wait on outstanding layoutreturns to complete in pnfs_roc()") Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit d6c75aa9d607044d1e5c8498eff0259eed356c32) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit cce0be6eb4971456b703aaeafd571650d314bcca ] Wang Zhaolong reports a deadlock involving NFSv4.1 state recovery waiting on kthreadd, which is attempting to reclaim memory by calling nfs_release_folio(). The latter cannot make progress due to state recovery being needed. It seems that the only safe thing to do here is to kick off a writeback of the folio, without waiting for completion, or else kicking off an asynchronous commit. Reported-by: Wang Zhaolong <wangzhaolong@huaweicloud.com> Fixes: 96780ca ("NFS: fix up nfs_release_folio() to try to release the page") Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 19b4d9ab5e77843eac0429c019470c02f8710b55) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 0c728083654f0066f5e10a1d2b0bd0907af19a58 ] In nfs4_ff_alloc_deviceid_node(), if the allocation for ds_versions fails, the function jumps to the out_scratch label without freeing the already allocated dsaddrs list, leading to a memory leak. Fix this by jumping to the out_err_drain_dsaddrs label, which properly frees the dsaddrs list before cleaning up other resources. Fixes: d67ae82 ("pnfs/flexfiles: Add the FlexFile Layout Driver") Signed-off-by: Zilin Guan <zilin@seu.edu.cn> Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit ed5d3f2f6885eb99f729e6ffd946e3aa058bd3eb) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 5a74af51c3a6f4cd22c128b0c1c019f68fa90011 ] In bl_parse_scsi(), if the block device length is zero, the function returns immediately without releasing the file reference obtained via bl_open_path(), leading to a memory leak. Fix this by jumping to the out_blkdev_put label to ensure the file reference is properly released. Fixes: d76c769 ("pnfs/blocklayout: Don't add zero-length pnfs_block_dev") Signed-off-by: Zilin Guan <zilin@seu.edu.cn> Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 51926204465e7d2ce71c396e0403aed58140a292) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 14adddc65340f2034751c95616861c0e888e2bb1 ] After resume from suspend to RAM, the following splash is generated if the HDMI driver is probed (independent of a connected cable): [ 1194.484052] irq 80: nobody cared (try booting with the "irqpoll" option) [ 1194.484074] CPU: 0 UID: 0 PID: 627 Comm: rtcwake Not tainted 6.17.0-rc7-g96f1a11414b3 #1 PREEMPT [ 1194.484082] Hardware name: Rockchip RK3576 EVB V10 Board (DT) [ 1194.484085] Call trace: [ 1194.484087] ... (stripped) [ 1194.484283] handlers: [ 1194.484285] [<00000000bc363dcb>] dw_hdmi_qp_main_hardirq [dw_hdmi_qp] [ 1194.484302] Disabling IRQ deepin-community#80 Apparently the HDMI IP is losing part of its state while the system is suspended and generates spurious interrupts during resume. The bug has not yet been noticed, as system suspend does not yet work properly on upstream kernel with either the Rockchip RK3588 or RK3576 platform. Fixes: 128a9bf ("drm/rockchip: Add basic RK3588 HDMI output support") Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com> Reviewed-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com> Signed-off-by: Heiko Stuebner <heiko@sntech.de> Link: https://patch.msgid.link/20251014-rockchip-hdmi-suspend-fix-v1-1-983fcbf44839@collabora.com Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 282061a7f9f3077c614166444d1f00afbe52bfe1) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit d9186faeae6efb7d0841a5e8eb213ff4c7966614 ] HW version 10 does not have GB Surfaces so there is no backing buffer for surface backed FBs. This would result in a nullptr dereference and crash the driver causing a black screen. Fixes: 9655441 ("drm/vmwgfx: Refactor cursor handling") Signed-off-by: Ian Forbes <ian.forbes@broadcom.com> Reviewed-by: Zack Rusin <zack.rusin@broadcom.com> Signed-off-by: Zack Rusin <zack.rusin@broadcom.com> Link: https://patch.msgid.link/20251114203703.1946616-1-ian.forbes@broadcom.com Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit a91bdd21d5efb3072beefbec13762b7722200c49) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 37a0cff4551c14aca4cfa6ef3f2f0e0f61d66825 ] Some of the warnings need to be reordered between these two functions in order to be correct. This has happened multiple times. Merging them solves this problem once and for all. Fixes: d6667f0 ("drm/vmwgfx: Fix handling of dumb buffers") Signed-off-by: Ian Forbes <ian.forbes@broadcom.com> Signed-off-by: Zack Rusin <zack.rusin@broadcom.com> Link: https://patch.msgid.link/20260107152059.3048329-1-ian.forbes@broadcom.com Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 0674f22eef471f9d1f9ae69bc63e9e14f6ad0049) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 60699ab7cbf0a4eb19929cce243002b39c67917d ] When resending requests, etc, the page base can quickly grow larger than the page size. Fixes: 091bdcf ("nfs/localio: refactor iocb and iov_iter_bvec initialization") Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com> Reviewed-by: Mike Snitzer <snitzer@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit d6ea0b7394a443fb6ddd1a3619ccc2f0781a900c) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 9fae82450d8a5f9c8fa016cd15186e975609b2ac ] According to the implementation of read_poll_timeout_atomic, if the delay time is 0, it will only use a simple loop based on timeout_us to decrement the count. Therefore, the final timeout time will differ significantly from the set timeout time. So, here we set a specific delay time to ensure that the calculation of the timeout duration is accurate. Fixes: 3e89a8c ("drm/rockchip: vop2: Fix the update of LAYER/PORT select registers when there are multi display output on rk3588/rk3568") Signed-off-by: Andy Yan <andy.yan@rock-chips.com> Signed-off-by: Heiko Stuebner <heiko@sntech.de> Link: https://patch.msgid.link/20250718064120.8811-1-andyshrk@163.com Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 47244c00bc5456d57c2e4d2d82ab4e52adf050cc) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…s pending cfgdone bits [ Upstream commit 7f6721b767e219343cfe9a894f5bd869ff5b9d3a ] The write of cfgdone bits always done at .atomic_flush. When userspace makes plane zpos changes of two crtc within one commit, at the .atomic_begin stage, crtcN will never receive the "layer change cfg done" event of crtcM because crtcM has not yet written "cfgdone". So only wait when there is pending cfgdone bits to avoid long timeout. Fixes: 3e89a8c ("drm/rockchip: vop2: Fix the update of LAYER/PORT select registers when there are multi display output on rk3588/rk3568") Signed-off-by: Andy Yan <andy.yan@rock-chips.com> Signed-off-by: Heiko Stuebner <heiko@sntech.de> Link: https://patch.msgid.link/20250718064120.8811-2-andyshrk@163.com Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 9a88b6c3c8695b708fd83523b3fe5a93e82ef7a4) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…_state [ Upstream commit 54b603f2db6b95495bc33a8f2bde80f044baff9a ] Due to commit 1b600da ("PM: EM: Optimize em_cpu_energy() and remove division"), the logic for energy consumption calculation has been modified. The actual calculation of cost is 10 * power * max_frequency / frequency instead of power * max_frequency / frequency. Therefore, the comment for cost has been updated to reflect the correct content. Fixes: 1b600da ("PM: EM: Optimize em_cpu_energy() and remove division") Signed-off-by: Yaxiong Tian <tianyaxiong@kylinos.cn> Reviewed-by: Lukasz Luba <lukasz.luba@arm.com> [ rjw: Added Fixes: tag ] Link: https://patch.msgid.link/20251230061534.816894-1-tianyaxiong@kylinos.cn Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 754cfada1bbcbeeb922e54007c3c3aaaeeacf23e) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 872ac785e7680dac9ec7f8c5ccd4f667f49d6997 ] Inspired by yet another syzbot report. IPv6 tunnels call netdev_lockdep_set_classes() for each tunnel type, while IPv4 currently centralizes netdev_lockdep_set_classes() call from ip_tunnel_init(). Make ip_tunnel_init() a macro, so that we have different lockdep classes per tunnel type. Fixes: 0bef512 ("net: add netdev_lockdep_set_classes() to virtual drivers") Reported-by: syzbot+1240b33467289f5ab50b@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/695d439f.050a0220.1c677c.0347.GAE@google.com/T/#u Signed-off-by: Eric Dumazet <edumazet@google.com> Link: https://patch.msgid.link/20260106172426.1760721-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 5584aa64e806282f4f15e61a2ce7f7b62ad81503) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit b1979778e98569c1e78c2c7f16bb24d76541ab00 ] When es58x_alloc_rx_urbs() fails to allocate the requested number of URBs but succeeds in allocating some, it returns an error code. This causes es58x_open() to return early, skipping the cleanup label 'free_urbs', which leads to the anchored URBs being leaked. As pointed out by maintainer Vincent Mailhol, the driver is designed to handle partial URB allocation gracefully. Therefore, partial allocation should not be treated as a fatal error. Modify es58x_alloc_rx_urbs() to return 0 if at least one URB has been allocated, restoring the intended behavior and preventing the leak in es58x_open(). Fixes: 8537257 ("can: etas_es58x: add core support for ETAS ES58X CAN USB interfaces") Reported-by: syzbot+e8cb6691a7cf68256cb8@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=e8cb6691a7cf68256cb8 Signed-off-by: Szymon Wilczek <swilczek.lx@gmail.com> Reviewed-by: Vincent Mailhol <mailhol@kernel.org> Link: https://patch.msgid.link/20251223011732.39361-1-swilczek.lx@gmail.com Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 6c5124a60989051799037834f0a1a4b428718157) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 32b63acd78f577b332d976aa06b56e70d054cbba ] Commit efa5630 ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length") added ttag bounds checking and data_offset validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate whether the command's data structures (cmd->req.sg and cmd->iov) have been properly initialized before processing H2C_DATA PDUs. The nvmet_tcp_build_pdu_iovec() function dereferences these pointers without NULL checks. This can be triggered by sending H2C_DATA PDU immediately after the ICREQ/ICRESP handshake, before sending a CONNECT command or NVMe write command. Attack vectors that trigger NULL pointer dereferences: 1. H2C_DATA PDU sent before CONNECT → both pointers NULL 2. H2C_DATA PDU for READ command → cmd->req.sg allocated, cmd->iov NULL 3. H2C_DATA PDU for uninitialized command slot → both pointers NULL The fix validates both cmd->req.sg and cmd->iov before calling nvmet_tcp_build_pdu_iovec(). Both checks are required because: - Uninitialized commands: both NULL - READ commands: cmd->req.sg allocated, cmd->iov NULL - WRITE commands: both allocated Fixes: efa5630 ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length") Reviewed-by: Sagi Grimberg <sagi@grimberg.me> Signed-off-by: Shivam Kumar <kumar.shivam43666@gmail.com> Signed-off-by: Keith Busch <kbusch@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 374b095e265fa27465f34780e0eb162ff1bef913) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…e dport [ Upstream commit 3e8aaacdad4f66641f87ab441fe644b45f8ebdff ] If a switch port has more than one decoder that is using the same downstream port, the enumeration of the target lists may fail with: # dmesg | grep target.list update_decoder_targets: cxl decoder1.0: dport3 found in target list, index 3 update_decoder_targets: cxl decoder1.0: dport2 found in target list, index 2 update_decoder_targets: cxl decoder1.0: dport0 found in target list, index 0 update_decoder_targets: cxl decoder2.0: dport3 found in target list, index 1 update_decoder_targets: cxl decoder4.0: dport3 found in target list, index 1 cxl_mem mem6: failed to find endpoint12:0000:00:01.4 in target list of decoder2.1 cxl_mem mem8: failed to find endpoint13:0000:20:01.4 in target list of decoder4.1 The case, that the same downstream port can be used in multiple target lists, is allowed and possible. Fix the update of the target list. Enumerate all children of the switch port and do not stop the iteration after the first matching target was found. With the fix applied: # dmesg | grep target.list update_decoder_targets: cxl decoder1.0: dport2 found in target list, index 2 update_decoder_targets: cxl decoder1.0: dport0 found in target list, index 0 update_decoder_targets: cxl decoder1.0: dport3 found in target list, index 3 update_decoder_targets: cxl decoder2.0: dport3 found in target list, index 1 update_decoder_targets: cxl decoder2.1: dport3 found in target list, index 1 update_decoder_targets: cxl decoder4.0: dport3 found in target list, index 1 update_decoder_targets: cxl decoder4.1: dport3 found in target list, index 1 Analyzing the conditions when this happens: 1) A dport is shared by multiple decoders. 2) The decoders have interleaving configured (ways > 1). The configuration above has the following hierarchy details (fixed version): root0 |_ | | | decoder0.1 | ways: 2 | target_list: 0,1 |_______________________________________ | | | dport0 | dport1 | | port2 port4 | | |___________________ |_____________________ | | | | | | | decoder2.0 decoder2.1 | decoder4.0 decoder4.1 | ways: 2 ways: 2 | ways: 2 ways: 2 | target_list: 2,3 target_list: 2,3 | target_list: 2,3 target_list: 2,3 |___________________ |___________________ | | | | | dport2 | dport3 | dport2 | dport3 | | | | endpoint7 endpoint12 endpoint9 endpoint13 |_ |_ |_ |_ | | | | | | | | | decoder7.0 | decoder12.0 | decoder9.0 | decoder13.0 | decoder7.2 | decoder12.2 | decoder9.2 | decoder13.2 | | | | mem3 mem5 mem6 mem8 Note: Device numbers vary for every boot. Current kernel fails to enumerate endpoint12 and endpoint13 as the target list is not updated for the second decoder. Fixes: 4f06d81 ("cxl: Defer dport allocation for switch ports") Reviewed-by: Dave Jiang <dave.jiang@intel.com> Reviewed-by: Alison Schofield <alison.schofield@intel.com> Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com> Signed-off-by: Robert Richter <rrichter@amd.com> Link: https://patch.msgid.link/20260108101324.509667-1-rrichter@amd.com Signed-off-by: Dave Jiang <dave.jiang@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 48f6cec8aa56bcbca34a9d156e7578ef70529df2) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 1e1f2055ad5a7a5d548789b334a4473a7665c418 ]
In btrfs_read_locked_inode() if we fail to lookup the inode, we jump to
the 'out' label with a path that has a read locked leaf and then we call
iget_failed(). This can result in a ABBA deadlock, since iget_failed()
triggers inode eviction and that causes the release of the delayed inode,
which must lock the delayed inode's mutex, and a task updating a delayed
inode starts by taking the node's mutex and then modifying the inode's
subvolume btree.
Syzbot reported the following lockdep splat for this:
======================================================
WARNING: possible circular locking dependency detected
syzkaller #0 Not tainted
------------------------------------------------------
btrfs-cleaner/8725 is trying to acquire lock:
ffff0000d6826a48 (&delayed_node->mutex){+.+.}-{4:4}, at: __btrfs_release_delayed_node+0xa0/0x9b0 fs/btrfs/delayed-inode.c:290
but task is already holding lock:
ffff0000dbeba878 (btrfs-tree-00){++++}-{4:4}, at: btrfs_tree_read_lock_nested+0x44/0x2ec fs/btrfs/locking.c:145
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (btrfs-tree-00){++++}-{4:4}:
__lock_release kernel/locking/lockdep.c:5574 [inline]
lock_release+0x198/0x39c kernel/locking/lockdep.c:5889
up_read+0x24/0x3c kernel/locking/rwsem.c:1632
btrfs_tree_read_unlock+0xdc/0x298 fs/btrfs/locking.c:169
btrfs_tree_unlock_rw fs/btrfs/locking.h:218 [inline]
btrfs_search_slot+0xa6c/0x223c fs/btrfs/ctree.c:2133
btrfs_lookup_inode+0xd8/0x38c fs/btrfs/inode-item.c:395
__btrfs_update_delayed_inode+0x124/0xed0 fs/btrfs/delayed-inode.c:1032
btrfs_update_delayed_inode fs/btrfs/delayed-inode.c:1118 [inline]
__btrfs_commit_inode_delayed_items+0x15f8/0x1748 fs/btrfs/delayed-inode.c:1141
__btrfs_run_delayed_items+0x1ac/0x514 fs/btrfs/delayed-inode.c:1176
btrfs_run_delayed_items_nr+0x28/0x38 fs/btrfs/delayed-inode.c:1219
flush_space+0x26c/0xb68 fs/btrfs/space-info.c:828
do_async_reclaim_metadata_space+0x110/0x364 fs/btrfs/space-info.c:1158
btrfs_async_reclaim_metadata_space+0x90/0xd8 fs/btrfs/space-info.c:1226
process_one_work+0x7e8/0x155c kernel/workqueue.c:3263
process_scheduled_works kernel/workqueue.c:3346 [inline]
worker_thread+0x958/0xed8 kernel/workqueue.c:3427
kthread+0x5fc/0x75c kernel/kthread.c:463
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844
-> #0 (&delayed_node->mutex){+.+.}-{4:4}:
check_prev_add kernel/locking/lockdep.c:3165 [inline]
check_prevs_add kernel/locking/lockdep.c:3284 [inline]
validate_chain kernel/locking/lockdep.c:3908 [inline]
__lock_acquire+0x1774/0x30a4 kernel/locking/lockdep.c:5237
lock_acquire+0x14c/0x2e0 kernel/locking/lockdep.c:5868
__mutex_lock_common+0x1d0/0x2678 kernel/locking/mutex.c:598
__mutex_lock kernel/locking/mutex.c:760 [inline]
mutex_lock_nested+0x2c/0x38 kernel/locking/mutex.c:812
__btrfs_release_delayed_node+0xa0/0x9b0 fs/btrfs/delayed-inode.c:290
btrfs_release_delayed_node fs/btrfs/delayed-inode.c:315 [inline]
btrfs_remove_delayed_node+0x68/0x84 fs/btrfs/delayed-inode.c:1326
btrfs_evict_inode+0x578/0xe28 fs/btrfs/inode.c:5587
evict+0x414/0x928 fs/inode.c:810
iput_final fs/inode.c:1914 [inline]
iput+0x95c/0xad4 fs/inode.c:1966
iget_failed+0xec/0x134 fs/bad_inode.c:248
btrfs_read_locked_inode+0xe1c/0x1234 fs/btrfs/inode.c:4101
btrfs_iget+0x1b0/0x264 fs/btrfs/inode.c:5837
btrfs_run_defrag_inode fs/btrfs/defrag.c:237 [inline]
btrfs_run_defrag_inodes+0x520/0xdc4 fs/btrfs/defrag.c:309
cleaner_kthread+0x21c/0x418 fs/btrfs/disk-io.c:1516
kthread+0x5fc/0x75c kernel/kthread.c:463
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
rlock(btrfs-tree-00);
lock(&delayed_node->mutex);
lock(btrfs-tree-00);
lock(&delayed_node->mutex);
*** DEADLOCK ***
1 lock held by btrfs-cleaner/8725:
#0: ffff0000dbeba878 (btrfs-tree-00){++++}-{4:4}, at: btrfs_tree_read_lock_nested+0x44/0x2ec fs/btrfs/locking.c:145
stack backtrace:
CPU: 0 UID: 0 PID: 8725 Comm: btrfs-cleaner Not tainted syzkaller #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025
Call trace:
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
__dump_stack+0x30/0x40 lib/dump_stack.c:94
dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
dump_stack+0x1c/0x28 lib/dump_stack.c:129
print_circular_bug+0x324/0x32c kernel/locking/lockdep.c:2043
check_noncircular+0x154/0x174 kernel/locking/lockdep.c:2175
check_prev_add kernel/locking/lockdep.c:3165 [inline]
check_prevs_add kernel/locking/lockdep.c:3284 [inline]
validate_chain kernel/locking/lockdep.c:3908 [inline]
__lock_acquire+0x1774/0x30a4 kernel/locking/lockdep.c:5237
lock_acquire+0x14c/0x2e0 kernel/locking/lockdep.c:5868
__mutex_lock_common+0x1d0/0x2678 kernel/locking/mutex.c:598
__mutex_lock kernel/locking/mutex.c:760 [inline]
mutex_lock_nested+0x2c/0x38 kernel/locking/mutex.c:812
__btrfs_release_delayed_node+0xa0/0x9b0 fs/btrfs/delayed-inode.c:290
btrfs_release_delayed_node fs/btrfs/delayed-inode.c:315 [inline]
btrfs_remove_delayed_node+0x68/0x84 fs/btrfs/delayed-inode.c:1326
btrfs_evict_inode+0x578/0xe28 fs/btrfs/inode.c:5587
evict+0x414/0x928 fs/inode.c:810
iput_final fs/inode.c:1914 [inline]
iput+0x95c/0xad4 fs/inode.c:1966
iget_failed+0xec/0x134 fs/bad_inode.c:248
btrfs_read_locked_inode+0xe1c/0x1234 fs/btrfs/inode.c:4101
btrfs_iget+0x1b0/0x264 fs/btrfs/inode.c:5837
btrfs_run_defrag_inode fs/btrfs/defrag.c:237 [inline]
btrfs_run_defrag_inodes+0x520/0xdc4 fs/btrfs/defrag.c:309
cleaner_kthread+0x21c/0x418 fs/btrfs/disk-io.c:1516
kthread+0x5fc/0x75c kernel/kthread.c:463
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844
Fix this by releasing the path before calling iget_failed().
Reported-by: syzbot+c1c6edb02bea1da754d8@syzkaller.appspotmail.com
Link: https://lore.kernel.org/linux-btrfs/694530c2.a70a0220.207337.010d.GAE@google.com/
Fixes: 6967399 ("btrfs: push cleanup into btrfs_read_locked_inode()")
Reviewed-by: Boris Burkov <boris@bur.io>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 65241e3ddda60b53a4ee3ae12721fc9ee21d5827)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 3f747004bbd641131d9396d87b5d2d3d1e182728 upstream. Fix a memory leak in gpi_peripheral_config() where the original memory pointed to by gchan->config could be lost if krealloc() fails. The issue occurs when: 1. gchan->config points to previously allocated memory 2. krealloc() fails and returns NULL 3. The function directly assigns NULL to gchan->config, losing the reference to the original memory 4. The original memory becomes unreachable and cannot be freed Fix this by using a temporary variable to hold the krealloc() result and only updating gchan->config when the allocation succeeds. Found via static analysis and code review. Fixes: 5d0c353 ("dmaengine: qcom: Add GPI dma driver") Cc: stable@vger.kernel.org Signed-off-by: Miaoqian Lin <linmq006@gmail.com> Reviewed-by: Bjorn Andersson <andersson@kernel.org> Link: https://patch.msgid.link/20251029123421.91973-1-linmq006@gmail.com Signed-off-by: Vinod Koul <vkoul@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 55a67ba5ac4cebfd54cc8305d4d57a0f1dfe6a85) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 9fb490323997dcb6f749cd2660a17a39854600cd upstream. Make sure to drop the reference taken when looking up the ICU device during probe also on probe failures (e.g. probe deferral). Fixes: 7de8732 ("dmaengine: sh: rz-dmac: Add RZ/V2H(P) support") Cc: stable@vger.kernel.org # 6.16 Cc: Fabrizio Castro <fabrizio.castro.jz@renesas.com> Signed-off-by: Johan Hovold <johan@kernel.org> Reviewed-by: Fabrizio Castro <fabrizio.castro.jz@renesas.com> Link: https://patch.msgid.link/20251117161258.10679-10-johan@kernel.org Signed-off-by: Vinod Koul <vkoul@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 926d1666420c227eab50962a8622c1b8444720e8) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 747213b08a1ab6a76e3e3b3e7a209cc1d402b5d0 upstream. After audio full duplex testing, playing the recorded file contains a few playback frames from the previous time. The rz_dmac_terminate_all() does not reset all the hardware descriptors queued previously, leading to the wrong descriptor being picked up during the next DMA transfer. Fix the above issue by resetting all the descriptor headers for a channel in rz_dmac_terminate_all() as rz_dmac_lmdesc_recycle() points to the proper descriptor header filled by the rz_dmac_prepare_descs_for_slave_sg(). Cc: stable@kernel.org Fixes: 5000d37 ("dmaengine: sh: Add DMAC driver for RZ/G2L SoC") Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be> Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com> Reviewed-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com> Tested-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com> Link: https://patch.msgid.link/20251113195052.564338-1-biju.das.jz@bp.renesas.com Signed-off-by: Vinod Koul <vkoul@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 8dd65e98ce20985453c712b550566c6330774b5c) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit dd6e4943889fb354efa3f700e42739da9bddb6ef upstream. Make sure to drop the reference taken when looking up the DMA mux platform device during route allocation. Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference. Fixes: df7e762 ("dmaengine: Add STM32 DMAMUX driver") Cc: stable@vger.kernel.org # 4.15 Cc: Pierre-Yves MORDRET <pierre-yves.mordret@foss.st.com> Signed-off-by: Johan Hovold <johan@kernel.org> Reviewed-by: Amelie Delaunay <amelie.delaunay@foss.st.com> Link: https://patch.msgid.link/20251117161258.10679-11-johan@kernel.org Signed-off-by: Vinod Koul <vkoul@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 3ef52d31cce8ba816739085a61efe07b63c6cf27) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit b1b590a590af13ded598e70f0b72bc1e515787a1 upstream. Make sure to drop the reference taken to the DMA master OF node also on late route allocation failures. Fixes: df7e762 ("dmaengine: Add STM32 DMAMUX driver") Cc: stable@vger.kernel.org # 4.15 Cc: Pierre-Yves MORDRET <pierre-yves.mordret@foss.st.com> Signed-off-by: Johan Hovold <johan@kernel.org> Reviewed-by: Amelie Delaunay <amelie.delaunay@foss.st.com> Link: https://patch.msgid.link/20251117161258.10679-12-johan@kernel.org Signed-off-by: Vinod Koul <vkoul@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit f45b1d8bf9d0a9b45ebadcb66b6f93017b10f7a1) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit dc7e44db01fc2498644e3106db3e62a9883a93d5 upstream. Make sure to drop the reference taken when looking up the crossbar platform device during dra7x route allocation. Note that commit 615a4bf ("dmaengine: ti: Add missing put_device in ti_dra7_xbar_route_allocate") fixed the leak in the error paths but the reference is still leaking on successful allocation. Fixes: a074ae3 ("dmaengine: Add driver for TI DMA crossbar on DRA7x") Fixes: 615a4bf ("dmaengine: ti: Add missing put_device in ti_dra7_xbar_route_allocate") Cc: stable@vger.kernel.org # 4.2: 615a4bf Cc: Peter Ujfalusi <peter.ujfalusi@ti.com> Cc: Miaoqian Lin <linmq006@gmail.com> Signed-off-by: Johan Hovold <johan@kernel.org> Link: https://patch.msgid.link/20251117161258.10679-14-johan@kernel.org Signed-off-by: Vinod Koul <vkoul@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 61e8970b0de16f13df1a1fc60106f6d07a45f77d) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 4fc17b1c6d2e04ad13fd6c21cfbac68043ec03f9 upstream. Make sure to drop the reference taken when looking up the crossbar platform device during am335x route allocation. Fixes: 42dbdcc ("dmaengine: ti-dma-crossbar: Add support for crossbar on AM33xx/AM43xx") Cc: stable@vger.kernel.org # 4.4 Cc: Peter Ujfalusi <peter.ujfalusi@ti.com> Signed-off-by: Johan Hovold <johan@kernel.org> Link: https://patch.msgid.link/20251117161258.10679-15-johan@kernel.org Signed-off-by: Vinod Koul <vkoul@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 30352277d8e09c972436f883a5efd1f1b763ac14) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 430f7803b69cd5e5694e5dfc884c6628870af36e upstream. Make sure to drop the reference taken when looking up the UDMA platform device. Note that holding a reference to a platform device does not prevent its driver data from going away so there is no point in keeping the reference after the lookup helper returns. Fixes: d702419 ("dmaengine: ti: k3-udma: Add glue layer for non DMAengine users") Fixes: 1438cde ("dmaengine: ti: k3-udma: add missing put_device() call in of_xudma_dev_get()") Cc: stable@vger.kernel.org # 5.6: 1438cde Cc: Grygorii Strashko <grygorii.strashko@ti.com> Cc: Yu Kuai <yukuai3@huawei.com> Signed-off-by: Johan Hovold <johan@kernel.org> Link: https://patch.msgid.link/20251117161258.10679-17-johan@kernel.org Signed-off-by: Vinod Koul <vkoul@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit b3bbbf9da38c2735dc25f50e62775216dfd756f6) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 27bfafac65d87c58639f5d7af1353ec1e7886963 upstream. The page tables used to map the kernel and userspace often have very different handling rules. There are frequently *_kernel() variants of functions just for kernel page tables. That's not great and has lead to code duplication. Instead of having completely separate call paths, allow a 'ptdesc' to be marked as being for kernel mappings. Introduce helpers to set and clear this status. Note: this uses the PG_referenced bit. Page flags are a great fit for this since it is truly a single bit of information. Use PG_referenced itself because it's a fairly benign flag (as opposed to things like PG_lock). It's also (according to Willy) unlikely to go away any time soon. PG_referenced is not in PAGE_FLAGS_CHECK_AT_FREE. It does not need to be cleared before freeing the page, and pages coming out of the allocator should have it cleared. Regardless, introduce an API to clear it anyway. Having symmetry in the API makes it easier to change the underlying implementation later, like if there was a need to move to a PAGE_FLAGS_CHECK_AT_FREE bit. Link: https://lkml.kernel.org/r/20251022082635.2462433-3-baolu.lu@linux.intel.com Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com> Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com> Reviewed-by: Jason Gunthorpe <jgg@nvidia.com> Reviewed-by: Kevin Tian <kevin.tian@intel.com> Acked-by: David Hildenbrand <david@redhat.com> Acked-by: Mike Rapoport (Microsoft) <rppt@kernel.org> Cc: Alistair Popple <apopple@nvidia.com> Cc: Andy Lutomirski <luto@kernel.org> Cc: Borislav Betkov <bp@alien8.de> Cc: Ingo Molnar <mingo@redhat.com> Cc: Jann Horn <jannh@google.com> Cc: Jean-Philippe Brucker <jean-philippe@linaro.org> Cc: Joerg Roedel <joro@8bytes.org> Cc: Liam Howlett <liam.howlett@oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com> Cc: Matthew Wilcox (Oracle) <willy@infradead.org> Cc: Michal Hocko <mhocko@kernel.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Robin Murohy <robin.murphy@arm.com> Cc: Thomas Gleinxer <tglx@linutronix.de> Cc: "Uladzislau Rezki (Sony)" <urezki@gmail.com> Cc: Vasant Hegde <vasant.hegde@amd.com> Cc: Vinicius Costa Gomes <vinicius.gomes@intel.com> Cc: Vlastimil Babka <vbabka@suse.cz> Cc: Will Deacon <will@kernel.org> Cc: Yi Lai <yi1.lai@intel.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 1ca0f9e97f315348354b973ffaa3cc7c0328ab10) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 977870522af34359b461060597ee3a86f27450d6 upstream. Now that the API is in place, mark kernel page table pages just after they are allocated. Unmark them just before they are freed. Note: Unconditionally clearing the 'kernel' marking (via ptdesc_clear_kernel()) would be functionally identical to what is here. But having the if() makes it logically clear that this function can be used for kernel and non-kernel page tables. Link: https://lkml.kernel.org/r/20251022082635.2462433-4-baolu.lu@linux.intel.com Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com> Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com> Reviewed-by: Jason Gunthorpe <jgg@nvidia.com> Reviewed-by: Kevin Tian <kevin.tian@intel.com> Acked-by: David Hildenbrand <david@redhat.com> Acked-by: Mike Rapoport (Microsoft) <rppt@kernel.org> Cc: Alistair Popple <apopple@nvidia.com> Cc: Andy Lutomirski <luto@kernel.org> Cc: Borislav Betkov <bp@alien8.de> Cc: Ingo Molnar <mingo@redhat.com> Cc: Jann Horn <jannh@google.com> Cc: Jean-Philippe Brucker <jean-philippe@linaro.org> Cc: Joerg Roedel <joro@8bytes.org> Cc: Liam Howlett <liam.howlett@oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com> Cc: Matthew Wilcox (Oracle) <willy@infradead.org> Cc: Michal Hocko <mhocko@kernel.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Robin Murohy <robin.murphy@arm.com> Cc: Thomas Gleinxer <tglx@linutronix.de> Cc: "Uladzislau Rezki (Sony)" <urezki@gmail.com> Cc: Vasant Hegde <vasant.hegde@amd.com> Cc: Vinicius Costa Gomes <vinicius.gomes@intel.com> Cc: Vlastimil Babka <vbabka@suse.cz> Cc: Will Deacon <will@kernel.org> Cc: Yi Lai <yi1.lai@intel.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 83ce8bf84846a8e205473156ade89c823549cd06) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 412d000346ea38ac4b9bb715a86c73ef89d90dea upstream. There are a billion ways to refer to a physical memory address. One of the x86 PMD freeing code location chooses to use a 'pte_t *' to point to a PMD page and then call a PTE-specific freeing function for it. That's a bit wonky. Just use a 'struct ptdesc *' instead. Its entire purpose is to refer to page table pages. It also means being able to remove an explicit cast. Right now, pte_free_kernel() is a one-liner that calls pagetable_dtor_free(). Effectively, all this patch does is remove one superfluous __pa(__va(paddr)) conversion and then call pagetable_dtor_free() directly instead of through a helper. Link: https://lkml.kernel.org/r/20251022082635.2462433-5-baolu.lu@linux.intel.com Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com> Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com> Reviewed-by: Jason Gunthorpe <jgg@nvidia.com> Reviewed-by: Kevin Tian <kevin.tian@intel.com> Cc: Alistair Popple <apopple@nvidia.com> Cc: Andy Lutomirski <luto@kernel.org> Cc: Borislav Betkov <bp@alien8.de> Cc: David Hildenbrand <david@redhat.com> Cc: Ingo Molnar <mingo@redhat.com> Cc: Jann Horn <jannh@google.com> Cc: Jean-Philippe Brucker <jean-philippe@linaro.org> Cc: Joerg Roedel <joro@8bytes.org> Cc: Liam Howlett <liam.howlett@oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com> Cc: Matthew Wilcox (Oracle) <willy@infradead.org> Cc: Michal Hocko <mhocko@kernel.org> Cc: Mike Rapoport (Microsoft) <rppt@kernel.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Robin Murohy <robin.murphy@arm.com> Cc: Thomas Gleinxer <tglx@linutronix.de> Cc: "Uladzislau Rezki (Sony)" <urezki@gmail.com> Cc: Vasant Hegde <vasant.hegde@amd.com> Cc: Vinicius Costa Gomes <vinicius.gomes@intel.com> Cc: Vlastimil Babka <vbabka@suse.cz> Cc: Will Deacon <will@kernel.org> Cc: Yi Lai <yi1.lai@intel.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit b63c129bc3adbc2110fbdcf87402e6712edbff13) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 01894295672335ff304beed4359f30d14d5765f2 upstream. The pages used for ptdescs are currently freed back to the allocator in a single location. They will shortly be freed from a second location. Create a simple helper that just frees them back to the allocator. Link: https://lkml.kernel.org/r/20251022082635.2462433-6-baolu.lu@linux.intel.com Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com> Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com> Reviewed-by: Jason Gunthorpe <jgg@nvidia.com> Reviewed-by: Kevin Tian <kevin.tian@intel.com> Acked-by: David Hildenbrand <david@redhat.com> Acked-by: Mike Rapoport (Microsoft) <rppt@kernel.org> Cc: Alistair Popple <apopple@nvidia.com> Cc: Andy Lutomirski <luto@kernel.org> Cc: Borislav Betkov <bp@alien8.de> Cc: Ingo Molnar <mingo@redhat.com> Cc: Jann Horn <jannh@google.com> Cc: Jean-Philippe Brucker <jean-philippe@linaro.org> Cc: Joerg Roedel <joro@8bytes.org> Cc: Liam Howlett <liam.howlett@oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com> Cc: Matthew Wilcox (Oracle) <willy@infradead.org> Cc: Michal Hocko <mhocko@kernel.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Robin Murohy <robin.murphy@arm.com> Cc: Thomas Gleinxer <tglx@linutronix.de> Cc: "Uladzislau Rezki (Sony)" <urezki@gmail.com> Cc: Vasant Hegde <vasant.hegde@amd.com> Cc: Vinicius Costa Gomes <vinicius.gomes@intel.com> Cc: Vlastimil Babka <vbabka@suse.cz> Cc: Will Deacon <will@kernel.org> Cc: Yi Lai <yi1.lai@intel.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit c32806bf45b6224370bf74e001d9ea7f047e7b8b) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit bf9e4e30f3538391745a99bc2268ec4f5e4a401e upstream. The kernel's memory management subsystem provides a dedicated interface, pagetable_free(), for freeing page table pages. Updates two call sites to use pagetable_free() instead of the lower-level __free_page() or free_pages(). This improves code consistency and clarity, and ensures the correct freeing mechanism is used. Link: https://lkml.kernel.org/r/20251022082635.2462433-7-baolu.lu@linux.intel.com Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com> Reviewed-by: Jason Gunthorpe <jgg@nvidia.com> Acked-by: David Hildenbrand <david@redhat.com> Acked-by: Mike Rapoport (Microsoft) <rppt@kernel.org> Cc: Alistair Popple <apopple@nvidia.com> Cc: Andy Lutomirski <luto@kernel.org> Cc: Borislav Betkov <bp@alien8.de> Cc: Dave Hansen <dave.hansen@intel.com> Cc: Ingo Molnar <mingo@redhat.com> Cc: Jann Horn <jannh@google.com> Cc: Jean-Philippe Brucker <jean-philippe@linaro.org> Cc: Joerg Roedel <joro@8bytes.org> Cc: Kevin Tian <kevin.tian@intel.com> Cc: Liam Howlett <liam.howlett@oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com> Cc: Matthew Wilcox (Oracle) <willy@infradead.org> Cc: Michal Hocko <mhocko@kernel.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Robin Murohy <robin.murphy@arm.com> Cc: Thomas Gleinxer <tglx@linutronix.de> Cc: "Uladzislau Rezki (Sony)" <urezki@gmail.com> Cc: Vasant Hegde <vasant.hegde@amd.com> Cc: Vinicius Costa Gomes <vinicius.gomes@intel.com> Cc: Vlastimil Babka <vbabka@suse.cz> Cc: Will Deacon <will@kernel.org> Cc: Yi Lai <yi1.lai@intel.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit a1593c90896babf33e947910c7aecb9f50bab993) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 5ba2f0a1556479638ac11a3c201421f5515e89f5 upstream. This introduces a conditional asynchronous mechanism, enabled by CONFIG_ASYNC_KERNEL_PGTABLE_FREE. When enabled, this mechanism defers the freeing of pages that are used as page tables for kernel address mappings. These pages are now queued to a work struct instead of being freed immediately. This deferred freeing allows for batch-freeing of page tables, providing a safe context for performing a single expensive operation (TLB flush) for a batch of kernel page tables instead of performing that expensive operation for each page table. Link: https://lkml.kernel.org/r/20251022082635.2462433-8-baolu.lu@linux.intel.com Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com> Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com> Reviewed-by: Jason Gunthorpe <jgg@nvidia.com> Reviewed-by: Kevin Tian <kevin.tian@intel.com> Acked-by: David Hildenbrand <david@redhat.com> Acked-by: Mike Rapoport (Microsoft) <rppt@kernel.org> Cc: Alistair Popple <apopple@nvidia.com> Cc: Andy Lutomirski <luto@kernel.org> Cc: Borislav Betkov <bp@alien8.de> Cc: Ingo Molnar <mingo@redhat.com> Cc: Jann Horn <jannh@google.com> Cc: Jean-Philippe Brucker <jean-philippe@linaro.org> Cc: Joerg Roedel <joro@8bytes.org> Cc: Liam Howlett <liam.howlett@oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com> Cc: Matthew Wilcox (Oracle) <willy@infradead.org> Cc: Michal Hocko <mhocko@kernel.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Robin Murohy <robin.murphy@arm.com> Cc: Thomas Gleinxer <tglx@linutronix.de> Cc: "Uladzislau Rezki (Sony)" <urezki@gmail.com> Cc: Vasant Hegde <vasant.hegde@amd.com> Cc: Vinicius Costa Gomes <vinicius.gomes@intel.com> Cc: Vlastimil Babka <vbabka@suse.cz> Cc: Will Deacon <will@kernel.org> Cc: Yi Lai <yi1.lai@intel.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit b3039c526f3e1744db0cbb7ae1f0213f5e27d3f4) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit e37d5a2d60a338c5917c45296bac65da1382eda5 upstream. Introduce a new IOMMU interface to flush IOTLB paging cache entries for the CPU kernel address space. This interface is invoked from the x86 architecture code that manages combined user and kernel page tables, specifically before any kernel page table page is freed and reused. This addresses the main issue with vfree() which is a common occurrence and can be triggered by unprivileged users. While this resolves the primary problem, it doesn't address some extremely rare case related to memory unplug of memory that was present as reserved memory at boot, which cannot be triggered by unprivileged users. The discussion can be found at the link below. Enable SVA on x86 architecture since the IOMMU can now receive notification to flush the paging cache before freeing the CPU kernel page table pages. Link: https://lkml.kernel.org/r/20251022082635.2462433-9-baolu.lu@linux.intel.com Link: https://lore.kernel.org/linux-iommu/04983c62-3b1d-40d4-93ae-34ca04b827e5@intel.com/ Co-developed-by: Jason Gunthorpe <jgg@nvidia.com> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com> Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com> Suggested-by: Jann Horn <jannh@google.com> Reviewed-by: Jason Gunthorpe <jgg@nvidia.com> Reviewed-by: Vasant Hegde <vasant.hegde@amd.com> Reviewed-by: Kevin Tian <kevin.tian@intel.com> Cc: Alistair Popple <apopple@nvidia.com> Cc: Andy Lutomirski <luto@kernel.org> Cc: Borislav Betkov <bp@alien8.de> Cc: Dave Hansen <dave.hansen@linux.intel.com> Cc: David Hildenbrand <david@redhat.com> Cc: Ingo Molnar <mingo@redhat.com> Cc: Jean-Philippe Brucker <jean-philippe@linaro.org> Cc: Joerg Roedel <joro@8bytes.org> Cc: Liam Howlett <liam.howlett@oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com> Cc: Matthew Wilcox (Oracle) <willy@infradead.org> Cc: Michal Hocko <mhocko@kernel.org> Cc: Mike Rapoport (Microsoft) <rppt@kernel.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Robin Murohy <robin.murphy@arm.com> Cc: Thomas Gleinxer <tglx@linutronix.de> Cc: "Uladzislau Rezki (Sony)" <urezki@gmail.com> Cc: Vinicius Costa Gomes <vinicius.gomes@intel.com> Cc: Vlastimil Babka <vbabka@suse.cz> Cc: Will Deacon <will@kernel.org> Cc: Yi Lai <yi1.lai@intel.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 9f0a7ab700f8620e433b05c57fbd26c92ea186d9) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…e blocking commit 0d30dae38fe01cd1de358c6039a0b1184689fe51 upstream. During suspend/resume tests with S2IDLE, some ISH functional failures were observed because of delay in executing ISH resume handler. Here schedule_work() is used from resume handler to do actual work. schedule_work() uses system_wq, which is a per CPU work queue. Although the queuing is not bound to a CPU, but it prefers local CPU of the caller, unless prohibited. Users of this work queue are not supposed to queue long running work. But in practice, there are scenarios where long running work items are queued on other unbound workqueues, occupying the CPU. As a result, the ISH resume handler may not get a chance to execute in a timely manner. In one scenario, one of the ish_resume_handler() executions was delayed nearly 1 second because another work item on an unbound workqueue occupied the same CPU. This delay causes ISH functionality failures. A similar issue was previously observed where the ISH HID driver timed out while getting the HID descriptor during S4 resume in the recovery kernel, likely caused by the same workqueue contention problem. Create dedicated unbound workqueues for all ISH operations to allow work items to execute on any available CPU, eliminating CPU-specific bottlenecks and improving resume reliability under varying system loads. Also ISH has three different components, a bus driver which implements ISH protocols, a PCI interface layer and HID interface. Use one dedicated work queue for all of them. Signed-off-by: Zhang Lixu <lixu.zhang@intel.com> Signed-off-by: Jiri Kosina <jkosina@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 3d72fadb764c47e37da7017ca52518bf283932e9) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…oc_workqueue()
commit 3644f4411713f52bf231574aa8759e3d8e20b341 upstream.
Clang warns (or errors with CONFIG_WERROR=y / W=e):
drivers/hid/intel-ish-hid/ipc/ipc.c:935:36: error: cast from 'void (*)(struct workqueue_struct *)' to 'void (*)(void *)' converts to incompatible function type [-Werror,-Wcast-function-type-strict]
935 | if (devm_add_action_or_reset(dev, (void (*)(void *))destroy_workqueue,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/device/devres.h:168:34: note: expanded from macro 'devm_add_action_or_reset'
168 | __devm_add_action_or_ireset(dev, action, data, #action)
| ^~~~~~
This warning is pointing out a kernel control flow integrity (kCFI /
CONFIG_CFI=y) violation will occur due to this function cast when the
destroy_workqueue() is indirectly called via devm_action_release()
because the prototype of destroy_workqueue() does not match the
prototype of (*action)().
Use a local function with the correct prototype to wrap
destroy_workqueue() to resolve the warning and CFI violation.
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202510190103.qTZvfdjj-lkp@intel.com/
Closes: ClangBuiltLinux/linux#2139
Fixes: 0d30dae38fe0 ("HID: intel-ish-hid: Use dedicated unbound workqueues to prevent resume blocking")
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Reviewed-by: Zhang Lixu <lixu.zhang@intel.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 7e58addb8e05379e437e4722534a7cb1cabd767b)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…n type
commit 5037b342825df7094a4906d1e2a9674baab50cb2 upstream.
When wait_current_trans() is called during start_transaction(), it
currently waits for a blocked transaction without considering whether
the given transaction type actually needs to wait for that particular
transaction state. The btrfs_blocked_trans_types[] array already defines
which transaction types should wait for which transaction states, but
this check was missing in wait_current_trans().
This can lead to a deadlock scenario involving two transactions and
pending ordered extents:
1. Transaction A is in TRANS_STATE_COMMIT_DOING state
2. A worker processing an ordered extent calls start_transaction()
with TRANS_JOIN
3. join_transaction() returns -EBUSY because Transaction A is in
TRANS_STATE_COMMIT_DOING
4. Transaction A moves to TRANS_STATE_UNBLOCKED and completes
5. A new Transaction B is created (TRANS_STATE_RUNNING)
6. The ordered extent from step 2 is added to Transaction B's
pending ordered extents
7. Transaction B immediately starts commit by another task and
enters TRANS_STATE_COMMIT_START
8. The worker finally reaches wait_current_trans(), sees Transaction B
in TRANS_STATE_COMMIT_START (a blocked state), and waits
unconditionally
9. However, TRANS_JOIN should NOT wait for TRANS_STATE_COMMIT_START
according to btrfs_blocked_trans_types[]
10. Transaction B is waiting for pending ordered extents to complete
11. Deadlock: Transaction B waits for ordered extent, ordered extent
waits for Transaction B
This can be illustrated by the following call stacks:
CPU0 CPU1
btrfs_finish_ordered_io()
start_transaction(TRANS_JOIN)
join_transaction()
# -EBUSY (Transaction A is
# TRANS_STATE_COMMIT_DOING)
# Transaction A completes
# Transaction B created
# ordered extent added to
# Transaction B's pending list
btrfs_commit_transaction()
# Transaction B enters
# TRANS_STATE_COMMIT_START
# waiting for pending ordered
# extents
wait_current_trans()
# waits for Transaction B
# (should not wait!)
Task bstore_kv_sync in btrfs_commit_transaction waiting for ordered
extents:
__schedule+0x2e7/0x8a0
schedule+0x64/0xe0
btrfs_commit_transaction+0xbf7/0xda0 [btrfs]
btrfs_sync_file+0x342/0x4d0 [btrfs]
__x64_sys_fdatasync+0x4b/0x80
do_syscall_64+0x33/0x40
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Task kworker in wait_current_trans waiting for transaction commit:
Workqueue: btrfs-syno_nocow btrfs_work_helper [btrfs]
__schedule+0x2e7/0x8a0
schedule+0x64/0xe0
wait_current_trans+0xb0/0x110 [btrfs]
start_transaction+0x346/0x5b0 [btrfs]
btrfs_finish_ordered_io.isra.0+0x49b/0x9c0 [btrfs]
btrfs_work_helper+0xe8/0x350 [btrfs]
process_one_work+0x1d3/0x3c0
worker_thread+0x4d/0x3e0
kthread+0x12d/0x150
ret_from_fork+0x1f/0x30
Fix this by passing the transaction type to wait_current_trans() and
checking btrfs_blocked_trans_types[cur_trans->state] against the given
type before deciding to wait. This ensures that transaction types which
are allowed to join during certain blocked states will not unnecessarily
wait and cause deadlocks.
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Robbie Ko <robbieko@synology.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Cc: Motiejus Jakštys <motiejus@jakstys.lt>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 9ac63333d600732a56b35ee1fa46836da671eb50)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 0acc67c4030c39f39ac90413cc5d0abddd3a9527 upstream. Patch series "mm/page_alloc: Batch callers of free_pcppages_bulk", v5. Motivation & Approach ===================== While testing workloads with high sustained memory pressure on large machines in the Meta fleet (1Tb memory, 316 CPUs), we saw an unexpectedly high number of softlockups. Further investigation showed that the zone lock in free_pcppages_bulk was being held for a long time, and was called to free 2k+ pages over 100 times just during boot. This causes starvation in other processes for the zone lock, which can lead to the system stalling as multiple threads cannot make progress without the locks. We can see these issues manifesting as warnings: [ 4512.591979] rcu: INFO: rcu_sched self-detected stall on CPU [ 4512.604370] rcu: 20-....: (9312 ticks this GP) idle=a654/1/0x4000000000000000 softirq=309340/309344 fqs=5426 [ 4512.626401] rcu: hardirqs softirqs csw/system [ 4512.638793] rcu: number: 0 145 0 [ 4512.651177] rcu: cputime: 30 10410 174 ==> 10558(ms) [ 4512.666657] rcu: (t=21077 jiffies g=783665 q=1242213 ncpus=316) While these warnings don't indicate a crash or a kernel panic, they do point to the underlying issue of lock contention. To prevent starvation in both locks, batch the freeing of pages using pcp->batch. Because free_pcppages_bulk is called with the pcp lock and acquires the zone lock, relinquishing and reacquiring the locks are only effective when both of them are broken together (unless the system was built with queued spinlocks). Thus, instead of modifying free_pcppages_bulk to break both locks, batch the freeing from its callers instead. A similar fix has been implemented in the Meta fleet, and we have seen significantly less softlockups. Testing ======= The following are a few synthetic benchmarks, made on three machines. The first is a large machine with 754GiB memory and 316 processors. The second is a relatively smaller machine with 251GiB memory and 176 processors. The third and final is the smallest of the three, which has 62GiB memory and 36 processors. On all machines, I kick off a kernel build with -j$(nproc). Negative delta is better (faster compilation). Large machine (754GiB memory, 316 processors) make -j$(nproc) +------------+---------------+-----------+ | Metric (s) | Variation (%) | Delta(%) | +------------+---------------+-----------+ | real | 0.8070 | - 1.4865 | | user | 0.2823 | + 0.4081 | | sys | 5.0267 | -11.8737 | +------------+---------------+-----------+ Medium machine (251GiB memory, 176 processors) make -j$(nproc) +------------+---------------+----------+ | Metric (s) | Variation (%) | Delta(%) | +------------+---------------+----------+ | real | 0.2806 | +0.0351 | | user | 0.0994 | +0.3170 | | sys | 0.6229 | -0.6277 | +------------+---------------+----------+ Small machine (62GiB memory, 36 processors) make -j$(nproc) +------------+---------------+----------+ | Metric (s) | Variation (%) | Delta(%) | +------------+---------------+----------+ | real | 0.1503 | -2.6585 | | user | 0.0431 | -2.2984 | | sys | 0.1870 | -3.2013 | +------------+---------------+----------+ Here, variation is the coefficient of variation, i.e. standard deviation / mean. Based on these results, it seems like there are varying degrees to how much lock contention this reduces. For the largest and smallest machines that I ran the tests on, it seems like there is quite some significant reduction. There is also some performance increases visible from userspace. Interestingly, the performance gains don't scale with the size of the machine, but rather there seems to be a dip in the gain there is for the medium-sized machine. One possible theory is that because the high watermark depends on both memory and the number of local CPUs, what impacts zone contention the most is not these individual values, but rather the ratio of mem:processors. This patch (of 5): Currently, refresh_cpu_vm_stats returns an int, indicating how many changes were made during its updates. Using this information, callers like vmstat_update can heuristically determine if more work will be done in the future. However, all of refresh_cpu_vm_stats's callers either (a) ignore the result, only caring about performing the updates, or (b) only care about whether changes were made, but not *how many* changes were made. Simplify the code by returning a bool instead to indicate if updates were made. In addition, simplify fold_diff and decay_pcp_high to return a bool for the same reason. Link: https://lkml.kernel.org/r/20251014145011.3427205-1-joshua.hahnjy@gmail.com Link: https://lkml.kernel.org/r/20251014145011.3427205-2-joshua.hahnjy@gmail.com Signed-off-by: Joshua Hahn <joshua.hahnjy@gmail.com> Reviewed-by: Vlastimil Babka <vbabka@suse.cz> Reviewed-by: SeongJae Park <sj@kernel.org> Cc: Brendan Jackman <jackmanb@google.com> Cc: Chris Mason <clm@fb.com> Cc: Johannes Weiner <hannes@cmpxchg.org> Cc: "Kirill A. Shutemov" <kirill@shutemov.name> Cc: Michal Hocko <mhocko@suse.com> Cc: Suren Baghdasaryan <surenb@google.com> Cc: Zi Yan <ziy@nvidia.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Stable-dep-of: 038a102535eb ("mm/page_alloc: prevent pcp corruption with SMP=n") Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 2a72a8ddf1888d56744ad7242be8f88d0c9df17b) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit fc4b909c368f3a7b08c895dd5926476b58e85312 upstream. It is possible for pcp->count - pcp->high to exceed pcp->batch by a lot. When this happens, we should perform batching to ensure that free_pcppages_bulk isn't called with too many pages to free at once and starve out other threads that need the pcp or zone lock. Since we are still only freeing the difference between the initial pcp->count and pcp->high values, there should be no change to how many pages are freed. Link: https://lkml.kernel.org/r/20251014145011.3427205-3-joshua.hahnjy@gmail.com Signed-off-by: Joshua Hahn <joshua.hahnjy@gmail.com> Suggested-by: Chris Mason <clm@fb.com> Suggested-by: Andrew Morton <akpm@linux-foundation.org> Co-developed-by: Johannes Weiner <hannes@cmpxchg.org> Reviewed-by: Vlastimil Babka <vbabka@suse.cz> Cc: Brendan Jackman <jackmanb@google.com> Cc: "Kirill A. Shutemov" <kirill@shutemov.name> Cc: Michal Hocko <mhocko@suse.com> Cc: SeongJae Park <sj@kernel.org> Cc: Suren Baghdasaryan <surenb@google.com> Cc: Zi Yan <ziy@nvidia.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Stable-dep-of: 038a102535eb ("mm/page_alloc: prevent pcp corruption with SMP=n") Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit baea24956aea96546975f9fb55534abd04db5ad9) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 038a102535eb49e10e93eafac54352fcc5d78847 upstream. The kernel test robot has reported: BUG: spinlock trylock failure on UP on CPU#0, kcompactd0/28 lock: 0xffff888807e35ef0, .magic: dead4ead, .owner: kcompactd0/28, .owner_cpu: 0 CPU: 0 UID: 0 PID: 28 Comm: kcompactd0 Not tainted 6.18.0-rc5-00127-ga06157804399 #1 PREEMPT 8cc09ef94dcec767faa911515ce9e609c45db470 Call Trace: <IRQ> __dump_stack (lib/dump_stack.c:95) dump_stack_lvl (lib/dump_stack.c:123) dump_stack (lib/dump_stack.c:130) spin_dump (kernel/locking/spinlock_debug.c:71) do_raw_spin_trylock (kernel/locking/spinlock_debug.c:?) _raw_spin_trylock (include/linux/spinlock_api_smp.h:89 kernel/locking/spinlock.c:138) __free_frozen_pages (mm/page_alloc.c:2973) ___free_pages (mm/page_alloc.c:5295) __free_pages (mm/page_alloc.c:5334) tlb_remove_table_rcu (include/linux/mm.h:? include/linux/mm.h:3122 include/asm-generic/tlb.h:220 mm/mmu_gather.c:227 mm/mmu_gather.c:290) ? __cfi_tlb_remove_table_rcu (mm/mmu_gather.c:289) ? rcu_core (kernel/rcu/tree.c:?) rcu_core (include/linux/rcupdate.h:341 kernel/rcu/tree.c:2607 kernel/rcu/tree.c:2861) rcu_core_si (kernel/rcu/tree.c:2879) handle_softirqs (arch/x86/include/asm/jump_label.h:36 include/trace/events/irq.h:142 kernel/softirq.c:623) __irq_exit_rcu (arch/x86/include/asm/jump_label.h:36 kernel/softirq.c:725) irq_exit_rcu (kernel/softirq.c:741) sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1052) </IRQ> <TASK> RIP: 0010:_raw_spin_unlock_irqrestore (arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:152 kernel/locking/spinlock.c:194) free_pcppages_bulk (mm/page_alloc.c:1494) drain_pages_zone (include/linux/spinlock.h:391 mm/page_alloc.c:2632) __drain_all_pages (mm/page_alloc.c:2731) drain_all_pages (mm/page_alloc.c:2747) kcompactd (mm/compaction.c:3115) kthread (kernel/kthread.c:465) ? __cfi_kcompactd (mm/compaction.c:3166) ? __cfi_kthread (kernel/kthread.c:412) ret_from_fork (arch/x86/kernel/process.c:164) ? __cfi_kthread (kernel/kthread.c:412) ret_from_fork_asm (arch/x86/entry/entry_64.S:255) </TASK> Matthew has analyzed the report and identified that in drain_page_zone() we are in a section protected by spin_lock(&pcp->lock) and then get an interrupt that attempts spin_trylock() on the same lock. The code is designed to work this way without disabling IRQs and occasionally fail the trylock with a fallback. However, the SMP=n spinlock implementation assumes spin_trylock() will always succeed, and thus it's normally a no-op. Here the enabled lock debugging catches the problem, but otherwise it could cause a corruption of the pcp structure. The problem has been introduced by commit 5749077 ("mm/page_alloc: leave IRQs enabled for per-cpu page allocations"). The pcp locking scheme recognizes the need for disabling IRQs to prevent nesting spin_trylock() sections on SMP=n, but the need to prevent the nesting in spin_lock() has not been recognized. Fix it by introducing local wrappers that change the spin_lock() to spin_lock_iqsave() with SMP=n and use them in all places that do spin_lock(&pcp->lock). [vbabka@suse.cz: add pcp_ prefix to the spin_lock_irqsave wrappers, per Steven] Link: https://lkml.kernel.org/r/20260105-fix-pcp-up-v1-1-5579662d2071@suse.cz Fixes: 5749077 ("mm/page_alloc: leave IRQs enabled for per-cpu page allocations") Signed-off-by: Vlastimil Babka <vbabka@suse.cz> Reported-by: kernel test robot <oliver.sang@intel.com> Closes: https://lore.kernel.org/oe-lkp/202512101320.e2f2dd6f-lkp@intel.com Analyzed-by: Matthew Wilcox <willy@infradead.org> Link: https://lore.kernel.org/all/aUW05pyc9nZkvY-1@casper.infradead.org/ Acked-by: Mel Gorman <mgorman@techsingularity.net> Cc: Brendan Jackman <jackmanb@google.com> Cc: Johannes Weiner <hannes@cmpxchg.org> Cc: Michal Hocko <mhocko@suse.com> Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Cc: Steven Rostedt <rostedt@goodmis.org> Cc: Suren Baghdasaryan <surenb@google.com> Cc: Zi Yan <ziy@nvidia.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 3098f8f7c7b0686c74827aec42a2c45e69801ff8) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
This reverts commit b49c766856fb5901490de577e046149ebf15e39d which is commit e5bf5ee266633cb18fff6f98f0b7d59a62819eee upstream. It has been reported to cause test problems in Android devices. As the other functionfs changes were not also backported at the same time, something is out of sync. So just revert this one for now and it can come back in the future as a patch series if it is tested. Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 2d1bf4a7b8ed87ab32adaa40f53dfe332755451d) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 4b5c493ff762bb0433529ca6870b284f0a2a5ca8 upstream.
