[Deepin-Kernel-SIG] [linux 6.6-y] [Upstream] Update kernel base to 6.6.125,6.6.126 #1505
commit ec30660 upstream. is_open, has_lease and on_list are stored in the same bitfield byte in struct cached_fid but are updated in different code paths that may run concurrently. Bitfield assignments generate byte read–modify–write operations (e.g. `orb $mask, addr` on x86_64), so updating one flag can restore stale values of the others. A possible interleaving is:
CPU1: load old byte (has_lease=1, on_list=1)
CPU2: clear both flags (store 0)
CPU1: RMW store (old | IS_OPEN) -> reintroduces cleared bits
To avoid this class of races, convert these flags to separate bool fields. Cc: stable@vger.kernel.org Fixes: ebe98f1 ("cifs: enable caching of directories for which a lease is held") Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 4386f6af8aaedd0c5ad6f659b40cadcc8f423828) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
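The interleaving in the commit message above, replayed deterministically as an added example (not part of the commit or of the kernel source). The bit positions, the step names and the enumeration of the three possible orderings are assumptions of this model; it compares a shared flag byte with separate per-flag storage.

```c
#include <stdio.h>

/* Bit positions are constructed for this model; the commit message only
 * says that the three flags share one bitfield byte. */
#define HAS_LEASE 0x01u
#define IS_OPEN   0x02u
#define ON_LIST   0x04u

enum step { CPU1_LOAD, CPU1_STORE, CPU2_CLEAR };

/* CPU1 sets is_open in two steps (load, store); CPU2 clears the other two
 * flags in one step. These are all the ways the steps can interleave. */
static const enum step orders[3][3] = {
	{ CPU2_CLEAR, CPU1_LOAD, CPU1_STORE },
	{ CPU1_LOAD, CPU2_CLEAR, CPU1_STORE },	/* the one in the commit message */
	{ CPU1_LOAD, CPU1_STORE, CPU2_CLEAR },
};

/* Packed layout: CPU1's update is a read-modify-write of the whole byte. */
unsigned replay_packed(const enum step *order, int n)
{
	unsigned char byte = HAS_LEASE | ON_LIST;
	unsigned char cpu1_reg = 0;
	int i;

	for (i = 0; i < n; i++) {
		switch (order[i]) {
		case CPU1_LOAD:  cpu1_reg = byte; break;
		case CPU1_STORE: byte = (unsigned char)(cpu1_reg | IS_OPEN); break;
		case CPU2_CLEAR: byte = 0; break;	/* "store 0" */
		}
	}
	return byte;
}

/* Split layout: every flag has its own storage, so CPU1's store writes
 * is_open only and carries no copy of the neighbouring flags. */
unsigned replay_split(const enum step *order, int n)
{
	unsigned char has_lease = 1, is_open = 0, on_list = 1;
	int i;

	for (i = 0; i < n; i++) {
		switch (order[i]) {
		case CPU1_LOAD:  break;			/* nothing to load */
		case CPU1_STORE: is_open = 1; break;
		case CPU2_CLEAR: has_lease = 0; on_list = 0; break;
		}
	}
	return (has_lease ? HAS_LEASE : 0) | (is_open ? IS_OPEN : 0) |
	       (on_list ? ON_LIST : 0);
}

/* Final flags for the interleaving quoted in the commit message. */
unsigned commit_interleaving(int split)
{
	return split ? replay_split(orders[1], 3) : replay_packed(orders[1], 3);
}

/* Number of orderings that end with a flag CPU2 cleared set again. */
int stale_orderings(int split)
{
	int i, stale = 0;

	for (i = 0; i < 3; i++) {
		unsigned r = split ? replay_split(orders[i], 3)
				   : replay_packed(orders[i], 3);
		if (r & (HAS_LEASE | ON_LIST))
			stale++;
	}
	return stale;
}

int main(void)
{
	printf("packed: flags=0x%02x, stale orderings=%d\n",
	       commit_interleaving(0), stale_orderings(0));
	printf("split:  flags=0x%02x, stale orderings=%d\n",
	       commit_interleaving(1), stale_orderings(1));
	return 0;
}
```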
…or paths commit 010eb01 upstream. The problem occurs when a signed request fails smb2 signature verification check. In __process_request(), if check_sign_req() returns an error, set_smb2_rsp_status(work, STATUS_ACCESS_DENIED) is called. set_smb2_rsp_status() sets work->next_smb2_rcv_hdr_off to zero. By resetting next_smb2_rcv_hdr_off to zero, the pointer to the next command in the chain is lost. Consequently, is_chained_smb2_message() continues to point to the same request header instead of advancing. If the header's NextCommand field is non-zero, the function returns true, causing __handle_ksmbd_work() to repeatedly process the same failed request in an infinite loop. This results in the kernel log being flooded with "bad smb2 signature" messages and high CPU usage. This patch fixes the issue by changing the return value from SERVER_HANDLER_CONTINUE to SERVER_HANDLER_ABORT. This ensures that the processing loop terminates immediately rather than attempting to continue from an invalidated offset. Reported-by: tianshuo han <hantianshuo233@gmail.com> Cc: stable@vger.kernel.org Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 5accdc5b7f28a81bbc5880ac0b8886e60c86e8c8) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 77ffbca upstream. On kthread_run() failure in ksmbd_tcp_new_connection(), the transport is freed via free_transport(), which does not decrement active_num_conn, leaking this counter. Replace free_transport() with ksmbd_tcp_disconnect(). Fixes: 0d0d468 ("ksmbd: add max connections parameter") Cc: stable@vger.kernel.org Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 787769c8cc50416af7b8b1a36e6bcd6aaa7680aa) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit dc23806 upstream. Currently, driver_match_device() is called from three sites. One site (__device_attach_driver) holds device_lock(dev), but the other two (bind_store and __driver_attach) do not. This inconsistency means that bus match() callbacks are not guaranteed to be called with the lock held. Fix this by introducing driver_match_device_locked(), which guarantees holding the device lock using a scoped guard. Replace the unlocked calls in bind_store() and __driver_attach() with this new helper. Also add a lock assertion to driver_match_device() to enforce this guarantee. This consistency also fixes a known race condition. The driver_override implementation relies on the device_lock, so the missing lock led to the use-after-free (UAF) reported in Bugzilla for buses using this field. Stress testing the two newly locked paths for 24 hours with CONFIG_PROVE_LOCKING and CONFIG_LOCKDEP enabled showed no UAF recurrence and no lockdep warnings. Cc: stable@vger.kernel.org Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220789 Suggested-by: Qiu-ji Chen <chenqiuji666@gmail.com> Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com> Fixes: 49b420a ("driver core: check bus->match without holding device lock") Reviewed-by: Danilo Krummrich <dakr@kernel.org> Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Reviewed-by: Rafael J. Wysocki (Intel) <rafael@kernel.org> Link: https://patch.msgid.link/20260113162843.12712-1-hanguidong02@gmail.com Signed-off-by: Danilo Krummrich <dakr@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit adc1796eced46b48e23ec200a219d635f33a38ee) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 6c0568b upstream. Add USB ID 7392:e611 for Edimax EW-7611UXB which is RTL8851BU-based Wi-Fi + Bluetooth adapter. The information in /sys/kernel/debug/usb/devices about the Bluetooth device is listed as the below: T: Bus=03 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 6 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=7392 ProdID=e611 Rev= 0.00 S: Manufacturer=Realtek S: Product=802.11ax WLAN Adapter S: SerialNumber=00e04c000001 C:* #Ifs= 3 Cfg#= 1 Atr=e0 MxPwr=500mA A: FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=01 I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms I: If#= 1 Alt= 6 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 63 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 63 Ivl=1ms I:* If#= 2 Alt= 0 #EPs= 8 Cls=ff(vend.) 
Sub=ff Prot=ff Driver=rtw89_8851bu_git E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=09(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=0a(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=0b(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=0c(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms Cc: stable@vger.kernel.org # 6.6.x Signed-off-by: Zenm Chen <zenmchen@gmail.com> Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 6dda9f06990544206289a8fa8524ae519a486f67) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…_store commit 5565a72 upstream. OTX_CPT_UCODE_NAME_LENGTH limits the microcode name to 64 bytes. If a user writes a string of exactly 64 characters, the original code used 'strlen(buf) > 64' to check the length, but then strscpy() copies only 63 characters before adding a NUL terminator, silently truncating the copied string. Fix this off-by-one error by using 'count' directly for the length check to ensure long names are rejected early and copied without truncation. Cc: stable@vger.kernel.org Fixes: d9110b0 ("crypto: marvell - add support for OCTEON TX CPT engine") Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 7dbeeafcb6e50d201b016599d1dcb576fbecfead) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
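The off-by-one described in the commit message above, as an added userspace example (not the driver's code and not part of the commit). `model_strscpy()` is a stand-in for the kernel's strscpy(), and the `count >= 64` form of the fixed check and the ignored copy result are assumptions of this model.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Limit named in the commit message (OTX_CPT_UCODE_NAME_LENGTH). */
#define UCODE_NAME_LENGTH 64

/*
 * Userspace stand-in for the kernel's strscpy(): copies at most size - 1
 * bytes, always NUL-terminates, and returns the number of bytes copied or
 * -E2BIG when the source did not fit.
 */
static long model_strscpy(char *dst, const char *src, size_t size)
{
	size_t i;

	if (size == 0)
		return -E2BIG;
	for (i = 0; i < size - 1 && src[i] != '\0'; i++)
		dst[i] = src[i];
	dst[i] = '\0';
	return src[i] == '\0' ? (long)i : -E2BIG;
}

/* Length check as the commit message describes it before the fix. */
static int store_before(const char *buf, size_t count, char *name)
{
	(void)count;
	if (strlen(buf) > UCODE_NAME_LENGTH)
		return -EINVAL;
	/* Model assumption: the copy's return value is not inspected. */
	model_strscpy(name, buf, UCODE_NAME_LENGTH);
	return 0;
}

/* Assumed form of the fix: reject input that cannot fit with its NUL. */
static int store_after(const char *buf, size_t count, char *name)
{
	if (count >= UCODE_NAME_LENGTH)
		return -EINVAL;
	model_strscpy(name, buf, UCODE_NAME_LENGTH);
	return 0;
}

/*
 * Build a constructed n-character name, pass it to one of the handlers and
 * return the length actually stored, or the negative errno on rejection.
 */
int stored_len(int use_fixed, size_t n)
{
	char buf[128], name[UCODE_NAME_LENGTH];
	int ret;

	if (n >= sizeof(buf))
		return -EINVAL;
	memset(buf, 'a', n);
	buf[n] = '\0';
	ret = use_fixed ? store_after(buf, n, name)
			: store_before(buf, n, name);
	return ret ? ret : (int)strlen(name);
}

int main(void)
{
	size_t n;

	for (n = 63; n <= 65; n++)
		printf("input of %zu chars: before=%d after=%d\n",
		       n, stored_len(0, n), stored_len(1, n));
	return 0;
}
```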
commit 1562b1f upstream. The existing allocation of scatterlists in omap_crypto_copy_sg_lists() was allocating an array of scatterlist pointers, not scatterlist objects, resulting in a 4x too small allocation. Use sizeof(*new_sg) to get the correct object size. Fixes: 74ed87e ("crypto: omap - add base support library for common routines") Signed-off-by: Kees Cook <kees@kernel.org> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 6edf8df4bd29f7bfd245b67b2c31d905f1cfc14b) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit b505047 upstream. When a VM boots with one virtio-crypto PCI device and builtin backend, run the openssl benchmark command with multiple processes, such as
openssl speed -evp aes-128-cbc -engine afalg -seconds 10 -multi 32
The openssl processes will hang and there is an error reported like this:
virtio_crypto virtio0: dataq.0:id 3 is not a head!
It seems that the data virtqueue needs protection when it is handled for virtio done notification. If the spinlock protection is added in virtcrypto_done_task(), the openssl benchmark with multiple processes works well. Fixes: fed93fb ("crypto: virtio - Handle dataq logic with tasklet") Cc: stable@vger.kernel.org Signed-off-by: Bibo Mao <maobibo@loongson.cn> Acked-by: Jason Wang <jasowang@redhat.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit d6f0d586808689963e58fd739bed626ff5013b24) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…cipher_crypt_req commit 14f86a1 upstream. With function virtio_crypto_skcipher_crypt_req(), there is already virtqueue_kick() call with spinlock held in function __virtio_crypto_skcipher_do_req(). Remove duplicated virtqueue_kick() function call here. Fixes: d79b5d0 ("crypto: virtio - support crypto engine framework") Cc: stable@vger.kernel.org Signed-off-by: Bibo Mao <maobibo@loongson.cn> Acked-by: Jason Wang <jasowang@redhat.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit dd1f6c920638577a5d68629e31e2676757813ddb) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit ed527ef upstream. When a user executes the FITRIM command, an underflow can occur when calculating nblocks if end_block is too small. Since nblocks is of type sector_t, which is u64, a negative nblocks value will become a very large positive integer. This ultimately leads to the block layer function __blkdev_issue_discard() taking an excessively long time to process the bio chain, and the ns_segctor_sem lock remains held for a long period. This prevents other tasks from acquiring the ns_segctor_sem lock, resulting in the hang reported by syzbot in [1]. If the ending block is too small, typically if it is smaller than 4KiB range, depending on the usage of the segment 0, it may be possible to attempt a discard request beyond the device size causing the hang. Exit successfully and assign the discarded size (0 in this case) to range->len. Although the start and len values in the user input range are too small, a conservative strategy is adopted here to safely ignore them, which is equivalent to a no-op; it will not perform any trimming and will not throw an error. 
[1] task:segctord state:D stack:28968 pid:6093 tgid:6093 ppid:2 task_flags:0x200040 flags:0x00080000 Call Trace: rwbase_write_lock+0x3dd/0x750 kernel/locking/rwbase_rt.c:272 nilfs_transaction_lock+0x253/0x4c0 fs/nilfs2/segment.c:357 nilfs_segctor_thread_construct fs/nilfs2/segment.c:2569 [inline] nilfs_segctor_thread+0x6ec/0xe00 fs/nilfs2/segment.c:2684 [ryusuke: corrected part of the commit message about the consequences] Fixes: 82e11e8 ("nilfs2: add nilfs_sufile_trim_fs to trim clean segs") Reported-by: syzbot+7eedce5eb281acd832f0@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=7eedce5eb281acd832f0 Signed-off-by: Edward Adam Davis <eadavis@qq.com> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Cc: stable@vger.kernel.org Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit df1e20796c9f3d541cca47fb72e4369ea135642d) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 0177aa8 upstream. rtw_core_enable_beacon() reads 4 bytes from an address that is not a multiple of 4. This results in a crash on some systems. Do 1 byte reads/writes instead. Unable to handle kernel paging request at virtual address ffff8000827e0522 Mem abort info: ESR = 0x0000000096000021 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x21: alignment fault Data abort info: ISV = 0, ISS = 0x00000021, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000005492000 [ffff8000827e0522] pgd=0000000000000000, p4d=10000001021d9403, pud=10000001021da403, pmd=100000011061c403, pte=00780000f3200f13 Internal error: Oops: 0000000096000021 [#1] SMP Modules linked in: [...] rtw88_8822ce rtw88_8822c rtw88_pci rtw88_core [...] CPU: 0 UID: 0 PID: 73 Comm: kworker/u32:2 Tainted: G W 6.17.9 #1-NixOS VOLUNTARY Tainted: [W]=WARN Hardware name: FriendlyElec NanoPC-T6 LTS (DT) Workqueue: phy0 rtw_c2h_work [rtw88_core] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : rtw_pci_read32+0x18/0x40 [rtw88_pci] lr : rtw_core_enable_beacon+0xe0/0x148 [rtw88_core] sp : ffff800080cc3ca0 x29: ffff800080cc3ca0 x28: ffff0001031fc240 x27: ffff000102100828 x26: ffffd2cb7c9b4088 x25: ffff0001031fc2c0 x24: ffff000112fdef00 x23: ffff000112fdef18 x22: ffff000111c29970 x21: 0000000000000001 x20: 0000000000000001 x19: ffff000111c22040 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : ffffd2cb6507c090 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000007f10 x1 : 0000000000000522 x0 : ffff8000827e0522 Call trace: rtw_pci_read32+0x18/0x40 [rtw88_pci] (P) rtw_hw_scan_chan_switch+0x124/0x1a8 [rtw88_core] 
rtw_fw_c2h_cmd_handle+0x254/0x290 [rtw88_core] rtw_c2h_work+0x50/0x98 [rtw88_core] process_one_work+0x178/0x3f8 worker_thread+0x208/0x418 kthread+0x120/0x220 ret_from_fork+0x10/0x20 Code: d28fe202 8b020000 f9524400 8b214000 (b9400000) ---[ end trace 0000000000000000 ]--- Fixes: ad6741b ("wifi: rtw88: Stop high queue during scan") Cc: stable@vger.kernel.org Closes: lwfinger/rtw88#418 Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com> Acked-by: Ping-Ke Shih <pkshih@realtek.com> Signed-off-by: Ping-Ke Shih <pkshih@realtek.com> Link: https://patch.msgid.link/6345300d-8c93-464c-9b05-d0d9af3c97ad@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 71dee092903adb496fe1f357b267d94087b679e0) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit b6df15a upstream. System crash with the following signature [154563.214890] nvme nvme2: NVME-FC{1}: controller connect complete [154564.169363] qla2xxx [0000:b0:00.1]-3002:2: nvme: Sched: Set ZIO exchange threshold to 3. [154564.169405] qla2xxx [0000:b0:00.1]-ffffff:2: SET ZIO Activity exchange threshold to 5. [154565.539974] qla2xxx [0000:b0:00.1]-5013:2: RSCN database changed – 0078 0080 0000. [154565.545744] qla2xxx [0000:b0:00.1]-5013:2: RSCN database changed – 0078 00a0 0000. [154565.545857] qla2xxx [0000:b0:00.1]-11a2:2: FEC=enabled (data rate). [154565.552760] qla2xxx [0000:b0:00.1]-11a2:2: FEC=enabled (data rate). [154565.553079] BUG: kernel NULL pointer dereference, address: 00000000000000f8 [154565.553080] #PF: supervisor read access in kernel mode [154565.553082] #PF: error_code(0x0000) - not-present page [154565.553084] PGD 80000010488ab067 P4D 80000010488ab067 PUD 104978a067 PMD 0 [154565.553089] Oops: 0000 1 PREEMPT SMP PTI [154565.553092] CPU: 10 PID: 858 Comm: qla2xxx_2_dpc Kdump: loaded Tainted: G OE ------- --- 5.14.0-503.11.1.el9_5.x86_64 #1 [154565.553096] Hardware name: HPE Synergy 660 Gen10/Synergy 660 Gen10 Compute Module, BIOS I43 09/30/2024 [154565.553097] RIP: 0010:qla_fab_async_scan.part.0+0x40b/0x870 [qla2xxx] [154565.553141] Code: 00 00 e8 58 a3 ec d4 49 89 e9 ba 12 20 00 00 4c 89 e6 49 c7 c0 00 ee a8 c0 48 c7 c1 66 c0 a9 c0 bf 00 80 00 10 e8 15 69 00 00 <4c> 8b 8d f8 00 00 00 4d 85 c9 74 35 49 8b 84 24 00 19 00 00 48 8b [154565.553143] RSP: 0018:ffffb4dbc8aebdd0 EFLAGS: 00010286 [154565.553145] RAX: 0000000000000000 RBX: ffff8ec2cf0908d0 RCX: 0000000000000002 [154565.553147] RDX: 0000000000000000 RSI: ffffffffc0a9c896 RDI: ffffb4dbc8aebd47 [154565.553148] RBP: 0000000000000000 R08: ffffb4dbc8aebd45 R09: 0000000000ffff0a [154565.553150] R10: 0000000000000000 R11: 000000000000000f R12: ffff8ec2cf0908d0 [154565.553151] R13: ffff8ec2cf090900 R14: 0000000000000102 R15: ffff8ec2cf084000 [154565.553152] FS: 0000000000000000(0000) 
GS:ffff8ed27f800000(0000) knlGS:0000000000000000 [154565.553154] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [154565.553155] CR2: 00000000000000f8 CR3: 000000113ae0a005 CR4: 00000000007706f0 [154565.553157] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [154565.553158] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [154565.553159] PKRU: 55555554 [154565.553160] Call Trace: [154565.553162] <TASK> [154565.553165] ? show_trace_log_lvl+0x1c4/0x2df [154565.553172] ? show_trace_log_lvl+0x1c4/0x2df [154565.553177] ? qla_fab_async_scan.part.0+0x40b/0x870 [qla2xxx] [154565.553215] ? __die_body.cold+0x8/0xd [154565.553218] ? page_fault_oops+0x134/0x170 [154565.553223] ? snprintf+0x49/0x70 [154565.553229] ? exc_page_fault+0x62/0x150 [154565.553238] ? asm_exc_page_fault+0x22/0x30 Check for sp being non NULL before freeing any associated memory Fixes: a423994 ("scsi: qla2xxx: Add switch command to simplify fabric discovery") Cc: stable@vger.kernel.org Signed-off-by: Anil Gurumurthy <agurumurthy@marvell.com> Signed-off-by: Nilesh Javali <njavali@marvell.com> Reviewed-by: Himanshu Madhani <hmadhani2024@gmail.com> Link: https://patch.msgid.link/20251210101604.431868-10-njavali@marvell.com Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 949010291bb941d53733ed08a33454254d9afb1b) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit b0335ee upstream. Tape device doesn't show up after RSCNs. To fix this, remove tape device specific checks which allows recovery of tape devices. Fixes: 44c57f2 ("scsi: qla2xxx: Changes to support FCP2 Target") Cc: stable@vger.kernel.org Signed-off-by: Shreyas Deodhar <sdeodhar@marvell.com> Signed-off-by: Nilesh Javali <njavali@marvell.com> Reviewed-by: Himanshu Madhani <hmadhani2024@gmail.com> Link: https://patch.msgid.link/20251210101604.431868-7-njavali@marvell.com Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit ccbfcaa4b88e5b33d98b1e1227a4f7edee81d77d) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 8890bf4 upstream. System crash seen during load/unload test in a loop. [105954.384919] RBP: ffff914589838dc0 R08: 0000000000000000 R09: 0000000000000086 [105954.384920] R10: 000000000000000f R11: ffffa31240904be5 R12: ffff914605f868e0 [105954.384921] R13: ffff914605f86910 R14: 0000000000008010 R15: 00000000ddb7c000 [105954.384923] FS: 0000000000000000(0000) GS:ffff9163fec40000(0000) knlGS:0000000000000000 [105954.384925] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [105954.384926] CR2: 000055d31ce1d6a0 CR3: 0000000119f5e001 CR4: 0000000000770ee0 [105954.384928] PKRU: 55555554 [105954.384929] Call Trace: [105954.384931] <IRQ> [105954.384934] qla24xx_sp_unmap+0x1f3/0x2a0 [qla2xxx] [105954.384962] ? qla_async_scan_sp_done+0x114/0x1f0 [qla2xxx] [105954.384980] ? qla24xx_els_ct_entry+0x4de/0x760 [qla2xxx] [105954.384999] ? __wake_up_common+0x80/0x190 [105954.385004] ? qla24xx_process_response_queue+0xc2/0xaa0 [qla2xxx] [105954.385023] ? qla24xx_msix_rsp_q+0x44/0xb0 [qla2xxx] [105954.385040] ? __handle_irq_event_percpu+0x3d/0x190 [105954.385044] ? handle_irq_event+0x58/0xb0 [105954.385046] ? handle_edge_irq+0x93/0x240 [105954.385050] ? __common_interrupt+0x41/0xa0 [105954.385055] ? common_interrupt+0x3e/0xa0 [105954.385060] ? asm_common_interrupt+0x22/0x40 The root cause of this was that there was a free (dma_free_attrs) in the interrupt context. There was a device discovery/fabric scan in progress. A module unload was issued which set the UNLOADING flag. As part of the discovery, after receiving an interrupt a work queue was scheduled (which involved a work to be queued). Since the UNLOADING flag is set, the work item was not allocated and the mapped memory had to be freed. The free occurred in interrupt context leading to system crash. Delay the driver unload until the fabric scan is complete to avoid the crash. 
Reported-by: kernel test robot <lkp@intel.com> Reported-by: Dan Carpenter <dan.carpenter@linaro.org> Closes: https://lore.kernel.org/all/202512090414.07Waorz0-lkp@intel.com/ Fixes: 783e0dc ("qla2xxx: Check for device state before unloading the driver.") Cc: stable@vger.kernel.org Signed-off-by: Anil Gurumurthy <agurumurthy@marvell.com> Signed-off-by: Nilesh Javali <njavali@marvell.com> Reviewed-by: Himanshu Madhani <hmadhani2024@gmail.com> Link: https://patch.msgid.link/20251210101604.431868-8-njavali@marvell.com Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 528b2f1027edfb52af0171f0f4b227fb356dde05) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 7adbd2b upstream. System crash seen during load/unload test in a loop, [61110.449331] qla2xxx [0000:27:00.0]-0042:0: Disabled MSI-X. [61110.467494] ============================================================================= [61110.467498] BUG qla2xxx_srbs (Tainted: G OE -------- --- ): Objects remaining in qla2xxx_srbs on __kmem_cache_shutdown() [61110.467501] ----------------------------------------------------------------------------- [61110.467502] Slab 0x000000000ffc8162 objects=51 used=1 fp=0x00000000e25d3d85 flags=0x57ffffc0010200(slab|head|node=1|zone=2|lastcpupid=0x1fffff) [61110.467509] CPU: 53 PID: 455206 Comm: rmmod Kdump: loaded Tainted: G OE -------- --- 5.14.0-284.11.1.el9_2.x86_64 #1 [61110.467513] Hardware name: HPE ProLiant DL385 Gen10 Plus v2/ProLiant DL385 Gen10 Plus v2, BIOS A42 08/17/2023 [61110.467515] Call Trace: [61110.467516] <TASK> [61110.467519] dump_stack_lvl+0x34/0x48 [61110.467526] slab_err.cold+0x53/0x67 [61110.467534] __kmem_cache_shutdown+0x16e/0x320 [61110.467540] kmem_cache_destroy+0x51/0x160 [61110.467544] qla2x00_module_exit+0x93/0x99 [qla2xxx] [61110.467607] ? __do_sys_delete_module.constprop.0+0x178/0x280 [61110.467613] ? syscall_trace_enter.constprop.0+0x145/0x1d0 [61110.467616] ? do_syscall_64+0x5c/0x90 [61110.467619] ? exc_page_fault+0x62/0x150 [61110.467622] ? 
entry_SYSCALL_64_after_hwframe+0x63/0xcd [61110.467626] </TASK> [61110.467627] Disabling lock debugging due to kernel taint [61110.467635] Object 0x0000000026f7e6e6 @offset=16000 [61110.467639] ------------[ cut here ]------------ [61110.467639] kmem_cache_destroy qla2xxx_srbs: Slab cache still has objects when called from qla2x00_module_exit+0x93/0x99 [qla2xxx] [61110.467659] WARNING: CPU: 53 PID: 455206 at mm/slab_common.c:520 kmem_cache_destroy+0x14d/0x160 [61110.467718] CPU: 53 PID: 455206 Comm: rmmod Kdump: loaded Tainted: G B OE -------- --- 5.14.0-284.11.1.el9_2.x86_64 #1 [61110.467720] Hardware name: HPE ProLiant DL385 Gen10 Plus v2/ProLiant DL385 Gen10 Plus v2, BIOS A42 08/17/2023 [61110.467721] RIP: 0010:kmem_cache_destroy+0x14d/0x160 [61110.467724] Code: 99 7d 07 00 48 89 ef e8 e1 6a 07 00 eb b3 48 8b 55 60 48 8b 4c 24 20 48 c7 c6 70 fc 66 90 48 c7 c7 f8 ef a1 90 e8 e1 ed 7c 00 <0f> 0b eb 93 c3 cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 [61110.467725] RSP: 0018:ffffa304e489fe80 EFLAGS: 00010282 [61110.467727] RAX: 0000000000000000 RBX: ffffffffc0d9a860 RCX: 0000000000000027 [61110.467729] RDX: ffff8fd5ff9598a8 RSI: 0000000000000001 RDI: ffff8fd5ff9598a0 [61110.467730] RBP: ffff8fb6aaf78700 R08: 0000000000000000 R09: 0000000100d863b7 [61110.467731] R10: ffffa304e489fd20 R11: ffffffff913bef48 R12: 0000000040002000 [61110.467731] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [61110.467733] FS: 00007f64c89fb740(0000) GS:ffff8fd5ff940000(0000) knlGS:0000000000000000 [61110.467734] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [61110.467735] CR2: 00007f0f02bfe000 CR3: 00000020ad6dc005 CR4: 0000000000770ee0 [61110.467736] PKRU: 55555554 [61110.467737] Call Trace: [61110.467738] <TASK> [61110.467739] qla2x00_module_exit+0x93/0x99 [qla2xxx] [61110.467755] ? __do_sys_delete_module.constprop.0+0x178/0x280 Free sp in the error path to fix the crash. 
Fixes: f352eeb ("scsi: qla2xxx: Add ability to use GPNFT/GNNFT for RSCN handling") Cc: stable@vger.kernel.org Signed-off-by: Anil Gurumurthy <agurumurthy@marvell.com> Signed-off-by: Nilesh Javali <njavali@marvell.com> Reviewed-by: Himanshu Madhani <hmadhani2024@gmail.com> Link: https://patch.msgid.link/20251210101604.431868-9-njavali@marvell.com Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit aed16d37696f494288a291b4b477484ed0be774b) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 42b2dab upstream. Issue occurred during a continuous reboot test of several thousand iterations specific to a fabric topo with dual mode target where it sends a PLOGI/PRLI and then sends a LOGO. The initiator was also in the process of discovery and sent a PLOGI to the switch. It then queried a list of ports logged in via mbx 75h and the GPDB response indicated that the target was logged in. This caused a mismatch in the states between the driver and FW. Requery the FW for the state and proceed with the rest of discovery process. Fixes: a423994 ("scsi: qla2xxx: Add switch command to simplify fabric discovery") Cc: stable@vger.kernel.org Signed-off-by: Anil Gurumurthy <agurumurthy@marvell.com> Signed-off-by: Nilesh Javali <njavali@marvell.com> Reviewed-by: Himanshu Madhani <hmadhani2024@gmail.com> Link: https://patch.msgid.link/20251210101604.431868-11-njavali@marvell.com Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit dccf7bc011d0ec05088d3d88afaf511302e8b24e) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit adcbadf upstream. Commit fd580c9 ("net: sfp: augment SFP parsing with phy_interface_t bitmap") did not add augmentation for the interface bitmap in the quirk for Ubiquiti U-Fiber Instant. The subsequent commit f81fa96 ("net: phylink: use phy_interface_t bitmaps for optical modules") then changed phylink code for selection of SFP interface: instead of using link mode bitmap, the interface bitmap is used, and the fastest interface mode supported by both SFP module and MAC is chosen. Since the interface bitmap contains also modes faster than 1000base-x, this caused a regression wherein this module stopped working out-of-the-box. Fix this. Fixes: fd580c9 ("net: sfp: augment SFP parsing with phy_interface_t bitmap") Signed-off-by: Marek Behún <kabel@kernel.org> Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com> Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk> Link: https://patch.msgid.link/20260129082227.17443-1-kabel@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 57770faaff8ee53c51c6777d33f7c706903a2409) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 930b64c upstream. Currently, nfsd_proc_stat_init() ignores the return value of svc_proc_register(). If the procfile creation fails, then the kernel will WARN when it tries to remove the entry later. Fix nfsd_proc_stat_init() to return the same type of pointer as svc_proc_register(), and fix up nfsd_net_init() to check that and fail the nfsd_net construction if it occurs. svc_proc_register() can fail if the dentry can't be allocated, or if an identical dentry already exists. The second case is pretty unlikely in the nfsd_net construction codepath, so if this happens, return -ENOMEM. Reported-by: syzbot+e34ad04f27991521104c@syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-nfs/67a47501.050a0220.19061f.05f9.GAE@google.com/ Cc: stable@vger.kernel.org # v6.9 Signed-off-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> [ Update the cleanup path to use nfsd_stat_counters_destroy. This ensures the teardown logic is correctly paired with nfsd_stat_counters_init, as required by the current NFSD implementation.] Signed-off-by: Jianqiang kang <jianqkang@sina.cn> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 30405b23b4d5e2a596fb756d48119d7293194e75) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 69e687c upstream. Several ruleset objects are still not using GFP_KERNEL_ACCOUNT for memory accounting, update them. This includes:
- catchall elements
- compat match large info area
- log prefix
- meta secctx
- numgen counters
- pipapo set backend datastructure
- tunnel private objects
Fixes: 33758c8 ("memcg: enable accounting for nft objects") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> [ Adjust context ] Signed-off-by: Bin Lan <lanbincn@139.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 1c4f72fa9699346e92c63049abba58758bdc8d73) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 4c5c6aa upstream. When calculating the lookup table size, ensure the following multiplication does not overflow:
- desc->field_len[] maximum value is U8_MAX multiplied by NFT_PIPAPO_GROUPS_PER_BYTE(f) that can be 2, worst case.
- NFT_PIPAPO_BUCKETS(f->bb) is 2^8, worst case.
- sizeof(unsigned long), from sizeof(*f->lt), lt in struct nft_pipapo_field.
Then, use check_mul_overflow() to multiply by bucket size and then use check_add_overflow() to the alignment for avx2 (if needed). Finally, add lt_size_check_overflow() helper and use it to consolidate this. While at it, replace leftover allocation using the GFP_KERNEL to GFP_KERNEL_ACCOUNT for consistency, in pipapo_resize(). Fixes: 3c4287f ("nf_tables: Add set type for arbitrary concatenation of ranges") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Reviewed-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> [ Adjust context ] Signed-off-by: Bin Lan <lanbincn@139.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit a9e757473561da93c6a4136f0e59aba91ec777fc) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
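The size calculation described in the commit message above, modelled in userspace as an added example (not the netfilter code and not part of the commit). It uses the GCC/Clang builtins `__builtin_mul_overflow()` and `__builtin_add_overflow()`; the function names and the `ALIGN_HEADROOM` value are constructed for the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Worst-case factors listed in the commit message. */
#define FIELD_LEN_MAX   UINT8_MAX	/* desc->field_len[] is at most U8_MAX */
#define GROUPS_PER_BYTE 2		/* NFT_PIPAPO_GROUPS_PER_BYTE(f), worst case */
#define BUCKETS         256		/* NFT_PIPAPO_BUCKETS(f->bb) = 2^8, worst case */
/* Constructed value standing in for the avx2 alignment padding. */
#define ALIGN_HEADROOM  31

/* Product of the bounded factors; this part cannot overflow a size_t. */
size_t lt_base(void)
{
	return (size_t)FIELD_LEN_MAX * GROUPS_PER_BYTE * BUCKETS *
	       sizeof(unsigned long);
}

/* Unchecked arithmetic: a large bucket size wraps around and yields a
 * small result, which an allocator would happily satisfy. */
size_t lt_size_unchecked(size_t bsize)
{
	return lt_base() * bsize + ALIGN_HEADROOM;
}

/* Checked arithmetic: returns 0 and fills *out, or -1 on overflow. */
int lt_size_checked(size_t bsize, size_t *out)
{
	size_t size;

	if (__builtin_mul_overflow(lt_base(), bsize, &size))
		return -1;
	if (__builtin_add_overflow(size, (size_t)ALIGN_HEADROOM, &size))
		return -1;
	*out = size;
	return 0;
}

/* Smallest bucket size for which the multiplication no longer fits. */
size_t first_overflowing_bsize(void)
{
	return SIZE_MAX / lt_base() + 1;
}

int main(void)
{
	size_t bsize = first_overflowing_bsize();
	size_t size = 0;

	printf("base=%zu bsize=%zu\n", lt_base(), bsize);
	printf("unchecked size: %zu bytes\n", lt_size_unchecked(bsize));
	printf("checked: %s\n",
	       lt_size_checked(bsize, &size) ? "rejected" : "accepted");
	return 0;
}
```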
commit 86814d8 upstream. Replace setsockopt() calls with calls to functions that follow setsockopt() with getsockopt() and check that the returned value and its size are the same as have been set. (Except in vsock_perf.) Signed-off-by: Konstantin Shkolnyy <kshk@linux.ibm.com> Reviewed-by: Stefano Garzarella <sgarzare@redhat.com> Signed-off-by: Paolo Abeni <pabeni@redhat.com> [Stefano: patch needed to avoid vsock test build failure reported by Johan Korsnes after backporting commit 0a98de8 ("vsock/test: fix seqpacket message bounds test") in 6.6-stable tree. Several tests are missing here compared to upstream, so this version has been adapted by removing some hunks.] Signed-off-by: Stefano Garzarella <sgarzare@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 665e5706007338188db8bf833616f973d7a1e7d2) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 7446284 upstream. driver support indirect read and indirect write operation with assumption no force device removal(unbind) operation. However force device removal(removal) is still available to root superuser. Unbinding driver during operation causes kernel crash. This changes ensure driver able to handle such operation for indirect read and indirect write by implementing refcount to track attached devices to the controller and gracefully wait and until attached devices remove operation completed before proceed with removal operation. Signed-off-by: Khairul Anuar Romli <khairul.anuar.romli@altera.com> Reviewed-by: Matthew Gerlach <matthew.gerlach@altera.com> Reviewed-by: Niravkumar L Rabara <nirav.rabara@altera.com> Link: https://patch.msgid.link/8704fd6bd2ff4d37bba4a0eacf5eba3ba001079e.1756168074.git.khairul.anuar.romli@altera.com Signed-off-by: Mark Brown <broonie@kernel.org> [Add cqspi defination in cqspi_exec_mem_op and minor context change fixed.] Signed-off-by: Robert Garcia <rob_garcia@163.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 8df235f768cea7a5829cb02525622646eb0df5f5) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 29f4801 upstream. This validates the previous commit: the userspace can set unknown flags -- the 7th bit is currently unused -- without errors, but only the supported ones are printed in the endpoints dumps. The 'Fixes' tag here below is the same as the one from the previous commit: this patch here is not fixing anything wrong in the selftests, but it validates the previous fix for an issue introduced by this commit ID. Fixes: 01cacb0 ("mptcp: add netlink-based PM") Cc: stable@vger.kernel.org Reviewed-by: Mat Martineau <martineau@kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org> Link: https://patch.msgid.link/20251205-net-mptcp-misc-fixes-6-19-rc1-v1-2-9e4781a6c1b8@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org> [ Conflicts in pm_netlink.sh, because some refactoring have been done later on: commit 0d16ed0 ("selftests: mptcp: add {get,format}_endpoint(s) helpers") and commit c99d57d ("selftests: mptcp: use pm_nl endpoint ops") are not in this version. The same operation can still be done at the same place, without using the new helpers. ] Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 2b890bc3a5774018ca8307baeba1b69e10e4e938) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit e2a9eeb upstream. syzbot and Eulgyu Kim reported crashes in mptcp_pm_nl_get_local_id() and/or mptcp_pm_nl_is_backup() Root cause is list_splice_init() in mptcp_pm_nl_flush_addrs_doit() which is not RCU ready. list_splice_init_rcu() can not be called here while holding pernet->lock spinlock. Many thanks to Eulgyu Kim for providing a repro and testing our patches. Fixes: 141694d ("mptcp: remove address when netlink flushes addrs") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot+5498a510ff9de39d37da@syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/6970a46d.a00a0220.3ad28e.5cf0.GAE@google.com/T/ Reported-by: Eulgyu Kim <eulgyukim@snu.ac.kr> Closes: multipath-tcp/mptcp_net-next#611 Reviewed-by: Mat Martineau <martineau@kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org> Link: https://patch.msgid.link/20260124-net-mptcp-race_nl_flush_addrs-v3-1-b2dc1b613e9d@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org> [ Conflicts because the code has been moved from pm_netlink.c to pm_kernel.c later on in commit 8617e85 ("mptcp: pm: split in-kernel PM specific code"). The same modifications can be applied in pm_netlink.c with one exception, because 'pernet->local_addr_list' has been renamed to 'pernet->endp_list' in commit 35e71e4 ("mptcp: pm: in-kernel: rename 'local_addr_list' to 'endp_list'"). The previous name is then still being used in this version. Also, another conflict is caused by commit 7bcf4d8 ("mptcp: pm: rename helpers linked to 'flush'") which is not in this version: mptcp_nl_remove_addrs_list() has been renamed to mptcp_nl_flush_addrs_list(). The previous name has then been kept. ] Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 455e882192c9833f176f3fbbbb2f036b6c5bf555) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 730e5eb upstream. Commit 11a78b7 ("ARM: OMAP: MPUIO wake updates") registers the omap_mpuio_driver from omap_mpuio_init(), which is called from omap_gpio_probe(). However, it neither makes sense to register drivers from probe() callbacks of other drivers, nor does the driver core allow registering drivers with a device lock already being held. The latter was revealed by commit dc23806 ("driver core: enforce device_lock for driver_match_device()") leading to a potential deadlock condition described in [1]. Additionally, the omap_mpuio_driver is never unregistered from the driver core, even if the module is unloaded. Hence, register the omap_mpuio_driver from the module initcall and unregister it in module_exit(). Link: https://lore.kernel.org/lkml/DFU7CEPUSG9A.1KKGVW4HIPMSH@kernel.org/ [1] Fixes: dc23806 ("driver core: enforce device_lock for driver_match_device()") Fixes: 11a78b7 ("ARM: OMAP: MPUIO wake updates") Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Danilo Krummrich <dakr@kernel.org> Reviewed-by: Rafael J. Wysocki (Intel) <rafael@kernel.org> Link: https://patch.msgid.link/20260127201725.35883-1-dakr@kernel.org Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 1c04c3a4de8d4bcb9202f94c44f26c57c2572308) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
Link: https://lore.kernel.org/r/20260213134703.882698935@linuxfoundation.org Tested-by: Florian Fainelli <florian.fainelli@broadcom.com> Tested-by: Jon Hunter <jonathanh@nvidia.com> Tested-by: Peter Schneider <pschneider1968@googlemail.com> Tested-by: Ron Economos <re@w6rz.net> Tested-by: Brett A C Sheffield <bacs@librecast.net> Tested-by: Miguel Ojeda <ojeda@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit ae462074fde3b50e1f077aafcac6c28b1700ae54) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
Reviewer's Guide
Rebases the Deepin 6.6.y kernel to upstream 6.6.125 and pulls in the corresponding upstream fixes across storage (qla2xxx, NILFS2), networking (netfilter/nftables, MPTCP, vsock tests, rtw88, SFP, Bluetooth), crypto (virtio, omap, octeontx), SMB (client and ksmbd), GPIO/driver core, SPI cadence-quadspi, and NFSD proc stats.
Sequence diagram for SPI cadence-quadspi refcounted memory operations and remove
sequenceDiagram
actor user
participant cqspi_probe
participant cqspi_st
participant cqspi_exec_mem_op
participant cqspi_indirect_read_execute
participant cqspi_indirect_write_execute
participant cqspi_remove
user ->> cqspi_probe: probe()
cqspi_probe ->> cqspi_st: refcount_set(refcount, 1)
cqspi_probe ->> cqspi_st: refcount_set(inflight_ops, 1)
user ->> cqspi_exec_mem_op: exec_mem_op(mem, op)
cqspi_exec_mem_op ->> cqspi_st: refcount_read(inflight_ops)
cqspi_exec_mem_op ->> cqspi_st: refcount_read(refcount)
alt refcount == 0
cqspi_exec_mem_op -->> user: return -EBUSY
else refcount > 0
cqspi_exec_mem_op ->> cqspi_st: refcount_inc(inflight_ops)
cqspi_exec_mem_op ->> cqspi_st: refcount_read(refcount)
alt refcount dropped to 0
cqspi_exec_mem_op ->> cqspi_st: refcount_dec(inflight_ops)
cqspi_exec_mem_op -->> user: return -EBUSY
else refcount still > 0
alt read operation
cqspi_exec_mem_op ->> cqspi_indirect_read_execute: cqspi_indirect_read_execute()
cqspi_indirect_read_execute ->> cqspi_st: refcount_read(refcount)
alt refcount == 0
cqspi_indirect_read_execute -->> cqspi_exec_mem_op: -ENODEV
else
cqspi_indirect_read_execute -->> cqspi_exec_mem_op: ret
end
else write operation
cqspi_exec_mem_op ->> cqspi_indirect_write_execute: cqspi_indirect_write_execute()
cqspi_indirect_write_execute ->> cqspi_st: refcount_read(refcount)
alt refcount == 0
cqspi_indirect_write_execute -->> cqspi_exec_mem_op: -ENODEV
else
cqspi_indirect_write_execute -->> cqspi_exec_mem_op: ret
end
end
cqspi_exec_mem_op ->> cqspi_st: refcount_read(inflight_ops)
alt inflight_ops > 1
cqspi_exec_mem_op ->> cqspi_st: refcount_dec(inflight_ops)
end
cqspi_exec_mem_op -->> user: return ret
end
end
user ->> cqspi_remove: remove(pdev)
cqspi_remove ->> cqspi_st: refcount_set(refcount, 0)
cqspi_remove ->> cqspi_st: refcount_dec_and_test(inflight_ops)
alt inflight_ops == 0
cqspi_remove ->> cqspi_remove: skip cqspi_wait_idle()
else inflight_ops > 0
cqspi_remove ->> cqspi_st: cqspi_wait_idle(cqspi)
end
cqspi_remove -->> user: unregister and disable controller
Class diagram for cadence-quadspi driver refcounting and related operations
classDiagram
class cqspi_st {
bool apb_ahb_hazard
bool is_jh7110
refcount_t refcount
refcount_t inflight_ops
}
class cqspi_driver_platdata {
<<struct>>
}
class spi_mem {
<<struct>>
}
class cqspi_driver {
<<module>>
+int cqspi_probe(platform_device *pdev)
+void cqspi_remove(platform_device *pdev)
+int cqspi_exec_mem_op(spi_mem *mem, spi_mem_op const *op)
+int cqspi_mem_process(spi_mem *mem, spi_mem_op const *op)
+int cqspi_indirect_read_execute(cqspi_flash_pdata *f_pdata, u8 *rxbuf, u32 from_addr, size_t n_rx)
+int cqspi_indirect_write_execute(cqspi_flash_pdata *f_pdata, const u8 *txbuf, u32 to_addr, size_t n_tx)
}
cqspi_driver *-- cqspi_st : owns
cqspi_driver_platdata --> cqspi_st : configures
cqspi_driver --> spi_mem : executes_ops_on
cqspi_exec_mem_op ..> cqspi_indirect_read_execute : may_call
cqspi_exec_mem_op ..> cqspi_indirect_write_execute : may_call
cqspi_probe ..> cqspi_st : refcount_set(refcount,1)\nrefcount_set(inflight_ops,1)
cqspi_remove ..> cqspi_st : refcount_set(refcount,0)\nrefcount_dec_and_test(inflight_ops)
[APPROVALNOTIFIER] This PR is NOT APPROVED
This reverts commit adc1796eced46b48e23ec200a219d635f33a38ee which is commit dc23806 upstream. It causes boot regressions on some systems as all of the "fixes" for drivers are not properly backported yet. Once that is completed, only then can this be applied, if really necessary given the potential for explosions, perhaps we might want to wait a few -rc releases first... Cc: Danilo Krummrich <dakr@kernel.org> Cc: Rafael J. Wysocki (Intel) <rafael@kernel.org> Cc: Danilo Krummrich <dakr@kernel.org> Cc: Gui-Dong Han <hanguidong02@gmail.com> Cc: Qiu-ji Chen <chenqiuji666@gmail.com> Reported-by: Mark Brown <broonie@kernel.org> Link: https://lore.kernel.org/r/7dfd0e63-a725-4fac-b2a0-f2e621d99d1b@sirena.org.uk Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 673dafb9a86349a12a93151fd467625614dc7e12) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 56865d9b7074c08d8191bc721b1e46baa650d9cd) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
Pull request overview
This pull request updates the Linux kernel from version 6.6.124 to 6.6.126, incorporating upstream stable fixes from the 6.6.125 and 6.6.126 releases. The update includes 26 commits addressing various bug fixes, security improvements, and driver enhancements across multiple subsystems including networking (MPTCP, netfilter), filesystems (SMB, NFSD, NILFS2), drivers (SCSI, SPI, GPIO, crypto, wireless, Bluetooth), and testing infrastructure (vsock, MPTCP selftests).
Changes:
- Integrated upstream stable fixes for kernel 6.6.125 and 6.6.126
- Fixed race conditions and memory accounting issues in netfilter subsystem with GFP_KERNEL_ACCOUNT and overflow checking
- Improved error handling in SMB server, NFSD, and SCSI qla2xxx driver
- Enhanced test coverage with vsock socket option verification helpers and MPTCP unknown flag handling
- Added hardware support for new Bluetooth devices and fixed various driver bugs
Reviewed changes
Copilot reviewed 35 out of 35 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| Makefile | Version bump from 6.6.124 to 6.6.126 |
| tools/testing/vsock/util.c | Added socket option verification helpers with get-after-set validation |
| tools/testing/vsock/util.h | Declared new helper function prototypes |
| tools/testing/vsock/vsock_test.c | Refactored to use new setsockopt helper functions |
| tools/testing/vsock/control.c | Updated to use setsockopt_int_check helper |
| tools/testing/selftests/net/mptcp/pm_nl_ctl.c | Added support for unknown address flags in testing |
| tools/testing/selftests/net/mptcp/pm_netlink.sh | Added test case for unknown flag handling |
| net/mptcp/pm_netlink.c | Fixed race condition in address flush operation using proper list detachment |
| net/netfilter/nft_tunnel.c | Changed to GFP_KERNEL_ACCOUNT for memcg accounting |
| net/netfilter/nft_set_pipapo.c | Added overflow checking for lookup table allocation and GFP_KERNEL_ACCOUNT |
| net/netfilter/nft_numgen.c | Changed to GFP_KERNEL_ACCOUNT |
| net/netfilter/nft_meta.c | Changed to GFP_KERNEL_ACCOUNT |
| net/netfilter/nft_log.c | Changed to GFP_KERNEL_ACCOUNT |
| net/netfilter/nft_compat.c | Changed to GFP_KERNEL_ACCOUNT |
| net/netfilter/nf_tables_api.c | Changed to GFP_KERNEL_ACCOUNT |
| fs/smb/server/transport_tcp.c | Fixed connection leak by using proper disconnect function |
| fs/smb/server/server.c | Changed error handling to abort instead of continue on auth/validation failures |
| fs/smb/client/cached_dir.h | Split bitfields to separate booleans to avoid RMW races |
| fs/nilfs2/sufile.c | Added early exit to prevent block overflow in trim operation |
| fs/nfsd/stats.h | Changed nfsd_proc_stat_init to return proc_dir_entry pointer |
| fs/nfsd/stats.c | Updated to return svc_proc_register result |
| fs/nfsd/nfsctl.c | Added error checking for proc stat initialization |
| drivers/spi/spi-cadence-quadspi.c | Implemented refcount mechanism to handle unbind during operations |
| drivers/scsi/qla2xxx/qla_os.c | Added fabric scan flag check to module unload wait condition |
| drivers/scsi/qla2xxx/qla_isr.c | Enhanced port logout event handling with additional state checks |
| drivers/scsi/qla2xxx/qla_init.c | Modified PLOGI handling to query FW state and removed FCP2 special case |
| drivers/scsi/qla2xxx/qla_gs.c | Fixed fabric scan error path to free sp when already scanning |
| drivers/net/wireless/realtek/rtw88/main.c | Fixed alignment fault by using write8 instead of write32 for register access |
| drivers/net/phy/sfp.c | Added missing interface mode setting for Ubiquiti quirk |
| drivers/gpio/gpio-omap.c | Fixed driver registration order to prevent probe-time registration |
| drivers/crypto/virtio/virtio_crypto_skcipher_algs.c | Removed duplicate virtqueue_kick call |
| drivers/crypto/virtio/virtio_crypto_core.c | Added spinlock protection for virtqueue completion handling |
| drivers/crypto/omap-crypto.c | Fixed scatterlist allocation to use correct sizeof operand |
| drivers/crypto/marvell/octeontx/otx_cptpf_ucode.c | Fixed buffer length check to use count instead of strlen |
| drivers/bluetooth/btusb.c | Added USB device ID for Edimax EW-7611UXB adapter |
| fail: | ||
| fprintf(stderr, "%s val %llu\n", errmsg, val); | ||
| exit(EXIT_FAILURE); | ||
| ; |
There is an extraneous semicolon after the closing brace. This creates an empty statement and should be removed.
| if (atomic_read(&fcport->state) != FCS_ONLINE) { | ||
| ql_dbg(ql_dbg_async, vha, 0x5012, | ||
| "Port state is not online State:0x%x \n", |
Missing space before the newline escape character. The comment should have a space between "State:0x%x" and "\n" for consistency with standard formatting.
| "Port state is not online State:0x%x \n", | ||
| atomic_read(&fcport->state)); | ||
| ql_dbg(ql_dbg_async, vha, 0x5012, | ||
| "Scheduling session for deletion \n"); |
Missing space before the newline escape character. The comment should have a space between "deletion" and "\n" for consistency with standard formatting.
| "Scheduling session for deletion \n"); | |
| "Scheduling session for deletion\n"); |
| if (refcount_read(&cqspi->inflight_ops) > 1) | ||
| refcount_dec(&cqspi->inflight_ops); |
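Review bot: the refcount_read(&cqspi->inflight_ops) > 1 test and the refcount_dec() on the next line are two separate operations, so the guard only holds if nothing else changes inflight_ops between them. If cqspi_remove() performs its refcount_dec_and_test(&cqspi->inflight_ops) in that window, the value read here as 2 is already 1 when the decrement runs, and the decrement takes the counter to zero, which refcount_dec() reports as a warning. Consider doing the guarded decrement in one atomic step, for example with refcount_dec_not_one(&cqspi->inflight_ops), or add a comment naming what serialises this path against remove.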
The refcount_dec operation should be unconditional, not conditional on refcount > 1. Since refcount_inc was called unconditionally at line 1431, the decrement should also be unconditional. The current logic could cause the inflight_ops counter to become unbalanced, leading to resource leaks or preventing future operations. The check at line 1443 should be removed, and refcount_dec should always be called to match the increment.
| if (refcount_read(&cqspi->inflight_ops) > 1) | |
| refcount_dec(&cqspi->inflight_ops); | |
| refcount_dec(&cqspi->inflight_ops); |
refcount_set(&cqspi->inflight_ops, 1); will be run in cqspi_probe, so we need to keep it.
| refcount_set(&cqspi->refcount, 0); | ||
|
|
||
| if (!refcount_dec_and_test(&cqspi->inflight_ops)) |
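Review bot: the negated test on refcount_dec_and_test(&cqspi->inflight_ops) is only correct because inflight_ops carries a base count of 1 set in cqspi_probe, and nothing at this site says so. Add a comment above the if stating that reaching zero here means no operation held a count, so the wait is skipped, and that a non-zero result means an operation is still in flight and the remove path must wait for it. Without that comment the condition reads as inverted.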
The refcount_dec_and_test logic appears inverted. Since inflight_ops is initialized to 1 and decremented here, the function should wait for idle when the test returns true (i.e., when the counter reaches 0), not when it returns false. The current logic will wait when there are still operations in flight but not wait when the counter has reached zero, which is backwards.
| if (!refcount_dec_and_test(&cqspi->inflight_ops)) | |
| if (refcount_dec_and_test(&cqspi->inflight_ops)) |
refcount_set(&cqspi->inflight_ops, 1); will be run in cqspi_probe, and if not wait "when the counter has reached zero" is not probed, so not need to cqspi_wait_idle
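A single-threaded userspace model of the counting scheme shown in the sequence diagram and discussed in the review thread above, added here as an example and not the driver's code. struct cqspi_model and the model_* and scenario_* functions are hypothetical names, and plain integers stand in for refcount_t; the model shows which branch cqspi_remove takes when the controller is idle and when an operation is still running.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Plain-integer stand-ins for the two refcount_t fields in the diagram. */
struct cqspi_model {
    unsigned int refcount;     /* 1 while bound, 0 once remove has started */
    unsigned int inflight_ops; /* base count of 1 from probe, +1 per running op */
};

static void model_probe(struct cqspi_model *c)
{
    c->refcount = 1;
    c->inflight_ops = 1;
}

/* Entry half of cqspi_exec_mem_op: 0 if the op may run, -EBUSY if not. */
static int model_op_begin(struct cqspi_model *c)
{
    if (c->refcount == 0)
        return -EBUSY;
    c->inflight_ops++;
    if (c->refcount == 0) {  /* re-check; only reachable with a concurrent remove */
        c->inflight_ops--;
        return -EBUSY;
    }
    return 0;
}

/* Exit half: give the op's count back, but never touch the base count. */
static void model_op_end(struct cqspi_model *c)
{
    if (c->inflight_ops > 1)
        c->inflight_ops--;
}

/* cqspi_remove: true when the !refcount_dec_and_test() branch (wait) is taken. */
static bool model_remove_must_wait(struct cqspi_model *c)
{
    c->refcount = 0;
    c->inflight_ops--;            /* drops the base count set in probe */
    return c->inflight_ops != 0;  /* non-zero: an op still holds a count */
}

static bool scenario_remove_when_idle(void)
{
    struct cqspi_model c;
    model_probe(&c);
    model_op_begin(&c);
    model_op_end(&c);                   /* one op ran to completion */
    return model_remove_must_wait(&c);  /* 1 -> 0: nothing to wait for */
}

static bool scenario_remove_during_op(void)
{
    struct cqspi_model c;
    model_probe(&c);
    model_op_begin(&c);                 /* op still running: count is 2 */
    return model_remove_must_wait(&c);  /* 2 -> 1: must wait for idle */
}

static unsigned int scenario_op_ends_after_remove(void)
{
    struct cqspi_model c;
    model_probe(&c);
    model_op_begin(&c);
    model_remove_must_wait(&c);  /* count is now 1, held by the op */
    model_op_end(&c);            /* guard leaves it at 1 rather than 0 */
    return c.inflight_ops;
}

static int scenario_op_after_remove(void)
{
    struct cqspi_model c;
    model_probe(&c);
    model_remove_must_wait(&c);
    return model_op_begin(&c);   /* refcount is 0: rejected */
}

int main(void)
{
    printf("idle remove waits: %d\n", scenario_remove_when_idle());
    printf("busy remove waits: %d\n", scenario_remove_during_op());
    printf("count after late op end: %u\n", scenario_op_ends_after_remove());
    printf("op after remove: %d\n", scenario_op_after_remove());
    return 0;
}
```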
Update kernel base to 6.6.126.
git log --oneline v6.6.125..v6.6.126
56865d9b7074c (tag: v6.6.126) Linux 6.6.126
673dafb9a8634 Revert "driver core: enforce device_lock for driver_match_device()"
Update kernel base to 6.6.125.
git log --oneline v6.6.124..v6.6.125 |wc
26 239 1954
Anil Gurumurthy (4):
scsi: qla2xxx: Validate sp before freeing associated memory
scsi: qla2xxx: Delay module unload while fabric scan in progress
scsi: qla2xxx: Free sp in error path to fix system crash
scsi: qla2xxx: Query FW again before proceeding with login
Bibo Mao (2):
crypto: virtio - Add spinlock protection with virtqueue notification
crypto: virtio - Remove duplicated virtqueue_kick in
virtio_crypto_skcipher_crypt_req
Bitterblue Smith (1):
wifi: rtw88: Fix alignment fault in rtw_core_enable_beacon()
Danilo Krummrich (1):
gpio: omap: do not register driver in probe()
Edward Adam Davis (1):
nilfs2: Fix potential block overflow that cause system hang
Eric Dumazet (1):
mptcp: fix race in mptcp_pm_nl_flush_addrs_doit()
Greg Kroah-Hartman (1):
Linux 6.6.125
Gui-Dong Han (1):
driver core: enforce device_lock for driver_match_device()
Henrique Carvalho (2):
smb: client: split cached_fid bitfields to avoid shared-byte RMW races
smb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection()
Jeff Layton (1):
nfsd: don't ignore the return code of svc_proc_register()
Kees Cook (1):
crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly
Khairul Anuar Romli (1):
spi: cadence-quadspi: Implement refcount to handle unbind during busy
Konstantin Shkolnyy (1):
vsock/test: verify socket options after setting them
Marek Behún (1):
net: sfp: Fix quirk for Ubiquiti U-Fiber Instant SFP module
Matthieu Baerts (NGI0) (1):
selftests: mptcp: pm: ensure unknown flags are ignored
Namjae Jeon (1):
ksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in
error paths
Pablo Neira Ayuso (2):
netfilter: nf_tables: missing objects with no memcg accounting
netfilter: nft_set_pipapo: prevent overflow in lookup table allocation
Shreyas Deodhar (1):
scsi: qla2xxx: Allow recovery for tape devices
Thorsten Blum (1):
crypto: octeontx - Fix length check to avoid truncation in
ucode_load_store
Zenm Chen (1):
Bluetooth: btusb: Add USB ID 7392:e611 for Edimax EW-7611UXB
Makefile | 2 +-
drivers/base/base.h | 9 ++
drivers/base/bus.c | 2 +-
drivers/base/dd.c | 2 +-
drivers/bluetooth/btusb.c | 2 +
.../crypto/marvell/octeontx/otx_cptpf_ucode.c | 2 +-
drivers/crypto/omap-crypto.c | 2 +-
drivers/crypto/virtio/virtio_crypto_core.c | 5 +
.../virtio/virtio_crypto_skcipher_algs.c | 2 -
drivers/gpio/gpio-omap.c | 22 ++-
drivers/net/phy/sfp.c | 2 +
drivers/net/wireless/realtek/rtw88/main.c | 4 +-
drivers/scsi/qla2xxx/qla_gs.c | 41 +++--
drivers/scsi/qla2xxx/qla_init.c | 28 ++--
drivers/scsi/qla2xxx/qla_isr.c | 19 ++-
drivers/scsi/qla2xxx/qla_os.c | 3 +-
drivers/spi/spi-cadence-quadspi.c | 34 +++++
fs/nfsd/nfsctl.c | 9 +-
fs/nfsd/stats.c | 4 +-
fs/nfsd/stats.h | 2 +-
fs/nilfs2/sufile.c | 4 +
fs/smb/client/cached_dir.h | 8 +-
fs/smb/server/server.c | 6 +-
fs/smb/server/transport_tcp.c | 3 +-
net/mptcp/pm_netlink.c | 16 +-
net/netfilter/nf_tables_api.c | 2 +-
net/netfilter/nft_compat.c | 6 +-
net/netfilter/nft_log.c | 2 +-
net/netfilter/nft_meta.c | 2 +-
net/netfilter/nft_numgen.c | 2 +-
net/netfilter/nft_set_pipapo.c | 64 +++++---
net/netfilter/nft_tunnel.c | 5 +-
.../testing/selftests/net/mptcp/pm_netlink.sh | 4 +
tools/testing/selftests/net/mptcp/pm_nl_ctl.c | 11 ++
tools/testing/vsock/control.c | 9 +-
tools/testing/vsock/util.c | 143 ++++++++++++++++++
tools/testing/vsock/util.h | 7 +
tools/testing/vsock/vsock_test.c | 29 ++--
38 files changed, 405 insertions(+), 114 deletions(-)
Summary by Sourcery
Update to Linux 6.6.125 and integrate upstream fixes across networking, storage, filesystems, driver core, and test utilities.
Bug Fixes:
Enhancements: