* android14-6.1-2025-07: (3992 commits)
ANDROID: virt: gunyah: Replace arm_smccc_1_1_smc with arm_smccc_1_1_invoke
ANDROID: GKI: Add symbol list for Nothing
UPSTREAM: posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()
ANDROID: 16K: Use vma_area slab cache for pad VMA
ANDROID: 16K: Add VMA padding size to smaps output
ANDROID: 16K: Don't copy data vma for maps/smaps output
ANDROID: BACKPORT: KVM: arm64: Always unmap the pvmfw region at stage-2
ANDROID: GKI: add final newline to protected exports file
ANDROID: abi_gki_aarch64_qcom: Add PCIe ECAM related symbols
ANDROID: GKI: Export tracepoint tcp_retransmit_skb
ANDROID: GKI: Update symbol list for vivo
ANDROID: GKI: net: add vendor hooks net qos for gki purpose
ANDROID: GKI: Update symbol list for vivo
ANDROID: GKI: net: add vendor hooks net qos for gki purpose
Revert "ANDROID: mm: Set PAGE_BLOCK_ORDER to 8 when ARM64_16K_PAGES"
ANDROID: mm: Set PAGE_BLOCK_ORDER to 8 when ARM64_16K_PAGES
ANDROID: GKI: Update symbol list for vivo
ANDROID: vendor_hooks: add hook to retry mempool allocation without delay
BACKPORT: FROMGIT: mm: Add CONFIG_PAGE_BLOCK_ORDER to select page block order
BACKPORT: binder: Create safe versions of binder log files
...
Change-Id: I0556b86c975710a929ab1c7cde9dfac0eaa4e07a
commit f90fff1e152dedf52b932240ebbd670d83330eca upstream.
If an exiting non-autoreaping task has already passed exit_notify() and
calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent
or debugger right after unlock_task_sighand().
If a concurrent posix_cpu_timer_del() runs at that moment, it won't be
able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or
lock_task_sighand() will fail.
Add the tsk->exit_state check into run_posix_cpu_timers() to fix this.
This fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because
exit_task_work() is called before exit_notify(). But the check still
makes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail
anyway in this case.
Bug: 425282960
Cc: stable@vger.kernel.org
Reported-by: Benoît Sevens <bsevens@google.com>
Fixes: 0bdd2ed413 ("sched: run_posix_cpu_timers: Don't check ->exit_state, use lock_task_sighand()")
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit c29d5318708e67ac13c1b6fc1007d179fb65b4d7)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I2a9b8114abf2647c346e763edee1d424a07e86fe
Allocate padding VMA from the vma slab cache; this makes it
easier to debug slab leaks than from kmalloc slabs.
Bug: 427145188
Change-Id: I24c5f5d0eb3b06acf506f18f5eb57cd497b13d6d
Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
This reverts commit e1c3bfe365 which is
commit 8ce939a0fa194939cc1f92dbd8bc1a7806e7d40a upstream.
It breaks the Android kernel abi and can be brought back in the future
in an abi-safe way if it is really needed.
Bug: 161946584
Change-Id: I9c672a97df39e7381e10c7cf113a5a36f76c90e4
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit 82ac6adbbb which is
commit 53dac345395c0d2493cbc2f4c85fe38aef5b63f5 upstream.
It breaks the Android kernel build and can be brought back in the future
in a safe way if it is really needed.
Bug: 161946584
Change-Id: Ic3951674e27076bd9867102f525af9adc5c2a43c
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Changes in 6.1.141
gpio: pca953x: Add missing header(s)
gpio: pca953x: Split pca953x_restore_context() and pca953x_save_context()
gpio: pca953x: Simplify code with cleanup helpers
gpio: pca953x: fix IRQ storm on system wake up
phy: renesas: rcar-gen3-usb2: Add support to initialize the bus
phy: renesas: rcar-gen3-usb2: Move IRQ request in probe
phy: renesas: rcar-gen3-usb2: Lock around hardware registers and driver data
phy: renesas: rcar-gen3-usb2: Assert PLL reset on PHY power off
scsi: target: iscsi: Fix timeout on deleted connection
virtio_ring: Fix data race by tagging event_triggered as racy for KCSAN
dma-mapping: avoid potential unused data compilation warning
cgroup: Fix compilation issue due to cgroup_mutex not being exported
scsi: mpi3mr: Add level check to control event logging
net: enetc: refactor bulk flipping of RX buffers to separate function
drm/amdgpu: Allow P2P access through XGMI
selftests/bpf: Mitigate sockmap_ktls disconnect_after_delete failure
bpf: fix possible endless loop in BPF map iteration
samples/bpf: Fix compilation failure for samples/bpf on LoongArch Fedora
kconfig: merge_config: use an empty file as initfile
s390/vfio-ap: Fix no AP queue sharing allowed message written to kernel log
cifs: Add fallback for SMB2 CREATE without FILE_READ_ATTRIBUTES
cifs: Fix querying and creating MF symlinks over SMB1
cifs: Fix negotiate retry functionality
fuse: Return EPERM rather than ENOSYS from link()
NFSv4: Check for delegation validity in nfs_start_delegation_return_locked()
NFS: Don't allow waiting for exiting tasks
SUNRPC: Don't allow waiting for exiting tasks
arm64: Add support for HIP09 Spectre-BHB mitigation
tracing: Mark binary printing functions with __printf() attribute
mailbox: use error ret code of of_parse_phandle_with_args()
fbdev: fsl-diu-fb: add missing device_remove_file()
fbcon: Use correct erase colour for clearing in fbcon
fbdev: core: tileblit: Implement missing margin clearing for tileblit
cifs: Fix establishing NetBIOS session for SMB2+ connection
NFSv4: Treat ENETUNREACH errors as fatal for state recovery
SUNRPC: rpc_clnt_set_transport() must not change the autobind setting
SUNRPC: rpcbind should never reset the port to the value '0'
thermal/drivers/qoriq: Power down TMU on system suspend
dql: Fix dql->limit value when reset.
lockdep: Fix wait context check on softirq for PREEMPT_RT
objtool: Properly disable uaccess validation
PCI: dwc: ep: Ensure proper iteration over outbound map windows
tools/build: Don't pass test log files to linker
pNFS/flexfiles: Report ENETDOWN as a connection error
PCI: vmd: Disable MSI remapping bypass under Xen
libnvdimm/labels: Fix divide error in nd_label_data_init()
mmc: host: Wait for Vdd to settle on card power off
x86/mm: Check return value from memblock_phys_alloc_range()
i2c: qup: Vote for interconnect bandwidth to DRAM
i2c: pxa: fix call balance of i2c->clk handling routines
btrfs: make btrfs_discard_workfn() block_group ref explicit
btrfs: avoid linker error in btrfs_find_create_tree_block()
btrfs: run btrfs_error_commit_super() early
btrfs: fix non-empty delayed iputs list on unmount due to async workers
btrfs: get zone unusable bytes while holding lock at btrfs_reclaim_bgs_work()
btrfs: send: return -ENAMETOOLONG when attempting a path that is too long
drm/amd/display: Guard against setting dispclk low for dcn31x
i3c: master: svc: Fix missing STOP for master request
dlm: make tcp still work in multi-link env
um: Store full CSGSFS and SS register from mcontext
um: Update min_low_pfn to match changes in uml_reserved
ext4: reorder capability check last
scsi: st: Tighten the page format heuristics with MODE SELECT
scsi: st: ERASE does not change tape location
vfio/pci: Handle INTx IRQ_NOTCONNECTED
bpf: Return prog btf_id without capable check
tcp: reorganize tcp_in_ack_event() and tcp_count_delivered()
rtc: rv3032: fix EERD location
thunderbolt: Do not add non-active NVM if NVM upgrade is disabled for retimer
ASoC: mediatek: mt6359: Add stub for mt6359_accdet_enable_jack_detect
kbuild: fix argument parsing in scripts/config
crypto: octeontx2 - suppress auth failure screaming due to negative tests
dm: restrict dm device size to 2^63-512 bytes
net/smc: use the correct ndev to find pnetid by pnetid table
xen: Add support for XenServer 6.1 platform device
pinctrl-tegra: Restore SFSEL bit when freeing pins
ASoC: sun4i-codec: support hp-det-gpios property
ext4: reject the 'data_err=abort' option in nojournal mode
RDMA/uverbs: Propagate errors from rdma_lookup_get_uobject()
posix-timers: Add cond_resched() to posix_timer_add() search loop
timer_list: Don't use %pK through printk()
netfilter: conntrack: Bound nf_conntrack sysctl writes
arm64/mm: Check PUD_TYPE_TABLE in pud_bad()
mmc: dw_mmc: add exynos7870 DW MMC support
mmc: sdhci: Disable SD card clock before changing parameters
hwmon: (dell-smm) Increment the number of fans
ipv6: save dontfrag in cork
drm/amd/display: calculate the remain segments for all pipes
gfs2: Check for empty queue in run_queue
auxdisplay: charlcd: Partially revert "Move hwidth and bwidth to struct hd44780_common"
ASoC: qcom: sm8250: explicitly set format in sm8250_be_hw_params_fixup()
iommu/amd/pgtbl_v2: Improve error handling
cpufreq: tegra186: Share policy per cluster
crypto: lzo - Fix compression buffer overrun
arm64: tegra: p2597: Fix gpio for vdd-1v8-dis regulator
powerpc/prom_init: Fixup missing #size-cells on PowerBook6,7
ALSA: seq: Improve data consistency at polling
tcp: bring back NUMA dispersion in inet_ehash_locks_alloc()
rtc: ds1307: stop disabling alarms on probe
ieee802154: ca8210: Use proper setters and getters for bitwise types
ARM: tegra: Switch DSI-B clock parent to PLLD on Tegra114
media: c8sectpfe: Call of_node_put(i2c_bus) only once in c8sectpfe_probe()
dm cache: prevent BUG_ON by blocking retries on failed device resumes
orangefs: Do not truncate file size
net: phylink: use pl->link_interface in phylink_expects_phy()
remoteproc: qcom_wcnss: Handle platforms with only single power domain
drm/amdgpu: Do not program AGP BAR regs under SRIOV in gfxhub_v1_0.c
media: cx231xx: set device_caps for 417
pinctrl: bcm281xx: Use "unsigned int" instead of bare "unsigned"
net: ethernet: ti: cpsw_new: populate netdev of_node
net: pktgen: fix mpls maximum labels list parsing
perf/hw_breakpoint: Return EOPNOTSUPP for unsupported breakpoint type
ALSA: hda/realtek: Enable PC beep passthrough for HP EliteBook 855 G7
ipv4: fib: Move fib_valid_key_len() to rtm_to_fib_config().
drm/rockchip: vop2: Add uv swap for cluster window
media: uvcvideo: Add sanity check to uvc_ioctl_xu_ctrl_map
clk: imx8mp: inform CCF of maximum frequency of clocks
x86/bugs: Make spectre user default depend on MITIGATION_SPECTRE_V2
hwmon: (gpio-fan) Add missing mutex locks
ARM: at91: pm: fix at91_suspend_finish for ZQ calibration
drm/mediatek: mtk_dpi: Add checks for reg_h_fre_con existence
fpga: altera-cvp: Increase credit timeout
soc: apple: rtkit: Use high prio work queue
soc: apple: rtkit: Implement OSLog buffers properly
PCI: brcmstb: Expand inbound window size up to 64GB
PCI: brcmstb: Add a softdep to MIP MSI-X driver
firmware: arm_ffa: Set dma_mask for ffa devices
net/mlx5: Avoid report two health errors on same syndrome
selftests/net: have `gro.sh -t` return a correct exit code
drm/amdkfd: KFD release_work possible circular locking
leds: pwm-multicolor: Add check for fwnode_property_read_u32
net: ethernet: mtk_ppe_offload: Allow QinQ, double ETH_P_8021Q only
net: xgene-v2: remove incorrect ACPI_PTR annotation
bonding: report duplicate MAC address in all situations
soc: ti: k3-socinfo: Do not use syscon helper to build regmap
x86/build: Fix broken copy command in genimage.sh when making isoimage
drm/amd/display: handle max_downscale_src_width fail check
x86/nmi: Add an emergency handler in nmi_desc & use it in nmi_shootdown_cpus()
cpuidle: menu: Avoid discarding useful information
media: adv7180: Disable test-pattern control on adv7180
libbpf: Fix out-of-bound read
dm: fix unconditional IO throttle caused by REQ_PREFLUSH
x86/kaslr: Reduce KASLR entropy on most x86 systems
MIPS: Use arch specific syscall name match function
genirq/msi: Store the IOMMU IOVA directly in msi_desc instead of iommu_cookie
MIPS: pm-cps: Use per-CPU variables as per-CPU, not per-core
clocksource: mips-gic-timer: Enable counter when CPUs start
scsi: mpt3sas: Send a diag reset if target reset fails
wifi: rtw88: Fix rtw_init_vht_cap() for RTL8814AU
wifi: rtw88: Fix rtw_init_ht_cap() for RTL8814AU
wifi: rtw88: Fix rtw_desc_to_mcsrate() to handle MCS16-31
wifi: rtw89: fw: propagate error code from rtw89_h2c_tx()
net: pktgen: fix access outside of user given buffer in pktgen_thread_write()
EDAC/ie31200: work around false positive build warning
i3c: master: svc: Flush FIFO before sending Dynamic Address Assignment(DAA)
serial: mctrl_gpio: split disable_ms into sync and no_sync APIs
RDMA/core: Fix best page size finding when it can cross SG entries
pmdomain: imx: gpcv2: use proper helper for property detection
can: c_can: Use of_property_present() to test existence of DT property
eth: mlx4: don't try to complete XDP frames in netpoll
PCI: Fix old_size lower bound in calculate_iosize() too
ACPI: HED: Always initialize before evged
vxlan: Join / leave MC group after remote changes
media: test-drivers: vivid: don't call schedule in loop
net/mlx5: Modify LSB bitmask in temperature event to include only the first bit
net/mlx5: Apply rate-limiting to high temperature warning
ASoC: ops: Enforce platform maximum on initial value
ASoC: tas2764: Add reg defaults for TAS2764_INT_CLK_CFG
ASoC: tas2764: Mark SW_RESET as volatile
ASoC: tas2764: Power up/down amp on mute ops
ASoC: soc-dai: check return value at snd_soc_dai_set_tdm_slot()
pinctrl: devicetree: do not goto err when probing hogs in pinctrl_dt_to_map
smack: recognize ipv4 CIPSO w/o categories
kunit: tool: Use qboot on QEMU x86_64
net/mlx4_core: Avoid impossible mlx4_db_alloc() order value
clk: qcom: clk-alpha-pll: Do not use random stack value for recalc rate
serial: sh-sci: Update the suspend/resume support
phy: core: don't require set_mode() callback for phy_get_mode() to work
drm/amdgpu: reset psp->cmd to NULL after releasing the buffer
drm/amd/display: Initial psr_version with correct setting
drm/amdgpu: enlarge the VBIOS binary size limit
drm/amd/display/dm: drop hw_support check in amdgpu_dm_i2c_xfer()
net/mlx5: Extend Ethtool loopback selftest to support non-linear SKB
net/mlx5e: set the tx_queue_len for pfifo_fast
net/mlx5e: reduce rep rxq depth to 256 for ECPF
wifi: mac80211: don't unconditionally call drv_mgd_complete_tx()
wifi: mac80211: remove misplaced drv_mgd_complete_tx() call
arch/powerpc/perf: Check the instruction type before creating sample with perf_mem_data_src
ip: fib_rules: Fetch net from fib_rule in fib[46]_rule_configure().
r8152: add vendor/device ID pair for Dell Alienware AW1022z
wifi: rtw88: Fix download_firmware_validate() for RTL8814AU
clk: qcom: camcc-sm8250: Use clk_rcg2_shared_ops for some RCGs
hwmon: (xgene-hwmon) use appropriate type for the latency value
media: qcom: camss: csid: Only add TPG v4l2 ctrl if TPG hardware is available
vxlan: Annotate FDB data races
r8169: don't scan PHY addresses > 0
rcu: handle quiescent states for PREEMPT_RCU=n, PREEMPT_COUNT=y
rcu: handle unstable rdp in rcu_read_unlock_strict()
rcu: fix header guard for rcu_all_qs()
perf: Avoid the read if the count is already updated
ice: count combined queues using Rx/Tx count
net/mana: fix warning in the writer of client oob
scsi: lpfc: Handle duplicate D_IDs in ndlp search-by D_ID routine
scsi: lpfc: Free phba irq in lpfc_sli4_enable_msi() when pci_irq_vector() fails
scsi: st: Restore some drive settings after reset
HID: usbkbd: Fix the bit shift number for LED_KANA
ASoC: codecs: pcm3168a: Allow for 24-bit in provider mode
drm/ast: Find VBIOS mode from regular display size
bpftool: Fix readlink usage in get_fd_type
perf/amd/ibs: Fix perf_ibs_op.cnt_mask for CurCnt
wifi: rtl8xxxu: retry firmware download on error
wifi: rtw88: Don't use static local variable in rtw8822b_set_tx_power_index_by_rate
wifi: rtw89: add wiphy_lock() to work that isn't held wiphy_lock() yet
spi: zynqmp-gqspi: Always acknowledge interrupts
regulator: ad5398: Add device tree support
wifi: ath9k: return by of_get_mac_address
drm/atomic: clarify the rules around drm_atomic_state->allow_modeset
drm/panel-edp: Add Starry 116KHD024006
drm: Add valid clones check
ASoC: imx-card: Adjust over allocation of memory in imx_card_parse_of()
pinctrl: meson: define the pull up/down resistor value as 60 kOhm
ASoC: Intel: bytcr_rt5640: Add DMI quirk for Acer Aspire SW3-013
ALSA: hda/realtek: Add quirk for HP Spectre x360 15-df1xxx
nvmet-tcp: don't restore null sk_state_change
io_uring/fdinfo: annotate racy sq/cq head/tail reads
btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref
wifi: iwlwifi: add support for Killer on MTL
xenbus: Allow PVH dom0 a non-local xenstore
__legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock
espintcp: remove encap socket caching to avoid reference leak
dmaengine: idxd: add per DSA wq workqueue for processing cr faults
dmaengine: idxd: add idxd_copy_cr() to copy user completion record during page fault handling
dmaengine: idxd: Fix allowing write() from different address spaces
remoteproc: qcom_wcnss: Fix on platforms without fallback regulators
clk: sunxi-ng: d1: Add missing divider for MMC mod clocks
xfrm: Sanitize marks before insert
dmaengine: idxd: Fix ->poll() return value
Bluetooth: L2CAP: Fix not checking l2cap_chan security level
bridge: netfilter: Fix forwarding of fragmented packets
ice: fix vf->num_mac count with port representors
net: dwmac-sun8i: Use parsed internal PHY address instead of 1
net: lan743x: Restore SGMII CTRL register on resume
io_uring: fix overflow resched cqe reordering
sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()
octeontx2-pf: Add support for page pool
octeontx2-pf: Add AF_XDP non-zero copy support
net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done
octeontx2-af: Set LMT_ENA bit for APR table entries
octeontx2-af: Fix APR entry mapping based on APR_LMT_CFG
crypto: algif_hash - fix double free in hash_accept
padata: do not leak refcount in reorder_work
can: slcan: allow reception of short error messages
can: bcm: add locking for bcm_op runtime updates
can: bcm: add missing rcu read protection for procfs content
ALSA: pcm: Fix race of buffer access at PCM OSS layer
ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14ASP10
llc: fix data loss when reading from a socket in llc_ui_recvmsg()
platform/x86: dell-wmi-sysman: Avoid buffer overflow in current_password_store()
drm/edid: fixed the bug that hdr metadata was not reset
smb: client: Fix use-after-free in cifs_fill_dirent
smb: client: Reset all search buffer pointers when releasing buffer
Revert "drm/amd: Keep display off while going into S4"
memcg: always call cond_resched() after fn()
mm/page_alloc.c: avoid infinite retries caused by cpuset race
Revert "arm64: dts: allwinner: h6: Use RSB for AXP805 PMIC connection"
ksmbd: fix stream write failure
spi: spi-fsl-dspi: restrict register range for regmap access
spi: spi-fsl-dspi: Halt the module after a new message transfer
spi: spi-fsl-dspi: Reset SR flags before sending a new message
kbuild: Disable -Wdefault-const-init-unsafe
serial: sh-sci: Save and restore more registers
pinctrl: tegra: Fix off by one in tegra_pinctrl_get_group()
i3c: master: svc: Fix implicit fallthrough in svc_i3c_master_ibi_work()
x86/mm/init: Handle the special case of device private pages in add_pages(), to not increase max_pfn and trigger dma_addressing_limited() bounce buffers bounce buffers
dmaengine: idxd: Fix passing freed memory in idxd_cdev_open()
octeontx2-pf: fix page_pool creation fail for rings > 32k
octeontx2-pf: Fix page pool cache index corruption.
octeontx2-pf: Fix page pool frag allocation warning
hrtimers: Force migrate away hrtimers queued after CPUHP_AP_HRTIMERS_DYING
btrfs: check folio mapping after unlock in relocate_one_folio()
af_unix: Kconfig: make CONFIG_UNIX bool
af_unix: Return struct unix_sock from unix_get_socket().
af_unix: Run GC on only one CPU.
af_unix: Try to run GC async.
af_unix: Replace BUG_ON() with WARN_ON_ONCE().
af_unix: Remove io_uring code for GC.
af_unix: Remove CONFIG_UNIX_SCM.
af_unix: Allocate struct unix_vertex for each inflight AF_UNIX fd.
af_unix: Allocate struct unix_edge for each inflight AF_UNIX fd.
af_unix: Link struct unix_edge when queuing skb.
af_unix: Bulk update unix_tot_inflight/unix_inflight when queuing skb.
af_unix: Iterate all vertices by DFS.
af_unix: Detect Strongly Connected Components.
af_unix: Save listener for embryo socket.
af_unix: Fix up unix_edge.successor for embryo socket.
af_unix: Save O(n) setup of Tarjan's algo.
af_unix: Skip GC if no cycle exists.
af_unix: Avoid Tarjan's algorithm if unnecessary.
af_unix: Assign a unique index to SCC.
af_unix: Detect dead SCC.
af_unix: Replace garbage collection algorithm.
af_unix: Remove lock dance in unix_peek_fds().
af_unix: Try not to hold unix_gc_lock during accept().
af_unix: Don't access successor in unix_del_edges() during GC.
af_unix: Add dead flag to struct scm_fp_list.
af_unix: Fix garbage collection of embryos carrying OOB with SCM_RIGHTS
af_unix: Fix uninit-value in __unix_walk_scc()
arm64: dts: qcom: sm8350: Fix typo in pil_camera_mem node
net_sched: hfsc: Address reentrant enqueue adding class to eltree twice
perf/arm-cmn: Fix REQ2/SNP2 mixup
perf/arm-cmn: Initialise cmn->cpu earlier
coredump: fix error handling for replace_fd()
pid: add pidfd_prepare()
fork: use pidfd_prepare()
coredump: hand a pidfd to the usermode coredump helper
HID: quirks: Add ADATA XPG alpha wireless mouse support
nfs: don't share pNFS DS connections between net namespaces
platform/x86: thinkpad_acpi: Support also NEC Lavie X1475JAS
um: let 'make clean' properly clean underlying SUBARCH as well
spi: spi-sun4i: fix early activation
nvme-pci: add NVME_QUIRK_NO_DEEPEST_PS quirk for SOLIDIGM P44 Pro
NFS: Avoid flushing data while holding directory locks in nfs_rename()
platform/x86: fujitsu-laptop: Support Lifebook S2110 hotkeys
platform/x86: thinkpad_acpi: Ignore battery threshold change event notification
net: ethernet: ti: am65-cpsw: Lower random mac address error print to info
Linux 6.1.141
Change-Id: I4b93f8e69385f2087bf71545f58ae6f5cee1c5ba
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit 6ae930d9db upstream.
Add a new helper that allows to reserve a pidfd and allocates a new
pidfd file that stashes the provided struct pid. This will allow us to
remove places that either open code this function or that call
pidfd_create() but then have to call close_fd() because there are still
failure points after pidfd_create() has been called.
Reviewed-by: Jan Kara <jack@suse.cz>
Message-Id: <20230327-pidfd-file-api-v1-1-5c0e9a3158e4@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 53dac345395c0d2493cbc2f4c85fe38aef5b63f5 upstream.
hrtimers are migrated away from the dying CPU to any online target at
the CPUHP_AP_HRTIMERS_DYING stage in order not to delay bandwidth timers
handling tasks involved in the CPU hotplug forward progress.
However wakeups can still be performed by the outgoing CPU after
CPUHP_AP_HRTIMERS_DYING. Those can result again in bandwidth timers being
armed. Depending on several considerations (crystal ball power management
based election, earliest timer already enqueued, timer migration enabled or
not), the target may eventually be the current CPU even if offline. If that
happens, the timer is eventually ignored.
The most notable example is RCU which had to deal with each and every of
those wake-ups by deferring them to an online CPU, along with related
workarounds:
* e787644caf76 (rcu: Defer RCU kthreads wakeup when CPU is dying)
* 9139f93209d1 (rcu/nocb: Fix RT throttling hrtimer armed from offline CPU)
* f7345ccc62a4 (rcu/nocb: Fix rcuog wake-up from offline softirq)
The problem isn't confined to RCU though as the stop machine kthread
(which runs CPUHP_AP_HRTIMERS_DYING) reports its completion at the end
of its work through cpu_stop_signal_done() and performs a wake up that
eventually arms the deadline server timer:
    WARNING: CPU: 94 PID: 588 at kernel/time/hrtimer.c:1086 hrtimer_start_range_ns+0x289/0x2d0
    CPU: 94 UID: 0 PID: 588 Comm: migration/94 Not tainted
    Stopper: multi_cpu_stop+0x0/0x120 <- stop_machine_cpuslocked+0x66/0xc0
    RIP: 0010:hrtimer_start_range_ns+0x289/0x2d0
    Call Trace:
    <TASK>
      start_dl_timer
      enqueue_dl_entity
      dl_server_start
      enqueue_task_fair
      enqueue_task
      ttwu_do_activate
      try_to_wake_up
      complete
      cpu_stopper_thread
Instead of providing yet another bandaid to work around the situation, fix
it in the hrtimers infrastructure instead: always migrate away a timer to
an online target whenever it is enqueued from an offline CPU.
This will also allow to revert all the above RCU disgraceful hacks.
Fixes: 5c0930ccaad5 ("hrtimers: Push pending hrtimers away from outgoing CPU earlier")
Reported-by: Vlad Poenaru <vlad.wing@gmail.com>
Reported-by: Usama Arif <usamaarif642@gmail.com>
Signed-off-by: Frederic Weisbecker <frederic@kernel.org>
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Tested-by: Paul E. McKenney <paulmck@kernel.org>
Link: https://lore.kernel.org/all/20250117232433.24027-1-frederic@kernel.org
Closes: 20241213203739.1519801-1-usamaarif642@gmail.com
Signed-off-by: Zhaoyang Li <lizy04@hust.edu.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit d6ebcde6d4ecf34f8495fb30516645db3aea8993 upstream.
A recent patch that addressed a UAF introduced a reference count leak:
the parallel_data refcount is incremented unconditionally, regardless
of the return value of queue_work(). If the work item is already queued,
the incremented refcount is never decremented.
Fix this by checking the return value of queue_work() and decrementing
the refcount when necessary.
Resolves:
    Unreferenced object 0xffff9d9f421e3d80 (size 192):
      comm "cryptomgr_probe", pid 157, jiffies 4294694003
      hex dump (first 32 bytes):
        80 8b cf 41 9f 9d ff ff b8 97 e0 89 ff ff ff ff ...A............
        d0 97 e0 89 ff ff ff ff 19 00 00 00 1f 88 23 00 ..............#.
      backtrace (crc 838fb36):
        __kmalloc_cache_noprof+0x284/0x320
        padata_alloc_pd+0x20/0x1e0
        padata_alloc_shell+0x3b/0xa0
        0xffffffffc040a54d
        cryptomgr_probe+0x43/0xc0
        kthread+0xf6/0x1f0
        ret_from_fork+0x2f/0x50
        ret_from_fork_asm+0x1a/0x30
Fixes: dd7d37ccf6b1 ("padata: avoid UAF for reorder_work")
Cc: <stable@vger.kernel.org>
Signed-off-by: Dominik Grzegorzek <dominik.grzegorzek@oracle.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
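Added example, not part of the commit above or of the kernel source: a userspace model of the refcount leak that message describes, comparing an unconditional reference take with one that is dropped again when queue_work() reports the item was already queued. All names (model_queue_work, requeue_leaky, requeue_fixed, leaked_refs) and the schedule strings are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only: a work item is either pending or not. */
struct work { bool pending; };

struct parallel_data {
    int refcnt;                 /* models the parallel_data refcount */
    struct work reorder_work;   /* models the reorder work item */
};

/* Models queue_work(): returns false if the item was already queued. */
static bool model_queue_work(struct work *w)
{
    if (w->pending)
        return false;
    w->pending = true;
    return true;
}

/* Models the worker running once: it consumes the single reference
 * that was taken on behalf of the queued work item. */
static void model_run_work(struct parallel_data *pd)
{
    if (!pd->reorder_work.pending)
        return;
    pd->reorder_work.pending = false;
    pd->refcnt--;
}

/* Leaking pattern: reference taken regardless of queue_work()'s result. */
static void requeue_leaky(struct parallel_data *pd)
{
    pd->refcnt++;
    model_queue_work(&pd->reorder_work);
}

/* Fixed pattern: give the reference back when nothing new was queued. */
static void requeue_fixed(struct parallel_data *pd)
{
    pd->refcnt++;
    if (!model_queue_work(&pd->reorder_work))
        pd->refcnt--;
}

/* Replays a constructed schedule: 'Q' = a requeue attempt, 'R' = the
 * worker runs. Returns references left over beyond the owner's base
 * reference, i.e. how many were leaked. */
static int leaked_refs(void (*requeue)(struct parallel_data *),
                       const char *schedule)
{
    struct parallel_data pd = { .refcnt = 1, .reorder_work = { false } };

    for (const char *p = schedule; *p; p++) {
        if (*p == 'Q')
            requeue(&pd);
        else if (*p == 'R')
            model_run_work(&pd);
    }
    return pd.refcnt - 1;
}

int main(void)
{
    const char *schedules[] = { "QRQR", "QQQR", "QQRQQQR" };

    for (size_t i = 0; i < sizeof(schedules) / sizeof(schedules[0]); i++)
        printf("%-8s leaky=%d fixed=%d\n", schedules[i],
               leaked_refs(requeue_leaky, schedules[i]),
               leaked_refs(requeue_fixed, schedules[i]));
    return 0;
}
```

Every 'Q' that lands while the work item is still pending leaves one reference behind in the leaky variant, which is why the object in the kmemleak report is never freed.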
[ Upstream commit 8ce939a0fa194939cc1f92dbd8bc1a7806e7d40a ]
The event may have been updated in the PMU-specific implementation,
e.g., Intel PEBS counters snapshotting. The common code should not
read and overwrite the value.
The PERF_SAMPLE_READ in the data->sample_type can be used to detect
whether the PMU-specific value is available. If yes, avoid the
pmu->read() in the common code. Add a new flag, skip_read, to track the
case.
Factor out a perf_pmu_read() to clean up the code.
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/20250121152303.3128733-3-kan.liang@linux.intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit fcf0e25ad4c8d14d2faab4d9a17040f31efce205 ]
rcu_read_unlock_strict() can be called with preemption enabled
which can make for an unstable rdp and a racy norm value.
Fix this by dropping the preempt-count in __rcu_read_unlock()
after the call to rcu_read_unlock_strict(), adjusting the
preempt-count check appropriately.
Suggested-by: Frederic Weisbecker <frederic@kernel.org>
Signed-off-by: Ankur Arora <ankur.a.arora@oracle.com>
Reviewed-by: Frederic Weisbecker <frederic@kernel.org>
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 83b28cfe796464ebbde1cf7916c126da6d572685 ]
With PREEMPT_RCU=n, cond_resched() provides urgently needed quiescent
states for read-side critical sections via rcu_all_qs().
One reason why this was needed: lacking preempt-count, the tick
handler has no way of knowing whether it is executing in a
read-side critical section or not.
With (PREEMPT_LAZY=y, PREEMPT_DYNAMIC=n), we get (PREEMPT_COUNT=y,
PREEMPT_RCU=n). In this configuration cond_resched() is a stub and
does not provide quiescent states via rcu_all_qs().
(PREEMPT_RCU=y provides this information via rcu_read_unlock() and
its nesting counter.)
So, use the availability of preempt_count() to report quiescent states
in rcu_flavor_sched_clock_irq().
Suggested-by: Paul E. McKenney <paulmck@kernel.org>
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Ankur Arora <ankur.a.arora@oracle.com>
Reviewed-by: Frederic Weisbecker <frederic@kernel.org>
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 061c991697062f3bf87b72ed553d1d33a0e370dd ]
Currently, __reserve_bp_slot() returns -ENOSPC for unsupported
breakpoint types on the architecture. For example, powerpc
does not support hardware instruction breakpoints. This causes
the perf_skip BPF selftest to fail, as neither ENOENT nor
EOPNOTSUPP is returned by perf_event_open for unsupported
breakpoint types. As a result, the test that should be skipped
for this arch is not correctly identified.
To resolve this, hw_breakpoint_event_init() should exit early by
checking for unsupported breakpoint types using
hw_breakpoint_slots_cached() and return the appropriate error
(-EOPNOTSUPP).
Signed-off-by: Saket Kumar Bhaskar <skb99@linux.ibm.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: Marco Elver <elver@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Link: https://lore.kernel.org/r/20250303092451.1862862-1-skb99@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit a52067c24ccf6ee4c85acffa0f155e9714f9adce ]
This reverts commit f590308536 ("timer debug: Hide kernel addresses via
%pK in /proc/timer_list")
The timer list helper SEQ_printf() uses either the real seq_printf() for
procfs output or vprintk() to print to the kernel log, when invoked from
SysRq-q. It uses %pK for printing pointers.
In the past %pK was preferred over %p as it would not leak raw pointer
values into the kernel log. Since commit ad67b74d24 ("printk: hash
addresses printed with %p") the regular %p has been improved to avoid this
issue.
Furthermore, restricted pointers ("%pK") were never meant to be used
through printk(). They can still unintentionally leak raw pointers or
acquire sleeping locks in atomic contexts.
Switch to the regular pointer formatting which is safer, easier to reason
about and sufficient here.
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/lkml/20250113171731-dc10e3c1-da64-4af0-b767-7c7070468023@linutronix.de/
Link: https://lore.kernel.org/all/20250311-restricted-pointers-timer-v1-1-6626b91e54ab@linutronix.de
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 61c39d8c83e2077f33e0a2c8980a76a7f323f0ce ]
Since:
0c1d7a2c2d ("lockdep: Remove softirq accounting on PREEMPT_RT.")
the wait context test for mutex usage within "in softirq context" fails
as it references @softirq_context:
                                 | wait context tests |
--------------------------------------------------------------------------
                                 | rcu  | raw  | spin |mutex |
--------------------------------------------------------------------------
               in hardirq context:  ok  |  ok  |  ok  |  ok  |
in hardirq context (not threaded):  ok  |  ok  |  ok  |  ok  |
               in softirq context:  ok  |  ok  |  ok  |FAILED|
As a fix, add lockdep map for BH disabled section. This fixes the
issue by letting us catch cases when local_bh_disable() gets called
with preemption disabled where local_lock doesn't get acquired.
In the case of "in softirq context" selftest, local_bh_disable() was
being called with preemption disabled as it's early in the boot.
[ boqun: Move the lockdep annotations into __local_bh_*() to avoid false
positives because of unpaired local_bh_disable() reported by
Borislav Petkov and Peter Zijlstra, and make bh_lock_map
only exist for PREEMPT_RT. ]
[ mingo: Restored authorship and improved the bh_lock_map definition. ]
Signed-off-by: Ryo Takakura <ryotkkr98@gmail.com>
Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Link: https://lore.kernel.org/r/20250321143322.79651-1-boqun.feng@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 196a062641fe68d9bfe0ad36b6cd7628c99ad22c ]
Binary printing functions are using printf() type of format, and compiler
is not happy about them as is:
kernel/trace/trace.c:3292:9: error: function ‘trace_vbprintk’ might be a candidate for ‘gnu_printf’ format attribute [-Werror=suggest-attribute=format]
kernel/trace/trace_seq.c:182:9: error: function ‘trace_seq_bprintf’ might be a candidate for ‘gnu_printf’ format attribute [-Werror=suggest-attribute=format]
Fix the compilation errors by adding __printf() attribute.
While at it, move existing __printf() attributes from the implementations
to the declarations. It also fixes incorrect attribute parameters that are
used for trace_array_printk().
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Kees Cook <kees@kernel.org>
Reviewed-by: Petr Mladek <pmladek@suse.com>
Link: https://lore.kernel.org/r/20250321144822.324050-4-andriy.shevchenko@linux.intel.com
Signed-off-by: Petr Mladek <pmladek@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 87c259a7a359e73e6c52c68fcbec79988999b4e6 ]
When adding folio_memcg function call in the zram module for
Android16-6.12, the following error occurs during compilation:
ERROR: modpost: "cgroup_mutex" [../soc-repo/zram.ko] undefined!
This error is caused by the indirect call to lockdep_is_held(&cgroup_mutex)
within folio_memcg. The export setting for cgroup_mutex is controlled by
the CONFIG_PROVE_RCU macro. If CONFIG_LOCKDEP is enabled while
CONFIG_PROVE_RCU is not, this compilation error will occur.
To resolve this issue, add a parallel macro CONFIG_LOCKDEP control to
ensure cgroup_mutex is properly exported when needed.
Signed-off-by: gao xu <gaoxu2@honor.com>
Acked-by: Michal Koutný <mkoutny@suse.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Changes in 6.1.140
binfmt: Fix whitespace issues
binfmt_elf: Support segments with 0 filesz and misaligned starts
binfmt_elf: elf_bss no longer used by load_elf_binary()
selftests/exec: load_address: conform test to TAP format output
binfmt_elf: Leave a gap between .bss and brk
selftests/exec: Build both static and non-static load_address tests
binfmt_elf: Calculate total_size earlier
binfmt_elf: Honor PT_LOAD alignment for static PIE
binfmt_elf: Move brk for static PIE even if ASLR disabled
platform/x86: asus-wmi: Fix wlan_ctrl_by_user detection
tracing: probes: Fix a possible race in trace_probe_log APIs
tpm: tis: Double the timeout B to 4s
iio: adc: ad7266: Fix potential timestamp alignment issue.
drm/amd: Stop evicting resources on APUs in suspend
drm/amdgpu: Fix the runtime resume failure issue
drm/amdgpu: trigger flr_work if reading pf2vf data failed
drm/amd: Add Suspend/Hibernate notification callback support
Revert "drm/amd: Stop evicting resources on APUs in suspend"
iio: adc: ad7768-1: Fix insufficient alignment of timestamp.
iio: chemical: sps30: use aligned_s64 for timestamp
clocksource/i8253: Use raw_spinlock_irqsave() in clockevent_i8253_disable()
RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug
HID: thrustmaster: fix memory leak in thrustmaster_interrupts()
HID: uclogic: Add NULL check in uclogic_input_configured()
nfs: handle failure of nfs_get_lock_context in unlock path
spi: loopback-test: Do not split 1024-byte hexdumps
net_sched: Flush gso_skb list too during ->change()
net: mctp: Ensure keys maintain only one ref to corresponding dev
net: cadence: macb: Fix a possible deadlock in macb_halt_tx.
net: dsa: sja1105: discard incoming frames in BR_STATE_LISTENING
nvme-pci: make nvme_pci_npages_prp() __always_inline
nvme-pci: acquire cq_poll_lock in nvme_poll_irqdisable
ALSA: sh: SND_AICA should depend on SH_DMA_API
net/mlx5e: Disable MACsec offload for uplink representor profile
qlcnic: fix memory leak in qlcnic_sriov_channel_cfg_cmd()
regulator: max20086: fix invalid memory access
octeontx2-pf: macsec: Fix incorrect max transmit size in TX secy
net/tls: fix kernel panic when alloc_page failed
NFSv4/pnfs: Reset the layout state after a layoutreturn
dmaengine: Revert "dmaengine: dmatest: Fix dmatest waiting less when interrupted"
LoongArch: Fix MAX_REG_OFFSET calculation
btrfs: fix discard worker infinite loop after disabling discard
drm/amd/display: Correct the reply value when AUX write incomplete
drm/amd/display: Avoid flooding unnecessary info messages
ACPI: PPTT: Fix processor subtable walk
ALSA: es1968: Add error handling for snd_pcm_hw_constraint_pow2()
ALSA: usb-audio: Add sample rate quirk for Audioengine D1
ALSA: usb-audio: Add sample rate quirk for Microdia JP001 USB Camera
dma-buf: insert memory barrier before updating num_fences
hv_netvsc: Use vmbus_sendpacket_mpb_desc() to send VMBus messages
hv_netvsc: Preserve contiguous PFN grouping in the page buffer array
hv_netvsc: Remove rmsg_pgcnt
Drivers: hv: Allow vmbus_sendpacket_mpb_desc() to create multiple ranges
Drivers: hv: vmbus: Remove vmbus_sendpacket_pagebuffer()
ftrace: Fix preemption accounting for stacktrace trigger command
ftrace: Fix preemption accounting for stacktrace filter command
tracing: samples: Initialize trace_array_printk() with the correct function
phy: Fix error handling in tegra_xusb_port_init
phy: renesas: rcar-gen3-usb2: Fix role detection on unbind/bind
phy: renesas: rcar-gen3-usb2: Set timing registers only once
scsi: sd_zbc: block: Respect bio vector limits for REPORT ZONES buffer
smb: client: fix memory leak during error handling for POSIX mkdir
wifi: mt76: disable napi on driver removal
net: qede: Initialize qede_ll_ops with designated initializer
dmaengine: ti: k3-udma: Add missing locking
dmaengine: ti: k3-udma: Use cap_mask directly from dma_device structure instead of a local copy
dmaengine: idxd: fix memory leak in error handling path of idxd_setup_wqs
dmaengine: idxd: fix memory leak in error handling path of idxd_setup_engines
dmaengine: idxd: fix memory leak in error handling path of idxd_setup_groups
dmaengine: idxd: Add missing cleanup for early error out in idxd_setup_internals
dmaengine: idxd: Add missing cleanups in cleanup internals
dmaengine: idxd: Add missing idxd cleanup to fix memory leak in remove call
dmaengine: idxd: fix memory leak in error handling path of idxd_alloc
dmaengine: idxd: fix memory leak in error handling path of idxd_pci_probe
usb: typec: ucsi: displayport: Fix deadlock
usb: typec: altmodes/displayport: create sysfs nodes as driver's default device attribute group
usb: typec: fix potential array underflow in ucsi_ccg_sync_control()
usb: typec: fix pm usage counter imbalance in ucsi_ccg_sync_control()
selftests/mm: compaction_test: support platform with huge mount of memory
mm/vmscan: fix a bug calling wakeup_kswapd() with a wrong zone index
riscv: mm: Fix the out of bound issue of vmemmap address
bpf, arm64: Fix trampoline for BPF_TRAMP_F_CALL_ORIG
bpf, arm64: Fix address emission with tag-based KASAN enabled
LoongArch: Explicitly specify code model in Makefile
hwpoison, memory_hotplug: lock folio before unmap hwpoisoned folio
sctp: add mutual exclusion in proc_sctp_do_udp_port()
btrfs: don't BUG_ON() when 0 reference count at btrfs_lookup_extent_info()
netfilter: nf_tables: pass nft_chain to destroy function, not nft_ctx
netfilter: nf_tables: wait for rcu grace period on net_device removal
netfilter: nf_tables: do not defer rule destruction via call_rcu
arm64/sme: Always exit sme_alloc() early with existing storage
platform/x86/amd/pmc: Only disable IRQ1 wakeup where i8042 actually enabled it
bnxt_en: Fix receive ring space parameters when XDP is active
ipv6: Fix potential uninit-value access in __ip6_make_skb()
ipv4: Fix uninit-value access in __ip_make_skb()
spi: cadence-qspi: fix pointer reference in runtime PM hooks
drm/amdgpu: fix pm notifier handling
x86/modules: Set VM_FLUSH_RESET_PERMS in module_alloc()
Linux 6.1.140
Change-Id: Ieb4e51eea0bf366d869913439bc2a4c35d77334c
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit e333332657f615ac2b55aa35565c4a882018bbe9 upstream.
When using the stacktrace trigger command to trace syscalls, the
preemption count was consistently reported as 1 when the system call
event itself had 0 (".").
For example:
root@ubuntu22-vm:/sys/kernel/tracing/events/syscalls/sys_enter_read
$ echo stacktrace > trigger
$ echo 1 > enable
sshd-416 [002] ..... 232.864910: sys_read(fd: a, buf: 556b1f3221d0, count: 8000)
sshd-416 [002] ...1. 232.864913: <stack trace>
=> ftrace_syscall_enter
=> syscall_trace_enter
=> do_syscall_64
=> entry_SYSCALL_64_after_hwframe
The root cause is that the trace framework disables preemption in __DO_TRACE before
invoking the trigger callback.
Use the tracing_gen_ctx_dec() that will accommodate for the increase of
the preemption count in __DO_TRACE when calling the callback. The result
is the accurate reporting of:
sshd-410 [004] ..... 210.117660: sys_read(fd: 4, buf: 559b725ba130, count: 40000)
sshd-410 [004] ..... 210.117662: <stack trace>
=> ftrace_syscall_enter
=> syscall_trace_enter
=> do_syscall_64
=> entry_SYSCALL_64_after_hwframe
Cc: stable@vger.kernel.org
Fixes: ce33c845b0 ("tracing: Dump stacktrace trigger to the corresponding instance")
Link: https://lore.kernel.org/20250512094246.1167956-1-dolinux.peng@gmail.com
Signed-off-by: pengdonglin <dolinux.peng@gmail.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit fd837de3c9cb1a162c69bc1fb1f438467fe7f2f5 ]
Since the shared trace_probe_log variable can be accessed and
modified via probe event create operation of kprobe_events,
uprobe_events, and dynamic_events, it should be protected.
In the dynamic_events, all operations are serialized by
`dyn_event_ops_mutex`. But kprobe_events and uprobe_events
interfaces are not serialized.
To solve this issue, introduce dyn_event_create(), which runs
create() operation under the mutex, for kprobe_events and
uprobe_events. This also uses lockdep to check the mutex is
held when using trace_probe_log* APIs.
Link: https://lore.kernel.org/all/174684868120.551552.3068655787654268804.stgit@devnote2/
Reported-by: Paul Cacheux <paulcacheux@gmail.com>
Closes: https://lore.kernel.org/all/20250510074456.805a16872b591e2971a4d221@kernel.org/
Fixes: ab105a4fb8 ("tracing: Use tracing error_log with probe events")
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
To modify priority of specific tasks, add the vendor hook in __setscheduler_prio
Bug: 409176857
Change-Id: Id5a2309378f1a8c3ecc1de71c20f44f73b3f7557
Signed-off-by: Chungkai Mei <chungkai@google.com>
Changes in 6.1.139
dm: add missing unlock on in dm_keyslot_evict()
arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2
can: mcan: m_can_class_unregister(): fix order of unregistration calls
can: mcp251xfd: mcp251xfd_remove(): fix order of unregistration calls
ksmbd: prevent out-of-bounds stream writes by validating *pos
openvswitch: Fix unsafe attribute parsing in output_userspace()
ksmbd: fix memory leak in parse_lease_state()
sch_htb: make htb_deactivate() idempotent
gre: Fix again IPv6 link-local address generation.
can: mcp251xfd: fix TDC setting for low data bit rates
rcu/kvfree: Add kvfree_rcu_mightsleep() and kfree_rcu_mightsleep()
can: gw: fix RCU/BH usage in cgw_create_job()
ipv4: Drop tos parameter from flowi4_update_output()
ipvs: fix uninit-value for saddr in do_output_route4
netfilter: ipset: fix region locking in hash types
bpf: Scrub packet on bpf_redirect_peer
net: dsa: b53: allow leaky reserved multicast
net: dsa: b53: fix clearing PVID of a port
net: dsa: b53: fix flushing old pvid VLAN on pvid change
net: dsa: b53: fix VLAN ID for untagged vlan on bridge leave
net: dsa: b53: always rejoin default untagged VLAN on bridge leave
net: dsa: b53: fix learning on VLAN unaware bridges
Input: mtk-pmic-keys - fix possible null pointer dereference
Input: synaptics - enable InterTouch on Dynabook Portege X30-D
Input: synaptics - enable InterTouch on Dynabook Portege X30L-G
Input: synaptics - enable InterTouch on Dell Precision M3800
Input: synaptics - enable SMBus for HP Elitebook 850 G1
Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5
staging: iio: adc: ad7816: Correct conditional logic for store mode
staging: axis-fifo: Remove hardware resets for user errors
staging: axis-fifo: Correct handling of tx_fifo_depth for size validation
x86/mm: Eliminate window where TLB flushes may be inadvertently skipped
drm/amd/display: Shift DMUB AUX reply command if necessary
iio: adc: ad7606: fix serial register access
iio: adis16201: Correct inclinometer channel resolution
iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo
iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo
drm/v3d: Add job to pending list if the reset was skipped
drm/amd/display: Fix the checking condition in dmub aux handling
drm/amd/display: Remove incorrect checking in dmub aux handler
drm/amd/display: Fix wrong handling for AUX_DEFER case
drm/amd/display: Copy AUX read reply data whenever length > 0
drm/amdgpu/hdp5.2: use memcfg register to post the write for HDP flush
usb: uhci-platform: Make the clock really optional
xenbus: Use kref to track req lifetime
module: ensure that kobject_put() is safe for module type kobjects
ocfs2: switch osb->disable_recovery to enum
ocfs2: implement handshaking with ocfs2 recovery thread
ocfs2: stop quota recovery before disabling quotas
usb: cdnsp: Fix issue with resuming from L1
usb: cdnsp: fix L1 resume issue for RTL_REVISION_NEW_LPM version
usb: gadget: tegra-xudc: ACK ST_RC after clearing CTRL_RUN
usb: host: tegra: Prevent host controller crash when OTG port is used
usb: typec: tcpm: delay SNK_TRY_WAIT_DEBOUNCE to SRC_TRYWAIT transition
usb: typec: ucsi: displayport: Fix NULL pointer access
USB: usbtmc: use interruptible sleep in usbtmc_read
usb: usbtmc: Fix erroneous get_stb ioctl error returns
usb: usbtmc: Fix erroneous wait_srq ioctl return
usb: usbtmc: Fix erroneous generic_read ioctl return
iio: accel: adxl367: fix setting odr for activity time update
iio: temp: maxim-thermocouple: Fix potential lack of DMA safe buffer.
types: Complement the aligned types with signed 64-bit one
iio: accel: adxl355: Make timestamp 64-bit aligned using aligned_s64
iio: adc: dln2: Use aligned_s64 for timestamp
MIPS: Fix MAX_REG_OFFSET
drm/panel: simple: Update timings for AUO G101EVN010
nvme: unblock ctrl state transition for firmware update
do_umount(): add missing barrier before refcount checks in sync case
io_uring: always arm linked timeouts prior to issue
io_uring: ensure deferred completions are posted for multishot
Revert "net: phy: microchip: force IRQ polling mode for lan88xx"
arm64: insn: Add support for encoding DSB
arm64: proton-pack: Expose whether the platform is mitigated by firmware
arm64: proton-pack: Expose whether the branchy loop k value
arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs
arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users
arm64: proton-pack: Add new CPUs 'k' values for branch mitigation
x86/bpf: Call branch history clearing sequence on exit
x86/bpf: Add IBHF call at end of classic BPF
x86/bhi: Do not set BHI_DIS_S in 32-bit mode
x86/speculation: Simplify and make CALL_NOSPEC consistent
x86/speculation: Add a conditional CS prefix to CALL_NOSPEC
x86/speculation: Remove the extra #ifdef around CALL_NOSPEC
Documentation: x86/bugs/its: Add ITS documentation
x86/its: Enumerate Indirect Target Selection (ITS) bug
x86/its: Add support for ITS-safe indirect thunk
x86/its: Add support for ITS-safe return thunk
x86/its: Enable Indirect Target Selection mitigation
x86/its: Add "vmexit" option to skip mitigation on some CPUs
x86/its: Align RETs in BHB clear sequence to avoid thunking
x86/ibt: Keep IBT disabled during alternative patching
x86/its: Use dynamic thunks for indirect branches
x86/its: Fix build errors when CONFIG_MODULES=n
x86/alternative: Optimize returns patching
x86/alternatives: Remove faulty optimization
x86/its: FineIBT-paranoid vs ITS
Linux 6.1.139
Change-Id: I64c25bda7e5f9cf5ae0806bf2e72c053ee4e4c38
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
perf always allocates contiguous AUX pages based on aux_watermark.
However, this contiguous allocation doesn't benefit all PMUs. For
instance, ARM SPE and TRBE operate with virtual pages, and Coresight
ETR allocates a separate buffer. For these PMUs, allocating contiguous
AUX pages unnecessarily exacerbates memory fragmentation. This
fragmentation can prevent their use on long-running devices.
This patch modifies the perf driver to be memory-friendly by default,
by allocating non-contiguous AUX pages. For PMUs requiring contiguous
pages (Intel BTS and some Intel PT), the existing
PERF_PMU_CAP_AUX_NO_SG capability can be used. For PMUs that don't
require but can benefit from contiguous pages (some Intel PT), a new
capability, PERF_PMU_CAP_AUX_PREFER_LARGE, is added to maintain their
existing behavior.
Bug: 393467632
(cherry picked from commit 18049c8cff9cc89daadc4df6975f7d9069638926
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git perf/core)
Change-Id: Iaff554201726bf271c7625a6df59fb35c6cfbc5d
Signed-off-by: Yabin Cui <yabinc@google.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Reviewed-by: James Clark <james.clark@linaro.org>
Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Link: https://lore.kernel.org/r/20250508232642.148767-1-yabinc@google.com
Changes in 6.1.138
Revert "rndis_host: Flag RNDIS modems as WWAN devices"
ALSA: usb-audio: Add second USB ID for Jabra Evolve 65 headset
drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill()
EDAC/altera: Test the correct error reg offset
EDAC/altera: Set DDR and SDMMC interrupt mask before registration
i2c: imx-lpi2c: Fix clock count when probe defers
arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays
parisc: Fix double SIGFPE crash
perf/x86/intel: KVM: Mask PEBS_ENABLE loaded for guest with vCPU's value.
amd-xgbe: Fix to ensure dependent features are toggled with RX checksum offload
irqchip/qcom-mpm: Prevent crash when trying to handle non-wake GPIOs
mmc: renesas_sdhi: Fix error handling in renesas_sdhi_probe
wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage()
dm-integrity: fix a warning on invalid table line
dm: always update the array size in realloc_argv on success
iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid
iommu/vt-d: Apply quirk_iommu_igfx for 8086:0044 (QM57/QS57)
platform/x86/intel-uncore-freq: Fix missing uncore sysfs during CPU hotplug
ksmbd: fix use-after-free in kerberos authentication
cpufreq: Avoid using inconsistent policy->min and policy->max
cpufreq: Fix setting policy limits when frequency tables are used
tracing: Fix oob write in trace_seq_to_buffer()
xfs: fix error returns from xfs_bmapi_write
xfs: fix xfs_bmap_add_extent_delay_real for partial conversions
xfs: remove a racy if_bytes check in xfs_reflink_end_cow_extent
xfs: require XFS_SB_FEAT_INCOMPAT_LOG_XATTRS for attr log intent item recovery
xfs: check opcode and iovec count match in xlog_recover_attri_commit_pass2
xfs: validate recovered name buffers when recovering xattr items
xfs: revert commit 44af6c7e59
xfs: match lock mode in xfs_buffered_write_iomap_begin()
xfs: make the seq argument to xfs_bmapi_convert_delalloc() optional
xfs: make xfs_bmapi_convert_delalloc() to allocate the target offset
xfs: convert delayed extents to unwritten when zeroing post eof blocks
xfs: allow symlinks with short remote targets
xfs: make sure sb_fdblocks is non-negative
xfs: fix freeing speculative preallocations for preallocated files
xfs: allow unlinked symlinks and dirs with zero size
xfs: restrict when we try to align cow fork delalloc to cowextsz hints
KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop
dm-bufio: don't schedule in atomic context
ASoC: soc-pcm: Fix hw_params() and DAPM widget sequence
wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release
vxlan: vnifilter: Fix unlocked deletion of default FDB entry
net/mlx5: E-Switch, Initialize MAC Address for Default GID
net/mlx5: E-switch, Fix error handling for enabling roce
net: mscc: ocelot: treat 802.1ad tagged traffic as 802.1Q-untagged
net: mscc: ocelot: delete PVID VLAN when readding it as non-PVID
net: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx poll
net: ethernet: mtk-star-emac: rearm interrupts in rx_poll only when advised
net_sched: drr: Fix double list add in class with netem as child qdisc
net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc
net_sched: ets: Fix double list add in class with netem as child qdisc
net_sched: qfq: Fix double list add in class with netem as child qdisc
ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr()
net: dlink: Correct endianness handling of led_mode
net: dsa: felix: fix broken taprio gate states after clock jump
net: ipv6: fix UDPv6 GSO segmentation with NAT
bnxt_en: Fix coredump logic to free allocated buffer
bnxt_en: Fix out-of-bound memcpy() during ethtool -w
bnxt_en: Fix ethtool -d byte order for 32-bit values
nvme-tcp: fix premature queue removal and I/O failover
net: lan743x: Fix memleak issue when GSO enabled
net: fec: ERR007885 Workaround for conventional TX
net: hns3: store rx VLAN tag offload state for VF
net: hns3: fix an interrupt residual problem
net: hns3: fixed debugfs tm_qset size
net: hns3: defer calling ptp_clock_register()
net: vertexcom: mse102x: Fix possible stuck of SPI interrupt
net: vertexcom: mse102x: Fix LEN_MASK
net: vertexcom: mse102x: Add range check for CMD_RTS
net: vertexcom: mse102x: Fix RX error handling
md: move initialization and destruction of 'io_acct_set' to md.c
PCI: imx6: Skip controller_id generation logic for i.MX7D
sch_htb: make htb_qlen_notify() idempotent
sch_drr: make drr_qlen_notify() idempotent
sch_hfsc: make hfsc_qlen_notify() idempotent
sch_qfq: make qfq_qlen_notify() idempotent
sch_ets: make est_qlen_notify() idempotent
Revert "x86/kexec: Allocate PGD for x86_64 transition page tables separately"
firmware: arm_scmi: Balance device refcount when destroying devices
firmware: arm_ffa: Skip Rx buffer ownership release if not acquired
ARM: dts: opos6ul: add ksz8081 phy properties
net: phy: microchip: force IRQ polling mode for lan88xx
Revert "drm/meson: vclk: fix calculation of 59.94 fractional rates"
irqchip/gic-v2m: Mark a few functions __init
irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode()
dm: fix copying after src array boundaries
iommu/arm-smmu-v3: Use the new rb tree helpers
iommu/arm-smmu-v3: Fix iommu_device_probe bug due to duplicated stream ids
drm/amd/display: phase2 enable mst hdcp multiple displays
drm/amd/display: Clean up style problems in amdgpu_dm_hdcp.c
drm/amd/display: Change HDCP update sequence for DM
drm/amd/display: Add scoped mutexes for amdgpu_dm_dhcp
drm/amd/display: Fix slab-use-after-free in hdcp
ASoC: Use of_property_read_bool()
ASoC: soc-core: Stop using of_property_read_bool() for non-boolean properties
Linux 6.1.138
Change-Id: I8f925d0c86ef5afce8775e0a7d2a2ba4bf287427
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit f5178c41bb43444a6008150fe6094497135d07cb upstream.
syzbot reported this bug:
==================================================================
BUG: KASAN: slab-out-of-bounds in trace_seq_to_buffer kernel/trace/trace.c:1830 [inline]
BUG: KASAN: slab-out-of-bounds in tracing_splice_read_pipe+0x6be/0xdd0 kernel/trace/trace.c:6822
Write of size 4507 at addr ffff888032b6b000 by task syz.2.320/7260
CPU: 1 UID: 0 PID: 7260 Comm: syz.2.320 Not tainted 6.15.0-rc1-syzkaller-00301-g3bde70a2c827 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xc3/0x670 mm/kasan/report.c:521
kasan_report+0xe0/0x110 mm/kasan/report.c:634
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189
__asan_memcpy+0x3c/0x60 mm/kasan/shadow.c:106
trace_seq_to_buffer kernel/trace/trace.c:1830 [inline]
tracing_splice_read_pipe+0x6be/0xdd0 kernel/trace/trace.c:6822
....
==================================================================
It has been reported that trace_seq_to_buffer() tries to copy more data
than PAGE_SIZE to buf. Therefore, to prevent this, we should use the
smaller of trace_seq_used(&iter->seq) and PAGE_SIZE as an argument.
Link: https://lore.kernel.org/20250422113026.13308-1-aha310510@gmail.com
Reported-by: syzbot+c8cd2d2c412b868263fb@syzkaller.appspotmail.com
Fixes: 3c56819b14 ("tracing: splice support for tracing_pipe")
Suggested-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
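A user-space model of the bound described in the commit message above, added here as an illustration and not taken from the kernel patch. The model_* names, the 4 KiB page size and the 8 KiB sequence capacity are assumptions; 4507 is the write size quoted in the KASAN report. The destination is two pages long with a canary in the second, so the unclamped copy can be measured without leaving the allocation.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MODEL_PAGE_SIZE 4096u  /* assumption: 4 KiB destination page */
#define MODEL_SEQ_CAP   8192u  /* assumption: sequence buffer larger than a page */
#define REPORTED_WRITE  4507u  /* write size quoted in the KASAN report */
#define CANARY          0xA5   /* fill byte for the guard page */

/* Hypothetical stand-in for the trace sequence buffer. */
struct model_seq {
    char   buffer[MODEL_SEQ_CAP];
    size_t len;      /* bytes produced so far */
    size_t readpos;  /* bytes already consumed */
};

static size_t model_seq_used(const struct model_seq *s)
{
    return s->len < MODEL_SEQ_CAP ? s->len : MODEL_SEQ_CAP;
}

/*
 * Copies up to cnt unread bytes into buf. The copy is bounded only by what
 * the source holds; the caller is trusted to pass a cnt that fits in buf.
 */
static size_t model_seq_to_buffer(struct model_seq *s, void *buf, size_t cnt)
{
    size_t used = model_seq_used(s);
    size_t avail;

    if (used <= s->readpos)
        return 0;
    avail = used - s->readpos;
    if (cnt > avail)
        cnt = avail;
    memcpy(buf, s->buffer + s->readpos, cnt);
    s->readpos += cnt;
    return cnt;
}

static size_t min_size(size_t a, size_t b)
{
    return a < b ? a : b;
}

struct splice_result {
    size_t copied;     /* bytes written starting at the destination page */
    size_t clobbered;  /* guard-page bytes overwritten past the page */
    size_t unread;     /* bytes left in the sequence for a later page */
};

/*
 * Fills one destination page from a sequence holding REPORTED_WRITE bytes.
 * clamp_to_page == 0: cnt is the full used length (the pattern the report hit).
 * clamp_to_page != 0: cnt is min(used, page size), as the commit describes.
 */
static struct splice_result model_splice_one_page(int clamp_to_page)
{
    static struct model_seq seq;
    static unsigned char arena[2 * MODEL_PAGE_SIZE]; /* page + guard page */
    struct splice_result r = {0, 0, 0};
    size_t cnt, i;

    memset(seq.buffer, 'x', sizeof(seq.buffer)); /* constructed sample data */
    seq.len = REPORTED_WRITE;
    seq.readpos = 0;
    memset(arena, CANARY, sizeof(arena));

    cnt = model_seq_used(&seq);
    if (clamp_to_page)
        cnt = min_size(cnt, MODEL_PAGE_SIZE);

    r.copied = model_seq_to_buffer(&seq, arena, cnt);
    for (i = MODEL_PAGE_SIZE; i < sizeof(arena); i++)
        if (arena[i] != CANARY)
            r.clobbered++;
    r.unread = model_seq_used(&seq) - seq.readpos;
    return r;
}

int main(void)
{
    struct splice_result before = model_splice_one_page(0);
    struct splice_result after = model_splice_one_page(1);

    printf("unclamped: copied=%zu past-page=%zu unread=%zu\n",
           before.copied, before.clobbered, before.unread);
    printf("clamped:   copied=%zu past-page=%zu unread=%zu\n",
           after.copied, after.clobbered, after.unread);
    return 0;
}
```

With the clamp, the bytes that do not fit stay in the sequence (readpos only advances by what was copied) instead of landing past the end of the page.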
If dup_mmap() encounters an issue, currently uprobe is able to access the
relevant mm via the reverse mapping (in build_map_info()), and if we are
very unlucky with a race window, observe invalid XA_ZERO_ENTRY state which
we establish as part of the fork error path.
This occurs because uprobe_write_opcode() invokes anon_vma_prepare() which
in turn invokes find_mergeable_anon_vma() that uses a VMA iterator,
invoking vma_iter_load() which uses the advanced maple tree API and thus
is able to observe XA_ZERO_ENTRY entries added to dup_mmap() in commit
d24062914837 ("fork: use __mt_dup() to duplicate maple tree in
dup_mmap()").
This change was made on the assumption that only process tear-down code
would actually observe (and make use of) these values. However this very
unlikely but still possible edge case with uprobes exists and
unfortunately does make these observable.
The uprobe operation prevents races against the dup_mmap() operation via
the dup_mmap_sem semaphore, which is acquired via uprobe_start_dup_mmap()
and dropped via uprobe_end_dup_mmap(), and held across
register_for_each_vma() prior to invoking build_map_info() which does the
reverse mapping lookup.
Currently these are acquired and dropped within dup_mmap(), which exposes
the race window prior to error handling in the invoking dup_mm() which
tears down the mm.
We can avoid all this by just moving the invocation of
uprobe_start_dup_mmap() and uprobe_end_dup_mmap() up a level to dup_mm()
and only release this lock once the dup_mmap() operation succeeds or clean
up is done.
This means that the uprobe code can never observe an incompletely
constructed mm and resolves the issue in this case.
Bug: 254441685
Link: https://lkml.kernel.org/r/20241210172412.52995-1-lorenzo.stoakes@oracle.com
Fixes: d24062914837 ("fork: use __mt_dup() to duplicate maple tree in dup_mmap()")
Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Reported-by: syzbot+2d788f4f7cb660dac4b7@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/6756d273.050a0220.2477f.003d.GAE@google.com/
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Ian Rogers <irogers@google.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jann Horn <jannh@google.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Liam R. Howlett <Liam.Howlett@Oracle.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Peng Zhang <zhangpeng.00@bytedance.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: David Hildenbrand <david@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
(cherry picked from commit 8ac662f5da19f5873fdd94c48a5cdb45b2e1b58f)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I915ed6b4f49d63d0d629dd8e9247d4684c664f3a
Patch series "fork: do not expose incomplete mm on fork".
During fork we may place the virtual memory address space into an
inconsistent state before the fork operation is complete.
In addition, we may encounter an error during the fork operation that
indicates that the virtual memory address space is invalidated.
As a result, we should not be exposing it in any way to external machinery
that might interact with the mm or VMAs, machinery that is not designed to
deal with incomplete state.
We specifically update the fork logic to defer khugepaged and ksm to the
end of the operation and only to be invoked if no error arose, and
disallow uffd from observing fork events should an error have occurred.
This patch (of 2):
Currently on fork we expose the virtual address space of a process to
userland unconditionally if uffd is registered in VMAs, regardless of
whether an error arose in the fork.
This is performed in dup_userfaultfd_complete() which is invoked
unconditionally, and performs two duties - invoking registered handlers
for the UFFD_EVENT_FORK event via dup_fctx(), and clearing down
userfaultfd_fork_ctx objects established in dup_userfaultfd().
This is problematic, because the virtual address space may not yet be
correctly initialised if an error arose.
The change in commit d24062914837 ("fork: use __mt_dup() to duplicate
maple tree in dup_mmap()") makes this more pertinent as we may be in a
state where entries in the maple tree are not yet consistent.
We address this by, on fork error, ensuring that we roll back state that
we would otherwise expect to clean up through the event being handled by
userland and perform the memory freeing duty otherwise performed by
dup_userfaultfd_complete().
We do this by implementing a new function, dup_userfaultfd_fail(), which
performs the same loop, only decrementing reference counts.
Note that we perform mmgrab() on the parent and child mm's, however
userfaultfd_ctx_put() will mmdrop() this once the reference count drops to
zero, so we will avoid memory leaks correctly here.
Bug: 254441685
Link: https://lkml.kernel.org/r/cover.1729014377.git.lorenzo.stoakes@oracle.com
Link: https://lkml.kernel.org/r/d3691d58bb58712b6fb3df2be441d175bd3cdf07.1729014377.git.lorenzo.stoakes@oracle.com
Fixes: d24062914837 ("fork: use __mt_dup() to duplicate maple tree in dup_mmap()")
Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Reported-by: Jann Horn <jannh@google.com>
Reviewed-by: Jann Horn <jannh@google.com>
Reviewed-by: Liam R. Howlett <Liam.Howlett@Oracle.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Jan Kara <jack@suse.cz>
Cc: Linus Torvalds <torvalds@linuxfoundation.org>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
(cherry picked from commit f64e67e5d3a45a4a04286c47afade4b518acd47b)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I9c2f774a0f4a0a75729b86c77c627fb38b8bb17b
In order to have better compatibility with the Android build method,
the configurations for Bifrost and Valhall GPUs for GKI build
are respectively deployed in the aforementioned config files.
Change-Id: Id99944e8fa17c986e585855d86b3c8eddec3b906
Signed-off-by: Zhen Chen <chenzhen@rock-chips.com>
This reverts commit 7c2f874c63 which is
commit f3b93547b91ad849b58eb5ab2dd070950ad7beb3 upstream.
It breaks the Android kernel build as BoringSSL can only sign with SHA1
for this Android branch, and we do not want to break the ABI by changing
the module signing process in this stable kernel branch.
It was only added upstream by Greg to get his ARM64 stable builds to
compile properly on the latest version of Fedora, which did NOT like to
sign with SHA1, so blame him :)
Bug: 161946584
Change-Id: I4901a37dd9ac4bdd54a712331e1288053f0d9fb9
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Changes in 6.1.136
module: sign with sha512 instead of sha1 by default
tracing: Add __cpumask to denote a trace event field that is a cpumask_t
tracing: Fix cpumask() example typo
tracing: Add __string_len() example
tracing: Add __print_dynamic_array() helper
tracing: Verify event formats that have "%*p.."
auxdisplay: hd44780: Convert to platform remove callback returning void
auxdisplay: hd44780: Fix an API misuse in hd44780.c
net: dsa: mv88e6xxx: don't dispose of Global2 IRQ mappings from mdiobus code
net: dsa: add support for mac_prepare() and mac_finish() calls
net: dsa: mv88e6xxx: move link forcing to mac_prepare/mac_finish
net: dsa: mv88e6xxx: pass directly chip structure to mv88e6xxx_phy_is_internal
net: dsa: mv88e6xxx: add field to specify internal phys layout
net: dsa: mv88e6xxx: fix internal PHYs for 6320 family
net: dsa: mv88e6xxx: fix VTU methods for 6320 family
iio: adc: ad7768-1: Move setting of val a bit later to avoid unnecessary return value check
iio: adc: ad7768-1: Fix conversion result sign
backlight: led_bl: Convert to platform remove callback returning void
backlight: led_bl: Hold led_access lock when calling led_sysfs_disable()
clk: renesas: rzg2l: Use u32 for flag and mux_flags
clk: renesas: rzg2l: Add struct clk_hw_data
clk: renesas: rzg2l: Remove CPG_SDHI_DSEL from generic header
clk: renesas: rzg2l: Refactor SD mux driver
clk: renesas: r9a07g04[34]: Use SEL_SDHI1_STS status configuration for SD1 mux
clk: renesas: r9a07g04[34]: Fix typo for sel_shdi variable
clk: renesas: r9a07g043: Fix HP clock source for RZ/Five
of: resolver: Simplify of_resolve_phandles() using __free()
of: resolver: Fix device node refcount leakage in of_resolve_phandles()
PCI: Assign PCI domain IDs by ida_alloc()
PCI: Fix reference leak in pci_register_host_bridge()
phy: freescale: imx8m-pcie: Add i.MX8MP PCIe PHY support
phy: freescale: imx8m-pcie: assert phy reset and perst in power off
ASoC: qcom: q6dsp: add support to more display ports
ASoC: qcom: Fix sc7280 lpass potential buffer overflow
selftests/mm: generate a temporary mountpoint for cgroup filesystem
dma/contiguous: avoid warning about unused size_bytes
cpufreq: scmi: Fix null-ptr-deref in scmi_cpufreq_get_rate()
cpufreq: scpi: Fix null-ptr-deref in scpi_cpufreq_get_rate()
cpufreq: cppc: Fix invalid return value in .get() callback
btrfs: avoid page_lockend underflow in btrfs_punch_hole_lock_range()
scsi: core: Clear flags for scsi_cmnd that did not complete
net: lwtunnel: disable BHs when required
net: phy: leds: fix memory leak
tipc: fix NULL pointer dereference in tipc_mon_reinit_self()
net_sched: hfsc: Fix a UAF vulnerability in class handling
net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too
iommu/amd: Return an error if vCPU affinity is set for non-vCPU IRTE
perf/x86: Fix non-sampling (counting) events on certain x86 platforms
LoongArch: Select ARCH_USE_MEMTEST
LoongArch: Make regs_irqs_disabled() more clear
wifi: mac80211: export ieee80211_purge_tx_queue() for drivers
wifi: rtw88: use ieee80211_purge_tx_queue() to purge TX skb
virtio_console: fix missing byte order handling for cols and rows
xen-netfront: handle NULL returned by xdp_convert_buff_to_frame()
net: selftests: initialize TCP header and skb payload with zero
drm/amd/display: Fix gpu reset in multidisplay config
drm/amd/display: Force full update in gpu reset
LoongArch: Return NULL from huge_pte_offset() for invalid PMD
LoongArch: Remove a bogus reference to ZONE_DMA
KVM: SVM: Allocate IR data using atomic allocation
mcb: fix a double free bug in chameleon_parse_gdd()
USB: storage: quirk for ADATA Portable HDD CH94
mei: me: add panther lake H DID
KVM: x86: Explicitly treat routing entry type changes as changes
KVM: x86: Reset IRTE to host control if *new* route isn't postable
misc: microchip: pci1xxxx: Fix Kernel panic during IRQ handler registration
misc: microchip: pci1xxxx: Fix incorrect IRQ status handling during ack
serial: msm: Configure correct working mode before starting earlycon
serial: sifive: lock port in startup()/shutdown() callbacks
USB: serial: ftdi_sio: add support for Abacus Electrics Optical Probe
USB: serial: option: add Sierra Wireless EM9291
USB: serial: simple: add OWON HDS200 series oscilloscope support
usb: cdns3: Fix deadlock when using NCM gadget
usb: chipidea: ci_hdrc_imx: fix usbmisc handling
usb: chipidea: ci_hdrc_imx: fix call balance of regulator routines
usb: chipidea: ci_hdrc_imx: implement usb_phy_init() error handling
USB: OHCI: Add quirk for LS7A OHCI controller (rev 0x02)
usb: dwc3: gadget: check that event count does not exceed event buffer length
usb: dwc3: xilinx: Prevent spike in reset signal
usb: quirks: add DELAY_INIT quirk for Silicon Motion Flash Drive
usb: quirks: Add delay init quirk for SanDisk 3.2Gen1 Flash Drive
USB: VLI disk crashes if LPM is used
USB: wdm: handle IO errors in wdm_wwan_port_start
USB: wdm: close race between wdm_open and wdm_wwan_port_stop
USB: wdm: wdm_wwan_port_tx_complete mutex in atomic context
USB: wdm: add annotation
pinctrl: renesas: rza2: Fix potential NULL pointer dereference
MIPS: cm: Detect CM quirks from device tree
crypto: null - Use spin lock instead of mutex
bpf: Fix deadlock between rcu_tasks_trace and event_mutex.
clk: check for disabled clock-provider in of_clk_get_hw_from_clkspec()
parisc: PDT: Fix missing prototype warning
s390/sclp: Add check for get_zeroed_page()
s390/tty: Fix a potential memory leak bug
usb: host: max3421-hcd: Add missing spi_device_id table
fs/ntfs3: Fix WARNING in ntfs_extend_initialized_size
usb: dwc3: gadget: Refactor loop to avoid NULL endpoints
usb: dwc3: gadget: Avoid using reserved endpoints on Intel Merrifield
sound/virtio: Fix cancel_sync warnings on uninitialized work_structs
dmaengine: dmatest: Fix dmatest waiting less when interrupted
usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems Running
usb: gadget: aspeed: Add NULL pointer check in ast_vhub_init_dev()
usb: host: xhci-plat: mvebu: use ->quirks instead of ->init_quirk() func
thunderbolt: Scan retimers after device router has been enumerated
objtool: Silence more KCOV warnings
objtool, ASoC: codecs: wcd934x: Remove potential undefined behavior in wcd934x_slim_irq_handler()
objtool, lkdtm: Obfuscate the do_nothing() pointer
qibfs: fix _another_ leak
ntb: reduce stack usage in idt_scan_mws
ntb_hw_amd: Add NTB PCI ID for new gen CPU
9p/net: fix improper handling of bogus negative read/write replies
rtc: pcf85063: do a SW reset if POR failed
sched/isolation: Make CONFIG_CPU_ISOLATION depend on CONFIG_SMP
KVM: s390: Don't use %pK through tracepoints
udmabuf: fix a buf size overflow issue during udmabuf creation
selftests: ublk: fix test_stripe_04
xen: Change xen-acpi-processor dom0 dependency
nvme: requeue namespace scan on missed AENs
ACPI: EC: Set ec_no_wakeup for Lenovo Go S
ACPI PPTT: Fix coding mistakes in a couple of sizeof() calls
nvme: re-read ANA log page after ns scan completes
objtool: Stop UNRET validation on UD2
selftests/mincore: Allow read-ahead pages to reach the end of the file
x86/bugs: Use SBPB in write_ibpb() if applicable
x86/bugs: Don't fill RSB on VMEXIT with eIBRS+retpoline
x86/bugs: Don't fill RSB on context switch with eIBRS
nvmet-fc: take tgtport reference only once
nvmet-fc: put ref when assoc->del_work is already scheduled
ext4: make block validity check resistent to sb bh corruption
scsi: hisi_sas: Fix I/O errors caused by hardware port ID changes
scsi: ufs: exynos: Ensure pre_link() executes before exynos_ufs_phy_init()
scsi: pm80xx: Set phy_attached to zero when device is gone
x86/i8253: Call clockevent_i8253_disable() with interrupts disabled
loop: aio inherit the ioprio of original request
spi: tegra210-quad: use WARN_ON_ONCE instead of WARN_ON for timeouts
spi: tegra210-quad: add rate limiting and simplify timeout error message
ubsan: Fix panic from test_ubsan_out_of_bounds
md/raid1: Add check for missing source disk in process_checks()
spi: spi-imx: Add check for spi_imx_setupxfer()
of: module: add buffer overflow check in of_modalias()
jfs: define xtree root and page independently
comedi: jr3_pci: Fix synchronous deletion of timer
crypto: atmel-sha204a - Set hwrng quality to lowest possible
net/sched: act_mirred: don't override retval if we already lost the skb
net: dsa: mv88e6xxx: fix atu_move_port_mask for 6341 family
net: dsa: mv88e6xxx: enable PVT for 6321 switch
net: dsa: mv88e6xxx: enable .port_set_policy() for 6320 family
net: dsa: mv88e6xxx: enable STU methods for 6320 family
xdp: Reset bpf_redirect_info before running a xdp's BPF prog.
MIPS: cm: Fix warning if MIPS_CM is disabled
nvme: fixup scan failure for non-ANA multipath controllers
phy: freescale: imx8m-pcie: Do CMN_RST just before PHY PLL lock check
phy: freescale: imx8m-pcie: Add one missing error return
tracing: Remove pointer (asterisk) and brackets from cpumask_t field
PCI: Fix use-after-free in pci_bus_release_domain_nr()
ASoC: qcom: q6afe-dai: fix Display Port Playback stream name
objtool: Silence more KCOV warnings, part 2
Linux 6.1.136
Change-Id: I0649fe0aedec1cc3666200fb579b48f449380179
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit d9a807fb7c which is
commit 28ead3eaabc16ecc907cfb71876da028080f6356 upstream.
It breaks the Android kernel abi and can be brought back in the future
in an abi-safe way if it is really needed.
Bug: 161946584
Change-Id: I8a5f9e59898eb41170e6562631ac23ab81f1271c
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[ Upstream commit 4580f4e0ebdf8dc8d506ae926b88510395a0c1d1 ]
Fix the following deadlock:
CPU A
_free_event()
  perf_kprobe_destroy()
    mutex_lock(&event_mutex)
      perf_trace_event_unreg()
        synchronize_rcu_tasks_trace()
There are several paths where _free_event() grabs event_mutex
and calls sync_rcu_tasks_trace. Above is one such case.
CPU B
bpf_prog_test_run_syscall()
  rcu_read_lock_trace()
    bpf_prog_run_pin_on_cpu()
      bpf_prog_load()
        bpf_tracing_func_proto()
          trace_set_clr_event()
            mutex_lock(&event_mutex)
Delegate trace_set_clr_event() to workqueue to avoid
such lock dependency.
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Acked-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/20250224221637.4780-1-alexei.starovoitov@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit d7b98ae5221007d3f202746903d4c21c7caf7ea9 ]
When building with W=1, this variable is unused for configs with
CONFIG_CMA_SIZE_SEL_PERCENTAGE=y:
kernel/dma/contiguous.c:67:26: error: 'size_bytes' defined but not used [-Werror=unused-const-variable=]
Change this to a macro to avoid the warning.
Fixes: c64be2bb1c ("drivers: add Contiguous Memory Allocator")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Link: https://lore.kernel.org/r/20250409151557.3890443-1-arnd@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit ea8d7647f9ddf1f81e2027ed305299797299aa03 ]
The trace event verifier checks the formats of trace events to make sure
that they do not point at memory that is not in the trace event itself or
in data that will never be freed. If an event references data that was
allocated when the event triggered and that same data is freed before the
event is read, then the kernel can crash by reading freed memory.
The verifier runs at boot up (or module load) and scans the print formats
of the events and checks their arguments to make sure that dereferenced
pointers are safe. If the format uses "%*p.." the verifier will ignore it,
and that could be dangerous. Cover this case as well.
Also add to the sample code a use case of "%*pbl".
Link: https://lore.kernel.org/all/bcba4d76-2c3f-4d11-baf0-02905db953dd@oracle.com/
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Fixes: 5013f454a3 ("tracing: Add check of trace event print fmts for dereferencing pointers")
Link: https://lore.kernel.org/20250327195311.2d89ec66@gandalf.local.home
Reported-by: Libo Chen <libo.chen@oracle.com>
Reviewed-by: Libo Chen <libo.chen@oracle.com>
Tested-by: Libo Chen <libo.chen@oracle.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
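
Why "%*p.." needs its own handling, as an added example that is not kernel code: in a printf-style format a `*` width consumes an extra int argument, so the pointer a format checker has to vet is the argument after it. The scanner is a simplified user-space model; its type and function names are hypothetical, the format string is constructed, and it does not reproduce the kernel's verifier.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* One %p conversion found in a print format (hypothetical model type). */
struct ptr_conv {
    int arg_index;   /* 0-based position of the pointer among the arguments */
    int star_width;  /* 1 if written "%*p..": an int width argument precedes it */
    char ext[8];     /* extension letters after 'p', e.g. "bl" */
};

/* Skip a width or precision field; a '*' consumes one int argument. */
static const char *skip_field(const char *s, int *arg, int *star)
{
    if (*s == '*') {
        (*arg)++;
        *star = 1;
        return s + 1;
    }
    while (isdigit((unsigned char)*s))
        s++;
    return s;
}

/* Record each %p conversion in fmt; returns the number recorded (capped at max). */
int find_pointer_convs(const char *fmt, struct ptr_conv *out, int max)
{
    int arg = 0, found = 0;
    for (const char *s = fmt; *s; s++) {
        int star = 0, prec_star = 0;
        if (*s != '%' || *++s == '%')
            continue;                       /* plain text or literal "%%" */
        while (*s && strchr("-+ #0", *s))   /* flags */
            s++;
        s = skip_field(s, &arg, &star);     /* width */
        if (*s == '.')
            s = skip_field(s + 1, &arg, &prec_star);
        while (*s && strchr("hlLzjt", *s))  /* length modifiers */
            s++;
        if (!*s)
            break;                          /* format ends inside a conversion */
        if (*s == 'p' && found < max) {
            struct ptr_conv *c = &out[found++];
            *c = (struct ptr_conv){ arg, star, "" };   /* ext starts zero-filled */
            for (size_t n = 0; n < sizeof(c->ext) - 1 && isalnum((unsigned char)s[1 + n]); n++)
                c->ext[n] = s[1 + n];
        }
        arg++;                              /* the conversion's own argument */
    }
    return found;
}

int main(void)
{
    struct ptr_conv c[4];
    if (find_pointer_convs("cpus=%*pbl id=%d", c, 4) > 0)   /* constructed format */
        printf("%%%sp%s reads argument %d\n", c[0].star_width ? "*" : "", c[0].ext, c[0].arg_index);
    return 0;
}
```

A scanner that skipped conversions with a `*` width would never look at argument 1 here, which is the pointer.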
commit f3b93547b91ad849b58eb5ab2dd070950ad7beb3 upstream.
Switch away from using sha1 for module signing by default and use the
more modern sha512 instead, which is what among others Arch, Fedora,
RHEL, and Ubuntu are currently using for their kernels.
Sha1 has not been considered secure against well-funded opponents since
2005[1]; since 2011 the NIST and other organizations furthermore
recommended its replacement[2]. This is why OpenSSL on RHEL9, Fedora
Linux 41+[3], and likely some other current and future distributions
reject the creation of sha1 signatures, which leads to a build error of
allmodconfig configurations:
80A20474797F0000:error:03000098:digital envelope routines:do_sigver_init:invalid digest:crypto/evp/m_sigver.c:342:
make[4]: *** [.../certs/Makefile:53: certs/signing_key.pem] Error 1
make[4]: *** Deleting file 'certs/signing_key.pem'
make[4]: *** Waiting for unfinished jobs....
make[3]: *** [.../scripts/Makefile.build:478: certs] Error 2
make[2]: *** [.../Makefile:1936: .] Error 2
make[1]: *** [.../Makefile:224: __sub-make] Error 2
make[1]: Leaving directory '...'
make: *** [Makefile:224: __sub-make] Error 2
This change makes allmodconfig work again and sets a default that is
more appropriate for current and future users, too.
Link: https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html [1]
Link: https://csrc.nist.gov/projects/hash-functions [2]
Link: https://fedoraproject.org/wiki/Changes/OpenSSLDistrustsha1SigVer [3]
Signed-off-by: Thorsten Leemhuis <linux@leemhuis.info>
Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
Tested-by: kdevops <kdevops@lists.linux.dev> [0]
Link: https://github.com/linux-kdevops/linux-modules-kpd/actions/runs/11420092929/job/31775404330 [0]
Link: https://lore.kernel.org/r/52ee32c0c92afc4d3263cea1f8a1cdc809728aff.1729088288.git.linux@leemhuis.info
Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Steps on the way to 6.1.135
Resolves merge conflicts in:
drivers/bluetooth/btqca.c
Change-Id: Ib76d6c88366d035cd32424ee75895b36d2848419
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit 28ead3eaabc16ecc907cfb71876da028080f6356 upstream.
bpf progs can be attached to kernel functions, and the attached functions
can take different parameters or return different return values. If
prog attached to one kernel function tail calls prog attached to another
kernel function, the ctx access or return value verification could be
bypassed.
For example, suppose prog1 is attached to func1, which takes only 1 parameter,
and prog2 is attached to func2, which takes two parameters. Since the verifier
assumes the bpf ctx passed to prog2 is constructed based on func2's
prototype, verifier allows prog2 to access the second parameter from
the bpf ctx passed to it. The problem is that verifier does not prevent
prog1 from passing its bpf ctx to prog2 via tail call. In this case,
the bpf ctx passed to prog2 is constructed from func1 instead of func2,
that is, the assumption for ctx access verification is bypassed.
As another example, suppose BPF LSM prog1 is attached to hook file_alloc_security
and BPF LSM prog2 is attached to hook bpf_lsm_audit_rule_known. The verifier
knows the return value rules for these two hooks, e.g. it is legal for
bpf_lsm_audit_rule_known to return positive number 1, and it is illegal
for file_alloc_security to return positive number. So verifier allows
prog2 to return positive number 1, but does not allow prog1 to return
positive number. The problem is that verifier does not prevent prog1
from calling prog2 via tail call. In this case, prog2's return value 1
will be used as the return value for prog1's hook file_alloc_security.
That is, the return value rule is bypassed.
This patch adds restriction for tail call to prevent such bypasses.
Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
Link: https://lore.kernel.org/r/20240719110059.797546-4-xukuohai@huaweicloud.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
[Minor conflict resolved due to code context change.]
Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
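
The two bypass cases from the commit message above, as an added example that is neither part of the commit nor kernel code. It is a user-space C model in which a tail-call table admits only programs that share the attach target of its first program; all type and function names are hypothetical, and comparing attach targets is this sketch's assumption about the form of the restriction, which the message does not spell out.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model types for illustration; these are not kernel structures. */
enum prog_kind { KIND_TRACING, KIND_LSM };

struct func_proto {          /* what the verifier assumed about the attach target */
    const char *name;
    int nargs;               /* ctx slots the program was allowed to read */
    bool positive_ret_ok;    /* whether the hook accepts a positive return value */
};

struct prog { enum prog_kind kind; const struct func_proto *attach; };

/* Tail-call table; it remembers the kind and attach target of its first program. */
struct prog_array { bool owned; enum prog_kind owner_kind; const struct func_proto *owner_attach; };

/* True when chaining caller -> callee breaks a rule verified for only one of them. */
bool tail_call_breaks_assumption(const struct prog *caller, const struct prog *callee)
{
    if (callee->attach->nargs > caller->attach->nargs)
        return true;    /* callee reads ctx slots the caller's ctx never had */
    if (callee->attach->positive_ret_ok && !caller->attach->positive_ret_ok)
        return true;    /* callee's return value reaches a stricter hook */
    return false;
}

/* Assumed restriction: all programs in one array share the owner's kind and
 * attach target, so mismatched programs can never tail call each other. */
bool prog_array_admit(struct prog_array *arr, const struct prog *p)
{
    if (!arr->owned) {
        *arr = (struct prog_array){ true, p->kind, p->attach };
        return true;
    }
    return arr->owner_kind == p->kind && arr->owner_attach == p->attach;
}

/* Constructed sample data mirroring the two cases in the commit message. */
static const struct func_proto func1 = { "func1", 1, false };
static const struct func_proto func2 = { "func2", 2, false };
static const struct func_proto file_alloc = { "file_alloc_security", 1, false };
static const struct func_proto audit_known = { "bpf_lsm_audit_rule_known", 1, true };

/* Returns 1 if the pair is unsafe to chain AND the array refuses the second program. */
int unsafe_pair_refused(enum prog_kind kind, const struct func_proto *a, const struct func_proto *b)
{
    struct prog caller = { kind, a }, callee = { kind, b };
    struct prog_array arr = { 0 };
    return tail_call_breaks_assumption(&caller, &callee) &&
           prog_array_admit(&arr, &caller) && !prog_array_admit(&arr, &callee);
}

int main(void)
{
    printf("ctx case refused=%d\n", unsafe_pair_refused(KIND_TRACING, &func1, &func2));
    printf("ret case refused=%d\n", unsafe_pair_refused(KIND_LSM, &file_alloc, &audit_known));
    return 0;
}
```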