[Deepin-Kernel-SIG] [linux 6.6-y] [Upstream] Update kernel base to 6.6.120-part5 #1427
[ Upstream commit 29e8a0c587e328ed458380a45d6028adf64d7487 ] In sprd_clk_init(), when devm_clk_get() returns -EPROBE_DEFER for either uart or source clock, we should propagate the error instead of just warning and continuing with NULL clocks. Currently the driver only emits a warning when clock acquisition fails and proceeds with NULL clock pointers. This can lead to issues later when the clocks are actually needed. More importantly, when the clock provider is not ready yet and returns -EPROBE_DEFER, we should return this error to allow deferred probing. This change adds explicit checks for -EPROBE_DEFER after both: 1. devm_clk_get(uport->dev, uart) 2. devm_clk_get(uport->dev, source) When -EPROBE_DEFER is encountered, the function now returns -EPROBE_DEFER to let the driver framework retry probing later when the clock dependencies are resolved. Signed-off-by: Wenhua Lin <Wenhua.Lin@unisoc.com> Link: https://patch.msgid.link/20251022030840.956589-1-Wenhua.Lin@unisoc.com Reviewed-by: Cixi Geng <cixi.geng@linux.dev> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 1abf4ddeda5cd631ef8a7433d633a8948ac74aac) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit a0a4173631bfcfd3520192c0a61cf911d6a52c3a ] Passing an empty map to perf_cpu_map__max triggered a SEGV. Explicitly test for the empty map. Reported-by: Ingo Molnar <mingo@kernel.org> Closes: https://lore.kernel.org/linux-perf-users/aSwt7yzFjVJCEmVp@gmail.com/ Tested-by: Ingo Molnar <mingo@kernel.org> Signed-off-by: Ian Rogers <irogers@google.com> Tested-by: Thomas Richter <tmricht@linux.ibm.com> Signed-off-by: Namhyung Kim <namhyung@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 92544ae44c441c7c68593e6b014f6c72ac3856e3) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…configured firmware [ Upstream commit d3429178ee51dd7155445d15a5ab87a45fae3c73 ] When probing the I2C master, disable SMBus interrupts to prevent storms caused by broken firmware mis-configuring IC_SMBUS=1; the handler never services them and a mis-configured SMBUS Master extend-clock timeout or SMBUS Slave extend-clock timeout can flood the CPU. Signed-off-by: Jinhui Guo <guojinhui.liam@bytedance.com> Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com> Signed-off-by: Andi Shyti <andi.shyti@kernel.org> Link: https://lore.kernel.org/r/20251021075714.3712-2-guojinhui.liam@bytedance.com Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 62641daa93cb8b8ed975fad75fb07f9f9e3488cd) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit b71cbcf7d170e51148d5467820ae8a72febcb651 ]
nvme_fc_ctrl_put can acquire the rport lock when freeing the
ctrl object:
    nvme_fc_ctrl_put
      nvme_fc_ctrl_free
        spin_lock_irqsave(rport->lock)
Thus we can't hold the rport lock when calling nvme_fc_ctrl_put.
Justin suggested using the safe list iterator variant because
nvme_fc_ctrl_put will also modify the rport->list.
Cc: Justin Tee <justin.tee@broadcom.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Daniel Wagner <wagi@kernel.org>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit e3ef3e4888dea279610aab3deffbcfecb116c150)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…quirks
[ Upstream commit b169e1733cadb614e87f69d7a5ae1b186c50d313 ]
Dell Pro Rugged 10/12 tablets have a reliable VGBS method. If VGBS is not called on boot, the on-screen keyboard won't appear if the device is booted without a keyboard. Call VGBS on boot on these devices to get the initial state of SW_TABLET_MODE in a reliable way.
Signed-off-by: Chia-Lin Kao (AceLan) <acelan.kao@canonical.com>
Reviewed-by: Hans de Goede <johannes.goede@oss.qualcomm.com>
Link: https://patch.msgid.link/20251127070407.656463-1-acelan.kao@canonical.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 8d8cd3d315db5394e4cea56a7c294ff2aaff7f8e)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 1ddb815fdfd45613c32e9bd1f7137428f298e541 ]
The "dev->clt_device_id" variable is set using ida_alloc_max() which
returns an int and in particular it returns negative error codes.
Change the type from u32 to int to fix the error checking.
Fixes: c9b5645fd8ca ("block: rnbd-clt: Fix leaked ID in init_dev()")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit cebfc2ba2e6ffb68cca14d478f6596b79243eb9a)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit d8ee3cfdc89b75dc059dc21c27bef2c1440f67eb ]
vhost_vsock_get() uses hash_for_each_possible_rcu() to find the `vhost_vsock` associated with the `guest_cid`. hash_for_each_possible_rcu() should only be called within an RCU read section, as mentioned in the following comment in include/linux/rculist.h:
    /**
     * hlist_for_each_entry_rcu - iterate over rcu list of given type
     * @pos: the type * to use as a loop cursor.
     * @head: the head for your list.
     * @member: the name of the hlist_node within the struct.
     * @cond: optional lockdep expression if called from non-RCU protection.
     *
     * This list-traversal primitive may safely run concurrently with
     * the _rcu list-mutation primitives such as hlist_add_head_rcu()
     * as long as the traversal is guarded by rcu_read_lock().
     */
Currently, all calls to vhost_vsock_get() are between rcu_read_lock() and rcu_read_unlock() except for calls in vhost_vsock_set_cid() and vhost_vsock_reset_orphans(). In both cases, the current code is safe, but we can make improvements to make it more robust.
About vhost_vsock_set_cid(), when building the kernel with CONFIG_PROVE_RCU_LIST enabled, we get the following RCU warning when the user space issues `ioctl(dev, VHOST_VSOCK_SET_GUEST_CID, ...)` :
    WARNING: suspicious RCU usage
    6.18.0-rc7 #62 Not tainted
    -----------------------------
    drivers/vhost/vsock.c:74 RCU-list traversed in non-reader section!!
    other info that might help us debug this:
    rcu_scheduler_active = 2, debug_locks = 1
    1 lock held by rpc-libvirtd/3443:
     #0: ffffffffc05032a8 (vhost_vsock_mutex){+.+.}-{4:4}, at: vhost_vsock_dev_ioctl+0x2ff/0x530 [vhost_vsock]
    stack backtrace:
    CPU: 2 UID: 0 PID: 3443 Comm: rpc-libvirtd Not tainted 6.18.0-rc7 #62 PREEMPT(none)
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-7.fc42 06/10/2025
    Call Trace:
     <TASK>
     dump_stack_lvl+0x75/0xb0
     dump_stack+0x14/0x1a
     lockdep_rcu_suspicious.cold+0x4e/0x97
     vhost_vsock_get+0x8f/0xa0 [vhost_vsock]
     vhost_vsock_dev_ioctl+0x307/0x530 [vhost_vsock]
     __x64_sys_ioctl+0x4f2/0xa00
     x64_sys_call+0xed0/0x1da0
     do_syscall_64+0x73/0xfa0
     entry_SYSCALL_64_after_hwframe+0x76/0x7e
     ...
     </TASK>
This is not a real problem, because the vhost_vsock_get() caller, i.e. vhost_vsock_set_cid(), holds the `vhost_vsock_mutex` used by the hash table writers. Anyway, to prevent that warning, add lockdep_is_held() condition to hash_for_each_possible_rcu() to verify that either the caller is in an RCU read section or `vhost_vsock_mutex` is held when CONFIG_PROVE_RCU_LIST is enabled; and also clarify the comment for vhost_vsock_get() to better describe the locking requirements and the scope of the returned pointer validity.
About vhost_vsock_reset_orphans(), currently this function is only called via vsock_for_each_connected_socket(), which holds the `vsock_table_lock` spinlock (which is also an RCU read-side critical section). However, add an explicit RCU read lock there to make the code more robust and explicit about the RCU requirements, and to prevent issues if the calling context changes in the future or if vhost_vsock_reset_orphans() is called from other contexts.
Fixes: 834e772 ("vhost/vsock: fix use-after-free in network stack callers")
Cc: stefanha@redhat.com
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20251126133826.142496-1-sgarzare@redhat.com>
Message-ID: <20251126210313.GA499503@fedora>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 23a89dda39f4690a0fcdfd61c866510607bc5926)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit cb6d5aa9c0f10074f1ad056c3e2278ad2cc7ec8d ] In smb3_reconfigure(), if smb3_sync_session_ctx_passwords() fails, the function returns immediately without freeing and erasing the newly allocated new_password and new_password2. This causes both a memory leak and a potential information leak. Fix this by calling kfree_sensitive() on both password buffers before returning in this error case. Fixes: 0f0e357 ("cifs: during remount, make sure passwords are in sync") Signed-off-by: Zilin Guan <zilin@seu.edu.cn> Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit bc390b2737205163e48cc1655f6a0c8cd55b02fc) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 62cd5d480b9762ce70d720a81fa5b373052ae05f upstream.
'tpm2_load_cmd' allocates a temporary blob indirectly via 'tpm2_key_decode' but it is not freed in the failure paths. Address this by wrapping the blob with a cleanup helper.
Cc: stable@vger.kernel.org # v5.13+
Fixes: f221974 ("security: keys: trusted: use ASN.1 TPM2 key format for the blobs")
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 19166de9737218b77122c41a5730ac87025e089f)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit b14fad555302a2104948feaff70503b64c80ac01 upstream. __io_openat_prep() allocates a struct filename using getname(). However, for the condition of the file being installed in the fixed file table as well as having O_CLOEXEC flag set, the function returns early. At that point, the request doesn't have REQ_F_NEED_CLEANUP flag set. Due to this, the memory for the newly allocated struct filename is not cleaned up, causing a memory leak. Fix this by setting the REQ_F_NEED_CLEANUP for the request just after the successful getname() call, so that when the request is torn down, the filename will be cleaned up, along with other resources needing cleanup. Reported-by: syzbot+00e61c43eb5e4740438f@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=00e61c43eb5e4740438f Tested-by: syzbot+00e61c43eb5e4740438f@syzkaller.appspotmail.com Cc: stable@vger.kernel.org Signed-off-by: Prithvi Tambewagh <activprithvi@gmail.com> Fixes: b944559 ("io_uring: openat directly into fixed fd table") Signed-off-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 18b99fa603d0df5e1c898699c17d3b92ddc80746) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit b1f856b1727c2eaa4be2c6d7cd7a8ed052bbeb87 upstream.
According to the hardware programming guide, the clock frequency must remain below 52MHz during the transition to HS400 mode.
However, in the current implementation, the timing is set to HS400 (a DDR mode) before adjusting the clock. This causes the clock to double prematurely to 104MHz during the transition phase, violating the specification and potentially resulting in CRC errors or CMD timeouts.
This change ensures that clock doubling is avoided during intermediate transitions and is applied only when the card requires a 200MHz clock for HS400 operation.
Signed-off-by: Sarthak Garg <sarthak.garg@oss.qualcomm.com>
Reviewed-by: Bjorn Andersson <andersson@kernel.org>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit fe2ce8f925b09d819546feb5db52ab1db42cb0d4)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 2f22115709fc7ebcfa40af3367a508fbbd2f71e9 upstream. In the C code, the 'inc' argument to the assembly functions blake2s_compress_ssse3() and blake2s_compress_avx512() is declared with type u32, matching blake2s_compress(). The assembly code then reads it from the 64-bit %rcx. However, the ABI doesn't guarantee zero-extension to 64 bits, nor do gcc or clang guarantee it. Therefore, fix these functions to read this argument from the 32-bit %ecx. In theory, this bug could have caused the wrong 'inc' value to be used, causing incorrect BLAKE2s hashes. In practice, probably not: I've fixed essentially this same bug in many other assembly files too, but there's never been a real report of it having caused a problem. In x86_64, all writes to 32-bit registers are zero-extended to 64 bits. That results in zero-extension in nearly all situations. I've only been able to demonstrate a lack of zero-extension with a somewhat contrived example involving truncation, e.g. when the C code has a u64 variable holding 0x1234567800000040 and passes it as a u32 expecting it to be truncated to 0x40 (64). But that's not what the real code does, of course. Fixes: ed0356e ("crypto: blake2s - x86_64 SIMD implementation") Cc: stable@vger.kernel.org Reviewed-by: Ard Biesheuvel <ardb@kernel.org> Link: https://lore.kernel.org/r/20251102234209.62133-2-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 4f4515f024973e2c81c51fcea9013c324abbd203) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit c943bfc6afb8d0e781b9b7406f36caa8bbf95cb9 upstream.
After a copy pair swap the block device's "device" symlink points to the secondary CCW device, but the gendisk's parent remained the primary, leaving /sys/block/<dasdx> under the wrong parent.
Move the gendisk to the secondary's device with device_move(), keeping the sysfs topology consistent after the swap.
Fixes: 413862c ("s390/dasd: add copy pair swap capability")
Cc: stable@vger.kernel.org #6.1
Reviewed-by: Jan Hoeppner <hoeppner@linux.ibm.com>
Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 075e7d288ca3ff966f8b48fa6e5fab69ced302b3)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 3179a5f7f86bcc3acd5d6fb2a29f891ef5615852 upstream.
loop devices under heavy stress-ng loop stressor can trigger many capacity change events in a short time. Each event prints an info message from set_capacity_and_notify(), flooding the console and contributing to soft lockups on slow consoles.
Switch the printk in set_capacity_and_notify() to pr_info_ratelimited() so frequent capacity changes do not spam the log while still reporting occasional changes.
Cc: stable@vger.kernel.org
Signed-off-by: Li Chen <chenl311@chinatelecom.cn>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 59e7ee37d5f8d4f52577e11cbde1b6f42a5b5e89)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 82d20481024cbae2ea87fe8b86d12961bfda7169 upstream.
For years I wondered why the floppy driver does not just work on sparc64, e.g:
    root@SUNW_375_0066:# disktype /dev/fd0
    disktype: Can't open /dev/fd0: No such device or address
    [ 525.341906] disktype: attempt to access beyond end of device
    fd0: rw=0, sector=0, nr_sectors = 16 limit=8
    [ 525.341991] floppy: error 10 while reading block 0
Turns out floppy.c __floppy_read_block_0 tries to read one page for the first test read to determine the disk size and thus fails if that is greater than 4k. Adjust minimum MAX_DISK_SIZE to PAGE_SIZE to fix floppy on sparc64 and likely all other PAGE_SIZE != 4KB configs.
Cc: stable@vger.kernel.org
Signed-off-by: René Rebe <rene@exactco.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 037cf435316ee4ef9146bf8c4a2e5b3f50396ccc)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit f3f9f42232dee596d15491ca3f611d02174db49c upstream.
Currently when the length of a symbol is longer than 0x7f characters,
its type shown in /proc/kallsyms can be incorrect.
I found this issue when reading the code, but it can be reproduced by
following steps:
1. Define a function whose symbol length is 130 characters:
    #define X13(x) x##x##x##x##x##x##x##x##x##x##x##x##x
    static noinline void X13(x123456789)(void)
    {
        printk("hello world\n");
    }
2. The type in vmlinux is 't':
    $ nm vmlinux | grep x123456
    ffffffff816290f0 t x123456789x123456789x123456789x12[...]
3. Then boot the kernel, the type shown in /proc/kallsyms becomes 'g'
instead of the expected 't':
    # cat /proc/kallsyms | grep x123456
    ffffffff816290f0 g x123456789x123456789x123456789x12[...]
The root cause is that, after commit 73bbb94 ("kallsyms: support
"big" kernel symbols"), ULEB128 was used to encode symbol name length.
That is, for "big" kernel symbols of which name length is longer than
0x7f characters, the length info is encoded into 2 bytes.
kallsyms_get_symbol_type() expects to read the first char of the
symbol name which indicates the symbol type. However, due to the
"big" symbol case not being handled, the symbol type read from
/proc/kallsyms may be wrong, so handle it properly.
Cc: stable@vger.kernel.org
Fixes: 73bbb94 ("kallsyms: support "big" kernel symbols")
Signed-off-by: Zheng Yejian <zhengyejian@huaweicloud.com>
Acked-by: Gary Guo <gary@garyguo.net>
Link: https://patch.msgid.link/20241011143853.3022643-1-zhengyejian@huaweicloud.com
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 7ad2c3ae07955bf28a7cd9bc45f69cbe114399ca)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
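The length-prefix problem described in the commit message above, as an added example that is not code from the commit or from the kernel tree: a user-space model of a name stream whose entries start with a ULEB128 length, with a type lookup that assumes a one-byte length beside one that skips the full length field. The entry layout without token-table compression and all function names are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the compressed name stream: each entry is
 * [ULEB128 length][type char][name bytes]. Token-table compression is
 * left out (assumption of this example), so every byte stands for itself.
 */

/* Append one entry at out; returns bytes written, or 0 if the length does
 * not fit the one- or two-byte forms. */
static size_t put_symbol(uint8_t *out, char type, const char *name)
{
	size_t len = strlen(name) + 1;	/* +1: the type char is part of the entry */
	size_t n = 0;

	if (len > 0x3fff)
		return 0;
	if (len <= 0x7f) {
		out[n++] = (uint8_t)len;
	} else {
		out[n++] = (uint8_t)((len & 0x7f) | 0x80);	/* low 7 bits, continuation set */
		out[n++] = (uint8_t)(len >> 7);			/* remaining high bits */
	}
	out[n++] = (uint8_t)type;
	memcpy(out + n, name, len - 1);
	return n + len - 1;
}

/* Decode the length at off; *hdr receives the size of the length field. */
static size_t get_len(const uint8_t *names, size_t off, size_t *hdr)
{
	size_t len = names[off];

	*hdr = 1;
	if (len & 0x80) {
		len = (len & 0x7f) | ((size_t)names[off + 1] << 7);
		*hdr = 2;
	}
	return len;
}

/* Lookup that assumes a one-byte length: for a "big" symbol it returns
 * the second length byte instead of the type char. */
static char type_assuming_one_byte_len(const uint8_t *names, size_t off)
{
	return (char)names[off + 1];
}

/* Lookup that skips the whole ULEB128 length before reading the type. */
static char type_after_uleb128_len(const uint8_t *names, size_t off)
{
	size_t hdr;

	(void)get_len(names, off, &hdr);
	return (char)names[off + hdr];
}

struct demo {
	char short_old, short_new;	/* 8-character symbol */
	char big_old, big_new;		/* 130-character symbol */
	size_t big_len;			/* decoded entry length of the big symbol */
};

static struct demo run_demo(void)
{
	uint8_t names[256];
	char big[131] = "";
	struct demo d;
	size_t off_big, hdr;

	for (int i = 0; i < 13; i++)
		strcat(big, "x123456789");	/* 13 * 10 = 130 characters */

	off_big = put_symbol(names, 't', "short_fn");
	put_symbol(names + off_big, 't', big);

	d.short_old = type_assuming_one_byte_len(names, 0);
	d.short_new = type_after_uleb128_len(names, 0);
	d.big_old = type_assuming_one_byte_len(names, off_big);
	d.big_new = type_after_uleb128_len(names, off_big);
	d.big_len = get_len(names, off_big, &hdr);
	return d;
}

int main(void)
{
	struct demo d = run_demo();

	printf("short symbol: one-byte lookup '%c', ULEB128 lookup '%c'\n",
	       d.short_old, d.short_new);
	printf("big symbol (entry length %zu): one-byte lookup 0x%02x, ULEB128 lookup '%c'\n",
	       d.big_len, (unsigned char)d.big_old, d.big_new);
	return 0;
}
```

In this model the wrong lookup yields the raw byte 0x01; in the kernel that byte is used as a token index, which is how an unrelated character such as 'g' ends up displayed.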
commit 801f614ba263cb37624982b27b4c82f3c3c597a9 upstream. Some NTFS volumes failed to mount because sparse data runs were not handled correctly during runlist unpacking. The code performed arithmetic on the special SPARSE_LCN64 marker, leading to invalid LCN values and mount errors. Add an explicit check for the case described above, marking the run as sparse without applying arithmetic. Fixes: 736fc7b ("fs: ntfs3: Fix integer overflow in run_unpack()") Cc: stable@vger.kernel.org Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 5fd1a6c631b2f8c82484ae3dc8cfd7dadf209bca) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit d3042cbe84a060b4df764eb6c5300bbe20d125ca upstream.
The error path of copying the old config used the wrong variable in the error message:
    $ mkdir /tmp/build
    $ ./tools/testing/ktest/config-bisect.pl -b /tmp/build config-good /tmp/config-bad
    $ chmod 0 /tmp/build
    $ ./tools/testing/ktest/config-bisect.pl -b /tmp/build config-good /tmp/config-bad good
    cp /tmp/build//.config config-good.tmp ... [0 seconds] FAILED!
    Use of uninitialized value $config in concatenation (.) or string at ./tools/testing/ktest/config-bisect.pl line 744.
    failed to copy to config-good.tmp
When it should have shown:
    failed to copy /tmp/build//.config to config-good.tmp
Cc: stable@vger.kernel.org
Cc: John 'Warthog9' Hawley <warthog9@kernel.org>
Fixes: 0f0db06 ("ktest: Add standalone config-bisect.pl program")
Link: https://patch.msgid.link/20251203180924.6862bd26@gandalf.local.home
Reported-by: "John W. Krahn" <jwkrahn@shaw.ca>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 2c0acd1a1e94819165236baf6aeaf120f31ea66b)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit b97cb7d6a051aa6ebd57906df0e26e9e36c26d14 upstream. If ext4_get_inode_loc() fails (e.g. if it returns -EFSCORRUPTED), iloc.bh will remain set to NULL. Since ext4_xattr_inode_dec_ref_all() lacks error checking, this will lead to a null pointer dereference in ext4_raw_inode(), called right after ext4_get_inode_loc(). Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: c8e008b ("ext4: ignore xattrs past end") Cc: stable@kernel.org Signed-off-by: Karina Yankevich <k.yankevich@omp.ru> Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru> Reviewed-by: Baokun Li <libaokun1@huawei.com> Message-ID: <20251022093253.3546296-1-k.yankevich@omp.ru> Signed-off-by: Theodore Ts'o <tytso@mit.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit b5d942922182e82724b7152cb998f540132885ec) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 4091c8206cfd2e3bb529ef260887296b90d9b6a2 upstream.
i_state_flags used on 32-bit archs, need to clear this flag when alloc inode.
Find this issue when umount ext4, sometimes track the inode as orphan accidentally, cause ext4 mesg dump.
Fixes: acf943e ("ext4: fix checks for orphan inodes")
Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Message-ID: <20251104-ext4-v1-1-73691a0800f9@nxp.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 36bf0f765333411755d695c15939032ea7710346)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 3f7a79d05c692c7cfec70bf104b1b3c3d0ce6247 upstream.
When the MB_CHECK_ASSERT macro is enabled, an assertion failure can
occur in __mb_check_buddy when checking preallocated blocks (pa) in
a block group:
Assertion failure in mb_free_blocks() : "groupnr == e4b->bd_group"
This happens when a pa at the very end of a block group (e.g.,
pa_pstart=32765, pa_len=3 in a group of 32768 blocks) becomes
exhausted - its pa_pstart is advanced by pa_len to 32768, which
lies in the next block group. If this exhausted pa (with pa_len == 0)
is still in the bb_prealloc_list during the buddy check, the assertion
incorrectly flags it as belonging to the wrong group. A possible
sequence is as follows:
    ext4_mb_new_blocks
      ext4_mb_release_context
        pa->pa_pstart += EXT4_C2B(sbi, ac->ac_b_ex.fe_len)
        pa->pa_len -= ac->ac_b_ex.fe_len
    __mb_check_buddy
      for each pa in group
        ext4_get_group_no_and_offset
        MB_CHECK_ASSERT(groupnr == e4b->bd_group)
To fix this, we modify the check to skip block group validation for
exhausted preallocations (where pa_len == 0). Such entries are in a
transitional state and will be removed from the list soon, so they
should not trigger an assertion. This change prevents the false
positive while maintaining the integrity of the checks for active
allocations.
Fixes: c9de560 ("ext4: Add multi block allocator for ext4")
Signed-off-by: Yongjian Sun <sunyongjian1@huawei.com>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Message-ID: <20251106060614.631382-2-sunyongjian@huaweicloud.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit dc06c9dc5e1d54f745dc2016b1520f1d5e85888c)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
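The sequence from the commit message above, replayed as an added example that is not code from the commit or from ext4: a user-space model of a preallocation at the end of a block group, checked with and without skipping exhausted entries. The struct, the function names, a first data block of 0 and one block per cluster are assumptions of this example; the numbers 32765, 3 and 32768 are the ones quoted in the message.

```c
#include <stdint.h>
#include <stdio.h>

#define BLOCKS_PER_GROUP 32768u	/* group size quoted in the commit message */

/* Simplified stand-in for a preallocation entry (hypothetical struct). */
struct prealloc {
	uint64_t pa_pstart;	/* first physical block still reserved */
	uint32_t pa_len;	/* number of blocks still reserved */
};

/* Simplified group lookup: assumes the first data block is block 0. */
static uint32_t group_of(uint64_t block)
{
	return (uint32_t)(block / BLOCKS_PER_GROUP);
}

/* The two updates shown in the call sequence, with one block per cluster. */
static void consume(struct prealloc *pa, uint32_t blocks)
{
	pa->pa_pstart += blocks;
	pa->pa_len -= blocks;
}

/*
 * Count entries on a group's list whose start block maps to another group.
 * With skip_exhausted set, entries with pa_len == 0 are not validated,
 * which is the behaviour the commit message describes for the fix.
 */
static int check_group(const struct prealloc *list, int n, uint32_t group,
		       int skip_exhausted)
{
	int failures = 0;

	for (int i = 0; i < n; i++) {
		if (skip_exhausted && list[i].pa_len == 0)
			continue;
		if (group_of(list[i].pa_pstart) != group)
			failures++;
	}
	return failures;
}

int main(void)
{
	/* Constructed list for group 0: one pa at the very end of the group. */
	struct prealloc list[2] = { { 32765, 3 }, { 100, 16 } };
	/* Constructed active pa that really is in the wrong group. */
	struct prealloc stray[1] = { { 40000, 8 } };

	printf("before use:      strict failures = %d\n",
	       check_group(list, 2, 0, 0));

	consume(&list[0], 3);	/* pa_pstart becomes 32768, pa_len becomes 0 */
	printf("after use:       pa_pstart = %llu (group %u), pa_len = %u\n",
	       (unsigned long long)list[0].pa_pstart,
	       group_of(list[0].pa_pstart), list[0].pa_len);
	printf("strict check:    failures = %d\n", check_group(list, 2, 0, 0));
	printf("skip exhausted:  failures = %d\n", check_group(list, 2, 0, 1));
	printf("active stray pa: failures = %d\n", check_group(stray, 1, 0, 1));
	return 0;
}
```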
commit 7c11c56eb32eae96893eebafdbe3decadefe88ad upstream.
Kernel commit 0a6ce20 ("ext4: verify orphan file size is not too big") limits the maximum supported orphan file size to 8 << 20.
However, in e2fsprogs, the orphan file size is set to 32–512 filesystem blocks when creating a filesystem.
With 64k block size, formatting an ext4 fs >32G gives an orphan file bigger than the kernel allows, so mount prints an error and fails:
    EXT4-fs (vdb): orphan file too big: 8650752
    EXT4-fs (vdb): mount failed
To prevent this issue and allow previously created 64KB filesystems to mount, we update the maximum allowed orphan file size in the kernel to 512 filesystem blocks.
Fixes: 0a6ce20 ("ext4: verify orphan file size is not too big")
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Message-ID: <20251120134233.2994147-1-libaokun@huaweicloud.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 79a0e4d3fbef7c8ca3fd5e5b5c00d79cd399cd46)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 524c3853831cf4f7e1db579e487c757c3065165c upstream. syzbot is reporting possibility of deadlock due to sharing lock_class_key for jbd2_handle across ext4 and ocfs2. But this is a false positive, for one disk partition can't have two filesystems at the same time. Reported-by: syzbot+6e493c165d26d6fcbf72@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=6e493c165d26d6fcbf72 Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Tested-by: syzbot+6e493c165d26d6fcbf72@syzkaller.appspotmail.com Reviewed-by: Jan Kara <jack@suse.cz> Message-ID: <987110fc-5470-457a-a218-d286a09dd82f@I-love.SAKURA.ne.jp> Signed-off-by: Theodore Ts'o <tytso@mit.edu> Cc: stable@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 815327958ec41b0a2df2a50a01578d5cc8f36ae4) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 40a71b53d5a6d4ea17e4d54b99b2ac03a7f5e783 upstream.
jbd2 journal handling code doesn't want jbd2_might_wait_for_commit() to be placed between start_this_handle() and stop_this_handle(). So it marks the region with rwsem_acquire_read() and rwsem_release().
However, the annotation is too strong for that purpose. We don't have to use more than try lock annotation for that.
rwsem_acquire_read() implies:
1. might be a waiter on contention of the lock.
2. enter to the critical section of the lock.
All we need in here is to act 2, not 1. So trylock version of annotation is sufficient for that purpose. Now that dept partially relies on lockdep annotations, dept interprets rwsem_acquire_read() as a potential wait and might report a deadlock by the wait.
Replace it with trylock version of annotation.
Signed-off-by: Byungchul Park <byungchul@sk.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Cc: stable@kernel.org
Message-ID: <20251024073940.1063-1-byungchul@sk.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 94a16a3a100171a63fde4176b3ddf7aeda104a2f)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 082b86919b7a94de01d849021b4da820a6cb89dc upstream. Commit cbd9463 ("media: v4l2-mem2mem: Avoid calling .device_run in v4l2_m2m_job_finish") deferred calls to .device_run() to a work queue to avoid recursive calls when a job is finished right away from .device_run(). It failed to update the v4l2_m2m_job_finish() documentation that still states the function must not be called from .device_run(). Fix it. Fixes: cbd9463 ("media: v4l2-mem2mem: Avoid calling .device_run in v4l2_m2m_job_finish") Cc: stable@vger.kernel.org Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit fa4a445f832b185ca5f9975aa329a7be7b5f0343) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 2ea6190f42d0416a4310e60a7fcb0b49fcbbd4fb upstream.
The MPTCP protocol usually schedules the retransmission timer only when there is some chances for such retransmissions to happen.
With a notable exception: __mptcp_push_pending() currently schedules such timer unconditionally, potentially leading to unnecessary rtx timer expiration.
The issue is present since the blamed commit below but became easily reproducible after commit 27b0e70 ("mptcp: drop bogus optimization in __mptcp_check_push()")
Fixes: 33d41c9 ("mptcp: more accurate timeout")
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20251205-net-mptcp-misc-fixes-6-19-rc1-v1-3-9e4781a6c1b8@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 17b470ee53ddc9e636596c1e9c69e1bce7d42793)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit ffb8c27b0539dd90262d1021488e7817fae57c42 upstream.
Jakub reported an MPTCP deadlock at fallback time:
    WARNING: possible recursive locking detected
    6.18.0-rc7-virtme #1 Not tainted
    --------------------------------------------
    mptcp_connect/20858 is trying to acquire lock:
    ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_try_fallback+0xd8/0x280
    but task is already holding lock:
    ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_retrans+0x352/0xaa0
    other info that might help us debug this:
     Possible unsafe locking scenario:
           CPU0
           ----
      lock(&msk->fallback_lock);
      lock(&msk->fallback_lock);
     *** DEADLOCK ***
     May be due to missing lock nesting notation
    3 locks held by mptcp_connect/20858:
     #0: ff1100001da18290 (sk_lock-AF_INET){+.+.}-{0:0}, at: mptcp_sendmsg+0x114/0x1bc0
     #1: ff1100001db40fd0 (k-sk_lock-AF_INET#2){+.+.}-{0:0}, at: __mptcp_retrans+0x2cb/0xaa0
     #2: ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_retrans+0x352/0xaa0
    stack backtrace:
    CPU: 0 UID: 0 PID: 20858 Comm: mptcp_connect Not tainted 6.18.0-rc7-virtme #1 PREEMPT(full)
    Hardware name: Bochs, BIOS Bochs 01/01/2011
    Call Trace:
     <TASK>
     dump_stack_lvl+0x6f/0xa0
     print_deadlock_bug.cold+0xc0/0xcd
     validate_chain+0x2ff/0x5f0
     __lock_acquire+0x34c/0x740
     lock_acquire.part.0+0xbc/0x260
     _raw_spin_lock_bh+0x38/0x50
     __mptcp_try_fallback+0xd8/0x280
     mptcp_sendmsg_frag+0x16c2/0x3050
     __mptcp_retrans+0x421/0xaa0
     mptcp_release_cb+0x5aa/0xa70
     release_sock+0xab/0x1d0
     mptcp_sendmsg+0xd5b/0x1bc0
     sock_write_iter+0x281/0x4d0
     new_sync_write+0x3c5/0x6f0
     vfs_write+0x65e/0xbb0
     ksys_write+0x17e/0x200
     do_syscall_64+0xbb/0xfd0
     entry_SYSCALL_64_after_hwframe+0x4b/0x53
    RIP: 0033:0x7fa5627cbc5e
    Code: 4d 89 d8 e8 14 bd 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 <c9> c3 83 e2 39 83 fa 08 75 e7 e8 13 ff ff ff 0f 1f 00 f3 0f 1e fa
    RSP: 002b:00007fff1fe14700 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
    RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fa5627cbc5e
    RDX: 0000000000001f9c RSI: 00007fff1fe16984 RDI: 0000000000000005
    RBP: 00007fff1fe14710 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff1fe16920
    R13: 0000000000002000 R14: 0000000000001f9c R15: 0000000000001f9c
The packet scheduler could attempt a reinjection after receiving an MP_FAIL and before the infinite map has been transmitted, causing a deadlock since MPTCP needs to do the reinjection atomically from WRT fallback.
Address the issue explicitly avoiding the reinjection in the critical scenario. Note that this is the only fallback critical section that could potentially send packets and hit the double-lock.
Reported-by: Jakub Kicinski <kuba@kernel.org>
Closes: https://netdev-ctrl.bots.linux.dev/logs/vmksft/mptcp-dbg/results/412720/1-mptcp-join-sh/stderr
Fixes: f8a1d9b ("mptcp: make fallback action and fallback decision atomic")
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20251205-net-mptcp-misc-fixes-6-19-rc1-v1-4-9e4781a6c1b8@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 252892d5a6a2f163ce18f32716e46fa4da7d4e79)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 0831269b5f71594882accfceb02638124f88955d upstream.
We cannot determine which models require the NO_ATA_1X and
IGNORE_RESIDUE quirks aside from the EL-R12 optical drive device.
Fixes: 955a48a5353f ("usb: usb-storage: No additional quirks need to be added to the EL-R12 optical drive.")
Signed-off-by: Chen Changcheng <chenchangcheng@kylinos.cn>
Link: https://patch.msgid.link/20251218012318.15978-1-chenchangcheng@kylinos.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 22847606976c321a172dba01cc0a7bd540a027ec)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit b91e6aafe8d356086cc621bc03e35ba2299e4788 upstream.

rlen value is a user-controlled value, but dtv5100_i2c_msg() does not check the size of the rlen value. Therefore, if it is set to a value larger than sizeof(st->data), an out-of-bounds vuln occurs for st->data.

Therefore, we need to add proper range checking to prevent this vuln.

Fixes: 60688d5 ("V4L/DVB (8735): dtv5100: replace dummy frontend by zl10353")
Cc: stable@vger.kernel.org
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 4a54d8fcb093761e4c56eb211cf4e39bf8401fa1)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit be440980eace19c035a0745fd6b6e42707bc4f49 upstream.

The pvr2_trace message is reporting an error about control read transfers, however it is using the incorrect variable write_len instead of read_len. Fix this by using the correct variable read_len.

Fixes: d855497 ("V4L/DVB (4228a): pvrusb2 to kernel 2.6.18")
Cc: stable@vger.kernel.org
Signed-off-by: Colin Ian King <colin.i.king@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit f4cacf8827ba0c72c83f024128f97bf9bf72ea01)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 3c41114dcdabb7b25f5bc33273c6db9c7af7f4a7 upstream.

This can get called from an atomic context.

Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4470
Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 8acdad9344cc7b4e7bc01f0dfea80093eb3768db)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 4cd6081860a55e6b4417bf6bf6bea718aac641ab)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 3fde60a upstream.

Character sequences starting with `\` are interpreted by python as escaped Unicode characters. However, they have other meaning in regular expressions (e.g: "\d").

It seems Python >= 3.12 starts emitting a SyntaxWarning when these escaped sequences are not recognized as valid Unicode characters.

An example of these warnings:

    tools/testing/selftests/net/openvswitch/ovs-dpctl.py:505: SyntaxWarning: invalid escape sequence '\d'

Fix all the warnings by flagging literals as raw strings.

Signed-off-by: Adrian Moreno <amorenoz@redhat.com>
Reviewed-by: Aaron Conole <aconole@redhat.com>
Link: https://lore.kernel.org/r/20240416090913.2028475-1-amorenoz@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Adrian Yip <adrian.ytw@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit d3c094e078536cd65b7119bd19f2390ccbe2110f)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 6f6e309328d53a10c0fe1f77dec2db73373179b6 upstream.

Several crypto user API contexts and requests allocated with sock_kmalloc() were left uninitialized, relying on callers to set fields explicitly. This resulted in the use of uninitialized data in certain error paths or when new fields are added in the future.

The ACVP patches also contain two user-space interface files: algif_kpp.c and algif_akcipher.c. These too rely on proper initialization of their context structures.

A particular issue has been observed with the newly added 'inflight' variable introduced in af_alg_ctx by commit:

    67b164a ("crypto: af_alg - Disallow multiple in-flight AIO requests")

Because the context is not memset to zero after allocation, the inflight variable has contained garbage values. As a result, af_alg_alloc_areq() has incorrectly returned -EBUSY randomly when the garbage value was interpreted as true:

    https://github.com/gregkh/linux/blame/master/crypto/af_alg.c#L1209

The check directly tests ctx->inflight without explicitly comparing against true/false. Since inflight is only ever set to true or false later, an uninitialized value has triggered -EBUSY failures.

Zero-initializing memory allocated with sock_kmalloc() ensures inflight and other fields start in a known state, removing random issues caused by uninitialized data.

Fixes: fe869cd ("crypto: algif_hash - User-space interface for hash operations")
Fixes: 5afdfd2 ("crypto: algif_rng - add random number generator support")
Fixes: 2d97591 ("crypto: af_alg - consolidation of duplicate code")
Fixes: 67b164a ("crypto: af_alg - Disallow multiple in-flight AIO requests")
Cc: stable@vger.kernel.org
Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 84238876e3b3b262cf62d5f4d1338e983fb27010)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 7cf6e0b69b0d90ab042163e5bbddda0dfcf8b6a7 upstream.

As kcalloc() may fail, check its return value to avoid a NULL pointer dereference when passing the buffer to rng->read(). On allocation failure, log the error and return since test_len() returns void.

Fixes: 2be0d80 ("crypto: caam - add a test for the RNG")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 206c012bcbd1f1d94a1372fb3401bd23bf2617c9)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 500e1368e46928f4b2259612dcabb6999afae2a6 upstream.

Make sure to drop the reference taken to the AHB platform device when looking up its driver data while enabling the SMMU.

Note that holding a reference to a device does not prevent its driver data from going away.

Fixes: 89c788b ("ARM: tegra: Add SMMU enabler in AHB")
Cc: stable@vger.kernel.org # 3.5
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit b3b689729cbc0a1f9985dc62e48f1a72fde19bd5)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 47ef834209e5981f443240d8a8b45bf680df22aa upstream.

The commit 4d38328 ("tracing: Fix synth event printk format for str fields") replaced "%.*s" with "%s" but missed removing the number size of the dynamic and static strings. The commit e1a453a ("tracing: Do not add length to print format in synthetic events") fixed the dynamic part but did not fix the static part. That is, with the commands:

    # echo 's:wake_lat char[] wakee; u64 delta;' >> /sys/kernel/tracing/dynamic_events
    # echo 'hist:keys=pid:ts=common_timestamp.usecs if !(common_flags & 0x18)' > /sys/kernel/tracing/events/sched/sched_waking/trigger
    # echo 'hist:keys=next_pid:delta=common_timestamp.usecs-$ts:onmatch(sched.sched_waking).trace(wake_lat,next_comm,$delta)' > /sys/kernel/tracing/events/sched/sched_switch/trigger

That caused the output of:

    <idle>-0 [001] d..5. 193.428167: wake_lat: wakee=(efault)sshd-sessiondelta=155
    sshd-session-879 [001] d..5. 193.811080: wake_lat: wakee=(efault)kworker/u34:5delta=58
    <idle>-0 [002] d..5. 193.811198: wake_lat: wakee=(efault)bashdelta=91

The commit e1a453a fixed the part where the synthetic event had "char[] wakee". But if one were to replace that with a static size string:

    # echo 's:wake_lat char[16] wakee; u64 delta;' >> /sys/kernel/tracing/dynamic_events

Where "wakee" is defined as "char[16]" and not "char[]" making it a static size, the code triggered the "(efault)" again.

Remove the added STR_VAR_LEN_MAX size as the string is still going to be nul terminated.

Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Douglas Raillard <douglas.raillard@arm.com>
Link: https://patch.msgid.link/20251204151935.5fa30355@gandalf.local.home
Fixes: e1a453a ("tracing: Do not add length to print format in synthetic events")
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 98bf1dece54c9d1e143e3cf0b7e22d3f00717a5b)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit b5c16ea57b030b8e9428ec726e26219dfe05c3d9 upstream.

Make sure to drop the reference taken to the ocmem platform device when looking up its driver data.

Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference.

Also note that commit 0ff0270 ("soc: qcom: ocmem: Fix missing put_device() call in of_get_ocmem") fixed the leak in a lookup error path, but the reference is still leaking on success.

Fixes: 88c1e94 ("soc: qcom: add OCMEM driver")
Cc: stable@vger.kernel.org # 5.5: 0ff0270
Cc: Brian Masney <bmasney@redhat.com>
Cc: Miaoqian Lin <linmq006@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Brian Masney <bmasney@redhat.com>
Link: https://lore.kernel.org/r/20250926143511.6715-2-johan@kernel.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit c8ddc5f321d125cd2804106351e87aafa8e0df51)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 32200f4828de9d7e6db379909898e718747f4e18 upstream.

Make sure to drop the reference taken to the canvas platform device when looking up its driver data.

Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference.

Also note that commit 28f851e ("soc: amlogic: canvas: add missing put_device() call in meson_canvas_get()") fixed the leak in a lookup error path, but the reference is still leaking on success.

Fixes: d498398 ("soc: amlogic: add meson-canvas driver")
Cc: stable@vger.kernel.org # 4.20: 28f851e
Cc: Yu Kuai <yukuai3@huawei.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Link: https://patch.msgid.link/20250926142454.5929-2-johan@kernel.org
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 3ccb504e80450e0594e174c0336f20d3fb5169a1)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit a53e356df548f6b0e82529ef3cc6070f42622189 upstream.

While testing rpmsg-char interface it was noticed that duplicate sysfs entries are getting created and below warning is noticed.

Reason for this is that we are leaking rpmsg device pointer, setting it null without actually unregistering device. Any further attempts to unregister fail because rpdev is NULL, resulting in a leak.

Fix this by unregistering rpmsg device before removing its reference from rpmsg channel.

    sysfs: cannot create duplicate filename '/devices/platform/soc@0/3700000.remot
    eproc/remoteproc/remoteproc1/3700000.remoteproc:glink-edge/3700000.remoteproc:
    glink-edge.adsp_apps.-1.-1'
    [ 114.115347] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted 6.16.0-rc4 deepin-community#7 PREEMPT
    [ 114.115355] Hardware name: Qualcomm Technologies, Inc. Robotics RB3gen2 (DT)
    [ 114.115358] Workqueue: events qcom_glink_work
    [ 114.115371] Call trace:8
    [ 114.115374] show_stack+0x18/0x24 (C)
    [ 114.115382] dump_stack_lvl+0x60/0x80
    [ 114.115388] dump_stack+0x18/0x24
    [ 114.115393] sysfs_warn_dup+0x64/0x80
    [ 114.115402] sysfs_create_dir_ns+0xf4/0x120
    [ 114.115409] kobject_add_internal+0x98/0x260
    [ 114.115416] kobject_add+0x9c/0x108
    [ 114.115421] device_add+0xc4/0x7a0
    [ 114.115429] rpmsg_register_device+0x5c/0xb0
    [ 114.115434] qcom_glink_work+0x4bc/0x820
    [ 114.115438] process_one_work+0x148/0x284
    [ 114.115446] worker_thread+0x2c4/0x3e0
    [ 114.115452] kthread+0x12c/0x204
    [ 114.115457] ret_from_fork+0x10/0x20
    [ 114.115464] kobject: kobject_add_internal failed for 3700000.remoteproc:
    glink-edge.adsp_apps.-1.-1 with -EEXIST, don't try to register things with
    the same name in the same directory.
    [ 114.250045] rpmsg 3700000.remoteproc:glink-edge.adsp_apps.-1.-1: device_add failed: -17

Fixes: 835764d ("rpmsg: glink: Move the common glink protocol implementation to glink_native.c")
Cc: Stable@vger.kernel.org
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20250822100043.2604794-2-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit c6210714347f72bae8e7142dc0a7f99923c466e7)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 527250cd9092461f1beac3e4180a4481bffa01b5 upstream.
Members of struct software_node_ref_args should not be dereferenced
directly but set using the provided macros. Commit d7cdbbc93c56
("software node: allow referencing firmware nodes") changed the name of
the software node member and caused a build failure. Remove all direct
dereferences of the ref struct as a fix.
However, this driver also seems to abuse the software node interface by
waiting for a node with an arbitrary name "intel-xhci-usb-sw" to appear
in the system before setting up the reference for the I2C device, while
the actual software node already exists in the intel-xhci-usb-role-switch
module and should be used to set up a static reference. Add a FIXME for
a future improvement.
Fixes: d7cdbbc93c56 ("software node: allow referencing firmware nodes")
Fixes: 53c24c2 ("platform/x86: intel_cht_int33fe: use inline reference properties")
Cc: stable@vger.kernel.org
Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Closes: https://lore.kernel.org/all/20251121111534.7cdbfe5c@canb.auug.org.au/
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Reviewed-by: Hans de Goede <johannes.goede@oss.qualcomm.com>
Acked-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit ad296c4e19c73f6ba9ecf45d5e4915e7a6f77279)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit a6ee6aac66fb394b7f6e6187c73bdcd873f2d139 upstream.

In i2c_amd_probe(), amd_mp2_find_device() utilizes driver_find_next_device() which internally calls driver_find_device() to locate the matching device. driver_find_device() increments the reference count of the found device by calling get_device(), but amd_mp2_find_device() fails to call put_device() to decrement the reference count before returning. This results in a reference count leak of the PCI device each time i2c_amd_probe() is executed, which may prevent the device from being properly released and cause a memory leak.

Found by code review.

Cc: stable@vger.kernel.org
Fixes: 529766e ("i2c: Add drivers for the AMD PCIe MP2 I2C controller")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/20251022095402.8846-1-make24@iscas.ac.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 237a3095bcd6b0c191a1086b7850ae1ea9cb2353)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit b8d5acdcf525f44e521ca4ef51dce4dac403dab4 upstream.

In max16065_current_show, data->curr_sense is read twice: once for the error check and again for the calculation. Since i2c_smbus_read_byte_data returns negative error codes on failure, if the data changes to an error code between the check and the use, ADC_TO_CURR results in an incorrect calculation.

Read data->curr_sense into a local variable to ensure consistency. Note that data->curr_gain is constant and safe to access directly.

This aligns max16065_current_show with max16065_input_show, which already uses a local variable for the same reason.

Link: https://lore.kernel.org/all/CALbr=LYJ_ehtp53HXEVkSpYoub+XYSTU8Rg=o1xxMJ8=5z8B-g@mail.gmail.com/
Fixes: f5bae26 ("hwmon: Driver for MAX16065 System Manager and compatibles")
Cc: stable@vger.kernel.org
Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
Link: https://lore.kernel.org/r/20251128124709.3876-1-hanguidong02@gmail.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 3769c56a1f0dddde0394a94ba83f1f664c05a5fa)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 670d7ef945d3a84683594429aea6ab2cdfa5ceb4 upstream.

The macro FAN_FROM_REG evaluates its arguments multiple times. When used in lockless contexts involving shared driver data, this leads to Time-of-Check to Time-of-Use (TOCTOU) race conditions, potentially causing divide-by-zero errors.

Convert the macro to a static function. This guarantees that arguments are evaluated only once (pass-by-value), preventing the race conditions.

Additionally, in store_fan_div, move the calculation of the minimum limit inside the update lock. This ensures that the read-modify-write sequence operates on consistent data.

Adhere to the principle of minimal changes by only converting macros that evaluate arguments multiple times and are used in lockless contexts.

Link: https://lore.kernel.org/all/CALbr=LYJ_ehtp53HXEVkSpYoub+XYSTU8Rg=o1xxMJ8=5z8B-g@mail.gmail.com/
Fixes: 9873964 ("[PATCH] HWMON: w83791d: New hardware monitoring driver for the Winbond W83791D")
Cc: stable@vger.kernel.org
Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
Link: https://lore.kernel.org/r/20251202180105.12842-1-hanguidong02@gmail.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit f94800fbc26ccf7c81eb791707b038a57aa39a18)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 07272e883fc61574b8367d44de48917f622cdd83 upstream.

The macros FAN_FROM_REG and TEMP_FROM_REG evaluate their arguments multiple times. When used in lockless contexts involving shared driver data, this causes Time-of-Check to Time-of-Use (TOCTOU) race conditions.

Convert the macros to static functions. This guarantees that arguments are evaluated only once (pass-by-value), preventing the race conditions.

Adhere to the principle of minimal changes by only converting macros that evaluate arguments multiple times and are used in lockless contexts.

Link: https://lore.kernel.org/all/CALbr=LYJ_ehtp53HXEVkSpYoub+XYSTU8Rg=o1xxMJ8=5z8B-g@mail.gmail.com/
Fixes: 85f03bc ("hwmon: Add support for Winbond W83L786NG/NR")
Cc: stable@vger.kernel.org
Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
Link: https://lore.kernel.org/r/20251128123816.3670-1-hanguidong02@gmail.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 84716eb9dc317f129403de70432efa601d105976)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
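The multiple-evaluation race described in the two hwmon commit messages above (w83791d and w83l786ng), as an added user-space example that is not code from the kernel or from this pull request. The macro formula, `reg_read()`, `checked_div()` and the scripted register values are assumptions made for the demonstration; the scripted reads stand in for a concurrent writer so the result is deterministic.

```c
#include <limits.h>
#include <stdio.h>

/* Sentinel reported instead of trapping when the divisor is zero. */
#define DIV_BY_ZERO INT_MIN

/*
 * Constructed stand-in for one field of shared driver data. Each read
 * returns the next scripted value, as if a writer updated the field
 * between two reads made without the update lock.
 */
struct racy_reg {
	const unsigned char *script;
	int len;
	int reads;
};

static unsigned char reg_read(struct racy_reg *r)
{
	int i = r->reads < r->len ? r->reads : r->len - 1;

	r->reads++;
	return r->script[i];
}

static int checked_div(int num, int den)
{
	return den == 0 ? DIV_BY_ZERO : num / den;
}

/*
 * Macro form (formula assumed for illustration): `val` appears three
 * times, so the argument expression is evaluated up to three times.
 */
#define FAN_FROM_REG_MACRO(val, div) \
	((val) == 0 ? -1 : \
	 ((val) == 255 ? 0 : checked_div(1350000, (val) * (div))))

/* Function form: the argument is read once and passed by value. */
static int fan_from_reg(unsigned char val, int div)
{
	if (val == 0)
		return -1;
	if (val == 255)
		return 0;
	return checked_div(1350000, val * div);
}

struct outcome {
	int rpm;   /* computed result, or DIV_BY_ZERO */
	int reads; /* how many times the shared field was read */
};

static struct outcome run_macro(const unsigned char *script, int len, int div)
{
	struct racy_reg r = { script, len, 0 };
	struct outcome o;

	o.rpm = FAN_FROM_REG_MACRO(reg_read(&r), div);
	o.reads = r.reads;
	return o;
}

static struct outcome run_function(const unsigned char *script, int len, int div)
{
	struct racy_reg r = { script, len, 0 };
	struct outcome o;

	o.rpm = fan_from_reg(reg_read(&r), div);
	o.reads = r.reads;
	return o;
}

/* Constructed race: the field passes both checks, then becomes 0. */
static const unsigned char RACE_SCRIPT[] = { 100, 100, 0 };

int main(void)
{
	struct outcome m = run_macro(RACE_SCRIPT, 3, 2);
	struct outcome f = run_function(RACE_SCRIPT, 3, 2);

	printf("macro:    reads=%d result=%s\n", m.reads,
	       m.rpm == DIV_BY_ZERO ? "divide by zero" : "ok");
	printf("function: reads=%d result=%d\n", f.reads, f.rpm);
	return 0;
}
```

The macro reads the field three times and divides by the value seen on the third read, which its own zero check never examined; the function takes one snapshot, so its checks and its division see the same value.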
commit 7d5864dc5d5ea6a35983dd05295fb17f2f2f44ce upstream.

Unlike standalone spi peripherals, on sama5d2, the flexcom spi have fifo size of 32 data. Fix flexcom/spi nodes where this property is wrong.

Fixes: 6b9a358 ("ARM: dts: at91: sama5d2: Add missing flexcom definitions")
Cc: stable@vger.kernel.org # 5.8+
Signed-off-by: Nicolas Ferre <nicolas.ferre@microchip.com>
Link: https://lore.kernel.org/r/20251114140225.30372-1-nicolas.ferre@microchip.com
Signed-off-by: Claudiu Beznea <claudiu.beznea@tuxon.dev>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit e195784445877afcf235b237cf96c43883056efd)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit de83d4617f9fe059623e97acf7e1e10d209625b5 upstream.

The driver is dropping the references taken to the larb devices during probe after successful lookup as well as on errors. This can potentially lead to a use-after-free in case a larb device has not yet been bound to its driver so that the iommu driver probe defers.

Fix this by keeping the references as expected while the iommu driver is bound.

Fixes: 2659392 ("iommu/mediatek: Add error path for loop of mm_dts_parse")
Cc: stable@vger.kernel.org
Cc: Yong Wu <yong.wu@mediatek.com>
Acked-by: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Yong Wu <yong.wu@mediatek.com>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 5c04217d06a1161aaf36267e9d971ab6f847d5a7)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit f3ccdfda345ca9a624ea425840a926b8338c1e25 ]

The indirect IO is necessary for RTL8822CS, but not necessary for other chips. Otherwise, it throws errors and becomes unusable.

    rtw88_8723cs mmc1:0001:1: WOW Firmware version 11.0.0, H2C version 0
    rtw88_8723cs mmc1:0001:1: Firmware version 11.0.0, H2C version 0
    rtw88_8723cs mmc1:0001:1: sdio read32 failed (0xf0): -110
    rtw88_8723cs mmc1:0001:1: sdio write8 failed (0x1c): -110
    rtw88_8723cs mmc1:0001:1: sdio read32 failed (0xf0): -110

By vendor driver, only RTL8822CS and RTL8822ES need indirect IO, but RTL8822ES isn't supported yet. Therefore, limit it to RTL8822CS only.

Reported-by: Andrey Skvortsov <andrej.skvortzov@gmail.com>
Closes: https://lore.kernel.org/linux-wireless/07a32e2d6c764eb1bd9415b5a921a652@realtek.com/T/#m997b4522f7209ba629561c776bfd1d13ab24c1d4
Fixes: 58de1f9 ("wifi: rtw88: sdio: use indirect IO for device registers before power-on")
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Tested-by: Andrey Skvortsov <andrej.skvortzov@gmail.com>
Link: https://patch.msgid.link/1764034729-1251-1-git-send-email-pkshih@realtek.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 34e9dd0a1281287f2a8035a0198b48f351adbd08)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 2b77b9551d1184cb5af8271ff350e6e2c1b3db0d ]

The QGenie AI code review tool says we should store the capped length to wdev->u.client.ssid_len. The AI is correct.

Fixes: 62b635d ("wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result()")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://patch.msgid.link/aTAbp5RleyH_lnZE@stanley.mountain
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 8e628bebb109261709734bfa9f1645dfca744e3e)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit a519be2f5d958c5804f2cfd68f1f384291271fab ]

When userspace brings down and deletes a non-transmitted profile, it is expected to send a new updated Beacon template for the transmitted profile of that multiple BSSID (MBSSID) group which does not include the removed profile in MBSSID element. This update comes via NL80211_CMD_SET_BEACON.

Such updates work well as long as the group continues to have at least one non-transmitted profile as NL80211_ATTR_MBSSID_ELEMS is included in the new Beacon template.

But when the last non-transmitted profile is removed, it still gets included in Beacon templates sent to driver. This happens because when no MBSSID elements are sent by the userspace, ieee80211_assign_beacon() ends up using the element stored from earlier Beacon template.

Do not copy old MBSSID elements, instead userspace should always include these when applicable.

Fixes: 2b3171c ("mac80211: MBSSID beacon handling in AP mode")
Signed-off-by: Aloka Dixit <aloka.dixit@oss.qualcomm.com>
Link: https://patch.msgid.link/20251215174656.2866319-2-aloka.dixit@oss.qualcomm.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit e27036473d398ed52b02f603aebdc2793c8c5cdf)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
Reviewer's Guide

Upstream 6.6.120 part-5 patchset that mostly pulls in bug-fixes and robustness improvements across filesystems (btrfs, f2fs, ext4, ocfs2, ntfs3, jbd2), KVM SVM/x86, io_uring, vhost/vsock, MPTCP, Ceph OSD map decoding, runtime PM, multiple USB and I2C drivers, and several platform/SoC specific drivers, with a focus on better bounds checking, memory/handle lifetime management, and more accurate error handling.

Sequence diagram for MPTCP push and retransmission timer behavior

sequenceDiagram
participant App
participant MPTCP_Sock as mptcp_sock
participant Subflow as subflow_sock
participant RtxTimer as mptcp_rtx_timer
App->>MPTCP_Sock: send()/write()
activate MPTCP_Sock
MPTCP_Sock->>MPTCP_Sock: __mptcp_push_pending(flags)
loop while mptcp_send_head() && push_count > 0
MPTCP_Sock->>Subflow: mptcp_subflow_push_pending()
alt data copied to subflow
MPTCP_Sock->>MPTCP_Sock: copied = true
else no data copied
MPTCP_Sock->>MPTCP_Sock: copied unchanged (false)
end
end
MPTCP_Sock->>Subflow: mptcp_push_release(&info)
alt copied == true (new data pushed)
MPTCP_Sock->>MPTCP_Sock: if !mptcp_rtx_timer_pending()
MPTCP_Sock->>RtxTimer: mptcp_reset_rtx_timer()
MPTCP_Sock->>MPTCP_Sock: mptcp_check_send_data_fin()
else copied == false (no new data)
MPTCP_Sock->>MPTCP_Sock: do not arm rtx timer
note over MPTCP_Sock,RtxTimer: Timer will be updated on ACKs via __mptcp_cleanup_una()
end
deactivate MPTCP_Sock

Sequence diagram for vhost/vsock orphan reset using RCU

sequenceDiagram
participant VSockCore as vhost_vsock_core
participant VSk as vsock_sock
participant Hash as vhost_vsock_hash
VSockCore->>VSk: vhost_vsock_reset_orphans(sk)
activate VSk
VSk->>VSk: vsk = vsk_of(sk)
VSk->>Hash: rcu_read_lock()
activate Hash
Hash-->>VSk: enter RCU read section
VSk->>Hash: vhost_vsock_get(remote_cid)
alt instance found in hash
Hash-->>VSk: return vsock instance
VSk->>Hash: rcu_read_unlock()
VSk-->>VSockCore: return (peer still valid)
else no instance found
Hash-->>VSk: return NULL
VSk->>Hash: rcu_read_unlock()
VSk->>VSk: check close timeout state
alt close timeout pending
VSk-->>VSockCore: let timeout expire, no immediate reset
else no timeout pending
VSk->>VSk: reset connection state
VSk-->>VSockCore: orphan connection reset
end
end
deactivate Hash
deactivate VSk

Updated class diagram for f2fs extent aging and allocation counters

classDiagram
class f2fs_sb_info {
<<struct>>
+atomic64_t allocated_data_blocks
+struct inode* meta_inode
+spinlock_t stat_lock
+void* other_fields
+void f2fs_allocate_data_block(page, block_t new_blkaddr)
+void f2fs_put_super(super_block* sb)
}
class extent_info {
<<struct>>
+unsigned int fofs
+unsigned int len
+unsigned int blk
+bool encrypted
+u64 age
+u64 last_blocks
}
class f2fs_extent_age_helpers {
<<module>>
+const u64 F2FS_EXTENT_AGE_INVALID
+void f2fs_update_age_extent_cache_range(dnode_of_data* dn, pgoff_t fofs, unsigned int len)
+int __get_new_block_age(inode* inode, extent_info* ei, struct truncate_extent_info tei)
+void __update_extent_tree_range(inode* inode, struct extent_tree* et, struct truncate_extent_info* tei, pgoff_t fofs, unsigned int len)
}
class truncate_extent_info {
<<struct>>
+u64 last_blocks
+u64 age
}
f2fs_sb_info --> f2fs_extent_age_helpers : uses
f2fs_extent_age_helpers --> extent_info : updates
f2fs_extent_age_helpers --> truncate_extent_info : reads
note for f2fs_sb_info "allocated_data_blocks incremented with wrap protection; resets to 0 on ULLONG_MAX"
note for f2fs_extent_age_helpers "F2FS_EXTENT_AGE_INVALID marks invalid age extents; valid block range is 0..ULLONG_MAX-1"
[APPROVALNOTIFIER] This PR is NOT APPROVED
Hey - I've found 1 issue, and left some high level feedback:
- In intel_th_output_open(), you now correctly drop the device reference on error, but the success path still never balances the bus_find_device_by_devt() reference (there’s no matching put_device()); consider adding a corresponding put (e.g. in the file’s release path) so the device refcount is not leaked across opens.
## Individual Comments
### Comment 1
<location> `drivers/usb/phy/phy-fsl-usb.c:991-990` </location>
<code_context>
struct fsl_usb2_platform_data *pdata = dev_get_platdata(&pdev->dev);
+ disable_delayed_work_sync(&fsl_otg_dev->otg_event);
usb_remove_phy(&fsl_otg_dev->phy);
free_irq(fsl_otg_dev->irq, fsl_otg_dev);
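Review bot: the added disable_delayed_work_sync(&fsl_otg_dev->otg_event) call runs before free_irq(), so the interrupt handler is still registered after the work has been stopped. The visible lines do not show whether that handler can queue otg_event; if it can, add a short comment saying why the work cannot be queued again between these two calls, or stop the work after free_irq() instead.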
</code_context>
<issue_to_address>
**issue (bug_risk):** Use cancel_delayed_work_sync() instead of disable_delayed_work_sync()
The delayed work API has cancel_delayed_work_sync() but no disable_delayed_work_sync(), so this will not build/link. To ensure the otg_event work is flushed before tearing down the PHY, use cancel_delayed_work_sync(&fsl_otg_dev->otg_event) instead.
</issue_to_address>
| { | ||
| struct fsl_usb2_platform_data *pdata = dev_get_platdata(&pdev->dev); | ||
|
|
||
| disable_delayed_work_sync(&fsl_otg_dev->otg_event); |
Pull request overview
This pull request updates the Linux 6.6 kernel base with part 5 of 8 from v6.6.120, containing 100 upstream commits that address various bugs and issues across multiple kernel subsystems. The changes focus primarily on fixing resource leaks, improving error handling, correcting race conditions, and enhancing robustness.
Changes:
- Fixed memory leaks, resource leaks, and device reference handling across multiple drivers (USB, SCSI, I2C, IOMMU, platform devices)
- Corrected filesystem issues in ext4, f2fs, btrfs, ocfs2, ntfs3, and JBD2 including reference counting, extent cache handling, and lockdep annotations
- Addressed KVM virtualization bugs for x86/SVM including async page fault handling, nested VM exit codes, and LAPIC timer drift
- Improved network stack robustness in MPTCP, SUNRPC, wireless, and handshake subsystems
- Fixed kernel core components including tracing, kallsyms, and SCS
- Corrected architecture-specific issues for x86, s390, PowerPC, and ARM
Reviewed changes
Copilot reviewed 103 out of 103 changed files in this pull request and generated 16 comments.
| File | Description |
|---|---|
| tools/testing/selftests/net/openvswitch/ovs-dpctl.py | Fixed regex string escaping with raw string literals |
| tools/testing/nvdimm/test/nfit.c | Use per-DIMM device handle with proper validation |
| tools/testing/ktest/config-bisect.pl | Corrected variable names in error messages |
| tools/lib/perf/cpumap.c | Added NULL check for empty CPU maps |
| security/keys/trusted-keys/trusted_tpm2.c | Fixed memory leak using cleanup attribute |
| net/wireless/sme.c | Fixed buffer overflow by using capped SSID length |
| net/sunrpc/xprtrdma/svc_rdma_rw.c | Return 0 on success instead of -EINVAL |
| net/sunrpc/auth_gss/svcauth_gss.c | Avoid NULL pointer deref on zero-length token |
| net/mptcp/protocol.c | Fixed timer scheduling and fallback deadlock |
| net/mac80211/cfg.c | Removed incorrect reuse of old MBSSID elements |
| net/handshake/request.c | Restore destructor on submission failure |
| net/ceph/osdmap.c | Improved OSD pool decoding robustness |
| kernel/trace/trace_events_synth.c | Fixed synthetic event printing format |
| kernel/trace/trace_events.c | Prevent registration of unsupported perf events |
| kernel/scs.c | Fixed parameter to __scs_magic() |
| kernel/kallsyms.c | Fixed symbol type reading for big symbols |
| io_uring/poll.c | Corrected poll update return value handling |
| io_uring/openclose.c | Fixed filename leak on early error |
| include/media/v4l2-mem2mem.h | Updated outdated documentation |
| include/linux/jbd2.h | Added per-journal lock_class_key |
| fs/xfs/xfs_buf_item.c | Fixed memory leak on error path |
| fs/smb/client/fs_context.c | Fixed password memory leaks |
| fs/ocfs2/suballoc.c | Added chain allocator validation |
| fs/ntfs3/run.c | Fixed sparse run overflow handling |
| fs/notify/fsnotify.c | Filter access events for special files |
| fs/nfsd/export.c | Marked unused variable __maybe_unused |
| fs/nfsd/blocklayout.c | Fixed SCSI fence reservation type |
| fs/jbd2/transaction.c | Use weaker lockdep annotation |
| fs/jbd2/journal.c | Use per-journal lock_class_key |
| fs/f2fs/super.c | Deferred reference count checks, fixed fsync recovery |
| fs/f2fs/segment.c | Handle allocated_data_blocks overflow |
| fs/f2fs/namei.c | Invalidate dentry cache on whiteout failure |
| fs/f2fs/file.c | Skip zero-length extent cache updates |
| fs/f2fs/f2fs.h | Added F2FS_EXTENT_AGE_INVALID constant |
| fs/f2fs/extent_cache.c | Fixed age extent cache insertion |
| fs/ext4/xattr.c | Added error checking for inode loc retrieval |
| fs/ext4/super.c | Moved i_state_flags clearing to allocation |
| fs/ext4/orphan.c | Aligned orphan file size with e2fsprogs limit |
| fs/ext4/mballoc.c | Skip zero-length prealloc spaces |
| fs/ext4/inode.c | Removed duplicate ext4_clear_state_flags call |
| fs/ext4/ialloc.c | Removed duplicate ext4_clear_state_flags call |
| fs/btrfs/tree-log.c | Avoid logging certain conflicting directory inodes |
| drivers/vhost/vsock.c | Improved RCU usage with lockdep annotations |
| drivers/usb/storage/unusual_uas.h | Fixed bcdDevice range for device quirk |
| drivers/usb/renesas_usbhs/pipe.c | Fixed resource leak on error paths |
| drivers/usb/phy/phy-isp1301.c | Fixed device reference handling |
| drivers/usb/phy/phy-fsl-usb.c | Cancel delayed work on device removal |
| drivers/usb/gadget/udc/lpc32xx_udc.c | Fixed error handling and resource cleanup |
| drivers/usb/dwc3/host.c | Keep susphy enabled during exit |
| drivers/usb/dwc3/gadget.c | Keep susphy enabled during exit |
| drivers/usb/dwc3/dwc3-of-simple.c | Fixed error path resource cleanup |
| drivers/tty/serial/sprd_serial.c | Return EPROBE_DEFER for clock probing |
| drivers/target/target_core_transport.c | Reset t_task_cdb on allocation failure |
| drivers/soc/qcom/ocmem.c | Fixed device leak on lookup |
| drivers/soc/amlogic/meson-canvas.c | Fixed device leak on lookup |
| drivers/scsi/qla2xxx/qla_os.c | Reverted lockless command completion |
| drivers/scsi/aic94xx/aic94xx_init.c | Kill tasklet before resource cleanup |
| drivers/s390/block/dasd_eckd.c | Fixed gendisk parent after copy pair swap |
| drivers/rpmsg/qcom_glink_native.c | Unregister rpmsg device on endpoint destroy |
| drivers/platform/x86/intel/hid.c | Added Dell rugged tablet DMI quirks |
| drivers/platform/x86/intel/chtwc_int33fe.c | Fixed software node reference handling |
| drivers/platform/chrome/cros_ec_ishtp.c | Unregister EC device on remove |
| drivers/phy/broadcom/phy-bcm63xx-usbh.c | Fixed section mismatches |
| drivers/parisc/gsc.c | Avoid reprogramming affinity on ASP chip |
| drivers/nvme/host/fc.c | Fixed ctrl_list iteration with locking |
| drivers/net/wireless/realtek/rtw88/sdio.c | Limit indirect IO when powered off |
| drivers/net/ethernet/realtek/r8169_main.c | Fixed RTL8117 WoL in DASH mode |
| drivers/mmc/host/sdhci-msm.c | Fixed HS400 clock handling |
| drivers/media/usb/pvrusb2/pvrusb2-hdw.c | Fixed incorrect variable in trace |
| drivers/media/usb/dvb-usb/dtv5100.c | Added bounds checking for I2C reads |
| drivers/media/test-drivers/vidtv/vidtv_channel.c | Initialized local pointers after ownership transfer |
| drivers/iommu/mtk_iommu.c | Fixed device leaks on error paths |
| drivers/i2c/busses/i2c-designware-master.c | Masked SMBus interrupts to prevent storms |
| drivers/i2c/busses/i2c-designware-core.h | Added SMBUS_INTR_MASK register definition |
| drivers/i2c/busses/i2c-amd-mp2-pci.c | Fixed device reference leak |
| drivers/hwtracing/intel_th/core.c | Fixed error handling in output_open |
| drivers/hwmon/w83l786ng.c | Converted macros to functions for TOCTOU |
| drivers/hwmon/w83791d.c | Converted macros to functions for TOCTOU |
| drivers/hwmon/max16065.c | Fixed TOCTOU with local variable |
| drivers/gpu/drm/amd/display/dc/core/dc_surface.c | Use GFP_ATOMIC in atomic context |
| drivers/gpio/gpio-regmap.c | Fixed memory leak on error path |
| drivers/crypto/caam/caamrng.c | Added NULL check after kcalloc |
| drivers/cpuidle/governors/teo.c | Removed misguided target residency check |
| drivers/cpufreq/cpufreq-nforce2.c | Fixed PCI device reference leaks |
| drivers/char/applicom.c | Fixed NULL pointer dereference |
| drivers/block/rnbd/rnbd-clt.h | Fixed signedness of clt_device_id |
| drivers/block/floppy.c | Fixed MAX_DISK_SIZE for non-4KB pages |
| drivers/base/power/runtime.c | Fixed needs_force_resume clearing logic |
| drivers/amba/tegra-ahb.c | Fixed device leak on SMMU enable |
| crypto/algif_rng.c | Zero-initialize per-request context |
| crypto/algif_hash.c | Zero-initialize per-request context |
| crypto/af_alg.c | Zero-initialize async request structure |
| block/genhd.c | Rate-limit capacity change messages |
| arch/x86/kvm/x86.c | Fixed async PF queue handling on CR0.PG toggle |
| arch/x86/kvm/svm/svm.h | Clear exit_code_hi in simple vmexit |
| arch/x86/kvm/svm/svm.c | Fixed selective CR0 intercept handling |
| arch/x86/kvm/svm/nested.c | Mark VMCB dirty bits and set exit_code_hi |
| arch/x86/kvm/lapic.c | Fixed periodic timer drift and hard lockup |
| arch/x86/crypto/blake2s-core.S | Use 32-bit movd instead of 64-bit movq |
| arch/s390/kernel/ipl.c | Clear SBP flag when bootprog is set |
| arch/s390/include/uapi/asm/ipl.h | Added IPL_PL_FLAG_SBP definition |
| arch/powerpc/kexec/core_64.c | Re-enable SMT before waking offline CPUs |
| arch/arm/boot/dts/microchip/sama5d2.dtsi | Fixed flexcom FIFO sizes |
| apic_timer_expired(apic, true); | ||
|
|
||
| if (lapic_is_periodic(apic)) { | ||
| if (lapic_is_periodic(apic) && !WARN_ON_ONCE(!apic->lapic_timer.period)) { |
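Review bot: in the condition `lapic_is_periodic(apic) && !WARN_ON_ONCE(!apic->lapic_timer.period)`, the warning is emitted only the first time, so every later callback with period == 0 skips the periodic branch without any log. Add a comment stating that skipping the branch is the intended handling for a zero period, and consider splitting the condition over two lines to keep it within the usual line width.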
Copilot
AI
Jan 14, 2026
The WARN_ON_ONCE check for period==0 at line 2876 is good defensive programming. However, this check should ideally never trigger in production. Consider if there are code paths where the period could legitimately become zero, and if so, those paths should be fixed rather than relying on this warning to prevent the issue.
| if (pm_runtime_enabled(dev)) | ||
| return; | ||
|
|
||
| if (dev->power.runtime_status == RPM_ACTIVE) | ||
| pm_runtime_set_suspended(dev); | ||
|
|
||
| if (dev->power.irq_safe) { | ||
| spin_lock_irq(&dev->power.lock); | ||
| dev->power.irq_safe = 0; | ||
| spin_unlock_irq(&dev->power.lock); | ||
| if (dev->parent) | ||
| pm_runtime_put(dev->parent); | ||
| } |
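Review bot: `dev->power.runtime_status` and `dev->power.irq_safe` are both read without `dev->power.lock`, while the write `dev->power.irq_safe = 0` takes it. After the early return on pm_runtime_enabled(dev) this is presumably safe because runtime PM is disabled at this point, but that reasoning should be written as a comment above the checks, or the irq_safe test should move inside the locked region.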
Copilot
AI
Jan 14, 2026
The inverted logic changes the behavior significantly. Previously, the function would only execute the cleanup code if runtime PM was disabled. Now it returns early if runtime PM is enabled. This is correct as the comment at line 1844 indicates "Clear power.needs_force_resume in case it has been set" should only happen when runtime PM is disabled. However, this is a significant behavioral change that warrants careful verification that all callers expect this behavior.
| * | ||
| * FIXME: the relevant software node exists in intel-xhci-usb-role-switch | ||
| * and - if exported - could be used to set up a static reference. | ||
| */ | ||
| mux_ref_node = software_node_find_by_name(NULL, "intel-xhci-usb-sw"); | ||
| if (!mux_ref_node) | ||
| return -EPROBE_DEFER; | ||
|
|
||
| ret = devm_add_action_or_reset(dev, cht_int33fe_put_swnode, | ||
| software_node_fwnode(mux_ref_node)); | ||
| if (ret) | ||
| return ret; | ||
|
|
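Review bot: the release action is registered with software_node_fwnode(mux_ref_node), so cht_int33fe_put_swnode() receives a fwnode handle rather than the software_node pointer returned by software_node_find_by_name(). Its body is not in this hunk, so check that it drops the reference through the fwnode and does not cast the argument back to a software_node. The -EPROBE_DEFER return before the registration is fine, since no reference is held on that path.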
Copilot
AI
Jan 14, 2026
The use of devm_add_action_or_reset at line 226 to manage the software node lifetime is good practice. However, the FIXME comment at lines 219-220 indicates that a static reference could be used instead if the software node were exported. This suggests the current approach may not be optimal and could lead to probe failures if the mux node hasn't been created yet (-EPROBE_DEFER).
|
|
||
| inode_set_iversion(&ei->vfs_inode, 1); | ||
| ei->i_flags = 0; | ||
| ext4_clear_state_flags(ei); /* Only relevant on 32-bit archs */ |
Copilot
AI
Jan 14, 2026
The ext4_clear_state_flags call moved from inode loading paths to allocation. This ensures state flags are cleared only for newly allocated inodes, not for inodes being read from disk. However, the comment "Only relevant on 32-bit archs" at line 1422 is misleading - it should clarify why it's only relevant on 32-bit architectures and what specific state flags need clearing.
| memset(ctx, 0, len); | ||
| ctx->len = len; |
Copilot
AI
Jan 14, 2026
The memset call at line 419 should occur before setting ctx->len at line 420 for consistency with typical initialization patterns, though the current order is functionally correct since len is being overwritten after memset.
| current->journal_info = handle; | ||
|
|
||
| rwsem_acquire_read(&journal->j_trans_commit_map, 0, 0, _THIS_IP_); | ||
| rwsem_acquire_read(&journal->j_trans_commit_map, 0, 1, _THIS_IP_); |
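Review bot: the third argument of rwsem_acquire_read() is the trylock flag (the second is the subclass), so changing it from 0 to 1 tells lockdep to treat this acquisition of j_trans_commit_map as a trylock, which is the weaker annotation, and nothing on the changed line says so. Add a short comment here explaining which dependency report this avoids, so the 1 is not later mistaken for a nesting level.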
Copilot
AI
Jan 14, 2026
The change from annotation value 0 to 1 in the third parameter of rwsem_acquire_read indicates that this lock acquisition is nested/can be held by the same task in multiple contexts. This is a subtle but important change for lockdep analysis. The comment should explain why this annotation change was necessary and what nesting pattern exists.
| svm->nested.nested_run_pending = 0; | ||
| svm->nmi_l1_to_l2 = false; | ||
| svm->soft_int_injected = false; | ||
|
|
Copilot
AI
Jan 14, 2026
Setting exit_code_hi to -1u (0xFFFFFFFF) when VMRUN fails (lines 889 and 922) versus 0 for normal exits is an important distinction. The comment should explain the significance of this sentinel value and how nested hypervisors are expected to interpret exit_code_hi == -1 versus exit_code_hi == 0. This appears to be AMD SVM-specific behavior that needs documentation.
| /* | |
| * Signal to L1 that VMRUN itself failed before L2 started executing. | |
| * | |
| * For "normal" SVM exits, KVM uses exit_code_hi == 0 and provides | |
| * architecturally defined exit_code/exit_info fields that describe | |
| * an exit generated by a running guest. | |
| * | |
| * When VMRUN fails (e.g. due to inconsistent or invalid vmcb12 | |
| * state), KVM cannot report a meaningful architectural SVM exit, | |
| * so exit_code is set to SVM_EXIT_ERR and exit_code_hi is set to | |
| * (u32)-1 (0xFFFFFFFF) as an AMD SVM-specific sentinel. Nested | |
| * hypervisors must treat exit_code_hi == (u32)-1 as "VMRUN failed" | |
| * and not as a regular SVM #VMEXIT, whereas exit_code_hi == 0 | |
| * indicates a normal nested SVM exit. | |
| */ |
| /* | ||
| * Adjust the exit code accordingly if a CR other than CR0 is | ||
| * being written, and skip straight to the common handling as | ||
| * only CR0 has an additional selective intercept. | ||
| */ | ||
| if (info->intercept == x86_intercept_cr_write && info->modrm_reg) { | ||
| icpt_info.exit_code += info->modrm_reg; | ||
|
|
||
| if (icpt_info.exit_code != SVM_EXIT_WRITE_CR0 || | ||
| info->intercept == x86_intercept_clts) | ||
| break; | ||
| } | ||
|
|
||
| if (!(vmcb12_is_intercept(&svm->nested.ctl, | ||
| INTERCEPT_SELECTIVE_CR0))) | ||
| /* | ||
| * Convert the exit_code to SVM_EXIT_CR0_SEL_WRITE if a | ||
| * selective CR0 intercept is triggered (the common logic will | ||
| * treat the selective intercept as being enabled). Note, the | ||
| * unconditional intercept has higher priority, i.e. this is | ||
| * only relevant if *only* the selective intercept is enabled. | ||
| */ | ||
| if (vmcb12_is_intercept(&svm->nested.ctl, INTERCEPT_CR0_WRITE) || | ||
| !(vmcb12_is_intercept(&svm->nested.ctl, INTERCEPT_SELECTIVE_CR0))) | ||
| break; | ||
|
|
||
| cr0 = vcpu->arch.cr0 & ~SVM_CR0_SELECTIVE_MASK; | ||
| val = info->src_val & ~SVM_CR0_SELECTIVE_MASK; | ||
| /* CLTS never triggers INTERCEPT_SELECTIVE_CR0 */ | ||
| if (info->intercept == x86_intercept_clts) | ||
| break; | ||
|
|
||
| /* LMSW always triggers INTERCEPT_SELECTIVE_CR0 */ | ||
| if (info->intercept == x86_intercept_lmsw) { | ||
| cr0 &= 0xfUL; | ||
| val &= 0xfUL; | ||
| /* lmsw can't clear PE - catch this here */ | ||
| if (cr0 & X86_CR0_PE) | ||
| val |= X86_CR0_PE; | ||
| icpt_info.exit_code = SVM_EXIT_CR0_SEL_WRITE; | ||
| break; | ||
| } | ||
|
|
||
| /* | ||
| * MOV-to-CR0 only triggers INTERCEPT_SELECTIVE_CR0 if any bit | ||
| * other than SVM_CR0_SELECTIVE_MASK is changed. | ||
| */ | ||
| cr0 = vcpu->arch.cr0 & ~SVM_CR0_SELECTIVE_MASK; | ||
| val = info->src_val & ~SVM_CR0_SELECTIVE_MASK; | ||
| if (cr0 ^ val) | ||
| icpt_info.exit_code = SVM_EXIT_CR0_SEL_WRITE; | ||
|
|
||
| break; |
Copilot
AI
Jan 14, 2026
The logic changes for handling selective CR0 intercepts are complex. The new code at lines 4640-4679 restructures the intercept decision making, but the interaction between CLTS (line 4662) and LMSW (line 4666) with selective intercepts needs clearer documentation. Specifically, why CLTS never triggers selective intercept and why LMSW always triggers it should be explained with reference to AMD documentation or specification.
| // The CPUs are always sorted and nr is always > 0 as 0 length map is | ||
| // encoded as NULL. | ||
| return __perf_cpu_map__cpu(map, __perf_cpu_map__nr(map) - 1); |
Copilot
AI
Jan 14, 2026
The comment update is misleading. The change removes the assumption that empty maps (nr==0) are encoded as NULL and now explicitly handles NULL maps. However, the comment still claims "nr is always > 0 as 0 length map is encoded as NULL" which contradicts the explicit NULL check above it. The comment should be updated to clarify that NULL maps are now being handled separately.
| elif parse_starts_block(actstr, r"^(\d+)", False, True): | ||
| actstr, output = parse_extract_field( | ||
| actstr, None, "(\d+)", lambda x: int(x), False, "0" | ||
| actstr, None, r"(\d+)", lambda x: int(x), False, "0" |
Copilot
AI
Jan 14, 2026
This 'lambda' is just a simple wrapper around a callable object. Use that object directly.
Due to github limit, submit part 5/8 of v6.6.120.
git log --oneline v6.6.120~335..v6.6.120~235 |wc
100 932 7327
Adrian Moreno (1):
selftests: openvswitch: Fix escape chars in regexp.
Alex Deucher (1):
drm/amd/display: Use GFP_ATOMIC in dc_create_plane_state()
Alison Schofield (1):
tools/testing/nvdimm: Use per-DIMM device handle
Aloka Dixit (1):
wifi: mac80211: do not use old MBSSID elements
Amir Goldstein (1):
fsnotify: do not generate ACCESS/MODIFY events on child for special
files
Andrey Vatoropin (1):
scsi: target: Reset t_task_cdb pointer in error case
Andy Shevchenko (1):
nfsd: Mark variable __maybe_unused to avoid W=1 build break
Baokun Li (1):
ext4: align max orphan file size with e2fsprogs limit
Bartosz Golaszewski (1):
platform/x86: intel: chtwc_int33fe: don't dereference swnode args
Byungchul Park (1):
jbd2: use a weaker annotation in journal handling
Chao Yu (2):
f2fs: fix to avoid updating zero-sized extent in extent cache
f2fs: fix return value of f2fs_recover_fsync_data()
Chen Changcheng (1):
usb: usb-storage: Maintain minimal modifications to the bcdDevice
range.
Chia-Lin Kao (AceLan) (1):
platform/x86/intel/hid: Add Dell Pro Rugged 10/12 tablet to VGBS DMI
quirks
Colin Ian King (1):
media: pvrusb2: Fix incorrect variable used in trace message
Dai Ngo (1):
NFSD: use correct reservation type in nfsd4_scsi_fence_client
Dan Carpenter (2):
block: rnbd-clt: Fix signedness bug in init_dev()
wifi: cfg80211: sme: store capped length in
__cfg80211_connect_result()
Daniel Wagner (1):
nvme-fc: don't hold rport lock when putting ctrl
Deepanshu Kartikey (1):
f2fs: invalidate dentry cache on failed whiteout creation
Duoming Zhou (1):
usb: phy: fsl-usb: Fix use-after-free in delayed work during device
removal
Eric Biggers (1):
lib/crypto: x86/blake2s: Fix 32-bit arg treated as 64-bit
Filipe Manana (1):
btrfs: don't log conflicting inode if it's a dir moved in the current
transaction
Guangshuo Li (1):
crypto: caam - Add check for kcalloc() in test_len()
Gui-Dong Han (3):
hwmon: (max16065) Use local variable to avoid TOCTOU
hwmon: (w83791d) Convert macros to functions to avoid TOCTOU
hwmon: (w83l786ng) Convert macros to functions to avoid TOCTOU
Haibo Chen (1):
ext4: clear i_state_flags when alloc inode
Haoxiang Li (2):
usb: renesas_usbhs: Fix a resource leak in usbhs_pipe_malloc()
xfs: fix a memory leak in xfs_buf_item_init()
Helge Deller (1):
parisc: Do not reprogram affinitiy on ASP chip
Ian Rogers (1):
libperf cpumap: Fix perf_cpu_map__max for an empty/NULL map
Ilya Dryomov (1):
libceph: make decode_pool() more resilient against corrupted osdmaps
Jan Prusakowski (1):
f2fs: ensure node page reads complete before f2fs_put_super() finishes
Jarkko Sakkinen (1):
KEYS: trusted: Fix a memory leak in tpm2_load_cmd
Jens Axboe (1):
io_uring/poll: correctly handle io_poll_add() return value on update
Jeongjun Park (2):
media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg()
media: vidtv: initialize local pointers upon transfer of memory
ownership
Jim Mattson (2):
KVM: SVM: Mark VMCB_NPT as dirty on nested VMRUN
KVM: SVM: Mark VMCB_PERM_MAP as dirty on nested VMRUN
Jinhui Guo (1):
i2c: designware: Disable SMBus interrupts to prevent storms from
mis-configured firmware
Johan Hovold (6):
phy: broadcom: bcm63xx-usbh: fix section mismatches
usb: phy: isp1301: fix non-OF device reference imbalance
amba: tegra-ahb: Fix device leak on SMMU enable
soc: qcom: ocmem: fix device leak on lookup
soc: amlogic: canvas: fix device leak on lookup
iommu/mediatek: fix use-after-free on probe deferral
Joshua Rogers (2):
svcrdma: return 0 on success from svc_rdma_copy_inline_range
SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in
gss_read_proxy_verf
Junrui Luo (1):
scsi: aic94xx: fix use-after-free in device removal path
Karina Yankevich (1):
ext4: xattr: fix null pointer deref in ext4_raw_inode()
Konstantin Komarov (1):
fs/ntfs3: fix mount failure for sparse runs in run_unpack()
Laurent Pinchart (1):
media: v4l2-mem2mem: Fix outdated documentation
Li Chen (1):
block: rate-limit capacity change info log
Ma Ke (3):
USB: lpc32xx_udc: Fix error handling in probe
intel_th: Fix error handling in intel_th_output_open
i2c: amd-mp2: fix reference leak in MP2 PCI device
Maxim Levitsky (1):
KVM: x86: Don't clear async #PF queue when CR0.PG is disabled (e.g. on
#SMI)
Miaoqian Lin (2):
usb: dwc3: of-simple: fix clock resource leak in dwc3_of_simple_probe
cpufreq: nforce2: fix reference count leak in nforce2
Nicolas Ferre (1):
ARM: dts: microchip: sama5d2: fix spi flexcom fifo size to 32
Nysal Jan K.A. (1):
powerpc/kexec: Enable SMT before waking offline CPUs
Paolo Abeni (2):
mptcp: schedule rtx timer only after pushing data
mptcp: avoid deadlock on fallback while reinjecting
Ping-Ke Shih (1):
wifi: rtw88: limit indirect IO under powered off for RTL8822CS
Prithvi Tambewagh (2):
io_uring: fix filename leak in __io_openat_prep()
ocfs2: fix kernel BUG in ocfs2_find_victim_chain
Rafael J. Wysocki (2):
cpuidle: governors: teo: Drop misguided target residency check
PM: runtime: Do not clear needs_force_resume with enabled runtime PM
Rene Rebe (1):
floppy: fix for PAGE_SIZE != 4KB
René Rebe (1):
r8169: fix RTL8117 Wake-on-Lan in DASH mode
Sarthak Garg (1):
mmc: sdhci-msm: Avoid early clock doubling during HS400 transition
Sean Christopherson (3):
KVM: x86: WARN if hrtimer callback for periodic APIC timer fires with
period=0
KVM: nSVM: Set exit_code_hi to -1 when synthesizing SVM_EXIT_ERR
(failed VMRUN)
KVM: nSVM: Clear exit_code_hi in VMCB when synthesizing nested
VM-Exits
Shivani Agarwal (1):
crypto: af_alg - zero initialize memory allocated via sock_kmalloc
Srinivas Kandagatla (1):
rpmsg: glink: fix rpmsg device leak
Stefan Haberland (1):
s390/dasd: Fix gendisk parent after copy pair swap
Stefano Garzarella (1):
vhost/vsock: improve RCU read sections around vhost_vsock_get()
Steven Rostedt (3):
ktest.pl: Fix uninitialized var in config-bisect.pl
tracing: Do not register unsupported perf events
tracing: Fix fixed array of synthetic event
Sven Schnelle (1):
s390/ipl: Clear SBP flag when bootprog is set
Tetsuo Handa (1):
jbd2: use a per-journal lock_class_key for jbd2_trans_commit_key
Tianchu Chen (1):
char: applicom: fix NULL pointer dereference in ac_ioctl
Tony Battersby (1):
scsi: Revert "scsi: qla2xxx: Perform lockless command completion in
abort path"
Tzung-Bi Shih (1):
platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver
Udipto Goswami (1):
usb: dwc3: keep susphy enabled during exit to avoid controller faults
Wenhua Lin (1):
serial: sprd: Return -EPROBE_DEFER when uart clock is not ready
Wentao Guan (1):
gpio: regmap: Fix memleak in error path in gpio_regmap_register()
Xiaole He (1):
f2fs: fix age extent cache insertion skip on counter overflow
Yongjian Sun (1):
ext4: fix incorrect group number assertion in mb_check_buddy
Yosry Ahmed (2):
KVM: nSVM: Avoid incorrect injection of SVM_EXIT_CR0_SEL_WRITE
KVM: nSVM: Propagate SVM_EXIT_CR0_SEL_WRITE correctly for LMSW
emulation
Zheng Yejian (1):
kallsyms: Fix wrong "big" kernel symbol type read from procfs
Zhichi Lin (1):
scs: fix a wrong parameter in __scs_magic
Zilin Guan (1):
cifs: Fix memory and information leak in smb3_reconfigure()
caoping (1):
net/handshake: restore destructor on submit failure
fuqiang wang (2):
KVM: x86: Explicitly set new periodic hrtimer expiration in
apic_timer_fn()
KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic
HV timer
arch/arm/boot/dts/microchip/sama5d2.dtsi | 10 +-
arch/powerpc/kexec/core_64.c | 19 +++
arch/s390/include/uapi/asm/ipl.h | 1 +
arch/s390/kernel/ipl.c | 48 ++++++--
arch/x86/crypto/blake2s-core.S | 4 +-
arch/x86/kvm/lapic.c | 32 +++--
arch/x86/kvm/svm/nested.c | 6 +-
arch/x86/kvm/svm/svm.c | 44 ++++---
arch/x86/kvm/svm/svm.h | 7 +-
arch/x86/kvm/x86.c | 25 ++--
block/genhd.c | 2 +-
crypto/af_alg.c | 5 +-
crypto/algif_hash.c | 3 +-
crypto/algif_rng.c | 3 +-
drivers/amba/tegra-ahb.c | 1 +
drivers/base/power/runtime.c | 22 ++--
drivers/block/floppy.c | 2 +-
drivers/block/rnbd/rnbd-clt.h | 2 +-
drivers/char/applicom.c | 5 +-
drivers/cpufreq/cpufreq-nforce2.c | 3 +
drivers/cpuidle/governors/teo.c | 7 +-
drivers/crypto/caam/caamrng.c | 4 +-
drivers/gpio/gpio-regmap.c | 2 +-
.../gpu/drm/amd/display/dc/core/dc_surface.c | 2 +-
drivers/hwmon/max16065.c | 7 +-
drivers/hwmon/w83791d.c | 17 ++-
drivers/hwmon/w83l786ng.c | 26 ++--
drivers/hwtracing/intel_th/core.c | 20 ++-
drivers/i2c/busses/i2c-amd-mp2-pci.c | 5 +-
drivers/i2c/busses/i2c-designware-core.h | 1 +
drivers/i2c/busses/i2c-designware-master.c | 7 ++
drivers/iommu/mtk_iommu.c | 25 ++--
.../media/test-drivers/vidtv/vidtv_channel.c | 3 +
drivers/media/usb/dvb-usb/dtv5100.c | 5 +
drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 2 +-
drivers/mmc/host/sdhci-msm.c | 27 ++--
drivers/net/ethernet/realtek/r8169_main.c | 5 +-
drivers/net/wireless/realtek/rtw88/sdio.c | 4 +-
drivers/nvme/host/fc.c | 6 +-
drivers/parisc/gsc.c | 4 +-
drivers/phy/broadcom/phy-bcm63xx-usbh.c | 6 +-
drivers/platform/chrome/cros_ec_ishtp.c | 1 +
drivers/platform/x86/intel/chtwc_int33fe.c | 29 +++--
drivers/platform/x86/intel/hid.c | 12 ++
drivers/rpmsg/qcom_glink_native.c | 8 ++
drivers/s390/block/dasd_eckd.c | 8 ++
drivers/scsi/aic94xx/aic94xx_init.c | 3 +
drivers/scsi/qla2xxx/qla_os.c | 6 -
drivers/soc/amlogic/meson-canvas.c | 5 +-
drivers/soc/qcom/ocmem.c | 2 +-
drivers/target/target_core_transport.c | 1 +
drivers/tty/serial/sprd_serial.c | 6 +
drivers/usb/dwc3/dwc3-of-simple.c | 7 +-
drivers/usb/dwc3/gadget.c | 2 +-
drivers/usb/dwc3/host.c | 2 +-
drivers/usb/gadget/udc/lpc32xx_udc.c | 21 +++-
drivers/usb/phy/phy-fsl-usb.c | 1 +
drivers/usb/phy/phy-isp1301.c | 7 +-
drivers/usb/renesas_usbhs/pipe.c | 2 +
drivers/usb/storage/unusual_uas.h | 2 +-
drivers/vhost/vsock.c | 15 ++-
fs/btrfs/tree-log.c | 38 ++++++
fs/ext4/ialloc.c | 1 -
fs/ext4/inode.c | 1 -
fs/ext4/mballoc.c | 2 +
fs/ext4/orphan.c | 4 +-
fs/ext4/super.c | 1 +
fs/ext4/xattr.c | 6 +-
fs/f2fs/extent_cache.c | 5 +-
fs/f2fs/f2fs.h | 6 +
fs/f2fs/file.c | 7 +-
fs/f2fs/namei.c | 6 +-
fs/f2fs/segment.c | 9 +-
fs/f2fs/super.c | 31 +++--
fs/jbd2/journal.c | 6 +-
fs/jbd2/transaction.c | 2 +-
fs/nfsd/blocklayout.c | 3 +-
fs/nfsd/export.c | 2 +-
fs/notify/fsnotify.c | 9 +-
fs/ntfs3/run.c | 6 +-
fs/ocfs2/suballoc.c | 10 ++
fs/smb/client/fs_context.c | 2 +
fs/xfs/xfs_buf_item.c | 1 +
include/linux/jbd2.h | 6 +
include/media/v4l2-mem2mem.h | 3 +-
io_uring/openclose.c | 2 +-
io_uring/poll.c | 9 +-
kernel/kallsyms.c | 5 +-
kernel/scs.c | 2 +-
kernel/trace/trace_events.c | 2 +
kernel/trace/trace_events_synth.c | 1 -
net/ceph/osdmap.c | 116 ++++++++----------
net/handshake/request.c | 2 +
net/mac80211/cfg.c | 10 --
net/mptcp/protocol.c | 22 ++--
net/sunrpc/auth_gss/svcauth_gss.c | 3 +-
net/sunrpc/xprtrdma/svc_rdma_rw.c | 2 +-
net/wireless/sme.c | 2 +-
security/keys/trusted-keys/trusted_tpm2.c | 6 +-
tools/lib/perf/cpumap.c | 10 +-
tools/testing/ktest/config-bisect.pl | 4 +-
tools/testing/nvdimm/test/nfit.c | 7 +-
.../selftests/net/openvswitch/ovs-dpctl.py | 16 +--
103 files changed, 641 insertions(+), 316 deletions(-)
Summary by Sourcery
Update Linux 6.6.120 kernel base with a batch of upstream fixes across subsystems including KVM, filesystems (btrfs, f2fs, ext4, ocfs2, ntfs3), storage/network drivers, USB/PHY, power management/runtime, cpuidle/cpufreq, and various tooling and test components to improve robustness, memory safety, and correctness.
Bug Fixes: