- Kernel - mailweb.openeuler.org

[PATCH OLK-6.6] usb: gadget: f_ncm: Fix net_device lifecycle with device_move
by Xinyu Zheng 22 May '26

22 May '26

From: Kuen-Han Tsai <khtsai(a)google.com> mainline inclusion from mainline-v7.0-rc4 commit ec35c1969650e7cb6c8a91020e568ed46e3551b0 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14979 CVE: CVE-2026-43421 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The network device outlived its parent gadget device during disconnection, resulting in dangling sysfs links and null pointer dereference problems. A prior attempt to solve this by removing SET_NETDEV_DEV entirely [1] was reverted due to power management ordering concerns and a NO-CARRIER regression. A subsequent attempt to defer net_device allocation to bind [2] broke 1:1 mapping between function instance and network device, making it impossible for configfs to report the resolved interface name. This results in a regression where the DHCP server fails on pmOS. Use device_move to reparent the net_device between the gadget device and /sys/devices/virtual/ across bind/unbind cycles. This preserves the network interface across USB reconnection, allowing the DHCP server to retain their binding. Introduce gether_attach_gadget()/gether_detach_gadget() helpers and use __free(detach_gadget) macro to undo attachment on bind failure. The bind_count ensures device_move executes only on the first bind. [1] https://lore.kernel.org/lkml/f2a4f9847617a0929d62025748384092e5f35cce.camel… [2] https://lore.kernel.org/linux-usb/795ea759-7eaf-4f78-81f4-01ffbf2d7961@ixit… Fixes: 40d133d7f542 ("usb: gadget: f_ncm: convert to new function interface with backward compatibility") Cc: stable <stable(a)kernel.org> Signed-off-by: Kuen-Han Tsai <khtsai(a)google.com> Link: https://patch.msgid.link/20260309-f-ncm-revert-v2-7-ea2afbc7d9b2@google.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Conflicts: drivers/usb/gadget/function/f_ncm.c [zxy: context conflict] Signed-off-by: Xinyu Zheng <zhengxinyu6(a)huawei.com> --- drivers/usb/gadget/function/f_ncm.c | 36 +++++++++++++++++++-------- drivers/usb/gadget/function/u_ether.c | 22 ++++++++++++++++ drivers/usb/gadget/function/u_ether.h | 26 +++++++++++++++++++ drivers/usb/gadget/function/u_ncm.h | 2 +- 4 files changed, 74 insertions(+), 12 deletions(-) diff --git a/drivers/usb/gadget/function/f_ncm.c b/drivers/usb/gadget/function/f_ncm.c index 1da4e59338c5..56af3e57a07f 100644 --- a/drivers/usb/gadget/function/f_ncm.c +++ b/drivers/usb/gadget/function/f_ncm.c @@ -1425,6 +1425,7 @@ static int ncm_bind(struct usb_configuration *c, struct usb_function *f) struct f_ncm_opts *ncm_opts; struct usb_os_desc_table *os_desc_table __free(kfree) = NULL; + struct net_device *net __free(detach_gadget) = NULL; struct usb_request *request __free(free_usb_request) = NULL; if (!can_support_ecm(cdev->gadget)) @@ -1438,16 +1439,19 @@ static int ncm_bind(struct usb_configuration *c, struct usb_function *f) return -ENOMEM; } - mutex_lock(&ncm_opts->lock); - gether_set_gadget(ncm_opts->net, cdev->gadget); - if (!ncm_opts->bound) - status = gether_register_netdev(ncm_opts->net); - mutex_unlock(&ncm_opts->lock); - - if (status) - return status; - - ncm_opts->bound = true; + scoped_guard(mutex, &ncm_opts->lock) + if (ncm_opts->bind_count == 0) { + if (!device_is_registered(&ncm_opts->net->dev)) { + ncm_opts->net->mtu = (ncm_opts->max_segment_size - ETH_HLEN); + gether_set_gadget(ncm_opts->net, cdev->gadget); + status = gether_register_netdev(ncm_opts->net); + } else + status = gether_attach_gadget(ncm_opts->net, cdev->gadget); + + if (status) + return status; + net = ncm_opts->net; + } ncm_string_defs[1].s = ncm->ethaddr; @@ -1547,6 +1551,9 @@ static int ncm_bind(struct usb_configuration *c, struct usb_function *f) } ncm->notify_req = no_free_ptr(request); + ncm_opts->bind_count++; + retain_and_null_ptr(net); + DBG(cdev, "CDC Network: IN/%s OUT/%s NOTIFY/%s\n", ncm->port.in_ep->name, ncm->port.out_ep->name, ncm->notify->name); @@ -1593,7 +1600,7 @@ static void ncm_free_inst(struct usb_function_instance *f) struct f_ncm_opts *opts; opts = container_of(f, struct f_ncm_opts, func_inst); - if (opts->bound) + if (device_is_registered(&opts->net->dev)) gether_cleanup(netdev_priv(opts->net)); else free_netdev(opts->net); @@ -1655,9 +1662,12 @@ static void ncm_free(struct usb_function *f) static void ncm_unbind(struct usb_configuration *c, struct usb_function *f) { struct f_ncm *ncm = func_to_ncm(f); + struct f_ncm_opts *ncm_opts; DBG(c->cdev, "ncm unbind\n"); + ncm_opts = container_of(f->fi, struct f_ncm_opts, func_inst); + hrtimer_cancel(&ncm->task_timer); kfree(f->os_desc_table); @@ -1673,6 +1683,10 @@ static void ncm_unbind(struct usb_configuration *c, struct usb_function *f) kfree(ncm->notify_req->buf); usb_ep_free_request(ncm->notify, ncm->notify_req); + + ncm_opts->bind_count--; + if (ncm_opts->bind_count == 0) + gether_detach_gadget(ncm_opts->net); } static struct usb_function *ncm_alloc(struct usb_function_instance *fi) diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c index 2da2db5e15a3..fae3cd49e0f8 100644 --- a/drivers/usb/gadget/function/u_ether.c +++ b/drivers/usb/gadget/function/u_ether.c @@ -896,6 +896,28 @@ void gether_set_gadget(struct net_device *net, struct usb_gadget *g) } EXPORT_SYMBOL_GPL(gether_set_gadget); +int gether_attach_gadget(struct net_device *net, struct usb_gadget *g) +{ + int ret; + + ret = device_move(&net->dev, &g->dev, DPM_ORDER_DEV_AFTER_PARENT); + if (ret) + return ret; + + gether_set_gadget(net, g); + return 0; +} +EXPORT_SYMBOL_GPL(gether_attach_gadget); + +void gether_detach_gadget(struct net_device *net) +{ + struct eth_dev *dev = netdev_priv(net); + + device_move(&net->dev, NULL, DPM_ORDER_NONE); + dev->gadget = NULL; +} +EXPORT_SYMBOL_GPL(gether_detach_gadget); + int gether_set_dev_addr(struct net_device *net, const char *dev_addr) { struct eth_dev *dev; diff --git a/drivers/usb/gadget/function/u_ether.h b/drivers/usb/gadget/function/u_ether.h index 34be220cef77..c85a1cf3c115 100644 --- a/drivers/usb/gadget/function/u_ether.h +++ b/drivers/usb/gadget/function/u_ether.h @@ -150,6 +150,32 @@ static inline struct net_device *gether_setup_default(void) */ void gether_set_gadget(struct net_device *net, struct usb_gadget *g); +/** + * gether_attach_gadget - Reparent net_device to the gadget device. + * @net: The network device to reparent. + * @g: The target USB gadget device to parent to. + * + * This function moves the network device to be a child of the USB gadget + * device in the device hierarchy. This is typically done when the function + * is bound to a configuration. + * + * Returns 0 on success, or a negative error code on failure. + */ +int gether_attach_gadget(struct net_device *net, struct usb_gadget *g); + +/** + * gether_detach_gadget - Detach net_device from its gadget parent. + * @net: The network device to detach. + * + * This function moves the network device to be a child of the virtual + * devices parent, effectively detaching it from the USB gadget device + * hierarchy. This is typically done when the function is unbound + * from a configuration but the instance is not yet freed. + */ +void gether_detach_gadget(struct net_device *net); + +DEFINE_FREE(detach_gadget, struct net_device *, if (_T) gether_detach_gadget(_T)) + /** * gether_set_dev_addr - initialize an ethernet-over-usb link with eth address * @net: device representing this link diff --git a/drivers/usb/gadget/function/u_ncm.h b/drivers/usb/gadget/function/u_ncm.h index 5408854d8407..297e5087872f 100644 --- a/drivers/usb/gadget/function/u_ncm.h +++ b/drivers/usb/gadget/function/u_ncm.h @@ -18,7 +18,7 @@ struct f_ncm_opts { struct usb_function_instance func_inst; struct net_device *net; - bool bound; + int bind_count; struct config_group *ncm_interf_group; struct usb_os_desc ncm_os_desc; -- 2.34.1

2 1

[PATCH OLK-5.10 0/2] arm64/mm: Enable batched TLB flush in unmap_hotplug_range()
by Wupeng Ma 22 May '26

22 May '26

Enable batched TLB flush in unmap_hotplug_range(). Anshuman Khandual (1): arm64/mm: Enable batched TLB flush in unmap_hotplug_range() Peter Zijlstra (1): arm64/mm: Implement pXX_leaf_size() support arch/arm64/include/asm/pgtable.h | 4 ++++ arch/arm64/mm/mmu.c | 36 ++++++++++++++++++-------------- 2 files changed, 24 insertions(+), 16 deletions(-) -- 2.43.0

2 3

[PATCH OLK-6.6] sched/fair: Do not send IPI if WFI timeout is 0
by Jinjie Ruan 22 May '26

22 May '26

hulk inclusion category: feature bugzilla: https://atomgit.com/openeuler/kernel/issues/8929 ---------------------------------------- When the WFI timeout is configured to 0, no WFI suppression will be applied to offline tasks and no IPI is needed, and no IPI will eliminate the background noise. Signed-off-by: Jinjie Ruan <ruanjinjie(a)huawei.com> --- arch/arm64/include/asm/xint.h | 2 ++ arch/arm64/kernel/smt_qos.c | 2 +- kernel/sched/smt_qos.c | 2 +- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/arch/arm64/include/asm/xint.h b/arch/arm64/include/asm/xint.h index 2a63c663988e..7d89280a53f8 100644 --- a/arch/arm64/include/asm/xint.h +++ b/arch/arm64/include/asm/xint.h @@ -5,6 +5,8 @@ #define NR_IPI_USER 7 // SGI #ifndef __ASSEMBLY__ +extern unsigned int sysctl_sched_wfi_timeout; + extern void gic_handle_irq_noack(struct pt_regs *regs); extern void gic_handle_nmi_noack(struct pt_regs *regs); extern void arch_smp_send_ipi_user(int cpu); diff --git a/arch/arm64/kernel/smt_qos.c b/arch/arm64/kernel/smt_qos.c index 7e1a8e1121da..9f113c50d389 100644 --- a/arch/arm64/kernel/smt_qos.c +++ b/arch/arm64/kernel/smt_qos.c @@ -11,7 +11,7 @@ #include <vdso/time64.h> -static unsigned int sysctl_sched_wfi_timeout = 50; +unsigned int sysctl_sched_wfi_timeout = 50; static DEFINE_STATIC_KEY_TRUE(split_mode); static u32 arch_timer_freq; diff --git a/kernel/sched/smt_qos.c b/kernel/sched/smt_qos.c index 8f3eead1b179..c07c279ab0f7 100644 --- a/kernel/sched/smt_qos.c +++ b/kernel/sched/smt_qos.c @@ -123,7 +123,7 @@ static inline void send_ipi_throttle_smt(int this_cpu) { int cpu; - if (!system_uses_xint()) + if (!system_uses_xint() || !sysctl_sched_wfi_timeout) return; for_each_cpu(cpu, cpu_smt_mask(this_cpu)) { -- 2.34.1

2 1

[PATCH OLK-5.10] arm64/mm: Enable batched TLB flush in unmap_hotplug_range()
by Wupeng Ma 22 May '26

22 May '26

From: Anshuman Khandual <anshuman.khandual(a)arm.com> stable inclusion from stable-v6.12.86 commit 7260b0ec7a84023412f8c26a456ee9a23e29bdb6 category: bugfix bugzilla: https://atomgit.com/openeuler/kernel/issues/9219 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 48478b9f791376b4b89018d7afdfd06865498f65 upstream. During a memory hot remove operation, both linear and vmemmap mappings for the memory range being removed, get unmapped via unmap_hotplug_range() but mapped pages get freed only for vmemmap mapping. This is just a sequential operation where each table entry gets cleared, followed by a leaf specific TLB flush, and then followed by memory free operation when applicable. This approach was simple and uniform both for vmemmap and linear mappings. But linear mapping might contain CONT marked block memory where it becomes necessary to first clear out all entire in the range before a TLB flush. This is as per the architecture requirement. Hence batch all TLB flushes during the table tear down walk and finally do it in unmap_hotplug_range(). Prior to this fix, it was hypothetically possible for a speculative access to a higher address in the contiguous block to fill the TLB with shattered entries for the entire contiguous range after a lower address had already been cleared and invalidated. Due to the table entries being shattered, the subsequent TLB invalidation for the higher address would not then clear the TLB entries for the lower address, meaning stale TLB entries could persist. Besides it also helps in improving the performance via TLBI range operation along with reduced synchronization instructions. The time spent executing unmap_hotplug_range() improved 97% measured over a 2GB memory hot removal in KVM guest. This scheme is not applicable during vmemmap mapping tear down where memory needs to be freed and hence a TLB flush is required after clearing out page table entry. Cc: Will Deacon <will(a)kernel.org> Cc: linux-arm-kernel(a)lists.infradead.org Cc: linux-kernel(a)vger.kernel.org Closes: https://lore.kernel.org/all/aWZYXhrT6D2M-7-N@willie-the-truck/ Fixes: bbd6ec605c0f ("arm64/mm: Enable memory hot remove") Cc: stable(a)vger.kernel.org Reviewed-by: David Hildenbrand (Arm) <david(a)kernel.org> Reviewed-by: Ryan Roberts <ryan.roberts(a)arm.com> Signed-off-by: Ryan Roberts <ryan.roberts(a)arm.com> Signed-off-by: Anshuman Khandual <anshuman.khandual(a)arm.com> Signed-off-by: Catalin Marinas <catalin.marinas(a)arm.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Conflicts: arch/arm64/mm/mmu.c [Conflicts due to commit 5a00bfd6a52c ("arm64/mm: new ptep layer to manage contig bit") update pte_clear to __pte_clear, that is fine.] Signed-off-by: Wupeng Ma <mawupeng1(a)huawei.com> --- arch/arm64/mm/mmu.c | 36 ++++++++++++++++++++---------------- 1 file changed, 20 insertions(+), 16 deletions(-) diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c index adaca1fd5a277..a1f7080643a86 100644 --- a/arch/arm64/mm/mmu.c +++ b/arch/arm64/mm/mmu.c @@ -874,10 +874,14 @@ static void unmap_hotplug_pte_range(pmd_t *pmdp, unsigned long addr, WARN_ON(!pte_present(pte)); pte_clear(&init_mm, addr, ptep); - flush_tlb_kernel_range(addr, addr + PAGE_SIZE); - if (free_mapped) + if (free_mapped) { + /* CONT blocks are not supported in the vmemmap */ + WARN_ON(pte_cont(pte)); + flush_tlb_kernel_range(addr, addr + PAGE_SIZE); free_hotplug_page_range(pte_page(pte), PAGE_SIZE, altmap); + } + /* unmap_hotplug_range() flushes TLB for !free_mapped */ } while (addr += PAGE_SIZE, addr < end); } @@ -898,15 +902,14 @@ static void unmap_hotplug_pmd_range(pud_t *pudp, unsigned long addr, WARN_ON(!pmd_present(pmd)); if (pmd_sect(pmd)) { pmd_clear(pmdp); - - /* - * One TLBI should be sufficient here as the PMD_SIZE - * range is mapped with a single block entry. - */ - flush_tlb_kernel_range(addr, addr + PAGE_SIZE); - if (free_mapped) + if (free_mapped) { + /* CONT blocks are not supported in the vmemmap */ + WARN_ON(pmd_cont(pmd)); + flush_tlb_kernel_range(addr, addr + PMD_SIZE); free_hotplug_page_range(pmd_page(pmd), PMD_SIZE, altmap); + } + /* unmap_hotplug_range() flushes TLB for !free_mapped */ continue; } WARN_ON(!pmd_table(pmd)); @@ -931,15 +934,12 @@ static void unmap_hotplug_pud_range(p4d_t *p4dp, unsigned long addr, WARN_ON(!pud_present(pud)); if (pud_sect(pud)) { pud_clear(pudp); - - /* - * One TLBI should be sufficient here as the PUD_SIZE - * range is mapped with a single block entry. - */ - flush_tlb_kernel_range(addr, addr + PAGE_SIZE); - if (free_mapped) + if (free_mapped) { + flush_tlb_kernel_range(addr, addr + PUD_SIZE); free_hotplug_page_range(pud_page(pud), PUD_SIZE, altmap); + } + /* unmap_hotplug_range() flushes TLB for !free_mapped */ continue; } WARN_ON(!pud_table(pud)); @@ -969,6 +969,7 @@ static void unmap_hotplug_p4d_range(pgd_t *pgdp, unsigned long addr, static void unmap_hotplug_range(unsigned long addr, unsigned long end, bool free_mapped, struct vmem_altmap *altmap) { + unsigned long start = addr; unsigned long next; pgd_t *pgdp, pgd; @@ -990,6 +991,9 @@ static void unmap_hotplug_range(unsigned long addr, unsigned long end, WARN_ON(!pgd_present(pgd)); unmap_hotplug_p4d_range(pgdp, addr, next, free_mapped, altmap); } while (addr = next, addr < end); + + if (!free_mapped) + flush_tlb_kernel_range(start, end); } static void free_empty_pte_table(pmd_t *pmdp, unsigned long addr, -- 2.43.0

2 2

[PATCH OLK-6.6] arm64/mm: Enable batched TLB flush in unmap_hotplug_range()
by Wupeng Ma 22 May '26

22 May '26

From: Anshuman Khandual <anshuman.khandual(a)arm.com> stable inclusion from stable-v6.12.86 commit 7260b0ec7a84023412f8c26a456ee9a23e29bdb6 category: bugfix bugzilla: https://atomgit.com/openeuler/kernel/issues/9219 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 48478b9f791376b4b89018d7afdfd06865498f65 upstream. During a memory hot remove operation, both linear and vmemmap mappings for the memory range being removed, get unmapped via unmap_hotplug_range() but mapped pages get freed only for vmemmap mapping. This is just a sequential operation where each table entry gets cleared, followed by a leaf specific TLB flush, and then followed by memory free operation when applicable. This approach was simple and uniform both for vmemmap and linear mappings. But linear mapping might contain CONT marked block memory where it becomes necessary to first clear out all entire in the range before a TLB flush. This is as per the architecture requirement. Hence batch all TLB flushes during the table tear down walk and finally do it in unmap_hotplug_range(). Prior to this fix, it was hypothetically possible for a speculative access to a higher address in the contiguous block to fill the TLB with shattered entries for the entire contiguous range after a lower address had already been cleared and invalidated. Due to the table entries being shattered, the subsequent TLB invalidation for the higher address would not then clear the TLB entries for the lower address, meaning stale TLB entries could persist. Besides it also helps in improving the performance via TLBI range operation along with reduced synchronization instructions. The time spent executing unmap_hotplug_range() improved 97% measured over a 2GB memory hot removal in KVM guest. This scheme is not applicable during vmemmap mapping tear down where memory needs to be freed and hence a TLB flush is required after clearing out page table entry. Cc: Will Deacon <will(a)kernel.org> Cc: linux-arm-kernel(a)lists.infradead.org Cc: linux-kernel(a)vger.kernel.org Closes: https://lore.kernel.org/all/aWZYXhrT6D2M-7-N@willie-the-truck/ Fixes: bbd6ec605c0f ("arm64/mm: Enable memory hot remove") Cc: stable(a)vger.kernel.org Reviewed-by: David Hildenbrand (Arm) <david(a)kernel.org> Reviewed-by: Ryan Roberts <ryan.roberts(a)arm.com> Signed-off-by: Ryan Roberts <ryan.roberts(a)arm.com> Signed-off-by: Anshuman Khandual <anshuman.khandual(a)arm.com> Signed-off-by: Catalin Marinas <catalin.marinas(a)arm.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Wupeng Ma <mawupeng1(a)huawei.com> --- arch/arm64/mm/mmu.c | 36 ++++++++++++++++++++---------------- 1 file changed, 20 insertions(+), 16 deletions(-) diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c index b2ef6c56db749..f65dbd76e2567 100644 --- a/arch/arm64/mm/mmu.c +++ b/arch/arm64/mm/mmu.c @@ -876,10 +876,14 @@ static void unmap_hotplug_pte_range(pmd_t *pmdp, unsigned long addr, WARN_ON(!pte_present(pte)); __pte_clear(&init_mm, addr, ptep); - flush_tlb_kernel_range(addr, addr + PAGE_SIZE); - if (free_mapped) + if (free_mapped) { + /* CONT blocks are not supported in the vmemmap */ + WARN_ON(pte_cont(pte)); + flush_tlb_kernel_range(addr, addr + PAGE_SIZE); free_hotplug_page_range(pte_page(pte), PAGE_SIZE, altmap); + } + /* unmap_hotplug_range() flushes TLB for !free_mapped */ } while (addr += PAGE_SIZE, addr < end); } @@ -900,15 +904,14 @@ static void unmap_hotplug_pmd_range(pud_t *pudp, unsigned long addr, WARN_ON(!pmd_present(pmd)); if (pmd_sect(pmd)) { pmd_clear(pmdp); - - /* - * One TLBI should be sufficient here as the PMD_SIZE - * range is mapped with a single block entry. - */ - flush_tlb_kernel_range(addr, addr + PAGE_SIZE); - if (free_mapped) + if (free_mapped) { + /* CONT blocks are not supported in the vmemmap */ + WARN_ON(pmd_cont(pmd)); + flush_tlb_kernel_range(addr, addr + PMD_SIZE); free_hotplug_page_range(pmd_page(pmd), PMD_SIZE, altmap); + } + /* unmap_hotplug_range() flushes TLB for !free_mapped */ continue; } WARN_ON(!pmd_table(pmd)); @@ -933,15 +936,12 @@ static void unmap_hotplug_pud_range(p4d_t *p4dp, unsigned long addr, WARN_ON(!pud_present(pud)); if (pud_sect(pud)) { pud_clear(pudp); - - /* - * One TLBI should be sufficient here as the PUD_SIZE - * range is mapped with a single block entry. - */ - flush_tlb_kernel_range(addr, addr + PAGE_SIZE); - if (free_mapped) + if (free_mapped) { + flush_tlb_kernel_range(addr, addr + PUD_SIZE); free_hotplug_page_range(pud_page(pud), PUD_SIZE, altmap); + } + /* unmap_hotplug_range() flushes TLB for !free_mapped */ continue; } WARN_ON(!pud_table(pud)); @@ -971,6 +971,7 @@ static void unmap_hotplug_p4d_range(pgd_t *pgdp, unsigned long addr, static void unmap_hotplug_range(unsigned long addr, unsigned long end, bool free_mapped, struct vmem_altmap *altmap) { + unsigned long start = addr; unsigned long next; pgd_t *pgdp, pgd; @@ -992,6 +993,9 @@ static void unmap_hotplug_range(unsigned long addr, unsigned long end, WARN_ON(!pgd_present(pgd)); unmap_hotplug_p4d_range(pgdp, addr, next, free_mapped, altmap); } while (addr = next, addr < end); + + if (!free_mapped) + flush_tlb_kernel_range(start, end); } static void free_empty_pte_table(pmd_t *pmdp, unsigned long addr, -- 2.43.0

2 1

[PATCH OLK-6.6 0/2] tracepoints: get correct superblock from dentry in event btrfs_sync_file()
by Pan Taixi 22 May '26

22 May '26

[ Upstream commit a85b46db143fda5869e7d8df8f258ccef5fa1719 ] If overlay is used on top of btrfs, dentry->d_sb translates to overlay's super block and fsid assignment will lead to a crash. Use file_inode(file)->i_sb to always get btrfs_sb. The patch above introduced another problem and is fixed in the following patch: The trace event btrfs_sync_file() is called in an atomic context (all trace events are) and its call to dput(), which is needed due to the call to dget_parent(), can sleep, triggering a kernel splat. This can be reproduced by enabling the trace event and running btrfs/056 from fstests for example. The splat shown in dmesg is the following: [53.919] BUG: sleeping function called from invalid context at fs/dcache.c:970 [53.947] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 32773, name: xfs_io [53.988] preempt_count: 2, expected: 0 [53.967] RCU nest depth: 0, expected: 0 [53.943] Preemption disabled at: [53.944] [<0000000000000000>] 0x0 [54.078] CPU: 0 UID: 0 PID: 32773 Comm: xfs_io Tainted: G W 7.1.0-rc1-btrfs-next-232+ #1 PREEMPT(full) [54.070] Tainted: [W]=WARN [54.071] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 [54.072] Call Trace: [54.074] <TASK> [54.076] dump_stack_lvl+0x56/0x80 [54.079] __might_resched.cold+0xd6/0x10f [54.072] dput.part.0+0x24/0x110 [54.078] trace_event_raw_event_btrfs_sync_file+0x75/0x140 [btrfs] [54.089] btrfs_sync_file+0x1ed/0x530 [btrfs] [54.087] ? __handle_mm_fault+0x8ae/0xed0 [54.089] btrfs_do_write_iter+0x172/0x210 [btrfs] [54.091] vfs_write+0x21f/0x450 [54.094] __x64_sys_pwrite64+0x8d/0xc0 [54.096] ? do_user_addr_fault+0x20c/0x670 [54.099] do_syscall_64+0x60/0xf20 [54.092] ? clear_bhb_loop+0x60/0xb0 [54.094] entry_SYSCALL_64_after_hwframe+0x76/0x7e So stop using dget_parent() and dput() and access the parent dentry directly as dentry->d_parent. This is also what ext4 is doing in its equivalent trace event ext4_sync_file_enter(). Filipe Manana (1): btrfs: tracepoints: fix sleep while in atomic context in btrfs_sync_file() Goldwyn Rodrigues (1): btrfs: tracepoints: get correct superblock from dentry in event btrfs_sync_file() include/trace/events/btrfs.h | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) -- 2.34.1

2 3

[PATCH OLK-5.10 0/2] tracepoints: get correct superblock from dentry in event btrfs_sync_file()
by Pan Taixi 22 May '26

