[Deepin-Kernel-SIG] [linux 6.12-y] [Upstream] Update kernel base to 6.12.76,6.12.77 #1684
…update_cpumasks_hier() [ Upstream commit 68230aa ] Commit e2ffe50 ("cgroup/cpuset: Add cpuset.cpus.exclusive for v2") incorrectly changed the 2nd parameter of cpuset_update_tasks_cpumask() from tmp->new_cpus to cp->effective_cpus. This second parameter is just a temporary cpumask for internal use. The cpuset_update_tasks_cpumask() function was originally called update_tasks_cpumask() before commit 381b53c ("cgroup/cpuset: rename functions shared between v1 and v2"). This mistake can incorrectly change the effective_cpus of the cpuset when it is the top_cpuset or in arm64 architecture where task_cpu_possible_mask() may differ from cpu_possible_mask. So far top_cpuset hasn't been passed to update_cpumasks_hier() yet, but arm64 arch can still be impacted. Fix it by reverting the incorrect change. Fixes: e2ffe50 ("cgroup/cpuset: Add cpuset.cpus.exclusive for v2") Signed-off-by: Waiman Long <longman@redhat.com> Signed-off-by: Tejun Heo <tj@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 6e4f70034387bfdea0027692a34599dc88f3a03e) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…sume [ Upstream commit 62c0153 ] Move the link recovery trigger from ufshcd_uic_pwr_ctrl() to __ufshcd_wl_resume(). Ensure link recovery is only attempted when hibern8 exit fails during resume, not during hibern8 enter in suspend. Improve error handling and prevent unnecessary link recovery attempts. Fixes: 35dabf4 ("scsi: ufs: core: Use link recovery when h8 exit fails during runtime resume") Signed-off-by: Peter Wang <peter.wang@mediatek.com> Reviewed-by: Bart Van Assche <bvanassche@acm.org> Link: https://patch.msgid.link/20260223103906.2533654-1-peter.wang@mediatek.com Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 1bcc4ea8207a0191588646936a7634dcbca4deb7) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 7fe8dec ] We calculate the possible packet sizes beforehand for adaptive and synchronous endpoints, but we didn't take care of the max frame size for those pre-calculated values. When a device or a bus limits the packet size, a high sample rate or a high number of channels may lead to the packet sizes that are larger than the given limit, which results in an error from the USB core at submitting URBs. As a simple workaround, just add the sanity checks of pre-calculated packet sizes to have the upper boundary of ep->maxframesize. Fixes: f0bd62b ("ALSA: usb-audio: Improve frames size computation") Link: https://bugzilla.kernel.org/show_bug.cgi?id=221076 Signed-off-by: Takashi Iwai <tiwai@suse.de> Link: https://patch.msgid.link/20260225085233.316306-2-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 192cc667e77e331dd5d221c1b3990377668faf82) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 4e9113c ] Replace the remaining with inclusive terms; it's only this function name we overlooked at the previous conversion. Fixes: 53837b4 ("ALSA: usb-audio: Replace slave/master terms") Signed-off-by: Takashi Iwai <tiwai@suse.de> Link: https://patch.msgid.link/20260225085233.316306-5-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 367e4285127ffdbeec594fcf4c0b5af7888d25c5) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit c9bc175 ] Make sure that __perf_event_overflow() runs with IRQs disabled for all possible callchains. Specifically the software events can end up running it with only preemption disabled. This opens up a race vs perf_event_exit_event() and friends that will go and free various things the overflow path expects to be present, like the BPF program. Fixes: 592903c ("perf_counter: add an event_list") Reported-by: Simond Hu <cmdhh1767@gmail.com> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Tested-by: Simond Hu <cmdhh1767@gmail.com> Link: https://patch.msgid.link/20260224122909.GV1395416@noisy.programming.kicks-ass.net Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 5c48fdc4b4623533d86e279f51531a7ba212eb87) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 0d785e2 ] With the conversion to generic entry [1] cpu idle exit cpu time accounting was converted from assembly to C. This introduced a reversed order of cpu time accounting. On cpu idle exit the current accounting happens with the following call chain: -> do_io_irq()/do_ext_irq() -> irq_enter_rcu() -> account_hardirq_enter() -> vtime_account_irq() -> vtime_account_kernel() vtime_account_kernel() accounts the passed cpu time since last_update_timer as system time, and updates last_update_timer to the current cpu timer value. However the subsequent call of -> account_idle_time_irq() will incorrectly subtract passed cpu time from timer_idle_enter to the updated last_update_timer value from system_timer. Then last_update_timer is updated to a sys_enter_timer, which means that last_update_timer goes back in time. Subsequently account_hardirq_exit() will account too much cpu time as hardirq time. The sum of all accounted cpu times is still correct, however some cpu time which was previously accounted as system time is now accounted as hardirq time, plus there is the oddity that last_update_timer goes back in time. Restore previous behavior by extracting cpu time accounting code from account_idle_time_irq() into a new update_timer_idle() function and call it before irq_enter_rcu(). Fixes: 56e62a7 ("s390: convert to generic entry") [1] Reviewed-by: Sven Schnelle <svens@linux.ibm.com> Signed-off-by: Heiko Carstens <hca@linux.ibm.com> Signed-off-by: Vasily Gorbik <gor@linux.ibm.com> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 3120d12adfbfe2c5339048b0f2ccb161028fe47b) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit dbc0fb3 ] Since delayed accounting of system time [1] the virtual timer is forwarded by do_account_vtime() but also vtime_account_kernel(), vtime_account_softirq(), and vtime_account_hardirq(). This leads to double accounting of system, guest, softirq, and hardirq time. Remove accounting from the vtime_account*() family to restore old behavior. There is only one user of the vtimer interface, which might explain why nobody noticed this so far. Fixes: b7394a5 ("sched/cputime, s390: Implement delayed accounting of system time") [1] Reviewed-by: Sven Schnelle <svens@linux.ibm.com> Signed-off-by: Heiko Carstens <hca@linux.ibm.com> Signed-off-by: Vasily Gorbik <gor@linux.ibm.com> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 00d5cf8c597855b81151a8589a9e7841cffa2aad) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit ca3c342 ] Introduce the epc core helper function pci_epc_function_is_valid() to verify that an epc pointer, a physical function number and a virtual function number are all valid. This avoids repeating the code pattern: if (IS_ERR_OR_NULL(epc) || func_no >= epc->max_functions) return err; if (vfunc_no > 0 && (!epc->max_vfs || vfunc_no > epc->max_vfs[func_no])) return err; in many functions of the endpoint controller core code. Signed-off-by: Damien Le Moal <dlemoal@kernel.org> Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org> Reviewed-by: Niklas Cassel <cassel@kernel.org> Link: https://lore.kernel.org/r/20241012113246.95634-2-dlemoal@kernel.org Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org> Stable-dep-of: c22533c ("PCI: dwc: ep: Flush MSI-X write before unmapping its ATU entry") Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit fa391a36e178a90dc37a7c06849dd17dd15d01c9) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit ce1dfe6 ] Some endpoint controllers have requirements on the alignment of the controller physical memory address that must be used to map a RC PCI address region. For instance, the endpoint controller of the RK3399 SoC uses at most the lower 20 bits of a physical memory address region as the lower bits of a RC PCI address region. For mapping a PCI address region of size bytes starting from pci_addr, the exact number of address bits used is the number of address bits changing in the address range [pci_addr..pci_addr + size - 1]. For this example, this creates the following constraints: 1) The offset into the controller physical memory allocated for a mapping depends on the mapping size *and* the starting PCI address for the mapping. 2) A mapping size cannot exceed the controller windows size (1MB) minus the offset needed into the allocated physical memory, which can end up being a smaller size than the desired mapping size. Handling these constraints independently of the controller being used in an endpoint function driver is not possible with the current EPC API as only the ->align field in struct pci_epc_features is provided but used for BAR (inbound ATU mappings) mapping only. A new API is needed for function drivers to discover mapping constraints and handle non-static requirements based on the RC PCI address range to access. Introduce the endpoint controller operation ->align_addr() to allow the EPC core functions to obtain the size and the offset into a controller address region that must be allocated and mapped to access a RC PCI address region. The size of the mapping provided by the align_addr() operation can then be used as the size argument for the function pci_epc_mem_alloc_addr() and the offset into the allocated controller memory provided can be used to correctly handle data transfers. 
For endpoint controllers that have PCI address alignment constraints, the align_addr() operation may indicate upon return an effective PCI address mapping size that is smaller (but not 0) than the requested PCI address region size. The controller ->align_addr() operation is optional: controllers that do not have any alignment constraints for mapping RC PCI address regions do not need to implement this operation. For such controllers, it is always assumed that the mapping size is equal to the requested size of the PCI region and that the mapping offset is 0. The function pci_epc_mem_map() is introduced to use this new controller operation (if it is defined) to handle controller memory allocation and mapping to a RC PCI address region in endpoint function drivers. This function first uses the ->align_addr() controller operation to determine the controller memory address size (and offset into) needed for mapping an RC PCI address region. The result of this operation is used to allocate a controller physical memory region using pci_epc_mem_alloc_addr() and then to map that memory to the RC PCI address space with pci_epc_map_addr(). Since ->align_addr() may indicate that not all of a RC PCI address region can be mapped, pci_epc_mem_map() may only partially map the RC PCI address region specified. It is the responsibility of the caller (an endpoint function driver) to handle such smaller mapping by repeatedly using pci_epc_mem_map() over the desired PCI address range. The counterpart of pci_epc_mem_map() to unmap and free a mapped controller memory address region is pci_epc_mem_unmap(). Both functions operate using the new struct pci_epc_map data structure. This new structure represents a mapping PCI address, mapping effective size, the size of the controller memory needed for the mapping as well as the physical and virtual CPU addresses of the mapping (phys_base and virt_base fields).
For convenience, the physical and virtual CPU addresses within that mapping to use to access the target RC PCI address region are also provided (phys_addr and virt_addr fields). Endpoint function drivers can use struct pci_epc_map to access the mapped RC PCI address region using the ->virt_addr and ->pci_size fields. Co-developed-by: Rick Wertenbroek <rick.wertenbroek@gmail.com> Signed-off-by: Rick Wertenbroek <rick.wertenbroek@gmail.com> Signed-off-by: Damien Le Moal <dlemoal@kernel.org> Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org> Link: https://lore.kernel.org/r/20241012113246.95634-4-dlemoal@kernel.org [mani: squashed the patch that changed phy_addr_t to u64] Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org> Stable-dep-of: c22533c ("PCI: dwc: ep: Flush MSI-X write before unmapping its ATU entry") Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 9373f0bf9954270556c4bf2ad039cfc54400155f) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit e73ea1c ] The function dw_pcie_prog_outbound_atu() used to program outbound ATU entries for mapping RC PCI addresses to local CPU addresses does not allow PCI addresses that are not aligned to the value of region_align of struct dw_pcie. This value is determined from the iATU hardware registers during probing of the iATU (done by dw_pcie_iatu_detect()). This value is thus valid for all DWC PCIe controllers, and valid regardless of the hardware configuration used when synthesizing the DWC PCIe controller. Implement the ->align_addr() endpoint controller operation to allow this mapping alignment to be transparently handled by endpoint function drivers through the function pci_epc_mem_map(). Link: https://lore.kernel.org/linux-pci/20241012113246.95634-7-dlemoal@kernel.org Link: https://lore.kernel.org/linux-pci/20241015090712.112674-1-dlemoal@kernel.org Link: https://lore.kernel.org/linux-pci/20241017132052.4014605-5-cassel@kernel.org Co-developed-by: Niklas Cassel <cassel@kernel.org> Signed-off-by: Damien Le Moal <dlemoal@kernel.org> [mani: squashed the patch that changed phy_addr_t to u64] Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org> [kwilczynski: squashed patch that updated the pci_size variable] Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org> Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org> Stable-dep-of: c22533c ("PCI: dwc: ep: Flush MSI-X write before unmapping its ATU entry") Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit fd9528fbe2fb98c43260c867a7b7194976572031) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…_irq() [ Upstream commit 3fafc38 ] Use the dw_pcie_ep_align_addr() function to calculate the alignment in dw_pcie_ep_raise_{msi,msix}_irq() instead of open coding the same. Link: https://lore.kernel.org/r/20241017132052.4014605-6-cassel@kernel.org Link: https://lore.kernel.org/r/20241104205144.409236-2-cassel@kernel.org Tested-by: Damien Le Moal <dlemoal@kernel.org> Signed-off-by: Niklas Cassel <cassel@kernel.org> [kwilczynski: squashed patch that fixes memory map sizes] Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org> Reviewed-by: Damien Le Moal <dlemoal@kernel.org> Reviewed-by: Frank Li <Frank.Li@nxp.com> Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org> Stable-dep-of: c22533c ("PCI: dwc: ep: Flush MSI-X write before unmapping its ATU entry") Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 5e13ef9235c7bd8b2b558219f1d97e544824cb7c) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit c22533c ] Endpoint drivers use dw_pcie_ep_raise_msix_irq() to raise an MSI-X interrupt to the host using a writel(), which generates a PCI posted write transaction. There's no completion for posted writes, so the writel() may return before the PCI write completes. dw_pcie_ep_raise_msix_irq() also unmaps the outbound ATU entry used for the PCI write, so the write races with the unmap. If the PCI write loses the race with the ATU unmap, the write may corrupt host memory or cause IOMMU errors, e.g., these when running fio with a larger queue depth against nvmet-pci-epf: arm-smmu-v3 fc900000.iommu: 0x0000010000000010 arm-smmu-v3 fc900000.iommu: 0x0000020000000000 arm-smmu-v3 fc900000.iommu: 0x000000090000f040 arm-smmu-v3 fc900000.iommu: 0x0000000000000000 arm-smmu-v3 fc900000.iommu: event: F_TRANSLATION client: 0000:01:00.0 sid: 0x100 ssid: 0x0 iova: 0x90000f040 ipa: 0x0 arm-smmu-v3 fc900000.iommu: unpriv data write s1 "Input address caused fault" stag: 0x0 Flush the write by performing a readl() of the same address to ensure that the write has reached the destination before the ATU entry is unmapped. The same problem was solved for dw_pcie_ep_raise_msi_irq() in commit 8719c64 ("PCI: dwc: ep: Cache MSI outbound iATU mapping"), but there it was solved by dedicating an outbound iATU only for MSI. We can't do the same for MSI-X because each vector can have a different msg_addr and the msg_addr may be changed while the vector is masked. Fixes: beb4641 ("PCI: dwc: Add MSI-X callbacks handler") Signed-off-by: Niklas Cassel <cassel@kernel.org> [bhelgaas: commit log] Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260211175540.105677-2-cassel@kernel.org Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit a7afb8f810c04845fdfc58c57d9cf0cc5f23ced0) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 5e0bcc7 ] Mutexes must be unlocked before these are destroyed. This has been detected by the Clang thread-safety analyzer. Cc: Alex Deucher <alexander.deucher@amd.com> Cc: Christian König <christian.koenig@amd.com> Cc: Yang Wang <kevinyang.wang@amd.com> Cc: Hawking Zhang <Hawking.Zhang@amd.com> Cc: amd-gfx@lists.freedesktop.org Fixes: f5e4cc8 ("drm/amdgpu: implement RAS ACA driver framework") Reviewed-by: Yang Wang <kevinyang.wang@amd.com> Acked-by: Christian König <christian.koenig@amd.com> Signed-off-by: Bart Van Assche <bvanassche@acm.org> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> (cherry picked from commit 270258ba320beb99648dceffb67e86ac76786e55) Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 0518ce29ad2004afe4dd2f9864c22bd20961b0a9) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 99eeb83 ] Replace kzalloc() followed by copy_from_user() with memdup_user() to improve and simplify ta_if_load_debugfs_write() and ta_if_invoke_debugfs_write(). No functional changes intended. Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com> Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> Stable-dep-of: 480ad5f ("drm/amdgpu: Fix locking bugs in error paths") Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 3a9828141d4baaef4c64fe04ceaff859205da3e2) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 480ad5f ] Do not unlock psp->ras_context.mutex if it has not been locked. This has been detected by the Clang thread-safety analyzer. Cc: Alex Deucher <alexander.deucher@amd.com> Cc: Christian König <christian.koenig@amd.com> Cc: YiPeng Chai <YiPeng.Chai@amd.com> Cc: Hawking Zhang <Hawking.Zhang@amd.com> Cc: amd-gfx@lists.freedesktop.org Fixes: b3fb79c ("drm/amdgpu: add mutex to protect ras shared memory") Acked-by: Christian König <christian.koenig@amd.com> Signed-off-by: Bart Van Assche <bvanassche@acm.org> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> (cherry picked from commit 6fa01b4335978051d2cd80841728fd63cc597970) Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 1359449b33bb600fe8985643385b0915dcc28320) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 483dd12 ] We can use snd_kcontrol_chip(). Let's use it. Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com> Signed-off-by: Takashi Iwai <tiwai@suse.de> Link: https://patch.msgid.link/87plglauda.wl-kuninori.morimoto.gx@renesas.com Stable-dep-of: 003ce8c ("ALSA: hda: cs35l56: Fix signedness error in cs35l56_hda_posture_put()") Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 1c84c68e752427c2225d9844a2e13200ab99ff7c) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 003ce8c ] In cs35l56_hda_posture_put() assign ucontrol->value.integer.value[0] to a long instead of an unsigned long. ucontrol->value.integer.value[0] is a long. This fixes the sparse warning: sound/hda/codecs/side-codecs/cs35l56_hda.c:256:20: warning: unsigned value that used to be signed checked against zero? sound/hda/codecs/side-codecs/cs35l56_hda.c:252:29: signed value source Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com> Fixes: 73cfbfa ("ALSA: hda/cs35l56: Add driver for Cirrus Logic CS35L56 amplifier") Link: https://patch.msgid.link/20260226111728.1700431-1-rf@opensource.cirrus.com Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 0507cf9ae0a9b7e64fea53700032672b101615bd) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…item() [ Upstream commit 511dc89 ] Fix the error message in check_dev_extent_item(), when an overlapping stripe is encountered. For dev extents, objectid is the disk number and offset the physical address, so prev_key->objectid should actually be prev_key->offset. (I can't take any credit for this one - this was discovered by Chris and his friend Claude.) Reported-by: Chris Mason <clm@fb.com> Fixes: 008e251 ("btrfs: tree-checker: add dev extent item checks") Reviewed-by: Qu Wenruo <wqu@suse.com> Signed-off-by: Mark Harmstone <mark@harmstone.com> Reviewed-by: David Sterba <dsterba@suse.com> Signed-off-by: David Sterba <dsterba@suse.com> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 0226914e4d5e9a50c20b4f7fcb30a12296e55d6b) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit a101727 ] Fix a copy-paste error in check_extent_data_ref(): we're printing root as in the message above, we should be printing objectid. Fixes: f333a3c ("btrfs: tree-checker: validate dref root and objectid") Reviewed-by: Qu Wenruo <wqu@suse.com> Signed-off-by: Mark Harmstone <mark@harmstone.com> Reviewed-by: David Sterba <dsterba@suse.com> Signed-off-by: David Sterba <dsterba@suse.com> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit ca57b339e4a74d86a4b0bd8b490aab8b69b9c4bf) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 44e2fda ] Commit b471965 ("btrfs: fix replace/scrub failure with metadata_uuid") fixed the comparison in scrub_verify_one_metadata() to use metadata_uuid rather than fsid, but left the warning as it was. Fix it so it matches what we're doing. Fixes: b471965 ("btrfs: fix replace/scrub failure with metadata_uuid") Reviewed-by: Qu Wenruo <wqu@suse.com> Signed-off-by: Mark Harmstone <mark@harmstone.com> Reviewed-by: David Sterba <dsterba@suse.com> Signed-off-by: David Sterba <dsterba@suse.com> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 390cc898680ed9cd05dd634a91fec072d13d970c) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 1c7e911 ] Fix the error message in btrfs_delete_subvolume() if we can't delete a subvolume because it has an active swapfile: we were printing the number of the parent rather than the target. Fixes: 60021bd ("btrfs: prevent subvol with swapfile from being deleted") Reviewed-by: Qu Wenruo <wqu@suse.com> Reviewed-by: Filipe Manana <fdmanana@suse.com> Signed-off-by: Mark Harmstone <mark@harmstone.com> Reviewed-by: David Sterba <dsterba@suse.com> Signed-off-by: David Sterba <dsterba@suse.com> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit a78db325aca15c231f252359c90f3ecb8aa327a2) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 587bb33 ] Commit d7f67ac ("btrfs: relax block-group-tree feature dependency checks") introduced a regression when it comes to handling unsupported incompat or compat_ro flags. Beforehand we only printed the flags that we didn't recognize, afterwards we printed them all, which is less useful. Fix the error handling so it behaves like it used to. Fixes: d7f67ac ("btrfs: relax block-group-tree feature dependency checks") Reviewed-by: Qu Wenruo <wqu@suse.com> Signed-off-by: Mark Harmstone <mark@harmstone.com> Reviewed-by: David Sterba <dsterba@suse.com> Signed-off-by: David Sterba <dsterba@suse.com> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 283cc83f63e095f6754b5e486548a28509768693) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…earing [ Upstream commit ef06fd1 ] struct bpf_plt contains a u64 target field. Currently, the BPF JIT allocator requests an alignment of 4 bytes (sizeof(u32)) for the JIT buffer. Because the base address of the JIT buffer can be 4-byte aligned (e.g., ending in 0x4 or 0xc), the relative padding logic in build_plt() fails to ensure that target lands on an 8-byte boundary. This leads to two issues: 1. UBSAN reports misaligned-access warnings when dereferencing the structure. 2. More critically, target is updated concurrently via WRITE_ONCE() in bpf_arch_text_poke() while the JIT'd code executes ldr. On arm64, 64-bit loads/stores are only guaranteed to be single-copy atomic if they are 64-bit aligned. A misaligned target risks a torn read, causing the JIT to jump to a corrupted address. Fix this by increasing the allocation alignment requirement to 8 bytes (sizeof(u64)) in bpf_jit_binary_pack_alloc(). This anchors the base of the JIT buffer to an 8-byte boundary, allowing the relative padding math in build_plt() to correctly align the target field. Fixes: b2ad54e ("bpf, arm64: Implement bpf_arch_text_poke() for arm64") Signed-off-by: Fuad Tabba <tabba@google.com> Acked-by: Will Deacon <will@kernel.org> Link: https://lore.kernel.org/r/20260226075525.233321-1-tabba@google.com Signed-off-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 80ad264da02cc4aee718e799c2b79f0f834673dc) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit b7bf516 ] get_upper_ifindexes() iterates over all upper devices and writes their indices into an array without checking bounds. Also the callers assume that the max number of upper devices is MAX_NEST_DEV and allocate excluded_devices[1+MAX_NEST_DEV] on the stack, but that assumption is not correct and the number of upper devices could be larger than MAX_NEST_DEV (e.g., many macvlans), causing a stack-out-of-bounds write. Add a max parameter to get_upper_ifindexes() to avoid the issue. When there are too many upper devices, return -EOVERFLOW and abort the redirect. To reproduce, create more than MAX_NEST_DEV(8) macvlans on a device with an XDP program attached using BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS. Then send a packet to the device to trigger the XDP redirect path. Reported-by: syzbot+10cc7f13760b31bd2e61@syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/698c4ce3.050a0220.340abe.000b.GAE@google.com/T/ Fixes: aeea1b8 ("bpf, devmap: Exclude XDP broadcast to master device") Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com> Signed-off-by: Kohei Enju <kohei@enjuk.jp> Link: https://lore.kernel.org/r/20260225053506.4738-1-kohei@enjuk.jp Signed-off-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit d2c31d8e03d05edc16656e5ffe187f0d1da763d7) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
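The bounded collection this commit message describes, as an added example that is not part of the commit or the kernel source: a user-space C model in which `struct model_dev`, `collect_upper_ifindexes()`, `build_excluded()` and `run_case()` are hypothetical names and the device list is constructed sample data. A canary placed directly after the fixed-size array shows that nothing is written past it when there are more upper devices than `MAX_NEST_DEV`.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_NEST_DEV 8            /* value quoted in the commit message */
#define POOL_SIZE 32              /* constructed: size of the sample device pool */
#define CANARY 0x5afe5afe         /* constructed marker placed after the array */
#define CANARY_DAMAGED (-100000)  /* sentinel: memory past the array was written */

/* Hypothetical stand-in for a net device that has a chain of upper devices. */
struct model_dev {
    int ifindex;
    const struct model_dev *next_upper;
};

/*
 * Bounded collection: copies at most `max` upper-device indexes into
 * `indexes`. Returns the number copied, or -EOVERFLOW as soon as one more
 * upper device exists than the caller's array can hold.
 */
static int collect_upper_ifindexes(const struct model_dev *uppers,
                                   int *indexes, int max)
{
    int n = 0;

    for (const struct model_dev *u = uppers; u; u = u->next_upper) {
        if (n >= max)
            return -EOVERFLOW;   /* check before the write, never after */
        indexes[n++] = u->ifindex;
    }
    return n;
}

/*
 * Caller model: slot 0 holds the ingress device, the remaining slots hold
 * its upper devices. A negative return means the redirect must be aborted.
 */
static int build_excluded(const struct model_dev *uppers, int ingress_ifindex,
                          int *excluded, int cap)
{
    int n;

    if (cap < 1)
        return -EINVAL;
    excluded[0] = ingress_ifindex;
    n = collect_upper_ifindexes(uppers, excluded + 1, cap - 1);
    if (n < 0)
        return n;
    return n + 1;
}

/*
 * Builds `n_uppers` constructed upper devices and collects them into an
 * array of 1 + MAX_NEST_DEV slots followed by a canary. Returns the result
 * of build_excluded(), or CANARY_DAMAGED if the canary was overwritten.
 */
static int run_case(int n_uppers)
{
    struct model_dev pool[POOL_SIZE];
    struct {
        int excluded[1 + MAX_NEST_DEV];
        int canary;
    } frame;
    int i, ret;

    if (n_uppers < 0 || n_uppers > POOL_SIZE)
        return -EINVAL;

    for (i = 0; i < n_uppers; i++) {
        pool[i].ifindex = 100 + i;   /* constructed ifindex values */
        pool[i].next_upper = (i + 1 < n_uppers) ? &pool[i + 1] : NULL;
    }
    frame.canary = CANARY;

    ret = build_excluded(n_uppers ? &pool[0] : NULL, 2,
                         frame.excluded, 1 + MAX_NEST_DEV);
    return frame.canary == CANARY ? ret : CANARY_DAMAGED;
}

int main(void)
{
    static const int cases[] = { 0, 8, 9, 20 };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("uppers=%2d -> %d\n", cases[i], run_case(cases[i]));
    return 0;
}
```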
[ Upstream commit 3919599 ] fb82437 ("PCI: Change capability register offsets to hex") incorrectly converted the PCI_CAP_EXP_ENDPOINT_SIZEOF_V2 value from decimal 52 to hex 0x32: -#define PCI_CAP_EXP_ENDPOINT_SIZEOF_V2 52 /* v2 endpoints with link end here */ +#define PCI_CAP_EXP_ENDPOINT_SIZEOF_V2 0x32 /* end of v2 EPs w/ link */ This broke PCI capabilities in a VMM because subsequent ones weren't DWORD-aligned. Change PCI_CAP_EXP_ENDPOINT_SIZEOF_V2 to the correct value of 0x34. fb82437 was from Baruch Siach <baruch@tkos.co.il>, but this was not Baruch's fault; it's a mistake I made when applying the patch. Fixes: fb82437 ("PCI: Change capability register offsets to hex") Reported-by: David Woodhouse <dwmw2@infradead.org> Closes: https://lore.kernel.org/all/3ae392a0158e9d9ab09a1d42150429dd8ca42791.camel@infradead.org Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> Reviewed-by: Krzysztof Wilczyński <kwilczynski@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 2129ce65c83eeb8011db67dc8d83de2028aace33) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit adbf61c ] ACPI v6.3 defined a new "Online Capable" MADT LAPIC flag. This bit is used in conjunction with the "Enabled" MADT LAPIC flag to determine if a CPU can be enabled/hotplugged by the OS after boot. Before the new bit was defined, the "Enabled" bit was explicitly described like this (ACPI v6.0 wording provided): "If zero, this processor is unusable, and the operating system support will not attempt to use it" This means that CPU hotplug (based on MADT) is not possible. Many BIOS implementations follow this guidance. They may include LAPIC entries in MADT for unavailable CPUs, but since these entries are marked with "Enabled=0" it is expected that the OS will completely ignore these entries. However, QEMU will do the same (include entries with "Enabled=0") for the purpose of allowing CPU hotplug within the guest. Comment from QEMU function pc_madt_cpu_entry(): /* ACPI spec says that LAPIC entry for non present * CPU may be omitted from MADT or it must be marked * as disabled. However omitting non present CPU from * MADT breaks hotplug on linux. So possible CPUs * should be put in MADT but kept disabled. */ Recent Linux topology changes broke the QEMU use case. A following fix for the QEMU use case broke bare metal topology enumeration. Rework the Linux MADT LAPIC flags check to allow the QEMU use case only for guests and to maintain the ACPI spec behavior for bare metal. Remove an unnecessary check added to fix a bare metal case introduced by the QEMU "fix". [ bp: Change logic as Michal suggested. ] [ mingo: Removed misapplied -stable tag. ] Fixes: fed8d87 ("x86/acpi/boot: Correct acpi_is_processor_usable() check") Fixes: f0551af ("x86/topology: Ignore non-present APIC IDs in a present package") Closes: https://lore.kernel.org/r/20251024204658.3da9bf3f.michal.pecio@gmail.com Reported-by: Michal Pecio <michal.pecio@gmail.com> Signed-off-by: Yazen Ghannam <yazen.ghannam@amd.com> Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de> Signed-off-by: Ingo Molnar <mingo@kernel.org> Tested-by: Michal Pecio <michal.pecio@gmail.com> Tested-by: Ricardo Neri <ricardo.neri-calderon@linux.intel.com> Link: https://lore.kernel.org/20251111145357.4031846-1-yazen.ghannam@amd.com Cc: stable@vger.kernel.org Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit a7df760f70742c8a66171e281e7f4354a9abfeab) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 6cfa038 ] Make sure to drop the reference taken when looking up the SMI device during common probe on late probe failure (e.g. probe deferral) and on driver unbind. Fixes: 4740475 ("memory: mtk-smi: Add device link for smi-sub-common") Fixes: 038ae37 ("memory: mtk-smi: add missing put_device() call in mtk_smi_device_link_common") Cc: stable@vger.kernel.org # 5.16: 038ae37 Cc: stable@vger.kernel.org # 5.16 Cc: Yong Wu <yong.wu@mediatek.com> Cc: Miaoqian Lin <linmq006@gmail.com> Signed-off-by: Johan Hovold <johan@kernel.org> Link: https://patch.msgid.link/20251121164624.13685-2-johan@kernel.org Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 984992f31cfb71b25cd0a72ef51ceb5dd6f187e8) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 9dae659 ] Make sure to drop the reference taken when looking up the SMI device during larb probe on late probe failure (e.g. probe deferral) and on driver unbind. Fixes: cc8bbe1 ("memory: mediatek: Add SMI driver") Fixes: 038ae37 ("memory: mtk-smi: add missing put_device() call in mtk_smi_device_link_common") Cc: stable@vger.kernel.org # 4.6: 038ae37 Cc: stable@vger.kernel.org # 4.6 Cc: Yong Wu <yong.wu@mediatek.com> Cc: Miaoqian Lin <linmq006@gmail.com> Signed-off-by: Johan Hovold <johan@kernel.org> Link: https://patch.msgid.link/20251121164624.13685-3-johan@kernel.org Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 1f23a48ff2b8ab47e514f7c84a4b1dbf9b848168) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit ec9fd49 ] The Root Complex specific device tree binding for pcie-dw-rockchip has the 'sys' interrupt marked as required. The driver requests the 'sys' IRQ unconditionally, and errors out if not provided. Thus, we can unconditionally set 'use_linkup_irq', so dw_pcie_host_init() doesn't wait for the link to come up. This will skip the wait for link up (since the bus will be enumerated once the link up IRQ is triggered), which reduces the bootup time. Link: https://lore.kernel.org/r/20250113-rockchip-no-wait-v1-1-25417f37b92f@kernel.org Signed-off-by: Niklas Cassel <cassel@kernel.org> [bhelgaas: commit log] Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org> Stable-dep-of: fc62980 ("Revert "PCI: dw-rockchip: Don't wait for link since we can detect Link Up"") Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit fdf5e166058a17551bc11d60ed55c7dfac196201) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…k Up" [ Upstream commit fc62980 ] This reverts commit ec9fd49. While this fake hotplugging was a nice idea, it has shown that this feature does not handle PCIe switches correctly: pci_bus 0004:43: busn_res: can not insert [bus 43-41] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci_bus 0004:43: busn_res: [bus 43-41] end is updated to 43 pci_bus 0004:43: busn_res: can not insert [bus 43] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci 0004:42:00.0: devices behind bridge are unusable because [bus 43] cannot be assigned for them pci_bus 0004:44: busn_res: can not insert [bus 44-41] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci_bus 0004:44: busn_res: [bus 44-41] end is updated to 44 pci_bus 0004:44: busn_res: can not insert [bus 44] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci 0004:42:02.0: devices behind bridge are unusable because [bus 44] cannot be assigned for them pci_bus 0004:45: busn_res: can not insert [bus 45-41] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci_bus 0004:45: busn_res: [bus 45-41] end is updated to 45 pci_bus 0004:45: busn_res: can not insert [bus 45] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci 0004:42:06.0: devices behind bridge are unusable because [bus 45] cannot be assigned for them pci_bus 0004:46: busn_res: can not insert [bus 46-41] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci_bus 0004:46: busn_res: [bus 46-41] end is updated to 46 pci_bus 0004:46: busn_res: can not insert [bus 46] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci 0004:42:0e.0: devices behind bridge are unusable because [bus 46] cannot be assigned for them pci_bus 0004:42: busn_res: [bus 42-41] end is updated to 46 pci_bus 0004:42: busn_res: can not insert [bus 42-46] under [bus 41] (conflicts with (null) [bus 41]) pci 0004:41:00.0: devices behind bridge are unusable because [bus 42-46] cannot be assigned for them pcieport 0004:40:00.0: bridge has subordinate 41 but max busn 46 During 
the initial scan, PCI core doesn't see the switch and since the Root Port is not hot plug capable, the secondary bus number gets assigned as the subordinate bus number. This means, the PCI core assumes that only one bus will appear behind the Root Port since the Root Port is not hot plug capable. This works perfectly fine for PCIe endpoints connected to the Root Port, since they don't extend the bus. However, if a PCIe switch is connected, then there is a problem when the downstream busses start showing up and the PCI core doesn't extend the subordinate bus number and bridge resources after initial scan during boot. The long term plan is to migrate this driver to the upcoming pwrctrl APIs that are supposed to handle this problem elegantly. Suggested-by: Manivannan Sadhasivam <mani@kernel.org> Signed-off-by: Niklas Cassel <cassel@kernel.org> Signed-off-by: Manivannan Sadhasivam <mani@kernel.org> Tested-by: Shawn Lin <shawn.lin@rock-chips.com> Acked-by: Shawn Lin <shawn.lin@rock-chips.com> Cc: stable@vger.kernel.org Link: https://patch.msgid.link/20251222064207.3246632-9-cassel@kernel.org Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit ff6c9a40e426527faa749ec41a87f552ff2ccbf8) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit d87c828 ] The FEAT_SVE2p1 is indicated by ID_AA64ZFR0_EL1.SVEver. However, the BFADD requires the FEAT_SVE_B16B16, which is indicated by ID_AA64ZFR0_EL1.B16B16. This could cause the test to incorrectly fail on a CPU that supports FEAT_SVE2.1 but not FEAT_SVE_B16B16. LD1Q Gather load quadwords which is decoded from SVE encodings and implied by FEAT_SVE2p1. Fixes: c5195b0 ("kselftest/arm64: Add SVE 2.1 to hwcap test") Signed-off-by: Yifan Wu <wuyifan50@huawei.com> Reviewed-by: Mark Brown <broonie@kernel.org> Signed-off-by: Will Deacon <will@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 1cf22986da18fb14d884f90aaf0aada5fbc86d8e) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 457965c ] If trigger_data_alloc() fails and returns NULL, event_hist_trigger_parse() jumps to the out_free error path. While kfree() safely handles a NULL pointer, trigger_data_free() does not. This causes a NULL pointer dereference in trigger_data_free() when evaluating data->cmd_ops->set_filter. Fix the problem by adding a NULL pointer check to trigger_data_free(). The problem was found by an experimental code review agent based on gemini-3.1-pro while reviewing backports into v6.18.y. Cc: Miaoqian Lin <linmq006@gmail.com> Cc: Masami Hiramatsu <mhiramat@kernel.org> Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> Cc: Steven Rostedt (Google) <rostedt@goodmis.org> Link: https://patch.msgid.link/20260305193339.2810953-1-linux@roeck-us.net Fixes: 0550069 ("tracing: Properly process error handling in event_hist_trigger_parse()") Assisted-by: Gemini:gemini-3.1-pro Signed-off-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 42b380f97d65e76e7b310facd525f730272daf57) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…red blocks commit 11cb63b upstream. As Paolo said earlier [1]: "Since the blamed commit below, classify can return TC_ACT_CONSUMED while the current skb being held by the defragmentation engine. As reported by GangMin Kim, if such packet is that may cause a UaF when the defrag engine later on tries to touch again such packet." act_ct was never meant to be used in the egress path, however some users are attaching it to egress today [2]. Attempting to reach a middle ground, we noticed that, while most qdiscs are not handling TC_ACT_CONSUMED, clsact/ingress qdiscs are. With that in mind, we address the issue by only allowing act_ct to bind to clsact/ingress qdiscs and shared blocks. That way it's still possible to attach act_ct to egress (albeit only with clsact). [1] https://lore.kernel.org/netdev/674b8cbfc385c6f37fb29a1de08d8fe5c2b0fbee.1771321118.git.pabeni@redhat.com/ [2] https://lore.kernel.org/netdev/cc6bfb4a-4a2b-42d8-b9ce-7ef6644fb22b@ovn.org/ Reported-by: GangMin Kim <km.kim1503@gmail.com> Fixes: 3f14b37 ("net/sched: act_ct: fix skb leak and crash on ooo frags") CC: stable@vger.kernel.org Signed-off-by: Victor Nogueira <victor@mojatatu.com> Acked-by: Jamal Hadi Salim <jhs@mojatatu.com> Link: https://patch.msgid.link/20260225134349.1287037-1-victor@mojatatu.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 524ce8b4ea8f64900b6c52b6a28df74f6bc0801e) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 9063d7e2615f4a7ab321de6b520e23d370e58816 upstream. Start states are read from untrusted data and used as indexes into the DFA state tables. The aa_dfa_next() function call in unpack_pdb() will access dfa->tables[YYTD_ID_BASE][start], and if the start state exceeds the number of states in the DFA, this results in an out-of-bound read. ================================================================== BUG: KASAN: slab-out-of-bounds in aa_dfa_next+0x2a1/0x360 Read of size 4 at addr ffff88811956fb90 by task su/1097 ... Reject policies with out-of-bounds start states during unpacking to prevent the issue. Fixes: ad5ff3d ("AppArmor: Add ability to load extended policy") Reported-by: Qualys Security Advisory <qsa@qualys.com> Tested-by: Salvatore Bonaccorso <carnil@debian.org> Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Reviewed-by: Cengiz Can <cengiz.can@canonical.com> Signed-off-by: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 15c3eb8916e7db01cb246d04a1fe6f0fdc065b0c) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit e38c55d9f834e5b848bfed0f5c586aaf45acb825 upstream. The function sets `*ns = NULL` on every call, leaking the namespace string allocated in previous iterations when multiple profiles are unpacked. This also breaks namespace consistency checking since *ns is always NULL when the comparison is made. Remove the incorrect assignment. The caller (aa_unpack) initializes *ns to NULL once before the loop, which is sufficient. Fixes: dd51c84 ("apparmor: provide base for multiple profiles to be replaced at once") Reported-by: Qualys Security Advisory <qsa@qualys.com> Tested-by: Salvatore Bonaccorso <carnil@debian.org> Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Reviewed-by: Cengiz Can <cengiz.can@canonical.com> Signed-off-by: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 786e2c2a87d9c505f33321d1fd23a176aa8ddeb1) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit ab09264660f9de5d05d1ef4e225aa447c63a8747 upstream.
The profile removal code uses recursion when removing nested profiles,
which can lead to kernel stack exhaustion and system crashes.
Reproducer:
$ pf='a'; for ((i=0; i<1024; i++)); do
echo -e "profile $pf { \n }" | apparmor_parser -K -a;
pf="$pf//x";
done
$ echo -n a > /sys/kernel/security/apparmor/.remove
Replace the recursive __aa_profile_list_release() approach with an
iterative approach in __remove_profile(). The function repeatedly
finds and removes leaf profiles until the entire subtree is removed,
maintaining the same removal semantic without recursion.
Fixes: c88d4c7 ("AppArmor: core policy routines")
Reported-by: Qualys Security Advisory <qsa@qualys.com>
Tested-by: Salvatore Bonaccorso <carnil@debian.org>
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Reviewed-by: Cengiz Can <cengiz.can@canonical.com>
Signed-off-by: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 999bd704b0b641527a5ed46f0d969deff8cfa68b)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
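The leaf-first removal described in the commit message above, as an added C sketch that is not the kernel's code. `struct node`, `new_node()`, `build_tree()` and `remove_subtree()` are hypothetical stand-ins for nested profiles, and the tree is constructed in-process; stack use stays constant however deep the nesting goes.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a profile that can contain child profiles. */
struct node {
    struct node *parent;
    struct node *first_child;
    struct node *next_sibling;
};

/* Allocate a node and link it as the first child of `parent` (if any). */
static struct node *new_node(struct node *parent)
{
    struct node *n = calloc(1, sizeof(*n));

    if (!n)
        abort();
    n->parent = parent;
    if (parent) {
        n->next_sibling = parent->first_child;
        parent->first_child = n;
    }
    return n;
}

/*
 * Constructed input: a chain `depth` nodes deep, with one extra leaf
 * attached at every `leaf_every`-th level. Returns the node count.
 */
static size_t build_tree(struct node **root_out, size_t depth, size_t leaf_every)
{
    struct node *cur = new_node(NULL);
    size_t count = 1;

    *root_out = cur;
    for (size_t i = 1; i < depth; i++) {
        if (leaf_every && i % leaf_every == 0) {
            new_node(cur);          /* extra leaf sibling */
            count++;
        }
        cur = new_node(cur);        /* next level of nesting */
        count++;
    }
    return count;
}

/*
 * Remove a detached subtree without recursion: walk down to a leaf,
 * unlink and free it, step back to its parent, repeat until the root
 * itself is a leaf. Returns the number of nodes freed.
 */
static size_t remove_subtree(struct node *root)
{
    struct node *cur = root;
    size_t freed = 0;

    for (;;) {
        while (cur->first_child)
            cur = cur->first_child;

        struct node *parent = cur->parent;
        int is_root = (cur == root);

        /* We always descend via first_child, so the leaf is the list head. */
        if (!is_root)
            parent->first_child = cur->next_sibling;
        free(cur);
        freed++;
        if (is_root)
            return freed;
        cur = parent;
    }
}

int main(void)
{
    struct node *root;
    size_t built = build_tree(&root, 100000, 1000);
    size_t freed = remove_subtree(root);

    printf("built %zu nodes, freed %zu\n", built, freed);
    return built == freed ? 0 : 1;
}
```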
commit 306039414932c80f8420695a24d4fe10c84ccfb2 upstream. Currently the number of policy namespaces is not bounded relying on the user namespace limit. However policy namespaces aren't strictly tied to user namespaces and it is possible to create them and nest them arbitrarily deep which can be used to exhaust system resource. Hard cap policy namespaces to the same depth as user namespaces. Fixes: c88d4c7 ("AppArmor: core policy routines") Reported-by: Qualys Security Advisory <qsa@qualys.com> Reviewed-by: Ryan Lee <ryan.lee@canonical.com> Reviewed-by: Cengiz Can <cengiz.can@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 853ce31ca72097d23991a06876a2ccb5cb64b603) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 8756b68edae37ff546c02091989a4ceab3f20abd upstream. The match_char() macro evaluates its character parameter multiple times when traversing differential encoding chains. When invoked with *str++, the string pointer advances on each iteration of the inner do-while loop, causing the DFA to check different characters at each iteration and therefore skip input characters. This results in out-of-bounds reads when the pointer advances past the input buffer boundary. [ 94.984676] ================================================================== [ 94.985301] BUG: KASAN: slab-out-of-bounds in aa_dfa_match+0x5ae/0x760 [ 94.985655] Read of size 1 at addr ffff888100342000 by task file/976 [ 94.986319] CPU: 7 UID: 1000 PID: 976 Comm: file Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy) [ 94.986322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 94.986329] Call Trace: [ 94.986341] <TASK> [ 94.986347] dump_stack_lvl+0x5e/0x80 [ 94.986374] print_report+0xc8/0x270 [ 94.986384] ? aa_dfa_match+0x5ae/0x760 [ 94.986388] kasan_report+0x118/0x150 [ 94.986401] ? aa_dfa_match+0x5ae/0x760 [ 94.986405] aa_dfa_match+0x5ae/0x760 [ 94.986408] __aa_path_perm+0x131/0x400 [ 94.986418] aa_path_perm+0x219/0x2f0 [ 94.986424] apparmor_file_open+0x345/0x570 [ 94.986431] security_file_open+0x5c/0x140 [ 94.986442] do_dentry_open+0x2f6/0x1120 [ 94.986450] vfs_open+0x38/0x2b0 [ 94.986453] ? may_open+0x1e2/0x2b0 [ 94.986466] path_openat+0x231b/0x2b30 [ 94.986469] ? __x64_sys_openat+0xf8/0x130 [ 94.986477] do_file_open+0x19d/0x360 [ 94.986487] do_sys_openat2+0x98/0x100 [ 94.986491] __x64_sys_openat+0xf8/0x130 [ 94.986499] do_syscall_64+0x8e/0x660 [ 94.986515] ? count_memcg_events+0x15f/0x3c0 [ 94.986526] ? srso_alias_return_thunk+0x5/0xfbef5 [ 94.986540] ? handle_mm_fault+0x1639/0x1ef0 [ 94.986551] ? vma_start_read+0xf0/0x320 [ 94.986558] ? srso_alias_return_thunk+0x5/0xfbef5 [ 94.986561] ? srso_alias_return_thunk+0x5/0xfbef5 [ 94.986563] ? 
fpregs_assert_state_consistent+0x50/0xe0 [ 94.986572] ? srso_alias_return_thunk+0x5/0xfbef5 [ 94.986574] ? arch_exit_to_user_mode_prepare+0x9/0xb0 [ 94.986587] ? srso_alias_return_thunk+0x5/0xfbef5 [ 94.986588] ? irqentry_exit+0x3c/0x590 [ 94.986595] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 94.986597] RIP: 0033:0x7fda4a79c3ea Fix by extracting the character value before invoking match_char, ensuring single evaluation per outer loop. Fixes: 074c1cd ("apparmor: dfa move character match into a macro") Reported-by: Qualys Security Advisory <qsa@qualys.com> Tested-by: Salvatore Bonaccorso <carnil@debian.org> Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Reviewed-by: Cengiz Can <cengiz.can@canonical.com> Signed-off-by: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit b73c1dff8a9d7eeaebabf8097a5b2de192f40913) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
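The multiple-evaluation problem described in the commit message above, as an added C model that is not the kernel's match.c. `MATCH_CHAR`, `struct toy_dfa`, the table `toy` and the buffer `sample` are constructed for illustration; the matcher is told the input is 4 bytes long and the bytes after that stand in for memory beyond the buffer.

```c
#include <stddef.h>
#include <stdio.h>

#define NSTATES 4
#define NONE 0xff   /* no explicit transition for this character */
#define DIFF 1      /* differentially encoded: on a miss, retry in def[] */

/* Toy DFA over the alphabet {a, b, c}; a model, not the AppArmor layout. */
struct toy_dfa {
    unsigned char flags[NSTATES];
    unsigned char def[NSTATES];
    unsigned char own[NSTATES][3];
};

static const struct toy_dfa toy = {
    .flags = { 0, 0, DIFF, DIFF },
    .def   = { 0, 0, 1, 2 },          /* state 0 is the trap state */
    .own   = {
        { NONE, NONE, NONE },
        { 2,    NONE, NONE },         /* state 1 (start): a -> 2 */
        { NONE, 3,    NONE },         /* state 2: b -> 3, else via state 1 */
        { NONE, NONE, 3    },         /* state 3: c -> 3, else via state 2 */
    },
};

/* Constructed input: logical length 4 ("abaa"), then trailing bytes. */
static const char sample[] = "abaaccaa";

/*
 * The character argument C is expanded inside the loop body, so it is
 * evaluated once per step of the differential-encoding chain.
 */
#define MATCH_CHAR(dfa, state, C)                               \
    do {                                                        \
        unsigned char t_ = (dfa)->own[(state)][(C) - 'a'];      \
        if (t_ != NONE) {                                       \
            (state) = t_;                                       \
            break;                                              \
        }                                                       \
        if ((dfa)->flags[(state)] & DIFF) {                     \
            (state) = (dfa)->def[(state)];                      \
            continue;                                           \
        }                                                       \
        (state) = (dfa)->def[(state)];                          \
        break;                                                  \
    } while (1)

struct match_result {
    unsigned state;     /* final DFA state */
    size_t consumed;    /* bytes the pointer actually advanced */
};

/* Before: *p++ is re-evaluated on every chain step, skipping input. */
static struct match_result match_unsafe(const struct toy_dfa *dfa, unsigned start,
                                        const char *str, size_t len)
{
    const char *p = str;
    unsigned state = start;

    for (; len; len--)
        MATCH_CHAR(dfa, state, *p++);
    return (struct match_result){ state, (size_t)(p - str) };
}

/* After: read the character once, then hand the value to the macro. */
static struct match_result match_safe(const struct toy_dfa *dfa, unsigned start,
                                      const char *str, size_t len)
{
    const char *p = str;
    unsigned state = start;

    for (; len; len--) {
        unsigned char c = (unsigned char)*p++;

        MATCH_CHAR(dfa, state, c);
    }
    return (struct match_result){ state, (size_t)(p - str) };
}

int main(void)
{
    struct match_result bad = match_unsafe(&toy, 1, sample, 4);
    struct match_result ok = match_safe(&toy, 1, sample, 4);

    printf("unsafe: state %u after %zu bytes (len was 4)\n", bad.state, bad.consumed);
    printf("safe:   state %u after %zu bytes\n", ok.state, ok.consumed);
    return 0;
}
```

A consumed count larger than the length passed in is the out-of-bounds read the KASAN report shows; the two variants also end in different states because the unsafe one matched against the wrong characters.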
commit d352873bbefa7eb39995239d0b44ccdf8aaa79a4 upstream. The verify_dfa() function only checks DEFAULT_TABLE bounds when the state is not differentially encoded. When the verification loop traverses the differential encoding chain, it reads k = DEFAULT_TABLE[j] and uses k as an array index without validation. A malformed DFA with DEFAULT_TABLE[j] >= state_count, therefore, causes both out-of-bounds reads and writes. [ 57.179855] ================================================================== [ 57.180549] BUG: KASAN: slab-out-of-bounds in verify_dfa+0x59a/0x660 [ 57.180904] Read of size 4 at addr ffff888100eadec4 by task su/993 [ 57.181554] CPU: 1 UID: 0 PID: 993 Comm: su Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy) [ 57.181558] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 57.181563] Call Trace: [ 57.181572] <TASK> [ 57.181577] dump_stack_lvl+0x5e/0x80 [ 57.181596] print_report+0xc8/0x270 [ 57.181605] ? verify_dfa+0x59a/0x660 [ 57.181608] kasan_report+0x118/0x150 [ 57.181620] ? verify_dfa+0x59a/0x660 [ 57.181623] verify_dfa+0x59a/0x660 [ 57.181627] aa_dfa_unpack+0x1610/0x1740 [ 57.181629] ? __kmalloc_cache_noprof+0x1d0/0x470 [ 57.181640] unpack_pdb+0x86d/0x46b0 [ 57.181647] ? srso_alias_return_thunk+0x5/0xfbef5 [ 57.181653] ? srso_alias_return_thunk+0x5/0xfbef5 [ 57.181656] ? aa_unpack_nameX+0x1a8/0x300 [ 57.181659] aa_unpack+0x20b0/0x4c30 [ 57.181662] ? srso_alias_return_thunk+0x5/0xfbef5 [ 57.181664] ? stack_depot_save_flags+0x33/0x700 [ 57.181681] ? kasan_save_track+0x4f/0x80 [ 57.181683] ? kasan_save_track+0x3e/0x80 [ 57.181686] ? __kasan_kmalloc+0x93/0xb0 [ 57.181688] ? __kvmalloc_node_noprof+0x44a/0x780 [ 57.181693] ? aa_simple_write_to_buffer+0x54/0x130 [ 57.181697] ? policy_update+0x154/0x330 [ 57.181704] aa_replace_profiles+0x15a/0x1dd0 [ 57.181707] ? srso_alias_return_thunk+0x5/0xfbef5 [ 57.181710] ? __kvmalloc_node_noprof+0x44a/0x780 [ 57.181712] ? aa_loaddata_alloc+0x77/0x140 [ 57.181715] ? 
srso_alias_return_thunk+0x5/0xfbef5 [ 57.181717] ? _copy_from_user+0x2a/0x70 [ 57.181730] policy_update+0x17a/0x330 [ 57.181733] profile_replace+0x153/0x1a0 [ 57.181735] ? rw_verify_area+0x93/0x2d0 [ 57.181740] vfs_write+0x235/0xab0 [ 57.181745] ksys_write+0xb0/0x170 [ 57.181748] do_syscall_64+0x8e/0x660 [ 57.181762] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 57.181765] RIP: 0033:0x7f6192792eb2 Remove the MATCH_FLAG_DIFF_ENCODE condition to validate all DEFAULT_TABLE entries unconditionally. Fixes: 031dcc8 ("apparmor: dfa add support for state differential encoding") Reported-by: Qualys Security Advisory <qsa@qualys.com> Tested-by: Salvatore Bonaccorso <carnil@debian.org> Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Reviewed-by: Cengiz Can <cengiz.can@canonical.com> Signed-off-by: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 76b4d36c5122866452d34d8f79985e191f9c3831) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 5df0c44e8f5f619d3beb871207aded7c78414502 upstream.
if ns_name is NULL after
1071 error = aa_unpack(udata, &lh, &ns_name);
and if ent->ns_name contains an ns_name in
1089 } else if (ent->ns_name) {
then ns_name is assigned the ent->ns_name
1095 ns_name = ent->ns_name;
however ent->ns_name is freed at
1262 aa_load_ent_free(ent);
and then again when freeing ns_name at
1270 kfree(ns_name);
Fix this by NULLing out ent->ns_name after it is transferred to ns_name
Fixes: 145a0ef ("apparmor: fix blob compression when ns is forced on a policy load")
Reported-by: Qualys Security Advisory <qsa@qualys.com>
Tested-by: Salvatore Bonaccorso <carnil@debian.org>
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Reviewed-by: Cengiz Can <cengiz.can@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 86feeccd6b93ed94bd6655f30de80f163f8d5a45)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…ment commit 6601e13e82841879406bf9f369032656f441a425 upstream. An unprivileged local user can load, replace, and remove profiles by opening the apparmorfs interfaces, via a confused deputy attack, by passing the opened fd to a privileged process, and getting the privileged process to write to the interface. This does require a privileged target that can be manipulated to do the write for the unprivileged process, but once such access is achieved full policy management is possible and all the possible implications that implies: removing confinement, DoS of system or target applications by denying all execution, by-passing the unprivileged user namespace restriction, to exploiting kernel bugs for a local privilege escalation. The policy management interface can not have its permissions simply changed from 0666 to 0600 because non-root processes need to be able to load policy to different policy namespaces. Instead ensure the task writing the interface has privileges that are a subset of the task that opened the interface. This is already done via policy for confined processes, but unconfined can delegate access to the opened fd, by-passing the usual policy check. Fixes: b7fd2c0 ("apparmor: add per policy ns .load, .replace, .remove interface files") Reported-by: Qualys Security Advisory <qsa@qualys.com> Tested-by: Salvatore Bonaccorso <carnil@debian.org> Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Reviewed-by: Cengiz Can <cengiz.can@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 0fc63dd9170643d15c25681fca792539e23f4640) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 39440b137546a3aa383cfdabc605fb73811b6093 upstream. Differential encoding allows loops to be created if it is abused. To prevent this the unpack should verify that a diff-encode chain terminates. Unfortunately the differential encode verification had two bugs. 1. it conflated states that had gone through check and already been marked, with states that were currently being checked and marked. This means that loops in the current chain being verified are treated as a chain that has already been verified. 2. the order bailout on already checked states compared current chain check iterators j,k instead of using the outer loop iterator i. Meaning a step backwards in states in the current chain verification was being mistaken for moving to an already verified state. Move to a double mark scheme where already verified states get a different mark, than the current chain being kept. This enables us to also drop the backwards verification check that was the cause of the second error as any already verified state is already marked. Fixes: 031dcc8 ("apparmor: dfa add support for state differential encoding") Reported-by: Qualys Security Advisory <qsa@qualys.com> Tested-by: Salvatore Bonaccorso <carnil@debian.org> Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Reviewed-by: Cengiz Can <cengiz.can@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 34fc60b125ed1d4eb002c76b0664bf0619492167) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
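The unpack-time checks from this commit message and from the two earlier ones on start-state and DEFAULT_TABLE bounds, combined in one added C model that is not the kernel's verify_dfa(). `struct toy_tables`, the error codes and the four sample tables are constructed; `verify_single_mark()` models the conflated-mark flaw described above and `verify_double_mark()` the two-mark scheme.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_STATES  16
#define DIFF_ENCODE 1u   /* on a miss, retry the same input in def[state] */

enum { V_OK = 0, V_BAD_SIZE = -1, V_BAD_START = -2,
       V_BAD_DEFAULT = -3, V_DIFF_LOOP = -4 };
enum { UNMARKED = 0, MARK_CURRENT, MARK_VERIFIED };

/* Toy stand-in for unpacked, untrusted DFA tables. */
struct toy_tables {
    size_t state_count;
    unsigned start;
    const unsigned *flags;
    const unsigned *def;
};

/* Every index read from the blob is range-checked, for every state. */
static int check_bounds(const struct toy_tables *t)
{
    if (t->state_count == 0 || t->state_count > MAX_STATES)
        return V_BAD_SIZE;
    if (t->start >= t->state_count)
        return V_BAD_START;
    for (size_t i = 0; i < t->state_count; i++)
        if (t->def[i] >= t->state_count)
            return V_BAD_DEFAULT;
    return V_OK;
}

/* Flawed model: one mark means both "verified" and "in this walk". */
static int verify_single_mark(const struct toy_tables *t)
{
    unsigned char marked[MAX_STATES] = { 0 };
    int err = check_bounds(t);

    if (err)
        return err;
    for (size_t i = 0; i < t->state_count; i++) {
        size_t j = i;

        /* Stops on any marked state, so a cycle looks like a verified tail. */
        while ((t->flags[j] & DIFF_ENCODE) && !marked[j]) {
            marked[j] = 1;
            j = t->def[j];
        }
    }
    return V_OK;
}

/* Two marks: meeting MARK_CURRENT again means the chain loops. */
static int verify_double_mark(const struct toy_tables *t)
{
    unsigned char mark[MAX_STATES] = { UNMARKED };
    int err = check_bounds(t);

    if (err)
        return err;
    for (size_t i = 0; i < t->state_count; i++) {
        size_t j = i;

        while ((t->flags[j] & DIFF_ENCODE) && mark[j] == UNMARKED) {
            mark[j] = MARK_CURRENT;
            j = t->def[j];
        }
        if (mark[j] == MARK_CURRENT)
            return V_DIFF_LOOP;
        /* Chain ended at a plain or verified state: promote this walk. */
        for (j = i; mark[j] == MARK_CURRENT; j = t->def[j])
            mark[j] = MARK_VERIFIED;
    }
    return V_OK;
}

/* Constructed tables: states 2 and 3 are differentially encoded. */
static const unsigned flags4[4]      = { 0, 0, DIFF_ENCODE, DIFF_ENCODE };
static const unsigned def_chain[4]   = { 0, 0, 1, 2 };  /* 3 -> 2 -> 1, ends */
static const unsigned def_range[4]   = { 0, 0, 7, 2 };  /* entry 7 >= count  */
static const unsigned def_looped[4]  = { 0, 0, 3, 2 };  /* 2 -> 3 -> 2 ...   */

static const struct toy_tables good        = { 4, 1, flags4, def_chain };
static const struct toy_tables bad_start   = { 4, 4, flags4, def_chain };
static const struct toy_tables bad_default = { 4, 1, flags4, def_range };
static const struct toy_tables looped      = { 4, 1, flags4, def_looped };

int main(void)
{
    printf("good:        %d\n", verify_double_mark(&good));
    printf("bad start:   %d\n", verify_double_mark(&bad_start));
    printf("bad default: %d\n", verify_double_mark(&bad_default));
    printf("loop, single mark: %d\n", verify_single_mark(&looped));
    printf("loop, double mark: %d\n", verify_double_mark(&looped));
    return 0;
}
```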
commit a0b7091c4de45a7325c8780e6934a894f92ac86b upstream. There is a race condition that leads to a use-after-free situation: because the rawdata inodes are not refcounted, an attacker can start open()ing one of the rawdata files, and at the same time remove the last reference to this rawdata (by removing the corresponding profile, for example), which frees its struct aa_loaddata; as a result, when seq_rawdata_open() is reached, i_private is a dangling pointer and freed memory is accessed. The rawdata inodes weren't refcounted to avoid a circular refcount and were supposed to be held by the profile rawdata reference. However during profile removal there is a window where the vfs and profile destruction race, resulting in the use after free. Fix this by moving to a double refcount scheme. Where the profile refcount on rawdata is used to break the circular dependency. Allowing for freeing of the rawdata once all inode references to the rawdata are put. Fixes: 5d5182c ("apparmor: move to per loaddata files, instead of replicating in profiles") Reported-by: Qualys Security Advisory <qsa@qualys.com> Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Reviewed-by: Maxime Bélair <maxime.belair@canonical.com> Reviewed-by: Cengiz Can <cengiz.can@canonical.com> Tested-by: Salvatore Bonaccorso <carnil@debian.org> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit f9761add6d100962a23996cb68f3d6abdd4d1815) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 8e135b8aee5a06c52a4347a5a6d51223c6f36ba3 upstream. AppArmor was putting the reference to i_private data on its end after removing the original entry from the file system. However the inode can and does live beyond that point and it is possible that some of the fs call back functions will be invoked after the reference has been put, which results in a race between freeing the data and accessing it through the fs. While the rawdata/loaddata is the most likely candidate to fail the race, as it has the fewest references. If properly crafted it might be possible to trigger a race for the other types stored in i_private. Fix this by moving the put of i_private referenced data to the correct place which is during inode eviction. Fixes: c961ee5 ("apparmor: convert from securityfs to apparmorfs for policy ns files") Reported-by: Qualys Security Advisory <qsa@qualys.com> Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Reviewed-by: Maxime Bélair <maxime.belair@canonical.com> Reviewed-by: Cengiz Can <cengiz.can@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit eecce026399917f6efa532c56bc7a3e9dd6ee68b) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 3c3fac6 upstream. In ext4_mb_init(), ext4_mb_avg_fragment_size_destroy() may be called when sbi->s_mb_avg_fragment_size remains uninitialized (e.g., if groupinfo slab cache allocation fails). Since ext4_mb_avg_fragment_size_destroy() lacks null pointer checking, this leads to a null pointer dereference. ================================================================== EXT4-fs: no memory for groupinfo slab cache BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: Oops: 0002 [#1] SMP PTI CPU:2 UID: 0 PID: 87 Comm:mount Not tainted 6.17.0-rc2 deepin-community#1134 PREEMPT(none) RIP: 0010:_raw_spin_lock_irqsave+0x1b/0x40 Call Trace: <TASK> xa_destroy+0x61/0x130 ext4_mb_init+0x483/0x540 __ext4_fill_super+0x116d/0x17b0 ext4_fill_super+0xd3/0x280 get_tree_bdev_flags+0x132/0x1d0 vfs_get_tree+0x29/0xd0 do_new_mount+0x197/0x300 __x64_sys_mount+0x116/0x150 do_syscall_64+0x50/0x1c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e ================================================================== Therefore, add necessary null check to ext4_mb_avg_fragment_size_destroy() to prevent this issue. The same fix is also applied to ext4_mb_largest_free_orders_destroy(). Reported-by: syzbot+1713b1aa266195b916c2@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=1713b1aa266195b916c2 Cc: stable@kernel.org Fixes: f7eaacb ("ext4: convert free groups order lists to xarrays") Signed-off-by: Baokun Li <libaokun1@huawei.com> Reviewed-by: Zhang Yi <yi.zhang@huawei.com> Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com> Signed-off-by: Theodore Ts'o <tytso@mit.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 08d9175578d6a8e9b81921898fbf01aa669cd2be) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 55db009 upstream. cancel_work_sync() is a sleeping function so it cannot be called with the spin lock of a port being held. Move the call to this function in ata_port_detach() after EH completes, with the port lock released, together with other work cancellation calls. Fixes: 0ea8408 ("ata: libata-scsi: avoid Non-NCQ command starvation") Signed-off-by: Damien Le Moal <dlemoal@kernel.org> Reviewed-by: Hannes Reinecke <hare@suse.de> Reviewed-by: Igor Pylypiv <ipylypiv@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 42ea6c476b2739c9acdf7120bd2d6ef9d0d78456) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit eddb98a upstream. A deferred qc may timeout while waiting for the device queue to drain to be submitted. In such case, since the qc is not active, ata_scsi_cmd_error_handler() ends up calling scsi_eh_finish_cmd(), which frees the qc. But as the port deferred_qc field still references this finished/freed qc, the deferred qc work may eventually attempt to call ata_qc_issue() against this invalid qc, leading to errors such as reported by UBSAN (syzbot run): UBSAN: shift-out-of-bounds in drivers/ata/libata-core.c:5166:24 shift exponent 4210818301 is too large for 64-bit type 'long long unsigned int' ... Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120 ubsan_epilogue+0xa/0x30 lib/ubsan.c:233 __ubsan_handle_shift_out_of_bounds+0x279/0x2a0 lib/ubsan.c:494 ata_qc_issue.cold+0x38/0x9f drivers/ata/libata-core.c:5166 ata_scsi_deferred_qc_work+0x154/0x1f0 drivers/ata/libata-scsi.c:1679 process_one_work+0x9d7/0x1920 kernel/workqueue.c:3275 process_scheduled_works kernel/workqueue.c:3358 [inline] worker_thread+0x5da/0xe40 kernel/workqueue.c:3439 kthread+0x370/0x450 kernel/kthread.c:467 ret_from_fork+0x754/0xd80 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> Fix this by checking if the qc of a timed out SCSI command is a deferred one, and in such case, clear the port deferred_qc field and finish the SCSI command with DID_TIME_OUT. Reported-by: syzbot+1f77b8ca15336fff21ff@syzkaller.appspotmail.com Fixes: 0ea8408 ("ata: libata-scsi: avoid Non-NCQ command starvation") Signed-off-by: Damien Le Moal <dlemoal@kernel.org> Reviewed-by: Hannes Reinecke <hare@suse.de> Reviewed-by: Igor Pylypiv <ipylypiv@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit d2459cba1d9977af5e09efbe2f3379b03966d367) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit aac9b27 upstream. Syzbot reported a WARN_ON() in ata_scsi_deferred_qc_work(), caused by ap->ops->qc_defer() returning non-zero before issuing the deferred qc. ata_scsi_schedule_deferred_qc() is called during each command completion. This function will check if there is a deferred QC, and if ap->ops->qc_defer() returns zero, meaning that it is possible to queue the deferred qc at this time (without being deferred), then it will queue the work which will issue the deferred qc. Once the work gets to run, which can potentially be a very long time after the work was scheduled, there is a WARN_ON() if ap->ops->qc_defer() returns non-zero. While we hold the ap->lock both when assigning and clearing deferred_qc, and the work itself holds the ap->lock, the code currently does not cancel the work after clearing the deferred qc. This means that the following scenario can happen: 1) One or several NCQ commands are queued. 2) A non-NCQ command is queued, gets stored in ap->deferred_qc. 3) Last NCQ command gets completed, work is queued to issue the deferred qc. 4) Timeout or error happens, ap->deferred_qc is cleared. The queued work is currently NOT canceled. 5) Port is reset. 6) One or several NCQ commands are queued. 7) A non-NCQ command is queued, gets stored in ap->deferred_qc. 8) Work is finally run. Yet at this time, there are still NCQ commands in flight. The work in 8) really belongs to the non-NCQ command in 2), not to the non-NCQ command in 7). The reason why the work is executed when it is not supposed to, is because it was never canceled when ap->deferred_qc was cleared in 4). Thus, ensure that we always cancel the work after clearing ap->deferred_qc. Another potential fix would have been to let ata_scsi_deferred_qc_work() do nothing if ap->ops->qc_defer() returns non-zero. 
However, canceling the work when clearing ap->deferred_qc seems slightly more logical, as we hold the ap->lock when clearing ap->deferred_qc, so we know that the work cannot be holding the lock. (The function could be waiting for the lock, but that is okay since it will do nothing if ap->deferred_qc is not set.) Reported-by: syzbot+bcaf842a1e8ead8dfb89@syzkaller.appspotmail.com Fixes: 0ea8408 ("ata: libata-scsi: avoid Non-NCQ command starvation") Fixes: eddb98a ("ata: libata-eh: correctly handle deferred qc timeouts") Reviewed-by: Igor Pylypiv <ipylypiv@google.com> Reviewed-by: Damien Le Moal <dlemoal@kernel.org> Signed-off-by: Niklas Cassel <cassel@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 0d12453818c35e1ded84633152c6b05002ae48b9) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit ee0e6e6 upstream.

If the ata_qc_for_each_raw() loop finishes without finding a matching SCSI command for any QC, the variable qc will hold a pointer to the last element examined, which has the tag i == ATA_MAX_QUEUE - 1. This qc can match the port deferred QC (ap->deferred_qc). If that happens, the condition qc == ap->deferred_qc evaluates to true despite the loop not breaking with a match on the SCSI command for this QC. In that case, the error handler mistakenly intercepts a command that has not been issued yet and that has not timed out, and thus erroneously returns a timeout error.

Fix the problem by checking for i < ATA_MAX_QUEUE in addition to qc == ap->deferred_qc.

The problem was found by an experimental code review agent based on gemini-3.1-pro while reviewing backports into v6.18.y.

Assisted-by: Gemini:gemini-3.1-pro
Fixes: eddb98a ("ata: libata-eh: correctly handle deferred qc timeouts")
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
[cassel: modified commit log as suggested by Damien]
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 1ba82a3bbc09822ecd143885dbb0236e073adc08)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
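The loop-exhaustion case from the commit message above in a user-space C model. It is added here as an illustration and is not taken from libata; `MAX_QUEUE` stands in for ATA_MAX_QUEUE, and the types, helper names and the two sample commands are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_QUEUE 32                 /* stand-in for ATA_MAX_QUEUE */

struct scsi_cmd { int id; };         /* constructed stand-in types */
struct qc { struct scsi_cmd *scmd; };
struct port {
    struct qc qcmd[MAX_QUEUE];
    struct qc *deferred_qc;          /* held back, not yet issued */
};

/* Walk every slot looking for the qc that carries scmd. On a miss the loop
 * ends with i == MAX_QUEUE while qc still points at slot MAX_QUEUE - 1. */
static struct qc *find_qc(struct port *ap, struct scsi_cmd *scmd, int *idx)
{
    struct qc *qc = NULL;
    int i;

    for (i = 0; i < MAX_QUEUE; i++) {
        qc = &ap->qcmd[i];
        if (qc->scmd == scmd)
            break;
    }
    *idx = i;
    return qc;
}

/* Before the fix: only the pointer comparison, so a miss can look like a hit. */
static bool is_deferred_unchecked(struct port *ap, struct scsi_cmd *scmd)
{
    int i;
    struct qc *qc = find_qc(ap, scmd, &i);

    return qc == ap->deferred_qc;
}

/* After the fix: the index proves the loop stopped on a real match. */
static bool is_deferred_checked(struct port *ap, struct scsi_cmd *scmd)
{
    int i;
    struct qc *qc = find_qc(ap, scmd, &i);

    return i < MAX_QUEUE && qc == ap->deferred_qc;
}

/* Constructed scenario: `waiting` is the deferred command and occupies the
 * last slot; `stale` times out but has no qc in the table at all. */
int run_case(bool use_check, bool timed_out_is_deferred_cmd)
{
    struct scsi_cmd waiting = { 1 }, stale = { 2 };
    struct scsi_cmd *timed_out = timed_out_is_deferred_cmd ? &waiting : &stale;
    struct port ap;

    memset(&ap, 0, sizeof(ap));
    ap.qcmd[MAX_QUEUE - 1].scmd = &waiting;
    ap.deferred_qc = &ap.qcmd[MAX_QUEUE - 1];

    return use_check ? is_deferred_checked(&ap, timed_out)
                     : is_deferred_unchecked(&ap, timed_out);
}

int main(void)
{
    printf("no match, unchecked: %d\n", run_case(false, false));
    printf("no match, checked:   %d\n", run_case(true, false));
    printf("real match, checked: %d\n", run_case(true, true));
    return 0;
}
```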
Link: https://lore.kernel.org/r/20260312201018.128816016@linuxfoundation.org Tested-by: Brett A C Sheffield <bacs@librecast.net> Tested-by: Shuah Khan <skhan@linuxfoundation.org> Tested-by: Mark Brown <broonie@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 6f232446a62980e51f537db1c655e686d869b9ed) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
Sorry @opsiff, your pull request is larger than the review limit of 150000 diff characters
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by:
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Pull request overview
This pull request updates the Deepin kernel stable base from Linux 6.12.75 to 6.12.77, pulling in upstream stable fixes across networking, filesystems, security (AppArmor), drivers, architecture code, and test infrastructure.
Changes:
- Bump kernel version sublevel to 6.12.77.
- Pull in upstream stable fixes/refactors across multiple subsystems (net, fs, security, drivers, arch).
- Update/extend selftests and KUnit tooling to match upstream behavior.
Reviewed changes
Copilot reviewed 241 out of 241 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| tools/testing/selftests/net/mptcp/simult_flows.sh | Adjust netem queue limit to stabilize RTT estimation in tests. |
| tools/testing/selftests/net/mptcp/mptcp_join.sh | Add MPTCP remove test case for signal+subflow with limits. |
| tools/testing/selftests/kselftest_harness.h | Constructor priorities + safer memset helper for harness metadata. |
| tools/testing/selftests/arm64/abi/hwcap.c | Update SVE2p1 SIGILL instruction used by ABI test. |
| tools/testing/kunit/kunit_tool_test.py | Add regression test ensuring run_kernel args aren’t mutated. |
| tools/testing/kunit/kunit_kernel.py | Avoid mutating caller-provided kernel args by copying list. |
| sound/usb/validate.c | Fix UAC3 header validator version constant. |
| sound/usb/quirks.c | Adjust quirk flags for Focusrite Novation vendor ID. |
| sound/usb/mixer_scarlett2.c | Scarlett2 control bookkeeping changes and config sizing fixes. |
| sound/usb/endpoint.c | Rename packet sizing helper + clamp packsize to maxframesize. |
| sound/pci/hda/patch_realtek.c | Add/extend machine quirks for Realtek codecs. |
| sound/pci/hda/patch_conexant.c | Add new Conexant fixup for Acer Swift / extend quirks. |
| sound/pci/hda/cs35l56_hda.c | Use snd_kcontrol_chip() and type cleanup for control data. |
| security/apparmor/policy_unpack.c | Refcounting rework for loaddata + DFA start-state validation. |
| security/apparmor/policy_ns.c | Enforce maximum AppArmor namespace nesting depth. |
| security/apparmor/label.c | Switch label/proxy refcount fields to aa_common_ref. |
| security/apparmor/include/policy.h | Update kref accessors and aa_may_manage_policy signature. |
| security/apparmor/include/policy_ns.h | Define MAX_NS_DEPTH for namespace nesting. |
| security/apparmor/include/match.h | Add MARK_DIFF_ENCODE_VERIFIED flag. |
| security/apparmor/include/lib.h | Introduce aa_common_ref and reftype enum for aafs objects. |
| security/apparmor/include/label.h | Convert label/proxy krefs to aa_common_ref and update helpers. |
| rust/kernel/kunit.rs | Avoid unused-args warning when CONFIG_PRINTK is disabled. |
| net/xdp/xsk.c | Refactor ZC receive path handling for frags and descriptor accounting. |
| net/xdp/xsk_buff_pool.c | Unify list node usage for XSK buffer pool bookkeeping. |
| net/wireless/radiotap.c | Iterator fix to properly stop/skip namespace parsing. |
| net/wireless/core.c | Cancel rfkill work during wiphy unregister. |
| net/sched/sch_fq.c | Reset per-band packet counters on fq reset. |
| net/sched/sch_ets.c | Fix overflow/precision issues using u64 + div64_u64(). |
| net/sched/cls_api.c | Add ingress/clsact detection helper and set action flags. |
| net/sched/act_ct.c | Reject ct binding outside ingress/clsact with extack message. |
| net/rds/tcp.c | Fix lock ordering to avoid circular dependency in net refcount upgrade. |
| net/nfc/rawsock.c | Prevent tx work races on close; cancel work and purge queues. |
| net/nfc/nci/data.c | Correctly clear exchange state before callbacks/early returns. |
| net/nfc/nci/core.c | Fix skb freeing on early errors + allow certain zero-length NTFs. |
| net/netfilter/nft_set_pipapo.h | Add gc_head list for pipapo GC queueing. |
| net/netfilter/nf_tables_api.c | Move nft_trans_gc_space() out of this file (now inline in header). |
| net/mac80211/mlme.c | Guard against invalid link_id in MLO reconfiguration. |
| net/mac80211/mesh.c | Require mesh_chansw_params_ie before using CSA parameters. |
| net/ipv6/route.c | L3 slave device selection and reject-route handling adjustment. |
| net/ipv4/sysctl_net_ipv4.c | Fix seed updates using per-field READ/WRITE_ONCE(). |
| net/core/filter.c | Fix tailroom computation for frag tail growth + WARN on negative. |
| net/can/bcm.c | Initialize tx lock for bcm op setup. |
| net/bridge/br_input.c | Use ipv6_mod_enabled() instead of CONFIG_IPV6 gating. |
| net/bridge/br_device.c | Use ipv6_mod_enabled() instead of CONFIG_IPV6 gating. |
| net/atm/lec.c | Avoid NULL deref by checking vpriv before access/free. |
| Makefile | Bump SUBLEVEL to 77. |
| kernel/workqueue.c | Add system_percpu_wq/system_dfl_wq globals and allocations. |
| kernel/trace/trace.c | Add VMA open hook to duplicate ring buffer mmap accounting. |
| kernel/trace/trace_events_trigger.c | Make trigger_data_free() NULL-safe. |
| kernel/trace/ring_buffer.c | Add ring_buffer_map_dup() to handle VMA duplication. |
| kernel/rseq.c | Clarify rseq_len rules in comment. |
| kernel/kexec_core.c | Add kimage segment mapping helpers (vmap/vunmap). |
| kernel/events/core.c | Add lockdep assertions + serialize swevent sampling vs release. |
| kernel/cgroup/cpuset.c | Update tasks’ cpumask using tmp->new_cpus during hierarchy update. |
| kernel/bpf/trampoline.c | Fix trampoline put/release logic and use bpf_link_inc_not_zero(). |
| kernel/bpf/devmap.c | Add overflow handling while collecting upper device ifindexes. |
| include/uapi/linux/pci_regs.h | Fix PCIe endpoint cap size constant (v2). |
| include/net/xsk_buff_pool.h | Consolidate XSK list node fields. |
| include/net/xdp_sock_drv.h | Add rx frag step helper and list node updates for frag tracking. |
| include/net/tc_act/tc_ife.h | Move metalist into params for RCU-safe updates. |
| include/net/sch_generic.h | Handle nolock qdiscs safely during reset-all. |
| include/net/netfilter/nf_tables.h | Provide inline nft_trans_gc_space() helper. |
| include/net/ip_fib.h | Fix READ_ONCE on mp_seed field access. |
| include/net/bonding.h | Export __bond_xdp_check() helper declaration. |
| include/net/act_api.h | Add TCA_ACT_FLAGS_AT_INGRESS_OR_CLSACT flag. |
| include/linux/workqueue.h | Document new system_percpu_wq/system_dfl_wq globals. |
| include/linux/ring_buffer.h | Export ring_buffer_map_dup() prototype. |
| include/linux/platform_data/max6639.h | Remove obsolete platform_data header. |
| include/linux/pci-epc.h | Add pci_epc_map struct + align_addr op + mem_map/unmap helpers. |
| include/linux/mailbox_controller.h | Add fw_xlate callback and header include ordering cleanup. |
| include/linux/mailbox_client.h | Header include ordering cleanup. |
| include/linux/libata.h | Add deferred qc fields and helper inlines. |
| include/linux/kexec.h | Export kimage_map_segment/unmap APIs (and stubs when disabled). |
| include/linux/ioport.h | Add resource_set_size/resource_set_range helpers. |
| include/linux/indirect_call_wrapper.h | Avoid double-evaluating function pointer in INDIRECT_CALL_* macros. |
| include/linux/ima.h | Add ima_kexec_post_load + ima_validate_range declaration. |
| fs/xattr.c | Switch to fd CLASS helpers and consistent EBADF checks. |
| fs/squashfs/cache.c | Add offset bounds check for metadata reads. |
| fs/smb/server/smb2pdu.c | Add locking around channel xarray access/store. |
| fs/smb/server/mgmt/user_session.h | Add rwsem chann_lock for channel list protection. |
| fs/smb/server/mgmt/user_session.c | Use chann_lock in channel add/del/free paths. |
| fs/smb/client/transport.c | Update channel picking semantics and simplify selection logic. |
| fs/smb/client/smb2pdu.c | Fix auth key handling and correct posix qinfo sizing. |
| fs/smb/client/smb2inode.c | Fix posix qinfo sizing in compound query info. |
| fs/smb/client/connect.c | Remove debug log that printed credential payload. |
| fs/nfsd/nfsctl.c | Use current_cred() instead of get_current_cred() for svc call. |
| fs/namespace.c | Fix /proc/mounts iteration pos handling using unique IDs. |
| fs/ext4/mballoc.h | Extend allocation context state (prefetch/error tracking fields). |
| fs/ext4/mballoc-test.c | Remove list init for removed group_info list nodes. |
| fs/ext4/extents.c | Fix unwritten extent split/convert flag handling. |
| fs/ext4/ext4.h | Replace fragment-size lists with xarrays; add ext4_try_lock_group(). |
| fs/eventpoll.c | Adjust loop check return semantics relative to EP_MAX_NESTS. |
| fs/btrfs/tree-checker.c | Fix error messages using correct fields. |
| fs/btrfs/space-info.c | Periodic reclaim logic fixes and better sweep return handling. |
| fs/btrfs/scrub.c | Use metadata_uuid for fsid comparison message. |
| fs/btrfs/misc.h | Add AUTO_KFREE/AUTO_KVFREE convenience macros. |
| fs/btrfs/inode.c | Fix root ID used in subvolume delete warning. |
| fs/btrfs/disk-io.c | Improve unknown feature reporting to show only unsupported bits. |
| fs/btrfs/direct-io.c | Fallback to buffered IO when checksums are required. |
| fs/btrfs/block-group.c | Improve reclaim logging/accounting and periodic reclaim readiness. |
| drivers/xen/xen-acpi-processor.c | Skip _CST evaluation when absent and pblk missing. |
| drivers/usb/cdns3/core.c | Resume flow fixes and avoid re-resume on role-changed path. |
| drivers/ufs/core/ufshcd.c | Move hibern8 exit recovery to resume path with link recovery. |
| drivers/target/target_core_configfs.c | Validate dbroot via kern_path and directory check. |
| drivers/staging/media/tegra-video/vi.c | Fix error path to free state and return proper ret. |
| drivers/scsi/scsi_scan.c | Fix refcount leak on budget map allocation failure. |
| drivers/scsi/pm8001/pm8001_sas.c | Fix device-gone path unlocking + return behavior. |
| drivers/scsi/lpfc/lpfc_sli4.h | Add WC-mapped DPP register pointer. |
| drivers/scsi/lpfc/lpfc_sli.c | Add ioremap_wc support for DPP and update WQ creation. |
| drivers/scsi/lpfc/lpfc_init.c | Unmap newly added WC mapping on PCI mem unset. |
| drivers/platform/x86/thinkpad_acpi.c | Respect per-battery threshold support flags. |
| drivers/platform/x86/dell/dell-wmi-sysman/passwordattr-interface.c | Remove hex dump of password buffer. |
| drivers/platform/x86/dell/dell-wmi-base.c | Add keymap entries for mute/micmute scancodes. |
| drivers/pinctrl/pinctrl-equilibrium.c | Rename/adjust irq_chip callbacks and mask+ack sequence. |
| drivers/pinctrl/cirrus/pinctrl-cs42l43.c | Avoid double-put on fwnode when devm action fails. |
| drivers/pci/probe.c | Use new resource_set_range helper for BAR sizing. |
| drivers/of/kexec.c | Use ima_validate_range() for IMA kexec buffer bounds validation. |
| drivers/nvme/host/pr.c | Use size_t, kvzalloc, and bounds checks for reservation status ext. |
| drivers/nvme/host/core.c | Put existing admin queue before allocating a new one. |
| drivers/nfc/pn533/usb.c | Fix usb device refcount on disconnect. |
| drivers/net/wireless/ti/wlcore/main.c | Fix resume mutex ordering. |
| drivers/net/wireless/st/cw1200/pm.c | Fix missing mutex unlocks on error paths in WoW suspend. |
| drivers/net/wireless/rsi/rsi_91x_mac80211.c | Fix initial status value in config path. |
| drivers/net/wireless/mediatek/mt76/mt7996/mac.c | Add skb length validation before parsing action frames. |
| drivers/net/wireless/mediatek/mt76/mt7925/mac.c | Add skb length validation before parsing action frames. |
| drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c | Add skb length validation for ADDBA request parsing. |
| drivers/net/vxlan/vxlan_core.c | Avoid IPv6 ND access when ipv6 disabled (nd_tbl NULL). |
| drivers/net/usb/pegasus.c | Validate required endpoints and set intf earlier. |
| drivers/net/usb/kaweth.c | Validate required endpoints during probe. |
| drivers/net/usb/kalmia.c | Validate bulk endpoints prior to pipe setup. |
| drivers/net/ethernet/ti/icssg/icssg_prueth.c | Reset link state to force reconfiguration on restart. |
| drivers/net/ethernet/ti/cpsw_ale.c | Fix multicast flushing host-port mask handling. |
| drivers/net/ethernet/ti/am65-cpsw-nuss.c | Fix port_mask for multicast flushing. |
| drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | Fix VLAN add/del error handling and active_vlans bookkeeping. |
| drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c | Adjust clk_csr default for Loongson dwmac. |
| drivers/net/ethernet/mediatek/mtk_eth_soc.c | Fix XDP program update rollback/open sequencing. |
| drivers/net/ethernet/marvell/octeon_ep/octep_rx.c | Use READ/WRITE_ONCE for counters/indices; add underflow warning. |
| drivers/net/ethernet/marvell/octeon_ep/octep_main.c | Refactor pkt counter updates and use napi_complete_done(). |
| drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_rx.c | Same counter/ordering fixes for VF receive path. |
| drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_main.c | Same pkt update refactor for VF NAPI path. |
| drivers/net/ethernet/intel/idpf/idpf_txrx.c | Fix IRQ name formatting to use vector index. |
| drivers/net/ethernet/intel/iavf/iavf_main.c | Convert PF-provided max frame size to MTU with validation. |
| drivers/net/ethernet/intel/i40e/i40e_txrx.c | Unregister xdp_rxq_info during ring cleanup (avoid double-unreg). |
| drivers/net/ethernet/intel/i40e/i40e_trace.h | Use smp_processor_id() instead of get_cpu(). |
| drivers/net/ethernet/intel/e1000e/ich8lan.c | Clear DPG_EN to prevent unexpected autonomous power gating. |
| drivers/net/ethernet/intel/e1000e/defines.h | Add E1000_CTRL_EXT_DPG_EN bit definition. |
| drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c | Ensure IRQ status is cleared on invalid if_id path. |
| drivers/net/ethernet/amd/xgbe/xgbe.h | Remove unused overall device spinlock field. |
| drivers/net/ethernet/amd/xgbe/xgbe-main.c | Remove initialization of removed lock. |
| drivers/net/ethernet/amd/xgbe/xgbe-drv.c | Remove lock usage in powerdown/powerup paths. |
| drivers/net/ethernet/amd/xgbe/xgbe-common.h | Fix MAC_TCR_SS_WIDTH constant. |
| drivers/net/dsa/realtek/rtl8365mb.c | Return actual error from phy_ocp_write instead of 0. |
| drivers/net/can/usb/ucan.c | Reject zero-length messages in bulk rx sanity check. |
| drivers/net/can/usb/f81604.c | URB anchoring, short URB checks, better resubmit/error handling. |
| drivers/net/can/usb/etas_es58x/es58x_core.c | Anchor rx URBs and improve resubmit error handling. |
| drivers/net/can/usb/ems_usb.c | Fix bounds checks using actual_length and header size validation. |
| drivers/net/can/spi/mcp251x.c | Avoid deadlock by deferring free_irq until after lock release. |
| drivers/net/bonding/bond_options.c | Reject xmit hash policy updates incompatible with active XDP prog. |
| drivers/net/bonding/bond_main.c | Refactor XDP compatibility check into __bond_xdp_check(). |
| drivers/net/arcnet/com20020-pci.c | Provide default card_info when driver_data is NULL. |
| drivers/memory/mtk-smi.c | Fix device refcounting with put_device() on error/remove. |
| drivers/media/i2c/Kconfig | Add GPIOLIB dependency for DW9714. |
| drivers/media/dvb-core/dmxdev.c | Adjust DVR ringbuffer initialization/reset sequence. |
| drivers/irqchip/irq-sifive-plic.c | Use enable register state instead of irqd_irq_disabled(). |
| drivers/iommu/intel/pasid.c | Skip ATS dev-IOTLB flush if PCIe device is not present. |
| drivers/input/mouse/synaptics_i2c.c | Move work to system_dfl_wq and gate resume scheduling on enabled input. |
| drivers/infiniband/hw/mthca/mthca_provider.c | Fix user DB unmap and SRQ free ordering. |
| drivers/infiniband/hw/irdma/verbs.c | Zero-initialize uresp for user AH creation. |
| drivers/i2c/busses/i2c-i801.c | Add acpi_lock to protect acpi_reserved access and handler interactions. |
| drivers/hwmon/max16065.c | Use READ/WRITE_ONCE for cached sensor readings and fault bits. |
| drivers/hwmon/Kconfig | Update AHT10 Kconfig text to include DHT20. |
| drivers/hwmon/it87.c | Handle it87_lock() errors properly in resume path. |
| drivers/hwmon/aht10.c | Add DHT20 support and per-variant init command handling. |
| drivers/hid/hid-zydacron.c | Guard raw event handling with HID_CLAIMED_INPUT. |
| drivers/hid/hid-ids.h | Add Lenovo YogaBook 9i USB device ID. |
| drivers/hid/hid-creative-sb0540.c | Guard raw event handling with HID_CLAIMED_INPUT. |
| drivers/hid/hid-cmedia.c | Guard raw event handling with HID_CLAIMED_INPUT. |
| drivers/gpu/drm/xe/xe_ring_ops.c | Disable arbitration to prevent preemption during fence signaling. |
| drivers/gpu/drm/xe/xe_reg_sr.c | Fix leak on xa_store failure by freeing allocated entry. |
| drivers/gpu/drm/vmwgfx/vmwgfx_page_dirty.c | Add proper kref free callback for dirty tracking object. |
| drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | Return correct error code from vmw_user_bo_lookup failures. |
| drivers/gpu/drm/tegra/dsi.c | Fix put_device ordering in ganged probe path. |
| drivers/gpu/drm/solomon/ssd130x.c | Fix page_start calculation reuse for both addressing modes. |
| drivers/gpu/drm/scheduler/sched_main.c | Document drm_sched_job_done() result parameter. |
| drivers/gpu/drm/logicvc/logicvc_drm.c | Use __free(device_node) for layers node cleanup. |
| drivers/gpu/drm/amd/amdgpu/amdgpu_psp_ta.c | Use memdup_user and fix cleanup/unlock flow. |
| drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | Use pci_dev_is_disconnected() for unplugged checks. |
| drivers/gpu/drm/amd/amdgpu/amdgpu_aca.c | Fix missing mutex_unlock before mutex_destroy. |
| drivers/firmware/efi/mokvar-table.c | Update comment to reference efi_unmap_boot_services(). |
| drivers/clk/tegra/clk-tegra124-emc.c | Fix device ref put ordering in EMC driver lookup. |
| drivers/block/drbd/drbd_req.c | Use first_peer_device() when marking out-of-sync on read error. |
| drivers/block/drbd/drbd_interval.h | Add field to resume partial al_begin_io_nonblock progress. |
| drivers/block/drbd/drbd_actlog.c | Improve nonblocking AL begin logic and handle partial progress. |
| drivers/ata/libata.h | Add deferred qc helpers and prototypes. |
| drivers/ata/libata-eh.c | Handle deferred qc timeouts and requeue deferred qc on EH start. |
| drivers/ata/libata-core.c | Use ata_dev_is_zac() and add deferred qc work init/cancellation. |
| drivers/acpi/apei/Makefile | Disable KASAN on ghes.o for older clang + KASAN stack issues. |
| Documentation/hwmon/aht10.rst | Document DHT20 support and CRC8 note update. |
| arch/x86/platform/efi/quirks.c | Replace immediate freeing with deferred free_reserved_area mechanism. |
| arch/x86/platform/efi/efi.c | Call efi_unmap_boot_services() instead of efi_free_boot_services(). |
| arch/x86/kvm/x86.c | Don’t WARN on -EBUSY nested events; only treat other errors. |
| arch/x86/kernel/setup.c | Remove redundant ima_validate_range check from x86 path. |
| arch/x86/kernel/cpu/topology.c | Remove hypervisor native hotplug package rejection logic. |
| arch/x86/kernel/acpi/boot.c | Adjust LAPIC usability rules for guests vs bare metal. |
| arch/x86/include/asm/efi.h | Rename exported symbol to efi_unmap_boot_services(). |
| arch/x86/entry/entry_fred.c | Avoid storing array_index_nospec result in a variable. |
| arch/s390/kernel/vtime.c | Avoid virt_timer_forward in irq accounting helpers; simplify deltas. |
| arch/s390/kernel/irq.c | Update timer idle state earlier when coming from enabled-wait idle. |
| arch/s390/kernel/idle.c | Split timer update vs accounting for idle IRQ time. |
| arch/s390/include/asm/idle.h | Add update_timer_idle() prototype. |
| arch/loongarch/mm/tlb.c | Remove redundant extern exception_handlers declaration. |
| arch/loongarch/kernel/unwind_prologue.c | Remove unused externs and cleanup. |
| arch/loongarch/kernel/unwind_orc.c | Fix bt_address mapping + use guard(rcu)() instead of preempt_disable. |
| arch/loongarch/include/asm/setup.h | Export pcpu_handlers/exception_handlers and include threads.h. |
| arch/Kconfig | Select TASKS_TRACE_RCU when enabling UPROBES. |
| arch/arm64/net/bpf_jit_comp.c | Fix RO header alignment for JIT pack allocation (u64). |
| arch/arm64/kvm/sys_regs.c | Hide POE feature if host doesn’t support it. |
| arch/arm64/boot/dts/rockchip/rk3588-extra.dtsi | Fix PCIe ranges address-cells formatting for high addresses. |
| arch/arm64/boot/dts/rockchip/rk3588-base.dtsi | Fix PCIe ranges address-cells formatting for high addresses. |
| arch/arm64/boot/dts/rockchip/rk356x.dtsi | Fix PCIe ranges formatting for high addresses. |
| arch/arm64/boot/dts/rockchip/rk3568.dtsi | Fix PCIe ranges formatting for high addresses. |
| arch/arm/include/asm/string.h | Fix memset64 argument order/endianness handling via union split. |
| sz = sizeof(*ranges_to_free) * efi.memmap.nr_map + 1; | ||
| ranges_to_free = kzalloc(sz, GFP_KERNEL); | ||
| if (!ranges_to_free) { | ||
| pr_err("Failed to allocate storage for freeable EFI regions\n"); | ||
| return; | ||
| } |
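Review bot: In `sz = sizeof(*ranges_to_free) * efi.memmap.nr_map + 1;` the `+ 1` is applied after the multiplication, so the buffer gains one extra byte rather than one extra element. If the extra slot is meant to be a zeroed terminator entry at the end of the array, write `sizeof(*ranges_to_free) * (efi.memmap.nr_map + 1)`, or use `kcalloc(efi.memmap.nr_map + 1, sizeof(*ranges_to_free), GFP_KERNEL)` so the multiplication is overflow-checked as well.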
| system_wq = alloc_workqueue("events", 0, 0); | ||
| system_percpu_wq = alloc_workqueue("events", 0, 0); | ||
| system_highpri_wq = alloc_workqueue("events_highpri", WQ_HIGHPRI, 0); | ||
| system_long_wq = alloc_workqueue("events_long", 0, 0); | ||
| system_unbound_wq = alloc_workqueue("events_unbound", WQ_UNBOUND, | ||
| WQ_MAX_ACTIVE); | ||
| system_unbound_wq = alloc_workqueue("events_unbound", WQ_UNBOUND, WQ_MAX_ACTIVE); | ||
| system_dfl_wq = alloc_workqueue("events_unbound", WQ_UNBOUND, WQ_MAX_ACTIVE); | ||
| system_freezable_wq = alloc_workqueue("events_freezable", |
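Review bot: `system_percpu_wq` is allocated with the name "events" and `system_dfl_wq` with the name "events_unbound", the same strings already passed for `system_wq` and `system_unbound_wq`, so each pair of workqueues is indistinguishable by name in debugging output. If the duplication is intentional, a comment above these lines should say so. Also confirm that the allocation-failure check following this block covers the two new pointers, since it lies outside the visible lines.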
| contd = XDP_PKT_CONTD; | ||
| num_desc = xdp_get_shared_info_from_buff(xdp)->nr_frags + 1; | ||
| if (xskq_prod_nb_free(xs->rx, num_desc) < num_desc) { | ||
| xs->rx_queue_full++; | ||
| err = -ENOBUFS; | ||
| goto err; | ||
| if (likely(!frags)) | ||
| return 0; | ||
| } | ||
|
|
||
| __xsk_rcv_zc(xs, xskb, len, contd); | ||
| xskb_list = &xskb->pool->xskb_list; | ||
| list_for_each_entry_safe(pos, tmp, xskb_list, xskb_list_node) { | ||
| list_for_each_entry_safe(pos, tmp, xskb_list, list_node) { | ||
| if (list_is_singular(xskb_list)) | ||
| contd = 0; | ||
| len = pos->xdp.data_end - pos->xdp.data; | ||
| err = __xsk_rcv_zc(xs, pos, len, contd); | ||
| if (err) | ||
| goto err; | ||
| list_del(&pos->xskb_list_node); | ||
| __xsk_rcv_zc(xs, pos, len, contd); | ||
| list_del_init(&pos->list_node); | ||
| } |
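Review bot: Both `__xsk_rcv_zc(xs, xskb, len, contd);` and the in-loop `__xsk_rcv_zc(xs, pos, len, contd);` discard the return value that the neighbouring `err = __xsk_rcv_zc(xs, pos, len, contd);` / `if (err) goto err;` form checks, so the loop depends entirely on the `xskq_prod_nb_free(xs->rx, num_desc) < num_desc` test having confirmed room for all `num_desc` descriptors up front. State that invariant in a comment next to the precheck, and consider a `WARN_ON_ONCE()` around the unchecked calls so that a future change that breaks the precheck does not silently drop fragments.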
Update kernel base to 6.12.76.
Update kernel base to 6.12.77.
git log --oneline v6.12.75..v6.12.77 |wc
263 2304 18929