commit 7dc732d24ff75bae3740d2876b634c0158c79cad
Author: Greg Kroah-Hartman
Date: Thu Jan 2 10:30:56 2025 +0100
Linux 6.1.123
Link: https://lore.kernel.org/r/[email protected]
Tested-by: Florian Fainelli
Tested-by: Salvatore Bonaccorso
Tested-by: Pavel Machek (CIP)
Tested-by: Shuah Khan
Tested-by: kernelci.org bot
Tested-by: Linux Kernel Functional Testing
Tested-by: Hardik Garg
Tested-by: Ron Economos
Signed-off-by: Greg Kroah-Hartman
commit 1599e0fa15ef5b0b9856d02655a81539d1e5f78c
Author: Colin Ian King
Date: Thu Dec 5 10:28:33 2024 +0000
ALSA: hda/realtek: Fix spelling mistake "Firelfy" -> "Firefly"
commit 20c3b3e5f2641eff3d85f33e6a468ac052b169bd upstream.
There is a spelling mistake in a literal string in the alc269_fixup_tbl
quirk table. Fix it.
Fixes: 0d08f0eec961 ("ALSA: hda/realtek: fix micmute LEDs don't work on HP Laptops")
Signed-off-by: Colin Ian King
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman
commit acddb87620142f38fda834cd1ec661512ca59241
Author: Greg Kroah-Hartman
Date: Mon Dec 30 15:47:08 2024 +0100
Revert "rcu-tasks: Fix access non-existent percpu rtpcp variable in rcu_tasks_need_gpcb()"
This reverts commit 224fd631c41b81697aa622d38615bfbf446b91cf which is
commit fd70e9f1d85f5323096ad313ba73f5fe3d15ea41 upstream.
It is reported to cause problems in testing, so revert it for now.
Link: https://lore.kernel.org/r/20241216-comic-handling-3bcf108cc465@wendy
Reported-by: Conor Dooley
CC: Zhixu Liu
Cc: Zqiang
Cc: Neeraj Upadhyay
Cc: Sasha Levin
Cc: Xiangyu Chen
Signed-off-by: Greg Kroah-Hartman
commit 36775f42e039b01d4abe8998bf66771a37d3cdcc
Author: Yang Erkun
Date: Mon Oct 21 16:25:40 2024 +0800
nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net
commit d5ff2fb2e7167e9483846e34148e60c0c016a1f6 upstream.
In the normal case, when we execute `echo 0 > /proc/fs/nfsd/threads`, the
function `nfs4_state_destroy_net` in `nfs4_state_shutdown_net` will
release all resources related to the hashed `nfs4_client`. If the
`nfsd_client_shrinker` is running concurrently, the `expire_client`
function will first unhash this client and then destroy it. This can
lead to the following warning. Additionally, numerous use-after-free
errors may occur as well.
nfsd_client_shrinker         echo 0 > /proc/fs/nfsd/threads
expire_client                nfsd_shutdown_net
  unhash_client                ...
                               nfs4_state_shutdown_net
                                 /* won't wait shrinker exit */
  /*                             cancel_work(&nn->nfsd_shrinker_work)
   * nfsd_file for this          /* won't destroy unhashed client1 */
   * client1 still alive         nfs4_state_destroy_net
   */
                               nfsd_file_cache_shutdown
                                 /* trigger warning */
                                 kmem_cache_destroy(nfsd_file_slab)
                                 kmem_cache_destroy(nfsd_file_mark_slab)
  /* release nfsd_file and mark */
  __destroy_client
====================================================================
BUG nfsd_file (Not tainted): Objects remaining in nfsd_file on
__kmem_cache_shutdown()
--------------------------------------------------------------------
CPU: 4 UID: 0 PID: 764 Comm: sh Not tainted 6.12.0-rc3+ #1
dump_stack_lvl+0x53/0x70
slab_err+0xb0/0xf0
__kmem_cache_shutdown+0x15c/0x310
kmem_cache_destroy+0x66/0x160
nfsd_file_cache_shutdown+0xac/0x210 [nfsd]
nfsd_destroy_serv+0x251/0x2a0 [nfsd]
nfsd_svc+0x125/0x1e0 [nfsd]
write_threads+0x16a/0x2a0 [nfsd]
nfsctl_transaction_write+0x74/0xa0 [nfsd]
vfs_write+0x1a5/0x6d0
ksys_write+0xc1/0x160
do_syscall_64+0x5f/0x170
entry_SYSCALL_64_after_hwframe+0x76/0x7e
====================================================================
BUG nfsd_file_mark (Tainted: G B W ): Objects remaining
nfsd_file_mark on __kmem_cache_shutdown()
--------------------------------------------------------------------
dump_stack_lvl+0x53/0x70
slab_err+0xb0/0xf0
__kmem_cache_shutdown+0x15c/0x310
kmem_cache_destroy+0x66/0x160
nfsd_file_cache_shutdown+0xc8/0x210 [nfsd]
nfsd_destroy_serv+0x251/0x2a0 [nfsd]
nfsd_svc+0x125/0x1e0 [nfsd]
write_threads+0x16a/0x2a0 [nfsd]
nfsctl_transaction_write+0x74/0xa0 [nfsd]
vfs_write+0x1a5/0x6d0
ksys_write+0xc1/0x160
do_syscall_64+0x5f/0x170
entry_SYSCALL_64_after_hwframe+0x76/0x7e
To resolve this issue, cancel `nfsd_shrinker_work` using synchronous
mode in nfs4_state_shutdown_net.
Fixes: 7c24fa225081 ("NFSD: replace delayed_work with work_struct for nfsd_client_shrinker")
Signed-off-by: Yang Erkun
Reviewed-by: Jeff Layton
Signed-off-by: Chuck Lever
Signed-off-by: Greg Kroah-Hartman
commit 459ef4a242b06ae12b1e70828b6224b2d159d5cc
Author: Qu Wenruo
Date: Wed Dec 18 17:00:56 2024 +1030
btrfs: sysfs: fix direct super block member reads
commit fca432e73db2bec0fdbfbf6d98d3ebcd5388a977 upstream.
The following sysfs entries are reading super block member directly,
which can have a different endian and cause wrong values:
- sys/fs/btrfs//nodesize
- sys/fs/btrfs//sectorsize
- sys/fs/btrfs//clone_alignment
Thankfully those values (nodesize and sectorsize) are always aligned
inside the btrfs_super_block, so it won't trigger unaligned read errors,
just endian problems.
Fix them by using the native cached members instead.
Fixes: df93589a1737 ("btrfs: export more from FS_INFO to sysfs")
CC: [email protected]
Reviewed-by: Naohiro Aota
Reviewed-by: Johannes Thumshirn
Signed-off-by: Qu Wenruo
Reviewed-by: David Sterba
Signed-off-by: David Sterba
Signed-off-by: Greg Kroah-Hartman
commit bb8e287f596b62fac18ed84cc03a9f1752f6b3b8
Author: Filipe Manana
Date: Mon Dec 9 16:43:44 2024 +0000
btrfs: avoid monopolizing a core when activating a swap file
commit 2c8507c63f5498d4ee4af404a8e44ceae4345056 upstream.
During swap activation we iterate over the extents of a file and we can
have many thousands of them, so we can end up in a busy loop monopolizing
a core. Avoid this by doing a voluntary reschedule after processing each
extent.
CC: [email protected] # 5.4+
Reviewed-by: Qu Wenruo
Signed-off-by: Filipe Manana
Signed-off-by: David Sterba
Signed-off-by: Greg Kroah-Hartman
commit 6abbbd8286b6f944eecf3c74444c138590135211
Author: Dimitri Fedrau
Date: Mon Dec 9 11:46:15 2024 +0100
power: supply: gpio-charger: Fix set charge current limits
commit afc6e39e824ad0e44b2af50a97885caec8d213d1 upstream.
Fix set charge current limits for devices which allow to set the lowest
charge current limit to be greater than zero. If requested charge current limit
is below lowest limit, the index equals current_limit_map_size which leads
to accessing memory beyond allocated memory.
Fixes: be2919d8355e ("power: supply: gpio-charger: add charge-current-limit feature")
Cc: [email protected]
Signed-off-by: Dimitri Fedrau
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Sebastian Reichel
Signed-off-by: Greg Kroah-Hartman
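The index overrun described in the gpio-charger commit above, as an added example (not code from the commit or from the driver). The table contents, the function names and the choice to fall back to the smallest limit are assumptions of this example; the table is assumed to be sorted by descending limit.

```c
#include <stddef.h>
#include <stdio.h>

/* One entry of a charge-current-limit table (layout is hypothetical). */
struct limit_mapping {
    unsigned int limit_ua;   /* charge current limit in microamps */
    unsigned int gpio_data;  /* GPIO pattern that selects this limit */
};

/* Constructed sample table, sorted by descending limit. The lowest
 * limit is deliberately greater than zero, which is the case the
 * commit message describes. */
static const struct limit_mapping sample_map[] = {
    { 2000000, 0x3 },
    { 1000000, 0x2 },
    {  500000, 0x1 },
};
#define SAMPLE_MAP_SIZE (sizeof(sample_map) / sizeof(sample_map[0]))

/* Search for the first entry whose limit does not exceed the request.
 * Returns the index the loop stops on WITHOUT dereferencing it, so the
 * caller can observe the failure mode: when the request is below every
 * entry, the loop runs off the end and the result equals `size`. */
static size_t find_limit_index(const struct limit_mapping *map, size_t size,
                               unsigned int requested_ua)
{
    size_t i;

    for (i = 0; i < size; i++) {
        if (map[i].limit_ua <= requested_ua)
            break;
    }
    return i;
}

/* Hardened lookup: validate the index before it is used to read the
 * table. Falling back to the smallest limit is this example's choice
 * (an assumption); rejecting the request would also be bounds-safe.
 * Returns 0 on success, -1 on invalid arguments. */
static int select_limit(const struct limit_mapping *map, size_t size,
                        unsigned int requested_ua,
                        struct limit_mapping *out)
{
    size_t i;

    if (!map || !out || size == 0)
        return -1;

    i = find_limit_index(map, size, requested_ua);
    if (i >= size)
        i = size - 1;   /* index == size would read past the table */

    *out = map[i];
    return 0;
}

int main(void)
{
    /* Constructed requests: above, inside and below the table range. */
    const unsigned int requests[] = { 3000000, 1500000, 100000 };
    size_t n;

    for (n = 0; n < sizeof(requests) / sizeof(requests[0]); n++) {
        struct limit_mapping m;
        size_t raw = find_limit_index(sample_map, SAMPLE_MAP_SIZE,
                                      requests[n]);

        if (select_limit(sample_map, SAMPLE_MAP_SIZE, requests[n], &m))
            return 1;
        printf("request %u uA: raw index %zu%s, selected %u uA\n",
               requests[n], raw,
               raw >= SAMPLE_MAP_SIZE ? " (out of bounds)" : "",
               m.limit_ua);
    }
    return 0;
}
```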
commit 990730ddbdbe28e67b74cd813c659549123fa6bd
Author: Conor Dooley
Date: Wed Dec 18 12:07:42 2024 +0000
i2c: microchip-core: fix "ghost" detections
commit 49e1f0fd0d4cb03a16b8526c4e683e1958f71490 upstream.
Running i2c-detect currently produces an output akin to:
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
00:                         08 -- 0a -- 0c -- 0e --
10: 10 -- 12 -- 14 -- 16 -- UU 19 -- 1b -- 1d -- 1f
20: -- 21 -- 23 -- 25 -- 27 -- 29 -- 2b -- 2d -- 2f
30: -- -- -- -- -- -- -- -- 38 -- 3a -- 3c -- 3e --
40: 40 -- 42 -- 44 -- 46 -- 48 -- 4a -- 4c -- 4e --
50: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
60: 60 -- 62 -- 64 -- 66 -- 68 -- 6a -- 6c -- 6e --
70: 70 -- 72 -- 74 -- 76 --
This happens because for an i2c_msg with a len of 0 the driver will
mark the transmission of the message as a success once the START has
been sent, without waiting for the devices on the bus to respond with an
ACK/NAK. Since i2cdetect seems to run in a tight loop over all addresses
the NAK is treated as part of the next test for the next address.
Delete the fast path that marks a message as complete when idev->msg_len
is zero after sending a START/RESTART since this isn't a valid scenario.
CC: [email protected]
Fixes: 64a6f1c4987e ("i2c: add support for microchip fpga i2c controllers")
Signed-off-by: Conor Dooley
Reviewed-by: Andi Shyti
Link: https://lore.kernel.org/r/20241218-outbid-encounter-b2e78b1cc707@spud
Signed-off-by: Andi Shyti
Signed-off-by: Greg Kroah-Hartman
commit b106ced61235aafdc71eb8225d48957441d94e58
Author: Carlos Song
Date: Wed Dec 18 12:42:38 2024 +0800
i2c: imx: add imx7d compatible string for applying erratum ERR007805
commit e0cec363197e41af870613e8e17b30bf0e3d41b5 upstream.
Compatible string "fsl,imx7d-i2c" does not exist in the i2c-imx driver
compatible string table; as a result, "fsl,imx21-i2c" will be
matched, but it will cause erratum ERR007805 not to be applied in fact.
So add "fsl,imx7d-i2c" compatible string in i2c-imx driver to apply
the erratum ERR007805 (https://www.nxp.com/docs/en/errata/IMX7DS_3N09P.pdf).
"
ERR007805 I2C: When the I2C clock speed is configured for 400 kHz,
the SCL low period violates the I2C spec of 1.3 uS min
Description: When the I2C module is programmed to operate at the
maximum clock speed of 400 kHz (as defined by the I2C spec), the SCL
clock low period violates the I2C spec of 1.3 uS min. The user must
reduce the clock speed to obtain the SCL low time to meet the 1.3us
I2C minimum required. This behavior means the SoC is not compliant
to the I2C spec at 400kHz.
Workaround: To meet the clock low period requirement in fast speed
mode, SCL must be configured to 384KHz or less.
"
"fsl,imx7d-i2c" already is documented in binding doc. This erratum
fix has been included in imx6_i2c_hwdata and it is the same in all
I.MX6/7/8, so just reuse it.
Fixes: 39c025721d70 ("i2c: imx: Implement errata ERR007805 or e7805 bus frequency limit")
Cc: [email protected] # v5.18+
Signed-off-by: Carlos Song
Signed-off-by: Haibo Chen
Reviewed-by: Frank Li
Fixes: 39c025721d70 ("i2c: imx: Implement errata ERR007805 or e7805 bus frequency limit")
Acked-by: Oleksij Rempel
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Andi Shyti
Signed-off-by: Greg Kroah-Hartman
commit 906fb74685d9aa9ee9b47fc96ac7623125126565
Author: Conor Dooley
Date: Wed Dec 18 12:07:40 2024 +0000
i2c: microchip-core: actually use repeated sends
commit 9a8f9320d67b27ddd7f1ee88d91820197a0e908f upstream.
At present, where repeated sends are intended to be used, the
i2c-microchip-core driver sends a stop followed by a start. Lots of i2c
devices must not malfunction in the face of this behaviour, because the
driver has operated like this for years! Try to keep track of whether or
not a repeated send is required, and suppress sending a stop in these
cases.
CC: [email protected]
Fixes: 64a6f1c4987e ("i2c: add support for microchip fpga i2c controllers")
Signed-off-by: Conor Dooley
Reviewed-by: Andi Shyti
Link: https://lore.kernel.org/r/20241218-football-composure-e56df2461461@spud
Signed-off-by: Andi Shyti
Signed-off-by: Greg Kroah-Hartman
commit 6237331361711810d8f2e3fbfe2f7a6f9548f5e0
Author: Pavel Begunkov
Date: Thu Dec 26 16:49:23 2024 +0000
io_uring/sqpoll: fix sqpoll error handling races
commit e33ac68e5e21ec1292490dfe061e75c0dbdd3bd4 upstream.
BUG: KASAN: slab-use-after-free in __lock_acquire+0x370b/0x4a10 kernel/locking/lockdep.c:5089
Call Trace:
...
_raw_spin_lock_irqsave+0x3d/0x60 kernel/locking/spinlock.c:162
class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline]
try_to_wake_up+0xb5/0x23c0 kernel/sched/core.c:4205
io_sq_thread_park+0xac/0xe0 io_uring/sqpoll.c:55
io_sq_thread_finish+0x6b/0x310 io_uring/sqpoll.c:96
io_sq_offload_create+0x162/0x11d0 io_uring/sqpoll.c:497
io_uring_create io_uring/io_uring.c:3724 [inline]
io_uring_setup+0x1728/0x3230 io_uring/io_uring.c:3806
...
Kun Hu reports that the SQPOLL creating error path has UAF, which
happens if io_uring_alloc_task_context() fails and then io_sq_thread()
manages to run and complete before the rest of error handling code,
which means io_sq_thread_finish() is looking at already killed task.
Note that this is mostly theoretical, requiring fault injection on
the allocation side to trigger in practice.
Cc: [email protected]
Reported-by: Kun Hu
Signed-off-by: Pavel Begunkov
Link: https://lore.kernel.org/r/0f2f1aa5729332612bd01fe0f2f385fd1f06ce7c.1735231717.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe
Signed-off-by: Greg Kroah-Hartman
commit 3d15f4c2449558ffe83b4dba30614ef1cd6937c3
Author: Lizhi Xu
Date: Mon Dec 16 15:32:38 2024 +0800
tracing: Prevent bad count for tracing_cpumask_write
commit 98feccbf32cfdde8c722bc4587aaa60ee5ac33f0 upstream.
If a large count is provided, it will trigger a warning in bitmap_parse_user.
Also check zero for it.
Cc: [email protected]
Fixes: 9e01c1b74c953 ("cpumask: convert kernel trace functions")
Link: https://lore.kernel.org/[email protected]
Reported-by: [email protected]
Closes: https://syzkaller.appspot.com/bug?extid=0aecfd34fb878546f3fd
Tested-by: [email protected]
Signed-off-by: Lizhi Xu
Signed-off-by: Steven Rostedt (Google)
Signed-off-by: Greg Kroah-Hartman
commit f2a16d2ba4a6e7e68ac8910d5ab950d8e921ad6c
Author: Christian Göttsche
Date: Mon Nov 25 11:50:25 2024 +0100
tracing: Constify string literal data member in struct trace_event_call
commit 452f4b31e3f70a52b97890888eeb9eaa9a87139a upstream.
The name member of the struct trace_event_call is assigned with
generated string literals; declare them pointer to read-only.
Reported by clang:
security/landlock/syscalls.c:179:1: warning: initializing 'char *' with an expression of type 'const char[34]' discards qualifiers [-Wincompatible-pointer-types-discards-qualifiers]
179 | SYSCALL_DEFINE3(landlock_create_ruleset,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
180 | const struct landlock_ruleset_attr __user *const, attr,
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
181 | const size_t, size, const __u32, flags)
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./include/linux/syscalls.h:226:36: note: expanded from macro 'SYSCALL_DEFINE3'
226 | #define SYSCALL_DEFINE3(name, ...) SYSCALL_DEFINEx(3, _##name, __VA_ARGS__)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./include/linux/syscalls.h:234:2: note: expanded from macro 'SYSCALL_DEFINEx'
234 | SYSCALL_METADATA(sname, x, __VA_ARGS__) \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./include/linux/syscalls.h:184:2: note: expanded from macro 'SYSCALL_METADATA'
184 | SYSCALL_TRACE_ENTER_EVENT(sname); \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./include/linux/syscalls.h:151:30: note: expanded from macro 'SYSCALL_TRACE_ENTER_EVENT'
151 | .name = "sys_enter"#sname, \
| ^~~~~~~~~~~~~~~~~
Cc: [email protected]
Cc: Masami Hiramatsu
Cc: Mathieu Desnoyers
Cc: Mickaël Salaün
Cc: Günther Noack
Cc: Nathan Chancellor
Cc: Nick Desaulniers
Cc: Bill Wendling
Cc: Justin Stitt
Link: https://lore.kernel.org/[email protected]
Fixes: b77e38aa240c3 ("tracing: add event trace infrastructure")
Signed-off-by: Christian Göttsche
Signed-off-by: Steven Rostedt (Google)
Signed-off-by: Greg Kroah-Hartman
commit 581d8a5ac119b0036836a9c69c0d68d939ec405b
Author: Chen Ridong
Date: Tue Dec 17 00:48:18 2024 +0000
freezer, sched: Report frozen tasks as 'D' instead of 'R'
[ Upstream commit f718faf3940e95d5d34af9041f279f598396ab7d ]
Before commit:
f5d39b020809 ("freezer,sched: Rewrite core freezer logic")
the frozen task stat was reported as 'D' in cgroup v1.
However, after rewriting the core freezer logic, the frozen task stat is
reported as 'R'. This is confusing, especially when a task with stat of
'S' is frozen.
This bug can be reproduced with these steps:
$ cd /sys/fs/cgroup/freezer/
$ mkdir test
$ sleep 1000 &
[1] 739 // task whose stat is 'S'
$ echo 739 > test/cgroup.procs
$ echo FROZEN > test/freezer.state
$ ps -aux | grep 739
root 739 0.1 0.0 8376 1812 pts/0 R 10:56 0:00 sleep 1000
As shown above, a task whose stat is 'S' was changed to 'R' when it was
frozen.
To solve this regression, simply maintain the same reported state as
before the rewrite.
[ mingo: Enhanced the changelog and comments ]
Fixes: f5d39b020809 ("freezer,sched: Rewrite core freezer logic")
Signed-off-by: Chen Ridong
Signed-off-by: Peter Zijlstra (Intel)
Signed-off-by: Ingo Molnar
Acked-by: Tejun Heo
Acked-by: Michal Koutný
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Sasha Levin
commit b0ce4e8fedbd783b110693de311031d7ea04cdda
Author: NeilBrown
Date: Wed Aug 30 09:04:19 2023 +1000
sched/core: Report correct state for TASK_IDLE | TASK_FREEZABLE
[ Upstream commit 0d6b35283bcf1a379cf20066544af8e6a6b16b46 ]
task_state_index() ignores uninteresting state flags (such as
TASK_FREEZABLE) for most states, but for TASK_IDLE and TASK_RTLOCK_WAIT
it does not.
So if a task is waiting TASK_IDLE|TASK_FREEZABLE it gets incorrectly
reported as TASK_UNINTERRUPTIBLE or "D". (it is planned for nfsd to
change to use this state).
Fix this by only testing the interesting bits and not the irrelevant
bits in __task_state_index()
Signed-off-by: NeilBrown
Signed-off-by: Ingo Molnar
Link: https://lore.kernel.org/r/[email protected]
Stable-dep-of: f718faf3940e ("freezer, sched: Report frozen tasks as 'D' instead of 'R'")
Signed-off-by: Sasha Levin
commit da719022a474bc6e9c8688c7c2084c04e58cd36f
Author: Ulf Hansson
Date: Fri Nov 22 14:42:02 2024 +0100
pmdomain: core: Add missing put_device()
[ Upstream commit b8f7bbd1f4ecff6d6277b8c454f62bb0a1c6dbe4 ]
When removing a genpd we don't clean up the genpd->dev correctly. Let's add
the missing put_device() in genpd_free_data() to fix this.
Fixes: 401ea1572de9 ("PM / Domain: Add struct device to genpd")
Cc: [email protected]
Signed-off-by: Ulf Hansson
Message-ID: <[email protected]>
Signed-off-by: Sasha Levin
commit 10d40c46db968f48f538e1508caafcadc769ff7c
Author: Chris Chiu
Date: Mon Dec 2 22:46:59 2024 +0800
ALSA: hda/realtek: fix micmute LEDs don't work on HP Laptops
[ Upstream commit 0d08f0eec961acdb0424a3e2cfb37cfb89154833 ]
These HP laptops use Realtek HDA codec ALC3315 combined CS35L56
Amplifiers. They need the quirk ALC285_FIXUP_HP_GPIO_LED to get
the micmute LED working.
Signed-off-by: Chris Chiu
Reviewed-by: Simon Trimmer
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Takashi Iwai
Signed-off-by: Sasha Levin
commit 8fb5edd2027bbf93fc1e14e1b14d828a68e92db5
Author: Dirk Su
Date: Tue Nov 26 14:05:24 2024 +0800
ALSA: hda/realtek: fix mute/micmute LEDs don't work for EliteBook X G1i
[ Upstream commit 7ba81e4c3aa0ca25f06dc4456e7d36fa8e76385f ]
HP EliteBook X G1i needs ALC285_FIXUP_HP_GPIO_LED quirk to
make mic-mute/audio-mute working.
Signed-off-by: Dirk Su
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Takashi Iwai
Stable-dep-of: 0d08f0eec961 ("ALSA: hda/realtek: fix micmute LEDs don't work on HP Laptops")
Signed-off-by: Sasha Levin
commit 4e8074bb33d18f56af30a0252cb3606d27eb1c13
Author: Hou Tao
Date: Fri Dec 27 14:04:35 2024 +0800
bpf: Check validity of link->type in bpf_link_show_fdinfo()
commit 8421d4c8762bd022cb491f2f0f7019ef51b4f0a7 upstream.
If a newly-added link type doesn't invoke BPF_LINK_TYPE(), accessing
bpf_link_type_strs[link->type] may result in an out-of-bounds access.
To spot such missed invocations early in the future, check the
validity of link->type in bpf_link_show_fdinfo() and emit a warning
when such invocations are missed.
Signed-off-by: Hou Tao
Signed-off-by: Andrii Nakryiko
Link: https://lore.kernel.org/bpf/[email protected]
[ shung-hsi.yu: break up existing seq_printf() call since commit 68b04864ca42
("bpf: Create links for BPF struct_ops maps.") is not present ]
Signed-off-by: Shung-Hsi Yu
Signed-off-by: Sasha Levin
commit db84cb4c8c565e6d4de84b23c2818b63991adfdd
Author: Cosmin Ratiu
Date: Thu Dec 26 15:11:31 2024 +0800
net/mlx5e: Don't call cleanup on profile rollback failure
[ Upstream commit 4dbc1d1a9f39c3711ad2a40addca04d07d9ab5d0 ]
When profile rollback fails in mlx5e_netdev_change_profile, the netdev
profile var is left set to NULL. Avoid a crash when unloading the driver
by not calling profile->cleanup in such a case.
This was encountered while testing, with the original trigger that
the wq rescuer thread creation got interrupted (presumably due to
Ctrl+C-ing modprobe), which gets converted to ENOMEM (-12) by
mlx5e_priv_init, the profile rollback also fails for the same reason
(signal still active) so the profile is left as NULL, leading to a crash
later in _mlx5e_remove.
[ 732.473932] mlx5_core 0000:08:00.1: E-Switch: Unload vfs: mode(OFFLOADS), nvfs(2), necvfs(0), active vports(2)
[ 734.525513] workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
[ 734.557372] mlx5_core 0000:08:00.1: mlx5e_netdev_init_profile:6235:(pid 6086): mlx5e_priv_init failed, err=-12
[ 734.559187] mlx5_core 0000:08:00.1 eth3: mlx5e_netdev_change_profile: new profile init failed, -12
[ 734.560153] workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
[ 734.589378] mlx5_core 0000:08:00.1: mlx5e_netdev_init_profile:6235:(pid 6086): mlx5e_priv_init failed, err=-12
[ 734.591136] mlx5_core 0000:08:00.1 eth3: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12
[ 745.537492] BUG: kernel NULL pointer dereference, address: 0000000000000008
[ 745.538222] #PF: supervisor read access in kernel mode
[ 745.551290] Call Trace:
[ 745.551590]
[ 745.551866] ? __die+0x20/0x60
[ 745.552218] ? page_fault_oops+0x150/0x400
[ 745.555307] ? exc_page_fault+0x79/0x240
[ 745.555729] ? asm_exc_page_fault+0x22/0x30
[ 745.556166] ? mlx5e_remove+0x6b/0xb0 [mlx5_core]
[ 745.556698] auxiliary_bus_remove+0x18/0x30
[ 745.557134] device_release_driver_internal+0x1df/0x240
[ 745.557654] bus_remove_device+0xd7/0x140
[ 745.558075] device_del+0x15b/0x3c0
[ 745.558456] mlx5_rescan_drivers_locked.part.0+0xb1/0x2f0 [mlx5_core]
[ 745.559112] mlx5_unregister_device+0x34/0x50 [mlx5_core]
[ 745.559686] mlx5_uninit_one+0x46/0xf0 [mlx5_core]
[ 745.560203] remove_one+0x4e/0xd0 [mlx5_core]
[ 745.560694] pci_device_remove+0x39/0xa0
[ 745.561112] device_release_driver_internal+0x1df/0x240
[ 745.561631] driver_detach+0x47/0x90
[ 745.562022] bus_remove_driver+0x84/0x100
[ 745.562444] pci_unregister_driver+0x3b/0x90
[ 745.562890] mlx5_cleanup+0xc/0x1b [mlx5_core]
[ 745.563415] __x64_sys_delete_module+0x14d/0x2f0
[ 745.563886] ? kmem_cache_free+0x1b0/0x460
[ 745.564313] ? lockdep_hardirqs_on_prepare+0xe2/0x190
[ 745.564825] do_syscall_64+0x6d/0x140
[ 745.565223] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 745.565725] RIP: 0033:0x7f1579b1288b
Fixes: 3ef14e463f6e ("net/mlx5e: Separate between netdev objects and mlx5e profiles initialization")
Signed-off-by: Cosmin Ratiu
Reviewed-by: Dragos Tatulea
Signed-off-by: Tariq Toukan
Signed-off-by: Paolo Abeni
Signed-off-by: Jianqi Ren
Signed-off-by: Sasha Levin
commit 7b93728274f7698469c92b4d6c64a7eb1617e3a0
Author: Jiaxun Yang
Date: Tue Dec 24 14:22:39 2024 +0800
MIPS: mipsregs: Set proper ISA level for virt extensions
[ Upstream commit a640d6762a7d404644201ebf6d2a078e8dc84f97 ]
c994a3ec7ecc ("MIPS: set mips32r5 for virt extensions") set
some instructions in virt extensions to ISA level mips32r5.
However, TLB related vz instructions were left over; also this
shouldn't be done to a R5 or R6 kernel build.
Reorg macros to set ISA level as needed when _ASM_SET_VIRT
is called.
Signed-off-by: Jiaxun Yang
Signed-off-by: Thomas Bogendoerfer
Signed-off-by: WangYuli
Signed-off-by: Sasha Levin
commit b016bb8f415e1e986cfb4ade659450c72e84c3ff
Author: Jiaxun Yang
Date: Tue Dec 24 14:09:18 2024 +0800
MIPS: Probe toolchain support of -msym32
[ Upstream commit 18ca63a2e23c5e170d2d7552b64b1f5ad019cd9b ]
msym32 is not supported by LLVM toolchain.
Work around by probing toolchain support of msym32 for KBUILD_SYM32
feature.
Link: https://github.com/ClangBuiltLinux/linux/issues/1544
Signed-off-by: Jiaxun Yang
Signed-off-by: Thomas Bogendoerfer
Signed-off-by: WangYuli
Signed-off-by: Sasha Levin
commit 53e049204d291826c76a6eaff521dee65fdc9534
Author: Matthew Wilcox (Oracle)
Date: Mon Dec 23 20:07:29 2024 +0000
vmalloc: fix accounting with i915
[ Upstream commit a2e740e216f5bf49ccb83b6d490c72a340558a43 ]
If the caller of vmap() specifies VM_MAP_PUT_PAGES (currently only the
i915 driver), we will decrement nr_vmalloc_pages and MEMCG_VMALLOC in
vfree(). These counters are incremented by vmalloc() but not by vmap() so
this will cause an underflow. Check the VM_MAP_PUT_PAGES flag before
decrementing either counter.
Link: https://lkml.kernel.org/r/[email protected]
Fixes: b944afc9d64d ("mm: add a VM_MAP_PUT_PAGES flag for vmap")
Signed-off-by: Matthew Wilcox (Oracle)
Acked-by: Johannes Weiner
Reviewed-by: Shakeel Butt
Reviewed-by: Balbir Singh
Acked-by: Michal Hocko
Cc: Christoph Hellwig
Cc: Muchun Song
Cc: Roman Gushchin
Cc: "Uladzislau Rezki (Sony)"
Signed-off-by: Andrew Morton
Signed-off-by: Matthew Wilcox (Oracle)
Signed-off-by: Sasha Levin
commit 45883477b19e7bc90b72265e413d46fab895f2ae
Author: Ming Lei
Date: Fri Dec 6 19:16:06 2024 +0800
blk-mq: register cpuhp callback after hctx is added to xarray table
[ Upstream commit 4bf485a7db5d82ddd0f3ad2b299893199090375e ]
We need to retrieve 'hctx' from xarray table in the cpuhp callback, so the
callback should be registered after this 'hctx' is added to xarray table.
Cc: Reinette Chatre
Cc: Fenghua Yu
Cc: Peter Newman
Cc: Babu Moger
Cc: Luck Tony
Signed-off-by: Ming Lei
Tested-by: Tony Luck
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jens Axboe
Signed-off-by: Sasha Levin
commit 9e323f856cf4963120e0e3892a84ef8bd764a0e4
Author: Ming Lei
Date: Tue Nov 12 20:58:21 2024 +0800
virtio-blk: don't keep queue frozen during system suspend
[ Upstream commit 7678abee0867e6b7fb89aa40f6e9f575f755fb37 ]
Commit 4ce6e2db00de ("virtio-blk: Ensure no requests in virtqueues before
deleting vqs.") replaces queue quiesce with queue freeze in virtio-blk's
PM callbacks. And the motivation is to drain inflight IOs before suspending.
block layer's queue freeze looks very handy, but it is also easy to cause
deadlock, such as, any attempt to call into bio_queue_enter() may run into
deadlock if the queue is frozen in current context. There are all kinds
of ->suspend() called in suspend context, so keeping queue frozen in the
whole suspend context isn't one good idea. And Marek reported lockdep
warning[1] caused by virtio-blk's freeze queue in virtblk_freeze().
[1] https://lore.kernel.org/linux-block/[email protected]/
Given the motivation is to drain in-flight IOs, it can be done by calling
freeze & unfreeze, meantime restore to previous behavior by keeping queue
quiesced during suspend.
Cc: Yi Sun
Cc: Michael S. Tsirkin
Cc: Jason Wang
Cc: Stefan Hajnoczi
Cc: [email protected]
Reported-by: Marek Szyprowski
Signed-off-by: Ming Lei
Acked-by: Stefan Hajnoczi
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jens Axboe
Signed-off-by: Sasha Levin
commit f61b2e5e7821f868d6afc22382a66a30ee780ba0
Author: Imre Deak
Date: Wed Dec 4 15:20:07 2024 +0200
drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req()
[ Upstream commit e54b00086f7473dbda1a7d6fc47720ced157c6a8 ]
While receiving an MST up request message from one thread in
drm_dp_mst_handle_up_req(), the MST topology could be removed from
another thread via drm_dp_mst_topology_mgr_set_mst(false), freeing
mst_primary and setting drm_dp_mst_topology_mgr::mst_primary to NULL.
This could lead to a NULL deref/use-after-free of mst_primary in
drm_dp_mst_handle_up_req().
Avoid the above by holding a reference for mst_primary in
drm_dp_mst_handle_up_req() while it's used.
v2: Fix kfreeing the request if getting an mst_primary reference fails.
Cc: Lyude Paul
Reviewed-by: Lyude Paul (v1)
Signed-off-by: Imre Deak
Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
Signed-off-by: Sasha Levin
commit ade7aeb0da220fc2ae4404d7f1e337377b9bde47
Author: Cathy Avery
Date: Wed Nov 27 13:13:24 2024 -0500
scsi: storvsc: Do not flag MAINTENANCE_IN return of SRB_STATUS_DATA_OVERRUN as an error
[ Upstream commit b1aee7f034615b6824d2c70ddb37ef9fc23493b7 ]
This partially reverts commit 812fe6420a6e ("scsi: storvsc: Handle
additional SRB status values").
HyperV does not support MAINTENANCE_IN resulting in FC passthrough
returning the SRB_STATUS_DATA_OVERRUN value. Now that
SRB_STATUS_DATA_OVERRUN is treated as an error, multipath ALUA paths go
into a faulty state as multipath ALUA submits RTPG commands via
MAINTENANCE_IN.
[ 3.215560] hv_storvsc 1d69d403-9692-4460-89f9-a8cbcc0f94f3:
tag#230 cmd 0xa3 status: scsi 0x0 srb 0x12 hv 0xc0000001
[ 3.215572] scsi 1:0:0:32: alua: rtpg failed, result 458752
Make MAINTENANCE_IN return success to avoid the error path as is
currently done with INQUIRY and MODE_SENSE.
Suggested-by: Michael Kelley
Signed-off-by: Cathy Avery
Link: https://lore.kernel.org/r/[email protected]
Reviewed-by: Michael Kelley
Reviewed-by: Ewan D. Milne
Signed-off-by: Martin K. Petersen
Signed-off-by: Sasha Levin
commit 47c629d393fb3e74e440ea7df5d15443475fd1c4
Author: Ranjan Kumar
Date: Sun Nov 10 23:03:40 2024 +0530
scsi: mpt3sas: Diag-Reset when Doorbell-In-Use bit is set during driver load time
[ Upstream commit 3f5eb062e8aa335643181c480e6c590c6cedfd22 ]
Issue a Diag-Reset when the "Doorbell-In-Use" bit is set during the
driver load/initialization.
Signed-off-by: Ranjan Kumar
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Martin K. Petersen
Signed-off-by: Sasha Levin
commit ba3c90162b0675e81487daf2bf8cb1b6b3f91547
Author: Armin Wolf
Date: Sat Nov 23 23:47:00 2024 +0100
platform/x86: asus-nb-wmi: Ignore unknown event 0xCF
[ Upstream commit e9fba20c29e27dc99e55e1c550573a114561bf8c ]
On the Asus X541UAK an unknown event 0xCF is emitted when the charger
is plugged in. This is caused by the following AML code:
    If (ACPS ())
    {
        ACPF = One
        Local0 = 0x58
        If (ATKP)
        {
            ^^^^ATKD.IANE (0xCF)
        }
    }
    Else
    {
        ACPF = Zero
        Local0 = 0x57
    }
    Notify (AC0, 0x80) // Status Change
    If (ATKP)
    {
        ^^^^ATKD.IANE (Local0)
    }
    Sleep (0x64)
    PNOT ()
    Sleep (0x0A)
    NBAT (0x80)
Ignore the 0xCF event to silence the unknown event warning.
Reported-by: Pau Espin Pedrol
Closes: https://lore.kernel.org/platform-driver-x86/[email protected]
Signed-off-by: Armin Wolf
Reviewed-by: Hans de Goede
Link: https://lore.kernel.org/r/[email protected]
Reviewed-by: Ilpo Järvinen
Signed-off-by: Ilpo Järvinen
Signed-off-by: Sasha Levin
commit 048abad5a8e4a89f1393f3b568b2ccbe1b6eb1e7
Author: Mark Brown
Date: Wed Nov 27 13:35:06 2024 +0000
regmap: Use correct format specifier for logging range errors
[ Upstream commit 3f1aa0c533d9dd8a835caf9a6824449c463ee7e2 ]
The register addresses are unsigned ints so we should use %u not %d to
log them.
Signed-off-by: Mark Brown
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Mark Brown
Signed-off-by: Sasha Levin
commit 2ea605f61e9a94ae5b6a8ddfa23d1e75cbded40a
Author: Brahmajit Das
Date: Tue Nov 26 11:41:35 2024 +0530
smb: server: Fix building with GCC 15
[ Upstream commit e18655cf35a5958fbf4ae9ca3ebf28871a3a1801 ]
GCC 15 introduces -Werror=unterminated-string-initialization by default,
this results in the following build error
fs/smb/server/smb_common.c:21:35: error: initializer-string for array of 'char' is too long [-Werror=unterminated-string-initialization]
21 | static const char basechars[43] = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_-!@#$%";
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
To this we are replacing char basechars[43] with a character pointer
and then using strlen to get the length.
Signed-off-by: Brahmajit Das
Acked-by: Namjae Jeon
Signed-off-by: Steve French
Signed-off-by: Sasha Levin
commit 385c4fdbffa6e8e8c7cda48e0c7f8bf433bde97d
Author: bo liu
Date: Fri Nov 29 09:44:41 2024 +0800
ALSA: hda/conexant: fix Z60MR100 startup pop issue
[ Upstream commit 947c4012f8f03a8bb946beb6e5294d5e32817d67 ]
When the Z60MR100 starts up, the speaker will output a pop. To fix this issue,
we mute the codec by init verbs in the BIOS when the system starts up, and set GPIO
to low to unmute the codec in the codec driver when it is loaded.
[ white space fixes and compile warning fix by tiwai ]
Signed-off-by: bo liu
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Takashi Iwai
Signed-off-by: Sasha Levin
commit edadc693bfcc0f1ea08b8fa041c9361fd042410d
Author: Tomas Henzl
Date: Mon Sep 23 19:48:33 2024 +0200
scsi: megaraid_sas: Fix for a potential deadlock
[ Upstream commit 50740f4dc78b41dec7c8e39772619d5ba841ddd7 ]
This fixes a 'possible circular locking dependency detected' warning
       CPU0                    CPU1
       ----                    ----
  lock(&instance->reset_mutex);
                               lock(&shost->scan_mutex);
                               lock(&instance->reset_mutex);
  lock(&shost->scan_mutex);
Fix this by temporarily releasing the reset_mutex.
Signed-off-by: Tomas Henzl
Link: https://lore.kernel.org/r/[email protected]
Acked-by: Chandrakanth Patil
Signed-off-by: Martin K. Petersen
Signed-off-by: Sasha Levin
commit 7aafb0c40088bdf20768bae0dda35377871a8253
Author: Magnus Lindholm
Date: Wed Nov 13 23:51:49 2024 +0100
scsi: qla1280: Fix hw revision numbering for ISP1020/1040
[ Upstream commit c064de86d2a3909222d5996c5047f64c7a8f791b ]
Fix the hardware revision numbering for Qlogic ISP1020/1040 boards. HWMASK
suggests that the revision number only needs four bits, this is consistent
with how NetBSD does things in their ISP driver. Verified on an ISP1040B
which is seen as rev 5 not as BIT_4.
Signed-off-by: Magnus Lindholm
Link: https://lore.kernel.org/r/[email protected]
Reviewed-by: Christoph Hellwig
Signed-off-by: Martin K. Petersen
Signed-off-by: Sasha Levin
commit e53deb6f425b36622621efbe911ee4f3e8ba1bfc
Author: James Hilliard
Date: Fri Oct 25 00:34:40 2024 -0600
watchdog: it87_wdt: add PWRGD enable quirk for Qotom QCML04
[ Upstream commit 43439076383a7611300334d1357c0f8883f40816 ]
For the watchdog timer to work properly on the QCML04 board we need to
set PWRGD enable in the Environment Controller Configuration Registers
Special Configuration Register 1 when it is not already set, this may
be the case when the watchdog is not enabled from within the BIOS.
Signed-off-by: James Hilliard
Reviewed-by: Guenter Roeck
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Guenter Roeck
Signed-off-by: Wim Van Sebroeck
Signed-off-by: Sasha Levin
commit 83f5ba098aac2f3a85e99c9c3d876b83a9a47c23
Author: Masami Hiramatsu (Google)
Date: Wed Dec 11 09:10:55 2024 +0900
tracing/kprobe: Make trace_kprobe's module callback called after jump_label update
[ Upstream commit d685d55dfc86b1a4bdcec77c3c1f8a83f181264e ]
Make sure the trace_kprobe's module notifier callback function is called
after jump_label's callback is called. Since the trace_kprobe's callback
eventually checks jump_label address during registering new kprobe on
the loading module, jump_label must be updated before this registration
happens.
Link: https://lore.kernel.org/all/173387585556.995044.3157941002975446119.stgit@devnote2/
Fixes: 614243181050 ("tracing/kprobes: Support module init function probing")
Signed-off-by: Masami Hiramatsu (Google)
Signed-off-by: Sasha Levin
commit 7357ad7d1fadf25f8c1eaf175a9d6bd02e853a0b
Author: Alexander Lobakin
Date: Thu Dec 19 14:57:34 2024 +0100
stddef: make __struct_group() UAPI C++-friendly
[ Upstream commit 724c6ce38bbaeb4b3f109b0e066d6c0ecd15446c ]
For the most part of the C++ history, it couldn't have type
declarations inside anonymous unions for different reasons. At the
same time, __struct_group() relies on the latter, so when the @TAG
argument is not empty, C++ code doesn't want to build (even under
`extern "C"`):
../linux/include/uapi/linux/pkt_cls.h:25:24: error:
'struct tc_u32_sel::<unnamed union>::tc_u32_sel_hdr,' invalid;
an anonymous union may only have public non-static data members
[-fpermissive]
The safest way to fix this without trying to switch standards (which
is impossible in UAPI anyway) etc., is to disable tag declaration
for that language. This won't break anything since for now it's not
buildable at all.
Use a separate definition for __struct_group() when __cplusplus is
defined to mitigate the error, including the version from tools/.
Fixes: 50d7bd38c3aa ("stddef: Introduce struct_group() helper macro")
Reported-by: Christopher Ferris
Closes: https://lore.kernel.org/linux-hardening/[email protected]
Suggested-by: Kees Cook # __struct_group_tag()
Signed-off-by: Alexander Lobakin
Reviewed-by: Gustavo A. R. Silva
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Kees Cook
Signed-off-by: Sasha Levin
commit 8b2282b5084521254a2cd9742a3f4e1d5b77f843
Author: Haren Myneni
Date: Fri Dec 13 21:17:58 2024 -0800
powerpc/pseries/vas: Add close() callback in vas_vm_ops struct
[ Upstream commit 05aa156e156ef3168e7ab8a68721945196495c17 ]
The mapping VMA address is saved in VAS window struct when the
paste address is mapped. This VMA address is used during migration
to unmap the paste address if the window is active. The paste
address mapping will be removed when the window is closed or with
the munmap(). But the VMA address in the VAS window is not updated
with munmap() which is causing invalid access during migration.
The KASAN report shows:
[16386.254991] BUG: KASAN: slab-use-after-free in reconfig_close_windows+0x1a0/0x4e8
[16386.255043] Read of size 8 at addr c00000014a819670 by task drmgr/696928
[16386.255096] CPU: 29 UID: 0 PID: 696928 Comm: drmgr Kdump: loaded Tainted: G B 6.11.0-rc5-nxgzip #2
[16386.255128] Tainted: [B]=BAD_PAGE
[16386.255148] Hardware name: IBM,9080-HEX Power11 (architected) 0x820200 0xf000007 of:IBM,FW1110.00 (NH1110_016) hv:phyp pSeries
[16386.255181] Call Trace:
[16386.255202] [c00000016b297660] [c0000000018ad0ac] dump_stack_lvl+0x84/0xe8 (unreliable)
[16386.255246] [c00000016b297690] [c0000000006e8a90] print_report+0x19c/0x764
[16386.255285] [c00000016b297760] [c0000000006e9490] kasan_report+0x128/0x1f8
[16386.255309] [c00000016b297880] [c0000000006eb5c8] __asan_load8+0xac/0xe0
[16386.255326] [c00000016b2978a0] [c00000000013f898] reconfig_close_windows+0x1a0/0x4e8
[16386.255343] [c00000016b297990] [c000000000140e58] vas_migration_handler+0x3a4/0x3fc
[16386.255368] [c00000016b297a90] [c000000000128848] pseries_migrate_partition+0x4c/0x4c4
...
[16386.256136] Allocated by task 696554 on cpu 31 at 16377.277618s:
[16386.256149] kasan_save_stack+0x34/0x68
[16386.256163] kasan_save_track+0x34/0x80
[16386.256175] kasan_save_alloc_info+0x58/0x74
[16386.256196] __kasan_slab_alloc+0xb8/0xdc
[16386.256209] kmem_cache_alloc_noprof+0x200/0x3d0
[16386.256225] vm_area_alloc+0x44/0x150
[16386.256245] mmap_region+0x214/0x10c4
[16386.256265] do_mmap+0x5fc/0x750
[16386.256277] vm_mmap_pgoff+0x14c/0x24c
[16386.256292] ksys_mmap_pgoff+0x20c/0x348
[16386.256303] sys_mmap+0xd0/0x160
...
[16386.256350] Freed by task 0 on cpu 31 at 16386.204848s:
[16386.256363] kasan_save_stack+0x34/0x68
[16386.256374] kasan_save_track+0x34/0x80
[16386.256384] kasan_save_free_info+0x64/0x10c
[16386.256396] __kasan_slab_free+0x120/0x204
[16386.256415] kmem_cache_free+0x128/0x450
[16386.256428] vm_area_free_rcu_cb+0xa8/0xd8
[16386.256441] rcu_do_batch+0x2c8/0xcf0
[16386.256458] rcu_core+0x378/0x3c4
[16386.256473] handle_softirqs+0x20c/0x60c
[16386.256495] do_softirq_own_stack+0x6c/0x88
[16386.256509] do_softirq_own_stack+0x58/0x88
[16386.256521] __irq_exit_rcu+0x1a4/0x20c
[16386.256533] irq_exit+0x20/0x38
[16386.256544] interrupt_async_exit_prepare.constprop.0+0x18/0x2c
...
[16386.256717] Last potentially related work creation:
[16386.256729] kasan_save_stack+0x34/0x68
[16386.256741] __kasan_record_aux_stack+0xcc/0x12c
[16386.256753] __call_rcu_common.constprop.0+0x94/0xd04
[16386.256766] vm_area_free+0x28/0x3c
[16386.256778] remove_vma+0xf4/0x114
[16386.256797] do_vmi_align_munmap.constprop.0+0x684/0x870
[16386.256811] __vm_munmap+0xe0/0x1f8
[16386.256821] sys_munmap+0x54/0x6c
[16386.256830] system_call_exception+0x1a0/0x4a0
[16386.256841] system_call_vectored_common+0x15c/0x2ec
[16386.256868] The buggy address belongs to the object at c00000014a819670
which belongs to the cache vm_area_struct of size 168
[16386.256887] The buggy address is located 0 bytes inside of
freed 168-byte region [c00000014a819670, c00000014a819718)
[16386.256915] The buggy address belongs to the physical page:
[16386.256928] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14a81
[16386.256950] memcg:c0000000ba430001
[16386.256961] anon flags: 0x43ffff800000000(node=4|zone=0|lastcpupid=0x7ffff)
[16386.256975] page_type: 0xfdffffff(slab)
[16386.256990] raw: 043ffff800000000 c00000000501c080 0000000000000000 5deadbee00000001
[16386.257003] raw: 0000000000000000 00000000011a011a 00000001fdffffff c0000000ba430001
[16386.257018] page dumped because: kasan: bad access detected
This patch adds close() callback in vas_vm_ops vm_operations_struct
which will be executed during munmap() before freeing VMA. The VMA
address in the VAS window is set to NULL after holding the window
mmap_mutex.
Fixes: 37e6764895ef ("powerpc/pseries/vas: Add VAS migration handler")
Signed-off-by: Haren Myneni
Signed-off-by: Madhavan Srinivasan
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Sasha Levin
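The stale-pointer pattern this commit fixes, as a userspace C model added here for illustration: it is not part of the commit or the kernel source, and every identifier in it (struct window, win_vma_close, model_*, run_sequence) is hypothetical. It runs mmap, munmap and the migration path with and without a close() callback that clears the cached VMA pointer under the mutex.

```c
#include <pthread.h>
#include <stddef.h>

/* Userspace model; every name below is hypothetical, not the kernel's. */
struct vma { int live; };                 /* stands in for vm_area_struct */
struct vm_ops { void (*close)(struct vma *); };
struct window {
    pthread_mutex_t mmap_mutex;
    struct vma *vma;                      /* cached when the paste address is mapped */
};

static struct vma pool[1];  /* static storage: a stale read is detectable, not UB */
static struct window win = { PTHREAD_MUTEX_INITIALIZER, NULL };

/* The added callback: clear the cached pointer before the VMA goes away. */
static void win_vma_close(struct vma *v)
{
    pthread_mutex_lock(&win.mmap_mutex);
    if (win.vma == v)
        win.vma = NULL;
    pthread_mutex_unlock(&win.mmap_mutex);
}

static const struct vm_ops ops_before = { NULL };          /* no close() */
static const struct vm_ops ops_after  = { win_vma_close }; /* with close() */

/* munmap(): run close() if the ops provide one, then "free" the VMA. */
static void model_munmap(const struct vm_ops *ops)
{
    if (ops->close)
        ops->close(&pool[0]);
    pool[0].live = 0;
}

/* Migration: 0 = nothing cached, 1 = live VMA found, -1 = freed VMA touched. */
static int model_migrate(void)
{
    int ret = 0;
    pthread_mutex_lock(&win.mmap_mutex);
    if (win.vma)
        ret = win.vma->live ? 1 : -1;
    pthread_mutex_unlock(&win.mmap_mutex);
    return ret;
}

/* mmap -> munmap -> migrate, with or without the close() callback. */
int run_sequence(int with_close)
{
    pool[0].live = 1;                     /* mmap: allocate and cache the VMA */
    win.vma = &pool[0];
    model_munmap(with_close ? &ops_after : &ops_before);
    return model_migrate();
}
```

A return of -1 corresponds to the access KASAN flagged in reconfig_close_windows(); with the callback installed the migration path finds no cached VMA and skips the unmap.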
commit 6ea15205d7e2b811fbbdf79783f686f58abfb4b7
Author: Dan Carpenter
Date: Wed Oct 23 11:40:56 2024 +0300
mtd: rawnand: fix double free in atmel_pmecc_create_user()
commit d8e4771f99c0400a1873235704b28bb803c83d17 upstream.
The "user" pointer was converted from being allocated with kzalloc() to
being allocated by devm_kzalloc(). Calling kfree(user) will lead to a
double free.
Fixes: 6d734f1bfc33 ("mtd: rawnand: atmel: Fix possible memory leak")
Signed-off-by: Dan Carpenter
Signed-off-by: Miquel Raynal
Signed-off-by: Greg Kroah-Hartman
commit fdba6d5e455388377ec7e82a5913ddfcc7edd93b
Author: Chen Ridong
Date: Tue Oct 29 08:28:45 2024 +0000
dmaengine: at_xdmac: avoid null_prt_deref in at_xdmac_prep_dma_memset
commit c43ec96e8d34399bd9dab2f2dc316b904892133f upstream.
The at_xdmac_memset_create_desc may return NULL, which will lead to a
null pointer dereference. For example, the len input is in error, or the
atchan->free_descs_list is empty and memory is exhausted. Therefore, add
a check to avoid this.
Fixes: b206d9a23ac7 ("dmaengine: xdmac: Add memset support")
Signed-off-by: Chen Ridong
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Vinod Koul
Signed-off-by: Greg Kroah-Hartman
commit f03e6bb31c83a62ad972777da5e95c239f9747be
Author: Sasha Finkelstein
Date: Sun Nov 24 16:48:28 2024 +0100
dmaengine: apple-admac: Avoid accessing registers in probe
commit 8d55e8a16f019211163f1180fd9f9fbe05901900 upstream.
The ADMAC attached to the AOP has complex power sequencing, and is
power gated when the probe callback runs. Move the register reads
to other functions, where we can guarantee that the hardware is
switched on.
Fixes: 568aa6dd641f ("dmaengine: apple-admac: Allocate cache SRAM to channels")
Signed-off-by: Sasha Finkelstein
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Vinod Koul
Signed-off-by: Greg Kroah-Hartman
commit c2610aba67ed9cd5eac7e50d897dd04504e6a12a
Author: Akhil R
Date: Thu Dec 12 18:14:12 2024 +0530
dmaengine: tegra: Return correct DMA status when paused
commit ebc008699fd95701c9af5ebaeb0793eef81a71d5 upstream.
Currently, the driver does not return the correct DMA status when a DMA
pause is issued by the client drivers. This causes GPCDMA users to
assume that DMA is still running, while in reality, the DMA is paused.
Return DMA_PAUSED for tx_status() if the channel is paused in the middle
of a transfer.
Fixes: ee17028009d4 ("dmaengine: tegra: Add tegra gpcdma driver")
Cc: [email protected]
Signed-off-by: Akhil R
Signed-off-by: Kartik Rajput
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Vinod Koul
Signed-off-by: Greg Kroah-Hartman
commit e1f1aa97183fbd076babf45aefabd5c6042f0729
Author: Andy Shevchenko
Date: Mon Nov 4 11:50:50 2024 +0200
dmaengine: dw: Select only supported masters for ACPI devices
commit f0e870a0e9c5521f2952ea9f3ea9d3d122631a89 upstream.
The recently submitted fix-commit revealed a problem in the iDMA 32-bit
platform code. Even though the controller supported only a single master
the dw_dma_acpi_filter() method hard-coded two master interfaces with IDs
0 and 1. As a result the sanity check implemented in the commit
b336268dde75 ("dmaengine: dw: Add peripheral bus width verification")
got incorrect interface data width and thus prevented the client drivers
from configuring the DMA-channel with the EINVAL error returned. E.g.,
the next error was printed for the PXA2xx SPI controller driver trying
to configure the requested channels:
> [ 164.525604] pxa2xx_spi_pci 0000:00:07.1: DMA slave config failed
> [ 164.536105] pxa2xx_spi_pci 0000:00:07.1: failed to get DMA TX descriptor
> [ 164.543213] spidev spi-SPT0001:00: SPI transfer failed: -16
The problem would have been spotted much earlier if the iDMA 32-bit
controller supported more than one master interface. But since it
supports just a single master and the iDMA 32-bit specific code just
ignores the master IDs in the CTLLO preparation method, the issue has
gone unnoticed so far.
Fix the problem by specifying the default master ID for both memory
and peripheral devices in the driver data. Thus the issue noticed for
the iDMA 32-bit controllers will be eliminated and the ACPI-probed
DW DMA controllers will be configured with the correct master ID by
default.
Cc: