[Deepin-Kernel-SIG] [linux 6.18-y] [Upstream] Update kernel base to 6.18.9 #1507
[ Upstream commit c644bce62b9c6b441143a03c910f986109c47001 ]
Commit c31f91c ("fuse: don't allow signals to interrupt getdents copying") introduced the use of high bits in d_type as flags. However, overlayfs was not adapted to handle this change.
In ovl_cache_entry_new(), the code checks if d_type == DT_CHR to determine if an entry might be a whiteout. When fuse is used as the lower layer and sets high bits in d_type, this comparison fails, causing whiteout files to not be recognized properly and resulting in incorrect overlayfs behavior.
Fix this by requiring callers of iterate_dir() to opt-in for getting flag bits in d_type outside of S_DT_MASK.
Fixes: c31f91c ("fuse: don't allow signals to interrupt getdents copying")
Link: https://lore.kernel.org/all/20260107034551.439-1-luochunsheng@ustc.edu/
Link: containerd/stargz-snapshotter#2214
Reported-by: Chunsheng Luo <luochunsheng@ustc.edu>
Reviewed-by: Chunsheng Luo <luochunsheng@ustc.edu>
Tested-by: Chunsheng Luo <luochunsheng@ustc.edu>
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Link: https://patch.msgid.link/20260108074522.3400998-1-amir73il@gmail.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 474f851ec5e2e9568a0938f340d7e6399f0e35e9)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 0d0f1314e8f86f5205f71f9e31e272a1d008e40b ]
[BUG]
After commit aa60fe1 ("btrfs: zlib: refactor S390x HW acceleration buffer preparation"), we no longer release the folio of the page cache of folio returned by btrfs_compress_filemap_get_folio() for S390 hardware acceleration path.
[CAUSE]
Before that commit, we call kunmap_local() and folio_put() after handling each folio.
Although the timing is not ideal (it releases the previous folio at the beginning of the loop, and relies on some extra cleanup out of the loop), it at least handles the folio release correctly.
Meanwhile the refactored code is easier to read, it lacks the call to release the filemap folio.
[FIX]
Add the missing folio_put() for copy_data_into_buffer().
CC: linux-s390@vger.kernel.org # 6.18+
Fixes: aa60fe1 ("btrfs: zlib: refactor S390x HW acceleration buffer preparation")
Reviewed-by: Boris Burkov <boris@bur.io>
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit e80617a5e1c246da2f112a1a072cdd535046adfe)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 0baa4d3170d72a2a8dc93bf729d6d04ad113dc72 ]
In at91_can_probe(), the dev structure is allocated via alloc_candev(). However, if the subsequent call to devm_phy_optional_get() fails, the code jumps directly to exit_iounmap, missing the call to free_candev(). This results in a memory leak of the allocated net_device structure.
Fix this by jumping to the exit_free label instead, which ensures that free_candev() is called to properly release the memory.
Compile tested only. Issue found using a prototype static analysis tool and code review.
Fixes: 3ecc098 ("can: at91_can: add CAN transceiver support")
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Link: https://patch.msgid.link/20260122114128.643752-1-zilin@seu.edu.cn
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 4081d53864dae81ec796fc09c8539cf5bdbafea5)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 0c3cd7a0b862c37acbee6d9502107146cc944398 ]
hci_uart_set_proto() sets HCI_UART_PROTO_INIT before calling
hci_uart_register_dev(), which calls proto->open() to initialize
hu->priv. However, if a TTY write wakeup occurs during this window,
hci_uart_tx_wakeup() may schedule write_work before hu->priv is
initialized, leading to a NULL pointer dereference in
hci_uart_write_work() when proto->dequeue() accesses hu->priv.
The race condition is:
CPU0                              CPU1
----                              ----
hci_uart_set_proto()
  set_bit(HCI_UART_PROTO_INIT)
  hci_uart_register_dev()
                                  tty write wakeup
                                    hci_uart_tty_wakeup()
                                      hci_uart_tx_wakeup()
                                        schedule_work(&hu->write_work)
    proto->open(hu)
      // initializes hu->priv
                                  hci_uart_write_work()
                                    hci_uart_dequeue()
                                      proto->dequeue(hu)
                                        // accesses hu->priv (NULL!)
Fix this by moving set_bit(HCI_UART_PROTO_INIT) after proto->open()
succeeds, ensuring hu->priv is initialized before any work can be
scheduled.
Fixes: 5df5daf ("Bluetooth: hci_uart: Fix another race during initialization")
Link: https://lore.kernel.org/linux-bluetooth/6969764f.170a0220.2b9fc4.35a7@mx.google.com/
Signed-off-by: Jia-Hong Su <s11242586@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 03e8c90c62233382042b7bd0fa8b8900552fdb62)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
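The ordering problem described in the hci_uart commit message above can be replayed deterministically in user space. This is an added example, not code from the commit or the kernel: every model_* name is hypothetical, and it assumes, as the message implies, that a wakeup only leads to scheduled work once the INIT bit is visible.

```c
/* Added illustration: single-threaded replay of the interleavings between
 * "publish the INIT bit" and "proto->open() initializes hu->priv".
 * All model_* names are hypothetical stand-ins, not kernel definitions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct model_hu {
    bool proto_init;  /* stands in for the HCI_UART_PROTO_INIT bit */
    void *priv;       /* set by the protocol's open() callback */
};

enum model_work {
    MODEL_WORK_NOT_RUN,   /* wakeup was ignored, no work scheduled */
    MODEL_WORK_OK,        /* work ran with hu->priv initialized */
    MODEL_WORK_NULL_PRIV  /* work ran while hu->priv was still NULL */
};

static int model_proto_state;  /* dummy per-protocol private data */

static void model_proto_open(struct model_hu *hu) { hu->priv = &model_proto_state; }
static void model_set_init_bit(struct model_hu *hu) { hu->proto_init = true; }

/* Wakeup on the other CPU followed by the work item it would schedule.
 * The model reports a NULL priv instead of dereferencing it. */
static enum model_work model_wakeup_and_work(const struct model_hu *hu)
{
    if (!hu->proto_init)
        return MODEL_WORK_NOT_RUN;
    return hu->priv ? MODEL_WORK_OK : MODEL_WORK_NULL_PRIV;
}

/* Replay set_proto with one wakeup injected at a chosen point:
 * 0 = before either step, 1 = between the steps, 2 = after both.
 * bit_before_open selects the ordering the commit message calls racy. */
enum model_work model_set_proto(bool bit_before_open, int wakeup_at)
{
    struct model_hu hu = { false, NULL };
    enum model_work seen = MODEL_WORK_NOT_RUN;
    int step;

    for (step = 0; step <= 2; step++) {
        if (step == wakeup_at)
            seen = model_wakeup_and_work(&hu);
        if (step == 0) {
            if (bit_before_open) model_set_init_bit(&hu);
            else                 model_proto_open(&hu);
        } else if (step == 1) {
            if (bit_before_open) model_proto_open(&hu);
            else                 model_set_init_bit(&hu);
        }
    }
    return seen;
}

/* An ordering is safe if no injection point can observe a NULL priv. */
bool model_order_is_safe(bool bit_before_open)
{
    int at;

    for (at = 0; at <= 2; at++)
        if (model_set_proto(bit_before_open, at) == MODEL_WORK_NULL_PRIV)
            return false;
    return true;
}

int main(void)
{
    printf("bit before open safe: %d\n", model_order_is_safe(true));
    printf("bit after open safe:  %d\n", model_order_is_safe(false));
    return 0;
}
```

The model covers ordering only; it says nothing about the memory barriers or locking the real driver relies on.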
[ Upstream commit 1b9c17fd0a7fdcbe69ec5d6fe8e50bc5ed7f01f2 ]
Fix memory leak in set_ssp_complete() where mgmt_pending_cmd structures are not freed after being removed from the pending list.
Commit 302a1f6 ("Bluetooth: MGMT: Fix possible UAFs") replaced mgmt_pending_foreach() calls with individual command handling but missed adding mgmt_pending_free() calls in both error and success paths of set_ssp_complete(). Other completion functions like set_le_complete() were fixed correctly in the same commit.
This causes a memory leak of the mgmt_pending_cmd structure and its associated parameter data for each SSP command that completes.
Add the missing mgmt_pending_free(cmd) calls in both code paths to fix the memory leak. Also fix the same issue in set_advertising_complete().
Fixes: 302a1f6 ("Bluetooth: MGMT: Fix possible UAFs")
Signed-off-by: Jianpeng Chang <jianpeng.chang.cn@windriver.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 3b6318505378828ee415d6ef678db6a74c077504)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 108948f723b13874b7ebf6b3f1cc598a7de38622 ]
In esw_acl_ingress_lgcy_setup(), if esw_acl_table_create() fails, the function returns directly without releasing the previously created counter, leading to a memory leak.
Fix this by jumping to the out label instead of returning directly, which aligns with the error handling logic of other paths in this function.
Compile tested only. Issue found using a prototype static analysis tool and code review.
Fixes: 07bab95 ("net/mlx5: E-Switch, Refactor eswitch ingress acl codes")
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20260120134640.2717808-1-zilin@seu.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 23f40dbda938eb4738c91d27239e71e3fd722446)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 494fc029f662c331e06b7c2031deff3c64200eed ]
Since commit 79a6d1bfe114 ("can: gs_usb: gs_usb_receive_bulk_callback():
unanchor URL on usb_submit_urb() error") a failing resubmit URB will print
an info message.
In the case of a short read where netdev has not yet been assigned,
initialize as NULL to avoid dereferencing an undefined value. Also report
the error value of the failed resubmit.
Fixes: 79a6d1bfe114 ("can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on usb_submit_urb() error")
Reported-by: Jakub Kicinski <kuba@kernel.org>
Closes: https://lore.kernel.org/all/20260119181904.1209979-1-kuba@kernel.org/
Link: https://patch.msgid.link/20260120-gs_usb-fix-error-message-v1-1-6be04de572bc@pengutronix.de
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 713ba826ae114ab339c9a1b31e209bebdadb0ac9)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 6de4436bf369e1444606445e4cd5df5bcfc74b48 ]
We are not deregistering the fixed phy link when hitting the early exit condition. Add the correct early exit sequence.
Fixes: 490cb41 ("net: bcmasp: Add support for ASP2.0 Ethernet controller")
Signed-off-by: Justin Chen <justin.chen@broadcom.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://patch.msgid.link/20260122194001.1098859-1-justin.chen@broadcom.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit f14d881f0a5aa57b4956402f36e5b381905b5743)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 8016dc5ee19a77678c264f8ba368b1e873fa705b ]
In octep_device_setup(), if octep_ctrl_net_init() fails, the function returns directly without unmapping the mapped resources and freeing the allocated configuration memory.
Fix this by jumping to the unsupported_dev label, which performs the necessary cleanup. This aligns with the error handling logic of other paths in this function.
Compile tested only. Issue found using a prototype static analysis tool and code review.
Fixes: 577f0d1 ("octeon_ep: add separate mailbox command and response queues")
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Link: https://patch.msgid.link/20260121130551.3717090-1-zilin@seu.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit d753f3c3f9d7a6e6dbb4d3a97b73007d71624551)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit f6c3665b6dc53c3ab7d31b585446a953a74340ef ]
slave->last_rx and slave->target_last_arp_rx[...] can be read and written locklessly. Add READ_ONCE() and WRITE_ONCE() annotations.
syzbot reported:
BUG: KCSAN: data-race in bond_rcv_validate / bond_rcv_validate
write to 0xffff888149f0d428 of 8 bytes by interrupt on cpu 1:
bond_rcv_validate+0x202/0x7a0 drivers/net/bonding/bond_main.c:3335
bond_handle_frame+0xde/0x5e0 drivers/net/bonding/bond_main.c:1533
__netif_receive_skb_core+0x5b1/0x1950 net/core/dev.c:6039
__netif_receive_skb_one_core net/core/dev.c:6150 [inline]
__netif_receive_skb+0x59/0x270 net/core/dev.c:6265
netif_receive_skb_internal net/core/dev.c:6351 [inline]
netif_receive_skb+0x4b/0x2d0 net/core/dev.c:6410
...
write to 0xffff888149f0d428 of 8 bytes by interrupt on cpu 0:
bond_rcv_validate+0x202/0x7a0 drivers/net/bonding/bond_main.c:3335
bond_handle_frame+0xde/0x5e0 drivers/net/bonding/bond_main.c:1533
__netif_receive_skb_core+0x5b1/0x1950 net/core/dev.c:6039
__netif_receive_skb_one_core net/core/dev.c:6150 [inline]
__netif_receive_skb+0x59/0x270 net/core/dev.c:6265
netif_receive_skb_internal net/core/dev.c:6351 [inline]
netif_receive_skb+0x4b/0x2d0 net/core/dev.c:6410
br_netif_receive_skb net/bridge/br_input.c:30 [inline]
NF_HOOK include/linux/netfilter.h:318 [inline]
...
value changed: 0x0000000100005365 -> 0x0000000100005366
Fixes: f5b2b96 ("[PATCH] bonding: Validate probe replies in ARP monitor")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Link: https://patch.msgid.link/20260122162914.2299312-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit bd98324e327e41de04b13e372cc16f73150df254)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 944c614b0a7afa5b87612c3fb557b95a50ad654c ]
Since cited commit, core locks the net_device's rss_lock when handling ethtool -x command, so driver's implementation should not lock it again. Remove the latter.
Fixes: 040cef3 ("net: ethtool: move get_rxfh callback under the rss_lock")
Reported-by: Damir Mansurov <damir.mansurov@oktetlabs.ru>
Closes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126015
Suggested-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Edward Cree <ecree.xilinx@gmail.com>
Link: https://patch.msgid.link/20260123161634.1215006-1-edward.cree@amd.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 590c8179ffb01c17644181408821b55b8704c50c)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 09f979d1f312627b31d2ee1e46f9692e442610cd ]
In mvpp2_ethtool_cls_rule_ins(), the ethtool_rule is allocated by ethtool_rx_flow_rule_create(). If the subsequent conversion to flow type fails, the function jumps to the clean_rule label.
However, the clean_rule label only frees efs, skipping the cleanup of ethtool_rule, which leads to a memory leak.
Fix this by jumping to the clean_eth_rule label, which properly calls ethtool_rx_flow_rule_destroy() before freeing efs.
Compile tested only. Issue found using a prototype static analysis tool and code review.
Fixes: f4f1ba1 ("net: mvpp2: cls: Report an error for unsupported flow types")
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Link: https://patch.msgid.link/20260123065716.2248324-1-zilin@seu.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 0b74c6e1327371b67236a86cbf8d4227ac9f95fa)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 03cbcdf93866e61beb0063392e6dbb701f03aea2 ]
When replying to an ICMPv6 echo request that comes from localhost address the right output ifindex is 1 (lo) and not rt6i_idev dev index. Use the skb device ifindex instead.
This fixes pinging to a local address from localhost source address.
$ ping6 -I ::1 2001:1:1::2 -c 3
PING 2001:1:1::2 (2001:1:1::2) from ::1 : 56 data bytes
64 bytes from 2001:1:1::2: icmp_seq=1 ttl=64 time=0.037 ms
64 bytes from 2001:1:1::2: icmp_seq=2 ttl=64 time=0.069 ms
64 bytes from 2001:1:1::2: icmp_seq=3 ttl=64 time=0.122 ms
2001:1:1::2 ping statistics
3 packets transmitted, 3 received, 0% packet loss, time 2032ms
rtt min/avg/max/mdev = 0.037/0.076/0.122/0.035 ms
Fixes: 1b70d79 ("ipv6: Use rt6i_idev index for echo replies to a local address")
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20260121194409.6749-1-fmancera@suse.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 500c1237c9a13cc3d684c5f35df561f570265f56)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit f0813bcd2d9d97fdbdf2efb9532ab03ae92e99e6 ]
When receiving data in the DPMAIF RX path, the t7xx_dpmaif_set_frag_to_skb() function adds page fragments to an skb without checking if the number of fragments has exceeded MAX_SKB_FRAGS. This could lead to a buffer overflow in skb_shinfo(skb)->frags[] array, corrupting adjacent memory and potentially causing kernel crashes or other undefined behavior.
This issue was identified through static code analysis by comparing with a similar vulnerability fixed in the mt76 driver commit b102f0c ("mt76: fix array overflow on receiving too many fragments for a packet").
The vulnerability could be triggered if the modem firmware sends packets with excessive fragments. While under normal protocol conditions (MTU 3080 bytes, BAT buffer 3584 bytes), a single packet should not require additional fragments, the kernel should not blindly trust firmware behavior. Malicious, buggy, or compromised firmware could potentially craft packets with more fragments than the kernel expects.
Fix this by adding a bounds check before calling skb_add_rx_frag() to ensure nr_frags does not exceed MAX_SKB_FRAGS.
The check must be performed before unmapping to avoid a page leak and double DMA unmap during device teardown.
Fixes: d642b01 ("net: wwan: t7xx: Add data path interface")
Signed-off-by: Kery Qi <qikeyu2017@gmail.com>
Link: https://patch.msgid.link/20260122170401.1986-2-qikeyu2017@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 2c0fb0f60bc1545c52da61bc6bd4855c1e7814ba)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
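The two points of the t7xx commit message above (bound the fragment count, and do it before unmapping) can be seen in a small user-space model. This is an added example, not the driver's code: the model_* names, MODEL_MAX_FRAGS = 17, the pool size and the -EINVAL return are assumptions made for the model, and it tracks only DMA unmap calls, not page freeing.

```c
/* Added illustration (not driver code): fixed-size fragment array fed by
 * an untrusted fragment count, with the bound check placed either before
 * or after the DMA unmap. All names and sizes are model assumptions. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MODEL_MAX_FRAGS 17  /* stand-in for MAX_SKB_FRAGS; value assumed */
#define MODEL_POOL      32  /* pages tracked by the model's buffer table */

struct model_page {
    int unmap_calls;  /* times the DMA mapping was torn down */
    int in_table;     /* 1 while the buffer table still owns the page */
};

struct model_skb {
    unsigned int nr_frags;
    struct model_page *frags[MODEL_MAX_FRAGS];
};

struct model_result {
    unsigned int nr_frags;  /* fragments attached to the skb */
    int rejected;           /* descriptors refused by the bound check */
    int max_unmap_calls;    /* above 1 means some page was unmapped twice */
};

static void model_unmap(struct model_page *pg) { pg->unmap_calls++; }

/* check_first = 1: refuse before touching the page (the ordering the
 * commit message requires). check_first = 0: unmap, then check. Both
 * variants keep frags[] in bounds; only the bookkeeping differs. */
static int model_add_frag(struct model_skb *skb, struct model_page *pg,
                          int check_first)
{
    if (check_first && skb->nr_frags >= MODEL_MAX_FRAGS)
        return -EINVAL;  /* page untouched: still mapped, still in table */
    model_unmap(pg);
    if (skb->nr_frags >= MODEL_MAX_FRAGS)
        return -EINVAL;  /* late check: unmapped but table still owns it */
    pg->in_table = 0;    /* ownership moves to the skb */
    skb->frags[skb->nr_frags++] = pg;
    return 0;
}

/* Receive one packet whose fragment count comes from the device, then
 * tear the device down, which unmaps every page the table still owns. */
struct model_result model_rx(int frags_from_fw, int check_first)
{
    struct model_page pool[MODEL_POOL];
    struct model_skb skb;
    struct model_result res = { 0, 0, 0 };
    int i;

    memset(&skb, 0, sizeof(skb));
    for (i = 0; i < MODEL_POOL; i++) {
        pool[i].unmap_calls = 0;
        pool[i].in_table = 1;
    }
    if (frags_from_fw > MODEL_POOL)
        frags_from_fw = MODEL_POOL;

    for (i = 0; i < frags_from_fw; i++)
        if (model_add_frag(&skb, &pool[i], check_first) < 0)
            res.rejected++;

    for (i = 0; i < MODEL_POOL; i++) {  /* device teardown */
        if (pool[i].in_table)
            model_unmap(&pool[i]);
        if (pool[i].unmap_calls > res.max_unmap_calls)
            res.max_unmap_calls = pool[i].unmap_calls;
    }
    res.nr_frags = skb.nr_frags;
    return res;
}

int main(void)
{
    struct model_result early = model_rx(20, 1), late = model_rx(20, 0);

    printf("check first: frags=%u rejected=%d max_unmap=%d\n",
           early.nr_frags, early.rejected, early.max_unmap_calls);
    printf("check late:  frags=%u rejected=%d max_unmap=%d\n",
           late.nr_frags, late.rejected, late.max_unmap_calls);
    return 0;
}
```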
[ Upstream commit ca12c4a155ebf84e9ef29b05ce979bc89364290f ]
The function mlx5_esw_vport_vhca_id() is declared to return bool, but returns -EOPNOTSUPP (-45), which is an int error code. This causes a signedness bug as reported by smatch.
This patch fixes this smatch report:
drivers/net/ethernet/mellanox/mlx5/core/eswitch.h:981 mlx5_esw_vport_vhca_id() warn: signedness bug returning '(-45)'
Fixes: 1baf304 ("net/mlx5: E-Switch, Set/Query hca cap via vhca id")
Reviewed-by: Parav Pandit <parav@nvidia.com>
Signed-off-by: Zeng Chi <zengchi@kylinos.cn>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20260123085749.1401969-1-zeng_chi911@163.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit cdc4deb9e7be2063aa1fcd6b3efe5a0a68f8dde1)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 8d7ba71e46216b8657a82ca2ec118bc93812a4d0 ]
In rocker_world_port_pre_init(), rocker_port->wpriv is allocated with
kzalloc(wops->port_priv_size, GFP_KERNEL). However, in
rocker_world_port_post_fini(), the memory is only freed when
wops->port_post_fini callback is set:
if (!wops->port_post_fini)
return;
wops->port_post_fini(rocker_port);
kfree(rocker_port->wpriv);
Since rocker_ofdpa_ops does not implement port_post_fini callback
(it is NULL), the wpriv memory allocated for each port is never freed
when ports are removed. This leads to a memory leak of
sizeof(struct ofdpa_port) bytes per port on every device removal.
Fix this by always calling kfree(rocker_port->wpriv) regardless of
whether the port_post_fini callback exists.
Fixes: e420114 ("rocker: introduce worlds infrastructure")
Signed-off-by: Kery Qi <qikeyu2017@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260123211030.2109-2-qikeyu2017@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit dce375f4afc348c310d171abcde7ec1499a4c26a)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit e2a9eeb69f7d4ca4cf4c70463af77664fdb6ab1d ]
syzbot and Eulgyu Kim reported crashes in mptcp_pm_nl_get_local_id() and/or mptcp_pm_nl_is_backup()
Root cause is list_splice_init() in mptcp_pm_nl_flush_addrs_doit() which is not RCU ready.
list_splice_init_rcu() can not be called here while holding pernet->lock spinlock.
Many thanks to Eulgyu Kim for providing a repro and testing our patches.
Fixes: 141694d ("mptcp: remove address when netlink flushes addrs")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot+5498a510ff9de39d37da@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/6970a46d.a00a0220.3ad28e.5cf0.GAE@google.com/T/
Reported-by: Eulgyu Kim <eulgyukim@snu.ac.kr>
Closes: multipath-tcp/mptcp_net-next#611
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260124-net-mptcp-race_nl_flush_addrs-v3-1-b2dc1b613e9d@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 1f1b9523527df02685dde603f20ff6e603d8e4a1)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 2c84959167d6493dbdac88965c7389b8ab88bf4e ]
Some PHYs stop the refclk for power saving, usually while link down. This causes reading stats to time out.
Therefore, in emac_stats_update(), also don't update and reschedule if !netif_carrier_ok(). But that means we could be missing later updates if the link comes back up, so also reschedule when link up is detected in emac_adjust_link().
While we're at it, improve the comments and error message prints around this to reflect the better understanding of how this could happen. Hopefully if this happens again on new hardware, these comments will direct towards a solution.
Closes: https://lore.kernel.org/r/20260119141620.1318102-1-amadeus@jmu.edu.cn/
Fixes: bfec6d7 ("net: spacemit: Add K1 Ethernet MAC")
Co-developed-by: Chukun Pan <amadeus@jmu.edu.cn>
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
Signed-off-by: Vivian Wang <wangruikang@iscas.ac.cn>
Link: https://patch.msgid.link/20260123-k1-ethernet-clarify-stat-timeout-v3-1-93b9df627e87@iscas.ac.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit fdb99161cbef29dffed56a1cbec13fce301167db)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 165c34fb6068ff153e3fc99a932a80a9d5755709 ]
syzbot reported various memory leaks related to NFC, struct
nfc_llcp_sock, sk_buff, nfc_dev, etc. [0]
The leading log hinted that nfc_llcp_send_ui_frame() failed
to allocate skb due to sock_error(sk) being -ENXIO.
ENXIO is set by nfc_llcp_socket_release() when struct
nfc_llcp_local is destroyed by local_cleanup().
The problem is that there is no synchronisation between
nfc_llcp_send_ui_frame() and local_cleanup(), and skb
could be put into local->tx_queue after it was purged in
local_cleanup():
  CPU1                                 CPU2
  ----                                 ----
  nfc_llcp_send_ui_frame()             local_cleanup()
  |- do {                              '
     |- pdu = nfc_alloc_send_skb(..., &err)
     |                                 .
     |                                 |- nfc_llcp_socket_release(local, false, ENXIO);
     |                                 |- skb_queue_purge(&local->tx_queue);      |
     |                                 '                                          |
     |- skb_queue_tail(&local->tx_queue, pdu);                                    |
    ...                                                                           |
     |- pdu = nfc_alloc_send_skb(..., &err)                                       |
                                       ^._________________________________.'
local_cleanup() is called for struct nfc_llcp_local only
after nfc_llcp_remove_local() unlinks it from llcp_devices.
If we hold local->tx_queue.lock then, we can synchronise
the thread and nfc_llcp_send_ui_frame().
Let's do that and check list_empty(&local->list) before
queuing skb to local->tx_queue in nfc_llcp_send_ui_frame().
[0]:
[ 56.074943][ T6096] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6)
[ 64.318868][ T5813] kmemleak: 6 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
BUG: memory leak
unreferenced object 0xffff8881272f6800 (size 1024):
comm "syz.0.17", pid 6096, jiffies 4294942766
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
27 00 03 40 00 00 00 00 00 00 00 00 00 00 00 00 '..@............
backtrace (crc da58d84d):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4979 [inline]
slab_alloc_node mm/slub.c:5284 [inline]
__do_kmalloc_node mm/slub.c:5645 [inline]
__kmalloc_noprof+0x3e3/0x6b0 mm/slub.c:5658
kmalloc_noprof include/linux/slab.h:961 [inline]
sk_prot_alloc+0x11a/0x1b0 net/core/sock.c:2239
sk_alloc+0x36/0x360 net/core/sock.c:2295
nfc_llcp_sock_alloc+0x37/0x130 net/nfc/llcp_sock.c:979
llcp_sock_create+0x71/0xd0 net/nfc/llcp_sock.c:1044
nfc_sock_create+0xc9/0xf0 net/nfc/af_nfc.c:31
__sock_create+0x1a9/0x340 net/socket.c:1605
sock_create net/socket.c:1663 [inline]
__sys_socket_create net/socket.c:1700 [inline]
__sys_socket+0xb9/0x1a0 net/socket.c:1747
__do_sys_socket net/socket.c:1761 [inline]
__se_sys_socket net/socket.c:1759 [inline]
__x64_sys_socket+0x1b/0x30 net/socket.c:1759
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff88810fbd9800 (size 240):
comm "syz.0.17", pid 6096, jiffies 4294942850
hex dump (first 32 bytes):
68 f0 ff 08 81 88 ff ff 68 f0 ff 08 81 88 ff ff h.......h.......
00 00 00 00 00 00 00 00 00 68 2f 27 81 88 ff ff .........h/'....
backtrace (crc 6cc652b1):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4979 [inline]
slab_alloc_node mm/slub.c:5284 [inline]
kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5336
__alloc_skb+0x203/0x240 net/core/skbuff.c:660
alloc_skb include/linux/skbuff.h:1383 [inline]
alloc_skb_with_frags+0x69/0x3f0 net/core/skbuff.c:6671
sock_alloc_send_pskb+0x379/0x3e0 net/core/sock.c:2965
sock_alloc_send_skb include/net/sock.h:1859 [inline]
nfc_alloc_send_skb+0x45/0x80 net/nfc/core.c:724
nfc_llcp_send_ui_frame+0x162/0x360 net/nfc/llcp_commands.c:766
llcp_sock_sendmsg+0x14c/0x1d0 net/nfc/llcp_sock.c:814
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg net/socket.c:742 [inline]
__sys_sendto+0x2d8/0x2f0 net/socket.c:2244
__do_sys_sendto net/socket.c:2251 [inline]
__se_sys_sendto net/socket.c:2247 [inline]
__x64_sys_sendto+0x28/0x30 net/socket.c:2247
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Fixes: 94f418a ("NFC: UI frame sending routine implementation")
Reported-by: syzbot+f2d245f1d76bbfa50e4c@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/697569c7.a00a0220.33ccc7.0014.GAE@google.com/T/#u
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260125010214.1572439-1-kuniyu@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 61858cbce6ca4bef9ed116c689a4be9520841339)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit e9acda52fd2ee0cdca332f996da7a95c5fd25294 ]
Fix a use-after-free which happens due to enslave failure after the new slave has been added to the array. Since the new slave can be used for Tx immediately, we can use it after it has been freed by the enslave error cleanup path which frees the allocated slave memory. Slave update array is supposed to be called last when further enslave failures are not expected. Move it after xdp setup to avoid any problems.
It is very easy to reproduce the problem with a simple xdp_pass prog:
ip l add bond1 type bond mode balance-xor
ip l set bond1 up
ip l set dev bond1 xdp object xdp_pass.o sec xdp_pass
ip l add dumdum type dummy
Then run in parallel:
while :; do ip l set dumdum master bond1 1>/dev/null 2>&1; done;
mausezahn bond1 -a own -b rand -A rand -B 1.1.1.1 -c 0 -t tcp "dp=1-1023, flags=syn"
The crash happens almost immediately:
[ 605.602850] Oops: general protection fault, probably for non-canonical address 0xe0e6fc2460000137: 0000 [#1] SMP KASAN NOPTI
[ 605.602916] KASAN: maybe wild-memory-access in range [0x07380123000009b8-0x07380123000009bf]
[ 605.602946] CPU: 0 UID: 0 PID: 2445 Comm: mausezahn Kdump: loaded Tainted: G B 6.19.0-rc6+ deepin-community#21 PREEMPT(voluntary)
[ 605.602979] Tainted: [B]=BAD_PAGE
[ 605.602998] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 605.603032] RIP: 0010:netdev_core_pick_tx+0xcd/0x210
[ 605.603063] Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 3e 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 6b 08 49 8d 7d 30 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 25 01 00 00 49 8b 45 30 4c 89 e2 48 89 ee 48 89
[ 605.603111] RSP: 0018:ffff88817b9af348 EFLAGS: 00010213
[ 605.603145] RAX: dffffc0000000000 RBX: ffff88817d28b420 RCX: 0000000000000000
[ 605.603172] RDX: 00e7002460000137 RSI: 0000000000000008 RDI: 07380123000009be
[ 605.603199] RBP: ffff88817b541a00 R08: 0000000000000001 R09: fffffbfff3ed8c0c
[ 605.603226] R10: ffffffff9f6c6067 R11: 0000000000000001 R12: 0000000000000000
[ 605.603253] R13: 073801230000098e R14: ffff88817d28b448 R15: ffff88817b541a84
[ 605.603286] FS: 00007f6570ef67c0(0000) GS:ffff888221dfa000(0000) knlGS:0000000000000000
[ 605.603319] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 605.603343] CR2: 00007f65712fae40 CR3: 000000011371b000 CR4: 0000000000350ef0
[ 605.603373] Call Trace:
[ 605.603392] <TASK>
[ 605.603410] __dev_queue_xmit+0x448/0x32a0
[ 605.603434] ? __pfx_vprintk_emit+0x10/0x10
[ 605.603461] ? __pfx_vprintk_emit+0x10/0x10
[ 605.603484] ? __pfx___dev_queue_xmit+0x10/0x10
[ 605.603507] ? bond_start_xmit+0xbfb/0xc20 [bonding]
[ 605.603546] ? _printk+0xcb/0x100
[ 605.603566] ? __pfx__printk+0x10/0x10
[ 605.603589] ? bond_start_xmit+0xbfb/0xc20 [bonding]
[ 605.603627] ? add_taint+0x5e/0x70
[ 605.603648] ? add_taint+0x2a/0x70
[ 605.603670] ? end_report.cold+0x51/0x75
[ 605.603693] ? bond_start_xmit+0xbfb/0xc20 [bonding]
[ 605.603731] bond_start_xmit+0x623/0xc20 [bonding]
Fixes: 9e2ee5c ("net, bonding: Add XDP support to the bonding driver")
Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
Reported-by: Chen Zhen <chenzhen126@huawei.com>
Closes: https://lore.kernel.org/netdev/fae17c21-4940-5605-85b2-1d5e17342358@huawei.com/
CC: Jussi Maki <joamaki@gmail.com>
CC: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://patch.msgid.link/20260123120659.571187-1-razor@blackwall.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit bd25b092a06a3e05f7e8bd6da6fa7318777d8c3d)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 638344712aefeba97b6e0d90f560815fd88abd0f ]
When ixgbe_recovery_probe() is invoked and this function fails, allocated resources in advance are not completely freed, because ixgbe_probe() returns ixgbe_recovery_probe() directly and ixgbe_recovery_probe() only frees partial resources, resulting in memory leaks including:
- adapter->io_addr
- adapter->jump_tables[0]
- adapter->mac_table
- adapter->rss_key
- adapter->af_xdp_zc_qps
The leaked MMIO region can be observed in /proc/vmallocinfo, and the remaining leaks are reported by kmemleak.
Don't return ixgbe_recovery_probe() directly, and instead let ixgbe_probe() clean up resources on failures.
Fixes: 29cb3b8 ("ixgbe: add E610 implementation of FW recovery mode")
Signed-off-by: Kohei Enju <enjuk@amazon.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit c721ea2ff56726412dafb6e4eaf7a04bd99d4df2)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 100cf7b4ca6ed770ec4287f3789b1da2e340a05a ]
hw->aci.lock is already initialized in ixgbe_sw_init(), so ixgbe_recovery_probe() doesn't need to initialize the lock. This function is also not responsible for destroying the lock on failures.
Additionally, change the name of label in accordance with this change.
Fixes: 29cb3b8 ("ixgbe: add E610 implementation of FW recovery mode")
Reported-by: Simon Horman <horms@kernel.org>
Closes: https://lore.kernel.org/intel-wired-lan/aTcFhoH-z2btEKT-@horms.kernel.org/
Signed-off-by: Kohei Enju <enjuk@amazon.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 214aed313f7a59be4fe34acabd73d957a7851f12)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 9bb30be4d89ff9a8d7ab1aa0eb2edaca83431f85 ]
Add NULL pointer checks in ice_vsi_set_napi_queues() to prevent crashes
during resume from suspend when rings[q_idx]->q_vector is NULL.
Tested adaptor:
60:00.0 Ethernet controller [0200]: Intel Corporation Ethernet Controller E810-XXV for SFP [8086:159b] (rev 02)
Subsystem: Intel Corporation Ethernet Network Adapter E810-XXV-2 [8086:4003]
SR-IOV state: both disabled and enabled can reproduce this issue.
kernel version: v6.18
Reproduce steps:
Boot up and execute suspend like systemctl suspend or rtcwake.
Log:
<1>[ 231.443607] BUG: kernel NULL pointer dereference, address: 0000000000000040
<1>[ 231.444052] #PF: supervisor read access in kernel mode
<1>[ 231.444484] #PF: error_code(0x0000) - not-present page
<6>[ 231.444913] PGD 0 P4D 0
<4>[ 231.445342] Oops: Oops: 0000 [#1] SMP NOPTI
<4>[ 231.446635] RIP: 0010:netif_queue_set_napi+0xa/0x170
<4>[ 231.447067] Code: 31 f6 31 ff c3 cc cc cc cc 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 48 85 c9 74 0b <48> 83 79 30 00 0f 84 39 01 00 00 55 41 89 d1 49 89 f8 89 f2 48 89
<4>[ 231.447513] RSP: 0018:ffffcc780fc078c0 EFLAGS: 00010202
<4>[ 231.447961] RAX: ffff8b848ca30400 RBX: ffff8b848caf2028 RCX: 0000000000000010
<4>[ 231.448443] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8b848dbd4000
<4>[ 231.448896] RBP: ffffcc780fc078e8 R08: 0000000000000000 R09: 0000000000000000
<4>[ 231.449345] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
<4>[ 231.449817] R13: ffff8b848dbd4000 R14: ffff8b84833390c8 R15: 0000000000000000
<4>[ 231.450265] FS: 00007c7b29e9d740(0000) GS:ffff8b8c068e2000(0000) knlGS:0000000000000000
<4>[ 231.450715] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
<4>[ 231.451179] CR2: 0000000000000040 CR3: 000000030626f004 CR4: 0000000000f72ef0
<4>[ 231.451629] PKRU: 55555554
<4>[ 231.452076] Call Trace:
<4>[ 231.452549] <TASK>
<4>[ 231.452996] ? ice_vsi_set_napi_queues+0x4d/0x110 [ice]
<4>[ 231.453482] ice_resume+0xfd/0x220 [ice]
<4>[ 231.453977] ? __pfx_pci_pm_resume+0x10/0x10
<4>[ 231.454425] pci_pm_resume+0x8c/0x140
<4>[ 231.454872] ? __pfx_pci_pm_resume+0x10/0x10
<4>[ 231.455347] dpm_run_callback+0x5f/0x160
<4>[ 231.455796] ? dpm_wait_for_superior+0x107/0x170
<4>[ 231.456244] device_resume+0x177/0x270
<4>[ 231.456708] dpm_resume+0x209/0x2f0
<4>[ 231.457151] dpm_resume_end+0x15/0x30
<4>[ 231.457596] suspend_devices_and_enter+0x1da/0x2b0
<4>[ 231.458054] enter_state+0x10e/0x570
Add defensive checks for both the ring pointer and its q_vector
before dereferencing, allowing the system to resume successfully even when
q_vectors are unmapped.
Fixes: 2a5dc09 ("ice: move netif_queue_set_napi to rtnl-protected sections")
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Signed-off-by: Aaron Ma <aaron.ma@canonical.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 36126ddbe924727add05a594dedf230d3b575e4d)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 05faf2c0a76581d0a7fdbb8ec46477ba183df95b ]
Since the beginning, the Intel ice driver has counted receive checksum offload mismatches into the rx_errors member of the rtnl_link_stats64 struct. In ethtool -S these show up as rx_csum_bad.nic.
I believe counting these in rx_errors is fundamentally wrong, as it's pretty clear from the comments in if_link.h and from every other statistic the driver is summing into rx_errors, that all of them would cause a "hardware drop" except for the UDP checksum mismatch, as well as the fact that all the other causes for rx_errors are L2 reasons, and this L4 UDP "mismatch" is an outlier.
A last nail in the coffin is that rx_errors is monitored in production and can indicate a bad NIC/cable/Switch port, but instead some random series of UDP packets with bad checksums will now trigger this alert. This false positive makes the alert useless and affects us as well as other companies.
This packet with presumably a bad UDP checksum is *already* passed to the stack, just not marked as offloaded by the hardware/driver. If it is dropped by the stack it will show up as UDP_MIB_CSUMERRORS.
And one more thing, none of the other Intel drivers, and at least bnxt_en and mlx5 both don't appear to count UDP offload mismatches as rx_errors.
Here is a related customer complaint: https://community.intel.com/t5/Ethernet-Products/ice-rx-errros-is-too-sensitive-to-IP-TCP-attack-packets-Intel/td-p/1662125
Fixes: 4f1fe43 ("ice: Add more Rx errors to netdev's rx_error counter")
Cc: Tony Nguyen <anthony.l.nguyen@intel.com>
Cc: Jake Keller <jacob.e.keller@intel.com>
Cc: IWL <intel-wired-lan@lists.osuosl.org>
Signed-off-by: Jesse Brandeburg <jbrandeburg@cloudflare.com>
Acked-by: Jacob Keller <jacob.e.keller@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 2df2aad9cf2f478545c7d19283488e1450b86f25)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit f67666938ae626cbda63fbf5176b3583c07e7124 ]
When deleting TC steering flows, iterate only over actual devcom peers instead of assuming all possible ports exist. This avoids touching non-existent peers and ensures cleanup is limited to devices the driver is currently connected to.
BUG: kernel NULL pointer dereference, address: 0000000000000008
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 133c8a067 P4D 0
Oops: Oops: 0002 [#1] SMP
CPU: 19 UID: 0 PID: 2169 Comm: tc Not tainted 6.18.0+ deepin-community#156 NONE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:mlx5e_tc_del_fdb_peers_flow+0xbe/0x200 [mlx5_core]
Code: 00 00 a8 08 74 a8 49 8b 46 18 f6 c4 02 74 9f 4c 8d bf a0 12 00 00 4c 89 ff e8 0e e7 96 e1 49 8b 44 24 08 49 8b 0c 24 4c 89 ff <48> 89 41 08 48 89 08 49 89 2c 24 49 89 5c 24 08 e8 7d ce 96 e1 49
RSP: 0018:ff11000143867528 EFLAGS: 00010246
RAX: 0000000000000000 RBX: dead000000000122 RCX: 0000000000000000
RDX: ff11000143691580 RSI: ff110001026e5000 RDI: ff11000106f3d2a0
RBP: dead000000000100 R08: 00000000000003fd R09: 0000000000000002
R10: ff11000101c75690 R11: ff1100085faea178 R12: ff11000115f0ae78
R13: 0000000000000000 R14: ff11000115f0a800 R15: ff11000106f3d2a0
FS: 00007f35236bf740(0000) GS:ff110008dc809000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 0000000157a01001 CR4: 0000000000373eb0
Call Trace:
<TASK>
mlx5e_tc_del_flow+0x46/0x270 [mlx5_core]
mlx5e_flow_put+0x25/0x50 [mlx5_core]
mlx5e_delete_flower+0x2a6/0x3e0 [mlx5_core]
tc_setup_cb_reoffload+0x20/0x80
fl_reoffload+0x26f/0x2f0 [cls_flower]
? mlx5e_tc_reoffload_flows_work+0xc0/0xc0 [mlx5_core]
? mlx5e_tc_reoffload_flows_work+0xc0/0xc0 [mlx5_core]
tcf_block_playback_offloads+0x9e/0x1c0
tcf_block_unbind+0x7b/0xd0
tcf_block_setup+0x186/0x1d0
tcf_block_offload_cmd.isra.0+0xef/0x130
tcf_block_offload_unbind+0x43/0x70
__tcf_block_put+0x85/0x160
ingress_destroy+0x32/0x110 [sch_ingress]
__qdisc_destroy+0x44/0x100
qdisc_graft+0x22b/0x610
tc_get_qdisc+0x183/0x4d0
rtnetlink_rcv_msg+0x2d7/0x3d0
? rtnl_calcit.isra.0+0x100/0x100
netlink_rcv_skb+0x53/0x100
netlink_unicast+0x249/0x320
? __alloc_skb+0x102/0x1f0
netlink_sendmsg+0x1e3/0x420
__sock_sendmsg+0x38/0x60
____sys_sendmsg+0x1ef/0x230
? copy_msghdr_from_user+0x6c/0xa0
___sys_sendmsg+0x7f/0xc0
? ___sys_recvmsg+0x8a/0xc0
? __sys_sendto+0x119/0x180
__sys_sendmsg+0x61/0xb0
do_syscall_64+0x55/0x640
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f35238bb764
Code: 15 b9 86 0c 00 f7 d8 64 89 02 b8 ff ff ff ff eb bf 0f 1f 44 00 00 f3 0f 1e fa 80 3d e5 08 0d 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 4c c3 0f 1f 00 55 48 89 e5 48 83 ec 20 89 55
RSP: 002b:00007ffed4c35638 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 000055a2efcc75e0 RCX: 00007f35238bb764
RDX: 0000000000000000 RSI: 00007ffed4c356a0 RDI: 0000000000000003
RBP: 00007ffed4c35710 R08: 0000000000000010 R09: 00007f3523984b20
R10: 0000000000000004 R11: 0000000000000202 R12: 00007ffed4c35790
R13: 000000006947df8f R14: 000055a2efcc75e0 R15: 00007ffed4c35780
Fixes: 9be6c21 ("net/mlx5e: Handle offloads flows per peer")
Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Reviewed-by: Shay Drori <shayd@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/1769411695-18820-3-git-send-email-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit fdf8437016f578f18b160c6e14f13ab96bfbc3ba)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 476681f10cc1e0e56e26856684e75d4678b072b2 ]
The driver's ndo_get_stats64 callback is only reporting mlx5 counters, without accounting for the netdev stats, causing errors from the network stack to be invisible in statistics.
Add netdev_stats_to_stats64() call to first populate the counters, then add mlx5 counters on top, ensuring both are accounted for (where appropriate).
Fixes: f62b8bb ("net/mlx5: Extend mlx5_core to support ConnectX-4 Ethernet functionality")
Signed-off-by: Gal Pressman <gal@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/1769411695-18820-4-git-send-email-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 92e0483402afcbabedcc64013c93d8fca4d07105)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit d2492688bb9fed6ab6e313682c387ae71a66ebae ]
syzbot reported the splat below [0] without a repro.
It indicates that struct nci_dev.cmd_wq had been destroyed before
nci_close_device() was called via rfkill.
nci_dev.cmd_wq is only destroyed in nci_unregister_device(), which
(I think) was called from virtual_ncidev_close() when syzbot close()d
an fd of virtual_ncidev.
The problem is that nci_unregister_device() destroys nci_dev.cmd_wq
first and then calls nfc_unregister_device(), which removes the
device from rfkill by rfkill_unregister().
So, the device is still visible via rfkill even after nci_dev.cmd_wq
is destroyed.
Let's unregister the device from rfkill first in nci_unregister_device().
Note that we cannot call nfc_unregister_device() before
nci_close_device() because
1) nfc_unregister_device() calls device_del() which frees
all memory allocated by devm_kzalloc() and linked to
ndev->conn_info_list
2) nci_rx_work() could try to queue nci_conn_info to
ndev->conn_info_list which could be leaked
Thus, nfc_unregister_device() is split into two functions so we
can remove rfkill interfaces only before nci_close_device().
[0]:
DEBUG_LOCKS_WARN_ON(1)
WARNING: kernel/locking/lockdep.c:238 at hlock_class kernel/locking/lockdep.c:238 [inline], CPU#0: syz.0.8675/6349
WARNING: kernel/locking/lockdep.c:238 at check_wait_context kernel/locking/lockdep.c:4854 [inline], CPU#0: syz.0.8675/6349
WARNING: kernel/locking/lockdep.c:238 at __lock_acquire+0x39d/0x2cf0 kernel/locking/lockdep.c:5187, CPU#0: syz.0.8675/6349
Modules linked in:
CPU: 0 UID: 0 PID: 6349 Comm: syz.0.8675 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026
RIP: 0010:hlock_class kernel/locking/lockdep.c:238 [inline]
RIP: 0010:check_wait_context kernel/locking/lockdep.c:4854 [inline]
RIP: 0010:__lock_acquire+0x3a4/0x2cf0 kernel/locking/lockdep.c:5187
Code: 18 00 4c 8b 74 24 08 75 27 90 e8 17 f2 fc 02 85 c0 74 1c 83 3d 50 e0 4e 0e 00 75 13 48 8d 3d 43 f7 51 0e 48 c7 c6 8b 3a de 8d <67> 48 0f b9 3a 90 31 c0 0f b6 98 c4 00 00 00 41 8b 45 20 25 ff 1f
RSP: 0018:ffffc9000c767680 EFLAGS: 00010046
RAX: 0000000000000001 RBX: 0000000000040000 RCX: 0000000000080000
RDX: ffffc90013080000 RSI: ffffffff8dde3a8b RDI: ffffffff8ff24ca0
RBP: 0000000000000003 R08: ffffffff8fef35a3 R09: 1ffffffff1fde6b4
R10: dffffc0000000000 R11: fffffbfff1fde6b5 R12: 00000000000012a2
R13: ffff888030338ba8 R14: ffff888030338000 R15: ffff888030338b30
FS: 00007fa5995f66c0(0000) GS:ffff8881256f8000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7e72f842d0 CR3: 00000000485a0000 CR4: 00000000003526f0
Call Trace:
<TASK>
lock_acquire+0x106/0x330 kernel/locking/lockdep.c:5868
touch_wq_lockdep_map+0xcb/0x180 kernel/workqueue.c:3940
__flush_workqueue+0x14b/0x14f0 kernel/workqueue.c:3982
nci_close_device+0x302/0x630 net/nfc/nci/core.c:567
nci_dev_down+0x3b/0x50 net/nfc/nci/core.c:639
nfc_dev_down+0x152/0x290 net/nfc/core.c:161
nfc_rfkill_set_block+0x2d/0x100 net/nfc/core.c:179
rfkill_set_block+0x1d2/0x440 net/rfkill/core.c:346
rfkill_fop_write+0x461/0x5a0 net/rfkill/core.c:1301
vfs_write+0x29a/0xb90 fs/read_write.c:684
ksys_write+0x150/0x270 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa59b39acb9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa5995f6028 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fa59b615fa0 RCX: 00007fa59b39acb9
RDX: 0000000000000008 RSI: 0000200000000080 RDI: 0000000000000007
RBP: 00007fa59b408bf7 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fa59b616038 R14: 00007fa59b615fa0 R15: 00007ffc82218788
</TASK>
Fixes: 6a2968a ("NFC: basic NCI protocol implementation")
Reported-by: syzbot+f9c5fd1a0874f9069dce@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/695e7f56.050a0220.1c677c.036c.GAE@google.com/
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260127040411.494931-1-kuniyu@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit c3369fc5e6120a72169e71acd72e987907a682af)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit cc0cf10fdaeadf5542d64a55b5b4120d3df90b7d ]
Fix the check if netfilter's static keys are available. netfilter defines and exports static keys if CONFIG_JUMP_LABEL is enabled. (HAVE_JUMP_LABEL is never defined.)
Fixes: 971502d ("bridge: netfilter: unroll NF_HOOK helper in bridge input path")
Signed-off-by: Martin Kaiser <martin@kaiser.cx>
Reviewed-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
Link: https://patch.msgid.link/20260127101925.1754425-1-martin@kaiser.cx
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit f4bb58e14f042c046e68c69f0dbdc25036460fa9)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit a62f7d62d2b115e67c7224e36ace4ef12a9650b4 ]
mlx5e_psp_handle_tx_skb() assumes skbs are ipv6 when doing a partial TCP checksum with tso. Make mlx5e_psp_handle_tx_skb() correctly handle ipv4 packets.
Fixes: e5a1861 ("net/mlx5e: Implement PSP Tx data path")
Signed-off-by: Daniel Zahka <daniel.zahka@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com>
Link: https://patch.msgid.link/20260126-dzahka-fix-tx-csum-partial-v2-1-0a905590ea5f@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 92db64d3546f95326a00a4103e087e1751843e1a)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 2aa1545ba8d4801fba5be83a404e28014b80196a ]
Since the commit 25c6a5a ("net: phy: micrel: Dynamically control external clock of KSZ PHY"), the clock of Micrel PHY has been enabled by phy_driver::resume() and disabled by phy_driver::suspend(). However, devm_clk_get_optional_enabled() is used in kszphy_probe(), so the clock will automatically be disabled when the device is unbound from the bus. Therefore, this could cause the clock to be disabled twice, resulting in clk driver warnings.
For example, this issue can be reproduced on i.MX6ULL platform, and we can see the following logs when removing the FEC MAC drivers.
$ echo 2188000.ethernet > /sys/bus/platform/drivers/fec/unbind
$ echo 20b4000.ethernet > /sys/bus/platform/drivers/fec/unbind
[ 109.758207] ------------[ cut here ]------------
[ 109.758240] WARNING: drivers/clk/clk.c:1188 at clk_core_disable+0xb4/0xd0, CPU#0: sh/639
[ 109.771011] enet2_ref already disabled
[ 109.793359] Call trace:
[ 109.822006] clk_core_disable from clk_disable+0x28/0x34
[ 109.827340] clk_disable from clk_disable_unprepare+0xc/0x18
[ 109.833029] clk_disable_unprepare from devm_clk_release+0x1c/0x28
[ 109.839241] devm_clk_release from devres_release_all+0x98/0x100
[ 109.845278] devres_release_all from device_unbind_cleanup+0xc/0x70
[ 109.851571] device_unbind_cleanup from device_release_driver_internal+0x1a4/0x1f4
[ 109.859170] device_release_driver_internal from bus_remove_device+0xbc/0xe4
[ 109.866243] bus_remove_device from device_del+0x140/0x458
[ 109.871757] device_del from phy_mdio_device_remove+0xc/0x24
[ 109.877452] phy_mdio_device_remove from mdiobus_unregister+0x40/0xac
[ 109.883918] mdiobus_unregister from fec_enet_mii_remove+0x40/0x78
[ 109.890125] fec_enet_mii_remove from fec_drv_remove+0x4c/0x158
[ 109.896076] fec_drv_remove from device_release_driver_internal+0x17c/0x1f4
[ 109.962748] WARNING: drivers/clk/clk.c:1047 at clk_core_unprepare+0xfc/0x13c, CPU#0: sh/639
[ 109.975805] enet2_ref already unprepared
[ 110.002866] Call trace:
[ 110.031758] clk_core_unprepare from clk_unprepare+0x24/0x2c
[ 110.037440] clk_unprepare from devm_clk_release+0x1c/0x28
[ 110.042957] devm_clk_release from devres_release_all+0x98/0x100
[ 110.048989] devres_release_all from device_unbind_cleanup+0xc/0x70
[ 110.055280] device_unbind_cleanup from device_release_driver_internal+0x1a4/0x1f4
[ 110.062877] device_release_driver_internal from bus_remove_device+0xbc/0xe4
[ 110.069950] bus_remove_device from device_del+0x140/0x458
[ 110.075469] device_del from phy_mdio_device_remove+0xc/0x24
[ 110.081165] phy_mdio_device_remove from mdiobus_unregister+0x40/0xac
[ 110.087632] mdiobus_unregister from fec_enet_mii_remove+0x40/0x78
[ 110.093836] fec_enet_mii_remove from fec_drv_remove+0x4c/0x158
[ 110.099782] fec_drv_remove from device_release_driver_internal+0x17c/0x1f4
After analyzing the process of removing the FEC driver, as shown below, it can be seen that the clock was disabled twice by the PHY driver.
fec_drv_remove()
  --> fec_enet_close()
    --> phy_stop()
      --> phy_suspend()
        --> kszphy_suspend() #1 The clock is disabled
  --> fec_enet_mii_remove()
    --> mdiobus_unregister()
      --> phy_mdio_device_remove()
        --> device_del()
          --> devm_clk_release() #2 The clock is disabled again
Therefore, devm_clk_get_optional() is used to fix the above issue. And to avoid the issue mentioned by the commit 9853294 ("net: phy: micrel: use devm_clk_get_optional_enabled for the rmii-ref clock"), the clock is enabled by clk_prepare_enable() to get the correct clock rate.
Fixes: 25c6a5a ("net: phy: micrel: Dynamically control external clock of KSZ PHY")
Signed-off-by: Wei Fang <wei.fang@nxp.com>
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Link: https://patch.msgid.link/20260126081544.983517-1-wei.fang@nxp.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 335031cacd7e8d2221607a8c0aff69a15faf3a08)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 239d0ccf567c3b09aed58eb88cd3376af37aaf14 upstream.
v1: resolve the issue where some freq frequencies cannot be set correctly due to insufficient floating-point precision.
v2: patch this convert on 'max' value only.
Signed-off-by: Yang Wang <kevinyang.wang@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 53868dd8774344051999c880115740da92f97feb)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 5f841c308c4531edd32f9780932ddfd46963c40b)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit e7fbff9e7622a00c2b53cb14df481916f0019742 upstream.
The reference clock is supposed to be 100Mhz, but it appears to actually be slightly lower (99.81Mhz).
Closes: https://gitlab.freedesktop.org/mesa/mesa/-/issues/14451
Reviewed-by: Jesse Zhang <Jesse.Zhang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 637fee3954d4bd509ea9d95ad1780fc174489860)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 9a6d87fbe3f516bd980bae9a4b017ad4b2ccdf56)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit cc4f433b14e05eaa4a98fd677b836e9229422387 upstream.
wptr is a 64 bit value and we need to update the full value, not just 32 bits. Align with what we already do for KCQs.
Reviewed-by: Timur Kristóf <timur.kristof@gmail.com>
Reviewed-by: Jesse Zhang <jesse.zhang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit e80b1d1aa1073230b6c25a1a72e88f37e425ccda)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 75ebd424417022eabc2990d1065eedfd1cc5895d)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit b1f810471c6a6bd349f7f9f2f2fed96082056d46 upstream.
wptr is a 64 bit value and we need to update the full value, not just 32 bits. Align with what we already do for KCQs.
Reviewed-by: Timur Kristóf <timur.kristof@gmail.com>
Reviewed-by: Jesse Zhang <jesse.zhang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 1f16866bdb1daed7a80ca79ae2837a9832a74fbc)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 018892bd9a0c054f502c1226e24a95fdeeb928b3)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 3eb46fbb601f9a0b4df8eba79252a0a85e983044 upstream.
Kernel gfx queues do not need to be reinitialized or remapped after a reset. This fixes queue reset failures on APUs.
v2: preserve init and remap for MMIO case.
Fixes: b3e9bfd ("drm/amdgpu/gfx11: add ring reset callbacks")
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4789
Reviewed-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit b340ff216fdabfe71ba0cdd47e9835a141d08e10)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 4867b512bb7f5db2a848912d41124aa0335358c8)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 9077d32a4b570fa20500aa26e149981c366c965d upstream.
wptr is a 64 bit value and we need to update the full value, not just 32 bits. Align with what we already do for KCQs.
Reviewed-by: Timur Kristóf <timur.kristof@gmail.com>
Reviewed-by: Jesse Zhang <jesse.zhang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit a2918f958d3f677ea93c0ac257cb6ba69b7abb7c)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit d9790cf8bbe803de1fe95dc88c1eee8f5f8940b5)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit dfd64f6e8cd7b59238cdaf8af7a55711f13a89db upstream.
Kernel gfx queues do not need to be reinitialized or remapped after a reset. Align with gfx11.
v2: preserve init and remap for MMIO case.
Reviewed-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 0a6d6ed694d72b66b0ed7a483d5effa01acd3951)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 2d9bff2af0adb94fd5c60e5914dbd0c0be2d5204)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…remove
commit 8b1ecc9377bc641533cd9e76dfa3aee3cd04a007 upstream.
On APUs such as Raven and Renoir (GC 9.1.0, 9.2.2, 9.3.0), the ih1 and ih2 interrupt ring buffers are not initialized. This is by design, as these secondary IH rings are only available on discrete GPUs. See vega10_ih_sw_init() which explicitly skips ih1/ih2 initialization when AMD_IS_APU is set.
However, amdgpu_gmc_filter_faults_remove() unconditionally uses ih1 to get the timestamp of the last interrupt entry. When retry faults are enabled on APUs (noretry=0), this function is called from the SVM page fault recovery path, resulting in a NULL pointer dereference when amdgpu_ih_decode_iv_ts_helper() attempts to access ih->ring[].
The crash manifests as:
BUG: kernel NULL pointer dereference, address: 0000000000000004
RIP: 0010:amdgpu_ih_decode_iv_ts_helper+0x22/0x40 [amdgpu]
Call Trace:
amdgpu_gmc_filter_faults_remove+0x60/0x130 [amdgpu]
svm_range_restore_pages+0xae5/0x11c0 [amdgpu]
amdgpu_vm_handle_fault+0xc8/0x340 [amdgpu]
gmc_v9_0_process_interrupt+0x191/0x220 [amdgpu]
amdgpu_irq_dispatch+0xed/0x2c0 [amdgpu]
amdgpu_ih_process+0x84/0x100 [amdgpu]
This issue was exposed by commit 1446226 ("drm/amdgpu: Remove GC HW IP 9.3.0 from noretry=1") which changed the default for Renoir APU from noretry=1 to noretry=0, enabling retry fault handling and thus exercising the buggy code path.
Fix this by adding a check for ih1.ring_size before attempting to use it. Also restore the soft_ih support from commit dd29944 ("drm/amdgpu: Rework retry fault removal"). This is needed if the hardware doesn't support secondary HW IH rings.
v2: additional updates (Alex)
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3814
Fixes: dd29944 ("drm/amdgpu: Rework retry fault removal")
Reviewed-by: Timur Kristóf <timur.kristof@gmail.com>
Reviewed-by: Philip Yang <Philip.Yang@amd.com>
Signed-off-by: Jon Doron <jond@wiz.io>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 6ce8d536c80aa1f059e82184f0d1994436b1d526)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit ac251d17d8af58ddc3daba65eaf0a99e63dc4284)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit b1defcdc4457649db236415ee618a7151e28788c upstream.
The EXEC_COUNT field must be > 0. In the gfx shadow handling we always emit a cond_exec packet after the gfx_shadow packet, but the EXEC_COUNT never gets patched. This leads to a hang when we try and reset queues on gfx11 APUs.
Fixes: c68cbbf ("drm/amdgpu: cleanup conditional execution")
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4789
Reviewed-by: Jesse Zhang <Jesse.Zhang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit ba205ac3d6e83f56c4f824f23f1b4522cb844ff3)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 078377b07f8e825e6798355d5a201a5c7367bcf9)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 80f1a2c2332fee0edccd006fe87fc8a6db94bab3 upstream.
The Enable bits in CMDQV/VINTF/VCMDQ_CONFIG registers do not actually reset
the HW registers. So, the driver explicitly clears all the registers when a
VINTF or VCMDQ is being initialized calling its hw_deinit() function.
However, a userspace VCMDQ is not properly reset, unlike an in-kernel VCMDQ
getting reset in tegra241_vcmdq_hw_init().
Meanwhile, tegra241_vintf_hw_init() calling tegra241_vintf_hw_deinit() will
not deinit any VCMDQ, since there is no userspace VCMDQ mapped to the VINTF
at that stage.
Then, this may result in dirty VCMDQ registers, which can fail the VM.
Like tegra241_vcmdq_hw_init(), reset a VCMDQ in tegra241_vcmdq_hw_init() to
fix this bug. This is required by a host kernel.
Fixes: 6717f26ab1e7 ("iommu/tegra241-cmdqv: Add user-space use support")
Cc: stable@vger.kernel.org
Reported-by: Bao Nguyen <ncqb@google.com>
Signed-off-by: Nicolin Chen <nicolinc@nvidia.com>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 84df65fcfbff150ba16e6f697f0cbbdbc297ba24)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit e64d1cb21a1c6ecd51bc1c94c83f6fc656f7c94d upstream.
GPIO Address Space handler gets a pointer to the in or out value.
This value is supposed to be at least 64-bit, but it's not limited
to be exactly 64-bit. When ACPI tables are being parsed, for
the bigger Connection():s ACPICA creates a Buffer instead of regular
Integer object. The Buffer exists as long as Namespace holds
the certain Connection(). Hence we can access the necessary bits
without worrying. On the other hand, the left shift, used in
the code, is limited by 31 (on 32-bit platforms) and otherwise
considered to be Undefined Behaviour. Also the code uses only
the first 64-bit word for the value, and anything bigger than 63
will be also subject to UB. Fix all this by modifying the code
to correctly set or clear the respective bit in the bitmap constructed
of 64-bit words.
Fixes: 59084c564c41 ("gpiolib: acpi: use BIT_ULL() for u64 mask in address space handler")
Fixes: 2c4d00c ("gpiolib: acpi: Use BIT() macro to increase readability")
Cc: stable@vger.kernel.org
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://patch.msgid.link/20260128095918.4157491-1-andriy.shevchenko@linux.intel.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit f749b366b8e7934058f807688aa936686da0d196)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
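The bit handling described in the commit message above, as an added example that is not part of the commit or of gpiolib: the bit number selects a 64-bit word and a shift count that is always below 64, and anything past the buffer is rejected. All function names, the 70-pin sample and its pin levels are constructed for illustration.

```c
/* Added illustration: a bitmap built from 64-bit words. Hypothetical names. */
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define WORD_BITS 64u

/* Number of 64-bit words needed to hold nbits bits. */
size_t bitmap64_words(unsigned int nbits)
{
	return ((size_t)nbits + WORD_BITS - 1) / WORD_BITS;
}

/*
 * Set or clear one bit. The shift count is bit % 64, so it is always in
 * 0..63 and the shifted constant is 64 bits wide: no undefined behaviour,
 * unlike shifting a plain int/long by the raw bit number.
 */
bool bitmap64_assign(uint64_t *map, size_t nwords, unsigned int bit, bool on)
{
	size_t word = bit / WORD_BITS;
	uint64_t mask = UINT64_C(1) << (bit % WORD_BITS);

	if (word >= nwords)
		return false;	/* bit lies outside the caller's buffer */
	if (on)
		map[word] |= mask;
	else
		map[word] &= ~mask;
	return true;
}

bool bitmap64_test(const uint64_t *map, size_t nwords, unsigned int bit)
{
	size_t word = bit / WORD_BITS;

	if (word >= nwords)
		return false;
	return (map[word] >> (bit % WORD_BITS)) & 1u;
}

/* Model of a read: report the level of `length` pins into the value buffer. */
bool pins_to_value(const bool *levels, unsigned int length,
		   uint64_t *value, size_t nwords)
{
	if (bitmap64_words(length) > nwords)
		return false;
	for (unsigned int i = 0; i < length; i++)
		bitmap64_assign(value, nwords, i, levels[i]);
	return true;
}

/* Model of a write: drive `length` pins from the value buffer. */
bool value_to_pins(bool *levels, unsigned int length,
		   const uint64_t *value, size_t nwords)
{
	if (bitmap64_words(length) > nwords)
		return false;
	for (unsigned int i = 0; i < length; i++)
		levels[i] = bitmap64_test(value, nwords, i);
	return true;
}

/* Constructed sample: a 70-pin connection with pins 0, 33, 63, 64, 69 high. */
#define SAMPLE_PINS 70u

uint64_t sample_read_word(size_t idx)
{
	bool levels[SAMPLE_PINS] = { false };
	uint64_t value[2] = { 0, 0 };

	levels[0] = levels[33] = levels[63] = levels[64] = levels[69] = true;
	if (idx >= 2 || !pins_to_value(levels, SAMPLE_PINS, value, 2))
		return 0;
	return value[idx];
}

/* Round trip: write the same two words back and count the high pins. */
unsigned int sample_write_high_count(void)
{
	const uint64_t value[2] = { UINT64_C(0x8000000200000001), UINT64_C(0x21) };
	bool levels[SAMPLE_PINS] = { false };
	unsigned int high = 0;

	if (!value_to_pins(levels, SAMPLE_PINS, value, 2))
		return 0;
	for (unsigned int i = 0; i < SAMPLE_PINS; i++)
		high += levels[i];
	return high;
}

/* A one-word buffer cannot hold 70 pins, so the request must be refused. */
bool sample_rejects_small_buffer(void)
{
	bool levels[SAMPLE_PINS] = { false };
	uint64_t value[1] = { 0 };

	return !pins_to_value(levels, SAMPLE_PINS, value, 1);
}

int main(void)
{
	printf("word0=%#" PRIx64 " word1=%#" PRIx64 " high=%u\n",
	       sample_read_word(0), sample_read_word(1),
	       sample_write_high_count());
	return sample_rejects_small_buffer() ? 0 : 1;
}
```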
commit d70f79fef65810faf64dbae1f3a1b5623cdb2345 upstream.
glibc ≥ 2.42 (GCC 15) defaults to -std=gnu23, which promotes -Wdiscarded-qualifiers to an error.
In C23, strstr() and strchr() return "const char *".
Change variable types to const char * where the pointers are never modified (res, sym_sfx, next_path).
Suggested-by: Florian Weimer <fweimer@redhat.com>
Suggested-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
Link: https://lore.kernel.org/r/20251206092825.1471385-1-mikhail.v.gavrilov@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
[ shung-hsi.yu: needed to fix kernel build failure due to libbpf since glibc 2.43+ (which adds 'const' qualifier to strstr) ]
Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit ab21cf885fb2af179c44d8beeabd716133b9385d)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…mit)"
commit 6c65db809796717f0a96cf22f80405dbc1a31a4b upstream.
This reverts commit 604826acb3f53c6648a7ee99a3914ead680ab7fb.
Apparently there is more to supporting atomic modesetting than
providing atomic_(check|commit) callbacks. Before this revert:
WARNING: [] drivers/gpu/drm/drm_plane.c:389 at .__drm_universal_plane_init+0x13c/0x794 [drm], CPU#1: modprobe/1790
BUG: Kernel NULL pointer dereference on read at 0x00000000
.drm_atomic_get_plane_state+0xd4/0x210 [drm] (unreliable)
.drm_client_modeset_commit_atomic+0xf8/0x338 [drm]
.drm_client_modeset_commit_locked+0x80/0x260 [drm]
.drm_client_modeset_commit+0x40/0x7c [drm]
.__drm_fb_helper_restore_fbdev_mode_unlocked.part.0+0xfc/0x108 [drm_kms_helper]
.drm_fb_helper_set_par+0x8c/0xb8 [drm_kms_helper]
.fbcon_init+0x31c/0x618
[...]
.__drm_fb_helper_initial_config_and_unlock+0x474/0x7f4 [drm_kms_helper]
.drm_fbdev_client_hotplug+0xb0/0x120 [drm_client_lib]
.drm_client_register+0x88/0xe4 [drm]
.drm_fbdev_client_setup+0x12c/0x19b4 [drm_client_lib]
.drm_client_setup+0x15c/0x18c [drm_client_lib]
.nouveau_drm_probe+0x19c/0x268 [nouveau]
Fixes: 604826acb3f5 ("drm/nouveau/disp: Set drm_mode_config_funcs.atomic_(check|commit)")
Reported-by: John Ogness <john.ogness@linutronix.de>
Closes: https://lore.kernel.org/lkml/87ldhf1prw.fsf@jogness.linutronix.de
Signed-off-by: John Ogness <john.ogness@linutronix.de>
Tested-by: Daniel Palmer <daniel@thingy.jp>
Link: https://patch.msgid.link/20260130113230.2311221-1-john.ogness@linutronix.de
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 5b22c6cbabc789d1ef3165f885bd018545d3b630)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 205305c028ad986d0649b8b100bab6032dcd1bb5 upstream.
Replace comma between expressions with semicolons.
Using a ',' in place of a ';' can have unintended side effects. Although that is not the case here, it seems best to use ';' unless ',' is intended.
Found by inspection. No functional change intended. Compile tested only.
Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20251112072709.73755-1-nichen@iscas.ac.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Cc: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit edb9fab1b78c67b43e21189cf12fccab121c881d)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit a9c1fbbd6dadbaa38c157a07d5d11005460b86b9 upstream.
When a sched_ext scheduler tries to kick a CPU, the CPU may be running a higher class task. sched_ext has no control over such CPUs. A sched_ext scheduler couldn't have expected to get access to the CPU after kicking it anyway. Skip kicking when the target CPU is running a higher class.
Reviewed-by: Andrea Righi <arighi@nvidia.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Christian Loehle <christian.loehle@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 664e78f2d4ec3ea09c96ec96c0992b2f910979bb)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit a379fa1e2cae15d7422b4eead83a6366f2f445cb upstream.
SCX_KICK_WAIT is used to synchronously wait for the target CPU to complete a reschedule and can be used to implement operations like core scheduling.
This used to be implemented by scx_next_task_picked() incrementing pnt_seq, which was always called when a CPU picks the next task to run, allowing SCX_KICK_WAIT to reliably wait for the target CPU to enter the scheduler and pick the next task.
However, commit b999e36 ("sched_ext: Replace scx_next_task_picked() with switch_class()") replaced scx_next_task_picked() with the switch_class() callback, which is only called when switching between sched classes. This broke SCX_KICK_WAIT because pnt_seq would no longer be reliably incremented unless the previous task was SCX and the next task was not.
This fix leverages commit 4c95380701f5 ("sched/ext: Fold balance_scx() into pick_task_scx()") which refactored the pick path making put_prev_task_scx() the natural place to track task switches for SCX_KICK_WAIT. The fix moves pnt_seq increment to put_prev_task_scx() and also increments it in pick_task_scx() to handle cases where the same task is re-selected, whether by BPF scheduler decision or slice refill.
The semantics: If the current task on the target CPU is SCX, SCX_KICK_WAIT waits until the CPU enters the scheduling path. This provides sufficient guarantee for use cases like core scheduling while keeping the operation self-contained within SCX.
v2:
- Also increment pnt_seq in pick_task_scx() to handle same-task re-selection (Andrea Righi).
- Use smp_cond_load_acquire() for the busy-wait loop for better architecture optimization (Peter Zijlstra).
Reported-by: Wen-Fang Liu <liuwenfang@honor.com> Link: http://lkml.kernel.org/r/228ebd9e6ed3437996dffe15735a9caa@honor.com Cc: Peter Zijlstra <peterz@infradead.org> Reviewed-by: Andrea Righi <arighi@nvidia.com> Signed-off-by: Tejun Heo <tj@kernel.org> Signed-off-by: Christian Loehle <christian.loehle@arm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 01b0831d71b6d701ca6a5668ebcec6817ce39aac) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 280d654324e33f8e6e3641f76764694c7b64c5db ] In case of subflow disconnect(), which can also happen with the first subflow in case of errors like timeout or reset, mptcp_subflow_ctx_reset will reset most fields from the mptcp_subflow_context structure, including close_event_done. Then, when another subflow is closed, yet another SUB_CLOSED event for the disconnected initial subflow is sent. Because of the previous reset, there are no source address and destination port. A solution is then to also check the subflow's local id: it shouldn't be negative anyway. Another solution would be not to reset subflow->close_event_done at disconnect time, but when reused. But then, probably the whole reset could be done when being reused. Let's not change this logic, similar to TCP with tcp_disconnect(). Fixes: d82809b ("mptcp: avoid duplicated SUB_CLOSED events") Cc: stable@vger.kernel.org Reported-by: Marco Angaroni <marco.angaroni@italtel.com> Closes: multipath-tcp/mptcp_net-next#603 Reviewed-by: Geliang Tang <geliang@kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org> Link: https://patch.msgid.link/20260127-net-mptcp-dup-nl-events-v1-1-7f71e1bc4feb@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org> [ Adjust context ] Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 0d26aa84ff0b790d7c29c28c791bdf2c0ecdb57a) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
Link: https://lore.kernel.org/r/20260204143851.857060534@linuxfoundation.org Tested-by: Achill Gilgenast <achill@achill.org>= Tested-by: Brett A C Sheffield <bacs@librecast.net> Tested-by: Salvatore Bonaccorso <carnil@debian.org> Tested-by: Florian Fainelli <florian.fainelli@broadcom.com> Tested-by: Jon Hunter <jonathanh@nvidia.com> Tested-by: Justin M. Forbes <jforbes@fedoraproject.org> Tested-by: Takeshi Ogasawara <takeshi.ogasawara@futuring-girl.com> Tested-by: Peter Schneider <pschneider1968@googlemail.com> Tested-by: Luna Jernberg <droidbittin@gmail.com> Tested-by: Ron Economos <re@w6rz.net> Tested-by: Mark Brown <broonie@kernel.org> Tested-by: Brett Mastbergen <bmastbergen@ciq.com> Tested-by: Hardik Garg <hargar@linux.microsoft.com> Tested-by: Barry K. Nathan <barryn@pobox.com> Tested-by: Shung-Hsi Yu <shung-hsi.yu@suse.com> Tested-by: Dileep Malepu <dileep.debian@gmail.com> Tested-by: Miguel Ojeda <ojeda@kernel.org> Tested-by: Jeffrin Jose T <jeffrin@rajagiritech.edu.in> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit adb851edb70783e3ded28044491f5a3ed065b7b2) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[APPROVALNOTIFIER] This PR is NOT APPROVED
Pull request overview
This pull request updates the Linux kernel stable branch from version 6.18.8 to 6.18.9, incorporating 123 upstream commits. The update includes critical bug fixes, security improvements, and driver updates across multiple subsystems including networking, GPU drivers, memory management, filesystems, and Rust support.
Changes:
- Security and stability fixes in networking (MPTCP, NFC, bonding), memory management (KASAN, vmalloc, shmem), and drivers
- Bug fixes for NULL pointer dereferences, memory leaks, race conditions, and resource management issues
- Driver updates for Intel (ice, ixgbe), AMD GPU, Mellanox networking, and various other hardware
- Rust toolchain improvements and build system fixes
- Test infrastructure enhancements for MPTCP
Reviewed changes
Copilot reviewed 133 out of 133 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| Makefile | Version bump to 6.18.9 and Rust build cleanup |
| tools/testing/selftests/net/mptcp/mptcp_join.sh | Enhanced MPTCP test coverage with event validation and error handling |
| tools/lib/bpf/libbpf.c | Fix C23 compiler warnings with const qualifier usage |
| sound/soc/intel/common/soc-acpi-intel-ptl-match.c | Correct name_prefix for rt1320-2 device |
| sound/soc/intel/boards/sof_es8336.c | Fix headphone GPIO logic inversion |
| sound/soc/fsl/imx-card.c | Remove forced slot width to sample width assignment |
| sound/soc/amd/yc/acp6x-mach.c | Add DMI quirk for Acer TravelMate |
| sound/hda/codecs/realtek/alc269.c | Add quirk for HP EliteBook 630 G11 |
| scripts/package/kernel.spec | Manual debuginfo package generation for RPM |
| scripts/generate_rust_analyzer.py | Multiple Rust analyzer dependency and edition fixes |
| scripts/Makefile.vmlinux | Fix modules.builtin.modinfo permissions |
| scripts/Makefile.build | Add rustfmt config path for .rsi target |
| rust/kernel/* | Always inline functions using build_assert, fix documentation typo |
| net/* | Extensive networking fixes: MPTCP, NFC race conditions, bonding data races, BPF GSO handling |
| mm/* | Memory management fixes: KASAN vrealloc, kfence randomization, shmem swap race, memory-failure handling |
| lib/flex_proportions.c | Make fprop_new_period hardirq safe |
| kernel/sched/* | Deadline scheduler documentation and fixes, sched_ext kick improvements |
| kernel/events/* | Use is_user_task helper for perf |
| kernel/dma/* | DMA pool exhaustion vs missing pool distinction, CMA parameter handling |
| include/* | New is_user_task helper, KASAN vrealloc API, readdir d_type masking |
| fs/* | Btrfs metadata writeback fixes, bcache I/O accounting and cloning fixes, efivarfs error propagation, writeback interval handling |
| drivers/target/sbp/sbp_target.c | Fix overflow with proper u16 type usage |
| drivers/scsi/* | Memory leak fixes in be2iscsi and qla2xxx |
| drivers/pinctrl/qcom/* | Merge SM8350 LPASS LPI with SC7280, implement get_direction |
| drivers/pinctrl/* | Rockchip and Meson GPIO fixes |
| drivers/of/of_reserved_mem.c | CMA kernel parameter detection improvements |
| drivers/nvme/target/io-cmd-bdev.c | Fix race condition in bio completion |
| drivers/net/* | Multiple driver fixes: wwan overflow prevention, phy clock handling, ethernet stats, bonding use-after-free, CAN error messages |
| drivers/iommu/arm/arm-smmu-v3/tegra241-cmdqv.c | Reset VCMDQ in initialization |
| drivers/gpu/drm/* | Extensive GPU fixes: AMD PM/GMC/GFX, XE device lifecycle, DRM GEM handle validation, MSM/Nouveau/IMX fixes |
| drivers/gpio/* | Multiple GPIO fixes: ACPI handler for >64 bits, virtuser UAF, interrupt masking |
| drivers/firewire/core-transaction.c | Fix split transaction timeout race |
| drivers/bluetooth/* | Memory leak and initialization fixes |
| arch/riscv/include/asm/compat.h | Fix COMPAT_UTS_MACHINE to riscv32 |
| arch/arm64/configs/defconfig | Remove SM8350_LPASS_LPI config (merged with SC7280) |
Reviewer's Guide
Update Deepin 6.18-y kernel base to upstream Linux 6.18.9, pulling in broad subsystem fixes and small enhancements across networking (mac80211/MPTCP/NFC/bonding/mlx5/ethernet drivers), memory management (KASAN/KFENCE/vmalloc/shmem/hugetlb/memory-failure), scheduler (deadline & sched_ext), storage (bcache, btrfs, NVMe target), DRM (amdgpu/xe/imx/nouveau/msm), GPIO/pinctrl/DMA CMA, Rust tooling, and packaging, with emphasis on robustness, race fixes, and correct accounting/teardown paths.
Sequence diagram for NFC device unregister and rfkill removal
sequenceDiagram
participant Driver as nfc_driver
participant NFC as nfc_core
participant RFK as rfkill_subsystem
participant DEV as nfc_dev
Driver->>NFC: nci_unregister_device(ndev)
activate NFC
NFC->>RFK: nfc_unregister_rfkill(ndev->nfc_dev)
activate RFK
RFK->>RFK: clear RFKILL_REGISTERED flag
RFK-->>RFK: synchronize_rcu
RFK->>RFK: rfkill_unregister
RFK->>RFK: rfkill_destroy
deactivate RFK
NFC->>NFC: set_bit(NCI_UNREG, flags)
NFC->>NFC: nci_close_device(ndev)
NFC->>NFC: flush_workqueue
NFC->>NFC: cancel_delayed_work_sync
NFC->>NFC: destroy conn_info for each connection
NFC->>NFC: nfc_remove_device(ndev->nfc_dev)
NFC->>DEV: stop_polling
NFC->>DEV: nfc_deselect_target
NFC->>DEV: device_del
NFC-->>Driver: return
deactivate NFC
Class diagram for bcache detached device I/O path refactor
classDiagram
class bcache_device {
+struct gendisk* disk
+struct bio_set bio_split
+struct bio_set bio_detached
+struct cached_dev* cached()
+void cached_dev_submit_bio(bio* bio)
}
class detached_dev_io_private {
+bcache_device* d
+unsigned long start_time
+bio* orig_bio
+bio bio
+detached_dev_end_io(bio* bio)
}
class cached_dev {
+bcache_device disk
+struct block_device* bdev
+int cached_dev_get(cached_dev* dc)
+void cached_dev_submit_bio(bio* bio)
}
class bio {
+blk_status_t bi_status
+void* bi_private
+bio_end_io_t* bi_end_io
}
bcache_device o-- cached_dev : contains
detached_dev_io_private *-- bio : embeds
bcache_device ..> detached_dev_io_private : uses via bio_detached bioset
cached_dev ..> detached_dev_io_private : container_of(clone_bio)
class bcache_request_helpers {
+void detached_dev_do_request(bcache_device* d, bio* orig_bio, unsigned long start_time)
+void detached_dev_end_io(bio* bio)
}
bcache_request_helpers ..> bcache_device
bcache_request_helpers ..> detached_dev_io_private
bcache_request_helpers ..> bio
class bio_end_flow {
+unsigned long bio_start_io_acct(bio* bio)
+void bio_end_io_acct(bio* bio, unsigned long start_time)
+void bio_endio(bio* bio)
}
bio_end_flow ..> detached_dev_io_private
bio_end_flow ..> bio
%% Relations of new flow
cached_dev --> bcache_request_helpers : calls detached_dev_do_request
detached_dev_io_private --> bcache_request_helpers : calls detached_dev_end_io
Hey - I've found 1 issue
Prompt for AI Agents
Please address the comments from this code review:
## Individual Comments
### Comment 1
<location path="drivers/md/bcache/request.c" line_range="1115-1118" />
<code_context>
}
- ddip->d = d;
+ clone_bio = bio_alloc_clone(dc->bdev, orig_bio, GFP_NOIO,
+ &d->bio_detached);
+ if (!clone_bio) {
+ orig_bio->bi_status = BLK_STS_RESOURCE;
+ bio_endio(orig_bio);
+ return;
</code_context>
<issue_to_address>
**issue (bug_risk):** BIO accounting is skipped on detached I/O clone allocation failure
In `detached_dev_do_request()`, when `bio_alloc_clone()` fails you set `orig_bio->bi_status` and call `bio_endio(orig_bio)` but never call `bio_end_io_acct()`, leaving the `bio_start_io_acct()` from `cached_dev_submit_bio()` unbalanced. Please also call `bio_end_io_acct(orig_bio, start_time)` in this error path, consistent with the discard and success paths.
</issue_to_address>
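Review bot: The `if (!clone_bio)` branch needs a comment saying when it can be taken. The clone comes from the dedicated `d->bio_detached` bio_set with `GFP_NOIO`, which is a mempool-backed, blocking allocation, so a reader cannot tell from these lines whether this is a real failure path or a purely defensive one. If the branch stays, it should undo everything the submit path set up before calling `bio_endio(orig_bio)`; the lines shown only set `bi_status` and return.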
Update kernel base to 6.18.9.
git log --oneline v6.18.8..v6.18.9 |wc
123 1031 8664
Aaron Ma (1):
ice: Fix NULL pointer dereference in ice_vsi_set_napi_queues
Alex Deucher (7):
drm/amdgpu/soc21: fix xclk for APUs
drm/amdgpu/gfx10: fix wptr reset in KGQ init
drm/amdgpu/gfx11: fix wptr reset in KGQ init
drm/amdgpu/gfx11: adjust KGQ reset sequence
drm/amdgpu/gfx12: fix wptr reset in KGQ init
drm/amdgpu/gfx12: adjust KGQ reset sequence
drm/amdgpu: Fix cond_exec handling in amdgpu_ib_schedule()
Alexandre Courbot (2):
rust: bits: always inline functions using build_assert with arguments
rust: sync: refcount: always inline functions using build_assert with
arguments
Amir Goldstein (1):
readdir: require opt-in for d_type flags
Andrey Ryabinin (1):
mm/kasan: fix KASAN poisoning in vrealloc()
Andy Shevchenko (1):
gpiolib: acpi: Fix potential out-of-boundary left shift
Bard Liao (1):
ASoC: soc-acpi-intel-ptl-match: fix name_prefix of rt1320-2
Bartosz Golaszewski (2):
pinctrl: lpass-lpi: implement .get_direction() for the GPIO driver
pinctrl: meson: mark the GPIO controller as sleeping
Benjamin Berg (3):
wifi: mac80211: parse all TTLM entries
wifi: mac80211: apply advertised TTLM from association response
wifi: mac80211: correctly decode TTLM with default link map
Chen Miao (1):
kbuild: rust: clean libpin_init_internal in mrproper
Chen Ni (1):
net/sched: act_ife: convert comma to semicolon
Cosmin Ratiu (1):
net/mlx5: Initialize events outside devlink lock
Daniel Zahka (1):
net/mlx5e: don't assume psp tx skbs are ipv6 csum handling
Denis Sergeev (1):
gpiolib: acpi: use BIT_ULL() for u64 mask in address space handler
Doug Berger (1):
gpio: brcmstb: correct hwirq to bank map
Edward Cree (1):
sfc: fix deadlock in RSS config read
Eric Dumazet (2):
bonding: annotate data-races around slave->last_rx
mptcp: fix race in mptcp_pm_nl_flush_addrs_doit()
Ethan Zuo (1):
kbuild: Fix permissions of modules.builtin.modinfo
Fabio Estevam (1):
ASoC: fsl: imx-card: Do not force slot width to sample width
Fernando Fernandez Mancera (1):
ipv6: use the right ifindex when replying to icmpv6 from localhost
Gal Pressman (1):
net/mlx5e: Account for netdev stats in ndo_get_stats64
Greg Kroah-Hartman (1):
Linux 6.18.9
Han Gao (1):
riscv: compat: fix COMPAT_UTS_MACHINE definition
Hang Shu (1):
rust: rbtree: fix documentation typo in CursorMut peek_next method
Haoxiang Li (1):
scsi: be2iscsi: Fix a memory leak in beiscsi_boot_get_sinfo()
Jan Kara (1):
flex_proportions: make fprop_new_period() hardirq safe
Jane Chu (2):
mm/memory-failure: fix missing ->mf_stats count in hugetlb poison
mm/memory-failure: teach kill_accessing_process to accept hugetlb tail
page pfn
Jesse Brandeburg (1):
ice: stop counting UDP csum mismatch as rx_errors
Jia-Hong Su (1):
Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work
Jianbo Liu (1):
net/mlx5e: Skip ESN replay window setup for IPsec crypto offload
Jianpeng Chang (1):
Bluetooth: MGMT: Fix memory leak in set_ssp_complete
Jibin Zhang (1):
net: fix segmentation of forwarding fraglist GRO
Johan Hovold (2):
drm/msm/a6xx: fix bogus hwcg register updates
drm/imx/tve: fix probe device leak
John Ogness (1):
Revert "drm/nouveau/disp: Set
drm_mode_config_funcs.atomic_(check|commit)"
Jon Doron (1):
drm/amdgpu: fix NULL pointer dereference in
amdgpu_gmc_filter_faults_remove
Justin Chen (1):
net: bcmasp: fix early exit leak with fixed phy
Kairui Song (1):
mm/shmem, swap: fix race of truncate and swap entry split
Kery Qi (3):
net: wwan: t7xx: fix potential skb->frags overflow in RX path
rocker: fix memory leak in rocker_world_port_post_fini()
scsi: firewire: sbp-target: Fix overflow in sbp_make_tpg()
Kohei Enju (3):
ixgbe: fix memory leaks in the ixgbe_recovery_probe() path
ixgbe: don't initialize aci lock in ixgbe_recovery_probe()
efivarfs: fix error propagation in efivar_entry_get()
Krzysztof Kozlowski (1):
pinctrl: qcom: sm8350-lpass-lpi: Merge with SC7280 to fix I2S2 and SWR
TX pins
Kuniyuki Iwashima (2):
nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame().
nfc: nci: Fix race between rfkill and nci_unregister_device().
Laveesh Bansal (1):
writeback: fix 100% CPU usage when dirtytime_expire_interval is 0
Marc Kleine-Budde (1):
can: gs_usb: gs_usb_receive_bulk_callback(): fix error message
Mark Bloch (1):
net/mlx5e: TC, delete flows only for existing peers
Martin Kaiser (1):
net: bridge: fix static key check
Martin Larsson (1):
gpio: pca953x: mask interrupts in irq shutdown
Matthieu Baerts (NGI0) (5):
mptcp: only reset subflow errors when propagated
selftests: mptcp: check no dup close events after error
selftests: mptcp: check subflow errors in close events
selftests: mptcp: join: fix local endp not being tracked
mptcp: avoid dup SUB_CLOSED events after disconnect
Miguel Ojeda (3):
rust: kbuild: give `--config-path` to `rustfmt` in `.rsi` target
rust: sync: atomic: Provide stub for `rusttest` 32-bit hosts
drm/tyr: depend on `COMMON_CLK` to fix build error
Mikhail Gavrilov (1):
libbpf: Fix -Wdiscarded-qualifiers under C23
Ming Lei (1):
nvmet: fix race in nvmet_bio_done() leading to NULL pointer
dereference
Nathan Chancellor (1):
kbuild: rpm-pkg: Generate debuginfo package manually
Nicolin Chen (1):
iommu/tegra241-cmdqv: Reset VCMDQ in tegra241_vcmdq_hw_init_user()
Nikolay Aleksandrov (1):
bonding: fix use-after-free due to enslave fail after slave array
update
Onur Özkan (1):
scripts: generate_rust_analyzer: remove sysroot assertion
Oreoluwa Babatunde (1):
of: reserved_mem: Allow reserved_mem framework detect "cma=" kernel
param
Parav Pandit (1):
net/mlx5: Fix vhca_id access call trace use before alloc
Peter Zijlstra (2):
sched/deadline: Document dl_server
sched/deadline: Fix 'stuck' dl_server
Pimyn Girgis (1):
mm/kfence: randomize the freelist on initialization
Qu Wenruo (2):
btrfs: zlib: fix the folio leak on S390 hardware acceleration
btrfs: do not strictly require dirty metadata threshold for metadata
writepages
Robin Murphy (1):
gpio: rockchip: Stop calling pinctrl for set_direction
Sai Sree Kartheek Adivi (1):
dma/pool: distinguish between missing and exhausted atomic pools
SeungJong Ha (1):
scripts: generate_rust_analyzer: fix resolution of #[pin_data] macros
Shay Drory (1):
net/mlx5: fs, Fix inverted cap check in tx flow table root disconnect
Shida Zhang (3):
bcache: fix improper use of bi_end_io
bcache: use bio cloning for detached device requests
bcache: fix I/O accounting leak in detached_dev_do_request
Shuicheng Lin (4):
drm/xe: Skip address copy for sync-only execs
drm/xe/configfs: Fix is_bound() pci_dev lifetime
drm/xe/nvm: Manage nvm aux cleanup with devres
drm/xe/nvm: Fix double-free on aux add failure
Steven Rostedt (1):
perf: sched: Fix perf crash with new is_user_task() helper
Tagir Garaev (1):
ASoC: Intel: sof_es8336: fix headphone GPIO logic inversion
Takashi Sakamoto (1):
firewire: core: fix race condition against transaction list
Tamir Duberstein (4):
scripts: generate_rust_analyzer: Add pin_init -> compiler_builtins dep
scripts: generate_rust_analyzer: Add pin_init_internal deps
scripts: generate_rust_analyzer: compile sysroot with correct edition
scripts: generate_rust_analyzer: Add compiler_builtins -> core dep
Tejun Heo (2):
sched_ext: Don't kick CPUs running higher classes
sched_ext: Fix SCX_KICK_WAIT to work reliably
Thomas Fourier (1):
scsi: qla2xxx: edif: Fix dma_free_coherent() size
Tvrtko Ursulin (2):
drm: Do not allow userspace to trigger kernel warnings in
drm_gem_change_handle_ioctl()
drm/xe/xelp: Fix Wa_18022495364
Vivian Wang (1):
net: spacemit: Check for netif_carrier_ok() in emac_stats_update()
Wei Fang (1):
net: phy: micrel: fix clk warning when removing the driver
Yang Wang (3):
drm/amd/pm: fix race in power state check before mutex lock
drm/amd/pm: fix smu v13 soft clock frequency setting issue
drm/amd/pm: fix smu v14 soft clock frequency setting issue
Yuhao Huang (1):
gpio: virtuser: fix UAF in configfs release path
Yuntao Wang (1):
of/reserved_mem: Simplify the logic of
fdt_scan_reserved_mem_reg_nodes()
Zeng Chi (1):
net/mlx5: Fix return type mismatch in mlx5_esw_vport_vhca_id()
Zhang Heng (2):
ASoC: amd: yc: Add DMI quirk for Acer TravelMate P216-41-TCO
ALSA: hda/realtek: fix right sounds and mute/micmute LEDs for HP
machine
Zilin Guan (4):
can: at91_can: Fix memory leak in at91_can_probe()
net/mlx5: Fix memory leak in esw_acl_ingress_lgcy_setup()
octeon_ep: Fix memory leak in octep_device_setup()
net: mvpp2: cls: Fix memory leak in mvpp2_ethtool_cls_rule_ins()
robin.kuo (1):
mm, swap: restore swap_space attr aviod kernel panic
Makefile | 5 +-
arch/arm64/configs/defconfig | 1 -
arch/riscv/include/asm/compat.h | 2 +-
drivers/bluetooth/hci_ldisc.c | 4 +-
drivers/firewire/core-transaction.c | 19 +-
drivers/gpio/gpio-brcmstb.c | 8 +-
drivers/gpio/gpio-pca953x.c | 2 +
drivers/gpio/gpio-rockchip.c | 8 -
drivers/gpio/gpio-virtuser.c | 8 +-
drivers/gpio/gpiolib-acpi-core.c | 21 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c | 7 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c | 5 +-
drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 2 +-
drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 25 +-
drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c | 25 +-
drivers/gpu/drm/amd/amdgpu/soc21.c | 8 +-
drivers/gpu/drm/amd/pm/amdgpu_dpm.c | 7 +-
drivers/gpu/drm/amd/pm/swsmu/inc/smu_v13_0.h | 1 +
drivers/gpu/drm/amd/pm/swsmu/inc/smu_v14_0.h | 1 +
.../gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c | 1 +
.../gpu/drm/amd/pm/swsmu/smu14/smu_v14_0.c | 1 +
drivers/gpu/drm/drm_gem.c | 18 +-
drivers/gpu/drm/imx/ipuv3/imx-tve.c | 13 ++
drivers/gpu/drm/msm/adreno/a6xx_catalog.c | 2 -
drivers/gpu/drm/nouveau/nouveau_display.c | 2 -
drivers/gpu/drm/tyr/Kconfig | 1 +
drivers/gpu/drm/xe/xe_configfs.c | 3 +-
drivers/gpu/drm/xe/xe_device.c | 2 -
drivers/gpu/drm/xe/xe_exec.c | 6 +-
drivers/gpu/drm/xe/xe_lrc.c | 2 +-
drivers/gpu/drm/xe/xe_nvm.c | 55 +++--
drivers/gpu/drm/xe/xe_nvm.h | 2 -
.../iommu/arm/arm-smmu-v3/tegra241-cmdqv.c | 3 +
drivers/md/bcache/bcache.h | 9 +
drivers/md/bcache/request.c | 80 +++----
drivers/md/bcache/super.c | 12 +-
drivers/net/bonding/bond_main.c | 28 +--
drivers/net/bonding/bond_options.c | 8 +-
drivers/net/can/at91_can.c | 2 +-
drivers/net/can/usb/gs_usb.c | 4 +-
.../net/ethernet/broadcom/asp2/bcmasp_intf.c | 5 +-
drivers/net/ethernet/intel/ice/ice_lib.c | 10 +-
drivers/net/ethernet/intel/ice/ice_main.c | 1 -
drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 26 +--
.../net/ethernet/marvell/mvpp2/mvpp2_cls.c | 2 +-
.../ethernet/marvell/octeon_ep/octep_main.c | 2 +-
.../net/ethernet/mellanox/mlx5/core/debugfs.c | 16 ++
.../mellanox/mlx5/core/en_accel/ipsec.c | 3 +-
.../mellanox/mlx5/core/en_accel/psp_rxtx.c | 17 +-
.../net/ethernet/mellanox/mlx5/core/en_main.c | 20 +-
.../net/ethernet/mellanox/mlx5/core/en_tc.c | 19 +-
.../mellanox/mlx5/core/esw/acl/ingress_lgcy.c | 2 +-
.../net/ethernet/mellanox/mlx5/core/eswitch.h | 2 +-
.../net/ethernet/mellanox/mlx5/core/fs_cmd.c | 3 +-
.../net/ethernet/mellanox/mlx5/core/main.c | 36 +--
.../ethernet/mellanox/mlx5/core/mlx5_core.h | 1 +
.../mellanox/mlx5/core/sf/dev/driver.c | 1 +
drivers/net/ethernet/rocker/rocker_main.c | 5 +-
drivers/net/ethernet/sfc/mcdi_filters.c | 7 +-
drivers/net/ethernet/spacemit/k1_emac.c | 34 ++-
drivers/net/phy/micrel.c | 17 +-
drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c | 9 +-
drivers/nvme/target/io-cmd-bdev.c | 3 +-
drivers/of/of_reserved_mem.c | 44 ++--
drivers/pinctrl/meson/pinctrl-meson.c | 2 +-
drivers/pinctrl/pinctrl-rockchip.c | 9 +-
drivers/pinctrl/qcom/Kconfig | 15 +-
drivers/pinctrl/qcom/Makefile | 1 -
drivers/pinctrl/qcom/pinctrl-lpass-lpi.c | 17 ++
.../pinctrl/qcom/pinctrl-sc7280-lpass-lpi.c | 3 +
.../pinctrl/qcom/pinctrl-sm8350-lpass-lpi.c | 151 ------------
drivers/scsi/be2iscsi/be_mgmt.c | 1 +
drivers/scsi/qla2xxx/qla_os.c | 2 +-
drivers/target/sbp/sbp_target.c | 4 +-
fs/btrfs/disk-io.c | 22 --
fs/btrfs/extent_io.c | 3 +-
fs/btrfs/extent_io.h | 3 +-
fs/btrfs/zlib.c | 1 +
fs/efivarfs/vars.c | 2 +-
fs/fs-writeback.c | 14 +-
fs/readdir.c | 3 +
include/linux/cma.h | 9 +
include/linux/fs.h | 6 +-
include/linux/kasan.h | 14 ++
include/linux/sched.h | 5 +
include/net/bonding.h | 13 +-
include/net/nfc/nfc.h | 2 +
kernel/dma/contiguous.c | 16 +-
kernel/dma/pool.c | 7 +-
kernel/events/callchain.c | 2 +-
kernel/events/core.c | 6 +-
kernel/sched/deadline.c | 206 +++++++++++++++++
kernel/sched/ext.c | 57 +++--
kernel/sched/ext_internal.h | 6 +-
lib/flex_proportions.c | 5 +-
mm/kasan/common.c | 21 ++
mm/kfence/core.c | 23 +-
mm/memory-failure.c | 99 ++++----
mm/shmem.c | 45 +++-
mm/swap.h | 2 +-
mm/swap_state.c | 3 +-
mm/vmalloc.c | 7 +-
net/bluetooth/mgmt.c | 3 +
net/bridge/br_input.c | 2 +-
net/core/filter.c | 2 +
net/ipv4/tcp_offload.c | 3 +-
net/ipv4/udp_offload.c | 3 +-
net/ipv6/icmp.c | 4 +-
net/ipv6/tcpv6_offload.c | 3 +-
net/mac80211/ieee80211_i.h | 2 -
net/mac80211/mlme.c | 217 ++++++++++--------
net/mptcp/pm_kernel.c | 16 +-
net/mptcp/protocol.c | 13 +-
net/nfc/core.c | 27 ++-
net/nfc/llcp_commands.c | 17 +-
net/nfc/llcp_core.c | 4 +-
net/nfc/nci/core.c | 4 +-
net/sched/act_ife.c | 6 +-
rust/kernel/bits.rs | 6 +-
rust/kernel/rbtree.rs | 2 +-
rust/kernel/sync/atomic/predefine.rs | 11 +
rust/kernel/sync/refcount.rs | 3 +-
scripts/Makefile.build | 2 +-
scripts/Makefile.vmlinux | 3 +-
scripts/generate_rust_analyzer.py | 40 +++-
scripts/package/kernel.spec | 65 +++---
sound/hda/codecs/realtek/alc269.c | 1 +
sound/soc/amd/yc/acp6x-mach.c | 8 +
sound/soc/fsl/imx-card.c | 1 -
sound/soc/intel/boards/sof_es8336.c | 2 +-
.../intel/common/soc-acpi-intel-ptl-match.c | 2 +-
tools/lib/bpf/libbpf.c | 7 +-
.../testing/selftests/net/mptcp/mptcp_join.sh | 81 ++++++-
133 files changed, 1283 insertions(+), 782 deletions(-)
delete mode 100644 drivers/pinctrl/qcom/pinctrl-sm8350-lpass-lpi.c
Summary by Sourcery
Update the kernel baseline to 6.18.9 and incorporate upstream fixes across networking, storage, memory management, scheduler, tooling, and various driver subsystems.
New Features:
Bug Fixes:
Enhancements:
Build: