[Deepin-Kernel-SIG] [linux 6.6-y] [Upstream] Update kernel base to 6.12.70#1504
opsiff wants to merge 115 commits into deepin-community:linux-6.12.y
commit 52a0a98549344ca20ad81a4176d68d28e3c05a5c upstream.
nvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU length or offset exceeds sg_cnt and then use bogus sg->length/offset values, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining entries, and sg->length/offset before building the bvec.
Fixes: 872d26a ("nvmet-tcp: add NVMe over TCP target driver")
Signed-off-by: YunJe Shin <ioerts@kookmin.ac.kr>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Reviewed-by: Joonkyo Jung <joonkyoj@yonsei.ac.kr>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 19672ae68d52ff75347ebe2420dde1b07adca09f)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
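The three guards named in the commit message above (index, remaining entries, per-entry length/offset), shown as an added userspace model; this is not the nvmet-tcp code. The `model_sg`/`model_bvec` types, `build_iovec()` and the one-entry-per-page layout are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define MODEL_PAGE_SIZE 4096u  /* assumption: each SG entry covers at most one page */

struct model_sg {              /* hypothetical stand-in for a scatterlist entry */
    size_t offset;             /* start of the data inside the page */
    size_t length;             /* valid bytes in this entry */
};

struct model_bvec {            /* hypothetical stand-in for a bio_vec */
    size_t sg_index;
    size_t offset;
    size_t length;
};

/*
 * Map the byte range [pdu_offset, pdu_offset + pdu_len) onto an SG list of
 * sg_cnt entries. Returns the number of bvecs written, or -1 when the range
 * would walk past the list or an entry carries inconsistent length/offset.
 * On -1 the caller must discard whatever was written to out[].
 */
int build_iovec(const struct model_sg *sg, size_t sg_cnt,
                size_t pdu_offset, size_t pdu_len,
                struct model_bvec *out, size_t out_cap)
{
    size_t sg_idx = pdu_offset / MODEL_PAGE_SIZE;
    size_t sg_off = pdu_offset % MODEL_PAGE_SIZE;
    size_t remaining = pdu_len;
    int n = 0;

    while (remaining > 0) {
        const struct model_sg *e;
        size_t chunk;

        /* Guard 1: the starting index and every later index stay in range. */
        if (sg_idx >= sg_cnt)
            return -1;
        /* Guard 2: there is still room in the output vector. */
        if ((size_t)n >= out_cap)
            return -1;

        e = &sg[sg_idx];
        /* Guard 3: length/offset are sane before they are used for copying. */
        if (e->length == 0 || e->length > MODEL_PAGE_SIZE ||
            e->offset > MODEL_PAGE_SIZE - e->length)
            return -1;
        if (sg_off >= e->length)
            return -1;

        chunk = e->length - sg_off;
        if (chunk > remaining)
            chunk = remaining;

        out[n].sg_index = sg_idx;
        out[n].offset = e->offset + sg_off;
        out[n].length = chunk;
        n++;

        remaining -= chunk;
        sg_idx++;
        sg_off = 0;            /* only the first entry starts mid-page */
    }
    return n;
}

int main(void)
{
    /* Constructed sample: a two-page request buffer. */
    struct model_sg sg[2] = { { 0, 4096 }, { 0, 4096 } };
    struct model_bvec bv[4];

    printf("in-range PDU      -> %d\n", build_iovec(sg, 2, 0, 8192, bv, 4));
    printf("length past end   -> %d\n", build_iovec(sg, 2, 4096, 8192, bv, 4));
    printf("offset past end   -> %d\n", build_iovec(sg, 2, 8192, 1, bv, 4));
    return 0;
}
```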
commit 2687c848e57820651b9f69d30c4710f4219f7dbf upstream.
Fedora QA reported the following panic:
    BUG: unable to handle page fault for address: 0000000040003e54
    #PF: supervisor write access in kernel mode
    #PF: error_code(0x0002) - not-present page
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20251119-3.fc43 11/19/2025
    RIP: 0010:vmware_hypercall4.constprop.0+0x52/0x90
    ..
    Call Trace:
     vmmouse_report_events+0x13e/0x1b0
     psmouse_handle_byte+0x15/0x60
     ps2_interrupt+0x8a/0xd0
     ...
because the QEMU VMware mouse emulation is buggy, and clears the top 32 bits of %rdi that the kernel kept a pointer in.
The QEMU vmmouse driver saves and restores the register state in a "uint32_t data[6];" and as a result restores the state with the high bits all cleared.
RDI originally contained the value of a valid kernel stack address (0xff5eeb3240003e54). After the vmware hypercall it now contains 0x40003e54, and we get a page fault as a result when it is dereferenced.
The proper fix would be in QEMU, but this works around the issue in the kernel to keep old setups working, when old kernels had not happened to keep any state in %rdi over the hypercall.
In theory this same issue exists for all the hypercalls in the vmmouse driver; in practice it has only been seen with vmware_hypercall3() and vmware_hypercall4(). For now, just mark RDI/RSI as clobbered for those two calls. This should have a minimal effect on code generation overall as it should be rare for the compiler to want to make RDI/RSI live across hypercalls.
Reported-by: Justin Forbes <jforbes@fedoraproject.org>
Link: https://lore.kernel.org/all/99a9c69a-fc1a-43b7-8d1e-c42d6493b41f@broadcom.com/
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 2f467a92df61eb516a4ec36ee16234dd4e5ccf00)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 16459fe7e0ca6520a6e8f603de4ccd52b90fd765 upstream. The original patch inverted the PTE unconditionally to avoid L1TF-vulnerable PTEs, but Linux doesn't make this adjustment in 2-level paging. Adjust the logic to use the flip_protnone_guard() helper, which is a nop on 2-level paging but inverts the address bits in all other paging modes. This doesn't matter for the Xen aspect of the original change. Linux no longer supports running 32bit PV under Xen, and Xen doesn't support running any 32bit PV guests without using PAE paging. Link: https://lkml.kernel.org/r/20260126211046.2096622-1-andrew.cooper3@citrix.com Fixes: b505f1944535 ("x86/kfence: avoid writing L1TF-vulnerable PTEs") Reported-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Closes: https://lore.kernel.org/lkml/CAKFNMokwjw68ubYQM9WkzOuH51wLznHpEOMSqtMoV1Rn9JV_gw@mail.gmail.com/ Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Tested-by: Borislav Petkov (AMD) <bp@alien8.de> Cc: Alexander Potapenko <glider@google.com> Cc: Marco Elver <elver@google.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@redhat.com> Cc: Dave Hansen <dave.hansen@linux.intel.com> Cc: "H. Peter Anvin" <hpa@zytor.com> Cc: Jann Horn <jannh@google.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 917ccf6fd180aba860ea01b3efa0503af911fb2b) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 25e9e322d2ab5c03602eff4fbf4f7c40019d8de2 upstream. The LTR blocking statistics and wakeup event counters are incorrectly cross-referenced during debugfs output rendering. The code populates pss_ltr_blkd[] with LTR blocking data and pss_s0ix_wakeup[] with wakeup data, but the display loops reference the wrong arrays. This causes the "LTR Blocking Status" section to print wakeup events and the "Wakes Status" section to print LTR blockers, misleading power management analysis and S0ix residency debugging. Fix by aligning array usage with the intended output section labels. Fixes: 87bee29 ("platform:x86: Add Intel Telemetry Debugfs interfaces") Cc: stable@vger.kernel.org Signed-off-by: Kaushlendra Kumar <kaushlendra.kumar@intel.com> Link: https://patch.msgid.link/20251224032053.3915900-1-kaushlendra.kumar@intel.com Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit e6ff2ebff427be6fef71ea120638216b08715ff6) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 826af7fa62e347464b1b4e0ba2fe19a92438084f upstream.
The PCM trigger callback of aloop driver tries to check the PCM state and stop the stream of the tied substream in the corresponding cable. Since both check and stop operations are performed outside the cable lock, this may result in UAF when a program attempts to trigger frequently while opening/closing the tied stream, as spotted by fuzzers.
For addressing the UAF, this patch changes two things:
- It covers most of the code in loopback_check_format() with cable->lock spinlock, and adds the proper NULL checks. This avoids already some racy accesses.
- In addition, now we try to check the state of the capture PCM stream that may be stopped in this function, which was the major pain point leading to UAF.
Reported-by: syzbot+5f8f3acdee1ec7a7ef7b@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/69783ba1.050a0220.c9109.0011.GAE@google.com
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20260203141003.116584-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit bad15420050db1803767e58756114800cce91ea4)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…t state
commit 8aa6f7697f5981d336cac7af6ddd182a03c6da01 upstream.
As it is indicated by the comment, the rpmpd_aggregate_corner() function tries to clamp the state to the highest corner/level supported by the given power domain, however the calculation of the highest state contains an off-by-one error.
The 'max_state' member of the 'rpmpd' structure indicates the highest corner/level, and as such it does not need to be decremented.
Change the code to use the 'max_state' value directly to avoid the error.
Fixes: 98c8b3e ("soc: qcom: rpmpd: Add sync_state")
Signed-off-by: Gabor Juhos <j4g8y7@gmail.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit ab99415e30f22210edd79d1673ccc3dd5c75a1ef)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit e9ab2b83893dd03cf04d98faded81190e635233f upstream.
Current design will power off all dependent GPC power domains in imx8mp_blk_ctrl_suspend(), even though the user device has enabled wakeup capability. The result is that wakeup function never works for such device.
An example will be USB wakeup on i.MX8MP. PHY device '382f0040.usb-phy' is attached to power domain 'hsioblk-usb-phy2' which is spawned by hsio block control. A virtual power domain device 'genpd:3:32f10000.blk-ctrl' is created to build connection with 'hsioblk-usb-phy2' and it depends on GPC power domain 'usb-otg2'. If device '382f0040.usb-phy' enables wakeup, only power domain 'hsioblk-usb-phy2' keeps on during system suspend, power domain 'usb-otg2' is off all the time. So the wakeup event can't happen.
In order to further establish a connection between the power domains related to GPC and block control during system suspend, register a genpd power on/off notifier for the power_dev. This allows us to prevent the GPC power domain from being powered off, in case the block control power domain is kept on to serve system wakeup.
Suggested-by: Ulf Hansson <ulf.hansson@linaro.org>
Fixes: 556f5cf ("soc: imx: add i.MX8MP HSIO blk-ctrl")
Cc: stable@vger.kernel.org
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit fb14cb9a1cd69f8a47c3468c32f192ce6836f67c)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit ae0a24c5a8dcea20bf8e344eadf6593e6d1959c3 upstream. On i.MX8MM, the GPUMIX, GPU2D, and GPU3D blocks share a common reset domain. Due to this hardware limitation, powering off/on GPU2D or GPU3D also triggers a reset of the GPUMIX domain, including its ADB400 port. However, the ADB400 interface must always be placed into power‑down mode before being reset. Currently the GPUMIX and GPU2D/3D power domains rely on runtime PM to handle dependency ordering. In some corner cases, the GPUMIX power off sequence is skipped, leaving the ADB400 port active when GPU2D/3D reset. This causes the GPUMIX ADB400 port to be reset while still active, leading to unpredictable bus behavior and GPU hangs. To avoid this, refine the power‑domain control logic so that the GPUMIX ADB400 port is explicitly powered down and powered up as part of the GPU power domain on/off sequence. This ensures proper ordering and prevents incorrect ADB400 reset. Suggested-by: Lucas Stach <l.stach@pengutronix.de> Signed-off-by: Jacky Bai <ping.bai@nxp.com> Reviewed-by: Lucas Stach <l.stach@pengutronix.de> Tested-by: Philipp Zabel <p.zabel@pengutronix.de> Cc: stable@vger.kernel.org Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit b8ea101959ab1a46c92be46c238283b0fe60252e) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…keup
commit e2c4c5b2bbd4f688a0f9f6da26cdf6d723c53478 upstream.
USB system wakeup needs its PHY on, so add the GENPD_FLAG_ACTIVE_WAKEUP flags to USB PHY genpd configuration.
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Fixes: 556f5cf ("soc: imx: add i.MX8MP HSIO blk-ctrl")
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit e142106ee355e74aedf781b18a686a63e729f5bd)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 6bd8b4a92a901fae1a422e6f914801063c345e8d upstream. Fix out-of-range access of bc->domains in imx8m_blk_ctrl_remove(). Fixes: 2684ac0 ("soc: imx: add i.MX8M blk-ctrl driver") Cc: stable@kernel.org Signed-off-by: Xu Yang <xu.yang_2@nxp.com> Reviewed-by: Daniel Baluta <daniel.baluta@nxp.com> Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 4390dcdabb5fca4647bf56a5a6b050bbdfa5760f) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit e6c53ead2d8fa73206e0a63e9cd9aea6bc929837 upstream.
When CONFIG_MEM_ALLOC_PROFILING_DEBUG is enabled, the following warning may be noticed:
    [ 3959.023862] ------------[ cut here ]------------
    [ 3959.023891] alloc_tag was not cleared (got tag for lib/xarray.c:378)
    [ 3959.023947] WARNING: ./include/linux/alloc_tag.h:155 at alloc_tag_add+0x128/0x178, CPU#6: mkfs.ntfs/113998
    [ 3959.023978] Modules linked in: dns_resolver tun brd overlay exfat btrfs blake2b libblake2b xor xor_neon raid6_pq loop sctp ip6_udp_tunnel udp_tunnel ext4 crc16 mbcache jbd2 rfkill sunrpc vfat fat sg fuse nfnetlink sr_mod virtio_gpu cdrom drm_client_lib virtio_dma_buf drm_shmem_helper drm_kms_helper ghash_ce drm sm4 backlight virtio_net net_failover virtio_scsi failover virtio_console virtio_blk virtio_mmio dm_mirror dm_region_hash dm_log dm_multipath dm_mod i2c_dev aes_neon_bs aes_ce_blk [last unloaded: hwpoison_inject]
    [ 3959.024170] CPU: 6 UID: 0 PID: 113998 Comm: mkfs.ntfs Kdump: loaded Tainted: G W 6.19.0-rc7+ deepin-community#7 PREEMPT(voluntary)
    [ 3959.024182] Tainted: [W]=WARN
    [ 3959.024186] Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022
    [ 3959.024192] pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
    [ 3959.024199] pc : alloc_tag_add+0x128/0x178
    [ 3959.024207] lr : alloc_tag_add+0x128/0x178
    [ 3959.024214] sp : ffff80008b696d60
    [ 3959.024219] x29: ffff80008b696d60 x28: 0000000000000000 x27: 0000000000000240
    [ 3959.024232] x26: 0000000000000000 x25: 0000000000000240 x24: ffff800085d17860
    [ 3959.024245] x23: 0000000000402800 x22: ffff0000c0012dc0 x21: 00000000000002d0
    [ 3959.024257] x20: ffff0000e6ef3318 x19: ffff800085ae0410 x18: 0000000000000000
    [ 3959.024269] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
    [ 3959.024281] x14: 0000000000000000 x13: 0000000000000001 x12: ffff600064101293
    [ 3959.024292] x11: 1fffe00064101292 x10: ffff600064101292 x9 : dfff800000000000
    [ 3959.024305] x8 : 00009fff9befed6e x7 : ffff000320809493 x6 : 0000000000000001
    [ 3959.024316] x5 : ffff000320809490 x4 : ffff600064101293 x3 : ffff800080691838
    [ 3959.024328] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000d5bcd640
    [ 3959.024340] Call trace:
    [ 3959.024346] alloc_tag_add+0x128/0x178 (P)
    [ 3959.024355] __alloc_tagging_slab_alloc_hook+0x11c/0x1a8
    [ 3959.024362] kmem_cache_alloc_lru_noprof+0x1b8/0x5e8
    [ 3959.024369] xas_alloc+0x304/0x4f0
    [ 3959.024381] xas_create+0x1e0/0x4a0
    [ 3959.024388] xas_store+0x68/0xda8
    [ 3959.024395] __filemap_add_folio+0x5b0/0xbd8
    [ 3959.024409] filemap_add_folio+0x16c/0x7e0
    [ 3959.024416] __filemap_get_folio_mpol+0x2dc/0x9e8
    [ 3959.024424] iomap_get_folio+0xfc/0x180
    [ 3959.024435] __iomap_get_folio+0x2f8/0x4b8
    [ 3959.024441] iomap_write_begin+0x198/0xc18
    [ 3959.024448] iomap_write_iter+0x2ec/0x8f8
    [ 3959.024454] iomap_file_buffered_write+0x19c/0x290
    [ 3959.024461] blkdev_write_iter+0x38c/0x978
    [ 3959.024470] vfs_write+0x4d4/0x928
    [ 3959.024482] ksys_write+0xfc/0x1f8
    [ 3959.024489] __arm64_sys_write+0x74/0xb0
    [ 3959.024496] invoke_syscall+0xd4/0x258
    [ 3959.024507] el0_svc_common.constprop.0+0xb4/0x240
    [ 3959.024514] do_el0_svc+0x48/0x68
    [ 3959.024520] el0_svc+0x40/0xf8
    [ 3959.024526] el0t_64_sync_handler+0xa0/0xe8
    [ 3959.024533] el0t_64_sync+0x1ac/0x1b0
    [ 3959.024540] ---[ end trace 0000000000000000 ]---
When __memcg_slab_post_alloc_hook() fails, there are two different free paths depending on whether size == 1 or size != 1. In the kmem_cache_free_bulk() path, we do call alloc_tagging_slab_free_hook(). However, in memcg_alloc_abort_single() we don't, the above warning will be triggered on the next allocation.
Therefore, add alloc_tagging_slab_free_hook() to the memcg_alloc_abort_single() path.
Fixes: 9f9796b ("mm, slab: move memcg charging to post-alloc hook")
Cc: stable@vger.kernel.org
Suggested-by: Hao Li <hao.li@linux.dev>
Signed-off-by: Hao Ge <hao.ge@linux.dev>
Reviewed-by: Hao Li <hao.li@linux.dev>
Reviewed-by: Suren Baghdasaryan <surenb@google.com>
Reviewed-by: Harry Yoo <harry.yoo@oracle.com>
Link: https://patch.msgid.link/20260204101401.202762-1-hao.ge@linux.dev
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit b8bc72587c79fe52c14732e16a766b6eded00707)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 7987cce375ac8ce98e170a77aa2399f2cf6eb99f upstream.
The CephFS kernel client has a regression starting from 6.18-rc1.
We have an issue in ceph_mds_auth_match() if fs_name == NULL:
    const char *fs_name = mdsc->fsc->mount_options->mds_namespace;
    ...
    if (auth->match.fs_name && strcmp(auth->match.fs_name, fs_name)) {
            /* fsname mismatch, try next one */
            return 0;
    }
Patrick Donnelly suggested that: In summary, we should definitely start
decoding `fs_name` from the MDSMap and do strict authorizations checks
against it. Note that the `-o mds_namespace=foo` should only be used for
selecting the file system to mount and nothing else. It's possible
no mds_namespace is specified but the kernel will mount the only
file system that exists which may have name "foo".
This patch reworks ceph_mdsmap_decode() and namespace_equals() with
the goal of supporting the suggested concept. Now struct ceph_mdsmap
contains an m_fs_name field that receives a copy of the FS name extracted
by ceph_extract_encoded_string(). For the case of "old" CephFS file
systems, the "cephfs" name is used.
[ idryomov: replace redundant %*pE with %s in ceph_mdsmap_decode(),
get rid of a series of strlen() calls in ceph_namespace_match(),
drop changes to namespace_equals() body to avoid treating empty
mds_namespace as equal, drop changes to ceph_mdsc_handle_fsmap()
as namespace_equals() isn't an equivalent substitution there ]
Cc: stable@vger.kernel.org
Fixes: 22c73d5 ("ceph: fix multifs mds auth caps issue")
Link: https://tracker.ceph.com/issues/73886
Signed-off-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Reviewed-by: Patrick Donnelly <pdonnell@ibm.com>
Tested-by: Patrick Donnelly <pdonnell@ibm.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit c6f8326f26bd20d648d9a55afd68148d1b6afe28)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit bd3884a204c3b507e6baa9a4091aa927f9af5404 upstream. Similar to commit 870611e ("rbd: get snapshot context after exclusive lock is ensured to be held"), move the "beyond EOD" check into the image request state machine so that it's performed after exclusive lock is ensured to be held. This avoids various race conditions which can arise when the image is shrunk under I/O (in practice, mostly readahead). In one such scenario rbd_assert(objno < rbd_dev->object_map_size); can be triggered if a close-to-EOD read gets queued right before the shrink is initiated and the EOD check is performed against an outdated mapping_size. After the resize is done on the server side and exclusive lock is (re)acquired bringing along the new (now shrunk) object map, the read starts going through the state machine and rbd_obj_may_exist() gets invoked on an object that is out of bounds of rbd_dev->object_map array. Cc: stable@vger.kernel.org Signed-off-by: Ilya Dryomov <idryomov@gmail.com> Reviewed-by: Dongsheng Yang <dongsheng.yang@linux.dev> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 41ededf7ef153762f9f24fe1a566a692f1366898) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 23ea2a4c72323feb6e3e025e8a6f18336513d5ad upstream. On big-endian systems the 32-bit low and high halves need to be swapped for the underlying assembly implementation to work correctly. Fixes: fd1d362 ("ARM: implement memset32 & memset64") Cc: stable@vger.kernel.org Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de> Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org> Reviewed-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 60645e27e3ec69472360b8934db55e492f6439a1) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit bc8dedae022ce3058659c3addef3ec4b41d15e00 upstream.
This fixes a kernel oops when reading ceph snapshot directories (.snap), for example by simply running `ls /mnt/my_ceph/.snap`.
The variable str is guarded by __free(kfree), but advanced by one for skipping the initial '_' in snapshot names. Thus, kfree() is called with an invalid pointer. This patch removes the need for advancing the pointer so kfree() is called with correct memory pointer.
Steps to reproduce:
1. Create snapshots on a cephfs volume (I've 63 snaps in my testcase)
2. Add cephfs mount to fstab
    $ echo "samba-fileserver@.files=/volumes/datapool/stuff/3461082b-ecc9-4e82-8549-3fd2590d3fb6 /mnt/test/stuff ceph acl,noatime,_netdev 0 0" >> /etc/fstab
3. Reboot the system
    $ systemctl reboot
4. Check if it's really mounted
    $ mount | grep stuff
5. List snapshots (expected 63 snapshots on my system)
    $ ls /mnt/test/stuff/.snap
Now ls hangs forever and the kernel log shows the oops.
Cc: stable@vger.kernel.org
Fixes: 101841c ("[ceph] parse_longname(): strrchr() expects NUL-terminated string")
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220807
Suggested-by: Helge Deller <deller@gmx.de>
Signed-off-by: Daniel Vogelbacher <daniel@chaospixel.com>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 8c9af7339de419819cfc641d551675d38ff99abf)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
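The scope-based cleanup hazard described in the commit message above, as an added userspace example; it is not the ceph code. It uses the GCC/Clang `cleanup` attribute in the role of `__free(kfree)`, and `tracked_free()`, `dup_name()`, both `parse_*` functions and the sample snapshot name are hypothetical. The cleanup handler compares the pointer it is handed with the one the allocator returned instead of freeing it blindly, so both variants are safe to run.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static char *tracked_base;  /* pointer the allocator actually returned */
static int bad_free_seen;   /* set when cleanup is handed a different pointer */

/* Plays the role of the kfree() cleanup: runs when the variable leaves scope. */
static void tracked_free(char **p)
{
    if (*p != tracked_base)
        bad_free_seen = 1;  /* kfree() would have received an interior pointer */
    free(tracked_base);     /* always release the real allocation */
    tracked_base = NULL;
}
#define AUTO_FREE __attribute__((cleanup(tracked_free)))

static char *dup_name(const char *name)
{
    size_t len = strlen(name);
    char *s = malloc(len + 1);

    tracked_base = s;
    if (s)
        memcpy(s, name, len + 1);
    return s;
}

/* Pattern from the commit message: the owning pointer itself is advanced. */
static void parse_advancing_owner(const char *name, char *out, size_t out_sz)
{
    char *str AUTO_FREE = dup_name(name);

    if (!str)
        return;
    if (str[0] == '_')
        str++;              /* cleanup now sees base + 1 */
    snprintf(out, out_sz, "%s", str);
}

/* Corrected pattern: the owner is never modified, a second pointer walks. */
static void parse_with_cursor(const char *name, char *out, size_t out_sz)
{
    char *str AUTO_FREE = dup_name(name);
    const char *cur = str;

    if (!str)
        return;
    if (cur[0] == '_')
        cur++;              /* only the cursor moves */
    snprintf(out, out_sz, "%s", cur);
}

/* Returns 1 when cleanup was handed a pointer the allocator never returned. */
int cleanup_got_wrong_pointer(int use_cursor, const char *name,
                              char *out, size_t out_sz)
{
    bad_free_seen = 0;
    if (out_sz)
        out[0] = '\0';
    if (use_cursor)
        parse_with_cursor(name, out, out_sz);
    else
        parse_advancing_owner(name, out, out_sz);
    return bad_free_seen;
}

int main(void)
{
    char out[32];
    const char *name = "_snap1_1099511627776"; /* constructed sample name */

    printf("advancing owner: wrong pointer = %d\n",
           cleanup_got_wrong_pointer(0, name, out, sizeof(out)));
    printf("separate cursor: wrong pointer = %d (parsed \"%s\")\n",
           cleanup_got_wrong_pointer(1, name, out, sizeof(out)), out);
    return 0;
}
```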
commit 7b9ebcce0296e104a0d82a6b09d68564806158ff upstream. The driver and the NIC share a region in memory for stats reporting. The NIC calculates its offset into this region based on the total size of the stats region and the size of the NIC's stats. When the number of queues is changed, the driver's stats region is resized. If the queue count is increased, the NIC can write past the end of the allocated stats region, causing memory corruption. If the queue count is decreased, there is a gap between the driver and NIC stats, leading to incorrect stats reporting. This change fixes the issue by allocating stats region with maximum size, and the offset calculation for NIC stats is changed to match with the calculation of the NIC. Cc: stable@vger.kernel.org Fixes: 24aeb56 ("gve: Add Gvnic stats AQ command and ethtool show/set-priv-flags.") Signed-off-by: Debarghya Kundu <debarghyak@google.com> Reviewed-by: Joshua Washington <joshwash@google.com> Signed-off-by: Harshitha Ramamurthy <hramamurthy@google.com> Reviewed-by: Jacob Keller <jacob.e.keller@intel.com> Link: https://patch.msgid.link/20260202193925.3106272-2-hramamurthy@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 9fa0a755db3e1945fe00f73fe27d85ef6c8818b7) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit c7db85d579a1dccb624235534508c75fbf2dfe46 upstream. The gve driver's "rx_dropped" statistic, exposed via `ethtool -S`, incorrectly includes `rx_buf_alloc_fail` counts. These failures represent an inability to allocate receive buffers, not true packet drops where a received packet is discarded. This misrepresentation can lead to inaccurate diagnostics. This patch rectifies the ethtool "rx_dropped" calculation. It removes `rx_buf_alloc_fail` from the total and adds `xdp_tx_errors` and `xdp_redirect_errors`, which represent legitimate packet drops within the XDP path. Cc: stable@vger.kernel.org Fixes: 433e274 ("gve: Add stats for gve.") Signed-off-by: Max Yuan <maxyuan@google.com> Reviewed-by: Jordan Rhee <jordanrhee@google.com> Reviewed-by: Joshua Washington <joshwash@google.com> Reviewed-by: Matt Olson <maolson@google.com> Signed-off-by: Harshitha Ramamurthy <hramamurthy@google.com> Reviewed-by: Jacob Keller <jacob.e.keller@intel.com> Link: https://patch.msgid.link/20260202193925.3106272-3-hramamurthy@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit fe787920fac0026b5440df3823f959bb5efddd7d) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 2030dddf95451b4e7a389f052091e7c4b7b274c6 upstream. When truncating a large swap entry, shmem_free_swap() returns 0 when the entry's index doesn't match the given index due to lookup alignment. The failure fallback path checks if the entry crosses the end border and aborts when it happens, so truncate won't erase an unexpected entry or range. But one scenario was ignored. When `index` points to the middle of a large swap entry, and the large swap entry doesn't go across the end border, find_get_entries() will return that large swap entry as the first item in the batch with `indices[0]` equal to `index`. The entry's base index will be smaller than `indices[0]`, so shmem_free_swap() will fail and return 0 due to the "base < index" check. The code will then call shmem_confirm_swap(), get the order, check if it crosses the END boundary (which it doesn't), and retry with the same index. The next iteration will find the same entry again at the same index with same indices, leading to an infinite loop. Fix this by retrying with a round-down index, and abort if the index is smaller than the truncate range. 
Link: https://lkml.kernel.org/r/aXo6ltB5iqAKJzY8@KASONG-MC4 Fixes: 809bc86 ("mm: shmem: support large folio swap out") Fixes: 8a1968bd997f ("mm/shmem, swap: fix race of truncate and swap entry split") Signed-off-by: Kairui Song <kasong@tencent.com> Reported-by: Chris Mason <clm@meta.com> Closes: https://lore.kernel.org/linux-mm/20260128130336.727049-1-clm@meta.com/ Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com> Cc: Baoquan He <bhe@redhat.com> Cc: Barry Song <baohua@kernel.org> Cc: Chris Li <chrisl@kernel.org> Cc: Hugh Dickins <hughd@google.com> Cc: Kemeng Shi <shikemeng@huaweicloud.com> Cc: Nhat Pham <nphamcs@gmail.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit dfc3ab6bd64860f8022d69903be299d09be86e11) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 243b467dea1735fed904c2e54d248a46fa417a2d upstream. This reverts commit 7294863. This commit was erroneously applied again after commit 0ab5d71 ("drm/amd: Refactor `amdgpu_aspm` to be evaluated per device") removed it, leading to very hard to debug crashes, when used with a system with two AMD GPUs of which only one supports ASPM. Link: https://lore.kernel.org/linux-acpi/20251006120944.7880-1-spasswolf@web.de/ Link: acpica/acpica#1060 Fixes: 0ab5d71 ("drm/amd: Refactor `amdgpu_aspm` to be evaluated per device") Signed-off-by: Bert Karwatzki <spasswolf@web.de> Reviewed-by: Christian König <christian.koenig@amd.com> Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org> Signed-off-by: Mario Limonciello <mario.limonciello@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> (cherry picked from commit 97a9689300eb2b393ba5efc17c8e5db835917080) Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 5b794951541e84d2968980a68dd1ac38420f75f3) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit b4d37cdb77a0015f51fee083598fa227cc07aaf1 upstream. When deassigning a KVM_IRQFD, don't clobber the irqfd's copy of the IRQ's routing entry as doing so breaks kvm_arch_irq_bypass_del_producer() on x86 and arm64, which explicitly look for KVM_IRQ_ROUTING_MSI. Instead, to handle a concurrent routing update, verify that the irqfd is still active before consuming the routing information. As evidenced by the x86 and arm64 bugs, and another bug in kvm_arch_update_irqfd_routing() (see below), clobbering the entry type without notifying arch code is surprising and error prone. As a bonus, checking that the irqfd is active provides a convenient location for documenting _why_ KVM must not consume the routing entry for an irqfd that is in the process of being deassigned: once the irqfd is deleted from the list (which happens *before* the eventfd is detached), it will no longer receive updates via kvm_irq_routing_update(), and so KVM could deliver an event using stale routing information (relative to KVM_SET_GSI_ROUTING returning to userspace). As an even better bonus, explicitly checking for the irqfd being active fixes a similar bug to the one the clobbering is trying to prevent: if an irqfd is deactivated, and then its routing is changed, kvm_irq_routing_update() won't invoke kvm_arch_update_irqfd_routing() (because the irqfd isn't in the list). And so if the irqfd is in bypass mode, IRQs will continue to be posted using the old routing information. As for kvm_arch_irq_bypass_del_producer(), clobbering the routing type results in KVM incorrectly keeping the IRQ in bypass mode, which is especially problematic on AMD as KVM tracks IRQs that are being posted to a vCPU in a list whose lifetime is tied to the irqfd. 
Without the help of KASAN to detect use-after-free, the most common symptom on AMD is a NULL pointer deref in amd_iommu_update_ga() due to the memory for irqfd structure being re-allocated and zeroed, resulting in irqfd->irq_bypass_data being NULL when read by avic_update_iommu_vcpu_affinity():
    BUG: kernel NULL pointer dereference, address: 0000000000000018
    #PF: supervisor read access in kernel mode
    #PF: error_code(0x0000) - not-present page
    PGD 40cf2b9067 P4D 40cf2b9067 PUD 408362a067 PMD 0
    Oops: Oops: 0000 [#1] SMP
    CPU: 6 UID: 0 PID: 40383 Comm: vfio_irq_test Tainted: G U W O 6.19.0-smp--5dddc257e6b2-irqfd deepin-community#31 NONE
    Tainted: [U]=USER, [W]=WARN, [O]=OOT_MODULE
    Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.78.2-0 09/05/2025
    RIP: 0010:amd_iommu_update_ga+0x19/0xe0
    Call Trace:
     <TASK>
     avic_update_iommu_vcpu_affinity+0x3d/0x90 [kvm_amd]
     __avic_vcpu_load+0xf4/0x130 [kvm_amd]
     kvm_arch_vcpu_load+0x89/0x210 [kvm]
     vcpu_load+0x30/0x40 [kvm]
     kvm_arch_vcpu_ioctl_run+0x45/0x620 [kvm]
     kvm_vcpu_ioctl+0x571/0x6a0 [kvm]
     __se_sys_ioctl+0x6d/0xb0
     do_syscall_64+0x6f/0x9d0
     entry_SYSCALL_64_after_hwframe+0x4b/0x53
    RIP: 0033:0x46893b
     </TASK>
    ---[ end trace 0000000000000000 ]---
If AVIC is inhibited when the irqfd is deassigned, the bug will manifest as list corruption, e.g. on the next irqfd assignment.
    list_add corruption. next->prev should be prev (ffff8d474d5cd588), but was 0000000000000000. (next=ffff8d8658f86530).
    ------------[ cut here ]------------
    kernel BUG at lib/list_debug.c:31!
    Oops: invalid opcode: 0000 [#1] SMP
    CPU: 128 UID: 0 PID: 80818 Comm: vfio_irq_test Tainted: G U W O 6.19.0-smp--f19dc4d680ba-irqfd deepin-community#28 NONE
    Tainted: [U]=USER, [W]=WARN, [O]=OOT_MODULE
    Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.78.2-0 09/05/2025
    RIP: 0010:__list_add_valid_or_report+0x97/0xc0
    Call Trace:
     <TASK>
     avic_pi_update_irte+0x28e/0x2b0 [kvm_amd]
     kvm_pi_update_irte+0xbf/0x190 [kvm]
     kvm_arch_irq_bypass_add_producer+0x72/0x90 [kvm]
     irq_bypass_register_consumer+0xcd/0x170 [irqbypass]
     kvm_irqfd+0x4c6/0x540 [kvm]
     kvm_vm_ioctl+0x118/0x5d0 [kvm]
     __se_sys_ioctl+0x6d/0xb0
     do_syscall_64+0x6f/0x9d0
     entry_SYSCALL_64_after_hwframe+0x4b/0x53
     </TASK>
    ---[ end trace 0000000000000000 ]---
On Intel and arm64, the bug is less noisy, as the end result is that the device keeps posting IRQs to the vCPU even after it's been deassigned.
Note, the worst of the breakage can be traced back to commit cb21073 ("KVM: Pass new routing entries and irqfd when updating IRTEs"), as before that commit KVM would pull the routing information from the per-VM routing table. But as above, similar bugs have existed since support for IRQ bypass was added. E.g. if a routing change finished before irq_shutdown() invoked kvm_arch_irq_bypass_del_producer(), VMX and SVM would see stale routing information and potentially leave the irqfd in bypass mode.
Alternatively, x86 could be fixed by explicitly checking irq_bypass_vcpu instead of irq_entry.type in kvm_arch_irq_bypass_del_producer(), and arm64 could be modified to utilize irq_bypass_vcpu in a similar manner. But (a) that wouldn't fix the routing updates bug, and (b) fixing core code doesn't preclude x86 (or arm64) from adding such code as a sanity check (spoiler alert).
Fixes: f70c20a ("KVM: Add an arch specific hooks in 'struct kvm_kernel_irqfd'") Fixes: cb21073 ("KVM: Pass new routing entries and irqfd when updating IRTEs") Fixes: a0d7e2f ("KVM: arm64: vgic-v4: Only attempt vLPI mapping for actual MSIs") Cc: stable@vger.kernel.org Cc: Marc Zyngier <maz@kernel.org> Cc: Oliver Upton <oupton@kernel.org> Link: https://patch.msgid.link/20260113174606.104978-2-seanjc@google.com Signed-off-by: Sean Christopherson <seanjc@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit ff48c9312d042bfbe826ca675e98acc6c623211c) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit a2f1e22390ac2ca7ac8d77aa0f78c068b6dd2208 upstream. When the PCI core gained power management support in 2002, it introduced pci_save_state() and pci_restore_state() helpers to restore Config Space after a D3hot or D3cold transition, which implies a Soft or Fundamental Reset (PCIe r7.0 sec 5.8): https://git.kernel.org/tglx/history/c/a5287abe398b In 2006, EEH and AER were introduced to recover from errors by performing a reset. Because errors can occur at any time, drivers began calling pci_save_state() on probe to ensure recoverability. In 2009, recoverability was foiled by commit c82f63e ("PCI: check saved state before restore"): It amended pci_restore_state() to bail out if the "state_saved" flag has been cleared. The flag is cleared by pci_restore_state() itself, hence a saved state is now allowed to be restored only once and is then invalidated. That doesn't seem to make sense because the saved state should be good enough to be reused. Soon after, drivers began to work around this behavior by calling pci_save_state() immediately after pci_restore_state(), see e.g. commit b94f2d7 ("igb: call pci_save_state after pci_restore_state"). Hilariously, two drivers even set the "saved_state" flag to true before invoking pci_restore_state(), see ipr_reset_restore_cfg_space() and e1000_io_slot_reset(). Despite these workarounds, recoverability at all times is not guaranteed: E.g. when a PCIe port goes through a runtime suspend and resume cycle, the "saved_state" flag is cleared by: pci_pm_runtime_resume() pci_pm_default_resume_early() pci_restore_state() ... and hence on a subsequent AER event, the port's Config Space cannot be restored. Riana reports a recovery failure of a GPU-integrated PCIe switch and has root-caused it to the behavior of pci_restore_state(). Another workaround would be necessary, namely calling pci_save_state() in pcie_port_device_runtime_resume(). 
The motivation of commit c82f63e was to prevent restoring state if pci_save_state() hasn't been called before. But that can be achieved by saving state already on device addition, after Config Space has been initialized. A desirable side effect is that devices become recoverable even if no driver gets bound. This renders the commit unnecessary, so revert it. Reported-by: Riana Tauro <riana.tauro@intel.com> # off-list Signed-off-by: Lukas Wunner <lukas@wunner.de> Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> Tested-by: Riana Tauro <riana.tauro@intel.com> Reviewed-by: Rafael J. Wysocki (Intel) <rafael@kernel.org> Link: https://patch.msgid.link/9e34ce61c5404e99ffdd29205122c6fb334b38aa.1763483367.git.lukas@wunner.de Cc: Mario Limonciello <mario.limonciello@amd.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 58130e7ce6cb6e1f73221e412fef6c85ee561425) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit d4a0587 upstream. Fix build regression seen when using old gcc-9 compiler. Signed-off-by: Todd Brandt <todd.e.brandt@intel.com> Reviewed-by: Chen Yu <yu.c.chen@intel.com> Signed-off-by: Len Brown <len.brown@intel.com> Signed-off-by: Nikolay Kuratov <kniv@yandex-team.ru> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit d288ba832d92d16f7db0f6996ffbde2e79190ffe) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit c258f5c4502c9667bccf5d76fa731ab9c96687c1 upstream.
When one process (such as udev) opens ublk block device (e.g., to read the partition table via bdev_open()), a deadlock[1] can occur:
1. bdev_open() grabs disk->open_mutex
2. The process issues read I/O to ublk backend to read partition table
3. In __ublk_complete_rq(), blk_update_request() or blk_mq_end_request() runs bio->bi_end_io() callbacks
4. If this triggers fput() on file descriptor of ublk block device, the work may be deferred to current task's task work (see fput() implementation)
5. This eventually calls blkdev_release() from the same context
6. blkdev_release() tries to grab disk->open_mutex again
7. Deadlock: same task waiting for a mutex it already holds
The fix is to run blk_update_request() and blk_mq_end_request() with bottom halves disabled. This forces blkdev_release() to run in kernel work-queue context instead of current task work context, and allows ublk server to make forward progress, and avoids the deadlock.
Fixes: 71f28f3 ("ublk_drv: add io_uring based userspace block driver")
Link: ublk-org/ublksrv#170 [1]
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Reviewed-by: Caleb Sander Mateos <csander@purestorage.com>
[axboe: rewrite comment in ublk]
Signed-off-by: Jens Axboe <axboe@kernel.dk>
[ The fix omits the change in __ublk_do_auto_buf_reg() since this function doesn't exist in Linux 6.12. ]
Signed-off-by: Alva Lan <alvalan9@foxmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 9bcc47343ee0ef346aa7b2b460c8ff56bd882fe7)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit bea3e1d upstream.
BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0xa71/0xb90 fs/hfsplus/unicode.c:186
Read of size 2 at addr ffff8880289ef218 by task syz.6.248/14290
CPU: 0 UID: 0 PID: 14290 Comm: syz.6.248 Not tainted 6.16.4 #1 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x5f0 mm/kasan/report.c:482
kasan_report+0xca/0x100 mm/kasan/report.c:595
hfsplus_uni2asc+0xa71/0xb90 fs/hfsplus/unicode.c:186
hfsplus_listxattr+0x5b6/0xbd0 fs/hfsplus/xattr.c:738
vfs_listxattr+0xbe/0x140 fs/xattr.c:493
listxattr+0xee/0x190 fs/xattr.c:924
filename_listxattr fs/xattr.c:958 [inline]
path_listxattrat+0x143/0x360 fs/xattr.c:988
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcb/0x4c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe0e9fae16d
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe0eae67f98 EFLAGS: 00000246 ORIG_RAX: 00000000000000c3
RAX: ffffffffffffffda RBX: 00007fe0ea205fa0 RCX: 00007fe0e9fae16d
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000200000000000
RBP: 00007fe0ea0480f0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fe0ea206038 R14: 00007fe0ea205fa0 R15: 00007fe0eae48000
</TASK>
Allocated by task 14290:
kasan_save_stack+0x24/0x50 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4333 [inline]
__kmalloc_noprof+0x219/0x540 mm/slub.c:4345
kmalloc_noprof include/linux/slab.h:909 [inline]
hfsplus_find_init+0x95/0x1f0 fs/hfsplus/bfind.c:21
hfsplus_listxattr+0x331/0xbd0 fs/hfsplus/xattr.c:697
vfs_listxattr+0xbe/0x140 fs/xattr.c:493
listxattr+0xee/0x190 fs/xattr.c:924
filename_listxattr fs/xattr.c:958 [inline]
path_listxattrat+0x143/0x360 fs/xattr.c:988
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcb/0x4c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
When hfsplus_uni2asc is called from hfsplus_listxattr, it actually passes in a struct hfsplus_attr_unistr*. The size of the corresponding structure is different from that of hfsplus_unistr, so the previous fix (9445878) is insufficient. The pointer on the unicode buffer is still going beyond the allocated memory.
This patch introduces two wrapper functions hfsplus_uni2asc_xattr_str and hfsplus_uni2asc_str to process two unicode buffers, struct hfsplus_attr_unistr* and struct hfsplus_unistr* respectively. When ustrlen value is bigger than the allocated memory size, the ustrlen value is limited to a safe size.
Fixes: 9445878 ("hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()")
Signed-off-by: Kang Chen <k.chen@smail.nju.edu.cn>
Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Link: https://lore.kernel.org/r/20250909031316.1647094-1-k.chen@smail.nju.edu.cn
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Jianqiang kang <jianqkang@sina.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 5b5228964619b180f366940505b77255b1a03929)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 1769f90e5ba2a6d24bb46b85da33fe861c68f005 upstream. The error logging for failed transactions is misleading as it always reports "dead process or thread" even when the target is actually frozen. Additionally, the pid and tid are reversed which can further confuse debugging efforts. Fix both issues. Cc: stable@kernel.org Cc: Steven Moreland <smoreland@google.com> Fixes: a15dac8 ("binder: additional transaction error logs") Signed-off-by: Carlos Llamas <cmllamas@google.com> Reviewed-by: Alice Ryhl <aliceryhl@google.com> Link: https://patch.msgid.link/20260123175702.2154348-1-cmllamas@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 9eec6f49d3fae873d9416a622356707b37d0be12) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit ec4ddc90d201d09ef4e4bef8a2c6d9624525ad68 upstream. The 'max' argument of ida_alloc_max() takes the maximum valid ID and not the "count". Using an ID of BINDERFS_MAX_MINOR (1 << 20) for dev->minor would exceed the limits of minor numbers (20-bits). Fix this off-by-one error by subtracting 1 from the 'max'. Cc: stable@vger.kernel.org Fixes: 3ad20fe ("binder: implement binderfs") Signed-off-by: Carlos Llamas <cmllamas@google.com> Link: https://patch.msgid.link/20260127235545.2307876-2-cmllamas@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit ee5e42e9a59ac02e82ff79fe3d67705f5d3787d1) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
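An added illustration of the off-by-one described in the binderfs commit above (not code from the patch or from the kernel tree): a toy allocator with an inclusive upper bound, paired with the 20-bit device-number arithmetic. The `toy_ida` allocator, the major number 240 and the helper names are constructed for this example, and it assumes the minor is combined with a major through MKDEV().

```c
#include <stdio.h>

/* Device-number arithmetic with the same definitions as the kernel's
 * include/linux/kdev_t.h, re-declared so the example builds in user space. */
#define MINORBITS 20
#define MINORMASK ((1U << MINORBITS) - 1)
#define MAJOR(dev) ((unsigned int)((dev) >> MINORBITS))
#define MINOR(dev) ((unsigned int)((dev) & MINORMASK))
#define MKDEV(ma, mi) (((ma) << MINORBITS) | (mi))

#define BINDERFS_MAX_MINOR (1U << MINORBITS)  /* a count: valid IDs are 0..count-1 */

/* Toy stand-in for an ID allocator: every ID below 'next' is in use. */
struct toy_ida {
    unsigned int next;
};

/* Smallest free ID in [0, max], or -1 when the range is exhausted. The
 * inclusive bound is the property of ida_alloc_max() the commit points out. */
static long toy_alloc_max(struct toy_ida *ida, unsigned int max)
{
    if (ida->next > max)
        return -1;
    return (long)ida->next++;
}

/* Fill the allocator to the top and report the last ID it handed out. */
long last_minor_handed_out(unsigned int max)
{
    struct toy_ida ida = { BINDERFS_MAX_MINOR - 2 };  /* constructed: nearly full */
    long id, last = -1;

    while ((id = toy_alloc_max(&ida, max)) >= 0)
        last = id;
    return last;
}

unsigned int dev_for(unsigned int ma, unsigned int mi)
{
    return MKDEV(ma, mi);
}

int main(void)
{
    long bad = last_minor_handed_out(BINDERFS_MAX_MINOR);
    long good = last_minor_handed_out(BINDERFS_MAX_MINOR - 1);
    unsigned int dev = dev_for(240, (unsigned int)bad);  /* 240: constructed major */

    printf("max = count     : last minor %ld -> major %u minor %u\n",
           bad, MAJOR(dev), MINOR(dev));
    dev = dev_for(240, (unsigned int)good);
    printf("max = count - 1 : last minor %ld -> major %u minor %u\n",
           good, MAJOR(dev), MINOR(dev));
    return 0;
}
```

With the count passed as `max`, the last ID needs 21 bits, so the encoded device number no longer decodes to the major and minor that went in.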
…t failures [ Upstream commit e396a74222654486d6ab45dca5d0c54c408b8b91 ] Some distributions (such as Ubuntu) configure GCC so that _FORTIFY_SOURCE is automatically enabled at -O1 or above. This results in some fortified version of definitions of standard library functions are included. While linker resolves the symbols, the fortified versions might override the definitions in lib/string_override.c and reference to those PLT entries in GLIBC. This is not a problem for the code in host, but it is a disaster for the guest code. E.g., if build and run x86/nested_emulation_test on Ubuntu 24.04 will encounter a L1 #PF due to memset() reference to __memset_chk@plt. The option -fno-builtin-memset is not helpful here, because those fortified versions are not built-in but some definitions which are included by header, they are for different intentions. In order to eliminate the unpredictable behaviors may vary depending on the linker and platform, add the "-U_FORTIFY_SOURCE" into CFLAGS to prevent from introducing the fortified definitions. Signed-off-by: Zhiquan Li <zhiquan_li@163.com> Link: https://patch.msgid.link/20260122053551.548229-1-zhiquan_li@163.com Fixes: 6b6f714 ("KVM: selftests: Implement memcmp(), memcpy(), and memset() for guest use") Cc: stable@vger.kernel.org [sean: tag for stable] Signed-off-by: Sean Christopherson <seanjc@google.com> [ Makefile.kvm -> Makefile ] Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 87ff11143615c16fb60a2a998150c53f87e9d803) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit b5cbacd7f86f4f62b8813688c8e73be94e8e1951 ]
Fix PROCMAP_QUERY to fetch optional build ID only after dropping mmap_lock or per-VMA lock, whichever was used to lock VMA under question, to avoid deadlock reported by syzbot:
-> #1 (&mm->mmap_lock){++++}-{4:4}:
__might_fault+0xed/0x170
_copy_to_iter+0x118/0x1720
copy_page_to_iter+0x12d/0x1e0
filemap_read+0x720/0x10a0
blkdev_read_iter+0x2b5/0x4e0
vfs_read+0x7f4/0xae0
ksys_read+0x12a/0x250
do_syscall_64+0xcb/0xf80
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #0 (&sb->s_type->i_mutex_key#8){++++}-{4:4}:
__lock_acquire+0x1509/0x26d0
lock_acquire+0x185/0x340
down_read+0x98/0x490
blkdev_read_iter+0x2a7/0x4e0
__kernel_read+0x39a/0xa90
freader_fetch+0x1d5/0xa80
__build_id_parse.isra.0+0xea/0x6a0
do_procmap_query+0xd75/0x1050
procfs_procmap_ioctl+0x7a/0xb0
__x64_sys_ioctl+0x18e/0x210
do_syscall_64+0xcb/0xf80
entry_SYSCALL_64_after_hwframe+0x77/0x7f
other info that might help us debug this:
Possible unsafe locking scenario:
       CPU0                    CPU1
       ----                    ----
  rlock(&mm->mmap_lock);
                               lock(&sb->s_type->i_mutex_key#8);
                               lock(&mm->mmap_lock);
  rlock(&sb->s_type->i_mutex_key#8);
 *** DEADLOCK ***
This seems to be exacerbated (as we haven't seen these syzbot reports before that) by the recent:
777a8560fd29 ("lib/buildid: use __kernel_read() for sleepable context")
To make this safe, we need to grab file refcount while VMA is still locked, but other than that everything is pretty straightforward. Internal build_id_parse() API assumes VMA is passed, but it only needs the underlying file reference, so just add another variant build_id_parse_file() that expects file passed directly.
[akpm@linux-foundation.org: fix up kerneldoc]
Link: https://lkml.kernel.org/r/20260129215340.3742283-1-andrii@kernel.org
Fixes: ed5d583 ("fs/procfs: implement efficient VMA querying API for /proc/<pid>/maps")
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Reported-by: <syzbot+4e70c8e0a2017b432f7a@syzkaller.appspotmail.com>
Reviewed-by: Suren Baghdasaryan <surenb@google.com>
Tested-by: Suren Baghdasaryan <surenb@google.com>
Reviewed-by: Shakeel Butt <shakeel.butt@linux.dev>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Eduard Zingerman <eddyz87@gmail.com>
Cc: Hao Luo <haoluo@google.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: KP Singh <kpsingh@kernel.org>
Cc: Martin KaFai Lau <martin.lau@linux.dev>
Cc: Song Liu <song@kernel.org>
Cc: Stanislav Fomichev <sdf@fomichev.me>
Cc: Yonghong Song <yonghong.song@linux.dev>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
[ mm is local var instead of function param ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit b9b97e6aeb534315f9646b2090d1a5024c6a4e82)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 033c55fe2e326bea022c3cc5178ecf3e0e459b82 ]
The fields of ftrace specific events (events used to save ftrace internal
events like function traces and trace_printk) are generated similarly to
how normal trace event fields are generated. That is, the fields are added
to a trace_events_fields array that saves the name, offset, size,
alignment and signedness of the field. It is used to produce the output in
the format file in tracefs so that tooling knows how to parse the binary
data of the trace events.
The issue is that some of the ftrace event structures are packed. The
function graph exit event structures are one of them. The 64 bit calltime
and rettime fields end up 4 byte aligned, but the algorithm to show to
userspace shows them as 8 byte aligned.
The macros that create the ftrace events have one for embedded structure
fields. There are two macros for these fields:
__field_desc() and __field_packed()
The difference of the latter macro is that it treats the field as packed.
Rename that field to __field_desc_packed() and replace the
__field_packed() to be a normal field that is packed and have the calltime
and rettime use those.
This showed up on 32bit architectures for function graph time fields. It
had:
~# cat /sys/kernel/tracing/events/ftrace/funcgraph_exit/format
[..]
field:unsigned long func; offset:8; size:4; signed:0;
field:unsigned int depth; offset:12; size:4; signed:0;
field:unsigned int overrun; offset:16; size:4; signed:0;
field:unsigned long long calltime; offset:24; size:8; signed:0;
field:unsigned long long rettime; offset:32; size:8; signed:0;
Notice that overrun is at offset 16 with size 4, where in the structure
calltime is at offset 20 (16 + 4), but it shows the offset at 24. That's
because it used the alignment of unsigned long long when used as a
declaration and not as a member of a structure where it would be aligned
by word size (in this case 4).
By using the proper structure alignment, the format has it at the correct
offset:
~# cat /sys/kernel/tracing/events/ftrace/funcgraph_exit/format
[..]
field:unsigned long func; offset:8; size:4; signed:0;
field:unsigned int depth; offset:12; size:4; signed:0;
field:unsigned int overrun; offset:16; size:4; signed:0;
field:unsigned long long calltime; offset:20; size:8; signed:0;
field:unsigned long long rettime; offset:28; size:8; signed:0;
Cc: stable@vger.kernel.org
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Reported-by: "jempty.liang" <imntjempty@163.com>
Link: https://patch.msgid.link/20260204113628.53faec78@gandalf.local.home
Fixes: 04ae87a ("ftrace: Rework event_create_dir()")
Closes: https://lore.kernel.org/all/20260130015740.212343-1-imntjempty@163.com/
Closes: https://lore.kernel.org/all/20260202123342.2544795-1-imntjempty@163.com/
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
[ adapted field types and macro arguments ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 76d035271e120de0b1b49384d1bb76fa2a0e2a9e)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
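An added model of the ftrace offset mismatch described in the commit above (not code from the patch or from the kernel): it lays out the 32-bit funcgraph_exit record with fixed-width types, derives the advertised offsets from a size/alignment table, and decodes a sample record the way a tool trusting the format file would. The table walk, the alignment of 1 for packed members, the sample values and all helper names are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the packed 32-bit record: 8 bytes of common header,
 * three 4-byte fields, then two 64-bit timestamps with no padding. */
struct funcgraph_exit_rec {
    uint8_t  common[8];
    uint32_t func;
    uint32_t depth;
    uint32_t overrun;
    uint64_t calltime;
    uint64_t rettime;
} __attribute__((packed));

#define SAMPLE_CALLTIME 0x1111111122222222ULL   /* constructed values */
#define SAMPLE_RETTIME  0x3333333344444444ULL

struct field_desc {
    const char *name;
    size_t size;
    size_t align;   /* alignment the format generator assumes */
};

enum { F_FUNC, F_DEPTH, F_OVERRUN, F_CALLTIME, F_RETTIME, NFIELDS };

/* Alignment of each type as a stand-alone declaration: 8 for a 64-bit
 * integer, which is what yields offset 24 in the "before" output. */
static const struct field_desc declared_align[NFIELDS] = {
    { "func", 4, 4 }, { "depth", 4, 4 }, { "overrun", 4, 4 },
    { "calltime", 8, 8 }, { "rettime", 8, 8 },
};

/* The same members described as packed (assumed alignment 1). */
static const struct field_desc packed_align[NFIELDS] = {
    { "func", 4, 4 }, { "depth", 4, 4 }, { "overrun", 4, 4 },
    { "calltime", 8, 1 }, { "rettime", 8, 1 },
};

/* Offset the format file would advertise for field idx: round the running
 * offset up to the field's alignment, then advance by the field's size. */
size_t format_offset(int packed_aware, int idx)
{
    const struct field_desc *f = packed_aware ? packed_align : declared_align;
    size_t off = offsetof(struct funcgraph_exit_rec, func);
    int i;

    for (i = 0; i < NFIELDS; i++) {
        off = (off + f[i].align - 1) & ~(f[i].align - 1);
        if (i == idx)
            return off;
        off += f[i].size;
    }
    return (size_t)-1;
}

/* Decode a 64-bit field from a sample record using the advertised offset.
 * Returns -1 when that offset would make the consumer read past the record. */
int decode_field(int packed_aware, int idx, uint64_t *out)
{
    struct funcgraph_exit_rec rec;
    size_t off = format_offset(packed_aware, idx);

    memset(&rec, 0, sizeof(rec));
    rec.calltime = SAMPLE_CALLTIME;
    rec.rettime = SAMPLE_RETTIME;

    if (off > sizeof(rec) || sizeof(rec) - off < sizeof(*out))
        return -1;
    memcpy(out, (const uint8_t *)&rec + off, sizeof(*out));
    return 0;
}

int main(void)
{
    int aware, idx;

    for (aware = 0; aware <= 1; aware++) {
        for (idx = F_CALLTIME; idx <= F_RETTIME; idx++) {
            uint64_t v = 0;
            int rc = decode_field(aware, idx, &v);

            printf("%s %-8s offset:%zu rc:%d value:%#llx\n",
                   aware ? "packed-aware" : "declared    ",
                   declared_align[idx].name, format_offset(aware, idx),
                   rc, (unsigned long long)v);
        }
    }
    return 0;
}
```

With the declared alignment, calltime decodes to a mix of two timestamps and the rettime read runs off the end of the 36-byte record; with packed alignment both offsets match `offsetof()` on the structure.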
[ Upstream commit ff4071c60018a668249dc6a2df7d16330543540e ] ieee80211_ocb_rx_no_sta() assumes a valid channel context, which is only present after JOIN_OCB. RX may run before JOIN_OCB is executed, in which case the OCB interface is not operational. Skip RX peer handling when the interface is not joined to avoid warnings in the RX path. Reported-by: syzbot+b364457b2d1d4e4a3054@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=b364457b2d1d4e4a3054 Tested-by: syzbot+b364457b2d1d4e4a3054@syzkaller.appspotmail.com Signed-off-by: Moon Hee Lee <moonhee.lee.ca@gmail.com> Link: https://patch.msgid.link/20251216035932.18332-1-moonhee.lee.ca@gmail.com Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 536447521b3b9be1975c7f1db9054bdf2ab779cb) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 5c2c3c38be396257a6a2e55bd601a12bb9781507 ] The udp GRO complete stage assumes that all the packets inserted the RX have the `encapsulation` flag zeroed. Such assumption is not true, as a few H/W NICs can set such flag when H/W offloading the checksum for an UDP encapsulated traffic, the tun driver can inject GSO packets with UDP encapsulation and the problematic layout can also be created via a veth based setup. Due to the above, in the problematic scenarios, udp4_gro_complete() uses the wrong network offset (inner instead of outer) to compute the outer UDP header pseudo checksum, leading to csum validation errors later on in packet processing. Address the issue always clearing the encapsulation flag at GRO completion time. Such flag will be set again as needed for encapsulated packets by udp_gro_complete(). Fixes: 5ef31ea ("net: gro: fix udp bad offset in socket lookup by adding {inner_}network_offset to napi_gro_cb") Reviewed-by: Willem de Bruijn <willemb@google.com> Signed-off-by: Paolo Abeni <pabeni@redhat.com> Reviewed-by: Eric Dumazet <edumazet@google.com> Link: https://patch.msgid.link/562638dbebb3b15424220e26a180274b387e2a88.1770032084.git.pabeni@redhat.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit b83557bc6f560433fe5d727e241069f8db5ba709) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 0e0c8f4d16de92520623aa1ea485cadbf64e6929 ]
The mgag200_bmc_stop_scanout() function is called by the .atomic_disable()
handler for the MGA G200 VGA BMC encoder. This function performs a few
register writes to inform the BMC of an upcoming mode change, and then
polls to wait until the BMC actually stops.
The polling is implemented using a busy loop with udelay() and an iteration
timeout of 300, resulting in the function blocking for 300 milliseconds.
The function gets called ultimately by the output_poll_execute work thread
for the DRM output change polling thread of the mgag200 driver:
kworker/0:0-mm_ 3528 [000] 4555.315364:
ffffffffaa0e25b3 delay_halt.part.0+0x33
ffffffffc03f6188 mgag200_bmc_stop_scanout+0x178
ffffffffc087ae7a disable_outputs+0x12a
ffffffffc087c12a drm_atomic_helper_commit_tail+0x1a
ffffffffc03fa7b6 mgag200_mode_config_helper_atomic_commit_tail+0x26
ffffffffc087c9c1 commit_tail+0x91
ffffffffc087d51b drm_atomic_helper_commit+0x11b
ffffffffc0509694 drm_atomic_commit+0xa4
ffffffffc05105e8 drm_client_modeset_commit_atomic+0x1e8
ffffffffc0510ce6 drm_client_modeset_commit_locked+0x56
ffffffffc0510e24 drm_client_modeset_commit+0x24
ffffffffc088a743 __drm_fb_helper_restore_fbdev_mode_unlocked+0x93
ffffffffc088a683 drm_fb_helper_hotplug_event+0xe3
ffffffffc050f8aa drm_client_dev_hotplug+0x9a
ffffffffc088555a output_poll_execute+0x29a
ffffffffa9b35924 process_one_work+0x194
ffffffffa9b364ee worker_thread+0x2fe
ffffffffa9b3ecad kthread+0xdd
ffffffffa9a08549 ret_from_fork+0x29
On a server running ptp4l with the mgag200 driver loaded, we found that
ptp4l would sometimes get blocked from execution because of this busy
waiting loop.
Every so often, approximately once every 20 minutes -- though with large
variance -- the output_poll_execute() thread would detect some sort of
change that required performing a hotplug event which results in attempting
to stop the BMC scanout, resulting in a 300msec delay on one CPU.
On this system, ptp4l was pinned to a single CPU. When the
output_poll_execute() thread ran on that CPU, it blocked ptp4l from
executing for its 300 millisecond duration.
This resulted in PTP service disruptions such as failure to send a SYNC
message on time, failure to handle ANNOUNCE messages on time, and clock
check warnings from the application. All of this despite the application
being configured with FIFO_RT and a higher priority than the background
workqueue tasks. (However, note that the kernel did not use
CONFIG_PREEMPT...)
It is unclear if the event is due to a faulty VGA connection, another bug,
or actual events causing a change in the connection. At least on the system
under test it is not a one-time event and consistently causes disruption to
the time sensitive applications.
The function has some helpful comments explaining what steps it is
attempting to take. In particular, step 3a and 3b are explained as such:
3a - The third step is to verify if there is an active scan. We are
waiting on a 0 on remhsyncsts (<XSPAREREG<0>.
3b - This step occurs only if the remove is actually scanning. We are
waiting for the end of the frame which is a 1 on remvsyncsts
(<XSPAREREG<1>).
The actual steps 3a and 3b are implemented as while loops with a
non-sleeping udelay(). The first step iterates while the tmp value at
position 0 is *not* set. That is, it keeps iterating as long as the bit is
zero. If the bit is already 0 (because there is no active scan), it will
iterate the entire 300 attempts which wastes 300 milliseconds in total.
This is opposite of what the description claims.
The step 3b logic only executes if we do not iterate over the entire 300
attempts in the first loop. If it does trigger, it is trying to check and
wait for a 1 on the remvsyncsts. However, again the condition is actually
inverted and it will loop as long as the bit is 1, stopping once it hits
zero (rather than the explained attempt to wait until we see a 1).
Worse, both loops are implemented using non-sleeping waits which spin
instead of allowing the scheduler to run other processes. If the kernel is
not configured to allow arbitrary preemption, it will waste valuable CPU
time doing nothing.
There does not appear to be any documentation for the BMC register
interface, beyond what is in the comments here. It seems more probable that
the comment here is correct and the implementation accidentally got
inverted from the intended logic.
Reading through other DRM driver implementations, it does not appear that
the .atomic_enable or .atomic_disable handlers need to delay instead of
sleep. For example, the ast_astdp_encoder_helper_atomic_disable() function
calls ast_dp_set_phy_sleep() which uses msleep(). The "atomic" in the name
is referring to the atomic modesetting support, which is the support to
enable atomic configuration from userspace, and not to the "atomic context"
of the kernel. There is no reason to use udelay() here if a sleep would be
sufficient.
Replace the while loops with a read_poll_timeout() based implementation
that will sleep between iterations, and which stops polling once the
condition is met (instead of looping as long as the condition is met). This
aligns with the commented behavior and avoids blocking on the CPU while
doing nothing.
Note the RREG_DAC is implemented using a statement expression to allow
working properly with the read_poll_timeout family of functions. The other
RREG_<TYPE> macros ought to be cleaned up to have better semantics, and
several places in the mgag200 driver could make use of RREG_DAC or similar
RREG_* macros should likely be cleaned up for better semantics as well, but
that task has been left as a future cleanup for a non-bugfix.
Fixes: 414c453 ("mgag200: initial g200se driver (v2)")
Suggested-by: Thomas Zimmermann <tzimmermann@suse.de>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Reviewed-by: Jocelyn Falempe <jfalempe@redhat.com>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patch.msgid.link/20260202-jk-mgag200-fix-bad-udelay-v2-1-ce1e9665987d@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 1aacebe9d4ccb1a89caa9eb9fe3bb24723e80564)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
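An added user-space model of the two polling styles contrasted in the mgag200 commit above (not the driver's code and not the kernel's read_poll_timeout() macro): the loops with the polarity the message attributes to the old code, next to a stop-when-met poll that follows the 3a/3b comments. The register scripts, `fake_bmc` and the helper names are constructed, and the model assumes no stale bits in `tmp` on entry.

```c
#include <stdint.h>
#include <stdio.h>

#define HSYNC_STS 0x1   /* remhsyncsts, XSPAREREG<0>: 1 while a scan is active */
#define VSYNC_STS 0x2   /* remvsyncsts, XSPAREREG<1>: 1 at end of frame */
#define MAX_ITER  300   /* 300 polls, 1 ms apart */

/* Constructed stand-in for the status register: each read returns the next
 * scripted value and the last value repeats forever. */
struct fake_bmc {
    const uint8_t *script;
    unsigned len;
    unsigned reads;
};

static uint8_t fake_read(struct fake_bmc *b)
{
    unsigned i = b->reads < b->len ? b->reads : b->len - 1;

    b->reads++;
    return b->script[i];
}

struct wait_result {
    unsigned waited_ms;  /* 1 ms delays or sleeps spent */
    uint8_t last;        /* register value when the wait returned */
};

/* Polarity as described for the old code: 3a keeps looping while bit 0 is
 * clear, 3b keeps looping while bit 1 is set. */
struct wait_result wait_inverted(struct fake_bmc *b)
{
    struct wait_result r = { 0, 0 };
    unsigned iter_max = MAX_ITER;
    uint8_t tmp = 0;

    while (!(tmp & HSYNC_STS) && iter_max) {
        tmp = fake_read(b);
        r.waited_ms++;          /* udelay(1000): the CPU is held */
        iter_max--;
    }
    if (iter_max) {
        iter_max = MAX_ITER;
        while ((tmp & VSYNC_STS) && iter_max) {
            tmp = fake_read(b);
            r.waited_ms++;
            iter_max--;
        }
    }
    r.last = tmp;
    return r;
}

/* Read, test, and only then wait: 0 as soon as (reg & mask) == want,
 * -1 once MAX_ITER waits have been spent. */
static int poll_until(struct fake_bmc *b, uint8_t mask, uint8_t want,
                      struct wait_result *r)
{
    unsigned waits = 0;

    for (;;) {
        r->last = fake_read(b);
        if ((r->last & mask) == want)
            return 0;
        if (waits == MAX_ITER)
            return -1;
        waits++;
        r->waited_ms++;         /* a sleep: other tasks can run meanwhile */
    }
}

/* 3a: wait for a 0 on remhsyncsts; 3b: then wait for a 1 on remvsyncsts. */
struct wait_result wait_as_commented(struct fake_bmc *b)
{
    struct wait_result r = { 0, 0 };

    if (poll_until(b, HSYNC_STS, 0, &r) == 0)
        poll_until(b, VSYNC_STS, VSYNC_STS, &r);
    return r;
}

static const uint8_t idle_script[] = { 0x2 };                    /* no scan */
static const uint8_t scanning_script[] = { 0x1, 0x1, 0x1, 0x0, 0x0, 0x2 };

struct wait_result run_scenario(int as_commented, int scanning)
{
    struct fake_bmc b = { scanning ? scanning_script : idle_script,
                          scanning ? (unsigned)sizeof(scanning_script)
                                   : (unsigned)sizeof(idle_script), 0 };

    return as_commented ? wait_as_commented(&b) : wait_inverted(&b);
}

int main(void)
{
    int fixed, scanning;

    for (scanning = 0; scanning <= 1; scanning++)
        for (fixed = 0; fixed <= 1; fixed++) {
            struct wait_result r = run_scenario(fixed, scanning);

            printf("%-8s %-12s waited %3u ms, last reg %#x\n",
                   scanning ? "scanning" : "idle",
                   fixed ? "as-commented" : "inverted", r.waited_ms, r.last);
        }
    return 0;
}
```

In this model the inverted loops burn the full 300 ms when nothing is scanning and return after a single read while a scan is still active; the stop-when-met version returns immediately in the first case and waits for both conditions in the second.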
[ Upstream commit 7ee9b3e091c63da71e15c72003f1f07e467f5158 ] The topology query helper advanced the user pointer by the size of the pointer, not the size of the structure. This can misalign the output blob and corrupt the following mask. Fix the increment to use sizeof(*topo). There is no issue currently, as sizeof(*topo) happens to be equal to sizeof(topo) on 64-bit systems (both evaluate to 8 bytes). Fixes: dd08ebf ("drm/xe: Introduce a new DRM driver for Intel GPUs") Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com> Reviewed-by: Matt Roper <matthew.d.roper@intel.com> Link: https://patch.msgid.link/20260130043907.465128-2-shuicheng.lin@intel.com Signed-off-by: Matt Roper <matthew.d.roper@intel.com> (cherry picked from commit c2a6859138e7f73ad904be17dd7d1da6cc7f06b3) Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 422f646b4ab50c8078ca217db0f13da20a6ab3b0) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit f2eedad ] Fix the false-positive "Missing outer runtime PM protection" warning triggered by release_async_domains() -> intel_runtime_pm_get_noresume() -> xe_pm_runtime_get_noresume() during system suspend. xe_pm_runtime_get_noresume() is supposed to warn if the device is not in the runtime resumed state, using xe_pm_runtime_get_if_in_use() for this. However the latter function will fail if called during runtime or system suspend/resume, regardless of whether the device is runtime resumed or not. Based on the above suppress the warning during system suspend/resume, similarly to how this is done during runtime suspend/resume. Suggested-by: Imre Deak <imre.deak@intel.com> Reviewed-by: Imre Deak <imre.deak@intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20241217230547.1667561-1-rodrigo.vivi@intel.com Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com> Stable-dep-of: bb36170d959f ("drm/xe/pm: Disable D3Cold for BMG only on specific platforms") Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit c8a5ec95c96168853f2bcc68f53942e6c0421472) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit bb36170d959fad7f663f91eb9c32a84dd86bef2b ] Restrict D3Cold disablement for BMG to unsupported NUC platforms, instead of disabling it on all platforms. Signed-off-by: Karthik Poosa <karthik.poosa@intel.com> Fixes: 3e331a6 ("drm/xe/pm: Temporarily disable D3Cold on BMG") Link: https://patch.msgid.link/20260123173238.1642383-1-karthik.poosa@intel.com Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com> Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com> (cherry picked from commit 39125eaf8863ab09d70c4b493f58639b08d5a897) Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit c0de1cc6a69432fd850cf6ad9a16855da45cd9a6) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 831a2b27914cc880130ffe8fb8d1e65a5324d07f ] This is a printf-style function, which gcc -Werror=suggest-attribute=format correctly points out: drivers/hwmon/occ/common.c: In function 'occ_init_attribute': drivers/hwmon/occ/common.c:761:9: error: function 'occ_init_attribute' might be a candidate for 'gnu_printf' format attribute [-Werror=suggest-attribute=format] Add the attribute to avoid this warning and ensure any incorrect format strings are detected here. Fixes: 744c2fe ("hwmon: (occ) Rework attribute registration for stack usage") Signed-off-by: Arnd Bergmann <arnd@arndb.de> Link: https://lore.kernel.org/r/20260203163440.2674340-1-arnd@kernel.org Signed-off-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 09dc5be323d4fc79bae2dfe38bb422a942e6dd30) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…activate()
[ Upstream commit f41c5d151078c5348271ffaf8e7410d96f2d82f8 ]
nft_map_catchall_activate() has an inverted element activity check
compared to its non-catchall counterpart nft_mapelem_activate() and
compared to what is logically required.
nft_map_catchall_activate() is called from the abort path to re-activate
catchall map elements that were deactivated during a failed transaction.
It should skip elements that are already active (they don't need
re-activation) and process elements that are inactive (they need to be
restored). Instead, the current code does the opposite: it skips inactive
elements and processes active ones.
Compare the non-catchall activate callback, which is correct:
nft_mapelem_activate():
if (nft_set_elem_active(ext, iter->genmask))
return 0; /* skip active, process inactive */
With the buggy catchall version:
nft_map_catchall_activate():
if (!nft_set_elem_active(ext, genmask))
continue; /* skip inactive, process active */
The consequence is that when a DELSET operation is aborted,
nft_setelem_data_activate() is never called for the catchall element.
For NFT_GOTO verdict elements, this means nft_data_hold() is never
called to restore the chain->use reference count. Each abort cycle
permanently decrements chain->use. Once chain->use reaches zero,
DELCHAIN succeeds and frees the chain while catchall verdict elements
still reference it, resulting in a use-after-free.
This is exploitable for local privilege escalation from an unprivileged
user via user namespaces + nftables on distributions that enable
CONFIG_USER_NS and CONFIG_NF_TABLES.
Fix by removing the negation so the check matches nft_mapelem_activate():
skip active elements, process inactive ones.
Fixes: 628bd3e ("netfilter: nf_tables: drop map element references from preparation phase")
Signed-off-by: Andrew Fasano <andrew.fasano@nist.gov>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 1444ff890b4653add12f734ffeffc173d42862dd)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
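The reference accounting this commit message describes, as an added example that is not nf_tables code: a user-space model in which one catchall element holds the only reference on a chain, one DELSET is prepared and then aborted, and the abort uses either the inverted or the corrected predicate. All `model_*` names are assumptions, and the model collapses generation masks into a single `active` flag.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed user-space model of the accounting in the commit message.
 * These types and functions are hypothetical, not kernel code. */
struct model_chain { int use; bool freed; };
struct model_elem  { bool active; struct model_chain *target; };

/* DELSET preparation: the element becomes inactive and the reference its
 * NFT_GOTO verdict holds on the target chain is dropped. */
static void model_deactivate(struct model_elem *e)
{
	e->active = false;
	e->target->use--;
}

/* Abort path. inverted_check = true reproduces the pre-fix predicate. */
static void model_abort_activate(struct model_elem *e, bool inverted_check)
{
	bool skip = inverted_check ? !e->active  /* buggy: skip inactive */
				   : e->active;  /* fixed: skip active   */

	if (skip)
		return;
	e->active = true;
	e->target->use++;  /* the hold that the abort is meant to restore */
}

/* DELCHAIN gate: deletion is only allowed when nothing holds the chain. */
static bool model_delchain(struct model_chain *c)
{
	if (c->use != 0)
		return false;
	c->freed = true;
	return true;
}

struct model_result {
	int  use_after_abort;  /* should equal the count before DELSET (1) */
	bool delchain_ok;      /* should be refused while the element exists */
	bool dangling;         /* element still points at a freed chain */
};

/* One DELSET that is prepared and then aborted, followed by DELCHAIN. */
static struct model_result model_aborted_delset(bool inverted_check)
{
	struct model_chain chain = { .use = 1, .freed = false };
	struct model_elem catchall = { .active = true, .target = &chain };
	struct model_result r;

	model_deactivate(&catchall);
	model_abort_activate(&catchall, inverted_check);

	r.use_after_abort = chain.use;
	r.delchain_ok = model_delchain(&chain);
	r.dangling = catchall.target->freed;
	return r;
}

int main(void)
{
	struct model_result bad = model_aborted_delset(true);
	struct model_result good = model_aborted_delset(false);

	printf("inverted check: use=%d delchain=%d dangling=%d\n",
	       bad.use_after_abort, bad.delchain_ok, bad.dangling);
	printf("fixed check:    use=%d delchain=%d dangling=%d\n",
	       good.use_after_abort, good.delchain_ok, good.dangling);
	return 0;
}
```

The property worth asserting in a regression test is the one `use_after_abort` captures: an aborted transaction must leave every reference count exactly where it started.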
[ Upstream commit bbf4a17ad9ffc4e3d7ec13d73ecd59dea149ed25 ]
syzbot reported a kernel BUG in fib6_add_rt2node() when adding an IPv6
route. [0]
Commit f72514b3c569 ("ipv6: clear RA flags when adding a static
route") introduced logic to clear RTF_ADDRCONF from existing routes
when a static route with the same nexthop is added. However, this
causes a problem when the existing route has a gateway.
When RTF_ADDRCONF is cleared from a route that has a gateway, that
route becomes eligible for ECMP, i.e. rt6_qualify_for_ecmp() returns
true. The issue is that this route was never added to the
fib6_siblings list.
This leads to a mismatch between the following counts:
- The sibling count computed by iterating fib6_next chain, which
  includes the newly ECMP-eligible route
- The actual siblings in fib6_siblings list, which does not include
  that route
When a subsequent ECMP route is added, fib6_add_rt2node() hits
BUG_ON(sibling->fib6_nsiblings != rt->fib6_nsiblings) because the
counts don't match.
Fix this by only clearing RTF_ADDRCONF when the existing route does
not have a gateway. Routes without a gateway cannot qualify for ECMP
anyway (rt6_qualify_for_ecmp() requires fib_nh_gw_family), so clearing
RTF_ADDRCONF on them is safe and matches the original intent of the
commit.
[0]:
kernel BUG at net/ipv6/ip6_fib.c:1217!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 6010 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:fib6_add_rt2node+0x3433/0x3470 net/ipv6/ip6_fib.c:1217
[...]
Call Trace:
<TASK>
fib6_add+0x8da/0x18a0 net/ipv6/ip6_fib.c:1532
__ip6_ins_rt net/ipv6/route.c:1351 [inline]
ip6_route_add+0xde/0x1b0 net/ipv6/route.c:3946
ipv6_route_ioctl+0x35c/0x480 net/ipv6/route.c:4571
inet6_ioctl+0x219/0x280 net/ipv6/af_inet6.c:577
sock_do_ioctl+0xdc/0x300 net/socket.c:1245
sock_ioctl+0x576/0x790 net/socket.c:1366
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Fixes: f72514b3c569 ("ipv6: clear RA flags when adding a static route")
Reported-by: syzbot+cb809def1baaac68ab92@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=cb809def1baaac68ab92
Tested-by: syzbot+cb809def1baaac68ab92@syzkaller.appspotmail.com
Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Link: https://patch.msgid.link/20260204095837.1285552-1-syoshida@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit d8143c54ceeba232dc8a13aa0afa14a44b371d93)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 124bdc6eccc8c5cba68fee00e01c084c116c4360 ]
When the support for the Sound Blaster X-Fi Surround 5.1 Pro was added, the existing logic for the X-Fi Surround 5.1 in snd_audigy2nx_led_put() was broken due to missing *else* before the added *if*: snd_usb_ctl_msg() became incorrectly called twice and an error from first snd_usb_ctl_msg() call ignored. As the added snd_usb_ctl_msg() call was totally identical to the existing one for the "plain" X-Fi Surround 5.1, just merge those two *if* statements while fixing the broken logic...
Found by Linux Verification Center (linuxtesting.org) with the Svace static analysis tool.
Fixes: 7cdd8d7 ("ALSA: usb-audio - Add support for USB X-Fi S51 Pro")
Signed-off-by: Sergey Shtylyov <s.shtylyov@auroraos.dev>
Link: https://patch.msgid.link/20260203161558.18680-1-s.shtylyov@auroraos.dev
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit ae0aad8c49df89e20d52c03450af3e39f680e757)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 7f67ba5413f98d93116a756e7f17cd2c1d6c2bd6 ]
Fixes: 4a767b1 ("ASoC: amd: add acp3x pdm driver dma ops")
Signed-off-by: Chris Bainbridge <chris.bainbridge@gmail.com>
Link: https://patch.msgid.link/20260202205034.7697-1-chris.bainbridge@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit c9c14d2abe4c5546fcd3a7347fadc4aad2b308d8)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
… transfer
[ Upstream commit aabd8ea0aa253d40cf5f20a609fc3d6f61e38299 ]
When the ISR thread wakes up late and finds that the timeout handler
has already processed the transfer (curr_xfer is NULL), return
IRQ_HANDLED instead of IRQ_NONE.
Use a similar approach to tegra_qspi_handle_timeout() by reading
QSPI_TRANS_STATUS and checking the QSPI_RDY bit to determine if the
hardware actually completed the transfer. If QSPI_RDY is set, the
interrupt was legitimate and triggered by real hardware activity.
The fact that the timeout path handled it first doesn't make it
spurious. Returning IRQ_NONE incorrectly suggests the interrupt
wasn't for this device, which can cause issues with shared interrupt
lines and interrupt accounting.
Fixes: b4e002d8a7ce ("spi: tegra210-quad: Fix timeout handling")
Signed-off-by: Breno Leitao <leitao@debian.org>
Signed-off-by: Usama Arif <usamaarif642@gmail.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Acked-by: Jon Hunter <jonathanh@nvidia.com>
Acked-by: Thierry Reding <treding@nvidia.com>
Link: https://patch.msgid.link/20260126-tegra_xfer-v2-1-6d2115e4f387@debian.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 69079e7b26d553391328aa018a043fec416c0d95)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit ef13ba357656451d6371940d8414e3e271df97e3 ]
Move the assignment of the transfer pointer from curr_xfer inside the spinlock critical section in both handle_cpu_based_xfer() and handle_dma_based_xfer().
Previously, curr_xfer was read before acquiring the lock, creating a window where the timeout path could clear curr_xfer between reading it and using it. By moving the read inside the lock, the handlers are guaranteed to see a consistent value that cannot be modified by the timeout path.
Fixes: 921fc18 ("spi: tegra210-quad: Add support for Tegra210 QSPI controller")
Signed-off-by: Breno Leitao <leitao@debian.org>
Acked-by: Thierry Reding <treding@nvidia.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Acked-by: Jon Hunter <jonathanh@nvidia.com>
Link: https://patch.msgid.link/20260126-tegra_xfer-v2-2-6d2115e4f387@debian.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 62059d8ac0acf612c247094cba451b923ad64c37)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…transfer_one
[ Upstream commit f5a4d7f5e32ba163cff893493ec1cbb0fd2fb0d5 ]
When the timeout handler processes a completed transfer and signals completion, the transfer thread can immediately set up the next transfer and assign curr_xfer to point to it.
If a delayed ISR from the previous transfer then runs, it checks if (!tqspi->curr_xfer) (currently without the lock also -- to be fixed soon) to detect stale interrupts, but this check passes because curr_xfer now points to the new transfer. The ISR then incorrectly processes the new transfer's context.
Protect the curr_xfer assignment with the spinlock to ensure the ISR either sees NULL (and bails out) or sees the new value only after the assignment is complete.
Fixes: 921fc18 ("spi: tegra210-quad: Add support for Tegra210 QSPI controller")
Signed-off-by: Breno Leitao <leitao@debian.org>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Acked-by: Jon Hunter <jonathanh@nvidia.com>
Acked-by: Thierry Reding <treding@nvidia.com>
Link: https://patch.msgid.link/20260126-tegra_xfer-v2-3-6d2115e4f387@debian.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit f5a8a27e6eea4ebbf793ff1c9ab79b2896fd28ce)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit bf4528ab28e2bf112c3a2cdef44fd13f007781cd ]
The curr_xfer field is read by the IRQ handler without holding the lock
to check if a transfer is in progress. When clearing curr_xfer in the
combined sequence transfer loop, protect it with the spinlock to prevent
a race with the interrupt handler.
Protect the curr_xfer clearing at the exit path of
tegra_qspi_combined_seq_xfer() with the spinlock to prevent a race
with the interrupt handler that reads this field.
Without this protection, the IRQ handler could read a partially updated
curr_xfer value, leading to NULL pointer dereference or use-after-free.
Fixes: b4e002d8a7ce ("spi: tegra210-quad: Fix timeout handling")
Signed-off-by: Breno Leitao <leitao@debian.org>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Acked-by: Jon Hunter <jonathanh@nvidia.com>
Acked-by: Thierry Reding <treding@nvidia.com>
Link: https://patch.msgid.link/20260126-tegra_xfer-v2-4-6d2115e4f387@debian.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 6fd446178a610a48e80e5c5b487b0707cd01daac)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…ined_seq_xfer
[ Upstream commit 6d7723e8161f3c3f14125557e19dd080e9d882be ]
Protect the curr_xfer clearing in tegra_qspi_non_combined_seq_xfer()
with the spinlock to prevent a race with the interrupt handler that
reads this field to check if a transfer is in progress.
Fixes: b4e002d8a7ce ("spi: tegra210-quad: Fix timeout handling")
Signed-off-by: Breno Leitao <leitao@debian.org>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Acked-by: Jon Hunter <jonathanh@nvidia.com>
Acked-by: Thierry Reding <treding@nvidia.com>
Link: https://patch.msgid.link/20260126-tegra_xfer-v2-5-6d2115e4f387@debian.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 947e6c7ba1578d8cc19f1cb12b21da12336d2862)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
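The curr_xfer race addressed by the tegra210-quad commits above, as an added example that is not the driver's code: a deterministic user-space model in which a flag stands in for the spinlock and a `preempt` argument lets the timeout path run in the window before the handler takes the lock. All `model_*` names are assumptions, and `hw_ready` stands in for the QSPI_RDY bit read from QSPI_TRANS_STATUS.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model; every name here is hypothetical, not the driver's. */
enum model_irqreturn { MODEL_IRQ_NONE, MODEL_IRQ_HANDLED };

struct model_xfer {
	bool completed;     /* set once the timeout path has finished it */
	int processed;      /* handler worked on a live transfer */
	int stale_touches;  /* handler worked on it after completion */
};

struct model_qspi {
	bool locked;                   /* stands in for the spinlock */
	struct model_xfer *curr_xfer;  /* shared with the timeout path */
};

static void model_lock(struct model_qspi *q)   { q->locked = true; }
static void model_unlock(struct model_qspi *q) { q->locked = false; }

/* Timeout path: completes the transfer and clears curr_xfer under the lock. */
static void model_timeout_path(struct model_qspi *q)
{
	model_lock(q);
	if (q->curr_xfer) {
		q->curr_xfer->completed = true;
		q->curr_xfer = NULL;
	}
	model_unlock(q);
}

static void model_process(struct model_xfer *t)
{
	if (t->completed)
		t->stale_touches++;  /* the use the fix is meant to prevent */
	else
		t->processed++;
}

/* Before the fix: the pointer is sampled outside the critical section. */
static enum model_irqreturn model_handler_before_fix(struct model_qspi *q,
						     bool preempt)
{
	struct model_xfer *t = q->curr_xfer;  /* unlocked read */

	if (preempt)
		model_timeout_path(q);  /* runs between the read and the lock */
	if (!t)
		return MODEL_IRQ_NONE;
	model_lock(q);
	model_process(t);  /* t may already have been completed */
	model_unlock(q);
	return MODEL_IRQ_HANDLED;
}

/* After the fix: read under the lock; a late wake-up with the hardware
 * ready bit set is still reported as handled. */
static enum model_irqreturn model_handler_after_fix(struct model_qspi *q,
						    bool preempt, bool hw_ready)
{
	struct model_xfer *t;

	if (preempt)
		model_timeout_path(q);  /* same window, now harmless */
	model_lock(q);
	t = q->curr_xfer;
	if (!t) {
		model_unlock(q);
		return hw_ready ? MODEL_IRQ_HANDLED : MODEL_IRQ_NONE;
	}
	model_process(t);
	model_unlock(q);
	return MODEL_IRQ_HANDLED;
}

struct model_outcome { enum model_irqreturn ret; int processed; int stale_touches; };

static struct model_outcome model_run(bool fixed, bool preempt, bool hw_ready)
{
	struct model_xfer x = { false, 0, 0 };
	struct model_qspi q = { false, &x };
	struct model_outcome o;

	o.ret = fixed ? model_handler_after_fix(&q, preempt, hw_ready)
		      : model_handler_before_fix(&q, preempt);
	o.processed = x.processed;
	o.stale_touches = x.stale_touches;
	return o;
}

int main(void)
{
	printf("before fix, preempted: stale_touches=%d\n",
	       model_run(false, true, true).stale_touches);
	printf("after fix,  preempted: stale_touches=%d ret=%d\n",
	       model_run(true, true, true).stale_touches,
	       model_run(true, true, true).ret);
	return 0;
}
```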
[ Upstream commit 41d9a6795b95d6ea28439ac1e9ce8c95bbca20fc ]
In tegra_slink_probe(), when platform_get_irq() fails, it directly returns from the function with an error code, which causes a memory leak.
Replace it with a goto label to ensure proper cleanup.
Fixes: eb9913b ("spi: tegra: Fix missing IRQ check in tegra_slink_probe()")
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Link: https://patch.msgid.link/20260202-slink-v1-1-eac50433a6f9@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 075415ae18b5b3e4d0187962d538653154216fe7)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit a0a75b40c919b9f6d3a0b6c978e6ccf344c1be5a ]
The COMMAND1 register bits [29:28] set the SPI mode, which controls the clock idle level. When a transfer ends, tegra_spi_transfer_end() writes def_command1_reg back to restore the default state, but this register value currently lacks the mode bits. This results in the clock always being configured as idle low, breaking devices that need it high.
Fix this by storing the mode bits in def_command1_reg during setup, to prevent this field from always being cleared.
Fixes: f333a33 ("spi/tegra114: add spi driver")
Signed-off-by: Vishwaroop A <va@nvidia.com>
Link: https://patch.msgid.link/20260204141212.1540382-1-va@nvidia.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 6d6b23aada49c4cd44d61d83c073e507c2acb8fc)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 1aaedafb21f38cb872d44f7608b4828a1e14e795 upstream.
Add a PCI quirk to enable microphone detection on the headphone jack of
TongFang X6AR55xU devices.
The former quirk entry did not accomplish this and is removed.
Fixes: b48fe9af1e60 ("ALSA: hda/realtek: Fix headset mic for TongFang X6AR55xU")
Signed-off-by: Tim Guttzeit <t.guttzeit@tuxedocomputers.com>
Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
Link: https://patch.msgid.link/20260123221233.28273-1-wse@tuxedocomputers.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 833a9452f59f4790e1656644ad8cbfc3cdffe4b2)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…NERS
commit ec0c0aa upstream.
The recent changes in the gpiolib-acpi.c need also updates in the Documentation and MAINTAINERS. Do the necessary changes here.
Fixes: babb541af627 ("gpiolib: acpi: Move quirks to a separate file")
Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Closes: https://lore.kernel.org/r/20250516193436.09bdf8cc@canb.auug.org.au
Reviewed-by: Randy Dunlap <rdunlap@infradead.org>
Tested-by: Randy Dunlap <rdunlap@infradead.org>
Acked-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit c1ae8301551f39803a22f4684c2ee50ed2dd9e68)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
Link: https://lore.kernel.org/r/20260209142310.204833231@linuxfoundation.org
Tested-by: Francesco Dolcini <francesco.dolcini@toradex.com>
Tested-by: Brett A C Sheffield <bacs@librecast.net>
Tested-by: Peter Schneider <pschneider1968@googlemail.com>
Tested-by: Hardik Garg <hargar@linux.microsoft.com>
Tested-by: Souleymane Conte <conte.souleymane@gmail.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
Tested-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Tested-by: Ron Economos <re@w6rz.net>
Tested-by: Mark Brown <broonie@kernel.org
Tested-by: Jeffrin Jose T <jeffrin@rajagiritech.edu.in>
Tested-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Tested-by: Salvatore Bonaccorso <carnil@debian.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 88969c951665e2d5b75ff5c03d04fec022e85c9c)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
Reviewer's Guide
Rebases the Deepin 6.6-y kernel to upstream 6.12.70 and pulls in a wide set of upstream fixes, notably around SFP PHY/module capability parsing, Google GVE ethtool statistics and NIC report handling, ALSA loopback and HDA Realtek quirks, KVM irqfd teardown safety, build ID handling via files instead of VMAs, shmem truncation and RBD EOD checks, Tegra QSPI concurrency fixes, and various driver/platform corner‑case fixes and cleanups.
Sequence diagram for procfs build ID query using file-based parsing
sequenceDiagram
actor UserProcess
participant Procfs as procfs_do_procmap_query
participant MM as mm_struct
participant VMA as vm_area_struct
participant File as vm_file
participant BuildID as build_id_lib
UserProcess->>Procfs: ioctl(PROCMAP_QUERY, user_arg)
Procfs->>MM: acquire_mmap_lock(mm)
Procfs->>VMA: find_vma(karg.start, karg.end)
Note over Procfs,VMA: Fill inode, pgoff, vma_name into karg
alt build_id requested and vma has file
Procfs->>VMA: vm_file
VMA-->>Procfs: file*
Procfs->>File: get_file(file)
else no build_id or no file
Procfs-->>Procfs: vm_file == NULL
end
Procfs->>MM: query_vma_teardown(mm, vma)
Procfs->>MM: mmput(mm)
alt build_id requested
alt vm_file is set
Procfs->>BuildID: build_id_parse_file(file, buf, &size)
BuildID-->>Procfs: 0 or error
alt success and user buffer large enough
Procfs-->>UserProcess: set karg.build_id_size
else error or ENAMETOOLONG
Procfs-->>UserProcess: return err
end
else vm_file is NULL
Procfs-->>Procfs: err = -ENOENT, karg.build_id_size = 0
end
Procfs->>File: fput(file) if non-NULL
end
Procfs->>UserProcess: copy_to_user(karg, name, build_id_buf)
UserProcess-->>Procfs: ack
Procfs-->>UserProcess: return 0 or err
Sequence diagram for KVM irqfd deassignment and wakeup safety
sequenceDiagram
actor VMM as Userspace_VMM
participant KVM as kvm_irqfd
participant IRQList as irqfds_list
participant IRQFD as kvm_kernel_irqfd
participant Eventfd as eventfd_wait_queue
participant vCPU as kvm_vcpu
VMM->>KVM: ioctl(KVM_IRQFD, deassign, eventfd,gsi)
KVM->>IRQList: spin_lock_irq(kvm->irqfds.lock)
loop find matching irqfd
IRQList-->>KVM: next IRQFD
alt irqfd->eventfd == eventfd && irqfd->gsi == gsi
KVM->>IRQFD: irqfd_deactivate(irqfd)
note over IRQFD: lockdep_assert_held(irqfds.lock)
IRQFD->>IRQList: list_del_init(&irqfd->list)
IRQFD-->>IRQFD: active = false
end
end
KVM->>IRQList: spin_unlock_irq(kvm->irqfds.lock)
KVM->>IRQFD: flush_work(irqfd->inject)
KVM-->>VMM: return 0
note over Eventfd,IRQFD: Later eventfd signal path
Eventfd->>IRQFD: irqfd_wakeup(wait,mode,sync,key)
IRQFD->>IRQFD: irqfd_is_active(irqfd)
note over IRQFD: lockdep_assert_once(irqfds.lock || irq_srcu)
alt irqfd is inactive
IRQFD-->>IRQFD: skip kvm_arch_set_irq_inatomic
IRQFD-->>vCPU: schedule_work(irqfd->inject) (may be no-op)
else irqfd is active
IRQFD->>vCPU: kvm_arch_set_irq_inatomic(&irq, kvm, source,1,false)
alt returns -EWOULDBLOCK
IRQFD->>vCPU: schedule_work(irqfd->inject)
else success
vCPU-->>IRQFD: interrupt injected
end
end
Updated class diagram for SFP module capabilities and quirks
classDiagram
class sfp_bus {
+const sfp_socket_ops* socket_ops
+device* sfp_dev
+sfp* sfp
+const sfp_upstream_ops* upstream_ops
+void* upstream
+bool registered
+bool started
+sfp_module_caps caps
+int sfp_module_insert(sfp_bus* bus, sfp_eeprom_id* id, sfp_quirk* quirk)
+void sfp_module_remove(sfp_bus* bus)
}
class sfp_module_caps {
+unsigned long interfaces[PHY_INTERFACE_MODE_MAX]
+unsigned long link_modes[__ETHTOOL_LINK_MODE_MASK_NBITS]
+bool may_have_phy
+u8 port
}
class sfp_quirk {
+const char* vendor
+const char* part
+void support(sfp_eeprom_id* id, sfp_module_caps* caps)
+void fixup(sfp* module)
}
class sfp_core_helpers {
+void sfp_module_parse_support(sfp_bus* bus, sfp_eeprom_id* id)
+void sfp_module_parse_port(sfp_bus* bus, sfp_eeprom_id* id)
+void sfp_module_parse_may_have_phy(sfp_bus* bus, sfp_eeprom_id* id)
+void sfp_init_module(sfp_bus* bus, sfp_eeprom_id* id, sfp_quirk* quirk)
+int sfp_parse_port(sfp_bus* bus, sfp_eeprom_id* id, unsigned long* support)
+bool sfp_may_have_phy(sfp_bus* bus, sfp_eeprom_id* id)
+void sfp_parse_support(sfp_bus* bus, sfp_eeprom_id* id, unsigned long* support, unsigned long* interfaces)
}
class sfp_quirk_impl_2500basex {
+void sfp_quirk_2500basex(sfp_eeprom_id* id, sfp_module_caps* caps)
}
class sfp_quirk_impl_disable_autoneg {
+void sfp_quirk_disable_autoneg(sfp_eeprom_id* id, sfp_module_caps* caps)
}
class sfp_quirk_impl_oem_2_5g {
+void sfp_quirk_oem_2_5g(sfp_eeprom_id* id, sfp_module_caps* caps)
}
class sfp_quirk_impl_ubnt_uf_instant {
+void sfp_quirk_ubnt_uf_instant(sfp_eeprom_id* id, sfp_module_caps* caps)
}
sfp_bus --> sfp_module_caps : has
sfp_bus --> sfp_core_helpers : uses
sfp_bus --> sfp_quirk : optional_quirk
sfp_quirk <|-- sfp_quirk_impl_2500basex : implements_support
sfp_quirk <|-- sfp_quirk_impl_disable_autoneg : implements_support
sfp_quirk <|-- sfp_quirk_impl_oem_2_5g : implements_support
sfp_quirk <|-- sfp_quirk_impl_ubnt_uf_instant : implements_support
sfp_core_helpers ..> sfp_module_caps : fills_caps
sfp_core_helpers ..> sfp_quirk : invokes_support
[APPROVALNOTIFIER] This PR is NOT APPROVED
Hey - I've left some high level feedback:
- In do_procmap_query() the new vm_file handling calls query_vma_teardown()/mmput() once before the build ID parsing and then again on the common out: error path, which risks double-teardown of the same mm/vma; consider restructuring to only tear down and drop the mm/file in one place.
- The change to the liquidio and liquidio VF setup_nic_devices() error paths from a `while (i--)` loop to a `do { ... } while (i--)` loop, combined with the new `i--` before goto on devlink alloc failure, can cause the cleanup code to run once with i == -1; it would be safer to ensure i is non-negative before entering the cleanup loop.
Pull request overview
Updates the repository’s Linux stable kernel base from 6.12.69 to 6.12.70, pulling in upstream stable fixes across multiple subsystems (KVM, net, storage, HID, filesystems, tracing, power management, etc.).
Changes:
- Bump kernel version `SUBLEVEL` to 70 and apply the upstream `v6.12.70` stable patchset.
- Incorporate upstream bugfixes/hardening across drivers, filesystems, networking, tracing, and virtualization.
- Update selected tooling/build flags (e.g., KVM selftests, turbostat) to address build/runtime issues.
Reviewed changes
Copilot reviewed 120 out of 120 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| Documentation/driver-api/gpio/index.rst | Update kernel-doc reference for ACPI GPIO docs. |
| Documentation/translations/zh_CN/driver-api/gpio/index.rst | Sync translated GPIO doc reference with upstream file split. |
| MAINTAINERS | Update GPIO ACPI file globs to match file renames/splits. |
| Makefile | Bump kernel sublevel to 6.12.70. |
| arch/arm/include/asm/string.h | Fix memset64() behavior for big-endian. |
| arch/loongarch/kernel/traps.c | Add exception fixup for specific ADE subcode. |
| arch/loongarch/mm/cache.c | Correct protection_map entries for VM_NONE/VM_SHARED. |
| arch/riscv/kernel/traps.c | Harden syscall indexing under speculation. |
| arch/x86/include/asm/kfence.h | Fix KFENCE page protection to avoid L1TF-vulnerable PTEs. |
| arch/x86/include/asm/vmware.h | Fix hypercall clobber list. |
| block/bfq-cgroup.c | Fix aux stat accumulation destination. |
| drivers/android/binder.c | Fix BR_FROZEN_REPLY logging message formatting/meaning. |
| drivers/android/binderfs.c | Fix ida_alloc_max() upper bound usage. |
| drivers/base/regmap/regcache-maple.c | Fix error path cleanup in regcache-maple write. |
| drivers/block/rbd.c | Add EOD checking after lock ensured; adjust snapc handling. |
| drivers/block/ublk_drv.c | Avoid deadlock by ending requests with softirqs disabled in key paths. |
| drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | Restore MMIO access after mode1 reset. |
| drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | Remove ASPM check logic (upstream revert). |
| drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c | Fix DCN3+ LUT point handling. |
| drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c | Disable MMIO access during mode1 reset. |
| drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c | Disable MMIO access during mode1 reset (non-emu). |
| drivers/gpu/drm/mgag200/mgag200_bmc.c | Use read_poll_timeout() for scanout stop sequencing. |
| drivers/gpu/drm/mgag200/mgag200_drv.h | Add DAC register read helper macro. |
| drivers/gpu/drm/xe/xe_pm.c | Refine D3Cold gating and suspend/resume detection. |
| drivers/gpu/drm/xe/xe_query.c | Fix user pointer advance size calculation. |
| drivers/hid/hid-ids.h | Add new USB IDs (e.g., Edifier, Chicony camera). |
| drivers/hid/hid-logitech-hidpp.c | Add Logitech MX Anywhere 3S Bluetooth support. |
| drivers/hid/hid-multitouch.c | Add MT_QUIRK_STICKY_FINGERS to MT_CLS_VTL. |
| drivers/hid/hid-playstation.c | Center initial joystick axes to avoid spurious events. |
| drivers/hid/hid-quirks.c | Add quirks/ignore-list entries for new devices. |
| drivers/hid/i2c-hid/i2c-hid-core.c | Clamp recv_len to prevent potential buffer overflow. |
| drivers/hid/intel-ish-hid/ishtp-hid-client.c | Reset enum_devices_done before enumeration. |
| drivers/hid/intel-ish-hid/ishtp/bus.c | Match driver IDs against full ID table rather than first entry only. |
| drivers/hwmon/occ/common.c | Mark occ_init_attribute() as __printf for format checking. |
| drivers/md/md.c | Suspend array while updating raid_disks via sysfs. |
| drivers/net/ethernet/adi/adin1110.c | Check devm_gpiod_get_optional() return value. |
| drivers/net/ethernet/cavium/liquidio/lio_main.c | Initialize netdev pointers earlier; fix cleanup loop edge cases. |
| drivers/net/ethernet/cavium/liquidio/lio_vf_main.c | Fix cleanup loop for setup failure paths. |
| drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c | Add num_ifs checks and bounds check in IRQ handler. |
| drivers/net/ethernet/google/gve/gve_ethtool.c | Fix stats/report indexing and include XDP error accounting. |
| drivers/net/ethernet/google/gve/gve_main.c | Allocate stats report based on max queues. |
| drivers/net/macvlan.c | Fix error recovery ordering for macvlan port destroy. |
| drivers/net/phy/sfp-bus.c | Refactor SFP capability parsing into cached module caps. |
| drivers/net/phy/sfp.c | Convert quirks to operate on sfp_module_caps. |
| drivers/net/phy/sfp.h | Update quirk hook signature to support(caps) model. |
| drivers/net/usb/r8152.c | Fix resume/reset sequencing to avoid deadlock. |
| drivers/net/usb/sr9700.c | Add support for SR9700 variant with virtual driver CD-ROM. |
| drivers/net/wireless/ti/wlcore/tx.c | Ensure skb headroom before skb_push in TX alloc path. |
| drivers/nvme/host/fc.c | Release admin tagset if init fails. |
| drivers/nvme/target/tcp.c | Add bounds checks in PDU iovec building and listen callback guard. |
| drivers/pci/bus.c | Save config space on add for error recoverability. |
| drivers/pci/controller/dwc/pcie-qcom.c | Adjust ASPM L0s handling and config flags. |
| drivers/pci/pci.c | Remove early return in pci_restore_state when state not saved. |
| drivers/platform/x86/hp/hp-bioscfg/bioscfg.c | Skip empty attribute names. |
| drivers/platform/x86/intel/int0002_vgpio.c | Fix documentation reference to gpiolib-acpi. |
| drivers/platform/x86/intel/intel_plr_tpmi.c | Make debugfs status file writable. |
| drivers/platform/x86/intel/telemetry/debugfs.c | Fix swapped arrays in PSS output. |
| drivers/platform/x86/intel/telemetry/pltdrv.c | Fix event_regs mask extraction. |
| drivers/platform/x86/toshiba_haps.c | Convert allocation to devm_kzalloc to avoid leaks. |
| drivers/pmdomain/imx/gpcv2.c | Fix GPU handshake bit masks (GENMASK). |
| drivers/pmdomain/imx/imx8m-blk-ctrl.c | Fix loop bound in remove path. |
| drivers/pmdomain/imx/imx8mp-blk-ctrl.c | Add wakeup flags and genpd power notifier handling. |
| drivers/pmdomain/qcom/rpmpd.c | Fix off-by-one clamp to highest corner/level. |
| drivers/spi/spi-hisi-kunpeng.c | Fix debugfs node naming by using proper controller lookup. |
| drivers/spi/spi-tegra114.c | Preserve SPI mode bits in default register. |
| drivers/spi/spi-tegra20-slink.c | Fix error path to avoid leaked PM refs on IRQ failure. |
| drivers/spi/spi-tegra210-quad.c | Fix locking around curr_xfer and IRQ handling edge cases. |
| drivers/target/iscsi/iscsi_target_util.c | Fix UAF by unlocking before complete() in dec usage paths. |
| fs/btrfs/disk-io.c | Enforce full read-only behavior for rescue mount options. |
| fs/btrfs/fs.h | Add full read-only mount option mask definition. |
| fs/btrfs/inode.c | Fix error path handling in inline COW range logic. |
| fs/ceph/crypto.c | Harden long snapshot name parsing; avoid invalid pointer free. |
| fs/ceph/mds_client.c | Use decoded fs name and wildcard matching for auth match. |
| fs/ceph/mdsmap.c | Track/validate fs_name in mdsmap; free on destroy. |
| fs/ceph/mdsmap.h | Add m_fs_name to mdsmap struct. |
| fs/ceph/super.h | Add namespace wildcard matching helper and adjust namespace_equals return type. |
| fs/hfsplus/dir.c | Use bounded unicode conversion helper for normal strings. |
| fs/hfsplus/hfsplus_fs.h | Export new unicode conversion helper APIs. |
| fs/hfsplus/unicode.c | Add bounded conversion helpers and xattr-specific max length. |
| fs/hfsplus/xattr.c | Use xattr-safe unicode conversion helper. |
| fs/proc/task_mmu.c | Avoid build-id parsing under VMA lock by using file ref and deferred parse. |
| fs/smb/client/smb2file.c | Fix memory leak in retry path by freeing error response buffer. |
| fs/smb/server/smb2pdu.c | Fix refcount leaks and ensure session RPC close on error paths. |
| include/linux/buildid.h | Add build_id_parse_file() declaration. |
| include/linux/ceph/ceph_fs.h | Define CEPH_OLD_FS_NAME constant. |
| include/linux/phy.h | Add phy_interface_copy/weight helpers. |
| include/linux/sfp.h | Introduce sfp_module_caps struct. |
| include/linux/skbuff.h | Add skb_header_pointer_careful() helper. |
| kernel/trace/ring_buffer.c | Add cond_resched() to avoid softlockups during resize free loop. |
| kernel/trace/trace.h | Adjust trace field macros for packed/desc packed. |
| kernel/trace/trace_entries.h | Switch funcgraph packed fields to new macros. |
| kernel/trace/trace_export.c | Fix field macro definitions for packed/desc packed. |
| lib/buildid.c | Refactor build-id parsing to accept file and add build_id_parse_file(). |
| mm/shmem.c | Fix truncate race infinite loop with large swap entries. |
| mm/slub.c | Add alloc_tagging hook in memcg_alloc_abort_single and reuse computed slab. |
| net/bridge/netfilter/ebtables.c | Replace -EEXIST with -EBUSY for template registration conflict. |
| net/core/filter.c | Fix stats accounting in BPF redirect paths (dropped vs tx_errors). |
| net/core/gro.c | Clear skb->encapsulation before gro_complete for encapsulated packets. |
| net/ipv6/ip6_fib.c | Fix ECMP sibling count mismatch when clearing flags. |
| net/mac80211/iface.c | Correctly check CSA active across links. |
| net/mac80211/key.c | Avoid incrementing tailroom counter for tainted keys. |
| net/mac80211/ocb.c | Skip rx_no_sta when interface not joined. |
| net/mac80211/sta_info.c | Collect station statistics earlier when disconnecting. |
| net/netfilter/nf_log.c | Replace -EEXIST with -EBUSY on logger registration conflict. |
| net/netfilter/nf_tables_api.c | Fix inverted genmask check in catchall activation. |
| net/netfilter/x_tables.c | Replace -EEXIST with -EBUSY on template registration conflict. |
| net/sched/cls_u32.c | Use skb_header_pointer_careful() for user-controlled offsets. |
| net/tipc/crypto.c | Use kfree_sensitive() for session key material. |
| net/wireless/util.c | Fix HE bitrate calculation overflow by using do_div on widened tmp. |
| sound/drivers/aloop.c | Fix racy access at PCM trigger / format mismatch handling. |
| sound/pci/hda/patch_realtek.c | Add/adjust Realtek quirks for multiple laptop models. |
| sound/soc/amd/renoir/acp3x-pdm-dma.c | Fix memory leak by freeing stream instance on close. |
| sound/soc/amd/yc/acp6x-mach.c | Add ASUS M6500RE DMI quirk. |
| sound/soc/codecs/tlv320adcx140.c | Propagate GPIO reset acquisition errors via dev_err_probe. |
| sound/soc/generic/simple-card-utils.c | Guard link direction parsing assignments. |
| sound/soc/ti/davinci-evm.c | Fix reference leaks; add proper cleanup/put paths on error. |
| sound/usb/mixer_quirks.c | Fix snd_audigy2nx_led_update() device ID handling. |
| tools/power/x86/turbostat/turbostat.c | Fix GCC9 build regression by hoisting declarations. |
| tools/testing/selftests/kvm/Makefile | Undefine _FORTIFY_SOURCE to avoid unpredictable selftest failures. |
| virt/kvm/eventfd.c | Fix irqfd deassign/injection handling and add lock/SRCU assertions. |
| bool is_playback_only = of_property_read_bool(np, "playback-only"); | ||
| bool is_capture_only = of_property_read_bool(np, "capture-only"); | ||
|
|
||
| if (playback_only) | ||
| if (np && playback_only) | ||
| *playback_only = is_playback_only; | ||
| if (capture_only) | ||
| if (np && capture_only) | ||
| *capture_only = is_capture_only; |
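Review bot: the new guards `if (np && playback_only)` and `if (np && capture_only)` repeat the same np test, while the two `of_property_read_bool(np, ...)` reads above them still run for a NULL np and their results are then thrown away. If nothing else in the function needs to run without a node, a single `if (!np)` early exit placed before the reads would state the intent once. Either way, add a comment saying that a NULL np deliberately leaves *playback_only and *capture_only at whatever the caller passed in, since callers now have to initialise them.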
of_property_read_bool() is already NULL-safe (it returns false when np is NULL via of_find_property()), so gating the assignments on np changes semantics: a NULL np will no longer clear *playback_only/*capture_only to false, potentially leaving stale values from earlier calls. Consider restoring the previous if (playback_only) / if (capture_only) checks (or early-return when !np) so the outputs are always updated when the pointers are non-NULL.
| * sfp_parse_port() - Parse the EEPROM base ID, setting the port type | ||
| * @bus: a pointer to the &struct sfp_bus structure for the sfp module | ||
| * @id: a pointer to the module's &struct sfp_eeprom_id | ||
| * @support: optional pointer to an array of unsigned long for the | ||
| * ethtool support mask | ||
| * | ||
| * Parse the EEPROM identification given in @id, and return one of | ||
| * %PORT_TP, %PORT_FIBRE or %PORT_OTHER. If @support is non-%NULL, | ||
| * also set the ethtool %ETHTOOL_LINK_MODE_xxx_BIT corresponding with | ||
| * the connector type. | ||
| * | ||
| * If the port type is not known, returns %PORT_OTHER. | ||
| */ | ||
| int sfp_parse_port(struct sfp_bus *bus, const struct sfp_eeprom_id *id, | ||
| unsigned long *support) | ||
| { | ||
| return bus->caps.port; | ||
| } |
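Review bot: `return bus->caps.port;` makes the result depend on bus->caps having been filled in before this function is called, and the kernel-doc above neither states that precondition nor says what is returned when it has not been met. Document which step populates caps. Also state that @id and @support are accepted but no longer read or written, so a caller passing a non-NULL @support does not expect a link mode bit to be set.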
The exported sfp_parse_port() no longer parses id or updates the optional support mask as described in its kernel-doc comment; it now just returns the cached bus->caps.port. Please update the kernel-doc (and consider dropping/annotating the now-unused parameters) so the API contract matches the implementation.
Update kernel base to 6.12.70.
git log --oneline v6.12.69..v6.12.70 |wc
115 1001 8412
Handle:
HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()
Andrew Cooper (1):
x86/kfence: fix booting on 32bit non-PAE systems
Andrew Fasano (1):
netfilter: nf_tables: fix inverted genmask check in
nft_map_catchall_activate()
Andrii Nakryiko (1):
procfs: avoid fetching build ID while holding VMA lock
Andy Shevchenko (1):
gpiolib-acpi: Update file references in the Documentation and
MAINTAINERS
Arnd Bergmann (1):
hwmon: (occ) Mark occ_init_attribute() as __printf
Baochen Qiang (1):
wifi: mac80211: collect station statistics earlier when disconnect
Bert Karwatzki (1):
Revert "drm/amd: Check if ASPM is enabled from PCIe subsystem"
Breno Leitao (5):
spi: tegra210-quad: Return IRQ_HANDLED when timeout already processed
transfer
spi: tegra210-quad: Move curr_xfer read inside spinlock
spi: tegra210-quad: Protect curr_xfer assignment in
tegra_qspi_setup_transfer_one
spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer
spi: tegra210-quad: Protect curr_xfer clearing in
tegra_qspi_non_combined_seq_xfer
Carlos Llamas (2):
binder: fix BR_FROZEN_REPLY error log
binderfs: fix ida_alloc_max() upper bound
Chaitanya Kulkarni (1):
nvme-fc: release admin tagset if init fails
Chen Ni (1):
net: ethernet: adi: adin1110: Check return value of
devm_gpiod_get_optional() in adin1110_check_spi()
ChenXiaoSong (1):
smb/client: fix memory leak in smb2_open_file()
Chenghao Duan (1):
LoongArch: Enable exception fixup for specific ADE subcode
Chris Bainbridge (1):
ASoC: amd: fix memory leak in acp3x pdm dma ops
Chris Chiu (1):
HID: quirks: Add another Chicony HP 5MP Cameras to hid_ignore_list
Daniel Gomez (1):
netfilter: replace -EEXIST with -EBUSY
Daniel Hodges (1):
tipc: use kfree_sensitive() for session key material
Daniel Vogelbacher (1):
ceph: fix oops due to invalid pointer for kfree() in parse_longname()
DaytonCL (1):
HID: multitouch: add MT_QUIRK_STICKY_FINGERS to MT_CLS_VTL
Debarghya Kundu (1):
gve: Fix stats report corruption on queue count change
Dennis Marttinen (1):
HID: logitech: add HID++ support for Logitech MX Anywhere 3S
Devyn Liu (1):
spi: hisi-kunpeng: Fixed the wrong debugfs node name in hisi_spi
debugfs initialization
Dimitrios Katsaros (1):
ASoC: tlv320adcx140: Propagate error codes during probe
Eric Dumazet (3):
net: add skb_header_pointer_careful() helper
net/sched: cls_u32: use skb_header_pointer_careful()
macvlan: fix error recovery in macvlan_common_newlink()
Ethan Nelson-Moore (1):
net: usb: sr9700: support devices with virtual driver CD
Felix Gu (1):
spi: tegra: Fix a memory leak in tegra_slink_probe()
FengWei Shih (1):
md: suspend array while updating raid_disks via sysfs
Filipe Manana (1):
btrfs: fix reservation leak in some error paths when inserting inline
extent
Gabor Juhos (1):
pmdomain: qcom: rpmpd: fix off-by-one error in clamping to the highest
state
Greg Kroah-Hartman (1):
Linux 6.12.70
Hannes Reinecke (1):
nvmet-tcp: fixup hang in nvmet_tcp_listen_data_ready()
Hao Ge (1):
mm/slab: Add alloc_tagging_slab_free_hook for memcg_alloc_abort_single
Huacai Chen (1):
LoongArch: Set correct protection_map[] for VM_NONE/VM_SHARED
Ilya Dryomov (1):
rbd: check for EOD after exclusive lock is ensured to be held
Jacky Bai (1):
pmdomain: imx: gpcv2: Fix the imx8mm gpu hang due to wrong adb400
reset
Jacob Keller (1):
drm/mgag200: fix mgag200_bmc_stop_scanout()
Jakub Kicinski (1):
net: don't touch dev->stats in BPF redirect paths
Josh Poimboeuf (1):
x86/vmware: Fix hypercall clobbers
Junrui Luo (2):
dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero
dpaa2-switch: add bounds check for if_id in IRQ handler
Kairui Song (1):
mm, shmem: prevent infinite loop on truncate race
Kang Chen (1):
hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()
Karthik Poosa (1):
drm/xe/pm: Disable D3Cold for BMG only on specific platforms
Kaushlendra Kumar (3):
platform/x86: intel_telemetry: Fix swapped arrays in PSS output
regmap: maple: free entry on mas_store_gfp() failure
platform/x86: intel_telemetry: Fix PSS event register mask
Kery Qi (1):
ASoC: davinci-evm: Fix reference leak in davinci_evm_probe
Kwok Kin Ming (1):
HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()
Lukas Gerlach (1):
riscv: Sanitize syscall table indexing under speculation
Lukas Wunner (1):
PCI/ERR: Ensure error recoverability at all times
Manivannan Sadhasivam (1):
PCI: qcom: Remove ASPM L0s support for MSM8996 SoC
Marek Behún (1):
net: sfp: Fix quirk for Ubiquiti U-Fiber Instant SFP module
Mario Limonciello (1):
platform/x86: hp-bioscfg: Skip empty attribute names
Martin Hamilton (1):
ALSA: hda/realtek: ALC269 fixup for Lenovo Yoga Book 9i 13IRU8 audio
Matouš Lánský (1):
ALSA: hda/realtek: Add quirk for Acer Nitro AN517-55
Maurizio Lombardi (2):
scsi: target: iscsi: Fix use-after-free in
iscsit_dec_session_usage_count()
scsi: target: iscsi: Fix use-after-free in
iscsit_dec_conn_usage_count()
Max Yuan (1):
gve: Correct ethtool rx_dropped calculation
Melissa Wen (1):
drm/amd/display: fix wrong color value mapping on MCM shaper LUT
Ming Lei (1):
ublk: fix deadlock when reading partition table
Miri Korenblit (2):
wifi: mac80211: correctly check if CSA is active
wifi: mac80211: don't increment crypto_tx_tailroom_needed_cnt twice
Moon Hee Lee (1):
wifi: mac80211: ocb: skip rx_no_sta when interface is not joined
Paolo Abeni (1):
net: gro: fix outer network offset
Perry Yuan (1):
drm/amd/pm: Disable MMIO access during SMU Mode 1 reset
Peter Åstrand (1):
wifi: wlcore: ensure skb headroom before skb_push
Qu Wenruo (1):
btrfs: reject new transactions if the fs is fully read-only
Radhi Bajahaw (1):
ASoC: amd: yc: Fix microphone on ASUS M6500RE
Rafael J. Wysocki (1):
platform/x86: toshiba_haps: Fix memory leaks in add/remove routines
Ricardo Neri (1):
platform/x86/intel/tpmi/plr: Make the file domain/status writeable
Rodrigo Lugathe da Conceição Alves (1):
HID: Apply quirk HID_QUIRK_ALWAYS_POLL to Edifier QR30 (2d99:a101)
Rodrigo Vivi (1):
drm/xe/pm: Also avoid missing outer rpm warning on system suspend
Ruslan Krupitsa (1):
ALSA: hda/realtek: add HP Laptop 15s-eq1xxx mute LED quirk
Russell King (Oracle) (4):
net: phy: add phy_interface_weight()
net: phy: add phy_interface_copy()
net: sfp: pre-parse the module support
net: sfp: convert sfp quirks to modify struct sfp_module_support
Sean Christopherson (1):
KVM: Don't clobber irqfd routing type when deassigning irqfd
Sergey Senozhatsky (1):
net: usb: r8152: fix resume reset deadlock
Sergey Shtylyov (1):
ALSA: usb-audio: fix broken logic in snd_audigy2nx_led_update()
Shengjiu Wang (1):
ASoC: simple-card-utils: Check device node before overwrite direction
Shigeru Yoshida (1):
ipv6: Fix ECMP sibling count mismatch when clearing RTF_ADDRCONF
Shuicheng Lin (1):
drm/xe/query: Fix topology query pointer advance
Siarhei Vishniakou (1):
HID: playstation: Center initial joystick axes to prevent spurious
events
Steven Rostedt (1):
tracing: Fix ftrace event field alignments
Takashi Iwai (1):
ALSA: aloop: Fix racy access at PCM trigger
Thomas Weissschuh (1):
ARM: 9468/1: fix memset64() on big-endian
Tim Guttzeit (1):
ALSA: hda/realtek: Fix headset mic for TongFang X6AR55xU
Todd Brandt (1):
tools/power turbostat: fix GCC9 build regression
Veerendranath Jakkam (1):
wifi: cfg80211: Fix bitrate calculation overflow for HE rates
Viacheslav Dubeyko (1):
ceph: fix NULL pointer dereference in ceph_mds_auth_match()
Vishwaroop A (1):
spi: tegra114: Preserve SPI mode bits in def_command1_reg
Werner Sembach (1):
ALSA: hda/realtek: Really fix headset mic for TongFang X6AR55xU.
Wupeng Ma (1):
ring-buffer: Avoid softlockup in ring_buffer_resize() during memory
free
Xu Yang (3):
pmdomain: imx8mp-blk-ctrl: Keep gpc power domain on for system wakeup
pmdomain: imx8mp-blk-ctrl: Keep usb phy power domain on for system
wakeup
pmdomain: imx8m-blk-ctrl: fix out-of-range access of bc->domains
YunJe Shin (1):
nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec
Zhang Lixu (2):
HID: intel-ish-hid: Update ishtp bus match to support device ID table
HID: intel-ish-hid: Reset enum_devices_done before enumeration
ZhangGuoDong (3):
smb/server: call ksmbd_session_rpc_close() on error path in
create_smb2_pipe()
smb/server: fix refcount leak in smb2_open()
smb/server: fix refcount leak in parse_durable_handle_context()
Zhiquan Li (1):
KVM: selftests: Add -U_FORTIFY_SOURCE to avoid some unpredictable test
failures
Zilin Guan (3):
net: liquidio: Initialize netdev pointer before queue setup
net: liquidio: Fix off-by-one error in PF setup_nic_devices() cleanup
net: liquidio: Fix off-by-one error in VF setup_nic_devices() cleanup
shechenglong (1):
block,bfq: fix aux stat accumulation destination
Documentation/driver-api/gpio/index.rst | 2 +-
.../zh_CN/driver-api/gpio/index.rst | 2 +-
MAINTAINERS | 2 +-
Makefile | 2 +-
arch/arm/include/asm/string.h | 5 +-
arch/loongarch/kernel/traps.c | 5 ++
arch/loongarch/mm/cache.c | 8 +-
arch/riscv/kernel/traps.c | 4 +-
arch/x86/include/asm/kfence.h | 7 +-
arch/x86/include/asm/vmware.h | 4 +-
block/bfq-cgroup.c | 2 +-
drivers/android/binder.c | 5 +-
drivers/android/binderfs.c | 8 +-
drivers/base/regmap/regcache-maple.c | 11 +--
drivers/block/rbd.c | 33 +++++---
drivers/block/ublk_drv.c | 30 ++++++-
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 3 +
drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 3 -
.../amd/display/dc/dcn30/dcn30_cm_common.c | 7 +-
.../drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c | 7 +-
.../drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c | 9 ++-
drivers/gpu/drm/mgag200/mgag200_bmc.c | 31 +++-----
drivers/gpu/drm/mgag200/mgag200_drv.h | 6 ++
drivers/gpu/drm/xe/xe_pm.c | 17 +++-
drivers/gpu/drm/xe/xe_query.c | 2 +-
drivers/hid/hid-ids.h | 4 +
drivers/hid/hid-logitech-hidpp.c | 2 +
drivers/hid/hid-multitouch.c | 1 +
drivers/hid/hid-playstation.c | 5 ++
drivers/hid/hid-quirks.c | 2 +
drivers/hid/i2c-hid/i2c-hid-core.c | 1 +
drivers/hid/intel-ish-hid/ishtp-hid-client.c | 1 +
drivers/hid/intel-ish-hid/ishtp/bus.c | 12 ++-
drivers/hwmon/occ/common.c | 1 +
drivers/md/md.c | 4 +-
drivers/net/ethernet/adi/adin1110.c | 3 +
.../net/ethernet/cavium/liquidio/lio_main.c | 39 ++++-----
.../ethernet/cavium/liquidio/lio_vf_main.c | 4 +-
.../ethernet/freescale/dpaa2/dpaa2-switch.c | 10 +++
drivers/net/ethernet/google/gve/gve_ethtool.c | 77 ++++++++++++------
drivers/net/ethernet/google/gve/gve_main.c | 4 +-
drivers/net/macvlan.c | 5 +-
drivers/net/phy/sfp-bus.c | 79 +++++++++++++------
drivers/net/phy/sfp.c | 51 ++++++------
drivers/net/phy/sfp.h | 4 +-
drivers/net/usb/r8152.c | 29 +++----
drivers/net/usb/sr9700.c | 5 ++
drivers/net/wireless/ti/wlcore/tx.c | 5 ++
drivers/nvme/host/fc.c | 2 +
drivers/nvme/target/tcp.c | 26 ++++--
drivers/pci/bus.c | 3 +
drivers/pci/controller/dwc/pcie-qcom.c | 4 +-
drivers/pci/pci.c | 3 -
drivers/platform/x86/hp/hp-bioscfg/bioscfg.c | 5 ++
drivers/platform/x86/intel/int0002_vgpio.c | 2 +-
drivers/platform/x86/intel/intel_plr_tpmi.c | 2 +-
.../platform/x86/intel/telemetry/debugfs.c | 4 +-
drivers/platform/x86/intel/telemetry/pltdrv.c | 2 +-
drivers/platform/x86/toshiba_haps.c | 2 +-
drivers/pmdomain/imx/gpcv2.c | 8 +-
drivers/pmdomain/imx/imx8m-blk-ctrl.c | 2 +-
drivers/pmdomain/imx/imx8mp-blk-ctrl.c | 30 +++++++
drivers/pmdomain/qcom/rpmpd.c | 2 +-
drivers/spi/spi-hisi-kunpeng.c | 4 +-
drivers/spi/spi-tegra114.c | 3 +
drivers/spi/spi-tegra20-slink.c | 6 +-
drivers/spi/spi-tegra210-quad.c | 36 ++++++++-
drivers/target/iscsi/iscsi_target_util.c | 10 ++-
fs/btrfs/disk-io.c | 13 +++
fs/btrfs/fs.h | 8 ++
fs/btrfs/inode.c | 16 ++--
fs/ceph/crypto.c | 9 ++-
fs/ceph/mds_client.c | 5 +-
fs/ceph/mdsmap.c | 26 ++++--
fs/ceph/mdsmap.h | 1 +
fs/ceph/super.h | 16 +++-
fs/hfsplus/dir.c | 2 +-
fs/hfsplus/hfsplus_fs.h | 8 +-
fs/hfsplus/unicode.c | 24 ++++--
fs/hfsplus/xattr.c | 6 +-
fs/proc/task_mmu.c | 42 ++++++----
fs/smb/client/smb2file.c | 1 +
fs/smb/server/smb2pdu.c | 8 +-
include/linux/buildid.h | 3 +
include/linux/ceph/ceph_fs.h | 6 ++
include/linux/phy.h | 10 +++
include/linux/sfp.h | 22 ++++++
include/linux/skbuff.h | 12 +++
kernel/trace/ring_buffer.c | 2 +
kernel/trace/trace.h | 7 +-
kernel/trace/trace_entries.h | 26 +++---
kernel/trace/trace_export.c | 21 +++--
lib/buildid.c | 42 +++++++---
mm/shmem.c | 23 +++---
mm/slub.c | 6 +-
net/bridge/netfilter/ebtables.c | 2 +-
net/core/filter.c | 8 +-
net/core/gro.c | 2 +
net/ipv6/ip6_fib.c | 3 +-
net/mac80211/iface.c | 8 +-
net/mac80211/key.c | 3 +-
net/mac80211/ocb.c | 3 +
net/mac80211/sta_info.c | 7 +-
net/netfilter/nf_log.c | 4 +-
net/netfilter/nf_tables_api.c | 2 +-
net/netfilter/x_tables.c | 2 +-
net/sched/cls_u32.c | 13 ++-
net/tipc/crypto.c | 4 +-
net/wireless/util.c | 8 +-
sound/drivers/aloop.c | 62 +++++++++------
sound/pci/hda/patch_realtek.c | 27 ++++++-
sound/soc/amd/renoir/acp3x-pdm-dma.c | 2 +
sound/soc/amd/yc/acp6x-mach.c | 7 ++
sound/soc/codecs/tlv320adcx140.c | 3 +
sound/soc/generic/simple-card-utils.c | 4 +-
sound/soc/ti/davinci-evm.c | 39 +++++++--
sound/usb/mixer_quirks.c | 9 +--
tools/power/x86/turbostat/turbostat.c | 15 ++--
tools/testing/selftests/kvm/Makefile | 1 +
virt/kvm/eventfd.c | 44 ++++++-----
120 files changed, 944 insertions(+), 422 deletions(-)
Summary by Sourcery
Update to Linux 6.12.70 and incorporate upstream fixes across storage, networking, HID, audio, tracing, power management, and filesystem subsystems.
Bug Fixes:
Enhancements:
Build:
Documentation:
Tests: