summaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
3 daysMerge tag 'nfsd-6.18-1' of ↵HEADmasterLinus Torvalds1-0/+8
git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux Pull nfsd fix from Chuck Lever: - Fix a crasher reported by rtm@csail.mit.edu * tag 'nfsd-6.18-1' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux: NFSD: Define a proc_layoutcommit for the FlexFiles layout type
3 daysMerge tag 'for-linus-6.18-2' of https://github.com/cminyard/linux-ipmiLinus Torvalds2-5/+12
Pull IPMI fixes from Corey Minyard: "A few bug fixes for patches that went in this release: a refcount error and some missing or incorrect error checks" * tag 'for-linus-6.18-2' of https://github.com/cminyard/linux-ipmi: ipmi: Fix handling of messages with provided receive message pointer mfd: ls2kbmc: check for devm_mfd_add_devices() failure mfd: ls2kbmc: Fix an IS_ERR() vs NULL check in probe()
5 daysLinux 6.18-rc1v6.18-rc1Linus Torvalds1-2/+2
5 daysMerge tag 'i2c-for-6.18-rc1-hotfix' of ↵Linus Torvalds2-3/+3
git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux Pull i2c fix from Wolfram Sang: "One revert because of a regression in the I2C core which has sadly not showed up during its time in -next" * tag 'i2c-for-6.18-rc1-hotfix' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux: Revert "i2c: boardinfo: Annotate code used in init phase only"
5 daysMerge tag 'irq_urgent_for_v6.18_rc1' of ↵Linus Torvalds2-4/+6
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull irq fixes from Borislav Petkov: - Skip interrupt ID 0 in sifive-plic during suspend/resume because ID 0 is reserved and accessing reserved register space could result in undefined behavior - Fix a function's retval check in aspeed-scu-ic * tag 'irq_urgent_for_v6.18_rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: irqchip/sifive-plic: Avoid interrupt ID 0 handling during suspend/resume irqchip/aspeed-scu-ic: Fix an IS_ERR() vs NULL check
6 daysMerge tag 'trace-v6.18-3' of ↵Linus Torvalds1-4/+8
git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace Pull tracing fixes from Steven Rostedt: "The previous fix to trace_marker required updating trace_marker_raw as well. The difference between trace_marker_raw from trace_marker is that the raw version is for applications to write binary structures directly into the ring buffer instead of writing ASCII strings. This is for applications that will read the raw data from the ring buffer and get the data structures directly. It's a bit quicker than using the ASCII version. Unfortunately, it appears that our test suite has several tests that test writes to the trace_marker file, but lacks any tests to the trace_marker_raw file (this needs to be remedied). Two issues came about the update to the trace_marker_raw file that syzbot found: - Fix tracing_mark_raw_write() to use per CPU buffer The fix to use the per CPU buffer to copy from user space was needed for both the trace_maker and trace_maker_raw file. The fix for reading from user space into per CPU buffers properly fixed the trace_marker write function, but the trace_marker_raw file wasn't fixed properly. The user space data was correctly written into the per CPU buffer, but the code that wrote into the ring buffer still used the user space pointer and not the per CPU buffer that had the user space data already written. - Stop the fortify string warning from writing into trace_marker_raw After converting the copy_from_user_nofault() into a memcpy(), another issue appeared. As writes to the trace_marker_raw expects binary data, the first entry is a 4 byte identifier. The entry structure is defined as: struct { struct trace_entry ent; int id; char buf[]; }; The size of this structure is reserved on the ring buffer with: size = sizeof(*entry) + cnt; Then it is copied from the buffer into the ring buffer with: memcpy(&entry->id, buf, cnt); This use to be a copy_from_user_nofault(), but now converting it to a memcpy() triggers the fortify-string code, and causes a warning. The allocated space is actually more than what is copied, as the cnt used also includes the entry->id portion. Allocating sizeof(*entry) plus cnt is actually allocating 4 bytes more than what is needed. Change the size function to: size = struct_size(entry, buf, cnt - sizeof(entry->id)); And update the memcpy() to unsafe_memcpy()" * tag 'trace-v6.18-3' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: tracing: Stop fortify-string from warning in tracing_mark_raw_write() tracing: Fix tracing_mark_raw_write() to use buf and not ubuf
6 daysMerge tag 'kbuild-fixes-6.18-1' of ↵Linus Torvalds5-28/+38
git://git.kernel.org/pub/scm/linux/kernel/git/kbuild/linux Pull Kbuild fixes from Nathan Chancellor: - Fix UAPI types check in headers_check.pl - Only enable -Werror for hostprogs with CONFIG_WERROR / W=e - Ignore fsync() error when output of gen_init_cpio is a pipe - Several little build fixes for recent modules.builtin.modinfo series * tag 'kbuild-fixes-6.18-1' of git://git.kernel.org/pub/scm/linux/kernel/git/kbuild/linux: kbuild: Use '--strip-unneeded-symbol' for removing module device table symbols s390/vmlinux.lds.S: Move .vmlinux.info to end of allocatable sections kbuild: Add '.rel.*' strip pattern for vmlinux kbuild: Restore pattern to avoid stripping .rela.dyn from vmlinux gen_init_cpio: Ignore fsync() returning EINVAL on pipes scripts/Makefile.extrawarn: Respect CONFIG_WERROR / W=e for hostprogs kbuild: uapi: Strip comments before size type check
6 daysRevert "i2c: boardinfo: Annotate code used in init phase only"Wolfram Sang2-3/+3
This reverts commit 1a2b423be6a89dd07d5fc27ea042be68697a6a49 because we got a regression report and need time to find out the details. Reported-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com> Closes: https://lore.kernel.org/r/29ec0082-4dd4-4120-acd2-44b35b4b9487@oss.qualcomm.com Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
6 daysMerge tag 'rtc-6.18' of ↵Linus Torvalds23-354/+753
git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux Pull RTC updates from Alexandre Belloni: "This cycle, we have a new RTC driver, for the SpacemiT P1. The optee driver gets alarm support. We also get a fix for a race condition that was fairly rare unless while stress testing the alarms. Subsystem: - Fix race when setting alarm - Ensure alarm irq is enabled when UIE is enabled - remove unneeded 'fast_io' parameter in regmap_config New driver: - SpacemiT P1 RTC Drivers: - efi: Remove wakeup functionality - optee: add alarms support - s3c: Drop support for S3C2410 - zynqmp: Restore alarm functionality after kexec transition" * tag 'rtc-6.18' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux: (29 commits) rtc: interface: Ensure alarm irq is enabled when UIE is enabled rtc: tps6586x: Fix initial enable_irq/disable_irq balance rtc: cpcap: Fix initial enable_irq/disable_irq balance rtc: isl12022: Fix initial enable_irq/disable_irq balance rtc: interface: Fix long-standing race when setting alarm rtc: pcf2127: fix watchdog interrupt mask on pcf2131 rtc: zynqmp: Restore alarm functionality after kexec transition rtc: amlogic-a4: Optimize global variables rtc: sd2405al: Add I2C address. rtc: Kconfig: move symbols to proper section rtc: optee: make optee_rtc_pm_ops static rtc: optee: Fix error code in optee_rtc_read_alarm() rtc: optee: fix error code in probe() dt-bindings: rtc: Convert apm,xgene-rtc to DT schema rtc: spacemit: support the SpacemiT P1 RTC rtc: optee: add alarm related rtc ops to optee rtc driver rtc: optee: remove unnecessary memory operations rtc: optee: fix memory leak on driver removal rtc: x1205: Fix Xicor X1205 vendor prefix dt-bindings: rtc: Fix Xicor X1205 vendor prefix ...
6 daysMerge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsiLinus Torvalds10-25/+36
Pull SCSI fixes from James Bottomley: "Fixes only in drivers (ufs, mvsas, qla2xxx, target) that came in just before or during the merge window. The most important one is the qla2xxx which reverts a conversion to fix flexible array member warnings, that went up in this merge window but which turned out on further testing to be causing data corruption" * tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: scsi: ufs: core: Include UTP error in INT_FATAL_ERRORS scsi: ufs: sysfs: Make HID attributes visible scsi: mvsas: Fix use-after-free bugs in mvs_work_queue scsi: ufs: core: Fix PM QoS mutex initialization scsi: ufs: core: Fix runtime suspend error deadlock Revert "scsi: qla2xxx: Fix memcpy() field-spanning write issue" scsi: target: target_core_configfs: Add length check to avoid buffer overflow
6 daysMerge tag 'x86_core_for_v6.18_rc1' of ↵Linus Torvalds36-665/+728
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull more x86 updates from Borislav Petkov: - Remove a bunch of asm implementing condition flags testing in KVM's emulator in favor of int3_emulate_jcc() which is written in C - Replace KVM fastops with C-based stubs which avoids problems with the fastop infra related to latter not adhering to the C ABI due to their special calling convention and, more importantly, bypassing compiler control-flow integrity checking because they're written in asm - Remove wrongly used static branches and other ugliness accumulated over time in hyperv's hypercall implementation with a proper static function call to the correct hypervisor call variant - Add some fixes and modifications to allow running FRED-enabled kernels in KVM even on non-FRED hardware - Add kCFI improvements like validating indirect calls and prepare for enabling kCFI with GCC. Add cmdline params documentation and other code cleanups - Use the single-byte 0xd6 insn as the official #UD single-byte undefined opcode instruction as agreed upon by both x86 vendors - Other smaller cleanups and touchups all over the place * tag 'x86_core_for_v6.18_rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (24 commits) x86,retpoline: Optimize patch_retpoline() x86,ibt: Use UDB instead of 0xEA x86/cfi: Remove __noinitretpoline and __noretpoline x86/cfi: Add "debug" option to "cfi=" bootparam x86/cfi: Standardize on common "CFI:" prefix for CFI reports x86/cfi: Document the "cfi=" bootparam options x86/traps: Clarify KCFI instruction layout compiler_types.h: Move __nocfi out of compiler-specific header objtool: Validate kCFI calls x86/fred: KVM: VMX: Always use FRED for IRQs when CONFIG_X86_FRED=y x86/fred: Play nice with invoking asm_fred_entry_from_kvm() on non-FRED hardware x86/fred: Install system vector handlers even if FRED isn't fully enabled x86/hyperv: Use direct call to hypercall-page x86/hyperv: Clean up hv_do_hypercall() KVM: x86: Remove fastops KVM: x86: Convert em_salc() to C KVM: x86: Introduce EM_ASM_3WCL KVM: x86: Introduce EM_ASM_1SRC2 KVM: x86: Introduce EM_ASM_2CL KVM: x86: Introduce EM_ASM_2W ...
6 daysMerge tag 'x86_cleanups_for_v6.18_rc1' of ↵Linus Torvalds34-239/+55
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 cleanups from Borislav Petkov: - Simplify inline asm flag output operands now that the minimum compiler version supports the =@ccCOND syntax - Remove a bunch of AS_* Kconfig symbols which detect assembler support for various instruction mnemonics now that the minimum assembler version supports them all - The usual cleanups all over the place * tag 'x86_cleanups_for_v6.18_rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/asm: Remove code depending on __GCC_ASM_FLAG_OUTPUTS__ x86/sgx: Use ENCLS mnemonic in <kernel/cpu/sgx/encls.h> x86/mtrr: Remove license boilerplate text with bad FSF address x86/asm: Use RDPKRU and WRPKRU mnemonics in <asm/special_insns.h> x86/idle: Use MONITORX and MWAITX mnemonics in <asm/mwait.h> x86/entry/fred: Push __KERNEL_CS directly x86/kconfig: Remove CONFIG_AS_AVX512 crypto: x86 - Remove CONFIG_AS_VPCLMULQDQ crypto: X86 - Remove CONFIG_AS_VAES crypto: x86 - Remove CONFIG_AS_GFNI x86/kconfig: Drop unused and needless config X86_64_SMP
6 daysMerge tag 'slab-for-6.18-rc1-hotfix' of ↵Linus Torvalds1-14/+51
git://git.kernel.org/pub/scm/linux/kernel/git/vbabka/slab Pull slab fix from Vlastimil Babka: "A NULL pointer deref hotfix" * tag 'slab-for-6.18-rc1-hotfix' of git://git.kernel.org/pub/scm/linux/kernel/git/vbabka/slab: slab: fix barn NULL pointer dereference on memoryless nodes
6 daysMerge tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpfLinus Torvalds10-25/+118
Pull bpf fixes from Alexei Starovoitov: - Finish constification of 1st parameter of bpf_d_path() (Rong Tao) - Harden userspace-supplied xdp_desc validation (Alexander Lobakin) - Fix metadata_dst leak in __bpf_redirect_neigh_v{4,6}() (Daniel Borkmann) - Fix undefined behavior in {get,put}_unaligned_be32() (Eric Biggers) - Use correct context to unpin bpf hash map with special types (KaFai Wan) * tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf: selftests/bpf: Add test for unpinning htab with internal timer struct bpf: Avoid RCU context warning when unpinning htab with internal structs xsk: Harden userspace-supplied xdp_desc validation bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6} libbpf: Fix undefined behavior in {get,put}_unaligned_be32() bpf: Finish constification of 1st parameter of bpf_d_path()
6 daysMerge tag 'mm-nonmm-stable-2025-10-10-15-03' of ↵Linus Torvalds6-59/+383
git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Pull more updates from Andrew Morton: "Just one series here - Mike Rappoport has taught KEXEC handover to preserve vmalloc allocations across handover" * tag 'mm-nonmm-stable-2025-10-10-15-03' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm: lib/test_kho: use kho_preserve_vmalloc instead of storing addresses in fdt kho: add support for preserving vmalloc allocations kho: replace kho_preserve_phys() with kho_preserve_pages() kho: check if kho is finalized in __kho_preserve_order() MAINTAINERS, .mailmap: update Umang's email address
6 daysMerge tag 'mm-hotfixes-stable-2025-10-10-15-00' of ↵Linus Torvalds9-42/+45
git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Pull misc fixes from Andrew Morton: "7 hotfixes. All 7 are cc:stable and all 7 are for MM. All singletons, please see the changelogs for details" * tag 'mm-hotfixes-stable-2025-10-10-15-00' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm: mm: hugetlb: avoid soft lockup when mprotect to large memory area fsnotify: pass correct offset to fsnotify_mmap_perm() mm/ksm: fix flag-dropping behavior in ksm_madvise mm/damon/vaddr: do not repeat pte_offset_map_lock() until success mm/rmap: fix soft-dirty and uffd-wp bit loss when remapping zero-filled mTHP subpage to shared zeropage mm/thp: fix MTE tag mismatch when replacing zero-filled subpages memcg: skip cgroup_file_notify if spinning is not allowed
6 daystracing: Stop fortify-string from warning in tracing_mark_raw_write()Steven Rostedt1-2/+6
The way tracing_mark_raw_write() records its data is that it has the following structure: struct { struct trace_entry; int id; char buf[]; }; But memcpy(&entry->id, buf, size) triggers the following warning when the size is greater than the id: ------------[ cut here ]------------ memcpy: detected field-spanning write (size 6) of single field "&entry->id" at kernel/trace/trace.c:7458 (size 4) WARNING: CPU: 7 PID: 995 at kernel/trace/trace.c:7458 write_raw_marker_to_buffer.isra.0+0x1f9/0x2e0 Modules linked in: CPU: 7 UID: 0 PID: 995 Comm: bash Not tainted 6.17.0-test-00007-g60b82183e78a-dirty #211 PREEMPT(voluntary) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 RIP: 0010:write_raw_marker_to_buffer.isra.0+0x1f9/0x2e0 Code: 04 00 75 a7 b9 04 00 00 00 48 89 de 48 89 04 24 48 c7 c2 e0 b1 d1 b2 48 c7 c7 40 b2 d1 b2 c6 05 2d 88 6a 04 01 e8 f7 e8 bd ff <0f> 0b 48 8b 04 24 e9 76 ff ff ff 49 8d 7c 24 04 49 8d 5c 24 08 48 RSP: 0018:ffff888104c3fc78 EFLAGS: 00010292 RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 1ffffffff6b363b4 RDI: 0000000000000001 RBP: ffff888100058a00 R08: ffffffffb041d459 R09: ffffed1020987f40 R10: 0000000000000007 R11: 0000000000000001 R12: ffff888100bb9010 R13: 0000000000000000 R14: 00000000000003e3 R15: ffff888134800000 FS: 00007fa61d286740(0000) GS:ffff888286cad000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000560d28d509f1 CR3: 00000001047a4006 CR4: 0000000000172ef0 Call Trace: <TASK> tracing_mark_raw_write+0x1fe/0x290 ? __pfx_tracing_mark_raw_write+0x10/0x10 ? security_file_permission+0x50/0xf0 ? rw_verify_area+0x6f/0x4b0 vfs_write+0x1d8/0xdd0 ? __pfx_vfs_write+0x10/0x10 ? __pfx_css_rstat_updated+0x10/0x10 ? count_memcg_events+0xd9/0x410 ? fdget_pos+0x53/0x5e0 ksys_write+0x182/0x200 ? __pfx_ksys_write+0x10/0x10 ? do_user_addr_fault+0x4af/0xa30 do_syscall_64+0x63/0x350 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7fa61d318687 Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff RSP: 002b:00007ffd87fe0120 EFLAGS: 00000202 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007fa61d286740 RCX: 00007fa61d318687 RDX: 0000000000000006 RSI: 0000560d28d509f0 RDI: 0000000000000001 RBP: 0000560d28d509f0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000006 R13: 00007fa61d4715c0 R14: 00007fa61d46ee80 R15: 0000000000000000 </TASK> ---[ end trace 0000000000000000 ]--- This is because fortify string sees that the size of entry->id is only 4 bytes, but it is writing more than that. But this is OK as the dynamic_array is allocated to handle that copy. The size allocated on the ring buffer was actually a bit too big: size = sizeof(*entry) + cnt; But cnt includes the 'id' and the buffer data, so adding cnt to the size of *entry actually allocates too much on the ring buffer. Change the allocation to: size = struct_size(entry, buf, cnt - sizeof(entry->id)); and the memcpy() to unsafe_memcpy() with an added justification. Cc: stable@vger.kernel.org Cc: Masami Hiramatsu <mhiramat@kernel.org> Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> Cc: Andrew Morton <akpm@linux-foundation.org> Link: https://lore.kernel.org/20251011112032.77be18e4@gandalf.local.home Fixes: 64cf7d058a00 ("tracing: Have trace_marker use per-cpu data to read user space") Reported-by: syzbot+9a2ede1643175f350105@syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/68e973f5.050a0220.1186a4.0010.GAE@google.com/ Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
6 daysslab: fix barn NULL pointer dereference on memoryless nodesVlastimil Babka1-14/+51
Phil reported a boot failure once sheaves become used in commits 59faa4da7cd4 ("maple_tree: use percpu sheaves for maple_node_cache") and 3accabda4da1 ("mm, vma: use percpu sheaves for vm_area_struct cache"): BUG: kernel NULL pointer dereference, address: 0000000000000040 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 21 UID: 0 PID: 818 Comm: kworker/u398:0 Not tainted 6.17.0-rc3.slab+ #5 PREEMPT(voluntary) Hardware name: Dell Inc. PowerEdge R7425/02MJ3T, BIOS 1.26.0 07/30/2025 RIP: 0010:__pcs_replace_empty_main+0x44/0x1d0 Code: ec 08 48 8b 46 10 48 8b 76 08 48 85 c0 74 0b 8b 48 18 85 c9 0f 85 e5 00 00 00 65 48 63 05 e4 ee 50 02 49 8b 84 c6 e0 00 00 00 <4c> 8b 68 40 4c 89 ef e8 b0 81 ff ff 48 89 c5 48 85 c0 74 1d 48 89 RSP: 0018:ffffd2d10950bdb0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff8a775dab74b0 RCX: 00000000ffffffff RDX: 0000000000000cc0 RSI: ffff8a6800804000 RDI: ffff8a680004e300 RBP: ffffd2d10950be40 R08: 0000000000000060 R09: ffffffffb9367388 R10: 00000000000149e8 R11: ffff8a6f87a38000 R12: 0000000000000cc0 R13: 0000000000000cc0 R14: ffff8a680004e300 R15: 00000000000000c0 FS: 0000000000000000(0000) GS:ffff8a77a3541000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000040 CR3: 0000000e1aa24000 CR4: 00000000003506f0 Call Trace: <TASK> ? srso_return_thunk+0x5/0x5f ? vm_area_alloc+0x1e/0x60 kmem_cache_alloc_noprof+0x4ec/0x5b0 vm_area_alloc+0x1e/0x60 create_init_stack_vma+0x26/0x210 alloc_bprm+0x139/0x200 kernel_execve+0x4a/0x140 call_usermodehelper_exec_async+0xd0/0x190 ? __pfx_call_usermodehelper_exec_async+0x10/0x10 ret_from_fork+0xf0/0x110 ? __pfx_call_usermodehelper_exec_async+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Modules linked in: CR2: 0000000000000040 ---[ end trace 0000000000000000 ]--- RIP: 0010:__pcs_replace_empty_main+0x44/0x1d0 Code: ec 08 48 8b 46 10 48 8b 76 08 48 85 c0 74 0b 8b 48 18 85 c9 0f 85 e5 00 00 00 65 48 63 05 e4 ee 50 02 49 8b 84 c6 e0 00 00 00 <4c> 8b 68 40 4c 89 ef e8 b0 81 ff ff 48 89 c5 48 85 c0 74 1d 48 89 RSP: 0018:ffffd2d10950bdb0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff8a775dab74b0 RCX: 00000000ffffffff RDX: 0000000000000cc0 RSI: ffff8a6800804000 RDI: ffff8a680004e300 RBP: ffffd2d10950be40 R08: 0000000000000060 R09: ffffffffb9367388 R10: 00000000000149e8 R11: ffff8a6f87a38000 R12: 0000000000000cc0 R13: 0000000000000cc0 R14: ffff8a680004e300 R15: 00000000000000c0 FS: 0000000000000000(0000) GS:ffff8a77a3541000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000040 CR3: 0000000e1aa24000 CR4: 00000000003506f0 Kernel panic - not syncing: Fatal exception Kernel Offset: 0x36a00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) ---[ end Kernel panic - not syncing: Fatal exception ]--- And noted "this is an AMD EPYC 7401 with 8 NUMA nodes configured such that memory is only on 2 of them." # numactl --hardware available: 8 nodes (0-7) node 0 cpus: 0 8 16 24 32 40 48 56 64 72 80 88 node 0 size: 0 MB node 0 free: 0 MB node 1 cpus: 2 10 18 26 34 42 50 58 66 74 