summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2025-04-25octeon_ep_vf: Resolve netdevice usage count issueSathesh B Edara
The netdevice usage count increases during transmit queue timeouts because netdev_hold is called in ndo_tx_timeout, scheduling a task to reinitialize the card. Although netdev_put is called at the end of the scheduled work, rtnl_unlock checks the reference count during cleanup. This could cause issues if transmit timeout is called on multiple queues. Fixes: cb7dd712189f ("octeon_ep_vf: Add driver framework and device initialization") Signed-off-by: Sathesh B Edara <sedara@marvell.com> Link: https://patch.msgid.link/20250424133944.28128-1-sedara@marvell.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2025-04-25Revert "rndis_host: Flag RNDIS modems as WWAN devices"Christian Heusel
This reverts commit 67d1a8956d2d62fe6b4c13ebabb57806098511d8. Since this commit has been proven to be problematic for the setup of USB-tethered ethernet connections and the related breakage is very noticeable for users it should be reverted until a fixed version of the change can be rolled out. Closes: https://lore.kernel.org/all/e0df2d85-1296-4317-b717-bd757e3ab928@heusel.eu/ Link: https://chaos.social/@gromit/114377862699921553 Link: https://bugzilla.kernel.org/show_bug.cgi?id=220002 Link: https://bugs.gentoo.org/953555 Link: https://bbs.archlinux.org/viewtopic.php?id=304892 Cc: stable@vger.kernel.org Acked-by: Lubomir Rintel <lkundrak@v3.sk> Signed-off-by: Christian Heusel <christian@heusel.eu> Link: https://patch.msgid.link/20250424-usb-tethering-fix-v1-1-b65cf97c740e@heusel.eu Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2025-04-25selftests: net: bridge_vlan_aware: test untagged/8021p-tagged with and ↵Vladimir Oltean
without PVID Recent discussions around commit ad1afb003939 ("vlan_dev: VLAN 0 should be treated as "no vlan tag" (802.1p packet)") have sparked the question what happens with the DSA (and possibly other switchdev) data path when the bridge says that ports should have no PVID VLAN, but the 8021q module, as the result of a NETDEV_UP event, decides it should add VID 0 to the RX filter of those bridge ports. Do those bridge ports receive packets tagged with VID 0 or not, now? We don't know, there is no test. In the veth realm, this passes trivially, because veth is not VLAN filtering and this, the 8021q module lacks the instinct to add VID 0 in the first place. In the realm of VLAN filtering NICs with no switchdev offload, this should also pass, because the VLAN groups of the software bridge are consulted, where it can clearly be seen that a PVID is missing, even though the packet was initially accepted by the NIC. The test only poses a challenge for switchdev drivers, which usually have to program to hardware both VLANs from RX filtering, as well as from switchdev. Especially when a switchdev port joins a VLAN-aware bridge, it is unavoidable that it gains the NETIF_F_HW_VLAN_CTAG_FILTER feature, i.e. any 8021q uppers that the bridge port may have must also be committed to the RX filtering table of the interface. When a VLAN-tagged packet is physically received by the port, it is initially indistinguishable whether it will reach the bridge data path or the 8021q upper data path. That is rather the final step of the new tests that we introduce. We need to build context up to that stage, which means the following: - we need to test that 802.1p (VID 0) tagged traffic is received in the first place (on bridge ports with a valid PVID). This is the "8021p" test. - we need to test that the usual paths of reaching a configuration with no PVID on a bridge port are all covered and they all reach the same state. Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com> Reviewed-by: Ido Schimmel <idosch@nvidia.com> Tested-by: Ido Schimmel <idosch@nvidia.com> Link: https://patch.msgid.link/20250424223734.3096202-2-vladimir.oltean@nxp.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2025-04-25net: mscc: ocelot: delete PVID VLAN when readding it as non-PVIDVladimir Oltean
The following set of commands: ip link add br0 type bridge vlan_filtering 1 # vlan_default_pvid 1 is implicit ip link set swp0 master br0 bridge vlan add dev swp0 vid 1 should result in the dropping of untagged and 802.1p-tagged traffic, but we see that it continues to be accepted. Whereas, had we deleted VID 1 instead, the aforementioned dropping would have worked This is because the ANA_PORT_DROP_CFG update logic doesn't run, because ocelot_vlan_add() only calls ocelot_port_set_pvid() if the new VLAN has the BRIDGE_VLAN_INFO_PVID flag. Similar to other drivers like mt7530_port_vlan_add() which handle this case correctly, we need to test whether the VLAN we're changing used to have the BRIDGE_VLAN_INFO_PVID flag, but lost it now. That amounts to a PVID deletion and should be treated as such. Regarding blame attribution: this never worked properly since the introduction of bridge VLAN filtering in commit 7142529f1688 ("net: mscc: ocelot: add VLAN filtering"). However, there was a significant paradigm shift which aligned the ANA_PORT_DROP_CFG register with the PVID concept rather than with the native VLAN concept, and that change wasn't targeted for 'stable'. Realistically, that is as far as this fix needs to be propagated to. Fixes: be0576fed6d3 ("net: mscc: ocelot: move the logic to drop 802.1p traffic to the pvid deletion") Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com> Link: https://patch.msgid.link/20250424223734.3096202-1-vladimir.oltean@nxp.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2025-04-25Merge branch 'io_uring-zcrx-fix-selftests-and-add-new-test-for-rss-ctx'Jakub Kicinski
David Wei says: ==================== io_uring/zcrx: fix selftests and add new test for rss ctx Update io_uring zero copy receive selftest. Patch 1 does a requested cleanup to use defer() for undoing ethtool actions during the test and restoring the NIC under test back to its original state. Patch 2 adds a required call to set hds_thresh to 0. This is needed for the queue API. Patch 3 adds a new test case for steering into RSS contexts. A real application using io_uring zero copy receive relies on this working to shard work across multiple queues. There seems to be some differences/bugs with steering into RSS contexts and individual queues. ==================== Link: https://patch.msgid.link/20250425022049.3474590-1-dw@davidwei.uk Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2025-04-25io_uring/zcrx: selftests: add test case for rss ctxDavid Wei
RSS contexts are used to shard work across multiple queues for an application using io_uring zero copy receive. Add a test case checking that steering flows into an RSS context works. Until I add multi-thread support to the selftest binary, this test case only has 1 queue in the RSS context. Signed-off-by: David Wei <dw@davidwei.uk> Reviewed-by: Simon Horman <horms@kernel.org> Reviewed-by: Joe Damato <jdamato@fastly.com> Link: https://patch.msgid.link/20250425022049.3474590-4-dw@davidwei.uk Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2025-04-25io_uring/zcrx: selftests: set hds_thresh to 0David Wei
Setting hds_thresh to 0 is required for queue reset. Signed-off-by: David Wei <dw@davidwei.uk> Reviewed-by: Simon Horman <horms@kernel.org> Reviewed-by: Joe Damato <jdamato@fastly.com> Link: https://patch.msgid.link/20250425022049.3474590-3-dw@davidwei.uk Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2025-04-25io_uring/zcrx: selftests: switch to using defer() for cleanupDavid Wei
Switch to using defer() for putting the NIC back to the original state prior to running the selftest. Signed-off-by: David Wei <dw@davidwei.uk> Reviewed-by: Simon Horman <horms@kernel.org> Reviewed-by: Joe Damato <jdamato@fastly.com> Link: https://patch.msgid.link/20250425022049.3474590-2-dw@davidwei.uk Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2025-04-25Merge tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpfLinus Torvalds
Pull bpf fixes from Alexei Starovoitov: - Add namespace to BPF internal symbols (Alexei Starovoitov) - Fix possible endless loop in BPF map iteration (Brandon Kammerdiener) - Fix compilation failure for samples/bpf on LoongArch (Haoran Jiang) - Disable a part of sockmap_ktls test (Ihor Solodrai) - Correct typo in __clang_major__ macro (Peilin Ye) * tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf: selftests/bpf: Correct typo in __clang_major__ macro samples/bpf: Fix compilation failure for samples/bpf on LoongArch Fedora bpf: Add namespace to BPF internal symbols selftests/bpf: add test for softlock when modifying hashmap while iterating bpf: fix possible endless loop in BPF map iteration selftests/bpf: Mitigate sockmap_ktls disconnect_after_delete failure
2025-04-25vmxnet3: Fix malformed packet sizing in vmxnet3_process_xdpDaniel Borkmann
vmxnet3 driver's XDP handling is buggy for packet sizes using ring0 (that is, packet sizes between 128 - 3k bytes). We noticed MTU-related connectivity issues with Cilium's service load- balancing in case of vmxnet3 as NIC underneath. A simple curl to a HTTP backend service where the XDP LB was doing IPIP encap led to overly large packet sizes but only for *some* of the packets (e.g. HTTP GET request) while others (e.g. the prior TCP 3WHS) looked completely fine on the wire. In fact, the pcap recording on the backend node actually revealed that the node with the XDP LB was leaking uninitialized kernel data onto the wire for the affected packets, for example, while the packets should have been 152 bytes their actual size was 1482 bytes, so the remainder after 152 bytes was padded with whatever other data was in that page at the time (e.g. we saw user/payload data from prior processed packets). We only noticed this through an MTU issue, e.g. when the XDP LB node and the backend node both had the same MTU (e.g. 1500) then the curl request got dropped on the backend node's NIC given the packet was too large even though the IPIP-encapped packet normally would never even come close to the MTU limit. Lowering the MTU on the XDP LB (e.g. 1480) allowed to let the curl request succeed (which also indicates that the kernel ignored the padding, and thus the issue wasn't very user-visible). Commit e127ce7699c1 ("vmxnet3: Fix missing reserved tailroom") was too eager to also switch xdp_prepare_buff() from rcd->len to rbi->len. It really needs to stick to rcd->len which is the actual packet length from the descriptor. The latter we also feed into vmxnet3_process_xdp_small(), by the way, and it indicates the correct length needed to initialize the xdp->{data,data_end} parts. For e127ce7699c1 ("vmxnet3: Fix missing reserved tailroom") the relevant part was adapting xdp_init_buff() to address the warning given the xdp_data_hard_end() depends on xdp->frame_sz. With that fixed, traffic on the wire looks good again. Fixes: e127ce7699c1 ("vmxnet3: Fix missing reserved tailroom") Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Tested-by: Andrew Sauber <andrew.sauber@isovalent.com> Cc: Anton Protopopov <aspsk@isovalent.com> Cc: William Tu <witu@nvidia.com> Cc: Martin Zaharinov <micron10@gmail.com> Cc: Ronak Doshi <ronak.doshi@broadcom.com> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://patch.msgid.link/20250423133600.176689-1-daniel@iogearbox.net Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2025-04-25selftests/bpf: Correct typo in __clang_major__ macroPeilin Ye
Make sure that CAN_USE_BPF_ST test (compute_live_registers/store) is enabled when __clang_major__ >= 18. Fixes: 2ea8f6a1cda7 ("selftests/bpf: test cases for compute_live_registers()") Signed-off-by: Peilin Ye <yepeilin@google.com> Link: https://lore.kernel.org/r/20250425213712.1542077-1-yepeilin@google.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2025-04-25Merge tag 'ata-6.15-rc4' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/libata/linux Pull ata fixes from Damien Le Moal: - Fix the incorrect return type of ata_mselect_control_ata_feature() - Several fixes for the control of the Command Duration Limits feature to avoid unnecessary enable and disable actions. Avoiding the unnecessary enable action also avoids unwanted resets of the CDL statistics log page as that is implied for any enable action. - Fix the translation for sensing the control mode page to correctly return the last enable or disable action performed, as defined in SAT-6. This correct mode sense information is used to fix the behavior of the scsi layer to avoid unnecessary mode select command issuing. * tag 'ata-6.15-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/libata/linux: scsi: Improve CDL control ata: libata-scsi: Improve CDL control ata: libata-scsi: Fix ata_msense_control_ata_feature() ata: libata-scsi: Fix ata_mselect_control_ata_feature() return type
2025-04-25ksmbd: fix use-after-free in session logoffSean Heelan
The sess->user object can currently be in use by another thread, for example if another connection has sent a session setup request to bind to the session being free'd. The handler for that connection could be in the smb2_sess_setup function which makes use of sess->user. Cc: stable@vger.kernel.org Signed-off-by: Sean Heelan <seanheelan@gmail.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2025-04-25ksmbd: fix use-after-free in kerberos authenticationSean Heelan
Setting sess->user = NULL was introduced to fix the dangling pointer created by ksmbd_free_user. However, it is possible another thread could be operating on the session and make use of sess->user after it has been passed to ksmbd_free_user but before sess->user is set to NULL. Cc: stable@vger.kernel.org Signed-off-by: Sean Heelan <seanheelan@gmail.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2025-04-25Merge tag 'vfs-6.15-rc4.fixes' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull vfs fixes from Christian Brauner: - For some reason we went from zero to three maintainers for HFS/HFS+ in a matter of days. The lesson to learn from this might just be that we need to threaten code removal more often!? - Fix a regression introduced by enabling large folios for lage logical block sizes. This has caused issues for noref migration with large folios due to sleeping while in an atomic context. New sleeping variants of pagecache lookup helpers are introduced. These helpers take the folio lock instead of the mapping's private spinlock. The problematic users are converted to the sleeping variants and serialize against noref migration. Atomic users will bail on seeing the new BH_Migrate flag. This also shrinks the critical region of the mapping's private lock and the new blocking callers reduce contention on the spinlock for bdev mappings. - Fix two bugs in do_move_mount() when with MOVE_MOUNT_BENEATH. The first bug is using a mountpoint that is located on a mount we're not holding a reference to. The second bug is putting the mountpoint after we've called namespace_unlock() as it's no longer guaranteed that it does stay a mountpoint. - Remove a pointless call to vfs_getattr_nosec() in the devtmpfs code just to query i_mode instead of simply querying the inode directly. This also avoids lifetime issues for the dm code by an earlier bugfix this cycle that moved bdev_statx() handling into vfs_getattr_nosec(). - Fix AT_FDCWD handling with getname_maybe_null() in the xattr code. - Fix a performance regression for files when multiple callers issue a close when it's not the last reference. - Remove a duplicate noinline annotation from pipe_clear_nowait(). * tag 'vfs-6.15-rc4.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: fs/xattr: Fix handling of AT_FDCWD in setxattrat(2) and getxattrat(2) MAINTAINERS: hfs/hfsplus: add myself as maintainer splice: remove duplicate noinline from pipe_clear_nowait devtmpfs: don't use vfs_getattr_nosec to query i_mode fix a couple of races in MNT_TREE_BENEATH handling by do_move_mount() fs: fall back to file_ref_put() for non-last reference mm/migrate: fix sleep in atomic for large folios and buffer heads fs/ext4: use sleeping version of sb_find_get_block() fs/jbd2: use sleeping version of __find_get_block() fs/ocfs2: use sleeping version of __find_get_block() fs/buffer: use sleeping version of __find_get_block() fs/buffer: introduce sleeping flavors for pagecache lookups MAINTAINERS: add HFS/HFS+ maintainers fs/buffer: split locking for pagecache lookups
2025-04-25Merge tag 'ceph-for-6.15-rc4' of https://github.com/ceph/ceph-clientLinus Torvalds
Pull ceph fixes from Ilya Dryomov: "A small CephFS encryption-related fix and a dead code cleanup" * tag 'ceph-for-6.15-rc4' of https://github.com/ceph/ceph-client: ceph: Fix incorrect flush end position calculation ceph: Remove osd_client deadcode
2025-04-25Merge tag 'cxl-fixes-6.15-rc4' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl Pull cxl fixes from Dave Jiang: "The fixes address global persistent flush (GPF) changes and CXL Features support changes that went in the 6.15 merge window. And also a fix to an issue observed on CXL 1.1 platform during device enumeration. Summary: - Fix using the wrong GPF DVSEC location: - Fix caching of dport GPF DVSEC from the first endpoint - Ensure that the GPF phase timeout is only updated once by first endpoint - Drop is_port parameter for cxl_gpf_get_dvsec() - Fix the devm_* call host device for CXL fwctl setup - Set the out_len in Set Features failure case - Fix RCD initialization by skipping unneeded mem_en check" * tag 'cxl-fixes-6.15-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl: cxl/core/regs.c: Skip Memory Space Enable check for RCD and RCH Ports cxl/feature: Update out_len in set feature failure case cxl: Fix devm host device for CXL fwctl initialization cxl/pci: Drop the parameter is_port of cxl_gpf_get_dvsec() cxl/pci: Update Port GPF timeout only when the first EP attaching cxl/core: Fix caching dport GPF DVSEC issue
2025-04-26Merge tag 'amd-drm-fixes-6.15-2025-04-23' of ↵Dave Airlie
https://gitlab.freedesktop.org/agd5f/linux into drm-fixes amd-drm-fixes-6.15-2025-04-23: amdgpu: - P2P DMA fixes - Display reset fixes - DCN 3.5 fixes - ACPI EDID fix - LTTPR fix - mode_valid() fix Signed-off-by: Dave Airlie <airlied@redhat.com> From: Alex Deucher <alexander.deucher@amd.com> Link: https://lore.kernel.org/r/20250423183045.2886753-1-alexander.deucher@amd.com
2025-04-26Merge tag 'exynos-drm-fixes-for-v6.15-rc4' of ↵Dave Airlie
git://git.kernel.org/pub/scm/linux/kernel/git/daeinki/drm-exynos into drm-fixes Several fixups - fix spelling error - remove redundant error handling in exynos_drm_vidi.c module. - marks struct decon_data as const in the exynos7_drm_decon driver since it is only read. Cleanup - Remove unnecessary checking in exynos_drm_drv.c module Signed-off-by: Dave Airlie <airlied@redhat.com> From: Inki Dae <inki.dae@samsung.com> Link: https://lore.kernel.org/r/20250423143044.46165-1-inki.dae@samsung.com
2025-04-26Merge tag 'drm-misc-fixes-2025-04-22' of ↵Dave Airlie
https://gitlab.freedesktop.org/drm/misc/kernel into drm-fixes Short summary of fixes pull: meson: - Fix VCLK calculation panel: - jd9365a: Fix reset polarity Signed-off-by: Dave Airlie <airlied@redhat.com> From: Thomas Zimmermann <tzimmermann@suse.de> Link: https://lore.kernel.org/r/20250422151209.GA24823@2a02-2454-fd5e-fd00-5cc9-93f1-8e9a-df9b.dyn6.pyur.net
2025-04-25Drivers: hv: Fix bad ref to hv_synic_eventring_tail when CPU goes offlineMichael Kelley
When a CPU goes offline, hv_common_cpu_die() frees the hv_synic_eventring_tail memory for the CPU. But in a normal VM (i.e., not running in the root partition) the per-CPU memory has not been allocated, resulting in a bad memory reference and oops when computing the argument to kfree(). Fix this by freeing the memory only when running in the root partition. Fixes: 04df7ac39943 ("Drivers: hv: Introduce per-cpu event ring tail") Signed-off-by: Michael Kelley <mhklinux@outlook.com> Reviewed-by: Nuno Das Neves <nunodasneves@linux.microsoft.com> Link: https://lore.kernel.org/r/20250421163134.2024-1-mhklinux@outlook.com Signed-off-by: Wei Liu <wei.liu@kernel.org> Message-ID: <20250421163134.2024-1-mhklinux@outlook.com>
2025-04-25Merge tag 'riscv-for-linus-6.15-rc4' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux Pull RISC-V fixes from Palmer Dabbelt: - A fix for a missing icache flush in uprobes, which manifests as at least a BFF selftest failure on the Spacemit X1 - A workaround for build warnings in flush_icache_range() * tag 'riscv-for-linus-6.15-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux: riscv: uprobes: Add missing fence.i after building the XOL buffer riscv: Replace function-like macro by static inline function
2025-04-25Bluetooth: L2CAP: copy RX timestamp to new fragmentsPauli Virtanen
Copy timestamp too when allocating new skb for received fragment. Fixes missing RX timestamps with fragmentation. Fixes: 4d7ea8ee90e4 ("Bluetooth: L2CAP: Fix handling fragmented length") Signed-off-by: Pauli Virtanen <pav@iki.fi> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2025-04-25Bluetooth: btintel_pcie: Add additional to checks to clear TX/RX pathsKiran K
Due to a hardware issue, there is a possibility that the driver may miss an MSIx interrupt on the RX/TX data path. Since the TX and RX paths are independent, when a TX MSIx interrupt occurs, the driver can check the RX queue for any pending data and process it if present. The same approach applies to the RX path. Fixes: c2b636b3f788 ("Bluetooth: btintel_pcie: Add support for PCIe transport") Signed-off-by: Chandrashekar Devegowda <chandrashekar.devegowda@intel.com> Signed-off-by: Kiran K <kiran.k@intel.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2025-04-25Bluetooth: btmtksdio: Do close if SDIO card removed without closeChris Lu
To prevent Bluetooth SDIO card from be physically removed suddenly, driver needs to ensure btmtksdio_close is called before btmtksdio_remove to disable interrupts and txrx workqueue. Fixes: 6ac4233afb9a ("Bluetooth: btmtksdio: Prevent enabling interrupts after IRQ handler removal") Signed-off-by: Chris Lu <chris.lu@mediatek.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2025-04-25Bluetooth: btmtksdio: Check function enabled before doing closeChris Lu
Check BTMTKSDIO_FUNC_ENABLED flag before doing close to prevent btmtksdio_close been called twice. Fixes: 6ac4233afb9a ("Bluetooth: btmtksdio: Prevent enabling interrupts after IRQ handler removal") Signed-off-by: Chris Lu <chris.lu@mediatek.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2025-04-25Bluetooth: btusb: avoid NULL pointer dereference in skb_dequeue()En-Wei Wu
A NULL pointer dereference can occur in skb_dequeue() when processing a QCA firmware crash dump on WCN7851 (0489:e0f3). [ 93.672166] Bluetooth: hci0: ACL memdump size(589824) [ 93.672475] BUG: kernel NULL pointer dereference, address: 0000000000000008 [ 93.672517] Workqueue: hci0 hci_devcd_rx [bluetooth] [ 93.672598] RIP: 0010:skb_dequeue+0x50/0x80 The issue stems from handle_dump_pkt_qca() returning 0 even when a dump packet is successfully processed. This is because it incorrectly forwards the return value of hci_devcd_init() (which returns 0 on success). As a result, the caller (btusb_recv_acl_qca() or btusb_recv_evt_qca()) assumes the packet was not handled and passes it to hci_recv_frame(), leading to premature kfree() of the skb. Later, hci_devcd_rx() attempts to dequeue the same skb from the dump queue, resulting in a NULL pointer dereference. Fix this by: 1. Making handle_dump_pkt_qca() return 0 on success and negative errno on failure, consistent with kernel conventions. 2. Splitting dump packet detection into separate functions for ACL and event packets for better structure and readability. This ensures dump packets are properly identified and consumed, avoiding double handling and preventing NULL pointer access. Fixes: 20981ce2d5a5 ("Bluetooth: btusb: Add WCN6855 devcoredump support") Signed-off-by: En-Wei Wu <en-wei.wu@canonical.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2025-04-25Bluetooth: btintel_pcie: Avoid redundant buffer allocationKiran K
Reuse the skb buffer provided by the PCIe driver to pass it onto the stack, instead of copying it to a new skb. Fixes: c2b636b3f788 ("Bluetooth: btintel_pcie: Add support for PCIe transport") Signed-off-by: Kiran K <kiran.k@intel.com> Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2025-04-25Bluetooth: hci_conn: Fix not setting timeout for BIG Create SyncLuiz Augusto von Dentz
BIG Create Sync requires the command to just generates a status so this makes use of __hci_cmd_sync_status_sk to wait for HCI_EVT_LE_BIG_SYNC_ESTABLISHED, also because of this chance it is not longer necessary to use a custom method to serialize the process of creating the BIG sync since the cmd_work_sync itself ensures only one command would be pending which now awaits for HCI_EVT_LE_BIG_SYNC_ESTABLISHED before proceeding to next connection. Fixes: 42ecf1947135 ("Bluetooth: ISO: Do not emit LE BIG Create Sync if previous is pending") Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2025-04-25Bluetooth: hci_conn: Fix not setting conn_timeout for Broadcast ReceiverLuiz Augusto von Dentz
Broadcast Receiver requires creating PA sync but the command just generates a status so this makes use of __hci_cmd_sync_status_sk to wait for HCI_EV_LE_PA_SYNC_ESTABLISHED, also because of this chance it is not longer necessary to use a custom method to serialize the process of creating the PA sync since the cmd_work_sync itself ensures only one command would be pending which now awaits for HCI_EV_LE_PA_SYNC_ESTABLISHED before proceeding to next connection. Fixes: 4a5e0ba68676 ("Bluetooth: ISO: Do not emit LE PA Create Sync if previous is pending") Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2025-04-25Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvmLinus Torvalds
Pull kvm fixes from Paolo Bonzini: "ARM: - Single fix for broken usage of 'multi-MIDR' infrastructure in PI code, adding an open-coded erratum check for everyone's favorite pile of sand: Cavium ThunderX x86: - Bugfixes from a planned posted interrupt rework - Do not use kvm_rip_read() unconditionally to cater for guests with inaccessible register state" * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: KVM: x86: Do not use kvm_rip_read() unconditionally for KVM_PROFILING KVM: x86: Do not use kvm_rip_read() unconditionally in KVM tracepoints KVM: SVM: WARN if an invalid posted interrupt IRTE entry is added iommu/amd: WARN if KVM attempts to set vCPU affinity without posted intrrupts iommu/amd: Return an error if vCPU affinity is set for non-vCPU IRTE KVM: x86: Take irqfds.lock when adding/deleting IRQ bypass producer KVM: x86: Explicitly treat routing entry type changes as changes KVM: x86: Reset IRTE to host control if *new* route isn't postable KVM: SVM: Allocate IR data using atomic allocation KVM: SVM: Don't update IRTEs if APICv/AVIC is disabled KVM: arm64, x86: make kvm_arch_has_irq_bypass() inline arm64: Rework checks for broken Cavium HW in the PI code
2025-04-25Merge tag 'block-6.15-20250424' of git://git.kernel.dk/linuxLinus Torvalds
Pull block fixes from Jens Axboe: - Fix autoloading of drivers from stat*(2) - Fix losing read-ahead setting one suspend/resume, when a device is re-probed. - Fix race between setting the block size and page cache updates. Includes a helper that a coming XFS fix will use as well. - ublk cancelation fixes. - ublk selftest additions and fixes. - NVMe pull via Christoph: - fix an out-of-bounds access in nvmet_enable_port (Richard Weinberger) * tag 'block-6.15-20250424' of git://git.kernel.dk/linux: ublk: fix race between io_uring_cmd_complete_in_task and ublk_cancel_cmd ublk: call ublk_dispatch_req() for handling UBLK_U_IO_NEED_GET_DATA block: don't autoload drivers on blk-cgroup configuration block: don't autoload drivers on stat block: remove the backing_inode variable in bdev_statx block: move blkdev_{get,put} _no_open prototypes out of blkdev.h block: never reduce ra_pages in blk_apply_bdi_limits selftests: ublk: common: fix _get_disk_dev_t for pre-9.0 coreutils selftests: ublk: remove useless 'delay_us' from 'struct dev_ctx' selftests: ublk: fix recover test block: hoist block size validation code to a separate function block: fix race between set_blocksize and read paths nvmet: fix out-of-bounds access in nvmet_enable_port
2025-04-25Merge tag 'io_uring-6.15-20250424' of git://git.kernel.dk/linuxLinus Torvalds
Pull io_uring fixes from Jens Axboe: - Fix an older bug for handling of fallback task_work, when the task is exiting. Found by code inspection while reworking cancelation. - Fix duplicate flushing in one of the CQE posting helpers. * tag 'io_uring-6.15-20250424' of git://git.kernel.dk/linux: io_uring: fix 'sync' handling of io_fallback_tw() io_uring: don't duplicate flushing in io_req_post_cqe
2025-04-25Merge tag 'pm-6.15-rc4' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull power management fixes from Rafael Wysocki: "These are cpufreq driver fixes addressing multiple assorted issues: - Fix possible out-of-bound / NULL-ptr-deref in cpufreq drivers (Henry Martin, Andre Przywara) - Fix Kconfig issues with compile-test in cpufreq drivers (Krzysztof Kozlowski, Johan Hovold) - Fix invalid return value in .get() in the CPPC cpufreq driver (Marc Zyngier) - Add SM8650 to cpufreq-dt-platdev blocklist (Pengyu Luo)" * tag 'pm-6.15-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: cpufreq: fix compile-test defaults cpufreq: cppc: Fix invalid return value in .get() callback cpufreq: scpi: Fix null-ptr-deref in scpi_cpufreq_get_rate() cpufreq: scmi: Fix null-ptr-deref in scmi_cpufreq_get_rate() cpufreq: apple-soc: Fix null-ptr-deref in apple_soc_cpufreq_get_rate() cpufreq: Do not enable by default during compile testing cpufreq: Add SM8650 to cpufreq-dt-platdev blocklist cpufreq: sun50i: prevent out-of-bounds access
2025-04-25Merge tag 'usb-6.15-rc4' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb Pull USB fixes from Greg KH: "Here are some small USB driver fixes and new device ids for 6.15-rc4. Nothing major in here, just the normal set of issues that have cropped up after -rc1: - new device ids for usb-serial drivers - new device quirks added - typec driver fixes - chipidea driver fixes - xhci driver fixes - wdm driver fixes - cdns3 driver fixes - MAINTAINERS file update All of these, except for the MAINTAINERS file update, have been in linux-next for a while with no reported issues" * tag 'usb-6.15-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (27 commits) MAINTAINERS: Assign maintainer for the port controller drivers USB: serial: simple: add OWON HDS200 series oscilloscope support USB: serial: ftdi_sio: add support for Abacus Electrics Optical Probe USB: serial: option: add Sierra Wireless EM9291 usb: typec: class: Unlocked on error in typec_register_partner() usb: quirks: Add delay init quirk for SanDisk 3.2Gen1 Flash Drive USB: wdm: add annotation USB: wdm: wdm_wwan_port_tx_complete mutex in atomic context USB: wdm: close race between wdm_open and wdm_wwan_port_stop USB: wdm: handle IO errors in wdm_wwan_port_start USB: VLI disk crashes if LPM is used usb: dwc3: gadget: check that event count does not exceed event buffer length USB: storage: quirk for ADATA Portable HDD CH94 usb: quirks: add DELAY_INIT quirk for Silicon Motion Flash Drive USB: OHCI: Add quirk for LS7A OHCI controller (rev 0x02) usb: dwc3: xilinx: Prevent spike in reset signal usb: cdns3: Fix deadlock when using NCM gadget usb: chipidea: ci_hdrc_imx: implement usb_phy_init() error handling usb: chipidea: ci_hdrc_imx: fix call balance of regulator routines usb: chipidea: ci_hdrc_imx: fix usbmisc handling ...
2025-04-25Merge tag 'tty-6.15-rc4' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty Pull tty/serial fixes from Greg KH: "Here are three small tty/serial driver fixes for 6.15-rc4 to resolve some reported issues. They are: - permissions change for TIOCL_SELMOUSEREPORT to resolve a relaxing of permissions that showed up 6.14 that wasn't _quite_ right. - sifive serial driver fix - msm serial driver fix All of these have been in linux-next for over a week with no reported issues" * tag 'tty-6.15-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: serial: sifive: lock port in startup()/shutdown() callbacks tty: Require CAP_SYS_ADMIN for all usages of TIOCL_SELMOUSEREPORT serial: msm: Configure correct working mode before starting earlycon
2025-04-25Merge tag 'char-misc-6.15-rc4' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc Pull char/misc driver fixes from Greg KH: "Here are some small char/misc driver fixes to resolve reported problems for 6.15-rc4. Included in here are: - misc chrdev region range fix reported by many people - nvmem driver fixes and dt updates - mei new device id and fixes - comedi driver fix - pps driver fix - binder debug log fix - pci1xxxx driver fixes - firmware driver fix All of these have been in linux-next for over a week with no reported issues" * tag 'char-misc-6.15-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (25 commits) firmware: stratix10-svc: Add of_platform_default_populate() mei: vsc: Use struct vsc_tp_packet as vsc-tp tx_buf and rx_buf type mei: vsc: Fix fortify-panic caused by invalid counted_by() use pps: generators: tio: fix platform_set_drvdata() mcb: fix a double free bug in chameleon_parse_gdd() misc: microchip: pci1xxxx: Fix incorrect IRQ status handling during ack misc: microchip: pci1xxxx: Fix Kernel panic during IRQ handler registration char: misc: register chrdev region with all possible minors mei: me: add panther lake H DID comedi: jr3_pci: Fix synchronous deletion of timer binder: fix offset calculation in debug log intel_th: avoid using deprecated page->mapping, index fields dt-bindings: nvmem: Add compatible for MSM8960 dt-bindings: nvmem: Add compatible for IPQ5018 nvmem: qfprom: switch to 4-byte aligned reads nvmem: core: update raw_len if the bit reading is required nvmem: core: verify cell's raw_len nvmem: core: fix bit offsets of more than one byte dt-bindings: nvmem: fixed-cell: increase bits start value to 31 dt-bindings: nvmem: Add compatible for MS8937 ...
2025-04-25Merge tag 'driver-core-6.15-rc4' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/driver-core/driver-core Pull driver core fixes from Greg KH: "Here are some small driver core fixes to resolve a number of reported problems. Included in here are: - driver core sync fix revert to resolve a much reported problem, hopefully this is finally resolved - MAINTAINERS file update, documenting that the driver-core tree is now under a "shared" maintainership model, thanks to Rafael and Danilo for offering to do this! - auxbus documentation and MAINTAINERS file update - MAINTAINERS file update for Rust PCI code - firmware rust binding fixup - software node link fix All of these have been in linux-next for over a week with no reported issues" * tag 'driver-core-6.15-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/driver-core/driver-core: drivers/base/memory: Avoid overhead from for_each_present_section_nr() software node: Prevent link creation failure from causing kobj reference count imbalance device property: Add a note to the fwnode.h drivers/base: Add myself as auxiliary bus reviewer drivers/base: Extend documentation with preferred way to use auxbus driver core: fix potential NULL pointer dereference in dev_uevent() driver core: introduce device_set_driver() helper Revert "drivers: core: synchronize really_probe() and dev_uevent()" MAINTAINERS: update the location of the driver-core git tree rust: firmware: Use `ffi::c_char` type in `FwFunc` MAINTAINERS: pci: add entry for Rust PCI code
2025-04-25Merge tag 'dma-mapping-6.15-2025-04-25' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/mszyprowski/linux Pull dma-maping fixes from Marek Szyprowski: - avoid unused variable warnings (Arnd Bergmann, Marek Szyprowski) - add runtume warnings and debug messages for devices with limited DMA capabilities (Balbir Singh, Chen-Yu Tsai) * tag 'dma-mapping-6.15-2025-04-25' of git://git.kernel.org/pub/scm/linux/kernel/git/mszyprowski/linux: dma-coherent: Warn if OF reserved memory is beyond current coherent DMA mask dma-mapping: Fix warning reported for missing prototype dma-mapping: avoid potential unused data compilation warning dma/mapping.c: dev_dbg support for dma_addressing_limited dma/contiguous: avoid warning about unused size_bytes
2025-04-25Merge tag 'xfs-fixes-6.15-rc4' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linuxLinus Torvalds
Pull xfs fixes from Carlos Maiolino: "This contains a fix for a build failure on some 32-bit architectures and a warning generating docs" * tag 'xfs-fixes-6.15-rc4' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux: xfs: remove duplicate Zoned Filesystems sections in admin-guide XFS: fix zoned gc threshold math for 32-bit arches
2025-04-25samples/bpf: Fix compilation failure for samples/bpf on LoongArch FedoraHaoran Jiang
When building the latest samples/bpf on LoongArch Fedora make M=samples/bpf There are compilation errors as follows: In file included from ./linux/samples/bpf/sockex2_kern.c:2: In file included from ./include/uapi/linux/in.h:25: In file included from ./include/linux/socket.h:8: In file included from ./include/linux/uio.h:9: In file included from ./include/linux/thread_info.h:60: In file included from ./arch/loongarch/include/asm/thread_info.h:15: In file included from ./arch/loongarch/include/asm/processor.h:13: In file included from ./arch/loongarch/include/asm/cpu-info.h:11: ./arch/loongarch/include/asm/loongarch.h:13:10: fatal error: 'larchintrin.h' file not found ^~~~~~~~~~~~~~~ 1 error generated. larchintrin.h is included in /usr/lib64/clang/14.0.6/include, and the header file location is specified at compile time. Test on LoongArch Fedora: https://github.com/fedora-remix-loongarch/releases-info Signed-off-by: Haoran Jiang <jianghaoran@kylinos.cn> Signed-off-by: zhangxi <zhangxi@kylinos.cn> Signed-off-by: Andrii Nakryiko <andrii@kernel.org> Link: https://lore.kernel.org/bpf/20250425095042.838824-1-jianghaoran@kylinos.cn
2025-04-25bpf: Add namespace to BPF internal symbolsAlexei Starovoitov
Add namespace to BPF internal symbols used by light skeleton to prevent abuse and document with the code their allowed usage. Fixes: b1d18a7574d0 ("bpf: Extend sys_bpf commands for bpf_syscall programs.") Signed-off-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Andrii Nakryiko <andrii@kernel.org> Acked-by: Kumar Kartikeya Dwivedi <memxor@gmail.com> Link: https://lore.kernel.org/bpf/20250425014542.62385-1-alexei.starovoitov@gmail.com
2025-04-25Merge tag 'bcachefs-2025-04-24' of git://evilpiepirate.org/bcachefsLinus Torvalds
Pull bcachefs fixes from Kent Overstreet: - Case insensitive directories now work - Ciemap now correctly reports on unwritten pagecache data - bcachefs tools 1.25.1 was incorrectly picking unaligned bucket sizes; fix journal and write path bugs this uncovered And assorted smaller fixes... * tag 'bcachefs-2025-04-24' of git://evilpiepirate.org/bcachefs: (24 commits) bcachefs: Rework fiemap transaction restart handling bcachefs: add fiemap delalloc extent detection bcachefs: refactor fiemap processing into extent helper and struct bcachefs: track current fiemap offset in start variable bcachefs: drop duplicate fiemap sync flag bcachefs: Fix btree_iter_peek_prev() at end of inode bcachefs: Make btree_iter_peek_prev() assert more precise bcachefs: Unit test fixes bcachefs: Print mount opts earlier bcachefs: unlink: casefold d_invalidate bcachefs: Fix casefold lookups bcachefs: Casefold is now a regular opts.h option bcachefs: Implement fileattr_(get|set) bcachefs: Allocator now copes with unaligned buckets bcachefs: Start copygc, rebalance threads earlier bcachefs: Refactor bch2_run_recovery_passes() bcachefs: bch2_copygc_wakeup() bcachefs: Fix ref leak in write_super() bcachefs: Change __journal_entry_close() assert to ERO bcachefs: Ensure journal space is block size aligned ...
2025-04-25Merge branch 'bpf-fix-softlock-condition-in-bpf-hashmap-interation'Alexei Starovoitov
Brandon Kammerdiener says: ==================== This patchset fixes an endless loop condition that can occur in bpf_for_each_hash_elem, causing the core to softlock. My understanding is that a combination of RCU list deletion and insertion introduces the new element after the iteration cursor and that there is a chance that an RCU reader may in fact use this new element in iteration. The patch uses a _safe variant of the macro which gets the next element to iterate before executing the loop body for the current element. I have also added a subtest in the for_each selftest that can trigger this condition without the fix. Changes since v2: - Renaming and additional checks in selftests/bpf/prog_tests/for_each.c Changes since v1: - Added missing Signed-off-by lines to both patches ==================== Acked-by: Hou Tao <houtao1@huawei.com> Link: https://patch.msgid.link/20250424153246.141677-1-brandon.kammerdiener@intel.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2025-04-25selftests/bpf: add test for softlock when modifying hashmap while iteratingBrandon Kammerdiener
Add test that modifies the map while it's being iterated in such a way that hangs the kernel thread unless the _safe fix is applied to bpf_for_each_hash_elem. Signed-off-by: Brandon Kammerdiener <brandon.kammerdiener@intel.com> Link: https://lore.kernel.org/r/20250424153246.141677-3-brandon.kammerdiener@intel.com Signed-off-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Hou Tao <houtao1@huawei.com>
2025-04-25bpf: fix possible endless loop in BPF map iterationBrandon Kammerdiener
The _safe variant used here gets the next element before running the callback, avoiding the endless loop condition. Signed-off-by: Brandon Kammerdiener <brandon.kammerdiener@intel.com> Link: https://lore.kernel.org/r/20250424153246.141677-2-brandon.kammerdiener@intel.com Signed-off-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Hou Tao <houtao1@huawei.com>
2025-04-25MAINTAINERS: Assign maintainer for the port controller driversHeikki Krogerus
Especially the port manager (tcpm.c) is so major driver that it should have somebody watching over it who really understands it, and the port controller interface in general. Assigning Badhri as the designated reviewer and restoring the status to Maintained from Orphan. Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com> Cc: Badhri Jagan Sridharan <badhri@google.com> Acked-by: Badhri Jagan Sridharan <badhri@google.com> Link: https://lore.kernel.org/r/20250407133306.387576-1-heikki.krogerus@linux.intel.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-04-25fs/xattr: Fix handling of AT_FDCWD in setxattrat(2) and getxattrat(2)Jan Kara
Currently, setxattrat(2) and getxattrat(2) are wrongly handling the calls of the from setxattrat(AF_FDCWD, NULL, AT_EMPTY_PATH, ...) and fail with -EBADF error instead of operating on CWD. Fix it. Fixes: 6140be90ec70 ("fs/xattr: add *at family syscalls") Signed-off-by: Jan Kara <jack@suse.cz> Link: https://lore.kernel.org/20250424132246.16822-2-jack@suse.cz Signed-off-by: Christian Brauner <brauner@kernel.org>
2025-04-25MAINTAINERS: hfs/hfsplus: add myself as maintainerYangtao Li
I used to maintain Allwinner SoC cpufreq and thermal drivers and have some work experience in the F2FS file system. I volunteered to maintain the code together with Slava and Adrian. Signed-off-by: Yangtao Li <frank.li@vivo.com> Link: https://lore.kernel.org/20250423123423.2062619-1-frank.li@vivo.com Acked-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> Signed-off-by: Christian Brauner <brauner@kernel.org>
2025-04-25splice: remove duplicate noinline from pipe_clear_nowaitT.J. Mercier
pipe_clear_nowait has two noinline macros, but we only need one. I checked the whole tree, and this is the only occurrence: $ grep -r "noinline .* noinline" fs/splice.c:static noinline void noinline pipe_clear_nowait(struct file *file) $ Fixes: 0f99fc513ddd ("splice: clear FMODE_NOWAIT on file if splice/vmsplice is used") Signed-off-by: "T.J. Mercier" <tjmercier@google.com> Link: https://lore.kernel.org/20250423180025.2627670-1-tjmercier@google.com Reviewed-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Christian Brauner <brauner@kernel.org>