This is kind of last-minute, but Al Viro reported that the new
FOP_DONTCACHE flag causes memory corruption due to use-after-free
issues.
This was triggered by commit 974c5e6139 ("xfs: flag as supporting
FOP_DONTCACHE"), but that is not the underlying bug - it is just the
first user of the flag.
Vlastimil Babka suspects the underlying problem stems from the
folio_end_writeback() logic introduced in commit fb7d3bc414
("mm/filemap: drop streaming/uncached pages when writeback completes").
The most straightforward fix would be to just revert the commit that
exposed this, but Matthew Wilcox points out that other filesystems are
also starting to enable the FOP_DONTCACHE logic, so this instead
disables that bit globally for now.
The fix will hopefully end up being trivial and we can just re-enable
this logic after more testing, but until such a time we'll have to
disable the new FOP_DONTCACHE flag.
Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Link: https://lore.kernel.org/all/20250525083209.GS2023217@ZenIV/
Triggered-by: 974c5e6139 ("xfs: flag as supporting FOP_DONTCACHE")
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Jan Kara <jack@suse.cz>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Darrick J. Wong <djwong@kernel.org>
Cc: Christian Brauner <brauner@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Merge tag 'mm-hotfixes-stable-2025-05-25-00-58' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
Pull hotfixes from Andrew Morton:
"22 hotfixes.
13 are cc:stable and the remainder address post-6.14 issues or aren't
considered necessary for -stable kernels. 19 are for MM"
* tag 'mm-hotfixes-stable-2025-05-25-00-58' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm: (22 commits)
mailmap: add Jarkko's employer email address
mm: fix copy_vma() error handling for hugetlb mappings
memcg: always call cond_resched() after fn()
mm/hugetlb: fix kernel NULL pointer dereference when replacing free hugetlb folios
mm: vmalloc: only zero-init on vrealloc shrink
mm: vmalloc: actually use the in-place vrealloc region
alloc_tag: allocate percpu counters for module tags dynamically
module: release codetag section when module load fails
mm/cma: make detection of highmem_start more robust
MAINTAINERS: add mm memory policy section
MAINTAINERS: add mm ksm section
kasan: avoid sleepable page allocation from atomic context
highmem: add folio_test_partial_kmap()
MAINTAINERS: add hung-task detector section
taskstats: fix struct taskstats breaks backward compatibility since version 15
mm/truncate: fix out-of-bounds when doing a right-aligned split
MAINTAINERS: add mm reclaim section
MAINTAINERS: update page allocator section
mm: fix VM_UFFD_MINOR == VM_SHADOW_STACK on USERFAULTFD=y && ARM64_GCS=y
mm: mmap: map MAP_STACK to VM_NOHUGEPAGE only if THP is enabled
...
Add the current employer email address to mailmap.
Link: https://lkml.kernel.org/r/20250523121105.15850-1-jarkko@kernel.org
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Cc: Alexander Sverdlin <alexander.sverdlin@gmail.com>
Cc: Antonio Quartulli <antonio@openvpn.net>
Cc: Carlos Bilbao <carlos.bilbao@kernel.org>
Cc: Kees Cook <kees@kernel.org>
Cc: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
If, during a mremap() operation for a hugetlb-backed memory mapping,
copy_vma() fails after the source vma has been duplicated and opened (ie.
vma_link() fails), the error is handled by closing the new vma. This
updates the hugetlbfs reservation counter of the reservation map which at
this point is referenced by both the source vma and the new copy. As a
result, once the new vma has been freed and copy_vma() returns, the
reservation counter for the source vma will be incorrect.
This patch addresses this corner case by clearing the hugetlb private page
reservation reference for the new vma and decrementing the reference
before closing the vma, so that vma_close() won't update the reservation
counter. This is also what copy_vma_and_data() does with the source vma
if copy_vma() succeeds, so a helper function has been added to do the
fixup in both functions.
The issue was reported by a private syzbot instance and can be reproduced
using the C reproducer in [1]. It's also a possible duplicate of public
syzbot report [2]. The WARNING report is:
============================================================
page_counter underflow: -1024 nr_pages=1024
WARNING: CPU: 0 PID: 3287 at mm/page_counter.c:61 page_counter_cancel+0xf6/0x120
Modules linked in:
CPU: 0 UID: 0 PID: 3287 Comm: repro__WARNING_ Not tainted 6.15.0-rc7+ #54 NONE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-2-gc13ff2cd-prebuilt.qemu.org 04/01/2014
RIP: 0010:page_counter_cancel+0xf6/0x120
Code: ff 5b 41 5e 41 5f 5d c3 cc cc cc cc e8 f3 4f 8f ff c6 05 64 01 27 06 01 48 c7 c7 60 15 f8 85 48 89 de 4c 89 fa e8 2a a7 51 ff <0f> 0b e9 66 ff ff ff 44 89 f9 80 e1 07 38 c1 7c 9d 4c 81
RSP: 0018:ffffc900025df6a0 EFLAGS: 00010246
RAX: 2edfc409ebb44e00 RBX: fffffffffffffc00 RCX: ffff8880155f0000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: dffffc0000000000 R08: ffffffff81c4a23c R09: 1ffff1100330482a
R10: dffffc0000000000 R11: ffffed100330482b R12: 0000000000000000
R13: ffff888058a882c0 R14: ffff888058a882c0 R15: 0000000000000400
FS: 0000000000000000(0000) GS:ffff88808fc53000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004b33e0 CR3: 00000000076d6000 CR4: 00000000000006f0
Call Trace:
<TASK>
page_counter_uncharge+0x33/0x80
hugetlb_cgroup_uncharge_counter+0xcb/0x120
hugetlb_vm_op_close+0x579/0x960
? __pfx_hugetlb_vm_op_close+0x10/0x10
remove_vma+0x88/0x130
exit_mmap+0x71e/0xe00
? __pfx_exit_mmap+0x10/0x10
? __mutex_unlock_slowpath+0x22e/0x7f0
? __pfx_exit_aio+0x10/0x10
? __up_read+0x256/0x690
? uprobe_clear_state+0x274/0x290
? mm_update_next_owner+0xa9/0x810
__mmput+0xc9/0x370
exit_mm+0x203/0x2f0
? __pfx_exit_mm+0x10/0x10
? taskstats_exit+0x32b/0xa60
do_exit+0x921/0x2740
? do_raw_spin_lock+0x155/0x3b0
? __pfx_do_exit+0x10/0x10
? __pfx_do_raw_spin_lock+0x10/0x10
? _raw_spin_lock_irq+0xc5/0x100
do_group_exit+0x20c/0x2c0
get_signal+0x168c/0x1720
? __pfx_get_signal+0x10/0x10
? schedule+0x165/0x360
arch_do_signal_or_restart+0x8e/0x7d0
? __pfx_arch_do_signal_or_restart+0x10/0x10
? __pfx___se_sys_futex+0x10/0x10
syscall_exit_to_user_mode+0xb8/0x2c0
do_syscall_64+0x75/0x120
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x422dcd
Code: Unable to access opcode bytes at 0x422da3.
RSP: 002b:00007ff266cdb208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: 0000000000000001 RBX: 00007ff266cdbcdc RCX: 0000000000422dcd
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00000000004c7bec
RBP: 00007ff266cdb220 R08: 203a6362696c6720 R09: 203a6362696c6720
R10: 0000200000c00000 R11: 0000000000000246 R12: ffffffffffffffd0
R13: 0000000000000002 R14: 00007ffe1cb5f520 R15: 00007ff266cbb000
</TASK>
============================================================
Link: https://lkml.kernel.org/r/20250523-warning_in_page_counter_cancel-v2-1-b6df1a8cfefd@igalia.com
Link: https://people.igalia.com/rcn/kernel_logs/20250422__WARNING_in_page_counter_cancel__repro.c [1]
Link: https://lore.kernel.org/all/67000a50.050a0220.49194.048d.GAE@google.com/ [2]
Signed-off-by: Ricardo Cañuelo Navarro <rcn@igalia.com>
Suggested-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Reviewed-by: Liam R. Howlett <Liam.Howlett@oracle.com>
Cc: Florent Revest <revest@google.com>
Cc: Jann Horn <jannh@google.com>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
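The reservation accounting failure described in the copy_vma() commit message above, as a user-space C model added here (not kernel code and not part of the patch). All struct and function names are hypothetical stand-ins, and NR_PAGES takes the nr_pages value from the WARNING report.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NR_PAGES 1024L  /* matches nr_pages=1024 in the WARNING report */

/* Hypothetical, heavily simplified stand-ins for the kernel objects. */
struct page_counter { long usage; };

struct resv_map {
    int refs;                      /* number of vmas referencing the map */
    long reserved;                 /* pages charged to the counter */
    struct page_counter *counter;
};

struct vma {
    struct resv_map *resv;         /* private reservation reference */
    bool resv_owner;               /* owner flag carried in the private data */
};

/* Models the close hook: an owning vma uncharges the whole reservation. */
static void vma_close(struct vma *v)
{
    if (v->resv == NULL || !v->resv_owner)
        return;
    v->resv->counter->usage -= v->resv->reserved;
    v->resv->refs--;
    v->resv = NULL;
}

/* Models duplicating and opening a vma: the private data is copied
 * verbatim, so the copy also looks like an owner, and a reference is taken. */
static struct vma vma_dup_and_open(const struct vma *src)
{
    struct vma copy = *src;
    if (copy.resv != NULL)
        copy.resv->refs++;
    return copy;
}

/* Models the fixup: drop the reference and forget the map, so a later
 * vma_close() on this vma leaves the counter untouched. */
static void model_fixup_reservation(struct vma *v)
{
    if (v->resv == NULL)
        return;
    v->resv->refs--;
    v->resv = NULL;
    v->resv_owner = false;
}

/* copy_vma() fails after the copy was duplicated and opened.
 * Returns the counter value once the process has exited. */
long usage_after_failed_copy(bool apply_fixup)
{
    struct page_counter pc = { .usage = NR_PAGES };
    struct resv_map map = { .refs = 1, .reserved = NR_PAGES, .counter = &pc };
    struct vma src = { .resv = &map, .resv_owner = true };

    struct vma copy = vma_dup_and_open(&src);  /* refs == 2 */
    /* Linking the copy fails here, so the error path closes it. */
    if (apply_fixup)
        model_fixup_reservation(&copy);
    vma_close(&copy);  /* without the fixup: uncharges the shared map */
    vma_close(&src);   /* process exit: the source uncharges as well */
    return pc.usage;
}

/* copy_vma() succeeds: the same fixup is applied to the source vma,
 * so only the new vma uncharges when it is finally closed. */
long usage_after_successful_move(void)
{
    struct page_counter pc = { .usage = NR_PAGES };
    struct resv_map map = { .refs = 1, .reserved = NR_PAGES, .counter = &pc };
    struct vma src = { .resv = &map, .resv_owner = true };

    struct vma copy = vma_dup_and_open(&src);
    model_fixup_reservation(&src);
    vma_close(&src);   /* old range unmapped: no accounting change */
    vma_close(&copy);  /* process exit: single uncharge */
    return pc.usage;
}

int main(void)
{
    printf("failed copy, no fixup:   %ld\n", usage_after_failed_copy(false));
    printf("failed copy, with fixup: %ld\n", usage_after_failed_copy(true));
    printf("successful move:         %ld\n", usage_after_successful_move());
    return 0;
}
```

In the model the counter is left negative so the double uncharge is visible as a value; the kernel reports the same condition through the page_counter underflow WARNING quoted in the commit message.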
I am seeing soft lockup on certain machine types when a cgroup OOMs. This
is happening because killing the process on certain machines might be very
slow, which causes the soft lockup and RCU stalls. This happens usually
when the cgroup has MANY processes and memory.oom.group is set.
Example I am seeing in real production:
[462012.244552] Memory cgroup out of memory: Killed process 3370438 (crosvm) ....
....
[462037.318059] Memory cgroup out of memory: Killed process 4171372 (adb) ....
[462037.348314] watchdog: BUG: soft lockup - CPU#64 stuck for 26s! [stat_manager-ag:1618982]
....
Quick look at why this is so slow, it seems to be related to serial flush
for certain machine types. For all the crashes I saw, the target CPU was
at console_flush_all().
In the case above, there are thousands of processes in the cgroup, and it
is soft locking up before it reaches the 1024 limit in the code (which
would call the cond_resched()). So, cond_resched() in 1024 blocks is not
sufficient.
Remove the counter-based conditional rescheduling logic and call
cond_resched() unconditionally after each task iteration, after fn() is
called. This avoids the lockup independently of how slow fn() is.
Link: https://lkml.kernel.org/r/20250523-memcg_fix-v1-1-ad3eafb60477@debian.org
Fixes: ade81479c7 ("memcg: fix soft lockup in the OOM process")
Signed-off-by: Breno Leitao <leitao@debian.org>
Suggested-by: Rik van Riel <riel@surriel.com>
Acked-by: Shakeel Butt <shakeel.butt@linux.dev>
Cc: Michael van der Westhuizen <rmikey@meta.com>
Cc: Usama Arif <usamaarif642@gmail.com>
Cc: Pavel Begunkov <asml.silence@gmail.com>
Cc: Chen Ridong <chenridong@huawei.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Muchun Song <muchun.song@linux.dev>
Cc: Roman Gushchin <roman.gushchin@linux.dev>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
The common case is to grow reallocations, and since init_on_alloc will
have already zeroed the whole allocation, we only need to zero when
shrinking the allocation.
Link: https://lkml.kernel.org/r/20250515214217.619685-2-kees@kernel.org
Fixes: a0309faf1c ("mm: vmalloc: support more granular vrealloc() sizing")
Signed-off-by: Kees Cook <kees@kernel.org>
Tested-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Cc: Danilo Krummrich <dakr@kernel.org>
Cc: Eduard Zingerman <eddyz87@gmail.com>
Cc: "Erhard F." <erhard_f@mailbox.org>
Cc: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Cc: "Uladzislau Rezki (Sony)" <urezki@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Patch series "mm: vmalloc: Actually use the in-place vrealloc region".
This fixes a performance regression[1] with vrealloc()[1].
The refactoring to not build a new vmalloc region only actually worked
when shrinking. Actually return the resized area when it grows. Ugh.
Link: https://lkml.kernel.org/r/20250515214217.619685-1-kees@kernel.org
Fixes: a0309faf1c ("mm: vmalloc: support more granular vrealloc() sizing")
Signed-off-by: Kees Cook <kees@kernel.org>
Reported-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Closes: https://lore.kernel.org/all/20250515-bpf-verifier-slowdown-vwo2meju4cgp2su5ckj@6gi6ssxbnfqg [1]
Tested-by: Eduard Zingerman <eddyz87@gmail.com>
Tested-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Tested-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Reviewed-by: "Uladzislau Rezki (Sony)" <urezki@gmail.com>
Reviewed-by: Danilo Krummrich <dakr@kernel.org>
Cc: "Erhard F." <erhard_f@mailbox.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
When a module gets unloaded it checks whether any of its tags are still in
use and if so, we keep the memory containing module's allocation tags
alive until all tags are unused. However percpu counters referenced by
the tags are freed by free_module(). This will lead to UAF if the memory
allocated by a module is accessed after module was unloaded.
To fix this we allocate percpu counters for module allocation tags
dynamically and we keep it alive for tags which are still in use after
module unloading. This also removes the requirement of a larger
PERCPU_MODULE_RESERVE when memory allocation profiling is enabled because
percpu memory for counters does not need to be reserved anymore.
Link: https://lkml.kernel.org/r/20250517000739.5930-1-surenb@google.com
Fixes: 0db6f8d782 ("alloc_tag: load module tags into separate contiguous memory")
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Reported-by: David Wang <00107082@163.com>
Closes: https://lore.kernel.org/all/20250516131246.6244-1-00107082@163.com/
Tested-by: David Wang <00107082@163.com>
Cc: Christoph Lameter (Ampere) <cl@gentwo.org>
Cc: Dennis Zhou <dennis@kernel.org>
Cc: Kent Overstreet <kent.overstreet@linux.dev>
Cc: Pasha Tatashin <pasha.tatashin@soleen.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
When module load fails after memory for codetag section is ready, codetag
section memory will not be properly released. This causes memory leak,
and if next module load happens to get the same module address, codetag
may pick the uninitialized section when manipulating tags during module
unload, and leads to "unable to handle page fault" BUG.
Link: https://lkml.kernel.org/r/20250519163823.7540-1-00107082@163.com
Fixes: 0db6f8d782 ("alloc_tag: load module tags into separate contiguous memory")
Closes: https://lore.kernel.org/all/20250516131246.6244-1-00107082@163.com/
Signed-off-by: David Wang <00107082@163.com>
Acked-by: Suren Baghdasaryan <surenb@google.com>
Cc: Petr Pavlu <petr.pavlu@suse.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Pratyush Yadav reports the following crash:
------------[ cut here ]------------
kernel BUG at arch/x86/mm/physaddr.c:23!
ception 0x06 IP 10:ffffffff812ebbf8 error 0 cr2 0xffff88903ffff000
CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted 6.15.0-rc6+ #231 PREEMPT(undef)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014
RIP: 0010:__phys_addr+0x58/0x60
Code: 01 48 89 c2 48 d3 ea 48 85 d2 75 05 e9 91 52 cf 00 0f 0b 48 3d ff ff ff 1f 77 0f 48 8b 05 20 54 55 01 48 01 d0 e9 78 52 cf 00 <0f> 0b 90 0f 1f 44 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 0000:ffffffff82803dd8 EFLAGS: 00010006 ORIG_RAX: 0000000000000000
RAX: 000000007fffffff RBX: 00000000ffffffff RCX: 0000000000000000
RDX: 000000007fffffff RSI: 0000000280000000 RDI: ffffffffffffffff
RBP: ffffffff82803e68 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff83153180 R11: ffffffff82803e48 R12: ffffffff83c9aed0
R13: 0000000000000000 R14: 0000001040000000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:0000000000000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88903ffff000 CR3: 0000000002838000 CR4: 00000000000000b0
Call Trace:
<TASK>
? __cma_declare_contiguous_nid+0x6e/0x340
? cma_declare_contiguous_nid+0x33/0x70
? dma_contiguous_reserve_area+0x2f/0x70
? setup_arch+0x6f1/0x870
? start_kernel+0x52/0x4b0
? x86_64_start_reservations+0x29/0x30
? x86_64_start_kernel+0x7c/0x80
? common_startup_64+0x13e/0x141
The reason is that __cma_declare_contiguous_nid() does:
highmem_start = __pa(high_memory - 1) + 1;
If dma_contiguous_reserve_area() (or any other CMA declaration) is
called before free_area_init(), high_memory is uninitialized. Without
CONFIG_DEBUG_VIRTUAL, it will likely work but use the wrong value for
highmem_start.
The issue occurs because commit e120d1bc12 ("arch, mm: set high_memory
in free_area_init()") moved initialization of high_memory after the call
to dma_contiguous_reserve() -> __cma_declare_contiguous_nid() on several
architectures.
In the case CONFIG_HIGHMEM is enabled, some architectures that actually
support HIGHMEM (arm, powerpc and x86) have initialization of high_memory
before a possible call to __cma_declare_contiguous_nid() and some
initialized high_memory late anyway (arc, csky, microblaze, mips, sparc,
xtensa) even before the commit e120d1bc12 so they are fine with using
uninitialized value of high_memory.
And in the case CONFIG_HIGHMEM is disabled high_memory essentially becomes
the first address after memory end, so instead of relying on high_memory
to calculate highmem_start use memblock_end_of_DRAM() and eliminate the
dependency of CMA area creation on high_memory in majority of
configurations.
Link: https://lkml.kernel.org/r/20250519171805.1288393-1-rppt@kernel.org
Fixes: e120d1bc12 ("arch, mm: set high_memory in free_area_init()")
Signed-off-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
Reported-by: Pratyush Yadav <ptyadav@amazon.de>
Tested-by: Pratyush Yadav <ptyadav@amazon.de>
Tested-by: Alexandre Ghiti <alexghiti@rivosinc.com>
Reviewed-by: Oscar Salvador <osalvador@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Merge tag 'input-for-v6.15-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
Pull input fixes from Dmitry Torokhov:
- even more Xbox controllers added to xpad driver: Turtle Beach Recon
Wired Controller, Turtle Beach Stealth Ultra, and PowerA Wired
Controller
- a fix to Synaptics RMI driver to not crash if controller reports
unsupported version of F34 (firmware flash) function
* tag 'input-for-v6.15-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
Input: synaptics-rmi - fix crash with unsupported versions of F34
Input: xpad - add more controllers
Merge tag 'spi-fix-v6.15-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi
Pull spi fixes from Mark Brown:
"A few final fixes for v6.15, some driver fixes for the Freescale DSPI
driver pulled over from their vendor code and another instance of the
fixes Greg has been sending throughout the kernel for constification
of the bus_type in driver core match() functions"
* tag 'spi-fix-v6.15-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
spi: spi-fsl-dspi: Reset SR flags before sending a new message
spi: spi-fsl-dspi: Halt the module after a new message transfer
spi: spi-fsl-dspi: restrict register range for regmap access
spi: use container_of_cont() for to_spi_device()
Merge tag 'drm-fixes-2025-05-24' of https://gitlab.freedesktop.org/drm/kernel
Pull drm fixes from Dave Airlie:
"Weekly drm fixes pull, on target to be quiet, just one amdgpu, one
edid and a few minor xe fixes.
edid:
- fix HDR metadata reset
amdgpu:
- Hibernate fix
xe:
- Make sure to check all forcewakes when dumping mocs
- Fix wrong use of read64 on 32b register
- Synchronize Panther Lake PCI IDs"
* tag 'drm-fixes-2025-05-24' of https://gitlab.freedesktop.org/drm/kernel:
drm/xe/ptl: Update the PTL pci id table
drm/xe: Use xe_mmio_read32() to read mtcfg register
drm/xe/mocs: Check if all domains awake
Revert "drm/amd: Keep display off while going into S4"
drm/edid: fixed the bug that hdr metadata was not reset
Merge tag 'drm-xe-fixes-2025-05-23' of https://gitlab.freedesktop.org/drm/xe/kernel into drm-fixes
Driver Changes:
- Make sure to check all forcewakes when dumping mocs
- Fix wrong use of read64 on 32b register
- Synchronize Panther Lake PCI IDs
Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Lucas De Marchi <lucas.demarchi@intel.com>
Link: https://lore.kernel.org/r/uixp5cq7emz32lmwwvq4vbujppugfozhyj3cm2aqzx4lcg7ivn@m2khvf4kvz5p
Fix a coding mistake in the x86_pkg_temp_thermal Intel thermal driver
coming from an incorrect conflict resolution during a merge (Zhang Rui).
Merge tag 'thermal-6.15-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
Pull thermal control fix from Rafael Wysocki:
"This fixes a coding mistake in the x86_pkg_temp_thermal Intel thermal
driver that was introduced by an incorrect conflict resolution during
a merge (Zhang Rui)"
* tag 'thermal-6.15-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
thermal: intel: x86_pkg_temp_thermal: Fix bogus trip temperature
Merge tag 'v6.15-rc8-ksmbd-server-fixes' of git://git.samba.org/ksmbd
Pull smb server fixes from Steve French:
- Fix for rename regression due to the recent VFS lookup changes
- Fix write failure
- locking fix for oplock handling
* tag 'v6.15-rc8-ksmbd-server-fixes' of git://git.samba.org/ksmbd:
ksmbd: use list_first_entry_or_null for opinfo_get_list()
ksmbd: fix rename failure
ksmbd: fix stream write failure
Merge tag 'soc-fixes-6.15-3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
Pull SoC fixes from Arnd Bergmann:
"A few last minute fixes:
- two driver fixes for samsung/google platforms, both addressing
mistakes in changes from the 6.15 merge window
- a revert for an allwinner devicetree change that caused problems
- a fix for an older regression with the LEDs on Marvell Armada 3720
- a defconfig change to enable chacha20 again after a crypto
subsystem change in 6.15 inadvertently turned it off"
* tag 'soc-fixes-6.15-3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc:
arm64: defconfig: Ensure CRYPTO_CHACHA20_NEON is selected
arm64: dts: marvell: uDPU: define pinctrl state for alarm LEDs
Revert "arm64: dts: allwinner: h6: Use RSB for AXP805 PMIC connection"
soc: samsung: usi: prevent wrong bits inversion during unconfiguring
firmware: exynos-acpm: check saved RX before bailing out on empty RX queue
Merge tag 'vfs-6.15-rc8.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs
Pull vfs fixes from Christian Brauner:
"This contains a small set of fixes for the blocking buffer lookup
conversion done earlier this cycle.
It adds a missing conversion in the getblk slowpath and a few minor
optimizations and cleanups"
* tag 'vfs-6.15-rc8.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs:
fs/buffer: optimize discard_buffer()
fs/buffer: remove superfluous statements
fs/buffer: avoid redundant lookup in getblk slowpath
fs/buffer: use sleeping lookup in __getblk_slowpath()
The ARL requires that the GMA and NPU devices both be in D3Hot in order
for PC10 and S0iX to be achieved in S2idle. The original ARL-H/U addition
to the intel_pmc_core driver attempted to do this by switching them to D3
in the init and resume calls of the intel_pmc_core driver.
The problem is the ARL-H/U have a different NPU device and thus are not
being properly set and thus S0iX does not work properly in ARL-H/U. This
patch creates a new ARL-H specific device id that is correct and also
adds the D3 fixup to the suspend callback. This way if the PCI devices
drop from D3 to D0 after resume they can be corrected for the next
suspend. Thus there is no dropout in S0iX.
Fixes: bd820906ea ("platform/x86/intel/pmc: Add Arrow Lake U/H support to intel_pmc_core driver")
Signed-off-by: Todd Brandt <todd.e.brandt@intel.com>
Link: https://lore.kernel.org/r/a61f78be45c13f39e122dcc684b636f4b21e79a0.1747737446.git.todd.e.brandt@intel.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Update to current bspec table.
Bspec: 72574
Signed-off-by: Matt Atwood <matthew.s.atwood@intel.com>
Reviewed-by: Tejas Upadhyay <tejas.upadhyay@intel.com>
Reviewed-by: Clint Taylor <Clinton.A.Taylor@intel.com>
Link: https://lore.kernel.org/r/20250520195749.371748-1-matthew.s.atwood@intel.com
Signed-off-by: Matt Roper <matthew.d.roper@intel.com>
(cherry picked from commit 49c6dc74b5)
Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
The mtcfg register is a 32-bit register and should therefore be
accessed using xe_mmio_read32().
Other 3 changes per codestyle suggestion:
"
xe_mmio.c:83: CHECK: Alignment should match open parenthesis
xe_mmio.c:131: CHECK: Comparison to NULL could be written "!xe->mmio.regs"
xe_mmio.c:315: CHECK: line length of 103 exceeds 100 columns
"
Fixes: dd08ebf6c3 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
Reviewed-by: Tejas Upadhyay <tejas.upadhyay@intel.com>
Cc: Matt Roper <matthew.d.roper@intel.com>
Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
Link: https://lore.kernel.org/r/20250513153010.3464767-1-shuicheng.lin@intel.com
Signed-off-by: Matt Roper <matthew.d.roper@intel.com>
(cherry picked from commit d2662cf8f4)
Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
Merge tag 'bcachefs-2025-05-22' of git://evilpiepirate.org/bcachefs
Pull bcachefs fixes from Kent Overstreet:
"Small stuff, main ones users will be interested in:
- Couple more casefolding fixes; we can now detect and repair
casefolded dirents in non-casefolded dir and vice versa
- Fix for massive write inflation with mmapped io, which hit certain
databases"
* tag 'bcachefs-2025-05-22' of git://evilpiepirate.org/bcachefs:
bcachefs: Check for casefolded dirents in non casefolded dirs
bcachefs: Fix bch2_dirent_create_snapshot() for casefolding
bcachefs: Fix casefold opt via xattr interface
bcachefs: mkwrite() now only dirties one page
bcachefs: fix extent_has_stripe_ptr()
bcachefs: Fix bch2_btree_path_traverse_cached() when paths realloced
Merge tag 'block-6.15-20250522' of git://git.kernel.dk/linux
Pull block fixes from Jens Axboe:
- Fix for a regression with setting up loop on a file system
without ->write_iter()
- Fix for an nvme sysfs regression
* tag 'block-6.15-20250522' of git://git.kernel.dk/linux:
nvme: avoid creating multipath sysfs group under namespace path devices
loop: don't require ->write_iter for writable files in loop_configure
Merge tag 'io_uring-6.15-20250522' of git://git.kernel.dk/linux
Pull io_uring fixes from Jens Axboe:
- Kill a duplicate function definition, which can cause linking issues
in certain .config configurations. Introduced in this cycle.
- Fix for a potential overflow CQE reordering issue if a re-schedule is
done during posting. Heading to stable.
- Fix for an issue with recv bundles, where certain conditions can lead
to gaps in the buffers, where a contiguous buffer range was expected.
Heading to stable.
* tag 'io_uring-6.15-20250522' of git://git.kernel.dk/linux:
io_uring/net: only retry recv bundle for a full transfer
io_uring: fix overflow resched cqe reordering
io_uring/cmd: axe duplicate io_uring_cmd_import_fixed_vec() declaration
Merge tag '6.15-rc8-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6
Pull smb client fixes from Steve French:
- Two fixes for use after free in readdir code paths
* tag '6.15-rc8-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6:
smb: client: Reset all search buffer pointers when releasing buffer
smb: client: Fix use-after-free in cifs_fill_dirent
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Merge tag 'net-6.15-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
Pull networking fixes from Paolo Abeni:
"This is somewhat larger than what I hoped for, with a few PRs from
subsystems and follow-ups for the recent netdev locking changes,
anyhow there are no known pending regressions.
Including fixes from bluetooth, ipsec and CAN.
Current release - regressions:
- eth: team: grab team lock during team_change_rx_flags
- eth: bnxt_en: fix netdev locking in ULP IRQ functions
Current release - new code bugs:
- xfrm: ipcomp: fix truesize computation on receive
- eth: airoha: fix page recycling in airoha_qdma_rx_process()
Previous releases - regressions:
- sched: hfsc: fix qlen accounting bug when using peek in
hfsc_enqueue()
- mr: consolidate the ipmr_can_free_table() checks.
- bridge: netfilter: fix forwarding of fragmented packets
- xsk: bring back busy polling support in XDP_COPY
- can:
- add missing rcu read protection for procfs content
- kvaser_pciefd: force IRQ edge in case of nested IRQ
Previous releases - always broken:
- xfrm: espintcp: remove encap socket caching to avoid reference leak
- bluetooth: use skb_pull to avoid unsafe access in QCA dump handling
- eth: idpf:
- fix null-ptr-deref in idpf_features_check
- fix idpf_vport_splitq_napi_poll()
- eth: hibmcge: fix wrong ndo.open() after reset fail issue"
* tag 'net-6.15-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (40 commits)
octeontx2-af: Fix APR entry mapping based on APR_LMT_CFG
octeontx2-af: Set LMT_ENA bit for APR table entries
net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done
octeontx2-pf: Avoid adding dcbnl_ops for LBK and SDP vf
selftests/tc-testing: Add an HFSC qlen accounting test
sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()
idpf: fix idpf_vport_splitq_napi_poll()
net: hibmcge: fix wrong ndo.open() after reset fail issue.
net: hibmcge: fix incorrect statistics update issue
xsk: Bring back busy polling support in XDP_COPY
can: slcan: allow reception of short error messages
net: lan743x: Restore SGMII CTRL register on resume
bnxt_en: Fix netdev locking in ULP IRQ functions
MAINTAINERS: Drop myself to reviewer for ravb driver
net: dwmac-sun8i: Use parsed internal PHY address instead of 1
net: ethernet: ti: am65-cpsw: Lower random mac address error print to info
can: kvaser_pciefd: Continue parsing DMA buf after dropped RX
can: kvaser_pciefd: Fix echo_skb race
can: kvaser_pciefd: Force IRQ edge in case of nested IRQ
idpf: fix null-ptr-deref in idpf_features_check
...
portions when using hogs.
First patch hits into the gpiolib making gpiochip_line_is_valid()
NULL-tolerant.
Second patch fixes the actual problem.
Merge tag 'pinctrl-v6.15-4' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
Pull pin control fixes from Linus Walleij:
"This deals with a crash in the Qualcomm pin controller GPIO
parts when using hogs.
The first patch to gpiolib makes gpiochip_line_is_valid()
NULL-tolerant.
The second patch fixes the actual problem"
* tag 'pinctrl-v6.15-4' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
pinctrl: qcom: switch to devm_register_sys_off_handler()
gpiolib: don't crash on enabling GPIO HOG pins
Merge tag 'sound-6.15' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
Pull sound fixes from Takashi Iwai:
"A collection of small fixes for 6.15 final. It became slightly a
higher amount than expected, but all look easy and safe to apply:
- A fix for PCM core race spotted by fuzzing
- ASoC topology fix for single DAI link
- UAF fix for ASoC SOF Intel HD-audio at reloading
- ASoC SOF Intel and Mediatek fixes
- Trivial HD-audio quirks as usual"
* tag 'sound-6.15' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
ALSA: hda/realtek - Add new HP ZBook laptop with micmute led fixup
ALSA: hda/realtek: Add support for HP Agusta using CS35L41 HDA
ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14ASP10
ALSA: hda/realtek - restore auto-mute mode for Dell Chrome platform
ALSA: pcm: Fix race of buffer access at PCM OSS layer
ASoC: SOF: Intel: hda: Fix UAF when reloading module
ASoc: SOF: topology: connect DAI to a single DAI link
ASoC: SOF: Intel: hda-bus: Use PIO mode on ACE2+ platforms
ASoC: SOF: ipc4-pcm: Delay reporting is only supported for playback direction
ASoC: SOF: ipc4-control: Use SOF_CTRL_CMD_BINARY as numid for bytes_ext
ASoC: mediatek: mt8188-mt6359: Depend on MT6359_ACCDET set or disabled
ASoC: mediatek: mt8188-mt6359: select CONFIG_SND_SOC_MT6359_ACCDET
Merge tag 'nvme-6.15-2025-05-22' of git://git.infradead.org/nvme into block-6.15
Pull NVMe fix from Christoph:
"nvme fixes for Linux 6.15
- do not create the newly added multipath sysfs group for
non-multipath nodes (Nilay Shroff)"
* tag 'nvme-6.15-2025-05-22' of git://git.infradead.org/nvme:
nvme: avoid creating multipath sysfs group under namespace path devices
If, in a previous transfer, the controller sends more data than expected
by the DSPI target, SR.RFDF (RX FIFO is not empty) will remain asserted.
When flushing the FIFOs at the beginning of a new transfer (writing 1
into MCR.CLR_TXF and MCR.CLR_RXF), SR.RFDF should also be cleared.
Otherwise, when running in target mode with DMA, if SR.RFDF remains
asserted, the DMA callback will be fired before the controller sends any
data.
Take this opportunity to reset all Status Register fields.
Fixes: 5ce3cc5674 ("spi: spi-fsl-dspi: Provide support for DSPI slave mode operation (Vybryd vf610)")
Signed-off-by: Larisa Grigore <larisa.grigore@nxp.com>
Signed-off-by: James Clark <james.clark@linaro.org>
Link: https://patch.msgid.link/20250522-james-nxp-spi-v2-3-bea884630cfb@linaro.org
Signed-off-by: Mark Brown <broonie@kernel.org>
The XSPI mode implementation in this driver still uses the EOQ flag to
signal the last word in a transmission and deassert the PCS signal.
However, at speeds lower than ~200kHZ, the PCS signal seems to remain
asserted even when SR[EOQF] = 1 indicates the end of a transmission.
This is a problem for target devices which require the deassertion of
the PCS signal between transfers.
Hence, this commit 'forces' the deassertion of the PCS by stopping the
module through MCR[HALT] after completing a new transfer. According to
the reference manual, the module stops or transitions from the Running
state to the Stopped state after the current frame, when any one of the
following conditions exist:
- The value of SR[EOQF] = 1.
- The chip is in Debug mode and the value of MCR[FRZ] = 1.
- The value of MCR[HALT] = 1.
This shouldn't be done if the last transfer in the message has cs_change
set.
Fixes: ea93ed4c18 ("spi: spi-fsl-dspi: Use EOQ for last word in buffer even for XSPI mode")
Signed-off-by: Bogdan-Gabriel Roman <bogdan-gabriel.roman@nxp.com>
Signed-off-by: Larisa Grigore <larisa.grigore@nxp.com>
Signed-off-by: James Clark <james.clark@linaro.org>
Link: https://patch.msgid.link/20250522-james-nxp-spi-v2-2-bea884630cfb@linaro.org
Signed-off-by: Mark Brown <broonie@kernel.org>
DSPI registers are NOT continuous; some registers are reserved, and
accessing them from userspace will trigger an external abort. Add a regmap
register access table to avoid the abort below.
For example on S32G:
# cat /sys/kernel/debug/regmap/401d8000.spi/registers
Internal error: synchronous external abort: 96000210 1 PREEMPT SMP
...
Call trace:
regmap_mmio_read32le+0x24/0x48
regmap_mmio_read+0x48/0x70
_regmap_bus_reg_read+0x38/0x48
_regmap_read+0x68/0x1b0
regmap_read+0x50/0x78
regmap_read_debugfs+0x120/0x338
Fixes: 1acbdeb92c ("spi/fsl-dspi: Convert to use regmap and add big-endian support")
Co-developed-by: Xulin Sun <xulin.sun@windriver.com>
Signed-off-by: Xulin Sun <xulin.sun@windriver.com>
Signed-off-by: Larisa Grigore <larisa.grigore@nxp.com>
Signed-off-by: James Clark <james.clark@linaro.org>
Link: https://patch.msgid.link/20250522-james-nxp-spi-v2-1-bea884630cfb@linaro.org
Signed-off-by: Mark Brown <broonie@kernel.org>
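Added example, not code from the commit or the driver: a userspace model of how a regmap access table keeps a debugfs-style register walk away from reserved offsets. The structure and function names are hypothetical stand-ins and the register layout is constructed, not the real DSPI map; only the decision order follows the kernel's regmap_check_range_table().

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model of the kernel's regmap_range / regmap_access_table. */
struct reg_range { unsigned int min, max; };
struct access_table {
    const struct reg_range *yes; size_t n_yes;  /* explicitly allowed */
    const struct reg_range *no;  size_t n_no;   /* explicitly denied */
};

/* Constructed layout with reserved holes at 0x04 and 0x14-0x28.
 * These offsets are NOT the real DSPI register map. */
#define MODEL_MAX_REG 0x3c
#define MODEL_STRIDE  4
#define MODEL_N_IMPL  3
static const struct reg_range model_implemented[MODEL_N_IMPL] = {
    { 0x00, 0x00 }, { 0x08, 0x10 }, { 0x2c, 0x3c },
};
static const struct access_table model_rd_table = {
    .yes = model_implemented, .n_yes = MODEL_N_IMPL,
};

static bool in_ranges(unsigned int reg, const struct reg_range *r, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (reg >= r[i].min && reg <= r[i].max)
            return true;
    return false;
}

/* Same decision order as regmap_check_range_table(): deny list first,
 * then an empty allow list means "anything", otherwise allow list only. */
static bool reg_allowed(unsigned int reg, const struct access_table *t)
{
    if (!t)
        return true;              /* no table: every offset gets read */
    if (in_ranges(reg, t->no, t->n_no))
        return false;
    if (t->n_yes == 0)
        return true;
    return in_ranges(reg, t->yes, t->n_yes);
}

/* Model bus: touching a reserved offset fails, standing in for the
 * synchronous external abort shown in the commit message. */
static int bus_read(unsigned int reg, unsigned int *val)
{
    if (!in_ranges(reg, model_implemented, MODEL_N_IMPL))
        return -1;
    *val = 0xA5000000u | reg;     /* constructed register content */
    return 0;
}

/* debugfs-style dump: walk 0..max by stride; returns the number of faults
 * and stores the number of successful reads in *n_read. */
static int dump_registers(const struct access_table *t, int *n_read)
{
    int faults = 0;

    *n_read = 0;
    for (unsigned int reg = 0; reg <= MODEL_MAX_REG; reg += MODEL_STRIDE) {
        unsigned int val;

        if (!reg_allowed(reg, t))
            continue;             /* hole is skipped, bus never touched */
        if (bus_read(reg, &val) < 0)
            faults++;
        else
            (*n_read)++;
    }
    return faults;
}

int main(void)
{
    int n, faults;

    faults = dump_registers(NULL, &n);
    printf("no table:   %d faults, %d registers read\n", faults, n);
    faults = dump_registers(&model_rd_table, &n);
    printf("with table: %d faults, %d registers read\n", faults, n);
    return 0;
}
```

On real hardware the first reserved access is fatal; the model counts faults instead so both walks can be compared.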
Some places in the spi core pass in a const pointer to a device and the
default container_of() casts that away, which is not a good idea.
Preserve the proper const attribute by using container_of_const() for
to_spi_device() instead, which is what it was designed for.
Note, this removes the NULL check for a device pointer in the call, but
no one was ever checking for that return value, and a device pointer
should never be NULL overall anyway, so this should be a safe change.
Cc: Mark Brown <broonie@kernel.org>
Fixes: d69d804845 ("driver core: have match() callback in struct bus_type take a const *")
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2025052230-fidgeting-stooge-66f5@gregkh
Signed-off-by: Mark Brown <broonie@kernel.org>
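Added example, not code from the commit: a userspace illustration of the difference between a container_of()-style cast that drops const and a _Generic-based variant that preserves it. The m_ types and macros are hypothetical stand-ins for struct device, struct spi_device and the kernel macros, and __typeof__ is a GCC/Clang extension.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for struct device / struct spi_device. */
struct m_device { int refs; };
struct m_spi_device { int chip_select; struct m_device dev; };

/* Classic container_of: the cast to (type *) silently drops const. */
#define m_container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Const-preserving form: the result type is selected from the argument
 * type, so a const pointer in yields a const pointer out. */
#define m_container_of_const(ptr, type, member)                     \
    _Generic((ptr),                                                 \
        const __typeof__(*(ptr)) *:                                 \
            ((const type *)m_container_of(ptr, type, member)),      \
        default: ((type *)m_container_of(ptr, type, member)))

/* Old style: const in, mutable out, with a NULL check. */
static struct m_spi_device *to_spi_old(const struct m_device *dev)
{
    return dev ? m_container_of(dev, struct m_spi_device, dev) : NULL;
}

/* New style: constness follows the argument; there is no NULL check,
 * so callers must never pass NULL. */
#define to_spi_new(d) m_container_of_const(d, struct m_spi_device, dev)

/* Evaluates to 1 if the expression is a pointer to const, else 0. */
#define IS_CONST_SPI(e) \
    _Generic((e), const struct m_spi_device *: 1, struct m_spi_device *: 0)

static int old_result_is_const(const struct m_device *d)
{
    return IS_CONST_SPI(to_spi_old(d));
}

static int new_result_is_const_for_const_arg(const struct m_device *d)
{
    return IS_CONST_SPI(to_spi_new(d));
}

static int new_result_is_const_for_mutable_arg(struct m_device *d)
{
    return IS_CONST_SPI(to_spi_new(d));
}

static int chip_select_of(const struct m_device *d)
{
    return to_spi_new(d)->chip_select;   /* read-only access still works */
}

int main(void)
{
    struct m_spi_device s = { .chip_select = 3 };

    printf("old, const arg:   const result = %d\n",
           old_result_is_const(&s.dev));
    printf("new, const arg:   const result = %d\n",
           new_result_is_const_for_const_arg(&s.dev));
    printf("new, mutable arg: const result = %d\n",
           new_result_is_const_for_mutable_arg(&s.dev));
    printf("chip_select via const pointer = %d\n", chip_select_of(&s.dev));
    return 0;
}
```

With the const-preserving form, a write through the result of a const argument becomes a compile error instead of a silent modification.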
Merge tag 'linux-can-fixes-for-6.15-20250521' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
Marc Kleine-Budde says:
====================
pull-request: can 2025-05-22
this is a pull request of 4 patches for net/main.
The first 3 patches are by Axel Forsman and fix an ISR race condition
in the kvaser_pciefd driver.
The last patch is by Carlos Sanchez and fixes the reception of short
error messages in the slcan driver.
* tag 'linux-can-fixes-for-6.15-20250521' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can:
can: slcan: allow reception of short error messages
can: kvaser_pciefd: Continue parsing DMA buf after dropped RX
can: kvaser_pciefd: Fix echo_skb race
can: kvaser_pciefd: Force IRQ edge in case of nested IRQ
====================
Link: https://patch.msgid.link/20250522082344.490913-1-mkl@pengutronix.de
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Geetha sowjanya says:
====================
octeontx2-af: APR Mapping Fixes
This patch series includes fixes related to APR (LMT)
mapping and debugfs support.
Changes include:
Patch 1:Set LMT_ENA bit for APR table entries.
Enables the LMT line for each PF/VF by setting
the LMT_ENA bit in the APR_LMT_MAP_ENTRY_S
structure.
Patch-2:Fix APR entry in debugfs
The APR table was previously mapped using a fixed size,
which could lead to incorrect mappings when the number
of PFs and VFs differed from the assumed value.
This patch updates the logic to calculate the APR table
size dynamically, based on values from the APR_LMT_CFG
register, ensuring correct representation in debugfs.
====================
Link: https://patch.msgid.link/20250521060834.19780-1-gakula@marvell.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
The current implementation maps the APR table using a fixed size,
which can lead to incorrect mapping when the number of PFs and VFs
varies.
This patch corrects the mapping by calculating the APR table
size dynamically based on the values configured in the
APR_LMT_CFG register, ensuring accurate representation
of APR entries in debugfs.
Fixes: 0daa55d033 ("octeontx2-af: cn10k: debugfs for dumping LMTST map table").
Signed-off-by: Geetha sowjanya <gakula@marvell.com>
Link: https://patch.msgid.link/20250521060834.19780-3-gakula@marvell.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
This patch enables the LMT line for a PF/VF by setting the
LMT_ENA bit in the APR_LMT_MAP_ENTRY_S structure.
Additionally, it simplifies the logic for calculating the
LMTST table index by consistently using the maximum
number of hw supported VFs (i.e., 256).
Fixes: 873a1e3d20 ("octeontx2-af: cn10k: Setting up lmtst map table").
Signed-off-by: Subbaraya Sundeep <sbhatta@marvell.com>
Signed-off-by: Geetha sowjanya <gakula@marvell.com>
Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
Link: https://patch.msgid.link/20250521060834.19780-2-gakula@marvell.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Merge tag 'ipsec-2025-05-21' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec
Steffen Klassert says:
====================
pull request (net): ipsec 2025-05-21
1) Fix some missing kfree_skb in the error paths of espintcp.
From Sabrina Dubroca.
2) Fix a reference leak in espintcp.
From Sabrina Dubroca.
3) Fix UDP GRO handling for ESPINUDP.
From Tobias Brunner.
4) Fix ipcomp truesize computation on the receive path.
From Sabrina Dubroca.
5) Sanitize marks before policy/state insertion.
From Paul Chaignon.
* tag 'ipsec-2025-05-21' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec:
xfrm: Sanitize marks before insert
xfrm: ipcomp: fix truesize computation on receive
xfrm: Fix UDP GRO handling for some corner cases
espintcp: remove encap socket caching to avoid reference leak
espintcp: fix skb leaks
====================
Link: https://patch.msgid.link/20250521054348.4057269-1-steffen.klassert@secunet.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Syzbot reported a slab-use-after-free with the following call trace:
==================================================================
BUG: KASAN: slab-use-after-free in tipc_aead_encrypt_done+0x4bd/0x510 net/tipc/crypto.c:840
Read of size 8 at addr ffff88807a733000 by task kworker/1:0/25
Call Trace:
kasan_report+0xd9/0x110 mm/kasan/report.c:601
tipc_aead_encrypt_done+0x4bd/0x510 net/tipc/crypto.c:840
crypto_request_complete include/crypto/algapi.h:266
aead_request_complete include/crypto/internal/aead.h:85
cryptd_aead_crypt+0x3b8/0x750 crypto/cryptd.c:772
crypto_request_complete include/crypto/algapi.h:266
cryptd_queue_worker+0x131/0x200 crypto/cryptd.c:181
process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231
Allocated by task 8355:
kzalloc_noprof include/linux/slab.h:778
tipc_crypto_start+0xcc/0x9e0 net/tipc/crypto.c:1466
tipc_init_net+0x2dd/0x430 net/tipc/core.c:72
ops_init+0xb9/0x650 net/core/net_namespace.c:139
setup_net+0x435/0xb40 net/core/net_namespace.c:343
copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508
create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110
unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:228
ksys_unshare+0x419/0x970 kernel/fork.c:3323
__do_sys_unshare kernel/fork.c:3394
Freed by task 63:
kfree+0x12a/0x3b0 mm/slub.c:4557
tipc_crypto_stop+0x23c/0x500 net/tipc/crypto.c:1539
tipc_exit_net+0x8c/0x110 net/tipc/core.c:119
ops_exit_list+0xb0/0x180 net/core/net_namespace.c:173
cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640
process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231
After the tipc_crypto tx is freed by deleting the namespace,
tipc_aead_encrypt_done may still visit it in the cryptd_queue_worker workqueue.
I reproduce this issue by:
ip netns add ns1
ip link add veth1 type veth peer name veth2
ip link set veth1 netns ns1
ip netns exec ns1 tipc bearer enable media eth dev veth1
ip netns exec ns1 tipc node set key this_is_a_master_key master
ip netns exec ns1 tipc bearer disable media eth dev veth1
ip netns del ns1
The key to reproduction is that simd_aead_encrypt is interrupted, leading
crypto_simd_usable() to return false. Thus, the cryptd_queue_worker is
triggered, and the tipc_crypto tx will be visited.
tipc_disc_timeout
tipc_bearer_xmit_skb
tipc_crypto_xmit
tipc_aead_encrypt
crypto_aead_encrypt
// encrypt()
simd_aead_encrypt
// crypto_simd_usable() is false
child = &ctx->cryptd_tfm->base;
simd_aead_encrypt
crypto_aead_encrypt
// encrypt()
cryptd_aead_encrypt_enqueue
cryptd_aead_enqueue
cryptd_enqueue_request
// trigger cryptd_queue_worker
queue_work_on(smp_processor_id(), cryptd_wq, &cpu_queue->work)
Fix this by holding net reference count before encrypt.
Reported-by: syzbot+55c12726619ff85ce1f6@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=55c12726619ff85ce1f6
Fixes: fc1b6d6de2 ("tipc: introduce TIPC encryption & authentication")
Signed-off-by: Wang Liang <wangliang74@huawei.com>
Link: https://patch.msgid.link/20250520101404.1341730-1-wangliang74@huawei.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
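Added example, not code from the commit or the kernel tree: a userspace model of the lifetime rule behind the tipc fix above, where a deferred completion runs after namespace teardown unless the submitter holds a reference. All names are hypothetical, and a flag stands in for kfree() so the stale access can be observed without real undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model: none of these names are kernel symbols. */
struct model_net {
    int  refcnt;     /* references keeping the namespace state alive */
    bool tx_freed;   /* stands in for kfree() of the per-net crypto tx */
    int  tx_stats;   /* field the completion callback touches */
};

struct model_req {
    struct model_net *net;
    bool holds_ref;  /* did the submit path pin the namespace? */
    bool pending;
};

/* Drop one reference; teardown runs only when the last one goes away. */
static void net_put(struct model_net *net)
{
    if (--net->refcnt == 0)
        net->tx_freed = true;
}

/* Submit path: the request is handed to a deferred worker. With take_ref
 * set, the namespace is pinned until the completion has run. */
static void encrypt_submit(struct model_req *req, struct model_net *net,
                           bool take_ref)
{
    req->net = net;
    req->holds_ref = take_ref;
    req->pending = true;
    if (take_ref)
        net->refcnt++;
}

/* Deferred worker running the completion callback. Returns true when
 * the callback found the tx state already freed (the KASAN case). */
static bool worker_run(struct model_req *req)
{
    bool stale;

    if (!req->pending)
        return false;
    req->pending = false;

    stale = req->net->tx_freed;
    if (!stale)
        req->net->tx_stats++;     /* safe: state is still alive */
    if (req->holds_ref)
        net_put(req->net);        /* release the pin taken at submit */
    return stale;
}

/* One full ordering: submit, delete the namespace, then the worker runs.
 * Returns whether the completion saw freed state. */
static bool scenario_stale_access(bool take_ref, bool *freed_at_end)
{
    struct model_net net = { .refcnt = 1 };
    struct model_req req = { 0 };
    bool stale;

    encrypt_submit(&req, &net, take_ref);
    net_put(&net);                /* namespace deletion drops its own ref */
    stale = worker_run(&req);
    *freed_at_end = net.tx_freed;
    return stale;
}

int main(void)
{
    bool freed, stale;

    stale = scenario_stale_access(false, &freed);
    printf("no ref held: stale access = %d, freed at end = %d\n",
           stale, freed);
    stale = scenario_stale_access(true, &freed);
    printf("ref held:    stale access = %d, freed at end = %d\n",
           stale, freed);
    return 0;
}
```

In both orderings the state ends up freed; holding the reference only moves the teardown to after the completion has finished with it.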
Priority flow control is not supported for LBK and SDP vf. This patch
adds support to not add dcbnl_ops for LBK and SDP vf.
Fixes: 8e67558177 ("octeontx2-pf: PFC config support with DCBx")
Signed-off-by: Suman Ghosh <sumang@marvell.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250519072658.2960851-1-sumang@marvell.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>