A call to mmu_notifier_arch_invalidate_secondary_tlbs() was introduced in
commit e37d5a2d60a3 ("iommu/sva: invalidate stale IOTLB entries for kernel
address space") but without explicitly adding its corresponding header
file <linux/mmu_notifier.h>. This was evidenced while trying to enable
compile testing support for IOMMU_SVA:
config IOMMU_SVA
select IOMMU_MM_DATA
- bool
+ bool "Shared Virtual Addressing" if COMPILE_TEST
The thing is for certain architectures this header file is indirectly
included via <asm/tlbflush.h>. However, for others such as 32-bit arm the
header is missing and it results in a build failure:
$ make ARCH=arm allmodconfig
[...]
drivers/iommu/iommu-sva.c:340:3: error: call to undeclared function 'mmu_notifier_arch_invalidate_secondary_tlbs' [...]
340 | mmu_notifier_arch_invalidate_secondary_tlbs(iommu_mm->mm, start, end);
| ^
Fix this by including the appropriate header file.
Link: https://lkml.kernel.org/r/20260105190747.625082-1-cmllamas@google.com
Fixes: e37d5a2d60a3 ("iommu/sva: invalidate stale IOTLB entries for kernel address space")
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Cc: Baolu Lu <baolu.lu@linux.intel.com>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Cc: Joerg Roedel <joro@8bytes.org>
Cc: Kevin Tian <kevin.tian@intel.com>
Cc: Robin Murphy <robin.murphy@arm.com>
Cc: Vasant Hegde <vasant.hegde@amd.com>
Cc: Will Deacon <will@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit d6a25e6ee3ec37a9bcba6ca00c4e7b397250acf7)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
Link: https://lore.kernel.org/r/20260121181418.537774329@linuxfoundation.org Tested-by: Salvatore Bonaccorso <carnil@debian.org> Tested-by: Ronald Warsow <rwarsow@gmx.de> Tested-by: Shuah Khan <skhan@linuxfoundation.org> Tested-by: Florian Fainelli <florian.fainelli@broadcom.com> Tested-by: Justin M. Forbes <jforbes@fedoraproject.org> Tested-by: Takeshi Ogasawara <takeshi.ogasawara@futuring-girl.com> Tested-by: Brett A C Sheffield <bacs@librecast.net> Tested-by: Shung-Hsi Yu <shung-hsi.yu@suse.com> Tested-by: Jon Hunter <jonathanh@nvidia.com> Tested-by: Ron Economos <re@w6rz.net> Tested-by: Brett Mastbergen <bmastbergen@ciq.com> Tested-by: Peter Schneider <pschneider1968@googlemail.com> Tested-by: Mark Brown <broonie@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 5dfbc5357c34bdf81c84aa78bc8e3d6d9ba10aad) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
![sourcery-ai[bot]](https://avatars.githubusercontent.com/in/48477?s=60&v=4){kind=small}
There was a problem hiding this comment.
Sorry @opsiff, your pull request is larger than the review limit of 150000 diff characters
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
20 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Update kernel base to 6.18.7.
git log --oneline v6.18.6..v6.18.7 |wc
199 1746 14527
Revert "x86/resctrl: Add Hygon QoS support"
Aboorva Devarajan (1):
mm/page_alloc: make percpu_pagelist_high_fraction reads lock-free
Aditya Garg (1):
net: hv_netvsc: reject RSS hash key programming without RX indirection
table
Alex Deucher (1):
drm/amdgpu: make sure userqs are enabled in userq IOCTLs
Alice Ryhl (1):
rust: bitops: fix missing find* functions on 32-bit ARM
Andreas Gruenbacher (1):
Revert "gfs2: Fix use of bio_chain"
Andy Yan (2):
drm/rockchip: vop2: Add delay between poll registers
drm/rockchip: vop2: Only wait for changed layer cfg done when there is
pending cfgdone bits
Anthony Brandon (1):
dmaengine: xilinx: xdma: Fix regmap max_register
Antony Antony (1):
xfrm: set ipv4 no_pmtu_disc flag only on output sa when direction is
set
Arnaud Ferraris (1):
tcpm: allow looking for role_sw device in the main node
Arnd Bergmann (1):
ext4: fix ext4_tune_sb_params padding
Bagas Sanjaya (3):
mm: describe @flags parameter in memalloc_flags_save()
textsearch: describe @list member in ts_ops search
mm, kfence: describe @slab parameter in __kfence_obj_info()
Ben Dooks (1):
mm: numa,memblock: include <asm/numa.h> for 'numa_nodes_parsed'
Benjamin Tissoires (1):
HID: usbhid: paper over wrong bNumDescriptor field
Biju Das (1):
dmaengine: sh: rz-dmac: Fix rz_dmac_terminate_all()
Binbin Zhou (4):
LoongArch: dts: loongson-2k0500: Add default interrupt controller
address cells
LoongArch: dts: loongson-2k1000: Add default interrupt controller
address cells
LoongArch: dts: loongson-2k1000: Fix i2c-gpio node names
LoongArch: dts: loongson-2k2000: Add default interrupt controller
address cells
Brian Foster (1):
xfs: set max_agbno to allow sparse alloc of last full inode chunk
Brian Kao (1):
scsi: core: Fix error handler encryption support
Bui Quang Minh (1):
virtio-net: don't schedule delayed refill worker
Caleb Sander Mateos (1):
block: zero non-PI portion of auto integrity buffer
Carlos Llamas (1):
iommu/sva: include mmu_notifier.h header
Carlos Song (1):
i2c: imx-lpi2c: change to PIO mode in system-wide suspend/resume
progress
Cole Leavitt (1):
ASoC: sdw_utils: cs42l43: Enable Headphone pin for LINEOUT jack type
Dan Carpenter (1):
phy: stm32-usphyc: Fix off by one in probe()
Dan Williams (1):
x86/kaslr: Recognize all ZONE_DEVICE users as physaddr consumers
Dave Hansen (5):
mm: add a ptdesc flag to mark kernel page tables
mm: actually mark kernel page table pages
x86/mm: use 'ptdesc' when freeing PMD pages
mm: introduce pure page table freeing function
mm: introduce deferred freeing for kernel page tables
Emil Svendsen (2):
ASoC: tlv320adcx140: fix null pointer
ASoC: tlv320adcx140: fix word length
Eric Dumazet (8):
ipv4: ip_tunnel: spread netdev_lockdep_set_classes()
net: bridge: annotate data-races around fdb->{updated,used}
ip6_tunnel: use skb_vlan_inet_prepare() in _ip6_tnl_rcv()
net: update netdev_lock{type,name}
macvlan: fix possible UAF in macvlan_forward_source()
ipv4: ip_gre: make ipgre_header() robust
dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list()
net/sched: sch_qfq: do not free existing class in qfq_change_class()
Ethan Nelson-Moore (1):
USB: serial: ftdi_sio: add support for PICAXE AXE027 cable
Filipe Manana (1):
btrfs: release path before iget_failed() in btrfs_read_locked_inode()
Franz Schnyder (1):
phy: fsl-imx8mq-usb: fix typec orientation switch when built as module
Gal Pressman (1):
selftests: drv-net: fix RPS mask handling for high CPU numbers
Greg Kroah-Hartman (2):
Revert "functionfs: fix the open/removal races"
Linux 6.18.7
Guenter Roeck (1):
ftrace: Do not over-allocate ftrace memory
Guodong Xu (1):
dmaengine: mmp_pdma: fix DMA mask handling
Gustavo A. R. Silva (1):
virtio_net: Fix misalignment bug in struct virtnet_info
Günther Noack (1):
selftests/landlock: Properly close a file descriptor
Haotian Zhang (2):
phy: ti: da8xx-usb: Handle devm_pm_runtime_enable() errors
dmaengine: omap-dma: fix dma_pool resource leak in error paths
Haoxiang Li (4):
EDAC/x38: Fix a resource leak in x38_probe1()
EDAC/i3200: Fix a resource leak in i3200_probe1()
drm/amdkfd: fix a memory leak in device_queue_manager_init()
drm/vmwgfx: Fix an error return check in vmw_compat_shader_add()
Harish Kasiviswanathan (1):
drm/amdkfd: No need to suspend whole MES to evict process
Harshit Mogalapalli (1):
soundwire: bus: fix off-by-one when allocating slave IDs
Huacai Chen (1):
USB: OHCI/UHCI: Add soft dependencies on ehci_platform
Ian Forbes (2):
drm/vmwgfx: Fix KMS with 3D on HW version 10
drm/vmwgfx: Merge vmw_bo_release and vmw_bo_free functions
Ilikara Zheng (1):
nvme-pci: disable secondary temp for Wodposit WPBSNM8
Janne Grunau (2):
nvme-apple: add "apple,t8103-nvme-ans2" as compatible
dmaengine: apple-admac: Add "apple,t8103-admac" compatible
Jaroslav Kysela (1):
ALSA: pcm: Improve the fix for race of buffer access at PCM OSS layer
Jianbo Liu (1):
xfrm: Fix inner mode lookup in tunnel mode GSO segmentation
Jiasheng Jiang (1):
btrfs: fix memory leaks in create_space_info() error paths
Jijie Shao (1):
net: phy: motorcomm: fix duplex setting error for phy leds
Johan Hovold (17):
ASoC: codecs: wsa884x: fix codec initialisation
ASoC: codecs: wsa883x: fix unnecessary initialisation
phy: ti: gmii-sel: fix regmap leak on probe failure
ASoC: codecs: wsa881x: fix unnecessary initialisation
dmaengine: at_hdmac: fix device leak on of_dma_xlate()
dmaengine: bcm-sba-raid: fix device leak on probe
dmaengine: cv1800b-dmamux: fix device leak on route allocation
dmaengine: dw: dmamux: fix OF node leak on route allocation failure
dmaengine: idxd: fix device leaks on compat bind and unbind
dmaengine: lpc18xx-dmamux: fix device leak on route allocation
dmaengine: lpc32xx-dmamux: fix device leak on route allocation
dmaengine: sh: rz-dmac: fix device leak on probe failure
dmaengine: stm32: dmamux: fix device leak on route allocation
dmaengine: stm32: dmamux: fix OF node leak on route allocation failure
dmaengine: ti: dma-crossbar: fix device leak on dra7x route allocation
dmaengine: ti: dma-crossbar: fix device leak on am335x route
allocation
dmaengine: ti: k3-udma: fix device leak on udma lookup
Johannes Brüderl (1):
usb: core: add USB_QUIRK_NO_BOS for devices that hang on BOS
descriptor
John Groves (1):
drivers/dax: add some missing kerneldoc comment fields for struct
dev_dax
Joshua Hahn (2):
mm/page_alloc/vmstat: simplify refresh_cpu_vm_stats change detection
mm/page_alloc: batch page freeing in decay_pcp_high
Kery Qi (1):
net: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback
Krzysztof Kozlowski (1):
phy: broadcom: ns-usb3: Fix Wvoid-pointer-to-enum-cast warning (again)
Kuniyuki Iwashima (1):
ipv6: Fix use-after-free in inet6_addr_del().
Li Ming (1):
cxl/hdm: Fix potential infinite loop in __cxl_dpa_reserve()
Lisa Robinson (1):
LoongArch: Fix PMU counter allocation for mixed-type event groups
Loic Poulain (1):
phy: qcom-qusb2: Fix NULL pointer dereference on early suspend
Lorenzo Bianconi (1):
net: airoha: Fix typo in airoha_ppe_setup_tc_block_cb definition
Lorenzo Stoakes (3):
tools/testing/selftests: add tests for !tgt, src mremap() merges
tools/testing/selftests: add forked (un)/faulted VMA merge tests
tools/testing/selftests: fix gup_longterm for unknown fs
Louis Chauvet (1):
phy: rockchip: inno-usb2: fix disconnection in gadget mode
Lu Baolu (2):
x86/mm: use pagetable_free()
iommu/sva: invalidate stale IOTLB entries for kernel address space
Lu Yao (1):
drm/amdgpu: fix drm panic null pointer when driver not support atomic
Luca Ceresoli (1):
phy: rockchip: inno-usb2: fix communication disruption in gadget mode
Ludovic Desroches (1):
drm/panel: simple: restore connector_type fallback
Lyude Paul (1):
drm/nouveau/disp/nv50-: Set lock_core in curs507a_prepare
Marc Kleine-Budde (1):
can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak
Marek Vasut (1):
drm/panel-simple: fix connector type for DataImage SCF0700C48GGU18
panel
Mario Limonciello (1):
drm/amd/display: Bump the HDMI clock to 340MHz
Mario Limonciello (AMD) (2):
drm/amd/display: Show link name in PSR status message
drm/amd: Clean up kfd node on surprise disconnect
Mathias Nyman (1):
xhci: sideband: don't dereference freed ring when removing sideband
endpoint
Matthew Schwartz (1):
ALSA: hda/tas2781: Skip UEFI calibration on ASUS ROG Xbox Ally X
Matthieu Buffet (3):
landlock: Fix TCP handling of short AF_UNSPEC addresses
selftests/landlock: Fix TCP bind(AF_UNSPEC) test case
selftests/landlock: Remove invalid unix socket bind()
Miaoqian Lin (1):
dmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config()
Mike Rapoport (Microsoft) (1):
mips: fix HIGHMEM initialization
Ming Lei (1):
io_uring: move local task_work in exit cancel loop
Morduan Zang (1):
efi/cper: Fix cper_bits_to_str buffer handling and return value
Nathan Chancellor (1):
HID: intel-ish-hid: Fix -Wcast-function-type-strict in
devm_ishtp_alloc_workqueue()
Neil Armstrong (1):
i2c: qcom-geni: make sure I2C hub controllers can't use SE DMA
Nilay Shroff (2):
null_blk: fix kmemleak by releasing references to fault configfs items
nvme: fix PCIe subsystem reset controller state transition
Nirjhar Roy (IBM) (1):
xfs: Fix the return value of xfs_rtcopy_summary()
Ondrej Ille (1):
can: ctucanfd: fix SSP_SRC in cases when bit-rate is higher than 1
MBit.
Paolo Bonzini (2):
selftests: kvm: replace numbered sync points with actions
selftests: kvm: try getting XFD and XSAVE state out of sync
Pavel Butsykin (1):
mm/zswap: fix error pointer free in zswap_cpu_comp_prepare()
Peng Fan (1):
firmware: imx: scu-irq: Set mu_resource_id before get handle
Peter Zijlstra (2):
sched/deadline: Avoid double update_rq_clock()
sched: Deadline has dynamic priority
Philip Yang (1):
drm/amdgpu: Fix gfx9 update PTE mtype flag
Qiang Ma (3):
LoongArch: KVM: Fix kvm_device leak in kvm_eiointc_destroy()
LoongArch: KVM: Fix kvm_device leak in kvm_ipi_destroy()
LoongArch: KVM: Fix kvm_device leak in kvm_pch_pic_destroy()
Qu Wenruo (1):
btrfs: send: check for inline extents in range_is_hole_in_parent()
Rafael Beims (1):
phy: freescale: imx8m-pcie: assert phy reset during power on
Richard Fitzgerald (2):
ALSA: hda/cirrus_scodec_test: Fix incorrect setup of gpiochip
ALSA: hda/cirrus_scodec_test: Fix test suite name
Robbie Ko (1):
btrfs: fix deadlock in wait_current_trans() due to ignored transaction
type
Robert Richter (1):
cxl/port: Fix target list setup for multiple decoders sharing the same
dport
Ryan Roberts (1):
mm: kmsan: fix poisoning of high-order non-compound pages
Saeed Mahameed (4):
net/mlx5e: Fix crash on profile change rollback failure
net/mlx5e: Don't store mlx5e_priv in mlx5e_dev devlink priv
net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv
net/mlx5e: Restore destroying state bit after profile cleanup
Sean Christopherson (1):
x86/fpu: Clear XSTATE_BV[i] in guest XSAVE state whenever XFD[i]=1
Sebastian Reichel (1):
drm/bridge: dw-hdmi-qp: Fix spurious IRQ on resume
SeongJae Park (5):
mm/damon/core: remove call_control in inactive contexts
mm/damon/sysfs-scheme: cleanup quotas subdirs on scheme dir setup
failure
mm/damon/sysfs-scheme: cleanup access_pattern subdirs on scheme dir
setup failure
mm/damon/sysfs: cleanup intervals subdirs on attrs dir setup failure
mm/damon/sysfs: cleanup attrs subdirs on context dir setup failure
Shakeel Butt (1):
lib/buildid: use __kernel_read() for sleepable context
Sheetal (1):
dmaengine: tegra-adma: Fix use-after-free
Shenghao Yang (1):
drm/gud: fix NULL fb and crtc dereferences on USB disconnect
Shivam Kumar (1):
nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec
Srinivasan Shanmugam (1):
drm/amdgpu/userq: Fix fence reference leak on queue teardown v2
Stefano Garzarella (1):
vsock/test: add a final full barrier after run all tests
Stefano Radaelli (1):
phy: fsl-imx8mq-usb: Clear the PCS_TX_SWING_FULL field before using it
Suraj Gupta (1):
dmaengine: xilinx_dma: Fix uninitialized addr_width when
"xlnx,addrwidth" property is missing
Szymon Wilczek (1):
can: etas_es58x: allow partial RX URB allocation to succeed
Tetsuo Handa (1):
net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session
upon receiving the second rts
Thinh Nguyen (1):
usb: dwc3: Check for USB4 IP_NAME
Thomas Weißschuh (1):
hrtimer: Fix softirq base check in update_needs_ipi()
Thomas Zimmermann (1):
drm/sysfb: Remove duplicate declarations
Tingmao Wang (1):
landlock: Fix wrong type usage
Tommaso Merciai (1):
i2c: riic: Move suspend handling to NOIRQ phase
Trond Myklebust (4):
pNFS: Fix a deadlock when returning a delegation during open()
NFS: Fix a deadlock involving nfs_release_folio()
NFS/localio: Deal with page bases that are > PAGE_SIZE
NFS: Fix size read races in truncate, fallocate and copy offload
Ulrich Mohr (1):
USB: serial: option: add Telit LE910 MBIM composition
Vivek Das Mohapatra (1):
drm/amd/display: Initialise backlight level values from hw
Vlastimil Babka (1):
mm/page_alloc: prevent pcp corruption with SMP=n
Wayne Chang (2):
phy: tegra: xusb: Explicitly configure HS_DISCON_LEVEL to 0x7
usb: host: xhci-tegra: Use platform_get_irq_optional() for wake IRQs
Wentao Guan (1):
Revert "x86/resctrl: Add Hygon QoS support"
Wentao Liang (1):
phy: rockchip: inno-usb2: Fix a double free bug in
rockchip_usb2phy_probe()
Xiaochen Shen (2):
x86/resctrl: Add missing resctrl initialization for Hygon
x86/resctrl: Fix memory bandwidth counter width for Hygon
Xu Yang (2):
usb: gadget: uvc: fix interval_duration calculation
usb: gadget: uvc: fix req_payload_size calculation
Yang Erkun (1):
ext4: fix iloc.bh leak in ext4_xattr_inode_update_ref
Yang Li (1):
Bluetooth: hci_sync: enable PA Sync Lost event
Yang Wang (1):
drm/amd/pm: fix smu overdrive data type wrong issue on smu 14.0.2
Yao Zi (1):
LoongArch: dts: Describe PCI sideband IRQ through interrupt-extended
Yaxiong Tian (1):
PM: EM: Fix incorrect description of the cost field in struct
em_perf_state
Yonghong Song (1):
selftests/bpf: Fix selftest verif_scale_strobemeta failure with llvm22
Zhang Heng (1):
ALSA: hda/realtek: Add quirk for HP Pavilion x360 to enable mute LED
Zhang Lixu (1):
HID: intel-ish-hid: Use dedicated unbound workqueues to prevent resume
blocking
Zhen Ni (1):
dmaengine: fsl-edma: Fix clk leak on alloc_chan_resources failure
Zilin Guan (2):
pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node()
pnfs/blocklayout: Fix memory leak in bl_parse_scsi()
Makefile | 2 +-
arch/loongarch/boot/dts/loongson-2k0500.dtsi | 3 +
arch/loongarch/boot/dts/loongson-2k1000.dtsi | 31 +-
arch/loongarch/boot/dts/loongson-2k2000.dtsi | 35 +-
arch/loongarch/kernel/perf_event.c | 21 +-
arch/loongarch/kvm/intc/eiointc.c | 1 +
arch/loongarch/kvm/intc/ipi.c | 1 +
arch/loongarch/kvm/intc/pch_pic.c | 1 +
arch/mips/mm/init.c | 23 ++
arch/x86/Kconfig | 1 +
arch/x86/kernel/cpu/resctrl/core.c | 17 +-
arch/x86/kernel/cpu/resctrl/internal.h | 3 +
arch/x86/kernel/fpu/core.c | 32 +-
arch/x86/kvm/x86.c | 9 +
arch/x86/mm/init_64.c | 2 +-
arch/x86/mm/kaslr.c | 10 +-
arch/x86/mm/pat/set_memory.c | 2 +-
arch/x86/mm/pgtable.c | 12 +-
block/bio-integrity-auto.c | 2 +-
drivers/block/null_blk/main.c | 12 +-
drivers/cxl/core/hdm.c | 2 +-
drivers/cxl/core/port.c | 2 +-
drivers/dax/dax-private.h | 10 +-
drivers/dma/apple-admac.c | 1 +
drivers/dma/at_hdmac.c | 9 +-
drivers/dma/bcm-sba-raid.c | 6 +-
drivers/dma/cv1800b-dmamux.c | 17 +-
drivers/dma/dw/rzn1-dmamux.c | 4 +-
drivers/dma/fsl-edma-common.c | 1 +
drivers/dma/idxd/compat.c | 23 +-
drivers/dma/lpc18xx-dmamux.c | 19 +-
drivers/dma/lpc32xx-dmamux.c | 19 +-
drivers/dma/mmp_pdma.c | 20 +-
drivers/dma/qcom/gpi.c | 6 +-
drivers/dma/sh/rz-dmac.c | 18 +-
drivers/dma/stm32/stm32-dmamux.c | 22 +-
drivers/dma/tegra210-adma.c | 10 +-
drivers/dma/ti/dma-crossbar.c | 18 +-
drivers/dma/ti/k3-udma-private.c | 2 +-
drivers/dma/ti/omap-dma.c | 4 +
drivers/dma/xilinx/xdma-regs.h | 1 +
drivers/dma/xilinx/xdma.c | 2 +-
drivers/dma/xilinx/xilinx_dma.c | 7 +-
drivers/edac/i3200_edac.c | 11 +-
drivers/edac/x38_edac.c | 9 +-
drivers/firmware/efi/cper.c | 2 +-
drivers/firmware/imx/imx-scu-irq.c | 24 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 8 +
drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 7 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c | 16 +
drivers/gpu/drm/amd/amdgpu/amdgpu_userq.h | 1 +
.../gpu/drm/amd/amdgpu/amdgpu_userq_fence.c | 8 +
drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c | 8 +-
.../drm/amd/amdkfd/kfd_device_queue_manager.c | 31 +-
.../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 21 +-
.../gpu/drm/amd/display/dc/dc_hdmi_types.h | 2 +-
.../drm/amd/display/dc/link/link_detection.c | 4 +-
.../drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c | 3 +-
drivers/gpu/drm/bridge/synopsys/dw-hdmi-qp.c | 9 +
drivers/gpu/drm/gud/gud_pipe.c | 20 +-
drivers/gpu/drm/nouveau/dispnv50/curs507a.c | 1 +
drivers/gpu/drm/panel/panel-simple.c | 90 ++--
.../gpu/drm/rockchip/dw_hdmi_qp-rockchip.c | 12 +-
drivers/gpu/drm/rockchip/rockchip_vop2_reg.c | 17 +-
drivers/gpu/drm/sysfb/drm_sysfb_helper.h | 9 -
drivers/gpu/drm/vmwgfx/vmwgfx_bo.c | 22 +-
drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 14 +-
drivers/gpu/drm/vmwgfx/vmwgfx_shader.c | 4 +-
drivers/hid/intel-ish-hid/ipc/ipc.c | 25 +-
drivers/hid/intel-ish-hid/ipc/pci-ish.c | 2 +-
drivers/hid/intel-ish-hid/ishtp-hid-client.c | 4 +-
drivers/hid/intel-ish-hid/ishtp/bus.c | 18 +-
drivers/hid/intel-ish-hid/ishtp/hbm.c | 4 +-
drivers/hid/intel-ish-hid/ishtp/ishtp-dev.h | 3 +
drivers/hid/usbhid/hid-core.c | 17 +-
drivers/i2c/busses/i2c-imx-lpi2c.c | 7 +
drivers/i2c/busses/i2c-qcom-geni.c | 11 +-
drivers/i2c/busses/i2c-riic.c | 46 ++-
drivers/iommu/iommu-sva.c | 33 +-
drivers/net/can/ctucanfd/ctucanfd_base.c | 2 +-
drivers/net/can/usb/etas_es58x/es58x_core.c | 2 +-
drivers/net/can/usb/gs_usb.c | 2 +
.../marvell/octeon_ep_vf/octep_vf_main.c | 2 +-
drivers/net/ethernet/mellanox/mlx5/core/en.h | 13 +-
.../net/ethernet/mellanox/mlx5/core/en_main.c | 86 ++--
.../net/ethernet/mellanox/mlx5/core/en_rep.c | 15 +-
drivers/net/hyperv/netvsc_drv.c | 3 +
drivers/net/macvlan.c | 20 +-
drivers/net/phy/motorcomm.c | 4 +-
drivers/net/virtio_net.c | 59 +--
drivers/nvme/host/apple.c | 1 +
drivers/nvme/host/pci.c | 7 +-
drivers/nvme/target/tcp.c | 12 +
drivers/pci/Kconfig | 6 -
drivers/phy/broadcom/phy-bcm-ns-usb3.c | 2 +-
drivers/phy/freescale/phy-fsl-imx8m-pcie.c | 3 +-
drivers/phy/freescale/phy-fsl-imx8mq-usb.c | 15 +-
drivers/phy/qualcomm/phy-qcom-qusb2.c | 16 +-
drivers/phy/rockchip/phy-rockchip-inno-usb2.c | 14 +-
drivers/phy/st/phy-stm32-usbphyc.c | 2 +-
drivers/phy/tegra/xusb-tegra186.c | 3 +
drivers/phy/ti/phy-da8xx-usb.c | 7 +-
drivers/phy/ti/phy-gmii-sel.c | 2 +-
drivers/scsi/scsi_error.c | 24 ++
drivers/soundwire/bus_type.c | 2 +-
drivers/usb/core/config.c | 5 +
drivers/usb/core/quirks.c | 3 +
drivers/usb/dwc3/core.c | 2 +
drivers/usb/dwc3/core.h | 1 +
drivers/usb/gadget/function/f_fs.c | 53 +--
drivers/usb/gadget/function/f_uvc.c | 4 +
drivers/usb/gadget/function/uvc.h | 3 +-
drivers/usb/gadget/function/uvc_queue.c | 15 +-
drivers/usb/gadget/function/uvc_video.c | 11 +-
drivers/usb/host/ohci-platform.c | 1 +
drivers/usb/host/uhci-platform.c | 1 +
drivers/usb/host/xhci-sideband.c | 1 -
drivers/usb/host/xhci-tegra.c | 2 +-
drivers/usb/host/xhci.c | 15 +-
drivers/usb/serial/ftdi_sio.c | 1 +
drivers/usb/serial/ftdi_sio_ids.h | 2 +
drivers/usb/serial/option.c | 1 +
drivers/usb/typec/tcpm/tcpm.c | 2 +-
fs/btrfs/inode.c | 9 +
fs/btrfs/send.c | 2 +
fs/btrfs/space-info.c | 8 +-
fs/btrfs/transaction.c | 11 +-
fs/ext4/xattr.c | 1 +
fs/gfs2/lops.c | 2 +-
fs/nfs/blocklayout/dev.c | 6 +-
fs/nfs/file.c | 3 +-
fs/nfs/flexfilelayout/flexfilelayoutdev.c | 2 +-
fs/nfs/inode.c | 10 +-
fs/nfs/io.c | 2 +
fs/nfs/localio.c | 2 +
fs/nfs/nfs42proc.c | 29 +-
fs/nfs/nfs4proc.c | 6 +-
fs/nfs/nfstrace.h | 3 +
fs/nfs/pnfs.c | 58 ++-
fs/nfs/pnfs.h | 17 +-
fs/nfs/write.c | 33 ++
fs/xfs/libxfs/xfs_ialloc.c | 11 +-
fs/xfs/xfs_rtalloc.c | 2 +-
include/asm-generic/pgalloc.h | 18 +
include/drm/bridge/dw_hdmi_qp.h | 1 +
include/linux/energy_model.h | 2 +-
include/linux/gfp.h | 2 +-
include/linux/intel-ish-client-if.h | 2 +
include/linux/iommu.h | 4 +
include/linux/kfence.h | 1 +
include/linux/mm.h | 65 ++-
include/linux/nfs_fs.h | 1 +
include/linux/sched/mm.h | 1 +
include/linux/soc/airoha/airoha_offload.h | 4 +-
include/linux/textsearch.h | 1 +
include/linux/usb/quirks.h | 3 +
include/net/ip_tunnels.h | 13 +-
include/scsi/scsi_eh.h | 6 +
include/sound/pcm.h | 2 +-
include/uapi/linux/ext4.h | 2 +-
io_uring/io_uring.c | 8 +-
kernel/sched/core.c | 2 +-
kernel/sched/deadline.c | 3 +-
kernel/sched/syscalls.c | 2 +-
kernel/time/hrtimer.c | 2 +-
kernel/trace/ftrace.c | 29 +-
lib/buildid.c | 32 +-
mm/Kconfig | 15 +-
mm/damon/core.c | 33 +-
mm/damon/sysfs-schemes.c | 10 +-
mm/damon/sysfs.c | 9 +-
mm/kmsan/shadow.c | 2 +-
mm/numa_memblks.c | 2 +
mm/page_alloc.c | 74 +++-
mm/pgtable-generic.c | 39 ++
mm/vmstat.c | 28 +-
mm/zswap.c | 2 +-
net/bluetooth/hci_sync.c | 1 +
net/bridge/br_fdb.c | 28 +-
net/bridge/br_input.c | 4 +-
net/can/j1939/transport.c | 10 +-
net/core/dev.c | 25 +-
net/core/dst.c | 1 +
net/ipv4/esp4_offload.c | 4 +-
net/ipv4/ip_gre.c | 11 +-
net/ipv4/ip_tunnel.c | 5 +-
net/ipv4/route.c | 4 +-
net/ipv6/addrconf.c | 4 +-
net/ipv6/esp6_offload.c | 4 +-
net/ipv6/ip6_tunnel.c | 2 +-
net/ipv6/route.c | 4 +-
net/sched/sch_qfq.c | 6 +-
net/xfrm/xfrm_state.c | 1 +
rust/helpers/bitops.c | 42 ++
security/landlock/audit.c | 2 +-
security/landlock/net.c | 118 +++---
sound/core/oss/pcm_oss.c | 4 +-
sound/core/pcm_native.c | 9 +-
sound/hda/codecs/realtek/alc269.c | 1 +
.../codecs/side-codecs/cirrus_scodec_test.c | 3 +-
.../hda/codecs/side-codecs/tas2781_hda_i2c.c | 13 +-
sound/soc/codecs/tlv320adcx140.c | 8 +-
sound/soc/codecs/wsa881x.c | 9 +
sound/soc/codecs/wsa883x.c | 9 +
sound/soc/codecs/wsa884x.c | 3 +-
sound/soc/sdw_utils/soc_sdw_cs42l43.c | 2 +-
.../testing/selftests/bpf/progs/strobemeta.h | 6 +-
tools/testing/selftests/kvm/x86/amx_test.c | 118 +++---
tools/testing/selftests/landlock/common.h | 1 +
tools/testing/selftests/landlock/fs_test.c | 6 +-
tools/testing/selftests/landlock/net_test.c | 16 +-
tools/testing/selftests/mm/gup_longterm.c | 2 +-
tools/testing/selftests/mm/merge.c | 384 ++++++++++++++++--
tools/testing/selftests/net/toeplitz.c | 4 +-
tools/testing/vsock/util.c | 12 +
215 files changed, 2118 insertions(+), 818 deletions(-)