82 90 node 1 size: 31584 MB node 1 free: 30397 MB node 2 cpus: 4 12 20 28 36 44 52 60 68 76 84 92 node 2 size: 0 MB node 2 free: 0 MB node 3 cpus: 6 14 22 30 38 46 54 62 70 78 86 94 node 3 size: 0 MB node 3 free: 0 MB node 4 cpus: 1 9 17 25 33 41 49 57 65 73 81 89 node 4 size: 0 MB node 4 free: 0 MB node 5 cpus: 3 11 19 27 35 43 51 59 67 75 83 91 node 5 size: 32214 MB node 5 free: 31625 MB node 6 cpus: 5 13 21 29 37 45 53 61 69 77 85 93 node 6 size: 0 MB node 6 free: 0 MB node 7 cpus: 7 15 23 31 39 47 55 63 71 79 87 95 node 7 size: 0 MB node 7 free: 0 MB Linus decoded the stacktrace to get_barn() and get_node() and determined that kmem_cache->node[numa_mem_id()] is NULL. The problem is due to a wrong assumption that memoryless nodes only exist on systems with CONFIG_HAVE_MEMORYLESS_NODES, where numa_mem_id() points to the nearest node that has memory. SLUB has been allocating its kmem_cache_node structures only on nodes with memory and so it does with struct node_barn. For kmem_cache_node, get_partial_node() checks if get_node() result is not NULL, which I assumed was for protection from a bogus node id passed to kmalloc_node() but apparently it's also for systems where numa_mem_id() (used when no specific node is given) might return a memoryless node. Fix the sheaves code the same way by checking the result of get_node() and bailing out if it's NULL. Note that cpus on such memoryless nodes will have degraded sheaves performance, which can be improved later, preferably by making numa_mem_id() work properly on such systems. Fixes: 2d517aa09bbc ("slab: add opt-in caching layer of percpu sheaves") Reported-and-tested-by: Phil Auld <pauld@redhat.com> Closes: https://lore.kernel.org/all/20251010151116.GA436967@pauld.westford.csb/ Analyzed-by: Linus Torvalds <torvalds@linux-foundation.org> Link: https://lore.kernel.org/all/CAHk-%3Dwg1xK%2BBr%3DFJ5QipVhzCvq7uQVPt5Prze6HDhQQ%3DQD_BcQ@mail.gmail.com/ Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
6 daystracing: Fix tracing_mark_raw_write() to use buf and not ubufSteven Rostedt1-2/+2
The fix to use a per CPU buffer to read user space tested only the writes to trace_marker. But it appears that the selftests are missing tests to the trace_maker_raw file. The trace_maker_raw file is used by applications that writes data structures and not strings into the file, and the tools read the raw ring buffer to process the structures it writes. The fix that reads the per CPU buffers passes the new per CPU buffer to the trace_marker file writes, but the update to the trace_marker_raw write read the data from user space into the per CPU buffer, but then still used then passed the user space address to the function that records the data. Pass in the per CPU buffer and not the user space address. TODO: Add a test to better test trace_marker_raw. Cc: stable@vger.kernel.org Cc: Masami Hiramatsu <mhiramat@kernel.org> Cc: Mark Rutland <mark.rutland@arm.com> Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> Cc: Andrew Morton <akpm@linux-foundation.org> Link: https://lore.kernel.org/20251011035243.386098147@kernel.org Fixes: 64cf7d058a00 ("tracing: Have trace_marker use per-cpu data to read user space") Reported-by: syzbot+9a2ede1643175f350105@syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/68e973f5.050a0220.1186a4.0010.GAE@google.com/ Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
7 dayskbuild: Use '--strip-unneeded-symbol' for removing module device table symbolsNathan Chancellor1-1/+1
After commit 5ab23c7923a1 ("modpost: Create modalias for builtin modules"), relocatable RISC-V kernels with CONFIG_KASAN=y start failing when attempting to strip the module device table symbols: riscv64-linux-objcopy: not stripping symbol `__mod_device_table__kmod_irq_starfive_jh8100_intc__of__starfive_intc_irqchip_match_table' because it is named in a relocation make[4]: *** [scripts/Makefile.vmlinux:97: vmlinux] Error 1 The relocation appears to come from .LASANLOC5 in .data.rel.local: $ llvm-objdump --disassemble-symbols=.LASANLOC5 --disassemble-all -r drivers/irqchip/irq-starfive-jh8100-intc.o drivers/irqchip/irq-starfive-jh8100-intc.o: file format elf64-littleriscv Disassembly of section .data.rel.local: 0000000000000180 <.LASANLOC5>: ... 1d0: 0000 unimp 00000000000001d0: R_RISCV_64 __mod_device_table__kmod_irq_starfive_jh8100_intc__of__starfive_intc_irqchip_match_table ... This section appears to come from GCC for including additional information about global variables that may be protected by KASAN. There appears to be no way to opt out of the generation of these symbols through either a flag or attribute. Attempting to remove '.LASANLOC*' with '--strip-symbol' results in the same error as above because these symbols may refer to (thus have relocation between) each other. Avoid this build breakage by switching to '--strip-unneeded-symbol' for removing __mod_device_table__ symbols, as it will only remove the symbol when there is no relocation pointing to it. While this may result in a little more bloat in the symbol table in certain configurations, it is not as bad as outright build failures. Fixes: 5ab23c7923a1 ("modpost: Create modalias for builtin modules") Reported-by: Charles Mirabile <cmirabil@redhat.com> Closes: https://lore.kernel.org/20251007011637.2512413-1-cmirabil@redhat.com/ Suggested-by: Alexey Gladkov <legion@kernel.org> Tested-by: Nicolas Schier <nsc@kernel.org> Signed-off-by: Nathan Chancellor <nathan@kernel.org>
7 daysMerge tag 'for-6.18/hpfs-changes' of ↵Linus Torvalds7-52/+75
git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm Pull hpfs updates from Mikulas Patocka: - Avoid -Wflex-array-member-not-at-end warnings - Replace simple_strtoul with kstrtoint - Fix error code for new_inode() failure * tag 'for-6.18/hpfs-changes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm: fs/hpfs: Fix error code for new_inode() failure in mkdir/create/mknod/symlink hpfs: Replace simple_strtoul with kstrtoint in hpfs_parse_param fs: hpfs: Avoid multiple -Wflex-array-member-not-at-end warnings
7 daysMerge tag 'drm-next-2025-10-11-1' of https://gitlab.freedesktop.org/drm/kernelLinus Torvalds45-253/+391
Pull more drm fixes from Dave Airlie: "Just the follow up fixes for rc1 from the next branch, amdgpu and xe mostly with a single v3d fix in there. amdgpu: - DC DCE6 fixes - GPU reset fixes - Secure diplay messaging cleanup - MES fix - GPUVM locking fixes - PMFW messaging cleanup - PCI US/DS switch handling fix - VCN queue reset fix - DC FPU handling fix - DCN 3.5 fix - DC mirroring fix amdkfd: - Fix kfd process ref leak - mmap write lock handling fix - Fix comments in IOCTL xe: - Fix build with clang 16 - Fix handling of invalid configfs syntax usage and spell out the expected syntax in the documentation - Do not try late bind firmware when running as VF since it shouldn't handle firmware loading - Fix idle assertion for local BOs - Fix uninitialized variable for late binding - Do not require perfmon_capable to expose free memory at page granularity. Handle it like other drm drivers do - Fix lock handling on suspend error path - Fix I2C controller resume after S3 v3d: - fix fence locking" * tag 'drm-next-2025-10-11-1' of https://gitlab.freedesktop.org/drm/kernel: (34 commits) drm/amd/display: Incorrect Mirror Cositing drm/amd/display: Enable Dynamic DTBCLK Switch drm/amdgpu: Report individual reset error drm/amdgpu: partially revert "revert to old status lock handling v3" drm/amd/display: Fix unsafe uses of kernel mode FPU drm/amd/pm: Disable VCN queue reset on SMU v13.0.6 due to regression drm/amdgpu: Fix general protection fault in amdgpu_vm_bo_reset_state_machine drm/amdgpu: Check swus/ds for switch state save drm/amdkfd: Fix two comments in kfd_ioctl.h drm/amd/pm: Avoid interface mismatch messaging drm/amdgpu: Merge amdgpu_vm_set_pasid into amdgpu_vm_init drm/amd/amdgpu: Fix the mes version that support inv_tlbs drm/amd: Check whether secure display TA loaded successfully drm/amdkfd: Fix mmap write lock not release drm/amdkfd: Fix kfd process ref leaking when userptr unmapping drm/amdgpu: Fix for GPU reset being blocked by KIQ I/O. drm/amd/display: Disable scaling on DCE6 for now drm/amd/display: Properly disable scaling on DCE6 drm/amd/display: Properly clear SCL_*_FILTER_CONTROL on DCE6 drm/amd/display: Add missing DCE6 SCL_HORZ_FILTER_INIT* SRIs ...
7 daysMerge tag 'drm-fixes-2025-10-11' of https://gitlab.freedesktop.org/drm/kernelLinus Torvalds3-8/+17
Pull drm fixes from Dave Airlie: "Some fixes leftover from our fixes branch, just nouveau and vmwgfx: nouveau: - Return errno code from TTM move helper vmwgfx: - Fix null-ptr access in cursor code - Fix UAF in validation - Use correct iterator in validation" * tag 'drm-fixes-2025-10-11' of https://gitlab.freedesktop.org/drm/kernel: drm/nouveau: fix bad ret code in nouveau_bo_move_prep drm/vmwgfx: Fix copy-paste typo in validation drm/vmwgfx: Fix Use-after-free in validation drm/vmwgfx: Fix a null-ptr access in the cursor snooper
7 daysMerge tag 'drm-misc-fixes-2025-10-09' of ↵Dave Airlie3-8/+17
https://gitlab.freedesktop.org/drm/misc/kernel into drm-fixes Short summary of fixes pull: nouveau: - Return errno code from TTM move helper vmwgfx: - Fix null-ptr access in cursor code - Fix UAF in validation - Use correct iterator in validation Signed-off-by: Dave Airlie <airlied@redhat.com> From: Thomas Zimmermann <tzimmermann@suse.de> Link: https://lore.kernel.org/r/20251009120004.GA17570@linux.fritz.box
7 daysMerge tag 'devicetree-fixes-for-6.18-1' of ↵Linus Torvalds8-9/+23
git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux Pull devicetree fixes from Rob Herring: - Allow child nodes on renesas-bsc bus binding - Drop node name pattern on allwinner,sun50i-a64-de2 bus binding - Switch DT patchwork to kernel.org from ozlabs.org - Fix some typos in docs and bindings - Fix reference count in PCI node unittest * tag 'devicetree-fixes-for-6.18-1' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux: dt-bindings: bus: renesas-bsc: allow additional properties dt-bindings: bus: allwinner,sun50i-a64-de2: don't check node names MAINTAINERS: Move DT patchwork to kernel.org of: unittest: Fix device reference count leak in of_unittest_pci_node_verify of: doc: Fix typo in doc comments. dt-bindings: mmc: Correct typo "upto" to "up to"
7 daysdt-bindings: bus: renesas-bsc: allow additional propertiesWolfram Sang1-0/+12
Allow additional properties to enable devices attached to the bus. Fixes warnings like these: arch/arm/boot/dts/renesas/sh73a0-kzm9g.dtb: bus@fec10000 (renesas,bsc-sh73a0): Unevaluated properties are not allowed ('ethernet@10000000' was unexpected) arch/arm/boot/dts/renesas/r8a73a4-ape6evm.dtb: bus@fec10000 (renesas,bsc-r8a73a4): Unevaluated properties are not allowed ('ethernet@8000000', 'flash@0' were unexpected) Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be> Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com> Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
7 daysdt-bindings: bus: allwinner,sun50i-a64-de2: don't check node namesWolfram Sang1-1/+1
Node names are already and properly checked by the core schema. No need to do it again. Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com> [robh: Also drop [A-F] in unit address] Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
7 daysMerge tag 'ceph-for-6.18-rc1' of https://github.com/ceph/ceph-clientLinus Torvalds17-248/+323
Pull ceph updates from Ilya Dryomov: - some messenger improvements (Eric and Max) - address an issue (also affected userspace) of incorrect permissions being granted to users who have access to multiple different CephFS instances within the same cluster (Kotresh) - a bunch of assorted CephFS fixes (Slava) * tag 'ceph-for-6.18-rc1' of https://github.com/ceph/ceph-client: ceph: add bug tracking system info to MAINTAINERS ceph: fix multifs mds auth caps issue ceph: cleanup in ceph_alloc_readdir_reply_buffer() ceph: fix potential NULL dereference issue in ceph_fill_trace() libceph: add empty check to ceph_con_get_out_msg() libceph: pass the message pointer instead of loading con->out_msg libceph: make ceph_con_get_out_msg() return the message pointer ceph: fix potential race condition on operations with CEPH_I_ODIRECT flag ceph: refactor wake_up_bit() pattern of calling ceph: fix potential race condition in ceph_ioctl_lazyio() ceph: fix overflowed constant issue in ceph_do_objects_copy() ceph: fix wrong sizeof argument issue in register_session() ceph: add checking of wait_for_completion_killable() return value ceph: make ceph_start_io_*() killable libceph: Use HMAC-SHA256 library instead of crypto_shash
7 daysMerge tag 'v6.18-rc-part2-smb-client-fixes' of ↵Linus Torvalds18-329/+522
git://git.samba.org/sfrench/cifs-2.6 Pull more smb client updates from Steve French: - fix i_size in fallocate - two truncate fixes - utime fix - minor cleanups - SMB1 fixes - improve error check in read - improve perf of copy file_range (copy_chunk) * tag 'v6.18-rc-part2-smb-client-fixes' of git://git.samba.org/sfrench/cifs-2.6: cifs: update internal version number cifs: Add comments for DeletePending assignments in open functions cifs: Add fallback code path for cifs_mkdir_setinfo() cifs: Allow fallback code in smb_set_file_info() also for directories cifs: Query EA $LXMOD in cifs_query_path_info() for WSL reparse points smb: client: remove cfids_invalidation_worker smb: client: remove redudant assignment in cifs_strict_fsync() smb: client: fix race with fallocate(2) and AIO+DIO smb: client: fix missing timestamp updates after utime(2) smb: client: fix missing timestamp updates after ftruncate(2) smb: client: fix missing timestamp updates with O_TRUNC cifs: Fix copy_to_iter return value check smb: client: batch SRV_COPYCHUNK entries to cut round trips smb: client: Omit an if branch in smb2_find_smb_tcon() smb: client: Return directly after a failed genlmsg_new() in cifs_swn_send_register_message() smb: client: Use common code in cifs_do_create() smb: client: Improve unlocking of a mutex in cifs_get_swn_reg() smb: client: Return a status code only as a constant in cifs_spnego_key_instantiate() smb: client: Use common code in cifs_lookup() smb: client: Reduce the scopes for a few variables in two functions
7 daysMerge tag 'xtensa-20251010' of https://github.com/jcmvbkbc/linux-xtensaLinus Torvalds2-3/+8
Pull Xtensa updates from Max Filippov: - minor cleanups * tag 'xtensa-20251010' of https://github.com/jcmvbkbc/linux-xtensa: xtensa: use HZ_PER_MHZ in platform_calibrate_ccount xtensa: simdisk: add input size check in proc_write_simdisk
7 daysMerge tag 'block-6.18-20251009' of ↵Linus Torvalds8-26/+29
git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux Pull block fixes from Jens Axboe: - Don't include __GFP_NOWARN for loop worker allocation, as it already uses GFP_NOWAIT which has __GFP_NOWARN set already - Small series cleaning up the recent bio_iov_iter_get_pages() changes - loop fix for leaking the backing reference file, if validation fails - Update of a comment pertaining to disk/partition stat locking * tag 'block-6.18-20251009' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux: loop: remove redundant __GFP_NOWARN flag block: move bio_iov_iter_get_bdev_pages to block/fops.c iomap: open code bio_iov_iter_get_bdev_pages block: rename bio_iov_iter_get_pages_aligned to bio_iov_iter_get_pages block: remove bio_iov_iter_get_pages block: Update a comment of disk statistics loop: fix backing file reference leak on validation error
7 daysMerge tag 'io_uring-6.18-20251009' of ↵Linus Torvalds4-3/+9
git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux Pull io_uring fixes from Jens Axboe: - Fixup indentation in the UAPI header - Two fixes for zcrx. One fixes receiving too much in some cases, and the other deals with not correctly incrementing the source in the fallback copy loop - Fix for a race in the IORING_OP_WAITID command, where there was a small window where the request would be left on the wait_queue_head list even though it was being canceled/completed - Update liburing git URL in the kernel tree * tag 'io_uring-6.18-20251009' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux: io_uring/zcrx: increment fallback loop src offset io_uring/zcrx: fix overshooting recv limit io_uring: use tab indentation for IORING_SEND_VECTORIZED comment io_uring/waitid: always prune wait queue entry in io_waitid_wait() io_uring: update liburing git URL
7 daysMerge patch series "kbuild: Fixes for fallout from recent ↵Nathan Chancellor2-23/+26
modules.builtin.modinfo series" This is a series to address some problems that were exposed by the recent modules.builtin.modinfo series that landed in commit c7d3dd9163e6 ("Merge patch series "Add generated modalias to modules.builtin.modinfo""). The third patch is not directly related to the aforementioned series, as the warning it fixes happens prior to the series but commit 8d18ef04f940 ("s390: vmlinux.lds.S: Reorder sections") from the series creates conflicts in this area, so I included it here. Link: https://patch.msgid.link/20251008-kbuild-fix-modinfo-regressions-v1-0-9fc776c5887c@kernel.org Signed-off-by: Nathan Chancellor <nathan@kernel.org>
7 dayss390/vmlinux.lds.S: Move .vmlinux.info to end of allocatable sectionsNathan Chancellor1-22/+22
When building s390 defconfig with binutils older than 2.32, there are several warnings during the final linking stage: s390-linux-ld: .tmp_vmlinux1: warning: allocated section `.got.plt' not in segment s390-linux-ld: .tmp_vmlinux2: warning: allocated section `.got.plt' not in segment s390-linux-ld: vmlinux.unstripped: warning: allocated section `.got.plt' not in segment s390-linux-objcopy: vmlinux: warning: allocated section `.got.plt' not in segment s390-linux-objcopy: st7afZyb: warning: allocated section `.got.plt' not in segment binutils commit afca762f598 ("S/390: Improve partial relro support for 64 bit") [1] in 2.32 changed where .got.plt is emitted, avoiding the warning. The :NONE in the .vmlinux.info output section description changes the segment for subsequent allocated sections. Move .vmlinux.info right above the discards section to place all other sections in the previously defined segment, .data. Fixes: 30226853d6ec ("s390: vmlinux.lds.S: explicitly handle '.got' and '.plt' sections") Link: https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=afca762f598d453c563f244cd3777715b1a0cb72 [1] Acked-by: Alexander Gordeev <agordeev@linux.ibm.com> Acked-by: Alexey Gladkov <legion@kernel.org> Acked-by: Nicolas Schier <nsc@kernel.org> Link: https://patch.msgid.link/20251008-kbuild-fix-modinfo-regressions-v1-3-9fc776c5887c@kernel.org Signed-off-by: Nathan Chancellor <nathan@kernel.org>
7 dayskbuild: Add '.rel.*' strip pattern for vmlinuxNathan Chancellor1-0/+3
Prior to binutils commit c12d9fa2afe ("Support objcopy --remove-section=.relaFOO") [1] in 2.32, stripping relocation sections required the trailing period (i.e., '.rel.*') to work properly. After commit 3e86e4d74c04 ("kbuild: keep .modinfo section in vmlinux.unstripped"), there is an error with binutils 2.31.1 or earlier because these sections are not properly removed: s390-linux-objcopy: st6tO8Ev: symbol `.modinfo' required but not present s390-linux-objcopy:st6tO8Ev: no symbols Add the old pattern to resolve this issue (along with a comment to allow cleaning this when binutils 2.32 or newer is the minimum supported version). While the aforementioned kbuild change exposes this, the pattern was originally changed by commit 71d815bf5dfd ("kbuild: Strip runtime const RELA sections correctly"), where it would still be incorrect with binutils older than 2.32. Fixes: 71d815bf5dfd ("kbuild: Strip runtime const RELA sections correctly") Link: https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=c12d9fa2afe7abcbe407a00e15719e1a1350c2a7 [1] Reported-by: Linux Kernel Functional Testing <lkft@linaro.org> Closes: https://lore.kernel.org/CA+G9fYvVktRhFtZXdNgVOL8j+ArsJDpvMLgCitaQvQmCx=hwOQ@mail.gmail.com/ Acked-by: Ard Biesheuvel <ardb@kernel.org> Acked-by: Alexey Gladkov <legion@kernel.org> Acked-by: Nicolas Schier <nsc@kernel.org> Link: https://patch.msgid.link/20251008-kbuild-fix-modinfo-regressions-v1-2-9fc776c5887c@kernel.org Signed-off-by: Nathan Chancellor <nathan@kernel.org>
7 dayskbuild: Restore pattern to avoid stripping .rela.dyn from vmlinuxNathan Chancellor1-1/+1
Commit 0ce5139fd96e ("kbuild: always create intermediate vmlinux.unstripped") removed the pattern to avoid stripping .rela.dyn sections added by commit e9d86b8e17e7 ("scripts: Do not strip .rela.dyn section"). Restore it so that .rela.dyn sections remain in the final vmlinux. Fixes: 0ce5139fd96e ("kbuild: always create intermediate vmlinux.unstripped") Acked-by: Ard Biesheuvel <ardb@kernel.org> Acked-by: Alexey Gladkov <legion@kernel.org> Acked-by: Nicolas Schier <nsc@kernel.org> Link: https://patch.msgid.link/20251008-kbuild-fix-modinfo-regressions-v1-1-9fc776c5887c@kernel.org Signed-off-by: Nathan Chancellor <nathan@kernel.org>
7 daysMerge branch ↵Alexei Starovoitov3-2/+63
'bpf-avoid-rcu-context-warning-when-unpinning-htab-with-internal-structs' KaFai Wan says: ==================== bpf: Avoid RCU context warning when unpinning htab with internal structs This small patchset is about avoid RCU context warning when unpinning htab with internal structs (timer, workqueue, or task_work). v3: - fix nit (Yonghong Song) - add Acked-by: Yonghong Song <yonghong.song@linux.dev> v2: - rename bpf_free_inode() to bpf_destroy_inode() (Andrii) https://lore.kernel.org/all/20251007012235.755853-1-kafai.wan@linux.dev/ v1: https://lore.kernel.org/all/20251003084528.502518-1-kafai.wan@linux.dev/ --- ==================== Link: https://patch.msgid.link/20251008102628.808045-1-kafai.wan@linux.dev Signed-off-by: Alexei Starovoitov <ast@kernel.org>
7 daysselftests/bpf: Add test for unpinning htab with internal timer structKaFai Wan2-0/+61
Add test to verify that unpinning hash tables containing internal timer structures does not trigger context warnings. Each subtest (timer_prealloc and timer_no_prealloc) can trigger the context warning when unpinning, but the warning cannot be triggered twice within a short time interval (a HZ), which is expected behavior. Signed-off-by: KaFai Wan <kafai.wan@linux.dev> Acked-by: Yonghong Song <yonghong.song@linux.dev> Link: https://lore.kernel.org/r/20251008102628.808045-3-kafai.wan@linux.dev Signed-off-by: Alexei Starovoitov <ast@kernel.org>
7 daysbpf: Avoid RCU context warning when unpinning htab with internal structsKaFai Wan1-2/+2
When unpinning a BPF hash table (htab or htab_lru) that contains internal structures (timer, workqueue, or task_work) in its values, a BUG warning is triggered: BUG: sleeping function called from invalid context at kernel/bpf/hashtab.c:244 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 14, name: ksoftirqd/0 ... The issue arises from the interaction between BPF object unpinning and RCU callback mechanisms: 1. BPF object unpinning uses ->free_inode() which schedules cleanup via call_rcu(), deferring the actual freeing to an RCU callback that executes within the RCU_SOFTIRQ context. 2. During cleanup of hash tables containing internal structures, htab_map_free_internal_structs() is invoked, which includes cond_resched() or cond_resched_rcu() calls to yield the CPU during potentially long operations. However, cond_resched() or cond_resched_rcu() cannot be safely called from atomic RCU softirq context, leading to the BUG warning when attempting to reschedule. Fix this by changing from ->free_inode() to ->destroy_inode() and rename bpf_free_inode() to bpf_destroy_inode() for BPF objects (prog, map, link). This allows direct inode freeing without RCU callback scheduling, avoiding the invalid context warning. Reported-by: Le Chen <tom2cat@sjtu.edu.cn> Closes: https://lore.kernel.org/all/1444123482.1827743.1750996347470.JavaMail.zimbra@sjtu.edu.cn/ Fixes: 68134668c17f ("bpf: Add map side support for bpf timers.") Suggested-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: KaFai Wan <kafai.wan@linux.dev> Acked-by: Yonghong Song <yonghong.song@linux.dev> Link: https://lore.kernel.org/r/20251008102628.808045-2-kafai.wan@linux.dev Signed-off-by: Alexei Starovoitov <ast@kernel.org>
7 daysxsk: Harden userspace-supplied xdp_desc validationAlexander Lobakin1-10/+35
Turned out certain clearly invalid values passed in xdp_desc from userspace can pass xp_{,un}aligned_validate_desc() and then lead to UBs or just invalid frames to be queued for xmit. desc->len close to ``U32_MAX`` with a non-zero pool->tx_metadata_len can cause positive integer overflow and wraparound, the same way low enough desc->addr with a non-zero pool->tx_metadata_len can cause negative integer overflow. Both scenarios can then pass the validation successfully. This doesn't happen with valid XSk applications, but can be used to perform attacks. Always promote desc->len to ``u64`` first to exclude positive overflows of it. Use explicit check_{add,sub}_overflow() when validating desc->addr (which is ``u64`` already). bloat-o-meter reports a little growth of the code size: add/remove: 0/0 grow/shrink: 2/1 up/down: 60/-16 (44) Function old new delta xskq_cons_peek_desc 299 330 +31 xsk_tx_peek_release_desc_batch 973 1002 +29 xsk_generic_xmit 3148 3132 -16 but hopefully this doesn't hurt the performance much. Fixes: 341ac980eab9 ("xsk: Support tx_metadata_len") Cc: stable@vger.kernel.org # 6.8+ Signed-off-by: Alexander Lobakin <aleksander.lobakin@intel.com> Reviewed-by: Jason Xing <kerneljasonxing@gmail.com> Reviewed-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com> Link: https://lore.kernel.org/r/20251008165659.4141318-1-aleksander.lobakin@intel.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
7 daysMerge tag 'parisc-for-6.18-rc1' of ↵Linus Torvalds12-7/+178
git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux Pull parisc updates from Helge Deller: "Minor enhancements and fixes, specifically: - report emulation and alignment faults via perf - add initial kernel-side support for perf_events - small initialization fixes in the parisc firmware layer - adjust TC* constants and avoid referencing termio structs to avoid userspace build errors" * tag 'parisc-for-6.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux: parisc: Fix iodc and device path return values on old machines parisc: Firmware: Fix returned path for PDC_MODULE_FIND on older machines parisc: Add initial kernel-side perf_event support parisc: Report software alignment faults via perf parisc: Report emulation faults via perf parisc: don't reference obsolete termio struct for TC* constants parisc: Remove spurious if statement from raw_copy_from_user()
7 daysMerge tag 'sound-fix-6.18-rc1' of ↵Linus Torvalds16-55/+206
git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound Pull sound fixes from Takashi Iwai: "A few more small fixes for 6.18-rc1. Most of changes are about ASoC Intel and SOF drivers, while a few other device-specific fixes are found for HD-audio, USB-audio, ASoC RT722VB and Meson" * tag 'sound-fix-6.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: ASoC: rt722: add settings for rt722VB ASoC: meson: aiu-encoder-i2s: fix bit clock polarity ALSA: usb: fpc: replace kmalloc_array followed by copy_from_user with memdup_array_user ALSA: hda/tas2781: Enable init_profile_id for device initialization ALSA: emu10k1: Fix typo in docs ALSA: hda/realtek: Add quirk for ASUS ROG Zephyrus Duo ASoC: SOF: Intel: Read the LLP via the associated Link DMA channel ASoC: SOF: ipc4-pcm: do not report invalid delay values ASoC: SOF: sof-audio: add dev_dbg_ratelimited wrapper ASoC: SOF: Intel: hda-pcm: Place the constraint on period time instead of buffer time ASoC: SOF: ipc4-topology: Account for different ChainDMA host buffer size ASoC: SOF: ipc4-topology: Correct the minimum host DMA buffer size ASoC: SOF: ipc4-pcm: fix start offset calculation for chain DMA ASoC: SOF: ipc4-pcm: fix delay calculation when DSP resamples ASoC: SOF: ipc3-topology: Fix multi-core and static pipelines tear down ALSA: hda/hdmi: Add pin fix for HP ProDesk model
7 daysNFSD: Define a proc_layoutcommit for the FlexFiles layout typeChuck Lever1-0/+8
Avoid a crash if a pNFS client should happen to send a LAYOUTCOMMIT operation on a FlexFiles layout. Reported-by: Robert Morris <rtm@csail.mit.edu> Closes: https://lore.kernel.org/linux-nfs/152f99b2-ba35-4dec-93a9-4690e625dccd@oracle.com/T/#t Cc: Thomas Haynes <loghyr@hammerspace.com> Cc: stable@vger.kernel.org Fixes: 9b9960a0ca47 ("nfsd: Add a super simple flex file server") Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
7 daysMerge tag 'fbdev-for-6.18-rc1' of ↵Linus Torvalds25-165/+259
git://git.kernel.org/pub/scm/linux/kernel/git/deller/linux-fbdev Pull fbdev updates from Helge Deller: "Beside the usual bunch of smaller bug fixes, the majority of changes were by Zsolt Kajtar to improve the s3fb driver. Bug fixes: - Bounds checking to fix vmalloc-out-of-bounds (Albin Babu Varghese) - Fix logic error in "offb" name match (Finn Thain) - simplefb: Fix use after free in (Janne Grunau) - s3fb: Various fixes and powersave improvements (Zsolt Kajtar) Enhancements & code cleanups: - Various fixes in the documentation (Bagas Sanjaya) - Use string choices helpers (Chelsy Ratnawat) - xenfb: Use vmalloc_array to simplify code (Qianfeng Rong) - mb862xxfb: use signed type for error codes (Qianfeng Rong) - Make drivers depend on LCD_CLASS_DEVICE (Thomas Zimmermann) - radeonfb: Remove stale product link in Kconfig (Sukrut Heroorkar)" * tag 'fbdev-for-6.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/linux-fbdev: fbdev: Fix logic error in "offb" name match fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds fbdev: Make drivers depend on LCD_CLASS_DEVICE fbdev: radeonfb: Remove stale product link in Kconfig Documentation: fb: Retitle driver docs Documentation: fb: ep93xx: Demote section headings Documentation: fb: Split toctree fbdev: simplefb: Fix use after free in simplefb_detach_genpds() fbdev: s3fb: Revert mclk stop in suspend fbdev: mb862xxfb: Use int type to store negative error codes fbdev: Use string choices helpers fbdev: core: Fix ubsan warning in pixel_to_pat fbdev: s3fb: Implement 1 and 2 BPP modes, improve 4 BPP fbdev: s3fb: Implement powersave for S3 FB fbdev: xenfb: Use vmalloc_array to simplify code
7 daysMerge tag 'gpio-fixes-for-v6.18-rc1' of ↵Linus Torvalds2-1/+2
git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux Pull gpio fixes from Bartosz Golaszewski: - add a missing ACPI ID for MTL-CVF devices in gpio-usbio - mark the gpio-wcd934x controller as "sleeping" as it uses a mutex for locking internally * tag 'gpio-fixes-for-v6.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux: gpio: wcd934x: mark the GPIO controller as sleeping gpio: usbio: Add ACPI device-id for MTL-CVF devices
7 daysMerge tag 'ntb-6.18' of https://github.com/jonmason/ntbLinus Torvalds5-51/+94
Pull NTB updates from Jon Mason: - Add support for Renesas R-Car and allow arbitrary BAR mapping in EPF - Update ntb_hw_amd to support the latest generation secondary topology and add a new maintainer - Fix a bug by adding a mutex to ensure `link_event_callback` executes sequentially * tag 'ntb-6.18' of https://github.com/jonmason/ntb: NTB: epf: Add Renesas rcar support NTB: epf: Allow arbitrary BAR mapping ntb: Add mutex to make link_event_callback executed linearly. MAINTAINERS: Update for the NTB AMD driver maintainer ntb_hw_amd: Update amd_ntb_get_link_status to support latest generation secondary topology
7 daysMerge tag 'i2c-for-6.18-rc1-part2' of ↵Linus Torvalds9-212/+386
git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux Pull more i2c updates from Wolfram Sang: - Second part of rtl9300 updates since dependencies are in now: - general cleanups - implement block read/write support - add RTL9310 support - DT schema conversion of hix5hd2 binding - namespace cleanup for i2c-algo-pca - minor simplification for mt65xx * tag 'i2c-for-6.18-rc1-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux: dt-bindings: i2c: hisilicon,hix5hd2: convert to DT schema i2c: mt65xx: convert set_speed function to void i2c: rename wait_for_completion callback to wait_for_completion_cb i2c: rtl9300: add support for RTL9310 I2C controller dt-bindings: i2c: realtek,rtl9301-i2c: extend for RTL9310 support i2c: rtl9300: use scoped guard instead of explicit lock/unlock i2c: rtl9300: separate xfer configuration and execution i2c: rtl9300: do not set read mode on every transfer i2c: rtl9300: move setting SCL frequency to config_io i2c: rtl9300: rename internal sda_pin to sda_num dt-bindings: i2c: realtek,rtl9301-i2c: fix wording and typos i2c: rtl9300: use regmap fields and API for registers i2c: rtl9300: Implement I2C block read and write
7 dayscifs: update internal version numberSteve French1-2/+2
to 2.57 Signed-off-by: Steve French <stfrench@microsoft.com>
7 daysMerge tag 'v6.18-p3' of ↵Linus Torvalds2-8/+8
git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 Pull crypto fixes from Herbert Xu: - Fix bug in crypto_skcipher that breaks the new ti driver - Check for invalid assoclen in essiv * tag 'v6.18-p3' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: crypto: essiv - Check ssize for decryption and in-place encryption crypto: skcipher - Fix reqsize handling
7 daysMerge tag 'tpmdd-next-v6.18-2' of ↵Linus Torvalds8-199/+137
git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd Pull tpm updates from Jarkko Sakkinen: - Disable TCG_TPM2_HMAC from defconfig It causes performance issues, and breaks some atypical configurations. - simplify code using the new crypto library - misc fixes and cleanups * tag 'tpmdd-next-v6.18-2' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd: tpm: Prevent local DOS via tpm/tpm0/ppi/*operations tpm: use a map for tpm2_calc_ordinal_duration() tpm_tis: Fix incorrect arguments in tpm_tis_probe_irq_single tpm: Use HMAC-SHA256 library instead of open-coded HMAC tpm: Compare HMAC values in constant time tpm: Disable TPM2_TCG_HMAC by default