
[Deepin-Kernel-SIG] [linux 6.6-y] [Upstream] Update kernel base to 6.6.127 #1511

Merged
opsiff merged 39 commits into deepin-community:linux-6.6.y from opsiff:linux-stable-update-6.6.127
Feb 27, 2026

@opsiff opsiff commented Feb 27, 2026

Update kernel base to 6.6.127.

git log --oneline v6.6.126..v6.6.127 | wc
40 348 2850

Merged:
LoongArch: Add writecombine support for DMW-based ioremap()

Alban Bedel (1):
gpiolib: acpi: Fix gpio count with string references

Anatolii Shirykalov (1):
ASoC: amd: yc: Add ASUS ExpertBook PM1503CDA to quirks list

Anil Gurumurthy (1):
scsi: qla2xxx: Fix bsg_done() causing double free

Brahmajit Das (1):
drm/tegra: hdmi: sor: Fix error: variable ‘j’ set but not used

Chao Yu (2):
f2fs: fix to avoid UAF in f2fs_write_end_io()
f2fs: fix to avoid mapping wrong physical block for swapfile

Charles Keepax (1):
ASoC: cs42l43: Correct handling of 3-pole jack load detection

Chelsy Ratnawat (1):
bus: fsl-mc: Replace snprintf and sprintf with sysfs_emit in sysfs
show functions

Chen Ridong (1):
cpuset: Fix missing adaptation for cpuset_is_populated

Christophe JAILLET (1):
PCI: endpoint: Remove unused field in struct pci_epf_group

Daniel Borkmann (1):
Revert "wireguard: device: enable threaded NAPI"

David Hildenbrand (Red Hat) (3):
mm/hugetlb: fix hugetlb_pmd_shared()
mm/hugetlb: fix two comments related to huge_pmd_unshare()
mm/hugetlb: fix excessive IPI broadcasts when unsharing PMD tables
using mmu_gather

Deepanshu Kartikey (1):
romfs: check sb_set_blocksize() return value

Dirk Su (1):
ASoC: amd: yc: Add quirk for HP 200 G2a 16

Fabio Porcedda (1):
USB: serial: option: add Telit FN920C04 RNDIS compositions

Greg Kroah-Hartman (2):
fbdev: smscufx: properly copy ioctl memory to kernelspace
Linux 6.6.127

Guangshuo Li (1):
fbdev: rivafb: fix divide error in nv3_arb()

Gui-Dong Han (1):
bus: fsl-mc: fix use-after-free in driver_override_show()

Jane Chu (1):
mm/hugetlb: fix copy_hugetlb_page_range() to use ->pt_share_count

Kanglong Wang (1):
LoongArch: Add WriteCombine shadow mapping in KASAN

Liu Song (1):
PCI: endpoint: Avoid creating sub-groups asynchronously

Menglong Dong (1):
net: tunnel: make skb_vlan_inet_prepare() return drop reasons

Rafael J. Wysocki (2):
platform/x86: classmate-laptop: Add missing NULL pointer checks
platform/x86: panasonic-laptop: Fix sysfs group leak in error path

Ricardo Rivera-Matos (1):
ASoC: cs35l45: Corrects ASP_TX5 DAPM widget channel

Tagir Garaev (1):
ASoC: Intel: sof_es8336: Add DMI quirk for Huawei BOD-WXX9

Tiezhu Yang (1):
LoongArch: Rework KASAN initialization for PTW-enabled systems

Tim Guttzeit (1):
ALSA: hda/realtek: Fix headset mic for TongFang X6AR55xU

Wenjie Qi (1):
f2fs: fix zoned block device information initialization

Xuewen Yan (1):
gpio: sprd: Change sprd_gpio lock to raw_spin_lock

Yongpeng Yang (2):
f2fs: fix out-of-bounds access in sysfs attribute read/write
f2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by
concurrent atomic commit and checkpoint writes

Zhang Heng (1):
ALSA: hda/realtek: Add quirk for Inspur S14-G1

Zhiguo Niu (1):
f2fs: fix to add gc count stat in f2fs_gc_range

Ziyi Guo (1):
ASoC: fsl_xcvr: fix missing lock in fsl_xcvr_mode_put()

gongqi (1):
platform/x86/amd/pmc: Add quirk for MECHREVO Wujie 15X Pro

Makefile | 2 +-
arch/loongarch/include/asm/kasan.h | 11 +-
arch/loongarch/mm/kasan_init.c | 76 ++++++-----
drivers/bus/fsl-mc/fsl-mc-bus.c | 10 +-
drivers/gpio/gpio-sprd.c | 8 +-
drivers/gpio/gpiolib-acpi.c | 1 +
drivers/gpu/drm/tegra/hdmi.c | 4 +-
drivers/gpu/drm/tegra/sor.c | 4 +-
drivers/net/bareudp.c | 4 +-
drivers/net/geneve.c | 4 +-
drivers/net/wireguard/device.c | 1 -
drivers/pci/endpoint/pci-ep-cfs.c | 16 +--
drivers/platform/x86/amd/pmc/pmc-quirks.c | 7 ++
drivers/platform/x86/classmate-laptop.c | 32 +++++
drivers/platform/x86/panasonic-laptop.c | 4 +-
drivers/scsi/qla2xxx/qla_bsg.c | 28 +++--
drivers/usb/serial/option.c | 6 +
drivers/video/fbdev/riva/riva_hw.c | 3 +
drivers/video/fbdev/smscufx.c | 8 +-
fs/f2fs/data.c | 26 ++--
fs/f2fs/f2fs.h | 1 +
fs/f2fs/gc.c | 1 +
fs/f2fs/node.c | 14 ++-
fs/f2fs/super.c | 27 ++++
fs/f2fs/sysfs.c | 60 +++++++--
fs/romfs/super.c | 5 +-
include/asm-generic/tlb.h | 77 +++++++++++-
include/linux/hugetlb.h | 17 ++-
include/linux/mm_types.h | 6 +
include/net/ip_tunnels.h | 13 +-
kernel/cgroup/cpuset.c | 2 +-
mm/hugetlb.c | 146 ++++++++++++----------
mm/mmu_gather.c | 33 +++++
mm/rmap.c | 25 ++--
sound/pci/hda/patch_realtek.c | 5 +
sound/soc/amd/yc/acp6x-mach.c | 14 +++
sound/soc/codecs/cs35l45.c | 2 +-
sound/soc/codecs/cs42l43-jack.c | 37 +++++-
sound/soc/fsl/fsl_xcvr.c | 3 +
sound/soc/intel/boards/sof_es8336.c | 9 ++
40 files changed, 554 insertions(+), 198 deletions(-)

Summary by Sourcery

Update to Linux 6.6.127 and pull in upstream fixes across memory management, filesystems, device drivers, and platform quirks.

New Features:

  • Add LoongArch write-combine (WC) DMW shadow mapping support in KASAN to cover WC segments.
  • Expose and track the maximum number of open zones for zoned block devices in F2FS and use it to validate mount/remount options.

Bug Fixes:

  • Prevent incorrect handling of shared hugetlb PMD tables and reduce unnecessary IPIs/TLB flushes during unshare, unmap, migration, and protection changes.
  • Fix KASAN shadow mapping on LoongArch, including support for write-combine segments and correct early/late shadow handling.
  • Resolve multiple F2FS issues including zoned block device max open zone validation, swapfile block mapping alignment, writeback completion ordering, sysfs attribute type safety, and GC statistics accounting.
  • Avoid double completion and potential double free in qla2xxx BSG paths by only calling bsg_job_done() on success.
  • Fix classmate-laptop and Panasonic laptop platform drivers by adding missing NULL checks and cleaning up sysfs groups on error paths.
  • Prevent GPIO race conditions by switching sprd GPIO locking to raw spinlocks and correctly counting ACPI GPIOs with string references.
  • Fix various fbdev drivers by avoiding divide-by-zero in Riva hardware arbitration and copying ioctl damage areas from userspace in smscufx.
  • Correct WireGuard, BareUDP, and Geneve networking paths to use the new skb_vlan_inet_prepare() drop-reason API and return appropriate errors.
  • Ensure ROMFS superblock initialization checks sb_set_blocksize() return value and fails cleanly on error.
  • Protect fsl-mc driver_override sysfs access with device locking to avoid use-after-free and use sysfs_emit for sysfs output.
  • Fix fsl_xcvr control updates by taking the controls_rwsem while enabling or disabling related controls.

Enhancements:

  • Extend mmu_gather and hugetlb infrastructure with VMA-scoped gather helpers and tracking of unshared page tables to centralize TLB and GUP-fast synchronization.
  • Improve cs42l43 and cs35l45 codec handling by distinguishing 3-pole vs 4-pole jack load detection, refining impedance thresholds, and correcting ASP_TX5 channel mapping.
  • Add new DMI/USB quirks for AMD/Intel audio (ACPI yc boards and sof_es8336), Realtek HDA codecs, AMD PMC, and new Telit FN920C04/FN20C04 RNDIS compositions.
  • Refine F2FS atomic fsync behavior to mark dentries for inodes during atomic writes and avoid redundant marking in non-atomic paths.

Build:

  • Bump kernel sublevel from 6.6.126 to 6.6.127.

Anil Gurumurthy and others added 30 commits February 27, 2026 09:56

commit c2c6822 upstream.

Kernel panic observed on system,

[5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000
[5353358.825194] #PF: supervisor write access in kernel mode
[5353358.825195] #PF: error_code(0x0002) - not-present page
[5353358.825196] PGD 100006067 P4D 0
[5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI
[5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G        W    L    -------  ---  5.14.0-503.34.1.el9_5.x86_64 #1
[5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025
[5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10
[5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246
[5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000
[5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000
[5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000
[5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090
[5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000
[5353358.825218] FS:  00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000
[5353358.825219] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0
[5353358.825221] PKRU: 55555554
[5353358.825222] Call Trace:
[5353358.825223]  <TASK>
[5353358.825224]  ? show_trace_log_lvl+0x1c4/0x2df
[5353358.825229]  ? show_trace_log_lvl+0x1c4/0x2df
[5353358.825232]  ? sg_copy_buffer+0xc8/0x110
[5353358.825236]  ? __die_body.cold+0x8/0xd
[5353358.825238]  ? page_fault_oops+0x134/0x170
[5353358.825242]  ? kernelmode_fixup_or_oops+0x84/0x110
[5353358.825244]  ? exc_page_fault+0xa8/0x150
[5353358.825247]  ? asm_exc_page_fault+0x22/0x30
[5353358.825252]  ? memcpy_erms+0x6/0x10
[5353358.825253]  sg_copy_buffer+0xc8/0x110
[5353358.825259]  qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx]
[5353358.825317]  qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx]

Most routines in qla_bsg.c call bsg_done() only for success cases.
However a few invoke it for failure case as well leading to a double
free. Validate before calling bsg_done().

Cc: stable@vger.kernel.org
Signed-off-by: Anil Gurumurthy <agurumurthy@marvell.com>
Signed-off-by: Nilesh Javali <njavali@marvell.com>
Reviewed-by: Himanshu Madhani <hmadhani2024@gmail.com>
Link: https://patch.msgid.link/20251210101604.431868-12-njavali@marvell.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 74e7458537cd9349cf019862e51491f670871707)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
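
A user-space C model of the error-path double completion this commit message describes, added here as an illustration; it is not code from qla_bsg.c. The `model_*` and `handler_*` names, the completion counter, and the assumption that the caller completes the job itself when the handler returns an error are constructed for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for a BSG job; not the kernel's struct bsg_job. */
struct model_job {
    void *reply;        /* buffer released when the job is completed */
    int completions;    /* how many times completion ran */
    int double_free;    /* set when completion runs on an already released job */
};

/* Stand-in for bsg_done(): completing a job releases its resources. */
static void model_bsg_done(struct model_job *job)
{
    job->completions++;
    if (job->reply == NULL) {   /* job was already completed once */
        job->double_free = 1;   /* the real path would free the buffer twice */
        return;
    }
    free(job->reply);
    job->reply = NULL;
}

/* Hardware step of a vendor command; hw_ok == 0 simulates a failure. */
static int model_hw_step(int hw_ok)
{
    return hw_ok ? 0 : -EIO;
}

/* Pattern the commit removes: completion is called on failure as well. */
static int handler_buggy(struct model_job *job, int hw_ok)
{
    int rval = model_hw_step(hw_ok);

    model_bsg_done(job);
    return rval;
}

/* Pattern the commit keeps: validate rval, complete only on success. */
static int handler_fixed(struct model_job *job, int hw_ok)
{
    int rval = model_hw_step(hw_ok);

    if (!rval)
        model_bsg_done(job);
    return rval;
}

/* Assumed caller: on a non-zero return it completes the job with the error. */
static int model_dispatch(int (*handler)(struct model_job *, int),
                          int hw_ok, struct model_job *job)
{
    int ret;

    job->completions = 0;
    job->double_free = 0;
    job->reply = malloc(64);
    if (job->reply == NULL)
        return -ENOMEM;

    ret = handler(job, hw_ok);
    if (ret)
        model_bsg_done(job);    /* error completion owned by the caller */
    return ret;
}

int main(void)
{
    struct model_job job;

    model_dispatch(handler_buggy, 0, &job);
    printf("buggy, failure: completions=%d double_free=%d\n",
           job.completions, job.double_free);
    model_dispatch(handler_fixed, 0, &job);
    printf("fixed, failure: completions=%d double_free=%d\n",
           job.completions, job.double_free);
    return 0;
}
```
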
[ Upstream commit 328e4df ]

In "struct pci_epf_group", the 'type_group' field is unused.

This was added, but already unused, by commit 70b3740 ("PCI: endpoint:
Automatically create a function specific attributes group").

Thus, remove it.

Found with cppcheck, unusedStructMember.

[kwilczynski: commit log]
Link: https://lore.kernel.org/linux-pci/6507d44b6c60a19af35a605e2d58050be8872ab6.1712341008.git.christophe.jaillet@wanadoo.fr
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Stable-dep-of: 7c5c7d0 ("PCI: endpoint: Avoid creating sub-groups asynchronously")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 68c9fdb01af8ac31bc046268235fceb77c6c1ddd)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit 7c5c7d0 ]

The asynchronous creation of sub-groups by a delayed work could lead to a
NULL pointer dereference when the driver directory is removed before the
work completes.

The crash can be easily reproduced with the following commands:

  # cd /sys/kernel/config/pci_ep/functions/pci_epf_test
  # for i in {1..20}; do mkdir test && rmdir test; done

  BUG: kernel NULL pointer dereference, address: 0000000000000088
  ...
  Call Trace:
   configfs_register_group+0x3d/0x190
   pci_epf_cfs_work+0x41/0x110
   process_one_work+0x18f/0x350
   worker_thread+0x25a/0x3a0

Fix this issue by using configfs_add_default_group() API which does not
have the deadlock problem as configfs_register_group() and does not require
the delayed work handler.

Fixes: e85a2d7 ("PCI: endpoint: Add support in configfs to associate two EPCs with EPF")
Signed-off-by: Liu Song <liu.song13@zte.com.cn>
[mani: slightly reworded the description and added stable list]
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Cc: stable@kernel.org
Link: https://patch.msgid.link/20250710143845409gLM6JdlwPhlHG9iX3F6jK@zte.com.cn
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 8cb905eca73944089a0db01443c7628a9e87012d)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

…ow functions

[ Upstream commit a50522c ]

Use sysfs_emit() instead of snprintf()/sprintf()  when writing
to sysfs buffers, as recommended by the kernel documentation.

Signed-off-by: Chelsy Ratnawat <chelsyratnawat2001@gmail.com>
Acked-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Link: https://lore.kernel.org/r/20250822124339.1739290-1-chelsyratnawat2001@gmail.com
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Stable-dep-of: 148891e ("bus: fsl-mc: fix use-after-free in driver_override_show()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 3118a9c6875b8318f35123e7923783a0ab248a3a)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit 148891e ]

The driver_override_show() function reads the driver_override string
without holding the device_lock. However, driver_override_store() uses
driver_set_override(), which modifies and frees the string while holding
the device_lock.

This can result in a concurrent use-after-free if the string is freed
by the store function while being read by the show function.

Fix this by holding the device_lock around the read operation.

Fixes: 1f86a00 ("bus/fsl-mc: add support for 'driver_override' in the mc-bus")
Cc: stable@vger.kernel.org
Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
Reviewed-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Link: https://lore.kernel.org/r/20251202174438.12658-1-hanguidong02@gmail.com
Signed-off-by: Christophe Leroy (CS GROUP) <chleroy@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit b1983840287303e0dfb401b1b6cecc5ea7471e90)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit b48fe9a ]

Add a PCI quirk to enable microphone detection on the headphone jack of
TongFang X6AR55xU devices.

Signed-off-by: Tim Guttzeit <t.guttzeit@tuxedocomputers.com>
Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
Link: https://patch.msgid.link/20260119151626.35481-1-wse@tuxedocomputers.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 2accd79be906f2ea16b2e7205b136296f564a63e)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit 018b211 ]

Add ASUS ExpertBook PM1503CDA to the DMI quirks table to enable
internal DMIC support via the ACP6x machine driver.

Signed-off-by: Anatolii Shirykalov <pipocavsobake@gmail.com>
Link: https://patch.msgid.link/20260119145618.3171435-1-pipocavsobake@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 4cfb1aed47539626e4310652fef8bb13ad4d6154)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit 96313fc ]

There was a lockdep warning in sprd_gpio:

[    6.258269][T329@C6] [ BUG: Invalid wait context ]
[    6.258270][T329@C6] 6.18.0-android17-0-g30527ad7aaae-ab00009-4k #1 Tainted: G        W  OE
[    6.258272][T329@C6] -----------------------------
[    6.258273][T329@C6] modprobe/329 is trying to lock:
[    6.258275][T329@C6] ffffff8081c91690 (&sprd_gpio->lock){....}-{3:3}, at: sprd_gpio_irq_unmask+0x4c/0xa4 [gpio_sprd]
[    6.258282][T329@C6] other info that might help us debug this:
[    6.258283][T329@C6] context-{5:5}
[    6.258285][T329@C6] 3 locks held by modprobe/329:
[    6.258286][T329@C6]  #0: ffffff808baca108 (&dev->mutex){....}-{4:4}, at: __driver_attach+0xc4/0x204
[    6.258295][T329@C6]  #1: ffffff80965e7240 (request_class#4){+.+.}-{4:4}, at: __setup_irq+0x1cc/0x82c
[    6.258304][T329@C6]  #2: ffffff80965e70c8 (lock_class#4){....}-{2:2}, at: __setup_irq+0x21c/0x82c
[    6.258313][T329@C6] stack backtrace:
[    6.258314][T329@C6] CPU: 6 UID: 0 PID: 329 Comm: modprobe Tainted: G        W  OE       6.18.0-android17-0-g30527ad7aaae-ab00009-4k #1 PREEMPT  3ad5b0f45741a16e5838da790706e16ceb6717df
[    6.258316][T329@C6] Tainted: [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
[    6.258317][T329@C6] Hardware name: Unisoc UMS9632-base Board (DT)
[    6.258318][T329@C6] Call trace:
[    6.258318][T329@C6]  show_stack+0x20/0x30 (C)
[    6.258321][T329@C6]  __dump_stack+0x28/0x3c
[    6.258324][T329@C6]  dump_stack_lvl+0xac/0xf0
[    6.258326][T329@C6]  dump_stack+0x18/0x3c
[    6.258329][T329@C6]  __lock_acquire+0x824/0x2c28
[    6.258331][T329@C6]  lock_acquire+0x148/0x2cc
[    6.258333][T329@C6]  _raw_spin_lock_irqsave+0x6c/0xb4
[    6.258334][T329@C6]  sprd_gpio_irq_unmask+0x4c/0xa4 [gpio_sprd 814535e93c6d8e0853c45c02eab0fa88a9da6487]
[    6.258337][T329@C6]  irq_startup+0x238/0x350
[    6.258340][T329@C6]  __setup_irq+0x504/0x82c
[    6.258342][T329@C6]  request_threaded_irq+0x118/0x184
[    6.258344][T329@C6]  devm_request_threaded_irq+0x94/0x120
[    6.258347][T329@C6]  sc8546_init_irq+0x114/0x170 [sc8546_charger 223586ccafc27439f7db4f95b0c8e6e882349a99]
[    6.258352][T329@C6]  sc8546_charger_probe+0x53c/0x5a0 [sc8546_charger 223586ccafc27439f7db4f95b0c8e6e882349a99]
[    6.258358][T329@C6]  i2c_device_probe+0x2c8/0x350
[    6.258361][T329@C6]  really_probe+0x1a8/0x46c
[    6.258363][T329@C6]  __driver_probe_device+0xa4/0x10c
[    6.258366][T329@C6]  driver_probe_device+0x44/0x1b4
[    6.258369][T329@C6]  __driver_attach+0xd0/0x204
[    6.258371][T329@C6]  bus_for_each_dev+0x10c/0x168
[    6.258373][T329@C6]  driver_attach+0x2c/0x3c
[    6.258376][T329@C6]  bus_add_driver+0x154/0x29c
[    6.258378][T329@C6]  driver_register+0x70/0x10c
[    6.258381][T329@C6]  i2c_register_driver+0x48/0xc8
[    6.258384][T329@C6]  init_module+0x28/0xfd8 [sc8546_charger 223586ccafc27439f7db4f95b0c8e6e882349a99]
[    6.258389][T329@C6]  do_one_initcall+0x128/0x42c
[    6.258392][T329@C6]  do_init_module+0x60/0x254
[    6.258395][T329@C6]  load_module+0x1054/0x1220
[    6.258397][T329@C6]  __arm64_sys_finit_module+0x240/0x35c
[    6.258400][T329@C6]  invoke_syscall+0x60/0xec
[    6.258402][T329@C6]  el0_svc_common+0xb0/0xe4
[    6.258405][T329@C6]  do_el0_svc+0x24/0x30
[    6.258407][T329@C6]  el0_svc+0x54/0x1c4
[    6.258409][T329@C6]  el0t_64_sync_handler+0x68/0xdc
[    6.258411][T329@C6]  el0t_64_sync+0x1c4/0x1c8

This is because the spin_lock would change to rt_mutex in PREEMPT_RT,
however the sprd_gpio->lock would be used in hard-irq, which is unsafe.

So change the spin_lock_t to raw_spin_lock_t to use the spinlock
in hard-irq.

Signed-off-by: Xuewen Yan <xuewen.yan@unisoc.com>
Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Link: https://lore.kernel.org/r/20260126094209.9855-1-xuewen.yan@unisoc.com
[Bartosz: tweaked the commit message]
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit b204c5ec24a238f5d06cfa688fb3b80d1afdb91c)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit 9e18920 ]

Inspur S14-G1 is equipped with ALC256.
Enable "power saving mode" and Enable "headset jack mode".

Signed-off-by: Zhang Heng <zhangheng@kylinos.cn>
Link: https://patch.msgid.link/20260126073508.3897461-2-zhangheng@kylinos.cn
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 6834804ad484fabbc6bc994a77110f8d52cfe179)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit 6dd0fdc ]

ASP_TX5 was incorrectly mapped to a channel value of 3; this corrects
the channel value to 4.

Reviewed-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Signed-off-by: Ricardo Rivera-Matos <rriveram@opensource.cirrus.com>
Link: https://patch.msgid.link/20260115192523.1335742-2-rriveram@opensource.cirrus.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 79100c3bc0c4679df3bb63a46e51b5124351a9fd)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit ab7ad7a ]

romfs_fill_super() ignores the return value of sb_set_blocksize(), which
can fail if the requested block size is incompatible with the block
device's configuration.

This can be triggered by setting a loop device's block size larger than
PAGE_SIZE using ioctl(LOOP_SET_BLOCK_SIZE, 32768), then mounting a romfs
filesystem on that device.

When sb_set_blocksize(sb, ROMBSIZE) is called with ROMBSIZE=4096 but the
device has logical_block_size=32768, bdev_validate_blocksize() fails
because the requested size is smaller than the device's logical block
size. sb_set_blocksize() returns 0 (failure), but romfs ignores this and
continues mounting.

The superblock's block size remains at the device's logical block size
(32768). Later, when sb_bread() attempts I/O with this oversized block
size, it triggers a kernel BUG in folio_set_bh():

    kernel BUG at fs/buffer.c:1582!
    BUG_ON(size > PAGE_SIZE);

Fix by checking the return value of sb_set_blocksize() and failing the
mount with -EINVAL if it returns 0.

Reported-by: syzbot+9c4e33e12283d9437c25@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=9c4e33e12283d9437c25
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Link: https://patch.msgid.link/20260113084037.1167887-1-kartikey406@gmail.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit cbd9931e6456822067725354d83446c5bb813030)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
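
The unchecked and checked mount paths from this commit message, modelled in user-space C as an added illustration; this is not the romfs source. The `model_*` types and functions, the `MODEL_BUG` return code, and the assumption that the superblock starts out with the device's logical block size are constructed; the sizes (ROMBSIZE 4096, logical block size 32768) are the ones the message quotes.

```c
#include <errno.h>
#include <stdio.h>

#define PAGE_SIZE 4096u
#define ROMBSIZE  4096u     /* value quoted in the commit message */
#define MODEL_BUG 1         /* constructed: path reached BUG_ON(size > PAGE_SIZE) */

/* Constructed stand-ins; not the kernel's block_device / super_block. */
struct model_bdev { unsigned int logical_block_size; };
struct model_sb   { const struct model_bdev *bdev; unsigned int s_blocksize; };

/* Rule from the commit message: a size below the device's logical
 * block size is rejected. */
static int model_validate_blocksize(const struct model_bdev *bdev,
                                    unsigned int size)
{
    return size < bdev->logical_block_size ? -EINVAL : 0;
}

/* Like sb_set_blocksize(): returns the new size, or 0 on failure,
 * in which case the superblock keeps its previous block size. */
static unsigned int model_sb_set_blocksize(struct model_sb *sb,
                                           unsigned int size)
{
    if (model_validate_blocksize(sb->bdev, size))
        return 0;
    sb->s_blocksize = size;
    return size;
}

/* Like the first sb_bread(): a block larger than a page trips the BUG_ON. */
static int model_sb_bread(const struct model_sb *sb)
{
    return sb->s_blocksize > PAGE_SIZE ? MODEL_BUG : 0;
}

/* Assumed: before fill_super runs, the superblock block size equals
 * the device's logical block size. */
static void model_sb_init(struct model_sb *sb, const struct model_bdev *bdev)
{
    sb->bdev = bdev;
    sb->s_blocksize = bdev->logical_block_size;
}

/* Before the fix: the return value is ignored and the mount continues. */
static int fill_super_unchecked(const struct model_bdev *bdev)
{
    struct model_sb sb;

    model_sb_init(&sb, bdev);
    model_sb_set_blocksize(&sb, ROMBSIZE);
    return model_sb_bread(&sb);
}

/* After the fix: a 0 return fails the mount with -EINVAL before any I/O. */
static int fill_super_checked(const struct model_bdev *bdev)
{
    struct model_sb sb;

    model_sb_init(&sb, bdev);
    if (!model_sb_set_blocksize(&sb, ROMBSIZE))
        return -EINVAL;
    return model_sb_bread(&sb);
}

int main(void)
{
    struct model_bdev loop32k = { 32768 };  /* LOOP_SET_BLOCK_SIZE case */
    struct model_bdev disk512 = { 512 };    /* ordinary device */

    printf("32768: unchecked=%d checked=%d\n",
           fill_super_unchecked(&loop32k), fill_super_checked(&loop32k));
    printf("512:   unchecked=%d checked=%d\n",
           fill_super_unchecked(&disk512), fill_super_checked(&disk512));
    return 0;
}
```
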
[ Upstream commit 1beee8d ]

The variable j is set, however never used in or outside the loop, thus
resulting in dead code.
Building with GCC 16 results in a build error due to
-Werror=unused-but-set-variable= enabled by default.
This patch cleans up the dead code and fixes the build error.

Example build log:
drivers/gpu/drm/tegra/sor.c:1867:19: error: variable ‘j’ set but not used [-Werror=unused-but-set-variable=]
 1867 |         size_t i, j;
      |                   ^

Signed-off-by: Brahmajit Das <listout@listout.xyz>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Link: https://lore.kernel.org/r/20250901212020.3757519-1-listout@listout.xyz
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit e120bae4c56d162f38e23ba67097077bf3e43cdd)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit fe747d7 ]

In a few places in the Classmate laptop driver, code using the accel
object may run before that object's address is stored in the driver
data of the input device using it.

For example, cmpc_accel_sensitivity_store_v4() is the "show" method
of cmpc_accel_sensitivity_attr_v4 which is added in cmpc_accel_add_v4(),
before calling dev_set_drvdata() for inputdev->dev.  If the sysfs
attribute is accessed prematurely, the dev_get_drvdata(&inputdev->dev)
call in cmpc_accel_sensitivity_store_v4() returns NULL which
leads to a NULL pointer dereference going forward.

Moreover, sysfs attributes using the input device are added before
initializing that device by cmpc_add_acpi_notify_device() and if one
of them is accessed before running that function, a NULL pointer
dereference will occur.

For example, cmpc_accel_sensitivity_attr_v4 is added before calling
cmpc_add_acpi_notify_device() and if it is read prematurely, the
dev_get_drvdata(&acpi->dev) call in cmpc_accel_sensitivity_show_v4()
returns NULL which leads to a NULL pointer dereference going forward.

Fix this by adding NULL pointer checks in all of the relevant places.

Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://patch.msgid.link/12825381.O9o76ZdvQC@rafael.j.wysocki
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 9cf4b9b8ad09d6e05307abc4e951cabdff4be652)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit 6b64112 ]

Add DMI entry for Huawei Matebook D (BOD-WXX9) with HEADPHONE_GPIO
and DMIC quirks.

This device has ES8336 codec with:
- GPIO 16 (headphone-enable) for headphone amplifier control
- GPIO 17 (speakers-enable) for speaker amplifier control
- GPIO 269 for jack detection IRQ
- 2-channel DMIC

Hardware investigation shows that both GPIO 16 and 17 are required
for proper audio routing, as headphones and speakers share the same
physical output (HPOL/HPOR) and are separated only via amplifier
enable signals.

RFC: Seeking advice on GPIO control issue:

GPIO values change in driver (gpiod_get_value() shows logical value
changes) but not physically (debugfs gpio shows no change). The same
gpiod_set_value_cansleep() calls work correctly in probe context with
msleep(), but fail when called from DAPM event callbacks.

Context information from diagnostics:
- in_atomic=0, in_interrupt=0, irqs_disabled=0
- Process context: pipewire
- GPIO 17 (speakers): changes in driver, no physical change
- GPIO 16 (headphone): changes in driver, no physical change

In Windows, audio switching works without visible GPIO changes,
suggesting possible ACPI/firmware involvement.

Any suggestions on how to properly control these GPIOs from DAPM
events would be appreciated.

Signed-off-by: Tagir Garaev <tgaraev653@gmail.com>
Link: https://patch.msgid.link/20260201121728.16597-1-tgaraev653@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit d7d7b93aca648d991a8343f42388a910c5c13641)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit 611c7d2 ]

Fix the missing mic on HP 200 G2a 16 by adding quirk with the
board ID 8EE4

Signed-off-by: Dirk Su <dirk.su@canonical.com>
Link: https://patch.msgid.link/20260129065038.39349-1-dirk.su@canonical.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit c3876edb0184338fcfc6c30c92ff286e68b74547)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit 2b4e00d ]

The MECHREVO Wujie 15X Pro suffers from spurious IRQ issues related to
the AMD PMC. Add it to the quirk list to use the spurious_8042 fix.

Signed-off-by: gongqi <550230171hxy@gmail.com>
Link: https://patch.msgid.link/20260122155501.376199-4-550230171hxy@gmail.com
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit e8f5d1306a3a5516fe699039614040c084bd6341)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit 43b0b7e ]

The acpi_pcc_hotkey_add() error path leaks sysfs group pcc_attr_group
if platform_device_register_simple() fails for the "panasonic" platform
device.

Address this by making it call sysfs_remove_group() in that case for
the group in question.

Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://patch.msgid.link/3398370.44csPzL39Z@rafael.j.wysocki
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 329bb274a3a9144d2fe5a16cdc9b3b05000116b3)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit e77a408 ]

The load detection process for 3-pole jacks requires slightly
updated reference values to ensure an accurate result. Update
the code to apply different tunings for the 3-pole and 4-pole
cases. This also updates the thresholds overall so update the
relevant comments to match.

Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Link: https://patch.msgid.link/20260130150927.2964664-1-ckeepax@opensource.cirrus.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit f49d2497da140a4dbb7d6373264553ea04b37691)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit f514248 ]

fsl_xcvr_activate_ctl() has
lockdep_assert_held(&card->snd_card->controls_rwsem),
but fsl_xcvr_mode_put() calls it without acquiring this lock.

Other callers of fsl_xcvr_activate_ctl() in fsl_xcvr_startup() and
fsl_xcvr_shutdown() properly acquire the lock with down_read()/up_read().

Add the missing down_read()/up_read() calls around fsl_xcvr_activate_ctl()
in fsl_xcvr_mode_put() to fix the lockdep assertion and prevent potential
race conditions when multiple userspace threads access the control.

Signed-off-by: Ziyi Guo <n7l8m4@u.northwestern.edu>
Link: https://patch.msgid.link/20260202174112.2018402-1-n7l8m4@u.northwestern.edu
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 61e007657bf7740d54ca2aadce0fb5997839818e)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit c62e065 ]

Since commit 9880702 ("ACPI: property: Support using strings in
reference properties") it is possible to use strings instead of local
references. This works fine with a single GPIO but not with arrays as
acpi_gpio_package_count() didn't handle this case. Update it to handle
strings like local references to cover this case as well.

Signed-off-by: Alban Bedel <alban.bedel@lht.dlh.de>
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Link: https://patch.msgid.link/20260129145944.3372777-1-alban.bedel@lht.dlh.de
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 16f137fb74c178799271cb7c34e2eebe7dc0651f)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

commit 139d42c upstream.

Currently, the kernel cannot boot when ARCH_IOREMAP, ARCH_WRITECOMBINE
and KASAN are enabled together, because DMW2, which is configured as
0xa000000000000000 for WriteCombine, is now used by the kernel, but KASAN
has no segment mapping for it. This patch fixes this issue.

Solution: Add the relevant definitions for WriteCombine (DMW2) in KASAN.

Cc: stable@vger.kernel.org
Fixes: 8e02c3b ("LoongArch: Add writecombine support for DMW-based ioremap()")
Signed-off-by: Kanglong Wang <wangkanglong@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit f507fc06c7cd440724f740dd29f6f1d7046b862e)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

commit 5ec5ac4 upstream.

kasan_init_generic() indicates that kasan is fully initialized, so it
should be put at end of kasan_init().

Otherwise bringing up the primary CPU failed when CONFIG_KASAN is set
on PTW-enabled systems, here are the call chains:

    kernel_entry()
      start_kernel()
        setup_arch()
          kasan_init()
            kasan_init_generic()

The reason is PTW-enabled systems have speculative accesses which means
memory accesses to the shadow memory after kasan_init() may be executed
by hardware before. However, accessing shadow memory is safe only after
kasan fully initialized because kasan_init() uses a temporary PGD table
until we have populated all levels of shadow page tables and written the
PGD register. Moving kasan_init_generic() later can defer the occasion
of kasan_enabled(), so as to avoid speculative accesses on shadow pages.

After moving kasan_init_generic() to the end, kasan_init() can no longer
call kasan_mem_to_shadow() for shadow address conversion because it will
always return kasan_early_shadow_page. On the other hand, we should keep
the current logic of kasan_mem_to_shadow() for both the early and final
stage because there may be instrumentation before kasan_init().

To solve this, we factor out a new mem_to_shadow() function from current
kasan_mem_to_shadow() for the shadow address conversion in kasan_init().

Cc: stable@vger.kernel.org
Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
[ Huacai: To backport from upstream to 6.6 & 6.12, kasan_enabled() is
          replaced with kasan_arch_is_ready() and kasan_init_generic()
          is replaced with "kasan_early_stage = false". ]
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 78e706f9b1977ff7a86c4b49dd1fac5e1ea71c48)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
This reverts commit 8c9e9cd398777fd60ba202211da1110614cb5bc5 which is
commit db9ae3b upstream.

We have had three independent production user reports in combination
with Cilium utilizing WireGuard as encryption underneath that k8s Pod
E/W traffic to certain peer nodes fully stalled. The situation appears
as follows:

  - Occurs very rarely but at random times under heavy networking load.
  - Once the issue triggers the decryption side stops working completely
    for that WireGuard peer, other peers keep working fine. The stall
    happens also for newly initiated connections towards that particular
    WireGuard peer.
  - Only the decryption side is affected, never the encryption side.
  - Once it triggers, it never recovers and remains in this state,
    the CPU/mem on that node looks normal, no leak, busy loop or crash.
  - bpftrace on the affected system shows that wg_prev_queue_enqueue
    fails, thus the MAX_QUEUED_PACKETS (1024 skbs!) for the peer's
    rx_queue is reached.
  - Also, bpftrace shows that wg_packet_rx_poll for that peer is never
    called again after reaching this state for that peer. For other
    peers wg_packet_rx_poll does get called normally.
  - Commit db9ae3b ("wireguard: device: enable threaded NAPI")
    switched WireGuard to threaded NAPI by default. The default has
    not been changed for triggering the issue, neither did CPU
    hotplugging occur (i.e. 5bd8de2 ("wireguard: queueing: always
    return valid online CPU in wg_cpumask_choose_online()")).
  - The issue has been observed with stable kernels of v5.15 as well as
    v6.1. It was reported to us that v5.10 stable is working fine, and
    no report on v6.6 stable either (somewhat related discussion in [0]
    though).
  - In the WireGuard driver the only material difference between v5.10
    stable and v5.15 stable is the switch to threaded NAPI by default.

    [0] https://lore.kernel.org/netdev/CA+wXwBTT74RErDGAnj98PqS=wvdh8eM1pi4q6tTdExtjnokKqA@mail.gmail.com/

Breakdown of the problem:

  1) skbs arriving for decryption are enqueued to the peer->rx_queue in
     wg_packet_consume_data via wg_queue_enqueue_per_device_and_peer.
  2) The latter only moves the skb into the MPSC peer queue if it does
     not surpass MAX_QUEUED_PACKETS (1024) which is kept track in an
     atomic counter via wg_prev_queue_enqueue.
  3) In case enqueueing was successful, the skb is also queued up
     in the device queue, round-robin picks a next online CPU, and
     schedules the decryption worker.
  4) The wg_packet_decrypt_worker, once scheduled, picks these up
     from the queue, decrypts the packets and once done calls into
     wg_queue_enqueue_per_peer_rx.
  5) The latter updates the state to PACKET_STATE_CRYPTED on success
     and calls napi_schedule on the per peer->napi instance.
  6) NAPI then polls via wg_packet_rx_poll. wg_prev_queue_peek checks
     on the peer->rx_queue. It will wg_prev_queue_dequeue if the
     queue->peeked skb was not cached yet, or just return the latter
     otherwise. (wg_prev_queue_drop_peeked later clears the cache.)
  7) From an ordering perspective, the peer->rx_queue has skbs in order
     while the device queue with the per-CPU worker threads from a
     global ordering PoV can finish the decryption and signal the skb
     PACKET_STATE_CRYPTED out of order.
  8) A situation can be observed that the first packet coming in will
     be stuck waiting for the decryption worker to be scheduled for
     a longer time when the system is under pressure.
  9) While this is the case, the other CPUs in the meantime finish
     decryption and call into napi_schedule.
 10) Now in wg_packet_rx_poll it picks up the first in-order skb
     from the peer->rx_queue and sees that its state is still
     PACKET_STATE_UNCRYPTED. The NAPI poll routine then exits early
     with work_done = 0 and calls napi_complete_done, signalling
     it "finished" processing.
 11) The assumption in wg_packet_decrypt_worker is that when the
     decryption finished the subsequent napi_schedule will always
     lead to a later invocation of wg_packet_rx_poll to pick up
     the finished packet.
 12) However, it appears that a later napi_schedule does /not/
     schedule a later poll and thus no wg_packet_rx_poll.
 13) If this situation happens exactly for the corner case where
     the decryption worker of the first packet is stuck and waiting
     to be scheduled, and the network load for WireGuard is very
     high then the queue can build up to MAX_QUEUED_PACKETS.
 14) If this situation occurs, then no new decryption worker will
     be scheduled and also no new napi_schedule to make forward
     progress.
 15) This means the peer->rx_queue stops processing packets completely
     and they are indefinitely stuck waiting for a new NAPI poll on
     that peer which never happens. New packets for that peer are
     then dropped due to full queue, as it has been observed on the
     production machines.

Technically, the backport of commit db9ae3b ("wireguard: device:
enable threaded NAPI") to stable should not have happened since it is
more of an optimization rather than a pure fix and addresses a NAPI
situation with utilizing many WireGuard tunnel devices in parallel.
Revert it from stable given the backport triggers a regression for
mentioned kernels.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 168ee1549fa24fff2ab924a2ca7b1d85f30e062d)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 14967a9 upstream.

commit 59d9094 ("mm: hugetlb: independent PMD page table shared
count") introduced ->pt_share_count dedicated to hugetlb PMD share count
tracking, but omitted fixing copy_hugetlb_page_range(), leaving the
function relying on page_count() for tracking that no longer works.

When lazy page table copy for hugetlb is disabled, that is, revert commit
bcd51a3 ("hugetlb: lazy page table copies in fork()") fork()'ing with
hugetlb PMD sharing quickly lockup -

[  239.446559] watchdog: BUG: soft lockup - CPU#75 stuck for 27s!
[  239.446611] RIP: 0010:native_queued_spin_lock_slowpath+0x7e/0x2e0
[  239.446631] Call Trace:
[  239.446633]  <TASK>
[  239.446636]  _raw_spin_lock+0x3f/0x60
[  239.446639]  copy_hugetlb_page_range+0x258/0xb50
[  239.446645]  copy_page_range+0x22b/0x2c0
[  239.446651]  dup_mmap+0x3e2/0x770
[  239.446654]  dup_mm.constprop.0+0x5e/0x230
[  239.446657]  copy_process+0xd17/0x1760
[  239.446660]  kernel_clone+0xc0/0x3e0
[  239.446661]  __do_sys_clone+0x65/0xa0
[  239.446664]  do_syscall_64+0x82/0x930
[  239.446668]  ? count_memcg_events+0xd2/0x190
[  239.446671]  ? syscall_trace_enter+0x14e/0x1f0
[  239.446676]  ? syscall_exit_work+0x118/0x150
[  239.446677]  ? arch_exit_to_user_mode_prepare.constprop.0+0x9/0xb0
[  239.446681]  ? clear_bhb_loop+0x30/0x80
[  239.446684]  ? clear_bhb_loop+0x30/0x80
[  239.446686]  entry_SYSCALL_64_after_hwframe+0x76/0x7e

There are two options to resolve the potential latent issue:
  1. warn against PMD sharing in copy_hugetlb_page_range(),
  2. fix it.
This patch opts for the second option.
While at it, simplify the comment, the details are not actually relevant
anymore.

Link: https://lkml.kernel.org/r/20250916004520.1604530-1-jane.chu@oracle.com
Fixes: 59d9094 ("mm: hugetlb: independent PMD page table shared count")
Signed-off-by: Jane Chu <jane.chu@oracle.com>
Reviewed-by: Harry Yoo <harry.yoo@oracle.com>
Acked-by: Oscar Salvador <osalvador@suse.de>
Acked-by: David Hildenbrand <david@redhat.com>
Cc: Jann Horn <jannh@google.com>
Cc: Liu Shixin <liushixin2@huawei.com>
Cc: Muchun Song <muchun.song@linux.dev>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: David Hildenbrand (Arm) <david@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 8c9a1b0710510c3cc25526c815ca798705cb1936)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit ca1a47c upstream.

Patch series "mm/hugetlb: fixes for PMD table sharing (incl.  using
mmu_gather)", v3.

One functional fix, one performance regression fix, and two related
comment fixes.

I cleaned up my prototype I recently shared [1] for the performance fix,
deferring most of the cleanups I had in the prototype to a later point.
While doing that I identified the other things.

The goal of this patch set is to be backported to stable trees "fairly"
easily. At least patch #1 and #4.

Patch #1 fixes hugetlb_pmd_shared() not detecting any sharing
Patch #2 + #3 are simple comment fixes that patch #4 interacts with.
Patch #4 is a fix for the reported performance regression due to excessive
IPI broadcasts during fork()+exit().

The last patch is all about TLB flushes, IPIs and mmu_gather.
Read: complicated

There are plenty of cleanups in the future to be had + one reasonable
optimization on x86. But that's all out of scope for this series.

Runtime tested, with a focus on fixing the performance regression using
the original reproducer [2] on x86.

This patch (of 4):

We switched from (wrongly) using the page count to an independent shared
count.  Now, shared page tables have a refcount of 1 (excluding
speculative references) and instead use ptdesc->pt_share_count to identify
sharing.

We didn't convert hugetlb_pmd_shared(), so right now, we would never
detect a shared PMD table as such, because sharing/unsharing no longer
touches the refcount of a PMD table.

Page migration, like mbind() or migrate_pages() would allow for migrating
folios mapped into such shared PMD tables, even though the folios are not
exclusive.  In smaps we would account them as "private" although they are
"shared", and we would be wrongly setting the PM_MMAP_EXCLUSIVE in the
pagemap interface.

Fix it by properly using ptdesc_pmd_is_shared() in hugetlb_pmd_shared().

Link: https://lkml.kernel.org/r/20251223214037.580860-1-david@kernel.org
Link: https://lkml.kernel.org/r/20251223214037.580860-2-david@kernel.org
Link: https://lore.kernel.org/all/8cab934d-4a56-44aa-b641-bfd7e23bd673@kernel.org/ [1]
Link: https://lore.kernel.org/all/8cab934d-4a56-44aa-b641-bfd7e23bd673@kernel.org/ [2]
Fixes: 59d9094 ("mm: hugetlb: independent PMD page table shared count")
Signed-off-by: David Hildenbrand (Red Hat) <david@kernel.org>
Reviewed-by: Rik van Riel <riel@surriel.com>
Reviewed-by: Lance Yang <lance.yang@linux.dev>
Tested-by: Lance Yang <lance.yang@linux.dev>
Reviewed-by: Harry Yoo <harry.yoo@oracle.com>
Tested-by: Laurence Oberman <loberman@redhat.com>
Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Acked-by: Oscar Salvador <osalvador@suse.de>
Cc: Liu Shixin <liushixin2@huawei.com>
Cc: "Uschakow, Stanislav" <suschako@amazon.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: David Hildenbrand (Arm) <david@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 51dcf459845fd28f5a0d83d408a379b274ec5cc5)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 3937027 upstream.

Ever since we stopped using the page count to detect shared PMD page
tables, these comments are outdated.

The only reason we have to flush the TLB early is because once we drop the
i_mmap_rwsem, the previously shared page table could get freed (to then
get reallocated and used for other purpose).  So we really have to flush
the TLB before that could happen.

So let's simplify the comments a bit.

The "If we unshared PMDs, the TLB flush was not recorded in mmu_gather."
part introduced as in commit a4a118f ("hugetlbfs: flush TLBs
correctly after huge_pmd_unshare") was confusing: sure it is recorded in
the mmu_gather, otherwise tlb_flush_mmu_tlbonly() wouldn't do anything.
So let's drop that comment while at it as well.

We'll centralize these comments in a single helper as we rework the code
next.

Link: https://lkml.kernel.org/r/20251223214037.580860-3-david@kernel.org
Fixes: 59d9094 ("mm: hugetlb: independent PMD page table shared count")
Signed-off-by: David Hildenbrand (Red Hat) <david@kernel.org>
Reviewed-by: Rik van Riel <riel@surriel.com>
Tested-by: Laurence Oberman <loberman@redhat.com>
Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Acked-by: Oscar Salvador <osalvador@suse.de>
Reviewed-by: Harry Yoo <harry.yoo@oracle.com>
Cc: Liu Shixin <liushixin2@huawei.com>
Cc: Lance Yang <lance.yang@linux.dev>
Cc: "Uschakow, Stanislav" <suschako@amazon.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: David Hildenbrand (Arm) <david@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 2eeca9383efebb27c85a5ed12ba261c282f7a716)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…ing mmu_gather

commit 8ce720d upstream.

As reported, ever since commit 1013af4 ("mm/hugetlb: fix
huge_pmd_unshare() vs GUP-fast race") we can end up in some situations
where we perform so many IPI broadcasts when unsharing hugetlb PMD page
tables that it severely regresses some workloads.

In particular, when we fork()+exit(), or when we munmap() a large
area backed by many shared PMD tables, we perform one IPI broadcast per
unshared PMD table.

There are two optimizations to be had:

(1) When we process (unshare) multiple such PMD tables, such as during
    exit(), it is sufficient to send a single IPI broadcast (as long as
    we respect locking rules) instead of one per PMD table.

    Locking prevents that any of these PMD tables could get reused before
    we drop the lock.

(2) When we are not the last sharer (> 2 users including us), there is
    no need to send the IPI broadcast. The shared PMD tables cannot
    become exclusive (fully unshared) before an IPI will be broadcasted
    by the last sharer.

    Concurrent GUP-fast could walk into a PMD table just before we
    unshared it. It could then succeed in grabbing a page from the
    shared page table even after munmap() etc succeeded (and suppressed
    an IPI). But there is no difference compared to GUP-fast just
    sleeping for a while after grabbing the page and re-enabling IRQs.

    Most importantly, GUP-fast will never walk into page tables that are
    no-longer shared, because the last sharer will issue an IPI
    broadcast.

    (if ever required, checking whether the PUD changed in GUP-fast
     after grabbing the page like we do in the PTE case could handle
     this)

So let's rework PMD sharing TLB flushing + IPI sync to use the mmu_gather
infrastructure so we can implement these optimizations and demystify the
code at least a bit. Extend the mmu_gather infrastructure to be able to
deal with our special hugetlb PMD table sharing implementation.

To make initialization of the mmu_gather easier when working on a single
VMA (in particular, when dealing with hugetlb), provide
tlb_gather_mmu_vma().

We'll consolidate the handling for (full) unsharing of PMD tables in
tlb_unshare_pmd_ptdesc() and tlb_flush_unshared_tables(), and track
in "struct mmu_gather" whether we had (full) unsharing of PMD tables.

Because locking is very special (concurrent unsharing+reuse must be
prevented), we disallow deferring flushing to tlb_finish_mmu() and instead
require an explicit earlier call to tlb_flush_unshared_tables().

From hugetlb code, we call huge_pmd_unshare_flush() where we make sure
that the expected lock protecting us from concurrent unsharing+reuse is
still held.

Check with a VM_WARN_ON_ONCE() in tlb_finish_mmu() that
tlb_flush_unshared_tables() was properly called earlier.

Document it all properly.

Notes about tlb_remove_table_sync_one() interaction with unsharing:

There are two fairly tricky things:

(1) tlb_remove_table_sync_one() is a NOP on architectures without
    CONFIG_MMU_GATHER_RCU_TABLE_FREE.

    Here, the assumption is that the previous TLB flush would send an
    IPI to all relevant CPUs. Careful: some architectures like x86 only
    send IPIs to all relevant CPUs when tlb->freed_tables is set.

    The relevant architectures should be selecting
    MMU_GATHER_RCU_TABLE_FREE, but x86 might not do that in stable
    kernels and it might have been problematic before this patch.

    Also, the arch flushing behavior (independent of IPIs) is different
    when tlb->freed_tables is set. Do we have to enlighten them to also
    take care of tlb->unshared_tables? So far we didn't care, so
    hopefully we are fine. Of course, we could be setting
    tlb->freed_tables as well, but that might then unnecessarily flush
    too much, because the semantics of tlb->freed_tables are a bit
    fuzzy.

    This patch changes nothing in this regard.

(2) tlb_remove_table_sync_one() is not a NOP on architectures with
    CONFIG_MMU_GATHER_RCU_TABLE_FREE that actually don't need a sync.

    Take x86 as an example: in the common case (!pv, !X86_FEATURE_INVLPGB)
    we still issue IPIs during TLB flushes and don't actually need the
    second tlb_remove_table_sync_one().

    This optimization can be implemented on top of this, by checking e.g., in
    tlb_remove_table_sync_one() whether we really need IPIs. But as
    described in (1), it really must honor tlb->freed_tables then to
    send IPIs to all relevant CPUs.

Notes on TLB flushing changes:

(1) Flushing for non-shared PMD tables

    We're converting from flush_hugetlb_tlb_range() to
    tlb_remove_huge_tlb_entry(). Given that we properly initialize the
    MMU gather in tlb_gather_mmu_vma() to be hugetlb aware, similar to
    __unmap_hugepage_range(), that should be fine.

(2) Flushing for shared PMD tables

    We're converting from various things (flush_hugetlb_tlb_range(),
    tlb_flush_pmd_range(), flush_tlb_range()) to tlb_flush_pmd_range().

    tlb_flush_pmd_range() achieves the same that
    tlb_remove_huge_tlb_entry() would achieve in these scenarios.
    Note that tlb_remove_huge_tlb_entry() also calls
    __tlb_remove_tlb_entry(), however that is only implemented on
    powerpc, which does not support PMD table sharing.

    Similar to (1), tlb_gather_mmu_vma() should make sure that TLB
    flushing keeps on working as expected.

Further, note that the ptdesc_pmd_pts_dec() in huge_pmd_share() is not a
concern, as we are holding the i_mmap_lock the whole time, preventing
concurrent unsharing. That ptdesc_pmd_pts_dec() usage will be removed
separately as a cleanup later.

There are plenty more cleanups to be had, but they have to wait until
this is fixed.

[david@kernel.org: fix kerneldoc]
  Link: https://lkml.kernel.org/r/f223dd74-331c-412d-93fc-69e360a5006c@kernel.org
Link: https://lkml.kernel.org/r/20251223214037.580860-5-david@kernel.org
Fixes: 1013af4 ("mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race")
Signed-off-by: David Hildenbrand (Red Hat) <david@kernel.org>
Reported-by: "Uschakow, Stanislav" <suschako@amazon.de>
Closes: https://lore.kernel.org/all/4d3878531c76479d9f8ca9789dc6485d@amazon.de/
Tested-by: Laurence Oberman <loberman@redhat.com>
Acked-by: Harry Yoo <harry.yoo@oracle.com>
Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Lance Yang <lance.yang@linux.dev>
Cc: Liu Shixin <liushixin2@huawei.com>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: Rik van Riel <riel@surriel.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: David Hildenbrand (Arm) <david@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit ff37dd18ce7739a26aab0cc2d31006a45e6bde63)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
Commit b1bcaed ("cpuset: Treat cpusets in attaching as populated")
was backported to the long‑term support (LTS) branches. However, because
commit d5cf4d3 ("cgroup/cpuset: Don't track # of local child
partitions") was not backported, a corresponding adaptation to the
backported code is still required.

To ensure correct behavior, replace cgroup_is_populated with
cpuset_is_populated in the partition_is_populated function.

Cc: stable@vger.kernel.org	# 6.1+
Fixes: b1bcaed ("cpuset: Treat cpusets in attaching as populated")
Cc: Waiman Long <longman@redhat.com>
Cc: Tejun Heo <tj@kernel.org>
Signed-off-by: Chen Ridong <chenridong@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 6e5eccdef67ee879d7c0474c7e19e8b683f27dbe)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 0209e21 upstream.

A userspace program can trigger the RIVA NV3 arbitration code by calling
the FBIOPUT_VSCREENINFO ioctl on /dev/fb*. When doing so, the driver
recomputes FIFO arbitration parameters in nv3_arb(), using state->mclk_khz
(derived from the PRAMDAC MCLK PLL) as a divisor without validating it
first.

In a normal setup, state->mclk_khz is provided by the real hardware and is
non-zero. However, an attacker can construct a malicious or misconfigured
device (e.g. a crafted/emulated PCI device) that exposes a bogus PLL
configuration, causing state->mclk_khz to become zero.  Once
nv3_get_param() calls nv3_arb(), the division by state->mclk_khz in the gns
calculation causes a divide error and crashes the kernel.

Fix this by checking whether state->mclk_khz is zero and bailing out before
doing the division.

The following log reveals it:

rivafb: setting virtual Y resolution to 2184
divide error: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 PID: 2187 Comm: syz-executor.0 Not tainted 5.18.0-rc1+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
RIP: 0010:nv3_arb drivers/video/fbdev/riva/riva_hw.c:439 [inline]
RIP: 0010:nv3_get_param+0x3ab/0x13b0 drivers/video/fbdev/riva/riva_hw.c:546
Call Trace:
  nv3CalcArbitration.constprop.0+0x255/0x460 drivers/video/fbdev/riva/riva_hw.c:603
  nv3UpdateArbitrationSettings drivers/video/fbdev/riva/riva_hw.c:637 [inline]
  CalcStateExt+0x447/0x1b90 drivers/video/fbdev/riva/riva_hw.c:1246
  riva_load_video_mode+0x8a9/0xea0 drivers/video/fbdev/riva/fbdev.c:779
  rivafb_set_par+0xc0/0x5f0 drivers/video/fbdev/riva/fbdev.c:1196
  fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1033
  do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1109
  fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1188
  __x64_sys_ioctl+0x122/0x190 fs/ioctl.c:856

Fixes: 1da177e ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 78daf5984d96edec3b920c72a93bd6821b8710b7)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 120adae upstream.

The UFX_IOCTL_REPORT_DAMAGE ioctl does not properly copy data from
userspace to kernelspace, and instead directly references the memory,
which can cause problems if invalid data is passed from userspace.  Fix
this all up by correctly copying the memory before accessing it within
the kernel.

Reported-by: Tianchu Chen <flynnnchen@tencent.com>
Cc: stable <stable@kernel.org>
Cc: Steve Glendinning <steve.glendinning@shawell.net>
Cc: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 0634e8d650993602fc5b389ff7ac525f6542e141)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
Zhiguo Niu and others added 9 commits February 27, 2026 09:58
commit 761dac9 upstream.

It missed the stat count in f2fs_gc_range.

Cc: stable@kernel.org
Fixes: 9bf1dcb ("f2fs: fix to account gc stats correctly")
Signed-off-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 81193503af1fb9102fdd0c5f906af4dc39551e21)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 98ea003 upstream.

Some f2fs sysfs attributes suffer from out-of-bounds memory access and
incorrect handling of integer values whose size is not 4 bytes.

For example:
vm:~# echo 65537 > /sys/fs/f2fs/vde/carve_out
vm:~# cat /sys/fs/f2fs/vde/carve_out
65537
vm:~# echo 4294967297 > /sys/fs/f2fs/vde/atgc_age_threshold
vm:~# cat /sys/fs/f2fs/vde/atgc_age_threshold
1

carve_out maps to {struct f2fs_sb_info}->carve_out, which is an 8-bit
integer. However, the sysfs interface allows setting it to a value
larger than 255, resulting in an out-of-range update.

atgc_age_threshold maps to {struct atgc_management}->age_threshold,
which is a 64-bit integer, but its sysfs interface cannot correctly set
values larger than UINT_MAX.

The root causes are:
1. __sbi_store() treats all default values as unsigned int, which
prevents updating integers larger than 4 bytes and causes out-of-bounds
writes for integers smaller than 4 bytes.

2. f2fs_sbi_show() also assumes all default values are unsigned int,
leading to out-of-bounds reads and incorrect access to integers larger
than 4 bytes.

This patch introduces {struct f2fs_attr}->size to record the actual size
of the integer associated with each sysfs attribute. With this
information, sysfs read and write operations can correctly access and
update values according to their real data size, avoiding memory
corruption and truncation.

Fixes: b59d0ba ("f2fs: add sysfs support for controlling the gc_thread")
Cc: stable@kernel.org
Signed-off-by: Jinbao Liu <liujinbao1@xiaomi.com>
Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit eebd72cff518ac87e660aefb8a41224bd88c32ce)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
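The two root causes named in the f2fs sysfs commit message above, reproduced in user space next to a size-aware store/show pair. This is an added example, not the f2fs patch or any kernel code: `demo_sbi`, `demo_attr`, `neighbour`, `pad` and all four helper functions are hypothetical, and only the attribute names and the two test values come from the commit message.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the kernel structs: an 8-bit tunable packed next
 * to unrelated state, and a 64-bit tunable. Only the names carve_out and
 * age_threshold come from the commit message; the rest is hypothetical. */
struct demo_sbi {
    uint8_t  carve_out;
    uint8_t  neighbour[3];   /* bytes a 4-byte write at carve_out lands on */
    uint32_t pad;
    uint64_t age_threshold;
};

/* Attribute descriptor that records the real width of the backing field. */
struct demo_attr { const char *name; size_t offset; size_t size; };

#define DEMO_ATTR(f) \
    { #f, offsetof(struct demo_sbi, f), sizeof(((struct demo_sbi *)0)->f) }
static const struct demo_attr attrs[] = {
    DEMO_ATTR(carve_out), DEMO_ATTR(age_threshold)
};

/* Parse an unsigned decimal/hex string as a sysfs write would deliver it. */
static int parse_u64(const char *buf, uint64_t *out)
{
    char *end;

    if (strchr(buf, '-'))
        return -EINVAL;
    errno = 0;
    unsigned long long v = strtoull(buf, &end, 0);
    if (errno || end == buf)
        return -EINVAL;
    if (*end == '\n')
        end++;
    if (*end)
        return -EINVAL;
    *out = v;
    return 0;
}

/* Flawed pattern: every attribute is accessed as a 4-byte unsigned int. */
static int legacy_store(struct demo_sbi *sbi, const struct demo_attr *a, const char *buf)
{
    uint64_t val;
    int ret = parse_u64(buf, &val);

    if (ret)
        return ret;
    uint32_t v = (uint32_t)val;                 /* truncates 64-bit input */
    memcpy((char *)sbi + a->offset, &v, sizeof(v)); /* overruns 8-bit field */
    return 0;
}

static uint64_t legacy_show(const struct demo_sbi *sbi, const struct demo_attr *a)
{
    uint32_t v;

    memcpy(&v, (const char *)sbi + a->offset, sizeof(v)); /* reads neighbours too */
    return v;
}

/* Size-aware pattern: reject values that do not fit, then write exactly
 * a->size bytes through a correctly typed temporary. */
static int sized_store(struct demo_sbi *sbi, const struct demo_attr *a, const char *buf)
{
    char *p = (char *)sbi + a->offset;
    uint64_t val;
    int ret = parse_u64(buf, &val);

    if (ret)
        return ret;
    if (a->size < sizeof(uint64_t) && (val >> (a->size * 8)))
        return -EINVAL;
    switch (a->size) {
    case 1: { uint8_t  v = (uint8_t)val;  memcpy(p, &v, sizeof(v)); break; }
    case 2: { uint16_t v = (uint16_t)val; memcpy(p, &v, sizeof(v)); break; }
    case 4: { uint32_t v = (uint32_t)val; memcpy(p, &v, sizeof(v)); break; }
    case 8: memcpy(p, &val, sizeof(val)); break;
    default: return -EINVAL;
    }
    return 0;
}

static uint64_t sized_show(const struct demo_sbi *sbi, const struct demo_attr *a)
{
    const char *p = (const char *)sbi + a->offset;
    uint64_t v64 = 0; uint32_t v32; uint16_t v16; uint8_t v8;

    switch (a->size) {
    case 1: memcpy(&v8, p, 1);  return v8;
    case 2: memcpy(&v16, p, 2); return v16;
    case 4: memcpy(&v32, p, 4); return v32;
    case 8: memcpy(&v64, p, 8); return v64;
    }
    return 0;
}

int main(void)
{
    struct demo_sbi s = {0};

    legacy_store(&s, &attrs[0], "65537\n");
    printf("legacy carve_out: show=%llu field=%u\n",
           (unsigned long long)legacy_show(&s, &attrs[0]), s.carve_out);
    memset(&s, 0, sizeof(s));
    printf("sized carve_out 65537: ret=%d\n", sized_store(&s, &attrs[0], "65537\n"));
    sized_store(&s, &attrs[1], "4294967297\n");
    printf("sized age_threshold: %llu\n", (unsigned long long)sized_show(&s, &attrs[1]));
    return 0;
}
```

The legacy show path echoes back 65537 for the 8-bit field only because it re-reads the neighbouring bytes the store just overwrote, which is why the read in the commit message looks consistent even though the field cannot hold the value.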
…nt atomic commit and checkpoint writes

[ Upstream commit 7633a73 ]

During SPO tests, when mounting F2FS, an -EINVAL error was returned from
f2fs_recover_inode_page. The issue occurred under the following scenario

Thread A                                     Thread B
f2fs_ioc_commit_atomic_write
 - f2fs_do_sync_file // atomic = true
  - f2fs_fsync_node_pages
    : last_folio = inode folio
    : schedule before folio_lock(last_folio) f2fs_write_checkpoint
                                              - block_operations// writeback last_folio
                                              - schedule before f2fs_flush_nat_entries
    : set_fsync_mark(last_folio, 1)
    : set_dentry_mark(last_folio, 1)
    : folio_mark_dirty(last_folio)
    - __write_node_folio(last_folio)
      : f2fs_down_read(&sbi->node_write)//block
                                              - f2fs_flush_nat_entries
                                                : {struct nat_entry}->flag |= BIT(IS_CHECKPOINTED)
                                              - unblock_operations
                                                : f2fs_up_write(&sbi->node_write)
                                             f2fs_write_checkpoint//return
      : f2fs_do_write_node_page()
f2fs_ioc_commit_atomic_write//return
                                             SPO

Thread A calls f2fs_need_dentry_mark(sbi, ino), and the last_folio has
already been written once. However, the {struct nat_entry}->flag did not
have the IS_CHECKPOINTED set, causing set_dentry_mark(last_folio, 1) and
write last_folio again after Thread B finishes f2fs_write_checkpoint.

After SPO and reboot, it was detected that {struct node_info}->blk_addr
was not NULL_ADDR because Thread B successfully wrote the checkpoint.

This issue only occurs in atomic write scenarios. For regular file
fsync operations, the folio must be dirty. If
block_operations->f2fs_sync_node_pages successfully submits the folio
write, this path will not be executed. Otherwise, the
f2fs_write_checkpoint will need to wait for the folio write submission
to complete, as sbi->nr_pages[F2FS_DIRTY_NODES] > 0. Therefore, the
situation where f2fs_need_dentry_mark checks that the {struct
nat_entry}->flag /wo the IS_CHECKPOINTED flag, but the folio write has
already been submitted, will not occur.

Therefore, for atomic file fsync, sbi->node_write should be acquired
through __write_node_folio to ensure that the IS_CHECKPOINTED flag
correctly indicates that the checkpoint write has been completed.

Fixes: 608514d ("f2fs: set fsync mark only for the last dnode")
Cc: stable@kernel.org
Signed-off-by: Sheng Yong <shengyong1@xiaomi.com>
Signed-off-by: Jinbao Liu <liujinbao1@xiaomi.com>
Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
[ folio => page ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 75e19da068adf0dc5dd269dd157392434b9117d4)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit ce2739e ]

As syzbot reported a use-after-free issue in f2fs_write_end_io().

It is caused by below race condition:

loop device				umount
- worker_thread
 - loop_process_work
  - do_req_filebacked
   - lo_rw_aio
    - lo_rw_aio_complete
     - blk_mq_end_request
      - blk_update_request
       - f2fs_write_end_io
        - dec_page_count
        - folio_end_writeback
					- kill_f2fs_super
					 - kill_block_super
					  - f2fs_put_super
					 : free(sbi)
       : get_pages(, F2FS_WB_CP_DATA)
         accessed sbi which is freed

In kill_f2fs_super(), we will drop all page caches of f2fs inodes before
calling free(sbi), it guarantees that all folios should end its writeback, so
it should be safe to access sbi before last folio_end_writeback().

Let's relocate ckpt thread wakeup flow before folio_end_writeback() to
resolve this issue.

Cc: stable@kernel.org
Fixes: e234088 ("f2fs: avoid wait if IO end up when do_checkpoint for better performance")
Reported-by: syzbot+b4444e3c972a7a124187@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b4444e3c972a7a124187
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
[ folio => page ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit acc2c97fc0005846e5cf11b5ba3189fef130c9b3)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 0f9b121 ]

If the max open zones of zoned devices are less than
the active logs of F2FS, the device may error due to
insufficient zone resources when multiple active logs
are being written at the same time.

Signed-off-by: Wenjie Qi <qwjhust@gmail.com>
Signed-off-by: Chao Yu <chao@kernel.org>
Reviewed-by: Daeho Jeong <daehojeong@google.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Stable-dep-of: 5c145c0 ("f2fs: fix to avoid mapping wrong physical block for swapfile")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 20a8bad29d18127890f7292f0638075103a21076)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit 5c145c0 ]

Xiaolong Guo reported an f2fs bug in bugzilla [1]

[1] https://bugzilla.kernel.org/show_bug.cgi?id=220951

Quoted:

"When using stress-ng's swap stress test on F2FS filesystem with kernel 6.6+,
the system experiences data corruption leading to either:
1 dm-verity corruption errors and device reboot
2 F2FS node corruption errors and boot hangs

The issue occurs specifically when:
1 Using F2FS filesystem (ext4 is unaffected)
2 Swapfile size is less than F2FS section size (2MB)
3 Swapfile has fragmented physical layout (multiple non-contiguous extents)
4 Kernel version is 6.6+ (6.1 is unaffected)

The root cause is in check_swap_activate() function in fs/f2fs/data.c. When the
first extent of a small swapfile (< 2MB) is not aligned to section boundaries,
the function incorrectly treats it as the last extent, failing to map
subsequent extents. This results in incorrect swap_extent creation where only
the first extent is mapped, causing subsequent swap writes to overwrite wrong
physical locations (other files' data).

Steps to Reproduce
1 Setup a device with F2FS-formatted userdata partition
2 Compile stress-ng from https://github.com/ColinIanKing/stress-ng
3 Run swap stress test: (Android devices)
adb shell "cd /data/stressng; ./stress-ng-64 --metrics-brief --timeout 60
--swap 0"

Log:
1 Ftrace shows in kernel 6.6, only first extent is mapped during second
f2fs_map_blocks call in check_swap_activate():
stress-ng-swap-8990: f2fs_map_blocks: ino=11002, file offset=0, start
blkaddr=0x43143, len=0x1
(Only 4KB mapped, not the full swapfile)
2 in kernel 6.1, both extents are correctly mapped:
stress-ng-swap-5966: f2fs_map_blocks: ino=28011, file offset=0, start
blkaddr=0x13cd4, len=0x1
stress-ng-swap-5966: f2fs_map_blocks: ino=28011, file offset=1, start
blkaddr=0x60c84b, len=0xff

The problematic code is in check_swap_activate():
if ((pblock - SM_I(sbi)->main_blkaddr) % blks_per_sec ||
    nr_pblocks % blks_per_sec ||
    !f2fs_valid_pinned_area(sbi, pblock)) {
    bool last_extent = false;

    not_aligned++;

    nr_pblocks = roundup(nr_pblocks, blks_per_sec);
    if (cur_lblock + nr_pblocks > sis->max)
        nr_pblocks -= blks_per_sec;

    /* this extent is last one */
    if (!nr_pblocks) {
        nr_pblocks = last_lblock - cur_lblock;
        last_extent = true;
    }

    ret = f2fs_migrate_blocks(inode, cur_lblock, nr_pblocks);
    if (ret) {
        if (ret == -ENOENT)
            ret = -EINVAL;
        goto out;
    }

    if (!last_extent)
        goto retry;
}

When the first extent is unaligned and roundup(nr_pblocks, blks_per_sec)
exceeds sis->max, we subtract blks_per_sec resulting in nr_pblocks = 0. The
code then incorrectly assumes this is the last extent, sets nr_pblocks =
last_lblock - cur_lblock (entire swapfile), and performs migration. After
migration, it doesn't retry mapping, so subsequent extents are never processed.
"

In order to fix this issue, we need to look up block mapping info after
we migrate all blocks in the tail of swapfile.

Cc: stable@kernel.org
Fixes: 9703d69 ("f2fs: support file pinning for zoned devices")
Cc: Daeho Jeong <daehojeong@google.com>
Reported-and-tested-by: Xiaolong Guo <guoxiaolong2008@gmail.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220951
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
[ f2fs_is_sequential_zone_area() => !f2fs_valid_pinned_area() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit d4534a7f6c92baaf7e12a45fc6e37332cafafc33)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
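
The failure described in the quoted report can be traced with a small user-space model. This is an added example, not the kernel's code or the upstream patch: the layout values, `map_blocks()`, `migrate_blocks()` and the `relookup_after_tail` switch are constructed stand-ins, and the model assumes that migration rewrites the range into a fresh section-aligned run and that the re-lookup skips the alignment test once the tail has been migrated.

```c
#include <stdbool.h>
#include <stdio.h>

#define BLKS_PER_SEC 512u   /* one 2MB section of 4KB blocks */
#define FILE_BLKS    256u   /* constructed 1MB swapfile, smaller than a section */

struct swap_extent { unsigned lblock, pblock, len; };

struct model {
    unsigned l2p[FILE_BLKS];   /* the file's logical -> physical block map */
    unsigned next_free_sec;    /* section-aligned target used by migration */
    struct swap_extent ext[8]; /* what the swap layer ends up recording */
    unsigned nr_ext;
};

/* Constructed fragmented layout: block 0 alone, blocks 1..255 elsewhere. */
static void model_init(struct model *m)
{
    m->l2p[0] = 1000;                        /* unaligned: 1000 % 512 != 0 */
    for (unsigned l = 1; l < FILE_BLKS; l++)
        m->l2p[l] = 5000 + l;
    m->next_free_sec = 20 * BLKS_PER_SEC;
    m->nr_ext = 0;
}

/* Stand-in for f2fs_map_blocks(): contiguous run length starting at lblk. */
static unsigned map_blocks(const struct model *m, unsigned lblk, unsigned *pblk)
{
    unsigned len = 1;

    *pblk = m->l2p[lblk];
    while (lblk + len < FILE_BLKS && m->l2p[lblk + len] == *pblk + len)
        len++;
    return len;
}

/* Stand-in for f2fs_migrate_blocks(). Assumption: the range is rewritten
 * into a fresh, section-aligned contiguous run. */
static void migrate_blocks(struct model *m, unsigned lblk, unsigned n)
{
    for (unsigned i = 0; i < n; i++)
        m->l2p[lblk + i] = m->next_free_sec + i;
    m->next_free_sec += (n + BLKS_PER_SEC - 1) / BLKS_PER_SEC * BLKS_PER_SEC;
}

/* Extent walk modelled on the quoted check_swap_activate() fragment.
 * main_blkaddr is taken as 0 and the pinned-area test is left out. */
static void activate(struct model *m, bool relookup_after_tail)
{
    unsigned sis_max = FILE_BLKS, last_lblock = FILE_BLKS, cur = 0;
    bool last_extent = false;

    while (cur < last_lblock && cur < sis_max) {
        unsigned pblock, nr;
retry:
        nr = map_blocks(m, cur, &pblock);
        if (!last_extent && (pblock % BLKS_PER_SEC || nr % BLKS_PER_SEC)) {
            nr = (nr + BLKS_PER_SEC - 1) / BLKS_PER_SEC * BLKS_PER_SEC;
            if (cur + nr > sis_max)
                nr -= BLKS_PER_SEC;      /* 512 - 512 == 0 for a small file */
            if (!nr) {                   /* "this extent is last one" */
                nr = last_lblock - cur;
                last_extent = true;
            }
            migrate_blocks(m, cur, nr);
            if (!last_extent || relookup_after_tail)
                goto retry;
            /* Pre-fix path: pblock still holds the pre-migration address. */
        }
        if (cur + nr >= sis_max)
            nr = sis_max - cur;
        m->ext[m->nr_ext++] = (struct swap_extent){ cur, pblock, nr };
        cur += nr;
    }
}

/* Swap blocks whose recorded address differs from where the file lives. */
static unsigned stale_blocks(const struct model *m)
{
    unsigned bad = 0, covered = 0;

    for (unsigned e = 0; e < m->nr_ext; e++)
        for (unsigned i = 0; i < m->ext[e].len; i++, covered++)
            if (m->ext[e].pblock + i != m->l2p[m->ext[e].lblock + i])
                bad++;
    return bad + (FILE_BLKS - covered);
}

static unsigned run_scenario(bool relookup_after_tail)
{
    struct model m;

    model_init(&m);
    activate(&m, relookup_after_tail);
    return stale_blocks(&m);
}

int main(void)
{
    printf("pre-fix flow:   %u stale swap blocks\n", run_scenario(false));
    printf("re-lookup flow: %u stale swap blocks\n", run_scenario(true));
    return 0;
}
```

In the pre-fix flow the single recorded swap extent spans the whole file from the address of the first one-block extent, so swap I/O for the remaining blocks lands on blocks the file does not own.
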
commit 509f403 upstream.

Add the following compositions:

0x10a1: RNDIS + tty (AT/NMEA) + tty (AT) + tty (diag)
T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  9 Spd=480 MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=1bc7 ProdID=10a1 Rev=05.15
S:  Manufacturer=Telit Cinterion
S:  Product=FN920
S:  SerialNumber=d128dba9
C:  #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
I:  If#= 0 Alt= 0 #EPs= 1 Cls=ef(misc ) Sub=04 Prot=01 Driver=rndis_host
E:  Ad=82(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
I:  If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
I:  If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms

0x10a6: RNDIS + tty (AT/NMEA) + tty (AT) + tty (diag)
T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 10 Spd=480 MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=1bc7 ProdID=10a6 Rev=05.15
S:  Manufacturer=Telit Cinterion
S:  Product=FN920
S:  SerialNumber=d128dba9
C:  #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
I:  If#= 0 Alt= 0 #EPs= 1 Cls=ef(misc ) Sub=04 Prot=01 Driver=rndis_host
E:  Ad=82(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
I:  If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
I:  If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms

0x10ab: RNDIS + tty (AT) + tty (diag) + DPL (Data Packet Logging) + adb
T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 11 Spd=480 MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=1bc7 ProdID=10ab Rev=05.15
S:  Manufacturer=Telit Cinterion
S:  Product=FN920
S:  SerialNumber=d128dba9
C:  #Ifs= 6 Cfg#= 1 Atr=e0 MxPwr=500mA
I:  If#= 0 Alt= 0 #EPs= 1 Cls=ef(misc ) Sub=04 Prot=01 Driver=rndis_host
E:  Ad=82(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
I:  If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
I:  If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:  If#= 4 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none)
E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:  If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms

Cc: stable@vger.kernel.org
Signed-off-by: Fabio Porcedda <fabio.porcedda@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 35ac888bf8aca1366a5b99531cccbc1a370d2d08)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit 9990ddf ]

Make skb_vlan_inet_prepare return the skb drop reasons, which is just
what pskb_may_pull_reason() returns. Meanwhile, adjust all the calls to
it.

Signed-off-by: Menglong Dong <dongml2@chinatelecom.cn>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit f478b8239d6564b20bbf2972e441c31f945a2b76)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

Link: https://lore.kernel.org/r/20260217200004.221651386@linuxfoundation.org
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
Tested-by: Peter Schneider <pschneider1968@googlemail.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Tested-by: Brett A C Sheffield <bacs@librecast.net>
Tested-by: Mark Brown <broonie@kernel.org>
Tested-by: Francesco Dolcini <francesco.dolcini@toradex.com>
Tested-by: Ron Economos <re@w6rz.net>
Tested-by: Miguel Ojeda <ojeda@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 7a137e9bfa0e1919555d60f9dc0c05a7a5ba75d0)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

sourcery-ai Bot commented Feb 27, 2026

Reviewer's Guide

Rebases the Deepin 6.6-y kernel to upstream 6.6.127 and pulls in the associated upstream fixes, notably around hugetlb PMD sharing and TLB gathering, LoongArch KASAN write-combine support, multiple f2fs correctness and zoned-device fixes, network tunnel drop-reason handling, GPIO/raw locking, fbdev/ioctl safety, and assorted platform/sound/PCI/USB quirks and bugfixes.

Sequence diagram for huge_pmd_unshare with per-VMA mmu_gather and flush

sequenceDiagram
    participant Caller as move_hugetlb_page_tables
    participant TLB as mmu_gather
    participant VMA as vm_area_struct
    participant HUGEPMD as huge_pmd_unshare
    participant TLBCORE as tlb_unshare_pmd_ptdesc
    participant FLUSH as huge_pmd_unshare_flush

    Caller->>TLB: tlb_gather_mmu_vma(TLB, VMA)
    loop per_huge_pmd
        Caller->>HUGEPMD: huge_pmd_unshare(TLB, VMA, addr, ptep)
        alt PMD table is shared
            HUGEPMD->>TLBCORE: tlb_unshare_pmd_ptdesc(TLB, virt_to_ptdesc(ptep), addr)
            TLBCORE-->>HUGEPMD: updates unshared_tables and fully_unshared_tables
            HUGEPMD-->>Caller: return 1
            Caller->>TLB: tlb_remove_huge_tlb_entry(h, TLB, src_pte, addr)
        else PMD table not shared
            HUGEPMD-->>Caller: return 0
        end
    end

    Caller->>TLB: tlb_flush_mmu_tlbonly(TLB)
    Caller->>FLUSH: huge_pmd_unshare_flush(TLB, VMA)
    FLUSH->>TLB: tlb_flush_unshared_tables(TLB)
    FLUSH-->>Caller: done

    Caller->>TLB: tlb_finish_mmu(TLB)
    TLB-->>Caller: gather finished

Class diagram for updated hugetlb PMD sharing and mmu_gather integration

classDiagram
    class mmu_gather {
        +mm_struct *mm
        +unsigned int vma_huge
        +unsigned int vma_pfn
        +unsigned int unshared_tables
        +unsigned int fully_unshared_tables
        +unsigned int batch_count
        +void __tlb_reset_range()
        +void tlb_flush_mmu_tlbonly()
        +void tlb_flush_pmd_range(unsigned long addr, unsigned long size)
    }

    class ptdesc {
        +atomic_t pt_share_count
        +void ptdesc_pmd_pts_init()
        +void ptdesc_pmd_pts_inc()
        +void ptdesc_pmd_pts_dec()
        +int ptdesc_pmd_pts_count()
        +bool ptdesc_pmd_is_shared()
    }

    class vm_area_struct {
        +mm_struct *vm_mm
        +struct file *vm_file
    }

    class hugetlb_ops {
        +int huge_pmd_unshare(mmu_gather *tlb, vm_area_struct *vma, unsigned long addr, pte_t *ptep)
        +void huge_pmd_unshare_flush(mmu_gather *tlb, vm_area_struct *vma)
        +unsigned long hugetlb_mask_last_page(struct hstate *h)
    }

    class tlb_api {
        +void tlb_gather_mmu(mmu_gather *tlb, mm_struct *mm)
        +void tlb_gather_mmu_fullmm(mmu_gather *tlb, mm_struct *mm)
        +void tlb_gather_mmu_vma(mmu_gather *tlb, vm_area_struct *vma)
        +void tlb_finish_mmu(mmu_gather *tlb)
        +void tlb_unshare_pmd_ptdesc(mmu_gather *tlb, ptdesc *pt, unsigned long addr)
        +void tlb_flush_unshared_tables(mmu_gather *tlb)
    }

    class mm_hugetlb_c {
        +int copy_hugetlb_page_range(mm_struct *dst, mm_struct *src)
        +int move_hugetlb_page_tables(vm_area_struct *vma)
        +void __unmap_hugepage_range(mmu_gather *tlb, vm_area_struct *vma)
        +long hugetlb_change_protection(vm_area_struct *vma)
        +static void hugetlb_unshare_pmds(vm_area_struct *vma)
    }

    class rmap_c {
        +bool try_to_unmap_one(folio *folio, vm_area_struct *vma)
        +bool try_to_migrate_one(folio *folio, vm_area_struct *vma)
    }

    mmu_gather "1" o-- "*" ptdesc : manages
    vm_area_struct "1" --> "1" mm_struct : vm_mm
    hugetlb_ops ..> mmu_gather : uses
    hugetlb_ops ..> ptdesc : unshare
    tlb_api ..> mmu_gather : initializes
    tlb_api ..> vm_area_struct : vma based
    tlb_api ..> ptdesc : tlb_unshare_pmd_ptdesc

    mm_hugetlb_c ..> hugetlb_ops : calls huge_pmd_unshare
    mm_hugetlb_c ..> tlb_api : uses tlb_gather_mmu_vma tlb_finish_mmu

    rmap_c ..> hugetlb_ops : calls huge_pmd_unshare
    rmap_c ..> tlb_api : uses tlb_gather_mmu_vma tlb_finish_mmu

Class diagram for f2fs sysfs attributes and zoned device max_open_zones

classDiagram
    class f2fs_attr {
        +struct attribute attr
        +ssize_t (*show)(f2fs_attr *a, f2fs_sb_info *sbi, char *buf)
        +ssize_t (*store)(f2fs_attr *a, f2fs_sb_info *sbi, const char *buf, size_t len)
        +int struct_type
        +int offset
        +int size
        +int id
    }

    class f2fs_sb_info {
        +unsigned int blocks_per_blkz
        +unsigned int max_open_zones
        +atomic_t cp_call_count[ ]
        +wait_queue_head_t cp_wait
    }

    class f2fs_sysfs_c {
        +ssize_t f2fs_sbi_show(f2fs_attr *a, f2fs_sb_info *sbi, char *buf)
        +ssize_t f2fs_sbi_store(f2fs_attr *a, f2fs_sb_info *sbi, const char *buf, size_t len)
        +ssize_t __sbi_show_value(f2fs_attr *a, f2fs_sb_info *sbi, char *buf, unsigned char *value)
        +void __sbi_store_value(f2fs_attr *a, f2fs_sb_info *sbi, unsigned char *ui, unsigned long value)
    }

    class f2fs_super_c {
        +int f2fs_remount(super_block *sb, int *flags, char *data)
        +int f2fs_scan_devices(f2fs_sb_info *sbi)
        +int init_blkz_info(f2fs_sb_info *sbi, int devi)
    }

    class f2fs_data_c {
        +void f2fs_write_end_io(struct bio *bio)
        +int check_swap_activate(struct swap_info_struct *sis, struct file *file, sector_t *span)
    }

    class f2fs_node_c {
        +int __write_node_page(struct page *page, bool atomic, bool *submitted, int compr)
        +int f2fs_fsync_node_pages(f2fs_sb_info *sbi, struct inode *inode, struct writeback_control *wbc, bool atomic)
    }

    f2fs_attr --> f2fs_sb_info : targets struct via struct_type+offset
    f2fs_sysfs_c ..> f2fs_attr : uses size field
    f2fs_sysfs_c ..> f2fs_sb_info : reads and writes fields

    f2fs_super_c ..> f2fs_sb_info : initializes max_open_zones
    f2fs_super_c ..> f2fs_sb_info : validates max_open_zones vs active_logs

    f2fs_data_c ..> f2fs_sb_info : uses cp_wait and cp_call_count
    f2fs_node_c ..> f2fs_sb_info : uses options and inode flags

File-Level Changes

Change Details Files
Refine hugetlb PMD page-table sharing and unsharing, integrating it with mmu_gather and new unshare flush semantics.
  • Change copy_hugetlb_page_range() to detect shared PMDs via ptdesc_pmd_is_shared() under CONFIG_HUGETLB_PMD_PAGE_TABLE_SHARING instead of page_count()
  • Refactor huge_pmd_unshare() to take an mmu_gather pointer, use tlb_unshare_pmd_ptdesc(), and stop calling tlb_remove_table_sync_one() directly
  • Introduce huge_pmd_unshare_flush() to perform required TLB and GUP-fast synchronization for unshared tables before dropping i_mmap_rwsem
  • Rework move_hugetlb_page_tables(), __unmap_hugepage_range(), hugetlb_change_protection(), hugetlb_unshare_pmds(), and rmap try_to_unmap/try_to_migrate paths to use a local mmu_gather, tlb_remove_huge_tlb_entry(), tlb_flush_mmu_tlbonly(), huge_pmd_unshare_flush(), and tlb_finish_mmu()
  • Extend mmu_gather with unshared_tables/fully_unshared_tables flags and add tlb_unshare_pmd_ptdesc() and tlb_flush_unshared_tables() plus validation in tlb_finish_mmu()
mm/hugetlb.c
include/linux/hugetlb.h
include/asm-generic/tlb.h
mm/mmu_gather.c
mm/rmap.c
include/linux/mm_types.h
Add tlb_gather_mmu_vma() and related hugetlb helpers to operate on a single VMA with correct page-size and caching semantics.
  • Implement tlb_gather_mmu_vma() to initialize an on-stack mmu_gather for a single VMA, including tlb_update_vma_flags() and hugepage page_size setup
  • Ensure fully_unshared_tables is reset on gather, and warn in tlb_finish_mmu() if any remain due to missing huge_pmd_unshare_flush()
  • Switch several hugetlb and rmap callers to use tlb_gather_mmu_vma() instead of open-coded mmu_gather initialization
mm/mmu_gather.c
include/asm-generic/tlb.h
include/linux/mm_types.h
mm/hugetlb.c
mm/rmap.c
Extend LoongArch KASAN to support write-combine mappings and cleanly separate early vs normal shadow address translation.
  • Add XKPRANGE_WC segment and its shadow range/offset definitions and adjust VMALLOC KASAN layout to include WC segment
  • Introduce a mem_to_shadow() helper that handles CC, UC, WC, and VC segments and use it for mapping VMALLOC, KFENCE, linear, and module ranges
  • Make kasan_mem_to_shadow() fall back to the early shadow page until kasan_arch_is_ready(), then delegate to mem_to_shadow(), and mark kasan_early_stage=false only at the end of kasan_init()
  • Update kasan_shadow_to_mem() to reverse-map WC shadow addresses back to WC memory
arch/loongarch/include/asm/kasan.h
arch/loongarch/mm/kasan_init.c
Harden f2fs behavior around sysfs attributes, writeback completion, swapfile mapping, GC statistics, and zoned-device resource limits.
  • Extend f2fs_attr with a size field and rework f2fs_sbi_show()/__sbi_store() to correctly handle 1/2/4/8-byte fields via typed helpers, using sizeof_field in attribute macros to avoid out-of-bounds access
  • Move the F2FS_WB_CP_DATA wakeup logic into the per-page completion path in f2fs_write_end_io() to avoid use-after-free races with kill_f2fs_super()
  • Improve swapfile activation alignment logic by tracking last_extent separately and always retrying mapping after GC-induced migration, ensuring correct physical block selection
  • Track sbi->max_open_zones during device scan using bdev_max_open_zones(), enforce that it is at least active_logs, and refuse mount/remount on blkzoned devices when insufficient zones are available
  • Account foreground GC calls in f2fs_gc_range() via stat_inc_gc_call_count() and adjust relevant superblock/ZBD initialization paths
fs/f2fs/sysfs.c
fs/f2fs/data.c
fs/f2fs/super.c
fs/f2fs/gc.c
fs/f2fs/node.c
fs/f2fs/f2fs.h
Tighten romfs, GPIO, fbdev/ioctl, and cpuset core behavior for safety and correctness.
  • Check sb_set_blocksize() return value in romfs_fill_super() and fail the mount with an error message when setting blocksize fails
  • Convert sprd_gpio lock from spinlock_t to raw_spinlock_t and adjust locking helpers, suitable for use in IRQ context
  • Fix smscufx framebuffer UFX_IOCTL_REPORT_DAMAGE handling to allocate a dloarea on the kernel side, copy_from_user() the struct, and avoid relying on a user pointer cast
  • Change cpuset’s partition_is_populated() to use cpuset_is_populated() instead of cgroup_is_populated() to respect cpuset-specific semantics
fs/romfs/super.c
drivers/gpio/gpio-sprd.c
drivers/video/fbdev/smscufx.c
kernel/cgroup/cpuset.c
Improve networking tunnel/drop-reason handling and revert WireGuard threaded NAPI, aligning with upstream behavior.
  • Change skb_vlan_inet_prepare() to return an enum skb_drop_reason using pskb_may_pull_reason(), and update bareudp and geneve IPv4/IPv6 transmit paths to treat any non-SKB_NOT_DROPPED_YET return as an error
  • Include <asm/tlb.h> instead of <asm/tlbflush.h> in rmap to use the new TLB helpers
  • Revert dev_set_threaded(dev, true) for WireGuard devices in wg_newlink(), matching upstream’s decision to disable threaded NAPI for WireGuard
include/net/ip_tunnels.h
drivers/net/bareudp.c
drivers/net/geneve.c
mm/rmap.c
drivers/net/wireguard/device.c
Fix platform/sound/PCI/USB quirks and misc driver bugs across several subsystems.
  • Add NULL-pointer checks to classmate-laptop accelerometer sysfs show/store paths and open callback, returning -ENXIO when devices are not yet bound; fix panasonic-laptop probe error paths to remove sysfs group before returning
  • Guard qla2xxx bsg paths by calling bsg_job_done() only on success to avoid double frees, and ensure error paths skip job completion
  • Add DMI-based quirks for new AMD/Intel laptop models in acp6x-mach, sof_es8336, and amd/pmc (MECHREVO Wujie 15X Pro), plus Realtek HDA pin and codec quirks for specific TongFang and Inspur systems
  • Fix cs42l43 jack load detection by programming different register sequences for 3-pole vs 4-pole jacks and refining impedance thresholds; correct cs35l45 ASP_TX5 DAPM widget channel index
  • Protect fsl_xcvr_mode_put() control updates with card->snd_card->controls_rwsem, add Telit FN920C04/FN20C04 RNDIS USB compositions, and fix Tegra HDMI/SOR infoframe writers and rivafb’s nv3_arb() to avoid unused-variable and divide-by-zero issues
  • Switch fsl-mc sysfs show functions to use sysfs_emit and protect driver_override_show() with device_lock(), and simplify PCI endpoint configfs groups by removing unused fields/work and using configfs_add_default_group() instead of configfs_register_group()
drivers/platform/x86/classmate-laptop.c
drivers/platform/x86/panasonic-laptop.c
drivers/scsi/qla2xxx/qla_bsg.c
sound/soc/amd/yc/acp6x-mach.c
sound/soc/intel/boards/sof_es8336.c
drivers/platform/x86/amd/pmc/pmc-quirks.c
sound/pci/hda/patch_realtek.c
sound/soc/codecs/cs42l43-jack.c
sound/soc/codecs/cs35l45.c
sound/soc/fsl/fsl_xcvr.c
drivers/usb/serial/option.c
drivers/gpu/drm/tegra/hdmi.c
drivers/gpu/drm/tegra/sor.c
drivers/video/fbdev/riva/riva_hw.c
drivers/bus/fsl-mc/fsl-mc-bus.c
drivers/pci/endpoint/pci-ep-cfs.c
Update kernel version metadata to 6.6.127 to track the new upstream base.
  • Bump SUBLEVEL from 126 to 127 in top-level Makefile to reflect the new 6.6.127 release
Makefile

@deepin-ci-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from opsiff. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@sourcery-ai sourcery-ai Bot left a comment

Hey - I've reviewed your changes and they look great!


Copilot AI left a comment

Pull request overview

Updates the Deepin kernel tree to upstream Linux 6.6.127, bringing in the corresponding stable fixes across memory management, filesystems, networking, and a broad set of device/platform drivers.

Changes:

  • Bump kernel sublevel from 6.6.126 → 6.6.127 and merge upstream stable patches.
  • Update MMU gather + hugetlb PMD unsharing/flush handling to reduce unnecessary IPIs and fix correctness issues.
  • Pull in targeted fixes/quirks across F2FS, networking tunnels, audio codecs/boards, platform drivers, and assorted device drivers.

Reviewed changes

Copilot reviewed 40 out of 40 changed files in this pull request and generated 3 comments.

File Description
Makefile Kernel sublevel bump to 6.6.127.
arch/loongarch/include/asm/kasan.h Extend LoongArch KASAN shadow layout for WriteCombine range.
arch/loongarch/mm/kasan_init.c Rework LoongArch KASAN shadow mapping/init sequencing.
drivers/bus/fsl-mc/fsl-mc-bus.c sysfs_emit conversion + locking in driver_override_show().
drivers/gpio/gpio-sprd.c Switch SPRD GPIO lock to raw_spinlock.
drivers/gpio/gpiolib-acpi.c Fix ACPI GPIO counting to handle string references.
drivers/gpu/drm/tegra/hdmi.c Fix unused variable in HDMI infoframe packing loop.
drivers/gpu/drm/tegra/sor.c Fix unused variable in SOR HDMI infoframe packing loop.
drivers/net/bareudp.c Adapt to skb_vlan_inet_prepare() drop-reason API.
drivers/net/geneve.c Adapt to skb_vlan_inet_prepare() drop-reason API.
drivers/net/wireguard/device.c Revert threaded-NAPI enabling in wg_newlink().
drivers/pci/endpoint/pci-ep-cfs.c Avoid async subgroup creation; use configfs default groups.
drivers/platform/x86/amd/pmc/pmc-quirks.c Add DMI quirk entry for MECHREVO Wujie 15X Pro.
drivers/platform/x86/classmate-laptop.c Add missing NULL checks for driver data in sysfs ops.
drivers/platform/x86/panasonic-laptop.c Fix sysfs group cleanup on error path.
drivers/scsi/qla2xxx/qla_bsg.c Prevent double completion/free by gating bsg_job_done().
drivers/usb/serial/option.c Add Telit FN20C04/FN920C04 RNDIS compositions.
drivers/video/fbdev/riva/riva_hw.c Avoid divide-by-zero in nv3 arbitration calculations.
drivers/video/fbdev/smscufx.c Copy ioctl damage area from userspace safely.
fs/f2fs/data.c Fix F2FS writeback completion ordering + swapfile mapping behavior.
fs/f2fs/f2fs.h Track max_open_zones in f2fs_sb_info for zoned devices.
fs/f2fs/gc.c Account foreground GC range calls in stats.
fs/f2fs/node.c Refine atomic fsync/dentry-marking behavior.
fs/f2fs/super.c Zoned device max-open-zones validation on mount/remount; init max_open_zones.
fs/f2fs/sysfs.c Make sysfs value show/store size-aware (u8/u16/u32/u64).
fs/romfs/super.c Check sb_set_blocksize() return and fail cleanly.
include/asm-generic/tlb.h Track/flush unshared page tables via mmu_gather flags/helpers.
include/linux/hugetlb.h Update huge_pmd_unshare() API + add huge_pmd_unshare_flush().
include/linux/mm_types.h Add ptdesc_pmd_is_shared() helper + tlb_gather_mmu_vma() decl.
include/net/ip_tunnels.h Change skb_vlan_inet_prepare() to return skb_drop_reason.
kernel/cgroup/cpuset.c Use cpuset_is_populated() to fix population detection.
mm/hugetlb.c Rework hugetlb PMD sharing/unsharing to use mmu_gather and targeted flushes.
mm/mmu_gather.c Add tlb_gather_mmu_vma() and track fully_unshared_tables.
mm/rmap.c Use tlb_gather_mmu_vma() + huge_pmd_unshare_flush() for hugetlb unshare paths.
sound/pci/hda/patch_realtek.c Add new Realtek HDA quirks/pin quirks.
sound/soc/amd/yc/acp6x-mach.c Add new DMI quirks for AMD YC platforms.
sound/soc/codecs/cs35l45.c Fix ASP_TX5 DAPM widget channel index.
sound/soc/codecs/cs42l43-jack.c Refine load-detect patches for 3/4 pole and impedance classification.
sound/soc/fsl/fsl_xcvr.c Add locking around control activation during mode changes.
sound/soc/intel/boards/sof_es8336.c Add Huawei BOD-WXX9 DMI quirk.

Comment thread fs/f2fs/sysfs.c
Comment on lines +398 to +414
static void __sbi_store_value(struct f2fs_attr *a,
struct f2fs_sb_info *sbi,
unsigned char *ui, unsigned long value)
{
switch (a->size) {
case 1:
*(u8 *)ui = value;
break;
case 2:
*(u16 *)ui = value;
break;
case 4:
*(u32 *)ui = value;
break;
case 8:
*(u64 *)ui = value;
break;
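
Review bot: the `case 1`, `case 2` and `case 4` arms assign the `unsigned long value` through a narrower pointer (for example `*(u8 *)ui = value;`), so a value above the field's range is silently truncated unless it was bounded before the call. Because the function returns `void` it cannot report this itself; either confirm that every attribute with `a->size` below 8 has a range check in the caller, or compare `value` against the maximum for `a->size` here and give the function an error return.
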
Copilot AI Feb 27, 2026

__sbi_store_value() takes the value as unsigned long, but attributes can now be size==8 (u64). On 32-bit kernels this truncates and also pairs poorly with kstrtoul() parsing, so writing u64 sysfs fields (e.g., max_io_bytes) won't work correctly. Use u64 for the parsed/stored value (kstrtoull()) when a->size==8 and pass a u64 into __sbi_store_value().

Comment thread sound/soc/fsl/fsl_xcvr.c
Comment on lines +209 to +214
down_read(&card->snd_card->controls_rwsem);
fsl_xcvr_activate_ctl(dai, fsl_xcvr_arc_mode_kctl.name,
(xcvr->mode == FSL_XCVR_MODE_ARC));
fsl_xcvr_activate_ctl(dai, fsl_xcvr_earc_capds_kctl.name,
(xcvr->mode == FSL_XCVR_MODE_EARC));
up_read(&card->snd_card->controls_rwsem);
Copilot AI Feb 27, 2026

fsl_xcvr_mode_put() is invoked from ALSA control write paths with card->controls_rwsem already held in write mode (see sound/core/control.c:snd_ctl_elem_write()). Taking down_read() on the same controls_rwsem here can deadlock. The extra locking is also unnecessary for fsl_xcvr_activate_ctl(), which already asserts the lock is held. Drop the down_read()/up_read() here (or replace with a lockdep assertion if needed).

Comment on lines +439 to +441
if (!state->mclk_khz)
return (0);
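
Review bot: `return (0);` in the new `mclk_khz` guard wraps the return value in parentheses, which kernel coding style does not use; write `return 0;`. A one-line comment above the guard saying that it exists to avoid dividing by a zero memory clock would also help the next reader, since the division itself is not visible next to the check.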

Copilot AI Feb 27, 2026

Early-returning when state->mclk_khz == 0 leaves output state inconsistent: nv3_arb() returns before initializing ainfo->converged and before setting any safe defaults in res_info, but callers (e.g., nv3_get_param()/nv3CalcArbitration) read those fields. Initialize ainfo/res_info to known failure defaults before returning (or fall back to the existing non-converged default path).

Suggested change
if (!state->mclk_khz)
return (0);
if (!state->mclk_khz) {
/*
* If the memory clock is zero, we cannot perform a meaningful
* arbitration calculation. Ensure that the output structures
* are left in a consistent "failure" state so that callers do
* not observe uninitialized data.
*/
if (res_info)
memset(res_info, 0, sizeof(*res_info));
if (ainfo) {
ainfo->by_gfacc = 0;
ainfo->wcmocc = 0;
ainfo->wcgocc = 0;
ainfo->wcvocc = 0;
ainfo->wcvlwm = 0;
ainfo->wcglwm = 0;
ainfo->mocc = 0;
ainfo->vocc = 0;
ainfo->gocc = 0;
ainfo->engine_en = 0;
ainfo->converged = 0;
ainfo->cur = ENGINE;
ainfo->first_vacc = 0;
ainfo->first_gacc = 0;
ainfo->first_macc = 0;
}
return 0;
}

@opsiff opsiff merged commit 027e278 into deepin-community:linux-6.6.y Feb 27, 2026
17 of 19 checks passed