Age | Commit message | Author
12 days | f2fs: fix potential deadlock in gc_merge path of f2fs_balance_fs() | Chao Yu

When we mount device w/ gc_merge mount option, we may suffer below potential deadlock:

Kworker:
- f2fs_write_cache_pages
- f2fs_write_single_data_page
- f2fs_do_write_data_page
- folio_start_writeback --- set writeback flag on folio
- f2fs_outplace_write_data : cached folio in internal bio cache
- f2fs_balance_fs
- wake_up(gc_thread) : wake up gc thread to run foreground GC
- finish_wait(fggc_wq) : wait on the waitqueue --- wait on GC thread to finish the work

Truncator:
- truncate_inode_pages_range
- __filemap_get_folio(, FGP_LOCK) --- lock folio
- truncate_inode_partial_folio
- folio_wait_writeback --- wait on writeback being cleared

GC thread:
- do_garbage_collect
- move_data_page
- f2fs_get_lock_data_folio
- lock on folio --- blocked on folio's lock

In order to avoid such deadlock, let's call below functions to commit cached bios in GC_MERGE path of f2fs_balance_fs() as the same as we did in NOGC_MERGE path.
- f2fs_submit_merged_write(sbi, DATA);
- f2fs_submit_all_merged_ipu_writes(sbi);

Cc: stable@kernel.org
Fixes: 351df4b20115 ("f2fs: add segment operations")
Cc: Ruipeng Qi <ruipengqi3@gmail.com>
Reported: Sandeep Dhavale <dhavale@google.com>
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Chao Yu <chaseyu@google.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
12 days | f2fs: add logs in f2fs_disable_checkpoint() | Chao Yu

In order to troubleshoot in which step we may block on during mount w/ checkpoint_disable mount option.

Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
12 days | f2fs: add iostat latency tracking for direct IO | liujinbao1

F2FS did not collect iostat latency for direct IO reads and writes, hook iomap_dio_ops.submit_io to bind an iostat context and record the submission timestamp. Replace bi_end_io with f2fs_dio_end_bio() to collect IO latency on completion before calling back to the original iomap_dio_bio_end_io(), to add iostat latency tracking support for F2FS DIO.

Signed-off-by: shengyong1 <shengyong1@xiaomi.com>
Signed-off-by: liujinbao1 <liujinbao1@xiaomi.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
12 days | f2fs: optimize representative type determination in GC | Daeho Jeong

In large section mode, do_garbage_collect() previously determined the section's representative type by looking only at the first segment of the section. However, if data was fsynced into an area previously used as a node section, and this area is recovered during roll-forward recovery after sudden power off (SPO), GC would incorrectly assume the section's type based on an empty or obsolete first segment. This caused the recovered data segment to be misunderstood as being stuck inside a node section, triggering false inconsistency panics (Inconsistent segment type in SSA and SIT) and subsequent mount failures.

This patch optimizes do_garbage_collect() to determine the section's representative type by identifying the first segment that actually contains valid blocks (valid_blocks > 0) during the main GC loop. This eliminates false alarms from empty/obsolete leading segments while maintaining strict section-level type consistency checks for genuine corruption.

Signed-off-by: Daeho Jeong <daehojeong@google.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
12 days | f2fs: Add trace_f2fs_fault_report | liujinbao1

Add trace_f2fs_fault_report to trigger reporting upon f2fs_bug_on, need_fsck, stop_checkpoint, and handle_eio. Since f2fs_bug_on and need_fsck can be triggered in hundreds of scenarios, define set_sbi_flag as a macro to help capture the effective fault function and line number.

Signed-off-by: shengyong1 <shengyong1@xiaomi.com>
Signed-off-by: liujinbao1 <liujinbao1@xiaomi.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
12 days | f2fs: annotate lockless NAT counter reads | Cen Zhang

nat_cnt[] is updated while callers hold nat_tree_lock, but F2FS samples the counters locklessly in f2fs_available_free_memory(), excess_dirty_nats(), and excess_cached_nats(). Those helpers only steer cache reclaim and background sync heuristics; they do not control NAT entry lifetime or checkpoint correctness.

Document the intent with data_race(READ_ONCE()) and a short comment instead of adding locking to the balance path.

Signed-off-by: Cen Zhang <zzzccc427@gmail.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
12 days | f2fs: annotate lockless last_time[] accesses | Cen Zhang

f2fs stores mount-wide activity timestamps in sbi->last_time[] and samples them from background discard, GC, and balance paths without a dedicated lock. The timestamps are used as best-effort heuristics to decide whether background work should run now or sleep a bit longer.

The current helpers use plain loads and stores, so KCSAN can report races between frequent foreground updates and background readers. Exact freshness is not required here, but the intentional lockless accesses should be marked explicitly.

Use WRITE_ONCE() in f2fs_update_time() and READ_ONCE() in f2fs_time_over() and f2fs_time_to_wait(). This preserves the existing heuristic behavior and avoids adding locking to hot paths.

Signed-off-by: Cen Zhang <zzzccc427@gmail.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
12 days | Merge tag 'staging-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging | Linus Torvalds

Pull staging driver updates from Greg KH:

"Here is the big set of staging driver updates for 7.2-rc1. Nothing major in here, just constant grind of tiny cleanups and coding style fixes and wrapper removals. Overall more code was removed than added, always a nice sign that things are progressing forward.

Changes outside of drivers/staging/ was due to the octeon driver changes, which for some reason also lives partially in the mips subsystem, someday that all will be untangled and cleaned up, or just removed entirely, it's hard to tell which is going to be its fate.

Other than octeon driver cleanups, in here are the usual:
- rtl8723bs driver reworking and cleanups, being the bulk of this merge window given all of the issues and wrappers involved in that beast of a driver
- most driver cleanups
- sm750fb driver cleanups (which might be done, as this really should be moved to the drm layer one of these days...)
- other tiny staging driver cleanups and fixes

All of these have been in linux-next for many weeks with no reported issues"

* tag 'staging-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: (199 commits)
  staging: most: video: avoid double free on video register failure
  staging: sm750: rename CamelCase variable Bpp to bpp
  staging: rtl8723bs: delete superfluous switch statement
  staging: sm750fb: Mark g_noaccel, g_nomtrr and g_dualview as __ro_after_init
  staging: rtl8723bs: propagate errno through hal xmit path
  staging: rtl8723bs: propagate errno through xmit enqueue path
  staging: rtl8723bs: convert rtw_xmit_classifier to return errno
  staging: rtl8723bs: make rtw_xmit_classifier static
  staging: rtl8723bs: simplify rtw_xmit_classifier control flow
  staging: rtl8723bs: make _rtw_enqueue_cmd return 0 on success
  staging: rtl8723bs: simplify rtw_enqueue_cmd control flow
  staging: rtl8723bs: make _rtw_enqueue_cmd static
  staging: rtl8723bs: simplify _rtw_enqueue_cmd control flow
  staging: rtl8723bs: fix multiple blank lines in more hal/ files
  staging: rtl8723bs: remove unused TXDESC_64_BYTES code
  staging: rtl8723bs: remove unused DBG_XMIT_BUF and DBG_XMIT_BUF_EXT code
  staging: rtl8723bs: fix multiple blank lines in hal/Hal* files
  staging: rtl8723bs: fix multiple blank lines in hal/ files
  staging: rtl8723bs: rtw_mlme: add blank line for readability
  staging: rtl8723bs: rtw_mlme: wrap rtw_sitesurvey_cmd condition
  ...
12 days | Merge tag 'char-misc-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc | Linus Torvalds

Pull misc driver updates from Greg KH:

"Here is the big set of char, misc, iio, fpga, and other small driver subsystems changes for 7.2-rc1.

Lots of little stuff in here, the majority being of course the IIO driver updates, as a list they are:
- IIO driver updates and additions
- GPIB driver bugfixes and cleanups
- Android binder driver updates (rust and C version)
- counter driver updates
- MHI driver updates
- mei driver updates
- w1 driver updates
- interconnect driver updates
- Comedi driver fixes and updates
- some obsolete char drivers removed (applicom and dtlk)
- hwtracing driver updates
- other tiny driver updates

All of these have been in linux-next for a while with no reported issues"

* tag 'char-misc-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (406 commits)
  w1: ds2482: Use named initializers for arrays of i2c_device_data
  firmware: stratix10-svc: Add support to query Arm Trusted Firmware (ATF) version
  firmware: stratix10-rsu: avoid blocking reboot_image sysfs when busy
  coresight: ultrasoc-smb: Fix OOB write in smb_sync_perf_buffer()
  iio: adc: nxp-sar-adc: harden buffer ISR against per-channel read failure
  iio: chemical: scd30: Replace manual locking with RAII locking
  iio: light: tsl2591: remove unneeded tsl2591_compatible_als_persist_cycle()
  iio: dac: ad5686: create bus ops struct
  iio: dac: ad5686: cleanup doc header of local structs
  iio: dac: ad5686: add control_sync() for single-channel devices
  iio: dac: ad5686: add helpers to handle powerdown masks
  iio: dac: ad5686: add of_match table to the spi driver
  iio: dac: ad5686: drop enum id
  iio: dac: ad5686: remove redundant register definition
  iio: dac: ad5686: refactor include headers
  iio: adc: ad4080: fix AD4880 chip ID
  iio: light: veml3328: add support for new device
  dt-bindings: iio: light: veml6030: add veml3328
  fpga: microchip-spi: fix zero header_size OOB read in mpf_ops_parse_header()
  fpga: dfl-afu: validate DMA mapping length in afu_dma_map_region()
  ...
12 days | fscrypt: Replace mk_users keyring with simple list | Eric Biggers

Change mk_users (the set of user claims to an fscrypt master key) from a 'struct key' keyring to a simple linked list. It's still a collection of 'struct key' for quota tracking.

It was originally thought to be natural that a collection of 'struct key' should be held in a 'struct key' keyring. In reality, it's just been causing problems, similar to how using 'struct key' for the filesystem keyring caused problems and was removed in commit d7e7b9af104c ("fscrypt: stop using keyrings subsystem for fscrypt_master_key").

Commit d3a7bd420076 ("fscrypt: clear keyring before calling key_put()") fixed mk_users cleanup to be synchronous. But that apparently wasn't enough: the keyring subsystem's redundant locking is still generating lockdep false positives due to the interaction with filesystem reclaim.

With the simple list, the redundant locking and lockdep issue goes away.

Of course, searching a linked list is linear-time whereas the 'struct key' keyring used a fancy constant-time associative array. But that's fine here, since in practice there's just one entry in the list. In fact the new code is much faster in practice, since it's much smaller and doesn't have to convert the kuid_t into a string to search for it.

Reported-by: syzbot+f55b043dacf43776b50c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=f55b043dacf43776b50c
Reported-by: Mohammed EL Kadiri <med08elkadiri@gmail.com>
Closes: https://lore.kernel.org/keyrings/20260614150041.21172-1-med08elkadiri@gmail.com/
Fixes: 23c688b54016 ("fscrypt: allow unprivileged users to add/remove keys for v2 policies")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260618221921.87896-1-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
12 days | fscrypt: Fix key setup in edge case with multiple data unit sizes | Eric Biggers

The addition of support for customizable data unit sizes introduced an edge case where a file's contents can be en/decrypted with the wrong data unit size. It occurs when there are multiple v2 policies that:
- Have *different* data unit sizes, via the log2_data_unit_size field
- Share the same master_key_identifier, contents_encryption_mode, and either FSCRYPT_POLICY_FLAG_DIRECT_KEY, FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32, or FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64
- Are being used on the same filesystem, which also must be mounted with the "inlinecrypt" mount option.

Fortunately this edge case doesn't actually occur in practice. I just found it via code review. But it needs to be fixed regardless.

The bug is caused by the data unit size not being fully considered when blk_crypto_keys are cached in mk_direct_keys, mk_iv_ino_lblk_32_keys, and mk_iv_ino_lblk_64_keys. They're differentiated only by master key, encryption mode, and flag. However, each one actually has a data unit size too. Only the first data unit size that is cached is used.

To fix this, start using the data unit size to differentiate the cached keys. For several reasons, including avoiding increasing the size of struct fscrypt_master_key, just replace all three arrays with a single linked list instead of changing them into two-dimensional arrays. This works well when considering that in practice at most 2 entries are used across all three arrays, so it was already mostly wasted space.

For simplicity, make the list also take over the publish/subscribe of the prepared key itself. That is, create separate list nodes for blk_crypto_keys vs crypto_skciphers, and add nodes to the list only when their key is actually prepared. (Note that the legacy fscrypt_direct_keys table in fs/crypto/keysetup_v1.c already works this way.) This eliminates the need for the additional memory barriers when reading and writing the fields of struct fscrypt_prepared_key.

Note that I technically should have included the data unit size in the HKDF info string as well. But it's too late to change that.

Fixes: 5b1188847180 ("fscrypt: support crypto data unit size less than filesystem block size")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260618180652.52742-1-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
12 days | Merge tag 'usb-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb | Linus Torvalds

Pull USB and Thunderbolt driver updates from Greg KH:

"Here is the big set of USB and Thunderbolt driver changes for 7.2-rc1.

Lots of little stuff in here, major highlights include:
- USB4STREAM support for Thunderbolt devices. A new way to send "raw" data very quickly over a USB4 connection to another system directly
- Other thunderbolt updates and changes to make the stream code work
- xhci driver updates and additions
- typec driver updates and additions
- usb gadget driver updates and fixes for reported issues
- zh_CN documentation translation of the USB documentation
- usb-serial driver updates
- dts cleanups for some USB platforms
- other minor USB driver updates and tweaks

All of these have been in linux-next for over a week with no reported issues, most of them for many many weeks"

* tag 'usb-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (131 commits)
  usb: ucsi: huawei_gaokun: support mode switching
  thunderbolt: debugfs: Fix sideband write size check
  thunderbolt: debugfs: Fix margining error counter buffer leak
  usb: host: xhci-rcar: Split R-Car Gen2 and Gen3 .plat_start() handling
  usb: host: xhci-rcar: Remove SET_XHCI_PLAT_PRIV_FOR_RCAR() macro
  usb: xhci: allocate internal DCBAA mirror dynamically
  usb: xhci: allocate DCBAA based on host controller max slots
  usb: xhci: refactor DCBAA struct
  xhci: Prevent queuing new commands if xhci is inaccessible
  xhci: dbc: detect and recover hung DbC during enumeraton
  xhci: dbc: add timestamps to DbC state changes in a new helper.
  xhci: dbc: add helper to set and clear DbC DCE enable bit
  xhci: dbc: serialize enabling and disabling dbc
  xhci: dbc: Fix sysfs ABI Documentation for xhci dbc states
  usb: xhci: Improve Soft Retries after short transfers
  usb: xhci: Remove isochronous URB_SHORT_NOT_OK handling
  usb: xhci: Remove skip_isoc_td()
  usb: xhci: Simplify xhci_quiesce()
  usb: xhci: remove legacy 'num_trbs_free' tracking
  usb: xhci: fix typo in xhci_set_port_power() comment
  ...
12 days | Merge tag 'spdx-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/spdx | Linus Torvalds

Pull SPDX updates from Greg KH:

"Here is a "big" set of SPDX-like patches for 7.2-rc1. It is the addition of the ability for the kernel build process to generate a Software Bill of Materials (SBOM) in the SPDX format, that matches up exactly with just the files that are actually built for the specific kernel image generated.

To generate a sbom, after the kernel has been built, just do:

    make sbom

and marvel at the JSON file that is generated...

This is needed by users for environments in which a SBOM is required (medical, automotive, anything shipped in the EU, etc.) and cuts down by a massive size the "naive" SBOM solution that many vendors have done by just including _all_ of the kernel files in the resulting document.

This result is still a giant JSON file, that I am told parses properly, so we just have to trust that it is properly inclusive as attempting to parse that thing by hand is impossible.

The scripts here are self-contained python scripts, no additional libraries or tools to create the SBOM are needed, which is important for many build systems. Overall it's just a bit over 4000 lines of "simple" python code, the most complex part is the regex matching lines, but those are nothing compared to what we maintain in scripts/checkpatch.pl today...

The various parts where the tool touches the kbuild subsystem have been acked by the kbuild maintainer, so all should be good here.

All of these patches have been in linux-next for weeks with no reported problems"

* tag 'spdx-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/spdx:
  scripts/sbom: add unit tests for SPDX-License-Identifier parsing
  scripts/sbom: add unit tests for command parsers
  scripts/sbom: add SPDX build graph
  scripts/sbom: add SPDX source graph
  scripts/sbom: add SPDX output graph
  scripts/sbom: collect file metadata
  scripts/sbom: add shared SPDX elements
  scripts/sbom: add JSON-LD serialization
  scripts/sbom: add SPDX classes
  scripts/sbom: add additional dependency sources for cmd graph
  scripts/sbom: add cmd graph generation
  scripts/sbom: add command parsers
  scripts/sbom: setup sbom logging
  scripts/sbom: integrate script in make process
  scripts/sbom: add documentation
12 days | perf bpf: Fix up build failure due to change of btf_vlen() return type | Mark Brown

Fix:

  util/btf.c: In function '__btf_type__find_member_by_name':
  util/btf.c:19:43: error: comparison of integer expressions of different signedness: 'int' and '__u32' {aka 'unsigned int'} [-Werror=sign-compare]
     19 |         for (i = 0, m = btf_members(t); i < btf_vlen(t); i++, m++) {
        |                                           ^
  builtin-trace.c: In function 'syscall_arg__strtoul_btf_enum':
  builtin-trace.c:967:27: error: comparison of integer expressions of different signedness: 'int' and '__u32' {aka 'unsigned int'} [-Werror=sign-compare]
    967 |         for (int i = 0; i < btf_vlen(bt); ++i, ++be) {
        |                           ^

by making the variable the same type as the function.

Committer note:

Add an extra hunk from Alan Maguire, fixing btf_enum_scnprintf().

Reviewed-by: Alan Maguire <alan.maguire@oracle.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
12 days | Merge tag 'tty-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty | Linus Torvalds

Pull tty / serial driver updates from Greg KH:

"Here is the big set of TTY and Serial driver updates for 7.2-rc1.

Overall we end up removing more code than added, due to an obsolete synclink_gt driver being removed from the tree, always a nice thing to see happen.

Other than that driver removal, major things included in here are:
- max310x serial driver updates and fixes
- 8250 driver updates and rework in places to make it more "modern"
- dts file updates
- serial driver core tweaks and updates
- vt code cleanups
- vc_screen crash fixes
- other minor driver updates and cleanups

All of these have been in linux-next for well over a week with no reported issues"

* tag 'tty-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: (49 commits)
  serial: 8250_pci: Don't specify conflicting values to pci_device_id members
  vc_screen: fix null-ptr-deref in vcs_notifier() during concurrent vcs_write
  serial: qcom_geni: Fix RX DMA stall when SE_DMA_RX_LEN_IN is zero
  vt: merge ucs_is_zero_width()/ucs_is_double_width() into ucs_get_width()
  serial: 8250: fix possible ISR soft lockup
  dt-bindings: serial: rs485: remove deprecated .txt binding stub
  serial: qcom-geni: trace: Add tracepoint support for Qualcomm GENI serial
  tty: serial: Use named initializers for arrays of i2c_device_data
  serial: 8250_dw: remove clock-notifier infrastructure
  serial: 8250_dw: unregister 8250 port if clk_notifier_register() fails
  amba/serial: amba-pl011: Bring back zx29 UART support
  serial: 8250: Add support for console flow control
  serial: 8250: Check LSR timeout on console flow control
  serial: 8250: Set cons_flow on port registration
  tty: serial: 8250: protect against NULL uart->port.dev in register
  arm64: dts: add support for A9 based Amlogic BY401
  dt-bindings: arm: amlogic: add A311Y3 support
  serial: max310x: fix compile errors if CONFIG_SPI_MASTER is disabled
  serial: qcom-geni: Avoid probing debug console UART without console support
  serial: max310x: add comments for PLL limits
  ...
13 days | Merge tag 'nf-26-06-21' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf | Jakub Kicinski

Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for net. This batches fixes for real crashes with trivial/correctness fixes. There is too a rework of the conntrack expectation timeout strategy to deal with a possible race when removing an expectation.

1) Fix the incorrect flowtable timeout extension for entries in hw offload, from Adrian Bente. This is correcting a defect in the functionality, no crash.

2) Hold reference to device under the fake dst in br_netfilter, from Haoze Xie. This is fixing a possible UaF if the device is removed while packet is sitting in nfqueue.

3) Reject template conntrack in xt_cluster, otherwise access to uninitialized conntrack fields are possible leading to WARN_ON due to unset layer 3 protocol. From Wyatt Feng.

4) Make sure the IPv6 tunnel header is in the linear skb data area before pulling. While at it remove incomplete NEXTHDR_DEST support. From Lorenzo Bianconi. This possibly leading to crash if IPv4 header is not in the linear area.

5) Use test_bit_acquire in ipset hash set to avoid reordering of subsequent memory access. This is addressing a LLM related report, no crash has been observed. From Jozsef Kadlecsik.

6) Use test_bit_acquire in ipset bitmap set too, for the same reason as in the previous patch, from Jozsef Kadlecsik.

7) Call kfree_rcu() after rcu_assign_pointer() to address a possible UaF if kfree_rcu() runs immediately, which to my understanding never happens. Never observed in practise, reported by LLM. Also from Jozsef Kadlecsik.

8) Use disable_delayed_work_sync() instead cancel_delayed_work_sync() to avoid that ipset GC handler re-queues work as reported by LLM. From Jozsef Kadlecsik. This is for correctness.

9) Restore the check in nft_payload for exceeding payload offset over 2^16. From Florian Westphal. This fixes a silent truncation, not a big deal, but better be assertive and reject it.

10) Validate NFT_META_BRI_IIFHWADDR can only run from bridge prerouting. From Florian Westphal. Harmless but it could allow to read bytes from skb->cb.

11) Zero out destination hardware address during the flowtable path setup, also from Florian. This is a correctness fix, LLM points that possible infoleak can happen but topology to achieve it is not clear.

12) Skip IPv4 options if present when building the IPV4 reject reply. Otherwise bytes in the IPv4 options header can be sent back to origin where the ICMP header is being expected. Again from Florian Westphal.

13) Replace timer API for expectation by GC worker approach. This is implicitly fixing a race between nf_ct_remove_expectations() which might fail to remove the expectation due to timer_del() returning false because timer has expired and callback is being run concurrently. This fix is addressing a crash that has been already reported with a reproducer.

14) Check if br_vlan_get_pvid_rcu() fails, otherwise possible stack infoleak of 4-bytes. From Florian Westphal.

* tag 'nf-26-06-21' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
  netfilter: nft_meta_bridge: fix NFT_META_BRI_IIFPVID stack leak
  netfilter: nf_conntrack_expect: use conntrack GC to reap expectations
  netfilter: nf_reject: skip iphdr options when looking for icmp header
  netfilter: nft_flow_offload: zero device address for non-ether case
  netfilter: nft_meta_bridge: add validate callback for get operations
  netfilter: nft_payload: reject offsets exceeding 65535 bytes
  netfilter: ipset: make sure gc is properly stopped
  netfilter: ipset: fix order of kfree_rcu() and rcu_assign_pointer()
  netfilter: ipset: Don't use test_bit() in lockless RCU readers in bitmap types
  netfilter: ipset: Don't use test_bit() in lockless RCU readers in hash types
  netfilter: flowtable: fix and simplify IP6IP6 tunnel handling
  netfilter: xt_cluster: reject template conntracks in hash match
  netfilter: nf_queue: pin bridge device while NFQUEUE holds fake dst
  netfilter: flowtable: fix offloaded ct timeout never being extended
====================

Link: https://patch.msgid.link/20260620222738.112506-1-pablo@netfilter.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
13 days | ASoC: cs530x: Fix expected MCLK rates for CS5302/4/8 | Ahmad Fatoum

When this driver was first added, it accepted rates of 24.56 MHz and 22.572 MHz for the MCLK when PLL bypass is enabled.

These rates seem to have no basis in the datasheets and were thus replaced with 45.1584 MHz and 49.152 MHz, respectively, in commit e7ab858390f2 ("ASoC: cs530x: Correct MCLK reference frequency values").

While the new rates are indeed correct for the CS4xxx ICs[0][1][2][3], they are incorrect for the CS530x ICs the driver was originally written to support as the MCLK frequencies are halved there[4][5][6].

Fix this by checking against the correct type-appropriate rates.

While at it, drop the CS530X_SYSCLK_REF_* macros. They arguably confuse more than they help, especially as they are not applicable to the cs5302/4/8.

[0]: https://statics.cirrus.com/pubs/proDatasheet/CS4282P_DS1318F1.pdf
[1]: https://statics.cirrus.com/pubs/proDatasheet/CS4302P_DS1315F1.pdf
[2]: https://statics.cirrus.com/pubs/proDatasheet/CS4304P_DS1316F1.pdf
[3]: https://statics.cirrus.com/pubs/proDatasheet/CS4308P_DS1317F1.pdf
[4]: https://statics.cirrus.com/pubs/proDatasheet/CS5302P_DS1312F1.pdf
[5]: https://statics.cirrus.com/pubs/proDatasheet/CS5304P_DS1313F1.pdf
[6]: https://statics.cirrus.com/pubs/proDatasheet/CS5308P_DS1314F1.pdf

Fixes: 2884c29152c0 ("ASoC: cs530x: Support for cs530x ADCs")
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Reviewed-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Link: https://patch.msgid.link/20260617-cs530x-mclk-v1-1-0215b5f1a0a4@pengutronix.de
Signed-off-by: Mark Brown <broonie@kernel.org>
13 days | Merge tag 'i2c-7.2-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/andi.shyti/linux | Linus Torvalds

Pull more i2c updates from Andi Shyti:

"Cleanups:
- generic cleanups in qcom, qcom-cci and pxa, plus core cleanups in algo-bit and atr

Fixes:
- davinci: clean up cpufreq notifier on probe failure
- imx-lpi2c: suspend the adapter while hardware is powered down
- ls2x-v2: return IRQ_HANDLED after servicing error interrupts
- stm32f7: fix timing calculation accuracy

DT bindings:
- microchip: permit resets
- i2c-mux-pinctrl: update maintainer entry
- i2c-mux-reg: convert bindings to DT schema"

* tag 'i2c-7.2-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/andi.shyti/linux:
  i2c: pxa: Use named initializers for the platform_device_id array
  i2c: imx-lpi2c: mark I2C adapter when hardware is powered down
  i2c: stm32f7: truncate clock period instead of rounding it
  dt-bindings: i2c: microchip,corei2c: permit resets
  i2c: qcom: Unify user-visible "Qualcomm" name
  i2c: ls2x-v2: return IRQ_HANDLED after servicing an error
  i2c: atr: annotate i2c_atr_adap_desc->aliases with __counted_by_ptr
  i2c: algo: bit: use str_plural helper in bit_xfer
  dt-bindings: i2c: i2c-mux-pinctrl: change maintainer
  dt-bindings: i2c: convert i2c-mux-reg to DT schema
  i2c: davinci: Unregister cpufreq notifier on probe failure
  i2c: qcom-cci: Remove overcautious disable_irq() calls
  i2c: qcom-cci: Move cci_init() under cci_reset() function
  i2c: qcom-cci: Do not check return value of cci_init()
13 days | Merge tag 'i3c/for-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/i3c/linux | Linus Torvalds

Pull i3c updates from Alexandre Belloni:

"This cycle, there was a lot of work around the mipi-i3c-hci driver that also led to improvements of the core. We also have support for a new SoC, the Microchip SAMA7D65. And of course, there are small fixes for the other controller drivers.

Subsystem:
- introduce dynamic address reconciliation after DAA
- add preliminary API for hub support
- fixes for dev_nack_retry_count handling
- move hot-join support in the core instead of open coding in different drivers

Drivers:
- mipi-i3c-hci-pci: DMA abort, recovery and related improvements, hot-join support, Microchip SAMA7D65 support, fix possible race in IBI handling
- dw-i3c-master: fix IBI count register selection for versalnet
- svc: interrupt handling fixes for NPCM845"

* tag 'i3c/for-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/i3c/linux: (45 commits)
  i3c: mipi-i3c-hci: Use named initializers for platform_device_id's .driver_data
  i3c: master: Use unsigned int for dev_nack_retry_count consistently
  i3c: master: Add missing runtime PM get in dev_nack_retry_count_store()
  i3c: master: Update dev_nack_retry_count under maintenance lock
  i3c: master: Expose the APIs to support I3C hub
  i3c: master: rename i3c_master_reattach_i3c_dev() to *_locked
  i3c: mipi-i3c-hci: add microchip sama7d65 SoC compatible with the required quirk
  dt-bindings: i3c: mipi-i3c-hci: add Microchip SAMA7D65 compatible
  i3c: Consistently define pci_device_ids using named initializers
  i3c: master: Reconcile dynamic addresses after DAA
  i3c: master: Move DAA API functions after i3c_master_add_i3c_dev_locked()
  i3c: master: Make i3c_master_add_i3c_dev_locked() return void
  i3c: mipi-i3c-hci: Tolerate i3c_master_add_i3c_dev_locked() failures in DAA
  i3c: master: Prevent reuse of dynamic address on device add failure
  i3c: mipi-i3c-hci: Ignore DISEC failures when disabling IBIs
  i3c: mipi-i3c-hci: Fix race in i3c_hci_addr_to_dev()
  i3c: mipi-i3c-hci: Add Hot-Join support
  i3c: master: Export i3c_master_enec_disec_locked()
  i3c: master: Defer new-device registration out of DAA caller context
  i3c: dw: Drop redundant Hot-Join cancel_work_sync() in shutdown
  ...
13 days | irqchip/imgpdc: Fix resource leak, add missing chained handler cleanup on remove | Qingshuang Fu

The driver allocates domain generic chips using irq_alloc_domain_generic_chips() during probe and sets up chained handlers using irq_set_chained_handler_and_data(). However, on driver removal, the generic chips are not freed and the chained handlers are not removed.

The generic chips remain on the global gc_list and may later be accessed by generic interrupt chip suspend, resume, or shutdown callbacks after the driver has been removed, potentially resulting in a use-after-free and kernel crash.

The chained handlers that were installed in probe for peripheral and syswake interrupts are also left dangling, which can lead to spurious interrupts accessing freed memory.

Fix these issues by:
- Setting IRQ_DOMAIN_FLAG_DESTROY_GC flag in domain->flags, so the core code automatically removes generic chips when irq_domain_remove() is called
- Clearing all chained handlers with NULL in pdc_intc_remove()

Fixes: b6ef9161e43a ("irq-imgpdc: add ImgTec PDC irqchip driver")
Signed-off-by: Qingshuang Fu <fuqingshuang@kylinos.cn>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260618021352.661773-1-fffsqian@163.com
13 dayssched_ext: Move sources under kernel/sched/ext/Tejun Heo
The sched_ext sources had grown to ten ext* files directly under kernel/sched/. Move them into a new kernel/sched/ext/ subdirectory and drop the now-redundant ext_ prefix. ext.c/h keep their names.
  kernel/sched/ext.{c,h} -> kernel/sched/ext/ext.{c,h}
  kernel/sched/ext_internal.h -> kernel/sched/ext/internal.h
  kernel/sched/ext_types.h -> kernel/sched/ext/types.h
  kernel/sched/ext_idle.{c,h} -> kernel/sched/ext/idle.{c,h}
  kernel/sched/ext_cid.{c,h} -> kernel/sched/ext/cid.{c,h}
  kernel/sched/ext_arena.{c,h} -> kernel/sched/ext/arena.{c,h}
The include paths in build_policy.c and sched.h, the MAINTAINERS glob, and a few documentation and comment references are updated to match. No code or symbol changes. Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> Reviewed-by: Andrea Righi <arighi@nvidia.com> Signed-off-by: Tejun Heo <tj@kernel.org>
13 daysMerge tag 'slab-for-7.2-part2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/vbabka/slab
Pull more slab updates from Vlastimil Babka:
- Introduce and wire up a new alloc_flags parameter for modifying slab-specific behavior without adding or reusing gfp flags. Also introduce slab_alloc_context to keep function parameter bloat in check. Both are similar to what the page allocator does. kmalloc_flags() exposes alloc_flags for mm-internal users.
- SLAB_ALLOC_NOLOCK flag is used to implement kmalloc_nolock() behavior without relying on lack of __GFP_RECLAIM, which caused false positives with workarounds like fd3634312a04 ("debugobject: Make it work with deferred page initialization - again").
- SLAB_ALLOC_NO_RECURSE replaces __GFP_NO_OBJ_EXT, which could have been removed, but pending memory allocation profiling changes in mm tree have grown a new user - there is however a work ongoing to replace that too, so __GFP_NO_OBJ_EXT should eventually be removed. (Vlastimil Babka)
- Add kmem_buckets_alloc_track_caller() with a user to be added in the net tree (Pedro Falcato)
- Fixes for kernel-doc and slabinfo (Randy Dunlap, Yichong Chen)
* tag 'slab-for-7.2-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/vbabka/slab:
  tools/mm/slabinfo: fix total_objects attribute name
  slab: recognize @GFP parameter as optional in kernel-doc
  mm/slab: add a node-track-caller variant for kmem buckets allocation
  mm/slab: replace __GFP_NO_OBJ_EXT with SLAB_ALLOC_NO_RECURSE for sheaves
  mm/slab: remove __GFP_NO_OBJ_EXT usage from alloc_slab_obj_exts()
  mm/slab: introduce kmalloc_flags()
  mm/slab: allow __GFP_NOMEMALLOC and __GFP_NOWARN for kmalloc_nolock()
  mm/slab: pass slab_alloc_context to __do_kmalloc_node()
  mm/slab: allow kmem_cache_alloc_bulk() with any gfp flags
  mm/slab: replace slab_alloc_node() parameters with slab_alloc_context
  mm/slab: pass alloc_flags through slab_post_alloc_hook() chain
  mm/slab: pass alloc_flags to new slab allocation
  mm/slab: add alloc_flags to slab_alloc_context
  mm/slab: replace struct partial_context with slab_alloc_context
  mm/slab: introduce alloc_flags and SLAB_ALLOC_NOLOCK
  mm/slab: introduce slab_alloc_context
  mm/slab: stop inlining __slab_alloc_node()
  mm/slab: do not init any kfence objects on allocation
13 daysMerge tag 'hyperv-next-signed-20260621' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux
Pull hyperv updates from Wei Liu:
- Use wakeup mailbox to boot APs in Hyper-V VTL2 TDX guests (Yunhong Jiang, Ricardo Neri)
- Move the Hyper-V IOMMU to its own subdirectory (Mukesh Rathor)
- Cosmetic changes to mshv and balloon driver (Junrui Luo, Markus Elfring)
* tag 'hyperv-next-signed-20260621' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux:
  mshv: add bounds check on vp_index in mshv_intercept_isr()
  hv_balloon: Simplify data output in hv_balloon_debug_show()
  x86/hyperv: Cosmetic changes in irqdomain.c for readability
  iommu/hyperv: Create hyperv subdirectory under drivers/iommu
  x86/hyperv/vtl: Use the wakeup mailbox to boot secondary CPUs
  x86/hyperv/vtl: Mark the wakeup mailbox page as private
  x86/acpi: Add a helper to get the address of the wakeup mailbox
  x86/hyperv/vtl: Setup the 64-bit trampoline for TDX guests
  x86/realmode: Make the location of the trampoline configurable
  x86/hyperv/vtl: Set real_mode_header in hv_vtl_init_platform()
  x86/dt: Parse the Wakeup Mailbox for Intel processors
  dt-bindings: reserved-memory: Wakeup Mailbox for Intel processors
  x86/acpi: Add functions to setup and access the wakeup mailbox
  x86/topology: Add missing struct declaration and attribute dependency
13 daysMerge tag 's390-7.2-2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux
Pull more s390 updates from Alexander Gordeev:
- consolidate s390 idle time accounting by moving all CPU time tracking to the architecture backend and eliminate the mix of architecture-specific and common code accounting
- Add missing EXPORT_SYMBOL_GPL() to kcpustat_field_idle() and kcpustat_field_iowait() functions
- Finalize ptep_get() conversion by replacing direct page table entry dereferencing with proper accessors (ptep_get(), pmdp_get(), etc.)
- Explicitly check the buffer length in PKEY_VERIFYPROTK ioctl and pkey_pckmo implementations and fail if the length is exceeded
* tag 's390-7.2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
  s390/pkey: Check length in pkey_pckmo handler implementation
  s390/pkey: Check length in PKEY_VERIFYPROTK ioctl
  s390/idle: Add missing EXPORT_SYMBOL_GPL()
  s390/mm: Complete ptep_get() conversion
  s390/idle: Remove idle time and count sysfs files
  s390/idle: Provide arch specific kcpustat_field_idle()/kcpustat_field_iowait()
  s390/irq/idle: Use stcke instead of stckf for time stamps
  s390/timex: Move union tod_clock type to separate header
13 daysdebugobjects: Plug race against a concurrent OOM disableThomas Gleixner
syzbot reported a puzzling splat:
  WARNING: kernel/time/hrtimer.c:443 at stub_timer+0xa/0x20
stub_timer() is installed as timer callback function in hrtimer_fixup_assert_init(), which is invoked when debug_object_assert_init() can't find a shadow object. In that case debug objects emits a warning about it before invoking the fixup. Though the provided console log lacks this warning and instead has the following a few seconds before the splat:
  ODEBUG: Out of memory. ODEBUG disabled
So the object was looked up in debug_object_assert_init() and the lookup failed due to a concurrent out of memory situation which disabled debug objects and freed the shadow objects:
  debug_object_assert_init()
    if (!debug_objects_enabled)
        return;
                                        obj = alloc();
                                        if (!obj) {   // Out of memory
                                            debug_objects_enabled = false;
                                            free_objects();
    obj = lookup_or_alloc();
    // The lookup failed because the other side
    // removed the objects, so this returns
    // an error code as the object in question
    // is not statically initialized
    if (!IS_ERR_OR_NULL(obj))
        return;
    if (!obj) {
        debug_oom();
        return;
    }
    print(...)
        if (!debug_objects_enabled)
            return;
    fixup(...)
The debug object splat is skipped because debug_objects_enabled is false, but the fixup callback is invoked unconditionally, which makes the timer dysfunctional. This is only a problem in debug_object_assert_init() and debug_object_activate() as both have to handle statically initialized objects and therefore must handle the error pointer return case gracefully. All other places only handle the found/not found case and the NULL pointer return is a signal for OOM. Otherwise they get a valid shadow object. Plug the hole by checking whether debug objects are still enabled before invoking the print and fixup function in those two places.
Fixes: b84d435cc228 ("debugobjects: Extend to assert that an object is initialized") Reported-by: syzbot+5e8dda76ca21dae314b6@syzkaller.appspotmail.com Signed-off-by: Thomas Gleixner <tglx@kernel.org> Cc: stable@vger.kernel.org Link: https://patch.msgid.link/874iiwlzlb.ffs@fw13
13 daystime: Fix off-by-one in compat settimeofday() usec validationWang Yan
The compat version of settimeofday() uses '>' instead of '>=' when validating tv_usec against USEC_PER_SEC, allowing the value 1000000 to pass the check. After the subsequent conversion to nanoseconds (tv_nsec *= NSEC_PER_USEC), this results in tv_nsec == NSEC_PER_SEC, which violates the timespec invariant that tv_nsec must be strictly less than NSEC_PER_SEC. The native settimeofday() was already fixed in commit ce4abda5e126 ("time: Fix off-by-one in settimeofday() usec validation"), but the compat counterpart was missed. Fix it by using '>=' to reject tv_usec values outside the valid range [0, USEC_PER_SEC - 1]. Fixes: 5e0fb1b57bea ("y2038: time: avoid timespec usage in settimeofday()") Signed-off-by: Wang Yan <wangyan01@kylinos.cn> Signed-off-by: Thomas Gleixner <tglx@kernel.org> Acked-by: Arnd Bergmann <arnd@arndb.de> Cc: stable@vger.kernel.org Link: https://patch.msgid.link/20260622103348.120255-1-wangyan01@kylinos.cn
13 daysALSA: hda/realtek: Fix noisy mic for Clevo V6xxAWAaron Erhardt
Add a PCI quirk to reduce the volume of the internal microphone to prevent extremely noisy signal. Signed-off-by: Aaron Erhardt <aer@tuxedocomputers.com> Signed-off-by: Werner Sembach <wse@tuxedocomputers.com> Cc: stable@vger.kernel.org Link: https://patch.msgid.link/20260519155047.106096-1-wse@tuxedocomputers.com Signed-off-by: Takashi Iwai <tiwai@suse.de>
13 dayserofs: handle 48-bit blocks_hi for compressed inodesZhan Xusheng
Combine i_nb.blocks_hi with i_u.blocks_lo when computing inode->i_blocks for compressed inodes, mirroring the startblk_hi handling for unencoded inodes a few lines above. Also evaluate the shift in u64 to avoid truncation. Fixes: efb2aef569b3 ("erofs: add encoded extent on-disk definition") Fixes: 1d191b4ca51d ("erofs: implement encoded extent metadata") Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com> Signed-off-by: Zhan Xusheng <zhanxusheng@xiaomi.com> Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
13 daysdrm/sysfb: Avoid truncating maximum strideThomas Zimmermann
Passing a maximum as 64-bit type to drm_sysfb_get_validated_int0() can truncate the value to 32 bits. Use drm_sysfb_get_validated_size0(), which uses 64-bit arithmetics. Then test the returned stride against the limits of int to avoid truncations in the returned value. A valid stride is in the range of [1, INT_MAX] inclusive. Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de> Reported-by: Sashiko <sashiko-bot@kernel.org> Closes: https://lore.kernel.org/dri-devel/20260617114016.5A5991F000E9@smtp.kernel.org/ Fixes: 32ae90c66fb6 ("drm/sysfb: Add efidrm for EFI displays") Fixes: a84eb6abe2b6 ("drm/sysfb: Add vesadrm for VESA displays") Cc: Thomas Zimmermann <tzimmermann@suse.de> Cc: Javier Martinez Canillas <javierm@redhat.com> Cc: dri-devel@lists.freedesktop.org Cc: <stable@vger.kernel.org> # v6.16+ Reviewed-by: Javier Martinez Canillas <javierm@redhat.com> Link: https://patch.msgid.link/20260618084327.46567-5-tzimmermann@suse.de
13 daysdrm/sysfb: Return errno code from drm_sysfb_get_visible_size()Thomas Zimmermann
Change the return type of drm_sysfb_get_visible_size() to s64 so that it returns a possible errno code from _get_validated_size0(). Fix callers to handle the errno code. The currently returned unsigned type converts an errno code to a very large size value, which drivers interpret as visible size of the system framebuffer. Later efforts to reserve the framebuffer resource fail. The bug has been present since efidrm and vesadrm got merged. It was then part of each driver. Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de> Fixes: 32ae90c66fb6 ("drm/sysfb: Add efidrm for EFI displays") Fixes: a84eb6abe2b6 ("drm/sysfb: Add vesadrm for VESA displays") Reviewed-by: Javier Martinez Canillas <javierm@redhat.com> Cc: Thomas Zimmermann <tzimmermann@suse.de> Cc: Javier Martinez Canillas <javierm@redhat.com> Cc: dri-devel@lists.freedesktop.org Cc: <stable@vger.kernel.org> # v6.16+ Link: https://patch.msgid.link/20260618084327.46567-4-tzimmermann@suse.de
13 daysdrm/sysfb: Avoid possible truncation with calculating visible sizeThomas Zimmermann
Calculating the visible size of the system framebuffer can result in truncation of the result. The calculation uses 32-bit arithmetics, which can overflow if the values for height and stride are large. Fix the issue by multiplying with mul_u32_u32(). Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de> Fixes: 32ae90c66fb6 ("drm/sysfb: Add efidrm for EFI displays") Fixes: a84eb6abe2b6 ("drm/sysfb: Add vesadrm for VESA displays") Reported-by: Sashiko <sashiko-bot@kernel.org> Closes: https://lore.kernel.org/dri-devel/20260617114027.1F2A71F000E9@smtp.kernel.org/ Cc: Thomas Zimmermann <tzimmermann@suse.de> Cc: Javier Martinez Canillas <javierm@redhat.com> Cc: dri-devel@lists.freedesktop.org Cc: <stable@vger.kernel.org> # v6.16+ Reviewed-by: Javier Martinez Canillas <javierm@redhat.com> Link: https://patch.msgid.link/20260618084327.46567-3-tzimmermann@suse.de
13 daysdrm/sysfb: Do not page-align visible size of the framebufferThomas Zimmermann
Only return the actually visible size of the system framebuffer in drm_sysfb_get_visible_size_si(). Drivers use this size value for reserving access to framebuffer memory. Increasing the value can make later attempts to do so fail. Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de> Fixes: 32ae90c66fb6 ("drm/sysfb: Add efidrm for EFI displays") Fixes: a84eb6abe2b6 ("drm/sysfb: Add vesadrm for VESA displays") Reviewed-by: Javier Martinez Canillas <javierm@redhat.com> Cc: Thomas Zimmermann <tzimmermann@suse.de> Cc: Javier Martinez Canillas <javierm@redhat.com> Cc: dri-devel@lists.freedesktop.org Cc: <stable@vger.kernel.org> # v6.16+ Link: https://patch.msgid.link/20260618084327.46567-2-tzimmermann@suse.de
13 daysALSA: hda/realtek: Add LED fixup for HP EliteBook 6 G2i LaptopsDirk Su
The HP EliteBook 6 G2i laptops require the specific LED control method ALC236_FIXUP_HP_GPIO_LED to work. Signed-off-by: Dirk Su <dirk.su@canonical.com> Link: https://patch.msgid.link/20260622072019.56351-1-dirk.su@canonical.com Signed-off-by: Takashi Iwai <tiwai@suse.de>
13 daysALSA: hda/realtek: Add quirk for Lenovo Yoga 7 16IAP7Chris Aherin
The Yoga 7 16IAP7 (board LNVNB161216, codec SSID 17aa:386a) has pin complex 0x17 (bass speakers) wrongly reported as unconnected, causing only one of four speaker pins (0x14) to be configured and resulting in mono/tinny audio. SOF corrupts the PCI subsystem ID to 17aa:0000, preventing SND_PCI_QUIRK from matching. HDA_CODEC_QUIRK is used instead, which matches against codec->core.subsystem_id read directly from the HDA codec register and unaffected by the SOF bug. Applies ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN, the same fixup used for the Yoga 7 14IAL7, which corrects pin 0x17's default configuration and enables both speaker pairs. Signed-off-by: Chris Aherin <chrisaherin@gmail.com> Link: https://patch.msgid.link/20260622001210.20553-1-chrisaherin@gmail.com Signed-off-by: Takashi Iwai <tiwai@suse.de>
13 daysdrm/edid: fix OOB read in drm_parse_tiled_block()Xiang Mei
drm_parse_tiled_block() casts the DisplayID block to a struct displayid_tiled_block and reads the full fixed layout up to tile->topology_id[7] without checking block->num_bytes. The DisplayID iterator only validates the declared payload length, so a crafted EDID can advertise a tiled-display block (tag DATA_BLOCK_TILED_DISPLAY, or DATA_BLOCK_2_TILED_DISPLAY_TOPOLOGY for v2.0) with a small num_bytes at the end of a DisplayID extension. The read then runs past the end of the exact-sized kmemdup()'d EDID allocation, a heap out-of-bounds read. Reject blocks shorter than the spec's 22-byte tiled payload before reading the fixed struct, as drm_parse_vesa_mso_data() already does.
  BUG: KASAN: slab-out-of-bounds in drm_edid_connector_update
  Read of size 2 at addr ffff888010077700 by task exploit/147
  dump_stack_lvl (lib/dump_stack.c:94 ...)
  print_report (mm/kasan/report.c:378 ...)
  kasan_report (mm/kasan/report.c:595)
  drm_edid_connector_update (drivers/gpu/drm/drm_edid.c:7581)
  bochs_connector_helper_get_modes (drivers/gpu/drm/tiny/bochs.c:574)
  drm_helper_probe_single_connector_modes (drivers/gpu/drm/drm_probe_helper.c:426)
  status_store (drivers/gpu/drm/drm_sysfs.c:219)
  ...
  vfs_write (fs/read_write.c:595 fs/read_write.c:688)
  ksys_write (fs/read_write.c:740)
Fixes: 40d9b043a89e ("drm/connector: store tile information from displayid (v3)") Reported-by: Weiming Shi <bestswngs@gmail.com> Assisted-by: Claude:claude-opus-4-8 Signed-off-by: Xiang Mei <xmei5@asu.edu> Reviewed-by: Jani Nikula <jani.nikula@intel.com> Link: https://patch.msgid.link/20260615184737.899892-1-xmei5@asu.edu Signed-off-by: Jani Nikula <jani.nikula@intel.com>
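The two-level length check described in the drm/edid commit above, as an added userspace C example (not the kernel's code): the iterator-level check passes for a short block at the end of the buffer, while the fixed-layout read would still run past the end. The field offsets, function names, tag value and sample buffers are assumptions constructed for illustration; only the 22-byte minimum comes from the commit message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DID_HDR_LEN        3u  /* tag, revision, num_bytes */
#define DID_TILED_PAYLOAD 22u  /* minimum tiled payload named in the commit message */
#define TILED_FIXED_LEN   21u  /* cap..topology_id[7] in the layout assumed here */

/* Fields this example extracts; offsets are assumed for illustration. */
struct tile_info {
	uint8_t cap;
	uint8_t topology_id[8];
};

/* Constructed sample: complete tiled block, 3-byte header + 22-byte payload. */
const uint8_t FULL_BLOCK[] = {
	0x12, 0x00, 22,                 /* tag (constructed value), rev, num_bytes */
	0x80,                           /* capabilities */
	0x10, 0x00, 0x00,               /* topology */
	0x7f, 0x07, 0x37, 0x04,         /* tile size */
	0x00, 0x00, 0x00, 0x00, 0x00,   /* bezel */
	1, 2, 3, 4, 5, 6, 7, 8,         /* topology id */
	0x00,
};

/* Constructed sample: same tag, 2 payload bytes, ending exactly at the buffer end. */
const uint8_t SHORT_BLOCK[] = { 0x12, 0x00, 2, 0x80, 0x10 };

/* Constructed sample: declares 22 payload bytes, but the buffer holds one. */
const uint8_t LYING_BLOCK[] = { 0x12, 0x00, 22, 0x80 };

/* Iterator-level check: header and *declared* payload lie inside buf. */
int did_block_in_bounds(const uint8_t *buf, size_t len, size_t off)
{
	if (off > len || len - off < DID_HDR_LEN)
		return 0;
	return (size_t)buf[off + 2] <= len - off - DID_HDR_LEN;
}

/* Bytes a fixed-layout read with no num_bytes check would touch past the
 * end of the buffer. Computes the overrun instead of performing it. */
size_t tiled_overread_bytes(size_t len, size_t off)
{
	size_t end = off + DID_HDR_LEN + TILED_FIXED_LEN;

	return end > len ? end - len : 0;
}

/* Hardened parse: both checks must pass before any fixed field is read. */
int parse_tiled_block(const uint8_t *buf, size_t len, size_t off,
		      struct tile_info *out)
{
	const uint8_t *p;

	if (!did_block_in_bounds(buf, len, off))
		return -1;              /* declared payload exceeds the buffer */
	if (buf[off + 2] < DID_TILED_PAYLOAD)
		return -2;              /* too short for the fixed tiled layout */

	p = buf + off + DID_HDR_LEN;
	out->cap = p[0];
	memcpy(out->topology_id, p + 13, sizeof(out->topology_id));
	return 0;
}

int main(void)
{
	struct tile_info t;

	printf("short block passes iterator check: %d\n",
	       did_block_in_bounds(SHORT_BLOCK, sizeof SHORT_BLOCK, 0));
	printf("unchecked read would overrun by:   %zu bytes\n",
	       tiled_overread_bytes(sizeof SHORT_BLOCK, 0));
	printf("hardened parse, short block:       %d\n",
	       parse_tiled_block(SHORT_BLOCK, sizeof SHORT_BLOCK, 0, &t));
	printf("hardened parse, lying block:       %d\n",
	       parse_tiled_block(LYING_BLOCK, sizeof LYING_BLOCK, 0, &t));
	printf("hardened parse, full block:        %d\n",
	       parse_tiled_block(FULL_BLOCK, sizeof FULL_BLOCK, 0, &t));
	return 0;
}
```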
13 daysgpio: tb10x: fix struct tb10x_gpio kernel-docIgor Putko
Fix build warning by adding the missing structure name and description to the kernel-doc comment block. Signed-off-by: Igor Putko <igorpetindev@gmail.com> Link: https://patch.msgid.link/20260618155626.18751-2-igorpetindev@gmail.com Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
13 daysgpiolib: initialize return value in gpiochip_set_multiple()Ruoyu Wang
gpiochip_set_multiple() falls back to setting lines one by one when the chip does not provide set_multiple(). If the fallback path receives an empty mask, the loop is skipped and ret is returned without being initialized. Initialize ret to 0 so an empty mask is treated as a successful no-op. Fixes: 9b407312755f ("gpiolib: rework the wrapper around gpio_chip::set_multiple()") Signed-off-by: Ruoyu Wang <ruoyuw560@gmail.com> Acked-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com> Link: https://patch.msgid.link/20260620155319.79994-1-ruoyuw560@gmail.com Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
13 dayspower: sequencing: fix ABBA deadlock in pwrseq_device_unregister()Bartosz Golaszewski
The pwrseq core takes three locks in consistent order everywhere: pwrseq_sem -> pwrseq->rw_lock -> pwrseq->state_lock pwrseq_get() -> pwrseq_match_device() takes pwrseq_sem for reading, then rw_lock for reading. pwrseq_power_on()/pwrseq_power_off() take rw_lock for reading and then state_lock. pwrseq_device_unregister() is the only exception, it takes: state_lock, then rw_lock for writing and finally pwrseq_sem for writing. This created two potential ABBA deadlock situations that sashiko pointed out. - pwrseq_power_on/off() take rw_lock for reading then state_lock, while pwrseq_unregister() takes state_lock then rw_lock for writing - pwrseq_get() takes pwrseq_sem for reading then rw_lock for reading, while pwrseq_unregister() takes rw_lock for writing then pwrseq_sem for writing Reorder the unregister path to taking pwrseq_sem for writing -> rw_lock for writing and drop the state_lock entirely. This is safe as enable_count is only ever written under rw_lock held for read (via pwrseq_unit_enable()/disable(), reached only from pwrseq_power_on/off()), so holding rw_lock for writing already excludes every other writer and reader and the active-users WARN() stays race-free without state_lock. Fixes: 249ebf3f65f8 ("power: sequencing: implement the pwrseq core") Closes: https://sashiko.dev/#/patchset/20260616151049.1705503-1-vulab%40iscas.ac.cn Link: https://patch.msgid.link/20260618-pwrseq-abba-deadlock-v1-1-943a3fd81c06@oss.qualcomm.com Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
13 dayspower: sequencing: pcie-m2: Sort PCI device IDs in ascending orderWei Deng
Sort the entries in pwrseq_m2_pci_ids[] by device ID in ascending order: 0x1103 (WCN6855) before 0x1107 (WCN7850). Fixes: 2abcfdd91e6a ("power: sequencing: pcie-m2: Add PCI ID 0x1103 for WCN6855 Bluetooth") Reviewed-by: Manivannan Sadhasivam <mani@kernel.org> Signed-off-by: Wei Deng <wei.deng@oss.qualcomm.com> Link: https://patch.msgid.link/20260617143055.820096-1-wei.deng@oss.qualcomm.com Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
13 dayspwrseq: core: fix use-after-free in pwrseq_debugfs_seq_next()Wentao Liang
pwrseq_debugfs_seq_next() declares 'next' with __free(put_device), which causes put_device() to be called on the returned pointer when the variable goes out of scope. This results in a use-after-free since the seq_file framework receives a pointer whose reference has already been dropped. Simply removing __free(put_device) would fix the UAF but would leak the reference acquired by bus_find_next_device(), as stop() only calls up_read(&pwrseq_sem) and never releases the device reference. Fix this by making the reference counting consistent across all seq_file callbacks, matching the standard pattern used by PCI and SCSI: - start(): use get_device() so it returns a referenced pointer. - next(): explicitly put_device(curr) to release the previous device's reference (no NULL check needed - the seq_file framework only calls next() while the previous return was non-NULL). - stop(): put_device(data) to release the last iterated device's reference, with a NULL guard since stop() may be called with NULL when start() returned NULL or next() reached end-of-sequence. Cc: stable@vger.kernel.org Fixes: 249ebf3f65f8 ("power: sequencing: implement the pwrseq core") Signed-off-by: Wentao Liang <vulab@iscas.ac.cn> Link: https://patch.msgid.link/20260616151049.1705503-1-vulab@iscas.ac.cn Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
13 daysMerge tag 'bpf-next-7.2' into loongarch-nextHuacai Chen
LoongArch architecture changes for 7.2 need the bpf changes to add new features, so merge 'bpf-next-7.2' to create a base.
13 dayserofs: remove fscache backend entirelyGao Xiang
EROFS over fscache was introduced to provide image lazy pulling functionality. After the feature landed, the fscache subsystem made netfs a new hard dependency, which is unexpected for a local filesystem and has a kernel-defined caching hierarchy which could be inflexible compared to the fanotify pre-content hooks. Therefore, this feature has been deprecated for almost two years. As EROFS file-backed mounts and fanotify pre-content hooks both upstream for a while and already providing equivalent functionality (erofs-utils has supported fanotify pre-content hooks), let's remove the fscache backend now. The main application of this feature is Nydus [1], and they plan to move to use fanotify pre-content hooks in the near future too. I hope this patch can be merged into Linux 7.2, which is also motivated by newly found implementation issues [2][3] that are not worth investigating given the deprecation and limited development resources. The associated fscache/cachefiles cleanup patch will follow separately through the vfs tree (netfs) later: it seems fine since the codebase is isolated by CONFIG_CACHEFILES_ONDEMAND. [1] https://github.com/dragonflyoss/nydus/blob/v2.1.0/docs/nydus-fscache.md [2] https://github.com/dragonflyoss/nydus/pull/1824 [3] https://lore.kernel.org/r/20260619135800.1594811-1-michael.bommarito@gmail.com Acked-by: Jingbo Xu <jefflexu@linux.alibaba.com> Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
13 daysMerge branch 'fix-effective-prog-array-indexing-with-bpf_f_preorder'Alexei Starovoitov
Amery Hung says: ==================== Fix effective prog array indexing with BPF_F_PREORDER This patchset fixes a cgroup effective-array indexing bug where replace_effective_prog() and purge_effective_progs() used a linear hlist position that doesn't match the array layout when BPF_F_PREORDER programs are present, corrupting the array on link update and risking a use-after-free in the detach fallback. It computes the slot via a shared effective_prog_pos() helper and adds a cgroup_preorder selftest. Changelog v1 -> v2: - Also fix purge_effective_progs(), in addition to replace_effective_prog() (Sashiko). - selftest: Set err on bpf_link_create() failure so the failure is reported to the caller (Sashiko). ==================== Link: https://patch.msgid.link/20260619063520.2690547-1-ameryhung@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
13 daysselftests/bpf: Test cgroup link replace with BPF_F_PREORDERAmery Hung
Add a cgroup_preorder case that attaches a normal and a BPF_F_PREORDER program to a cgroup (effective order [2, 1]), then replaces the normal link's program via bpf_link_update() and checks the effective order becomes [2, 3] — i.e. only the non-preorder slot changes. Without the replace_effective_prog() fix the array is corrupted and the order is wrong. Signed-off-by: Amery Hung <ameryhung@gmail.com> Acked-by: Yonghong Song <yonghong.song@linux.dev> Link: https://lore.kernel.org/r/20260619063520.2690547-3-ameryhung@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
13 daysbpf: Fix effective prog array index with BPF_F_PREORDERAmery Hung
replace_effective_prog() and purge_effective_progs() located the slot in the effective array by walking the program hlist and counting entries linearly. That count does not match the array layout: compute_effective_progs() places BPF_F_PREORDER programs at the front (ancestor cgroup first, attach order within a cgroup) and the rest after them (descendant cgroup first). So when a preorder program is present, the linear hlist position no longer equals the program's index in the effective array. For replace_effective_prog() (bpf_link_update()) this overwrote the wrong slot, corrupting the effective order. For purge_effective_progs(), it could dummy out a slot belonging to a different program and leave the detached program in the array while bpf_prog_put() drops its reference, i.e. a use-after-free. Fix both by replaying compute_effective_progs()'s placement (including the per-cgroup preorder reversal) in a shared effective_prog_pos() helper. Identify the entry by its struct bpf_prog_list pointer rather than by (prog, link) value, so the lookup resolves to exactly the attachment the syscall selected even when the same bpf_prog is attached to several cgroups in the hierarchy. Fixes: 4b82b181a26c ("bpf: Allow pre-ordering for bpf cgroup progs") Signed-off-by: Amery Hung <ameryhung@gmail.com> Acked-by: Yonghong Song <yonghong.song@linux.dev> Link: https://lore.kernel.org/r/20260619063520.2690547-2-ameryhung@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
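The index mismatch described in the commit above, as an added userspace C model (not kernel code): it builds the effective array with the layout the commit message states, then compares the linear list position with the position obtained by replaying that placement. All struct and function names are hypothetical, the program ids are constructed, and the descendant-first order of the linear walk is an assumption.

```c
#include <stdio.h>

#define MAX_PROGS 4

struct attach { int prog_id; int preorder; };           /* one attachment */
struct cgrp { struct attach progs[MAX_PROGS]; int n; }; /* attach-ordered list */

/* path[0] is the top ancestor, path[depth - 1] the cgroup being computed.
 * Layout per the commit message: preorder programs first (ancestor first,
 * attach order within a cgroup), then the rest (descendant first). */
int compute_effective(const struct cgrp *path, int depth, int *out)
{
	int cnt = 0;

	for (int c = 0; c < depth; c++)
		for (int i = 0; i < path[c].n; i++)
			if (path[c].progs[i].preorder)
				out[cnt++] = path[c].progs[i].prog_id;
	for (int c = depth - 1; c >= 0; c--)
		for (int i = 0; i < path[c].n; i++)
			if (!path[c].progs[i].preorder)
				out[cnt++] = path[c].progs[i].prog_id;
	return cnt;
}

/* Pre-fix model: count list entries linearly, ignoring the preorder flag. */
int linear_pos(const struct cgrp *path, int depth, int cg, int idx)
{
	int pos = 0;

	for (int c = depth - 1; c >= 0; c--)
		for (int i = 0; i < path[c].n; i++, pos++)
			if (c == cg && i == idx)
				return pos;
	return -1;
}

/* Post-fix model: replay the placement and stop at the selected attachment,
 * identified by its list entry (cg, idx) rather than by program value. */
int model_effective_pos(const struct cgrp *path, int depth, int cg, int idx)
{
	int pos = 0;

	for (int c = 0; c < depth; c++)
		for (int i = 0; i < path[c].n; i++)
			if (path[c].progs[i].preorder) {
				if (c == cg && i == idx)
					return pos;
				pos++;
			}
	for (int c = depth - 1; c >= 0; c--)
		for (int i = 0; i < path[c].n; i++)
			if (!path[c].progs[i].preorder) {
				if (c == cg && i == idx)
					return pos;
				pos++;
			}
	return -1;
}

/* Selftest scenario from the page: normal prog 1 and preorder prog 2 on one
 * cgroup (effective [2, 1]), then the normal attachment is replaced by 3. */
int replace_demo(int use_fix, int *out)
{
	struct cgrp cg = { .progs = { {1, 0}, {2, 1} }, .n = 2 };
	int n = compute_effective(&cg, 1, out);
	int slot = use_fix ? model_effective_pos(&cg, 1, 0, 0)
			   : linear_pos(&cg, 1, 0, 0);

	out[slot] = 3;
	return n;
}

/* Constructed two-level hierarchy: parent {10 preorder, 11 normal},
 * child {20 normal, 21 preorder}; effective order is [10, 21, 20, 11]. */
int two_level_pos(int use_fix, int cg, int idx)
{
	struct cgrp path[2] = {
		{ .progs = { {10, 1}, {11, 0} }, .n = 2 },
		{ .progs = { {20, 0}, {21, 1} }, .n = 2 },
	};

	return use_fix ? model_effective_pos(path, 2, cg, idx)
		       : linear_pos(path, 2, cg, idx);
}

int main(void)
{
	int arr[2];

	replace_demo(0, arr);
	printf("linear index:   [%d, %d]\n", arr[0], arr[1]);
	replace_demo(1, arr);
	printf("replayed index: [%d, %d]\n", arr[0], arr[1]);
	printf("child prog 20: linear slot %d, effective slot %d\n",
	       two_level_pos(0, 1, 0), two_level_pos(1, 1, 0));
	return 0;
}
```

In the purge path the same wrong slot would be cleared instead of overwritten, which is how the detached program can stay in the array after its reference is dropped.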
13 daysbpf: Fix BPF_PROG_ASSOC_STRUCT_OPS last field checkThiébaud Weksteen
When struct prog_assoc_struct_ops was added, BPF_PROG_ASSOC_STRUCT_OPS_LAST_FIELD referenced prog_fd instead of the actual last field, flags. Fixes: b5709f6d26d6 ("bpf: Support associating BPF program with struct_ops") Signed-off-by: Thiébaud Weksteen <tweek@google.com> Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com> Acked-by: Yonghong Song <yonghong.song@linux.dev> Link: https://lore.kernel.org/r/20260618040934.4113938-1-tweek@google.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
13 daysbpf: zero-initialize the fib lookup flow structAvinash Duduskar
bpf_ipv4_fib_lookup() and bpf_ipv6_fib_lookup() build the flow key on the stack with a bare "struct flowi4 fl4;" / "struct flowi6 fl6;" and fill it field by field, but never set flowi4_l3mdev / flowi6_l3mdev. On the non-DIRECT path the lookup goes through the fib rules whenever the netns has custom rules, which a VRF installs:
  bpf_ipv4_fib_lookup()
    -> fib_lookup()
    -> __fib_lookup()
    -> l3mdev_update_flow()       reads !fl->flowi_l3mdev
    -> fib_rules_lookup()
    -> fib_rule_match()
    -> l3mdev_fib_rule_match()    uses fl->flowi_l3mdev
l3mdev_update_flow() resolves the l3mdev master from the ingress device only while the field is still zero. Left at a nonzero stack value the resolution is skipped, and l3mdev_fib_rule_match() then tests that value as an ifindex, so the VRF master is not resolved and the rule fails to match: an ingress enslaved to a VRF can fail to select its table. FIB rules matching on an L3 master device (l3mdev_fib_rule_iif_match()/_oif_match()) read the same value, so an "ip rule iif/oif <vrf>" mismatches the same way. Zero-initialize the whole flow struct rather than adding one more field assignment, so any flowi field added later is covered too. ip_route_input_slow() likewise zeroes the field before its input lookup. CONFIG_INIT_STACK_ALL_ZERO masks this by default, but it depends on compiler support (CC_HAS_AUTO_VAR_INIT_ZERO), so INIT_STACK_NONE builds, including older toolchains that fall back to it, are exposed. Built with INIT_STACK_ALL_PATTERN, a plain bpf_fib_lookup (no VLAN, no DIRECT) over a VRF slave whose destination is routed only in the VRF table returns BPF_FIB_LKUP_RET_NOT_FWDED, and resolves with this patch. On the default config the lookup succeeds either way, so ordinary testing does not catch the bug.
Fixes: 40867d74c374 ("net: Add l3mdev index to flow struct and avoid oif reset for port devices") Signed-off-by: Avinash Duduskar <avinash.duduskar@gmail.com> Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com> Link: https://lore.kernel.org/r/20260617224719.1428599-1-avinash.duduskar@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
13 daysbpftool: Fix vmlinux BTF leak in cgroup commandsYichong Chen
bpftool cgroup show and tree call libbpf_find_kernel_btf() to resolve attach_btf names, but never release the returned BTF object. For cgroup tree, do_show_tree_fn() is called once for each cgroup visited by nftw(). When more than one cgroup has attached programs, each callback overwrites btf_vmlinux with a new object and loses the previous allocation. Load vmlinux BTF only once during a tree walk and release it when cgroup show or tree completes. Reset btf_vmlinux_id at the same time so batch mode starts with clean state. Fixes: 596f5fb2ea2a ("bpftool: implement cgroup tree for BPF_LSM_CGROUP") Signed-off-by: Yichong Chen <chenyichong@uniontech.com> Reviewed-by: Quentin Monnet <qmo@kernel.org> Link: https://lore.kernel.org/r/24357C69B4405079+20260617090117.280222-1-chenyichong@uniontech.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
13 daysbpf: Add missing access_ok call to copy_user_symsJiri Olsa
As reported by sashiko we use __get_user without prior access_ok call on the user space pointer. Adding the missing call for the whole pointer array. Plus removing the err check in the error path, because it's not needed and also we can return -ENOMEM directly from the first kvmalloc_array fail path. Cc: stable@vger.kernel.org [1] https://lore.kernel.org/bpf/20260611115503.AC16D1F00893@smtp.kernel.org/ Fixes: 0236fec57a15 ("bpf: Resolve symbols with ftrace_lookup_symbols for kprobe multi link") Reported-by: Sashiko <sashiko-bot@kernel.org> Closes: https://lore.kernel.org/bpf/20260611115503.AC16D1F00893@smtp.kernel.org/ Signed-off-by: Jiri Olsa <jolsa@kernel.org> Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com> Link: https://lore.kernel.org/r/20260616083056.405652-1-jolsa@kernel.org Signed-off-by: Alexei Starovoitov <ast@kernel.org>
13 daysbpf: Allow type tag BTF records to succeed other modifier recordsEmil Tsalapatis
llvm commit [1] allowed attaching type tag records to modifier BTF records. This is useful for using typedefs that encompass a base type and a type tag, e.g.: typedef struct rbtree __arena rbtree_t; Modify btf_check_type_tags() so that it allows this sequence of records. The function now only checks for record loops in BTF modifier record chains. Rename to btf_check_modifier_chain_length to reflect this. Also expand the BTF modifier traversal code to take into account that type record can be interleaved with other modifier records. In effect this means traversing all modifiers to collect the type tags. Also modify existing selftests to now accept modifier records (const, typedef) that point to type tag records. [1] https://github.com/llvm/llvm-project/pull/203089 Signed-off-by: Emil Tsalapatis <emil@etsalapatis.com> Link: https://lore.kernel.org/r/20260616061454.7869-1-emil@etsalapatis.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>