22 May '26

[ Upstream commit a85b46db143fda5869e7d8df8f258ccef5fa1719 ] If overlay is used on top of btrfs, dentry->d_sb translates to overlay's super block and fsid assignment will lead to a crash. Use file_inode(file)->i_sb to always get btrfs_sb. The patch above introduced another problem and is fixed in the following patch: The trace event btrfs_sync_file() is called in an atomic context (all trace events are) and its call to dput(), which is needed due to the call to dget_parent(), can sleep, triggering a kernel splat. This can be reproduced by enabling the trace event and running btrfs/056 from fstests for example. The splat shown in dmesg is the following: [53.919] BUG: sleeping function called from invalid context at fs/dcache.c:970 [53.947] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 32773, name: xfs_io [53.988] preempt_count: 2, expected: 0 [53.967] RCU nest depth: 0, expected: 0 [53.943] Preemption disabled at: [53.944] [<0000000000000000>] 0x0 [54.078] CPU: 0 UID: 0 PID: 32773 Comm: xfs_io Tainted: G W 7.1.0-rc1-btrfs-next-232+ #1 PREEMPT(full) [54.070] Tainted: [W]=WARN [54.071] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 [54.072] Call Trace: [54.074] <TASK> [54.076] dump_stack_lvl+0x56/0x80 [54.079] __might_resched.cold+0xd6/0x10f [54.072] dput.part.0+0x24/0x110 [54.078] trace_event_raw_event_btrfs_sync_file+0x75/0x140 [btrfs] [54.089] btrfs_sync_file+0x1ed/0x530 [btrfs] [54.087] ? __handle_mm_fault+0x8ae/0xed0 [54.089] btrfs_do_write_iter+0x172/0x210 [btrfs] [54.091] vfs_write+0x21f/0x450 [54.094] __x64_sys_pwrite64+0x8d/0xc0 [54.096] ? do_user_addr_fault+0x20c/0x670 [54.099] do_syscall_64+0x60/0xf20 [54.092] ? clear_bhb_loop+0x60/0xb0 [54.094] entry_SYSCALL_64_after_hwframe+0x76/0x7e So stop using dget_parent() and dput() and access the parent dentry directly as dentry->d_parent. This is also what ext4 is doing in its equivalent trace event ext4_sync_file_enter(). Filipe Manana (1): btrfs: tracepoints: fix sleep while in atomic context in btrfs_sync_file() Goldwyn Rodrigues (1): btrfs: tracepoints: get correct superblock from dentry in event btrfs_sync_file() include/trace/events/btrfs.h | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) -- 2.34.1

2 3

[PATCH v2 OLK-6.6 0/5] Fix NULL pointer dereference
by Liu Kai 22 May '26

22 May '26

Fix NULL pointer dereference Liu Kai (5): xSched/cgroup: remove legacy cftypes due to cgroup v1 incompatibility xSched: fix incorrect error returns in vstream allocation xSched: prevent HBM allocation for non-AI tasks xSched/dmem: memory allocation size must larger than 0 xSched: fix NULL pointer dereference in cfs_rq during class switch include/linux/xsched.h | 30 ++++++++++++++++++++++++------ kernel/xsched/cgroup.c | 3 +-- kernel/xsched/core.c | 12 ++++-------- kernel/xsched/vstream.c | 27 +++++++++------------------ 4 files changed, 38 insertions(+), 34 deletions(-) -- 2.34.1

2 6

[PATCH 00/23] KVM: arm64: rVIC/rVID PV interrupt controller
by Kunkun Jiang 21 May '26

21 May '26

https://lore.kernel.org/all/20200903152610.1078827-1-maz@kernel.org/ Marc Zyngier (5): irqchip/rvic: Add support for untrusted interrupt allocation irqchip: Add Reduced Virtual Interrupt Distributor support irqchip/rvid: Add PCI MSI support KVM: arm64: Tighten msis_require_devid reporting KVM: arm64: Add debugfs files for the rVIC/rVID implementation wanghaibin (18): irqchip: Add Reduced Virtual Interrupt Controller driver KVM: arm64: Move GIC model out of the distributor KVM: arm64: vgic-v3: Move early init to kvm_vgic_create() KVM: arm64: Add irqchip callback structure to kvm_arch KVM: arm64: Move kvm_vgic_destroy to kvm_irqchip_flow KVM: arm64: Move kvm_vgic_vcpu_init() to irqchip_flow KVM: arm64: Move kvm_vgic_vcpu_[un]blocking() to irqchip_flow KVM: arm64: Move kvm_vgic_vcpu_load/put() to irqchip_flow KVM: arm64: Move kvm_vgic_vcpu_pending_irq() to irqchip_flow KVM: arm64: Move vgic resource mapping on first run to irqchip_flow KVM: arm64: Move kvm_vgic_vcpu_{sync, flush}_hwstate() to irqchip_flow KVM: arm64: nVHE: Only save/restore GICv3 state if modeling a GIC KVM: arm64: Move interrupt injection to irqchip_flow KVM: arm64: Move mapping of HW interrupts into irqchip_flow KVM: arm64: Move set_owner into irqchip_flow KVM: arm64: Turn vgic_initialized into irqchip_finalized KVM: arm64: Move irqfd routing to irqchip_flow KVM: arm64: Add a rVIC/rVID in-kernel implementation arch/arm64/include/asm/kvm_host.h | 12 +- arch/arm64/include/asm/kvm_irq.h | 142 +++ arch/arm64/include/uapi/asm/kvm.h | 10 + arch/arm64/kvm/Makefile | 2 +- arch/arm64/kvm/arch_timer.c | 55 +- arch/arm64/kvm/arm.c | 128 ++- arch/arm64/kvm/hyp/nvhe/switch.c | 10 +- arch/arm64/kvm/hypercalls.c | 13 + arch/arm64/kvm/pmu-emul.c | 10 +- arch/arm64/kvm/rvic-cpu.c | 1217 +++++++++++++++++++++++++ arch/arm64/kvm/vgic/vgic-debug.c | 7 +- arch/arm64/kvm/vgic/vgic-init.c | 122 ++- arch/arm64/kvm/vgic/vgic-irqfd.c | 72 +- arch/arm64/kvm/vgic/vgic-its.c | 2 +- arch/arm64/kvm/vgic/vgic-kvm-device.c | 18 +- arch/arm64/kvm/vgic/vgic-mmio-v3.c | 2 +- arch/arm64/kvm/vgic/vgic-mmio.c | 14 +- arch/arm64/kvm/vgic/vgic-v3.c | 24 +- arch/arm64/kvm/vgic/vgic.c | 55 +- arch/arm64/kvm/vgic/vgic.h | 41 +- arch/arm64/kvm/virtcca_cvm.c | 2 +- drivers/irqchip/Kconfig | 12 + drivers/irqchip/Makefile | 2 + drivers/irqchip/irq-rvic.c | 595 ++++++++++++ drivers/irqchip/irq-rvid.c | 440 +++++++++ include/kvm/arm_rvic.h | 41 + include/kvm/arm_vgic.h | 32 - include/linux/cpuhotplug.h | 1 + include/linux/irqchip/irq-rvic.h | 100 ++ include/uapi/linux/kvm.h | 3 +- 30 files changed, 2945 insertions(+), 239 deletions(-) create mode 100644 arch/arm64/include/asm/kvm_irq.h create mode 100644 arch/arm64/kvm/rvic-cpu.c create mode 100644 drivers/irqchip/irq-rvic.c create mode 100644 drivers/irqchip/irq-rvid.c create mode 100644 include/kvm/arm_rvic.h create mode 100644 include/linux/irqchip/irq-rvic.h -- 2.33.0

1 23

[PATCH openEuler-1.0-LTS v7 00/11] support apei_page_offline_policy
by Qi Xi 21 May '26

21 May '26

Patches 1-4 are the old page isolation solution (enable_soft_offline + panic prevention), already delivered to customers. Original PR: https://atomgit.com/openeuler/kernel/merge_requests/20004 Patches 5-11 are the new solution, enabling automated configuration in the new version: Patches 5-7 remove the redundant enable_soft_offline bit 1 huge page isolation switch from the old solution, and copy mc only supports THP and regular pages. Patch 8 adds sysctl_apei_page_offline_policy to support regular/huge page isolation policies and driver notification chain. Patch 9-11 fix bugs. Changes in v7: Use blocking notifier for page offline policy chain Changes in v6: Fix panic casued by UCE in kernel context (!current->mm). Changes in v5: Change sysctl_apei_page_offline_policy bit0 to enable/disable driver notification. Backport some patches that have been merged. Since CONFIG_UCE_KERNEL_RECOVERY depends on CONFIG_ARM64, remove the redundant condition in migrate_page(). Changes in v4: Fix typo errors and backport bugfix for mc_copy. Changes in v3: Use bool rather than int as the return type of apei_page_should_offline(). Drop the PF_UCE_KERNEL_RECOVERY flag after soft-offlining the page. Changes in v2: Add a new sysctl_apei_page_offline_policy, instead of changing soft_offline_page. Jiaqi Yan (1): mm/memory-failure: userspace controls soft-offlining pages Kyle Meyer (1): mm/memory-failure: support disabling soft offline for HugeTLB pages Qi Xi (5): Revert "mm/memory-failure: support disabling soft offline for HugeTLB pages" Revert "arm64: mm: Add copy mc support for migrate_page" apei/ghes: Add sysctl interface to control soft-offline page isolation uce: Prevent kernel panic for kernel-context UCE with recovery path apei: use blocking notifier for page offline policy chain Wupeng Ma (3): uce: add copy_mc_highpage{s} arm64: mm: Add copy mc support for migrate_page arm64: mm: Add copy mc support for migrate_page Yongjian Sun (1): ext4: fix e4b bitmap inconsistency reports arch/arm64/mm/fault.c | 10 +++++- drivers/acpi/apei/ghes.c | 77 ++++++++++++++++++++++++++++++++++++++++ fs/ext4/mballoc.c | 21 +++++------ include/linux/highmem.h | 55 ++++++++++++++++++++++++++++ include/linux/mm.h | 7 ++++ kernel/sysctl.c | 21 +++++++++++ mm/memory-failure.c | 20 +++++++++-- mm/migrate.c | 58 ++++++++++++++++++++++++++++-- 8 files changed, 253 insertions(+), 16 deletions(-) -- 2.33.0

2 12