linux-stable.git/drivers/ntb, branch v7.0.2 Linux kernel stable tree x86-64: rename misleadingly named '__copy_user_nocache()' function 2026-04-22T11:32:21+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-03-30T17:39:09+00:00 efea91ad1729ff1853d7418e4d3bc27d085e72d0 commit d187a86de793f84766ea40b9ade7ac60aabbb4fe upstream. This function was a masterclass in bad naming, for various historical reasons. It claimed to be a non-cached user copy. It is literally _neither_ of those things. It's a specialty memory copy routine that uses non-temporal stores for the destination (but not the source), and that does exception handling for both source and destination accesses. Also note that while it works for unaligned targets, any unaligned parts (whether at beginning or end) will not use non-temporal stores, since only words and quadwords can be non-temporal on x86. The exception handling means that it _can_ be used for user space accesses, but not on its own - it needs all the normal "start user space access" logic around it. But typically the user space access would be the source, not the non-temporal destination. That was the original intention of this, where the destination was some fragile persistent memory target that needed non-temporal stores in order to catch machine check exceptions synchronously and deal with them gracefully. Thus that non-descriptive name: one use case was to copy from user space into a non-cached kernel buffer. However, the existing users are a mix of that intended use-case, and a couple of random drivers that just did this as a performance tweak. Some of those random drivers then actively misused the user copying version (with STAC/CLAC and all) to do kernel copies without ever even caring about the exception handling, _just_ for the non-temporal destination. Rename it as a first small step to actually make it halfway sane, and change the prototype to be more normal: it doesn't take a user pointer unless the caller has done the proper conversion, and the argument size is the full size_t (it still won't actually copy more than 4GB in one go, but there's also no reason to silently truncate the size argument in the caller). Finally, use this now sanely named function in the NTB code, which mis-used a user copy version (with STAC/CLAC and all) of this interface despite it not actually being a user copy at all. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit d187a86de793f84766ea40b9ade7ac60aabbb4fe upstream.

This function was a masterclass in bad naming, for various historical
reasons.

It claimed to be a non-cached user copy.  It is literally _neither_ of
those things.  It's a specialty memory copy routine that uses
non-temporal stores for the destination (but not the source), and that
does exception handling for both source and destination accesses.

Also note that while it works for unaligned targets, any unaligned parts
(whether at beginning or end) will not use non-temporal stores, since
only words and quadwords can be non-temporal on x86.

The exception handling means that it _can_ be used for user space
accesses, but not on its own - it needs all the normal "start user space
access" logic around it.

But typically the user space access would be the source, not the
non-temporal destination.  That was the original intention of this,
where the destination was some fragile persistent memory target that
needed non-temporal stores in order to catch machine check exceptions
synchronously and deal with them gracefully.

Thus that non-descriptive name: one use case was to copy from user space
into a non-cached kernel buffer.  However, the existing users are a mix
of that intended use-case, and a couple of random drivers that just did
this as a performance tweak.

Some of those random drivers then actively misused the user copying
version (with STAC/CLAC and all) to do kernel copies without ever even
caring about the exception handling, _just_ for the non-temporal
destination.

Rename it as a first small step to actually make it halfway sane, and
change the prototype to be more normal: it doesn't take a user pointer
unless the caller has done the proper conversion, and the argument size
is the full size_t (it still won't actually copy more than 4GB in one
go, but there's also no reason to silently truncate the size argument in
the caller).

Finally, use this now sanely named function in the NTB code, which
mis-used a user copy version (with STAC/CLAC and all) of this interface
despite it not actually being a user copy at all.

Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Merge tag 'kmalloc_obj-treewide-v7.0-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux 2026-02-21T19:02:58+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-02-21T19:02:58+00:00 8934827db5403eae57d4537114a9ff88b0a8460f Pull kmalloc_obj conversion from Kees Cook: "This does the tree-wide conversion to kmalloc_obj() and friends using coccinelle, with a subsequent small manual cleanup of whitespace alignment that coccinelle does not handle. This uncovered a clang bug in __builtin_counted_by_ref(), so the conversion is preceded by disabling that for current versions of clang. The imminent clang 22.1 release has the fix. I've done allmodconfig build tests for x86_64, arm64, i386, and arm. I did defconfig builds for alpha, m68k, mips, parisc, powerpc, riscv, s390, sparc, sh, arc, csky, xtensa, hexagon, and openrisc" * tag 'kmalloc_obj-treewide-v7.0-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: kmalloc_obj: Clean up after treewide replacements treewide: Replace kmalloc with kmalloc_obj for non-scalar types compiler_types: Disable __builtin_counted_by_ref for Clang 
Pull kmalloc_obj conversion from Kees Cook:
 "This does the tree-wide conversion to kmalloc_obj() and friends using
  coccinelle, with a subsequent small manual cleanup of whitespace
  alignment that coccinelle does not handle.

  This uncovered a clang bug in __builtin_counted_by_ref(), so the
  conversion is preceded by disabling that for current versions of
  clang.  The imminent clang 22.1 release has the fix.

  I've done allmodconfig build tests for x86_64, arm64, i386, and arm. I
  did defconfig builds for alpha, m68k, mips, parisc, powerpc, riscv,
  s390, sparc, sh, arc, csky, xtensa, hexagon, and openrisc"

* tag 'kmalloc_obj-treewide-v7.0-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
  kmalloc_obj: Clean up after treewide replacements
  treewide: Replace kmalloc with kmalloc_obj for non-scalar types
  compiler_types: Disable __builtin_counted_by_ref for Clang
treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21T09:02:28+00:00 Kees Cook kees@kernel.org 2026-02-21T07:49:23+00:00 69050f8d6d075dc01af7a5f2f550a8067510366f This is the result of running the Coccinelle script from scripts/coccinelle/api/kmalloc_objs.cocci. The script is designed to avoid scalar types (which need careful case-by-case checking), and instead replace kmalloc-family calls that allocate struct or union object instances: Single allocations: kmalloc(sizeof(TYPE), ...) are replaced with: kmalloc_obj(TYPE, ...) Array allocations: kmalloc_array(COUNT, sizeof(TYPE), ...) are replaced with: kmalloc_objs(TYPE, COUNT, ...) Flex array allocations: kmalloc(struct_size(PTR, FAM, COUNT), ...) are replaced with: kmalloc_flex(*PTR, FAM, COUNT, ...) (where TYPE may also be *VAR) The resulting allocations no longer return "void *", instead returning "TYPE *". Signed-off-by: Kees Cook <kees@kernel.org> 
This is the result of running the Coccinelle script from
scripts/coccinelle/api/kmalloc_objs.cocci. The script is designed to
avoid scalar types (which need careful case-by-case checking), and
instead replace kmalloc-family calls that allocate struct or union
object instances:

Single allocations:	kmalloc(sizeof(TYPE), ...)
are replaced with:	kmalloc_obj(TYPE, ...)

Array allocations:	kmalloc_array(COUNT, sizeof(TYPE), ...)
are replaced with:	kmalloc_objs(TYPE, COUNT, ...)

Flex array allocations:	kmalloc(struct_size(PTR, FAM, COUNT), ...)
are replaced with:	kmalloc_flex(*PTR, FAM, COUNT, ...)

(where TYPE may also be *VAR)

The resulting allocations no longer return "void *", instead returning
"TYPE *".

Signed-off-by: Kees Cook <kees@kernel.org>
NTB: ntb_transport: Use seq_file for QP stats debugfs 2026-02-20T22:31:55+00:00 Koichiro Den den@valinux.co.jp 2026-01-07T04:24:58+00:00 8c1f92ca8bca3ce2d2c085571af89503bc7bc7c4 The ./qp*/stats debugfs file for each NTB transport QP is currently implemented with a hand-crafted kmalloc() buffer and a series of scnprintf() calls. This is a pre-seq_file style pattern and makes future extensions easy to truncate. Convert the stats file to use the seq_file helpers via DEFINE_SHOW_ATTRIBUTE(), which simplifies the code and lets the seq_file core handle buffering and partial reads. Reviewed-by: Frank Li <Frank.Li@nxp.com> Reviewed-by: Dave Jiang <dave.jiang@intel.com> Signed-off-by: Koichiro Den <den@valinux.co.jp> Signed-off-by: Jon Mason <jdmason@kudzu.us> 
The ./qp*/stats debugfs file for each NTB transport QP is currently
implemented with a hand-crafted kmalloc() buffer and a series of
scnprintf() calls. This is a pre-seq_file style pattern and makes future
extensions easy to truncate.

Convert the stats file to use the seq_file helpers via
DEFINE_SHOW_ATTRIBUTE(), which simplifies the code and lets the seq_file
core handle buffering and partial reads.

Reviewed-by: Frank Li <Frank.Li@nxp.com>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Koichiro Den <den@valinux.co.jp>
Signed-off-by: Jon Mason <jdmason@kudzu.us>
NTB: ntb_transport: Fix too small buffer for debugfs_name 2026-02-20T22:31:55+00:00 Koichiro Den den@valinux.co.jp 2026-01-07T04:24:57+00:00 6a4b50585d74fe45d3ade1e3e86ba8aae79761a5 The buffer used for "qp%d" was only 4 bytes, which truncates names like "qp10" to "qp1" and causes multiple queues to share the same directory. Enlarge the buffer and use sizeof() to avoid truncation. Fixes: fce8a7bb5b4b ("PCI-Express Non-Transparent Bridge Support") Cc: <stable@vger.kernel.org> # v3.9+ Reviewed-by: Frank Li <Frank.Li@nxp.com> Reviewed-by: Dave Jiang <dave.jiang@intel.com> Signed-off-by: Koichiro Den <den@valinux.co.jp> Signed-off-by: Jon Mason <jdmason@kudzu.us> 
The buffer used for "qp%d" was only 4 bytes, which truncates names like
"qp10" to "qp1" and causes multiple queues to share the same directory.

Enlarge the buffer and use sizeof() to avoid truncation.

Fixes: fce8a7bb5b4b ("PCI-Express Non-Transparent Bridge Support")
Cc: <stable@vger.kernel.org> # v3.9+
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Koichiro Den <den@valinux.co.jp>
Signed-off-by: Jon Mason <jdmason@kudzu.us>
ntb/ntb_tool: correct sscanf format for u64 and size_t in tool_peer_mw_trans_write 2026-02-20T22:31:55+00:00 yangqixiao yangqixiao@inspur.com 2025-12-30T12:46:56+00:00 21fbdc4d0b1e7f9cabacc3587d07c62e01c7b5e8 The sscanf() call in tool_peer_mw_trans_write() uses "%lli:%zi" to parse user input into 'u64 addr' and 'size_t wsize'. This is incorrect: - "%lli" expects a signed long long *, but 'addr' is u64 (unsigned). Input like "0x8000000000000000" is misinterpreted as negative, leading to corrupted address values. - "%zi" expects a signed ssize_t *, but 'wsize' is size_t (unsigned). Input of "-1" is successfully parsed and stored as SIZE_MAX (e.g., 0xFFFFFFFFFFFFFFFF), which may cause buffer overflows or infinite loops in subsequent memory operations. Fix by using format specifiers that match the actual variable types: - "%llu" for u64 (supports hex/decimal, standard for kernel u64 parsing) - "%zu" for size_t (standard and safe; rejects negative input) Signed-off-by: yangqixiao <yangqixiao@inspur.com> Reviewed-by: Dave Jiang <dave.jiang@intel.com> Signed-off-by: Jon Mason <jdmason@kudzu.us> 
The sscanf() call in tool_peer_mw_trans_write() uses "%lli:%zi" to parse
user input into 'u64 addr' and 'size_t wsize'. This is incorrect:

 - "%lli" expects a signed long long *, but 'addr' is u64 (unsigned).
   Input like "0x8000000000000000" is misinterpreted as negative,
   leading to corrupted address values.

 - "%zi" expects a signed ssize_t *, but 'wsize' is size_t (unsigned).
   Input of "-1" is successfully parsed and stored as SIZE_MAX
   (e.g., 0xFFFFFFFFFFFFFFFF), which may cause buffer overflows
   or infinite loops in subsequent memory operations.

Fix by using format specifiers that match the actual variable types:
 - "%llu" for u64 (supports hex/decimal, standard for kernel u64 parsing)
 - "%zu" for size_t (standard and safe; rejects negative input)

Signed-off-by: yangqixiao <yangqixiao@inspur.com>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Jon Mason <jdmason@kudzu.us>
ntb: intel: Add Intel Gen6 NTB support for DiamondRapids 2026-02-20T22:31:55+00:00 Dave Jiang dave.jiang@intel.com 2026-01-08T21:21:01+00:00 4921811678e93a83cbfebc14814a165ae794bf1d Add DiamondRapids NTB support by adding the DID and adjust the changed PPD0 offset. Signed-off-by: Dave Jiang <dave.jiang@intel.com> Signed-off-by: Jon Mason <jdmason@kudzu.us> 
Add DiamondRapids NTB support by adding the DID and adjust the changed
PPD0 offset.

Signed-off-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Jon Mason <jdmason@kudzu.us>
NTB/msi: Remove unused functions 2026-02-20T22:31:55+00:00 Dr. David Alan Gilbert linux@treblig.org 2025-02-20T02:03:57+00:00 7bd27439a578bb7724a9f09f240337ab95d68d2b ntbm_msi_free_irq() and ntb_msi_peer_addr() were both added in 2019's commit 26b3a37b9284 ("NTB: Introduce MSI library") but have remained unused. Remove them, and the ntbm_msi_callback_match() helper that was used by ntbm_msi_free_irq(). Signed-off-by: Dr. David Alan Gilbert <linux@treblig.org> Signed-off-by: Jon Mason <jdmason@kudzu.us> 
ntbm_msi_free_irq() and ntb_msi_peer_addr() were both added in 2019's
commit 26b3a37b9284 ("NTB: Introduce MSI library")
but have remained unused.

Remove them, and the ntbm_msi_callback_match() helper that
was used by ntbm_msi_free_irq().

Signed-off-by: Dr. David Alan Gilbert <linux@treblig.org>
Signed-off-by: Jon Mason <jdmason@kudzu.us>
ntb: ntb_hw_switchtec: Increase MAX_MWS limit to 256 2026-02-20T22:31:55+00:00 Maciej Grochowski Maciej.Grochowski@sony.com 2025-02-13T22:53:19+00:00 b1f4077465b2110d8a486cd6f1aed0c2569c339a Microchip NTB switchtec devices supports up to 512 LUT's across all NT partitions. This patch enable symmetric NTB configuration to utilize all 512 memory windows across 2 peers partitions. Signed-off-by: Maciej Grochowski <Maciej.Grochowski@sony.com> Signed-off-by: Jon Mason <jdmason@kudzu.us> 
Microchip NTB switchtec devices supports up to 512 LUT's across all
NT partitions. This patch enable symmetric NTB configuration to utilize
all 512 memory windows across 2 peers partitions.

Signed-off-by: Maciej Grochowski <Maciej.Grochowski@sony.com>
Signed-off-by: Jon Mason <jdmason@kudzu.us>
ntb: ntb_hw_switchtec: Fix array-index-out-of-bounds access 2026-02-20T22:31:55+00:00 Maciej Grochowski Maciej.Grochowski@sony.com 2025-02-13T22:53:18+00:00 c8ba7ad2cc1c7b90570aa347b8ebbe279f1eface Number of MW LUTs depends on NTB configuration and can be set to MAX_MWS, This patch protects against invalid index out of bounds access to mw_sizes When invalid access print message to user that configuration is not valid. Signed-off-by: Maciej Grochowski <Maciej.Grochowski@sony.com> Signed-off-by: Jon Mason <jdmason@kudzu.us> 
Number of MW LUTs depends on NTB configuration and can be set to MAX_MWS,
This patch protects against invalid index out of bounds access to mw_sizes
When invalid access print message to user that configuration is not valid.

Signed-off-by: Maciej Grochowski <Maciej.Grochowski@sony.com>
Signed-off-by: Jon Mason <jdmason@kudzu.us>