* [PATCH 6.1 000/969] 6.1.175-rc1 review
@ 2026-05-30 15:52 Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC
To: stable
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr

This is the start of the stable review cycle for the 6.1.175 release.
There are 969 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.

Responses should be made by Mon, 01 Jun 2026 16:01:39 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
    https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.175-rc1.gz
or in the git tree and branch at:
    git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 6.1.175-rc1
Linus Torvalds <torvalds@linux-foundation.org>
security/keys: fix missed RCU read section on lookup
Aditya Garg <gargaditya@linux.microsoft.com>
net: mana: validate rx_req_idx to prevent out-of-bounds array access
Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
gpio: cdev: check if uAPI v2 config attributes are correctly zeroed
Andy Shevchenko <andy.shevchenko@gmail.com>
gpiolib: cdev: use !mem_is_zero() instead of memchr_inv(s, 0, n)
Jani Nikula <jani.nikula@intel.com>
string: add mem_is_zero() helper to check if memory area is all zeros
Rosen Penev <rosenp@gmail.com>
net: ag71xx: check error for platform_get_irq
David Carlier <devnexen@gmail.com>
tracing: Avoid NULL return from hist_field_name() on truncation
Ido Schimmel <idosch@nvidia.com>
bridge: mcast: Fix a possible use-after-free when removing a bridge port
Petr Machata <petrm@nvidia.com>
net: bridge: Flush multicast groups when snooping is disabled
Guangshuo Li <lgs201920130244@gmail.com>
RDMA/rtrs: Fix use-after-free in path file creation cleanup
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
platform/x86: intel-vbtn: Check ACPI_HANDLE() against NULL
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
platform/x86: intel-hid: Check ACPI_HANDLE() against NULL
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
platform/x86: hp_accel: Check ACPI_COMPANION() against NULL
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
platform/x86: adv_swbutton: Check ACPI_HANDLE() against NULL
Erni Sri Satya Vennela <ernis@linux.microsoft.com>
net: mana: Fix TOCTOU double-fetch of hwc_msg_id from DMA buffer
Daniel Golle <daniel@makrotopia.org>
net: dsa: mt7530: preserve VLAN tags on trapped link-local frames
Arınç ÜNAL <arinc.unal@arinc9.com>
net: dsa: mt7530: rename mt753x_bpdu_port_fw enum to mt753x_to_cpu_fw
Daniel Golle <daniel@makrotopia.org>
net: dsa: mt7530: fix FDB entries not aging out with short timeout
Daniel Golle <daniel@makrotopia.org>
net: dsa: mt7530: sync driver-specific behavior of MT7531 variants
Matthew Leach <matthew.leach@collabora.com>
wifi: ath11k: fix peer resolution on rx path when peer_id=0
P Praneesh <quic_ppranees@quicinc.com>
wifi: ath11k: fix rssi station dump not updated in QCN9074
Sriram R <quic_srirrama@quicinc.com>
wifi: ath11k: add new hw ops for IPQ5018 to get rx dest ring hashmap
Sriram R <quic_srirrama@quicinc.com>
wifi: ath11k: initialize hw_ops for IPQ5018
Sriram R <quic_srirrama@quicinc.com>
wifi: ath11k: update hal srng regs for IPQ5018
Sriram R <quic_srirrama@quicinc.com>
wifi: ath11k: remap ce register space for IPQ5018
Sriram R <quic_srirrama@quicinc.com>
wifi: ath11k: update ce configurations for IPQ5018
Sriram R <quic_srirrama@quicinc.com>
wifi: ath11k: update hw params for IPQ5018
Youghandhar Chintala <quic_youghand@quicinc.com>
wifi: ath11k: Trigger sta disconnect on hardware restart
Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
drm/msm/snapshot: fix dumping of the unaligned regions
Felix Gu <ustc.gu@gmail.com>
spi: mtk-snfi: Fix resource leak in mtk_snand_read_page_cache()
Jakub Kicinski <kuba@kernel.org>
net: tls: prevent chain-after-chain in plain text SG
Jakub Kicinski <kuba@kernel.org>
net: tls: fix off-by-one in sg_chain entry count for wrapped sk_msg ring
Xiang Mei <xmei5@asu.edu>
net/smc: reject CHID-0 ACCEPT that matches an empty ism_dev slot
Sayali Patil <sayalip@linux.ibm.com>
powerpc/time: Remove redundant preempt_disable|enable() calls from arch_irq_work_raise()
Mikko Perttunen <mperttunen@nvidia.com>
drm/msm: Fix iommu_map_sgtable() return value check and avoid WARN
Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
drm/msm/dsi: don't dump registers past the mapped region
Chenguang Zhao <zhaochenguang@kylinos.cn>
ethtool: fix ethnl_bitmap32_not_zero() bit interval semantics
Xiang Mei <xmei5@asu.edu>
net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint
Lukas Bulwahn <lukas.bulwahn@redhat.com>
HID: quirks: really enable the intended work around for appledisplay
Nicolas Escande <nico.escande@gmail.com>
wifi: ath11k: fix error path leaks in some WMI WOW calls
Ethan Nelson-Moore <enelsonmoore@gmail.com>
net: ethernet: cs89x0: remove stale CONFIG_MACH_MX31ADS reference
Linus Walleij <linusw@kernel.org>
net: ethernet: cortina: Carry over frag counter
Andreas Haarmann-Thiemann <eitschman@nebelreich.de>
net: ethernet: cortina: Drop half-assembled SKB
Linus Walleij <linusw@kernel.org>
net: ethernet: cortina: Make RX SKB per-port
Jiayuan Chen <jiayuan.chen@linux.dev>
irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT
Rosen Penev <rosenp@gmail.com>
irqchip/ath79-cpu: Remove unused function
Gabor Juhos <j4g8y7@gmail.com>
phy: marvell: mvebu-a3700-utmi: fix incorrect USB2_PHY_CTRL register access
Myeonghun Pak <mhun512@gmail.com>
net: lan966x: avoid unregistering netdev on register failure
Bart Van Assche <bvanassche@acm.org>
ice: fix locking in ice_dcb_rebuild()
Kuniyuki Iwashima <kuniyu@google.com>
tcp: Fix imbalanced icsk_accept_queue count.
Florian Westphal <fw@strlen.de>
netfilter: bridge: eb_tables: close module init race
Florian Westphal <fw@strlen.de>
netfilter: x_tables: close dangling table module init race
Florian Westphal <fw@strlen.de>
netfilter: ebtables: close dangling table module init race
Florian Westphal <fw@strlen.de>
netfilter: ebtables: move to two-stage removal scheme
Florian Westphal <fw@strlen.de>
netfilter: x_tables: add and use xtables_unregister_table_exit
Florian Westphal <fw@strlen.de>
netfilter: x_tables: add and use xt_unregister_table_pre_exit
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: Exclude LEGACY TABLES on PREEMPT_RT.
Breno Leitao <leitao@debian.org>
netfilter: Make legacy configs user selectable
Kuniyuki Iwashima <kuniyu@amazon.com>
netfilter: arptables: Select NETFILTER_FAMILY_ARP when building arp_tables.c
Florian Westphal <fw@strlen.de>
netfilter: xtables: fix up kconfig dependencies
Florian Westphal <fw@strlen.de>
netfilter: ebtables: allow xtables-nft only builds
Florian Westphal <fw@strlen.de>
netfilter: xtables: allow xtables-nft only builds
Florian Westphal <fw@strlen.de>
netfilter: arptables: allow xtables-nft only builds
Florian Westphal <fw@strlen.de>
netfilter: x_tables: unregister the templates first
Guenter Roeck <linux@roeck-us.net>
ARM: integrator: Fix early initialization
Maulik Shah <maulik.shah@oss.qualcomm.com>
pinctrl: qcom: Fix wakeirq map by removing disconnected irqs for sm8150
David Gow <david@davidgow.net>
kunit: config: KUNIT_DEBUGFS should depend on DEBUG_FS
David Gow <david@davidgow.net>
kunit: config: Enable KUNIT_DEBUGFS by default
Sudeep Holla <sudeep.holla@kernel.org>
firmware: arm_ffa: Skip free_pages on RX buffer alloc failure
Sudeep Holla <sudeep.holla@kernel.org>
firmware: arm_ffa: Check for NULL FF-A ID table while driver registration
Takashi Iwai <tiwai@suse.de>
HID: uclogic: Fix regression of input name assignment
Abdurrahman Hussain <abdurrahman@nexthop.ai>
hwmon: (pmbus/adm1266) reject short block-read responses in the GPIO accessors
Abdurrahman Hussain <abdurrahman@nexthop.ai>
hwmon: (pmbus/adm1266) register the nvmem device after pmbus_do_probe()
Abdurrahman Hussain <abdurrahman@nexthop.ai>
hwmon: (pmbus/adm1266) register the gpio_chip after pmbus_do_probe()
Abdurrahman Hussain <abdurrahman@nexthop.ai>
hwmon: (pmbus/adm1266) don't clobber GPIO bits before PDIO read in get_multiple
Abdurrahman Hussain <abdurrahman@nexthop.ai>
hwmon: (pmbus/adm1266) cap PDIO scan in get_multiple at ADM1266_PDIO_NR
Abdurrahman Hussain <abdurrahman@nexthop.ai>
hwmon: (pmbus/adm1266) bounce blackbox records through a protocol-sized buffer
Abdurrahman Hussain <abdurrahman@nexthop.ai>
hwmon: (pmbus/adm1266) include PEC byte in pmbus_block_xfer read buffer
Abdurrahman Hussain <abdurrahman@nexthop.ai>
hwmon: (pmbus/adm1266) reject implausible blackbox record_count
Abdurrahman Hussain <abdurrahman@nexthop.ai>
hwmon: (pmbus/adm1266) seed timestamp from the real-time clock
Sven Eckelmann <sven@narfation.org>
batman-adv: tt: fix negative tt_buff_len
Sven Eckelmann <sven@narfation.org>
batman-adv: tt: fix negative last_changeset_len
Sven Eckelmann <sven@narfation.org>
batman-adv: tp_meter: avoid use of uninit sender vars
Sven Eckelmann <sven@narfation.org>
batman-adv: bla: fix report_work leak on backbone_gw purge
Sven Eckelmann <sven@narfation.org>
batman-adv: frag: disallow unicast fragment in fragment
Luxiao Xu <rakukuip@gmail.com>
batman-adv: fix tp_meter counter underflow during shutdown
Ruide Cao <caoruide123@gmail.com>
batman-adv: fix fragment reassembly length accounting
Sven Eckelmann <sven@narfation.org>
batman-adv: dat: handle forward allocation error
Ruijie Li <ruijieli51@gmail.com>
batman-adv: clear current gateway during teardown
Sven Eckelmann <sven@narfation.org>
batman-adv: mcast: fix use-after-free in orig_node RCU release
Harry Wentland <harry.wentland@amd.com>
drm/amd/display: Validate payload length and link_index in dc_process_dmub_aux_transfer_async
Harry Wentland <harry.wentland@amd.com>
drm/amd/display: Validate GPIO pin LUT table size before iterating
Harry Wentland <harry.wentland@amd.com>
drm/amd/display: Fix integer overflow in bios_get_image()
Osama Abdelkader <osama.abdelkader@gmail.com>
drm/bridge: megachips: remove bridge when irq request fails
Julien Chauveau <chauveau.julien@gmail.com>
drm/bridge: it66121: acquire reset GPIO in probe
Deepanshu Kartikey <kartikey406@gmail.com>
drm/virtio: use uninterruptible resv lock for plane updates
Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
device property: set fwnode->secondary to NULL in fwnode_init()
Huacai Chen <chenhuacai@kernel.org>
LoongArch: Remove unused code to avoid build warning
Michael Bommarito <michael.bommarito@gmail.com>
RDMA/siw: Reject MPA FPDU length underflow before signed receive math
Johan Hovold <johan@kernel.org>
spi: ti-qspi: fix use-after-free after DMA setup failure
Johan Hovold <johan@kernel.org>
spi: sprd: fix error pointer deref after DMA setup failure
Michael Bommarito <michael.bommarito@gmail.com>
scsi: isci: Fix use-after-free in device removal path
Osama Abdelkader <osama.abdelkader@gmail.com>
drm/bridge: chipone-icn6211: use devm_drm_bridge_add in i2c probe
Michael Bommarito <michael.bommarito@gmail.com>
KVM: arm64: vgic-its: Reject restored DTE with out-of-range num_eventid_bits
Masami Hiramatsu (Google) <mhiramat@kernel.org>
tracing: Do not call map->ops->elt_free() if elt_alloc() fails
Zhihao Cheng <chengzhihao1@huawei.com>
cifs: Fix busy dentry used after unmounting
John Walker <johnwalker0@gmail.com>
wifi: cfg80211: advance loop vars in cfg80211_merge_profile()
Marcin Szycik <marcin.szycik@intel.com>
ice: fix setting promisc mode while adding VID filter
Michael Bommarito <michael.bommarito@gmail.com>
ixgbevf: fix use-after-free in VEPA multicast source pruning
Michael Bommarito <michael.bommarito@gmail.com>
ipv4: raw: reject IP_HDRINCL packets with ihl < 5
Kyle Farnung <kfarnung@gmail.com>
wifi: ath11k: clear shared SRNG pointer state on restart
Stefano Garzarella <sgarzare@redhat.com>
vsock/virtio: reset connection on receiving queue overflow
Minh Nguyen <minhnguyen.080505@gmail.com>
vsock/vmci: fix UAF when peer resets connection during handshake
Steven Rostedt <rostedt@goodmis.org>
ring-buffer: Fix reporting of missed events in iterator
Dawei Feng <dawei.feng@seu.edu.cn>
qed: fix double free in qed_cxt_tables_alloc()
Nan Li <tonanli66@gmail.com>
netfilter: ipset: stop hash:* range iteration at end
Haoze Xie <royenheart@gmail.com>
netfilter: nf_queue: hold bridge skb->dev while queued
Zhengchuan Liang <zcliangcn@gmail.com>
netfilter: ip6t_hbh: reject oversized option lists
Michael Bommarito <michael.bommarito@gmail.com>
net: ifb: report ethtool stats over num_tx_queues
Nicolai Buchwitz <nb@tipi-net.de>
net: bcmgenet: keep RBUF EEE/PM disabled
Zijing Yin <yzjaurora@gmail.com>
phonet/pep: disable BH around forwarded sk_receive_skb()
Michael Bommarito <michael.bommarito@gmail.com>
Bluetooth: MGMT: validate Add Extended Advertising Data length
Mingyu Wang <25181214217@stu.xidian.edu.cn>
Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths
Jann Horn <jannh@google.com>
Bluetooth: bnep: Fix UAF read of dev->name
David Carlier <devnexen@gmail.com>
Bluetooth: ISO: drop ISO_END frames received without prior ISO_START
Safa Karakuş <safa.karakus@secunnix.com>
Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()
Abdun Nihaal <nihaal@cse.iitm.ac.in>
net: wwan: iosm: fix potential memory leaks in ipc_imem_init()
Takashi Iwai <tiwai@suse.de>
ALSA: asihpi: Fix potential OOB array access at reading cache
Cássio Gabriel <cassiogabrielcontato@gmail.com>
ALSA: ua101: Reject too-short USB descriptors
Abdurrahman Hussain <abdurrahman@nexthop.ai>
hwmon: (pmbus/adm1266) widen blackbox-info buffer to I2C_SMBUS_BLOCK_MAX
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
sysfs: don't remove existing directory on update failure
Adrian Hunter <adrian.hunter@intel.com>
i3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue
Asim Viladi Oglu Manizada <manizada@pm.me>
smb: client: reject userspace cifs.spnego descriptions
Sasha Levin <sashal@kernel.org>
Revert "s390/cio: Fix device lifecycle handling in css_alloc_subchannel()"
Sasha Levin <sashal@kernel.org>
Revert "x86/vdso: Fix output operand size of RDPID"
Deepanshu Kartikey <kartikey406@gmail.com>
wifi: mac80211: check tdls flag in ieee80211_tdls_oper
Pengpeng Hou <pengpeng@iscas.ac.cn>
s390/debug: Reject zero-length input before trimming a newline
Pavel Begunkov <asml.silence@gmail.com>
io_uring: prevent opcode speculation
Allison Henderson <achender@kernel.org>
net/rds: reset op_nents when zerocopy page pin fails
Nicholas Carlini <nicholas@carlini.com>
io-wq: check that the predecessor is hashed in io_wq_remove_pending()
Johan Hovold <johan@kernel.org>
drm/gma500/oaktrail_lvds: fix i2c adapter leaks on init
Johan Hovold <johan@kernel.org>
drm/gma500/oaktrail_lvds: fix hang on init failure
Johan Hovold <johan@kernel.org>
drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup
Gyeyoung Baek <gye976@gmail.com>
drm/panfrost: Fix wait_bo ioctl leaking positive return from dma_resv_wait_timeout()
Sebastian Brzezinka <sebastian.brzezinka@intel.com>
drm/i915: skip __i915_request_skip() for already signaled requests
Naval Alcalá <ari@naval.cat>
iommu/vt-d: Disable DMAR for Intel Q35 IGFX
Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
libceph: handle rbtree insertion error in decode_choose_args()
Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
libceph: Fix potential out-of-bounds access in crush_decode()
Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
libceph: Fix potential null-ptr-deref in decode_choose_args()
Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
libceph: Fix potential out-of-bounds access in osdmap_decode()
Ma Ke <make24@iscas.ac.cn>
powerpc/warp: Fix error handling in pika_dtm_thread
Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
ceph: fix a buffer leak in __ceph_setxattr()
Cássio Gabriel <cassiogabrielcontato@gmail.com>
ALSA: usb-audio: Bound MIDI endpoint descriptor scans
Chaitanya Kumar Borah <chaitanya.kumar.borah@intel.com>
drm/i915/dp: Fix VSC dynamic range signaling for RGB formats
Ye Bin <yebin10@huawei.com>
smb/client: fix possible infinite loop and oob read in symlink_data()
Qiang Ma <maqianga@uniontech.com>
KVM: x86: Fix Xen hypercall tracepoint argument assignment
Junrui Luo <moonafterrain@outlook.com>
KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer arithmetic
Aaron Sacks <contact@xchglabs.com>
KVM: Reject wrapped offset in kvm_reset_dirty_gfn()
Sergio Correia <scorreia@redhat.com>
audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV
Zoran Ilievski <goodboy@rexbytes.com>
net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled
Li Xiasong <lixiasong1@huawei.com>
netfilter: nft_ct: fix missing expect put in obj eval
Sergio Correia <scorreia@redhat.com>
audit: fix incorrect inheritable capability in CAPSET records
Li Xiasong <lixiasong1@huawei.com>
netfilter: nf_conntrack_sip: get helper before allocating expectation
Matt Vollrath <tactii@gmail.com>
i40e: Cleanup PTP pins on probe failure
Herbert Xu <herbert@gondor.apana.org.au>
crypto: af_alg - Cap AEAD AD length to 0x80000000
Tonghao Zhang <tonghao@bamaicloud.com>
net: bonding: update the slave array for broadcast mode
Hangbin Liu <liuhangbin@gmail.com>
bonding: fix NULL pointer dereference in actor_port_prio setting
Breno Leitao <leitao@debian.org>
netconsole: avoid out-of-bounds access on empty string in trim_newline()
Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
mtd: spi-nor: spansion: Enable JFFS2 write buffer for S25FS256T
Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
ASoC: SOF: stream-ipc: Check for cstream nullity in sof_ipc_msg_data()
Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
ASoC: SOF: pcm: Clear the susbstream pointer to NULL on close
Cássio Gabriel <cassiogabrielcontato@gmail.com>
ALSA: core: Serialize deferred fasync state checks
Takashi Iwai <tiwai@suse.de>
ALSA: misc: Use guard() for spin locks
Filipe Manana <fdmanana@suse.com>
btrfs: tracepoints: fix sleep while in atomic context in btrfs_sync_file()
Justin Chen <justin.chen@broadcom.com>
net: bcmgenet: fix leaking free_bds
Ryo Takakura <ryotkkr98@gmail.com>
net: bcmgenet: Initialize u64 stats seq counter
Eric Dumazet <edumazet@google.com>
net/sched: sch_pie: annotate more data-races in pie_dump_stats()
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
smb: client: fix OOB reads parsing symlink error response
Liang Jie <liangjie@lixiang.com>
smb: client: correctly handle ErrorContextData as a flexible array
Paolo Abeni <pabeni@redhat.com>
net/sched: cls_flower: revert unintended changes
Jakub Kicinski <kuba@kernel.org>
net: tls: fix strparser anchor skb leak on offload RX setup failure
Petr Oros <poros@redhat.com>
ice: fix NULL pointer dereference in ice_reset_all_vfs()
Jacob Keller <jacob.e.keller@intel.com>
ice: Pull common tasks into ice_vf_post_vsi_rebuild
Petr Oros <poros@redhat.com>
iavf: add VIRTCHNL_OP_ADD_VLAN to success completion handler
Petr Oros <poros@redhat.com>
iavf: wait for PF confirmation before removing VLAN filters
Petr Oros <poros@redhat.com>
iavf: stop removing VLAN filters from PF on interface down
Petr Oros <poros@redhat.com>
iavf: rename IAVF_VLAN_IS_NEW to IAVF_VLAN_ADDING
Eric Dumazet <edumazet@google.com>
bonding: 3ad: implement proper RCU rules for port->aggregator
Hangbin Liu <liuhangbin@gmail.com>
bonding: print churn state via netlink
Hangbin Liu <liuhangbin@gmail.com>
bonding: add support for per-port LACP actor priority
Tonghao Zhang <tonghao@bamaicloud.com>
net: bonding: add broadcast_neighbor option for 802.3ad
Jones Syue 薛懷宗 <jonessyue@qnap.com>
bonding: 802.3ad replace MAC_ADDRESS_EQUAL with __agg_has_partner
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/display: Read EDID from VBIOS embedded panel info
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/display: Allow DCE link encoder without AUX registers
Sebastian Andrzej Siewior <bigeasy@linutronix.de>
futex: Prevent lockup in requeue-PI during signal/ timeout wakeup
wangdicheng <wangdicheng@kylinos.cn>
ALSA: hda/conexant: Fix missing error check for jack detection
wangdicheng <wangdicheng@kylinos.cn>
ALSA: hda/conexant: Renaming the codec with device ID 0x1f86 and 0x1f87
Oldherl Oh <me@oldherl.one>
ALSA: hda/conexant: fix some typos
Breno Leitao <leitao@debian.org>
netconsole: propagate device name truncation in dev_name_store()
Matthew Wood <thepacketgeek@gmail.com>
net: netconsole: move newline trimming to function
Eric Dumazet <edumazet@google.com>
net/sched: sch_cake: annotate data-races in cake_dump_stats() (V)
Weiming Shi <bestswngs@gmail.com>
bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()
Beniamino Galvani <b.galvani@gmail.com>
ipv6: rename and move ip6_dst_lookup_tunnel()
Beniamino Galvani <b.galvani@gmail.com>
ipv4: add new arguments to udp_tunnel_dst_lookup()
Beniamino Galvani <b.galvani@gmail.com>
ipv4: remove "proto" argument from udp_tunnel_dst_lookup()
Beniamino Galvani <b.galvani@gmail.com>
ipv4: rename and move ip_route_output_tunnel()
Xin Long <lucien.xin@gmail.com>
sctp: discard stale INIT after handshake completion
Xin Long <lucien.xin@gmail.com>
netfilter: skip recording stale or retransmitted INIT
Christian A. Ehrhardt <christian.ehrhardt@codasip.com>
ASoC: codecs: ab8500: Fix casting of private data
Heiko Schocher <hs@nabladev.com>
net: phy: dp83869: fix setting CLK_O_SEL field.
William A. Kennington III <william@wkennington.com>
net: mctp i2c: check length before marking flow active
Takashi Iwai <tiwai@suse.de>
ALSA: usb-audio: Fix potential leak of pd at parsing UAC3 streams
Florian Westphal <fw@strlen.de>
neigh: let neigh_xmit take skb ownership
Eric Dumazet <edumazet@google.com>
neighbour: add RCU protection to neigh_tables[]
Paul Geurts <paul.geurts@prodrive-technologies.com>
NFC: trf7970a: Ignore antenna noise when checking for RF field
Morduan Zang <zhangdandan@uniontech.com>
net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit
Zhan Jun <zhanjun@uniontech.com>
net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()
Ido Schimmel <idosch@nvidia.com>
vrf: Fix a potential NPD when removing a port from a VRF
Eric Dumazet <edumazet@google.com>
net/sched: sch_fq_pie: annotate data-races in fq_pie_dump_stats()
Eric Dumazet <edumazet@google.com>
net/sched: sch_choke: annotate data-races in choke_dump_stats()
Stephen Hemminger <stephen@networkplumber.org>
net/sched: netem: fix slot delay calculation overflow
Stephen Hemminger <stephen@networkplumber.org>
net/sched: netem: validate slot configuration
Stephen Hemminger <stephen@networkplumber.org>
net/sched: netem: fix queue limit check to include reordered packets
Stephen Hemminger <stephen@networkplumber.org>
net/sched: netem: fix probability gaps in 4-state loss model
Nikola Z. Ivanov <zlatistiv@gmail.com>
netdevsim: zero initialize struct iphdr in dummy sk_buff
Daan De Meyer <daan@amutable.com>
cdrom, scsi: sr: propagate read-only status to block layer via set_disk_ro()
John Madieu <john.madieu@gmail.com>
spi: rockchip: Read ISR, not IMR, to detect cs-inactive IRQ
Yang Yingliang <yangyingliang@huawei.com>
spi: rockchip: switch to use modern name
Lizhe <sensor1010@163.com>
drivers/spi-rockchip.c : Remove redundant variable slave
Florian Westphal <fw@strlen.de>
netfilter: nf_conntrack_sip: don't use simple_strtoul
Jiexun Wang <wangjiexun2025@gmail.com>
netfilter: xt_policy: fix strict mode inbound policy matching
Timur Kristóf <timur.kristof@gmail.com>
drm/amdgpu/gfx6: Support harvested SI chips with disabled TCCs (v2)
Timur Kristóf <timur.kristof@gmail.com>
drm/amdgpu/uvd3.1: Don't validate the firmware when already validated
Alexandre Demers <alexandre.f.demers@gmail.com>
drm/amdgpu: fix spelling typos
Keith Busch <kbusch@kernel.org>
nvme-pci: fix missed admin queue sq doorbell write
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: arp_tables: fix IEEE1394 ARP payload parsing
Maurizio Lombardi <mlombard@redhat.com>
nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers
Breno Leitao <leitao@debian.org>
tracing: branch: Fix inverted check on stat tracer registration
Mark Harmstone <mark@harmstone.com>
btrfs: fix double-decrement of bytes_may_use in submit_one_async_extent()
Wolfram Sang <wsa+renesas@sang-engineering.com>
mailbox: mailbox-test: make data_ready a per-instance variable
Wolfram Sang <wsa+renesas@sang-engineering.com>
mailbox: mailbox-test: initialize struct earlier
Wolfram Sang <wsa+renesas@sang-engineering.com>
mailbox: mailbox-test: don't free the reused channel
Wolfram Sang <wsa+renesas@sang-engineering.com>
mailbox: add sanity check for channel array
cuitao <cuitao@kylinos.cn>
cgroup/rdma: fix integer overflow in rdmacg_try_charge()
Wolfram Sang <wsa+renesas@sang-engineering.com>
mailbox: mailbox-test: free channels on probe error
Yuho Choi <dbgh9129@gmail.com>
fbdev: offb: fix PCI device reference leak on probe failure
Anthony Pighin (Nokia) <anthony.pighin@nokia.com>
rtc: abx80x: Disable alarm feature if no interrupt attached
Bae Yeonju <iwasbaeyz@gmail.com>
fs/adfs: validate nzones in adfs_validate_bblk()
Kohei Enju <kohei@enjuk.jp>
vhost_net: fix sleeping with preempt-disabled in vhost_net_busy_poll()
Lee Jones <lee@kernel.org>
tipc: fix double-free in tipc_buf_append()
Alexey Kodanev <aleksei.kodanev@bell-sw.com>
nfp: fix swapped arguments in nfp_encode_basic_qdr() calls
Mieczyslaw Nalewaj <namiltd@yahoo.com>
net: dsa: realtek: rtl8365mb: fix mode mask calculation
Eric Dumazet <edumazet@google.com>
net/sched: sch_sfb: annotate data-races in sfb_dump_stats()
Eric Dumazet <edumazet@google.com>
net/sched: sch_red: annotate data-races in red_dump_stats()
Eric Dumazet <edumazet@google.com>
net/sched: sch_fq_codel: remove data-races from fq_codel_dump_stats()
Eric Dumazet <edumazet@google.com>
net/sched: sch_pie: annotate data-races in pie_dump_stats()
Eric Dumazet <edumazet@google.com>
net_sched: sch_hhf: annotate data-races in hhf_dump_stats()
Michael Bommarito <michael.bommarito@gmail.com>
net/rds: zero per-item info buffer before handing it to visitors
Hyunwoo Kim <imv4bel@gmail.com>
ksmbd: scope conn->binding slowpath to bound sessions only
DaeMyung Kang <charsyam@gmail.com>
ksmbd: destroy tree_conn_ida in ksmbd_session_destroy()
Jun Yan <jerrysteve1101@gmail.com>
arm64: dts: meson-gxl-p230: fix ethernet PHY interrupt number
Weiming Shi <bestswngs@gmail.com>
slip: bound decode() reads against the compressed packet length
Weiming Shi <bestswngs@gmail.com>
slip: reject VJ receive packets on instances with no rstate array
Fernando Fernandez Mancera <fmancera@suse.de>
netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check
Fernando Fernandez Mancera <fmancera@suse.de>
netfilter: nfnetlink_osf: fix out-of-bounds read on option matching
Yingnan Zhang <342144303@qq.com>
ipvs: fix MTU check for GSO packets in tunnel mode
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: xtables: restrict several matches to inet family
Florian Westphal <fw@strlen.de>
netfilter: conntrack: remove sprintf usage
Xiang Mei <xmei5@asu.edu>
netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nft_osf: restrict it to ipv4
Weiming Shi <bestswngs@gmail.com>
openvswitch: cap upcall PID array size and pre-size vport replies
Qingfang Deng <qingfang.deng@linux.dev>
pppoe: drop PFC frames
Michael Bommarito <michael.bommarito@gmail.com>
sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks
Eric Dumazet <edumazet@google.com>
ipv6: fix possible UAF in icmpv6_rcv()
Matt Vollrath <tactii@gmail.com>
e1000e: Unroll PTP in probe error handling
Kohei Enju <kohei@enjuk.jp>
i40e: don't advertise IFF_SUPP_NOFCS
Eric Dumazet <edumazet@google.com>
tcp: annotate data-races around (tp->write_seq - tp->snd_nxt)
Eric Dumazet <edumazet@google.com>
tcp: annotate data-races around tp->dsack_dups
Eric Dumazet <edumazet@google.com>
tcp: annotate data-races around tp->bytes_retrans
Eric Dumazet <edumazet@google.com>
tcp: annotate data-races around tp->bytes_sent
Eric Dumazet <edumazet@google.com>
tcp: add data-race annotations around tp->data_segs_out and tp->total_retrans
Eric Dumazet <edumazet@google.com>
tcp: preserve const qualifier in tcp_sk()
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
container_of: add container_of_const() that preserves const-ness of the pointer
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
container_of: remove container_of_safe()
Vinicius Costa Gomes <vinicius.gomes@intel.com>
net/sched: taprio: fix use-after-free in advance_sched() on schedule switch
Vladimir Oltean <vladimir.oltean@nxp.com>
net/sched: taprio: rename close_time to end_time
Vladimir Oltean <vladimir.oltean@nxp.com>
net/sched: taprio: refactor one skb dequeue from TXQ to separate function
Vladimir Oltean <vladimir.oltean@nxp.com>
net/sched: taprio: continue with other TXQs if one dequeue() failed
Jiayuan Chen <jiayuan.chen@linux.dev>
nexthop: fix IPv6 route referencing IPv4 nexthop
Dudu Lu <phx0fer@gmail.com>
net/sched: sch_cake: fix NAT destination port not being updated in cake_update_flowkeys
Peng Fan <peng.fan@nxp.com>
arm64: dts: imx8mm-tqma8mqml: Correct PAD settings for PMIC_nINT
Peng Fan <peng.fan@nxp.com>
arm64: dts: imx8mn-tqma8mqnl: Correct PAD settings for PMIC_nINT
René Rebe <rene@exactco.de>
PCMCIA: Fix garbled log messages for KERN_CONT
Peng Fan <peng.fan@nxp.com>
arm64: dts: imx8mp-dhcom-som: Correct PAD settings for PMIC_nINT
Peng Fan <peng.fan@nxp.com>
arm64: dts: imx8mp-icore-mx8mp: Correct PAD settings for PMIC_nINT
Paul Moses <p@1g4.org>
crypto: ccp - copy IV using skcipher ivsize
T Pratham <t-pratham@ti.com>
crypto: sa2ul - Fix AEAD fallback algorithm names
Ville Syrjälä <ville.syrjala@linux.intel.com>
drm/i915/wm: Verify the correct plane DDB entry
Stanislav Lisovskiy <stanislav.lisovskiy@intel.com>
drm/i915: Loop over all active pipes in intel_mbus_dbox_update
Gustavo Sousa <gustavo.sousa@intel.com>
drm/i915: Extract intel_dbuf_mdclk_cdclk_ratio_update()
Ville Syrjälä <ville.syrjala@linux.intel.com>
drm/i915: Constify watermark state checker
Yongpeng Yang <yangyongpeng@xiaomi.com>
f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show()
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
f2fs: Use sysfs_emit_at() to simplify code
Brian Masney <bmasney@redhat.com>
clk: visconti: pll: initialize clk_init_data to zero
Geert Uytterhoeven <geert+renesas@glider.be>
lib/hexdump: print_hex_dump_bytes() calls print_hex_dump_debug()
Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
clk: qcom: dispcc-sc7180: Add missing MDSS resets
Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
dt-bindings: clock: qcom,dispcc-sc7180: Define MDSS resets
Geert Uytterhoeven <geert+renesas@glider.be>
clk: xgene: Fix mapping leak in xgene_pllclk_init()
Arnd Bergmann <arnd@arndb.de>
clk: qoriq: avoid format string warning
Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
clk: imx8mq: Correct the CSI PHY sels
Felix Gu <ustc.gu@gmail.com>
clk: imx: imx6q: Fix device node reference leak in of_assigned_ldb_sels()
Felix Gu <ustc.gu@gmail.com>
clk: imx: imx6q: Fix device node reference leak in pll6_bypassed()
Val Packett <val@packett.cool>
clk: qcom: dispcc-sm8250: Enable parents for pixel clocks
Val Packett <val@packett.cool>
clk: qcom: dispcc-sm8250: Use shared ops on the mdss vsync clk
Val Packett <val@packett.cool>
clk: qcom: gcc-sc8180x: Use retention for PCIe power domains
Val Packett <val@packett.cool>
clk: qcom: gcc-sc8180x: Use retention for USB power domains
Val Packett <val@packett.cool>
clk: qcom: gcc-sc8180x: Add missing GDSCs
Val Packett <val@packett.cool>
dt-bindings: clock: qcom,gcc-sc8180x: Add missing GDSCs
Junrui Luo <moonafterrain@outlook.com>
scsi: target: core: Fix integer overflow in UNMAP bounds check
Yang Erkun <yangerkun@huawei.com>
scsi: sg: Resolve soft lockup issue when opening /dev/sgX
Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
clk: qcom: dispcc-sm8450: use RCG2 ops for DPTX1 AUX clock source
Florian Westphal <fw@strlen.de>
RDMA/core: Prefer NLA_NUL_STRING
Pengpeng Hou <pengpeng@iscas.ac.cn>
platform/x86: dell-wmi-sysman: bound enumeration string aggregation
Fedor Pchelkin <pchelkin@ispras.ru>
platform/x86: dell_rbu: avoid uninit value usage in packet_size_write()
Pengpeng Hou <pengpeng@iscas.ac.cn>
fs/ntfs3: terminate the cached volume label after UTF-8 conversion
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
nfs/blocklayout: Fix compilation error (`make W=1`) in bl_write_pagelist()
Abdun Nihaal <nihaal@cse.iitm.ac.in>
mfd: mc13xxx-core: Fix memory leak in mc13xxx_add_subdevice_pdata()
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
platform/x86: panasonic-laptop: Fix OPTD notifier registration and cleanup
Randy Dunlap <rdunlap@infradead.org>
tty: hvc_iucv: fix off-by-one in number of supported devices
Chen Ni <nichen@iscas.ac.cn>
leds: lgm-sso: Remove duplicate assignments for priv->mmap
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
platform/surface: surfacepro3_button: Drop wakeup source on remove
Chen Ni <nichen@iscas.ac.cn>
backlight: sky81452-backlight: Check return value of devm_gpiod_get_optional() in sky81452_bl_parse_dt()
Nuno Sa <nuno.sa@analog.com>
dev_printk: add new dev_err_probe() helpers
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
driver core: Move dev_err_probe() to where it belogs
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
driver core: device.h: remove extern from function prototypes
Billy Tsai <billy_tsai@aspeedtech.com>
i3c: mipi-i3c-hci: fix IBI payload length calculation for final status
Arnaldo Carvalho de Melo <acme@redhat.com>
perf util: Kill die() prototype, dead for a long time
Leo Yan <leo.yan@arm.com>
perf expr: Return -EINVAL for syntax error in expr__find_ids()
Yu-Chun Lin <eleanor15x@gmail.com>
pinctrl: abx500: Fix type of 'argument' variable
Mike Leach <mike.leach@arm.com>
perf: tools: cs-etm: Fix print issue for Coresight debug in ETE/TRBE trace
Ian Rogers <irogers@google.com>
perf branch: Avoid incrementing NULL
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
pinctrl: cy8c95x0: Avoid returning positive values to user space
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
pinctrl: cy8c95x0: Unify messages with help of dev_err_probe()
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
pinctrl: cy8c95x0: remove duplicate error message
Ethan Tidmore <ethantidmore06@gmail.com>
pinctrl: pinctrl-pic32: Fix resource leak
Puranjay Mohan <puranjay@kernel.org>
bpf, arm32: Reject BPF-to-BPF calls and callbacks in the JIT
Yihan Ding <dingyihan@uniontech.com>
bpf: allow UTF-8 literals in bpf_bprintf_prepare()
Daniel Borkmann <daniel@iogearbox.net>
bpf: Fix precedence bug in convert_bpf_ld_abs alignment check
Michal Luczaj <mhal@rbox.co>
bpf, sockmap: Take state lock for af_unix iter
Michal Luczaj <mhal@rbox.co>
bpf, sockmap: Fix af_unix null-ptr-deref in proto update
Michal Luczaj <mhal@rbox.co>
bpf, sockmap: Fix af_unix iter deadlock
Daniel Borkmann <daniel@iogearbox.net>
bpf, arm64: Fix off-by-one in check_imm signed range check
Oliver Neukum <oneukum@suse.com>
HID: usbhid: fix deadlock in hid_post_reset()
Richard Genoud <richard.genoud@bootlin.com>
mtd: rawnand: sunxi: fix sunxi_nfc_hw_ecc_read_extra_oob
Cosmin Tanislav <cosmin-gabriel.tanislav.xa@renesas.com>
mtd: parsers: ofpart: call of_node_get() for dedicated subpartitions
Cosmin Tanislav <cosmin-gabriel.tanislav.xa@renesas.com>
mtd: parsers: ofpart: call of_node_put() only in ofpart_fail path
Shiji Yang <yangshiji66@outlook.com>
mtd: spi-nor: swp: check SR_TB flag when getting tb_mask
Jonas Gorski <jonas.gorski@gmail.com>
mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation
Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
mtd: spi-nor: sfdp: introduce smpt_map_id fixup hook
Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
mtd: spi-nor: sfdp: introduce smpt_read_dummy fixup hook
Tudor Ambarus <tudor.ambarus@linaro.org>
mtd: spi-nor: Allow post_sfdp hook to return errors
Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
mtd: spi-nor: spansion: Add support for Infineon S25FS256T
Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
mtd: spi-nor: spansion: Make RD_ANY_REG_OP macro take number of dummy bytes
Tudor Ambarus <tudor.ambarus@microchip.com>
mtd: spi-nor: spansion: Replace hardcoded values for addr_nbytes/addr_mode_nbytes
Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
mtd: spi-nor: spansion: Rename s28hs512t prefix
Haibo Chen <haibo.chen@nxp.com>
mtd: spi-nor: core: correct the op.dummy.nbytes when check read operations
Chen Ni <nichen@iscas.ac.cn>
mtd: physmap_of_gemini: Fix disabled pinctrl state check
Denis Benato <denis.benato@linux.dev>
HID: asus: do not abort probe when not necessary
Denis Benato <denis.benato@linux.dev>
HID: asus: make asus_resume adhere to linux kernel coding standards
Daniel Hodges <hodgesd@meta.com>
ima: check return value of crypto_shash_final() in boot aggregate
Pengpeng Hou <pengpeng@iscas.ac.cn>
tracing: Rebuild full_name on each hist_field_name() call
Frank Li <Frank.Li@nxp.com>
dmaengine: mxs-dma: Fix missing return value from of_dma_controller_register()
Cole Leavitt <cole@unwrap.rs>
soundwire: bus: demote UNATTACHED state warnings to dev_dbg()
Khairul Anuar Romli <karom.9560@gmail.com>
dmaengine: dw-axi-dmac: Remove unnecessary return statement from void function
ZhengYuan Huang <gality369@gmail.com>
ocfs2: validate group add input before caching
ZhengYuan Huang <gality369@gmail.com>
ocfs2: validate bg_bits during freefrag scan
ZhengYuan Huang <gality369@gmail.com>
ocfs2: fix listxattr handling when the buffer is full
Christoph Hellwig <hch@lst.de>
arm64/xor: fix conflicting attributes for xor_block_template
Aaro Koskinen <aaro.koskinen@iki.fi>
ARM: OMAP1: Fix DEBUG_LL and earlyprintk on OMAP16XX
Alexander Koskovich <AKoskovich@pm.me>
arm64: dts: qcom: sm8250: Add missing CPU7 3.09GHz OPP
Alok Tiwari <alok.a.tiwari@oracle.com>
soc: qcom: aoss: compare against normalized cooling state
Alok Tiwari <alok.a.tiwari@oracle.com>
soc: qcom: llcc: fix v1 SB syndrome register offset
Junrui Luo <moonafterrain@outlook.com>
ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison
Junrui Luo <moonafterrain@outlook.com>
ocfs2/dlm: validate qr_numregions in dlm_match_regions()
Michal Grzedzicki <mge@meta.com>
unshare: fix nsproxy leak in ksys_unshare() on set_cred_ucounts() failure
Sumit Gupta <sumitg@nvidia.com>
soc/tegra: cbb: Set ERD on resume for err interrupt
David Heidelberg <david@ixit.cz>
arm64: dts: qcom: sdm845-xiaomi-beryllium: Mark l1a regulator as powered during boot
Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
arm64: dts: qcom: sm8450: Enable UHS-I SDR50 and SDR104 SD card modes
Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
arm64: dts: qcom: sm8450: Fix GIC_ITS range length
Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
soc: qcom: ocmem: return -EPROBE_DEFER is ocmem is not available
Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
soc: qcom: ocmem: register reasons for probe deferrals
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
soc: qcom: ocmem: use scoped device node handling to simplify error paths
Akari Tsuyukusa <akkun11.open@gmail.com>
arm64: dts: mediatek: mt7986a: Fix gpio-ranges pin count
Akari Tsuyukusa <akkun11.open@gmail.com>
arm64: dts: mediatek: mt6795: Fix gpio-ranges pin count
Sherry Sun <sherry.sun@nxp.com>
arm64: dts: imx8mp-evk: Enable pull select bit for PCIe regulator GPIO (M.2 W_DISABLE1)
Mikko Perttunen <mperttunen@nvidia.com>
memory: tegra30-emc: Fix dll_change check
Mikko Perttunen <mperttunen@nvidia.com>
memory: tegra124-emc: Fix dll_change check
Rafał Miłecki <rafal@milecki.pl>
ARM: dts: mediatek: mt7623: fix efuse fallback compatible
Joshua Klinesmith <joshuaklinesmith@gmail.com>
ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine
Thomas Huth <thuth@redhat.com>
efi/capsule-loader: fix incorrect sizeof in phys array reallocation
Andreas Gruenbacher <agruenba@redhat.com>
gfs2: prevent NULL pointer dereference during unmount
Andreas Gruenbacher <agruenba@redhat.com>
gfs2: add some missing log locking
Jan Kara <jack@suse.cz>
quota: Fix race of dquot_scan_active() with quota deactivation
Ricardo B. Marlière <rbm@suse.com>
ktest: Run POST_KTEST hooks on failure and cancellation
Ricardo B. Marlière <rbm@suse.com>
ktest: Honor empty per-test option overrides
Ricardo B. Marlière <rbm@suse.com>
ktest: Avoid undef warning when WARNINGS_FILE is unset
Andreas Gruenbacher <agruenba@redhat.com>
gfs2: Call unlock_new_inode before d_instantiate
Ming-Hung Tsai <mtsai@redhat.com>
dm cache: fix missing return in invalidate_committed's error path
Cássio Gabriel <cassiogabrielcontato@gmail.com>
ALSA: sc6000: Keep the programmed board state in card-private data
Takashi Iwai <tiwai@suse.de>
ALSA: sc6000: Use standard print API
Pei Xiao <xiaopei01@kylinos.cn>
spi: mtk-snfi: unregister ECC engine on probe failure and remove() callback
Vidya Sagar <vidyas@nvidia.com>
PCI: tegra194: Allow system suspend when the Endpoint link is not up
Vidya Sagar <vidyas@nvidia.com>
PCI: tegra194: Disable direct speed change for Endpoint mode
Vidya Sagar <vidyas@nvidia.com>
PCI: tegra194: Use devm_gpiod_get_optional() to parse "nvidia,refclk-select"
Manikanta Maddireddy <mmaddireddy@nvidia.com>
PCI: tegra194: Disable PERST# IRQ only in Endpoint mode
Vidya Sagar <vidyas@nvidia.com>
PCI: tegra194: Don't force the device into the D0 state before L2
Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
PCI: tegra194: Rename 'root_bus' to 'root_port_bus' in tegra_pcie_downstream_dev_to_D0()
Manikanta Maddireddy <mmaddireddy@nvidia.com>
PCI: tegra194: Disable LTSSM after transition to Detect on surprise link down
Manikanta Maddireddy <mmaddireddy@nvidia.com>
PCI: tegra194: Increase LTSSM poll time on surprise link down
Vidya Sagar <vidyas@nvidia.com>
PCI: tegra194: Fix polling delay for L2 state
Frank Li <Frank.Li@nxp.com>
PCI: Add PCIE_PME_TO_L2_TIMEOUT_US L2 ready timeout value
Cássio Gabriel <cassiogabrielcontato@gmail.com>
ASoC: SOF: compress: return the configured codec from get_params
Daniel Baluta <daniel.baluta@nxp.com>
ASoC: SOF: Add support for compress API for stream data/offset
Daniel Baluta <daniel.baluta@nxp.com>
ASoC: SOF: Prepare set_stream_data_offset for compress API
Daniel Baluta <daniel.baluta@nxp.com>
ASoC: SOF: Prepare ipc_msg_data to be used with compress API
V sujith kumar Reddy <Vsujithkumar.Reddy@amd.com>
ASoC: SOF: amd: Fix for reading position updates from stream box.
Panagiotis Petrakopoulos <npetrakopoulos2003@gmail.com>
ALSA: scarlett2: Add missing sentinel initializer field
Waiman Long <longman@redhat.com>
selftest: memcg: skip memcg_sock test if address family not supported
Jane Chu <jane.chu@oracle.com>
Documentation: fix a hugetlbfs reservation statement
AnishMulay <anishm7030@gmail.com>
selftests/mm: skip migration tests if NUMA is unavailable
Chen-Yu Tsai <wenst@chromium.org>
PCI: mediatek-gen3: Prevent leaking IRQ domains when IRQ not found
Gerd Bayer <gbayer@linux.ibm.com>
PCI: Enable AtomicOps only if Root Port supports them
Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
ASoC: qcom: qdsp6: topology: check widget type before accessing data
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: fsl_easrc: Change the type for iec958 channel status controls
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: fsl_easrc: Fix value type in fsl_easrc_iec958_get_bits()
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: fsl_easrc: Check the variable range in fsl_easrc_iec958_put_bits()
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_mode_put()
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_arc_mode_put()
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: fsl_micfil: Fix event generation in micfil_quality_set()
Felix Gu <ustc.gu@gmail.com>
pmdomain: imx: scu-pd: Fix device_node reference leak during ->probe()
Felix Gu <gu_0233@qq.com>
pmdomain: ti: omap_prm: Fix a reference leak on device node
Akhil P Oommen <akhilpo@oss.qualcomm.com>
drm/msm/a6xx: Use barriers while updating HFI Q headers
Rob Clark <robin.clark@oss.qualcomm.com>
drm/msm/shrinker: Fix can_block() logic
Rob Clark <robin.clark@oss.qualcomm.com>
drm/msm/a6xx: Fix HLSQ register dumping
Lei Huang <huanglei@kylinos.cn>
ALSA: hda/realtek: fix code style (ERROR: else should follow close brace '}')
Luke D. Jones <luke@ljones.dev>
ALSA: hda/realtek: Whitespace fix
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/pm/smu7: Add SCLK cap for quirky Hawaii board
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/pm/ci: Fill DW8 fields from SMC
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/pm/ci: Clear EnabledForActivity field for memory levels
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/pm/ci: Fix powertune defaults for Hawaii 0x67B0
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/pm/smu7: Fix SMU7 voltage dependency on display clock
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/pm/ci: Disable MCLK DPM on problematic CI ASICs
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/pm/ci: Use highest MCLK on CI when MCLK DPM is disabled
Cássio Gabriel <cassiogabrielcontato@gmail.com>
ALSA: core: Validate compress device numbers without dynamic minors
Sebastian Reichel <sebastian.reichel@collabora.com>
drm/panel: simple: Correct G190EAN01 prepare timing
Alexander Koskovich <akoskovich@pm.me>
drm/msm/dsi: rename MSM8998 DSI version from V2_2_0 to V2_0_0
Yuanjie Yang <yuanjie.yang@oss.qualcomm.com>
drm/msm/dpu: fix mismatch between power and frequency
Pei Xiao <xiaopei01@kylinos.cn>
spi: hisi-kunpeng: prevent infinite while() loop in hisi_spi_flush_fifo
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu/gfx10: look at the right prop for gfx queue priority
Daniel Jordan <daniel.m.jordan@oracle.com>
padata: Put CPU offline callback in ONLINE section to allow failure
Chuyi Zhou <zhouchuyi@bytedance.com>
padata: Remove cpu online check from cpu add and removal
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
fbdev: matroxfb: Mark variable with __maybe_unused to avoid W=1 build break
Guillaume Gonnet <ggonnet.linux@gmail.com>
dm init: ensure device probing has finished in dm-mod.waitfor=
Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
drm/amdgpu: Add default case in DVI mode validation
Ethan Tidmore <ethantidmore06@gmail.com>
drm/sun4i: Fix resource leaks
Felix Gu <ustc.gu@gmail.com>
spi: fsl-qspi: Use reinit_completion() for repeated operations
Junrui Luo <moonafterrain@outlook.com>
dm log: fix out-of-bounds write due to region_count overflow
Ming-Hung Tsai <mtsai@redhat.com>
dm cache metadata: fix memory leak on metadata abort retry
Ming-Hung Tsai <mtsai@redhat.com>
dm cache: fix dirty mapping checking in passthrough mode switching
Ming-Hung Tsai <mtsai@redhat.com>
dm cache: support shrinking the origin device
Ming-Hung Tsai <mtsai@redhat.com>
dm cache: fix concurrent write failure in passthrough mode
Ming-Hung Tsai <mtsai@redhat.com>
dm cache policy smq: fix missing locks in invalidating cache blocks
Ming-Hung Tsai <mtsai@redhat.com>
dm cache: fix write hang in passthrough mode
Ming-Hung Tsai <mtsai@redhat.com>
dm cache: fix write path cache coherency in passthrough mode
Ming-Hung Tsai <mtsai@redhat.com>
dm cache: fix null-deref with concurrent writes in passthrough mode
Sander Vanheule <sander@svanheule.net>
ASoC: sti: use managed regmap_field allocations
Sander Vanheule <sander@svanheule.net>
ASoC: sti: Return errors from regmap_field_alloc()
Ethan Tidmore <ethantidmore06@gmail.com>
drm/sun4i: backend: fix error pointer dereference
Alexander Konyukhov <Alexander.Konyukhov@kaspersky.com>
drm/komeda: fix integer overflow in AFBC framebuffer size check
Jiayuan Chen <jiayuan.chen@linux.dev>
net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master
Xin Long <lucien.xin@gmail.com>
sctp: fix missing encap_port propagation for GSO fragments
Dudu Lu <phx0fer@gmail.com>
Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp
Pauli Virtanen <pav@iki.fi>
Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER
Jonathan Rissanen <jonathan.rissanen@axis.com>
Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: L2CAP: Fix printing wrong information if SDU length exceeds MTU
Sun Jian <sun.jian.kdev@gmail.com>
bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb
Taegu Ha <hataegu0826@gmail.com>
ppp: require CAP_NET_ADMIN in target netns for unattached ioctls
Greg Jumper <greg.jumper@oracle.com>
net/rds: Restrict use of RDS/IB to the initial network namespace
Håkon Bugge <haakon.bugge@oracle.com>
net/rds: Optimize rds_ib_laddr_check
Jamal Hadi Salim <jhs@mojatatu.com>
net/sched: act_ct: Only release RCU read lock after ct_ft
Mashiro Chen <mashiro.chen@mailbox.org>
net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf
Jiri Slaby (SUSE) <jirislaby@kernel.org>
6pack: propagage new tty types
Florian Westphal <fw@strlen.de>
netfilter: nft_fwd_netdev: check ttl/hl before forwarding
Florian Westphal <fw@strlen.de>
netfilter: xt_socket: enable defrag after all other checks
Justin Chen <justin.chen@broadcom.com>
net: bcmgenet: fix racing timeout handler
Zak Kemble <zakkemble@gmail.com>
net: bcmgenet: switch to use 64bit statistics
Doug Berger <opendmb@gmail.com>
net: bcmgenet: support reclaiming unsent Tx packets
Doug Berger <opendmb@gmail.com>
net: bcmgenet: move DESC_INDEX flow to ring 0
Doug Berger <opendmb@gmail.com>
net: bcmgenet: add bcmgenet_has_* helpers
Florian Fainelli <florian.fainelli@broadcom.com>
net: bcmgenet: Remove custom ndo_poll_controller()
Florian Fainelli <florian.fainelli@broadcom.com>
net: bcmgenet: Remove TX ring full logging
Justin Chen <justin.chen@broadcom.com>
net: bcmgenet: fix off-by-one in bcmgenet_put_txcb
Wang Wensheng <wsw9603@163.com>
arm64: kexec: Remove duplicate allocation for trans_pgd
Haoyu Lu <hechushiguitu666@gmail.com>
ACPI: AGDI: fix missing newline in error message
Weiming Shi <bestswngs@gmail.com>
bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()
Jiayuan Chen <jiayuan.chen@linux.dev>
bpf: Drop task_to_inode and inet_conn_established from lsm sleepable hooks
Ethan Tidmore <ethantidmore06@gmail.com>
wifi: brcmfmac: Fix error pointer dereference
Weiming Shi <bestswngs@gmail.com>
bpf: fix end-of-list detection in cgroup_storage_get_next_key()
Eric Dumazet <edumazet@google.com>
macvlan: annotate data-races around port->bc_queue_len_used
Sourabh Jain <sourabhjain@linux.ibm.com>
powerpc/crash: fix backup region offset update to elfcorehdr
Chih Kai Hsu <hsu.chih.kai@realtek.com>
r8152: fix incorrect register write to USB_UPHY_XTAL
Alexey Velichayshiy <a.velichayshiy@ispras.ru>
wifi: rtw89: phy: fix uninitialized variable access in rtw89_phy_cfo_set_crystal_cap()
David Carlier <devnexen@gmail.com>
bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path
Thorsten Blum <thorsten.blum@toblux.com>
bpf, devmap: Remove unnecessary if check in for loop
Petr Pavlu <petr.pavlu@suse.com>
module: Fix freeing of charp module parameters when CONFIG_SYSFS=n
Petr Pavlu <petr.pavlu@suse.com>
params: Replace __modinit with __init_or_module
Shyam Saini <shyamsaini@linux.microsoft.com>
kernel: globalize lookup_or_create_module_kobject()
Shyam Saini <shyamsaini@linux.microsoft.com>
kernel: param: rename locate_module_kobject
Cai Xinchen <caixinchen1@huawei.com>
dpaa2: compile dpaa2 even CONFIG_FSL_DPAA2_ETH=n
Cai Xinchen <caixinchen1@huawei.com>
dpaa2: add independent dependencies for FSL_DPAA2_SWITCH
Feng Yang <yangfeng@kylinos.cn>
bpf: test_run: Fix the null pointer dereference issue in bpf_lwt_xmit_push_encap
Vadim Fedorenko <vadfed@meta.com>
bpf: Add CHECKSUM_COMPLETE to bpf test progs
Duoming Zhou <duoming@zju.edu.cn>
wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet
Zilin Guan <zilin@seu.edu.cn>
wifi: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt()
Mario Limonciello (AMD) <superm1@kernel.org>
firmware: dmi: Correct an indexing error in dmi.h
Bart Van Assche <bvanassche@acm.org>
locking: Fix rwlock support in <linux/spinlock_up.h>
Thomas Gleixner <tglx@kernel.org>
hrtimer: Reduce trace noise in hrtimer_start()
Peter Zijlstra <peterz@infradead.org>
hrtimer: Avoid pointless reprogramming in __hrtimer_start_range_ns()
Richard Clark <richard.xnu.clark@gmail.com>
hrtimers: Update the return type of enqueue_hrtimer()
Brian Masney <bmasney@redhat.com>
irqchip/irq-pic32-evic: Address warning related to wrong printf() formatter
Gui-Dong Han <hanguidong02@gmail.com>
debugfs: check for NULL pointer in debugfs_create_str()
Gopi Krishna Menon <krishnagopi487@gmail.com>
thermal/drivers/spear: Fix error condition for reading st,thermal-flags
Danilo Krummrich <dakr@kernel.org>
devres: fix missing node debug info in devm_krealloc()
Cole Leavitt <cole@unwrap.rs>
pstore/ram: fix resource leak when ioremap() fails
Deepanshu Kartikey <kartikey406@gmail.com>
nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty()
Bart Van Assche <bvanassche@acm.org>
drbd: Balance RCU calls in drbd_adm_dump_devices()
HyungJung Joo <jhj140711@gmail.com>
fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START
Ming Lei <ming.lei@redhat.com>
blk-cgroup: wait for blkcg cleanup before initializing new disk
Mingzhe Zou <mingzhe.zou@easystack.cn>
bcache: fix uninitialized closure object
Amit Kumar Mahapatra <amit.kumar-mahapatra@amd.com>
mtd: spi-nor: sst: Fix SST write failure
Benjamin Cheng <benjamin.cheng@amd.com>
drm/amdgpu/vcn4: Avoid overflow on msg bound check
Benjamin Cheng <benjamin.cheng@amd.com>
drm/amdgpu/vcn3: Avoid overflow on msg bound check
Dudu Lu <phx0fer@gmail.com>
vsock/virtio: fix accept queue count leak on transport mismatch
Norbert Szetei <norbert@doyensec.com>
vsock: fix buffer size clamping order
Viorel Suman (OSS) <viorel.suman@oss.nxp.com>
pwm: imx-tpm: Count the number of enabled channels in probe
Sanjaikumar V S <sanjaikumar.vs@dicortech.com>
mtd: spi-nor: sst: Fix write enable before AAI sequence
Bence Csókás <csokas.bence@prolan.hu>
mtd: spi-nor: sst: Factor out common write operation to `sst_nor_write_data()`
Siwei Zhang <oss@fourdim.xyz>
Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()
Sven Eckelmann <sven@narfation.org>
batman-adv: bla: put backbone reference on failed claim hash insert
Sven Eckelmann <sven@narfation.org>
batman-adv: bla: only purge non-released claims
Sven Eckelmann <sven@narfation.org>
batman-adv: bla: prevent use-after-free when deleting claims
Jiexun Wang <wangjiexun2025@gmail.com>
batman-adv: stop caching unowned originator pointers in BAT IV
Jiexun Wang <wangjiexun2025@gmail.com>
batman-adv: reject new tp_meter sessions during teardown
Lyes Bourennani <lbourennani@fuzzinglabs.com>
batman-adv: fix integer overflow on buff_pos
Ben Morris <bmorris@anthropic.com>
sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu/pm: align Hawaii mclk workaround with radeon
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu/pm: add missing revision check for CI
John B. Moore <jbmoore61@gmail.com>
drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission
John B. Moore <jbmoore61@gmail.com>
drm/amdgpu/gfx9: drop unnecessary 64-bit fence flag check in KIQ
Philip Yang <Philip.Yang@amd.com>
drm/amdgpu: zero-initialize GART table on allocation
Alex Deucher <alexander.deucher@amd.com>
drm/radeon: add missing revision check for CI
Alysa Liu <Alysa.Liu@amd.com>
drm/amdkfd: validate SVM ioctl nattr against buffer size
Ashutosh Desai <ashutoshdesai993@gmail.com>
drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()
Benjamin Cheng <benjamin.cheng@amd.com>
drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg
Benjamin Cheng <benjamin.cheng@amd.com>
drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg
Benjamin Cheng <benjamin.cheng@amd.com>
drm/amdgpu/vce: Prevent partial address patches
Benjamin Cheng <benjamin.cheng@amd.com>
drm/amdgpu: Add bounds checking to ib_{get,set}_value
Johan Hovold <johan@kernel.org>
spi: mpc52xx: fix use-after-free on unbind
Johan Hovold <johan@kernel.org>
spi: orion: fix clock imbalance on registration failure
Johan Hovold <johan@kernel.org>
spi: imx: fix runtime pm leak on probe deferral
Johan Hovold <johan@kernel.org>
spi: mtk-nor: fix controller deregistration
Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
media: omap3isp: drop the use count of v4l2 pipeline
Matthias Fend <matthias.fend@emfend.at>
media: i2c: ov08d10: fix image vertical start setting
Wenmeng Liu <wenmeng.liu@oss.qualcomm.com>
media: i2c: imx412: Assert reset GPIO during probe
Sergey Shtylyov <s.shtylyov@auroraos.dev>
media: dib8000: avoid division by 0 in dib8000_set_dds()
Abdun Nihaal <nihaal@cse.iitm.ac.in>
media: pci: zoran: fix potential memory leak in zoran_probe()
Krishna Chomal <krishna.chomal108@gmail.com>
platform/x86: hp-wmi: Ignore backlight and FnLock events
Wang Jun <1742789905@qq.com>
media: saa7164: add ioremap return checks and cleanups
Johan Hovold <johan@kernel.org>
regulator: bd9571mwv: fix OF node reference imbalance
Johan Hovold <johan@kernel.org>
regulator: act8945a: fix OF node reference imbalance
Oliver Neukum <oneukum@suse.com>
media: rc: streamzap: Error handling in probe
Oliver Neukum <oneukum@suse.com>
media: rc: xbox_remote: heed DMA restrictions
Johan Hovold <johan@kernel.org>
regulator: max77650: fix OF node reference imbalance
Sakari Ailus <sakari.ailus@linux.intel.com>
staging: media: atomisp: Disallow all private IOCTLs
Alexander Koskovich <akoskovich@pm.me>
media: i2c: ov8856: free control handler on error in ov8856_init_controls()
Ricardo Ribalda <ribalda@chromium.org>
media: uvcvideo: Enable VB2_DMABUF for metadata stream
Paul E. McKenney <paulmck@kernel.org>
exit: Sleep at TASK_IDLE when waiting for application core dump
Zhiguo Niu <zhiguo.niu@unisoc.com>
f2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic
Zhiguo Niu <zhiguo.niu@unisoc.com>
f2fs: compress: change the first parameter of page_array_{alloc,free} to sbi
Huacai Chen <chenhuacai@kernel.org>
LoongArch: Use per-root-bridge PCIH flag to skip mem resource fixup
Wentao Guan <guanwentao@uniontech.com>
LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()
David Woodhouse <dwmw@amazon.co.uk>
KVM: arm64: vgic: Fix IIDR revision field extracted from wrong value
Yongpeng Yang <yangyongpeng@xiaomi.com>
f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks()
Yongpeng Yang <yangyongpeng@xiaomi.com>
f2fs: fix fiemap boundary handling when read extent cache is incomplete
Cen Zhang <zzzccc427@gmail.com>
f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode()
Gang Yan <yangang@kylinos.cn>
mptcp: fix scheduling with atomic in timestamp sockopt
Gang Yan <yangang@kylinos.cn>
mptcp: sockopt: set timestamp flags on subflow socket, not msk
Shardul Bankar <shardul.b@mpiricsoftware.com>
mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure
Shardul Bankar <shardul.b@mpiricsoftware.com>
mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure
Jason Gunthorpe <jgg@ziepe.ca>
RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path
Michael Bommarito <michael.bommarito@gmail.com>
RDMA/rxe: Reject unknown opcodes before ICRC processing
Jason Gunthorpe <jgg@ziepe.ca>
RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()
Jason Gunthorpe <jgg@ziepe.ca>
RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()
André Draszik <andre.draszik@linaro.org>
power: supply: max17042: avoid overflow when determining health
Lukas Wunner <lukas@wunner.de>
PCI/AER: Stop ruling out unbound devices as error source
Shuai Xue <xueshuai@linux.alibaba.com>
PCI/AER: Clear only error bits in PCIe Device Status
Zisen Ye <zisenye@stu.xidian.edu.cn>
smb/client: fix out-of-bounds read in symlink_data()
Vasily Gorbik <gor@linux.ibm.com>
s390/debug: Reject zero-length input in debug_input_flush_fn()
Jason Gunthorpe <jgg@ziepe.ca>
RDMA/hns: Fix unlocked call to hns_roce_qp_remove()
Ilya Maximets <i.maximets@ovn.org>
openvswitch: vport: fix self-deadlock on release of tunnel ports
Chaitanya Kulkarni <kch@nvidia.com>
nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free
Fedor Pchelkin <pchelkin@ispras.ru>
nvme-apple: drop invalid put of admin queue reference count
Junrui Luo <moonafterrain@outlook.com>
md/raid10: fix divide-by-zero in setup_geo() with zero far_copies
Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
libceph: Fix slab-out-of-bounds access in auth message processing
Michael Bommarito <michael.bommarito@gmail.com>
isofs: validate block number from NFS file handle in isofs_export_iget
Michael Bommarito <michael.bommarito@gmail.com>
isofs: validate Rock Ridge CE continuation extent against volume size
Eric Biggers <ebiggers@kernel.org>
dm-verity-fec: correctly reject too-small hash devices
Eric Biggers <ebiggers@kernel.org>
dm-verity-fec: correctly reject too-small FEC devices
Mikulas Patocka <mpatocka@redhat.com>
dm: fix a buffer overflow in ioctl processing
Mikulas Patocka <mpatocka@redhat.com>
dm: don't report warning when doing deferred remove
Mikulas Patocka <mpatocka@redhat.com>
dm-thin: fix metadata refcount underflow
Guangshuo Li <lgs201920130244@gmail.com>
btrfs: fix double free in create_space_info() error path
Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
ASoC: qcom: q6apm: remove child devices when apm is removed
Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens
Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop
Cássio Gabriel <cassiogabrielcontato@gmail.com>
ASoC: Intel: bytcr_wm5102: Fix MCLK leak on platform_clock_control error
Joseph Salisbury <joseph.salisbury@oracle.com>
ASoC: fsl_easrc: fix comment typo
Tommaso Soncin <soncintommaso@gmail.com>
ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in quirk table
Shrikanth Hegde <sshegde@linux.ibm.com>
cpuidle: powerpc: avoid double clear when breaking snooze
Conor Dooley <conor.dooley@microchip.com>
clk: microchip: mpfs-ccc: fix out of bounds access during output registration
Johan Hovold <johan@kernel.org>
spi: topcliff-pch: fix use-after-free on unbind
Thorsten Blum <thorsten.blum@linux.dev>
thermal/drivers/sprd: Fix raw temperature clamping in sprd_thm_rawdata_to_temp
Thorsten Blum <thorsten.blum@linux.dev>
thermal/drivers/sprd: Fix temperature clamping in sprd_thm_temp_to_rawdata
Michael Bommarito <michael.bommarito@gmail.com>
udf: reject descriptors with oversized CRC length
Mingming Cao <mmc@linux.ibm.com>
ibmveth: Disable GSO for packets with small MSS
Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
hv_sock: fix ARM64 support
Xu Yang <xu.yang_2@nxp.com>
extcon: ptn5150: handle pending IRQ events during system resume
Shyam Prasad N <sprasad@microsoft.com>
cifs: change_conf needs to be called for session setup
Shyam Prasad N <sprasad@microsoft.com>
cifs: abort open_cached_dir if we don't request leases
Myeonghun Pak <mhun512@gmail.com>
hwmon: (corsair-psu) Close HID device on probe errors
Sanman Pradhan <psanman@juniper.net>
hwmon: (ltc2992) Fix u32 overflow in power read path
Sanman Pradhan <psanman@juniper.net>
hwmon: (ltc2992) Clamp threshold writes to hardware range
Hongling Zeng <zenghongling@kylinos.cn>
parisc: Fix IRQ leak in LASI driver
Nan Li <tonanli66@gmail.com>
net/rds: handle zerocopy send cleanup before the message is queued
Maoyi Xie <maoyixie.tju@gmail.com>
ip6_gre: Use cached t->net in ip6erspan_changelink().
SeungJu Cheon <suunj1331@gmail.com>
sound: ua101: fix division by zero at probe
Kai Zen <kai.aizen.dev@gmail.com>
net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo
Miklos Szeredi <mszeredi@redhat.com>
fanotify: fix false positive on permission events
Johan Hovold <johan@kernel.org>
staging: vme_user: fix root device leak on init failure
Johan Hovold <johan@kernel.org>
spi: zynqmp-gqspi: fix controller deregistration
Siwei Zhang <oss@fourdim.xyz>
Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()
Siwei Zhang <oss@fourdim.xyz>
Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()
Michael Bommarito <michael.bommarito@gmail.com>
Bluetooth: virtio_bt: validate rx pkt_type header length
Michael Bommarito <michael.bommarito@gmail.com>
Bluetooth: virtio_bt: clamp rx length before skb_put
Yilin Zhu <zylzyl2333@gmail.com>
ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()
Ruijie Li <ruijieli51@gmail.com>
xfrm: provide message size for XFRM_MSG_MAPPING
Sourabh Jain <sourabhjain@linux.ibm.com>
powerpc/kdump: fix KASAN sanitization flag for core_$(BITS).o
Cássio Gabriel <cassiogabrielcontato@gmail.com>
ALSA: firewire-tascam: Do not drop unread control events
Felix Gu <ustc.gu@gmail.com>
usb: ulpi: fix memory leak on ulpi_register() error paths
Fabio Porcedda <fabio.porcedda@gmail.com>
USB: serial: option: add Telit Cinterion LE910Cx compositions
Aaro Koskinen <aaro.koskinen@iki.fi>
USB: omap_udc: DMA: Don't enable burst 4 mode
Cássio Gabriel <cassiogabrielcontato@gmail.com>
ALSA: usb-audio: Fix UAC3 cluster descriptor size check
Takashi Iwai <tiwai@suse.de>
ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: usblp: fix heap leak in IEEE 1284 device ID via short response
Tristan Madani <tristan@talencesecurity.com>
wifi: b43: enforce bounds check on firmware key index in b43_rx()
Jiri Slaby (SUSE) <jirislaby@kernel.org>
wifi: ath5k: do not access array OOB
Jeongjun Park <aha310510@gmail.com>
wifi: rsi: fix kthread lifetime race between self-exit and external-stop
Tristan Madani <tristan@talencesecurity.com>
wifi: b43legacy: enforce bounds check on firmware key index in RX path
Leon Yen <leon.yen@mediatek.com>
wifi: mt76: mt7921: fix a potential clc buffer length underflow
Jann Horn <jannh@google.com>
exit: prevent preemption of oopsing TASK_DEAD task
Zilin Guan <zilin@seu.edu.cn>
ice: Fix memory leak in ice_set_ringparam()
Cen Zhang <zzzccc427@gmail.com>
Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: hci_sync: Remove remaining dependencies of hci_request
Jamal Hadi Salim <jhs@mojatatu.com>
net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked
Qingfang Deng <qingfang.deng@linux.dev>
flow_dissector: do not dissect PPPoE PFC frames
Dong Chenchen <dongchenchen2@huawei.com>
net: Fix icmp host relookup triggering ip_rt_bug
Sean Christopherson <seanjc@google.com>
KVM: x86: Fix shadow paging use-after-free due to unexpected GFN
Tejas Bharambe <tejas.bharambe@outlook.com>
ext4: validate p_idx bounds in ext4_ext_correct_indexes
Felix Gu <ustc.gu@gmail.com>
spi: meson-spicc: Fix double-put in remove path
Yussuf Khalil <dev@pp3345.net>
drm/amd/display: Do not skip unrelated mode changes in DSC validation
Johan Hovold <johan@kernel.org>
spi: rockchip: fix controller deregistration
Mark Brown <broonie@kernel.org>
ASoC: SOF: Don't allow pointer operations on unconfigured streams
Shivam Kalra <shivamkalra98@zohomail.in>
ACPI: video: force native backlight on HP OMEN 16 (8A44)
Jinjie Ruan <ruanjinjie@huawei.com>
ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug
Guangshuo Li <lgs201920130244@gmail.com>
ACPI: scan: Use acpi_dev_put() in object add error paths
Rajat Gupta <rajgupt@qti.qualcomm.com>
fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free
Corey Minyard <corey@minyard.net>
ipmi:si: Return state to normal if message allocation fails
Corey Minyard <corey@minyard.net>
ipmi: Check event message buffer response for bad data
Corey Minyard <corey@minyard.net>
ipmi: Add limits to event and receive message requests
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()
Kai Ma <k4729.23098@gmail.com>
netfilter: reject zero shift in nft_bitwise
Andrea Mayer <andrea.mayer@uniroma2.it>
net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels
Deepanshu Kartikey <kartikey406@gmail.com>
ALSA: caiaq: fix usb_dev refcount leak on probe failure
Arjan van de Ven <arjan@linux.intel.com>
drm/amdgpu: fix zero-size GDS range init on RDNA4
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
ipv6: rpl: reserve mac_len headroom when recompressed SRH grows
Takashi Iwai <tiwai@suse.de>
ALSA: caiaq: Don't abort when no input device is available
Takashi Iwai <tiwai@suse.de>
ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path
Douglas Anderson <dianders@chromium.org>
driver core: Add kernel-doc for DEV_FLAG_COUNT enum value
Yucheng Lu <kanolyc@gmail.com>
crypto: authencesn - reject short ahash digests during instance creation
Andrea Mayer <andrea.mayer@uniroma2.it>
seg6: fix seg6 lwtunnel output redirect for L2 reduced encap mode
Yang Xiuwei <yangxiuwei@kylinos.cn>
scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails
Keenan Dong <keenanat2000@gmail.com>
rtmutex: Use waiter::task instead of current in remove_waiter()
Tobias Gaertner <tob.gaertner@me.com>
ntfs3: fix integer overflow in run_unpack() volume boundary check
Tobias Gaertner <tob.gaertner@me.com>
ntfs3: add buffer boundary checks to run_unpack()
Steven Rostedt <rostedt@goodmis.org>
ktest: Fix the month in the name of the failure directory
Chen Zhao <chezhao@nvidia.com>
IB/core: Fix zero dmac race in neighbor resolution
Junrui Luo <moonafterrain@outlook.com>
dm mirror: fix integer overflow in create_dirty_log()
Thorsten Blum <thorsten.blum@linux.dev>
crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path
Thorsten Blum <thorsten.blum@linux.dev>
crypto: atmel-tdes - fix DMA sync direction
Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
crypto: ccree - fix a memory leak in cc_mac_digest()
Thomas Fourier <fourier.thomas@gmail.com>
crypto: hisilicon - Fix dma_unmap_single() direction
Thorsten Blum <thorsten.blum@linux.dev>
crypto: atmel-ecc - Release client on allocation failure
Thorsten Blum <thorsten.blum@linux.dev>
crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup
Eric Biggers <ebiggers@kernel.org>
crypto: arm64/aes - Fix 32-bit aes_mac_update() arg treated as 64-bit
Johan Hovold <johan@kernel.org>
can: ucan: fix devres lifetime
Shuvam Pandey <shuvampandey1@gmail.com>
Bluetooth: hci_event: fix potential UAF in SSP passkey handlers
Yiyang Chen <cyyzero16@gmail.com>
taskstats: set version in TGID exit notifications
Zhenzhong Wu <jt26wzz@gmail.com>
tcp: call sk_data_ready() after listener migration
Chia-Ming Chang <chiamingc@synology.com>
inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails
Junrui Luo <moonafterrain@outlook.com>
md/raid5: validate payload size before accessing journal metadata
Chia-Ming Chang <chiamingc@synology.com>
md/raid5: fix soft lockup in retry_aligned_read()
Sohei Koyama <skoyama@ddn.com>
ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all()
Jens Axboe <axboe@kernel.dk>
io_uring/poll: fix multishot recv missing EOF on wakeup race
James Kim <james010kim@gmail.com>
mtd: docg3: fix use-after-free in docg3_release()
Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
mtd: docg3: Convert to platform remove callback returning void
Yosry Ahmed <yosry@kernel.org>
KVM: nSVM: Add missing consistency check for nCR3 validity
Yosry Ahmed <yosry@kernel.org>
KVM: nSVM: Add missing consistency check for EFER, CR0, CR4, and CS
Yosry Ahmed <yosry@kernel.org>
KVM: nSVM: Clear tracking of L1->L2 NMI and soft IRQ on nested #VMEXIT
Yosry Ahmed <yosry@kernel.org>
KVM: nSVM: Clear GIF on nested #VMEXIT(INVALID)
Yosry Ahmed <yosry@kernel.org>
KVM: nSVM: Always inject a #GP if mapping VMCB12 fails on nested VMRUN
Yosry Ahmed <yosry.ahmed@linux.dev>
KVM: nSVM: Use vcpu->arch.cr2 when updating vmcb12 on nested #VMEXIT
Yosry Ahmed <yosry@kernel.org>
KVM: nSVM: Ensure AVIC is inhibited when restoring a vCPU to guest mode
Sean Christopherson <seanjc@google.com>
KVM: SVM: Explicitly mark vmcb01 dirty after modifying VMCB intercepts
Kevin Cheng <chengkev@google.com>
KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0
Yosry Ahmed <yosry@kernel.org>
KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2
Yosry Ahmed <yosry@kernel.org>
KVM: nSVM: Sync NextRIP to cached vmcb12 after VMRUN of L2
Yosry Ahmed <yosry.ahmed@linux.dev>
KVM: nSVM: Mark all of vmcb02 dirty when restoring nested state
Denis M. Karpov <komlomal@gmail.com>
userfaultfd: allow registration of ranges below mmap_min_addr
Johan Hovold <johan@kernel.org>
rtc: ntxec: fix OF node reference imbalance
Jacqueline Wong <jacqwong@google.com>
tpm: tpm_tis: add error logging for data transfer
Shawn Lin <shawn.lin@rock-chips.com>
mmc: sdhci-of-dwcmshc: Disable clock before DLL configuration
Bin Liu <b-liu@ti.com>
mmc: block: use single block write in retry
Ryan Roberts <ryan.roberts@arm.com>
randomize_kstack: Maintain kstack_offset per task
Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
power: supply: axp288_charger: Do not cancel work before initializing it
Huacai Chen <chenhuacai@kernel.org>
LoongArch: Show CPU vulnerabilites correctly
Arnd Bergmann <arnd@arndb.de>
tpm: avoid -Wunused-but-set-variable
Nathan Chancellor <nathan@kernel.org>
extract-cert: Wrap key_pass with '#ifdef USE_PKCS11_ENGINE'
Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()
Ruide Cao <caoruide123@gmail.com>
ipv4: icmp: validate reply type before using icmp_pointers
hkbinbin <hkbinbinbin@gmail.com>
RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
Luca Ceresoli <luca.ceresoli@bootlin.com>
drm/arcpgu: fix device node leak
Marek Vasut <marex@nabladev.com>
net: ks8851: Avoid excess softirq scheduling
Marek Vasut <marex@nabladev.com>
net: ks8851: Reinstate disabling of BHs around IRQ handler
Ruijie Li <ruijieli51@gmail.com>
net/smc: avoid early lgr access in smc_clc_wait_msg
Ao Zhou <draw51280@163.com>
net: rds: fix MR cleanup on copy error
Yiyang Chen <cyyzero16@gmail.com>
tools/accounting: handle truncated taskstats netlink messages
Jonathan Santos <Jonathan.Santos@analog.com>
iio: adc: ad7768-1: fix one-shot mode data acquisition
Cássio Gabriel <cassiogabrielcontato@gmail.com>
ALSA: 6fire: Fix input volume change detection
Takashi Iwai <tiwai@suse.de>
ALSA: caiaq: Handle probe errors properly
Cássio Gabriel <cassiogabrielcontato@gmail.com>
ALSA: caiaq: Fix control_put() result and cache rollback
Takashi Iwai <tiwai@suse.de>
ALSA: core: Fix potential data race at fasync handling
Jens Axboe <axboe@kernel.dk>
io_uring/poll: ensure EPOLL_ONESHOT is propagated for EPOLL_URING_WAKE
Longxuan Yu <ylong030@ucr.edu>
io_uring/poll: fix signed comparison in io_poll_get_ownership()
David Lechner <dlechner@baylibre.com>
iio: adc: ti-ads7950: use iio_push_to_buffers_with_ts_unaligned()
Pavel Begunkov <asml.silence@gmail.com>
io_uring/timeout: check unused sqe fields
Dawei Feng <dawei.feng@seu.edu.cn>
rbd: fix null-ptr-deref when device_add_disk() fails
Simon Liebold <simonlie@amazon.de>
selftests/mqueue: Fix incorrectly named file
Helge Deller <deller@gmx.de>
parisc: _llseek syscall is only available for 32-bit userspace
Robert Beckett <bob.beckett@collabora.com>
nvme: respect NVME_QUIRK_DISABLE_WRITE_ZEROES when wzsl is set
Robert Beckett <bob.beckett@collabora.com>
nvme-pci: add NVME_QUIRK_DISABLE_WRITE_ZEROES for Kingston OM3SGP4
Josh Hunt <johunt@akamai.com>
md/raid10: fix deadlock with check operation and nowait requests
Gao Xiang <xiang@kernel.org>
erofs: fix the out-of-bounds nameoff handling for trailing dirents
Cássio Gabriel <cassiogabrielcontato@gmail.com>
ALSA: seq_oss: return full count for successful SEQ_FULLSIZE writes
Harin Lee <me@harin.net>
ALSA: ctxfi: Add fallback to default RSR for S/PDIF
Cássio Gabriel <cassiogabrielcontato@gmail.com>
ALSA: aoa: i2sbus: fix OF node lifetime handling
Vasiliy Kovalev <kovalev@altlinux.org>
ext2: reject inodes with zero i_nlink and valid mode in ext2_iget()
Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
net: qrtr: ns: Fix use-after-free in driver remove()
Chen Ni <nichen@iscas.ac.cn>
media: i2c: imx219: Check return value of devm_gpiod_get_optional() in imx219_probe()
Josh Law <objecting@objecting.org>
lib/ts_kmp: fix integer overflow in pattern length calculation
Rong Zhang <i@rong.moe>
Revert "ALSA: usb: Increase volume range that triggers a warning"
Koichiro Den <den@valinux.co.jp>
PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown
Luxiao Xu <rakukuip@gmail.com>
net: strparser: fix skb_head leak in strp_abort_strp()
Zhengchuan Liang <zcliangcn@gmail.com>
net: caif: clear client service pointer on teardown
Ziqing Chen <chenziqing@xiaomi.com>
ALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names()
Ming Qian <ming.qian@oss.nxp.com>
media: amphion: Fix race between m2m job_abort and device_run
Herbert Xu <herbert@gondor.apana.org.au>
crypto: pcrypt - Fix handling of MAY_BACKLOG requests
Chao Yu <chao@kernel.org>
f2fs: fix to detect potential corrupted nid in free_nid_list
Michael Bommarito <michael.bommarito@gmail.com>
um: drivers: call kernel_strrchr() explicitly in cow_user.c
Fedor Pchelkin <pchelkin@ispras.ru>
wifi: rtw88: check for PCI upstream bridge existence
Douglas Anderson <dianders@chromium.org>
driver core: Don't let a device probe until it's ready
Heming Zhao <heming.zhao@suse.com>
ocfs2: split transactions in dio completion to avoid credit exhaustion
Douglas Anderson <dianders@chromium.org>
device property: Make modifications of fwnode "flags" thread safe
Douglas Anderson <dianders@chromium.org>
regset: use kvzalloc() for regset_get_alloc()
Youngmin Nam <youngmin.nam@samsung.com>
arm64: set __exception_irq_entry with __irq_entry as a default
Ming Lei <ming.lei@redhat.com>
blk-mq: fix NULL dereference on q->elevator in blk_mq_elv_switch_none
Jianpeng Chang <jianpeng.chang.cn@windriver.com>
net: enetc: fix the deadlock of enetc_mdio_lock
Jesse.Zhang <Jesse.Zhang@amd.com>
drm/amdgpu: Limit BO list entry count to prevent resource exhaustion
Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
drm/amdgpu: Use vmemdup_array_user in amdgpu_bo_create_list_entry_array
Herbert Xu <herbert@gondor.apana.org.au>
padata: Remove comment for reorder_work
Herbert Xu <herbert@gondor.apana.org.au>
padata: Fix pd UAF once and for all
Thomas Zimmermann <tzimmermann@suse.de>
firmware: google: framebuffer: Do not mark framebuffer as busy
Tyllis Xu <livelycarpet87@gmail.com>
ibmasm: fix heap over-read in ibmasm_send_i2o_message()
Tyllis Xu <livelycarpet87@gmail.com>
ibmasm: fix OOB reads in command_file_write due to missing size checks
Tyllis Xu <livelycarpet87@gmail.com>
misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drm/nouveau: fix u32 overflow in pushbuf reloc bounds check
Takashi Iwai <tiwai@suse.de>
ALSA: usb-audio: Evaluate packsize caps at the right place
Michal Pecio <michal.pecio@gmail.com>
usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable()
Cássio Gabriel <cassiogabrielcontato@gmail.com>
ALSA: usb-audio: Fix Audio Advantage Micro II SPDIF switch
Cássio Gabriel <cassiogabrielcontato@gmail.com>
ALSA: usb-audio: Avoid false E-MU sample-rate notifications
Cássio Gabriel <cassiogabrielcontato@gmail.com>
ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES
Anderson Nascimento <anderson@allelesecurity.com>
rxrpc: Fix missing validation of ticket length in non-XDR key preparsing
Sean Christopherson <seanjc@google.com>
crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed
Sean Christopherson <seanjc@google.com>
crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command failed
Sean Christopherson <seanjc@google.com>
crypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed
Berk Cem Goksel <berkcgoksel@gmail.com>
ALSA: caiaq: take a reference on the USB device in create_card()
Cryolitia PukNgae <cryolitia.pukngae@linux.dev>
ALSA: usb-audio: apply quirk for MOONDROP JU Jiu
George Saad <geoo115@gmail.com>
f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()
Tristan Madani <tristan@talencesecurity.com>
ksmbd: use check_add_overflow() to prevent u16 DACL size overflow
Tristan Madani <tristan@talencesecurity.com>
ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment
Michael Bommarito <michael.bommarito@gmail.com>
smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path
Michael Bommarito <michael.bommarito@gmail.com>
smb: client: require a full NFS mode SID before reading mode bits
DaeMyung Kang <charsyam@gmail.com>
smb: server: fix max_connections off-by-one in tcp accept path
Michael Bommarito <michael.bommarito@gmail.com>
smb: server: fix active_num_conn leak on transport allocation failure
Darrick J. Wong <djwong@kernel.org>
fuse: quiet down complaints in fuse_conn_limit_write
Samuel Page <sam@bynar.io>
fuse: reject oversized dirents in page cache
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
fs/ntfs3: validate rec->used in journal-replay file record check
Wang Jie <jiewang2024@lzu.edu.cn>
rxrpc: only handle RESPONSE during service challenge
David Howells <dhowells@redhat.com>
rxrpc: Fix anonymous key handling
Mark Rutland <mark.rutland@arm.com>
arm64: mm: fix VA-range sanity check
Nathan Chancellor <nathan@kernel.org>
scripts/dtc: Remove unused dts_version in dtc-lexer.l
Johannes Berg <johannes.berg@intel.com>
wifi: iwlwifi: read txq->read_ptr under lock
Ye Bin <yebin10@huawei.com>
f2fs: fix null-ptr-deref in f2fs_submit_page_bio()
Takashi Iwai <tiwai@suse.de>
ALSA: control: Avoid WARN() for symlink errors
André Draszik <andre.draszik@linaro.org>
scsi: ufs: core: Fix use-after free in init error and remove paths
David Howells <dhowells@redhat.com>
rxrpc: Fix recvmsg() unconditional requeue
Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
ASoC: qcom: q6apm: move component registration to unmanaged version
Dawei Li <set_pte_at@outlook.com>
soc: qcom: apr: make remove callback of apr driver void returned
Koichiro Den <den@valinux.co.jp>
PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in epf_ntb_epc_cleanup
Tamir Duberstein <tamird@kernel.org>
scripts: generate_rust_analyzer.py: define scripts
Ming Lei <ming.lei@redhat.com>
ublk: fix deadlock when reading partition table
David Woodhouse <dwmw@amazon.co.uk>
KVM: x86: Use __DECLARE_FLEX_ARRAY() for UAPI structures with VLAs
Yuqi Xu <xuyuqiabc@gmail.com>
rxrpc: reject undecryptable rxkad response tickets
Guocai He <guocai.he.cn@windriver.com>
Revert "wifi: cfg80211: stop NAN and P2P in cfg80211_leave"
David Howells <dhowells@redhat.com>
rxrpc: Fix call removal to use RCU safe deletion
David Howells <dhowells@redhat.com>
rxrpc: Fix key quota calculation for multitoken keys
Joseph Qi <joseph.qi@linux.alibaba.com>
ocfs2: fix out-of-bounds write in ocfs2_write_end_inline
Deepanshu Kartikey <kartikey406@gmail.com>
ocfs2: validate inline data i_size during inode read
Dmitry Antipov <dmantipov@yandex.ru>
ocfs2: add inline inode consistency check to ocfs2_validate_inode_block()
Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
arm64: dts: imx8mq-librem5: Bump BUCK1 suspend voltage up to 0.85V
Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
Revert "arm64: dts: imx8mq-librem5: Set the DVS voltages lower"
Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
arm64: dts: imx8mq-librem5: Bump BUCK1 suspend voltage to 0.81V
Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
arm64: dts: imx8mq-librem5: Set the DVS voltages lower
Vladimir Oltean <vladimir.oltean@nxp.com>
net: dsa: clean up FDB, MDB, VLAN entries on unbind
Felix Fietkau <nbd@nbd.name>
wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure
Andrew Price <anprice@redhat.com>
gfs2: Validate i_depth for exhash directories
Andrew Price <anprice@redhat.com>
gfs2: Improve gfs2_consist_inode() usage
Minhong He <heminhong@kylinos.cn>
ipv6: add NULL checks for idev in SRv6 paths
Sasha Levin <sashal@kernel.org>
Revert "net: ixp4xx_eth: convert to ndo_hwtstamp_get() and ndo_hwtstamp_set()"
Sasha Levin <sashal@kernel.org>
Revert "net: ethernet: xscale: Check for PTP support properly"
Koichiro Den <den@valinux.co.jp>
PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown
Jeongjun Park <aha310510@gmail.com>
media: hackrf: fix to not free memory after the device is registered in hackrf_probe()
Abd-Alrhman Masalkhi <abd.masalkhi@gmail.com>
media: vidtv: fix pass-by-value structs causing MSAN warnings
Deepanshu Kartikey <kartikey406@gmail.com>
nilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map
Jeongjun Park <aha310510@gmail.com>
media: as102: fix to not free memory after the device is registered in as102_usb_probe()
Mingzhe Zou <mingzhe.zou@easystack.cn>
bcache: fix cached_dev.sb_bio use-after-free and crash
Berk Cem Goksel <berkcgoksel@gmail.com>
ALSA: 6fire: fix use-after-free on disconnect
Abhishek Kumar <abhishek_sts8@yahoo.com>
media: em28xx: fix use-after-free in em28xx_v4l2_open()
Ruslan Valiyev <linuxoid@gmail.com>
media: vidtv: fix nfeeds state corruption on start_streaming failure
Breno Leitao <leitao@debian.org>
mm: blk-cgroup: fix use-after-free in cgwb_release_workfn()
Ritesh Harjani (IBM) <ritesh.list@gmail.com>
mm/kasan: fix double free for kasan pXds
Sean Christopherson <seanjc@google.com>
KVM: x86: Use scratch field in MMIO fragment to hold small write values
Sasha Levin <sashal@kernel.org>
checkpatch: add support for Assisted-by tag
Pengpeng Hou <pengpeng@iscas.ac.cn>
rxrpc: proc: size address buffers for %pISpc output
Pablo Neira Ayuso <pablo@netfilter.org>
nf_tables: nft_dynset: fix possible stateful expression memleak in error path
Christian König <christian.koenig@amd.com>
drm/amdgpu: remove two invalid BUG_ON()s
Wang Liang <wangliang74@huawei.com>
bonding: check xdp prog when set bond mode
Hangbin Liu <liuhangbin@gmail.com>
bonding: return detailed error when loading native XDP fails
Eric Dumazet <edumazet@google.com>
net: sched: fix TCF_LAYER_TRANSPORT handling in tcf_get_base_ptr()
Eric Dumazet <edumazet@google.com>
net: add proper RCU protection to /proc/net/ptype
Jeongjun Park <aha310510@gmail.com>
ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free
Sasha Levin <sashal@kernel.org>
Revert "dmaengine: idxd: Fix not releasing workqueue on .release()"
Sean Christopherson <seanjc@google.com>
KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION
ZhengYuan Huang <gality369@gmail.com>
ocfs2: handle invalid dinode in ocfs2_group_extend
Tejas Bharambe <tejas.bharambe@outlook.com>
ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY
Joseph Qi <joseph.qi@linux.alibaba.com>
ocfs2: fix possible deadlock between unlink and dio_end_io_write
Ruslan Valiyev <linuxoid@gmail.com>
media: vidtv: fix NULL pointer dereference in vidtv_channel_pmt_match_sections
Zhihao Cheng <chengzhihao1@huawei.com>
dcache: Limit the minimal number of bucket to two
Harin Lee <me@harin.net>
ALSA: ctxfi: Limit PTP to a single page
SeongJae Park <sj@kernel.org>
Docs/admin-guide/mm/damon/reclaim: warn commit_inputs vs param updates race
Fabio Porcedda <fabio.porcedda@gmail.com>
USB: serial: option: add Telit Cinterion FN990A MBIM composition
Junrui Luo <moonafterrain@outlook.com>
staging: sm750fb: fix division by zero in ps_to_hz()
Tamir Duberstein <tamird@kernel.org>
scripts: generate_rust_analyzer.py: avoid FD leak
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
Xu Yang <xu.yang_2@nxp.com>
usb: port: add delay after usb_hub_set_port_power()
Dave Carey <carvsdriver@gmail.com>
USB: cdc-acm: Add quirks for Yoga Book 9 14IAH10 INGENIC touchscreen
Daniel Brát <danek.brat@gmail.com>
usb: storage: Expand range of matched versions for VL817 quirks entry
Nathan Rebello <nathan.c.rebello@gmail.com>
usbip: validate number_of_packets in usbip_pack_ret_submit()
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
ksmbd: require 3 sub-authorities before reading sub_auth[2]
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
ksmbd: validate EaNameLength in smb2_get_ea()
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: gadget: renesas_usb3: validate endpoint index in standard request handlers
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
ALSA: fireworks: bound device-supplied status before string array lookup
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drm/vc4: platform_get_irq_byname() returns an int
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
NFC: digital: Bounds check NFC-A cascade depth in SDD response handler
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
HID: core: clamp report_size in s32ton() to avoid undefined shift
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
HID: alps: fix NULL pointer dereference in alps_raw_event()
Lin YuChen <starpt.official@gmail.com>
staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
i2c: s3c24xx: check the size of the SMBUS message before using it
Samuel Page <sam@bynar.io>
can: raw: fix ro->uniq use-after-free in raw_rcv()
Junxi Qian <qjx1298677004@gmail.com>
nfc: llcp: add missing return after LLCP_CLOSED checks
Jouni Högander <jouni.hogander@intel.com>
drm/i915/psr: Do not use pipe_src as borders for SU area
Geoffrey D. Bennett <g@b4.vu>
ALSA: usb-audio: Improve Focusrite sample rate filtering
Florian Westphal <fw@strlen.de>
netfilter: conntrack: add missing netlink policy validations
Maarten Lankhorst <dev@lankhorst.se>
Revert "drm: Fix use-after-free on framebuffers and property blobs when calling drm_dev_unplug"
Zide Chen <zide.chen@intel.com>
perf/x86/intel/uncore: Skip discovery table for offline dies
Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
gpio: tegra: fix irq_release_resources calling enable instead of disable
Alice Mikityanska <alice@isovalent.com>
l2tp: Drop large packets with UDP encap
Jiexun Wang <wangjiexun2025@gmail.com>
af_unix: read UNIX_DIAG_VFS data under unix_state_lock
Zhengchuan Liang <zcliangcn@gmail.com>
netfilter: ip6t_eui64: reject invalid MAC header for all packets
Ren Wei <n05ec@lzu.edu.cn>
netfilter: xt_multiport: validate range encoding in checkentry
Xiang Mei <xmei5@asu.edu>
netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE terminator
Daniel Golle <daniel@makrotopia.org>
selftests: net: bridge_vlan_mcast: wait for h1 before querier check
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
xfrm_user: fix info leak in build_mapping()
Steffen Klassert <steffen.klassert@secunet.com>
xfrm: Wait for RCU readers during policy netns exit
Maciej Fijalkowski <maciej.fijalkowski@intel.com>
xsk: tighten UMEM headroom validation to account for tailroom and min frame
Agalakov Daniil <ade@amicon.ru>
e1000: check return value of e1000_read_eeprom
Michal Schmidt <mschmidt@redhat.com>
ixgbevf: add missing negotiate_features op to Hyper-V ops table
Pengpeng Hou <pengpeng@iscas.ac.cn>
tracing/probe: reject non-closed empty immediate strings
Jon Hunter <jonathanh@nvidia.com>
dt-bindings: net: Fix Tegra234 MGBE PTP clock
Pengpeng Hou <pengpeng@iscas.ac.cn>
nfc: s3fwrn5: allocate rx skb before consuming bytes
Yiqi Sun <sunyiqixm@gmail.com>
ipv4: icmp: fix null-ptr-deref in icmp_build_probe()
Eric Dumazet <edumazet@google.com>
net: lapbether: handle NETDEV_PRE_TYPE_CHANGE
Ruide Cao <caoruide123@gmail.com>
net: sched: act_csum: validate nested VLAN headers
Nicholas Carlini <nicholas@carlini.com>
eventpoll: defer struct eventpoll free to RCU grace period
Paolo Abeni <pabeni@redhat.com>
epoll: use refcount to reduce ep_mutex contention
Maíra Canal <mcanal@igalia.com>
drm/vc4: Protect madv read in vc4_gem_object_mmap() with madv_lock
Maíra Canal <mcanal@igalia.com>
drm/vc4: Fix a memory leak in hang state error path
Maíra Canal <mcanal@igalia.com>
drm/vc4: Fix memory leak of BO array in hang state
Maíra Canal <mcanal@igalia.com>
drm/vc4: Release runtime PM reference after binding V3D
Long Li <longli@microsoft.com>
PCI: hv: Set default NUMA node to 0 for devices without affinity info
Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
arm64: dts: imx8mq: Set the correct gpu_ahb clock frequency
Potin Lai <potin.lai.pt@gmail.com>
soc: aspeed: socinfo: Mask table entries for accurate SoC ID matching
Tomasz Merta <tomasz.merta@arrow.com>
ASoC: stm32_sai: fix incorrect BCLK polarity for DSP_A/B, LEFT_J
Pengpeng Hou <pengpeng@iscas.ac.cn>
wifi: brcmfmac: validate bsscfg indices in IF events
Arthur Husband <artmoty@gmail.com>
ata: ahci: force 32-bit DMA for JMicron JMB582/JMB585
Benoît Sevens <bsevens@google.com>
HID: roccat: fix use-after-free in roccat_report_event
songxiebing <songxiebing@kylinos.cn>
ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14IAH10
leo vriska <leo@60228.dev>
HID: quirks: add HID_QUIRK_ALWAYS_POLL for 8BitDo Pro 3
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
pinctrl: intel: Fix the revision for new features (1kOhm PD, HW debouncer)
Gilson Marquato Júnior <gilsonmandalogo@hotmail.com>
ASoC: amd: yc: Add DMI entry for HP Laptop 15-fc0xxx
Fredric Cover <FredTheDude@proton.me>
fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath
Phil Willoughby <willerz@gmail.com>
ALSA: usb-audio: Fix quirk flags for NeuralDSP Quad Cortex
Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
ASoC: soc-core: call missing INIT_LIST_HEAD() for card_aux_list
Pengpeng Hou <pengpeng@iscas.ac.cn>
wifi: wl1251: validate packet IDs before indexing tx_frames
Dustin L. Howett <dustin@howett.net>
ALSA: hda/realtek: add quirk for Framework F111:000F
Florian Westphal <fw@strlen.de>
netfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry
César Montoya <sprit152009@gmail.com>
ALSA: hda/realtek: Add mute LED quirk for HP Pavilion 15-eg0xxx
Goldwyn Rodrigues <rgoldwyn@suse.de>
btrfs: tracepoints: get correct superblock from dentry in event btrfs_sync_file()
Wenyuan Li <2063309626@qq.com>
can: mcp251x: add error handling for power enable in open and resume
Cássio Gabriel <cassiogabrielcontato@gmail.com>
ASoC: SOF: topology: reject invalid vendor array size in token parser
Zhang Heng <zhangheng@kylinos.cn>
ASoC: amd: yc: Add DMI quirk for Thin A15 B7VF
Arnd Bergmann <arnd@arndb.de>
ALSA: asihpi: avoid write overflow check warning
Arnd Bergmann <arnd@arndb.de>
media: rkvdec: reduce stack usage in rkvdec_init_v4l2_vp9_count_tbl()
Andrii Kovalchuk <coderpy4@proton.me>
ALSA: hda/realtek: Add HP ENVY Laptop 13-ba0xxx quirk
Vee Satayamas <vsatayamas@gmail.com>
ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK BM1403CDA
-------------
Diffstat:
Documentation/admin-guide/mm/damon/reclaim.rst | 4 +
.../bindings/net/nvidia,tegra234-mgbe.yaml | 4 +-
Documentation/mm/hugetlbfs_reserv.rst | 2 +-
Documentation/networking/bonding.rst | 15 +
Makefile | 4 +-
arch/arm/boot/dts/mt7623.dtsi | 2 +-
arch/arm/mach-omap1/clock_data.c | 4 +-
arch/arm/mach-versatile/integrator_cp.c | 13 +-
arch/arm/net/bpf_jit_32.c | 6 +
.../boot/dts/amlogic/meson-gxl-s905d-p230.dts | 3 +-
.../arm64/boot/dts/freescale/imx8mm-tqma8mqml.dtsi | 2 +-
.../arm64/boot/dts/freescale/imx8mn-tqma8mqnl.dtsi | 2 +-
.../arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi | 2 +-
arch/arm64/boot/dts/freescale/imx8mp-evk.dts | 2 +-
.../boot/dts/freescale/imx8mp-icore-mx8mp.dtsi | 2 +-
arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi | 2 +-
arch/arm64/boot/dts/freescale/imx8mq.dtsi | 2 +-
arch/arm64/boot/dts/mediatek/mt6795.dtsi | 2 +-
arch/arm64/boot/dts/mediatek/mt7986a.dtsi | 2 +-
.../boot/dts/qcom/sdm845-xiaomi-beryllium.dts | 1 +
arch/arm64/boot/dts/qcom/sm8250.dtsi | 5 +
arch/arm64/boot/dts/qcom/sm8450.dtsi | 5 +-
arch/arm64/crypto/aes-modes.S | 4 +-
arch/arm64/include/asm/exception.h | 5 -
arch/arm64/include/asm/xor.h | 2 +-
arch/arm64/kernel/machine_kexec.c | 3 -
arch/arm64/kvm/vgic/vgic-its.c | 4 +
arch/arm64/kvm/vgic/vgic-mmio-v2.c | 2 +-
arch/arm64/kvm/vgic/vgic-mmio-v3.c | 2 +-
arch/arm64/mm/mmu.c | 4 +-
arch/arm64/net/bpf_jit_comp.c | 4 +-
arch/loongarch/kernel/cpu-probe.c | 7 +
arch/loongarch/mm/init.c | 4 -
arch/loongarch/pci/acpi.c | 5 +
arch/loongarch/pci/pci.c | 3 +
arch/parisc/kernel/syscalls/syscall.tbl | 2 +-
arch/powerpc/kernel/time.c | 6 +-
arch/powerpc/kexec/Makefile | 2 +-
arch/powerpc/kexec/file_load_64.c | 2 +-
arch/powerpc/platforms/44x/warp.c | 2 +
arch/s390/kernel/debug.c | 8 +
arch/s390/kvm/interrupt.c | 3 +-
arch/s390/kvm/pci.c | 6 +-
arch/um/drivers/cow_user.c | 8 +-
arch/x86/events/intel/uncore_discovery.c | 2 +-
arch/x86/include/asm/segment.h | 8 +-
arch/x86/include/uapi/asm/kvm.h | 12 +-
arch/x86/kvm/mmu/mmu.c | 36 +-
arch/x86/kvm/mmu/spte.h | 5 +
arch/x86/kvm/svm/nested.c | 38 +-
arch/x86/kvm/svm/sev.c | 11 +-
arch/x86/kvm/svm/svm.c | 13 +
arch/x86/kvm/svm/svm.h | 1 +
arch/x86/kvm/trace.h | 2 +-
arch/x86/kvm/x86.c | 14 +-
block/blk-cgroup.c | 15 +
block/blk-mq.c | 10 +-
certs/extract-cert.c | 6 +-
crypto/af_alg.c | 2 +
crypto/authencesn.c | 5 +
crypto/pcrypt.c | 7 +-
drivers/acpi/arm64/agdi.c | 2 +-
drivers/acpi/cppc_acpi.c | 6 +-
drivers/acpi/power.c | 2 +-
drivers/acpi/scan.c | 2 +-
drivers/acpi/video_detect.c | 8 +
drivers/ata/ahci.c | 14 +
drivers/base/core.c | 39 +-
drivers/base/dd.c | 20 +
drivers/base/devres.c | 2 +
drivers/block/drbd/drbd_nl.c | 8 +-
drivers/block/rbd.c | 6 +-
drivers/block/ublk_drv.c | 28 +-
drivers/bluetooth/btintel.c | 11 +-
drivers/bluetooth/hci_ldisc.c | 51 +-
drivers/bluetooth/virtio_bt.c | 39 +-
drivers/bus/imx-weim.c | 2 +-
drivers/cdrom/cdrom.c | 73 +-
drivers/char/ipmi/ipmi_si_intf.c | 70 +-
drivers/char/ipmi/ipmi_ssif.c | 23 +-
drivers/char/tpm/tpm_tis_core.c | 4 +
drivers/clk/clk-qoriq.c | 17 +-
drivers/clk/clk-xgene.c | 2 +
drivers/clk/imx/clk-imx6q.c | 12 +-
drivers/clk/imx/clk-imx8mq.c | 4 +-
drivers/clk/microchip/clk-mpfs-ccc.c | 6 +-
drivers/clk/qcom/dispcc-sc7180.c | 8 +
drivers/clk/qcom/dispcc-sm8250.c | 6 +-
drivers/clk/qcom/dispcc-sm8450.c | 2 +-
drivers/clk/qcom/gcc-sc8180x.c | 64 +-
drivers/clk/visconti/pll.c | 2 +-
drivers/cpuidle/cpuidle-powernv.c | 5 +-
drivers/cpuidle/cpuidle-pseries.c | 5 +-
drivers/crypto/atmel-aes.c | 2 +-
drivers/crypto/atmel-ecc.c | 1 +
drivers/crypto/atmel-sha204a.c | 6 +-
drivers/crypto/atmel-tdes.c | 8 +-
drivers/crypto/ccp/ccp-crypto-aes.c | 7 +-
drivers/crypto/ccp/sev-dev.c | 19 +-
drivers/crypto/ccree/cc_hash.c | 1 +
drivers/crypto/hisilicon/sec/sec_algs.c | 2 +-
drivers/crypto/sa2ul.c | 4 +-
drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c | 2 -
drivers/dma/idxd/sysfs.c | 1 -
drivers/dma/mxs-dma.c | 1 +
drivers/extcon/extcon-ptn5150.c | 14 +
drivers/firmware/arm_ffa/bus.c | 4 +-
drivers/firmware/arm_ffa/driver.c | 2 +-
drivers/firmware/efi/capsule-loader.c | 2 +-
drivers/firmware/google/framebuffer-coreboot.c | 2 +-
drivers/firmware/imx/scu-pd.c | 1 +
drivers/gpio/gpio-tegra.c | 2 +-
drivers/gpio/gpiolib-cdev.c | 21 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c | 43 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c | 2 +
drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c | 13 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c | 2 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h | 11 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 3 +
drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c | 3 +
drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 2 +-
drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 2 -
drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c | 66 ++
drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 3 -
drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c | 4 +-
drivers/gpu/drm/amd/amdgpu/uvd_v3_1.c | 16 +-
drivers/gpu/drm/amd/amdgpu/uvd_v4_2.c | 3 +-
drivers/gpu/drm/amd/amdgpu/vce_v2_0.c | 2 +-
drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 25 +-
drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 23 +-
drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 26 +-
drivers/gpu/drm/amd/amdkfd/kfd_priv.h | 3 +
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 5 +
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h | 1 +
.../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 7 +-
drivers/gpu/drm/amd/display/dc/bios/bios_parser.c | 62 ++
drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c | 9 +
.../drm/amd/display/dc/bios/bios_parser_helper.c | 9 +-
drivers/gpu/drm/amd/display/dc/core/dc.c | 6 +-
.../gpu/drm/amd/display/dc/dce/dce_link_encoder.c | 4 +-
.../amd/display/include/grph_object_ctrl_defs.h | 4 +
drivers/gpu/drm/amd/pm/powerplay/hwmgr/hwmgr.c | 15 +
.../gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c | 118 +++-
.../gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.h | 1 +
drivers/gpu/drm/amd/pm/powerplay/inc/hwmgr.h | 1 +
.../gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c | 28 +-
.../drm/arm/display/komeda/komeda_framebuffer.c | 6 +-
drivers/gpu/drm/bridge/chipone-icn6211.c | 4 +-
drivers/gpu/drm/bridge/ite-it66121.c | 5 +
.../drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c | 16 +-
drivers/gpu/drm/drm_file.c | 5 +-
drivers/gpu/drm/drm_gem_framebuffer_helper.c | 4 +-
drivers/gpu/drm/drm_mode_config.c | 9 +-
drivers/gpu/drm/gma500/oaktrail_hdmi.c | 1 +
drivers/gpu/drm/gma500/oaktrail_lvds.c | 9 +-
drivers/gpu/drm/i915/display/intel_dp.c | 9 +-
drivers/gpu/drm/i915/display/intel_psr.c | 18 +-
drivers/gpu/drm/i915/display/skl_watermark.c | 43 +-
drivers/gpu/drm/i915/display/skl_watermark.h | 2 +-
drivers/gpu/drm/i915/gt/intel_reset.c | 3 +-
drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c | 2 +-
drivers/gpu/drm/msm/adreno/a6xx_hfi.c | 14 +-
drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c | 2 -
drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c | 24 +-
drivers/gpu/drm/msm/dsi/dsi_cfg.c | 4 +-
drivers/gpu/drm/msm/dsi/dsi_cfg.h | 2 +-
drivers/gpu/drm/msm/dsi/dsi_host.c | 1 +
drivers/gpu/drm/msm/msm_gem_shrinker.c | 5 +-
drivers/gpu/drm/msm/msm_iommu.c | 5 +-
drivers/gpu/drm/nouveau/nouveau_gem.c | 2 +-
drivers/gpu/drm/panel/panel-simple.c | 2 +-
drivers/gpu/drm/panfrost/panfrost_drv.c | 2 +
drivers/gpu/drm/radeon/ci_dpm.c | 9 +-
drivers/gpu/drm/sun4i/sun4i_backend.c | 6 +-
drivers/gpu/drm/tiny/arcpgu.c | 3 +-
drivers/gpu/drm/vc4/vc4_bo.c | 3 +
drivers/gpu/drm/vc4/vc4_gem.c | 19 +-
drivers/gpu/drm/vc4/vc4_hdmi.c | 14 +-
drivers/gpu/drm/vc4/vc4_v3d.c | 1 +
drivers/gpu/drm/virtio/virtgpu_drv.h | 1 +
drivers/gpu/drm/virtio/virtgpu_gem.c | 17 +
drivers/gpu/drm/virtio/virtgpu_plane.c | 10 +-
drivers/hid/hid-alps.c | 3 +
drivers/hid/hid-asus.c | 28 +-
drivers/hid/hid-core.c | 3 +
drivers/hid/hid-ids.h | 3 +
drivers/hid/hid-quirks.c | 3 +-
drivers/hid/hid-roccat.c | 2 +
drivers/hid/hid-uclogic-core.c | 4 +-
drivers/hid/usbhid/hid-core.c | 2 +-
drivers/hwmon/corsair-psu.c | 4 +-
drivers/hwmon/ltc2992.c | 41 +-
drivers/hwmon/pmbus/adm1266.c | 32 +-
drivers/i2c/busses/i2c-s3c2410.c | 7 +-
drivers/i2c/i2c-core-of.c | 2 +-
drivers/i3c/master/mipi-i3c-hci/dma.c | 30 +-
drivers/iio/adc/ad7768-1.c | 9 +-
drivers/iio/adc/ti-ads7950.c | 11 +-
drivers/infiniband/core/addr.c | 3 +
drivers/infiniband/core/iwpm_msg.c | 6 +-
drivers/infiniband/hw/hns/hns_roce_qp.c | 7 +
drivers/infiniband/hw/mlx4/srq.c | 4 +-
drivers/infiniband/hw/ocrdma/ocrdma_verbs.c | 4 +-
drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.c | 2 +-
drivers/infiniband/sw/rxe/rxe_recv.c | 14 +-
drivers/infiniband/sw/siw/siw_qp_rx.c | 15 +
drivers/infiniband/ulp/rtrs/rtrs-srv-sysfs.c | 2 +-
drivers/iommu/intel/iommu.c | 3 +
drivers/irqchip/irq-ath79-cpu.c | 7 -
drivers/irqchip/irq-pic32-evic.c | 2 +-
drivers/leds/blink/leds-lgm-sso.c | 2 -
drivers/mailbox/mailbox-test.c | 39 +-
drivers/mailbox/mailbox.c | 3 +-
drivers/md/bcache/super.c | 8 +
drivers/md/dm-cache-metadata.c | 24 +-
drivers/md/dm-cache-metadata.h | 5 -
drivers/md/dm-cache-policy-smq.c | 4 +
drivers/md/dm-cache-target.c | 143 +++-
drivers/md/dm-init.c | 4 +-
drivers/md/dm-ioctl.c | 6 +-
drivers/md/dm-log.c | 6 +-
drivers/md/dm-raid1.c | 6 +-
drivers/md/dm-verity-fec.c | 8 +-
drivers/md/persistent-data/dm-btree-remove.c | 8 +
drivers/md/raid10.c | 6 +-
drivers/md/raid5-cache.c | 48 +-
drivers/md/raid5.c | 8 +-
drivers/media/dvb-frontends/dib8000.c | 4 +-
drivers/media/i2c/imx219.c | 3 +
drivers/media/i2c/imx412.c | 2 +-
drivers/media/i2c/ov08d10.c | 10 +-
drivers/media/i2c/ov8856.c | 10 +-
drivers/media/pci/saa7164/saa7164-core.c | 47 +-
drivers/media/pci/zoran/zoran_card.c | 2 +-
drivers/media/platform/amphion/vpu_v4l2.c | 9 +-
drivers/media/platform/ti/omap3isp/ispvideo.c | 1 +
drivers/media/rc/streamzap.c | 12 +-
drivers/media/rc/xbox_remote.c | 9 +-
drivers/media/test-drivers/vidtv/vidtv_bridge.c | 4 +-
drivers/media/test-drivers/vidtv/vidtv_channel.c | 4 +
drivers/media/test-drivers/vidtv/vidtv_mux.c | 4 +-
drivers/media/test-drivers/vidtv/vidtv_ts.c | 48 +-
drivers/media/test-drivers/vidtv/vidtv_ts.h | 4 +-
drivers/media/usb/as102/as102_usb_drv.c | 2 +
drivers/media/usb/em28xx/em28xx-video.c | 14 +-
drivers/media/usb/hackrf/hackrf.c | 7 +-
drivers/media/usb/uvc/uvc_queue.c | 3 +-
drivers/memory/tegra/tegra124-emc.c | 2 +-
drivers/memory/tegra/tegra30-emc.c | 6 +-
drivers/mfd/mc13xxx-core.c | 2 +-
drivers/misc/ibmasm/ibmasmfs.c | 7 +
drivers/misc/ibmasm/lowlevel.c | 12 +-
drivers/misc/ibmasm/remote.c | 5 +
drivers/mmc/core/block.c | 12 +-
drivers/mmc/core/queue.h | 3 +
drivers/mmc/host/sdhci-of-dwcmshc.c | 19 +-
drivers/mtd/devices/docg3.c | 8 +-
drivers/mtd/maps/physmap-gemini.c | 2 +-
drivers/mtd/nand/raw/sunxi_nand.c | 6 +-
drivers/mtd/parsers/ofpart_core.c | 4 +-
drivers/mtd/spi-nor/core.c | 2 +-
drivers/mtd/spi-nor/core.h | 10 +-
drivers/mtd/spi-nor/micron-st.c | 4 +-
drivers/mtd/spi-nor/sfdp.c | 47 +-
drivers/mtd/spi-nor/spansion.c | 106 ++-
drivers/mtd/spi-nor/sst.c | 50 +-
drivers/mtd/spi-nor/swp.c | 4 +-
drivers/net/bareudp.c | 24 +-
drivers/net/bonding/bond_3ad.c | 123 ++--
drivers/net/bonding/bond_main.c | 90 ++-
drivers/net/bonding/bond_netlink.c | 37 +-
drivers/net/bonding/bond_options.c | 74 +++
drivers/net/bonding/bond_procfs.c | 3 +-
drivers/net/bonding/bond_sysfs_slave.c | 17 +-
drivers/net/can/spi/mcp251x.c | 29 +-
drivers/net/can/usb/ucan.c | 2 +-
drivers/net/dsa/mt7530.c | 85 +--
drivers/net/dsa/mt7530.h | 70 +-
drivers/net/dsa/realtek/rtl8365mb.c | 2 +-
.../net/ethernet/aquantia/atlantic/aq_pci_func.c | 2 +-
drivers/net/ethernet/atheros/ag71xx.c | 3 +
drivers/net/ethernet/broadcom/genet/bcmgenet.c | 733 +++++++++------------
drivers/net/ethernet/broadcom/genet/bcmgenet.h | 68 +-
drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c | 4 +-
drivers/net/ethernet/broadcom/genet/bcmmii.c | 6 +-
drivers/net/ethernet/cirrus/cs89x0.c | 2 -
drivers/net/ethernet/cortina/gemini.c | 21 +-
drivers/net/ethernet/freescale/Makefile | 3 +-
drivers/net/ethernet/freescale/dpaa2/Kconfig | 4 +
drivers/net/ethernet/freescale/enetc/enetc.c | 25 +-
drivers/net/ethernet/ibm/ibmveth.c | 22 +
drivers/net/ethernet/ibm/ibmveth.h | 1 +
drivers/net/ethernet/intel/e1000/e1000_ethtool.c | 8 +-
drivers/net/ethernet/intel/e1000e/netdev.c | 1 +
drivers/net/ethernet/intel/i40e/i40e.h | 1 +
drivers/net/ethernet/intel/i40e/i40e_main.c | 2 +-
drivers/net/ethernet/intel/i40e/i40e_ptp.c | 3 +-
drivers/net/ethernet/intel/iavf/iavf.h | 9 +-
drivers/net/ethernet/intel/iavf/iavf_main.c | 52 +-
drivers/net/ethernet/intel/iavf/iavf_virtchnl.c | 76 +--
drivers/net/ethernet/intel/ice/ice_dcb_lib.c | 4 +-
drivers/net/ethernet/intel/ice/ice_ethtool.c | 11 +-
drivers/net/ethernet/intel/ice/ice_main.c | 2 +-
drivers/net/ethernet/intel/ice/ice_sriov.c | 2 -
drivers/net/ethernet/intel/ice/ice_vf_lib.c | 26 +-
drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c | 1 +
drivers/net/ethernet/intel/ixgbevf/vf.c | 7 +
drivers/net/ethernet/micrel/ks8851.h | 6 +-
drivers/net/ethernet/micrel/ks8851_common.c | 69 +-
drivers/net/ethernet/micrel/ks8851_par.c | 15 +-
drivers/net/ethernet/micrel/ks8851_spi.c | 11 +-
.../net/ethernet/microchip/lan966x/lan966x_main.c | 8 +-
drivers/net/ethernet/microsoft/mana/hw_channel.c | 35 +-
.../ethernet/netronome/nfp/nfpcore/nfp_target.c | 17 +-
drivers/net/ethernet/qlogic/qed/qed_cxt.c | 2 +
drivers/net/ethernet/xscale/ixp4xx_eth.c | 60 +-
drivers/net/ethernet/xscale/ptp_ixp46x.c | 3 -
drivers/net/hamradio/6pack.c | 39 +-
drivers/net/ifb.c | 11 +-
drivers/net/macvlan.c | 8 +-
drivers/net/mctp/mctp-i2c.c | 4 +-
drivers/net/netconsole.c | 26 +-
drivers/net/netdevsim/dev.c | 2 +-
drivers/net/phy/dp83869.c | 13 +-
drivers/net/phy/mdio_bus.c | 4 +-
drivers/net/ppp/ppp_generic.c | 5 +-
drivers/net/ppp/pppoe.c | 8 +-
drivers/net/slip/slhc.c | 49 +-
drivers/net/usb/cdc-phonet.c | 7 +-
drivers/net/usb/r8152.c | 2 +-
drivers/net/usb/rtl8150.c | 12 +-
drivers/net/vrf.c | 15 +-
drivers/net/wan/lapbether.c | 13 +-
drivers/net/wireless/ath/ath11k/ahb.c | 44 +-
drivers/net/wireless/ath/ath11k/ce.h | 16 +
drivers/net/wireless/ath/ath11k/core.c | 91 +++
drivers/net/wireless/ath/ath11k/core.h | 12 +
drivers/net/wireless/ath/ath11k/dp_rx.c | 3 +-
drivers/net/wireless/ath/ath11k/hal.c | 31 +-
drivers/net/wireless/ath/ath11k/hal.h | 5 +
drivers/net/wireless/ath/ath11k/hal_rx.c | 13 +-
drivers/net/wireless/ath/ath11k/hal_rx.h | 18 +-
drivers/net/wireless/ath/ath11k/hw.c | 398 ++++++++++-
drivers/net/wireless/ath/ath11k/hw.h | 14 +-
drivers/net/wireless/ath/ath11k/mac.c | 7 +
drivers/net/wireless/ath/ath11k/pci.c | 2 +
drivers/net/wireless/ath/ath11k/wmi.c | 19 +-
drivers/net/wireless/ath/ath5k/base.c | 3 +-
drivers/net/wireless/ath/ath9k/channel.c | 6 +-
drivers/net/wireless/broadcom/b43/xmit.c | 3 +-
drivers/net/wireless/broadcom/b43legacy/xmit.c | 3 +-
.../wireless/broadcom/brcm80211/brcmfmac/chip.c | 15 +
.../wireless/broadcom/brcm80211/brcmfmac/fweh.c | 5 +
drivers/net/wireless/intel/iwlwifi/queue/tx.c | 3 +-
drivers/net/wireless/mac80211_hwsim.c | 1 -
drivers/net/wireless/marvell/mwifiex/11n_aggr.c | 1 +
drivers/net/wireless/mediatek/mt76/mt7921/mcu.c | 3 +
drivers/net/wireless/realtek/rtlwifi/pci.c | 1 +
drivers/net/wireless/realtek/rtw88/pci.c | 3 +-
drivers/net/wireless/realtek/rtw89/phy.c | 2 +-
drivers/net/wireless/rsi/rsi_common.h | 5 +-
drivers/net/wireless/ti/wl1251/tx.c | 8 +-
drivers/net/wwan/iosm/iosm_ipc_imem.c | 2 +
drivers/nfc/s3fwrn5/uart.c | 10 +-
drivers/nfc/trf7970a.c | 3 +-
drivers/nvme/host/apple.c | 6 +-
drivers/nvme/host/core.c | 2 +-
drivers/nvme/host/pci.c | 3 +
drivers/nvme/target/core.c | 2 +-
drivers/nvme/target/tcp.c | 51 +-
drivers/of/base.c | 2 +-
drivers/of/dynamic.c | 2 +-
drivers/of/platform.c | 2 +-
drivers/parisc/lasi.c | 12 +-
drivers/pci/controller/dwc/pcie-tegra194.c | 151 ++---
drivers/pci/controller/pci-hyperv.c | 8 +
drivers/pci/controller/pcie-mediatek-gen3.c | 8 +-
drivers/pci/endpoint/functions/pci-epf-ntb.c | 56 +-
drivers/pci/endpoint/functions/pci-epf-vntb.c | 19 +-
drivers/pci/pci.c | 48 +-
drivers/pci/pci.h | 6 +
drivers/pci/pcie/aer.c | 2 -
drivers/pcmcia/rsrc_nonstatic.c | 6 +-
drivers/phy/marvell/phy-mvebu-a3700-utmi.c | 5 +-
drivers/pinctrl/intel/pinctrl-intel.c | 2 +-
drivers/pinctrl/nomadik/pinctrl-abx500.c | 2 +-
drivers/pinctrl/pinctrl-cy8c95x0.c | 27 +-
drivers/pinctrl/pinctrl-pic32.c | 20 +-
drivers/pinctrl/qcom/pinctrl-sm8150.c | 8 +-
drivers/platform/surface/surfacepro3_button.c | 1 +
drivers/platform/x86/adv_swbutton.c | 6 +-
.../x86/dell/dell-wmi-sysman/enum-attributes.c | 34 +-
drivers/platform/x86/dell/dell_rbu.c | 6 +-
drivers/platform/x86/hp/hp-wmi.c | 5 +
drivers/platform/x86/hp/hp_accel.c | 3 +
drivers/platform/x86/intel/hid.c | 6 +-
drivers/platform/x86/intel/vbtn.c | 6 +-
drivers/platform/x86/panasonic-laptop.c | 5 +-
drivers/power/supply/axp288_charger.c | 19 +-
drivers/power/supply/max17042_battery.c | 2 +-
drivers/pwm/pwm-imx-tpm.c | 8 +
drivers/regulator/act8945a-regulator.c | 3 +-
drivers/regulator/bd9571mwv-regulator.c | 3 +-
drivers/regulator/max77650-regulator.c | 2 +-
drivers/rtc/rtc-abx80x.c | 2 +
drivers/rtc/rtc-ntxec.c | 2 +-
drivers/s390/cio/css.c | 2 +-
drivers/scsi/isci/host.c | 3 +
drivers/scsi/sd.c | 1 +
drivers/scsi/sg.c | 29 +-
drivers/scsi/sr.c | 11 +-
drivers/scsi/sr.h | 1 -
drivers/soc/aspeed/aspeed-socinfo.c | 2 +-
drivers/soc/qcom/llcc-qcom.c | 2 +-
drivers/soc/qcom/ocmem.c | 22 +-
drivers/soc/qcom/qcom_aoss.c | 2 +-
drivers/soc/tegra/cbb/tegra234-cbb.c | 4 +
drivers/soc/ti/omap_prm.c | 1 +
drivers/soundwire/bus.c | 8 +-
drivers/spi/spi-fsl-qspi.c | 3 +-
drivers/spi/spi-hisi-kunpeng.c | 12 +-
drivers/spi/spi-imx.c | 1 +
drivers/spi/spi-meson-spicc.c | 2 -
drivers/spi/spi-mpc52xx.c | 3 +-
drivers/spi/spi-mtk-nor.c | 4 +-
drivers/spi/spi-mtk-snfi.c | 16 +-
drivers/spi/spi-orion.c | 6 +
drivers/spi/spi-rockchip.c | 66 +-
drivers/spi/spi-sprd.c | 3 +-
drivers/spi/spi-ti-qspi.c | 1 +
drivers/spi/spi-topcliff-pch.c | 6 +-
drivers/spi/spi-zynqmp-gqspi.c | 4 +-
drivers/spi/spi.c | 2 +-
drivers/staging/media/atomisp/pci/atomisp_ioctl.c | 4 +
drivers/staging/media/rkvdec/rkvdec-vp9.c | 3 +-
drivers/staging/rtl8723bs/core/rtw_security.c | 2 +-
drivers/staging/sm750fb/sm750.c | 3 +
drivers/staging/vme_user/vme_fake.c | 2 +
drivers/target/target_core_configfs.c | 2 +-
drivers/target/target_core_sbc.c | 3 +-
drivers/thermal/spear_thermal.c | 2 +-
drivers/thermal/sprd_thermal.c | 4 +-
drivers/tty/hvc/hvc_iucv.c | 2 +-
drivers/ufs/core/ufshcd.c | 31 +-
drivers/ufs/host/ufshcd-pci.c | 2 -
drivers/ufs/host/ufshcd-pltfrm.c | 25 +-
drivers/usb/class/cdc-acm.c | 53 +-
drivers/usb/class/usblp.c | 3 +-
drivers/usb/common/ulpi.c | 5 +-
drivers/usb/core/port.c | 1 +
drivers/usb/gadget/function/f_ncm.c | 4 +-
drivers/usb/gadget/function/f_phonet.c | 9 +
drivers/usb/gadget/udc/omap_udc.c | 4 -
drivers/usb/gadget/udc/renesas_usb3.c | 7 +-
drivers/usb/host/xhci.c | 1 -
drivers/usb/serial/option.c | 6 +
drivers/usb/storage/unusual_devs.h | 7 +-
drivers/usb/usbip/usbip_common.c | 12 +
drivers/vhost/net.c | 4 +-
drivers/video/backlight/sky81452-backlight.c | 3 +
drivers/video/fbdev/matrox/g450_pll.c | 2 +-
drivers/video/fbdev/offb.c | 7 +-
drivers/video/fbdev/tdfxfb.c | 3 +
drivers/video/fbdev/udlfb.c | 34 +-
fs/adfs/super.c | 3 +
fs/binfmt_elf.c | 2 +-
fs/btrfs/inode.c | 2 +-
fs/btrfs/space-info.c | 2 +-
fs/ceph/xattr.c | 1 +
fs/dcache.c | 4 +-
fs/debugfs/file.c | 5 +-
fs/erofs/dir.c | 28 +-
fs/eventpoll.c | 201 ++++--
fs/ext2/inode.c | 14 +-
fs/ext4/extents.c | 15 +
fs/ext4/xattr.c | 4 +-
fs/f2fs/compress.c | 90 +--
fs/f2fs/data.c | 28 +-
fs/f2fs/f2fs.h | 2 +
fs/f2fs/inode.c | 2 +-
fs/f2fs/node.c | 17 +-
fs/f2fs/super.c | 8 +-
fs/f2fs/sysfs.c | 52 +-
fs/fuse/control.c | 4 +-
fs/fuse/readdir.c | 4 +
fs/gfs2/dir.c | 37 +-
fs/gfs2/glops.c | 40 +-
fs/gfs2/inode.c | 3 +-
fs/gfs2/log.c | 33 +-
fs/gfs2/xattr.c | 28 +-
fs/isofs/export.c | 2 +-
fs/isofs/rock.c | 9 +
fs/nfs/blocklayout/blocklayout.c | 4 +-
fs/nilfs2/dat.c | 3 +
fs/nilfs2/ioctl.c | 6 +
fs/notify/fsnotify.c | 2 +-
fs/notify/inotify/inotify_user.c | 1 +
fs/notify/mark.c | 18 +-
fs/ntfs3/fslog.c | 12 +-
fs/ntfs3/run.c | 18 +-
fs/ntfs3/super.c | 7 +-
fs/ocfs2/aops.c | 75 ++-
fs/ocfs2/dlm/dlmdomain.c | 10 +-
fs/ocfs2/inode.c | 31 +
fs/ocfs2/ioctl.c | 18 +-
fs/ocfs2/mmap.c | 7 +-
fs/ocfs2/ocfs2_trace.h | 10 +-
fs/ocfs2/resize.c | 22 +-
fs/ocfs2/xattr.c | 4 +-
fs/omfs/inode.c | 6 +
fs/pstore/ram_core.c | 4 +
fs/quota/dquot.c | 38 +-
fs/smb/client/cached_dir.c | 8 +
fs/smb/client/cifs_spnego.c | 16 +
fs/smb/client/cifsacl.c | 1 +
fs/smb/client/cifsfs.c | 2 +
fs/smb/client/fs_context.c | 4 +
fs/smb/client/smb2file.c | 27 +-
fs/smb/client/smb2misc.c | 3 +-
fs/smb/client/smb2ops.c | 17 +
fs/smb/client/smb2pdu.h | 2 +-
fs/smb/server/auth.c | 11 +-
fs/smb/server/mgmt/user_session.c | 12 +-
fs/smb/server/smb2pdu.c | 7 +
fs/smb/server/smbacl.c | 19 +-
fs/smb/server/transport_tcp.c | 4 +-
fs/sysfs/group.c | 2 +-
fs/udf/misc.c | 8 +-
fs/userfaultfd.c | 2 -
include/dt-bindings/clock/qcom,dispcc-sc7180.h | 7 +-
include/dt-bindings/clock/qcom,gcc-sc8180x.h | 5 +
include/linux/cdrom.h | 1 +
include/linux/container_of.h | 23 +-
include/linux/cpuhotplug.h | 1 -
include/linux/dev_printk.h | 10 +
include/linux/device.h | 48 +-
include/linux/dmi.h | 5 +
include/linux/f2fs_fs.h | 1 +
include/linux/fsnotify_backend.h | 1 +
include/linux/fwnode.h | 45 +-
include/linux/kvm_host.h | 3 +-
include/linux/module.h | 2 +
include/linux/moduleparam.h | 11 +-
include/linux/netfilter/x_tables.h | 3 +-
include/linux/netfilter_arp/arp_tables.h | 1 -
include/linux/netfilter_ipv4/ip_tables.h | 1 -
include/linux/netfilter_ipv6/ip6_tables.h | 1 -
include/linux/padata.h | 12 +-
include/linux/ppp_defs.h | 16 +
include/linux/printk.h | 5 +-
include/linux/quotaops.h | 9 +-
include/linux/randomize_kstack.h | 26 +-
include/linux/sched.h | 4 +
include/linux/soc/qcom/apr.h | 2 +-
include/linux/spinlock_up.h | 20 +-
include/linux/string.h | 12 +
include/linux/tcp.h | 10 +-
include/linux/tpm_eventlog.h | 9 +-
include/linux/usb.h | 3 +-
include/net/bluetooth/hci_sync.h | 17 +
include/net/bond_3ad.h | 3 +-
include/net/bond_options.h | 2 +
include/net/bonding.h | 4 +
include/net/ipv6.h | 6 -
include/net/mac80211.h | 4 +
include/net/netfilter/nf_queue.h | 1 +
include/net/netfilter/nf_tables.h | 2 +
include/net/pie.h | 2 +-
include/net/pkt_cls.h | 2 +
include/net/route.h | 6 -
include/net/tcp.h | 2 +-
include/net/udp_tunnel.h | 15 +
include/trace/events/btrfs.h | 9 +-
include/trace/events/rxrpc.h | 4 +
include/trace/events/timer.h | 11 +-
include/uapi/linux/bpf.h | 2 +
include/uapi/linux/if_link.h | 3 +
include/uapi/linux/kvm.h | 11 +-
include/ufs/ufshcd.h | 1 -
include/video/udlfb.h | 1 +
init/main.c | 1 -
io_uring/io-wq.c | 3 +-
io_uring/io_uring.c | 2 +
io_uring/poll.c | 14 +-
io_uring/timeout.c | 4 +
kernel/audit.c | 4 +
kernel/auditsc.c | 2 +-
kernel/bpf/bpf_lsm.c | 1 -
kernel/bpf/devmap.c | 8 +-
kernel/bpf/helpers.c | 17 +-
kernel/bpf/local_storage.c | 2 +-
kernel/cgroup/rdma.c | 2 +-
kernel/exit.c | 3 +-
kernel/fork.c | 13 +-
kernel/futex/requeue.c | 13 +-
kernel/irq_work.c | 7 +
kernel/locking/rtmutex.c | 13 +-
kernel/module/main.c | 4 +-
kernel/padata.c | 266 +++-----
kernel/params.c | 46 +-
kernel/regset.c | 6 +-
kernel/taskstats.c | 1 +
kernel/time/hrtimer.c | 56 +-
kernel/trace/ring_buffer.c | 8 +-
kernel/trace/trace_branch.c | 8 +-
kernel/trace/trace_events_hist.c | 12 +-
kernel/trace/trace_probe.c | 2 +-
kernel/trace/tracing_map.c | 17 +-
lib/kunit/Kconfig | 5 +-
lib/ts_kmp.c | 18 +-
mm/backing-dev.c | 5 +-
mm/kasan/init.c | 8 +-
net/batman-adv/bat_iv_ogm.c | 85 ++-
net/batman-adv/bridge_loop_avoidance.c | 65 +-
net/batman-adv/distributed-arp-table.c | 3 +
net/batman-adv/fragmentation.c | 58 +-
net/batman-adv/gateway_client.c | 4 +
net/batman-adv/originator.c | 4 +-
net/batman-adv/tp_meter.c | 32 +-
net/batman-adv/types.h | 6 +-
net/bluetooth/af_bluetooth.c | 10 +
net/bluetooth/bnep/core.c | 2 +-
net/bluetooth/hci_event.c | 21 +-
net/bluetooth/hci_request.h | 21 -
net/bluetooth/hci_sync.c | 14 +-
net/bluetooth/iso.c | 14 +-
net/bluetooth/l2cap_core.c | 8 +-
net/bluetooth/l2cap_sock.c | 60 +-
net/bluetooth/mgmt.c | 6 +
net/bluetooth/rfcomm/sock.c | 9 +-
net/bluetooth/sco.c | 9 +-
net/bpf/test_run.c | 63 +-
net/bridge/br_multicast.c | 27 +-
net/bridge/netfilter/Kconfig | 13 +
net/bridge/netfilter/Makefile | 2 +-
net/bridge/netfilter/ebtable_broute.c | 14 +-
net/bridge/netfilter/ebtable_filter.c | 14 +-
net/bridge/netfilter/ebtable_nat.c | 12 +-
net/bridge/netfilter/ebtables.c | 71 +-
net/caif/cfsrvl.c | 14 +-
net/can/raw.c | 11 +-
net/ceph/auth.c | 4 +-
net/ceph/crush/crush.c | 6 +-
net/ceph/mon_client.c | 2 +
net/ceph/osdmap.c | 14 +-
net/core/filter.c | 4 +-
net/core/flow_dissector.c | 13 +-
net/core/neighbour.c | 34 +-
net/core/net-procfs.c | 49 +-
net/core/rtnetlink.c | 1 +
net/dsa/dsa2.c | 38 +-
net/ethtool/bitset.c | 8 +-
net/ipv4/icmp.c | 15 +-
net/ipv4/inet_connection_sock.c | 5 +-
net/ipv4/netfilter/Kconfig | 59 +-
net/ipv4/netfilter/Makefile | 2 +-
net/ipv4/netfilter/arp_tables.c | 36 +-
net/ipv4/netfilter/arpt_mangle.c | 8 +
net/ipv4/netfilter/arptable_filter.c | 27 +-
net/ipv4/netfilter/ip_tables.c | 18 +-
net/ipv4/netfilter/iptable_filter.c | 27 +-
net/ipv4/netfilter/iptable_mangle.c | 29 +-
net/ipv4/netfilter/iptable_nat.c | 6 +-
net/ipv4/netfilter/iptable_raw.c | 26 +-
net/ipv4/netfilter/iptable_security.c | 27 +-
net/ipv4/nexthop.c | 4 +-
net/ipv4/raw.c | 2 +-
net/ipv4/route.c | 48 --
net/ipv4/tcp.c | 17 +-
net/ipv4/tcp_input.c | 6 +-
net/ipv4/tcp_minisocks.c | 5 +-
net/ipv4/tcp_output.c | 20 +-
net/ipv4/tcp_recovery.c | 2 +-
net/ipv4/udp_tunnel_core.c | 48 ++
net/ipv6/exthdrs.c | 13 +-
net/ipv6/icmp.c | 10 +-
net/ipv6/ip6_gre.c | 5 +-
net/ipv6/ip6_output.c | 68 --
net/ipv6/ip6_udp_tunnel.c | 69 ++
net/ipv6/netfilter/Kconfig | 30 +-
net/ipv6/netfilter/Makefile | 2 +-
net/ipv6/netfilter/ip6_tables.c | 18 +-
net/ipv6/netfilter/ip6t_eui64.c | 3 +-
net/ipv6/netfilter/ip6t_hbh.c | 4 +
net/ipv6/netfilter/ip6table_filter.c | 26 +-
net/ipv6/netfilter/ip6table_mangle.c | 27 +-
net/ipv6/netfilter/ip6table_nat.c | 6 +-
net/ipv6/netfilter/ip6table_raw.c | 24 +-
net/ipv6/netfilter/ip6table_security.c | 27 +-
net/ipv6/rpl_iptunnel.c | 9 +
net/ipv6/seg6_hmac.c | 2 +
net/ipv6/seg6_iptunnel.c | 12 +-
net/ipv6/xfrm6_protocol.c | 4 +-
net/l2tp/l2tp_core.c | 5 +
net/mac80211/tdls.c | 2 +-
net/mac80211/tx.c | 4 +-
net/mptcp/sockopt.c | 12 +-
net/mptcp/subflow.c | 4 +-
net/netfilter/Kconfig | 22 +-
net/netfilter/ipset/ip_set_hash_ipmark.c | 6 +-
net/netfilter/ipset/ip_set_hash_ipport.c | 5 +-
net/netfilter/ipset/ip_set_hash_ipportip.c | 5 +-
net/netfilter/ipset/ip_set_hash_ipportnet.c | 5 +-
net/netfilter/ipvs/ip_vs_xmit.c | 19 +-
net/netfilter/nf_conntrack_netlink.c | 2 +-
net/netfilter/nf_conntrack_proto_sctp.c | 13 +-
net/netfilter/nf_conntrack_sip.c | 160 +++--
net/netfilter/nf_nat_amanda.c | 2 +-
net/netfilter/nf_nat_sip.c | 34 +-
net/netfilter/nf_queue.c | 4 +-
net/netfilter/nf_tables_api.c | 4 +-
net/netfilter/nfnetlink_log.c | 8 +-
net/netfilter/nfnetlink_osf.c | 45 +-
net/netfilter/nfnetlink_queue.c | 2 +
net/netfilter/nft_bitwise.c | 3 +-
net/netfilter/nft_ct.c | 2 +
net/netfilter/nft_dynset.c | 10 +-
net/netfilter/nft_fwd_netdev.c | 10 +
net/netfilter/nft_osf.c | 6 +-
net/netfilter/nft_set_pipapo_avx2.c | 20 +-
net/netfilter/x_tables.c | 116 +++-
net/netfilter/xt_mac.c | 34 +-
net/netfilter/xt_multiport.c | 34 +-
net/netfilter/xt_owner.c | 37 +-
net/netfilter/xt_physdev.c | 29 +-
net/netfilter/xt_policy.c | 2 +-
net/netfilter/xt_realm.c | 2 +-
net/netfilter/xt_socket.c | 23 +-
net/nfc/digital_technology.c | 6 +
net/nfc/llcp_core.c | 2 +
net/openvswitch/datapath.c | 35 +-
net/openvswitch/vport-netdev.c | 6 +-
net/openvswitch/vport.c | 3 +
net/phonet/pep.c | 19 +-
net/qrtr/ns.c | 11 +
net/rds/af_rds.c | 10 +-
net/rds/connection.c | 14 +
net/rds/ib.c | 24 +-
net/rds/ib.h | 1 +
net/rds/ib_rdma.c | 2 +-
net/rds/message.c | 21 +-
net/rds/rdma.c | 4 -
net/rxrpc/call_object.c | 22 +-
net/rxrpc/conn_event.c | 17 +-
net/rxrpc/key.c | 9 +-
net/rxrpc/proc.c | 26 +-
net/rxrpc/recvmsg.c | 22 +-
net/rxrpc/rxkad.c | 7 +-
net/rxrpc/sendmsg.c | 2 +-
net/sched/act_csum.c | 6 +-
net/sched/act_ct.c | 8 +-
net/sched/em_cmp.c | 5 +-
net/sched/em_nbyte.c | 2 +
net/sched/em_text.c | 11 +-
net/sched/sch_cake.c | 15 +-
net/sched/sch_choke.c | 26 +-
net/sched/sch_fq_codel.c | 3 +-
net/sched/sch_fq_pie.c | 19 +-
net/sched/sch_hhf.c | 19 +-
net/sched/sch_netem.c | 44 +-
net/sched/sch_pie.c | 52 +-
net/sched/sch_red.c | 33 +-
net/sched/sch_sfb.c | 54 +-
net/sched/sch_taprio.c | 176 ++---
net/sctp/inqueue.c | 1 +
net/sctp/sm_statefuns.c | 6 +
net/sctp/socket.c | 11 +-
net/smc/af_smc.c | 3 +-
net/smc/smc_clc.c | 4 +-
net/smc/smc_tracepoint.h | 2 +-
net/strparser/strparser.c | 8 +
net/tipc/msg.c | 14 +-
net/tls/tls.h | 1 +
net/tls/tls_strp.c | 6 +
net/tls/tls_sw.c | 30 +-
net/unix/af_unix.c | 9 +-
net/unix/diag.c | 21 +-
net/unix/unix_bpf.c | 3 +
net/vmw_vsock/af_vsock.c | 6 +-
net/vmw_vsock/hyperv_transport.c | 4 +-
net/vmw_vsock/virtio_transport_common.c | 23 +-
net/vmw_vsock/vmci_transport.c | 2 +-
net/wireless/core.c | 4 +-
net/wireless/scan.c | 3 +
net/xdp/xdp_umem.c | 3 +-
net/xfrm/xfrm_policy.c | 2 +
net/xfrm/xfrm_user.c | 2 +
scripts/checkpatch.pl | 10 +
scripts/dtc/dtc-lexer.l | 3 -
scripts/generate_rust_analyzer.py | 17 +-
security/integrity/ima/ima_crypto.c | 2 +-
security/keys/keyring.c | 1 +
sound/aoa/soundbus/i2sbus/core.c | 9 +-
sound/core/compress_offload.c | 7 -
sound/core/control.c | 4 +
sound/core/control_led.c | 14 +-
sound/core/misc.c | 44 +-
sound/core/seq/oss/seq_oss_rw.c | 6 +-
sound/core/sound.c | 7 +
sound/firewire/fireworks/fireworks_command.c | 5 +-
sound/firewire/tascam/tascam-hwdep.c | 1 +
sound/isa/sc6000.c | 285 ++++----
sound/pci/asihpi/hpicmn.c | 6 +
sound/pci/asihpi/hpimsgx.c | 6 +-
sound/pci/ctxfi/ctatc.c | 3 +-
sound/pci/ctxfi/ctvmem.h | 2 +-
sound/pci/hda/patch_conexant.c | 34 +-
sound/pci/hda/patch_realtek.c | 8 +-
sound/soc/amd/yc/acp6x-mach.c | 35 +
sound/soc/codecs/ab8500-codec.c | 6 +-
sound/soc/fsl/fsl_easrc.c | 125 +++-
sound/soc/fsl/fsl_micfil.c | 28 +-
sound/soc/fsl/fsl_xcvr.c | 22 +-
sound/soc/intel/boards/bytcr_wm5102.c | 1 +
sound/soc/qcom/qdsp6/q6apm-dai.c | 1 +
sound/soc/qcom/qdsp6/q6apm-lpass-dais.c | 2 +-
sound/soc/qcom/qdsp6/q6apm.c | 17 +-
sound/soc/qcom/qdsp6/q6core.c | 4 +-
sound/soc/qcom/qdsp6/topology.c | 8 +-
sound/soc/soc-core.c | 1 +
sound/soc/sof/amd/acp-common.c | 1 +
sound/soc/sof/amd/acp-ipc.c | 34 +-
sound/soc/sof/amd/acp.h | 7 +-
sound/soc/sof/compress.c | 11 +-
sound/soc/sof/intel/hda-ipc.c | 8 +-
sound/soc/sof/intel/hda.h | 4 +-
sound/soc/sof/ipc3-pcm.c | 3 +-
sound/soc/sof/ipc3.c | 4 +-
sound/soc/sof/mediatek/mt8186/mt8186.c | 2 +-
sound/soc/sof/mediatek/mt8195/mt8195.c | 2 +-
sound/soc/sof/ops.h | 8 +-
sound/soc/sof/pcm.c | 2 +
sound/soc/sof/sof-priv.h | 13 +-
sound/soc/sof/stream-ipc.c | 57 +-
sound/soc/sof/topology.c | 2 +-
sound/soc/sti/uniperif_player.c | 9 +-
sound/soc/stm/stm32_sai_sub.c | 3 +
sound/usb/6fire/chip.c | 17 +-
sound/usb/6fire/control.c | 10 +-
sound/usb/caiaq/control.c | 52 +-
sound/usb/caiaq/device.c | 39 +-
sound/usb/caiaq/input.c | 2 +-
sound/usb/endpoint.c | 6 +-
sound/usb/format.c | 88 ++-
sound/usb/midi.c | 21 +-
sound/usb/misc/ua101.c | 12 +-
sound/usb/mixer.c | 14 +-
sound/usb/mixer_quirks.c | 12 +-
sound/usb/mixer_scarlett2.c | 2 +-
sound/usb/quirks.c | 4 +-
sound/usb/stream.c | 62 +-
sound/usb/stream.h | 3 +-
tools/accounting/getdelays.c | 41 +-
tools/accounting/procacct.c | 40 +-
tools/include/uapi/linux/bpf.h | 2 +
tools/lib/bpf/relo_core.c | 2 +
tools/perf/util/branch.h | 3 +
tools/perf/util/cs-etm-decoder/cs-etm-decoder.c | 51 +-
tools/perf/util/expr.c | 3 +-
tools/perf/util/util.h | 1 -
tools/testing/ktest/ktest.pl | 37 +-
tools/testing/selftests/bpf/prog_tests/snprintf.c | 3 +-
tools/testing/selftests/cgroup/test_memcontrol.c | 11 +-
.../testing/selftests/mqueue/{setting => settings} | 0
.../selftests/net/forwarding/bridge_vlan_mcast.sh | 1 +
tools/testing/selftests/vm/migration.c | 3 +-
virt/kvm/dirty_ring.c | 3 +-
867 files changed, 9112 insertions(+), 4400 deletions(-)
* [PATCH 6.1 001/969] ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK BM1403CDA
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 002/969] ALSA: hda/realtek: Add HP ENVY Laptop 13-ba0xxx quirk Greg Kroah-Hartman
` (974 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vee Satayamas, Zhang Heng,
Mark Brown, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vee Satayamas <vsatayamas@gmail.com>
[ Upstream commit f200b2f9a810c440c6750b56fc647b73337749a1 ]
Add a DMI quirk for the Asus Expertbook BM1403CDA to resolve the issue of the
internal microphone not being detected.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=221236
Signed-off-by: Vee Satayamas <vsatayamas@gmail.com>
Reviewed-by: Zhang Heng <zhangheng@kylinos.cn>
Link: https://patch.msgid.link/20260315142511.66029-2-vsatayamas@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c
index 991f8777cc859..be510328c5a0c 100644
--- a/sound/soc/amd/yc/acp6x-mach.c
+++ b/sound/soc/amd/yc/acp6x-mach.c
@@ -563,6 +563,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = {
DMI_MATCH(DMI_BOARD_NAME, "PM1503CDA"),
}
},
+ {
+ .driver_data = &acp6x_card,
+ .matches = {
+ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC."),
+ DMI_MATCH(DMI_BOARD_NAME, "BM1403CDA"),
+ }
+ },
{}
};
--
2.53.0
* [PATCH 6.1 002/969] ALSA: hda/realtek: Add HP ENVY Laptop 13-ba0xxx quirk
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrii Kovalchuk, Takashi Iwai,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrii Kovalchuk <coderpy4@proton.me>
[ Upstream commit 793b008cd39516385791a1d1d223d817e947a471 ]
Add a PCI quirk for HP ENVY Laptop 13-ba0xxx (PCI device ID 0x8756)
to enable proper mute LED and mic mute behavior using the
ALC245_FIXUP_HP_X360_MUTE_LEDS fixup.
Signed-off-by: Andrii Kovalchuk <coderpy4@proton.me>
Link: https://patch.msgid.link/u0s-uRVegF9BN0t-4JnOUwsIAR-mVc4U4FJfJHdEHX7ro_laErHD9y35NebWybcN16gVaVHPJo1ap3AoJ1a2gqJImPvThgeNt_SYVY1KaDw=@proton.me
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/patch_realtek.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
index 9d6b3a6b8ed26..6048ad6319e3b 100644
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -9938,6 +9938,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
SND_PCI_QUIRK(0x103c, 0x8730, "HP ProBook 445 G7", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
SND_PCI_QUIRK(0x103c, 0x8735, "HP ProBook 435 G7", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
SND_PCI_QUIRK(0x103c, 0x8736, "HP", ALC285_FIXUP_HP_GPIO_AMP_INIT),
+ SND_PCI_QUIRK(0x103c, 0x8756, "HP ENVY Laptop 13-ba0xxx", ALC245_FIXUP_HP_X360_MUTE_LEDS),
SND_PCI_QUIRK(0x103c, 0x8760, "HP EliteBook 8{4,5}5 G7", ALC285_FIXUP_HP_BEEP_MICMUTE_LED),
SND_PCI_QUIRK(0x103c, 0x876e, "HP ENVY x360 Convertible 13-ay0xxx", ALC245_FIXUP_HP_X360_MUTE_LEDS),
SND_PCI_QUIRK(0x103c, 0x877a, "HP", ALC285_FIXUP_HP_MUTE_LED),
--
2.53.0
* [PATCH 6.1 003/969] media: rkvdec: reduce stack usage in rkvdec_init_v4l2_vp9_count_tbl()
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Nicolas Dufresne,
Mauro Carvalho Chehab, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit c03b7dec3c4ddc97872fa12bfca75bae9cb46510 ]
The deeply nested loop in rkvdec_init_v4l2_vp9_count_tbl() needs a lot
of registers, so when the clang register allocator runs out, it ends up
spilling countless temporaries to the stack:
drivers/media/platform/rockchip/rkvdec/rkvdec-vp9.c:966:12: error: stack frame size (1472) exceeds limit (1280) in 'rkvdec_vp9_start' [-Werror,-Wframe-larger-than]
Marking this function as noinline_for_stack keeps it out of
rkvdec_vp9_start(), giving the compiler more room for optimization.
The resulting code is good enough that both the total stack usage
and the loop get enough better to stay under the warning limit,
though it's still slow, and would need a larger rework if this
function ends up being called in a fast path.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/staging/media/rkvdec/rkvdec-vp9.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/media/rkvdec/rkvdec-vp9.c b/drivers/staging/media/rkvdec/rkvdec-vp9.c
index cfae99b40ccb4..dc3e6354c7974 100644
--- a/drivers/staging/media/rkvdec/rkvdec-vp9.c
+++ b/drivers/staging/media/rkvdec/rkvdec-vp9.c
@@ -924,7 +924,8 @@ static void rkvdec_vp9_done(struct rkvdec_ctx *ctx,
update_ctx_last_info(vp9_ctx);
}
-static void rkvdec_init_v4l2_vp9_count_tbl(struct rkvdec_ctx *ctx)
+static noinline_for_stack void
+rkvdec_init_v4l2_vp9_count_tbl(struct rkvdec_ctx *ctx)
{
struct rkvdec_vp9_ctx *vp9_ctx = ctx->priv;
struct rkvdec_vp9_intra_frame_symbol_counts *intra_cnts = vp9_ctx->count_tbl.cpu;
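Review bot: the new noinline_for_stack annotation on rkvdec_init_v4l2_vp9_count_tbl() has no comment saying why it is there, so a later cleanup could drop it and bring the frame-size warning back. A one-line comment above the function, naming the clang stack-frame limit hit in rkvdec_vp9_start(), would keep the reason next to the code. Separately, the commit message quotes the warning at drivers/media/platform/rockchip/rkvdec/rkvdec-vp9.c while this diff touches drivers/staging/media/rkvdec/rkvdec-vp9.c; a short backport note on the path difference would help.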
--
2.53.0
* [PATCH 6.1 004/969] ALSA: asihpi: avoid write overflow check warning
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Takashi Iwai,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit 591721223be9e28f83489a59289579493b8e3d83 ]
clang-22 rightfully warns that the memcpy() in adapter_prepare() copies
between different structures, crossing the boundary of nested
structures inside it:
In file included from sound/pci/asihpi/hpimsgx.c:13:
In file included from include/linux/string.h:386:
include/linux/fortify-string.h:569:4: error: call to '__write_overflow_field' declared with 'warning' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror,-Wattribute-warning]
569 | __write_overflow_field(p_size_field, size);
The two structures seem to refer to the same layout, despite the
separate definitions, so the code is in fact correct.
Avoid the warning by copying the two inner structures separately.
I see the same pattern happens in other functions in the same file,
so there is a chance that this may come back in the future, but
this instance is the only one that I saw in practice, hitting it
multiple times per day in randconfig build.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Link: https://patch.msgid.link/20260318124016.3488566-1-arnd@kernel.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/asihpi/hpimsgx.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/sound/pci/asihpi/hpimsgx.c b/sound/pci/asihpi/hpimsgx.c
index b68e6bfbbfbab..ed1c7b7744361 100644
--- a/sound/pci/asihpi/hpimsgx.c
+++ b/sound/pci/asihpi/hpimsgx.c
@@ -581,8 +581,10 @@ static u16 adapter_prepare(u16 adapter)
HPI_ADAPTER_OPEN);
hm.adapter_index = adapter;
hw_entry_point(&hm, &hr);
- memcpy(&rESP_HPI_ADAPTER_OPEN[adapter], &hr,
- sizeof(rESP_HPI_ADAPTER_OPEN[0]));
+ memcpy(&rESP_HPI_ADAPTER_OPEN[adapter].h, &hr,
+ sizeof(rESP_HPI_ADAPTER_OPEN[adapter].h));
+ memcpy(&rESP_HPI_ADAPTER_OPEN[adapter].a, &hr.u.ax.info,
+ sizeof(rESP_HPI_ADAPTER_OPEN[adapter].a));
if (hr.error)
return hr.error;
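Review bot: both new memcpy() calls in adapter_prepare() size the copy by the destination field (.h and .a) and assume that the source, &hr and &hr.u.ax.info, has the same layout and is at least that large; nothing in the hunk enforces it. The commit message itself says the two structures only "seem to refer to the same layout", so a static_assert() or BUILD_BUG_ON() comparing sizeof(rESP_HPI_ADAPTER_OPEN[0].a) with sizeof(hr.u.ax.info) would turn that assumption into a build-time check. The copies also still run before the hr.error test, as they did before the change.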
--
2.53.0
* [PATCH 6.1 005/969] ASoC: amd: yc: Add DMI quirk for Thin A15 B7VF
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zhang Heng, Mark Brown, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Heng <zhangheng@kylinos.cn>
[ Upstream commit 1f182ec9d7084db7dfdb2372d453c28f0e5c3f0a ]
Add a DMI quirk for the Thin A15 B7VF fixing the issue where
the internal microphone was not detected.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=220833
Signed-off-by: Zhang Heng <zhangheng@kylinos.cn>
Link: https://patch.msgid.link/20260316080218.2931304-1-zhangheng@kylinos.cn
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c
index be510328c5a0c..d650091d3f302 100644
--- a/sound/soc/amd/yc/acp6x-mach.c
+++ b/sound/soc/amd/yc/acp6x-mach.c
@@ -570,6 +570,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = {
DMI_MATCH(DMI_BOARD_NAME, "BM1403CDA"),
}
},
+ {
+ .driver_data = &acp6x_card,
+ .matches = {
+ DMI_MATCH(DMI_BOARD_VENDOR, "Micro-Star International Co., Ltd."),
+ DMI_MATCH(DMI_PRODUCT_NAME, "Thin A15 B7VE"),
+ }
+ },
{}
};
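Review bot: the DMI_PRODUCT_NAME string in the added entry is "Thin A15 B7VE", but the subject and commit message name the Thin A15 B7VF. DMI_MATCH does a substring comparison, so "B7VE" will not match a product name ending in "B7VF"; confirm which string the affected machine reports (for example from /sys/class/dmi/id/product_name) and make the subject and the table entry agree.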
--
2.53.0
* [PATCH 6.1 006/969] ASoC: SOF: topology: reject invalid vendor array size in token parser
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Peter Ujfalusi,
Mark Brown, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
[ Upstream commit 215e5fe75881a7e2425df04aeeed47a903d5cd5d ]
sof_parse_token_sets() accepts array->size values that can be invalid
for a vendor tuple array header. In particular, a zero size does not
advance the parser state and can lead to non-progress parsing on
malformed topology data.
Validate array->size against the minimum header size and reject values
smaller than sizeof(*array) before parsing. This preserves behavior for
valid topologies and hardens malformed-input handling.
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Acked-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Link: https://patch.msgid.link/20260319-sof-topology-array-size-fix-v1-1-f9191b16b1b7@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/sof/topology.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c
index 374c8b1d69584..d803111e36385 100644
--- a/sound/soc/sof/topology.c
+++ b/sound/soc/sof/topology.c
@@ -678,7 +678,7 @@ static int sof_parse_token_sets(struct snd_soc_component *scomp,
asize = le32_to_cpu(array->size);
/* validate asize */
- if (asize < 0) { /* FIXME: A zero-size array makes no sense */
+ if (asize < sizeof(*array)) {
dev_err(scomp->dev, "error: invalid array size 0x%x\n",
asize);
return -EINVAL;
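Review bot: the new test compares asize against sizeof(*array), which is a size_t, so if asize is a signed int (as the removed asize < 0 test suggests) a negative value is converted to a large unsigned number and passes the check. Either keep an explicit asize < 0 rejection or make asize unsigned, and confirm that the code after this hunk also bounds asize against the remaining topology data, since only the lower bound is visible here.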
--
2.53.0
* [PATCH 6.1 007/969] can: mcp251x: add error handling for power enable in open and resume
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wenyuan Li, Marc Kleine-Budde,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wenyuan Li <2063309626@qq.com>
[ Upstream commit 7a57354756c7df223abe2c33774235ad70cb4231 ]
Add missing error handling for mcp251x_power_enable() calls in both
mcp251x_open() and mcp251x_can_resume() functions.
In mcp251x_open(), if power enable fails, jump to error path to close
candev without attempting to disable power again.
In mcp251x_can_resume(), properly check return values of power enable calls
for both power and transceiver regulators. If any fails, return the error
code to the PM framework and log the failure.
This ensures the driver properly handles power control failures and
maintains correct device state.
Signed-off-by: Wenyuan Li <2063309626@qq.com>
Link: https://patch.msgid.link/tencent_F3EFC5D7738AC548857B91657715E2D3AA06@qq.com
[mkl: fix patch description]
[mkl: mcp251x_can_resume(): replace goto by return]
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/can/spi/mcp251x.c | 29 ++++++++++++++++++++++++-----
1 file changed, 24 insertions(+), 5 deletions(-)
diff --git a/drivers/net/can/spi/mcp251x.c b/drivers/net/can/spi/mcp251x.c
index 72ae17b2313ec..d3ffab297b77b 100644
--- a/drivers/net/can/spi/mcp251x.c
+++ b/drivers/net/can/spi/mcp251x.c
@@ -1213,7 +1213,11 @@ static int mcp251x_open(struct net_device *net)
}
mutex_lock(&priv->mcp_lock);
- mcp251x_power_enable(priv->transceiver, 1);
+ ret = mcp251x_power_enable(priv->transceiver, 1);
+ if (ret) {
+ dev_err(&spi->dev, "failed to enable transceiver power: %pe\n", ERR_PTR(ret));
+ goto out_close_candev;
+ }
priv->force_quit = 0;
priv->tx_skb = NULL;
@@ -1260,6 +1264,7 @@ static int mcp251x_open(struct net_device *net)
mcp251x_hw_sleep(spi);
out_close:
mcp251x_power_enable(priv->transceiver, 0);
+out_close_candev:
close_candev(net);
mutex_unlock(&priv->mcp_lock);
if (release_irq)
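Review bot: out_close_candev is placed so that the failed power-enable path skips mcp251x_power_enable(priv->transceiver, 0), but nothing at the label says so, and the next person to add an error path has to work out which of out_close and out_close_candev to use. A short comment at the label, for example that it is for failures before the transceiver was powered, would make the unwind order explicit.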
@@ -1499,11 +1504,25 @@ static int __maybe_unused mcp251x_can_resume(struct device *dev)
{
struct spi_device *spi = to_spi_device(dev);
struct mcp251x_priv *priv = spi_get_drvdata(spi);
+ int ret = 0;
- if (priv->after_suspend & AFTER_SUSPEND_POWER)
- mcp251x_power_enable(priv->power, 1);
- if (priv->after_suspend & AFTER_SUSPEND_UP)
- mcp251x_power_enable(priv->transceiver, 1);
+ if (priv->after_suspend & AFTER_SUSPEND_POWER) {
+ ret = mcp251x_power_enable(priv->power, 1);
+ if (ret) {
+ dev_err(dev, "failed to restore power: %pe\n", ERR_PTR(ret));
+ return ret;
+ }
+ }
+
+ if (priv->after_suspend & AFTER_SUSPEND_UP) {
+ ret = mcp251x_power_enable(priv->transceiver, 1);
+ if (ret) {
+ dev_err(dev, "failed to restore transceiver power: %pe\n", ERR_PTR(ret));
+ if (priv->after_suspend & AFTER_SUSPEND_POWER)
+ mcp251x_power_enable(priv->power, 0);
+ return ret;
+ }
+ }
if (priv->after_suspend & (AFTER_SUSPEND_POWER | AFTER_SUSPEND_UP))
queue_work(priv->wq, &priv->restart_work);
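Review bot: in mcp251x_can_resume() the two early returns leave the function before the queue_work() call, and the hunk does not show priv->after_suspend being reset on those paths; check whether a stale AFTER_SUSPEND_* value can affect a later suspend/resume cycle. Minor: ret is assigned before every use, so the = 0 initializer is not needed, and the rollback call mcp251x_power_enable(priv->power, 0) in the transceiver branch ignores its return value, which deserves a comment if intentional.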
--
2.53.0
* [PATCH 6.1 008/969] btrfs: tracepoints: get correct superblock from dentry in event btrfs_sync_file()
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Boris Burkov, Goldwyn Rodrigues,
David Sterba, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Goldwyn Rodrigues <rgoldwyn@suse.de>
[ Upstream commit a85b46db143fda5869e7d8df8f258ccef5fa1719 ]
If overlay is used on top of btrfs, dentry->d_sb translates to overlay's
super block and fsid assignment will lead to a crash.
Use file_inode(file)->i_sb to always get btrfs_sb.
Reviewed-by: Boris Burkov <boris@bur.io>
Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/trace/events/btrfs.h | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/include/trace/events/btrfs.h b/include/trace/events/btrfs.h
index 31847ccae4936..8054ce54807de 100644
--- a/include/trace/events/btrfs.h
+++ b/include/trace/events/btrfs.h
@@ -760,12 +760,15 @@ TRACE_EVENT(btrfs_sync_file,
),
TP_fast_assign(
- const struct dentry *dentry = file->f_path.dentry;
- const struct inode *inode = d_inode(dentry);
+ struct dentry *dentry = file_dentry(file);
+ struct inode *inode = file_inode(file);
+ struct dentry *parent = dget_parent(dentry);
+ struct inode *parent_inode = d_inode(parent);
- TP_fast_assign_fsid(btrfs_sb(file->f_path.dentry->d_sb));
+ dput(parent);
+ TP_fast_assign_fsid(btrfs_sb(inode->i_sb));
__entry->ino = btrfs_ino(BTRFS_I(inode));
- __entry->parent = btrfs_ino(BTRFS_I(d_inode(dentry->d_parent)));
+ __entry->parent = btrfs_ino(BTRFS_I(parent_inode));
__entry->datasync = datasync;
__entry->root_objectid =
BTRFS_I(inode)->root->root_key.objectid;
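Review bot: dput(parent) is called before parent_inode is used in btrfs_ino(BTRFS_I(parent_inode)), so the inode pointer is dereferenced after the reference that was taken with dget_parent() has been dropped. Moving dput(parent) below the __entry->parent assignment keeps the reference held for the whole time the pointer is in use, and costs nothing.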
--
2.53.0
* [PATCH 6.1 009/969] ALSA: hda/realtek: Add mute LED quirk for HP Pavilion 15-eg0xxx
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, César Montoya, Takashi Iwai,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: César Montoya <sprit152009@gmail.com>
[ Upstream commit 2f388b4e8fdd6b0f27cafd281658daacfd85807e ]
The HP Pavilion 15-eg0xxx with subsystem ID 0x103c87cb uses a Realtek
ALC287 codec with a mute LED wired to GPIO pin 4 (mask 0x10). The
existing ALC287_FIXUP_HP_GPIO_LED fixup already handles this correctly,
but the subsystem ID was missing from the quirk table.
GPIO pin confirmed via manual hda-verb testing:
hda-verb SET_GPIO_MASK 0x10
hda-verb SET_GPIO_DIRECTION 0x10
hda-verb SET_GPIO_DATA 0x10
Signed-off-by: César Montoya <sprit152009@gmail.com>
Link: https://patch.msgid.link/20260321153603.12771-1-sprit152009@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/patch_realtek.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
index 6048ad6319e3b..6bffce599c961 100644
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -9952,6 +9952,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
SND_PCI_QUIRK(0x103c, 0x8788, "HP OMEN 15", ALC285_FIXUP_HP_MUTE_LED),
SND_PCI_QUIRK(0x103c, 0x87b7, "HP Laptop 14-fq0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2),
SND_PCI_QUIRK(0x103c, 0x87c8, "HP", ALC287_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87cb, "HP Pavilion 15-eg0xxx", ALC287_FIXUP_HP_GPIO_LED),
SND_PCI_QUIRK(0x103c, 0x87cc, "HP Pavilion 15-eg0xxx", ALC287_FIXUP_HP_GPIO_LED),
SND_PCI_QUIRK(0x103c, 0x87d3, "HP Laptop 15-gw0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2),
SND_PCI_QUIRK(0x103c, 0x87df, "HP ProBook 430 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
--
2.53.0
* [PATCH 6.1 010/969] netfilter: nft_set_pipapo_avx2: dont return non-matching entry on expiry
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Westphal, Stefano Brivio,
Pablo Neira Ayuso, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit d3c0037ffe1273fa1961e779ff6906234d6cf53c ]
New test case fails unexpectedly when avx2 matching functions are used.
The test first loads a randomly generated pipapo set
with 'ipv4 . port' key, i.e. nft -f foo.
This works. Then, it reloads the set after a flush:
(echo flush set t s; cat foo) | nft -f -
This is expected to work, because it's the same set after all and it was
already loaded once.
But with avx2, this fails: nft reports a clashing element.
The reported clash is of the following form:
We successfully re-inserted
a . b
c . d
Then we try to insert a . d
avx2 finds the already existing a . d, which (due to 'flush set') is marked
as invalid in the new generation. It skips the element and moves to next.
Due to incorrect masking, the skip-step finds the next matching
element *only considering the first field*,
i.e. we return the already reinserted "a . b", even though the
last field is different and the entry should not have been matched.
No such error is reported for the generic C implementation (no avx2) or when
the last field has to use the 'nft_pipapo_avx2_lookup_slow' fallback.
Bisection points to
7711f4bb4b36 ("netfilter: nft_set_pipapo: fix range overlap detection")
but that fix merely uncovers this bug.
Before this commit, the wrong element is returned, but erroneously
reported as a full, identical duplicate.
The root cause is a too early return in the avx2 match functions.
When we process the last field, we should continue to process data
until the entire input size has been consumed to make sure no stale
bits remain in the map.
Link: https://lore.kernel.org/netfilter-devel/20260321152506.037f68c0@elisabeth/
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_set_pipapo_avx2.c | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c
index be7c16c79f711..2a761a644d4da 100644
--- a/net/netfilter/nft_set_pipapo_avx2.c
+++ b/net/netfilter/nft_set_pipapo_avx2.c
@@ -242,7 +242,7 @@ static int nft_pipapo_avx2_lookup_4b_2(unsigned long *map, unsigned long *fill,
b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
if (last)
- return b;
+ ret = b;
if (unlikely(ret == -1))
ret = b / XSAVE_YMM_SIZE;
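Review bot: with return b replaced by ret = b, the last-field case now falls through to the if (unlikely(ret == -1)) test below it, so when last is set and nft_pipapo_avx2_refill() returns -1 the function ends up with ret = b / XSAVE_YMM_SIZE, which is 0 under C integer division instead of -1. If refill cannot return -1 at this point, a comment saying so would help; otherwise make the second test an else branch. The same applies to the identical change in the other lookup functions in this patch. Also, ret = b now runs on every iteration that reaches the refill, so a later chunk's result replaces an earlier one; confirm that is the intended result for the caller.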
@@ -319,7 +319,7 @@ static int nft_pipapo_avx2_lookup_4b_4(unsigned long *map, unsigned long *fill,
b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
if (last)
- return b;
+ ret = b;
if (unlikely(ret == -1))
ret = b / XSAVE_YMM_SIZE;
@@ -414,7 +414,7 @@ static int nft_pipapo_avx2_lookup_4b_8(unsigned long *map, unsigned long *fill,
b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
if (last)
- return b;
+ ret = b;
if (unlikely(ret == -1))
ret = b / XSAVE_YMM_SIZE;
@@ -505,7 +505,7 @@ static int nft_pipapo_avx2_lookup_4b_12(unsigned long *map, unsigned long *fill,
b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
if (last)
- return b;
+ ret = b;
if (unlikely(ret == -1))
ret = b / XSAVE_YMM_SIZE;
@@ -641,7 +641,7 @@ static int nft_pipapo_avx2_lookup_4b_32(unsigned long *map, unsigned long *fill,
b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
if (last)
- return b;
+ ret = b;
if (unlikely(ret == -1))
ret = b / XSAVE_YMM_SIZE;
@@ -699,7 +699,7 @@ static int nft_pipapo_avx2_lookup_8b_1(unsigned long *map, unsigned long *fill,
b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
if (last)
- return b;
+ ret = b;
if (unlikely(ret == -1))
ret = b / XSAVE_YMM_SIZE;
@@ -764,7 +764,7 @@ static int nft_pipapo_avx2_lookup_8b_2(unsigned long *map, unsigned long *fill,
b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
if (last)
- return b;
+ ret = b;
if (unlikely(ret == -1))
ret = b / XSAVE_YMM_SIZE;
@@ -839,7 +839,7 @@ static int nft_pipapo_avx2_lookup_8b_4(unsigned long *map, unsigned long *fill,
b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
if (last)
- return b;
+ ret = b;
if (unlikely(ret == -1))
ret = b / XSAVE_YMM_SIZE;
@@ -925,7 +925,7 @@ static int nft_pipapo_avx2_lookup_8b_6(unsigned long *map, unsigned long *fill,
b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
if (last)
- return b;
+ ret = b;
if (unlikely(ret == -1))
ret = b / XSAVE_YMM_SIZE;
@@ -1019,7 +1019,7 @@ static int nft_pipapo_avx2_lookup_8b_16(unsigned long *map, unsigned long *fill,
b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
if (last)
- return b;
+ ret = b;
if (unlikely(ret == -1))
ret = b / XSAVE_YMM_SIZE;
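Review bot: this is the tenth copy of the same three-line change, and none of them carries a comment explaining why the loop must keep running once last is set. The commit message gives the reason (the whole input has to be consumed so that no stale bits remain in the map); putting that in a comment at one of the sites, or folding the if (last) / ret == -1 pair into a shared helper macro, would keep the early return from being reintroduced.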
--
2.53.0
* [PATCH 6.1 011/969] ALSA: hda/realtek: add quirk for Framework F111:000F
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dustin L. Howett, Takashi Iwai,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dustin L. Howett <dustin@howett.net>
[ Upstream commit bac1e57adf08c9ee33e95fb09cd032f330294e70 ]
Similar to commit 7b509910b3ad ("ALSA hda/realtek: Add quirk for
Framework F111:000C") and previous quirks for Framework systems with
Realtek codecs.
000F is another new platform with an ALC285 which needs the same quirk.
Signed-off-by: Dustin L. Howett <dustin@howett.net>
Link: https://patch.msgid.link/20260327-framework-alsa-000f-v1-1-74013aba1c00@howett.net
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/patch_realtek.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
index 6bffce599c961..82de15e176746 100644
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -10474,6 +10474,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
SND_PCI_QUIRK(0xf111, 0x0009, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0xf111, 0x000b, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0xf111, 0x000c, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0xf111, 0x000f, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
#if 0
/* Below is a quirk table taken from the old code.
--
2.53.0
* [PATCH 6.1 012/969] wifi: wl1251: validate packet IDs before indexing tx_frames
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pengpeng Hou, Johannes Berg,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pengpeng Hou <pengpeng@iscas.ac.cn>
[ Upstream commit 0fd56fad9c56356e7fa7a7c52e7ecbf807a44eb0 ]
wl1251_tx_packet_cb() uses the firmware completion ID directly to index
the fixed 16-entry wl->tx_frames[] array. The ID is a raw u8 from the
completion block, and the callback does not currently verify that it
fits the array before dereferencing it.
Reject completion IDs that fall outside wl->tx_frames[] and keep the
existing NULL check in the same guard. This keeps the fix local to the
trust boundary and avoids touching the rest of the completion flow.
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Link: https://patch.msgid.link/20260323080845.40033-1-pengpeng@iscas.ac.cn
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ti/wl1251/tx.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/ti/wl1251/tx.c b/drivers/net/wireless/ti/wl1251/tx.c
index 06dc74cc6cb52..2b316c78eefc9 100644
--- a/drivers/net/wireless/ti/wl1251/tx.c
+++ b/drivers/net/wireless/ti/wl1251/tx.c
@@ -402,12 +402,14 @@ static void wl1251_tx_packet_cb(struct wl1251 *wl,
int hdrlen;
u8 *frame;
- skb = wl->tx_frames[result->id];
- if (skb == NULL) {
- wl1251_error("SKB for packet %d is NULL", result->id);
+ if (unlikely(result->id >= ARRAY_SIZE(wl->tx_frames) ||
+ wl->tx_frames[result->id] == NULL)) {
+ wl1251_error("invalid packet id %u", result->id);
return;
}
+ skb = wl->tx_frames[result->id];
+
info = IEEE80211_SKB_CB(skb);
if (!(info->flags & IEEE80211_TX_CTL_NO_ACK) &&
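Review bot: result->id is read three times in this hunk (the range check, the NULL check, and the later skb = wl->tx_frames[result->id] assignment), so the value that was validated is not guaranteed to be the value that is used if the completion block can change underneath the callback. Copy it once into a local u8, check and index with that local, and the guard and the assignment become a single lookup. The new "invalid packet id %u" message also no longer says whether the ID was out of range or the slot was empty; keeping the two cases distinguishable in the log text would help when triaging firmware misbehaviour.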
--
2.53.0
* [PATCH 6.1 013/969] ASoC: soc-core: call missing INIT_LIST_HEAD() for card_aux_list
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 012/969] wifi: wl1251: validate packet IDs before indexing tx_frames Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 014/969] ALSA: usb-audio: Fix quirk flags for NeuralDSP Quad Cortex Greg Kroah-Hartman
` (962 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuninori Morimoto, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
[ Upstream commit b9eff9732cb0f86a68c9d1592a98ceab47c01e95 ]
Component has "card_aux_list" which is added/deled in bind/unbind aux dev
function (A), and used in for_each_card_auxs() loop (B).
static void soc_unbind_aux_dev(...)
{
...
for_each_card_auxs_safe(...) {
...
(A) list_del(&component->card_aux_list);
} ^^^^^^^^^^^^^
}
static int soc_bind_aux_dev(...)
{
...
for_each_card_pre_auxs(...) {
...
(A) list_add(&component->card_aux_list, ...);
} ^^^^^^^^^^^^^
...
}
#define for_each_card_auxs(card, component) \
(B) list_for_each_entry(component, ..., card_aux_list)
^^^^^^^^^^^^^
But it has been used without calling INIT_LIST_HEAD().
> git grep card_aux_list sound/soc
sound/soc/soc-core.c: list_del(&component->card_aux_list);
sound/soc/soc-core.c: list_add(&component->card_aux_list, ...);
call missing INIT_LIST_HEAD() for it.
Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://patch.msgid.link/87341mxa8l.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/soc-core.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
index dfd58d9db7c1f..33c991e578629 100644
--- a/sound/soc/soc-core.c
+++ b/sound/soc/soc-core.c
@@ -2618,6 +2618,7 @@ int snd_soc_component_initialize(struct snd_soc_component *component,
INIT_LIST_HEAD(&component->dobj_list);
INIT_LIST_HEAD(&component->card_list);
INIT_LIST_HEAD(&component->list);
+ INIT_LIST_HEAD(&component->card_aux_list);
mutex_init(&component->io_mutex);
component->name = fmt_single_name(dev, &component->id);
--
2.53.0
* [PATCH 6.1 014/969] ALSA: usb-audio: Fix quirk flags for NeuralDSP Quad Cortex
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 013/969] ASoC: soc-core: call missing INIT_LIST_HEAD() for card_aux_list Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 015/969] fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath Greg Kroah-Hartman
` (961 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yue Wang, Jaroslav Kysela,
Takashi Iwai, Phil Willoughby, Takashi Iwai, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Phil Willoughby <willerz@gmail.com>
[ Upstream commit bc5b4e5ae1a67700a618328217b6a3bd0f296e97 ]
The NeuralDSP Quad Cortex does not support DSD playback. We need
this product-specific entry with zero quirks because otherwise it
falls through to the vendor-specific entry which marks it as
supporting DSD playback.
Cc: Yue Wang <yuleopen@gmail.com>
Cc: Jaroslav Kysela <perex@perex.cz>
Cc: Takashi Iwai <tiwai@suse.com>
Signed-off-by: Phil Willoughby <willerz@gmail.com>
Link: https://patch.msgid.link/20260328080921.3310-1-willerz@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/quirks.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
index 74828de545e22..23361e78189d0 100644
--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -2177,6 +2177,8 @@ static const struct usb_audio_quirk_flags_table quirk_flags_table[] = {
QUIRK_FLAG_PLAYBACK_FIRST | QUIRK_FLAG_GENERIC_IMPLICIT_FB),
DEVICE_FLG(0x13e5, 0x0001, /* Serato Phono */
QUIRK_FLAG_IGNORE_CTL_ERROR),
+ DEVICE_FLG(0x152a, 0x880a, /* NeuralDSP Quad Cortex */
+ 0), /* Doesn't have the vendor quirk which would otherwise apply */
DEVICE_FLG(0x154e, 0x1002, /* Denon DCD-1500RE */
QUIRK_FLAG_ITF_USB_DSD_DAC | QUIRK_FLAG_CTL_MSG_DELAY),
DEVICE_FLG(0x154e, 0x1003, /* Denon DA-300USB */
--
2.53.0
* [PATCH 6.1 015/969] fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 014/969] ALSA: usb-audio: Fix quirk flags for NeuralDSP Quad Cortex Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 016/969] ASoC: amd: yc: Add DMI entry for HP Laptop 15-fc0xxx Greg Kroah-Hartman
` (960 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fredric Cover, Steve French,
Sasha Levin, Henrique Carvalho
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fredric Cover <FredTheDude@proton.me>
[ Upstream commit 78ec5bf2f589ec7fd8f169394bfeca541b077317 ]
When cifs_sanitize_prepath is called with an empty string or a string
containing only delimiters (e.g., "/"), the current logic attempts to
check *(cursor2 - 1) before cursor2 has advanced. This results in an
out-of-bounds read.
This patch adds an early exit check after stripping prepended
delimiters. If no path content remains, the function returns NULL.
The bug was identified via manual audit and verified using a
standalone test case compiled with AddressSanitizer, which
triggered a SEGV on affected inputs.
Signed-off-by: Fredric Cover <FredTheDude@proton.me>
Reviewed-by: Henrique Carvalho <henrique.carvalho@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/client/fs_context.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c
index 9000299e98cb4..35f2c94aafd14 100644
--- a/fs/smb/client/fs_context.c
+++ b/fs/smb/client/fs_context.c
@@ -454,6 +454,10 @@ char *cifs_sanitize_prepath(char *prepath, gfp_t gfp)
while (IS_DELIM(*cursor1))
cursor1++;
+ /* exit in case of only delimiters */
+ if (!*cursor1)
+ return NULL;
+
/* copy the first letter */
*cursor2 = *cursor1;
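Review bot: the new return NULL after the delimiter-skipping loop makes NULL mean "nothing left to sanitize", while the gfp_t parameter in the signature suggests the function can also return NULL on allocation failure. A caller that translates a NULL return into -ENOMEM would then report an out-of-memory error for an input such as "/". Please confirm every caller handles the empty case, or document the dual meaning in the function comment. The placement of the check is right: it runs before *cursor2 = *cursor1, so nothing is copied or inspected once the input is exhausted.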
--
2.53.0
* [PATCH 6.1 016/969] ASoC: amd: yc: Add DMI entry for HP Laptop 15-fc0xxx
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 015/969] fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 017/969] pinctrl: intel: Fix the revision for new features (1kOhm PD, HW debouncer) Greg Kroah-Hartman
` (959 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gilson Marquato Júnior,
Mark Brown, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gilson Marquato Júnior <gilsonmandalogo@hotmail.com>
[ Upstream commit 8ec017cf31299c4b6287ebe27afe81c986aeef88 ]
The HP Laptop 15-fc0xxx (subsystem ID 0x103c8dc9) has an internal
DMIC connected to the AMD ACP6x audio coprocessor. Add a DMI quirk
entry so the internal microphone is properly detected on this model.
Tested on HP Laptop 15-fc0237ns with Fedora 43 (kernel 6.19.9).
Signed-off-by: Gilson Marquato Júnior <gilsonmandalogo@hotmail.com>
Link: https://patch.msgid.link/20260330-hp-15-fc0xxx-dmic-v2-v1-1-6dd6f53a1917@hotmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c
index d650091d3f302..c9bc2289d3661 100644
--- a/sound/soc/amd/yc/acp6x-mach.c
+++ b/sound/soc/amd/yc/acp6x-mach.c
@@ -45,6 +45,13 @@ static struct snd_soc_card acp6x_card = {
};
static const struct dmi_system_id yc_acp_quirk_table[] = {
+ {
+ .driver_data = &acp6x_card,
+ .matches = {
+ DMI_MATCH(DMI_BOARD_VENDOR, "HP"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "HP Laptop 15-fc0xxx"),
+ }
+ },
{
.driver_data = &acp6x_card,
.matches = {
--
2.53.0
* [PATCH 6.1 017/969] pinctrl: intel: Fix the revision for new features (1kOhm PD, HW debouncer)
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 016/969] ASoC: amd: yc: Add DMI entry for HP Laptop 15-fc0xxx Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 018/969] HID: quirks: add HID_QUIRK_ALWAYS_POLL for 8BitDo Pro 3 Greg Kroah-Hartman
` (958 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit a4337a24d13e9e3b98a113e71d6b80dc5ed5f8c4 ]
The 1kOhm pull down and hardware debouncer are features of the revision 0.92
of the Chassis specification. Fix that in the code accordingly.
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/intel/pinctrl-intel.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pinctrl/intel/pinctrl-intel.c b/drivers/pinctrl/intel/pinctrl-intel.c
index 8542053d4d6d0..2c357a69e0345 100644
--- a/drivers/pinctrl/intel/pinctrl-intel.c
+++ b/drivers/pinctrl/intel/pinctrl-intel.c
@@ -1547,7 +1547,7 @@ static int intel_pinctrl_probe(struct platform_device *pdev,
value = readl(regs + REVID);
if (value == ~0u)
return -ENODEV;
- if (((value & REVID_MASK) >> REVID_SHIFT) >= 0x94) {
+ if (((value & REVID_MASK) >> REVID_SHIFT) >= 0x92) {
community->features |= PINCTRL_FEATURE_DEBOUNCE;
community->features |= PINCTRL_FEATURE_1K_PD;
}
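Review bot: the REVID comparison changes from 0x94 to 0x92 as a bare literal, with nothing in the code tying it to revision 0.92 of the Chassis specification named in the commit message. A named constant or a short comment beside the comparison would keep the threshold from drifting again. For a stable backport, note that hardware reporting 0x92 or 0x93 starts to get PINCTRL_FEATURE_DEBOUNCE and PINCTRL_FEATURE_1K_PD with this change, so that is the population to test on.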
--
2.53.0
* [PATCH 6.1 018/969] HID: quirks: add HID_QUIRK_ALWAYS_POLL for 8BitDo Pro 3
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 017/969] pinctrl: intel: Fix the revision for new features (1kOhm PD, HW debouncer) Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 019/969] ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14IAH10 Greg Kroah-Hartman
` (957 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, leo vriska, Jiri Kosina, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: leo vriska <leo@60228.dev>
[ Upstream commit 532743944324a873bbaf8620fcabcd0e69e30c36 ]
According to a mailing list report [1], this controller's predecessor
has the same issue. However, it uses the xpad driver instead of HID, so
this quirk wouldn't apply.
[1]: https://lore.kernel.org/linux-input/unufo3$det$1@ciao.gmane.io/
Signed-off-by: leo vriska <leo@60228.dev>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-ids.h | 3 +++
drivers/hid/hid-quirks.c | 1 +
2 files changed, 4 insertions(+)
diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
index fd3198d4b7c5b..23adda52f6ef5 100644
--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -22,6 +22,9 @@
#define USB_DEVICE_ID_3M2256 0x0502
#define USB_DEVICE_ID_3M3266 0x0506
+#define USB_VENDOR_ID_8BITDO 0x2dc8
+#define USB_DEVICE_ID_8BITDO_PRO_3 0x6009
+
#define USB_VENDOR_ID_A4TECH 0x09da
#define USB_DEVICE_ID_A4TECH_WCP32PU 0x0006
#define USB_DEVICE_ID_A4TECH_X5_005D 0x000a
diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c
index 030ad260e7566..99fca77d16641 100644
--- a/drivers/hid/hid-quirks.c
+++ b/drivers/hid/hid-quirks.c
@@ -25,6 +25,7 @@
*/
static const struct hid_device_id hid_quirks[] = {
+ { HID_USB_DEVICE(USB_VENDOR_ID_8BITDO, USB_DEVICE_ID_8BITDO_PRO_3), HID_QUIRK_ALWAYS_POLL },
{ HID_USB_DEVICE(USB_VENDOR_ID_AASHIMA, USB_DEVICE_ID_AASHIMA_GAMEPAD), HID_QUIRK_BADPAD },
{ HID_USB_DEVICE(USB_VENDOR_ID_AASHIMA, USB_DEVICE_ID_AASHIMA_PREDATOR), HID_QUIRK_BADPAD },
{ HID_USB_DEVICE(USB_VENDOR_ID_ADATA_XPG, USB_VENDOR_ID_ADATA_XPG_WL_GAMING_MOUSE), HID_QUIRK_ALWAYS_POLL },
--
2.53.0
* [PATCH 6.1 019/969] ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14IAH10
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 018/969] HID: quirks: add HID_QUIRK_ALWAYS_POLL for 8BitDo Pro 3 Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 020/969] HID: roccat: fix use-after-free in roccat_report_event Greg Kroah-Hartman
` (956 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fernando Garcia Corona, songxiebing,
Takashi Iwai, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: songxiebing <songxiebing@kylinos.cn>
[ Upstream commit f0541edb2e7333f320642c7b491a67912c1f65db ]
The bass speakers are not working, and add the following entry
in /etc/modprobe.d/snd.conf:
options snd-sof-intel-hda-generic hda_model=alc287-yoga9-bass-spk-pin
Fixes the bass speakers.
So add the quirk ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN here.
Reported-by: Fernando Garcia Corona <fgarcor@gmail.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221317
Signed-off-by: songxiebing <songxiebing@kylinos.cn>
Link: https://patch.msgid.link/20260405012651.133838-1-songxiebing@kylinos.cn
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/patch_realtek.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
index 82de15e176746..0889dfd80fa44 100644
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -10396,6 +10396,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
SND_PCI_QUIRK(0x17aa, 0x3869, "Lenovo Yoga7 14IAL7", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN),
SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI),
SND_PCI_QUIRK(0x17aa, 0x390d, "Lenovo Yoga Pro 7 14ASP10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN),
+ SND_PCI_QUIRK(0x17aa, 0x3911, "Lenovo Yoga Pro 7 14IAH10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN),
SND_PCI_QUIRK(0x17aa, 0x3913, "Lenovo 145", ALC236_FIXUP_LENOVO_INV_DMIC),
SND_PCI_QUIRK(0x17aa, 0x3977, "IdeaPad S210", ALC283_FIXUP_INT_MIC),
SND_PCI_QUIRK(0x17aa, 0x3978, "Lenovo B50-70", ALC269_FIXUP_DMIC_THINKPAD_ACPI),
--
2.53.0
* [PATCH 6.1 020/969] HID: roccat: fix use-after-free in roccat_report_event
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 019/969] ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14IAH10 Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 021/969] ata: ahci: force 32-bit DMA for JMicron JMB582/JMB585 Greg Kroah-Hartman
` (955 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benoît Sevens, Silvan Jegen,
Jiri Kosina, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benoît Sevens <bsevens@google.com>
[ Upstream commit d802d848308b35220f21a8025352f0c0aba15c12 ]
roccat_report_event() iterates over the device->readers list without
holding the readers_lock. This allows a concurrent roccat_release() to
remove and free a reader while it's still being accessed, leading to a
use-after-free.
Protect the readers list traversal with the readers_lock mutex.
Signed-off-by: Benoît Sevens <bsevens@google.com>
Reviewed-by: Silvan Jegen <s.jegen@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-roccat.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/hid/hid-roccat.c b/drivers/hid/hid-roccat.c
index 6da80e442fdd1..420e4335c3e83 100644
--- a/drivers/hid/hid-roccat.c
+++ b/drivers/hid/hid-roccat.c
@@ -257,6 +257,7 @@ int roccat_report_event(int minor, u8 const *data)
if (!new_value)
return -ENOMEM;
+ mutex_lock(&device->readers_lock);
mutex_lock(&device->cbuf_lock);
report = &device->cbuf[device->cbuf_end];
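Review bot: readers_lock is now taken before cbuf_lock in roccat_report_event(), which fixes a nesting order for the two mutexes. Every other path that holds both must take them in the same order, otherwise the use-after-free is traded for an ABBA deadlock; the commit message names roccat_release() as the concurrent path, so that is the first one to check. A one-line comment at the mutex_lock() pair stating the order would make the rule visible to later changes.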
@@ -279,6 +280,7 @@ int roccat_report_event(int minor, u8 const *data)
}
mutex_unlock(&device->cbuf_lock);
+ mutex_unlock(&device->readers_lock);
wake_up_interruptible(&device->wait);
return 0;
--
2.53.0
* [PATCH 6.1 021/969] ata: ahci: force 32-bit DMA for JMicron JMB582/JMB585
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 020/969] HID: roccat: fix use-after-free in roccat_report_event Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 022/969] wifi: brcmfmac: validate bsscfg indices in IF events Greg Kroah-Hartman
` (954 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arthur Husband, Damien Le Moal,
Niklas Cassel, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arthur Husband <artmoty@gmail.com>
[ Upstream commit 105c42566a550e2d05fc14f763216a8765ee5d0e ]
The JMicron JMB585 (and JMB582) SATA controllers advertise 64-bit DMA
support via the S64A bit in the AHCI CAP register, but their 64-bit DMA
implementation is defective. Under sustained I/O, DMA transfers targeting
addresses above 4GB silently corrupt data -- writes land at incorrect
memory addresses with no errors logged.
The failure pattern is similar to the ASMedia ASM1061
(commit 20730e9b2778 ("ahci: add 43-bit DMA address quirk for ASMedia
ASM1061 controllers")), which also falsely advertised full 64-bit DMA
support. However, the JMB585 requires a stricter 32-bit DMA mask rather
than 43-bit, as corruption occurs with any address above 4GB.
On the Minisforum N5 Pro specifically, the combination of the JMB585's
broken 64-bit DMA with the AMD Family 1Ah (Strix Point) IOMMU causes
silent data corruption that is only detectable via checksumming
filesystems (BTRFS/ZFS scrub). The corruption occurs when 32-bit IOVA
space is exhausted and the kernel transparently switches to 64-bit DMA
addresses.
Add device-specific PCI ID entries for the JMB582 (0x0582) and JMB585
(0x0585) before the generic JMicron class match, using a new board type
that combines AHCI_HFLAG_IGN_IRQ_IF_ERR (preserving existing behavior)
with AHCI_HFLAG_32BIT_ONLY to force 32-bit DMA masks.
Signed-off-by: Arthur Husband <artmoty@gmail.com>
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ata/ahci.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
index a4b0a499b67d4..c9fbf824901e2 100644
--- a/drivers/ata/ahci.c
+++ b/drivers/ata/ahci.c
@@ -61,6 +61,7 @@ enum board_ids {
/* board IDs for specific chipsets in alphabetical order */
board_ahci_al,
board_ahci_avn,
+ board_ahci_jmb585,
board_ahci_mcp65,
board_ahci_mcp77,
board_ahci_mcp89,
@@ -200,6 +201,15 @@ static const struct ata_port_info ahci_port_info[] = {
.udma_mask = ATA_UDMA6,
.port_ops = &ahci_avn_ops,
},
+ /* JMicron JMB582/585: 64-bit DMA is broken, force 32-bit */
+ [board_ahci_jmb585] = {
+ AHCI_HFLAGS (AHCI_HFLAG_IGN_IRQ_IF_ERR |
+ AHCI_HFLAG_32BIT_ONLY),
+ .flags = AHCI_FLAG_COMMON,
+ .pio_mask = ATA_PIO4,
+ .udma_mask = ATA_UDMA6,
+ .port_ops = &ahci_ops,
+ },
[board_ahci_mcp65] = {
AHCI_HFLAGS (AHCI_HFLAG_NO_FPDMA_AA | AHCI_HFLAG_NO_PMP |
AHCI_HFLAG_YES_NCQ),
@@ -433,6 +443,10 @@ static const struct pci_device_id ahci_pci_tbl[] = {
/* Elkhart Lake IDs 0x4b60 & 0x4b62 https://sata-io.org/product/8803 not tested yet */
{ PCI_VDEVICE(INTEL, 0x4b63), board_ahci_low_power }, /* Elkhart Lake AHCI */
+ /* JMicron JMB582/585: force 32-bit DMA (broken 64-bit implementation) */
+ { PCI_VDEVICE(JMICRON, 0x0582), board_ahci_jmb585 },
+ { PCI_VDEVICE(JMICRON, 0x0585), board_ahci_jmb585 },
+
/* JMicron 360/1/3/5/6, match class to avoid IDE function */
{ PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci_ign_iferr },
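Review bot: the two PCI_VDEVICE(JMICRON, ...) entries only take effect because they sit above the generic PCI_VENDOR_ID_JMICRON class match that maps to board_ahci_ign_iferr, and the added comment does not say so. State the ordering requirement in the comment (for example "must precede the generic JMicron class match below") so that a later re-sort of the table does not silently drop the 32-bit DMA restriction and bring back the silent corruption described in the commit message.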
--
2.53.0
* [PATCH 6.1 022/969] wifi: brcmfmac: validate bsscfg indices in IF events
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 021/969] ata: ahci: force 32-bit DMA for JMicron JMB582/JMB585 Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 023/969] ASoC: stm32_sai: fix incorrect BCLK polarity for DSP_A/B, LEFT_J Greg Kroah-Hartman
` (953 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pengpeng Hou, Arend van Spriel,
Johannes Berg, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pengpeng Hou <pengpeng@iscas.ac.cn>
[ Upstream commit 304950a467d83678bd0b0f46331882e2ac23b12d ]
brcmf_fweh_handle_if_event() validates the firmware-provided interface
index before it touches drvr->iflist[], but it still uses the raw
bsscfgidx field as an array index without a matching range check.
Reject IF events whose bsscfg index does not fit in drvr->iflist[]
before indexing the interface array.
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Link: https://patch.msgid.link/20260323074551.93530-1-pengpeng@iscas.ac.cn
[add missing wifi prefix]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
index dac7eb77799bd..e6be192dc0af2 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
@@ -151,6 +151,11 @@ static void brcmf_fweh_handle_if_event(struct brcmf_pub *drvr,
bphy_err(drvr, "invalid interface index: %u\n", ifevent->ifidx);
return;
}
+ if (ifevent->bsscfgidx >= BRCMF_MAX_IFS) {
+ bphy_err(drvr, "invalid bsscfg index: %u\n",
+ ifevent->bsscfgidx);
+ return;
+ }
ifp = drvr->iflist[ifevent->bsscfgidx];
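Review bot: the new check compares ifevent->bsscfgidx against BRCMF_MAX_IFS, while the array actually indexed on the next line is drvr->iflist[]. If that array is declared with BRCMF_MAX_IFS entries the check is correct, but ARRAY_SIZE(drvr->iflist) would tie the bound to the array itself and keep the check valid if the declaration ever changes. The placement is right: it runs after the existing ifidx validation and before the first use of bsscfgidx as an index.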
--
2.53.0
* [PATCH 6.1 023/969] ASoC: stm32_sai: fix incorrect BCLK polarity for DSP_A/B, LEFT_J
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 022/969] wifi: brcmfmac: validate bsscfg indices in IF events Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 024/969] soc: aspeed: socinfo: Mask table entries for accurate SoC ID matching Greg Kroah-Hartman
` (952 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tomasz Merta, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Merta <tomasz.merta@arrow.com>
[ Upstream commit 0669631dbccd41cf3ca7aa70213fcd8bb41c4b38 ]
The STM32 SAI driver does not set the clock strobing bit (CKSTR) for DSP_A,
DSP_B and LEFT_J formats, causing data to be sampled on the wrong BCLK
edge when SND_SOC_DAIFMT_NB_NF is used.
Per ALSA convention, NB_NF requires sampling on the rising BCLK edge.
The STM32MP25 SAI reference manual states that CKSTR=1 is required for
signals received by the SAI to be sampled on the SCK rising edge.
Without setting CKSTR=1, the SAI samples on the falling edge, violating
the NB_NF convention. For comparison, the NXP FSL SAI driver correctly
sets FSL_SAI_CR2_BCP for DSP_A, DSP_B and LEFT_J, consistent with its
I2S handling.
This patch adds SAI_XCR1_CKSTR for DSP_A, DSP_B and LEFT_J in
stm32_sai_set_dai_fmt which was verified empirically with a cs47l35 codec.
RIGHT_J (LSB) is not investigated and addressed by this patch.
Note: the STM32 I2S driver (stm32_i2s_set_dai_fmt) may have the same issue
for DSP_A mode, as I2S_CGFR_CKPOL is not set. This has not been verified
and is left for a separate investigation.
Signed-off-by: Tomasz Merta <tommerta@gmail.com>
Link: https://patch.msgid.link/20260408084056.20588-1-tommerta@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/stm/stm32_sai_sub.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/sound/soc/stm/stm32_sai_sub.c b/sound/soc/stm/stm32_sai_sub.c
index 8653be3c206ea..927834b4123f5 100644
--- a/sound/soc/stm/stm32_sai_sub.c
+++ b/sound/soc/stm/stm32_sai_sub.c
@@ -669,6 +669,7 @@ static int stm32_sai_set_dai_fmt(struct snd_soc_dai *cpu_dai, unsigned int fmt)
break;
/* Left justified */
case SND_SOC_DAIFMT_MSB:
+ cr1 |= SAI_XCR1_CKSTR;
frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSDEF;
break;
/* Right justified */
@@ -676,9 +677,11 @@ static int stm32_sai_set_dai_fmt(struct snd_soc_dai *cpu_dai, unsigned int fmt)
frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSDEF;
break;
case SND_SOC_DAIFMT_DSP_A:
+ cr1 |= SAI_XCR1_CKSTR;
frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSOFF;
break;
case SND_SOC_DAIFMT_DSP_B:
+ cr1 |= SAI_XCR1_CKSTR;
frcr |= SAI_XFRCR_FSPOL;
break;
default:
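Review bot: after this change the left-justified, DSP_A and DSP_B cases set SAI_XCR1_CKSTR, while the right-justified case at the top of this hunk still sets only the frcr bits. The commit message says RIGHT_J was not investigated; a short comment in that case saying it is intentionally left without CKSTR would stop a reader from taking the asymmetry for an oversight.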
--
2.53.0
* [PATCH 6.1 024/969] soc: aspeed: socinfo: Mask table entries for accurate SoC ID matching
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 023/969] ASoC: stm32_sai: fix incorrect BCLK polarity for DSP_A/B, LEFT_J Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 025/969] arm64: dts: imx8mq: Set the correct gpu_ahb clock frequency Greg Kroah-Hartman
` (951 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Potin Lai, Andrew Jeffery,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Potin Lai <potin.lai.pt@gmail.com>
[ Upstream commit 7ec1bd3d9be671d04325b9e06149b8813f6a4836 ]
The siliconid_to_name() function currently masks the input silicon ID
with 0xff00ffff, but compares it against unmasked table entries. This
causes matching to fail if the table entries contain non-zero values in
the bits covered by the mask (bits 16-23).
Update the logic to apply the 0xff00ffff mask to the table entries
during comparison. This ensures that only the relevant model and
revision bits are considered, providing a consistent match across
different manufacturing batches.
[arj: Add Fixes: tag, fix 'soninfo' typo, clarify function reference]
Fixes: e0218dca5787 ("soc: aspeed: Add soc info driver")
Signed-off-by: Potin Lai <potin.lai.pt@gmail.com>
Link: https://patch.msgid.link/20260122-soc_aspeed_name_fix-v1-1-33a847f2581c@gmail.com
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/aspeed/aspeed-socinfo.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/soc/aspeed/aspeed-socinfo.c b/drivers/soc/aspeed/aspeed-socinfo.c
index 67e9ac3d08ecc..a90b100f4d101 100644
--- a/drivers/soc/aspeed/aspeed-socinfo.c
+++ b/drivers/soc/aspeed/aspeed-socinfo.c
@@ -39,7 +39,7 @@ static const char *siliconid_to_name(u32 siliconid)
unsigned int i;
for (i = 0 ; i < ARRAY_SIZE(rev_table) ; ++i) {
- if (rev_table[i].id == id)
+ if ((rev_table[i].id & 0xff00ffff) == id)
return rev_table[i].name;
}
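Review bot: the literal 0xff00ffff on the new comparison line has to match the mask that the commit message says is already applied to the input silicon ID, and nothing in the code forces the two to stay equal. Define the mask once (a macro or a local constant) and use it on both sides. Masking at lookup time also means two rev_table entries that differ only in bits 16-23 become indistinguishable and the first one wins, so the table should be checked for such pairs.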
--
2.53.0
* [PATCH 6.1 025/969] arm64: dts: imx8mq: Set the correct gpu_ahb clock frequency
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 024/969] soc: aspeed: socinfo: Mask table entries for accurate SoC ID matching Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 026/969] PCI: hv: Set default NUMA node to 0 for devices without affinity info Greg Kroah-Hartman
` (950 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Frank Li, Sebastian Krzyszkowiak,
Peng Fan, Fabio Estevam, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
[ Upstream commit 1f99b5d93d99ca17d50b386a674d0ce1f20932d8 ]
According to i.MX 8M Quad Reference Manual, GPU_AHB_CLK_ROOT's maximum
frequency is 400MHz.
Fixes: 45d2c84eb3a2 ("arm64: dts: imx8mq: add GPU node")
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Reviewed-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mq.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8mq.dtsi b/arch/arm64/boot/dts/freescale/imx8mq.dtsi
index e642cb7d54d77..25b0017eb7363 100644
--- a/arch/arm64/boot/dts/freescale/imx8mq.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mq.dtsi
@@ -1411,7 +1411,7 @@ gpu: gpu@38000000 {
<&clk IMX8MQ_GPU_PLL_OUT>,
<&clk IMX8MQ_GPU_PLL>;
assigned-clock-rates = <800000000>, <800000000>,
- <800000000>, <800000000>, <0>;
+ <800000000>, <400000000>, <0>;
power-domains = <&pgc_gpu>;
};
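Review bot: assigned-clock-rates is matched to assigned-clocks by position, and the assigned-clocks list that would identify the fourth entry as the gpu_ahb clock is above the visible context, so this one-number change cannot be verified from the hunk alone. Please say in the changelog which position is being changed, and confirm that 400000000 is reachable by an integer divider from the parent assigned to that slot, otherwise the clock framework will round to a different rate than the one written here.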
--
2.53.0
* [PATCH 6.1 026/969] PCI: hv: Set default NUMA node to 0 for devices without affinity info
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (24 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 025/969] arm64: dts: imx8mq: Set the correct gpu_ahb clock frequency Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 027/969] drm/vc4: Release runtime PM reference after binding V3D Greg Kroah-Hartman
` (949 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Long Li, Michael Kelley, Wei Liu,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Long Li <longli@microsoft.com>
[ Upstream commit 7b3b1e5a87b2f5e35c52b5386d7c327be869454f ]
When hv_pci_assign_numa_node() processes a device that does not have
HV_PCI_DEVICE_FLAG_NUMA_AFFINITY set or has an out-of-range
virtual_numa_node, the device NUMA node is left unset. On x86_64,
the uninitialized default happens to be 0, but on ARM64 it is
NUMA_NO_NODE (-1).
Tests show that when no NUMA information is available from the Hyper-V
host, devices perform best when assigned to node 0. With NUMA_NO_NODE
the kernel may spread work across NUMA nodes, which degrades
performance on Hyper-V, particularly for high-throughput devices like
MANA.
Always set the device NUMA node to 0 before the conditional NUMA
affinity check, so that devices get a performant default when the host
provides no NUMA information, and behavior is consistent on both
x86_64 and ARM64.
Fixes: 999dd956d838 ("PCI: hv: Add support for protocol 1.3 and support PCI_BUS_RELATIONS2")
Signed-off-by: Long Li <longli@microsoft.com>
Reviewed-by: Michael Kelley <mhklinux@outlook.com>
Signed-off-by: Wei Liu <wei.liu@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/pci-hyperv.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/pci/controller/pci-hyperv.c b/drivers/pci/controller/pci-hyperv.c
index 09491d06589ee..58430ca37bbdf 100644
--- a/drivers/pci/controller/pci-hyperv.c
+++ b/drivers/pci/controller/pci-hyperv.c
@@ -2291,6 +2291,14 @@ static void hv_pci_assign_numa_node(struct hv_pcibus_device *hbus)
if (!hv_dev)
continue;
+ /*
+ * If the Hyper-V host doesn't provide a NUMA node for the
+ * device, default to node 0. With NUMA_NO_NODE the kernel
+ * may spread work across NUMA nodes, which degrades
+ * performance on Hyper-V.
+ */
+ set_dev_node(&dev->dev, 0);
+
if (hv_dev->desc.flags & HV_PCI_DEVICE_FLAG_NUMA_AFFINITY &&
hv_dev->desc.virtual_numa_node < num_possible_nodes())
/*
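Review bot: set_dev_node(&dev->dev, 0) is now unconditional, but the comment above it reads as if it only runs when the host provides no NUMA node. Say that it is a default which the HV_PCI_DEVICE_FLAG_NUMA_AFFINITY branch below overrides, and that it also covers an out-of-range virtual_numa_node, as the changelog does. The literal 0 also assumes node 0 is usable on every guest; if that is not guaranteed, check it against the online node mask before assigning.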
--
2.53.0
* [PATCH 6.1 027/969] drm/vc4: Release runtime PM reference after binding V3D
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (25 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 026/969] PCI: hv: Set default NUMA node to 0 for devices without affinity info Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 028/969] drm/vc4: Fix memory leak of BO array in hang state Greg Kroah-Hartman
` (948 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Melissa Wen, Maíra Canal,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maíra Canal <mcanal@igalia.com>
[ Upstream commit aaefbdde9abdc43699e110679c0e10972a5e1c59 ]
The vc4_v3d_bind() function acquires a runtime PM reference via
pm_runtime_resume_and_get() to access V3D registers during setup.
However, this reference is never released after a successful bind.
This prevents the device from ever runtime suspending, since the
reference count never reaches zero.
Release the runtime PM reference by adding pm_runtime_put_autosuspend()
after autosuspend is configured, allowing the device to runtime suspend
after the delay.
Fixes: 266cff37d7fc ("drm/vc4: v3d: Rework the runtime_pm setup")
Reviewed-by: Melissa Wen <mwen@igalia.com>
Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-1-92defc940a29@igalia.com
Signed-off-by: Maíra Canal <mcanal@igalia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/vc4/vc4_v3d.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/vc4/vc4_v3d.c b/drivers/gpu/drm/vc4/vc4_v3d.c
index 56abb0d6bc39b..a39e6f8eff0a6 100644
--- a/drivers/gpu/drm/vc4/vc4_v3d.c
+++ b/drivers/gpu/drm/vc4/vc4_v3d.c
@@ -497,6 +497,7 @@ static int vc4_v3d_bind(struct device *dev, struct device *master, void *data)
pm_runtime_use_autosuspend(dev);
pm_runtime_set_autosuspend_delay(dev, 40); /* a little over 2 frames. */
+ pm_runtime_put_autosuspend(dev);
return 0;
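Review bot: pm_runtime_put_autosuspend(dev) is called without a preceding pm_runtime_mark_last_busy(dev), so whether the 40 ms delay set on the line above counts from the end of bind depends on whether this helper refreshes the last-busy timestamp in 6.1. If it does not in this tree, add the mark_last_busy call before the put. Also check that every error return between pm_runtime_resume_and_get() and this point, none of which is visible in the hunk, drops the reference too.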
--
2.53.0
* [PATCH 6.1 028/969] drm/vc4: Fix memory leak of BO array in hang state
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (26 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 027/969] drm/vc4: Release runtime PM reference after binding V3D Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 029/969] drm/vc4: Fix a memory leak in hang state error path Greg Kroah-Hartman
` (947 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Melissa Wen, Maíra Canal,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maíra Canal <mcanal@igalia.com>
[ Upstream commit f4dfd6847b3e5d24e336bca6057485116d17aea4 ]
The hang state's BO array is allocated separately with kzalloc() in
vc4_save_hang_state() but never freed in vc4_free_hang_state(). Add the
missing kfree() for the BO array before freeing the hang state struct.
Fixes: 214613656b51 ("drm/vc4: Add an interface for capturing the GPU state after a hang.")
Reviewed-by: Melissa Wen <mwen@igalia.com>
Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-2-92defc940a29@igalia.com
Signed-off-by: Maíra Canal <mcanal@igalia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/vc4/vc4_gem.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
index 628d40ff3aa1c..c446684a72183 100644
--- a/drivers/gpu/drm/vc4/vc4_gem.c
+++ b/drivers/gpu/drm/vc4/vc4_gem.c
@@ -60,6 +60,7 @@ vc4_free_hang_state(struct drm_device *dev, struct vc4_hang_state *state)
for (i = 0; i < state->user_state.bo_count; i++)
drm_gem_object_put(state->bo[i]);
+ kfree(state->bo);
kfree(state);
}
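Review bot: the changelog says the BO array is allocated with kzalloc(), while the allocation visible in the following patch's context for vc4_save_hang_state() is kcalloc(state->bo_count, sizeof(*kernel_state->bo), GFP_ATOMIC); fix the wording so the leak is easy to trace. Placing kfree(state->bo) after the loop is the right order, because the loop above still indexes state->bo[i].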
--
2.53.0
* [PATCH 6.1 029/969] drm/vc4: Fix a memory leak in hang state error path
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (27 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 028/969] drm/vc4: Fix memory leak of BO array in hang state Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 030/969] drm/vc4: Protect madv read in vc4_gem_object_mmap() with madv_lock Greg Kroah-Hartman
` (946 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Melissa Wen, Maíra Canal,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maíra Canal <mcanal@igalia.com>
[ Upstream commit 9525d169e5fd481538cf8c663cc5839e54f2e481 ]
When vc4_save_hang_state() encounters an early return condition, it
returns without freeing the previously allocated `kernel_state`,
leaking memory.
Add the missing kfree() calls by consolidating the early return paths
into a single place.
Fixes: 214613656b51 ("drm/vc4: Add an interface for capturing the GPU state after a hang.")
Reviewed-by: Melissa Wen <mwen@igalia.com>
Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-3-92defc940a29@igalia.com
Signed-off-by: Maíra Canal <mcanal@igalia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/vc4/vc4_gem.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
index c446684a72183..0d88226b17deb 100644
--- a/drivers/gpu/drm/vc4/vc4_gem.c
+++ b/drivers/gpu/drm/vc4/vc4_gem.c
@@ -169,10 +169,8 @@ vc4_save_hang_state(struct drm_device *dev)
spin_lock_irqsave(&vc4->job_lock, irqflags);
exec[0] = vc4_first_bin_job(vc4);
exec[1] = vc4_first_render_job(vc4);
- if (!exec[0] && !exec[1]) {
- spin_unlock_irqrestore(&vc4->job_lock, irqflags);
- return;
- }
+ if (!exec[0] && !exec[1])
+ goto err_free_state;
/* Get the bos from both binner and renderer into hang state. */
state->bo_count = 0;
@@ -189,10 +187,8 @@ vc4_save_hang_state(struct drm_device *dev)
kernel_state->bo = kcalloc(state->bo_count,
sizeof(*kernel_state->bo), GFP_ATOMIC);
- if (!kernel_state->bo) {
- spin_unlock_irqrestore(&vc4->job_lock, irqflags);
- return;
- }
+ if (!kernel_state->bo)
+ goto err_free_state;
k = 0;
for (i = 0; i < 2; i++) {
@@ -284,6 +280,12 @@ vc4_save_hang_state(struct drm_device *dev)
vc4->hang_state = kernel_state;
spin_unlock_irqrestore(&vc4->job_lock, irqflags);
}
+
+ return;
+
+err_free_state:
+ spin_unlock_irqrestore(&vc4->job_lock, irqflags);
+ kfree(kernel_state);
}
static void
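Review bot: err_free_state frees only kernel_state, which is correct today because both goto sites are reached while kernel_state->bo is still unset or NULL, but that relies on kernel_state being zero-allocated above the visible context and on no later goto being added after the kcalloc(). Adding kfree(kernel_state->bo) before kfree(kernel_state) costs nothing, since kfree(NULL) is a no-op, and keeps the label safe for future error paths. The bare return; just before the label would benefit from a short comment marking the end of the success path.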
--
2.53.0
* [PATCH 6.1 030/969] drm/vc4: Protect madv read in vc4_gem_object_mmap() with madv_lock
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (28 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 029/969] drm/vc4: Fix a memory leak in hang state error path Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 031/969] epoll: use refcount to reduce ep_mutex contention Greg Kroah-Hartman
` (945 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Melissa Wen, Maíra Canal,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maíra Canal <mcanal@igalia.com>
[ Upstream commit 338c56050d8e892604da97f67bfa8cc4015a955f ]
The mmap callback reads bo->madv without holding madv_lock, racing with
concurrent DRM_IOCTL_VC4_GEM_MADVISE calls that modify the field under
the same lock. Add the missing locking to prevent the data race.
Fixes: b9f19259b84d ("drm/vc4: Add the DRM_IOCTL_VC4_GEM_MADVISE ioctl")
Reviewed-by: Melissa Wen <mwen@igalia.com>
Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-4-92defc940a29@igalia.com
Signed-off-by: Maíra Canal <mcanal@igalia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/vc4/vc4_bo.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/gpu/drm/vc4/vc4_bo.c b/drivers/gpu/drm/vc4/vc4_bo.c
index ce0ea446bd707..9028a56dd12b8 100644
--- a/drivers/gpu/drm/vc4/vc4_bo.c
+++ b/drivers/gpu/drm/vc4/vc4_bo.c
@@ -738,12 +738,15 @@ static int vc4_gem_object_mmap(struct drm_gem_object *obj, struct vm_area_struct
return -EINVAL;
}
+ mutex_lock(&bo->madv_lock);
if (bo->madv != VC4_MADV_WILLNEED) {
DRM_DEBUG("mmaping of %s BO not allowed\n",
bo->madv == VC4_MADV_DONTNEED ?
"purgeable" : "purged");
+ mutex_unlock(&bo->madv_lock);
return -EINVAL;
}
+ mutex_unlock(&bo->madv_lock);
return drm_gem_dma_mmap(&bo->base, vma);
}
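Review bot: madv_lock is released before drm_gem_dma_mmap() is called, so a concurrent DRM_IOCTL_VC4_GEM_MADVISE can still change bo->madv between the check and the mapping; the lock removes the data race on the read but leaves a check-then-use window. Either hold the lock across the drm_gem_dma_mmap() call, if lock ordering allows it, or add a comment explaining why a stale WILLNEED result is acceptable here. Reading bo->madv into a local under the lock would also avoid having two unlock sites.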
--
2.53.0
* [PATCH 6.1 031/969] epoll: use refcount to reduce ep_mutex contention
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (29 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 030/969] drm/vc4: Protect madv read in vc4_gem_object_mmap() with madv_lock Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 032/969] eventpoll: defer struct eventpoll free to RCU grace period Greg Kroah-Hartman
` (944 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Eric Dumazet, Xiumei Mu,
Soheil Hassas Yeganeh, Davidlohr Bueso, Alexander Viro,
Carlos Maiolino, Christian Brauner, Eric Biggers, Jacob Keller,
Jens Axboe, Andrew Morton, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
[ Upstream commit 58c9b016e12855286370dfb704c08498edbc857a ]
We are observing huge contention on the epmutex during an http
connection/rate test:
83.17% 0.25% nginx [kernel.kallsyms] [k] entry_SYSCALL_64_after_hwframe
[...]
|--66.96%--__fput
|--60.04%--eventpoll_release_file
|--58.41%--__mutex_lock.isra.6
|--56.56%--osq_lock
The application is multi-threaded, creates a new epoll entry for
each incoming connection, and does not delete it before the
connection shutdown - that is, before the connection's fd close().
Many different threads compete frequently for the epmutex lock,
affecting the overall performance.
To reduce the contention this patch introduces explicit reference counting
for the eventpoll struct. Each registered event acquires a reference,
and references are released at ep_remove() time.
The eventpoll struct is released by whoever - among EP file close() and
the monitored file close() - drops its last reference.
Additionally, this introduces a new 'dying' flag to prevent races between
the EP file close() and the monitored file close().
ep_eventpoll_release() marks, under f_lock spinlock, each epitem as dying
before removing it, while EP file close() does not touch dying epitems.
The above is needed as both close operations could run concurrently and
drop the EP reference acquired via the epitem entry. Without the above
flag, the monitored file close() could reach the EP struct via the epitem
list while the epitem is still listed and then try to put it after its
disposal.
An alternative could be avoiding touching the references acquired via
the epitems at EP file close() time, but that could leave the EP struct
alive for potentially unlimited time after EP file close(), with nasty
side effects.
With all the above in place, we can drop the epmutex usage at disposal time.
Overall this produces a significant performance improvement in the
mentioned connection/rate scenario: the mutex operations disappear from
the topmost offenders in the perf report, and the measured connections/rate
grows by ~60%.
To make the change more readable this additionally renames ep_free() to
ep_clear_and_put(), and moves the actual memory cleanup in a separate
ep_free() helper.
Link: https://lkml.kernel.org/r/4a57788dcaf28f5eb4f8dfddcc3a8b172a7357bb.1679504153.git.pabeni@redhat.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Co-developed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Tested-by: Xiumei Mu <xmu@redhiat.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Reviewed-by: Davidlohr Bueso <dave@stgolabs.net>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Carlos Maiolino <cmaiolino@redhat.com>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Eric Biggers <ebiggers@kernel.org>
Cc: Jacob Keller <jacob.e.keller@intel.com>
Cc: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: 07712db80857 ("eventpoll: defer struct eventpoll free to RCU grace period")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/eventpoll.c | 195 +++++++++++++++++++++++++++++++------------------
1 file changed, 123 insertions(+), 72 deletions(-)
diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index 4c590e988d4a2..f20a35775cf66 100644
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -57,13 +57,7 @@
* we need a lock that will allow us to sleep. This lock is a
* mutex (ep->mtx). It is acquired during the event transfer loop,
* during epoll_ctl(EPOLL_CTL_DEL) and during eventpoll_release_file().
- * Then we also need a global mutex to serialize eventpoll_release_file()
- * and ep_free().
- * This mutex is acquired by ep_free() during the epoll file
- * cleanup path and it is also acquired by eventpoll_release_file()
- * if a file has been pushed inside an epoll set and it is then
- * close()d without a previous call to epoll_ctl(EPOLL_CTL_DEL).
- * It is also acquired when inserting an epoll fd onto another epoll
+ * The epmutex is acquired when inserting an epoll fd onto another epoll
* fd. We do this so that we walk the epoll tree and ensure that this
* insertion does not create a cycle of epoll file descriptors, which
* could lead to deadlock. We need a global mutex to prevent two
@@ -153,6 +147,13 @@ struct epitem {
/* The file descriptor information this item refers to */
struct epoll_filefd ffd;
+ /*
+ * Protected by file->f_lock, true for to-be-released epitem already
+ * removed from the "struct file" items list; together with
+ * eventpoll->refcount orchestrates "struct eventpoll" disposal
+ */
+ bool dying;
+
/* List containing poll wait queues */
struct eppoll_entry *pwqlist;
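Review bot: the new comment on dying says the flag is true for an epitem "already removed from the struct file items list", but eventpoll_release_file() in this same patch sets epi->dying = true while the epitem is still the first entry of file->f_ep and only unlinks it later through __ep_remove(). Reword the comment to say the flag marks an epitem claimed by the file-close path, so readers of __ep_remove() do not infer an invariant the code does not keep.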
@@ -218,6 +219,12 @@ struct eventpoll {
struct hlist_head refs;
u8 loop_check_depth;
+ /*
+ * usage count, used together with epitem->dying to
+ * orchestrate the disposal of this struct
+ */
+ refcount_t refcount;
+
#ifdef CONFIG_NET_RX_BUSY_POLL
/* used to track busy poll napi_id */
unsigned int napi_id;
@@ -241,9 +248,7 @@ struct ep_pqueue {
/* Maximum number of epoll watched descriptors, per user */
static long max_user_watches __read_mostly;
-/*
- * This mutex is used to serialize ep_free() and eventpoll_release_file().
- */
+/* Used for cycles detection */
static DEFINE_MUTEX(epmutex);
static u64 loop_check_gen = 0;
@@ -558,8 +563,7 @@ static void ep_remove_wait_queue(struct eppoll_entry *pwq)
/*
* This function unregisters poll callbacks from the associated file
- * descriptor. Must be called with "mtx" held (or "epmutex" if called from
- * ep_free).
+ * descriptor. Must be called with "mtx" held.
*/
static void ep_unregister_pollwait(struct eventpoll *ep, struct epitem *epi)
{
@@ -682,11 +686,40 @@ static void epi_rcu_free(struct rcu_head *head)
kmem_cache_free(epi_cache, epi);
}
+static void ep_get(struct eventpoll *ep)
+{
+ refcount_inc(&ep->refcount);
+}
+
+/*
+ * Returns true if the event poll can be disposed
+ */
+static bool ep_refcount_dec_and_test(struct eventpoll *ep)
+{
+ if (!refcount_dec_and_test(&ep->refcount))
+ return false;
+
+ WARN_ON_ONCE(!RB_EMPTY_ROOT(&ep->rbr.rb_root));
+ return true;
+}
+
+static void ep_free(struct eventpoll *ep)
+{
+ mutex_destroy(&ep->mtx);
+ free_uid(ep->user);
+ wakeup_source_unregister(ep->ws);
+ kfree(ep);
+}
+
/*
* Removes a "struct epitem" from the eventpoll RB tree and deallocates
* all the associated resources. Must be called with "mtx" held.
+ * If the dying flag is set, do the removal only if force is true.
+ * This prevents ep_clear_and_put() from dropping all the ep references
+ * while running concurrently with eventpoll_release_file().
+ * Returns true if the eventpoll can be disposed.
*/
-static int ep_remove(struct eventpoll *ep, struct epitem *epi)
+static bool __ep_remove(struct eventpoll *ep, struct epitem *epi, bool force)
{
struct file *file = epi->ffd.file;
struct epitems_head *to_free;
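Review bot: ep_refcount_dec_and_test() only warns when the RB tree is not empty and still returns true, so the caller goes on to ep_free() while epitems that point at this eventpoll remain in the tree. If the WARN_ON_ONCE is meant to catch a refcount imbalance, consider returning false on that path and accepting a leak, which is the choice ep_remove_safe() makes elsewhere in this patch. Note also that ep_free() here ends in a plain kfree(ep), which the next patch in the series changes, so the two need to land together.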
@@ -701,6 +734,11 @@ static int ep_remove(struct eventpoll *ep, struct epitem *epi)
/* Remove the current item from the list of epoll hooks */
spin_lock(&file->f_lock);
+ if (epi->dying && !force) {
+ spin_unlock(&file->f_lock);
+ return false;
+ }
+
to_free = NULL;
head = file->f_ep;
if (head->first == &epi->fllink && !epi->fllink.next) {
@@ -735,28 +773,28 @@ static int ep_remove(struct eventpoll *ep, struct epitem *epi)
call_rcu(&epi->rcu, epi_rcu_free);
percpu_counter_dec(&ep->user->epoll_watches);
+ return ep_refcount_dec_and_test(ep);
+}
- return 0;
+/*
+ * ep_remove variant for callers owing an additional reference to the ep
+ */
+static void ep_remove_safe(struct eventpoll *ep, struct epitem *epi)
+{
+ WARN_ON_ONCE(__ep_remove(ep, epi, false));
}
-static void ep_free(struct eventpoll *ep)
+static void ep_clear_and_put(struct eventpoll *ep)
{
- struct rb_node *rbp;
+ struct rb_node *rbp, *next;
struct epitem *epi;
+ bool dispose;
/* We need to release all tasks waiting for these file */
if (waitqueue_active(&ep->poll_wait))
ep_poll_safewake(ep, NULL, 0);
- /*
- * We need to lock this because we could be hit by
- * eventpoll_release_file() while we're freeing the "struct eventpoll".
- * We do not need to hold "ep->mtx" here because the epoll file
- * is on the way to be removed and no one has references to it
- * anymore. The only hit might come from eventpoll_release_file() but
- * holding "epmutex" is sufficient here.
- */
- mutex_lock(&epmutex);
+ mutex_lock(&ep->mtx);
/*
* Walks through the whole tree by unregistering poll callbacks.
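Review bot: ep_remove_safe() wraps __ep_remove() in WARN_ON_ONCE() and discards the result, so if the refcount ever does reach zero on this path nobody calls ep_free() and the eventpoll is leaked. That is the safer failure mode, but the comment should say it is intentional. The comment also has a typo, "owing" for "owning".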
@@ -769,26 +807,25 @@ static void ep_free(struct eventpoll *ep)
}
/*
- * Walks through the whole tree by freeing each "struct epitem". At this
- * point we are sure no poll callbacks will be lingering around, and also by
- * holding "epmutex" we can be sure that no file cleanup code will hit
- * us during this operation. So we can avoid the lock on "ep->lock".
- * We do not need to lock ep->mtx, either, we only do it to prevent
- * a lockdep warning.
+ * Walks through the whole tree and try to free each "struct epitem".
+ * Note that ep_remove_safe() will not remove the epitem in case of a
+ * racing eventpoll_release_file(); the latter will do the removal.
+ * At this point we are sure no poll callbacks will be lingering around.
+ * Since we still own a reference to the eventpoll struct, the loop can't
+ * dispose it.
*/
- mutex_lock(&ep->mtx);
- while ((rbp = rb_first_cached(&ep->rbr)) != NULL) {
+ for (rbp = rb_first_cached(&ep->rbr); rbp; rbp = next) {
+ next = rb_next(rbp);
epi = rb_entry(rbp, struct epitem, rbn);
- ep_remove(ep, epi);
+ ep_remove_safe(ep, epi);
cond_resched();
}
+
+ dispose = ep_refcount_dec_and_test(ep);
mutex_unlock(&ep->mtx);
- mutex_unlock(&epmutex);
- mutex_destroy(&ep->mtx);
- free_uid(ep->user);
- wakeup_source_unregister(ep->ws);
- kfree(ep);
+ if (dispose)
+ ep_free(ep);
}
static int ep_eventpoll_release(struct inode *inode, struct file *file)
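Review bot: dispose is computed under ep->mtx, but ep_free(), which runs mutex_destroy(&ep->mtx) and frees the struct, is called right after mutex_unlock(&ep->mtx), and eventpoll_release_file() follows the same pattern. The kernel's mutex documentation warns that mutex_unlock() may still access the mutex after another context has acquired it, so please state what guarantees that the other closer, which dropped its reference under this same mutex, has left mutex_unlock() before the last-reference holder frees ep. Capturing next = rb_next(rbp) before ep_remove_safe() is needed now that dying epitems can stay in the tree, and the comment above the loop should mention that.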
@@ -796,7 +833,7 @@ static int ep_eventpoll_release(struct inode *inode, struct file *file)
struct eventpoll *ep = file->private_data;
if (ep)
- ep_free(ep);
+ ep_clear_and_put(ep);
return 0;
}
@@ -944,33 +981,34 @@ void eventpoll_release_file(struct file *file)
{
struct eventpoll *ep;
struct epitem *epi;
- struct hlist_node *next;
+ bool dispose;
/*
- * We don't want to get "file->f_lock" because it is not
- * necessary. It is not necessary because we're in the "struct file"
- * cleanup path, and this means that no one is using this file anymore.
- * So, for example, epoll_ctl() cannot hit here since if we reach this
- * point, the file counter already went to zero and fget() would fail.
- * The only hit might come from ep_free() but by holding the mutex
- * will correctly serialize the operation. We do need to acquire
- * "ep->mtx" after "epmutex" because ep_remove() requires it when called
- * from anywhere but ep_free().
- *
- * Besides, ep_remove() acquires the lock, so we can't hold it here.
+ * Use the 'dying' flag to prevent a concurrent ep_clear_and_put() from
+ * touching the epitems list before eventpoll_release_file() can access
+ * the ep->mtx.
*/
- mutex_lock(&epmutex);
- if (unlikely(!file->f_ep)) {
- mutex_unlock(&epmutex);
- return;
- }
- hlist_for_each_entry_safe(epi, next, file->f_ep, fllink) {
+again:
+ spin_lock(&file->f_lock);
+ if (file->f_ep && file->f_ep->first) {
+ epi = hlist_entry(file->f_ep->first, struct epitem, fllink);
+ epi->dying = true;
+ spin_unlock(&file->f_lock);
+
+ /*
+ * ep access is safe as we still own a reference to the ep
+ * struct
+ */
ep = epi->ep;
- mutex_lock_nested(&ep->mtx, 0);
- ep_remove(ep, epi);
+ mutex_lock(&ep->mtx);
+ dispose = __ep_remove(ep, epi, true);
mutex_unlock(&ep->mtx);
+
+ if (dispose)
+ ep_free(ep);
+ goto again;
}
- mutex_unlock(&epmutex);
+ spin_unlock(&file->f_lock);
}
static int ep_alloc(struct eventpoll **pep)
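Review bot: the comment "ep access is safe as we still own a reference to the ep struct" does not say which reference it means. From the code it is the one held on behalf of epi, and it stays valid only because epi->dying was set under file->f_lock before the lock was dropped, which makes a concurrent ep_clear_and_put() skip this epitem. Spell that out, since the window between spin_unlock(&file->f_lock) and mutex_lock(&ep->mtx) is where this scheme is most fragile. The goto again loop would also read more naturally as a for (;;) with a break.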
@@ -993,6 +1031,7 @@ static int ep_alloc(struct eventpoll **pep)
ep->rbr = RB_ROOT_CACHED;
ep->ovflist = EP_UNACTIVE_PTR;
ep->user = user;
+ refcount_set(&ep->refcount, 1);
*pep = ep;
@@ -1177,10 +1216,10 @@ static int ep_poll_callback(wait_queue_entry_t *wait, unsigned mode, int sync, v
*/
list_del_init(&wait->entry);
/*
- * ->whead != NULL protects us from the race with ep_free()
- * or ep_remove(), ep_remove_wait_queue() takes whead->lock
- * held by the caller. Once we nullify it, nothing protects
- * ep/epi or even wait.
+ * ->whead != NULL protects us from the race with
+ * ep_clear_and_put() or ep_remove(), ep_remove_wait_queue()
+ * takes whead->lock held by the caller. Once we nullify it,
+ * nothing protects ep/epi or even wait.
*/
smp_store_release(&ep_pwq_from_wait(wait)->whead, NULL);
}
@@ -1451,16 +1490,22 @@ static int ep_insert(struct eventpoll *ep, const struct epoll_event *event,
if (tep)
mutex_unlock(&tep->mtx);
+ /*
+ * ep_remove_safe() calls in the later error paths can't lead to
+ * ep_free() as the ep file itself still holds an ep reference.
+ */
+ ep_get(ep);
+
/* now check if we've created too many backpaths */
if (unlikely(full_check && reverse_path_check())) {
- ep_remove(ep, epi);
+ ep_remove_safe(ep, epi);
return -EINVAL;
}
if (epi->event.events & EPOLLWAKEUP) {
error = ep_create_wakeup_source(epi);
if (error) {
- ep_remove(ep, epi);
+ ep_remove_safe(ep, epi);
return error;
}
}
@@ -1484,7 +1529,7 @@ static int ep_insert(struct eventpoll *ep, const struct epoll_event *event,
* high memory pressure.
*/
if (unlikely(!epq.epi)) {
- ep_remove(ep, epi);
+ ep_remove_safe(ep, epi);
return -ENOMEM;
}
@@ -2016,7 +2061,7 @@ static int do_epoll_create(int flags)
out_free_fd:
put_unused_fd(fd);
out_free_ep:
- ep_free(ep);
+ ep_clear_and_put(ep);
return error;
}
@@ -2158,10 +2203,16 @@ int do_epoll_ctl(int epfd, int op, int fd, struct epoll_event *epds,
error = -EEXIST;
break;
case EPOLL_CTL_DEL:
- if (epi)
- error = ep_remove(ep, epi);
- else
+ if (epi) {
+ /*
+ * The eventpoll itself is still alive: the refcount
+ * can't go to zero here.
+ */
+ ep_remove_safe(ep, epi);
+ error = 0;
+ } else {
error = -ENOENT;
+ }
break;
case EPOLL_CTL_MOD:
if (epi) {
--
2.53.0
* [PATCH 6.1 032/969] eventpoll: defer struct eventpoll free to RCU grace period
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (30 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 031/969] epoll: use refcount to reduce ep_mutex contention Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 033/969] net: sched: act_csum: validate nested VLAN headers Greg Kroah-Hartman
` (943 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nicholas Carlini, Christian Brauner,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicholas Carlini <nicholas@carlini.com>
[ Upstream commit 07712db80857d5d09ae08f3df85a708ecfc3b61f ]
In certain situations, ep_free() in eventpoll.c will kfree the epi->ep
eventpoll struct while it is still being used by another concurrent thread.
Defer the kfree() to an RCU callback to prevent UAF.
Fixes: f2e467a48287 ("eventpoll: Fix semi-unbounded recursion")
Signed-off-by: Nicholas Carlini <nicholas@carlini.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/eventpoll.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index f20a35775cf66..f6038819fe79f 100644
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -225,6 +225,9 @@ struct eventpoll {
*/
refcount_t refcount;
+ /* used to defer freeing past ep_get_upwards_depth_proc() RCU walk */
+ struct rcu_head rcu;
+
#ifdef CONFIG_NET_RX_BUSY_POLL
/* used to track busy poll napi_id */
unsigned int napi_id;
@@ -708,7 +711,8 @@ static void ep_free(struct eventpoll *ep)
mutex_destroy(&ep->mtx);
free_uid(ep->user);
wakeup_source_unregister(ep->ws);
- kfree(ep);
+ /* ep_get_upwards_depth_proc() may still hold epi->ep under RCU */
+ kfree_rcu(ep, rcu);
}
/*
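Review bot: only the final kfree() is deferred; mutex_destroy(&ep->mtx), free_uid(ep->user) and wakeup_source_unregister(ep->ws) still run immediately, so an RCU reader that reaches ep during the grace period sees a struct whose mutex, user and wakeup source are already torn down. The comment should list which fields ep_get_upwards_depth_proc() reads under RCU, so it is clear none of those three are among them. For the 6.1 backport, also confirm that the function named in both added comments exists in this tree, since it does not appear in the visible diff.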
--
2.53.0
* [PATCH 6.1 033/969] net: sched: act_csum: validate nested VLAN headers
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (31 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 032/969] eventpoll: defer struct eventpoll free to RCU grace period Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 034/969] net: lapbether: handle NETDEV_PRE_TYPE_CHANGE Greg Kroah-Hartman
` (942 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yifan Wu, Juefei Pu, Yuan Tan,
Xin Liu, Ren Wei, Ruide Cao, Ren Wei, Simon Horman,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ruide Cao <caoruide123@gmail.com>
[ Upstream commit c842743d073bdd683606cb414eb0ca84465dd834 ]
tcf_csum_act() walks nested VLAN headers directly from skb->data when an
skb still carries in-payload VLAN tags. The current code reads
vlan->h_vlan_encapsulated_proto and then pulls VLAN_HLEN bytes without
first ensuring that the full VLAN header is present in the linear area.
If only part of an inner VLAN header is linearized, accessing
h_vlan_encapsulated_proto reads past the linear area, and the following
skb_pull(VLAN_HLEN) may violate skb invariants.
Fix this by requiring pskb_may_pull(skb, VLAN_HLEN) before accessing and
pulling each nested VLAN header. If the header still is not fully
available, drop the packet through the existing error path.
Fixes: 2ecba2d1e45b ("net: sched: act_csum: Fix csum calc for tagged packets")
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Tested-by: Ren Wei <enjou1224z@gmail.com>
Signed-off-by: Ruide Cao <caoruide123@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/22df2fcb49f410203eafa5d97963dd36089f4ecf.1774892775.git.caoruide123@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/act_csum.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/net/sched/act_csum.c b/net/sched/act_csum.c
index 1366adf9b9091..bcef42a3ad645 100644
--- a/net/sched/act_csum.c
+++ b/net/sched/act_csum.c
@@ -602,8 +602,12 @@ static int tcf_csum_act(struct sk_buff *skb, const struct tc_action *a,
protocol = skb->protocol;
orig_vlan_tag_present = true;
} else {
- struct vlan_hdr *vlan = (struct vlan_hdr *)skb->data;
+ struct vlan_hdr *vlan;
+ if (!pskb_may_pull(skb, VLAN_HLEN))
+ goto drop;
+
+ vlan = (struct vlan_hdr *)skb->data;
protocol = vlan->h_vlan_encapsulated_proto;
skb_pull(skb, VLAN_HLEN);
skb_reset_network_header(skb);
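Review bot: In the else branch, vlan is assigned only after pskb_may_pull() succeeds, which is the ordering that matters because the pull can move skb->data; a short comment on the assignment saying so would keep a later cleanup from folding it back into the declaration. It is also worth confirming that the drop label is safe to reach once earlier nested headers have already been pulled with skb_pull(skb, VLAN_HLEN).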
--
2.53.0
* [PATCH 6.1 034/969] net: lapbether: handle NETDEV_PRE_TYPE_CHANGE
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 033/969] net: sched: act_csum: validate nested VLAN headers Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 035/969] ipv4: icmp: fix null-ptr-deref in icmp_build_probe() Greg Kroah-Hartman
` (941 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+d8c285748fa7292580a9,
Eric Dumazet, Martin Schiller, Simon Horman, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit b120e4432f9f56c7103133d6a11245e617695adb ]
lapbeth_data_transmit() expects the underlying device type
to be ARPHRD_ETHER.
Returning NOTIFY_BAD from lapbeth_device_event() makes sure
bonding driver can not break this expectation.
Fixes: 872254dd6b1f ("net/bonding: Enable bonding to enslave non ARPHRD_ETHER")
Reported-by: syzbot+d8c285748fa7292580a9@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/69cd22a1.050a0220.70c3a.0002.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Martin Schiller <ms@dev.tdt.de>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260402103519.1201565-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wan/lapbether.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/drivers/net/wan/lapbether.c b/drivers/net/wan/lapbether.c
index 56326f38fe8a3..da61716a66c46 100644
--- a/drivers/net/wan/lapbether.c
+++ b/drivers/net/wan/lapbether.c
@@ -444,33 +444,36 @@ static void lapbeth_free_device(struct lapbethdev *lapbeth)
static int lapbeth_device_event(struct notifier_block *this,
unsigned long event, void *ptr)
{
- struct lapbethdev *lapbeth;
struct net_device *dev = netdev_notifier_info_to_dev(ptr);
+ struct lapbethdev *lapbeth;
if (dev_net(dev) != &init_net)
return NOTIFY_DONE;
- if (!dev_is_ethdev(dev) && !lapbeth_get_x25_dev(dev))
+ lapbeth = lapbeth_get_x25_dev(dev);
+ if (!dev_is_ethdev(dev) && !lapbeth)
return NOTIFY_DONE;
switch (event) {
case NETDEV_UP:
/* New ethernet device -> new LAPB interface */
- if (!lapbeth_get_x25_dev(dev))
+ if (!lapbeth)
lapbeth_new_device(dev);
break;
case NETDEV_GOING_DOWN:
/* ethernet device closes -> close LAPB interface */
- lapbeth = lapbeth_get_x25_dev(dev);
if (lapbeth)
dev_close(lapbeth->axdev);
break;
case NETDEV_UNREGISTER:
/* ethernet device disappears -> remove LAPB interface */
- lapbeth = lapbeth_get_x25_dev(dev);
if (lapbeth)
lapbeth_free_device(lapbeth);
break;
+ case NETDEV_PRE_TYPE_CHANGE:
+ /* Our underlying device type must not change. */
+ if (lapbeth)
+ return NOTIFY_BAD;
}
return NOTIFY_DONE;
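Review bot: The new case NETDEV_PRE_TYPE_CHANGE has no break and falls out of the switch when lapbeth is NULL; that is harmless while it is the last case, but every other case in this switch ends in break, so add one here to keep a future case appended below from being entered by accident.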
--
2.53.0
* [PATCH 6.1 035/969] ipv4: icmp: fix null-ptr-deref in icmp_build_probe()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 034/969] net: lapbether: handle NETDEV_PRE_TYPE_CHANGE Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 036/969] nfc: s3fwrn5: allocate rx skb before consuming bytes Greg Kroah-Hartman
` (940 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yiqi Sun, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yiqi Sun <sunyiqixm@gmail.com>
[ Upstream commit fde29fd9349327acc50d19a0b5f3d5a6c964dfd8 ]
ipv6_stub->ipv6_dev_find() may return ERR_PTR(-EAFNOSUPPORT) when the
IPv6 stack is not active (CONFIG_IPV6=m and not loaded), and passing
this error pointer to dev_hold() will cause a kernel crash with
null-ptr-deref.
Instead, silently discard the request. RFC 8335 does not appear to
define a specific response for the case where an IPv6 interface
identifier is syntactically valid but the implementation cannot perform
the lookup at runtime, and silently dropping the request may be safer than
misreporting "No Such Interface".
Fixes: d329ea5bd884 ("icmp: add response to RFC 8335 PROBE messages")
Signed-off-by: Yiqi Sun <sunyiqixm@gmail.com>
Link: https://patch.msgid.link/20260402070419.2291578-1-sunyiqixm@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/icmp.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index 309d22f2858cc..7a6e4853cf98d 100644
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -1130,6 +1130,13 @@ bool icmp_build_probe(struct sk_buff *skb, struct icmphdr *icmphdr)
if (iio->ident.addr.ctype3_hdr.addrlen != sizeof(struct in6_addr))
goto send_mal_query;
dev = ipv6_stub->ipv6_dev_find(net, &iio->ident.addr.ip_addr.ipv6_addr, dev);
+ /*
+ * If IPv6 identifier lookup is unavailable, silently
+ * discard the request instead of misreporting NO_IF.
+ */
+ if (IS_ERR(dev))
+ return false;
+
dev_hold(dev);
break;
#endif
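Review bot: The new IS_ERR(dev) branch returns false directly while the length check two lines above it uses goto send_mal_query, so the comment should name the ERR_PTR(-EAFNOSUPPORT) case from the commit message to make clear why this path sends no reply at all. The commit title says null-ptr-deref, but the value rejected here is an error pointer, and stating that in the comment avoids someone replacing the test with a NULL check.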
--
2.53.0
* [PATCH 6.1 036/969] nfc: s3fwrn5: allocate rx skb before consuming bytes
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 035/969] ipv4: icmp: fix null-ptr-deref in icmp_build_probe() Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 037/969] dt-bindings: net: Fix Tegra234 MGBE PTP clock Greg Kroah-Hartman
` (939 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pengpeng Hou, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pengpeng Hou <pengpeng@iscas.ac.cn>
[ Upstream commit 5c14a19d5b1645cce1cb1252833d70b23635b632 ]
s3fwrn82_uart_read() reports the number of accepted bytes to the serdev
core. The current code consumes bytes into recv_skb and may already
deliver a complete frame before allocating a fresh receive buffer.
If that alloc_skb() fails, the callback returns 0 even though it has
already consumed bytes, and it leaves recv_skb as NULL for the next
receive callback. That breaks the receive_buf() accounting contract and
can also lead to a NULL dereference on the next skb_put_u8().
Allocate the receive skb lazily before consuming the next byte instead.
If allocation fails, return the number of bytes already accepted.
Fixes: 3f52c2cb7e3a ("nfc: s3fwrn5: Support a UART interface")
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Link: https://patch.msgid.link/20260402042148.65236-1-pengpeng@iscas.ac.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nfc/s3fwrn5/uart.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/drivers/nfc/s3fwrn5/uart.c b/drivers/nfc/s3fwrn5/uart.c
index 82ea35d748a5d..dde1a87ed1e47 100644
--- a/drivers/nfc/s3fwrn5/uart.c
+++ b/drivers/nfc/s3fwrn5/uart.c
@@ -59,6 +59,12 @@ static int s3fwrn82_uart_read(struct serdev_device *serdev,
size_t i;
for (i = 0; i < count; i++) {
+ if (!phy->recv_skb) {
+ phy->recv_skb = alloc_skb(NCI_SKB_BUFF_LEN, GFP_KERNEL);
+ if (!phy->recv_skb)
+ return i;
+ }
+
skb_put_u8(phy->recv_skb, *data++);
if (phy->recv_skb->len < S3FWRN82_NCI_HEADER)
@@ -70,9 +76,7 @@ static int s3fwrn82_uart_read(struct serdev_device *serdev,
s3fwrn5_recv_frame(phy->common.ndev, phy->recv_skb,
phy->common.mode);
- phy->recv_skb = alloc_skb(NCI_SKB_BUFF_LEN, GFP_KERNEL);
- if (!phy->recv_skb)
- return 0;
+ phy->recv_skb = NULL;
}
return i;
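Review bot: After this hunk phy->recv_skb is legitimately NULL between frames, where before it was only NULL after an allocation failure; the read loop is covered by the lazy allocation in the first hunk, but any other user of phy->recv_skb (probe and remove paths are not shown here) needs checking against that new state. A comment on the phy->recv_skb = NULL line stating that the skb has been handed to s3fwrn5_recv_frame() would also document why nothing is freed.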
--
2.53.0
* [PATCH 6.1 037/969] dt-bindings: net: Fix Tegra234 MGBE PTP clock
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 036/969] nfc: s3fwrn5: allocate rx skb before consuming bytes Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 038/969] tracing/probe: reject non-closed empty immediate strings Greg Kroah-Hartman
` (938 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jon Hunter, Krzysztof Kozlowski,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jon Hunter <jonathanh@nvidia.com>
[ Upstream commit fb22b1fc5bca3c0aad95388933497ceb30f1fb26 ]
The PTP clock for the Tegra234 MGBE device is incorrectly named
'ptp-ref' and should be 'ptp_ref'. This is causing the following
warning to be observed on Tegra234 platforms that use this device:
ERR KERN tegra-mgbe 6800000.ethernet eth0: Invalid PTP clock rate
WARNING KERN tegra-mgbe 6800000.ethernet eth0: PTP init failed
Although this constitutes an ABI breakage in the binding for this
device, PTP support has clearly never worked and so fix this now
so we can correct the device-tree for this device. Note that the
MGBE driver still supports the legacy 'ptp-ref' clock name and so
older/existing device-trees will still work, but given that this
is not the correct name, there is no point to advertise this in the
binding.
Fixes: 189c2e5c7669 ("dt-bindings: net: Add Tegra234 MGBE")
Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Link: https://patch.msgid.link/20260401102941.17466-3-jonathanh@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../devicetree/bindings/net/nvidia,tegra234-mgbe.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml b/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml
index 2bd3efff2485e..215f14d1897d2 100644
--- a/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml
+++ b/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml
@@ -42,7 +42,7 @@ properties:
- const: mgbe
- const: mac
- const: mac-divider
- - const: ptp-ref
+ - const: ptp_ref
- const: rx-input-m
- const: rx-input
- const: tx
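Review bot: Replacing the ptp-ref const outright means any device tree that still uses the legacy name, which the commit message says the driver keeps accepting, will now fail schema validation against this binding. If that is intended, the in-tree device trees that name this clock should be converted in the same series so the binding check does not start warning between commits.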
@@ -133,7 +133,7 @@ examples:
<&bpmp TEGRA234_CLK_MGBE0_RX_PCS_M>,
<&bpmp TEGRA234_CLK_MGBE0_RX_PCS>,
<&bpmp TEGRA234_CLK_MGBE0_TX_PCS>;
- clock-names = "mgbe", "mac", "mac-divider", "ptp-ref", "rx-input-m",
+ clock-names = "mgbe", "mac", "mac-divider", "ptp_ref", "rx-input-m",
"rx-input", "tx", "eee-pcs", "rx-pcs-input", "rx-pcs-m",
"rx-pcs", "tx-pcs";
resets = <&bpmp TEGRA234_RESET_MGBE0_MAC>,
--
2.53.0
* [PATCH 6.1 038/969] tracing/probe: reject non-closed empty immediate strings
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 037/969] dt-bindings: net: Fix Tegra234 MGBE PTP clock Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 039/969] ixgbevf: add missing negotiate_features op to Hyper-V ops table Greg Kroah-Hartman
` (937 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pengpeng Hou,
Steven Rostedt (Google), Masami Hiramatsu (Google), Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pengpeng Hou <pengpeng@iscas.ac.cn>
[ Upstream commit 4346be6577aaa04586167402ae87bbdbe32484a4 ]
parse_probe_arg() accepts quoted immediate strings and passes the body
after the opening quote to __parse_imm_string(). That helper currently
computes strlen(str) and immediately dereferences str[len - 1], which
underflows when the body is empty and not closed with double-quotation.
Reject empty non-closed immediate strings before checking for the closing quote.
Link: https://lore.kernel.org/all/20260401160315.88518-1-pengpeng@iscas.ac.cn/
Fixes: a42e3c4de964 ("tracing/probe: Add immediate string parameter support")
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/trace_probe.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c
index 3888a59c9dfe9..280e3d0f61b29 100644
--- a/kernel/trace/trace_probe.c
+++ b/kernel/trace/trace_probe.c
@@ -366,7 +366,7 @@ static int __parse_imm_string(char *str, char **pbuf, int offs)
{
size_t len = strlen(str);
- if (str[len - 1] != '"') {
+ if (!len || str[len - 1] != '"') {
trace_probe_log_err(offs + len, IMMSTR_NO_CLOSE);
return -EINVAL;
}
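Review bot: The fix in __parse_imm_string() depends on !len being evaluated before str[len - 1], since len is a size_t and len - 1 wraps when the body is empty; that is correct as written, but a selftest case for an opening quote with nothing after it would pin the behaviour. With len equal to 0 the error position passed to trace_probe_log_err() becomes offs, so check that this points at a sensible column in the reported command.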
--
2.53.0
* [PATCH 6.1 039/969] ixgbevf: add missing negotiate_features op to Hyper-V ops table
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 038/969] tracing/probe: reject non-closed empty immediate strings Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 040/969] e1000: check return value of e1000_read_eeprom Greg Kroah-Hartman
` (936 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiaoqiang Xiong, Michal Schmidt,
Aleksandr Loktionov, Tony Nguyen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Schmidt <mschmidt@redhat.com>
[ Upstream commit 4821d563cd7f251ae728be1a6d04af82a294a5b9 ]
Commit a7075f501bd3 ("ixgbevf: fix mailbox API compatibility by
negotiating supported features") added the .negotiate_features callback
to ixgbe_mac_operations and populated it in ixgbevf_mac_ops, but forgot
to add it to ixgbevf_hv_mac_ops. This leaves the function pointer NULL
on Hyper-V VMs.
During probe, ixgbevf_negotiate_api() calls ixgbevf_set_features(),
which unconditionally dereferences hw->mac.ops.negotiate_features().
On Hyper-V this results in a NULL pointer dereference:
BUG: kernel NULL pointer dereference, address: 0000000000000000
[...]
Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine [...]
Workqueue: events work_for_cpu_fn
RIP: 0010:0x0
[...]
Call Trace:
ixgbevf_negotiate_api+0x66/0x160 [ixgbevf]
ixgbevf_sw_init+0xe4/0x1f0 [ixgbevf]
ixgbevf_probe+0x20f/0x4a0 [ixgbevf]
local_pci_probe+0x50/0xa0
work_for_cpu_fn+0x1a/0x30
[...]
Add ixgbevf_hv_negotiate_features_vf() that returns -EOPNOTSUPP and
wire it into ixgbevf_hv_mac_ops. The caller already handles -EOPNOTSUPP
gracefully.
Fixes: a7075f501bd3 ("ixgbevf: fix mailbox API compatibility by negotiating supported features")
Reported-by: Xiaoqiang Xiong <xxiong@redhat.com>
Closes: https://issues.redhat.com/browse/RHEL-155455
Assisted-by: Claude:claude-4.6-opus-high Cursor
Tested-by: Xiaoqiang Xiong <xxiong@redhat.com>
Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ixgbevf/vf.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/net/ethernet/intel/ixgbevf/vf.c b/drivers/net/ethernet/intel/ixgbevf/vf.c
index 708d5dd921acc..70dfda13b7885 100644
--- a/drivers/net/ethernet/intel/ixgbevf/vf.c
+++ b/drivers/net/ethernet/intel/ixgbevf/vf.c
@@ -709,6 +709,12 @@ static int ixgbevf_negotiate_features_vf(struct ixgbe_hw *hw, u32 *pf_features)
return err;
}
+static int ixgbevf_hv_negotiate_features_vf(struct ixgbe_hw *hw,
+ u32 *pf_features)
+{
+ return -EOPNOTSUPP;
+}
+
/**
* ixgbevf_set_vfta_vf - Set/Unset VLAN filter table address
* @hw: pointer to the HW structure
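Review bot: The new ixgbevf_hv_negotiate_features_vf() has no kernel-doc header while the function that follows it in this hunk does; add one that says the Hyper-V variant has no mailbox to negotiate over and therefore always returns -EOPNOTSUPP, and that pf_features is left untouched.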
@@ -1142,6 +1148,7 @@ static const struct ixgbe_mac_operations ixgbevf_hv_mac_ops = {
.setup_link = ixgbevf_setup_mac_link_vf,
.check_link = ixgbevf_hv_check_mac_link_vf,
.negotiate_api_version = ixgbevf_hv_negotiate_api_version_vf,
+ .negotiate_features = ixgbevf_hv_negotiate_features_vf,
.set_rar = ixgbevf_hv_set_rar_vf,
.update_mc_addr_list = ixgbevf_hv_update_mc_addr_list_vf,
.update_xcast_mode = ixgbevf_hv_update_xcast_mode,
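Review bot: Wiring .negotiate_features into ixgbevf_hv_mac_ops fixes this table, but the crash described in the commit message came from the caller dereferencing the op unconditionally, so the next ops table that omits it fails the same way. Consider a NULL check at the call site that treats a missing op as -EOPNOTSUPP, or a comment on struct ixgbe_mac_operations marking the member as mandatory.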
--
2.53.0
* [PATCH 6.1 040/969] e1000: check return value of e1000_read_eeprom
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 039/969] ixgbevf: add missing negotiate_features op to Hyper-V ops table Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 041/969] xsk: tighten UMEM headroom validation to account for tailroom and min frame Greg Kroah-Hartman
` (935 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Iskhakov Daniil, Agalakov Daniil,
Aleksandr Loktionov, Tony Nguyen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Agalakov Daniil <ade@amicon.ru>
[ Upstream commit d3baa34a470771399c1495bc04b1e26ac15d598e ]
[Why]
e1000_set_eeprom() performs a read-modify-write operation when the write
range is not word-aligned. This requires reading the first and last words
of the range from the EEPROM to preserve the unmodified bytes.
However, the code does not check the return value of e1000_read_eeprom().
If the read fails, the operation continues using uninitialized data from
eeprom_buff. This results in corrupted data being written back to the
EEPROM for the boundary words.
Add the missing error checks and abort the operation if reading fails.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Co-developed-by: Iskhakov Daniil <dish@amicon.ru>
Signed-off-by: Iskhakov Daniil <dish@amicon.ru>
Signed-off-by: Agalakov Daniil <ade@amicon.ru>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/e1000/e1000_ethtool.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
index d06d29c6c0370..c7b50059663d9 100644
--- a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
+++ b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
@@ -496,14 +496,19 @@ static int e1000_set_eeprom(struct net_device *netdev,
*/
ret_val = e1000_read_eeprom(hw, first_word, 1,
&eeprom_buff[0]);
+ if (ret_val)
+ goto out;
+
ptr++;
}
- if (((eeprom->offset + eeprom->len) & 1) && (ret_val == 0)) {
+ if ((eeprom->offset + eeprom->len) & 1) {
/* need read/modify/write of last changed EEPROM word
* only the first byte of the word is being modified
*/
ret_val = e1000_read_eeprom(hw, last_word, 1,
&eeprom_buff[last_word - first_word]);
+ if (ret_val)
+ goto out;
}
/* Device's eeprom is always little-endian, word addressable */
@@ -522,6 +527,7 @@ static int e1000_set_eeprom(struct net_device *netdev,
if ((ret_val == 0) && (first_word <= EEPROM_CHECKSUM_REG))
e1000_update_eeprom_checksum(hw);
+out:
kfree(eeprom_buff);
return ret_val;
}
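Review bot: The new out label returns ret_val exactly as e1000_read_eeprom() produced it; if that helper returns a driver-private code rather than a negative errno, map it (for example to -EIO) before it reaches the ethtool caller. The label placement before kfree(eeprom_buff) is right, so both early exits added in the previous hunk free the buffer.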
--
2.53.0
* [PATCH 6.1 041/969] xsk: tighten UMEM headroom validation to account for tailroom and min frame
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 040/969] e1000: check return value of e1000_read_eeprom Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 042/969] xfrm: Wait for RCU readers during policy netns exit Greg Kroah-Hartman
` (934 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Björn Töpel,
Stanislav Fomichev, Maciej Fijalkowski, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
[ Upstream commit a315e022a72d95ef5f1d4e58e903cb492b0ad931 ]
The current headroom validation in xdp_umem_reg() could leave us with
insufficient space dedicated to even receive minimum-sized ethernet
frame. Furthermore if multi-buffer would come to play then
skb_shared_info stored at the end of XSK frame would be corrupted.
HW typically works with 128-aligned sizes so let us provide this value
as bare minimum.
Multi-buffer setting is known later in the configuration process so
besides accounting for 128 bytes, let us also take care of tailroom space
upfront.
Reviewed-by: Björn Töpel <bjorn@kernel.org>
Acked-by: Stanislav Fomichev <sdf@fomichev.me>
Fixes: 99e3a236dd43 ("xsk: Add missing check on user supplied headroom size")
Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
Link: https://patch.msgid.link/20260402154958.562179-2-maciej.fijalkowski@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/xdp/xdp_umem.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/xdp/xdp_umem.c b/net/xdp/xdp_umem.c
index 02207e852d796..561290f9e68b5 100644
--- a/net/xdp/xdp_umem.c
+++ b/net/xdp/xdp_umem.c
@@ -196,7 +196,8 @@ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr)
if (!unaligned_chunks && chunks_rem)
return -EINVAL;
- if (headroom >= chunk_size - XDP_PACKET_HEADROOM)
+ if (headroom > chunk_size - XDP_PACKET_HEADROOM -
+ SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) - 128)
return -EINVAL;
umem->size = size;
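Review bot: The bare 128 in the new bound in xdp_umem_reg() should be a named constant with a comment tying it to the minimum frame space the commit message describes. The right-hand side is now chunk_size minus three terms, so confirm that the chunk_size lower bound enforced earlier in the function keeps that subtraction from wrapping for the smallest allowed chunk; the comparison also changed from >= to >, which deserves a word in the commit message.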
--
2.53.0
* [PATCH 6.1 042/969] xfrm: Wait for RCU readers during policy netns exit
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 041/969] xsk: tighten UMEM headroom validation to account for tailroom and min frame Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 043/969] xfrm_user: fix info leak in build_mapping() Greg Kroah-Hartman
` (933 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Steffen Klassert, Florian Westphal,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steffen Klassert <steffen.klassert@secunet.com>
[ Upstream commit 069daad4f2ae9c5c108131995529d5f02392c446 ]
xfrm_policy_fini() frees the policy_bydst hash tables after flushing the
policy work items and deleting all policies, but it does not wait for
concurrent RCU readers to leave their read-side critical sections first.
The policy_bydst tables are published via rcu_assign_pointer() and are
looked up through rcu_dereference_check(), so netns teardown must also
wait for an RCU grace period before freeing the table memory.
Fix this by adding synchronize_rcu() before freeing the policy hash tables.
Fixes: e1e551bc5630 ("xfrm: policy: prepare policy_bydst hash for rcu lookups")
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/xfrm/xfrm_policy.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index cd534803a0e42..7b9151f4eccfd 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -4129,6 +4129,8 @@ static void xfrm_policy_fini(struct net *net)
#endif
xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, false);
+ synchronize_rcu();
+
WARN_ON(!list_empty(&net->xfrm.policy_all));
for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
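Review bot: The synchronize_rcu() added after xfrm_policy_flush() carries no comment, and a bare grace-period wait in a teardown path is the kind of line that gets removed as an optimisation; state next to it that it protects RCU readers of the policy_bydst tables freed in the loop below. It also adds a full grace period to every netns exit, so note whether that cost was measured for workloads that tear down many namespaces.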
--
2.53.0
* [PATCH 6.1 043/969] xfrm_user: fix info leak in build_mapping()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 042/969] xfrm: Wait for RCU readers during policy netns exit Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 044/969] selftests: net: bridge_vlan_mcast: wait for h1 before querier check Greg Kroah-Hartman
` (932 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Steffen Klassert, Herbert Xu,
David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Simon Horman, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 1beb76b2053b68c491b78370794b8ff63c8f8c02 ]
struct xfrm_usersa_id has a one-byte padding hole after the proto
field, which ends up never getting set to zero before copying out to
userspace. Fix that up by zeroing out the whole structure before
setting individual variables.
Fixes: 3a2dfbe8acb1 ("xfrm: Notify changes in UDP encapsulation via netlink")
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: Simon Horman <horms@kernel.org>
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/xfrm/xfrm_user.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 64137facd128e..9d22a7753f080 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -3729,6 +3729,7 @@ static int build_mapping(struct sk_buff *skb, struct xfrm_state *x,
um = nlmsg_data(nlh);
+ memset(&um->id, 0, sizeof(um->id));
memcpy(&um->id.daddr, &x->id.daddr, sizeof(um->id.daddr));
um->id.spi = x->id.spi;
um->id.family = x->props.family;
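Review bot: The memset in build_mapping() clears only um->id, so any padding in the enclosing structure outside that member is still whatever nlmsg_data() pointed at. Unless the rest of the structure is known to be hole-free, memset(um, 0, sizeof(*um)) before the first assignment would close the whole message at the same cost.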
--
2.53.0
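The padding hole described in the xfrm_user commit message above, reproduced in userspace as an added example (not code from the patch or the kernel). struct sa_id, POISON and the function names are assumptions that mirror the field order the message describes, and the poisoned buffer is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in layout (assumption): 16-byte address, 32-bit SPI, 16-bit family,
 * 8-bit proto. The compiler adds one byte of padding after proto. */
struct sa_id {
	uint8_t  daddr[16];
	uint32_t spi;
	uint16_t family;
	uint8_t  proto;
};

#define POISON 0xA5 /* constructed stand-in for stale heap contents */

/* Mark each byte owned by a named field with 1. */
#define MARK(mask, f) \
	memset((mask) + offsetof(struct sa_id, f), 1, \
	       sizeof(((struct sa_id *)0)->f))

/* Build a per-byte map of the struct: 1 = field byte, 0 = padding. */
static void field_mask(uint8_t mask[sizeof(struct sa_id)])
{
	memset(mask, 0, sizeof(struct sa_id));
	MARK(mask, daddr);
	MARK(mask, spi);
	MARK(mask, family);
	MARK(mask, proto);
}

/* Number of bytes in the struct that no field covers. */
static size_t padding_bytes(void)
{
	uint8_t mask[sizeof(struct sa_id)];
	size_t i, n = 0;

	field_mask(mask);
	for (i = 0; i < sizeof(mask); i++)
		n += !mask[i];
	return n;
}

/* Field-by-field fill of a message buffer, as the unpatched code did. */
static void put_fields(uint8_t *msg, const uint8_t daddr[16],
		       uint32_t spi, uint16_t family, uint8_t proto)
{
	memcpy(msg + offsetof(struct sa_id, daddr), daddr, 16);
	memcpy(msg + offsetof(struct sa_id, spi), &spi, sizeof(spi));
	memcpy(msg + offsetof(struct sa_id, family), &family, sizeof(family));
	memcpy(msg + offsetof(struct sa_id, proto), &proto, sizeof(proto));
}

/* Fill a buffer that still holds old contents and count the padding bytes
 * that would reach the reader unchanged. zero_first selects the fix. */
static size_t build_and_count_leak(int zero_first)
{
	static const uint8_t daddr[16] = { 192, 0, 2, 1 }; /* constructed */
	uint8_t msg[sizeof(struct sa_id)];
	uint8_t mask[sizeof(struct sa_id)];
	size_t i, leaked = 0;

	memset(msg, POISON, sizeof(msg));	/* buffer arrives dirty */
	if (zero_first)
		memset(msg, 0, sizeof(msg));	/* clear the whole struct */
	put_fields(msg, daddr, 0x1234, 2, 50);

	field_mask(mask);
	for (i = 0; i < sizeof(msg); i++)
		if (!mask[i] && msg[i] == POISON)
			leaked++;
	return leaked;
}

int main(void)
{
	printf("sizeof=%zu padding=%zu\n",
	       sizeof(struct sa_id), padding_bytes());
	printf("stale bytes, field-wise fill: %zu\n", build_and_count_leak(0));
	printf("stale bytes, zeroed first:    %zu\n", build_and_count_leak(1));
	return 0;
}
```

The same field_mask() approach works as a unit test for any structure copied to userspace: a nonzero padding_bytes() means the structure must be cleared as a whole before its members are set.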
* [PATCH 6.1 044/969] selftests: net: bridge_vlan_mcast: wait for h1 before querier check
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (42 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 043/969] xfrm_user: fix info leak in build_mapping() Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 045/969] netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE terminator Greg Kroah-Hartman
` (931 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Golle, Alexander Sverdlin,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Golle <daniel@makrotopia.org>
[ Upstream commit efaa71faf212324ecbf6d5339e9717fe53254f58 ]
The querier-interval test adds h1 (currently a slave of the VRF created
by simple_if_init) to a temporary bridge br1 acting as an outside IGMP
querier. The kernel VRF driver (drivers/net/vrf.c) calls cycle_netdev()
on every slave add and remove, toggling the interface admin-down then up.
Phylink takes the PHY down during the admin-down half of that cycle.
Since h1 and swp1 are cable-connected, swp1 also loses its link and may need
several seconds to re-negotiate.
Use setup_wait_dev $h1 0 which waits for h1 to return to UP state, so the
test can rely on the link being back up at this point.
Fixes: 4d8610ee8bd77 ("selftests: net: bridge: add vlan mcast_querier_interval tests")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Reviewed-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
Link: https://patch.msgid.link/c830f130860fd2efae08bfb9e5b25fd028e58ce5.1775424423.git.daniel@makrotopia.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh | 1 +
1 file changed, 1 insertion(+)
diff --git a/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh b/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh
index 8748d1b1d95b7..cc0a6e46457d9 100755
--- a/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh
+++ b/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh
@@ -411,6 +411,7 @@ vlmc_querier_intvl_test()
bridge vlan add vid 10 dev br1 self pvid untagged
ip link set dev $h1 master br1
ip link set dev br1 up
+ setup_wait_dev $h1 0
bridge vlan add vid 10 dev $h1 master
bridge vlan global set vid 10 dev br1 mcast_snooping 1 mcast_querier 1
sleep 2
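Review bot: setup_wait_dev is called for $h1 only, yet the commit message says it is swp1 that loses link and needs several seconds to re-negotiate; if the querier check depends on the bridge port being up, wait on that interface as well rather than relying on h1 coming back and the sleep 2 that follows. A one-line comment above the new call explaining the VRF cycle would also help, since nothing in the test body hints at why a wait is needed here.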
--
2.53.0
* [PATCH 6.1 045/969] netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE terminator
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (43 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 044/969] selftests: net: bridge_vlan_mcast: wait for h1 before querier check Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 046/969] netfilter: xt_multiport: validate range encoding in checkentry Greg Kroah-Hartman
` (930 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Weiming Shi, Xiang Mei,
Florian Westphal, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiang Mei <xmei5@asu.edu>
[ Upstream commit 1f3083aec8836213da441270cdb1ab612dd82cf4 ]
When batching multiple NFLOG messages (inst->qlen > 1), __nfulnl_send()
appends an NLMSG_DONE terminator with sizeof(struct nfgenmsg) payload via
nlmsg_put(), but never initializes the nfgenmsg bytes. The nlmsg_put()
helper only zeroes alignment padding after the payload, not the payload
itself, so four bytes of stale kernel heap data are leaked to userspace
in the NLMSG_DONE message body.
Use nfnl_msg_put() to build the NLMSG_DONE terminator, which initializes
the nfgenmsg payload via nfnl_fill_hdr(), consistent with how
__build_packet_message() already constructs NFULNL_MSG_PACKET headers.
Fixes: 29c5d4afba51 ("[NETFILTER]: nfnetlink_log: fix sending of multipart messages")
Reported-by: Weiming Shi <bestswngs@gmail.com>
Signed-off-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nfnetlink_log.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index 6bf7d7bea1fc2..b7528fa74f3af 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -351,10 +351,10 @@ static void
__nfulnl_send(struct nfulnl_instance *inst)
{
if (inst->qlen > 1) {
- struct nlmsghdr *nlh = nlmsg_put(inst->skb, 0, 0,
- NLMSG_DONE,
- sizeof(struct nfgenmsg),
- 0);
+ struct nlmsghdr *nlh = nfnl_msg_put(inst->skb, 0, 0,
+ NLMSG_DONE, 0,
+ AF_UNSPEC, NFNETLINK_V0,
+ htons(inst->group_num));
if (WARN_ONCE(!nlh, "bad nlskb size: %u, tailroom %d\n",
inst->skb->len, skb_tailroom(inst->skb))) {
kfree_skb(inst->skb);
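Review bot: the replacement call in __nfulnl_send() needs a short comment saying why nfnl_msg_put() is used for the NLMSG_DONE terminator, since nothing in the code records that nlmsg_put() left the nfgenmsg payload unwritten and a later cleanup could switch it back. The terminator now also carries AF_UNSPEC, NFNETLINK_V0 and htons(inst->group_num) where the bytes were previously undefined; the changelog should say that userspace readers of the batch are unaffected by those now-defined values.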
--
2.53.0
* [PATCH 6.1 046/969] netfilter: xt_multiport: validate range encoding in checkentry
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (44 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 045/969] netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE terminator Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 047/969] netfilter: ip6t_eui64: reject invalid MAC header for all packets Greg Kroah-Hartman
` (929 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yifan Wu, Juefei Pu, Yuan Tan,
Xin Liu, Yuhang Zheng, Ren Wei, Florian Westphal, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ren Wei <n05ec@lzu.edu.cn>
[ Upstream commit ff64c5bfef12461df8450e0f50bb693b5269c720 ]
ports_match_v1() treats any non-zero pflags entry as the start of a
port range and unconditionally consumes the next ports[] element as
the range end.
The checkentry path currently validates protocol, flags and count, but
it does not validate the range encoding itself. As a result, malformed
rules can mark the last slot as a range start or place two range starts
back to back, leaving ports_match_v1() to step past the last valid
ports[] element while interpreting the rule.
Reject malformed multiport v1 rules in checkentry by validating that
each range start has a following element and that the following element
is not itself marked as another range start.
Fixes: a89ecb6a2ef7 ("[NETFILTER]: x_tables: unify IPv4/IPv6 multiport match")
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Tested-by: Yuhang Zheng <z1652074432@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/xt_multiport.c | 34 ++++++++++++++++++++++++++++++----
1 file changed, 30 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c
index 44a00f5acde8a..a1691ff405d3c 100644
--- a/net/netfilter/xt_multiport.c
+++ b/net/netfilter/xt_multiport.c
@@ -105,6 +105,28 @@ multiport_mt(const struct sk_buff *skb, struct xt_action_param *par)
return ports_match_v1(multiinfo, ntohs(pptr[0]), ntohs(pptr[1]));
}
+static bool
+multiport_valid_ranges(const struct xt_multiport_v1 *multiinfo)
+{
+ unsigned int i;
+
+ for (i = 0; i < multiinfo->count; i++) {
+ if (!multiinfo->pflags[i])
+ continue;
+
+ if (++i >= multiinfo->count)
+ return false;
+
+ if (multiinfo->pflags[i])
+ return false;
+
+ if (multiinfo->ports[i - 1] > multiinfo->ports[i])
+ return false;
+ }
+
+ return true;
+}
+
static inline bool
check(u_int16_t proto,
u_int8_t ip_invflags,
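Review bot: the last test in multiport_valid_ranges(), `multiinfo->ports[i - 1] > multiinfo->ports[i]`, rejects a range whose start is greater than its end, which the changelog does not mention (it lists only the missing end element and back-to-back range starts). That is a behaviour change for rule sets that loaded before, so it should be named in the commit message or split out. The helper also indexes pflags[] and ports[] up to multiinfo->count and so depends on check() having validated count first; a comment stating that precondition would keep a future caller from using it on an unchecked count.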
@@ -127,8 +149,10 @@ static int multiport_mt_check(const struct xt_mtchk_param *par)
const struct ipt_ip *ip = par->entryinfo;
const struct xt_multiport_v1 *multiinfo = par->matchinfo;
- return check(ip->proto, ip->invflags, multiinfo->flags,
- multiinfo->count) ? 0 : -EINVAL;
+ if (!check(ip->proto, ip->invflags, multiinfo->flags, multiinfo->count))
+ return -EINVAL;
+
+ return multiport_valid_ranges(multiinfo) ? 0 : -EINVAL;
}
static int multiport_mt6_check(const struct xt_mtchk_param *par)
@@ -136,8 +160,10 @@ static int multiport_mt6_check(const struct xt_mtchk_param *par)
const struct ip6t_ip6 *ip = par->entryinfo;
const struct xt_multiport_v1 *multiinfo = par->matchinfo;
- return check(ip->proto, ip->invflags, multiinfo->flags,
- multiinfo->count) ? 0 : -EINVAL;
+ if (!check(ip->proto, ip->invflags, multiinfo->flags, multiinfo->count))
+ return -EINVAL;
+
+ return multiport_valid_ranges(multiinfo) ? 0 : -EINVAL;
}
static struct xt_match multiport_mt_reg[] __read_mostly = {
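Review bot: multiport_mt6_check() now repeats the same check()-then-multiport_valid_ranges() sequence as multiport_mt_check(), so the two entry points can drift apart. Consider one shared helper taking proto, invflags and multiinfo that both call, so the range validation cannot be dropped from one family by accident.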
--
2.53.0
* [PATCH 6.1 047/969] netfilter: ip6t_eui64: reject invalid MAC header for all packets
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (45 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 046/969] netfilter: xt_multiport: validate range encoding in checkentry Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 048/969] af_unix: read UNIX_DIAG_VFS data under unix_state_lock Greg Kroah-Hartman
` (928 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yifan Wu, Juefei Pu, Yuan Tan,
Xin Liu, Ren Wei, Zhengchuan Liang, Ren Wei, Florian Westphal,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhengchuan Liang <zcliangcn@gmail.com>
[ Upstream commit fdce0b3590f724540795b874b4c8850c90e6b0a8 ]
`eui64_mt6()` derives a modified EUI-64 from the Ethernet source address
and compares it with the low 64 bits of the IPv6 source address.
The existing guard only rejects an invalid MAC header when
`par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()`
can still reach `eth_hdr(skb)` even when the MAC header is not valid.
Fix this by removing the `par->fragoff != 0` condition so that packets
with an invalid MAC header are rejected before accessing `eth_hdr(skb)`.
Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2")
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Tested-by: Ren Wei <enjou1224z@gmail.com>
Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/netfilter/ip6t_eui64.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c
index d704f7ed300c2..da69a27e8332c 100644
--- a/net/ipv6/netfilter/ip6t_eui64.c
+++ b/net/ipv6/netfilter/ip6t_eui64.c
@@ -22,8 +22,7 @@ eui64_mt6(const struct sk_buff *skb, struct xt_action_param *par)
unsigned char eui64[8];
if (!(skb_mac_header(skb) >= skb->head &&
- skb_mac_header(skb) + ETH_HLEN <= skb->data) &&
- par->fragoff != 0) {
+ skb_mac_header(skb) + ETH_HLEN <= skb->data)) {
par->hotdrop = true;
return false;
}
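Review bot: with `par->fragoff != 0` removed, every packet without a valid MAC header now takes the `par->hotdrop = true` path, so packets with fragoff == 0 that used to continue to eth_hdr(skb) are now dropped outright rather than treated as a non-match. The changelog says "rejected"; please state that a hard drop is intended for traffic with no valid Ethernet header, and consider a comment above the guard, since the negated compound condition is easy to misread.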
--
2.53.0
* [PATCH 6.1 048/969] af_unix: read UNIX_DIAG_VFS data under unix_state_lock
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (46 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 047/969] netfilter: ip6t_eui64: reject invalid MAC header for all packets Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 049/969] l2tp: Drop large packets with UDP encap Greg Kroah-Hartman
` (927 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yifan Wu, Juefei Pu, Yuan Tan,
Xin Liu, Ren Wei, Jiexun Wang, Ren Wei, Kuniyuki Iwashima,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiexun Wang <wangjiexun2025@gmail.com>
[ Upstream commit 39897df386376912d561d4946499379effa1e7ef ]
Exact UNIX diag lookups hold a reference to the socket, but not to
u->path. Meanwhile, unix_release_sock() clears u->path under
unix_state_lock() and drops the path reference after unlocking.
Read the inode and device numbers for UNIX_DIAG_VFS while holding
unix_state_lock(), then emit the netlink attribute after dropping the
lock.
This keeps the VFS data stable while the reply is being built.
Fixes: 5f7b0569460b ("unix_diag: Unix inode info NLA")
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Tested-by: Ren Wei <enjou1224z@gmail.com>
Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260407080015.1744197-1-n05ec@lzu.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/unix/diag.c | 21 +++++++++++++--------
1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/net/unix/diag.c b/net/unix/diag.c
index a6bd861314df0..169d068064bba 100644
--- a/net/unix/diag.c
+++ b/net/unix/diag.c
@@ -26,18 +26,23 @@ static int sk_diag_dump_name(struct sock *sk, struct sk_buff *nlskb)
static int sk_diag_dump_vfs(struct sock *sk, struct sk_buff *nlskb)
{
- struct dentry *dentry = unix_sk(sk)->path.dentry;
+ struct unix_diag_vfs uv;
+ struct dentry *dentry;
+ bool have_vfs = false;
+ unix_state_lock(sk);
+ dentry = unix_sk(sk)->path.dentry;
if (dentry) {
- struct unix_diag_vfs uv = {
- .udiag_vfs_ino = d_backing_inode(dentry)->i_ino,
- .udiag_vfs_dev = dentry->d_sb->s_dev,
- };
-
- return nla_put(nlskb, UNIX_DIAG_VFS, sizeof(uv), &uv);
+ uv.udiag_vfs_ino = d_backing_inode(dentry)->i_ino;
+ uv.udiag_vfs_dev = dentry->d_sb->s_dev;
+ have_vfs = true;
}
+ unix_state_unlock(sk);
- return 0;
+ if (!have_vfs)
+ return 0;
+
+ return nla_put(nlskb, UNIX_DIAG_VFS, sizeof(uv), &uv);
}
static int sk_diag_dump_peer(struct sock *sk, struct sk_buff *nlskb)
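Review bot: `struct unix_diag_vfs uv;` is now declared without an initializer and then copied out in full by nla_put(nlskb, UNIX_DIAG_VFS, sizeof(uv), &uv), so any member not assigned inside the locked block would reach userspace as stack contents. Both udiag_vfs_ino and udiag_vfs_dev are set whenever have_vfs is true, so this is correct as written, but `struct unix_diag_vfs uv = {};` would keep it safe if the struct ever grows and costs nothing here.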
--
2.53.0
* [PATCH 6.1 049/969] l2tp: Drop large packets with UDP encap
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (47 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 048/969] af_unix: read UNIX_DIAG_VFS data under unix_state_lock Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 050/969] gpio: tegra: fix irq_release_resources calling enable instead of disable Greg Kroah-Hartman
` (926 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+ci3edea60a44225dec,
Alice Mikityanska, Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alice Mikityanska <alice@isovalent.com>
[ Upstream commit ebe560ea5f54134279356703e73b7f867c89db13 ]
syzbot reported a WARN on my patch series [1]. The actual issue is an
overflow of 16-bit UDP length field, and it exists in the upstream code.
My series added a debug WARN with an overflow check that exposed the
issue, that's why syzbot tripped on my patches, rather than on upstream
code.
syzbot's repro:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$inet6(r1, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback, 0xfffffffc}, 0x1c)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
writev(r0, &(0x7f0000000080)=[{&(0x7f0000000000)="ee", 0x34000}], 0x1)
It basically sends an oversized (0x34000 bytes) PPPoL2TP packet with UDP
encapsulation, and l2tp_xmit_core doesn't check for overflows when it
assigns the UDP length field. The value gets trimmed to 16 bits.
Add an overflow check that drops oversized packets and avoids sending
packets with trimmed UDP length to the wire.
syzbot's stack trace (with my patch applied):
len >= 65536u
WARNING: ./include/linux/udp.h:38 at udp_set_len_short include/linux/udp.h:38 [inline], CPU#1: syz.0.17/5957
WARNING: ./include/linux/udp.h:38 at l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline], CPU#1: syz.0.17/5957
WARNING: ./include/linux/udp.h:38 at l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327, CPU#1: syz.0.17/5957
Modules linked in:
CPU: 1 UID: 0 PID: 5957 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:udp_set_len_short include/linux/udp.h:38 [inline]
RIP: 0010:l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline]
RIP: 0010:l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327
Code: 0f 0b 90 e9 21 f9 ff ff e8 e9 05 ec f6 90 0f 0b 90 e9 8d f9 ff ff e8 db 05 ec f6 90 0f 0b 90 e9 cc f9 ff ff e8 cd 05 ec f6 90 <0f> 0b 90 e9 de fa ff ff 44 89 f1 80 e1 07 80 c1 03 38 c1 0f 8c 4f
RSP: 0018:ffffc90003d67878 EFLAGS: 00010293
RAX: ffffffff8ad985e3 RBX: ffff8881a6400090 RCX: ffff8881697f0000
RDX: 0000000000000000 RSI: 0000000000034010 RDI: 000000000000ffff
RBP: dffffc0000000000 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffff520007acf00 R12: ffff8881baf20900
R13: 0000000000034010 R14: ffff8881a640008e R15: ffff8881760f7000
FS: 000055557e81f500(0000) GS:ffff8882a9467000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000033000 CR3: 00000001612f4000 CR4: 00000000000006f0
Call Trace:
<TASK>
pppol2tp_sendmsg+0x40a/0x5f0 net/l2tp/l2tp_ppp.c:302
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg net/socket.c:742 [inline]
sock_write_iter+0x503/0x550 net/socket.c:1195
do_iter_readv_writev+0x619/0x8c0 fs/read_write.c:-1
vfs_writev+0x33c/0x990 fs/read_write.c:1059
do_writev+0x154/0x2e0 fs/read_write.c:1105
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f636479c629
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffffd4241c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 00007f6364a15fa0 RCX: 00007f636479c629
RDX: 0000000000000001 RSI: 0000200000000080 RDI: 0000000000000003
RBP: 00007f6364832b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f6364a15fac R14: 00007f6364a15fa0 R15: 00007f6364a15fa0
</TASK>
[1]: https://lore.kernel.org/all/20260226201600.222044-1-alice.kernel@fastmail.im/
Fixes: 3557baabf280 ("[L2TP]: PPP over L2TP driver core")
Reported-by: syzbot+ci3edea60a44225dec@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/69a1dfba.050a0220.3a55be.0026.GAE@google.com/
Signed-off-by: Alice Mikityanska <alice@isovalent.com>
Link: https://patch.msgid.link/20260403174949.843941-1-alice.kernel@fastmail.im
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/l2tp/l2tp_core.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index e0ca08ebd16a9..3c701795fa100 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -1083,6 +1083,11 @@ static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb, uns
uh->source = inet->inet_sport;
uh->dest = inet->inet_dport;
udp_len = uhlen + session->hdr_len + data_len;
+ if (udp_len > U16_MAX) {
+ kfree_skb(skb);
+ ret = NET_XMIT_DROP;
+ goto out_unlock;
+ }
uh->len = htons(udp_len);
/* Calculate UDP checksum if configured to do so */
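Review bot: the new `udp_len > U16_MAX` branch in l2tp_xmit_core() drops the packet without any visible accounting, so an oversized send fails with no trace for the operator. Consider bumping a transmit error counter before `goto out_unlock`, and doing the length test before uh->source and uh->dest are filled in so that no header is written for a packet that is about to be freed. It is also worth confirming that the out_unlock path does not touch skb again after the kfree_skb() here.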
--
2.53.0
* [PATCH 6.1 050/969] gpio: tegra: fix irq_release_resources calling enable instead of disable
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (48 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 049/969] l2tp: Drop large packets with UDP encap Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 051/969] perf/x86/intel/uncore: Skip discovery table for offline dies Greg Kroah-Hartman
` (925 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Samasth Norway Ananda,
Bartosz Golaszewski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
[ Upstream commit 1561d96f5f55c1bca9ff047ace5813f4f244eea6 ]
tegra_gpio_irq_release_resources() erroneously calls tegra_gpio_enable()
instead of tegra_gpio_disable(). When IRQ resources are released, the
GPIO configuration bit (CNF) should be cleared to deconfigure the pin as
a GPIO. Leaving it enabled wastes power and can cause unexpected behavior
if the pin is later reused for an alternate function via pinctrl.
Fixes: 66fecef5bde0 ("gpio: tegra: Convert to gpio_irq_chip")
Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
Link: https://patch.msgid.link/20260407210247.1737938-1-samasth.norway.ananda@oracle.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpio/gpio-tegra.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpio/gpio-tegra.c b/drivers/gpio/gpio-tegra.c
index 5b265a6fd3c18..49ff77c3ad198 100644
--- a/drivers/gpio/gpio-tegra.c
+++ b/drivers/gpio/gpio-tegra.c
@@ -597,7 +597,7 @@ static void tegra_gpio_irq_release_resources(struct irq_data *d)
struct tegra_gpio_info *tgi = gpiochip_get_data(chip);
gpiochip_relres_irq(chip, d->hwirq);
- tegra_gpio_enable(tgi, d->hwirq);
+ tegra_gpio_disable(tgi, d->hwirq);
}
static void tegra_gpio_irq_print_chip(struct irq_data *d, struct seq_file *s)
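Review bot: tegra_gpio_irq_release_resources() now calls tegra_gpio_disable() unconditionally, and the changelog says this clears CNF and deconfigures the pin as a GPIO. Does that hold when the same line is still requested as a GPIO by a consumer that only freed its interrupt? If that case can occur, the release path should skip the disable while the GPIO is held; otherwise the changelog should explain why it cannot.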
--
2.53.0
* [PATCH 6.1 051/969] perf/x86/intel/uncore: Skip discovery table for offline dies
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (49 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 050/969] gpio: tegra: fix irq_release_resources calling enable instead of disable Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 052/969] Revert "drm: Fix use-after-free on framebuffers and property blobs when calling drm_dev_unplug" Greg Kroah-Hartman
` (924 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Steve Wahl, Zide Chen,
Peter Zijlstra (Intel), Dapeng Mi, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zide Chen <zide.chen@intel.com>
[ Upstream commit 7b568e9eba2fad89a696f22f0413d44cf4a1f892 ]
This warning can be triggered if NUMA is disabled and the system
boots with fewer CPUs than the number of CPUs in die 0.
WARNING: CPU: 9 PID: 7257 at uncore.c:1157 uncore_pci_pmu_register+0x136/0x160 [intel_uncore]
Currently, the discovery table continues to be parsed even if all CPUs
in the associated die are offline. This can lead to an array overflow
at "pmu->boxes[die] = box" in uncore_pci_pmu_register(), which may
trigger the warning above or cause other issues.
Fixes: edae1f06c2cd ("perf/x86/intel/uncore: Parse uncore discovery tables")
Reported-by: Steve Wahl <steve.wahl@hpe.com>
Signed-off-by: Zide Chen <zide.chen@intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Dapeng Mi <dapeng1.mi@linux.intel.com>
Tested-by: Steve Wahl <steve.wahl@hpe.com>
Link: https://patch.msgid.link/20260313174050.171704-3-zide.chen@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/events/intel/uncore_discovery.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/events/intel/uncore_discovery.c b/arch/x86/events/intel/uncore_discovery.c
index 7d454141433c8..a78899a27dcb4 100644
--- a/arch/x86/events/intel/uncore_discovery.c
+++ b/arch/x86/events/intel/uncore_discovery.c
@@ -311,7 +311,7 @@ bool intel_uncore_has_discovery_tables(void)
(val & UNCORE_DISCOVERY_DVSEC2_BIR_MASK) * UNCORE_DISCOVERY_BIR_STEP;
die = get_device_die_id(dev);
- if (die < 0)
+ if ((die < 0) || (die >= uncore_max_dies()))
continue;
parse_discovery_table(dev, die, bar_offset, &parsed);
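Review bot: the added `die >= uncore_max_dies()` test sits in the discovery loop, while the overflow described in the changelog is at `pmu->boxes[die] = box` in uncore_pci_pmu_register(), so any other path that reaches that store with a large die is still unchecked. A bound at the indexing site would make this robust. Minor points: the inner parentheses in `(die < 0) || (die >= uncore_max_dies())` are redundant, and skipping a table silently makes a missing PMU hard to diagnose, so a debug message on the skip would help.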
--
2.53.0
* [PATCH 6.1 052/969] Revert "drm: Fix use-after-free on framebuffers and property blobs when calling drm_dev_unplug"
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (50 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 051/969] perf/x86/intel/uncore: Skip discovery table for offline dies Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 053/969] netfilter: conntrack: add missing netlink policy validations Greg Kroah-Hartman
` (923 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Hellström, Guenter Roeck,
Simona Vetter, Maarten Lankhorst, Thorsten Leemhuis, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maarten Lankhorst <dev@lankhorst.se>
commit 45ebe43ea00d6b9f5b3e0db9c35b8ca2a96b7e70 upstream.
This reverts commit 6bee098b91417654703e17eb5c1822c6dfd0c01d.
On 2026-03-25 at 22:11, Simona Vetter wrote:
> On Wed, Mar 25, 2026 at 10:26:40AM -0700, Guenter Roeck wrote:
>> Hi,
>>
>> On Fri, Mar 13, 2026 at 04:17:27PM +0100, Maarten Lankhorst wrote:
>>> When trying to do a rather aggressive test of igt's "xe_module_load
>>> --r reload" with a full desktop environment and game running I noticed
>>> a few OOPSes when dereferencing freed pointers, related to
>>> framebuffers and property blobs after the compositor exits.
>>>
>>> Solve this by guarding the freeing in drm_file with drm_dev_enter/exit,
>>> and immediately put the references from struct drm_file objects during
>>> drm_dev_unplug().
>>>
>>
>> With this patch in v6.18.20, I get the warning backtraces below.
>> The backtraces are gone with the patch reverted.
>
> Yeah, this needs to be reverted, reasoning below. Maarten, can you please
> take care of that and feed the revert through the usual channels? I don't
> think it's critical enough that we need to fast-track this into drm.git
> directly.
>
> Quoting the patch here again:
>
>> drivers/gpu/drm/drm_file.c| 5 ++++-
>> drivers/gpu/drm/drm_mode_config.c | 9 ++++++---
>> 2 files changed, 10 insertions(+), 4 deletions(-)
>>
>> diff --git a/drivers/gpu/drm/drm_file.c b/drivers/gpu/drm/drm_file.c
>> index ec820686b3021..f52141f842a1f 100644
>> --- a/drivers/gpu/drm/drm_file.c
>> +++ b/drivers/gpu/drm/drm_file.c
>> @@ -233,6 +233,7 @@ static void drm_events_release(struct drm_file *file_priv)
>> void drm_file_free(struct drm_file *file)
>> {
>> struct drm_device *dev;
>> +int idx;
>>
>> if (!file)
>> return;
>> @@ -249,9 +250,11 @@ void drm_file_free(struct drm_file *file)
>>
>> drm_events_release(file);
>>
>> -if (drm_core_check_feature(dev, DRIVER_MODESET)) {
>> +if (drm_core_check_feature(dev, DRIVER_MODESET) &&
>> +drm_dev_enter(dev, &idx)) {
>
> This is misplaced for two reasons:
>
> - Even if we'd want to guarantee that we hold a drm_dev_enter/exit
> reference during framebuffer teardown, we'd need to do this
> _consistently over all callsites. Not ad-hoc in just one place that a
> testcase hits. This also means kerneldoc updates of the relevant hooks
> and at least a bunch of acks from other driver people to document the
> consensus.
>
> - More importantly, this is driver responsibilities in general unless we
> have extremely good reasons to the contrary. Which means this must be
> placed in xe.
>
>> drm_fb_release(file);
>> drm_property_destroy_user_blobs(dev, file);
>> +drm_dev_exit(idx);
>> }
>>
>> if (drm_core_check_feature(dev, DRIVER_SYNCOBJ))
>> diff --git a/drivers/gpu/drm/drm_mode_config.c b/drivers/gpu/drm/drm_mode_config.c
>> index 84ae8a23a3678..e349418978f79 100644
>> --- a/drivers/gpu/drm/drm_mode_config.c
>> +++ b/drivers/gpu/drm/drm_mode_config.c
>> @@ -583,10 +583,13 @@ void drm_mode_config_cleanup(struct drm_device *dev)
>> */
>> WARN_ON(!list_empty(&dev->mode_config.fb_list));
>> list_for_each_entry_safe(fb, fbt, &dev->mode_config.fb_list, head) {
>> -struct drm_printer p = drm_dbg_printer(dev, DRM_UT_KMS, "[leaked fb]");
>> +if (list_empty(&fb->filp_head) || drm_framebuffer_read_refcount(fb) > 1) {
>> +struct drm_printer p = drm_dbg_printer(dev, DRM_UT_KMS, "[leaked fb]");
>
> This is also wrong:
>
> - Firstly, it's a completely independent bug, we do not smash two bugfixes
> into one patch.
>
> - Secondly, it's again a driver bug: drm_mode_cleanup must be called when
> the last drm_device reference disappears (hence the existence of
> drmm_mode_config_init), not when the driver gets unbound. The fact that
> this shows up in a callchain from a devres cleanup means the intel
> driver gets this wrong (like almost everyone else because historically
> we didn't know better).
>
> If we don't follow this rule, then we get races with this code here
> running concurrently with drm_file fb cleanups, which just does not
> work. Review pointed that out, but then shrugged it off with a confused
> explanation:
>
> https://lore.kernel.org/all/e61e64c796ccfb17ae673331a3df4b877bf42d82.camel@linux.intel.com/
>
> Yes this also means a lot of the other drm_device teardown that drivers
> do happens way too early. There is a massive can of worms here of a
> magnitude that most likely is much, much bigger than what you can
> backport to stable kernels. Hotunplug is _hard_.
Back to the drawing board, and fixing it in the intel display driver
instead.
Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Fixes: 6bee098b9141 ("drm: Fix use-after-free on framebuffers and property blobs when calling drm_dev_unplug")
Reported-by: Guenter Roeck <linux@roeck-us.net>
Tested-by: Guenter Roeck <linux@roeck-us.net>
Acked-by: Simona Vetter <simona.vetter@ffwll.ch>
Signed-off-by: Maarten Lankhorst <dev@lankhorst.se>
Link: https://patch.msgid.link/20260326082217.39941-2-dev@lankhorst.se
[ Thorsten: adjust to the v6.6.y/v6.6.y backports of 6bee098b9141 ]
Signed-off-by: Thorsten Leemhuis <linux@leemhuis.info>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/drm_file.c | 5 +----
drivers/gpu/drm/drm_mode_config.c | 9 +++------
2 files changed, 4 insertions(+), 10 deletions(-)
diff --git a/drivers/gpu/drm/drm_file.c b/drivers/gpu/drm/drm_file.c
index 3722c796e632f..d6a0572984b54 100644
--- a/drivers/gpu/drm/drm_file.c
+++ b/drivers/gpu/drm/drm_file.c
@@ -239,7 +239,6 @@ static void drm_events_release(struct drm_file *file_priv)
void drm_file_free(struct drm_file *file)
{
struct drm_device *dev;
- int idx;
if (!file)
return;
@@ -265,11 +264,9 @@ void drm_file_free(struct drm_file *file)
drm_events_release(file);
- if (drm_core_check_feature(dev, DRIVER_MODESET) &&
- drm_dev_enter(dev, &idx)) {
+ if (drm_core_check_feature(dev, DRIVER_MODESET)) {
drm_fb_release(file);
drm_property_destroy_user_blobs(dev, file);
- drm_dev_exit(idx);
}
if (drm_core_check_feature(dev, DRIVER_SYNCOBJ))
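Review bot: dropping the drm_dev_enter()/drm_dev_exit() pair around drm_fb_release() and drm_property_destroy_user_blobs() restores the behaviour that the reverted commit's subject describes as a use-after-free on unplug. The changelog says the fix will move to the Intel display driver; please reference that replacement here once it exists, or say explicitly that the original problem is left open in this tree, so the revert is not read as closing the issue.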
diff --git a/drivers/gpu/drm/drm_mode_config.c b/drivers/gpu/drm/drm_mode_config.c
index 8c844bce4f28a..8525ef8515406 100644
--- a/drivers/gpu/drm/drm_mode_config.c
+++ b/drivers/gpu/drm/drm_mode_config.c
@@ -544,13 +544,10 @@ void drm_mode_config_cleanup(struct drm_device *dev)
*/
WARN_ON(!list_empty(&dev->mode_config.fb_list));
list_for_each_entry_safe(fb, fbt, &dev->mode_config.fb_list, head) {
- if (list_empty(&fb->filp_head) || drm_framebuffer_read_refcount(fb) > 1) {
- struct drm_printer p = drm_debug_printer("[leaked fb]");
+ struct drm_printer p = drm_debug_printer("[leaked fb]");
- drm_printf(&p, "framebuffer[%u]:\n", fb->base.id);
- drm_framebuffer_print_info(&p, 1, fb);
- }
- list_del_init(&fb->filp_head);
+ drm_printf(&p, "framebuffer[%u]:\n", fb->base.id);
+ drm_framebuffer_print_info(&p, 1, fb);
drm_framebuffer_free(&fb->base.refcount);
}
--
2.53.0
* [PATCH 6.1 053/969] netfilter: conntrack: add missing netlink policy validations
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (51 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 052/969] Revert "drm: Fix use-after-free on framebuffers and property blobs when calling drm_dev_unplug" Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 054/969] ALSA: usb-audio: Improve Focusrite sample rate filtering Greg Kroah-Hartman
` (922 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hyunwoo Kim, Florian Westphal,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit f900e1d77ee0ef87bfb5ab3fe60f0b3d8ad5ba05 ]
Hyunwoo Kim reports out-of-bounds access in sctp and ctnetlink.
These attributes are used by the kernel without any validation.
Extend the netlink policies accordingly.
Quoting the reporter:
nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE
value directly to ct->proto.sctp.state without checking that it is
within the valid range. [..]
and: ... with exp->dir = 100, the access at
ct->master->tuplehash[100] reads 5600 bytes past the start of a
320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by
UBSAN.
Fixes: 076a0ca02644 ("netfilter: ctnetlink: add NAT support for expectations")
Fixes: a258860e01b8 ("netfilter: ctnetlink: add full support for SCTP to ctnetlink")
Reported-by: Hyunwoo Kim <imv4bel@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_conntrack_netlink.c | 2 +-
net/netfilter/nf_conntrack_proto_sctp.c | 3 ++-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 89cec02de68ba..bcbd77608365a 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -3458,7 +3458,7 @@ ctnetlink_change_expect(struct nf_conntrack_expect *x,
#if IS_ENABLED(CONFIG_NF_NAT)
static const struct nla_policy exp_nat_nla_policy[CTA_EXPECT_NAT_MAX+1] = {
- [CTA_EXPECT_NAT_DIR] = { .type = NLA_U32 },
+ [CTA_EXPECT_NAT_DIR] = NLA_POLICY_MAX(NLA_BE32, IP_CT_DIR_REPLY),
[CTA_EXPECT_NAT_TUPLE] = { .type = NLA_NESTED },
};
#endif
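Review bot: the CTA_EXPECT_NAT_DIR entry changes type from NLA_U32 to NLA_BE32 as well as gaining the IP_CT_DIR_REPLY maximum, and the changelog mentions only the missing validation. Please say in the commit message that the type changes and why the bound has to be evaluated on a big-endian value, and confirm for this backport that the 6.1.y policy code range-checks NLA_BE32.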
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 7ffd698497f2a..90458799324ec 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -600,7 +600,8 @@ static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
}
static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = {
- [CTA_PROTOINFO_SCTP_STATE] = { .type = NLA_U8 },
+ [CTA_PROTOINFO_SCTP_STATE] = NLA_POLICY_MAX(NLA_U8,
+ SCTP_CONNTRACK_HEARTBEAT_SENT),
[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] = { .type = NLA_U32 },
[CTA_PROTOINFO_SCTP_VTAG_REPLY] = { .type = NLA_U32 },
};
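Review bot: The new bound for CTA_PROTOINFO_SCTP_STATE names the currently last state, SCTP_CONNTRACK_HEARTBEAT_SENT, so it goes stale silently if a state is ever appended to the enum. If the enum has a terminating count value, express the limit relative to it, or add a comment here that the policy must track the enum, so the policy and the state table cannot drift apart.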
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 054/969] ALSA: usb-audio: Improve Focusrite sample rate filtering
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (52 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 053/969] netfilter: conntrack: add missing netlink policy validations Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-31 15:13 ` Geoffrey D. Bennett
2026-05-30 15:52 ` [PATCH 6.1 055/969] drm/i915/psr: Do not use pipe_src as borders for SU area Greg Kroah-Hartman
` (921 subsequent siblings)
975 siblings, 1 reply; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geoffrey D. Bennett, Takashi Iwai,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geoffrey D. Bennett <g@b4.vu>
[ Upstream commit 24d2d3c5f94007a5a0554065ab7349bb69e28bcb ]
Replace the bLength == 10 max_rate check in
focusrite_valid_sample_rate() with filtering that also examines the
bmControls VAL_ALT_SETTINGS bit.
When VAL_ALT_SETTINGS is readable, the device uses strict
per-altsetting rate filtering (only the highest rate pair for that
altsetting is valid). When it is not readable, all rates up to
max_rate are valid.
For devices without the bLength == 10 Format Type descriptor extension
but with VAL_ALT_SETTINGS readable and multiple altsettings (only seen
in Scarlett 18i8 3rd Gen playback), fall back to the Focusrite
convention: alt 1 = 48kHz, alt 2 = 96kHz, alt 3 = 192kHz.
This produces correct rate tables for all tested Focusrite devices
(all Scarlett 2nd, 3rd, and 4th Gen, Clarett+, and Vocaster) using
only USB descriptors, allowing QUIRK_FLAG_VALIDATE_RATES to be removed
for Focusrite in the next commit.
Signed-off-by: Geoffrey D. Bennett <g@b4.vu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/7e18c1f393a6ecb6fc75dd867a2c4dbe135e3e22.1771594828.git.g@b4.vu
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/format.c | 86 +++++++++++++++++++++++++++++++++++++++-------
1 file changed, 74 insertions(+), 12 deletions(-)
diff --git a/sound/usb/format.c b/sound/usb/format.c
index f33d25a4e4cc7..682adbdf7ee79 100644
--- a/sound/usb/format.c
+++ b/sound/usb/format.c
@@ -304,9 +304,37 @@ static bool s1810c_valid_sample_rate(struct audioformat *fp,
}
/*
- * Many Focusrite devices supports a limited set of sampling rates per
- * altsetting. Maximum rate is exposed in the last 4 bytes of Format Type
- * descriptor which has a non-standard bLength = 10.
+ * Focusrite devices use rate pairs: 44100/48000, 88200/96000, and
+ * 176400/192000. Return true if rate is in the pair for max_rate.
+ */
+static bool focusrite_rate_pair(unsigned int rate,
+ unsigned int max_rate)
+{
+ switch (max_rate) {
+ case 48000: return rate == 44100 || rate == 48000;
+ case 96000: return rate == 88200 || rate == 96000;
+ case 192000: return rate == 176400 || rate == 192000;
+ default: return true;
+ }
+}
+
+/*
+ * Focusrite devices report all supported rates in a single clock
+ * source but only a subset is valid per altsetting.
+ *
+ * Detection uses two descriptor features:
+ *
+ * 1. Format Type descriptor bLength == 10: non-standard extension
+ * with max sample rate in bytes 6..9.
+ *
+ * 2. bmControls VAL_ALT_SETTINGS readable bit: when set, the device
+ * only supports the highest rate pair for that altsetting, and when
+ * clear, all rates up to max_rate are valid.
+ *
+ * For devices without the bLength == 10 extension but with
+ * VAL_ALT_SETTINGS readable and multiple altsettings (only seen in
+ * Scarlett 18i8 3rd Gen playback), fall back to the Focusrite
+ * convention: alt 1 = 48kHz, alt 2 = 96kHz, alt 3 = 192kHz.
*/
static bool focusrite_valid_sample_rate(struct snd_usb_audio *chip,
struct audioformat *fp,
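Review bot: The comment above focusrite_rate_pair() says it returns true if rate is in the pair for max_rate, but the default: arm returns true for every rate whenever max_rate is not 48000, 96000 or 192000. Either document that an unknown max_rate disables filtering, or have the helper reject it and let the caller decide, so the permissive case is a visible choice rather than a side effect of the switch.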
@@ -314,8 +342,10 @@ static bool focusrite_valid_sample_rate(struct snd_usb_audio *chip,
{
struct usb_interface *iface;
struct usb_host_interface *alts;
+ struct uac2_as_header_descriptor *as;
unsigned char *fmt;
unsigned int max_rate;
+ bool val_alt;
iface = usb_ifnum_to_if(chip->dev, fp->iface);
if (!iface)
@@ -327,26 +357,58 @@ static bool focusrite_valid_sample_rate(struct snd_usb_audio *chip,
if (!fmt)
return true;
+ as = snd_usb_find_csint_desc(alts->extra, alts->extralen,
+ NULL, UAC_AS_GENERAL);
+ if (!as)
+ return true;
+
+ val_alt = uac_v2v3_control_is_readable(as->bmControls,
+ UAC2_AS_VAL_ALT_SETTINGS);
+
if (fmt[0] == 10) { /* bLength */
max_rate = combine_quad(&fmt[6]);
- /* Validate max rate */
- if (max_rate != 48000 &&
- max_rate != 96000 &&
- max_rate != 192000 &&
- max_rate != 384000) {
-
+ if (val_alt)
+ return focusrite_rate_pair(rate, max_rate);
+
+ /* No val_alt: rates fall through from higher */
+ switch (max_rate) {
+ case 192000:
+ if (rate == 176400 || rate == 192000)
+ return true;
+ fallthrough;
+ case 96000:
+ if (rate == 88200 || rate == 96000)
+ return true;
+ fallthrough;
+ case 48000:
+ return (rate == 44100 || rate == 48000);
+ default:
usb_audio_info(chip,
"%u:%d : unexpected max rate: %u\n",
fp->iface, fp->altsetting, max_rate);
-
return true;
}
+ }
- return rate <= max_rate;
+ if (!val_alt)
+ return true;
+
+ /* Multi-altsetting device with val_alt but no max_rate
+ * in the format descriptor. Use Focusrite convention:
+ * alt 1 = 48kHz, alt 2 = 96kHz, alt 3 = 192kHz.
+ */
+ if (iface->num_altsetting <= 2)
+ return true;
+
+ switch (fp->altsetting) {
+ case 1: max_rate = 48000; break;
+ case 2: max_rate = 96000; break;
+ case 3: max_rate = 192000; break;
+ default: return true;
}
- return true;
+ return focusrite_rate_pair(rate, max_rate);
}
/*
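Review bot: as->bmControls is read straight after snd_usb_find_csint_desc() returns, with only a NULL check, and nothing in this hunk confirms that the device-supplied UAC_AS_GENERAL descriptor is long enough to be a struct uac2_as_header_descriptor. If that is validated elsewhere, a one-line comment saying so would help; otherwise check as->bLength >= sizeof(*as) and return true when it is short. Separately, the removed code accepted max_rate == 384000 and applied rate <= max_rate, whereas the new switch sends 384000 to the default: arm, where it is logged as unexpected and every rate is accepted; the changelog should say whether that change is intended.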
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 055/969] drm/i915/psr: Do not use pipe_src as borders for SU area
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (53 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 054/969] ALSA: usb-audio: Improve Focusrite sample rate filtering Greg Kroah-Hartman
@ 2026-05-30 15:52 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 056/969] nfc: llcp: add missing return after LLCP_CLOSED checks Greg Kroah-Hartman
` (920 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jouni Högander, Mika Kahola,
Joonas Lahtinen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jouni Högander <jouni.hogander@intel.com>
[ Upstream commit 75519f5df2a9b23f7bf305e12dc9a6e3e65c24b7 ]
Thus far using crtc_state->pipe_src as borders for Selective Update area
hasn't caused visible problems as drm_rect_width(crtc_state->pipe_src) ==
crtc_state->hw.adjusted_mode.crtc_hdisplay and
drm_rect_height(crtc_state->pipe_src) ==
crtc_state->hw.adjusted_mode.crtc_vdisplay when pipe scaling is not
used. On the other hand, using pipe scaling is forcing full frame updates and all the
Selective Update area calculations are skipped. Now this improper usage of
crtc_state->pipe_src is causing the following warnings:
<4> [7771.978166] xe 0000:00:02.0: [drm] drm_WARN_ON_ONCE(su_lines % vdsc_cfg->slice_height)
after WARN_ON_ONCE was added by commit:
"drm/i915/dsc: Add helper for writing DSC Selective Update ET parameters"
These warnings are seen when DSC and pipe scaling are enabled
simultaneously. This is because on full frame update SU area is improperly
set as pipe_src which is not aligned with DSC slice height.
Fix these by creating local rectangle using
crtc_state->hw.adjusted_mode.crtc_hdisplay and
crtc_state->hw.adjusted_mode.crtc_vdisplay. Use this local rectangle as
borders for SU area.
Fixes: d6774b8c3c58 ("drm/i915: Ensure damage clip area is within pipe area")
Cc: <stable@vger.kernel.org> # v6.0+
Signed-off-by: Jouni Högander <jouni.hogander@intel.com>
Reviewed-by: Mika Kahola <mika.kahola@intel.com>
Link: https://patch.msgid.link/20260327114553.195285-1-jouni.hogander@intel.com
(cherry picked from commit da0cdc1c329dd2ff09c41fbbe9fbd9c92c5d2c6e)
Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
[ omitted hunks for DSC selective update ET alignment infrastructure ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/i915/display/intel_psr.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/i915/display/intel_psr.c b/drivers/gpu/drm/i915/display/intel_psr.c
index e2d7c0a6802aa..a465b19293108 100644
--- a/drivers/gpu/drm/i915/display/intel_psr.c
+++ b/drivers/gpu/drm/i915/display/intel_psr.c
@@ -1686,9 +1686,9 @@ static void psr2_man_trk_ctl_calc(struct intel_crtc_state *crtc_state,
static void clip_area_update(struct drm_rect *overlap_damage_area,
struct drm_rect *damage_area,
- struct drm_rect *pipe_src)
+ struct drm_rect *display_area)
{
- if (!drm_rect_intersect(damage_area, pipe_src))
+ if (!drm_rect_intersect(damage_area, display_area))
return;
if (overlap_damage_area->y1 == -1) {
@@ -1761,6 +1761,12 @@ int intel_psr2_sel_fetch_update(struct intel_atomic_state *state,
struct drm_rect pipe_clip = { .x1 = 0, .y1 = -1, .x2 = INT_MAX, .y2 = -1 };
struct intel_plane_state *new_plane_state, *old_plane_state;
struct intel_plane *plane;
+ struct drm_rect display_area = {
+ .x1 = 0,
+ .y1 = 0,
+ .x2 = crtc_state->hw.adjusted_mode.crtc_hdisplay,
+ .y2 = crtc_state->hw.adjusted_mode.crtc_vdisplay,
+ };
bool full_update = false;
int i, ret;
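Review bot: display_area is filled in once at its declaration and afterwards only passed as the clip border, so it can be declared const here, with the clip_area_update() parameter changed to const struct drm_rect * to match. That makes it explicit at the call sites that only damaged_area is adjusted by the intersection.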
@@ -1807,14 +1813,14 @@ int intel_psr2_sel_fetch_update(struct intel_atomic_state *state,
damaged_area.y1 = old_plane_state->uapi.dst.y1;
damaged_area.y2 = old_plane_state->uapi.dst.y2;
clip_area_update(&pipe_clip, &damaged_area,
- &crtc_state->pipe_src);
+ &display_area);
}
if (new_plane_state->uapi.visible) {
damaged_area.y1 = new_plane_state->uapi.dst.y1;
damaged_area.y2 = new_plane_state->uapi.dst.y2;
clip_area_update(&pipe_clip, &damaged_area,
- &crtc_state->pipe_src);
+ &display_area);
}
continue;
} else if (new_plane_state->uapi.alpha != old_plane_state->uapi.alpha) {
@@ -1822,7 +1828,7 @@ int intel_psr2_sel_fetch_update(struct intel_atomic_state *state,
damaged_area.y1 = new_plane_state->uapi.dst.y1;
damaged_area.y2 = new_plane_state->uapi.dst.y2;
clip_area_update(&pipe_clip, &damaged_area,
- &crtc_state->pipe_src);
+ &display_area);
continue;
}
@@ -1838,7 +1844,7 @@ int intel_psr2_sel_fetch_update(struct intel_atomic_state *state,
damaged_area.x1 += new_plane_state->uapi.dst.x1 - src.x1;
damaged_area.x2 += new_plane_state->uapi.dst.x1 - src.x1;
- clip_area_update(&pipe_clip, &damaged_area, &crtc_state->pipe_src);
+ clip_area_update(&pipe_clip, &damaged_area, &display_area);
}
/*
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 056/969] nfc: llcp: add missing return after LLCP_CLOSED checks
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (54 preceding siblings ...)
2026-05-30 15:52 ` [PATCH 6.1 055/969] drm/i915/psr: Do not use pipe_src as borders for SU area Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 057/969] can: raw: fix ro->uniq use-after-free in raw_rcv() Greg Kroah-Hartman
` (919 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Junxi Qian, Eric Dumazet,
Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junxi Qian <qjx1298677004@gmail.com>
commit 2b5dd4632966c39da6ba74dbc8689b309065e82c upstream.
In nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc(), when the socket
state is LLCP_CLOSED, the code correctly calls release_sock() and
nfc_llcp_sock_put() but fails to return. Execution falls through to
the remainder of the function, which calls release_sock() and
nfc_llcp_sock_put() again. This results in a double release_sock()
and a refcount underflow via double nfc_llcp_sock_put(), leading to
a use-after-free.
Add the missing return statements after the LLCP_CLOSED branches
in both functions to prevent the fall-through.
Fixes: d646960f7986 ("NFC: Initial LLCP support")
Signed-off-by: Junxi Qian <qjx1298677004@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260408081006.3723-1-qjx1298677004@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/nfc/llcp_core.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -1089,6 +1089,7 @@ static void nfc_llcp_recv_hdlc(struct nf
if (sk->sk_state == LLCP_CLOSED) {
release_sock(sk);
nfc_llcp_sock_put(llcp_sock);
+ return;
}
/* Pass the payload upstream */
@@ -1180,6 +1181,7 @@ static void nfc_llcp_recv_disc(struct nf
if (sk->sk_state == LLCP_CLOSED) {
release_sock(sk);
nfc_llcp_sock_put(llcp_sock);
+ return;
}
if (sk->sk_state == LLCP_CONNECTED) {
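Review bot: The added return; in the LLCP_CLOSED branch of nfc_llcp_recv_disc(), like the matching one in nfc_llcp_recv_hdlc(), stops the double release, but each early exit still open-codes release_sock() followed by nfc_llcp_sock_put(). Since the changelog says the tail of each function performs the same pair, consider routing these branches to a single unlock-and-put exit label so a future early exit cannot forget one half or repeat it.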
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 057/969] can: raw: fix ro->uniq use-after-free in raw_rcv()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (55 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 056/969] nfc: llcp: add missing return after LLCP_CLOSED checks Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 058/969] i2c: s3c24xx: check the size of the SMBUS message before using it Greg Kroah-Hartman
` (918 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Samuel Page, Oliver Hartkopp,
Marc Kleine-Budde
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Samuel Page <sam@bynar.io>
commit a535a9217ca3f2fccedaafb2fddb4c48f27d36dc upstream.
raw_release() unregisters raw CAN receive filters via can_rx_unregister(),
but receiver deletion is deferred with call_rcu(). This leaves a window
where raw_rcv() may still be running in an RCU read-side critical section
after raw_release() frees ro->uniq, leading to a use-after-free of the
percpu uniq storage.
Move free_percpu(ro->uniq) out of raw_release() and into a raw-specific
socket destructor. can_rx_unregister() takes an extra reference to the
socket and only drops it from the RCU callback, so freeing uniq from
sk_destruct ensures the percpu area is not released until the relevant
callbacks have drained.
Fixes: 514ac99c64b2 ("can: fix multiple delivery of a single CAN frame for overlapping CAN filters")
Cc: stable@vger.kernel.org # v4.1+
Assisted-by: Bynario AI
Signed-off-by: Samuel Page <sam@bynar.io>
Link: https://patch.msgid.link/26ec626d-cae7-4418-9782-7198864d070c@bynar.io
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
[mkl: applied manually]
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/can/raw.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
--- a/net/can/raw.c
+++ b/net/can/raw.c
@@ -336,6 +336,14 @@ static int raw_notifier(struct notifier_
return NOTIFY_DONE;
}
+static void raw_sock_destruct(struct sock *sk)
+{
+ struct raw_sock *ro = raw_sk(sk);
+
+ free_percpu(ro->uniq);
+ can_sock_destruct(sk);
+}
+
static int raw_init(struct sock *sk)
{
struct raw_sock *ro = raw_sk(sk);
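Review bot: raw_sock_destruct() has no comment explaining why free_percpu(ro->uniq) lives in the destructor rather than in raw_release(). A short note that raw_rcv() may still be running under RCU after release, and that the socket reference dropped from the RCU callback is what makes this the safe point, would stop someone from moving the free back.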
@@ -362,6 +370,8 @@ static int raw_init(struct sock *sk)
if (unlikely(!ro->uniq))
return -ENOMEM;
+ sk->sk_destruct = raw_sock_destruct;
+
/* set notifier */
spin_lock(&raw_notifier_lock);
list_add_tail(&ro->notifier, &raw_notifier_list);
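Review bot: sk->sk_destruct = raw_sock_destruct; replaces whatever destructor was installed before raw_init() ran, and raw_sock_destruct() hard-codes the chain to can_sock_destruct(). Please confirm that can_sock_destruct() is always the previous value at this point and note that assumption in a comment next to the assignment.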
@@ -409,7 +419,6 @@ static int raw_release(struct socket *so
ro->bound = 0;
ro->dev = NULL;
ro->count = 0;
- free_percpu(ro->uniq);
sock_orphan(sk);
sock->sk = NULL;
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 058/969] i2c: s3c24xx: check the size of the SMBUS message before using it
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (56 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 057/969] can: raw: fix ro->uniq use-after-free in raw_rcv() Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 059/969] staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify() Greg Kroah-Hartman
` (917 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Alim Akhtar,
Andi Shyti, stable
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit c0128c7157d639a931353ea344fb44aad6d6e17a upstream.
The first byte of an i2c SMBUS message is the size, and it should be
verified to ensure that it is in the range of 0..I2C_SMBUS_BLOCK_MAX
before processing it.
This is the same logic that was added in commit a6e04f05ce0b ("i2c:
tegra: check msg length in SMBUS block read") to the i2c tegra driver.
Cc: Krzysztof Kozlowski <krzk@kernel.org>
Cc: Alim Akhtar <alim.akhtar@samsung.com>
Cc: Andi Shyti <andi.shyti@kernel.org>
Cc: stable <stable@kernel.org>
Assisted-by: gkh_clanker_2000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/2026022314-rely-scrubbed-4839@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/busses/i2c-s3c2410.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/i2c/busses/i2c-s3c2410.c
+++ b/drivers/i2c/busses/i2c-s3c2410.c
@@ -508,8 +508,13 @@ static int i2c_s3c_irq_nextbyte(struct s
i2c->msg->buf[i2c->msg_ptr++] = byte;
/* Add actual length to read for smbus block read */
- if (i2c->msg->flags & I2C_M_RECV_LEN && i2c->msg->len == 1)
+ if (i2c->msg->flags & I2C_M_RECV_LEN && i2c->msg->len == 1) {
+ if (byte == 0 || byte > I2C_SMBUS_BLOCK_MAX) {
+ s3c24xx_i2c_stop(i2c, -EPROTO);
+ break;
+ }
i2c->msg->len += byte;
+ }
prepare_read:
if (is_msglast(i2c)) {
/* last byte of buffer */
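Review bot: The new check rejects byte == 0, while the changelog describes the valid range as 0..I2C_SMBUS_BLOCK_MAX. One of the two needs adjusting: either say in the commit message that a zero-length block is treated as a protocol error in this driver, or drop the byte == 0 test. The length byte has also already been stored in i2c->msg->buf by the line above the check, which is harmless but worth a word in the comment so the error path is not misread.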
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 059/969] staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (57 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 058/969] i2c: s3c24xx: check the size of the SMBUS message before using it Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 060/969] HID: alps: fix NULL pointer dereference in alps_raw_event() Greg Kroah-Hartman
` (916 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Dan Carpenter, Lin YuChen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lin YuChen <starpt.official@gmail.com>
commit 8c964b82a4e97ec7f25e17b803ee196009b38a57 upstream.
Initialize le_tmp64 to zero in rtw_BIP_verify() to prevent using
uninitialized data.
Smatch warns that only 6 bytes are copied to this 8-byte (u64)
variable, leaving the last two bytes uninitialized:
drivers/staging/rtl8723bs/core/rtw_security.c:1308 rtw_BIP_verify()
warn: not copying enough bytes for '&le_tmp64' (8 vs 6 bytes)
Initializing the variable at the start of the function fixes this
warning and ensures predictable behavior.
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable <stable@kernel.org>
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/linux-staging/abvwIQh0CHTp4wNJ@stanley.mountain/
Signed-off-by: Lin YuChen <starpt.official@gmail.com>
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://patch.msgid.link/20260320172502.167332-1-starpt.official@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/rtl8723bs/core/rtw_security.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/staging/rtl8723bs/core/rtw_security.c
+++ b/drivers/staging/rtl8723bs/core/rtw_security.c
@@ -1364,7 +1364,7 @@ u32 rtw_BIP_verify(struct adapter *padap
u8 mic[16];
struct mlme_ext_priv *pmlmeext = &padapter->mlmeextpriv;
__le16 le_tmp;
- __le64 le_tmp64;
+ __le64 le_tmp64 = 0;
ori_len = pattrib->pkt_len-WLAN_HDR_A3_LEN+BIP_AAD_SIZE;
BIP_AAD = rtw_zmalloc(ori_len);
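Review bot: The = 0 initialiser on le_tmp64 only makes sense together with the 6-byte copy that the Smatch warning in the changelog refers to, and that copy is outside this hunk. A brief comment at the declaration saying the remaining two bytes must stay zero would keep the initialiser from being removed later as redundant.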
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 060/969] HID: alps: fix NULL pointer dereference in alps_raw_event()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (58 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 059/969] staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify() Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 061/969] HID: core: clamp report_size in s32ton() to avoid undefined shift Greg Kroah-Hartman
` (915 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Jiri Kosina,
Benjamin Tissoires, Masaki Ota, linux-input, Jiri Kosina
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 1badfc4319224820d5d890f8eab6aa52e4e83339 upstream.
Commit ecfa6f34492c ("HID: Add HID_CLAIMED_INPUT guards in raw_event
callbacks missing them") attempted to fix up the HID drivers that had
missed the previous fix that was done in 2ff5baa9b527 ("HID: appleir:
Fix potential NULL dereference at raw event handle"), but the alps
driver was missed.
Fix this up by properly checking in the hid-alps driver that it had been
claimed correctly before attempting to process the raw event.
Fixes: 73196ebe134d ("HID: alps: add support for Alps T4 Touchpad device")
Cc: stable <stable@kernel.org>
Cc: Jiri Kosina <jikos@kernel.org>
Cc: Benjamin Tissoires <bentiss@kernel.org>
Cc: Masaki Ota <masaki.ota@jp.alps.com>
Cc: linux-input@vger.kernel.org
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/hid-alps.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/hid/hid-alps.c
+++ b/drivers/hid/hid-alps.c
@@ -437,6 +437,9 @@ static int alps_raw_event(struct hid_dev
int ret = 0;
struct alps_dev *hdata = hid_get_drvdata(hdev);
+ if (!(hdev->claimed & HID_CLAIMED_INPUT) || !hdata->input)
+ return 0;
+
switch (hdev->product) {
case HID_PRODUCT_ID_T4_BTNLESS:
ret = t4_raw_event(hdata, data, size);
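Review bot: The new guard tests two things, !(hdev->claimed & HID_CLAIMED_INPUT) and !hdata->input, but the changelog only describes the claimed check. Please mention when hdata->input can be NULL here, and confirm that hdata itself cannot be NULL, since it is dereferenced in the same condition directly after hid_get_drvdata().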
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 061/969] HID: core: clamp report_size in s32ton() to avoid undefined shift
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (59 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 060/969] HID: alps: fix NULL pointer dereference in alps_raw_event() Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 062/969] net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete() Greg Kroah-Hartman
` (914 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Jiri Kosina,
Benjamin Tissoires, linux-input, Jiri Kosina
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 69c02ffde6ed4d535fa4e693a9e572729cad3d0d upstream.
s32ton() shifts by n-1 where n is the field's report_size, a value that
comes directly from a HID device. The HID parser bounds report_size
only to <= 256, so a broken HID device can supply a report descriptor
with a wide field that triggers shift exponents up to 256 on a 32-bit
type when an output report is built via hid_output_field() or
hid_set_field().
Commit ec61b41918587 ("HID: core: fix shift-out-of-bounds in
hid_report_raw_event") added the same n > 32 clamp to the function
snto32(), but s32ton() was never given the same fix as I guess syzbot
hadn't figured out how to fuzz a device the same way.
Fix this up by just clamping the max value of n, just like snto32()
does.
Cc: stable <stable@kernel.org>
Cc: Jiri Kosina <jikos@kernel.org>
Cc: Benjamin Tissoires <bentiss@kernel.org>
Cc: linux-input@vger.kernel.org
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/hid-core.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -1358,6 +1358,9 @@ static u32 s32ton(__s32 value, unsigned
if (!value || !n)
return 0;
+ if (n > 32)
+ n = 32;
+
a = value >> (n - 1);
if (a && a != -1)
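Review bot: The clamp if (n > 32) n = 32; is silent, so a report descriptor with an oversized report_size is accepted and the value is encoded as if the field were 32 bits wide. A comment stating that n is device-controlled and that the clamp mirrors snto32() would document this; it is also worth deciding whether such a field should be rejected when the descriptor is parsed rather than clamped at each use.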
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 062/969] net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (60 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 061/969] HID: core: clamp report_size in s32ton() to avoid undefined shift Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 063/969] NFC: digital: Bounds check NFC-A cascade depth in SDD response handler Greg Kroah-Hartman
` (913 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrew Lunn, David S. Miller,
Eric Dumazet, Jakub Kicinski, Paolo Abeni, stable
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 600dc40554dc5ad1e6f3af51f700228033f43ea7 upstream.
A malicious USB device claiming to be a CDC Phonet modem can overflow
the skb_shared_info->frags[] array by sending an unbounded sequence of
full-page bulk transfers.
Drop the skb and increment the length error when the frag limit is
reached. This matches the same fix that commit f0813bcd2d9d ("net:
wwan: t7xx: fix potential skb->frags overflow in RX path") did for the
t7xx driver.
Cc: Andrew Lunn <andrew+netdev@lunn.ch>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: stable <stable@kernel.org>
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2026041134-dreamboat-buddhism-d1ec@gregkh
Fixes: 87cf65601e17 ("USB host CDC Phonet network interface driver")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/cdc-phonet.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/net/usb/cdc-phonet.c
+++ b/drivers/net/usb/cdc-phonet.c
@@ -157,11 +157,16 @@ static void rx_complete(struct urb *req)
PAGE_SIZE);
page = NULL;
}
- } else {
+ } else if (skb_shinfo(skb)->nr_frags < MAX_SKB_FRAGS) {
skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags,
page, 0, req->actual_length,
PAGE_SIZE);
page = NULL;
+ } else {
+ dev_kfree_skb_any(skb);
+ pnd->rx_skb = NULL;
+ skb = NULL;
+ dev->stats.rx_length_errors++;
}
if (req->actual_length < PAGE_SIZE)
pnd->rx_skb = NULL; /* Last fragment */
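Review bot: In the new drop branch, skb and pnd->rx_skb are cleared but page is left set, unlike the two branches above it, which hand the page to the skb and then set page = NULL. Please confirm that the code after this hunk releases a non-NULL page on this path and add a comment to that effect. It would also help to state in the changelog what happens to the remaining full-page transfers of the same oversized packet once rx_skb is NULL.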
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 063/969] NFC: digital: Bounds check NFC-A cascade depth in SDD response handler
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (61 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 062/969] net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete() Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 064/969] drm/vc4: platform_get_irq_byname() returns an int Greg Kroah-Hartman
` (912 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Simon Horman, Kees Cook,
Thierry Escande, Samuel Ortiz, stable, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 46ce8be2ced389bccd84bcc04a12cf2f4d0c22d1 upstream.
The NFC-A anti-collision cascade in digital_in_recv_sdd_res() appends 3
or 4 bytes to target->nfcid1 on each round, but the number of cascade
rounds is controlled entirely by the peer device. The peer sets the
cascade tag in the SDD_RES (deciding 3 vs 4 bytes) and the
cascade-incomplete bit in the SEL_RES (deciding whether another round
follows).
ISO 14443-3 limits NFC-A to three cascade levels and target->nfcid1 is
sized accordingly (NFC_NFCID1_MAXSIZE = 10), but nothing in the driver
actually enforces this. This means a malicious peer can keep the
cascade running, writing past the heap-allocated nfc_target with each
round.
Fix this by rejecting the response when the accumulated UID would exceed
the buffer.
Commit e329e71013c9 ("NFC: nci: Bounds check struct nfc_target arrays")
fixed similar missing checks against the same field on the NCI path.
Cc: Simon Horman <horms@kernel.org>
Cc: Kees Cook <kees@kernel.org>
Cc: Thierry Escande <thierry.escande@linux.intel.com>
Cc: Samuel Ortiz <sameo@linux.intel.com>
Fixes: 2c66daecc409 ("NFC Digital: Add NFC-A technology support")
Cc: stable <stable@kernel.org>
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2026040913-figure-seducing-bd3f@gregkh
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/nfc/digital_technology.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/net/nfc/digital_technology.c
+++ b/net/nfc/digital_technology.c
@@ -424,6 +424,12 @@ static void digital_in_recv_sdd_res(stru
size = 4;
}
+ if (target->nfcid1_len + size > NFC_NFCID1_MAXSIZE) {
+ PROTOCOL_ERR("4.7.2.1");
+ rc = -EPROTO;
+ goto exit;
+ }
+
memcpy(target->nfcid1 + target->nfcid1_len, sdd_res->nfcid1 + offset,
size);
target->nfcid1_len += size;
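Review bot: PROTOCOL_ERR("4.7.2.1") is the only indication of which rule the new length check enforces, while the changelog cites the ISO 14443-3 three-level cascade limit instead. Please confirm the section number matches this check, or add a comment tying the test to NFC_NFCID1_MAXSIZE and the peer-controlled cascade rounds.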
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 064/969] drm/vc4: platform_get_irq_byname() returns an int
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (62 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 063/969] NFC: digital: Bounds check NFC-A cascade depth in SDD response handler Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 065/969] ALSA: fireworks: bound device-supplied status before string array lookup Greg Kroah-Hartman
` (911 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maxime Ripard, Dave Stevenson,
Maíra Canal, Raspberry Pi Kernel Maintenance,
Maarten Lankhorst, Thomas Zimmermann, David Airlie, Simona Vetter,
stable
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit e597a809a2b97e927060ba182f58eb3e6101bc70 upstream.
platform_get_irq_byname() will return a negative value if an error
happens, so it should be checked and not just passed directly into
devm_request_threaded_irq() hoping all will be ok.
Cc: Maxime Ripard <mripard@kernel.org>
Cc: Dave Stevenson <dave.stevenson@raspberrypi.com>
Cc: Maíra Canal <mcanal@igalia.com>
Cc: Raspberry Pi Kernel Maintenance <kernel-list@raspberrypi.com>
Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Cc: David Airlie <airlied@gmail.com>
Cc: Simona Vetter <simona@ffwll.ch>
Cc: stable <stable@kernel.org>
Assisted-by: gkh_clanker_2000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2026022339-cornflake-t-shirt-2471@gregkh
Signed-off-by: Maíra Canal <mcanal@igalia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/vc4/vc4_hdmi.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
--- a/drivers/gpu/drm/vc4/vc4_hdmi.c
+++ b/drivers/gpu/drm/vc4/vc4_hdmi.c
@@ -2614,17 +2614,23 @@ static int vc4_hdmi_hotplug_init(struct
int ret;
if (vc4_hdmi->variant->external_irq_controller) {
- unsigned int hpd_con = platform_get_irq_byname(pdev, "hpd-connected");
- unsigned int hpd_rm = platform_get_irq_byname(pdev, "hpd-removed");
+ int hpd = platform_get_irq_byname(pdev, "hpd-connected");
- ret = devm_request_threaded_irq(&pdev->dev, hpd_con,
+ if (hpd < 0)
+ return hpd;
+
+ ret = devm_request_threaded_irq(&pdev->dev, hpd,
NULL,
vc4_hdmi_hpd_irq_thread, IRQF_ONESHOT,
"vc4 hdmi hpd connected", vc4_hdmi);
if (ret)
return ret;
- ret = devm_request_threaded_irq(&pdev->dev, hpd_rm,
+ hpd = platform_get_irq_byname(pdev, "hpd-removed");
+ if (hpd < 0)
+ return hpd;
+
+ ret = devm_request_threaded_irq(&pdev->dev, hpd,
NULL,
vc4_hdmi_hpd_irq_thread, IRQF_ONESHOT,
"vc4 hdmi hpd disconnected", vc4_hdmi);
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 065/969] ALSA: fireworks: bound device-supplied status before string array lookup
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (63 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 064/969] drm/vc4: platform_get_irq_byname() returns an int Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 066/969] fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO Greg Kroah-Hartman
` (910 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Clemens Ladisch, Takashi Sakamoto,
Jaroslav Kysela, Takashi Iwai, stable, Takashi Iwai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 07704bbf36f57e4379e4cadf96410dab14621e3b upstream.
The status field in an EFW response is a 32-bit value supplied by the
firewire device. efr_status_names[] has 17 entries so a status value
outside that range goes off into the weeds when looking at the %s value.
Even worse, the status could return EFR_STATUS_INCOMPLETE which is
0x80000000, and is obviously not in that array of potential strings.
Fix this up by properly bounding the index against the array size and
printing "unknown" if it's not recognized.
Cc: Clemens Ladisch <clemens@ladisch.de>
Cc: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Cc: Jaroslav Kysela <perex@perex.cz>
Cc: Takashi Iwai <tiwai@suse.com>
Fixes: bde8a8f23bbe ("ALSA: fireworks: Add transaction and some commands")
Cc: stable <stable@kernel.org>
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Link: https://patch.msgid.link/2026040953-astute-camera-1aa1@gregkh
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/firewire/fireworks/fireworks_command.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/sound/firewire/fireworks/fireworks_command.c
+++ b/sound/firewire/fireworks/fireworks_command.c
@@ -151,10 +151,13 @@ efw_transaction(struct snd_efw *efw, uns
(be32_to_cpu(header->category) != category) ||
(be32_to_cpu(header->command) != command) ||
(be32_to_cpu(header->status) != EFR_STATUS_OK)) {
+ u32 st = be32_to_cpu(header->status);
+
dev_err(&efw->unit->device, "EFW command failed [%u/%u]: %s\n",
be32_to_cpu(header->category),
be32_to_cpu(header->command),
- efr_status_names[be32_to_cpu(header->status)]);
+ st < ARRAY_SIZE(efr_status_names) ?
+ efr_status_names[st] : "unknown");
err = -EIO;
goto end;
}
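Review bot: the "unknown" fallback in the dev_err() call drops the raw status value, so EFR_STATUS_INCOMPLETE (0x80000000 per the changelog) and every other out-of-range code look identical in the log. Printing st as well, for example with an extra %#x, keeps the diagnostic. The condition in the context lines above still calls be32_to_cpu(header->status) on its own; st could be computed once before the if and used in both places.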
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 066/969] fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (64 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 065/969] ALSA: fireworks: bound device-supplied status before string array lookup Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 067/969] usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb() Greg Kroah-Hartman
` (909 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Helge Deller, stable
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 8f98b81fe011e1879e6a7b1247e69e06a5e17af2 upstream.
Much like commit 19f953e74356 ("fbdev: fb_pm2fb: Avoid potential divide
by zero error"), we also need to prevent that same crash from happening
in the udlfb driver as it uses pixclock directly when dividing, which
will crash.
Cc: Helge Deller <deller@gmx.de>
Assisted-by: gregkh_clanker_t1000
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/video/fbdev/tdfxfb.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/video/fbdev/tdfxfb.c
+++ b/drivers/video/fbdev/tdfxfb.c
@@ -496,6 +496,9 @@ static int tdfxfb_check_var(struct fb_va
}
}
+ if (!var->pixclock)
+ return -EINVAL;
+
if (PICOS2KHZ(var->pixclock) > par->max_pixclock) {
DPRINTK("pixclock too high (%ldKHz)\n",
PICOS2KHZ(var->pixclock));
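Review bot: the changelog says the crash is in the udlfb driver, but the hunk is in tdfxfb_check_var() in drivers/video/fbdev/tdfxfb.c and the subject says tdfxfb; the commit message should name the driver that is actually patched. The !var->pixclock test itself sits in the right place, ahead of the first PICOS2KHZ(var->pixclock) use in the context lines that follow.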
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 067/969] usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (65 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 066/969] fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 068/969] usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete() Greg Kroah-Hartman
` (908 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 8f993d30b95dc9557a8a96ceca11abed674c8acb upstream.
The block_len read from the host-supplied NTB header is checked against
ntb_max but has no lower bound. When block_len is smaller than
opts->ndp_size, the bounds check of:
ndp_index > (block_len - opts->ndp_size)
will underflow producing a huge unsigned value that ndp_index can never
exceed, defeating the check entirely.
The same underflow occurs in the datagram index checks against block_len
- opts->dpe_size. With those checks neutered, a malicious USB host can
choose ndp_index and datagram offsets that point past the actual
transfer, and the skb_put_data() copies adjacent kernel memory into the
network skb.
Fix this by rejecting block lengths that cannot hold at least the NTB
header plus one NDP. This will make block_len - opts->ndp_size and
block_len - opts->dpe_size both well-defined.
Commit 8d2b1a1ec9f5 ("CDC-NCM: avoid overflow in sanity checking") fixed
a related class of issues on the host side of NCM.
Fixes: 2b74b0a04d3e ("USB: gadget: f_ncm: add bounds checks to ncm_unwrap_ntb()")
Cc: stable <stable@kernel.org>
Assisted-by: gregkh_clanker_t1000
Link: https://patch.msgid.link/2026040753-baffle-handheld-624d@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/f_ncm.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/usb/gadget/function/f_ncm.c
+++ b/drivers/usb/gadget/function/f_ncm.c
@@ -1211,8 +1211,8 @@ parse_ntb:
block_len = get_ncm(&tmp, opts->block_length);
/* (d)wBlockLength */
- if (block_len > ntb_max) {
- INFO(port->func.config->cdev, "OUT size exceeded\n");
+ if ((block_len < opts->nth_size + opts->ndp_size) || (block_len > ntb_max)) {
+ INFO(port->func.config->cdev, "Bad block length: %#X\n", block_len);
goto err;
}
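Review bot: the new lower bound, block_len < opts->nth_size + opts->ndp_size, makes block_len - opts->ndp_size safe, but the changelog also relies on block_len - opts->dpe_size being well-defined, and that only follows if opts->dpe_size is no larger than nth_size + ndp_size, which this hunk does not show. A comment stating that relationship would close the gap. Minor: %#X prints an uppercase 0X prefix; %#x is the more common form in kernel messages.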
^ permalink raw reply [flat|nested] 982+ messages in thread
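The unsigned underflow described in the f_ncm changelog above, as an added C example that is not part of the patch or of the kernel source. The struct, the function names and the sample sizes are hypothetical and constructed for illustration; only the two comparisons are modelled on the lines quoted in the message.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the opts-> sizes named in the changelog. */
struct ntb_sizes {
	uint32_t nth_size;	/* NTB header */
	uint32_t ndp_size;	/* one NDP */
};

/* Constructed sample values, not taken from the driver. */
static const struct ntb_sizes sample_sizes = { 12, 16 };
#define SAMPLE_NTB_MAX 16384u

typedef bool (*block_len_check)(const struct ntb_sizes *, uint32_t, uint32_t);

/* Before the fix: block_len only has an upper bound. */
static bool block_len_ok_old(const struct ntb_sizes *o, uint32_t block_len,
			     uint32_t ntb_max)
{
	(void)o;
	return block_len <= ntb_max;
}

/* After the fix: block_len must also hold the header plus one NDP. */
static bool block_len_ok_new(const struct ntb_sizes *o, uint32_t block_len,
			     uint32_t ntb_max)
{
	return block_len >= o->nth_size + o->ndp_size && block_len <= ntb_max;
}

/* Right-hand side of "ndp_index > (block_len - opts->ndp_size)".
 * Unsigned arithmetic: wraps to a huge value when block_len < ndp_size. */
static uint32_t ndp_limit(const struct ntb_sizes *o, uint32_t block_len)
{
	return block_len - o->ndp_size;
}

/* The later bounds check quoted in the changelog. */
static bool ndp_index_ok(const struct ntb_sizes *o, uint32_t block_len,
			 uint32_t ndp_index)
{
	return !(ndp_index > ndp_limit(o, block_len));
}

/* Both checks in sequence, with the old or the new block_len test. */
static bool header_accepted(block_len_check chk, const struct ntb_sizes *o,
			    uint32_t block_len, uint32_t ndp_index)
{
	return chk(o, block_len, SAMPLE_NTB_MAX) &&
	       ndp_index_ok(o, block_len, ndp_index);
}

/* Ground truth, computed in 64 bits so nothing can wrap. */
static bool ndp_fits_in_block(const struct ntb_sizes *o, uint32_t block_len,
			      uint32_t ndp_index)
{
	return (uint64_t)ndp_index + o->ndp_size <= block_len;
}

int main(void)
{
	/* Constructed header values: three well-formed, one undersized. */
	static const struct { uint32_t block_len, ndp_index; } cases[] = {
		{ 64, 12 }, { 64, 60 }, { 28, 12 }, { 8, 4096 },
	};
	size_t i;

	printf("block_len ndp_index limit      fits old new\n");
	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		uint32_t bl = cases[i].block_len, idx = cases[i].ndp_index;

		printf("%9u %9u %#010x %4d %3d %3d\n",
		       (unsigned)bl, (unsigned)idx,
		       (unsigned)ndp_limit(&sample_sizes, bl),
		       ndp_fits_in_block(&sample_sizes, bl, idx),
		       header_accepted(block_len_ok_old, &sample_sizes, bl, idx),
		       header_accepted(block_len_ok_new, &sample_sizes, bl, idx));
	}
	return 0;
}
```

In the last row the old check accepts a header whose NDP cannot fit in the block, because the limit has wrapped; with the lower bound in place the two checks agree with the ground truth on every row.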
* [PATCH 6.1 068/969] usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (66 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 067/969] usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb() Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 069/969] usb: gadget: renesas_usb3: validate endpoint index in standard request handlers Greg Kroah-Hartman
` (907 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit c088d5dd2fffb4de1fb8e7f57751c8b82942180a upstream.
A broken/bored/mean USB host can overflow the skb_shared_info->frags[]
array on a Linux gadget exposing a Phonet function by sending an
unbounded sequence of full-page OUT transfers.
pn_rx_complete() finalizes the skb only when req->actual < req->length,
where req->length is set to PAGE_SIZE by the gadget. If the host always
sends exactly PAGE_SIZE bytes per transfer, fp->rx.skb will never be
reset and each completion will add another fragment via
skb_add_rx_frag(). Once nr_frags exceeds MAX_SKB_FRAGS (default 17),
subsequent frag stores overwrite memory adjacent to the shinfo on the
heap.
Drop the skb and account a length error when the frag limit is reached,
matching the fix applied in t7xx by commit f0813bcd2d9d ("net: wwan:
t7xx: fix potential skb->frags overflow in RX path").
Cc: stable <stable@kernel.org>
Assisted-by: gregkh_clanker_t1000
Link: https://patch.msgid.link/2026040705-fruit-unloved-0701@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/f_phonet.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/drivers/usb/gadget/function/f_phonet.c
+++ b/drivers/usb/gadget/function/f_phonet.c
@@ -333,6 +333,15 @@ static void pn_rx_complete(struct usb_ep
if (unlikely(!skb))
break;
+ if (unlikely(skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS)) {
+ /* Frame count from host exceeds frags[] capacity */
+ dev_kfree_skb_any(skb);
+ if (fp->rx.skb == skb)
+ fp->rx.skb = NULL;
+ dev->stats.rx_length_errors++;
+ break;
+ }
+
if (skb->len == 0) { /* First fragment */
skb->protocol = htons(ETH_P_PHONET);
skb_reset_mac_header(skb);
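Review bot: in the added block, fp->rx.skb is compared against skb after dev_kfree_skb_any(skb) has already released it, and it is written with no lock visible in this hunk. Comparing the pointer value is harmless, but clearing fp->rx.skb first and freeing afterwards reads more safely, and if fp->rx.skb is protected by a lock elsewhere in pn_rx_complete() this write should take it as well. The >= MAX_SKB_FRAGS test is in the right place, since it runs before the "First fragment" branch and before any frag is added.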
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 069/969] usb: gadget: renesas_usb3: validate endpoint index in standard request handlers
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (67 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 068/969] usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete() Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 070/969] ksmbd: validate EaNameLength in smb2_get_ea() Greg Kroah-Hartman
` (906 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit f880aac8a57ebd92abfa685d45424b2998ac1059 upstream.
The GET_STATUS and SET/CLEAR_FEATURE handlers extract the endpoint
number from the host-supplied wIndex without any sort of validation.
Fix this up by validating the number of endpoints actually match up with
the number the device has before attempting to dereference a pointer
based on this math.
This is just like what was done in commit ee0d382feb44 ("usb: gadget:
aspeed_udc: validate endpoint index for ast udc") for the aspeed driver.
Fixes: 746bfe63bba3 ("usb: gadget: renesas_usb3: add support for Renesas USB3.0 peripheral controller")
Cc: stable <stable@kernel.org>
Assisted-by: gregkh_clanker_t1000
Link: https://patch.msgid.link/2026040647-sincerity-untidy-b104@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/udc/renesas_usb3.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/usb/gadget/udc/renesas_usb3.c
+++ b/drivers/usb/gadget/udc/renesas_usb3.c
@@ -1628,6 +1628,10 @@ static bool usb3_std_req_get_status(stru
break;
case USB_RECIP_ENDPOINT:
num = le16_to_cpu(ctrl->wIndex) & USB_ENDPOINT_NUMBER_MASK;
+ if (num >= usb3->num_usb3_eps) {
+ stall = true;
+ break;
+ }
usb3_ep = usb3_get_ep(usb3, num);
if (usb3_ep->halt)
status |= 1 << USB_ENDPOINT_HALT;
@@ -1740,7 +1744,8 @@ static bool usb3_std_req_feature_endpoin
struct renesas_usb3_ep *usb3_ep;
struct renesas_usb3_request *usb3_req;
- if (le16_to_cpu(ctrl->wValue) != USB_ENDPOINT_HALT)
+ if ((le16_to_cpu(ctrl->wValue) != USB_ENDPOINT_HALT) ||
+ (num >= usb3->num_usb3_eps))
return true; /* stall */
usb3_ep = usb3_get_ep(usb3, num);
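Review bot: the bound num >= usb3->num_usb3_eps is now written out separately here and in usb3_std_req_get_status() in the previous hunk, each directly in front of a usb3_get_ep(usb3, num) call. Putting the check into one helper, or into usb3_get_ep() itself with a NULL return, would keep a future caller from forgetting it. In this hunk num is used in the new condition but assigned outside the visible lines, so confirm it is initialised before the if.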
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 070/969] ksmbd: validate EaNameLength in smb2_get_ea()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 069/969] usb: gadget: renesas_usb3: validate endpoint index in standard request handlers Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 071/969] ksmbd: require 3 sub-authorities before reading sub_auth[2] Greg Kroah-Hartman
` (905 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Namjae Jeon, Steve French,
Sergey Senozhatsky, Tom Talpey, linux-cifs, stable, Steve French
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 66751841212c2cc196577453c37f7774ff363f02 upstream.
smb2_get_ea() reads ea_req->EaNameLength from the client request and
passes it directly to strncmp() as the comparison length without
verifying that the length of the name really is the size of the input
buffer received.
Fix this up by properly checking the size of the name based on the value
received and the overall size of the request, to prevent a later
strncmp() call to use the length as a "trusted" size of the buffer.
Without this check, uninitialized heap values might be slowly leaked to
the client.
Cc: Namjae Jeon <linkinjeon@kernel.org>
Cc: Steve French <smfrench@gmail.com>
Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
Cc: Tom Talpey <tom@talpey.com>
Cc: linux-cifs@vger.kernel.org
Cc: <stable@kernel.org>
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/smb2pdu.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -4390,6 +4390,11 @@ static int smb2_get_ea(struct ksmbd_work
ea_req = (struct smb2_ea_info_req *)((char *)req +
le16_to_cpu(req->InputBufferOffset));
+
+ if (le32_to_cpu(req->InputBufferLength) <
+ offsetof(struct smb2_ea_info_req, name) +
+ ea_req->EaNameLength)
+ return -EINVAL;
} else {
/* need to send all EAs, if no specific EA is requested*/
if (le32_to_cpu(req->Flags) & SL_RETURN_SINGLE_ENTRY)
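Review bot: the added comparison reads ea_req->EaNameLength before anything has confirmed that InputBufferLength covers even the fixed part of struct smb2_ea_info_req, and ea_req itself is derived from req->InputBufferOffset, which is not validated in the visible lines. Splitting the test in two, first InputBufferLength >= offsetof(struct smb2_ea_info_req, name) and only then the check that adds EaNameLength, avoids touching the field when the buffer is too short to contain it. A bound on InputBufferOffset against the request size belongs in the same place if it is not already enforced earlier.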
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 071/969] ksmbd: require 3 sub-authorities before reading sub_auth[2]
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 070/969] ksmbd: validate EaNameLength in smb2_get_ea() Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 072/969] usbip: validate number_of_packets in usbip_pack_ret_submit() Greg Kroah-Hartman
` (904 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Namjae Jeon, Steve French,
Sergey Senozhatsky, Tom Talpey, linux-cifs, stable, Steve French
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 53370cf9090777774e07fd9a8ebce67c6cc333ab upstream.
parse_dacl() compares each ACE SID against sid_unix_NFS_mode and on
match reads sid.sub_auth[2] as the file mode. If sid_unix_NFS_mode is
the prefix S-1-5-88-3 with num_subauth = 2 then compare_sids() compares
only min(num_subauth, 2) sub-authorities so a client SID with
num_subauth = 2 and sub_auth = {88, 3} will match.
If num_subauth = 2 and the ACE is placed at the very end of the security
descriptor, sub_auth[2] will be 4 bytes past end_of_acl. The
out-of-band bytes will then be masked to the low 9 bits and applied as
the file's POSIX mode, probably not something that is good to have
happen.
Fix this up by forcing the SID to actually carry a third sub-authority
before reading it at all.
Cc: Namjae Jeon <linkinjeon@kernel.org>
Cc: Steve French <smfrench@gmail.com>
Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
Cc: Tom Talpey <tom@talpey.com>
Cc: linux-cifs@vger.kernel.org
Cc: <stable@kernel.org>
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/smbacl.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/smb/server/smbacl.c
+++ b/fs/smb/server/smbacl.c
@@ -451,7 +451,8 @@ static void parse_dacl(struct user_names
ppace[i]->access_req =
smb_map_generic_desired_access(ppace[i]->access_req);
- if (!(compare_sids(&ppace[i]->sid, &sid_unix_NFS_mode))) {
+ if (ppace[i]->sid.num_subauth >= 3 &&
+ !(compare_sids(&ppace[i]->sid, &sid_unix_NFS_mode))) {
fattr->cf_mode =
le32_to_cpu(ppace[i]->sid.sub_auth[2]);
break;
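Review bot: the added ppace[i]->sid.num_subauth >= 3 test trusts a count supplied by the client, and nothing in this hunk ties it to the size of the ACE or to end_of_acl, which the changelog names as the boundary being overrun. If an earlier size check in parse_dacl() already guarantees that num_subauth sub-authorities fit inside the ACL, a short comment here should say so; if not, the read of sub_auth[2] can still land past the descriptor for a SID that claims three sub-authorities but carries fewer.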
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 072/969] usbip: validate number_of_packets in usbip_pack_ret_submit()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 071/969] ksmbd: require 3 sub-authorities before reading sub_auth[2] Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 073/969] usb: storage: Expand range of matched versions for VL817 quirks entry Greg Kroah-Hartman
` (903 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Shuah Khan, Nathan Rebello
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Rebello <nathan.c.rebello@gmail.com>
commit 2ab833a16a825373aad2ba7d54b572b277e95b71 upstream.
When a USB/IP client receives a RET_SUBMIT response,
usbip_pack_ret_submit() unconditionally overwrites
urb->number_of_packets from the network PDU. This value is
subsequently used as the loop bound in usbip_recv_iso() and
usbip_pad_iso() to iterate over urb->iso_frame_desc[], a flexible
array whose size was fixed at URB allocation time based on the
*original* number_of_packets from the CMD_SUBMIT.
A malicious USB/IP server can set number_of_packets in the response
to a value larger than what was originally submitted, causing a heap
out-of-bounds write when usbip_recv_iso() writes to
urb->iso_frame_desc[i] beyond the allocated region.
KASAN confirmed this with kernel 7.0.0-rc5:
BUG: KASAN: slab-out-of-bounds in usbip_recv_iso+0x46a/0x640
Write of size 4 at addr ffff888106351d40 by task vhci_rx/69
The buggy address is located 0 bytes to the right of
allocated 320-byte region [ffff888106351c00, ffff888106351d40)
The server side (stub_rx.c) and gadget side (vudc_rx.c) already
validate number_of_packets in the CMD_SUBMIT path since commits
c6688ef9f297 ("usbip: fix stub_rx: harden CMD_SUBMIT path to handle
malicious input") and b78d830f0049 ("usbip: fix vudc_rx: harden
CMD_SUBMIT path to handle malicious input"). The server side validates
against USBIP_MAX_ISO_PACKETS because no URB exists yet at that point.
On the client side we have the original URB, so we can use the tighter
bound: the response must not exceed the original number_of_packets.
This mirrors the existing validation of actual_length against
transfer_buffer_length in usbip_recv_xbuff(), which checks the
response value against the original allocation size.
Kelvin Mbogo's series ("usb: usbip: fix integer overflow in
usbip_recv_iso()", v2) hardens the receive-side functions themselves;
this patch complements that work by catching the bad value at its
source -- in usbip_pack_ret_submit() before the overwrite -- and
using the tighter per-URB allocation bound rather than the global
USBIP_MAX_ISO_PACKETS limit.
Fix this by checking rpdu->number_of_packets against
urb->number_of_packets in usbip_pack_ret_submit() before the
overwrite. On violation, clamp to zero so that usbip_recv_iso() and
usbip_pad_iso() safely return early.
Fixes: 1325f85fa49f ("staging: usbip: bugfix add number of packets for isochronous frames")
Cc: stable <stable@kernel.org>
Acked-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Nathan Rebello <nathan.c.rebello@gmail.com>
Link: https://patch.msgid.link/20260402085259.234-1-nathan.c.rebello@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/usbip/usbip_common.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
--- a/drivers/usb/usbip/usbip_common.c
+++ b/drivers/usb/usbip/usbip_common.c
@@ -469,6 +469,18 @@ static void usbip_pack_ret_submit(struct
urb->status = rpdu->status;
urb->actual_length = rpdu->actual_length;
urb->start_frame = rpdu->start_frame;
+ /*
+ * The number_of_packets field determines the length of
+ * iso_frame_desc[], which is a flexible array allocated
+ * at URB creation time. A response must never claim more
+ * packets than originally submitted; doing so would cause
+ * an out-of-bounds write in usbip_recv_iso() and
+ * usbip_pad_iso(). Clamp to zero on violation so both
+ * functions safely return early.
+ */
+ if (rpdu->number_of_packets < 0 ||
+ rpdu->number_of_packets > urb->number_of_packets)
+ rpdu->number_of_packets = 0;
urb->number_of_packets = rpdu->number_of_packets;
urb->error_count = rpdu->error_count;
}
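Review bot: on violation the new check rewrites rpdu->number_of_packets to 0 without logging anything and without touching urb->status, which was assigned from rpdu->status a few lines above. A response that claims more packets than were submitted points to a broken or hostile peer, so a rate-limited warning and an error status on the URB would let the caller tell this apart from a legitimate empty completion. The comparison against urb->number_of_packets is correctly done before the overwrite.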
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 073/969] usb: storage: Expand range of matched versions for VL817 quirks entry
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 072/969] usbip: validate number_of_packets in usbip_pack_ret_submit() Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 074/969] USB: cdc-acm: Add quirks for Yoga Book 9 14IAH10 INGENIC touchscreen Greg Kroah-Hartman
` (902 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Daniel Brát, stable
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Brát <danek.brat@gmail.com>
commit 609865ab3d5d803556f628e221ecd3d06aed9f30 upstream.
Expands range of matched bcdDevice values for the VL817 quirk entry.
This is based on experience with Axagon EE35-GTR rev1 3.5" HDD
enclosure, which reports its bcdDevice as 0x0843, but presumably other
vendors using this IC in their products may set it to any other value.
Signed-off-by: Daniel Brát <danek.brat@gmail.com>
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/20260402172433.5227-1-danek.brat@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/storage/unusual_devs.h | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/drivers/usb/storage/unusual_devs.h
+++ b/drivers/usb/storage/unusual_devs.h
@@ -2350,10 +2350,11 @@ UNUSUAL_DEV( 0x2027, 0xa001, 0x0000, 0x
US_FL_SCM_MULT_TARG ),
/*
- * Reported by DocMAX <mail@vacharakis.de>
- * and Thomas Weißschuh <linux@weissschuh.net>
+ * Reported by DocMAX <mail@vacharakis.de>,
+ * Thomas Weißschuh <linux@weissschuh.net>
+ * and Daniel Brát <danek.brat@gmail.com>
*/
-UNUSUAL_DEV( 0x2109, 0x0715, 0x9999, 0x9999,
+UNUSUAL_DEV( 0x2109, 0x0715, 0x0000, 0x9999,
"VIA Labs, Inc.",
"VL817 SATA Bridge",
USB_SC_DEVICE, USB_PR_DEVICE, NULL,
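Review bot: the new range 0x0000 to 0x9999 in the UNUSUAL_DEV line applies this entry's flags to every bcdDevice up to 0x9999, while the changelog documents a single new value, 0x0843. If the intent is "any revision of this bridge", the comment block above the entry should say so and explain why the upper bound stays at 0x9999; if not, a narrower range that includes 0x0843 would limit side effects on revisions nobody has tested.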
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 074/969] USB: cdc-acm: Add quirks for Yoga Book 9 14IAH10 INGENIC touchscreen
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 073/969] usb: storage: Expand range of matched versions for VL817 quirks entry Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 075/969] usb: port: add delay after usb_hub_set_port_power() Greg Kroah-Hartman
` (901 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dave Carey, stable, Oliver Neukum
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dave Carey <carvsdriver@gmail.com>
commit f58752ebcb35e156c85cd1a82d6579c7af3b9023 upstream.
The Lenovo Yoga Book 9 14IAH10 (83KJ) has a composite USB device
(17EF:6161) that controls both touchscreens via a CDC ACM interface.
Interface 0 is a standard CDC ACM control interface, but interface 1
(the data interface) incorrectly declares vendor-specific class (0xFF)
instead of USB_CLASS_CDC_DATA. cdc-acm rejects the device at probe with
-EINVAL, leaving interface 0 unbound and EP 0x82 never polled.
With no consumer polling EP 0x82, the firmware's watchdog fires every
~20 seconds and resets the USB bus, producing a continuous disconnect/
reconnect loop that prevents the touchscreens from ever initialising.
Add two new quirk flags:
VENDOR_CLASS_DATA_IFACE: Bypasses the bInterfaceClass check in
acm_probe() that would otherwise reject the vendor-class data
interface with -EINVAL.
ALWAYS_POLL_CTRL: Submits the notification URB at probe() rather than
waiting for a TTY open. This keeps EP 0x82 polled at all times,
permanently suppressing the firmware watchdog. The URB is resubmitted
after port_shutdown() and on system resume. SET_CONTROL_LINE_STATE
(DTR|RTS) is sent at probe and after port_shutdown() to complete
firmware handshake.
Note: the firmware performs exactly 4 USB connect/disconnect cycles
(~19 s each) on every cold boot before stabilising. This is a fixed
firmware property; touch is available ~75-80 s after power-on.
Signed-off-by: Dave Carey <carvsdriver@gmail.com>
Cc: stable <stable@kernel.org>
Tested-by: Dave Carey <carvsdriver@gmail.com>
Acked-by: Oliver Neukum <oneukum@suse.com>
Link: https://patch.msgid.link/20260402182950.389016-1-carvsdriver@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/class/cdc-acm.c | 53 ++++++++++++++++++++++++++++++++++++++------
1 file changed, 46 insertions(+), 7 deletions(-)
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -113,6 +113,8 @@ static int acm_ctrl_msg(struct acm *acm,
int retval;
retval = usb_autopm_get_interface(acm->control);
+#define VENDOR_CLASS_DATA_IFACE BIT(9) /* data interface uses vendor-specific class */
+#define ALWAYS_POLL_CTRL BIT(10) /* keep ctrl URB active even without an open TTY */
if (retval)
return retval;
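Review bot: the two new #define lines land inside the body of acm_ctrl_msg(), between the usb_autopm_get_interface() call and the if (retval) that tests its result. The preprocessor accepts this, so it builds, but quirk flag definitions belong next to the driver's other quirk flags and not in the middle of a function; it looks as if the hunk was applied at the wrong offset in the backport, and the defines should be moved.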
@@ -699,12 +701,14 @@ static int acm_port_activate(struct tty_
set_bit(TTY_NO_WRITE_SPLIT, &tty->flags);
acm->control->needs_remote_wakeup = 1;
- acm->ctrlurb->dev = acm->dev;
- retval = usb_submit_urb(acm->ctrlurb, GFP_KERNEL);
- if (retval) {
- dev_err(&acm->control->dev,
- "%s - usb_submit_urb(ctrl irq) failed\n", __func__);
- goto error_submit_urb;
+ if (!(acm->quirks & ALWAYS_POLL_CTRL)) {
+ acm->ctrlurb->dev = acm->dev;
+ retval = usb_submit_urb(acm->ctrlurb, GFP_KERNEL);
+ if (retval) {
+ dev_err(&acm->control->dev,
+ "%s - usb_submit_urb(ctrl irq) failed\n", __func__);
+ goto error_submit_urb;
+ }
}
acm_tty_set_termios(tty, NULL);
@@ -777,6 +781,14 @@ static void acm_port_shutdown(struct tty
acm_unpoison_urbs(acm);
+ if (acm->quirks & ALWAYS_POLL_CTRL) {
+ acm->ctrlurb->dev = acm->dev;
+ if (usb_submit_urb(acm->ctrlurb, GFP_KERNEL))
+ dev_dbg(&acm->control->dev,
+ "ctrl polling restart failed after port close\n");
+ /* port_shutdown() cleared DTR/RTS; restore them */
+ acm_set_control(acm, USB_CDC_CTRL_DTR | USB_CDC_CTRL_RTS);
+ }
}
static void acm_tty_cleanup(struct tty_struct *tty)
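Review bot: in the ALWAYS_POLL_CTRL block added to acm_port_shutdown(), a failed usb_submit_urb() is reported only at dev_dbg level and the return value of acm_set_control() is dropped. Per the changelog, an unpolled EP 0x82 lets the firmware watchdog reset the bus every ~20 seconds, so a failure here brings the original problem back silently. dev_warn(), as used for the same submit in the probe path later in this patch, would make it visible.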
@@ -1304,6 +1316,9 @@ skip_normal_probe:
dev_dbg(&intf->dev,
"Your device has switched interfaces.\n");
swap(control_interface, data_interface);
+ } else if (quirks & VENDOR_CLASS_DATA_IFACE) {
+ dev_dbg(&intf->dev,
+ "Vendor-specific data interface class, continuing.\n");
} else {
return -EINVAL;
}
@@ -1498,6 +1513,9 @@ skip_countries:
acm->line.bDataBits = 8;
acm_set_line(acm, &acm->line);
+ if (quirks & ALWAYS_POLL_CTRL)
+ acm_set_control(acm, USB_CDC_CTRL_DTR | USB_CDC_CTRL_RTS);
+
if (!acm->combined_interfaces) {
rv = usb_driver_claim_interface(&acm_driver, data_interface, acm);
if (rv)
@@ -1519,6 +1537,13 @@ skip_countries:
dev_info(&intf->dev, "ttyACM%d: USB ACM device\n", minor);
+ if (acm->quirks & ALWAYS_POLL_CTRL) {
+ acm->ctrlurb->dev = acm->dev;
+ if (usb_submit_urb(acm->ctrlurb, GFP_KERNEL))
+ dev_warn(&intf->dev,
+ "failed to start persistent ctrl polling\n");
+ }
+
return 0;
err_release_data_interface:
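Review bot: the probe-time submit added before return 0 only warns on failure and probe still succeeds, while acm_port_activate() now skips its own usb_submit_urb() whenever ALWAYS_POLL_CTRL is set. If this submit fails, nothing resubmits the control URB until the next port shutdown or resume, so the device is bound but never polled. Either fail the probe here or let acm_port_activate() fall back to submitting when the URB is not already in flight.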
@@ -1645,7 +1670,7 @@ static int acm_resume(struct usb_interfa
acm_unpoison_urbs(acm);
- if (tty_port_initialized(&acm->port)) {
+ if (tty_port_initialized(&acm->port) || (acm->quirks & ALWAYS_POLL_CTRL)) {
rv = usb_submit_urb(acm->ctrlurb, GFP_ATOMIC);
for (;;) {
@@ -1992,6 +2017,20 @@ static const struct usb_device_id acm_id
/* CH343 supports CAP_BRK, but doesn't advertise it */
{ USB_DEVICE(0x1a86, 0x55d3), .driver_info = MISSING_CAP_BRK, },
+ /*
+ * Lenovo Yoga Book 9 14IAH10 (83KJ) — INGENIC 17EF:6161 touchscreen
+ * composite device. The CDC ACM control interface (0) uses a standard
+ * Union descriptor, but the data interface (1) is declared as vendor-
+ * specific class (0xff) with no CDC data descriptors, so cdc-acm would
+ * normally reject it. The firmware also requires continuous polling of
+ * the notification endpoint (EP 0x82) to suppress a 20-second watchdog
+ * reset; ALWAYS_POLL_CTRL keeps the ctrlurb active even when no TTY is
+ * open. Match only the control interface by class to avoid probing the
+ * vendor-specific data interface.
+ */
+ { USB_DEVICE_INTERFACE_CLASS(0x17ef, 0x6161, USB_CLASS_COMM),
+ .driver_info = VENDOR_CLASS_DATA_IFACE | ALWAYS_POLL_CTRL },
+
/* control interfaces without any protocol set */
{ USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ACM,
USB_CDC_PROTO_NONE) },
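Review bot: the first line of the new table comment uses a non-ASCII dash between "(83KJ)" and "INGENIC"; replace it with a plain "-" or ":" so the source file stays ASCII. The comment otherwise explains both quirk flags, and placing the entry ahead of the generic USB_CLASS_COMM matches is right.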
* [PATCH 6.1 075/969] usb: port: add delay after usb_hub_set_port_power()
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Xu Yang
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xu Yang <xu.yang_2@nxp.com>
commit b84cc80610a8ce036deb987f056ce3196ead7f1e upstream.
When a port is disabled, an attached device will be disconnected. This
causes a port-status-change event, which will race with hub autosuspend
(if the disabled port was the only connected port on its hub), causing
an immediate resume and a second autosuspend. Both of these can be
avoided by adding a short delay after the call to
usb_hub_set_port_power().
The log below shows what is happening:
$ echo 1 > usb1-port1/disable
[ 37.958239] usb 1-1: USB disconnect, device number 2
[ 37.964101] usb 1-1: unregistering device
[ 37.970070] hub 1-0:1.0: hub_suspend
[ 37.971305] hub 1-0:1.0: state 7 ports 1 chg 0000 evt 0002
[ 37.974412] usb usb1: bus auto-suspend, wakeup 1
[ 37.988175] usb usb1: suspend raced with wakeup event <---
[ 37.993947] usb usb1: usb auto-resume
[ 37.998401] hub 1-0:1.0: hub_resume
[ 38.105688] usb usb1-port1: status 0000, change 0000, 12 Mb/s
[ 38.112399] hub 1-0:1.0: state 7 ports 1 chg 0000 evt 0000
[ 38.118645] hub 1-0:1.0: hub_suspend
[ 38.122963] usb usb1: bus auto-suspend, wakeup 1
[ 38.200368] usb usb1: usb wakeup-resume
[ 38.204982] usb usb1: usb auto-resume
[ 38.209376] hub 1-0:1.0: hub_resume
[ 38.213676] usb usb1-port1: status 0101 change 0001
[ 38.321552] hub 1-0:1.0: state 7 ports 1 chg 0002 evt 0000
[ 38.327978] usb usb1-port1: status 0101, change 0000, 12 Mb/s
[ 38.457429] usb 1-1: new high-speed USB device number 3 using ci_hdrc
Then, the port change bit will be fixed to its final state and
usb_clear_port_feature() can correctly clear it after this period. This
will also keep the usb runtime suspend routine from running because
usb_autopm_put_interface() has not run yet.
Fixes: f061f43d7418 ("usb: hub: port: add sysfs entry to switch port power")
Cc: stable@kernel.org
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Link: https://patch.msgid.link/20260316095042.1559882-1-xu.yang_2@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/port.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/core/port.c
+++ b/drivers/usb/core/port.c
@@ -111,6 +111,7 @@ static ssize_t disable_store(struct devi
usb_disconnect(&port_dev->child);
rc = usb_hub_set_port_power(hdev, hub, port1, !disabled);
+ msleep(2 * hub_power_on_good_delay(hub));
if (disabled) {
usb_clear_port_feature(hdev, port1, USB_PORT_FEAT_C_CONNECTION);
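Review bot: the added `msleep(2 * hub_power_on_good_delay(hub))` runs before `rc` from usb_hub_set_port_power() is looked at, so the sysfs write sleeps even when the power switch failed, and it sleeps on the enable path as well as on disable. Consider sleeping only when rc is 0, and add a one-line comment saying the delay lets the port-status change settle before usb_clear_port_feature(), since the factor of 2 is not obvious from the code.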
* [PATCH 6.1 076/969] fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bernie Thompson, Helge Deller
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit a31e4518bec70333a0a98f2946a12b53b45fe5b9 upstream.
Much like commit 19f953e74356 ("fbdev: fb_pm2fb: Avoid potential divide
by zero error"), we also need to prevent that same crash from happening
in the udlfb driver as it uses pixclock directly when dividing, which
will crash.
Cc: Bernie Thompson <bernie@plugable.com>
Cc: Helge Deller <deller@gmx.de>
Fixes: 59277b679f8b ("Staging: udlfb: add dynamic modeset support")
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/video/fbdev/udlfb.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/video/fbdev/udlfb.c
+++ b/drivers/video/fbdev/udlfb.c
@@ -1078,6 +1078,9 @@ static int dlfb_ops_check_var(struct fb_
struct fb_videomode mode;
struct dlfb_data *dlfb = info->par;
+ if (!var->pixclock)
+ return -EINVAL;
+
/* set device-specific elements of var unrelated to mode */
dlfb_var_color_format(var);
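Review bot: the `if (!var->pixclock)` test is added without a comment, and nothing at this spot shows where pixclock is later used as a divisor. A short comment naming that use would keep the check from being dropped in a later cleanup. Placing it ahead of dlfb_var_color_format(var) is right, since a rejected var is then returned unmodified.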
* [PATCH 6.1 077/969] scripts: generate_rust_analyzer.py: avoid FD leak
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Almeida, Fiona Behrens,
Trevor Gross, Tamir Duberstein
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tamir Duberstein <tamird@kernel.org>
commit 9b4744d8eda2824041064a5639ccbb079850914d upstream.
Use `pathlib.Path.read_text()` to avoid leaking file descriptors.
Fixes: 8c4555ccc55c ("scripts: add `generate_rust_analyzer.py`")
Cc: stable@vger.kernel.org
Reviewed-by: Daniel Almeida <daniel.almeida@collabora.com>
Reviewed-by: Fiona Behrens <me@kloenk.dev>
Reviewed-by: Trevor Gross <tmgross@umich.edu>
Link: https://patch.msgid.link/20260127-rust-analyzer-fd-leak-v2-1-1bb55b9b6822@kernel.org
Signed-off-by: Tamir Duberstein <tamird@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
scripts/generate_rust_analyzer.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/scripts/generate_rust_analyzer.py
+++ b/scripts/generate_rust_analyzer.py
@@ -115,9 +115,10 @@ def generate_crates(srctree, objtree, sy
def is_root_crate(build_file, target):
try:
- return f"{target}.o" in open(build_file).read()
+ contents = build_file.read_text()
except FileNotFoundError:
return False
+ return f"{target}.o" in contents
# Then, the rest outside of `rust/`.
#
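Review bot: `build_file.read_text()` only works when build_file is a pathlib.Path, whereas the removed `open(build_file)` also took a plain string; a str argument now raises AttributeError, which the `except FileNotFoundError` clause does not catch. Confirm that every caller of is_root_crate() passes a Path, or wrap the argument in pathlib.Path() here. Moving the `in` test out of the try block is a good change, as only the read can raise FileNotFoundError.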
* [PATCH 6.1 078/969] staging: sm750fb: fix division by zero in ps_to_hz()
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
commit 75a1621e4f91310673c9acbcbb25c2a7ff821cd3 upstream.
ps_to_hz() is called from hw_sm750_crtc_set_mode() without validating
that pixclock is non-zero. A zero pixclock passed via FBIOPUT_VSCREENINFO
causes a division by zero.
Fix by rejecting zero pixclock in lynxfb_ops_check_var(), consistent
with other framebuffer drivers.
Fixes: 81dee67e215b ("staging: sm750fb: add sm750 to staging")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://patch.msgid.link/SYBPR01MB7881AFBFCE28CCF528B35D0CAF4BA@SYBPR01MB7881.ausprd01.prod.outlook.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/sm750fb/sm750.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/staging/sm750fb/sm750.c
+++ b/drivers/staging/sm750fb/sm750.c
@@ -484,6 +484,9 @@ static int lynxfb_ops_check_var(struct f
struct lynxfb_crtc *crtc;
resource_size_t request;
+ if (!var->pixclock)
+ return -EINVAL;
+
ret = 0;
par = info->par;
crtc = &par->crtc;
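Review bot: the `if (!var->pixclock)` check guards lynxfb_ops_check_var() only, while the commit message places the division in ps_to_hz(), called from hw_sm750_crtc_set_mode(). It is worth confirming that no path reaches the mode-set code with a var that never went through check_var; if one exists, ps_to_hz() needs its own guard.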
* [PATCH 6.1 079/969] USB: serial: option: add Telit Cinterion FN990A MBIM composition
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Fabio Porcedda, Johan Hovold
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fabio Porcedda <fabio.porcedda@gmail.com>
commit f8cc59ecc22841be5deb07b549c0c6a2657cd5f9 upstream.
Add the following Telit Cinterion FN990A MBIM composition:
0x1074: MBIM + tty (AT/NMEA) + tty (AT) + tty (AT) + tty (diag) +
DPL (Data Packet Logging) + adb
T: Bus=01 Lev=01 Prnt=04 Port=06 Cnt=01 Dev#= 7 Spd=480 MxCh= 0
D: Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=1bc7 ProdID=1074 Rev=05.04
S: Manufacturer=Telit Wireless Solutions
S: Product=FN990
S: SerialNumber=70628d0c
C: #Ifs= 8 Cfg#= 1 Atr=e0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 6 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none)
E: Ad=8f(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 7 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
Cc: stable@vger.kernel.org
Signed-off-by: Fabio Porcedda <fabio.porcedda@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/option.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1383,6 +1383,8 @@ static const struct usb_device_id option
.driver_info = NCTRL(2) | RSVD(3) },
{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1073, 0xff), /* Telit FN990A (ECM) */
.driver_info = NCTRL(0) | RSVD(1) },
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1074, 0xff), /* Telit FN990A (MBIM) */
+ .driver_info = NCTRL(5) | RSVD(6) | RSVD(7) },
{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1075, 0xff), /* Telit FN990A (PCIe) */
.driver_info = RSVD(0) },
{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1077, 0xff), /* Telit FN990A (rmnet + audio) */
* [PATCH 6.1 080/969] Docs/admin-guide/mm/damon/reclaim: warn commit_inputs vs param updates race
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, SeongJae Park, Andrew Morton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit 0beba407d4585a15b0dc09f2064b5b3ddcb0e857 upstream.
Patch series "Docs/admin-guide/mm/damon: warn commit_inputs vs other
params race".
Writing 'Y' to the commit_inputs parameter of DAMON_RECLAIM and
DAMON_LRU_SORT, and writing other parameters before the commit_inputs
request is completely processed can cause race conditions. While the
consequence can be bad, the documentation is not clearly describing that.
Add clear warnings.
The issue was discovered [1,2] by sashiko.
This patch (of 2):
DAMON_RECLAIM handles commit_inputs request inside kdamond thread,
reading the module parameters. If the user updates the module
parameters while the kdamond thread is reading those, races can happen.
To avoid this, the commit_inputs parameter shows whether it is still in
progress, assuming users wouldn't update parameters in the middle of
the work. Some users might ignore that. Add a warning about the
behavior.
The issue was discovered in [1] by sashiko.
Link: https://lore.kernel.org/20260329153052.46657-2-sj@kernel.org
Link: https://lore.kernel.org/20260319161620.189392-3-objecting@objecting.org [1]
Link: https://lore.kernel.org/20260319161620.189392-2-objecting@objecting.org [3]
Fixes: 81a84182c343 ("Docs/admin-guide/mm/damon/reclaim: document 'commit_inputs' parameter")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: <stable@vger.kernel.org> # 5.19.x
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/admin-guide/mm/damon/reclaim.rst | 4 ++++
1 file changed, 4 insertions(+)
--- a/Documentation/admin-guide/mm/damon/reclaim.rst
+++ b/Documentation/admin-guide/mm/damon/reclaim.rst
@@ -71,6 +71,10 @@ of parametrs except ``enabled`` again.
parameter is set as ``N``. If invalid parameters are found while the
re-reading, DAMON_RECLAIM will be disabled.
+Once ``Y`` is written to this parameter, the user must not write to any
+parameters until reading ``commit_inputs`` again returns ``N``. If users
+violate this rule, the kernel may exhibit undefined behavior.
+
min_age
-------
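Review bot: the added paragraph says the user must not write to "any parameters", while the sentence just above it speaks of parameters "except ``enabled``"; say explicitly whether ``enabled`` falls under the new rule. "undefined behavior" is also vague for an admin guide: naming the cause (a race with the kdamond thread that is reading the parameters) would tell the reader what is at stake.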
* [PATCH 6.1 081/969] ALSA: ctxfi: Limit PTP to a single page
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Harin Lee, Takashi Iwai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Harin Lee <me@harin.net>
commit e9418da50d9e5c496c22fe392e4ad74c038a94eb upstream.
Commit 391e69143d0a increased CT_PTP_NUM from 1 to 4 to support 256
playback streams, but the additional pages are not used by the card
correctly. The CT20K2 hardware already has multiple VMEM_PTPAL
registers, but using them separately would require refactoring the
entire virtual memory allocation logic.
ct_vm_map() always uses PTEs in vm->ptp[0].area regardless of
CT_PTP_NUM. On AMD64 systems, a single PTP covers 512 PTEs (2M). When
aggregate memory allocations exceed this limit, ct_vm_map() tries to
access beyond the allocated space and causes a page fault:
BUG: unable to handle page fault for address: ffffd4ae8a10a000
Oops: Oops: 0002 [#1] SMP PTI
RIP: 0010:ct_vm_map+0x17c/0x280 [snd_ctxfi]
Call Trace:
atc_pcm_playback_prepare+0x225/0x3b0
ct_pcm_playback_prepare+0x38/0x60
snd_pcm_do_prepare+0x2f/0x50
snd_pcm_action_single+0x36/0x90
snd_pcm_action_nonatomic+0xbf/0xd0
snd_pcm_ioctl+0x28/0x40
__x64_sys_ioctl+0x97/0xe0
do_syscall_64+0x81/0x610
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Revert CT_PTP_NUM to 1. The 256 SRC_RESOURCE_NUM and playback_count
remain unchanged.
Fixes: 391e69143d0a ("ALSA: ctxfi: Bump playback substreams to 256")
Cc: stable@vger.kernel.org
Signed-off-by: Harin Lee <me@harin.net>
Link: https://patch.msgid.link/20260406074857.216034-1-me@harin.net
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/ctxfi/ctvmem.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/pci/ctxfi/ctvmem.h
+++ b/sound/pci/ctxfi/ctvmem.h
@@ -15,7 +15,7 @@
#ifndef CTVMEM_H
#define CTVMEM_H
-#define CT_PTP_NUM 4 /* num of device page table pages */
+#define CT_PTP_NUM 1 /* num of device page table pages */
#include <linux/mutex.h>
#include <linux/list.h>
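Review bot: `#define CT_PTP_NUM 1` keeps the comment "num of device page table pages" but gives no hint why the value has to stay 1, so the next bump of the stream count can bring the page fault back. Add a comment that ct_vm_map() only uses ptp[0], as the commit message explains, or a build-time check near that code that fails when CT_PTP_NUM is not 1.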
* [PATCH 6.1 082/969] dcache: Limit the minimal number of bucket to two
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhihao Cheng, Yang Erkun,
Christian Brauner
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhihao Cheng <chengzhihao1@huawei.com>
commit f08fe8891c3eeb63b73f9f1f6d97aa629c821579 upstream.
There is an OOB read problem on dentry_hashtable when the user sets
'dhash_entries=1':
BUG: unable to handle page fault for address: ffff888b30b774b0
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
Oops: Oops: 0000 [#1] SMP PTI
RIP: 0010:__d_lookup+0x56/0x120
Call Trace:
d_lookup.cold+0x16/0x5d
lookup_dcache+0x27/0xf0
lookup_one_qstr_excl+0x2a/0x180
start_dirop+0x55/0xa0
simple_start_creating+0x8d/0xa0
debugfs_start_creating+0x8c/0x180
debugfs_create_dir+0x1d/0x1c0
pinctrl_init+0x6d/0x140
do_one_initcall+0x6d/0x3d0
kernel_init_freeable+0x39f/0x460
kernel_init+0x2a/0x260
There will be only one bucket in dentry_hashtable when dhash_entries is
set as one, and d_hash_shift is calculated as 32 by dcache_init(). Then,
the following process will access more than one bucket (whose memory
region is not allocated) in dentry_hashtable:
d_lookup
b = d_hash(hash)
dentry_hashtable + ((u32)hashlen >> d_hash_shift)
// The C standard defines the behavior of right shift amounts
// exceeding the bit width of the operand as undefined. The
// result of '(u32)hashlen >> d_hash_shift' becomes 'hashlen',
// so 'b' will point to an unallocated memory region.
hlist_bl_for_each_entry_rcu(b)
hlist_bl_first_rcu(head)
h->first // read OOB!
Fix it by limiting the minimal number of dentry_hashtable buckets to two,
so that 'd_hash_shift' won't exceed the bit width of type u32.
Cc: stable@vger.kernel.org
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Link: https://patch.msgid.link/20260130034853.215819-1-chengzhihao1@huawei.com
Reviewed-by: Yang Erkun <yangerkun@huawei.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/dcache.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -3299,7 +3299,7 @@ static void __init dcache_init_early(voi
HASH_EARLY | HASH_ZERO,
&d_hash_shift,
NULL,
- 0,
+ 2,
0);
d_hash_shift = 32 - d_hash_shift;
}
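Review bot: the second-to-last argument changes from `0` to a bare `2` with no comment, here and again in dcache_init(); nothing at the call site says that a single bucket makes `d_hash_shift = 32 - d_hash_shift` come out as 32. Add a comment to that effect, or use one named constant for both calls so the two limits cannot drift apart.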
@@ -3327,7 +3327,7 @@ static void __init dcache_init(void)
HASH_ZERO,
&d_hash_shift,
NULL,
- 0,
+ 2,
0);
d_hash_shift = 32 - d_hash_shift;
}
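The shift arithmetic from the commit message above, as an added example that is not part of the original patch or of fs/dcache.c: it shows why one bucket yields a shift of 32 and an unbounded index, and why two buckets bound it. The helper names, the sample hashes and the masked-shift model of x86 behaviour are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* log2 of a power-of-two bucket count (constructed helper, not kernel code). */
static unsigned int log2_pow2(uint32_t n)
{
	unsigned int bits = 0;

	while (n > 1) {
		n >>= 1;
		bits++;
	}
	return bits;
}

/* Same arithmetic as "d_hash_shift = 32 - d_hash_shift" in the hunks above. */
unsigned int hash_shift_for(uint32_t buckets)
{
	return 32 - log2_pow2(buckets);
}

/*
 * Assumption: models a 32-bit x86 SHR, which masks the count to 5 bits, so a
 * count of 32 acts like 0. In C the shift by 32 itself is undefined, which is
 * why it is modelled here instead of being executed.
 */
uint32_t shr_count_masked(uint32_t value, unsigned int count)
{
	return value >> (count & 31);
}

/* Bucket index taken from the top bits of the hash, as in the call chain. */
uint32_t bucket_index(uint32_t hash, uint32_t buckets)
{
	return shr_count_masked(hash, hash_shift_for(buckets));
}

/* Number of sample hashes whose index falls outside a table of that size. */
unsigned int out_of_bounds_count(uint32_t buckets)
{
	/* Constructed sample hashes. */
	static const uint32_t samples[] = {
		0x00000000u, 0x00000001u, 0x7fffffffu,
		0x80000000u, 0x9e3779b9u, 0xffffffffu,
	};
	unsigned int i, bad = 0;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		if (bucket_index(samples[i], buckets) >= buckets)
			bad++;
	return bad;
}

int main(void)
{
	uint32_t buckets;

	/* One bucket is the dhash_entries=1 case; two is the new minimum. */
	for (buckets = 1; buckets <= 4; buckets <<= 1)
		printf("buckets=%u shift=%u out-of-bounds=%u of 6\n",
		       (unsigned int)buckets, hash_shift_for(buckets),
		       out_of_bounds_count(buckets));
	return 0;
}
```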
* [PATCH 6.1 083/969] media: vidtv: fix NULL pointer dereference in vidtv_channel_pmt_match_sections
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+1f5bcc7c919ec578777a,
Ruslan Valiyev, Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ruslan Valiyev <linuxoid@gmail.com>
commit f8e1fc918a9fe67103bcda01d20d745f264d00a7 upstream.
syzbot reported a general protection fault in vidtv_psi_desc_assign [1].
vidtv_psi_pmt_stream_init() can return NULL on memory allocation
failure, but vidtv_channel_pmt_match_sections() does not check for
this. When tail is NULL, the subsequent call to
vidtv_psi_desc_assign(&tail->descriptor, desc) dereferences a NULL
pointer offset, causing a general protection fault.
Add a NULL check after vidtv_psi_pmt_stream_init(). On failure, clean
up the already-allocated stream chain and return.
[1]
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:vidtv_psi_desc_assign+0x24/0x90 drivers/media/test-drivers/vidtv/vidtv_psi.c:629
Call Trace:
<TASK>
vidtv_channel_pmt_match_sections drivers/media/test-drivers/vidtv/vidtv_channel.c:349 [inline]
vidtv_channel_si_init+0x1445/0x1a50 drivers/media/test-drivers/vidtv/vidtv_channel.c:479
vidtv_mux_init+0x526/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:519
vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]
vidtv_start_feed+0x33e/0x4d0 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
Fixes: f90cf6079bf67 ("media: vidtv: add a bridge driver")
Cc: stable@vger.kernel.org
Reported-by: syzbot+1f5bcc7c919ec578777a@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=1f5bcc7c919ec578777a
Signed-off-by: Ruslan Valiyev <linuxoid@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/test-drivers/vidtv/vidtv_channel.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/media/test-drivers/vidtv/vidtv_channel.c
+++ b/drivers/media/test-drivers/vidtv/vidtv_channel.c
@@ -341,6 +341,10 @@ vidtv_channel_pmt_match_sections(struct
tail = vidtv_psi_pmt_stream_init(tail,
s->type,
e_pid);
+ if (!tail) {
+ vidtv_psi_pmt_stream_destroy(head);
+ return;
+ }
if (!head)
head = tail;
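Review bot: in the added `if (!tail)` branch, `vidtv_psi_pmt_stream_destroy(head)` is called with head still NULL when the very first vidtv_psi_pmt_stream_init() fails, since `head = tail` is only set further down. Confirm that the destroy helper accepts NULL. The bare `return;` also gives the caller no way to tell that the stream list was dropped; a log message here would make the allocation failure visible.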
* [PATCH 6.1 084/969] ocfs2: fix possible deadlock between unlink and dio_end_io_write
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+67b90111784a3eac8c04,
Joseph Qi, Heming Zhao, Mark Fasheh, Joel Becker, Junxiao Bi,
Joseph Qi, Changwei Ge, Jun Piao, Andrew Morton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joseph Qi <joseph.qi@linux.alibaba.com>
commit b02da26a992db0c0e2559acbda0fc48d4a2fd337 upstream.
ocfs2_unlink takes orphan dir inode_lock first and then ip_alloc_sem,
while in ocfs2_dio_end_io_write, it acquires these locks in reverse order.
This creates an ABBA lock ordering violation on lock classes
ocfs2_sysfile_lock_key[ORPHAN_DIR_SYSTEM_INODE] and
ocfs2_file_ip_alloc_sem_key.
Lock Chain #0 (orphan dir inode_lock -> ip_alloc_sem):
ocfs2_unlink
ocfs2_prepare_orphan_dir
ocfs2_lookup_lock_orphan_dir
inode_lock(orphan_dir_inode) <- lock A
__ocfs2_prepare_orphan_dir
ocfs2_prepare_dir_for_insert
ocfs2_extend_dir
ocfs2_expand_inline_dir
down_write(&oi->ip_alloc_sem) <- Lock B
Lock Chain #1 (ip_alloc_sem -> orphan dir inode_lock):
ocfs2_dio_end_io_write
down_write(&oi->ip_alloc_sem) <- Lock B
ocfs2_del_inode_from_orphan()
inode_lock(orphan_dir_inode) <- Lock A
Deadlock Scenario:
CPU0 (unlink)                   CPU1 (dio_end_io_write)
------                          ------
inode_lock(orphan_dir_inode)
                                down_write(ip_alloc_sem)
down_write(ip_alloc_sem)
                                inode_lock(orphan_dir_inode)
ip_alloc_sem is there to protect allocation changes, which are unrelated
to the operations in ocfs2_del_inode_from_orphan. So move
ocfs2_del_inode_from_orphan out of ip_alloc_sem to fix the deadlock.
Link: https://lkml.kernel.org/r/20260306032211.1016452-1-joseph.qi@linux.alibaba.com
Reported-by: syzbot+67b90111784a3eac8c04@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=67b90111784a3eac8c04
Fixes: a86a72a4a4e0 ("ocfs2: take ip_alloc_sem in ocfs2_dio_get_block & ocfs2_dio_end_io_write")
Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Reviewed-by: Heming Zhao <heming.zhao@suse.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Joseph Qi <jiangqi903@gmail.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ocfs2/aops.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/fs/ocfs2/aops.c
+++ b/fs/ocfs2/aops.c
@@ -2322,8 +2322,6 @@ static int ocfs2_dio_end_io_write(struct
goto out;
}
- down_write(&oi->ip_alloc_sem);
-
/* Delete orphan before acquire i_rwsem. */
if (dwc->dw_orphaned) {
BUG_ON(dwc->dw_writer_pid != task_pid_nr(current));
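Review bot: with `down_write(&oi->ip_alloc_sem)` removed from above it, the comment "Delete orphan before acquire i_rwsem." no longer tells the whole story: the orphan removal must now also stay ahead of ip_alloc_sem to keep the lock order described in the commit message. Extend the comment to say so, so that a later change does not move the down_write() back up.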
@@ -2336,6 +2334,7 @@ static int ocfs2_dio_end_io_write(struct
mlog_errno(ret);
}
+ down_write(&oi->ip_alloc_sem);
di = (struct ocfs2_dinode *)di_bh->b_data;
ocfs2_init_dinode_extent_tree(&et, INODE_CACHE(inode), di_bh);
* [PATCH 6.1 085/969] ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tejas Bharambe,
syzbot+a49010a0e8fcdeea075f, Joseph Qi, Mark Fasheh, Joel Becker,
Junxiao Bi, Changwei Ge, Jun Piao, Heming Zhao, Andrew Morton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tejas Bharambe <tejas.bharambe@outlook.com>
commit 7de554cabf160e331e4442e2a9ad874ca9875921 upstream.
filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY,
as documented in mm/filemap.c:
"If our return value has VM_FAULT_RETRY set, it's because the mmap_lock
may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()."
When this happens, a concurrent munmap() can call remove_vma() and free
the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then
becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call
dereferences it -- a use-after-free.
Fix this by saving ip_blkno as a plain integer before calling
filemap_fault(), and removing vma from the trace event. Since
ip_blkno is copied by value before the lock can be dropped, it
remains valid regardless of what happens to the vma or inode
afterward.
Link: https://lkml.kernel.org/r/20260410083816.34951-1-tejas.bharambe@outlook.com
Fixes: 614a9e849ca6 ("ocfs2: Remove FILE_IO from masklog.")
Signed-off-by: Tejas Bharambe <tejas.bharambe@outlook.com>
Reported-by: syzbot+a49010a0e8fcdeea075f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=a49010a0e8fcdeea075f
Suggested-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Cc: Heming Zhao <heming.zhao@suse.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ocfs2/mmap.c | 7 +++----
fs/ocfs2/ocfs2_trace.h | 10 ++++------
2 files changed, 7 insertions(+), 10 deletions(-)
--- a/fs/ocfs2/mmap.c
+++ b/fs/ocfs2/mmap.c
@@ -30,7 +30,8 @@
static vm_fault_t ocfs2_fault(struct vm_fault *vmf)
{
- struct vm_area_struct *vma = vmf->vma;
+ unsigned long long ip_blkno =
+ OCFS2_I(file_inode(vmf->vma->vm_file))->ip_blkno;
sigset_t oldset;
vm_fault_t ret;
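Review bot: the new initializer takes the inode from `file_inode(vmf->vma->vm_file)`, whereas the trace call removed in the next hunk used `vma->vm_file->f_mapping->host`, and the commit message does not mention this switch. State that the two are the same inode for ocfs2 files, or keep the f_mapping->host form so that the patch changes only the point at which the value is read.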
@@ -38,11 +39,9 @@ static vm_fault_t ocfs2_fault(struct vm_
ret = filemap_fault(vmf);
ocfs2_unblock_signals(&oldset);
- trace_ocfs2_fault(OCFS2_I(vma->vm_file->f_mapping->host)->ip_blkno,
- vma, vmf->page, vmf->pgoff);
+ trace_ocfs2_fault(ip_blkno, vmf->page, vmf->pgoff);
return ret;
}
-
static vm_fault_t __ocfs2_page_mkwrite(struct file *file,
struct buffer_head *di_bh, struct page *page)
{
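Review bot: this hunk also deletes the blank line between the closing brace of ocfs2_fault() and `static vm_fault_t __ocfs2_page_mkwrite(`, which is unrelated to the fix and leaves the two functions run together. Restore the blank line.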
--- a/fs/ocfs2/ocfs2_trace.h
+++ b/fs/ocfs2/ocfs2_trace.h
@@ -1248,22 +1248,20 @@ TRACE_EVENT(ocfs2_write_end_inline,
TRACE_EVENT(ocfs2_fault,
TP_PROTO(unsigned long long ino,
- void *area, void *page, unsigned long pgoff),
- TP_ARGS(ino, area, page, pgoff),
+ void *page, unsigned long pgoff),
+ TP_ARGS(ino, page, pgoff),
TP_STRUCT__entry(
__field(unsigned long long, ino)
- __field(void *, area)
__field(void *, page)
__field(unsigned long, pgoff)
),
TP_fast_assign(
__entry->ino = ino;
- __entry->area = area;
__entry->page = page;
__entry->pgoff = pgoff;
),
- TP_printk("%llu %p %p %lu",
- __entry->ino, __entry->area, __entry->page, __entry->pgoff)
+ TP_printk("%llu %p %lu",
+ __entry->ino, __entry->page, __entry->pgoff)
);
/* End of trace events for fs/ocfs2/mmap.c. */
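Review bot: dropping the area field from TRACE_EVENT(ocfs2_fault) changes both the recorded entry layout and the TP_printk format, from "%llu %p %p %lu" to "%llu %p %lu", and anything that parses this event's output will see the difference. The changelog should state that the event format changes, since this is going into a stable tree.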
* [PATCH 6.1 086/969] ocfs2: handle invalid dinode in ocfs2_group_extend
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (84 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 085/969] ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 087/969] KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION Greg Kroah-Hartman
` (889 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, ZhengYuan Huang, Joseph Qi,
Mark Fasheh, Joel Becker, Junxiao Bi, Changwei Ge, Jun Piao,
Heming Zhao, Andrew Morton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: ZhengYuan Huang <gality369@gmail.com>
commit 4a1c0ddc6e7bcf2e9db0eeaab9340dcfe97f448f upstream.
[BUG]
kernel BUG at fs/ocfs2/resize.c:308!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
RIP: 0010:ocfs2_group_extend+0x10aa/0x1ae0 fs/ocfs2/resize.c:308
Code: 8b8520ff ffff83f8 860f8580 030000e8 5cc3c1fe
Call Trace:
...
ocfs2_ioctl+0x175/0x6e0 fs/ocfs2/ioctl.c:869
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x197/0x1e0 fs/ioctl.c:583
x64_sys_call+0x1144/0x26a0 arch/x86/include/generated/asm/syscalls_64.h:17
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x93/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x76/0x7e
...
[CAUSE]
ocfs2_group_extend() assumes that the global bitmap inode block
returned from ocfs2_inode_lock() has already been validated and
BUG_ONs when the signature is not a dinode. That assumption is too
strong for crafted filesystems because the JBD2-managed buffer path
can bypass structural validation and return an invalid dinode to the
resize ioctl.
[FIX]
Validate the dinode explicitly in ocfs2_group_extend(). If the global
bitmap buffer does not contain a valid dinode, report filesystem
corruption with ocfs2_error() and fail the resize operation instead of
crashing the kernel.
Link: https://lkml.kernel.org/r/20260401092303.3709187-1-gality369@gmail.com
Fixes: 10995aa2451a ("ocfs2: Morph the haphazard OCFS2_IS_VALID_DINODE() checks.")
Signed-off-by: ZhengYuan Huang <gality369@gmail.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Cc: Heming Zhao <heming.zhao@suse.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ocfs2/resize.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
--- a/fs/ocfs2/resize.c
+++ b/fs/ocfs2/resize.c
@@ -295,9 +295,13 @@ int ocfs2_group_extend(struct inode * in
fe = (struct ocfs2_dinode *)main_bm_bh->b_data;
- /* main_bm_bh is validated by inode read inside ocfs2_inode_lock(),
- * so any corruption is a code bug. */
- BUG_ON(!OCFS2_IS_VALID_DINODE(fe));
+ /* JBD-managed buffers can bypass validation, so treat this as corruption. */
+ if (!OCFS2_IS_VALID_DINODE(fe)) {
+ ret = ocfs2_error(main_bm_inode->i_sb,
+ "Invalid dinode #%llu\n",
+ (unsigned long long)OCFS2_I(main_bm_inode)->ip_blkno);
+ goto out_unlock;
+ }
if (le16_to_cpu(fe->id2.i_chain.cl_cpg) !=
ocfs2_group_bitmap_size(osb->sb, 0,
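Review bot: the new error branch jumps to out_unlock, and that label lies outside the context shown here, so please confirm it both drops the inode lock and releases main_bm_bh, given that fe points into main_bm_bh->b_data at this point. Separately, the replacement comment says "JBD-managed buffers" while the changelog describes the JBD2-managed buffer path; using the same term in both places makes the comment easier to tie back to the stated cause.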
* [PATCH 6.1 087/969] KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (85 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 086/969] ocfs2: handle invalid dinode in ocfs2_group_extend Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 088/969] Revert "dmaengine: idxd: Fix not releasing workqueue on .release()" Greg Kroah-Hartman
` (888 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Liam Merwick, Sean Christopherson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit 8acffeef5ef720c35e513e322ab08e32683f32f2 upstream.
Drop the WARN in sev_pin_memory() on npages overflowing an int, as the
WARN is comically trivial to trigger from userspace, e.g. by doing:
  struct kvm_enc_region range = {
          .addr = 0,
          .size = -1ul,
  };
  __vm_ioctl(vm, KVM_MEMORY_ENCRYPT_REG_REGION, &range);
Note, the checks in sev_mem_enc_register_region() that presumably exist to
verify the incoming address+size are completely worthless, as both "addr"
and "size" are u64s and SEV is 64-bit only, i.e. they _can't_ be greater
than ULONG_MAX. That wart will be cleaned up in the near future.
  if (range->addr > ULONG_MAX || range->size > ULONG_MAX)
          return -EINVAL;
Opportunistically add a comment to explain why the code calculates the
number of pages the "hard" way, e.g. instead of just shifting @ulen.
Fixes: 78824fabc72e ("KVM: SVM: fix svn_pin_memory()'s use of get_user_pages_fast()")
Cc: stable@vger.kernel.org
Reviewed-by: Liam Merwick <liam.merwick@oracle.com>
Tested-by: Liam Merwick <liam.merwick@oracle.com>
Link: https://patch.msgid.link/20260313003302.3136111-2-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/sev.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -406,10 +406,16 @@ static struct page **sev_pin_memory(stru
if (ulen == 0 || uaddr + ulen < uaddr)
return ERR_PTR(-EINVAL);
- /* Calculate number of pages. */
+ /*
+ * Calculate the number of pages that need to be pinned to cover the
+ * entire range. Note! This isn't simply ulen >> PAGE_SHIFT, as KVM
+ * doesn't require the incoming address+size to be page aligned!
+ */
first = (uaddr & PAGE_MASK) >> PAGE_SHIFT;
last = ((uaddr + ulen - 1) & PAGE_MASK) >> PAGE_SHIFT;
npages = (last - first + 1);
+ if (npages > INT_MAX)
+ return ERR_PTR(-EINVAL);
locked = sev->pages_locked + npages;
lock_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
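Review bot: the npages > INT_MAX test now runs before the RLIMIT_MEMLOCK accounting, whereas the removed WARN_ON_ONCE() sat after the -ENOMEM return, so an oversized request that previously failed the lock-limit check with -ENOMEM can now fail with -EINVAL instead. The changelog only talks about dropping the WARN; it should also mention that the check moved and that the errno seen by userspace can change for such requests.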
@@ -418,9 +424,6 @@ static struct page **sev_pin_memory(stru
return ERR_PTR(-ENOMEM);
}
- if (WARN_ON_ONCE(npages > INT_MAX))
- return ERR_PTR(-EINVAL);
-
/* Avoid using vmalloc for smaller buffers. */
size = npages * sizeof(struct page *);
if (size > PAGE_SIZE)
* [PATCH 6.1 088/969] Revert "dmaengine: idxd: Fix not releasing workqueue on .release()"
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (86 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 087/969] KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 089/969] ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free Greg Kroah-Hartman
` (887 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
This reverts commit fd4cb61bbd0fc3a749a8da6145cbb56d8f6dba35.
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/idxd/sysfs.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/dma/idxd/sysfs.c b/drivers/dma/idxd/sysfs.c
index ea222e1654ab9..0689464c4816a 100644
--- a/drivers/dma/idxd/sysfs.c
+++ b/drivers/dma/idxd/sysfs.c
@@ -1663,7 +1663,6 @@ static void idxd_conf_device_release(struct device *dev)
{
struct idxd_device *idxd = confdev_to_idxd(dev);
- destroy_workqueue(idxd->wq);
kfree(idxd->groups);
bitmap_free(idxd->wq_enable_map);
kfree(idxd->wqs);
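Review bot: the changelog gives no reason for the revert, only the id of the reverted commit. With destroy_workqueue(idxd->wq) removed from idxd_conf_device_release(), nothing in the visible part of this function tears down idxd->wq any more, so the message should say why the call was wrong in 6.1 and where the workqueue is destroyed instead.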
--
2.53.0
* [PATCH 6.1 089/969] ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (87 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 088/969] Revert "dmaengine: idxd: Fix not releasing workqueue on .release()" Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 090/969] net: add proper RCU protection to /proc/net/ptype Greg Kroah-Hartman
` (886 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+f02665daa2abeef4a947,
Jeongjun Park, Takashi Iwai, Wenshan Lan, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeongjun Park <aha310510@gmail.com>
[ Upstream commit 9f2c0ac1423d5f267e7f1d1940780fc764b0fee3 ]
The previous commit 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at
removal") patched a UAF issue caused by the error timer.
However, because the error timer kill added in this patch occurs after the
endpoint delete, a race condition to UAF still occurs, albeit rarely.
Additionally, since kill-cleanup for urb is also missing, freed memory can
be accessed in interrupt context related to urb, which can cause UAF.
Therefore, to prevent this, error timer and urb must be killed before
freeing the heap memory.
Cc: <stable@vger.kernel.org>
Reported-by: syzbot+f02665daa2abeef4a947@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=f02665daa2abeef4a947
Fixes: 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at removal")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Wenshan Lan <jetlan9@163.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/midi.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/sound/usb/midi.c b/sound/usb/midi.c
index 08dd0f0b19a3f..49a11e517e785 100644
--- a/sound/usb/midi.c
+++ b/sound/usb/midi.c
@@ -1522,15 +1522,14 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi)
{
int i;
+ if (!umidi->disconnected)
+ snd_usbmidi_disconnect(&umidi->list);
+
for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) {
struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i];
- if (ep->out)
- snd_usbmidi_out_endpoint_delete(ep->out);
- if (ep->in)
- snd_usbmidi_in_endpoint_delete(ep->in);
+ kfree(ep->out);
}
mutex_destroy(&umidi->mutex);
- timer_shutdown_sync(&umidi->error_timer);
kfree(umidi);
}
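Review bot: the loop no longer touches ep->in and frees ep->out with a bare kfree(), so snd_usbmidi_free() now depends entirely on snd_usbmidi_disconnect() having already released the input endpoints and the output URBs, which is not visible in this hunk. Please add a comment above the loop stating that contract. The disconnect call is also skipped when umidi->disconnected is already set, so whatever set that flag must have stopped umidi->error_timer as well, now that timer_shutdown_sync() is gone from this function.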
--
2.53.0
* [PATCH 6.1 090/969] net: add proper RCU protection to /proc/net/ptype
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (88 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 089/969] ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 091/969] net: sched: fix TCF_LAYER_TRANSPORT handling in tcf_get_base_ptr() Greg Kroah-Hartman
` (885 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yin Fengwei, Dong Chenchen,
Eric Dumazet, Willem de Bruijn, Jakub Kicinski, XiaoHua Wang,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit f613e8b4afea0cd17c7168e8b00e25bc8d33175d ]
Yin Fengwei reported an RCU stall in ptype_seq_show() and provided
a patch.
The real issue is that ptype_seq_next() and ptype_seq_show() violate
RCU rules.
ptype_seq_show() runs under rcu_read_lock(), and reads pt->dev
to get device name without any barrier.
At the same time, concurrent writers can remove a packet_type structure
(which is correctly freed after an RCU grace period) and clear pt->dev
without an RCU grace period.
Define ptype_iter_state to carry a dev pointer along seq_net_private:
  struct ptype_iter_state {
          struct seq_net_private p;
          struct net_device *dev; // added in this patch
  };
We need to record the device pointer in ptype_get_idx() and
ptype_seq_next() so that ptype_seq_show() is safe against
concurrent pt->dev changes.
We also need to add full RCU protection in ptype_seq_next().
(Missing READ_ONCE() when reading list.next values)
Many thanks to Dong Chenchen for providing a repro.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Fixes: 1d10f8a1f40b ("net-procfs: show net devices bound packet types")
Fixes: c353e8983e0d ("net: introduce per netns packet chains")
Reported-by: Yin Fengwei <fengwei_yin@linux.alibaba.com>
Reported-by: Dong Chenchen <dongchenchen2@huawei.com>
Closes: https://lore.kernel.org/netdev/CANn89iKRRKPnWjJmb-_3a=sq+9h6DvTQM4DBZHT5ZRGPMzQaiA@mail.gmail.com/T/#m7b80b9fc9b9267f90e0b7aad557595f686f9c50d
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Tested-by: Yin Fengwei <fengwei_yin@linux.alibaba.com>
Link: https://patch.msgid.link/20260202205217.2881198-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ Some adjustments have been made. ]
Signed-off-by: XiaoHua Wang <561399680@139.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/net-procfs.c | 49 +++++++++++++++++++++++++++++--------------
1 file changed, 33 insertions(+), 16 deletions(-)
diff --git a/net/core/net-procfs.c b/net/core/net-procfs.c
index 1ec23bf8b05ca..2be3c1f6949bc 100644
--- a/net/core/net-procfs.c
+++ b/net/core/net-procfs.c
@@ -192,8 +192,14 @@ static const struct seq_operations softnet_seq_ops = {
.show = softnet_seq_show,
};
+struct ptype_iter_state {
+ struct seq_net_private p;
+ struct net_device *dev;
+};
+
static void *ptype_get_idx(struct seq_file *seq, loff_t pos)
{
+ struct ptype_iter_state *iter = seq->private;
struct list_head *ptype_list = NULL;
struct packet_type *pt = NULL;
struct net_device *dev;
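Review bot: struct ptype_iter_state needs a comment that struct seq_net_private p must stay its first member. The same seq->private pointer is cast to ptype_iter_state here and is still what seq_file_net(seq) works from, so reordering the fields would silently break the netns lookup. A short comment on the dev member, saying it is only meaningful inside the RCU read-side section of the current iteration, would help as well.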
@@ -203,12 +209,16 @@ static void *ptype_get_idx(struct seq_file *seq, loff_t pos)
for_each_netdev_rcu(seq_file_net(seq), dev) {
ptype_list = &dev->ptype_all;
list_for_each_entry_rcu(pt, ptype_list, list) {
- if (i == pos)
+ if (i == pos) {
+ iter->dev = dev;
return pt;
+ }
++i;
}
}
+ iter->dev = NULL;
+
list_for_each_entry_rcu(pt, &ptype_all, list) {
if (i == pos)
return pt;
@@ -234,6 +244,7 @@ static void *ptype_seq_start(struct seq_file *seq, loff_t *pos)
static void *ptype_seq_next(struct seq_file *seq, void *v, loff_t *pos)
{
+ struct ptype_iter_state *iter = seq->private;
struct net_device *dev;
struct packet_type *pt;
struct list_head *nxt;
@@ -244,20 +255,21 @@ static void *ptype_seq_next(struct seq_file *seq, void *v, loff_t *pos)
return ptype_get_idx(seq, 0);
pt = v;
- nxt = pt->list.next;
- if (pt->dev) {
- if (nxt != &pt->dev->ptype_all)
+ nxt = READ_ONCE(pt->list.next);
+ dev = iter->dev;
+ if (dev) {
+ if (nxt != &dev->ptype_all)
goto found;
- dev = pt->dev;
for_each_netdev_continue_rcu(seq_file_net(seq), dev) {
- if (!list_empty(&dev->ptype_all)) {
- nxt = dev->ptype_all.next;
+ nxt = READ_ONCE(dev->ptype_all.next);
+ if (nxt != &dev->ptype_all) {
+ iter->dev = dev;
goto found;
}
}
-
- nxt = ptype_all.next;
+ iter->dev = NULL;
+ nxt = READ_ONCE(ptype_all.next);
goto ptype_all;
}
@@ -266,14 +278,14 @@ static void *ptype_seq_next(struct seq_file *seq, void *v, loff_t *pos)
if (nxt != &ptype_all)
goto found;
hash = 0;
- nxt = ptype_base[0].next;
+ nxt = READ_ONCE(ptype_base[0].next);
} else
hash = ntohs(pt->type) & PTYPE_HASH_MASK;
while (nxt == &ptype_base[hash]) {
if (++hash >= PTYPE_HASH_SIZE)
return NULL;
- nxt = ptype_base[hash].next;
+ nxt = READ_ONCE(ptype_base[hash].next);
}
found:
return list_entry(nxt, struct packet_type, list);
@@ -287,19 +299,24 @@ static void ptype_seq_stop(struct seq_file *seq, void *v)
static int ptype_seq_show(struct seq_file *seq, void *v)
{
+ struct ptype_iter_state *iter = seq->private;
struct packet_type *pt = v;
+ struct net_device *dev;
- if (v == SEQ_START_TOKEN)
+ if (v == SEQ_START_TOKEN) {
seq_puts(seq, "Type Device Function\n");
- else if ((!pt->af_packet_net || net_eq(pt->af_packet_net, seq_file_net(seq))) &&
- (!pt->dev || net_eq(dev_net(pt->dev), seq_file_net(seq)))) {
+ return 0;
+ }
+ dev = iter->dev;
+ if ((!pt->af_packet_net || net_eq(pt->af_packet_net, seq_file_net(seq))) &&
+ (!dev || net_eq(dev_net(dev), seq_file_net(seq)))) {
if (pt->type == htons(ETH_P_ALL))
seq_puts(seq, "ALL ");
else
seq_printf(seq, "%04x", ntohs(pt->type));
seq_printf(seq, " %-8s %ps\n",
- pt->dev ? pt->dev->name : "", pt->func);
+ dev ? dev->name : "", pt->func);
}
return 0;
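Review bot: ptype_seq_show() still reads pt->af_packet_net, pt->type and pt->func with plain loads, while only the device pointer was moved to the cached iter->dev. The changelog says concurrent writers can modify a packet_type that readers still see, so please either confirm in a comment that these three fields are stable for as long as the entry is RCU-visible, or give them the same treatment as pt->dev.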
@@ -323,7 +340,7 @@ static int __net_init dev_proc_net_init(struct net *net)
&softnet_seq_ops))
goto out_dev;
if (!proc_create_net("ptype", 0444, net->proc_net, &ptype_seq_ops,
- sizeof(struct seq_net_private)))
+ sizeof(struct ptype_iter_state)))
goto out_softnet;
if (wext_proc_init(net))
--
2.53.0
* [PATCH 6.1 091/969] net: sched: fix TCF_LAYER_TRANSPORT handling in tcf_get_base_ptr()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (89 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 090/969] net: add proper RCU protection to /proc/net/ptype Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 092/969] bonding: return detailed error when loading native XDP fails Greg Kroah-Hartman
` (884 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+f3a497f02c389d86ef16,
Eric Dumazet, Jamal Hadi Salim, Jakub Kicinski, Chelsy Ratnawat,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[Upstream commit 4fe5a00ec70717a7f1002d8913ec6143582b3c8e]
syzbot reported that tcf_get_base_ptr() can be called while transport
header is not set [1].
Instead of returning a dangling pointer, return NULL.
Fix tcf_get_base_ptr() callers to handle this NULL value.
[1]
WARNING: CPU: 1 PID: 6019 at ./include/linux/skbuff.h:3071 skb_transport_header include/linux/skbuff.h:3071 [inline]
WARNING: CPU: 1 PID: 6019 at ./include/linux/skbuff.h:3071 tcf_get_base_ptr include/net/pkt_cls.h:539 [inline]
WARNING: CPU: 1 PID: 6019 at ./include/linux/skbuff.h:3071 em_nbyte_match+0x2d8/0x3f0 net/sched/em_nbyte.c:43
Modules linked in:
CPU: 1 UID: 0 PID: 6019 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Call Trace:
<TASK>
tcf_em_match net/sched/ematch.c:494 [inline]
__tcf_em_tree_match+0x1ac/0x770 net/sched/ematch.c:520
tcf_em_tree_match include/net/pkt_cls.h:512 [inline]
basic_classify+0x115/0x2d0 net/sched/cls_basic.c:50
tc_classify include/net/tc_wrapper.h:197 [inline]
__tcf_classify net/sched/cls_api.c:1764 [inline]
tcf_classify+0x4cf/0x1140 net/sched/cls_api.c:1860
multiq_classify net/sched/sch_multiq.c:39 [inline]
multiq_enqueue+0xfd/0x4c0 net/sched/sch_multiq.c:66
dev_qdisc_enqueue+0x4e/0x260 net/core/dev.c:4118
__dev_xmit_skb net/core/dev.c:4214 [inline]
__dev_queue_xmit+0xe83/0x3b50 net/core/dev.c:4729
packet_snd net/packet/af_packet.c:3076 [inline]
packet_sendmsg+0x3e33/0x5080 net/packet/af_packet.c:3108
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg+0x21c/0x270 net/socket.c:742
____sys_sendmsg+0x505/0x830 net/socket.c:2630
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot+f3a497f02c389d86ef16@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/6920855a.a70a0220.2ea503.0058.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20251121154100.1616228-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Chelsy Ratnawat <chelsyratnawat2001@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/pkt_cls.h | 2 ++
net/sched/em_cmp.c | 5 ++++-
net/sched/em_nbyte.c | 2 ++
net/sched/em_text.c | 11 +++++++++--
4 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/include/net/pkt_cls.h b/include/net/pkt_cls.h
index 4cabb32a2ad94..857d9ea60d469 100644
--- a/include/net/pkt_cls.h
+++ b/include/net/pkt_cls.h
@@ -526,6 +526,8 @@ static inline unsigned char * tcf_get_base_ptr(struct sk_buff *skb, int layer)
case TCF_LAYER_NETWORK:
return skb_network_header(skb);
case TCF_LAYER_TRANSPORT:
+ if (!skb_transport_header_was_set(skb))
+ break;
return skb_transport_header(skb);
}
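Review bot: the new break in the TCF_LAYER_TRANSPORT case relies on the code after the switch returning NULL, and that code is outside this hunk; returning NULL directly inside the if would make the behaviour the changelog describes obvious at the point of the check. tcf_get_base_ptr() also deserves a comment saying it can now return NULL, and the backport should confirm that em_cmp, em_nbyte and em_text are the only callers in 6.1.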
diff --git a/net/sched/em_cmp.c b/net/sched/em_cmp.c
index f17b049ea5309..71ce113f2d08e 100644
--- a/net/sched/em_cmp.c
+++ b/net/sched/em_cmp.c
@@ -22,9 +22,12 @@ static int em_cmp_match(struct sk_buff *skb, struct tcf_ematch *em,
struct tcf_pkt_info *info)
{
struct tcf_em_cmp *cmp = (struct tcf_em_cmp *) em->data;
- unsigned char *ptr = tcf_get_base_ptr(skb, cmp->layer) + cmp->off;
+ unsigned char *ptr = tcf_get_base_ptr(skb, cmp->layer);
u32 val = 0;
+ if (!ptr)
+ return 0;
+ ptr += cmp->off;
if (!tcf_valid_offset(skb, ptr, cmp->align))
return 0;
diff --git a/net/sched/em_nbyte.c b/net/sched/em_nbyte.c
index a83b237cbeb06..2e3c1d58d4563 100644
--- a/net/sched/em_nbyte.c
+++ b/net/sched/em_nbyte.c
@@ -42,6 +42,8 @@ static int em_nbyte_match(struct sk_buff *skb, struct tcf_ematch *em,
struct nbyte_data *nbyte = (struct nbyte_data *) em->data;
unsigned char *ptr = tcf_get_base_ptr(skb, nbyte->hdr.layer);
+ if (!ptr)
+ return 0;
ptr += nbyte->hdr.off;
if (!tcf_valid_offset(skb, ptr, nbyte->hdr.len))
diff --git a/net/sched/em_text.c b/net/sched/em_text.c
index f176afb70559e..32aae8a9dedaa 100644
--- a/net/sched/em_text.c
+++ b/net/sched/em_text.c
@@ -29,12 +29,19 @@ static int em_text_match(struct sk_buff *skb, struct tcf_ematch *m,
struct tcf_pkt_info *info)
{
struct text_match *tm = EM_TEXT_PRIV(m);
+ unsigned char *ptr;
int from, to;
- from = tcf_get_base_ptr(skb, tm->from_layer) - skb->data;
+ ptr = tcf_get_base_ptr(skb, tm->from_layer);
+ if (!ptr)
+ return 0;
+ from = ptr - skb->data;
from += tm->from_offset;
- to = tcf_get_base_ptr(skb, tm->to_layer) - skb->data;
+ ptr = tcf_get_base_ptr(skb, tm->to_layer);
+ if (!ptr)
+ return 0;
+ to = ptr - skb->data;
to += tm->to_offset;
return skb_find_text(skb, from, to, tm->config) != UINT_MAX;
--
2.53.0
* [PATCH 6.1 092/969] bonding: return detailed error when loading native XDP fails
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (90 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 091/969] net: sched: fix TCF_LAYER_TRANSPORT handling in tcf_get_base_ptr() Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 093/969] bonding: check xdp prog when set bond mode Greg Kroah-Hartman
` (883 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nikolay Aleksandrov,
Toke Høiland-Jørgensen, Hangbin Liu, Jakub Kicinski,
Rajani Kantha, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hangbin Liu <liuhangbin@gmail.com>
[ Upstream commit 22ccb684c1cae37411450e6e86a379cd3c29cb8f ]
Bonding only supports native XDP for specific modes, which can lead to
confusion for users regarding why XDP loads successfully at times and
fails at others. This patch enhances error handling by returning detailed
error messages, providing users with clearer insights into the specific
reasons for the failure when loading native XDP.
Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Link: https://patch.msgid.link/20241021031211.814-2-liuhangbin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Rajani Kantha <681739313@139.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_main.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 7fe7485fbb160..c6b4f681c70d1 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -5636,8 +5636,11 @@ static int bond_xdp_set(struct net_device *dev, struct bpf_prog *prog,
ASSERT_RTNL();
- if (!bond_xdp_check(bond))
+ if (!bond_xdp_check(bond)) {
+ BOND_NL_ERR(dev, extack,
+ "No native XDP support for the current bonding mode");
return -EOPNOTSUPP;
+ }
old_prog = bond->xdp_prog;
bond->xdp_prog = prog;
--
2.53.0
* [PATCH 6.1 093/969] bonding: check xdp prog when set bond mode
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (91 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 092/969] bonding: return detailed error when loading native XDP fails Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 094/969] drm/amdgpu: remove two invalid BUG_ON()s Greg Kroah-Hartman
` (882 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wang Liang, Jussi Maki,
Nikolay Aleksandrov, Toke Høiland-Jørgensen,
Jakub Kicinski, Rajani Kantha, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wang Liang <wangliang74@huawei.com>
[ Upstream commit 094ee6017ea09c11d6af187935a949df32803ce0 ]
The following operations can trigger a warning[1]:
  ip netns add ns1
  ip netns exec ns1 ip link add bond0 type bond mode balance-rr
  ip netns exec ns1 ip link set dev bond0 xdp obj af_xdp_kern.o sec xdp
  ip netns exec ns1 ip link set bond0 type bond mode broadcast
  ip netns del ns1
When deleting the namespace, dev_xdp_uninstall() is called to remove the xdp
program on the bond dev, and bond_xdp_set() will check the bond mode. If the
bond mode is changed after attaching the xdp program, the warning may occur.
Some bond modes (broadcast, etc.) do not support native xdp. Setting the bond
mode with an xdp program attached is not good. Add a check for the xdp program
when setting the bond mode.
[1]
------------[ cut here ]------------
WARNING: CPU: 0 PID: 11 at net/core/dev.c:9912 unregister_netdevice_many_notify+0x8d9/0x930
Modules linked in:
CPU: 0 UID: 0 PID: 11 Comm: kworker/u4:0 Not tainted 6.14.0-rc4 #107
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
Workqueue: netns cleanup_net
RIP: 0010:unregister_netdevice_many_notify+0x8d9/0x930
Code: 00 00 48 c7 c6 6f e3 a2 82 48 c7 c7 d0 b3 96 82 e8 9c 10 3e ...
RSP: 0018:ffffc90000063d80 EFLAGS: 00000282
RAX: 00000000ffffffa1 RBX: ffff888004959000 RCX: 00000000ffffdfff
RDX: 0000000000000000 RSI: 00000000ffffffea RDI: ffffc90000063b48
RBP: ffffc90000063e28 R08: ffffffff82d39b28 R09: 0000000000009ffb
R10: 0000000000000175 R11: ffffffff82d09b40 R12: ffff8880049598e8
R13: 0000000000000001 R14: dead000000000100 R15: ffffc90000045000
FS: 0000000000000000(0000) GS:ffff888007a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000d406b60 CR3: 000000000483e000 CR4: 00000000000006f0
Call Trace:
<TASK>
? __warn+0x83/0x130
? unregister_netdevice_many_notify+0x8d9/0x930
? report_bug+0x18e/0x1a0
? handle_bug+0x54/0x90
? exc_invalid_op+0x18/0x70
? asm_exc_invalid_op+0x1a/0x20
? unregister_netdevice_many_notify+0x8d9/0x930
? bond_net_exit_batch_rtnl+0x5c/0x90
cleanup_net+0x237/0x3d0
process_one_work+0x163/0x390
worker_thread+0x293/0x3b0
? __pfx_worker_thread+0x10/0x10
kthread+0xec/0x1e0
? __pfx_kthread+0x10/0x10
? __pfx_kthread+0x10/0x10
ret_from_fork+0x2f/0x50
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
---[ end trace 0000000000000000 ]---
Fixes: 9e2ee5c7e7c3 ("net, bonding: Add XDP support to the bonding driver")
Signed-off-by: Wang Liang <wangliang74@huawei.com>
Acked-by: Jussi Maki <joamaki@gmail.com>
Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
Link: https://patch.msgid.link/20250321044852.1086551-1-wangliang74@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ Ignore changes in bond_xdp_set_features(), it was introduced to kernel
in commit:cb9e6e584d58 ("bonding: add xdp_features support") since 6.4 ]
Signed-off-by: Rajani Kantha <681739313@139.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_main.c | 6 +++---
drivers/net/bonding/bond_options.c | 3 +++
include/net/bonding.h | 1 +
3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index c6b4f681c70d1..14e7439717a3d 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -320,9 +320,9 @@ bool bond_sk_check(struct bonding *bond)
}
}
-static bool bond_xdp_check(struct bonding *bond)
+bool bond_xdp_check(struct bonding *bond, int mode)
{
- switch (BOND_MODE(bond)) {
+ switch (mode) {
case BOND_MODE_ROUNDROBIN:
case BOND_MODE_ACTIVEBACKUP:
return true;
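Review bot: bond_xdp_check() becomes a non-static function declared in include/net/bonding.h but gains no comment describing the new mode argument. Callers now have to know that mode is the mode being tested rather than BOND_MODE(bond), which is exactly the distinction this patch depends on, so a short comment above the definition would prevent the two from being confused later.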
@@ -5636,7 +5636,7 @@ static int bond_xdp_set(struct net_device *dev, struct bpf_prog *prog,
ASSERT_RTNL();
- if (!bond_xdp_check(bond)) {
+ if (!bond_xdp_check(bond, BOND_MODE(bond))) {
BOND_NL_ERR(dev, extack,
"No native XDP support for the current bonding mode");
return -EOPNOTSUPP;
diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bond_options.c
index 9473e76c6dc9d..62b5d29e6db6c 100644
--- a/drivers/net/bonding/bond_options.c
+++ b/drivers/net/bonding/bond_options.c
@@ -881,6 +881,9 @@ static bool bond_set_tls_features(struct bonding *bond)
static int bond_option_mode_set(struct bonding *bond,
const struct bond_opt_value *newval)
{
+ if (bond->xdp_prog && !bond_xdp_check(bond, newval->value))
+ return -EOPNOTSUPP;
+
if (!bond_mode_uses_arp(newval->value)) {
if (bond->params.arp_interval) {
netdev_dbg(bond->dev, "%s mode is incompatible with arp monitoring, start mii monitoring\n",
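Review bot: the new check at the top of bond_option_mode_set() rejects the mode change with a bare -EOPNOTSUPP and no message, while the attach path in bond_xdp_set() reports "No native XDP support for the current bonding mode" through BOND_NL_ERR(). A log line here that names the requested mode, for instance via bond_mode_name(newval->value), would tell the user that the attached XDP program is what blocks the change.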
diff --git a/include/net/bonding.h b/include/net/bonding.h
index bdfbe77c18420..0a84a63d5e324 100644
--- a/include/net/bonding.h
+++ b/include/net/bonding.h
@@ -701,6 +701,7 @@ void bond_debug_register(struct bonding *bond);
void bond_debug_unregister(struct bonding *bond);
void bond_debug_reregister(struct bonding *bond);
const char *bond_mode_name(int mode);
+bool bond_xdp_check(struct bonding *bond, int mode);
void bond_setup(struct net_device *bond_dev);
unsigned int bond_get_num_tx_queues(void);
int bond_netlink_init(void);
--
2.53.0
* [PATCH 6.1 094/969] drm/amdgpu: remove two invalid BUG_ON()s
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (92 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 093/969] bonding: check xdp prog when set bond mode Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 095/969] nf_tables: nft_dynset: fix possible stateful expression memleak in error path Greg Kroah-Hartman
` (881 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian König, Alex Deucher,
Timur Kristóf, Robert Garcia, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian König <christian.koenig@amd.com>
[ Upstream commit 5d55ed19d4190d2c210ac05ac7a53f800a8c6fe5 ]
Those can be triggered trivially by userspace.
Signed-off-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Acked-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
[ Modified to gfx_v11_0.c only. ]
Signed-off-by: Robert Garcia <rob_garcia@163.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c
index 37f793f7d4d24..6e3a32779168b 100644
--- a/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c
@@ -5380,8 +5380,6 @@ static void gfx_v11_0_ring_emit_ib_gfx(struct amdgpu_ring *ring,
unsigned vmid = AMDGPU_JOB_GET_VMID(job);
u32 header, control = 0;
- BUG_ON(ib->flags & AMDGPU_IB_FLAG_CE);
-
header = PACKET3(PACKET3_INDIRECT_BUFFER, 2);
control |= ib->length_dw | (vmid << 24);
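Review bot: With the BUG_ON() on AMDGPU_IB_FLAG_CE removed, an IB carrying that flag falls straight through to header = PACKET3(PACKET3_INDIRECT_BUFFER, 2) and is emitted like any other IB, so the flag is silently ignored in gfx_v11_0_ring_emit_ib_gfx(). Since the changelog says userspace can trigger this trivially, please state in a comment or in the changelog whether ignoring the flag here is intended or whether such a submission should be rejected with an error before the ring emit stage. The subject also speaks of two BUG_ON()s while this backport removes one; the "[ Modified to gfx_v11_0.c only. ]" note could say so explicitly.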
--
2.53.0
* [PATCH 6.1 095/969] nf_tables: nft_dynset: fix possible stateful expression memleak in error path
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gurpreet Shergill, Pablo Neira Ayuso,
Florian Westphal, Li hongliang, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit 0548a13b5a145b16e4da0628b5936baf35f51b43 ]
If cloning the second stateful expression in the element via GFP_ATOMIC
fails, then the first stateful expression remains in place without being
released.
unreferenced object (percpu) 0x607b97e9cab8 (size 16):
comm "softirq", pid 0, jiffies 4294931867
hex dump (first 16 bytes on cpu 3):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
backtrace (crc 0):
pcpu_alloc_noprof+0x453/0xd80
nft_counter_clone+0x9c/0x190 [nf_tables]
nft_expr_clone+0x8f/0x1b0 [nf_tables]
nft_dynset_new+0x2cb/0x5f0 [nf_tables]
nft_rhash_update+0x236/0x11c0 [nf_tables]
nft_dynset_eval+0x11f/0x670 [nf_tables]
nft_do_chain+0x253/0x1700 [nf_tables]
nft_do_chain_ipv4+0x18d/0x270 [nf_tables]
nf_hook_slow+0xaa/0x1e0
ip_local_deliver+0x209/0x330
Fixes: 563125a73ac3 ("netfilter: nftables: generalize set extension to support for several expressions")
Reported-by: Gurpreet Shergill <giki.shergill@proton.me>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
[ Minor conflict resolved. ]
Signed-off-by: Li hongliang <1468888505@139.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/netfilter/nf_tables.h | 2 ++
net/netfilter/nf_tables_api.c | 4 ++--
net/netfilter/nft_dynset.c | 10 +++++++++-
3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 38c74f9fcce22..dafa0a32e6e1d 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -838,6 +838,8 @@ void *nft_set_elem_init(const struct nft_set *set,
u64 timeout, u64 expiration, gfp_t gfp);
int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,
struct nft_expr *expr_array[]);
+void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
+ struct nft_set_elem_expr *elem_expr);
void nft_set_elem_destroy(const struct nft_set *set, void *elem,
bool destroy_expr);
void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
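Review bot: The new declaration places nft_set_elem_expr_destroy() directly beside nft_set_elem_destroy() and nf_tables_set_elem_destroy(), three public names that differ by a word, and none of them is commented. A short comment on the new prototype saying that it releases only the stateful expressions held in elem_expr, not the element, would lower the chance of picking the wrong helper in an error path.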
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index fb3d529ebf5ab..0c42242826387 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -6025,8 +6025,8 @@ static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
}
}
-static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
- struct nft_set_elem_expr *elem_expr)
+void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
+ struct nft_set_elem_expr *elem_expr)
{
struct nft_expr *expr;
u32 size;
diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
index 953aba871f45c..5f58ac874005a 100644
--- a/net/netfilter/nft_dynset.c
+++ b/net/netfilter/nft_dynset.c
@@ -30,18 +30,26 @@ static int nft_dynset_expr_setup(const struct nft_dynset *priv,
const struct nft_set_ext *ext)
{
struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext);
+ struct nft_ctx ctx = {
+ .net = read_pnet(&priv->set->net),
+ .family = priv->set->table->family,
+ };
struct nft_expr *expr;
int i;
for (i = 0; i < priv->num_exprs; i++) {
expr = nft_setelem_expr_at(elem_expr, elem_expr->size);
if (nft_expr_clone(expr, priv->expr_array[i], GFP_ATOMIC) < 0)
- return -1;
+ goto err_out;
elem_expr->size += priv->expr_array[i]->ops->size;
}
return 0;
+err_out:
+ nft_set_elem_expr_destroy(&ctx, elem_expr);
+
+ return -1;
}
static void *nft_dynset_new(struct nft_set *set, const struct nft_expr *expr,
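Review bot: The on-stack ctx handed to nft_set_elem_expr_destroy() at err_out has only .net and .family initialised, so every other nft_ctx field is zero; that is safe only while the expression destroy callbacks read nothing else, and a comment saying so would guard against a later destroy path dereferencing an unset field. Please also confirm that the caller's handling of the -1 return does not release the same expressions a second time (for example via nft_set_elem_destroy() with destroy_expr set to true), because elem_expr->size still covers the clones that err_out has just destroyed unless the helper resets it.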
--
2.53.0
* [PATCH 6.1 096/969] rxrpc: proc: size address buffers for %pISpc output
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pengpeng Hou, David Howells,
Marc Dionne, Anderson Nascimento, Simon Horman, linux-afs, stable,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pengpeng Hou <pengpeng@iscas.ac.cn>
[ Upstream commit a44ce6aa2efb61fe44f2cfab72bb01544bbca272 ]
The AF_RXRPC procfs helpers format local and remote socket addresses into
fixed 50-byte stack buffers with "%pISpc".
That is too small for the longest current-tree IPv6-with-port form the
formatter can produce. In lib/vsprintf.c, the compressed IPv6 path uses a
dotted-quad tail not only for v4mapped addresses, but also for ISATAP
addresses via ipv6_addr_is_isatap().
As a result, a case such as
[ffff:ffff:ffff:ffff:0:5efe:255.255.255.255]:65535
is possible with the current formatter. That is 50 visible characters, so
51 bytes including the trailing NUL, which does not fit in the existing
char[50] buffers used by net/rxrpc/proc.c.
Size the buffers from the formatter's maximum textual form and switch the
call sites to scnprintf().
Changes since v1:
- correct the changelog to cite the actual maximum current-tree case
explicitly
- frame the proof around the ISATAP formatting path instead of the earlier
mapped-v4 example
Fixes: 75b54cb57ca3 ("rxrpc: Add IPv6 support")
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Anderson Nascimento <anderson@allelesecurity.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://patch.msgid.link/20260408121252.2249051-22-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ adapted address accessors and variable declarations ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/rxrpc/proc.c | 26 +++++++++++++++-----------
1 file changed, 15 insertions(+), 11 deletions(-)
diff --git a/net/rxrpc/proc.c b/net/rxrpc/proc.c
index 245418943e01c..47d36554ad311 100644
--- a/net/rxrpc/proc.c
+++ b/net/rxrpc/proc.c
@@ -10,6 +10,10 @@
#include <net/af_rxrpc.h>
#include "ar-internal.h"
+#define RXRPC_PROC_ADDRBUF_SIZE \
+ (sizeof("[xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:255.255.255.255]") + \
+ sizeof(":12345"))
+
static const char *const rxrpc_conn_states[RXRPC_CONN__NR_STATES] = {
[RXRPC_CONN_UNUSED] = "Unused ",
[RXRPC_CONN_CLIENT] = "Client ",
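Review bot: RXRPC_PROC_ADDRBUF_SIZE sizes the buffers for the 50-character worst case, but the seq_printf() calls that consume lbuff and rbuff further down in this patch still print with "%-47.47s", so the longest address is now stored safely and then cut to 47 characters on output, losing the end of the port. If the full address is meant to be readable in the proc files, the precision needs widening together with the buffers; if the column width is deliberately fixed, the changelog should say the truncation is intended. The define also has no comment: the ISATAP dotted-quad reasoning exists only in the changelog, and since both sizeof() terms count a terminating NUL the result is one byte larger than strictly needed, which is harmless but worth a line of explanation next to the macro.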
@@ -55,7 +59,7 @@ static int rxrpc_call_seq_show(struct seq_file *seq, void *v)
struct rxrpc_net *rxnet = rxrpc_net(seq_file_net(seq));
unsigned long timeout = 0;
rxrpc_seq_t tx_hard_ack, rx_hard_ack;
- char lbuff[50], rbuff[50];
+ char lbuff[RXRPC_PROC_ADDRBUF_SIZE], rbuff[RXRPC_PROC_ADDRBUF_SIZE];
if (v == &rxnet->calls) {
seq_puts(seq,
@@ -72,7 +76,7 @@ static int rxrpc_call_seq_show(struct seq_file *seq, void *v)
if (rx) {
local = READ_ONCE(rx->local);
if (local)
- sprintf(lbuff, "%pISpc", &local->srx.transport);
+ scnprintf(lbuff, sizeof(lbuff), "%pISpc", &local->srx.transport);
else
strcpy(lbuff, "no_local");
} else {
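Review bot: The context line strcpy(lbuff, "no_local") in this hunk remains an unbounded copy directly beside the new scnprintf() call. The literal fits, but converting it, along with the matching strcpy(rbuff, "no_connection") in the next hunk, to a bounded copy against sizeof(lbuff) would make every write into these buffers size-checked and keep the function consistent.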
@@ -81,7 +85,7 @@ static int rxrpc_call_seq_show(struct seq_file *seq, void *v)
peer = call->peer;
if (peer)
- sprintf(rbuff, "%pISpc", &peer->srx.transport);
+ scnprintf(rbuff, sizeof(rbuff), "%pISpc", &peer->srx.transport);
else
strcpy(rbuff, "no_connection");
@@ -152,7 +156,7 @@ static int rxrpc_connection_seq_show(struct seq_file *seq, void *v)
{
struct rxrpc_connection *conn;
struct rxrpc_net *rxnet = rxrpc_net(seq_file_net(seq));
- char lbuff[50], rbuff[50];
+ char lbuff[RXRPC_PROC_ADDRBUF_SIZE], rbuff[RXRPC_PROC_ADDRBUF_SIZE];
if (v == &rxnet->conn_proc_list) {
seq_puts(seq,
@@ -171,9 +175,9 @@ static int rxrpc_connection_seq_show(struct seq_file *seq, void *v)
goto print;
}
- sprintf(lbuff, "%pISpc", &conn->params.local->srx.transport);
+ scnprintf(lbuff, sizeof(lbuff), "%pISpc", &conn->params.local->srx.transport);
- sprintf(rbuff, "%pISpc", &conn->params.peer->srx.transport);
+ scnprintf(rbuff, sizeof(rbuff), "%pISpc", &conn->params.peer->srx.transport);
print:
seq_printf(seq,
"UDP %-47.47s %-47.47s %4x %08x %s %3u"
@@ -210,7 +214,7 @@ static int rxrpc_peer_seq_show(struct seq_file *seq, void *v)
{
struct rxrpc_peer *peer;
time64_t now;
- char lbuff[50], rbuff[50];
+ char lbuff[RXRPC_PROC_ADDRBUF_SIZE], rbuff[RXRPC_PROC_ADDRBUF_SIZE];
if (v == SEQ_START_TOKEN) {
seq_puts(seq,
@@ -223,9 +227,9 @@ static int rxrpc_peer_seq_show(struct seq_file *seq, void *v)
peer = list_entry(v, struct rxrpc_peer, hash_link);
- sprintf(lbuff, "%pISpc", &peer->local->srx.transport);
+ scnprintf(lbuff, sizeof(lbuff), "%pISpc", &peer->local->srx.transport);
- sprintf(rbuff, "%pISpc", &peer->srx.transport);
+ scnprintf(rbuff, sizeof(rbuff), "%pISpc", &peer->srx.transport);
now = ktime_get_seconds();
seq_printf(seq,
@@ -335,7 +339,7 @@ const struct seq_operations rxrpc_peer_seq_ops = {
static int rxrpc_local_seq_show(struct seq_file *seq, void *v)
{
struct rxrpc_local *local;
- char lbuff[50];
+ char lbuff[RXRPC_PROC_ADDRBUF_SIZE];
if (v == SEQ_START_TOKEN) {
seq_puts(seq,
@@ -346,7 +350,7 @@ static int rxrpc_local_seq_show(struct seq_file *seq, void *v)
local = hlist_entry(v, struct rxrpc_local, link);
- sprintf(lbuff, "%pISpc", &local->srx.transport);
+ scnprintf(lbuff, sizeof(lbuff), "%pISpc", &local->srx.transport);
seq_printf(seq,
"UDP %-47.47s %3u %3u\n",
--
2.53.0
* [PATCH 6.1 097/969] checkpatch: add support for Assisted-by tag
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sasha Levin, Bart Van Assche,
Joe Perches, Andy Whitcroft, Dwaipayan Ray, Jonathan Corbet,
Lukas Bulwahn, Andrew Morton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sasha Levin <sashal@kernel.org>
commit d1db4118489fffd2b2f612140b7acbb477880839 upstream.
The Assisted-by tag was introduced in
Documentation/process/coding-assistants.rst for attributing AI tool
contributions to kernel patches. However, checkpatch.pl did not recognize
this tag, causing two issues:
WARNING: Non-standard signature: Assisted-by:
ERROR: Unrecognized email address: 'AGENT_NAME:MODEL_VERSION'
Fix this by:
1. Adding Assisted-by to the recognized $signature_tags list
2. Skipping email validation for Assisted-by lines since they use the
AGENT_NAME:MODEL_VERSION format instead of an email address
3. Warning when the Assisted-by value doesn't match the expected format
Link: https://lkml.kernel.org/r/20260311215818.518930-1-sashal@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
Reported-by: Bart Van Assche <bvanassche@acm.org>
Acked-by: Joe Perches <joe@perches.com>
Cc: Andy Whitcroft <apw@canonical.com>
Cc: Dwaipayan Ray <dwaipayanray1@gmail.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
scripts/checkpatch.pl | 10 ++++++++++
1 file changed, 10 insertions(+)
--- a/scripts/checkpatch.pl
+++ b/scripts/checkpatch.pl
@@ -616,6 +616,7 @@ our $signature_tags = qr{(?xi:
Reviewed-by:|
Reported-by:|
Suggested-by:|
+ Assisted-by:|
To:|
Cc:
)};
@@ -3031,6 +3032,15 @@ sub process {
}
}
+ # Assisted-by uses AGENT_NAME:MODEL_VERSION format, not email
+ if ($sign_off =~ /^Assisted-by:/i) {
+ if ($email !~ /^\S+:\S+/) {
+ WARN("BAD_SIGN_OFF",
+ "Assisted-by expects 'AGENT_NAME:MODEL_VERSION [TOOL1] [TOOL2]' format\n" . $herecurr);
+ }
+ next;
+ }
+
my ($email_name, $name_comment, $email_address, $comment) = parse_email($email);
my $suggested_email = format_email(($email_name, $name_comment, $email_address, $comment));
if ($suggested_email eq "") {
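Review bot: The format test $email !~ /^\S+:\S+/ in the new Assisted-by block only inspects the start of the value, so any first token that contains a colon passes and the optional "[TOOL1] [TOOL2]" part named in the warning text is never checked. In addition, the unconditional next; appears to skip everything that follows in process() for this line, not only the parse_email() and format_email() validation immediately below. If only the email checks are meant to be bypassed, guard those calls instead so that later per-line checks still run on Assisted-by lines.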
* [PATCH 6.1 098/969] KVM: x86: Use scratch field in MMIO fragment to hold small write values
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yashu Zhang, Tom Lendacky,
Rick Edgecombe, Sean Christopherson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit 0b16e69d17d8c35c5c9d5918bf596c75a44655d3 upstream.
When exiting to userspace to service an emulated MMIO write, copy the
to-be-written value to a scratch field in the MMIO fragment if the size
of the data payload is 8 bytes or less, i.e. can fit in a single chunk,
instead of pointing the fragment directly at the source value.
This fixes a class of use-after-free bugs that occur when the emulator
initiates a write using an on-stack, local variable as the source, the
write splits a page boundary, *and* both pages are MMIO pages. Because
KVM's ABI only allows for physically contiguous MMIO requests, accesses
that split MMIO pages are separated into two fragments, and are sent to
userspace one at a time. When KVM attempts to complete userspace MMIO in
response to KVM_RUN after the first fragment, KVM will detect the second
fragment and generate a second userspace exit, and reference the on-stack
variable.
The issue is most visible if the second KVM_RUN is performed by a separate
task, in which case the stack of the initiating task can show up as truly
freed data.
==================================================================
BUG: KASAN: use-after-free in complete_emulated_mmio+0x305/0x420
Read of size 1 at addr ffff888009c378d1 by task syz-executor417/984
CPU: 1 PID: 984 Comm: syz-executor417 Not tainted 5.10.0-182.0.0.95.h2627.eulerosv2r13.x86_64 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
Call Trace:
dump_stack+0xbe/0xfd
print_address_description.constprop.0+0x19/0x170
__kasan_report.cold+0x6c/0x84
kasan_report+0x3a/0x50
check_memory_region+0xfd/0x1f0
memcpy+0x20/0x60
complete_emulated_mmio+0x305/0x420
kvm_arch_vcpu_ioctl_run+0x63f/0x6d0
kvm_vcpu_ioctl+0x413/0xb20
__se_sys_ioctl+0x111/0x160
do_syscall_64+0x30/0x40
entry_SYSCALL_64_after_hwframe+0x67/0xd1
RIP: 0033:0x42477d
Code: <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007faa8e6890e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004d7338 RCX: 000000000042477d
RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000005
RBP: 00000000004d7330 R08: 00007fff28d546df R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004d733c
R13: 0000000000000000 R14: 000000000040a200 R15: 00007fff28d54720
The buggy address belongs to the page:
page:0000000029f6a428 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9c37
flags: 0xfffffc0000000(node=0|zone=1|lastcpupid=0x1fffff)
raw: 000fffffc0000000 0000000000000000 ffffea0000270dc8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888009c37780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888009c37800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888009c37880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888009c37900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888009c37980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
The bug can also be reproduced with a targeted KVM-Unit-Test by hacking
KVM to fill a large on-stack variable in complete_emulated_mmio(), i.e. by
overwriting the data value with garbage.
Limit the use of the scratch fields to 8-byte or smaller accesses, and to
just writes, as larger accesses and reads are not affected thanks to
implementation details in the emulator, but add a sanity check to ensure
those details don't change in the future. Specifically, KVM never uses
on-stack variables for accesses larger than 8 bytes, e.g. uses an operand
in the emulator context, and *all* reads are buffered through the mem_read
cache.
Note! Using the scratch field for reads is not only unnecessary, it's
also extremely difficult to handle correctly. As above, KVM buffers all
reads through the mem_read cache, and heavily relies on that behavior when
re-emulating the instruction after a userspace MMIO read exit. If a read
splits a page, the first page is NOT an MMIO page, and the second page IS
an MMIO page, then the MMIO fragment needs to point at _just_ the second
chunk of the destination, i.e. its position in the mem_read cache. Taking
the "obvious" approach of copying the fragment value into the destination
when re-emulating the instruction would clobber the first chunk of the
destination, i.e. would clobber the data that was read from guest memory.
Fixes: f78146b0f923 ("KVM: Fix page-crossing MMIO")
Suggested-by: Yashu Zhang <zhangjiaji1@huawei.com>
Reported-by: Yashu Zhang <zhangjiaji1@huawei.com>
Closes: https://lore.kernel.org/all/369eaaa2b3c1425c85e8477066391bc7@huawei.com
Cc: stable@vger.kernel.org
Tested-by: Tom Lendacky <thomas.lendacky@gmail.com>
Tested-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
Link: https://patch.msgid.link/20260225012049.920665-2-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/x86.c | 14 +++++++++++++-
include/linux/kvm_host.h | 3 ++-
2 files changed, 15 insertions(+), 2 deletions(-)
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -7628,7 +7628,13 @@ static int emulator_read_write_onepage(u
WARN_ON(vcpu->mmio_nr_fragments >= KVM_MAX_MMIO_FRAGMENTS);
frag = &vcpu->mmio_fragments[vcpu->mmio_nr_fragments++];
frag->gpa = gpa;
- frag->data = val;
+ if (write && bytes <= 8u) {
+ frag->val = 0;
+ frag->data = &frag->val;
+ memcpy(&frag->val, val, bytes);
+ } else {
+ frag->data = val;
+ }
frag->len = bytes;
return X86EMUL_CONTINUE;
}
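Review bot: The scratch-copy condition write && bytes <= 8u hard-codes the size of frag->val, and the same literal is repeated in the sanity check added to emulator_read_write(). Writing the limit as sizeof(frag->val), or as one shared constant, would tie both checks to the field that actually bounds the memcpy(). A one-line comment that frag->data points into the fragment itself for small writes would also help anyone reading complete_emulated_mmio().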
@@ -7643,6 +7649,9 @@ static int emulator_read_write(struct x8
gpa_t gpa;
int rc;
+ if (WARN_ON_ONCE((bytes > 8u || !ops->write) && object_is_on_stack(val)))
+ return X86EMUL_UNHANDLEABLE;
+
if (ops->read_write_prepare &&
ops->read_write_prepare(vcpu, val, bytes))
return X86EMUL_CONTINUE;
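Review bot: The WARN_ON_ONCE() added at the top of emulator_read_write() has no comment, and the assumptions it protects (accesses larger than 8 bytes never use an on-stack source, all reads are buffered through the mem_read cache) are spelled out only in the changelog. Please add a comment carrying that reasoning. The read case is also detected through !ops->write here, whereas emulator_read_write_onepage() tests a write flag; using the same predicate in both places would make it obvious that the two checks cannot disagree.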
@@ -11197,6 +11206,9 @@ static int complete_emulated_mmio(struct
frag++;
vcpu->mmio_cur_fragment++;
} else {
+ if (WARN_ON_ONCE(frag->data == &frag->val))
+ return -EIO;
+
/* Go forward to the next mmio piece. */
frag->data += len;
frag->gpa += len;
--- a/include/linux/kvm_host.h
+++ b/include/linux/kvm_host.h
@@ -303,7 +303,8 @@ static inline bool kvm_vcpu_can_poll(kti
struct kvm_mmio_fragment {
gpa_t gpa;
void *data;
- unsigned len;
+ u64 val;
+ unsigned int len;
};
struct kvm_vcpu {
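Review bot: The new u64 val member of struct kvm_mmio_fragment is undocumented, and data can now point either at caller memory or at val inside the same struct. A comment on the field stating that it is scratch storage for writes of 8 bytes or less, and that data may alias it, would make the invariant tested in complete_emulated_mmio() discoverable from the header. The change of len from unsigned to unsigned int is an unrelated cleanup folded into a fix and could be mentioned in the changelog.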
* [PATCH 6.1 099/969] mm/kasan: fix double free for kasan pXds
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ritesh Harjani (IBM),
Venkat Rao Bagalkote, Alexander Potapenko, Andrey Konovalov,
Andrey Ryabinin, Dmitry Vyukov, Vincenzo Frascino, Andrew Morton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
commit 51d8c78be0c27ddb91bc2c0263941d8b30a47d3b upstream.
kasan_free_pxd() assumes the page table is always struct page aligned.
But that's not always the case for all architectures. E.g. In case of
powerpc with 64K pagesize, PUD table (of size 4096) comes from slab cache
named pgtable-2^9. Hence instead of page_to_virt(pxd_page()) let's just
directly pass the start of the pxd table which is passed as the 1st
argument.
This fixes the below double free kasan issue seen with PMEM:
radix-mmu: Mapped 0x0000047d10000000-0x0000047f90000000 with 2.00 MiB pages
==================================================================
BUG: KASAN: double-free in kasan_remove_zero_shadow+0x9c4/0xa20
Free of addr c0000003c38e0000 by task ndctl/2164
CPU: 34 UID: 0 PID: 2164 Comm: ndctl Not tainted 6.19.0-rc1-00048-gea1013c15392 #157 VOLUNTARY
Hardware name: IBM,9080-HEX POWER10 (architected) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_012) hv:phyp pSeries
Call Trace:
dump_stack_lvl+0x88/0xc4 (unreliable)
print_report+0x214/0x63c
kasan_report_invalid_free+0xe4/0x110
check_slab_allocation+0x100/0x150
kmem_cache_free+0x128/0x6e0
kasan_remove_zero_shadow+0x9c4/0xa20
memunmap_pages+0x2b8/0x5c0
devm_action_release+0x54/0x70
release_nodes+0xc8/0x1a0
devres_release_all+0xe0/0x140
device_unbind_cleanup+0x30/0x120
device_release_driver_internal+0x3e4/0x450
unbind_store+0xfc/0x110
drv_attr_store+0x78/0xb0
sysfs_kf_write+0x114/0x140
kernfs_fop_write_iter+0x264/0x3f0
vfs_write+0x3bc/0x7d0
ksys_write+0xa4/0x190
system_call_exception+0x190/0x480
system_call_vectored_common+0x15c/0x2ec
---- interrupt: 3000 at 0x7fff93b3d3f4
NIP: 00007fff93b3d3f4 LR: 00007fff93b3d3f4 CTR: 0000000000000000
REGS: c0000003f1b07e80 TRAP: 3000 Not tainted (6.19.0-rc1-00048-gea1013c15392)
MSR: 800000000280f033 <SF,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE> CR: 48888208 XER: 00000000
<...>
NIP [00007fff93b3d3f4] 0x7fff93b3d3f4
LR [00007fff93b3d3f4] 0x7fff93b3d3f4
---- interrupt: 3000
The buggy address belongs to the object at c0000003c38e0000
which belongs to the cache pgtable-2^9 of size 4096
The buggy address is located 0 bytes inside of
4096-byte region [c0000003c38e0000, c0000003c38e1000)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3c38c
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:c0000003bfd63e01
flags: 0x63ffff800000040(head|node=6|zone=0|lastcpupid=0x7ffff)
page_type: f5(slab)
raw: 063ffff800000040 c000000140058980 5deadbeef0000122 0000000000000000
raw: 0000000000000000 0000000080200020 00000000f5000000 c0000003bfd63e01
head: 063ffff800000040 c000000140058980 5deadbeef0000122 0000000000000000
head: 0000000000000000 0000000080200020 00000000f5000000 c0000003bfd63e01
head: 063ffff800000002 c00c000000f0e301 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
[ 138.953636] [ T2164] Memory state around the buggy address:
[ 138.953643] [ T2164] c0000003c38dff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 138.953652] [ T2164] c0000003c38dff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 138.953661] [ T2164] >c0000003c38e0000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 138.953669] [ T2164] ^
[ 138.953675] [ T2164] c0000003c38e0080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 138.953684] [ T2164] c0000003c38e0100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 138.953692] [ T2164] ==================================================================
[ 138.953701] [ T2164] Disabling lock debugging due to kernel taint
Link: https://lkml.kernel.org/r/2f9135c7866c6e0d06e960993b8a5674a9ebc7ec.1771938394.git.ritesh.list@gmail.com
Fixes: 0207df4fa1a8 ("kernel/memremap, kasan: make ZONE_DEVICE with work with KASAN")
Signed-off-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Reported-by: Venkat Rao Bagalkote <venkat88@linux.ibm.com>
Reviewed-by: Alexander Potapenko <glider@google.com>
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: "Ritesh Harjani (IBM)" <ritesh.list@gmail.com>
Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/kasan/init.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/mm/kasan/init.c
+++ b/mm/kasan/init.c
@@ -290,7 +290,7 @@ static void kasan_free_pte(pte_t *pte_st
return;
}
- pte_free_kernel(&init_mm, (pte_t *)page_to_virt(pmd_page(*pmd)));
+ pte_free_kernel(&init_mm, pte_start);
pmd_clear(pmd);
}
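Review bot: pte_free_kernel() now frees pte_start exactly as passed in, so the fix is correct only if every caller of kasan_free_pte() supplies the base of the PTE table and never a pointer into the middle of it. Nothing in the function states that requirement; a short comment on kasan_free_pte(), and on the pmd, pud and p4d variants changed the same way in the following hunks, saying that the first argument must be the start of the table would document the contract this change depends on.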
@@ -305,7 +305,7 @@ static void kasan_free_pmd(pmd_t *pmd_st
return;
}
- pmd_free(&init_mm, (pmd_t *)page_to_virt(pud_page(*pud)));
+ pmd_free(&init_mm, pmd_start);
pud_clear(pud);
}
@@ -320,7 +320,7 @@ static void kasan_free_pud(pud_t *pud_st
return;
}
- pud_free(&init_mm, (pud_t *)page_to_virt(p4d_page(*p4d)));
+ pud_free(&init_mm, pud_start);
p4d_clear(p4d);
}
@@ -335,7 +335,7 @@ static void kasan_free_p4d(p4d_t *p4d_st
return;
}
- p4d_free(&init_mm, (p4d_t *)page_to_virt(pgd_page(*pgd)));
+ p4d_free(&init_mm, p4d_start);
pgd_clear(pgd);
}
* [PATCH 6.1 100/969] mm: blk-cgroup: fix use-after-free in cgwb_release_workfn()
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Breno Leitao, Dennis Zhou,
Shakeel Butt, David Hildenbrand, Jens Axboe, Johannes Weiner,
Josef Bacik, JP Kobryn, Liam Howlett, Lorenzo Stoakes (Oracle),
Martin KaFai Lau, Michal Hocko, Mike Rapoport, Suren Baghdasaryan,
Tejun Heo, Andrew Morton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Breno Leitao <leitao@debian.org>
commit 8f5857be99f1ed1fa80991c72449541f634626ee upstream.
cgwb_release_workfn() calls css_put(wb->blkcg_css) and then later accesses
wb->blkcg_css again via blkcg_unpin_online(). If css_put() drops the last
reference, the blkcg can be freed asynchronously (css_free_rwork_fn ->
blkcg_css_free -> kfree) before blkcg_unpin_online() dereferences the
pointer to access blkcg->online_pin, resulting in a use-after-free:
BUG: KASAN: slab-use-after-free in blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367)
Write of size 4 at addr ff11000117aa6160 by task kworker/71:1/531
Workqueue: cgwb_release cgwb_release_workfn
Call Trace:
<TASK>
blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367)
cgwb_release_workfn (mm/backing-dev.c:629)
process_scheduled_works (kernel/workqueue.c:3278 kernel/workqueue.c:3385)
Freed by task 1016:
kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6246 mm/slub.c:6561)
css_free_rwork_fn (kernel/cgroup/cgroup.c:5542)
process_scheduled_works (kernel/workqueue.c:3302 kernel/workqueue.c:3385)
** Stack based on commit 66672af7a095 ("Add linux-next specific files
for 20260410")
I am seeing this crash sporadically in Meta fleet across multiple kernel
versions. A full reproducer is available at:
https://github.com/leitao/debug/blob/main/reproducers/repro_blkcg_uaf.sh
(The race window is narrow. To make it easily reproducible, inject a
msleep(100) between css_put() and blkcg_unpin_online() in
cgwb_release_workfn(). With that delay and a KASAN-enabled kernel, the
reproducer triggers the splat reliably in less than a second.)
Fix this by moving blkcg_unpin_online() before css_put(), so the
cgwb's CSS reference keeps the blkcg alive while blkcg_unpin_online()
accesses it.
Link: https://lore.kernel.org/20260413-blkcg-v1-1-35b72622d16c@debian.org
Fixes: 59b57717fff8 ("blkcg: delay blkg destruction until after writeback has finished")
Signed-off-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Dennis Zhou <dennis@kernel.org>
Reviewed-by: Shakeel Butt <shakeel.butt@linux.dev>
Cc: David Hildenbrand <david@kernel.org>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Josef Bacik <josef@toxicpanda.com>
Cc: JP Kobryn <inwardvessel@gmail.com>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Lorenzo Stoakes (Oracle) <ljs@kernel.org>
Cc: Martin KaFai Lau <martin.lau@linux.dev>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/backing-dev.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/mm/backing-dev.c
+++ b/mm/backing-dev.c
@@ -399,12 +399,13 @@ static void cgwb_release_workfn(struct w
wb_shutdown(wb);
css_put(wb->memcg_css);
- css_put(wb->blkcg_css);
- mutex_unlock(&wb->bdi->cgwb_release_mutex);
/* triggers blkg destruction if no online users left */
blkcg_unpin_online(wb->blkcg_css);
+ css_put(wb->blkcg_css);
+ mutex_unlock(&wb->bdi->cgwb_release_mutex);
+
fprop_local_destroy_percpu(&wb->memcg_completions);
spin_lock_irq(&cgwb_lock);
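Review bot: the `mutex_unlock(&wb->bdi->cgwb_release_mutex)` line moved together with `css_put(wb->blkcg_css)`, so `cgwb_release_mutex` is now held across `blkcg_unpin_online()`, which the comment says can trigger blkg destruction. The changelog only justifies reordering `css_put()` and does not mention the longer lock hold. Either leave the unlock where it was and move only the `css_put()`, or say in the changelog why the unlock has to follow. The existing comment above `blkcg_unpin_online()` is also the place to record that the call must precede `css_put(wb->blkcg_css)` because that reference is what keeps the blkcg alive.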
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 101/969] media: vidtv: fix nfeeds state corruption on start_streaming failure
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (99 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 100/969] mm: blk-cgroup: fix use-after-free in cgwb_release_workfn() Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 102/969] media: em28xx: fix use-after-free in em28xx_v4l2_open() Greg Kroah-Hartman
` (874 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+639ebc6ec75e96674741,
Ruslan Valiyev, Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ruslan Valiyev <linuxoid@gmail.com>
commit a0e5a598fe9a4612b852406b51153b881592aede upstream.
syzbot reported a memory leak in vidtv_psi_service_desc_init [1].
When vidtv_start_streaming() fails inside vidtv_start_feed(), the
nfeeds counter is left incremented even though no feed was actually
started. This corrupts the driver state: subsequent start_feed calls
see nfeeds > 1 and skip starting the mux, while stop_feed calls
eventually try to stop a non-existent stream.
This state corruption can also lead to memory leaks, since the mux
and channel resources may be partially allocated during a failed
start_streaming but never cleaned up, as the stop path finds
dvb->streaming == false and returns early.
Fix by decrementing nfeeds back when start_streaming fails, keeping
the counter in sync with the actual number of active feeds.
[1]
BUG: memory leak
unreferenced object 0xffff888145b50820 (size 32):
comm "syz.0.17", pid 6068, jiffies 4294944486
backtrace (crc 90a0c7d4):
vidtv_psi_service_desc_init+0x74/0x1b0 drivers/media/test-drivers/vidtv/vidtv_psi.c:288
vidtv_channel_s302m_init+0xb1/0x2a0 drivers/media/test-drivers/vidtv/vidtv_channel.c:83
vidtv_channels_init+0x1b/0x40 drivers/media/test-drivers/vidtv/vidtv_channel.c:524
vidtv_mux_init+0x516/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:518
vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]
vidtv_start_feed+0x33e/0x4d0 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
Fixes: f90cf6079bf67 ("media: vidtv: add a bridge driver")
Cc: stable@vger.kernel.org
Reported-by: syzbot+639ebc6ec75e96674741@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=639ebc6ec75e96674741
Signed-off-by: Ruslan Valiyev <linuxoid@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/test-drivers/vidtv/vidtv_bridge.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/media/test-drivers/vidtv/vidtv_bridge.c
+++ b/drivers/media/test-drivers/vidtv/vidtv_bridge.c
@@ -237,8 +237,10 @@ static int vidtv_start_feed(struct dvb_d
if (dvb->nfeeds == 1) {
ret = vidtv_start_streaming(dvb);
- if (ret < 0)
+ if (ret < 0) {
+ dvb->nfeeds--;
rc = ret;
+ }
}
mutex_unlock(&dvb->feed_lock);
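Review bot: the `dvb->nfeeds--` in the `ret < 0` branch resyncs the counter, but the object in the syzbot trace is allocated under `vidtv_mux_init()` from inside `vidtv_start_streaming()`, and nothing in this hunk frees it. The changelog should say whether `vidtv_start_streaming()` unwinds its own partial allocations on failure; if it does not, the reported leak still needs a cleanup call in this branch. The decrement itself is made before `mutex_unlock(&dvb->feed_lock)`, which is the right place for it.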
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 102/969] media: em28xx: fix use-after-free in em28xx_v4l2_open()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (100 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 101/969] media: vidtv: fix nfeeds state corruption on start_streaming failure Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 103/969] ALSA: 6fire: fix use-after-free on disconnect Greg Kroah-Hartman
` (873 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+c025d34b8eaa54c571b8,
Abhishek Kumar, Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abhishek Kumar <abhishek_sts8@yahoo.com>
commit a66485a934c7187ae8e36517d40615fa2e961cff upstream.
em28xx_v4l2_open() reads dev->v4l2 without holding dev->lock,
creating a race with em28xx_v4l2_init()'s error path and
em28xx_v4l2_fini(), both of which free the em28xx_v4l2 struct
and set dev->v4l2 to NULL under dev->lock.
This race leads to two issues:
- use-after-free in v4l2_fh_init() when accessing vdev->ctrl_handler,
since the video_device is embedded in the freed em28xx_v4l2 struct.
- NULL pointer dereference in em28xx_resolution_set() when accessing
v4l2->norm, since dev->v4l2 has been set to NULL.
Fix this by moving the mutex_lock() before the dev->v4l2 read and
adding a NULL check for dev->v4l2 under the lock.
Reported-by: syzbot+c025d34b8eaa54c571b8@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c025d34b8eaa54c571b8
Fixes: 8139a4d583ab ("[media] em28xx: move v4l2 user counting fields from struct em28xx to struct v4l2")
Cc: stable@vger.kernel.org
Signed-off-by: Abhishek Kumar <abhishek_sts8@yahoo.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/usb/em28xx/em28xx-video.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
--- a/drivers/media/usb/em28xx/em28xx-video.c
+++ b/drivers/media/usb/em28xx/em28xx-video.c
@@ -2126,7 +2126,7 @@ static int em28xx_v4l2_open(struct file
{
struct video_device *vdev = video_devdata(filp);
struct em28xx *dev = video_drvdata(filp);
- struct em28xx_v4l2 *v4l2 = dev->v4l2;
+ struct em28xx_v4l2 *v4l2;
enum v4l2_buf_type fh_type = 0;
int ret;
@@ -2143,13 +2143,19 @@ static int em28xx_v4l2_open(struct file
return -EINVAL;
}
+ if (mutex_lock_interruptible(&dev->lock))
+ return -ERESTARTSYS;
+
+ v4l2 = dev->v4l2;
+ if (!v4l2) {
+ mutex_unlock(&dev->lock);
+ return -ENODEV;
+ }
+
em28xx_videodbg("open dev=%s type=%s users=%d\n",
video_device_node_name(vdev), v4l2_type_names[fh_type],
v4l2->users);
- if (mutex_lock_interruptible(&dev->lock))
- return -ERESTARTSYS;
-
ret = v4l2_fh_open(filp);
if (ret) {
dev_err(&dev->intf->dev,
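Review bot: taking `dev->lock` before reading `dev->v4l2` only closes the race if every later exit from `em28xx_v4l2_open()` drops the lock. The new `-ENODEV` branch does, but the `v4l2_fh_open()` failure branch at the end of this hunk is cut off before its unlock, so check that it still pairs with the moved `mutex_lock_interruptible()`. With the initializer removed in the first hunk, `v4l2` is also uninitialized until `v4l2 = dev->v4l2;`, so nothing between the declaration and that line may use it; a short comment at the assignment saying `dev->v4l2` is only valid under `dev->lock` would keep that from regressing.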
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 103/969] ALSA: 6fire: fix use-after-free on disconnect
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (101 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 102/969] media: em28xx: fix use-after-free in em28xx_v4l2_open() Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 104/969] bcache: fix cached_dev.sb_bio use-after-free and crash Greg Kroah-Hartman
` (872 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrey Konovalov, Berk Cem Goksel,
Takashi Iwai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Berk Cem Goksel <berkcgoksel@gmail.com>
commit b9c826916fdce6419b94eb0cd8810fdac18c2386 upstream.
In usb6fire_chip_abort(), the chip struct is allocated as the card's
private data (via snd_card_new with sizeof(struct sfire_chip)). When
snd_card_free_when_closed() is called and no file handles are open, the
card and embedded chip are freed synchronously. The subsequent
chip->card = NULL write then hits freed slab memory.
Call trace:
usb6fire_chip_abort sound/usb/6fire/chip.c:59 [inline]
usb6fire_chip_disconnect+0x348/0x358 sound/usb/6fire/chip.c:182
usb_unbind_interface+0x1a8/0x88c drivers/usb/core/driver.c:458
...
hub_event+0x1a04/0x4518 drivers/usb/core/hub.c:5953
Fix by moving the card lifecycle out of usb6fire_chip_abort() and into
usb6fire_chip_disconnect(). The card pointer is saved in a local
before any teardown, snd_card_disconnect() is called first to prevent
new opens, URBs are aborted while chip is still valid, and
snd_card_free_when_closed() is called last so chip is never accessed
after the card may be freed.
Fixes: a0810c3d6dd2 ("ALSA: 6fire: Release resources at card release")
Cc: stable@vger.kernel.org
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Signed-off-by: Berk Cem Goksel <berkcgoksel@gmail.com>
Link: https://patch.msgid.link/20260410051341.1069716-1-berkcgoksel@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/6fire/chip.c | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
--- a/sound/usb/6fire/chip.c
+++ b/sound/usb/6fire/chip.c
@@ -53,11 +53,6 @@ static void usb6fire_chip_abort(struct s
usb6fire_comm_abort(chip);
if (chip->control)
usb6fire_control_abort(chip);
- if (chip->card) {
- snd_card_disconnect(chip->card);
- snd_card_free_when_closed(chip->card);
- chip->card = NULL;
- }
}
}
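Review bot: with the `if (chip->card)` block removed, `usb6fire_chip_abort()` no longer disconnects or frees the card, so any caller other than `usb6fire_chip_disconnect()` silently loses that teardown. Please confirm `usb6fire_chip_disconnect()` is the only caller that relied on it, or state in the changelog which paths now free the card.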
@@ -170,6 +165,7 @@ destroy_chip:
static void usb6fire_chip_disconnect(struct usb_interface *intf)
{
struct sfire_chip *chip;
+ struct snd_card *card;
chip = usb_get_intfdata(intf);
if (chip) { /* if !chip, fw upload has been performed */
@@ -180,8 +176,19 @@ static void usb6fire_chip_disconnect(str
chips[chip->regidx] = NULL;
mutex_unlock(®ister_mutex);
+ /*
+ * Save card pointer before teardown.
+ * snd_card_free_when_closed() may free card (and
+ * the embedded chip) immediately, so it must be
+ * called last and chip must not be accessed after.
+ */
+ card = chip->card;
chip->shutdown = true;
+ if (card)
+ snd_card_disconnect(card);
usb6fire_chip_abort(chip);
+ if (card)
+ snd_card_free_when_closed(card);
}
}
}
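Review bot: the comment saying `snd_card_free_when_closed()` must be called last sits above `card = chip->card;`, several lines before the call it constrains. Move the "must be called last and chip must not be accessed after" sentence next to `snd_card_free_when_closed(card)` so that a later addition after that call is more likely to be caught in review. As written the ordering is sound: nothing after the final `if (card)` touches `chip`.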
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 104/969] bcache: fix cached_dev.sb_bio use-after-free and crash
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (102 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 103/969] ALSA: 6fire: fix use-after-free on disconnect Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 105/969] media: as102: fix to not free memory after the device is registered in as102_usb_probe() Greg Kroah-Hartman
` (871 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mingzhe Zou, Coly Li, Jens Axboe
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mingzhe Zou <mingzhe.zou@easystack.cn>
commit fec114a98b8735ee89c75216c45a78e28be0f128 upstream.
In our production environment, we have received multiple crash reports
regarding libceph, which have caught our attention:
```
[6888366.280350] Call Trace:
[6888366.280452] blk_update_request+0x14e/0x370
[6888366.280561] blk_mq_end_request+0x1a/0x130
[6888366.280671] rbd_img_handle_request+0x1a0/0x1b0 [rbd]
[6888366.280792] rbd_obj_handle_request+0x32/0x40 [rbd]
[6888366.280903] __complete_request+0x22/0x70 [libceph]
[6888366.281032] osd_dispatch+0x15e/0xb40 [libceph]
[6888366.281164] ? inet_recvmsg+0x5b/0xd0
[6888366.281272] ? ceph_tcp_recvmsg+0x6f/0xa0 [libceph]
[6888366.281405] ceph_con_process_message+0x79/0x140 [libceph]
[6888366.281534] ceph_con_v1_try_read+0x5d7/0xf30 [libceph]
[6888366.281661] ceph_con_workfn+0x329/0x680 [libceph]
```
After analyzing the coredump file, we found that the address of
dc->sb_bio has been freed. We know that cached_dev is only freed when it
is stopped.
sb_bio is a part of struct cached_dev rather than being allocated every
time, so if the device is stopped while writing to the superblock, the
released address will be accessed at endio.
This patch hopes to wait for sb_write to complete in cached_dev_free.
It should be noted that we analyzed the cause of the problem, then told
all the details to QWEN and adopted the modifications it made.
Signed-off-by: Mingzhe Zou <mingzhe.zou@easystack.cn>
Fixes: cafe563591446 ("bcache: A block layer cache")
Cc: stable@vger.kernel.org # 3.10+
Signed-off-by: Coly Li <colyli@fnnas.com>
Link: https://patch.msgid.link/20260322134102.480107-1-colyli@fnnas.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/bcache/super.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/drivers/md/bcache/super.c
+++ b/drivers/md/bcache/super.c
@@ -1368,6 +1368,13 @@ static void cached_dev_free(struct closu
mutex_unlock(&bch_register_lock);
+ /*
+ * Wait for any pending sb_write to complete before free.
+ * The sb_bio is embedded in struct cached_dev, so we must
+ * ensure no I/O is in progress.
+ */
+ closure_sync(&dc->sb_write);
+
if (dc->sb_disk)
put_page(virt_to_page(dc->sb_disk));
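Review bot: `closure_sync(&dc->sb_write)` waits only for a superblock write that is already in flight, and it runs after `mutex_unlock(&bch_register_lock)`; the hunk does not show what prevents a new write from being issued on `dc->sb_bio` between the sync and the free. If the stop path already guarantees that no further superblock write can start, say so in the new comment, since that guarantee is what makes a single wait sufficient.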
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 105/969] media: as102: fix to not free memory after the device is registered in as102_usb_probe()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (103 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 104/969] bcache: fix cached_dev.sb_bio use-after-free and crash Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 106/969] nilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map Greg Kroah-Hartman
` (870 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+47321e8fd5a4c84088db,
Jeongjun Park, Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeongjun Park <aha310510@gmail.com>
commit 8bd29dbe03fc5b0f039ab2395ff37b64236d2f0c upstream.
In as102_usb driver, the following race condition occurs:
```
        CPU0                                    CPU1

as102_usb_probe()
  kzalloc(); // alloc as102_dev_t
  ....
  usb_register_dev();
                                        fd = sys_open("/path/to/dev"); // open as102 fd
                                        ....
  usb_deregister_dev();
  ....
  kfree(); // free as102_dev_t
  ....
                                        sys_close(fd);
                                          as102_release() // UAF!!
                                            as102_usb_release()
                                              kfree(); // DFB!!
```
When a USB character device registered with usb_register_dev() is later
unregistered (via usb_deregister_dev() or disconnect), the device node is
removed so new open() calls fail. However, file descriptors that are
already open do not go away immediately: they remain valid until the last
reference is dropped and the driver's .release() is invoked.
In as102, as102_usb_probe() calls usb_register_dev() and then, on an
error path, does usb_deregister_dev() and frees as102_dev_t right away.
If userspace raced a successful open() before the deregistration, that
open FD will later hit as102_release() --> as102_usb_release() and access
or free as102_dev_t again, resulting in a race to use-after-free and
double-free vulnerabilities.
The fix is to never kfree(as102_dev_t) directly once usb_register_dev()
has succeeded. After deregistration, defer freeing memory to .release().
In other words, let release() perform the last kfree when the final open
FD is closed.
Cc: <stable@vger.kernel.org>
Reported-by: syzbot+47321e8fd5a4c84088db@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=47321e8fd5a4c84088db
Fixes: cd19f7d3e39b ("[media] as102: fix leaks at failure paths in as102_usb_probe()")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/usb/as102/as102_usb_drv.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/media/usb/as102/as102_usb_drv.c
+++ b/drivers/media/usb/as102/as102_usb_drv.c
@@ -405,7 +405,9 @@ static int as102_usb_probe(struct usb_in
failed_dvb:
as102_free_usb_stream_buffer(as102_dev);
failed_stream:
+ usb_set_intfdata(intf, NULL);
usb_deregister_dev(intf, &as102_usb_class_driver);
+ return ret;
failed:
usb_put_dev(as102_dev->bus_adap.usb_dev);
usb_set_intfdata(intf, NULL);
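Review bot: the new `return ret;` after `usb_deregister_dev()` means `failed_dvb` and `failed_stream` no longer reach `failed:`, so `usb_put_dev()` and the free are left entirely to `.release()`. Per the changelog, `.release()` runs when the final open FD is closed, so if nobody opened the node before the failure, these visible lines show nothing that ever frees `as102_dev` or drops the USB device reference. Either drop a probe-held reference here so that the last put frees the object, or explain in the changelog why the no-opener case does not leak.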
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 106/969] nilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (104 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 105/969] media: as102: fix to not free memory after the device is registered in as102_usb_probe() Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 107/969] media: vidtv: fix pass-by-value structs causing MSAN warnings Greg Kroah-Hartman
` (869 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+4b4093b1f24ad789bf37,
Deepanshu Kartikey, Ryusuke Konishi, Viacheslav Dubeyko
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Deepanshu Kartikey <kartikey406@gmail.com>
commit 4a4e0328edd9e9755843787d28f16dd4165f8b48 upstream.
The DAT inode's btree node cache (i_assoc_inode) is initialized lazily
during btree operations. However, nilfs_mdt_save_to_shadow_map()
assumes i_assoc_inode is already initialized when copying dirty pages
to the shadow map during GC.
If NILFS_IOCTL_CLEAN_SEGMENTS is called immediately after mount before
any btree operation has occurred on the DAT inode, i_assoc_inode is
NULL leading to a general protection fault.
Fix this by calling nilfs_attach_btree_node_cache() on the DAT inode
in nilfs_dat_read() at mount time, ensuring i_assoc_inode is always
initialized before any GC operation can use it.
Reported-by: syzbot+4b4093b1f24ad789bf37@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4b4093b1f24ad789bf37
Tested-by: syzbot+4b4093b1f24ad789bf37@syzkaller.appspotmail.com
Fixes: e897be17a441 ("nilfs2: fix lockdep warnings in page operations for btree nodes")
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nilfs2/dat.c | 3 +++
1 file changed, 3 insertions(+)
--- a/fs/nilfs2/dat.c
+++ b/fs/nilfs2/dat.c
@@ -526,6 +526,9 @@ int nilfs_dat_read(struct super_block *s
if (err)
goto failed;
+ err = nilfs_attach_btree_node_cache(dat);
+ if (err)
+ goto failed;
err = nilfs_read_inode_common(dat, raw_inode);
if (err)
goto failed;
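Review bot: the new `nilfs_attach_btree_node_cache(dat)` call has no comment, and the reason for it (GC via NILFS_IOCTL_CLEAN_SEGMENTS can reach the shadow-map copy before any btree operation has attached the cache) lives only in the changelog. Add a one-line comment above the call, since an eager attach in `nilfs_dat_read()` otherwise looks redundant next to the lazy initialization and is easy to remove later. The `goto failed` error handling matches the neighbouring calls.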
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 107/969] media: vidtv: fix pass-by-value structs causing MSAN warnings
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (105 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 106/969] nilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 108/969] media: hackrf: fix to not free memory after the device is registered in hackrf_probe() Greg Kroah-Hartman
` (868 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+96f901260a0b2d29cd1a,
Yihan Ding, Abd-Alrhman Masalkhi, Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abd-Alrhman Masalkhi <abd.masalkhi@gmail.com>
commit 5f8e73bde67e931468bc2a1860d78d72f0c6ba41 upstream.
vidtv_ts_null_write_into() and vidtv_ts_pcr_write_into() take their
argument structs by value, causing MSAN to report uninit-value warnings.
While only vidtv_ts_null_write_into() has triggered a report so far,
both functions share the same issue.
Fix by passing both structs by const pointer instead, avoiding the
stack copy of the struct along with its MSAN shadow and origin metadata.
The functions do not modify the structs, which is enforced by the const
qualifier.
Fixes: f90cf6079bf67 ("media: vidtv: add a bridge driver")
Cc: stable@vger.kernel.org
Reported-by: syzbot+96f901260a0b2d29cd1a@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=96f901260a0b2d29cd1a
Tested-by: syzbot+96f901260a0b2d29cd1a@syzkaller.appspotmail.com
Suggested-by: Yihan Ding <dingyihan@uniontech.com>
Signed-off-by: Abd-Alrhman Masalkhi <abd.masalkhi@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/test-drivers/vidtv/vidtv_mux.c | 4 +-
drivers/media/test-drivers/vidtv/vidtv_ts.c | 50 +++++++++++++--------------
drivers/media/test-drivers/vidtv/vidtv_ts.h | 4 +-
3 files changed, 29 insertions(+), 29 deletions(-)
--- a/drivers/media/test-drivers/vidtv/vidtv_mux.c
+++ b/drivers/media/test-drivers/vidtv/vidtv_mux.c
@@ -233,7 +233,7 @@ static u32 vidtv_mux_push_pcr(struct vid
/* the 27Mhz clock will feed both parts of the PCR bitfield */
args.pcr = m->timing.clk;
- nbytes += vidtv_ts_pcr_write_into(args);
+ nbytes += vidtv_ts_pcr_write_into(&args);
m->mux_buf_offset += nbytes;
m->num_streamed_pcr++;
@@ -363,7 +363,7 @@ static u32 vidtv_mux_pad_with_nulls(stru
args.continuity_counter = &ctx->cc;
for (i = 0; i < npkts; ++i) {
- m->mux_buf_offset += vidtv_ts_null_write_into(args);
+ m->mux_buf_offset += vidtv_ts_null_write_into(&args);
args.dest_offset = m->mux_buf_offset;
}
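Review bot: passing `&args` in the loop removes the by-value copy that MSAN flagged, but it does not initialize anything: if `args` is declared without an initializer in `vidtv_mux_pad_with_nulls()`, its unset members stay uninitialized and are now simply not copied. The declaration is outside this hunk; if it is not already `= {}`, zero-initialize it so the callee can never read an indeterminate field. The loop's update of `args.dest_offset` after each call keeps working with the pointer form.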
--- a/drivers/media/test-drivers/vidtv/vidtv_ts.c
+++ b/drivers/media/test-drivers/vidtv/vidtv_ts.c
@@ -48,7 +48,7 @@ void vidtv_ts_inc_cc(u8 *continuity_coun
*continuity_counter = 0;
}
-u32 vidtv_ts_null_write_into(struct null_packet_write_args args)
+u32 vidtv_ts_null_write_into(const struct null_packet_write_args *args)
{
u32 nbytes = 0;
struct vidtv_mpeg_ts ts_header = {};
@@ -56,21 +56,21 @@ u32 vidtv_ts_null_write_into(struct null
ts_header.sync_byte = TS_SYNC_BYTE;
ts_header.bitfield = cpu_to_be16(TS_NULL_PACKET_PID);
ts_header.payload = 1;
- ts_header.continuity_counter = *args.continuity_counter;
+ ts_header.continuity_counter = *args->continuity_counter;
/* copy TS header */
- nbytes += vidtv_memcpy(args.dest_buf,
- args.dest_offset + nbytes,
- args.buf_sz,
+ nbytes += vidtv_memcpy(args->dest_buf,
+ args->dest_offset + nbytes,
+ args->buf_sz,
&ts_header,
sizeof(ts_header));
- vidtv_ts_inc_cc(args.continuity_counter);
+ vidtv_ts_inc_cc(args->continuity_counter);
/* fill the rest with empty data */
- nbytes += vidtv_memset(args.dest_buf,
- args.dest_offset + nbytes,
- args.buf_sz,
+ nbytes += vidtv_memset(args->dest_buf,
+ args->dest_offset + nbytes,
+ args->buf_sz,
TS_FILL_BYTE,
TS_PACKET_LEN - nbytes);
@@ -83,17 +83,17 @@ u32 vidtv_ts_null_write_into(struct null
return nbytes;
}
-u32 vidtv_ts_pcr_write_into(struct pcr_write_args args)
+u32 vidtv_ts_pcr_write_into(const struct pcr_write_args *args)
{
u32 nbytes = 0;
struct vidtv_mpeg_ts ts_header = {};
struct vidtv_mpeg_ts_adaption ts_adap = {};
ts_header.sync_byte = TS_SYNC_BYTE;
- ts_header.bitfield = cpu_to_be16(args.pid);
+ ts_header.bitfield = cpu_to_be16(args->pid);
ts_header.scrambling = 0;
/* cc is not incremented, but it is needed. see 13818-1 clause 2.4.3.3 */
- ts_header.continuity_counter = *args.continuity_counter;
+ ts_header.continuity_counter = *args->continuity_counter;
ts_header.payload = 0;
ts_header.adaptation_field = 1;
@@ -102,27 +102,27 @@ u32 vidtv_ts_pcr_write_into(struct pcr_w
ts_adap.PCR = 1;
/* copy TS header */
- nbytes += vidtv_memcpy(args.dest_buf,
- args.dest_offset + nbytes,
- args.buf_sz,
+ nbytes += vidtv_memcpy(args->dest_buf,
+ args->dest_offset + nbytes,
+ args->buf_sz,
&ts_header,
sizeof(ts_header));
/* write the adap after the TS header */
- nbytes += vidtv_memcpy(args.dest_buf,
- args.dest_offset + nbytes,
- args.buf_sz,
+ nbytes += vidtv_memcpy(args->dest_buf,
+ args->dest_offset + nbytes,
+ args->buf_sz,
&ts_adap,
sizeof(ts_adap));
/* write the PCR optional */
- nbytes += vidtv_ts_write_pcr_bits(args.dest_buf,
- args.dest_offset + nbytes,
- args.pcr);
-
- nbytes += vidtv_memset(args.dest_buf,
- args.dest_offset + nbytes,
- args.buf_sz,
+ nbytes += vidtv_ts_write_pcr_bits(args->dest_buf,
+ args->dest_offset + nbytes,
+ args->pcr);
+
+ nbytes += vidtv_memset(args->dest_buf,
+ args->dest_offset + nbytes,
+ args->buf_sz,
TS_FILL_BYTE,
TS_PACKET_LEN - nbytes);
--- a/drivers/media/test-drivers/vidtv/vidtv_ts.h
+++ b/drivers/media/test-drivers/vidtv/vidtv_ts.h
@@ -90,7 +90,7 @@ void vidtv_ts_inc_cc(u8 *continuity_coun
*
* Return: The number of bytes written into the buffer.
*/
-u32 vidtv_ts_null_write_into(struct null_packet_write_args args);
+u32 vidtv_ts_null_write_into(const struct null_packet_write_args *args);
/**
* vidtv_ts_pcr_write_into - Write a PCR packet into a buffer.
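Review bot: the prototype of `vidtv_ts_null_write_into()` now takes `const struct null_packet_write_args *args`, but the kernel-doc block above it is unchanged in this hunk. If its `@args` line describes the argument as the struct itself, update it to say it is a pointer to caller-owned arguments that must not be NULL, and do the same for `vidtv_ts_pcr_write_into()` in the next hunk.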
@@ -101,6 +101,6 @@ u32 vidtv_ts_null_write_into(struct null
*
* Return: The number of bytes written into the buffer.
*/
-u32 vidtv_ts_pcr_write_into(struct pcr_write_args args);
+u32 vidtv_ts_pcr_write_into(const struct pcr_write_args *args);
#endif //VIDTV_TS_H
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 108/969] media: hackrf: fix to not free memory after the device is registered in hackrf_probe()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (106 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 107/969] media: vidtv: fix pass-by-value structs causing MSAN warnings Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 109/969] PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown Greg Kroah-Hartman
` (867 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+6ffd76b5405c006a46b7,
syzbot+f1b20958f93d2d250727, Jeongjun Park, Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeongjun Park <aha310510@gmail.com>
commit 3b7da2b4d0fe014eff181ed37e3bf832eb8ed258 upstream.
In hackrf driver, the following race condition occurs:
```
        CPU0                                    CPU1

hackrf_probe()
  kzalloc(); // alloc hackrf_dev
  ....
  v4l2_device_register();
  ....
                                        fd = sys_open("/path/to/dev"); // open hackrf fd
                                        ....
  v4l2_device_unregister();
  ....
  kfree(); // free hackrf_dev
  ....
                                        sys_ioctl(fd, ...);
                                          v4l2_ioctl();
                                            video_is_registered() // UAF!!
                                        ....
                                        sys_close(fd);
                                          v4l2_release() // UAF!!
                                            hackrf_video_release()
                                              kfree(); // DFB!!
```
When a V4L2 or video device is unregistered, the device node is removed so
new open() calls are blocked.
However, file descriptors that are already open, and any in-flight I/O, do
not terminate immediately; they remain valid until the last reference is
dropped and the driver's release() is invoked.
Therefore, freeing device memory on the error path after hackrf_probe()
has registered dev will lead to a race to use-after-free vuln, since
those already-open handles haven't been released yet.
And since release() frees memory too, a race to use-after-free and
double-free vuln occurs.
To prevent this, if device is registered from probe(), it should be
modified to free memory only through release() rather than calling
kfree() directly.
Cc: <stable@vger.kernel.org>
Reported-by: syzbot+6ffd76b5405c006a46b7@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=6ffd76b5405c006a46b7
Reported-by: syzbot+f1b20958f93d2d250727@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=f1b20958f93d2d250727
Fixes: 8bc4a9ed8504 ("[media] hackrf: add support for transmitter")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/usb/hackrf/hackrf.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/drivers/media/usb/hackrf/hackrf.c
+++ b/drivers/media/usb/hackrf/hackrf.c
@@ -1485,7 +1485,7 @@ static int hackrf_probe(struct usb_inter
if (ret) {
dev_err(dev->dev,
"Failed to register as video device (%d)\n", ret);
- goto err_v4l2_device_unregister;
+ goto err_v4l2_device_put;
}
dev_info(dev->dev, "Registered as %s\n",
video_device_node_name(&dev->rx_vdev));
@@ -1514,8 +1514,9 @@ static int hackrf_probe(struct usb_inter
return 0;
err_video_unregister_device_rx:
video_unregister_device(&dev->rx_vdev);
-err_v4l2_device_unregister:
- v4l2_device_unregister(&dev->v4l2_dev);
+err_v4l2_device_put:
+ v4l2_device_put(&dev->v4l2_dev);
+ return ret;
err_v4l2_ctrl_handler_free_tx:
v4l2_ctrl_handler_free(&dev->tx_ctrl_handler);
err_v4l2_ctrl_handler_free_rx:
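Review bot: the added `return ret;` under `err_v4l2_device_put` stops both this label and `err_video_unregister_device_rx` from falling through to `err_v4l2_ctrl_handler_free_tx` and the labels below it, which is the point of the fix but is not obvious from the code. Add a comment at the return saying that once the device is registered, the release path reached through `v4l2_device_put()` owns the remaining cleanup, so nobody later removes the return to restore the fall-through. The changelog should also note that `v4l2_device_unregister()` is no longer called directly on this path.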
^ permalink raw reply [flat|nested] 982+ messages in thread
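The interleaving drawn in the as102 and hackrf changelogs above, as an added userspace model that is not code from either patch or from the kernel. It generalizes both fixes to a plain reference count; every name in it (`model_dev`, `model_put`, `run_probe_failure` and so on) is hypothetical, and "freeing" only bumps a counter so the buggy ordering can be observed safely.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model; these are not kernel structures or APIs. */
struct model_dev {
	int refs;           /* probe's reference plus one per open handle */
	int free_calls;     /* how many times the object was "freed" */
	int stale_accesses; /* accesses made after the first free */
};

struct outcome {
	int free_calls;
	int stale_accesses;
};

/* Stands in for kfree(); a second call would be a double free. */
static void model_free(struct model_dev *d)
{
	d->free_calls++;
}

/* Any field access from .release(); stale if the object is already freed. */
static void model_touch(struct model_dev *d)
{
	if (d->free_calls > 0)
		d->stale_accesses++;
}

static void model_get(struct model_dev *d)
{
	d->refs++;
}

/* The last put is the only place that frees. */
static void model_put(struct model_dev *d)
{
	if (--d->refs == 0)
		model_free(d);
}

/*
 * One probe failure after the device node was registered.
 * refcounted == false: probe frees directly and .release() frees again
 *                      (the pre-fix behaviour the changelogs describe).
 * refcounted == true:  probe and .release() each drop one reference.
 * handle_open:         userspace won the race and holds an open fd.
 */
struct outcome run_probe_failure(bool refcounted, bool handle_open)
{
	struct model_dev d = { .refs = 1, .free_calls = 0, .stale_accesses = 0 };
	struct outcome out;

	/* CPU1: open() succeeds between registration and the error path. */
	if (handle_open)
		model_get(&d);

	/* CPU0: probe error path, after deregistration. */
	if (refcounted)
		model_put(&d);
	else
		model_free(&d);

	/* CPU1: close() invokes .release() on the still-open handle. */
	if (handle_open) {
		model_touch(&d);
		if (refcounted)
			model_put(&d);
		else
			model_free(&d);
	}

	out.free_calls = d.free_calls;
	out.stale_accesses = d.stale_accesses;
	return out;
}

int main(void)
{
	struct outcome bug = run_probe_failure(false, true);
	struct outcome fix = run_probe_failure(true, true);
	struct outcome idle = run_probe_failure(true, false);

	printf("direct free, fd open : frees=%d stale=%d\n",
	       bug.free_calls, bug.stale_accesses);
	printf("refcounted, fd open  : frees=%d stale=%d\n",
	       fix.free_calls, fix.stale_accesses);
	printf("refcounted, no opener: frees=%d stale=%d\n",
	       idle.free_calls, idle.stale_accesses);
	return 0;
}
```

The third case is the one a fix that only returns early has to account for: with no opener, the probe path's own put is the only thing that frees the object.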
* [PATCH 6.1 109/969] PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (107 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 108/969] media: hackrf: fix to not free memory after the device is registered in hackrf_probe() Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 110/969] Revert "net: ethernet: xscale: Check for PTP support properly" Greg Kroah-Hartman
` (866 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Koichiro Den, Manivannan Sadhasivam,
Frank Li, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Koichiro Den <den@valinux.co.jp>
[ Upstream commit 0da63230d3ec1ec5fcc443a2314233e95bfece54 ]
epf_ntb_epc_destroy() duplicates the teardown that the caller is
supposed to perform later. This leads to an oops when .allow_link fails
or when .drop_link is performed. The following is an example oops of the
former case:
Unable to handle kernel paging request at virtual address dead000000000108
[...]
[dead000000000108] address between user and kernel address ranges
Internal error: Oops: 0000000096000044 [#1] SMP
[...]
Call trace:
pci_epc_remove_epf+0x78/0xe0 (P)
pci_primary_epc_epf_link+0x88/0xa8
configfs_symlink+0x1f4/0x5a0
vfs_symlink+0x134/0x1d8
do_symlinkat+0x88/0x138
__arm64_sys_symlinkat+0x74/0xe0
[...]
Remove the helper, and drop pci_epc_put(). EPC device refcounting is
tied to the configfs EPC group lifetime, and pci_epc_put() in the
.drop_link path is sufficient.
Fixes: e35f56bb0330 ("PCI: endpoint: Support NTB transfer between RC and EP")
Signed-off-by: Koichiro Den <den@valinux.co.jp>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260226084142.2226875-2-den@valinux.co.jp
[ adjusted context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/endpoint/functions/pci-epf-vntb.c | 18 +-----------------
1 file changed, 1 insertion(+), 17 deletions(-)
diff --git a/drivers/pci/endpoint/functions/pci-epf-vntb.c b/drivers/pci/endpoint/functions/pci-epf-vntb.c
index d057537781f60..eee49a3eec04c 100644
--- a/drivers/pci/endpoint/functions/pci-epf-vntb.c
+++ b/drivers/pci/endpoint/functions/pci-epf-vntb.c
@@ -676,18 +676,6 @@ static void epf_ntb_mw_bar_clear(struct epf_ntb *ntb, int num_mws)
}
}
-/**
- * epf_ntb_epc_destroy() - Cleanup NTB EPC interface
- * @ntb: NTB device that facilitates communication between HOST and VHOST
- *
- * Wrapper for epf_ntb_epc_destroy_interface() to cleanup all the NTB interfaces
- */
-static void epf_ntb_epc_destroy(struct epf_ntb *ntb)
-{
- pci_epc_remove_epf(ntb->epf->epc, ntb->epf, 0);
- pci_epc_put(ntb->epf->epc);
-}
-
/**
* epf_ntb_init_epc_bar() - Identify BARs to be used for each of the NTB
* constructs (scratchpad region, doorbell, memorywindow)
@@ -1331,7 +1319,7 @@ static int epf_ntb_bind(struct pci_epf *epf)
ret = epf_ntb_init_epc_bar(ntb);
if (ret) {
dev_err(dev, "Failed to create NTB EPC\n");
- goto err_bar_init;
+ return ret;
}
ret = epf_ntb_config_spad_bar_alloc(ntb);
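Review bot: in epf_ntb_bind(), the dev_err() text on the changed path still reads "Failed to create NTB EPC" although the call that failed is epf_ntb_init_epc_bar(). Since this path now returns directly with no teardown, a message naming the BAR initialisation step would match what the code does.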
@@ -1371,9 +1359,6 @@ static int epf_ntb_bind(struct pci_epf *epf)
err_bar_alloc:
epf_ntb_config_spad_bar_free(ntb);
-err_bar_init:
- epf_ntb_epc_destroy(ntb);
-
return ret;
}
@@ -1389,7 +1374,6 @@ static void epf_ntb_unbind(struct pci_epf *epf)
epf_ntb_epc_cleanup(ntb);
epf_ntb_config_spad_bar_free(ntb);
- epf_ntb_epc_destroy(ntb);
pci_unregister_driver(&vntb_pci_driver);
}
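Review bot: epf_ntb_unbind() now leaves pci_epc_remove_epf() and pci_epc_put() entirely to the caller, but nothing in the function says so. A short comment above the remaining teardown calls, stating that EPC removal and the refcount drop belong to the configfs .drop_link path as the commit message explains, would keep someone from re-adding the duplicate teardown that caused the oops.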
--
2.53.0
* [PATCH 6.1 110/969] Revert "net: ethernet: xscale: Check for PTP support properly"
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (108 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 109/969] PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 111/969] Revert "net: ixp4xx_eth: convert to ndo_hwtstamp_get() and ndo_hwtstamp_set()" Greg Kroah-Hartman
` (865 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
This reverts commit 5195b10c34b8993194ad12ad7d8f54d861be084b.
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/xscale/ixp4xx_eth.c | 5 ++++-
drivers/net/ethernet/xscale/ptp_ixp46x.c | 3 ---
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/xscale/ixp4xx_eth.c b/drivers/net/ethernet/xscale/ixp4xx_eth.c
index aa6d30dd35c38..a5e03e66cfd38 100644
--- a/drivers/net/ethernet/xscale/ixp4xx_eth.c
+++ b/drivers/net/ethernet/xscale/ixp4xx_eth.c
@@ -395,12 +395,15 @@ static int ixp4xx_hwtstamp_set(struct net_device *netdev,
int ret;
int ch;
+ if (!cpu_is_ixp46x())
+ return -EOPNOTSUPP;
+
if (!netif_running(netdev))
return -EINVAL;
ret = ixp46x_ptp_find(&port->timesync_regs, &port->phc_index);
if (ret)
- return -EOPNOTSUPP;
+ return ret;
ch = PORT2CHANNEL(port);
regs = port->timesync_regs;
diff --git a/drivers/net/ethernet/xscale/ptp_ixp46x.c b/drivers/net/ethernet/xscale/ptp_ixp46x.c
index b8953745a9f2e..9abbdb71e629f 100644
--- a/drivers/net/ethernet/xscale/ptp_ixp46x.c
+++ b/drivers/net/ethernet/xscale/ptp_ixp46x.c
@@ -243,9 +243,6 @@ static struct ixp_clock ixp_clock;
int ixp46x_ptp_find(struct ixp46x_ts_regs *__iomem *regs, int *phc_index)
{
- if (!cpu_is_ixp46x())
- return -ENODEV;
-
*regs = ixp_clock.regs;
*phc_index = ptp_clock_index(ixp_clock.ptp_clock);
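Review bot: with the cpu_is_ixp46x() test removed, ixp46x_ptp_find() reads ixp_clock.regs and calls ptp_clock_index(ixp_clock.ptp_clock) with no check of its own, so its safety depends on every caller gating on cpu_is_ixp46x() first, as ixp4xx_hwtstamp_set() does in the other hunk. A kernel-doc line on ixp46x_ptp_find() stating that precondition would help. The revert message also gives no reason for restoring the older behaviour.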
--
2.53.0
* [PATCH 6.1 111/969] Revert "net: ixp4xx_eth: convert to ndo_hwtstamp_get() and ndo_hwtstamp_set()"
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (109 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 110/969] Revert "net: ethernet: xscale: Check for PTP support properly" Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 112/969] ipv6: add NULL checks for idev in SRv6 paths Greg Kroah-Hartman
` (864 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
This reverts commit a94d5447f6bf827bc29be2520ca636685bbc29e6.
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/xscale/ixp4xx_eth.c | 61 +++++++++++++-----------
1 file changed, 32 insertions(+), 29 deletions(-)
diff --git a/drivers/net/ethernet/xscale/ixp4xx_eth.c b/drivers/net/ethernet/xscale/ixp4xx_eth.c
index a5e03e66cfd38..3b0c5f177447b 100644
--- a/drivers/net/ethernet/xscale/ixp4xx_eth.c
+++ b/drivers/net/ethernet/xscale/ixp4xx_eth.c
@@ -386,20 +386,16 @@ static void ixp_tx_timestamp(struct port *port, struct sk_buff *skb)
__raw_writel(TX_SNAPSHOT_LOCKED, ®s->channel[ch].ch_event);
}
-static int ixp4xx_hwtstamp_set(struct net_device *netdev,
- struct kernel_hwtstamp_config *cfg,
- struct netlink_ext_ack *extack)
+static int hwtstamp_set(struct net_device *netdev, struct ifreq *ifr)
{
+ struct hwtstamp_config cfg;
struct ixp46x_ts_regs *regs;
struct port *port = netdev_priv(netdev);
int ret;
int ch;
- if (!cpu_is_ixp46x())
- return -EOPNOTSUPP;
-
- if (!netif_running(netdev))
- return -EINVAL;
+ if (copy_from_user(&cfg, ifr->ifr_data, sizeof(cfg)))
+ return -EFAULT;
ret = ixp46x_ptp_find(&port->timesync_regs, &port->phc_index);
if (ret)
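Review bot: hwtstamp_set() loses both the cpu_is_ixp46x() and netif_running() guards in this hunk and goes straight from copy_from_user() to ixp46x_ptp_find(); the guards exist only in eth_ioctl(), added further down. Since the function is correct only when reached through eth_ioctl(), a comment saying so (or keeping the guards) would protect against a future direct caller. The revert message also does not say why the ndo_hwtstamp conversion is being backed out.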
@@ -408,10 +404,10 @@ static int ixp4xx_hwtstamp_set(struct net_device *netdev,
ch = PORT2CHANNEL(port);
regs = port->timesync_regs;
- if (cfg->tx_type != HWTSTAMP_TX_OFF && cfg->tx_type != HWTSTAMP_TX_ON)
+ if (cfg.tx_type != HWTSTAMP_TX_OFF && cfg.tx_type != HWTSTAMP_TX_ON)
return -ERANGE;
- switch (cfg->rx_filter) {
+ switch (cfg.rx_filter) {
case HWTSTAMP_FILTER_NONE:
port->hwts_rx_en = 0;
break;
@@ -427,45 +423,39 @@ static int ixp4xx_hwtstamp_set(struct net_device *netdev,
return -ERANGE;
}
- port->hwts_tx_en = cfg->tx_type == HWTSTAMP_TX_ON;
+ port->hwts_tx_en = cfg.tx_type == HWTSTAMP_TX_ON;
/* Clear out any old time stamps. */
__raw_writel(TX_SNAPSHOT_LOCKED | RX_SNAPSHOT_LOCKED,
®s->channel[ch].ch_event);
- return 0;
+ return copy_to_user(ifr->ifr_data, &cfg, sizeof(cfg)) ? -EFAULT : 0;
}
-static int ixp4xx_hwtstamp_get(struct net_device *netdev,
- struct kernel_hwtstamp_config *cfg)
+static int hwtstamp_get(struct net_device *netdev, struct ifreq *ifr)
{
+ struct hwtstamp_config cfg;
struct port *port = netdev_priv(netdev);
- if (!cpu_is_ixp46x())
- return -EOPNOTSUPP;
-
- if (!netif_running(netdev))
- return -EINVAL;
-
- cfg->flags = 0;
- cfg->tx_type = port->hwts_tx_en ? HWTSTAMP_TX_ON : HWTSTAMP_TX_OFF;
+ cfg.flags = 0;
+ cfg.tx_type = port->hwts_tx_en ? HWTSTAMP_TX_ON : HWTSTAMP_TX_OFF;
switch (port->hwts_rx_en) {
case 0:
- cfg->rx_filter = HWTSTAMP_FILTER_NONE;
+ cfg.rx_filter = HWTSTAMP_FILTER_NONE;
break;
case PTP_SLAVE_MODE:
- cfg->rx_filter = HWTSTAMP_FILTER_PTP_V1_L4_SYNC;
+ cfg.rx_filter = HWTSTAMP_FILTER_PTP_V1_L4_SYNC;
break;
case PTP_MASTER_MODE:
- cfg->rx_filter = HWTSTAMP_FILTER_PTP_V1_L4_DELAY_REQ;
+ cfg.rx_filter = HWTSTAMP_FILTER_PTP_V1_L4_DELAY_REQ;
break;
default:
WARN_ON_ONCE(1);
return -ERANGE;
}
- return 0;
+ return copy_to_user(ifr->ifr_data, &cfg, sizeof(cfg)) ? -EFAULT : 0;
}
static int ixp4xx_mdio_cmd(struct mii_bus *bus, int phy_id, int location,
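Review bot: in hwtstamp_get(), cfg is an uninitialised stack struct that is copied to user space whole with copy_to_user(ifr->ifr_data, &cfg, sizeof(cfg)). The code assigns flags, tx_type and rx_filter before that, but declaring it as `struct hwtstamp_config cfg = {};` would keep the copy free of stack contents regardless of the struct's layout. In hwtstamp_set(), the final copy_to_user() can return -EFAULT after hwts_rx_en, hwts_tx_en and the ch_event register have already been updated, so the caller sees a failure for a change that took effect.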
@@ -987,6 +977,21 @@ static void eth_set_mcast_list(struct net_device *dev)
}
+static int eth_ioctl(struct net_device *dev, struct ifreq *req, int cmd)
+{
+ if (!netif_running(dev))
+ return -EINVAL;
+
+ if (cpu_is_ixp46x()) {
+ if (cmd == SIOCSHWTSTAMP)
+ return hwtstamp_set(dev, req);
+ if (cmd == SIOCGHWTSTAMP)
+ return hwtstamp_get(dev, req);
+ }
+
+ return phy_mii_ioctl(dev->phydev, req, cmd);
+}
+
/* ethtool support */
static void ixp4xx_get_drvinfo(struct net_device *dev,
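Review bot: eth_ioctl() passes dev->phydev to phy_mii_ioctl() without checking it, for every command not handled by the two hwtstamp branches (including SIOCSHWTSTAMP and SIOCGHWTSTAMP when cpu_is_ixp46x() is false). If the device can be running without an attached PHY, add `if (!dev->phydev) return -ENODEV;` before the call.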
@@ -1371,11 +1376,9 @@ static const struct net_device_ops ixp4xx_netdev_ops = {
.ndo_stop = eth_close,
.ndo_start_xmit = eth_xmit,
.ndo_set_rx_mode = eth_set_mcast_list,
- .ndo_eth_ioctl = phy_do_ioctl_running,
+ .ndo_eth_ioctl = eth_ioctl,
.ndo_set_mac_address = eth_mac_addr,
.ndo_validate_addr = eth_validate_addr,
- .ndo_hwtstamp_get = ixp4xx_hwtstamp_get,
- .ndo_hwtstamp_set = ixp4xx_hwtstamp_set,
};
static struct eth_plat_info *ixp4xx_of_get_platdata(struct device *dev)
--
2.53.0
* [PATCH 6.1 112/969] ipv6: add NULL checks for idev in SRv6 paths
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (110 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 111/969] Revert "net: ixp4xx_eth: convert to ndo_hwtstamp_get() and ndo_hwtstamp_set()" Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 113/969] gfs2: Improve gfs2_consist_inode() usage Greg Kroah-Hartman
` (863 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Minhong He, Andrea Mayer,
Jakub Kicinski, Li hongliang, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Minhong He <heminhong@kylinos.cn>
[ Upstream commit 06413793526251870e20402c39930804f14d59c0 ]
__in6_dev_get() can return NULL when the device has no IPv6 configuration
(e.g. MTU < IPV6_MIN_MTU or after NETDEV_UNREGISTER).
Add NULL checks for idev returned by __in6_dev_get() in both
seg6_hmac_validate_skb() and ipv6_srh_rcv() to prevent potential NULL
pointer dereferences.
Fixes: 1ababeba4a21 ("ipv6: implement dataplane support for rthdr type 4 (Segment Routing Header)")
Fixes: bf355b8d2c30 ("ipv6: sr: add core files for SR HMAC support")
Signed-off-by: Minhong He <heminhong@kylinos.cn>
Reviewed-by: Andrea Mayer <andrea.mayer@uniroma2.it>
Link: https://patch.msgid.link/20260316073301.106643-1-heminhong@kylinos.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Li hongliang <1468888505@139.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/exthdrs.c | 4 ++++
net/ipv6/seg6_hmac.c | 2 ++
2 files changed, 6 insertions(+)
diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c
index 61e0060185f4b..5fb97a87d2cb5 100644
--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -381,6 +381,10 @@ static int ipv6_srh_rcv(struct sk_buff *skb)
hdr = (struct ipv6_sr_hdr *)skb_transport_header(skb);
idev = __in6_dev_get(skb->dev);
+ if (!idev) {
+ kfree_skb(skb);
+ return -1;
+ }
accept_seg6 = net->ipv6.devconf_all->seg6_enabled;
if (accept_seg6 > idev->cnf.seg6_enabled)
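Review bot: the new !idev branch in ipv6_srh_rcv() frees the skb and returns -1 without any counter or drop reason, so packets discarded here are invisible to whoever is debugging an SRv6 path. Consider accounting for the drop (an error counter or a drop reason), or at least a comment stating when idev can be NULL (MTU below IPV6_MIN_MTU, or after NETDEV_UNREGISTER, per the commit message).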
diff --git a/net/ipv6/seg6_hmac.c b/net/ipv6/seg6_hmac.c
index b90c286d77ed4..e784f539194ad 100644
--- a/net/ipv6/seg6_hmac.c
+++ b/net/ipv6/seg6_hmac.c
@@ -244,6 +244,8 @@ bool seg6_hmac_validate_skb(struct sk_buff *skb)
struct inet6_dev *idev;
idev = __in6_dev_get(skb->dev);
+ if (!idev)
+ return false;
srh = (struct ipv6_sr_hdr *)skb_transport_header(skb);
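Review bot: returning false from seg6_hmac_validate_skb() when idev is NULL makes the packet fail HMAC validation, which is the safe direction, but the hunk gives no hint that this is deliberate. A one-line comment such as `/* no IPv6 config on this device: treat as failed validation */` above the check would document the fail-closed choice.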
--
2.53.0
* [PATCH 6.1 113/969] gfs2: Improve gfs2_consist_inode() usage
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (111 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 112/969] ipv6: add NULL checks for idev in SRv6 paths Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 114/969] gfs2: Validate i_depth for exhash directories Greg Kroah-Hartman
` (862 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrew Price, Andreas Gruenbacher,
Ruohan Lan, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Price <anprice@redhat.com>
[ Upstream commit 10398ef57aa189153406c110f5957145030f08fe ]
gfs2_consist_inode() logs an error message with the source file and line
number. When we jump before calling it, the line number becomes less
useful as it no longer relates to the source of the error. To aid
troubleshooting, replace the gotos with the gfs2_consist_inode() calls
so that the error messages are more informative.
Signed-off-by: Andrew Price <anprice@redhat.com>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Ruohan Lan <ruohanlan@aliyun.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/gfs2/dir.c | 31 +++++++++++++++++--------------
fs/gfs2/glops.c | 34 ++++++++++++++++++++--------------
fs/gfs2/xattr.c | 28 ++++++++++++++++------------
3 files changed, 53 insertions(+), 40 deletions(-)
diff --git a/fs/gfs2/dir.c b/fs/gfs2/dir.c
index 54a6d17b8c252..96924af95c8ef 100644
--- a/fs/gfs2/dir.c
+++ b/fs/gfs2/dir.c
@@ -562,15 +562,18 @@ static struct gfs2_dirent *gfs2_dirent_scan(struct inode *inode, void *buf,
int ret = 0;
ret = gfs2_dirent_offset(GFS2_SB(inode), buf);
- if (ret < 0)
- goto consist_inode;
-
+ if (ret < 0) {
+ gfs2_consist_inode(GFS2_I(inode));
+ return ERR_PTR(-EIO);
+ }
offset = ret;
prev = NULL;
dent = buf + offset;
size = be16_to_cpu(dent->de_rec_len);
- if (gfs2_check_dirent(GFS2_SB(inode), dent, offset, size, len, 1))
- goto consist_inode;
+ if (gfs2_check_dirent(GFS2_SB(inode), dent, offset, size, len, 1)) {
+ gfs2_consist_inode(GFS2_I(inode));
+ return ERR_PTR(-EIO);
+ }
do {
ret = scan(dent, name, opaque);
if (ret)
@@ -582,8 +585,10 @@ static struct gfs2_dirent *gfs2_dirent_scan(struct inode *inode, void *buf,
dent = buf + offset;
size = be16_to_cpu(dent->de_rec_len);
if (gfs2_check_dirent(GFS2_SB(inode), dent, offset, size,
- len, 0))
- goto consist_inode;
+ len, 0)) {
+ gfs2_consist_inode(GFS2_I(inode));
+ return ERR_PTR(-EIO);
+ }
} while(1);
switch(ret) {
@@ -597,10 +602,6 @@ static struct gfs2_dirent *gfs2_dirent_scan(struct inode *inode, void *buf,
BUG_ON(ret > 0);
return ERR_PTR(ret);
}
-
-consist_inode:
- gfs2_consist_inode(GFS2_I(inode));
- return ERR_PTR(-EIO);
}
static int dirent_check_reclen(struct gfs2_inode *dip,
@@ -609,14 +610,16 @@ static int dirent_check_reclen(struct gfs2_inode *dip,
const void *ptr = d;
u16 rec_len = be16_to_cpu(d->de_rec_len);
- if (unlikely(rec_len < sizeof(struct gfs2_dirent)))
- goto broken;
+ if (unlikely(rec_len < sizeof(struct gfs2_dirent))) {
+ gfs2_consist_inode(dip);
+ return -EIO;
+ }
ptr += rec_len;
if (ptr < end_p)
return rec_len;
if (ptr == end_p)
return -ENOENT;
-broken:
+
gfs2_consist_inode(dip);
return -EIO;
}
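Review bot: with the `broken:` label gone from dirent_check_reclen(), the trailing gfs2_consist_inode(dip); return -EIO; is reached only by falling through the two ptr comparisons, and nothing states which condition that is. A comment such as `/* ptr > end_p: record extends past the buffer */` above it would make the second report site as self-explanatory as the first.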
diff --git a/fs/gfs2/glops.c b/fs/gfs2/glops.c
index bb5bc32a5eea5..f4bd487a9b3b0 100644
--- a/fs/gfs2/glops.c
+++ b/fs/gfs2/glops.c
@@ -404,10 +404,14 @@ static int gfs2_dinode_in(struct gfs2_inode *ip, const void *buf)
struct inode *inode = &ip->i_inode;
bool is_new = inode->i_state & I_NEW;
- if (unlikely(ip->i_no_addr != be64_to_cpu(str->di_num.no_addr)))
- goto corrupt;
- if (unlikely(!is_new && inode_wrong_type(inode, mode)))
- goto corrupt;
+ if (unlikely(ip->i_no_addr != be64_to_cpu(str->di_num.no_addr))) {
+ gfs2_consist_inode(ip);
+ return -EIO;
+ }
+ if (unlikely(!is_new && inode_wrong_type(inode, mode))) {
+ gfs2_consist_inode(ip);
+ return -EIO;
+ }
ip->i_no_formal_ino = be64_to_cpu(str->di_num.no_formal_ino);
inode->i_mode = mode;
if (is_new) {
@@ -443,26 +447,28 @@ static int gfs2_dinode_in(struct gfs2_inode *ip, const void *buf)
/* i_diskflags and i_eattr must be set before gfs2_set_inode_flags() */
gfs2_set_inode_flags(inode);
height = be16_to_cpu(str->di_height);
- if (unlikely(height > sdp->sd_max_height))
- goto corrupt;
+ if (unlikely(height > sdp->sd_max_height)) {
+ gfs2_consist_inode(ip);
+ return -EIO;
+ }
ip->i_height = (u8)height;
depth = be16_to_cpu(str->di_depth);
- if (unlikely(depth > GFS2_DIR_MAX_DEPTH))
- goto corrupt;
+ if (unlikely(depth > GFS2_DIR_MAX_DEPTH)) {
+ gfs2_consist_inode(ip);
+ return -EIO;
+ }
ip->i_depth = (u8)depth;
ip->i_entries = be32_to_cpu(str->di_entries);
- if (gfs2_is_stuffed(ip) && inode->i_size > gfs2_max_stuffed_size(ip))
- goto corrupt;
-
+ if (gfs2_is_stuffed(ip) && inode->i_size > gfs2_max_stuffed_size(ip)) {
+ gfs2_consist_inode(ip);
+ return -EIO;
+ }
if (S_ISREG(inode->i_mode))
gfs2_set_aops(inode);
return 0;
-corrupt:
- gfs2_consist_inode(ip);
- return -EIO;
}
/**
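Review bot: gfs2_dinode_in() now repeats the gfs2_consist_inode(ip); return -EIO; block for each check, and the reason (the logged file and line should identify the failed check) is only in the commit message. A short comment at the first block would stop a later cleanup from folding them back into a single label. Style: the hunk also drops the blank line that separated the stuffed-size check from the S_ISREG() test.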
diff --git a/fs/gfs2/xattr.c b/fs/gfs2/xattr.c
index f6a66050380e9..6590aad6720b4 100644
--- a/fs/gfs2/xattr.c
+++ b/fs/gfs2/xattr.c
@@ -96,30 +96,34 @@ static int ea_foreach_i(struct gfs2_inode *ip, struct buffer_head *bh,
return -EIO;
for (ea = GFS2_EA_BH2FIRST(bh);; prev = ea, ea = GFS2_EA2NEXT(ea)) {
- if (!GFS2_EA_REC_LEN(ea))
- goto fail;
+ if (!GFS2_EA_REC_LEN(ea)) {
+ gfs2_consist_inode(ip);
+ return -EIO;
+ }
if (!(bh->b_data <= (char *)ea && (char *)GFS2_EA2NEXT(ea) <=
- bh->b_data + bh->b_size))
- goto fail;
- if (!gfs2_eatype_valid(sdp, ea->ea_type))
- goto fail;
+ bh->b_data + bh->b_size)) {
+ gfs2_consist_inode(ip);
+ return -EIO;
+ }
+ if (!gfs2_eatype_valid(sdp, ea->ea_type)) {
+ gfs2_consist_inode(ip);
+ return -EIO;
+ }
error = ea_call(ip, bh, ea, prev, data);
if (error)
return error;
if (GFS2_EA_IS_LAST(ea)) {
if ((char *)GFS2_EA2NEXT(ea) !=
- bh->b_data + bh->b_size)
- goto fail;
+ bh->b_data + bh->b_size) {
+ gfs2_consist_inode(ip);
+ return -EIO;
+ }
break;
}
}
return error;
-
-fail:
- gfs2_consist_inode(ip);
- return -EIO;
}
static int ea_foreach(struct gfs2_inode *ip, ea_call_t ea_call, void *data)
--
2.53.0
* [PATCH 6.1 114/969] gfs2: Validate i_depth for exhash directories
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (112 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 113/969] gfs2: Improve gfs2_consist_inode() usage Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 115/969] wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure Greg Kroah-Hartman
` (861 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+4708579bb230a0582a57,
Andrew Price, Andreas Gruenbacher, Ruohan Lan, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Price <anprice@redhat.com>
[ Upstream commit 557c024ca7250bb65ae60f16c02074106c2f197b ]
A fuzzer test introduced corruption that ends up with a depth of 0 in
dir_e_read(), causing an undefined shift by 32 at:
index = hash >> (32 - dip->i_depth);
As calculated in an open-coded way in dir_make_exhash(), the minimum
depth for an exhash directory is ilog2(sdp->sd_hash_ptrs) and 0 is
invalid as sdp->sd_hash_ptrs is fixed as sdp->bsize / 16 at mount time.
So we can avoid the undefined behaviour by checking for depth values
lower than the minimum in gfs2_dinode_in(). Values greater than the
maximum are already being checked for there.
Also switch the calculation in dir_make_exhash() to use ilog2() to
clarify how the depth is calculated.
Tested with the syzkaller repro.c and xfstests '-g quick'.
Reported-by: syzbot+4708579bb230a0582a57@syzkaller.appspotmail.com
Signed-off-by: Andrew Price <anprice@redhat.com>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Ruohan Lan <ruohanlan@aliyun.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/gfs2/dir.c | 6 ++----
fs/gfs2/glops.c | 6 ++++++
2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/fs/gfs2/dir.c b/fs/gfs2/dir.c
index 96924af95c8ef..3716d89d8af6f 100644
--- a/fs/gfs2/dir.c
+++ b/fs/gfs2/dir.c
@@ -60,6 +60,7 @@
#include <linux/crc32.h>
#include <linux/vmalloc.h>
#include <linux/bio.h>
+#include <linux/log2.h>
#include "gfs2.h"
#include "incore.h"
@@ -912,7 +913,6 @@ static int dir_make_exhash(struct inode *inode)
struct qstr args;
struct buffer_head *bh, *dibh;
struct gfs2_leaf *leaf;
- int y;
u32 x;
__be64 *lp;
u64 bn;
@@ -979,9 +979,7 @@ static int dir_make_exhash(struct inode *inode)
i_size_write(inode, sdp->sd_sb.sb_bsize / 2);
gfs2_add_inode_blocks(&dip->i_inode, 1);
dip->i_diskflags |= GFS2_DIF_EXHASH;
-
- for (x = sdp->sd_hash_ptrs, y = -1; x; x >>= 1, y++) ;
- dip->i_depth = y;
+ dip->i_depth = ilog2(sdp->sd_hash_ptrs);
gfs2_dinode_out(dip, dibh->b_data);
diff --git a/fs/gfs2/glops.c b/fs/gfs2/glops.c
index f4bd487a9b3b0..e7904c1c985f6 100644
--- a/fs/gfs2/glops.c
+++ b/fs/gfs2/glops.c
@@ -11,6 +11,7 @@
#include <linux/bio.h>
#include <linux/posix_acl.h>
#include <linux/security.h>
+#include <linux/log2.h>
#include "gfs2.h"
#include "incore.h"
@@ -458,6 +459,11 @@ static int gfs2_dinode_in(struct gfs2_inode *ip, const void *buf)
gfs2_consist_inode(ip);
return -EIO;
}
+ if ((ip->i_diskflags & GFS2_DIF_EXHASH) &&
+ depth < ilog2(sdp->sd_hash_ptrs)) {
+ gfs2_consist_inode(ip);
+ return -EIO;
+ }
ip->i_depth = (u8)depth;
ip->i_entries = be32_to_cpu(str->di_entries);
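Review bot: the minimum depth ilog2(sdp->sd_hash_ptrs) is now spelled out in two places, here in gfs2_dinode_in() and in dir_make_exhash(), with nothing tying them together. A small helper or macro used by both would keep the on-disk validation and the value written at conversion time from drifting apart. A comment above the new check noting that it prevents the shift by 32 in dir_e_read() would also help.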
--
2.53.0
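The depth validation described in the commit message above, as an added user-space C example that is not part of the patch or of the kernel source. All `ex_` names are hypothetical, and the two constants are assumed stand-ins for GFS2_DIF_EXHASH and GFS2_DIR_MAX_DEPTH; the records are constructed in the way a corrupted disk image would supply them.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constants assumed for this example; they stand in for the kernel's
 * GFS2_DIF_EXHASH and GFS2_DIR_MAX_DEPTH and are not taken from the page. */
#define EX_DIF_EXHASH    0x00000020u
#define EX_DIR_MAX_DEPTH 17u

/* Constructed on-disk fields, big-endian as a disk image would carry them. */
struct ex_dinode_raw {
	uint8_t flags_be[4];
	uint8_t depth_be[2];
};

/* In-core copy, filled only after validation succeeds. */
struct ex_inode {
	uint32_t diskflags;
	uint8_t depth;
};

static uint32_t ex_be32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static uint16_t ex_be16(const uint8_t *p)
{
	return (uint16_t)((p[0] << 8) | p[1]);
}

/* floor(log2(v)); callers pass v > 0. */
static unsigned int ex_ilog2(uint32_t v)
{
	unsigned int r = 0;

	while (v >>= 1)
		r++;
	return r;
}

/* Minimum exhash depth: hash_ptrs is block size / 16 per the commit message. */
static unsigned int ex_min_depth(uint32_t bsize)
{
	return ex_ilog2(bsize / 16);
}

/* Read-side validation: reject depths above the maximum and, for exhash
 * directories, depths below the minimum. */
int ex_dinode_in(struct ex_inode *ip, const struct ex_dinode_raw *raw,
		 uint32_t bsize)
{
	uint32_t flags = ex_be32(raw->flags_be);
	unsigned int depth = ex_be16(raw->depth_be);

	if (depth > EX_DIR_MAX_DEPTH)
		return -EIO;
	if ((flags & EX_DIF_EXHASH) && depth < ex_min_depth(bsize))
		return -EIO;
	ip->diskflags = flags;
	ip->depth = (uint8_t)depth;
	return 0;
}

/* Encode a constructed record from host-order values. */
static struct ex_dinode_raw ex_make_raw(uint32_t flags, uint16_t depth)
{
	struct ex_dinode_raw raw = {
		{ (uint8_t)(flags >> 24), (uint8_t)(flags >> 16),
		  (uint8_t)(flags >> 8), (uint8_t)flags },
		{ (uint8_t)(depth >> 8), (uint8_t)depth }
	};
	return raw;
}

/* Validate a constructed record; returns 0 or a negative errno. */
int ex_check(uint32_t flags, uint16_t depth, uint32_t bsize)
{
	struct ex_dinode_raw raw = ex_make_raw(flags, depth);
	struct ex_inode ip;

	return ex_dinode_in(&ip, &raw, bsize);
}

/* Hash-table index for a validated exhash directory, or a negative errno.
 * The shift is only reached with 1 <= depth <= EX_DIR_MAX_DEPTH, so the
 * shift count stays in the defined range 15..31. */
long long ex_index(uint32_t flags, uint16_t depth, uint32_t bsize, uint32_t hash)
{
	struct ex_dinode_raw raw = ex_make_raw(flags, depth);
	struct ex_inode ip;
	int err = ex_dinode_in(&ip, &raw, bsize);

	if (err)
		return err;
	if (!(ip.diskflags & EX_DIF_EXHASH) || ip.depth == 0)
		return -EINVAL;
	return (long long)(hash >> (32 - ip.depth));
}

int main(void)
{
	printf("exhash depth 0, bsize 4096 -> %d\n", ex_check(EX_DIF_EXHASH, 0, 4096));
	printf("exhash depth 8, bsize 4096 -> %d\n", ex_check(EX_DIF_EXHASH, 8, 4096));
	printf("index for hash 0xABCDEF01  -> %lld\n",
	       ex_index(EX_DIF_EXHASH, 8, 4096, 0xABCDEF01u));
	return 0;
}
```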
* [PATCH 6.1 115/969] wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (113 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 114/969] gfs2: Validate i_depth for exhash directories Greg Kroah-Hartman
@ 2026-05-30 15:53 ` Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 116/969] net: dsa: clean up FDB, MDB, VLAN entries on unbind Greg Kroah-Hartman
` (860 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Felix Fietkau, Johannes Berg,
Li hongliang, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Fietkau <nbd@nbd.name>
[ Upstream commit d5ad6ab61cbd89afdb60881f6274f74328af3ee9 ]
ieee80211_tx_prepare_skb() has three error paths, but only two of them
free the skb. The first error path (ieee80211_tx_prepare() returning
TX_DROP) does not free it, while invoke_tx_handlers() failure and the
fragmentation check both do.
Add kfree_skb() to the first error path so all three are consistent,
and remove the now-redundant frees in callers (ath9k, mt76,
mac80211_hwsim) to avoid double-free.
Document the skb ownership guarantee in the function's kdoc.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Link: https://patch.msgid.link/20260314065455.2462900-1-nbd@nbd.name
Fixes: 06be6b149f7e ("mac80211: add ieee80211_tx_prepare_skb() helper function")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
[ Exclude changes to drivers/net/wireless/mediatek/mt76/scan.c as this file is first
introduced by commit 31083e38548f("wifi: mt76: add code for emulating hardware scanning")
after linux-6.14.]
Signed-off-by: Li hongliang <1468888505@139.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath9k/channel.c | 6 ++----
drivers/net/wireless/mac80211_hwsim.c | 1 -
include/net/mac80211.h | 4 ++++
net/mac80211/tx.c | 4 +++-
4 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/drivers/net/wireless/ath/ath9k/channel.c b/drivers/net/wireless/ath/ath9k/channel.c
index 571062f2e82a7..ba8ec5112afe8 100644
--- a/drivers/net/wireless/ath/ath9k/channel.c
+++ b/drivers/net/wireless/ath/ath9k/channel.c
@@ -1011,7 +1011,7 @@ static void ath_scan_send_probe(struct ath_softc *sc,
skb_set_queue_mapping(skb, IEEE80211_AC_VO);
if (!ieee80211_tx_prepare_skb(sc->hw, vif, skb, band, NULL))
- goto error;
+ return;
txctl.txq = sc->tx.txq_map[IEEE80211_AC_VO];
if (ath_tx_start(sc->hw, skb, &txctl))
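Review bot: the bare return in ath_scan_send_probe() is correct only because ieee80211_tx_prepare_skb() now frees the skb on every failure path (the tx.c hunk of this patch); applying this hunk without that one would leak the probe skb. A short comment at the return stating that the skb has already been freed would make the ownership visible at the call site.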
@@ -1124,10 +1124,8 @@ ath_chanctx_send_vif_ps_frame(struct ath_softc *sc, struct ath_vif *avp,
skb->priority = 7;
skb_set_queue_mapping(skb, IEEE80211_AC_VO);
- if (!ieee80211_tx_prepare_skb(sc->hw, vif, skb, band, &sta)) {
- dev_kfree_skb_any(skb);
+ if (!ieee80211_tx_prepare_skb(sc->hw, vif, skb, band, &sta))
return false;
- }
break;
default:
return false;
diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
index 80a2a668cfb9e..316b5f56b6e53 100644
--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -2743,7 +2743,6 @@ static void hw_scan_work(struct work_struct *work)
hwsim->tmp_chan->band,
NULL)) {
rcu_read_unlock();
- kfree_skb(probe);
continue;
}
diff --git a/include/net/mac80211.h b/include/net/mac80211.h
index 62e0847d3793b..1769d03e6b1d4 100644
--- a/include/net/mac80211.h
+++ b/include/net/mac80211.h
@@ -6874,6 +6874,10 @@ void ieee80211_report_wowlan_wakeup(struct ieee80211_vif *vif,
* @band: the band to transmit on
* @sta: optional pointer to get the station to send the frame to
*
+ * Return: %true if the skb was prepared, %false otherwise.
+ * On failure, the skb is freed by this function; callers must not
+ * free it again.
+ *
* Note: must be called under RCU lock
*/
bool ieee80211_tx_prepare_skb(struct ieee80211_hw *hw,
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 7333e43dfc354..2e99a1063e939 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -1934,8 +1934,10 @@ bool ieee80211_tx_prepare_skb(struct ieee80211_hw *hw,
struct ieee80211_tx_data tx;
struct sk_buff *skb2;
- if (ieee80211_tx_prepare(sdata, &tx, NULL, skb) == TX_DROP)
+ if (ieee80211_tx_prepare(sdata, &tx, NULL, skb) == TX_DROP) {
+ kfree_skb(skb);
return false;
+ }
info->band = band;
info->control.vif = vif;
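Review bot: adding kfree_skb(skb) on the TX_DROP path in ieee80211_tx_prepare_skb() turns any caller that still frees the skb on a false return into a double free. The commit message names ath9k, mt76 and mac80211_hwsim as callers, but the diffstat for this backport touches only ath9k and mac80211_hwsim, and the bracketed note explains only the absence of mt76/scan.c; please confirm that no other caller in the 6.1 tree frees on failure.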
--
2.53.0
* [PATCH 6.1 116/969] net: dsa: clean up FDB, MDB, VLAN entries on unbind
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (114 preceding siblings ...)
2026-05-30 15:53 ` [PATCH 6.1 115/969] wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure Greg Kroah-Hartman
@ 2026-05-30 15:54 ` Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 117/969] arm64: dts: imx8mq-librem5: Set the DVS voltages lower Greg Kroah-Hartman
` (859 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Oltean, Jakub Kicinski,
Alva Lan, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Oltean <vladimir.oltean@nxp.com>
[ Upstream commit 7afb5fb42d4950f33af2732b8147c552659f79b7 ]
As explained in many places such as commit b117e1e8a86d ("net: dsa:
delete dsa_legacy_fdb_add and dsa_legacy_fdb_del"), DSA is written given
the assumption that higher layers have balanced additions/deletions.
As such, it only makes sense to be extremely vocal when those
assumptions are violated and the driver unbinds with entries still
present.
But Ido Schimmel points out a very simple situation where that is wrong:
https://lore.kernel.org/netdev/ZDazSM5UsPPjQuKr@shredder/
(also briefly discussed by me in the aforementioned commit).
Basically, while the bridge bypass operations are not something that DSA
explicitly documents, and for the majority of DSA drivers this API
simply causes them to go to promiscuous mode, that isn't the case for
all drivers. Some have the necessary requirements for bridge bypass
operations to do something useful - see dsa_switch_supports_uc_filtering().
Although in tools/testing/selftests/net/forwarding/local_termination.sh,
we made an effort to popularize better mechanisms to manage address
filters on DSA interfaces from user space - namely macvlan for unicast,
and setsockopt(IP_ADD_MEMBERSHIP) - through mtools - for multicast, the
fact is that 'bridge fdb add ... self static local' also exists as
kernel UAPI, and might be useful to someone, even if only for a quick
hack.
It seems counter-productive to block that path by implementing shim
.ndo_fdb_add and .ndo_fdb_del operations which just return -EOPNOTSUPP
in order to prevent the ndo_dflt_fdb_add() and ndo_dflt_fdb_del() from
running, although we could do that.
Accepting that cleanup is necessary seems to be the only option.
Especially since we appear to be coming back at this from a different
angle as well. Russell King is noticing that the WARN_ON() triggers even
for VLANs:
https://lore.kernel.org/netdev/Z_li8Bj8bD4-BYKQ@shell.armlinux.org.uk/
What happens in the bug report above is that dsa_port_do_vlan_del() fails,
then the VLAN entry lingers on, and then we warn on unbind and leak it.
This is not a straight revert of the blamed commit, but we now add an
informational print to the kernel log (to still have a way to see
that bugs exist), and some extra comments gathered from past years'
experience, to justify the logic.
Fixes: 0832cd9f1f02 ("net: dsa: warn if port lists aren't empty in dsa_port_teardown")
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Link: https://patch.msgid.link/20250414212930.2956310-1-vladimir.oltean@nxp.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ Apply the patch to net/dsa/dsa2.c in v6.1 since commit
47d2ce03dcfb ("net: dsa: rename dsa2.c back into dsa.c and create its header")
renamed this file to net/dsa/dsa.c starting from v6.2. ]
Signed-off-by: Alva Lan <alvalan9@foxmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/dsa/dsa2.c | 38 +++++++++++++++++++++++++++++++++++---
1 file changed, 35 insertions(+), 3 deletions(-)
--- a/net/dsa/dsa2.c
+++ b/net/dsa/dsa2.c
@@ -1738,12 +1738,44 @@ static int dsa_switch_parse(struct dsa_s
static void dsa_switch_release_ports(struct dsa_switch *ds)
{
+ struct dsa_mac_addr *a, *tmp;
struct dsa_port *dp, *next;
+ struct dsa_vlan *v, *n;
dsa_switch_for_each_port_safe(dp, next, ds) {
- WARN_ON(!list_empty(&dp->fdbs));
- WARN_ON(!list_empty(&dp->mdbs));
- WARN_ON(!list_empty(&dp->vlans));
+ /* These are either entries that upper layers lost track of
+ * (probably due to bugs), or installed through interfaces
+ * where one does not necessarily have to remove them, like
+ * ndo_dflt_fdb_add().
+ */
+ list_for_each_entry_safe(a, tmp, &dp->fdbs, list) {
+ dev_info(ds->dev,
+ "Cleaning up unicast address %pM vid %u from port %d\n",
+ a->addr, a->vid, dp->index);
+ list_del(&a->list);
+ kfree(a);
+ }
+
+ list_for_each_entry_safe(a, tmp, &dp->mdbs, list) {
+ dev_info(ds->dev,
+ "Cleaning up multicast address %pM vid %u from port %d\n",
+ a->addr, a->vid, dp->index);
+ list_del(&a->list);
+ kfree(a);
+ }
+
+ /* These are entries that upper layers have lost track of,
+ * probably due to bugs, but also due to dsa_port_do_vlan_del()
+ * having failed and the VLAN entry still lingering on.
+ */
+ list_for_each_entry_safe(v, n, &dp->vlans, list) {
+ dev_info(ds->dev,
+ "Cleaning up vid %u from port %d\n",
+ v->vid, dp->index);
+ list_del(&v->list);
+ kfree(v);
+ }
+
list_del(&dp->list);
kfree(dp);
}
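Review bot: each leftover FDB, MDB and VLAN entry in dsa_switch_release_ports() produces its own dev_info() line, so a port torn down with many entries can flood the log, and the message level no longer distinguishes entries installed through ndo_dflt_fdb_add() from entries leaked by a bug. Consider a rate-limited print or a per-port summary count, and note in the comment that only the software lists are freed here.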
* [PATCH 6.1 117/969] arm64: dts: imx8mq-librem5: Set the DVS voltages lower
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (115 preceding siblings ...)
2026-05-30 15:54 ` [PATCH 6.1 116/969] net: dsa: clean up FDB, MDB, VLAN entries on unbind Greg Kroah-Hartman
@ 2026-05-30 15:54 ` Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 118/969] arm64: dts: imx8mq-librem5: Bump BUCK1 suspend voltage to 0.81V Greg Kroah-Hartman
` (858 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Krzyszkowiak,
Martin Kepplinger, Shawn Guo, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
[ Upstream commit c24a9b698fb02cd0723fa8375abab07f94b97b10 ]
They're still in the operating range according to i.MX 8M Quad
datasheet. There's some headroom added over minimal values to
account for voltage drop.
Operational ranges (min - typ - max [selected]):
- VDD_SOC (BUCK1): 0.81 - 0.9 - 0.99 [0.88]
- VDD_ARM (BUCK2): 0.81 - 0.9 - 1.05 [0.84] (1000MHz)
0.90 - 1.0 - 1.05 [0.93] (1500MHz)
- VDD_GPU (BUCK3): 0.81 - 0.9 - 1.05 [0.85] (800MHz)
0.90 - 1.0 - 1.05 [ -- ] (1000MHz)
- VDD_VPU (BUCK4): 0.81 - 0.9 - 1.05 [ -- ] (550/500/588MHz)
0.90 - 1.0 - 1.05 [0.93] (660/600/800MHz)
Idle power consumption doesn't appear to be influenced much,
but a simple load test (`cat /dev/urandom | pigz - > /dev/null`
combined with running Animatch) seems to show about 0.3W of
difference.
Care is advised, as there may be differences between
units in how low they can be undervolted - in my experience,
reaching that point usually makes the phone fail to boot.
In my case, it appears that my Birch phone can go down the most.
This is a somewhat conservative set of values that I've seen
working well on all my devices; I haven't tried very hard to
optimize it, so more experiments are welcome.
Signed-off-by: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
Signed-off-by: Martin Kepplinger <martin.kepplinger@puri.sm>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Stable-dep-of: 511f76bf1dce ("arm64: dts: imx8mq-librem5: Bump BUCK1 suspend voltage up to 0.85V")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/freescale/imx8mq-librem5-r3.dts | 2 -
arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi | 22 ++++++++++++++------
2 files changed, 17 insertions(+), 7 deletions(-)
--- a/arch/arm64/boot/dts/freescale/imx8mq-librem5-r3.dts
+++ b/arch/arm64/boot/dts/freescale/imx8mq-librem5-r3.dts
@@ -7,7 +7,7 @@
&a53_opp_table {
opp-1000000000 {
- opp-microvolt = <1000000>;
+ opp-microvolt = <950000>;
};
};
--- a/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi
@@ -819,8 +819,8 @@
regulator-max-microvolt = <1300000>;
regulator-boot-on;
regulator-ramp-delay = <1250>;
- rohm,dvs-run-voltage = <900000>;
- rohm,dvs-idle-voltage = <850000>;
+ rohm,dvs-run-voltage = <880000>;
+ rohm,dvs-idle-voltage = <820000>;
rohm,dvs-suspend-voltage = <800000>;
regulator-always-on;
};
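Review bot: The context line `rohm,dvs-suspend-voltage = <800000>` in this node stays below the 0.81 minimum that the commit message lists for VDD_SOC (BUCK1), while run and idle are being moved toward that same limit. The new idle value of 820000 leaves only 10 mV above the minimum, which is thin for the voltage-drop headroom the message says was added. A short comment in the node recording the datasheet range would make the chosen margins reviewable.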
@@ -831,8 +831,8 @@
regulator-max-microvolt = <1300000>;
regulator-boot-on;
regulator-ramp-delay = <1250>;
- rohm,dvs-run-voltage = <1000000>;
- rohm,dvs-idle-voltage = <900000>;
+ rohm,dvs-run-voltage = <950000>;
+ rohm,dvs-idle-voltage = <850000>;
regulator-always-on;
};
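Review bot: Run 950000 and idle 850000 in this hunk, like the 850000/950000 OPP entries added at the end of the file, do not match the VDD_ARM selection in the commit message table, which gives [0.84] for 1000MHz and [0.93] for 1500MHz. Either the table or the properties should be corrected so that the documented selection and the device tree agree.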
@@ -841,14 +841,14 @@
regulator-min-microvolt = <700000>;
regulator-max-microvolt = <1300000>;
regulator-boot-on;
- rohm,dvs-run-voltage = <900000>;
+ rohm,dvs-run-voltage = <850000>;
};
buck4_reg: BUCK4 {
regulator-name = "buck4";
regulator-min-microvolt = <700000>;
regulator-max-microvolt = <1300000>;
- rohm,dvs-run-voltage = <1000000>;
+ rohm,dvs-run-voltage = <930000>;
};
buck5_reg: BUCK5 {
@@ -1379,3 +1379,13 @@
fsl,ext-reset-output;
status = "okay";
};
+
+&a53_opp_table {
+ opp-1000000000 {
+ opp-microvolt = <850000>;
+ };
+
+ opp-1500000000 {
+ opp-microvolt = <950000>;
+ };
+};
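Review bot: This new `&a53_opp_table` block sets opp-1000000000 to 850000, while the imx8mq-librem5-r3.dts hunk in the same patch sets that OPP to 950000. Nothing in either hunk says why r3 needs 100 mV more at the same frequency; add a comment at one of the two overrides so the difference is not taken for an oversight.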
* [PATCH 6.1 118/969] arm64: dts: imx8mq-librem5: Bump BUCK1 suspend voltage to 0.81V
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Krzyszkowiak,
Martin Kepplinger, Shawn Guo, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
[ Upstream commit 94b91e3ca6688fafd6a5dd70bd89fe9d3aee88da ]
0.8V is outside of the operating voltage specified for imx8mq, see
chapter 3.1.4 "Operating ranges" of the IMX8MDQLQCEC document.
Signed-off-by: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
Signed-off-by: Martin Kepplinger <martin.kepplinger@puri.sm>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Stable-dep-of: 511f76bf1dce ("arm64: dts: imx8mq-librem5: Bump BUCK1 suspend voltage up to 0.85V")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi
@@ -821,7 +821,7 @@
regulator-ramp-delay = <1250>;
rohm,dvs-run-voltage = <880000>;
rohm,dvs-idle-voltage = <820000>;
- rohm,dvs-suspend-voltage = <800000>;
+ rohm,dvs-suspend-voltage = <810000>;
regulator-always-on;
};
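Review bot: 810000 puts the suspend voltage exactly on the lower bound of the operating range the commit message cites, with no allowance for regulator tolerance or voltage drop. The idle value one line above is 820000, so consider giving suspend at least a comparable margin.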
* [PATCH 6.1 119/969] Revert "arm64: dts: imx8mq-librem5: Set the DVS voltages lower"
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Krzyszkowiak, Frank Li,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
[ Upstream commit 4cd46ea0eb4504f7f4fea92cb4601c5c9a3e545e ]
This reverts commit c24a9b698fb02cd0723fa8375abab07f94b97b10.
It's been found that there's a significant per-unit variance in accepted
supply voltages and the current set still makes some units unstable.
Revert back to nominal values.
Cc: stable@vger.kernel.org
Fixes: c24a9b698fb0 ("arm64: dts: imx8mq-librem5: Set the DVS voltages lower")
Signed-off-by: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Stable-dep-of: 511f76bf1dce ("arm64: dts: imx8mq-librem5: Bump BUCK1 suspend voltage up to 0.85V")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/freescale/imx8mq-librem5-r3.dts | 2 -
arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi | 22 +++++---------------
2 files changed, 7 insertions(+), 17 deletions(-)
--- a/arch/arm64/boot/dts/freescale/imx8mq-librem5-r3.dts
+++ b/arch/arm64/boot/dts/freescale/imx8mq-librem5-r3.dts
@@ -7,7 +7,7 @@
&a53_opp_table {
opp-1000000000 {
- opp-microvolt = <950000>;
+ opp-microvolt = <1000000>;
};
};
--- a/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi
@@ -819,8 +819,8 @@
regulator-max-microvolt = <1300000>;
regulator-boot-on;
regulator-ramp-delay = <1250>;
- rohm,dvs-run-voltage = <880000>;
- rohm,dvs-idle-voltage = <820000>;
+ rohm,dvs-run-voltage = <900000>;
+ rohm,dvs-idle-voltage = <850000>;
rohm,dvs-suspend-voltage = <810000>;
regulator-always-on;
};
@@ -831,8 +831,8 @@
regulator-max-microvolt = <1300000>;
regulator-boot-on;
regulator-ramp-delay = <1250>;
- rohm,dvs-run-voltage = <950000>;
- rohm,dvs-idle-voltage = <850000>;
+ rohm,dvs-run-voltage = <1000000>;
+ rohm,dvs-idle-voltage = <900000>;
regulator-always-on;
};
@@ -841,14 +841,14 @@
regulator-min-microvolt = <700000>;
regulator-max-microvolt = <1300000>;
regulator-boot-on;
- rohm,dvs-run-voltage = <850000>;
+ rohm,dvs-run-voltage = <900000>;
};
buck4_reg: BUCK4 {
regulator-name = "buck4";
regulator-min-microvolt = <700000>;
regulator-max-microvolt = <1300000>;
- rohm,dvs-run-voltage = <930000>;
+ rohm,dvs-run-voltage = <1000000>;
};
buck5_reg: BUCK5 {
@@ -1379,13 +1379,3 @@
fsl,ext-reset-output;
status = "okay";
};
-
-&a53_opp_table {
- opp-1000000000 {
- opp-microvolt = <850000>;
- };
-
- opp-1500000000 {
- opp-microvolt = <950000>;
- };
-};
* [PATCH 6.1 120/969] arm64: dts: imx8mq-librem5: Bump BUCK1 suspend voltage up to 0.85V
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Krzyszkowiak, Frank Li,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
[ Upstream commit 511f76bf1dce5acf8907b65a7d1bc8f7e7c0d637 ]
The minimal voltage of VDD_SOC sourced from BUCK1 is 0.81V, which
is the currently set value. However, BD71837 only guarantees accuracy
of ±0.01V, and this still doesn't factor other reasons for actual
voltage to slightly drop in, resulting in the possibility of running
out of the operational range.
Bump the voltage up to 0.85V, which should give enough headroom.
Cc: stable@vger.kernel.org
Fixes: 8f0216b006e5 ("arm64: dts: Add a device tree for the Librem 5 phone")
Signed-off-by: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi
@@ -821,7 +821,7 @@
regulator-ramp-delay = <1250>;
rohm,dvs-run-voltage = <900000>;
rohm,dvs-idle-voltage = <850000>;
- rohm,dvs-suspend-voltage = <810000>;
+ rohm,dvs-suspend-voltage = <850000>;
regulator-always-on;
};
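Review bot: After this change the suspend voltage equals `rohm,dvs-idle-voltage = <850000>` on the line above, so suspend no longer saves anything over idle on this rail. That is a reasonable trade for staying inside the operating range, but the reason (the ±0.01V BD71837 accuracy given in the commit message) belongs in a comment next to the property, otherwise a later power-tuning patch is likely to lower it again.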
* [PATCH 6.1 121/969] ocfs2: add inline inode consistency check to ocfs2_validate_inode_block()
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Antipov,
syzbot+c16daba279a1161acfb0, Joseph Qi, Joseph Qi, Mark Fasheh,
Joel Becker, Junxiao Bi, Changwei Ge, Jun Piao, Heming Zhao,
Andrew Morton, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Antipov <dmantipov@yandex.ru>
[ Upstream commit a2b1c419ff72ec62ff5831684e30cd1d4f0b09ee ]
In 'ocfs2_validate_inode_block()', add an extra check whether an inode
with inline data (i.e. self-contained) has no clusters, thus preventing
an invalid inode from being passed to 'ocfs2_evict_inode()' and below.
Link: https://lkml.kernel.org/r/20251023141650.417129-1-dmantipov@yandex.ru
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Reported-by: syzbot+c16daba279a1161acfb0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c16daba279a1161acfb0
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Joseph Qi <jiangqi903@gmail.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Cc: Heming Zhao <heming.zhao@suse.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: 7bc5da4842be ("ocfs2: fix out-of-bounds write in ocfs2_write_end_inline")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ocfs2/inode.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/fs/ocfs2/inode.c
+++ b/fs/ocfs2/inode.c
@@ -1419,6 +1419,14 @@ int ocfs2_validate_inode_block(struct su
goto bail;
}
+ if ((le16_to_cpu(di->i_dyn_features) & OCFS2_INLINE_DATA_FL) &&
+ le32_to_cpu(di->i_clusters)) {
+ rc = ocfs2_error(sb, "Invalid dinode %llu: %u clusters\n",
+ (unsigned long long)bh->b_blocknr,
+ le32_to_cpu(di->i_clusters));
+ goto bail;
+ }
+
rc = 0;
bail:
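Review bot: The error text `Invalid dinode %llu: %u clusters` does not say why a non-zero cluster count is invalid. Name the inline-data condition in the message, for example "inline data inode has %u clusters", so a corruption report can be understood without reading the source. le32_to_cpu(di->i_clusters) is also evaluated twice and could be held in a local.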
* [PATCH 6.1 122/969] ocfs2: validate inline data i_size during inode read
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Deepanshu Kartikey,
syzbot+c897823f699449cc3eb4, Joseph Qi, Mark Fasheh, Joel Becker,
Junxiao Bi, Changwei Ge, Jun Piao, Heming Zhao, Andrew Morton,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Deepanshu Kartikey <kartikey406@gmail.com>
[ Upstream commit 1524af3685b35feac76662cc551cbc37bd14775f ]
When reading an inode from disk, ocfs2_validate_inode_block() performs
various sanity checks but does not validate the size of inline data. If
the filesystem is corrupted, an inode's i_size can exceed the actual
inline data capacity (id_count).
This causes ocfs2_dir_foreach_blk_id() to iterate beyond the inline data
buffer, triggering a use-after-free when accessing directory entries from
freed memory.
In the syzbot report:
- i_size was 1099511627576 bytes (~1TB)
- Actual inline data capacity (id_count) is typically <256 bytes
- A garbage rec_len (54648) caused ctx->pos to jump out of bounds
- This triggered a UAF in ocfs2_check_dir_entry()
Fix by adding a validation check in ocfs2_validate_inode_block() to ensure
inodes with inline data have i_size <= id_count. This catches the
corruption early during inode read and prevents all downstream code from
operating on invalid data.
Link: https://lkml.kernel.org/r/20251212052132.16750-1-kartikey406@gmail.com
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Reported-by: syzbot+c897823f699449cc3eb4@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c897823f699449cc3eb4
Tested-by: syzbot+c897823f699449cc3eb4@syzkaller.appspotmail.com
Link: https://lore.kernel.org/all/20251211115231.3560028-1-kartikey406@gmail.com/T/ [v1]
Link: https://lore.kernel.org/all/20251212040400.6377-1-kartikey406@gmail.com/T/ [v2]
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Cc: Heming Zhao <heming.zhao@suse.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: 7bc5da4842be ("ocfs2: fix out-of-bounds write in ocfs2_write_end_inline")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ocfs2/inode.c | 25 +++++++++++++++++++------
1 file changed, 19 insertions(+), 6 deletions(-)
--- a/fs/ocfs2/inode.c
+++ b/fs/ocfs2/inode.c
@@ -1419,12 +1419,25 @@ int ocfs2_validate_inode_block(struct su
goto bail;
}
- if ((le16_to_cpu(di->i_dyn_features) & OCFS2_INLINE_DATA_FL) &&
- le32_to_cpu(di->i_clusters)) {
- rc = ocfs2_error(sb, "Invalid dinode %llu: %u clusters\n",
- (unsigned long long)bh->b_blocknr,
- le32_to_cpu(di->i_clusters));
- goto bail;
+ if (le16_to_cpu(di->i_dyn_features) & OCFS2_INLINE_DATA_FL) {
+ struct ocfs2_inline_data *data = &di->id2.i_data;
+
+ if (le32_to_cpu(di->i_clusters)) {
+ rc = ocfs2_error(sb,
+ "Invalid dinode %llu: %u clusters\n",
+ (unsigned long long)bh->b_blocknr,
+ le32_to_cpu(di->i_clusters));
+ goto bail;
+ }
+
+ if (le64_to_cpu(di->i_size) > le16_to_cpu(data->id_count)) {
+ rc = ocfs2_error(sb,
+ "Invalid dinode #%llu: inline data i_size %llu exceeds id_count %u\n",
+ (unsigned long long)bh->b_blocknr,
+ (unsigned long long)le64_to_cpu(di->i_size),
+ le16_to_cpu(data->id_count));
+ goto bail;
+ }
}
rc = 0;
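Review bot: The new `i_size > id_count` test compares one on-disk field with another, and nothing in this hunk bounds `data->id_count` itself. On a corrupted image id_count can hold any 16-bit value, in which case an oversized i_size still passes; id_count should first be checked against the inline area that physically fits in the inode block. Minor: the new message prints `#%llu` while the cluster message kept above it prints `%llu`.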
* [PATCH 6.1 123/969] ocfs2: fix out-of-bounds write in ocfs2_write_end_inline
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joseph Qi,
syzbot+62c1793956716ea8b28a, Mark Fasheh, Joel Becker, Junxiao Bi,
Changwei Ge, Jun Piao, Heming Zhao, Andrew Morton, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joseph Qi <joseph.qi@linux.alibaba.com>
[ Upstream commit 7bc5da4842bed3252d26e742213741a4d0ac1b14 ]
KASAN reports a use-after-free write of 4086 bytes in
ocfs2_write_end_inline, called from ocfs2_write_end_nolock during a
copy_file_range splice fallback on a corrupted ocfs2 filesystem mounted on
a loop device. The actual bug is an out-of-bounds write past the inode
block buffer, not a true use-after-free. The write overflows into an
adjacent freed page, which KASAN reports as UAF.
The root cause is that ocfs2_try_to_write_inline_data trusts the on-disk
id_count field to determine whether a write fits in inline data. On a
corrupted filesystem, id_count can exceed the physical maximum inline data
capacity, causing writes to overflow the inode block buffer.
Call trace (crash path):
vfs_copy_file_range (fs/read_write.c:1634)
do_splice_direct
splice_direct_to_actor
iter_file_splice_write
ocfs2_file_write_iter
generic_perform_write
ocfs2_write_end
ocfs2_write_end_nolock (fs/ocfs2/aops.c:1949)
ocfs2_write_end_inline (fs/ocfs2/aops.c:1915)
memcpy_from_folio <-- KASAN: write OOB
So add an id_count upper bound check in ocfs2_validate_inode_block()
alongside the existing i_size check to fix it.
Link: https://lkml.kernel.org/r/20260403063830.3662739-1-joseph.qi@linux.alibaba.com
Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Reported-by: syzbot+62c1793956716ea8b28a@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=62c1793956716ea8b28a
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Cc: Heming Zhao <heming.zhao@suse.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ocfs2/inode.c | 10 ++++++++++
1 file changed, 10 insertions(+)
--- a/fs/ocfs2/inode.c
+++ b/fs/ocfs2/inode.c
@@ -1430,6 +1430,16 @@ int ocfs2_validate_inode_block(struct su
goto bail;
}
+ if (le16_to_cpu(data->id_count) >
+ ocfs2_max_inline_data_with_xattr(sb, di)) {
+ rc = ocfs2_error(sb,
+ "Invalid dinode #%llu: inline data id_count %u exceeds max %d\n",
+ (unsigned long long)bh->b_blocknr,
+ le16_to_cpu(data->id_count),
+ ocfs2_max_inline_data_with_xattr(sb, di));
+ goto bail;
+ }
+
if (le64_to_cpu(di->i_size) > le16_to_cpu(data->id_count)) {
rc = ocfs2_error(sb,
"Invalid dinode #%llu: inline data i_size %llu exceeds id_count %u\n",
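Review bot: The limit comes from `ocfs2_max_inline_data_with_xattr(sb, di)`, which takes the dinode under validation as input, so the bound is only as trustworthy as the fields of di that the helper reads. Please confirm those fields are validated before this point in ocfs2_validate_inode_block(), or say so in a comment. The helper is also called twice; store the result in a local and print that.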
* [PATCH 6.1 124/969] rxrpc: Fix key quota calculation for multitoken keys
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Howells, Marc Dionne,
Jeffrey Altman, Simon Horman, linux-afs, stable, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Howells <dhowells@redhat.com>
[ Upstream commit bdbfead6d38979475df0c2f4bad2b19394fe9bdc ]
In the rxrpc key preparsing, every token extracted sets the proposed quota
value, but for multitoken keys, this will overwrite the previous proposed
quota, losing it.
Fix this by adding to the proposed quota instead.
Fixes: 8a7a3eb4ddbe ("KEYS: RxRPC: Use key preparsing")
Closes: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40redhat.com
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://patch.msgid.link/20260408121252.2249051-2-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ dropped hunk for rxrpc_preparse_xdr_yfs_rxgk() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/rxrpc/key.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/net/rxrpc/key.c
+++ b/net/rxrpc/key.c
@@ -72,7 +72,7 @@ static int rxrpc_preparse_xdr_rxkad(stru
return -EKEYREJECTED;
plen = sizeof(*token) + sizeof(*token->kad) + tktlen;
- prep->quotalen = datalen + plen;
+ prep->quotalen += datalen + plen;
plen -= sizeof(*token);
token = kzalloc(sizeof(*token), GFP_KERNEL);
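Review bot: With `prep->quotalen += datalen + plen`, datalen is now added once per token in rxrpc_preparse_xdr_rxkad(). If datalen is the length of the whole key payload rather than of this token, a key with N tokens is charged N times for the same data; please confirm which it is and, if needed, add only the per-token part here. An accumulating sum also needs a stated upper bound so the total stays within the type of quotalen.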
@@ -303,6 +303,7 @@ static int rxrpc_preparse(struct key_pre
memcpy(&kver, prep->data, sizeof(kver));
prep->data += sizeof(kver);
prep->datalen -= sizeof(kver);
+ prep->quotalen = 0;
_debug("KEY I/F VERSION: %u", kver);
@@ -340,7 +341,7 @@ static int rxrpc_preparse(struct key_pre
goto error;
plen = sizeof(*token->kad) + v1->ticket_length;
- prep->quotalen = plen + sizeof(*token);
+ prep->quotalen += plen + sizeof(*token);
ret = -ENOMEM;
token = kzalloc(sizeof(*token), GFP_KERNEL);
* [PATCH 6.1 125/969] rxrpc: Fix call removal to use RCU safe deletion
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Howells, Marc Dionne,
Jeffrey Altman, Linus Torvalds, Simon Horman, linux-afs, stable,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Howells <dhowells@redhat.com>
[ Upstream commit 146d4ab94cf129ee06cd467cb5c71368a6b5bad6 ]
Fix rxrpc call removal from the rxnet->calls list to use list_del_rcu()
rather than list_del_init() to prevent stuffing up reading
/proc/net/rxrpc/calls from potentially getting into an infinite loop.
This, however, means that list_empty() no longer works on an entry that's
been deleted from the list, making it harder to detect prior deletion. Fix
this by:
Firstly, make rxrpc_destroy_all_calls() only dump the first ten calls that
are unexpectedly still on the list. Limiting the number of steps means
there's no need to call cond_resched() or to remove calls from the list
here, thereby eliminating the need for rxrpc_put_call() to check for that.
rxrpc_put_call() can then be fixed to unconditionally delete the call from
the list as it is the only place that the deletion occurs.
Fixes: 2baec2c3f854 ("rxrpc: Support network namespacing")
Closes: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40redhat.com
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Linus Torvalds <torvalds@linux-foundation.org>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://patch.msgid.link/20260408121252.2249051-5-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ adapted to older API ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/rxrpc/call_object.c | 22 ++++++++--------------
1 file changed, 8 insertions(+), 14 deletions(-)
--- a/net/rxrpc/call_object.c
+++ b/net/rxrpc/call_object.c
@@ -634,11 +634,9 @@ void rxrpc_put_call(struct rxrpc_call *c
_debug("call %d dead", call->debug_id);
ASSERTCMP(call->state, ==, RXRPC_CALL_COMPLETE);
- if (!list_empty(&call->link)) {
- spin_lock_bh(&rxnet->call_lock);
- list_del_init(&call->link);
- spin_unlock_bh(&rxnet->call_lock);
- }
+ spin_lock_bh(&rxnet->call_lock);
+ list_del_rcu(&call->link);
+ spin_unlock_bh(&rxnet->call_lock);
rxrpc_cleanup_call(call);
}
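Review bot: `list_del_rcu(&call->link)` is followed directly by `rxrpc_cleanup_call(call)`, and a reader walking rxnet->calls under RCU can still hold this entry at that moment. The hunk does not show how the call memory is released, so please confirm the free is deferred past a grace period. Dropping the `list_empty()` guard also assumes every call that reaches this point was added to the list; a comment stating that invariant would help.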
@@ -709,24 +707,20 @@ void rxrpc_destroy_all_calls(struct rxrp
_enter("");
if (!list_empty(&rxnet->calls)) {
- spin_lock_bh(&rxnet->call_lock);
+ int shown = 0;
- while (!list_empty(&rxnet->calls)) {
- call = list_entry(rxnet->calls.next,
- struct rxrpc_call, link);
- _debug("Zapping call %p", call);
+ spin_lock_bh(&rxnet->call_lock);
+ list_for_each_entry(call, &rxnet->calls, link) {
rxrpc_see_call(call);
- list_del_init(&call->link);
pr_err("Call %p still in use (%d,%s,%lx,%lx)!\n",
call, refcount_read(&call->ref),
rxrpc_call_states[call->state],
call->flags, call->events);
- spin_unlock_bh(&rxnet->call_lock);
- cond_resched();
- spin_lock_bh(&rxnet->call_lock);
+ if (++shown >= 10)
+ break;
}
spin_unlock_bh(&rxnet->call_lock);
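Review bot: The loop stops at the literal 10 without logging that output was cut off, so a report with ten lines cannot be told apart from one with exactly ten leaked calls. Print a trailing line when the limit is hit and give the limit a name. Entries are now left on rxnet->calls when this function returns; a comment should say that this is intentional.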
* [PATCH 6.1 126/969] Revert "wifi: cfg80211: stop NAN and P2P in cfg80211_leave"
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Guocai He
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guocai He <guocai.he.cn@windriver.com>
This reverts commit 0c4f1c02d27a880b10b58c63f574f13bed4f711d which is commit
e1696c8bd0056bc1a5f7766f58ac333adc203e8a upstream.
The reverted patch introduced a deadlock. The locking situation in mainline is
totally different, so it is incorrect to directly backport the commit from mainline.
Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/wireless/core.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -1328,10 +1328,8 @@ void __cfg80211_leave(struct cfg80211_re
__cfg80211_leave_ocb(rdev, dev);
break;
case NL80211_IFTYPE_P2P_DEVICE:
- cfg80211_stop_p2p_device(rdev, wdev);
- break;
case NL80211_IFTYPE_NAN:
- cfg80211_stop_nan(rdev, wdev);
+ /* cannot happen, has no netdev */
break;
case NL80211_IFTYPE_AP_VLAN:
case NL80211_IFTYPE_MONITOR:
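Review bot: The restored comment `/* cannot happen, has no netdev */` documents an assumption that nothing enforces, since NL80211_IFTYPE_P2P_DEVICE and NL80211_IFTYPE_NAN now both fall through to a silent `break`. If the case truly cannot be reached, a WARN_ON_ONCE() there would make a violation visible instead of skipping the stop calls unnoticed.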
* [PATCH 6.1 127/969] rxrpc: reject undecryptable rxkad response tickets
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yifan Wu, Juefei Pu, Yuan Tan,
Xin Liu, Ren Wei, Yuqi Xu, Ren Wei, David Howells, Marc Dionne,
Simon Horman, linux-afs, stable, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuqi Xu <xuyuqiabc@gmail.com>
[ Upstream commit fe4447cd95623b1cfacc15f280aab73a6d7340b2 ]
rxkad_decrypt_ticket() decrypts the RXKAD response ticket and then
parses the buffer as plaintext without checking whether
crypto_skcipher_decrypt() succeeded.
A malformed RESPONSE can therefore use a non-block-aligned ticket
length, make the decrypt operation fail, and still drive the ticket
parser with attacker-controlled bytes.
Check the decrypt result and abort the connection with RXKADBADTICKET
when ticket decryption fails.
Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Tested-by: Ren Wei <enjou1224z@gmail.com>
Signed-off-by: Yuqi Xu <xuyuqiabc@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://patch.msgid.link/20260408121252.2249051-12-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ adapted `rxrpc_abort_conn()` call to existing `goto other_error` error-handling pattern ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/rxrpc/rxkad.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/net/rxrpc/rxkad.c
+++ b/net/rxrpc/rxkad.c
@@ -1013,8 +1013,13 @@ static int rxkad_decrypt_ticket(struct r
sg_init_one(&sg[0], ticket, ticket_len);
skcipher_request_set_callback(req, 0, NULL, NULL);
skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x);
- crypto_skcipher_decrypt(req);
+ ret = crypto_skcipher_decrypt(req);
skcipher_request_free(req);
+ if (ret < 0) {
+ abort_code = RXKADBADTICKET;
+ ret = -EPROTO;
+ goto other_error;
+ }
p = ticket;
end = p + ticket_len;
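Review bot: The decrypt result is now checked, but `ticket_len` still reaches `skcipher_request_set_crypt()` unvalidated, and the commit message names a non-block-aligned ticket length as the trigger. Rejecting a ticket_len that is not a multiple of the cipher block size before building the request would make the rejection explicit rather than dependent on the cipher returning an error. The check itself should stay, since it also covers other decrypt failures.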
* [PATCH 6.1 128/969] KVM: x86: Use __DECLARE_FLEX_ARRAY() for UAPI structures with VLAs
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Woodhouse, Sean Christopherson,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Woodhouse <dwmw@amazon.co.uk>
[ Upstream commit 2619da73bb2f10d88f7e1087125c40144fdf0987 ]
Commit 94dfc73e7cf4 ("treewide: uapi: Replace zero-length arrays with
flexible-array members") broke the userspace API for C++.
These structures ending in VLAs are typically a *header*, which can be
followed by an arbitrary number of entries. Userspace typically creates
a larger structure with some non-zero number of entries, for example in
QEMU's kvm_arch_get_supported_msr_feature():
    struct {
            struct kvm_msrs info;
            struct kvm_msr_entry entries[1];
    } msr_data = {};
While that works in C, it fails in C++ with an error like:
    flexible array member 'kvm_msrs::entries' not at end of 'struct msr_data'
Fix this by using __DECLARE_FLEX_ARRAY() for the VLA, which uses [0]
for C++ compilation.
Fixes: 94dfc73e7cf4 ("treewide: uapi: Replace zero-length arrays with flexible-array members")
Cc: stable@vger.kernel.org
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Link: https://patch.msgid.link/3abaf6aefd6e5efeff3b860ac38421d9dec908db.camel@infradead.org
[sean: tag for stable@]
Signed-off-by: Sean Christopherson <seanjc@google.com>
[ applied `__DECLARE_FLEX_ARRAY(char, name)` change directly instead of inside missing `#ifdef __KERNEL__` else branch ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/include/uapi/asm/kvm.h | 12 ++++++------
include/uapi/linux/kvm.h | 11 ++++++-----
2 files changed, 12 insertions(+), 11 deletions(-)
--- a/arch/x86/include/uapi/asm/kvm.h
+++ b/arch/x86/include/uapi/asm/kvm.h
@@ -198,13 +198,13 @@ struct kvm_msrs {
__u32 nmsrs; /* number of msrs in entries */
__u32 pad;
- struct kvm_msr_entry entries[];
+ __DECLARE_FLEX_ARRAY(struct kvm_msr_entry, entries);
};
/* for KVM_GET_MSR_INDEX_LIST */
struct kvm_msr_list {
__u32 nmsrs; /* number of msrs in entries */
- __u32 indices[];
+ __DECLARE_FLEX_ARRAY(__u32, indices);
};
/* Maximum size of any access bitmap in bytes */
@@ -241,7 +241,7 @@ struct kvm_cpuid_entry {
struct kvm_cpuid {
__u32 nent;
__u32 padding;
- struct kvm_cpuid_entry entries[];
+ __DECLARE_FLEX_ARRAY(struct kvm_cpuid_entry, entries);
};
struct kvm_cpuid_entry2 {
@@ -263,7 +263,7 @@ struct kvm_cpuid_entry2 {
struct kvm_cpuid2 {
__u32 nent;
__u32 padding;
- struct kvm_cpuid_entry2 entries[];
+ __DECLARE_FLEX_ARRAY(struct kvm_cpuid_entry2, entries);
};
/* for KVM_GET_PIT and KVM_SET_PIT */
@@ -394,7 +394,7 @@ struct kvm_xsave {
* the contents of CPUID leaf 0xD on the host.
*/
__u32 region[1024];
- __u32 extra[];
+ __DECLARE_FLEX_ARRAY(__u32, extra);
};
#define KVM_MAX_XCRS 16
@@ -522,7 +522,7 @@ struct kvm_pmu_event_filter {
__u32 fixed_counter_bitmap;
__u32 flags;
__u32 pad[4];
- __u64 events[];
+ __DECLARE_FLEX_ARRAY(__u64, events);
};
#define KVM_PMU_EVENT_ALLOW 0
--- a/include/uapi/linux/kvm.h
+++ b/include/uapi/linux/kvm.h
@@ -11,6 +11,7 @@
#include <linux/const.h>
#include <linux/types.h>
#include <linux/compiler.h>
+#include <linux/stddef.h>
#include <linux/ioctl.h>
#include <asm/kvm.h>
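Review bot: the added `#include <linux/stddef.h>` is placed above `#include <asm/kvm.h>`, and none of the arch/x86/include/uapi/asm/kvm.h hunks adds the include itself, so that header only sees __DECLARE_FLEX_ARRAY() when something earlier in the include chain provides it. Confirm the 6.1 asm/kvm.h already includes <linux/stddef.h>, or add it there, so a program that includes <asm/kvm.h> directly still compiles.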
@@ -556,7 +557,7 @@ struct kvm_coalesced_mmio {
struct kvm_coalesced_mmio_ring {
__u32 first, last;
- struct kvm_coalesced_mmio coalesced_mmio[];
+ __DECLARE_FLEX_ARRAY(struct kvm_coalesced_mmio, coalesced_mmio);
};
#define KVM_COALESCED_MMIO_MAX \
@@ -635,7 +636,7 @@ struct kvm_clear_dirty_log {
/* for KVM_SET_SIGNAL_MASK */
struct kvm_signal_mask {
__u32 len;
- __u8 sigset[];
+ __DECLARE_FLEX_ARRAY(__u8, sigset);
};
/* for KVM_TPR_ACCESS_REPORTING */
@@ -1242,7 +1243,7 @@ struct kvm_irq_routing_entry {
struct kvm_irq_routing {
__u32 nr;
__u32 flags;
- struct kvm_irq_routing_entry entries[];
+ __DECLARE_FLEX_ARRAY(struct kvm_irq_routing_entry, entries);
};
#endif
@@ -1362,7 +1363,7 @@ struct kvm_dirty_tlb {
struct kvm_reg_list {
__u64 n; /* number of regs */
- __u64 reg[];
+ __DECLARE_FLEX_ARRAY(__u64, reg);
};
struct kvm_one_reg {
@@ -2183,7 +2184,7 @@ struct kvm_stats_desc {
__u16 size;
__u32 offset;
__u32 bucket_size;
- char name[];
+ __DECLARE_FLEX_ARRAY(char, name);
};
#define KVM_GET_STATS_FD _IO(KVMIO, 0xce)
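Review bot: for `char name[]` in struct kvm_stats_desc the backport note says the macro was applied directly because the `#ifdef __KERNEL__` split does not exist in 6.1, which means the in-kernel build now sees the macro form as well as userspace. Size and member offsets should be unchanged, but a build of the KVM stats code with this header is worth confirming, in particular any kernel structure that embeds struct kvm_stats_desc and places a name buffer after it.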
* [PATCH 6.1 129/969] ublk: fix deadlock when reading partition table
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ming Lei, Caleb Sander Mateos,
Jens Axboe, Ruohan Lan
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Lei <ming.lei@redhat.com>
[ Upstream commit c258f5c4502c9667bccf5d76fa731ab9c96687c1 ]
When one process (such as udev) opens ublk block device (e.g., to read
the partition table via bdev_open()), a deadlock[1] can occur:
1. bdev_open() grabs disk->open_mutex
2. The process issues read I/O to ublk backend to read partition table
3. In __ublk_complete_rq(), blk_update_request() or blk_mq_end_request()
runs bio->bi_end_io() callbacks
4. If this triggers fput() on file descriptor of ublk block device, the
work may be deferred to current task's task work (see fput() implementation)
5. This eventually calls blkdev_release() from the same context
6. blkdev_release() tries to grab disk->open_mutex again
7. Deadlock: same task waiting for a mutex it already holds
The fix is to run blk_update_request() and blk_mq_end_request() with bottom
halves disabled. This forces blkdev_release() to run in kernel work-queue
context instead of current task work context, and allows ublk server to make
forward progress, and avoids the deadlock.
Fixes: 71f28f3136af ("ublk_drv: add io_uring based userspace block driver")
Link: https://github.com/ublk-org/ublksrv/issues/170 [1]
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Reviewed-by: Caleb Sander Mateos <csander@purestorage.com>
[axboe: rewrite comment in ublk]
Signed-off-by: Jens Axboe <axboe@kernel.dk>
[ The fix omits the change in __ublk_do_auto_buf_reg() since this function
doesn't exist in 6.1. ]
Signed-off-by: Ruohan Lan <ruohanlan@aliyun.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/ublk_drv.c | 28 ++++++++++++++++++++++++++--
1 file changed, 26 insertions(+), 2 deletions(-)
--- a/drivers/block/ublk_drv.c
+++ b/drivers/block/ublk_drv.c
@@ -603,12 +603,20 @@ static inline bool ubq_daemon_is_dying(s
return ubq->ubq_daemon->flags & PF_EXITING;
}
+static void ublk_end_request(struct request *req, blk_status_t error)
+{
+ local_bh_disable();
+ blk_mq_end_request(req, error);
+ local_bh_enable();
+}
+
/* todo: handle partial completion */
static void ublk_complete_rq(struct request *req)
{
struct ublk_queue *ubq = req->mq_hctx->driver_data;
struct ublk_io *io = &ubq->ios[req->tag];
unsigned int unmapped_bytes;
+ bool requeue;
/* failed read IO if nothing is read */
if (!io->res && req_op(req) == REQ_OP_READ)
@@ -641,7 +649,23 @@ static void ublk_complete_rq(struct requ
if (unlikely(unmapped_bytes < io->res))
io->res = unmapped_bytes;
- if (blk_update_request(req, BLK_STS_OK, io->res))
+ /*
+ * Run bio->bi_end_io() with softirqs disabled. If the final fput
+ * happens off this path, then that will prevent ublk's blkdev_release()
+ * from being called on current's task work, see fput() implementation.
+ *
+ * Otherwise, ublk server may not provide forward progress in case of
+ * reading the partition table from bdev_open() with disk->open_mutex
+ * held, and causes dead lock as we could already be holding
+ * disk->open_mutex here.
+ *
+ * Preferably we would not be doing IO with a mutex held that is also
+ * used for release, but this work-around will suffice for now.
+ */
+ local_bh_disable();
+ requeue = blk_update_request(req, BLK_STS_OK, io->res);
+ local_bh_enable();
+ if (requeue)
blk_mq_requeue_request(req, true);
else
__blk_mq_end_request(req, BLK_STS_OK);
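Review bot: local_bh_enable() right after blk_update_request() must not run with hard interrupts disabled, and it may process pending softirqs on the spot, so the commit should state which contexts ublk_complete_rq() is reached from in 6.1. The bracket covers only blk_update_request(); if the `__blk_mq_end_request(req, BLK_STS_OK)` call in the else branch is left outside deliberately because the bio callbacks have already run by then, say so in the comment.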
@@ -694,7 +718,7 @@ static inline void __ublk_abort_rq(struc
if (ublk_queue_can_use_recovery(ubq))
blk_mq_requeue_request(rq, false);
else
- blk_mq_end_request(rq, BLK_STS_IOERR);
+ ublk_end_request(rq, BLK_STS_IOERR);
mod_delayed_work(system_wq, &ubq->dev->monitor_work, 0);
}
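Review bot: __ublk_abort_rq() is the only blk_mq_end_request() caller converted to ublk_end_request() (the diffstat shows two deleted lines, this one and the blk_update_request() test), and the backport note explains only the missing __ublk_do_auto_buf_reg(). Check that the 6.1 ublk_drv.c has no other direct blk_mq_end_request() call that can run bio completion while disk->open_mutex is held; if there is one it needs the same wrapper.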
* [PATCH 6.1 130/969] scripts: generate_rust_analyzer.py: define scripts
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Almeida, Fiona Behrens,
Trevor Gross, Tamir Duberstein, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tamir Duberstein <tamird@kernel.org>
[ Upstream commit 36c619f6bd793493294becb10a02fea370b67a91 ]
Add IDE support for host-side scripts written in Rust. This support has
been missing since these scripts were initially added in commit
9a8ff24ce584 ("scripts: add `generate_rust_target.rs`"), thus add it.
Change the existing instance of extension stripping to
`pathlib.Path.stem` to maintain code consistency.
Fixes: 9a8ff24ce584 ("scripts: add `generate_rust_target.rs`")
Cc: stable@vger.kernel.org
Reviewed-by: Daniel Almeida <daniel.almeida@collabora.com>
Reviewed-by: Fiona Behrens <me@kloenk.dev>
Reviewed-by: Trevor Gross <tmgross@umich.edu>
Link: https://patch.msgid.link/20260122-rust-analyzer-scripts-v1-1-ff6ba278170e@kernel.org
Signed-off-by: Tamir Duberstein <tamird@kernel.org>
[ changed `[std]` dep to `["std"]` and kept untyped `is_root_crate()` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
scripts/generate_rust_analyzer.py | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
--- a/scripts/generate_rust_analyzer.py
+++ b/scripts/generate_rust_analyzer.py
@@ -113,6 +113,18 @@ def generate_crates(srctree, objtree, sy
"exclude_dirs": [],
}
+ scripts = srctree / "scripts"
+ makefile = (scripts / "Makefile").read_text()
+ for path in scripts.glob("*.rs"):
+ name = path.stem
+ if f"{name}-rust" not in makefile:
+ continue
+ append_crate(
+ name,
+ path,
+ ["std"],
+ )
+
def is_root_crate(build_file, target):
try:
contents = build_file.read_text()
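Review bot: `if f"{name}-rust" not in makefile` is a plain substring test against the whole text of scripts/Makefile, so it also matches inside comments and inside longer target names that end in the same stem; matching on a word boundary would be stricter. The unguarded `(scripts / "Makefile").read_text()` will also raise if the file is missing, while is_root_crate() just below wraps its read in `try`; handle both reads the same way.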
@@ -129,7 +141,7 @@ def generate_crates(srctree, objtree, sy
for folder in extra_dirs:
for path in folder.rglob("*.rs"):
logging.info("Checking %s", path)
- name = path.name.replace(".rs", "")
+ name = path.stem
# Skip those that are not crate roots.
if not is_root_crate(path.parent / "Makefile", name) and \
* [PATCH 6.1 131/969] PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in epf_ntb_epc_cleanup
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Koichiro Den, Manivannan Sadhasivam,
Frank Li, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Koichiro Den <den@valinux.co.jp>
[ Upstream commit d799984233a50abd2667a7d17a9a710a3f10ebe2 ]
Disable the delayed work before clearing BAR mappings and doorbells to
avoid running the handler after resources have been torn down.
Unable to handle kernel paging request at virtual address ffff800083f46004
[...]
Internal error: Oops: 0000000096000007 [#1] SMP
[...]
Call trace:
epf_ntb_cmd_handler+0x54/0x200 [pci_epf_vntb] (P)
process_one_work+0x154/0x3b0
worker_thread+0x2c8/0x400
kthread+0x148/0x210
ret_from_fork+0x10/0x20
Fixes: e35f56bb0330 ("PCI: endpoint: Support NTB transfer between RC and EP")
Signed-off-by: Koichiro Den <den@valinux.co.jp>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260226084142.2226875-4-den@valinux.co.jp
[ replaced disable_delayed_work_sync() with cancel_delayed_work_sync() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/endpoint/functions/pci-epf-vntb.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/pci/endpoint/functions/pci-epf-vntb.c
+++ b/drivers/pci/endpoint/functions/pci-epf-vntb.c
@@ -801,6 +801,7 @@ err_config_interrupt:
*/
static void epf_ntb_epc_cleanup(struct epf_ntb *ntb)
{
+ cancel_delayed_work_sync(&ntb->cmd_handler);
epf_ntb_mw_bar_clear(ntb, ntb->num_mws);
epf_ntb_db_bar_clear(ntb);
epf_ntb_config_sspad_bar_clear(ntb);
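Review bot: cancel_delayed_work_sync(&ntb->cmd_handler) waits for a running handler and removes a pending one, but unlike the disable_delayed_work_sync() named in the backport note it does not stop the work from being queued again afterwards. Confirm that nothing can queue ntb->cmd_handler once epf_ntb_epc_cleanup() has started, otherwise the handler can still run after the BARs are cleared, which is the fault in the quoted oops.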
* [PATCH 6.1 132/969] soc: qcom: apr: make remove callback of apr driver void returned
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dawei Li, Bjorn Andersson,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dawei Li <set_pte_at@outlook.com>
[ Upstream commit 33ae3d0955943ac5bacfcb6911cf7cb74822bf8c ]
Since commit fc7a6209d571 ("bus: Make remove callback return void")
forces bus_type::remove be void-returned, it doesn't make much sense
for any bus based driver implementing remove callback to return
non-void to its caller.
As such, change the remove function for apr bus based drivers to
return void.
Signed-off-by: Dawei Li <set_pte_at@outlook.com>
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Link: https://lore.kernel.org/r/TYCP286MB23232B7968D34DB8323B0F16CAFB9@TYCP286MB2323.JPNP286.PROD.OUTLOOK.COM
Stable-dep-of: 6ec1235fc941 ("ASoC: qcom: q6apm: move component registration to unmanaged version")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/soc/qcom/apr.h | 2 +-
sound/soc/qcom/qdsp6/q6core.c | 4 +---
2 files changed, 2 insertions(+), 4 deletions(-)
--- a/include/linux/soc/qcom/apr.h
+++ b/include/linux/soc/qcom/apr.h
@@ -153,7 +153,7 @@ typedef struct apr_device gpr_device_t;
struct apr_driver {
int (*probe)(struct apr_device *sl);
- int (*remove)(struct apr_device *sl);
+ void (*remove)(struct apr_device *sl);
int (*callback)(struct apr_device *a,
struct apr_resp_pkt *d);
int (*gpr_callback)(struct gpr_resp_pkt *d, void *data, int op);
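Review bot: changing `remove` to return void in struct apr_driver affects every driver that fills in this member and the bus code that calls it, yet the diffstat touches only apr.h and q6core.c. Confirm that the 6.1 apr bus remove path does not use the return value and that no other apr or gpr driver in the tree still assigns an int-returning function to `.remove`, which would now be an incompatible pointer type.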
--- a/sound/soc/qcom/qdsp6/q6core.c
+++ b/sound/soc/qcom/qdsp6/q6core.c
@@ -339,7 +339,7 @@ static int q6core_probe(struct apr_devic
return 0;
}
-static int q6core_exit(struct apr_device *adev)
+static void q6core_exit(struct apr_device *adev)
{
struct q6core *core = dev_get_drvdata(&adev->dev);
@@ -350,8 +350,6 @@ static int q6core_exit(struct apr_device
g_core = NULL;
kfree(core);
-
- return 0;
}
#ifdef CONFIG_OF
* [PATCH 6.1 133/969] ASoC: qcom: q6apm: move component registration to unmanaged version
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stable, Srinivas Kandagatla,
Mark Brown, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
[ Upstream commit 6ec1235fc941dac6c011b30ee01d9220ff87e0cd ]
q6apm component registers dais dynamically from ASoC topology, which
are allocated using device managed version apis. Allocating both
component and dynamic dais using managed version could lead to incorrect
free ordering, dai will be freed while component still holding references
to it.
Fix this issue by moving component to unmanaged version so
that the dai pointers are only freed after the component is removed.
==================================================================
BUG: KASAN: slab-use-after-free in snd_soc_del_component_unlocked+0x3d4/0x400 [snd_soc_core]
Read of size 8 at addr ffff00084493a6e8 by task kworker/u48:0/3426
Tainted: [W]=WARN
Hardware name: LENOVO 21N2ZC5PUS/21N2ZC5PUS, BIOS N42ET57W (1.31 ) 08/08/2024
Workqueue: pdr_notifier_wq pdr_notifier_work [pdr_interface]
Call trace:
show_stack+0x28/0x7c (C)
dump_stack_lvl+0x60/0x80
print_report+0x160/0x4b4
kasan_report+0xac/0xfc
__asan_report_load8_noabort+0x20/0x34
snd_soc_del_component_unlocked+0x3d4/0x400 [snd_soc_core]
snd_soc_unregister_component_by_driver+0x50/0x88 [snd_soc_core]
devm_component_release+0x30/0x5c [snd_soc_core]
devres_release_all+0x13c/0x210
device_unbind_cleanup+0x20/0x190
device_release_driver_internal+0x350/0x468
device_release_driver+0x18/0x30
bus_remove_device+0x1a0/0x35c
device_del+0x314/0x7f0
device_unregister+0x20/0xbc
apr_remove_device+0x5c/0x7c [apr]
device_for_each_child+0xd8/0x160
apr_pd_status+0x7c/0xa8 [apr]
pdr_notifier_work+0x114/0x240 [pdr_interface]
process_one_work+0x500/0xb70
worker_thread+0x630/0xfb0
kthread+0x370/0x6c0
ret_from_fork+0x10/0x20
Allocated by task 77:
kasan_save_stack+0x40/0x68
kasan_save_track+0x20/0x40
kasan_save_alloc_info+0x44/0x58
__kasan_kmalloc+0xbc/0xdc
__kmalloc_node_track_caller_noprof+0x1f4/0x620
devm_kmalloc+0x7c/0x1c8
snd_soc_register_dai+0x50/0x4f0 [snd_soc_core]
soc_tplg_pcm_elems_load+0x55c/0x1eb8 [snd_soc_core]
snd_soc_tplg_component_load+0x4f8/0xb60 [snd_soc_core]
audioreach_tplg_init+0x124/0x1fc [snd_q6apm]
q6apm_audio_probe+0x10/0x1c [snd_q6apm]
snd_soc_component_probe+0x5c/0x118 [snd_soc_core]
soc_probe_component+0x44c/0xaf0 [snd_soc_core]
snd_soc_bind_card+0xad0/0x2370 [snd_soc_core]
snd_soc_register_card+0x3b0/0x4c0 [snd_soc_core]
devm_snd_soc_register_card+0x50/0xc8 [snd_soc_core]
x1e80100_platform_probe+0x208/0x368 [snd_soc_x1e80100]
platform_probe+0xc0/0x188
really_probe+0x188/0x804
__driver_probe_device+0x158/0x358
driver_probe_device+0x60/0x190
__device_attach_driver+0x16c/0x2a8
bus_for_each_drv+0x100/0x194
__device_attach+0x174/0x380
device_initial_probe+0x14/0x20
bus_probe_device+0x124/0x154
deferred_probe_work_func+0x140/0x220
process_one_work+0x500/0xb70
worker_thread+0x630/0xfb0
kthread+0x370/0x6c0
ret_from_fork+0x10/0x20
Freed by task 3426:
kasan_save_stack+0x40/0x68
kasan_save_track+0x20/0x40
__kasan_save_free_info+0x4c/0x80
__kasan_slab_free+0x78/0xa0
kfree+0x100/0x4a4
devres_release_all+0x144/0x210
device_unbind_cleanup+0x20/0x190
device_release_driver_internal+0x350/0x468
device_release_driver+0x18/0x30
bus_remove_device+0x1a0/0x35c
device_del+0x314/0x7f0
device_unregister+0x20/0xbc
apr_remove_device+0x5c/0x7c [apr]
device_for_each_child+0xd8/0x160
apr_pd_status+0x7c/0xa8 [apr]
pdr_notifier_work+0x114/0x240 [pdr_interface]
process_one_work+0x500/0xb70
worker_thread+0x630/0xfb0
kthread+0x370/0x6c0
ret_from_fork+0x10/0x20
Fixes: 5477518b8a0e ("ASoC: qdsp6: audioreach: add q6apm support")
Cc: Stable@vger.kernel.org
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Link: https://patch.msgid.link/20260402081118.348071-2-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/qcom/qdsp6/q6apm.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
--- a/sound/soc/qcom/qdsp6/q6apm.c
+++ b/sound/soc/qcom/qdsp6/q6apm.c
@@ -746,13 +746,22 @@ static int apm_probe(gpr_device_t *gdev)
q6apm_get_apm_state(apm);
- ret = devm_snd_soc_register_component(dev, &q6apm_audio_component, NULL, 0);
+ ret = snd_soc_register_component(dev, &q6apm_audio_component, NULL, 0);
if (ret < 0) {
dev_err(dev, "failed to get register q6apm: %d\n", ret);
return ret;
}
- return of_platform_populate(dev->of_node, NULL, NULL, dev);
+ ret = of_platform_populate(dev->of_node, NULL, NULL, dev);
+ if (ret)
+ snd_soc_unregister_component(dev);
+
+ return ret;
+}
+
+static void apm_remove(gpr_device_t *gdev)
+{
+ snd_soc_unregister_component(&gdev->dev);
}
struct audioreach_module *q6apm_find_module_by_mid(struct q6apm_graph *graph, uint32_t mid)
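Review bot: apm_probe() now ends with of_platform_populate(), but apm_remove() only calls snd_soc_unregister_component() and has no matching of_platform_depopulate(), so the child devices created in probe are not torn down by this driver. Say in the commit message where they are removed, or depopulate them in apm_remove() before unregistering the component. The `.remove = apm_remove` assignment in the next hunk also relies on the void-returning callback from the preceding patch in this series, which should stay ordered before this one.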
@@ -819,6 +828,7 @@ MODULE_DEVICE_TABLE(of, apm_device_id);
static gpr_driver_t apm_driver = {
.probe = apm_probe,
+ .remove = apm_remove,
.gpr_callback = apm_callback,
.driver = {
.name = "qcom-apm",
* [PATCH 6.1 134/969] rxrpc: Fix recvmsg() unconditional requeue
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Faith, Pumpkin Chang, David Howells,
Marc Dionne, Jakub Kicinski, Jay Wang
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Howells <dhowells@redhat.com>
[ Upstream commit 2c28769a51deb6022d7fbd499987e237a01dd63a ]
If rxrpc_recvmsg() fails because MSG_DONTWAIT was specified but the call
at the front of the recvmsg queue already has its mutex locked, it
requeues the call - whether or not the call is already queued. The call
may be on the queue because MSG_PEEK was also passed and so the call was
not dequeued or because the I/O thread requeued it.
The unconditional requeue may then corrupt the recvmsg queue, leading to
things like UAFs or refcount underruns.
Fix this by only requeuing the call if it isn't already on the queue -
and moving it to the front if it is already queued. If we don't queue
it, we have to put the ref we obtained by dequeuing it.
Also, MSG_PEEK doesn't dequeue the call so shouldn't call
rxrpc_notify_socket() for the call if we didn't use up all the data on
the queue, so fix that also.
Fixes: 540b1c48c37a ("rxrpc: Fix deadlock between call creation and sendmsg/recvmsg")
Reported-by: Faith <faith@zellic.io>
Reported-by: Pumpkin Chang <pumpkin@devco.re>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Marc Dionne <marc.dionne@auristor.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Cc: stable@vger.kernel.org
[Adapted to 6.1: use write_lock_bh/write_unlock_bh, trace_rxrpc_call
directly for see-call tracing, and 6.1 trace enum naming convention.]
Signed-off-by: Jay Wang <wanjay@amazon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/trace/events/rxrpc.h | 4 ++++
net/rxrpc/recvmsg.c | 22 ++++++++++++++++++----
2 files changed, 22 insertions(+), 4 deletions(-)
--- a/include/trace/events/rxrpc.h
+++ b/include/trace/events/rxrpc.h
@@ -82,9 +82,13 @@
EM(rxrpc_call_put_notimer, "PnT") \
EM(rxrpc_call_put_timer, "PTM") \
EM(rxrpc_call_put_userid, "Pus") \
+ EM(rxrpc_call_put_recvmsg_peek_nowait, "PpN") \
EM(rxrpc_call_queued, "QUE") \
EM(rxrpc_call_queued_ref, "QUR") \
EM(rxrpc_call_release, "RLS") \
+ EM(rxrpc_call_see_recvmsg_requeue, "SrQ") \
+ EM(rxrpc_call_see_recvmsg_requeue_first,"SrF") \
+ EM(rxrpc_call_see_recvmsg_requeue_move, "SrM") \
E_(rxrpc_call_seen, "SEE")
#define rxrpc_transmit_traces \
--- a/net/rxrpc/recvmsg.c
+++ b/net/rxrpc/recvmsg.c
@@ -607,7 +607,8 @@ try_again:
if (after(call->rx_top, call->rx_hard_ack) &&
call->rxtx_buffer[(call->rx_hard_ack + 1) & RXRPC_RXTX_BUFF_MASK])
- rxrpc_notify_socket(call);
+ if (!(flags & MSG_PEEK))
+ rxrpc_notify_socket(call);
break;
default:
ret = 0;
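Review bot: the new `if (!(flags & MSG_PEEK))` is nested without braces under the existing two-line `if (after(...) && ...)`, which leaves an unbraced multi-line body. Fold the test into the outer condition with `&&`, or brace the outer `if`, so a later edit cannot attach an `else` to the wrong level.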
@@ -642,11 +643,24 @@ error_unlock_call:
error_requeue_call:
if (!(flags & MSG_PEEK)) {
write_lock_bh(&rx->recvmsg_lock);
- list_add(&call->recvmsg_link, &rx->recvmsg_q);
- write_unlock_bh(&rx->recvmsg_lock);
+ if (list_empty(&call->recvmsg_link)) {
+ list_add(&call->recvmsg_link, &rx->recvmsg_q);
+ trace_rxrpc_call(call->debug_id,
+ rxrpc_call_see_recvmsg_requeue,
+ refcount_read(&call->ref),
+ __builtin_return_address(0), NULL);
+ write_unlock_bh(&rx->recvmsg_lock);
+ } else if (list_is_first(&call->recvmsg_link, &rx->recvmsg_q)) {
+ write_unlock_bh(&rx->recvmsg_lock);
+ rxrpc_put_call(call, rxrpc_call_see_recvmsg_requeue_first);
+ } else {
+ list_move(&call->recvmsg_link, &rx->recvmsg_q);
+ write_unlock_bh(&rx->recvmsg_lock);
+ rxrpc_put_call(call, rxrpc_call_see_recvmsg_requeue_move);
+ }
trace_rxrpc_recvmsg(call, rxrpc_recvmsg_requeue, 0, 0, 0, 0);
} else {
- rxrpc_put_call(call, rxrpc_call_put);
+ rxrpc_put_call(call, rxrpc_call_put_recvmsg_peek_nowait);
}
error_no_call:
release_sock(&rx->sk);
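Review bot: in the `list_is_first()` and `list_move()` branches rxrpc_put_call() is passed rxrpc_call_see_recvmsg_requeue_first and rxrpc_call_see_recvmsg_requeue_move, which the trace header hunk defines as see-type events ("SrF", "SrM"), so a reference drop is logged under a label that reads as an observation. Use a put-type label for the drop, as the MSG_PEEK branch does with rxrpc_call_put_recvmsg_peek_nowait, or emit the see event separately and then put with a put label. It would also help to state in a comment that the `list_empty(&call->recvmsg_link)` test relies on the dequeue path reinitialising the link, since that code is outside the hunk.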
* [PATCH 6.1 135/969] scsi: ufs: core: Fix use-after free in init error and remove paths
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable, André Draszik
Cc: Greg Kroah-Hartman, patches, Bean Huo, Manivannan Sadhasivam,
Eric Biggers, Martin K. Petersen, Robert Garcia
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: André Draszik <andre.draszik@linaro.org>
[ Upstream commit f8fb2403ddebb5eea0033d90d9daae4c88749ada ]
devm_blk_crypto_profile_init() registers a cleanup handler to run when
the associated (platform-) device is being released. For UFS, the
crypto private data and pointers are stored as part of the ufs_hba's
data structure 'struct ufs_hba::crypto_profile'. This structure is
allocated as part of the underlying ufshcd and therefore Scsi_host
allocation.
During driver release or during error handling in ufshcd_pltfrm_init(),
this structure is released as part of ufshcd_dealloc_host() before the
(platform-) device associated with the crypto call above is released.
Once this device is released, the crypto cleanup code will run, using
the just-released 'struct ufs_hba::crypto_profile'. This causes a
use-after-free situation:
Call trace:
kfree+0x60/0x2d8 (P)
kvfree+0x44/0x60
blk_crypto_profile_destroy_callback+0x28/0x70
devm_action_release+0x1c/0x30
release_nodes+0x6c/0x108
devres_release_all+0x98/0x100
device_unbind_cleanup+0x20/0x70
really_probe+0x218/0x2d0
In other words, the initialisation code flow is:
  platform-device probe
    ufshcd_pltfrm_init()
      ufshcd_alloc_host()
        scsi_host_alloc()
          allocation of struct ufs_hba
          creation of scsi-host devices
    devm_blk_crypto_profile_init()
      devm registration of cleanup handler using platform-device
and during error handling of ufshcd_pltfrm_init() or during driver
removal:
  ufshcd_dealloc_host()
    scsi_host_put()
      put_device(scsi-host)
        release of struct ufs_hba
  put_device(platform-device)
    crypto cleanup handler
To fix this use-after free, change ufshcd_alloc_host() to register a
devres action to automatically cleanup the underlying SCSI device on
ufshcd destruction, without requiring explicit calls to
ufshcd_dealloc_host(). This way:
* the crypto profile and all other ufs_hba-owned resources are
destroyed before SCSI (as they've been registered after)
* a memleak is plugged in tc-dwc-g210-pci.c remove() as a
side-effect
* EXPORT_SYMBOL_GPL(ufshcd_dealloc_host) can be removed fully as
it's not needed anymore
* no future drivers using ufshcd_alloc_host() could ever forget
adding the cleanup
Fixes: cb77cb5abe1f ("blk-crypto: rename blk_keyslot_manager to blk_crypto_profile")
Fixes: d76d9d7d1009 ("scsi: ufs: use devm_blk_ksm_init()")
Cc: stable@vger.kernel.org
Signed-off-by: André Draszik <andre.draszik@linaro.org>
Link: https://lore.kernel.org/r/20250124-ufshcd-fix-v4-1-c5d0144aae59@linaro.org
Reviewed-by: Bean Huo <beanhuo@micron.com>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Acked-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[ Delete modifications about ufshcd_parse_operating_points() for it's added from
commit 72208ebe181e3("scsi: ufs: core: Add support for parsing OPP")
and that in ufshcd_pltfrm_remove() for it's added from commit
897df60c16d54("scsi: ufs: pltfrm: Dellocate HBA during ufshcd_pltfrm_remove()"). ]
Signed-off-by: Robert Garcia <rob_garcia@163.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/ufs/core/ufshcd.c | 31 +++++++++++++++++++++----------
drivers/ufs/host/ufshcd-pci.c | 2 --
drivers/ufs/host/ufshcd-pltfrm.c | 25 ++++++++-----------------
include/ufs/ufshcd.h | 1 -
4 files changed, 29 insertions(+), 30 deletions(-)
--- a/drivers/ufs/core/ufshcd.c
+++ b/drivers/ufs/core/ufshcd.c
@@ -9662,16 +9662,6 @@ void ufshcd_remove(struct ufs_hba *hba)
EXPORT_SYMBOL_GPL(ufshcd_remove);
/**
- * ufshcd_dealloc_host - deallocate Host Bus Adapter (HBA)
- * @hba: pointer to Host Bus Adapter (HBA)
- */
-void ufshcd_dealloc_host(struct ufs_hba *hba)
-{
- scsi_host_put(hba->host);
-}
-EXPORT_SYMBOL_GPL(ufshcd_dealloc_host);
-
-/**
* ufshcd_set_dma_mask - Set dma mask based on the controller
* addressing capability
* @hba: per adapter instance
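Review bot: removing ufshcd_dealloc_host() and its EXPORT_SYMBOL_GPL breaks any remaining caller, and the backport note says the ufshcd_pltfrm_remove() change was dropped while the diffstat covers only ufshcd.c, ufshcd-pci.c, ufshcd-pltfrm.c and ufshcd.h. Confirm with a full build that no other 6.1 host driver still calls ufshcd_dealloc_host(); the commit message itself mentions tc-dwc-g210-pci.c as a user of ufshcd_alloc_host().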
@@ -9690,10 +9680,24 @@ static int ufshcd_set_dma_mask(struct uf
}
/**
+ * ufshcd_devres_release - devres cleanup handler, invoked during release of
+ * hba->dev
+ * @host: pointer to SCSI host
+ */
+static void ufshcd_devres_release(void *host)
+{
+ scsi_host_put(host);
+}
+
+/**
* ufshcd_alloc_host - allocate Host Bus Adapter (HBA)
* @dev: pointer to device handle
* @hba_handle: driver private handle
* Returns 0 on success, non-zero value on failure
+ *
+ * NOTE: There is no corresponding ufshcd_dealloc_host() because this function
+ * keeps track of its allocations using devres and deallocates everything on
+ * device removal automatically.
*/
int ufshcd_alloc_host(struct device *dev, struct ufs_hba **hba_handle)
{
@@ -9715,6 +9719,13 @@ int ufshcd_alloc_host(struct device *dev
err = -ENOMEM;
goto out_error;
}
+
+ err = devm_add_action_or_reset(dev, ufshcd_devres_release,
+ host);
+ if (err)
+ return dev_err_probe(dev, err,
+ "failed to add ufshcd dealloc action\n");
+
host->nr_maps = HCTX_TYPE_POLL + 1;
hba = shost_priv(host);
hba->host = host;
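Review bot: the new devm_add_action_or_reset() failure path returns directly while the allocation failure just above it uses goto out_error, and nothing in the hunk says why. The direct return is correct only because devm_add_action_or_reset() already runs ufshcd_devres_release(), and so scsi_host_put(), when it fails. A one-line comment to that effect would stop a later cleanup from routing this path through out_error or adding a second put.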
--- a/drivers/ufs/host/ufshcd-pci.c
+++ b/drivers/ufs/host/ufshcd-pci.c
@@ -629,7 +629,6 @@ static void ufshcd_pci_remove(struct pci
pm_runtime_forbid(&pdev->dev);
pm_runtime_get_noresume(&pdev->dev);
ufshcd_remove(hba);
- ufshcd_dealloc_host(hba);
}
/**
@@ -674,7 +673,6 @@ ufshcd_pci_probe(struct pci_dev *pdev, c
err = ufshcd_init(hba, mmio_base, pdev->irq);
if (err) {
dev_err(&pdev->dev, "Initialization failed\n");
- ufshcd_dealloc_host(hba);
return err;
}
--- a/drivers/ufs/host/ufshcd-pltfrm.c
+++ b/drivers/ufs/host/ufshcd-pltfrm.c
@@ -343,21 +343,17 @@ int ufshcd_pltfrm_init(struct platform_d
struct device *dev = &pdev->dev;
mmio_base = devm_platform_ioremap_resource(pdev, 0);
- if (IS_ERR(mmio_base)) {
- err = PTR_ERR(mmio_base);
- goto out;
- }
+ if (IS_ERR(mmio_base))
+ return PTR_ERR(mmio_base);
irq = platform_get_irq(pdev, 0);
- if (irq < 0) {
- err = irq;
- goto out;
- }
+ if (irq < 0)
+ return irq;
err = ufshcd_alloc_host(dev, &hba);
if (err) {
dev_err(dev, "Allocation failed\n");
- goto out;
+ return err;
}
hba->vops = vops;
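Review bot: in the ufshcd_alloc_host() error branch, dev_err(dev, "Allocation failed\n") now duplicates the message that ufshcd_alloc_host() prints itself through dev_err_probe() when the devres action cannot be added. Consider dropping the caller-side message, or returning through dev_err_probe() here as well, so that logging for this failure happens in one place.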
@@ -366,13 +362,13 @@ int ufshcd_pltfrm_init(struct platform_d
if (err) {
dev_err(dev, "%s: clock parse failed %d\n",
__func__, err);
- goto dealloc_host;
+ return err;
}
err = ufshcd_parse_regulator_info(hba);
if (err) {
dev_err(dev, "%s: regulator init failed %d\n",
__func__, err);
- goto dealloc_host;
+ return err;
}
ufshcd_init_lanes_per_dir(hba);
@@ -380,18 +376,13 @@ int ufshcd_pltfrm_init(struct platform_d
err = ufshcd_init(hba, mmio_base, irq);
if (err) {
dev_err(dev, "Initialization failed\n");
- goto dealloc_host;
+ return err;
}
pm_runtime_set_active(dev);
pm_runtime_enable(dev);
return 0;
-
-dealloc_host:
- ufshcd_dealloc_host(hba);
-out:
- return err;
}
EXPORT_SYMBOL_GPL(ufshcd_pltfrm_init);
--- a/include/ufs/ufshcd.h
+++ b/include/ufs/ufshcd.h
@@ -1063,7 +1063,6 @@ static inline void ufshcd_rmwl(struct uf
}
int ufshcd_alloc_host(struct device *, struct ufs_hba **);
-void ufshcd_dealloc_host(struct ufs_hba *);
int ufshcd_hba_enable(struct ufs_hba *hba);
int ufshcd_init(struct ufs_hba *, void __iomem *, unsigned int);
int ufshcd_link_recovery(struct ufs_hba *hba);
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 136/969] ALSA: control: Avoid WARN() for symlink errors
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (134 preceding siblings ...)
2026-05-30 15:54 ` [PATCH 6.1 135/969] scsi: ufs: core: Fix use-after free in init error and remove paths Greg Kroah-Hartman
@ 2026-05-30 15:54 ` Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 137/969] f2fs: fix null-ptr-deref in f2fs_submit_page_bio() Greg Kroah-Hartman
` (839 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+4e7919b09c67ffd198ae,
Takashi Iwai, Robert Garcia
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit b2e538a9827dd04ab5273bf4be8eb2edb84357b0 upstream.
Using WARN() for showing the error of symlink creations doesn't give
more information than telling that something goes wrong, since the
usual code path is a register callback from each control element
creation. Worse, the use of WARN() rather confuses fuzzers, as if
these were serious issues.
This patch downgrades the warning messages to use the normal dev_err()
instead of WARN(). For making it clearer, add the function name to
the prefix, too.
Fixes: a135dfb5de15 ("ALSA: led control - add sysfs kcontrol LED marking layer")
Reported-by: syzbot+4e7919b09c67ffd198ae@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/675664c7.050a0220.a30f1.018c.GAE@google.com
Link: https://patch.msgid.link/20241209095614.4273-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[ Use card->ctl_dev.kobj to keep struct consistent. ]
Signed-off-by: Robert Garcia <rob_garcia@163.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/core/control_led.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
--- a/sound/core/control_led.c
+++ b/sound/core/control_led.c
@@ -688,10 +688,16 @@ static void snd_ctl_led_sysfs_add(struct
goto cerr;
led->cards[card->number] = led_card;
snprintf(link_name, sizeof(link_name), "led-%s", led->name);
- WARN(sysfs_create_link(&card->ctl_dev.kobj, &led_card->dev.kobj, link_name),
- "can't create symlink to controlC%i device\n", card->number);
- WARN(sysfs_create_link(&led_card->dev.kobj, &card->card_dev.kobj, "card"),
- "can't create symlink to card%i\n", card->number);
+ if (sysfs_create_link(&card->ctl_dev.kobj, &led_card->dev.kobj,
+ link_name))
+ dev_err(card->dev,
+ "%s: can't create symlink to controlC%i device\n",
+ __func__, card->number);
+ if (sysfs_create_link(&led_card->dev.kobj, &card->card_dev.kobj,
+ "card"))
+ dev_err(card->dev,
+ "%s: can't create symlink to card%i\n",
+ __func__, card->number);
continue;
cerr:
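Review bot: both new dev_err() calls discard the value returned by sysfs_create_link(), so the log says a symlink could not be created but not why. Suggest storing the return value in a local and adding it to the format string with %d, which keeps the message useful now that the WARN() backtrace is gone.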
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 137/969] f2fs: fix null-ptr-deref in f2fs_submit_page_bio()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (135 preceding siblings ...)
2026-05-30 15:54 ` [PATCH 6.1 136/969] ALSA: control: Avoid WARN() for symlink errors Greg Kroah-Hartman
@ 2026-05-30 15:54 ` Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 138/969] wifi: iwlwifi: read txq->read_ptr under lock Greg Kroah-Hartman
` (838 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ye Bin, Chao Yu, Jaegeuk Kim,
Bin Lan
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ye Bin <yebin10@huawei.com>
commit b7d0a97b28083084ebdd8e5c6bccd12e6ec18faa upstream.
There's an issue as follows when concurrently installing the f2fs.ko
module and mounting the f2fs file system:
KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]
RIP: 0010:__bio_alloc+0x2fb/0x6c0 [f2fs]
Call Trace:
<TASK>
f2fs_submit_page_bio+0x126/0x8b0 [f2fs]
__get_meta_page+0x1d4/0x920 [f2fs]
get_checkpoint_version.constprop.0+0x2b/0x3c0 [f2fs]
validate_checkpoint+0xac/0x290 [f2fs]
f2fs_get_valid_checkpoint+0x207/0x950 [f2fs]
f2fs_fill_super+0x1007/0x39b0 [f2fs]
mount_bdev+0x183/0x250
legacy_get_tree+0xf4/0x1e0
vfs_get_tree+0x88/0x340
do_new_mount+0x283/0x5e0
path_mount+0x2b2/0x15b0
__x64_sys_mount+0x1fe/0x270
do_syscall_64+0x5f/0x170
entry_SYSCALL_64_after_hwframe+0x76/0x7e
The above issue happens as the bioset of the f2fs file system is not
initialized before registering "f2fs_fs_type".
To address the above issue, just register "f2fs_fs_type" last in
init_f2fs_fs(). Ensure that all f2fs file system resources are
initialized.
Fixes: f543805fcd60 ("f2fs: introduce private bioset")
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
[ Minor context conflict resolved. ]
Signed-off-by: Bin Lan <lanbincn@139.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/super.c | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -4760,9 +4760,6 @@ static int __init init_f2fs_fs(void)
err = register_shrinker(&f2fs_shrinker_info, "f2fs-shrinker");
if (err)
goto free_sysfs;
- err = register_filesystem(&f2fs_fs_type);
- if (err)
- goto free_shrinker;
f2fs_create_root_stats();
err = f2fs_init_post_read_processing();
if (err)
@@ -4786,6 +4783,7 @@ static int __init init_f2fs_fs(void)
if (err)
goto free_compress_cache;
err = f2fs_init_xattr_cache();
+ err = register_filesystem(&f2fs_fs_type);
if (err)
goto free_casefold_cache;
return 0;
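Review bot: the added err = register_filesystem(&f2fs_fs_type) sits directly after err = f2fs_init_xattr_cache() and overwrites its result before the if (err) test, so a failed xattr cache init is silently ignored in this backport. f2fs_init_xattr_cache() needs its own if (err) goto free_casefold_cache, and a register_filesystem() failure should then unwind through a label that also calls f2fs_destroy_xattr_cache(), which the free_casefold_cache target, judging by its name, does not do.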
@@ -4805,8 +4803,6 @@ free_post_read:
f2fs_destroy_post_read_processing();
free_root_stats:
f2fs_destroy_root_stats();
- unregister_filesystem(&f2fs_fs_type);
-free_shrinker:
unregister_shrinker(&f2fs_shrinker_info);
free_sysfs:
f2fs_exit_sysfs();
@@ -4830,6 +4826,7 @@ fail:
static void __exit exit_f2fs_fs(void)
{
+ unregister_filesystem(&f2fs_fs_type);
f2fs_destroy_xattr_cache();
f2fs_destroy_casefold_cache();
f2fs_destroy_compress_cache();
@@ -4839,7 +4836,6 @@ static void __exit exit_f2fs_fs(void)
f2fs_destroy_iostat_processing();
f2fs_destroy_post_read_processing();
f2fs_destroy_root_stats();
- unregister_filesystem(&f2fs_fs_type);
unregister_shrinker(&f2fs_shrinker_info);
f2fs_exit_sysfs();
f2fs_destroy_garbage_collection_cache();
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 138/969] wifi: iwlwifi: read txq->read_ptr under lock
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (136 preceding siblings ...)
2026-05-30 15:54 ` [PATCH 6.1 137/969] f2fs: fix null-ptr-deref in f2fs_submit_page_bio() Greg Kroah-Hartman
@ 2026-05-30 15:54 ` Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 139/969] scripts/dtc: Remove unused dts_version in dtc-lexer.l Greg Kroah-Hartman
` (837 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johannes Berg, Miri Korenblit,
Robert Garcia
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
commit c2ace6300600c634553657785dfe5ea0ed688ac2 upstream.
If we read txq->read_ptr without lock, we can read the same
value twice, then obtain the lock, and reclaim from there
to two different places, but crucially reclaim the same
entry twice, resulting in the WARN_ONCE() a little later.
Fix that by reading txq->read_ptr under lock.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://msgid.link/20240319100755.bf4c62196504.I978a7ca56c6bd6f1bf42c15aa923ba03366a840b@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
[ Change read_ptr definition according to commit
413be839bfca9("wifi: iwlwifi: add a validity check of queue_id in iwl_txq_reclaim"). ]
Signed-off-by: Robert Garcia <rob_garcia@163.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/intel/iwlwifi/queue/tx.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/net/wireless/intel/iwlwifi/queue/tx.c
+++ b/drivers/net/wireless/intel/iwlwifi/queue/tx.c
@@ -1555,7 +1555,7 @@ void iwl_txq_reclaim(struct iwl_trans *t
{
struct iwl_txq *txq = trans->txqs.txq[txq_id];
int tfd_num = iwl_txq_get_cmd_index(txq, ssn);
- int read_ptr = iwl_txq_get_cmd_index(txq, txq->read_ptr);
+ int read_ptr;
int last_to_free;
/* This function is not meant to release cmd queue*/
@@ -1563,6 +1563,7 @@ void iwl_txq_reclaim(struct iwl_trans *t
return;
spin_lock_bh(&txq->lock);
+ read_ptr = iwl_txq_get_cmd_index(txq, txq->read_ptr);
if (!test_bit(txq_id, trans->txqs.queue_used)) {
IWL_DEBUG_TX_QUEUES(trans, "Q %d inactive - ignoring idx %d\n",
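Review bot: the read_ptr assignment now placed after spin_lock_bh(&txq->lock) carries no comment, while tfd_num is still computed in the declaration block before the lock. A short comment at the assignment saying that txq->read_ptr must be sampled under txq->lock would keep a later tidy-up from folding it back into the declaration.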
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 139/969] scripts/dtc: Remove unused dts_version in dtc-lexer.l
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (137 preceding siblings ...)
2026-05-30 15:54 ` [PATCH 6.1 138/969] wifi: iwlwifi: read txq->read_ptr under lock Greg Kroah-Hartman
@ 2026-05-30 15:54 ` Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 140/969] arm64: mm: fix VA-range sanity check Greg Kroah-Hartman
` (836 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches,
stable@vger.kernel.org, devicetree@vger.kernel.org, Nathan Chancellor,
Nathan Chancellor
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
This patch is for stable only. Commit 5a09df20872c ("scripts/dtc: Update
to upstream version v1.7.2-69-g53373d135579") upstream applied it as
part of a regular scripts/dtc sync, which may be unsuitable for older
versions of stable where the warning it fixes is present.
A recent strengthening of -Wunused-but-set-variable (enabled with -Wall)
in clang under a new subwarning, -Wunused-but-set-global, points out an
unused static global variable in dtc-lexer.lex.c (compiled from
dtc-lexer.l):
scripts/dtc/dtc-lexer.lex.c:641:12: warning: variable 'dts_version' set but not used [-Wunused-but-set-global]
641 | static int dts_version = 1;
| ^
Remove it to clear up the warning, as it is truly unused.
Fixes: 658f29a51e98 ("of/flattree: Update dtc to current mainline.")
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
This should apply cleanly to all supported stable branches.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
scripts/dtc/dtc-lexer.l | 3 ---
1 file changed, 3 deletions(-)
--- a/scripts/dtc/dtc-lexer.l
+++ b/scripts/dtc/dtc-lexer.l
@@ -39,8 +39,6 @@ extern bool treesource_error;
#define DPRINT(fmt, ...) do { } while (0)
#endif
-static int dts_version = 1;
-
#define BEGIN_DEFAULT() DPRINT("<V1>\n"); \
BEGIN(V1); \
@@ -101,7 +99,6 @@ static void PRINTF(1, 2) lexical_error(c
<*>"/dts-v1/" {
DPRINT("Keyword: /dts-v1/\n");
- dts_version = 1;
BEGIN_DEFAULT();
return DT_V1;
}
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 140/969] arm64: mm: fix VA-range sanity check
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (138 preceding siblings ...)
2026-05-30 15:54 ` [PATCH 6.1 139/969] scripts/dtc: Remove unused dts_version in dtc-lexer.l Greg Kroah-Hartman
@ 2026-05-30 15:54 ` Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 141/969] rxrpc: Fix anonymous key handling Greg Kroah-Hartman
` (835 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, Russell King,
Steve Capper, Will Deacon, Russell King (Oracle), Catalin Marinas,
Alva Lan
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
commit ab9b4008092c86dc12497af155a0901cc1156999 upstream.
Both create_mapping_noalloc() and update_mapping_prot() sanity-check
their 'virt' parameter, but the check itself doesn't make much sense.
The condition used today appears to be a historical accident.
The sanity-check condition:
if ((virt >= PAGE_END) && (virt < VMALLOC_START)) {
[ ... warning here ... ]
return;
}
... can only be true for the KASAN shadow region or the module region,
and there's no reason to exclude these specifically for creating and
updating mappings.
When arm64 support was first upstreamed in commit:
c1cc1552616d0f35 ("arm64: MMU initialisation")
... the condition was:
if (virt < VMALLOC_START) {
[ ... warning here ... ]
return;
}
At the time, VMALLOC_START was the lowest kernel address, and this was
checking whether 'virt' would be translated via TTBR1.
Subsequently in commit:
14c127c957c1c607 ("arm64: mm: Flip kernel VA space")
... the condition was changed to:
if ((virt >= VA_START) && (virt < VMALLOC_START)) {
[ ... warning here ... ]
return;
}
This appears to have been a thinko. The commit moved the linear map to
the bottom of the kernel address space, with VMALLOC_START being at the
halfway point. The old condition would warn for changes to the linear
map below this, and at the time VA_START was the end of the linear map.
Subsequently we cleaned up the naming of VA_START in commit:
77ad4ce69321abbe ("arm64: memory: rename VA_START to PAGE_END")
... keeping the erroneous condition as:
if ((virt >= PAGE_END) && (virt < VMALLOC_START)) {
[ ... warning here ... ]
return;
}
Correct the condition to check against the start of the TTBR1 address
space, which is currently PAGE_OFFSET. This simplifies the logic, and
more clearly matches the "outside kernel range" message in the warning.
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Russell King <linux@armlinux.org.uk>
Cc: Steve Capper <steve.capper@arm.com>
Cc: Will Deacon <will@kernel.org>
Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Link: https://lore.kernel.org/r/20230615102628.1052103-1-mark.rutland@arm.com
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Alva Lan <alvalan9@foxmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/mm/mmu.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/arm64/mm/mmu.c
+++ b/arch/arm64/mm/mmu.c
@@ -451,7 +451,7 @@ static phys_addr_t pgd_pgtable_alloc(int
static void __init create_mapping_noalloc(phys_addr_t phys, unsigned long virt,
phys_addr_t size, pgprot_t prot)
{
- if ((virt >= PAGE_END) && (virt < VMALLOC_START)) {
+ if (virt < PAGE_OFFSET) {
pr_warn("BUG: not creating mapping for %pa at 0x%016lx - outside kernel range\n",
&phys, virt);
return;
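Review bot: the same virt < PAGE_OFFSET test is added here and in update_mapping_prot() with no comment on why PAGE_OFFSET is the bound. The commit message explains that it is the start of the TTBR1 address space; a one-line comment at the check would carry that reasoning into the code, which matters given that the previous condition was carried through the VA_START to PAGE_END rename unnoticed.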
@@ -478,7 +478,7 @@ void __init create_pgd_mapping(struct mm
static void update_mapping_prot(phys_addr_t phys, unsigned long virt,
phys_addr_t size, pgprot_t prot)
{
- if ((virt >= PAGE_END) && (virt < VMALLOC_START)) {
+ if (virt < PAGE_OFFSET) {
pr_warn("BUG: not updating mapping for %pa at 0x%016lx - outside kernel range\n",
&phys, virt);
return;
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 141/969] rxrpc: Fix anonymous key handling
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (139 preceding siblings ...)
2026-05-30 15:54 ` [PATCH 6.1 140/969] arm64: mm: fix VA-range sanity check Greg Kroah-Hartman
@ 2026-05-30 15:54 ` Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 142/969] rxrpc: only handle RESPONSE during service challenge Greg Kroah-Hartman
` (834 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Howells, Marc Dionne,
Jeffrey Altman, Simon Horman, linux-afs, stable, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Howells <dhowells@redhat.com>
[ Upstream commit 6a59d84b4fc2f27f7b40e348506cc686712e260b ]
In rxrpc_new_client_call_for_sendmsg(), a key with no payload is meant to
be substituted for a NULL key pointer, but the variable this is done with
is subsequently not used.
Fix this by using "key" rather than "rx->key" when filling in the
connection parameters.
Note that this only affects direct use of AF_RXRPC; the kAFS filesystem
doesn't use sendmsg() directly and so bypasses the issue. Further,
AF_RXRPC passes a NULL key in if no key is set, so using an anonymous key
in that manner works. Since this hasn't been noticed to this point, it
might be better just to remove the "key" variable and the code that sets it
- and, arguably, rxrpc_init_client_call_security() would be a better place
to handle it.
Fixes: 19ffa01c9c45 ("rxrpc: Use structs to hold connection params and protocol info")
Closes: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40redhat.com
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://patch.msgid.link/20260408121252.2249051-4-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/rxrpc/sendmsg.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/rxrpc/sendmsg.c
+++ b/net/rxrpc/sendmsg.c
@@ -624,7 +624,7 @@ rxrpc_new_client_call_for_sendmsg(struct
memset(&cp, 0, sizeof(cp));
cp.local = rx->local;
- cp.key = rx->key;
+ cp.key = key;
cp.security_level = rx->min_sec_level;
cp.exclusive = rx->exclusive | p->exclusive;
cp.upgrade = p->upgrade;
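Review bot: cp.key = key depends on the NULL substitution for a payload-less key having already been applied to the local variable earlier in rxrpc_new_client_call_for_sendmsg(), which is outside this hunk's context. A comment at the assignment noting that key, not rx->key, is the normalised value would help, since the commit message itself says the variable went unused until now.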
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 142/969] rxrpc: only handle RESPONSE during service challenge
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (140 preceding siblings ...)
2026-05-30 15:54 ` [PATCH 6.1 141/969] rxrpc: Fix anonymous key handling Greg Kroah-Hartman
@ 2026-05-30 15:54 ` Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 143/969] fs/ntfs3: validate rec->used in journal-replay file record check Greg Kroah-Hartman
` (833 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yifan Wu, Juefei Pu, Yuan Tan,
Xin Liu, Jie Wang, Yang Yang, David Howells, Marc Dionne,
Jeffrey Altman, Simon Horman, linux-afs, stable, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wang Jie <jiewang2024@lzu.edu.cn>
[ Upstream commit c43ffdcfdbb5567b1f143556df8a04b4eeea041c ]
Only process RESPONSE packets while the service connection is still in
RXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before
running response verification and security initialization, then use a local
secured flag to decide whether to queue the secured-connection work after
the state transition. This keeps duplicate or late RESPONSE packets from
re-running the setup path and removes the unlocked post-transition state
test.
Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Jie Wang <jiewang2024@lzu.edu.cn>
Signed-off-by: Yang Yang <n05ec@lzu.edu.cn>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://patch.msgid.link/20260408121252.2249051-21-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ adapted to spin_lock_bh usage, 3-arg verify_response(), and direct rxrpc_call_is_secure() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/rxrpc/conn_event.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
--- a/net/rxrpc/conn_event.c
+++ b/net/rxrpc/conn_event.c
@@ -293,6 +293,7 @@ static int rxrpc_process_event(struct rx
u32 *_abort_code)
{
struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
+ bool secured = false;
__be32 wtmp;
u32 abort_code;
int loop, ret;
@@ -337,6 +338,13 @@ static int rxrpc_process_event(struct rx
_abort_code);
case RXRPC_PACKET_TYPE_RESPONSE:
+ spin_lock_bh(&conn->state_lock);
+ if (conn->state != RXRPC_CONN_SERVICE_CHALLENGING) {
+ spin_unlock_bh(&conn->state_lock);
+ return 0;
+ }
+ spin_unlock_bh(&conn->state_lock);
+
ret = conn->security->verify_response(conn, skb, _abort_code);
if (ret < 0)
return ret;
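Review bot: in the RXRPC_PACKET_TYPE_RESPONSE case, state_lock is dropped after the RXRPC_CONN_SERVICE_CHALLENGING test and before verify_response() runs, so the test only filters RESPONSE packets that arrive after the state transition has completed. If rxrpc_process_event() can run concurrently for one connection, two RESPONSE packets can both pass this test and both run verification; if the caller serialises it, a comment saying so here would make the unlocked window clearly intentional.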
@@ -348,17 +356,18 @@ static int rxrpc_process_event(struct rx
spin_lock(&conn->bundle->channel_lock);
spin_lock_bh(&conn->state_lock);
-
if (conn->state == RXRPC_CONN_SERVICE_CHALLENGING) {
conn->state = RXRPC_CONN_SERVICE;
- spin_unlock_bh(&conn->state_lock);
+ secured = true;
+ }
+ spin_unlock_bh(&conn->state_lock);
+
+ if (secured) {
for (loop = 0; loop < RXRPC_MAXCALLS; loop++)
rxrpc_call_is_secure(
rcu_dereference_protected(
conn->channels[loop].call,
lockdep_is_held(&conn->bundle->channel_lock)));
- } else {
- spin_unlock_bh(&conn->state_lock);
}
spin_unlock(&conn->bundle->channel_lock);
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 143/969] fs/ntfs3: validate rec->used in journal-replay file record check
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (141 preceding siblings ...)
2026-05-30 15:54 ` [PATCH 6.1 142/969] rxrpc: only handle RESPONSE during service challenge Greg Kroah-Hartman
@ 2026-05-30 15:54 ` Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 144/969] fuse: reject oversized dirents in page cache Greg Kroah-Hartman
` (832 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Konstantin Komarov, stable
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 0ca0485e4b2e837ebb6cbd4f2451aba665a03e4b upstream.
check_file_record() validates rec->total against the record size but
never validates rec->used. The do_action() journal-replay handlers read
rec->used from disk and use it to compute memmove lengths:
DeleteAttribute: memmove(attr, ..., used - asize - roff)
CreateAttribute: memmove(..., attr, used - roff)
change_attr_size: memmove(..., used - PtrOffset(rec, next))
When rec->used is smaller than the offset of a validated attribute, or
larger than the record size, these subtractions can underflow allowing
us to copy huge amounts of memory into a 4kb buffer, generally
considered a bad idea overall.
This requires a corrupted filesystem, which isn't a threat model the
kernel really needs to worry about, but checking for such an obvious
out-of-bounds value is good to keep things robust, especially on journal
replay.
Fix this up by bounding rec->used correctly.
This is much like commit b2bc7c44ed17 ("fs/ntfs3: Fix slab-out-of-bounds
read in DeleteIndexEntryRoot") which checked different values in this
same switch statement.
Cc: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Fixes: b46acd6a6a62 ("fs/ntfs3: Add NTFS journal")
Cc: stable <stable@kernel.org>
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ntfs3/fslog.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
--- a/fs/ntfs3/fslog.c
+++ b/fs/ntfs3/fslog.c
@@ -2792,13 +2792,14 @@ static inline bool check_file_record(con
u16 fn = le16_to_cpu(rec->rhdr.fix_num);
u16 ao = le16_to_cpu(rec->attr_off);
u32 rs = sbi->record_size;
+ u32 used = le32_to_cpu(rec->used);
/* Check the file record header for consistency. */
if (rec->rhdr.sign != NTFS_FILE_SIGNATURE ||
fo > (SECTOR_SIZE - ((rs >> SECTOR_SHIFT) + 1) * sizeof(short)) ||
(fn - 1) * SECTOR_SIZE != rs || ao < MFTRECORD_FIXUP_OFFSET_1 ||
ao > sbi->record_size - SIZEOF_RESIDENT || !is_rec_inuse(rec) ||
- le32_to_cpu(rec->total) != rs) {
+ le32_to_cpu(rec->total) != rs || used > rs || used < ao) {
return false;
}
@@ -2810,6 +2811,15 @@ static inline bool check_file_record(con
return false;
}
+ /*
+ * The do_action() handlers compute memmove lengths as
+ * "rec->used - <offset of validated attr>", which underflows when
+ * rec->used is smaller than the attribute walk reached. At this
+ * point attr is the ATTR_END marker; rec->used must cover it.
+ */
+ if (used < PtrOffset(rec, attr) + sizeof(attr->type))
+ return false;
+
return true;
}
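Review bot: the new used < PtrOffset(rec, attr) + sizeof(attr->type) test relies on attr pointing at the ATTR_END marker, as its comment says, but the walk that leaves it there is outside the hunk. Please confirm that in the 6.1 version of check_file_record() every path reaching this point has attr at ATTR_END and inside the record, otherwise PtrOffset(rec, attr) is itself derived from an unvalidated position.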
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 144/969] fuse: reject oversized dirents in page cache
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (142 preceding siblings ...)
2026-05-30 15:54 ` [PATCH 6.1 143/969] fs/ntfs3: validate rec->used in journal-replay file record check Greg Kroah-Hartman
@ 2026-05-30 15:54 ` Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 145/969] fuse: quiet down complaints in fuse_conn_limit_write Greg Kroah-Hartman
` (831 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Samuel Page, Qi Tang, Zijun Hu,
Miklos Szeredi, Christian Brauner
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Samuel Page <sam@bynar.io>
commit 51a8de6c50bf947c8f534cd73da4c8f0a13e7bed upstream.
fuse_add_dirent_to_cache() computes a serialized dirent size from the
server-controlled namelen field and copies the dirent into a single
page-cache page. The existing logic only checks whether the dirent fits
in the remaining space of the current page and advances to a fresh page
if not. It never checks whether the dirent itself exceeds PAGE_SIZE.
As a result, a malicious FUSE server can return a dirent with
namelen=4095, producing a serialized record size of 4120 bytes. On 4 KiB
page systems this causes memcpy() to overflow the cache page by 24 bytes
into the following kernel page.
Reject dirents that cannot fit in a single page before copying them into
the readdir cache.
Fixes: 69e34551152a ("fuse: allow caching readdir")
Cc: stable@vger.kernel.org # v6.16+
Assisted-by: Bynario AI
Signed-off-by: Samuel Page <sam@bynar.io>
Reported-by: Qi Tang <tpluszz77@gmail.com>
Reported-by: Zijun Hu <nightu@northwestern.edu>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Link: https://patch.msgid.link/20260420090139.662772-1-mszeredi@redhat.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/fuse/readdir.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/fs/fuse/readdir.c
+++ b/fs/fuse/readdir.c
@@ -41,6 +41,10 @@ static void fuse_add_dirent_to_cache(str
unsigned int offset;
void *addr;
+ /* Dirent doesn't fit in readdir cache page? Skip caching. */
+ if (reclen > PAGE_SIZE)
+ return;
+
spin_lock(&fi->rdc.lock);
/*
* Is cache already completed? Or this entry does not go at the end of
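Review bot: the early return for reclen > PAGE_SIZE happens before fi->rdc.lock is taken and leaves no trace in the cache state. Please confirm that skipping the entry leaves the cached position behind, so that later dirents fail the "does not go at the end of cache" test below and the directory is never marked fully cached with this entry missing. Separately, the commit message carries a stable tag of v6.16+ while the patch is queued for 6.1.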
^ permalink raw reply [flat|nested] 982+ messages in thread
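The size arithmetic from the fuse commit message above, as an added userspace model that is not part of the patch or of the kernel source. The model_* names are hypothetical and the page size is assumed to be 4 KiB; the record size is taken as the 24-byte dirent header plus the name, rounded up to 8 bytes, which is what yields the 4120 bytes quoted in the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: 4 KiB pages, the case the commit message describes. */
#define MODEL_PAGE_SIZE 4096u

/* Fixed header of a serialized dirent: ino, off, namelen, type (24 bytes).
 * The name bytes follow it directly. */
struct model_dirent_hdr {
    uint64_t ino;
    uint64_t off;
    uint32_t namelen;
    uint32_t type;
};

/* Serialized record length: header plus name, rounded up to 8 bytes. */
static size_t model_reclen(uint32_t namelen)
{
    size_t raw = sizeof(struct model_dirent_hdr) + namelen;
    return (raw + 7u) & ~(size_t)7u;
}

/* Placement as described for the code before the fix: if the record does not
 * fit in the rest of the current page, start a fresh page, then copy.
 * Returns how many bytes the copy would write past the end of the page. */
static size_t model_overflow_unchecked(size_t offset, uint32_t namelen)
{
    size_t reclen = model_reclen(namelen);

    if (offset + reclen > MODEL_PAGE_SIZE)
        offset = 0;                      /* advance to a fresh page */
    if (offset + reclen > MODEL_PAGE_SIZE)
        return offset + reclen - MODEL_PAGE_SIZE;
    return 0;
}

/* Placement with the added check: a record larger than one page is never
 * cached. Returns 1 and sets *end (offset after the copy) when the record
 * is cached, 0 when it is skipped. */
static int model_cache_checked(size_t offset, uint32_t namelen, size_t *end)
{
    size_t reclen = model_reclen(namelen);

    if (reclen > MODEL_PAGE_SIZE)
        return 0;                        /* the check the patch adds */
    if (offset + reclen > MODEL_PAGE_SIZE)
        offset = 0;
    *end = offset + reclen;
    return 1;
}

int main(void)
{
    /* Constructed sample inputs: ordinary name, largest name that still
     * fits a page, first name that does not, and the case from the message. */
    const uint32_t samples[] = { 255, 4072, 4073, 4095 };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        size_t end = 0;
        int cached = model_cache_checked(0, samples[i], &end);

        printf("namelen=%u reclen=%zu unchecked_overflow=%zu checked=%s\n",
               (unsigned)samples[i], model_reclen(samples[i]),
               model_overflow_unchecked(0, samples[i]),
               cached ? "cached" : "skipped");
    }
    return 0;
}
```

The boundary sits at namelen 4072: that record is exactly one page, while 4073 already rounds up to 4104 bytes and is skipped.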
* [PATCH 6.1 145/969] fuse: quiet down complaints in fuse_conn_limit_write
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (143 preceding siblings ...)
2026-05-30 15:54 ` [PATCH 6.1 144/969] fuse: reject oversized dirents in page cache Greg Kroah-Hartman
@ 2026-05-30 15:54 ` Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 146/969] smb: server: fix active_num_conn leak on transport allocation failure Greg Kroah-Hartman
` (830 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Darrick J. Wong, Miklos Szeredi
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Darrick J. Wong <djwong@kernel.org>
commit 129a45f9755a89f573c6a513a6b9e3d234ce89b0 upstream.
gcc 15 complains about an uninitialized variable val that is passed by
reference into fuse_conn_limit_write:
control.c: In function ‘fuse_conn_congestion_threshold_write’:
include/asm-generic/rwonce.h:55:37: warning: ‘val’ may be used uninitialized [-Wmaybe-uninitialized]
55 | *(volatile typeof(x) *)&(x) = (val); \
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~
include/asm-generic/rwonce.h:61:9: note: in expansion of macro ‘__WRITE_ONCE’
61 | __WRITE_ONCE(x, val); \
| ^~~~~~~~~~~~
control.c:178:9: note: in expansion of macro ‘WRITE_ONCE’
178 | WRITE_ONCE(fc->congestion_threshold, val);
| ^~~~~~~~~~
control.c:166:18: note: ‘val’ was declared here
166 | unsigned val;
| ^~~
Unfortunately there's enough macro spew involved in kstrtoul_from_user
that I think gcc gives up on its analysis and sprays the above warning.
AFAICT it's not actually a bug, but we could just zero-initialize the
variable to enable using -Wmaybe-uninitialized to find real problems.
Previously we would use some weird uninitialized_var annotation to quiet
down the warnings, so clearly this code has been like this for quite
some time.
Cc: stable@vger.kernel.org # v5.9
Fixes: 3f649ab728cda8 ("treewide: Remove uninitialized_var() usage")
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/fuse/control.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/fs/fuse/control.c
+++ b/fs/fuse/control.c
@@ -120,7 +120,7 @@ static ssize_t fuse_conn_max_background_
const char __user *buf,
size_t count, loff_t *ppos)
{
- unsigned val;
+ unsigned int val = 0;
ssize_t ret;
ret = fuse_conn_limit_write(file, buf, count, ppos, &val,
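Review bot: In fuse_conn_max_background_write(), initializing val to 0 quiets gcc but also removes the compiler's ability to flag a future path where fuse_conn_limit_write() returns without storing through &val, in which case 0 would be taken as the limit. A one-line comment on the declaration saying the initializer exists only to silence -Wmaybe-uninitialized would keep the intent visible.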
@@ -162,7 +162,7 @@ static ssize_t fuse_conn_congestion_thre
const char __user *buf,
size_t count, loff_t *ppos)
{
- unsigned val;
+ unsigned int val = 0;
struct fuse_conn *fc;
ssize_t ret;
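Review bot: The declaration in fuse_conn_congestion_threshold_write() changes from "unsigned" to "unsigned int" as well as gaining the initializer, while the changelog only mentions the zero-initialization. Mention the type spelling cleanup in the commit message, or leave it out of a stable-tagged fix so the diff carries a single change.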
* [PATCH 6.1 146/969] smb: server: fix active_num_conn leak on transport allocation failure
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Namjae Jeon,
Steve French
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit 6551300dc452ac16a855a83dbd1e74899542d3b3 upstream.
Commit 77ffbcac4e56 ("smb: server: fix leak of active_num_conn in
ksmbd_tcp_new_connection()") addressed the kthread_run() failure
path. The earlier alloc_transport() == NULL path in the same
function has the same leak, is reachable pre-authentication via any
TCP connect to port 445, and was empirically reproduced on UML
(ARCH=um, v7.0-rc7): a small number of forced allocation failures
were sufficient to put ksmbd into a state where every subsequent
connection attempt was rejected for the remainder of the boot.
ksmbd_kthread_fn() increments active_num_conn before calling
ksmbd_tcp_new_connection() and discards the return value, so when
alloc_transport() returns NULL the socket is released and -ENOMEM
returned without decrementing the counter. Each such failure
permanently consumes one slot from the max_connections pool; once
cumulative failures reach the cap, atomic_inc_return() hits the
threshold on every subsequent accept and every new connection is
rejected. The counter is only reset by module reload.
An unauthenticated remote attacker can drive the server toward the
memory pressure that makes alloc_transport() fail by holding open
connections with large RFC1002 lengths up to MAX_STREAM_PROT_LEN
(0x00FFFFFF); natural transient allocation failures on a loaded
host produce the same drift more slowly.
Mirror the existing rollback pattern in ksmbd_kthread_fn(): on the
alloc_transport() failure path, decrement active_num_conn gated on
server_conf.max_connections.
Repro details: with the patch reverted, forced alloc_transport()
NULL returns leaked counter slots and subsequent connection
attempts -- including legitimate connects issued after the
forced-fail window had closed -- were all rejected with "Limit the
maximum number of connections". With this patch applied, the same
connect sequence produces no rejections and the counter cycles
cleanly between zero and one on every accept.
Fixes: 0d0d4680db22 ("ksmbd: add max connections parameter")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/transport_tcp.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/smb/server/transport_tcp.c
+++ b/fs/smb/server/transport_tcp.c
@@ -199,6 +199,8 @@ static int ksmbd_tcp_new_connection(stru
t = alloc_transport(client_sk);
if (!t) {
sock_release(client_sk);
+ if (server_conf.max_connections)
+ atomic_dec(&active_num_conn);
return -ENOMEM;
}
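Review bot: The rollback in the !t branch of ksmbd_tcp_new_connection() undoes an increment that, per the changelog, is made in ksmbd_kthread_fn(), so the inc and dec of active_num_conn live in different functions and every error return added here later has to remember the same two lines. Since the caller currently discards the return value, consider having ksmbd_kthread_fn() check it and do the decrement in one place, or wrap the gated atomic_dec() in a small helper shared by the failure paths.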
* [PATCH 6.1 147/969] smb: server: fix max_connections off-by-one in tcp accept path
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, DaeMyung Kang, Namjae Jeon,
Steve French
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: DaeMyung Kang <charsyam@gmail.com>
commit ce23158bfe584bd90d1918f279fdf9de57802012 upstream.
The global max_connections check in ksmbd's TCP accept path counts
the newly accepted connection with atomic_inc_return(), but then
rejects the connection when the result is greater than or equal to
server_conf.max_connections.
That makes the effective limit one smaller than configured. For
example:
- max_connections=1 rejects the first connection
- max_connections=2 allows only one connection
The per-IP limit in the same function uses <= correctly because it
counts only pre-existing connections. The global limit instead checks
the post-increment total, so it should reject only when that total
exceeds the configured maximum.
Fix this by changing the comparison from >= to >, so exactly
max_connections simultaneous connections are allowed and the next one
is rejected. This matches the documented meaning of max_connections
in fs/smb/server/ksmbd_netlink.h as the "Number of maximum simultaneous
connections".
Fixes: 0d0d4680db22 ("ksmbd: add max connections parameter")
Cc: stable@vger.kernel.org
Signed-off-by: DaeMyung Kang <charsyam@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/transport_tcp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/smb/server/transport_tcp.c
+++ b/fs/smb/server/transport_tcp.c
@@ -293,7 +293,7 @@ static int ksmbd_kthread_fn(void *p)
skip_max_ip_conns_limit:
if (server_conf.max_connections &&
- atomic_inc_return(&active_num_conn) >= server_conf.max_connections) {
+ atomic_inc_return(&active_num_conn) > server_conf.max_connections) {
pr_info_ratelimited("Limit the maximum number of connections(%u)\n",
atomic_read(&active_num_conn));
atomic_dec(&active_num_conn);
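Review bot: With the comparison changed to >, the pr_info_ratelimited() call still prints atomic_read(&active_num_conn) before the atomic_dec(), so the logged figure is the post-increment total (max_connections + 1 when nothing else runs) and can differ from the value atomic_inc_return() compared if another accept or close runs in between. Printing server_conf.max_connections, or keeping the atomic_inc_return() result in a local and printing that, would make the message match the decision.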
^ permalink raw reply [flat|nested] 982+ messages in thread
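The two ksmbd counter bugs described in patches 146 and 147 above, modeled in user space as an added example (not ksmbd code and not part of the posted patches). The struct, the function names and the plain int standing in for the atomic counter are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model of the accept path; all names here are hypothetical. */
struct conn_model {
	int max_connections;         /* 0 means "no global limit" */
	int active_num_conn;         /* plain int standing in for the atomic_t */
	bool old_ge_check;           /* true: ">=" (before 147), false: ">" */
	bool rollback_on_alloc_fail; /* false: before 146, true: after */
};

enum accept_result { ACCEPTED, REJECTED_LIMIT, FAILED_ALLOC };

/* One pass through the accept logic for a single incoming connection. */
static enum accept_result accept_one(struct conn_model *m, bool alloc_fails)
{
	if (m->max_connections) {
		/* The counter already includes the new connection here. */
		int total = ++m->active_num_conn;
		bool over = m->old_ge_check ? total >= m->max_connections
					    : total > m->max_connections;

		if (over) {
			m->active_num_conn--;
			return REJECTED_LIMIT;
		}
	}

	if (alloc_fails) {
		/* Transport allocation failed: the slot must be handed back. */
		if (m->rollback_on_alloc_fail && m->max_connections)
			m->active_num_conn--;
		return FAILED_ALLOC;
	}

	return ACCEPTED;
}

/* Number of simultaneous connections admitted before the first rejection. */
int effective_limit(int max_connections, bool old_ge_check)
{
	struct conn_model m = { max_connections, 0, old_ge_check, true };
	int admitted = 0;

	if (!max_connections)
		return -1; /* unlimited */
	while (accept_one(&m, false) == ACCEPTED)
		admitted++;
	return admitted;
}

/*
 * Force `failures` allocation failures, then count how many ordinary
 * connections are still admitted once allocations succeed again.
 */
int slots_left_after_failures(int max_connections, int failures, bool rollback)
{
	struct conn_model m = { max_connections, 0, false, rollback };
	int admitted = 0;
	int i;

	if (!max_connections)
		return -1; /* unlimited */
	for (i = 0; i < failures; i++)
		accept_one(&m, true);
	while (accept_one(&m, false) == ACCEPTED)
		admitted++;
	return admitted;
}

int main(void)
{
	printf("max=1, >= check: %d admitted\n", effective_limit(1, true));
	printf("max=2, >= check: %d admitted\n", effective_limit(2, true));
	printf("max=2, >  check: %d admitted\n", effective_limit(2, false));
	printf("max=4, 4 failed allocs, no rollback: %d slots left\n",
	       slots_left_after_failures(4, 4, false));
	printf("max=4, 4 failed allocs, rollback:    %d slots left\n",
	       slots_left_after_failures(4, 4, true));
	return 0;
}
```

Without the rollback the lost slots never come back in this model, which matches the changelog's statement that only a module reload resets the counter.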
* [PATCH 6.1 148/969] smb: client: require a full NFS mode SID before reading mode bits
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Steve French
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit 2757ad3e4b6f9e0fed4c7739594e702abc5cab21 upstream.
parse_dacl() treats an ACE SID matching sid_unix_NFS_mode as an NFS
mode SID and reads sid.sub_auth[2] to recover the mode bits.
That assumes the ACE carries three subauthorities, but compare_sids()
only compares min(a, b) subauthorities. A malicious server can return
an ACE with num_subauth = 2 and sub_auth[] = {88, 3}, which still
matches sid_unix_NFS_mode and then drives the sub_auth[2] read four
bytes past the end of the ACE.
Require num_subauth >= 3 before treating the ACE as an NFS mode SID.
This keeps the fix local to the special-SID mode path without changing
compare_sids() semantics for the rest of cifsacl.
Fixes: e2f8fbfb8d09 ("cifs: get mode bits from special sid on stat")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/cifsacl.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/smb/client/cifsacl.c
+++ b/fs/smb/client/cifsacl.c
@@ -807,6 +807,7 @@ static void parse_dacl(struct cifs_acl *
dump_ace(ppace[i], end_of_acl);
#endif
if (mode_from_special_sid &&
+ ppace[i]->sid.num_subauth >= 3 &&
(compare_sids(&(ppace[i]->sid),
&sid_unix_NFS_mode) == 0)) {
/*
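Review bot: The added num_subauth >= 3 test in parse_dacl() uses a bare 3 whose meaning is only clear from the changelog; a short comment tying it to the sub_auth[2] read that follows would keep the guard from being dropped or loosened later. The test also accepts SIDs with more than three subauthorities, so state whether that is intended or whether == 3 is the form wanted here.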
* [PATCH 6.1 149/969] smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Steve French
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit a58c5af19ff0d6f44f6e9fe31e33a2c92223f77e upstream.
smb2_ioctl_query_info() has two response-copy branches: PASSTHRU_FSCTL
and the default QUERY_INFO path. The QUERY_INFO branch clamps
qi.input_buffer_length to the server-reported OutputBufferLength and then
copies qi.input_buffer_length bytes from qi_rsp->Buffer to userspace, but
it never verifies that the flexible-array payload actually fits within
rsp_iov[1].iov_len.
A malicious server can return OutputBufferLength larger than the actual
QUERY_INFO response, causing copy_to_user() to walk past the response
buffer and expose adjacent kernel heap to userspace.
Guard the QUERY_INFO copy with a bounds check on the actual Buffer
payload. Use struct_size(qi_rsp, Buffer, qi.input_buffer_length)
rather than an open-coded addition so the guard cannot overflow on
32-bit builds.
Fixes: f5778c398713 ("SMB3: Allow SMB3 FSCTL queries to be sent to server from tools")
Cc: stable@vger.kernel.org
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/smb2ops.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/fs/smb/client/smb2ops.c
+++ b/fs/smb/client/smb2ops.c
@@ -1701,6 +1701,12 @@ smb2_ioctl_query_info(const unsigned int
qi_rsp = (struct smb2_query_info_rsp *)rsp_iov[1].iov_base;
if (le32_to_cpu(qi_rsp->OutputBufferLength) < qi.input_buffer_length)
qi.input_buffer_length = le32_to_cpu(qi_rsp->OutputBufferLength);
+ if (qi.input_buffer_length > 0 &&
+ struct_size(qi_rsp, Buffer, qi.input_buffer_length) >
+ rsp_iov[1].iov_len) {
+ rc = -EFAULT;
+ goto out;
+ }
if (copy_to_user(&pqi->input_buffer_length,
&qi.input_buffer_length,
sizeof(qi.input_buffer_length))) {
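Review bot: The new check in smb2_ioctl_query_info() comes after qi_rsp->OutputBufferLength has already been read in the context lines above, and nothing in the visible lines compares rsp_iov[1].iov_len with the fixed part of the response before that read; the "qi.input_buffer_length > 0" condition also means a zero-length request skips the size test entirely. Consider checking iov_len against the fixed header before the first dereference, and an errno other than -EFAULT for a malformed server reply, since -EFAULT conventionally reports a bad user pointer and the copy_to_user() calls that follow are its natural source.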
* [PATCH 6.1 150/969] ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tristan Madani, Namjae Jeon,
Steve French
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tristan Madani <tristan@talencesecurity.com>
commit 30010c952077a1c89ecdd71fc4d574c75a8f5617 upstream.
smb2_get_ea() applies 4-byte alignment padding via memset() after
writing each EA entry. The bounds check on buf_free_len is performed
before the value memcpy, but the alignment memset fires unconditionally
afterward with no check on remaining space.
When the EA value exactly fills the remaining buffer (buf_free_len == 0
after value subtraction), the alignment memset writes 1-3 NUL bytes
past the buf_free_len boundary. In compound requests where the response
buffer is shared across commands, the first command (e.g., READ) can
consume most of the buffer, leaving a tight remainder for the QUERY_INFO
EA response. The alignment memset then overwrites past the physical
kvmalloc allocation into adjacent kernel heap memory.
Add a bounds check before the alignment memset to ensure buf_free_len
can accommodate the padding bytes.
This is the same bug pattern fixed by commit beef2634f81f ("ksmbd: fix
potencial OOB in get_file_all_info() for compound requests") and
commit fda9522ed6af ("ksmbd: fix OOB write in QUERY_INFO for compound
requests"), both of which added bounds checks before unconditional
writes in QUERY_INFO response handlers.
Cc: stable@vger.kernel.org
Fixes: e2b76ab8b5c9 ("ksmbd: add support for read compound")
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/smb2pdu.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -4495,6 +4495,8 @@ static int smb2_get_ea(struct ksmbd_work
/* align next xattr entry at 4 byte bundary */
alignment_bytes = ((next_offset + 3) & ~3) - next_offset;
if (alignment_bytes) {
+ if (buf_free_len < alignment_bytes)
+ break;
memset(ptr, '\0', alignment_bytes);
ptr += alignment_bytes;
next_offset += alignment_bytes;
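Review bot: The new break in smb2_get_ea() leaves the loop when the padding does not fit, but nothing in the hunk sets rc or marks the response as truncated, so the reply can end with an unpadded entry and no indication that the listing stopped early. If an earlier buffer-full path in this loop reports an overflow status, take the same path here rather than a bare break; the context comment above the calculation also has a typo ("bundary").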
* [PATCH 6.1 151/969] ksmbd: use check_add_overflow() to prevent u16 DACL size overflow
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tristan Madani, Namjae Jeon,
Steve French
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tristan Madani <tristan@talencesecurity.com>
commit 299f962c0b02d048fb45d248b4da493d03f3175d upstream.
set_posix_acl_entries_dacl() and set_ntacl_dacl() accumulate ACE sizes
in u16 variables. When a file has many POSIX ACL entries, the
accumulated size can wrap past 65535, causing the pointer arithmetic
(char *)pndace + *size to land within already-written ACEs. Subsequent
writes then overwrite earlier entries, and pndacl->size gets a
truncated value.
Use check_add_overflow() at each accumulation point to detect the
wrap before it corrupts the buffer, consistent with existing
check_mul_overflow() usage elsewhere in smbacl.c.
Cc: stable@vger.kernel.org
Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/smbacl.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
--- a/fs/smb/server/smbacl.c
+++ b/fs/smb/server/smbacl.c
@@ -596,6 +596,7 @@ static void set_posix_acl_entries_dacl(s
struct smb_sid *sid;
struct smb_ace *ntace;
int i, j;
+ u16 ace_sz;
if (!fattr->cf_acls)
goto posix_default_acl;
@@ -640,8 +641,10 @@ static void set_posix_acl_entries_dacl(s
flags = 0x03;
ntace = (struct smb_ace *)((char *)pndace + *size);
- *size += fill_ace_for_sid(ntace, sid, ACCESS_ALLOWED, flags,
+ ace_sz = fill_ace_for_sid(ntace, sid, ACCESS_ALLOWED, flags,
pace->e_perm, 0777);
+ if (check_add_overflow(*size, ace_sz, size))
+ break;
(*num_aces)++;
if (pace->e_tag == ACL_USER)
ntace->access_req |=
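Review bot: check_add_overflow(*size, ace_sz, size) stores the wrapped sum through its third argument even when it returns true, so after the break *size already holds the truncated value that the changelog says must not reach pndacl->size. Add into a local u16 and assign it to *size only when the helper reports no overflow.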
@@ -650,8 +653,10 @@ static void set_posix_acl_entries_dacl(s
if (S_ISDIR(fattr->cf_mode) &&
(pace->e_tag == ACL_USER || pace->e_tag == ACL_GROUP)) {
ntace = (struct smb_ace *)((char *)pndace + *size);
- *size += fill_ace_for_sid(ntace, sid, ACCESS_ALLOWED,
+ ace_sz = fill_ace_for_sid(ntace, sid, ACCESS_ALLOWED,
0x03, pace->e_perm, 0777);
+ if (check_add_overflow(*size, ace_sz, size))
+ break;
(*num_aces)++;
if (pace->e_tag == ACL_USER)
ntace->access_req |=
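Review bot: In the S_ISDIR branch, fill_ace_for_sid() has already written the ACE at (char *)pndace + *size by the time check_add_overflow() runs, so the check stops later iterations but does not bound this write. If the destination buffer has a known capacity, compare *size plus the worst-case ACE size against it before calling fill_ace_for_sid().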
@@ -691,8 +696,10 @@ posix_default_acl:
}
ntace = (struct smb_ace *)((char *)pndace + *size);
- *size += fill_ace_for_sid(ntace, sid, ACCESS_ALLOWED, 0x0b,
+ ace_sz = fill_ace_for_sid(ntace, sid, ACCESS_ALLOWED, 0x0b,
pace->e_perm, 0777);
+ if (check_add_overflow(*size, ace_sz, size))
+ break;
(*num_aces)++;
if (pace->e_tag == ACL_USER)
ntace->access_req |=
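Review bot: set_posix_acl_entries_dacl() is static void, so the break after check_add_overflow() under posix_default_acl ends ACE generation with no signal to the caller, which then works with a DACL that omits entries. Return an error (changing the return type) or at least emit a rate-limited warning so the truncation is visible.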
@@ -728,7 +735,8 @@ static void set_ntacl_dacl(struct user_n
break;
memcpy((char *)pndace + size, ntace, nt_ace_size);
- size += nt_ace_size;
+ if (check_add_overflow(size, nt_ace_size, &size))
+ break;
aces_size -= nt_ace_size;
ntace = (struct smb_ace *)((char *)ntace + nt_ace_size);
num_aces++;
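Review bot: In set_ntacl_dacl() the memcpy() to (char *)pndace + size runs before check_add_overflow(size, nt_ace_size, &size), so the ACE that triggers the overflow is copied into the buffer but not counted in num_aces, and size is left holding the wrapped sum. Do the overflow check on a temporary first and break before the memcpy().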
* [PATCH 6.1 152/969] f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, George Saad, Chao Yu, Jaegeuk Kim
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: George Saad <geoo115@gmail.com>
commit 39d4ee19c1e7d753dd655aebee632271b171f43a upstream.
In f2fs_compress_write_end_io(), dec_page_count(sbi, type) can bring
the F2FS_WB_CP_DATA counter to zero, unblocking
f2fs_wait_on_all_pages() in f2fs_put_super() on a concurrent unmount
CPU. The unmount path then proceeds to call
f2fs_destroy_page_array_cache(sbi), which destroys
sbi->page_array_slab via kmem_cache_destroy(), and eventually
kfree(sbi). Meanwhile, the bio completion callback is still executing:
when it reaches page_array_free(sbi, ...), it dereferences
sbi->page_array_slab — a destroyed slab cache — to call
kmem_cache_free(), causing a use-after-free.
This is the same class of bug as CVE-2026-23234 (which fixed the
equivalent race in f2fs_write_end_io() in data.c), but in the
compressed writeback completion path that was not covered by that fix.
Fix this by moving dec_page_count() to after page_array_free(), so
that all sbi accesses complete before the counter decrement that can
unblock unmount. For non-last folios (where atomic_dec_return on
cic->pending_pages is nonzero), dec_page_count is called immediately
before returning — page_array_free is not reached on this path, so
there is no post-decrement sbi access. For the last folio,
page_array_free runs while the F2FS_WB_CP_DATA counter is still
nonzero (this folio has not yet decremented it), keeping sbi alive,
and dec_page_count runs as the final operation.
Fixes: 4c8ff7095bef ("f2fs: support data compression")
Cc: stable@vger.kernel.org
Signed-off-by: George Saad <geoo115@gmail.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/compress.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
--- a/fs/f2fs/compress.c
+++ b/fs/f2fs/compress.c
@@ -1444,10 +1444,10 @@ void f2fs_compress_write_end_io(struct b
f2fs_compress_free_page(page);
- dec_page_count(sbi, type);
-
- if (atomic_dec_return(&cic->pending_pages))
+ if (atomic_dec_return(&cic->pending_pages)) {
+ dec_page_count(sbi, type);
return;
+ }
for (i = 0; i < cic->nr_rpages; i++) {
WARN_ON(!cic->rpages[i]);
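Review bot: dec_page_count(sbi, type) now sits on two separate exit paths of f2fs_compress_write_end_io(), inside the early-return block here and at the end of the function, so a return added between them later would skip the decrement and leave F2FS_WB_CP_DATA above zero. A single exit label that performs the decrement last would make the "final access to sbi" rule structural instead of dependent on each path.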
@@ -1457,6 +1457,14 @@ void f2fs_compress_write_end_io(struct b
page_array_free(cic->inode, cic->rpages, cic->nr_rpages);
kmem_cache_free(cic_entry_slab, cic);
+
+ /*
+ * Make sure dec_page_count() is the last access to sbi.
+ * Once it drops the F2FS_WB_CP_DATA counter to zero, the
+ * unmount thread can proceed to destroy sbi and
+ * sbi->page_array_slab.
+ */
+ dec_page_count(sbi, type);
}
static int f2fs_write_raw_pages(struct compress_ctx *cc,
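Review bot: The trailing dec_page_count(sbi, type) runs after kmem_cache_free(cic_entry_slab, cic), so it is safe only because sbi and type are locals and are not read back through cic. The new comment explains the sbi lifetime; add a clause saying both values must be captured before cic is freed.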
* [PATCH 6.1 153/969] ALSA: usb-audio: apply quirk for MOONDROP JU Jiu
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Kagura, Cryolitia PukNgae,
Takashi Iwai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cryolitia PukNgae <cryolitia.pukngae@linux.dev>
commit 4513d3e0bbc0585b86ccf2631902593ff97e88f5 upstream.
It (ID 31b2:0111 JU Jiu) reports a MIN value -12800 for volume control, but
will mute when setting it less than -10880.
Thanks to my girlfriend Kagura for reporting this issue.
Cc: Kagura <me@mail.kagurach.uk>
Cc: stable@vger.kernel.org
Signed-off-by: Cryolitia PukNgae <cryolitia.pukngae@linux.dev>
Link: https://patch.msgid.link/20260402-syy-v1-1-068d3bc30ddc@linux.dev
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/mixer.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -1198,6 +1198,13 @@ static void volume_control_quirks(struct
cval->min = -14208; /* Mute under it */
}
break;
+ case USB_ID(0x31b2, 0x0111): /* MOONDROP JU Jiu */
+ if (!strcmp(kctl->id.name, "PCM Playback Volume")) {
+ usb_audio_info(chip,
+ "set volume quirk for MOONDROP JU Jiu\n");
+ cval->min = -10880; /* Mute under it */
+ }
+ break;
}
}
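Review bot: The new case in volume_control_quirks() hard-codes cval->min = -10880 with only "Mute under it" as explanation; the changelog's detail that the device reports -12800 but mutes below -10880 belongs in the code comment so the value can be checked against hardware later. The control is matched by the name string "PCM Playback Volume", so confirm no other volume control on this device needs the same floor.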
* [PATCH 6.1 154/969] ALSA: caiaq: take a reference on the USB device in create_card()
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrey Konovalov, Berk Cem Goksel,
Takashi Iwai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Berk Cem Goksel <berkcgoksel@gmail.com>
commit 80bb50e2d459213cccff3111d5ef98ed4238c0d5 upstream.
The caiaq driver stores a pointer to the parent USB device in
cdev->chip.dev but never takes a reference on it. The card's
private_free callback, snd_usb_caiaq_card_free(), can run
asynchronously via snd_card_free_when_closed() after the USB
device has already been disconnected and freed, so any access to
cdev->chip.dev in that path dereferences a freed usb_device.
On top of the refcounting issue, the current card_free implementation
calls usb_reset_device(cdev->chip.dev). A reset in a free callback
is inappropriate: the device is going away, the call takes the
device lock in a teardown context, and the reset races with the
disconnect path that the callback is already cleaning up after.
Take a reference on the USB device in create_card() with
usb_get_dev(), drop it with usb_put_dev() in the free callback,
and remove the usb_reset_device() call.
Fixes: b04dcbb7f7b1 ("ALSA: caiaq: Use snd_card_free_when_closed() at disconnection")
Cc: stable@vger.kernel.org
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Signed-off-by: Berk Cem Goksel <berkcgoksel@gmail.com>
Link: https://patch.msgid.link/20260413034941.1131465-3-berkcgoksel@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/caiaq/device.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/sound/usb/caiaq/device.c
+++ b/sound/usb/caiaq/device.c
@@ -384,7 +384,7 @@ static void card_free(struct snd_card *c
snd_usb_caiaq_input_free(cdev);
#endif
snd_usb_caiaq_audio_free(cdev);
- usb_reset_device(cdev->chip.dev);
+ usb_put_dev(cdev->chip.dev);
}
static int create_card(struct usb_device *usb_dev,
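Review bot: card_free() now ends with usb_put_dev(cdev->chip.dev) but leaves cdev->chip.dev pointing at a device that may be released once the reference is dropped. Setting the pointer to NULL after the put would turn any late access into an obvious NULL dereference instead of a use-after-free.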
@@ -410,7 +410,7 @@ static int create_card(struct usb_device
return err;
cdev = caiaqdev(card);
- cdev->chip.dev = usb_dev;
+ cdev->chip.dev = usb_get_dev(usb_dev);
cdev->chip.card = card;
cdev->chip.usb_id = USB_ID(le16_to_cpu(usb_dev->descriptor.idVendor),
le16_to_cpu(usb_dev->descriptor.idProduct));
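Review bot: usb_get_dev(usb_dev) in create_card() is balanced only by the put in card_free(), so every failure path after this assignment has to free the card through that callback rather than return directly. The hunk does not show where the callback is installed; if that happens later than this line, an error in between leaks the device reference.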
* [PATCH 6.1 155/969] crypto: ccp: Dont attempt to copy CSR to userspace if PSP command failed
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Potapenko,
Sebastian Alba Vives, Sean Christopherson, Herbert Xu
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit abe4a6d6f606113251868c2c4a06ba904bb41eed upstream.
When retrieving the PEK CSR, don't attempt to copy the blob to userspace
if the firmware command failed. If the failure was due to an invalid
length, i.e. the userspace buffer+length was too small, copying the number
of bytes _firmware_ requires will overflow the kernel-allocated buffer and
leak data to userspace.
BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
Read of size 2084 at addr ffff898144612e20 by task syz.9.219/21405
CPU: 14 UID: 0 PID: 21405 Comm: syz.9.219 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY
Tainted: [U]=USER, [O]=OOT_MODULE
Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025
Call Trace:
<TASK>
dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120
print_address_description ../mm/kasan/report.c:378 [inline]
print_report+0xbc/0x260 ../mm/kasan/report.c:482
kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595
check_region_inline ../mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200
instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
_inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
_copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
copy_to_user ../include/linux/uaccess.h:236 [inline]
sev_ioctl_do_pek_csr+0x31f/0x590 ../drivers/crypto/ccp/sev-dev.c:1872
sev_ioctl+0x3a4/0x490 ../drivers/crypto/ccp/sev-dev.c:2562
vfs_ioctl ../fs/ioctl.c:51 [inline]
__do_sys_ioctl ../fs/ioctl.c:597 [inline]
__se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583
do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x76/0x7e
</TASK>
WARN if the driver says the command succeeded, but the firmware error code
says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any
firmware error.
Reported-by: Alexander Potapenko <glider@google.com>
Reported-by: Sebastian Alba Vives <sebasjosue84@gmail.com>
Fixes: e799035609e1 ("crypto: ccp: Implement SEV_PEK_CSR ioctl command")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/ccp/sev-dev.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/drivers/crypto/ccp/sev-dev.c
+++ b/drivers/crypto/ccp/sev-dev.c
@@ -669,7 +669,10 @@ cmd:
ret = __sev_do_cmd_locked(SEV_CMD_PEK_CSR, &data, &argp->error);
- /* If we query the CSR length, FW responded with expected data. */
+ /*
+ * Firmware will returns the length of the CSR blob (either the minimum
+ * required length or the actual length written), return it to the user.
+ */
input.length = data.len;
if (copy_to_user((void __user *)argp->data, &input, sizeof(input))) {
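Review bot: The replacement comment reads "Firmware will returns the length"; it should be "Firmware returns the length". Since input.length is copied back before the new failure check, the comment could also say that this is how userspace learns the required size after an invalid-length error.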
@@ -677,6 +680,9 @@ cmd:
goto e_free_blob;
}
+ if (ret || WARN_ON_ONCE(argp->error))
+ goto e_free_blob;
+
if (blob) {
if (copy_to_user(input_address, blob, input.length))
ret = -EFAULT;
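Review bot: When __sev_do_cmd_locked() returns 0 but argp->error is nonzero, the WARN_ON_ONCE() arm takes the goto with ret still 0, so that path skips the blob copy without carrying an error in ret. Set ret = -EIO in that case so the caller is not told the CSR was written.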
* [PATCH 6.1 156/969] crypto: ccp: Dont attempt to copy PDH cert to userspace if PSP command failed
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Potapenko,
Sebastian Alba Vives, Sean Christopherson, Herbert Xu
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit e76239fed3cffd6d304d8ca3ce23984fd24f57d3 upstream.
When retrieving the PDH cert, don't attempt to copy the blobs to userspace
if the firmware command failed. If the failure was due to an invalid
length, i.e. the userspace buffer+length was too small, copying the number
of bytes _firmware_ requires will overflow the kernel-allocated buffer and
leak data to userspace.
BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
Read of size 2084 at addr ffff8885c4ab8aa0 by task syz.0.186/21033
CPU: 51 UID: 0 PID: 21033 Comm: syz.0.186 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY
Tainted: [U]=USER, [O]=OOT_MODULE
Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.84.12-0 11/17/2025
Call Trace:
<TASK>
dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120
print_address_description ../mm/kasan/report.c:378 [inline]
print_report+0xbc/0x260 ../mm/kasan/report.c:482
kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595
check_region_inline ../mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200
instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
_inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
_copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
copy_to_user ../include/linux/uaccess.h:236 [inline]
sev_ioctl_do_pdh_export+0x3d3/0x7c0 ../drivers/crypto/ccp/sev-dev.c:2347
sev_ioctl+0x2a2/0x490 ../drivers/crypto/ccp/sev-dev.c:2568
vfs_ioctl ../fs/ioctl.c:51 [inline]
__do_sys_ioctl ../fs/ioctl.c:597 [inline]
__se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583
do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x76/0x7e
</TASK>
WARN if the driver says the command succeeded, but the firmware error code
says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any
firmware error.
Reported-by: Alexander Potapenko <glider@google.com>
Reported-by: Sebastian Alba Vives <sebasjosue84@gmail.com>
Fixes: 76a2b524a4b1 ("crypto: ccp: Implement SEV_PDH_CERT_EXPORT ioctl command")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/ccp/sev-dev.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/drivers/crypto/ccp/sev-dev.c
+++ b/drivers/crypto/ccp/sev-dev.c
@@ -1041,7 +1041,10 @@ static int sev_ioctl_do_pdh_export(struc
cmd:
ret = __sev_do_cmd_locked(SEV_CMD_PDH_CERT_EXPORT, &data, &argp->error);
- /* If we query the length, FW responded with expected data. */
+ /*
+ * Firmware will return the length of the blobs (either the minimum
+ * required length or the actual length written), return 'em to the user.
+ */
input.cert_chain_len = data.cert_chain_len;
input.pdh_cert_len = data.pdh_cert_len;
@@ -1050,6 +1053,9 @@ cmd:
goto e_free_cert;
}
+ if (ret || WARN_ON_ONCE(argp->error))
+ goto e_free_cert;
+
if (pdh_blob) {
if (copy_to_user(input_pdh_cert_address,
pdh_blob, input.pdh_cert_len)) {
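Review bot: The copy "copy_to_user(input_pdh_cert_address, pdh_blob, input.pdh_cert_len)" still takes its length from a field that firmware has just overwritten ("input.pdh_cert_len = data.pdh_cert_len;" in the previous hunk). The new ret/argp->error check covers the failure case, but on the success path the bound rests entirely on firmware reporting no more than the kernel allocated. Keeping the length that sized the allocation and rejecting a larger firmware value before the copy would make the bound independent of firmware behaviour.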
* [PATCH 6.1 157/969] crypto: ccp: Dont attempt to copy ID to userspace if PSP command failed
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (155 preceding siblings ...)
2026-05-30 15:54 ` [PATCH 6.1 156/969] crypto: ccp: Dont attempt to copy PDH cert " Greg Kroah-Hartman
@ 2026-05-30 15:54 ` Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 158/969] rxrpc: Fix missing validation of ticket length in non-XDR key preparsing Greg Kroah-Hartman
` (818 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Potapenko,
Sebastian Alba Vives, Sean Christopherson, Herbert Xu
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit 4f685dbfa87c546e51d9dc6cab379d20f275e114 upstream.
When retrieving the ID for the CPU, don't attempt to copy the ID blob to
userspace if the firmware command failed. If the failure was due to an
invalid length, i.e. the userspace buffer+length was too small, copying
the number of bytes _firmware_ requires will overflow the kernel-allocated
buffer and leak data to userspace.
BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
Read of size 64 at addr ffff8881867f5960 by task syz.0.906/24388
CPU: 130 UID: 0 PID: 24388 Comm: syz.0.906 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY
Tainted: [U]=USER, [O]=OOT_MODULE
Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025
Call Trace:
<TASK>
dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120
print_address_description ../mm/kasan/report.c:378 [inline]
print_report+0xbc/0x260 ../mm/kasan/report.c:482
kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595
check_region_inline ../mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200
instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
_inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
_copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
copy_to_user ../include/linux/uaccess.h:236 [inline]
sev_ioctl_do_get_id2+0x361/0x490 ../drivers/crypto/ccp/sev-dev.c:2222
sev_ioctl+0x25f/0x490 ../drivers/crypto/ccp/sev-dev.c:2575
vfs_ioctl ../fs/ioctl.c:51 [inline]
__do_sys_ioctl ../fs/ioctl.c:597 [inline]
__se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583
do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x76/0x7e
</TASK>
WARN if the driver says the command succeeded, but the firmware error code
says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any
firmware error.
Reported-by: Alexander Potapenko <glider@google.com>
Reported-by: Sebastian Alba Vives <sebasjosue84@gmail.com>
Fixes: d6112ea0cb34 ("crypto: ccp - introduce SEV_GET_ID2 command")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/ccp/sev-dev.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/crypto/ccp/sev-dev.c
+++ b/drivers/crypto/ccp/sev-dev.c
@@ -927,6 +927,9 @@ static int sev_ioctl_do_get_id2(struct s
goto e_free;
}
+ if (ret || WARN_ON_ONCE(argp->error))
+ goto e_free;
+
if (id_blob) {
if (copy_to_user(input_address, id_blob, data.len)) {
ret = -EFAULT;
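Review bot: The added "if (ret || WARN_ON_ONCE(argp->error))" check carries no comment, and nothing in this hunk says why the blob copy has to be skipped on failure. A one-line comment stating that data.len holds the length firmware requires after a failed command, which can exceed the size of id_blob, would stop a later cleanup from moving the check below the "copy_to_user(input_address, id_blob, data.len)" call.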
* [PATCH 6.1 158/969] rxrpc: Fix missing validation of ticket length in non-XDR key preparsing
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (156 preceding siblings ...)
2026-05-30 15:54 ` [PATCH 6.1 157/969] crypto: ccp: Dont attempt to copy ID " Greg Kroah-Hartman
@ 2026-05-30 15:54 ` Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 159/969] ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES Greg Kroah-Hartman
` (817 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anderson Nascimento, David Howells,
Marc Dionne, Jeffrey Altman, Simon Horman, linux-afs, stable,
Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anderson Nascimento <anderson@allelesecurity.com>
commit ac33733b10b484d666f97688561670afd5861383 upstream.
In rxrpc_preparse(), there are two paths for parsing key payloads: the
XDR path (for large payloads) and the non-XDR path (for payloads <= 28
bytes). While the XDR path (rxrpc_preparse_xdr_rxkad()) correctly
validates the ticket length against AFSTOKEN_RK_TIX_MAX, the non-XDR
path fails to do so.
This allows an unprivileged user to provide a very large ticket length.
When this key is later read via rxrpc_read(), the total
token size (toksize) calculation results in a value that exceeds
AFSTOKEN_LENGTH_MAX, triggering a WARN_ON().
[ 2001.302904] WARNING: CPU: 2 PID: 2108 at net/rxrpc/key.c:778 rxrpc_read+0x109/0x5c0 [rxrpc]
Fix this by adding a check in the non-XDR parsing path of rxrpc_preparse()
to ensure the ticket length does not exceed AFSTOKEN_RK_TIX_MAX,
bringing it into parity with the XDR parsing logic.
Fixes: 8a7a3eb4ddbe ("KEYS: RxRPC: Use key preparsing")
Fixes: 84924aac08a4 ("rxrpc: Fix checker warning")
Reported-by: Anderson Nascimento <anderson@allelesecurity.com>
Signed-off-by: Anderson Nascimento <anderson@allelesecurity.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://patch.msgid.link/20260422161438.2593376-7-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/rxrpc/key.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/net/rxrpc/key.c
+++ b/net/rxrpc/key.c
@@ -340,6 +340,10 @@ static int rxrpc_preparse(struct key_pre
if (v1->security_index != RXRPC_SECURITY_RXKAD)
goto error;
+ ret = -EKEYREJECTED;
+ if (v1->ticket_length > AFSTOKEN_RK_TIX_MAX)
+ goto error;
+
plen = sizeof(*token->kad) + v1->ticket_length;
prep->quotalen += plen + sizeof(*token);
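Review bot: "ret = -EKEYREJECTED;" is assigned before the new ticket_length check and is not reset in the lines that follow, so any later "goto error" that relies on a previously set ret would now return -EKEYREJECTED. It is worth confirming that each subsequent failure path assigns its own error code. The bound itself sits in the right place, ahead of "plen = sizeof(*token->kad) + v1->ticket_length;", so quotalen is never computed from an unchecked length.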
* [PATCH 6.1 159/969] ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (157 preceding siblings ...)
2026-05-30 15:54 ` [PATCH 6.1 158/969] rxrpc: Fix missing validation of ticket length in non-XDR key preparsing Greg Kroah-Hartman
@ 2026-05-30 15:54 ` Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 160/969] ALSA: usb-audio: Avoid false E-MU sample-rate notifications Greg Kroah-Hartman
` (816 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+d56178c27a4710960820,
Cássio Gabriel, Takashi Iwai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
commit 3c318f97dcc50b2e0556a1813bd6958678e881fd upstream.
parse_uac2_sample_rate_range() caps the number of enumerated
rates at MAX_NR_RATES, but it only breaks out of the current
rate loop. A malformed UAC2 RANGE response with additional
triplets continues parsing the remaining triplets and repeatedly
prints "invalid uac2 rates" while probe still holds
register_mutex.
Stop the whole parse once the cap is reached and return the
number of rates collected so far.
Fixes: 4fa0e81b8350 ("ALSA: usb-audio: fix possible hang and overflow in parse_uac2_sample_rate_range()")
Cc: stable@vger.kernel.org
Reported-by: syzbot+d56178c27a4710960820@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d56178c27a4710960820
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260415-usb-audio-uac2-rate-cap-v1-1-5ecbafc120d8@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/format.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/usb/format.c
+++ b/sound/usb/format.c
@@ -461,7 +461,7 @@ static int parse_uac2_sample_rate_range(
nr_rates++;
if (nr_rates >= MAX_NR_RATES) {
usb_audio_err(chip, "invalid uac2 rates\n");
- break;
+ return nr_rates;
}
skip_rate:
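Review bot: Replacing "break" with "return nr_rates;" exits from inside the parse loops and bypasses whatever follows them, so a short comment at the return saying the remaining triplets are abandoned on purpose would help the next reader. The message "invalid uac2 rates" is also printed whenever the cap is reached ("nr_rates >= MAX_NR_RATES"), so wording that says the list was truncated at MAX_NR_RATES would describe the condition more accurately in logs.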
* [PATCH 6.1 160/969] ALSA: usb-audio: Avoid false E-MU sample-rate notifications
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (158 preceding siblings ...)
2026-05-30 15:54 ` [PATCH 6.1 159/969] ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES Greg Kroah-Hartman
@ 2026-05-30 15:54 ` Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 161/969] ALSA: usb-audio: Fix Audio Advantage Micro II SPDIF switch Greg Kroah-Hartman
` (815 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
commit fca9c850042a7ab4828ce3a9caa8bc40ea09856a upstream.
snd_emuusb_set_samplerate() unconditionally notifies the E-MU
SampleRate Extension Unit control after issuing SET_CUR.
If snd_usb_mixer_set_ctl_value() fails, the control value has not
changed, yet snd_usb_mixer_notify_id() still invalidates the cache and
emits a value-change event to userspace.
Notify the control only after a successful write.
Fixes: 7d2b451e65d2 ("ALSA: usb-audio - Added functionality for E-mu 0404USB/0202USB/TrackerPre")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260421-alsa-emuusb-samplerate-notify-v1-1-8b63bbc1d7f1@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/mixer_quirks.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
--- a/sound/usb/mixer_quirks.c
+++ b/sound/usb/mixer_quirks.c
@@ -1561,15 +1561,17 @@ void snd_emuusb_set_samplerate(struct sn
{
struct usb_mixer_interface *mixer;
struct usb_mixer_elem_info *cval;
+ int err;
int unitid = 12; /* SampleRate ExtensionUnit ID */
list_for_each_entry(mixer, &chip->mixer_list, list) {
if (mixer->id_elems[unitid]) {
cval = mixer_elem_list_to_info(mixer->id_elems[unitid]);
- snd_usb_mixer_set_ctl_value(cval, UAC_SET_CUR,
- cval->control << 8,
- samplerate_id);
- snd_usb_mixer_notify_id(mixer, unitid);
+ err = snd_usb_mixer_set_ctl_value(cval, UAC_SET_CUR,
+ cval->control << 8,
+ samplerate_id);
+ if (!err)
+ snd_usb_mixer_notify_id(mixer, unitid);
break;
}
}
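Review bot: err from snd_usb_mixer_set_ctl_value() is used only to gate snd_usb_mixer_notify_id(), and because the function returns void the failure is dropped without a trace. Unless the callee already logs it, a usb_audio_dbg() in the failure branch would make a rejected SET_CUR visible when diagnosing sample-rate problems.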
* [PATCH 6.1 161/969] ALSA: usb-audio: Fix Audio Advantage Micro II SPDIF switch
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (159 preceding siblings ...)
2026-05-30 15:54 ` [PATCH 6.1 160/969] ALSA: usb-audio: Avoid false E-MU sample-rate notifications Greg Kroah-Hartman
@ 2026-05-30 15:54 ` Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 162/969] usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable() Greg Kroah-Hartman
` (814 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
commit a9224f26b754b5034719248891ff3c2ea0d11144 upstream.
snd_microii_spdif_switch_put() returns 0 when the requested
vendor register value differs from the cached one.
This comparison was inverted by the resume-support conversion,
so real SPDIF switch toggles are ignored while no-op writes still
issue SET_CUR and report success.
Return early only when the requested value matches the cached one.
Fixes: 288673beae6c ("ALSA: usb-audio: Add resume support for MicroII SPDIF ctls")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260421-microii-spdif-switch-fix-v1-1-5c50dc28b88f@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/mixer_quirks.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/usb/mixer_quirks.c
+++ b/sound/usb/mixer_quirks.c
@@ -2066,7 +2066,7 @@ static int snd_microii_spdif_switch_put(
int err;
reg = ucontrol->value.integer.value[0] ? 0x28 : 0x2a;
- if (reg != list->kctl->private_value)
+ if (reg == list->kctl->private_value)
return 0;
kcontrol->private_value = reg;
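Review bot: The comparison reads list->kctl->private_value while the assignment two lines later writes kcontrol->private_value. If both name the same control, using kcontrol in the comparison as well would make it obvious that the cached value being tested is the one being updated; if they can differ, the early return tests the wrong cache.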
* [PATCH 6.1 162/969] usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (160 preceding siblings ...)
2026-05-30 15:54 ` [PATCH 6.1 161/969] ALSA: usb-audio: Fix Audio Advantage Micro II SPDIF switch Greg Kroah-Hartman
@ 2026-05-30 15:54 ` Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 163/969] ALSA: usb-audio: Evaluate packsize caps at the right place Greg Kroah-Hartman
` (813 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michal Pecio, Mathias Nyman
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Pecio <michal.pecio@gmail.com>
commit 25e531b422dc2ac90cdae3b6e74b5cdeb081440d upstream.
xHCI hardware maintains its endpoint state between add_endpoint()
and drop_endpoint() calls followed by successful check_bandwidth().
So does the driver.
Core may call endpoint_disable() during xHCI endpoint life, so don't
clear host_ep->hcpriv then, because this breaks endpoint_reset().
If a driver calls usb_set_interface(), submits URBs which make host
sequence state non-zero and calls usb_clear_halt(), the device clears
its sequence state but xhci_endpoint_reset() bails out. The next URB
malfunctions: USB2 loses one packet, USB3 gets Transaction Error or
may not complete at all on some (buggy?) HCs from ASMedia and AMD.
This is triggered by uvcvideo on bulk video devices.
The code was copied from ehci_endpoint_disable() but it isn't needed
here - hcpriv should only be NULL on emulated root hub endpoints.
It might prevent resetting and inadvertently enabling a disabled and
dropped endpoint, but core shouldn't try to reset dropped endpoints.
Document xhci requirements regarding hcpriv. They are currently met.
Fixes: 18b74067ac78 ("xhci: Fix use-after-free regression in xhci clear hub TT implementation")
Cc: stable@vger.kernel.org
Signed-off-by: Michal Pecio <michal.pecio@gmail.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://patch.msgid.link/20260402131342.2628648-26-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci.c | 1 -
include/linux/usb.h | 3 ++-
2 files changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -3248,7 +3248,6 @@ rescan:
xhci_dbg(xhci, "endpoint disable with ep_state 0x%x\n",
ep->ep_state);
done:
- host_ep->hcpriv = NULL;
spin_unlock_irqrestore(&xhci->lock, flags);
}
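Review bot: With "host_ep->hcpriv = NULL;" removed, the done: label guards only the unlock, and nothing in the function records that hcpriv is kept on purpose. A brief comment at done: pointing to the @hcpriv requirement documented in include/linux/usb.h would keep the assignment from being reintroduced by analogy with ehci_endpoint_disable().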
--- a/include/linux/usb.h
+++ b/include/linux/usb.h
@@ -54,7 +54,8 @@ struct ep_device;
* @ssp_isoc_ep_comp: SuperSpeedPlus isoc companion descriptor for this endpoint
* @urb_list: urbs queued to this endpoint; maintained by usbcore
* @hcpriv: for use by HCD; typically holds hardware dma queue head (QH)
- * with one or more transfer descriptors (TDs) per urb
+ * with one or more transfer descriptors (TDs) per urb; must be preserved
+ * by core while BW is allocated for the endpoint
* @ep_dev: ep_device for sysfs info
* @extra: descriptors following this endpoint in the configuration
* @extralen: how many bytes of "extra" are valid
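Review bot: The added kernel-doc text "must be preserved by core while BW is allocated for the endpoint" uses the abbreviation BW without introducing it. Spelling out "bandwidth" would match the sentence it extends, which writes "transfer descriptors (TDs)" in full before abbreviating.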
* [PATCH 6.1 163/969] ALSA: usb-audio: Evaluate packsize caps at the right place
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (161 preceding siblings ...)
2026-05-30 15:54 ` [PATCH 6.1 162/969] usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable() Greg Kroah-Hartman
@ 2026-05-30 15:54 ` Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 164/969] drm/nouveau: fix u32 overflow in pushbuf reloc bounds check Greg Kroah-Hartman
` (812 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit 52521e8398839105ef8eb22b3f0993f9b0d11a57 upstream.
We introduced the upper bound checks of the packet sizes by the
ep->maxframesize for avoiding the URB submission errors. However, the
check was applied at an incorrect place in the function
snd_usb_endpoint_set_params() where ep->maxframesize isn't defined
yet; the value is defined at a bit later position. So this ended up
with a failure at the first run while the second run works.
For fixing it, move the check at the correct place, right after the
calculation of ep->maxframesize in the same function.
Fixes: 7fe8dec3f628 ("ALSA: usb-audio: Cap the packet size pre-calculations")
Link: https://bugzilla.kernel.org/show_bug.cgi?id=221292
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20260410143220.1676344-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/endpoint.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/sound/usb/endpoint.c
+++ b/sound/usb/endpoint.c
@@ -1393,9 +1393,6 @@ int snd_usb_endpoint_set_params(struct s
goto unlock;
}
- ep->packsize[0] = min(ep->packsize[0], ep->maxframesize);
- ep->packsize[1] = min(ep->packsize[1], ep->maxframesize);
-
/* calculate the frequency in 16.16 format */
ep->freqm = ep->freqn;
ep->freqshift = INT_MIN;
@@ -1422,6 +1419,9 @@ int snd_usb_endpoint_set_params(struct s
ep->maxframesize = ep->maxpacksize / ep->cur_frame_bytes;
ep->curframesize = ep->curpacksize / ep->cur_frame_bytes;
+ ep->packsize[0] = min(ep->packsize[0], ep->maxframesize);
+ ep->packsize[1] = min(ep->packsize[1], ep->maxframesize);
+
err = update_clock_ref_rate(chip, ep);
if (err >= 0) {
ep->need_setup = false;
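Review bot: The two min(ep->packsize[n], ep->maxframesize) lines now depend on the "ep->maxframesize = ep->maxpacksize / ep->cur_frame_bytes;" assignment directly above them, but nothing marks that ordering. Since the original bug was exactly a use before that assignment, a one-line comment tying the clamp to the freshly computed maxframesize would keep it from drifting again.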
* [PATCH 6.1 164/969] drm/nouveau: fix u32 overflow in pushbuf reloc bounds check
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (162 preceding siblings ...)
2026-05-30 15:54 ` [PATCH 6.1 163/969] ALSA: usb-audio: Evaluate packsize caps at the right place Greg Kroah-Hartman
@ 2026-05-30 15:54 ` Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 165/969] misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt() Greg Kroah-Hartman
` (811 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lyude Paul, Danilo Krummrich,
Maarten Lankhorst, Maxime Ripard, Thomas Zimmermann, David Airlie,
Simona Vetter, stable
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 2fc87d37be1b730a149b035f9375fdb8cc5333a5 upstream.
nouveau_gem_pushbuf_reloc_apply() validates each relocation with
if (r->reloc_bo_offset + 4 > nvbo->bo.base.size)
but reloc_bo_offset is __u32 (uapi/drm/nouveau_drm.h) and the integer
literal 4 promotes to unsigned int, so the addition is performed in 32
bits and wraps before the comparison against the size_t bo size.
Cast to u64 so the addition happens in 64-bit arithmetic.
Cc: Lyude Paul <lyude@redhat.com>
Cc: Danilo Krummrich <dakr@kernel.org>
Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: Maxime Ripard <mripard@kernel.org>
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Cc: David Airlie <airlied@gmail.com>
Cc: Simona Vetter <simona@ffwll.ch>
Reported-by: Anthropic
Cc: stable <stable@kernel.org>
Assisted-by: gkh_clanker_t1000
Fixes: a1606a9596e5 ("drm/nouveau: new gem pushbuf interface, bump to 0.0.16")
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Add Fixes: tag. - Danilo ]
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/nouveau/nouveau_gem.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/nouveau/nouveau_gem.c
+++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
@@ -668,7 +668,7 @@ nouveau_gem_pushbuf_reloc_apply(struct n
}
nvbo = (void *)(unsigned long)bo[r->reloc_bo_index].user_priv;
- if (unlikely(r->reloc_bo_offset + 4 >
+ if (unlikely((u64)r->reloc_bo_offset + 4 >
nvbo->bo.base.size)) {
NV_PRINTK(err, cli, "reloc outside of bo\n");
ret = -EINVAL;
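Review bot: The (u64) cast in "(u64)r->reloc_bo_offset + 4 > nvbo->bo.base.size" is the whole fix, yet it looks like a redundant cast to anyone tidying the expression later. A short comment that reloc_bo_offset is a __u32 supplied by userspace and that the sum must not be formed in 32 bits would protect it; check_add_overflow() is an alternative that makes the intent explicit.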
* [PATCH 6.1 165/969] misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (163 preceding siblings ...)
2026-05-30 15:54 ` [PATCH 6.1 164/969] drm/nouveau: fix u32 overflow in pushbuf reloc bounds check Greg Kroah-Hartman
@ 2026-05-30 15:54 ` Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 166/969] ibmasm: fix OOB reads in command_file_write due to missing size checks Greg Kroah-Hartman
` (810 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, ychen, Tyllis Xu
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tyllis Xu <livelycarpet87@gmail.com>
commit 4b6e6ead556734bdc14024c5f837132b1e7a4b84 upstream.
ibmasm_handle_mouse_interrupt() performs an out-of-bounds MMIO read
when the queue reader or writer index from hardware exceeds
REMOTE_QUEUE_SIZE (60).
A compromised service processor can trigger this by writing an
out-of-range value to the reader or writer MMIO register before
asserting an interrupt. Since writer is re-read from hardware on
every loop iteration, it can also be set to an out-of-range value
after the loop has already started.
The root cause is that get_queue_reader() and get_queue_writer() return
raw readl() values that are passed directly into get_queue_entry(),
which computes:
queue_begin + reader * sizeof(struct remote_input)
with no bounds check. This unchecked MMIO address is then passed to
memcpy_fromio(), reading 8 bytes from unintended device registers.
For sufficiently large values the address falls outside the PCI BAR
mapping entirely, triggering a machine check exception.
Fix by checking both indices against REMOTE_QUEUE_SIZE at the top of
the loop body, before any call to get_queue_entry(). On an out-of-range
value, reset the reader register to 0 via set_queue_reader() before
breaking, so that normal queue operation can resume if the corrupted
hardware state is transient.
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Fixes: 278d72ae8803 ("[PATCH] ibmasm driver: redesign handling of remote control events")
Cc: stable@vger.kernel.org
Cc: ychen@northwestern.edu
Signed-off-by: Tyllis Xu <LivelyCarpet87@gmail.com>
Link: https://patch.msgid.link/20260308062108.258940-1-LivelyCarpet87@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/misc/ibmasm/remote.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/misc/ibmasm/remote.c
+++ b/drivers/misc/ibmasm/remote.c
@@ -177,6 +177,11 @@ void ibmasm_handle_mouse_interrupt(struc
writer = get_queue_writer(sp);
while (reader != writer) {
+ if (reader >= REMOTE_QUEUE_SIZE || writer >= REMOTE_QUEUE_SIZE) {
+ set_queue_reader(sp, 0);
+ break;
+ }
+
memcpy_fromio(&input, get_queue_entry(sp, reader),
sizeof(struct remote_input));
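Review bot: The out-of-range branch resets the reader with "set_queue_reader(sp, 0);" and breaks without logging anything, so a service processor that hands back an index at or above REMOTE_QUEUE_SIZE leaves no trace. A rate-limited dev_warn() carrying the reader and writer values would give operators a signal that the device state was corrupt or hostile.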
* [PATCH 6.1 166/969] ibmasm: fix OOB reads in command_file_write due to missing size checks
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (164 preceding siblings ...)
2026-05-30 15:54 ` [PATCH 6.1 165/969] misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt() Greg Kroah-Hartman
@ 2026-05-30 15:54 ` Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 167/969] ibmasm: fix heap over-read in ibmasm_send_i2o_message() Greg Kroah-Hartman
` (809 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Tyllis Xu
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tyllis Xu <livelycarpet87@gmail.com>
commit 0eb09f737428e482a32a2e31e5e223f2b35a71d3 upstream.
The command_file_write() handler allocates a kernel buffer of exactly
count bytes and copies user data into it, but does not validate the
buffer against the dot command protocol before passing it to
get_dot_command_size() and get_dot_command_timeout().
Since both the allocation size (count) and the header fields (command_size,
data_size) are independently user-controlled, an attacker can cause
get_dot_command_size() to return a value exceeding the allocation,
triggering OOB reads in get_dot_command_timeout() and an out-of-bounds
memcpy_toio() that leaks kernel heap memory to the service processor.
Fix with two guards: reject writes smaller than sizeof(struct
dot_command_header) before allocation, then after copying user data
reject commands where the buffer is smaller than the total size declared
by the header (sizeof(header) + command_size + data_size). This ensures
all subsequent header and payload field accesses stay within the buffer.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Tyllis Xu <LivelyCarpet87@gmail.com>
Link: https://patch.msgid.link/20260314165355.548119-1-LivelyCarpet87@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/misc/ibmasm/ibmasmfs.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/drivers/misc/ibmasm/ibmasmfs.c
+++ b/drivers/misc/ibmasm/ibmasmfs.c
@@ -303,6 +303,8 @@ static ssize_t command_file_write(struct
return -EINVAL;
if (count == 0 || count > IBMASM_CMD_MAX_BUFFER_SIZE)
return 0;
+ if (count < sizeof(struct dot_command_header))
+ return -EINVAL;
if (*offset != 0)
return 0;
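Review bot: The new "count < sizeof(struct dot_command_header)" test returns -EINVAL, while the "count == 0 || count > IBMASM_CMD_MAX_BUFFER_SIZE" test directly above it returns 0. An oversized write is therefore reported as zero bytes written and an undersized one as an error. If the difference is deliberate a comment should say so; otherwise the two rejections should use the same convention.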
@@ -319,6 +321,11 @@ static ssize_t command_file_write(struct
return -EFAULT;
}
+ if (count < get_dot_command_size(cmd->buffer)) {
+ command_put(cmd);
+ return -EINVAL;
+ }
+
spin_lock_irqsave(&command_data->sp->lock, flags);
if (command_data->command) {
spin_unlock_irqrestore(&command_data->sp->lock, flags);
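Review bot: "if (count < get_dot_command_size(cmd->buffer))" rejects a buffer shorter than the size its header declares but accepts one that is longer, so trailing bytes past the declared command are let through. If the protocol expects each write to be exactly one dot command, != would be the stricter check; if trailing bytes are legitimate, a comment saying so would help.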
* [PATCH 6.1 167/969] ibmasm: fix heap over-read in ibmasm_send_i2o_message()
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Tyllis Xu
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tyllis Xu <livelycarpet87@gmail.com>
commit 9aad71144fa3682cca3837a06c8623016790e7ec upstream.
The ibmasm_send_i2o_message() function uses get_dot_command_size() to
compute the byte count for memcpy_toio(), but this value is derived from
user-controlled fields in the dot_command_header (command_size: u8,
data_size: u16) and is never validated against the actual allocation size.
A root user can write a small buffer with inflated header fields, causing
memcpy_toio() to read up to ~65 KB past the end of the allocation into
adjacent kernel heap, which is then forwarded to the service processor
over MMIO.
Silently clamping the copy size is not sufficient: if the header fields
claim a larger size than the buffer, the SP receives a dot command whose
own header is inconsistent with the I2O message length, which can cause
the SP to desynchronize. Reject such commands outright by returning
failure.
Validate command_size before calling get_mfa_inbound() to avoid leaking
an I2O message frame: reading INBOUND_QUEUE_PORT dequeues a hardware
frame from the controller's free pool, and returning without a
corresponding set_mfa_inbound() call would permanently exhaust it.
Additionally, clamp command_size to I2O_COMMAND_SIZE before the
memcpy_toio() so the MMIO write stays within the I2O message frame,
consistent with the clamping already performed by outgoing_message_size()
for the header field.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Tyllis Xu <LivelyCarpet87@gmail.com>
Link: https://patch.msgid.link/20260314165805.548293-1-LivelyCarpet87@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/misc/ibmasm/lowlevel.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
--- a/drivers/misc/ibmasm/lowlevel.c
+++ b/drivers/misc/ibmasm/lowlevel.c
@@ -19,17 +19,21 @@ static struct i2o_header header = I2O_HE
int ibmasm_send_i2o_message(struct service_processor *sp)
{
u32 mfa;
- unsigned int command_size;
+ size_t command_size;
struct i2o_message *message;
struct command *command = sp->current_command;
+ command_size = get_dot_command_size(command->buffer);
+ if (command_size > command->buffer_size)
+ return 1;
+ if (command_size > I2O_COMMAND_SIZE)
+ command_size = I2O_COMMAND_SIZE;
+
mfa = get_mfa_inbound(sp->base_address);
if (!mfa)
return 1;
- command_size = get_dot_command_size(command->buffer);
- header.message_size = outgoing_message_size(command_size);
-
+ header.message_size = outgoing_message_size((unsigned int)command_size);
message = get_i2o_message(sp->base_address, mfa);
memcpy_toio(&message->header, &header, sizeof(struct i2o_header));
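Review bot: the second new test, `if (command_size > I2O_COMMAND_SIZE) command_size = I2O_COMMAND_SIZE;`, silently shortens a command that fits its buffer but not the I2O frame, which is the same header/length mismatch the changelog gives as the reason for rejecting rather than clamping in the buffer_size case. Consider returning failure there as well, or add a comment explaining why a truncated command is acceptable to the SP in this case. The `(unsigned int)` cast on the outgoing_message_size() argument does no work once the value has been bounded and could be dropped.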
* [PATCH 6.1 168/969] firmware: google: framebuffer: Do not mark framebuffer as busy
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Zimmermann, Tzung-Bi Shih,
Julius Werner, Samuel Holland, Brian Norris, chrome-platform
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Zimmermann <tzimmermann@suse.de>
commit f3850d399de3b6142b02315227ef9e772ed0c302 upstream.
Remove the IORESOURCE_BUSY flag from coreboot's framebuffer
resource. It prevents simpledrm from successfully requesting the
range for its own use; resulting in errors such as
[ 2.775430] simple-framebuffer simple-framebuffer.0: [drm] could not acquire memory region [mem 0x80000000-0x80407fff flags 0x80000200]
As with other uses of simple-framebuffer, the simple-framebuffer
device should only declare its I/O resources, but not actively use
them.
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Fixes: 851b4c14532d ("firmware: coreboot: Add coreboot framebuffer driver")
Acked-by: Tzung-Bi Shih <tzungbi@kernel.org>
Acked-by: Julius Werner <jwerner@chromium.org>
Cc: Samuel Holland <samuel@sholland.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Tzung-Bi Shih <tzungbi@kernel.org>
Cc: Brian Norris <briannorris@chromium.org>
Cc: Julius Werner <jwerner@chromium.org>
Cc: chrome-platform@lists.linux.dev
Cc: <stable@vger.kernel.org> # v4.18+
Link: https://patch.msgid.link/20260217155836.96267-3-tzimmermann@suse.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/firmware/google/framebuffer-coreboot.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/firmware/google/framebuffer-coreboot.c
+++ b/drivers/firmware/google/framebuffer-coreboot.c
@@ -50,7 +50,7 @@ static int framebuffer_probe(struct core
return -ENODEV;
memset(&res, 0, sizeof(res));
- res.flags = IORESOURCE_MEM | IORESOURCE_BUSY;
+ res.flags = IORESOURCE_MEM;
res.name = "Coreboot Framebuffer";
res.start = fb->physical_address;
length = PAGE_ALIGN(fb->y_resolution * fb->bytes_per_line);
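Review bot: at `res.flags = IORESOURCE_MEM;` nothing tells the next reader that leaving out IORESOURCE_BUSY is deliberate, and the flag is the kind of thing that gets added back in a cleanup. A short comment on that line saying the resource is only declared here and is requested later by the driver that binds to the framebuffer would keep the reason next to the code.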
* [PATCH 6.1 169/969] padata: Fix pd UAF once and for all
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Herbert Xu, Bin Lan, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
[ Upstream commit 71203f68c7749609d7fc8ae6ad054bdedeb24f91 ]
There is a race condition/UAF in padata_reorder that goes back
to the initial commit. A reference count is taken at the start
of the process in padata_do_parallel, and released at the end in
padata_serial_worker.
This reference count is (and only is) required for padata_replace
to function correctly. If padata_replace is never called then
there is no issue.
In the function padata_reorder which serves as the core of padata,
as soon as padata is added to queue->serial.list, and the associated
spin lock released, that padata may be processed and the reference
count on pd would go away.
Fix this by getting the next padata before the squeue->serial lock
is released.
In order to make this possible, simplify padata_reorder by only
calling it once the next padata arrives.
Fixes: 16295bec6398 ("padata: Generic parallelization/serialization interface")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
[ Adjust context of padata_find_next(). Replace
cpumask_next_wrap(cpu, pd->cpumask.pcpu) with
cpumask_next_wrap(cpu, pd->cpumask.pcpu, -1, false) in padata_reorder() in
v6.1 according to dc5bb9b769c9 ("cpumask: deprecate cpumask_next_wrap()") and
f954a2d37637 ("padata: switch padata_find_next() to using cpumask_next_wrap()")
. ]
Signed-off-by: Bin Lan <lanbincn@139.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/padata.h | 3 -
kernel/padata.c | 136 +++++++++++------------------------------
2 files changed, 37 insertions(+), 102 deletions(-)
diff --git a/include/linux/padata.h b/include/linux/padata.h
index 495b16b6b4d72..9ca779d7e310e 100644
--- a/include/linux/padata.h
+++ b/include/linux/padata.h
@@ -91,7 +91,6 @@ struct padata_cpumask {
* @cpu: Next CPU to be processed.
* @cpumask: The cpumasks in use for parallel and serial workers.
* @reorder_work: work struct for reordering.
- * @lock: Reorder lock.
*/
struct parallel_data {
struct padata_shell *ps;
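Review bot: this hunk drops the `@lock: Reorder lock.` kernel-doc line but keeps `@reorder_work: work struct for reordering.`, although the next hunk removes the reorder_work member from struct parallel_data together with lock. Remove the @reorder_work line here too so the kernel-doc matches the structure.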
@@ -102,8 +101,6 @@ struct parallel_data {
unsigned int processed;
int cpu;
struct padata_cpumask cpumask;
- struct work_struct reorder_work;
- spinlock_t ____cacheline_aligned lock;
};
/**
diff --git a/kernel/padata.c b/kernel/padata.c
index d49f97abe086f..93e288dc373ee 100644
--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -253,20 +253,17 @@ EXPORT_SYMBOL(padata_do_parallel);
* be parallel processed by another cpu and is not yet present in
* the cpu's reorder queue.
*/
-static struct padata_priv *padata_find_next(struct parallel_data *pd,
- bool remove_object)
+static struct padata_priv *padata_find_next(struct parallel_data *pd, int cpu,
+ unsigned int processed)
{
struct padata_priv *padata;
struct padata_list *reorder;
- int cpu = pd->cpu;
reorder = per_cpu_ptr(pd->reorder_list, cpu);
spin_lock(&reorder->lock);
- if (list_empty(&reorder->list)) {
- spin_unlock(&reorder->lock);
- return NULL;
- }
+ if (list_empty(&reorder->list))
+ goto notfound;
padata = list_entry(reorder->list.next, struct padata_priv, list);
@@ -274,101 +271,52 @@ static struct padata_priv *padata_find_next(struct parallel_data *pd,
* Checks the rare case where two or more parallel jobs have hashed to
* the same CPU and one of the later ones finishes first.
*/
- if (padata->seq_nr != pd->processed) {
- spin_unlock(&reorder->lock);
- return NULL;
- }
-
- if (remove_object) {
- list_del_init(&padata->list);
- ++pd->processed;
- /* When sequence wraps around, reset to the first CPU. */
- if (unlikely(pd->processed == 0))
- pd->cpu = cpumask_first(pd->cpumask.pcpu);
- else
- pd->cpu = cpumask_next_wrap(cpu, pd->cpumask.pcpu, -1, false);
- }
+ if (padata->seq_nr != processed)
+ goto notfound;
+ list_del_init(&padata->list);
spin_unlock(&reorder->lock);
return padata;
+
+notfound:
+ pd->processed = processed;
+ pd->cpu = cpu;
+ spin_unlock(&reorder->lock);
+ return NULL;
}
-static void padata_reorder(struct parallel_data *pd)
+static void padata_reorder(struct padata_priv *padata)
{
+ struct parallel_data *pd = padata->pd;
struct padata_instance *pinst = pd->ps->pinst;
- int cb_cpu;
- struct padata_priv *padata;
- struct padata_serial_queue *squeue;
- struct padata_list *reorder;
+ unsigned int processed;
+ int cpu;
- /*
- * We need to ensure that only one cpu can work on dequeueing of
- * the reorder queue the time. Calculating in which percpu reorder
- * queue the next object will arrive takes some time. A spinlock
- * would be highly contended. Also it is not clear in which order
- * the objects arrive to the reorder queues. So a cpu could wait to
- * get the lock just to notice that there is nothing to do at the
- * moment. Therefore we use a trylock and let the holder of the lock
- * care for all the objects enqueued during the holdtime of the lock.
- */
- if (!spin_trylock_bh(&pd->lock))
- return;
+ processed = pd->processed;
+ cpu = pd->cpu;
- while (1) {
- padata = padata_find_next(pd, true);
+ do {
+ struct padata_serial_queue *squeue;
+ int cb_cpu;
- /*
- * If the next object that needs serialization is parallel
- * processed by another cpu and is still on it's way to the
- * cpu's reorder queue, nothing to do for now.
- */
- if (!padata)
- break;
+ cpu = cpumask_next_wrap(cpu, pd->cpumask.pcpu, -1, false);
+ processed++;
cb_cpu = padata->cb_cpu;
squeue = per_cpu_ptr(pd->squeue, cb_cpu);
spin_lock(&squeue->serial.lock);
list_add_tail(&padata->list, &squeue->serial.list);
- spin_unlock(&squeue->serial.lock);
-
queue_work_on(cb_cpu, pinst->serial_wq, &squeue->work);
- }
- spin_unlock_bh(&pd->lock);
-
- /*
- * The next object that needs serialization might have arrived to
- * the reorder queues in the meantime.
- *
- * Ensure reorder queue is read after pd->lock is dropped so we see
- * new objects from another task in padata_do_serial. Pairs with
- * smp_mb in padata_do_serial.
- */
- smp_mb();
-
- reorder = per_cpu_ptr(pd->reorder_list, pd->cpu);
- if (!list_empty(&reorder->list) && padata_find_next(pd, false)) {
/*
- * Other context(eg. the padata_serial_worker) can finish the request.
- * To avoid UAF issue, add pd ref here, and put pd ref after reorder_work finish.
+ * If the next object that needs serialization is parallel
+ * processed by another cpu and is still on it's way to the
+ * cpu's reorder queue, end the loop.
*/
- padata_get_pd(pd);
- if (!queue_work(pinst->serial_wq, &pd->reorder_work))
- padata_put_pd(pd);
- }
-}
-
-static void invoke_padata_reorder(struct work_struct *work)
-{
- struct parallel_data *pd;
-
- local_bh_disable();
- pd = container_of(work, struct parallel_data, reorder_work);
- padata_reorder(pd);
- local_bh_enable();
- /* Pairs with putting the reorder_work in the serial_wq */
- padata_put_pd(pd);
+ padata = padata_find_next(pd, cpu, processed);
+ spin_unlock(&squeue->serial.lock);
+ } while (padata);
}
static void padata_serial_worker(struct work_struct *serial_work)
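Review bot: padata_reorder() now samples pd->processed and pd->cpu into locals with no lock held, and the removed pd->lock trylock and its comment are not replaced by anything stating why only one caller can be in this loop at a time. The rule appears to be that only the context whose seq_nr equals pd->processed enters, from padata_do_serial(), and that the notfound path in padata_find_next() publishes the new values under reorder->lock; please put that in a comment at the top of the function. The loop also calls queue_work_on() and padata_find_next() while squeue->serial.lock is held, so the nesting of reorder->lock inside squeue->serial.lock deserves a line as well. Minor: "it's way" in the moved comment should be "its way".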
@@ -419,6 +367,7 @@ void padata_do_serial(struct padata_priv *padata)
struct padata_list *reorder = per_cpu_ptr(pd->reorder_list, hashed_cpu);
struct padata_priv *cur;
struct list_head *pos;
+ bool gotit = true;
spin_lock(&reorder->lock);
/* Sort in ascending order of sequence number. */
@@ -428,17 +377,14 @@ void padata_do_serial(struct padata_priv *padata)
if ((signed int)(cur->seq_nr - padata->seq_nr) < 0)
break;
}
- list_add(&padata->list, pos);
+ if (padata->seq_nr != pd->processed) {
+ gotit = false;
+ list_add(&padata->list, pos);
+ }
spin_unlock(&reorder->lock);
- /*
- * Ensure the addition to the reorder list is ordered correctly
- * with the trylock of pd->lock in padata_reorder. Pairs with smp_mb
- * in padata_reorder.
- */
- smp_mb();
-
- padata_reorder(pd);
+ if (gotit)
+ padata_reorder(padata);
}
EXPORT_SYMBOL(padata_do_serial);
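Review bot: the `padata->seq_nr != pd->processed` test reads pd->processed under the reorder lock of hashed_cpu, while the smp_mb() and its pairing comment are deleted without a replacement explanation. State in a comment what now orders this read against the write to pd->processed in the notfound path of padata_find_next(), which is done under the reorder lock of the cpu passed in there. Also, the list walk that computes pos still runs when the object turns out to be the next one and is never added, so the comparison could be made before the walk.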
@@ -625,9 +571,7 @@ static struct parallel_data *padata_alloc_pd(struct padata_shell *ps)
padata_init_squeues(pd);
pd->seq_nr = -1;
refcount_set(&pd->refcnt, 1);
- spin_lock_init(&pd->lock);
pd->cpu = cpumask_first(pd->cpumask.pcpu);
- INIT_WORK(&pd->reorder_work, invoke_padata_reorder);
return pd;
@@ -1137,12 +1081,6 @@ void padata_free_shell(struct padata_shell *ps)
if (!ps)
return;
- /*
- * Wait for all _do_serial calls to finish to avoid touching
- * freed pd's and ps's.
- */
- synchronize_rcu();
-
mutex_lock(&ps->pinst->lock);
list_del(&ps->list);
pd = rcu_dereference_protected(ps->pd, 1);
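Review bot: the synchronize_rcu() removed here carried the comment "Wait for all _do_serial calls to finish to avoid touching freed pd's and ps's", and neither the changelog nor the new code says what now provides that guarantee in padata_free_shell(). Add a sentence to the commit message, or a comment at this point, naming the mechanism that keeps pd and ps alive for in-flight padata_do_serial() callers.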
--
2.53.0
* [PATCH 6.1 170/969] padata: Remove comment for reorder_work
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephen Rothwell, Herbert Xu,
Bin Lan, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
[ Upstream commit 82a0302e7167d0b7c6cde56613db3748f8dd806d ]
Remove comment for reorder_work which no longer exists.
Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Fixes: 71203f68c774 ("padata: Fix pd UAF once and for all")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Bin Lan <lanbincn@139.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/padata.h | 1 -
1 file changed, 1 deletion(-)
diff --git a/include/linux/padata.h b/include/linux/padata.h
index 9ca779d7e310e..6f07e12a43819 100644
--- a/include/linux/padata.h
+++ b/include/linux/padata.h
@@ -90,7 +90,6 @@ struct padata_cpumask {
* @processed: Number of already processed objects.
* @cpu: Next CPU to be processed.
* @cpumask: The cpumasks in use for parallel and serial workers.
- * @reorder_work: work struct for reordering.
*/
struct parallel_data {
struct padata_shell *ps;
--
2.53.0
* [PATCH 6.1 171/969] drm/amdgpu: Use vmemdup_array_user in amdgpu_bo_create_list_entry_array
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tvrtko Ursulin, Alex Deucher,
Fang Wang, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
[ Upstream commit c4ac100e9ae252b09986766ad23b1f83ca3a369d ]
Replace kvmalloc_array() + copy_from_user() with vmemdup_array_user() on
the fast path.
This shrinks the source code and improves separation between the kernel
and userspace slabs.
Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Fang Wang <32840572@qq.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c | 41 +++++++++------------
1 file changed, 17 insertions(+), 24 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
index fdc302aa59e7b..79e43896edddb 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
@@ -226,43 +226,36 @@ void amdgpu_bo_list_put(struct amdgpu_bo_list *list)
int amdgpu_bo_create_list_entry_array(struct drm_amdgpu_bo_list_in *in,
struct drm_amdgpu_bo_list_entry **info_param)
{
- const void __user *uptr = u64_to_user_ptr(in->bo_info_ptr);
const uint32_t info_size = sizeof(struct drm_amdgpu_bo_list_entry);
+ const void __user *uptr = u64_to_user_ptr(in->bo_info_ptr);
+ const uint32_t bo_info_size = in->bo_info_size;
+ const uint32_t bo_number = in->bo_number;
struct drm_amdgpu_bo_list_entry *info;
- int r;
-
- info = kvmalloc_array(in->bo_number, info_size, GFP_KERNEL);
- if (!info)
- return -ENOMEM;
/* copy the handle array from userspace to a kernel buffer */
- r = -EFAULT;
- if (likely(info_size == in->bo_info_size)) {
- unsigned long bytes = in->bo_number *
- in->bo_info_size;
-
- if (copy_from_user(info, uptr, bytes))
- goto error_free;
-
+ if (likely(info_size == bo_info_size)) {
+ info = vmemdup_array_user(uptr, bo_number, info_size);
+ if (IS_ERR(info))
+ return PTR_ERR(info);
} else {
- unsigned long bytes = min(in->bo_info_size, info_size);
+ const uint32_t bytes = min(bo_info_size, info_size);
unsigned i;
- memset(info, 0, in->bo_number * info_size);
- for (i = 0; i < in->bo_number; ++i) {
- if (copy_from_user(&info[i], uptr, bytes))
- goto error_free;
+ info = kvmalloc_array(bo_number, info_size, GFP_KERNEL);
+ if (!info)
+ return -ENOMEM;
- uptr += in->bo_info_size;
+ memset(info, 0, bo_number * info_size);
+ for (i = 0; i < bo_number; ++i, uptr += bo_info_size) {
+ if (copy_from_user(&info[i], uptr, bytes)) {
+ kvfree(info);
+ return -EFAULT;
+ }
}
}
*info_param = info;
return 0;
-
-error_free:
- kvfree(info);
- return r;
}
int amdgpu_bo_list_ioctl(struct drm_device *dev, void *data,
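Review bot: in the else branch, `memset(info, 0, bo_number * info_size);` multiplies two uint32_t values, so the length is computed in 32 bits, while kvmalloc_array(bo_number, info_size, GFP_KERNEL) just above sizes the buffer from the same two operands with its own overflow handling. This is carried over from the removed `memset(info, 0, in->bo_number * info_size);`, but for a large bo_number the memset length can wrap and clear less than was allocated, and since the loop copies only min(bo_info_size, info_size) bytes per entry the rest of each entry would stay uninitialised. Allocating zeroed memory (kvcalloc(), or __GFP_ZERO) and dropping the memset removes the separate multiplication.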
--
2.53.0
* [PATCH 6.1 172/969] drm/amdgpu: Limit BO list entry count to prevent resource exhaustion
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian König, Jesse Zhang,
Alex Deucher, Fang Wang, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jesse.Zhang <Jesse.Zhang@amd.com>
[ Upstream commit 6270b1a5dab94665d7adce3dc78bc9066ed28bdd ]
Userspace can pass an arbitrary number of BO list entries via the
bo_number field. Although the previous multiplication overflow check
prevents out-of-bounds allocation, a large number of entries could still
cause excessive memory allocation (up to potentially gigabytes) and
unnecessarily long list processing times.
Introduce a hard limit of 128k entries per BO list, which is more than
sufficient for any realistic use case (e.g., a single list containing all
buffers in a large scene). This prevents memory exhaustion attacks and
ensures predictable performance.
Return -EINVAL if the requested entry count exceeds the limit.
Reviewed-by: Christian König <christian.koenig@amd.com>
Suggested-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Jesse Zhang <jesse.zhang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 688b87d39e0aa8135105b40dc167d74b5ada5332)
Cc: stable@vger.kernel.org
Signed-off-by: Fang Wang <32840572@qq.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
index 79e43896edddb..28a5b54a3aae1 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
@@ -35,6 +35,7 @@
#define AMDGPU_BO_LIST_MAX_PRIORITY 32u
#define AMDGPU_BO_LIST_NUM_BUCKETS (AMDGPU_BO_LIST_MAX_PRIORITY + 1)
+#define AMDGPU_BO_LIST_MAX_ENTRIES (128 * 1024)
static void amdgpu_bo_list_free_rcu(struct rcu_head *rcu)
{
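Review bot: AMDGPU_BO_LIST_MAX_ENTRIES is written as `(128 * 1024)`, a signed int, while the constant two lines above uses an unsigned suffix (`32u`) and the value it is compared against later in the patch, bo_number, is a uint32_t. Writing it as `(128u * 1024u)` keeps the comparison unsigned on both sides and matches the neighbouring define. A short comment giving the unit (entries per BO list) would also help, since the limit is visible to userspace as -EINVAL.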
@@ -232,6 +233,9 @@ int amdgpu_bo_create_list_entry_array(struct drm_amdgpu_bo_list_in *in,
const uint32_t bo_number = in->bo_number;
struct drm_amdgpu_bo_list_entry *info;
+ if (bo_number > AMDGPU_BO_LIST_MAX_ENTRIES)
+ return -EINVAL;
+
/* copy the handle array from userspace to a kernel buffer */
if (likely(info_size == bo_info_size)) {
info = vmemdup_array_user(uptr, bo_number, info_size);
--
2.53.0
* [PATCH 6.1 173/969] net: enetc: fix the deadlock of enetc_mdio_lock
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jianpeng Chang, Wei Fang,
Jakub Kicinski, Charles Xu, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jianpeng Chang <jianpeng.chang.cn@windriver.com>
[ Upstream commit 50bd33f6b3922a6b760aa30d409cae891cec8fb5 ]
After applying the workaround for err050089, the LS1028A platform
experiences RCU stalls on RT kernel. This issue is caused by the
recursive acquisition of the read lock enetc_mdio_lock. Here are some
of the call stacks identified under the enetc_poll path that may lead to
a deadlock:
enetc_poll
-> enetc_lock_mdio
-> enetc_clean_rx_ring OR napi_complete_done
-> napi_gro_receive
-> enetc_start_xmit
-> enetc_lock_mdio
-> enetc_map_tx_buffs
-> enetc_unlock_mdio
-> enetc_unlock_mdio
After enetc_poll acquires the read lock, a higher-priority writer attempts
to acquire the lock, causing preemption. The writer detects that a
read lock is already held and is scheduled out. However, readers under
enetc_poll cannot acquire the read lock again because a writer is already
waiting, leading to a thread hang.
Currently, the deadlock is avoided by adjusting enetc_lock_mdio to prevent
recursive lock acquisition.
Fixes: 6d36ecdbc441 ("net: enetc: take the MDIO lock only once per NAPI poll cycle")
Signed-off-by: Jianpeng Chang <jianpeng.chang.cn@windriver.com>
Acked-by: Wei Fang <wei.fang@nxp.com>
Link: https://patch.msgid.link/20251015021427.180757-1-jianpeng.chang.cn@windriver.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ adjusted context ]
Signed-off-by: Charles Xu <charles_xu@189.cn>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/freescale/enetc/enetc.c | 25 ++++++++++++++++----
1 file changed, 21 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/freescale/enetc/enetc.c b/drivers/net/ethernet/freescale/enetc/enetc.c
index bf49c07c8b513..a0177130dc37a 100644
--- a/drivers/net/ethernet/freescale/enetc/enetc.c
+++ b/drivers/net/ethernet/freescale/enetc/enetc.c
@@ -1225,6 +1225,8 @@ static int enetc_clean_rx_ring(struct enetc_bdr *rx_ring,
/* next descriptor to process */
i = rx_ring->next_to_clean;
+ enetc_lock_mdio();
+
while (likely(rx_frm_cnt < work_limit)) {
union enetc_rx_bd *rxbd;
struct sk_buff *skb;
@@ -1260,7 +1262,9 @@ static int enetc_clean_rx_ring(struct enetc_bdr *rx_ring,
rx_byte_cnt += skb->len + ETH_HLEN;
rx_frm_cnt++;
+ enetc_unlock_mdio();
napi_gro_receive(napi, skb);
+ enetc_lock_mdio();
}
rx_ring->next_to_clean = i;
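Review bot: the unlock/lock pair around napi_gro_receive() has no comment, and without one it reads like a mistake inside a loop that otherwise holds the lock throughout. Add a line saying that napi_gro_receive() can reach enetc_start_xmit(), which takes enetc_lock_mdio() itself, so the lock must not be held across the call. It is also worth confirming that nothing read from the ring before the unlock is assumed unchanged after the lock is taken again.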
@@ -1268,6 +1272,8 @@ static int enetc_clean_rx_ring(struct enetc_bdr *rx_ring,
rx_ring->stats.packets += rx_frm_cnt;
rx_ring->stats.bytes += rx_byte_cnt;
+ enetc_unlock_mdio();
+
return rx_frm_cnt;
}
@@ -1562,6 +1568,8 @@ static int enetc_clean_rx_ring_xdp(struct enetc_bdr *rx_ring,
/* next descriptor to process */
i = rx_ring->next_to_clean;
+ enetc_lock_mdio();
+
while (likely(rx_frm_cnt < work_limit)) {
union enetc_rx_bd *rxbd, *orig_rxbd;
int orig_i, orig_cleaned_cnt;
@@ -1621,7 +1629,9 @@ static int enetc_clean_rx_ring_xdp(struct enetc_bdr *rx_ring,
if (unlikely(!skb))
goto out;
+ enetc_unlock_mdio();
napi_gro_receive(napi, skb);
+ enetc_lock_mdio();
break;
case XDP_TX:
tx_ring = priv->xdp_tx_ring[rx_ring->index];
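Review bot: the `goto out` on the !skb path sits before the new enetc_unlock_mdio() and so leaves the loop with the lock still held, which is only correct if the out label falls through to the enetc_unlock_mdio() that a later hunk adds before `return rx_frm_cnt`. The label itself is not in the visible context, so please confirm that every exit from the loop reaches that unlock exactly once.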
@@ -1664,7 +1674,9 @@ static int enetc_clean_rx_ring_xdp(struct enetc_bdr *rx_ring,
break;
}
+ enetc_unlock_mdio();
err = xdp_do_redirect(rx_ring->ndev, &xdp_buff, prog);
+ enetc_lock_mdio();
if (unlikely(err)) {
enetc_xdp_drop(rx_ring, orig_i, i);
rx_ring->stats.xdp_redirect_failures++;
@@ -1684,8 +1696,11 @@ static int enetc_clean_rx_ring_xdp(struct enetc_bdr *rx_ring,
rx_ring->stats.packets += rx_frm_cnt;
rx_ring->stats.bytes += rx_byte_cnt;
- if (xdp_redirect_frm_cnt)
+ if (xdp_redirect_frm_cnt) {
+ enetc_unlock_mdio();
xdp_do_flush_map();
+ enetc_lock_mdio();
+ }
if (xdp_tx_frm_cnt)
enetc_update_tx_ring_tail(tx_ring);
@@ -1694,6 +1709,8 @@ static int enetc_clean_rx_ring_xdp(struct enetc_bdr *rx_ring,
enetc_refill_rx_ring(rx_ring, enetc_bd_unused(rx_ring) -
rx_ring->xdp.xdp_tx_in_flight);
+ enetc_unlock_mdio();
+
return rx_frm_cnt;
}
@@ -1712,6 +1729,7 @@ static int enetc_poll(struct napi_struct *napi, int budget)
for (i = 0; i < v->count_tx_rings; i++)
if (!enetc_clean_tx_ring(&v->tx_ring[i], budget))
complete = false;
+ enetc_unlock_mdio();
prog = rx_ring->xdp.prog;
if (prog)
@@ -1723,10 +1741,8 @@ static int enetc_poll(struct napi_struct *napi, int budget)
if (work_done)
v->rx_napi_work = true;
- if (!complete) {
- enetc_unlock_mdio();
+ if (!complete)
return budget;
- }
napi_complete_done(napi, work_done);
@@ -1735,6 +1751,7 @@ static int enetc_poll(struct napi_struct *napi, int budget)
v->rx_napi_work = false;
+ enetc_lock_mdio();
/* enable interrupts */
enetc_wr_reg_hot(v->rbier, ENETC_RBIER_RXTIE);
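Review bot: enetc_lock_mdio() is re-taken here immediately before the enetc_wr_reg_hot() write, but the matching unlock lies outside the hunk, and the earlier `if (!complete) return budget;` path now returns with the lock already dropped. enetc_poll() therefore has two separate lock regions where it used to have one; a comment at each stating what the lock covers (TX ring cleaning above, the interrupt-enable register writes here) would make the pairing auditable.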
--
2.53.0
* [PATCH 6.1 174/969] blk-mq: fix NULL dereference on q->elevator in blk_mq_elv_switch_none
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guangwu Zhang, Ming Lei, Jens Axboe,
Leon Chen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Lei <ming.lei@redhat.com>
[ Upstream commit 245165658e1c9f95c0fecfe02b9b1ebd30a1198a ]
After grabbing q->sysfs_lock, q->elevator may become NULL because of
elevator switch.
Fix the NULL dereference on q->elevator by checking it with lock.
Reported-by: Guangwu Zhang <guazhang@redhat.com>
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Link: https://lore.kernel.org/r/20230616132354.415109-1-ming.lei@redhat.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Leon Chen <leonchen.oss@139.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/blk-mq.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/block/blk-mq.c b/block/blk-mq.c
index f480b6ddba5ee..8a9d9e3db1668 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -4732,9 +4732,6 @@ static bool blk_mq_elv_switch_none(struct list_head *head,
{
struct blk_mq_qe_pair *qe;
- if (!q->elevator)
- return true;
-
qe = kmalloc(sizeof(*qe), GFP_NOIO | __GFP_NOWARN | __GFP_NORETRY);
if (!qe)
return false;
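Review bot: with the early `if (!q->elevator) return true;` removed, the kmalloc() now runs for queues that have no elevator, and its failure path `if (!qe) return false;` makes the function report failure for a queue where the old code returned true without allocating. Consider taking sysfs_lock first and allocating only once q->elevator is known to be set, or keeping an unlocked early check as a fast path in addition to the locked one, so that the no-elevator case can neither fail nor pay for an allocation that is freed straight away.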
@@ -4742,6 +4739,12 @@ static bool blk_mq_elv_switch_none(struct list_head *head,
/* q->elevator needs protection from ->sysfs_lock */
mutex_lock(&q->sysfs_lock);
+ /* the check has to be done with holding sysfs_lock */
+ if (!q->elevator) {
+ kfree(qe);
+ goto unlock;
+ }
+
INIT_LIST_HEAD(&qe->node);
qe->q = q;
qe->type = q->elevator->type;
@@ -4756,6 +4759,7 @@ static bool blk_mq_elv_switch_none(struct list_head *head,
*/
__module_get(qe->type->elevator_owner);
elevator_switch(q, NULL);
+unlock:
mutex_unlock(&q->sysfs_lock);
return true;
--
2.53.0
* [PATCH 6.1 175/969] arm64: set __exception_irq_entry with __irq_entry as a default
From: Greg Kroah-Hartman @ 2026-05-30 15:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Youngmin Nam, SEO HOYOUNG,
Mark Rutland, Catalin Marinas, Leon Chen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Youngmin Nam <youngmin.nam@samsung.com>
[ Upstream commit f6794950f0e5ba37e3bbedda4d6ab0aad7395dd3 ]
filter_irq_stacks() is supposed to cut entries which are related irq entries
from its call stack.
And in_irqentry_text() which is called by filter_irq_stacks()
uses __irqentry_text_start/end symbol to find irq entries in callstack.
But it doesn't work correctly as without "CONFIG_FUNCTION_GRAPH_TRACER",
arm64 kernel doesn't include gic_handle_irq which is entry point of arm64 irq
between __irqentry_text_start and __irqentry_text_end as we discussed in below link.
https://lore.kernel.org/all/CACT4Y+aReMGLYua2rCLHgFpS9io5cZC04Q8GLs-uNmrn1ezxYQ@mail.gmail.com/#t
This problem can make unintentional deep call stack entries especially
in KASAN enabled situation as below.
[ 2479.383395]I[0:launcher-loader: 1719] Stack depot reached limit capacity
[ 2479.383538]I[0:launcher-loader: 1719] WARNING: CPU: 0 PID: 1719 at lib/stackdepot.c:129 __stack_depot_save+0x464/0x46c
[ 2479.385693]I[0:launcher-loader: 1719] pstate: 624000c5 (nZCv daIF +PAN -UAO +TCO -DIT -SSBS BTYPE=--)
[ 2479.385724]I[0:launcher-loader: 1719] pc : __stack_depot_save+0x464/0x46c
[ 2479.385751]I[0:launcher-loader: 1719] lr : __stack_depot_save+0x460/0x46c
[ 2479.385774]I[0:launcher-loader: 1719] sp : ffffffc0080073c0
[ 2479.385793]I[0:launcher-loader: 1719] x29: ffffffc0080073e0 x28: ffffffd00b78a000 x27: 0000000000000000
[ 2479.385839]I[0:launcher-loader: 1719] x26: 000000000004d1dd x25: ffffff891474f000 x24: 00000000ca64d1dd
[ 2479.385882]I[0:launcher-loader: 1719] x23: 0000000000000200 x22: 0000000000000220 x21: 0000000000000040
[ 2479.385925]I[0:launcher-loader: 1719] x20: ffffffc008007440 x19: 0000000000000000 x18: 0000000000000000
[ 2479.385969]I[0:launcher-loader: 1719] x17: 2065726568207475 x16: 000000000000005e x15: 2d2d2d2d2d2d2d20
[ 2479.386013]I[0:launcher-loader: 1719] x14: 5d39313731203a72 x13: 00000000002f6b30 x12: 00000000002f6af8
[ 2479.386057]I[0:launcher-loader: 1719] x11: 00000000ffffffff x10: ffffffb90aacf000 x9 : e8a74a6c16008800
[ 2479.386101]I[0:launcher-loader: 1719] x8 : e8a74a6c16008800 x7 : 00000000002f6b30 x6 : 00000000002f6af8
[ 2479.386145]I[0:launcher-loader: 1719] x5 : ffffffc0080070c8 x4 : ffffffd00b192380 x3 : ffffffd0092b313c
[ 2479.386189]I[0:launcher-loader: 1719] x2 : 0000000000000001 x1 : 0000000000000004 x0 : 0000000000000022
[ 2479.386231]I[0:launcher-loader: 1719] Call trace:
[ 2479.386248]I[0:launcher-loader: 1719] __stack_depot_save+0x464/0x46c
[ 2479.386273]I[0:launcher-loader: 1719] kasan_save_stack+0x58/0x70
[ 2479.386303]I[0:launcher-loader: 1719] save_stack_info+0x34/0x138
[ 2479.386331]I[0:launcher-loader: 1719] kasan_save_free_info+0x18/0x24
[ 2479.386358]I[0:launcher-loader: 1719] ____kasan_slab_free+0x16c/0x170
[ 2479.386385]I[0:launcher-loader: 1719] __kasan_slab_free+0x10/0x20
[ 2479.386410]I[0:launcher-loader: 1719] kmem_cache_free+0x238/0x53c
[ 2479.386435]I[0:launcher-loader: 1719] mempool_free_slab+0x1c/0x28
[ 2479.386460]I[0:launcher-loader: 1719] mempool_free+0x7c/0x1a0
[ 2479.386484]I[0:launcher-loader: 1719] bvec_free+0x34/0x80
[ 2479.386514]I[0:launcher-loader: 1719] bio_free+0x60/0x98
[ 2479.386540]I[0:launcher-loader: 1719] bio_put+0x50/0x21c
[ 2479.386567]I[0:launcher-loader: 1719] f2fs_write_end_io+0x4ac/0x4d0
[ 2479.386594]I[0:launcher-loader: 1719] bio_endio+0x2dc/0x300
[ 2479.386622]I[0:launcher-loader: 1719] __dm_io_complete+0x324/0x37c
[ 2479.386650]I[0:launcher-loader: 1719] dm_io_dec_pending+0x60/0xa4
[ 2479.386676]I[0:launcher-loader: 1719] clone_endio+0xf8/0x2f0
[ 2479.386700]I[0:launcher-loader: 1719] bio_endio+0x2dc/0x300
[ 2479.386727]I[0:launcher-loader: 1719] blk_update_request+0x258/0x63c
[ 2479.386754]I[0:launcher-loader: 1719] scsi_end_request+0x50/0x304
[ 2479.386782]I[0:launcher-loader: 1719] scsi_io_completion+0x88/0x160
[ 2479.386808]I[0:launcher-loader: 1719] scsi_finish_command+0x17c/0x194
[ 2479.386833]I[0:launcher-loader: 1719] scsi_complete+0xcc/0x158
[ 2479.386859]I[0:launcher-loader: 1719] blk_mq_complete_request+0x4c/0x5c
[ 2479.386885]I[0:launcher-loader: 1719] scsi_done_internal+0xf4/0x1e0
[ 2479.386910]I[0:launcher-loader: 1719] scsi_done+0x14/0x20
[ 2479.386935]I[0:launcher-loader: 1719] ufshcd_compl_one_cqe+0x578/0x71c
[ 2479.386963]I[0:launcher-loader: 1719] ufshcd_mcq_poll_cqe_nolock+0xc8/0x150
[ 2479.386991]I[0:launcher-loader: 1719] ufshcd_intr+0x868/0xc0c
[ 2479.387017]I[0:launcher-loader: 1719] __handle_irq_event_percpu+0xd0/0x348
[ 2479.387044]I[0:launcher-loader: 1719] handle_irq_event_percpu+0x24/0x74
[ 2479.387068]I[0:launcher-loader: 1719] handle_irq_event+0x74/0xe0
[ 2479.387091]I[0:launcher-loader: 1719] handle_fasteoi_irq+0x174/0x240
[ 2479.387118]I[0:launcher-loader: 1719] handle_irq_desc+0x7c/0x2c0
[ 2479.387147]I[0:launcher-loader: 1719] generic_handle_domain_irq+0x1c/0x28
[ 2479.387174]I[0:launcher-loader: 1719] gic_handle_irq+0x64/0x158
[ 2479.387204]I[0:launcher-loader: 1719] call_on_irq_stack+0x2c/0x54
[ 2479.387231]I[0:launcher-loader: 1719] do_interrupt_handler+0x70/0xa0
[ 2479.387258]I[0:launcher-loader: 1719] el1_interrupt+0x34/0x68
[ 2479.387283]I[0:launcher-loader: 1719] el1h_64_irq_handler+0x18/0x24
[ 2479.387308]I[0:launcher-loader: 1719] el1h_64_irq+0x68/0x6c
[ 2479.387332]I[0:launcher-loader: 1719] blk_attempt_bio_merge+0x8/0x170
[ 2479.387356]I[0:launcher-loader: 1719] blk_mq_attempt_bio_merge+0x78/0x98
[ 2479.387383]I[0:launcher-loader: 1719] blk_mq_submit_bio+0x324/0xa40
[ 2479.387409]I[0:launcher-loader: 1719] __submit_bio+0x104/0x138
[ 2479.387436]I[0:launcher-loader: 1719] submit_bio_noacct_nocheck+0x1d0/0x4a0
[ 2479.387462]I[0:launcher-loader: 1719] submit_bio_noacct+0x618/0x804
[ 2479.387487]I[0:launcher-loader: 1719] submit_bio+0x164/0x180
[ 2479.387511]I[0:launcher-loader: 1719] f2fs_submit_read_bio+0xe4/0x1c4
[ 2479.387537]I[0:launcher-loader: 1719] f2fs_mpage_readpages+0x888/0xa4c
[ 2479.387563]I[0:launcher-loader: 1719] f2fs_readahead+0xd4/0x19c
[ 2479.387587]I[0:launcher-loader: 1719] read_pages+0xb0/0x4ac
[ 2479.387614]I[0:launcher-loader: 1719] page_cache_ra_unbounded+0x238/0x288
[ 2479.387642]I[0:launcher-loader: 1719] do_page_cache_ra+0x60/0x6c
[ 2479.387669]I[0:launcher-loader: 1719] page_cache_ra_order+0x318/0x364
[ 2479.387695]I[0:launcher-loader: 1719] ondemand_readahead+0x30c/0x3d8
[ 2479.387722]I[0:launcher-loader: 1719] page_cache_sync_ra+0xb4/0xc8
[ 2479.387749]I[0:launcher-loader: 1719] filemap_read+0x268/0xd24
[ 2479.387777]I[0:launcher-loader: 1719] f2fs_file_read_iter+0x1a0/0x62c
[ 2479.387806]I[0:launcher-loader: 1719] vfs_read+0x258/0x34c
[ 2479.387831]I[0:launcher-loader: 1719] ksys_pread64+0x8c/0xd0
[ 2479.387857]I[0:launcher-loader: 1719] __arm64_sys_pread64+0x48/0x54
[ 2479.387881]I[0:launcher-loader: 1719] invoke_syscall+0x58/0x158
[ 2479.387909]I[0:launcher-loader: 1719] el0_svc_common+0xf0/0x134
[ 2479.387935]I[0:launcher-loader: 1719] do_el0_svc+0x44/0x114
[ 2479.387961]I[0:launcher-loader: 1719] el0_svc+0x2c/0x80
[ 2479.387985]I[0:launcher-loader: 1719] el0t_64_sync_handler+0x48/0x114
[ 2479.388010]I[0:launcher-loader: 1719] el0t_64_sync+0x190/0x194
[ 2479.388038]I[0:launcher-loader: 1719] Kernel panic - not syncing: kernel: panic_on_warn set ...
So let's set __exception_irq_entry with __irq_entry as a default.
Applying this patch, we can see gic_handle_irq is included in System.map as below.
* Before
ffffffc008010000 T __do_softirq
ffffffc008010000 T __irqentry_text_end
ffffffc008010000 T __irqentry_text_start
ffffffc008010000 T __softirqentry_text_start
ffffffc008010000 T _stext
ffffffc00801066c T __softirqentry_text_end
ffffffc008010670 T __entry_text_start
* After
ffffffc008010000 T __irqentry_text_start
ffffffc008010000 T _stext
ffffffc008010000 t gic_handle_irq
ffffffc00801013c t gic_handle_irq
ffffffc008010294 T __irqentry_text_end
ffffffc008010298 T __do_softirq
ffffffc008010298 T __softirqentry_text_start
ffffffc008010904 T __softirqentry_text_end
ffffffc008010908 T __entry_text_start
Signed-off-by: Youngmin Nam <youngmin.nam@samsung.com>
Signed-off-by: SEO HOYOUNG <hy50.seo@samsung.com>
Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Link: https://lore.kernel.org/r/20230424010436.779733-1-youngmin.nam@samsung.com
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Leon Chen <leonchen.oss@139.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/include/asm/exception.h | 5 -----
1 file changed, 5 deletions(-)
diff --git a/arch/arm64/include/asm/exception.h b/arch/arm64/include/asm/exception.h
index 19713d0f013b7..18dbb35a337f7 100644
--- a/arch/arm64/include/asm/exception.h
+++ b/arch/arm64/include/asm/exception.h
@@ -8,16 +8,11 @@
#define __ASM_EXCEPTION_H
#include <asm/esr.h>
-#include <asm/kprobes.h>
#include <asm/ptrace.h>
#include <linux/interrupt.h>
-#ifdef CONFIG_FUNCTION_GRAPH_TRACER
#define __exception_irq_entry __irq_entry
-#else
-#define __exception_irq_entry __kprobes
-#endif
static inline unsigned long disr_to_esr(u64 disr)
{
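Review bot: The removed `#else` branch was the only place these handlers received `__kprobes`, and the changelog covers only the stack-filtering side of the change. It should say why losing that annotation is safe when CONFIG_FUNCTION_GRAPH_TRACER is off, that is, whether code placed between __irqentry_text_start and __irqentry_text_end is still excluded from kprobes on arm64. Dropping `#include <asm/kprobes.h>` also deserves a 6.1.y build check for any file that relied on this header pulling it in.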
--
2.53.0
* [PATCH 6.1 176/969] regset: use kvzalloc() for regset_get_alloc()
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Douglas Anderson, Catalin Marinas,
Al Viro, Christian Brauner, Dave Martin, Eric Biederman, Jan Kara,
Kees Cook, Mark Brown, Matthew Wilcox (Oracle), Oleg Nesterov,
Will Deacon, Andrew Morton, Wen Yang, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Douglas Anderson <dianders@chromium.org>
commit 6b839b3b76cf17296ebd4a893841f32cae08229c upstream.
While browsing through ChromeOS crash reports, I found one with an
allocation failure that looked like this:
chrome: page allocation failure: order:7,
mode:0x40dc0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO),
nodemask=(null),cpuset=urgent,mems_allowed=0
CPU: 7 PID: 3295 Comm: chrome Not tainted
5.15.133-20574-g8044615ac35c #1 (HASH:1162 1)
Hardware name: Google Lazor (rev3 - 8) with KB Backlight (DT)
Call trace:
...
warn_alloc+0x104/0x174
__alloc_pages+0x5f0/0x6e4
kmalloc_order+0x44/0x98
kmalloc_order_trace+0x34/0x124
__kmalloc+0x228/0x36c
__regset_get+0x68/0xcc
regset_get_alloc+0x1c/0x28
elf_core_dump+0x3d8/0xd8c
do_coredump+0xeb8/0x1378
get_signal+0x14c/0x804
...
An order 7 allocation is (1 << 7) contiguous pages, or 512K. It's not
a surprise that this allocation failed on a system that's been running
for a while.
More digging showed that it was fairly easy to see the order 7
allocation by just sending a SIGQUIT to chrome (or other processes) to
generate a core dump. The actual amount being allocated was 279,584
bytes and it was for "core_note_type" NT_ARM_SVE.
There was quite a bit of discussion [1] on the mailing lists in
response to my v1 patch attempting to switch to vmalloc. The overall
conclusion was that we could likely reduce the 279,584 byte allocation
by quite a bit and Mark Brown has sent a patch to that effect [2].
However even with the 279,584 byte allocation gone there are still
65,552 byte allocations. These are just barely more than the 65,536
bytes and thus would require an order 5 allocation.
An order 5 allocation is still something to avoid unless necessary and
nothing needs the memory here to be contiguous. Change the allocation
to kvzalloc() which should still be efficient for small allocations
but doesn't force the memory subsystem to work hard (and maybe fail)
at getting a large contiguous chunk.
[1] https://lore.kernel.org/r/20240201171159.1.Id9ad163b60d21c9e56c2d686b0cc9083a8ba7924@changeid
[2] https://lore.kernel.org/r/20240203-arm64-sve-ptrace-regset-size-v1-1-2c3ba1386b9e@kernel.org
Link: https://lkml.kernel.org/r/20240205092626.v2.1.Id9ad163b60d21c9e56c2d686b0cc9083a8ba7924@changeid
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Dave Martin <Dave.Martin@arm.com>
Cc: Eric Biederman <ebiederm@xmission.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Kees Cook <keescook@chromium.org>
Cc: Mark Brown <broonie@kernel.org>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Will Deacon <will@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Wen Yang <wen.yang@linux.dev>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/binfmt_elf.c | 2 +-
kernel/regset.c | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index 762704eed9ce9..2fa739f2f7bb8 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -2014,7 +2014,7 @@ static void free_note_info(struct elf_note_info *info)
threads = t->next;
WARN_ON(t->notes[0].data && t->notes[0].data != &t->prstatus);
for (i = 1; i < info->thread_notes; ++i)
- kfree(t->notes[i].data);
+ kvfree(t->notes[i].data);
kfree(t);
}
kfree(info->psinfo.data);
diff --git a/kernel/regset.c b/kernel/regset.c
index 586823786f397..b2871fa68b2a7 100644
--- a/kernel/regset.c
+++ b/kernel/regset.c
@@ -16,14 +16,14 @@ static int __regset_get(struct task_struct *target,
if (size > regset->n * regset->size)
size = regset->n * regset->size;
if (!p) {
- to_free = p = kzalloc(size, GFP_KERNEL);
+ to_free = p = kvzalloc(size, GFP_KERNEL);
if (!p)
return -ENOMEM;
}
res = regset->regset_get(target, regset,
(struct membuf){.p = p, .left = size});
if (res < 0) {
- kfree(to_free);
+ kvfree(to_free);
return res;
}
*data = p;
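Review bot: After this hunk the buffer handed back through `*data = p` may be vmalloc-backed, so every caller of regset_get_alloc() must release it with kvfree(). The patch converts fs/binfmt_elf.c and copy_regset_to_user(); for the 6.1.y backport, confirm that no other caller in this tree still passes the result to kfree(), and add a line to the function's comment stating the kvfree() requirement so new callers get it right.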
@@ -71,6 +71,6 @@ int copy_regset_to_user(struct task_struct *target,
ret = regset_get_alloc(target, regset, size, &buf);
if (ret > 0)
ret = copy_to_user(data, buf, ret) ? -EFAULT : 0;
- kfree(buf);
+ kvfree(buf);
return ret;
}
--
2.53.0
* [PATCH 6.1 177/969] device property: Make modifications of fwnode "flags" thread safe
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Mark Brown,
Wolfram Sang, Douglas Anderson, Rafael J. Wysocki (Intel),
Saravana Kannan, Danilo Krummrich
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Douglas Anderson <dianders@chromium.org>
commit f72e77c33e4b5657af35125e75bab249256030f3 upstream.
In various places in the kernel, we modify the fwnode "flags" member
by doing either:
fwnode->flags |= SOME_FLAG;
fwnode->flags &= ~SOME_FLAG;
This type of modification is not thread-safe. If two threads are both
mucking with the flags at the same time then one can clobber the
other.
While flags are often modified while under the "fwnode_link_lock",
this is not universally true.
Create some accessor functions for setting, clearing, and testing the
FWNODE flags and move all users to these accessor functions. New
accessor functions use set_bit() and clear_bit(), which are
thread-safe.
Cc: stable@vger.kernel.org
Fixes: c2c724c868c4 ("driver core: Add fw_devlink_parse_fwtree()")
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Acked-by: Mark Brown <broonie@kernel.org>
Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Reviewed-by: Rafael J. Wysocki (Intel) <rafael@kernel.org>
Reviewed-by: Saravana Kannan <saravanak@kernel.org>
Link: https://patch.msgid.link/20260317090112.v2.1.I0a4d03104ecd5103df3d76f66c8d21b1d15a2e38@changeid
[ Fix fwnode_clear_flag() argument alignment, restore dropped blank
line in fwnode_dev_initialized(), and remove unnecessary parentheses
around fwnode_test_flag() calls. - Danilo ]
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/base/core.c | 24 ++++++++++++------------
drivers/bus/imx-weim.c | 2 +-
drivers/i2c/i2c-core-of.c | 2 +-
drivers/net/phy/mdio_bus.c | 4 ++--
drivers/of/base.c | 2 +-
drivers/of/dynamic.c | 2 +-
drivers/of/platform.c | 2 +-
drivers/spi/spi.c | 2 +-
include/linux/fwnode.h | 44 +++++++++++++++++++++++++++++++++-----------
9 files changed, 53 insertions(+), 31 deletions(-)
--- a/drivers/base/core.c
+++ b/drivers/base/core.c
@@ -194,7 +194,7 @@ void fw_devlink_purge_absent_suppliers(s
if (fwnode->dev)
return;
- fwnode->flags |= FWNODE_FLAG_NOT_DEVICE;
+ fwnode_set_flag(fwnode, FWNODE_FLAG_NOT_DEVICE);
fwnode_links_purge_consumers(fwnode);
fwnode_for_each_available_child_node(fwnode, child)
@@ -240,7 +240,7 @@ static void __fw_devlink_pickup_dangling
if (fwnode->dev && fwnode->dev->bus)
return;
- fwnode->flags |= FWNODE_FLAG_NOT_DEVICE;
+ fwnode_set_flag(fwnode, FWNODE_FLAG_NOT_DEVICE);
__fwnode_links_move_consumers(fwnode, new_sup);
fwnode_for_each_available_child_node(fwnode, child)
@@ -1070,7 +1070,7 @@ static void device_links_missing_supplie
static bool dev_is_best_effort(struct device *dev)
{
return (fw_devlink_best_effort && dev->can_match) ||
- (dev->fwnode && (dev->fwnode->flags & FWNODE_FLAG_BEST_EFFORT));
+ (dev->fwnode && fwnode_test_flag(dev->fwnode, FWNODE_FLAG_BEST_EFFORT));
}
static struct fwnode_handle *fwnode_links_check_suppliers(
@@ -1764,11 +1764,11 @@ bool fw_devlink_is_strict(void)
static void fw_devlink_parse_fwnode(struct fwnode_handle *fwnode)
{
- if (fwnode->flags & FWNODE_FLAG_LINKS_ADDED)
+ if (fwnode_test_flag(fwnode, FWNODE_FLAG_LINKS_ADDED))
return;
fwnode_call_int_op(fwnode, add_links);
- fwnode->flags |= FWNODE_FLAG_LINKS_ADDED;
+ fwnode_set_flag(fwnode, FWNODE_FLAG_LINKS_ADDED);
}
static void fw_devlink_parse_fwtree(struct fwnode_handle *fwnode)
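Review bot: In fw_devlink_parse_fwnode(), fwnode_test_flag() followed later by fwnode_set_flag() on FWNODE_FLAG_LINKS_ADDED is still a check-then-act sequence. The bit operations are individually atomic, but two threads can both observe the flag clear and both run add_links. If callers are serialized by a lock here, a comment naming it would document that; if not, the accessors alone do not close this window and a test-and-set style helper is needed.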
@@ -1889,7 +1889,7 @@ static bool fwnode_init_without_drv(stru
struct device *dev;
bool ret;
- if (!(fwnode->flags & FWNODE_FLAG_INITIALIZED))
+ if (!fwnode_test_flag(fwnode, FWNODE_FLAG_INITIALIZED))
return false;
dev = get_dev_from_fwnode(fwnode);
@@ -1948,10 +1948,10 @@ static bool __fw_devlink_relax_cycles(st
* We aren't trying to find all cycles. Just a cycle between con and
* sup_handle.
*/
- if (sup_handle->flags & FWNODE_FLAG_VISITED)
+ if (fwnode_test_flag(sup_handle, FWNODE_FLAG_VISITED))
return false;
- sup_handle->flags |= FWNODE_FLAG_VISITED;
+ fwnode_set_flag(sup_handle, FWNODE_FLAG_VISITED);
/* Termination condition. */
if (sup_handle == con_handle) {
@@ -2021,7 +2021,7 @@ static bool __fw_devlink_relax_cycles(st
}
out:
- sup_handle->flags &= ~FWNODE_FLAG_VISITED;
+ fwnode_clear_flag(sup_handle, FWNODE_FLAG_VISITED);
put_device(sup_dev);
put_device(con_dev);
put_device(par_dev);
@@ -2074,7 +2074,7 @@ static int fw_devlink_create_devlink(str
* When such a flag is set, we can't create device links where P is the
* supplier of C as that would delay the probe of C.
*/
- if (sup_handle->flags & FWNODE_FLAG_NEEDS_CHILD_BOUND_ON_ADD &&
+ if (fwnode_test_flag(sup_handle, FWNODE_FLAG_NEEDS_CHILD_BOUND_ON_ADD) &&
fwnode_is_ancestor_of(sup_handle, con->fwnode))
return -EINVAL;
@@ -2097,7 +2097,7 @@ static int fw_devlink_create_devlink(str
else
flags = FW_DEVLINK_FLAGS_PERMISSIVE;
- if (sup_handle->flags & FWNODE_FLAG_NOT_DEVICE)
+ if (fwnode_test_flag(sup_handle, FWNODE_FLAG_NOT_DEVICE))
sup_dev = fwnode_get_next_parent_dev(sup_handle);
else
sup_dev = get_dev_from_fwnode(sup_handle);
@@ -2109,7 +2109,7 @@ static int fw_devlink_create_devlink(str
* supplier device indefinitely.
*/
if (sup_dev->links.status == DL_DEV_NO_DRIVER &&
- sup_handle->flags & FWNODE_FLAG_INITIALIZED) {
+ fwnode_test_flag(sup_handle, FWNODE_FLAG_INITIALIZED)) {
dev_dbg(con,
"Not linking %pfwf - dev might never probe\n",
sup_handle);
--- a/drivers/bus/imx-weim.c
+++ b/drivers/bus/imx-weim.c
@@ -336,7 +336,7 @@ static int of_weim_notify(struct notifie
* fw_devlink doesn't skip adding consumers to this
* device.
*/
- rd->dn->fwnode.flags &= ~FWNODE_FLAG_NOT_DEVICE;
+ fwnode_clear_flag(&rd->dn->fwnode, FWNODE_FLAG_NOT_DEVICE);
if (!of_platform_device_create(rd->dn, NULL, &pdev->dev)) {
dev_err(&pdev->dev,
"Failed to create child device '%pOF'\n",
--- a/drivers/i2c/i2c-core-of.c
+++ b/drivers/i2c/i2c-core-of.c
@@ -182,7 +182,7 @@ static int of_i2c_notify(struct notifier
* Clear the flag before adding the device so that fw_devlink
* doesn't skip adding consumers to this device.
*/
- rd->dn->fwnode.flags &= ~FWNODE_FLAG_NOT_DEVICE;
+ fwnode_clear_flag(&rd->dn->fwnode, FWNODE_FLAG_NOT_DEVICE);
client = of_i2c_register_device(adap, rd->dn);
if (IS_ERR(client)) {
dev_err(&adap->dev, "failed to create client for '%pOF'\n",
--- a/drivers/net/phy/mdio_bus.c
+++ b/drivers/net/phy/mdio_bus.c
@@ -539,8 +539,8 @@ int __mdiobus_register(struct mii_bus *b
return -EINVAL;
if (bus->parent && bus->parent->of_node)
- bus->parent->of_node->fwnode.flags |=
- FWNODE_FLAG_NEEDS_CHILD_BOUND_ON_ADD;
+ fwnode_set_flag(&bus->parent->of_node->fwnode,
+ FWNODE_FLAG_NEEDS_CHILD_BOUND_ON_ADD);
WARN(bus->state != MDIOBUS_ALLOCATED &&
bus->state != MDIOBUS_UNREGISTERED,
--- a/drivers/of/base.c
+++ b/drivers/of/base.c
@@ -1927,7 +1927,7 @@ void of_alias_scan(void * (*dt_alloc)(u6
if (name)
of_stdout = of_find_node_opts_by_path(name, &of_stdout_options);
if (of_stdout)
- of_stdout->fwnode.flags |= FWNODE_FLAG_BEST_EFFORT;
+ fwnode_set_flag(&of_stdout->fwnode, FWNODE_FLAG_BEST_EFFORT);
}
if (!of_aliases)
--- a/drivers/of/dynamic.c
+++ b/drivers/of/dynamic.c
@@ -227,7 +227,7 @@ static void __of_attach_node(struct devi
np->sibling = np->parent->child;
np->parent->child = np;
of_node_clear_flag(np, OF_DETACHED);
- np->fwnode.flags |= FWNODE_FLAG_NOT_DEVICE;
+ fwnode_set_flag(&np->fwnode, FWNODE_FLAG_NOT_DEVICE);
}
/**
--- a/drivers/of/platform.c
+++ b/drivers/of/platform.c
@@ -745,7 +745,7 @@ static int of_platform_notify(struct not
* Clear the flag before adding the device so that fw_devlink
* doesn't skip adding consumers to this device.
*/
- rd->dn->fwnode.flags &= ~FWNODE_FLAG_NOT_DEVICE;
+ fwnode_clear_flag(&rd->dn->fwnode, FWNODE_FLAG_NOT_DEVICE);
/* pdev_parent may be NULL when no bus platform device */
pdev_parent = of_find_device_by_node(rd->dn->parent);
pdev = of_platform_device_create(rd->dn, NULL,
--- a/drivers/spi/spi.c
+++ b/drivers/spi/spi.c
@@ -4480,7 +4480,7 @@ static int of_spi_notify(struct notifier
* Clear the flag before adding the device so that fw_devlink
* doesn't skip adding consumers to this device.
*/
- rd->dn->fwnode.flags &= ~FWNODE_FLAG_NOT_DEVICE;
+ fwnode_clear_flag(&rd->dn->fwnode, FWNODE_FLAG_NOT_DEVICE);
spi = of_register_spi_device(ctlr, rd->dn);
put_device(&ctlr->dev);
--- a/include/linux/fwnode.h
+++ b/include/linux/fwnode.h
@@ -12,6 +12,7 @@
#include <linux/types.h>
#include <linux/list.h>
#include <linux/bits.h>
+#include <linux/bitops.h>
#include <linux/err.h>
struct fwnode_operations;
@@ -31,12 +32,12 @@ struct device;
* suppliers. Only enforce ordering with suppliers that have
* drivers.
*/
-#define FWNODE_FLAG_LINKS_ADDED BIT(0)
-#define FWNODE_FLAG_NOT_DEVICE BIT(1)
-#define FWNODE_FLAG_INITIALIZED BIT(2)
-#define FWNODE_FLAG_NEEDS_CHILD_BOUND_ON_ADD BIT(3)
-#define FWNODE_FLAG_BEST_EFFORT BIT(4)
-#define FWNODE_FLAG_VISITED BIT(5)
+#define FWNODE_FLAG_LINKS_ADDED 0
+#define FWNODE_FLAG_NOT_DEVICE 1
+#define FWNODE_FLAG_INITIALIZED 2
+#define FWNODE_FLAG_NEEDS_CHILD_BOUND_ON_ADD 3
+#define FWNODE_FLAG_BEST_EFFORT 4
+#define FWNODE_FLAG_VISITED 5
struct fwnode_handle {
struct fwnode_handle *secondary;
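Review bot: The FWNODE_FLAG_* macros change from BIT() masks to bit numbers but keep their names, so any 6.1.y call site this backport missed (`flags |= FWNODE_FLAG_X`, `flags & FWNODE_FLAG_X`) still compiles and silently operates on the wrong bits; with FWNODE_FLAG_LINKS_ADDED now 0, a leftover mask test is always false. A tree-wide search of linux-6.1.y for direct `->flags` and `fwnode.flags` users, including code that differs from upstream, should be part of the backport check. Renaming the macros (for example with a _BIT suffix) would turn a missed conversion into a build failure.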
@@ -44,7 +45,7 @@ struct fwnode_handle {
struct device *dev;
struct list_head suppliers;
struct list_head consumers;
- u8 flags;
+ unsigned long flags;
};
/*
@@ -197,16 +198,37 @@ static inline void fwnode_init(struct fw
INIT_LIST_HEAD(&fwnode->suppliers);
}
+static inline void fwnode_set_flag(struct fwnode_handle *fwnode,
+ unsigned int bit)
+{
+ set_bit(bit, &fwnode->flags);
+}
+
+static inline void fwnode_clear_flag(struct fwnode_handle *fwnode,
+ unsigned int bit)
+{
+ clear_bit(bit, &fwnode->flags);
+}
+
+static inline void fwnode_assign_flag(struct fwnode_handle *fwnode,
+ unsigned int bit, bool value)
+{
+ assign_bit(bit, &fwnode->flags, value);
+}
+
+static inline bool fwnode_test_flag(struct fwnode_handle *fwnode,
+ unsigned int bit)
+{
+ return test_bit(bit, &fwnode->flags);
+}
+
static inline void fwnode_dev_initialized(struct fwnode_handle *fwnode,
bool initialized)
{
if (IS_ERR_OR_NULL(fwnode))
return;
- if (initialized)
- fwnode->flags |= FWNODE_FLAG_INITIALIZED;
- else
- fwnode->flags &= ~FWNODE_FLAG_INITIALIZED;
+ fwnode_assign_flag(fwnode, FWNODE_FLAG_INITIALIZED, initialized);
}
extern bool fw_devlink_is_strict(void);
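Review bot: fwnode_test_flag() only reads the word, so its parameter can be `const struct fwnode_handle *`, which lets callers holding a const handle use it without a cast. The four new helpers also carry no comment saying that `bit` is a bit number rather than a mask; since the FWNODE_FLAG_* macros change meaning in this same patch, a one-line kernel-doc stating that would head off mask-style misuse.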
* [PATCH 6.1 178/969] ocfs2: split transactions in dio completion to avoid credit exhaustion
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Heming Zhao, Jan Kara, Joseph Qi,
Mark Fasheh, Joel Becker, Junxiao Bi, Changwei Ge, Jun Piao,
Andrew Morton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heming Zhao <heming.zhao@suse.com>
commit d647c5b2fbf81560818dacade360abc8c00a9665 upstream.
During ocfs2 dio operations, JBD2 may report warnings via following
call trace:
ocfs2_dio_end_io_write
ocfs2_mark_extent_written
ocfs2_change_extent_flag
ocfs2_split_extent
ocfs2_try_to_merge_extent
ocfs2_extend_rotate_transaction
ocfs2_extend_trans
jbd2__journal_restart
start_this_handle
output: JBD2: kworker/6:2 wants too many credits credits:5450 rsv_credits:0 max:5449
To prevent exceeding the credits limit, modify ocfs2_dio_end_io_write() to
handle extents in a batch of transaction.
Additionally, relocate ocfs2_del_inode_from_orphan(). The orphan inode
should only be removed from the orphan list after the extent tree update
is complete. This ensures that if a crash occurs in the middle of extent
tree updates, we won't leave stale blocks beyond EOF.
This patch also changes the logic for updating the inode size and removing
orphan, making it similar to ext4_dio_write_end_io(). Both operations are
performed only when everything looks good.
Finally, thanks to Jans and Joseph for providing the bug fix prototype and
suggestions.
Link: https://lkml.kernel.org/r/20260402134328.27334-2-heming.zhao@suse.com
Signed-off-by: Heming Zhao <heming.zhao@suse.com>
Suggested-by: Jan Kara <jack@suse.cz>
Suggested-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ocfs2/aops.c | 74 ++++++++++++++++++++++++++++++++++----------------------
1 file changed, 45 insertions(+), 29 deletions(-)
--- a/fs/ocfs2/aops.c
+++ b/fs/ocfs2/aops.c
@@ -37,6 +37,8 @@
#include "namei.h"
#include "sysfile.h"
+#define OCFS2_DIO_MARK_EXTENT_BATCH 200
+
static int ocfs2_symlink_get_block(struct inode *inode, sector_t iblock,
struct buffer_head *bh_result, int create)
{
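Review bot: OCFS2_DIO_MARK_EXTENT_BATCH is introduced as a bare 200 with no comment. The changelog shows the failure as a request for 5450 credits against a maximum of 5449, so the safe batch size is tied to the journal's credit limit; a comment explaining how 200 was chosen, and whether it still holds on a smaller journal, belongs next to the define.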
@@ -2305,7 +2307,7 @@ static int ocfs2_dio_end_io_write(struct
struct ocfs2_alloc_context *meta_ac = NULL;
handle_t *handle = NULL;
loff_t end = offset + bytes;
- int ret = 0, credits = 0;
+ int ret = 0, credits = 0, batch = 0;
ocfs2_init_dealloc_ctxt(&dealloc);
@@ -2322,18 +2324,6 @@ static int ocfs2_dio_end_io_write(struct
goto out;
}
- /* Delete orphan before acquire i_rwsem. */
- if (dwc->dw_orphaned) {
- BUG_ON(dwc->dw_writer_pid != task_pid_nr(current));
-
- end = end > i_size_read(inode) ? end : 0;
-
- ret = ocfs2_del_inode_from_orphan(osb, inode, di_bh,
- !!end, end);
- if (ret < 0)
- mlog_errno(ret);
- }
-
down_write(&oi->ip_alloc_sem);
di = (struct ocfs2_dinode *)di_bh->b_data;
@@ -2354,24 +2344,25 @@ static int ocfs2_dio_end_io_write(struct
credits = ocfs2_calc_extend_credits(inode->i_sb, &di->id2.i_list);
- handle = ocfs2_start_trans(osb, credits);
- if (IS_ERR(handle)) {
- ret = PTR_ERR(handle);
- mlog_errno(ret);
- goto unlock;
- }
- ret = ocfs2_journal_access_di(handle, INODE_CACHE(inode), di_bh,
- OCFS2_JOURNAL_ACCESS_WRITE);
- if (ret) {
- mlog_errno(ret);
- goto commit;
- }
-
list_for_each_entry(ue, &dwc->dw_zero_list, ue_node) {
+ if (!handle) {
+ handle = ocfs2_start_trans(osb, credits);
+ if (IS_ERR(handle)) {
+ ret = PTR_ERR(handle);
+ mlog_errno(ret);
+ goto unlock;
+ }
+ ret = ocfs2_journal_access_di(handle, INODE_CACHE(inode), di_bh,
+ OCFS2_JOURNAL_ACCESS_WRITE);
+ if (ret) {
+ mlog_errno(ret);
+ goto commit;
+ }
+ }
ret = ocfs2_assure_trans_credits(handle, credits);
if (ret < 0) {
mlog_errno(ret);
- break;
+ goto commit;
}
ret = ocfs2_mark_extent_written(inode, &et, handle,
ue->ue_cpos, 1,
@@ -2379,19 +2370,44 @@ static int ocfs2_dio_end_io_write(struct
meta_ac, &dealloc);
if (ret < 0) {
mlog_errno(ret);
- break;
+ goto commit;
+ }
+
+ if (++batch == OCFS2_DIO_MARK_EXTENT_BATCH) {
+ ocfs2_commit_trans(osb, handle);
+ handle = NULL;
+ batch = 0;
}
}
if (end > i_size_read(inode)) {
+ if (!handle) {
+ handle = ocfs2_start_trans(osb, credits);
+ if (IS_ERR(handle)) {
+ ret = PTR_ERR(handle);
+ mlog_errno(ret);
+ goto unlock;
+ }
+ }
ret = ocfs2_set_inode_size(handle, inode, di_bh, end);
if (ret < 0)
mlog_errno(ret);
}
+
commit:
- ocfs2_commit_trans(osb, handle);
+ if (handle)
+ ocfs2_commit_trans(osb, handle);
unlock:
up_write(&oi->ip_alloc_sem);
+
+ /* everything looks good, let's start the cleanup */
+ if (!ret && dwc->dw_orphaned) {
+ BUG_ON(dwc->dw_writer_pid != task_pid_nr(current));
+
+ ret = ocfs2_del_inode_from_orphan(osb, inode, di_bh, 0, 0);
+ if (ret < 0)
+ mlog_errno(ret);
+ }
ocfs2_inode_unlock(inode, 1);
brelse(di_bh);
out:
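Review bot: In the `if (end > i_size_read(inode))` branch, the transaction started when `handle` is NULL goes straight to ocfs2_set_inode_size() without the ocfs2_journal_access_di() call on di_bh that the in-loop restart makes. If ocfs2_set_inode_size() takes journal access on di_bh itself this is fine, but a short comment saying so would save the next reader the lookup. The result of ocfs2_commit_trans() at the batch boundary is also not checked before the loop continues with a fresh handle; if a failed commit there should stop further extent updates, it needs handling.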
* [PATCH 6.1 179/969] driver core: Dont let a device probe until its ready
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alan Stern,
Rafael J. Wysocki (Intel), Danilo Krummrich, Marek Szyprowski,
Douglas Anderson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Douglas Anderson <dianders@chromium.org>
[ Upstream commit a2225b6e834a838ae3c93709760edc0a169eb2f2 ]
The moment we link a "struct device" into the list of devices for the
bus, it's possible probe can happen. This is because another thread
can load the driver at any time and that can cause the device to
probe. This has been seen in practice with a stack crawl that looks
like this [1]:
really_probe()
__driver_probe_device()
driver_probe_device()
__driver_attach()
bus_for_each_dev()
driver_attach()
bus_add_driver()
driver_register()
__platform_driver_register()
init_module() [some module]
do_one_initcall()
do_init_module()
load_module()
__arm64_sys_finit_module()
invoke_syscall()
As a result of the above, it was seen that device_links_driver_bound()
could be called for the device before "dev->fwnode->dev" was
assigned. This prevented __fw_devlink_pickup_dangling_consumers() from
being called which meant that other devices waiting on our driver's
sub-nodes were stuck deferring forever.
It's believed that this problem is showing up suddenly for two
reasons:
1. Android has recently (last ~1 year) implemented an optimization to
the order it loads modules [2]. When devices opt-in to this faster
loading, modules are loaded one-after-the-other very quickly. This
is unlike how other distributions do it. The reproduction of this
problem has only been seen on devices that opt-in to Android's
"parallel module loading".
2. Android devices typically opt-in to fw_devlink, and the most
noticeable issue is the NULL "dev->fwnode->dev" in
device_links_driver_bound(). fw_devlink is somewhat new code and
also not in use by all Linux devices.
Even though the specific symptom where "dev->fwnode->dev" wasn't
assigned could be fixed by moving that assignment higher in
device_add(), other parts of device_add() (like the call to
device_pm_add()) are also important to run before probe. Only moving
the "dev->fwnode->dev" assignment would likely fix the current
symptoms but lead to difficult-to-debug problems in the future.
Fix the problem by preventing probe until device_add() has run far
enough that the device is ready to probe. If somehow we end up trying
to probe before we're allowed, __driver_probe_device() will return
-EPROBE_DEFER which will make certain the device is noticed.
In the race condition that was seen with Android's faster module
loading, we will temporarily add the device to the deferred list and
then take it off immediately when device_add() probes the device.
Instead of adding another flag to the bitfields already in "struct
device", add a new "flags" field and use that. This allows us
to freely change the bit from different threads without worrying about
corrupting nearby bits (and means threads changing other bits won't
corrupt us).
[1] Captured on a machine running a downstream 6.6 kernel
[2] https://cs.android.com/android/platform/superproject/main/+/main:system/core/libmodprobe/libmodprobe.cpp?q=LoadModulesParallel
Cc: stable@vger.kernel.org
Fixes: 2023c610dc54 ("Driver core: add new device to bus's list before probing")
Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
Reviewed-by: Rafael J. Wysocki (Intel) <rafael@kernel.org>
Reviewed-by: Danilo Krummrich <dakr@kernel.org>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Link: https://patch.msgid.link/20260406162231.v5.1.Id750b0fbcc94f23ed04b7aecabcead688d0d8c17@changeid
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/base/core.c | 15 ++++++++++++++
drivers/base/dd.c | 20 +++++++++++++++++++
include/linux/device.h | 44 ++++++++++++++++++++++++++++++++++++++++++
3 files changed, 79 insertions(+)
diff --git a/drivers/base/core.c b/drivers/base/core.c
index 157775dc401b2..81a8fe313f6a4 100644
--- a/drivers/base/core.c
+++ b/drivers/base/core.c
@@ -3694,6 +3694,21 @@ int device_add(struct device *dev)
fw_devlink_link_device(dev);
}
+ /*
+ * The moment the device was linked into the bus's "klist_devices" in
+ * bus_add_device() then it's possible that probe could have been
+ * attempted in a different thread via userspace loading a driver
+ * matching the device. "ready_to_probe" being unset would have
+ * blocked those attempts. Now that all of the above initialization has
+ * happened, unblock probe. If probe happens through another thread
+ * after this point but before bus_probe_device() runs then it's fine.
+ * bus_probe_device() -> device_initial_probe() -> __device_attach()
+ * will notice (under device_lock) that the device is already bound.
+ */
+ device_lock(dev);
+ dev_set_ready_to_probe(dev);
+ device_unlock(dev);
+
bus_probe_device(dev);
/*
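Review bot: The added comment explains why probe is unblocked at this point but not why device_lock() is taken around dev_set_ready_to_probe(), which the device.h hunk implements with set_bit(). Add one sentence saying what the lock orders against, for example that a prober holding device_lock either sees the flag unset and defers or sees the initialization above as complete, so the lock/unlock pair is not later dropped as unnecessary around an atomic bit operation.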
diff --git a/drivers/base/dd.c b/drivers/base/dd.c
index dbbe2cebb8917..1c6f266f9367f 100644
--- a/drivers/base/dd.c
+++ b/drivers/base/dd.c
@@ -770,6 +770,26 @@ static int __driver_probe_device(struct device_driver *drv, struct device *dev)
if (dev->driver)
return -EBUSY;
+ /*
+ * In device_add(), the "struct device" gets linked into the subsystem's
+ * list of devices and broadcast to userspace (via uevent) before we're
+ * quite ready to probe. Those open pathways to driver probe before
+ * we've finished enough of device_add() to reliably support probe.
+ * Detect this and tell other pathways to try again later. device_add()
+ * itself will also try to probe immediately after setting
+ * "ready_to_probe".
+ */
+ if (!dev_ready_to_probe(dev))
+ return dev_err_probe(dev, -EPROBE_DEFER, "Device not ready to probe\n");
+
+ /*
+ * Set can_match = true after calling dev_ready_to_probe(), so
+ * driver_deferred_probe_add() won't actually add the device to the
+ * deferred probe list when dev_ready_to_probe() returns false.
+ *
+ * When dev_ready_to_probe() returns false, it means that device_add()
+ * will do another probe() attempt for us.
+ */
dev->can_match = true;
pr_debug("bus: '%s': %s: matched device %s with driver %s\n",
drv->bus->name, __func__, dev_name(dev), drv->name);
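Review bot: The second added comment says driver_deferred_probe_add() "won't actually add the device to the deferred probe list" when dev_ready_to_probe() returns false, while the changelog says the device is temporarily added to the deferred list and taken off again when device_add() probes it. Only one of these can describe this code; please reconcile them, and have the comment name what in driver_deferred_probe_add() depends on `dev->can_match`, since that dependency is not visible in this hunk.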
diff --git a/include/linux/device.h b/include/linux/device.h
index cc84521795b14..528e0dad742e1 100644
--- a/include/linux/device.h
+++ b/include/linux/device.h
@@ -457,6 +457,21 @@ struct device_physical_location {
bool lid;
};
+/**
+ * enum struct_device_flags - Flags in struct device
+ *
+ * Each flag should have a set of accessor functions created via
+ * __create_dev_flag_accessors() for each access.
+ *
+ * @DEV_FLAG_READY_TO_PROBE: If set then device_add() has finished enough
+ * initialization that probe could be called.
+ */
+enum struct_device_flags {
+ DEV_FLAG_READY_TO_PROBE = 0,
+
+ DEV_FLAG_COUNT
+};
+
/**
* struct device - The basic device structure
* @parent: The device's "parent" device, the device to which it is attached.
@@ -545,6 +560,7 @@ struct device_physical_location {
* and optionall (if the coherent mask is large enough) also
* for dma allocations. This flag is managed by the dma ops
* instance from ->dma_supported.
+ * @flags: DEV_FLAG_XXX flags. Use atomic bitfield operations to modify.
*
* At the lowest level, every device in a Linux system is represented by an
* instance of struct device. The device structure contains the information
@@ -652,8 +668,36 @@ struct device {
#ifdef CONFIG_DMA_OPS_BYPASS
bool dma_ops_bypass : 1;
#endif
+
+ DECLARE_BITMAP(flags, DEV_FLAG_COUNT);
};
+#define __create_dev_flag_accessors(accessor_name, flag_name) \
+static inline bool dev_##accessor_name(const struct device *dev) \
+{ \
+ return test_bit(flag_name, dev->flags); \
+} \
+static inline void dev_set_##accessor_name(struct device *dev) \
+{ \
+ set_bit(flag_name, dev->flags); \
+} \
+static inline void dev_clear_##accessor_name(struct device *dev) \
+{ \
+ clear_bit(flag_name, dev->flags); \
+} \
+static inline void dev_assign_##accessor_name(struct device *dev, bool value) \
+{ \
+ assign_bit(flag_name, dev->flags, value); \
+} \
+static inline bool dev_test_and_set_##accessor_name(struct device *dev) \
+{ \
+ return test_and_set_bit(flag_name, dev->flags); \
+}
+
+__create_dev_flag_accessors(ready_to_probe, DEV_FLAG_READY_TO_PROBE);
+
+#undef __create_dev_flag_accessors
+
/**
* struct device_link - Device link representation.
* @supplier: The device on the supplier end of the link.
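Review bot: __create_dev_flag_accessors() emits five helpers per flag, but the core.c and dd.c hunks of this patch call only dev_ready_to_probe() and dev_set_ready_to_probe(); the dev_clear_, dev_assign_ and dev_test_and_set_ variants have no caller here. Nothing in the patch clears DEV_FLAG_READY_TO_PROBE either, so the kernel-doc for the flag should say that it is set once in device_add() and stays set, or the removal path should clear it. The `@flags` description ("Use atomic bitfield operations to modify") would also be clearer if it pointed at the generated dev_*() accessors rather than at raw bit operations.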
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 180/969] wifi: rtw88: check for PCI upstream bridge existence
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (178 preceding siblings ...)
2026-05-30 15:55 ` [PATCH 6.1 179/969] driver core: Dont let a device probe until its ready Greg Kroah-Hartman
@ 2026-05-30 15:55 ` Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 181/969] um: drivers: call kernel_strrchr() explicitly in cow_user.c Greg Kroah-Hartman
` (795 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Fedor Pchelkin, Ping-Ke Shih
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fedor Pchelkin <pchelkin@ispras.ru>
commit eb101d2abdcccb514ca4fccd3b278dd8267374f6 upstream.
pci_upstream_bridge() returns NULL if the device is on a root bus. If
8821CE is installed in the system with such a PCI topology, the probing
routine will crash. This has probably been unnoticed as 8821CE is mostly
supplied in laptops where there is a PCI-to-PCI bridge located upstream
from the device. However the card might be installed on a system with
a different configuration.
Check if the bridge does exist for the specific workaround to be applied.
Found by Linux Verification Center (linuxtesting.org) with Svace static
analysis tool.
Fixes: 24f5e38a13b5 ("rtw88: Disable PCIe ASPM while doing NAPI poll on 8821CE")
Cc: stable@vger.kernel.org
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260220094730.49791-1-pchelkin@ispras.ru
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/realtek/rtw88/pci.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/net/wireless/realtek/rtw88/pci.c
+++ b/drivers/net/wireless/realtek/rtw88/pci.c
@@ -1784,7 +1784,8 @@ int rtw_pci_probe(struct pci_dev *pdev,
}
/* Disable PCIe ASPM L1 while doing NAPI poll for 8821CE */
- if (rtwdev->chip->id == RTW_CHIP_TYPE_8821C && bridge->vendor == PCI_VENDOR_ID_INTEL)
+ if (rtwdev->chip->id == RTW_CHIP_TYPE_8821C &&
+ bridge && bridge->vendor == PCI_VENDOR_ID_INTEL)
rtwpci->rx_no_aspm = true;
rtw_pci_phy_cfg(rtwdev);
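Review bot: The one-line comment above the condition does not mention the new `bridge &&` test, so the reason for it lives only in the changelog. Extend the comment to say that pci_upstream_bridge() returns NULL for a device on a root bus and that `rx_no_aspm` is left unset in that case.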
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 181/969] um: drivers: call kernel_strrchr() explicitly in cow_user.c
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (179 preceding siblings ...)
2026-05-30 15:55 ` [PATCH 6.1 180/969] wifi: rtw88: check for PCI upstream bridge existence Greg Kroah-Hartman
@ 2026-05-30 15:55 ` Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 182/969] f2fs: fix to detect potential corrupted nid in free_nid_list Greg Kroah-Hartman
` (794 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johannes Berg, Michael Bommarito,
Johannes Berg
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit 91e901c65b4da02a6fd543e3f0049829ae9645b7 upstream.
Building ARCH=um on glibc >= 2.43 fails:
arch/um/drivers/cow_user.c: error: implicit declaration of
function 'strrchr' [-Wimplicit-function-declaration]
glibc 2.43's C23 const-preserving strrchr() macro does not survive
UML's global -Dstrrchr=kernel_strrchr remap from arch/um/Makefile.
Call kernel_strrchr() directly in cow_user.c so the source no longer
depends on the -D rewrite.
Fixes: 2c51a4bc0233 ("um: fix strrchr() problems")
Suggested-by: Johannes Berg <johannes@sipsolutions.net>
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://patch.msgid.link/20260408070102.2325572-1-michael.bommarito@gmail.com
[remove unnecessary 'extern']
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/um/drivers/cow_user.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/arch/um/drivers/cow_user.c
+++ b/arch/um/drivers/cow_user.c
@@ -15,6 +15,12 @@
#include "cow.h"
#include "cow_sys.h"
+/*
+ * arch/um/Makefile remaps strrchr to kernel_strrchr; call the kernel
+ * name directly to avoid glibc >= 2.43's C23 strrchr macro.
+ */
+char *kernel_strrchr(const char *, int);
+
#define PATH_LEN_V1 256
/* unsigned time_t works until year 2106 */
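Review bot: The added prototype `char *kernel_strrchr(const char *, int);` is a private copy of a declaration whose definition lives elsewhere, so nothing in this file lets the compiler check the two against each other. If a header shared by UML's userspace-side files can carry the declaration, put it there; otherwise name the file that defines kernel_strrchr() in the comment so a signature change gets propagated.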
@@ -153,7 +159,7 @@ static int absolutize(char *to, int size
errno);
return -1;
}
- slash = strrchr(from, '/');
+ slash = kernel_strrchr(from, '/');
if (slash != NULL) {
*slash = '\0';
if (chdir(from)) {
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 182/969] f2fs: fix to detect potential corrupted nid in free_nid_list
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (180 preceding siblings ...)
2026-05-30 15:55 ` [PATCH 6.1 181/969] um: drivers: call kernel_strrchr() explicitly in cow_user.c Greg Kroah-Hartman
@ 2026-05-30 15:55 ` Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 183/969] crypto: pcrypt - Fix handling of MAY_BACKLOG requests Greg Kroah-Hartman
` (793 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chao Yu, Jaegeuk Kim, Robert Garcia,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit 8fc6056dcf79937c46c97fa4996cda65956437a9 ]
As reported, on-disk footer.ino and footer.nid are the same and
out-of-range, let's add sanity check on f2fs_alloc_nid() to detect
any potential corruption in free_nid_list.
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Robert Garcia <rob_garcia@163.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/node.c | 17 ++++++++++++++++-
include/linux/f2fs_fs.h | 1 +
2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c
index 2555787c79bbe..06c94680ae4e7 100644
--- a/fs/f2fs/node.c
+++ b/fs/f2fs/node.c
@@ -27,12 +27,17 @@ static struct kmem_cache *free_nid_slab;
static struct kmem_cache *nat_entry_set_slab;
static struct kmem_cache *fsync_node_entry_slab;
+static inline bool is_invalid_nid(struct f2fs_sb_info *sbi, nid_t nid)
+{
+ return nid < F2FS_ROOT_INO(sbi) || nid >= NM_I(sbi)->max_nid;
+}
+
/*
* Check whether the given nid is within node id range.
*/
int f2fs_check_nid_range(struct f2fs_sb_info *sbi, nid_t nid)
{
- if (unlikely(nid < F2FS_ROOT_INO(sbi) || nid >= NM_I(sbi)->max_nid)) {
+ if (unlikely(is_invalid_nid(sbi, nid))) {
set_sbi_flag(sbi, SBI_NEED_FSCK);
f2fs_warn(sbi, "%s: out-of-range nid=%x, run fsck to fix.",
__func__, nid);
@@ -2593,6 +2598,16 @@ bool f2fs_alloc_nid(struct f2fs_sb_info *sbi, nid_t *nid)
f2fs_bug_on(sbi, list_empty(&nm_i->free_nid_list));
i = list_first_entry(&nm_i->free_nid_list,
struct free_nid, list);
+
+ if (unlikely(is_invalid_nid(sbi, i->nid))) {
+ spin_unlock(&nm_i->nid_list_lock);
+ f2fs_err(sbi, "Corrupted nid %u in free_nid_list",
+ i->nid);
+ f2fs_stop_checkpoint(sbi, false,
+ STOP_CP_REASON_CORRUPTED_NID);
+ return false;
+ }
+
*nid = i->nid;
__move_free_nid(sbi, i, FREE_NID, PREALLOC_NID);
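Review bot: The new corrupted-nid branch in f2fs_alloc_nid() stops checkpointing but, unlike f2fs_check_nid_range() in the previous hunk, does not call `set_sbi_flag(sbi, SBI_NEED_FSCK)`. If fsck is expected to repair this state, set the flag here as well, or note in a comment why STOP_CP_REASON_CORRUPTED_NID is sufficient. The message also prints the nid with `%u` where f2fs_check_nid_range() uses `%x`; using one format makes the two log lines easier to correlate.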
diff --git a/include/linux/f2fs_fs.h b/include/linux/f2fs_fs.h
index c61d8fc1deb3e..26c7daca99598 100644
--- a/include/linux/f2fs_fs.h
+++ b/include/linux/f2fs_fs.h
@@ -81,6 +81,7 @@ enum stop_cp_reason {
STOP_CP_REASON_CORRUPTED_SUMMARY,
STOP_CP_REASON_UPDATE_INODE,
STOP_CP_REASON_FLUSH_FAIL,
+ STOP_CP_REASON_CORRUPTED_NID,
STOP_CP_REASON_MAX,
};
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 183/969] crypto: pcrypt - Fix handling of MAY_BACKLOG requests
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (181 preceding siblings ...)
2026-05-30 15:55 ` [PATCH 6.1 182/969] f2fs: fix to detect potential corrupted nid in free_nid_list Greg Kroah-Hartman
@ 2026-05-30 15:55 ` Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 184/969] media: amphion: Fix race between m2m job_abort and device_run Greg Kroah-Hartman
` (792 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yiming Qian, Herbert Xu,
Eric Biggers
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
commit 915b692e6cb723aac658c25eb82c58fd81235110 upstream.
MAY_BACKLOG requests can return EBUSY. Handle them by checking
for that value and filtering out EINPROGRESS notifications.
Reported-by: Yiming Qian <yimingqian591@gmail.com>
Fixes: 5a1436beec57 ("crypto: pcrypt - call the complete function on error")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
crypto/pcrypt.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/crypto/pcrypt.c
+++ b/crypto/pcrypt.c
@@ -69,6 +69,9 @@ static void pcrypt_aead_done(struct cryp
struct pcrypt_request *preq = aead_request_ctx(req);
struct padata_priv *padata = pcrypt_request_padata(preq);
+ if (err == -EINPROGRESS)
+ return;
+
padata->info = err;
padata_do_serial(padata);
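Review bot: The early `return` on `err == -EINPROGRESS` in pcrypt_aead_done() has no comment, and the reason is only in the changelog. Add a line saying that this is the notification sent when a backlogged request starts processing and that the real completion arrives in a later call, so the skipped padata_do_serial() is not mistaken for a bug.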
@@ -82,7 +85,7 @@ static void pcrypt_aead_enc(struct padat
ret = crypto_aead_encrypt(req);
- if (ret == -EINPROGRESS)
+ if (ret == -EINPROGRESS || ret == -EBUSY)
return;
padata->info = ret;
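Review bot: Treating `-EBUSY` like `-EINPROGRESS` in pcrypt_aead_enc() is only correct if `-EBUSY` always means the request was queued and pcrypt_aead_done() will run for it later; otherwise `padata->info` is never set for this request. State that assumption in a comment at the `ret == -EINPROGRESS || ret == -EBUSY` test. The same applies to the identical change in pcrypt_aead_dec().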
@@ -133,7 +136,7 @@ static void pcrypt_aead_dec(struct padat
ret = crypto_aead_decrypt(req);
- if (ret == -EINPROGRESS)
+ if (ret == -EINPROGRESS || ret == -EBUSY)
return;
padata->info = ret;
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 184/969] media: amphion: Fix race between m2m job_abort and device_run
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (182 preceding siblings ...)
2026-05-30 15:55 ` [PATCH 6.1 183/969] crypto: pcrypt - Fix handling of MAY_BACKLOG requests Greg Kroah-Hartman
@ 2026-05-30 15:55 ` Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 185/969] ALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names() Greg Kroah-Hartman
` (791 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ming Qian, Nicolas Dufresne,
Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Qian <ming.qian@oss.nxp.com>
commit 8cd35ceadcfc8c5da2eb7f7ce24525ce9d4ee62e upstream.
Fix kernel panic caused by race condition where v4l2_m2m_ctx_release()
frees m2m_ctx while v4l2_m2m_try_run() is about to call device_run
with the same context.
Race sequence:
v4l2_m2m_try_run(): v4l2_m2m_ctx_release():
lock/unlock v4l2_m2m_cancel_job()
job_abort()
v4l2_m2m_job_finish()
kfree(m2m_ctx) <- frees ctx
device_run() <- use-after-free crash at 0x538
Crash trace:
Unable to handle kernel read from unreadable memory at virtual address
0000000000000538
v4l2_m2m_try_run+0x78/0x138
v4l2_m2m_device_run_work+0x14/0x20
The amphion vpu driver does not rely on the m2m framework's device_run
callback to perform encode/decode operations.
Fix the race by preventing m2m framework job scheduling entirely:
- Add job_ready callback returning 0 (no jobs ready for m2m framework)
- Remove job_abort callback to avoid the race condition
Fixes: 3cd084519c6f ("media: amphion: add vpu v4l2 m2m support")
Cc: stable@vger.kernel.org
Signed-off-by: Ming Qian <ming.qian@oss.nxp.com>
Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/amphion/vpu_v4l2.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
--- a/drivers/media/platform/amphion/vpu_v4l2.c
+++ b/drivers/media/platform/amphion/vpu_v4l2.c
@@ -356,17 +356,14 @@ static void vpu_m2m_device_run(void *pri
{
}
-static void vpu_m2m_job_abort(void *priv)
+static int vpu_m2m_job_ready(void *priv)
{
- struct vpu_inst *inst = priv;
- struct v4l2_m2m_ctx *m2m_ctx = inst->fh.m2m_ctx;
-
- v4l2_m2m_job_finish(m2m_ctx->m2m_dev, m2m_ctx);
+ return 0;
}
static const struct v4l2_m2m_ops vpu_m2m_ops = {
.device_run = vpu_m2m_device_run,
- .job_abort = vpu_m2m_job_abort
+ .job_ready = vpu_m2m_job_ready,
};
static int vpu_vb2_queue_setup(struct vb2_queue *vq,
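Review bot: vpu_m2m_job_ready() returns 0 unconditionally and vpu_m2m_device_run() stays empty, with nothing in the code saying this is deliberate. Add a comment above vpu_m2m_job_ready() stating that the driver never lets the m2m framework schedule jobs and that `.job_abort` is left out on purpose, so the callback is not re-added later.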
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 185/969] ALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (183 preceding siblings ...)
2026-05-30 15:55 ` [PATCH 6.1 184/969] media: amphion: Fix race between m2m job_abort and device_run Greg Kroah-Hartman
@ 2026-05-30 15:55 ` Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 186/969] net: caif: clear client service pointer on teardown Greg Kroah-Hartman
` (790 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ziqing Chen, Takashi Iwai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ziqing Chen <chenziqing@xiaomi.com>
commit e0da8a8cac74f4b9f577979d131f0d2b88a84487 upstream.
snd_ctl_elem_init_enum_names() advances pointer p through the names
buffer while decrementing buf_len. If buf_len reaches zero but items
remain, the next iteration calls strnlen(p, 0).
While strnlen(p, 0) returns 0 and would hit the existing name_len == 0
error path, CONFIG_FORTIFY_SOURCE's fortified strnlen() first checks
maxlen against __builtin_dynamic_object_size(). When Clang loses track
of p's object size inside the loop, this triggers a BRK exception panic
before the return value is examined.
Add a buf_len == 0 guard at the loop entry to prevent calling fortified
strnlen() on an exhausted buffer.
Found by kernel fuzz testing through Xiaomi Smartphone.
Fixes: 8d448162bda5 ("ALSA: control: add support for ENUMERATED user space controls")
Cc: stable@vger.kernel.org
Signed-off-by: Ziqing Chen <chenziqing@xiaomi.com>
Link: https://patch.msgid.link/20260414132437.261304-1-chenziqing@xiaomi.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/core/control.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/sound/core/control.c
+++ b/sound/core/control.c
@@ -1592,6 +1592,10 @@ static int snd_ctl_elem_init_enum_names(
/* check that there are enough valid names */
p = names;
for (i = 0; i < ue->info.value.enumerated.items; ++i) {
+ if (buf_len == 0) {
+ kvfree(names);
+ return -EINVAL;
+ }
name_len = strnlen(p, buf_len);
if (name_len == 0 || name_len >= 64 || name_len == buf_len) {
kvfree(names);
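Review bot: The new `buf_len == 0` test looks redundant next to the existing `name_len == 0` check, and only the changelog explains that it keeps the fortified strnlen() from being called on an exhausted buffer. Put that reason in a one-line comment above the guard so it is not later removed as dead code.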
^ permalink raw reply [flat|nested] 982+ messages in thread
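A user-space model of the name-validation loop that patch 185 touches, added here as an illustration; it is not kernel code and not part of the patch. `check_enum_names()`, `bounded_len()` (a stand-in for strnlen()) and the sample buffers are hypothetical, and the pointer advance and length decrement follow the changelog's description rather than lines shown in the hunk.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME_LEN 64	/* the "name_len >= 64" limit visible in the hunk */

/* Stand-in for strnlen(): length of p, looking at no more than max bytes. */
static size_t bounded_len(const char *p, size_t max)
{
	const char *nul = memchr(p, '\0', max);

	return nul ? (size_t)(nul - p) : max;
}

/*
 * Hypothetical model: check that `names` (buf_len bytes) holds at least
 * `items` NUL-terminated, non-empty names, each shorter than 64 bytes.
 * Returns 0 on success and -EINVAL otherwise.
 */
static int check_enum_names(const char *names, size_t buf_len,
			    unsigned int items)
{
	const char *p = names;
	size_t name_len;
	unsigned int i;

	for (i = 0; i < items; ++i) {
		/* Guard added by the patch: never scan an exhausted buffer. */
		if (buf_len == 0)
			return -EINVAL;

		name_len = bounded_len(p, buf_len);

		/* Empty name, over-long name, or no NUL inside the buffer. */
		if (name_len == 0 || name_len >= MAX_NAME_LEN ||
		    name_len == buf_len)
			return -EINVAL;

		/*
		 * Step over the name and its terminator. name_len < buf_len
		 * holds here, so the subtraction cannot wrap.
		 */
		p += name_len + 1;
		buf_len -= name_len + 1;
	}
	return 0;
}

int main(void)
{
	/* Constructed sample: two names, 9 bytes including both NULs. */
	static const char two_names[] = "Line\0Mic";
	/* Constructed sample: three bytes with no terminator in range. */
	static const char unterminated[3] = { 'a', 'b', 'c' };

	printf("2 items in 2 names: %d\n",
	       check_enum_names(two_names, sizeof(two_names), 2));
	/* The third iteration starts with buf_len == 0 and hits the guard. */
	printf("3 items in 2 names: %d\n",
	       check_enum_names(two_names, sizeof(two_names), 3));
	printf("unterminated name:  %d\n",
	       check_enum_names(unterminated, sizeof(unterminated), 1));
	return 0;
}
```

The second call is the case from the changelog: the buffer is used up exactly after the last valid name while `items` still asks for one more.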
* [PATCH 6.1 186/969] net: caif: clear client service pointer on teardown
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (184 preceding siblings ...)
2026-05-30 15:55 ` [PATCH 6.1 185/969] ALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names() Greg Kroah-Hartman
@ 2026-05-30 15:55 ` Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 187/969] net: strparser: fix skb_head leak in strp_abort_strp() Greg Kroah-Hartman
` (789 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yifan Wu, Juefei Pu,
Yuan Tan, Xin Liu, Ren Wei, Zhengchuan Liang, Ren Wei,
Paolo Abeni
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhengchuan Liang <zcliangcn@gmail.com>
commit f7cf8ece8cee3c1ee361991470cdb1eb65ab02e8 upstream.
`caif_connect()` can tear down an existing client after remote shutdown by
calling `caif_disconnect_client()` followed by `caif_free_client()`.
`caif_free_client()` releases the service layer referenced by
`adap_layer->dn`, but leaves that pointer stale.
When the socket is later destroyed, `caif_sock_destructor()` calls
`caif_free_client()` again and dereferences the freed service pointer.
Clear the client/service links before releasing the service object so
repeated teardown becomes harmless.
Fixes: 43e369210108 ("caif: Move refcount from service layer to sock and dev.")
Cc: stable@kernel.org
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Tested-by: Ren Wei <enjou1224z@gmail.com>
Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Link: https://patch.msgid.link/9f3d37847c0037568aae698ca23cd47c6691acb0.1775897577.git.zcliangcn@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/caif/cfsrvl.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
--- a/net/caif/cfsrvl.c
+++ b/net/caif/cfsrvl.c
@@ -197,10 +197,20 @@ bool cfsrvl_phyid_match(struct cflayer *
void caif_free_client(struct cflayer *adap_layer)
{
+ struct cflayer *serv_layer;
struct cfsrvl *servl;
- if (adap_layer == NULL || adap_layer->dn == NULL)
+
+ if (!adap_layer)
+ return;
+
+ serv_layer = adap_layer->dn;
+ if (!serv_layer)
return;
- servl = container_obj(adap_layer->dn);
+
+ layer_set_dn(adap_layer, NULL);
+ layer_set_up(serv_layer, NULL);
+
+ servl = container_obj(serv_layer);
servl->release(&servl->layer);
}
EXPORT_SYMBOL(caif_free_client);
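Review bot: The read of `adap_layer->dn` and the layer_set_dn()/layer_set_up() calls that clear the links are not under any lock in this hunk, so two callers entering caif_free_client() at the same time could both see a non-NULL `serv_layer` and both reach `servl->release()`. The changelog describes the two calls as sequential (the caif_connect() teardown, then caif_sock_destructor()); say in a comment what serializes them, or take the lock that does.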
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 187/969] net: strparser: fix skb_head leak in strp_abort_strp()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (185 preceding siblings ...)
2026-05-30 15:55 ` [PATCH 6.1 186/969] net: caif: clear client service pointer on teardown Greg Kroah-Hartman
@ 2026-05-30 15:55 ` Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 188/969] PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown Greg Kroah-Hartman
` (788 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yifan Wu, Juefei Pu,
Yuan Tan, Xin Liu, Luxiao Xu, Ren Wei, Paolo Abeni
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luxiao Xu <rakukuip@gmail.com>
commit fe72340daaf1af588be88056faf98965f39e6032 upstream.
When the stream parser is aborted, for example after a message assembly timeout,
it can still hold a reference to a partially assembled message in
strp->skb_head.
That skb is not released in strp_abort_strp(), which leaks the partially
assembled message and can be triggered repeatedly to exhaust memory.
Fix this by freeing strp->skb_head and resetting the parser state in the
abort path. Leave strp_stop() unchanged so final cleanup still happens in
strp_done() after the work and timer have been synchronized.
Fixes: 43a0c6751a32 ("strparser: Stream parser for messages")
Cc: stable@kernel.org
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Tested-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Luxiao Xu <rakukuip@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Link: https://patch.msgid.link/ade3857a9404999ce9a1c27ec523efc896072678.1775482694.git.rakukuip@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/strparser/strparser.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/net/strparser/strparser.c
+++ b/net/strparser/strparser.c
@@ -45,6 +45,14 @@ static void strp_abort_strp(struct strpa
strp->stopped = 1;
+ if (strp->skb_head) {
+ kfree_skb(strp->skb_head);
+ strp->skb_head = NULL;
+ }
+
+ strp->skb_nextp = NULL;
+ strp->need_bytes = 0;
+
if (strp->sk) {
struct sock *sk = strp->sk;
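Review bot: Nothing in this hunk shows what keeps the receive path from touching `strp->skb_head`, `skb_nextp` and `need_bytes` while strp_abort_strp() frees and resets them. The changelog notes that strp_done() runs only after the work and timer have been synchronized; document the equivalent guarantee for the abort path, naming the lock or context its callers hold. Minor: kfree_skb() accepts NULL, so the `if (strp->skb_head)` test can go and the block becomes two unconditional statements.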
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 188/969] PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (186 preceding siblings ...)
2026-05-30 15:55 ` [PATCH 6.1 187/969] net: strparser: fix skb_head leak in strp_abort_strp() Greg Kroah-Hartman
@ 2026-05-30 15:55 ` Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 189/969] Revert "ALSA: usb: Increase volume range that triggers a warning" Greg Kroah-Hartman
` (787 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Koichiro Den, Manivannan Sadhasivam,
Frank Li
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Koichiro Den <den@valinux.co.jp>
commit 3446beddba450c8d6f9aca2f028712ac527fead3 upstream.
epf_ntb_epc_destroy() duplicates the teardown that the caller is
supposed to do later. This leads to an oops when .allow_link fails or
when .drop_link is performed. Remove the helper.
Also drop pci_epc_put(). EPC device refcounting is tied to configfs EPC
group lifetime, and pci_epc_put() in the .drop_link path is sufficient.
Fixes: 8b821cf76150 ("PCI: endpoint: Add EP function driver to provide NTB functionality")
Signed-off-by: Koichiro Den <den@valinux.co.jp>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260226084142.2226875-3-den@valinux.co.jp
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/endpoint/functions/pci-epf-ntb.c | 56 ---------------------------
1 file changed, 2 insertions(+), 54 deletions(-)
--- a/drivers/pci/endpoint/functions/pci-epf-ntb.c
+++ b/drivers/pci/endpoint/functions/pci-epf-ntb.c
@@ -1495,47 +1495,6 @@ err_alloc_peer_mem:
}
/**
- * epf_ntb_epc_destroy_interface() - Cleanup NTB EPC interface
- * @ntb: NTB device that facilitates communication between HOST1 and HOST2
- * @type: PRIMARY interface or SECONDARY interface
- *
- * Unbind NTB function device from EPC and relinquish reference to pci_epc
- * for each of the interface.
- */
-static void epf_ntb_epc_destroy_interface(struct epf_ntb *ntb,
- enum pci_epc_interface_type type)
-{
- struct epf_ntb_epc *ntb_epc;
- struct pci_epc *epc;
- struct pci_epf *epf;
-
- if (type < 0)
- return;
-
- epf = ntb->epf;
- ntb_epc = ntb->epc[type];
- if (!ntb_epc)
- return;
- epc = ntb_epc->epc;
- pci_epc_remove_epf(epc, epf, type);
- pci_epc_put(epc);
-}
-
-/**
- * epf_ntb_epc_destroy() - Cleanup NTB EPC interface
- * @ntb: NTB device that facilitates communication between HOST1 and HOST2
- *
- * Wrapper for epf_ntb_epc_destroy_interface() to cleanup all the NTB interfaces
- */
-static void epf_ntb_epc_destroy(struct epf_ntb *ntb)
-{
- enum pci_epc_interface_type type;
-
- for (type = PRIMARY_INTERFACE; type <= SECONDARY_INTERFACE; type++)
- epf_ntb_epc_destroy_interface(ntb, type);
-}
-
-/**
* epf_ntb_epc_create_interface() - Create and initialize NTB EPC interface
* @ntb: NTB device that facilitates communication between HOST1 and HOST2
* @epc: struct pci_epc to which a particular NTB interface should be associated
@@ -1614,15 +1573,8 @@ static int epf_ntb_epc_create(struct epf
ret = epf_ntb_epc_create_interface(ntb, epf->sec_epc,
SECONDARY_INTERFACE);
- if (ret) {
+ if (ret)
dev_err(dev, "SECONDARY intf: Fail to create NTB EPC\n");
- goto err_epc_create;
- }
-
- return 0;
-
-err_epc_create:
- epf_ntb_epc_destroy_interface(ntb, PRIMARY_INTERFACE);
return ret;
}
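Review bot: after this hunk a failure on the SECONDARY interface returns with the PRIMARY interface still created, and nothing at the `return ret;` says who undoes it. The commit message puts that teardown on the caller, so a short comment here (or in the function's kernel-doc) naming the path that cleans up would stop someone from re-adding the `err_epc_create` unwind and bringing back the double teardown.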
@@ -1887,7 +1839,7 @@ static int epf_ntb_bind(struct pci_epf *
ret = epf_ntb_init_epc_bar(ntb);
if (ret) {
dev_err(dev, "Failed to create NTB EPC\n");
- goto err_bar_init;
+ return ret;
}
ret = epf_ntb_config_spad_bar_alloc_interface(ntb);
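Review bot: the error string on this path, "Failed to create NTB EPC", does not match the call that failed, epf_ntb_init_epc_bar(). Since the branch is being reworked to return directly, this is a good moment to make the message name the BAR initialisation so the log points at the right step.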
@@ -1909,9 +1861,6 @@ static int epf_ntb_bind(struct pci_epf *
err_bar_alloc:
epf_ntb_config_spad_bar_free(ntb);
-err_bar_init:
- epf_ntb_epc_destroy(ntb);
-
return ret;
}
@@ -1927,7 +1876,6 @@ static void epf_ntb_unbind(struct pci_ep
epf_ntb_epc_cleanup(ntb);
epf_ntb_config_spad_bar_free(ntb);
- epf_ntb_epc_destroy(ntb);
}
#define EPF_NTB_R(_name) \
* [PATCH 6.1 189/969] Revert "ALSA: usb: Increase volume range that triggers a warning"
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rong Zhang, Arun Raghavan,
Takashi Iwai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rong Zhang <i@rong.moe>
commit 41d78cb724f4b40b7548af420ccfe524b14023bb upstream.
UAC uses 2 bytes to store volume values, so the maximum volume range is
0xFFFF (65535, val = -32768/32767/1).
The reverted commit bumped the range of triggering the warning to >
65535, effectively making the range check a no-op. It didn't fix
anything but covered any potential problems and deviated from the
original intention of the range check.
This reverts commit 6b971191fcfc9e3c2c0143eea22534f1f48dbb62.
Fixes: 6b971191fcfc ("ALSA: usb: Increase volume range that triggers a warning")
Cc: stable@vger.kernel.org
Signed-off-by: Rong Zhang <i@rong.moe>
Acked-by: Arun Raghavan <arunr@valvesoftware.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20260303194805.266158-2-i@rong.moe
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/mixer.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -1814,10 +1814,11 @@ static void __build_feature_ctl(struct u
range = (cval->max - cval->min) / cval->res;
/*
- * There are definitely devices with a range of ~20,000, so let's be
- * conservative and allow for a bit more.
+ * Are there devices with volume range more than 255? I use a bit more
+ * to be sure. 384 is a resolution magic number found on Logitech
+ * devices. It will definitively catch all buggy Logitech devices.
*/
- if (range > 65535) {
+ if (range > 384) {
usb_audio_warn(mixer->chip,
"Warning! Unlikely big volume range (=%u), cval->res is probably wrong.",
range);
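Review bot: the restored comment asks "Are there devices with volume range more than 255?" while the comment it replaces states that devices with a range of ~20,000 exist, so with `range > 384` the warning will fire on those devices as well as on devices whose cval->res is wrong. As far as this hunk shows the check only warns, which is acceptable, but the comment should say so: record that legitimately large ranges exist and that the message is a hint to inspect cval->res, so the threshold is not raised again later.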
* [PATCH 6.1 190/969] lib/ts_kmp: fix integer overflow in pattern length calculation
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Josh Law, Andrew Morton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josh Law <objecting@objecting.org>
commit 8cdf30813ea8ce881cecc08664144416dbdb3e16 upstream.
The ts_kmp algorithm stores its prefix_tbl[] table and pattern in a single
allocation sized from the pattern length. If the prefix_tbl[] size
calculation wraps, the resulting allocation can be too small and
subsequent pattern copies can overflow it.
Fix this by rejecting zero-length patterns and by using overflow helpers
before calculating the combined allocation size.
This fixes a potential heap overflow. The pattern length calculation can
wrap during a size_t addition, leading to an undersized allocation.
Because the textsearch library is reachable from userspace via Netfilter's
xt_string module, this is a security risk that should be backported to LTS
kernels.
Link: https://lkml.kernel.org/r/20260308202028.2889285-2-objecting@objecting.org
Signed-off-by: Josh Law <objecting@objecting.org>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
lib/ts_kmp.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
--- a/lib/ts_kmp.c
+++ b/lib/ts_kmp.c
@@ -94,8 +94,22 @@ static struct ts_config *kmp_init(const
struct ts_config *conf;
struct ts_kmp *kmp;
int i;
- unsigned int prefix_tbl_len = len * sizeof(unsigned int);
- size_t priv_size = sizeof(*kmp) + len + prefix_tbl_len;
+ unsigned int prefix_tbl_len;
+ size_t priv_size;
+
+ /* Zero-length patterns would make kmp_find() read beyond kmp->pattern. */
+ if (unlikely(!len))
+ return ERR_PTR(-EINVAL);
+
+ /*
+ * kmp->pattern is stored immediately after the prefix_tbl[] table.
+ * Reject lengths that would wrap while sizing either region.
+ */
+ if (unlikely(check_mul_overflow(len, sizeof(*kmp->prefix_tbl),
+ &prefix_tbl_len) ||
+ check_add_overflow(sizeof(*kmp), (size_t)len, &priv_size) ||
+ check_add_overflow(priv_size, prefix_tbl_len, &priv_size)))
+ return ERR_PTR(-EINVAL);
conf = alloc_ts_config(priv_size, gfp_mask);
if (IS_ERR(conf))
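Review bot: the three overflow checks mix operand types inconsistently: the multiplication passes `len` uncast next to a `sizeof` and stores into the `unsigned int prefix_tbl_len`, while the first addition casts with `(size_t)len`. Either cast in both places or make prefix_tbl_len a size_t so all three helpers work on one type. For this backport it is also worth confirming that the overflow helpers in linux-6.1.y accept mixed-type arguments.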
* [PATCH 6.1 191/969] media: i2c: imx219: Check return value of devm_gpiod_get_optional() in imx219_probe()
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen Ni, Dave Stevenson, Jai Luthra,
Sakari Ailus, Mauro Carvalho Chehab
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Ni <nichen@iscas.ac.cn>
commit 943b1f27a3eead21b22e2531a5432ea5910b60eb upstream.
The devm_gpiod_get_optional() function may return an error pointer
(ERR_PTR) in case of a genuine failure during GPIO acquisition,
not just NULL which indicates the legitimate absence of an optional
GPIO.
Add an IS_ERR() check after the function call to catch such errors and
propagate them to the probe function, ensuring the driver fails to load
safely rather than proceeding with an invalid pointer.
Fixes: 1283b3b8f82b ("media: i2c: Add driver for Sony IMX219 sensor")
Cc: stable@vger.kernel.org
Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
Reviewed-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
Reviewed-by: Jai Luthra <jai.luthra@ideasonboard.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/imx219.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/media/i2c/imx219.c
+++ b/drivers/media/i2c/imx219.c
@@ -1435,6 +1435,9 @@ static int imx219_probe(struct i2c_clien
/* Request optional enable pin */
imx219->reset_gpio = devm_gpiod_get_optional(dev, "reset",
GPIOD_OUT_HIGH);
+ if (IS_ERR(imx219->reset_gpio))
+ return dev_err_probe(dev, PTR_ERR(imx219->reset_gpio),
+ "failed to get reset gpio\n");
/*
* The sensor must be powered for imx219_identify_module()
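Review bot: the new IS_ERR() branch returns straight out of imx219_probe(), so it is correct only if nothing acquired earlier in probe needs manual unwinding at this point; the hunk does not show that, and it should be checked against the function's existing error labels. Small nit while here: the comment above the call says "optional enable pin" but the line requested is "reset" and the new message says "reset gpio"; the two should agree.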
* [PATCH 6.1 192/969] net: qrtr: ns: Fix use-after-free in driver remove()
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Manivannan Sadhasivam,
Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
commit 7809fea20c9404bfcfa6112ec08d1fe1d3520beb upstream.
In the remove callback, if a packet arrives after destroy_workqueue() is
called, but before sock_release(), the qrtr_ns_data_ready() callback will
try to queue the work, causing a use-after-free issue.
Fix this issue by saving the default 'sk_data_ready' callback during
qrtr_ns_init() and use it to replace the qrtr_ns_data_ready() callback at
the start of remove(). This ensures that even if a packet arrives after
destroy_workqueue(), the work struct will not be dereferenced.
Note that it is also required to ensure that the RX threads are completed
before destroying the workqueue, because the threads could be using the
qrtr_ns_data_ready() callback.
Cc: stable@vger.kernel.org
Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspace")
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
Link: https://patch.msgid.link/20260409-qrtr-fix-v3-5-00a8a5ff2b51@oss.qualcomm.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/qrtr/ns.c | 11 +++++++++++
1 file changed, 11 insertions(+)
--- a/net/qrtr/ns.c
+++ b/net/qrtr/ns.c
@@ -23,6 +23,7 @@ static struct {
struct list_head lookups;
struct workqueue_struct *workqueue;
struct work_struct work;
+ void (*saved_data_ready)(struct sock *sk);
int local_node;
} qrtr_ns;
@@ -788,6 +789,7 @@ int qrtr_ns_init(void)
goto err_sock;
}
+ qrtr_ns.saved_data_ready = qrtr_ns.sock->sk->sk_data_ready;
qrtr_ns.sock->sk->sk_data_ready = qrtr_ns_data_ready;
sq.sq_port = QRTR_PORT_CTRL;
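Review bot: the callback is saved and installed here with plain stores, while both places that restore it take `write_lock_bh(&qrtr_ns.sock->sk->sk_callback_lock)`. Taking the same lock around the save and the install would make the three sites consistent; if the unlocked store is intentional because nothing can be received on the socket yet, a comment should say so.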
@@ -828,6 +830,10 @@ int qrtr_ns_init(void)
return 0;
err_wq:
+ write_lock_bh(&qrtr_ns.sock->sk->sk_callback_lock);
+ qrtr_ns.sock->sk->sk_data_ready = qrtr_ns.saved_data_ready;
+ write_unlock_bh(&qrtr_ns.sock->sk->sk_callback_lock);
+
destroy_workqueue(qrtr_ns.workqueue);
err_sock:
sock_release(qrtr_ns.sock);
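Review bot: the err_wq path restores the callback and then calls destroy_workqueue() immediately, whereas qrtr_ns_remove() runs cancel_work_sync() and the newly added synchronize_net() between those two steps. The commit message says RX threads must have finished with qrtr_ns_data_ready() before the workqueue is destroyed; if that holds for remove() it holds here too, so either add `synchronize_net();` before `destroy_workqueue(qrtr_ns.workqueue);` or comment why no receiver can be in flight on this path.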
@@ -837,7 +843,12 @@ EXPORT_SYMBOL_GPL(qrtr_ns_init);
void qrtr_ns_remove(void)
{
+ write_lock_bh(&qrtr_ns.sock->sk->sk_callback_lock);
+ qrtr_ns.sock->sk->sk_data_ready = qrtr_ns.saved_data_ready;
+ write_unlock_bh(&qrtr_ns.sock->sk->sk_callback_lock);
+
cancel_work_sync(&qrtr_ns.work);
+ synchronize_net();
destroy_workqueue(qrtr_ns.workqueue);
/* sock_release() expects the two references that were put during
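Review bot: synchronize_net() is placed after cancel_work_sync(), so a receiver that entered qrtr_ns_data_ready() before the callback was swapped can still queue the work after it has been cancelled. destroy_workqueue() will then drain and run that work. If the intent is that no work runs once remove() has started, call synchronize_net() first and cancel_work_sync() second; otherwise note in a comment that late work is drained by destroy_workqueue().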
* [PATCH 6.1 193/969] ext2: reject inodes with zero i_nlink and valid mode in ext2_iget()
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Vasiliy Kovalev, Jan Kara
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vasiliy Kovalev <kovalev@altlinux.org>
commit 25947cc5b2374cd5bf627fe3141496444260d04f upstream.
ext2_iget() already rejects inodes with i_nlink == 0 when i_mode is
zero or i_dtime is set, treating them as deleted. However, the case of
i_nlink == 0 with a non-zero mode and zero dtime slips through. Since
ext2 has no orphan list, such a combination can only result from
filesystem corruption - a legitimate inode deletion always sets either
i_dtime or clears i_mode before freeing the inode.
A crafted image can exploit this gap to present such an inode to the
VFS, which then triggers WARN_ON inside drop_nlink() (fs/inode.c) via
ext2_unlink(), ext2_rename() and ext2_rmdir():
WARNING: CPU: 3 PID: 609 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336
CPU: 3 UID: 0 PID: 609 Comm: syz-executor Not tainted 6.12.77+ #1
Call Trace:
<TASK>
inode_dec_link_count include/linux/fs.h:2518 [inline]
ext2_unlink+0x26c/0x300 fs/ext2/namei.c:295
vfs_unlink+0x2fc/0x9b0 fs/namei.c:4477
do_unlinkat+0x53e/0x730 fs/namei.c:4541
__x64_sys_unlink+0xc6/0x110 fs/namei.c:4587
do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
WARNING: CPU: 0 PID: 646 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336
CPU: 0 UID: 0 PID: 646 Comm: syz.0.17 Not tainted 6.12.77+ #1
Call Trace:
<TASK>
inode_dec_link_count include/linux/fs.h:2518 [inline]
ext2_rename+0x35e/0x850 fs/ext2/namei.c:374
vfs_rename+0xf2f/0x2060 fs/namei.c:5021
do_renameat2+0xbe2/0xd50 fs/namei.c:5178
__x64_sys_rename+0x7e/0xa0 fs/namei.c:5223
do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
WARNING: CPU: 0 PID: 634 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336
CPU: 0 UID: 0 PID: 634 Comm: syz-executor Not tainted 6.12.77+ #1
Call Trace:
<TASK>
inode_dec_link_count include/linux/fs.h:2518 [inline]
ext2_rmdir+0xca/0x110 fs/ext2/namei.c:311
vfs_rmdir+0x204/0x690 fs/namei.c:4348
do_rmdir+0x372/0x3e0 fs/namei.c:4407
__x64_sys_unlinkat+0xf0/0x130 fs/namei.c:4577
do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
Extend the existing i_nlink == 0 check to also catch this case,
reporting the corruption via ext2_error() and returning -EFSCORRUPTED.
This rejects the inode at load time and prevents it from reaching any
of the namei.c paths.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
Link: https://patch.msgid.link/20260404152011.2590197-1-kovalev@altlinux.org
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext2/inode.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
--- a/fs/ext2/inode.c
+++ b/fs/ext2/inode.c
@@ -1419,9 +1419,17 @@ struct inode *ext2_iget (struct super_bl
* the test is that same one that e2fsck uses
* NeilBrown 1999oct15
*/
- if (inode->i_nlink == 0 && (inode->i_mode == 0 || ei->i_dtime)) {
- /* this inode is deleted */
- ret = -ESTALE;
+ if (inode->i_nlink == 0) {
+ if (inode->i_mode == 0 || ei->i_dtime) {
+ /* this inode is deleted */
+ ret = -ESTALE;
+ } else {
+ ext2_error(sb, __func__,
+ "inode %lu has zero i_nlink with mode 0%o and no dtime, "
+ "filesystem may be corrupt",
+ ino, inode->i_mode);
+ ret = -EFSCORRUPTED;
+ }
goto bad_inode;
}
inode->i_blocks = le32_to_cpu(raw_inode->i_blocks);
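Review bot: the ext2_error() format string is split across two literals ("... and no dtime, " followed by "filesystem may be corrupt"), which makes the message hard to grep for from a log line; kernel style keeps user-visible strings on one line even when that exceeds the column limit. Joining the two literals is enough.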
* [PATCH 6.1 194/969] ALSA: aoa: i2sbus: fix OF node lifetime handling
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
commit 4ec93f070eda6b765b62efcaed9241c3b3b0b6ad upstream.
i2sbus_add_dev() keeps the matched "sound" child pointer after
for_each_child_of_node() has dropped the iterator reference. Take an
extra reference before saving that node and drop it after the
layout-id/device-id lookup is complete.
The function also stores np in dev->sound.ofdev.dev.of_node without
taking a reference for the embedded soundbus device. Since i2sbus
overrides the embedded platform device release callback, balance that
reference explicitly in the local error path and in i2sbus_release_dev().
Fixes: f3d9478b2ce4 ("[ALSA] snd-aoa: add snd-aoa")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260330-aoa-i2sbus-ofnode-lifetime-v1-1-51c309f4ff06@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/aoa/soundbus/i2sbus/core.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/sound/aoa/soundbus/i2sbus/core.c
+++ b/sound/aoa/soundbus/i2sbus/core.c
@@ -83,6 +83,7 @@ static void i2sbus_release_dev(struct de
for (i = aoa_resource_i2smmio; i <= aoa_resource_rxdbdma; i++)
free_irq(i2sdev->interrupts[i], i2sdev);
i2sbus_control_remove_dev(i2sdev->control, i2sdev);
+ of_node_put(i2sdev->sound.ofdev.dev.of_node);
mutex_destroy(&i2sdev->lock);
kfree(i2sdev);
}
@@ -148,7 +149,6 @@ static int i2sbus_get_and_fixup_rsrc(str
}
/* Returns 1 if added, 0 for otherwise; don't return a negative value! */
-/* FIXME: look at device node refcounting */
static int i2sbus_add_dev(struct macio_dev *macio,
struct i2sbus_control *control,
struct device_node *np)
@@ -179,8 +179,9 @@ static int i2sbus_add_dev(struct macio_d
i = 0;
for_each_child_of_node(np, child) {
if (of_node_name_eq(child, "sound")) {
+ of_node_put(sound);
i++;
- sound = child;
+ sound = of_node_get(child);
}
}
if (i == 1) {
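Review bot: `of_node_put(sound);` now runs before `sound` is first assigned inside the loop, so the hunk relies on `sound` being initialised to NULL at its declaration, which is outside the lines shown; please confirm, since an uninitialised pointer here would be handed to of_node_put(). A short comment that the put releases the previously matched child when more than one "sound" node exists would also help.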
@@ -206,6 +207,7 @@ static int i2sbus_add_dev(struct macio_d
}
}
}
+ of_node_put(sound);
/* for the time being, until we can handle non-layout-id
* things in some fabric, refuse to attach if there is no
* layout-id property or we haven't been forced to attach.
@@ -220,7 +222,7 @@ static int i2sbus_add_dev(struct macio_d
mutex_init(&dev->lock);
spin_lock_init(&dev->low_lock);
dev->sound.ofdev.archdata.dma_mask = macio->ofdev.archdata.dma_mask;
- dev->sound.ofdev.dev.of_node = np;
+ dev->sound.ofdev.dev.of_node = of_node_get(np);
dev->sound.ofdev.dev.dma_mask = &dev->sound.ofdev.archdata.dma_mask;
dev->sound.ofdev.dev.parent = &macio->ofdev.dev;
dev->sound.ofdev.dev.release = i2sbus_release_dev;
@@ -328,6 +330,7 @@ static int i2sbus_add_dev(struct macio_d
for (i=0;i<3;i++)
release_and_free_resource(dev->allocated_resource[i]);
mutex_destroy(&dev->lock);
+ of_node_put(dev->sound.ofdev.dev.of_node);
kfree(dev);
return 0;
}
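Review bot: this error path drops the of_node reference by hand and i2sbus_release_dev() drops it too, so the label must only be reachable before the embedded device is registered; otherwise the release callback and this line would both put the node. The hunk does not show the jumps into this label, so a comment above `of_node_put(dev->sound.ofdev.dev.of_node);` stating that invariant would make the balance checkable.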
* [PATCH 6.1 195/969] ALSA: ctxfi: Add fallback to default RSR for S/PDIF
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Harin Lee, Takashi Iwai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Harin Lee <me@harin.net>
commit 7d61662197ecdc458e33e475b6ada7f6da61d364 upstream.
spdif_passthru_playback_get_resources() uses atc->pll_rate as the RSR
for the MSR calculation loop. However, pll_rate is only updated in
atc_pll_init() and not in hw_pll_init(), so it remains 0 after the
card init.
When spdif_passthru_playback_setup() skips atc_pll_init() for
32000 Hz, (rsr * desc.msr) always becomes 0, causing the loop to spin
indefinitely.
Add fallback to use atc->rsr when atc->pll_rate is 0. This reflects
the hardware state, since hw_card_init() already configures the PLL
to the default RSR.
Fixes: 8cc72361481f ("ALSA: SB X-Fi driver merge")
Cc: stable@vger.kernel.org
Signed-off-by: Harin Lee <me@harin.net>
Link: https://patch.msgid.link/20260406074913.217374-1-me@harin.net
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/ctxfi/ctatc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/sound/pci/ctxfi/ctatc.c
+++ b/sound/pci/ctxfi/ctatc.c
@@ -791,7 +791,8 @@ static int spdif_passthru_playback_get_r
struct src *src;
int err;
int n_amixer = apcm->substream->runtime->channels, i;
- unsigned int pitch, rsr = atc->pll_rate;
+ unsigned int pitch;
+ unsigned int rsr = atc->pll_rate ? atc->pll_rate : atc->rsr;
/* first release old resources */
atc_pcm_release_resources(atc, apcm);
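Review bot: the fallback removes one way for `rsr` to be 0, but the loop the commit message describes still has no exit if `rsr * desc.msr` is 0 for any other reason, for example if atc->rsr itself were 0. Rejecting `rsr == 0` with an error before the MSR loop would turn a hang into a failed setup. Style nit: `atc->pll_rate ?: atc->rsr` is the usual kernel spelling of this expression.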
* [PATCH 6.1 196/969] ALSA: seq_oss: return full count for successful SEQ_FULLSIZE writes
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
commit bbc6c0dda54fc0ad8f8aed0b796c23e186e1a188 upstream.
snd_seq_oss_write() currently returns the raw load_patch() callback
result for SEQ_FULLSIZE events.
That callback is documented as returning 0 on success and -errno on
failure, but snd_seq_oss_write() is the file write path and should
report the number of user bytes consumed on success. Some in-tree
backends also return backend-specific positive values, which can still
be shorter than the original write size.
Return the full byte count for successful SEQ_FULLSIZE writes.
Preserve negative errors and convert any nonnegative completion to the
original count.
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260324-alsa-seq-oss-fullsize-write-return-v1-1-66d448510538@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/core/seq/oss/seq_oss_rw.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/sound/core/seq/oss/seq_oss_rw.c
+++ b/sound/core/seq/oss/seq_oss_rw.c
@@ -101,9 +101,9 @@ snd_seq_oss_write(struct seq_oss_devinfo
break;
}
fmt = (*(unsigned short *)rec.c) & 0xffff;
- /* FIXME the return value isn't correct */
- return snd_seq_oss_synth_load_patch(dp, rec.s.dev,
- fmt, buf, 0, count);
+ err = snd_seq_oss_synth_load_patch(dp, rec.s.dev,
+ fmt, buf, 0, count);
+ return err < 0 ? err : count;
}
if (ev_is_long(&rec)) {
/* extended code */
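Review bot: `return err < 0 ? err : count;` reports the whole buffer as written for any nonnegative result, including the backend-specific positive values the commit message says can be shorter than the write. That is the stated intent, but with the FIXME removed nothing at the call site records it; a one-line comment saying that load_patch() results are treated as success or failure only, never as byte counts, would keep a later change from returning them again. The hunk also assigns to `err` without showing its declaration, which should be checked in the 6.1.y version of the function.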
* [PATCH 6.1 197/969] erofs: fix the out-of-bounds nameoff handling for trailing dirents
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo, Gao Xiang,
Chao Yu
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gao Xiang <hsiangkao@linux.alibaba.com>
commit d18a3b5d337fa412a38e776e6b4b857a58836575 upstream.
Currently we already have boundary-checks for nameoffs, but the trailing
dirents are special since the namelens are calculated with strnlen()
with unchecked nameoffs.
If a crafted EROFS has a trailing dirent with nameoff >= maxsize,
maxsize - nameoff can underflow, causing strnlen() to read past the
directory block.
nameoff0 should also be verified to be a multiple of
`sizeof(struct erofs_dirent)` as well [1].
[1] https://sashiko.dev/#/patchset/20260416063511.3173774-1-hsiangkao%40linux.alibaba.com
Fixes: 3aa8ec716e52 ("staging: erofs: add directory operations")
Fixes: 33bac912840f ("staging: erofs: keep corrupted fs from crashing kernel in erofs_readdir()")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reported-by: Junrui Luo <moonafterrain@outlook.com>
Closes: https://lore.kernel.org/r/A0FD7E0F-7558-49B0-8BC8-EB1ECDB2479A@outlook.com
Cc: stable@vger.kernel.org
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/erofs/dir.c | 28 +++++++++++++++-------------
1 file changed, 15 insertions(+), 13 deletions(-)
--- a/fs/erofs/dir.c
+++ b/fs/erofs/dir.c
@@ -22,20 +22,18 @@ static int erofs_fill_dentries(struct in
nameoff = le16_to_cpu(de->nameoff);
de_name = (char *)dentry_blk + nameoff;
- /* the last dirent in the block? */
- if (de + 1 >= end)
- de_namelen = strnlen(de_name, maxsize - nameoff);
- else
+ /* non-trailing dirent in the directory block? */
+ if (de + 1 < end)
de_namelen = le16_to_cpu(de[1].nameoff) - nameoff;
+ else if (maxsize <= nameoff)
+ goto err_bogus;
+ else
+ de_namelen = strnlen(de_name, maxsize - nameoff);
- /* a corrupted entry is found */
- if (nameoff + de_namelen > maxsize ||
- de_namelen > EROFS_NAME_LEN) {
- erofs_err(dir->i_sb, "bogus dirent @ nid %llu",
- EROFS_I(dir)->nid);
- DBG_BUGON(1);
- return -EFSCORRUPTED;
- }
+ /* a corrupted entry is found (including negative namelen) */
+ if (!in_range32(de_namelen, 1, EROFS_NAME_LEN) ||
+ nameoff + de_namelen > maxsize)
+ goto err_bogus;
if (!dir_emit(ctx, de_name, de_namelen,
le64_to_cpu(de->nid), d_type))
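Review bot: `!in_range32(de_namelen, 1, EROFS_NAME_LEN)` rejects a zero-length name as well as an oversized or negative one, which the old `de_namelen > EROFS_NAME_LEN` test did not, yet the comment only mentions "including negative namelen". Please extend the comment to say that empty names are treated as corruption. For the backport, in_range32() is not introduced by this patch, so its presence in linux-6.1.y needs confirming.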
@@ -44,6 +42,10 @@ static int erofs_fill_dentries(struct in
ctx->pos += sizeof(struct erofs_dirent);
}
return 0;
+err_bogus:
+ erofs_err(dir->i_sb, "bogus dirent @ nid %llu", EROFS_I(dir)->nid);
+ DBG_BUGON(1);
+ return -EFSCORRUPTED;
}
static int erofs_readdir(struct file *f, struct dir_context *ctx)
@@ -71,7 +73,7 @@ static int erofs_readdir(struct file *f,
}
nameoff = le16_to_cpu(de->nameoff);
- if (nameoff < sizeof(struct erofs_dirent) || nameoff >= bsz) {
+ if (!nameoff || nameoff >= bsz || (nameoff % sizeof(*de))) {
erofs_err(sb, "invalid de[0].nameoff %u @ nid %llu",
nameoff, EROFS_I(dir)->nid);
err = -EFSCORRUPTED;
* [PATCH 6.1 198/969] md/raid10: fix deadlock with check operation and nowait requests
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Josh Hunt, Yu Kuai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josh Hunt <johunt@akamai.com>
commit 7d96f3120a7fb7210d21b520c5b6f495da6ba436 upstream.
When an array check is running it will raise the barrier at which point
normal requests will become blocked and increment the nr_pending value to
signal there is work pending inside of wait_barrier(). NOWAIT requests
do not block and so will return immediately with an error, and additionally
do not increment nr_pending in wait_barrier(). Upstream change commit
43806c3d5b9b ("raid10: cleanup memleak at raid10_make_request") added a
call to raid_end_bio_io() to fix a memory leak when NOWAIT requests hit
this condition. raid_end_bio_io() eventually calls allow_barrier() and
it will unconditionally do an atomic_dec_and_test(&conf->nr_pending) even
though the corresponding increment on nr_pending didn't happen in the
NOWAIT case.
This can be easily seen by starting a check operation while an application
is doing nowait IO on the same array. This results in a deadlocked state
due to nr_pending value underflowing and so the md resync thread gets stuck
waiting for nr_pending to == 0.
Output of r10conf state of the array when we hit this condition:
crash> struct r10conf
barrier = 1,
nr_pending = {
counter = -41
},
nr_waiting = 15,
nr_queued = 0,
Example of md_sync thread stuck waiting on raise_barrier() and other
requests stuck in wait_barrier():
md1_resync
[<0>] raise_barrier+0xce/0x1c0
[<0>] raid10_sync_request+0x1ca/0x1ed0
[<0>] md_do_sync+0x779/0x1110
[<0>] md_thread+0x90/0x160
[<0>] kthread+0xbe/0xf0
[<0>] ret_from_fork+0x34/0x50
[<0>] ret_from_fork_asm+0x1a/0x30
kworker/u1040:2+flush-253:4
[<0>] wait_barrier+0x1de/0x220
[<0>] regular_request_wait+0x30/0x180
[<0>] raid10_make_request+0x261/0x1000
[<0>] md_handle_request+0x13b/0x230
[<0>] __submit_bio+0x107/0x1f0
[<0>] submit_bio_noacct_nocheck+0x16f/0x390
[<0>] ext4_io_submit+0x24/0x40
[<0>] ext4_do_writepages+0x254/0xc80
[<0>] ext4_writepages+0x84/0x120
[<0>] do_writepages+0x7a/0x260
[<0>] __writeback_single_inode+0x3d/0x300
[<0>] writeback_sb_inodes+0x1dd/0x470
[<0>] __writeback_inodes_wb+0x4c/0xe0
[<0>] wb_writeback+0x18b/0x2d0
[<0>] wb_workfn+0x2a1/0x400
[<0>] process_one_work+0x149/0x330
[<0>] worker_thread+0x2d2/0x410
[<0>] kthread+0xbe/0xf0
[<0>] ret_from_fork+0x34/0x50
[<0>] ret_from_fork_asm+0x1a/0x30
Fixes: 43806c3d5b9b ("raid10: cleanup memleak at raid10_make_request")
Cc: stable@vger.kernel.org
Signed-off-by: Josh Hunt <johunt@akamai.com>
Link: https://lore.kernel.org/linux-raid/20260303005619.1352958-1-johunt@akamai.com
Signed-off-by: Yu Kuai <yukuai@fnnas.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/raid10.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/md/raid10.c
+++ b/drivers/md/raid10.c
@@ -1211,7 +1211,7 @@ static void raid10_read_request(struct m
}
if (!regular_request_wait(mddev, conf, bio, r10_bio->sectors)) {
- raid_end_bio_io(r10_bio);
+ free_r10bio(r10_bio);
return;
}
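Review bot: In raid10_read_request(), the failure branch after regular_request_wait() now only frees r10_bio and returns, so nothing in this hunk completes bio any more. That is only correct if regular_request_wait() has already ended the bio before returning false, which these lines do not show. A short comment on the branch saying who completes the bio, and that nr_pending was never taken on this path, would keep someone from restoring raid_end_bio_io() here.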
@@ -1436,7 +1436,7 @@ static void raid10_write_request(struct
sectors = r10_bio->sectors;
if (!regular_request_wait(mddev, conf, bio, sectors)) {
- raid_end_bio_io(r10_bio);
+ free_r10bio(r10_bio);
return;
}
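Review bot: The same three-line failure branch exists in both raid10_write_request() and raid10_read_request(), and getting its cleanup wrong is what underflowed nr_pending. Consider folding the regular_request_wait() check and free_r10bio() into one small helper so the two paths cannot drift apart again.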
^ permalink raw reply [flat|nested] 982+ messages in thread
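The counter imbalance described in the commit message above, as an added user-space model that is not kernel code and not part of the original patch. The struct, the `model_*` functions and the `fail_cleanup` enum are hypothetical names; only `barrier`, `nr_pending` and the increment/decrement pairing are taken from the message.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model: only the two r10conf fields the message relies on. */
struct barrier_model {
	int barrier;     /* non-zero while a check/resync holds the barrier */
	int nr_pending;  /* requests that were admitted by wait_barrier() */
};

/* Which cleanup the submit path uses when a NOWAIT request is rejected. */
enum fail_cleanup {
	FAIL_END_BIO_IO, /* pre-fix: ends up in allow_barrier() */
	FAIL_FREE_ONLY,  /* post-fix: frees the request, no decrement */
};

/* A NOWAIT request that would have to wait is rejected WITHOUT
 * incrementing nr_pending; every admitted request increments it.
 * Blocking callers are outside this model. */
static bool model_wait_barrier(struct barrier_model *c, bool nowait)
{
	if (c->barrier && nowait)
		return false;
	c->nr_pending++;
	return true;
}

/* Unconditional decrement, as the message describes for allow_barrier(). */
static void model_allow_barrier(struct barrier_model *c)
{
	c->nr_pending--;
}

/* Submit one request; returns true if it was admitted. */
static bool model_submit(struct barrier_model *c, bool nowait,
			 enum fail_cleanup on_fail)
{
	if (!model_wait_barrier(c, nowait)) {
		if (on_fail == FAIL_END_BIO_IO)
			model_allow_barrier(c); /* decrement with no matching increment */
		return false;
	}
	return true;
}

/* The waiter can only proceed once every admitted request has completed. */
static bool model_resync_can_start(int nr_pending)
{
	return nr_pending == 0;
}

/* Constructed scenario: `inflight` requests are admitted, the barrier is
 * raised, `rejected` NOWAIT requests arrive, then the in-flight ones
 * complete normally. Returns the final nr_pending. */
static int model_run(enum fail_cleanup on_fail, int inflight, int rejected)
{
	struct barrier_model c = { 0, 0 };
	int i;

	for (i = 0; i < inflight; i++)
		model_submit(&c, true, on_fail);
	c.barrier = 1;
	for (i = 0; i < rejected; i++)
		model_submit(&c, true, on_fail);
	for (i = 0; i < inflight; i++)
		model_allow_barrier(&c); /* paired completion of admitted requests */
	return c.nr_pending;
}

int main(void)
{
	int before = model_run(FAIL_END_BIO_IO, 3, 41);
	int after = model_run(FAIL_FREE_ONLY, 3, 41);

	printf("end_bio_io cleanup: nr_pending=%d can_start=%d\n",
	       before, model_resync_can_start(before));
	printf("free-only cleanup:  nr_pending=%d can_start=%d\n",
	       after, model_resync_can_start(after));
	return 0;
}
```

A negative `nr_pending` on an array whose check or resync never progresses is the signature to look for in a crash dump, as in the `r10conf` output quoted in the message.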
* [PATCH 6.1 199/969] nvme-pci: add NVME_QUIRK_DISABLE_WRITE_ZEROES for Kingston OM3SGP4
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Robert Beckett, Keith Busch
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Robert Beckett <bob.beckett@collabora.com>
commit a8eebf9699d69987cc49cec4e4fdb4111ab32423 upstream.
The Kingston OM3SGP42048K2-A00 (PCI ID 2646:502f) firmware has a race
condition when processing concurrent write zeroes and DSM (discard)
commands, causing spurious "LBA Out of Range" errors and IOMMU page
faults at address 0x0.
The issue is reliably triggered by running two concurrent mkfs commands
on different partitions of the same drive, which generates interleaved
write zeroes and discard operations.
Disable write zeroes for this device, matching the pattern used for
other Kingston OM* drives that have similar firmware issues.
Cc: stable@vger.kernel.org
Signed-off-by: Robert Beckett <bob.beckett@collabora.com>
Assisted-by: claude-opus-4-6-v1
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/nvme/host/pci.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -3620,6 +3620,8 @@ static const struct pci_device_id nvme_i
.driver_data = NVME_QUIRK_DISABLE_WRITE_ZEROES, },
{ PCI_DEVICE(0x2646, 0x501E), /* KINGSTON OM3PGP4xxxxQ OS21011 NVMe SSD */
.driver_data = NVME_QUIRK_DISABLE_WRITE_ZEROES, },
+ { PCI_DEVICE(0x2646, 0x502F), /* KINGSTON OM3SGP4xxxxK NVMe SSD */
+ .driver_data = NVME_QUIRK_DISABLE_WRITE_ZEROES, },
{ PCI_DEVICE(0x1f40, 0x1202), /* Netac Technologies Co. NV3000 NVMe SSD */
.driver_data = NVME_QUIRK_BOGUS_NID, },
{ PCI_DEVICE(0x1f40, 0x5236), /* Netac Technologies Co. NV7000 NVMe SSD */
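Review bot: The new 0x2646:0x502F entry only sets NVME_QUIRK_DISABLE_WRITE_ZEROES, and patch 200/969 in this series says that quirk is overridden whenever the controller reports a non-zero wzsl. The changelog should state that this entry depends on that core.c fix, so the two are not backported separately.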
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 200/969] nvme: respect NVME_QUIRK_DISABLE_WRITE_ZEROES when wzsl is set
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Robert Beckett, Keith Busch
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Robert Beckett <bob.beckett@collabora.com>
commit 40f0496b617b431f8d2dd94d7f785c1121f8a68a upstream.
The NVM Command Set Identify Controller data may report a non-zero
Write Zeroes Size Limit (wzsl). When present, nvme_init_non_mdts_limits()
unconditionally overrides max_zeroes_sectors from wzsl, even if
NVME_QUIRK_DISABLE_WRITE_ZEROES previously set it to zero.
This effectively re-enables write zeroes for devices that need it
disabled, defeating the quirk. Several Kingston OM* drives rely on
this quirk to avoid firmware issues with write zeroes commands.
Check for the quirk before applying the wzsl override.
Fixes: 5befc7c26e5a ("nvme: implement non-mdts command limits")
Cc: stable@vger.kernel.org
Signed-off-by: Robert Beckett <bob.beckett@collabora.com>
Assisted-by: claude-opus-4-6-v1
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/nvme/host/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -3188,7 +3188,7 @@ static int nvme_init_non_mdts_limits(str
if (id->dmrl)
ctrl->max_discard_segments = id->dmrl;
ctrl->dmrsl = le32_to_cpu(id->dmrsl);
- if (id->wzsl)
+ if (id->wzsl && !(ctrl->quirks & NVME_QUIRK_DISABLE_WRITE_ZEROES))
ctrl->max_zeroes_sectors = nvme_mps_to_sectors(ctrl, id->wzsl);
free_data:
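Review bot: The added quirk test on the id->wzsl line works only because max_zeroes_sectors was already set to zero somewhere outside this hunk, so nvme_init_non_mdts_limits() still relies on state it does not establish. Suggest a one-line comment above the condition saying the quirk must win over the controller-reported limit, or setting ctrl->max_zeroes_sectors to 0 explicitly when the quirk is present.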
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 201/969] parisc: _llseek syscall is only available for 32-bit userspace
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Helge Deller
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Helge Deller <deller@gmx.de>
commit da3680f564bd787ce974f9931e6e924d908b3b2a upstream.
Cc: stable@vger.kernel.org
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/parisc/kernel/syscalls/syscall.tbl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/parisc/kernel/syscalls/syscall.tbl
+++ b/arch/parisc/kernel/syscalls/syscall.tbl
@@ -154,7 +154,7 @@
# 137 was afs_syscall
138 common setfsuid sys_setfsuid
139 common setfsgid sys_setfsgid
-140 common _llseek sys_llseek
+140 32 _llseek sys_llseek
141 common getdents sys_getdents compat_sys_getdents
142 common _newselect sys_select compat_sys_select
143 common flock sys_flock
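Review bot: The changelog has no body, so the switch of entry 140 from common to 32 is unexplained. Please say what goes wrong when _llseek is exposed to 64-bit userspace and what a 64-bit caller of number 140 will see afterwards, since this changes the syscall table of a stable tree.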
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 202/969] selftests/mqueue: Fix incorrectly named file
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Simon Liebold, Shuah Khan
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Simon Liebold <simonlie@amazon.de>
commit 64fac99037689020ad97e472ae898e96ea3616dc upstream.
Commit 85506aca2eb4 ("selftests/mqueue: Set timeout to 180 seconds")
intended to increase the timeout for mq_perf_tests from the default
kselftest limit of 45 seconds to 180 seconds.
Unfortunately, the file storing this information was incorrectly named
`setting` instead of `settings`, causing the kselftest runner not to
pick up the limit and keep using the default 45 seconds limit.
Fix this by renaming it to `settings` to ensure that the kselftest
runner uses the increased timeout of 180 seconds for this test.
Fixes: 85506aca2eb4 ("selftests/mqueue: Set timeout to 180 seconds")
Cc: <stable@vger.kernel.org> # 5.10.y
Signed-off-by: Simon Liebold <simonlie@amazon.de>
Link: https://lore.kernel.org/r/20260312140200.2224850-1-simonlie@amazon.de
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/mqueue/{setting => settings} | 0
tools/testing/selftests/mqueue/setting | 1 -
tools/testing/selftests/mqueue/settings | 1 +
2 files changed, 1 insertion(+), 1 deletion(-)
rename tools/testing/selftests/mqueue/{setting => settings} (100%)
--- a/tools/testing/selftests/mqueue/setting
+++ /dev/null
@@ -1 +0,0 @@
-timeout=180
--- /dev/null
+++ b/tools/testing/selftests/mqueue/settings
@@ -0,0 +1 @@
+timeout=180
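Review bot: The diffstat records this as a 100% rename, and the body then deletes setting and creates settings as two separate one-line hunks, so the same change is described twice. Keeping only the rename form (or only the delete/create pair) would make it obvious that timeout=180 is unchanged and would avoid the confusing "2 files changed" count.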
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 203/969] rbd: fix null-ptr-deref when device_add_disk() fails
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zilin Guan, Dawei Feng, Ilya Dryomov
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dawei Feng <dawei.feng@seu.edu.cn>
commit d1fef92e414433ca7b89abf85cb0df42b8d475eb upstream.
do_rbd_add() publishes the device with device_add() before calling
device_add_disk(). If device_add_disk() fails after device_add()
succeeds, the error path calls rbd_free_disk() directly and then later
falls through to rbd_dev_device_release(), which calls rbd_free_disk()
again. This double teardown can leave blk-mq cleanup operating on
invalid state and trigger a null-ptr-deref in
__blk_mq_free_map_and_rqs(), reached from blk_mq_free_tag_set().
Fix this by following the normal remove ordering: call device_del()
before rbd_dev_device_release() when device_add_disk() fails after
device_add(). That keeps the teardown sequence consistent and avoids
re-entering disk cleanup through the wrong path.
The bug was first flagged by an experimental analysis tool we are
developing for kernel memory-management bugs while analyzing
v6.13-rc1. The tool is still under development and is not yet publicly
available.
We reproduced the bug on v7.0 with a real Ceph backend and a QEMU x86_64
guest booted with KASAN and CONFIG_FAILSLAB enabled. The reproducer
confines failslab injections to the __add_disk() range and injects
fail-nth while mapping an RBD image through
/sys/bus/rbd/add_single_major.
On the unpatched kernel, fail-nth=4 reliably triggered the fault:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 UID: 0 PID: 273 Comm: bash Not tainted 7.0.0-01247-gd60bc1401583 #6 PREEMPT(lazy)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
RIP: 0010:__blk_mq_free_map_and_rqs+0x8c/0x240
Code: 00 00 48 8b 6b 60 41 89 f4 49 c1 e4 03 4c 01 e5 45 85 ed 0f 85 0a 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 e9 48 c1 e9 03 <80> 3c 01 00 0f 85 31 01 00 00 4c 8b 6d 00 4d 85 ed 0f 84 e2 00 00
RSP: 0018:ff1100000ab0fac8 EFLAGS: 00000246
RAX: dffffc0000000000 RBX: ff1100000c4806a0 RCX: 0000000000000000
RDX: 0000000000000002 RSI: 0000000000000000 RDI: ff1100000c4806f4
RBP: 0000000000000000 R08: 0000000000000001 R09: ffe21c000189001b
R10: ff1100000c4800df R11: ff1100006cf37be0 R12: 0000000000000000
R13: 0000000000000000 R14: ff1100000c480700 R15: ff1100000c480004
FS: 00007f0fbe8fe740(0000) GS:ff110000e5851000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe53473b2e0 CR3: 0000000012eef000 CR4: 00000000007516f0
PKRU: 55555554
Call Trace:
<TASK>
blk_mq_free_tag_set+0x77/0x460
do_rbd_add+0x1446/0x2b80
? __pfx_do_rbd_add+0x10/0x10
? lock_acquire+0x18c/0x300
? find_held_lock+0x2b/0x80
? sysfs_file_kobj+0xb6/0x1b0
? __pfx_sysfs_kf_write+0x10/0x10
kernfs_fop_write_iter+0x2f4/0x4a0
vfs_write+0x98e/0x1000
? expand_files+0x51f/0x850
? __pfx_vfs_write+0x10/0x10
ksys_write+0xf2/0x1d0
? __pfx_ksys_write+0x10/0x10
do_syscall_64+0x115/0x690
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0fbea15907
Code: 10 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
RSP: 002b:00007ffe22346ea8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000058 RCX: 00007f0fbea15907
RDX: 0000000000000058 RSI: 0000563ace6c0ef0 RDI: 0000000000000001
RBP: 0000563ace6c0ef0 R08: 0000563ace6c0ef0 R09: 6b6435726d694141
R10: 5250337279762f78 R11: 0000000000000246 R12: 0000000000000058
R13: 00007f0fbeb1c780 R14: ff1100000c480700 R15: ff1100000c480004
</TASK>
With this fix applied, rerunning the reproducer over fail-nth=1..256
yields no KASAN reports.
[ idryomov: rename err_out_device_del -> err_out_device ]
Cc: stable@vger.kernel.org
Fixes: 27c97abc30e2 ("rbd: add add_disk() error handling")
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/rbd.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -7175,7 +7175,7 @@ static ssize_t do_rbd_add(struct bus_typ
rc = device_add_disk(&rbd_dev->dev, rbd_dev->disk, NULL);
if (rc)
- goto err_out_cleanup_disk;
+ goto err_out_device;
spin_lock(&rbd_dev_list_lock);
list_add_tail(&rbd_dev->node, &rbd_dev_list);
@@ -7189,8 +7189,8 @@ out:
module_put(THIS_MODULE);
return rc;
-err_out_cleanup_disk:
- rbd_free_disk(rbd_dev);
+err_out_device:
+ device_del(&rbd_dev->dev);
err_out_image_lock:
rbd_dev_image_unlock(rbd_dev);
rbd_dev_device_release(rbd_dev);
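Review bot: At err_out_device the new device_del() relies on falling through err_out_image_lock into rbd_dev_device_release() to free the disk, and nothing at the label says so. Add a comment that this label undoes device_add() and must not call rbd_free_disk() itself, since that direct call is exactly the double teardown being removed.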
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 204/969] io_uring/timeout: check unused sqe fields
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pavel Begunkov, Jens Axboe
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pavel Begunkov <asml.silence@gmail.com>
commit 484ae637a3e3d909718de7c07afd3bb34b6b8504 upstream.
Zero check unused SQE fields addr3 and pad2 for timeout and timeout
update requests. They're not needed now, but could be used sometime
in the future.
Cc: stable@vger.kernel.org
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/timeout.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/io_uring/timeout.c
+++ b/io_uring/timeout.c
@@ -394,6 +394,8 @@ int io_timeout_remove_prep(struct io_kio
if (unlikely(req->flags & (REQ_F_FIXED_FILE | REQ_F_BUFFER_SELECT)))
return -EINVAL;
+ if (sqe->addr3 || sqe->__pad2[0])
+ return -EINVAL;
if (sqe->buf_index || sqe->len || sqe->splice_fd_in)
return -EINVAL;
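Review bot: In io_timeout_remove_prep() the new addr3/__pad2[0] test sits directly above an existing test with the same -EINVAL return. Merging the two into one condition would keep every must-be-zero field of this opcode in one place.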
@@ -466,6 +468,8 @@ static int __io_timeout_prep(struct io_k
unsigned flags;
u32 off = READ_ONCE(sqe->off);
+ if (sqe->addr3 || sqe->__pad2[0])
+ return -EINVAL;
if (sqe->buf_index || sqe->len != 1 || sqe->splice_fd_in)
return -EINVAL;
if (off && is_timeout_link)
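Review bot: In __io_timeout_prep() this turns previously ignored addr3 and __pad2[0] contents into -EINVAL, which is a user-visible tightening for a stable kernel. The changelog says the fields are not needed now; it should also state whether any known userspace submits timeout SQEs without zeroing them, or the backport risks breaking an application that worked before.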
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 205/969] iio: adc: ti-ads7950: use iio_push_to_buffers_with_ts_unaligned()
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Lechner, Stable,
Jonathan Cameron
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Lechner <dlechner@baylibre.com>
commit 7806c060cceb2d6895efbb6cff2f2f17cf1ec5de upstream.
Use iio_push_to_buffers_with_ts_unaligned() to avoid unaligned access
when writing the timestamp in the rx_buf.
The previous implementation would have been fine on architectures that
support 4-byte alignment of 64-bit integers but could cause issues on
architectures that require 8-byte alignment.
Fixes: 902c4b2446d4 ("iio: adc: New driver for TI ADS7950 chips")
Signed-off-by: David Lechner <dlechner@baylibre.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/ti-ads7950.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
--- a/drivers/iio/adc/ti-ads7950.c
+++ b/drivers/iio/adc/ti-ads7950.c
@@ -47,8 +47,6 @@
#define TI_ADS7950_MAX_CHAN 16
#define TI_ADS7950_NUM_GPIOS 4
-#define TI_ADS7950_TIMESTAMP_SIZE (sizeof(int64_t) / sizeof(__be16))
-
/* val = value, dec = left shift, bits = number of bits of the mask */
#define TI_ADS7950_EXTRACT(val, dec, bits) \
(((val) >> (dec)) & ((1 << (bits)) - 1))
@@ -105,8 +103,7 @@ struct ti_ads7950_state {
* DMA (thus cache coherency maintenance) may require the
* transfer buffers to live in their own cache lines.
*/
- u16 rx_buf[TI_ADS7950_MAX_CHAN + 2 + TI_ADS7950_TIMESTAMP_SIZE]
- __aligned(IIO_DMA_MINALIGN);
+ u16 rx_buf[TI_ADS7950_MAX_CHAN + 2] __aligned(IIO_DMA_MINALIGN);
u16 tx_buf[TI_ADS7950_MAX_CHAN + 2];
u16 single_tx;
u16 single_rx;
@@ -313,8 +310,10 @@ static irqreturn_t ti_ads7950_trigger_ha
if (ret < 0)
goto out;
- iio_push_to_buffers_with_timestamp(indio_dev, &st->rx_buf[2],
- iio_get_time_ns(indio_dev));
+ iio_push_to_buffers_with_ts_unaligned(indio_dev, &st->rx_buf[2],
+ sizeof(*st->rx_buf) *
+ TI_ADS7950_MAX_CHAN,
+ iio_get_time_ns(indio_dev));
out:
mutex_unlock(&st->slock);
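Review bot: The length passed in ti_ads7950_trigger_handler() is always sizeof(*st->rx_buf) * TI_ADS7950_MAX_CHAN, the maximum, not the size of the currently enabled scan. Reading 16 elements from &st->rx_buf[2] stays inside the TI_ADS7950_MAX_CHAN + 2 array, so there is no overread, but a comment that this is an upper bound and that the helper is expected to cope with it would help the next reader.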
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 206/969] io_uring/poll: fix signed comparison in io_poll_get_ownership()
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yifan Wu, Juefei Pu, Yuan Tan,
Xin Liu, Zhengchuan Liang, Longxuan Yu, Ren Wei, Pavel Begunkov,
Jens Axboe
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Longxuan Yu <ylong030@ucr.edu>
commit 326941b22806cbf2df1fbfe902b7908b368cce42 upstream.
io_poll_get_ownership() uses a signed comparison to check whether
poll_refs has reached the threshold for the slowpath:
if (unlikely(atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS))
atomic_read() returns int (signed). When IO_POLL_CANCEL_FLAG
(BIT(31)) is set in poll_refs, the value becomes negative in
signed arithmetic, so the >= 128 comparison always evaluates to
false and the slowpath is never taken.
Fix this by casting the atomic_read() result to unsigned int
before the comparison, so that the cancel flag is treated as a
large positive value and correctly triggers the slowpath.
Fixes: a26a35e9019f ("io_uring: make poll refs more robust")
Cc: stable@vger.kernel.org
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Tested-by: Zhengchuan Liang <zcliangcn@gmail.com>
Signed-off-by: Longxuan Yu <ylong030@ucr.edu>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://patch.msgid.link/3a3508b08bcd7f1bc3beff848ae6e1d73d355043.1775965597.git.ylong030@ucr.edu
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/poll.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/io_uring/poll.c
+++ b/io_uring/poll.c
@@ -88,7 +88,7 @@ static bool io_poll_get_ownership_slowpa
*/
static inline bool io_poll_get_ownership(struct io_kiocb *req)
{
- if (unlikely(atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS))
+ if (unlikely((unsigned int)atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS))
return io_poll_get_ownership_slowpath(req);
return !(atomic_fetch_inc(&req->poll_refs) & IO_POLL_REF_MASK);
}
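Review bot: The (unsigned int) cast in io_poll_get_ownership() carries the entire fix and the line gives no hint why it is there. Add a short comment that poll_refs can have bit 31 set and must be compared as unsigned, or a later cleanup is likely to drop the cast and reintroduce the bug.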
^ permalink raw reply [flat|nested] 982+ messages in thread
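The signed-versus-unsigned threshold check from the commit message above, as an added user-space example that is not kernel code and not part of the original patch. `MODEL_CANCEL_FLAG` and `MODEL_REF_BIAS` are stand-ins for the BIT(31) flag and the 128 threshold the message gives; the sample counter values are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the two constants named in the commit message. */
#define MODEL_CANCEL_FLAG 0x80000000u /* IO_POLL_CANCEL_FLAG, BIT(31) */
#define MODEL_REF_BIAS    128         /* IO_POLL_REF_BIAS */

/* atomic_read() returns int: reinterpret the stored bits as a signed int
 * without relying on an out-of-range conversion. */
static int model_atomic_read(unsigned int bits)
{
	int v;

	memcpy(&v, &bits, sizeof(v));
	return v;
}

/* Check as written before the fix: signed comparison. */
static bool slowpath_signed(unsigned int bits)
{
	return model_atomic_read(bits) >= MODEL_REF_BIAS;
}

/* Check as written after the fix: the int is cast to unsigned first. */
static bool slowpath_unsigned(unsigned int bits)
{
	return (unsigned int)model_atomic_read(bits) >= MODEL_REF_BIAS;
}

/* Constructed counter values on both sides of the threshold, with and
 * without the cancel flag. */
static const unsigned int model_samples[] = {
	0u, 1u, 127u, 128u, 129u, 0x7fffffffu,
	MODEL_CANCEL_FLAG, MODEL_CANCEL_FLAG | 1u,
	MODEL_CANCEL_FLAG | 128u, 0xffffffffu,
};

/* Counts samples where the signed check skips the slowpath although the
 * unsigned check takes it; stores the first such value in *first. */
static size_t count_missed_slowpath(unsigned int *first)
{
	size_t i, missed = 0;

	for (i = 0; i < sizeof(model_samples) / sizeof(model_samples[0]); i++) {
		unsigned int v = model_samples[i];

		if (!slowpath_signed(v) && slowpath_unsigned(v)) {
			if (missed == 0 && first)
				*first = v;
			missed++;
		}
	}
	return missed;
}

int main(void)
{
	unsigned int first = 0;
	size_t missed = count_missed_slowpath(&first);

	printf("values that skip the slowpath only under the signed check: %zu\n",
	       missed);
	printf("first such value: 0x%08x\n", first);
	return 0;
}
```

Every value the two checks disagree on has bit 31 set, which is exactly the cancel-flag case the message describes.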
* [PATCH 6.1 207/969] io_uring/poll: ensure EPOLL_ONESHOT is propagated for EPOLL_URING_WAKE
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Azizcan Daştan, Jens Axboe
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jens Axboe <axboe@kernel.dk>
commit 1967f0b1cafdde37aa9e08e6021c14bcc484b7a5 upstream.
Commit:
aacf2f9f382c ("io_uring: fix req->apoll_events")
fixed an issue where poll->events and req->apoll_events weren't
synchronized, but then when the commit referenced in Fixes got added,
it didn't ensure the same thing.
If we mask in EPOLLONESHOT in the regular EPOLL_URING_WAKE path, then
ensure it's done for both. Including a link to the original report
below, even though it's mostly nonsense. But it includes a reproducer
that does show that IORING_CQE_F_MORE is set in the previous CQE,
while no more CQEs will be generated for this request. Just ignore
anything that pretends this is security related in any way, it's just
the typical AI nonsense.
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/io-uring/CAM0zi7yQzF3eKncgHo4iVM5yFLAjsiob_ucqyWKs=hyd_GqiMg@mail.gmail.com/
Reported-by: Azizcan Daştan <azizcan.d@mileniumsec.com>
Fixes: 4464853277d0 ("io_uring: pass in EPOLL_URING_WAKE for eventfd signaling and wakeups")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/poll.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/io_uring/poll.c
+++ b/io_uring/poll.c
@@ -451,8 +451,10 @@ static int io_poll_wake(struct wait_queu
* disable multishot as there is a circular dependency between
* CQ posting and triggering the event.
*/
- if (mask & EPOLL_URING_WAKE)
+ if (mask & EPOLL_URING_WAKE) {
poll->events |= EPOLLONESHOT;
+ req->apoll_events |= EPOLLONESHOT;
+ }
/* optional, saves extra locking for removal in tw handler */
if (mask && poll->events & EPOLLONESHOT) {
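Review bot: In io_poll_wake() the flag is now set on both poll->events and req->apoll_events, but the test two lines below still reads only poll->events. Since the changelog says these two fields have gone out of sync before, a small helper that sets EPOLLONESHOT on both would be safer than open-coding the pair at each site.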
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 208/969] ALSA: core: Fix potential data race at fasync handling
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jake Lamberson, Takashi Iwai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit 8146cd333d235ed32d48bb803fdf743472d7c783 upstream.
In snd_fasync_work_fn(), which is the offload work for traversing and
processing the pending fasync list, the call of kill_fasync() is done
outside the snd_fasync_lock for avoiding deadlocks. The problem is
that the references of fasync->on, fasync->signal and fasync->poll
are done there also outside the lock. Since these may be modified by
snd_kill_fasync() call concurrently from another process, inconsistent
values might be passed to kill_fasync(). Although there shouldn't be
critical UAF, it's still better to be addressed.
This patch moves the kill_fasync() argument evaluations inside the
snd_fasync_lock for avoiding the data races above. The handling in
fasync->on flag is optimized in the loop to skip directly.
Also, for more clarity, snd_fasync_free() takes the lock and unlinks
the pending entry more directly instead of clearing fasync->on flag.
Reported-by: Jake Lamberson <lamberson.jake@gmail.com>
Fixes: ef34a0ae7a26 ("ALSA: core: Add async signal helpers")
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20260420061721.3253644-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/core/misc.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
--- a/sound/core/misc.c
+++ b/sound/core/misc.c
@@ -171,14 +171,18 @@ static LIST_HEAD(snd_fasync_list);
static void snd_fasync_work_fn(struct work_struct *work)
{
struct snd_fasync *fasync;
+ int signal, poll;
spin_lock_irq(&snd_fasync_lock);
while (!list_empty(&snd_fasync_list)) {
fasync = list_first_entry(&snd_fasync_list, struct snd_fasync, list);
list_del_init(&fasync->list);
+ if (!fasync->on)
+ continue;
+ signal = fasync->signal;
+ poll = fasync->poll;
spin_unlock_irq(&snd_fasync_lock);
- if (fasync->on)
- kill_fasync(&fasync->fasync, fasync->signal, fasync->poll);
+ kill_fasync(&fasync->fasync, signal, poll);
spin_lock_irq(&snd_fasync_lock);
}
spin_unlock_irq(&snd_fasync_lock);
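Review bot: In snd_fasync_work_fn(), signal and poll are now snapshotted under snd_fasync_lock, but kill_fasync() still takes &fasync->fasync after the unlock. That is safe only because snd_fasync_free() runs flush_work() before kfree(); a comment at the unlock saying the object's lifetime depends on that flush would make the remaining unlocked access clearly deliberate.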
@@ -234,7 +238,10 @@ void snd_fasync_free(struct snd_fasync *
{
if (!fasync)
return;
- fasync->on = 0;
+
+ scoped_guard(spinlock_irq, &snd_fasync_lock)
+ list_del_init(&fasync->list);
+
flush_work(&snd_fasync_work);
kfree(fasync);
}
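Review bot: snd_fasync_free() now uses scoped_guard(spinlock_irq, &snd_fasync_lock) and the hunk adds no include. Please confirm that scoped_guard and the spinlock_irq guard class are available in the 6.1.y tree this is queued for; if not, an explicit spin_lock_irq()/spin_unlock_irq() pair around list_del_init() is the equivalent.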
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 209/969] ALSA: caiaq: Fix control_put() result and cache rollback
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
commit a3542d1b30f92307f545f2def14e8d988dffdff0 upstream.
control_put() always returns 1 and updates cdev->control_state[]
before sending the USB command. It also ignores transport errors
from usb_bulk_msg(), snd_usb_caiaq_send_command(), and
snd_usb_caiaq_send_command_bank().
That breaks the ALSA .put() contract and can leave control_get()
reporting a cached value the device never accepted.
Return 0 for unchanged values, propagate transport failures,
and restore the cached byte when the write fails.
Fixes: 8e3cd08ed8e59 ("[ALSA] caiaq - add control API and more input features")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260417-caiaq-control-put-v1-1-c37826e92447@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/caiaq/control.c | 54 +++++++++++++++++++++++++++++++---------------
1 file changed, 37 insertions(+), 17 deletions(-)
--- a/sound/usb/caiaq/control.c
+++ b/sound/usb/caiaq/control.c
@@ -87,6 +87,7 @@ static int control_put(struct snd_kcontr
struct snd_usb_caiaqdev *cdev = caiaqdev(chip->card);
int pos = kcontrol->private_value;
int v = ucontrol->value.integer.value[0];
+ int ret;
unsigned char cmd;
switch (cdev->chip.usb_id) {
@@ -103,6 +104,10 @@ static int control_put(struct snd_kcontr
if (pos & CNT_INTVAL) {
int i = pos & ~CNT_INTVAL;
+ unsigned char old = cdev->control_state[i];
+
+ if (old == v)
+ return 0;
cdev->control_state[i] = v;
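Review bot: The unchanged-value test compares unsigned char old with int v, and v is then stored into control_state[i], which this hunk reads back as unsigned char. If v falls outside 0..255 the comparison can never match while the stored byte is truncated, so the return value no longer says whether the cached value changed. Compare against (unsigned char)v, or range-check v first.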
@@ -113,10 +118,11 @@ static int control_put(struct snd_kcontr
cdev->ep8_out_buf[0] = i;
cdev->ep8_out_buf[1] = v;
- usb_bulk_msg(cdev->chip.dev,
- usb_sndbulkpipe(cdev->chip.dev, 8),
- cdev->ep8_out_buf, sizeof(cdev->ep8_out_buf),
- &actual_len, 200);
+ ret = usb_bulk_msg(cdev->chip.dev,
+ usb_sndbulkpipe(cdev->chip.dev, 8),
+ cdev->ep8_out_buf,
+ sizeof(cdev->ep8_out_buf),
+ &actual_len, 200);
} else if (cdev->chip.usb_id ==
USB_ID(USB_VID_NATIVEINSTRUMENTS, USB_PID_MASCHINECONTROLLER)) {
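Review bot: ret now captures the usb_bulk_msg() status, but actual_len is still never compared with sizeof(cdev->ep8_out_buf). If a short transfer can complete with a zero return on this endpoint, it would be treated as success and leave the cache updated; consider treating actual_len != sizeof(cdev->ep8_out_buf) as an error as well.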
@@ -128,21 +134,36 @@ static int control_put(struct snd_kcontr
offset = MASCHINE_BANK_SIZE;
}
- snd_usb_caiaq_send_command_bank(cdev, cmd, bank,
- cdev->control_state + offset,
- MASCHINE_BANK_SIZE);
+ ret = snd_usb_caiaq_send_command_bank(cdev, cmd, bank,
+ cdev->control_state + offset,
+ MASCHINE_BANK_SIZE);
} else {
- snd_usb_caiaq_send_command(cdev, cmd,
- cdev->control_state, sizeof(cdev->control_state));
+ ret = snd_usb_caiaq_send_command(cdev, cmd,
+ cdev->control_state,
+ sizeof(cdev->control_state));
}
- } else {
- if (v)
- cdev->control_state[pos / 8] |= 1 << (pos % 8);
- else
- cdev->control_state[pos / 8] &= ~(1 << (pos % 8));
- snd_usb_caiaq_send_command(cdev, cmd,
- cdev->control_state, sizeof(cdev->control_state));
+ if (ret < 0) {
+ cdev->control_state[i] = old;
+ return ret;
+ }
+ } else {
+ int idx = pos / 8;
+ unsigned char mask = 1 << (pos % 8);
+ unsigned char old = cdev->control_state[idx];
+ unsigned char val = v ? (old | mask) : (old & ~mask);
+
+ if (old == val)
+ return 0;
+
+ cdev->control_state[idx] = val;
+ ret = snd_usb_caiaq_send_command(cdev, cmd,
+ cdev->control_state,
+ sizeof(cdev->control_state));
+ if (ret < 0) {
+ cdev->control_state[idx] = old;
+ return ret;
+ }
}
return 1;
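Review bot: Both branches update control_state[] before sending and write old back on failure, with no lock visible in these lines. If two control_put() calls can run concurrently on the same card, a failing call's rollback can overwrite a value that a later successful call stored. Either note which lock serialises this, or commit to the cache only after the send succeeds.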
@@ -640,4 +661,3 @@ int snd_usb_caiaq_control_init(struct sn
return ret;
}
-
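Review bot: This last hunk only removes a trailing blank line at the end of the file and is unrelated to the control_put() fix. For a stable backport it is better dropped so the patch touches only what the changelog describes.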
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 210/969] ALSA: caiaq: Handle probe errors properly
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit 28abd224db4a49560b452115bca3672a20e45b2f upstream.
The probe procedure of setup_card() in caiaq driver doesn't treat the
error cases gracefully, e.g. the error from snd_card_register() calls
snd_card_free() but continues. This would lead to a UAF for the
further calls like snd_usb_caiaq_control_init(), as Berk suggested in
another patch in the link below.
However, the problem is not only that; in general, this function drops
all the error handling (as it's a void function) although its caller
can propagate an error to snd_probe(), which eventually calls
snd_card_free() as a proper error path. That said, we should treat
each error case in setup_card(), and just return the error code
promptly, which is then handled later as a fatal error in snd_probe().
This patch achieves it by changing the setup_card() to return an error
code. Also, the superfluous snd_card_free() call is removed, too.
Note that card->private_free can still be set safely when returning an
error. All called functions in card_free() have checks of the
unassigned resources or NULL checks.
Fixes: 8e3cd08ed8e5 ("[ALSA] caiaq - add control API and more input features")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/20260413034941.1131465-2-berkcgoksel@gmail.com
Link: https://patch.msgid.link/20260414105916.364073-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/caiaq/device.c | 33 ++++++++++++++++++++++++---------
1 file changed, 24 insertions(+), 9 deletions(-)
--- a/sound/usb/caiaq/device.c
+++ b/sound/usb/caiaq/device.c
@@ -290,7 +290,7 @@ int snd_usb_caiaq_set_auto_msg(struct sn
tmp, sizeof(tmp));
}
-static void setup_card(struct snd_usb_caiaqdev *cdev)
+static int setup_card(struct snd_usb_caiaqdev *cdev)
{
int ret;
char val[4];
@@ -325,8 +325,10 @@ static void setup_card(struct snd_usb_ca
snd_usb_caiaq_send_command(cdev, EP1_CMD_READ_IO, NULL, 0);
if (!wait_event_timeout(cdev->ep1_wait_queue,
- cdev->control_state[0] != 0xff, HZ))
- return;
+ cdev->control_state[0] != 0xff, HZ)) {
+ dev_err(dev, "Read timeout for control state\n");
+ return -EINVAL;
+ }
/* fix up some defaults */
if ((cdev->control_state[1] != 2) ||
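Review bot: the new timeout branch returns `-EINVAL`, which reads as a bad argument rather than an unresponsive device; `-ETIMEDOUT` would match both the `dev_err()` text and what actually happened. In the same hunk, the return value of `snd_usb_caiaq_send_command(cdev, EP1_CMD_READ_IO, NULL, 0)` on the context line is still ignored, so a failed send is only noticed after the full `HZ` wait and is then reported as a read timeout. Checking that call and returning its error directly would make the failure both faster and more accurate.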
@@ -347,33 +349,43 @@ static void setup_card(struct snd_usb_ca
cdev->spec.num_digital_audio_out +
cdev->spec.num_digital_audio_in > 0) {
ret = snd_usb_caiaq_audio_init(cdev);
- if (ret < 0)
+ if (ret < 0) {
dev_err(dev, "Unable to set up audio system (ret=%d)\n", ret);
+ return ret;
+ }
}
if (cdev->spec.num_midi_in +
cdev->spec.num_midi_out > 0) {
ret = snd_usb_caiaq_midi_init(cdev);
- if (ret < 0)
+ if (ret < 0) {
dev_err(dev, "Unable to set up MIDI system (ret=%d)\n", ret);
+ return ret;
+ }
}
#ifdef CONFIG_SND_USB_CAIAQ_INPUT
ret = snd_usb_caiaq_input_init(cdev);
- if (ret < 0)
+ if (ret < 0) {
dev_err(dev, "Unable to set up input system (ret=%d)\n", ret);
+ return ret;
+ }
#endif
/* finally, register the card and all its sub-instances */
ret = snd_card_register(cdev->chip.card);
if (ret < 0) {
dev_err(dev, "snd_card_register() returned %d\n", ret);
- snd_card_free(cdev->chip.card);
+ return ret;
}
ret = snd_usb_caiaq_control_init(cdev);
- if (ret < 0)
+ if (ret < 0) {
dev_err(dev, "Unable to set up control system (ret=%d)\n", ret);
+ return ret;
+ }
+
+ return 0;
}
static void card_free(struct snd_card *card)
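Review bot: the added `return ret;` after the audio, MIDI and input init calls turns failures that were previously logged and tolerated into fatal probe errors. For a stable backport that is a user-visible behavior change: a device whose `snd_usb_caiaq_input_init()` fails but whose audio path worked before will now fail to probe entirely. The changelog motivates the `snd_card_register()` case (the removed `snd_card_free()`), but it should also say explicitly that aborting on the other three is intended. Separately, `snd_usb_caiaq_control_init()` still runs after `snd_card_register()`, so its new error return tears down a card that has already been registered; a short comment on why that ordering is kept would help.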
@@ -499,8 +511,11 @@ static int init_card(struct snd_usb_caia
snprintf(card->longname, sizeof(card->longname), "%s %s (%s)",
cdev->vendor_name, cdev->product_name, usbpath);
- setup_card(cdev);
card->private_free = card_free;
+ err = setup_card(cdev);
+ if (err < 0)
+ return err;
+
return 0;
err_kill_urb:
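Review bot: the new `return err;` after `setup_card()` leaves `init_card()` without going through the `err_kill_urb:` label visible just below, and it is only correct because `card->private_free = card_free;` was moved above the call. That dependency is explained in the changelog but not in the code. A one-line comment above the assignment (for example, that `card_free()` performs the cleanup on this error path, so `private_free` must be set first) would stop a later reorder from reintroducing a leak. The trailing `if (err < 0) return err; return 0;` could also simply be `return setup_card(cdev);`, since `setup_card()` only returns 0 or a negative errno in this patch.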
* [PATCH 6.1 211/969] ALSA: 6fire: Fix input volume change detection
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
commit dc88eef8f55e85e92d016cdf7e291f5560efd79b upstream.
usb6fire_control_input_vol_put() stores the analog capture volume
as a signed offset in rt->input_vol[] (-15..+15), but it compares
the cached value against the user-visible mixer value (0..30)
before subtracting 15.
This mixes two domains in the change detection path. Since the
runtime is zero-initialized, the visible default is 15; writing 0
right after probe is ignored, while writing 15 is reported as a
change even though the cached value remains 0.
Normalize the user value before comparing it with the cached offset.
Fixes: 06bb4e743501 ("ALSA: snd-usb-6fire: add analog input volume control")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260416-alsa-6fire-input-volume-change-detection-v1-1-ec78299168df@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/6fire/control.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
--- a/sound/usb/6fire/control.c
+++ b/sound/usb/6fire/control.c
@@ -290,15 +290,17 @@ static int usb6fire_control_input_vol_pu
struct snd_ctl_elem_value *ucontrol)
{
struct control_runtime *rt = snd_kcontrol_chip(kcontrol);
+ int vol0 = ucontrol->value.integer.value[0] - 15;
+ int vol1 = ucontrol->value.integer.value[1] - 15;
int changed = 0;
- if (rt->input_vol[0] != ucontrol->value.integer.value[0]) {
- rt->input_vol[0] = ucontrol->value.integer.value[0] - 15;
+ if (rt->input_vol[0] != vol0) {
+ rt->input_vol[0] = vol0;
rt->ivol_updated &= ~(1 << 0);
changed = 1;
}
- if (rt->input_vol[1] != ucontrol->value.integer.value[1]) {
- rt->input_vol[1] = ucontrol->value.integer.value[1] - 15;
+ if (rt->input_vol[1] != vol1) {
+ rt->input_vol[1] = vol1;
rt->ivol_updated &= ~(1 << 1);
changed = 1;
}
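Review bot: `vol0` and `vol1` are computed from `ucontrol->value.integer.value[]` with no range check, so a value outside the 0..30 range named in the changelog is narrowed to `int`, offset by 15 and stored in `rt->input_vol[]` unchanged. Since the function is being touched anyway, consider rejecting out-of-range input up front, for example returning `-EINVAL` when either value is below 0 or above 30, before the comparison with the cached offset.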
* [PATCH 6.1 212/969] iio: adc: ad7768-1: fix one-shot mode data acquisition
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonathan Santos, David Lechner,
Stable, Jonathan Cameron
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonathan Santos <Jonathan.Santos@analog.com>
commit 8be19e233744961db6069da9c9ab63eb085a0447 upstream.
According to the datasheet, one-shot mode requires a SYNC_IN pulse to
trigger a new sample conversion. In the current implementation, no sync
pulse was sent after switching to one-shot mode and reinit_completion()
was called before mode switching, creating a race condition where spurious
interrupts during mode change could trigger completion prematurely.
Fix by sending a sync pulse after configuring one-shot mode and
reinit_completion() to ensure it only waits for the actual conversion
completion.
Fixes: a5f8c7da3dbe ("iio: adc: Add AD7768-1 ADC basic support")
Signed-off-by: Jonathan Santos <Jonathan.Santos@analog.com>
Reviewed-by: David Lechner <dlechner@baylibre.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/ad7768-1.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/drivers/iio/adc/ad7768-1.c
+++ b/drivers/iio/adc/ad7768-1.c
@@ -241,12 +241,17 @@ static int ad7768_scan_direct(struct iio
struct ad7768_state *st = iio_priv(indio_dev);
int readval, ret;
- reinit_completion(&st->completion);
-
ret = ad7768_set_mode(st, AD7768_ONE_SHOT);
if (ret < 0)
return ret;
+ reinit_completion(&st->completion);
+
+ /* One-shot mode requires a SYNC pulse to generate a new sample */
+ ret = ad7768_send_sync_pulse(st);
+ if (ret)
+ return ret;
+
ret = wait_for_completion_timeout(&st->completion,
msecs_to_jiffies(1000));
if (!ret)
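Review bot: the new `if (ret) return ret;` after `ad7768_send_sync_pulse()` returns with the device already switched to `AD7768_ONE_SHOT`, and nothing in the visible lines restores the previous mode on that path. If the rest of the function switches back after a successful read, the sync-pulse failure path should do the same, or a comment should say why leaving one-shot mode set is harmless. Minor: the check style differs from the `if (ret < 0)` used three lines above for `ad7768_set_mode()`; pick one.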
* [PATCH 6.1 213/969] tools/accounting: handle truncated taskstats netlink messages
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yiyang Chen, Balbir Singh,
Dr. Thomas Orgis, Fan Yu, Wang Yaxin, Andrew Morton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yiyang Chen <cyyzero16@gmail.com>
commit cc82b3dcc6a8fa259fbda12ab00d6fc00908a49e upstream.
procacct and getdelays use a fixed receive buffer for taskstats generic
netlink messages. A multi-threaded process exit can emit a single
PID+TGID notification large enough to exceed that buffer on newer kernels.
Switch to recvmsg() so MSG_TRUNC is detected explicitly, increase the
message buffer size, and report truncated datagrams clearly instead of
misparsing them as fatal netlink errors.
Also print the taskstats version in debug output to make version
mismatches easier to diagnose while inspecting taskstats traffic.
Link: https://lkml.kernel.org/r/520308bb4cbbaf8dc2c7296b5f60f11e12fb30a5.1774810498.git.cyyzero16@gmail.com
Signed-off-by: Yiyang Chen <cyyzero16@gmail.com>
Cc: Balbir Singh <bsingharora@gmail.com>
Cc: Dr. Thomas Orgis <thomas.orgis@uni-hamburg.de>
Cc: Fan Yu <fan.yu9@zte.com.cn>
Cc: Wang Yaxin <wang.yaxin@zte.com.cn>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/accounting/getdelays.c | 41 +++++++++++++++++++++++++++++++++++++----
tools/accounting/procacct.c | 40 ++++++++++++++++++++++++++++++++++++----
2 files changed, 73 insertions(+), 8 deletions(-)
--- a/tools/accounting/getdelays.c
+++ b/tools/accounting/getdelays.c
@@ -59,7 +59,7 @@ int print_task_context_switch_counts;
}
/* Maximum size of response requested or message sent */
-#define MAX_MSG_SIZE 1024
+#define MAX_MSG_SIZE 2048
/* Maximum number of cpus expected to be specified in a cpumask */
#define MAX_CPUS 32
@@ -114,6 +114,32 @@ error:
return -1;
}
+static int recv_taskstats_msg(int sd, struct msgtemplate *msg)
+{
+ struct sockaddr_nl nladdr;
+ struct iovec iov = {
+ .iov_base = msg,
+ .iov_len = sizeof(*msg),
+ };
+ struct msghdr hdr = {
+ .msg_name = &nladdr,
+ .msg_namelen = sizeof(nladdr),
+ .msg_iov = &iov,
+ .msg_iovlen = 1,
+ };
+ int ret;
+
+ ret = recvmsg(sd, &hdr, 0);
+ if (ret < 0)
+ return -1;
+ if (hdr.msg_flags & MSG_TRUNC) {
+ errno = EMSGSIZE;
+ return -1;
+ }
+
+ return ret;
+}
+
static int send_cmd(int sd, __u16 nlmsg_type, __u32 nlmsg_pid,
__u8 genl_cmd, __u16 nla_type,
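Review bot: `recv_taskstats_msg()` asks the kernel to fill `nladdr` through `.msg_name`, but the address is never looked at afterwards. Either drop `msg_name`/`msg_namelen`, or use them: checking that `nladdr.nl_pid == 0` before returning would confirm the datagram came from the kernel rather than another netlink sender, which is the usual reason to collect the source address on a netlink socket. Also, `recvmsg()` returns `ssize_t`; storing it in `int ret` is fine for a 2048-byte buffer but is worth a matching type.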
@@ -459,12 +485,16 @@ int main(int argc, char *argv[])
}
do {
- rep_len = recv(nl_sd, &msg, sizeof(msg), 0);
+ rep_len = recv_taskstats_msg(nl_sd, &msg);
PRINTF("received %d bytes\n", rep_len);
if (rep_len < 0) {
- fprintf(stderr, "nonfatal reply error: errno %d\n",
- errno);
+ if (errno == EMSGSIZE)
+ fprintf(stderr,
+ "dropped truncated taskstats netlink message, please increase MAX_MSG_SIZE\n");
+ else
+ fprintf(stderr, "nonfatal reply error: errno %d\n",
+ errno);
continue;
}
if (msg.n.nlmsg_type == NLMSG_ERROR ||
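Review bot: the new EMSGSIZE message tells the user to "please increase MAX_MSG_SIZE", but that is a compile-time `#define`, and the message does not say how large the dropped datagram was. Passing `MSG_TRUNC` in the `recvmsg()` flags makes the call return the real datagram length on netlink sockets, so the helper could report the required size and the message could print it. Note also that the context line `PRINTF("received %d bytes\n", rep_len);` still runs before the `rep_len < 0` check and will print -1 in debug mode for every truncated message.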
@@ -506,6 +536,9 @@ int main(int argc, char *argv[])
printf("TGID\t%d\n", rtid);
break;
case TASKSTATS_TYPE_STATS:
+ PRINTF("version %u\n",
+ ((struct taskstats *)
+ NLA_DATA(na))->version);
if (print_delays)
print_delayacct((struct taskstats *) NLA_DATA(na));
if (print_io_accounting)
--- a/tools/accounting/procacct.c
+++ b/tools/accounting/procacct.c
@@ -71,7 +71,7 @@ int print_task_context_switch_counts;
}
/* Maximum size of response requested or message sent */
-#define MAX_MSG_SIZE 1024
+#define MAX_MSG_SIZE 2048
/* Maximum number of cpus expected to be specified in a cpumask */
#define MAX_CPUS 32
@@ -121,6 +121,32 @@ error:
return -1;
}
+static int recv_taskstats_msg(int sd, struct msgtemplate *msg)
+{
+ struct sockaddr_nl nladdr;
+ struct iovec iov = {
+ .iov_base = msg,
+ .iov_len = sizeof(*msg),
+ };
+ struct msghdr hdr = {
+ .msg_name = &nladdr,
+ .msg_namelen = sizeof(nladdr),
+ .msg_iov = &iov,
+ .msg_iovlen = 1,
+ };
+ int ret;
+
+ ret = recvmsg(sd, &hdr, 0);
+ if (ret < 0)
+ return -1;
+ if (hdr.msg_flags & MSG_TRUNC) {
+ errno = EMSGSIZE;
+ return -1;
+ }
+
+ return ret;
+}
+
static int send_cmd(int sd, __u16 nlmsg_type, __u32 nlmsg_pid,
__u8 genl_cmd, __u16 nla_type,
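Review bot: this `recv_taskstats_msg()` is a line-for-line copy of the one added to getdelays.c in the same patch, together with the duplicated `MAX_MSG_SIZE 2048` bump. The two tools will drift the next time the buffer size or the truncation handling changes. Consider moving the helper and the constant into a small shared header under tools/accounting so both programs pick up future fixes together.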
@@ -239,6 +265,8 @@ void handle_aggr(int mother, struct nlat
PRINTF("TGID\t%d\n", rtid);
break;
case TASKSTATS_TYPE_STATS:
+ PRINTF("version %u\n",
+ ((struct taskstats *)NLA_DATA(na))->version);
if (mother == TASKSTATS_TYPE_AGGR_PID)
print_procacct((struct taskstats *) NLA_DATA(na));
if (fd) {
@@ -353,12 +381,16 @@ int main(int argc, char *argv[])
}
do {
- rep_len = recv(nl_sd, &msg, sizeof(msg), 0);
+ rep_len = recv_taskstats_msg(nl_sd, &msg);
PRINTF("received %d bytes\n", rep_len);
if (rep_len < 0) {
- fprintf(stderr, "nonfatal reply error: errno %d\n",
- errno);
+ if (errno == EMSGSIZE)
+ fprintf(stderr,
+ "dropped truncated taskstats netlink message, please increase MAX_MSG_SIZE\n");
+ else
+ fprintf(stderr, "nonfatal reply error: errno %d\n",
+ errno);
continue;
}
if (msg.n.nlmsg_type == NLMSG_ERROR ||
* [PATCH 6.1 214/969] net: rds: fix MR cleanup on copy error
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
Juefei Pu, Xin Liu, Ao Zhou, Ren Wei, Allison Henderson,
Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ao Zhou <draw51280@163.com>
commit 8141a2dc70080eda1aedc0389ed2db2b292af5bd upstream.
__rds_rdma_map() hands sg/pages ownership to the transport after
get_mr() succeeds. If copying the generated cookie back to user space
fails after that point, the error path must not free those resources
again before dropping the MR reference.
Remove the duplicate unpin/free from the put_user() failure branch so
that MR teardown is handled only through the existing final cleanup
path.
Fixes: 0d4597c8c5ab ("net/rds: Track user mapped pages through special API")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Ao Zhou <draw51280@163.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Allison Henderson <achender@kernel.org>
Link: https://patch.msgid.link/79c8ef73ec8e5844d71038983940cc2943099baf.1776764247.git.draw51280@163.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/rds/rdma.c | 4 ----
1 file changed, 4 deletions(-)
--- a/net/rds/rdma.c
+++ b/net/rds/rdma.c
@@ -326,10 +326,6 @@ static int __rds_rdma_map(struct rds_soc
if (args->cookie_addr &&
put_user(cookie, (u64 __user *)(unsigned long)args->cookie_addr)) {
- if (!need_odp) {
- unpin_user_pages(pages, nr_pages);
- kfree(sg);
- }
ret = -EFAULT;
goto out;
}
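Review bot: the `put_user()` failure branch is now correct only because of an ownership rule that lives in the changelog: after `get_mr()` succeeds, `sg` and `pages` belong to the transport and are released through the MR teardown reached via `goto out`. Nothing at this spot in the code says so, and the removed `unpin_user_pages()`/`kfree(sg)` pair is exactly what a later cleanup might re-add. A short comment above `ret = -EFAULT;` stating that the resources must not be freed here would document the invariant where it matters.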
* [PATCH 6.1 215/969] net/smc: avoid early lgr access in smc_clc_wait_msg
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
Juefei Pu, Xin Liu, Ruijie Li, Ren Wei, Dust Li, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ruijie Li <ruijieli51@gmail.com>
commit 5a8db80f721deee8e916c2cfdee78decda02ce4f upstream.
A CLC decline can be received while the handshake is still in an early
stage, before the connection has been associated with a link group.
The decline handling in smc_clc_wait_msg() updates link-group level sync
state for first-contact declines, but that state only exists after link
group setup has completed. Guard the link-group update accordingly and
keep the per-socket peer diagnosis handling unchanged.
This preserves the existing sync_err handling for established link-group
contexts and avoids touching link-group state before it is available.
Fixes: 0cfdd8f92cac ("smc: connection and link group creation")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Ruijie Li <ruijieli51@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Dust Li <dust.li@linux.alibaba.com>
Link: https://patch.msgid.link/08c68a5c817acf198cce63d22517e232e8d60718.1776850759.git.ruijieli51@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/smc/smc_clc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/net/smc/smc_clc.c
+++ b/net/smc/smc_clc.c
@@ -764,8 +764,8 @@ int smc_clc_wait_msg(struct smc_sock *sm
dclc = (struct smc_clc_msg_decline *)clcm;
reason_code = SMC_CLC_DECL_PEERDECL;
smc->peer_diagnosis = ntohl(dclc->peer_diagnosis);
- if (((struct smc_clc_msg_decline *)buf)->hdr.typev2 &
- SMC_FIRST_CONTACT_MASK) {
+ if ((dclc->hdr.typev2 & SMC_FIRST_CONTACT_MASK) &&
+ smc->conn.lgr) {
smc->conn.lgr->sync_err = 1;
smc_lgr_terminate_sched(smc->conn.lgr);
}
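Review bot: besides adding the `smc->conn.lgr` guard, the condition now reads `dclc->hdr.typev2` where the old code read `((struct smc_clc_msg_decline *)buf)->hdr.typev2`. `dclc` is derived from `clcm` on the first context line, so this is only a no-op if `clcm` and `buf` refer to the same memory at this point; the changelog does not mention the switch, and it should. In addition, `smc->conn.lgr` is dereferenced twice more after the check; reading it once into a local `lgr` and using that for the test, `sync_err` and `smc_lgr_terminate_sched()` would make the guard and the uses provably refer to the same pointer.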
* [PATCH 6.1 216/969] net: ks8851: Reinstate disabling of BHs around IRQ handler
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Andrzej Siewior,
Marek Vasut, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Vasut <marex@nabladev.com>
commit 5c9fcac3c872224316714d0d8914d9af16c76a6d upstream.
If the driver executes ks8851_irq() AND a TX packet has been sent, then
the driver enables TX queue via netif_wake_queue() which schedules TX
softirq to queue packets for this device.
If CONFIG_PREEMPT_RT=y is set AND a packet has also been received by
the MAC, then ks8851_rx_pkts() calls netdev_alloc_skb_ip_align() to
allocate SKBs for the received packets. If netdev_alloc_skb_ip_align()
is called with BH enabled, then local_bh_enable() at the end of
netdev_alloc_skb_ip_align() will trigger the pending softirq processing,
which may ultimately call the .xmit callback ks8851_start_xmit_par().
The ks8851_start_xmit_par() will try to lock struct ks8851_net_par
.lock spinlock, which is already locked by ks8851_irq() from which
ks8851_start_xmit_par() was called. This leads to a deadlock, which
is reported by the kernel, including a trace listed below.
If CONFIG_PREEMPT_RT is not set, then since commit 0913ec336a6c0
("net: ks8851: Fix deadlock with the SPI chip variant") the deadlock
can also be triggered without a received packet in the RX FIFO. The
pending softirqs will be processed on return from
spin_unlock_bh(&ks->statelock) in ks8851_irq(), which triggers the
deadlock as well.
Fix the problem by disabling BH around critical sections, including the
IRQ handler, thus preventing the net_tx_action() softirq from triggering
during these critical sections. The net_tx_action() softirq is triggered
once BH are re-enabled and at the end of the IRQ handler, once all the
other IRQ handler actions have been completed.
__schedule from schedule_rtlock+0x1c/0x34
schedule_rtlock from rtlock_slowlock_locked+0x548/0x904
rtlock_slowlock_locked from rt_spin_lock+0x60/0x9c
rt_spin_lock from ks8851_start_xmit_par+0x74/0x1a8
ks8851_start_xmit_par from netdev_start_xmit+0x20/0x44
netdev_start_xmit from dev_hard_start_xmit+0xd0/0x188
dev_hard_start_xmit from sch_direct_xmit+0xb8/0x25c
sch_direct_xmit from __qdisc_run+0x1f8/0x4ec
__qdisc_run from qdisc_run+0x1c/0x28
qdisc_run from net_tx_action+0x1f0/0x268
net_tx_action from handle_softirqs+0x1a4/0x270
handle_softirqs from __local_bh_enable_ip+0xcc/0xe0
__local_bh_enable_ip from __alloc_skb+0xd8/0x128
__alloc_skb from __netdev_alloc_skb+0x3c/0x19c
__netdev_alloc_skb from ks8851_irq+0x388/0x4d4
ks8851_irq from irq_thread_fn+0x24/0x64
irq_thread_fn from irq_thread+0x178/0x28c
irq_thread from kthread+0x12c/0x138
kthread from ret_from_fork+0x14/0x28
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Fixes: e0863634bf9f ("net: ks8851: Queue RX packets in IRQ handler instead of disabling BHs")
Cc: stable@vger.kernel.org
Signed-off-by: Marek Vasut <marex@nabladev.com>
Link: https://patch.msgid.link/20260415231020.455298-1-marex@nabladev.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/micrel/ks8851.h | 6 --
drivers/net/ethernet/micrel/ks8851_common.c | 64 +++++++++++-----------------
drivers/net/ethernet/micrel/ks8851_par.c | 15 ++----
drivers/net/ethernet/micrel/ks8851_spi.c | 11 +---
4 files changed, 38 insertions(+), 58 deletions(-)
--- a/drivers/net/ethernet/micrel/ks8851.h
+++ b/drivers/net/ethernet/micrel/ks8851.h
@@ -408,10 +408,8 @@ struct ks8851_net {
struct gpio_desc *gpio;
struct mii_bus *mii_bus;
- void (*lock)(struct ks8851_net *ks,
- unsigned long *flags);
- void (*unlock)(struct ks8851_net *ks,
- unsigned long *flags);
+ void (*lock)(struct ks8851_net *ks);
+ void (*unlock)(struct ks8851_net *ks);
unsigned int (*rdreg16)(struct ks8851_net *ks,
unsigned int reg);
void (*wrreg16)(struct ks8851_net *ks,
--- a/drivers/net/ethernet/micrel/ks8851_common.c
+++ b/drivers/net/ethernet/micrel/ks8851_common.c
@@ -28,25 +28,23 @@
/**
* ks8851_lock - register access lock
* @ks: The chip state
- * @flags: Spinlock flags
*
* Claim chip register access lock
*/
-static void ks8851_lock(struct ks8851_net *ks, unsigned long *flags)
+static void ks8851_lock(struct ks8851_net *ks)
{
- ks->lock(ks, flags);
+ ks->lock(ks);
}
/**
* ks8851_unlock - register access unlock
* @ks: The chip state
- * @flags: Spinlock flags
*
* Release chip register access lock
*/
-static void ks8851_unlock(struct ks8851_net *ks, unsigned long *flags)
+static void ks8851_unlock(struct ks8851_net *ks)
{
- ks->unlock(ks, flags);
+ ks->unlock(ks);
}
/**
@@ -129,11 +127,10 @@ static void ks8851_set_powermode(struct
static int ks8851_write_mac_addr(struct net_device *dev)
{
struct ks8851_net *ks = netdev_priv(dev);
- unsigned long flags;
u16 val;
int i;
- ks8851_lock(ks, &flags);
+ ks8851_lock(ks);
/*
* Wake up chip in case it was powered off when stopped; otherwise,
@@ -149,7 +146,7 @@ static int ks8851_write_mac_addr(struct
if (!netif_running(dev))
ks8851_set_powermode(ks, PMECR_PM_SOFTDOWN);
- ks8851_unlock(ks, &flags);
+ ks8851_unlock(ks);
return 0;
}
@@ -163,12 +160,11 @@ static int ks8851_write_mac_addr(struct
static void ks8851_read_mac_addr(struct net_device *dev)
{
struct ks8851_net *ks = netdev_priv(dev);
- unsigned long flags;
u8 addr[ETH_ALEN];
u16 reg;
int i;
- ks8851_lock(ks, &flags);
+ ks8851_lock(ks);
for (i = 0; i < ETH_ALEN; i += 2) {
reg = ks8851_rdreg16(ks, KS_MAR(i));
@@ -177,7 +173,7 @@ static void ks8851_read_mac_addr(struct
}
eth_hw_addr_set(dev, addr);
- ks8851_unlock(ks, &flags);
+ ks8851_unlock(ks);
}
/**
@@ -328,11 +324,10 @@ static irqreturn_t ks8851_irq(int irq, v
{
struct ks8851_net *ks = _ks;
struct sk_buff_head rxq;
- unsigned long flags;
unsigned int status;
struct sk_buff *skb;
- ks8851_lock(ks, &flags);
+ ks8851_lock(ks);
status = ks8851_rdreg16(ks, KS_ISR);
ks8851_wrreg16(ks, KS_ISR, status);
@@ -389,7 +384,7 @@ static irqreturn_t ks8851_irq(int irq, v
ks8851_wrreg16(ks, KS_RXCR1, rxc->rxcr1);
}
- ks8851_unlock(ks, &flags);
+ ks8851_unlock(ks);
if (status & IRQ_LCI)
mii_check_link(&ks->mii);
@@ -421,7 +416,6 @@ static void ks8851_flush_tx_work(struct
static int ks8851_net_open(struct net_device *dev)
{
struct ks8851_net *ks = netdev_priv(dev);
- unsigned long flags;
int ret;
ret = request_threaded_irq(dev->irq, NULL, ks8851_irq,
@@ -434,7 +428,7 @@ static int ks8851_net_open(struct net_de
/* lock the card, even if we may not actually be doing anything
* else at the moment */
- ks8851_lock(ks, &flags);
+ ks8851_lock(ks);
netif_dbg(ks, ifup, ks->netdev, "opening\n");
@@ -487,7 +481,7 @@ static int ks8851_net_open(struct net_de
netif_dbg(ks, ifup, ks->netdev, "network device up\n");
- ks8851_unlock(ks, &flags);
+ ks8851_unlock(ks);
mii_check_link(&ks->mii);
return 0;
}
@@ -503,23 +497,22 @@ static int ks8851_net_open(struct net_de
static int ks8851_net_stop(struct net_device *dev)
{
struct ks8851_net *ks = netdev_priv(dev);
- unsigned long flags;
netif_info(ks, ifdown, dev, "shutting down\n");
netif_stop_queue(dev);
- ks8851_lock(ks, &flags);
+ ks8851_lock(ks);
/* turn off the IRQs and ack any outstanding */
ks8851_wrreg16(ks, KS_IER, 0x0000);
ks8851_wrreg16(ks, KS_ISR, 0xffff);
- ks8851_unlock(ks, &flags);
+ ks8851_unlock(ks);
/* stop any outstanding work */
ks8851_flush_tx_work(ks);
flush_work(&ks->rxctrl_work);
- ks8851_lock(ks, &flags);
+ ks8851_lock(ks);
/* shutdown RX process */
ks8851_wrreg16(ks, KS_RXCR1, 0x0000);
@@ -528,7 +521,7 @@ static int ks8851_net_stop(struct net_de
/* set powermode to soft power down to save power */
ks8851_set_powermode(ks, PMECR_PM_SOFTDOWN);
- ks8851_unlock(ks, &flags);
+ ks8851_unlock(ks);
/* ensure any queued tx buffers are dumped */
while (!skb_queue_empty(&ks->txq)) {
@@ -582,14 +575,13 @@ static netdev_tx_t ks8851_start_xmit(str
static void ks8851_rxctrl_work(struct work_struct *work)
{
struct ks8851_net *ks = container_of(work, struct ks8851_net, rxctrl_work);
- unsigned long flags;
- ks8851_lock(ks, &flags);
+ ks8851_lock(ks);
/* need to shutdown RXQ before modifying filter parameters */
ks8851_wrreg16(ks, KS_RXCR1, 0x00);
- ks8851_unlock(ks, &flags);
+ ks8851_unlock(ks);
}
static void ks8851_set_rx_mode(struct net_device *dev)
@@ -796,7 +788,6 @@ static int ks8851_set_eeprom(struct net_
{
struct ks8851_net *ks = netdev_priv(dev);
int offset = ee->offset;
- unsigned long flags;
int len = ee->len;
u16 tmp;
@@ -810,7 +801,7 @@ static int ks8851_set_eeprom(struct net_
if (!(ks->rc_ccr & CCR_EEPROM))
return -ENOENT;
- ks8851_lock(ks, &flags);
+ ks8851_lock(ks);
ks8851_eeprom_claim(ks);
@@ -833,7 +824,7 @@ static int ks8851_set_eeprom(struct net_
eeprom_93cx6_wren(&ks->eeprom, false);
ks8851_eeprom_release(ks);
- ks8851_unlock(ks, &flags);
+ ks8851_unlock(ks);
return 0;
}
@@ -843,7 +834,6 @@ static int ks8851_get_eeprom(struct net_
{
struct ks8851_net *ks = netdev_priv(dev);
int offset = ee->offset;
- unsigned long flags;
int len = ee->len;
/* must be 2 byte aligned */
@@ -853,7 +843,7 @@ static int ks8851_get_eeprom(struct net_
if (!(ks->rc_ccr & CCR_EEPROM))
return -ENOENT;
- ks8851_lock(ks, &flags);
+ ks8851_lock(ks);
ks8851_eeprom_claim(ks);
@@ -861,7 +851,7 @@ static int ks8851_get_eeprom(struct net_
eeprom_93cx6_multiread(&ks->eeprom, offset/2, (__le16 *)data, len/2);
ks8851_eeprom_release(ks);
- ks8851_unlock(ks, &flags);
+ ks8851_unlock(ks);
return 0;
}
@@ -920,7 +910,6 @@ static int ks8851_phy_reg(int reg)
static int ks8851_phy_read_common(struct net_device *dev, int phy_addr, int reg)
{
struct ks8851_net *ks = netdev_priv(dev);
- unsigned long flags;
int result;
int ksreg;
@@ -928,9 +917,9 @@ static int ks8851_phy_read_common(struct
if (ksreg < 0)
return ksreg;
- ks8851_lock(ks, &flags);
+ ks8851_lock(ks);
result = ks8851_rdreg16(ks, ksreg);
- ks8851_unlock(ks, &flags);
+ ks8851_unlock(ks);
return result;
}
@@ -965,14 +954,13 @@ static void ks8851_phy_write(struct net_
int phy, int reg, int value)
{
struct ks8851_net *ks = netdev_priv(dev);
- unsigned long flags;
int ksreg;
ksreg = ks8851_phy_reg(reg);
if (ksreg >= 0) {
- ks8851_lock(ks, &flags);
+ ks8851_lock(ks);
ks8851_wrreg16(ks, ksreg, value);
- ks8851_unlock(ks, &flags);
+ ks8851_unlock(ks);
}
}
--- a/drivers/net/ethernet/micrel/ks8851_par.c
+++ b/drivers/net/ethernet/micrel/ks8851_par.c
@@ -55,29 +55,27 @@ struct ks8851_net_par {
/**
* ks8851_lock_par - register access lock
* @ks: The chip state
- * @flags: Spinlock flags
*
* Claim chip register access lock
*/
-static void ks8851_lock_par(struct ks8851_net *ks, unsigned long *flags)
+static void ks8851_lock_par(struct ks8851_net *ks)
{
struct ks8851_net_par *ksp = to_ks8851_par(ks);
- spin_lock_irqsave(&ksp->lock, *flags);
+ spin_lock_bh(&ksp->lock);
}
/**
* ks8851_unlock_par - register access unlock
* @ks: The chip state
- * @flags: Spinlock flags
*
* Release chip register access lock
*/
-static void ks8851_unlock_par(struct ks8851_net *ks, unsigned long *flags)
+static void ks8851_unlock_par(struct ks8851_net *ks)
{
struct ks8851_net_par *ksp = to_ks8851_par(ks);
- spin_unlock_irqrestore(&ksp->lock, *flags);
+ spin_unlock_bh(&ksp->lock);
}
/**
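Review bot: replacing `spin_lock_irqsave()` with `spin_lock_bh()` in `ks8851_lock_par()` changes the contract of the lock: it no longer masks hard interrupts, and `spin_unlock_bh()` must not run with interrupts disabled. The callers visible in this patch (the threaded handler registered with `request_threaded_irq(dev->irq, NULL, ks8851_irq, ...)`, the xmit path and the work items) satisfy that, but the kernel-doc here only lost its `@flags` line. Please add a `Context:` line to `ks8851_lock_par()` and `ks8851_unlock_par()` saying the lock is taken with BH disabled and must never be acquired from hard-IRQ context, so a future hard-IRQ user is caught at review time rather than by lockdep.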
@@ -233,7 +231,6 @@ static netdev_tx_t ks8851_start_xmit_par
{
struct ks8851_net *ks = netdev_priv(dev);
netdev_tx_t ret = NETDEV_TX_OK;
- unsigned long flags;
unsigned int txqcr;
u16 txmir;
int err;
@@ -241,7 +238,7 @@ static netdev_tx_t ks8851_start_xmit_par
netif_dbg(ks, tx_queued, ks->netdev,
"%s: skb %p, %d@%p\n", __func__, skb, skb->len, skb->data);
- ks8851_lock_par(ks, &flags);
+ ks8851_lock_par(ks);
txmir = ks8851_rdreg16_par(ks, KS_TXMIR) & 0x1fff;
@@ -262,7 +259,7 @@ static netdev_tx_t ks8851_start_xmit_par
ret = NETDEV_TX_BUSY;
}
- ks8851_unlock_par(ks, &flags);
+ ks8851_unlock_par(ks);
return ret;
}
--- a/drivers/net/ethernet/micrel/ks8851_spi.c
+++ b/drivers/net/ethernet/micrel/ks8851_spi.c
@@ -73,11 +73,10 @@ struct ks8851_net_spi {
/**
* ks8851_lock_spi - register access lock
* @ks: The chip state
- * @flags: Spinlock flags
*
* Claim chip register access lock
*/
-static void ks8851_lock_spi(struct ks8851_net *ks, unsigned long *flags)
+static void ks8851_lock_spi(struct ks8851_net *ks)
{
struct ks8851_net_spi *kss = to_ks8851_spi(ks);
@@ -87,11 +86,10 @@ static void ks8851_lock_spi(struct ks885
/**
* ks8851_unlock_spi - register access unlock
* @ks: The chip state
- * @flags: Spinlock flags
*
* Release chip register access lock
*/
-static void ks8851_unlock_spi(struct ks8851_net *ks, unsigned long *flags)
+static void ks8851_unlock_spi(struct ks8851_net *ks)
{
struct ks8851_net_spi *kss = to_ks8851_spi(ks);
@@ -311,7 +309,6 @@ static void ks8851_tx_work(struct work_s
struct ks8851_net_spi *kss;
unsigned short tx_space;
struct ks8851_net *ks;
- unsigned long flags;
struct sk_buff *txb;
bool last;
@@ -319,7 +316,7 @@ static void ks8851_tx_work(struct work_s
ks = &kss->ks8851;
last = skb_queue_empty(&ks->txq);
- ks8851_lock_spi(ks, &flags);
+ ks8851_lock_spi(ks);
while (!last) {
txb = skb_dequeue(&ks->txq);
@@ -345,7 +342,7 @@ static void ks8851_tx_work(struct work_s
ks->tx_space = tx_space;
spin_unlock_bh(&ks->statelock);
- ks8851_unlock_spi(ks, &flags);
+ ks8851_unlock_spi(ks);
}
/**
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 217/969] net: ks8851: Avoid excess softirq scheduling
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (215 preceding siblings ...)
2026-05-30 15:55 ` [PATCH 6.1 216/969] net: ks8851: Reinstate disabling of BHs around IRQ handler Greg Kroah-Hartman
@ 2026-05-30 15:55 ` Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 218/969] drm/arcpgu: fix device node leak Greg Kroah-Hartman
` (758 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Andrzej Siewior,
Marek Vasut, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Vasut <marex@nabladev.com>
commit 22230e68b2cf1ab6b027be8cf1198164a949c4fa upstream.
The code injects a packet into netif_rx() repeatedly, which will add
it to its internal NAPI and schedule a softirq, and process it. It is
more efficient to queue multiple packets and process them all at the
local_bh_enable() time.
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Fixes: e0863634bf9f ("net: ks8851: Queue RX packets in IRQ handler instead of disabling BHs")
Cc: stable@vger.kernel.org
Signed-off-by: Marek Vasut <marex@nabladev.com>
Link: https://patch.msgid.link/20260415231020.455298-2-marex@nabladev.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/micrel/ks8851_common.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/net/ethernet/micrel/ks8851_common.c
+++ b/drivers/net/ethernet/micrel/ks8851_common.c
@@ -389,9 +389,12 @@ static irqreturn_t ks8851_irq(int irq, v
if (status & IRQ_LCI)
mii_check_link(&ks->mii);
- if (status & IRQ_RXI)
+ if (status & IRQ_RXI) {
+ local_bh_disable();
while ((skb = __skb_dequeue(&rxq)))
netif_rx(skb);
+ local_bh_enable();
+ }
return IRQ_HANDLED;
}
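Review bot: the local_bh_disable()/local_bh_enable() pair added around the netif_rx() loop in ks8851_irq() has no comment, and it reads like a locking requirement rather than the batching optimisation the changelog describes. A short comment above local_bh_disable() saying that BHs are held off so the queued packets are processed once at local_bh_enable() time would keep someone from removing it as redundant. It would also help to state there that this path runs in a context where local_bh_enable() is allowed.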
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 218/969] drm/arcpgu: fix device node leak
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (216 preceding siblings ...)
2026-05-30 15:55 ` [PATCH 6.1 217/969] net: ks8851: Avoid excess softirq scheduling Greg Kroah-Hartman
@ 2026-05-30 15:55 ` Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 219/969] RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv Greg Kroah-Hartman
` (757 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Louis Chauvet, Luca Ceresoli
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luca Ceresoli <luca.ceresoli@bootlin.com>
commit ad3ac32a3893a2bbcad545efc005a8e4e7ecf10c upstream.
This function gets a device_node reference via
of_graph_get_remote_port_parent() and stores it in encoder_node, but never
puts that reference. Add it.
There used to be a of_node_put(encoder_node) but it has been removed by
mistake during a rework in commit 3ea66a794fdc ("drm/arc: Inline
arcpgu_drm_hdmi_init").
Fixes: 3ea66a794fdc ("drm/arc: Inline arcpgu_drm_hdmi_init")
Cc: stable@vger.kernel.org
Reviewed-by: Louis Chauvet <louis.chauvet@bootlin.com>
Link: https://patch.msgid.link/20260402-drm-arcgpu-fix-device-node-leak-v2-1-d773cf754ae5@bootlin.com
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/tiny/arcpgu.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/tiny/arcpgu.c
+++ b/drivers/gpu/drm/tiny/arcpgu.c
@@ -248,7 +248,8 @@ DEFINE_DRM_GEM_DMA_FOPS(arcpgu_drm_ops);
static int arcpgu_load(struct arcpgu_drm_private *arcpgu)
{
struct platform_device *pdev = to_platform_device(arcpgu->drm.dev);
- struct device_node *encoder_node = NULL, *endpoint_node = NULL;
+ struct device_node *encoder_node __free(device_node) = NULL;
+ struct device_node *endpoint_node = NULL;
struct drm_connector *connector = NULL;
struct drm_device *drm = &arcpgu->drm;
struct resource *res;
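Review bot: the new declaration "struct device_node *encoder_node __free(device_node) = NULL;" in arcpgu_load() depends on the scope-based cleanup helper, but the diffstat shows only this declaration changing and no include is added. Please confirm that the 6.1.y tree provides __free() and the device_node cleanup class to this file, otherwise the backport needs the explicit of_node_put(encoder_node) that the changelog says was lost. Since encoder_node is initialised to NULL at the top and assigned later, a comment noting that the put happens automatically on every return path would also help readers used to the manual form.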
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 219/969] RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (217 preceding siblings ...)
2026-05-30 15:55 ` [PATCH 6.1 218/969] drm/arcpgu: fix device node leak Greg Kroah-Hartman
@ 2026-05-30 15:55 ` Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 220/969] ipv4: icmp: validate reply type before using icmp_pointers Greg Kroah-Hartman
` (756 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, hkbinbin, Zhu Yanjun,
Jason Gunthorpe
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: hkbinbin <hkbinbinbin@gmail.com>
commit 7244491dab347f648e661da96dc0febadd9daec3 upstream.
rxe_rcv() currently checks only that the incoming packet is at least
header_size(pkt) bytes long before payload_size() is used.
However, payload_size() subtracts both the attacker-controlled BTH pad
field and RXE_ICRC_SIZE from pkt->paylen:
payload_size = pkt->paylen - offset[RXE_PAYLOAD] - bth_pad(pkt)
- RXE_ICRC_SIZE
This means a short packet can still make payload_size() underflow even
if it includes enough bytes for the fixed headers. Simply requiring
header_size(pkt) + RXE_ICRC_SIZE is not sufficient either, because a
packet with a forged non-zero BTH pad can still leave payload_size()
negative and pass an underflowed value to later receive-path users.
Fix this by validating pkt->paylen against the full minimum length
required by payload_size(): header_size(pkt) + bth_pad(pkt) +
RXE_ICRC_SIZE.
Cc: stable@vger.kernel.org
Fixes: 8700e3e7c485 ("Soft RoCE driver")
Link: https://patch.msgid.link/r/20260401121907.1468366-1-hkbinbinbin@gmail.com
Signed-off-by: hkbinbin <hkbinbinbin@gmail.com>
Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/sw/rxe/rxe_recv.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/infiniband/sw/rxe/rxe_recv.c
+++ b/drivers/infiniband/sw/rxe/rxe_recv.c
@@ -322,7 +322,8 @@ void rxe_rcv(struct sk_buff *skb)
pkt->qp = NULL;
pkt->mask |= rxe_opcode[pkt->opcode].mask;
- if (unlikely(skb->len < header_size(pkt)))
+ if (unlikely(pkt->paylen < header_size(pkt) + bth_pad(pkt) +
+ RXE_ICRC_SIZE))
goto drop;
err = hdr_check(pkt);
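Review bot: the length test in rxe_rcv() switches its left-hand operand from skb->len to pkt->paylen as well as extending the right-hand side, and the changelog explains only the second part. Please confirm that pkt->paylen is already set at this point and holds the length that payload_size() later subtracts from, and add a one-line comment above the check naming the three terms (fixed headers, BTH pad, ICRC) so the minimum stays in step with payload_size() if either is changed.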
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 220/969] ipv4: icmp: validate reply type before using icmp_pointers
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (218 preceding siblings ...)
2026-05-30 15:55 ` [PATCH 6.1 219/969] RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv Greg Kroah-Hartman
@ 2026-05-30 15:55 ` Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 221/969] libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply() Greg Kroah-Hartman
` (755 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
Juefei Pu, Xin Liu, Ruide Cao, Ren Wei, Simon Horman,
Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ruide Cao <caoruide123@gmail.com>
commit 67bf002a2d7387a6312138210d0bd06e3cf4879b upstream.
Extended echo replies use ICMP_EXT_ECHOREPLY as the outbound reply type.
That value is outside the range covered by icmp_pointers[], which only
describes the traditional ICMP types up to NR_ICMP_TYPES.
Avoid consulting icmp_pointers[] for reply types outside that range, and
use array_index_nospec() for the remaining in-range lookup. Normal ICMP
replies keep their existing behavior unchanged.
Fixes: d329ea5bd884 ("icmp: add response to RFC 8335 PROBE messages")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Ruide Cao <caoruide123@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/0dace90c01a5978e829ca741ef684dbd7304ce62.1776628519.git.caoruide123@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/icmp.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -64,6 +64,7 @@
#include <linux/jiffies.h>
#include <linux/kernel.h>
#include <linux/fcntl.h>
+#include <linux/nospec.h>
#include <linux/socket.h>
#include <linux/in.h>
#include <linux/inet.h>
@@ -359,7 +360,9 @@ static int icmp_glue_bits(void *from, ch
to, len);
skb->csum = csum_block_add(skb->csum, csum, odd);
- if (icmp_pointers[icmp_param->data.icmph.type].error)
+ if (icmp_param->data.icmph.type <= NR_ICMP_TYPES &&
+ icmp_pointers[array_index_nospec(icmp_param->data.icmph.type,
+ NR_ICMP_TYPES + 1)].error)
nf_ct_attach(skb, icmp_param->skb);
return 0;
}
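Review bot: in icmp_glue_bits() the range check and the clamp state the same bound in two forms, "type <= NR_ICMP_TYPES" and "array_index_nospec(..., NR_ICMP_TYPES + 1)", with icmp_param->data.icmph.type spelled out twice across three lines. Reading the type into a local variable once and using it for both the comparison and the array_index_nospec() call would make it obvious that the checked value and the indexed value are the same, and a short comment that ICMP_EXT_ECHOREPLY falls outside icmp_pointers[] would explain why the guard exists.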
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 221/969] libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (219 preceding siblings ...)
2026-05-30 15:55 ` [PATCH 6.1 220/969] ipv4: icmp: validate reply type before using icmp_pointers Greg Kroah-Hartman
@ 2026-05-30 15:55 ` Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 222/969] extract-cert: Wrap key_pass with #ifdef USE_PKCS11_ENGINE Greg Kroah-Hartman
` (754 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Raphael Zimmer, Ilya Dryomov
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
commit 5199c125d25aeae8615c4fc31652cc0fe624338e upstream.
If a message of type CEPH_MSG_AUTH_REPLY contains a zero value for both
protocol and result, this is currently not treated as an error. In case
of ac->negotiating == true and ac->protocol > 0, this leads to setting
ac->protocol = 0 and ac->ops = NULL. Thereafter, the check for
ac->protocol != protocol returns false, and init_protocol() is not
called. Subsequently, ac->ops->handle_reply() is called, which leads to
a null pointer dereference, because ac->ops is still NULL.
This patch changes the check for ac->protocol != protocol to
!ac->protocol, as this also includes the case when the protocol was set
to zero in the message. This causes the message to be treated as
containing a bad auth protocol.
Cc: stable@vger.kernel.org
Signed-off-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/auth.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/ceph/auth.c
+++ b/net/ceph/auth.c
@@ -245,7 +245,7 @@ int ceph_handle_auth_reply(struct ceph_a
ac->protocol = 0;
ac->ops = NULL;
}
- if (ac->protocol != protocol) {
+ if (!ac->protocol) {
ret = init_protocol(ac, protocol);
if (ret) {
pr_err("auth protocol '%s' init failed: %d\n",
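Review bot: replacing "ac->protocol != protocol" with "!ac->protocol" in ceph_handle_auth_reply() means a reply whose protocol differs from a non-zero ac->protocol reaches init_protocol() only if the block just above has already reset ac->protocol to 0. The condition guarding that reset is outside the lines shown, so please add a comment here stating that every mismatch is expected to pass through the reset first, and that a zero protocol in the message is deliberately handed to init_protocol() so it is rejected as a bad auth protocol.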
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 222/969] extract-cert: Wrap key_pass with #ifdef USE_PKCS11_ENGINE
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (220 preceding siblings ...)
2026-05-30 15:55 ` [PATCH 6.1 221/969] libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply() Greg Kroah-Hartman
@ 2026-05-30 15:55 ` Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 223/969] tpm: avoid -Wunused-but-set-variable Greg Kroah-Hartman
` (753 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nick Desaulniers, Nathan Chancellor
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
commit 4f96b7c68a9904e01049ef610d701b382dca9574 upstream.
A recent strengthening of -Wunused-but-set-variable (enabled with -Wall)
in clang under a new subwarning, -Wunused-but-set-global, points out an
unused static global variable in certs/extract-cert.c:
certs/extract-cert.c:46:20: error: variable 'key_pass' set but not used [-Werror,-Wunused-but-set-global]
46 | static const char *key_pass;
| ^
After commit 558bdc45dfb2 ("sign-file,extract-cert: use pkcs11 provider
for OPENSSL MAJOR >= 3"), key_pass is only used with the OpenSSL engine
API, not the new provider API. Wrap key_pass's declaration and
assignment with '#ifdef USE_PKCS11_ENGINE' so that it is only included
with its use to clear up the warning. While this is a little uglier than
just marking key_pass with the unused attribute, this will make it
easier to clean up all code associated with the use of the engine API if
it were ever removed in the future. While in the area, use a tab for
the key_pass assignment line to match the rest of the file.
Cc: stable@vger.kernel.org
Fixes: 558bdc45dfb2 ("sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3")
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Tested-by: Nick Desaulniers <ndesaulniers@google.com>
Link: https://patch.msgid.link/20260325-certs-extract-cert-key_pass-unused-but-set-global-v1-1-ecf94326d532@kernel.org
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
| 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/certs/extract-cert.c
+++ b/certs/extract-cert.c
@@ -43,7 +43,9 @@ void format(void)
exit(2);
}
+#ifdef USE_PKCS11_ENGINE
static const char *key_pass;
+#endif
static BIO *wb;
static char *cert_dst;
static int kbuild_verbose;
@@ -132,7 +134,9 @@ int main(int argc, char **argv)
kbuild_verbose = atoi(getenv("KBUILD_VERBOSE")?:"0");
- key_pass = getenv("KBUILD_SIGN_PIN");
+#ifdef USE_PKCS11_ENGINE
+ key_pass = getenv("KBUILD_SIGN_PIN");
+#endif
if (argc != 3)
format();
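Review bot: in main(), KBUILD_SIGN_PIN is now read only when USE_PKCS11_ENGINE is defined, so a build without it ignores the variable silently. A one-line comment at the #ifdef saying that the PIN is consumed by the engine path only would save the next reader from looking for a second user of key_pass.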
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 223/969] tpm: avoid -Wunused-but-set-variable
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (221 preceding siblings ...)
2026-05-30 15:55 ` [PATCH 6.1 222/969] extract-cert: Wrap key_pass with #ifdef USE_PKCS11_ENGINE Greg Kroah-Hartman
@ 2026-05-30 15:55 ` Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 224/969] LoongArch: Show CPU vulnerabilites correctly Greg Kroah-Hartman
` (752 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Thorsten Blum,
Jarkko Sakkinen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
commit 6f1d4d2ecfcd1b577dc87350ea965fe81f272e83 upstream.
Outside of the EFI tpm code, the TPM_MEMREMAP()/TPM_MEMUNMAP functions are
defined as trivial macros, leading to the mapping_size variable ending
up unused:
In file included from drivers/char/tpm/tpm-sysfs.c:16:
In file included from drivers/char/tpm/tpm.h:28:
include/linux/tpm_eventlog.h:167:6: error: variable 'mapping_size' set but not used [-Werror,-Wunused-but-set-variable]
167 | int mapping_size;
Turn the stubs into inline functions to avoid this warning.
Cc: stable@vger.kernel.org # v5.3+
Fixes: c46f3405692d ("tpm: Reserve the TPM final events table")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Thorsten Blum <thorsten.blum@linux.dev>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/tpm_eventlog.h | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/include/linux/tpm_eventlog.h
+++ b/include/linux/tpm_eventlog.h
@@ -131,11 +131,16 @@ struct tcg_algorithm_info {
};
#ifndef TPM_MEMREMAP
-#define TPM_MEMREMAP(start, size) NULL
+static inline void *TPM_MEMREMAP(unsigned long start, size_t size)
+{
+ return NULL;
+}
#endif
#ifndef TPM_MEMUNMAP
-#define TPM_MEMUNMAP(start, size) do{} while(0)
+static inline void TPM_MEMUNMAP(void *mapping, size_t size)
+{
+}
#endif
/**
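Review bot: turning the TPM_MEMREMAP()/TPM_MEMUNMAP() stubs into inline functions gives them fixed parameter types, "unsigned long start" for the former and "void *mapping" for the latter, where the old macros accepted anything. Please check that every caller of the stub versions passes arguments of those types without a new warning, and consider a short comment above the stubs noting that an override must still be a macro defined before this header, since the surrounding #ifndef tests only see macros.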
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 224/969] LoongArch: Show CPU vulnerabilites correctly
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (222 preceding siblings ...)
2026-05-30 15:55 ` [PATCH 6.1 223/969] tpm: avoid -Wunused-but-set-variable Greg Kroah-Hartman
@ 2026-05-30 15:55 ` Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 225/969] power: supply: axp288_charger: Do not cancel work before initializing it Greg Kroah-Hartman
` (751 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Huacai Chen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huacai Chen <chenhuacai@loongson.cn>
commit 37e57e8ad96cdec4a57b55fd10bef50f7370a954 upstream.
Most LoongArch processors are vulnerable to Spectre-V1 Proof-of-Concept
(PoC). And the generic mechanism, __user pointer sanitization, can be
used as a mitigation. This means to use array_index_nospec() to prevent
out of boundary access in syscall and other critical paths.
Implement the arch-specific cpu_show_spectre_v1() to show CPU Spectre-V1
vulnerabilities correctly.
Cc: stable@vger.kernel.org
Link: https://cc-sw.com/chinese-loongarch-architecture-evaluation-part-3-of-3/
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/kernel/cpu-probe.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/arch/loongarch/kernel/cpu-probe.c
+++ b/arch/loongarch/kernel/cpu-probe.c
@@ -7,6 +7,7 @@
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/ptrace.h>
+#include <linux/cpu.h>
#include <linux/smp.h>
#include <linux/stddef.h>
#include <linux/export.h>
@@ -297,3 +298,9 @@ void cpu_probe(void)
cpu_report();
}
+
+ssize_t cpu_show_spectre_v1(struct device *dev,
+ struct device_attribute *attr, char *buf)
+{
+ return sysfs_emit(buf, "Mitigation: __user pointer sanitization\n");
+}
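Review bot: cpu_show_spectre_v1() returns "Mitigation: __user pointer sanitization" unconditionally, while the changelog says that most, not all, LoongArch processors are affected. If some cores are not vulnerable, the sysfs file will report a mitigation for them instead of "Not affected"; either add that distinction or put a comment on the function saying the string is reported for every CPU on purpose.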
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 225/969] power: supply: axp288_charger: Do not cancel work before initializing it
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (223 preceding siblings ...)
2026-05-30 15:55 ` [PATCH 6.1 224/969] LoongArch: Show CPU vulnerabilites correctly Greg Kroah-Hartman
@ 2026-05-30 15:55 ` Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 226/969] randomize_kstack: Maintain kstack_offset per task Greg Kroah-Hartman
` (750 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Hans de Goede,
Chen-Yu Tsai, Sebastian Reichel
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
commit 658342fd75b582cbb06544d513171c3d645faead upstream.
Driver registered devm handler to cancel_work_sync() before even the
work was initialized, thus leading to possible warning from
kernel/workqueue.c on (!work->func) check, if the error path was hit
before the initialization happened.
Use devm_work_autocancel() on each work item independently, which
handles the initialization and handler to cancel work.
Fixes: 165c2357744e ("power: supply: axp288_charger: Properly stop work on probe-error / remove")
Cc: stable@vger.kernel.org
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Reviewed-by: Hans de Goede <johannes.goede@oss.qualcomm.com>
Reviewed-by: Chen-Yu Tsai <wens@kernel.org>
Link: https://patch.msgid.link/20260220174938.672883-5-krzysztof.kozlowski@oss.qualcomm.com
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/power/supply/axp288_charger.c | 19 ++++++++-----------
1 file changed, 8 insertions(+), 11 deletions(-)
--- a/drivers/power/supply/axp288_charger.c
+++ b/drivers/power/supply/axp288_charger.c
@@ -10,6 +10,7 @@
#include <linux/acpi.h>
#include <linux/bitops.h>
#include <linux/module.h>
+#include <linux/devm-helpers.h>
#include <linux/device.h>
#include <linux/regmap.h>
#include <linux/workqueue.h>
@@ -821,14 +822,6 @@ static int charger_init_hw_regs(struct a
return 0;
}
-static void axp288_charger_cancel_work(void *data)
-{
- struct axp288_chrg_info *info = data;
-
- cancel_work_sync(&info->otg.work);
- cancel_work_sync(&info->cable.work);
-}
-
static int axp288_charger_probe(struct platform_device *pdev)
{
int ret, i, pirq;
@@ -900,12 +893,12 @@ static int axp288_charger_probe(struct p
}
/* Cancel our work on cleanup, register this before the notifiers */
- ret = devm_add_action(dev, axp288_charger_cancel_work, info);
+ ret = devm_work_autocancel(dev, &info->cable.work,
+ axp288_charger_extcon_evt_worker);
if (ret)
return ret;
/* Register for extcon notification */
- INIT_WORK(&info->cable.work, axp288_charger_extcon_evt_worker);
info->cable.nb.notifier_call = axp288_charger_handle_cable_evt;
ret = devm_extcon_register_notifier_all(dev, info->cable.edev,
&info->cable.nb);
@@ -915,8 +908,12 @@ static int axp288_charger_probe(struct p
}
schedule_work(&info->cable.work);
+ ret = devm_work_autocancel(dev, &info->otg.work,
+ axp288_charger_otg_evt_worker);
+ if (ret)
+ return ret;
+
/* Register for OTG notification */
- INIT_WORK(&info->otg.work, axp288_charger_otg_evt_worker);
info->otg.id_nb.notifier_call = axp288_charger_handle_otg_evt;
if (info->otg.cable) {
ret = devm_extcon_register_notifier(dev, info->otg.cable,
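Review bot: the devm_work_autocancel() call added for info->otg.work sits above the "Register for OTG notification" comment with no comment of its own, whereas the cable work keeps the "Cancel our work on cleanup, register this before the notifiers" line. Please repeat or move that comment so it is clear the ordering requirement (autocancel registered before the notifier that can schedule the work) applies to the OTG work as well.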
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 226/969] randomize_kstack: Maintain kstack_offset per task
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (224 preceding siblings ...)
2026-05-30 15:55 ` [PATCH 6.1 225/969] power: supply: axp288_charger: Do not cancel work before initializing it Greg Kroah-Hartman
@ 2026-05-30 15:55 ` Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 227/969] mmc: block: use single block write in retry Greg Kroah-Hartman
` (749 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mark Rutland, Ryan Roberts,
Kees Cook
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ryan Roberts <ryan.roberts@arm.com>
commit 37beb42560165869838e7d91724f3e629db64129 upstream.
kstack_offset was previously maintained per-cpu, but this caused a
couple of issues. So let's instead make it per-task.
Issue 1: add_random_kstack_offset() and choose_random_kstack_offset()
expected and required to be called with interrupts and preemption
disabled so that it could manipulate per-cpu state. But arm64, loongarch
and risc-v are calling them with interrupts and preemption enabled. I
don't _think_ this causes any functional issues, but it's certainly
unexpected and could lead to manipulating the wrong cpu's state, which
could cause a minor performance degradation due to bouncing the cache
lines. By maintaining the state per-task those functions can safely be
called in preemptible context.
Issue 2: add_random_kstack_offset() is called before executing the
syscall and expands the stack using a previously chosen random offset.
choose_random_kstack_offset() is called after executing the syscall and
chooses and stores a new random offset for the next syscall. With
per-cpu storage for this offset, an attacker could force cpu migration
during the execution of the syscall and prevent the offset from being
updated for the original cpu such that it is predictable for the next
syscall on that cpu. By maintaining the state per-task, this problem
goes away because the per-task random offset is updated after the
syscall regardless of which cpu it is executing on.
Fixes: 39218ff4c625 ("stack: Optionally randomize kernel stack offset each syscall")
Closes: https://lore.kernel.org/all/dd8c37bc-795f-4c7a-9086-69e584d8ab24@arm.com/
Cc: stable@vger.kernel.org
Acked-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>
Link: https://patch.msgid.link/20260303150840.3789438-2-ryan.roberts@arm.com
Signed-off-by: Kees Cook <kees@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/randomize_kstack.h | 26 +++++++++++++++-----------
include/linux/sched.h | 4 ++++
init/main.c | 1 -
kernel/fork.c | 2 ++
4 files changed, 21 insertions(+), 12 deletions(-)
--- a/include/linux/randomize_kstack.h
+++ b/include/linux/randomize_kstack.h
@@ -9,7 +9,6 @@
DECLARE_STATIC_KEY_MAYBE(CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT,
randomize_kstack_offset);
-DECLARE_PER_CPU(u32, kstack_offset);
/*
* Do not use this anywhere else in the kernel. This is used here because
@@ -44,15 +43,14 @@ DECLARE_PER_CPU(u32, kstack_offset);
* add_random_kstack_offset - Increase stack utilization by previously
* chosen random offset
*
- * This should be used in the syscall entry path when interrupts and
- * preempt are disabled, and after user registers have been stored to
- * the stack. For testing the resulting entropy, please see:
- * tools/testing/selftests/lkdtm/stack-entropy.sh
+ * This should be used in the syscall entry path after user registers have been
+ * stored to the stack. Preemption may be enabled. For testing the resulting
+ * entropy, please see: tools/testing/selftests/lkdtm/stack-entropy.sh
*/
#define add_random_kstack_offset() do { \
if (static_branch_maybe(CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT, \
&randomize_kstack_offset)) { \
- u32 offset = raw_cpu_read(kstack_offset); \
+ u32 offset = current->kstack_offset; \
u8 *ptr = __kstack_alloca(KSTACK_OFFSET_MAX(offset)); \
/* Keep allocation even after "ptr" loses scope. */ \
asm volatile("" :: "r"(ptr) : "memory"); \
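Review bot: add_random_kstack_offset() now reads current->kstack_offset, and the static inline random_kstack_task_init() added further down dereferences struct task_struct, but none of the hunks for this header adds an include that provides either. Please confirm that include/linux/randomize_kstack.h still builds when it is the first header a file pulls in, or add the include it needs, since the inline function requires the full structure definition at the point the header is parsed.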
@@ -63,9 +61,9 @@ DECLARE_PER_CPU(u32, kstack_offset);
* choose_random_kstack_offset - Choose the random offset for the next
* add_random_kstack_offset()
*
- * This should only be used during syscall exit when interrupts and
- * preempt are disabled. This position in the syscall flow is done to
- * frustrate attacks from userspace attempting to learn the next offset:
+ * This should only be used during syscall exit. Preemption may be enabled. This
+ * position in the syscall flow is done to frustrate attacks from userspace
+ * attempting to learn the next offset:
* - Maximize the timing uncertainty visible from userspace: if the
* offset is chosen at syscall entry, userspace has much more control
* over the timing between choosing offsets. "How long will we be in
@@ -79,14 +77,20 @@ DECLARE_PER_CPU(u32, kstack_offset);
#define choose_random_kstack_offset(rand) do { \
if (static_branch_maybe(CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT, \
&randomize_kstack_offset)) { \
- u32 offset = raw_cpu_read(kstack_offset); \
+ u32 offset = current->kstack_offset; \
offset = ror32(offset, 5) ^ (rand); \
- raw_cpu_write(kstack_offset, offset); \
+ current->kstack_offset = offset; \
} \
} while (0)
+
+static inline void random_kstack_task_init(struct task_struct *tsk)
+{
+ tsk->kstack_offset = 0;
+}
#else /* CONFIG_RANDOMIZE_KSTACK_OFFSET */
#define add_random_kstack_offset() do { } while (0)
#define choose_random_kstack_offset(rand) do { } while (0)
+#define random_kstack_task_init(tsk) do { } while (0)
#endif /* CONFIG_RANDOMIZE_KSTACK_OFFSET */
#endif
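Review bot: random_kstack_task_init() sets tsk->kstack_offset = 0, so the first add_random_kstack_offset() a new task executes uses a known offset of zero, and randomisation only starts after its first choose_random_kstack_offset(). If that is intended, say so in a comment on the function, including why the parent's value is not inherited. Otherwise, consider seeding the field at fork time.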
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -1491,6 +1491,10 @@ struct task_struct {
unsigned long prev_lowest_stack;
#endif
+#ifdef CONFIG_RANDOMIZE_KSTACK_OFFSET
+ u32 kstack_offset;
+#endif
+
#ifdef CONFIG_X86_MCE
void __user *mce_vaddr;
__u64 mce_kflags;
--- a/init/main.c
+++ b/init/main.c
@@ -880,7 +880,6 @@ static void __init mm_init(void)
#ifdef CONFIG_RANDOMIZE_KSTACK_OFFSET
DEFINE_STATIC_KEY_MAYBE_RO(CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT,
randomize_kstack_offset);
-DEFINE_PER_CPU(u32, kstack_offset);
static int __init early_randomize_kstack_offset(char *buf)
{
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -94,6 +94,7 @@
#include <linux/thread_info.h>
#include <linux/stackleak.h>
#include <linux/kasan.h>
+#include <linux/randomize_kstack.h>
#include <linux/scs.h>
#include <linux/io_uring.h>
#include <linux/bpf.h>
@@ -2366,6 +2367,7 @@ static __latent_entropy struct task_stru
if (retval)
goto bad_fork_cleanup_io;
+ random_kstack_task_init(p);
stackleak_task_init(p);
if (pid != &init_struct_pid) {
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 227/969] mmc: block: use single block write in retry
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (225 preceding siblings ...)
2026-05-30 15:55 ` [PATCH 6.1 226/969] randomize_kstack: Maintain kstack_offset per task Greg Kroah-Hartman
@ 2026-05-30 15:55 ` Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 228/969] mmc: sdhci-of-dwcmshc: Disable clock before DLL configuration Greg Kroah-Hartman
` (748 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jens Axboe, Bin Liu, Ulf Hansson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bin Liu <b-liu@ti.com>
commit c7c6d4f5103864f73ee3a78bfd6da241f84197dd upstream.
Due to errata i2493[0], multi-block write would still fail in retries.
With i2493, the MMC interface has the potential of write failures when
issuing multi-block writes operating in HS200 mode with excessive IO
supply noise.
While the errata provides guidance in hardware design and layout to
minimize the IO supply noise, in theory the write failure cannot be
resolved in hardware. The software solution to ensure the data integrity
is to add minimum 5us delay between block writes. Single-block write is
the practical way to introduce the delay.
This patch reuses recovery_mode flag, and switches to single-block
write in retry when multi-block write fails. It covers both CQE and
non-CQE cases.
[0] https://www.ti.com/lit/pdf/sprz582
Cc: stable@vger.kernel.org
Suggested-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/core/block.c | 12 ++++++++++--
drivers/mmc/core/queue.h | 3 +++
2 files changed, 13 insertions(+), 2 deletions(-)
--- a/drivers/mmc/core/block.c
+++ b/drivers/mmc/core/block.c
@@ -1401,6 +1401,9 @@ static void mmc_blk_data_prep(struct mmc
rq_data_dir(req) == WRITE &&
(md->flags & MMC_BLK_REL_WR);
+ if (mqrq->flags & MQRQ_XFER_SINGLE_BLOCK)
+ recovery_mode = 1;
+
memset(brq, 0, sizeof(struct mmc_blk_request));
mmc_crypto_prepare_req(mqrq);
@@ -1540,10 +1543,13 @@ static void mmc_blk_cqe_complete_rq(stru
err = 0;
if (err) {
- if (mqrq->retries++ < MMC_CQE_RETRIES)
+ if (mqrq->retries++ < MMC_CQE_RETRIES) {
+ if (rq_data_dir(req) == WRITE)
+ mqrq->flags |= MQRQ_XFER_SINGLE_BLOCK;
blk_mq_requeue_request(req, true);
- else
+ } else {
blk_mq_end_request(req, BLK_STS_IOERR);
+ }
} else if (mrq->data) {
if (blk_update_request(req, BLK_STS_OK, mrq->data->bytes_xfered))
blk_mq_requeue_request(req, true);
@@ -2081,6 +2087,8 @@ static void mmc_blk_mq_complete_rq(struc
} else if (!blk_rq_bytes(req)) {
__blk_mq_end_request(req, BLK_STS_IOERR);
} else if (mqrq->retries++ < MMC_MAX_RETRIES) {
+ if (rq_data_dir(req) == WRITE)
+ mqrq->flags |= MQRQ_XFER_SINGLE_BLOCK;
blk_mq_requeue_request(req, true);
} else {
if (mmc_card_removed(mq->card))
--- a/drivers/mmc/core/queue.h
+++ b/drivers/mmc/core/queue.h
@@ -61,6 +61,8 @@ enum mmc_drv_op {
MMC_DRV_OP_GET_EXT_CSD,
};
+#define MQRQ_XFER_SINGLE_BLOCK BIT(0)
+
struct mmc_queue_req {
struct mmc_blk_request brq;
struct scatterlist *sg;
@@ -69,6 +71,7 @@ struct mmc_queue_req {
void *drv_op_data;
unsigned int ioc_count;
int retries;
+ u32 flags;
};
struct mmc_queue {
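Review bot: the new flags field in struct mmc_queue_req is only ever ORed with MQRQ_XFER_SINGLE_BLOCK in the hunks of this patch and is never cleared. It sits next to retries, which is counted up per request; if flags is not reset wherever retries is reset, a request structure that is reused after one failed write would keep forcing recovery_mode = 1 in mmc_blk_data_prep() for later writes. Please confirm where flags is zeroed, or clear it alongside retries.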
* [PATCH 6.1 228/969] mmc: sdhci-of-dwcmshc: Disable clock before DLL configuration
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (226 preceding siblings ...)
2026-05-30 15:55 ` [PATCH 6.1 227/969] mmc: block: use single block write in retry Greg Kroah-Hartman
@ 2026-05-30 15:55 ` Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 229/969] tpm: tpm_tis: add error logging for data transfer Greg Kroah-Hartman
` (747 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shawn Lin, Adrian Hunter,
Ulf Hansson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shawn Lin <shawn.lin@rock-chips.com>
commit 6546a49bbe656981d99a389195560999058c89c4 upstream.
According to the ASIC design recommendations, the clock must be
disabled before operating the DLL to prevent glitches that could
affect the internal digital logic. In extreme cases, failing to
do so may cause the controller to malfunction completely.
Adds a step to disable the clock before DLL configuration and
re-enables it at the end.
Fixes: 08f3dff799d4 ("mmc: sdhci-of-dwcmshc: add rockchip platform support")
Cc: stable@vger.kernel.org
Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/sdhci-of-dwcmshc.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
--- a/drivers/mmc/host/sdhci-of-dwcmshc.c
+++ b/drivers/mmc/host/sdhci-of-dwcmshc.c
@@ -235,12 +235,15 @@ static void dwcmshc_rk3568_set_clock(str
extra &= ~BIT(0);
sdhci_writel(host, extra, reg);
+ /* Disable clock while config DLL */
+ sdhci_writew(host, 0, SDHCI_CLOCK_CONTROL);
+
if (clock <= 52000000) {
if (host->mmc->ios.timing == MMC_TIMING_MMC_HS200 ||
host->mmc->ios.timing == MMC_TIMING_MMC_HS400) {
dev_err(mmc_dev(host->mmc),
"Can't reduce the clock below 52MHz in HS200/HS400 mode");
- return;
+ goto enable_clk;
}
/*
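Review bot: the sdhci_writew(host, 0, SDHCI_CLOCK_CONTROL) at the top of this hunk runs before the HS200/HS400 check, so the "Can't reduce the clock below 52MHz" path now stops and restarts the clock through goto enable_clk without touching any DLL register. Doing that rejection check before the disable would keep an invalid request from toggling a running clock. The new comment would also read better as "Disable the clock while configuring the DLL".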
@@ -260,7 +263,7 @@ static void dwcmshc_rk3568_set_clock(str
DLL_STRBIN_DELAY_NUM_SEL |
DLL_STRBIN_DELAY_NUM_DEFAULT << DLL_STRBIN_DELAY_NUM_OFFSET;
sdhci_writel(host, extra, DWCMSHC_EMMC_DLL_STRBIN);
- return;
+ goto enable_clk;
}
/* Reset DLL */
@@ -287,7 +290,7 @@ static void dwcmshc_rk3568_set_clock(str
500 * USEC_PER_MSEC);
if (err) {
dev_err(mmc_dev(host->mmc), "DLL lock timeout!\n");
- return;
+ goto enable_clk;
}
extra = 0x1 << 16 | /* tune clock stop en */
@@ -320,6 +323,16 @@ static void dwcmshc_rk3568_set_clock(str
DLL_STRBIN_TAPNUM_DEFAULT |
DLL_STRBIN_TAPNUM_FROM_SW;
sdhci_writel(host, extra, DWCMSHC_EMMC_DLL_STRBIN);
+
+enable_clk:
+ /*
+ * The sdclk frequency select bits in SDHCI_CLOCK_CONTROL are not functional
+ * on Rockchip's SDHCI implementation. Instead, the clock frequency is fully
+ * controlled via external clk provider by calling clk_set_rate(). Consequently,
+ * passing 0 to sdhci_enable_clk() only re-enables the already-configured clock,
+ * which matches the hardware's actual behavior.
+ */
+ sdhci_enable_clk(host, 0);
}
static void rk35xx_sdhci_reset(struct sdhci_host *host, u8 mask)
* [PATCH 6.1 229/969] tpm: tpm_tis: add error logging for data transfer
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (227 preceding siblings ...)
2026-05-30 15:55 ` [PATCH 6.1 228/969] mmc: sdhci-of-dwcmshc: Disable clock before DLL configuration Greg Kroah-Hartman
@ 2026-05-30 15:55 ` Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 230/969] rtc: ntxec: fix OF node reference imbalance Greg Kroah-Hartman
` (746 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jacqueline Wong, Jordan Hand,
Jarkko Sakkinen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jacqueline Wong <jacqwong@google.com>
commit 0471921e2d1043dcc6de5cffb49dd37709521abe upstream.
Add logging to more easily determine reason for transmit failure
Cc: stable@vger.kernel.org # v6.6+
Fixes: 280db21e153d8 ("tpm_tis: Resend command to recover from data transfer errors")
Signed-off-by: Jacqueline Wong <jacqwong@google.com>
Signed-off-by: Jordan Hand <jhand@google.com>
Link: https://lore.kernel.org/r/20260415160006.2275325-2-jacqwong@google.com
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/tpm/tpm_tis_core.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/char/tpm/tpm_tis_core.c
+++ b/drivers/char/tpm/tpm_tis_core.c
@@ -441,6 +441,8 @@ static int tpm_tis_send_data(struct tpm_
status = tpm_tis_status(chip);
if (!itpm && (status & TPM_STS_DATA_EXPECT) == 0) {
rc = -EIO;
+ dev_err(&chip->dev, "TPM_STS_DATA_EXPECT should be set. sts = 0x%08x\n",
+ status);
goto out_err;
}
}
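Review bot: the new dev_err() prints status with 0x%08x, while the line above only tests it against the single flag TPM_STS_DATA_EXPECT; if status holds the 8-bit status register, 0x%02x would avoid six padding zeros in every message. The Fixes: tag refers to a change that resends the command after data transfer errors, so consider dev_err_ratelimited() here and in the second hunk to keep a persistently failing device from flooding the log.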
@@ -461,6 +463,8 @@ static int tpm_tis_send_data(struct tpm_
status = tpm_tis_status(chip);
if (!itpm && (status & TPM_STS_DATA_EXPECT) != 0) {
rc = -EIO;
+ dev_err(&chip->dev, "TPM_STS_DATA_EXPECT should be unset. sts = 0x%08x\n",
+ status);
goto out_err;
}
* [PATCH 6.1 230/969] rtc: ntxec: fix OF node reference imbalance
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (228 preceding siblings ...)
2026-05-30 15:55 ` [PATCH 6.1 229/969] tpm: tpm_tis: add error logging for data transfer Greg Kroah-Hartman
@ 2026-05-30 15:55 ` Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 231/969] userfaultfd: allow registration of ranges below mmap_min_addr Greg Kroah-Hartman
` (745 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonathan Neuschäfer,
Johan Hovold, Alexandre Belloni
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 30c4d2f26bb3538c328035cea2e6265c8320539e upstream.
The driver reuses the OF node of the parent multi-function device but
fails to take another reference to balance the one dropped by the
platform bus code when unbinding the MFD and deregistering the child
devices.
Fix this by using the intended helper for reusing OF nodes.
Fixes: 435af89786c6 ("rtc: New driver for RTC in Netronix embedded controller")
Cc: stable@vger.kernel.org # 5.13
Cc: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260407122717.2676774-1-johan@kernel.org
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/rtc/rtc-ntxec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/rtc/rtc-ntxec.c
+++ b/drivers/rtc/rtc-ntxec.c
@@ -110,7 +110,7 @@ static int ntxec_rtc_probe(struct platfo
struct rtc_device *dev;
struct ntxec_rtc *rtc;
- pdev->dev.of_node = pdev->dev.parent->of_node;
+ device_set_of_node_from_dev(&pdev->dev, pdev->dev.parent);
rtc = devm_kzalloc(&pdev->dev, sizeof(*rtc), GFP_KERNEL);
if (!rtc)
* [PATCH 6.1 231/969] userfaultfd: allow registration of ranges below mmap_min_addr
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (229 preceding siblings ...)
2026-05-30 15:55 ` [PATCH 6.1 230/969] rtc: ntxec: fix OF node reference imbalance Greg Kroah-Hartman
@ 2026-05-30 15:55 ` Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 232/969] KVM: nSVM: Mark all of vmcb02 dirty when restoring nested state Greg Kroah-Hartman
` (744 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Denis M. Karpov, Lorenzo Stoakes,
Harry Yoo (Oracle), Pedro Falcato, Liam R. Howlett,
Mike Rapoport (Microsoft), Alexander Viro, Christian Brauner,
Jan Kara, Jann Horn, Peter Xu, Andrew Morton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Denis M. Karpov <komlomal@gmail.com>
commit 161ce69c2c89781784b945d8e281ff2da9dede9c upstream.
The current implementation of validate_range() in fs/userfaultfd.c
performs a hard check against mmap_min_addr. This is redundant because
UFFDIO_REGISTER operates on memory ranges that must already be backed by a
VMA.
Enforcing mmap_min_addr or capability checks again in userfaultfd is
unnecessary and prevents applications like binary compilers from using
UFFD for valid memory regions mapped by the application.
Remove the redundant check for mmap_min_addr.
We started using UFFD instead of the classic mprotect approach in the
binary translator to track application writes. During development, we
encountered this bug. The translator cannot control where the translated
application chooses to map its memory and if the app requires a
low-address area, UFFD fails, whereas mprotect would work just fine. I
believe this is a genuine logic bug rather than an improvement, and I
would appreciate including the fix in stable.
Link: https://lore.kernel.org/20260409103345.15044-1-komlomal@gmail.com
Fixes: 86039bd3b4e6 ("userfaultfd: add new syscall to provide memory externalization")
Signed-off-by: Denis M. Karpov <komlomal@gmail.com>
Reviewed-by: Lorenzo Stoakes <ljs@kernel.org>
Acked-by: Harry Yoo (Oracle) <harry@kernel.org>
Reviewed-by: Pedro Falcato <pfalcato@suse.de>
Reviewed-by: Liam R. Howlett <Liam.Howlett@oracle.com>
Reviewed-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Jan Kara <jack@suse.cz>
Cc: Jann Horn <jannh@google.com>
Cc: Peter Xu <peterx@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/userfaultfd.c | 2 --
1 file changed, 2 deletions(-)
--- a/fs/userfaultfd.c
+++ b/fs/userfaultfd.c
@@ -1271,8 +1271,6 @@ static __always_inline int validate_rang
return -EINVAL;
if (!len)
return -EINVAL;
- if (start < mmap_min_addr)
- return -EINVAL;
if (start >= task_size)
return -EINVAL;
if (len > task_size - start)
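Review bot: with the start < mmap_min_addr test removed, the checks left in this part of validate_range() are the zero-length test and the task_size bounds, so the low-address restriction now rests entirely on the commit message's argument that the range must already be backed by a VMA. That argument is made for UFFDIO_REGISTER; if other ioctls share this helper, please confirm each of them also acts only on existing mappings. A short comment where the check used to be, saying that mmap_min_addr is enforced when the mapping is created, would keep the test from being reintroduced later.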
* [PATCH 6.1 232/969] KVM: nSVM: Mark all of vmcb02 dirty when restoring nested state
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (230 preceding siblings ...)
2026-05-30 15:55 ` [PATCH 6.1 231/969] userfaultfd: allow registration of ranges below mmap_min_addr Greg Kroah-Hartman
@ 2026-05-30 15:55 ` Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 233/969] KVM: nSVM: Sync NextRIP to cached vmcb12 after VMRUN of L2 Greg Kroah-Hartman
` (743 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yosry Ahmed, Sean Christopherson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yosry Ahmed <yosry.ahmed@linux.dev>
commit e63fb1379f4b9300a44739964e69549bebbcdca4 upstream.
When restoring a vCPU in guest mode, any state restored before
KVM_SET_NESTED_STATE (e.g. KVM_SET_SREGS) will mark the corresponding
dirty bits in vmcb01, as it is the active VMCB before switching to
vmcb02 in svm_set_nested_state().
Hence, mark all fields in vmcb02 dirty in svm_set_nested_state() to
capture any previously restored fields.
Fixes: cc440cdad5b7 ("KVM: nSVM: implement KVM_GET_NESTED_STATE and KVM_SET_NESTED_STATE")
CC: stable@vger.kernel.org
Signed-off-by: Yosry Ahmed <yosry.ahmed@linux.dev>
Link: https://patch.msgid.link/20260210010806.3204289-1-yosry.ahmed@linux.dev
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/nested.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -1661,6 +1661,12 @@ static int svm_set_nested_state(struct k
nested_vmcb02_prepare_control(svm, svm->vmcb->save.rip, svm->vmcb->save.cs.base);
/*
+ * Any previously restored state (e.g. KVM_SET_SREGS) would mark fields
+ * dirty in vmcb01 instead of vmcb02, so mark all of vmcb02 dirty here.
+ */
+ vmcb_mark_all_dirty(svm->vmcb);
+
+ /*
* While the nested guest CR3 is already checked and set by
* KVM_SET_SREGS, it was set when nested state was yet loaded,
* thus MMU might not be initialized correctly.
* [PATCH 6.1 233/969] KVM: nSVM: Sync NextRIP to cached vmcb12 after VMRUN of L2
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (231 preceding siblings ...)
2026-05-30 15:55 ` [PATCH 6.1 232/969] KVM: nSVM: Mark all of vmcb02 dirty when restoring nested state Greg Kroah-Hartman
@ 2026-05-30 15:55 ` Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 234/969] KVM: nSVM: Sync interrupt shadow " Greg Kroah-Hartman
` (742 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yosry Ahmed, Sean Christopherson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yosry Ahmed <yosry@kernel.org>
commit 778d8c1b2a6ffe622ddcd3bb35b620e6e41f4da0 upstream.
After VMRUN in guest mode, nested_sync_control_from_vmcb02() syncs
fields written by the CPU from vmcb02 to the cached vmcb12. This is
because the cached vmcb12 is used as the authoritative copy of some of
the controls, and is the payload when saving/restoring nested state.
NextRIP is also written by the CPU (in some cases) after VMRUN, but is
not sync'd to the cached vmcb12. As a result, it is corrupted after
save/restore (replaced by the original value written by L1 on nested
VMRUN). This could cause problems for both KVM (e.g. when injecting a
soft IRQ) or L1 (e.g. when using NextRIP to advance RIP after emulating
an instruction).
Fix this by sync'ing NextRIP to the cache after VMRUN of L2, but only
after completing interrupts (not in nested_sync_control_from_vmcb02()),
as KVM may update NextRIP (e.g. when re-injecting a soft IRQ).
Fixes: cc440cdad5b7 ("KVM: nSVM: implement KVM_GET_NESTED_STATE and KVM_SET_NESTED_STATE")
CC: stable@vger.kernel.org
Co-developed-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Yosry Ahmed <yosry@kernel.org>
Link: https://patch.msgid.link/20260225005950.3739782-2-yosry@kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/svm.c | 10 ++++++++++
1 file changed, 10 insertions(+)
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -4146,6 +4146,16 @@ static __no_kcsan fastpath_t svm_vcpu_ru
svm_complete_interrupts(vcpu);
+ /*
+ * Update the cache after completing interrupts to get an accurate
+ * NextRIP, e.g. when re-injecting a soft interrupt.
+ *
+ * FIXME: Rework svm_get_nested_state() to not pull data from the
+ * cache (except for maybe int_ctl).
+ */
+ if (is_guest_mode(vcpu))
+ svm->nested.ctl.next_rip = svm->vmcb->control.next_rip;
+
return svm_exit_handlers_fastpath(vcpu);
}
* [PATCH 6.1 234/969] KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (232 preceding siblings ...)
2026-05-30 15:55 ` [PATCH 6.1 233/969] KVM: nSVM: Sync NextRIP to cached vmcb12 after VMRUN of L2 Greg Kroah-Hartman
@ 2026-05-30 15:55 ` Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 235/969] KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0 Greg Kroah-Hartman
` (741 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yosry Ahmed, Sean Christopherson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yosry Ahmed <yosry@kernel.org>
commit 03bee264f8ebfd39e0254c98e112d033a7aa9055 upstream.
After VMRUN in guest mode, nested_sync_control_from_vmcb02() syncs
fields written by the CPU from vmcb02 to the cached vmcb12. This is
because the cached vmcb12 is used as the authoritative copy of some of
the controls, and is the payload when saving/restoring nested state.
int_state is also written by the CPU, specifically bit 0 (i.e.
SVM_INTERRUPT_SHADOW_MASK) for nested VMs, but it is not sync'd to
cached vmcb12. This does not cause a problem if KVM_SET_NESTED_STATE
precedes KVM_SET_VCPU_EVENTS in the restore path, as an interrupt shadow
would be correctly restored to vmcb02 (KVM_SET_VCPU_EVENTS overwrites
what KVM_SET_NESTED_STATE restored in int_state).
However, if KVM_SET_VCPU_EVENTS precedes KVM_SET_NESTED_STATE, an
interrupt shadow would be restored into vmcb01 instead of vmcb02. This
would mostly be benign for L1 (delays an interrupt), but not for L2. For
L2, the vCPU could hang (e.g. if a wakeup interrupt is delivered before
a HLT that should have been in an interrupt shadow).
Sync int_state to the cached vmcb12 in nested_sync_control_from_vmcb02()
to avoid this problem. With that, KVM_SET_NESTED_STATE restores the
correct interrupt shadow state, and if KVM_SET_VCPU_EVENTS follows it
would overwrite it with the same value.
Fixes: cc440cdad5b7 ("KVM: nSVM: implement KVM_GET_NESTED_STATE and KVM_SET_NESTED_STATE")
CC: stable@vger.kernel.org
Signed-off-by: Yosry Ahmed <yosry@kernel.org>
Link: https://patch.msgid.link/20260225005950.3739782-3-yosry@kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/nested.c | 1 +
1 file changed, 1 insertion(+)
--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -400,6 +400,7 @@ void nested_sync_control_from_vmcb02(str
u32 mask;
svm->nested.ctl.event_inj = svm->vmcb->control.event_inj;
svm->nested.ctl.event_inj_err = svm->vmcb->control.event_inj_err;
+ svm->nested.ctl.int_state = svm->vmcb->control.int_state;
/* Only a few fields of int_ctl are written by the processor. */
mask = V_IRQ_MASK | V_TPR_MASK;
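Review bot: the added line copies all of control.int_state into the cache, while the commit message says the CPU writes only bit 0 (SVM_INTERRUPT_SHADOW_MASK) and the int_ctl handling just below restricts its copy to V_IRQ_MASK | V_TPR_MASK. Either mask int_state the same way or add a comment explaining why syncing the whole field is safe.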
* [PATCH 6.1 235/969] KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (233 preceding siblings ...)
2026-05-30 15:55 ` [PATCH 6.1 234/969] KVM: nSVM: Sync interrupt shadow " Greg Kroah-Hartman
@ 2026-05-30 15:55 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 236/969] KVM: SVM: Explicitly mark vmcb01 dirty after modifying VMCB intercepts Greg Kroah-Hartman
` (740 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kevin Cheng, Yosry Ahmed,
Sean Christopherson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kevin Cheng <chengkev@google.com>
commit d99df02ff427f461102230f9c5b90a6c64ee8e23 upstream.
INVLPGA should cause a #UD when EFER.SVME is not set. Add a check to
properly inject #UD when EFER.SVME=0.
Fixes: ff092385e828 ("KVM: SVM: Implement INVLPGA")
Cc: stable@vger.kernel.org
Signed-off-by: Kevin Cheng <chengkev@google.com>
Reviewed-by: Yosry Ahmed <yosry.ahmed@linux.dev>
Link: https://patch.msgid.link/20260228033328.2285047-3-chengkev@google.com
[sean: tag for stable@]
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/svm.c | 3 +++
1 file changed, 3 insertions(+)
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -2399,6 +2399,9 @@ static int invlpga_interception(struct k
gva_t gva = kvm_rax_read(vcpu);
u32 asid = kvm_rcx_read(vcpu);
+ if (nested_svm_check_permissions(vcpu))
+ return 1;
+
/* FIXME: Handle an address size prefix. */
if (!is_long_mode(vcpu))
gva = (u32)gva;
* [PATCH 6.1 236/969] KVM: SVM: Explicitly mark vmcb01 dirty after modifying VMCB intercepts
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (234 preceding siblings ...)
2026-05-30 15:55 ` [PATCH 6.1 235/969] KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0 Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 237/969] KVM: nSVM: Ensure AVIC is inhibited when restoring a vCPU to guest mode Greg Kroah-Hartman
` (739 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yosry Ahmed, Sean Christopherson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit d5bde6113aed8315a2bfe708730b721be9c2f48b upstream.
When reacting to an intercept update, explicitly mark vmcb01's intercepts
dirty, as KVM always initially operates on vmcb01, and nested_svm_vmexit()
isn't guaranteed to mark VMCB_INTERCEPTS as dirty. I.e. if L2 is active,
KVM will modify the intercepts for L1, but might not mark them as dirty
before the next VMRUN of L1.
Fixes: 116a0a23676e ("KVM: SVM: Add clean-bit for intercetps, tsc-offset and pause filter count")
Cc: stable@vger.kernel.org
Reviewed-by: Yosry Ahmed <yosry.ahmed@linux.dev>
Link: https://patch.msgid.link/20260218230958.2877682-2-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/nested.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -128,11 +128,13 @@ void recalc_intercepts(struct vcpu_svm *
struct vmcb_ctrl_area_cached *g;
unsigned int i;
- vmcb_mark_dirty(svm->vmcb, VMCB_INTERCEPTS);
+ vmcb_mark_dirty(svm->vmcb01.ptr, VMCB_INTERCEPTS);
if (!is_guest_mode(&svm->vcpu))
return;
+ vmcb_mark_dirty(svm->vmcb, VMCB_INTERCEPTS);
+
c = &svm->vmcb->control;
h = &svm->vmcb01.ptr->control;
g = &svm->nested.ctl;
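Review bot: recalc_intercepts() now marks VMCB_INTERCEPTS dirty on svm->vmcb01.ptr unconditionally and on svm->vmcb only in guest mode, but nothing in the function says why two marks are needed. The explanation in the commit message (KVM modifies L1's intercepts while L2 is active, and nested_svm_vmexit() is not guaranteed to mark them dirty) belongs in a comment above the first vmcb_mark_dirty() call.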
* [PATCH 6.1 237/969] KVM: nSVM: Ensure AVIC is inhibited when restoring a vCPU to guest mode
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (235 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 236/969] KVM: SVM: Explicitly mark vmcb01 dirty after modifying VMCB intercepts Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 238/969] KVM: nSVM: Use vcpu->arch.cr2 when updating vmcb12 on nested #VMEXIT Greg Kroah-Hartman
` (738 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yosry Ahmed, Sean Christopherson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yosry Ahmed <yosry@kernel.org>
commit 24f7d36b824b65cf1a2db3db478059187b2a37b0 upstream.
On nested VMRUN, KVM ensures AVIC is inhibited by requesting
KVM_REQ_APICV_UPDATE, triggering a check of inhibit reasons, finding
APICV_INHIBIT_REASON_NESTED, and disabling AVIC.
However, when KVM_SET_NESTED_STATE is performed on a vCPU not in guest
mode with AVIC enabled, KVM_REQ_APICV_UPDATE is not requested, and AVIC
is not inhibited.
Request KVM_REQ_APICV_UPDATE in the KVM_SET_NESTED_STATE path if AVIC is
active, similar to the nested VMRUN path.
Fixes: f44509f849fe ("KVM: x86: SVM: allow AVIC to co-exist with a nested guest running")
Cc: stable@vger.kernel.org
Signed-off-by: Yosry Ahmed <yosry@kernel.org>
Link: https://patch.msgid.link/20260224225017.3303870-1-yosry@kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/nested.c | 3 +++
1 file changed, 3 insertions(+)
--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -1682,6 +1682,9 @@ static int svm_set_nested_state(struct k
svm->nested.force_msr_bitmap_recalc = true;
+ if (kvm_vcpu_apicv_active(vcpu))
+ kvm_make_request(KVM_REQ_APICV_UPDATE, vcpu);
+
kvm_make_request(KVM_REQ_GET_NESTED_STATE_PAGES, vcpu);
ret = 0;
out_free:
* [PATCH 6.1 238/969] KVM: nSVM: Use vcpu->arch.cr2 when updating vmcb12 on nested #VMEXIT
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (236 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 237/969] KVM: nSVM: Ensure AVIC is inhibited when restoring a vCPU to guest mode Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 239/969] KVM: nSVM: Always inject a #GP if mapping VMCB12 fails on nested VMRUN Greg Kroah-Hartman
` (737 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yosry Ahmed, Sean Christopherson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yosry Ahmed <yosry.ahmed@linux.dev>
commit 5c247d08bc81bbad4c662dcf5654137a2f8483ec upstream.
KVM currently uses the value of CR2 from vmcb02 to update vmcb12 on
nested #VMEXIT. This value is incorrect in some cases, causing L1 to run
L2 with a corrupted CR2. This could lead to segfaults or data corruption
if L2 is in the middle of handling a #PF and reads a corrupted CR2. Use
the correct value in vcpu->arch.cr2 instead.
The value in vcpu->arch.cr2 is sync'd to vmcb02 shortly before a VMRUN
of L2, and sync'd back to vcpu->arch.cr2 shortly after. The values are
only out-of-sync in two cases: after save+restore, and after a #PF is
injected into L2. In either case, if a #VMEXIT to L1 is synthesized
before L2 runs, using the value in vmcb02 would be incorrect.
After save+restore, the value of CR2 is restored by KVM_SET_SREGS into
vcpu->arch.cr2. It is not reflected in vmcb02 until a VMRUN of L2. Before
that, it holds whatever was in vmcb02 before restore, which would be
zero on a new vCPU that never ran nested. If a #VMEXIT to L1 is
synthesized before L2 ever runs, using vcpu->arch.cr2 to update vmcb12
is the right thing to do.
The #PF injection case is more nuanced. Although the APM is a bit
unclear about when CR2 is written during a #PF, the SDM is more clear:
Processors update CR2 whenever a page fault is detected. If a
second page fault occurs while an earlier page fault is being
delivered, the faulting linear address of the second fault will
overwrite the contents of CR2 (replacing the previous address).
These updates to CR2 occur even if the page fault results in a
double fault or occurs during the delivery of a double fault.
KVM injecting the exception surely counts as the #PF being "detected".
More importantly, when an exception is injected into L2 at the time of a
synthesized #VMEXIT, KVM updates exit_int_info in vmcb12 accordingly,
such that an L1 hypervisor can re-inject the exception. If CR2 is not
written at that point, the L1 hypervisor has no way of correctly
re-injecting the #PF. Hence, if a #VMEXIT to L1 is synthesized after
the #PF is injected into L2 but before it actually runs, using
vcpu->arch.cr2 to update vmcb12 is also the right thing to do.
Note that KVM does _not_ update vcpu->arch.cr2 when a #PF is pending for
L2, only when it is injected. The distinction is important, because only
injected (but not intercepted) exceptions are propagated to L1 through
exit_int_info. It would be incorrect to update CR2 in vmcb12 for a
pending #PF, as L1 would perceive an updated CR2 value with no #PF.
Cc: stable@vger.kernel.org
Signed-off-by: Yosry Ahmed <yosry.ahmed@linux.dev>
Link: https://patch.msgid.link/20260203201010.1871056-1-yosry.ahmed@linux.dev
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/nested.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -958,7 +958,7 @@ int nested_svm_vmexit(struct vcpu_svm *s
vmcb12->save.efer = svm->vcpu.arch.efer;
vmcb12->save.cr0 = kvm_read_cr0(vcpu);
vmcb12->save.cr3 = kvm_read_cr3(vcpu);
- vmcb12->save.cr2 = vmcb02->save.cr2;
+ vmcb12->save.cr2 = vcpu->arch.cr2;
vmcb12->save.cr4 = svm->vcpu.arch.cr4;
vmcb12->save.rflags = kvm_get_rflags(vcpu);
vmcb12->save.rip = kvm_rip_read(vcpu);
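Review bot: the new `vmcb12->save.cr2 = vcpu->arch.cr2;` line carries no comment, and the reason it must not be read from vmcb02 (a #PF injected into L2 that has not run yet is reflected only in vcpu->arch.cr2) is stated only in the changelog. A one-line comment above the assignment would keep a later cleanup from restoring the vmcb02 read.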
* [PATCH 6.1 239/969] KVM: nSVM: Always inject a #GP if mapping VMCB12 fails on nested VMRUN
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yosry Ahmed, Sean Christopherson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yosry Ahmed <yosry@kernel.org>
commit 01ddcdc55e097ca38c28ae656711b8e6d1df71f8 upstream.
nested_svm_vmrun() currently only injects a #GP if kvm_vcpu_map() fails
with -EINVAL. But it could also fail with -EFAULT if creating a host
mapping failed. Inject a #GP in all cases, no reason to treat failure
modes differently.
Fixes: 8c5fbf1a7231 ("KVM/nSVM: Use the new mapping API for mapping guest memory")
CC: stable@vger.kernel.org
Co-developed-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Yosry Ahmed <yosry@kernel.org>
Link: https://patch.msgid.link/20260303003421.2185681-6-yosry@kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/nested.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -816,12 +816,9 @@ int nested_svm_vmrun(struct kvm_vcpu *vc
}
vmcb12_gpa = svm->vmcb->save.rax;
- ret = kvm_vcpu_map(vcpu, gpa_to_gfn(vmcb12_gpa), &map);
- if (ret == -EINVAL) {
+ if (kvm_vcpu_map(vcpu, gpa_to_gfn(vmcb12_gpa), &map)) {
kvm_inject_gp(vcpu, 0);
return 1;
- } else if (ret) {
- return kvm_skip_emulated_instruction(vcpu);
}
ret = kvm_skip_emulated_instruction(vcpu);
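Review bot: at the `if (kvm_vcpu_map(...))` test the errno is now dropped, so the -EFAULT case changes from skipping VMRUN to injecting #GP, and nothing at the call site records that this is deliberate. Add a short comment that any failure to map vmcb12 is reported to L1 as #GP(0). `ret` remains in use because it is assigned from kvm_skip_emulated_instruction() right after, so there is no unused-variable fallout.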
* [PATCH 6.1 240/969] KVM: nSVM: Clear GIF on nested #VMEXIT(INVALID)
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yosry Ahmed, Sean Christopherson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yosry Ahmed <yosry@kernel.org>
commit f85a6ce06e4a0d49652f57967a649ab09e06287c upstream.
According to the APM, GIF is set to 0 on any #VMEXIT, including
an #VMEXIT(INVALID) due to failed consistency checks. Clear GIF on
consistency check failures.
Fixes: 3d6368ef580a ("KVM: SVM: Add VMRUN handler")
Cc: stable@vger.kernel.org
Signed-off-by: Yosry Ahmed <yosry@kernel.org>
Link: https://patch.msgid.link/20260303003421.2185681-11-yosry@kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/nested.c | 1 +
1 file changed, 1 insertion(+)
--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -837,6 +837,7 @@ int nested_svm_vmrun(struct kvm_vcpu *vc
vmcb12->control.exit_code_hi = -1u;
vmcb12->control.exit_info_1 = 0;
vmcb12->control.exit_info_2 = 0;
+ svm_set_gif(svm, false);
goto out;
}
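Review bot: `svm_set_gif(svm, false);` before `goto out` is added without a comment, and it is the only line in this failure block that changes vCPU state rather than a vmcb12 exit field. A brief comment that GIF is cleared on every #VMEXIT, including VMEXIT_INVALID from failed consistency checks, would explain why it sits here. Please also confirm that nothing after the `out` label assumes GIF is still set.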
* [PATCH 6.1 241/969] KVM: nSVM: Clear tracking of L1->L2 NMI and soft IRQ on nested #VMEXIT
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yosry Ahmed, Sean Christopherson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yosry Ahmed <yosry@kernel.org>
commit 8998e1d012f3f45d0456f16706682cef04c3c436 upstream.
KVM clears tracking of L1->L2 injected NMIs (i.e. nmi_l1_to_l2) and soft
IRQs (i.e. soft_int_injected) on a synthesized #VMEXIT(INVALID) due to
failed VMRUN. However, they are not explicitly cleared in other
synthesized #VMEXITs.
soft_int_injected is always cleared after the first VMRUN of L2 when
completing interrupts, as any re-injection is then tracked by KVM
(instead of purely in vmcb02).
nmi_l1_to_l2 is not cleared after the first VMRUN if NMI injection
failed, as KVM still needs to keep track that the NMI originated from L1
to avoid blocking NMIs for L1. It is only cleared when the NMI injection
succeeds.
KVM could synthesize a #VMEXIT to L1 before successfully injecting the
NMI into L2 (e.g. due to a #NPF on L2's NMI handler in L1's NPTs). In
this case, nmi_l1_to_l2 will remain true, and KVM may not correctly mask
NMIs and intercept IRET when injecting an NMI into L1.
Clear both nmi_l1_to_l2 and soft_int_injected in nested_svm_vmexit(), i.e.
for all #VMEXITs except those that occur due to failed consistency checks,
as those happen before nmi_l1_to_l2 or soft_int_injected are set.
Fixes: 159fc6fa3b7d ("KVM: nSVM: Transparently handle L1 -> L2 NMI re-injection")
Cc: stable@vger.kernel.org
Signed-off-by: Yosry Ahmed <yosry@kernel.org>
Link: https://patch.msgid.link/20260303003421.2185681-13-yosry@kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/nested.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -864,8 +864,6 @@ int nested_svm_vmrun(struct kvm_vcpu *vc
out_exit_err:
svm->nested.nested_run_pending = 0;
- svm->nmi_l1_to_l2 = false;
- svm->soft_int_injected = false;
svm->vmcb->control.exit_code = SVM_EXIT_ERR;
svm->vmcb->control.exit_code_hi = -1u;
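Review bot: removing the two clears from `out_exit_err` is safe only if this path still reaches the code that now clears `nmi_l1_to_l2` and `soft_int_injected`, and the hunk does not show that call. The changelog says the new clears cover every #VMEXIT except failed consistency checks, so please confirm that out_exit_err ends up in nested_svm_vmexit() in 6.1.y; otherwise a failed VMRUN can leave stale flags behind.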
@@ -1131,6 +1129,10 @@ void svm_free_nested(struct vcpu_svm *sv
__free_page(virt_to_page(svm->nested.vmcb02.ptr));
svm->nested.vmcb02.ptr = NULL;
+ /* Drop tracking for L1->L2 injected NMIs and soft IRQs */
+ svm->nmi_l1_to_l2 = false;
+ svm->soft_int_injected = false;
+
/*
* When last_vmcb12_gpa matches the current vmcb12 gpa,
* some vmcb12 fields are not loaded if they are marked clean
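Review bot: the added clears appear to have landed in the wrong function. The changelog says they belong in nested_svm_vmexit(), but the hunk header names svm_free_nested() and the surrounding context frees vmcb02 (`__free_page(virt_to_page(svm->nested.vmcb02.ptr));`) and is followed by the last_vmcb12_gpa comment, which is teardown code rather than the #VMEXIT path. If that is where the backport applied, the flags are no longer cleared on any synthesized #VMEXIT, because the first hunk removed the only other clears. The hunk should be re-applied against nested_svm_vmexit() in 6.1.y.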
* [PATCH 6.1 242/969] KVM: nSVM: Add missing consistency check for EFER, CR0, CR4, and CS
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yosry Ahmed, Sean Christopherson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yosry Ahmed <yosry@kernel.org>
commit 96bd3e76a171a8e21a6387e54e4c420a81968492 upstream.
According to the APM Volume #2, 15.5, Canonicalization and Consistency
Checks (24593—Rev. 3.42—March 2024), the following condition (among
others) results in a #VMEXIT with VMEXIT_INVALID (aka SVM_EXIT_ERR):
EFER.LME, CR0.PG, CR4.PAE, CS.L, and CS.D are all non-zero.
In the list of consistency checks done when EFER.LME and CR0.PG are set,
add a check that CS.L and CS.D are not both set, after the existing
check that CR4.PAE is set.
This is functionally a nop because the nested VMRUN results in
SVM_EXIT_ERR in HW, which is forwarded to L1, but KVM makes all
consistency checks before a VMRUN is actually attempted.
Fixes: 3d6368ef580a ("KVM: SVM: Add VMRUN handler")
Cc: stable@vger.kernel.org
Signed-off-by: Yosry Ahmed <yosry@kernel.org>
Link: https://patch.msgid.link/20260303003421.2185681-17-yosry@kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/nested.c | 6 ++++++
arch/x86/kvm/svm/svm.h | 1 +
2 files changed, 7 insertions(+)
--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -292,6 +292,10 @@ static bool __nested_vmcb_check_save(str
CC(!(save->cr0 & X86_CR0_PE)) ||
CC(kvm_vcpu_is_illegal_gpa(vcpu, save->cr3)))
return false;
+
+ if (CC((save->cs.attrib & SVM_SELECTOR_L_MASK) &&
+ (save->cs.attrib & SVM_SELECTOR_DB_MASK)))
+ return false;
}
/* Note, SVM doesn't have any additional restrictions on CR4. */
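Review bot: the added `CC(... SVM_SELECTOR_L_MASK ... SVM_SELECTOR_DB_MASK)` test has no comment tying it to the APM rule it implements. A one-line comment naming the illegal combination (EFER.LME, CR0.PG and CR4.PAE set with CS.L and CS.D both set) would make clear why it lives inside this block and not with the unconditional checks.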
@@ -378,6 +382,8 @@ static void __nested_copy_vmcb_save_to_c
* Copy only fields that are validated, as we need them
* to avoid TOC/TOU races.
*/
+ to->cs = from->cs;
+
to->efer = from->efer;
to->cr0 = from->cr0;
to->cr3 = from->cr3;
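Review bot: `to->cs = from->cs;` copies the whole vmcb_seg, but the comment directly above says to copy only fields that are validated, and the only CS field the new check reads is `attrib`. Either cache just the attribute word or adjust the comment, so the cached selector, limit and base are not mistaken for validated values later.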
--- a/arch/x86/kvm/svm/svm.h
+++ b/arch/x86/kvm/svm/svm.h
@@ -118,6 +118,7 @@ struct kvm_vmcb_info {
};
struct vmcb_save_area_cached {
+ struct vmcb_seg cs;
u64 efer;
u64 cr4;
u64 cr3;
* [PATCH 6.1 243/969] KVM: nSVM: Add missing consistency check for nCR3 validity
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yosry Ahmed, Sean Christopherson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yosry Ahmed <yosry@kernel.org>
commit b71138fcc362c67ebe66747bb22cb4e6b4d6a651 upstream.
From the APM Volume #2, 15.25.4 (24593—Rev. 3.42—March 2024):
When VMRUN is executed with nested paging enabled (NP_ENABLE = 1), the
following conditions are considered illegal state combinations, in
addition to those mentioned in “Canonicalization and Consistency Checks”:
• Any MBZ bit of nCR3 is set.
• Any G_PAT.PA field has an unsupported type encoding or any
reserved field in G_PAT has a nonzero value.
Add the consistency check for nCR3 being a legal GPA with no MBZ bits
set. Note, the G_PAT.PA check is being handled separately[*].
Link: https://lore.kernel.org/kvm/20260205214326.1029278-3-jmattson@google.com [*]
Fixes: 4b16184c1cca ("KVM: SVM: Initialize Nested Nested MMU context on VMRUN")
Cc: stable@vger.kernel.org
Signed-off-by: Yosry Ahmed <yosry@kernel.org>
Link: https://patch.msgid.link/20260303003421.2185681-16-yosry@kernel.org
[sean: capture everything in CC(), massage changelog formatting]
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/nested.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -257,6 +257,10 @@ static bool __nested_vmcb_check_controls
if (CC((control->nested_ctl & SVM_NESTED_CTL_NP_ENABLE) && !npt_enabled))
return false;
+ if (CC((control->nested_ctl & SVM_NESTED_CTL_NP_ENABLE) &&
+ !kvm_vcpu_is_legal_gpa(vcpu, control->nested_cr3)))
+ return false;
+
if (CC(!nested_svm_check_bitmap_pa(vcpu, control->msrpm_base_pa,
MSRPM_SIZE)))
return false;
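Review bot: the changelog promises a check that no MBZ bit of nCR3 is set, but the hunk only tests `kvm_vcpu_is_legal_gpa(vcpu, control->nested_cr3)`, and it is not visible here whether that helper rejects reserved low bits or only addresses beyond the guest's physical address width. Please state in a comment which MBZ bits this covers. The NP_ENABLE test also repeats the one in the CC() just above; that is fine for per-condition tracing, but worth a word so the two are not merged later.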
* [PATCH 6.1 244/969] mtd: docg3: Convert to platform remove callback returning void
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König, Miquel Raynal,
Tudor Ambarus, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
[ Upstream commit eb0cec77d534413a800ec20944a2b1e37cfecdcf ]
The .remove() callback for a platform driver returns an int which makes
many driver authors wrongly assume it's possible to do error handling by
returning an error code. However the value returned is ignored (apart
from emitting a warning) and this typically results in resource leaks.
To improve here there is a quest to make the remove callback return
void. In the first step of this quest all drivers are converted to
.remove_new(), which already returns void. Eventually after all drivers
are converted, .remove_new() will be renamed to .remove().
Trivially convert this driver from always returning zero in the remove
callback to the void returning variant.
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Acked-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Link: https://lore.kernel.org/linux-mtd/20231008200143.196369-5-u.kleine-koenig@pengutronix.de
Stable-dep-of: ca19808bc6fa ("mtd: docg3: fix use-after-free in docg3_release()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/devices/docg3.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/mtd/devices/docg3.c b/drivers/mtd/devices/docg3.c
index a7714e3de887f..8cb25cfd9c10a 100644
--- a/drivers/mtd/devices/docg3.c
+++ b/drivers/mtd/devices/docg3.c
@@ -2046,7 +2046,7 @@ static int __init docg3_probe(struct platform_device *pdev)
*
* Returns 0
*/
-static int docg3_release(struct platform_device *pdev)
+static void docg3_release(struct platform_device *pdev)
{
struct docg3_cascade *cascade = platform_get_drvdata(pdev);
struct docg3 *docg3 = cascade->floors[0]->priv;
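Review bot: the kernel-doc context line `* Returns 0` above docg3_release() is stale once the function returns void. Drop that line from the comment in the same patch.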
@@ -2058,7 +2058,6 @@ static int docg3_release(struct platform_device *pdev)
doc_release_device(cascade->floors[floor]);
bch_free(docg3->cascade->bch);
- return 0;
}
#ifdef CONFIG_OF
@@ -2076,7 +2075,7 @@ static struct platform_driver g3_driver = {
},
.suspend = docg3_suspend,
.resume = docg3_resume,
- .remove = docg3_release,
+ .remove_new = docg3_release,
};
module_platform_driver_probe(g3_driver, docg3_probe);
--
2.53.0
* [PATCH 6.1 245/969] mtd: docg3: fix use-after-free in docg3_release()
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, James Kim, Miquel Raynal,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: James Kim <james010kim@gmail.com>
[ Upstream commit ca19808bc6fac7e29420d8508df569b346b3e339 ]
In docg3_release(), the docg3 pointer is obtained from
cascade->floors[0]->priv before the loop that calls
doc_release_device() on each floor. doc_release_device() frees the
docg3 struct via kfree(docg3) at line 1881. After the loop,
docg3->cascade->bch dereferences the already-freed pointer.
Fix this by accessing cascade->bch directly, which is equivalent
since docg3->cascade points back to the same cascade struct, and
is already available as a local variable. This also removes the
now-unused docg3 local variable.
Fixes: c8ae3f744ddc ("lib/bch: Rework a little bit the exported function names")
Cc: stable@vger.kernel.org
Signed-off-by: James Kim <james010kim@gmail.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/devices/docg3.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/mtd/devices/docg3.c b/drivers/mtd/devices/docg3.c
index 8cb25cfd9c10a..2f82bc7c07931 100644
--- a/drivers/mtd/devices/docg3.c
+++ b/drivers/mtd/devices/docg3.c
@@ -2049,7 +2049,6 @@ static int __init docg3_probe(struct platform_device *pdev)
static void docg3_release(struct platform_device *pdev)
{
struct docg3_cascade *cascade = platform_get_drvdata(pdev);
- struct docg3 *docg3 = cascade->floors[0]->priv;
int floor;
doc_unregister_sysfs(pdev, cascade);
@@ -2057,7 +2056,7 @@ static void docg3_release(struct platform_device *pdev)
if (cascade->floors[floor])
doc_release_device(cascade->floors[floor]);
- bch_free(docg3->cascade->bch);
+ bch_free(cascade->bch);
}
#ifdef CONFIG_OF
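Review bot: `bch_free(cascade->bch);` still runs after the loop has released every floor, so the fix depends on `cascade` itself outliving doc_release_device(), which this hunk does not show. A short comment stating who owns and frees cascade would help. If the floor is freed inside doc_release_device() as well, consider clearing `cascade->floors[floor]` after each release so no stale pointer stays reachable through cascade.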
--
2.53.0
* [PATCH 6.1 246/969] io_uring/poll: fix multishot recv missing EOF on wakeup race
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Francis Brosseau, Jens Axboe,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jens Axboe <axboe@kernel.dk>
[ Upstream commit a68ed2df72131447d131531a08fe4dfcf4fa4653 ]
When a socket send and shutdown() happen back-to-back, both fire
wake-ups before the receiver's task_work has a chance to run. The first
wake gets poll ownership (poll_refs=1), and the second bumps it to 2.
When io_poll_check_events() runs, it calls io_poll_issue() which does a
recv that reads the data and returns IOU_RETRY. The loop then drains all
accumulated refs (atomic_sub_return(2) -> 0) and exits, even though only
the first event was consumed. Since the shutdown is a persistent state
change, no further wakeups will happen, and the multishot recv can hang
forever.
Check specifically for HUP in the poll loop, and ensure that another
loop is done to check for status if more than a single poll activation
is pending. This ensures we don't lose the shutdown event.
Backport notes for linux-6.1.y:
- In 6.1.y the do-while masks v in the while-condition itself, so
v can carry IO_POLL_RETRY_FLAG/IO_POLL_CANCEL_FLAG bits when we
reach the multishot branch. The HUP check therefore compares
`(v & IO_POLL_REF_MASK) != 1` rather than the upstream `v != 1`.
- io_poll_issue takes `bool *locked` here (renamed to `ts` in 6.6+).
- 6.1.y has no IOU_REQUEUE return path; only IOU_STOP_MULTISHOT.
CVE: CVE-2026-23473
Cc: stable@vger.kernel.org # 6.1.y
Fixes: dbc2564cfe0f ("io_uring: let fast poll support multishot")
Reported-by: Francis Brosseau <francis@malagauche.com>
Link: https://github.com/axboe/liburing/issues/1549
Signed-off-by: Jens Axboe <axboe@kernel.dk>
[backport for linux-6.1.y, verified 2026-05-01]
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
io_uring/poll.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/io_uring/poll.c b/io_uring/poll.c
index 367605a5878fe..cdf1f2f57b9a2 100644
--- a/io_uring/poll.c
+++ b/io_uring/poll.c
@@ -303,7 +303,13 @@ static int io_poll_check_events(struct io_kiocb *req, bool *locked)
return IOU_POLL_REMOVE_POLL_USE_RES;
}
} else {
- int ret = io_poll_issue(req, locked);
+ int ret;
+
+ /* multiple refs and HUP, ensure we loop once more */
+ if ((req->cqe.res & (POLLHUP | POLLRDHUP)) &&
+ (v & IO_POLL_REF_MASK) != 1)
+ v--;
+ ret = io_poll_issue(req, locked);
io_kbuf_recycle(req, 0);
if (ret == IOU_STOP_MULTISHOT)
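Review bot: the `(v & IO_POLL_REF_MASK) != 1` condition is also true when the masked count is 0, and `v--` would then borrow from the flag bits that, per the backport notes, v can still carry at this point. If a zero count cannot reach the multishot branch, say so in the comment; otherwise test for a count greater than 1. The comment could also spell out that decrementing v leaves one reference undrained so the loop runs again and observes the HUP.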
--
2.53.0
* [PATCH 6.1 247/969] ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all()
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sohei Koyama, Andreas Dilger,
Ritesh Harjani (IBM), Zhang Yi, Baokun Li, Theodore Tso
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sohei Koyama <skoyama@ddn.com>
commit 77d059519382bd66283e6a4e83ee186e87e7708f upstream.
The commit c8e008b60492 ("ext4: ignore xattrs past end")
introduced a refcount leak when block_csum is false.
ext4_xattr_inode_dec_ref_all() calls ext4_get_inode_loc() to
get iloc.bh, but never releases it with brelse().
Fixes: c8e008b60492 ("ext4: ignore xattrs past end")
Signed-off-by: Sohei Koyama <skoyama@ddn.com>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Cc: stable@vger.kernel.org
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Baokun Li <libaokun@linux.alibaba.com>
Link: https://patch.msgid.link/20260406074830.8480-1-skoyama@ddn.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/xattr.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -1112,7 +1112,7 @@ ext4_xattr_inode_dec_ref_all(handle_t *h
{
struct inode *ea_inode;
struct ext4_xattr_entry *entry;
- struct ext4_iloc iloc;
+ struct ext4_iloc iloc = { .bh = NULL };
bool dirty = false;
unsigned int ea_ino;
int err;
@@ -1207,6 +1207,8 @@ ext4_xattr_inode_dec_ref_all(handle_t *h
ext4_warning_inode(parent,
"handle dirty metadata err=%d", err);
}
+
+ brelse(iloc.bh);
}
/*
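Review bot: the single `brelse(iloc.bh);` at the end of the function only plugs the leak if every path after ext4_get_inode_loc() falls through to it, and the hunk does not show the code between the declaration and this point. Please confirm there is no early return in between, and that iloc.bh is not reassigned on a later iteration without releasing the previous buffer. The `{ .bh = NULL }` initialiser in the first hunk does make the call safe when the buffer was never obtained.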
* [PATCH 6.1 248/969] md/raid5: fix soft lockup in retry_aligned_read()
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, FengWei Shih, Chia-Ming Chang,
Yu Kuai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chia-Ming Chang <chiamingc@synology.com>
commit 7f9f7c697474268d9ef9479df3ddfe7cdcfbbffc upstream.
When retry_aligned_read() encounters an overlapped stripe, it releases
the stripe via raid5_release_stripe() which puts it on the lockless
released_stripes llist. In the next raid5d loop iteration,
release_stripe_list() drains the stripe onto handle_list (since
STRIPE_HANDLE is set by the original IO), but retry_aligned_read()
runs before handle_active_stripes() and removes the stripe from
handle_list via find_get_stripe() -> list_del_init(). This prevents
handle_stripe() from ever processing the stripe to resolve the
overlap, causing an infinite loop and soft lockup.
Fix this by using __release_stripe() with temp_inactive_list instead
of raid5_release_stripe() in the failure path, so the stripe does not
go through the released_stripes llist. This allows raid5d to break out
of its loop, and the overlap will be resolved when the stripe is
eventually processed by handle_stripe().
Fixes: 773ca82fa1ee ("raid5: make release_stripe lockless")
Cc: stable@vger.kernel.org
Signed-off-by: FengWei Shih <dannyshih@synology.com>
Signed-off-by: Chia-Ming Chang <chiamingc@synology.com>
Link: https://lore.kernel.org/linux-raid/20260402061406.455755-1-chiamingc@synology.com/
Signed-off-by: Yu Kuai <yukuai@fnnas.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/raid5.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/drivers/md/raid5.c
+++ b/drivers/md/raid5.c
@@ -6664,7 +6664,13 @@ static int retry_aligned_read(struct r5
}
if (!add_stripe_bio(sh, raid_bio, dd_idx, 0, 0)) {
- raid5_release_stripe(sh);
+ int hash;
+
+ spin_lock_irq(&conf->device_lock);
+ hash = sh->hash_lock_index;
+ __release_stripe(conf, sh,
+ &conf->temp_inactive_list[hash]);
+ spin_unlock_irq(&conf->device_lock);
conf->retry_read_aligned = raid_bio;
conf->retry_read_offset = scnt;
return handled;
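Review bot: the replacement of raid5_release_stripe() in the `!add_stripe_bio()` branch has no comment, and the open-coded lock, __release_stripe(), unlock sequence looks like something a later cleanup would fold back into the helper. Add a comment that the stripe must not go through the lockless released_stripes list here, and say where `conf->temp_inactive_list[hash]` gets drained, since nothing in this hunk does it. `hash` could also be initialised at its declaration.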
* [PATCH 6.1 249/969] md/raid5: validate payload size before accessing journal metadata
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Junrui Luo, Yu Kuai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
commit b0cc3ae97e893bf54bbce447f4e9fd2e0b88bff9 upstream.
r5c_recovery_analyze_meta_block() and
r5l_recovery_verify_data_checksum_for_mb() iterate over payloads in a
journal metadata block using on-disk payload size fields without
validating them against the remaining space in the metadata block.
A corrupted journal containing payload sizes extending beyond the PAGE_SIZE
boundary can cause out-of-bounds reads when accessing payload fields or
computing offsets.
Add bounds validation for each payload type to ensure the full payload
fits within meta_size before processing.
Fixes: b4c625c67362 ("md/r5cache: r5cache recovery: part 1")
Cc: stable@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://lore.kernel.org/linux-raid/SYBPR01MB78815E78D829BB86CD7C8015AF5FA@SYBPR01MB7881.ausprd01.prod.outlook.com/
Signed-off-by: Yu Kuai <yukuai@fnnas.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/raid5-cache.c | 48 ++++++++++++++++++++++++++++++++---------------
1 file changed, 33 insertions(+), 15 deletions(-)
--- a/drivers/md/raid5-cache.c
+++ b/drivers/md/raid5-cache.c
@@ -2012,15 +2012,27 @@ r5l_recovery_verify_data_checksum_for_mb
return -ENOMEM;
while (mb_offset < le32_to_cpu(mb->meta_size)) {
+ sector_t payload_len;
+
payload = (void *)mb + mb_offset;
payload_flush = (void *)mb + mb_offset;
if (le16_to_cpu(payload->header.type) == R5LOG_PAYLOAD_DATA) {
+ payload_len = sizeof(struct r5l_payload_data_parity) +
+ (sector_t)sizeof(__le32) *
+ (le32_to_cpu(payload->size) >> (PAGE_SHIFT - 9));
+ if (mb_offset + payload_len > le32_to_cpu(mb->meta_size))
+ goto mismatch;
if (r5l_recovery_verify_data_checksum(
log, ctx, page, log_offset,
payload->checksum[0]) < 0)
goto mismatch;
} else if (le16_to_cpu(payload->header.type) == R5LOG_PAYLOAD_PARITY) {
+ payload_len = sizeof(struct r5l_payload_data_parity) +
+ (sector_t)sizeof(__le32) *
+ (le32_to_cpu(payload->size) >> (PAGE_SHIFT - 9));
+ if (mb_offset + payload_len > le32_to_cpu(mb->meta_size))
+ goto mismatch;
if (r5l_recovery_verify_data_checksum(
log, ctx, page, log_offset,
payload->checksum[0]) < 0)
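Review bot: the new bound is checked only after `payload->header.type` and `payload->size` have been read, and nothing in this hunk verifies that the fixed-size header at `mb + mb_offset` fits below meta_size first. `payload->checksum[0]` is also read unconditionally, while payload_len accounts for `size >> (PAGE_SHIFT - 9)` checksum entries, which is zero for a small size. Check that mb_offset plus sizeof(struct r5l_payload_data_parity) fits before the type test, and reject a size that yields no checksum entry before checksum[0] is used.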
@@ -2033,22 +2045,18 @@ r5l_recovery_verify_data_checksum_for_mb
payload->checksum[1]) < 0)
goto mismatch;
} else if (le16_to_cpu(payload->header.type) == R5LOG_PAYLOAD_FLUSH) {
- /* nothing to do for R5LOG_PAYLOAD_FLUSH here */
+ payload_len = sizeof(struct r5l_payload_flush) +
+ (sector_t)le32_to_cpu(payload_flush->size);
+ if (mb_offset + payload_len > le32_to_cpu(mb->meta_size))
+ goto mismatch;
} else /* not R5LOG_PAYLOAD_DATA/PARITY/FLUSH */
goto mismatch;
- if (le16_to_cpu(payload->header.type) == R5LOG_PAYLOAD_FLUSH) {
- mb_offset += sizeof(struct r5l_payload_flush) +
- le32_to_cpu(payload_flush->size);
- } else {
- /* DATA or PARITY payload */
+ if (le16_to_cpu(payload->header.type) != R5LOG_PAYLOAD_FLUSH) {
log_offset = r5l_ring_add(log, log_offset,
le32_to_cpu(payload->size));
- mb_offset += sizeof(struct r5l_payload_data_parity) +
- sizeof(__le32) *
- (le32_to_cpu(payload->size) >> (PAGE_SHIFT - 9));
}
-
+ mb_offset += payload_len;
}
put_page(page);
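Review bot: after this hunk the second `!= R5LOG_PAYLOAD_FLUSH` test exists only to guard r5l_ring_add(), so the payload type is decoded twice per iteration for no gain. Moving the r5l_ring_add() call into the DATA and PARITY branches, next to the payload_len computation, would leave a single `mb_offset += payload_len;` after the chain and remove the repeated type test.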
@@ -2099,6 +2107,7 @@ r5c_recovery_analyze_meta_block(struct r
log_offset = r5l_ring_add(log, ctx->pos, BLOCK_SECTORS);
while (mb_offset < le32_to_cpu(mb->meta_size)) {
+ sector_t payload_len;
int dd;
payload = (void *)mb + mb_offset;
@@ -2107,6 +2116,12 @@ r5c_recovery_analyze_meta_block(struct r
if (le16_to_cpu(payload->header.type) == R5LOG_PAYLOAD_FLUSH) {
int i, count;
+ payload_len = sizeof(struct r5l_payload_flush) +
+ (sector_t)le32_to_cpu(payload_flush->size);
+ if (mb_offset + payload_len >
+ le32_to_cpu(mb->meta_size))
+ return -EINVAL;
+
count = le32_to_cpu(payload_flush->size) / sizeof(__le64);
for (i = 0; i < count; ++i) {
stripe_sect = le64_to_cpu(payload_flush->flush_stripes[i]);
@@ -2120,12 +2135,17 @@ r5c_recovery_analyze_meta_block(struct r
}
}
- mb_offset += sizeof(struct r5l_payload_flush) +
- le32_to_cpu(payload_flush->size);
+ mb_offset += payload_len;
continue;
}
/* DATA or PARITY payload */
+ payload_len = sizeof(struct r5l_payload_data_parity) +
+ (sector_t)sizeof(__le32) *
+ (le32_to_cpu(payload->size) >> (PAGE_SHIFT - 9));
+ if (mb_offset + payload_len > le32_to_cpu(mb->meta_size))
+ return -EINVAL;
+
stripe_sect = (le16_to_cpu(payload->header.type) == R5LOG_PAYLOAD_DATA) ?
raid5_compute_sector(
conf, le64_to_cpu(payload->location), 0, &dd,
@@ -2190,9 +2210,7 @@ r5c_recovery_analyze_meta_block(struct r
log_offset = r5l_ring_add(log, log_offset,
le32_to_cpu(payload->size));
- mb_offset += sizeof(struct r5l_payload_data_parity) +
- sizeof(__le32) *
- (le32_to_cpu(payload->size) >> (PAGE_SHIFT - 9));
+ mb_offset += payload_len;
}
return 0;
* [PATCH 6.1 250/969] inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chia-Ming Chang, robbieko,
Nikolay Borisov, Jan Kara
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chia-Ming Chang <chiamingc@synology.com>
commit 6a320935fa4293e9e599ec9f85dc9eb3be7029f8 upstream.
When fsnotify_add_inode_mark_locked() fails in inotify_new_watch(),
the error path calls inotify_remove_from_idr() but does not call
dec_inotify_watches() to undo the preceding inc_inotify_watches().
This leaks a watch count, and repeated failures can exhaust the
max_user_watches limit with -ENOSPC even when no watches are active.
Prior to commit 1cce1eea0aff ("inotify: Convert to using per-namespace
limits"), the watch count was incremented after fsnotify_add_mark_locked()
succeeded, so this path was not affected. The conversion moved
inc_inotify_watches() before the mark insertion without adding the
corresponding rollback.
Add the missing dec_inotify_watches() call in the error path.
Fixes: 1cce1eea0aff ("inotify: Convert to using per-namespace limits")
Cc: stable@vger.kernel.org
Signed-off-by: Chia-Ming Chang <chiamingc@synology.com>
Signed-off-by: robbieko <robbieko@synology.com>
Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>
Link: https://patch.msgid.link/20260224093442.3076294-1-chiamingc@synology.com
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/notify/inotify/inotify_user.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/notify/inotify/inotify_user.c
+++ b/fs/notify/inotify/inotify_user.c
@@ -622,6 +622,7 @@ static int inotify_new_watch(struct fsno
if (ret) {
/* we failed to get on the inode, get off the idr */
inotify_remove_from_idr(group, tmp_i_mark);
+ dec_inotify_watches(group->inotify_data.ucounts);
goto out_err;
}
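Review bot: The comment in the if (ret) branch still says only "get off the idr", but the branch now also rolls back the watch count with dec_inotify_watches(). Extend the comment to say that the earlier inc_inotify_watches() is undone here, so the pairing stays obvious to whoever next touches this error path.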
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 251/969] tcp: call sk_data_ready() after listener migration
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (249 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 250/969] inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 252/969] taskstats: set version in TGID exit notifications Greg Kroah-Hartman
` (724 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Kuniyuki Iwashima,
Zhenzhong Wu, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhenzhong Wu <jt26wzz@gmail.com>
commit 3864c6ba1e041bc75342353a70fa2a2c6f909923 upstream.
When inet_csk_listen_stop() migrates an established child socket from
a closing listener to another socket in the same SO_REUSEPORT group,
the target listener gets a new accept-queue entry via
inet_csk_reqsk_queue_add(), but that path never notifies the target
listener's waiters. A nonblocking accept() still works because it
checks the queue directly, but poll()/epoll_wait() waiters and
blocking accept() callers can also remain asleep indefinitely.
Call READ_ONCE(nsk->sk_data_ready)(nsk) after a successful migration
in inet_csk_listen_stop().
However, after inet_csk_reqsk_queue_add() succeeds, the ref acquired
in reuseport_migrate_sock() is effectively transferred to
nreq->rsk_listener. Another CPU can then dequeue nreq via accept()
or listener shutdown, hit reqsk_put(), and drop that listener ref.
Since listeners are SOCK_RCU_FREE, wrap the post-queue_add()
dereferences of nsk in rcu_read_lock()/rcu_read_unlock(), which also
covers the existing sock_net(nsk) access in that path.
The reqsk_timer_handler() path does not need the same changes for two
reasons: half-open requests become readable only after the final ACK,
where tcp_child_process() already wakes the listener; and once nreq is
visible via inet_ehash_insert(), the success path no longer touches
nsk directly.
Fixes: 54b92e841937 ("tcp: Migrate TCP_ESTABLISHED/TCP_SYN_RECV sockets in accept queues.")
Cc: stable@vger.kernel.org
Suggested-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Signed-off-by: Zhenzhong Wu <jt26wzz@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260422024554.130346-2-jt26wzz@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/inet_connection_sock.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -1429,16 +1429,19 @@ void inet_csk_listen_stop(struct sock *s
if (nreq) {
refcount_set(&nreq->rsk_refcnt, 1);
+ rcu_read_lock();
if (inet_csk_reqsk_queue_add(nsk, nreq, child)) {
__NET_INC_STATS(sock_net(nsk),
LINUX_MIB_TCPMIGRATEREQSUCCESS);
reqsk_migrate_reset(req);
+ READ_ONCE(nsk->sk_data_ready)(nsk);
} else {
__NET_INC_STATS(sock_net(nsk),
LINUX_MIB_TCPMIGRATEREQFAILURE);
reqsk_migrate_reset(nreq);
__reqsk_free(nreq);
}
+ rcu_read_unlock();
/* inet_csk_reqsk_queue_add() has already
* called inet_child_forget() on failure case.
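Review bot: rcu_read_lock() is taken ahead of inet_csk_reqsk_queue_add() with no comment, and the code alone does not show why nsk needs RCU protection at this point. Add a short comment above rcu_read_lock() stating that a successful queue_add hands the listener reference to nreq->rsk_listener, so the later sock_net(nsk) and nsk->sk_data_ready accesses are only safe inside the RCU section. Without it the lock/unlock pair looks removable.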
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 252/969] taskstats: set version in TGID exit notifications
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (250 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 251/969] tcp: call sk_data_ready() after listener migration Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 253/969] Bluetooth: hci_event: fix potential UAF in SSP passkey handlers Greg Kroah-Hartman
` (723 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yiyang Chen, Balbir Singh,
Dr. Thomas Orgis, Fan Yu, Wang Yaxin, Andrew Morton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yiyang Chen <cyyzero16@gmail.com>
commit 16c4f0211aaa1ec1422b11b59f64f1abe9009fc0 upstream.
delay accounting started populating taskstats records with a valid version
field via fill_pid() and fill_tgid().
Later, commit ad4ecbcba728 ("[PATCH] delay accounting taskstats interface
send tgid once") changed the TGID exit path to send the cached
signal->stats aggregate directly instead of building the outgoing record
through fill_tgid(). Unlike fill_tgid(), fill_tgid_exit() only
accumulates accounting data and never initializes stats->version.
As a result, TGID exit notifications can reach userspace with version == 0
even though PID exit notifications and TASKSTATS_CMD_GET replies carry a
valid taskstats version.
This is easy to reproduce with `tools/accounting/getdelays.c`.
I have a small follow-up patch for that tool which:
1. increases the receive buffer/message size so the pid+tgid
combined exit notification is not dropped/truncated
2. prints `stats->version`.
With that patch, the reproducer is:
Terminal 1:
./getdelays -d -v -l -m 0
Terminal 2:
taskset -c 0 python3 -c 'import threading,time; t=threading.Thread(target=time.sleep,args=(0.1,)); t.start(); t.join()'
That produces both PID and TGID exit notifications for the same
process. The PID exit record reports a valid taskstats version, while
the TGID exit record reports `version 0`.
This patch (of 2):
Set stats->version = TASKSTATS_VERSION after copying the cached TGID
aggregate into the outgoing netlink payload so all taskstats records are
self-describing again.
Link: https://lkml.kernel.org/r/ba83d934e59edd431b693607de573eb9ca059309.1774810498.git.cyyzero16@gmail.com
Fixes: ad4ecbcba728 ("[PATCH] delay accounting taskstats interface send tgid once")
Signed-off-by: Yiyang Chen <cyyzero16@gmail.com>
Cc: Balbir Singh <bsingharora@gmail.com>
Cc: Dr. Thomas Orgis <thomas.orgis@uni-hamburg.de>
Cc: Fan Yu <fan.yu9@zte.com.cn>
Cc: Wang Yaxin <wang.yaxin@zte.com.cn>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/taskstats.c | 1 +
1 file changed, 1 insertion(+)
--- a/kernel/taskstats.c
+++ b/kernel/taskstats.c
@@ -656,6 +656,7 @@ void taskstats_exit(struct task_struct *
goto err;
memcpy(stats, tsk->signal->stats, sizeof(*stats));
+ stats->version = TASKSTATS_VERSION;
send:
send_cpu_listeners(rep_skb, listeners);
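Review bot: The stats->version assignment after the memcpy() has no comment, and nothing at this site shows that the copy of tsk->signal->stats arrives without a version. A one-line comment that the cached TGID aggregate is never given a version would keep the line from being dropped later as redundant. Setting the version on the cached aggregate itself would be an alternative that does not depend on every copy site remembering it.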
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 253/969] Bluetooth: hci_event: fix potential UAF in SSP passkey handlers
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (251 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 252/969] taskstats: set version in TGID exit notifications Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 254/969] can: ucan: fix devres lifetime Greg Kroah-Hartman
` (722 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shuvam Pandey,
Luiz Augusto von Dentz
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shuvam Pandey <shuvampandey1@gmail.com>
commit 85fa3512048793076eef658f66489112dcc91993 upstream.
hci_conn lookup and field access must be covered by hdev lock in
hci_user_passkey_notify_evt() and hci_keypress_notify_evt(), otherwise
the connection can be freed concurrently.
Extend the hci_dev_lock critical section to cover all conn usage in both
handlers.
Keep the existing keypress notification behavior unchanged by routing
the early exits through a common unlock path.
Fixes: 92a25256f142 ("Bluetooth: mgmt: Implement support for passkey notification")
Cc: stable@vger.kernel.org
Signed-off-by: Shuvam Pandey <shuvampandey1@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/hci_event.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -5497,9 +5497,11 @@ static void hci_user_passkey_notify_evt(
bt_dev_dbg(hdev, "");
+ hci_dev_lock(hdev);
+
conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
if (!conn)
- return;
+ goto unlock;
conn->passkey_notify = __le32_to_cpu(ev->passkey);
conn->passkey_entered = 0;
@@ -5508,6 +5510,9 @@ static void hci_user_passkey_notify_evt(
mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
conn->dst_type, conn->passkey_notify,
conn->passkey_entered);
+
+unlock:
+ hci_dev_unlock(hdev);
}
static void hci_keypress_notify_evt(struct hci_dev *hdev, void *data,
@@ -5518,14 +5523,16 @@ static void hci_keypress_notify_evt(stru
bt_dev_dbg(hdev, "");
+ hci_dev_lock(hdev);
+
conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
if (!conn)
- return;
+ goto unlock;
switch (ev->type) {
case HCI_KEYPRESS_STARTED:
conn->passkey_entered = 0;
- return;
+ goto unlock;
case HCI_KEYPRESS_ENTERED:
conn->passkey_entered++;
@@ -5540,13 +5547,16 @@ static void hci_keypress_notify_evt(stru
break;
case HCI_KEYPRESS_COMPLETED:
- return;
+ goto unlock;
}
if (hci_dev_test_flag(hdev, HCI_MGMT))
mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
conn->dst_type, conn->passkey_notify,
conn->passkey_entered);
+
+unlock:
+ hci_dev_unlock(hdev);
}
static void hci_simple_pair_complete_evt(struct hci_dev *hdev, void *data,
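Review bot: In hci_keypress_notify_evt() the call to mgmt_user_passkey_notify() now runs with the hdev lock held, since the unlock label sits after it, and the same holds for the call in hci_user_passkey_notify_evt(). The commit message explains why conn needs the lock but does not say that the mgmt call is safe under it. A sentence confirming that mgmt_user_passkey_notify() neither takes hci_dev_lock() itself nor sleeps would close that question.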
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 254/969] can: ucan: fix devres lifetime
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (252 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 253/969] Bluetooth: hci_event: fix potential UAF in SSP passkey handlers Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 255/969] crypto: arm64/aes - Fix 32-bit aes_mac_update() arg treated as 64-bit Greg Kroah-Hartman
` (721 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakob Unterwurzacher, Johan Hovold,
Marc Kleine-Budde
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit fed4626501c871890da287bec62a96e52da1af89 upstream.
USB drivers bind to USB interfaces and any device managed resources
should have their lifetime tied to the interface rather than parent USB
device. This avoids issues like memory leaks when drivers are unbound
without their devices being physically disconnected (e.g. on probe
deferral or configuration changes).
Fix the control message buffer lifetime so that it is released on driver
unbind.
Fixes: 9f2d3eae88d2 ("can: ucan: add driver for Theobroma Systems UCAN devices")
Cc: stable@vger.kernel.org # 4.19
Cc: Jakob Unterwurzacher <jakob.unterwurzacher@theobroma-systems.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260327104520.1310158-1-johan@kernel.org
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/can/usb/ucan.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/can/usb/ucan.c
+++ b/drivers/net/can/usb/ucan.c
@@ -1398,7 +1398,7 @@ static int ucan_probe(struct usb_interfa
*/
/* Prepare Memory for control transfers */
- ctl_msg_buffer = devm_kzalloc(&udev->dev,
+ ctl_msg_buffer = devm_kzalloc(&intf->dev,
sizeof(union ucan_ctl_payload),
GFP_KERNEL);
if (!ctl_msg_buffer) {
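Review bot: Neither the devm_kzalloc() hunk nor the commit message says whether ctl_msg_buffer can still be referenced after unbind, which matters now that the allocation is tied to &intf->dev and is released at that point. The hunk does not show where the buffer is used, so a line in the commit message confirming that all users are stopped before unbind completes would help.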
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 255/969] crypto: arm64/aes - Fix 32-bit aes_mac_update() arg treated as 64-bit
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (253 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 254/969] can: ucan: fix devres lifetime Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 256/969] crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup Greg Kroah-Hartman
` (720 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ard Biesheuvel, Eric Biggers
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@kernel.org>
commit f8f08d7cc43237e91e3aedf7b67d015d24c38fcc upstream.
Since the 'enc_after' argument to neon_aes_mac_update() and
ce_aes_mac_update() has type 'int', it needs to be accessed using the
corresponding 32-bit register, not the 64-bit register. The upper half
of the corresponding 64-bit register may contain garbage.
Fixes: 4860620da7e5 ("crypto: arm64/aes - add NEON/Crypto Extensions CBCMAC/CMAC/XCBC driver")
Cc: stable@vger.kernel.org
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
Link: https://lore.kernel.org/r/20260218213501.136844-4-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/crypto/aes-modes.S | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/arm64/crypto/aes-modes.S
+++ b/arch/arm64/crypto/aes-modes.S
@@ -848,7 +848,7 @@ AES_FUNC_START(aes_mac_update)
encrypt_block v0, w2, x1, x7, w8
eor v0.16b, v0.16b, v4.16b
cmp w3, wzr
- csinv x5, x6, xzr, eq
+ csinv w5, w6, wzr, eq
cbz w5, .Lmacout
encrypt_block v0, w2, x1, x7, w8
st1 {v0.16b}, [x4] /* return dg */
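Review bot: The csinv after cmp w3, wzr carries no comment, and the same x-to-w correction is needed again in the second hunk, so the constraint is easy to lose in a later edit. Add a comment at the first csinv that register 6 holds the int enc_after argument and that the upper half of x6 may contain garbage, so only w6 may be tested.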
@@ -862,7 +862,7 @@ AES_FUNC_START(aes_mac_update)
eor v0.16b, v0.16b, v1.16b /* ..and xor with dg */
subs w3, w3, #1
- csinv x5, x6, xzr, eq
+ csinv w5, w6, wzr, eq
cbz w5, .Lmacout
.Lmacenc:
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 256/969] crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (254 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 255/969] crypto: arm64/aes - Fix 32-bit aes_mac_update() arg treated as 64-bit Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 257/969] crypto: atmel-ecc - Release client on allocation failure Greg Kroah-Hartman
` (719 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Herbert Xu
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
commit 3fcfff4ed35f963380a68741bcd52742baff7f76 upstream.
atmel_aes_buff_init() allocates 4 pages using __get_free_pages() with
ATMEL_AES_BUFFER_ORDER, but atmel_aes_buff_cleanup() frees only the
first page using free_page(), leaking the remaining 3 pages. Use
free_pages() with ATMEL_AES_BUFFER_ORDER to fix the memory leak.
Fixes: bbe628ed897d ("crypto: atmel-aes - improve performances of data transfer")
Cc: stable@vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/atmel-aes.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/crypto/atmel-aes.c
+++ b/drivers/crypto/atmel-aes.c
@@ -2329,7 +2329,7 @@ static int atmel_aes_buff_init(struct at
static void atmel_aes_buff_cleanup(struct atmel_aes_dev *dd)
{
- free_page((unsigned long)dd->buf);
+ free_pages((unsigned long)dd->buf, ATMEL_AES_BUFFER_ORDER);
}
static int atmel_aes_dma_init(struct atmel_aes_dev *dd)
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 257/969] crypto: atmel-ecc - Release client on allocation failure
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (255 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 256/969] crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 258/969] crypto: hisilicon - Fix dma_unmap_single() direction Greg Kroah-Hartman
` (718 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Herbert Xu
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
commit 095d50008d55d13f8fcf1bbeb7c6eba51779bc85 upstream.
Call atmel_ecc_i2c_client_free() to release the I2C client reserved by
atmel_ecc_i2c_client_alloc() when crypto_alloc_kpp() fails. Otherwise
->tfm_count will be out of sync.
Fixes: 11105693fa05 ("crypto: atmel-ecc - introduce Microchip / Atmel ECC driver")
Cc: stable@vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/atmel-ecc.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/crypto/atmel-ecc.c
+++ b/drivers/crypto/atmel-ecc.c
@@ -261,6 +261,7 @@ static int atmel_ecdh_init_tfm(struct cr
if (IS_ERR(fallback)) {
dev_err(&ctx->client->dev, "Failed to allocate transformation for '%s': %ld\n",
alg, PTR_ERR(fallback));
+ atmel_ecc_i2c_client_free(ctx->client);
return PTR_ERR(fallback);
}
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 258/969] crypto: hisilicon - Fix dma_unmap_single() direction
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (256 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 257/969] crypto: atmel-ecc - Release client on allocation failure Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 259/969] crypto: ccree - fix a memory leak in cc_mac_digest() Greg Kroah-Hartman
` (717 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Thorsten Blum,
Herbert Xu
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
commit 1ee57ab93b75eb59f426aef37b5498a7ffc28278 upstream.
The direction used to map the buffer skreq->iv is DMA_TO_DEVICE but it is
unmapped with direction DMA_BIDIRECTIONAL in the error path.
Change the unmap to match the mapping.
Fixes: 915e4e8413da ("crypto: hisilicon - SEC security accelerator driver")
Cc: <stable@vger.kernel.org>
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Reviewed-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/hisilicon/sec/sec_algs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/crypto/hisilicon/sec/sec_algs.c
+++ b/drivers/crypto/hisilicon/sec/sec_algs.c
@@ -844,7 +844,7 @@ err_free_elements:
if (crypto_skcipher_ivsize(atfm))
dma_unmap_single(info->dev, sec_req->dma_iv,
crypto_skcipher_ivsize(atfm),
- DMA_BIDIRECTIONAL);
+ DMA_TO_DEVICE);
err_unmap_out_sg:
if (split)
sec_unmap_sg_on_err(skreq->dst, steps, splits_out,
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 259/969] crypto: ccree - fix a memory leak in cc_mac_digest()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (257 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 258/969] crypto: hisilicon - Fix dma_unmap_single() direction Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 260/969] crypto: atmel-tdes - fix DMA sync direction Greg Kroah-Hartman
` (716 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haoxiang Li, Herbert Xu
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
commit 02c64052fad03699b9c6d1df2f9b444d17e4ac50 upstream.
Add cc_unmap_result() if cc_map_hash_request_final()
fails to prevent potential memory leak.
Fixes: 63893811b0fc ("crypto: ccree - add ahash support")
Cc: stable@vger.kernel.org
Signed-off-by: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/ccree/cc_hash.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/crypto/ccree/cc_hash.c
+++ b/drivers/crypto/ccree/cc_hash.c
@@ -1448,6 +1448,7 @@ static int cc_mac_digest(struct ahash_re
if (cc_map_hash_request_final(ctx->drvdata, state, req->src,
req->nbytes, 1, flags)) {
dev_err(dev, "map_ahash_request_final() failed\n");
+ cc_unmap_result(dev, state, digestsize, req->result);
cc_unmap_req(dev, state, ctx);
return -ENOMEM;
}
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 260/969] crypto: atmel-tdes - fix DMA sync direction
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (258 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 259/969] crypto: ccree - fix a memory leak in cc_mac_digest() Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 261/969] crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path Greg Kroah-Hartman
` (715 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Herbert Xu
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
commit c8a9a647532f5c2a04180352693215e24e9dba03 upstream.
Before DMA output is consumed by the CPU, ->dma_addr_out must be synced
with dma_sync_single_for_cpu() instead of dma_sync_single_for_device().
Using the wrong direction can return stale cache data on non-coherent
platforms.
Fixes: 13802005d8f2 ("crypto: atmel - add Atmel DES/TDES driver")
Fixes: 1f858040c2f7 ("crypto: atmel-tdes - add support for latest release of the IP (0x700)")
Cc: stable@vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/atmel-tdes.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/crypto/atmel-tdes.c
+++ b/drivers/crypto/atmel-tdes.c
@@ -304,8 +304,8 @@ static int atmel_tdes_crypt_pdc_stop(str
dma_unmap_sg(dd->dev, dd->out_sg, 1, DMA_FROM_DEVICE);
dma_unmap_sg(dd->dev, dd->in_sg, 1, DMA_TO_DEVICE);
} else {
- dma_sync_single_for_device(dd->dev, dd->dma_addr_out,
- dd->dma_size, DMA_FROM_DEVICE);
+ dma_sync_single_for_cpu(dd->dev, dd->dma_addr_out,
+ dd->dma_size, DMA_FROM_DEVICE);
/* copy data */
count = atmel_tdes_sg_copy(&dd->out_sg, &dd->out_offset,
@@ -660,8 +660,8 @@ static int atmel_tdes_crypt_dma_stop(str
dma_unmap_sg(dd->dev, dd->out_sg, 1, DMA_FROM_DEVICE);
dma_unmap_sg(dd->dev, dd->in_sg, 1, DMA_TO_DEVICE);
} else {
- dma_sync_single_for_device(dd->dev, dd->dma_addr_out,
- dd->dma_size, DMA_FROM_DEVICE);
+ dma_sync_single_for_cpu(dd->dev, dd->dma_addr_out,
+ dd->dma_size, DMA_FROM_DEVICE);
/* copy data */
count = atmel_tdes_sg_copy(&dd->out_sg, &dd->out_offset,
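Review bot: The dma_sync_single_for_cpu() call followed by the /* copy data */ step is identical in atmel_tdes_crypt_pdc_stop() and atmel_tdes_crypt_dma_stop(), which is why the same wrong call had to be fixed twice. Moving the sync and copy into one shared helper would keep the direction in a single place. A short comment that the sync hands the output buffer back to the CPU before the copy would also make the intent explicit.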
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 261/969] crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (259 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 260/969] crypto: atmel-tdes - fix DMA sync direction Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 262/969] dm mirror: fix integer overflow in create_dirty_log() Greg Kroah-Hartman
` (714 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Herbert Xu
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
commit bab1adf3b87e4bfac92c4f5963c63db434d561c1 upstream.
Unregister the hwrng to prevent new ->read() calls and flush the Atmel
I2C workqueue before teardown to prevent a potential UAF if a queued
callback runs while the device is being removed.
Drop the early return to ensure sysfs entries are removed and
->hwrng.priv is freed, preventing a memory leak.
Fixes: da001fb651b0 ("crypto: atmel-i2c - add support for SHA204A random number generator")
Cc: stable@vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/atmel-sha204a.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
--- a/drivers/crypto/atmel-sha204a.c
+++ b/drivers/crypto/atmel-sha204a.c
@@ -126,10 +126,8 @@ static void atmel_sha204a_remove(struct
{
struct atmel_i2c_client_priv *i2c_priv = i2c_get_clientdata(client);
- if (atomic_read(&i2c_priv->tfm_count)) {
- dev_emerg(&client->dev, "Device is busy, will remove it anyhow\n");
- return;
- }
+ devm_hwrng_unregister(&client->dev, &i2c_priv->hwrng);
+ atmel_i2c_flush_queue();
kfree((void *)i2c_priv->hwrng.priv);
}
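Review bot: The order of the three teardown calls in atmel_sha204a_remove() is what prevents the use-after-free, but the code does not say so. Add a comment that devm_hwrng_unregister() must come first to stop new ->read() calls, then atmel_i2c_flush_queue(), and only then the kfree() of hwrng.priv. The tfm_count check is also dropped together with its dev_emerg() message, so a remove with transforms still active is now silent; if that state is still possible, keeping a warning without the early return would preserve the diagnostic.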
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 262/969] dm mirror: fix integer overflow in create_dirty_log()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (260 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 261/969] crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 263/969] IB/core: Fix zero dmac race in neighbor resolution Greg Kroah-Hartman
` (713 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo,
Benjamin Marzinski, Mikulas Patocka
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
commit 4c788c6f921b22f9b6c3f316c4a071c05683e7de upstream.
The argument count calculation in create_dirty_log() performs
`*args_used = 2 + param_count` before validating against argc. When a
user provides a param_count close to UINT_MAX via the device mapper
table string, this unsigned addition wraps around to a small value,
causing the subsequent `argc < *args_used` check to be bypassed.
The overflowed param_count is then passed as argc to dm_dirty_log_create(),
where it can cause out-of-bounds reads on the argv array.
Fix by comparing param_count against argc - 2 before performing the
addition, following the same pattern used by parse_features() in the
same file. Since argc >= 2 is already guaranteed, the subtraction is
safe.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Reviewed-by: Benjamin Marzinski <bmarzins@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/dm-raid1.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/md/dm-raid1.c
+++ b/drivers/md/dm-raid1.c
@@ -978,13 +978,13 @@ static struct dm_dirty_log *create_dirty
return NULL;
}
- *args_used = 2 + param_count;
-
- if (argc < *args_used) {
+ if (param_count > argc - 2) {
ti->error = "Insufficient mirror log arguments";
return NULL;
}
+ *args_used = 2 + param_count;
+
dl = dm_dirty_log_create(argv[0], ti, mirror_flush, param_count,
argv + 2);
if (!dl) {
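Review bot: The new test param_count > argc - 2 is only correct while argc >= 2, because argc - 2 itself wraps for smaller values, and the hunk does not show where that lower bound is established. Add a comment at the comparison naming the earlier check that guarantees argc >= 2, so a later refactor of the preceding code does not quietly reintroduce the wrap on the other side of the comparison.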
^ permalink raw reply [flat|nested] 982+ messages in thread
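Added example, not part of the patch or of the kernel source: a user-space model of the two argument-count checks described in the dm mirror commit message above. The function names are hypothetical stand-ins; only the two comparisons are taken from the hunk.

```c
#include <limits.h>
#include <stdio.h>

/*
 * Model of the check before the fix: the sum is formed first and
 * compared afterwards. With unsigned arithmetic 2 + param_count wraps
 * for values near UINT_MAX, so the comparison sees a small number.
 * Returns 0 when the arguments are accepted, -1 when rejected.
 */
static int args_check_before(unsigned int argc, unsigned int param_count,
                             unsigned int *args_used)
{
    *args_used = 2 + param_count;   /* may wrap */
    if (argc < *args_used)
        return -1;
    return 0;
}

/*
 * Model of the check after the fix: param_count is compared against
 * the slots that really remain (argc - 2) before any addition.
 * The caller must guarantee argc >= 2, as the commit message states.
 */
static int args_check_after(unsigned int argc, unsigned int param_count,
                            unsigned int *args_used)
{
    if (param_count > argc - 2)
        return -1;
    *args_used = 2 + param_count;   /* cannot wrap: param_count <= argc - 2 */
    return 0;
}

/*
 * Number of argv slots a callee handed (param_count, argv + 2) would
 * read beyond the argc entries that exist. Zero means in bounds.
 */
static unsigned int slots_past_end(unsigned int argc, unsigned int param_count)
{
    unsigned int available = argc - 2;

    return param_count > available ? param_count - available : 0;
}

int main(void)
{
    /* Constructed inputs: a normal table line and a wrapping one. */
    const unsigned int cases[][2] = {
        { 5, 3 },           /* exactly enough arguments */
        { 4, 3 },           /* one argument short */
        { 3, UINT_MAX },    /* 2 + UINT_MAX wraps to 1 */
    };
    unsigned int i;

    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        unsigned int used_b = 0, used_a = 0;
        int before = args_check_before(cases[i][0], cases[i][1], &used_b);
        int after = args_check_after(cases[i][0], cases[i][1], &used_a);

        printf("argc=%u param_count=%u before=%d after=%d past_end=%u\n",
               cases[i][0], cases[i][1], before, after,
               slots_past_end(cases[i][0], cases[i][1]));
    }
    return 0;
}
```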
* [PATCH 6.1 263/969] IB/core: Fix zero dmac race in neighbor resolution
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (261 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 262/969] dm mirror: fix integer overflow in create_dirty_log() Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 264/969] ktest: Fix the month in the name of the failure directory Greg Kroah-Hartman
` (712 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen Zhao, Parav Pandit,
Leon Romanovsky, Jason Gunthorpe
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Zhao <chezhao@nvidia.com>
commit 5e6de34d82b49cab9d8a42063e9cd0f22a4f31e5 upstream.
dst_fetch_ha() checks nud_state without holding the neighbor lock, then
copies ha under the seqlock. A race in __neigh_update() where nud_state
is set to NUD_REACHABLE before ha is written allows dst_fetch_ha() to
read a zero MAC address while the seqlock reports no concurrent writer.
netevent_callback amplifies this by waking ALL pending addr_req workers
when ANY neighbor becomes NUD_VALID. At scale (N peers resolving ARP
concurrently), the hit probability scales as N^2, making it near-certain
for large RDMA workloads.
    N(A): neigh_update(A)              W(A): addr_resolve(A)
      |                                  [sleep]
      | write_lock_bh(&A->lock)          |
      | A->nud_state = NUD_REACHABLE     |
      | // A->ha is still 0              |
      |                                [woken by netevent_cb() of
      |                                 another neighbour]
      |                                  | dst_fetch_ha(A)
      |                                  |   A->nud_state & NUD_VALID
      |                                  |   read_seqbegin(&A->ha_lock)
      |                                  |   snapshot = A->ha /* 0 */
      |                                  |   read_seqretry(&A->ha_lock)
      |                                  |   return snapshot
      | seqlock(&A->ha_lock)
      | A->ha = mac_A /* too late */
      | sequnlock(&A->ha_lock)
      | write_unlock_bh(&A->lock)
The incorrect/zero mac is read and programmed in the device QP while it
was not yet updated. This causes silent packet loss and eventual
RETRY_EXC_ERR.
Fix by holding the neighbor read lock across the nud_state check and
ha copy in dst_fetch_ha(), ensuring it synchronizes with
__neigh_update() which is updating while holding the write lock.
Cc: stable@vger.kernel.org
Fixes: 92ebb6a0a13a ("IB/cm: Remove now useless rcu_lock in dst_fetch_ha")
Link: https://patch.msgid.link/r/20260405-fix-dmac-race-v1-1-cfa1ec2ce54a@nvidia.com
Signed-off-by: Chen Zhao <chezhao@nvidia.com>
Reviewed-by: Parav Pandit <parav@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/core/addr.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/infiniband/core/addr.c
+++ b/drivers/infiniband/core/addr.c
@@ -321,11 +321,14 @@ static int dst_fetch_ha(const struct dst
if (!n)
return -ENODATA;
+ read_lock_bh(&n->lock);
if (!(n->nud_state & NUD_VALID)) {
+ read_unlock_bh(&n->lock);
neigh_event_send(n, NULL);
ret = -ENODATA;
} else {
neigh_ha_snapshot(dev_addr->dst_dev_addr, n, dst->dev);
+ read_unlock_bh(&n->lock);
}
neigh_release(n);
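Review bot: the two unlock sites in dst_fetch_ha() are asymmetric and nothing says why: the !NUD_VALID branch drops n->lock before neigh_event_send(), the else branch only after neigh_ha_snapshot(). A one-line comment that neigh_event_send() must run without n->lock held (it can take that lock itself) would stop a later cleanup from merging them into a single read_unlock_bh() below the if/else.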
* [PATCH 6.1 264/969] ktest: Fix the month in the name of the failure directory
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (262 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 263/969] IB/core: Fix zero dmac race in neighbor resolution Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 265/969] ntfs3: add buffer boundary checks to run_unpack() Greg Kroah-Hartman
` (711 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, John Warthog9 Hawley, Steven Rostedt
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steven Rostedt <rostedt@goodmis.org>
commit 768059ede35f197575a38b10797b52402d9d4d2f upstream.
The Perl localtime() function returns the month starting at 0 not 1. This
caused the date produced to create the directory for saving files of a
failed run to have the month off by one.
machine-test-useconfig-fail-20260314073628
The above happened in April, not March. The correct name should have been:
machine-test-useconfig-fail-20260414073628
This was somewhat confusing.
Cc: stable@vger.kernel.org
Cc: John 'Warthog9' Hawley <warthog9@kernel.org>
Link: https://patch.msgid.link/20260420142426.33ad0293@fedora
Fixes: 7faafbd69639b ("ktest: Add open and close console and start stop monitor")
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/ktest/ktest.pl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/tools/testing/ktest/ktest.pl
+++ b/tools/testing/ktest/ktest.pl
@@ -1770,7 +1770,7 @@ sub save_logs {
my ($result, $basedir) = @_;
my @t = localtime;
my $date = sprintf "%04d%02d%02d%02d%02d%02d",
- 1900+$t[5],$t[4],$t[3],$t[2],$t[1],$t[0];
+ 1900+$t[5],$t[4]+1,$t[3],$t[2],$t[1],$t[0];
my $type = $build_type;
if ($type =~ /useconfig/) {
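Review bot: the `$t[4]+1` in the sprintf argument list is uncommented, just like the `1900+$t[5]` next to it, which is how the off-by-one went unnoticed in the first place. A short comment that localtime() months are 0-based, or building the stamp with POSIX strftime("%Y%m%d%H%M%S", localtime) instead of indexing @t by hand, would keep this from regressing.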
* [PATCH 6.1 265/969] ntfs3: add buffer boundary checks to run_unpack()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (263 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 264/969] ktest: Fix the month in the name of the failure directory Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 266/969] ntfs3: fix integer overflow in run_unpack() volume boundary check Greg Kroah-Hartman
` (710 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tobias Gaertner, Konstantin Komarov
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tobias Gaertner <tob.gaertner@me.com>
commit b62567bca47408e6739dee75f02a2113548af875 upstream.
run_unpack() checks `run_buf < run_last` at the top of the while loop
but then reads size_size and offset_size bytes via run_unpack_s64()
without verifying they fit within the remaining buffer. A crafted NTFS
image with truncated run data in an MFT attribute triggers an OOB heap
read of up to 15 bytes when the filesystem is mounted.
Add boundary checks before each run_unpack_s64() call to ensure the
declared field size does not exceed the remaining buffer.
Found by fuzzing with a source-patched harness (LibAFL + QEMU).
Fixes: 82cae269cfa95 ("fs/ntfs3: Add initialization of super block")
Cc: stable@vger.kernel.org
Signed-off-by: Tobias Gaertner <tob.gaertner@me.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ntfs3/run.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/fs/ntfs3/run.c
+++ b/fs/ntfs3/run.c
@@ -963,6 +963,9 @@ int run_unpack(struct runs_tree *run, st
if (size_size > 8)
return -EINVAL;
+ if (run_buf + size_size > run_last)
+ return -EINVAL;
+
len = run_unpack_s64(run_buf, size_size, 0);
/* Skip size_size. */
run_buf += size_size;
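Review bot: in the size_size check, `run_buf + size_size > run_last` forms the sum before comparing; writing it as `size_size > run_last - run_buf` keeps the arithmetic inside the buffer and reads directly as "bytes needed versus bytes left". The same expression is needed again for offset_size further down, so a small shared helper would keep the two checks from drifting apart.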
@@ -975,6 +978,9 @@ int run_unpack(struct runs_tree *run, st
else if (offset_size <= 8) {
s64 dlcn;
+ if (run_buf + offset_size > run_last)
+ return -EINVAL;
+
/* Initial value of dlcn is -1 or 0. */
dlcn = (run_buf[offset_size - 1] & 0x80) ? (s64)-1 : 0;
dlcn = run_unpack_s64(run_buf, offset_size, dlcn);
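Review bot: the new offset_size check sits directly above `run_buf[offset_size - 1]`, and it passes when offset_size is 0, in which case that index is -1. The branch that precedes `else if (offset_size <= 8)` is outside the visible context; please confirm it takes the zero case, or make the bound explicit here so this read does not depend on the ordering of the if/else chain.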
* [PATCH 6.1 266/969] ntfs3: fix integer overflow in run_unpack() volume boundary check
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (264 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 265/969] ntfs3: add buffer boundary checks to run_unpack() Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 267/969] rtmutex: Use waiter::task instead of current in remove_waiter() Greg Kroah-Hartman
` (709 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tobias Gaertner, Konstantin Komarov
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tobias Gaertner <tob.gaertner@me.com>
commit 984a415f019536ea2d24de9010744e5302a9a948 upstream.
The volume boundary check `lcn + len > sbi->used.bitmap.nbits` uses raw
addition which can wrap around for large lcn and len values, bypassing
the validation. Use check_add_overflow() as is already done for the
adjacent prev_lcn + dlcn and vcn64 + len checks added by commit
3ac37e100385 ("ntfs3: Fix integer overflow in run_unpack()").
Found by fuzzing with a source-patched harness (LibAFL + QEMU).
Fixes: 82cae269cfa95 ("fs/ntfs3: Add initialization of super block")
Cc: stable@vger.kernel.org
Signed-off-by: Tobias Gaertner <tob.gaertner@me.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ntfs3/run.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
--- a/fs/ntfs3/run.c
+++ b/fs/ntfs3/run.c
@@ -1018,9 +1018,15 @@ int run_unpack(struct runs_tree *run, st
return -EOPNOTSUPP;
}
#endif
- if (lcn != SPARSE_LCN64 && lcn + len > sbi->used.bitmap.nbits) {
- /* LCN range is out of volume. */
- return -EINVAL;
+ if (lcn != SPARSE_LCN64) {
+ u64 lcn_end;
+
+ if (check_add_overflow(lcn, len, &lcn_end))
+ return -EINVAL;
+ if (lcn_end > sbi->used.bitmap.nbits) {
+ /* LCN range is out of volume. */
+ return -EINVAL;
+ }
}
if (!run)
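Review bot: check_add_overflow() reports overflow relative to the type of the destination, so `u64 lcn_end` is only correct if lcn and len are both unsigned 64-bit here; their declarations are not in the visible context and should be confirmed, in particular that len cannot be a signed value at this point. The two failure paths both return -EINVAL but only the second carries the "out of volume" comment; combining them as `if (check_add_overflow(lcn, len, &lcn_end) || lcn_end > sbi->used.bitmap.nbits)` would put one comment over both.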
* [PATCH 6.1 267/969] rtmutex: Use waiter::task instead of current in remove_waiter()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (265 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 266/969] ntfs3: fix integer overflow in run_unpack() volume boundary check Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 268/969] scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails Greg Kroah-Hartman
` (708 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuan Tan, Yifan Wu, Juefei Pu,
Xin Liu, Keenan Dong, Thomas Gleixner
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Keenan Dong <keenanat2000@gmail.com>
commit 3bfdc63936dd4773109b7b8c280c0f3b5ae7d349 upstream.
remove_waiter() is used by the slowlock paths, but it is also used for
proxy-lock rollback in rt_mutex_start_proxy_lock() when invoked from
futex_requeue().
In the latter case waiter::task is not current, but remove_waiter()
operates on current for the dequeue operation. That results in several
problems:
1) the rbtree dequeue happens without waiter::task::pi_lock being held
2) the waiter task's pi_blocked_on state is not cleared, which leaves a
dangling pointer primed for UAF around.
3) rt_mutex_adjust_prio_chain() operates on the wrong top priority waiter
task
Use waiter::task instead of current in all related operations in
remove_waiter() to cure those problems.
[ tglx: Fixup rt_mutex_adjust_prio_chain(), add a comment and amend the
changelog ]
Fixes: 8161239a8bcc ("rtmutex: Simplify PI algorithm and make highest prio task get lock")
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Keenan Dong <keenanat2000@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/locking/rtmutex.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
--- a/kernel/locking/rtmutex.c
+++ b/kernel/locking/rtmutex.c
@@ -1511,20 +1511,23 @@ static bool rtmutex_spin_on_owner(struct
*
* Must be called with lock->wait_lock held and interrupts disabled. It must
* have just failed to try_to_take_rt_mutex().
+ *
+ * When invoked from rt_mutex_start_proxy_lock() waiter::task != current !
*/
static void __sched remove_waiter(struct rt_mutex_base *lock,
struct rt_mutex_waiter *waiter)
{
bool is_top_waiter = (waiter == rt_mutex_top_waiter(lock));
struct task_struct *owner = rt_mutex_owner(lock);
+ struct task_struct *waiter_task = waiter->task;
struct rt_mutex_base *next_lock;
lockdep_assert_held(&lock->wait_lock);
- raw_spin_lock(¤t->pi_lock);
- rt_mutex_dequeue(lock, waiter);
- current->pi_blocked_on = NULL;
- raw_spin_unlock(¤t->pi_lock);
+ scoped_guard(raw_spinlock, &waiter_task->pi_lock) {
+ rt_mutex_dequeue(lock, waiter);
+ waiter_task->pi_blocked_on = NULL;
+ }
/*
* Only update priority if the waiter was the highest priority
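Review bot: the replacement of the explicit raw_spin_lock()/raw_spin_unlock() pair with `scoped_guard(raw_spinlock, &waiter_task->pi_lock)` makes this backport depend on the guard infrastructure being present in 6.1.y; please confirm it builds in this tree, or keep the explicit lock/unlock pair with waiter_task substituted for current. The non-irq guard is consistent with the function comment, which requires wait_lock held and interrupts disabled on entry.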
@@ -1560,7 +1563,7 @@ static void __sched remove_waiter(struct
raw_spin_unlock_irq(&lock->wait_lock);
rt_mutex_adjust_prio_chain(owner, RT_MUTEX_MIN_CHAINWALK, lock,
- next_lock, NULL, current);
+ next_lock, NULL, waiter_task);
raw_spin_lock_irq(&lock->wait_lock);
}
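Review bot: waiter_task is read from waiter->task at function entry and then passed to rt_mutex_adjust_prio_chain() after `raw_spin_unlock_irq(&lock->wait_lock)`. With current that pointer was trivially alive; for the proxy-lock case where waiter::task != current it would help to state in the new comment what keeps the task pinned across the window where wait_lock is dropped.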
* [PATCH 6.1 268/969] scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (266 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 267/969] rtmutex: Use waiter::task instead of current in remove_waiter() Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 269/969] seg6: fix seg6 lwtunnel output redirect for L2 reduced encap mode Greg Kroah-Hartman
` (707 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, John Garry, Yang Xiuwei,
Martin K. Petersen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yang Xiuwei <yangxiuwei@kylinos.cn>
commit 1e111c4b3a726df1254670a5cc4868cedb946d37 upstream.
If device_add(&sdkp->disk_dev) fails, put_device() runs
scsi_disk_release(), which frees the scsi_disk but leaves the gendisk
referenced. The device_add_disk() error path in sd_probe() calls
put_disk(gd); call put_disk(gd) here to mirror that cleanup.
Fixes: 265dfe8ebbab ("scsi: sd: Free scsi_disk device via put_device()")
Cc: stable@vger.kernel.org
Reviewed-by: John Garry <john.g.garry@oracle.com>
Signed-off-by: Yang Xiuwei <yangxiuwei@kylinos.cn>
Link: https://patch.msgid.link/20260330014952.152776-1-yangxiuwei@kylinos.cn
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/sd.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -3607,6 +3607,7 @@ static int sd_probe(struct device *dev)
error = device_add(&sdkp->disk_dev);
if (error) {
put_device(&sdkp->disk_dev);
+ put_disk(gd);
goto out;
}
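Review bot: in the device_add() error branch, put_disk(gd) now runs after put_device() has already released the scsi_disk, so it is only safe because gd is a local and not read back through sdkp. A one-line comment to that effect, or routing both error paths in sd_probe() through a shared label that does the put_disk(), would make the ordering explicit and keep the two cleanups from diverging again.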
* [PATCH 6.1 269/969] seg6: fix seg6 lwtunnel output redirect for L2 reduced encap mode
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (267 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 268/969] scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 270/969] crypto: authencesn - reject short ahash digests during instance creation Greg Kroah-Hartman
` (706 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrea Mayer, Justin Iurman,
Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrea Mayer <andrea.mayer@uniroma2.it>
commit ade67d5f588832c7ba131aadd4215a94ce0a15c8 upstream.
When SEG6_IPTUN_MODE_L2ENCAP_RED (L2ENCAP_RED) was introduced, the
condition in seg6_build_state() that excludes L2 encap modes from
setting LWTUNNEL_STATE_OUTPUT_REDIRECT was not updated to account for
the new mode.
As a consequence, L2ENCAP_RED routes incorrectly trigger seg6_output()
on the output path, where the packet is silently dropped because
skb_mac_header_was_set() fails on L3 packets.
Extend the check to also exclude L2ENCAP_RED, consistent with L2ENCAP.
Fixes: 13f0296be8ec ("seg6: add support for SRv6 H.L2Encaps.Red behavior")
Cc: stable@vger.kernel.org
Signed-off-by: Andrea Mayer <andrea.mayer@uniroma2.it>
Reviewed-by: Justin Iurman <justin.iurman@gmail.com>
Link: https://patch.msgid.link/20260418162838.31979-1-andrea.mayer@uniroma2.it
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/seg6_iptunnel.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/ipv6/seg6_iptunnel.c
+++ b/net/ipv6/seg6_iptunnel.c
@@ -712,7 +712,8 @@ static int seg6_build_state(struct net *
newts->type = LWTUNNEL_ENCAP_SEG6;
newts->flags |= LWTUNNEL_STATE_INPUT_REDIRECT;
- if (tuninfo->mode != SEG6_IPTUN_MODE_L2ENCAP)
+ if (tuninfo->mode != SEG6_IPTUN_MODE_L2ENCAP &&
+ tuninfo->mode != SEG6_IPTUN_MODE_L2ENCAP_RED)
newts->flags |= LWTUNNEL_STATE_OUTPUT_REDIRECT;
newts->headroom = seg6_lwt_headroom(tuninfo);
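Review bot: the condition in seg6_build_state() is still an open-coded list of L2 modes, which is exactly what went stale when L2ENCAP_RED was introduced. Moving the test into a small predicate for "is an L2 encap mode" (name to be chosen) and using it wherever L2 modes are singled out would make the next new mode a one-place change.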
* [PATCH 6.1 270/969] crypto: authencesn - reject short ahash digests during instance creation
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (268 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 269/969] seg6: fix seg6 lwtunnel output redirect for L2 reduced encap mode Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 271/969] driver core: Add kernel-doc for DEV_FLAG_COUNT enum value Greg Kroah-Hartman
` (705 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yifan Wu, Juefei Pu,
Yuan Tan, Xin Liu, Yuhang Zheng, Eric Biggers, Yucheng Lu,
Ren Wei, Herbert Xu
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yucheng Lu <kanolyc@gmail.com>
commit 5db6ef9847717329f12c5ea8aba7e9f588a980c0 upstream.
authencesn requires either a zero authsize or an authsize of at least
4 bytes because the ESN encrypt/decrypt paths always move 4 bytes of
high-order sequence number data at the end of the authenticated data.
While crypto_authenc_esn_setauthsize() already rejects explicit
non-zero authsizes in the range 1..3, crypto_authenc_esn_create()
still copied auth->digestsize into inst->alg.maxauthsize without
validating it. The AEAD core then initialized the tfm's default
authsize from that value.
As a result, selecting an ahash with digest size 1..3, such as
cbcmac(cipher_null), exposed authencesn instances whose default
authsize was invalid even though setauthsize() would have rejected the
same value. AF_ALG could then trigger the ESN tail handling with a
too-short tag and hit an out-of-bounds access.
Reject authencesn instances whose ahash digest size is in the invalid
non-zero range 1..3 so that no tfm can inherit an unsupported default
authsize.
Fixes: f15f05b0a5de ("crypto: ccm - switch to separate cbcmac driver")
Cc: stable@kernel.org
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Tested-by: Yuhang Zheng <z1652074432@gmail.com>
Reviewed-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Yucheng Lu <kanolyc@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
crypto/authencesn.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/crypto/authencesn.c
+++ b/crypto/authencesn.c
@@ -400,6 +400,11 @@ static int crypto_authenc_esn_create(str
auth = crypto_spawn_ahash_alg(&ctx->auth);
auth_base = &auth->base;
+ if (auth->digestsize > 0 && auth->digestsize < 4) {
+ err = -EINVAL;
+ goto err_free_inst;
+ }
+
err = crypto_grab_skcipher(&ctx->enc, aead_crypto_instance(inst),
crypto_attr_alg_name(tb[2]), 0, mask);
if (err)
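Review bot: the bare `4` in `auth->digestsize > 0 && auth->digestsize < 4` duplicates the range that, per the changelog, crypto_authenc_esn_setauthsize() already rejects. A shared constant or helper used by both sites, with a comment that it is the size of the high-order ESN bytes moved at the tail, would keep the two checks in step. Please also confirm that err_free_inst releases the ahash spawn already grabbed in ctx->auth, since this is a new exit after that grab.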
* [PATCH 6.1 271/969] driver core: Add kernel-doc for DEV_FLAG_COUNT enum value
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (269 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 270/969] crypto: authencesn - reject short ahash digests during instance creation Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 272/969] ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path Greg Kroah-Hartman
` (704 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Randy Dunlap, Douglas Anderson,
Danilo Krummrich
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Douglas Anderson <dianders@chromium.org>
commit 5b484311507b5d403c1f7a45f6aa3778549e268b upstream.
Even though nobody should use this value (except when declaring the
"flags" bitmap), kernel-doc still gets upset that it's not documented.
It reports:
WARNING: ../include/linux/device.h:519
Enum value 'DEV_FLAG_COUNT' not described in enum 'struct_device_flags'
Add the description of DEV_FLAG_COUNT.
Fixes: a2225b6e834a ("driver core: Don't let a device probe until it's ready")
Reported-by: Randy Dunlap <rdunlap@infradead.org>
Closes: https://lore.kernel.org/f318cd43-81fd-48b9-abf7-92af85f12f91@infradead.org
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Tested-by: Randy Dunlap <rdunlap@infradead.org>
Reviewed-by: Randy Dunlap <rdunlap@infradead.org>
Link: https://patch.msgid.link/20260413195910.1.I23aca74fe2d3636a47df196a80920fecb2643220@changeid
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/device.h | 1 +
1 file changed, 1 insertion(+)
--- a/include/linux/device.h
+++ b/include/linux/device.h
@@ -465,6 +465,7 @@ struct device_physical_location {
*
* @DEV_FLAG_READY_TO_PROBE: If set then device_add() has finished enough
* initialization that probe could be called.
+ * @DEV_FLAG_COUNT: Number of defined struct_device_flags.
*/
enum struct_device_flags {
DEV_FLAG_READY_TO_PROBE = 0,
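Review bot: the new @DEV_FLAG_COUNT line only says what the value is, while the changelog says nobody should use it except when declaring the "flags" bitmap. Putting that restriction into the kernel-doc text itself would be more useful to readers than the count description alone.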
* [PATCH 6.1 272/969] ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (270 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 271/969] driver core: Add kernel-doc for DEV_FLAG_COUNT enum value Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 273/969] ALSA: caiaq: Dont abort when no input device is available Greg Kroah-Hartman
` (703 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit 0a7b5221b5b51cc798fcfc3be00d02eade149d69 upstream.
The previous fix for handling the error from setup_card() missed that
an internal URB cdev->ep1_in_urb might have been already submitted
beforehand. In the normal case, this URB gets killed at the
disconnection, but in the error path, we didn't do it, hence there can
be a potential leak.
Fix it in the error path for setup_card(), too.
Fixes: 28abd224db4a ("ALSA: caiaq: Handle probe errors properly")
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20260427123819.890185-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/caiaq/device.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/usb/caiaq/device.c
+++ b/sound/usb/caiaq/device.c
@@ -514,7 +514,7 @@ static int init_card(struct snd_usb_caia
card->private_free = card_free;
err = setup_card(cdev);
if (err < 0)
- return err;
+ goto err_kill_urb;
return 0;
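Review bot: `goto err_kill_urb` is taken right after `card->private_free = card_free` has been installed, so on this path both the label's cleanup and card_free() (when the caller frees the card) will run. The label body is outside the visible context; please confirm that nothing is released twice between the two and that killing ep1_in_urb there is safe.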
* [PATCH 6.1 273/969] ALSA: caiaq: Dont abort when no input device is available
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (271 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 272/969] ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 274/969] ipv6: rpl: reserve mac_len headroom when recompressed SRH grows Greg Kroah-Hartman
` (702 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit b32ae47a2b0a1fb4bd4942242847966d9b178222 upstream.
The previous fix to handle the error from setup_card() caused a
regression for the models that have no dedicated input device;
snd_usb_caiaq_input_init() just returns -EINVAL, and we treat it as a
fatal error although it should be ignored.
As a regression fix, change the error code to -ENODEV, and ignore this
error in the callee, to continue probing.
Fixes: 28abd224db4a ("ALSA: caiaq: Handle probe errors properly")
Cc: <stable@vger.kernel.org>
Link: https://bugzilla.kernel.org/show_bug.cgi?id=221423
Link: https://patch.msgid.link/20260427145642.6637-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/caiaq/device.c | 2 +-
sound/usb/caiaq/input.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- a/sound/usb/caiaq/device.c
+++ b/sound/usb/caiaq/device.c
@@ -366,7 +366,7 @@ static int setup_card(struct snd_usb_cai
#ifdef CONFIG_SND_USB_CAIAQ_INPUT
ret = snd_usb_caiaq_input_init(cdev);
- if (ret < 0) {
+ if (ret < 0 && ret != -ENODEV) {
dev_err(dev, "Unable to set up input system (ret=%d)\n", ret);
return ret;
}
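Review bot: when snd_usb_caiaq_input_init() returns -ENODEV the new condition skips the error branch, but ret still holds -ENODEV as setup_card() continues. Unless every later path reassigns ret before using or returning it, the ignored error can leak out of the function; resetting ret to 0 for the -ENODEV case, or testing the call result in a separate variable, would make that explicit.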
--- a/sound/usb/caiaq/input.c
+++ b/sound/usb/caiaq/input.c
@@ -804,7 +804,7 @@ int snd_usb_caiaq_input_init(struct snd_
default:
/* no input methods supported on this device */
- ret = -EINVAL;
+ ret = -ENODEV;
goto exit_free_idev;
}
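Review bot: with the caller now treating -ENODEV as "no input device, carry on", any other path in snd_usb_caiaq_input_init() that can return -ENODEV (for example one propagated from a helper) will be silently ignored as well. Please check that the default case is the only source of that code, and extend the comment on it to say the caller relies on this value.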
* [PATCH 6.1 274/969] ipv6: rpl: reserve mac_len headroom when recompressed SRH grows
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (272 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 273/969] ALSA: caiaq: Dont abort when no input device is available Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 275/969] drm/amdgpu: fix zero-size GDS range init on RDNA4 Greg Kroah-Hartman
` (701 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 9e6bf146b55999a095bb14f73a843942456d1adc upstream.
ipv6_rpl_srh_rcv() decompresses an RFC 6554 Source Routing Header, swaps
the next segment into ipv6_hdr->daddr, recompresses, then pulls the old
header and pushes the new one plus the IPv6 header back. The
recompressed header can be larger than the received one when the swap
reduces the common-prefix length the segments share with daddr (CmprI=0,
CmprE>0, seg[0][0] != daddr[0] gives the maximum +8 bytes).
pskb_expand_head() was gated on segments_left == 0, so on earlier
segments the push consumed unchecked headroom. Once skb_push() leaves
fewer than skb->mac_len bytes in front of data,
skb_mac_header_rebuild()'s call to:
skb_set_mac_header(skb, -skb->mac_len);
will store (data - head) - mac_len into the u16 mac_header field, which
wraps to ~65530, and the following memmove() writes mac_len bytes ~64KiB
past skb->head.
A single AF_INET6/SOCK_RAW/IPV6_HDRINCL packet over lo with a two
segment type-3 SRH (CmprI=0, CmprE=15) reaches headroom 8 after one
pass; KASAN reports a 14-byte OOB write in ipv6_rthdr_rcv.
Fix this by expanding the head whenever the remaining room is less than
the push size plus mac_len, and request that much extra so the rebuilt
MAC header fits afterwards.
Fixes: 8610c7c6e3bd ("net: ipv6: add support for rpl sr exthdr")
Cc: stable <stable@kernel.org>
Reported-by: Anthropic
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2026042133-gout-unvented-1bd9@gregkh
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/exthdrs.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -500,6 +500,7 @@ static int ipv6_rpl_srh_rcv(struct sk_bu
struct net *net = dev_net(skb->dev);
struct inet6_dev *idev;
struct ipv6hdr *oldhdr;
+ unsigned int chdr_len;
unsigned char *buf;
int accept_rpl_seg;
int i, err;
@@ -619,8 +620,10 @@ looped_back:
skb_pull(skb, ((hdr->hdrlen + 1) << 3));
skb_postpull_rcsum(skb, oldhdr,
sizeof(struct ipv6hdr) + ((hdr->hdrlen + 1) << 3));
- if (unlikely(!hdr->segments_left)) {
- if (pskb_expand_head(skb, sizeof(struct ipv6hdr) + ((chdr->hdrlen + 1) << 3), 0,
+ chdr_len = sizeof(struct ipv6hdr) + ((chdr->hdrlen + 1) << 3);
+ if (unlikely(!hdr->segments_left ||
+ skb_headroom(skb) < chdr_len + skb->mac_len)) {
+ if (pskb_expand_head(skb, chdr_len + skb->mac_len, 0,
GFP_ATOMIC)) {
__IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)), IPSTATS_MIB_OUTDISCARDS);
kfree_skb(skb);
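Review bot: in the new condition, `skb_headroom(skb) < chdr_len + skb->mac_len` already covers the case where the recompressed header grows, so it is not obvious why `!hdr->segments_left` still forces a reallocation unconditionally; a comment on that clause would help, or drop it if it is only historical. Note also that pskb_expand_head() takes the number of bytes to add, so `chdr_len + skb->mac_len` goes on top of whatever headroom already exists, which is safe but more than the deficit.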
@@ -630,7 +633,7 @@ looped_back:
oldhdr = ipv6_hdr(skb);
}
- skb_push(skb, ((chdr->hdrlen + 1) << 3) + sizeof(struct ipv6hdr));
+ skb_push(skb, chdr_len);
skb_reset_network_header(skb);
skb_mac_header_rebuild(skb);
skb_set_transport_header(skb, sizeof(struct ipv6hdr));
* [PATCH 6.1 275/969] drm/amdgpu: fix zero-size GDS range init on RDNA4
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (273 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 274/969] ipv6: rpl: reserve mac_len headroom when recompressed SRH grows Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 276/969] ALSA: caiaq: fix usb_dev refcount leak on probe failure Greg Kroah-Hartman
` (700 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arjan van de Ven, Alex Deucher,
Christian König, amd-gfx, dri-devel, linux-kernel
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arjan van de Ven <arjan@linux.intel.com>
commit 095a8b0ad3c3b5cdc3850d961adb8a8f735220bb upstream.
RDNA4 (GFX 12) hardware removes the GDS, GWS, and OA on-chip memory
resources. The gfx_v12_0 initialisation code correctly leaves
adev->gds.gds_size, adev->gds.gws_size, and adev->gds.oa_size at
zero to reflect this.
amdgpu_ttm_init() unconditionally calls amdgpu_ttm_init_on_chip() for
each of these resources regardless of size. When the size is zero,
amdgpu_ttm_init_on_chip() forwards the call to ttm_range_man_init(),
which calls drm_mm_init(mm, 0, 0). drm_mm_init() immediately fires
DRM_MM_BUG_ON(start + size <= start) -- trivially true when size is
zero -- crashing the kernel during modprobe of amdgpu on an RX 9070 XT.
Guard against this by returning 0 early from
amdgpu_ttm_init_on_chip() when size_in_page is zero. This skips TTM
resource manager registration for hardware resources that are absent,
without affecting any other GPU type.
DRM_MM_BUG_ON() only asserts if CONFIG_DRM_DEBUG_MM is enabled in
the kernel config. This is apparently rarely enabled as these chips
have been in the market for over a year and this issue was only reported
now.
Link: https://lore.kernel.org/all/bug-221376-2300@https.bugzilla.kernel.org%2F/
Link: https://bugzilla.kernel.org/show_bug.cgi?id=221376
Oops-Analysis: http://oops.fenrus.org/reports/bugzilla.korg/221376/report.html
Assisted-by: GitHub Copilot:Claude Sonnet 4.6 linux-kernel-oops-x86.
Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Cc: "Christian König" <christian.koenig@amd.com>
Cc: amd-gfx@lists.freedesktop.org
Cc: dri-devel@lists.freedesktop.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 5719ce5865279cad4fd5f01011fe037168503f2d)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
@@ -76,6 +76,9 @@ static int amdgpu_ttm_init_on_chip(struc
unsigned int type,
uint64_t size_in_page)
{
+ if (!size_in_page)
+ return 0;
+
return ttm_range_man_init(&adev->mman.bdev, type,
false, size_in_page);
}
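Review bot: The new `if (!size_in_page) return 0;` at the top of amdgpu_ttm_init_on_chip() has no comment saying that a zero size means the on-chip resource is absent and that the manager is deliberately left unregistered; a one-line comment there would stop it being read as a swallowed error. Since init now succeeds without calling ttm_range_man_init(), the matching teardown for that type (not in this hunk) should be checked to confirm it tolerates a manager that was never initialised. For the 6.1.y backport it is also worth confirming that a supported ASIC can actually reach this function with a zero size, since the changelog ties the crash to gfx_v12_0.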
* [PATCH 6.1 276/969] ALSA: caiaq: fix usb_dev refcount leak on probe failure
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (274 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 275/969] drm/amdgpu: fix zero-size GDS range init on RDNA4 Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 277/969] net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels Greg Kroah-Hartman
` (699 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+2afd7e71155c7e241560,
Deepanshu Kartikey, Takashi Iwai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Deepanshu Kartikey <kartikey406@gmail.com>
commit 7a5f1cd22d47f8ca4b760b6334378ae42c1bd24b upstream.
create_card() takes a reference on the USB device with usb_get_dev()
and stores the matching usb_put_dev() in card_free(), which is
installed as the snd_card's ->private_free destructor.
However, ->private_free is only assigned near the end of init_card(),
after several failure points (usb_set_interface(), EP type checks,
usb_submit_urb(), the EP1_CMD_GET_DEVICE_INFO exchange, and its
timeout). When any of those fail, init_card() returns an error to
snd_probe(), which calls snd_card_free(card). Because ->private_free
is still NULL, card_free() never runs, the usb_get_dev() reference
is not dropped, and the struct usb_device leaks along with its
descriptor allocations and device_private.
syzbot reproduces this with a malformed UAC3 device whose only valid
altsetting is 0; init_card()'s usb_set_interface(usb_dev, 0, 1) call
fails with -EIO and triggers the leak.
Move the ->private_free assignment into create_card(), immediately
after usb_get_dev(), so that every error path reaching snd_card_free()
balances the reference. card_free()'s callees (snd_usb_caiaq_input_free,
free_urbs, kfree) already tolerate the partially-initialized state
because the chip private area is zero-initialized by snd_card_new().
Fixes: 80bb50e2d459 ("ALSA: caiaq: take a reference on the USB device in create_card()")
Reported-by: syzbot+2afd7e71155c7e241560@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2afd7e71155c7e241560
Tested-by: syzbot+2afd7e71155c7e241560@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Link: https://patch.msgid.link/20260426001934.70813-1-kartikey406@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/caiaq/device.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/usb/caiaq/device.c
+++ b/sound/usb/caiaq/device.c
@@ -423,6 +423,7 @@ static int create_card(struct usb_device
cdev = caiaqdev(card);
cdev->chip.dev = usb_get_dev(usb_dev);
+ card->private_free = card_free;
cdev->chip.card = card;
cdev->chip.usb_id = USB_ID(le16_to_cpu(usb_dev->descriptor.idVendor),
le16_to_cpu(usb_dev->descriptor.idProduct));
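Review bot: `card->private_free = card_free;` now sits between the usb_get_dev() assignment and the rest of the chip setup in create_card() with nothing in the code saying the placement matters. A short comment that the destructor must be installed as soon as the reference is taken, and that card_free() therefore has to cope with a zeroed, partly initialised chip area, would keep a later reorder from reintroducing the leak. Any failure return in create_card() after this line that does not go through snd_card_free() should also be checked, since the reference is only dropped from the destructor.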
@@ -511,7 +512,6 @@ static int init_card(struct snd_usb_caia
snprintf(card->longname, sizeof(card->longname), "%s %s (%s)",
cdev->vendor_name, cdev->product_name, usbpath);
- card->private_free = card_free;
err = setup_card(cdev);
if (err < 0)
goto err_kill_urb;
* [PATCH 6.1 277/969] net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (275 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 276/969] ALSA: caiaq: fix usb_dev refcount leak on probe failure Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 278/969] netfilter: reject zero shift in nft_bitwise Greg Kroah-Hartman
` (698 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrea Mayer, Simon Horman,
Justin Iurman, Paolo Abeni
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrea Mayer <andrea.mayer@uniroma2.it>
commit f9c52a6ba9780bd27e0bf4c044fd91c13c778b6e upstream.
seg6_input_core() and rpl_input() call ip6_route_input() which sets a
NOREF dst on the skb, then pass it to dst_cache_set_ip6() invoking
dst_hold() unconditionally.
On PREEMPT_RT, ksoftirqd is preemptible and a higher-priority task can
release the underlying pcpu_rt between the lookup and the caching
through a concurrent FIB lookup on a shared nexthop.
Simplified race sequence:
ksoftirqd/X higher-prio task (same CPU X)
----------- --------------------------------
seg6_input_core(,skb)/rpl_input(skb)
dst_cache_get()
-> miss
ip6_route_input(skb)
-> ip6_pol_route(,skb,flags)
[RT6_LOOKUP_F_DST_NOREF in flags]
-> FIB lookup resolves fib6_nh
[nhid=N route]
-> rt6_make_pcpu_route()
[creates pcpu_rt, refcount=1]
pcpu_rt->sernum = fib6_sernum
[fib6_sernum=W]
-> cmpxchg(fib6_nh.rt6i_pcpu,
NULL, pcpu_rt)
[slot was empty, store succeeds]
-> skb_dst_set_noref(skb, dst)
[dst is pcpu_rt, refcount still 1]
rt_genid_bump_ipv6()
-> bumps fib6_sernum
[fib6_sernum from W to Z]
ip6_route_output()
-> ip6_pol_route()
-> FIB lookup resolves fib6_nh
[nhid=N]
-> rt6_get_pcpu_route()
pcpu_rt->sernum != fib6_sernum
[W <> Z, stale]
-> prev = xchg(rt6i_pcpu, NULL)
-> dst_release(prev)
[prev is pcpu_rt,
refcount 1->0, dead]
dst = skb_dst(skb)
[dst is the dead pcpu_rt]
dst_cache_set_ip6(dst)
-> dst_hold() on dead dst
-> WARN / use-after-free
For the race to occur, ksoftirqd must be preemptible (PREEMPT_RT without
PREEMPT_RT_NEEDS_BH_LOCK) and a concurrent task must be able to release
the pcpu_rt. Shared nexthop objects provide such a path, as two routes
pointing to the same nhid share the same fib6_nh and its rt6i_pcpu
entry.
Fix seg6_input_core() and rpl_input() by calling skb_dst_force() after
ip6_route_input() to force the NOREF dst into a refcounted one before
caching.
The output path is not affected as ip6_route_output() already returns a
refcounted dst.
Fixes: af4a2209b134 ("ipv6: sr: use dst_cache in seg6_input")
Fixes: a7a29f9c361f ("net: ipv6: add rpl sr tunnel")
Cc: stable@vger.kernel.org
Signed-off-by: Andrea Mayer <andrea.mayer@uniroma2.it>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Justin Iurman <justin.iurman@gmail.com>
Link: https://patch.msgid.link/20260421094735.20997-1-andrea.mayer@uniroma2.it
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/rpl_iptunnel.c | 9 +++++++++
net/ipv6/seg6_iptunnel.c | 9 +++++++++
2 files changed, 18 insertions(+)
--- a/net/ipv6/rpl_iptunnel.c
+++ b/net/ipv6/rpl_iptunnel.c
@@ -284,7 +284,16 @@ static int rpl_input(struct sk_buff *skb
if (!dst) {
ip6_route_input(skb);
+
+ /* ip6_route_input() sets a NOREF dst; force a refcount on it
+ * before caching or further use.
+ */
+ skb_dst_force(skb);
dst = skb_dst(skb);
+ if (unlikely(!dst)) {
+ err = -ENETUNREACH;
+ goto drop;
+ }
/* cache only if we don't create a dst reference loop */
if (!dst->error && lwtst != dst->lwtstate) {
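Review bot: The comment above skb_dst_force() in rpl_input() explains the refcount but not why `dst` can be NULL afterwards, so the `if (unlikely(!dst))` branch reads as dead code; say in the comment that forcing the reference can fail and leave the skb without a dst. The `drop` label is outside this hunk, so confirm that it frees the skb and that nothing taken earlier in the function is still held when jumping there from this new exit.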
--- a/net/ipv6/seg6_iptunnel.c
+++ b/net/ipv6/seg6_iptunnel.c
@@ -498,7 +498,16 @@ static int seg6_input_core(struct net *n
if (!dst) {
ip6_route_input(skb);
+
+ /* ip6_route_input() sets a NOREF dst; force a refcount on it
+ * before caching or further use.
+ */
+ skb_dst_force(skb);
dst = skb_dst(skb);
+ if (unlikely(!dst)) {
+ err = -ENETUNREACH;
+ goto drop;
+ }
/* cache only if we don't create a dst reference loop */
if (!dst->error && lwtst != dst->lwtstate) {
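Review bot: The nine added lines in seg6_input_core() are a verbatim copy of the block added to rpl_input(), comment and `-ENETUNREACH` handling included. A small shared helper that routes, forces the reference and reports whether a dst is present would keep the two lwtunnel input paths from drifting apart the next time one of them is touched. As in rpl_input(), the `drop` target is not visible here and should be checked for this new entry.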
* [PATCH 6.1 278/969] netfilter: reject zero shift in nft_bitwise
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (276 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 277/969] net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 279/969] scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show() Greg Kroah-Hartman
` (697 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
Juefei Pu, Xin Liu, Kai Ma, Ren Wei, Fernando Fernandez Mancera,
Pablo Neira Ayuso
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kai Ma <k4729.23098@gmail.com>
commit fe11e5c40817b84abaa5d83bfb6586d8412bfd07 upstream.
Reject zero shift operands for nft_bitwise left and right shift
expressions during initialization.
The carry propagation logic computes the carry from the adjacent 32-bit
word using BITS_PER_TYPE(u32) - shift. A zero shift operand turns this
into a 32-bit shift, which is undefined behaviour.
Reject zero shift operands in the control plane, alongside the existing
check for values greater than or equal to 32, so malformed rules never
reach the packet path.
Fixes: 567d746b55bc ("netfilter: bitwise: add support for shifts.")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Kai Ma <k4729.23098@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/nft_bitwise.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/netfilter/nft_bitwise.c
+++ b/net/netfilter/nft_bitwise.c
@@ -149,7 +149,8 @@ static int nft_bitwise_init_shift(struct
if (err < 0)
return err;
- if (priv->data.data[0] >= BITS_PER_TYPE(u32)) {
+ if (!priv->data.data[0] ||
+ priv->data.data[0] >= BITS_PER_TYPE(u32)) {
nft_data_release(&priv->data, desc.type);
return -EINVAL;
}
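Review bot: The added `!priv->data.data[0]` test in nft_bitwise_init_shift() carries no comment, and the reason zero is invalid (the carry uses `BITS_PER_TYPE(u32) - shift`, which becomes a full-width shift) lives only in the changelog; a one-line comment above the condition would help. This also turns a shift of 0 from accepted into `-EINVAL` at rule load, so an existing ruleset that contains such an expression will fail to load after the update, which deserves a mention for stable users.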
* [PATCH 6.1 279/969] scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (277 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 278/969] netfilter: reject zero shift in nft_bitwise Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 280/969] ipmi: Add limits to event and receive message requests Greg Kroah-Hartman
` (696 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Martin K. Petersen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 772a896a56e0e3ef9424a025cec9176f9d8f4552 upstream.
target_tg_pt_gp_members_show() formats LUN paths with snprintf() into a
256-byte stack buffer, then will memcpy() cur_len bytes from that
buffer. snprintf() returns the length the output would have had, which
can exceed the buffer size when the fabric WWN is long because iSCSI IQN
names can be up to 223 bytes. The check at the memcpy() site only
guards the destination page write, not the source read, so memcpy() will
read past the stack buffer and copy adjacent stack contents to the sysfs
reader, which when CONFIG_FORTIFY_SOURCE is enabled, fortify_panic()
will be triggered.
Commit 27e06650a5ea ("scsi: target: target_core_configfs: Add length
check to avoid buffer overflow") added the same bound to the
target_lu_gp_members_show() but the tg_pt_gp variant was missed so
resolve that here.
Cc: Martin K. Petersen <martin.petersen@oracle.com>
Fixes: c66ac9db8d4a ("[SCSI] target: Add LIO target core v4.0.0-rc6")
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2026041159-garter-theft-3be0@gregkh
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/target/target_core_configfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/target/target_core_configfs.c
+++ b/drivers/target/target_core_configfs.c
@@ -3087,7 +3087,7 @@ static ssize_t target_tg_pt_gp_members_s
config_item_name(&lun->lun_group.cg_item));
cur_len++; /* Extra byte for NULL terminator */
- if ((cur_len + len) > PAGE_SIZE) {
+ if (cur_len > TG_PT_GROUP_NAME_BUF || (cur_len + len) > PAGE_SIZE) {
pr_warn("Ran out of lu_gp_show_attr"
"_members buffer\n");
break;
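Review bot: With `cur_len > TG_PT_GROUP_NAME_BUF` folded into the existing condition, one over-long LUN path now hits `break` and silently drops every remaining member from the output, and the warning still says "lu_gp_show_attr_members buffer" in the tg_pt_gp function for what is a different failure than running out of page space. Consider a separate branch for the truncated-name case with its own message, and decide whether it should skip that entry rather than end the listing. The comparison itself looks right, assuming the stack buffer is TG_PT_GROUP_NAME_BUF bytes: because cur_len has already been incremented for the terminator, `cur_len > TG_PT_GROUP_NAME_BUF` is true exactly when snprintf() truncated.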
* [PATCH 6.1 280/969] ipmi: Add limits to event and receive message requests
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (278 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 279/969] scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show() Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 281/969] ipmi: Check event message buffer response for bad data Greg Kroah-Hartman
` (695 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Matt Fleming, Corey Minyard
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Corey Minyard <corey@minyard.net>
commit c4cca236968683eb0d59abfb12d5c7e4d8514227 upstream.
The driver would just fetch events and receive messages until the
BMC said it was done. To avoid issues with BMCs that never say they are
done, add a limit of 10 fetches at a time.
In addition, an si interface has an attn state it can return from the
hardware which is supposed to cause a flag fetch to see if the driver
needs to fetch events or messages or a few other things. If the attn
bit gets stuck, it's a similar problem. So allow messages in between
flag fetches so the driver itself doesn't get stuck.
This is a more general fix than the previous fix for the specific bad
BMC, but should fix the more general issue of a BMC that won't stop
saying it has data.
This has been there from the beginning of the driver. It's not a bug
per-se, but it is accounting for bugs in BMCs.
Reported-by: Matt Fleming <mfleming@cloudflare.com>
Closes: https://lore.kernel.org/lkml/20260415115930.3428942-1-matt@readmodwrite.com/
Fixes: <1da177e4c3f4> ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Corey Minyard <corey@minyard.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/ipmi/ipmi_si_intf.c | 54 +++++++++++++++++++++++++++++++--------
drivers/char/ipmi/ipmi_ssif.c | 23 +++++++++++++++-
2 files changed, 64 insertions(+), 13 deletions(-)
--- a/drivers/char/ipmi/ipmi_si_intf.c
+++ b/drivers/char/ipmi/ipmi_si_intf.c
@@ -162,6 +162,10 @@ struct smi_info {
OEM2_DATA_AVAIL)
unsigned char msg_flags;
+ /* When requesting events and messages, don't do it forever. */
+ unsigned int num_requests_in_a_row;
+ bool last_was_flag_fetch;
+
/* Does the BMC have an event buffer? */
bool has_event_buffer;
@@ -394,7 +398,10 @@ static void start_getting_msg_queue(stru
start_new_msg(smi_info, smi_info->curr_msg->data,
smi_info->curr_msg->data_size);
- smi_info->si_state = SI_GETTING_MESSAGES;
+ if (smi_info->si_state != SI_GETTING_MESSAGES) {
+ smi_info->num_requests_in_a_row = 0;
+ smi_info->si_state = SI_GETTING_MESSAGES;
+ }
}
static void start_getting_events(struct smi_info *smi_info)
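Review bot: In start_getting_msg_queue() the counter is reset only when si_state is not already SI_GETTING_MESSAGES, so the limit depends on the state staying at SI_GETTING_MESSAGES between consecutive fetches; if any path returns it to another state in between, num_requests_in_a_row restarts at zero on every call and the cap never triggers. A comment stating that invariant would help, and the same applies to the identical change in start_getting_events().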
@@ -405,7 +412,10 @@ static void start_getting_events(struct
start_new_msg(smi_info, smi_info->curr_msg->data,
smi_info->curr_msg->data_size);
- smi_info->si_state = SI_GETTING_EVENTS;
+ if (smi_info->si_state != SI_GETTING_EVENTS) {
+ smi_info->num_requests_in_a_row = 0;
+ smi_info->si_state = SI_GETTING_EVENTS;
+ }
}
/*
@@ -579,6 +589,7 @@ static void handle_transaction_done(stru
smi_info->si_state = SI_NORMAL;
} else {
smi_info->msg_flags = msg[3];
+ smi_info->last_was_flag_fetch = true;
handle_flags(smi_info);
}
break;
@@ -624,6 +635,11 @@ static void handle_transaction_done(stru
} else {
smi_inc_stat(smi_info, events);
+ smi_info->num_requests_in_a_row++;
+ if (smi_info->num_requests_in_a_row > 10)
+ /* Stop if we do this too many times. */
+ smi_info->msg_flags &= ~EVENT_MSG_BUFFER_FULL;
+
/*
* Do this before we deliver the message
* because delivering the message releases the
@@ -662,6 +678,11 @@ static void handle_transaction_done(stru
} else {
smi_inc_stat(smi_info, incoming_messages);
+ smi_info->num_requests_in_a_row++;
+ if (smi_info->num_requests_in_a_row > 10)
+ /* Stop if we do this too many times. */
+ smi_info->msg_flags &= ~RECEIVE_MSG_AVAIL;
+
/*
* Do this before we deliver the message
* because delivering the message releases the
@@ -790,6 +811,26 @@ restart:
}
/*
+ * If we are currently idle, or if the last thing that was
+ * done was a flag fetch and there is a message pending, try
+ * to start the next message.
+ *
+ * We do the waiting message check to avoid a stuck flag
+ * completely wedging the driver. Let a message through
+ * in between flag operations if that happens.
+ */
+ if (si_sm_result == SI_SM_IDLE ||
+ (si_sm_result == SI_SM_ATTN && smi_info->waiting_msg &&
+ smi_info->last_was_flag_fetch)) {
+ smi_info->last_was_flag_fetch = false;
+ smi_inc_stat(smi_info, idles);
+
+ si_sm_result = start_next_msg(smi_info);
+ if (si_sm_result != SI_SM_IDLE)
+ goto restart;
+ }
+
+ /*
* We prefer handling attn over new messages. But don't do
* this if there is not yet an upper layer to handle anything.
*/
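Review bot: The relocated block calls `smi_inc_stat(smi_info, idles)` for the new SI_SM_ATTN case as well, so the idles statistic now also counts passes where the interface was not idle; move the increment under the `SI_SM_IDLE` test or count the ATTN case separately. The comment should also say that clearing last_was_flag_fetch here is what limits the bypass to one message per flag fetch, since that is the property the fix relies on.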
@@ -822,15 +863,6 @@ restart:
}
}
- /* If we are currently idle, try to start the next message. */
- if (si_sm_result == SI_SM_IDLE) {
- smi_inc_stat(smi_info, idles);
-
- si_sm_result = start_next_msg(smi_info);
- if (si_sm_result != SI_SM_IDLE)
- goto restart;
- }
-
if ((si_sm_result == SI_SM_IDLE)
&& (atomic_read(&smi_info->req_events))) {
/*
--- a/drivers/char/ipmi/ipmi_ssif.c
+++ b/drivers/char/ipmi/ipmi_ssif.c
@@ -225,6 +225,9 @@ struct ssif_info {
bool has_event_buffer;
bool supports_alert;
+ /* When requesting events and messages, don't do it forever. */
+ unsigned int num_requests_in_a_row;
+
/*
* Used to tell what we should do with alerts. If we are
* waiting on a response, read the data immediately.
@@ -413,7 +416,10 @@ static void start_event_fetch(struct ssi
}
ssif_info->curr_msg = msg;
- ssif_info->ssif_state = SSIF_GETTING_EVENTS;
+ if (ssif_info->ssif_state != SSIF_GETTING_EVENTS) {
+ ssif_info->num_requests_in_a_row = 0;
+ ssif_info->ssif_state = SSIF_GETTING_EVENTS;
+ }
ipmi_ssif_unlock_cond(ssif_info, flags);
msg->data[0] = (IPMI_NETFN_APP_REQUEST << 2);
@@ -436,7 +442,10 @@ static void start_recv_msg_fetch(struct
}
ssif_info->curr_msg = msg;
- ssif_info->ssif_state = SSIF_GETTING_MESSAGES;
+ if (ssif_info->ssif_state != SSIF_GETTING_MESSAGES) {
+ ssif_info->num_requests_in_a_row = 0;
+ ssif_info->ssif_state = SSIF_GETTING_MESSAGES;
+ }
ipmi_ssif_unlock_cond(ssif_info, flags);
msg->data[0] = (IPMI_NETFN_APP_REQUEST << 2);
@@ -843,6 +852,11 @@ static void msg_done_handler(struct ssif
ssif_info->msg_flags &= ~EVENT_MSG_BUFFER_FULL;
handle_flags(ssif_info, flags);
} else {
+ ssif_info->num_requests_in_a_row++;
+ if (ssif_info->num_requests_in_a_row > 10)
+ /* Stop if we do this too many times. */
+ ssif_info->msg_flags &= ~EVENT_MSG_BUFFER_FULL;
+
handle_flags(ssif_info, flags);
ssif_inc_stat(ssif_info, events);
deliver_recv_msg(ssif_info, msg);
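Review bot: This is the third of four places where the literal 10 and the same three-line limit check appear across ipmi_si_intf.c and ipmi_ssif.c; a shared define for the limit would keep the two drivers in step. In msg_done_handler() the bit is cleared before handle_flags() runs, which is what makes the cap take effect on this pass, so the ordering deserves a comment to stop the block being moved below that call.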
@@ -876,6 +890,11 @@ static void msg_done_handler(struct ssif
ssif_info->msg_flags &= ~RECEIVE_MSG_AVAIL;
handle_flags(ssif_info, flags);
} else {
+ ssif_info->num_requests_in_a_row++;
+ if (ssif_info->num_requests_in_a_row > 10)
+ /* Stop if we do this too many times. */
+ ssif_info->msg_flags &= ~RECEIVE_MSG_AVAIL;
+
ssif_inc_stat(ssif_info, incoming_messages);
handle_flags(ssif_info, flags);
deliver_recv_msg(ssif_info, msg);
* [PATCH 6.1 281/969] ipmi: Check event message buffer response for bad data
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (279 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 280/969] ipmi: Add limits to event and receive message requests Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 282/969] ipmi:si: Return state to normal if message allocation fails Greg Kroah-Hartman
` (694 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Matt Fleming, Corey Minyard
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Corey Minyard <corey@minyard.net>
commit 36920f30e78e69df01f9691c470b6f3ba8aebf98 upstream.
The event message buffer response data size got checked later when
processing, but check it right after the response comes back. It
appears some BMCs may return an empty message instead of an error
when fetching events.
There are apparently some new BMCs that make this error, so we need to
compensate.
Reported-by: Matt Fleming <mfleming@cloudflare.com>
Closes: https://lore.kernel.org/lkml/20260415115930.3428942-1-matt@readmodwrite.com/
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: <stable@vger.kernel.org>
Signed-off-by: Corey Minyard <corey@minyard.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/ipmi/ipmi_si_intf.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/drivers/char/ipmi/ipmi_si_intf.c
+++ b/drivers/char/ipmi/ipmi_si_intf.c
@@ -625,7 +625,13 @@ static void handle_transaction_done(stru
*/
msg = smi_info->curr_msg;
smi_info->curr_msg = NULL;
- if (msg->rsp[2] != 0) {
+ /*
+ * It appears some BMCs, with no event data, return no
+ * data in the message and not a 0x80 error as the
+ * spec says they should. Shut down processing if
+ * the data is not the right length.
+ */
+ if (msg->rsp[2] != 0 || msg->rsp_size != 19) {
/* Error getting event, probably done. */
msg->done(msg);
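Review bot: `msg->rsp_size != 19` introduces a bare length in handle_transaction_done(); the comment says why a short response must be rejected but not where 19 comes from, so a named constant or a note on how the size is made up would make it checkable. Because the test is an exact match, a response longer than 19 bytes is also treated as "probably done", which should be stated if intended.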
* [PATCH 6.1 282/969] ipmi:si: Return state to normal if message allocation fails
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (280 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 281/969] ipmi: Check event message buffer response for bad data Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 283/969] fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free Greg Kroah-Hartman
` (693 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Corey Minyard
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Corey Minyard <corey@minyard.net>
commit 09dd798270ff582d7309f285d4aaf5dbebae01cb upstream.
There were places where nothing would get started if a message
allocation failed, so the driver needs to return to normal state.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: <stable@vger.kernel.org>
Signed-off-by: Corey Minyard <corey@minyard.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/ipmi/ipmi_si_intf.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/drivers/char/ipmi/ipmi_si_intf.c
+++ b/drivers/char/ipmi/ipmi_si_intf.c
@@ -481,15 +481,19 @@ retry:
} else if (smi_info->msg_flags & RECEIVE_MSG_AVAIL) {
/* Messages available. */
smi_info->curr_msg = alloc_msg_handle_irq(smi_info);
- if (!smi_info->curr_msg)
+ if (!smi_info->curr_msg) {
+ smi_info->si_state = SI_NORMAL;
return;
+ }
start_getting_msg_queue(smi_info);
} else if (smi_info->msg_flags & EVENT_MSG_BUFFER_FULL) {
/* Events available. */
smi_info->curr_msg = alloc_msg_handle_irq(smi_info);
- if (!smi_info->curr_msg)
+ if (!smi_info->curr_msg) {
+ smi_info->si_state = SI_NORMAL;
return;
+ }
start_getting_events(smi_info);
} else if (smi_info->msg_flags & OEM_DATA_AVAIL &&
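Review bot: Both new failure branches set si_state back to SI_NORMAL but leave RECEIVE_MSG_AVAIL or EVENT_MSG_BUFFER_FULL set in smi_info->msg_flags, and nothing in the hunk shows what restarts the fetch once memory is available again. A comment naming the path that retries would make the recovery explicit. The two branches are identical, so a small helper or a shared exit would avoid fixing only one of them later.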
* [PATCH 6.1 283/969] fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (281 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 282/969] ipmi:si: Return state to normal if message allocation fails Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 284/969] ACPI: scan: Use acpi_dev_put() in object add error paths Greg Kroah-Hartman
` (692 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rajat Gupta, Helge Deller
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rajat Gupta <rajgupt@qti.qualcomm.com>
commit 8de779dc40d35d39fa07387b6f921eb11df0f511 upstream.
dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages
to userspace but sets no vm_ops on the VMA. This means the kernel cannot
track active mmaps. When dlfb_realloc_framebuffer() replaces the backing
buffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated.
On USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages
while userspace PTEs still reference them, resulting in a use-after-free:
the process retains read/write access to freed kernel pages.
Add vm_operations_struct with open/close callbacks that maintain an
atomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(),
check mmap_count and return -EBUSY if the buffer is currently mapped,
preventing buffer replacement while userspace holds stale PTEs.
Tested with PoC using dummy_hcd + raw_gadget USB device emulation.
Signed-off-by: Rajat Gupta <rajgupt@qti.qualcomm.com>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: stable@vger.kernel.org
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/video/fbdev/udlfb.c | 31 ++++++++++++++++++++++++++++++-
include/video/udlfb.h | 1 +
2 files changed, 31 insertions(+), 1 deletion(-)
--- a/drivers/video/fbdev/udlfb.c
+++ b/drivers/video/fbdev/udlfb.c
@@ -321,12 +321,32 @@ static int dlfb_set_video_mode(struct dl
return retval;
}
+static void dlfb_vm_open(struct vm_area_struct *vma)
+{
+ struct dlfb_data *dlfb = vma->vm_private_data;
+
+ atomic_inc(&dlfb->mmap_count);
+}
+
+static void dlfb_vm_close(struct vm_area_struct *vma)
+{
+ struct dlfb_data *dlfb = vma->vm_private_data;
+
+ atomic_dec(&dlfb->mmap_count);
+}
+
+static const struct vm_operations_struct dlfb_vm_ops = {
+ .open = dlfb_vm_open,
+ .close = dlfb_vm_close,
+};
+
static int dlfb_ops_mmap(struct fb_info *info, struct vm_area_struct *vma)
{
unsigned long start = vma->vm_start;
unsigned long size = vma->vm_end - vma->vm_start;
unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
unsigned long page, pos;
+ struct dlfb_data *dlfb = info->par;
if (info->fbdefio)
return fb_deferred_io_mmap(info, vma);
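Review bot: dlfb_ops_mmap() still returns through `fb_deferred_io_mmap(info, vma)` when info->fbdefio is set, before the code that installs dlfb_vm_ops and bumps mmap_count, so mappings created on the deferred-io path are not counted and would not block a reallocation. Either state why those mappings are safe or account for them as well. dlfb_vm_open() and dlfb_vm_close() also dereference vma->vm_private_data without taking any reference on the dlfb_data, so the changelog should say what keeps that structure alive until the last close.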
@@ -356,6 +376,9 @@ static int dlfb_ops_mmap(struct fb_info
size = 0;
}
+ vma->vm_ops = &dlfb_vm_ops;
+ vma->vm_private_data = dlfb;
+ atomic_inc(&dlfb->mmap_count);
return 0;
}
@@ -1219,7 +1242,6 @@ static void dlfb_deferred_vfree(struct d
/*
* Assumes &info->lock held by caller
- * Assumes no active clients have framebuffer open
*/
static int dlfb_realloc_framebuffer(struct dlfb_data *dlfb, struct fb_info *info, u32 new_len)
{
@@ -1231,6 +1253,13 @@ static int dlfb_realloc_framebuffer(stru
new_len = PAGE_ALIGN(new_len);
if (new_len > old_len) {
+ if (atomic_read(&dlfb->mmap_count) > 0) {
+ dev_warn(info->dev,
+ "refusing realloc: %d active mmaps\n",
+ atomic_read(&dlfb->mmap_count));
+ return -EBUSY;
+ }
+
/*
* Alloc system memory for virtual framebuffer
*/
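Review bot: The `atomic_read(&dlfb->mmap_count) > 0` test in dlfb_realloc_framebuffer() is a check-then-act: the comment above the function only promises info->lock, and unless dlfb_ops_mmap() runs under the same lock a mapping can be created between this read and the buffer swap. The count is also read a second time for the dev_warn(), so the logged value can differ from the one tested; read it once into a local. The guard only covers the `new_len > old_len` reallocation, while the changelog describes the vfree() on USB disconnect as the point of the use-after-free, and no visible hunk touches that path.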
--- a/include/video/udlfb.h
+++ b/include/video/udlfb.h
@@ -56,6 +56,7 @@ struct dlfb_data {
spinlock_t damage_lock;
struct work_struct damage_work;
struct fb_ops ops;
+ atomic_t mmap_count;
/* blit-only rendering path metrics, exposed through sysfs */
atomic_t bytes_rendered; /* raw pixel-bytes driver asked to render */
atomic_t bytes_identical; /* saved effort with backbuffer comparison */
* [PATCH 6.1 284/969] ACPI: scan: Use acpi_dev_put() in object add error paths
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (282 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 283/969] fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 285/969] ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug Greg Kroah-Hartman
` (691 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Guangshuo Li, Rafael J. Wysocki
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guangshuo Li <lgs201920130244@gmail.com>
commit 9c0acc169ac71535477caedea8315f7041c5f07c upstream.
After acpi_init_device_object(), the lifetime of struct acpi_device is
managed by the driver core through reference counting.
Both acpi_add_power_resource() and acpi_add_single_object() call
acpi_init_device_object() and then invoke acpi_device_add(). If that
fails, their error paths call the release callback directly instead of
dropping the device reference through acpi_dev_put().
This bypasses the normal device lifetime rules and frees the object
without releasing the reference acquired by device_initialize(), which
may lead to a refcount leak.
The issue was identified by a static analysis tool I developed and
confirmed by manual review.
Fix both error paths by using acpi_dev_put() and let the release
callback handle the final cleanup.
Fixes: 781d737c7466 ("ACPI: Drop power resources driver")
Fixes: 718fb0de8ff88 ("ACPI: fix NULL bug for HID/UID string")
Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Link: https://patch.msgid.link/20260413135343.2884481-1-lgs201920130244@gmail.com
Signed-off-by: Rafael J. Wysocki <rjw@rjwysocki.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/acpi/power.c | 2 +-
drivers/acpi/scan.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/acpi/power.c
+++ b/drivers/acpi/power.c
@@ -986,7 +986,7 @@ struct acpi_device *acpi_add_power_resou
return device;
err:
- acpi_release_power_resource(&device->dev);
+ acpi_dev_put(device);
return NULL;
}
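Review bot: `err:` in acpi_add_power_resource() is a shared label, and acpi_dev_put() is only valid once acpi_init_device_object() has initialised the embedded struct device; confirm that every `goto err` in the function comes after that call, since the previous direct release call did not depend on the refcount being set up. A comment at the label saying that the release callback now runs from the final put would help.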
--- a/drivers/acpi/scan.c
+++ b/drivers/acpi/scan.c
@@ -1856,7 +1856,7 @@ static int acpi_add_single_object(struct
result = acpi_device_add(device);
if (result) {
- acpi_device_release(&device->dev);
+ acpi_dev_put(device);
return result;
}
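Review bot: in the acpi_device_add() failure branch, acpi_dev_put(device) may drop the last reference and free the object through the release callback, so nothing after it may touch device. The visible code only returns result, which is fine; a one-line comment saying that the put releases the device would keep later edits to this branch from adding a use after the put.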
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 285/969] ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (283 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 284/969] ACPI: scan: Use acpi_dev_put() in object add error paths Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 286/969] ACPI: video: force native backlight on HP OMEN 16 (8A44) Greg Kroah-Hartman
` (690 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sean Kelley, Jinjie Ruan,
Rafael J. Wysocki
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jinjie Ruan <ruanjinjie@huawei.com>
commit 75141a770f4f8225d316f6c7e146723a32e9720e upstream.
When concurrently bringing up and down two SMT threads of a physical
core, many warning call traces occur as below:
The issue timeline is as follows:
1. When the system starts,
cpufreq: CPU: 220, policy->related_cpus: 220-221, policy->cpus: 220-221
2. Offline CPU 220 and CPU 221.
3. Online CPU 220
- CPU 221 is now offline, as acpi_get_psd_map() uses
for_each_online_cpu(), so the cpu_data->shared_cpu_map,
policy->cpus, and related_cpus have only CPU 220.
cpufreq: CPU: 220, policy->related_cpus: 220, policy->cpus: 220
4. Offline CPU 220
5. Online CPU 221, the below call trace occurs:
- Since CPU 220 and CPU 221 share one policy, and
policy->related_cpus = 220 after step 3, so CPU 221
is not in policy->related_cpus but
per_cpu(cpufreq_cpu_data, cpu221) is not NULL.
After reverting commit 56eb0c0ed345 ("ACPI: CPPC: Fix remaining
for_each_possible_cpu() to use online CPUs"), the issue disappeared.
The _PSD (P-State Dependency) defines the hardware-level dependency of
frequency control across CPU cores. Since this relationship is a physical
attribute of the hardware topology, it remains constant regardless of the
online or offline status of the CPUs.
Using for_each_online_cpu() in acpi_get_psd_map() is problematic. If a
CPU is offline, it will be excluded from the shared_cpu_map.
Consequently, if that CPU is brought online later, the kernel will fail
to recognize it as part of any shared frequency domain.
Switch back to for_each_possible_cpu() to ensure that all cores defined
in the ACPI tables are correctly mapped into their respective performance
domains from the start. This aligns with the logic of policy->related_cpus,
which must encompass all potentially available cores in the domain to
prevent logic gaps during CPU hotplug operations.
To resolve the original issue regarding the "nosmt" or "nosmt=force"
boot parameter: since the send_pcc_cmd() function already does if (!desc)
continue, reverting that loop back to for_each_possible_cpu() is OK; it is
only necessary to change the match_cpc_ptr NULL case in acpi_get_psd_map()
to continue, as Sean suggested.
How to reproduce, on an arm64 machine with SMT support which uses the ACPI
CPPC cpufreq driver:
bash test.sh 220 & bash test.sh 221 &
The test.sh is as below:
while true
do
    echo 0 > /sys/devices/system/cpu/cpu${1}/online
    sleep 0.5
    cat /sys/devices/system/cpu/cpu${1}/cpufreq/related_cpus
    echo 1 > /sys/devices/system/cpu/cpu${1}/online
    cat /sys/devices/system/cpu/cpu${1}/cpufreq/related_cpus
done
CPU: 221 PID: 1119 Comm: cpuhp/221 Kdump: loaded Not tainted 6.6.0debug+ #5
Hardware name: To be filled by O.E.M. S920X20/BC83AMDA01-7270Z, BIOS 20.39 09/04/2024
pstate: a1400009 (NzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
pc : cpufreq_online+0x8ac/0xa90
lr : cpuhp_cpufreq_online+0x18/0x30
sp : ffff80008739bce0
x29: ffff80008739bce0 x28: 0000000000000000 x27: ffff28400ca32200
x26: 0000000000000000 x25: 0000000000000003 x24: ffffd483503ff000
x23: ffffd483504051a0 x22: ffffd48350024a00 x21: 00000000000000dd
x20: 000000000000001d x19: ffff28400ca32000 x18: 0000000000000000
x17: 0000000000000020 x16: ffffd4834e6a3fc8 x15: 0000000000000020
x14: 0000000000000008 x13: 0000000000000001 x12: 00000000ffffffff
x11: 0000000000000040 x10: ffffd48350430728 x9 : ffffd4834f087c78
x8 : 0000000000000001 x7 : ffff2840092bdf00 x6 : ffffd483504264f0
x5 : ffffd48350405000 x4 : ffff283f7f95cc60 x3 : 0000000000000000
x2 : ffff53bc2f94b000 x1 : 00000000000000dd x0 : 0000000000000000
Call trace:
cpufreq_online+0x8ac/0xa90
cpuhp_cpufreq_online+0x18/0x30
cpuhp_invoke_callback+0x128/0x580
cpuhp_thread_fun+0x110/0x1b0
smpboot_thread_fn+0x140/0x190
kthread+0xec/0x100
ret_from_fork+0x10/0x20
---[ end trace 0000000000000000 ]---
Cc: All applicable <stable@vger.kernel.org>
Fixes: 56eb0c0ed345 ("ACPI: CPPC: Fix remaining for_each_possible_cpu() to use online CPUs")
Co-developed-by: Sean Kelley <skelley@nvidia.com>
Signed-off-by: Sean Kelley <skelley@nvidia.com>
Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
[ rjw: Changelog edits ]
Link: https://patch.msgid.link/20260417040112.3727756-1-ruanjinjie@huawei.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/acpi/cppc_acpi.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/acpi/cppc_acpi.c
+++ b/drivers/acpi/cppc_acpi.c
@@ -342,7 +342,7 @@ static int send_pcc_cmd(int pcc_ss_id, u
end:
if (cmd == CMD_WRITE) {
if (unlikely(ret)) {
- for_each_online_cpu(i) {
+ for_each_possible_cpu(i) {
struct cpc_desc *desc = per_cpu(cpc_desc_ptr, i);
if (!desc)
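Review bot: walking for_each_possible_cpu() in the CMD_WRITE error path of send_pcc_cmd() is only safe because of the if (!desc) check that follows the per_cpu(cpc_desc_ptr, i) lookup. A short comment on that check, saying it covers possible CPUs that have no descriptor (the nosmt case from the changelog), would stop it from being removed as redundant later.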
@@ -504,13 +504,13 @@ int acpi_get_psd_map(unsigned int cpu, s
else if (pdomain->coord_type == DOMAIN_COORD_TYPE_SW_ANY)
cpu_data->shared_type = CPUFREQ_SHARED_TYPE_ANY;
- for_each_online_cpu(i) {
+ for_each_possible_cpu(i) {
if (i == cpu)
continue;
match_cpc_ptr = per_cpu(cpc_desc_ptr, i);
if (!match_cpc_ptr)
- goto err_fault;
+ continue;
match_pdomain = &(match_cpc_ptr->domain_info);
if (match_pdomain->domain != pdomain->domain)
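Review bot: replacing goto err_fault with continue for a NULL match_cpc_ptr in acpi_get_psd_map() turns a hard failure into a silent skip, so a possible CPU whose cpc_desc_ptr is not populated is left out of the shared map without any trace. That is the intended handling for nosmt per the changelog, but it also hides the case where a descriptor is unexpectedly missing. Add a comment stating why NULL is tolerated here, and consider a pr_debug() naming the skipped CPU so it can be identified when related_cpus looks wrong.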
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 286/969] ACPI: video: force native backlight on HP OMEN 16 (8A44)
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (284 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 285/969] ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 287/969] ASoC: SOF: Dont allow pointer operations on unconfigured streams Greg Kroah-Hartman
` (689 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shivam Kalra, Rafael J. Wysocki
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shivam Kalra <shivamkalra98@zohomail.in>
commit 4b506ea5351a1f5937ac632a4a5c35f6f796cc41 upstream.
The HP OMEN 16 Gaming Laptop (board name 8A44) has a mux-less hybrid
GPU configuration with AMD Rembrandt (Radeon 680M) and NVIDIA GA104
(RTX 3070 Ti). The internal eDP panel is wired to the AMD iGPU.
When Nouveau loads without GSP firmware, the ACPI video backlight
device (acpi_video0) gets registered alongside the native AMD
backlight (amdgpu_bl2). In this state, writes to amdgpu_bl2 update
the software brightness value but fail to change the physical panel
brightness.
Force native backlight to prevent acpi_video0 from registering.
Confirmed that booting with acpi_backlight=native resolves the
issue.
Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Shivam Kalra <shivamkalra98@zohomail.in>
Link: https://patch.msgid.link/20260426-omen-16-backlight-fix-v1-1-62364f268ea6@zohomail.in
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/acpi/video_detect.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/acpi/video_detect.c
+++ b/drivers/acpi/video_detect.c
@@ -776,6 +776,14 @@ static const struct dmi_system_id video_
DMI_MATCH(DMI_PRODUCT_NAME, "Z830"),
},
},
+ {
+ .callback = video_detect_force_native,
+ /* HP OMEN Gaming Laptop 16-n0xxx */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "HP"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "OMEN by HP Gaming Laptop 16-n0xxx"),
+ },
+ },
/*
* Models which have nvidia-ec-wmi support, but should not use it.
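Review bot: the new quirk matches on DMI_SYS_VENDOR "HP" and DMI_PRODUCT_NAME "OMEN by HP Gaming Laptop 16-n0xxx", while the changelog identifies the affected machine by board name 8A44. The product string names a model family, so it may cover boards other than the one tested. Either add DMI_MATCH(DMI_BOARD_NAME, "8A44") to narrow the entry, or state in the comment that the whole 16-n0xxx family is meant.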
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 287/969] ASoC: SOF: Dont allow pointer operations on unconfigured streams
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (285 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 286/969] ACPI: video: force native backlight on HP OMEN 16 (8A44) Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 288/969] spi: rockchip: fix controller deregistration Greg Kroah-Hartman
` (688 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mark Brown
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Brown <broonie@kernel.org>
commit c5b6285aae050ff1c3ea824ca3d88ac4be1e69c8 upstream.
When reporting the pointer for a compressed stream we report the current
I/O frame position by dividing the position by the number of channels
multiplied by the number of container bytes. These values default to 0 and
are only configured as part of setting the stream parameters so this allows
a divide by zero to be configured. Validate that they are non-zero,
returning an error if not.
Fixes: c1a731c71359 ("ASoC: SOF: compress: Add support for computing timestamps")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260326-asoc-compress-tstamp-params-v1-1-3dc735b3d599@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/sof/compress.c | 3 +++
1 file changed, 3 insertions(+)
--- a/sound/soc/sof/compress.c
+++ b/sound/soc/sof/compress.c
@@ -366,6 +366,9 @@ static int sof_compr_pointer(struct snd_
if (!spcm)
return -EINVAL;
+ if (!sstream->channels || !sstream->sample_container_bytes)
+ return -EBUSY;
+
tstamp->sampling_rate = sstream->sampling_rate;
tstamp->copied_total = sstream->copied_total;
tstamp->pcm_io_frames = div_u64(spcm->stream[cstream->direction].posn.dai_posn,
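Review bot: the new guard in sof_compr_pointer() returns -EBUSY when sstream->channels or sstream->sample_container_bytes is zero, but nothing in the code says that zero means the stream parameters have not been set yet, which is the reason given in the changelog. Add a one-line comment to that effect above the check, and confirm that -EBUSY is the errno userspace should see for a pointer query on an unconfigured stream, given that the check just above it returns -EINVAL.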
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 288/969] spi: rockchip: fix controller deregistration
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (286 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 287/969] ASoC: SOF: Dont allow pointer operations on unconfigured streams Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 289/969] drm/amd/display: Do not skip unrelated mode changes in DSC validation Greg Kroah-Hartman
` (687 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, addy ke, Johan Hovold, Mark Brown
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 53e7a16070feb7d1d4d81a583eaac5e25048b9c3 upstream.
Make sure to deregister the controller before freeing underlying
resources like DMA channels during driver unbind.
Fixes: 64e36824b32b ("spi/rockchip: add driver for Rockchip RK3xxx SoCs integrated SPI")
Cc: stable@vger.kernel.org # 3.17
Cc: addy ke <addy.ke@rock-chips.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260324082326.901043-3-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-rockchip.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/spi/spi-rockchip.c
+++ b/drivers/spi/spi-rockchip.c
@@ -921,7 +921,7 @@ static int rockchip_spi_probe(struct pla
break;
}
- ret = devm_spi_register_controller(&pdev->dev, ctlr);
+ ret = spi_register_controller(ctlr);
if (ret < 0) {
dev_err(&pdev->dev, "Failed to register controller\n");
goto err_free_dma_rx;
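Review bot: with devm_spi_register_controller() replaced by spi_register_controller() in rockchip_spi_probe(), the controller is no longer unregistered automatically, so any probe step that can fail after this call has to unregister it explicitly. The hunk shows only the registration failure path (goto err_free_dma_rx); please confirm that registration remains the last fallible step in probe.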
@@ -957,6 +957,8 @@ static int rockchip_spi_remove(struct pl
clk_disable_unprepare(rs->spiclk);
clk_disable_unprepare(rs->apb_pclk);
+ spi_unregister_controller(ctlr);
+
pm_runtime_put_noidle(&pdev->dev);
pm_runtime_disable(&pdev->dev);
pm_runtime_set_suspended(&pdev->dev);
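Review bot: spi_unregister_controller(ctlr) is added after the two clk_disable_unprepare() calls in rockchip_spi_remove(), so the controller is still registered while its clocks are being turned off. The changelog's aim is to deregister before releasing underlying resources; moving the call ahead of the clock disables would make the ordering match that aim, or the changelog should say why the clocks are exempt.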
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 289/969] drm/amd/display: Do not skip unrelated mode changes in DSC validation
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (287 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 288/969] spi: rockchip: fix controller deregistration Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 290/969] spi: meson-spicc: Fix double-put in remove path Greg Kroah-Hartman
` (686 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yussuf Khalil, Harry Wentland,
Alex Deucher, Fang Wang, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yussuf Khalil <dev@pp3345.net>
[ Upstream commit aed3d041ab061ec8a64f50a3edda0f4db7280025 ]
Starting with commit 17ce8a6907f7 ("drm/amd/display: Add dsc pre-validation in
atomic check"), amdgpu resets the CRTC state mode_changed flag to false when
recomputing the DSC configuration results in no timing change for a particular
stream.
However, this is incorrect in scenarios where a change in MST/DSC configuration
happens in the same KMS commit as another (unrelated) mode change. For example,
the integrated panel of a laptop may be configured differently (e.g., HDR
enabled/disabled) depending on whether external screens are attached. In this
case, plugging in external DP-MST screens may result in the mode_changed flag
being dropped incorrectly for the integrated panel if its DSC configuration
did not change during precomputation in pre_validate_dsc().
At this point, however, dm_update_crtc_state() has already created new streams
for CRTCs with DSC-independent mode changes. In turn,
amdgpu_dm_commit_streams() will never release the old stream, resulting in a
memory leak. amdgpu_dm_atomic_commit_tail() will never acquire a reference to
the new stream either, which manifests as a use-after-free when the stream gets
disabled later on:
BUG: KASAN: use-after-free in dc_stream_release+0x25/0x90 [amdgpu]
Write of size 4 at addr ffff88813d836524 by task kworker/9:9/29977
Workqueue: events drm_mode_rmfb_work_fn
Call Trace:
<TASK>
dump_stack_lvl+0x6e/0xa0
print_address_description.constprop.0+0x88/0x320
? dc_stream_release+0x25/0x90 [amdgpu]
print_report+0xfc/0x1ff
? srso_alias_return_thunk+0x5/0xfbef5
? __virt_addr_valid+0x225/0x4e0
? dc_stream_release+0x25/0x90 [amdgpu]
kasan_report+0xe1/0x180
? dc_stream_release+0x25/0x90 [amdgpu]
kasan_check_range+0x125/0x200
dc_stream_release+0x25/0x90 [amdgpu]
dc_state_destruct+0x14d/0x5c0 [amdgpu]
dc_state_release.part.0+0x4e/0x130 [amdgpu]
dm_atomic_destroy_state+0x3f/0x70 [amdgpu]
drm_atomic_state_default_clear+0x8ee/0xf30
? drm_mode_object_put.part.0+0xb1/0x130
__drm_atomic_state_free+0x15c/0x2d0
atomic_remove_fb+0x67e/0x980
Since there is no reliable way of figuring out whether a CRTC has unrelated
mode changes pending at the time of DSC validation, remember the value of the
mode_changed flag from before the point where a CRTC was marked as potentially
affected by a change in DSC configuration. Reset the mode_changed flag to this
earlier value instead in pre_validate_dsc().
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/5004
Fixes: 17ce8a6907f7 ("drm/amd/display: Add dsc pre-validation in atomic check")
Signed-off-by: Yussuf Khalil <dev@pp3345.net>
Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit cc7c7121ae082b7b82891baa7280f1ff2608f22b)
Signed-off-by: Fang Wang <32840572@qq.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 5 +++++
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h | 1 +
.../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 7 +++++--
3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
index 7eff2b94ab666..bb5e3a6086f2e 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -9908,6 +9908,11 @@ static int amdgpu_dm_atomic_check(struct drm_device *dev,
#if defined(CONFIG_DRM_AMD_DC_DCN)
if (dc_resource_is_dsc_encoding_supported(dc)) {
+ for_each_oldnew_crtc_in_state(state, crtc, old_crtc_state, new_crtc_state, i) {
+ dm_new_crtc_state = to_dm_crtc_state(new_crtc_state);
+ dm_new_crtc_state->mode_changed_independent_from_dsc = new_crtc_state->mode_changed;
+ }
+
for_each_oldnew_crtc_in_state(state, crtc, old_crtc_state, new_crtc_state, i) {
if (drm_atomic_crtc_needs_modeset(new_crtc_state)) {
ret = add_affected_mst_dsc_crtcs(state, crtc);
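Review bot: the new loop records mode_changed_independent_from_dsc only for CRTCs that are already in the atomic state, and it runs before the loop that calls add_affected_mst_dsc_crtcs(). If that call adds further CRTCs to the state, their field is never written here and pre_validate_dsc() will restore whatever value it happened to hold. Confirm that the CRTC state duplication path leaves the field false, and add a comment above the loop explaining that the snapshot must be taken before add_affected_mst_dsc_crtcs() runs.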
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h
index df18b4df1f2c1..12385b6f8443b 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h
@@ -698,6 +698,7 @@ struct dm_crtc_state {
bool freesync_vrr_info_changed;
+ bool mode_changed_independent_from_dsc;
bool dsc_force_changed;
bool vrr_supported;
struct mod_freesync_config freesync_config;
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
index 495491decec1e..94c83a707acc6 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
@@ -1564,8 +1564,11 @@ int pre_validate_dsc(struct drm_atomic_state *state,
} else {
int ind = find_crtc_index_in_state_by_stream(state, stream);
- if (ind >= 0)
- state->crtcs[ind].new_state->mode_changed = 0;
+ if (ind >= 0) {
+ struct dm_crtc_state *dm_new_crtc_state = to_dm_crtc_state(state->crtcs[ind].new_state);
+
+ dm_new_crtc_state->base.mode_changed = dm_new_crtc_state->mode_changed_independent_from_dsc;
+ }
}
}
clean_exit:
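Review bot: the two statements added in the else branch of pre_validate_dsc() are well over the usual line length; the declaration of dm_new_crtc_state can be split from its to_dm_crtc_state() assignment. The restore also deserves a short comment saying that mode_changed is reset to its pre-DSC value instead of to 0, since that distinction is the whole fix and is not obvious from the assignment alone.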
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 290/969] spi: meson-spicc: Fix double-put in remove path
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (288 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 289/969] drm/amd/display: Do not skip unrelated mode changes in DSC validation Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 291/969] ext4: validate p_idx bounds in ext4_ext_correct_indexes Greg Kroah-Hartman
` (685 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Felix Gu, Johan Hovold, Mark Brown,
Wenshan Lan, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Gu <ustc.gu@gmail.com>
[ Upstream commit 63542bb402b7013171c9f621c28b609eda4dbf1f ]
meson_spicc_probe() registers the controller with
devm_spi_register_controller(), so teardown already drops the
controller reference via devm cleanup.
Calling spi_controller_put() again in meson_spicc_remove()
causes a double-put.
Fixes: 8311ee2164c5 ("spi: meson-spicc: fix memory leak in meson_spicc_remove")
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Reviewed-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260322-rockchip-v1-1-fac3f0c6dad8@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
[ In v6.1, commit 68bf3288c7eb ("spi: meson-spicc: switch to use modern name")
has not been applied, so the driver still uses the legacy spicc->master field
and spi_master_put() API. The line to remove is spi_master_put(spicc->master)
rather than spi_controller_put(spicc->host) as in the upstream patch.
They are functionally identical. ]
Signed-off-by: Wenshan Lan <jetlan9@163.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-meson-spicc.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/spi/spi-meson-spicc.c b/drivers/spi/spi-meson-spicc.c
index 1b4195c54ee26..04cf8489dd56b 100644
--- a/drivers/spi/spi-meson-spicc.c
+++ b/drivers/spi/spi-meson-spicc.c
@@ -883,8 +883,6 @@ static int meson_spicc_remove(struct platform_device *pdev)
clk_disable_unprepare(spicc->core);
clk_disable_unprepare(spicc->pclk);
- spi_master_put(spicc->master);
-
return 0;
}
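Review bot: dropping spi_master_put(spicc->master) from meson_spicc_remove() is only correct if the 6.1 probe path registers the controller with devm_spi_register_controller(), as the changelog states for upstream. The backport note covers the master/host rename but not that point. Since the put being removed was itself added by the Fixes: commit to cure a leak, please confirm against the 6.1.y meson_spicc_probe() that the reference is still dropped exactly once.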
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 291/969] ext4: validate p_idx bounds in ext4_ext_correct_indexes
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (289 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 290/969] spi: meson-spicc: Fix double-put in remove path Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 292/969] KVM: x86: Fix shadow paging use-after-free due to unexpected GFN Greg Kroah-Hartman
` (684 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+04c4e65cab786a2e5b7e,
Tejas Bharambe, Theodore Tso, stable, Jianqiang kang, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tejas Bharambe <tejas.bharambe@outlook.com>
[ Upstream commit 2acb5c12ebd860f30e4faf67e6cc8c44ddfe5fe8 ]
ext4_ext_correct_indexes() walks up the extent tree correcting
index entries when the first extent in a leaf is modified. Before
accessing path[k].p_idx->ei_block, there is no validation that
p_idx falls within the valid range of index entries for that
level.
If the on-disk extent header contains a corrupted or crafted
eh_entries value, p_idx can point past the end of the allocated
buffer, causing a slab-out-of-bounds read.
Fix this by validating path[k].p_idx against EXT_LAST_INDEX() at
both access sites: before the while loop and inside it. Return
-EFSCORRUPTED if the index pointer is out of range, consistent
with how other bounds violations are handled in the ext4 extent
tree code.
Reported-by: syzbot+04c4e65cab786a2e5b7e@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=04c4e65cab786a2e5b7e
Signed-off-by: Tejas Bharambe <tejas.bharambe@outlook.com>
Link: https://patch.msgid.link/JH0PR06MB66326016F9B6AD24097D232B897CA@JH0PR06MB6632.apcprd06.prod.outlook.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
[ Minor conflict resolved. ]
Signed-off-by: Jianqiang kang <jianqkang@sina.cn>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/extents.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index 1df7174774694..6d95dab538475 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -1740,6 +1740,13 @@ static int ext4_ext_correct_indexes(handle_t *handle, struct inode *inode,
err = ext4_ext_get_access(handle, inode, path + k);
if (err)
return err;
+ if (unlikely(path[k].p_idx > EXT_LAST_INDEX(path[k].p_hdr))) {
+ EXT4_ERROR_INODE(inode,
+ "path[%d].p_idx %p > EXT_LAST_INDEX %p",
+ k, path[k].p_idx,
+ EXT_LAST_INDEX(path[k].p_hdr));
+ return -EFSCORRUPTED;
+ }
path[k].p_idx->ei_block = border;
err = ext4_ext_dirty(handle, inode, path + k);
if (err)
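Review bot: the new check before the loop in ext4_ext_correct_indexes() tests only the upper bound, path[k].p_idx > EXT_LAST_INDEX(path[k].p_hdr), so a p_idx below the first index entry would still be dereferenced on the next line. If that cannot happen, say so in a comment; otherwise add the lower bound against EXT_FIRST_INDEX(). The %p arguments in the EXT4_ERROR_INODE() message are also of little diagnostic use, because the kernel prints hashed pointers; the index offset within the header would tell more.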
@@ -1752,6 +1759,14 @@ static int ext4_ext_correct_indexes(handle_t *handle, struct inode *inode,
err = ext4_ext_get_access(handle, inode, path + k);
if (err)
break;
+ if (unlikely(path[k].p_idx > EXT_LAST_INDEX(path[k].p_hdr))) {
+ EXT4_ERROR_INODE(inode,
+ "path[%d].p_idx %p > EXT_LAST_INDEX %p",
+ k, path[k].p_idx,
+ EXT_LAST_INDEX(path[k].p_hdr));
+ err = -EFSCORRUPTED;
+ break;
+ }
path[k].p_idx->ei_block = border;
err = ext4_ext_dirty(handle, inode, path + k);
if (err)
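Review bot: the check inside the while loop is a verbatim copy of the one added before the loop, differing only in how the error leaves the function (err = -EFSCORRUPTED; break; instead of return). Factor the comparison and the EXT4_ERROR_INODE() call into a small helper that returns 0 or -EFSCORRUPTED, so the two sites cannot drift apart.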
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 292/969] KVM: x86: Fix shadow paging use-after-free due to unexpected GFN
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (290 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 291/969] ext4: validate p_idx bounds in ext4_ext_correct_indexes Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 293/969] net: Fix icmp host relookup triggering ip_rt_bug Greg Kroah-Hartman
` (683 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Bulekov, Fred Griffoul,
Sean Christopherson, Paolo Bonzini, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit 0cb2af2ea66ad8ff195c156ea690f11216285bdf upstream.
The shadow MMU computes GFNs for direct shadow pages using sp->gfn plus
the SPTE index. This assumption breaks for shadow paging if the guest
page tables are modified between VM entries (similar to commit
aad885e77496, "KVM: x86/mmu: Drop/zap existing present SPTE even
when creating an MMIO SPTE", 2026-03-27). The flow is as follows:
- a PDE is installed for a 2MB mapping, and a page in that area is
accessed. KVM creates a kvm_mmu_page consisting of 512 4KB pages;
the kvm_mmu_page is marked by FNAME(fetch) as direct-mapped because
the guest's mapping is a huge page (and thus contiguous).
- the PDE mapping is changed from outside the guest.
- the guest accesses another page in the same 2MB area. KVM installs
a new leaf SPTE and rmap entry; the SPTE uses the "correct" GFN
(i.e. based on the new mapping, as changed in the previous step) but
that GFN is outside of the [sp->gfn, sp->gfn + 511] range; therefore
the rmap entry cannot be found and removed when the kvm_mmu_page
is zapped.
- the memslot that covers the first 2MB mapping is deleted, and the
kvm_mmu_page for the now-invalid GPA is zapped. However, rmap_remove()
only looks at the [sp->gfn, sp->gfn + 511] range established in step 1,
and fails to find the rmap entry that was recorded by step 3.
- any operation that causes an rmap walk for the same page accessed
by step 3 then walks a stale rmap and dereferences a freed kvm_mmu_page.
This includes dirty logging or MMU notifier invalidations (e.g., from
MADV_DONTNEED).
The underlying issue is that KVM's walking of shadow PTEs assumes that
if a SPTE is present when KVM wants to install a non-leaf SPTE, then the
existing kvm_mmu_page must be for the correct gfn. Because the only way
for the gfn to be wrong is if KVM messed up and failed to zap a SPTE...
which shouldn't happen, but *actually* only happens in response to a
guest write.
That bug dates back literally forever, as even the first version of KVM
assumes that the GFN matches and walks into the "wrong" shadow page.
However, that was only an imprecision until 2032a93d66fa ("KVM: MMU:
Don't allocate gfns page for direct mmu pages") came along.
Fix it by checking for a target gfn mismatch and zapping the existing
SPTE. That way the old SP and rmap entries are gone, KVM installs
the rmap in the right location, and everyone is happy.
Fixes: 2032a93d66fa ("KVM: MMU: Don't allocate gfns page for direct mmu pages")
Fixes: 6aa8b732ca01 ("kvm: userspace interface")
Reported-by: Alexander Bulekov <bkov@amazon.com>
Reported-by: Fred Griffoul <fgriffo@amazon.co.uk>
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Link: https://patch.msgid.link/20260503201029.106481-1-pbonzini@redhat.com/
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kvm/mmu/mmu.c | 36 ++++++++++++++----------------------
arch/x86/kvm/mmu/spte.h | 5 +++++
2 files changed, 19 insertions(+), 22 deletions(-)
diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
index ed5ba38bec869..58d67e5ab2c58 100644
--- a/arch/x86/kvm/mmu/mmu.c
+++ b/arch/x86/kvm/mmu/mmu.c
@@ -163,6 +163,8 @@ struct kmem_cache *mmu_page_header_cache;
static struct percpu_counter kvm_total_used_mmu_pages;
static void mmu_spte_set(u64 *sptep, u64 spte);
+static int mmu_page_zap_pte(struct kvm *kvm, struct kvm_mmu_page *sp,
+ u64 *spte, struct list_head *invalid_list);
struct kvm_mmu_role_regs {
const unsigned long cr0;
@@ -1156,20 +1158,6 @@ static void drop_spte(struct kvm *kvm, u64 *sptep)
rmap_remove(kvm, sptep);
}
-static void drop_large_spte(struct kvm *kvm, u64 *sptep, bool flush)
-{
- struct kvm_mmu_page *sp;
-
- sp = sptep_to_sp(sptep);
- WARN_ON(sp->role.level == PG_LEVEL_4K);
-
- drop_spte(kvm, sptep);
-
- if (flush)
- kvm_flush_remote_tlbs_with_address(kvm, sp->gfn,
- KVM_PAGES_PER_HPAGE(sp->role.level));
-}
-
/*
* Write-protect on the specified @sptep, @pt_protect indicates whether
* spte write-protection is caused by protecting shadow page table.
@@ -2253,7 +2241,8 @@ static struct kvm_mmu_page *kvm_mmu_get_child_sp(struct kvm_vcpu *vcpu,
{
union kvm_mmu_page_role role;
- if (is_shadow_present_pte(*sptep) && !is_large_pte(*sptep))
+ if (is_shadow_present_pte(*sptep) && !is_large_pte(*sptep) &&
+ spte_to_child_sp(*sptep) && spte_to_child_sp(*sptep)->gfn == gfn)
return ERR_PTR(-EEXIST);
role = kvm_mmu_child_role(sptep, direct, access);
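Review bot: the extended condition in kvm_mmu_get_child_sp() reads *sptep four times and calls spte_to_child_sp() twice; read the SPTE once into a local and look up the child once, which is easier to follow. The gfn comparison is the core of the fix and has no comment. Note in the code that a present non-leaf SPTE whose child has a different gfn is deliberately not reported as -EEXIST, so that the existing SPTE gets zapped when the new page is linked.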
@@ -2331,13 +2320,16 @@ static void __link_shadow_page(struct kvm *kvm,
BUILD_BUG_ON(VMX_EPT_WRITABLE_MASK != PT_WRITABLE_MASK);
- /*
- * If an SPTE is present already, it must be a leaf and therefore
- * a large one. Drop it, and flush the TLB if needed, before
- * installing sp.
- */
- if (is_shadow_present_pte(*sptep))
- drop_large_spte(kvm, sptep, flush);
+ if (is_shadow_present_pte(*sptep)) {
+ struct kvm_mmu_page *parent_sp;
+ LIST_HEAD(invalid_list);
+
+ parent_sp = sptep_to_sp(sptep);
+ WARN_ON_ONCE(parent_sp->role.level == PG_LEVEL_4K);
+
+ mmu_page_zap_pte(kvm, parent_sp, sptep, &invalid_list);
+ kvm_mmu_remote_flush_or_zap(kvm, &invalid_list, true);
+ }
spte = make_nonleaf_spte(sp->spt, sp_ad_disabled(sp));
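Review bot: the removed call was drop_large_spte(kvm, sptep, flush), which honoured the caller's flush argument, while the replacement in __link_shadow_page() passes true to kvm_mmu_remote_flush_or_zap() unconditionally. Confirm that ignoring flush in this branch is intended and that the parameter is still used elsewhere in the function. The deleted comment (a present SPTE must be a large leaf) no longer holds, but nothing replaces it; add one saying that the existing SPTE may be a large leaf or a child page with a mismatched gfn.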
diff --git a/arch/x86/kvm/mmu/spte.h b/arch/x86/kvm/mmu/spte.h
index 7670c13ce251b..0ed97eb1c2e6b 100644
--- a/arch/x86/kvm/mmu/spte.h
+++ b/arch/x86/kvm/mmu/spte.h
@@ -295,6 +295,11 @@ static inline bool is_executable_pte(u64 spte)
return (spte & (shadow_x_mask | shadow_nx_mask)) == shadow_x_mask;
}
+static inline struct kvm_mmu_page *spte_to_child_sp(u64 spte)
+{
+ return to_shadow_page(spte & SPTE_BASE_ADDR_MASK);
+}
+
static inline kvm_pfn_t spte_to_pfn(u64 pte)
{
return (pte & SPTE_BASE_ADDR_MASK) >> PAGE_SHIFT;
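Review bot: spte_to_child_sp() has no comment stating its precondition. It masks the SPTE with SPTE_BASE_ADDR_MASK and hands the result to to_shadow_page() without checking that the SPTE is present and non-leaf. The caller in kvm_mmu_get_child_sp() checks both first; document that requirement on the helper so that future callers do the same.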
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 293/969] net: Fix icmp host relookup triggering ip_rt_bug
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (291 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 292/969] KVM: x86: Fix shadow paging use-after-free due to unexpected GFN Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 294/969] flow_dissector: do not dissect PPPoE PFC frames Greg Kroah-Hartman
` (682 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dong Chenchen, David Ahern,
Eric Dumazet, Jakub Kicinski, Jiayuan Chen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dong Chenchen <dongchenchen2@huawei.com>
[ Upstream commit c44daa7e3c73229f7ac74985acb8c7fb909c4e0a ]
arp link failure may trigger ip_rt_bug while xfrm enabled, call trace is:
WARNING: CPU: 0 PID: 0 at net/ipv4/route.c:1241 ip_rt_bug+0x14/0x20
Modules linked in:
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.0-rc6-00077-g2e1b3cc9d7f7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:ip_rt_bug+0x14/0x20
Call Trace:
<IRQ>
ip_send_skb+0x14/0x40
__icmp_send+0x42d/0x6a0
ipv4_link_failure+0xe2/0x1d0
arp_error_report+0x3c/0x50
neigh_invalidate+0x8d/0x100
neigh_timer_handler+0x2e1/0x330
call_timer_fn+0x21/0x120
__run_timer_base.part.0+0x1c9/0x270
run_timer_softirq+0x4c/0x80
handle_softirqs+0xac/0x280
irq_exit_rcu+0x62/0x80
sysvec_apic_timer_interrupt+0x77/0x90
The script below reproduces this scenario:
ip xfrm policy add src 0.0.0.0/0 dst 0.0.0.0/0 \
dir out priority 0 ptype main flag localok icmp
ip l a veth1 type veth
ip a a 192.168.141.111/24 dev veth0
ip l s veth0 up
ping 192.168.141.155 -c 1
icmp_route_lookup() creates input routes for locally generated packets
while xfrm relookup ICMP traffic. Then it will set input route
(dst->out = ip_rt_bug) to skb for DESTUNREACH.
For ICMP err triggered by locally generated packets, dst->dev of output
route is loopback. Generally, xfrm relookup verification is not required
on loopback interfaces (net.ipv4.conf.lo.disable_xfrm = 1).
Skip icmp relookup for locally generated packets to fix it.
Fixes: 8b7817f3a959 ("[IPSEC]: Add ICMP host relookup support")
Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20241127040850.1513135-1-dongchenchen2@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/icmp.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index 66def7f98f704..a9aef281631ee 100644
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -518,6 +518,9 @@ static struct rtable *icmp_route_lookup(struct net *net, struct flowi4 *fl4,
if (!IS_ERR(rt)) {
if (rt != rt2)
return rt;
+ if (inet_addr_type_dev_table(net, route_lookup_dev,
+ fl4->daddr) == RTN_LOCAL)
+ return rt;
} else if (PTR_ERR(rt) == -EPERM) {
rt = NULL;
} else
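Review bot: the added RTN_LOCAL early return in icmp_route_lookup() has no comment, and the reason for it (the relookup would hand back an input route for a locally generated packet) lives only in the commit message. A two-line comment above the inet_addr_type_dev_table() call would keep that context next to the code. Note also that the check is only reached when rt == rt2, because of the `if (rt != rt2) return rt;` just above it, which is worth saying in the comment so the ordering is not changed by accident.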
--
2.53.0
* [PATCH 6.1 294/969] flow_dissector: do not dissect PPPoE PFC frames
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (292 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 293/969] net: Fix icmp host relookup triggering ip_rt_bug Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 295/969] net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked Greg Kroah-Hartman
` (681 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qingfang Deng, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qingfang Deng <qingfang.deng@linux.dev>
[ Upstream commit d6c19b31a3c1d519fabdcf0aa239e6b6109b9473 ]
RFC 2516 Section 7 states that Protocol Field Compression (PFC) is NOT
RECOMMENDED for PPPoE. In practice, pppd does not support negotiating
PFC for PPPoE sessions, and the flow dissector driver has assumed an
uncompressed frame until the blamed commit.
During the review process of that commit [1], support for PFC is
suggested. However, having a compressed (1-byte) protocol field means
the subsequent PPP payload is shifted by one byte, causing 4-byte
misalignment for the network header and an unaligned access exception
on some architectures.
The exception can be reproduced by sending a PPPoE PFC frame to an
ethernet interface of a MIPS board, with RPS enabled, even if no PPPoE
session is active on that interface:
$ 0 : 00000000 80c40000 00000000 85144817
$ 4 : 00000008 00000100 80a75758 81dc9bb8
$ 8 : 00000010 8087ae2c 0000003d 00000000
$12 : 000000e0 00000039 00000000 00000000
$16 : 85043240 80a75758 81dc9bb8 00006488
$20 : 0000002f 00000007 85144810 80a70000
$24 : 81d1bda0 00000000
$28 : 81dc8000 81dc9aa8 00000000 805ead08
Hi : 00009d51
Lo : 2163358a
epc : 805e91f0 __skb_flow_dissect+0x1b0/0x1b50
ra : 805ead08 __skb_get_hash_net+0x74/0x12c
Status: 11000403 KERNEL EXL IE
Cause : 40800010 (ExcCode 04)
BadVA : 85144817
PrId : 0001992f (MIPS 1004Kc)
Call Trace:
[<805e91f0>] __skb_flow_dissect+0x1b0/0x1b50
[<805ead08>] __skb_get_hash_net+0x74/0x12c
[<805ef330>] get_rps_cpu+0x1b8/0x3fc
[<805fca70>] netif_receive_skb_list_internal+0x324/0x364
[<805fd120>] napi_complete_done+0x68/0x2a4
[<8058de5c>] mtk_napi_rx+0x228/0xfec
[<805fd398>] __napi_poll+0x3c/0x1c4
[<805fd754>] napi_threaded_poll_loop+0x234/0x29c
[<805fd848>] napi_threaded_poll+0x8c/0xb0
[<80053544>] kthread+0x104/0x12c
[<80002bd8>] ret_from_kernel_thread+0x14/0x1c
Code: 02d51821 1060045b 00000000 <8c640000> 3084000f 2c820005 144001a2 00042080 8e220000
To reduce the attack surface and maintain performance, do not process
PPPoE PFC frames.
[1] https://lore.kernel.org/r/20220630231016.GA392@debian.home
Fixes: 46126db9c861 ("flow_dissector: Add PPPoE dissectors")
Signed-off-by: Qingfang Deng <qingfang.deng@linux.dev>
Link: https://patch.msgid.link/20260415022456.141758-1-qingfang.deng@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/flow_dissector.c | 13 +++++--------
1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
index 5f50e182acd57..77c65b2968a37 100644
--- a/net/core/flow_dissector.c
+++ b/net/core/flow_dissector.c
@@ -1270,16 +1270,13 @@ bool __skb_flow_dissect(const struct net *net,
break;
}
- /* least significant bit of the most significant octet
- * indicates if protocol field was compressed
+ /* PFC (compressed 1-byte protocol) frames are not processed.
+ * A compressed protocol field has the least significant bit of
+ * the most significant octet set, which will fail the following
+ * ppp_proto_is_valid(), returning FLOW_DISSECT_RET_OUT_BAD.
*/
ppp_proto = ntohs(hdr->proto);
- if (ppp_proto & 0x0100) {
- ppp_proto = ppp_proto >> 8;
- nhoff += PPPOE_SES_HLEN - 1;
- } else {
- nhoff += PPPOE_SES_HLEN;
- }
+ nhoff += PPPOE_SES_HLEN;
if (ppp_proto == PPP_IP) {
proto = htons(ETH_P_IP);
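Review bot: after this change the rejection of PFC frames is implicit: nhoff is always advanced by PPPOE_SES_HLEN and the frame is only discarded later, by the ppp_proto_is_valid() call the new comment refers to, which is outside this hunk. An explicit test of the bit the removed code checked (ppp_proto & 0x0100) that returns FLOW_DISSECT_RET_OUT_BAD before nhoff is touched would make the drop local to this spot and would not depend on the order of the comparisons that follow, starting with ppp_proto == PPP_IP.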
--
2.53.0
* [PATCH 6.1 295/969] net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (293 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 294/969] flow_dissector: do not dissect PPPoE PFC frames Greg Kroah-Hartman
@ 2026-05-30 15:56 ` Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 296/969] Bluetooth: hci_sync: Remove remaining dependencies of hci_request Greg Kroah-Hartman
` (680 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Manas, Rakshit Awasthi,
Jamal Hadi Salim, Eric Dumazet, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jamal Hadi Salim <jhs@mojatatu.com>
commit 458d5615272d3de535748342eb68ca492343048c upstream.
When red qdisc has children (e.g. qfq qdisc) whose peek() callback is
qdisc_peek_dequeued(), we could get a kernel panic. When the parent of such
qdiscs (e.g. illustrated in patch #3 as tbf) wants to retrieve an skb from
its child (red in this case), it will do the following:
1a. do a peek() - and when sensing there's an skb the child can offer, then
- the child in this case (red) calls its child's (qfq) peek.
qfq does the right thing and will return the gso_skb queue packet.
Note: if there wasn't a gso_skb entry then qfq will store it there.
1b. invoke a dequeue() on the child (red). And herein lies the problem.
- red will call the child's dequeue() which will essentially just
try to grab something off qfq's queue.
[ 78.667668][ T363] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f]
[ 78.667927][ T363] CPU: 1 UID: 0 PID: 363 Comm: ping Not tainted 7.1.0-rc1-00033-g46f74a3f7d57-dirty #790 PREEMPT(full)
[ 78.668263][ T363] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 78.668486][ T363] RIP: 0010:qfq_dequeue+0x446/0xc90 [sch_qfq]
[ 78.668718][ T363] Code: 54 c0 e8 dd 90 00 f1 48 c7 c7 e0 03 54 c0 48 89 de e8 ce 90 00 f1 48 8d 7b 48 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 <80> 3c 02 00 74 05 e8 ef a1 e1 f1 48 8b 7b 48 48 8d 54 24 58 48 8d
[ 78.669312][ T363] RSP: 0018:ffff88810de573e0 EFLAGS: 00010216
[ 78.669533][ T363] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 78.669790][ T363] RDX: 0000000000000009 RSI: 0000000000000004 RDI: 0000000000000048
[ 78.670044][ T363] RBP: ffff888110dc4000 R08: ffffffffb1b0885a R09: fffffbfff6ba9078
[ 78.670297][ T363] R10: 0000000000000003 R11: ffff888110e31c80 R12: 0000001880000000
[ 78.670560][ T363] R13: ffff888110dc4150 R14: ffff888110dc42b8 R15: 0000000000000200
[ 78.670814][ T363] FS: 00007f66a8f09c40(0000) GS:ffff888163428000(0000) knlGS:0000000000000000
[ 78.671110][ T363] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 78.671324][ T363] CR2: 000055db4c6a30a8 CR3: 000000010da67000 CR4: 0000000000750ef0
[ 78.671585][ T363] PKRU: 55555554
[ 78.671713][ T363] Call Trace:
[ 78.671843][ T363] <TASK>
[ 78.671936][ T363] ? __pfx_qfq_dequeue+0x10/0x10 [sch_qfq]
[ 78.672148][ T363] ? __pfx__printk+0x10/0x10
[ 78.672322][ T363] ? srso_alias_return_thunk+0x5/0xfbef5
[ 78.672496][ T363] ? lockdep_hardirqs_on_prepare+0xa8/0x1a0
[ 78.672706][ T363] ? srso_alias_return_thunk+0x5/0xfbef5
[ 78.672875][ T363] ? trace_hardirqs_on+0x19/0x1a0
[ 78.673047][ T363] red_dequeue+0x65/0x270 [sch_red]
[ 78.673217][ T363] ? srso_alias_return_thunk+0x5/0xfbef5
[ 78.673385][ T363] tbf_dequeue.cold+0xb0/0x70c [sch_tbf]
[ 78.673566][ T363] __qdisc_run+0x169/0x1900
The right thing to do in #1b is to grab the skb off gso_skb queue.
This patchset fixes that issue by changing #1b to use qdisc_dequeue_peeked()
method instead.
Fixes: 77be155cba4e ("pkt_sched: Add peek emulation for non-work-conserving qdiscs.")
Reported-by: Manas <ghandatmanas@gmail.com>
Reported-by: Rakshit Awasthi <rakshitawasthi17@gmail.com>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260430152957.194015-2-jhs@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sched/sch_red.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/sched/sch_red.c
+++ b/net/sched/sch_red.c
@@ -153,7 +153,7 @@ static struct sk_buff *red_dequeue(struc
struct red_sched_data *q = qdisc_priv(sch);
struct Qdisc *child = q->qdisc;
- skb = child->dequeue(child);
+ skb = qdisc_dequeue_peeked(child);
if (skb) {
qdisc_bstats_update(sch, skb);
qdisc_qstats_backlog_dec(sch, skb);
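Review bot: the replacement of child->dequeue(child) with qdisc_dequeue_peeked(child) in red_dequeue() is not commented, so the reason the direct call is wrong (a preceding peek() may have left the skb on the child's gso_skb queue, per the commit message) is easy to lose in a later cleanup. A one-line comment above the call would do. The commit message also speaks of "this patchset" and refers to patch #3, so it is worth checking that the other patches of that set are queued for 6.1 as well.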
* [PATCH 6.1 296/969] Bluetooth: hci_sync: Remove remaining dependencies of hci_request
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (294 preceding siblings ...)
2026-05-30 15:56 ` [PATCH 6.1 295/969] net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked Greg Kroah-Hartman
@ 2026-05-30 15:57 ` Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 297/969] Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock Greg Kroah-Hartman
` (679 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz, Fang Wang,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit f2d89775358606c7ab6b6b6c4a02fe1e8cd270b1 ]
This removes the dependencies of hci_req_init and hci_request_cancel_all
from hci_sync.c.
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Fang Wang <32840572@qq.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/bluetooth/hci_sync.h | 17 +++++++++++++++++
net/bluetooth/hci_request.h | 21 ---------------------
net/bluetooth/hci_sync.c | 14 +++++++++++---
3 files changed, 28 insertions(+), 24 deletions(-)
diff --git a/include/net/bluetooth/hci_sync.h b/include/net/bluetooth/hci_sync.h
index a8b106d884d41..a68ddf5c02286 100644
--- a/include/net/bluetooth/hci_sync.h
+++ b/include/net/bluetooth/hci_sync.h
@@ -5,6 +5,23 @@
* Copyright (C) 2021 Intel Corporation
*/
+#define HCI_REQ_DONE 0
+#define HCI_REQ_PEND 1
+#define HCI_REQ_CANCELED 2
+
+#define hci_req_sync_lock(hdev) mutex_lock(&hdev->req_lock)
+#define hci_req_sync_unlock(hdev) mutex_unlock(&hdev->req_lock)
+
+struct hci_request {
+ struct hci_dev *hdev;
+ struct sk_buff_head cmd_q;
+
+ /* If something goes wrong when building the HCI request, the error
+ * value is stored in this field.
+ */
+ int err;
+};
+
typedef int (*hci_cmd_sync_work_func_t)(struct hci_dev *hdev, void *data);
typedef void (*hci_cmd_sync_work_destroy_t)(struct hci_dev *hdev, void *data,
int err);
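Review bot: the hci_req_sync_lock() and hci_req_sync_unlock() macros, now moved to a header under include/net/bluetooth/, expand their argument unparenthesized (&hdev->req_lock). Writing &(hdev)->req_lock, or turning both into static inline functions, avoids surprises with non-trivial argument expressions now that more callers can see them.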
diff --git a/net/bluetooth/hci_request.h b/net/bluetooth/hci_request.h
index 0be75cf0efed8..b730da4a8b476 100644
--- a/net/bluetooth/hci_request.h
+++ b/net/bluetooth/hci_request.h
@@ -22,27 +22,6 @@
#include <asm/unaligned.h>
-#define HCI_REQ_DONE 0
-#define HCI_REQ_PEND 1
-#define HCI_REQ_CANCELED 2
-
-#define hci_req_sync_lock(hdev) mutex_lock(&hdev->req_lock)
-#define hci_req_sync_unlock(hdev) mutex_unlock(&hdev->req_lock)
-
-#define HCI_REQ_DONE 0
-#define HCI_REQ_PEND 1
-#define HCI_REQ_CANCELED 2
-
-struct hci_request {
- struct hci_dev *hdev;
- struct sk_buff_head cmd_q;
-
- /* If something goes wrong when building the HCI request, the error
- * value is stored in this field.
- */
- int err;
-};
-
void hci_req_init(struct hci_request *req, struct hci_dev *hdev);
void hci_req_purge(struct hci_request *req);
bool hci_req_status_pend(struct hci_dev *hdev);
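Review bot: hci_request.h keeps prototypes that take struct hci_request * (hci_req_init(), hci_req_purge()) while the struct definition is removed and no #include is added in this hunk. Unless every includer is known to pull in hci_sync.h first, add the include here so the header stays self-contained. The removed block also shows the three HCI_REQ_* defines twice, so the move has the side effect of dropping that duplication, which could be mentioned in the commit message.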
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index c6f9d07a48194..4d23455e90bbe 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -11,7 +11,6 @@
#include <net/bluetooth/hci_core.h>
#include <net/bluetooth/mgmt.h>
-#include "hci_request.h"
#include "hci_codec.h"
#include "hci_debugfs.h"
#include "smp.h"
@@ -142,6 +141,13 @@ static int hci_cmd_sync_run(struct hci_request *req)
return 0;
}
+static void hci_request_init(struct hci_request *req, struct hci_dev *hdev)
+{
+ skb_queue_head_init(&req->cmd_q);
+ req->hdev = hdev;
+ req->err = 0;
+}
+
/* This function requires the caller holds hdev->req_lock. */
struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
const void *param, u8 event, u32 timeout,
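Review bot: the new static hci_request_init() differs from the existing hci_req_init() by a few letters, and hci_req_init() is still declared in hci_request.h, so the two are easy to confuse when reading or grepping. A more distinct name, for example one carrying the hci_cmd_sync prefix used by the neighbouring functions, or a comment saying it is the hci_sync.c-local replacement, would help.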
@@ -153,7 +159,7 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
bt_dev_dbg(hdev, "Opcode 0x%4.4x", opcode);
- hci_req_init(&req, hdev);
+ hci_request_init(&req, hdev);
hci_cmd_sync_add(&req, opcode, plen, param, event, sk);
@@ -5188,7 +5194,9 @@ int hci_dev_close_sync(struct hci_dev *hdev)
cancel_delayed_work(&hdev->le_scan_disable);
cancel_delayed_work(&hdev->le_scan_restart);
- hci_request_cancel_all(hdev);
+ hci_cmd_sync_cancel_sync(hdev, ENODEV);
+
+ cancel_interleave_scan(hdev);
if (hdev->adv_instance_timeout) {
cancel_delayed_work_sync(&hdev->adv_instance_expire);
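Review bot: in hci_dev_close_sync() the single hci_request_cancel_all(hdev) call becomes hci_cmd_sync_cancel_sync(hdev, ENODEV) plus cancel_interleave_scan(hdev), which is a behaviour change that the commit message ("removes the dependencies") does not describe. Please state in the message which work items the old helper cancelled and whether all of them are still cancelled on close, and why ENODEV is passed as a positive value.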
--
2.53.0
* [PATCH 6.1 297/969] Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (295 preceding siblings ...)
2026-05-30 15:57 ` [PATCH 6.1 296/969] Bluetooth: hci_sync: Remove remaining dependencies of hci_request Greg Kroah-Hartman
@ 2026-05-30 15:57 ` Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 298/969] ice: Fix memory leak in ice_set_ringparam() Greg Kroah-Hartman
` (678 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cen Zhang, Luiz Augusto von Dentz,
Fang Wang, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cen Zhang <zzzccc427@gmail.com>
[ Upstream commit 94d8e6fe5d0818e9300e514e095a200bd5ff93ae ]
btintel_hw_error() issues two __hci_cmd_sync() calls (HCI_OP_RESET
and Intel exception-info retrieval) without holding
hci_req_sync_lock(). This lets it race against
hci_dev_do_close() -> btintel_shutdown_combined(), which also runs
__hci_cmd_sync() under the same lock. When both paths manipulate
hdev->req_status/req_rsp concurrently, the close path may free the
response skb first, and the still-running hw_error path hits a
slab-use-after-free in kfree_skb().
Wrap the whole recovery sequence in hci_req_sync_lock/unlock so it
is serialized with every other synchronous HCI command issuer.
Below is the data race report and the kasan report:
BUG: data-race in __hci_cmd_sync_sk / btintel_shutdown_combined
read of hdev->req_rsp at net/bluetooth/hci_sync.c:199
by task kworker/u17:1/83:
__hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200
__hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223
btintel_hw_error+0x114/0x670 drivers/bluetooth/btintel.c:254
hci_error_reset+0x348/0xa30 net/bluetooth/hci_core.c:1030
write/free by task ioctl/22580:
btintel_shutdown_combined+0xd0/0x360
drivers/bluetooth/btintel.c:3648
hci_dev_close_sync+0x9ae/0x2c10 net/bluetooth/hci_sync.c:5246
hci_dev_do_close+0x232/0x460 net/bluetooth/hci_core.c:526
BUG: KASAN: slab-use-after-free in
sk_skb_reason_drop+0x43/0x380 net/core/skbuff.c:1202
Read of size 4 at addr ffff888144a738dc
by task kworker/u17:1/83:
__hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200
__hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223
btintel_hw_error+0x186/0x670 drivers/bluetooth/btintel.c:260
Fixes: 973bb97e5aee ("Bluetooth: btintel: Add generic function for handling hardware errors")
Signed-off-by: Cen Zhang <zzzccc427@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Fang Wang <32840572@qq.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/btintel.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c
index 7a9d2da3c8146..1cba08e9403a4 100644
--- a/drivers/bluetooth/btintel.c
+++ b/drivers/bluetooth/btintel.c
@@ -225,11 +225,13 @@ static void btintel_hw_error(struct hci_dev *hdev, u8 code)
bt_dev_err(hdev, "Hardware error 0x%2.2x", code);
+ hci_req_sync_lock(hdev);
+
skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
if (IS_ERR(skb)) {
bt_dev_err(hdev, "Reset after hardware error failed (%ld)",
PTR_ERR(skb));
- return;
+ goto unlock;
}
kfree_skb(skb);
@@ -237,18 +239,21 @@ static void btintel_hw_error(struct hci_dev *hdev, u8 code)
if (IS_ERR(skb)) {
bt_dev_err(hdev, "Retrieving Intel exception info failed (%ld)",
PTR_ERR(skb));
- return;
+ goto unlock;
}
if (skb->len != 13) {
bt_dev_err(hdev, "Exception info size mismatch");
kfree_skb(skb);
- return;
+ goto unlock;
}
bt_dev_err(hdev, "Exception info %s", (char *)(skb->data + 1));
kfree_skb(skb);
+
+unlock:
+ hci_req_sync_unlock(hdev);
}
int btintel_version_info(struct hci_dev *hdev, struct intel_version *ver)
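Review bot: with the lock now held to the end of btintel_hw_error(), the last bt_dev_err() in this hunk still formats skb->data + 1 with %s after only checking skb->len != 13, so the 12 controller-supplied bytes are printed as a string with no guarantee of a terminating NUL. That is not introduced by this change, but since these lines are being touched a bounded format such as %.12s would close it. A short comment at the hci_req_sync_lock() call naming what it serializes against (the close path described in the commit message) would also help.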
--
2.53.0
* [PATCH 6.1 298/969] ice: Fix memory leak in ice_set_ringparam()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (296 preceding siblings ...)
2026-05-30 15:57 ` [PATCH 6.1 297/969] Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock Greg Kroah-Hartman
@ 2026-05-30 15:57 ` Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 299/969] exit: prevent preemption of oopsing TASK_DEAD task Greg Kroah-Hartman
` (677 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zilin Guan, Paul Menzel,
Aleksandr Loktionov, Tony Nguyen, Rajani Kantha, Sasha Levin,
Rinitha S
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zilin Guan <zilin@seu.edu.cn>
[ Upstream commit fe868b499d16f55bbeea89992edb98043c9de416 ]
In ice_set_ringparam, tx_rings and xdp_rings are allocated before
rx_rings. If the allocation of rx_rings fails, the code jumps to
the done label leaking both tx_rings and xdp_rings. Furthermore, if
the setup of an individual Rx ring fails during the loop, the code jumps
to the free_tx label which releases tx_rings but leaks xdp_rings.
Fix this by introducing a free_xdp label and updating the error paths to
ensure both xdp_rings and tx_rings are properly freed if rx_rings
allocation or setup fails.
Compile tested only. Issue found using a prototype static analysis tool
and code review.
Fixes: fcea6f3da546 ("ice: Add stats and ethtool support")
Fixes: efc2214b6047 ("ice: Add support for XDP")
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Rajani Kantha <681739313@139.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_ethtool.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_ethtool.c b/drivers/net/ethernet/intel/ice/ice_ethtool.c
index 49c524304a412..7774292a5bdbe 100644
--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c
+++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c
@@ -2891,7 +2891,7 @@ ice_set_ringparam(struct net_device *netdev, struct ethtool_ringparam *ring,
rx_rings = kcalloc(vsi->num_rxq, sizeof(*rx_rings), GFP_KERNEL);
if (!rx_rings) {
err = -ENOMEM;
- goto done;
+ goto free_xdp;
}
ice_for_each_rxq(vsi, i) {
@@ -2921,7 +2921,7 @@ ice_set_ringparam(struct net_device *netdev, struct ethtool_ringparam *ring,
}
kfree(rx_rings);
err = -ENOMEM;
- goto free_tx;
+ goto free_xdp;
}
}
@@ -2972,6 +2972,13 @@ ice_set_ringparam(struct net_device *netdev, struct ethtool_ringparam *ring,
}
goto done;
+free_xdp:
+ if (xdp_rings) {
+ ice_for_each_xdp_txq(vsi, i)
+ ice_free_tx_ring(&xdp_rings[i]);
+ kfree(xdp_rings);
+ }
+
free_tx:
/* error cleanup if the Rx allocations failed after getting Tx */
if (tx_rings) {
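Review bot: the new free_xdp label relies on falling through into free_tx, and the existing comment under free_tx ("error cleanup if the Rx allocations failed after getting Tx") now describes only half of the cleanup that runs on that path. Add a fall-through comment after the free_xdp block, and confirm that xdp_rings is initialized to NULL on the path where XDP is not enabled, since the if (xdp_rings) test is the only guard before ice_free_tx_ring() is run over every XDP queue.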
--
2.53.0
* [PATCH 6.1 299/969] exit: prevent preemption of oopsing TASK_DEAD task
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (297 preceding siblings ...)
2026-05-30 15:57 ` [PATCH 6.1 298/969] ice: Fix memory leak in ice_set_ringparam() Greg Kroah-Hartman
@ 2026-05-30 15:57 ` Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 300/969] wifi: mt76: mt7921: fix a potential clc buffer length underflow Greg Kroah-Hartman
` (676 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Jann Horn, Peter Zijlstra,
Linus Torvalds
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jann Horn <jannh@google.com>
commit c1fa0bb633e4a6b11e83ffc57fa5abe8ebb87891 upstream.
When an already-exiting task oopses, make_task_dead() currently calls
do_task_dead() with preemption enabled. That is forbidden:
do_task_dead() calls __schedule(), which has a comment saying "WARNING:
must be called with preemption disabled!".
If an oopsing task is preempted in do_task_dead(), between becoming
TASK_DEAD and entering the scheduler explicitly, bad things happen:
finish_task_switch() assumes that once the scheduler has switched away
from a TASK_DEAD task, the task can never run again and its stack is no
longer needed; but that assumption apparently doesn't hold if the dead
task was preempted (the SM_PREEMPT case).
This means that the scheduler ends up repeatedly dropping references on
the dead task's stack, which can lead to use-after-free or double-free
of the entire task stack; in other words, two tasks can end up running
on the same stack, resulting in various kinds of memory corruption.
(This does not just affect "recursively oopsing" tasks; it is enough to
oops once during task exit, for example in a file_operations::release
handler)
Fixes: 7f80a2fd7db9 ("exit: Stop poorly open coding do_task_dead in make_task_dead")
Cc: stable@kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/exit.c | 1 +
1 file changed, 1 insertion(+)
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -979,6 +979,7 @@ void __noreturn make_task_dead(int signr
futex_exit_recursive(tsk);
tsk->exit_state = EXIT_DEAD;
refcount_inc(&tsk->rcu_users);
+ preempt_disable();
do_task_dead();
}
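Review bot: the added preempt_disable() before do_task_dead() has no comment and no matching enable, which looks like an imbalance to anyone who has not read the commit message. A short comment saying that do_task_dead() calls __schedule() and must be entered with preemption disabled, and that the function never returns, would keep it from being "cleaned up" later.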
* [PATCH 6.1 300/969] wifi: mt76: mt7921: fix a potential clc buffer length underflow
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (298 preceding siblings ...)
2026-05-30 15:57 ` [PATCH 6.1 299/969] exit: prevent preemption of oopsing TASK_DEAD task Greg Kroah-Hartman
@ 2026-05-30 15:57 ` Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 301/969] wifi: b43legacy: enforce bounds check on firmware key index in RX path Greg Kroah-Hartman
` (675 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Leon Yen, Ming Yen Hsieh,
Felix Fietkau
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Leon Yen <leon.yen@mediatek.com>
commit 5373f8b19e568b5c217832b9bbef165bd2b2df14 upstream.
The buf_len is used to limit the iterations for retrieving the country
power setting and may underflow under certain conditions due to changes
in the power table in CLC.
This underflow leads to an almost infinite loop or an invalid power
setting resulting in driver initialization failure.
Cc: stable@vger.kernel.org
Fixes: fa6ad88e023d ("wifi: mt76: mt7921: fix country count limitation for CLC")
Signed-off-by: Leon Yen <leon.yen@mediatek.com>
Signed-off-by: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
Link: https://patch.msgid.link/20251009020158.1923429-1-mingyen.hsieh@mediatek.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/mediatek/mt76/mt7921/mcu.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
@@ -1054,6 +1054,9 @@ int __mt7921_mcu_set_clc(struct mt7921_d
u16 len = le16_to_cpu(rule->len);
u16 offset = len + sizeof(*rule);
+ if (buf_len < offset)
+ break;
+
pos += offset;
buf_len -= offset;
if (rule->alpha2[0] != alpha2[0] ||
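Review bot: the new buf_len < offset check uses an offset declared as u16 offset = len + sizeof(*rule), so a len close to 0xffff is truncated on assignment and yields a small offset that passes the check. Compute the sum in a wider type (size_t or u32) before comparing, and consider checking buf_len >= sizeof(*rule) before rule->len is read at all. The silent break also hides a malformed table from the caller, so an error return or a log line would help.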
* [PATCH 6.1 301/969] wifi: b43legacy: enforce bounds check on firmware key index in RX path
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (299 preceding siblings ...)
2026-05-30 15:57 ` [PATCH 6.1 300/969] wifi: mt76: mt7921: fix a potential clc buffer length underflow Greg Kroah-Hartman
@ 2026-05-30 15:57 ` Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 302/969] wifi: rsi: fix kthread lifetime race between self-exit and external-stop Greg Kroah-Hartman
` (674 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tristan Madani, Johannes Berg
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tristan Madani <tristan@talencesecurity.com>
commit a035766f970bde2d4298346a31a80685be5c0205 upstream.
Same fix as b43: the firmware-controlled key index in b43legacy_rx()
can exceed dev->max_nr_keys. The existing B43legacy_WARN_ON is
non-enforcing in production builds, allowing an out-of-bounds read of
dev->key[].
Make the check enforcing by dropping the frame for invalid indices.
Fixes: 75388acd0cd8 ("[B43LEGACY]: add mac80211-based driver for legacy BCM43xx devices")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
Link: https://patch.msgid.link/20260417111145.2694196-2-tristmd@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/broadcom/b43legacy/xmit.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/net/wireless/broadcom/b43legacy/xmit.c
+++ b/drivers/net/wireless/broadcom/b43legacy/xmit.c
@@ -476,7 +476,8 @@ void b43legacy_rx(struct b43legacy_wldev
* key index, but the ucode passed it slightly different.
*/
keyidx = b43legacy_kidx_to_raw(dev, keyidx);
- B43legacy_WARN_ON(keyidx >= dev->max_nr_keys);
+ if (B43legacy_WARN_ON(keyidx >= dev->max_nr_keys))
+ goto drop;
if (dev->key[keyidx].algorithm != B43legacy_SEC_ALGO_NONE) {
/* Remove PROTECTED flag to mark it as decrypted. */
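Review bot: the bounds check is enforcing only if B43legacy_WARN_ON() evaluates to its condition in every build configuration, and its definition is not part of this hunk while the commit message describes the macro as non-enforcing in production builds. A plain if (keyidx >= dev->max_nr_keys) goto drop; would not depend on the macro, and would also avoid a WARN on a value the commit message says is firmware-controlled, which matters on systems running with panic_on_warn.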
* [PATCH 6.1 302/969] wifi: rsi: fix kthread lifetime race between self-exit and external-stop
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (300 preceding siblings ...)
2026-05-30 15:57 ` [PATCH 6.1 301/969] wifi: b43legacy: enforce bounds check on firmware key index in RX path Greg Kroah-Hartman
@ 2026-05-30 15:57 ` Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 303/969] wifi: ath5k: do not access array OOB Greg Kroah-Hartman
` (673 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+5de83f57cd8531f55596,
Jeongjun Park, Johannes Berg
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeongjun Park <aha310510@gmail.com>
commit db57a1aa54ff68669781976e4edb045e09e2b65b upstream.
The RSI driver uses both self-exit (kthread_complete_and_exit) and external-stop
(kthread_stop) when killing a kthread. Generally, kthread_stop() is called
first, and in this case, no particular issues occur.
However, in rare instances where kthread_complete_and_exit() is called
first and then kthread_stop() is called, a UAF occurs because the kthread
object, which has already exited and been freed, is accessed again.
Therefore, to prevent this with minimal modification, you must remove
kthread_stop() and change the code to wait until the self-exit operation
is completed.
Cc: <stable@vger.kernel.org>
Reported-by: syzbot+5de83f57cd8531f55596@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/69e5d03b.a00a0220.1bd0ca.0064.GAE@google.com/
Fixes: 4c62764d0fc2 ("rsi: improve kernel thread handling to fix kernel panic")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Link: https://patch.msgid.link/20260422173846.37640-1-aha310510@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/rsi/rsi_common.h | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/net/wireless/rsi/rsi_common.h
+++ b/drivers/net/wireless/rsi/rsi_common.h
@@ -70,12 +70,11 @@ static inline int rsi_create_kthread(str
return 0;
}
-static inline int rsi_kill_thread(struct rsi_thread *handle)
+static inline void rsi_kill_thread(struct rsi_thread *handle)
{
atomic_inc(&handle->thread_done);
rsi_set_event(&handle->event);
-
- return kthread_stop(handle->task);
+ wait_for_completion(&handle->completion);
}
void rsi_mac80211_detach(struct rsi_hw *hw);
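Review bot: wait_for_completion(&handle->completion) in rsi_kill_thread() has no timeout, and nothing in this hunk shows who signals the completion, so teardown now blocks forever if any exit path of the thread function returns without completing handle->completion, or if rsi_kill_thread() is called for a handle whose thread was never started. Please add a comment above the function stating that every thread function must finish through kthread_complete_and_exit() on handle->completion. The return type also changes from int to void while the diffstat touches only rsi_common.h, so confirm that no caller consumed the old return value.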
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 303/969] wifi: ath5k: do not access array OOB
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (301 preceding siblings ...)
2026-05-30 15:57 ` [PATCH 6.1 302/969] wifi: rsi: fix kthread lifetime race between self-exit and external-stop Greg Kroah-Hartman
@ 2026-05-30 15:57 ` Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 304/969] wifi: b43: enforce bounds check on firmware key index in b43_rx() Greg Kroah-Hartman
` (672 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiri Slaby (SUSE), Vincent Danjean,
Jeff Johnson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiri Slaby (SUSE) <jirislaby@kernel.org>
commit d748603f12baff112caa3ab7d39f50100f010dbd upstream.
Vincent reports:
> The ath5k driver seems to do an array-index-out-of-bounds access as
> shown by the UBSAN kernel message:
> UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath5k/base.c:1741:20
> index 4 is out of range for type 'ieee80211_tx_rate [4]'
> ...
> Call Trace:
> <TASK>
> dump_stack_lvl+0x5d/0x80
> ubsan_epilogue+0x5/0x2b
> __ubsan_handle_out_of_bounds.cold+0x46/0x4b
> ath5k_tasklet_tx+0x4e0/0x560 [ath5k]
> tasklet_action_common+0xb5/0x1c0
It is real. 'ts->ts_final_idx' can be 3 on 5212, so:
info->status.rates[ts->ts_final_idx + 1].idx = -1;
with the array defined as:
struct ieee80211_tx_rate rates[IEEE80211_TX_MAX_RATES];
while the size is:
#define IEEE80211_TX_MAX_RATES 4
is indeed bogus.
Set this 'idx = -1' sentinel only if the array index is less than the
array size. As mac80211 will not look at rates beyond the size
(IEEE80211_TX_MAX_RATES).
Note: The effect of the OOB write is negligible. It just overwrites the
next member of info->status, i.e. ack_signal.
Signed-off-by: Jiri Slaby (SUSE) <jirislaby@kernel.org>
Reported-by: Vincent Danjean <vdanjean@debian.org>
Link: https://lore.kernel.org/all/aQYUkIaT87ccDCin@eldamar.lan
Closes: https://bugs.debian.org/1119093
Fixes: 6d7b97b23e11 ("ath5k: fix tx status reporting issues")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20251209100459.2253198-1-jirislaby@kernel.org
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/ath/ath5k/base.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/net/wireless/ath/ath5k/base.c
+++ b/drivers/net/wireless/ath/ath5k/base.c
@@ -1738,7 +1738,8 @@ ath5k_tx_frame_completed(struct ath5k_hw
}
info->status.rates[ts->ts_final_idx].count = ts->ts_final_retry;
- info->status.rates[ts->ts_final_idx + 1].idx = -1;
+ if (ts->ts_final_idx + 1 < IEEE80211_TX_MAX_RATES)
+ info->status.rates[ts->ts_final_idx + 1].idx = -1;
if (unlikely(ts->ts_status)) {
ah->stats.ack_fail++;
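Review bot: the new guard covers only the sentinel write at ts->ts_final_idx + 1; the line directly above it, info->status.rates[ts->ts_final_idx].count = ts->ts_final_retry, still indexes the same four-entry array with the unchecked descriptor value. If ts_final_idx can never exceed 3, that deserves a comment here saying so; otherwise bound ts_final_idx itself once, before both writes.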
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 304/969] wifi: b43: enforce bounds check on firmware key index in b43_rx()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (302 preceding siblings ...)
2026-05-30 15:57 ` [PATCH 6.1 303/969] wifi: ath5k: do not access array OOB Greg Kroah-Hartman
@ 2026-05-30 15:57 ` Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 305/969] usb: usblp: fix heap leak in IEEE 1284 device ID via short response Greg Kroah-Hartman
` (671 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonas Gorski, Michael Büsch,
Tristan Madani, Johannes Berg
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tristan Madani <tristan@talencesecurity.com>
commit 1f4f78bf8549e6ac4f04fba4176854f3a6e0c332 upstream.
The firmware-controlled key index in b43_rx() can exceed the dev->key[]
array size (58 entries). The existing B43_WARN_ON is non-enforcing in
production builds, allowing an out-of-bounds read.
Make the B43_WARN_ON check enforcing by dropping the frame when the
firmware returns an invalid key index.
Suggested-by: Jonas Gorski <jonas.gorski@gmail.com>
Acked-by: Michael Büsch <m@bues.ch>
Fixes: e4d6b7951812 ("[B43]: add mac80211-based driver for modern BCM43xx devices")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
Link: https://patch.msgid.link/20260417111145.2694196-1-tristmd@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/broadcom/b43/xmit.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/net/wireless/broadcom/b43/xmit.c
+++ b/drivers/net/wireless/broadcom/b43/xmit.c
@@ -702,7 +702,8 @@ void b43_rx(struct b43_wldev *dev, struc
* key index, but the ucode passed it slightly different.
*/
keyidx = b43_kidx_to_raw(dev, keyidx);
- B43_WARN_ON(keyidx >= ARRAY_SIZE(dev->key));
+ if (B43_WARN_ON(keyidx >= ARRAY_SIZE(dev->key)))
+ goto drop;
if (dev->key[keyidx].algorithm != B43_SEC_ALGO_NONE) {
wlhdr_len = ieee80211_hdrlen(fctl);
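Review bot: the new if in b43_rx() is only enforcing when B43_WARN_ON() evaluates to its condition in every build configuration, including the production builds in which the commit message says the old form did nothing. Please state that dependency in the commit message or in a comment next to the if. Since keyidx comes from firmware on every received frame, a warning that fires per frame can also flood the log, so a once-only or rate-limited warning before goto drop would be safer.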
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 305/969] usb: usblp: fix heap leak in IEEE 1284 device ID via short response
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (303 preceding siblings ...)
2026-05-30 15:57 ` [PATCH 6.1 304/969] wifi: b43: enforce bounds check on firmware key index in b43_rx() Greg Kroah-Hartman
@ 2026-05-30 15:57 ` Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 306/969] usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl Greg Kroah-Hartman
` (670 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pete Zaitcev, stable
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 7a400c6fe3617e31e690e3f7ca37bb335e0498f3 upstream.
usblp_ctrl_msg() collapses the usb_control_msg() return value to
0/-errno, discarding the actual number of bytes transferred. A broken
printer can complete the GET_DEVICE_ID control transfer short and the
driver has no way to know.
usblp_cache_device_id_string() reads the 2-byte big-endian length prefix
from the response and trusts it (clamped only to the buffer bounds).
The buffer is kmalloc(1024) at probe time. A device that sends exactly
two bytes (e.g. 0x03 0xFF, claiming a 1023-byte ID) leaves
device_id_string[2..1022] holding stale kmalloc heap.
That stale data is then exposed:
- via the ieee1284_id sysfs attribute (sprintf("%s", buf+2), truncated
at the first NUL in the stale heap), and
- via the IOCNR_GET_DEVICE_ID ioctl, which copy_to_user()s the full
claimed length regardless of NULs, up to 1021 bytes of uninitialized
heap, with the leak size chosen by the device.
Fix this up by just zapping the buffer with zeros before each request
sent to the device.
Cc: Pete Zaitcev <zaitcev@redhat.com>
Assisted-by: gkh_clanker_t1000
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/2026042002-unicorn-greedily-3c63@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/class/usblp.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/class/usblp.c
+++ b/drivers/usb/class/usblp.c
@@ -1365,6 +1365,7 @@ static int usblp_cache_device_id_string(
{
int err, length;
+ memset(usblp->device_id_string, 0, USBLP_DEVICE_ID_SIZE);
err = usblp_get_id(usblp, 0, usblp->device_id_string, USBLP_DEVICE_ID_SIZE - 1);
if (err < 0) {
dev_dbg(&usblp->intf->dev,
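Review bot: the memset() in usblp_cache_device_id_string() stops stale heap from being exposed, but the function still cannot tell a short response from a full one, so the device-supplied length prefix continues to decide how many bytes are reported. Please add a comment above the memset() saying it exists because usblp_get_id() does not return the transferred length, so the reason is not lost if the transfer helper is reworked later. The buffer is also now cleared before the err < 0 path, so a failed refresh discards the previously cached ID; confirm that is intended.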
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 306/969] usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (304 preceding siblings ...)
2026-05-30 15:57 ` [PATCH 6.1 305/969] usb: usblp: fix heap leak in IEEE 1284 device ID via short response Greg Kroah-Hartman
@ 2026-05-30 15:57 ` Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 307/969] ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3() Greg Kroah-Hartman
` (669 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pete Zaitcev, stable
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b38e53cbfb9d84732e5984fbd73e128d592415c5 upstream.
Just like in a previous problem in this driver, usblp_ctrl_msg() will
collapse the usb_control_msg() return value to 0/-errno, discarding the
actual number of bytes transferred.
Ideally that short command should be detected and error out, but many
printers are known to send "incorrect" responses back so we can't just
do that.
statusbuf is kmalloc(8) at probe time and never filled before the first
LPGETSTATUS ioctl.
usblp_read_status() requests 1 byte. If a malicious printer responds
with zero bytes, *statusbuf is one byte of stale kmalloc heap,
sign-extended into the local int status, which the LPGETSTATUS path then
copy_to_user()s directly to the ioctl caller.
Fix this all by just zapping out the memory buffer when allocated at
probe time. If a later call does a short read, the data will be
identical to what the device sent it the last time, so there is no
"leak" of information happening.
Cc: Pete Zaitcev <zaitcev@redhat.com>
Assisted-by: gkh_clanker_t1000
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/2026042011-shredder-savage-48c6@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/class/usblp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/class/usblp.c
+++ b/drivers/usb/class/usblp.c
@@ -1166,7 +1166,7 @@ static int usblp_probe(struct usb_interf
}
/* Allocate buffer for printer status */
- usblp->statusbuf = kmalloc(STATUS_BUF_SIZE, GFP_KERNEL);
+ usblp->statusbuf = kzalloc(STATUS_BUF_SIZE, GFP_KERNEL);
if (!usblp->statusbuf) {
retval = -ENOMEM;
goto abort;
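Review bot: the comment above the allocation in usblp_probe() still reads only "Allocate buffer for printer status", so nothing tells a later reader that the switch to kzalloc() is load-bearing. Please extend it to say the buffer must start zeroed because a status read may transfer fewer bytes than requested and the byte is then copied to user space.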
^ permalink raw reply [flat|nested] 982+ messages in thread
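The two usblp commit messages above (305/969 and 306/969) describe one root cause: a transfer helper that reports only 0/-errno, so a short response leaves old buffer contents in place. The following is an added userspace model of that behaviour, not kernel code and not part of either patch; model_ctrl_msg(), the STALE marker byte, the sample responses and all function names are assumptions made for the illustration, and the length clamp follows the commit message's "clamped only to the buffer bounds".

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ID_BUF_SIZE     1024  /* commit message: device ID buffer is kmalloc(1024) */
#define STATUS_BUF_SIZE 8     /* commit message: statusbuf is kmalloc(8) */
#define STALE           0xA5  /* constructed marker standing in for old heap contents */

/* Hypothetical transfer helper: stores what the device sent, reports only success,
 * so the caller never learns how many bytes actually arrived. */
static int model_ctrl_msg(uint8_t *buf, size_t want, const uint8_t *resp, size_t resp_len)
{
	size_t n = resp_len < want ? resp_len : want;

	if (n)
		memcpy(buf, resp, n);
	return 0;
}

/* Model of caching the device ID: trust the 2-byte big-endian length prefix,
 * clamped to the buffer. zero_first selects the patched behaviour. */
static size_t cache_device_id(uint8_t *buf, const uint8_t *resp, size_t resp_len,
			      int zero_first)
{
	size_t len;

	if (zero_first)
		memset(buf, 0, ID_BUF_SIZE);
	model_ctrl_msg(buf, ID_BUF_SIZE - 1, resp, resp_len);

	len = ((size_t)buf[0] << 8) | buf[1];
	if (len < 2)
		len = 2;
	else if (len >= ID_BUF_SIZE)
		len = ID_BUF_SIZE - 1;
	buf[len] = '\0';
	return len;
}

/* Count bytes inside the claimed length that the device never wrote and that
 * still hold the stale marker: these are what a reader of the ID would see. */
static size_t stale_in_claimed(const uint8_t *buf, size_t len, size_t resp_len)
{
	size_t i, stale = 0;

	for (i = resp_len; i < len; i++)
		if (buf[i] == STALE)
			stale++;
	return stale;
}

/* Short response from the commit message: two bytes claiming a 1023-byte ID. */
size_t device_id_stale_bytes(int zero_first)
{
	static const uint8_t short_resp[] = { 0x03, 0xFF };
	uint8_t buf[ID_BUF_SIZE];
	size_t len;

	memset(buf, STALE, sizeof(buf));	/* simulate an unzeroed allocation */
	len = cache_device_id(buf, short_resp, sizeof(short_resp), zero_first);
	return stale_in_claimed(buf, len, sizeof(short_resp));
}

/* Well-formed response (constructed): the prefix matches the bytes sent. */
size_t device_id_stale_bytes_honest(int zero_first)
{
	static const uint8_t resp[] = { 0x00, 0x06, 'M', 'F', 'G', ':' };
	uint8_t buf[ID_BUF_SIZE];
	size_t len;

	memset(buf, STALE, sizeof(buf));
	len = cache_device_id(buf, resp, sizeof(resp), zero_first);
	return stale_in_claimed(buf, len, sizeof(resp));
}

/* Model of the status read: one byte requested, device answers with zero bytes.
 * prior_good_read shows that, once zeroed at allocation, a short read can only
 * repeat a value the device itself supplied earlier. */
int model_lpgetstatus(int zero_at_probe, int prior_good_read)
{
	static const uint8_t good[] = { 0x18 };	/* constructed status byte */
	uint8_t statusbuf[STATUS_BUF_SIZE];

	memset(statusbuf, STALE, sizeof(statusbuf));
	if (zero_at_probe)
		memset(statusbuf, 0, sizeof(statusbuf));
	if (prior_good_read)
		model_ctrl_msg(statusbuf, 1, good, sizeof(good));
	model_ctrl_msg(statusbuf, 1, NULL, 0);	/* zero-byte response */
	return (int8_t)statusbuf[0];		/* sign-extended into an int */
}

int main(void)
{
	printf("device ID, short response, unzeroed: %zu stale bytes\n",
	       device_id_stale_bytes(0));
	printf("device ID, short response, zeroed:   %zu stale bytes\n",
	       device_id_stale_bytes(1));
	printf("status, unzeroed: %d  zeroed: %d  zeroed after good read: %d\n",
	       model_lpgetstatus(0, 0), model_lpgetstatus(1, 0), model_lpgetstatus(1, 1));
	return 0;
}
```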
* [PATCH 6.1 307/969] ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (305 preceding siblings ...)
2026-05-30 15:57 ` [PATCH 6.1 306/969] usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl Greg Kroah-Hartman
@ 2026-05-30 15:57 ` Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 308/969] ALSA: usb-audio: Fix UAC3 cluster descriptor size check Greg Kroah-Hartman
` (668 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit 6e7247d8f5fefeceb0bb9cc80a5388a636b219cd upstream.
The convert_chmap_v3() has a loop with its increment size of
cs_desc->wLength, but we forgot to validate cs_desc->wLength itself,
which may lead to potential endless loop by a malformed descriptor.
Add a proper size check to abort the loop for plugging the hole.
Fixes: ecfd41166b72 ("ALSA: usb-audio: Validate UAC3 cluster segment descriptors")
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20260427152224.15276-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/stream.c | 2 ++
1 file changed, 2 insertions(+)
--- a/sound/usb/stream.c
+++ b/sound/usb/stream.c
@@ -352,6 +352,8 @@ snd_pcm_chmap_elem *convert_chmap_v3(str
if (len < sizeof(*cs_desc))
break;
cs_len = le16_to_cpu(cs_desc->wLength);
+ if (cs_len < sizeof(*cs_desc))
+ break;
if (len < cs_len)
break;
cs_type = cs_desc->bSegmentType;
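Review bot: the added cs_len < sizeof(*cs_desc) test in convert_chmap_v3() has no comment explaining that an undersized wLength would stop the loop from advancing, which is the only reason it is needed next to the existing len < cs_len test. Please add that one-line comment, and consider folding both conditions into a single if so the two bounds on cs_len are read together.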
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 308/969] ALSA: usb-audio: Fix UAC3 cluster descriptor size check
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (306 preceding siblings ...)
2026-05-30 15:57 ` [PATCH 6.1 307/969] ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3() Greg Kroah-Hartman
@ 2026-05-30 15:57 ` Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 309/969] USB: omap_udc: DMA: Dont enable burst 4 mode Greg Kroah-Hartman
` (667 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
commit 26265dd69da32d88a88d21987853cec899d9e21f upstream.
The UAC3 cluster descriptor length check in
snd_usb_get_audioformat_uac3() was added to
make sure that the buffer is large enough for
a struct uac3_cluster_header_descriptor before the
returned data is cast and used.
However, the check uses sizeof(cluster), where cluster
is a pointer, not the size of the descriptor header.
This makes the validation depend on the architecture
pointer size and does not match the intended object size.
Check against sizeof(*cluster) instead.
Fixes: fb4e2a6e8f28 ("ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3()")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260424-alsa-usb-uac3-cluster-size-v1-1-99a5808898a3@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/stream.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/usb/stream.c
+++ b/sound/usb/stream.c
@@ -993,7 +993,7 @@ snd_usb_get_audioformat_uac3(struct snd_
* and request Cluster Descriptor
*/
wLength = le16_to_cpu(hc_header.wLength);
- if (wLength < sizeof(cluster))
+ if (wLength < sizeof(*cluster))
return NULL;
cluster = kzalloc(wLength, GFP_KERNEL);
if (!cluster)
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 309/969] USB: omap_udc: DMA: Dont enable burst 4 mode
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (307 preceding siblings ...)
2026-05-30 15:57 ` [PATCH 6.1 308/969] ALSA: usb-audio: Fix UAC3 cluster descriptor size check Greg Kroah-Hartman
@ 2026-05-30 15:57 ` Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 310/969] USB: serial: option: add Telit Cinterion LE910Cx compositions Greg Kroah-Hartman
` (666 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Aaro Koskinen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aaro Koskinen <aaro.koskinen@iki.fi>
commit 3f91484f6c13c434bd573ca6b6779c26adb0ddab upstream.
Commit 65111084c63d7 ("USB: more omap_udc updates (dma and omap1710)")
added setting for DMA burst 4 mode. But I think this should be undone for
two reasons:
- It breaks DMA on 15xx boards - transfers just silently stall.
- On newer OMAP1 boards, like Nokia 770 (omap1710), there is no measurable
performance impact when testing TCP throughput with g_ether with large
15000 byte MTU size.
It's also worth noting that when the original change was made, the
OMAP_DMA_DATA_BURST_4 handling in arch/arm/plat-omap/dma.c was broken, and
actually resulted in the same as the OMAP_DMA_DATA_BURST_DIS i.e. burst
disabled. This was not fixed until a couple of kernel releases later in an
unrelated commit 1a8bfa1eb998a ("[ARM] 3142/1: OMAP 2/5: Update files
common to omap1 and omap2").
So based on this it seems there was never really a very good reason to
enable this burst mode in omap_udc, so remove it now to allow 15xx DMA
to work again (it provides 2x throughput compared to PIO mode).
Fixes: 65111084c63d ("[PATCH] USB: more omap_udc updates (dma and omap1710)")
Cc: stable <stable@kernel.org>
Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Link: https://patch.msgid.link/ad06qHLclWHeSGnV@darkstar.musicnaut.iki.fi
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/udc/omap_udc.c | 4 ----
1 file changed, 4 deletions(-)
--- a/drivers/usb/gadget/udc/omap_udc.c
+++ b/drivers/usb/gadget/udc/omap_udc.c
@@ -734,8 +734,6 @@ static void dma_channel_claim(struct oma
if (status == 0) {
omap_writew(reg, UDC_TXDMA_CFG);
/* EMIFF or SDRC */
- omap_set_dma_src_burst_mode(ep->lch,
- OMAP_DMA_DATA_BURST_4);
omap_set_dma_src_data_pack(ep->lch, 1);
/* TIPB */
omap_set_dma_dest_params(ep->lch,
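Review bot: with the omap_set_dma_src_burst_mode() call removed, dma_channel_claim() no longer sets the source burst mode at all and relies on whatever state the channel had when it was requested. If burst-disabled is the required state on 15xx, setting OMAP_DMA_DATA_BURST_DIS explicitly, or a comment stating that the default is burst-disabled, would make that dependency visible. The same applies to the destination side in the next hunk.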
@@ -757,8 +755,6 @@ static void dma_channel_claim(struct oma
UDC_DATA_DMA,
0, 0);
/* EMIFF or SDRC */
- omap_set_dma_dest_burst_mode(ep->lch,
- OMAP_DMA_DATA_BURST_4);
omap_set_dma_dest_data_pack(ep->lch, 1);
}
}
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 310/969] USB: serial: option: add Telit Cinterion LE910Cx compositions
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (308 preceding siblings ...)
2026-05-30 15:57 ` [PATCH 6.1 309/969] USB: omap_udc: DMA: Dont enable burst 4 mode Greg Kroah-Hartman
@ 2026-05-30 15:57 ` Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 311/969] usb: ulpi: fix memory leak on ulpi_register() error paths Greg Kroah-Hartman
` (665 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Fabio Porcedda, Johan Hovold
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fabio Porcedda <fabio.porcedda@gmail.com>
commit 100201d349edd226ca3470c894c92dccc67ee7a8 upstream.
Add the following Telit Cinterion LE910Cx compositions:
0x1251: RNDIS + tty (AT/NMEA) + tty (AT) + tty (AT) + tty (SAP)
T: Bus=01 Lev=01 Prnt=21 Port=06 Cnt=01 Dev#=108 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=1bc7 ProdID=1251 Rev=03.18
S: Manufacturer=Android
S: Product=LE910C1-EU
S: SerialNumber=0123456789ABCDEF
C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=02 Prot=ff Driver=rndis_host
E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
I: If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=88(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8a(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
0x1253: ECM + tty (AT/NMEA) + tty (AT) + tty (AT) + tty (SAP)
T: Bus=01 Lev=01 Prnt=21 Port=06 Cnt=01 Dev#=121 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=1bc7 ProdID=1253 Rev=03.18
S: Manufacturer=Android
S: Product=LE910C1-EU
S: SerialNumber=0123456789ABCDEF
C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether
E: Ad=82(I) Atr=03(Int.) MxPS= 16 Ivl=32ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=88(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8a(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
0x1254: tty (AT) + tty (AT)
T: Bus=01 Lev=01 Prnt=21 Port=06 Cnt=01 Dev#=122 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=1bc7 ProdID=1254 Rev=03.18
S: Manufacturer=Android
S: Product=LE910C1-EU
S: SerialNumber=0123456789ABCDEF
C: #Ifs= 2 Cfg#= 1 Atr=a0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=82(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
0x1255: tty (AT/NMEA) + tty (AT) + tty (AT) + tty (SAP)
T: Bus=01 Lev=01 Prnt=21 Port=06 Cnt=01 Dev#=123 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=1bc7 ProdID=1255 Rev=03.18
S: Manufacturer=Android
S: Product=LE910C1-EU
S: SerialNumber=0123456789ABCDEF
C: #Ifs= 4 Cfg#= 1 Atr=a0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=82(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=88(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
Cc: stable@vger.kernel.org
Signed-off-by: Fabio Porcedda <fabio.porcedda@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/option.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1513,7 +1513,11 @@ static const struct usb_device_id option
{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1231, 0xff), /* Telit LE910Cx (RNDIS) */
.driver_info = NCTRL(2) | RSVD(3) },
{ USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x1250, 0xff, 0x00, 0x00) }, /* Telit LE910Cx (rmnet) */
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1251, 0xff) }, /* Telit LE910Cx (RNDIS) */
{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1252, 0xff) }, /* Telit LE910Cx (MBIM) */
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1253, 0xff) }, /* Telit LE910Cx (ECM) */
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1254, 0xff) }, /* Telit LE910Cx */
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1255, 0xff) }, /* Telit LE910Cx */
{ USB_DEVICE(TELIT_VENDOR_ID, 0x1260),
.driver_info = NCTRL(0) | RSVD(1) | RSVD(2) },
{ USB_DEVICE(TELIT_VENDOR_ID, 0x1261),
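Review bot: the four new entries carry no .driver_info, while the neighbouring 0x1231 RNDIS entry sets NCTRL(2) | RSVD(3). Please confirm from the compositions listed in the commit message that none of the vendor-class interfaces on 0x1251, 0x1253, 0x1254 and 0x1255 needs NCTRL() or RSVD(). The comments for 0x1254 and 0x1255 also give no composition, unlike the (RNDIS), (MBIM) and (ECM) entries around them; a short tag taken from the commit message would keep the table consistent.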
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 311/969] usb: ulpi: fix memory leak on ulpi_register() error paths
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (309 preceding siblings ...)
2026-05-30 15:57 ` [PATCH 6.1 310/969] USB: serial: option: add Telit Cinterion LE910Cx compositions Greg Kroah-Hartman
@ 2026-05-30 15:57 ` Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 312/969] ALSA: firewire-tascam: Do not drop unread control events Greg Kroah-Hartman
` (664 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Felix Gu, Heikki Krogerus
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Gu <ustc.gu@gmail.com>
commit 0b9fcab1b8608d429e5f239afb197de928d4de7d upstream.
Commit 01af542392b5 ("usb: ulpi: fix double free in
ulpi_register_interface() error path") removed kfree(ulpi) from
ulpi_register_interface() to fix a double-free when device_register()
fails.
But when ulpi_of_register() or ulpi_read_id() fail before
device_register() is called, the ulpi allocation is leaked.
Add kfree(ulpi) on both error paths to properly clean up the allocation.
Fixes: 01af542392b5 ("usb: ulpi: fix double free in ulpi_register_interface() error path")
Cc: stable <stable@kernel.org>
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/20260407-ulpi-v1-1-f3fafe53f7b2@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/common/ulpi.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/usb/common/ulpi.c
+++ b/drivers/usb/common/ulpi.c
@@ -286,12 +286,15 @@ static int ulpi_register(struct device *
ACPI_COMPANION_SET(&ulpi->dev, ACPI_COMPANION(dev));
ret = ulpi_of_register(ulpi);
- if (ret)
+ if (ret) {
+ kfree(ulpi);
return ret;
+ }
ret = ulpi_read_id(ulpi);
if (ret) {
of_node_put(ulpi->dev.of_node);
+ kfree(ulpi);
return ret;
}
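Review bot: kfree(ulpi) is now repeated in both early-return paths of ulpi_register(), and the second path must also remember of_node_put(); a single unwind label would keep the two in step if another failure point is added later. It is also worth a comment that a plain kfree() is correct here only because device_register() has not been called yet, since freeing after that point is the double free that 01af542392b5 removed.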
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 312/969] ALSA: firewire-tascam: Do not drop unread control events
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (310 preceding siblings ...)
2026-05-30 15:57 ` [PATCH 6.1 311/969] usb: ulpi: fix memory leak on ulpi_register() error paths Greg Kroah-Hartman
@ 2026-05-30 15:57 ` Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 313/969] powerpc/kdump: fix KASAN sanitization flag for core_$(BITS).o Greg Kroah-Hartman
` (663 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Takashi Sakamoto,
Cássio Gabriel, Takashi Iwai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
commit 0749daa8eb5ab90334aaad3b0671efd7150d43b1 upstream.
tscm_hwdep_read_queue() copies as many queued control events as fit in
the userspace buffer. When the buffer is smaller than the current
contiguous queue segment, length is rounded down to the number of bytes
that can be copied.
However, after copying that shortened length, the code advances pull_pos
to the original tail_pos, marking the whole contiguous segment as
consumed. Any events between the copied portion and tail_pos are lost.
Limit tail_pos to the position after the entries actually copied before
updating pull_pos. When the whole segment fits, this is equivalent to the
old tail_pos update; when the buffer is smaller, the remaining events
stay queued for the next read.
Fixes: a8c0d13267a4 ("ALSA: firewire-tascam: notify events of change of state for userspace applications")
Cc: stable@vger.kernel.org
Suggested-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Co-developed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20260503-alsa-firewire-tascam-read-queue-v2-1-126c6efd7642@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/firewire/tascam/tascam-hwdep.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/firewire/tascam/tascam-hwdep.c
+++ b/sound/firewire/tascam/tascam-hwdep.c
@@ -73,6 +73,7 @@ static long tscm_hwdep_read_queue(struct
length = rounddown(remained, sizeof(*entries));
if (length == 0)
break;
+ tail_pos = head_pos + length / sizeof(*entries);
spin_unlock_irq(&tscm->lock);
if (copy_to_user(pos, &entries[head_pos], length))
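Review bot: the added tail_pos assignment in tscm_hwdep_read_queue() is what keeps uncopied entries queued, yet it has no comment and sits directly after the length == 0 check, where it is easy to mistake for a redundant recomputation. A one-line comment saying tail_pos is clamped to the entries that fit in the user buffer would make the intent clear.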
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 313/969] powerpc/kdump: fix KASAN sanitization flag for core_$(BITS).o
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (311 preceding siblings ...)
2026-05-30 15:57 ` [PATCH 6.1 312/969] ALSA: firewire-tascam: Do not drop unread control events Greg Kroah-Hartman
@ 2026-05-30 15:57 ` Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 314/969] xfrm: provide message size for XFRM_MSG_MAPPING Greg Kroah-Hartman
` (662 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Venkat Rao Bagalkote,
Ritesh Harjani (IBM), Mahesh Salgaonkar, Aboorva Devarajan,
Sourabh Jain, Madhavan Srinivasan
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sourabh Jain <sourabhjain@linux.ibm.com>
commit b3a97f9484080c6e71db9e803e3cc1bb372a9bc7 upstream.
KASAN instrumentation is intended to be disabled for the kexec core
code, but the existing Makefile entry misses the object suffix. As a
result, the flag is not applied correctly to core_$(BITS).o.
So when KASAN is enabled, kexec_copy_flush and copy_segments in
kexec/core_64.c are instrumented, which can result in accesses to
shadow memory via normal address translation paths. Since these run
with the MMU disabled, such accesses may trigger page faults
(bad_page_fault) that cannot be handled in the kdump path, ultimately
causing a hang and preventing the kdump kernel from booting. The same
is true for kexec as well, since the same functions are used there.
Update the entry to include the “.o” suffix so that KASAN
instrumentation is properly disabled for this object file.
Fixes: 2ab2d5794f14 ("powerpc/kasan: Disable address sanitization in kexec paths")
Reported-by: Venkat Rao Bagalkote <venkat88@linux.ibm.com>
Closes: https://lore.kernel.org/all/1dee8891-8bcc-46b4-93f3-fc3a774abd5b@linux.ibm.com/
Cc: stable@vger.kernel.org
Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Tested-by: Venkat Rao Bagalkote <venkat88@linux.ibm.com>
Acked-by: Mahesh Salgaonkar <mahesh@linux.ibm.com>
Reviewed-by: Aboorva Devarajan <aboorvad@linux.ibm.com>
Tested-by: Aboorva Devarajan <aboorvad@linux.ibm.com>
Signed-off-by: Sourabh Jain <sourabhjain@linux.ibm.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20260407124349.1698552-1-sourabhjain@linux.ibm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/kexec/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/powerpc/kexec/Makefile
+++ b/arch/powerpc/kexec/Makefile
@@ -14,4 +14,4 @@ GCOV_PROFILE_core_$(BITS).o := n
KCOV_INSTRUMENT_core_$(BITS).o := n
UBSAN_SANITIZE_core_$(BITS).o := n
KASAN_SANITIZE_core.o := n
-KASAN_SANITIZE_core_$(BITS) := n
+KASAN_SANITIZE_core_$(BITS).o := n
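Review bot: The corrected KASAN_SANITIZE_core_$(BITS).o line fixes a slip that the build accepted silently, and nothing in this Makefile would catch the same mistake again. Please confirm with a V=1 build that core_$(BITS).o is now compiled without the KASAN flags, and keep the neighbouring GCOV_PROFILE, KCOV_INSTRUMENT and UBSAN_SANITIZE entries in the same object-suffixed form if they are ever edited.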
* [PATCH 6.1 314/969] xfrm: provide message size for XFRM_MSG_MAPPING
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
Juefei Pu, Xin Liu, Ruijie Li, Ren Wei, Steffen Klassert
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ruijie Li <ruijieli51@gmail.com>
commit 28465227c80fe417b4013c432be1f3737cb9f9a3 upstream.
The compat 64=>32 translation path handles XFRM_MSG_MAPPING, but
xfrm_msg_min[] does not provide the native payload size for this
message type.
Add the missing XFRM_MSG_MAPPING entry so compat translation can size
and translate mapping notifications correctly.
Fixes: 5461fc0c8d9f ("xfrm/compat: Add 64=>32-bit messages translator")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Ruijie Li <ruijieli51@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/xfrm/xfrm_user.c | 1 +
1 file changed, 1 insertion(+)
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2960,6 +2960,7 @@ const int xfrm_msg_min[XFRM_NR_MSGTYPES]
[XFRM_MSG_GETSADINFO - XFRM_MSG_BASE] = sizeof(u32),
[XFRM_MSG_NEWSPDINFO - XFRM_MSG_BASE] = sizeof(u32),
[XFRM_MSG_GETSPDINFO - XFRM_MSG_BASE] = sizeof(u32),
+ [XFRM_MSG_MAPPING - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_mapping),
[XFRM_MSG_SETDEFAULT - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_default),
[XFRM_MSG_GETDEFAULT - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_default),
};
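Review bot: xfrm_msg_min[] is filled with designated initializers, so a message type without a line here gets a minimum size of 0 with no diagnostic, which is how XFRM_MSG_MAPPING stayed missing while the compat translator already handled it. The added entry is right; consider a short comment on the array saying that the compat 64=>32 path sizes messages from it, so that a type added to the translator gets its entry in the same change.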
* [PATCH 6.1 315/969] ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yifan Wu, Juefei Pu,
Yuan Tan, Xin Liu, Ruide Cao, Yilin Zhu, Ren Wei, Simon Horman,
Steffen Klassert
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yilin Zhu <zylzyl2333@gmail.com>
commit bc0fcb9823cd0894934cf968b525c575833d7078 upstream.
xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not
already have a dst attached. ip6_route_input_lookup() returns a
referenced dst entry even when the lookup resolves to an error route.
If dst->error is set, xfrm6_rcv_encap() drops the skb without attaching
the dst to the skb and without releasing the reference returned by the
lookup. Repeated packets hitting this path therefore leak dst entries.
Release the dst before jumping to the drop path.
Fixes: 0146dca70b87 ("xfrm: add support for UDPv6 encapsulation of ESP")
Cc: stable@kernel.org
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Tested-by: Ruide Cao <caoruide123@gmail.com>
Signed-off-by: Yilin Zhu <zylzyl2333@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/xfrm6_protocol.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/net/ipv6/xfrm6_protocol.c
+++ b/net/ipv6/xfrm6_protocol.c
@@ -88,8 +88,10 @@ int xfrm6_rcv_encap(struct sk_buff *skb,
dst = ip6_route_input_lookup(dev_net(skb->dev), skb->dev, &fl6,
skb, flags);
- if (dst->error)
+ if (dst->error) {
+ dst_release(dst);
goto drop;
+ }
skb_dst_set(skb, dst);
}
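Review bot: In the new dst->error branch the reference from ip6_route_input_lookup() is dropped by hand while the success path hands it over with skb_dst_set(), and the rule that the lookup returns a referenced dst even for an error route is recorded only in the commit message. A one-line comment above dst_release(dst) stating that would keep a later cleanup from folding the branch back into a bare goto drop. The ordering is fine as written: the dst is never attached to the skb on this path, so freeing the skb at the drop label does not release it a second time.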
* [PATCH 6.1 316/969] Bluetooth: virtio_bt: clamp rx length before skb_put
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Soenke Huster, Michael Bommarito,
Luiz Augusto von Dentz
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit 21bd244b6de5d2fe1063c23acc93fbdd2b20d112 upstream.
virtbt_rx_work() calls skb_put(skb, len) where len comes directly
from virtqueue_get_buf() with no validation against the buffer we
posted to the device. The RX skb is allocated in virtbt_add_inbuf()
and exposed to virtio as exactly 1000 bytes via sg_init_one().
Checking len against skb_tailroom(skb) is not sufficient because
alloc_skb() can leave more tailroom than the 1000 bytes actually
handed to the device. A malicious or buggy backend can therefore
report used.len between 1001 and skb_tailroom(skb), causing skb_put()
to include uninitialized kernel heap bytes that were never written by
the device.
The same path also accepts len == 0, in which case skb_put(skb, 0)
leaves the skb empty but virtbt_rx_handle() still reads the pkt_type
byte from skb->data, consuming uninitialized memory.
Define VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and
sg_init_one(), and gate virtbt_rx_work() on that same constant so
the bound checked matches the buffer actually exposed to the device.
Reject used.len == 0 in the same gate so an empty completion can
no longer reach virtbt_rx_handle().
Use bt_dev_err_ratelimited() because the length value comes from an
untrusted backend that can otherwise flood the kernel log.
Same class of bug as commit c04db81cd028 ("net/9p: Fix buffer
overflow in USB transport layer"), which hardened the USB 9p
transport against unchecked device-reported length.
Fixes: 160fbcf3bfb9 ("Bluetooth: virtio_bt: Use skb_put to set length")
Cc: stable@vger.kernel.org
Cc: Soenke Huster <soenke.huster@eknoes.de>
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/bluetooth/virtio_bt.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
--- a/drivers/bluetooth/virtio_bt.c
+++ b/drivers/bluetooth/virtio_bt.c
@@ -12,6 +12,7 @@
#include <net/bluetooth/hci_core.h>
#define VERSION "0.1"
+#define VIRTBT_RX_BUF_SIZE 1000
enum {
VIRTBT_VQ_TX,
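Review bot: VIRTBT_RX_BUF_SIZE is added without a comment, yet after this patch it is a security bound: the allocation size, the length exposed to the device and the upper limit accepted from used.len all have to be this one value. Please say so next to the define, so the three uses are not separated again.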
@@ -33,11 +34,11 @@ static int virtbt_add_inbuf(struct virti
struct sk_buff *skb;
int err;
- skb = alloc_skb(1000, GFP_KERNEL);
+ skb = alloc_skb(VIRTBT_RX_BUF_SIZE, GFP_KERNEL);
if (!skb)
return -ENOMEM;
- sg_init_one(sg, skb->data, 1000);
+ sg_init_one(sg, skb->data, VIRTBT_RX_BUF_SIZE);
err = virtqueue_add_inbuf(vq, sg, 1, skb, GFP_KERNEL);
if (err < 0) {
@@ -219,8 +220,15 @@ static void virtbt_rx_work(struct work_s
if (!skb)
return;
- skb_put(skb, len);
- virtbt_rx_handle(vbt, skb);
+ if (!len || len > VIRTBT_RX_BUF_SIZE) {
+ bt_dev_err_ratelimited(vbt->hdev,
+ "rx reply len %u outside [1, %u]\n",
+ len, VIRTBT_RX_BUF_SIZE);
+ kfree_skb(skb);
+ } else {
+ skb_put(skb, len);
+ virtbt_rx_handle(vbt, skb);
+ }
if (virtbt_add_inbuf(vbt) < 0)
return;
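Review bot: The gate if (!len || len > VIRTBT_RX_BUF_SIZE) deliberately compares against the size handed to the device rather than skb_tailroom(skb), but that reasoning lives only in the commit message; a short comment above the check would stop a future cleanup from switching it to a tailroom test. Freeing the skb and then continuing to virtbt_add_inbuf() is the right shape, since a bad completion still gets its buffer reposted.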
* [PATCH 6.1 317/969] Bluetooth: virtio_bt: validate rx pkt_type header length
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Soenke Huster, Michael Bommarito,
Luiz Augusto von Dentz
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit daf23014e5d975e72ea9c02b5160d3fcf070ea47 upstream.
virtbt_rx_handle() reads the leading pkt_type byte from the RX skb
and forwards the remainder to hci_recv_frame() for every
event/ACL/SCO/ISO type, without checking that the remaining payload
is at least the fixed HCI header for that type.
After the preceding patch bounds the backend-supplied used.len to
[1, VIRTBT_RX_BUF_SIZE], a one-byte completion still reaches
hci_recv_frame() with skb->len already pulled to 0. If the byte
happened to be HCI_ACLDATA_PKT, the ACL-vs-ISO classification
fast-path in hci_dev_classify_pkt_type() dereferences
hci_acl_hdr(skb)->handle whenever the HCI device has an active
CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of
uninitialized RX-buffer data. The same hazard exists for every
packet type the driver accepts because none of the switch cases in
virtbt_rx_handle() check skb->len against the per-type minimum HCI
header size before handing the frame to the core.
After stripping pkt_type, require skb->len to cover the fixed
header size for the selected type (event 2, ACL 4, SCO 3, ISO 4)
before calling hci_recv_frame(); drop ratelimited otherwise.
Unknown pkt_type values still take the original kfree_skb() default
path.
Use bt_dev_err_ratelimited() because both the length and pkt_type
values come from an untrusted backend that can otherwise flood the
kernel log.
Fixes: 160fbcf3bfb9 ("Bluetooth: virtio_bt: Use skb_put to set length")
Cc: stable@vger.kernel.org
Cc: Soenke Huster <soenke.huster@eknoes.de>
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/bluetooth/virtio_bt.c | 23 ++++++++++++++++++++---
1 file changed, 20 insertions(+), 3 deletions(-)
--- a/drivers/bluetooth/virtio_bt.c
+++ b/drivers/bluetooth/virtio_bt.c
@@ -190,6 +190,7 @@ static int virtbt_shutdown_generic(struc
static void virtbt_rx_handle(struct virtio_bluetooth *vbt, struct sk_buff *skb)
{
+ size_t min_hdr;
__u8 pkt_type;
pkt_type = *((__u8 *) skb->data);
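Review bot: virtbt_rx_handle() still reads pkt_type = *((__u8 *) skb->data) before any length check of its own, so it depends on every caller having already rejected an empty skb. That holds only because of the preceding patch in this series; a comment on the function, or an early return on skb->len == 0, would make the dependency explicit for anyone backporting one patch without the other.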
@@ -197,16 +198,32 @@ static void virtbt_rx_handle(struct virt
switch (pkt_type) {
case HCI_EVENT_PKT:
+ min_hdr = sizeof(struct hci_event_hdr);
+ break;
case HCI_ACLDATA_PKT:
+ min_hdr = sizeof(struct hci_acl_hdr);
+ break;
case HCI_SCODATA_PKT:
+ min_hdr = sizeof(struct hci_sco_hdr);
+ break;
case HCI_ISODATA_PKT:
- hci_skb_pkt_type(skb) = pkt_type;
- hci_recv_frame(vbt->hdev, skb);
+ min_hdr = sizeof(struct hci_iso_hdr);
break;
default:
kfree_skb(skb);
- break;
+ return;
}
+
+ if (skb->len < min_hdr) {
+ bt_dev_err_ratelimited(vbt->hdev,
+ "rx pkt_type 0x%02x payload %u < hdr %zu\n",
+ pkt_type, skb->len, min_hdr);
+ kfree_skb(skb);
+ return;
+ }
+
+ hci_skb_pkt_type(skb) = pkt_type;
+ hci_recv_frame(vbt->hdev, skb);
}
static void virtbt_rx_work(struct work_struct *work)
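Review bot: The new skb->len < min_hdr test only guarantees that the fixed header for the type is present; the length fields inside that header are still backend-controlled and are not compared with skb->len here. If that comparison is left to the HCI core after hci_recv_frame(), a comment should say so. The change of the default case from break to return is required rather than cosmetic: without it min_hdr would be read uninitialized below the switch.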
^ permalink raw reply [flat|nested] 982+ messages in thread
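The two checks described in patches 316 and 317, modelled in user space as an added example (not code from the patches or the driver). The bound of 1000 bytes and the per-type header sizes come from the commit messages; `rx_validate()`, `check_completion()` and the verdict names are hypothetical, and the completions are constructed inputs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RX_BUF_SIZE 1000u /* VIRTBT_RX_BUF_SIZE: bytes exposed to the device */

/* HCI packet indicator bytes (first byte of every received frame). */
#define PKT_ACL   0x02
#define PKT_SCO   0x03
#define PKT_EVENT 0x04
#define PKT_ISO   0x05

enum rx_verdict { RX_ACCEPT, RX_BAD_LEN, RX_UNKNOWN_TYPE, RX_SHORT_HDR };

/* Fixed header size per type, as listed in the commit message
 * (event 2, ACL 4, SCO 3, ISO 4). Returns 0 for an unknown type. */
static size_t min_hdr_for(uint8_t pkt_type)
{
    switch (pkt_type) {
    case PKT_EVENT: return 2;
    case PKT_ACL:   return 4;
    case PKT_SCO:   return 3;
    case PKT_ISO:   return 4;
    default:        return 0;
    }
}

/*
 * buf      : receive buffer of RX_BUF_SIZE bytes that was posted to the device
 * used_len : length reported by the backend; untrusted
 * On RX_ACCEPT, *payload / *payload_len describe the frame after the type byte.
 */
enum rx_verdict rx_validate(const uint8_t *buf, uint32_t used_len,
                            const uint8_t **payload, size_t *payload_len)
{
    uint8_t pkt_type;
    size_t min_hdr, remaining;

    /* Stage 1: bound against what the device was given, not against
     * whatever spare room the allocator left behind the buffer. */
    if (used_len == 0 || used_len > RX_BUF_SIZE)
        return RX_BAD_LEN;

    /* Safe only because stage 1 guarantees at least one byte. */
    pkt_type = buf[0];
    min_hdr = min_hdr_for(pkt_type);
    if (min_hdr == 0)
        return RX_UNKNOWN_TYPE;

    /* Stage 2: after stripping the type byte, the fixed header must fit. */
    remaining = used_len - 1;
    if (remaining < min_hdr)
        return RX_SHORT_HDR;

    *payload = buf + 1;
    *payload_len = remaining;
    return RX_ACCEPT;
}

/* Hypothetical helper: builds a constructed completion and validates it. */
enum rx_verdict check_completion(uint8_t pkt_type, uint32_t used_len)
{
    static uint8_t buf[RX_BUF_SIZE];
    const uint8_t *payload = NULL;
    size_t payload_len = 0;

    memset(buf, 0, sizeof(buf));
    buf[0] = pkt_type;
    return rx_validate(buf, used_len, &payload, &payload_len);
}

int main(void)
{
    /* Constructed sample completions: {pkt_type, used_len}. */
    static const struct { uint8_t type; uint32_t len; } samples[] = {
        { PKT_EVENT, 0 }, { PKT_EVENT, 1001 }, { PKT_ACL, 1 },
        { PKT_ACL, 5 }, { PKT_SCO, 4 }, { 0x7f, 10 },
    };
    static const char *names[] = {
        "accept", "bad length", "unknown type", "short header",
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("type 0x%02x len %4u -> %s\n", samples[i].type,
               (unsigned)samples[i].len,
               names[check_completion(samples[i].type, samples[i].len)]);
    return 0;
}
```
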
* [PATCH 6.1 318/969] Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Siwei Zhang,
Luiz Augusto von Dentz
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Siwei Zhang <oss@fourdim.xyz>
commit 0a120d96166301d7a95be75b52f843837dbd1219 upstream.
Add the same NULL guard already present in
l2cap_sock_resume_cb() and l2cap_sock_ready_cb().
Fixes: 80808e431e1e ("Bluetooth: Add l2cap_chan_ops abstraction")
Cc: stable@kernel.org
Signed-off-by: Siwei Zhang <oss@fourdim.xyz>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/l2cap_sock.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1500,6 +1500,9 @@ static struct l2cap_chan *l2cap_sock_new
{
struct sock *sk, *parent = chan->data;
+ if (!parent)
+ return NULL;
+
lock_sock(parent);
/* Check for backlog size */
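Review bot: The new if (!parent) test reads chan->data once and lock_sock(parent) follows with nothing visible in between that keeps the pointer stable, so if chan->data can be cleared concurrently the check narrows the window rather than closing it. The commit message does not say when chan->data becomes NULL or what serializes it against this callback; please add that, there and in a comment, so the guard can be judged as complete.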
* [PATCH 6.1 319/969] Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Siwei Zhang,
Luiz Augusto von Dentz
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Siwei Zhang <oss@fourdim.xyz>
commit 2ff1a41a912de8517b4482e946dd951b7d80edbf upstream.
Add the same NULL guard already present in
l2cap_sock_resume_cb() and l2cap_sock_ready_cb().
Fixes: 89bc500e41fc ("Bluetooth: Add state tracking to struct l2cap_chan")
Cc: stable@kernel.org
Signed-off-by: Siwei Zhang <oss@fourdim.xyz>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/l2cap_sock.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1663,6 +1663,9 @@ static void l2cap_sock_state_change_cb(s
{
struct sock *sk = chan->data;
+ if (!sk)
+ return;
+
sk->sk_state = state;
if (err)
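Review bot: With the added if (!sk) return; a state change that arrives once chan->data is NULL is dropped without a trace, including the err value handled just below. That is probably the intended behaviour, but a one-line comment saying what a NULL chan->data means here would help, as would stating in the commit message which path clears it, since the read of chan->data has no visible locking around it.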
* [PATCH 6.1 320/969] spi: zynqmp-gqspi: fix controller deregistration
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ranjit Waghmode, Johan Hovold,
Mark Brown
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 6895fc4faafc9082e15e4e624b23dd5f0c98feb5 upstream.
Make sure to deregister the controller before disabling underlying
resources like clocks during driver unbind.
Fixes: dfe11a11d523 ("spi: Add support for Zynq Ultrascale+ MPSoC GQSPI controller")
Cc: stable@vger.kernel.org # 4.2: 64640f6c972e
Cc: stable@vger.kernel.org # 4.2
Cc: Ranjit Waghmode <ranjit.waghmode@xilinx.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-26-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-zynqmp-gqspi.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/spi/spi-zynqmp-gqspi.c
+++ b/drivers/spi/spi-zynqmp-gqspi.c
@@ -1202,7 +1202,7 @@ static int zynqmp_qspi_probe(struct plat
ctlr->dev.of_node = np;
ctlr->auto_runtime_pm = true;
- ret = devm_spi_register_controller(&pdev->dev, ctlr);
+ ret = spi_register_controller(ctlr);
if (ret) {
dev_err(&pdev->dev, "spi_register_controller failed\n");
goto clk_dis_all;
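Review bot: Replacing devm_spi_register_controller() with spi_register_controller() moves the unregister duty to the driver, so any step in zynqmp_qspi_probe() that can still fail after this call now needs a matching spi_unregister_controller() on its error path. Only the failure of the registration itself is visible here (goto clk_dis_all); please confirm registration is the last fallible step in probe.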
@@ -1243,6 +1243,8 @@ static int zynqmp_qspi_remove(struct pla
pm_runtime_get_sync(&pdev->dev);
+ spi_unregister_controller(xqspi->ctlr);
+
zynqmp_gqspi_write(xqspi, GQSPI_EN_OFST, 0x0);
pm_runtime_disable(&pdev->dev);
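Review bot: The pm_runtime_get_sync() just above the new spi_unregister_controller(xqspi->ctlr) has its return value ignored, so if the resume fails, the unregister and the GQSPI_EN_OFST write that follow run against a device that may not be powered. Checking the return value, or noting why it can be ignored in remove, would close that gap. The placement of the unregister before the register write and pm_runtime_disable() matches what the commit message asks for.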
* [PATCH 6.1 321/969] staging: vme_user: fix root device leak on init failure
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Martyn Welch, Johan Hovold
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 32c91e8ee039777d0b95b914633fc6a42607959c upstream.
Make sure to deregister and free the root device in case module
initialisation fails.
Fixes: 658bcdae9c67 ("vme: Adding Fake VME driver")
Cc: stable@vger.kernel.org # 4.9
Cc: Martyn Welch <martyn@welchs.me.uk>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260424104910.2619349-1-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/vme_user/vme_fake.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/staging/vme_user/vme_fake.c
+++ b/drivers/staging/vme_user/vme_fake.c
@@ -1242,6 +1242,8 @@ err_master:
err_driver:
kfree(fake_bridge);
err_struct:
+ root_device_unregister(vme_root);
+
return retval;
}
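Review bot: root_device_unregister(vme_root) is added under err_struct, the last label in a fall-through chain, so every earlier failure path reaches it. Please confirm that no path can jump to err_struct when registering vme_root itself failed, since vme_root would then not be a valid device pointer; the registration call is outside the visible context.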
* [PATCH 6.1 322/969] fanotify: fix false positive on permission events
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Miklos Szeredi, Jan Kara
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miklos Szeredi <mszeredi@redhat.com>
commit 7746e3bd4cc19b5092e00d32d676e329bfcb6900 upstream.
fsnotify_get_mark_safe() may return false for a mark on an unrelated group,
which results in bypassing the permission check.
Fix by skipping over detached marks that are not in the current group.
CC: stable@vger.kernel.org
Fixes: abc77577a669 ("fsnotify: Provide framework for dropping SRCU lock in ->handle_event")
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Link: https://patch.msgid.link/20260410144950.156160-1-mszeredi@redhat.com
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/notify/fsnotify.c | 2 +-
fs/notify/mark.c | 18 +++++++++++-------
include/linux/fsnotify_backend.h | 1 +
3 files changed, 13 insertions(+), 8 deletions(-)
--- a/fs/notify/fsnotify.c
+++ b/fs/notify/fsnotify.c
@@ -398,7 +398,7 @@ static struct fsnotify_mark *fsnotify_fi
return hlist_entry_safe(node, struct fsnotify_mark, obj_list);
}
-static struct fsnotify_mark *fsnotify_next_mark(struct fsnotify_mark *mark)
+struct fsnotify_mark *fsnotify_next_mark(struct fsnotify_mark *mark)
{
struct hlist_node *node = NULL;
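Review bot: fsnotify_next_mark() loses its static here and becomes callable from mark.c, but it gains no comment on what the caller must hold while it walks the mark list. The new caller uses it inside fsnotify_prepare_user_wait() before the SRCU lock is dropped; a short note stating that requirement above the function would protect future users.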
--- a/fs/notify/mark.c
+++ b/fs/notify/mark.c
@@ -380,9 +380,6 @@ EXPORT_SYMBOL_GPL(fsnotify_put_mark);
*/
static bool fsnotify_get_mark_safe(struct fsnotify_mark *mark)
{
- if (!mark)
- return true;
-
if (refcount_inc_not_zero(&mark->refcnt)) {
spin_lock(&mark->lock);
if (mark->flags & FSNOTIFY_MARK_FLAG_ATTACHED) {
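Review bot: Removing the if (!mark) return true; guard turns fsnotify_get_mark_safe() into a function that dereferences its argument unconditionally (refcount_inc_not_zero(&mark->refcnt)). The caller changed in this patch tests mark first, but any other caller that relied on the old NULL tolerance would now oops. The function is static, so a check of the remaining call sites in mark.c is enough, and the comment above it should state that mark must be non-NULL.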
@@ -423,15 +420,22 @@ bool fsnotify_prepare_user_wait(struct f
int type;
fsnotify_foreach_iter_type(type) {
+ struct fsnotify_mark *mark = iter_info->marks[type];
+
/* This can fail if mark is being removed */
- if (!fsnotify_get_mark_safe(iter_info->marks[type])) {
- __release(&fsnotify_mark_srcu);
- goto fail;
+ while (mark && !fsnotify_get_mark_safe(mark)) {
+ if (mark->group == iter_info->current_group) {
+ __release(&fsnotify_mark_srcu);
+ goto fail;
+ }
+ /* This is a mark in an unrelated group, skip */
+ mark = fsnotify_next_mark(mark);
+ iter_info->marks[type] = mark;
}
}
/*
- * Now that both marks are pinned by refcount in the inode / vfsmount
+ * Now that all marks are pinned by refcount in the inode / vfsmount / etc
* lists, we can drop SRCU lock, and safely resume the list iteration
* once userspace returns.
*/
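Review bot: The retained comment "This can fail if mark is being removed" now sits over a loop with two different outcomes: failure when the unpinnable mark belongs to iter_info->current_group, and a silent skip otherwise. Please reword it to describe both, because that distinction is the security-relevant part of the fix (the commit message notes that the old behaviour bypassed the permission check). Also note that iter_info->marks[type] is overwritten while skipping and can end up NULL, so the code that later walks or releases these slots must tolerate an empty slot.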
--- a/include/linux/fsnotify_backend.h
+++ b/include/linux/fsnotify_backend.h
@@ -820,6 +820,7 @@ static inline void fsnotify_clear_sb_mar
}
extern void fsnotify_get_mark(struct fsnotify_mark *mark);
extern void fsnotify_put_mark(struct fsnotify_mark *mark);
+struct fsnotify_mark *fsnotify_next_mark(struct fsnotify_mark *mark);
extern void fsnotify_finish_user_wait(struct fsnotify_iter_info *iter_info);
extern bool fsnotify_prepare_user_wait(struct fsnotify_iter_info *iter_info);
* [PATCH 6.1 323/969] net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Kai Zen, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kai Zen <kai.aizen.dev@gmail.com>
commit 4b9e327991815e128ad3af75c3a04630a63ce3e0 upstream.
rtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack
without initialisation:
struct ifla_vf_broadcast vf_broadcast;
The struct contains a single fixed 32-byte field:
/* include/uapi/linux/if_link.h */
struct ifla_vf_broadcast {
__u8 broadcast[32];
};
The function then copies dev->broadcast into it using dev->addr_len
as the length:
memcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len);
On Ethernet devices (the overwhelming majority of SR-IOV NICs)
dev->addr_len is 6, so only the first 6 bytes of broadcast[] are
written. The remaining 26 bytes retain whatever was previously on
the kernel stack. The full struct is then handed to userspace via:
nla_put(skb, IFLA_VF_BROADCAST,
sizeof(vf_broadcast), &vf_broadcast)
leaking up to 26 bytes of uninitialised kernel stack per VF per
RTM_GETLINK request, repeatable.
The other vf_* structs in the same function are explicitly zeroed
for exactly this reason - see the memset() calls for ivi,
vf_vlan_info, node_guid and port_guid a few lines above.
vf_broadcast was simply missed when it was added.
Reachability: any unprivileged local process can open AF_NETLINK /
NETLINK_ROUTE without capabilities and send RTM_GETLINK with an
IFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF. The kernel walks
each VF and emits IFLA_VF_BROADCAST, leaking 26 bytes of stack per
VF per request. Stack residue at this call site can include return
addresses and transient sensitive data; KASAN with stack
instrumentation, or KMSAN, will flag the nla_put() when reproduced.
Zero the on-stack struct before the partial memcpy, matching the
existing pattern used for the other vf_* structs in the same
function.
Fixes: 75345f888f70 ("ipoib: show VF broadcast address")
Cc: stable@vger.kernel.org
Signed-off-by: Kai Zen <kai.aizen.dev@gmail.com>
Link: https://patch.msgid.link/3c506e8f936e52b57620269b55c348af05d413a2.1777557228.git.kai.aizen.dev@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/core/rtnetlink.c | 1 +
1 file changed, 1 insertion(+)
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1346,6 +1346,7 @@ static noinline_for_stack int rtnl_fill_
port_guid.vf = ivi.vf;
memcpy(vf_mac.mac, ivi.mac, sizeof(ivi.mac));
+ memset(&vf_broadcast, 0, sizeof(vf_broadcast));
memcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len);
vf_vlan.vlan = ivi.vlan;
vf_vlan.qos = ivi.qos;
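Review bot: The added memset() closes the leak, but the memcpy() on the next line still takes its length from dev->addr_len with no visible bound against sizeof(vf_broadcast.broadcast). If that bound is guaranteed elsewhere, a comment or a min_t() on the length would make it explicit at the point where a 32-byte stack field is written.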
^ permalink raw reply [flat|nested] 982+ messages in thread
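The partial-copy pattern from patch 323, modelled in user space as an added example (not code from the patch or the kernel). The 32-byte field size and the 6-byte Ethernet case come from the commit message; the 0xA5 residue byte, the 20-byte address length and the names `emit_broadcast()` and `stale_bytes()` are assumptions made for the model, which fills the struct with a known pattern to stand in for stale stack contents.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BCAST_FIELD 32   /* size of ifla_vf_broadcast.broadcast per the commit message */
#define RESIDUE     0xA5 /* constructed stand-in for whatever was on the stack */

struct vf_broadcast_model {
    uint8_t broadcast[BCAST_FIELD];
};

/*
 * Models the fill-and-copy-out sequence. Always emits the whole struct,
 * as nla_put(..., sizeof(vf_broadcast), &vf_broadcast) does.
 * Returns the number of bytes written to out, or -1 if addr_len would
 * overrun the field.
 */
int emit_broadcast(uint8_t *out, const uint8_t *addr, size_t addr_len,
                   int zero_first)
{
    struct vf_broadcast_model v;

    if (addr_len > sizeof(v.broadcast))
        return -1;

    memset(&v, RESIDUE, sizeof(v));       /* model: uninitialised stack slot */
    if (zero_first)
        memset(&v, 0, sizeof(v));         /* the one-line fix */
    memcpy(v.broadcast, addr, addr_len);  /* only addr_len bytes are meaningful */
    memcpy(out, &v, sizeof(v));           /* full struct leaves the function */
    return (int)sizeof(v);
}

/* Counts residue bytes that reach the output beyond the real address. */
int stale_bytes(size_t addr_len, int zero_first)
{
    uint8_t addr[BCAST_FIELD];
    uint8_t out[BCAST_FIELD];
    size_t i;
    int n = 0;

    memset(addr, 0xFF, sizeof(addr));     /* constructed broadcast address */
    if (emit_broadcast(out, addr, addr_len, zero_first) < 0)
        return -1;
    for (i = addr_len; i < BCAST_FIELD; i++)
        if (out[i] == RESIDUE)
            n++;
    return n;
}

int main(void)
{
    /* 6 = Ethernet (from the commit message); 20 = a longer link-layer
     * address, used here as an assumed second case. */
    static const size_t lens[] = { 6, 20, 32 };
    size_t i;

    for (i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
        printf("addr_len %2zu: %2d stale bytes unpatched, %d patched\n",
               lens[i], stale_bytes(lens[i], 0), stale_bytes(lens[i], 1));
    return 0;
}
```
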
* [PATCH 6.1 324/969] sound: ua101: fix division by zero at probe
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, SeungJu Cheon, Takashi Iwai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeungJu Cheon <suunj1331@gmail.com>
commit d1f73f169c1014463b5060e3f60813e13ddc7b87 upstream.
Add a missing sanity check for bNrChannels in detect_usb_format()
to prevent a division by zero in playback_urb_complete() and
capture_urb_complete().
USB core does not validate class-specific descriptor fields such
as bNrChannels, so drivers must verify them before use. If a
device provides bNrChannels = 0, frame_bytes becomes zero and is
later used as a divisor in the URB completion handlers, leading
to a kernel crash.
Fixes: 63978ab3e3e9 ("sound: add Edirol UA-101 support")
Cc: stable@vger.kernel.org
Signed-off-by: SeungJu Cheon <suunj1331@gmail.com>
Link: https://patch.msgid.link/20260426111239.103296-1-suunj1331@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/misc/ua101.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/sound/usb/misc/ua101.c
+++ b/sound/usb/misc/ua101.c
@@ -994,6 +994,13 @@ static int detect_usb_format(struct ua10
ua->capture.channels = fmt_capture->bNrChannels;
ua->playback.channels = fmt_playback->bNrChannels;
+ if (!ua->capture.channels || !ua->playback.channels) {
+ dev_err(&ua->dev->dev,
+ "invalid channel count: capture %u, playback %u\n",
+ ua->capture.channels, ua->playback.channels);
+ return -EINVAL;
+ }
+
ua->capture.frame_bytes =
fmt_capture->bSubframeSize * ua->capture.channels;
ua->playback.frame_bytes =
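Review bot: The new check rejects a zero channel count, but frame_bytes is the product bSubframeSize * channels, so a zero bSubframeSize would produce the same zero divisor. If bSubframeSize is already validated earlier in detect_usb_format(), outside the visible context, nothing more is needed; otherwise test frame_bytes itself after it is computed, which covers both factors.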
* [PATCH 6.1 325/969] ip6_gre: Use cached t->net in ip6erspan_changelink().
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maoyi Xie, Eric Dumazet,
Kuniyuki Iwashima, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maoyi Xie <maoyixie.tju@gmail.com>
commit 1d324c2f43f70c965f25c58cc3611c779adbe47e upstream.
After commit 5e72ce3e3980 ("net: ipv6: Use link netns in newlink() of
rtnl_link_ops"), ip6erspan_newlink() correctly resolves the per-netns
ip6gre hash via link_net. ip6erspan_changelink() was not converted in
that series and still uses dev_net(dev), which diverges from the
device's creation netns after IFLA_NET_NS_FD migration.
This re-inserts the tunnel into the wrong per-netns hash. The
original netns keeps a stale entry. When that netns is later
destroyed, ip6gre_exit_rtnl_net() walks the stale entry, producing a
slab-use-after-free reported by KASAN, followed by a kernel BUG at
net/core/dev.c (LIST_POISON1) in unregister_netdevice_many_notify().
Reachable from an unprivileged user namespace (unshare --user
--map-root-user --net).
ip6gre_changelink() earlier in the same file already uses the cached
t->net; only ip6erspan_changelink() has the wrong shape.
Fixes: 2d665034f239 ("net: ip6_gre: Fix ip6erspan hlen calculation")
Cc: stable@vger.kernel.org # v5.15+
Signed-off-by: Maoyi Xie <maoyi.xie@ntu.edu.sg>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260430103318.3206018-1-maoyi.xie@ntu.edu.sg
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/ip6_gre.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -2322,10 +2322,11 @@ static int ip6erspan_changelink(struct n
struct nlattr *data[],
struct netlink_ext_ack *extack)
{
- struct ip6gre_net *ign = net_generic(dev_net(dev), ip6gre_net_id);
+ struct ip6_tnl *t = netdev_priv(dev);
struct __ip6_tnl_parm p;
- struct ip6_tnl *t;
+ struct ip6gre_net *ign;
+ ign = net_generic(t->net, ip6gre_net_id);
t = ip6gre_changelink_common(dev, tb, data, &p, extack);
if (IS_ERR(t))
return PTR_ERR(t);
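Review bot: `t` now has two roles in ip6erspan_changelink(): it is initialised from netdev_priv(dev) so that `ign` can be derived from t->net, and it is then overwritten with the return value of ip6gre_changelink_common(). A one-line comment above `ign = net_generic(t->net, ip6gre_net_id);` saying that t->net is the netns the tunnel was created in, and that dev_net(dev) can differ once the device has moved, would stop a later cleanup from folding the lookup back into the old initialiser. The lookup running before the IS_ERR(t) check is fine, because at that point it uses the netdev_priv() pointer.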
* [PATCH 6.1 326/969] net/rds: handle zerocopy send cleanup before the message is queued
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
Juefei Pu, Xin Liu, Xiao Liu, Nan Li, Ren Wei, Allison Henderson,
Paolo Abeni
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nan Li <tonanli66@gmail.com>
commit 44b550d88b267320459d518c0743a241ab2108fa upstream.
A zerocopy send can fail after user pages have been pinned but before
the message is attached to the sending socket.
The purge path currently infers zerocopy state from rm->m_rs, so an
unqueued message can be cleaned up as if it owned normal payload pages.
However, zerocopy ownership is really determined by the presence of
op_mmp_znotifier, regardless of whether the message has reached the
socket queue.
Capture op_mmp_znotifier up front in rds_message_purge() and use it as
the cleanup discriminator. If the message is already associated with a
socket, keep the existing completion path. Otherwise, drop the pinned
page accounting directly and release the notifier before putting the
payload pages.
This keeps early send failure cleanup consistent with the zerocopy
lifetime rules without changing the normal queued completion path.
Fixes: 0cebaccef3ac ("rds: zerocopy Tx support.")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Co-developed-by: Xiao Liu <lx24@stu.ynu.edu.cn>
Signed-off-by: Xiao Liu <lx24@stu.ynu.edu.cn>
Signed-off-by: Nan Li <tonanli66@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Allison Henderson <achender@kernel.org>
Link: https://patch.msgid.link/d2ea98a6313d5467bac00f7c9fef8c7acddb9258.1777550074.git.tonanli66@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/rds/message.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
--- a/net/rds/message.c
+++ b/net/rds/message.c
@@ -129,24 +129,34 @@ static void rds_rm_zerocopy_callback(str
*/
static void rds_message_purge(struct rds_message *rm)
{
+ struct rds_znotifier *znotifier;
unsigned long i, flags;
- bool zcopy = false;
+ bool zcopy;
if (unlikely(test_bit(RDS_MSG_PAGEVEC, &rm->m_flags)))
return;
spin_lock_irqsave(&rm->m_rs_lock, flags);
+ znotifier = rm->data.op_mmp_znotifier;
+ rm->data.op_mmp_znotifier = NULL;
+ zcopy = !!znotifier;
+
if (rm->m_rs) {
struct rds_sock *rs = rm->m_rs;
- if (rm->data.op_mmp_znotifier) {
- zcopy = true;
- rds_rm_zerocopy_callback(rs, rm->data.op_mmp_znotifier);
+ if (znotifier) {
+ rds_rm_zerocopy_callback(rs, znotifier);
rds_wake_sk_sleep(rs);
- rm->data.op_mmp_znotifier = NULL;
}
sock_put(rds_rs_to_sk(rs));
rm->m_rs = NULL;
+ } else if (znotifier) {
+ /*
+ * Zerocopy can fail before the message is queued on the
+ * socket, so there is no rs to carry the notification.
+ */
+ mm_unaccount_pinned_pages(&znotifier->z_mmp);
+ kfree(rds_info_from_znotifier(znotifier));
}
spin_unlock_irqrestore(&rm->m_rs_lock, flags);
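Review bot: In the new `else if (znotifier)` branch the release is `kfree(rds_info_from_znotifier(znotifier));`, so the object freed is the containing info structure and `znotifier` is dangling from that line on; the comment explains why there is no rs but not this, and one more sentence would keep later edits from touching znotifier after the free. `zcopy = !!znotifier` is latched before the free and under m_rs_lock, which is the right order, and is worth stating as intent because the code after spin_unlock_irqrestore() relies on it.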
* [PATCH 6.1 327/969] parisc: Fix IRQ leak in LASI driver
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Dan Carpenter,
Hongling Zeng, Helge Deller
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hongling Zeng <zenghongling@kylinos.cn>
commit 37b0dc5e279f35036fb638d1e187197b6c05a76d upstream.
When request_irq() succeeds but gsc_common_setup() fails later,
the IRQ is never released. Fix this by adding proper error handling
with goto labels to ensure resources are released in LIFO order.
Detected by Smatch:
drivers/parisc/lasi.c:216 lasi_init_chip() warn: 'lasi->gsc_irq.irq'
from request_irq() not released on lines: 207.
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <error27@gmail.com>
Closes: https://lore.kernel.org/r/202604180957.4QdAIxP6-lkp@intel.com/
Signed-off-by: Hongling Zeng <zenghongling@kylinos.cn>
Cc: stable@vger.kernel.org
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/parisc/lasi.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
--- a/drivers/parisc/lasi.c
+++ b/drivers/parisc/lasi.c
@@ -196,8 +196,7 @@ static int __init lasi_init_chip(struct
ret = request_irq(lasi->gsc_irq.irq, gsc_asic_intr, 0, "lasi", lasi);
if (ret < 0) {
- kfree(lasi);
- return ret;
+ goto err_free;
}
/* enable IRQ's for devices below LASI */
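Review bot: After this change the `if (ret < 0)` body is a single `goto err_free;`, so the braces around it are no longer needed under kernel coding style; the same applies to the `if (ret)` check after gsc_common_setup() in the next hunk. Dropping them keeps each error path to two lines.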
@@ -206,8 +205,7 @@ static int __init lasi_init_chip(struct
/* Done init'ing, register this driver */
ret = gsc_common_setup(dev, lasi);
if (ret) {
- kfree(lasi);
- return ret;
+ goto err_irq;
}
gsc_fixup_irqs(dev, lasi, lasi_choose_irq);
@@ -220,6 +218,12 @@ static int __init lasi_init_chip(struct
chassis_power_off = lasi_power_off;
return ret;
+
+err_irq:
+ free_irq(lasi->gsc_irq.irq, lasi);
+err_free:
+ kfree(lasi);
+ return ret;
}
static struct parisc_device_id lasi_tbl[] __initdata = {
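Review bot: The err_irq path undoes request_irq() and the allocation, but the first hunk shows a step commented `/* enable IRQ's for devices below LASI */` between request_irq() and gsc_common_setup(), and nothing in the unwind reverses it. If that step writes a hardware mask, confirm that leaving it set after free_irq() is harmless, or mask it again ahead of `free_irq(lasi->gsc_irq.irq, lasi);`. The label order itself, err_irq falling through to err_free, matches the LIFO order the commit message describes.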
* [PATCH 6.1 328/969] hwmon: (ltc2992) Clamp threshold writes to hardware range
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sanman Pradhan, Guenter Roeck
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sanman Pradhan <psanman@juniper.net>
commit d6cc7c99bf1f73eda7d565d224d791d16239bb41 upstream.
ltc2992_set_voltage(), ltc2992_set_current(), and ltc2992_set_power()
do not validate the user-supplied value before converting it to a
register value. This can result in:
1. Negative input values wrapping to large positive register values.
For power, the negative long is implicitly cast to u64 in
mul_u64_u32_div(), producing an incorrect value. For voltage and
current, the negative converted value wraps when passed to
ltc2992_write_reg() as a u32.
2. Intermediate arithmetic exceeding the range representable in u64 on
64-bit platforms. In ltc2992_set_voltage(), (u64)val * 1000 can
exceed U64_MAX when val is a large positive long. In
ltc2992_set_current(), (u64)val * r_sense_uohm can overflow
similarly. In ltc2992_set_power(), the computed value may not fit
in u64.
3. Register values exceeding the hardware field width. Voltage and
current threshold registers are 12-bit (stored left-justified in
16 bits), and power threshold registers are 24-bit. Without
clamping, bits above the field width are truncated in
ltc2992_write_reg().
Fix by clamping negative values to zero, clamping positive values to
the rounded hardware-representable maximum (the value returned by the
read path for a full-scale register) to prevent intermediate overflow,
and clamping the converted register value to the hardware field width
before writing. The existing conversion formula and rounding behavior
are preserved.
In the power write path, cancel the factor of 1000 from both the
numerator (r_sense_uohm * 1000) and the denominator
(VADC_UV_LSB * IADC_NANOV_LSB) to also eliminate a u32 overflow of
r_sense_uohm * 1000 when r_sense_uohm exceeds about 4.29 ohms.
Fixes: b0bd407e94b03 ("hwmon: (ltc2992) Add support")
Cc: stable@vger.kernel.org
Signed-off-by: Sanman Pradhan <psanman@juniper.net>
Link: https://lore.kernel.org/r/20260416215904.101969-2-sanman.pradhan@hpe.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/ltc2992.c | 35 ++++++++++++++++++++++++++++-------
1 file changed, 28 insertions(+), 7 deletions(-)
--- a/drivers/hwmon/ltc2992.c
+++ b/drivers/hwmon/ltc2992.c
@@ -421,10 +421,16 @@ static int ltc2992_get_voltage(struct lt
static int ltc2992_set_voltage(struct ltc2992_state *st, u32 reg, u32 scale, long val)
{
- val = DIV_ROUND_CLOSEST(val * 1000, scale);
- val = val << 4;
+ u32 reg_val;
+ long vmax;
+
+ vmax = DIV_ROUND_CLOSEST_ULL(0xFFFULL * scale, 1000);
+ val = max(val, 0L);
+ val = min(val, vmax);
+ reg_val = min(DIV_ROUND_CLOSEST_ULL((u64)val * 1000, scale),
+ 0xFFFULL) << 4;
- return ltc2992_write_reg(st, reg, 2, val);
+ return ltc2992_write_reg(st, reg, 2, reg_val);
}
static int ltc2992_read_gpio_alarm(struct ltc2992_state *st, int nr_gpio, u32 attr, long *val)
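Review bot: In ltc2992_set_voltage() `vmax` is declared `long` but receives the u64 result of `DIV_ROUND_CLOSEST_ULL(0xFFFULL * scale, 1000)`, and `scale` is a u32, so on a 32-bit build the quotient only fits if callers pass small scale values. Either make vmax a u64 and do the upper clamp in unsigned space after the `max(val, 0L)` step, or document the bound on scale in a comment. The literal 0xFFF appears twice in the function for the 12-bit field; a named constant would document the width.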
@@ -549,9 +555,15 @@ static int ltc2992_get_current(struct lt
static int ltc2992_set_current(struct ltc2992_state *st, u32 reg, u32 channel, long val)
{
u32 reg_val;
+ long cmax;
- reg_val = DIV_ROUND_CLOSEST(val * st->r_sense_uohm[channel], LTC2992_IADC_NANOV_LSB);
- reg_val = reg_val << 4;
+ cmax = DIV_ROUND_CLOSEST_ULL(0xFFFULL * LTC2992_IADC_NANOV_LSB,
+ st->r_sense_uohm[channel]);
+ val = max(val, 0L);
+ val = min(val, cmax);
+ reg_val = min(DIV_ROUND_CLOSEST_ULL((u64)val * st->r_sense_uohm[channel],
+ LTC2992_IADC_NANOV_LSB),
+ 0xFFFULL) << 4;
return ltc2992_write_reg(st, reg, 2, reg_val);
}
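Review bot: The new `cmax` computation in ltc2992_set_current() divides by st->r_sense_uohm[channel], whereas the removed code only multiplied by it, so a zero shunt value now reaches a divide inside DIV_ROUND_CLOSEST_ULL(). Confirm that a zero value is rejected before this function can run, or guard it here before computing cmax.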
@@ -624,9 +636,18 @@ static int ltc2992_get_power(struct ltc2
static int ltc2992_set_power(struct ltc2992_state *st, u32 reg, u32 channel, long val)
{
u32 reg_val;
+ u64 pmax, uval;
- reg_val = mul_u64_u32_div(val, st->r_sense_uohm[channel] * 1000,
- LTC2992_VADC_UV_LSB * LTC2992_IADC_NANOV_LSB);
+ uval = max(val, 0L);
+ pmax = mul_u64_u32_div(0xFFFFFFULL,
+ LTC2992_VADC_UV_LSB / 1000 *
+ LTC2992_IADC_NANOV_LSB,
+ st->r_sense_uohm[channel]);
+ uval = min(uval, pmax);
+ reg_val = min(mul_u64_u32_div(uval, st->r_sense_uohm[channel],
+ LTC2992_VADC_UV_LSB / 1000 *
+ LTC2992_IADC_NANOV_LSB),
+ 0xFFFFFFULL);
return ltc2992_write_reg(st, reg, 3, reg_val);
}
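Review bot: In ltc2992_set_power() the scale factor `LTC2992_VADC_UV_LSB / 1000 * LTC2992_IADC_NANOV_LSB` is written out twice, once as the multiplier for pmax and once as the divisor for reg_val, and it depends on left-to-right evaluation of `/` and `*` to mean (VADC / 1000) * IADC. Hoisting it into a local or a named macro with explicit parentheses would remove the duplication and make the grouping obvious. The pmax call also divides by st->r_sense_uohm[channel], which the removed code did not, so the shunt value must be known to be non-zero here as well.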
* [PATCH 6.1 329/969] hwmon: (ltc2992) Fix u32 overflow in power read path
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sanman Pradhan, Guenter Roeck
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sanman Pradhan <psanman@juniper.net>
commit 2da0c1fd01dbd6b22844e8676585153dfc660cbe upstream.
ltc2992_get_power() computes the divisor for mul_u64_u32_div() as
r_sense_uohm * 1000. This multiplication overflows u32 when
r_sense_uohm exceeds about 4.29 ohms (4294967 micro-ohms), producing
a truncated divisor and an incorrect power reading.
Cancel the factor of 1000 from both the numerator
(VADC_UV_LSB * IADC_NANOV_LSB = 312500000) and the divisor
(r_sense_uohm * 1000), giving (VADC_UV_LSB / 1000) * IADC_NANOV_LSB
= 312500 as the numerator and plain r_sense_uohm as the divisor.
The cancellation is exact because LTC2992_VADC_UV_LSB (25000) is
divisible by 1000.
This is the read-path counterpart of the write-path fix applied in
the preceding patch.
Fixes: b0bd407e94b03 ("hwmon: (ltc2992) Add support")
Cc: stable@vger.kernel.org
Signed-off-by: Sanman Pradhan <psanman@juniper.net>
Link: https://lore.kernel.org/r/20260416215904.101969-3-sanman.pradhan@hpe.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/ltc2992.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/hwmon/ltc2992.c
+++ b/drivers/hwmon/ltc2992.c
@@ -627,8 +627,10 @@ static int ltc2992_get_power(struct ltc2
if (reg_val < 0)
return reg_val;
- *val = mul_u64_u32_div(reg_val, LTC2992_VADC_UV_LSB * LTC2992_IADC_NANOV_LSB,
- st->r_sense_uohm[channel] * 1000);
+ *val = mul_u64_u32_div(reg_val,
+ LTC2992_VADC_UV_LSB / 1000 *
+ LTC2992_IADC_NANOV_LSB,
+ st->r_sense_uohm[channel]);
return 0;
}
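Review bot: Nothing at the call site in ltc2992_get_power() records why the multiplier is `LTC2992_VADC_UV_LSB / 1000 * LTC2992_IADC_NANOV_LSB` rather than the plain product; the reasoning (avoiding the u32 overflow of r_sense_uohm * 1000, exact because LTC2992_VADC_UV_LSB is divisible by 1000) lives only in the commit message. A short comment above the mul_u64_u32_div() call would keep the cancelled form from being reverted by a later cleanup.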
* [PATCH 6.1 330/969] hwmon: (corsair-psu) Close HID device on probe errors
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Myeonghun Pak, Wilken Gottwalt,
Guenter Roeck
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Myeonghun Pak <mhun512@gmail.com>
commit 174606451fbb17db506ebaacdd5e203e57773d5f upstream.
corsairpsu_probe() opens the HID device before sending the device init
and firmware-info commands. If either command fails, the error path jumps
directly to fail_and_stop and skips hid_hw_close().
Use the existing fail_and_close label for those post-open failures so the
open count and low-level close callback are balanced before hid_hw_stop().
Fixes: d115b51e0e56 ("hwmon: add Corsair PSU HID controller driver")
Cc: stable@vger.kernel.org
Signed-off-by: Myeonghun Pak <mhun512@gmail.com>
Reviewed-by: Wilken Gottwalt <wilken.gottwalt@posteo.net>
Link: https://lore.kernel.org/r/20260424135107.13720-1-mhun512@gmail.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/corsair-psu.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/hwmon/corsair-psu.c
+++ b/drivers/hwmon/corsair-psu.c
@@ -743,13 +743,13 @@ static int corsairpsu_probe(struct hid_d
ret = corsairpsu_init(priv);
if (ret < 0) {
dev_err(&hdev->dev, "unable to initialize device (%d)\n", ret);
- goto fail_and_stop;
+ goto fail_and_close;
}
ret = corsairpsu_fwinfo(priv);
if (ret < 0) {
dev_err(&hdev->dev, "unable to query firmware (%d)\n", ret);
- goto fail_and_stop;
+ goto fail_and_close;
}
corsairpsu_get_criticals(priv);
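Review bot: Both post-open failures in corsairpsu_probe() now jump to fail_and_close, but the labels themselves are outside this hunk, so check that fail_and_close falls through into fail_and_stop; if it returned on its own, hid_hw_stop() would be skipped on these two paths. With that confirmed, the change is the minimal fix for the unbalanced open the commit message describes.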
* [PATCH 6.1 331/969] cifs: abort open_cached_dir if we dont request leases
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bharath SM, Shyam Prasad N,
Steve French
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shyam Prasad N <sprasad@microsoft.com>
commit d68ce834f8cf6cb2e77f3331df65166b35466b53 upstream.
It is possible that SMB2_open_init may not set lease context based
on the requested oplock level. This can happen when leases have been
temporarily or permanently disabled. When this happens, we will have
open_cached_dir making an open without lease context and the response
will anyway be rejected by open_cached_dir (thereby forcing a close to
discard this open). That's two unnecessary round-trips to the server.
This change adds a check before making the open request to the server
to make sure that SMB2_open_init did add the expected lease context
to the open in open_cached_dir.
Cc: <stable@vger.kernel.org>
Reviewed-by: Bharath SM <bharathsm@microsoft.com>
Signed-off-by: Shyam Prasad N <sprasad@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/cached_dir.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/fs/smb/client/cached_dir.c
+++ b/fs/smb/client/cached_dir.c
@@ -228,6 +228,14 @@ int open_cached_dir(unsigned int xid, st
&rqst[0], &oplock, &oparms, utf16_path);
if (rc)
goto oshr_free;
+
+ if (oplock != SMB2_OPLOCK_LEVEL_II) {
+ rc = -EINVAL;
+ cifs_dbg(FYI, "%s: Oplock level %d not suitable for cached directory\n",
+ __func__, oplock);
+ goto oshr_free;
+ }
+
smb2_set_next_command(tcon, &rqst[0]);
memset(&qi_iov, 0, sizeof(qi_iov));
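Review bot: The new check `if (oplock != SMB2_OPLOCK_LEVEL_II)` carries no comment saying why that particular level indicates that the lease context was added to the request; the hunk shows only that `&oplock` is passed to the preceding init call, so the link is not evident here. Add a comment to that effect, and reconsider -EINVAL as the return code: the commit message describes the condition as possibly temporary, while -EINVAL reads as a caller error.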
* [PATCH 6.1 332/969] cifs: change_conf needs to be called for session setup
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bharath SM, Shyam Prasad N,
Steve French
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shyam Prasad N <sprasad@microsoft.com>
commit c208a2b95811d6e1ebae65d0d2fc13f73707f8e7 upstream.
Today we skip calling change_conf for negotiates and session setup
requests. This can be a problem for mchan as the immediate next call
after session setup could be due to an I/O that is made on the
mount point. For single channel, this is not a problem as
there will be several calls after setting up session.
This change enforces calling change_conf when the total credits contain
enough for reservations for echoes and oplocks. We expect this to happen
during the last session setup response. This way, echoes and oplocks are
not disabled before the first request to the server. So if that first
request is an open, it does not need to disable requesting leases.
Cc: <stable@vger.kernel.org>
Reviewed-by: Bharath SM <bharathsm@microsoft.com>
Signed-off-by: Shyam Prasad N <sprasad@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/smb2ops.c | 11 +++++++++++
1 file changed, 11 insertions(+)
--- a/fs/smb/client/smb2ops.c
+++ b/fs/smb/client/smb2ops.c
@@ -94,10 +94,21 @@ smb2_add_credits(struct TCP_Server_Info
add, server->in_flight);
}
server->in_flight--;
+
+ /*
+ * Rebalance credits when an op drains in_flight. For session setup,
+ * do this only when the total accumulated credits are high enough (>2)
+ * so that a newly established secondary channel can reserve credits for
+ * echoes and oplocks. We expect this to happen at the end of the final
+ * session setup response.
+ */
if (server->in_flight == 0 &&
((optype & CIFS_OP_MASK) != CIFS_NEG_OP) &&
((optype & CIFS_OP_MASK) != CIFS_SESS_OP))
rc = change_conf(server);
+ else if (server->in_flight == 0 &&
+ ((optype & CIFS_OP_MASK) == CIFS_SESS_OP) && *val > 2)
+ rc = change_conf(server);
/*
* Sometimes server returns 0 credits on oplock break ack - we need to
* rebalance credits in this case.
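Review bot: The session-setup threshold in smb2_add_credits() is the bare literal in `*val > 2`; the comment says it stands for the credits reserved for echoes and oplocks, so a named constant would tie the number to its meaning. The two branches also share `server->in_flight == 0` and the same `rc = change_conf(server);` body, and could be a single condition: not a negotiate op, and either not a session-setup op or `*val > 2`.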
* [PATCH 6.1 333/969] extcon: ptn5150: handle pending IRQ events during system resume
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, MyungJoo Ham,
Xu Yang, Chanwoo Choi
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xu Yang <xu.yang_2@nxp.com>
commit 4652fefcda3c604c83d1ae28ede94544e2142f06 upstream.
When the system is suspended and the ptn5150 wakeup interrupt is disabled,
any changes on ptn5150 will only be recorded in the interrupt status
registers and won't fire an IRQ since its trigger type is falling
edge. So the HW interrupt line will stay in the low state and any further
changes won't trigger an IRQ anymore. To fix it, this will schedule a
work to check whether any IRQs are pending and handle them accordingly.
Fixes: 4ed754de2d66 ("extcon: Add support for ptn5150 extcon driver")
Cc: stable@vger.kernel.org
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Acked-by: MyungJoo Ham <myungjoo.ham@samsung.com>
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
Link: https://lore.kernel.org/lkml/20251115025905.1395347-1-xu.yang_2@nxp.com/
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/extcon/extcon-ptn5150.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
--- a/drivers/extcon/extcon-ptn5150.c
+++ b/drivers/extcon/extcon-ptn5150.c
@@ -331,6 +331,19 @@ static int ptn5150_i2c_probe(struct i2c_
return 0;
}
+static int ptn5150_resume(struct device *dev)
+{
+ struct i2c_client *i2c = to_i2c_client(dev);
+ struct ptn5150_info *info = i2c_get_clientdata(i2c);
+
+ /* Need to check possible pending interrupt events */
+ schedule_work(&info->irq_work);
+
+ return 0;
+}
+
+static DEFINE_SIMPLE_DEV_PM_OPS(ptn5150_pm_ops, NULL, ptn5150_resume);
+
static const struct of_device_id ptn5150_dt_match[] = {
{ .compatible = "nxp,ptn5150" },
{ },
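Review bot: ptn5150_resume() calls `schedule_work(&info->irq_work);` on every resume and the PM ops are defined with a NULL suspend callback, so nothing in this hunk distinguishes the case the commit message targets (wakeup interrupt disabled) from an ordinary resume. That is acceptable if the work handler is safe to run with no event pending, but the comment `/* Need to check possible pending interrupt events */` should say so and mention that the falling-edge line stays low once an event has been latched.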
@@ -346,6 +359,7 @@ MODULE_DEVICE_TABLE(i2c, ptn5150_i2c_id)
static struct i2c_driver ptn5150_i2c_driver = {
.driver = {
.name = "ptn5150",
+ .pm = pm_sleep_ptr(&ptn5150_pm_ops),
.of_match_table = ptn5150_dt_match,
},
.probe_new = ptn5150_i2c_probe,
* [PATCH 6.1 334/969] hv_sock: fix ARM64 support
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dexuan Cui, Hamza Mahfooz,
Stefano Garzarella, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
commit b31681206e3f527970a7c7ed807fbf6a028fc25b upstream.
VMBUS ring buffers must be page aligned. Therefore, the current value of
24K presents a challenge on ARM64 kernels (with 64K pages). So, use
VMBUS_RING_SIZE() to ensure they are always aligned and large enough to
hold all of the relevant data.
Cc: stable@vger.kernel.org
Fixes: 77ffe33363c0 ("hv_sock: use HV_HYP_PAGE_SIZE for Hyper-V communication")
Tested-by: Dexuan Cui <decui@microsoft.com>
Reviewed-by: Dexuan Cui <decui@microsoft.com>
Signed-off-by: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
Acked-by: Stefano Garzarella <sgarzare@redhat.com>
Link: https://patch.msgid.link/20260428125339.13963-1-hamzamahfooz@linux.microsoft.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/vmw_vsock/hyperv_transport.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/net/vmw_vsock/hyperv_transport.c
+++ b/net/vmw_vsock/hyperv_transport.c
@@ -375,10 +375,10 @@ static void hvs_open_connection(struct v
} else {
sndbuf = max_t(int, sk->sk_sndbuf, RINGBUFFER_HVS_SND_SIZE);
sndbuf = min_t(int, sndbuf, RINGBUFFER_HVS_MAX_SIZE);
- sndbuf = ALIGN(sndbuf, HV_HYP_PAGE_SIZE);
+ sndbuf = VMBUS_RING_SIZE(sndbuf);
rcvbuf = max_t(int, sk->sk_rcvbuf, RINGBUFFER_HVS_RCV_SIZE);
rcvbuf = min_t(int, rcvbuf, RINGBUFFER_HVS_MAX_SIZE);
- rcvbuf = ALIGN(rcvbuf, HV_HYP_PAGE_SIZE);
+ rcvbuf = VMBUS_RING_SIZE(rcvbuf);
}
chan->max_pkt_size = HVS_MAX_PKT_SIZE;
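Review bot: In hvs_open_connection() VMBUS_RING_SIZE() is applied after the `min_t(int, sndbuf, RINGBUFFER_HVS_MAX_SIZE)` clamp, so any rounding up it performs happens on top of the maximum, and the same holds for rcvbuf. The removed ALIGN() had the same ordering, so this is not a regression, but confirm that the rounded result is still within what the channel open accepts and that it fits the `int` these variables are clamped as.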
* [PATCH 6.1 335/969] ibmveth: Disable GSO for packets with small MSS
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Brian King, Shaik Abdulla,
Naveed Ahmed, Mingming Cao, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mingming Cao <mmc@linux.ibm.com>
commit cc427d24ac6442ffdeafd157a63c7c5b73ed4de4 upstream.
Some physical adapters on Power systems do not support segmentation
offload when the MSS is less than 224 bytes. Attempting to send such
packets causes the adapter to freeze, stopping all traffic until
manually reset.
Implement ndo_features_check to disable GSO for packets with small MSS
values. The network stack will perform software segmentation instead.
The 224-byte minimum matches ibmvnic
commit <f10b09ef687f> ("ibmvnic: Enforce stronger sanity checks
on GSO packets")
which uses the same physical adapters in SEA configurations.
The issue occurs specifically when the hardware attempts to perform
segmentation (gso_segs > 1) with a small MSS. Single-segment GSO packets
(gso_segs == 1) do not trigger the problematic LSO code path and are
transmitted normally without segmentation.
Add an ndo_features_check callback to disable GSO when MSS < 224 bytes.
Also call vlan_features_check() to ensure proper handling of VLAN packets,
particularly QinQ (802.1ad) configurations where the hardware parser may
not support certain offload features.
Validated using iptables to force small MSS values. Without the fix,
the adapter freezes. With the fix, packets are segmented in software
and transmission succeeds. Comprehensive regression testing completed
(MSS tests, performance, stability).
Fixes: 8641dd85799f ("ibmveth: Add support for TSO")
Cc: stable@vger.kernel.org
Reviewed-by: Brian King <bjking1@linux.ibm.com>
Tested-by: Shaik Abdulla <shaik.abdulla1@ibm.com>
Tested-by: Naveed Ahmed <naveedaus@in.ibm.com>
Signed-off-by: Mingming Cao <mmc@linux.ibm.com>
Link: https://patch.msgid.link/20260424162917.65725-1-mmc@linux.ibm.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/ibm/ibmveth.c | 22 ++++++++++++++++++++++
drivers/net/ethernet/ibm/ibmveth.h | 1 +
2 files changed, 23 insertions(+)
--- a/drivers/net/ethernet/ibm/ibmveth.c
+++ b/drivers/net/ethernet/ibm/ibmveth.c
@@ -1637,6 +1637,27 @@ static int ibmveth_set_mac_addr(struct n
return 0;
}
+static netdev_features_t ibmveth_features_check(struct sk_buff *skb,
+ struct net_device *dev,
+ netdev_features_t features)
+{
+ /* Some physical adapters do not support segmentation offload with
+ * MSS < 224. Disable GSO for such packets to avoid adapter freeze.
+ * Note: Single-segment packets (gso_segs == 1) don't need this check
+ * as they bypass the LSO path and are transmitted without segmentation.
+ */
+ if (skb_is_gso(skb)) {
+ if (skb_shinfo(skb)->gso_size < IBMVETH_MIN_LSO_MSS) {
+ netdev_warn_once(dev,
+ "MSS %u too small for LSO, disabling GSO\n",
+ skb_shinfo(skb)->gso_size);
+ features &= ~NETIF_F_GSO_MASK;
+ }
+ }
+
+ return vlan_features_check(skb, features);
+}
+
static const struct net_device_ops ibmveth_netdev_ops = {
.ndo_open = ibmveth_open,
.ndo_stop = ibmveth_close,
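Review bot: The comment in ibmveth_features_check() says single-segment packets (gso_segs == 1) do not need the check, but the code tests only skb_is_gso(skb) and `gso_size < IBMVETH_MIN_LSO_MSS`, so GSO features are also cleared for single-segment GSO skbs with a small MSS. Either add the gso_segs condition or reword the comment to say such packets are deliberately included. The two nested `if` statements can also be one condition joined with `&&`.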
@@ -1648,6 +1669,7 @@ static const struct net_device_ops ibmve
.ndo_set_features = ibmveth_set_features,
.ndo_validate_addr = eth_validate_addr,
.ndo_set_mac_address = ibmveth_set_mac_addr,
+ .ndo_features_check = ibmveth_features_check,
#ifdef CONFIG_NET_POLL_CONTROLLER
.ndo_poll_controller = ibmveth_poll_controller,
#endif
--- a/drivers/net/ethernet/ibm/ibmveth.h
+++ b/drivers/net/ethernet/ibm/ibmveth.h
@@ -36,6 +36,7 @@
#define IBMVETH_ILLAN_IPV4_TCP_CSUM 0x0000000000000002UL
#define IBMVETH_ILLAN_ACTIVE_TRUNK 0x0000000000000001UL
+#define IBMVETH_MIN_LSO_MSS 224 /* Minimum MSS for LSO */
/* hcall macros */
#define h_register_logical_lan(ua, buflst, rxq, fltlst, mac) \
plpar_hcall_norets(H_REGISTER_LOGICAL_LAN, ua, buflst, rxq, fltlst, mac)
* [PATCH 6.1 336/969] udf: reject descriptors with oversized CRC length
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Jan Kara
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit 55d41b0a20128e86b9e960dd2e3f0a2d69a18df7 upstream.
udf_read_tagged() skips CRC verification when descCRCLength +
sizeof(struct tag) exceeds the block size. A crafted UDF image can
set descCRCLength to an oversized value to bypass CRC validation
entirely; the descriptor is then accepted based solely on the 8-bit
tag checksum, which is trivially recomputable.
Reject such descriptors instead of silently accepting them. A
legitimate single-block descriptor should never have a CRC length that
exceeds the block.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://patch.msgid.link/20260413211240.853662-1-michael.bommarito@gmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/udf/misc.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/fs/udf/misc.c
+++ b/fs/udf/misc.c
@@ -250,8 +250,12 @@ struct buffer_head *udf_read_tagged(stru
}
/* Verify the descriptor CRC */
- if (le16_to_cpu(tag_p->descCRCLength) + sizeof(struct tag) > sb->s_blocksize ||
- le16_to_cpu(tag_p->descCRC) == crc_itu_t(0,
+ if (le16_to_cpu(tag_p->descCRCLength) + sizeof(struct tag) > sb->s_blocksize) {
+ udf_err(sb, "block %u: CRC length %u exceeds block size\n",
+ block, le16_to_cpu(tag_p->descCRCLength));
+ goto error_out;
+ }
+ if (le16_to_cpu(tag_p->descCRC) == crc_itu_t(0,
bh->b_data + sizeof(struct tag),
le16_to_cpu(tag_p->descCRCLength)))
return bh;
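Review bot: le16_to_cpu(tag_p->descCRCLength) is now evaluated three times across the bound check, the udf_err() call and the crc_itu_t() length argument; reading it once into a local u16 would make it obvious that the value that was bounds-checked is the value used as the CRC length. The message could also print sb->s_blocksize next to the rejected length, which helps when triaging a corrupted or crafted image from the log alone.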
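The pre-patch and patched conditions from the hunk above, modelled in user space so the difference can be run as a regression check. This is an added example, not code from the patch or the kernel tree; the offsets follow the 16-byte descriptor tag, and the block size, helper names and sample descriptor are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-space model only; names and sample data are illustrative. */
#define TAG_SIZE        16u    /* size of the on-disk descriptor tag */
#define UDF_BLOCK_SIZE  2048u  /* constructed sample block size */
#define OFF_CHECKSUM    4      /* tagChecksum */
#define OFF_CRC         8      /* descCRC, little-endian */
#define OFF_CRC_LEN     10     /* descCRCLength, little-endian */

enum verdict { DESC_OK, DESC_BAD_CHECKSUM, DESC_BAD_CRC_LEN, DESC_BAD_CRC };

static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void put_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* CRC-ITU-T: polynomial 0x1021, MSB first, caller supplies the initial value. */
static uint16_t crc_itu_t(uint16_t crc, const uint8_t *buf, size_t len)
{
	while (len--) {
		crc ^= (uint16_t)(*buf++ << 8);
		for (int bit = 0; bit < 8; bit++)
			crc = (uint16_t)((crc & 0x8000) ? (crc << 1) ^ 0x1021 : crc << 1);
	}
	return crc;
}

/* 8-bit sum over the tag bytes, skipping the checksum byte itself. */
static uint8_t tag_checksum(const uint8_t *tag)
{
	uint8_t sum = 0;

	for (size_t i = 0; i < TAG_SIZE; i++)
		if (i != OFF_CHECKSUM)
			sum = (uint8_t)(sum + tag[i]);
	return sum;
}

/* Pre-patch condition: an oversized length short-circuits the CRC comparison. */
static enum verdict check_before(const uint8_t *blk, size_t blocksize)
{
	uint16_t crc_len = get_le16(blk + OFF_CRC_LEN);

	if (tag_checksum(blk) != blk[OFF_CHECKSUM])
		return DESC_BAD_CHECKSUM;
	if (crc_len + TAG_SIZE > blocksize ||
	    get_le16(blk + OFF_CRC) == crc_itu_t(0, blk + TAG_SIZE, crc_len))
		return DESC_OK;
	return DESC_BAD_CRC;
}

/* Patched condition: the length is validated first, then the CRC is always checked. */
static enum verdict check_after(const uint8_t *blk, size_t blocksize)
{
	uint16_t crc_len = get_le16(blk + OFF_CRC_LEN);

	if (tag_checksum(blk) != blk[OFF_CHECKSUM])
		return DESC_BAD_CHECKSUM;
	if (crc_len + TAG_SIZE > blocksize)
		return DESC_BAD_CRC_LEN;
	if (get_le16(blk + OFF_CRC) != crc_itu_t(0, blk + TAG_SIZE, crc_len))
		return DESC_BAD_CRC;
	return DESC_OK;
}

/* Build a constructed, internally consistent descriptor covering body_len bytes. */
static void make_valid(uint8_t *blk, uint16_t body_len)
{
	memset(blk, 0, UDF_BLOCK_SIZE);
	put_le16(blk, 2);                              /* constructed tagIdent */
	for (size_t i = 0; i < body_len; i++)
		blk[TAG_SIZE + i] = (uint8_t)(i * 7 + 1);  /* constructed body */
	put_le16(blk + OFF_CRC_LEN, body_len);
	put_le16(blk + OFF_CRC, crc_itu_t(0, blk + TAG_SIZE, body_len));
	blk[OFF_CHECKSUM] = tag_checksum(blk);
}

/* Regression fixture for the case in the commit message: the body no longer
 * matches descCRC, descCRCLength is oversized, only the tag checksum is redone. */
static void corrupt_with_oversized_len(uint8_t *blk)
{
	blk[TAG_SIZE + 84] ^= 0xff;
	put_le16(blk + OFF_CRC_LEN, 0xffff);
	blk[OFF_CHECKSUM] = tag_checksum(blk);
}

int main(void)
{
	static uint8_t blk[UDF_BLOCK_SIZE];

	make_valid(blk, 496);
	printf("valid:     before=%d after=%d\n",
	       check_before(blk, UDF_BLOCK_SIZE), check_after(blk, UDF_BLOCK_SIZE));
	corrupt_with_oversized_len(blk);
	printf("oversized: before=%d after=%d\n",
	       check_before(blk, UDF_BLOCK_SIZE), check_after(blk, UDF_BLOCK_SIZE));
	return 0;
}
```

A descriptor whose CRC length plus the tag exactly fills the block is still accepted by the patched condition, since the comparison is a strict greater-than.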
* [PATCH 6.1 337/969] thermal/drivers/sprd: Fix temperature clamping in sprd_thm_temp_to_rawdata
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Daniel Lezcano,
Baolin Wang
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
commit 83c0f9a5d679a6f8d84fc49b2f62ea434ccab4b6 upstream.
The temperature was never clamped to SPRD_THM_TEMP_LOW or
SPRD_THM_TEMP_HIGH because the return value of clamp() was not used. Fix
this by assigning the clamped value to 'temp'.
Casting SPRD_THM_TEMP_LOW and SPRD_THM_TEMP_HIGH to int is also
redundant and can be removed.
Fixes: 554fdbaf19b1 ("thermal: sprd: Add Spreadtrum thermal driver support")
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: Daniel Lezcano <daniel.lezcano@kernel.org>
Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260307102422.306055-1-thorsten.blum@linux.dev
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/thermal/sprd_thermal.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/thermal/sprd_thermal.c
+++ b/drivers/thermal/sprd_thermal.c
@@ -192,7 +192,7 @@ static int sprd_thm_temp_to_rawdata(int
{
u32 val;
- clamp(temp, (int)SPRD_THM_TEMP_LOW, (int)SPRD_THM_TEMP_HIGH);
+ temp = clamp(temp, SPRD_THM_TEMP_LOW, SPRD_THM_TEMP_HIGH);
/*
* According to the thermal datasheet, the formula of converting
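Review bot: with the clamp() result now assigned, out-of-range temp values are saturated for the first time since the Fixes: commit, so the raw value computed below changes for any caller that passes a temperature outside SPRD_THM_TEMP_LOW..SPRD_THM_TEMP_HIGH; worth confirming against the 6.1 callers that this is the intended behaviour. Dropping the (int) casts on the same line also relies on clamp() in this tree accepting the macros' types as they are, which the hunk does not show.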
* [PATCH 6.1 338/969] thermal/drivers/sprd: Fix raw temperature clamping in sprd_thm_rawdata_to_temp
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Daniel Lezcano,
Baolin Wang
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
commit b3414148bbc1f9cd56217e58a558c6ac4fd1b4a6 upstream.
The raw temperature data was never clamped to SPRD_THM_RAW_DATA_LOW or
SPRD_THM_RAW_DATA_HIGH because the return value of clamp() was not used.
Fix this by assigning the clamped value to 'rawdata'.
Casting SPRD_THM_RAW_DATA_LOW and SPRD_THM_RAW_DATA_HIGH to u32 is also
redundant and can be removed.
Fixes: 554fdbaf19b1 ("thermal: sprd: Add Spreadtrum thermal driver support")
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: Daniel Lezcano <daniel.lezcano@kernel.org>
Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260307102422.306055-2-thorsten.blum@linux.dev
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/thermal/sprd_thermal.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/thermal/sprd_thermal.c
+++ b/drivers/thermal/sprd_thermal.c
@@ -178,7 +178,7 @@ static int sprd_thm_sensor_calibration(s
static int sprd_thm_rawdata_to_temp(struct sprd_thermal_sensor *sen,
u32 rawdata)
{
- clamp(rawdata, (u32)SPRD_THM_RAW_DATA_LOW, (u32)SPRD_THM_RAW_DATA_HIGH);
+ rawdata = clamp(rawdata, SPRD_THM_RAW_DATA_LOW, SPRD_THM_RAW_DATA_HIGH);
/*
* According to the thermal datasheet, the formula of converting
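Review bot: rawdata is u32 and the (u32) casts on SPRD_THM_RAW_DATA_LOW and SPRD_THM_RAW_DATA_HIGH are removed on the same line; if those macros are plain integer constants, this only builds cleanly where clamp() tolerates mixed signedness, so the backport needs a build check against the 6.1 minmax.h, or should keep the casts or use clamp_t(u32, ...).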
* [PATCH 6.1 339/969] spi: topcliff-pch: fix use-after-free on unbind
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tomoya MORINAGA, Johan Hovold,
Mark Brown
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 9d72732fe70c11424bc90ed466c7ccfa58b42a9a upstream.
Give the driver a chance to flush its queue before releasing the DMA
buffers on driver unbind.
Fixes: c37f3c2749b5 ("spi/topcliff_pch: DMA support")
Cc: stable@vger.kernel.org # 3.1
Cc: Tomoya MORINAGA <tomoya-linux@dsn.okisemi.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260414134319.978196-9-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-topcliff-pch.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/spi/spi-topcliff-pch.c
+++ b/drivers/spi/spi-topcliff-pch.c
@@ -1406,9 +1406,6 @@ static int pch_spi_pd_remove(struct plat
dev_dbg(&plat_dev->dev, "%s:[ch%d] irq=%d\n",
__func__, plat_dev->id, board_dat->pdev->irq);
- if (use_dma)
- pch_free_dma_buf(board_dat, data);
-
/* check for any pending messages; no action is taken if the queue
* is still full; but at least we tried. Unload anyway */
count = 500;
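Review bot: the wait that follows this removal is bounded (count = 500) and its own comment says the driver unloads even if the queue is still full, so deferring pch_free_dma_buf() narrows the use-after-free window rather than closing it when the queue does not drain; the timeout path should either cancel outstanding work or be called out in the commit message.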
@@ -1432,6 +1429,9 @@ static int pch_spi_pd_remove(struct plat
free_irq(board_dat->pdev->irq, data);
}
+ if (use_dma)
+ pch_free_dma_buf(board_dat, data);
+
pci_iounmap(board_dat->pdev, data->io_remap_addr);
spi_unregister_master(data->master);
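Review bot: pch_free_dma_buf() now runs after free_irq() but still before spi_unregister_master(data->master), so the controller remains registered while its DMA buffers are already gone; unless something outside this hunk blocks new transfers at this point, the free belongs after the unregister.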
* [PATCH 6.1 340/969] clk: microchip: mpfs-ccc: fix out of bounds access during output registration
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Brian Masney, Conor Dooley
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Conor Dooley <conor.dooley@microchip.com>
commit 2f7ae8ab6aa73daaf080d5332110357c29df9c36 upstream.
UBSAN reported an out of bounds access during registration of the last
two outputs. This out of bounds access occurs because space is only
allocated in the hws array for two PLLs and the four output dividers
that each has, but the defined IDs contain two DLLs and their two
outputs each, which are not supported by the driver. The ID order is
PLLs -> DLLs -> PLL outputs -> DLL outputs. Decrement the PLL output IDs
by two while adding them to the array to avoid the problem.
Fixes: d39fb172760e ("clk: microchip: add PolarFire SoC fabric clock support")
CC: stable@vger.kernel.org
Reviewed-by: Brian Masney <bmasney@redhat.com>
Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/clk/microchip/clk-mpfs-ccc.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/clk/microchip/clk-mpfs-ccc.c b/drivers/clk/microchip/clk-mpfs-ccc.c
index 3a3ea2d142f8..0a76a1aaa50f 100644
--- a/drivers/clk/microchip/clk-mpfs-ccc.c
+++ b/drivers/clk/microchip/clk-mpfs-ccc.c
@@ -178,7 +178,7 @@ static int mpfs_ccc_register_outputs(struct device *dev, struct mpfs_ccc_out_hw_
return dev_err_probe(dev, ret, "failed to register clock id: %d\n",
out_hw->id);
- data->hw_data.hws[out_hw->id] = &out_hw->divider.hw;
+ data->hw_data.hws[out_hw->id - 2] = &out_hw->divider.hw;
}
return 0;
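Review bot: the bare `- 2` in the hws index encodes the number of unsupported DLL IDs and nothing ties it to the ID definitions; a named constant (or an expression derived from the DLL ID range) plus a check that out_hw->id is at least that large would keep the subtraction from underflowing if the ID table is ever reordered. It also means hws[] is no longer indexed by clock ID for the PLL outputs, so whatever resolves consumer lookups has to apply the same offset.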
@@ -234,6 +234,10 @@ static int mpfs_ccc_probe(struct platform_device *pdev)
unsigned int num_clks;
int ret;
+ /*
+ * If DLLs get added here, mpfs_ccc_register_outputs() currently packs
+ * sparse clock IDs in the hws array
+ */
num_clks = ARRAY_SIZE(mpfs_ccc_pll_clks) + ARRAY_SIZE(mpfs_ccc_pll0out_clks) +
ARRAY_SIZE(mpfs_ccc_pll1out_clks);
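Review bot: the new comment says the outputs are packed but not by how much or where; naming the `- 2` offset used in mpfs_ccc_register_outputs() and stating that num_clks below has to change together with it would make the coupling between the two sites explicit.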
--
2.54.0
* [PATCH 6.1 341/969] cpuidle: powerpc: avoid double clear when breaking snooze
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mukesh Kumar Chaurasiya (IBM),
Shrikanth Hegde, Madhavan Srinivasan
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shrikanth Hegde <sshegde@linux.ibm.com>
commit 64ed1e3e728afb57ba9acb59e69de930ead847d9 upstream.
snooze_loop is done often in any system which has a fair bit of
idle time. So it qualifies for even micro-optimizations.
When breaking the snooze due to timeout, TIF_POLLING_NRFLAG is cleared
twice. Clearing the bit invokes atomics. Avoid double clear and thereby
avoid one atomic write.
dev->poll_time_limit indicates whether the loop was broken due to
timeout. Use that instead of defining a new variable.
Fixes: 7ded429152e8 ("cpuidle: powerpc: no memory barrier after break from idle")
Cc: stable@vger.kernel.org
Reviewed-by: Mukesh Kumar Chaurasiya (IBM) <mkchauras@gmail.com>
Signed-off-by: Shrikanth Hegde <sshegde@linux.ibm.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20260311061709.1230440-1-sshegde@linux.ibm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/cpuidle/cpuidle-powernv.c | 5 ++++-
drivers/cpuidle/cpuidle-pseries.c | 5 ++++-
2 files changed, 8 insertions(+), 2 deletions(-)
--- a/drivers/cpuidle/cpuidle-powernv.c
+++ b/drivers/cpuidle/cpuidle-powernv.c
@@ -93,7 +93,10 @@ static int snooze_loop(struct cpuidle_de
HMT_medium();
ppc64_runlatch_on();
- clear_thread_flag(TIF_POLLING_NRFLAG);
+
+ /* Avoid double clear when breaking */
+ if (!dev->poll_time_limit)
+ clear_thread_flag(TIF_POLLING_NRFLAG);
local_irq_disable();
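Review bot: skipping clear_thread_flag() is only safe if dev->poll_time_limit is true exactly when the timeout path inside the loop has already cleared TIF_POLLING_NRFLAG, and false on every other exit; neither the assignment nor the reset of poll_time_limit is visible here, so the new comment should state that invariant rather than only "Avoid double clear when breaking". The same applies to the identical hunk in cpuidle-pseries.c.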
--- a/drivers/cpuidle/cpuidle-pseries.c
+++ b/drivers/cpuidle/cpuidle-pseries.c
@@ -61,7 +61,10 @@ static int snooze_loop(struct cpuidle_de
}
HMT_medium();
- clear_thread_flag(TIF_POLLING_NRFLAG);
+
+ /* Avoid double clear when breaking */
+ if (!dev->poll_time_limit)
+ clear_thread_flag(TIF_POLLING_NRFLAG);
local_irq_disable();
* [PATCH 6.1 342/969] ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in quirk table
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tommaso Soncin, Mark Brown
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tommaso Soncin <soncintommaso@gmail.com>
commit d63c219b7ff39f897da10c160a2edef76320f16c upstream.
Add a DMI quirk for the HP OMEN Gaming Laptop 16-ap0xxx line fixing the
issue where the internal microphone was not detected.
Cc: stable@vger.kernel.org
Signed-off-by: Tommaso Soncin <soncintommaso@gmail.com>
Link: https://patch.msgid.link/20260429160858.538986-1-soncintommaso@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/amd/yc/acp6x-mach.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
--- a/sound/soc/amd/yc/acp6x-mach.c
+++ b/sound/soc/amd/yc/acp6x-mach.c
@@ -55,6 +55,13 @@ static const struct dmi_system_id yc_acp
{
.driver_data = &acp6x_card,
.matches = {
+ DMI_MATCH(DMI_BOARD_VENDOR, "HP"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "OMEN Gaming Laptop 16-ap0xxx"),
+ }
+ },
+ {
+ .driver_data = &acp6x_card,
+ .matches = {
DMI_MATCH(DMI_BOARD_VENDOR, "Dell Inc."),
DMI_MATCH(DMI_PRODUCT_NAME, "Dell G15 5525"),
}
@@ -578,6 +585,13 @@ static const struct dmi_system_id yc_acp
}
},
{
+ .driver_data = &acp6x_card,
+ .matches = {
+ DMI_MATCH(DMI_BOARD_VENDOR, "HP"),
+ DMI_MATCH(DMI_BOARD_NAME, "8E35"),
+ }
+ },
+ {
.driver_data = &acp6x_card,
.matches = {
DMI_MATCH(DMI_BOARD_VENDOR, "Micro-Star International Co., Ltd."),
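Review bot: the second entry matches DMI_BOARD_NAME "8E35", which the commit message never mentions (it describes only the 16-ap0xxx product line); a short comment naming the machine this board ID belongs to would let the table be audited later, since the bare ID gives no way to tell which laptop it covers.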
* [PATCH 6.1 343/969] ASoC: fsl_easrc: fix comment typo
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Joseph Salisbury, Mark Brown
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joseph Salisbury <joseph.salisbury@oracle.com>
commit 804dce6c73fdfa44184ee4e8b09abad7f5da408f upstream.
The file contains a spelling error in a source comment (funciton).
Typos in comments reduce readability and make text searches less reliable
for developers and maintainers.
Replace 'funciton' with 'function' in the affected comment. This is a
comment-only cleanup and does not change behavior.
Fixes: 955ac624058f ("ASoC: fsl_easrc: Add EASRC ASoC CPU DAI drivers")
Cc: stable@vger.kernel.org
Signed-off-by: Joseph Salisbury <joseph.salisbury@oracle.com>
Link: https://patch.msgid.link/20260316180545.144032-1-joseph.salisbury@oracle.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/fsl/fsl_easrc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/soc/fsl/fsl_easrc.c
+++ b/sound/soc/fsl/fsl_easrc.c
@@ -1286,7 +1286,7 @@ static int fsl_easrc_request_context(int
/*
* Release the context
*
- * This funciton is mainly doing the revert thing in request context
+ * This function is mainly doing the revert thing in request context
*/
static void fsl_easrc_release_context(struct fsl_asrc_pair *ctx)
{
* [PATCH 6.1 344/969] ASoC: Intel: bytcr_wm5102: Fix MCLK leak on platform_clock_control error
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Cezary Rojewski,
Hans de Goede, Mark Brown
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
commit 13d30682e8dee191ac04e93642f0372a723e8b0c upstream.
If byt_wm5102_prepare_and_enable_pll1() fails in the
SND_SOC_DAPM_EVENT_ON() path, platform_clock_control() returns after
clk_prepare_enable(priv->mclk) without disabling the clock again.
This leaks an MCLK enable reference on failed power-up attempts. Add the
missing clk_disable_unprepare() on the error path, matching the unwind
used by the other Intel platform_clock_control() implementations.
Fixes: 9a87fc1e0619 ("ASoC: Intel: bytcr_wm5102: Add machine driver for BYT/WM5102")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Reviewed-by: Cezary Rojewski <cezary.rojewski@intel.com>
Reviewed-by: Hans de Goede <johannes.goede@oss.qualcomm.com>
Link: https://patch.msgid.link/20260427-bytcr-wm5102-mclk-leak-v1-1-02b96d08e99c@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/intel/boards/bytcr_wm5102.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/soc/intel/boards/bytcr_wm5102.c
+++ b/sound/soc/intel/boards/bytcr_wm5102.c
@@ -111,6 +111,7 @@ static int platform_clock_control(struct
ret = byt_wm5102_prepare_and_enable_pll1(codec_dai, 48000);
if (ret) {
dev_err(card->dev, "Error setting codec sysclk: %d\n", ret);
+ clk_disable_unprepare(priv->mclk);
return ret;
}
} else {
* [PATCH 6.1 345/969] ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Stable, Srinivas Kandagatla,
Mark Brown
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
commit cab45ab95ce7600fc0ff84585c77fd45b7b0d67c upstream.
Reset queue pointer on SNDRV_PCM_TRIGGER_STOP event to be in line
with resetting appl_ptr. Without this we will end up with a queue_ptr
out of sync and the driver could try to send data that is not ready yet.
Fix this by resetting the queue_ptr.
Fixes: 3d4a4411aa8bb ("ASoC: q6apm-dai: schedule all available frames to avoid dsp under-runs")
Cc: Stable@vger.kernel.org
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Link: https://patch.msgid.link/20260402081118.348071-6-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/qcom/qdsp6/q6apm-dai.c | 1 +
sound/soc/qcom/qdsp6/q6apm.c | 2 ++
2 files changed, 3 insertions(+)
--- a/sound/soc/qcom/qdsp6/q6apm-dai.c
+++ b/sound/soc/qcom/qdsp6/q6apm-dai.c
@@ -246,6 +246,7 @@ static int q6apm_dai_trigger(struct snd_
case SNDRV_PCM_TRIGGER_STOP:
/* TODO support be handled via SoftPause Module */
prtd->state = Q6APM_STREAM_STOPPED;
+ prtd->queue_ptr = 0;
break;
case SNDRV_PCM_TRIGGER_SUSPEND:
case SNDRV_PCM_TRIGGER_PAUSE_PUSH:
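Review bot: queue_ptr is reset only for SNDRV_PCM_TRIGGER_STOP; the SUSPEND and PAUSE_PUSH cases directly below are left alone, and the commit message does not say whether a stale queue_ptr can survive those paths, so a line explaining why STOP alone is enough would help.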
--- a/sound/soc/qcom/qdsp6/q6apm.c
+++ b/sound/soc/qcom/qdsp6/q6apm.c
@@ -294,6 +294,8 @@ int q6apm_map_memory_regions(struct q6ap
mutex_lock(&graph->lock);
+ data->dsp_buf = 0;
+
if (data->buf) {
mutex_unlock(&graph->lock);
return 0;
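Review bot: `data->dsp_buf = 0;` sits above the `if (data->buf)` early return, so it is reset on every call, including when the regions are already mapped and the function returns 0 without doing anything else; the commit message talks only about queue_ptr, so please document why dsp_buf needs clearing here and whether resetting it for an already-mapped stream is intended.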
* [PATCH 6.1 346/969] ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Stable, Srinivas Kandagatla,
Mark Brown
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
commit 69acc488aaf39d0ddf6c3cf0e47c1873d39919a2 upstream.
As prepare can be called multiple times, this can result in multiple
graph opens for playback path.
This will result in memory leaks. Fix this by adding a check before
opening.
Fixes: be1fae62cf25 ("ASoC: q6apm-lpass-dai: close graph on prepare errors")
Cc: Stable@vger.kernel.org
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Link: https://patch.msgid.link/20260402081118.348071-5-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/qcom/qdsp6/q6apm-lpass-dais.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/soc/qcom/qdsp6/q6apm-lpass-dais.c
+++ b/sound/soc/qcom/qdsp6/q6apm-lpass-dais.c
@@ -144,7 +144,7 @@ static int q6apm_lpass_dai_prepare(struc
* It is recommend to load DSP with source graph first and then sink
* graph, so sequence for playback and capture will be different
*/
- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) {
+ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK && dai_data->graph[dai->id] == NULL) {
graph = q6apm_graph_open(dai->dev, NULL, dai->dev, graph_id);
if (IS_ERR(graph)) {
dev_err(dai->dev, "Failed to open graph (%d)\n", graph_id);
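Review bot: the added guard on the playback condition is written as `dai_data->graph[dai->id] == NULL` on an overlong line; kernel style would be `!dai_data->graph[dai->id]` with the condition wrapped. A one-line comment that prepare can be called more than once would also explain why the guard exists, since the existing comment above it talks only about graph load order.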
* [PATCH 6.1 347/969] ASoC: qcom: q6apm: remove child devices when apm is removed
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Stable, Srinivas Kandagatla,
Mark Brown
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
commit 4a0e1bcc98f7281d1605768bd2fe71eacc34f9b7 upstream.
Looks like the q6apm driver does not remove the child drivers q6apm-dai and
q6apm-bedais when this driver is removed.
Fix this by depopulating them in remove callback.
With this change when the dsp is shutdown all the devices associated with
q6apm will now be removed.
Fixes: 5477518b8a0e ("ASoC: qdsp6: audioreach: add q6apm support")
Cc: Stable@vger.kernel.org
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Link: https://patch.msgid.link/20260402081118.348071-3-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/qcom/qdsp6/q6apm.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/soc/qcom/qdsp6/q6apm.c
+++ b/sound/soc/qcom/qdsp6/q6apm.c
@@ -763,6 +763,7 @@ static int apm_probe(gpr_device_t *gdev)
static void apm_remove(gpr_device_t *gdev)
{
+ of_platform_depopulate(&gdev->dev);
snd_soc_unregister_component(&gdev->dev);
}
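Review bot: of_platform_depopulate() in apm_remove() is only correct if apm_probe() created the children with the non-devm of_platform_populate(); the probe side is not in this hunk, so confirm the 6.1 tree does not use the devm variant, which would depopulate a second time on unbind.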
* [PATCH 6.1 348/969] btrfs: fix double free in create_space_info() error path
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Qu Wenruo, Guangshuo Li,
David Sterba
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guangshuo Li <lgs201920130244@gmail.com>
commit 3f487be81292702a59ea9dbc4088b3360a50e837 upstream.
When kobject_init_and_add() fails, the call chain is:
create_space_info()
-> btrfs_sysfs_add_space_info_type()
-> kobject_init_and_add()
-> failure
-> kobject_put(&space_info->kobj)
-> space_info_release()
-> kfree(space_info)
Then control returns to create_space_info():
btrfs_sysfs_add_space_info_type() returns error
-> goto out_free
-> kfree(space_info)
This causes a double free.
Keep the direct kfree(space_info) for the earlier failure path, but
after btrfs_sysfs_add_space_info_type() has called kobject_put(), let
the kobject release callback handle the cleanup.
Fixes: a11224a016d6d ("btrfs: fix memory leaks in create_space_info() error paths")
CC: stable@vger.kernel.org # 6.19+
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/space-info.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/btrfs/space-info.c
+++ b/fs/btrfs/space-info.c
@@ -290,7 +290,7 @@ static int create_space_info(struct btrf
ret = btrfs_sysfs_add_space_info_type(info, space_info);
if (ret)
- goto out_free;
+ return ret;
list_add(&space_info->list, &info->space_info);
if (flags & BTRFS_BLOCK_GROUP_DATA)
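Review bot: `return ret` is only right if btrfs_sysfs_add_space_info_type() in this tree already drops the kobject on failure, as the call chain in the commit message describes; the stable tag in the message reads `# 6.19+` while this is queued for 6.1, so check that the kobject_put() in the helper is present in the 6.1 code, otherwise this change trades a double free for a leak of space_info.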
* [PATCH 6.1 349/969] dm-thin: fix metadata refcount underflow
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mikulas Patocka
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
commit 09a65adc7d8bbfce06392cb6d375468e2728ead5 upstream.
There's a bug in dm-thin in the function rebalance_children. If the
internal btree node has one entry, the code tries to copy all btree
entries from the node's child to the node itself and then decrement the
child's reference count.
If the child node is shared (it has reference count > 1), we won't free
it, so there would be two pointers to each of the grandchildren nodes.
But the reference counts of the grandchildren are not increased, thus the
reference count doesn't match the number of pointers that point to the
grandchildren. This results in "device mapper: space map common: unable
to decrement block" errors.
Fix this bug by incrementing reference counts on the grandchildren if the
btree node is shared.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Fixes: 3241b1d3e0aa ("dm: add persistent data library")
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/persistent-data/dm-btree-remove.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/md/persistent-data/dm-btree-remove.c
+++ b/drivers/md/persistent-data/dm-btree-remove.c
@@ -486,12 +486,20 @@ static int rebalance_children(struct sha
if (le32_to_cpu(n->header.nr_entries) == 1) {
struct dm_block *child;
+ int is_shared;
dm_block_t b = value64(n, 0);
+ r = dm_tm_block_is_shared(info->tm, b, &is_shared);
+ if (r)
+ return r;
+
r = dm_tm_read_lock(info->tm, b, &btree_node_validator, &child);
if (r)
return r;
+ if (is_shared)
+ inc_children(info->tm, dm_block_data(child), vt);
+
memcpy(n, dm_block_data(child),
dm_bm_block_size(dm_tm_get_bm(info->tm)));
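Review bot: the is_shared test and the inc_children() call are added without a comment, yet the reason (the memcpy below duplicates the child's pointers into n while a shared child is not freed) is the whole fix; a two-line comment above `if (is_shared)` would keep the next reader from treating it as a redundant increment.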
* [PATCH 6.1 350/969] dm: dont report warning when doing deferred remove
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mikulas Patocka, Zdenek Kabelac
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
commit b7cce3e2cca9cd78418f3c3784474b778e7996fe upstream.
If dm_hash_remove_all was called from dm_deferred_remove, it would write
a warning "remove_all left %d open device(s)" if there are some other
devices active.
The warning is bogus, so let's disable it in this case.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Reported-by: Zdenek Kabelac <zkabelac@redhat.com>
Cc: stable@vger.kernel.org
Fixes: 2c140a246dc0 ("dm: allow remove to be deferred")
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/dm-ioctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -367,7 +367,7 @@ retry:
up_write(&_hash_lock);
- if (dev_skipped)
+ if (dev_skipped && !only_deferred)
DMWARN("remove_all left %d open device(s)", dev_skipped);
}
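Review bot: at `if (dev_skipped && !only_deferred)` the reason for the exemption lives only in the commit message. A short comment that other active devices are expected to remain when the call comes from dm_deferred_remove would keep someone from restoring the warning later. If the skipped count is still useful for debugging the deferred path, DMDEBUG in an else branch would preserve it without the noise.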
* [PATCH 6.1 351/969] dm: fix a buffer overflow in ioctl processing
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tony Asleson, Mikulas Patocka,
Bryn M. Reeves
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
commit 2fa49cc884f6496a915c35621ba4da35649bf159 upstream.
Tony Asleson (using Claude) found a buffer overflow in dm-ioctl in the
function retrieve_status:
1. The code in retrieve_status checks that the output string fits into
   the output buffer and writes the output string there
2. Then, the code aligns the "outptr" variable to the next 8-byte
   boundary:
	outptr = align_ptr(outptr);
3. The alignment doesn't check overflow, so outptr could point past the
   buffer end
4. The "for" loop is iterated again, it executes:
	remaining = len - (outptr - outbuf);
5. If "outptr" points past "outbuf + len", the arithmetic wraps around
   and the variable "remaining" contains an unusually high number
6. With "remaining" being high, the code writes more data past the end of
   the buffer
Luckily, this bug has no security implications because:
1. Only root can issue device mapper ioctls
2. The commonly used libraries that communicate with device mapper
   (libdevmapper and devicemapper-rs) use a buffer size that is aligned to
   8 bytes - thus, "outptr = align_ptr(outptr)" can't overshoot the input
   buffer and the bug can't happen accidentally
Reported-by: Tony Asleson <tasleson@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Reviewed-by: Bryn M. Reeves <bmr@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/dm-ioctl.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -1316,6 +1316,10 @@ static void retrieve_status(struct dm_ta
used = param->data_start + (outptr - outbuf);
outptr = align_ptr(outptr);
+ if (!outptr || outptr > outbuf + len) {
+ param->flags |= DM_BUFFER_FULL_FLAG;
+ break;
+ }
spec->next = outptr - outbuf;
}
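Review bot: on the new break path `spec->next` is never written, while `used` (assigned just above the check) already counts this target's output, so the last spec in the buffer is left with a `next` value this loop did not set. If userspace is expected to discard the data whenever DM_BUFFER_FULL_FLAG is set, say so in a comment; otherwise do the bounds test before `used` is updated. The `!outptr` half of the condition also deserves a short comment, presumably that it catches align_ptr() wrapping past the top of the address space.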
* [PATCH 6.1 352/969] dm-verity-fec: correctly reject too-small FEC devices
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Eric Biggers, Mikulas Patocka
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@kernel.org>
commit 2b14e0bb63cc671120e7791658f5c494fc66d072 upstream.
Fix verity_fec_ctr() to reject too-small FEC devices by correctly
computing the number of parity blocks as 'f->rounds * f->roots'.
Previously it incorrectly used 'div64_u64(f->rounds * f->roots,
v->fec->roots << SECTOR_SHIFT)' which is a much smaller value.
Note that the units of 'rounds' are blocks, not bytes. This matches the
units of the value returned by dm_bufio_get_device_size(), which are
also blocks. A later commit will give 'rounds' a clearer name.
Fixes: a739ff3f543a ("dm verity: add support for forward error correction")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/dm-verity-fec.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/md/dm-verity-fec.c
+++ b/drivers/md/dm-verity-fec.c
@@ -684,7 +684,7 @@ int verity_fec_ctr(struct dm_verity *v)
{
struct dm_verity_fec *f = v->fec;
struct dm_target *ti = v->ti;
- u64 hash_blocks, fec_blocks;
+ u64 hash_blocks;
int ret;
if (!verity_fec_is_enabled(v)) {
@@ -765,8 +765,7 @@ int verity_fec_ctr(struct dm_verity *v)
dm_bufio_set_sector_offset(f->bufio, f->start << (v->data_dev_block_bits - SECTOR_SHIFT));
- fec_blocks = div64_u64(f->rounds * f->roots, v->fec->roots << SECTOR_SHIFT);
- if (dm_bufio_get_device_size(f->bufio) < fec_blocks) {
+ if (dm_bufio_get_device_size(f->bufio) < f->rounds * f->roots) {
ti->error = "FEC device is too small";
return -E2BIG;
}
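Review bot: in the new comparison `f->rounds * f->roots` is multiplied inline with nothing guarding against the product wrapping; the removed `fec_blocks` was a u64, but the hunk does not show the types of `rounds` and `roots`. A wrapped product would let a too-small FEC device pass this test again, so confirm the multiplication is done in 64 bits and that `rounds` is bounded earlier in verity_fec_ctr(), or use check_mul_overflow() and fail with -E2BIG. A comment that both sides of the comparison are in blocks would also help until `rounds` gets its clearer name.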
* [PATCH 6.1 353/969] dm-verity-fec: correctly reject too-small hash devices
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Eric Biggers, Mikulas Patocka
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@kernel.org>
commit 4355142245f7e55336dcc005ec03592df4d546f8 upstream.
Fix verity_fec_ctr() to reject too-small hash devices by correctly
taking hash_start into account.
Note that this is necessary because dm-verity doesn't call
dm_bufio_set_sector_offset() on the hash device's bufio client
(v->bufio). Thus, dm_bufio_get_device_size(v->bufio) returns a size
relative to 0 rather than hash_start. An alternative fix would be to
call dm_bufio_set_sector_offset() on v->bufio, but then all the code
that reads from the hash device would have to be adjusted accordingly.
Fixes: a739ff3f543a ("dm verity: add support for forward error correction")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/dm-verity-fec.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/md/dm-verity-fec.c
+++ b/drivers/md/dm-verity-fec.c
@@ -747,7 +747,8 @@ int verity_fec_ctr(struct dm_verity *v)
* it to be large enough.
*/
f->hash_blocks = f->blocks - v->data_blocks;
- if (dm_bufio_get_device_size(v->bufio) < f->hash_blocks) {
+ if (dm_bufio_get_device_size(v->bufio) <
+ v->hash_start + f->hash_blocks) {
ti->error = "Hash device is too small for "
DM_VERITY_OPT_FEC_BLOCKS;
return -E2BIG;
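Review bot: the sum `v->hash_start + f->hash_blocks` can wrap if hash_start is not already range-checked, which would make the right-hand side small and let the size test pass. Either confirm hash_start is validated before this point in the constructor path, or use check_add_overflow() here and return -E2BIG on overflow.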
* [PATCH 6.1 354/969] isofs: validate Rock Ridge CE continuation extent against volume size
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Jan Kara
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit a36d990f591320e9dd379ab30063ebfe91d47e1f upstream.
rock_continue() reads rs->cont_extent verbatim from the Rock Ridge CE
record and passes it to sb_bread() without checking that the block
number is within the mounted ISO 9660 volume. commit e595447e177b
("[PATCH] rock.c: handle corrupted directories") added cont_offset
and cont_size rejection for the CE continuation but did not validate
the extent block number itself. commit f54e18f1b831 ("isofs: Fix
infinite looping over CE entries") later capped the CE chain length
at RR_MAX_CE_ENTRIES = 32 but again left the block number unchecked.
With a crafted ISO mounted via udisks2 (desktop optical auto-mount)
or via CAP_SYS_ADMIN mount, rs->cont_extent can therefore point at
an out-of-range block or at blocks belonging to an adjacent
filesystem on the same block device. sb_bread() on an out-of-range
block returns NULL cleanly via the block layer EIO path, so there
is no memory-safety violation. For in-range reads of adjacent-
filesystem data, the CE buffer is parsed as Rock Ridge records and
only the text of SL sub-records reaches userspace through
readlink(), which makes the info-leak channel narrow and difficult
to exploit; still, rejecting the malformed CE outright matches the
rejection shape already present in the same function for
cont_offset and cont_size.
Add an ISOFS_SB(sb)->s_nzones bounds check to rock_continue() next
to the existing offset/size rejection, printing the same
corrupted-directory-entry notice.
Fixes: f54e18f1b831 ("isofs: Fix infinite looping over CE entries")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://patch.msgid.link/20260419212155.2169382-2-michael.bommarito@gmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/isofs/rock.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/fs/isofs/rock.c
+++ b/fs/isofs/rock.c
@@ -101,6 +101,15 @@ static int rock_continue(struct rock_sta
goto out;
}
+ if ((unsigned)rs->cont_extent >= ISOFS_SB(rs->inode->i_sb)->s_nzones) {
+ printk(KERN_NOTICE "rock: corrupted directory entry. "
+ "extent=%u out of volume (nzones=%lu)\n",
+ (unsigned)rs->cont_extent,
+ ISOFS_SB(rs->inode->i_sb)->s_nzones);
+ ret = -EIO;
+ goto out;
+ }
+
if (rs->cont_extent) {
struct buffer_head *bh;
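Review bot: the new printk in rock_continue() is driven by data read from the mounted image and is not rate limited, so an image carrying many bad CE records can flood the log. printk_ratelimited() with KERN_NOTICE would keep the notice without that side effect. Note also that the test sits before `if (rs->cont_extent)`, so it is applied to cont_extent == 0 as well; that is harmless unless s_nzones can be 0, which is worth stating in a comment.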
* [PATCH 6.1 355/969] isofs: validate block number from NFS file handle in isofs_export_iget
From: Greg Kroah-Hartman @ 2026-05-30 15:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Jan Kara
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit 24376458138387fb251e782e624c7776e9826796 upstream.
isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker-
controlled block number (ifid->block or ifid->parent_block) from
the NFS file handle to isofs_export_iget(), which only rejects
block == 0 before calling isofs_iget() and ultimately sb_bread().
A crafted file handle with fh_len sufficient to pass the check
added by commit 0405d4b63d08 ("isofs: Prevent the use of too small
fid") can still drive the server to read any in-range block on the
backing device as if it were an iso_directory_record. That earlier
fix was assigned CVE-2025-37780.
sb_bread() on an out-of-range block returns NULL cleanly via the
EIO path, so there is no memory-safety violation. For in-range
reads of adjacent-partition data on the same block device, the
unrelated bytes end up in iso_inode_info fields that reach the NFS
client as dentry metadata. The deployment surface (isofs exported
over NFS from loop-mounted images) is narrow and requires an
authenticated NFS peer, but the malformed-file-handle class is
reportable as hardening next to the existing CVE-2025-37780 fix.
Reject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so
the check covers both isofs_fh_to_dentry() and isofs_fh_to_parent()
call sites with a single line.
Fixes: 0405d4b63d08 ("isofs: Prevent the use of too small fid")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://patch.msgid.link/20260419212155.2169382-3-michael.bommarito@gmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/isofs/export.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/isofs/export.c
+++ b/fs/isofs/export.c
@@ -24,7 +24,7 @@ isofs_export_iget(struct super_block *sb
{
struct inode *inode;
- if (block == 0)
+ if (block == 0 || block >= ISOFS_SB(sb)->s_nzones)
return ERR_PTR(-ESTALE);
inode = isofs_iget(sb, block, offset);
if (IS_ERR(inode))
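Review bot: `offset` still reaches isofs_iget() unchecked in this function, while `block` is now bounded against s_nzones. If offset is taken from the file handle in the same way as block, it needs a matching range check (for example against the block size) either here or in isofs_iget(); if it is already validated downstream, a comment pointing at that check would close the question.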
* [PATCH 6.1 356/969] libceph: Fix slab-out-of-bounds access in auth message processing
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Raphael Zimmer, Ilya Dryomov
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
commit 1c439de70b1c3eb3c6bffa8245c16b9fc318f114 upstream.
If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY
contains a positive value in its result field, it is treated as an
error code by ceph_handle_auth_reply() and returned to
handle_auth_reply(). Thereafter, an attempt is made to send the
preallocated message of type CEPH_MSG_AUTH, where the returned value is
interpreted as the size of the front segment to send. If the result
value in the message is greater than the size of the memory buffer
allocated for the front segment, an out-of-bounds access occurs, and
the content of the memory region beyond this buffer is sent out.
This patch fixes the issue by treating only negative values in the
result field as errors. Positive values are therefore treated as success
in the same way as a zero value. Additionally, a BUG_ON is added to
__send_prepared_auth_request() comparing the len parameter to
front_alloc_len to prevent sending the message if it exceeds the bounds
of the allocation and to make it easier to catch any logic flaws leading
to this.
Cc: stable@vger.kernel.org
Signed-off-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/auth.c | 2 +-
net/ceph/mon_client.c | 2 ++
2 files changed, 3 insertions(+), 1 deletion(-)
--- a/net/ceph/auth.c
+++ b/net/ceph/auth.c
@@ -257,7 +257,7 @@ int ceph_handle_auth_reply(struct ceph_a
ac->negotiating = false;
}
- if (result) {
+ if (result < 0) {
pr_err("auth protocol '%s' mauth authentication failed: %d\n",
ceph_auth_proto_name(ac->protocol), result);
ret = result;
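Review bot: with `if (result < 0)` a positive `result` now falls through silently and is handled as success. The commit text describes such a message as potentially corrupted, so consider at least a rate-limited pr_warn for `result > 0`, or rejecting the reply outright, so that a malformed CEPH_MSG_AUTH_REPLY leaves a trace instead of being accepted quietly.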
--- a/net/ceph/mon_client.c
+++ b/net/ceph/mon_client.c
@@ -174,6 +174,8 @@ int ceph_monmap_contains(struct ceph_mon
*/
static void __send_prepared_auth_request(struct ceph_mon_client *monc, int len)
{
+ BUG_ON(len > monc->m_auth->front_alloc_len);
+
monc->pending_auth = 1;
monc->m_auth->front.iov_len = len;
monc->m_auth->hdr.front_len = cpu_to_le32(len);
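Review bot: BUG_ON() in __send_prepared_auth_request() turns a bad length, which the commit text says can originate from a received message, into a kernel panic. The function returns void, so `if (WARN_ON_ONCE(len > monc->m_auth->front_alloc_len)) return;` would stop the send without taking the machine down. `len` is a signed int and is stored into `front.iov_len` right after; if front_alloc_len is also signed, a negative len passes the `>` test, so add `len < 0 ||` to the condition.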
* [PATCH 6.1 357/969] md/raid10: fix divide-by-zero in setup_geo() with zero far_copies
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Junrui Luo, Yu Kuai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
commit 9aa6d860b0930e2f72795665c42c44252a558a0c upstream.
setup_geo() extracts near_copies (nc) and far_copies (fc) from the
user-provided layout parameter without checking for zero. When fc=0
with the "improved" far set layout selected, 'geo->far_set_size =
disks / fc' triggers a divide-by-zero.
Validate nc and fc immediately after extraction, returning -1 if
either is zero.
Fixes: 475901aff158 ("MD RAID10: Improve redundancy for 'far' and 'offset' algorithms (part 1)")
Cc: stable@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://lore.kernel.org/linux-raid/SYBPR01MB7881A5E2556806CC1D318582AF232@SYBPR01MB7881.ausprd01.prod.outlook.com
Signed-off-by: Yu Kuai <yukuai@fnnas.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/raid10.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/md/raid10.c
+++ b/drivers/md/raid10.c
@@ -3993,6 +3993,8 @@ static int setup_geo(struct geom *geo, s
nc = layout & 255;
fc = (layout >> 8) & 255;
fo = layout & (1<<16);
+ if (!nc || !fc)
+ return -1;
geo->raid_disks = disks;
geo->near_copies = nc;
geo->far_copies = fc;
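Review bot: the new `if (!nc || !fc) return -1;` has no comment tying it to the later use of fc as a divisor (`disks / fc` per the commit text), and it runs straight into the `geo->` assignments with no blank line. A one-line comment that both copy counts come from the user-supplied layout and must be non-zero, plus a blank line after the return, would make the validation step stand out from the field setup.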
* [PATCH 6.1 358/969] nvme-apple: drop invalid put of admin queue reference count
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, Fedor Pchelkin,
Keith Busch
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fedor Pchelkin <pchelkin@ispras.ru>
commit ba9d308ccd6732dd97ed8080d834a4a89e758e14 upstream.
Commit 03b3bcd319b3 ("nvme: fix admin request_queue lifetime") moved the
admin queue reference ->put call into nvme_free_ctrl() - a controller
device release callback performed for every nvme driver doing
nvme_init_ctrl().
nvme-apple sets refcount of the admin queue to 1 at allocation during the
probe function and then puts it twice now:
nvme_free_ctrl()
blk_put_queue(ctrl->admin_q) // #1
->free_ctrl()
apple_nvme_free_ctrl()
blk_put_queue(anv->ctrl.admin_q) // #2
Note that there is a commit 941f7298c70c ("nvme-apple: remove an extra
queue reference") which intended to drop taking an extra admin queue
reference. Looks like at that moment it accidentally fixed a refcount
leak, which existed since the driver's introduction. There were two ->get
calls at driver's probe function and a single ->put inside
apple_nvme_free_ctrl().
However now after commit 03b3bcd319b3 ("nvme: fix admin request_queue
lifetime") the refcount is imbalanced again. Fix it by removing extra
->put call from apple_nvme_free_ctrl(). anv->dev and ctrl->dev point to
the same device, so use ctrl->dev directly for simplification. Compile
tested only.
Found by Linux Verification Center (linuxtesting.org).
Fixes: 03b3bcd319b3 ("nvme: fix admin request_queue lifetime")
Cc: stable@vger.kernel.org
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/nvme/host/apple.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
--- a/drivers/nvme/host/apple.c
+++ b/drivers/nvme/host/apple.c
@@ -1194,11 +1194,7 @@ static int apple_nvme_get_address(struct
static void apple_nvme_free_ctrl(struct nvme_ctrl *ctrl)
{
- struct apple_nvme *anv = ctrl_to_apple_nvme(ctrl);
-
- if (anv->ctrl.admin_q)
- blk_put_queue(anv->ctrl.admin_q);
- put_device(anv->dev);
+ put_device(ctrl->dev);
}
static const struct nvme_ctrl_ops nvme_ctrl_ops = {
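Review bot: dropping the blk_put_queue() from apple_nvme_free_ctrl() is only correct on a tree where nvme_free_ctrl() already puts the admin queue, that is, where 03b3bcd319b3 is applied; without it this hunk leaks the queue reference. Please confirm that commit is present in 6.1.y before this is queued, and since the change is described as compile tested only, a probe/remove cycle on real hardware would be good to have. The switch from `anv->dev` to `ctrl->dev` is a cleanup separate from the refcount fix and could be left out of a stable backport.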
* [PATCH 6.1 359/969] nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig,
Chaitanya Kulkarni, Keith Busch
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chaitanya Kulkarni <kch@nvidia.com>
commit aade8abd8b868b6ffa9697aadaea28ec7f65bee6 upstream.
nvmet_tcp_release_queue_work() runs on nvmet-wq and can drop the
final controller reference through nvmet_cq_put(). If that triggers
nvmet_ctrl_free(), the teardown path flushes ctrl->async_event_work on
the same nvmet-wq.
Call chain:
nvmet_tcp_schedule_release_queue()
kref_put(&queue->kref, nvmet_tcp_release_queue)
nvmet_tcp_release_queue()
queue_work(nvmet_wq, &queue->release_work) <--- nvmet_wq
process_one_work()
nvmet_tcp_release_queue_work()
nvmet_cq_put(&queue->nvme_cq)
nvmet_cq_destroy()
nvmet_ctrl_put(cq->ctrl)
nvmet_ctrl_free()
flush_work(&ctrl->async_event_work) <--- nvmet_wq
Previously Scheduled by :-
nvmet_add_async_event
queue_work(nvmet_wq, &ctrl->async_event_work);
This trips lockdep with a possible recursive locking warning.
[ 5223.015876] run blktests nvme/003 at 2026-04-07 20:53:55
[ 5223.061801] loop0: detected capacity change from 0 to 2097152
[ 5223.072206] nvmet: adding nsid 1 to subsystem blktests-subsystem-1
[ 5223.088368] nvmet_tcp: enabling port 0 (127.0.0.1:4420)
[ 5223.126086] nvmet: Created discovery controller 1 for subsystem nqn.2014-08.org.nvmexpress.discovery for NQN nqn.2014-08.org.nvmexpress:uuid:0f01fb42-9f7f-4856-b0b3-51e60b8de349.
[ 5223.128453] nvme nvme1: new ctrl: NQN "nqn.2014-08.org.nvmexpress.discovery", addr 127.0.0.1:4420, hostnqn: nqn.2014-08.org.nvmexpress:uuid:0f01fb42-9f7f-4856-b0b3-51e60b8de349
[ 5233.199447] nvme nvme1: Removing ctrl: NQN "nqn.2014-08.org.nvmexpress.discovery"
[ 5233.227718] ============================================
[ 5233.231283] WARNING: possible recursive locking detected
[ 5233.234696] 7.0.0-rc3nvme+ #20 Tainted: G O N
[ 5233.238434] --------------------------------------------
[ 5233.241852] kworker/u192:6/2413 is trying to acquire lock:
[ 5233.245429] ffff888111632548 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: touch_wq_lockdep_map+0x26/0x90
[ 5233.251438]
but task is already holding lock:
[ 5233.255254] ffff888111632548 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x5cc/0x6e0
[ 5233.261125]
other info that might help us debug this:
[ 5233.265333] Possible unsafe locking scenario:
[ 5233.269217] CPU0
[ 5233.270795] ----
[ 5233.272436] lock((wq_completion)nvmet-wq);
[ 5233.275241] lock((wq_completion)nvmet-wq);
[ 5233.278020]
*** DEADLOCK ***
[ 5233.281793] May be due to missing lock nesting notation
[ 5233.286195] 3 locks held by kworker/u192:6/2413:
[ 5233.289192] #0: ffff888111632548 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x5cc/0x6e0
[ 5233.294569] #1: ffffc9000e2a7e40 ((work_completion)(&queue->release_work)){+.+.}-{0:0}, at: process_one_work+0x1c5/0x6e0
[ 5233.300128] #2: ffffffff82d7dc40 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x62/0x530
[ 5233.304290]
stack backtrace:
[ 5233.306520] CPU: 4 UID: 0 PID: 2413 Comm: kworker/u192:6 Tainted: G O N 7.0.0-rc3nvme+ #20 PREEMPT(full)
[ 5233.306524] Tainted: [O]=OOT_MODULE, [N]=TEST
[ 5233.306525] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014
[ 5233.306527] Workqueue: nvmet-wq nvmet_tcp_release_queue_work [nvmet_tcp]
[ 5233.306532] Call Trace:
[ 5233.306534] <TASK>
[ 5233.306536] dump_stack_lvl+0x73/0xb0
[ 5233.306552] print_deadlock_bug+0x225/0x2f0
[ 5233.306556] __lock_acquire+0x13f0/0x2290
[ 5233.306563] lock_acquire+0xd0/0x300
[ 5233.306565] ? touch_wq_lockdep_map+0x26/0x90
[ 5233.306571] ? __flush_work+0x20b/0x530
[ 5233.306573] ? touch_wq_lockdep_map+0x26/0x90
[ 5233.306577] touch_wq_lockdep_map+0x3b/0x90
[ 5233.306580] ? touch_wq_lockdep_map+0x26/0x90
[ 5233.306583] ? __flush_work+0x20b/0x530
[ 5233.306585] __flush_work+0x268/0x530
[ 5233.306588] ? __pfx_wq_barrier_func+0x10/0x10
[ 5233.306594] ? xen_error_entry+0x30/0x60
[ 5233.306600] nvmet_ctrl_free+0x140/0x310 [nvmet]
[ 5233.306617] nvmet_cq_put+0x74/0x90 [nvmet]
[ 5233.306629] nvmet_tcp_release_queue_work+0x19f/0x360 [nvmet_tcp]
[ 5233.306634] process_one_work+0x206/0x6e0
[ 5233.306640] worker_thread+0x184/0x320
[ 5233.306643] ? __pfx_worker_thread+0x10/0x10
[ 5233.306646] kthread+0xf1/0x130
[ 5233.306648] ? __pfx_kthread+0x10/0x10
[ 5233.306651] ret_from_fork+0x355/0x450
[ 5233.306653] ? __pfx_kthread+0x10/0x10
[ 5233.306656] ret_from_fork_asm+0x1a/0x30
[ 5233.306664] </TASK>
There is also no need to flush async_event_work from controller
teardown. The admin queue teardown already fails outstanding AER
requests before the final controller put :-
nvmet_sq_destroy(admin sq)
nvmet_async_events_failall(ctrl)
The controller has already been removed from the subsystem list before
nvmet_ctrl_free() quiesces outstanding work.
Replace flush_work() with cancel_work_sync() so a pending
async_event_work item is canceled and a running instance is waited on
without recursing into the same workqueue.
Fixes: 06406d81a2d7 ("nvmet: cancel fatal error and flush async work before free controller")
Cc: stable@vger.kernel.org
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Chaitanya Kulkarni <kch@nvidia.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/nvme/target/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/nvme/target/core.c
+++ b/drivers/nvme/target/core.c
@@ -1496,7 +1496,7 @@ static void nvmet_ctrl_free(struct kref
nvmet_stop_keep_alive_timer(ctrl);
- flush_work(&ctrl->async_event_work);
+ cancel_work_sync(&ctrl->async_event_work);
cancel_work_sync(&ctrl->fatal_err_work);
nvmet_destroy_auth(ctrl);
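Review bot: cancel_work_sync() drops a pending async_event_work instead of running it, and nothing at the call site in nvmet_ctrl_free() records why that is safe. A short comment that outstanding AER requests have already been failed by admin queue teardown (as the commit text explains), and that flush_work() here would recurse into nvmet-wq, would stop the call from being changed back.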
* [PATCH 6.1 360/969] openvswitch: vport: fix self-deadlock on release of tunnel ports
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eelco Chaudron, Ilya Maximets,
Aaron Conole, Paolo Abeni
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Maximets <i.maximets@ovn.org>
commit aa69918bd418e700309fdd08509dba324fb24296 upstream.
vports are used concurrently and protected by RCU, so netdev_put()
must happen after the RCU grace period. So, either in an RCU call or
after the synchronize_net(). The rtnl_delete_link() must happen under
RTNL and so can't be executed in RCU context. Calling synchronize_net()
while holding RTNL is not a good idea for performance and system
stability under load in general, so calling netdev_put() in RCU call
is the right solution here.
However, when the device is deleted, rtnl_unlock() will call netdev_run_todo()
and block until all the references are gone. In the current code this
means that we never reach the call_rcu() and the vport is never freed
and the reference is never released, causing a self-deadlock on device
removal.
Fix that by moving the rcu_call() before the rtnl_unlock(), so the
scheduled RCU callback will be executed when synchronize_net() is
called from the rtnl_unlock()->netdev_run_todo() while the RTNL itself
is already released.
Fixes: 6931d21f87bc ("openvswitch: defer tunnel netdev_put to RCU release")
Cc: stable@vger.kernel.org
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Acked-by: Aaron Conole <aconole@redhat.com>
Link: https://patch.msgid.link/20260430233848.440994-2-i.maximets@ovn.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/openvswitch/vport-netdev.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/net/openvswitch/vport-netdev.c
+++ b/net/openvswitch/vport-netdev.c
@@ -189,9 +189,13 @@ void ovs_netdev_tunnel_destroy(struct vp
*/
if (vport->dev->reg_state == NETREG_REGISTERED)
rtnl_delete_link(vport->dev, 0, NULL);
- rtnl_unlock();
+ /* We can't put the device reference yet, since it can still be in
+ * use, but rtnl_unlock()->netdev_run_todo() will block until all
+ * the references are released, so the RCU call must be before it.
+ */
call_rcu(&vport->rcu, vport_netdev_free);
+ rtnl_unlock();
}
EXPORT_SYMBOL_GPL(ovs_netdev_tunnel_destroy);
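Review bot: once call_rcu() has been issued, `vport` can be freed as soon as a grace period ends, so nothing after that line may touch it. rtnl_unlock() does not, but the new comment only explains the ordering against netdev_run_todo(); adding that `vport` must not be dereferenced after call_rcu() would protect ovs_netdev_tunnel_destroy() against later edits that add code between the two calls.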
* [PATCH 6.1 361/969] RDMA/hns: Fix unlocked call to hns_roce_qp_remove()
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Junxian Huang, Jason Gunthorpe
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Gunthorpe <jgg@nvidia.com>
commit 0c99acbc8b6c6dd526ae475a48ee1897b61072fb upstream.
Sashiko points out that hns_roce_qp_remove() requires the caller to hold
locks. The error flow in hns_roce_create_qp_common() doesn't hold those
locks for the error unwind so it risks corrupting memory.
Grab the same locks the other two callers use.
Cc: stable@vger.kernel.org
Fixes: e088a685eae9 ("RDMA/hns: Support rq record doorbell for the user space")
Link: https://sashiko.dev/#/patchset/0-v2-1c49eeb88c48%2B91-rdma_udata_rep_jgg%40nvidia.com?part=9
Link: https://patch.msgid.link/r/15-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com
Reviewed-by: Junxian Huang <huangjunxian6@hisilicon.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/hw/hns/hns_roce_qp.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/drivers/infiniband/hw/hns/hns_roce_qp.c
+++ b/drivers/infiniband/hw/hns/hns_roce_qp.c
@@ -1146,6 +1146,7 @@ static int hns_roce_create_qp_common(str
struct hns_roce_ib_create_qp_resp resp = {};
struct ib_device *ibdev = &hr_dev->ib_dev;
struct hns_roce_ib_create_qp ucmd = {};
+ unsigned long flags;
int ret;
mutex_init(&hr_qp->mutex);
@@ -1229,7 +1230,13 @@ static int hns_roce_create_qp_common(str
return 0;
err_flow_ctrl:
+ spin_lock_irqsave(&hr_dev->qp_list_lock, flags);
+ hns_roce_lock_cqs(init_attr->send_cq ? to_hr_cq(init_attr->send_cq) : NULL,
+ init_attr->recv_cq ? to_hr_cq(init_attr->recv_cq) : NULL);
hns_roce_qp_remove(hr_dev, hr_qp);
+ hns_roce_unlock_cqs(init_attr->send_cq ? to_hr_cq(init_attr->send_cq) : NULL,
+ init_attr->recv_cq ? to_hr_cq(init_attr->recv_cq) : NULL);
+ spin_unlock_irqrestore(&hr_dev->qp_list_lock, flags);
err_store:
free_qpc(hr_dev, hr_qp);
err_qpc:
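Review bot: in the err_flow_ctrl path the send_cq/recv_cq ternaries are evaluated twice, once for hns_roce_lock_cqs() and once for hns_roce_unlock_cqs(), so the lock and unlock arguments only match by copy and paste. Resolve the two hr_cq pointers into locals once before taking qp_list_lock and pass those to both calls. A one-line comment that hns_roce_qp_remove() expects qp_list_lock and the CQ locks to be held would also document the requirement at the call site.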
* [PATCH 6.1 362/969] s390/debug: Reject zero-length input in debug_input_flush_fn()
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Heiko Carstens, Vasily Gorbik,
Alexander Gordeev
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vasily Gorbik <gor@linux.ibm.com>
commit e14622a7584f9608927c59a7d6ae4a0999dc545e upstream.
debug_input_flush_fn() always copies one byte from the userspace buffer
with copy_from_user() regardless of the supplied write length. A
zero-length write therefore reads one byte beyond the caller's buffer.
If the stale byte happens to be '-' or a digit the debug log is
silently flushed. With an unmapped buffer the call returns -EFAULT.
Reject zero-length writes before copying from userspace.
Cc: stable@vger.kernel.org # v5.10+
Acked-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/s390/kernel/debug.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/arch/s390/kernel/debug.c
+++ b/arch/s390/kernel/debug.c
@@ -1444,6 +1444,11 @@ static int debug_input_flush_fn(debug_in
char input_buf[1];
int rc = user_len;
+ if (!user_len) {
+ rc = -EINVAL;
+ goto out;
+ }
+
if (user_len > 0x10000)
user_len = 0x10000;
if (*offset != 0) {
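Review bot: the new !user_len check sets rc and jumps to out although nothing visible in the hunk has been acquired at that point, so a plain return -EINVAL would be clearer unless the out label does more than return rc. The changelog should also state that a zero-length write now fails with -EINVAL, since that is a userspace-visible change for anything writing to this file.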
* [PATCH 6.1 363/969] smb/client: fix out-of-bounds read in symlink_data()
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stable, Zisen Ye, ChenXiaoSong,
Steve French
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zisen Ye <zisenye@stu.xidian.edu.cn>
commit d62b8d236fab503c6fec1d3e9a38bea71feaca20 upstream.
Since smb2_check_message() returns success without length validation for
the symlink error response, in symlink_data() it is possible for
iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer
only contains the base SMB2 header (64 bytes), accessing
err->ErrorContextCount (at offset 66) or err->ByteCount later in
symlink_data() will cause an out-of-bounds read.
Link: https://lore.kernel.org/linux-cifs/297d8d9b-adf7-42fd-a1c2-5b1f230032bc@chenxiaosong.com/
Fixes: 76894f3e2f71 ("cifs: improve symlink handling for smb2+")
Cc: Stable@vger.kernel.org
Signed-off-by: Zisen Ye <zisenye@stu.xidian.edu.cn>
Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/smb2misc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/smb/client/smb2misc.c
+++ b/fs/smb/client/smb2misc.c
@@ -239,7 +239,8 @@ smb2_check_message(char *buf, unsigned i
if (len != calc_len) {
/* create failed on symlink */
if (command == SMB2_CREATE_HE &&
- shdr->Status == STATUS_STOPPED_ON_SYMLINK)
+ shdr->Status == STATUS_STOPPED_ON_SYMLINK &&
+ len > calc_len)
return 0;
/* Windows 7 server returns 24 bytes more */
if (calc_len + 24 == len && command == SMB2_OPLOCK_BREAK_HE)
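Review bot: the added len > calc_len condition in the STATUS_STOPPED_ON_SYMLINK branch has no comment tying it to the read that symlink_data() performs later, and from the hunk alone it is not evident that calc_len already covers the fixed part of struct smb2_err_rsp. Extend the existing "create failed on symlink" comment to say that a response no longer than calc_len is not accepted by this shortcut so that ErrorContextCount and ByteCount lie inside the buffer, or compare against sizeof(struct smb2_err_rsp) explicitly.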
* [PATCH 6.1 364/969] PCI/AER: Clear only error bits in PCIe Device Status
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lukas Wunner, Shuai Xue,
Bjorn Helgaas, Kuppuswamy Sathyanarayanan
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shuai Xue <xueshuai@linux.alibaba.com>
commit a8aeea1bf3c80cc87983689e0118770e019bd4f3 upstream.
Currently, pcie_clear_device_status() clears the entire PCIe Device Status
register (PCI_EXP_DEVSTA) by writing back the value read from the register,
which affects not only the error status bits but also other writable bits.
According to PCIe r7.0, sec 7.5.3.5, this register contains:
- RW1C error status bits (CED, NFED, FED, URD at bits 0-3): These are the
four error status bits that need to be cleared.
- Read-only bits (AUXPD at bit 4, TRPND at bit 5): Writing to these has
no effect.
- Emergency Power Reduction Detected (bit 6): A RW1C non-error bit
introduced in PCIe r5.0 (2019). This is currently the only writable
non-error bit in the Device Status register. Unconditionally clearing
this bit can interfere with other software components that rely on this
power management indication.
- Reserved bits (RsvdZ): These bits are required to be written as zero.
Writing 1s to them (as the current implementation may do) violates the
specification.
To prevent unintended side effects, modify pcie_clear_device_status() to
only write 1s to the four error status bits (CED, NFED, FED, URD), leaving
the Emergency Power Reduction Detected bit and reserved bits unaffected.
Fixes: ec752f5d54d7 ("PCI/AER: Clear device status bits during ERR_FATAL and ERR_NONFATAL")
Suggested-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Shuai Xue <xueshuai@linux.alibaba.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
Reviewed-by: Lukas Wunner <lukas@wunner.de>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260211124624.49656-1-xueshuai@linux.alibaba.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/pci.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
--- a/drivers/pci/pci.c
+++ b/drivers/pci/pci.c
@@ -2396,10 +2396,9 @@ EXPORT_SYMBOL_GPL(pci_set_pcie_reset_sta
#ifdef CONFIG_PCIEAER
void pcie_clear_device_status(struct pci_dev *dev)
{
- u16 sta;
-
- pcie_capability_read_word(dev, PCI_EXP_DEVSTA, &sta);
- pcie_capability_write_word(dev, PCI_EXP_DEVSTA, sta);
+ pcie_capability_write_word(dev, PCI_EXP_DEVSTA,
+ PCI_EXP_DEVSTA_CED | PCI_EXP_DEVSTA_NFED |
+ PCI_EXP_DEVSTA_FED | PCI_EXP_DEVSTA_URD);
}
#endif
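Review bot: pcie_clear_device_status() now writes an open-coded OR of four PCI_EXP_DEVSTA_* bits with no comment, so the reason for leaving out the other bits lives only in the changelog. Add a short comment above the write saying that only the RW1C error bits are cleared and that Emergency Power Reduction Detected and the RsvdZ bits are deliberately written as zero, so nobody restores the read-and-write-back form later.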
* [PATCH 6.1 365/969] PCI/AER: Stop ruling out unbound devices as error source
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lukas Wunner, Bjorn Helgaas,
Stefan Roese
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lukas Wunner <lukas@wunner.de>
commit 1ab4a3c805084d752ec571efc78272295a9f2f74 upstream.
When searching for the error source, the AER driver rules out devices whose
enable_cnt is zero. This was introduced in 2009 by commit 28eb27cf0839
("PCI AER: support invalid error source IDs") without providing a
rationale.
Drivers typically call pci_enable_device() on probe, hence the enable_cnt
check essentially filters out unbound devices. At the time of the commit,
drivers had to opt in to AER by calling pci_enable_pcie_error_reporting()
and so any AER-enabled device could be assumed to be bound to a driver.
The check thus made sense because it allowed skipping config space accesses
to devices which were known not to be the error source.
But since 2022, AER is universally enabled on all devices when they are
enumerated, cf. commit f26e58bf6f54 ("PCI/AER: Enable error reporting when
AER is native").
Errors may very well be reported by unbound devices, e.g. due to link
instability. By ruling them out as error source, errors reported by them
are neither logged nor cleared. When they do get bound and another error
occurs, the earlier error is reported together with the new error, which
may confuse users. Stop doing so.
Fixes: f26e58bf6f54 ("PCI/AER: Enable error reporting when AER is native")
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Stefan Roese <stefan.roese@mailbox.org>
Cc: stable@vger.kernel.org # v6.0+
Link: https://patch.msgid.link/734338c2e8b669db5a5a3b45d34131b55ffebfca.1774605029.git.lukas@wunner.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/pcie/aer.c | 2 --
1 file changed, 2 deletions(-)
--- a/drivers/pci/pcie/aer.c
+++ b/drivers/pci/pcie/aer.c
@@ -857,8 +857,6 @@ static bool is_error_source(struct pci_d
* 3) There are multiple errors and prior ID comparing fails;
* We check AER status registers to find possible reporter.
*/
- if (atomic_read(&dev->enable_cnt) == 0)
- return false;
/* Check if AER is enabled */
pcie_capability_read_word(dev, PCI_EXP_DEVCTL, ®16);
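Review bot: removing the enable_cnt test in is_error_source() leaves no trace in the code that unbound devices are meant to be considered, and per the changelog the original check was added without a rationale. A sentence in the comment block above, or next to "Check if AER is enabled", stating that devices without a bound driver can report errors too would keep the filter from being reintroduced.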
* [PATCH 6.1 366/969] power: supply: max17042: avoid overflow when determining health
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, André Draszik,
Sebastian Reichel
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: André Draszik <andre.draszik@linaro.org>
commit 9a44949da669708f19d29141e65b3ac774d08f5a upstream.
If vmax has the default value of INT_MAX (e.g. because not specified in
DT), battery health is reported as over-voltage. This is because adding
any value to vmax (the vmax tolerance in this case) causes it to wrap
around, making it negative and smaller than the measured battery
voltage.
Avoid that by using size_add().
Fixes: edd4ab055931 ("power: max17042_battery: add HEALTH and TEMP_* properties support")
Cc: stable@vger.kernel.org
Signed-off-by: André Draszik <andre.draszik@linaro.org>
Link: https://patch.msgid.link/20260302-max77759-fg-v3-6-3c5f01dbda23@linaro.org
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/power/supply/max17042_battery.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/power/supply/max17042_battery.c
+++ b/drivers/power/supply/max17042_battery.c
@@ -199,7 +199,7 @@ static int max17042_get_battery_health(s
goto out;
}
- if (vbatt > chip->pdata->vmax + MAX17042_VMAX_TOLERANCE) {
+ if (vbatt > size_add(chip->pdata->vmax, MAX17042_VMAX_TOLERANCE)) {
*health = POWER_SUPPLY_HEALTH_OVERVOLTAGE;
goto out;
}
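Review bot: size_add() returns a size_t, so the vbatt > size_add(...) comparison is now done in unsigned arithmetic. If vbatt is a signed int, as the changelog's description of vmax wrapping negative suggests, a negative reading would convert to a very large value and take the over-voltage branch. Either keep the comparison signed, for example by testing the addition with check_add_overflow() and treating overflow as "no upper limit", or note why vbatt can never be negative here.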
* [PATCH 6.1 367/969] RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jason Gunthorpe
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Gunthorpe <jgg@nvidia.com>
commit c54c7e4cb679c0aaa1cb489b9c3f2cd98e63a44c upstream.
Sashiko points out that mlx4_srq_alloc() was not undone during error
unwind, add the missing call to mlx4_srq_free().
Cc: stable@vger.kernel.org
Fixes: 225c7b1feef1 ("IB/mlx4: Add a driver Mellanox ConnectX InfiniBand adapters")
Link: https://sashiko.dev/#/patchset/0-v1-e911b76a94d1%2B65d95-rdma_udata_rep_jgg%40nvidia.com?part=8
Link: https://patch.msgid.link/r/11-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/hw/mlx4/srq.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/infiniband/hw/mlx4/srq.c
+++ b/drivers/infiniband/hw/mlx4/srq.c
@@ -193,13 +193,15 @@ int mlx4_ib_create_srq(struct ib_srq *ib
if (udata)
if (ib_copy_to_udata(udata, &srq->msrq.srqn, sizeof (__u32))) {
err = -EFAULT;
- goto err_wrid;
+ goto err_srq;
}
init_attr->attr.max_wr = srq->msrq.max - 1;
return 0;
+err_srq:
+ mlx4_srq_free(dev->dev, &srq->msrq);
err_wrid:
if (udata)
mlx4_ib_db_unmap_user(ucontext, &srq->db);
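Review bot: the new err_srq label undoes mlx4_srq_alloc() only for the ib_copy_to_udata() failure shown here, and it relies on falling through into err_wrid. Please confirm that no other goto err_wrid is reachable after mlx4_srq_alloc() has succeeded, since such a path would still leak the SRQ. Stating in the changelog that this is the only failure point after the alloc would settle it.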
* [PATCH 6.1 368/969] RDMA/ocrdma: Dont NULL deref uctx on errors in ocrdma_copy_pd_uresp()
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jason Gunthorpe
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Gunthorpe <jgg@nvidia.com>
commit 34fbf48cf3b410d2a6e8c586fa952a36331ca5ba upstream.
Sashiko points out that pd->uctx isn't initialized until late in the
function so all these error flow references are NULL and will crash. Use
the uctx that isn't NULL.
Cc: stable@vger.kernel.org
Fixes: fe2caefcdf58 ("RDMA/ocrdma: Add driver for Emulex OneConnect IBoE RDMA adapter")
Link: https://sashiko.dev/#/patchset/0-v1-e911b76a94d1%2B65d95-rdma_udata_rep_jgg%40nvidia.com?part=4
Link: https://patch.msgid.link/r/9-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/hw/ocrdma/ocrdma_verbs.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c
+++ b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c
@@ -620,9 +620,9 @@ static int ocrdma_copy_pd_uresp(struct o
ucopy_err:
if (pd->dpp_enabled)
- ocrdma_del_mmap(pd->uctx, dpp_page_addr, PAGE_SIZE);
+ ocrdma_del_mmap(uctx, dpp_page_addr, PAGE_SIZE);
dpp_map_err:
- ocrdma_del_mmap(pd->uctx, db_page_addr, db_page_size);
+ ocrdma_del_mmap(uctx, db_page_addr, db_page_size);
return status;
}
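Review bot: both ocrdma_del_mmap() calls under ucopy_err and dpp_map_err now use the local uctx, but nothing in the function says that pd->uctx is still unset on these paths, which is how the bug got in. A one-line comment at ucopy_err, or assigning pd->uctx before the first step that can fail, would make the unwind robust against the same mistake.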
* [PATCH 6.1 369/969] RDMA/rxe: Reject unknown opcodes before ICRC processing
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Zhu Yanjun,
Jason Gunthorpe
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit 4c6f86d85d03cdb33addce86aa69aa795ca6c47a upstream.
Even after applying commit 7244491dab34 ("RDMA/rxe: Validate pad and ICRC
before payload_size() in rxe_rcv"), a single unauthenticated UDP packet
can still trigger panic. That patch handled payload_size() underflow only
for valid opcodes with short packets, not for packets carrying an unknown
opcode. The unknown-opcode OOB read described below predates that commit
and reaches back to the initial Soft RoCE driver.
The check added there reads
pkt->paylen < header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE
where header_size(pkt) expands to rxe_opcode[pkt->opcode].length. The
rxe_opcode[] array has 256 entries but is only populated for defined IB
opcodes; any other entry (for example opcode 0xff) is zero-initialized, so
length == 0 and the check degenerates to
pkt->paylen < 0 + bth_pad(pkt) + RXE_ICRC_SIZE
which does not constrain pkt->paylen enough. rxe_icrc_hdr() then computes
rxe_opcode[pkt->opcode].length - RXE_BTH_BYTES
which underflows when length == 0 and passes a huge value to rxe_crc32(),
causing an out-of-bounds read of the skb payload.
Reproduced on v7.0-rc7 with that fix applied, QEMU/KVM with
CONFIG_RDMA_RXE=y and CONFIG_KASAN=y, after
rdma link add rxe0 type rxe netdev eth0
A single 48-byte UDP packet to port 4791 with BTH opcode=0xff and
QPN=IB_MULTICAST_QPN triggers:
BUG: KASAN: slab-out-of-bounds in crc32_le+0x115/0x170
Read of size 1 at addr ...
The buggy address is located 0 bytes to the right of
allocated 704-byte region
Call Trace:
crc32_le+0x115/0x170
rxe_icrc_hdr.isra.0+0x226/0x300
rxe_icrc_check+0x13f/0x3a0
rxe_rcv+0x6e1/0x16e0
rxe_udp_encap_recv+0x20a/0x320
udp_queue_rcv_one_skb+0x7ed/0x12c0
Subsequent packets with the same shape fault on unmapped memory and panic
the kernel. The trigger requires only module load and "rdma link add"; no
QP, no connection, and no authentication.
Fix this by rejecting packets whose opcode has no rxe_opcode[] entry,
detected via the zero mask or zero length, before any length arithmetic
runs.
Cc: stable@vger.kernel.org
Fixes: 8700e3e7c485 ("Soft RoCE driver")
Link: https://patch.msgid.link/r/20260414111555.3386793-1-michael.bommarito@gmail.com
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/sw/rxe/rxe_recv.c | 11 +++++++++++
1 file changed, 11 insertions(+)
--- a/drivers/infiniband/sw/rxe/rxe_recv.c
+++ b/drivers/infiniband/sw/rxe/rxe_recv.c
@@ -322,6 +322,17 @@ void rxe_rcv(struct sk_buff *skb)
pkt->qp = NULL;
pkt->mask |= rxe_opcode[pkt->opcode].mask;
+ /*
+ * Unknown opcodes have a zero-initialized rxe_opcode[] entry, so
+ * both mask and length are 0. Reject them before any length math:
+ * rxe_icrc_hdr() would otherwise compute length - RXE_BTH_BYTES
+ * and pass the underflowed value to rxe_crc32(), producing an
+ * out-of-bounds read.
+ */
+ if (unlikely(!rxe_opcode[pkt->opcode].mask ||
+ !rxe_opcode[pkt->opcode].length))
+ goto drop;
+
if (unlikely(pkt->paylen < header_size(pkt) + bth_pad(pkt) +
RXE_ICRC_SIZE))
goto drop;
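Review bot: the new unknown-opcode branch in rxe_rcv() drops the packet silently, so a host receiving such packets shows nothing an operator could alert on. Consider bumping an error counter or emitting a ratelimited debug message before goto drop. The three rxe_opcode[pkt->opcode] lookups (the mask assignment plus the two tests) could also share one local pointer.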
^ permalink raw reply [flat|nested] 982+ messages in thread
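The length arithmetic described in the 369/969 changelog, as a user-space model added here for illustration (not code from the patch or from the rxe driver). The table contents, the constant values and all function names are constructed stand-ins; only the shape of the checks follows the commit message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model constants standing in for RXE_BTH_BYTES and RXE_ICRC_SIZE. */
#define BTH_BYTES 12
#define ICRC_SIZE 4

struct opcode_info {
	unsigned int mask;	/* 0 for an opcode the table does not define */
	int length;		/* total header length, 0 if undefined */
};

/* 256 slots, only a few populated; every other slot is zero-initialized.
 * The two entries are constructed sample values, not real IB opcodes. */
static const struct opcode_info opcode_tbl[256] = {
	[0x04] = { .mask = 0x1, .length = BTH_BYTES },
	[0x0a] = { .mask = 0x3, .length = BTH_BYTES + 16 },
};

struct pkt {
	uint8_t opcode;
	uint8_t pad;
	size_t paylen;
};

enum verdict { DROP = 0, ACCEPT = 1 };

/* The earlier check: paylen < header_size + pad + ICRC. With an undefined
 * opcode the header size is 0, so almost any paylen passes. */
static enum verdict length_check_only(const struct pkt *p)
{
	size_t need = (size_t)opcode_tbl[p->opcode].length + p->pad + ICRC_SIZE;

	return p->paylen < need ? DROP : ACCEPT;
}

/* Number of bytes past the BTH that the header CRC step would hash.
 * length - BTH_BYTES is negative for length == 0 and becomes a huge
 * value once it is used as a size. */
static size_t crc_hdr_extra(const struct pkt *p)
{
	int extra = opcode_tbl[p->opcode].length - BTH_BYTES;

	return (size_t)extra;
}

/* The patched order: reject undefined opcodes before any length math. */
static enum verdict opcode_then_length_check(const struct pkt *p)
{
	const struct opcode_info *op = &opcode_tbl[p->opcode];

	if (!op->mask || !op->length)
		return DROP;
	return length_check_only(p);
}

int main(void)
{
	/* Constructed sample packets: undefined opcode, valid, valid but short. */
	const struct pkt samples[] = {
		{ .opcode = 0xff, .pad = 0, .paylen = 40 },
		{ .opcode = 0x04, .pad = 0, .paylen = 16 },
		{ .opcode = 0x0a, .pad = 0, .paylen = 20 },
	};

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		const struct pkt *p = &samples[i];

		printf("opcode 0x%02x paylen %zu: old=%s new=%s crc_extra=%zu\n",
		       (unsigned int)p->opcode, p->paylen,
		       length_check_only(p) == ACCEPT ? "accept" : "drop",
		       opcode_then_length_check(p) == ACCEPT ? "accept" : "drop",
		       crc_hdr_extra(p));
	}
	return 0;
}
```

For the undefined opcode the old check accepts the packet while the computed CRC length is close to SIZE_MAX; the reordered check drops it before that value is ever formed.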
* [PATCH 6.1 370/969] RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jason Gunthorpe
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Gunthorpe <jgg@nvidia.com>
commit e38e86995df27f1f854063dab1f0c6a513db3faf upstream.
Sashiko points out that pvrdma_uar_free() is already called within
pvrdma_dealloc_ucontext(), so calling it before triggers a double free.
Cc: stable@vger.kernel.org
Fixes: 29c8d9eba550 ("IB: Add vmw_pvrdma driver")
Link: https://sashiko.dev/#/patchset/0-v1-e911b76a94d1%2B65d95-rdma_udata_rep_jgg%40nvidia.com?part=4
Link: https://patch.msgid.link/r/10-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.c
+++ b/drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.c
@@ -350,7 +350,7 @@ int pvrdma_alloc_ucontext(struct ib_ucon
uresp.qp_tab_size = vdev->dsr->caps.max_qp;
ret = ib_copy_to_udata(udata, &uresp, sizeof(uresp));
if (ret) {
- pvrdma_uar_free(vdev, &context->uar);
+ /* pvrdma_dealloc_ucontext() also frees the UAR */
pvrdma_dealloc_ucontext(&context->ibucontext);
return -EFAULT;
}
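Review bot: the if (ret) branch now leaves all teardown to pvrdma_dealloc_ucontext(), and the new comment covers only the UAR. It is worth saying in the changelog that dealloc is safe on a context at this stage of pvrdma_alloc_ucontext(). The branch could also return ret instead of the hard-coded -EFAULT.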
* [PATCH 6.1 371/969] mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthieu Baerts (NGI0),
Shardul Bankar, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shardul Bankar <shardul.b@mpiricsoftware.com>
commit c4a99a921949cddc590b22bb14eeb23dffcc3ba6 upstream.
In subflow_finish_connect(), HMAC validation of the server's HMAC
in SYN/ACK + MP_JOIN increments MPTCP_MIB_JOINACKMAC ("HMAC was
wrong on ACK + MP_JOIN") on failure. The function processes the
SYN/ACK, not the ACK; the matching MPTCP_MIB_JOINSYNACKMAC counter
("HMAC was wrong on SYN/ACK + MP_JOIN") exists but is not
incremented anywhere in the tree.
The mirror site on the server, subflow_syn_recv_sock(), already
uses JOINACKMAC correctly for ACK HMAC failure. Use JOINSYNACKMAC
at the SYN/ACK validation site so each counter reflects the packet
whose HMAC actually failed.
Suggested-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Fixes: fc518953bc9c ("mptcp: add and use MIB counter infrastructure")
Cc: stable@vger.kernel.org
Signed-off-by: Shardul Bankar <shardul.b@mpiricsoftware.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260501-net-mptcp-misc-fixes-7-1-rc3-v1-1-b70118df778e@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/subflow.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -469,7 +469,7 @@ static void subflow_finish_connect(struc
subflow->backup);
if (!subflow_thmac_valid(subflow)) {
- MPTCP_INC_STATS(sock_net(sk), MPTCP_MIB_JOINACKMAC);
+ MPTCP_INC_STATS(sock_net(sk), MPTCP_MIB_JOINSYNACKMAC);
subflow->reset_reason = MPTCP_RST_EMPTCP;
goto do_reset;
}
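Review bot: switching the increment in subflow_finish_connect() to MPTCP_MIB_JOINSYNACKMAC changes which counter moves on a client-side HMAC failure, so monitoring that watches the ACK counter for these events will go quiet once this lands. The changelog should say so explicitly for stable users, and a selftest asserting on the SYN/ACK counter would keep it from being left unused again.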
* [PATCH 6.1 372/969] mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthieu Baerts (NGI0),
Shardul Bankar, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shardul Bankar <shardul.b@mpiricsoftware.com>
commit a6da02d4c00fdda2417e42ad2b762a9209e6cc49 upstream.
When HMAC validation fails on a received ACK + MP_JOIN in
subflow_syn_recv_sock(), the subflow is reset with reason
MPTCP_RST_EPROHIBIT ("Administratively prohibited"). This is
incorrect: HMAC validation failure is an MPTCP protocol-level
error, not an administrative policy denial.
The mirror site on the client, in subflow_finish_connect(), already
uses MPTCP_RST_EMPTCP ("MPTCP-specific error") for the same kind of
HMAC failure on the SYN/ACK + MP_JOIN. Use the same reason on the
server side for symmetry and accuracy.
Suggested-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Fixes: 443041deb5ef ("mptcp: fix NULL pointer in can_accept_new_subflow")
Cc: stable@vger.kernel.org
Signed-off-by: Shardul Bankar <shardul.b@mpiricsoftware.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260501-net-mptcp-misc-fixes-7-1-rc3-v1-2-b70118df778e@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/subflow.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -796,7 +796,7 @@ create_child:
if (!subflow_hmac_valid(req, &mp_opt)) {
SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINACKMAC);
- subflow_add_reset_reason(skb, MPTCP_RST_EPROHIBIT);
+ subflow_add_reset_reason(skb, MPTCP_RST_EMPTCP);
goto dispose_child;
}
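Review bot: the reason passed to subflow_add_reset_reason() ends up in the reset sent to the peer, so changing it from MPTCP_RST_EPROHIBIT to MPTCP_RST_EMPTCP alters what the remote end and any capture-based tooling see for a failed ACK HMAC. Note that in the changelog for stable users, and check whether any selftest matches on the old reason.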
* [PATCH 6.1 373/969] mptcp: sockopt: set timestamp flags on subflow socket, not msk
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gang Yan, Matthieu Baerts (NGI0),
Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gang Yan <yangang@kylinos.cn>
commit 5f95c21fc23a7ef22b4d27d1ed9bb55557ffb926 upstream.
Both mptcp_setsockopt_sol_socket_tstamp() and
mptcp_setsockopt_sol_socket_timestamping() iterate over subflows,
acquire the subflow socket lock, but then erroneously pass the MPTCP
msk socket to sock_set_timestamp() / sock_set_timestamping() instead
of the subflow ssk. As a result, the timestamp flags are set on the
wrong socket and have no effect on the actual subflows.
Pass ssk instead of sk to both helpers.
Fixes: 9061f24bf82e ("mptcp: sockopt: propagate timestamp request to subflows")
Cc: stable@vger.kernel.org
Signed-off-by: Gang Yan <yangang@kylinos.cn>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260427-net-mptcp-misc-fixes-7-1-rc2-v1-1-7432b7f279fa@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/sockopt.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/net/mptcp/sockopt.c
+++ b/net/mptcp/sockopt.c
@@ -159,7 +159,7 @@ static int mptcp_setsockopt_sol_socket_t
struct sock *ssk = mptcp_subflow_tcp_sock(subflow);
bool slow = lock_sock_fast(ssk);
- sock_set_timestamp(sk, optname, !!val);
+ sock_set_timestamp(ssk, optname, !!val);
unlock_sock_fast(ssk, slow);
}
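Review bot: inside mptcp_for_each_subflow() both sk and ssk are in scope, which is how sock_set_timestamp() ended up being called on the msk; the same slip is fixed in the next hunk for sock_set_timestamping(). A selftest that sets the option and checks it on a subflow would catch a regression. The changelog should also say whether the msk still gets the flag elsewhere, since this loop no longer touches it.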
@@ -235,7 +235,7 @@ static int mptcp_setsockopt_sol_socket_t
struct sock *ssk = mptcp_subflow_tcp_sock(subflow);
bool slow = lock_sock_fast(ssk);
- sock_set_timestamping(sk, optname, timestamping);
+ sock_set_timestamping(ssk, optname, timestamping);
unlock_sock_fast(ssk, slow);
}
* [PATCH 6.1 374/969] mptcp: fix scheduling with atomic in timestamp sockopt
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sashiko, Gang Yan,
Matthieu Baerts (NGI0), Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gang Yan <yangang@kylinos.cn>
commit b5c52908d52c6c8eb8933264aa6087a0600fd892 upstream.
Using lock_sock_fast() (atomic context) around sock_set_timestamp()
and sock_set_timestamping() is unsafe, as both helpers can sleep.
Replace lock_sock_fast() with sleepable lock_sock()/release_sock()
to avoid scheduling while atomic panic.
Fixes: 9061f24bf82e ("mptcp: sockopt: propagate timestamp request to subflows")
Cc: stable@vger.kernel.org
Reported-by: Sashiko <sashiko-bot@kernel.org>
Closes: https://sashiko.dev/#/patchset/20260420093343.16443-1-gang.yan@linux.dev
Signed-off-by: Gang Yan <yangang@kylinos.cn>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260427-net-mptcp-misc-fixes-7-1-rc2-v1-2-7432b7f279fa@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/sockopt.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/net/mptcp/sockopt.c
+++ b/net/mptcp/sockopt.c
@@ -157,10 +157,10 @@ static int mptcp_setsockopt_sol_socket_t
lock_sock(sk);
mptcp_for_each_subflow(msk, subflow) {
struct sock *ssk = mptcp_subflow_tcp_sock(subflow);
- bool slow = lock_sock_fast(ssk);
+ lock_sock(ssk);
sock_set_timestamp(ssk, optname, !!val);
- unlock_sock_fast(ssk, slow);
+ release_sock(ssk);
}
release_sock(sk);
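Review bot: lock_sock(ssk) is now taken for every subflow while lock_sock(sk) on the msk is still held, so the loop nests two sleepable socket locks in msk-then-subflow order. Please confirm that this matches the order used on the other MPTCP paths and record it in the changelog or in a comment above mptcp_for_each_subflow(); an inverted order elsewhere would deadlock.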
@@ -233,10 +233,10 @@ static int mptcp_setsockopt_sol_socket_t
mptcp_for_each_subflow(msk, subflow) {
struct sock *ssk = mptcp_subflow_tcp_sock(subflow);
- bool slow = lock_sock_fast(ssk);
+ lock_sock(ssk);
sock_set_timestamping(ssk, optname, timestamping);
- unlock_sock_fast(ssk, slow);
+ release_sock(ssk);
}
release_sock(sk);
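Review bot: the unchanged context line sock_set_timestamping(ssk, optname, timestamping) already passes ssk, so this hunk only applies on top of patch 373. Both patches carry the same Fixes: tag; a sentence in the changelog saying they must be picked as a pair would make the dependency explicit for anyone cherry-picking into another tree.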
* [PATCH 6.1 375/969] f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode()
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Cen Zhang, Chao Yu, Jaegeuk Kim
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cen Zhang <zzzccc427@gmail.com>
commit 5471834a96fb697874be2ca0b052e74bcf3c23d1 upstream.
f2fs_update_inode() reads inode->i_blocks without holding i_lock to
serialize it to the on-disk inode, while concurrent truncate or
allocation paths may modify i_blocks under i_lock. Since blkcnt_t is
u64, this risks torn reads on 32-bit architectures.
Following the approach in ext4_inode_blocks_set(), add READ_ONCE() to prevent
potential compiler-induced tearing.
Fixes: 19f99cee206c ("f2fs: add core inode operations")
Cc: stable@vger.kernel.org
Signed-off-by: Cen Zhang <zzzccc427@gmail.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/inode.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/f2fs/inode.c
+++ b/fs/f2fs/inode.c
@@ -597,7 +597,7 @@ void f2fs_update_inode(struct inode *ino
ri->i_uid = cpu_to_le32(i_uid_read(inode));
ri->i_gid = cpu_to_le32(i_gid_read(inode));
ri->i_links = cpu_to_le32(inode->i_nlink);
- ri->i_blocks = cpu_to_le64(SECTOR_TO_BLOCK(inode->i_blocks) + 1);
+ ri->i_blocks = cpu_to_le64(SECTOR_TO_BLOCK(READ_ONCE(inode->i_blocks)) + 1);
if (!f2fs_is_atomic_file(inode) ||
is_inode_flag_set(inode, FI_ATOMIC_COMMITTED))
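Review bot: READ_ONCE(inode->i_blocks) stops the compiler from splitting or repeating the load, but on a 32-bit build a 64-bit load is still two accesses, so an update made under i_lock can still be observed half-written. The changelog should say that only compiler-induced tearing is addressed, or the read should be done under i_lock; a short comment at the call recording that the access is intentionally lockless would also help.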
* [PATCH 6.1 376/969] f2fs: fix fiemap boundary handling when read extent cache is incomplete
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yongpeng Yang, Chao Yu,
Jaegeuk Kim
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yongpeng Yang <yangyongpeng@xiaomi.com>
commit 95e159ad3e52f7478cfd22e44ec37c9f334f8993 upstream.
f2fs_fiemap() calls f2fs_map_blocks() to obtain the block mapping of a
file, and then merges contiguous mappings into extents. If the mapping
is found in the read extent cache, node blocks do not need to be read.
However, in the following scenario, a contiguous extent can be split
into two extents:
$ dd if=/dev/zero of=data.128M bs=1M count=128
$ losetup -f data.128M
$ mkfs.f2fs /dev/loop0 -f
$ mount -o mode=lfs /dev/loop0 /mnt/f2fs/
$ cd /mnt/f2fs/
$ dd if=/dev/zero of=data.72M bs=1M count=72 && sync
$ dd if=/dev/zero of=data.4M bs=1M count=4 && sync
$ dd if=/dev/zero of=data.4M bs=1M count=2 seek=2 conv=notrunc && sync
$ echo 3 > /proc/sys/vm/drop_caches
$ dd if=/dev/zero of=data.4M bs=1M count=2 seek=0 conv=notrunc && sync
$ dd if=/dev/zero of=data.4M bs=1M count=2 seek=0 conv=notrunc && sync
$ f2fs_io fiemap 0 1024 data.4M
Fiemap: offset = 0 len = 1024
logical addr. physical addr. length flags
0 0000000000000000 0000000006400000 0000000000200000 00001000
1 0000000000200000 0000000006600000 0000000000200000 00001001
Although the physical addresses of the ranges 0~2MB and 2M~4MB are
contiguous, the mapping for the 2M~4MB range is not present in memory.
When the physical addresses for the 0~2MB range are updated, no merge
happens because the adjacent mapping is missing from the in-memory
cache. As a result, fiemap reports two separate extents instead of a
single contiguous one.
The root cause is that the read extent cache does not guarantee that all
blocks of an extent are present in memory. Therefore, when the extent
length returned by f2fs_map_blocks_cached() is smaller than maxblocks,
the remaining mappings are retrieved via f2fs_get_dnode_of_data() to
ensure correct fiemap extent boundary handling.
Cc: stable@kernel.org
Fixes: cd8fc5226bef ("f2fs: remove the create argument to f2fs_map_blocks")
Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/data.c | 25 ++++++++++++++++++++++---
1 file changed, 22 insertions(+), 3 deletions(-)
--- a/fs/f2fs/data.c
+++ b/fs/f2fs/data.c
@@ -1522,8 +1522,26 @@ int f2fs_map_blocks(struct inode *inode,
if (!maxblocks)
return 0;
- if (!map->m_may_create && f2fs_map_blocks_cached(inode, map, flag))
- goto out;
+ if (!map->m_may_create && f2fs_map_blocks_cached(inode, map, flag)) {
+ struct extent_info ei;
+
+ /*
+ * 1. If map->m_multidev_dio is true, map->m_pblk cannot be
+ * waitted by f2fs_wait_on_block_writeback_range() and are not
+ * mergeable.
+ * 2. If pgofs hits the read extent cache, it means the mapping
+ * is already cached in the extent cache, but it is not
+ * mergeable, and there is no need to query the mapping again
+ * via f2fs_get_dnode_of_data().
+ */
+ pgofs = (pgoff_t)map->m_lblk + map->m_len;
+ if (map->m_len == maxblocks ||
+ map->m_multidev_dio ||
+ f2fs_lookup_read_extent_cache(inode, pgofs, &ei))
+ goto out;
+ ofs = map->m_len;
+ goto map_more;
+ }
map->m_bdev = inode->i_sb->s_bdev;
map->m_multidev_dio =
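Review bot: the new test of map->m_multidev_dio reads the field right after f2fs_map_blocks_cached() returns, before the map->m_multidev_dio assignment in the unchanged lines below the block has run, and the changelog of patch 377 says the cached helper does not update the field on a hit. Until 377 is applied the test sees whatever the caller left in the struct, so the two patches should be ordered or squashed accordingly. The goto map_more path also skips the map->m_bdev assignment, which the comment should mention, and "waitted" in that comment should read "waited".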
@@ -1534,7 +1552,8 @@ int f2fs_map_blocks(struct inode *inode,
/* it only supports block size == page size */
pgofs = (pgoff_t)map->m_lblk;
- end = pgofs + maxblocks;
+map_more:
+ end = (pgoff_t)map->m_lblk + maxblocks;
next_dnode:
if (map->m_may_create) {
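Review bot: the map_more: label sits after pgofs = (pgoff_t)map->m_lblk, so on the goto path pgofs and ofs keep the values set in the cached branch while end is recomputed from map->m_lblk. That asymmetry is easy to break in a later edit; a comment at the label stating which variables the jump expects to be initialised already would document it.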
* [PATCH 6.1 377/969] f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks()
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yongpeng Yang, Chao Yu,
Jaegeuk Kim
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yongpeng Yang <yangyongpeng@xiaomi.com>
commit eb2ca3ca983551a80e16a4a25df5a4ce59df8484 upstream.
When f2fs_map_blocks()->f2fs_map_blocks_cached() hits the read extent
cache, map->m_multidev_dio is not updated, which leads to incorrect
multidevice information being reported by trace_f2fs_map_blocks().
This patch updates map->m_multidev_dio in f2fs_map_blocks_cached() when
the read extent cache is hit.
Cc: stable@kernel.org
Fixes: 0094e98bd147 ("f2fs: factor a f2fs_map_blocks_cached helper")
Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/data.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/f2fs/data.c
+++ b/fs/f2fs/data.c
@@ -1487,7 +1487,8 @@ static bool f2fs_map_blocks_cached(struc
f2fs_wait_on_block_writeback_range(inode,
map->m_pblk, map->m_len);
- if (f2fs_allow_multi_device_dio(sbi, flag)) {
+ map->m_multidev_dio = f2fs_allow_multi_device_dio(sbi, flag);
+ if (map->m_multidev_dio) {
int bidx = f2fs_target_device_index(sbi, map->m_pblk);
struct f2fs_dev_info *dev = &sbi->devs[bidx];
* [PATCH 6.1 378/969] KVM: arm64: vgic: Fix IIDR revision field extracted from wrong value
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Woodhouse, Marc Zyngier
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Woodhouse <dwmw@amazon.co.uk>
commit a0e6ae45af17e8b27958830595799c702ffbab8d upstream.
The uaccess write handlers for GICD_IIDR in both GICv2 and GICv3
extract the revision field from 'reg' (the current IIDR value read back
from the emulated distributor) instead of 'val' (the value userspace is
trying to write). This means userspace can never actually change the
implementation revision — the extracted value is always the current one.
Fix the FIELD_GET to use 'val' so that userspace can select a different
revision for migration compatibility.
Fixes: 49a1a2c70a7f ("KVM: arm64: vgic-v3: Advertise GICR_CTLR.{IR, CES} as a new GICD_IIDR revision")
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Link: https://patch.msgid.link/20260407210949.2076251-2-dwmw2@infradead.org
Signed-off-by: Marc Zyngier <maz@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kvm/vgic/vgic-mmio-v2.c | 2 +-
arch/arm64/kvm/vgic/vgic-mmio-v3.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- a/arch/arm64/kvm/vgic/vgic-mmio-v2.c
+++ b/arch/arm64/kvm/vgic/vgic-mmio-v2.c
@@ -91,7 +91,7 @@ static int vgic_mmio_uaccess_write_v2_mi
* migration from old kernels to new kernels with legacy
* userspace.
*/
- reg = FIELD_GET(GICD_IIDR_REVISION_MASK, reg);
+ reg = FIELD_GET(GICD_IIDR_REVISION_MASK, val);
switch (reg) {
case KVM_VGIC_IMP_REV_2:
case KVM_VGIC_IMP_REV_3:
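Review bot: after this change reg holds a field taken from the userspace value val, yet the visible context of the GICv2 handler does not show the (reg ^ val) & ~GICD_IIDR_REVISION_MASK check that precedes the same line in the GICv3 hunk. Please confirm that the v2 handler rejects writes that alter the non-revision bits before this point; if it does not, the same -EINVAL check belongs here.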
--- a/arch/arm64/kvm/vgic/vgic-mmio-v3.c
+++ b/arch/arm64/kvm/vgic/vgic-mmio-v3.c
@@ -167,7 +167,7 @@ static int vgic_mmio_uaccess_write_v3_mi
if ((reg ^ val) & ~GICD_IIDR_REVISION_MASK)
return -EINVAL;
- reg = FIELD_GET(GICD_IIDR_REVISION_MASK, reg);
+ reg = FIELD_GET(GICD_IIDR_REVISION_MASK, val);
switch (reg) {
case KVM_VGIC_IMP_REV_2:
case KVM_VGIC_IMP_REV_3:
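Review bot: reg is compared against val in the check above and then overwritten with the revision extracted from val, so one variable means "current IIDR" and "requested revision" within a few lines. That reuse makes the reg/val mix-up fixed here easy to reintroduce; a separate local such as rev for the FIELD_GET() result would make the switch self-explanatory.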
* [PATCH 6.1 379/969] LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wentao Guan, Huacai Chen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Guan <guanwentao@uniontech.com>
commit 8dfa2f8780e486d05b9a0ffce70b8f5fbd62053e upstream.
The switch case in loongson_gpu_fixup_dma_hang() may not be DC2 or DC3, and
readl(crtc_reg) will access a random address, because the "device" is
from "base+PCI_DEVICE_ID", "base" is from "pdev->devfn+1". This is wrong
when my platform inserts a discrete GPU:
lspci -tv
-[0000:00]-+-00.0 Loongson Technology LLC Hyper Transport Bridge Controller
...
+-06.0 Loongson Technology LLC LG100 GPU
+-06.2 Loongson Technology LLC Device 7a37
...
Add a default switch case to fix the panic as below:
Kernel ade access[#1]:
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.136-loong64-desktop-hwe+ #4
pc 90000000017e5534 ra 90000000017e54c0 tp 90000001002f8000 sp 90000001002fb6c0
a0 80000efe00003100 a1 0000000000003100 a2 0000000000000000 a3 0000000000000002
a4 90000001002fb6b4 a5 900000087cdb58fd a6 90000000027af000 a7 0000000000000001
t0 00000000000085b9 t1 000000000000ffff t2 0000000000000000 t3 0000000000000000
t4 fffffffffffffffd t5 00000000fffb6d9c t6 0000000000083b00 t7 00000000000070c0
t8 900000087cdb4d94 u0 900000087cdb58fd s9 90000001002fb826 s0 90000000031c12c8
s1 7fffffffffffff00 s2 90000000031c12d0 s3 0000000000002710 s4 0000000000000000
s5 0000000000000000 s6 9000000100053000 s7 7fffffffffffff00 s8 90000000030d4000
ra: 90000000017e54c0 loongson_gpu_fixup_dma_hang+0x40/0x210
ERA: 90000000017e5534 loongson_gpu_fixup_dma_hang+0xb4/0x210
CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)
PRMD: 00000004 (PPLV0 +PIE -PWE)
EUEN: 00000000 (-FPE -SXE -ASXE -BTE)
ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)
ESTAT: 00480000 [ADEM] (IS= ECode=8 EsubCode=1)
BADV: 7fffffffffffff00
PRID: 0014d000 (Loongson-64bit, Loongson-3A6000-HV)
Modules linked in:
Process swapper/0 (pid: 1, threadinfo=(____ptrval____), task=(____ptrval____))
Call Trace:
[<90000000017e5534>] loongson_gpu_fixup_dma_hang+0xb4/0x210
[<9000000000eebc08>] pci_fixup_device+0x108/0x280
[<9000000000ebb70c>] pci_setup_device+0x24c/0x690
[<9000000000ebc560>] pci_scan_single_device+0xe0/0x140
[<9000000000ebc684>] pci_scan_slot+0xc4/0x280
[<9000000000ebdd00>] pci_scan_child_bus_extend+0x60/0x3f0
[<9000000000f5bc94>] acpi_pci_root_create+0x2b4/0x420
[<90000000017e5e74>] pci_acpi_scan_root+0x2d4/0x440
[<9000000000f5b02c>] acpi_pci_root_add+0x21c/0x3a0
[<9000000000f4ee54>] acpi_bus_attach+0x1a4/0x3c0
[<90000000010e200c>] device_for_each_child+0x6c/0xe0
[<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70
[<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0
[<90000000010e200c>] device_for_each_child+0x6c/0xe0
[<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70
[<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0
[<9000000000f5211c>] acpi_bus_scan+0x6c/0x280
[<900000000189c028>] acpi_scan_init+0x194/0x310
[<900000000189bc6c>] acpi_init+0xcc/0x140
[<9000000000220cdc>] do_one_initcall+0x4c/0x310
[<90000000018618fc>] kernel_init_freeable+0x258/0x2d4
[<900000000184326c>] kernel_init+0x28/0x13c
[<9000000000222008>] ret_from_kernel_thread+0xc/0xa4
Cc: stable@vger.kernel.org
Fixes: 95db0c9f526d ("LoongArch: Workaround LS2K/LS7A GPU DMA hang bug")
Link: https://gist.github.com/opsiff/ebf2dac51b4013d22462f2124c55f807
Link: https://gist.github.com/opsiff/a62f2a73db0492b3c49bf223a339b133
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/pci/pci.c | 3 +++
1 file changed, 3 insertions(+)
--- a/arch/loongarch/pci/pci.c
+++ b/arch/loongarch/pci/pci.c
@@ -133,6 +133,9 @@ static void loongson_gpu_fixup_dma_hang(
crtc_reg = regbase;
crtc_offset = 0x400;
break;
+ default:
+ iounmap(regbase);
+ return;
}
for (i = 0; i < CRTC_NUM_MAX; i++, crtc_reg += crtc_offset) {
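Review bot: the new default: case unmaps regbase and returns without any trace, so a device that is neither DC2 nor DC3 is skipped silently. The iounmap() is needed, but a comment on the case explaining when it is reached would help, and if the function has a common exit that already unmaps regbase, jumping to it instead of adding a second iounmap() call would keep the cleanup in one place.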
* [PATCH 6.1 380/969] LoongArch: Use per-root-bridge PCIH flag to skip mem resource fixup
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chao Li, Dongyan Qian, Huacai Chen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huacai Chen <chenhuacai@loongson.cn>
commit 49f33840dcc907d21313d369e34872880846b61c upstream.
When firmware enables 64-bit PCI host bridge support, some root bridges
already provide valid 64-bit mem resource windows through ACPI.
In this case, the LoongArch-specific mem resource high-bits fixup in
acpi_prepare_root_resources() should not be applied unconditionally.
Otherwise, the kernel may override the native resource layout derived
from firmware, and later BAR assignment can fail to place device BARs
into the intended 64-bit address space correctly.
Add a per-root-bridge ACPI flag, PCIH, and evaluate it from the current
root bridge device scope. When PCIH is set, skip the mem resource high-
bits fixup path and let the kernel use the firmware-provided resource
description directly. When PCIH is absent or cleared, keep the existing
behavior and continue filling the high address bits from the host bridge
address.
This makes the behavior per-root-bridge configurable and avoids breaking
valid 64-bit BAR space allocation on bridges whose 64-bit windows have
already been fully described by firmware.
Cc: stable@vger.kernel.org
Suggested-by: Chao Li <lichao@loongson.cn>
Tested-by: Dongyan Qian <qiandongyan@loongson.cn>
Signed-off-by: Dongyan Qian <qiandongyan@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/pci/acpi.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/arch/loongarch/pci/acpi.c
+++ b/arch/loongarch/pci/acpi.c
@@ -58,11 +58,16 @@ static void acpi_release_root_info(struc
static int acpi_prepare_root_resources(struct acpi_pci_root_info *ci)
{
int status;
+ unsigned long long pci_h = 0;
struct resource_entry *entry, *tmp;
struct acpi_device *device = ci->bridge;
status = acpi_pci_probe_root_resources(ci);
if (status > 0) {
+ acpi_evaluate_integer(device->handle, "PCIH", NULL, &pci_h);
+ if (pci_h)
+ return status;
+
resource_list_for_each_entry_safe(entry, tmp, &ci->resources) {
if (entry->res->flags & IORESOURCE_MEM) {
entry->offset = ci->root->mcfg_addr & GENMASK_ULL(63, 40);
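Review bot: the status returned by acpi_evaluate_integer(device->handle, "PCIH", NULL, &pci_h) is ignored, so the "PCIH absent" case works only because pci_h is initialised to 0 and the callee is assumed to leave it untouched on failure. Checking the status explicitly, for example with ACPI_SUCCESS() in the same condition as pci_h, would state the intent and not depend on that assumption.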
* [PATCH 6.1 381/969] f2fs: compress: change the first parameter of page_array_{alloc,free} to sbi
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhiguo Niu, Baocong Liu, Chao Yu,
Jaegeuk Kim, Bin Lan, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhiguo Niu <zhiguo.niu@unisoc.com>
[ Upstream commit 8e2a9b656474d67c55010f2c003ea2cf889a19ff ]
No logic changes, just cleanup and prepare for fixing the UAF issue
in f2fs_free_dic.
Signed-off-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
Signed-off-by: Baocong Liu <baocong.liu@unisoc.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Bin Lan <lanbincn@139.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/compress.c | 40 ++++++++++++++++++++--------------------
1 file changed, 20 insertions(+), 20 deletions(-)
diff --git a/fs/f2fs/compress.c b/fs/f2fs/compress.c
index 4dcd0870e0c74..1e90286212866 100644
--- a/fs/f2fs/compress.c
+++ b/fs/f2fs/compress.c
@@ -23,20 +23,18 @@
static struct kmem_cache *cic_entry_slab;
static struct kmem_cache *dic_entry_slab;
-static void *page_array_alloc(struct inode *inode, int nr)
+static void *page_array_alloc(struct f2fs_sb_info *sbi, int nr)
{
- struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
unsigned int size = sizeof(struct page *) * nr;
if (likely(size <= sbi->page_array_slab_size))
return f2fs_kmem_cache_alloc(sbi->page_array_slab,
- GFP_F2FS_ZERO, false, F2FS_I_SB(inode));
+ GFP_F2FS_ZERO, false, sbi);
return f2fs_kzalloc(sbi, size, GFP_NOFS);
}
-static void page_array_free(struct inode *inode, void *pages, int nr)
+static void page_array_free(struct f2fs_sb_info *sbi, void *pages, int nr)
{
- struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
unsigned int size = sizeof(struct page *) * nr;
if (!pages)
@@ -145,13 +143,13 @@ int f2fs_init_compress_ctx(struct compress_ctx *cc)
if (cc->rpages)
return 0;
- cc->rpages = page_array_alloc(cc->inode, cc->cluster_size);
+ cc->rpages = page_array_alloc(F2FS_I_SB(cc->inode), cc->cluster_size);
return cc->rpages ? 0 : -ENOMEM;
}
void f2fs_destroy_compress_ctx(struct compress_ctx *cc, bool reuse)
{
- page_array_free(cc->inode, cc->rpages, cc->cluster_size);
+ page_array_free(F2FS_I_SB(cc->inode), cc->rpages, cc->cluster_size);
cc->rpages = NULL;
cc->nr_rpages = 0;
cc->nr_cpages = 0;
@@ -640,6 +638,7 @@ static void *f2fs_vmap(struct page **pages, unsigned int count)
static int f2fs_compress_pages(struct compress_ctx *cc)
{
+ struct f2fs_sb_info *sbi = F2FS_I_SB(cc->inode);
struct f2fs_inode_info *fi = F2FS_I(cc->inode);
const struct f2fs_compress_ops *cops =
f2fs_cops[fi->i_compress_algorithm];
@@ -660,7 +659,7 @@ static int f2fs_compress_pages(struct compress_ctx *cc)
cc->nr_cpages = DIV_ROUND_UP(max_len, PAGE_SIZE);
cc->valid_nr_cpages = cc->nr_cpages;
- cc->cpages = page_array_alloc(cc->inode, cc->nr_cpages);
+ cc->cpages = page_array_alloc(sbi, cc->nr_cpages);
if (!cc->cpages) {
ret = -ENOMEM;
goto destroy_compress_ctx;
@@ -742,7 +741,7 @@ static int f2fs_compress_pages(struct compress_ctx *cc)
if (cc->cpages[i])
f2fs_compress_free_page(cc->cpages[i]);
}
- page_array_free(cc->inode, cc->cpages, cc->nr_cpages);
+ page_array_free(sbi, cc->cpages, cc->nr_cpages);
cc->cpages = NULL;
destroy_compress_ctx:
if (cops->destroy_compress_ctx)
@@ -1308,7 +1307,7 @@ static int f2fs_write_compressed_pages(struct compress_ctx *cc,
cic->magic = F2FS_COMPRESSED_PAGE_MAGIC;
cic->inode = inode;
atomic_set(&cic->pending_pages, cc->valid_nr_cpages);
- cic->rpages = page_array_alloc(cc->inode, cc->cluster_size);
+ cic->rpages = page_array_alloc(sbi, cc->cluster_size);
if (!cic->rpages)
goto out_put_cic;
@@ -1401,13 +1400,13 @@ static int f2fs_write_compressed_pages(struct compress_ctx *cc,
spin_unlock(&fi->i_size_lock);
f2fs_put_rpages(cc);
- page_array_free(cc->inode, cc->cpages, cc->nr_cpages);
+ page_array_free(sbi, cc->cpages, cc->nr_cpages);
cc->cpages = NULL;
f2fs_destroy_compress_ctx(cc, false);
return 0;
out_destroy_crypt:
- page_array_free(cc->inode, cic->rpages, cc->cluster_size);
+ page_array_free(sbi, cic->rpages, cc->cluster_size);
for (--i; i >= 0; i--)
fscrypt_finalize_bounce_page(&cc->cpages[i]);
@@ -1425,7 +1424,7 @@ static int f2fs_write_compressed_pages(struct compress_ctx *cc,
f2fs_compress_free_page(cc->cpages[i]);
cc->cpages[i] = NULL;
}
- page_array_free(cc->inode, cc->cpages, cc->nr_cpages);
+ page_array_free(sbi, cc->cpages, cc->nr_cpages);
cc->cpages = NULL;
return -EAGAIN;
}
@@ -1455,7 +1454,7 @@ void f2fs_compress_write_end_io(struct bio *bio, struct page *page)
end_page_writeback(cic->rpages[i]);
}
- page_array_free(cic->inode, cic->rpages, cic->nr_rpages);
+ page_array_free(sbi, cic->rpages, cic->nr_rpages);
kmem_cache_free(cic_entry_slab, cic);
/*
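Review bot: page_array_free(sbi, cic->rpages, cic->nr_rpages) uses sbi, but this hunk adds no declaration for it, unlike the f2fs_compress_pages() and f2fs_free_dic() hunks, which add struct f2fs_sb_info *sbi. Please confirm that f2fs_compress_write_end_io() in 6.1.y already has sbi in scope; the same question applies to the f2fs_write_compressed_pages() and f2fs_alloc_dic() hunks.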
@@ -1601,7 +1600,7 @@ static int f2fs_prepare_decomp_mem(struct decompress_io_ctx *dic,
if (!allow_memalloc_for_decomp(F2FS_I_SB(dic->inode), pre_alloc))
return 0;
- dic->tpages = page_array_alloc(dic->inode, dic->cluster_size);
+ dic->tpages = page_array_alloc(F2FS_I_SB(dic->inode), dic->cluster_size);
if (!dic->tpages)
return -ENOMEM;
@@ -1663,7 +1662,7 @@ struct decompress_io_ctx *f2fs_alloc_dic(struct compress_ctx *cc)
if (!dic)
return ERR_PTR(-ENOMEM);
- dic->rpages = page_array_alloc(cc->inode, cc->cluster_size);
+ dic->rpages = page_array_alloc(sbi, cc->cluster_size);
if (!dic->rpages) {
kmem_cache_free(dic_entry_slab, dic);
return ERR_PTR(-ENOMEM);
@@ -1684,7 +1683,7 @@ struct decompress_io_ctx *f2fs_alloc_dic(struct compress_ctx *cc)
dic->rpages[i] = cc->rpages[i];
dic->nr_rpages = cc->cluster_size;
- dic->cpages = page_array_alloc(dic->inode, dic->nr_cpages);
+ dic->cpages = page_array_alloc(sbi, dic->nr_cpages);
if (!dic->cpages) {
ret = -ENOMEM;
goto out_free;
@@ -1719,6 +1718,7 @@ static void f2fs_free_dic(struct decompress_io_ctx *dic,
bool bypass_destroy_callback)
{
int i;
+ struct f2fs_sb_info *sbi = F2FS_I_SB(dic->inode);
f2fs_release_decomp_mem(dic, bypass_destroy_callback, true);
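Review bot: the added initialiser struct f2fs_sb_info *sbi = F2FS_I_SB(dic->inode) dereferences dic->inode at the top of f2fs_free_dic(), the function the changelog names as the use-after-free site. This patch therefore keeps the inode access in place and should not be taken without the follow-up fix; saying that in the changelog would prevent a partial backport.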
@@ -1730,7 +1730,7 @@ static void f2fs_free_dic(struct decompress_io_ctx *dic,
continue;
f2fs_compress_free_page(dic->tpages[i]);
}
- page_array_free(dic->inode, dic->tpages, dic->cluster_size);
+ page_array_free(sbi, dic->tpages, dic->cluster_size);
}
if (dic->cpages) {
@@ -1739,10 +1739,10 @@ static void f2fs_free_dic(struct decompress_io_ctx *dic,
continue;
f2fs_compress_free_page(dic->cpages[i]);
}
- page_array_free(dic->inode, dic->cpages, dic->nr_cpages);
+ page_array_free(sbi, dic->cpages, dic->nr_cpages);
}
- page_array_free(dic->inode, dic->rpages, dic->nr_rpages);
+ page_array_free(sbi, dic->rpages, dic->nr_rpages);
kmem_cache_free(dic_entry_slab, dic);
}
--
2.53.0
* [PATCH 6.1 382/969] f2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daeho Jeong, Zhiguo Niu, Baocong Liu,
Chao Yu, Jaegeuk Kim, Bin Lan, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhiguo Niu <zhiguo.niu@unisoc.com>
[ Upstream commit 39868685c2a94a70762bc6d77dc81d781d05bff5 ]
The decompress_io_ctx may be released asynchronously after
I/O completion. If this file is deleted immediately after read,
and the kworker of processing post_read_wq has not been executed yet
due to high workloads, it is possible that the inode (f2fs_inode_info)
is evicted and freed before it is used in f2fs_free_dic.
The UAF case is as below:
Thread A                                 Thread B
 - f2fs_decompress_end_io
  - f2fs_put_dic
   - queue_work
     add free_dic work to post_read_wq
                                         - do_unlink
                                          - iput
                                           - evict
                                            - call_rcu
This file is deleted after read.
Thread C                                 kworker to process post_read_wq
 - rcu_do_batch
  - f2fs_free_inode
   - kmem_cache_free
  inode is freed by rcu
                                         - process_scheduled_works
                                          - f2fs_late_free_dic
                                           - f2fs_free_dic
                                            - f2fs_release_decomp_mem
                                              read (dic->inode)->i_compress_algorithm
This patch stores compress_algorithm and sbi in dic to avoid inode UAF.
In addition, the previous solution is deprecated in [1] may cause system hang.
[1] https://lore.kernel.org/all/c36ab955-c8db-4a8b-a9d0-f07b5f426c3f@kernel.org
Cc: Daeho Jeong <daehojeong@google.com>
Fixes: bff139b49d9f ("f2fs: handle decompress only post processing in softirq")
Signed-off-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
Signed-off-by: Baocong Liu <baocong.liu@unisoc.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
[ No changes are made to the code logic; F2FS_I_SB(dic->inode) is
replaced with dic->sbi in v6.1. ]
Signed-off-by: Bin Lan <lanbincn@139.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/compress.c | 40 ++++++++++++++++++++--------------------
fs/f2fs/f2fs.h | 2 ++
2 files changed, 22 insertions(+), 20 deletions(-)
diff --git a/fs/f2fs/compress.c b/fs/f2fs/compress.c
index 1e90286212866..5d0c41abb4050 100644
--- a/fs/f2fs/compress.c
+++ b/fs/f2fs/compress.c
@@ -211,14 +211,14 @@ static int lzo_decompress_pages(struct decompress_io_ctx *dic)
dic->rbuf, &dic->rlen);
if (ret != LZO_E_OK) {
printk_ratelimited("%sF2FS-fs (%s): lzo decompress failed, ret:%d\n",
- KERN_ERR, F2FS_I_SB(dic->inode)->sb->s_id, ret);
+ KERN_ERR, dic->sbi->sb->s_id, ret);
return -EIO;
}
if (dic->rlen != PAGE_SIZE << dic->log_cluster_size) {
printk_ratelimited("%sF2FS-fs (%s): lzo invalid rlen:%zu, "
"expected:%lu\n", KERN_ERR,
- F2FS_I_SB(dic->inode)->sb->s_id,
+ dic->sbi->sb->s_id,
dic->rlen,
PAGE_SIZE << dic->log_cluster_size);
return -EIO;
@@ -307,14 +307,14 @@ static int lz4_decompress_pages(struct decompress_io_ctx *dic)
dic->clen, dic->rlen);
if (ret < 0) {
printk_ratelimited("%sF2FS-fs (%s): lz4 decompress failed, ret:%d\n",
- KERN_ERR, F2FS_I_SB(dic->inode)->sb->s_id, ret);
+ KERN_ERR, dic->sbi->sb->s_id, ret);
return -EIO;
}
if (ret != PAGE_SIZE << dic->log_cluster_size) {
printk_ratelimited("%sF2FS-fs (%s): lz4 invalid ret:%d, "
"expected:%lu\n", KERN_ERR,
- F2FS_I_SB(dic->inode)->sb->s_id, ret,
+ dic->sbi->sb->s_id, ret,
PAGE_SIZE << dic->log_cluster_size);
return -EIO;
}
@@ -437,7 +437,7 @@ static int zstd_init_decompress_ctx(struct decompress_io_ctx *dic)
workspace_size = zstd_dstream_workspace_bound(max_window_size);
- workspace = f2fs_kvmalloc(F2FS_I_SB(dic->inode),
+ workspace = f2fs_kvmalloc(dic->sbi,
workspace_size, GFP_NOFS);
if (!workspace)
return -ENOMEM;
@@ -445,7 +445,7 @@ static int zstd_init_decompress_ctx(struct decompress_io_ctx *dic)
stream = zstd_init_dstream(max_window_size, workspace, workspace_size);
if (!stream) {
printk_ratelimited("%sF2FS-fs (%s): %s zstd_init_dstream failed\n",
- KERN_ERR, F2FS_I_SB(dic->inode)->sb->s_id,
+ KERN_ERR, dic->sbi->sb->s_id,
__func__);
kvfree(workspace);
return -EIO;
@@ -482,7 +482,7 @@ static int zstd_decompress_pages(struct decompress_io_ctx *dic)
ret = zstd_decompress_stream(stream, &outbuf, &inbuf);
if (zstd_is_error(ret)) {
printk_ratelimited("%sF2FS-fs (%s): %s zstd_decompress_stream failed, ret: %d\n",
- KERN_ERR, F2FS_I_SB(dic->inode)->sb->s_id,
+ KERN_ERR, dic->sbi->sb->s_id,
__func__, zstd_get_error_code(ret));
return -EIO;
}
@@ -490,7 +490,7 @@ static int zstd_decompress_pages(struct decompress_io_ctx *dic)
if (dic->rlen != outbuf.pos) {
printk_ratelimited("%sF2FS-fs (%s): %s ZSTD invalid rlen:%zu, "
"expected:%lu\n", KERN_ERR,
- F2FS_I_SB(dic->inode)->sb->s_id,
+ dic->sbi->sb->s_id,
__func__, dic->rlen,
PAGE_SIZE << dic->log_cluster_size);
return -EIO;
@@ -759,7 +759,7 @@ static void f2fs_release_decomp_mem(struct decompress_io_ctx *dic,
void f2fs_decompress_cluster(struct decompress_io_ctx *dic, bool in_task)
{
- struct f2fs_sb_info *sbi = F2FS_I_SB(dic->inode);
+ struct f2fs_sb_info *sbi = dic->sbi;
struct f2fs_inode_info *fi = F2FS_I(dic->inode);
const struct f2fs_compress_ops *cops =
f2fs_cops[fi->i_compress_algorithm];
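Review bot: In f2fs_decompress_cluster(), sbi now comes from dic->sbi, but the two lines below it still go through dic->inode (F2FS_I(dic->inode), then fi->i_compress_algorithm) to pick cops. If the inode is guaranteed to be alive on this path, say so in a comment; otherwise index f2fs_cops[] with dic->compress_algorithm, as f2fs_prepare_decomp_mem() and f2fs_release_decomp_mem() do after this patch, so that one function does not mix the snapshot with the live inode.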
@@ -832,7 +832,7 @@ void f2fs_end_read_compressed_page(struct page *page, bool failed,
{
struct decompress_io_ctx *dic =
(struct decompress_io_ctx *)page_private(page);
- struct f2fs_sb_info *sbi = F2FS_I_SB(dic->inode);
+ struct f2fs_sb_info *sbi = dic->sbi;
dec_page_count(sbi, F2FS_RD_DATA);
@@ -1593,14 +1593,13 @@ static inline bool allow_memalloc_for_decomp(struct f2fs_sb_info *sbi,
static int f2fs_prepare_decomp_mem(struct decompress_io_ctx *dic,
bool pre_alloc)
{
- const struct f2fs_compress_ops *cops =
- f2fs_cops[F2FS_I(dic->inode)->i_compress_algorithm];
+ const struct f2fs_compress_ops *cops = f2fs_cops[dic->compress_algorithm];
int i;
- if (!allow_memalloc_for_decomp(F2FS_I_SB(dic->inode), pre_alloc))
+ if (!allow_memalloc_for_decomp(dic->sbi, pre_alloc))
return 0;
- dic->tpages = page_array_alloc(F2FS_I_SB(dic->inode), dic->cluster_size);
+ dic->tpages = page_array_alloc(dic->sbi, dic->cluster_size);
if (!dic->tpages)
return -ENOMEM;
@@ -1632,10 +1631,9 @@ static int f2fs_prepare_decomp_mem(struct decompress_io_ctx *dic,
static void f2fs_release_decomp_mem(struct decompress_io_ctx *dic,
bool bypass_destroy_callback, bool pre_alloc)
{
- const struct f2fs_compress_ops *cops =
- f2fs_cops[F2FS_I(dic->inode)->i_compress_algorithm];
+ const struct f2fs_compress_ops *cops = f2fs_cops[dic->compress_algorithm];
- if (!allow_memalloc_for_decomp(F2FS_I_SB(dic->inode), pre_alloc))
+ if (!allow_memalloc_for_decomp(dic->sbi, pre_alloc))
return;
if (!bypass_destroy_callback && cops->destroy_decompress_ctx)
@@ -1670,6 +1668,8 @@ struct decompress_io_ctx *f2fs_alloc_dic(struct compress_ctx *cc)
dic->magic = F2FS_COMPRESSED_PAGE_MAGIC;
dic->inode = cc->inode;
+ dic->sbi = sbi;
+ dic->compress_algorithm = F2FS_I(cc->inode)->i_compress_algorithm;
atomic_set(&dic->remaining_pages, cc->nr_cpages);
dic->cluster_idx = cc->cluster_idx;
dic->cluster_size = cc->cluster_size;
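Review bot: f2fs_alloc_dic() stores sbi as a bare pointer (dic->sbi = sbi) and nothing in this hunk pins it, so the fix depends on the f2fs_sb_info outliving every work item queued on post_read_wq. Please state that lifetime rule next to the assignment. dic->inode is still stored as well; a comment that it must not be dereferenced from the deferred free path would stop the bug from being reintroduced.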
@@ -1718,7 +1718,8 @@ static void f2fs_free_dic(struct decompress_io_ctx *dic,
bool bypass_destroy_callback)
{
int i;
- struct f2fs_sb_info *sbi = F2FS_I_SB(dic->inode);
+ /* use sbi in dic to avoid UFA of dic->inode*/
+ struct f2fs_sb_info *sbi = dic->sbi;
f2fs_release_decomp_mem(dic, bypass_destroy_callback, true);
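Review bot: The comment added in f2fs_free_dic() has a typo and no space before the terminator: "UFA" should read "UAF", giving /* use sbi in dic to avoid UAF of dic->inode */. The declaration block would also read better with the comment above both declarations rather than between int i; and the sbi line.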
@@ -1761,8 +1762,7 @@ static void f2fs_put_dic(struct decompress_io_ctx *dic, bool in_task)
f2fs_free_dic(dic, false);
} else {
INIT_WORK(&dic->free_work, f2fs_late_free_dic);
- queue_work(F2FS_I_SB(dic->inode)->post_read_wq,
- &dic->free_work);
+ queue_work(dic->sbi->post_read_wq, &dic->free_work);
}
}
}
diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
index bbb86e2156989..faa6efe1ceaf5 100644
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -1546,6 +1546,7 @@ struct compress_io_ctx {
struct decompress_io_ctx {
u32 magic; /* magic number to indicate page is compressed */
struct inode *inode; /* inode the context belong to */
+ struct f2fs_sb_info *sbi; /* f2fs_sb_info pointer */
pgoff_t cluster_idx; /* cluster index number */
unsigned int cluster_size; /* page count in cluster */
unsigned int log_cluster_size; /* log of cluster size */
@@ -1586,6 +1587,7 @@ struct decompress_io_ctx {
bool failed; /* IO error occurred before decompression? */
bool need_verity; /* need fs-verity verification after decompression? */
+ unsigned char compress_algorithm; /* backup algorithm type */
void *private; /* payload buffer for specified decompression algorithm */
void *private2; /* extra payload buffer */
struct work_struct verity_work; /* work to verify the decompressed pages */
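Review bot: The field comment on compress_algorithm ("backup algorithm type") does not say what it is a backup of or why one is needed. Wording such as "copy of the inode's i_compress_algorithm taken in f2fs_alloc_dic(), valid after the inode is freed" would tell the next reader not to switch back to F2FS_I(dic->inode)->i_compress_algorithm.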
--
2.53.0
* [PATCH 6.1 383/969] exit: Sleep at TASK_IDLE when waiting for application core dump
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anhad Jai Singh, Paul E. McKenney,
Oleg Nesterov, Jens Axboe, Christian Brauner, Andrew Morton,
Matthew Wilcox (Oracle), Chris Mason, Rik van Riel, Paul Menzel
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul E. McKenney <paulmck@kernel.org>
commit b8e753128ed074fcb48e9ceded940752f6b1c19f upstream.
Currently, the coredump_task_exit() function sets the task state
to TASK_UNINTERRUPTIBLE|TASK_FREEZABLE, which usually works well.
But a combination of large memory and slow (and/or highly contended)
mass storage can cause application core dumps to take more than
two minutes, which can cause check_hung_task(), which is invoked by
check_hung_uninterruptible_tasks(), to produce task-blocked splats.
There does not seem to be any reasonable benefit to getting these splats.
Furthermore, as Oleg Nesterov points out, TASK_UNINTERRUPTIBLE could
be misleading because the task sleeping in coredump_task_exit() really
is killable, albeit indirectly. See the check of signal->core_state
in prepare_signal() and the check of fatal_signal_pending()
in dump_interrupted(), which bypass the normal unkillability of
TASK_UNINTERRUPTIBLE, resulting in coredump_finish() invoking
wake_up_process() on any threads sleeping in coredump_task_exit().
Therefore, change that TASK_UNINTERRUPTIBLE to TASK_IDLE.
Reported-by: Anhad Jai Singh <ffledgling@meta.com>
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: "Matthew Wilcox (Oracle)" <willy@infradead.org>
Cc: Chris Mason <clm@fb.com>
Cc: Rik van Riel <riel@surriel.com>
Cc: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/exit.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -426,7 +426,7 @@ static void coredump_task_exit(struct ta
complete(&core_state->startup);
for (;;) {
- set_current_state(TASK_UNINTERRUPTIBLE|TASK_FREEZABLE);
+ set_current_state(TASK_IDLE|TASK_FREEZABLE);
if (!self.task) /* see coredump_finish() */
break;
schedule();
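Review bot: The reason for TASK_IDLE in coredump_task_exit() lives only in the commit message, so the set_current_state() line now looks like an arbitrary state choice. A short comment above it, saying that the sleep can outlast the hung-task timeout during a slow dump and that coredump_finish() wakes these threads, would keep a later cleanup from switching it back to TASK_UNINTERRUPTIBLE.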
* [PATCH 6.1 384/969] media: uvcvideo: Enable VB2_DMABUF for metadata stream
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ricardo Ribalda, Laurent Pinchart,
Hans de Goede, Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo Ribalda <ribalda@chromium.org>
commit fbac03467e53d8d72e5099c03df26d9adae11416 upstream.
The UVC driver has two video streams, one for the frames and another one
for the metadata. Both streams share most of the codebase, but only the
data stream declares support for DMABUF transfer mode.
I have tried the DMABUF transfer mode with CONFIG_DMABUF_HEAPS_SYSTEM
and the frames looked correct.
This patch announces the support for DMABUF for the metadata stream.
This is useful for apps/HALs that only want to support DMABUF.
Cc: stable@vger.kernel.org
Fixes: 088ead2552458 ("media: uvcvideo: Add a metadata device node")
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Reviewed-by: Hans de Goede <johannes.goede@oss.qualcomm.com>
Link: https://patch.msgid.link/20260309-uvc-metadata-dmabuf-v1-1-fc8b87bd29c5@chromium.org
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/usb/uvc/uvc_queue.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/media/usb/uvc/uvc_queue.c
+++ b/drivers/media/usb/uvc/uvc_queue.c
@@ -218,7 +218,7 @@ int uvc_queue_init(struct uvc_video_queu
int ret;
queue->queue.type = type;
- queue->queue.io_modes = VB2_MMAP | VB2_USERPTR;
+ queue->queue.io_modes = VB2_MMAP | VB2_USERPTR | VB2_DMABUF;
queue->queue.drv_priv = queue;
queue->queue.buf_struct_size = sizeof(struct uvc_buffer);
queue->queue.mem_ops = &vb2_vmalloc_memops;
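Review bot: With VB2_DMABUF set ahead of the switch in uvc_queue_init(), the metadata queue now accepts imported buffers while mem_ops stays &vb2_vmalloc_memops. The commit message reports only that the frames looked correct; please state whether the metadata node itself was streamed with DMABUF buffers, since that is the path this change newly exposes to user space.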
@@ -231,7 +231,6 @@ int uvc_queue_init(struct uvc_video_queu
queue->queue.ops = &uvc_meta_queue_qops;
break;
default:
- queue->queue.io_modes |= VB2_DMABUF;
queue->queue.ops = &uvc_queue_qops;
break;
}
* [PATCH 6.1 385/969] media: i2c: ov8856: free control handler on error in ov8856_init_controls()
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Koskovich, Sakari Ailus,
Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Koskovich <akoskovich@pm.me>
commit f75e160745663ce9b13362ae6e90bd439c58df69 upstream.
The control handler wasn't freed if adding controls failed, add an error
exit label and convert the existing error return to use it.
Fixes: 879347f0c258 ("media: ov8856: Add support for OV8856 sensor")
Cc: stable@vger.kernel.org
Signed-off-by: Alexander Koskovich <akoskovich@pm.me>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/ov8856.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
--- a/drivers/media/i2c/ov8856.c
+++ b/drivers/media/i2c/ov8856.c
@@ -1954,12 +1954,18 @@ static int ov8856_init_controls(struct o
V4L2_CID_HFLIP, 0, 1, 1, 0);
v4l2_ctrl_new_std(ctrl_hdlr, &ov8856_ctrl_ops,
V4L2_CID_VFLIP, 0, 1, 1, 0);
- if (ctrl_hdlr->error)
- return ctrl_hdlr->error;
+ if (ctrl_hdlr->error) {
+ ret = ctrl_hdlr->error;
+ goto err_ctrl_handler_free;
+ }
ov8856->sd.ctrl_handler = ctrl_hdlr;
return 0;
+
+err_ctrl_handler_free:
+ v4l2_ctrl_handler_free(ctrl_hdlr);
+ return ret;
}
static void ov8856_update_pad_format(struct ov8856 *ov8856,
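Review bot: The new error branch assigns to ret, but its declaration is outside this hunk; for the 6.1 backport please confirm that ov8856_init_controls() already has an int ret in scope. Also check that every other return taken after the handler has been initialised goes through err_ctrl_handler_free, otherwise the same leak remains on those paths.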
* [PATCH 6.1 386/969] staging: media: atomisp: Disallow all private IOCTLs
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Soufiane Dani, Sakari Ailus,
Mauro Carvalho Chehab
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sakari Ailus <sakari.ailus@linux.intel.com>
commit 2b7eb2c5dc72f0fc954ac4aa155f9e285e937f7c upstream.
Disallow all private IOCTLs. These aren't quite as safe as one could
assume of IOCTL handlers; disable them for now. Instead of removing the
code, return in the beginning of the function if cmd is non-zero in order
to keep static checkers happy.
Reported-by: Soufiane Dani <soufianeda@tutanota.com>
Closes: https://lore.kernel.org/linux-staging/20260210-atomisp-fix-v1-1-024429cbff31@tutanota.com/
Cc: stable@vger.kernel.org
Fixes: a49d25364dfb ("staging/atomisp: Add support for the Intel IPU v2")
Fixes: ad85094b293e ("Revert "media: staging: atomisp: Remove driver"")
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/media/atomisp/pci/atomisp_ioctl.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c
+++ b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c
@@ -2456,6 +2456,10 @@ static long atomisp_vidioc_default(struc
struct v4l2_subdev *motor;
int err;
+ /* Disable all private IOCTLs for now! */
+ if (cmd)
+ return -EINVAL;
+
if (!IS_ISP2401)
motor = isp->inputs[asd->input_curr].motor;
else
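Review bot: The early return in atomisp_vidioc_default() uses -EINVAL, whereas the conventional errno for an ioctl a driver does not implement is -ENOTTY, which lets user space tell an unsupported command from a bad argument. The comment says "for now" without naming what has to be fixed before the private IOCTLs can return; pointing it at the report in the Closes: tag would make that actionable. The placement before the isp->inputs[asd->input_curr] access is right and worth keeping if the check is ever narrowed.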
* [PATCH 6.1 387/969] regulator: max77650: fix OF node reference imbalance
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bartosz Golaszewski, Johan Hovold,
Mark Brown
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 2edaf5f7ada0ab5c9ec1f0836bd19779a8d85262 upstream.
The driver reuses the OF node of the parent multi-function device but
fails to take another reference to balance the one dropped by the
platform bus code when unbinding the MFD and deregistering the child
devices.
Fix this by using the intended helper for reusing OF nodes.
Fixes: bcc61f1c44fd ("regulator: max77650: add regulator support")
Cc: stable@vger.kernel.org # 5.1
Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260408073055.5183-4-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/regulator/max77650-regulator.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/regulator/max77650-regulator.c
+++ b/drivers/regulator/max77650-regulator.c
@@ -339,7 +339,7 @@ static int max77650_regulator_probe(stru
parent = dev->parent;
if (!dev->of_node)
- dev->of_node = parent->of_node;
+ device_set_of_node_from_dev(dev, parent);
rdescs = devm_kcalloc(dev, MAX77650_REGULATOR_NUM_REGULATORS,
sizeof(*rdescs), GFP_KERNEL);
* [PATCH 6.1 388/969] media: rc: xbox_remote: heed DMA restrictions
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Oliver Neukum, Sean Young,
Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.com>
commit e280d1e5e3f2595bbb43fe6e1bce00c59a43c0ff upstream.
The buffer for IO must not be part of the device structure
because that violates the DMA coherency rules.
Fixes: 02d32bdad3123 ("media: rc: add driver for Xbox DVD Movie Playback Kit")
Cc: stable@vger.kernel.org
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/rc/xbox_remote.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/drivers/media/rc/xbox_remote.c
+++ b/drivers/media/rc/xbox_remote.c
@@ -55,7 +55,7 @@ struct xbox_remote {
struct usb_interface *interface;
struct urb *irq_urb;
- unsigned char inbuf[DATA_BUFSIZE] __aligned(sizeof(u16));
+ u8 *inbuf;
char rc_name[NAME_BUFSIZE];
char rc_phys[NAME_BUFSIZE];
@@ -218,6 +218,10 @@ static int xbox_remote_probe(struct usb_
if (!xbox_remote || !rc_dev)
goto exit_free_dev_rdev;
+ xbox_remote->inbuf = kzalloc(DATA_BUFSIZE, GFP_KERNEL);
+ if (!xbox_remote->inbuf)
+ goto exit_free_inbuf;
+
/* Allocate URB buffer */
xbox_remote->irq_urb = usb_alloc_urb(0, GFP_KERNEL);
if (!xbox_remote->irq_urb)
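Review bot: When kzalloc() of inbuf fails, the code jumps to exit_free_inbuf, whose only job is kfree(xbox_remote->inbuf) on a pointer that is NULL at that point. That is harmless, but goto exit_free_dev_rdev, the target used by the check just above, matches what has actually been allocated. Please also confirm that retval holds an error code on this path, since the hunk does not set one.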
@@ -262,6 +266,8 @@ exit_kill_urbs:
usb_kill_urb(xbox_remote->irq_urb);
exit_free_buffers:
usb_free_urb(xbox_remote->irq_urb);
+exit_free_inbuf:
+ kfree(xbox_remote->inbuf);
exit_free_dev_rdev:
rc_free_device(rc_dev);
kfree(xbox_remote);
@@ -286,6 +292,7 @@ static void xbox_remote_disconnect(struc
usb_kill_urb(xbox_remote->irq_urb);
rc_unregister_device(xbox_remote->rdev);
usb_free_urb(xbox_remote->irq_urb);
+ kfree(xbox_remote->inbuf);
kfree(xbox_remote);
}
* [PATCH 6.1 389/969] media: rc: streamzap: Error handling in probe
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Oliver Neukum, Sean Young,
Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.com>
commit 42844992664f03ef9f930e64f7370fa481e9c267 upstream.
If submitting the URB fails, the device will be unusable.
Probe() must fail.
Fixes: 7a569f524dd36 ("V4L/DVB: IR/streamzap: functional in-kernel decoding")
Cc: stable@vger.kernel.org
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/rc/streamzap.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
--- a/drivers/media/rc/streamzap.c
+++ b/drivers/media/rc/streamzap.c
@@ -219,9 +219,8 @@ static void streamzap_callback(struct ur
case -ESHUTDOWN:
/*
* this urb is terminated, clean up.
- * sz might already be invalid at this point
*/
- dev_err(sz->dev, "urb terminated, status: %d\n", urb->status);
+ dev_dbg(sz->dev, "urb terminated, status: %d\n", urb->status);
return;
default:
break;
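Review bot: This hunk deletes the warning that sz might already be invalid in the -ESHUTDOWN case, yet the next line still dereferences sz->dev, now through dev_dbg(). If the warning was accurate, the dereference is the problem and should be removed; if it was stale, the commit message should say why sz is known to be valid here.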
@@ -358,11 +357,16 @@ static int streamzap_probe(struct usb_in
usb_set_intfdata(intf, sz);
- if (usb_submit_urb(sz->urb_in, GFP_ATOMIC))
+ retval = usb_submit_urb(sz->urb_in, GFP_ATOMIC);
+ if (retval < 0) {
dev_err(sz->dev, "urb submit failed\n");
+ goto rc_submit_fail;
+ }
return 0;
-
+rc_submit_fail:
+ rc_free_device(sz->rdev);
+ usb_set_intfdata(intf, NULL);
rc_dev_fail:
usb_free_urb(sz->urb_in);
free_buf_in:
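Review bot: rc_submit_fail calls rc_free_device(sz->rdev); if the rc device has already been registered by the time usb_submit_urb() runs, the teardown needs rc_unregister_device() instead, so please check which state sz->rdev is in at this point. Two smaller points: usb_submit_urb() in probe can use GFP_KERNEL rather than GFP_ATOMIC, and the blank line between return 0; and the first label was dropped.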
* [PATCH 6.1 390/969] regulator: act8945a: fix OF node reference imbalance
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wenyou Yang, Johan Hovold,
Mark Brown
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 0d15ce31375ccef4162f960b34547a821b7619d2 upstream.
The driver reuses the OF node of the parent multi-function device but
fails to take another reference to balance the one dropped by the
platform bus code when unbinding the MFD and deregistering the child
devices.
Fix this by using the intended helper for reusing OF nodes.
Fixes: 38c09961048b ("regulator: act8945a: add regulator driver for ACT8945A")
Cc: stable@vger.kernel.org # 4.6
Cc: Wenyou Yang <wenyou.yang@atmel.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260408073055.5183-7-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/regulator/act8945a-regulator.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/regulator/act8945a-regulator.c
+++ b/drivers/regulator/act8945a-regulator.c
@@ -302,8 +302,9 @@ static int act8945a_pmic_probe(struct pl
num_regulators = ARRAY_SIZE(act8945a_regulators);
}
+ device_set_of_node_from_dev(&pdev->dev, pdev->dev.parent);
+
config.dev = &pdev->dev;
- config.dev->of_node = pdev->dev.parent->of_node;
config.driver_data = act8945a;
for (i = 0; i < num_regulators; i++) {
rdev = devm_regulator_register(&pdev->dev, ®ulators[i],
* [PATCH 6.1 391/969] regulator: bd9571mwv: fix OF node reference imbalance
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Marek Vasut, Johan Hovold,
Mark Brown
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 8498100ee1d00422b8c5b161b3e332278b92a59a upstream.
The driver reuses the OF node of the parent multi-function device but
fails to take another reference to balance the one dropped by the
platform bus code when unbinding the MFD and deregistering the child
devices.
Fix this by using the intended helper for reusing OF nodes.
Fixes: e85c5a153fe2 ("regulator: Add ROHM BD9571MWV-M PMIC regulator driver")
Cc: stable@vger.kernel.org # 4.12
Cc: Marek Vasut <marek.vasut@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260408073055.5183-8-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/regulator/bd9571mwv-regulator.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/regulator/bd9571mwv-regulator.c
+++ b/drivers/regulator/bd9571mwv-regulator.c
@@ -288,8 +288,9 @@ static int bd9571mwv_regulator_probe(str
platform_set_drvdata(pdev, bdreg);
+ device_set_of_node_from_dev(&pdev->dev, pdev->dev.parent);
+
config.dev = &pdev->dev;
- config.dev->of_node = pdev->dev.parent->of_node;
config.driver_data = bdreg;
config.regmap = bdreg->regmap;
* [PATCH 6.1 392/969] media: saa7164: add ioremap return checks and cleanups
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wang Jun, Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wang Jun <1742789905@qq.com>
commit d51c60a498e83c9a79884c8e420f97e3885c9583 upstream.
Add checks for ioremap return values in saa7164_dev_setup(). If
ioremap for BAR0 or BAR2 fails, release the already allocated PCI
memory regions, remove the device from the global list, decrement
the device count, and return -ENODEV.
This prevents potential null pointer dereferences and ensures proper
cleanup on memory mapping failures.
Fixes: 443c1228d505 ("V4L/DVB (12923): SAA7164: Add support for the NXP SAA7164 silicon")
Cc: stable@vger.kernel.org
Signed-off-by: Wang Jun <1742789905@qq.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/pci/saa7164/saa7164-core.c | 47 +++++++++++++++++++++++--------
1 file changed, 35 insertions(+), 12 deletions(-)
--- a/drivers/media/pci/saa7164/saa7164-core.c
+++ b/drivers/media/pci/saa7164/saa7164-core.c
@@ -890,6 +890,15 @@ static int get_resources(struct saa7164_
return -EBUSY;
}
+static void release_resources(struct saa7164_dev *dev)
+{
+ release_mem_region(pci_resource_start(dev->pci, 0),
+ pci_resource_len(dev->pci, 0));
+
+ release_mem_region(pci_resource_start(dev->pci, 2),
+ pci_resource_len(dev->pci, 2));
+}
+
static int saa7164_port_init(struct saa7164_dev *dev, int portnr)
{
struct saa7164_port *port = NULL;
@@ -949,9 +958,9 @@ static int saa7164_dev_setup(struct saa7
snprintf(dev->name, sizeof(dev->name), "saa7164[%d]", dev->nr);
- mutex_lock(&devlist);
- list_add_tail(&dev->devlist, &saa7164_devlist);
- mutex_unlock(&devlist);
+ scoped_guard(mutex, &devlist) {
+ list_add_tail(&dev->devlist, &saa7164_devlist);
+ }
/* board config */
dev->board = UNSET;
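Review bot: Replacing mutex_lock()/mutex_unlock() around list_add_tail() with scoped_guard(mutex, &devlist) is a refactor unrelated to the ioremap checks, and the patch adds no include for it. For a 6.1 backport please confirm that scoped_guard() and the mutex guard are available in this tree, or keep the explicit lock/unlock pair here and in the new error path.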
@@ -998,11 +1007,17 @@ static int saa7164_dev_setup(struct saa7
}
/* PCI/e allocations */
- dev->lmmio = ioremap(pci_resource_start(dev->pci, 0),
- pci_resource_len(dev->pci, 0));
+ dev->lmmio = pci_ioremap_bar(dev->pci, 0);
+ if (!dev->lmmio) {
+ dev_err(&dev->pci->dev, "Failed to remap MMIO BAR 0\n");
+ goto err_ioremap_bar0;
+ }
- dev->lmmio2 = ioremap(pci_resource_start(dev->pci, 2),
- pci_resource_len(dev->pci, 2));
+ dev->lmmio2 = pci_ioremap_bar(dev->pci, 2);
+ if (!dev->lmmio2) {
+ dev_err(&dev->pci->dev, "Failed to remap MMIO BAR 2\n");
+ goto err_ioremap_bar2;
+ }
dev->bmmio = (u8 __iomem *)dev->lmmio;
dev->bmmio2 = (u8 __iomem *)dev->lmmio2;
@@ -1021,17 +1036,25 @@ static int saa7164_dev_setup(struct saa7
saa7164_pci_quirks(dev);
return 0;
+
+err_ioremap_bar2:
+ iounmap(dev->lmmio);
+err_ioremap_bar0:
+ release_resources(dev);
+
+ scoped_guard(mutex, &devlist) {
+ list_del(&dev->devlist);
+ }
+ saa7164_devcount--;
+
+ return -ENODEV;
}
static void saa7164_dev_unregister(struct saa7164_dev *dev)
{
dprintk(1, "%s()\n", __func__);
- release_mem_region(pci_resource_start(dev->pci, 0),
- pci_resource_len(dev->pci, 0));
-
- release_mem_region(pci_resource_start(dev->pci, 2),
- pci_resource_len(dev->pci, 2));
+ release_resources(dev);
if (!atomic_dec_and_test(&dev->refcount))
return;
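Review bot: In the new error path, saa7164_devcount-- runs after the scoped_guard block has closed, so the counter changes without devlist held while the list_del() beside it is locked. Move the decrement inside the guard or document why the count needs no locking. Please also confirm that the caller of saa7164_dev_setup() checks the return value now that the function can return -ENODEV after partial setup.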
* [PATCH 6.1 393/969] platform/x86: hp-wmi: Ignore backlight and FnLock events
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Artem S. Tashkinov, Krishna Chomal,
Ilpo Järvinen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krishna Chomal <krishna.chomal108@gmail.com>
commit e8c597368b8500a824c639bfb5ed0044068c6870 upstream.
On HP OmniBook 7 the keyboard backlight and FnLock keys are handled
directly by the firmware. However, they still trigger WMI events which
results in "Unknown key code" warnings in dmesg.
Add these key codes to the keymap with KE_IGNORE to silence the warnings
since no software action is needed.
Tested-by: Artem S. Tashkinov <aros@gmx.com>
Reported-by: Artem S. Tashkinov <aros@gmx.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221181
Signed-off-by: Krishna Chomal <krishna.chomal108@gmail.com>
Link: https://patch.msgid.link/20260403080155.169653-1-krishna.chomal108@gmail.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/x86/hp/hp-wmi.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/platform/x86/hp/hp-wmi.c
+++ b/drivers/platform/x86/hp/hp-wmi.c
@@ -223,6 +223,11 @@ static const struct key_entry hp_wmi_key
{ KE_KEY, 0x21a9, { KEY_TOUCHPAD_OFF } },
{ KE_KEY, 0x121a9, { KEY_TOUCHPAD_ON } },
{ KE_KEY, 0x231b, { KEY_HELP } },
+ { KE_IGNORE, 0x21ab, }, /* FnLock on */
+ { KE_IGNORE, 0x121ab, }, /* FnLock off */
+ { KE_IGNORE, 0x30021aa, }, /* kbd backlight: level 2 -> off */
+ { KE_IGNORE, 0x33221aa, }, /* kbd backlight: off -> level 1 */
+ { KE_IGNORE, 0x36421aa, }, /* kbd backlight: level 1 -> level 2*/
{ KE_END, 0 }
};
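Review bot: the comment on the last added entry, "level 1 -> level 2*/", is missing the space before the closing "*/" that the four entries above it have. The three 0x...21aa codes appear to carry the backlight transition in their upper bits; a one-line comment above the group naming that layout would tell the next reader why exactly these three values are listed.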
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 394/969] media: pci: zoran: fix potential memory leak in zoran_probe()
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Abdun Nihaal, Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdun Nihaal <nihaal@cse.iitm.ac.in>
commit 8ea21435fe36fb853706f4935d78bc11beb63fb4 upstream.
The memory allocated for codec in videocodec_attach() is not freed in
one of the error paths, due to an incorrect goto label. Fix the label
to free it on error.
Fixes: 8f7cc5c0b0eb ("media: staging: media: zoran: introduce zoran_i2c_init")
Cc: stable@vger.kernel.org
Signed-off-by: Abdun Nihaal <nihaal@cse.iitm.ac.in>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/pci/zoran/zoran_card.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/media/pci/zoran/zoran_card.c
+++ b/drivers/media/pci/zoran/zoran_card.c
@@ -1377,7 +1377,7 @@ static int zoran_probe(struct pci_dev *p
}
if (zr->codec->type != zr->card.video_codec) {
pci_err(pdev, "%s - wrong codec\n", __func__);
- goto zr_unreg_videocodec;
+ goto zr_detach_codec;
}
}
if (zr->card.video_vfe != 0) {
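Review bot: the "wrong codec" branch now jumps to zr_detach_codec, but the visible lines set no error code before the goto. Please confirm that the unwind path returns a negative errno for this case rather than whatever the local status variable last held, and set one explicitly next to the pci_err() if it does not.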
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 395/969] media: dib8000: avoid division by 0 in dib8000_set_dds()
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sergey Shtylyov, Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sergey Shtylyov <s.shtylyov@auroraos.dev>
commit dde3c37af95cd6fa301c4906f33d627bc9dd874c upstream.
In dib8000_set_dds(), 1 << 26 (67108864) divided by e.g. 1 apparently can't
fit into 16-bit variable unit_khz_dds_val, being truncated to 0; this will
cause division by 0 while calling dprintk() with debugging enabled (via the
module parameter). Use s32 instead of s16 to declare the variable, getting
rid of the cast to u16 in the *else* branch as well...
Found by Linux Verification Center (linuxtesting.org) with the Svace static
analysis tool.
Fixes: 173a64cb3fcf ("[media] dib8000: enhancement")
Cc: stable@vger.kernel.org
Signed-off-by: Sergey Shtylyov <s.shtylyov@auroraos.dev>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/dvb-frontends/dib8000.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/media/dvb-frontends/dib8000.c
+++ b/drivers/media/dvb-frontends/dib8000.c
@@ -2694,7 +2694,7 @@ static void dib8000_viterbi_state(struct
static void dib8000_set_dds(struct dib8000_state *state, s32 offset_khz)
{
- s16 unit_khz_dds_val;
+ s32 unit_khz_dds_val;
u32 abs_offset_khz = abs(offset_khz);
u32 dds = state->cfg.pll->ifreq & 0x1ffffff;
u8 invert = !!(state->cfg.pll->ifreq & (1 << 25));
@@ -2715,7 +2715,7 @@ static void dib8000_set_dds(struct dib80
dds = (1<<26) - dds;
} else {
ratio = 2;
- unit_khz_dds_val = (u16) (67108864 / state->cfg.pll->internal);
+ unit_khz_dds_val = 67108864 / state->cfg.pll->internal;
if (offset_khz < 0)
unit_khz_dds_val *= -1;
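Review bot: the division in the else branch, 67108864 / state->cfg.pll->internal, still has no guard for internal == 0. Widening unit_khz_dds_val removes the truncation to 0 that the commit message describes, but not a zero divisor coming from the PLL configuration; if every board config is known to set a non-zero internal, say so in a comment, otherwise return early when it is 0. The bare 67108864 could also be written as (1 << 26), matching the "dds = (1<<26) - dds" line just above it.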
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 396/969] media: i2c: imx412: Assert reset GPIO during probe
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wenmeng Liu, Sakari Ailus,
Mauro Carvalho Chehab
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wenmeng Liu <wenmeng.liu@oss.qualcomm.com>
commit 8467c5ff5acae28513bc1e0af535e06b41b04344 upstream.
Assert the reset GPIO before first power up. This avoids a mismatch where
the first power up (when the reset GPIO defaults deasserted) differs from
subsequent cycles.
Signed-off-by: Wenmeng Liu <wenmeng.liu@oss.qualcomm.com>
Fixes: 9214e86c0cc1 ("media: i2c: Add imx412 camera sensor driver")
Cc: stable@vger.kernel.org
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/imx412.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/media/i2c/imx412.c
+++ b/drivers/media/i2c/imx412.c
@@ -934,7 +934,7 @@ static int imx412_parse_hw_config(struct
/* Request optional reset pin */
imx412->reset_gpio = devm_gpiod_get_optional(imx412->dev, "reset",
- GPIOD_OUT_LOW);
+ GPIOD_OUT_HIGH);
if (IS_ERR(imx412->reset_gpio)) {
dev_err(imx412->dev, "failed to get reset gpio %ld\n",
PTR_ERR(imx412->reset_gpio));
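Review bot: GPIOD_OUT_HIGH requests the line at its logical asserted level, so whether this actually holds the sensor in reset depends on the polarity flag the device tree gives the "reset" GPIO. The comment above the call still says only "Request optional reset pin"; extend it to state that the pin is requested asserted and that the power-up sequence is expected to deassert it.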
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 397/969] media: i2c: ov08d10: fix image vertical start setting
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthias Fend, Sakari Ailus,
Hans Verkuil
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthias Fend <matthias.fend@emfend.at>
commit 5d150fa0f16096d736bd24d13e04495da5116fab upstream.
The current settings for the "image vertical start" register appear to be
incorrect. While this only results in an incorrect start line for native
modes, this faulty setting causes actual problems in binning mode. At least
on an i.MX8MP test system, only corrupted frames could be received.
To correct this, the recommended settings from the reference register sets
are used for all modes. Since this shifts the start by one line, the Bayer
pattern also changes, which has also been corrected.
Fixes: 7be91e02ed57 ("media: i2c: Add ov08d10 camera sensor driver")
Cc: stable@vger.kernel.org
Signed-off-by: Matthias Fend <matthias.fend@emfend.at>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/ov08d10.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- a/drivers/media/i2c/ov08d10.c
+++ b/drivers/media/i2c/ov08d10.c
@@ -217,7 +217,7 @@ static const struct ov08d10_reg lane_2_m
{0x9a, 0x30},
{0xa8, 0x02},
{0xfd, 0x02},
- {0xa1, 0x01},
+ {0xa1, 0x00},
{0xa2, 0x09},
{0xa3, 0x9c},
{0xa5, 0x00},
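Review bot: register 0xa1 changes from 0x01 to 0x00 here, and to 0x08 and 0x04 in the two later tables, with nothing in the tables naming it. The commit message calls it the "image vertical start" register; a trailing comment on each changed entry saying so would make the three different values reviewable without the datasheet.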
@@ -335,7 +335,7 @@ static const struct ov08d10_reg lane_2_m
{0x9a, 0x30},
{0xa8, 0x02},
{0xfd, 0x02},
- {0xa1, 0x09},
+ {0xa1, 0x08},
{0xa2, 0x09},
{0xa3, 0x90},
{0xa5, 0x08},
@@ -467,7 +467,7 @@ static const struct ov08d10_reg lane_2_m
{0xaa, 0xd0},
{0xab, 0x06},
{0xac, 0x68},
- {0xa1, 0x09},
+ {0xa1, 0x04},
{0xa2, 0x04},
{0xa3, 0xc8},
{0xa5, 0x04},
@@ -615,8 +615,8 @@ static const struct ov08d10_lane_cfg lan
static u32 ov08d10_get_format_code(struct ov08d10 *ov08d10)
{
static const u32 codes[2][2] = {
- { MEDIA_BUS_FMT_SGRBG10_1X10, MEDIA_BUS_FMT_SRGGB10_1X10},
- { MEDIA_BUS_FMT_SBGGR10_1X10, MEDIA_BUS_FMT_SGBRG10_1X10},
+ { MEDIA_BUS_FMT_SBGGR10_1X10, MEDIA_BUS_FMT_SGBRG10_1X10 },
+ { MEDIA_BUS_FMT_SGRBG10_1X10, MEDIA_BUS_FMT_SRGGB10_1X10 },
};
return codes[ov08d10->vflip->val][ov08d10->hflip->val];
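Review bot: the two rows of codes[2][2] are swapped so that the unflipped case now reports MEDIA_BUS_FMT_SBGGR10_1X10, but the table carries no comment on how it is indexed or why the order changed. A comment above it stating that the first index is vflip and the second hflip, and that the order follows from the one-line shift of the vertical start, would keep a later register-table change from silently invalidating it.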
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 398/969] media: omap3isp: drop the use count of v4l2 pipeline
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haoxiang Li, Sakari Ailus,
Mauro Carvalho Chehab
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
commit 9da49bd9d4224035cff39b40d7395310abb10201 upstream.
In isp_video_open(), drop the use count of v4l2
pipeline if vb2_queue_init() fails.
Fixes: 8fd390b89cc8 ("media: Split v4l2_pipeline_pm_use into v4l2_pipeline_pm_{get, put}")
Cc: stable@vger.kernel.org
Signed-off-by: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/ti/omap3isp/ispvideo.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/media/platform/ti/omap3isp/ispvideo.c
+++ b/drivers/media/platform/ti/omap3isp/ispvideo.c
@@ -1328,6 +1328,7 @@ static int isp_video_open(struct file *f
ret = vb2_queue_init(&handle->queue);
if (ret < 0) {
+ v4l2_pipeline_pm_put(&video->video.entity);
omap3isp_put(video->isp);
goto done;
}
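Review bot: the vb2_queue_init() failure branch now open-codes two releases, v4l2_pipeline_pm_put() followed by omap3isp_put(), before "goto done". Please confirm this is the reverse of the order in which the two references were taken earlier in isp_video_open(), and consider moving both calls behind unwind labels so that the next failure path added to this function cannot miss one of them again.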
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 399/969] spi: mtk-nor: fix controller deregistration
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chuanhong Guo, Johan Hovold,
Mark Brown
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 76336f24934621db286cabb20b483773ee01dcaa upstream.
Make sure to deregister the controller before disabling underlying
resources like clocks during driver unbind.
Fixes: 881d1ee9fe81 ("spi: add support for mediatek spi-nor controller")
Cc: stable@vger.kernel.org # 5.7
Cc: Chuanhong Guo <gch981213@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-3-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-mtk-nor.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/spi/spi-mtk-nor.c
+++ b/drivers/spi/spi-mtk-nor.c
@@ -900,7 +900,7 @@ static int mtk_nor_probe(struct platform
pm_runtime_enable(&pdev->dev);
pm_runtime_get_noresume(&pdev->dev);
- ret = devm_spi_register_controller(&pdev->dev, ctlr);
+ ret = spi_register_controller(ctlr);
if (ret < 0)
goto err_probe;
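Review bot: with devm_spi_register_controller() replaced by spi_register_controller(), nothing unregisters the controller automatically any more, so any probe failure after this call has to do it by hand. The hunk shows only the "goto err_probe" for a failed registration; please check that no later statement in mtk_nor_probe() can fail, or add an spi_unregister_controller() to that path.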
@@ -926,6 +926,8 @@ static int mtk_nor_remove(struct platfor
struct spi_controller *ctlr = dev_get_drvdata(&pdev->dev);
struct mtk_nor *sp = spi_controller_get_devdata(ctlr);
+ spi_unregister_controller(ctlr);
+
pm_runtime_disable(&pdev->dev);
pm_runtime_set_suspended(&pdev->dev);
pm_runtime_dont_use_autosuspend(&pdev->dev);
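Review bot: spi_unregister_controller() is placed ahead of pm_runtime_disable() in mtk_nor_remove(), which is the ordering the commit message asks for, but nothing in the code records the reason. A one-line comment that the controller must be deregistered before runtime PM and clocks are torn down would stop a later cleanup from moving the call back.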
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 400/969] spi: imx: fix runtime pm leak on probe deferral
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sascha Hauer, Johan Hovold,
Mark Brown
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit a1d50a37d3b1df84f536a982f692371039df4a48 upstream.
Make sure to balance the runtime PM usage count before returning on
probe failure (e.g. probe deferral) so that the controller can be
suspended when a driver is later bound.
Fixes: 43b6bf406cd0 ("spi: imx: fix runtime pm support for !CONFIG_PM")
Cc: stable@vger.kernel.org # 5.10
Cc: Sascha Hauer <s.hauer@pengutronix.de>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260421125632.1537235-1-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-imx.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/spi/spi-imx.c
+++ b/drivers/spi/spi-imx.c
@@ -1867,6 +1867,7 @@ out_register_controller:
out_runtime_pm_put:
pm_runtime_dont_use_autosuspend(spi_imx->dev);
pm_runtime_disable(spi_imx->dev);
+ pm_runtime_put_noidle(spi_imx->dev);
pm_runtime_set_suspended(&pdev->dev);
clk_disable_unprepare(spi_imx->clk_ipg);
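Review bot: in out_runtime_pm_put the new pm_runtime_put_noidle() takes spi_imx->dev, like the two calls above it, while pm_runtime_set_suspended() on the next line takes &pdev->dev. If both name the same device, use one spelling throughout the label so the sequence visibly operates on a single usage count.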
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 401/969] spi: orion: fix clock imbalance on registration failure
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Russell King, Johan Hovold,
Mark Brown
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 443cde0dc59c5d154156ac9f27a7dadef8ebc0c2 upstream.
Make sure that the controller is not runtime suspended before disabling
clocks on probe failure.
Also restore the autosuspend setting.
Fixes: 5c6786945b4e ("spi: spi-orion: add runtime PM support")
Cc: stable@vger.kernel.org # 3.17
Cc: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260421130211.1537628-3-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-orion.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/spi/spi-orion.c
+++ b/drivers/spi/spi-orion.c
@@ -780,6 +780,7 @@ static int orion_spi_probe(struct platfo
pm_runtime_set_active(&pdev->dev);
pm_runtime_use_autosuspend(&pdev->dev);
pm_runtime_set_autosuspend_delay(&pdev->dev, SPI_AUTOSUSPEND_TIMEOUT);
+ pm_runtime_get_noresume(&pdev->dev);
pm_runtime_enable(&pdev->dev);
status = orion_spi_reset(spi);
@@ -791,10 +792,15 @@ static int orion_spi_probe(struct platfo
if (status < 0)
goto out_rel_pm;
+ pm_runtime_put_autosuspend(&pdev->dev);
+
return status;
out_rel_pm:
pm_runtime_disable(&pdev->dev);
+ pm_runtime_put_noidle(&pdev->dev);
+ pm_runtime_set_suspended(&pdev->dev);
+ pm_runtime_dont_use_autosuspend(&pdev->dev);
out_rel_axi_clk:
clk_disable_unprepare(spi->axi_clk);
out_rel_clk:
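Review bot: on the success path, pm_runtime_put_autosuspend() is called with no pm_runtime_mark_last_busy() before it. If pm_runtime_put_autosuspend() in 6.1.y does not refresh the last-busy timestamp itself, the SPI_AUTOSUSPEND_TIMEOUT delay set earlier in probe will not apply to this first put; please check and add the mark_last_busy call if needed. In out_rel_pm, a comment that pm_runtime_put_noidle() balances the pm_runtime_get_noresume() added in probe would help, since the two sit in different hunks.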
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 402/969] spi: mpc52xx: fix use-after-free on unbind
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pei Xiao, Johan Hovold, Mark Brown
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 706b3dc2ac7a998c55e14b3fd2e8f934c367e6e0 upstream.
The state machine work is scheduled by the interrupt handler and
therefore needs to be cancelled after disabling interrupts to avoid a
potential use-after-free.
Fixes: 984836621aad ("spi: mpc52xx: Add cancel_work_sync before module remove")
Cc: stable@vger.kernel.org
Cc: Pei Xiao <xiaopei01@kylinos.cn>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260414134319.978196-5-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-mpc52xx.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/spi/spi-mpc52xx.c
+++ b/drivers/spi/spi-mpc52xx.c
@@ -519,10 +519,11 @@ static int mpc52xx_spi_remove(struct pla
struct mpc52xx_spi *ms = spi_master_get_devdata(master);
int i;
- cancel_work_sync(&ms->work);
free_irq(ms->irq0, ms);
free_irq(ms->irq1, ms);
+ cancel_work_sync(&ms->work);
+
for (i = 0; i < ms->gpio_cs_count; i++)
gpiod_put(ms->gpio_cs[i]);
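Review bot: cancel_work_sync(&ms->work) now follows both free_irq() calls, which is what the commit message requires, but the ordering constraint is not written down in mpc52xx_spi_remove(). Add a comment above the call that the interrupt handlers schedule ms->work, so the work can only be cancelled safely once both IRQs have been freed.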
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 403/969] drm/amdgpu: Add bounds checking to ib_{get,set}_value
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benjamin Cheng, Christian König,
Ruijing Dong, Alex Deucher
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin Cheng <benjamin.cheng@amd.com>
commit 66085e206431ef88ce36f53c1f53d570790ccc9e upstream.
The uvd/vce/vcn code accesses the IB at predefined offsets without
checking that the IB is large enough. Check the bounds here. The caller
is responsible for making sure it can handle arbitrary return values.
Also make the idx a uint32_t to prevent overflows causing the condition
to fail.
Signed-off-by: Benjamin Cheng <benjamin.cheng@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h
@@ -392,15 +392,18 @@ void amdgpu_debugfs_ring_init(struct amd
int amdgpu_ring_init_mqd(struct amdgpu_ring *ring);
-static inline u32 amdgpu_ib_get_value(struct amdgpu_ib *ib, int idx)
+static inline u32 amdgpu_ib_get_value(struct amdgpu_ib *ib, uint32_t idx)
{
- return ib->ptr[idx];
+ if (idx < ib->length_dw)
+ return ib->ptr[idx];
+ return 0;
}
-static inline void amdgpu_ib_set_value(struct amdgpu_ib *ib, int idx,
+static inline void amdgpu_ib_set_value(struct amdgpu_ib *ib, uint32_t idx,
uint32_t value)
{
- ib->ptr[idx] = value;
+ if (idx < ib->length_dw)
+ ib->ptr[idx] = value;
}
int amdgpu_ib_get(struct amdgpu_device *adev, struct amdgpu_vm *vm,
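Review bot: amdgpu_ib_get_value() now returns 0 for an out-of-range idx, which a caller cannot tell apart from a stored 0, and amdgpu_ib_set_value() drops the write with no indication. The commit message leaves the handling to the callers, so both helpers need a comment stating that contract (out-of-range reads return 0, out-of-range writes are ignored); without it, a caller that treats 0 as a valid value has no hint that it must range-check first.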
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 404/969] drm/amdgpu/vce: Prevent partial address patches
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Benjamin Cheng, Alex Deucher
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin Cheng <benjamin.cheng@amd.com>
commit de2a02cc28d6d5d37db07d00a9a684c754a5fd74 upstream.
In the case that only one of lo/hi is valid, the patching could result
in a bad address written to in FW.
Signed-off-by: Benjamin Cheng <benjamin.cheng@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c
@@ -658,6 +658,9 @@ static int amdgpu_vce_cs_reloc(struct am
uint64_t addr;
int r;
+ if (lo >= ib->length_dw || hi >= ib->length_dw)
+ return -EINVAL;
+
if (index == 0xffffffff)
index = 0;
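Review bot: the new check at the top of amdgpu_vce_cs_reloc() returns -EINVAL with no comment. A one-line comment that lo and hi are patched as a pair, so both must lie inside ib->length_dw, would explain why one valid index is not enough; that is the case the commit message describes, and the code should carry it too.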
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 405/969] drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benjamin Cheng, Christian König,
Ruijing Dong, Alex Deucher
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin Cheng <benjamin.cheng@amd.com>
commit 0a78f2bac1424deb7c9d5e09c6b8e849d8e8b648 upstream.
Check bounds against the end of the BO whenever we access the msg.
Signed-off-by: Benjamin Cheng <benjamin.cheng@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 21 ++++++++++++++++++---
1 file changed, 18 insertions(+), 3 deletions(-)
--- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
@@ -1612,7 +1612,7 @@ static int vcn_v4_0_dec_msg(struct amdgp
{
struct ttm_operation_ctx ctx = { false, false };
struct amdgpu_bo_va_mapping *map;
- uint32_t *msg, num_buffers;
+ uint32_t *msg, num_buffers, len_dw;
struct amdgpu_bo *bo;
uint64_t start, end;
unsigned int i;
@@ -1633,6 +1633,11 @@ static int vcn_v4_0_dec_msg(struct amdgp
return -EINVAL;
}
+ if (end - addr < 16) {
+ DRM_ERROR("VCN messages must be at least 4 DWORDs!\n");
+ return -EINVAL;
+ }
+
bo->flags |= AMDGPU_GEM_CREATE_CPU_ACCESS_REQUIRED;
amdgpu_bo_placement_from_domain(bo, bo->allowed_domains);
r = ttm_bo_validate(&bo->tbo, &bo->placement, &ctx);
@@ -1649,8 +1654,8 @@ static int vcn_v4_0_dec_msg(struct amdgp
msg = ptr + addr - start;
- /* Check length */
if (msg[1] > end - addr) {
+ DRM_ERROR("VCN message header does not fit in BO!\n");
r = -EINVAL;
goto out;
}
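Review bot: the added DRM_ERROR text says the "header" does not fit, but the condition compares msg[1], the length the message claims for itself, against the space left in the BO; wording such as "VCN message length exceeds BO" would match the check. These prints fire on values read out of the message buffer, which the submitter controls, so a rate-limited or debug-level print would keep the kernel log usable. The removed "/* Check length */" comment was still accurate and could stay.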
@@ -1658,7 +1663,16 @@ static int vcn_v4_0_dec_msg(struct amdgp
if (msg[3] != RDECODE_MSG_CREATE)
goto out;
+ len_dw = msg[1] / 4;
num_buffers = msg[2];
+
+ /* Verify that all indices fit within the claimed length. Each index is 4 DWORDs */
+ if (num_buffers > len_dw || 6 + num_buffers * 4 > len_dw) {
+ DRM_ERROR("VCN message has too many buffers!\n");
+ r = -EINVAL;
+ goto out;
+ }
+
for (i = 0, msg = &msg[6]; i < num_buffers; ++i, msg += 4) {
uint32_t offset, size, *create;
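Review bot: the second clause, 6 + num_buffers * 4 > len_dw, is evaluated in 32-bit unsigned arithmetic, where the product and the + 6 can wrap for very large num_buffers; the first clause narrows that, but the combined condition is hard to audit. Writing it as a subtraction, len_dw < 6 || num_buffers > (len_dw - 6) / 4, needs no wrap reasoning and makes the first clause unnecessary. The literals 6 and 4 would also read better as named constants for the first buffer entry and the entry size.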
@@ -1668,7 +1682,8 @@ static int vcn_v4_0_dec_msg(struct amdgp
offset = msg[1];
size = msg[2];
- if (offset + size > end) {
+ if (size < 4 || offset + size > end - addr) {
+ DRM_ERROR("VCN message buffer exceeds BO bounds!\n");
r = -EINVAL;
goto out;
}
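Review bot: offset and size are both uint32_t, so offset + size is computed in 32 bits and can wrap before it is compared with the 64-bit end - addr. Compare without the addition, for example offset > end - addr || size > end - addr - offset, or widen one operand to uint64_t first. The literal 4 in size < 4 has no explanation; a comment or sizeof(uint32_t) naming the read it protects would help.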
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 406/969] drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benjamin Cheng, Christian König,
Ruijing Dong, Alex Deucher
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin Cheng <benjamin.cheng@amd.com>
commit b193019860d61e92da395eae2011f2f6716b182f upstream.
Check bounds against the end of the BO whenever we access the msg.
Signed-off-by: Benjamin Cheng <benjamin.cheng@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 23 +++++++++++++++++++----
1 file changed, 19 insertions(+), 4 deletions(-)
--- a/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c
@@ -1781,7 +1781,7 @@ static int vcn_v3_0_dec_msg(struct amdgp
{
struct ttm_operation_ctx ctx = { false, false };
struct amdgpu_bo_va_mapping *map;
- uint32_t *msg, num_buffers;
+ uint32_t *msg, num_buffers, len_dw;
struct amdgpu_bo *bo;
uint64_t start, end;
unsigned int i;
@@ -1802,6 +1802,11 @@ static int vcn_v3_0_dec_msg(struct amdgp
return -EINVAL;
}
+ if (end - addr < 16) {
+ DRM_ERROR("VCN messages must be at least 4 DWORDs!\n");
+ return -EINVAL;
+ }
+
bo->flags |= AMDGPU_GEM_CREATE_CPU_ACCESS_REQUIRED;
amdgpu_bo_placement_from_domain(bo, bo->allowed_domains);
r = ttm_bo_validate(&bo->tbo, &bo->placement, &ctx);
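Review bot: the literal 16 in end - addr < 16 is explained only by the error string ("at least 4 DWORDs"); 4 * sizeof(uint32_t), with a comment that the header words up to msg[3] are read below, would tie the bound to the accesses it protects. The subtraction also assumes addr <= end; if the mapping lookup above guarantees that, a comment should say so.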
@@ -1818,8 +1823,8 @@ static int vcn_v3_0_dec_msg(struct amdgp
msg = ptr + addr - start;
- /* Check length */
if (msg[1] > end - addr) {
+ DRM_ERROR("VCN message header does not fit in BO!\n");
r = -EINVAL;
goto out;
}
@@ -1827,7 +1832,16 @@ static int vcn_v3_0_dec_msg(struct amdgp
if (msg[3] != RDECODE_MSG_CREATE)
goto out;
+ len_dw = msg[1] / 4;
num_buffers = msg[2];
+
+ /* Verify that all indices fit within the claimed length. Each index is 4 DWORDs */
+ if (num_buffers > len_dw || 6 + num_buffers * 4 > len_dw) {
+ DRM_ERROR("VCN message has too many buffers!\n");
+ r = -EINVAL;
+ goto out;
+ }
+
for (i = 0, msg = &msg[6]; i < num_buffers; ++i, msg += 4) {
uint32_t offset, size, *create;
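Review bot: this validation block is identical to the one added to vcn_v4_0_dec_msg() in patch 405 of this series, down to the error strings. A shared helper that takes msg and end - addr and returns the checked num_buffers would keep the two copies from drifting when one of them is fixed later, and the literals 6 and 4 would then need naming only once.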
@@ -1837,14 +1851,15 @@ static int vcn_v3_0_dec_msg(struct amdgp
offset = msg[1];
size = msg[2];
- if (offset + size > end) {
+ if (size < 4 || offset + size > end - addr) {
+ DRM_ERROR("VCN message buffer exceeds BO bounds!\n");
r = -EINVAL;
goto out;
}
create = ptr + addr + offset - start;
- /* H246, HEVC and VP9 can run on any instance */
+ /* H264, HEVC and VP9 can run on any instance */
if (create[0] == 0x7 || create[0] == 0x10 || create[0] == 0x11)
continue;
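Review bot: the comment fix from "H246" to "H264" is unrelated to the bounds checks and would normally be its own patch, though it is harmless here. The codec values 0x7, 0x10 and 0x11 on the following line are still bare numbers; named constants would make the comment unnecessary.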
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 407/969] drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thomas Zimmermann, Ashutosh Desai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ashutosh Desai <ashutoshdesai993@gmail.com>
commit 3d4c2268bd7243c3780fe32bf24ff876da272acf upstream.
drm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions
using plain integer division:
unsigned int width = mode_cmd->width / (i ? info->hsub : 1);
unsigned int height = mode_cmd->height / (i ? info->vsub : 1);
However, the ioctl-level framebuffer_check() in drm_framebuffer.c uses
drm_format_info_plane_width/height() which round up dimensions via
DIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object
size check for certain pixel format and dimension combinations.
For example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the
GEM size validation path sees height=0 instead of height=1. The
expression (height - 1) then wraps to UINT_MAX as an unsigned int,
causing min_size to overflow and wrap back to a small value. A tiny
GEM object therefore passes the size guard, yet when the GPU accesses
the chroma plane it will read or write memory beyond the object's
bounds.
Fix by replacing the open-coded divisions with drm_format_info_plane_width()
and drm_format_info_plane_height(), which use DIV_ROUND_UP() and match
the calculation already used in framebuffer_check().
Fixes: 4c3dbb2c312c ("drm: Add GEM backed framebuffer library")
Cc: stable@vger.kernel.org # v4.14+
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Signed-off-by: Ashutosh Desai <ashutoshdesai993@gmail.com>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patch.msgid.link/20260420013637.457751-1-ashutoshdesai993@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/drm_gem_framebuffer_helper.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/drm_gem_framebuffer_helper.c
+++ b/drivers/gpu/drm/drm_gem_framebuffer_helper.c
@@ -166,8 +166,8 @@ int drm_gem_fb_init_with_funcs(struct dr
}
for (i = 0; i < info->num_planes; i++) {
- unsigned int width = mode_cmd->width / (i ? info->hsub : 1);
- unsigned int height = mode_cmd->height / (i ? info->vsub : 1);
+ unsigned int width = drm_format_info_plane_width(info, mode_cmd->width, i);
+ unsigned int height = drm_format_info_plane_height(info, mode_cmd->height, i);
unsigned int min_size;
objs[i] = drm_gem_object_lookup(file, mode_cmd->handles[i]);
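The arithmetic described in the commit message above, worked through as an added example (not code from the patch or the kernel tree). The size expression is an assumed form built around the `(height - 1)` term the message quotes, and the NV12 byte sizes, pitch and object size are constructed values; it also goes one step past the message's 1-pixel case to show that every odd height under-counts by one row.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Same rounding as the kernel's DIV_ROUND_UP(). */
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* Constructed stand-in for the format fields the size check uses. */
struct plane_format {
	uint32_t hsub;              /* horizontal chroma subsampling */
	uint32_t vsub;              /* vertical chroma subsampling */
	uint32_t bytes_per_unit[2]; /* per plane: Y sample, CbCr pair */
};

static const struct plane_format NV12 = {
	.hsub = 2, .vsub = 2, .bytes_per_unit = { 1, 2 },
};

typedef uint32_t (*dim_fn)(uint32_t dim, uint32_t sub, unsigned int plane);

/* Before the fix: open-coded truncating division. */
static uint32_t dim_truncating(uint32_t dim, uint32_t sub, unsigned int plane)
{
	return dim / (plane ? sub : 1);
}

/* After the fix: sub-sampled planes round up. */
static uint32_t dim_rounding_up(uint32_t dim, uint32_t sub, unsigned int plane)
{
	return plane ? DIV_ROUND_UP(dim, sub) : dim;
}

/*
 * Assumed form of the guard: offset of the last row plus one row of data.
 * uint32_t mirrors the kernel's unsigned int, so height == 0 wraps.
 */
static uint32_t plane_min_size(dim_fn dim, const struct plane_format *fmt,
			       uint32_t fb_width, uint32_t fb_height,
			       unsigned int plane, uint32_t pitch)
{
	uint32_t width = dim(fb_width, fmt->hsub, plane);
	uint32_t height = dim(fb_height, fmt->vsub, plane);

	return (height - 1) * pitch + width * fmt->bytes_per_unit[plane];
}

/* True when an object of obj_size bytes would pass the guard. */
static bool object_accepted(dim_fn dim, const struct plane_format *fmt,
			    uint32_t fb_width, uint32_t fb_height,
			    unsigned int plane, uint32_t pitch, uint32_t obj_size)
{
	return obj_size >= plane_min_size(dim, fmt, fb_width, fb_height, plane, pitch);
}

int main(void)
{
	/* Constructed case: 8192-wide NV12, chroma pitch 8192 bytes, 4096-byte object. */
	const uint32_t w = 8192, pitch = 8192, obj = 4096;
	const uint32_t heights[] = { 1, 2, 3 };

	for (unsigned int i = 0; i < 3; i++) {
		uint32_t h = heights[i];

		printf("height %u: truncating min_size=%u accepted=%d | "
		       "rounding min_size=%u accepted=%d\n",
		       (unsigned int)h,
		       (unsigned int)plane_min_size(dim_truncating, &NV12, w, h, 1, pitch),
		       object_accepted(dim_truncating, &NV12, w, h, 1, pitch, obj),
		       (unsigned int)plane_min_size(dim_rounding_up, &NV12, w, h, 1, pitch),
		       object_accepted(dim_rounding_up, &NV12, w, h, 1, pitch, obj));
	}
	return 0;
}
```

With the truncating helper the 1-pixel-tall chroma plane needs "0 bytes", so any object passes; with the rounding helper the same plane needs one full row.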
* [PATCH 6.1 408/969] drm/amdkfd: validate SVM ioctl nattr against buffer size
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Amir Shetaia, Alysa Liu,
Alex Deucher
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alysa Liu <Alysa.Liu@amd.com>
commit 045e0ff208f0838a246c10204105126611b267a1 upstream.
Validate nattr field against the buffer size, preventing
out-of-bounds buffer access via user-controlled attribute count.
Reviewed-by: Amir Shetaia <Amir.Shetaia@amd.com>
Signed-off-by: Alysa Liu <Alysa.Liu@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 5eca8bfdfa456c3304ca77523718fe24254c172f)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 26 ++++++++++++++++++++++++--
drivers/gpu/drm/amd/amdkfd/kfd_priv.h | 3 +++
2 files changed, 27 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
@@ -26,6 +26,7 @@
#include <linux/err.h>
#include <linux/fs.h>
#include <linux/file.h>
+#include <linux/overflow.h>
#include <linux/sched.h>
#include <linux/slab.h>
#include <linux/uaccess.h>
@@ -1614,6 +1615,16 @@ static int kfd_ioctl_smi_events(struct f
return kfd_smi_event_open(pdd->dev, &args->anon_fd);
}
+static int kfd_ioctl_svm_validate(void *kdata, unsigned int usize)
+{
+ struct kfd_ioctl_svm_args *args = kdata;
+ size_t expected = struct_size(args, attrs, args->nattr);
+
+ if (expected == SIZE_MAX || usize < expected)
+ return -EINVAL;
+ return 0;
+}
+
#if IS_ENABLED(CONFIG_HSA_AMD_SVM)
static int kfd_ioctl_set_xnack_mode(struct file *filep,
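Review bot: kfd_ioctl_svm_validate() dereferences args->nattr before usize has been compared with anything, so it depends on the caller always handing it a kdata buffer that covers the fixed part of struct kfd_ioctl_svm_args. Either reject `usize < sizeof(*args)` first or add a comment naming where that guarantee comes from. The `expected == SIZE_MAX` test also leans on struct_size() saturating on overflow, which deserves a short comment for the next reader.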
@@ -2672,7 +2683,11 @@ static int kfd_ioctl_criu(struct file *f
#define AMDKFD_IOCTL_DEF(ioctl, _func, _flags) \
[_IOC_NR(ioctl)] = {.cmd = ioctl, .func = _func, .flags = _flags, \
- .cmd_drv = 0, .name = #ioctl}
+ .validate = NULL, .cmd_drv = 0, .name = #ioctl}
+
+#define AMDKFD_IOCTL_DEF_V(ioctl, _func, _validate, _flags) \
+ [_IOC_NR(ioctl)] = {.cmd = ioctl, .func = _func, .flags = _flags, \
+ .validate = _validate, .cmd_drv = 0, .name = #ioctl}
/** Ioctl table */
static const struct amdkfd_ioctl_desc amdkfd_ioctls[] = {
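Review bot: the two macro bodies are now identical apart from the .validate initializer, and the explicit `.validate = NULL` in AMDKFD_IOCTL_DEF is redundant because a designated initializer already zeroes the members it does not name. Defining AMDKFD_IOCTL_DEF(ioctl, _func, _flags) as AMDKFD_IOCTL_DEF_V(ioctl, _func, NULL, _flags) would keep a single copy of the table entry layout.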
@@ -2769,7 +2784,8 @@ static const struct amdkfd_ioctl_desc am
AMDKFD_IOCTL_DEF(AMDKFD_IOC_SMI_EVENTS,
kfd_ioctl_smi_events, 0),
- AMDKFD_IOCTL_DEF(AMDKFD_IOC_SVM, kfd_ioctl_svm, 0),
+ AMDKFD_IOCTL_DEF_V(AMDKFD_IOC_SVM, kfd_ioctl_svm,
+ kfd_ioctl_svm_validate, 0),
AMDKFD_IOCTL_DEF(AMDKFD_IOC_SET_XNACK_MODE,
kfd_ioctl_set_xnack_mode, 0),
@@ -2882,6 +2898,12 @@ static long kfd_ioctl(struct file *filep
memset(kdata, 0, usize);
}
+ if (ioctl->validate) {
+ retcode = ioctl->validate(kdata, usize);
+ if (retcode)
+ goto err_i1;
+ }
+
retcode = func(filep, process, kdata);
if (cmd & IOC_OUT)
--- a/drivers/gpu/drm/amd/amdkfd/kfd_priv.h
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_priv.h
@@ -924,10 +924,13 @@ extern struct srcu_struct kfd_processes_
typedef int amdkfd_ioctl_t(struct file *filep, struct kfd_process *p,
void *data);
+typedef int amdkfd_ioctl_validate_t(void *kdata, unsigned int usize);
+
struct amdkfd_ioctl_desc {
unsigned int cmd;
int flags;
amdkfd_ioctl_t *func;
+ amdkfd_ioctl_validate_t *validate;
unsigned int cmd_drv;
const char *name;
};
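Review bot: amdkfd_ioctl_validate_t and the new .validate member are added without any documentation. A comment should say what kdata points to, which size usize is, and that a non-zero return makes kfd_ioctl() skip .func, as the kfd_chardev.c hunk does.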
* [PATCH 6.1 409/969] drm/radeon: add missing revision check for CI
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Kent Russell,
Alex Deucher
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
commit 17223816498f7b117d138d18eb0eba63604dc74e upstream.
The memory level workarounds only apply to revision 0 SKUs.
Link: https://gitlab.freedesktop.org/drm/amd/-/work_items/1816
Fixes: 127e056e2a82 ("drm/radeon: fix mclk vddc configuration for cards for hawaii")
Fixes: 21b8a369046f ("drm/radeon: fix dram timing for certain hawaii boards")
Fixes: 90b2fee35cb9 ("drm/radeon: fix dpm mc init for certain hawaii boards")
Reviewed-by: Timur Kristóf <timur.kristof@gmail.com>
Reviewed-by: Kent Russell <kent.russell@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 4d8dcc14311515077062b5740f39f427075de5c9)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/radeon/ci_dpm.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/drivers/gpu/drm/radeon/ci_dpm.c
+++ b/drivers/gpu/drm/radeon/ci_dpm.c
@@ -2466,7 +2466,8 @@ static void ci_register_patching_mc_arb(
if (patch &&
((rdev->pdev->device == 0x67B0) ||
- (rdev->pdev->device == 0x67B1))) {
+ (rdev->pdev->device == 0x67B1)) &&
+ (rdev->pdev->revision == 0)) {
if ((memory_clock > 100000) && (memory_clock <= 125000)) {
tmp2 = (((0x31 * engine_clock) / 125000) - 1) & 0xff;
*dram_timimg2 &= ~0x00ff0000;
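Review bot: the test for device 0x67B0 or 0x67B1 combined with `revision == 0` is now open-coded three times in this file, here and in ci_populate_all_memory_levels() and ci_register_patching_mc_seq(). A small static helper taking rdev would keep the three sites in step and give the two device IDs a name.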
@@ -3307,7 +3308,8 @@ static int ci_populate_all_memory_levels
pi->smc_state_table.MemoryLevel[0].EnabledForActivity = 1;
if ((dpm_table->mclk_table.count >= 2) &&
- ((rdev->pdev->device == 0x67B0) || (rdev->pdev->device == 0x67B1))) {
+ ((rdev->pdev->device == 0x67B0) || (rdev->pdev->device == 0x67B1)) &&
+ (rdev->pdev->revision == 0)) {
pi->smc_state_table.MemoryLevel[1].MinVddc =
pi->smc_state_table.MemoryLevel[0].MinVddc;
pi->smc_state_table.MemoryLevel[1].MinVddcPhases =
@@ -4504,7 +4506,8 @@ static int ci_register_patching_mc_seq(s
if (patch &&
((rdev->pdev->device == 0x67B0) ||
- (rdev->pdev->device == 0x67B1))) {
+ (rdev->pdev->device == 0x67B1)) &&
+ (rdev->pdev->revision == 0)) {
for (i = 0; i < table->last; i++) {
if (table->last >= SMU7_DISCRETE_MC_REGISTER_ARRAY_SIZE)
return -EINVAL;
* [PATCH 6.1 410/969] drm/amdgpu: zero-initialize GART table on allocation
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Felix Kuehling, Philip Yang,
Christian König, Alex Deucher
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Philip Yang <Philip.Yang@amd.com>
commit e6c2e6c2e1fa066968a16aca1cb66cd1bdde7741 upstream.
GART TLB is flushed after unmapping but not after mapping. Since
amdgpu_bo_create_kernel() does not zero-initialize the buffer, when a
single PTE is written the TLB may speculatively load other uninitialized
entries from the same cacheline. Those garbage entries can appear valid,
and a subsequent write to another PTE in the same cacheline may cause the
GPU to use a stale garbage PTE from the TLB.
Fix this by calling memset_io() to zero-initialize the GART table with
gart_pte_flags immediately after allocation.
Using AMDGPU_GEM_CREATE_VRAM_CLEARED, SDMA-based clear will not work
since SDMA needs GART to be initialized to work.
Suggested-by: Felix Kuehling <felix.kuehling@amd.com>
Signed-off-by: Philip Yang <Philip.Yang@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit d9af8263b82b6eaa60c5718e0c6631c5037e4b24)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c
@@ -114,12 +114,19 @@ void amdgpu_gart_dummy_page_fini(struct
*/
int amdgpu_gart_table_vram_alloc(struct amdgpu_device *adev)
{
+ int r;
+
if (adev->gart.bo != NULL)
return 0;
- return amdgpu_bo_create_kernel(adev, adev->gart.table_size, PAGE_SIZE,
- AMDGPU_GEM_DOMAIN_VRAM, &adev->gart.bo,
- NULL, (void *)&adev->gart.ptr);
+ r = amdgpu_bo_create_kernel(adev, adev->gart.table_size, PAGE_SIZE,
+ AMDGPU_GEM_DOMAIN_VRAM, &adev->gart.bo,
+ NULL, (void *)&adev->gart.ptr);
+ if (r)
+ return r;
+
+ memset_io(adev->gart.ptr, adev->gart.gart_pte_flags, adev->gart.table_size);
+ return 0;
}
/**
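Review bot: memset_io() fills bytes, so passing adev->gart.gart_pte_flags as the value stores only its low 8 bits in every byte of the table rather than writing that flag word into each PTE. If the intent is an all-zero table, as the subject says, pass 0; if every entry should carry gart_pte_flags, a per-entry write is needed. A comment next to the call saying which of the two is meant would settle it.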
* [PATCH 6.1 411/969] drm/amdgpu/gfx9: drop unnecessary 64-bit fence flag check in KIQ
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian König, John B. Moore,
Alex Deucher
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: John B. Moore <jbmoore61@gmail.com>
commit 7bbfb2559bcec39d1a4e1182d931a2046112c352 upstream.
Remove the BUG_ON(flags & AMDGPU_FENCE_FLAG_64BIT) assertion from
gfx_v9_0_ring_emit_fence_kiq(). The KIQ hardware supports 64-bit
fence writes; the 32-bit writeback address constraint is an
upper-layer convention, not a hardware limitation. The check serves
no purpose and should not be present.
Found by code inspection while investigating related BUG_ON
assertions in the GFX and compute ring emission paths.
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: John B. Moore <jbmoore61@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 1b1101a46a426bb4328116bb5273c326a2780389)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 3 ---
1 file changed, 3 deletions(-)
--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
@@ -5316,9 +5316,6 @@ static void gfx_v9_0_ring_emit_fence_kiq
{
struct amdgpu_device *adev = ring->adev;
- /* we only allocate 32bit for each seq wb address */
- BUG_ON(flags & AMDGPU_FENCE_FLAG_64BIT);
-
/* write fence seq to the "addr" */
amdgpu_ring_write(ring, PACKET3(PACKET3_WRITE_DATA, 3));
amdgpu_ring_write(ring, (WRITE_DATA_ENGINE_SEL(0) |
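Review bot: deleting the BUG_ON also deletes the only comment in this function about AMDGPU_FENCE_FLAG_64BIT, and the remaining visible lines do not show how the flag is treated. A one-line comment stating whether the KIQ path honours or ignores the flag would replace what the removed comment used to tell the reader.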
* [PATCH 6.1 412/969] drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian König, John B. Moore,
Alex Deucher
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: John B. Moore <jbmoore61@gmail.com>
commit 78d2e624fa073c14970aa097adcf3ea31c157a66 upstream.
sdma_v4_0_ring_emit_fence() contains two BUG_ON(addr & 0x3) assertions
that verify fence writeback addresses are dword-aligned. These
assertions can be reached from unprivileged userspace via crafted
DRM_IOCTL_AMDGPU_CS submissions, causing a fatal kernel panic in a
scheduler worker thread.
Replace both BUG_ON() calls with WARN_ON() to log the condition without
crashing the kernel. A misaligned fence address at this point indicates
a driver bug, but crashing the kernel is never the correct response when
the assertion is reachable from userspace.
The CS IOCTL path is the correct place to filter invalid submissions;
the ring emission callback is too late to do anything about it.
Fixes: 2130f89ced2c ("drm/amdgpu: add SDMA v4.0 implementation (v2)")
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: John B. Moore <jbmoore61@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit b90250bd933afd1ba94d86d6b13821997b22b18e)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c
@@ -884,7 +884,7 @@ static void sdma_v4_0_ring_emit_fence(st
/* write the fence */
amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_FENCE));
/* zero in first two bits */
- BUG_ON(addr & 0x3);
+ WARN_ON(addr & 0x3);
amdgpu_ring_write(ring, lower_32_bits(addr));
amdgpu_ring_write(ring, upper_32_bits(addr));
amdgpu_ring_write(ring, lower_32_bits(seq));
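Review bot: after WARN_ON(addr & 0x3) fires, the next two lines still write lower_32_bits(addr) and upper_32_bits(addr) to the ring, so the misaligned address is emitted anyway. Since the commit message says the condition is reachable from userspace, WARN_ON_ONCE() would avoid a backtrace per submission (and any WARN still panics under panic_on_warn); the actual rejection belongs in the CS ioctl path the message mentions.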
@@ -894,7 +894,7 @@ static void sdma_v4_0_ring_emit_fence(st
addr += 4;
amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_FENCE));
/* zero in first two bits */
- BUG_ON(addr & 0x3);
+ WARN_ON(addr & 0x3);
amdgpu_ring_write(ring, lower_32_bits(addr));
amdgpu_ring_write(ring, upper_32_bits(addr));
amdgpu_ring_write(ring, upper_32_bits(seq));
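Review bot: this second check follows `addr += 4`, which leaves the low two bits of addr unchanged, so it can only fire when the first WARN_ON in this function has already fired. It can be dropped, or at least made WARN_ON_ONCE() so that one bad submission does not log two backtraces.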
* [PATCH 6.1 413/969] drm/amdgpu/pm: add missing revision check for CI
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Kent Russell,
Alex Deucher
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
commit 2a561b361b7681509710f3cfc3d95d54c87ac69f upstream.
The ci_populate_all_memory_levels() workaround only
applies to revision 0 SKUs.
Link: https://gitlab.freedesktop.org/drm/amd/-/work_items/1816
Fixes: 9f4b35411cfe ("drm/amd/powerplay: add CI asics support to smumgr (v3)")
Reviewed-by: Timur Kristóf <timur.kristof@gmail.com>
Reviewed-by: Kent Russell <kent.russell@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 1db15ba8f72f400bbad8ae0ce24fafc43429d4bd)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
@@ -1327,8 +1327,9 @@ static int ci_populate_all_memory_levels
dev_id = adev->pdev->device;
- if ((dpm_table->mclk_table.count >= 2)
- && ((dev_id == 0x67B0) || (dev_id == 0x67B1))) {
+ if ((dpm_table->mclk_table.count >= 2) &&
+ ((dev_id == 0x67B0) || (dev_id == 0x67B1)) &&
+ (adev->pdev->revision == 0)) {
smu_data->smc_state_table.MemoryLevel[1].MinVddci =
smu_data->smc_state_table.MemoryLevel[0].MinVddci;
smu_data->smc_state_table.MemoryLevel[1].MinMvdd =
* [PATCH 6.1 414/969] drm/amdgpu/pm: align Hawaii mclk workaround with radeon
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Kent Russell,
Alex Deucher
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
commit 1987c79b4fe5789dfa14423e78b5c25f6acf3e9d upstream.
Align the hawaii mclk workaround with radeon and windows.
Link: https://gitlab.freedesktop.org/drm/amd/-/work_items/1816
Fixes: 9f4b35411cfe ("drm/amd/powerplay: add CI asics support to smumgr (v3)")
Reviewed-by: Timur Kristóf <timur.kristof@gmail.com>
Reviewed-by: Kent Russell <kent.russell@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 9649528b637f668c5af9f2b83ca4ad8576ae2121)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
@@ -1330,10 +1330,10 @@ static int ci_populate_all_memory_levels
if ((dpm_table->mclk_table.count >= 2) &&
((dev_id == 0x67B0) || (dev_id == 0x67B1)) &&
(adev->pdev->revision == 0)) {
- smu_data->smc_state_table.MemoryLevel[1].MinVddci =
- smu_data->smc_state_table.MemoryLevel[0].MinVddci;
- smu_data->smc_state_table.MemoryLevel[1].MinMvdd =
- smu_data->smc_state_table.MemoryLevel[0].MinMvdd;
+ smu_data->smc_state_table.MemoryLevel[1].MinVddc =
+ smu_data->smc_state_table.MemoryLevel[0].MinVddc;
+ smu_data->smc_state_table.MemoryLevel[1].MinVddcPhases =
+ smu_data->smc_state_table.MemoryLevel[0].MinVddcPhases;
}
smu_data->smc_state_table.MemoryLevel[0].ActivityLevel = 0x1F;
CONVERT_FROM_HOST_TO_SMC_US(smu_data->smc_state_table.MemoryLevel[0].ActivityLevel);
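Review bot: the block now copies MinVddc and MinVddcPhases from MemoryLevel[0] to MemoryLevel[1] but carries no comment saying why, or that it is meant to mirror the radeon ci_dpm.c workaround. A short comment naming the radeon counterpart would help keep the two copies aligned, which is the stated purpose of the change.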
* [PATCH 6.1 415/969] sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL
From: Greg Kroah-Hartman @ 2026-05-30 15:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ben Morris, Xin Long, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ben Morris <bmorris@anthropic.com>
commit abb5f36771cc4c05899b34000829a787572a8817 upstream.
The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with
list_for_each_entry_safe(), which caches the next entry in @tmp before
the loop body runs. The body calls sctp_sendmsg_to_asoc(), which may
drop the socket lock inside sctp_wait_for_sndbuf().
While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the
association cached in @tmp, migrating it to a new endpoint via
sctp_sock_migrate() (list_del_init() + list_add_tail() to
newep->asocs), and optionally close the new socket which frees the
association via kfree_rcu(). The cached @tmp can also be freed by a
network ABORT for that association, processed in softirq while the
lock is dropped.
sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock
via the "sk != asoc->base.sk" and "asoc->base.dead" checks, but nothing
revalidates @tmp. After a successful return, the iterator advances to
the stale @tmp, yielding either a use-after-free (if the peeled socket
was closed) or a list-walk onto the new endpoint's list head (type
confusion of &newep->asocs as a struct sctp_association *).
Both are reachable from CapEff=0; the type-confusion path gives
controlled indirect call via the outqueue.sched->init_sid pointer.
Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc()
returns. @asoc is known to still be on ep->asocs at that point: the
only callers that list_del an association from ep->asocs are
sctp_association_free() (which sets asoc->base.dead) and
sctp_assoc_migrate() (which changes asoc->base.sk), and
sctp_wait_for_sndbuf() checks both under the lock before any
successful return; a tripped check propagates as err < 0 and the loop
bails before the re-derive.
The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the
loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so
the @tmp cached by list_for_each_entry_safe() still covers the
lock-held free that ba59fb027307 ("sctp: walk the list of asoc
safely") was added for.
Fixes: 4910280503f3 ("sctp: add support for snd flag SCTP_SENDALL process in sendmsg")
Cc: stable@vger.kernel.org
Signed-off-by: Ben Morris <bmorris@anthropic.com>
Acked-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/20260508001455.3137-1-joycathacker@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sctp/socket.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -1984,6 +1984,15 @@ static int sctp_sendmsg(struct sock *sk,
goto out_unlock;
iov_iter_revert(&msg->msg_iter, err);
+
+ /* sctp_sendmsg_to_asoc() may have released the socket
+ * lock (sctp_wait_for_sndbuf), during which other
+ * associations on ep->asocs could have been peeled
+ * off or freed. @asoc itself is revalidated by the
+ * base.dead and base.sk checks in sctp_wait_for_sndbuf,
+ * so re-derive the cached cursor from it.
+ */
+ tmp = list_next_entry(asoc, asocs);
}
goto out_unlock;
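Review bot: the re-derive is only safe if every path in sctp_sendmsg_to_asoc() that can release the socket lock revalidates @asoc before a successful return, and the new comment names sctp_wait_for_sndbuf as the only one. If any other sleeping path exists, list_next_entry(asoc, asocs) would read from an entry that is no longer on ep->asocs; either state in the comment that the sndbuf wait is the sole lock drop, or test asoc->base.dead and asoc->base.sk here before taking the next entry.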
* [PATCH 6.1 416/969] batman-adv: fix integer overflow on buff_pos
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lyes Bourennani, Alexis Pinson,
Sven Eckelmann
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lyes Bourennani <lbourennani@fuzzinglabs.com>
commit 0799e5943611006b346b8813c7daf7dd5aa26bfd upstream.
Fixing an integer overflow present in batadv_iv_ogm_send_to_if. The size
check is done using the int type in batadv_iv_ogm_aggr_packet whereas the
buff_pos variable uses the s16 type. This could lead to an out-of-bound
read.
Cc: stable@vger.kernel.org
Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
Signed-off-by: Lyes Bourennani <lbourennani@fuzzinglabs.com>
Signed-off-by: Alexis Pinson <apinson@fuzzinglabs.com>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/bat_iv_ogm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/batman-adv/bat_iv_ogm.c
+++ b/net/batman-adv/bat_iv_ogm.c
@@ -335,7 +335,7 @@ static void batadv_iv_ogm_send_to_if(str
struct batadv_priv *bat_priv = netdev_priv(hard_iface->soft_iface);
const char *fwd_str;
u8 packet_num;
- s16 buff_pos;
+ int buff_pos;
struct batadv_ogm_packet *batadv_ogm_packet;
struct sk_buff *skb;
u8 *packet_pos;
* [PATCH 6.1 417/969] batman-adv: reject new tp_meter sessions during teardown
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
Juefei Pu, Xin Liu, Luxing Yin, Jiexun Wang, Ren Wei,
Sven Eckelmann
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiexun Wang <wangjiexun2025@gmail.com>
commit 3243543592425beec83d453793e9d27caa0d8e66 upstream.
Prevent tp_meter from starting new sender or receiver sessions after
mesh_state has left BATADV_MESH_ACTIVE.
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Co-developed-by: Luxing Yin <tr0jan@lzu.edu.cn>
Signed-off-by: Luxing Yin <tr0jan@lzu.edu.cn>
Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/tp_meter.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -947,6 +947,13 @@ void batadv_tp_start(struct batadv_priv
/* look for an already existing test towards this node */
spin_lock_bh(&bat_priv->tp_list_lock);
+ if (atomic_read(&bat_priv->mesh_state) != BATADV_MESH_ACTIVE) {
+ spin_unlock_bh(&bat_priv->tp_list_lock);
+ batadv_tp_batctl_error_notify(BATADV_TP_REASON_DST_UNREACHABLE,
+ dst, bat_priv, session_cookie);
+ return;
+ }
+
tp_vars = batadv_tp_list_find(bat_priv, dst);
if (tp_vars) {
spin_unlock_bh(&bat_priv->tp_list_lock);
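Review bot: a teardown in progress is reported to userspace as BATADV_TP_REASON_DST_UNREACHABLE, which misstates why the session was refused. If no better reason code is available, add a comment at the call saying the code is reused on purpose.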
@@ -1329,9 +1336,12 @@ static struct batadv_tp_vars *
batadv_tp_init_recv(struct batadv_priv *bat_priv,
const struct batadv_icmp_tp_packet *icmp)
{
- struct batadv_tp_vars *tp_vars;
+ struct batadv_tp_vars *tp_vars = NULL;
spin_lock_bh(&bat_priv->tp_list_lock);
+ if (atomic_read(&bat_priv->mesh_state) != BATADV_MESH_ACTIVE)
+ goto out_unlock;
+
tp_vars = batadv_tp_list_find_session(bat_priv, icmp->orig,
icmp->session);
if (tp_vars)
@@ -1464,6 +1474,9 @@ void batadv_tp_meter_recv(struct batadv_
{
struct batadv_icmp_tp_packet *icmp;
+ if (atomic_read(&bat_priv->mesh_state) != BATADV_MESH_ACTIVE)
+ goto out;
+
icmp = (struct batadv_icmp_tp_packet *)skb->data;
switch (icmp->subtype) {
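Review bot: this mesh_state test runs without tp_list_lock, unlike the ones added to batadv_tp_start() and batadv_tp_init_recv(), so the state can change right after it passes. That is fine as an early exit, but a comment should say the locked check in batadv_tp_init_recv() is the one that matters, so nobody later removes it as a duplicate.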
@@ -1478,6 +1491,8 @@ void batadv_tp_meter_recv(struct batadv_
"Received unknown TP Metric packet type %u\n",
icmp->subtype);
}
+
+out:
consume_skb(skb);
}
* [PATCH 6.1 418/969] batman-adv: stop caching unowned originator pointers in BAT IV
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
Juefei Pu, Xin Liu, Jiexun Wang, Ren Wei, Sven Eckelmann
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiexun Wang <wangjiexun2025@gmail.com>
commit f03e8583532941b07761c5429de7d50766fa3110 upstream.
BAT IV keeps the last-hop neighbor address in each neigh_node, but some
paths also cache an originator pointer derived from a temporary lookup.
That pointer is not owned by the neigh_node and may no longer refer to a
live originator entry after purge handling runs.
Stop storing the auxiliary originator pointer in the BAT IV neighbor
state. When BAT IV needs the neighbor originator data, resolve it from
the stored neighbor address and drop the reference again after use.
Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
[sven: avoid bonding logic for outgoing OGM]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/bat_iv_ogm.c | 83 +++++++++++++++++++++++++++++++-------------
1 file changed, 59 insertions(+), 24 deletions(-)
--- a/net/batman-adv/bat_iv_ogm.c
+++ b/net/batman-adv/bat_iv_ogm.c
@@ -173,19 +173,12 @@ free_orig_node_hash:
static struct batadv_neigh_node *
batadv_iv_ogm_neigh_new(struct batadv_hard_iface *hard_iface,
const u8 *neigh_addr,
- struct batadv_orig_node *orig_node,
- struct batadv_orig_node *orig_neigh)
+ struct batadv_orig_node *orig_node)
{
struct batadv_neigh_node *neigh_node;
neigh_node = batadv_neigh_node_get_or_create(orig_node,
hard_iface, neigh_addr);
- if (!neigh_node)
- goto out;
-
- neigh_node->orig_node = orig_neigh;
-
-out:
return neigh_node;
}
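Review bot: With the "neigh_node->orig_node = orig_neigh;" assignment removed, batadv_iv_ogm_neigh_new() only forwards its three arguments to batadv_neigh_node_get_or_create(), and neigh_node->orig_node keeps whatever that function sets. The later hunks convert the readers in batadv_iv_ogm_orig_update() and batadv_iv_ogm_process_per_outif(); please confirm that no other BAT IV path in 6.1.y still reads neigh_node->orig_node expecting the neighbor's own originator. Since the wrapper no longer adds anything, calling batadv_neigh_node_get_or_create() directly at the call sites would be simpler.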
@@ -902,6 +895,31 @@ static u8 batadv_iv_orig_ifinfo_sum(stru
}
/**
+ * batadv_iv_ogm_neigh_ifinfo_sum() - Get bcast_own sum for a last-hop neighbor
+ * @bat_priv: the bat priv with all the mesh interface information
+ * @neigh_node: last-hop neighbor of an originator
+ *
+ * Return: Number of replied (rebroadcasted) OGMs for the originator currently
+ * announced by the neighbor. Returns 0 if the neighbor's originator entry is
+ * not available anymore.
+ */
+static u8 batadv_iv_ogm_neigh_ifinfo_sum(struct batadv_priv *bat_priv,
+ const struct batadv_neigh_node *neigh_node)
+{
+ struct batadv_orig_node *orig_neigh;
+ u8 sum;
+
+ orig_neigh = batadv_orig_hash_find(bat_priv, neigh_node->addr);
+ if (!orig_neigh)
+ return 0;
+
+ sum = batadv_iv_orig_ifinfo_sum(orig_neigh, neigh_node->if_incoming);
+ batadv_orig_node_put(orig_neigh);
+
+ return sum;
+}
+
+/**
* batadv_iv_ogm_orig_update() - use OGM to update corresponding data in an
* originator
* @bat_priv: the bat priv with all the soft interface information
@@ -970,17 +988,9 @@ batadv_iv_ogm_orig_update(struct batadv_
}
if (!neigh_node) {
- struct batadv_orig_node *orig_tmp;
-
- orig_tmp = batadv_iv_ogm_orig_get(bat_priv, ethhdr->h_source);
- if (!orig_tmp)
- goto unlock;
-
neigh_node = batadv_iv_ogm_neigh_new(if_incoming,
ethhdr->h_source,
- orig_node, orig_tmp);
-
- batadv_orig_node_put(orig_tmp);
+ orig_node);
if (!neigh_node)
goto unlock;
} else {
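Review bot: The block removed from the "if (!neigh_node)" branch did more than feed the cached pointer: it obtained an originator entry for ethhdr->h_source through batadv_iv_ogm_orig_get() and left via "goto unlock" when none could be obtained. After this change the neighbor is created even when no originator entry for its address exists, and the new helpers only look one up with batadv_orig_hash_find(). The commit message should state that this change in when the neighbor's originator entry first appears is intended.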
@@ -1032,10 +1042,9 @@ batadv_iv_ogm_orig_update(struct batadv_
*/
if (router_ifinfo &&
neigh_ifinfo->bat_iv.tq_avg == router_ifinfo->bat_iv.tq_avg) {
- sum_orig = batadv_iv_orig_ifinfo_sum(router->orig_node,
- router->if_incoming);
- sum_neigh = batadv_iv_orig_ifinfo_sum(neigh_node->orig_node,
- neigh_node->if_incoming);
+ sum_orig = batadv_iv_ogm_neigh_ifinfo_sum(bat_priv, router);
+ sum_neigh = batadv_iv_ogm_neigh_ifinfo_sum(bat_priv,
+ neigh_node);
if (sum_orig >= sum_neigh)
goto out;
}
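Review bot: In this equal-TQ tie-break both sums now come from a hash lookup that returns 0 when the originator entry is gone, so a failed lookup is indistinguishable from a real count of zero. If both lookups fail, "sum_orig >= sum_neigh" holds and "goto out" is taken, but if only the lookup for router fails the comparison is decided by the missing entry and the code falls through. A short comment at the comparison saying that this outcome is acceptable would help.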
@@ -1101,7 +1110,6 @@ static bool batadv_iv_ogm_calc_tq(struct
if (!neigh_node)
neigh_node = batadv_iv_ogm_neigh_new(if_incoming,
orig_neigh_node->orig,
- orig_neigh_node,
orig_neigh_node);
if (!neigh_node)
@@ -1298,6 +1306,32 @@ out:
}
/**
+ * batadv_orig_to_direct_router() - get direct next hop neighbor to an orig address
+ * @bat_priv: the bat priv with all the mesh interface information
+ * @orig_addr: the originator MAC address to search the best next hop router for
+ * @if_outgoing: the interface where the OGM should be sent to
+ *
+ * Return: A neighbor node which is the best router towards the given originator
+ * address. Bonding candidates are ignored.
+ */
+static struct batadv_neigh_node *
+batadv_orig_to_direct_router(struct batadv_priv *bat_priv, u8 *orig_addr,
+ struct batadv_hard_iface *if_outgoing)
+{
+ struct batadv_neigh_node *neigh_node;
+ struct batadv_orig_node *orig_node;
+
+ orig_node = batadv_orig_hash_find(bat_priv, orig_addr);
+ if (!orig_node)
+ return NULL;
+
+ neigh_node = batadv_orig_router_get(orig_node, if_outgoing);
+ batadv_orig_node_put(orig_node);
+
+ return neigh_node;
+}
+
+/**
* batadv_iv_ogm_process_per_outif() - process a batman iv OGM for an outgoing
* interface
* @skb: the skb containing the OGM
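Review bot: The kernel-doc of batadv_orig_to_direct_router() does not say that the returned neigh_node carries a reference. It comes from batadv_orig_router_get(), and the helper drops only the orig_node reference, so the caller has to release the neighbor; please add that to the Return: text together with the NULL case for an originator that is not in the hash. orig_addr is only handed to batadv_orig_hash_find() and could be "const u8 *".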
@@ -1367,8 +1401,9 @@ batadv_iv_ogm_process_per_outif(const st
router = batadv_orig_router_get(orig_node, if_outgoing);
if (router) {
- router_router = batadv_orig_router_get(router->orig_node,
- if_outgoing);
+ router_router = batadv_orig_to_direct_router(bat_priv,
+ router->addr,
+ if_outgoing);
router_ifinfo = batadv_neigh_ifinfo_get(router, if_outgoing);
}
* [PATCH 6.1 419/969] batman-adv: bla: prevent use-after-free when deleting claims
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 4ae1709a314060a196981b344610d023ea841e57 upstream.
When batadv_bla_del_backbone_claims() removes all claims for a backbone, it
does this by dropping the link entry in the hash list. This list entry
itself was one of the references which need to be dropped at the same time
via batadv_claim_put().
But the batadv_claim_put() must not be done before the last access to the
claim object in this function. Otherwise the claim might be freed already
by the batadv_claim_release() function before the list entry was dropped.
Cc: stable@kernel.org
Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/bridge_loop_avoidance.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/batman-adv/bridge_loop_avoidance.c
+++ b/net/batman-adv/bridge_loop_avoidance.c
@@ -318,8 +318,8 @@ batadv_bla_del_backbone_claims(struct ba
if (claim->backbone_gw != backbone_gw)
continue;
- batadv_claim_put(claim);
hlist_del_rcu(&claim->hash_entry);
+ batadv_claim_put(claim);
}
spin_unlock_bh(list_lock);
}
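Review bot: Nothing in the loop records why batadv_claim_put(claim) has to follow hlist_del_rcu(&claim->hash_entry). A one-line comment above the put, saying that the hash entry holds this reference and that the put may release the claim, would keep the two calls from being swapped back in a later cleanup.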
* [PATCH 6.1 420/969] batman-adv: bla: only purge non-released claims
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit cf6b604011591865ae39ac82de8978c1120d17af upstream.
When batadv_bla_purge_claims() goes through the list of claims, it is only
traversing the hash list with an rcu_read_lock(). Due to a potential
parallel batadv_claim_put(), it can happen that it encounters a claim which
was actually in the process of being released+freed by
batadv_claim_release(). In this case, backbone_gw is set to NULL before the
delayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is
then no longer allowed because it would cause a NULL-ptr dereference.
To avoid this, only claims with a valid reference counter must be purged.
All others are already taken care of.
Cc: stable@kernel.org
Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/bridge_loop_avoidance.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/net/batman-adv/bridge_loop_avoidance.c
+++ b/net/batman-adv/bridge_loop_avoidance.c
@@ -1288,6 +1288,13 @@ static void batadv_bla_purge_claims(stru
rcu_read_lock();
hlist_for_each_entry_rcu(claim, head, hash_entry) {
+ /* only purge claims not currently in the process of being released.
+ * Such claims could otherwise have a NULL-ptr backbone_gw set because
+ * they already went through batadv_claim_release()
+ */
+ if (!kref_get_unless_zero(&claim->refcount))
+ continue;
+
backbone_gw = batadv_bla_claim_get_backbone_gw(claim);
if (now)
goto purge_now;
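Review bot: Once kref_get_unless_zero(&claim->refcount) succeeds, every way out of the loop body has to reach the batadv_claim_put(claim) that the second hunk adds after the "skip:" label. The lines between this hunk and that label are not part of the diff; any "continue" among them in the 6.1.y version of batadv_bla_purge_claims() would leak the reference, so that range is worth checking in the backport. The first line of the new comment is also longer than the lines around it and could be rewrapped.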
@@ -1313,6 +1320,7 @@ purge_now:
claim->addr, claim->vid);
skip:
batadv_backbone_gw_put(backbone_gw);
+ batadv_claim_put(claim);
}
rcu_read_unlock();
}
* [PATCH 6.1 421/969] batman-adv: bla: put backbone reference on failed claim hash insert
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit ba9d20ee9076dac32c371116bacbe72480eb356c upstream.
When batadv_bla_add_claim() fails to insert a new claim into the hash, it
leaked a reference to the backbone_gw for which the claim was intended.
Call batadv_backbone_gw_put() on the error path to release the reference
and avoid leaking the backbone_gw object.
Cc: stable@kernel.org
Fixes: 3db0decf1185 ("batman-adv: Fix non-atomic bla_claim::backbone_gw access")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/bridge_loop_avoidance.c | 1 +
1 file changed, 1 insertion(+)
--- a/net/batman-adv/bridge_loop_avoidance.c
+++ b/net/batman-adv/bridge_loop_avoidance.c
@@ -723,6 +723,7 @@ static void batadv_bla_add_claim(struct
if (unlikely(hash_added != 0)) {
/* only local changes happened. */
+ batadv_backbone_gw_put(backbone_gw);
kfree(claim);
return;
}
* [PATCH 6.1 422/969] Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Siwei Zhang,
Luiz Augusto von Dentz
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Siwei Zhang <oss@fourdim.xyz>
commit 78a88d43dab8d23aeef934ed8ce34d40e6b3d613 upstream.
Add the same NULL guard already present in
l2cap_sock_resume_cb() and l2cap_sock_ready_cb().
Fixes: 8d836d71e222 ("Bluetooth: Access sk_sndtimeo indirectly in l2cap_core.c")
Cc: stable@kernel.org
Signed-off-by: Siwei Zhang <oss@fourdim.xyz>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/l2cap_sock.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1767,6 +1767,9 @@ static long l2cap_sock_get_sndtimeo_cb(s
{
struct sock *sk = chan->data;
+ if (!sk)
+ return 0;
+
return sk->sk_sndtimeo;
}
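Review bot: The early return reports a send timeout of 0 when chan->data is NULL, and neither the hunk nor the commit message says what a zero timeout means to the caller of this callback. The guards cited in the commit message sit in l2cap_sock_resume_cb() and l2cap_sock_ready_cb(), which return void, whereas here the return value is consumed. A comment next to "return 0;" explaining why 0 is the right fallback would help.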
* [PATCH 6.1 423/969] mtd: spi-nor: sst: Factor out common write operation to `sst_nor_write_data()`
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC
To: stable; +Cc: Greg Kroah-Hartman, patches, Bence Csókás, Pratyush Yadav
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bence Csókás <csokas.bence@prolan.hu>
commit 18bcb4aa54eab75dce41e5c176a1c2bff94f0f79 upstream.
Writing to the Flash in `sst_nor_write()` is a 3-step process:
first an optional one-byte write to get 2-byte-aligned, then the
bulk of the data is written out in vendor-specific 2-byte writes.
Finally, if there's a byte left over, another one-byte write.
This was implemented 3 times in the body of `sst_nor_write()`.
To reduce code duplication, factor out these sub-steps to their
own function.
Signed-off-by: Csókás, Bence <csokas.bence@prolan.hu>
Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
[pratyush@kernel.org: fixup whitespace, use %zu instead of %i in WARN()]
Signed-off-by: Pratyush Yadav <pratyush@kernel.org>
Link: https://lore.kernel.org/r/20240710091401.1282824-1-csokas.bence@prolan.hu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/spi-nor/sst.c | 39 +++++++++++++++++++--------------------
1 file changed, 19 insertions(+), 20 deletions(-)
--- a/drivers/mtd/spi-nor/sst.c
+++ b/drivers/mtd/spi-nor/sst.c
@@ -117,6 +117,21 @@ static const struct flash_info sst_nor_p
.fixups = &sst26vf_nor_fixups },
};
+static int sst_nor_write_data(struct spi_nor *nor, loff_t to, size_t len,
+ const u_char *buf)
+{
+ u8 op = (len == 1) ? SPINOR_OP_BP : SPINOR_OP_AAI_WP;
+ int ret;
+
+ nor->program_opcode = op;
+ ret = spi_nor_write_data(nor, to, 1, buf);
+ if (ret < 0)
+ return ret;
+ WARN(ret != len, "While writing %zu byte written %i bytes\n", len, ret);
+
+ return spi_nor_wait_till_ready(nor);
+}
+
static int sst_nor_write(struct mtd_info *mtd, loff_t to, size_t len,
size_t *retlen, const u_char *buf)
{
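Review bot: sst_nor_write_data() takes len but calls "spi_nor_write_data(nor, to, 1, buf)" with a literal 1, so the two-byte AAI path programs a single byte and the WARN on "ret != len" fires. Pass len here. The commit message of patch 430 in this series ("mtd: spi-nor: sst: Fix SST write failure") describes exactly this defect, so the two patches have to land in the same release.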
@@ -138,16 +153,10 @@ static int sst_nor_write(struct mtd_info
/* Start write from odd address. */
if (to % 2) {
- nor->program_opcode = SPINOR_OP_BP;
-
/* write one byte. */
- ret = spi_nor_write_data(nor, to, 1, buf);
+ ret = sst_nor_write_data(nor, to, 1, buf);
if (ret < 0)
goto out;
- WARN(ret != 1, "While writing 1 byte written %i bytes\n", ret);
- ret = spi_nor_wait_till_ready(nor);
- if (ret)
- goto out;
to++;
actual++;
@@ -155,16 +164,11 @@ static int sst_nor_write(struct mtd_info
/* Write out most of the data here. */
for (; actual < len - 1; actual += 2) {
- nor->program_opcode = SPINOR_OP_AAI_WP;
-
/* write two bytes. */
- ret = spi_nor_write_data(nor, to, 2, buf + actual);
+ ret = sst_nor_write_data(nor, to, 2, buf + actual);
if (ret < 0)
goto out;
- WARN(ret != 2, "While writing 2 bytes written %i bytes\n", ret);
- ret = spi_nor_wait_till_ready(nor);
- if (ret)
- goto out;
+
to += 2;
nor->sst_write_second = true;
}
@@ -184,14 +188,9 @@ static int sst_nor_write(struct mtd_info
if (ret)
goto out;
- nor->program_opcode = SPINOR_OP_BP;
- ret = spi_nor_write_data(nor, to, 1, buf + actual);
+ ret = sst_nor_write_data(nor, to, 1, buf + actual);
if (ret < 0)
goto out;
- WARN(ret != 1, "While writing 1 byte written %i bytes\n", ret);
- ret = spi_nor_wait_till_ready(nor);
- if (ret)
- goto out;
actual += 1;
* [PATCH 6.1 424/969] mtd: spi-nor: sst: Fix write enable before AAI sequence
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC
To: stable
Cc: Greg Kroah-Hartman, patches, Sanjaikumar V S, Hendrik Donner,
Pratyush Yadav (Google)
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sanjaikumar V S <sanjaikumar.vs@dicortech.com>
commit a0f64241d3566a49c0a9b33ba7ae458ae22003a9 upstream.
When writing to SST flash starting at an odd address, a single byte is
first programmed using the byte program (BP) command. After this
operation completes, the flash hardware automatically clears the Write
Enable Latch (WEL) bit.
If an AAI (Auto Address Increment) word program sequence follows, it
requires WEL to be set. Without re-enabling writes, the AAI sequence
fails.
Add spi_nor_write_enable() after the odd-address byte program when more
data needs to be written. Use a local boolean for clarity.
Fixes: b199489d37b2 ("mtd: spi-nor: add the framework for SPI NOR")
Cc: stable@vger.kernel.org
Signed-off-by: Sanjaikumar V S <sanjaikumar.vs@dicortech.com>
Tested-by: Hendrik Donner <hd@os-cillation.de>
Reviewed-by: Hendrik Donner <hd@os-cillation.de>
Signed-off-by: Pratyush Yadav (Google) <pratyush@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/spi-nor/sst.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
--- a/drivers/mtd/spi-nor/sst.c
+++ b/drivers/mtd/spi-nor/sst.c
@@ -153,6 +153,8 @@ static int sst_nor_write(struct mtd_info
/* Start write from odd address. */
if (to % 2) {
+ bool needs_write_enable = (len > 1);
+
/* write one byte. */
ret = sst_nor_write_data(nor, to, 1, buf);
if (ret < 0)
@@ -160,6 +162,17 @@ static int sst_nor_write(struct mtd_info
to++;
actual++;
+
+ /*
+ * Byte program clears the write enable latch. If more
+ * data needs to be written using the AAI sequence,
+ * re-enable writes.
+ */
+ if (needs_write_enable) {
+ ret = spi_nor_write_enable(nor);
+ if (ret)
+ goto out;
+ }
}
/* Write out most of the data here. */
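Review bot: needs_write_enable is "len > 1", but the AAI loop shown in patch 423 runs only while "actual < len - 1", so with an odd start address and len == 2 no AAI write follows the byte program and the added spi_nor_write_enable() is issued without an AAI sequence to serve. If the trailing-byte path performs its own write enable, "len > 2" would match the new comment more closely; otherwise please extend the comment to say that the enable also covers the final byte.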
* [PATCH 6.1 425/969] pwm: imx-tpm: Count the number of enabled channels in probe
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC
To: stable
Cc: Greg Kroah-Hartman, patches, Viorel Suman (OSS),
Uwe Kleine-König
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Viorel Suman (OSS) <viorel.suman@oss.nxp.com>
commit 3962c24f2d14e8a7f8a23f56b7ce320523947342 upstream.
On a soft reset TPM PWM IP may preserve its internal state from previous
runtime, therefore on a subsequent OS boot and driver probe
"enable_count" value and TPM PWM IP internal channels "enabled" states
may get unaligned. In consequence on a suspend/resume cycle the call "if
(--tpm->enable_count == 0)" may lead to "enable_count" overflow, the
system being blocked from entering suspend due to:
if (tpm->enable_count > 0)
return -EBUSY;
Fix the problem by counting the enabled channels in probe function.
Signed-off-by: Viorel Suman (OSS) <viorel.suman@oss.nxp.com>
Fixes: 738a1cfec2ed ("pwm: Add i.MX TPM PWM driver support")
Link: https://patch.msgid.link/20260311123309.348904-1-viorel.suman@oss.nxp.com
Cc: stable@vger.kernel.org
Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
[ukleinek: backport to linux-6.6.y]
Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pwm/pwm-imx-tpm.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/pwm/pwm-imx-tpm.c
+++ b/drivers/pwm/pwm-imx-tpm.c
@@ -350,6 +350,7 @@ static int pwm_imx_tpm_probe(struct plat
{
struct imx_tpm_pwm_chip *tpm;
int ret;
+ unsigned int i;
u32 val;
tpm = devm_kzalloc(&pdev->dev, sizeof(*tpm), GFP_KERNEL);
@@ -383,6 +384,13 @@ static int pwm_imx_tpm_probe(struct plat
mutex_init(&tpm->lock);
+ /* count the enabled channels */
+ for (i = 0; i < tpm->chip.npwm; ++i) {
+ val = readl(tpm->base + PWM_IMX_TPM_CnSC(i));
+ if (FIELD_GET(PWM_IMX_TPM_CnSC_ELS, val))
+ ++tpm->enable_count;
+ }
+
ret = pwmchip_add(&tpm->chip);
if (ret) {
dev_err(&pdev->dev, "failed to add PWM chip: %d\n", ret);
* [PATCH 6.1 426/969] vsock: fix buffer size clamping order
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC
To: stable
Cc: Greg Kroah-Hartman, patches, Stefano Garzarella, Norbert Szetei,
Jakub Kicinski, Luigi Leonardi
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Norbert Szetei <norbert@doyensec.com>
commit d114bfdc9b76bf93b881e195b7ec957c14227bab upstream.
In vsock_update_buffer_size(), the buffer size was being clamped to the
maximum first, and then to the minimum. If a user sets a minimum buffer
size larger than the maximum, the minimum check overrides the maximum
check, inverting the constraint.
This breaks the intended socket memory boundaries by allowing the
vsk->buffer_size to grow beyond the configured vsk->buffer_max_size.
Fix this by checking the minimum first, and then the maximum. This
ensures the buffer size never exceeds the buffer_max_size.
Fixes: b9f2b0ffde0c ("vsock: handle buffer_size sockopts in the core")
Suggested-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Norbert Szetei <norbert@doyensec.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Link: https://patch.msgid.link/180118C5-8BCF-4A63-A305-4EE53A34AB9C@doyensec.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Cc: Luigi Leonardi <leonardi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/vmw_vsock/af_vsock.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
@@ -1680,12 +1680,12 @@ static void vsock_update_buffer_size(str
const struct vsock_transport *transport,
u64 val)
{
- if (val > vsk->buffer_max_size)
- val = vsk->buffer_max_size;
-
if (val < vsk->buffer_min_size)
val = vsk->buffer_min_size;
+ if (val > vsk->buffer_max_size)
+ val = vsk->buffer_max_size;
+
if (val != vsk->buffer_size &&
transport && transport->notify_buffer_size)
transport->notify_buffer_size(vsk, &val);
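Review bot: With the new order, a configuration in which buffer_min_size exceeds buffer_max_size yields a value equal to buffer_max_size, which is below the configured minimum. That keeps the upper bound intact, which is the stated goal, but the inconsistent pair is still accepted silently. Consider rejecting or normalising min > max where the two limits are set, or add a comment above the second check that the maximum deliberately wins.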
* [PATCH 6.1 427/969] vsock/virtio: fix accept queue count leak on transport mismatch
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC
To: stable
Cc: Greg Kroah-Hartman, patches, Dudu Lu, Bobby Eshleman,
Luigi Leonardi, Stefano Garzarella, Michael S. Tsirkin,
Paolo Abeni
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dudu Lu <phx0fer@gmail.com>
commit 52bcb57a4e8a0865a76c587c2451906342ae1b2d upstream.
virtio_transport_recv_listen() calls sk_acceptq_added() before
vsock_assign_transport(). If vsock_assign_transport() fails or
selects a different transport, the error path returns without
calling sk_acceptq_removed(), permanently incrementing
sk_ack_backlog.
After approximately backlog+1 such failures, sk_acceptq_is_full()
returns true, causing the listener to reject all new connections.
Fix by moving sk_acceptq_added() to after the transport validation,
matching the pattern used by vmci_transport and hyperv_transport.
Fixes: c0cfa2d8a788 ("vsock: add multi-transports support")
Signed-off-by: Dudu Lu <phx0fer@gmail.com>
Reviewed-by: Bobby Eshleman <bobbyeshleman@meta.com>
Reviewed-by: Luigi Leonardi <leonardi@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Link: https://patch.msgid.link/20260413131409.19022-1-phx0fer@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Cc: Luigi Leonardi <leonardi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/vmw_vsock/virtio_transport_common.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/net/vmw_vsock/virtio_transport_common.c
+++ b/net/vmw_vsock/virtio_transport_common.c
@@ -1259,8 +1259,6 @@ virtio_transport_recv_listen(struct sock
return -ENOMEM;
}
- sk_acceptq_added(sk);
-
lock_sock_nested(child, SINGLE_DEPTH_NESTING);
child->sk_state = TCP_ESTABLISHED;
@@ -1282,6 +1280,7 @@ virtio_transport_recv_listen(struct sock
return ret;
}
+ sk_acceptq_added(sk);
if (virtio_transport_space_update(child, skb))
child->sk_write_space(child);
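Review bot: The added "sk_acceptq_added(sk);" runs straight into the following "if (virtio_transport_space_update(child, skb))" with no blank line, whereas the removed call was followed by one; please add it. The hunk shows only the "return ret;" ahead of the new call, so it is also worth confirming that no other exit between the transport check and this line is taken after the child has been made visible to accept().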
* [PATCH 6.1 428/969] drm/amdgpu/vcn3: Avoid overflow on msg bound check
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC
To: stable
Cc: Greg Kroah-Hartman, patches, SDL, Benjamin Cheng, Ruijing Dong,
Alex Deucher
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin Cheng <benjamin.cheng@amd.com>
commit e6e9faba8100628990cccd13f0f044a648c303cf upstream.
As pointed out by SDL, the previous condition may be vulnerable to
overflow.
Fixes: b193019860d6 ("drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg")
Cc: SDL <sdl@nppct.ru>
Signed-off-by: Benjamin Cheng <benjamin.cheng@amd.com>
Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit db00257ac9e4a51eb2515aaea161a019f7125e10)
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c
@@ -1844,6 +1844,7 @@ static int vcn_v3_0_dec_msg(struct amdgp
for (i = 0, msg = &msg[6]; i < num_buffers; ++i, msg += 4) {
uint32_t offset, size, *create;
+ uint64_t buf_end;
if (msg[0] != RDECODE_MESSAGE_CREATE)
continue;
@@ -1851,7 +1852,8 @@ static int vcn_v3_0_dec_msg(struct amdgp
offset = msg[1];
size = msg[2];
- if (size < 4 || offset + size > end - addr) {
+ if (size < 4 || check_add_overflow(offset, size, &buf_end) ||
+ buf_end > end - addr) {
DRM_ERROR("VCN message buffer exceeds BO bounds!\n");
r = -EINVAL;
goto out;
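Review bot: offset and size are uint32_t while buf_end is uint64_t, so their sum always fits the destination and the check_add_overflow() term of the new condition cannot become true; the protection comes entirely from comparing the 64-bit sum with "end - addr". That is correct provided check_add_overflow() in 6.1.y accepts operands and a destination of different types, which should be confirmed for this backport. If the intent is only to widen the sum, "buf_end = (uint64_t)offset + size;" states it more directly.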
* [PATCH 6.1 429/969] drm/amdgpu/vcn4: Avoid overflow on msg bound check
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC
To: stable
Cc: Greg Kroah-Hartman, patches, SDL, Benjamin Cheng, Ruijing Dong,
Alex Deucher
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin Cheng <benjamin.cheng@amd.com>
commit 65bce27ea6192320448c30267ffc17ffa094e713 upstream.
As pointed out by SDL, the previous condition may be vulnerable to
overflow.
Fixes: 0a78f2bac142 ("drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg")
Cc: SDL <sdl@nppct.ru>
Signed-off-by: Benjamin Cheng <benjamin.cheng@amd.com>
Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 3c5367d950140d4ec7af830b2268a5a6fdaa3885)
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
@@ -1675,6 +1675,7 @@ static int vcn_v4_0_dec_msg(struct amdgp
for (i = 0, msg = &msg[6]; i < num_buffers; ++i, msg += 4) {
uint32_t offset, size, *create;
+ uint64_t buf_end;
if (msg[0] != RDECODE_MESSAGE_CREATE)
continue;
@@ -1682,7 +1683,8 @@ static int vcn_v4_0_dec_msg(struct amdgp
offset = msg[1];
size = msg[2];
- if (size < 4 || offset + size > end - addr) {
+ if (size < 4 || check_add_overflow(offset, size, &buf_end) ||
+ buf_end > end - addr) {
DRM_ERROR("VCN message buffer exceeds BO bounds!\n");
r = -EINVAL;
goto out;
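Review bot: The bound check in vcn_v4_0_dec_msg() is now a second identical copy of the one in vcn_v3_0_dec_msg(), down to the error string. A small shared helper taking offset, size and the buffer length would keep the two decoders from drifting apart the next time this check is touched.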
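The wrap that the two VCN commit messages above refer to, as an added example that is not the driver's code: user-space C that walks a constructed message in the 4-word stride the hunks show and applies the bound check in its 32-bit form and in its widened form. MSG_CREATE, bo_len (standing in for "end - addr"), the function names and the sample words are assumptions; __builtin_add_overflow is the GCC/Clang builtin.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MSG_CREATE 0x1u /* placeholder type tag, not the driver's value */

/* 32-bit form: offset + size is evaluated in uint32_t and wraps modulo 2^32. */
static bool entry_ok_wrapping(uint32_t offset, uint32_t size, uint64_t bo_len)
{
	return !(size < 4 || (uint32_t)(offset + size) > bo_len);
}

/* Widened form: the builtin computes the exact sum and stores it in 64 bits. */
static bool entry_ok_widened(uint32_t offset, uint32_t size, uint64_t bo_len)
{
	uint64_t buf_end;

	if (size < 4 || __builtin_add_overflow(offset, size, &buf_end))
		return false;
	return buf_end <= bo_len;
}

typedef bool (*entry_check_fn)(uint32_t, uint32_t, uint64_t);

/*
 * Walk num_entries entries of 4 words each: [type, offset, size, unused].
 * Returns the index of the first CREATE entry the check rejects, or -1 if
 * every CREATE entry passes.
 */
static int first_rejected(const uint32_t *msg, size_t num_entries,
			  uint64_t bo_len, entry_check_fn check)
{
	for (size_t i = 0; i < num_entries; ++i, msg += 4) {
		if (msg[0] != MSG_CREATE)
			continue;
		if (!check(msg[1], msg[2], bo_len))
			return (int)i;
	}
	return -1;
}

/* Constructed sample: a 0x1000-byte buffer object and four entries. */
static const uint64_t SAMPLE_BO_LEN = 0x1000;
static const uint32_t SAMPLE_MSG[] = {
	MSG_CREATE, 0x00000100u, 0x00000040u, 0, /* inside the buffer      */
	0x2u,       0xdeadbeefu, 0x00000000u, 0, /* other type, skipped    */
	MSG_CREATE, 0x00000fc0u, 0x00000040u, 0, /* ends exactly at 0x1000 */
	MSG_CREATE, 0xfffffff0u, 0x00000020u, 0, /* 32-bit sum wraps       */
};
#define SAMPLE_ENTRIES (sizeof(SAMPLE_MSG) / sizeof(SAMPLE_MSG[0]) / 4)

int main(void)
{
	printf("32-bit check rejects entry:  %d\n",
	       first_rejected(SAMPLE_MSG, SAMPLE_ENTRIES, SAMPLE_BO_LEN,
			      entry_ok_wrapping));
	printf("widened check rejects entry: %d\n",
	       first_rejected(SAMPLE_MSG, SAMPLE_ENTRIES, SAMPLE_BO_LEN,
			      entry_ok_widened));
	return 0;
}
```

The last sample entry passes the 32-bit check because its end wraps to a small value, and only the widened comparison rejects it.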
* [PATCH 6.1 430/969] mtd: spi-nor: sst: Fix SST write failure
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC
To: stable
Cc: Greg Kroah-Hartman, patches, Amit Kumar Mahapatra, Pratyush Yadav,
Tudor Ambarus, Bence Csókás
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Amit Kumar Mahapatra <amit.kumar-mahapatra@amd.com>
commit 539bd20352832b9244238a055eb169ccf1c41ff6 upstream.
'commit 18bcb4aa54ea ("mtd: spi-nor: sst: Factor out common write operation
to `sst_nor_write_data()`")' introduced a bug where only one byte of data
is written, regardless of the number of bytes passed to
sst_nor_write_data(), causing a kernel crash during the write operation.
Ensure the correct number of bytes are written as passed to
sst_nor_write_data().
Call trace:
[ 57.400180] ------------[ cut here ]------------
[ 57.404842] While writing 2 byte written 1 bytes
[ 57.409493] WARNING: CPU: 0 PID: 737 at drivers/mtd/spi-nor/sst.c:187 sst_nor_write_data+0x6c/0x74
[ 57.418464] Modules linked in:
[ 57.421517] CPU: 0 UID: 0 PID: 737 Comm: mtd_debug Not tainted 6.12.0-g5ad04afd91f9 #30
[ 57.429517] Hardware name: Xilinx Versal A2197 Processor board revA - x-prc-02 revA (DT)
[ 57.437600] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 57.444557] pc : sst_nor_write_data+0x6c/0x74
[ 57.448911] lr : sst_nor_write_data+0x6c/0x74
[ 57.453264] sp : ffff80008232bb40
[ 57.456570] x29: ffff80008232bb40 x28: 0000000000010000 x27: 0000000000000001
[ 57.463708] x26: 000000000000ffff x25: 0000000000000000 x24: 0000000000000000
[ 57.470843] x23: 0000000000010000 x22: ffff80008232bbf0 x21: ffff000816230000
[ 57.477978] x20: ffff0008056c0080 x19: 0000000000000002 x18: 0000000000000006
[ 57.485112] x17: 0000000000000000 x16: 0000000000000000 x15: ffff80008232b580
[ 57.492246] x14: 0000000000000000 x13: ffff8000816d1530 x12: 00000000000004a4
[ 57.499380] x11: 000000000000018c x10: ffff8000816fd530 x9 : ffff8000816d1530
[ 57.506515] x8 : 00000000fffff7ff x7 : ffff8000816fd530 x6 : 0000000000000001
[ 57.513649] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
[ 57.520782] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0008049b0000
[ 57.527916] Call trace:
[ 57.530354] sst_nor_write_data+0x6c/0x74
[ 57.534361] sst_nor_write+0xb4/0x18c
[ 57.538019] mtd_write_oob_std+0x7c/0x88
[ 57.541941] mtd_write_oob+0x70/0xbc
[ 57.545511] mtd_write+0x68/0xa8
[ 57.548733] mtdchar_write+0x10c/0x290
[ 57.552477] vfs_write+0xb4/0x3a8
[ 57.555791] ksys_write+0x74/0x10c
[ 57.559189] __arm64_sys_write+0x1c/0x28
[ 57.563109] invoke_syscall+0x54/0x11c
[ 57.566856] el0_svc_common.constprop.0+0xc0/0xe0
[ 57.571557] do_el0_svc+0x1c/0x28
[ 57.574868] el0_svc+0x30/0xcc
[ 57.577921] el0t_64_sync_handler+0x120/0x12c
[ 57.582276] el0t_64_sync+0x190/0x194
[ 57.585933] ---[ end trace 0000000000000000 ]---
Cc: stable@vger.kernel.org
Fixes: 18bcb4aa54ea ("mtd: spi-nor: sst: Factor out common write operation to `sst_nor_write_data()`")
Signed-off-by: Amit Kumar Mahapatra <amit.kumar-mahapatra@amd.com>
Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
Reviewed-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Reviewed-by: Bence Csókás <csokas.bence@prolan.hu>
[pratyush@kernel.org: add Cc stable tag]
Signed-off-by: Pratyush Yadav <pratyush@kernel.org>
Link: https://lore.kernel.org/r/20250213054546.2078121-1-amit.kumar-mahapatra@amd.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/spi-nor/sst.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/mtd/spi-nor/sst.c
+++ b/drivers/mtd/spi-nor/sst.c
@@ -124,7 +124,7 @@ static int sst_nor_write_data(struct spi
int ret;
nor->program_opcode = op;
- ret = spi_nor_write_data(nor, to, 1, buf);
+ ret = spi_nor_write_data(nor, to, len, buf);
if (ret < 0)
return ret;
WARN(ret != len, "While writing %zu byte written %i bytes\n", len, ret);
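Review bot: The `WARN(ret != len, ...)` right after the fixed call is reachable from an ordinary write() on the MTD character device (the trace in the commit message enters through mtdchar_write), so on a system running with panic_on_warn a short write takes the machine down. The visible lines also do not turn the short write into an error. Consider dev_err() plus `return -EIO` in place of the WARN.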
* [PATCH 6.1 431/969] bcache: fix uninitialized closure object
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (429 preceding siblings ...)
2026-05-30 15:59 ` [PATCH 6.1 430/969] mtd: spi-nor: sst: Fix SST write failure Greg Kroah-Hartman
@ 2026-05-30 15:59 ` Greg Kroah-Hartman
2026-06-01 17:34 ` Mahmoud Nagy Adam
2026-05-30 15:59 ` [PATCH 6.1 432/969] blk-cgroup: wait for blkcg cleanup before initializing new disk Greg Kroah-Hartman
` (544 subsequent siblings)
975 siblings, 1 reply; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mingzhe Zou, Coly Li, Jens Axboe
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mingzhe Zou <mingzhe.zou@easystack.cn>
commit 20a8e451ec1c7e99060b1bbaaad03ce88c39ddb8 upstream.
In the previous patch ("bcache: fix cached_dev.sb_bio use-after-free and
crash"), we adopted a simple modification suggestion from AI to fix the
use-after-free.
But in actual testing, we found an extreme case where the device is
stopped before calling bch_write_bdev_super().
At this point, struct closure sb_write has not been initialized yet.
For this patch, we ensure that sb_bio has been completed via
sb_write_mutex.
Signed-off-by: Mingzhe Zou <mingzhe.zou@easystack.cn>
Signed-off-by: Coly Li <colyli@fnnas.com>
Link: https://patch.msgid.link/20260403042135.2221247-1-colyli@fnnas.com
Fixes: fec114a98b87 ("bcache: fix cached_dev.sb_bio use-after-free and crash")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/bcache/super.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/md/bcache/super.c
+++ b/drivers/md/bcache/super.c
@@ -1373,7 +1373,8 @@ static void cached_dev_free(struct closu
* The sb_bio is embedded in struct cached_dev, so we must
* ensure no I/O is in progress.
*/
- closure_sync(&dc->sb_write);
+ down(&dc->sb_write_mutex);
+ up(&dc->sb_write_mutex);
if (dc->sb_disk)
put_page(virt_to_page(dc->sb_disk));
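Review bot: The `down(&dc->sb_write_mutex); up(&dc->sb_write_mutex);` pair is used purely as a barrier, yet the comment above it still only says that no I/O may be in progress. Please extend the comment to say that sb_write_mutex is what the superblock write holds until sb_bio completes, and that closure_sync() cannot be used because sb_write may not have been initialized yet, so nobody simplifies this back. It is also worth confirming that sb_write_mutex is always initialized by the time cached_dev_free() can run, otherwise the problem moves from the closure to the semaphore.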
* [PATCH 6.1 432/969] blk-cgroup: wait for blkcg cleanup before initializing new disk
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (430 preceding siblings ...)
2026-05-30 15:59 ` [PATCH 6.1 431/969] bcache: fix uninitialized closure object Greg Kroah-Hartman
@ 2026-05-30 15:59 ` Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 433/969] fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START Greg Kroah-Hartman
` (543 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yi Zhang, Ming Lei,
Christoph Hellwig, Jens Axboe, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Lei <ming.lei@redhat.com>
[ Upstream commit 3dbaacf6ab68f81e3375fe769a2ecdbd3ce386fd ]
When a queue is shared across disk rebind (e.g., SCSI unbind/bind), the
previous disk's blkcg state is cleaned up asynchronously via
disk_release() -> blkcg_exit_disk(). If the new disk's blkcg_init_disk()
runs before that cleanup finishes, we may overwrite q->root_blkg while
the old one is still alive, and radix_tree_insert() in blkg_create()
fails with -EEXIST because the old blkg entries still occupy the same
queue id slot in blkcg->blkg_tree. This causes the sd probe to fail
with -ENOMEM.
Fix it by waiting in blkcg_init_disk() for root_blkg to become NULL,
which indicates the previous disk's blkcg cleanup has completed.
Fixes: 1059699f87eb ("block: move blkcg initialization/destroy into disk allocation/release handler")
Cc: Yi Zhang <yi.zhang@redhat.com>
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://patch.msgid.link/20260311032837.2368714-1-ming.lei@redhat.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/blk-cgroup.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
index f314192b6de84..9b081dfba9007 100644
--- a/block/blk-cgroup.c
+++ b/block/blk-cgroup.c
@@ -24,6 +24,7 @@
#include <linux/backing-dev.h>
#include <linux/slab.h>
#include <linux/delay.h>
+#include <linux/wait_bit.h>
#include <linux/atomic.h>
#include <linux/ctype.h>
#include <linux/resume_user_mode.h>
@@ -509,6 +510,8 @@ static void blkg_destroy_all(struct gendisk *disk)
q->root_blkg = NULL;
spin_unlock_irq(&q->queue_lock);
+
+ wake_up_var(&q->root_blkg);
}
static int blkcg_reset_stats(struct cgroup_subsys_state *css,
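Review bot: `wake_up_var(&q->root_blkg)` is ordered after the `q->root_blkg = NULL` store only by spin_unlock_irq(), which is a release and not a full barrier. Is that enough for wake_up_var(), which looks for waiters without taking queue_lock? If it is, say why in a comment; if not, add smp_mb() before the wake-up. The store would also read better as WRITE_ONCE() now that the waiter in blkcg_init_disk() uses READ_ONCE().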
@@ -1259,6 +1262,18 @@ int blkcg_init_disk(struct gendisk *disk)
INIT_LIST_HEAD(&q->blkg_list);
+ /*
+ * If the queue is shared across disk rebind (e.g., SCSI), the
+ * previous disk's blkcg state is cleaned up asynchronously via
+ * disk_release() -> blkcg_exit_disk(). Wait for that cleanup to
+ * finish (indicated by root_blkg becoming NULL) before setting up
+ * new blkcg state. Otherwise, we may overwrite q->root_blkg while
+ * the old one is still alive, and radix_tree_insert() in
+ * blkg_create() will fail with -EEXIST because the old entries
+ * still occupy the same queue id slot in blkcg->blkg_tree.
+ */
+ wait_var_event(&q->root_blkg, !READ_ONCE(q->root_blkg));
+
new_blkg = blkg_alloc(&blkcg_root, disk, GFP_KERNEL);
if (!new_blkg)
return -ENOMEM;
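Review bot: `wait_var_event(&q->root_blkg, !READ_ONCE(q->root_blkg))` is an uninterruptible wait with no timeout in the disk setup path. The comment says the cleanup runs asynchronously via disk_release(), so anything that delays the release of the old disk turns the previous probe failure into a hung probe. Please state in the comment what bounds the wait, or use wait_var_event_killable() or wait_var_event_timeout() and fail the init on expiry.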
--
2.53.0
* [PATCH 6.1 433/969] fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (431 preceding siblings ...)
2026-05-30 15:59 ` [PATCH 6.1 432/969] blk-cgroup: wait for blkcg cleanup before initializing new disk Greg Kroah-Hartman
@ 2026-05-30 15:59 ` Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 434/969] drbd: Balance RCU calls in drbd_adm_dump_devices() Greg Kroah-Hartman
` (542 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hyungjung Joo, Christian Brauner,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: HyungJung Joo <jhj140711@gmail.com>
[ Upstream commit 0621c385fda1376e967f37ccd534c26c3e511d14 ]
omfs_fill_super() rejects oversized s_sys_blocksize values (> PAGE_SIZE),
but it does not reject values smaller than OMFS_DIR_START (0x1b8 = 440).
Later, omfs_make_empty() uses
sbi->s_sys_blocksize - OMFS_DIR_START
as the length argument to memset(). Since s_sys_blocksize is u32,
a crafted filesystem image with s_sys_blocksize < OMFS_DIR_START causes
an unsigned underflow there, wrapping to a value near 2^32. That drives
a ~4 GiB memset() from bh->b_data + OMFS_DIR_START and overwrites kernel
memory far beyond the backing block buffer.
Add the corresponding lower-bound check alongside the existing upper-bound
check in omfs_fill_super(), so that malformed images are rejected during
superblock validation before any filesystem data is processed.
Fixes: a3ab7155ea21 ("omfs: add directory routines")
Signed-off-by: Hyungjung Joo <jhj140711@gmail.com>
Link: https://patch.msgid.link/20260317054827.1822061-1-jhj140711@gmail.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/omfs/inode.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/fs/omfs/inode.c b/fs/omfs/inode.c
index 2a0e83236c011..9773846daa4bc 100644
--- a/fs/omfs/inode.c
+++ b/fs/omfs/inode.c
@@ -515,6 +515,12 @@ static int omfs_fill_super(struct super_block *sb, void *data, int silent)
goto out_brelse_bh;
}
+ if (sbi->s_sys_blocksize < OMFS_DIR_START) {
+ printk(KERN_ERR "omfs: sysblock size (%d) is too small\n",
+ sbi->s_sys_blocksize);
+ goto out_brelse_bh;
+ }
+
if (sbi->s_blocksize < sbi->s_sys_blocksize ||
sbi->s_blocksize > OMFS_MAX_BLOCK_SIZE) {
printk(KERN_ERR "omfs: block size (%d) is out of range\n",
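Review bot: The bound in `if (sbi->s_sys_blocksize < OMFS_DIR_START)` still accepts a value equal to OMFS_DIR_START, which makes the memset() length described in the commit message zero: no underflow, but also a block with no room after the directory header. If such an image cannot be valid, `<=` (or a larger documented minimum) would reject it here too. Minor: the field is u32 per the commit message, so `%u` rather than `%d` in the new printk.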
--
2.53.0
* [PATCH 6.1 434/969] drbd: Balance RCU calls in drbd_adm_dump_devices()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (432 preceding siblings ...)
2026-05-30 15:59 ` [PATCH 6.1 433/969] fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START Greg Kroah-Hartman
@ 2026-05-30 15:59 ` Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 435/969] nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty() Greg Kroah-Hartman
` (541 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Böhmwalder,
Christoph Hellwig, Andreas Gruenbacher, Bart Van Assche,
Jens Axboe, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bart Van Assche <bvanassche@acm.org>
[ Upstream commit 2b31e86387e60b3689339f0f0fbb4d3623d9d494 ]
Make drbd_adm_dump_devices() call rcu_read_lock() before
rcu_read_unlock() is called. This has been detected by the Clang
thread-safety analyzer.
Tested-by: Christoph Böhmwalder <christoph.boehmwalder@linbit.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Cc: Andreas Gruenbacher <agruenba@redhat.com>
Fixes: a55bbd375d18 ("drbd: Backport the "status" command")
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Link: https://patch.msgid.link/20260326214054.284593-1-bvanassche@acm.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/block/drbd/drbd_nl.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/block/drbd/drbd_nl.c b/drivers/block/drbd/drbd_nl.c
index 249eba7d21c28..5f6afcbb996c8 100644
--- a/drivers/block/drbd/drbd_nl.c
+++ b/drivers/block/drbd/drbd_nl.c
@@ -3345,8 +3345,10 @@ int drbd_adm_dump_devices(struct sk_buff *skb, struct netlink_callback *cb)
if (resource_filter) {
retcode = ERR_RES_NOT_KNOWN;
resource = drbd_find_resource(nla_data(resource_filter));
- if (!resource)
+ if (!resource) {
+ rcu_read_lock();
goto put_result;
+ }
cb->args[0] = (long)resource;
}
}
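Review bot: Taking `rcu_read_lock()` immediately before `goto put_result`, only to satisfy the unlock done on that path, is hard to follow without the rest of the function in view. Add a one-line comment that put_result drops the RCU read lock, or give this error path a label that skips the unlock so that no lock is taken just to be released.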
@@ -3595,8 +3597,10 @@ int drbd_adm_dump_peer_devices(struct sk_buff *skb, struct netlink_callback *cb)
if (resource_filter) {
retcode = ERR_RES_NOT_KNOWN;
resource = drbd_find_resource(nla_data(resource_filter));
- if (!resource)
+ if (!resource) {
+ rcu_read_lock();
goto put_result;
+ }
}
cb->args[0] = (long)resource;
}
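Review bot: The subject and commit message name only drbd_adm_dump_devices(), but this hunk makes the same change in drbd_adm_dump_peer_devices(). Please mention both functions in the changelog so the second fix can be found by someone searching for it.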
--
2.53.0
* [PATCH 6.1 435/969] nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (433 preceding siblings ...)
2026-05-30 15:59 ` [PATCH 6.1 434/969] drbd: Balance RCU calls in drbd_adm_dump_devices() Greg Kroah-Hartman
@ 2026-05-30 15:59 ` Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 436/969] pstore/ram: fix resource leak when ioremap() fails Greg Kroah-Hartman
` (540 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+98a040252119df0506f8,
Ryusuke Konishi, Deepanshu Kartikey, syzbot+466a45fcfb0562f5b9a0,
Junjie Cao, Viacheslav Dubeyko, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Deepanshu Kartikey <kartikey406@gmail.com>
[ Upstream commit be3e5d10643d3be1cbac9d9939f220a99253f980 ]
nilfs_ioctl_mark_blocks_dirty() uses bd_oblocknr to detect dead blocks
by comparing it with the current block number bd_blocknr. If they differ,
the block is considered dead and skipped.
However, bd_oblocknr should never be 0 since block 0 typically stores the
primary superblock and is never a valid GC target block. A corrupted ioctl
request with bd_oblocknr set to 0 causes the comparison to incorrectly
match when the lookup returns -ENOENT and sets bd_blocknr to 0, bypassing
the dead block check and calling nilfs_bmap_mark() on a non-existent
block. This causes nilfs_btree_do_lookup() to return -ENOENT, triggering
the WARN_ON(ret == -ENOENT).
Fix this by rejecting ioctl requests with bd_oblocknr set to 0 at the
beginning of each iteration.
[ryusuke: slightly modified the commit message and comments for accuracy]
Fixes: 7942b919f732 ("nilfs2: ioctl operations")
Reported-by: syzbot+98a040252119df0506f8@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=98a040252119df0506f8
Suggested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
Reported-by: syzbot+466a45fcfb0562f5b9a0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=466a45fcfb0562f5b9a0
Cc: Junjie Cao <junjie.cao@linux.dev>
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nilfs2/ioctl.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c
index 1d4d610bd82b5..7f972f0b1a885 100644
--- a/fs/nilfs2/ioctl.c
+++ b/fs/nilfs2/ioctl.c
@@ -751,6 +751,12 @@ static int nilfs_ioctl_mark_blocks_dirty(struct the_nilfs *nilfs,
int ret, i;
for (i = 0; i < nmembs; i++) {
+ /*
+ * bd_oblocknr must never be 0 as block 0
+ * is never a valid GC target block
+ */
+ if (unlikely(!bdescs[i].bd_oblocknr))
+ return -EINVAL;
/* XXX: use macro or inline func to check liveness */
ret = nilfs_bmap_lookup_at_level(bmap,
bdescs[i].bd_offset,
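Review bot: The new `return -EINVAL` sits inside the `for (i = 0; i < nmembs; i++)` loop, so a zero bd_oblocknr at index i is rejected only after descriptors 0..i-1 have already been processed. If a partially applied request matters, validate all bd_oblocknr values in a pass before the loop; otherwise say in the comment that earlier entries stay as they are. A blank line between the new check and the `/* XXX: ... */` comment would also keep the two apart.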
--
2.53.0
* [PATCH 6.1 436/969] pstore/ram: fix resource leak when ioremap() fails
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (434 preceding siblings ...)
2026-05-30 15:59 ` [PATCH 6.1 435/969] nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty() Greg Kroah-Hartman
@ 2026-05-30 15:59 ` Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 437/969] devres: fix missing node debug info in devm_krealloc() Greg Kroah-Hartman
` (539 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Cole Leavitt, Kees Cook, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cole Leavitt <cole@unwrap.rs>
[ Upstream commit 2ddb69f686ef7a621645e97fc7329c50edf5d0e5 ]
In persistent_ram_iomap(), ioremap() or ioremap_wc() may return NULL on
failure. Currently, if this happens, the function returns NULL without
releasing the memory region acquired by request_mem_region().
This leads to a resource leak where the memory region remains reserved
but unusable.
Additionally, the caller persistent_ram_buffer_map() handles NULL
correctly by returning -ENOMEM, but without this check, a NULL return
combined with request_mem_region() succeeding leaves resources in an
inconsistent state.
This is the ioremap() counterpart to commit 05363abc7625 ("pstore:
ram_core: fix incorrect success return when vmap() fails") which fixed
a similar issue in the vmap() path.
Fixes: 404a6043385d ("staging: android: persistent_ram: handle reserving and mapping memory")
Signed-off-by: Cole Leavitt <cole@unwrap.rs>
Link: https://patch.msgid.link/20260225235406.11790-1-cole@unwrap.rs
Signed-off-by: Kees Cook <kees@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/pstore/ram_core.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/pstore/ram_core.c b/fs/pstore/ram_core.c
index 0e58eb7ffac84..ed86e173f8cfc 100644
--- a/fs/pstore/ram_core.c
+++ b/fs/pstore/ram_core.c
@@ -489,6 +489,10 @@ static void *persistent_ram_iomap(phys_addr_t start, size_t size,
else
va = ioremap_wc(start, size);
+ /* We must release the mem region if ioremap fails. */
+ if (!va)
+ release_mem_region(start, size);
+
/*
* Since request_mem_region() and ioremap() are byte-granularity
* there is no need handle anything special like we do when the
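Review bot: After `release_mem_region(start, size)` in the `!va` branch, control falls through into the rest of the function with va still NULL, which is correct only as long as nothing below touches va before returning it. An explicit `return NULL;` in that branch would make the failure path self-contained and robust against later additions between the mapping and the return.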
--
2.53.0
* [PATCH 6.1 437/969] devres: fix missing node debug info in devm_krealloc()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (435 preceding siblings ...)
2026-05-30 15:59 ` [PATCH 6.1 436/969] pstore/ram: fix resource leak when ioremap() fails Greg Kroah-Hartman
@ 2026-05-30 15:59 ` Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 438/969] thermal/drivers/spear: Fix error condition for reading st,thermal-flags Greg Kroah-Hartman
` (538 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Danilo Krummrich, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Danilo Krummrich <dakr@kernel.org>
[ Upstream commit f813ec9e84b4d0ca81ec1da94ab07bfb4a29266c ]
Fix missing call to set_node_dbginfo() for new devres nodes created by
devm_krealloc().
Fixes: f82485722e5d ("devres: provide devm_krealloc()")
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/20260202235210.55176-2-dakr@kernel.org
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/base/devres.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/base/devres.c b/drivers/base/devres.c
index 9d0ea5c14bc50..2b4f866a61db6 100644
--- a/drivers/base/devres.c
+++ b/drivers/base/devres.c
@@ -909,6 +909,8 @@ void *devm_krealloc(struct device *dev, void *ptr, size_t new_size, gfp_t gfp)
if (!new_dr)
return NULL;
+ set_node_dbginfo(&new_dr->node, "devm_krealloc_release", new_size);
+
/*
* The spinlock protects the linked list against concurrent
* modifications but not the resource itself.
--
2.53.0
* [PATCH 6.1 438/969] thermal/drivers/spear: Fix error condition for reading st,thermal-flags
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (436 preceding siblings ...)
2026-05-30 15:59 ` [PATCH 6.1 437/969] devres: fix missing node debug info in devm_krealloc() Greg Kroah-Hartman
@ 2026-05-30 15:59 ` Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 439/969] debugfs: check for NULL pointer in debugfs_create_str() Greg Kroah-Hartman
` (537 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gopi Krishna Menon, Daniel Lezcano,
Daniel Baluta, Lukasz Luba, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gopi Krishna Menon <krishnagopi487@gmail.com>
[ Upstream commit da2c4f332a0504d9c284e7626a561d343c8d6f57 ]
of_property_read_u32 returns 0 on success. The current check returns
-EINVAL if the property is read successfully.
Fix the check by removing ! from of_property_read_u32
Fixes: b9c7aff481f1 ("drivers/thermal/spear_thermal.c: add Device Tree probing capability")
Signed-off-by: Gopi Krishna Menon <krishnagopi487@gmail.com>
Signed-off-by: Daniel Lezcano <daniel.lezcano@kernel.org>
Suggested-by: Daniel Baluta <daniel.baluta@nxp.com>
Reviewed-by: Lukasz Luba <lukasz.luba@arm.com>
Link: https://patch.msgid.link/20260327090526.59330-1-krishnagopi487@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/thermal/spear_thermal.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/thermal/spear_thermal.c b/drivers/thermal/spear_thermal.c
index ee33ed692e4f7..42d8736d5ba49 100644
--- a/drivers/thermal/spear_thermal.c
+++ b/drivers/thermal/spear_thermal.c
@@ -94,7 +94,7 @@ static int spear_thermal_probe(struct platform_device *pdev)
struct resource *res;
int ret = 0, val;
- if (!np || !of_property_read_u32(np, "st,thermal-flags", &val)) {
+ if (!np || of_property_read_u32(np, "st,thermal-flags", &val)) {
dev_err(&pdev->dev, "Failed: DT Pdata not passed\n");
return -EINVAL;
}
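Review bot: `val` is declared as `int` in the context line `int ret = 0, val;` but its address is passed to of_property_read_u32(), which fills a u32; declare it `u32 val`. The dev_err() text "Failed: DT Pdata not passed" also covers the case where the node exists and only st,thermal-flags is missing, so naming the property in the message would save a debugging round.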
--
2.53.0
* [PATCH 6.1 439/969] debugfs: check for NULL pointer in debugfs_create_str()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (437 preceding siblings ...)
2026-05-30 15:59 ` [PATCH 6.1 438/969] thermal/drivers/spear: Fix error condition for reading st,thermal-flags Greg Kroah-Hartman
@ 2026-05-30 15:59 ` Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 440/969] irqchip/irq-pic32-evic: Address warning related to wrong printf() formatter Greg Kroah-Hartman
` (536 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, yangshiguang, Gui-Dong Han,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gui-Dong Han <hanguidong02@gmail.com>
[ Upstream commit 31de83980d3764d784f79ff1bc93c42b324f4013 ]
Passing a NULL pointer to debugfs_create_str() leads to a NULL pointer
dereference when the debugfs file is read. Following upstream
discussions, forbid the creation of debugfs string files with NULL
pointers. Add a WARN_ON() to expose offending callers and return early.
Fixes: 9af0440ec86e ("debugfs: Implement debugfs_create_str()")
Reported-by: yangshiguang <yangshiguang@xiaomi.com>
Closes: https://lore.kernel.org/lkml/2025122221-gag-malt-75ba@gregkh/
Suggested-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
Link: https://patch.msgid.link/20260323085930.88894-2-hanguidong02@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/debugfs/file.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
index b38304b444764..cda3ba59b10f6 100644
--- a/fs/debugfs/file.c
+++ b/fs/debugfs/file.c
@@ -942,7 +942,7 @@ static const struct file_operations fops_str_wo = {
* directory dentry if set. If this parameter is %NULL, then the
* file will be created in the root of the debugfs filesystem.
* @value: a pointer to the variable that the file should read to and write
- * from.
+ * from. This pointer and the string it points to must not be %NULL.
*
* This function creates a file in debugfs with the given name that
* contains the value of the variable @value. If the @mode variable is so
@@ -960,6 +960,9 @@ static const struct file_operations fops_str_wo = {
void debugfs_create_str(const char *name, umode_t mode,
struct dentry *parent, char **value)
{
+ if (WARN_ON(!value || !*value))
+ return;
+
debugfs_create_mode_unsafe(name, mode, parent, value, &fops_str,
&fops_str_ro, &fops_str_wo);
}
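Review bot: `WARN_ON(!value || !*value)` checks the string pointer only once, at creation time; if the owner later sets `*value` to NULL, a read of the file hits the same dereference the commit message describes. The kernel-doc sentence added in the first hunk should say that the string must stay non-NULL for the lifetime of the file. Since the function returns void, callers also cannot tell that the file was not created, which deserves a sentence in the kernel-doc as well.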
--
2.53.0
* [PATCH 6.1 440/969] irqchip/irq-pic32-evic: Address warning related to wrong printf() formatter
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (438 preceding siblings ...)
2026-05-30 15:59 ` [PATCH 6.1 439/969] debugfs: check for NULL pointer in debugfs_create_str() Greg Kroah-Hartman
@ 2026-05-30 15:59 ` Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 441/969] hrtimers: Update the return type of enqueue_hrtimer() Greg Kroah-Hartman
` (535 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Brian Masney, Thomas Gleixner,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Brian Masney <bmasney@redhat.com>
[ Upstream commit 86be659415b0ddefebc3120e309091aa215a9064 ]
This driver is currently only built on 32 bit MIPS systems. When building
it on x86_64, the following warning occurs:
drivers/irqchip/irq-pic32-evic.c: In function ‘pic32_ext_irq_of_init’:
./include/linux/kern_levels.h:5:25: error: format ‘%d’ expects argument of type
‘int’, but argument 2 has type ‘long unsigned int’ [-Werror=format=]
Update the printf() formatter in preparation for allowing this driver to
be compiled on all architectures.
Fixes: aaa8666ada780 ("IRQCHIP: irq-pic32-evic: Add support for PIC32 interrupt controller")
Signed-off-by: Brian Masney <bmasney@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Link: https://patch.msgid.link/20260222-irqchip-pic32-v1-1-37f50d1f14af@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/irqchip/irq-pic32-evic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/irqchip/irq-pic32-evic.c b/drivers/irqchip/irq-pic32-evic.c
index 1d9bb28d13e5d..1a72047f3aa2e 100644
--- a/drivers/irqchip/irq-pic32-evic.c
+++ b/drivers/irqchip/irq-pic32-evic.c
@@ -198,7 +198,7 @@ static void __init pic32_ext_irq_of_init(struct irq_domain *domain)
of_property_for_each_u32(node, pname, prop, p, hwirq) {
if (i >= ARRAY_SIZE(priv->ext_irqs)) {
- pr_warn("More than %d external irq, skip rest\n",
+ pr_warn("More than %zu external irq, skip rest\n",
ARRAY_SIZE(priv->ext_irqs));
break;
}
--
2.53.0
* [PATCH 6.1 441/969] hrtimers: Update the return type of enqueue_hrtimer()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (439 preceding siblings ...)
2026-05-30 15:59 ` [PATCH 6.1 440/969] irqchip/irq-pic32-evic: Address warning related to wrong printf() formatter Greg Kroah-Hartman
@ 2026-05-30 15:59 ` Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 442/969] hrtimer: Avoid pointless reprogramming in __hrtimer_start_range_ns() Greg Kroah-Hartman
` (534 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Richard Clark, Thomas Gleixner,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Richard Clark <richard.xnu.clark@gmail.com>
[ Upstream commit da7100d3bf7d6f5c49ef493ea963766898e9b069 ]
The return type should be 'bool' instead of 'int' according to the calling
context in the kernel, and its internal implementation, i.e. :
return timerqueue_add();
which is a bool-return function.
[ tglx: Adjust function arguments ]
Signed-off-by: Richard Clark <richard.xnu.clark@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/all/Z2ppT7me13dtxm1a@MBC02GN1V4Q05P
Stable-dep-of: f2e388a019e4 ("hrtimer: Reduce trace noise in hrtimer_start()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/time/hrtimer.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
index 002b29e566cb3..062dda96e2706 100644
--- a/kernel/time/hrtimer.c
+++ b/kernel/time/hrtimer.c
@@ -1096,11 +1096,10 @@ EXPORT_SYMBOL_GPL(hrtimer_forward);
* The timer is inserted in expiry order. Insertion into the
* red black tree is O(log(n)). Must hold the base lock.
*
- * Returns 1 when the new timer is the leftmost timer in the tree.
+ * Returns true when the new timer is the leftmost timer in the tree.
*/
-static int enqueue_hrtimer(struct hrtimer *timer,
- struct hrtimer_clock_base *base,
- enum hrtimer_mode mode)
+static bool enqueue_hrtimer(struct hrtimer *timer, struct hrtimer_clock_base *base,
+ enum hrtimer_mode mode)
{
debug_activate(timer, mode);
WARN_ON_ONCE(!base->cpu_base->online);
--
2.53.0
* [PATCH 6.1 442/969] hrtimer: Avoid pointless reprogramming in __hrtimer_start_range_ns()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (440 preceding siblings ...)
2026-05-30 15:59 ` [PATCH 6.1 441/969] hrtimers: Update the return type of enqueue_hrtimer() Greg Kroah-Hartman
@ 2026-05-30 15:59 ` Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 443/969] hrtimer: Reduce trace noise in hrtimer_start() Greg Kroah-Hartman
` (533 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Zijlstra (Intel),
Thomas Gleixner, Juri Lelli, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
[ Upstream commit d19ff16c11db38f3ee179d72751fb9b340174330 ]
Much like hrtimer_reprogram(), skip programming if the cpu_base is running
the hrtimer interrupt.
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Juri Lelli <juri.lelli@redhat.com>
Reviewed-by: Thomas Gleixner <tglx@kernel.org>
Link: https://patch.msgid.link/20260224163429.069535561@kernel.org
Stable-dep-of: f2e388a019e4 ("hrtimer: Reduce trace noise in hrtimer_start()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/time/hrtimer.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
index 062dda96e2706..2d8c7b735baeb 100644
--- a/kernel/time/hrtimer.c
+++ b/kernel/time/hrtimer.c
@@ -1284,6 +1284,14 @@ static int __hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim,
}
first = enqueue_hrtimer(timer, new_base, mode);
+
+ /*
+ * If the hrtimer interrupt is running, then it will reevaluate the
+ * clock bases and reprogram the clock event device.
+ */
+ if (new_base->cpu_base->in_hrtirq)
+ return false;
+
if (!force_local) {
/*
* If the current CPU base is online, then the timer is
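Review bot: The added early exit uses `return false` in a function that the hunk header still shows as `static int __hrtimer_start_range_ns(...)`, so the bool literal is silently converted to 0 here. Either return 0 or confirm that this backport series also converts the function's return type, so that the value and the declaration agree.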
--
2.53.0
* [PATCH 6.1 443/969] hrtimer: Reduce trace noise in hrtimer_start()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (441 preceding siblings ...)
2026-05-30 15:59 ` [PATCH 6.1 442/969] hrtimer: Avoid pointless reprogramming in __hrtimer_start_range_ns() Greg Kroah-Hartman
@ 2026-05-30 15:59 ` Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 444/969] locking: Fix rwlock support in <linux/spinlock_up.h> Greg Kroah-Hartman
` (532 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Gleixner,
Peter Zijlstra (Intel), Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner <tglx@kernel.org>
[ Upstream commit f2e388a019e4cf83a15883a3d1f1384298e9a6aa ]
hrtimer_start() when invoked with an already armed timer traces like:
<comm>-.. [032] d.h2. 5.002263: hrtimer_cancel: hrtimer= ....
<comm>-.. [032] d.h1. 5.002263: hrtimer_start: hrtimer= ....
Which is incorrect as the timer doesn't get canceled. Just the expiry time
changes. The internal dequeue operation which is required for that is not
really interesting for trace analysis. But it makes it tedious to keep real
cancellations and the above case apart.
Remove the cancel tracing in hrtimer_start() and add a 'was_armed'
indicator to the hrtimer start tracepoint, which clearly indicates what the
state of the hrtimer is when hrtimer_start() is invoked:
<comm>-.. [032] d.h1. 6.200103: hrtimer_start: hrtimer= .... was_armed=0
<comm>-.. [032] d.h1. 6.200558: hrtimer_start: hrtimer= .... was_armed=1
Fixes: c6a2a1770245 ("hrtimer: Add tracepoint for hrtimers")
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://patch.msgid.link/20260224163430.208491877@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/trace/events/timer.h | 11 +++++----
kernel/time/hrtimer.c | 43 +++++++++++++++++-------------------
2 files changed, 27 insertions(+), 27 deletions(-)
diff --git a/include/trace/events/timer.h b/include/trace/events/timer.h
index b4bc2828fa09f..ec8d0de1ad225 100644
--- a/include/trace/events/timer.h
+++ b/include/trace/events/timer.h
@@ -198,12 +198,13 @@ TRACE_EVENT(hrtimer_init,
* hrtimer_start - called when the hrtimer is started
* @hrtimer: pointer to struct hrtimer
* @mode: the hrtimers mode
+ * @was_armed: Was armed when hrtimer_start*() was invoked
*/
TRACE_EVENT(hrtimer_start,
- TP_PROTO(struct hrtimer *hrtimer, enum hrtimer_mode mode),
+ TP_PROTO(struct hrtimer *hrtimer, enum hrtimer_mode mode, bool was_armed),
- TP_ARGS(hrtimer, mode),
+ TP_ARGS(hrtimer, mode, was_armed),
TP_STRUCT__entry(
__field( void *, hrtimer )
@@ -211,6 +212,7 @@ TRACE_EVENT(hrtimer_start,
__field( s64, expires )
__field( s64, softexpires )
__field( enum hrtimer_mode, mode )
+ __field( bool, was_armed )
),
TP_fast_assign(
@@ -219,13 +221,14 @@ TRACE_EVENT(hrtimer_start,
__entry->expires = hrtimer_get_expires(hrtimer);
__entry->softexpires = hrtimer_get_softexpires(hrtimer);
__entry->mode = mode;
+ __entry->was_armed = was_armed;
),
TP_printk("hrtimer=%p function=%ps expires=%llu softexpires=%llu "
- "mode=%s", __entry->hrtimer, __entry->function,
+ "mode=%s was_armed=%d", __entry->hrtimer, __entry->function,
(unsigned long long) __entry->expires,
(unsigned long long) __entry->softexpires,
- decode_hrtimer_mode(__entry->mode))
+ decode_hrtimer_mode(__entry->mode), __entry->was_armed)
);
/**
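Review bot: The `TP_printk()` format string now ends in `was_armed=%d`, which changes the text of every `hrtimer_start` line and adds a field to the event record on a stable kernel. Together with the removal of the `hrtimer_cancel` event from the start path, scripts that parse `hrtimer_start` or pair it with a preceding `hrtimer_cancel` will see different output after this backport. It is worth confirming that a trace format change of this kind is acceptable for 6.1.y, or noting it for users of the tracepoint.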
diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
index 2d8c7b735baeb..d56e18b133741 100644
--- a/kernel/time/hrtimer.c
+++ b/kernel/time/hrtimer.c
@@ -497,17 +497,10 @@ debug_init(struct hrtimer *timer, clockid_t clockid,
trace_hrtimer_init(timer, clockid, mode);
}
-static inline void debug_activate(struct hrtimer *timer,
- enum hrtimer_mode mode)
+static inline void debug_activate(struct hrtimer *timer, enum hrtimer_mode mode, bool was_armed)
{
debug_hrtimer_activate(timer, mode);
- trace_hrtimer_start(timer, mode);
-}
-
-static inline void debug_deactivate(struct hrtimer *timer)
-{
- debug_hrtimer_deactivate(timer);
- trace_hrtimer_cancel(timer);
+ trace_hrtimer_start(timer, mode, was_armed);
}
static struct hrtimer_clock_base *
@@ -1099,9 +1092,9 @@ EXPORT_SYMBOL_GPL(hrtimer_forward);
* Returns true when the new timer is the leftmost timer in the tree.
*/
static bool enqueue_hrtimer(struct hrtimer *timer, struct hrtimer_clock_base *base,
- enum hrtimer_mode mode)
+ enum hrtimer_mode mode, bool was_armed)
{
- debug_activate(timer, mode);
+ debug_activate(timer, mode, was_armed);
WARN_ON_ONCE(!base->cpu_base->online);
base->cpu_base->active_bases |= 1 << base->index;
@@ -1161,6 +1154,8 @@ remove_hrtimer(struct hrtimer *timer, struct hrtimer_clock_base *base,
if (state & HRTIMER_STATE_ENQUEUED) {
bool reprogram;
+ debug_hrtimer_deactivate(timer);
+
/*
* Remove the timer and force reprogramming when high
* resolution mode is active and the timer is on the current
@@ -1169,7 +1164,6 @@ remove_hrtimer(struct hrtimer *timer, struct hrtimer_clock_base *base,
* reprogramming happens in the interrupt handler. This is a
* rare case and less expensive than a smp call.
*/
- debug_deactivate(timer);
reprogram = base->cpu_base == this_cpu_ptr(&hrtimer_bases);
/*
@@ -1236,15 +1230,15 @@ static int __hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim,
{
struct hrtimer_cpu_base *this_cpu_base = this_cpu_ptr(&hrtimer_bases);
struct hrtimer_clock_base *new_base;
- bool force_local, first;
+ bool force_local, first, was_armed;
/*
* If the timer is on the local cpu base and is the first expiring
* timer then this might end up reprogramming the hardware twice
- * (on removal and on enqueue). To avoid that by prevent the
- * reprogram on removal, keep the timer local to the current CPU
- * and enforce reprogramming after it is queued no matter whether
- * it is the new first expiring timer again or not.
+ * (on removal and on enqueue). To avoid that prevent the reprogram
+ * on removal, keep the timer local to the current CPU and enforce
+ * reprogramming after it is queued no matter whether it is the new
+ * first expiring timer again or not.
*/
force_local = base->cpu_base == this_cpu_base;
force_local &= base->cpu_base->next_timer == timer;
@@ -1266,7 +1260,7 @@ static int __hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim,
* avoids programming the underlying clock event twice (once at
* removal and once after enqueue).
*/
- remove_hrtimer(timer, base, true, force_local);
+ was_armed = remove_hrtimer(timer, base, true, force_local);
if (mode & HRTIMER_MODE_REL)
tim = ktime_add_safe(tim, base->get_time());
@@ -1283,7 +1277,7 @@ static int __hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim,
new_base = base;
}
- first = enqueue_hrtimer(timer, new_base, mode);
+ first = enqueue_hrtimer(timer, new_base, mode, was_armed);
/*
* If the hrtimer interrupt is running, then it will reevaluate the
@@ -1387,8 +1381,11 @@ int hrtimer_try_to_cancel(struct hrtimer *timer)
base = lock_hrtimer_base(timer, &flags);
- if (!hrtimer_callback_running(timer))
+ if (!hrtimer_callback_running(timer)) {
ret = remove_hrtimer(timer, base, false, false);
+ if (ret)
+ trace_hrtimer_cancel(timer);
+ }
unlock_hrtimer_base(timer, &flags);
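Review bot: After this hunk `trace_hrtimer_cancel()` is emitted only in `hrtimer_try_to_cancel()`, and only when `remove_hrtimer()` returns nonzero, so the patch relies on this being the single real cancel path. Since `debug_deactivate()` is removed earlier in the same diff, please check the 6.1 tree for any caller of `remove_hrtimer()` or `debug_deactivate()` that is not touched here, because such a path would now lose its cancel event or fail to build.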
@@ -1768,7 +1765,7 @@ static void __run_hrtimer(struct hrtimer_cpu_base *cpu_base,
*/
if (restart != HRTIMER_NORESTART &&
!(timer->state & HRTIMER_STATE_ENQUEUED))
- enqueue_hrtimer(timer, base, HRTIMER_MODE_ABS);
+ enqueue_hrtimer(timer, base, HRTIMER_MODE_ABS, false);
/*
* Separate the ->running assignment from the ->state assignment.
@@ -2250,7 +2247,7 @@ static void migrate_hrtimer_list(struct hrtimer_clock_base *old_base,
while ((node = timerqueue_getnext(&old_base->active))) {
timer = container_of(node, struct hrtimer, node);
BUG_ON(hrtimer_callback_running(timer));
- debug_deactivate(timer);
+ debug_hrtimer_deactivate(timer);
/*
* Mark it as ENQUEUED not INACTIVE otherwise the
@@ -2267,7 +2264,7 @@ static void migrate_hrtimer_list(struct hrtimer_clock_base *old_base,
* sort out already expired timers and reprogram the
* event device.
*/
- enqueue_hrtimer(timer, new_base, HRTIMER_MODE_ABS);
+ enqueue_hrtimer(timer, new_base, HRTIMER_MODE_ABS, true);
}
}
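Review bot: `enqueue_hrtimer(timer, new_base, HRTIMER_MODE_ABS, true)` hard-codes `was_armed` as true with no explanation, while `__run_hrtimer()` passes false in the hunk above. After this change a migrated timer shows up in the trace as `hrtimer_start ... was_armed=1` with no cancel event, so a one-line comment saying that the timer is still armed and is only moved between bases would make the constant self-explanatory.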
--
2.53.0
* [PATCH 6.1 444/969] locking: Fix rwlock support in <linux/spinlock_up.h>
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (442 preceding siblings ...)
2026-05-30 15:59 ` [PATCH 6.1 443/969] hrtimer: Reduce trace noise in hrtimer_start() Greg Kroah-Hartman
@ 2026-05-30 15:59 ` Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 445/969] firmware: dmi: Correct an indexing error in dmi.h Greg Kroah-Hartman
` (531 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bart Van Assche,
Peter Zijlstra (Intel), Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bart Van Assche <bvanassche@acm.org>
[ Upstream commit 756a0e011cfca0b45a48464aa25b05d9a9c2fb0b ]
Architecture support for rwlocks must be available whether or not
CONFIG_DEBUG_SPINLOCK has been defined. Move the definitions of the
arch_{read,write}_{lock,trylock,unlock}() macros such that these become
visible if CONFIG_DEBUG_SPINLOCK=n.
This patch prepares for converting do_raw_{read,write}_trylock() into
inline functions. Without this patch that conversion triggers a build
failure for UP architectures, e.g. arm-ep93xx. I used the following
kernel configuration to build the kernel for that architecture:
CONFIG_ARCH_MULTIPLATFORM=y
CONFIG_ARCH_MULTI_V7=n
CONFIG_ATAGS=y
CONFIG_MMU=y
CONFIG_ARCH_MULTI_V4T=y
CONFIG_CPU_LITTLE_ENDIAN=y
CONFIG_ARCH_EP93XX=y
Fixes: fb1c8f93d869 ("[PATCH] spinlock consolidation")
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://patch.msgid.link/20260313171510.230998-2-bvanassche@acm.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/spinlock_up.h | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/include/linux/spinlock_up.h b/include/linux/spinlock_up.h
index c87204247592f..a132fc562297a 100644
--- a/include/linux/spinlock_up.h
+++ b/include/linux/spinlock_up.h
@@ -48,16 +48,6 @@ static inline void arch_spin_unlock(arch_spinlock_t *lock)
lock->slock = 1;
}
-/*
- * Read-write spinlocks. No debug version.
- */
-#define arch_read_lock(lock) do { barrier(); (void)(lock); } while (0)
-#define arch_write_lock(lock) do { barrier(); (void)(lock); } while (0)
-#define arch_read_trylock(lock) ({ barrier(); (void)(lock); 1; })
-#define arch_write_trylock(lock) ({ barrier(); (void)(lock); 1; })
-#define arch_read_unlock(lock) do { barrier(); (void)(lock); } while (0)
-#define arch_write_unlock(lock) do { barrier(); (void)(lock); } while (0)
-
#else /* DEBUG_SPINLOCK */
#define arch_spin_is_locked(lock) ((void)(lock), 0)
/* for sched/core.c and kernel_lock.c: */
@@ -68,4 +58,14 @@ static inline void arch_spin_unlock(arch_spinlock_t *lock)
#define arch_spin_is_contended(lock) (((void)(lock), 0))
+/*
+ * Read-write spinlocks. No debug version.
+ */
+#define arch_read_lock(lock) do { barrier(); (void)(lock); } while (0)
+#define arch_write_lock(lock) do { barrier(); (void)(lock); } while (0)
+#define arch_read_trylock(lock) ({ barrier(); (void)(lock); 1; })
+#define arch_write_trylock(lock) ({ barrier(); (void)(lock); 1; })
+#define arch_read_unlock(lock) do { barrier(); (void)(lock); } while (0)
+#define arch_write_unlock(lock) do { barrier(); (void)(lock); } while (0)
+
#endif /* __LINUX_SPINLOCK_UP_H */
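Review bot: The moved block keeps the comment "Read-write spinlocks. No debug version.", which does not say why the macros now sit at the end of the header. The point of the move is that they must be defined for both settings of CONFIG_DEBUG_SPINLOCK, so the comment should state that the definitions are shared by the debug and non-debug builds; otherwise a later cleanup could move them back under the conditional.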
--
2.53.0
* [PATCH 6.1 445/969] firmware: dmi: Correct an indexing error in dmi.h
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (443 preceding siblings ...)
2026-05-30 15:59 ` [PATCH 6.1 444/969] locking: Fix rwlock support in <linux/spinlock_up.h> Greg Kroah-Hartman
@ 2026-05-30 15:59 ` Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 446/969] wifi: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt() Greg Kroah-Hartman
` (530 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Limonciello (AMD),
Borislav Petkov (AMD), Jean Delvare, Yazen Ghannam, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello (AMD) <superm1@kernel.org>
[ Upstream commit c064abc68e009d2cc18416e7132d9c25e03125b6 ]
The entries later in enum dmi_entry_type don't match the SMBIOS
specification¹.
The entry for type 33: `64-Bit Memory Error Information` is not present and
thus the index for all later entries is incorrect.
Add it.
Also, add missing entry types 43-46, while at it.
¹ Search for "System Management BIOS (SMBIOS) Reference Specification"
[ bp: Drop the flaky SMBIOS spec URL. ]
Fixes: 93c890dbe5287 ("firmware: Add DMI entry types to the headers")
Signed-off-by: Mario Limonciello (AMD) <superm1@kernel.org>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: Jean Delvare <jdelvare@suse.de>
Reviewed-by: Yazen Ghannam <yazen.ghannam@amd.com>
Link: https://patch.msgid.link/20260307141024.819807-2-superm1@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/dmi.h | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/include/linux/dmi.h b/include/linux/dmi.h
index 927f8a8b7a1dd..2eedf44e68012 100644
--- a/include/linux/dmi.h
+++ b/include/linux/dmi.h
@@ -60,6 +60,7 @@ enum dmi_entry_type {
DMI_ENTRY_OOB_REMOTE_ACCESS,
DMI_ENTRY_BIS_ENTRY,
DMI_ENTRY_SYSTEM_BOOT,
+ DMI_ENTRY_64_MEM_ERROR,
DMI_ENTRY_MGMT_DEV,
DMI_ENTRY_MGMT_DEV_COMPONENT,
DMI_ENTRY_MGMT_DEV_THRES,
@@ -69,6 +70,10 @@ enum dmi_entry_type {
DMI_ENTRY_ADDITIONAL,
DMI_ENTRY_ONBOARD_DEV_EXT,
DMI_ENTRY_MGMT_CONTROLLER_HOST,
+ DMI_ENTRY_TPM_DEVICE,
+ DMI_ENTRY_PROCESSOR_ADDITIONAL,
+ DMI_ENTRY_FIRMWARE_INVENTORY,
+ DMI_ENTRY_STRING_PROPERTY,
DMI_ENTRY_INACTIVE = 126,
DMI_ENTRY_END_OF_TABLE = 127,
};
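Review bot: The four new enumerators are meant to be types 43 to 46 according to the commit message, but nothing in the hunk pins that. A `static_assert(DMI_ENTRY_STRING_PROPERTY == 46);` after the enum would fail the build if an entry is later added or dropped above them.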
--
2.53.0
* [PATCH 6.1 446/969] wifi: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (444 preceding siblings ...)
2026-05-30 15:59 ` [PATCH 6.1 445/969] firmware: dmi: Correct an indexing error in dmi.h Greg Kroah-Hartman
@ 2026-05-30 15:59 ` Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 447/969] wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet Greg Kroah-Hartman
` (529 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zilin Guan, Jeff Chen, Johannes Berg,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zilin Guan <zilin@seu.edu.cn>
[ Upstream commit 990a73dec3fdc145fef6c827c29205437d533ece ]
In mwifiex_11n_aggregate_pkt(), skb_aggr is allocated via
mwifiex_alloc_dma_align_buf(). If mwifiex_is_ralist_valid() returns false,
the function currently returns -1 immediately without freeing the
previously allocated skb_aggr, causing a memory leak.
Since skb_aggr has not yet been queued via skb_queue_tail(), no other
references to this memory exist. Therefore, it has to be freed locally
before returning the error.
Fix this by calling mwifiex_write_data_complete() to free skb_aggr before
returning the error status.
Compile tested only. Issue found using a prototype static analysis tool
and code review.
Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Reviewed-by: Jeff Chen <jeff.chen_1@nxp.com>
Link: https://patch.msgid.link/20260119092625.1349934-1-zilin@seu.edu.cn
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/marvell/mwifiex/11n_aggr.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireless/marvell/mwifiex/11n_aggr.c b/drivers/net/wireless/marvell/mwifiex/11n_aggr.c
index 34b4b34276d6d..042b1fe5f0d67 100644
--- a/drivers/net/wireless/marvell/mwifiex/11n_aggr.c
+++ b/drivers/net/wireless/marvell/mwifiex/11n_aggr.c
@@ -203,6 +203,7 @@ mwifiex_11n_aggregate_pkt(struct mwifiex_private *priv,
if (!mwifiex_is_ralist_valid(priv, pra_list, ptrindex)) {
spin_unlock_bh(&priv->wmm.ra_list_spinlock);
+ mwifiex_write_data_complete(adapter, skb_aggr, 1, -1);
return -1;
}
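Review bot: `mwifiex_write_data_complete(adapter, skb_aggr, 1, -1)` is added on the error path after `spin_unlock_bh()`, which is the right side of the lock, but the hunk does not show whether `skb_aggr` has had its tx info set up by this point, and the commit message says the change was compile tested only. Please confirm that the completion helper is safe on an aggregate buffer that was never queued; if it is not, `dev_kfree_skb_any(skb_aggr)` would free the buffer without touching that state.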
--
2.53.0
* [PATCH 6.1 447/969] wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (445 preceding siblings ...)
2026-05-30 15:59 ` [PATCH 6.1 446/969] wifi: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt() Greg Kroah-Hartman
@ 2026-05-30 15:59 ` Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 448/969] bpf: Add CHECKSUM_COMPLETE to bpf test progs Greg Kroah-Hartman
` (528 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Duoming Zhou, Ping-Ke Shih,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Duoming Zhou <duoming@zju.edu.cn>
[ Upstream commit 039cd522dc70151da13329a5e3ae19b1736f468a ]
The irq_prepare_bcn_tasklet is initialized in rtl_pci_init() and
scheduled when RTL_IMR_BCNINT interrupt is triggered by hardware.
But it is never killed in rtl_pci_deinit(). When the rtlwifi card
probe fails or is being detached, the ieee80211_hw is deallocated.
However, irq_prepare_bcn_tasklet may still be running or pending,
leading to use-after-free when the freed ieee80211_hw is accessed
in _rtl_pci_prepare_bcn_tasklet().
Similar to irq_tasklet, add tasklet_kill() in rtl_pci_deinit() to
ensure that irq_prepare_bcn_tasklet is properly terminated before
the ieee80211_hw is released.
The issue was identified through static analysis.
Fixes: 0c8173385e54 ("rtl8192ce: Add new driver")
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260223045522.48377-1-duoming@zju.edu.cn
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtlwifi/pci.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c
index 4029e4e590fa6..ba2277cfbe3dc 100644
--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
+++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
@@ -1675,6 +1675,7 @@ static void rtl_pci_deinit(struct ieee80211_hw *hw)
synchronize_irq(rtlpci->pdev->irq);
tasklet_kill(&rtlpriv->works.irq_tasklet);
+ tasklet_kill(&rtlpriv->works.irq_prepare_bcn_tasklet);
cancel_work_sync(&rtlpriv->works.lps_change_work);
}
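Review bot: `tasklet_kill(&rtlpriv->works.irq_prepare_bcn_tasklet)` only closes the window if nothing can schedule the tasklet again afterwards, and the visible context shows just `synchronize_irq()`, which waits for running handlers but does not mask the interrupt. Please confirm that the device interrupt (the commit message names RTL_IMR_BCNINT as the trigger) is disabled before `rtl_pci_deinit()` reaches this point; otherwise the tasklet can be rescheduled between this call and the release of `ieee80211_hw`.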
--
2.53.0
* [PATCH 6.1 448/969] bpf: Add CHECKSUM_COMPLETE to bpf test progs
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (446 preceding siblings ...)
2026-05-30 15:59 ` [PATCH 6.1 447/969] wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet Greg Kroah-Hartman
@ 2026-05-30 15:59 ` Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 449/969] bpf: test_run: Fix the null pointer dereference issue in bpf_lwt_xmit_push_encap Greg Kroah-Hartman
` (527 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vadim Fedorenko, Daniel Borkmann,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vadim Fedorenko <vadfed@meta.com>
[ Upstream commit a3cfe84cca28f205761a0450016593b0d728165e ]
Add special flag to validate that TC BPF program properly updates
checksum information in skb.
Signed-off-by: Vadim Fedorenko <vadfed@meta.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Jakub Kicinski <kuba@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20240606145851.229116-1-vadfed@meta.com
Stable-dep-of: 972787479ee7 ("bpf: test_run: Fix the null pointer dereference issue in bpf_lwt_xmit_push_encap")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/uapi/linux/bpf.h | 2 ++
net/bpf/test_run.c | 28 +++++++++++++++++++++++++++-
tools/include/uapi/linux/bpf.h | 2 ++
3 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index 216d1f0009791..600b10c50fdd9 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -1286,6 +1286,8 @@ enum {
#define BPF_F_TEST_RUN_ON_CPU (1U << 0)
/* If set, XDP frames will be transmitted after processing */
#define BPF_F_TEST_XDP_LIVE_FRAMES (1U << 1)
+/* If set, apply CHECKSUM_COMPLETE to skb and validate the checksum */
+#define BPF_F_TEST_SKB_CHECKSUM_COMPLETE (1U << 2)
/* type for BPF_ENABLE_STATS */
enum bpf_stats_type {
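Review bot: The one-line comment on `BPF_F_TEST_SKB_CHECKSUM_COMPLETE` does not say what happens when validation fails or where the flag is accepted. Since this is UAPI, it should state that a mismatch makes the test run return `-EBADMSG` and that the flag is honoured only by the skb test-run path changed in `net/bpf/test_run.c`.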
diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
index 9cbdfb9fd6743..2b8daf1cb6885 100644
--- a/net/bpf/test_run.c
+++ b/net/bpf/test_run.c
@@ -1099,7 +1099,8 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
void *data;
int ret;
- if (kattr->test.flags || kattr->test.cpu || kattr->test.batch_size)
+ if ((kattr->test.flags & ~BPF_F_TEST_SKB_CHECKSUM_COMPLETE) ||
+ kattr->test.cpu || kattr->test.batch_size)
return -EINVAL;
if (size < ETH_HLEN)
@@ -1150,6 +1151,7 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
skb_reserve(skb, NET_SKB_PAD + NET_IP_ALIGN);
__skb_put(skb, size);
+
if (ctx && ctx->ifindex > 1) {
dev = dev_get_by_index(net, ctx->ifindex);
if (!dev) {
@@ -1185,9 +1187,19 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
__skb_push(skb, hh_len);
if (is_direct_pkt_access)
bpf_compute_data_pointers(skb);
+
ret = convert___skb_to_skb(skb, ctx);
if (ret)
goto out;
+
+ if (kattr->test.flags & BPF_F_TEST_SKB_CHECKSUM_COMPLETE) {
+ const int off = skb_network_offset(skb);
+ int len = skb->len - off;
+
+ skb->csum = skb_checksum(skb, off, len, 0);
+ skb->ip_summed = CHECKSUM_COMPLETE;
+ }
+
ret = bpf_test_run(prog, skb, repeat, &retval, &duration, false);
if (ret)
goto out;
@@ -1202,6 +1214,20 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
}
memset(__skb_push(skb, hh_len), 0, hh_len);
}
+
+ if (kattr->test.flags & BPF_F_TEST_SKB_CHECKSUM_COMPLETE) {
+ const int off = skb_network_offset(skb);
+ int len = skb->len - off;
+ __wsum csum;
+
+ csum = skb_checksum(skb, off, len, 0);
+
+ if (csum_fold(skb->csum) != csum_fold(csum)) {
+ ret = -EBADMSG;
+ goto out;
+ }
+ }
+
convert_skb_to___skb(skb, ctx);
size = skb->len;
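Review bot: The post-run check compares `csum_fold(skb->csum)` with a recomputed checksum whenever the flag is set, without testing that `skb->ip_summed` is still `CHECKSUM_COMPLETE`. If the program leaves the skb in another checksum state, `skb->csum` is no longer a full-packet sum and the test run can report `-EBADMSG` for a program that behaved correctly. Consider guarding the comparison with `skb->ip_summed == CHECKSUM_COMPLETE`, or document that changing the checksum state counts as a failure.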
diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
index 39818b6e0293c..cbdc5299f6bf7 100644
--- a/tools/include/uapi/linux/bpf.h
+++ b/tools/include/uapi/linux/bpf.h
@@ -1286,6 +1286,8 @@ enum {
#define BPF_F_TEST_RUN_ON_CPU (1U << 0)
/* If set, XDP frames will be transmitted after processing */
#define BPF_F_TEST_XDP_LIVE_FRAMES (1U << 1)
+/* If set, apply CHECKSUM_COMPLETE to skb and validate the checksum */
+#define BPF_F_TEST_SKB_CHECKSUM_COMPLETE (1U << 2)
/* type for BPF_ENABLE_STATS */
enum bpf_stats_type {
--
2.53.0
* [PATCH 6.1 449/969] bpf: test_run: Fix the null pointer dereference issue in bpf_lwt_xmit_push_encap
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (447 preceding siblings ...)
2026-05-30 15:59 ` [PATCH 6.1 448/969] bpf: Add CHECKSUM_COMPLETE to bpf test progs Greg Kroah-Hartman
@ 2026-05-30 15:59 ` Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 450/969] dpaa2: add independent dependencies for FSL_DPAA2_SWITCH Greg Kroah-Hartman
` (526 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yinhao Hu, Kaiyan Mei, Yun Lu,
Feng Yang, Martin KaFai Lau, syzbot, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Feng Yang <yangfeng@kylinos.cn>
[ Upstream commit 972787479ee73006fddb5e59ab5c8e733810ff42 ]
The bpf_lwt_xmit_push_encap helper needs to access skb_dst(skb)->dev to
calculate the needed headroom:
err = skb_cow_head(skb,
len + LL_RESERVED_SPACE(skb_dst(skb)->dev));
But skb->_skb_refdst may not be initialized when the skb is set up by
bpf_prog_test_run_skb function. Executing bpf_lwt_push_ip_encap function
in this scenario will trigger null pointer dereference, causing a kernel
crash as Yinhao reported:
[ 105.186365] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 105.186382] #PF: supervisor read access in kernel mode
[ 105.186388] #PF: error_code(0x0000) - not-present page
[ 105.186393] PGD 121d3d067 P4D 121d3d067 PUD 106c83067 PMD 0
[ 105.186404] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ 105.186412] CPU: 3 PID: 3250 Comm: poc Kdump: loaded Not tainted 6.19.0-rc5 #1
[ 105.186423] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 105.186427] RIP: 0010:bpf_lwt_push_ip_encap+0x1eb/0x520
[ 105.186443] Code: 0f 84 de 01 00 00 0f b7 4a 04 66 85 c9 0f 85 47 01 00 00 31 c0 5b 5d 41 5c 41 5d 41 5e c3 cc cc cc cc 48 8b 73 58 48 83 e6 fe <48> 8b 36 0f b7 be ec 00 00 00 0f b7 b6 e6 00 00 00 01 fe 83 e6 f0
[ 105.186449] RSP: 0018:ffffbb0e0387bc50 EFLAGS: 00010246
[ 105.186455] RAX: 000000000000004e RBX: ffff94c74e036500 RCX: ffff94c74874da00
[ 105.186460] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff94c74e036500
[ 105.186463] RBP: 0000000000000001 R08: 0000000000000002 R09: 0000000000000000
[ 105.186467] R10: ffffbb0e0387bd50 R11: 0000000000000000 R12: ffffbb0e0387bc98
[ 105.186471] R13: 0000000000000014 R14: 0000000000000000 R15: 0000000000000002
[ 105.186484] FS: 00007f166aa4d680(0000) GS:ffff94c8b7780000(0000) knlGS:0000000000000000
[ 105.186490] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 105.186494] CR2: 0000000000000000 CR3: 000000015eade001 CR4: 0000000000770ee0
[ 105.186499] PKRU: 55555554
[ 105.186502] Call Trace:
[ 105.186507] <TASK>
[ 105.186513] bpf_lwt_xmit_push_encap+0x2b/0x40
[ 105.186522] bpf_prog_a75eaad51e517912+0x41/0x49
[ 105.186536] ? kvm_clock_get_cycles+0x18/0x30
[ 105.186547] ? ktime_get+0x3c/0xa0
[ 105.186554] bpf_test_run+0x195/0x320
[ 105.186563] ? bpf_test_run+0x10f/0x320
[ 105.186579] bpf_prog_test_run_skb+0x2f5/0x4f0
[ 105.186590] __sys_bpf+0x69c/0xa40
[ 105.186603] __x64_sys_bpf+0x1e/0x30
[ 105.186611] do_syscall_64+0x59/0x110
[ 105.186620] entry_SYSCALL_64_after_hwframe+0x76/0xe0
[ 105.186649] RIP: 0033:0x7f166a97455d
Temporarily add the setting of skb->_skb_refdst before bpf_test_run to resolve the issue.
Fixes: 52f278774e79 ("bpf: implement BPF_LWT_ENCAP_IP mode in bpf_lwt_push_encap")
Reported-by: Yinhao Hu <dddddd@hust.edu.cn>
Reported-by: Kaiyan Mei <M202472210@hust.edu.cn>
Closes: https://groups.google.com/g/hust-os-kernel-patches/c/8-a0kPpBW2s
Signed-off-by: Yun Lu <luyun@kylinos.cn>
Signed-off-by: Feng Yang <yangfeng@kylinos.cn>
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Tested-by: syzbot@syzkaller.appspotmail.com
Link: https://patch.msgid.link/20260304094429.168521-2-yangfeng59949@163.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bpf/test_run.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
index 2b8daf1cb6885..51259647c65fb 100644
--- a/net/bpf/test_run.c
+++ b/net/bpf/test_run.c
@@ -1200,6 +1200,21 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
skb->ip_summed = CHECKSUM_COMPLETE;
}
+ if (prog->type == BPF_PROG_TYPE_LWT_XMIT) {
+ if (!ipv6_bpf_stub) {
+ pr_warn_once("Please test this program with the IPv6 module loaded\n");
+ ret = -EOPNOTSUPP;
+ goto out;
+ }
+#if IS_ENABLED(CONFIG_IPV6)
+ /* For CONFIG_IPV6=n, ipv6_bpf_stub is NULL which is
+ * handled by the above if statement.
+ */
+ dst_hold(&net->ipv6.ip6_null_entry->dst);
+ skb_dst_set(skb, &net->ipv6.ip6_null_entry->dst);
+#endif
+ }
+
ret = bpf_test_run(prog, skb, repeat, &retval, &duration, false);
if (ret)
goto out;
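Review bot: With CONFIG_IPV6=n the in-hunk comment says `ipv6_bpf_stub` is NULL, so every `BPF_PROG_TYPE_LWT_XMIT` test run now fails with `-EOPNOTSUPP`, and the `pr_warn_once()` text asks for the IPv6 module to be loaded, which cannot help on such a build. Either word the message for both cases or state the restriction in the commit message. The hunk also takes a reference with `dst_hold()` before `skb_dst_set()`; please confirm that every exit through `out` drops it, since the release is not visible here.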
--
2.53.0
* [PATCH 6.1 450/969] dpaa2: add independent dependencies for FSL_DPAA2_SWITCH
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (448 preceding siblings ...)
2026-05-30 15:59 ` [PATCH 6.1 449/969] bpf: test_run: Fix the null pointer dereference issue in bpf_lwt_xmit_push_encap Greg Kroah-Hartman
@ 2026-05-30 15:59 ` Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 451/969] dpaa2: compile dpaa2 even CONFIG_FSL_DPAA2_ETH=n Greg Kroah-Hartman
` (525 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ioana Ciornei, Cai Xinchen,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cai Xinchen <caixinchen1@huawei.com>
[ Upstream commit 12589892f41c4c645c80ef9f036f7451a6045624 ]
Since the commit 84cba72956fd ("dpaa2-switch: integrate
the MAC endpoint support") included dpaa2-mac.o in the driver,
but it didn't select PCS_LYNX, PHYLINK and FSL_XGMAC_MDIO. It
will lead to link error, such as
undefined reference to `phylink_ethtool_ksettings_set'
undefined reference to `lynx_pcs_create_fwnode'
And the same reason as the commit d2624e70a2f53 ("dpaa2-eth: select
XGMAC_MDIO for MDIO bus support"), enable the FSL_XGMAC_MDIO Kconfig
option in order to have MDIO access to internal and external PHYs.
Because dpaa2-switch uses fsl_mc_driver APIs, add depends on FSL_MC_BUS
&& FSL_MC_DPIO as FSL_DPAA2_SWITCH do.
FSL_XGMAC_MDIO and FSL_MC_BUS depend on OF, thus the dependence of
FSL_MC_BUS can satisfy FSL_XGMAC_MDIO's OF requirement.
Fixes: 84cba72956fd ("dpaa2-switch: integrate the MAC endpoint support")
Suggested-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Signed-off-by: Cai Xinchen <caixinchen1@huawei.com>
Link: https://patch.msgid.link/20260312065907.476663-2-caixinchen1@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/freescale/dpaa2/Kconfig | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/ethernet/freescale/dpaa2/Kconfig b/drivers/net/ethernet/freescale/dpaa2/Kconfig
index d029b69c3f183..36280e5d99e1f 100644
--- a/drivers/net/ethernet/freescale/dpaa2/Kconfig
+++ b/drivers/net/ethernet/freescale/dpaa2/Kconfig
@@ -34,6 +34,10 @@ config FSL_DPAA2_SWITCH
tristate "Freescale DPAA2 Ethernet Switch"
depends on BRIDGE || BRIDGE=n
depends on NET_SWITCHDEV
+ depends on FSL_MC_BUS && FSL_MC_DPIO
+ select PHYLINK
+ select PCS_LYNX
+ select FSL_XGMAC_MDIO
help
Driver for Freescale DPAA2 Ethernet Switch. This driver manages
switch objects discovered on the Freeescale MC bus.
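Review bot: the three added "select" lines under config FSL_DPAA2_SWITCH force PHYLINK, PCS_LYNX and FSL_XGMAC_MDIO on without evaluating those symbols' own dependencies, so the configuration only stays consistent because "depends on FSL_MC_BUS && FSL_MC_DPIO" is added alongside them. The changelog explains that FSL_MC_BUS is what satisfies the OF requirement of FSL_XGMAC_MDIO; a one-line comment next to the "depends on" saying so would keep a later cleanup from dropping it. The help text in the trailing context also still reads "Freeescale".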
--
2.53.0
* [PATCH 6.1 451/969] dpaa2: compile dpaa2 even CONFIG_FSL_DPAA2_ETH=n
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ioana Ciornei, Cai Xinchen,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cai Xinchen <caixinchen1@huawei.com>
[ Upstream commit 97daf00745f7f9f261b0e91418de6e79d7826c36 ]
CONFIG_FSL_DPAA2_ETH and CONFIG_FSL_DPAA2_SWITCH are not
associated, but the compilation of FSL_DPAA2_SWITCH depends on
the compilation of the dpaa2 folder. The files controlled by
CONFIG_FSL_DPAA2_SWITCH in the dpaa2 folder are not controlled
by CONFIG_FSL_DPAA2_ETH, except for the files controlled by
CONFIG_FSL_DPAA2_SWITCH. Therefore, removing the restriction will
not affect the compilation of the files in the directory.
Fixes: f48298d3fbfaa ("staging: dpaa2-switch: move the driver out of staging")
Suggested-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Signed-off-by: Cai Xinchen <caixinchen1@huawei.com>
Link: https://patch.msgid.link/20260312065907.476663-3-caixinchen1@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/freescale/Makefile | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/freescale/Makefile b/drivers/net/ethernet/freescale/Makefile
index de7b318422330..d0a259e47960f 100644
--- a/drivers/net/ethernet/freescale/Makefile
+++ b/drivers/net/ethernet/freescale/Makefile
@@ -22,6 +22,5 @@ ucc_geth_driver-objs := ucc_geth.o ucc_geth_ethtool.o
obj-$(CONFIG_FSL_FMAN) += fman/
obj-$(CONFIG_FSL_DPAA_ETH) += dpaa/
-obj-$(CONFIG_FSL_DPAA2_ETH) += dpaa2/
-
+obj-y += dpaa2/
obj-y += enetc/
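Review bot: with "obj-y += dpaa2/" kbuild descends into dpaa2/ unconditionally, so correctness now rests on every object in dpaa2/Makefile being gated by its own CONFIG_ symbol, and that Makefile is not part of this patch. Please confirm this holds for the 6.1 tree and add a short comment on the new line saying why the directory is entered unconditionally. The hunk also drops the blank line that separated this entry from "obj-y += enetc/"; keeping it would hold the diff to the one-line change.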
--
2.53.0
* [PATCH 6.1 452/969] kernel: param: rename locate_module_kobject
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rasmus Villemoes, Shyam Saini,
Petr Pavlu, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shyam Saini <shyamsaini@linux.microsoft.com>
[ Upstream commit bbc9462f0cb0c8917a4908e856731708f0cee910 ]
The locate_module_kobject() function looks up an existing
module_kobject for a given module name. If it cannot find the
corresponding module_kobject, it creates one for the given name.
This commit renames locate_module_kobject() to
lookup_or_create_module_kobject() to better describe its operations.
This doesn't change anything functionality-wise.
Suggested-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Signed-off-by: Shyam Saini <shyamsaini@linux.microsoft.com>
Link: https://lore.kernel.org/r/20250227184930.34163-2-shyamsaini@linux.microsoft.com
Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
Stable-dep-of: deffe1edba62 ("module: Fix freeing of charp module parameters when CONFIG_SYSFS=n")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/params.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/kernel/params.c b/kernel/params.c
index 27954dfe3d204..6e41ecc54b534 100644
--- a/kernel/params.c
+++ b/kernel/params.c
@@ -758,7 +758,7 @@ void destroy_params(const struct kernel_param *params, unsigned num)
params[i].ops->free(params[i].arg);
}
-static struct module_kobject * __init locate_module_kobject(const char *name)
+static struct module_kobject * __init lookup_or_create_module_kobject(const char *name)
{
struct module_kobject *mk;
struct kobject *kobj;
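Review bot: the renamed definition line, "static struct module_kobject * __init lookup_or_create_module_kobject(const char *name)", now runs past 80 columns; break it after the __init annotation. Since the point of the rename is to document the lookup-or-create behaviour, a short comment above the function stating that it can return NULL (the callers in the following hunks test "if (!mk)" and "if (mk)") would complete it.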
@@ -800,7 +800,7 @@ static void __init kernel_add_sysfs_param(const char *name,
struct module_kobject *mk;
int err;
- mk = locate_module_kobject(name);
+ mk = lookup_or_create_module_kobject(name);
if (!mk)
return;
@@ -871,7 +871,7 @@ static void __init version_sysfs_builtin(void)
int err;
for (vattr = __start___modver; vattr < __stop___modver; vattr++) {
- mk = locate_module_kobject(vattr->module_name);
+ mk = lookup_or_create_module_kobject(vattr->module_name);
if (mk) {
err = sysfs_create_file(&mk->kobj, &vattr->mattr.attr);
WARN_ON_ONCE(err);
--
2.53.0
* [PATCH 6.1 453/969] kernel: globalize lookup_or_create_module_kobject()
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rasmus Villemoes, Shyam Saini,
Petr Pavlu, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shyam Saini <shyamsaini@linux.microsoft.com>
[ Upstream commit 7c76c813cfc42a7376378a0c4b7250db2eebab81 ]
lookup_or_create_module_kobject() is marked as static and __init;
to make it global, drop the static keyword.
Since this function can be called from non-init code, use __modinit
instead of __init; the __modinit marker will make it __init if
CONFIG_MODULES is not defined.
Suggested-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Signed-off-by: Shyam Saini <shyamsaini@linux.microsoft.com>
Link: https://lore.kernel.org/r/20250227184930.34163-4-shyamsaini@linux.microsoft.com
Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
Stable-dep-of: deffe1edba62 ("module: Fix freeing of charp module parameters when CONFIG_SYSFS=n")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/module.h | 2 ++
kernel/params.c | 2 +-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/include/linux/module.h b/include/linux/module.h
index a119d2d6c0cba..92f6d8d6dcab0 100644
--- a/include/linux/module.h
+++ b/include/linux/module.h
@@ -161,6 +161,8 @@ extern void cleanup_module(void);
#define __INITRODATA_OR_MODULE __INITRODATA
#endif /*CONFIG_MODULES*/
+struct module_kobject *lookup_or_create_module_kobject(const char *name);
+
/* Generic info of form tag = "info" */
#define MODULE_INFO(tag, info) __MODULE_INFO(tag, tag, info)
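Review bot: the prototype is added after "#endif /*CONFIG_MODULES*/", so it is visible in every configuration, while the changelog states that the definition becomes __init when CONFIG_MODULES is not defined. A non-init caller in such a build would reference discarded init text; put a comment above the prototype stating that restriction. No hunk in this patch adds a caller outside kernel/params.c, so it would also help to name in the changelog the user that needs the symbol to be global.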
diff --git a/kernel/params.c b/kernel/params.c
index 6e41ecc54b534..587d9cdafd118 100644
--- a/kernel/params.c
+++ b/kernel/params.c
@@ -758,7 +758,7 @@ void destroy_params(const struct kernel_param *params, unsigned num)
params[i].ops->free(params[i].arg);
}
-static struct module_kobject * __init lookup_or_create_module_kobject(const char *name)
+struct module_kobject __modinit * lookup_or_create_module_kobject(const char *name)
{
struct module_kobject *mk;
struct kobject *kobj;
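Review bot: in "struct module_kobject __modinit * lookup_or_create_module_kobject(const char *name)" the section annotation sits between the type name and the "*", whereas the removed line had it after the "*". Keep the earlier placement ("struct module_kobject * __modinit") and wrap the line, which is over 80 columns.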
--
2.53.0
* [PATCH 6.1 454/969] params: Replace __modinit with __init_or_module
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Pavlu, Aaron Tomlin,
Daniel Gomez, Sami Tolvanen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Pavlu <petr.pavlu@suse.com>
[ Upstream commit 3cb0c3bdea5388519bc1bf575dca6421b133302b ]
Remove the custom __modinit macro from kernel/params.c and instead use the
common __init_or_module macro from include/linux/module.h. Both provide the
same functionality.
Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
Reviewed-by: Aaron Tomlin <atomlin@atomlin.com>
Reviewed-by: Daniel Gomez <da.gomez@samsung.com>
Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Stable-dep-of: deffe1edba62 ("module: Fix freeing of charp module parameters when CONFIG_SYSFS=n")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/params.c | 15 +++++----------
1 file changed, 5 insertions(+), 10 deletions(-)
diff --git a/kernel/params.c b/kernel/params.c
index 587d9cdafd118..5ae507cd19960 100644
--- a/kernel/params.c
+++ b/kernel/params.c
@@ -592,12 +592,6 @@ static ssize_t param_attr_store(struct module_attribute *mattr,
}
#endif
-#ifdef CONFIG_MODULES
-#define __modinit
-#else
-#define __modinit __init
-#endif
-
#ifdef CONFIG_SYSFS
void kernel_param_lock(struct module *mod)
{
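Review bot: deleting the local __modinit definition breaks the build for any user of it left in kernel/params.c. The later hunks convert add_sysfs_param() and lookup_or_create_module_kobject(); please confirm with a grep on the 6.1 tree that these are the only two, since this is a backport and the file may differ from upstream. The changelog says both macros provide the same functionality; quoting the __init_or_module definition there would let a reader check that without opening include/linux/module.h.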
@@ -622,9 +616,9 @@ EXPORT_SYMBOL(kernel_param_unlock);
* create file in sysfs. Returns an error on out of memory. Always cleans up
* if there's an error.
*/
-static __modinit int add_sysfs_param(struct module_kobject *mk,
- const struct kernel_param *kp,
- const char *name)
+static __init_or_module int add_sysfs_param(struct module_kobject *mk,
+ const struct kernel_param *kp,
+ const char *name)
{
struct module_param_attrs *new_mp;
struct attribute **new_attrs;
@@ -758,7 +752,8 @@ void destroy_params(const struct kernel_param *params, unsigned num)
params[i].ops->free(params[i].arg);
}
-struct module_kobject __modinit * lookup_or_create_module_kobject(const char *name)
+struct module_kobject * __init_or_module
+lookup_or_create_module_kobject(const char *name)
{
struct module_kobject *mk;
struct kobject *kobj;
--
2.53.0
* [PATCH 6.1 455/969] module: Fix freeing of charp module parameters when CONFIG_SYSFS=n
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Pavlu, Sami Tolvanen,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Pavlu <petr.pavlu@suse.com>
[ Upstream commit deffe1edba626d474fef38007c03646ca5876a0e ]
When setting a charp module parameter, the param_set_charp() function
allocates memory to store a copy of the input value. Later, when the module
is potentially unloaded, the destroy_params() function is called to free
this allocated memory.
However, destroy_params() is available only when CONFIG_SYSFS=y, otherwise
only a dummy variant is present. In the unlikely case that the kernel is
configured with CONFIG_MODULES=y and CONFIG_SYSFS=n, this results in
a memory leak of charp values when a module is unloaded.
Fix this issue by making destroy_params() always available when
CONFIG_MODULES=y. Rename the function to module_destroy_params() to clarify
that it is intended for use by the module loader.
Fixes: e180a6b7759a ("param: fix charp parameters set via sysfs")
Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/moduleparam.h | 11 +++--------
kernel/module/main.c | 4 ++--
kernel/params.c | 27 ++++++++++++++++++---------
3 files changed, 23 insertions(+), 19 deletions(-)
diff --git a/include/linux/moduleparam.h b/include/linux/moduleparam.h
index 061e19c94a6bc..f73ca4d62683b 100644
--- a/include/linux/moduleparam.h
+++ b/include/linux/moduleparam.h
@@ -392,14 +392,9 @@ extern char *parse_args(const char *name,
const char *doing, void *arg));
/* Called by module remove. */
-#ifdef CONFIG_SYSFS
-extern void destroy_params(const struct kernel_param *params, unsigned num);
-#else
-static inline void destroy_params(const struct kernel_param *params,
- unsigned num)
-{
-}
-#endif /* !CONFIG_SYSFS */
+#ifdef CONFIG_MODULES
+void module_destroy_params(const struct kernel_param *params, unsigned int num);
+#endif
/* All the helper functions */
/* The macros to do compile-time type checking stolen from Jakub
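Review bot: the retained comment "/* Called by module remove. */" does not cover the usage shown in this patch, where kernel/module/main.c calls module_destroy_params() from free_module() and also from the coming_cleanup error path of load_module(); update the comment. The declaration is now only present under "#ifdef CONFIG_MODULES" with no stub for the other case, so any caller outside the module loader stops building; say in the changelog that this is intended.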
diff --git a/kernel/module/main.c b/kernel/module/main.c
index 6b3cffd9f8a8a..e83e84f699ded 100644
--- a/kernel/module/main.c
+++ b/kernel/module/main.c
@@ -1172,7 +1172,7 @@ static void free_module(struct module *mod)
module_unload_free(mod);
/* Free any allocated parameters. */
- destroy_params(mod->kp, mod->num_kp);
+ module_destroy_params(mod->kp, mod->num_kp);
if (is_livepatch_module(mod))
free_module_elf(mod);
@@ -2890,7 +2890,7 @@ static int load_module(struct load_info *info, const char __user *uargs,
mod_sysfs_teardown(mod);
coming_cleanup:
mod->state = MODULE_STATE_GOING;
- destroy_params(mod->kp, mod->num_kp);
+ module_destroy_params(mod->kp, mod->num_kp);
blocking_notifier_call_chain(&module_notify_list,
MODULE_STATE_GOING, mod);
klp_module_going(mod);
diff --git a/kernel/params.c b/kernel/params.c
index 5ae507cd19960..82109c0cf9918 100644
--- a/kernel/params.c
+++ b/kernel/params.c
@@ -743,15 +743,6 @@ void module_param_sysfs_remove(struct module *mod)
}
#endif
-void destroy_params(const struct kernel_param *params, unsigned num)
-{
- unsigned int i;
-
- for (i = 0; i < num; i++)
- if (params[i].ops->free)
- params[i].ops->free(params[i].arg);
-}
-
struct module_kobject * __init_or_module
lookup_or_create_module_kobject(const char *name)
{
@@ -971,3 +962,21 @@ static int __init param_sysfs_init(void)
subsys_initcall(param_sysfs_init);
#endif /* CONFIG_SYSFS */
+
+#ifdef CONFIG_MODULES
+
+/*
+ * module_destroy_params - free all parameters for one module
+ * @params: module parameters (array)
+ * @num: number of module parameters
+ */
+void module_destroy_params(const struct kernel_param *params, unsigned int num)
+{
+ unsigned int i;
+
+ for (i = 0; i < num; i++)
+ if (params[i].ops->free)
+ params[i].ops->free(params[i].arg);
+}
+
+#endif /* CONFIG_MODULES */
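Review bot: the comment above module_destroy_params() uses kernel-doc layout ("@params:", "@num:") but opens with "/*", so the kernel-doc tooling will not pick it up; open it with "/**". The "for" body spans two lines (an "if" plus its statement) and would read better with braces around it.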
--
2.53.0
* [PATCH 6.1 456/969] bpf, devmap: Remove unnecessary if check in for loop
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Daniel Borkmann,
Toke Høiland-Jørgensen, Jiri Olsa, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@toblux.com>
[ Upstream commit 2317dc2c22cc353b699c7d1db47b2fe91f54055c ]
The iterator variable dst cannot be NULL and the if check can be removed.
Remove it and fix the following Coccinelle/coccicheck warning reported
by itnull.cocci:
ERROR: iterator variable bound on line 762 cannot be NULL
Signed-off-by: Thorsten Blum <thorsten.blum@toblux.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
Acked-by: Jiri Olsa <jolsa@kernel.org>
Link: https://lore.kernel.org/bpf/20240529101900.103913-2-thorsten.blum@toblux.com
Stable-dep-of: 8ed82f807bb0 ("bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/devmap.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c
index 5e05732db2368..71025d1311a57 100644
--- a/kernel/bpf/devmap.c
+++ b/kernel/bpf/devmap.c
@@ -759,9 +759,6 @@ int dev_map_redirect_multi(struct net_device *dev, struct sk_buff *skb,
for (i = 0; i < dtab->n_buckets; i++) {
head = dev_map_index_hash(dtab, i);
hlist_for_each_entry_safe(dst, next, head, index_hlist) {
- if (!dst)
- continue;
-
if (is_ifindex_excluded(excluded_devices, num_excluded,
dst->dev->ifindex))
continue;
--
2.53.0
* [PATCH 6.1 457/969] bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Carlier, Martin KaFai Lau,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Carlier <devnexen@gmail.com>
[ Upstream commit 8ed82f807bb09d2c8455aaa665f2c6cb17bc6a19 ]
The DEVMAP_HASH branch in dev_map_redirect_multi() uses
hlist_for_each_entry_safe() to iterate hash buckets, but this function
runs under RCU protection (called from xdp_do_generic_redirect_map()
in softirq context). Concurrent writers (__dev_map_hash_update_elem,
dev_map_hash_delete_elem) modify the list using RCU primitives
(hlist_add_head_rcu, hlist_del_rcu).
hlist_for_each_entry_safe() performs plain pointer dereferences without
rcu_dereference(), missing the acquire barrier needed to pair with
writers' rcu_assign_pointer(). On weakly-ordered architectures (ARM64,
POWER), a reader can observe a partially-constructed node. It also
defeats CONFIG_PROVE_RCU lockdep validation and KCSAN data-race
detection.
Replace with hlist_for_each_entry_rcu() using rcu_read_lock_bh_held()
as the lockdep condition, consistent with the rcu_dereference_check()
used in the DEVMAP (non-hash) branch of the same functions. Also fix
the same incorrect lockdep_is_held(&dtab->index_lock) condition in
dev_map_enqueue_multi(), where the lock is not held either.
Fixes: e624d4ed4aa8 ("xdp: Extend xdp_redirect_map with broadcast support")
Signed-off-by: David Carlier <devnexen@gmail.com>
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Link: https://patch.msgid.link/20260320072645.16731-1-devnexen@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/devmap.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c
index 71025d1311a57..c8d8977296bc1 100644
--- a/kernel/bpf/devmap.c
+++ b/kernel/bpf/devmap.c
@@ -636,7 +636,7 @@ int dev_map_enqueue_multi(struct xdp_frame *xdpf, struct net_device *dev_rx,
for (i = 0; i < dtab->n_buckets; i++) {
head = dev_map_index_hash(dtab, i);
hlist_for_each_entry_rcu(dst, head, index_hlist,
- lockdep_is_held(&dtab->index_lock)) {
+ rcu_read_lock_bh_held()) {
if (!is_valid_dst(dst, xdpf))
continue;
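Review bot: this hunk changes the lockdep condition in dev_map_enqueue_multi(), the xdp_frame path, while the subject line names only the dev_map_redirect_multi() SKB path, and the changelog justifies rcu_read_lock_bh_held() only through the softirq call chain of the SKB path. Add a sentence to the changelog, or a comment above the loop, stating which callers of dev_map_enqueue_multi() guarantee the BH RCU read side, so the new condition can be checked against them.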
@@ -718,7 +718,6 @@ int dev_map_redirect_multi(struct net_device *dev, struct sk_buff *skb,
struct bpf_dtab_netdev *dst, *last_dst = NULL;
int excluded_devices[1+MAX_NEST_DEV];
struct hlist_head *head;
- struct hlist_node *next;
int num_excluded = 0;
unsigned int i;
int err;
@@ -758,7 +757,7 @@ int dev_map_redirect_multi(struct net_device *dev, struct sk_buff *skb,
} else { /* BPF_MAP_TYPE_DEVMAP_HASH */
for (i = 0; i < dtab->n_buckets; i++) {
head = dev_map_index_hash(dtab, i);
- hlist_for_each_entry_safe(dst, next, head, index_hlist) {
+ hlist_for_each_entry_rcu(dst, head, index_hlist, rcu_read_lock_bh_held()) {
if (is_ifindex_excluded(excluded_devices, num_excluded,
dst->dev->ifindex))
continue;
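Review bot: the new "hlist_for_each_entry_rcu(dst, head, index_hlist, rcu_read_lock_bh_held()) {" line is over 80 columns once indented and is formatted differently from the same call in dev_map_enqueue_multi(), which puts the lockdep condition on a continuation line; wrap it the same way. Dropping the _safe iterator also means the loop body must not unlink dst while iterating; the body is not fully visible in this hunk, so please confirm that in the changelog.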
--
2.53.0
* [PATCH 6.1 458/969] wifi: rtw89: phy: fix uninitialized variable access in rtw89_phy_cfo_set_crystal_cap()
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexey Velichayshiy, Ping-Ke Shih,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Velichayshiy <a.velichayshiy@ispras.ru>
[ Upstream commit 047cddf88c611e616d49a00311d4722e46286234 ]
In the rtw89_phy_cfo_set_crystal_cap() function, for chips other than
RTL8852A/RTL8851B, the values read by rtw89_mac_read_xtal_si() are
stored into the local variables sc_xi_val and sc_xo_val. If either
read fails, these variables remain uninitialized; they are later
used to update cfo->crystal_cap and in debug print statements. This
can lead to undefined behavior.
Fix the issue by initializing sc_xi_val and sc_xo_val to zero,
as is implemented in the vendor driver.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 8379fa611536 ("rtw89: 8852c: add write/read crystal function in CFO tracking")
Signed-off-by: Alexey Velichayshiy <a.velichayshiy@ispras.ru>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260323140613.1615574-1-a.velichayshiy@ispras.ru
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtw89/phy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/realtek/rtw89/phy.c b/drivers/net/wireless/realtek/rtw89/phy.c
index f6647f9d23939..980b8079bc707 100644
--- a/drivers/net/wireless/realtek/rtw89/phy.c
+++ b/drivers/net/wireless/realtek/rtw89/phy.c
@@ -2148,7 +2148,7 @@ static void rtw89_phy_cfo_set_crystal_cap(struct rtw89_dev *rtwdev,
{
struct rtw89_cfo_tracking_info *cfo = &rtwdev->cfo_tracking;
const struct rtw89_chip_info *chip = rtwdev->chip;
- u8 sc_xi_val, sc_xo_val;
+ u8 sc_xi_val = 0, sc_xo_val = 0;
if (!force && cfo->crystal_cap == crystal_cap)
return;
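Review bot: initialising sc_xi_val and sc_xo_val to 0 removes the uninitialised read, but per the changelog a failed rtw89_mac_read_xtal_si() then leaves 0 in place, and that 0 is used to update cfo->crystal_cap and is printed as if it had been read from the chip. Consider checking the return value at the read sites and skipping the cfo->crystal_cap update, or logging the failure, rather than relying on the default value.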
--
2.53.0
* [PATCH 6.1 459/969] r8152: fix incorrect register write to USB_UPHY_XTAL
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chih Kai Hsu, Hayes Wang,
Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chih Kai Hsu <hsu.chih.kai@realtek.com>
[ Upstream commit 48afd5124fd6129c46fd12cb06155384b1c4a0c4 ]
The old code used ocp_write_byte() to clear the OOBS_POLLING bit
(BIT(8)) in the USB_UPHY_XTAL register, but this doesn't correctly
clear a bit in the upper byte of the 16-bit register.
Fix this by using ocp_write_word() instead.
Fixes: 195aae321c82 ("r8152: support new chips")
Signed-off-by: Chih Kai Hsu <hsu.chih.kai@realtek.com>
Reviewed-by: Hayes Wang <hayeswang@realtek.com>
Link: https://patch.msgid.link/20260326073925.32976-454-nic_swsd@realtek.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/r8152.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
index 15979cd7d15ae..98e30291b0500 100644
--- a/drivers/net/usb/r8152.c
+++ b/drivers/net/usb/r8152.c
@@ -3748,7 +3748,7 @@ static void r8156_ups_en(struct r8152 *tp, bool enable)
case RTL_VER_15:
ocp_data = ocp_read_word(tp, MCU_TYPE_USB, USB_UPHY_XTAL);
ocp_data &= ~OOBS_POLLING;
- ocp_write_byte(tp, MCU_TYPE_USB, USB_UPHY_XTAL, ocp_data);
+ ocp_write_word(tp, MCU_TYPE_USB, USB_UPHY_XTAL, ocp_data);
break;
default:
break;
--
2.53.0
* [PATCH 6.1 460/969] powerpc/crash: fix backup region offset update to elfcorehdr
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aditya Gupta, Sourabh Jain,
Hari Bathini, Madhavan Srinivasan, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sourabh Jain <sourabhjain@linux.ibm.com>
[ Upstream commit 789335cacdf37da93bb7c70322dff8c7e82881df ]
update_backup_region_phdr() in file_load_64.c iterates over all the
program headers in the kdump kernel’s elfcorehdr and updates the
p_offset of the program header whose physical address starts at 0.
However, the loop logic is incorrect because the program header pointer
is not updated during iteration. Since elfcorehdr typically contains
PT_NOTE entries first, the PT_LOAD program header with physical address
0 is never reached. As a result, its p_offset is not updated to point to
the backup region.
Because of this behavior, the capture kernel exports the first 64 KB of
the crashed kernel’s memory at offset 0, even though that memory
actually lives in the backup region. When a crash happens, purgatory
copies the first 64 KB of the crashed kernel’s memory into the backup
region so the capture kernel can safely use it.
This has not caused problems so far because the first 64 KB is usually
identical in both the crashed and capture kernels. However, this is
just an assumption and is not guaranteed to always hold true.
Fix update_backup_region_phdr() to correctly update the p_offset of the
program header with a starting physical address of 0 by correcting the
logic used to iterate over the program headers.
Fixes: cb350c1f1f86 ("powerpc/kexec_file: Prepare elfcore header for crashing kernel")
Reviewed-by: Aditya Gupta <adityag@linux.ibm.com>
Signed-off-by: Sourabh Jain <sourabhjain@linux.ibm.com>
Reviewed-by: Hari Bathini <hbathini@linux.ibm.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20260312083051.1935737-2-sourabhjain@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/kexec/file_load_64.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/powerpc/kexec/file_load_64.c b/arch/powerpc/kexec/file_load_64.c
index 04d100ca18b86..9e3382e824311 100644
--- a/arch/powerpc/kexec/file_load_64.c
+++ b/arch/powerpc/kexec/file_load_64.c
@@ -768,7 +768,7 @@ static void update_backup_region_phdr(struct kimage *image, Elf64_Ehdr *ehdr)
unsigned int i;
phdr = (Elf64_Phdr *)(ehdr + 1);
- for (i = 0; i < ehdr->e_phnum; i++) {
+ for (i = 0; i < ehdr->e_phnum; i++, phdr++) {
if (phdr->p_paddr == BACKUP_SRC_START) {
phdr->p_offset = image->arch.backup_start;
pr_debug("Backup region offset updated to 0x%lx\n",
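Review bot: advancing phdr in the for-increment ("i++, phdr++") fixes the stuck pointer, but it keeps two loop variables that have to move together, which is the pattern that went wrong here. Deriving the element from the index, for example "phdr = (Elf64_Phdr *)(ehdr + 1) + i;" as the first statement of the body, ties the entry being tested to i and leaves nothing to forget in the loop header.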
--
2.53.0
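The loop bug described in the changelog above, modelled in user space as an added example (not code from the patch or the kernel tree). The struct, the function names and all table values are constructed for illustration; only the loop shapes follow the hunk.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for the ELF64 program header and kernel constants
 * (assumptions for this example; only the fields the loop touches exist). */
#define PT_LOAD 1u
#define PT_NOTE 4u
#define BACKUP_SRC_START    0x0ULL        /* "physical address starts at 0" */
#define SAMPLE_BACKUP_START 0x8000000ULL  /* constructed backup region offset */

struct phdr_model {
	uint32_t p_type;
	uint64_t p_offset;
	uint64_t p_paddr;
};

/* Constructed elfcorehdr layout: PT_NOTE first, then the PT_LOAD at paddr 0,
 * as the changelog says is typical. */
static void make_sample_table(struct phdr_model t[3])
{
	t[0] = (struct phdr_model){ PT_NOTE, 0x1000ULL,  0x7f000000ULL };
	t[1] = (struct phdr_model){ PT_LOAD, 0x0ULL,     0x0ULL };
	t[2] = (struct phdr_model){ PT_LOAD, 0x10000ULL, 0x10000ULL };
}

/* Pre-fix loop shape: i advances but phdr stays on entry 0, so the PT_LOAD
 * entry behind the PT_NOTE is never examined. Returns the number of updates. */
static int update_offset_buggy(struct phdr_model *tbl, unsigned int n,
			       uint64_t backup_start)
{
	struct phdr_model *phdr = tbl;
	unsigned int i;
	int hits = 0;

	for (i = 0; i < n; i++) {
		if (phdr->p_paddr == BACKUP_SRC_START) {
			phdr->p_offset = backup_start;
			hits++;
		}
	}
	return hits;
}

/* Post-fix loop shape: phdr advances together with i. */
static int update_offset_fixed(struct phdr_model *tbl, unsigned int n,
			       uint64_t backup_start)
{
	struct phdr_model *phdr = tbl;
	unsigned int i;
	int hits = 0;

	for (i = 0; i < n; i++, phdr++) {
		if (phdr->p_paddr == BACKUP_SRC_START) {
			phdr->p_offset = backup_start;
			hits++;
		}
	}
	return hits;
}

int main(void)
{
	struct phdr_model t[3];
	int hits;

	make_sample_table(t);
	hits = update_offset_buggy(t, 3, SAMPLE_BACKUP_START);
	printf("buggy: updates=%d, PT_LOAD@0 p_offset=0x%llx\n",
	       hits, (unsigned long long)t[1].p_offset);

	make_sample_table(t);
	hits = update_offset_fixed(t, 3, SAMPLE_BACKUP_START);
	printf("fixed: updates=%d, PT_LOAD@0 p_offset=0x%llx\n",
	       hits, (unsigned long long)t[1].p_offset);
	return 0;
}
```

With the stuck pointer the entry at physical address 0 keeps p_offset 0, which is the state in which the capture kernel exports the first 64 KB from offset 0 instead of from the backup region.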
* [PATCH 6.1 461/969] macvlan: annotate data-races around port->bc_queue_len_used
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 1ef5789d9906df3771c99b7f413caaf2bf473ca5 ]
port->bc_queue_len_used is read and written locklessly,
add READ_ONCE()/WRITE_ONCE() annotations.
While WRITE_ONCE() in macvlan_fill_info() is not yet needed,
it is a prereq for future RTNL avoidance.
Fixes: d4bff72c8401 ("macvlan: Support for high multicast packet rate")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260401103809.3038139-2-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/macvlan.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
index 24e36d78a23ae..14018be5e7e70 100644
--- a/drivers/net/macvlan.c
+++ b/drivers/net/macvlan.c
@@ -344,6 +344,7 @@ static void macvlan_broadcast_enqueue(struct macvlan_port *port,
const struct macvlan_dev *src,
struct sk_buff *skb)
{
+ u32 bc_queue_len_used = READ_ONCE(port->bc_queue_len_used);
struct sk_buff *nskb;
int err = -ENOMEM;
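Review bot: the READ_ONCE(port->bc_queue_len_used) snapshot is taken in the declaration block at function entry, while its only use is the comparison under port->bc_queue.lock in the next hunk. Either read it at the point of use, "if (skb_queue_len(&port->bc_queue) < READ_ONCE(port->bc_queue_len_used))", or add a comment saying why the read is hoisted out of the locked region, so the lockless read stays next to the decision it feeds.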
@@ -354,7 +355,7 @@ static void macvlan_broadcast_enqueue(struct macvlan_port *port,
MACVLAN_SKB_CB(nskb)->src = src;
spin_lock(&port->bc_queue.lock);
- if (skb_queue_len(&port->bc_queue) < port->bc_queue_len_used) {
+ if (skb_queue_len(&port->bc_queue) < bc_queue_len_used) {
if (src)
dev_hold(src->dev);
__skb_queue_tail(&port->bc_queue, nskb);
@@ -1695,7 +1696,8 @@ static int macvlan_fill_info(struct sk_buff *skb,
}
if (nla_put_u32(skb, IFLA_MACVLAN_BC_QUEUE_LEN, vlan->bc_queue_len_req))
goto nla_put_failure;
- if (nla_put_u32(skb, IFLA_MACVLAN_BC_QUEUE_LEN_USED, port->bc_queue_len_used))
+ if (nla_put_u32(skb, IFLA_MACVLAN_BC_QUEUE_LEN_USED,
+ READ_ONCE(port->bc_queue_len_used)))
goto nla_put_failure;
return 0;
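Review bot: The changelog and this hunk disagree. The changelog says "WRITE_ONCE() in macvlan_fill_info() is not yet needed", but what is added in macvlan_fill_info() is a READ_ONCE() around port->bc_queue_len_used; the WRITE_ONCE() is in update_port_bc_queue_len(). The changelog presumably means READ_ONCE() here, and it should say so, since it is the only place that explains why this annotation is being added ahead of need.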
@@ -1751,7 +1753,7 @@ static void update_port_bc_queue_len(struct macvlan_port *port)
if (vlan->bc_queue_len_req > max_bc_queue_len_req)
max_bc_queue_len_req = vlan->bc_queue_len_req;
}
- port->bc_queue_len_used = max_bc_queue_len_req;
+ WRITE_ONCE(port->bc_queue_len_used, max_bc_queue_len_req);
}
static int macvlan_device_event(struct notifier_block *unused,
--
2.53.0
* [PATCH 6.1 462/969] bpf: fix end-of-list detection in cgroup_storage_get_next_key()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (460 preceding siblings ...)
2026-05-30 15:59 ` [PATCH 6.1 461/969] macvlan: annotate data-races around port->bc_queue_len_used Greg Kroah-Hartman
@ 2026-05-30 15:59 ` Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 463/969] wifi: brcmfmac: Fix error pointer dereference Greg Kroah-Hartman
` (513 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi, Sun Jian,
Paul Chaignon, Alexei Starovoitov, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Weiming Shi <bestswngs@gmail.com>
[ Upstream commit 5828b9e5b272ecff7cf5d345128d3de7324117f7 ]
list_next_entry() never returns NULL -- when the current element is the
last entry it wraps to the list head via container_of(). The subsequent
NULL check is therefore dead code and get_next_key() never returns
-ENOENT for the last element, instead reading storage->key from a bogus
pointer that aliases internal map fields and copying the result to
userspace.
Replace it with list_entry_is_head() so the function correctly returns
-ENOENT when there are no more entries.
Fixes: de9cbbaadba5 ("bpf: introduce cgroup storage maps")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Sun Jian <sun.jian.kdev@gmail.com>
Acked-by: Paul Chaignon <paul.chaignon@gmail.com>
Link: https://lore.kernel.org/r/20260403132951.43533-2-bestswngs@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/local_storage.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/bpf/local_storage.c b/kernel/bpf/local_storage.c
index f01ca6f1ee031..acf4649f7e472 100644
--- a/kernel/bpf/local_storage.c
+++ b/kernel/bpf/local_storage.c
@@ -259,7 +259,7 @@ static int cgroup_storage_get_next_key(struct bpf_map *_map, void *key,
goto enoent;
storage = list_next_entry(storage, list_map);
- if (!storage)
+ if (list_entry_is_head(storage, &map->list, list_map))
goto enoent;
} else {
storage = list_first_entry(&map->list,
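Review bot: The else branch in the trailing context calls list_first_entry(&map->list, ...), which has the same property as list_next_entry(): on an empty list it returns a pointer derived from the head, never NULL. Please confirm that an emptiness test (list_empty() or list_first_entry_or_null()) guards that path, otherwise the same bogus storage->key read this patch fixes for the last element remains reachable for an empty map.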
--
2.53.0
* [PATCH 6.1 463/969] wifi: brcmfmac: Fix error pointer dereference
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (461 preceding siblings ...)
2026-05-30 15:59 ` [PATCH 6.1 462/969] bpf: fix end-of-list detection in cgroup_storage_get_next_key() Greg Kroah-Hartman
@ 2026-05-30 15:59 ` Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 464/969] bpf: Drop task_to_inode and inet_conn_established from lsm sleepable hooks Greg Kroah-Hartman
` (512 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ethan Tidmore, Arend van Spriel,
Johannes Berg, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ethan Tidmore <ethantidmore06@gmail.com>
[ Upstream commit dd8592fc6007a451c3e4b9025de365e39de8178a ]
The function brcmf_chip_add_core() can return an error pointer and is
not checked. Add checks for error pointer.
Detected by Smatch:
drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c:1010 brcmf_chip_recognition() error:
'core' dereferencing possible ERR_PTR()
drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c:1013 brcmf_chip_recognition() error:
'core' dereferencing possible ERR_PTR()
drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c:1016 brcmf_chip_recognition() error:
'core' dereferencing possible ERR_PTR()
drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c:1019 brcmf_chip_recognition() error:
'core' dereferencing possible ERR_PTR()
drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c:1022 brcmf_chip_recognition() error:
'core' dereferencing possible ERR_PTR()
Fixes: cb7cf7be9eba7 ("brcmfmac: make chip related functions host interface independent")
Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com>
Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Link: https://patch.msgid.link/20260217023043.73631-1-ethantidmore06@gmail.com
[add missing wifi: prefix]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../wireless/broadcom/brcm80211/brcmfmac/chip.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c
index 121893bbaa1d7..1fbe5c721adf8 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c
@@ -992,18 +992,33 @@ static int brcmf_chip_recognition(struct brcmf_chip_priv *ci)
core = brcmf_chip_add_core(ci, BCMA_CORE_CHIPCOMMON,
SI_ENUM_BASE_DEFAULT, 0);
+ if (IS_ERR(core))
+ return PTR_ERR(core);
+
brcmf_chip_sb_corerev(ci, core);
core = brcmf_chip_add_core(ci, BCMA_CORE_SDIO_DEV,
BCM4329_CORE_BUS_BASE, 0);
+ if (IS_ERR(core))
+ return PTR_ERR(core);
+
brcmf_chip_sb_corerev(ci, core);
core = brcmf_chip_add_core(ci, BCMA_CORE_INTERNAL_MEM,
BCM4329_CORE_SOCRAM_BASE, 0);
+ if (IS_ERR(core))
+ return PTR_ERR(core);
+
brcmf_chip_sb_corerev(ci, core);
core = brcmf_chip_add_core(ci, BCMA_CORE_ARM_CM3,
BCM4329_CORE_ARM_BASE, 0);
+ if (IS_ERR(core))
+ return PTR_ERR(core);
+
brcmf_chip_sb_corerev(ci, core);
core = brcmf_chip_add_core(ci, BCMA_CORE_80211, 0x18001000, 0);
+ if (IS_ERR(core))
+ return PTR_ERR(core);
+
brcmf_chip_sb_corerev(ci, core);
} else if (socitype == SOCI_AI) {
ci->iscoreup = brcmf_chip_ai_iscoreup;
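Review bot: Each new `return PTR_ERR(core);` after the first one exits brcmf_chip_recognition() with cores from the earlier successful brcmf_chip_add_core() calls already attached to ci. The hunk does not show who releases them, so please confirm the caller's error path frees the core list when this function fails. Separately, the same two-line IS_ERR() check is repeated five times; a small local helper that adds the core and calls brcmf_chip_sb_corerev() would keep the five call sites from drifting apart.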
--
2.53.0
* [PATCH 6.1 464/969] bpf: Drop task_to_inode and inet_conn_established from lsm sleepable hooks
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (462 preceding siblings ...)
2026-05-30 15:59 ` [PATCH 6.1 463/969] wifi: brcmfmac: Fix error pointer dereference Greg Kroah-Hartman
@ 2026-05-30 15:59 ` Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 465/969] bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec() Greg Kroah-Hartman
` (511 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Quan Sun, Yinhao Hu, Kaiyan Mei,
Dongliang Mu, Jiayuan Chen, Alexei Starovoitov, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayuan Chen <jiayuan.chen@linux.dev>
[ Upstream commit beaf0e96b1da74549a6cabd040f9667d83b2e97e ]
bpf_lsm_task_to_inode() is called under rcu_read_lock() and
bpf_lsm_inet_conn_established() is called from softirq context, so
neither hook can be used by sleepable LSM programs.
Fixes: 423f16108c9d8 ("bpf: Augment the set of sleepable LSM hooks")
Reported-by: Quan Sun <2022090917019@std.uestc.edu.cn>
Reported-by: Yinhao Hu <dddddd@hust.edu.cn>
Reported-by: Kaiyan Mei <M202472210@hust.edu.cn>
Reported-by: Dongliang Mu <dzm91@hust.edu.cn>
Closes: https://lore.kernel.org/bpf/3ab69731-24d1-431a-a351-452aafaaf2a5@std.uestc.edu.cn/T/#u
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Link: https://lore.kernel.org/r/20260407122334.344072-1-jiayuan.chen@linux.dev
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/bpf_lsm.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c
index e6a76da4bca78..075c06aa9c951 100644
--- a/kernel/bpf/bpf_lsm.c
+++ b/kernel/bpf/bpf_lsm.c
@@ -338,7 +338,6 @@ BTF_ID(func, bpf_lsm_current_getsecid_subj)
BTF_ID(func, bpf_lsm_task_getsecid_obj)
BTF_ID(func, bpf_lsm_task_prctl)
BTF_ID(func, bpf_lsm_task_setscheduler)
-BTF_ID(func, bpf_lsm_task_to_inode)
BTF_ID(func, bpf_lsm_userns_create)
BTF_SET_END(sleepable_lsm_hooks)
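Review bot: The subject and changelog name two hooks, task_to_inode and inet_conn_established, but this hunk removes only `BTF_ID(func, bpf_lsm_task_to_inode)` and the diffstat confirms a single deletion. If bpf_lsm_inet_conn_established is simply not in sleepable_lsm_hooks on 6.1, the backport should carry a bracketed note saying so, so that a reader comparing it with the upstream commit does not take the difference for a dropped line.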
--
2.53.0
* [PATCH 6.1 465/969] bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (463 preceding siblings ...)
2026-05-30 15:59 ` [PATCH 6.1 464/969] bpf: Drop task_to_inode and inet_conn_established from lsm sleepable hooks Greg Kroah-Hartman
@ 2026-05-30 15:59 ` Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 466/969] ACPI: AGDI: fix missing newline in error message Greg Kroah-Hartman
` (510 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi,
Emil Tsalapatis, Paul Chaignon, Alexei Starovoitov, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Weiming Shi <bestswngs@gmail.com>
[ Upstream commit 1c22483a2c4bbf747787f328392ca3e68619c4dc ]
CO-RE accessor strings are colon-separated indices that describe a path
from a root BTF type to a target field, e.g. "0:1:2" walks through
nested struct members. bpf_core_parse_spec() parses each component with
sscanf("%d"), so negative values like -1 are silently accepted. The
subsequent bounds checks (access_idx >= btf_vlen(t)) only guard the
upper bound and always pass for negative values because C integer
promotion converts the __u16 btf_vlen result to int, making the
comparison (int)(-1) >= (int)(N) false for any positive N.
When -1 reaches btf_member_bit_offset() it gets cast to u32 0xffffffff,
producing an out-of-bounds read far past the members array. A crafted
BPF program with a negative CO-RE accessor on any struct that exists in
vmlinux BTF (e.g. task_struct) crashes the kernel deterministically
during BPF_PROG_LOAD on any system with CONFIG_DEBUG_INFO_BTF=y
(default on major distributions). The bug is reachable with CAP_BPF:
BUG: unable to handle page fault for address: ffffed11818b6626
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
Oops: Oops: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 85 Comm: poc Not tainted 7.0.0-rc6 #18 PREEMPT(full)
RIP: 0010:bpf_core_parse_spec (tools/lib/bpf/relo_core.c:354)
RAX: 00000000ffffffff
Call Trace:
<TASK>
bpf_core_calc_relo_insn (tools/lib/bpf/relo_core.c:1321)
bpf_core_apply (kernel/bpf/btf.c:9507)
check_core_relo (kernel/bpf/verifier.c:19475)
bpf_check (kernel/bpf/verifier.c:26031)
bpf_prog_load (kernel/bpf/syscall.c:3089)
__sys_bpf (kernel/bpf/syscall.c:6228)
</TASK>
CO-RE accessor indices are inherently non-negative (struct member index,
array element index, or enumerator index), so reject them immediately
after parsing.
Fixes: ddc7c3042614 ("libbpf: implement BPF CO-RE offset relocation algorithm")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
Acked-by: Paul Chaignon <paul.chaignon@gmail.com>
Link: https://lore.kernel.org/r/20260404161221.961828-2-bestswngs@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/lib/bpf/relo_core.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tools/lib/bpf/relo_core.c b/tools/lib/bpf/relo_core.c
index c4b0e81ae2931..701a4fc305b0a 100644
--- a/tools/lib/bpf/relo_core.c
+++ b/tools/lib/bpf/relo_core.c
@@ -293,6 +293,8 @@ int bpf_core_parse_spec(const char *prog_name, const struct btf *btf,
++spec_str;
if (sscanf(spec_str, "%d%n", &access_idx, &parsed_len) != 1)
return -EINVAL;
+ if (access_idx < 0)
+ return -EINVAL;
if (spec->raw_len == BPF_CORE_SPEC_MAX_LEN)
return -E2BIG;
spec_str += parsed_len;
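Review bot: The new `if (access_idx < 0)` check carries no comment, and the reason it is needed lives only in the changelog: the later bounds checks test the upper bound alone, so a negative index passes them. A one-line comment here saying that accessor indices must be non-negative because the later checks are upper-bound only would keep the check from being removed as redundant in a future cleanup. A selftest that loads a spec with a negative component and expects -EINVAL would pin the behaviour down.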
--
2.53.0
* [PATCH 6.1 466/969] ACPI: AGDI: fix missing newline in error message
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (464 preceding siblings ...)
2026-05-30 15:59 ` [PATCH 6.1 465/969] bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec() Greg Kroah-Hartman
@ 2026-05-30 15:59 ` Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 467/969] arm64: kexec: Remove duplicate allocation for trans_pgd Greg Kroah-Hartman
` (509 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ilkka Koskinen, Haoyu Lu, Hanjun Guo,
Catalin Marinas, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoyu Lu <hechushiguitu666@gmail.com>
[ Upstream commit b178330b67abb7293b6de28b2a49d49c83962db5 ]
Add the missing trailing newline to the dev_err() message
printed when SDEI event registration fails.
This keeps the error output as a properly terminated log line.
Fixes: a2a591fb76e6 ("ACPI: AGDI: Add driver for Arm Generic Diagnostic Dump and Reset device")
Reviewed-by: Ilkka Koskinen <ilkka@os.amperecomputing.com>
Signed-off-by: Haoyu Lu <hechushiguitu666@gmail.com>
Reviewed-by: Hanjun Guo <guohanjun@huawei.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/arm64/agdi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/acpi/arm64/agdi.c b/drivers/acpi/arm64/agdi.c
index cf31abd0ed1bb..53a674c83f588 100644
--- a/drivers/acpi/arm64/agdi.c
+++ b/drivers/acpi/arm64/agdi.c
@@ -32,7 +32,7 @@ static int agdi_sdei_probe(struct platform_device *pdev,
err = sdei_event_register(adata->sdei_event, agdi_sdei_handler, pdev);
if (err) {
- dev_err(&pdev->dev, "Failed to register for SDEI event %d",
+ dev_err(&pdev->dev, "Failed to register for SDEI event %d\n",
adata->sdei_event);
return err;
}
--
2.53.0
* [PATCH 6.1 467/969] arm64: kexec: Remove duplicate allocation for trans_pgd
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (465 preceding siblings ...)
2026-05-30 15:59 ` [PATCH 6.1 466/969] ACPI: AGDI: fix missing newline in error message Greg Kroah-Hartman
@ 2026-05-30 15:59 ` Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 468/969] net: bcmgenet: fix off-by-one in bcmgenet_put_txcb Greg Kroah-Hartman
` (508 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wang Wensheng, Pasha Tatashin,
Catalin Marinas, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wang Wensheng <wsw9603@163.com>
[ Upstream commit ee020bf6f14094c9ae434bb37e6957a1fdad513c ]
trans_pgd would be allocated in trans_pgd_create_copy(), so remove the
duplicate allocation before calling trans_pgd_create_copy().
Fixes: 3744b5280e67 ("arm64: kexec: install a copy of the linear-map")
Signed-off-by: Wang Wensheng <wsw9603@163.com>
Reviewed-by: Pasha Tatashin <pasha.tatashin@soleen.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/kernel/machine_kexec.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/arch/arm64/kernel/machine_kexec.c b/arch/arm64/kernel/machine_kexec.c
index ce3d40120f72f..f660648cbceee 100644
--- a/arch/arm64/kernel/machine_kexec.c
+++ b/arch/arm64/kernel/machine_kexec.c
@@ -142,9 +142,6 @@ int machine_kexec_post_load(struct kimage *kimage)
}
/* Create a copy of the linear map */
- trans_pgd = kexec_page_alloc(kimage);
- if (!trans_pgd)
- return -ENOMEM;
rc = trans_pgd_create_copy(&info, &trans_pgd, PAGE_OFFSET, PAGE_END);
if (rc)
return rc;
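Review bot: The changelog calls the removed kexec_page_alloc() a duplicate but does not say what happened to that page once trans_pgd_create_copy() wrote through &trans_pgd. If the first page was simply overwritten and lost, the changelog should say so, because that is the user-visible effect that justifies a stable backport. With the allocation gone, trans_pgd is set only by trans_pgd_create_copy(), so it is also worth checking that nothing reads it on a path where that call has not succeeded.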
--
2.53.0
* [PATCH 6.1 468/969] net: bcmgenet: fix off-by-one in bcmgenet_put_txcb
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (466 preceding siblings ...)
2026-05-30 15:59 ` [PATCH 6.1 467/969] arm64: kexec: Remove duplicate allocation for trans_pgd Greg Kroah-Hartman
@ 2026-05-30 15:59 ` Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 469/969] net: bcmgenet: Remove TX ring full logging Greg Kroah-Hartman
` (507 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Justin Chen, Nicolai Buchwitz,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Justin Chen <justin.chen@broadcom.com>
[ Upstream commit 57f3f53d2c9c5a9e133596e2f7bc1c50688a6d38 ]
The write_ptr points to the next open tx_cb. We want to return the
tx_cb that gets rewound, so we must rewind the pointer first then
return the tx_cb that it points to. That way the txcb can be correctly
cleaned up.
Fixes: 876dbadd53a7 ("net: bcmgenet: Fix unmapping of fragments in bcmgenet_xmit()")
Signed-off-by: Justin Chen <justin.chen@broadcom.com>
Reviewed-by: Nicolai Buchwitz <nb@tipi-net.de>
Link: https://patch.msgid.link/20260406175756.134567-2-justin.chen@broadcom.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/broadcom/genet/bcmgenet.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
index f087a97164094..650f51471a0e1 100644
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -1744,15 +1744,15 @@ static struct enet_cb *bcmgenet_put_txcb(struct bcmgenet_priv *priv,
{
struct enet_cb *tx_cb_ptr;
- tx_cb_ptr = ring->cbs;
- tx_cb_ptr += ring->write_ptr - ring->cb_ptr;
-
/* Rewinding local write pointer */
if (ring->write_ptr == ring->cb_ptr)
ring->write_ptr = ring->end_ptr;
else
ring->write_ptr--;
+ tx_cb_ptr = ring->cbs;
+ tx_cb_ptr += ring->write_ptr - ring->cb_ptr;
+
return tx_cb_ptr;
}
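Review bot: The ordering is now the whole point of bcmgenet_put_txcb(), but the only comment left is "Rewinding local write pointer", which does not say that tx_cb_ptr must be computed after the rewind. A comment above the moved `tx_cb_ptr = ring->cbs;` lines stating that the returned cb is the one at the rewound write_ptr (the last one handed out), including the wrap case where write_ptr becomes end_ptr, would stop someone from reordering it back.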
--
2.53.0
* [PATCH 6.1 469/969] net: bcmgenet: Remove TX ring full logging
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (467 preceding siblings ...)
2026-05-30 15:59 ` [PATCH 6.1 468/969] net: bcmgenet: fix off-by-one in bcmgenet_put_txcb Greg Kroah-Hartman
@ 2026-05-30 15:59 ` Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 470/969] net: bcmgenet: Remove custom ndo_poll_controller() Greg Kroah-Hartman
` (506 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Fainelli, Simon Horman,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Fainelli <florian.fainelli@broadcom.com>
[ Upstream commit df41fa677d9b4717c930afbe88b06f5cefdacb21 ]
There is no need to spam the kernel log with such an indication, remove
this message.
Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://lore.kernel.org/r/20230728183945.760531-1-florian.fainelli@broadcom.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 5393b2b5bee2 ("net: bcmgenet: fix racing timeout handler")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/broadcom/genet/bcmgenet.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
index 650f51471a0e1..1d679de9c3235 100644
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -2072,12 +2072,8 @@ static netdev_tx_t bcmgenet_xmit(struct sk_buff *skb, struct net_device *dev)
spin_lock(&ring->lock);
if (ring->free_bds <= (nr_frags + 1)) {
- if (!netif_tx_queue_stopped(txq)) {
+ if (!netif_tx_queue_stopped(txq))
netif_tx_stop_queue(txq);
- netdev_err(dev,
- "%s: tx ring %d full when queue %d awake\n",
- __func__, index, ring->queue);
- }
ret = NETDEV_TX_BUSY;
goto out;
}
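Review bot: With the netdev_err() removed, the `ring->free_bds <= (nr_frags + 1)` path returns NETDEV_TX_BUSY with no trace at all. If this condition is still useful when diagnosing stalls, a per-ring counter would give the signal without the log spam the changelog objects to. Also check that `index`, which was an argument to the removed message, is still used elsewhere in bcmgenet_xmit(), so the backport does not introduce an unused-variable warning.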
--
2.53.0
* [PATCH 6.1 470/969] net: bcmgenet: Remove custom ndo_poll_controller()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (468 preceding siblings ...)
2026-05-30 15:59 ` [PATCH 6.1 469/969] net: bcmgenet: Remove TX ring full logging Greg Kroah-Hartman
@ 2026-05-30 15:59 ` Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 471/969] net: bcmgenet: add bcmgenet_has_* helpers Greg Kroah-Hartman
` (505 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Fainelli, Eric Dumazet,
David S. Miller, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Fainelli <florian.fainelli@broadcom.com>
[ Upstream commit 19537e125cc7cf2da43a606f5bcebbe0c9aea4cc ]
The driver gained a .ndo_poll_controller() at a time where the TX
cleaning process was always done from NAPI which makes this unnecessary.
See commit ac3d9dd034e5 ("netpoll: make ndo_poll_controller() optional")
for more background.
Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 5393b2b5bee2 ("net: bcmgenet: fix racing timeout handler")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/broadcom/genet/bcmgenet.c | 20 -------------------
1 file changed, 20 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
index 1d679de9c3235..4d76c9aebd439 100644
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -3250,23 +3250,6 @@ static irqreturn_t bcmgenet_wol_isr(int irq, void *dev_id)
return IRQ_HANDLED;
}
-#ifdef CONFIG_NET_POLL_CONTROLLER
-static void bcmgenet_poll_controller(struct net_device *dev)
-{
- struct bcmgenet_priv *priv = netdev_priv(dev);
-
- /* Invoke the main RX/TX interrupt handler */
- disable_irq(priv->irq0);
- bcmgenet_isr0(priv->irq0, priv);
- enable_irq(priv->irq0);
-
- /* And the interrupt handler for RX/TX priority queues */
- disable_irq(priv->irq1);
- bcmgenet_isr1(priv->irq1, priv);
- enable_irq(priv->irq1);
-}
-#endif
-
static void bcmgenet_umac_reset(struct bcmgenet_priv *priv)
{
u32 reg;
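Review bot: Removing bcmgenet_poll_controller() is only safe if the 6.1 driver already does all TX reclaim from NAPI, which the changelog asserts for upstream but which is not shown for this tree. Since the patch is taken here only as a dependency of 5393b2b5bee2, please confirm that condition holds on 6.1: the removed function was the path that called bcmgenet_isr0() and bcmgenet_isr1() for netpoll, and netconsole users on this hardware will otherwise lose output.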
@@ -3736,9 +3719,6 @@ static const struct net_device_ops bcmgenet_netdev_ops = {
.ndo_set_mac_address = bcmgenet_set_mac_addr,
.ndo_eth_ioctl = phy_do_ioctl_running,
.ndo_set_features = bcmgenet_set_features,
-#ifdef CONFIG_NET_POLL_CONTROLLER
- .ndo_poll_controller = bcmgenet_poll_controller,
-#endif
.ndo_get_stats = bcmgenet_get_stats,
.ndo_change_carrier = bcmgenet_change_carrier,
};
--
2.53.0
* [PATCH 6.1 471/969] net: bcmgenet: add bcmgenet_has_* helpers
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (469 preceding siblings ...)
2026-05-30 15:59 ` [PATCH 6.1 470/969] net: bcmgenet: Remove custom ndo_poll_controller() Greg Kroah-Hartman
@ 2026-05-30 15:59 ` Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 472/969] net: bcmgenet: move DESC_INDEX flow to ring 0 Greg Kroah-Hartman
` (504 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Doug Berger, Florian Fainelli,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Doug Berger <opendmb@gmail.com>
[ Upstream commit 07c1a756a50b1180a085ab61819a388bbb906a95 ]
Introduce helper functions to indicate whether the driver should
make use of a particular feature that it supports. These helpers
abstract the implementation of how the feature availability is
encoded.
Signed-off-by: Doug Berger <opendmb@gmail.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://patch.msgid.link/20250306192643.2383632-3-opendmb@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 5393b2b5bee2 ("net: bcmgenet: fix racing timeout handler")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/broadcom/genet/bcmgenet.c | 20 +++++++-------
.../net/ethernet/broadcom/genet/bcmgenet.h | 27 ++++++++++++++++++-
drivers/net/ethernet/broadcom/genet/bcmmii.c | 6 ++---
3 files changed, 39 insertions(+), 14 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
index 4d76c9aebd439..88d2a8c3d3baf 100644
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -104,7 +104,7 @@ static inline void dmadesc_set_addr(struct bcmgenet_priv *priv,
* the platform is explicitly configured for 64-bits/LPAE.
*/
#ifdef CONFIG_PHYS_ADDR_T_64BIT
- if (priv->hw_params->flags & GENET_HAS_40BITS)
+ if (bcmgenet_has_40bits(priv))
bcmgenet_writel(upper_32_bits(addr), d + DMA_DESC_ADDRESS_HI);
#endif
}
@@ -1648,9 +1648,9 @@ static int bcmgenet_power_down(struct bcmgenet_priv *priv,
case GENET_POWER_PASSIVE:
/* Power down LED */
- if (priv->hw_params->flags & GENET_HAS_EXT) {
+ if (bcmgenet_has_ext(priv)) {
reg = bcmgenet_ext_readl(priv, EXT_EXT_PWR_MGMT);
- if (GENET_IS_V5(priv) && !priv->ephy_16nm)
+ if (GENET_IS_V5(priv) && !bcmgenet_has_ephy_16nm(priv))
reg |= EXT_PWR_DOWN_PHY_EN |
EXT_PWR_DOWN_PHY_RD |
EXT_PWR_DOWN_PHY_SD |
@@ -1678,7 +1678,7 @@ static void bcmgenet_power_up(struct bcmgenet_priv *priv,
{
u32 reg;
- if (!(priv->hw_params->flags & GENET_HAS_EXT))
+ if (!bcmgenet_has_ext(priv))
return;
reg = bcmgenet_ext_readl(priv, EXT_EXT_PWR_MGMT);
@@ -1687,7 +1687,7 @@ static void bcmgenet_power_up(struct bcmgenet_priv *priv,
case GENET_POWER_PASSIVE:
reg &= ~(EXT_PWR_DOWN_DLL | EXT_PWR_DOWN_BIAS |
EXT_ENERGY_DET_MASK);
- if (GENET_IS_V5(priv) && !priv->ephy_16nm) {
+ if (GENET_IS_V5(priv) && !bcmgenet_has_ephy_16nm(priv)) {
reg &= ~(EXT_PWR_DOWN_PHY_EN |
EXT_PWR_DOWN_PHY_RD |
EXT_PWR_DOWN_PHY_SD |
@@ -2520,7 +2520,7 @@ static void bcmgenet_link_intr_enable(struct bcmgenet_priv *priv)
} else if (priv->ext_phy) {
int0_enable |= UMAC_IRQ_LINK_EVENT;
} else if (priv->phy_interface == PHY_INTERFACE_MODE_MOCA) {
- if (priv->hw_params->flags & GENET_HAS_MOCA_LINK_DET)
+ if (bcmgenet_has_moca_link_det(priv))
int0_enable |= UMAC_IRQ_LINK_EVENT;
}
bcmgenet_intrl2_0_writel(priv, int0_enable, INTRL2_CPU_MASK_CLEAR);
@@ -2585,7 +2585,7 @@ static void init_umac(struct bcmgenet_priv *priv)
}
/* Enable MDIO interrupts on GENET v3+ */
- if (priv->hw_params->flags & GENET_HAS_MDIO_INTR)
+ if (bcmgenet_has_mdio_intr(priv))
int0_enable |= (UMAC_IRQ_MDIO_DONE | UMAC_IRQ_MDIO_ERROR);
bcmgenet_intrl2_0_writel(priv, int0_enable, INTRL2_CPU_MASK_CLEAR);
@@ -3225,7 +3225,7 @@ static irqreturn_t bcmgenet_isr0(int irq, void *dev_id)
}
}
- if ((priv->hw_params->flags & GENET_HAS_MDIO_INTR) &&
+ if (bcmgenet_has_mdio_intr(priv) &&
status & (UMAC_IRQ_MDIO_DONE | UMAC_IRQ_MDIO_ERROR)) {
wake_up(&priv->wq);
}
@@ -3895,7 +3895,7 @@ static void bcmgenet_set_hw_params(struct bcmgenet_priv *priv)
}
#ifdef CONFIG_PHYS_ADDR_T_64BIT
- if (!(params->flags & GENET_HAS_40BITS))
+ if (!bcmgenet_has_40bits(priv))
pr_warn("GENET does not support 40-bits PA\n");
#endif
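Review bot: This conversion is not purely mechanical. The old test read `params->flags` from the local pointer, while bcmgenet_has_40bits(priv) dereferences priv->hw_params. The two are equivalent only if priv->hw_params has already been assigned from params earlier in bcmgenet_set_hw_params(); if the assignment comes later, or is absent on 6.1, this becomes a NULL or stale pointer dereference. Please confirm the assignment precedes this line in the 6.1 source.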
@@ -4074,7 +4074,7 @@ static int bcmgenet_probe(struct platform_device *pdev)
bcmgenet_set_hw_params(priv);
err = -EIO;
- if (priv->hw_params->flags & GENET_HAS_40BITS)
+ if (bcmgenet_has_40bits(priv))
err = dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(40));
if (err)
err = dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(32));
diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.h b/drivers/net/ethernet/broadcom/genet/bcmgenet.h
index 28e2c94ef835c..ba83819210aa8 100644
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.h
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.h
@@ -1,6 +1,6 @@
/* SPDX-License-Identifier: GPL-2.0-only */
/*
- * Copyright (c) 2014-2024 Broadcom
+ * Copyright (c) 2014-2025 Broadcom
*/
#ifndef __BCMGENET_H__
@@ -650,6 +650,31 @@ struct bcmgenet_priv {
struct ethtool_eee eee;
};
+static inline bool bcmgenet_has_40bits(struct bcmgenet_priv *priv)
+{
+ return !!(priv->hw_params->flags & GENET_HAS_40BITS);
+}
+
+static inline bool bcmgenet_has_ext(struct bcmgenet_priv *priv)
+{
+ return !!(priv->hw_params->flags & GENET_HAS_EXT);
+}
+
+static inline bool bcmgenet_has_mdio_intr(struct bcmgenet_priv *priv)
+{
+ return !!(priv->hw_params->flags & GENET_HAS_MDIO_INTR);
+}
+
+static inline bool bcmgenet_has_moca_link_det(struct bcmgenet_priv *priv)
+{
+ return !!(priv->hw_params->flags & GENET_HAS_MOCA_LINK_DET);
+}
+
+static inline bool bcmgenet_has_ephy_16nm(struct bcmgenet_priv *priv)
+{
+ return priv->ephy_16nm;
+}
+
#define GENET_IO_MACRO(name, offset) \
static inline u32 bcmgenet_##name##_readl(struct bcmgenet_priv *priv, \
u32 off) \
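Review bot: The five helpers only read through priv, so they should take `const struct bcmgenet_priv *priv`; as written they cannot be called from code that holds a const pointer. bcmgenet_has_ephy_16nm() also differs from the other four in returning priv->ephy_16nm directly with no `!!`, which is fine if that field is a bool but is worth a glance, since the stated purpose of the helpers is to hide how each feature is encoded.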
diff --git a/drivers/net/ethernet/broadcom/genet/bcmmii.c b/drivers/net/ethernet/broadcom/genet/bcmmii.c
index f21f2aaa6fd91..3836ea92527f3 100644
--- a/drivers/net/ethernet/broadcom/genet/bcmmii.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c
@@ -2,7 +2,7 @@
/*
* Broadcom GENET MDIO routines
*
- * Copyright (c) 2014-2024 Broadcom
+ * Copyright (c) 2014-2025 Broadcom
*/
#include <linux/acpi.h>
@@ -153,7 +153,7 @@ void bcmgenet_phy_power_set(struct net_device *dev, bool enable)
u32 reg = 0;
/* EXT_GPHY_CTRL is only valid for GENETv4 and onward */
- if (GENET_IS_V4(priv) || priv->ephy_16nm) {
+ if (GENET_IS_V4(priv) || bcmgenet_has_ephy_16nm(priv)) {
reg = bcmgenet_ext_readl(priv, EXT_GPHY_CTRL);
if (enable) {
reg &= ~EXT_CK25_DIS;
@@ -183,7 +183,7 @@ void bcmgenet_phy_power_set(struct net_device *dev, bool enable)
static void bcmgenet_moca_phy_setup(struct bcmgenet_priv *priv)
{
- if (priv->hw_params->flags & GENET_HAS_MOCA_LINK_DET)
+ if (bcmgenet_has_moca_link_det(priv))
fixed_phy_set_link_update(priv->dev->phydev,
bcmgenet_fixed_phy_link_update);
}
--
2.53.0
* [PATCH 6.1 472/969] net: bcmgenet: move DESC_INDEX flow to ring 0
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (470 preceding siblings ...)
2026-05-30 15:59 ` [PATCH 6.1 471/969] net: bcmgenet: add bcmgenet_has_* helpers Greg Kroah-Hartman
@ 2026-05-30 15:59 ` Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 473/969] net: bcmgenet: support reclaiming unsent Tx packets Greg Kroah-Hartman
` (503 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Doug Berger, Florian Fainelli,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Doug Berger <opendmb@gmail.com>
[ Upstream commit 3b5d4f5a820d362dd46472542b2e961fb1f93515 ]
The default transmit and receive packet handling is moved from
the DESC_INDEX (i.e. 16) descriptor rings to the Ring 0 queues.
This saves a fair amount of special case code by unifying the
handling.
A default dummy filter is enabled in the Hardware Filter Block
to route default receive packets to Ring 0.
Signed-off-by: Doug Berger <opendmb@gmail.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://patch.msgid.link/20250306192643.2383632-7-opendmb@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 5393b2b5bee2 ("net: bcmgenet: fix racing timeout handler")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/broadcom/genet/bcmgenet.c | 369 +++++-------------
.../net/ethernet/broadcom/genet/bcmgenet.h | 12 +-
.../ethernet/broadcom/genet/bcmgenet_wol.c | 4 +-
3 files changed, 110 insertions(+), 275 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
index 88d2a8c3d3baf..9f670bbecc726 100644
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -41,15 +41,13 @@
#include "bcmgenet.h"
-/* Maximum number of hardware queues, downsized if needed */
-#define GENET_MAX_MQ_CNT 4
-
/* Default highest priority queue for multi queue support */
-#define GENET_Q0_PRIORITY 0
+#define GENET_Q1_PRIORITY 0
+#define GENET_Q0_PRIORITY 1
-#define GENET_Q16_RX_BD_CNT \
+#define GENET_Q0_RX_BD_CNT \
(TOTAL_DESC - priv->hw_params->rx_queues * priv->hw_params->rx_bds_per_q)
-#define GENET_Q16_TX_BD_CNT \
+#define GENET_Q0_TX_BD_CNT \
(TOTAL_DESC - priv->hw_params->tx_queues * priv->hw_params->tx_bds_per_q)
#define RX_BUF_LENGTH 2048
@@ -603,7 +601,7 @@ static void bcmgenet_hfb_create_rxnfc_filter(struct bcmgenet_priv *priv,
u16 mask_16;
size_t size;
- f = fs->location;
+ f = fs->location + 1;
if (fs->flow_type & FLOW_MAC_EXT) {
bcmgenet_hfb_insert_data(priv, f, 0,
&fs->h_ext.h_dest, &fs->m_ext.h_dest,
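Review bot: `f = fs->location + 1` moves every user rule up one hardware filter slot, but none of the hunks in this patch tightens the accepted range of fs->location, so the highest location now lands one slot further up than before. Please confirm that location + 1 stays below hw_params->hfb_filter_cnt (the bound bcmgenet_hfb_clear() iterates to) on every supported GENET version, or reject the top location in bcmgenet_insert_flow() so the write cannot fall outside the filter table.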
@@ -685,19 +683,14 @@ static void bcmgenet_hfb_create_rxnfc_filter(struct bcmgenet_priv *priv,
}
bcmgenet_hfb_set_filter_length(priv, f, 2 * f_length);
- if (!fs->ring_cookie || fs->ring_cookie == RX_CLS_FLOW_WAKE) {
- /* Ring 0 flows can be handled by the default Descriptor Ring
- * We'll map them to ring 0, but don't enable the filter
- */
+ if (fs->ring_cookie == RX_CLS_FLOW_WAKE)
bcmgenet_hfb_set_filter_rx_queue_mapping(priv, f, 0);
- rule->state = BCMGENET_RXNFC_STATE_DISABLED;
- } else {
+ else
/* Other Rx rings are direct mapped here */
bcmgenet_hfb_set_filter_rx_queue_mapping(priv, f,
fs->ring_cookie);
- bcmgenet_hfb_enable_filter(priv, f);
- rule->state = BCMGENET_RXNFC_STATE_ENABLED;
- }
+ bcmgenet_hfb_enable_filter(priv, f);
+ rule->state = BCMGENET_RXNFC_STATE_ENABLED;
}
/* bcmgenet_hfb_clear
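Review bot: the new brace-less `else` is followed by a comment and a wrapped two-line call, and the `bcmgenet_hfb_enable_filter(priv, f)` / `rule->state = ...` lines after it now run for both branches; braces on both arms would make that obvious to the next reader. The retained comment "Other Rx rings are direct mapped here" also now covers ring_cookie 0, and rules with ring_cookie 0 or RX_CLS_FLOW_WAKE change from BCMGENET_RXNFC_STATE_DISABLED to always ENABLED, which the commit message does not mention.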
@@ -733,6 +726,10 @@ static void bcmgenet_hfb_clear(struct bcmgenet_priv *priv)
for (i = 0; i < priv->hw_params->hfb_filter_cnt; i++)
bcmgenet_hfb_clear_filter(priv, i);
+
+ /* Enable filter 0 to send default flow to ring 0 */
+ bcmgenet_hfb_set_filter_length(priv, 0, 4);
+ bcmgenet_hfb_enable_filter(priv, 0);
}
static void bcmgenet_hfb_init(struct bcmgenet_priv *priv)
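Review bot: the literal 4 in `bcmgenet_hfb_set_filter_length(priv, 0, 4)` is unexplained, and bcmgenet_hfb_clear() now leaves filter 0 enabled, which a function named "clear" does not suggest. Please extend the comment to say what the length encodes and why this dummy filter catches the default flow, and either note the side effect in the function's header comment or do the enable in bcmgenet_hfb_init().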
@@ -837,20 +834,16 @@ static int bcmgenet_get_coalesce(struct net_device *dev,
unsigned int i;
ec->tx_max_coalesced_frames =
- bcmgenet_tdma_ring_readl(priv, DESC_INDEX,
- DMA_MBUF_DONE_THRESH);
+ bcmgenet_tdma_ring_readl(priv, 0, DMA_MBUF_DONE_THRESH);
ec->rx_max_coalesced_frames =
- bcmgenet_rdma_ring_readl(priv, DESC_INDEX,
- DMA_MBUF_DONE_THRESH);
+ bcmgenet_rdma_ring_readl(priv, 0, DMA_MBUF_DONE_THRESH);
ec->rx_coalesce_usecs =
- bcmgenet_rdma_readl(priv, DMA_RING16_TIMEOUT) * 8192 / 1000;
+ bcmgenet_rdma_readl(priv, DMA_RING0_TIMEOUT) * 8192 / 1000;
- for (i = 0; i < priv->hw_params->rx_queues; i++) {
+ for (i = 0; i <= priv->hw_params->rx_queues; i++) {
ring = &priv->rx_rings[i];
ec->use_adaptive_rx_coalesce |= ring->dim.use_dim;
}
- ring = &priv->rx_rings[DESC_INDEX];
- ec->use_adaptive_rx_coalesce |= ring->dim.use_dim;
return 0;
}
@@ -920,17 +913,13 @@ static int bcmgenet_set_coalesce(struct net_device *dev,
/* Program all TX queues with the same values, as there is no
* ethtool knob to do coalescing on a per-queue basis
*/
- for (i = 0; i < priv->hw_params->tx_queues; i++)
+ for (i = 0; i <= priv->hw_params->tx_queues; i++)
bcmgenet_tdma_ring_writel(priv, i,
ec->tx_max_coalesced_frames,
DMA_MBUF_DONE_THRESH);
- bcmgenet_tdma_ring_writel(priv, DESC_INDEX,
- ec->tx_max_coalesced_frames,
- DMA_MBUF_DONE_THRESH);
- for (i = 0; i < priv->hw_params->rx_queues; i++)
+ for (i = 0; i <= priv->hw_params->rx_queues; i++)
bcmgenet_set_ring_rx_coalesce(&priv->rx_rings[i], ec);
- bcmgenet_set_ring_rx_coalesce(&priv->rx_rings[DESC_INDEX], ec);
return 0;
}
@@ -1138,7 +1127,7 @@ static const struct bcmgenet_stats bcmgenet_gstrings_stats[] = {
STAT_GENET_Q(1),
STAT_GENET_Q(2),
STAT_GENET_Q(3),
- STAT_GENET_Q(16),
+ STAT_GENET_Q(4),
};
#define BCMGENET_STATS_LEN ARRAY_SIZE(bcmgenet_gstrings_stats)
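Review bot: swapping `STAT_GENET_Q(16)` for `STAT_GENET_Q(4)` changes what the per-queue entries of bcmgenet_gstrings_stats[] refer to, since entry 0 now covers the default ring rather than the first priority ring. If STAT_GENET_Q() builds the ethtool string names from its argument, the names userspace sees change as well; for a stable backport the commit message should say so, because monitoring keyed on the old names would read different counters without any error. The hard-coded 0..4 list could also be tied to GENET_MAX_MQ_CNT in a comment.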
@@ -1469,10 +1458,10 @@ static int bcmgenet_insert_flow(struct net_device *dev,
loc_rule = &priv->rxnfc_rules[cmd->fs.location];
if (loc_rule->state == BCMGENET_RXNFC_STATE_ENABLED)
- bcmgenet_hfb_disable_filter(priv, cmd->fs.location);
+ bcmgenet_hfb_disable_filter(priv, cmd->fs.location + 1);
if (loc_rule->state != BCMGENET_RXNFC_STATE_UNUSED) {
list_del(&loc_rule->list);
- bcmgenet_hfb_clear_filter(priv, cmd->fs.location);
+ bcmgenet_hfb_clear_filter(priv, cmd->fs.location + 1);
}
loc_rule->state = BCMGENET_RXNFC_STATE_UNUSED;
memcpy(&loc_rule->fs, &cmd->fs,
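Review bot: the `+ 1` between an ethtool rule location and its hardware filter index is open-coded here twice and again in bcmgenet_delete_flow(), bcmgenet_hfb_create_rxnfc_filter() and bcmgenet_wol_power_down_cfg(), with no comment at any site saying that filter 0 is reserved for the default flow. A small helper that maps a location to a filter index, with that explanation in one place, would keep a future call site from using the raw location and touching filter 0 by mistake.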
@@ -1502,10 +1491,10 @@ static int bcmgenet_delete_flow(struct net_device *dev,
}
if (rule->state == BCMGENET_RXNFC_STATE_ENABLED)
- bcmgenet_hfb_disable_filter(priv, cmd->fs.location);
+ bcmgenet_hfb_disable_filter(priv, cmd->fs.location + 1);
if (rule->state != BCMGENET_RXNFC_STATE_UNUSED) {
list_del(&rule->list);
- bcmgenet_hfb_clear_filter(priv, cmd->fs.location);
+ bcmgenet_hfb_clear_filter(priv, cmd->fs.location + 1);
}
rule->state = BCMGENET_RXNFC_STATE_UNUSED;
memset(&rule->fs, 0, sizeof(struct ethtool_rx_flow_spec));
@@ -1756,18 +1745,6 @@ static struct enet_cb *bcmgenet_put_txcb(struct bcmgenet_priv *priv,
return tx_cb_ptr;
}
-static inline void bcmgenet_rx_ring16_int_disable(struct bcmgenet_rx_ring *ring)
-{
- bcmgenet_intrl2_0_writel(ring->priv, UMAC_IRQ_RXDMA_DONE,
- INTRL2_CPU_MASK_SET);
-}
-
-static inline void bcmgenet_rx_ring16_int_enable(struct bcmgenet_rx_ring *ring)
-{
- bcmgenet_intrl2_0_writel(ring->priv, UMAC_IRQ_RXDMA_DONE,
- INTRL2_CPU_MASK_CLEAR);
-}
-
static inline void bcmgenet_rx_ring_int_disable(struct bcmgenet_rx_ring *ring)
{
bcmgenet_intrl2_1_writel(ring->priv,
@@ -1782,18 +1759,6 @@ static inline void bcmgenet_rx_ring_int_enable(struct bcmgenet_rx_ring *ring)
INTRL2_CPU_MASK_CLEAR);
}
-static inline void bcmgenet_tx_ring16_int_disable(struct bcmgenet_tx_ring *ring)
-{
- bcmgenet_intrl2_0_writel(ring->priv, UMAC_IRQ_TXDMA_DONE,
- INTRL2_CPU_MASK_SET);
-}
-
-static inline void bcmgenet_tx_ring16_int_enable(struct bcmgenet_tx_ring *ring)
-{
- bcmgenet_intrl2_0_writel(ring->priv, UMAC_IRQ_TXDMA_DONE,
- INTRL2_CPU_MASK_CLEAR);
-}
-
static inline void bcmgenet_tx_ring_int_enable(struct bcmgenet_tx_ring *ring)
{
bcmgenet_intrl2_1_writel(ring->priv, 1 << ring->index,
@@ -1874,12 +1839,7 @@ static unsigned int __bcmgenet_tx_reclaim(struct net_device *dev,
struct sk_buff *skb;
/* Clear status before servicing to reduce spurious interrupts */
- if (ring->index == DESC_INDEX)
- bcmgenet_intrl2_0_writel(priv, UMAC_IRQ_TXDMA_DONE,
- INTRL2_CPU_CLEAR);
- else
- bcmgenet_intrl2_1_writel(priv, (1 << ring->index),
- INTRL2_CPU_CLEAR);
+ bcmgenet_intrl2_1_writel(priv, (1 << ring->index), INTRL2_CPU_CLEAR);
/* Compute how many buffers are transmitted since last xmit call */
c_index = bcmgenet_tdma_ring_readl(priv, ring->index, TDMA_CONS_INDEX)
@@ -1913,7 +1873,7 @@ static unsigned int __bcmgenet_tx_reclaim(struct net_device *dev,
ring->packets += pkts_compl;
ring->bytes += bytes_compl;
- netdev_tx_completed_queue(netdev_get_tx_queue(dev, ring->queue),
+ netdev_tx_completed_queue(netdev_get_tx_queue(dev, ring->index),
pkts_compl, bytes_compl);
return txbds_processed;
@@ -1941,14 +1901,14 @@ static int bcmgenet_tx_poll(struct napi_struct *napi, int budget)
spin_lock(&ring->lock);
work_done = __bcmgenet_tx_reclaim(ring->priv->dev, ring);
if (ring->free_bds > (MAX_SKB_FRAGS + 1)) {
- txq = netdev_get_tx_queue(ring->priv->dev, ring->queue);
+ txq = netdev_get_tx_queue(ring->priv->dev, ring->index);
netif_tx_wake_queue(txq);
}
spin_unlock(&ring->lock);
if (work_done == 0) {
napi_complete(napi);
- ring->int_enable(ring);
+ bcmgenet_tx_ring_int_enable(ring);
return 0;
}
@@ -1959,14 +1919,11 @@ static int bcmgenet_tx_poll(struct napi_struct *napi, int budget)
static void bcmgenet_tx_reclaim_all(struct net_device *dev)
{
struct bcmgenet_priv *priv = netdev_priv(dev);
- int i;
-
- if (netif_is_multiqueue(dev)) {
- for (i = 0; i < priv->hw_params->tx_queues; i++)
- bcmgenet_tx_reclaim(dev, &priv->tx_rings[i]);
- }
+ int i = 0;
- bcmgenet_tx_reclaim(dev, &priv->tx_rings[DESC_INDEX]);
+ do {
+ bcmgenet_tx_reclaim(dev, &priv->tx_rings[i++]);
+ } while (i <= priv->hw_params->tx_queues && netif_is_multiqueue(dev));
}
/* Reallocate the SKB to put enough headroom in front of it and insert
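Review bot: the do/while in bcmgenet_tx_reclaim_all() hides the loop bound behind a post-increment inside the call argument and re-evaluates netif_is_multiqueue(dev) on every pass. A plain `for (i = 0; i <= priv->hw_params->tx_queues; i++)` as used by every other loop in this patch would be easier to audit; if the single-queue special case is still needed, a short comment should say why this is the only loop that keeps it.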
@@ -2054,19 +2011,14 @@ static netdev_tx_t bcmgenet_xmit(struct sk_buff *skb, struct net_device *dev)
index = skb_get_queue_mapping(skb);
/* Mapping strategy:
- * queue_mapping = 0, unclassified, packet xmited through ring16
- * queue_mapping = 1, goes to ring 0. (highest priority queue
- * queue_mapping = 2, goes to ring 1.
- * queue_mapping = 3, goes to ring 2.
- * queue_mapping = 4, goes to ring 3.
+ * queue_mapping = 0, unclassified, packet xmited through ring 0
+ * queue_mapping = 1, goes to ring 1. (highest priority queue)
+ * queue_mapping = 2, goes to ring 2.
+ * queue_mapping = 3, goes to ring 3.
+ * queue_mapping = 4, goes to ring 4.
*/
- if (index == 0)
- index = DESC_INDEX;
- else
- index -= 1;
-
ring = &priv->tx_rings[index];
- txq = netdev_get_tx_queue(dev, ring->queue);
+ txq = netdev_get_tx_queue(dev, index);
nr_frags = skb_shinfo(skb)->nr_frags;
@@ -2239,15 +2191,8 @@ static unsigned int bcmgenet_desc_rx(struct bcmgenet_rx_ring *ring,
unsigned int discards;
/* Clear status before servicing to reduce spurious interrupts */
- if (ring->index == DESC_INDEX) {
- bcmgenet_intrl2_0_writel(priv, UMAC_IRQ_RXDMA_DONE,
- INTRL2_CPU_CLEAR);
- } else {
- mask = 1 << (UMAC_IRQ1_RX_INTR_SHIFT + ring->index);
- bcmgenet_intrl2_1_writel(priv,
- mask,
- INTRL2_CPU_CLEAR);
- }
+ mask = 1 << (UMAC_IRQ1_RX_INTR_SHIFT + ring->index);
+ bcmgenet_intrl2_1_writel(priv, mask, INTRL2_CPU_CLEAR);
p_index = bcmgenet_rdma_ring_readl(priv, ring->index, RDMA_PROD_INDEX);
@@ -2396,7 +2341,7 @@ static int bcmgenet_rx_poll(struct napi_struct *napi, int budget)
if (work_done < budget) {
napi_complete_done(napi, work_done);
- ring->int_enable(ring);
+ bcmgenet_rx_ring_int_enable(ring);
}
if (ring->dim.use_dim) {
@@ -2636,15 +2581,6 @@ static void bcmgenet_init_tx_ring(struct bcmgenet_priv *priv,
spin_lock_init(&ring->lock);
ring->priv = priv;
ring->index = index;
- if (index == DESC_INDEX) {
- ring->queue = 0;
- ring->int_enable = bcmgenet_tx_ring16_int_enable;
- ring->int_disable = bcmgenet_tx_ring16_int_disable;
- } else {
- ring->queue = index + 1;
- ring->int_enable = bcmgenet_tx_ring_int_enable;
- ring->int_disable = bcmgenet_tx_ring_int_disable;
- }
ring->cbs = priv->tx_cbs + start_ptr;
ring->size = size;
ring->clean_ptr = start_ptr;
@@ -2655,8 +2591,8 @@ static void bcmgenet_init_tx_ring(struct bcmgenet_priv *priv,
ring->end_ptr = end_ptr - 1;
ring->prod_index = 0;
- /* Set flow period for ring != 16 */
- if (index != DESC_INDEX)
+ /* Set flow period for ring != 0 */
+ if (index)
flow_period_val = ENET_MAX_MTU_SIZE << 16;
bcmgenet_tdma_ring_writel(priv, index, 0, TDMA_PROD_INDEX);
@@ -2694,13 +2630,6 @@ static int bcmgenet_init_rx_ring(struct bcmgenet_priv *priv,
ring->priv = priv;
ring->index = index;
- if (index == DESC_INDEX) {
- ring->int_enable = bcmgenet_rx_ring16_int_enable;
- ring->int_disable = bcmgenet_rx_ring16_int_disable;
- } else {
- ring->int_enable = bcmgenet_rx_ring_int_enable;
- ring->int_disable = bcmgenet_rx_ring_int_disable;
- }
ring->cbs = priv->rx_cbs + start_ptr;
ring->size = size;
ring->c_index = 0;
@@ -2746,15 +2675,11 @@ static void bcmgenet_enable_tx_napi(struct bcmgenet_priv *priv)
unsigned int i;
struct bcmgenet_tx_ring *ring;
- for (i = 0; i < priv->hw_params->tx_queues; ++i) {
+ for (i = 0; i <= priv->hw_params->tx_queues; ++i) {
ring = &priv->tx_rings[i];
napi_enable(&ring->napi);
- ring->int_enable(ring);
+ bcmgenet_tx_ring_int_enable(ring);
}
-
- ring = &priv->tx_rings[DESC_INDEX];
- napi_enable(&ring->napi);
- ring->int_enable(ring);
}
static void bcmgenet_disable_tx_napi(struct bcmgenet_priv *priv)
@@ -2762,13 +2687,10 @@ static void bcmgenet_disable_tx_napi(struct bcmgenet_priv *priv)
unsigned int i;
struct bcmgenet_tx_ring *ring;
- for (i = 0; i < priv->hw_params->tx_queues; ++i) {
+ for (i = 0; i <= priv->hw_params->tx_queues; ++i) {
ring = &priv->tx_rings[i];
napi_disable(&ring->napi);
}
-
- ring = &priv->tx_rings[DESC_INDEX];
- napi_disable(&ring->napi);
}
static void bcmgenet_fini_tx_napi(struct bcmgenet_priv *priv)
@@ -2776,33 +2698,31 @@ static void bcmgenet_fini_tx_napi(struct bcmgenet_priv *priv)
unsigned int i;
struct bcmgenet_tx_ring *ring;
- for (i = 0; i < priv->hw_params->tx_queues; ++i) {
+ for (i = 0; i <= priv->hw_params->tx_queues; ++i) {
ring = &priv->tx_rings[i];
netif_napi_del(&ring->napi);
}
-
- ring = &priv->tx_rings[DESC_INDEX];
- netif_napi_del(&ring->napi);
}
/* Initialize Tx queues
*
- * Queues 0-3 are priority-based, each one has 32 descriptors,
- * with queue 0 being the highest priority queue.
+ * Queues 1-4 are priority-based, each one has 32 descriptors,
+ * with queue 1 being the highest priority queue.
*
- * Queue 16 is the default Tx queue with
- * GENET_Q16_TX_BD_CNT = 256 - 4 * 32 = 128 descriptors.
+ * Queue 0 is the default Tx queue with
+ * GENET_Q0_TX_BD_CNT = 256 - 4 * 32 = 128 descriptors.
*
* The transmit control block pool is then partitioned as follows:
- * - Tx queue 0 uses tx_cbs[0..31]
- * - Tx queue 1 uses tx_cbs[32..63]
- * - Tx queue 2 uses tx_cbs[64..95]
- * - Tx queue 3 uses tx_cbs[96..127]
- * - Tx queue 16 uses tx_cbs[128..255]
+ * - Tx queue 0 uses tx_cbs[0..127]
+ * - Tx queue 1 uses tx_cbs[128..159]
+ * - Tx queue 2 uses tx_cbs[160..191]
+ * - Tx queue 3 uses tx_cbs[192..223]
+ * - Tx queue 4 uses tx_cbs[224..255]
*/
static void bcmgenet_init_tx_queues(struct net_device *dev)
{
struct bcmgenet_priv *priv = netdev_priv(dev);
+ unsigned int start = 0, end = GENET_Q0_TX_BD_CNT;
u32 i, dma_enable;
u32 dma_ctrl, ring_cfg;
u32 dma_priority[3] = {0, 0, 0};
@@ -2819,27 +2739,17 @@ static void bcmgenet_init_tx_queues(struct net_device *dev)
bcmgenet_tdma_writel(priv, DMA_ARBITER_SP, DMA_ARB_CTRL);
/* Initialize Tx priority queues */
- for (i = 0; i < priv->hw_params->tx_queues; i++) {
- bcmgenet_init_tx_ring(priv, i, priv->hw_params->tx_bds_per_q,
- i * priv->hw_params->tx_bds_per_q,
- (i + 1) * priv->hw_params->tx_bds_per_q);
+ for (i = 0; i <= priv->hw_params->tx_queues; i++) {
+ bcmgenet_init_tx_ring(priv, i, end - start, start, end);
+ start = end;
+ end += priv->hw_params->tx_bds_per_q;
ring_cfg |= (1 << i);
dma_ctrl |= (1 << (i + DMA_RING_BUF_EN_SHIFT));
dma_priority[DMA_PRIO_REG_INDEX(i)] |=
- ((GENET_Q0_PRIORITY + i) << DMA_PRIO_REG_SHIFT(i));
+ (i ? GENET_Q1_PRIORITY : GENET_Q0_PRIORITY)
+ << DMA_PRIO_REG_SHIFT(i);
}
- /* Initialize Tx default queue 16 */
- bcmgenet_init_tx_ring(priv, DESC_INDEX, GENET_Q16_TX_BD_CNT,
- priv->hw_params->tx_queues *
- priv->hw_params->tx_bds_per_q,
- TOTAL_DESC);
- ring_cfg |= (1 << DESC_INDEX);
- dma_ctrl |= (1 << (DESC_INDEX + DMA_RING_BUF_EN_SHIFT));
- dma_priority[DMA_PRIO_REG_INDEX(DESC_INDEX)] |=
- ((GENET_Q0_PRIORITY + priv->hw_params->tx_queues) <<
- DMA_PRIO_REG_SHIFT(DESC_INDEX));
-
/* Set Tx queue priorities */
bcmgenet_tdma_writel(priv, dma_priority[0], DMA_PRIORITY_0);
bcmgenet_tdma_writel(priv, dma_priority[1], DMA_PRIORITY_1);
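Review bot: `(i ? GENET_Q1_PRIORITY : GENET_Q0_PRIORITY)` gives rings 1..tx_queues the same priority value 0 and ring 0 the value 1, whereas the removed code programmed `GENET_Q0_PRIORITY + i`, a distinct value per ring. The updated header comment above bcmgenet_init_tx_queues() still says "queue 1 being the highest priority queue", which no longer distinguishes it from queues 2-4. If flattening the priorities is intended, the comment and the commit message should say so; if not, the per-ring offset needs to be kept.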
@@ -2859,15 +2769,11 @@ static void bcmgenet_enable_rx_napi(struct bcmgenet_priv *priv)
unsigned int i;
struct bcmgenet_rx_ring *ring;
- for (i = 0; i < priv->hw_params->rx_queues; ++i) {
+ for (i = 0; i <= priv->hw_params->rx_queues; ++i) {
ring = &priv->rx_rings[i];
napi_enable(&ring->napi);
- ring->int_enable(ring);
+ bcmgenet_rx_ring_int_enable(ring);
}
-
- ring = &priv->rx_rings[DESC_INDEX];
- napi_enable(&ring->napi);
- ring->int_enable(ring);
}
static void bcmgenet_disable_rx_napi(struct bcmgenet_priv *priv)
@@ -2875,15 +2781,11 @@ static void bcmgenet_disable_rx_napi(struct bcmgenet_priv *priv)
unsigned int i;
struct bcmgenet_rx_ring *ring;
- for (i = 0; i < priv->hw_params->rx_queues; ++i) {
+ for (i = 0; i <= priv->hw_params->rx_queues; ++i) {
ring = &priv->rx_rings[i];
napi_disable(&ring->napi);
cancel_work_sync(&ring->dim.dim.work);
}
-
- ring = &priv->rx_rings[DESC_INDEX];
- napi_disable(&ring->napi);
- cancel_work_sync(&ring->dim.dim.work);
}
static void bcmgenet_fini_rx_napi(struct bcmgenet_priv *priv)
@@ -2891,13 +2793,10 @@ static void bcmgenet_fini_rx_napi(struct bcmgenet_priv *priv)
unsigned int i;
struct bcmgenet_rx_ring *ring;
- for (i = 0; i < priv->hw_params->rx_queues; ++i) {
+ for (i = 0; i <= priv->hw_params->rx_queues; ++i) {
ring = &priv->rx_rings[i];
netif_napi_del(&ring->napi);
}
-
- ring = &priv->rx_rings[DESC_INDEX];
- netif_napi_del(&ring->napi);
}
/* Initialize Rx queues
@@ -2905,15 +2804,13 @@ static void bcmgenet_fini_rx_napi(struct bcmgenet_priv *priv)
* Queues 0-15 are priority queues. Hardware Filtering Block (HFB) can be
* used to direct traffic to these queues.
*
- * Queue 16 is the default Rx queue with GENET_Q16_RX_BD_CNT descriptors.
+ * Queue 0 is also the default Rx queue with GENET_Q0_RX_BD_CNT descriptors.
*/
static int bcmgenet_init_rx_queues(struct net_device *dev)
{
struct bcmgenet_priv *priv = netdev_priv(dev);
- u32 i;
- u32 dma_enable;
- u32 dma_ctrl;
- u32 ring_cfg;
+ unsigned int start = 0, end = GENET_Q0_RX_BD_CNT;
+ u32 i, dma_enable, dma_ctrl = 0, ring_cfg = 0;
int ret;
dma_ctrl = bcmgenet_rdma_readl(priv, DMA_CTRL);
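Review bot: the new `dma_ctrl = 0, ring_cfg = 0` initializers in bcmgenet_init_rx_queues() are dead stores, because dma_ctrl is overwritten by `bcmgenet_rdma_readl(priv, DMA_CTRL)` in the very next statement and ring_cfg is assigned 0 again before the loop. Dropping the initializers keeps the declaration honest about where the values come from. The unchanged header text "Queues 0-15 are priority queues" also reads oddly next to "Queue 0 is also the default Rx queue" and could be reworded in the same pass.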
@@ -2925,34 +2822,21 @@ static int bcmgenet_init_rx_queues(struct net_device *dev)
ring_cfg = 0;
/* Initialize Rx priority queues */
- for (i = 0; i < priv->hw_params->rx_queues; i++) {
- ret = bcmgenet_init_rx_ring(priv, i,
- priv->hw_params->rx_bds_per_q,
- i * priv->hw_params->rx_bds_per_q,
- (i + 1) *
- priv->hw_params->rx_bds_per_q);
+ for (i = 0; i <= priv->hw_params->rx_queues; i++) {
+ ret = bcmgenet_init_rx_ring(priv, i, end - start, start, end);
if (ret)
return ret;
+ start = end;
+ end += priv->hw_params->rx_bds_per_q;
ring_cfg |= (1 << i);
dma_ctrl |= (1 << (i + DMA_RING_BUF_EN_SHIFT));
}
- /* Initialize Rx default queue 16 */
- ret = bcmgenet_init_rx_ring(priv, DESC_INDEX, GENET_Q16_RX_BD_CNT,
- priv->hw_params->rx_queues *
- priv->hw_params->rx_bds_per_q,
- TOTAL_DESC);
- if (ret)
- return ret;
-
- ring_cfg |= (1 << DESC_INDEX);
- dma_ctrl |= (1 << (DESC_INDEX + DMA_RING_BUF_EN_SHIFT));
-
- /* Enable rings */
+ /* Configure Rx queues as descriptor rings */
bcmgenet_rdma_writel(priv, ring_cfg, DMA_RING_CFG);
- /* Configure ring as descriptor ring and re-enable DMA if enabled */
+ /* Enable Rx rings */
if (dma_enable)
dma_ctrl |= DMA_EN;
bcmgenet_rdma_writel(priv, dma_ctrl, DMA_CTRL);
@@ -3011,14 +2895,14 @@ static int bcmgenet_dma_teardown(struct bcmgenet_priv *priv)
}
dma_ctrl = 0;
- for (i = 0; i < priv->hw_params->rx_queues; i++)
+ for (i = 0; i <= priv->hw_params->rx_queues; i++)
dma_ctrl |= (1 << (i + DMA_RING_BUF_EN_SHIFT));
reg = bcmgenet_rdma_readl(priv, DMA_CTRL);
reg &= ~dma_ctrl;
bcmgenet_rdma_writel(priv, reg, DMA_CTRL);
dma_ctrl = 0;
- for (i = 0; i < priv->hw_params->tx_queues; i++)
+ for (i = 0; i <= priv->hw_params->tx_queues; i++)
dma_ctrl |= (1 << (i + DMA_RING_BUF_EN_SHIFT));
reg = bcmgenet_tdma_readl(priv, DMA_CTRL);
reg &= ~dma_ctrl;
@@ -3039,14 +2923,11 @@ static void bcmgenet_fini_dma(struct bcmgenet_priv *priv)
dev_kfree_skb(bcmgenet_free_tx_cb(&priv->pdev->dev,
priv->tx_cbs + i));
- for (i = 0; i < priv->hw_params->tx_queues; i++) {
- txq = netdev_get_tx_queue(priv->dev, priv->tx_rings[i].queue);
+ for (i = 0; i <= priv->hw_params->tx_queues; i++) {
+ txq = netdev_get_tx_queue(priv->dev, i);
netdev_tx_reset_queue(txq);
}
- txq = netdev_get_tx_queue(priv->dev, priv->tx_rings[DESC_INDEX].queue);
- netdev_tx_reset_queue(txq);
-
bcmgenet_free_rx_buffers(priv);
kfree(priv->rx_cbs);
kfree(priv->tx_cbs);
@@ -3139,7 +3020,7 @@ static void bcmgenet_irq_task(struct work_struct *work)
}
-/* bcmgenet_isr1: handle Rx and Tx priority queues */
+/* bcmgenet_isr1: handle Rx and Tx queues */
static irqreturn_t bcmgenet_isr1(int irq, void *dev_id)
{
struct bcmgenet_priv *priv = dev_id;
@@ -3158,7 +3039,7 @@ static irqreturn_t bcmgenet_isr1(int irq, void *dev_id)
"%s: IRQ=0x%x\n", __func__, status);
/* Check Rx priority queue interrupts */
- for (index = 0; index < priv->hw_params->rx_queues; index++) {
+ for (index = 0; index <= priv->hw_params->rx_queues; index++) {
if (!(status & BIT(UMAC_IRQ1_RX_INTR_SHIFT + index)))
continue;
@@ -3166,20 +3047,20 @@ static irqreturn_t bcmgenet_isr1(int irq, void *dev_id)
rx_ring->dim.event_ctr++;
if (likely(napi_schedule_prep(&rx_ring->napi))) {
- rx_ring->int_disable(rx_ring);
+ bcmgenet_rx_ring_int_disable(rx_ring);
__napi_schedule_irqoff(&rx_ring->napi);
}
}
/* Check Tx priority queue interrupts */
- for (index = 0; index < priv->hw_params->tx_queues; index++) {
+ for (index = 0; index <= priv->hw_params->tx_queues; index++) {
if (!(status & BIT(index)))
continue;
tx_ring = &priv->tx_rings[index];
if (likely(napi_schedule_prep(&tx_ring->napi))) {
- tx_ring->int_disable(tx_ring);
+ bcmgenet_tx_ring_int_disable(tx_ring);
__napi_schedule_irqoff(&tx_ring->napi);
}
}
@@ -3187,12 +3068,10 @@ static irqreturn_t bcmgenet_isr1(int irq, void *dev_id)
return IRQ_HANDLED;
}
-/* bcmgenet_isr0: handle Rx and Tx default queues + other stuff */
+/* bcmgenet_isr0: handle other stuff */
static irqreturn_t bcmgenet_isr0(int irq, void *dev_id)
{
struct bcmgenet_priv *priv = dev_id;
- struct bcmgenet_rx_ring *rx_ring;
- struct bcmgenet_tx_ring *tx_ring;
unsigned int status;
unsigned long flags;
@@ -3206,25 +3085,6 @@ static irqreturn_t bcmgenet_isr0(int irq, void *dev_id)
netif_dbg(priv, intr, priv->dev,
"IRQ=0x%x\n", status);
- if (status & UMAC_IRQ_RXDMA_DONE) {
- rx_ring = &priv->rx_rings[DESC_INDEX];
- rx_ring->dim.event_ctr++;
-
- if (likely(napi_schedule_prep(&rx_ring->napi))) {
- rx_ring->int_disable(rx_ring);
- __napi_schedule_irqoff(&rx_ring->napi);
- }
- }
-
- if (status & UMAC_IRQ_TXDMA_DONE) {
- tx_ring = &priv->tx_rings[DESC_INDEX];
-
- if (likely(napi_schedule_prep(&tx_ring->napi))) {
- tx_ring->int_disable(tx_ring);
- __napi_schedule_irqoff(&tx_ring->napi);
- }
- }
-
if (bcmgenet_has_mdio_intr(priv) &&
status & (UMAC_IRQ_MDIO_DONE | UMAC_IRQ_MDIO_ERROR)) {
wake_up(&priv->wq);
@@ -3290,15 +3150,15 @@ static u32 bcmgenet_dma_disable(struct bcmgenet_priv *priv, bool flush_rx)
u32 dma_ctrl;
/* disable DMA */
- dma_ctrl = 1 << (DESC_INDEX + DMA_RING_BUF_EN_SHIFT) | DMA_EN;
- for (i = 0; i < priv->hw_params->tx_queues; i++)
+ dma_ctrl = DMA_EN;
+ for (i = 0; i <= priv->hw_params->tx_queues; i++)
dma_ctrl |= (1 << (i + DMA_RING_BUF_EN_SHIFT));
reg = bcmgenet_tdma_readl(priv, DMA_CTRL);
reg &= ~dma_ctrl;
bcmgenet_tdma_writel(priv, reg, DMA_CTRL);
- dma_ctrl = 1 << (DESC_INDEX + DMA_RING_BUF_EN_SHIFT) | DMA_EN;
- for (i = 0; i < priv->hw_params->rx_queues; i++)
+ dma_ctrl = DMA_EN;
+ for (i = 0; i <= priv->hw_params->rx_queues; i++)
dma_ctrl |= (1 << (i + DMA_RING_BUF_EN_SHIFT));
reg = bcmgenet_rdma_readl(priv, DMA_CTRL);
reg &= ~dma_ctrl;
@@ -3381,6 +3241,9 @@ static int bcmgenet_open(struct net_device *dev)
bcmgenet_set_hw_addr(priv, dev->dev_addr);
+ /* HFB init */
+ bcmgenet_hfb_init(priv);
+
/* Disable RX/TX DMA and flush TX and RX queues */
dma_ctrl = bcmgenet_dma_disable(priv, true);
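Review bot: bcmgenet_hfb_init() is moved ahead of bcmgenet_dma_disable() in bcmgenet_open(), but the comment is still just "HFB init" and gives no reason for the new position. If the requirement is that filter 0 must be enabled before bcmgenet_enable_dma() so default traffic has a ring to land in, please state that in the comment so a later reordering does not quietly undo it.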
@@ -3391,12 +3254,8 @@ static int bcmgenet_open(struct net_device *dev)
goto err_clk_disable;
}
- /* Always enable ring 16 - descriptor ring */
bcmgenet_enable_dma(priv, dma_ctrl);
- /* HFB init */
- bcmgenet_hfb_init(priv);
-
ret = request_irq(priv->irq0, bcmgenet_isr0, IRQF_SHARED,
dev->name, priv);
if (ret < 0) {
@@ -3503,16 +3362,11 @@ static void bcmgenet_dump_tx_queue(struct bcmgenet_tx_ring *ring)
if (!netif_msg_tx_err(priv))
return;
- txq = netdev_get_tx_queue(priv->dev, ring->queue);
+ txq = netdev_get_tx_queue(priv->dev, ring->index);
spin_lock(&ring->lock);
- if (ring->index == DESC_INDEX) {
- intsts = ~bcmgenet_intrl2_0_readl(priv, INTRL2_CPU_MASK_STATUS);
- intmsk = UMAC_IRQ_TXDMA_DONE | UMAC_IRQ_TXDMA_MBDONE;
- } else {
- intsts = ~bcmgenet_intrl2_1_readl(priv, INTRL2_CPU_MASK_STATUS);
- intmsk = 1 << ring->index;
- }
+ intsts = ~bcmgenet_intrl2_1_readl(priv, INTRL2_CPU_MASK_STATUS);
+ intmsk = 1 << ring->index;
c_index = bcmgenet_tdma_ring_readl(priv, ring->index, TDMA_CONS_INDEX);
p_index = bcmgenet_tdma_ring_readl(priv, ring->index, TDMA_PROD_INDEX);
txq_stopped = netif_tx_queue_stopped(txq);
@@ -3526,7 +3380,7 @@ static void bcmgenet_dump_tx_queue(struct bcmgenet_tx_ring *ring)
"(sw)c_index: %d (hw)c_index: %d\n"
"(sw)clean_p: %d (sw)write_p: %d\n"
"(sw)cb_ptr: %d (sw)end_ptr: %d\n",
- ring->index, ring->queue,
+ ring->index, ring->index,
txq_stopped ? "stopped" : "active",
intsts & intmsk ? "enabled" : "disabled",
free_bds, ring->size,
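Review bot: `ring->index, ring->index` now feeds the same value to two consecutive format fields in bcmgenet_dump_tx_queue(), so the debug line prints the number twice under two labels. With the `queue` member gone, drop the second field from the format string and pass ring->index once.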
@@ -3539,25 +3393,20 @@ static void bcmgenet_dump_tx_queue(struct bcmgenet_tx_ring *ring)
static void bcmgenet_timeout(struct net_device *dev, unsigned int txqueue)
{
struct bcmgenet_priv *priv = netdev_priv(dev);
- u32 int0_enable = 0;
u32 int1_enable = 0;
unsigned int q;
netif_dbg(priv, tx_err, dev, "bcmgenet_timeout\n");
- for (q = 0; q < priv->hw_params->tx_queues; q++)
+ for (q = 0; q <= priv->hw_params->tx_queues; q++)
bcmgenet_dump_tx_queue(&priv->tx_rings[q]);
- bcmgenet_dump_tx_queue(&priv->tx_rings[DESC_INDEX]);
bcmgenet_tx_reclaim_all(dev);
- for (q = 0; q < priv->hw_params->tx_queues; q++)
+ for (q = 0; q <= priv->hw_params->tx_queues; q++)
int1_enable |= (1 << q);
- int0_enable = UMAC_IRQ_TXDMA_DONE;
-
/* Re-enable TX interrupts if disabled */
- bcmgenet_intrl2_0_writel(priv, int0_enable, INTRL2_CPU_MASK_CLEAR);
bcmgenet_intrl2_1_writel(priv, int1_enable, INTRL2_CPU_MASK_CLEAR);
netif_trans_update(dev);
@@ -3661,16 +3510,13 @@ static struct net_device_stats *bcmgenet_get_stats(struct net_device *dev)
struct bcmgenet_rx_ring *rx_ring;
unsigned int q;
- for (q = 0; q < priv->hw_params->tx_queues; q++) {
+ for (q = 0; q <= priv->hw_params->tx_queues; q++) {
tx_ring = &priv->tx_rings[q];
tx_bytes += tx_ring->bytes;
tx_packets += tx_ring->packets;
}
- tx_ring = &priv->tx_rings[DESC_INDEX];
- tx_bytes += tx_ring->bytes;
- tx_packets += tx_ring->packets;
- for (q = 0; q < priv->hw_params->rx_queues; q++) {
+ for (q = 0; q <= priv->hw_params->rx_queues; q++) {
rx_ring = &priv->rx_rings[q];
rx_bytes += rx_ring->bytes;
@@ -3678,11 +3524,6 @@ static struct net_device_stats *bcmgenet_get_stats(struct net_device *dev)
rx_errors += rx_ring->errors;
rx_dropped += rx_ring->dropped;
}
- rx_ring = &priv->rx_rings[DESC_INDEX];
- rx_bytes += rx_ring->bytes;
- rx_packets += rx_ring->packets;
- rx_errors += rx_ring->errors;
- rx_dropped += rx_ring->dropped;
dev->stats.tx_bytes = tx_bytes;
dev->stats.tx_packets = tx_packets;
@@ -4129,16 +3970,13 @@ static int bcmgenet_probe(struct platform_device *pdev)
if (err)
goto err_clk_disable;
- /* setup number of real queues + 1 (GENET_V1 has 0 hardware queues
- * just the ring 16 descriptor based TX
- */
+ /* setup number of real queues + 1 */
netif_set_real_num_tx_queues(priv->dev, priv->hw_params->tx_queues + 1);
netif_set_real_num_rx_queues(priv->dev, priv->hw_params->rx_queues + 1);
/* Set default coalescing parameters */
- for (i = 0; i < priv->hw_params->rx_queues; i++)
+ for (i = 0; i <= priv->hw_params->rx_queues; i++)
priv->rx_rings[i].rx_max_coalesced_frames = 1;
- priv->rx_rings[DESC_INDEX].rx_max_coalesced_frames = 1;
/* libphy will determine the link state */
netif_carrier_off(dev);
@@ -4263,7 +4101,6 @@ static int bcmgenet_resume(struct device *d)
goto out_clk_disable;
}
- /* Always enable ring 16 - descriptor ring */
bcmgenet_enable_dma(priv, dma_ctrl);
if (!device_may_wakeup(d))
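Review bot: in bcmgenet_resume() only the "Always enable ring 16" comment is removed before bcmgenet_enable_dma(), while bcmgenet_open() had its HFB init moved ahead of the DMA enable. Nothing in this hunk shows filter 0 being re-enabled on the resume path; please confirm the default-flow filter is restored before DMA is turned back on here, otherwise default receive traffic has no route to ring 0 after resume.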
diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.h b/drivers/net/ethernet/broadcom/genet/bcmgenet.h
index ba83819210aa8..f3a1139cb7108 100644
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.h
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.h
@@ -18,6 +18,9 @@
#include "../unimac.h"
+/* Maximum number of hardware queues, downsized if needed */
+#define GENET_MAX_MQ_CNT 4
+
/* total number of Buffer Descriptors, same for Rx/Tx */
#define TOTAL_DESC 256
@@ -513,7 +516,6 @@ struct bcmgenet_tx_ring {
unsigned long packets;
unsigned long bytes;
unsigned int index; /* ring index */
- unsigned int queue; /* queue index */
struct enet_cb *cbs; /* tx ring buffer control block*/
unsigned int size; /* size of each tx ring */
unsigned int clean_ptr; /* Tx ring clean pointer */
@@ -523,8 +525,6 @@ struct bcmgenet_tx_ring {
unsigned int prod_index; /* Tx ring producer index SW copy */
unsigned int cb_ptr; /* Tx ring initial CB ptr */
unsigned int end_ptr; /* Tx ring end CB ptr */
- void (*int_enable)(struct bcmgenet_tx_ring *);
- void (*int_disable)(struct bcmgenet_tx_ring *);
struct bcmgenet_priv *priv;
};
@@ -553,8 +553,6 @@ struct bcmgenet_rx_ring {
struct bcmgenet_net_dim dim;
u32 rx_max_coalesced_frames;
u32 rx_coalesce_usecs;
- void (*int_enable)(struct bcmgenet_rx_ring *);
- void (*int_disable)(struct bcmgenet_rx_ring *);
struct bcmgenet_priv *priv;
};
@@ -583,7 +581,7 @@ struct bcmgenet_priv {
struct enet_cb *tx_cbs;
unsigned int num_tx_bds;
- struct bcmgenet_tx_ring tx_rings[DESC_INDEX + 1];
+ struct bcmgenet_tx_ring tx_rings[GENET_MAX_MQ_CNT + 1];
/* receive variables */
void __iomem *rx_bds;
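Review bot: shrinking tx_rings[] (and rx_rings[] below) from DESC_INDEX + 1 to GENET_MAX_MQ_CNT + 1 entries means every `i <= priv->hw_params->tx_queues` loop in bcmgenet.c, and the unclamped `priv->tx_rings[index]` in bcmgenet_xmit(), now depends on hw_params->tx_queues and rx_queues never exceeding GENET_MAX_MQ_CNT. The moved comment says "downsized if needed" but the clamp is not part of this patch; a check at probe time, or a comment next to the arrays naming where the clamp happens, would guard against an out-of-bounds ring access if a hw_params table entry is ever larger.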
@@ -593,7 +591,7 @@ struct bcmgenet_priv {
struct bcmgenet_rxnfc_rule rxnfc_rules[MAX_NUM_OF_FS_RULES];
struct list_head rxnfc_list;
- struct bcmgenet_rx_ring rx_rings[DESC_INDEX + 1];
+ struct bcmgenet_rx_ring rx_rings[GENET_MAX_MQ_CNT + 1];
/* other misc variables */
struct bcmgenet_hw_params *hw_params;
diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
index 3ab506ed94252..cd5a35309ca78 100644
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
@@ -2,7 +2,7 @@
/*
* Broadcom GENET (Gigabit Ethernet) Wake-on-LAN support
*
- * Copyright (c) 2014-2024 Broadcom
+ * Copyright (c) 2014-2025 Broadcom
*/
#define pr_fmt(fmt) "bcmgenet_wol: " fmt
@@ -158,7 +158,7 @@ int bcmgenet_wol_power_down_cfg(struct bcmgenet_priv *priv,
if (priv->wolopts & WAKE_FILTER) {
list_for_each_entry(rule, &priv->rxnfc_list, list)
if (rule->fs.ring_cookie == RX_CLS_FLOW_WAKE)
- hfb_enable |= (1 << rule->fs.location);
+ hfb_enable |= (1 << (rule->fs.location + 1));
reg = (hfb_ctrl_reg & ~RBUF_HFB_EN) | RBUF_ACPI_EN;
bcmgenet_hfb_reg_writel(priv, reg, HFB_CTRL);
}
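Review bot: `1 << (rule->fs.location + 1)` shifts a signed int by a value derived from a user-supplied rule location, and the added + 1 brings the top of the range one bit closer to the sign bit. Using `BIT(rule->fs.location + 1)` keeps the arithmetic unsigned and matches the BIT() use in bcmgenet_isr1(); it is also worth confirming that hfb_enable is wide enough for the highest location plus one.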
--
2.53.0
* [PATCH 6.1 473/969] net: bcmgenet: support reclaiming unsent Tx packets
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (471 preceding siblings ...)
2026-05-30 15:59 ` [PATCH 6.1 472/969] net: bcmgenet: move DESC_INDEX flow to ring 0 Greg Kroah-Hartman
@ 2026-05-30 15:59 ` Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 474/969] net: bcmgenet: switch to use 64bit statistics Greg Kroah-Hartman
` (502 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Doug Berger, Florian Fainelli,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Doug Berger <opendmb@gmail.com>
[ Upstream commit f1bacae8b655163dcbc3c54b9e714ef1a8986d7b ]
When disabling the transmitter any outstanding packets can now
be reclaimed by bcmgenet_tx_reclaim_all() rather than by the
bcmgenet_fini_dma() function.
Signed-off-by: Doug Berger <opendmb@gmail.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://patch.msgid.link/20250306192643.2383632-12-opendmb@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 5393b2b5bee2 ("net: bcmgenet: fix racing timeout handler")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/broadcom/genet/bcmgenet.c | 37 +++++++++++++++----
1 file changed, 30 insertions(+), 7 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
index 9f670bbecc726..032ba3a157e4b 100644
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -1880,12 +1880,39 @@ static unsigned int __bcmgenet_tx_reclaim(struct net_device *dev,
}
static unsigned int bcmgenet_tx_reclaim(struct net_device *dev,
- struct bcmgenet_tx_ring *ring)
+ struct bcmgenet_tx_ring *ring,
+ bool all)
{
- unsigned int released;
+ struct bcmgenet_priv *priv = netdev_priv(dev);
+ struct device *kdev = &priv->pdev->dev;
+ unsigned int released, drop, wr_ptr;
+ struct enet_cb *cb_ptr;
+ struct sk_buff *skb;
spin_lock_bh(&ring->lock);
released = __bcmgenet_tx_reclaim(dev, ring);
+ if (all) {
+ skb = NULL;
+ drop = (ring->prod_index - ring->c_index) & DMA_C_INDEX_MASK;
+ released += drop;
+ ring->prod_index = ring->c_index & DMA_C_INDEX_MASK;
+ while (drop--) {
+ cb_ptr = bcmgenet_put_txcb(priv, ring);
+ skb = cb_ptr->skb;
+ bcmgenet_free_tx_cb(kdev, cb_ptr);
+ if (skb && cb_ptr == GENET_CB(skb)->first_cb) {
+ dev_consume_skb_any(skb);
+ skb = NULL;
+ }
+ }
+ if (skb)
+ dev_consume_skb_any(skb);
+ bcmgenet_tdma_ring_writel(priv, ring->index,
+ ring->prod_index, TDMA_PROD_INDEX);
+ wr_ptr = ring->write_ptr * WORDS_PER_BD(priv);
+ bcmgenet_tdma_ring_writel(priv, ring->index, wr_ptr,
+ TDMA_WRITE_PTR);
+ }
spin_unlock_bh(&ring->lock);
return released;
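Review bot: In the if (all) branch, packets that were never transmitted are freed with dev_consume_skb_any(), which marks them as consumed rather than dropped, so drop monitoring will not see them; dev_kfree_skb_any() fits a discard path better, and released += drop counts them without any drop statistic. A comment is also needed on why skb is taken from cb_ptr->skb and the return value of bcmgenet_free_tx_cb() is ignored, since the loop removed from bcmgenet_fini_dma() later in this patch freed exactly that return value.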
@@ -1922,7 +1949,7 @@ static void bcmgenet_tx_reclaim_all(struct net_device *dev)
int i = 0;
do {
- bcmgenet_tx_reclaim(dev, &priv->tx_rings[i++]);
+ bcmgenet_tx_reclaim(dev, &priv->tx_rings[i++], true);
} while (i <= priv->hw_params->tx_queues && netif_is_multiqueue(dev));
}
@@ -2919,10 +2946,6 @@ static void bcmgenet_fini_dma(struct bcmgenet_priv *priv)
bcmgenet_fini_rx_napi(priv);
bcmgenet_fini_tx_napi(priv);
- for (i = 0; i < priv->num_tx_bds; i++)
- dev_kfree_skb(bcmgenet_free_tx_cb(&priv->pdev->dev,
- priv->tx_cbs + i));
-
for (i = 0; i <= priv->hw_params->tx_queues; i++) {
txq = netdev_get_tx_queue(priv->dev, i);
netdev_tx_reset_queue(txq);
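Review bot: With the tx_cbs loop removed, bcmgenet_fini_dma() no longer frees anything left in the Tx control blocks and silently depends on bcmgenet_tx_reclaim_all() having run first. Nothing in this hunk shows or enforces that ordering; please add a comment naming the required caller sequence, or a WARN_ON if any control block still holds an skb at this point.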
--
2.53.0
* [PATCH 6.1 474/969] net: bcmgenet: switch to use 64bit statistics
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (472 preceding siblings ...)
2026-05-30 15:59 ` [PATCH 6.1 473/969] net: bcmgenet: support reclaiming unsent Tx packets Greg Kroah-Hartman
@ 2026-05-30 15:59 ` Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 475/969] net: bcmgenet: fix racing timeout handler Greg Kroah-Hartman
` (501 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zak Kemble, Florian Fainelli,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zak Kemble <zakkemble@gmail.com>
[ Upstream commit 59aa6e3072aa7e51e9040e8c342d0c0825c5f48f ]
Update the driver to use ndo_get_stats64, rtnl_link_stats64 and
u64_stats_t counters for statistics.
Signed-off-by: Zak Kemble <zakkemble@gmail.com>
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://patch.msgid.link/20250519113257.1031-2-zakkemble@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 5393b2b5bee2 ("net: bcmgenet: fix racing timeout handler")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/broadcom/genet/bcmgenet.c | 246 ++++++++++++------
.../net/ethernet/broadcom/genet/bcmgenet.h | 29 ++-
2 files changed, 187 insertions(+), 88 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
index 032ba3a157e4b..12aa07fb81db3 100644
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -968,12 +968,13 @@ static int bcmgenet_set_pauseparam(struct net_device *dev,
/* standard ethtool support functions. */
enum bcmgenet_stat_type {
- BCMGENET_STAT_NETDEV = -1,
+ BCMGENET_STAT_RTNL = -1,
BCMGENET_STAT_MIB_RX,
BCMGENET_STAT_MIB_TX,
BCMGENET_STAT_RUNT,
BCMGENET_STAT_MISC,
BCMGENET_STAT_SOFT,
+ BCMGENET_STAT_SOFT64,
};
struct bcmgenet_stats {
@@ -983,13 +984,15 @@ struct bcmgenet_stats {
enum bcmgenet_stat_type type;
/* reg offset from UMAC base for misc counters */
u16 reg_offset;
+ /* sync for u64 stats counters */
+ int syncp_offset;
};
-#define STAT_NETDEV(m) { \
+#define STAT_RTNL(m) { \
.stat_string = __stringify(m), \
- .stat_sizeof = sizeof(((struct net_device_stats *)0)->m), \
- .stat_offset = offsetof(struct net_device_stats, m), \
- .type = BCMGENET_STAT_NETDEV, \
+ .stat_sizeof = sizeof(((struct rtnl_link_stats64 *)0)->m), \
+ .stat_offset = offsetof(struct rtnl_link_stats64, m), \
+ .type = BCMGENET_STAT_RTNL, \
}
#define STAT_GENET_MIB(str, m, _type) { \
@@ -999,6 +1002,14 @@ struct bcmgenet_stats {
.type = _type, \
}
+#define STAT_GENET_SOFT_MIB64(str, s, m) { \
+ .stat_string = str, \
+ .stat_sizeof = sizeof(((struct bcmgenet_priv *)0)->s.m), \
+ .stat_offset = offsetof(struct bcmgenet_priv, s.m), \
+ .type = BCMGENET_STAT_SOFT64, \
+ .syncp_offset = offsetof(struct bcmgenet_priv, s.syncp), \
+}
+
#define STAT_GENET_MIB_RX(str, m) STAT_GENET_MIB(str, m, BCMGENET_STAT_MIB_RX)
#define STAT_GENET_MIB_TX(str, m) STAT_GENET_MIB(str, m, BCMGENET_STAT_MIB_TX)
#define STAT_GENET_RUNT(str, m) STAT_GENET_MIB(str, m, BCMGENET_STAT_RUNT)
@@ -1013,18 +1024,18 @@ struct bcmgenet_stats {
}
#define STAT_GENET_Q(num) \
- STAT_GENET_SOFT_MIB("txq" __stringify(num) "_packets", \
- tx_rings[num].packets), \
- STAT_GENET_SOFT_MIB("txq" __stringify(num) "_bytes", \
- tx_rings[num].bytes), \
- STAT_GENET_SOFT_MIB("rxq" __stringify(num) "_bytes", \
- rx_rings[num].bytes), \
- STAT_GENET_SOFT_MIB("rxq" __stringify(num) "_packets", \
- rx_rings[num].packets), \
- STAT_GENET_SOFT_MIB("rxq" __stringify(num) "_errors", \
- rx_rings[num].errors), \
- STAT_GENET_SOFT_MIB("rxq" __stringify(num) "_dropped", \
- rx_rings[num].dropped)
+ STAT_GENET_SOFT_MIB64("txq" __stringify(num) "_packets", \
+ tx_rings[num].stats64, packets), \
+ STAT_GENET_SOFT_MIB64("txq" __stringify(num) "_bytes", \
+ tx_rings[num].stats64, bytes), \
+ STAT_GENET_SOFT_MIB64("rxq" __stringify(num) "_bytes", \
+ rx_rings[num].stats64, bytes), \
+ STAT_GENET_SOFT_MIB64("rxq" __stringify(num) "_packets", \
+ rx_rings[num].stats64, packets), \
+ STAT_GENET_SOFT_MIB64("rxq" __stringify(num) "_errors", \
+ rx_rings[num].stats64, errors), \
+ STAT_GENET_SOFT_MIB64("rxq" __stringify(num) "_dropped", \
+ rx_rings[num].stats64, dropped)
/* There is a 0xC gap between the end of RX and beginning of TX stats and then
* between the end of TX stats and the beginning of the RX RUNT
@@ -1036,15 +1047,15 @@ struct bcmgenet_stats {
*/
static const struct bcmgenet_stats bcmgenet_gstrings_stats[] = {
/* general stats */
- STAT_NETDEV(rx_packets),
- STAT_NETDEV(tx_packets),
- STAT_NETDEV(rx_bytes),
- STAT_NETDEV(tx_bytes),
- STAT_NETDEV(rx_errors),
- STAT_NETDEV(tx_errors),
- STAT_NETDEV(rx_dropped),
- STAT_NETDEV(tx_dropped),
- STAT_NETDEV(multicast),
+ STAT_RTNL(rx_packets),
+ STAT_RTNL(tx_packets),
+ STAT_RTNL(rx_bytes),
+ STAT_RTNL(tx_bytes),
+ STAT_RTNL(rx_errors),
+ STAT_RTNL(tx_errors),
+ STAT_RTNL(rx_dropped),
+ STAT_RTNL(tx_dropped),
+ STAT_RTNL(multicast),
/* UniMAC RSV counters */
STAT_GENET_MIB_RX("rx_64_octets", mib.rx.pkt_cnt.cnt_64),
STAT_GENET_MIB_RX("rx_65_127_oct", mib.rx.pkt_cnt.cnt_127),
@@ -1132,6 +1143,20 @@ static const struct bcmgenet_stats bcmgenet_gstrings_stats[] = {
#define BCMGENET_STATS_LEN ARRAY_SIZE(bcmgenet_gstrings_stats)
+#define BCMGENET_STATS64_ADD(stats, m, v) \
+ do { \
+ u64_stats_update_begin(&stats->syncp); \
+ u64_stats_add(&stats->m, v); \
+ u64_stats_update_end(&stats->syncp); \
+ } while (0)
+
+#define BCMGENET_STATS64_INC(stats, m) \
+ do { \
+ u64_stats_update_begin(&stats->syncp); \
+ u64_stats_inc(&stats->m); \
+ u64_stats_update_end(&stats->syncp); \
+ } while (0)
+
static void bcmgenet_get_drvinfo(struct net_device *dev,
struct ethtool_drvinfo *info)
{
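Review bot: BCMGENET_STATS64_ADD() and BCMGENET_STATS64_INC() expand their stats argument unparenthesised (&stats->syncp, &stats->m), so any argument that is not a plain identifier mis-parses; the bcmgenet_timeout() hunk further down already has to pass (&priv->tx_rings[txqueue].stats64) with extra parentheses to work around it. Use &(stats)->syncp and &(stats)->m in the macro bodies.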
@@ -1215,8 +1240,9 @@ static void bcmgenet_update_mib_counters(struct bcmgenet_priv *priv)
s = &bcmgenet_gstrings_stats[i];
switch (s->type) {
- case BCMGENET_STAT_NETDEV:
+ case BCMGENET_STAT_RTNL:
case BCMGENET_STAT_SOFT:
+ case BCMGENET_STAT_SOFT64:
continue;
case BCMGENET_STAT_RUNT:
offset += BCMGENET_STAT_OFFSET;
@@ -1254,28 +1280,40 @@ static void bcmgenet_get_ethtool_stats(struct net_device *dev,
u64 *data)
{
struct bcmgenet_priv *priv = netdev_priv(dev);
+ struct rtnl_link_stats64 stats64;
+ struct u64_stats_sync *syncp;
+ unsigned int start;
int i;
if (netif_running(dev))
bcmgenet_update_mib_counters(priv);
- dev->netdev_ops->ndo_get_stats(dev);
+ dev_get_stats(dev, &stats64);
for (i = 0; i < BCMGENET_STATS_LEN; i++) {
const struct bcmgenet_stats *s;
char *p;
s = &bcmgenet_gstrings_stats[i];
- if (s->type == BCMGENET_STAT_NETDEV)
- p = (char *)&dev->stats;
- else
- p = (char *)priv;
- p += s->stat_offset;
- if (sizeof(unsigned long) != sizeof(u32) &&
- s->stat_sizeof == sizeof(unsigned long))
- data[i] = *(unsigned long *)p;
- else
- data[i] = *(u32 *)p;
+ p = (char *)priv;
+
+ if (s->type == BCMGENET_STAT_SOFT64) {
+ syncp = (struct u64_stats_sync *)(p + s->syncp_offset);
+ do {
+ start = u64_stats_fetch_begin(syncp);
+ data[i] = u64_stats_read((u64_stats_t *)(p + s->stat_offset));
+ } while (u64_stats_fetch_retry(syncp, start));
+ } else {
+ if (s->type == BCMGENET_STAT_RTNL)
+ p = (char *)&stats64;
+
+ p += s->stat_offset;
+ if (sizeof(unsigned long) != sizeof(u32) &&
+ s->stat_sizeof == sizeof(unsigned long))
+ data[i] = *(unsigned long *)p;
+ else
+ data[i] = *(u32 *)p;
+ }
}
}
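Review bot: In the non-SOFT64 branch of bcmgenet_get_ethtool_stats(), STAT_RTNL entries now point into struct rtnl_link_stats64, whose members are 64-bit, but the read width is still chosen by comparing stat_sizeof with sizeof(unsigned long). On a 32-bit build that comparison fails and the value is fetched with *(u32 *)p, so the general stats are truncated to 32 bits (and on big-endian the wrong half is read). Add a stat_sizeof == sizeof(u64) case that reads *(u64 *)p.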
@@ -1830,6 +1868,7 @@ static struct sk_buff *bcmgenet_free_rx_cb(struct device *dev,
static unsigned int __bcmgenet_tx_reclaim(struct net_device *dev,
struct bcmgenet_tx_ring *ring)
{
+ struct bcmgenet_tx_stats64 *stats = &ring->stats64;
struct bcmgenet_priv *priv = netdev_priv(dev);
unsigned int txbds_processed = 0;
unsigned int bytes_compl = 0;
@@ -1870,8 +1909,10 @@ static unsigned int __bcmgenet_tx_reclaim(struct net_device *dev,
ring->free_bds += txbds_processed;
ring->c_index = c_index;
- ring->packets += pkts_compl;
- ring->bytes += bytes_compl;
+ u64_stats_update_begin(&stats->syncp);
+ u64_stats_add(&stats->packets, pkts_compl);
+ u64_stats_add(&stats->bytes, bytes_compl);
+ u64_stats_update_end(&stats->syncp);
netdev_tx_completed_queue(netdev_get_tx_queue(dev, ring->index),
pkts_compl, bytes_compl);
@@ -1957,8 +1998,10 @@ static void bcmgenet_tx_reclaim_all(struct net_device *dev)
* the transmit checksum offsets in the descriptors
*/
static struct sk_buff *bcmgenet_add_tsb(struct net_device *dev,
- struct sk_buff *skb)
+ struct sk_buff *skb,
+ struct bcmgenet_tx_ring *ring)
{
+ struct bcmgenet_tx_stats64 *stats = &ring->stats64;
struct bcmgenet_priv *priv = netdev_priv(dev);
struct status_64 *status = NULL;
struct sk_buff *new_skb;
@@ -1975,7 +2018,7 @@ static struct sk_buff *bcmgenet_add_tsb(struct net_device *dev,
if (!new_skb) {
dev_kfree_skb_any(skb);
priv->mib.tx_realloc_tsb_failed++;
- dev->stats.tx_dropped++;
+ BCMGENET_STATS64_INC(stats, dropped);
return NULL;
}
dev_consume_skb_any(skb);
@@ -2063,7 +2106,7 @@ static netdev_tx_t bcmgenet_xmit(struct sk_buff *skb, struct net_device *dev)
GENET_CB(skb)->bytes_sent = skb->len;
/* add the Transmit Status Block */
- skb = bcmgenet_add_tsb(dev, skb);
+ skb = bcmgenet_add_tsb(dev, skb, ring);
if (!skb) {
ret = NETDEV_TX_OK;
goto out;
@@ -2205,6 +2248,7 @@ static struct sk_buff *bcmgenet_rx_refill(struct bcmgenet_priv *priv,
static unsigned int bcmgenet_desc_rx(struct bcmgenet_rx_ring *ring,
unsigned int budget)
{
+ struct bcmgenet_rx_stats64 *stats = &ring->stats64;
struct bcmgenet_priv *priv = ring->priv;
struct net_device *dev = priv->dev;
struct enet_cb *cb;
@@ -2227,7 +2271,7 @@ static unsigned int bcmgenet_desc_rx(struct bcmgenet_rx_ring *ring,
DMA_P_INDEX_DISCARD_CNT_MASK;
if (discards > ring->old_discards) {
discards = discards - ring->old_discards;
- ring->errors += discards;
+ BCMGENET_STATS64_ADD(stats, errors, discards);
ring->old_discards += discards;
/* Clear HW register when we reach 75% of maximum 0xFFFF */
@@ -2253,7 +2297,7 @@ static unsigned int bcmgenet_desc_rx(struct bcmgenet_rx_ring *ring,
skb = bcmgenet_rx_refill(priv, cb);
if (unlikely(!skb)) {
- ring->dropped++;
+ BCMGENET_STATS64_INC(stats, dropped);
goto next;
}
@@ -2280,8 +2324,7 @@ static unsigned int bcmgenet_desc_rx(struct bcmgenet_rx_ring *ring,
if (unlikely(len > RX_BUF_LENGTH)) {
netif_err(priv, rx_status, dev, "oversized packet\n");
- dev->stats.rx_length_errors++;
- dev->stats.rx_errors++;
+ BCMGENET_STATS64_INC(stats, length_errors);
dev_kfree_skb_any(skb);
goto next;
}
@@ -2289,7 +2332,7 @@ static unsigned int bcmgenet_desc_rx(struct bcmgenet_rx_ring *ring,
if (unlikely(!(dma_flag & DMA_EOP) || !(dma_flag & DMA_SOP))) {
netif_err(priv, rx_status, dev,
"dropping fragmented packet!\n");
- ring->errors++;
+ BCMGENET_STATS64_INC(stats, errors);
dev_kfree_skb_any(skb);
goto next;
}
@@ -2302,15 +2345,22 @@ static unsigned int bcmgenet_desc_rx(struct bcmgenet_rx_ring *ring,
DMA_RX_RXER))) {
netif_err(priv, rx_status, dev, "dma_flag=0x%x\n",
(unsigned int)dma_flag);
+ u64_stats_update_begin(&stats->syncp);
if (dma_flag & DMA_RX_CRC_ERROR)
- dev->stats.rx_crc_errors++;
+ u64_stats_inc(&stats->crc_errors);
if (dma_flag & DMA_RX_OV)
- dev->stats.rx_over_errors++;
+ u64_stats_inc(&stats->over_errors);
if (dma_flag & DMA_RX_NO)
- dev->stats.rx_frame_errors++;
+ u64_stats_inc(&stats->frame_errors);
if (dma_flag & DMA_RX_LG)
- dev->stats.rx_length_errors++;
- dev->stats.rx_errors++;
+ u64_stats_inc(&stats->length_errors);
+ if ((dma_flag & (DMA_RX_CRC_ERROR |
+ DMA_RX_OV |
+ DMA_RX_NO |
+ DMA_RX_LG |
+ DMA_RX_RXER)) == DMA_RX_RXER)
+ u64_stats_inc(&stats->errors);
+ u64_stats_update_end(&stats->syncp);
dev_kfree_skb_any(skb);
goto next;
} /* error packet */
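Review bot: In the error-packet path, stats->errors is now bumped only when DMA_RX_RXER is the sole flag set, and bcmgenet_get_stats64() later rebuilds rx_errors by adding length_errors, crc_errors and frame_errors but not over_errors. A frame flagged only DMA_RX_OV therefore no longer counts in rx_errors, and a frame carrying two of the other flags counts twice, where the old code did one dev->stats.rx_errors++ per bad frame. If that change is intended, say so in the commit message; otherwise keep a single per-frame errors increment here.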
@@ -2330,10 +2380,13 @@ static unsigned int bcmgenet_desc_rx(struct bcmgenet_rx_ring *ring,
/*Finish setting up the received SKB and send it to the kernel*/
skb->protocol = eth_type_trans(skb, priv->dev);
- ring->packets++;
- ring->bytes += len;
+
+ u64_stats_update_begin(&stats->syncp);
+ u64_stats_inc(&stats->packets);
+ u64_stats_add(&stats->bytes, len);
if (dma_flag & DMA_RX_MULT)
- dev->stats.multicast++;
+ u64_stats_inc(&stats->multicast);
+ u64_stats_update_end(&stats->syncp);
/* Notify kernel */
napi_gro_receive(&ring->napi, skb);
@@ -3434,7 +3487,7 @@ static void bcmgenet_timeout(struct net_device *dev, unsigned int txqueue)
netif_trans_update(dev);
- dev->stats.tx_errors++;
+ BCMGENET_STATS64_INC((&priv->tx_rings[txqueue].stats64), errors);
netif_tx_wake_all_queues(dev);
}
@@ -3523,39 +3576,68 @@ static int bcmgenet_set_mac_addr(struct net_device *dev, void *p)
return 0;
}
-static struct net_device_stats *bcmgenet_get_stats(struct net_device *dev)
+static void bcmgenet_get_stats64(struct net_device *dev,
+ struct rtnl_link_stats64 *stats)
{
struct bcmgenet_priv *priv = netdev_priv(dev);
- unsigned long tx_bytes = 0, tx_packets = 0;
- unsigned long rx_bytes = 0, rx_packets = 0;
- unsigned long rx_errors = 0, rx_dropped = 0;
- struct bcmgenet_tx_ring *tx_ring;
- struct bcmgenet_rx_ring *rx_ring;
+ struct bcmgenet_tx_stats64 *tx_stats;
+ struct bcmgenet_rx_stats64 *rx_stats;
+ u64 rx_length_errors, rx_over_errors;
+ u64 rx_crc_errors, rx_frame_errors;
+ u64 tx_errors, tx_dropped;
+ u64 rx_errors, rx_dropped;
+ u64 tx_bytes, tx_packets;
+ u64 rx_bytes, rx_packets;
+ unsigned int start;
unsigned int q;
+ u64 multicast;
for (q = 0; q <= priv->hw_params->tx_queues; q++) {
- tx_ring = &priv->tx_rings[q];
- tx_bytes += tx_ring->bytes;
- tx_packets += tx_ring->packets;
+ tx_stats = &priv->tx_rings[q].stats64;
+ do {
+ start = u64_stats_fetch_begin(&tx_stats->syncp);
+ tx_bytes = u64_stats_read(&tx_stats->bytes);
+ tx_packets = u64_stats_read(&tx_stats->packets);
+ tx_errors = u64_stats_read(&tx_stats->errors);
+ tx_dropped = u64_stats_read(&tx_stats->dropped);
+ } while (u64_stats_fetch_retry(&tx_stats->syncp, start));
+
+ stats->tx_bytes += tx_bytes;
+ stats->tx_packets += tx_packets;
+ stats->tx_errors += tx_errors;
+ stats->tx_dropped += tx_dropped;
}
for (q = 0; q <= priv->hw_params->rx_queues; q++) {
- rx_ring = &priv->rx_rings[q];
-
- rx_bytes += rx_ring->bytes;
- rx_packets += rx_ring->packets;
- rx_errors += rx_ring->errors;
- rx_dropped += rx_ring->dropped;
+ rx_stats = &priv->rx_rings[q].stats64;
+ do {
+ start = u64_stats_fetch_begin(&rx_stats->syncp);
+ rx_bytes = u64_stats_read(&rx_stats->bytes);
+ rx_packets = u64_stats_read(&rx_stats->packets);
+ rx_errors = u64_stats_read(&rx_stats->errors);
+ rx_dropped = u64_stats_read(&rx_stats->dropped);
+ rx_length_errors = u64_stats_read(&rx_stats->length_errors);
+ rx_over_errors = u64_stats_read(&rx_stats->over_errors);
+ rx_crc_errors = u64_stats_read(&rx_stats->crc_errors);
+ rx_frame_errors = u64_stats_read(&rx_stats->frame_errors);
+ multicast = u64_stats_read(&rx_stats->multicast);
+ } while (u64_stats_fetch_retry(&rx_stats->syncp, start));
+
+ rx_errors += rx_length_errors;
+ rx_errors += rx_crc_errors;
+ rx_errors += rx_frame_errors;
+
+ stats->rx_bytes += rx_bytes;
+ stats->rx_packets += rx_packets;
+ stats->rx_errors += rx_errors;
+ stats->rx_dropped += rx_dropped;
+ stats->rx_missed_errors += rx_errors;
+ stats->rx_length_errors += rx_length_errors;
+ stats->rx_over_errors += rx_over_errors;
+ stats->rx_crc_errors += rx_crc_errors;
+ stats->rx_frame_errors += rx_frame_errors;
+ stats->multicast += multicast;
}
-
- dev->stats.tx_bytes = tx_bytes;
- dev->stats.tx_packets = tx_packets;
- dev->stats.rx_bytes = rx_bytes;
- dev->stats.rx_packets = rx_packets;
- dev->stats.rx_errors = rx_errors;
- dev->stats.rx_missed_errors = rx_errors;
- dev->stats.rx_dropped = rx_dropped;
- return &dev->stats;
}
static int bcmgenet_change_carrier(struct net_device *dev, bool new_carrier)
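Review bot: In the Rx loop of bcmgenet_get_stats64(), rx_errors has the length, CRC and frame error counts added to it before stats->rx_missed_errors += rx_errors, so rx_missed_errors now includes those error classes; the removed bcmgenet_get_stats() assigned it from the ring errors counter alone. Capture the ring errors value before the additions and use that for rx_missed_errors, or explain the new meaning.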
@@ -3583,7 +3665,7 @@ static const struct net_device_ops bcmgenet_netdev_ops = {
.ndo_set_mac_address = bcmgenet_set_mac_addr,
.ndo_eth_ioctl = phy_do_ioctl_running,
.ndo_set_features = bcmgenet_set_features,
- .ndo_get_stats = bcmgenet_get_stats,
+ .ndo_get_stats64 = bcmgenet_get_stats64,
.ndo_change_carrier = bcmgenet_change_carrier,
};
diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.h b/drivers/net/ethernet/broadcom/genet/bcmgenet.h
index f3a1139cb7108..94957dfa55b6f 100644
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.h
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.h
@@ -155,6 +155,27 @@ struct bcmgenet_mib_counters {
u32 tx_realloc_tsb_failed;
};
+struct bcmgenet_tx_stats64 {
+ struct u64_stats_sync syncp;
+ u64_stats_t packets;
+ u64_stats_t bytes;
+ u64_stats_t errors;
+ u64_stats_t dropped;
+};
+
+struct bcmgenet_rx_stats64 {
+ struct u64_stats_sync syncp;
+ u64_stats_t bytes;
+ u64_stats_t packets;
+ u64_stats_t errors;
+ u64_stats_t dropped;
+ u64_stats_t multicast;
+ u64_stats_t length_errors;
+ u64_stats_t over_errors;
+ u64_stats_t crc_errors;
+ u64_stats_t frame_errors;
+};
+
#define UMAC_MIB_START 0x400
#define UMAC_MDIO_CMD 0x614
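Review bot: The new bcmgenet_tx_stats64 and bcmgenet_rx_stats64 structs each embed a u64_stats_sync, but no hunk in this patch calls u64_stats_init() on syncp for any ring. On 32-bit builds syncp carries a seqcount that is expected to be initialised that way; add the call where the rings are set up.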
@@ -513,8 +534,7 @@ struct bcmgenet_skb_cb {
struct bcmgenet_tx_ring {
spinlock_t lock; /* ring lock */
struct napi_struct napi; /* NAPI per tx queue */
- unsigned long packets;
- unsigned long bytes;
+ struct bcmgenet_tx_stats64 stats64;
unsigned int index; /* ring index */
struct enet_cb *cbs; /* tx ring buffer control block*/
unsigned int size; /* size of each tx ring */
@@ -538,10 +558,7 @@ struct bcmgenet_net_dim {
struct bcmgenet_rx_ring {
struct napi_struct napi; /* Rx NAPI struct */
- unsigned long bytes;
- unsigned long packets;
- unsigned long errors;
- unsigned long dropped;
+ struct bcmgenet_rx_stats64 stats64;
unsigned int index; /* Rx ring index */
struct enet_cb *cbs; /* Rx ring buffer control block */
unsigned int size; /* Rx ring size */
--
2.53.0
* [PATCH 6.1 475/969] net: bcmgenet: fix racing timeout handler
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (473 preceding siblings ...)
2026-05-30 15:59 ` [PATCH 6.1 474/969] net: bcmgenet: switch to use 64bit statistics Greg Kroah-Hartman
@ 2026-05-30 15:59 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 476/969] netfilter: xt_socket: enable defrag after all other checks Greg Kroah-Hartman
` (500 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 15:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Justin Chen, Florian Fainelli,
Nicolai Buchwitz, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Justin Chen <justin.chen@broadcom.com>
[ Upstream commit 5393b2b5bee2ac51a0043dc7f4ac3475f053d08d ]
The bcmgenet_timeout handler tries to take down all tx queues when
a single queue times out. This is overzealous and causes many race
conditions with queues that are still chugging along. Instead let's
only restart the timed out queue.
Fixes: 13ea657806cf ("net: bcmgenet: improve TX timeout")
Signed-off-by: Justin Chen <justin.chen@broadcom.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Reviewed-by: Nicolai Buchwitz <nb@tipi-net.de>
Tested-by: Nicolai Buchwitz <nb@tipi-net.de>
Link: https://patch.msgid.link/20260406175756.134567-4-justin.chen@broadcom.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/broadcom/genet/bcmgenet.c | 22 ++++++++-----------
1 file changed, 9 insertions(+), 13 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
index 12aa07fb81db3..43fba7b47d1cd 100644
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -3469,27 +3469,23 @@ static void bcmgenet_dump_tx_queue(struct bcmgenet_tx_ring *ring)
static void bcmgenet_timeout(struct net_device *dev, unsigned int txqueue)
{
struct bcmgenet_priv *priv = netdev_priv(dev);
- u32 int1_enable = 0;
- unsigned int q;
+ struct bcmgenet_tx_ring *ring = &priv->tx_rings[txqueue];
+ struct netdev_queue *txq = netdev_get_tx_queue(dev, txqueue);
netif_dbg(priv, tx_err, dev, "bcmgenet_timeout\n");
- for (q = 0; q <= priv->hw_params->tx_queues; q++)
- bcmgenet_dump_tx_queue(&priv->tx_rings[q]);
-
- bcmgenet_tx_reclaim_all(dev);
+ bcmgenet_dump_tx_queue(ring);
- for (q = 0; q <= priv->hw_params->tx_queues; q++)
- int1_enable |= (1 << q);
+ bcmgenet_tx_reclaim(dev, ring, true);
- /* Re-enable TX interrupts if disabled */
- bcmgenet_intrl2_1_writel(priv, int1_enable, INTRL2_CPU_MASK_CLEAR);
+ /* Re-enable the TX interrupt for this ring */
+ bcmgenet_intrl2_1_writel(priv, 1 << txqueue, INTRL2_CPU_MASK_CLEAR);
- netif_trans_update(dev);
+ txq_trans_cond_update(txq);
- BCMGENET_STATS64_INC((&priv->tx_rings[txqueue].stats64), errors);
+ BCMGENET_STATS64_INC((&ring->stats64), errors);
- netif_tx_wake_all_queues(dev);
+ netif_tx_wake_queue(txq);
}
#define MAX_MDF_FILTER 17
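Review bot: bcmgenet_timeout() now calls bcmgenet_tx_reclaim(dev, ring, true) on a ring whose DMA has not been stopped in this function, and the all path (added in 473/969) discards every queued packet and rewrites TDMA_PROD_INDEX and TDMA_WRITE_PTR. That patch describes the path as used when disabling the transmitter, so a comment is needed here on what keeps the hardware and bcmgenet_xmit() from touching this ring during the reset. Minor: 1 << txqueue would read better as BIT(txqueue).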
--
2.53.0
* [PATCH 6.1 476/969] netfilter: xt_socket: enable defrag after all other checks
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (474 preceding siblings ...)
2026-05-30 15:59 ` [PATCH 6.1 475/969] net: bcmgenet: fix racing timeout handler Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 477/969] netfilter: nft_fwd_netdev: check ttl/hl before forwarding Greg Kroah-Hartman
` (499 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Florian Westphal, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 542be3fa5aff54210a02954c38f07e53ea9bdafd ]
Originally this did not matter because defrag was enabled once per netns
and only disabled again on netns dismantle. When this got changed I should
have adjusted checkentry to not leave defrag enabled on error.
Fixes: de8c12110a13 ("netfilter: disable defrag once its no longer needed")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/xt_socket.c | 23 ++++++-----------------
1 file changed, 6 insertions(+), 17 deletions(-)
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index 76e01f292aaff..811e53bee4085 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -168,52 +168,41 @@ static int socket_mt_enable_defrag(struct net *net, int family)
static int socket_mt_v1_check(const struct xt_mtchk_param *par)
{
const struct xt_socket_mtinfo1 *info = (struct xt_socket_mtinfo1 *) par->matchinfo;
- int err;
-
- err = socket_mt_enable_defrag(par->net, par->family);
- if (err)
- return err;
if (info->flags & ~XT_SOCKET_FLAGS_V1) {
pr_info_ratelimited("unknown flags 0x%x\n",
info->flags & ~XT_SOCKET_FLAGS_V1);
return -EINVAL;
}
- return 0;
+
+ return socket_mt_enable_defrag(par->net, par->family);
}
static int socket_mt_v2_check(const struct xt_mtchk_param *par)
{
const struct xt_socket_mtinfo2 *info = (struct xt_socket_mtinfo2 *) par->matchinfo;
- int err;
-
- err = socket_mt_enable_defrag(par->net, par->family);
- if (err)
- return err;
if (info->flags & ~XT_SOCKET_FLAGS_V2) {
pr_info_ratelimited("unknown flags 0x%x\n",
info->flags & ~XT_SOCKET_FLAGS_V2);
return -EINVAL;
}
- return 0;
+
+ return socket_mt_enable_defrag(par->net, par->family);
}
static int socket_mt_v3_check(const struct xt_mtchk_param *par)
{
const struct xt_socket_mtinfo3 *info =
(struct xt_socket_mtinfo3 *)par->matchinfo;
- int err;
- err = socket_mt_enable_defrag(par->net, par->family);
- if (err)
- return err;
if (info->flags & ~XT_SOCKET_FLAGS_V3) {
pr_info_ratelimited("unknown flags 0x%x\n",
info->flags & ~XT_SOCKET_FLAGS_V3);
return -EINVAL;
}
- return 0;
+
+ return socket_mt_enable_defrag(par->net, par->family);
}
static void socket_mt_destroy(const struct xt_mtdtor_param *par)
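Review bot: The fix depends on socket_mt_enable_defrag() being the last statement in each of socket_mt_v1_check(), socket_mt_v2_check() and socket_mt_v3_check(), because no error path here undoes it, yet nothing in the code says so. Add a short comment to that effect, and consider a shared helper that takes the allowed flag mask, since the three bodies now differ only in XT_SOCKET_FLAGS_V1/V2/V3 and the matchinfo type.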
--
2.53.0
* [PATCH 6.1 477/969] netfilter: nft_fwd_netdev: check ttl/hl before forwarding
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (475 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 476/969] netfilter: xt_socket: enable defrag after all other checks Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 478/969] 6pack: propagage new tty types Greg Kroah-Hartman
` (498 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Florian Westphal, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 1dfd95bdf4d18d263aa8fad06bfb9f4d9c992b18 ]
Drop packets if their ttl/hl is too small for forwarding.
Fixes: d32de98ea70f ("netfilter: nft_fwd_netdev: allow to forward packets via neighbour layer")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_fwd_netdev.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/net/netfilter/nft_fwd_netdev.c b/net/netfilter/nft_fwd_netdev.c
index 7c5876dc9ff2b..6f6b355134625 100644
--- a/net/netfilter/nft_fwd_netdev.c
+++ b/net/netfilter/nft_fwd_netdev.c
@@ -115,6 +115,11 @@ static void nft_fwd_neigh_eval(const struct nft_expr *expr,
goto out;
}
iph = ip_hdr(skb);
+ if (iph->ttl <= 1) {
+ verdict = NF_DROP;
+ goto out;
+ }
+
ip_decrease_ttl(iph);
neigh_table = NEIGH_ARP_TABLE;
break;
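Review bot: The new iph->ttl <= 1 check drops the packet with NF_DROP and nothing else, so the sender gets no ICMP Time Exceeded and the drop is not counted anywhere visible in this hunk; the same holds for the ip6h->hop_limit check in the next hunk. If silent discard is intended for this forwarding path, please say so in a comment or in the commit message, which currently only states that the packets are dropped.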
@@ -131,6 +136,11 @@ static void nft_fwd_neigh_eval(const struct nft_expr *expr,
goto out;
}
ip6h = ipv6_hdr(skb);
+ if (ip6h->hop_limit <= 1) {
+ verdict = NF_DROP;
+ goto out;
+ }
+
ip6h->hop_limit--;
neigh_table = NEIGH_ND_TABLE;
break;
--
2.53.0
* [PATCH 6.1 478/969] 6pack: propagage new tty types
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (476 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 477/969] netfilter: nft_fwd_netdev: check ttl/hl before forwarding Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 479/969] net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf Greg Kroah-Hartman
` (497 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiri Slaby (SUSE), Andreas Koensgen,
David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
linux-hams, netdev, Jeremy Kerr, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiri Slaby (SUSE) <jirislaby@kernel.org>
[ Upstream commit 1241b384efa53f4b7a95fe2b34d69359bb3ae1b5 ]
In tty, u8 is now used for data, ssize_t for sizes (with possible
negative error codes). Propagate these types to 6pack.
Signed-off-by: Jiri Slaby (SUSE) <jirislaby@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Andreas Koensgen <ajk@comnets.uni-bremen.de>
Cc: David S. Miller <davem@davemloft.net>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: linux-hams@vger.kernel.org
Cc: netdev@vger.kernel.org
Reviewed-by: Jeremy Kerr <jk@codeconstruct.com.au>
Link: https://lore.kernel.org/r/20240808103549.429349-12-jirislaby@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: bf9a38803b26 ("net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/hamradio/6pack.c | 32 ++++++++++++++++----------------
1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/drivers/net/hamradio/6pack.c b/drivers/net/hamradio/6pack.c
index 1b007dd174794..fe85cffa4f945 100644
--- a/drivers/net/hamradio/6pack.c
+++ b/drivers/net/hamradio/6pack.c
@@ -94,8 +94,8 @@ struct sixpack {
unsigned char *xhead; /* next byte to XMIT */
int xleft; /* bytes left in XMIT queue */
- unsigned char raw_buf[4];
- unsigned char cooked_buf[400];
+ u8 raw_buf[4];
+ u8 cooked_buf[400];
unsigned int rx_count;
unsigned int rx_count_cooked;
@@ -113,8 +113,8 @@ struct sixpack {
unsigned char slottime;
unsigned char duplex;
unsigned char led_state;
- unsigned char status;
- unsigned char status1;
+ u8 status;
+ u8 status1;
unsigned char status2;
unsigned char tx_enable;
unsigned char tnc_state;
@@ -126,7 +126,7 @@ struct sixpack {
#define AX25_6PACK_HEADER_LEN 0
-static void sixpack_decode(struct sixpack *, const unsigned char[], int);
+static void sixpack_decode(struct sixpack *, const u8 *, size_t);
static int encode_sixpack(unsigned char *, unsigned char *, int, unsigned char);
/*
@@ -331,7 +331,7 @@ static void sp_bump(struct sixpack *sp, char cmd)
{
struct sk_buff *skb;
int count;
- unsigned char *ptr;
+ u8 *ptr;
count = sp->rcount + 1;
@@ -397,7 +397,7 @@ static void sixpack_receive_buf(struct tty_struct *tty,
const unsigned char *cp, const char *fp, int count)
{
struct sixpack *sp;
- int count1;
+ size_t count1;
if (!count)
return;
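Review bot: count1 becomes size_t here while the count parameter in the context line above it is still int, so in this tree any assignment or comparison between the two is an implicit signed-to-unsigned conversion, and the only guard visible in the hunk, if (!count), rejects zero but not a negative value. Either keep count1 as int in this backport until the receive_buf signature itself carries an unsigned size, or state in the changelog that the tty layer never passes a negative count to this callback.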
@@ -773,9 +773,9 @@ static int encode_sixpack(unsigned char *tx_buf, unsigned char *tx_buf_raw,
/* decode 4 sixpack-encoded bytes into 3 data bytes */
-static void decode_data(struct sixpack *sp, unsigned char inbyte)
+static void decode_data(struct sixpack *sp, u8 inbyte)
{
- unsigned char *buf;
+ u8 *buf;
if (sp->rx_count != 3) {
sp->raw_buf[sp->rx_count++] = inbyte;
@@ -801,9 +801,9 @@ static void decode_data(struct sixpack *sp, unsigned char inbyte)
/* identify and execute a 6pack priority command byte */
-static void decode_prio_command(struct sixpack *sp, unsigned char cmd)
+static void decode_prio_command(struct sixpack *sp, u8 cmd)
{
- int actual;
+ ssize_t actual;
if ((cmd & SIXP_PRIO_DATA_MASK) != 0) { /* idle ? */
@@ -851,9 +851,9 @@ static void decode_prio_command(struct sixpack *sp, unsigned char cmd)
/* identify and execute a standard 6pack command byte */
-static void decode_std_command(struct sixpack *sp, unsigned char cmd)
+static void decode_std_command(struct sixpack *sp, u8 cmd)
{
- unsigned char checksum = 0, rest = 0;
+ u8 checksum = 0, rest = 0;
short i;
switch (cmd & SIXP_CMD_MASK) { /* normal command */
@@ -901,10 +901,10 @@ static void decode_std_command(struct sixpack *sp, unsigned char cmd)
/* decode a 6pack packet */
static void
-sixpack_decode(struct sixpack *sp, const unsigned char *pre_rbuff, int count)
+sixpack_decode(struct sixpack *sp, const u8 *pre_rbuff, size_t count)
{
- unsigned char inbyte;
- int count1;
+ size_t count1;
+ u8 inbyte;
for (count1 = 0; count1 < count; count1++) {
inbyte = pre_rbuff[count1];
--
2.53.0
* [PATCH 6.1 479/969] net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+ecdb8c9878a81eb21e54,
Mashiro Chen, Simon Horman, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mashiro Chen <mashiro.chen@mailbox.org>
[ Upstream commit bf9a38803b2626b01cc769aaf13485d8650f576f ]
sixpack_receive_buf() does not properly skip bytes with TTY error flags.
The while loop iterates through the flags buffer but never advances the
data pointer (cp), and passes the original count (including error bytes)
to sixpack_decode(). This causes sixpack_decode() to process bytes that
should have been skipped due to TTY errors. The TTY layer does not
guarantee that cp[i] holds a meaningful value when fp[i] is set, so
passing those positions to sixpack_decode() results in KMSAN reporting
an uninit-value read.
Fix this by processing bytes one at a time, advancing cp on each
iteration, and only passing valid (non-error) bytes to sixpack_decode().
This matches the pattern used by slip_receive_buf() and
mkiss_receive_buf() for the same purpose.
Reported-by: syzbot+ecdb8c9878a81eb21e54@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ecdb8c9878a81eb21e54
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Mashiro Chen <mashiro.chen@mailbox.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260407173101.107352-1-mashiro.chen@mailbox.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/hamradio/6pack.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/drivers/net/hamradio/6pack.c b/drivers/net/hamradio/6pack.c
index fe85cffa4f945..ac953fad5d8d9 100644
--- a/drivers/net/hamradio/6pack.c
+++ b/drivers/net/hamradio/6pack.c
@@ -397,7 +397,6 @@ static void sixpack_receive_buf(struct tty_struct *tty,
const unsigned char *cp, const char *fp, int count)
{
struct sixpack *sp;
- size_t count1;
if (!count)
return;
@@ -407,16 +406,16 @@ static void sixpack_receive_buf(struct tty_struct *tty,
return;
/* Read the characters out of the buffer */
- count1 = count;
- while (count) {
- count--;
+ while (count--) {
if (fp && *fp++) {
if (!test_and_set_bit(SIXPF_ERROR, &sp->flags))
sp->dev->stats.rx_errors++;
+ cp++;
continue;
}
+ sixpack_decode(sp, cp, 1);
+ cp++;
}
- sixpack_decode(sp, cp, count1);
tty_unthrottle(tty);
}
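Review bot: in the rewritten loop cp++ now appears on both the error path and the decode path, so a later edit that adds a third path can silently desynchronise cp from fp again, which is the bug being fixed. Advancing the data pointer in one place, for example for (; count > 0; count--, cp++) with the existing continue on the error branch, keeps the two buffers in step by construction and drops both explicit increments.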
--
2.53.0
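The loop change described in the commit message above, as a userspace model. This is an added example, not code from the patch or from the kernel: struct model_sp, model_decode(), model_note_error() and the sample buffers are constructed stand-ins for struct sixpack, sixpack_decode(), the SIXPF_ERROR handling and TTY input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for struct sixpack: just enough state to observe
 * which bytes reach the decoder and how errors are counted. */
struct model_sp {
	uint8_t decoded[16];	/* every byte the decoder was handed */
	size_t ndecoded;
	int error_flag;		/* models the SIXPF_ERROR bit */
	unsigned long rx_errors;
};

/* Stand-in for sixpack_decode(): records its input instead of decoding it. */
static void model_decode(struct model_sp *sp, const uint8_t *buf, size_t count)
{
	size_t i;

	for (i = 0; i < count && sp->ndecoded < sizeof(sp->decoded); i++)
		sp->decoded[sp->ndecoded++] = buf[i];
}

/* Counts the first error only, like test_and_set_bit() in the driver. */
static void model_note_error(struct model_sp *sp)
{
	if (!sp->error_flag) {
		sp->error_flag = 1;
		sp->rx_errors++;
	}
}

/* Loop shape before the fix: fp advances, cp does not, and the original
 * count (error positions included) is decoded in one call afterwards. */
static void receive_buf_before(struct model_sp *sp, const uint8_t *cp,
			       const char *fp, int count)
{
	int count1 = count;

	while (count) {
		count--;
		if (fp && *fp++) {
			model_note_error(sp);
			continue;
		}
	}
	model_decode(sp, cp, (size_t)count1);
}

/* Loop shape after the fix: one byte at a time, cp advanced on both paths. */
static void receive_buf_after(struct model_sp *sp, const uint8_t *cp,
			      const char *fp, int count)
{
	while (count--) {
		if (fp && *fp++) {
			model_note_error(sp);
			cp++;
			continue;
		}
		model_decode(sp, cp, 1);
		cp++;
	}
}

/* Constructed input: positions 1 and 3 carry a TTY error flag. 0xEE marks
 * the bytes whose content the TTY layer does not guarantee. */
static const uint8_t sample_data[4] = { 0x11, 0xEE, 0x22, 0xEE };
static const char sample_flags[4] = { 0, 1, 0, 1 };

static void run_sample(int fixed, struct model_sp *sp)
{
	memset(sp, 0, sizeof(*sp));
	if (fixed)
		receive_buf_after(sp, sample_data, sample_flags, 4);
	else
		receive_buf_before(sp, sample_data, sample_flags, 4);
}

/* Total bytes handed to the decoder for the sample input. */
static size_t bytes_decoded(int fixed)
{
	struct model_sp sp;

	run_sample(fixed, &sp);
	return sp.ndecoded;
}

/* Flagged (untrustworthy) bytes that reached the decoder. */
static size_t flagged_bytes_decoded(int fixed)
{
	struct model_sp sp;
	size_t i, n = 0;

	run_sample(fixed, &sp);
	for (i = 0; i < sp.ndecoded; i++)
		if (sp.decoded[i] == 0xEE)
			n++;
	return n;
}

int main(void)
{
	printf("before: %zu decoded, %zu flagged\n",
	       bytes_decoded(0), flagged_bytes_decoded(0));
	printf("after:  %zu decoded, %zu flagged\n",
	       bytes_decoded(1), flagged_bytes_decoded(1));
	return 0;
}
```

In both versions rx_errors is incremented once for the whole buffer, because only the first error sets the flag.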
* [PATCH 6.1 480/969] net/sched: act_ct: Only release RCU read lock after ct_ft
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, zdi-disclosures, Victor Nogueira,
Jamal Hadi Salim, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jamal Hadi Salim <jhs@mojatatu.com>
[ Upstream commit f462dca0c8415bf0058d0ffa476354c4476d0f09 ]
When looking up a flow table in act_ct in tcf_ct_flow_table_get(),
rhashtable_lookup_fast() internally opens and closes an RCU read critical
section before returning ct_ft.
The tcf_ct_flow_table_cleanup_work() can complete before refcount_inc_not_zero()
is invoked on the returned ct_ft resulting in a UAF on the already freed ct_ft
object. This vulnerability can lead to privilege escalation.
Analysis from zdi-disclosures@trendmicro.com:
When initializing act_ct, tcf_ct_init() is called, which internally triggers
tcf_ct_flow_table_get().

static int tcf_ct_flow_table_get(struct net *net, struct tcf_ct_params *params)
{
	struct zones_ht_key key = { .net = net, .zone = params->zone };
	struct tcf_ct_flow_table *ct_ft;
	int err = -ENOMEM;
	mutex_lock(&zones_mutex);
	ct_ft = rhashtable_lookup_fast(&zones_ht, &key, zones_params); // [1]
	if (ct_ft && refcount_inc_not_zero(&ct_ft->ref)) // [2]
		goto out_unlock;
	...
}

static __always_inline void *rhashtable_lookup_fast(
	struct rhashtable *ht, const void *key,
	const struct rhashtable_params params)
{
	void *obj;
	rcu_read_lock();
	obj = rhashtable_lookup(ht, key, params);
	rcu_read_unlock();
	return obj;
}

At [1], rhashtable_lookup_fast() looks up and returns the corresponding ct_ft
from zones_ht. The lookup is performed within an RCU read critical section
through rcu_read_lock() / rcu_read_unlock(), which prevents the object from
being freed. However, at the point of function return, rcu_read_unlock() has
already been called, and there is nothing preventing ct_ft from being freed
before reaching refcount_inc_not_zero(&ct_ft->ref) at [2]. This interval becomes
the race window, during which ct_ft can be freed.

Free Process:
tcf_ct_flow_table_put() is executed through the path tcf_ct_cleanup() -> call_rcu()
-> tcf_ct_params_free_rcu() -> tcf_ct_params_free() -> tcf_ct_flow_table_put().

static void tcf_ct_flow_table_put(struct tcf_ct_flow_table *ct_ft)
{
	if (refcount_dec_and_test(&ct_ft->ref)) {
		rhashtable_remove_fast(&zones_ht, &ct_ft->node, zones_params);
		INIT_RCU_WORK(&ct_ft->rwork, tcf_ct_flow_table_cleanup_work); // [3]
		queue_rcu_work(act_ct_wq, &ct_ft->rwork);
	}
}

At [3], tcf_ct_flow_table_cleanup_work() is scheduled as RCU work:

static void tcf_ct_flow_table_cleanup_work(struct work_struct *work)
{
	struct tcf_ct_flow_table *ct_ft;
	struct flow_block *block;
	ct_ft = container_of(to_rcu_work(work), struct tcf_ct_flow_table,
			     rwork);
	nf_flow_table_free(&ct_ft->nf_ft);
	block = &ct_ft->nf_ft.flow_block;
	down_write(&ct_ft->nf_ft.flow_block_lock);
	WARN_ON(!list_empty(&block->cb_list));
	up_write(&ct_ft->nf_ft.flow_block_lock);
	kfree(ct_ft); // [4]
	module_put(THIS_MODULE);
}

tcf_ct_flow_table_cleanup_work() frees ct_ft at [4]. When this function executes
between [1] and [2], UAF occurs.
This race condition has a very short race window, making it generally
difficult to trigger. Therefore, to trigger the vulnerability an msleep(100) was
inserted after [1].
Fixes: 138470a9b2cc2 ("net/sched: act_ct: fix lockdep splat in tcf_ct_flow_table_get")
Reported-by: zdi-disclosures@trendmicro.com
Tested-by: Victor Nogueira <victor@mojatatu.com>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260410111627.46611-1-jhs@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/act_ct.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
index 75a8fba9fa57a..651701a186fec 100644
--- a/net/sched/act_ct.c
+++ b/net/sched/act_ct.c
@@ -324,9 +324,13 @@ static int tcf_ct_flow_table_get(struct net *net, struct tcf_ct_params *params)
int err = -ENOMEM;
mutex_lock(&zones_mutex);
- ct_ft = rhashtable_lookup_fast(&zones_ht, &key, zones_params);
- if (ct_ft && refcount_inc_not_zero(&ct_ft->ref))
+ rcu_read_lock();
+ ct_ft = rhashtable_lookup(&zones_ht, &key, zones_params);
+ if (ct_ft && refcount_inc_not_zero(&ct_ft->ref)) {
+ rcu_read_unlock();
goto out_unlock;
+ }
+ rcu_read_unlock();
ct_ft = kzalloc(sizeof(*ct_ft), GFP_KERNEL);
if (!ct_ft)
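Review bot: the fix leaves two rcu_read_unlock() calls, one inside the new braces and one right after them, and nothing in the code says why the open-coded rhashtable_lookup() must not be folded back into rhashtable_lookup_fast(). Consider a single exit from the read-side section: set ct_ft to NULL when refcount_inc_not_zero() fails, call rcu_read_unlock() once, then goto out_unlock if ct_ft is still set. A one-line comment that the reference has to be taken inside the RCU read section, because the table is freed from RCU work, would stop a later cleanup from reintroducing the window.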
--
2.53.0
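The ordering problem analysed in the commit message above, as a deterministic single-threaded model. This is an added example, not code from the patch or from the kernel: every model_* name is hypothetical, "freed" is a flag rather than a real kfree(), and the model assumes the worst case in which the queued cleanup runs the moment no reader is inside a read-side section.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for struct tcf_ct_flow_table. */
struct model_ft {
	int ref;		/* models ct_ft->ref */
	bool in_table;		/* still reachable through zones_ht */
	bool freed;		/* cleanup work has run */
};

static int rcu_readers;			/* depth of the read-side section */
static struct model_ft *free_pending;	/* waiting for the grace period */

static void model_rcu_read_lock(void)
{
	rcu_readers++;
}

/* Worst case for the reader: the grace period ends, and the queued cleanup
 * runs, the moment the last read-side section closes. */
static void model_rcu_read_unlock(void)
{
	if (--rcu_readers == 0 && free_pending) {
		free_pending->freed = true;
		free_pending = NULL;
	}
}

static struct model_ft *model_lookup(struct model_ft *ft)
{
	return ft->in_table ? ft : NULL;
}

/* Models tcf_ct_flow_table_put(): the last put unlinks the table and queues
 * the free, which cannot run while a reader is inside its section. */
static void model_put(struct model_ft *ft)
{
	if (--ft->ref == 0) {
		ft->in_table = false;
		if (rcu_readers == 0)
			ft->freed = true;
		else
			free_pending = ft;
	}
}

/* Models refcount_inc_not_zero(); *stale records a touch of freed memory.
 * In the kernel that memory may have been reused, so the value read there
 * is arbitrary; the model only reports that the access happened. */
static bool model_inc_not_zero(struct model_ft *ft, bool *stale)
{
	if (ft->freed)
		*stale = true;
	if (ft->ref == 0)
		return false;
	ft->ref++;
	return true;
}

struct outcome {
	bool stale_access;	/* the refcount of a freed table was touched */
	bool got_ref;		/* the get path reused the existing table */
};

/* Runs the get path with the last put landing right after the lookup.
 * hold_rcu = false: unlock before the refcount step (lookup_fast shape).
 * hold_rcu = true:  unlock after the refcount step (shape after the fix). */
static struct outcome run_get(bool hold_rcu)
{
	struct model_ft ft = { .ref = 1, .in_table = true, .freed = false };
	struct outcome out = { false, false };
	struct model_ft *p;

	rcu_readers = 0;
	free_pending = NULL;

	model_rcu_read_lock();
	p = model_lookup(&ft);
	if (!hold_rcu)
		model_rcu_read_unlock();
	model_put(&ft);		/* concurrent last put, modelled inline */
	if (p)
		out.got_ref = model_inc_not_zero(p, &out.stale_access);
	if (hold_rcu)
		model_rcu_read_unlock();
	return out;
}

int main(void)
{
	struct outcome before = run_get(false), after = run_get(true);

	printf("unlock before refcount: stale=%d got_ref=%d\n",
	       before.stale_access, before.got_ref);
	printf("unlock after refcount:  stale=%d got_ref=%d\n",
	       after.stale_access, after.got_ref);
	return 0;
}
```

With the read-side section held across the refcount step, the failed refcount_inc_not_zero() sends the caller on to allocate a new table instead of touching the old one.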
* [PATCH 6.1 481/969] net/rds: Optimize rds_ib_laddr_check
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Håkon Bugge,
Somasundaram Krishnasamy, Gerd Rausch, Allison Henderson,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Håkon Bugge <haakon.bugge@oracle.com>
[ Upstream commit 236f718ac885965fa886440b9898dfae185c9733 ]
rds_ib_laddr_check() creates a CM_ID and attempts to bind the address
in question to it. This in order to qualify the allegedly local
address as a usable IB/RoCE address.
In the field, ExaWatcher runs rds-ping to all ports in the fabric from
all local ports. This using all active ToS'es. In a full rack system,
we have 14 cell servers and eight db servers. Typically, 6 ToS'es are
used. This implies 528 rds-ping invocations per ExaWatcher's "RDSinfo"
interval.
Adding to this, each rds-ping invocation creates eight sockets and
binds the local address to them:
socket(AF_RDS, SOCK_SEQPACKET, 0) = 3
bind(3, {sa_family=AF_INET, sin_port=htons(0),
sin_addr=inet_addr("192.168.36.2")}, 16) = 0
socket(AF_RDS, SOCK_SEQPACKET, 0) = 4
bind(4, {sa_family=AF_INET, sin_port=htons(0),
sin_addr=inet_addr("192.168.36.2")}, 16) = 0
socket(AF_RDS, SOCK_SEQPACKET, 0) = 5
bind(5, {sa_family=AF_INET, sin_port=htons(0),
sin_addr=inet_addr("192.168.36.2")}, 16) = 0
socket(AF_RDS, SOCK_SEQPACKET, 0) = 6
bind(6, {sa_family=AF_INET, sin_port=htons(0),
sin_addr=inet_addr("192.168.36.2")}, 16) = 0
socket(AF_RDS, SOCK_SEQPACKET, 0) = 7
bind(7, {sa_family=AF_INET, sin_port=htons(0),
sin_addr=inet_addr("192.168.36.2")}, 16) = 0
socket(AF_RDS, SOCK_SEQPACKET, 0) = 8
bind(8, {sa_family=AF_INET, sin_port=htons(0),
sin_addr=inet_addr("192.168.36.2")}, 16) = 0
socket(AF_RDS, SOCK_SEQPACKET, 0) = 9
bind(9, {sa_family=AF_INET, sin_port=htons(0),
sin_addr=inet_addr("192.168.36.2")}, 16) = 0
socket(AF_RDS, SOCK_SEQPACKET, 0) = 10
bind(10, {sa_family=AF_INET, sin_port=htons(0),
sin_addr=inet_addr("192.168.36.2")}, 16) = 0
So, at every interval ExaWatcher executes rds-ping's, 4224 CM_IDs are
allocated, considering this full-rack system. After a CM_ID has
been allocated, rdma_bind_addr() is called, with the port number being
zero. This implies that the CMA will attempt to search for an un-used
ephemeral port. Simplified, the algorithm is to start at a random
position in the available port space, and then if needed, iterate
until an un-used port is found.
The book-keeping of used ports uses the idr system, which again uses
slab to allocate new struct idr_layer's. The size is 2092 bytes and
slab tries to reduce the wasted space. Hence, it chooses an order:3
allocation, for which 15 idr_layer structs will fit and only 1388
bytes are wasted per the 32KiB order:3 chunk.
Although this order:3 allocation seems like a good space/speed
trade-off, it does not resonate well with how it is used by the CMA. The
combination of the randomized starting point in the port space (which
has close to zero spatial locality) and the close proximity in time of
the 4224 invocations of the rds-ping's, creates a memory hog for
order:3 allocations.
These costly allocations may need reclaims and/or compaction. At
worst, they may fail and produce a stack trace such as (from uek4):
[<ffffffff811a72d5>] __inc_zone_page_state+0x35/0x40
[<ffffffff811c2e97>] page_add_file_rmap+0x57/0x60
[<ffffffffa37ca1df>] remove_migration_pte+0x3f/0x3c0 [ksplice_6cn872bt_vmlinux_new]
[<ffffffff811c3de8>] rmap_walk+0xd8/0x340
[<ffffffff811e8860>] remove_migration_ptes+0x40/0x50
[<ffffffff811ea83c>] migrate_pages+0x3ec/0x890
[<ffffffff811afa0d>] compact_zone+0x32d/0x9a0
[<ffffffff811b00ed>] compact_zone_order+0x6d/0x90
[<ffffffff811b03b2>] try_to_compact_pages+0x102/0x270
[<ffffffff81190e56>] __alloc_pages_direct_compact+0x46/0x100
[<ffffffff8119165b>] __alloc_pages_nodemask+0x74b/0xaa0
[<ffffffff811d8411>] alloc_pages_current+0x91/0x110
[<ffffffff811e3b0b>] new_slab+0x38b/0x480
[<ffffffffa41323c7>] __slab_alloc+0x3b7/0x4a0 [ksplice_s0dk66a8_vmlinux_new]
[<ffffffff811e42ab>] kmem_cache_alloc+0x1fb/0x250
[<ffffffff8131fdd6>] idr_layer_alloc+0x36/0x90
[<ffffffff8132029c>] idr_get_empty_slot+0x28c/0x3d0
[<ffffffff813204ad>] idr_alloc+0x4d/0xf0
[<ffffffffa051727d>] cma_alloc_port+0x4d/0xa0 [rdma_cm]
[<ffffffffa0517cbe>] rdma_bind_addr+0x2ae/0x5b0 [rdma_cm]
[<ffffffffa09d8083>] rds_ib_laddr_check+0x83/0x2c0 [ksplice_6l2xst5i_rds_rdma_new]
[<ffffffffa05f892b>] rds_trans_get_preferred+0x5b/0xa0 [rds]
[<ffffffffa05f09f2>] rds_bind+0x212/0x280 [rds]
[<ffffffff815b4016>] SYSC_bind+0xe6/0x120
[<ffffffff815b4d3e>] SyS_bind+0xe/0x10
[<ffffffff816b031a>] system_call_fastpath+0x18/0xd4
To avoid these excessive calls to rdma_bind_addr(), we optimize
rds_ib_laddr_check() by simply checking if the address in question has
been used before. The rds_rdma module keeps track of addresses
associated with IB devices, and the function rds_ib_get_device() is
used to determine if the address already has been qualified as a valid
local address. If not found, we call the legacy rds_ib_laddr_check(),
now renamed to rds_ib_laddr_check_cm().
Signed-off-by: Håkon Bugge <haakon.bugge@oracle.com>
Signed-off-by: Somasundaram Krishnasamy <somasundaram.krishnasamy@oracle.com>
Signed-off-by: Gerd Rausch <gerd.rausch@oracle.com>
Signed-off-by: Allison Henderson <achender@kernel.org>
Link: https://patch.msgid.link/20260408080420.540032-2-achender@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: ebf71dd4aff4 ("net/rds: Restrict use of RDS/IB to the initial network namespace")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/rds/ib.c | 20 ++++++++++++++++++--
net/rds/ib.h | 1 +
net/rds/ib_rdma.c | 2 +-
3 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/net/rds/ib.c b/net/rds/ib.c
index 9826fe7f9d008..996f007cd516b 100644
--- a/net/rds/ib.c
+++ b/net/rds/ib.c
@@ -403,8 +403,8 @@ static void rds6_ib_ic_info(struct socket *sock, unsigned int len,
* allowed to influence which paths have priority. We could call userspace
* asserting this policy "routing".
*/
-static int rds_ib_laddr_check(struct net *net, const struct in6_addr *addr,
- __u32 scope_id)
+static int rds_ib_laddr_check_cm(struct net *net, const struct in6_addr *addr,
+ __u32 scope_id)
{
int ret;
struct rdma_cm_id *cm_id;
@@ -489,6 +489,22 @@ static int rds_ib_laddr_check(struct net *net, const struct in6_addr *addr,
return ret;
}
+static int rds_ib_laddr_check(struct net *net, const struct in6_addr *addr,
+ __u32 scope_id)
+{
+ struct rds_ib_device *rds_ibdev = NULL;
+
+ if (ipv6_addr_v4mapped(addr)) {
+ rds_ibdev = rds_ib_get_device(addr->s6_addr32[3]);
+ if (rds_ibdev) {
+ rds_ib_dev_put(rds_ibdev);
+ return 0;
+ }
+ }
+
+ return rds_ib_laddr_check_cm(net, addr, scope_id);
+}
+
static void rds_ib_unregister_client(void)
{
ib_unregister_client(&rds_ib_client);
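Review bot: the new fast path in rds_ib_laddr_check() returns 0 as soon as rds_ib_get_device() finds the address, without looking at net or scope_id, so an address already associated with an IB device is accepted whichever network namespace the bind comes from, while rds_ib_laddr_check_cm() is handed both arguments. If that is intended, say so in a comment above the function; otherwise gate the shortcut on the namespace. The = NULL initialiser on rds_ibdev is also unnecessary, since the variable is assigned before its only use.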
diff --git a/net/rds/ib.h b/net/rds/ib.h
index 2ba71102b1f1f..d6c1197731c1c 100644
--- a/net/rds/ib.h
+++ b/net/rds/ib.h
@@ -384,6 +384,7 @@ void rds_ib_cm_connect_complete(struct rds_connection *conn,
__rds_ib_conn_error(conn, KERN_WARNING "RDS/IB: " fmt)
/* ib_rdma.c */
+struct rds_ib_device *rds_ib_get_device(__be32 ipaddr);
int rds_ib_update_ipaddr(struct rds_ib_device *rds_ibdev,
struct in6_addr *ipaddr);
void rds_ib_add_conn(struct rds_ib_device *rds_ibdev, struct rds_connection *conn);
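Review bot: rds_ib_get_device() is now declared for use outside ib_rdma.c, but the prototype carries no hint that the returned device holds a reference the caller must drop, which the new caller in ib.c does with rds_ib_dev_put(). A short comment on the declaration stating the reference contract, and that the argument is a big-endian IPv4 address (__be32), would keep future callers from leaking the device.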
diff --git a/net/rds/ib_rdma.c b/net/rds/ib_rdma.c
index 30fca2169aa7a..468fd60d818ff 100644
--- a/net/rds/ib_rdma.c
+++ b/net/rds/ib_rdma.c
@@ -47,7 +47,7 @@ struct rds_ib_dereg_odp_mr {
static void rds_ib_odp_mr_worker(struct work_struct *work);
-static struct rds_ib_device *rds_ib_get_device(__be32 ipaddr)
+struct rds_ib_device *rds_ib_get_device(__be32 ipaddr)
{
struct rds_ib_device *rds_ibdev;
struct rds_ib_ipaddr *i_ipaddr;
--
2.53.0
* [PATCH 6.1 482/969] net/rds: Restrict use of RDS/IB to the initial network namespace
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+da8e060735ae02c8f3d1,
Greg Jumper, Allison Henderson, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Jumper <greg.jumper@oracle.com>
[ Upstream commit ebf71dd4aff46e8e421d455db3e231ba43d2fa8a ]
Prevent using RDS/IB in network namespaces other than the initial one.
The existing RDS/IB code will not work properly in non-initial network
namespaces.
Fixes: d5a8ac28a7ff ("RDS-TCP: Make RDS-TCP work correctly when it is set up in a netns other than init_net")
Reported-by: syzbot+da8e060735ae02c8f3d1@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=da8e060735ae02c8f3d1
Signed-off-by: Greg Jumper <greg.jumper@oracle.com>
Signed-off-by: Allison Henderson <achender@kernel.org>
Link: https://patch.msgid.link/20260408080420.540032-3-achender@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/rds/af_rds.c | 10 ++++++++--
net/rds/ib.c | 4 ++++
2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/net/rds/af_rds.c b/net/rds/af_rds.c
index d107f7605db4f..752ae3fbc2e7a 100644
--- a/net/rds/af_rds.c
+++ b/net/rds/af_rds.c
@@ -357,7 +357,8 @@ static int rds_cong_monitor(struct rds_sock *rs, sockptr_t optval, int optlen)
return ret;
}
-static int rds_set_transport(struct rds_sock *rs, sockptr_t optval, int optlen)
+static int rds_set_transport(struct net *net, struct rds_sock *rs,
+ sockptr_t optval, int optlen)
{
int t_type;
@@ -373,6 +374,10 @@ static int rds_set_transport(struct rds_sock *rs, sockptr_t optval, int optlen)
if (t_type < 0 || t_type >= RDS_TRANS_COUNT)
return -EINVAL;
+ /* RDS/IB is restricted to the initial network namespace */
+ if (t_type != RDS_TRANS_TCP && !net_eq(net, &init_net))
+ return -EPROTOTYPE;
+
rs->rs_transport = rds_trans_get(t_type);
return rs->rs_transport ? 0 : -ENOPROTOOPT;
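Review bot: the comment says RDS/IB is restricted, but the test t_type != RDS_TRANS_TCP rejects every non-TCP value that passed the range check above it, not only IB. Either reword the comment to say that only RDS/TCP may be selected outside the initial network namespace, or test for the IB transport explicitly, so that code and comment describe the same policy. It is also worth documenting that SO_RDS_TRANSPORT now fails with -EPROTOTYPE in that case.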
@@ -433,6 +438,7 @@ static int rds_setsockopt(struct socket *sock, int level, int optname,
sockptr_t optval, unsigned int optlen)
{
struct rds_sock *rs = rds_sk_to_rs(sock->sk);
+ struct net *net = sock_net(sock->sk);
int ret;
if (level != SOL_RDS) {
@@ -461,7 +467,7 @@ static int rds_setsockopt(struct socket *sock, int level, int optname,
break;
case SO_RDS_TRANSPORT:
lock_sock(sock->sk);
- ret = rds_set_transport(rs, optval, optlen);
+ ret = rds_set_transport(net, rs, optval, optlen);
release_sock(sock->sk);
break;
case SO_TIMESTAMP_OLD:
diff --git a/net/rds/ib.c b/net/rds/ib.c
index 996f007cd516b..ce5be43c5fbac 100644
--- a/net/rds/ib.c
+++ b/net/rds/ib.c
@@ -494,6 +494,10 @@ static int rds_ib_laddr_check(struct net *net, const struct in6_addr *addr,
{
struct rds_ib_device *rds_ibdev = NULL;
+ /* RDS/IB is restricted to the initial network namespace */
+ if (!net_eq(net, &init_net))
+ return -EPROTOTYPE;
+
if (ipv6_addr_v4mapped(addr)) {
rds_ibdev = rds_ib_get_device(addr->s6_addr32[3]);
if (rds_ibdev) {
--
2.53.0
* [PATCH 6.1 483/969] ppp: require CAP_NET_ADMIN in target netns for unattached ioctls
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Taegu Ha, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Taegu Ha <hataegu0826@gmail.com>
[ Upstream commit 2bb6379416fd19f44c3423a00bfd8626259f6067 ]
/dev/ppp open is currently authorized against file->f_cred->user_ns,
while unattached administrative ioctls operate on current->nsproxy->net_ns.
As a result, a local unprivileged user can create a new user namespace
with CLONE_NEWUSER, gain CAP_NET_ADMIN only in that new user namespace,
and still issue PPPIOCNEWUNIT, PPPIOCATTACH, or PPPIOCATTCHAN against
an inherited network namespace.
Require CAP_NET_ADMIN in the user namespace that owns the target network
namespace before handling unattached PPP administrative ioctls.
This preserves normal pppd operation in the network namespace it is
actually privileged in, while rejecting the userns-only inherited-netns
case.
Fixes: 273ec51dd7ce ("net: ppp_generic - introduce net-namespace functionality v2")
Signed-off-by: Taegu Ha <hataegu0826@gmail.com>
Link: https://patch.msgid.link/20260409071117.4354-1-hataegu0826@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ppp/ppp_generic.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
index f184368d5c5e7..89973d0959a68 100644
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -1062,6 +1062,9 @@ static int ppp_unattached_ioctl(struct net *net, struct ppp_file *pf,
struct ppp_net *pn;
int __user *p = (int __user *)arg;
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
+ return -EPERM;
+
switch (cmd) {
case PPPIOCNEWUNIT:
/* Create a new ppp unit */
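Review bot: the ns_capable() check sits ahead of the switch, so it applies to every command that reaches ppp_unattached_ioctl(), including ones the switch does not recognise, and a caller lacking the capability now gets -EPERM for those as well; the changelog names only PPPIOCNEWUNIT, PPPIOCATTACH and PPPIOCATTCHAN. A comment above the check explaining that the capability is tested against net->user_ns, the owner of the target network namespace, rather than against the opener's credentials would record why the check lives here.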
--
2.53.0
* [PATCH 6.1 484/969] bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+619b9ef527f510a57cfc,
Sun Jian, Alexei Starovoitov, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sun Jian <sun.jian.kdev@gmail.com>
[ Upstream commit 12bec2bd4b76d81c5d3996bd14ec1b7f4d983747 ]
bpf_prog_test_run_skb() calls eth_type_trans() first and then uses
skb->protocol to initialize sk family and address fields for the test
run.
For IPv4 and IPv6 packets, it may access ip_hdr(skb) or ipv6_hdr(skb)
even when the provided test input only contains an Ethernet header.
Reject the input earlier if the Ethernet frame carries IPv4/IPv6
EtherType but the L3 header is too short.
Fold the IPv4/IPv6 header length checks into the existing protocol
switch and return -EINVAL before accessing the network headers.
Fixes: fa5cb548ced6 ("bpf: Setup socket family and addresses in bpf_prog_test_run_skb")
Reported-by: syzbot+619b9ef527f510a57cfc@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=619b9ef527f510a57cfc
Signed-off-by: Sun Jian <sun.jian.kdev@gmail.com>
Link: https://lore.kernel.org/r/20260408034623.180320-2-sun.jian.kdev@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bpf/test_run.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
index 51259647c65fb..84d7a4dd8f051 100644
--- a/net/bpf/test_run.c
+++ b/net/bpf/test_run.c
@@ -1164,19 +1164,23 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
switch (skb->protocol) {
case htons(ETH_P_IP):
- sk->sk_family = AF_INET;
- if (sizeof(struct iphdr) <= skb_headlen(skb)) {
- sk->sk_rcv_saddr = ip_hdr(skb)->saddr;
- sk->sk_daddr = ip_hdr(skb)->daddr;
+ if (skb_headlen(skb) < sizeof(struct iphdr)) {
+ ret = -EINVAL;
+ goto out;
}
+ sk->sk_family = AF_INET;
+ sk->sk_rcv_saddr = ip_hdr(skb)->saddr;
+ sk->sk_daddr = ip_hdr(skb)->daddr;
break;
#if IS_ENABLED(CONFIG_IPV6)
case htons(ETH_P_IPV6):
- sk->sk_family = AF_INET6;
- if (sizeof(struct ipv6hdr) <= skb_headlen(skb)) {
- sk->sk_v6_rcv_saddr = ipv6_hdr(skb)->saddr;
- sk->sk_v6_daddr = ipv6_hdr(skb)->daddr;
+ if (skb_headlen(skb) < sizeof(struct ipv6hdr)) {
+ ret = -EINVAL;
+ goto out;
}
+ sk->sk_family = AF_INET6;
+ sk->sk_v6_rcv_saddr = ipv6_hdr(skb)->saddr;
+ sk->sk_v6_daddr = ipv6_hdr(skb)->daddr;
break;
#endif
default:
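Review bot: a frame with an IPv4 or IPv6 EtherType and a short L3 header used to continue with sk_family set and the address fields left untouched; after this hunk the same input fails with -EINVAL, which is a user-visible change for callers of bpf_prog_test_run_skb() that is not documented next to the check. A brief comment on each new branch, and a selftest that feeds an Ethernet-only frame for both EtherTypes and expects -EINVAL, would pin the new contract down.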
--
2.53.0
* [PATCH 6.1 485/969] Bluetooth: L2CAP: Fix printing wrong information if SDU length exceeds MTU
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz, Paul Menzel,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit 15bf35a660eb82a49f8397fc3d3acada8dae13db ]
The code was printing skb->len and sdu_len in the places where it should
be sdu_len and chan->imtu respectively to match the if conditions.
Link: https://lore.kernel.org/linux-bluetooth/20260315132013.75ab40c5@kernel.org/T/#m1418f9c82eeff8510c1beaa21cf53af20db96c06
Fixes: e1d9a6688986 ("Bluetooth: LE L2CAP: Disconnect if received packet's SDU exceeds IMTU")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/l2cap_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 8a2d36f5cf33b..56fbf8d2769c6 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -7730,7 +7730,7 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
if (sdu_len > chan->imtu) {
BT_ERR("Too big LE L2CAP SDU length: len %u > %u",
- skb->len, sdu_len);
+ sdu_len, chan->imtu);
l2cap_send_disconn_req(chan, ECONNRESET);
err = -EMSGSIZE;
goto failed;
--
2.53.0
* [PATCH 6.1 486/969] Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonathan Rissanen,
Luiz Augusto von Dentz, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonathan Rissanen <jonathan.rissanen@axis.com>
[ Upstream commit 68d39ea5e0adc9ecaea1ce8abd842ec972eb8718 ]
When hci_register_dev() fails in hci_uart_register_dev()
HCI_UART_PROTO_INIT is not cleared before calling hu->proto->close(hu)
and setting hu->hdev to NULL. This means incoming UART data will reach
the protocol-specific recv handler in hci_uart_tty_receive() after
resources are freed.
Clear HCI_UART_PROTO_INIT with a write lock before calling
hu->proto->close() and setting hu->hdev to NULL. The write lock ensures
all active readers have completed and no new reader can enter the
protocol recv path before resources are freed.
This allows the protocol-specific recv functions to remove the
"HCI_UART_REGISTERED" guard without risking a null pointer dereference
if hci_register_dev() fails.
Fixes: 5df5dafc171b ("Bluetooth: hci_uart: Fix another race during initialization")
Signed-off-by: Jonathan Rissanen <jonathan.rissanen@axis.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/hci_ldisc.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
index 2752857dbccf3..f86ac94d53a4e 100644
--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -694,6 +694,9 @@ static int hci_uart_register_dev(struct hci_uart *hu)
if (hci_register_dev(hdev) < 0) {
BT_ERR("Can't register HCI device");
+ percpu_down_write(&hu->proto_lock);
+ clear_bit(HCI_UART_PROTO_INIT, &hu->flags);
+ percpu_up_write(&hu->proto_lock);
hu->proto->close(hu);
hu->hdev = NULL;
hci_free_dev(hdev);
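Review bot: The three added lines before hu->proto->close(hu) take proto_lock for writing only to clear one bit, and nothing in the code says why. clear_bit() is already atomic, so a later cleanup could drop the lock as redundant; a short comment that percpu_down_write() is there to wait for readers in the receive path to leave before close() frees protocol state would protect it. It is also worth confirming that no caller reaches this error path with proto_lock already held, since that would self-deadlock.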
--
2.53.0
* [PATCH 6.1 487/969] Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (485 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 486/969] Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 488/969] Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp Greg Kroah-Hartman
` (488 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pauli Virtanen,
Luiz Augusto von Dentz, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pauli Virtanen <pav@iki.fi>
[ Upstream commit 5c7209a341ff2ac338b2b0375c34a307b37c9ac2 ]
When protocol sets HCI_PROTO_DEFER, hci_conn_request_evt() calls
hci_connect_cfm(conn) without hdev->lock. Generally hci_connect_cfm()
assumes it is held, and if conn is deleted concurrently -> UAF.
Only SCO and ISO set HCI_PROTO_DEFER and only for defer setup listen,
and HCI_EV_CONN_REQUEST is not generated for ISO. In the non-deferred
listening socket code paths, hci_connect_cfm(conn) is called with
hdev->lock held.
Fix by holding the lock.
Fixes: 70c464256310 ("Bluetooth: Refactor connection request handling")
Signed-off-by: Pauli Virtanen <pav@iki.fi>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/hci_event.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 31606454c7c81..d572ce3061cf9 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -3365,8 +3365,6 @@ static void hci_conn_request_evt(struct hci_dev *hdev, void *data,
memcpy(conn->dev_class, ev->dev_class, 3);
- hci_dev_unlock(hdev);
-
if (ev->link_type == ACL_LINK ||
(!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
struct hci_cp_accept_conn_req cp;
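Review bot: With hci_dev_unlock(hdev) removed after the memcpy(), everything in the ACL_LINK / non-deferred branch that follows now runs with hdev->lock held, including building and sending the accept request from struct hci_cp_accept_conn_req cp. Please confirm that none of the calls in those branches sleeps or takes hdev->lock itself, and say so in the changelog, since the message only discusses hci_connect_cfm().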
@@ -3400,7 +3398,6 @@ static void hci_conn_request_evt(struct hci_dev *hdev, void *data,
hci_connect_cfm(conn, 0);
}
- return;
unlock:
hci_dev_unlock(hdev);
}
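Review bot: Dropping the return before the unlock: label makes the success path and the goto unlock error paths share the single hci_dev_unlock(hdev), which is right only if no path between the removed unlock and this label still returns directly. Any remaining early return in the function body would now leave hdev->lock held; worth reading the whole function in the 6.1 tree before applying, where the surrounding code may differ from upstream.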
--
2.53.0
* [PATCH 6.1 488/969] Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (486 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 487/969] Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 489/969] sctp: fix missing encap_port propagation for GSO fragments Greg Kroah-Hartman
` (487 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dudu Lu, Luiz Augusto von Dentz,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dudu Lu <phx0fer@gmail.com>
[ Upstream commit 42776497cdbc9a665b384a6dcb85f0d4bd927eab ]
l2cap_ecred_reconf_rsp() calls l2cap_chan_del() without holding
l2cap_chan_lock(). Every other l2cap_chan_del() caller in the file
acquires the lock first. A remote BLE device can send a crafted
L2CAP ECRED reconfiguration response to corrupt the channel list
while another thread is iterating it.
Add l2cap_chan_hold() and l2cap_chan_lock() before l2cap_chan_del(),
and l2cap_chan_unlock() and l2cap_chan_put() after, matching the
pattern used in l2cap_ecred_conn_rsp() and l2cap_conn_del().
Fixes: 15f02b910562 ("Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode")
Signed-off-by: Dudu Lu <phx0fer@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/l2cap_core.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 56fbf8d2769c6..21f63ca434e3f 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -6461,7 +6461,13 @@ static inline int l2cap_ecred_reconf_rsp(struct l2cap_conn *conn,
if (chan->ident != cmd->ident)
continue;
+ l2cap_chan_hold(chan);
+ l2cap_chan_lock(chan);
+
l2cap_chan_del(chan, ECONNRESET);
+
+ l2cap_chan_unlock(chan);
+ l2cap_chan_put(chan);
}
return 0;
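Review bot: l2cap_chan_del() unlinks chan from the list being walked, and the hunk does not show which iterator the loop around the continue uses. If it is not a _safe list iterator, the next step of the loop reads chan's list pointers after the deletion, and l2cap_chan_put() may have dropped the last reference just before that. Please confirm the iterator, and that the lock order of l2cap_chan_lock() here matches the callers named in the changelog.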
--
2.53.0
* [PATCH 6.1 489/969] sctp: fix missing encap_port propagation for GSO fragments
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (487 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 488/969] Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 490/969] net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master Greg Kroah-Hartman
` (486 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xin Long, Marcelo Ricardo Leitner,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xin Long <lucien.xin@gmail.com>
[ Upstream commit bf6f95ae3b8b2638c0e1d6d802d50983ce5d0f45 ]
encap_port in SCTP_INPUT_CB(skb) is used by sctp_vtag_verify() for
SCTP-over-UDP processing. In the GSO case, it is only set on the head
skb, while fragment skbs leave it 0.
This results in fragment skbs seeing encap_port == 0, breaking
SCTP-over-UDP connections.
Fix it by propagating encap_port from the head skb cb when initializing
fragment skbs in sctp_inq_pop().
Fixes: 046c052b475e ("sctp: enable udp tunneling socks")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Link: https://patch.msgid.link/ea65ed61b3598d8b4940f0170b9aa1762307e6c3.1776017631.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sctp/inqueue.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/sctp/inqueue.c b/net/sctp/inqueue.c
index f5a7d5a387555..a024c08432471 100644
--- a/net/sctp/inqueue.c
+++ b/net/sctp/inqueue.c
@@ -201,6 +201,7 @@ struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue)
cb->chunk = head_cb->chunk;
cb->af = head_cb->af;
+ cb->encap_port = head_cb->encap_port;
}
}
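Review bot: The fragment cb is filled one field at a time from head_cb (chunk, af, and now encap_port), which is how encap_port came to be missed. A comment above these assignments saying that every per-packet field later read through SCTP_INPUT_CB() has to be mirrored here would make the next omission less likely.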
--
2.53.0
* [PATCH 6.1 490/969] net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (488 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 489/969] sctp: fix missing encap_port propagation for GSO fragments Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 491/969] drm/komeda: fix integer overflow in AFBC framebuffer size check Greg Kroah-Hartman
` (485 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+80e046b8da2820b6ba73,
Daniel Borkmann, Jiayuan Chen, Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayuan Chen <jiayuan.chen@linux.dev>
[ Upstream commit 1921f91298d1388a0bb9db8f83800c998b649cb3 ]
syzkaller reported a kernel panic in bond_rr_gen_slave_id() reached via
xdp_master_redirect(). Full decoded trace:
https://syzkaller.appspot.com/bug?extid=80e046b8da2820b6ba73
bond_rr_gen_slave_id() dereferences bond->rr_tx_counter, a per-CPU
counter that bonding only allocates in bond_open() when the mode is
round-robin. If the bond device was never brought up, rr_tx_counter
stays NULL.
The XDP redirect path can still reach that code on a bond that was
never opened: bpf_master_redirect_enabled_key is a global static key,
so as soon as any bond device has native XDP attached, the
XDP_TX -> xdp_master_redirect() interception is enabled for every
slave system-wide. The path xdp_master_redirect() ->
bond_xdp_get_xmit_slave() -> bond_xdp_xmit_roundrobin_slave_get() ->
bond_rr_gen_slave_id() then runs against a bond that has no
rr_tx_counter and crashes.
Fix this in the generic xdp_master_redirect() by refusing to call into
the master's ->ndo_xdp_get_xmit_slave() when the master device is not
up. IFF_UP is only set after ->ndo_open() has successfully returned,
so this reliably excludes masters whose XDP state has not been fully
initialized. Drop the frame with XDP_ABORTED so the exception is
visible via trace_xdp_exception() rather than silently falling through.
This is not specific to bonding: any current or future master that
defers XDP state allocation to ->ndo_open() is protected.
Fixes: 879af96ffd72 ("net, core: Add support for XDP redirection to slave device")
Reported-by: syzbot+80e046b8da2820b6ba73@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/698f84c6.a70a0220.2c38d7.00cc.GAE@google.com/T/
Suggested-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Link: https://patch.msgid.link/20260411005524.201200-2-jiayuan.chen@linux.dev
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/filter.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/core/filter.c b/net/core/filter.c
index 271cb6881dbb1..aee85a0062ce6 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -4268,6 +4268,8 @@ u32 xdp_master_redirect(struct xdp_buff *xdp)
struct bpf_redirect_info *ri = this_cpu_ptr(&bpf_redirect_info);
master = netdev_master_upper_dev_get_rcu(xdp->rxq->dev);
+ if (unlikely(!(master->flags & IFF_UP)))
+ return XDP_ABORTED;
slave = master->netdev_ops->ndo_xdp_get_xmit_slave(master, xdp);
if (slave && slave != xdp->rxq->dev) {
/* The target device is different from the receiving device, so
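Review bot: The new test reads master->flags straight after netdev_master_upper_dev_get_rcu(), and there is no comment saying what IFF_UP stands in for. A one-line comment that a master which is not up may not have allocated its XDP transmit state in ->ndo_open() would keep the check from looking arbitrary. The existing next line already dereferences master->netdev_ops, so the function relies on the caller guaranteeing that a master exists; if that ever stops being true, the added line is now the first one to fault.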
--
2.53.0
* [PATCH 6.1 491/969] drm/komeda: fix integer overflow in AFBC framebuffer size check
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (489 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 490/969] net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 492/969] drm/sun4i: backend: fix error pointer dereference Greg Kroah-Hartman
` (484 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Konyukhov, Liviu Dudau,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Konyukhov <Alexander.Konyukhov@kaspersky.com>
[ Upstream commit 779ec12c85c9e4547519e3903a371a3b26a289de ]
The AFBC framebuffer size validation calculates the minimum required
buffer size by adding the AFBC payload size to the framebuffer offset.
This addition is performed without checking for integer overflow.
If the addition overflows, the size check may incorrectly succeed and
allow userspace to provide an undersized drm_gem_object, potentially
leading to out-of-bounds memory access.
Add usage of check_add_overflow() to safely compute the minimum
required size and reject the framebuffer if an overflow is detected.
This makes the AFBC size validation more robust against malformed.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 65ad2392dd6d ("drm/komeda: Added AFBC support for komeda driver")
Signed-off-by: Alexander Konyukhov <Alexander.Konyukhov@kaspersky.com>
Acked-by: Liviu Dudau <liviu.dudau@arm.com>
Signed-off-by: Liviu Dudau <liviu.dudau@arm.com>
Link: https://lore.kernel.org/r/20260203134907.1587067-1-Alexander.Konyukhov@kaspersky.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c b/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c
index df5da5a447555..b4f2b89651ff2 100644
--- a/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c
+++ b/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c
@@ -4,6 +4,8 @@
* Author: James.Qian.Wang <james.qian.wang@arm.com>
*
*/
+#include <linux/overflow.h>
+
#include <drm/drm_device.h>
#include <drm/drm_fb_dma_helper.h>
#include <drm/drm_gem.h>
@@ -92,7 +94,9 @@ komeda_fb_afbc_size_check(struct komeda_fb *kfb, struct drm_file *file,
kfb->afbc_size = kfb->offset_payload + n_blocks *
ALIGN(bpp * AFBC_SUPERBLK_PIXELS / 8,
AFBC_SUPERBLK_ALIGNMENT);
- min_size = kfb->afbc_size + fb->offsets[0];
+ if (check_add_overflow(kfb->afbc_size, fb->offsets[0], &min_size)) {
+ goto check_failed;
+ }
if (min_size > obj->size) {
DRM_DEBUG_KMS("afbc size check failed, obj_size: 0x%zx. min_size 0x%llx.\n",
obj->size, min_size);
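Review bot: Only the last addition is guarded. The context lines just above compute kfb->afbc_size as kfb->offset_payload + n_blocks * ALIGN(...) with no overflow check, so a wrapped afbc_size still reaches check_add_overflow() as a small value and passes. Consider check_mul_overflow() and check_add_overflow() for that expression too. Minor: kernel style drops the braces around the single goto check_failed; statement, and that path skips the DRM_DEBUG_KMS() message that the size failure prints.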
--
2.53.0
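The size check discussed in the message above, as an added user-space example that is not part of the patch or of the komeda driver. It goes one step further than the commit and also checks the block-count multiplication. struct afbc_geom, fits_unchecked(), fits_checked(), the sample values and the 32-bit field widths are assumptions made for the example; __builtin_add_overflow() and __builtin_mul_overflow() are the GCC/Clang builtins that the kernel's check_add_overflow() and check_mul_overflow() wrap.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the values used by the size check.
 * Names and 32-bit widths are assumptions, not the driver's layout. */
struct afbc_geom {
    uint32_t offset_payload; /* header area in front of the payload */
    uint32_t n_blocks;       /* number of superblocks */
    uint32_t blk_bytes;      /* aligned bytes per superblock */
    uint32_t fb_offset;      /* offset supplied by userspace */
};

/* Constructed samples. */
static const struct afbc_geom SAMPLE_HONEST   = { 4096, 256, 512, 0 };
/* 0x21000 + 0xFFFDF010 = 0x1_0000_0010, which wraps to 0x10 in 32 bits. */
static const struct afbc_geom SAMPLE_WRAP_ADD = { 4096, 256, 512, 0xFFFDF010u };
/* 0x01000000 * 0x200 = 0x2_0000_0000, which wraps to 0 in 32 bits. */
static const struct afbc_geom SAMPLE_WRAP_MUL = { 4096, 0x01000000u, 512, 0 };

/* Unchecked form: every step is 32-bit arithmetic that silently wraps. */
static bool fits_unchecked(const struct afbc_geom *g, uint64_t obj_size)
{
    uint32_t afbc_size = g->offset_payload + g->n_blocks * g->blk_bytes;
    uint32_t min_size = afbc_size + g->fb_offset;

    return min_size <= obj_size;
}

/* Checked form: any step that does not fit rejects the framebuffer. */
static bool fits_checked(const struct afbc_geom *g, uint64_t obj_size)
{
    uint32_t payload, afbc_size, min_size;

    if (__builtin_mul_overflow(g->n_blocks, g->blk_bytes, &payload))
        return false;
    if (__builtin_add_overflow(g->offset_payload, payload, &afbc_size))
        return false;
    if (__builtin_add_overflow(afbc_size, g->fb_offset, &min_size))
        return false;

    return min_size <= obj_size;
}

int main(void)
{
    /* A 4 KiB object is far too small for either wrapped geometry. */
    printf("honest,   exact size: unchecked=%d checked=%d\n",
           fits_unchecked(&SAMPLE_HONEST, 135168),
           fits_checked(&SAMPLE_HONEST, 135168));
    printf("wrap add, 4 KiB obj:  unchecked=%d checked=%d\n",
           fits_unchecked(&SAMPLE_WRAP_ADD, 4096),
           fits_checked(&SAMPLE_WRAP_ADD, 4096));
    printf("wrap mul, 4 KiB obj:  unchecked=%d checked=%d\n",
           fits_unchecked(&SAMPLE_WRAP_MUL, 4096),
           fits_checked(&SAMPLE_WRAP_MUL, 4096));
    return 0;
}
```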
* [PATCH 6.1 492/969] drm/sun4i: backend: fix error pointer dereference
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (490 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 491/969] drm/komeda: fix integer overflow in AFBC framebuffer size check Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 493/969] ASoC: sti: Return errors from regmap_field_alloc() Greg Kroah-Hartman
` (483 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ethan Tidmore, Chen-Yu Tsai,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ethan Tidmore <ethantidmore06@gmail.com>
[ Upstream commit 06277983eca4a31d3c2114fa33d99a6e82484b11 ]
The function drm_atomic_get_plane_state() can return an error pointer
and is not checked for it. Add error pointer check.
Detected by Smatch:
drivers/gpu/drm/sun4i/sun4i_backend.c:496 sun4i_backend_atomic_check() error:
'plane_state' dereferencing possible ERR_PTR()
Fixes: 96180dde23b79 ("drm/sun4i: backend: Add a custom atomic_check for the frontend")
Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com>
Reviewed-by: Chen-Yu Tsai <wens@kernel.org>
Link: https://patch.msgid.link/20260217014801.60760-1-ethantidmore06@gmail.com
Signed-off-by: Chen-Yu Tsai <wens@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/sun4i/sun4i_backend.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/gpu/drm/sun4i/sun4i_backend.c b/drivers/gpu/drm/sun4i/sun4i_backend.c
index 38070fc261f3a..d4fd621e33158 100644
--- a/drivers/gpu/drm/sun4i/sun4i_backend.c
+++ b/drivers/gpu/drm/sun4i/sun4i_backend.c
@@ -488,6 +488,9 @@ static int sun4i_backend_atomic_check(struct sunxi_engine *engine,
drm_for_each_plane_mask(plane, drm, crtc_state->plane_mask) {
struct drm_plane_state *plane_state =
drm_atomic_get_plane_state(state, plane);
+ if (IS_ERR(plane_state))
+ return PTR_ERR(plane_state);
+
struct sun4i_layer_state *layer_state =
state_to_sun4i_layer_state(plane_state);
struct drm_framebuffer *fb = plane_state->fb;
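Review bot: The IS_ERR() check lands between two declarations, so struct sun4i_layer_state *layer_state and struct drm_framebuffer *fb are now declared after a statement, which the kernel build flags with -Wdeclaration-after-statement. Keep the check ahead of state_to_sun4i_layer_state(plane_state) and plane_state->fb as done here, but declare the two variables at the top of the block and assign them after the check.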
--
2.53.0
* [PATCH 6.1 493/969] ASoC: sti: Return errors from regmap_field_alloc()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (491 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 492/969] drm/sun4i: backend: fix error pointer dereference Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 494/969] ASoC: sti: use managed regmap_field allocations Greg Kroah-Hartman
` (482 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sander Vanheule, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sander Vanheule <sander@svanheule.net>
[ Upstream commit 272aabef50bc3fe58edd26de000f4cdd41bdbe60 ]
When regmap_field_alloc() fails, it can return an error. Specifically,
it will return PTR_ERR(-ENOMEM) when the allocation returns a NULL
pointer. The code then uses these allocations with a simple NULL check:
if (player->clk_sel) {
// May dereference invalid pointer (-ENOMEM)
err = regmap_field_write(player->clk_sel, ...);
}
Ensure initialization fails by forwarding the errors from
regmap_field_alloc(), thus avoiding the use of the invalid pointers.
Fixes: 76c2145ded6b ("ASoC: sti: Add CPU DAI driver for playback")
Signed-off-by: Sander Vanheule <sander@svanheule.net>
Link: https://patch.msgid.link/20260220152634.480766-2-sander@svanheule.net
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/sti/uniperif_player.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/sound/soc/sti/uniperif_player.c b/sound/soc/sti/uniperif_player.c
index dd9013c476649..e5c4e5245b255 100644
--- a/sound/soc/sti/uniperif_player.c
+++ b/sound/soc/sti/uniperif_player.c
@@ -1029,7 +1029,12 @@ static int uni_player_parse_dt_audio_glue(struct platform_device *pdev,
}
player->clk_sel = regmap_field_alloc(regmap, regfield[0]);
+ if (IS_ERR(player->clk_sel))
+ return PTR_ERR(player->clk_sel);
+
player->valid_sel = regmap_field_alloc(regmap, regfield[1]);
+ if (IS_ERR(player->valid_sel))
+ return PTR_ERR(player->valid_sel);
return 0;
}
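Review bot: When the second allocation fails, return PTR_ERR(player->valid_sel) leaves player->clk_sel allocated by regmap_field_alloc() with nothing freeing it. Either release it with regmap_field_free() on that path or use the devm_ variant for both fields. Also check the callers that test these fields with a plain if (player->clk_sel), as quoted in the changelog: they are safe only because init now fails first.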
--
2.53.0
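The failure mode behind this message and the sun4i one before it (an encoded error pointer that passes a NULL test), as an added user-space example that is not code from either patch. ERR_PTR(), PTR_ERR() and IS_ERR() below are simplified models of the kernel helpers written for this example; struct field, field_alloc(), init_fields() and the other names are hypothetical.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified user-space models of the kernel's error-pointer helpers. */
#define MAX_ERRNO 4095

static void *ERR_PTR(long error) { return (void *)(intptr_t)error; }
static long PTR_ERR(const void *ptr) { return (long)(intptr_t)ptr; }
static bool IS_ERR(const void *ptr)
{
    /* The top MAX_ERRNO addresses are reserved for encoded errno values. */
    return (uintptr_t)ptr >= (uintptr_t)-MAX_ERRNO;
}

struct field { int reg; }; /* hypothetical allocated object */

/* Hypothetical allocator: reports failure as ERR_PTR(-ENOMEM), never NULL. */
static struct field *field_alloc(int reg, bool simulate_failure)
{
    struct field *f = simulate_failure ? NULL : malloc(sizeof(*f));

    if (!f)
        return ERR_PTR(-ENOMEM);
    f->reg = reg;
    return f;
}

/* What a caller decides with a plain NULL test versus IS_ERR(). */
static bool usable_by_null_check(const struct field *f) { return f != NULL; }
static bool usable_by_is_err(const struct field *f) { return f && !IS_ERR(f); }

/* Init that forwards the error and releases the first field when the
 * second allocation fails. */
static int init_fields(struct field **clk, struct field **valid,
                       bool fail_second)
{
    *clk = field_alloc(0, false);
    if (IS_ERR(*clk))
        return (int)PTR_ERR(*clk);

    *valid = field_alloc(1, fail_second);
    if (IS_ERR(*valid)) {
        free(*clk);
        *clk = NULL;
        return (int)PTR_ERR(*valid);
    }
    return 0;
}

/* Runs init_fields() once and cleans up; returns its result code. */
static int init_result(bool fail_second)
{
    struct field *clk = NULL, *valid = NULL;
    int rc = init_fields(&clk, &valid, fail_second);

    if (rc == 0) {
        free(clk);
        free(valid);
    }
    return rc;
}

int main(void)
{
    struct field *f = field_alloc(0, true); /* constructed failure */

    printf("failed alloc: NULL test says usable=%d, IS_ERR test says usable=%d\n",
           usable_by_null_check(f), usable_by_is_err(f));
    printf("init with failing second alloc returns %d\n", init_result(true));
    return 0;
}
```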
* [PATCH 6.1 494/969] ASoC: sti: use managed regmap_field allocations
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (492 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 493/969] ASoC: sti: Return errors from regmap_field_alloc() Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 495/969] dm cache: fix null-deref with concurrent writes in passthrough mode Greg Kroah-Hartman
` (481 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sander Vanheule, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sander Vanheule <sander@svanheule.net>
[ Upstream commit 1696fad8b259a2d46e51cd6e17e4bcdbe02279fa ]
The regmap_field objects allocated at player init are never freed and
may leak resources if the driver is removed.
Switch to devm_regmap_field_alloc() to automatically limit the lifetime
of the allocations to the lifetime of the device.
Fixes: 76c2145ded6b ("ASoC: sti: Add CPU DAI driver for playback")
Signed-off-by: Sander Vanheule <sander@svanheule.net>
Link: https://patch.msgid.link/20260220152634.480766-3-sander@svanheule.net
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/sti/uniperif_player.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sound/soc/sti/uniperif_player.c b/sound/soc/sti/uniperif_player.c
index e5c4e5245b255..da07f825f3c5f 100644
--- a/sound/soc/sti/uniperif_player.c
+++ b/sound/soc/sti/uniperif_player.c
@@ -1028,11 +1028,11 @@ static int uni_player_parse_dt_audio_glue(struct platform_device *pdev,
return PTR_ERR(regmap);
}
- player->clk_sel = regmap_field_alloc(regmap, regfield[0]);
+ player->clk_sel = devm_regmap_field_alloc(&pdev->dev, regmap, regfield[0]);
if (IS_ERR(player->clk_sel))
return PTR_ERR(player->clk_sel);
- player->valid_sel = regmap_field_alloc(regmap, regfield[1]);
+ player->valid_sel = devm_regmap_field_alloc(&pdev->dev, regmap, regfield[1]);
if (IS_ERR(player->valid_sel))
return PTR_ERR(player->valid_sel);
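Review bot: devm_regmap_field_alloc(&pdev->dev, ...) ties both fields to the lifetime of the device, so uni_player_parse_dt_audio_glue() must run only from the probe path. If it can be reached again later for the same device, each call adds allocations that stay until the device is unbound. A short note in the changelog or a comment on the function would settle it.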
--
2.53.0
* [PATCH 6.1 495/969] dm cache: fix null-deref with concurrent writes in passthrough mode
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (493 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 494/969] ASoC: sti: use managed regmap_field allocations Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 496/969] dm cache: fix write path cache coherency " Greg Kroah-Hartman
` (480 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ming-Hung Tsai, Mikulas Patocka,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming-Hung Tsai <mtsai@redhat.com>
[ Upstream commit 7d1f98d668ee34c1d15bdc0420fdd062f24a27c0 ]
In passthrough mode, when dm-cache starts to invalidate a cache
entry and bio prison cell lock fails due to concurrent write to
the same cached block, mg->cell remains NULL. The error path in
invalidate_complete() attempts to unlock and free the cell
unconditionally, causing a NULL pointer dereference:
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 UID: 0 PID: 134 Comm: fio Not tainted 6.19.0-rc7 #3 PREEMPT
RIP: 0010:dm_cell_unlock_v2+0x3f/0x210
<snip>
Call Trace:
invalidate_complete+0xef/0x430
map_bio+0x130f/0x1a10
cache_map+0x320/0x6b0
__map_bio+0x458/0x510
dm_submit_bio+0x40e/0x16d0
__submit_bio+0x419/0x870
<snip>
Reproduce steps:
1. Create a cache device
dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 131072 linear /dev/sdc 8192"
dmsetup create corig --table "0 262144 linear /dev/sdc 262144"
dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
dmsetup create cache --table "0 262144 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
2. Promote the first data block into cache
fio --filename=/dev/mapper/cache --name=populate --rw=write --bs=4k \
--direct=1 --size=64k
3. Reload the cache into passthrough mode
dmsetup suspend cache
dmsetup reload cache --table "0 262144 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 passthrough smq 0"
dmsetup resume cache
4. Write to the first cached block concurrently
fio --filename=/dev/mapper/cache --name test --rw=randwrite --bs=4k \
--randrepeat=0 --direct=1 --numjobs=2 --size 64k
Fix by checking if mg->cell is valid before attempting to unlock it.
Fixes: b29d4986d0da ("dm cache: significant rework to leverage dm-bio-prison-v2")
Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-cache-target.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/md/dm-cache-target.c b/drivers/md/dm-cache-target.c
index 66608b42ee1ad..e0373522cb88c 100644
--- a/drivers/md/dm-cache-target.c
+++ b/drivers/md/dm-cache-target.c
@@ -1440,8 +1440,10 @@ static void invalidate_complete(struct dm_cache_migration *mg, bool success)
struct cache *cache = mg->cache;
bio_list_init(&bios);
- if (dm_cell_unlock_v2(cache->prison, mg->cell, &bios))
- free_prison_cell(cache, mg->cell);
+ if (mg->cell) {
+ if (dm_cell_unlock_v2(cache->prison, mg->cell, &bios))
+ free_prison_cell(cache, mg->cell);
+ }
if (!success && mg->overwrite_bio)
bio_io_error(mg->overwrite_bio);
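Review bot: The new if (mg->cell) guard has no comment saying when the cell can be NULL, and the changelog's explanation (the prison cell lock failed because of a concurrent write) is exactly what a reader needs at this line. The two nested ifs can also be one condition, if (mg->cell && dm_cell_unlock_v2(cache->prison, mg->cell, &bios)), which avoids the extra indentation.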
--
2.53.0
* [PATCH 6.1 496/969] dm cache: fix write path cache coherency in passthrough mode
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (494 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 495/969] dm cache: fix null-deref with concurrent writes in passthrough mode Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 497/969] dm cache: fix write hang " Greg Kroah-Hartman
` (479 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ming-Hung Tsai, Mikulas Patocka,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming-Hung Tsai <mtsai@redhat.com>
[ Upstream commit 0c5eef0aad508231d8e43ff8392692925e131b68 ]
In passthrough mode, dm-cache defers write bio submission until cache
invalidation completes to maintain existing coherency, requiring the
target map function to return DM_MAPIO_SUBMITTED. The current map_bio()
returns DM_MAPIO_REMAPPED, violating the required ordering constraint.
Reproduce steps:
1. Create a cache device
dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 131072 linear /dev/sdc 8192"
dmsetup create corig --table "0 262144 linear /dev/sdc 262144"
dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
dmsetup create cache --table "0 262144 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
2. Promote the first data block into the cache
fio --filename=/dev/mapper/cache --name=populate --rw=write --bs=4k \
--direct=1 --size=64k
3. Reload the cache into passthrough mode
dmsetup suspend cache
dmsetup reload cache --table "0 262144 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 passthrough smq 0"
dmsetup resume cache
4. Write to the first data block, and check io ordering using ftrace
echo 1 > /sys/kernel/debug/tracing/events/block/block_bio_queue/enable
echo 1 > /sys/kernel/debug/tracing/events/block/block_bio_complete/enable
echo 1 > /sys/kernel/debug/tracing/events/block/block_rq_complete/enable
fio --filename=/dev/mapper/cache --name=test --rw=write --bs=64k \
--direct=1 --size 64k
5. ftrace logs show that write operations to the cache origin (252:2)
and metadata operations (252:0) are unsynchronized: the origin write
occurs before metadata commit.
<snip>
fio-146 [000] ..... 420.139562: block_bio_queue: 252,3 WS 0 + 128 [fio]
fio-146 [000] ..... 420.149395: block_bio_queue: 252,2 WS 0 + 128 [fio]
fio-146 [000] ..... 420.149763: block_bio_queue: 8,32 WS 262144 + 128 [fio]
fio-146 [000] dNh1. 420.151446: block_rq_complete: 8,32 WS () 262144 + 128 be,0,4 [0]
fio-146 [000] dNh1. 420.152731: block_bio_complete: 252,2 WS 0 + 128 [0]
fio-146 [000] dNh1. 420.154229: block_bio_complete: 252,3 WS 0 + 128 [0]
kworker/0:0-9 [000] ..... 420.160530: block_bio_queue: 252,0 W 408 + 8 [kworker/0:0]
kworker/0:0-9 [000] ..... 420.161641: block_bio_queue: 8,32 W 408 + 8 [kworker/0:0]
kworker/0:0-9 [000] ..... 420.162533: block_bio_queue: 252,0 W 416 + 8 [kworker/0:0]
kworker/0:0-9 [000] ..... 420.162821: block_bio_queue: 8,32 W 416 + 8 [kworker/0:0]
<snip>
Fixes: b29d4986d0da ("dm cache: significant rework to leverage dm-bio-prison-v2")
Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-cache-target.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/md/dm-cache-target.c b/drivers/md/dm-cache-target.c
index e0373522cb88c..e2e234c3649a0 100644
--- a/drivers/md/dm-cache-target.c
+++ b/drivers/md/dm-cache-target.c
@@ -1676,6 +1676,7 @@ static int map_bio(struct cache *cache, struct bio *bio, dm_oblock_t block,
bio_drop_shared_lock(cache, bio);
atomic_inc(&cache->stats.demotion);
invalidate_start(cache, cblock, block, bio);
+ return DM_MAPIO_SUBMITTED;
} else
remap_to_origin_clear_discard(cache, bio, block);
} else {
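Review bot: return DM_MAPIO_SUBMITTED leaves map_bio() from inside the nested if/else, so whatever the function does after this chain no longer runs for a write that triggers invalidation. Please confirm nothing below is needed for this bio, and add a comment that ownership of the bio has passed to invalidate_start(), which is why the caller must not remap or submit it.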
--
2.53.0
* [PATCH 6.1 497/969] dm cache: fix write hang in passthrough mode
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (495 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 496/969] dm cache: fix write path cache coherency " Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 498/969] dm cache policy smq: fix missing locks in invalidating cache blocks Greg Kroah-Hartman
` (478 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ming-Hung Tsai, Mikulas Patocka,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming-Hung Tsai <mtsai@redhat.com>
[ Upstream commit 4ca8b8bd952df7c3ccdc68af9bd3419d0839a04b ]
The invalidate_remove() function has incomplete logic for handling write
hit bios after cache invalidation. It sets up the remapping for the
overwrite_bio but then drops it immediately without submission, causing
write operations to hang.
Fix by adding a new invalidate_committed() continuation that submits
the remapped writes to the cache origin after metadata commit completes,
while using the overwrite_endio hook to ensure proper completion
sequencing. This maintains existing coherency. Also improve error
handling in invalidate_complete() to preserve the original error status
instead of using bio_io_error() unconditionally.
Fixes: b29d4986d0da ("dm cache: significant rework to leverage dm-bio-prison-v2")
Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-cache-target.c | 30 +++++++++++++++++++++++++-----
1 file changed, 25 insertions(+), 5 deletions(-)
diff --git a/drivers/md/dm-cache-target.c b/drivers/md/dm-cache-target.c
index e2e234c3649a0..f7da6f853ec33 100644
--- a/drivers/md/dm-cache-target.c
+++ b/drivers/md/dm-cache-target.c
@@ -1445,8 +1445,14 @@ static void invalidate_complete(struct dm_cache_migration *mg, bool success)
free_prison_cell(cache, mg->cell);
}
- if (!success && mg->overwrite_bio)
- bio_io_error(mg->overwrite_bio);
+ if (mg->overwrite_bio) {
+ // Set generic error if the bio hasn't been issued yet,
+ // e.g., invalidation or metadata commit failed before bio
+ // submission. Otherwise preserve the bio's own error status.
+ if (!success && !mg->overwrite_bio->bi_status)
+ mg->overwrite_bio->bi_status = BLK_STS_IOERR;
+ bio_endio(mg->overwrite_bio);
+ }
free_migration(mg);
defer_bios(cache, &bios);
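Review bot: invalidate_complete() now calls bio_endio(mg->overwrite_bio) on the success path as well, where before it touched the bio only on failure. That is correct only if every path that reaches here with overwrite_bio set has not already completed the bio; otherwise it is completed twice. Style: the three // lines should be a /* */ block comment to match kernel convention.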
@@ -1483,6 +1489,22 @@ static int invalidate_cblock(struct cache *cache, dm_cblock_t cblock)
return r;
}
+static void invalidate_committed(struct work_struct *ws)
+{
+ struct dm_cache_migration *mg = ws_to_mg(ws);
+ struct cache *cache = mg->cache;
+ struct bio *bio = mg->overwrite_bio;
+ struct per_bio_data *pb = get_per_bio_data(bio);
+
+ if (mg->k.input)
+ invalidate_complete(mg, false);
+
+ init_continuation(&mg->k, invalidate_completed);
+ remap_to_origin_clear_discard(cache, bio, mg->invalidate_oblock);
+ dm_hook_bio(&pb->hook_info, bio, overwrite_endio, mg);
+ dm_submit_bio_remap(bio, NULL);
+}
+
static void invalidate_remove(struct work_struct *ws)
{
int r;
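Review bot: in invalidate_committed(), the "if (mg->k.input)" branch calls invalidate_complete(mg, false) and then falls through, with no return visible in the hunk. invalidate_complete() ends the overwrite bio and calls free_migration(mg), so the init_continuation(&mg->k, ...), dm_hook_bio() and dm_submit_bio_remap(bio, NULL) calls that follow would touch a freed migration and an already completed bio. Put the branch in braces and return after invalidate_complete(). Separately, get_per_bio_data(bio) is evaluated in the declarations, so the function depends on mg->overwrite_bio being non-NULL for every migration routed here; say so in a comment or check it.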
@@ -1495,10 +1517,8 @@ static void invalidate_remove(struct work_struct *ws)
return;
}
- init_continuation(&mg->k, invalidate_completed);
+ init_continuation(&mg->k, invalidate_committed);
continue_after_commit(&cache->committer, &mg->k);
- remap_to_origin_clear_discard(cache, mg->overwrite_bio, mg->invalidate_oblock);
- mg->overwrite_bio = NULL;
schedule_commit(&cache->committer);
}
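Review bot: with "mg->overwrite_bio = NULL" removed from invalidate_remove(), the bio stays attached to the migration across schedule_commit(), so the early return at the top of this hunk and a failed commit both rely on invalidate_complete() to end it. A short comment here noting that the remap and submission moved to invalidate_committed() would make that hand-off clear to the next reader.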
--
2.53.0
* [PATCH 6.1 498/969] dm cache policy smq: fix missing locks in invalidating cache blocks
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ming-Hung Tsai, Mikulas Patocka,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming-Hung Tsai <mtsai@redhat.com>
[ Upstream commit 2d1f7b65f5deedd2e6b09fdc6ea27f8375f24b45 ]
In passthrough mode, the policy invalidate_mapping operation is called
simultaneously from multiple workers, thus it should be protected by a
lock. Otherwise, we might end up with data races on the allocated blocks
counter, or even use-after-free issues with internal data structures
when doing concurrent writes.
Note that the existing FIXME in smq_invalidate_mapping() doesn't affect
passthrough mode since migration tasks don't exist there, but would need
attention if supporting fast device shrinking via suspend/resume without
target reloading.
Reproduce steps:
1. Create a cache device consisting of 1024 cache entries
dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 131072 linear /dev/sdc 8192"
dmsetup create corig --table "0 262144 linear /dev/sdc 262144"
dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
dmsetup create cache --table "0 262144 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
2. Populate the cache, and record the number of cached blocks
fio --name=populate --filename=/dev/mapper/cache --rw=randwrite --bs=4k \
--size=64m --direct=1
nr_cached=$(dmsetup status cache | awk '{split($7, a, "/"); print a[1]}')
3. Reload the cache into passthrough mode
dmsetup suspend cache
dmsetup reload cache --table "0 262144 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 passthrough smq 0"
dmsetup resume cache
4. Write to the passthrough cache. By setting multiple jobs with I/O
size equal to the cache block size, cache blocks are invalidated
concurrently from different workers.
fio --filename=/dev/mapper/cache --name=test --rw=randwrite --bs=64k \
--direct=1 --numjobs=2 --randrepeat=0 --size=64m
5. Check if demoted matches cached block count. These numbers should
match but may differ due to the data race.
nr_demoted=$(dmsetup status cache | awk '{print $12}')
echo "$nr_cached, $nr_demoted"
Fixes: b29d4986d0da ("dm cache: significant rework to leverage dm-bio-prison-v2")
Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-cache-policy-smq.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/md/dm-cache-policy-smq.c b/drivers/md/dm-cache-policy-smq.c
index c983cf240632e..d4c2bc5c0ef45 100644
--- a/drivers/md/dm-cache-policy-smq.c
+++ b/drivers/md/dm-cache-policy-smq.c
@@ -1587,14 +1587,18 @@ static int smq_invalidate_mapping(struct dm_cache_policy *p, dm_cblock_t cblock)
{
struct smq_policy *mq = to_smq_policy(p);
struct entry *e = get_entry(&mq->cache_alloc, from_cblock(cblock));
+ unsigned long flags;
if (!e->allocated)
return -ENODATA;
+ spin_lock_irqsave(&mq->lock, flags);
// FIXME: what if this block has pending background work?
del_queue(mq, e);
h_remove(&mq->table, e);
free_entry(&mq->cache_alloc, e);
+ spin_unlock_irqrestore(&mq->lock, flags);
+
return 0;
}
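Review bot: the "if (!e->allocated) return -ENODATA;" test in smq_invalidate_mapping() still runs before spin_lock_irqsave(&mq->lock, flags), so two workers invalidating the same cblock can both pass it and both reach del_queue(), h_remove() and free_entry(). Take the lock first and do the allocated check under it, unlocking on the -ENODATA path.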
--
2.53.0
* [PATCH 6.1 499/969] dm cache: fix concurrent write failure in passthrough mode
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ming-Hung Tsai, Mikulas Patocka,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming-Hung Tsai <mtsai@redhat.com>
[ Upstream commit e4f66341779d0cf4c83c74793753a84094286d9e ]
When bio prison cell lock acquisition fails due to concurrent writes to
the same block in passthrough mode, dm-cache incorrectly returns an I/O
error instead of properly handling the concurrency. This can occur in
both process and workqueue contexts when invalidate_lock() is called for
exclusive access to a data block. Fix this by deferring the write bios
to ensure proper block device behavior.
Reproduce steps:
1. Create a cache device
dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 131072 linear /dev/sdc 8192"
dmsetup create corig --table "0 262144 linear /dev/sdc 262144"
dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
dmsetup create cache --table "0 262144 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
2. Promote the first data block into cache
fio --filename=/dev/mapper/cache --name=populate --rw=write --bs=4k \
--direct=1 --size=64k
3. Reload the cache into passthrough mode
dmsetup suspend cache
dmsetup reload cache --table "0 262144 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 passthrough smq 0"
dmsetup resume cache
4. Write to the first cached block concurrently. Sometimes one of the
processes will receive I/O errors.
fio --filename=/dev/mapper/cache --name test --rw=randwrite --bs=4k \
--randrepeat=0 --direct=1 --numjobs=2 --size 64k
<snip>
fio-3.41
fio: io_u error on file /dev/mapper/cache: Input/output error: write offset=4096, buflen=4096
fio: pid=106, err=5/file:io_u.c:2008, func=io_u error, error=Input/output error
test: (groupid=0, jobs=1): err= 0: pid=105
test: (groupid=0, jobs=1): err= 5 (file:io_u.c:2008, func=io_u error, error=Input/output error): pid=106
<snip>
Fixes: b29d4986d0da ("dm cache: significant rework to leverage dm-bio-prison-v2")
Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-cache-target.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/md/dm-cache-target.c b/drivers/md/dm-cache-target.c
index f7da6f853ec33..c57df4d91c9b2 100644
--- a/drivers/md/dm-cache-target.c
+++ b/drivers/md/dm-cache-target.c
@@ -1536,6 +1536,15 @@ static int invalidate_lock(struct dm_cache_migration *mg)
READ_WRITE_LOCK_LEVEL, prealloc, &mg->cell);
if (r < 0) {
free_prison_cell(cache, prealloc);
+
+ /* Defer the bio for retrying the cell lock */
+ if (mg->overwrite_bio) {
+ struct bio *bio = mg->overwrite_bio;
+
+ mg->overwrite_bio = NULL;
+ defer_bio(cache, bio);
+ }
+
invalidate_complete(mg, false);
return r;
}
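Review bot: after defer_bio(cache, bio) the function still returns the negative r from the failed cell lock, so callers of invalidate_lock() must not treat that return value as a reason to fail or end the bio themselves; the hunk does not state that contract. The comment says the bio is deferred for retrying the cell lock, but nothing visible bounds how often a contended block is retried. A note on what guarantees forward progress would help.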
--
2.53.0
* [PATCH 6.1 500/969] dm cache: support shrinking the origin device
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ming-Hung Tsai, Mikulas Patocka,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming-Hung Tsai <mtsai@redhat.com>
[ Upstream commit c2662b1544cbd8ea3181381bb899b8e681dfedc7 ]
This patch introduces formal support for shrinking the cache origin by
reducing the cache target length via table reloads. Cache blocks mapped
beyond the new target length must be clean and are invalidated during
preresume. If any dirty blocks exist in the area being removed, the
preresume operation fails without setting the NEEDS_CHECK flag in
superblock, and the resume ioctl returns EFBIG. The cache device remains
suspended until a table reload with target length that fits existing
mappings is performed.
Without this patch, reducing the cache target length could result in
io errors (RHBZ: 2134334), out-of-bounds memory access to the discard
bitset, and security concerns regarding data leakage.
Verification steps:
1. create a cache metadata with some cached blocks mapped to the tail
of the origin device. Here we use cache_restore v1.0 to build a
metadata with one clean block mapped to the last origin block.
cat <<EOF >> cmeta.xml
<superblock uuid="" block_size="128" nr_cache_blocks="512" \
policy="smq" hint_width="4">
<mappings>
<mapping cache_block="0" origin_block="4095" dirty="false"/>
</mappings>
</superblock>
EOF
dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
cache_restore -i cmeta.xml -o /dev/mapper/cmeta --metadata-version=2
dmsetup remove cmeta
2. bring up the cache whilst shrinking the cache origin by one block:
dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 65536 linear /dev/sdc 8192"
dmsetup create corig --table "0 524160 linear /dev/sdc 262144"
dmsetup create cache --table "0 524160 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
3. check the number of cached data blocks via dmsetup status. It is
expected to be zero.
dmsetup status cache | cut -d ' ' -f 7
In addition to the script above, this patch can be verified using the
"cache/resize" tests in dmtest-python:
./dmtest run --rx cache/resize/shrink_origin --result-set default
Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Stable-dep-of: 322586745bd1 ("dm cache: fix dirty mapping checking in passthrough mode switching")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-cache-target.c | 72 ++++++++++++++++++++++++++++++++++--
1 file changed, 69 insertions(+), 3 deletions(-)
diff --git a/drivers/md/dm-cache-target.c b/drivers/md/dm-cache-target.c
index c57df4d91c9b2..cbc519f4895e1 100644
--- a/drivers/md/dm-cache-target.c
+++ b/drivers/md/dm-cache-target.c
@@ -405,6 +405,12 @@ struct cache {
mempool_t migration_pool;
struct bio_set bs;
+
+ /*
+ * Cache_size entries. Set bits indicate blocks mapped beyond the
+ * target length, which are marked for invalidation.
+ */
+ unsigned long *invalid_bitset;
};
struct per_bio_data {
@@ -1930,6 +1936,9 @@ static void __destroy(struct cache *cache)
if (cache->discard_bitset)
free_bitset(cache->discard_bitset);
+ if (cache->invalid_bitset)
+ free_bitset(cache->invalid_bitset);
+
if (cache->copier)
dm_kcopyd_client_destroy(cache->copier);
@@ -2518,6 +2527,13 @@ static int cache_create(struct cache_args *ca, struct cache **result)
}
clear_bitset(cache->discard_bitset, from_dblock(cache->discard_nr_blocks));
+ cache->invalid_bitset = alloc_bitset(from_cblock(cache->cache_size));
+ if (!cache->invalid_bitset) {
+ *error = "could not allocate bitset for invalid blocks";
+ goto bad;
+ }
+ clear_bitset(cache->invalid_bitset, from_cblock(cache->cache_size));
+
cache->copier = dm_kcopyd_client_create(&dm_kcopyd_throttle);
if (IS_ERR(cache->copier)) {
*error = "could not create kcopyd client";
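Review bot: invalid_bitset is allocated once in cache_create() for from_cblock(cache->cache_size) bits, yet the cache_preresume() hunk clears it with the cache_size current at resume time, and its comment says the fast device may have been resized in between. If cache_size can grow after creation, clear_bitset() and set_bit() would run past this allocation. Either reallocate the bitset on resize or state in a comment why the size cannot change between the two points.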
@@ -2816,6 +2832,24 @@ static int load_mapping(void *context, dm_oblock_t oblock, dm_cblock_t cblock,
return policy_load_mapping(cache->policy, oblock, cblock, dirty, hint, hint_valid);
}
+static int load_filtered_mapping(void *context, dm_oblock_t oblock, dm_cblock_t cblock,
+ bool dirty, uint32_t hint, bool hint_valid)
+{
+ struct cache *cache = context;
+
+ if (from_oblock(oblock) >= from_oblock(cache->origin_blocks)) {
+ if (dirty) {
+ DMERR("%s: unable to shrink origin; cache block %u is dirty",
+ cache_device_name(cache), from_cblock(cblock));
+ return -EFBIG;
+ }
+ set_bit(from_cblock(cblock), cache->invalid_bitset);
+ return 0;
+ }
+
+ return load_mapping(context, oblock, cblock, dirty, hint, hint_valid);
+}
+
/*
* The discard block size in the on disk metadata is not
* necessarily the same as we're currently using. So we have to
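Review bot: load_filtered_mapping() returns -EFBIG on the first dirty out-of-range block, after earlier callbacks may already have set bits in invalid_bitset and loaded in-range mappings into the policy. The bitset is cleared on the next preresume, but nothing in this hunk shows the policy being reset before mappings are loaded again; please confirm that a retry after a fitting table reload cannot load the same mapping twice. The DMERR would also be more useful with the origin block number next to the cache block.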
@@ -2970,6 +3004,24 @@ static int resize_cache_dev(struct cache *cache, dm_cblock_t new_size)
return 0;
}
+static int truncate_oblocks(struct cache *cache)
+{
+ uint32_t nr_blocks = from_cblock(cache->cache_size);
+ uint32_t i;
+ int r;
+
+ for_each_set_bit(i, cache->invalid_bitset, nr_blocks) {
+ r = dm_cache_remove_mapping(cache->cmd, to_cblock(i));
+ if (r) {
+ DMERR_LIMIT("%s: invalidation failed; couldn't update on disk metadata",
+ cache_device_name(cache));
+ return r;
+ }
+ }
+
+ return 0;
+}
+
static int cache_preresume(struct dm_target *ti)
{
int r = 0;
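Review bot: truncate_oblocks() stops at the first dm_cache_remove_mapping() failure, which leaves the on-disk metadata with some out-of-range mappings removed and others still present, and the DMERR_LIMIT message does not say which cache block failed. Print i in the message and document whether a partial truncation is safe to retry.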
@@ -2994,11 +3046,25 @@ static int cache_preresume(struct dm_target *ti)
}
if (!cache->loaded_mappings) {
+ /*
+ * The fast device could have been resized since the last
+ * failed preresume attempt. To be safe we start by a blank
+ * bitset for cache blocks.
+ */
+ clear_bitset(cache->invalid_bitset, from_cblock(cache->cache_size));
+
r = dm_cache_load_mappings(cache->cmd, cache->policy,
- load_mapping, cache);
+ load_filtered_mapping, cache);
if (r) {
DMERR("%s: could not load cache mappings", cache_device_name(cache));
- metadata_operation_failed(cache, "dm_cache_load_mappings", r);
+ if (r != -EFBIG)
+ metadata_operation_failed(cache, "dm_cache_load_mappings", r);
+ return r;
+ }
+
+ r = truncate_oblocks(cache);
+ if (r) {
+ metadata_operation_failed(cache, "dm_cache_remove_mapping", r);
return r;
}
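Review bot: the "if (r != -EFBIG)" special case in cache_preresume() skips metadata_operation_failed() without a comment explaining why this errno is exempt, and the log line stays the generic "could not load cache mappings". Add a comment that -EFBIG means dirty blocks beyond the new origin size, which per the changelog must leave NEEDS_CHECK unset and the device suspended.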
@@ -3464,7 +3530,7 @@ static void cache_io_hints(struct dm_target *ti, struct queue_limits *limits)
static struct target_type cache_target = {
.name = "cache",
- .version = {2, 2, 0},
+ .version = {2, 3, 0},
.module = THIS_MODULE,
.ctr = cache_ctr,
.dtr = cache_dtr,
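Review bot: the ".version = {2, 3, 0}" bump changes the target version reported to userspace in a stable tree, where this patch is carried as a Stable-dep-of dependency. Userspace that keys behaviour on the cache target version will see 2.3.0 on 6.1.y; please confirm that is intended for the backport.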
--
2.53.0
* [PATCH 6.1 501/969] dm cache: fix dirty mapping checking in passthrough mode switching
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ming-Hung Tsai, Mikulas Patocka,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming-Hung Tsai <mtsai@redhat.com>
[ Upstream commit 322586745bd1a0e5f3559fd1635fdeb4dbd1d6b8 ]
As mentioned in commit 9b1cc9f251af ("dm cache: share cache-metadata
object across inactive and active DM tables"), dm-cache assumed table
reload occurs after suspension, while LVM's table preload breaks this
assumption. The dirty mapping check for passthrough mode was designed
around this assumption and is performed during table creation, causing
the check to fail with preload while metadata updates are ongoing. This
risks loading dirty mappings into passthrough mode, resulting in data
loss.
Reproduce steps:
1. Create a writeback cache with zero migration_threshold to produce
dirty mappings
dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 131072 linear /dev/sdc 8192"
dmsetup create corig --table "0 262144 linear /dev/sdc 262144"
dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
dmsetup create cache --table "0 262144 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writeback smq \
2 migration_threshold 0"
2. Preload a table in passthrough mode
dmsetup reload cache --table "0 262144 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 passthrough smq 0"
3. Write to the first cache block to make it dirty
fio --filename=/dev/mapper/cache --name=populate --rw=write --bs=4k \
--direct=1 --size=64k
4. Resume the inactive table. Now it's possible to load the dirty block
into passthrough mode.
dmsetup resume cache
Fix by moving the checks to the preresume phase to support table
preloading. Also remove the unused function dm_cache_metadata_all_clean.
Fixes: 2ee57d587357 ("dm cache: add passthrough mode")
Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-cache-metadata.c | 11 -----------
drivers/md/dm-cache-metadata.h | 5 -----
drivers/md/dm-cache-target.c | 25 ++++++++-----------------
3 files changed, 8 insertions(+), 33 deletions(-)
diff --git a/drivers/md/dm-cache-metadata.c b/drivers/md/dm-cache-metadata.c
index f5b4c996dc05f..e921327caa369 100644
--- a/drivers/md/dm-cache-metadata.c
+++ b/drivers/md/dm-cache-metadata.c
@@ -1748,17 +1748,6 @@ int dm_cache_write_hints(struct dm_cache_metadata *cmd, struct dm_cache_policy *
return r;
}
-int dm_cache_metadata_all_clean(struct dm_cache_metadata *cmd, bool *result)
-{
- int r;
-
- READ_LOCK(cmd);
- r = blocks_are_unmapped_or_clean(cmd, 0, cmd->cache_blocks, result);
- READ_UNLOCK(cmd);
-
- return r;
-}
-
void dm_cache_metadata_set_read_only(struct dm_cache_metadata *cmd)
{
WRITE_LOCK_VOID(cmd);
diff --git a/drivers/md/dm-cache-metadata.h b/drivers/md/dm-cache-metadata.h
index b40322bc44cf7..9c970fb8e5717 100644
--- a/drivers/md/dm-cache-metadata.h
+++ b/drivers/md/dm-cache-metadata.h
@@ -137,11 +137,6 @@ void dm_cache_dump(struct dm_cache_metadata *cmd);
*/
int dm_cache_write_hints(struct dm_cache_metadata *cmd, struct dm_cache_policy *p);
-/*
- * Query method. Are all the blocks in the cache clean?
- */
-int dm_cache_metadata_all_clean(struct dm_cache_metadata *cmd, bool *result);
-
int dm_cache_metadata_needs_check(struct dm_cache_metadata *cmd, bool *result);
int dm_cache_metadata_set_needs_check(struct dm_cache_metadata *cmd);
void dm_cache_metadata_set_read_only(struct dm_cache_metadata *cmd);
diff --git a/drivers/md/dm-cache-target.c b/drivers/md/dm-cache-target.c
index cbc519f4895e1..cd48cefe0409a 100644
--- a/drivers/md/dm-cache-target.c
+++ b/drivers/md/dm-cache-target.c
@@ -2482,23 +2482,8 @@ static int cache_create(struct cache_args *ca, struct cache **result)
goto bad;
}
- if (passthrough_mode(cache)) {
- bool all_clean;
-
- r = dm_cache_metadata_all_clean(cache->cmd, &all_clean);
- if (r) {
- *error = "dm_cache_metadata_all_clean() failed";
- goto bad;
- }
-
- if (!all_clean) {
- *error = "Cannot enter passthrough mode unless all blocks are clean";
- r = -EINVAL;
- goto bad;
- }
-
+ if (passthrough_mode(cache))
policy_allow_migrations(cache->policy, false);
- }
spin_lock_init(&cache->lock);
bio_list_init(&cache->deferred_bios);
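Review bot: removing the all-clean check from cache_create() means a passthrough table with dirty blocks now loads successfully and only fails at resume, with -EBUSY instead of the previous -EINVAL and error string at table creation. That is a user-visible change for anything that relied on the load-time failure and deserves a line in the dm-cache documentation.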
@@ -2824,6 +2809,12 @@ static int load_mapping(void *context, dm_oblock_t oblock, dm_cblock_t cblock,
struct cache *cache = context;
if (dirty) {
+ if (passthrough_mode(cache)) {
+ DMERR("%s: cannot enter passthrough mode unless all blocks are clean",
+ cache_device_name(cache));
+ return -EBUSY;
+ }
+
set_bit(from_cblock(cblock), cache->dirty_bitset);
atomic_inc(&cache->nr_dirty);
} else
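Review bot: the new DMERR in load_mapping() does not name the dirty block, unlike the -EFBIG message in load_filtered_mapping(), which prints from_cblock(cblock). Add the cache block number here too so the administrator can tell which mapping blocks the switch to passthrough mode.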
@@ -3057,7 +3048,7 @@ static int cache_preresume(struct dm_target *ti)
load_filtered_mapping, cache);
if (r) {
DMERR("%s: could not load cache mappings", cache_device_name(cache));
- if (r != -EFBIG)
+ if (r != -EFBIG && r != -EBUSY)
metadata_operation_failed(cache, "dm_cache_load_mappings", r);
return r;
}
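Review bot: "if (r != -EFBIG && r != -EBUSY)" grows an uncommented list of errnos that bypass metadata_operation_failed(). If dm_cache_load_mappings() can return -EBUSY for any reason other than the passthrough dirty-block check, that failure would now be silently treated as benign. A comment naming the one source of each exempt errno, or a small helper, would keep the list from drifting.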
--
2.53.0
* [PATCH 6.1 502/969] dm cache metadata: fix memory leak on metadata abort retry
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ming-Hung Tsai, Mikulas Patocka,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming-Hung Tsai <mtsai@redhat.com>
[ Upstream commit 044ca491d4086dc5bf233e9fcb71db52df32f633 ]
When failing to acquire the root_lock in dm_cache_metadata_abort because
the block_manager is read-only, the temporary block_manager created
outside the root_lock is not properly released, causing a memory leak.
Reproduce steps:
This can be reproduced by reloading a new table while the metadata
is read-only. While the second call to dm_cache_metadata_abort is
caused by lack of support for table preload in dm-cache, mentioned
in commit 9b1cc9f251af ("dm cache: share cache-metadata object across
inactive and active DM tables"), it exposes the memory leak in
dm_cache_metadata_abort when the function is called multiple times.
Specifically, dm-cache fails to sync the new cache object's mode during
preresume, creating the reproducer condition.
This issue could also occur through concurrent metadata_operation_failed
calls due to races in cache mode updates, but the table preload scenario
below provides a reliable reproducer.
1. Create a cache device with some faulty trailing metadata blocks
dmsetup create cmeta <<EOF
0 200 linear /dev/sdc 0
200 7992 error
EOF
dmsetup create cdata --table "0 131072 linear /dev/sdc 8192"
dmsetup create corig --table "0 262144 linear /dev/sdc 262144"
dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
dmsetup create cache --table "0 131072 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 1 writethrough smq 0"
2. Suspend and resume the cache to start a new metadata transaction and
trigger metadata io errors on the next metadata commit.
dmsetup suspend cache
dmsetup resume cache
3. Write to the cache device to update metadata
fio --filename=/dev/mapper/cache --name test --rw=randwrite --bs=4k \
--randrepeat=0 --direct=1 --size 64k
4. Preload the same table
dmsetup reload cache --table "$(dmsetup table cache)"
5. Resume the new table. This triggers the memory leak.
dmsetup suspend cache
dmsetup resume cache
kmemleak logs:
<snip>
unreferenced object 0xffff8880080c2010 (size 16):
comm "dmsetup", pid 132, jiffies 4294982580
hex dump (first 16 bytes):
00 38 b9 07 80 88 ff ff 6a 6b 6b 6b 6b 6b 6b a5 ...
backtrace (crc 3118f31c):
kmemleak_alloc+0x28/0x40
__kmalloc_cache_noprof+0x3d9/0x510
dm_block_manager_create+0x51/0x140
dm_cache_metadata_abort+0x85/0x320
metadata_operation_failed+0x103/0x1e0
cache_preresume+0xacd/0xe70
dm_table_resume_targets+0xd3/0x320
__dm_resume+0x1b/0xf0
dm_resume+0x127/0x170
<snip>
Fixes: 352b837a5541 ("dm cache: Fix ABBA deadlock between shrink_slab and dm_cache_metadata_abort")
Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-cache-metadata.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/drivers/md/dm-cache-metadata.c b/drivers/md/dm-cache-metadata.c
index e921327caa369..9c112ab72cbaa 100644
--- a/drivers/md/dm-cache-metadata.c
+++ b/drivers/md/dm-cache-metadata.c
@@ -1017,6 +1017,12 @@ static bool cmd_write_lock(struct dm_cache_metadata *cmd)
return; \
} while(0)
+#define WRITE_LOCK_OR_GOTO(cmd, label) \
+ do { \
+ if (!cmd_write_lock((cmd))) \
+ goto label; \
+ } while (0)
+
#define WRITE_UNLOCK(cmd) \
up_write(&(cmd)->root_lock)
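Review bot: WRITE_LOCK_OR_GOTO() hides a goto inside a macro, which makes the lock-free exit easy to miss when reading the caller. Add a comment above the macro stating that the jump is taken without root_lock held, so that nobody later adds a WRITE_UNLOCK() at the target label.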
@@ -1814,11 +1820,8 @@ int dm_cache_metadata_abort(struct dm_cache_metadata *cmd)
new_bm = dm_block_manager_create(cmd->bdev, DM_CACHE_METADATA_BLOCK_SIZE << SECTOR_SHIFT,
CACHE_MAX_CONCURRENT_LOCKS);
- WRITE_LOCK(cmd);
- if (cmd->fail_io) {
- WRITE_UNLOCK(cmd);
- goto out;
- }
+ /* cmd_write_lock() already checks fail_io with cmd->root_lock held */
+ WRITE_LOCK_OR_GOTO(cmd, out);
__destroy_persistent_data_objects(cmd, false);
old_bm = cmd->bm;
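Review bot: WRITE_LOCK_OR_GOTO(cmd, out) replaces the explicit fail_io test, but the out label is outside this hunk, so the leak fix only holds if that label releases new_bm. In the visible lines new_bm from dm_block_manager_create() is also not checked before the lock attempt; please confirm the cleanup at out copes with an error pointer.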
--
2.53.0
* [PATCH 6.1 503/969] dm log: fix out-of-bounds write due to region_count overflow
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo,
Mikulas Patocka, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
[ Upstream commit c20e36b7631d83e7535877f08af8b0af72c44b1a ]
The local variable region_count in create_log_context() is declared as
unsigned int (32-bit), but dm_sector_div_up() returns sector_t (64-bit).
When a device-mapper target has a sufficiently large ti->len with a small
region_size, the division result can exceed UINT_MAX. The truncated
value is then used to calculate bitset_size, causing clean_bits,
sync_bits, and recovering_bits to be allocated far smaller than needed
for the actual number of regions.
Subsequent log operations (log_set_bit, log_clear_bit, log_test_bit) use
region indices derived from the full untruncated region space, causing
out-of-bounds writes to kernel heap memory allocated by vmalloc.
This can be reproduced by creating a mirror target whose region_count
overflows 32 bits:
dmsetup create bigzero --table '0 8589934594 zero'
dmsetup create mymirror --table '0 8589934594 mirror \
core 2 2 nosync 2 /dev/mapper/bigzero 0 \
/dev/mapper/bigzero 0'
The status output confirms the truncation (sync_count=1 instead of
4294967297, because 0x100000001 was truncated to 1):
$ dmsetup status mymirror
0 8589934594 mirror 2 254:1 254:1 1/4294967297 ...
This leads to a kernel crash in core_in_sync:
BUG: scheduling while atomic: (udev-worker)/9150/0x00000000
RIP: 0010:core_in_sync+0x14/0x30 [dm_log]
CR2: 0000000000000008
Fixing recursive fault but reboot is needed!
Fix by widening the local region_count to sector_t and adding an
explicit overflow check before the value is assigned to lc->region_count.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-log.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/md/dm-log.c b/drivers/md/dm-log.c
index da77878cb2c02..32a3cb131e578 100644
--- a/drivers/md/dm-log.c
+++ b/drivers/md/dm-log.c
@@ -366,7 +366,7 @@ static int create_log_context(struct dm_dirty_log *log, struct dm_target *ti,
struct log_c *lc;
uint32_t region_size;
- unsigned int region_count;
+ sector_t region_count;
size_t bitset_size, buf_size;
int r;
char dummy;
@@ -394,6 +394,10 @@ static int create_log_context(struct dm_dirty_log *log, struct dm_target *ti,
}
region_count = dm_sector_div_up(ti->len, region_size);
+ if (region_count > UINT_MAX) {
+ DMWARN("region count exceeds limit of %u", UINT_MAX);
+ return -EINVAL;
+ }
lc = kmalloc(sizeof(*lc), GFP_KERNEL);
if (!lc) {
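Review bot: the DMWARN in the new overflow check reports only the limit, not the computed region_count or the ti->len and region_size that produced it, so the log does not show how far over the table is. Print the offending value as well, cast to unsigned long long. The check sits before kmalloc(), so returning directly without cleanup is correct.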
--
2.53.0
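The truncation described in the commit message above, as an added user-space example (not code from the patch or the kernel). It uses the table length 8589934594 and region size 2 from the reproducer; the function names, the sector64_t typedef and the round-up-to-64-bit-words sizing rule are assumptions made for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model of the arithmetic only. All names here are hypothetical. */
typedef uint64_t sector64_t; /* stands in for a 64-bit sector_t */

/* Ceiling division: number of regions needed to cover len sectors. */
static sector64_t regions_for(sector64_t len, uint32_t region_size)
{
	return len / region_size + (len % region_size != 0);
}

/* One bit per region, rounded up to whole 64-bit words (assumed sizing rule). */
static uint64_t bitset_bytes(uint64_t regions)
{
	return (regions / 64 + (regions % 64 != 0)) * 8;
}

/* "Before": the quotient lands in a 32-bit variable and loses its high bits. */
static unsigned int region_count_truncated(sector64_t len, uint32_t region_size)
{
	return (unsigned int)regions_for(len, region_size);
}

/* "After": keep 64 bits and refuse counts beyond UINT_MAX.
 * Returns the region count, or -EINVAL when it does not fit. */
static int64_t region_count_checked(sector64_t len, uint32_t region_size)
{
	sector64_t n = regions_for(len, region_size);

	if (n > UINT_MAX)
		return -EINVAL;
	return (int64_t)n;
}

/* Regions that callers can index but that have no bit in the bitset
 * sized from the truncated count. Non-zero means out-of-bounds access. */
static uint64_t regions_without_a_bit(sector64_t len, uint32_t region_size)
{
	uint64_t real = regions_for(len, region_size);
	uint64_t bits = bitset_bytes(region_count_truncated(len, region_size)) * 8;

	return real > bits ? real - bits : 0;
}

int main(void)
{
	const sector64_t len = 8589934594ULL; /* target length from the reproducer */
	const uint32_t region_size = 2;       /* region size from the reproducer */

	printf("real regions:        %llu\n",
	       (unsigned long long)regions_for(len, region_size));
	printf("truncated count:     %u\n",
	       region_count_truncated(len, region_size));
	printf("bitset bytes (old):  %llu\n",
	       (unsigned long long)bitset_bytes(region_count_truncated(len, region_size)));
	printf("regions with no bit: %llu\n",
	       (unsigned long long)regions_without_a_bit(len, region_size));
	printf("checked result:      %lld\n",
	       (long long)region_count_checked(len, region_size));
	return 0;
}
```
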
* [PATCH 6.1 504/969] spi: fsl-qspi: Use reinit_completion() for repeated operations
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Felix Gu, Haibo Chen, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Gu <ustc.gu@gmail.com>
[ Upstream commit 981b080a79724738882b0af1c5bb7ade30d94f24 ]
The driver currently calls init_completion() during every spi_mem_op.
Technically it may work, but it's not the recommended pattern.
According to the kernel documentation: Calling init_completion() on
the same completion object twice is most likely a bug as it
re-initializes the queue to an empty queue and enqueued tasks could
get "lost" - use reinit_completion() in that case, but be aware of
other races.
So move the initial initialization to the probe function and use
reinit_completion() for subsequent operations.
Fixes: 84d043185dbe ("spi: Add a driver for the Freescale/NXP QuadSPI controller")
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Reviewed-by: Haibo Chen <haibo.chen@nxp.com>
Link: https://patch.msgid.link/20260304-spi-nxp-v2-3-cd7d7726a27e@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-fsl-qspi.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/spi/spi-fsl-qspi.c b/drivers/spi/spi-fsl-qspi.c
index 85cc71ba624a9..aee9993fe09db 100644
--- a/drivers/spi/spi-fsl-qspi.c
+++ b/drivers/spi/spi-fsl-qspi.c
@@ -607,7 +607,7 @@ static int fsl_qspi_do_op(struct fsl_qspi *q, const struct spi_mem_op *op)
void __iomem *base = q->iobase;
int err = 0;
- init_completion(&q->c);
+ reinit_completion(&q->c);
/*
* Always start the sequence at the same index since we update
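Review bot: reinit_completion(&q->c) at the top of fsl_qspi_do_op() still leaves the race that the documentation quoted in the changelog warns about: if an earlier operation timed out, its interrupt can arrive after this reinit and complete the new operation early. Nothing in the hunk shows the interrupt being masked or cleared before the reinit; say in a comment how that case is prevented.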
@@ -912,6 +912,7 @@ static int fsl_qspi_probe(struct platform_device *pdev)
if (ret < 0)
goto err_disable_clk;
+ init_completion(&q->c);
ret = devm_request_irq(dev, ret,
fsl_qspi_irq_handler, 0, pdev->name, q);
if (ret) {
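Review bot: init_completion(&q->c) has to stay ahead of devm_request_irq() in fsl_qspi_probe() because the handler may run as soon as the IRQ is requested; the hunk gets the order right but does not say so. Add a one-line comment and a blank line before the devm_request_irq() call so the ordering is not lost in a later reshuffle.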
--
2.53.0
* [PATCH 6.1 505/969] drm/sun4i: Fix resource leaks
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ethan Tidmore, Jernej Skrabec,
Chen-Yu Tsai, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ethan Tidmore <ethantidmore06@gmail.com>
[ Upstream commit 127367ad2e0f4870de60c6d719ae82ecf68d674c ]
Three clocks are not being released in devm_regmap_init_mmio() error
path.
Add proper goto and set ret to the error code.
Fixes: 8270249fbeaf0 ("drm/sun4i: backend: Create regmap after access is possible")
Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com>
Reviewed-by: Jernej Skrabec <jernej.skrabec@gmail.com>
Link: https://patch.msgid.link/20260226163836.10335-1-ethantidmore06@gmail.com
Signed-off-by: Chen-Yu Tsai <wens@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/sun4i/sun4i_backend.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/sun4i/sun4i_backend.c b/drivers/gpu/drm/sun4i/sun4i_backend.c
index d4fd621e33158..7cabf677ab1fc 100644
--- a/drivers/gpu/drm/sun4i/sun4i_backend.c
+++ b/drivers/gpu/drm/sun4i/sun4i_backend.c
@@ -878,7 +878,8 @@ static int sun4i_backend_bind(struct device *dev, struct device *master,
&sun4i_backend_regmap_config);
if (IS_ERR(backend->engine.regs)) {
dev_err(dev, "Couldn't create the backend regmap\n");
- return PTR_ERR(backend->engine.regs);
+ ret = PTR_ERR(backend->engine.regs);
+ goto err_disable_ram_clk;
}
list_add_tail(&backend->engine.list, &drv->engine_list);
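Review bot: the new goto in the IS_ERR(backend->engine.regs) branch depends on err_disable_ram_clk unwinding all three clocks the commit message mentions, and that label's body is outside the hunk context. For the 6.1 backport, check that the label exists with the same fall-through order as upstream and that ret is the variable returned at the end of the unwind chain, since the hunk assigns it without showing its declaration.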
--
2.53.0
* [PATCH 6.1 506/969] drm/amdgpu: Add default case in DVI mode validation
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (504 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 505/969] drm/sun4i: Fix resource leaks Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 507/969] dm init: ensure device probing has finished in dm-mod.waitfor= Greg Kroah-Hartman
` (469 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Timur Kristóf,
Alex Deucher, Christian König, Srinivasan Shanmugam,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
[ Upstream commit e6020a55b8e364d15eac27f9c788e13114eec6b7 ]
amdgpu_connector_dvi_mode_valid() assigns max_digital_pixel_clock_khz
based on connector_object_id using a switch statement that lacks a
default case.
In practice this code path should never be hit because the existing
cases already cover all digital connector types that this function is
used for. This is also legacy display code which is not used for new
hardware.
Add a default case returning MODE_BAD to make the switch exhaustive and
silence the static analyzer smatch error. The new branch is effectively
defensive and should never be reached during normal operation.
Fixes: 585b2f685c56 ("drm/amdgpu: Respect max pixel clock for HDMI and DVI-D (v2)")
Cc: Dan Carpenter <dan.carpenter@linaro.org>
Cc: Timur Kristóf <timur.kristof@gmail.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Cc: Christian König <christian.koenig@amd.com>
Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
index 02a731fdb2263..0661dcef14fb9 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
@@ -1217,6 +1217,8 @@ static enum drm_mode_status amdgpu_connector_dvi_mode_valid(struct drm_connector
case CONNECTOR_OBJECT_ID_HDMI_TYPE_B:
max_digital_pixel_clock_khz = max_dvi_single_link_pixel_clock * 2;
break;
+ default:
+ return MODE_BAD;
}
/* When the display EDID claims that it's an HDMI display,
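Review bot: the new default: branch in amdgpu_connector_dvi_mode_valid() rejects the mode silently, although the commit message says it should never be reached. If an unexpected connector_object_id does show up, the only symptom will be missing modes; a one-time debug or warning message before return MODE_BAD would make that diagnosable. The return itself is the right choice, since falling out of the switch would use max_digital_pixel_clock_khz without a value assigned by any case.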
--
2.53.0
* [PATCH 6.1 507/969] dm init: ensure device probing has finished in dm-mod.waitfor=
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (505 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 506/969] drm/amdgpu: Add default case in DVI mode validation Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 508/969] fbdev: matroxfb: Mark variable with __maybe_unused to avoid W=1 build break Greg Kroah-Hartman
` (468 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guillaume Gonnet, Mikulas Patocka,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guillaume Gonnet <ggonnet.linux@gmail.com>
[ Upstream commit 99a2312f69805f4ba92d98a757625e0300a747ab ]
The early_lookup_bdev() function returns successfully when the disk
device is present but not necessarily its partitions. In this situation,
dm_early_create() fails as the partition block device does not exist
yet.
In my case, this phenomenon occurs quite often because the device is
an SD card with slow reading times, on which the kernel takes time to
enumerate available partitions.
Fortunately, the underlying device is back to "probing" state while
enumerating partitions. Waiting for all probing to end is enough to fix
this issue.
That's also the reason why this problem never occurs with rootwait=
parameter: the while loop inside wait_for_root() explicitly waits for
probing to be done and then the function calls async_synchronize_full().
These lines were omitted in 035641b, even though the commit says it's
based on the rootwait logic...
Anyway, calling wait_for_device_probe() after our while loop does the
job (it both waits for probing and calls async_synchronize_full).
Fixes: 035641b01e72 ("dm init: add dm-mod.waitfor to wait for asynchronously probed block devices")
Signed-off-by: Guillaume Gonnet <ggonnet.linux@gmail.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-init.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/md/dm-init.c b/drivers/md/dm-init.c
index 6e9e73a558740..882dc385cf068 100644
--- a/drivers/md/dm-init.c
+++ b/drivers/md/dm-init.c
@@ -302,8 +302,10 @@ static int __init dm_init_init(void)
}
}
- if (waitfor[0])
+ if (waitfor[0]) {
+ wait_for_device_probe();
DMINFO("all devices available");
+ }
list_for_each_entry(dev, &devices, list) {
if (dm_early_create(&dev->dmi, dev->table,
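Review bot: the wait_for_device_probe() call added under if (waitfor[0]) in dm_init_init() has no comment, and the reason it is needed (the lookup succeeding for the disk before its partitions are enumerated) lives only in the commit message. A short comment above the call would stop it being removed later as redundant with the wait loop that precedes it. Note also that the call is unbounded, so "all devices available" is now printed only once every outstanding probe in the system has finished, not just the ones named in dm-mod.waitfor=.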
--
2.53.0
* [PATCH 6.1 508/969] fbdev: matroxfb: Mark variable with __maybe_unused to avoid W=1 build break
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (506 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 507/969] dm init: ensure device probing has finished in dm-mod.waitfor= Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 509/969] padata: Remove cpu online check from cpu add and removal Greg Kroah-Hartman
` (467 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Jason Yan,
Helge Deller, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit caf6144053b4e1c815aa56afb54745a176f999df ]
Clang is not happy about a set but unused variable:
drivers/video/fbdev/matrox/g450_pll.c:412:18: error: variable 'mnp' set but not used
412 | unsigned int mnp;
| ^
1 error generated.
Since the commit 7b987887f97b ("video: fbdev: matroxfb: remove dead code
and set but not used variable") the 'mnp' became unused, but eliminating
that code might have side-effects. The question here is what should we do
with 'mnp'? The easiest way out is just mark it with __maybe_unused which
will shut the compiler up and won't change any possible IO flow. So does
this change.
A dive into the history of the driver:
The problem was revealed when the #if 0 guarded code along with unused
pixel_vco variable was removed. That code was introduced in the original
commit 213d22146d1f ("[PATCH] (1/3) matroxfb for 2.5.3"). And then guarded
in the commit 705e41f82988 ("matroxfb DVI updates: Handle DVI output on
G450/G550. Powerdown unused portions of G450/G550 DAC. Split G450/G550 DAC
from older DAC1064 handling. Modify PLL setting when both CRTCs use same
pixel clocks.").
NOTE: The two commits mentioned above pre-date the Git era and are available in
the history.git repository for archaeological purposes.
Even without that guard the modern compilers may see that the pixel_vco
wasn't ever used and seems a leftover after some debug or review made
25 years ago.
The g450_mnp2vco() doesn't have any IO and as Jason said doesn't seem
to have any side effects other than some unneeded CPU processing during
runtime. I agree that it's unlikely that a timeout (or heating up the CPU) has
any effect on the HW (GPU/display) functionality.
Fixes: 7b987887f97b ("video: fbdev: matroxfb: remove dead code and set but not used variable")
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/fbdev/matrox/g450_pll.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/matrox/g450_pll.c b/drivers/video/fbdev/matrox/g450_pll.c
index ff8e321a22cef..b2d3f7328ea83 100644
--- a/drivers/video/fbdev/matrox/g450_pll.c
+++ b/drivers/video/fbdev/matrox/g450_pll.c
@@ -407,7 +407,7 @@ static int __g450_setclk(struct matrox_fb_info *minfo, unsigned int fout,
case M_VIDEO_PLL:
{
u_int8_t tmp;
- unsigned int mnp;
+ unsigned int mnp __maybe_unused;
unsigned long flags;
matroxfb_DAC_lock_irqsave(flags);
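Review bot: the __maybe_unused on mnp in the M_VIDEO_PLL case of __g450_setclk() has no comment saying why a set-but-unused variable is being kept. The rationale (keeping the existing assignment so the IO flow is untouched) is only in the commit message, so the next cleanup pass is likely to delete the variable and the code that sets it; a one-line comment at the declaration would carry that reasoning into the source.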
--
2.53.0
* [PATCH 6.1 509/969] padata: Remove cpu online check from cpu add and removal
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (507 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 508/969] fbdev: matroxfb: Mark variable with __maybe_unused to avoid W=1 build break Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 510/969] padata: Put CPU offline callback in ONLINE section to allow failure Greg Kroah-Hartman
` (466 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chuyi Zhou, Daniel Jordan,
Herbert Xu, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chuyi Zhou <zhouchuyi@bytedance.com>
[ Upstream commit 73117ea6470dca787f70f33c001f9faf437a1c0b ]
During the CPU offline process, the dying CPU is cleared from the
cpu_online_mask in takedown_cpu(). After this step, various CPUHP_*_DEAD
callbacks are executed to perform cleanup jobs for the dead CPU, so this
cpu online check in padata_cpu_dead() is unnecessary.
Similarly, when executing padata_cpu_online() during the
CPUHP_AP_ONLINE_DYN phase, the CPU has already been set in the
cpu_online_mask, the action even occurs earlier than the
CPUHP_AP_ONLINE_IDLE stage.
Remove this unnecessary cpu online check in __padata_add_cpu() and
__padata_remove_cpu().
Signed-off-by: Chuyi Zhou <zhouchuyi@bytedance.com>
Acked-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Stable-dep-of: c8c4a2972f83 ("padata: Put CPU offline callback in ONLINE section to allow failure")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/padata.c | 26 ++++++++------------------
1 file changed, 8 insertions(+), 18 deletions(-)
diff --git a/kernel/padata.c b/kernel/padata.c
index 93e288dc373ee..d4298c0c747ce 100644
--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -737,32 +737,22 @@ EXPORT_SYMBOL(padata_set_cpumask);
static int __padata_add_cpu(struct padata_instance *pinst, int cpu)
{
- int err = 0;
-
- if (cpumask_test_cpu(cpu, cpu_online_mask)) {
- err = padata_replace(pinst);
+ int err = padata_replace(pinst);
- if (padata_validate_cpumask(pinst, pinst->cpumask.pcpu) &&
- padata_validate_cpumask(pinst, pinst->cpumask.cbcpu))
- __padata_start(pinst);
- }
+ if (padata_validate_cpumask(pinst, pinst->cpumask.pcpu) &&
+ padata_validate_cpumask(pinst, pinst->cpumask.cbcpu))
+ __padata_start(pinst);
return err;
}
static int __padata_remove_cpu(struct padata_instance *pinst, int cpu)
{
- int err = 0;
-
- if (!cpumask_test_cpu(cpu, cpu_online_mask)) {
- if (!padata_validate_cpumask(pinst, pinst->cpumask.pcpu) ||
- !padata_validate_cpumask(pinst, pinst->cpumask.cbcpu))
- __padata_stop(pinst);
-
- err = padata_replace(pinst);
- }
+ if (!padata_validate_cpumask(pinst, pinst->cpumask.pcpu) ||
+ !padata_validate_cpumask(pinst, pinst->cpumask.cbcpu))
+ __padata_stop(pinst);
- return err;
+ return padata_replace(pinst);
}
static inline int pinst_has_cpu(struct padata_instance *pinst, int cpu)
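Review bot: after this hunk the cpu argument of both __padata_add_cpu() and __padata_remove_cpu() is unused, so the signatures now suggest a per-CPU decision that no longer exists; either drop the parameter or fold the bodies into the callers. Separately, with the if block gone it is easier to see that __padata_add_cpu() calls __padata_start(pinst) even when padata_replace(pinst) returned an error; that behaviour is unchanged by the patch but deserves a comment or an early return on err.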
--
2.53.0
* [PATCH 6.1 510/969] padata: Put CPU offline callback in ONLINE section to allow failure
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (508 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 509/969] padata: Remove cpu online check from cpu add and removal Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 511/969] drm/amdgpu/gfx10: look at the right prop for gfx queue priority Greg Kroah-Hartman
` (465 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+123e1b70473ce213f3af,
Daniel Jordan, Herbert Xu, Sasha Levin, Thomas Gleixner
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Jordan <daniel.m.jordan@oracle.com>
[ Upstream commit c8c4a2972f83c8b68ff03b43cecdb898939ff851 ]
syzbot reported the following warning:
DEAD callback error for CPU1
WARNING: kernel/cpu.c:1463 at _cpu_down+0x759/0x1020 kernel/cpu.c:1463, CPU#0: syz.0.1960/14614
at commit 4ae12d8bd9a8 ("Merge tag 'kbuild-fixes-7.0-2' of git://git.kernel.org/pub/scm/linux/kernel/git/kbuild/linux")
which tglx traced to padata_cpu_dead() given it's the only
sub-CPUHP_TEARDOWN_CPU callback that returns an error.
Failure isn't allowed in hotplug states before CPUHP_TEARDOWN_CPU
so move the CPU offline callback to the ONLINE section where failure is
possible.
Fixes: 894c9ef9780c ("padata: validate cpumask without removed CPU during offline")
Reported-by: syzbot+123e1b70473ce213f3af@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/69af0a05.050a0220.310d8.002f.GAE@google.com/
Debugged-by: Thomas Gleixner <tglx@kernel.org>
Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/cpuhotplug.h | 1 -
include/linux/padata.h | 8 +--
kernel/padata.c | 120 +++++++++++++++++++------------------
3 files changed, 65 insertions(+), 64 deletions(-)
diff --git a/include/linux/cpuhotplug.h b/include/linux/cpuhotplug.h
index 67575bc8a7e29..762b88e1703c8 100644
--- a/include/linux/cpuhotplug.h
+++ b/include/linux/cpuhotplug.h
@@ -98,7 +98,6 @@ enum cpuhp_state {
CPUHP_IOMMU_IOVA_DEAD,
CPUHP_LUSTRE_CFS_DEAD,
CPUHP_AP_ARM_CACHE_B15_RAC_DEAD,
- CPUHP_PADATA_DEAD,
CPUHP_AP_DTPM_CPU_DEAD,
CPUHP_RANDOM_PREPARE,
CPUHP_WORKQUEUE_PREP,
diff --git a/include/linux/padata.h b/include/linux/padata.h
index 6f07e12a43819..72f5899cc7a95 100644
--- a/include/linux/padata.h
+++ b/include/linux/padata.h
@@ -147,23 +147,23 @@ struct padata_mt_job {
/**
* struct padata_instance - The overall control structure.
*
- * @cpu_online_node: Linkage for CPU online callback.
- * @cpu_dead_node: Linkage for CPU offline callback.
+ * @cpuhp_node: Linkage for CPU hotplug callbacks.
* @parallel_wq: The workqueue used for parallel work.
* @serial_wq: The workqueue used for serial work.
* @pslist: List of padata_shell objects attached to this instance.
* @cpumask: User supplied cpumasks for parallel and serial works.
+ * @validate_cpumask: Internal cpumask used to validate @cpumask during hotplug.
* @kobj: padata instance kernel object.
* @lock: padata instance lock.
* @flags: padata flags.
*/
struct padata_instance {
- struct hlist_node cpu_online_node;
- struct hlist_node cpu_dead_node;
+ struct hlist_node cpuhp_node;
struct workqueue_struct *parallel_wq;
struct workqueue_struct *serial_wq;
struct list_head pslist;
struct padata_cpumask cpumask;
+ cpumask_var_t validate_cpumask;
struct kobject kobj;
struct mutex lock;
u8 flags;
diff --git a/kernel/padata.c b/kernel/padata.c
index d4298c0c747ce..e62e10e9cfea5 100644
--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -540,7 +540,8 @@ static void padata_init_reorder_list(struct parallel_data *pd)
}
/* Allocate and initialize the internal cpumask dependend resources. */
-static struct parallel_data *padata_alloc_pd(struct padata_shell *ps)
+static struct parallel_data *padata_alloc_pd(struct padata_shell *ps,
+ int offlining_cpu)
{
struct padata_instance *pinst = ps->pinst;
struct parallel_data *pd;
@@ -566,6 +567,10 @@ static struct parallel_data *padata_alloc_pd(struct padata_shell *ps)
cpumask_and(pd->cpumask.pcpu, pinst->cpumask.pcpu, cpu_online_mask);
cpumask_and(pd->cpumask.cbcpu, pinst->cpumask.cbcpu, cpu_online_mask);
+ if (offlining_cpu >= 0) {
+ __cpumask_clear_cpu(offlining_cpu, pd->cpumask.pcpu);
+ __cpumask_clear_cpu(offlining_cpu, pd->cpumask.cbcpu);
+ }
padata_init_reorder_list(pd);
padata_init_squeues(pd);
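Review bot: the two __cpumask_clear_cpu() calls added to padata_alloc_pd() have no comment, and the explanation of why offlining_cpu is still set in cpu_online_mask at this point appears only in padata_validate_cpumask(). A short comment here pointing at that explanation would help, as would a named constant for the -1 "no CPU going offline" sentinel that every other caller in this patch passes as a bare literal.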
@@ -612,11 +617,11 @@ static void __padata_stop(struct padata_instance *pinst)
}
/* Replace the internal control structure with a new one. */
-static int padata_replace_one(struct padata_shell *ps)
+static int padata_replace_one(struct padata_shell *ps, int offlining_cpu)
{
struct parallel_data *pd_new;
- pd_new = padata_alloc_pd(ps);
+ pd_new = padata_alloc_pd(ps, offlining_cpu);
if (!pd_new)
return -ENOMEM;
@@ -626,7 +631,7 @@ static int padata_replace_one(struct padata_shell *ps)
return 0;
}
-static int padata_replace(struct padata_instance *pinst)
+static int padata_replace(struct padata_instance *pinst, int offlining_cpu)
{
struct padata_shell *ps;
int err = 0;
@@ -634,7 +639,7 @@ static int padata_replace(struct padata_instance *pinst)
pinst->flags |= PADATA_RESET;
list_for_each_entry(ps, &pinst->pslist, list) {
- err = padata_replace_one(ps);
+ err = padata_replace_one(ps, offlining_cpu);
if (err)
break;
}
@@ -651,9 +656,21 @@ static int padata_replace(struct padata_instance *pinst)
/* If cpumask contains no active cpu, we mark the instance as invalid. */
static bool padata_validate_cpumask(struct padata_instance *pinst,
- const struct cpumask *cpumask)
+ const struct cpumask *cpumask,
+ int offlining_cpu)
{
- if (!cpumask_intersects(cpumask, cpu_online_mask)) {
+ cpumask_copy(pinst->validate_cpumask, cpu_online_mask);
+
+ /*
+ * @offlining_cpu is still in cpu_online_mask, so remove it here for
+ * validation. Using a sub-CPUHP_TEARDOWN_CPU hotplug state where
+ * @offlining_cpu wouldn't be in the online mask doesn't work because
+ * padata_cpu_offline() can fail but such a state doesn't allow failure.
+ */
+ if (offlining_cpu >= 0)
+ __cpumask_clear_cpu(offlining_cpu, pinst->validate_cpumask);
+
+ if (!cpumask_intersects(cpumask, pinst->validate_cpumask)) {
pinst->flags |= PADATA_INVALID;
return false;
}
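Review bot: padata_validate_cpumask() now writes to the shared scratch mask pinst->validate_cpumask, so it is no longer a read-only check and two concurrent callers would corrupt each other's result. The hotplug callbacks in this patch call it under pinst->lock, but the locking of __padata_set_cpumasks() is not visible here; a lockdep_assert_held(&pinst->lock) at the top of the function, plus a note in the @validate_cpumask kernel-doc that it is protected by @lock, would make the requirement explicit.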
@@ -669,13 +686,13 @@ static int __padata_set_cpumasks(struct padata_instance *pinst,
int valid;
int err;
- valid = padata_validate_cpumask(pinst, pcpumask);
+ valid = padata_validate_cpumask(pinst, pcpumask, -1);
if (!valid) {
__padata_stop(pinst);
goto out_replace;
}
- valid = padata_validate_cpumask(pinst, cbcpumask);
+ valid = padata_validate_cpumask(pinst, cbcpumask, -1);
if (!valid)
__padata_stop(pinst);
@@ -683,7 +700,7 @@ static int __padata_set_cpumasks(struct padata_instance *pinst,
cpumask_copy(pinst->cpumask.pcpu, pcpumask);
cpumask_copy(pinst->cpumask.cbcpu, cbcpumask);
- err = padata_setup_cpumasks(pinst) ?: padata_replace(pinst);
+ err = padata_setup_cpumasks(pinst) ?: padata_replace(pinst, -1);
if (valid)
__padata_start(pinst);
@@ -735,26 +752,6 @@ EXPORT_SYMBOL(padata_set_cpumask);
#ifdef CONFIG_HOTPLUG_CPU
-static int __padata_add_cpu(struct padata_instance *pinst, int cpu)
-{
- int err = padata_replace(pinst);
-
- if (padata_validate_cpumask(pinst, pinst->cpumask.pcpu) &&
- padata_validate_cpumask(pinst, pinst->cpumask.cbcpu))
- __padata_start(pinst);
-
- return err;
-}
-
-static int __padata_remove_cpu(struct padata_instance *pinst, int cpu)
-{
- if (!padata_validate_cpumask(pinst, pinst->cpumask.pcpu) ||
- !padata_validate_cpumask(pinst, pinst->cpumask.cbcpu))
- __padata_stop(pinst);
-
- return padata_replace(pinst);
-}
-
static inline int pinst_has_cpu(struct padata_instance *pinst, int cpu)
{
return cpumask_test_cpu(cpu, pinst->cpumask.pcpu) ||
@@ -766,27 +763,39 @@ static int padata_cpu_online(unsigned int cpu, struct hlist_node *node)
struct padata_instance *pinst;
int ret;
- pinst = hlist_entry_safe(node, struct padata_instance, cpu_online_node);
+ pinst = hlist_entry_safe(node, struct padata_instance, cpuhp_node);
if (!pinst_has_cpu(pinst, cpu))
return 0;
mutex_lock(&pinst->lock);
- ret = __padata_add_cpu(pinst, cpu);
+
+ ret = padata_replace(pinst, -1);
+
+ if (padata_validate_cpumask(pinst, pinst->cpumask.pcpu, -1) &&
+ padata_validate_cpumask(pinst, pinst->cpumask.cbcpu, -1))
+ __padata_start(pinst);
+
mutex_unlock(&pinst->lock);
return ret;
}
-static int padata_cpu_dead(unsigned int cpu, struct hlist_node *node)
+static int padata_cpu_offline(unsigned int cpu, struct hlist_node *node)
{
struct padata_instance *pinst;
int ret;
- pinst = hlist_entry_safe(node, struct padata_instance, cpu_dead_node);
+ pinst = hlist_entry_safe(node, struct padata_instance, cpuhp_node);
if (!pinst_has_cpu(pinst, cpu))
return 0;
mutex_lock(&pinst->lock);
- ret = __padata_remove_cpu(pinst, cpu);
+
+ if (!padata_validate_cpumask(pinst, pinst->cpumask.pcpu, cpu) ||
+ !padata_validate_cpumask(pinst, pinst->cpumask.cbcpu, cpu))
+ __padata_stop(pinst);
+
+ ret = padata_replace(pinst, cpu);
+
mutex_unlock(&pinst->lock);
return ret;
}
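Review bot: in padata_cpu_offline(), __padata_stop(pinst) runs before padata_replace(pinst, cpu), and padata_replace() can fail (padata_replace_one() returns -ENOMEM when padata_alloc_pd() fails). Now that this callback sits in the ONLINE section, a failure aborts the offline, which leaves the CPU online while the instance has already been stopped and flagged PADATA_INVALID. Please confirm that the hotplug rollback re-runs padata_cpu_online() for this state so the instance is restarted, or reorder so that the stop happens only after the replace has succeeded. The same pattern exists in padata_cpu_online(), where __padata_start() is called regardless of ret.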
@@ -797,15 +806,14 @@ static enum cpuhp_state hp_online;
static void __padata_free(struct padata_instance *pinst)
{
#ifdef CONFIG_HOTPLUG_CPU
- cpuhp_state_remove_instance_nocalls(CPUHP_PADATA_DEAD,
- &pinst->cpu_dead_node);
- cpuhp_state_remove_instance_nocalls(hp_online, &pinst->cpu_online_node);
+ cpuhp_state_remove_instance_nocalls(hp_online, &pinst->cpuhp_node);
#endif
WARN_ON(!list_empty(&pinst->pslist));
free_cpumask_var(pinst->cpumask.pcpu);
free_cpumask_var(pinst->cpumask.cbcpu);
+ free_cpumask_var(pinst->validate_cpumask);
destroy_workqueue(pinst->serial_wq);
destroy_workqueue(pinst->parallel_wq);
kfree(pinst);
@@ -965,10 +973,10 @@ struct padata_instance *padata_alloc(const char *name)
if (!alloc_cpumask_var(&pinst->cpumask.pcpu, GFP_KERNEL))
goto err_free_serial_wq;
- if (!alloc_cpumask_var(&pinst->cpumask.cbcpu, GFP_KERNEL)) {
- free_cpumask_var(pinst->cpumask.pcpu);
- goto err_free_serial_wq;
- }
+ if (!alloc_cpumask_var(&pinst->cpumask.cbcpu, GFP_KERNEL))
+ goto err_free_p_mask;
+ if (!alloc_cpumask_var(&pinst->validate_cpumask, GFP_KERNEL))
+ goto err_free_cb_mask;
INIT_LIST_HEAD(&pinst->pslist);
@@ -976,7 +984,7 @@ struct padata_instance *padata_alloc(const char *name)
cpumask_copy(pinst->cpumask.cbcpu, cpu_possible_mask);
if (padata_setup_cpumasks(pinst))
- goto err_free_masks;
+ goto err_free_v_mask;
__padata_start(pinst);
@@ -985,18 +993,19 @@ struct padata_instance *padata_alloc(const char *name)
#ifdef CONFIG_HOTPLUG_CPU
cpuhp_state_add_instance_nocalls_cpuslocked(hp_online,
- &pinst->cpu_online_node);
- cpuhp_state_add_instance_nocalls_cpuslocked(CPUHP_PADATA_DEAD,
- &pinst->cpu_dead_node);
+ &pinst->cpuhp_node);
#endif
cpus_read_unlock();
return pinst;
-err_free_masks:
- free_cpumask_var(pinst->cpumask.pcpu);
+err_free_v_mask:
+ free_cpumask_var(pinst->validate_cpumask);
+err_free_cb_mask:
free_cpumask_var(pinst->cpumask.cbcpu);
+err_free_p_mask:
+ free_cpumask_var(pinst->cpumask.pcpu);
err_free_serial_wq:
destroy_workqueue(pinst->serial_wq);
err_put_cpus:
@@ -1039,7 +1048,7 @@ struct padata_shell *padata_alloc_shell(struct padata_instance *pinst)
ps->pinst = pinst;
cpus_read_lock();
- pd = padata_alloc_pd(ps);
+ pd = padata_alloc_pd(ps, -1);
cpus_read_unlock();
if (!pd)
@@ -1088,32 +1097,25 @@ void __init padata_init(void)
int ret;
ret = cpuhp_setup_state_multi(CPUHP_AP_ONLINE_DYN, "padata:online",
- padata_cpu_online, NULL);
+ padata_cpu_online, padata_cpu_offline);
if (ret < 0)
goto err;
hp_online = ret;
-
- ret = cpuhp_setup_state_multi(CPUHP_PADATA_DEAD, "padata:dead",
- NULL, padata_cpu_dead);
- if (ret < 0)
- goto remove_online_state;
#endif
possible_cpus = num_possible_cpus();
padata_works = kmalloc_array(possible_cpus, sizeof(struct padata_work),
GFP_KERNEL);
if (!padata_works)
- goto remove_dead_state;
+ goto remove_online_state;
for (i = 0; i < possible_cpus; ++i)
list_add(&padata_works[i].pw_list, &padata_free_works);
return;
-remove_dead_state:
-#ifdef CONFIG_HOTPLUG_CPU
- cpuhp_remove_multi_state(CPUHP_PADATA_DEAD);
remove_online_state:
+#ifdef CONFIG_HOTPLUG_CPU
cpuhp_remove_multi_state(hp_online);
err:
#endif
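Review bot: in padata_init() the remove_online_state: label now sits outside #ifdef CONFIG_HOTPLUG_CPU while err: stays inside it, so with hotplug disabled remove_online_state simply labels whatever follows the #endif and err does not exist. That builds only because the goto err above is under the same #ifdef. Placing both labels outside the conditional and keeping just the cpuhp_remove_multi_state(hp_online) call inside it would be less fragile.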
--
2.53.0
* [PATCH 6.1 511/969] drm/amdgpu/gfx10: look at the right prop for gfx queue priority
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (509 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 510/969] padata: Put CPU offline callback in ONLINE section to allow failure Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 512/969] spi: hisi-kunpeng: prevent infinite while() loop in hisi_spi_flush_fifo Greg Kroah-Hartman
` (464 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alex Deucher, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
[ Upstream commit 355d96cdec5c61fd83f7eb54f1a28e38809645d6 ]
Look at hqd_queue_priority rather than hqd_pipe_priority.
In practice, it didn't matter as both were always set for
kernel queues, but that will change in the future.
Fixes: b07d1d73b09e ("drm/amd/amdgpu: Enable high priority gfx queue")
Reviewed-by:Jesse Zhang <jesse.zhang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
index 48462beddccf0..8953f093b9617 100644
--- a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
@@ -6411,7 +6411,7 @@ static void gfx_v10_0_gfx_mqd_set_priority(struct amdgpu_device *adev,
/* set up default queue priority level
* 0x0 = low priority, 0x1 = high priority
*/
- if (prop->hqd_pipe_priority == AMDGPU_GFX_PIPE_PRIO_HIGH)
+ if (prop->hqd_queue_priority == AMDGPU_GFX_QUEUE_PRIORITY_MAXIMUM)
priority = 1;
tmp = RREG32_SOC15(GC, 0, mmCP_GFX_HQD_QUEUE_PRIORITY);
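Review bot: the comment above the changed test in gfx_v10_0_gfx_mqd_set_priority() still reads "0x0 = low priority, 0x1 = high priority", but the condition now matches only prop->hqd_queue_priority == AMDGPU_GFX_QUEUE_PRIORITY_MAXIMUM, so every other queue priority value is programmed as low. If that is intended, say so in the comment. For the 6.1 backport, also confirm that hqd_queue_priority is populated for gfx queues in this tree, since the commit message's "both were always set" is a statement about upstream.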
--
2.53.0
* [PATCH 6.1 512/969] spi: hisi-kunpeng: prevent infinite while() loop in hisi_spi_flush_fifo
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (510 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 511/969] drm/amdgpu/gfx10: look at the right prop for gfx queue priority Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 513/969] drm/msm/dpu: fix mismatch between power and frequency Greg Kroah-Hartman
` (463 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pei Xiao, Mark Brown, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pei Xiao <xiaopei01@kylinos.cn>
[ Upstream commit 9f61daf2c2debe9f5cf4e1a4471e56a89a6fe45a ]
The hisi_spi_flush_fifo()'s inner while loop lacks any timeout
mechanism. If the hardware never becomes empty, the loop will spin
forever, causing the CPU to hang.
Fix this by adding an inner_limit based on loops_per_jiffy. The inner loop
now exits after approximately one jiffy if the FIFO remains non-empty, logs
a ratelimited warning, and breaks out of the outer loop. Additionally, add
a cpu_relax() inside the busy loop to improve power efficiency.
Fixes: c770d8631e18 ("spi: Add HiSilicon SPI Controller Driver for Kunpeng SoCs")
Signed-off-by: Pei Xiao <xiaopei01@kylinos.cn>
Link: https://patch.msgid.link/d834ce28172886bfaeb9c8ca00cfd9bf1c65d5a1.1773889292.git.xiaopei01@kylinos.cn
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-hisi-kunpeng.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/drivers/spi/spi-hisi-kunpeng.c b/drivers/spi/spi-hisi-kunpeng.c
index 54730e93fba45..06c8893243b7d 100644
--- a/drivers/spi/spi-hisi-kunpeng.c
+++ b/drivers/spi/spi-hisi-kunpeng.c
@@ -198,8 +198,18 @@ static void hisi_spi_flush_fifo(struct hisi_spi *hs)
unsigned long limit = loops_per_jiffy << 1;
do {
- while (hisi_spi_rx_not_empty(hs))
+ unsigned long inner_limit = loops_per_jiffy;
+
+ while (hisi_spi_rx_not_empty(hs) && --inner_limit) {
readl(hs->regs + HISI_SPI_DOUT);
+ cpu_relax();
+ }
+
+ if (!inner_limit) {
+ dev_warn_ratelimited(hs->dev, "RX FIFO flush timeout\n");
+ break;
+ }
+
} while (hisi_spi_busy(hs) && limit--);
}
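Review bot: hisi_spi_flush_fifo() still returns void, so when the new inner_limit timeout fires the caller proceeds as if the RX FIFO had been drained and the only trace is the ratelimited dev_warn. Consider returning an error (for example -ETIMEDOUT) so the transfer path can fail cleanly. The outer loop is also inconsistent with the new code: when limit runs out while hisi_spi_busy(hs) is still true, the function exits with no message at all. Finally, each inner iteration does a readl() plus cpu_relax(), so a bound of loops_per_jiffy iterations can take noticeably longer than the "approximately one jiffy" the commit message states.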
--
2.53.0
* [PATCH 6.1 513/969] drm/msm/dpu: fix mismatch between power and frequency
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (511 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 512/969] spi: hisi-kunpeng: prevent infinite while() loop in hisi_spi_flush_fifo Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 514/969] drm/msm/dsi: rename MSM8998 DSI version from V2_2_0 to V2_0_0 Greg Kroah-Hartman
` (462 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuanjie Yang, Konrad Dybcio,
Dmitry Baryshkov, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuanjie Yang <yuanjie.yang@oss.qualcomm.com>
[ Upstream commit bc1dccc518cc5ab5140fba06c27e7188e0ed342b ]
During DPU runtime suspend, calling dev_pm_opp_set_rate(dev, 0) drops
the MMCX rail to MIN_SVS while the core clock frequency remains at its
original (highest) rate. When runtime resume re-enables the clock, this
may result in a mismatch between the rail voltage and the clock rate.
For example, in the DPU bind path, the sequence could be:
cpu0: dev_sync_state -> rpmhpd_sync_state
cpu1: dpu_kms_hw_init
timeline 0 ------------------------------------------------> t
After rpmhpd_sync_state, the voltage performance is no longer guaranteed
to stay at the highest level. During dpu_kms_hw_init, calling
dev_pm_opp_set_rate(dev, 0) drops the voltage, causing the MMCX rail to
fall to MIN_SVS while the core clock is still at its maximum frequency.
When the power is re-enabled, only the clock is enabled, leading to a
situation where the MMCX rail is at MIN_SVS but the core clock is at its
highest rate. In this state, the rail cannot sustain the clock rate,
which may cause instability or system crash.
Remove the call to dev_pm_opp_set_rate(dev, 0) from dpu_runtime_suspend
to ensure the correct vote is restored when DPU resumes.
Fixes: b0530eb11913 ("drm/msm/dpu: Use OPP API to set clk/perf state")
Signed-off-by: Yuanjie Yang <yuanjie.yang@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/710077/
Link: https://lore.kernel.org/r/20260309063720.13572-1-yuanjie.yang@oss.qualcomm.com
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c
index b7901b666612a..46fa3a703a1a5 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c
+++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c
@@ -1259,8 +1259,6 @@ static int __maybe_unused dpu_runtime_suspend(struct device *dev)
struct msm_drm_private *priv = platform_get_drvdata(pdev);
struct dpu_kms *dpu_kms = to_dpu_kms(priv->kms);
- /* Drop the performance state vote */
- dev_pm_opp_set_rate(dev, 0);
clk_bulk_disable_unprepare(dpu_kms->num_clocks, dpu_kms->clocks);
for (i = 0; i < dpu_kms->num_paths; i++)
--
2.53.0
* [PATCH 6.1 514/969] drm/msm/dsi: rename MSM8998 DSI version from V2_2_0 to V2_0_0
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (512 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 513/969] drm/msm/dpu: fix mismatch between power and frequency Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 515/969] drm/panel: simple: Correct G190EAN01 prepare timing Greg Kroah-Hartman
` (461 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konrad Dybcio, Dmitry Baryshkov,
Alexander Koskovich, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Koskovich <akoskovich@pm.me>
[ Upstream commit 913a709dea0eff9c7b2e9470f8c8594b9a0114ab ]
The MSM8998 DSI controller is v2.0.0 as stated in commit 7b8c9e203039
("drm/msm/dsi: Add support for MSM8998 DSI controller"). The value was
always correct, just the name was wrong.
Rename and reorder to maintain version sorting.
Fixes: 7b8c9e203039 ("drm/msm/dsi: Add support for MSM8998 DSI controller")
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Alexander Koskovich <akoskovich@pm.me>
Patchwork: https://patchwork.freedesktop.org/patch/713717/
Link: https://lore.kernel.org/r/20260324-dsi-rgb101010-support-v5-3-ff6afc904115@pm.me
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/dsi/dsi_cfg.c | 4 ++--
drivers/gpu/drm/msm/dsi/dsi_cfg.h | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/msm/dsi/dsi_cfg.c b/drivers/gpu/drm/msm/dsi/dsi_cfg.c
index e0bd452a9f1e6..4c1c2a77dec98 100644
--- a/drivers/gpu/drm/msm/dsi/dsi_cfg.c
+++ b/drivers/gpu/drm/msm/dsi/dsi_cfg.c
@@ -286,10 +286,10 @@ static const struct msm_dsi_cfg_handler dsi_cfg_handlers[] = {
&msm8996_dsi_cfg, &msm_dsi_6g_host_ops},
{MSM_DSI_VER_MAJOR_6G, MSM_DSI_6G_VER_MINOR_V1_4_2,
&msm8976_dsi_cfg, &msm_dsi_6g_host_ops},
+ {MSM_DSI_VER_MAJOR_6G, MSM_DSI_6G_VER_MINOR_V2_0_0,
+ &msm8998_dsi_cfg, &msm_dsi_6g_v2_host_ops},
{MSM_DSI_VER_MAJOR_6G, MSM_DSI_6G_VER_MINOR_V2_1_0,
&sdm660_dsi_cfg, &msm_dsi_6g_v2_host_ops},
- {MSM_DSI_VER_MAJOR_6G, MSM_DSI_6G_VER_MINOR_V2_2_0,
- &msm8998_dsi_cfg, &msm_dsi_6g_v2_host_ops},
{MSM_DSI_VER_MAJOR_6G, MSM_DSI_6G_VER_MINOR_V2_2_1,
&sdm845_dsi_cfg, &msm_dsi_6g_v2_host_ops},
{MSM_DSI_VER_MAJOR_6G, MSM_DSI_6G_VER_MINOR_V2_3_0,
diff --git a/drivers/gpu/drm/msm/dsi/dsi_cfg.h b/drivers/gpu/drm/msm/dsi/dsi_cfg.h
index 8f04e685a74e9..7b56fc9297212 100644
--- a/drivers/gpu/drm/msm/dsi/dsi_cfg.h
+++ b/drivers/gpu/drm/msm/dsi/dsi_cfg.h
@@ -18,8 +18,8 @@
#define MSM_DSI_6G_VER_MINOR_V1_3_1 0x10030001
#define MSM_DSI_6G_VER_MINOR_V1_4_1 0x10040001
#define MSM_DSI_6G_VER_MINOR_V1_4_2 0x10040002
+#define MSM_DSI_6G_VER_MINOR_V2_0_0 0x20000000
#define MSM_DSI_6G_VER_MINOR_V2_1_0 0x20010000
-#define MSM_DSI_6G_VER_MINOR_V2_2_0 0x20000000
#define MSM_DSI_6G_VER_MINOR_V2_2_1 0x20020001
#define MSM_DSI_6G_VER_MINOR_V2_3_0 0x20030000
#define MSM_DSI_6G_VER_MINOR_V2_4_0 0x20040000
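Review bot: the define is renamed but keeps the value 0x20000000, so for this backport the thing to confirm is that no other file in the 6.1 tree still references MSM_DSI_6G_VER_MINOR_V2_2_0. The diffstat touches only dsi_cfg.c and dsi_cfg.h, and a leftover user would show up as a build break rather than a behaviour change. A build of the msm driver on this branch with the patch applied would settle it.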
--
2.53.0
* [PATCH 6.1 515/969] drm/panel: simple: Correct G190EAN01 prepare timing
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (513 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 514/969] drm/msm/dsi: rename MSM8998 DSI version from V2_2_0 to V2_0_0 Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 516/969] ALSA: core: Validate compress device numbers without dynamic minors Greg Kroah-Hartman
` (460 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Reichel, Ian Ray,
Neil Armstrong, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Reichel <sebastian.reichel@collabora.com>
[ Upstream commit f1080f82570b797598c1ba7e9c800ae9e94aafc6 ]
The prepare timing specified by the G190EAN01 datasheet should be
between 30 and 50 ms. Considering it might take some time for the
LVDS encoder to enable the signal, we should only wait the min.
required time in the panel driver and not the max. allowed time.
Fixes: 2f7b832fc992 ("drm/panel: simple: Add support for AUO G190EAN01 panel")
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Ian Ray <ian.ray@gehealthcare.com>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://patch.msgid.link/20260217142528.68613-1-ian.ray@gehealthcare.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/panel/panel-simple.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c
index 3f41fd5edc333..316961a86b042 100644
--- a/drivers/gpu/drm/panel/panel-simple.c
+++ b/drivers/gpu/drm/panel/panel-simple.c
@@ -1099,7 +1099,7 @@ static const struct panel_desc auo_g190ean01 = {
.height = 301,
},
.delay = {
- .prepare = 50,
+ .prepare = 30,
.enable = 200,
.disable = 110,
.unprepare = 1000,
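Review bot: ".prepare = 30" is a bare number whose justification exists only in the changelog. A trailing comment noting that the datasheet allows 30 to 50 ms and that the minimum is chosen on purpose, because the LVDS encoder adds its own delay, would keep someone from changing it back to 50.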
--
2.53.0
* [PATCH 6.1 516/969] ALSA: core: Validate compress device numbers without dynamic minors
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (514 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 515/969] drm/panel: simple: Correct G190EAN01 prepare timing Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 517/969] drm/amd/pm/ci: Use highest MCLK on CI when MCLK DPM is disabled Greg Kroah-Hartman
` (459 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
[ Upstream commit 796e119e9b14763be905ad0d023c71a14bc2e931 ]
Without CONFIG_SND_DYNAMIC_MINORS, ALSA reserves only two fixed minors
for compress devices on each card: comprD0 and comprD1.
snd_find_free_minor() currently computes the compress minor as
type + dev without validating dev first, so device numbers greater than
1 spill into the HWDEP minor range instead of failing registration.
ASoC passes rtd->id to snd_compress_new(), so this can happen on real
non-dynamic-minor builds.
Add a dedicated fixed-minor check for SNDRV_DEVICE_TYPE_COMPRESS in
snd_find_free_minor() and reject out-of-range device numbers with
-EINVAL before constructing the minor.
Also remove the stale TODO in compress_offload.c that still claims
multiple compress nodes are missing.
Fixes: 3eafc959b32f ("ALSA: core: add support for compressed devices")
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260325-alsa-compress-static-minors-v1-1-0628573bee1c@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/core/compress_offload.c | 7 -------
sound/core/sound.c | 7 +++++++
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
index 243acad89fd3b..f1140a6bc996d 100644
--- a/sound/core/compress_offload.c
+++ b/sound/core/compress_offload.c
@@ -40,13 +40,6 @@
#define COMPR_CODEC_CAPS_OVERFLOW
#endif
-/* TODO:
- * - add substream support for multiple devices in case of
- * SND_DYNAMIC_MINORS is not used
- * - Multiple node representation
- * driver should be able to register multiple nodes
- */
-
struct snd_compr_file {
unsigned long caps;
struct snd_compr_stream stream;
diff --git a/sound/core/sound.c b/sound/core/sound.c
index df5571d986295..f3bb0adf37cce 100644
--- a/sound/core/sound.c
+++ b/sound/core/sound.c
@@ -219,9 +219,16 @@ static int snd_find_free_minor(int type, struct snd_card *card, int dev)
case SNDRV_DEVICE_TYPE_RAWMIDI:
case SNDRV_DEVICE_TYPE_PCM_PLAYBACK:
case SNDRV_DEVICE_TYPE_PCM_CAPTURE:
+ if (snd_BUG_ON(!card))
+ return -EINVAL;
+ minor = SNDRV_MINOR(card->number, type + dev);
+ break;
case SNDRV_DEVICE_TYPE_COMPRESS:
if (snd_BUG_ON(!card))
return -EINVAL;
+ if (dev < 0 ||
+ dev >= SNDRV_MINOR_HWDEP - SNDRV_MINOR_COMPRESS)
+ return -EINVAL;
minor = SNDRV_MINOR(card->number, type + dev);
break;
default:
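Review bot: the bound "dev >= SNDRV_MINOR_HWDEP - SNDRV_MINOR_COMPRESS" encodes, without saying so, that the HWDEP minors begin right after the fixed compress minors; a one-line comment or a named constant for the number of fixed compress minors would make that explicit. The case block that was split off above it (RAWMIDI, PCM_PLAYBACK, PCM_CAPTURE) still computes "type + dev" with no range check on dev, so the changelog or a comment should say why those types cannot spill into a neighbouring range the same way. The new -EINVAL return is also silent, which may make a failed registration hard to trace back to the device number.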
--
2.53.0
* [PATCH 6.1 517/969] drm/amd/pm/ci: Use highest MCLK on CI when MCLK DPM is disabled
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (515 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 516/969] ALSA: core: Validate compress device numbers without dynamic minors Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 518/969] drm/amd/pm/ci: Disable MCLK DPM on problematic CI ASICs Greg Kroah-Hartman
` (458 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Alex Deucher,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit 894f0d34d66cb47fe718fe2ae5c18729d22c5218 ]
When MCLK DPM is disabled for any reason, populate the MCLK
table with the highest MCLK DPM level, so that the ASIC can
use the highest possible memory clock to get good performance
even when MCLK DPM is disabled.
Fixes: 9f4b35411cfe ("drm/amd/powerplay: add CI asics support to smumgr (v3)")
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c b/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
index 9b8974e89145d..20419da731993 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
@@ -1323,6 +1323,14 @@ static int ci_populate_all_memory_levels(struct pp_hwmgr *hwmgr)
return result;
}
+ if (data->mclk_dpm_key_disabled && dpm_table->mclk_table.count) {
+ /* Populate the table with the highest MCLK level when MCLK DPM is disabled */
+ for (i = 0; i < dpm_table->mclk_table.count - 1; i++) {
+ levels[i] = levels[dpm_table->mclk_table.count - 1];
+ levels[i].DisplayWatermark = PPSMC_DISPLAY_WATERMARK_HIGH;
+ }
+ }
+
smu_data->smc_state_table.MemoryLevel[0].EnabledForActivity = 1;
dev_id = adev->pdev->device;
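Review bot: in the copy loop, DisplayWatermark is forced to PPSMC_DISPLAY_WATERMARK_HIGH only on entries 0 to count - 2; the source entry levels[count - 1] keeps whatever it had, so the copies and the top level can disagree. If every level should be HIGH when MCLK DPM is disabled, set it on the last entry as well (or before copying); if the difference is intended, the comment should say why. The struct assignment also carries every other per-level field of the top entry into the lower slots, which is worth a word in the comment.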
--
2.53.0
* [PATCH 6.1 518/969] drm/amd/pm/ci: Disable MCLK DPM on problematic CI ASICs
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (516 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 517/969] drm/amd/pm/ci: Use highest MCLK on CI when MCLK DPM is disabled Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 519/969] drm/amd/pm/smu7: Fix SMU7 voltage dependency on display clock Greg Kroah-Hartman
` (457 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Alex Deucher,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit 9851f29cb06c09f7dad3867d8b0feec3fc71b6c8 ]
There are two known cases where MCLK DPM can cause issues:
Radeon R9 M380 found in iMac computers from 2015.
The SMU in this GPU just hangs as soon as we send it the
PPSMC_MSG_MCLKDPM_Enable command, even when MCLK switching is
disabled, and even when we only populate one MCLK DPM level.
Apply workaround to all devices with the same subsystem ID.
Radeon R7 260X due to old memory controller microcode.
We only flash the MC ucode when it isn't set up by the VBIOS,
therefore there is no way to make sure that it has the correct
ucode version.
I verified that this patch fixes the SMU hang on the R9 M380
which would previously fail to boot. This also fixes the UVD
initialization error on that GPU which happened because the
SMU couldn't ungate the UVD after it hung.
Fixes: 86457c3b21cb ("drm/amd/powerplay: Add support for CI asics to hwmgr")
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/pm/powerplay/hwmgr/hwmgr.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/hwmgr.c
index f2cef0930aa96..997435a50f21e 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/hwmgr.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/hwmgr.c
@@ -104,6 +104,21 @@ int hwmgr_early_init(struct pp_hwmgr *hwmgr)
PP_GFXOFF_MASK);
hwmgr->pp_table_version = PP_TABLE_V0;
hwmgr->od_enabled = false;
+ switch (hwmgr->chip_id) {
+ case CHIP_BONAIRE:
+ /* R9 M380 in iMac 2015: SMU hangs when enabling MCLK DPM
+ * R7 260X cards with old MC ucode: MCLK DPM is unstable
+ */
+ if (adev->pdev->subsystem_vendor == 0x106B ||
+ adev->pdev->device == 0x6658) {
+ dev_info(adev->dev, "disabling MCLK DPM on quirky ASIC");
+ adev->pm.pp_feature &= ~PP_MCLK_DPM_MASK;
+ hwmgr->feature_mask &= ~PP_MCLK_DPM_MASK;
+ }
+ break;
+ default:
+ break;
+ }
smu7_init_function_pointers(hwmgr);
break;
case AMDGPU_FAMILY_CZ:
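Review bot: the dev_info() string has no trailing newline; it should read "disabling MCLK DPM on quirky ASIC\n". The match is also wider than the comment suggests: "subsystem_vendor == 0x106B" catches every Bonaire part with that subsystem vendor and "device == 0x6658" every board with that device ID, whether or not its MC ucode is old, so the comment should state that the over-match is deliberate. PCI_VENDOR_ID_APPLE would read better than the bare 0x106B.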
--
2.53.0
* [PATCH 6.1 519/969] drm/amd/pm/smu7: Fix SMU7 voltage dependency on display clock
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (517 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 518/969] drm/amd/pm/ci: Disable MCLK DPM on problematic CI ASICs Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 520/969] drm/amd/pm/ci: Fix powertune defaults for Hawaii 0x67B0 Greg Kroah-Hartman
` (456 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Alex Deucher,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit 0138610c14130425be53423b35336561829965e0 ]
The DCE (display controller engine) requires a minimum voltage
in order to function correctly, depending on which clock level
it currently uses.
Add a new table that contains display clock frequency levels
and the corresponding required voltages. The clock frequency
levels are taken from DC (and the old radeon driver's voltage
dependency table for CI in cases where its values were lower).
The voltage levels are taken from the following function:
phm_initializa_dynamic_state_adjustment_rule_settings().
Furthermore, in case of CI, call smu7_patch_vddc() on the new
table to account for leakage voltage (like in radeon).
Use the display clock value from amd_pp_display_configuration
to look up the voltage level needed by the DCE. Send the
voltage to the SMU via the PPSMC_MSG_VddC_Request command.
The previous implementation of this feature was non-functional
because it relied on a "dal_power_level" field which was never
assigned; and it was not at all implemented for CI ASICs.
I verified this on a Radeon R9 M380 which previously booted to
a black screen with DC enabled (default since Linux 6.19), but
now works correctly.
Fixes: 599a7e9fe1b6 ("drm/amd/powerplay: implement smu7 hwmgr to manager asics with smu ip version 7.")
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c | 88 ++++++++++++++++++-
drivers/gpu/drm/amd/pm/powerplay/inc/hwmgr.h | 1 +
2 files changed, 86 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c
index d13ab986a5c20..f9454e43e5c63 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c
@@ -2815,6 +2815,10 @@ static int smu7_patch_dependency_tables_with_leakage(struct pp_hwmgr *hwmgr)
if (tmp)
return -EINVAL;
+ tmp = smu7_patch_vddc(hwmgr, hwmgr->dyn_state.vddc_dependency_on_display_clock);
+ if (tmp)
+ return -EINVAL;
+
tmp = smu7_patch_vce_vddc(hwmgr, hwmgr->dyn_state.vce_clock_voltage_dependency_table);
if (tmp)
return -EINVAL;
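Review bot: smu7_patch_vddc() is now called on hwmgr->dyn_state.vddc_dependency_on_display_clock unconditionally, but the init function added later in this patch returns 0 without allocating the table when there is no DCE IP block, so the pointer can be NULL at this call. Please confirm smu7_patch_vddc() tolerates a NULL table or guard the call here.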
@@ -2898,6 +2902,8 @@ static int smu7_hwmgr_backend_fini(struct pp_hwmgr *hwmgr)
{
kfree(hwmgr->dyn_state.vddc_dep_on_dal_pwrl);
hwmgr->dyn_state.vddc_dep_on_dal_pwrl = NULL;
+ kfree(hwmgr->dyn_state.vddc_dependency_on_display_clock);
+ hwmgr->dyn_state.vddc_dependency_on_display_clock = NULL;
kfree(hwmgr->backend);
hwmgr->backend = NULL;
@@ -2968,6 +2974,51 @@ static int smu7_update_edc_leakage_table(struct pp_hwmgr *hwmgr)
return ret;
}
+static int smu7_init_voltage_dependency_on_display_clock_table(struct pp_hwmgr *hwmgr)
+{
+ struct phm_clock_voltage_dependency_table *table;
+
+ if (!amdgpu_device_ip_get_ip_block(hwmgr->adev, AMD_IP_BLOCK_TYPE_DCE))
+ return 0;
+
+ table = kzalloc(struct_size(table, entries, 4), GFP_KERNEL);
+ if (!table)
+ return -ENOMEM;
+
+ if (hwmgr->chip_id >= CHIP_POLARIS10) {
+ table->entries[0].clk = 38918;
+ table->entries[1].clk = 45900;
+ table->entries[2].clk = 66700;
+ table->entries[3].clk = 113200;
+
+ table->entries[0].v = 700;
+ table->entries[1].v = 740;
+ table->entries[2].v = 800;
+ table->entries[3].v = 900;
+ } else {
+ if (hwmgr->chip_family == AMDGPU_FAMILY_CZ) {
+ table->entries[0].clk = 35200;
+ table->entries[1].clk = 35200;
+ table->entries[2].clk = 46700;
+ table->entries[3].clk = 64300;
+ } else {
+ table->entries[0].clk = 0;
+ table->entries[1].clk = 35200;
+ table->entries[2].clk = 54000;
+ table->entries[3].clk = 62500;
+ }
+
+ table->entries[0].v = 0;
+ table->entries[1].v = 720;
+ table->entries[2].v = 810;
+ table->entries[3].v = 900;
+ }
+
+ table->count = 4;
+ hwmgr->dyn_state.vddc_dependency_on_display_clock = table;
+ return 0;
+}
+
static int smu7_hwmgr_backend_init(struct pp_hwmgr *hwmgr)
{
struct amdgpu_device *adev = hwmgr->adev;
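Review bot: the clock and voltage values in smu7_init_voltage_dependency_on_display_clock_table() are open-coded assignments with no units, and the count 4 is repeated in struct_size() and in table->count. Static const arrays per ASIC family copied into the allocation, with a comment giving the units, would be easier to audit against the sources the changelog names. In the CZ branch entries[0].clk and entries[1].clk are both 35200 while entries[0].v is 0 and entries[1].v is 720; if that is deliberate because the lookup skips index 0, a comment should say so.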
@@ -2996,6 +3047,10 @@ static int smu7_hwmgr_backend_init(struct pp_hwmgr *hwmgr)
smu7_get_elb_voltages(hwmgr);
}
+ result = smu7_init_voltage_dependency_on_display_clock_table(hwmgr);
+ if (result)
+ goto fail;
+
if (hwmgr->pp_table_version == PP_TABLE_V1) {
smu7_complete_dependency_tables(hwmgr);
smu7_set_private_data_based_on_pptable_v1(hwmgr);
@@ -3092,13 +3147,40 @@ static int smu7_force_dpm_highest(struct pp_hwmgr *hwmgr)
return 0;
}
+static uint32_t smu7_lookup_vddc_from_dispclk(struct pp_hwmgr *hwmgr)
+{
+ const struct amd_pp_display_configuration *cfg = hwmgr->display_config;
+ const struct phm_clock_voltage_dependency_table *vddc_dep_on_dispclk =
+ hwmgr->dyn_state.vddc_dependency_on_display_clock;
+ uint32_t i;
+
+ if (!vddc_dep_on_dispclk || !vddc_dep_on_dispclk->count ||
+ !cfg || !cfg->num_display || !cfg->display_clk)
+ return 0;
+
+ /* Start from 1 because ClocksStateUltraLow should not be used according to DC. */
+ for (i = 1; i < vddc_dep_on_dispclk->count; ++i)
+ if (vddc_dep_on_dispclk->entries[i].clk >= cfg->display_clk)
+ return vddc_dep_on_dispclk->entries[i].v;
+
+ return vddc_dep_on_dispclk->entries[vddc_dep_on_dispclk->count - 1].v;
+}
+
+static void smu7_apply_minimum_dce_voltage_request(struct pp_hwmgr *hwmgr)
+{
+ uint32_t req_vddc = smu7_lookup_vddc_from_dispclk(hwmgr);
+
+ smum_send_msg_to_smc_with_parameter(hwmgr,
+ PPSMC_MSG_VddC_Request,
+ req_vddc * VOLTAGE_SCALE,
+ NULL);
+}
+
static int smu7_upload_dpm_level_enable_mask(struct pp_hwmgr *hwmgr)
{
struct smu7_hwmgr *data = (struct smu7_hwmgr *)(hwmgr->backend);
- if (hwmgr->pp_table_version == PP_TABLE_V1)
- phm_apply_dal_min_voltage_request(hwmgr);
-/* TO DO for v0 iceland and Ci*/
+ smu7_apply_minimum_dce_voltage_request(hwmgr);
if (!data->sclk_dpm_key_disabled) {
if (data->dpm_level_enable_mask.sclk_dpm_enable_mask)
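Review bot: smu7_apply_minimum_dce_voltage_request() sends PPSMC_MSG_VddC_Request on every call, including with a parameter of 0 when smu7_lookup_vddc_from_dispclk() bails out (no table, no displays, display_clk of 0), and it now runs for all table versions where the removed code acted only for PP_TABLE_V1. If a zero request is the intended way to clear the minimum, say so in a comment; otherwise skip the message when req_vddc is 0. The return value of smum_send_msg_to_smc_with_parameter() is also dropped, so a failed request goes unnoticed.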
diff --git a/drivers/gpu/drm/amd/pm/powerplay/inc/hwmgr.h b/drivers/gpu/drm/amd/pm/powerplay/inc/hwmgr.h
index ec10643edea3e..dbd2ab50d150e 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/inc/hwmgr.h
+++ b/drivers/gpu/drm/amd/pm/powerplay/inc/hwmgr.h
@@ -634,6 +634,7 @@ struct phm_dynamic_state_info {
struct phm_clock_voltage_dependency_table *vddci_dependency_on_mclk;
struct phm_clock_voltage_dependency_table *vddc_dependency_on_mclk;
struct phm_clock_voltage_dependency_table *mvdd_dependency_on_mclk;
+ struct phm_clock_voltage_dependency_table *vddc_dependency_on_display_clock;
struct phm_clock_voltage_dependency_table *vddc_dep_on_dal_pwrl;
struct phm_clock_array *valid_sclk_values;
struct phm_clock_array *valid_mclk_values;
--
2.53.0
* [PATCH 6.1 520/969] drm/amd/pm/ci: Fix powertune defaults for Hawaii 0x67B0
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (518 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 519/969] drm/amd/pm/smu7: Fix SMU7 voltage dependency on display clock Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 521/969] drm/amd/pm/ci: Clear EnabledForActivity field for memory levels Greg Kroah-Hartman
` (455 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Alex Deucher,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit d784759c07924280f3c313f205fc48eb62d7cb71 ]
There is no AMD GPU with the ID 0x66B0, this looks like a typo.
It should be 0x67B0 which is actually part of the PCI ID list,
and should use the Hawaii XT powertune defaults according to
the old radeon driver.
Fixes: 9f4b35411cfe ("drm/amd/powerplay: add CI asics support to smumgr (v3)")
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c b/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
index 20419da731993..a43753f11ee96 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
@@ -246,7 +246,7 @@ static void ci_initialize_power_tune_defaults(struct pp_hwmgr *hwmgr)
smu_data->power_tune_defaults = &defaults_hawaii_pro;
break;
case 0x67B8:
- case 0x66B0:
+ case 0x67B0:
smu_data->power_tune_defaults = &defaults_hawaii_xt;
break;
case 0x6640:
--
2.53.0
* [PATCH 6.1 521/969] drm/amd/pm/ci: Clear EnabledForActivity field for memory levels
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (519 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 520/969] drm/amd/pm/ci: Fix powertune defaults for Hawaii 0x67B0 Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 522/969] drm/amd/pm/ci: Fill DW8 fields from SMC Greg Kroah-Hartman
` (454 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Alex Deucher,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit 5facfd4c4c67e8500116ffec0d9da35d92b9c787 ]
Follow what radeon did and what amdgpu does for other GPUs with SMU7.
Fixes: 9f4b35411cfe ("drm/amd/powerplay: add CI asics support to smumgr (v3)")
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c b/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
index a43753f11ee96..0839be4dc38c7 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
@@ -1218,7 +1218,7 @@ static int ci_populate_single_memory_level(
}
memory_level->EnabledForThrottle = 1;
- memory_level->EnabledForActivity = 1;
+ memory_level->EnabledForActivity = 0;
memory_level->UpH = data->current_profile_setting.mclk_up_hyst;
memory_level->DownH = data->current_profile_setting.mclk_down_hyst;
memory_level->VoltageDownH = 0;
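Review bot: "memory_level->EnabledForActivity = 0;" flips a flag consumed by the SMU with no comment, and the changelog only says it follows radeon. A one-line comment on why each level starts with the flag cleared, and that ci_populate_all_memory_levels() sets MemoryLevel[0].EnabledForActivity = 1 afterwards (visible as context in patch 517 of this series), would make the change reviewable on its own.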
--
2.53.0
* [PATCH 6.1 522/969] drm/amd/pm/ci: Fill DW8 fields from SMC
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (520 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 521/969] drm/amd/pm/ci: Clear EnabledForActivity field for memory levels Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 523/969] drm/amd/pm/smu7: Add SCLK cap for quirky Hawaii board Greg Kroah-Hartman
` (453 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Alex Deucher,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit baf28ec5795c077406d6f52b8ad39e614153bce6 ]
In ci_populate_dw8() we currently just read a value from the SMU
and then throw it away. Instead of throwing away the value,
we should use it to fill other fields in DW8 (like radeon).
Otherwise the value of the other fields is just cleared when
we copy this data to the SMU later.
Fixes: 9f4b35411cfe ("drm/amd/powerplay: add CI asics support to smumgr (v3)")
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c b/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
index 0839be4dc38c7..0b22563450a83 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
@@ -544,12 +544,11 @@ static int ci_populate_dw8(struct pp_hwmgr *hwmgr, uint32_t fuse_table_offset)
{
struct ci_smumgr *smu_data = (struct ci_smumgr *)(hwmgr->smu_backend);
const struct ci_pt_defaults *defaults = smu_data->power_tune_defaults;
- uint32_t temp;
if (ci_read_smc_sram_dword(hwmgr,
fuse_table_offset +
offsetof(SMU7_Discrete_PmFuses, TdcWaterfallCtl),
- (uint32_t *)&temp, SMC_RAM_END))
+ (uint32_t *)&smu_data->power_tune_table.TdcWaterfallCtl, SMC_RAM_END))
PP_ASSERT_WITH_CODE(false,
"Attempt to read PmFuses.DW6 (SviLoadLineEn) from SMC Failed!",
return -EINVAL);
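Review bot: the read now stores a full dword through "(uint32_t *)&smu_data->power_tune_table.TdcWaterfallCtl", which relies on TdcWaterfallCtl being the first member of DW8 and on the fields after it matching the SMC layout; that assumption deserves a comment at the call site. The error string still says "Attempt to read PmFuses.DW6 (SviLoadLineEn) from SMC Failed!" although the offset is that of TdcWaterfallCtl, so it should be corrected while this call is being touched.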
--
2.53.0
* [PATCH 6.1 523/969] drm/amd/pm/smu7: Add SCLK cap for quirky Hawaii board
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (521 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 522/969] drm/amd/pm/ci: Fill DW8 fields from SMC Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 524/969] ALSA: hda/realtek: Whitespace fix Greg Kroah-Hartman
` (452 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Alex Deucher,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit 4724bc5b8d78c34b993594f9406135408ccb312a ]
On a specific Radeon R9 390X board, the GPU can "randomly" hang
while gaming. Initially I thought this was a RADV bug and tried
to work around this in Mesa:
commit 8ea08747b86b ("radv: Mitigate GPU hang on Hawaii in Dota 2 and RotTR")
However, I got some feedback from other users who are reporting
that the above mitigation causes a significant performance
regression for them, and they didn't experience the hang on their
GPU in the first place.
After some further investigation, it turns out that the problem
is that the highest SCLK DPM level on this board isn't stable.
Lowering SCLK to 1040 MHz (from 1070 MHz) works around the issue,
and has a negligible impact on performance compared to the Mesa
patch. (Note that increasing the voltage can also work around it,
but we felt that lowering the SCLK is the safer option.)
To solve the above issue, add an "sclk_cap" field to smu7_hwmgr
and set this field for the affected board. The capped SCLK value
correctly appears on the sysfs interface and shows up in GUI
tools such as LACT.
Fixes: 9f4b35411cfe ("drm/amd/powerplay: add CI asics support to smumgr (v3)")
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c | 30 ++++++++++++++++---
.../drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.h | 1 +
2 files changed, 27 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c
index f9454e43e5c63..132669fb39860 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c
@@ -788,7 +788,7 @@ static int smu7_setup_dpm_tables_v0(struct pp_hwmgr *hwmgr)
hwmgr->dyn_state.vddc_dependency_on_mclk;
struct phm_cac_leakage_table *std_voltage_table =
hwmgr->dyn_state.cac_leakage_table;
- uint32_t i;
+ uint32_t i, clk;
PP_ASSERT_WITH_CODE(allowed_vdd_sclk_table != NULL,
"SCLK dependency table is missing. This table is mandatory", return -EINVAL);
@@ -805,10 +805,12 @@ static int smu7_setup_dpm_tables_v0(struct pp_hwmgr *hwmgr)
data->dpm_table.sclk_table.count = 0;
for (i = 0; i < allowed_vdd_sclk_table->count; i++) {
+ clk = min(allowed_vdd_sclk_table->entries[i].clk, data->sclk_cap);
+
if (i == 0 || data->dpm_table.sclk_table.dpm_levels[data->dpm_table.sclk_table.count-1].value !=
- allowed_vdd_sclk_table->entries[i].clk) {
+ clk) {
data->dpm_table.sclk_table.dpm_levels[data->dpm_table.sclk_table.count].value =
- allowed_vdd_sclk_table->entries[i].clk;
+ clk;
data->dpm_table.sclk_table.dpm_levels[data->dpm_table.sclk_table.count].enabled = (i == 0) ? 1 : 0;
data->dpm_table.sclk_table.count++;
}
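Review bot: the loop now depends on the comparison against the previous `dpm_levels[...].value` to collapse every entry that clamps to `data->sclk_cap` into a single DPM level, and nothing at `clk = min(allowed_vdd_sclk_table->entries[i].clk, data->sclk_cap);` says so. A one-line comment there stating that capped entries are deduplicated by the existing "differs from previous level" test would keep a later cleanup from breaking it.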
@@ -3019,6 +3021,25 @@ static int smu7_init_voltage_dependency_on_display_clock_table(struct pp_hwmgr *
return 0;
}
+static void smu7_set_sclk_cap(struct pp_hwmgr *hwmgr)
+{
+ struct amdgpu_device *adev = hwmgr->adev;
+ struct smu7_hwmgr *data = (struct smu7_hwmgr *)(hwmgr->backend);
+
+ data->sclk_cap = 0xffffffff;
+
+ if (hwmgr->od_enabled)
+ return;
+
+ /* R9 390X board: last sclk dpm level is unstable, use lower sclk */
+ if (adev->pdev->device == 0x67B0 &&
+ adev->pdev->subsystem_vendor == 0x1043)
+ data->sclk_cap = 104000; /* 1040 MHz */
+
+ if (data->sclk_cap != 0xffffffff)
+ dev_info(adev->dev, "sclk cap: %u kHz on quirky ASIC\n", data->sclk_cap * 10);
+}
+
static int smu7_hwmgr_backend_init(struct pp_hwmgr *hwmgr)
{
struct amdgpu_device *adev = hwmgr->adev;
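Review bot: the quirk match in smu7_set_sclk_cap() is wider than the single board the changelog describes. It keys only on `adev->pdev->device == 0x67B0` and `adev->pdev->subsystem_vendor == 0x1043`, so every board with that device ID from that subsystem vendor gets the 1040 MHz cap. If the instability is specific to one board, also compare `adev->pdev->subsystem_device`. Smaller points: the `0xffffffff` "no cap" sentinel could be U32_MAX, and the `od_enabled` early return deserves a comment on why the cap is skipped when overdrive is enabled.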
@@ -3030,6 +3051,7 @@ static int smu7_hwmgr_backend_init(struct pp_hwmgr *hwmgr)
return -ENOMEM;
hwmgr->backend = data;
+ smu7_set_sclk_cap(hwmgr);
smu7_patch_voltage_workaround(hwmgr);
smu7_init_dpm_defaults(hwmgr);
@@ -3916,7 +3938,7 @@ static int smu7_get_pp_table_entry_callback_func_v0(struct pp_hwmgr *hwmgr,
/* Performance levels are arranged from low to high. */
performance_level->memory_clock = memory_clock;
- performance_level->engine_clock = engine_clock;
+ performance_level->engine_clock = min(engine_clock, data->sclk_cap);
pcie_gen_from_bios = visland_clk_info->ucPCIEGen;
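Review bot: `min(engine_clock, data->sclk_cap)` depends on two things this hunk does not show: a `data` pointer in scope in smu7_get_pp_table_entry_callback_func_v0(), and `engine_clock` having the same type as the `uint32_t` cap, since the kernel's min() warns on mismatched types. If the types differ, use min_t(uint32_t, ...) here.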
diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.h b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.h
index d9e8b386bd4d3..66adabeab6a3a 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.h
+++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.h
@@ -234,6 +234,7 @@ struct smu7_hwmgr {
uint32_t pcie_gen_cap;
uint32_t pcie_lane_cap;
uint32_t pcie_spc_cap;
+ uint32_t sclk_cap;
struct smu7_leakage_voltage vddc_leakage;
struct smu7_leakage_voltage vddci_leakage;
struct smu7_leakage_voltage vddcgfx_leakage;
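Review bot: the new `sclk_cap` field needs a comment at its declaration. Its unit is not obvious (the .c file stores `104000` for 1040 MHz and multiplies by 10 to print kHz, so it is in 10 kHz units), and `0xffffffff` means "no cap"; neither is stated here.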
--
2.53.0
* [PATCH 6.1 524/969] ALSA: hda/realtek: Whitespace fix
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (522 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 523/969] drm/amd/pm/smu7: Add SCLK cap for quirky Hawaii board Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 525/969] ALSA: hda/realtek: fix code style (ERROR: else should follow close brace }) Greg Kroah-Hartman
` (451 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luke D. Jones, Takashi Iwai,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luke D. Jones <luke@ljones.dev>
[ Upstream commit 72cea3a3175b50a4875b3c112fb13df20c6218a5 ]
Remove an erroneous whitespace.
Fixes: 31278997add6 ("ALSA: hda/realtek - Add headset quirk for Dell DT")
Signed-off-by: Luke D. Jones <luke@ljones.dev>
Link: https://lore.kernel.org/r/20230704044619.19343-6-luke@ljones.dev
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Stable-dep-of: d1888bf848ad ("ALSA: hda/realtek: fix code style (ERROR: else should follow close brace '}')")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/patch_realtek.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
index 0889dfd80fa44..9bda2f43394cb 100644
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -6040,7 +6040,7 @@ static void alc_fixup_headset_mode_alc255_no_hp_mic(struct hda_codec *codec,
struct alc_spec *spec = codec->spec;
spec->parse_flags |= HDA_PINCFG_HEADSET_MIC;
alc255_set_default_jack_type(codec);
- }
+ }
else
alc_fixup_headset_mode(codec, fix, action);
}
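Review bot: after this change the closing brace and `else` are still on separate lines, which kernel coding style does not allow. Folding them into `} else` in this same hunk would avoid a second style-only patch touching the same two lines.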
--
2.53.0
* [PATCH 6.1 525/969] ALSA: hda/realtek: fix code style (ERROR: else should follow close brace })
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (523 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 524/969] ALSA: hda/realtek: Whitespace fix Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 526/969] drm/msm/a6xx: Fix HLSQ register dumping Greg Kroah-Hartman
` (450 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Lei Huang, Takashi Iwai, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lei Huang <huanglei@kylinos.cn>
[ Upstream commit d1888bf848ade6a9e71c7ba516fd215aa1bd8d65 ]
Fix checkpatch code style errors:
ERROR: else should follow close brace '}'
#2300: FILE: sound/hda/codecs/realtek/alc269.c:2300:
+ }
+ else
Fixes: 31278997add6 ("ALSA: hda/realtek - Add headset quirk for Dell DT")
Signed-off-by: Lei Huang <huanglei@kylinos.cn>
Link: https://patch.msgid.link/20260331075405.78148-1-huanglei814@163.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/patch_realtek.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
index 9bda2f43394cb..7b4fd95c66f9b 100644
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -6040,9 +6040,9 @@ static void alc_fixup_headset_mode_alc255_no_hp_mic(struct hda_codec *codec,
struct alc_spec *spec = codec->spec;
spec->parse_flags |= HDA_PINCFG_HEADSET_MIC;
alc255_set_default_jack_type(codec);
- }
- else
+ } else {
alc_fixup_headset_mode(codec, fix, action);
+ }
}
static void alc288_update_headset_jack_cb(struct hda_codec *codec,
--
2.53.0
* [PATCH 6.1 526/969] drm/msm/a6xx: Fix HLSQ register dumping
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (524 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 525/969] ALSA: hda/realtek: fix code style (ERROR: else should follow close brace }) Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 527/969] drm/msm/shrinker: Fix can_block() logic Greg Kroah-Hartman
` (449 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Connor Abbott, Rob Clark,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rob Clark <robin.clark@oss.qualcomm.com>
[ Upstream commit c289a6db9ba6cb974f0317da142e4f665d589566 ]
Fix the bitfield offset of HLSQ_READ_SEL state-type bitfield. Otherwise
we are always reading TP state when we wanted SP or HLSQ state.
Reported-by: Connor Abbott <cwabbott0@gmail.com>
Suggested-by: Connor Abbott <cwabbott0@gmail.com>
Fixes: 1707add81551 ("drm/msm/a6xx: Add a6xx gpu state")
Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/714236/
Message-ID: <20260325184043.1259312-1-robin.clark@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c b/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c
index 7a30249974cff..de84bd623f16a 100644
--- a/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c
+++ b/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c
@@ -649,7 +649,7 @@ static void a6xx_get_crashdumper_hlsq_registers(struct msm_gpu *gpu,
u64 out = dumper->iova + A6XX_CD_DATA_OFFSET;
int i, regcount = 0;
- in += CRASHDUMP_WRITE(in, REG_A6XX_HLSQ_DBG_READ_SEL, regs->val1);
+ in += CRASHDUMP_WRITE(in, REG_A6XX_HLSQ_DBG_READ_SEL, (regs->val1 & 0xff) << 8);
for (i = 0; i < regs->count; i += 2) {
u32 count = RANGE(regs->registers, i);
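Review bot: `(regs->val1 & 0xff) << 8` hard-codes the width and position of the state-type field in REG_A6XX_HLSQ_DBG_READ_SEL. A named mask and shift, or a short comment giving the bit range, would make it clear why `val1` cannot be written as is and would keep other users of the register from repeating the original mistake.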
--
2.53.0
* [PATCH 6.1 527/969] drm/msm/shrinker: Fix can_block() logic
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (525 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 526/969] drm/msm/a6xx: Fix HLSQ register dumping Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 528/969] drm/msm/a6xx: Use barriers while updating HFI Q headers Greg Kroah-Hartman
` (448 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Boris Brezillon, Rob Clark,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rob Clark <robin.clark@oss.qualcomm.com>
[ Upstream commit df0f439e3926817cf577ca6272aad68468ff7624 ]
The intention here was to allow blocking if DIRECT_RECLAIM or if called
from kswapd and KSWAPD_RECLAIM is set.
Reported by Claude code review: https://lore.gitlab.freedesktop.org/drm-ai-reviews/review-patch9-20260309151119.290217-10-boris.brezillon@collabora.com/ on a panthor patch which had copied similar logic.
Reported-by: Boris Brezillon <boris.brezillon@collabora.com>
Fixes: 7860d720a84c ("drm/msm: Fix build break with recent mm tree")
Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
Reviewed-by: Boris Brezillon <boris.brezillon@collabora.com>
Patchwork: https://patchwork.freedesktop.org/patch/714238/
Message-ID: <20260325184106.1259528-1-robin.clark@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/msm_gem_shrinker.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/msm/msm_gem_shrinker.c b/drivers/gpu/drm/msm/msm_gem_shrinker.c
index a35c98306f1e5..f1b330c272fb7 100644
--- a/drivers/gpu/drm/msm/msm_gem_shrinker.c
+++ b/drivers/gpu/drm/msm/msm_gem_shrinker.c
@@ -26,9 +26,8 @@ static bool can_swap(void)
static bool can_block(struct shrink_control *sc)
{
- if (!(sc->gfp_mask & __GFP_DIRECT_RECLAIM))
- return false;
- return current_is_kswapd() || (sc->gfp_mask & __GFP_RECLAIM);
+ return (sc->gfp_mask & __GFP_DIRECT_RECLAIM) ||
+ (current_is_kswapd() && (sc->gfp_mask & __GFP_KSWAPD_RECLAIM));
}
static unsigned long
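Review bot: can_block() carries no comment stating the intended policy, and the changelog says the earlier logic was copied into another driver. Put the rule above the function (block on direct reclaim, or when running in kswapd with `__GFP_KSWAPD_RECLAIM` set) so the two-line expression can be checked against it.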
--
2.53.0
* [PATCH 6.1 528/969] drm/msm/a6xx: Use barriers while updating HFI Q headers
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (526 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 527/969] drm/msm/shrinker: Fix can_block() logic Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 529/969] pmdomain: ti: omap_prm: Fix a reference leak on device node Greg Kroah-Hartman
` (447 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Akhil P Oommen, Rob Clark,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Akhil P Oommen <akhilpo@oss.qualcomm.com>
[ Upstream commit dc78b35d5ec09d1b0b8a937e6e640d2c5a030915 ]
To avoid harmful compiler optimizations and IO reordering in the HW, use
barriers and READ/WRITE_ONCE helpers as necessary while accessing the HFI
queue index variables.
Fixes: 4b565ca5a2cb ("drm/msm: Add A6XX device support")
Signed-off-by: Akhil P Oommen <akhilpo@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/714653/
Message-ID: <20260327-a8xx-gpu-batch2-v2-1-2b53c38d2101@oss.qualcomm.com>
Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/adreno/a6xx_hfi.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/msm/adreno/a6xx_hfi.c b/drivers/gpu/drm/msm/adreno/a6xx_hfi.c
index 2cc83e0496133..753a1bcc835cb 100644
--- a/drivers/gpu/drm/msm/adreno/a6xx_hfi.c
+++ b/drivers/gpu/drm/msm/adreno/a6xx_hfi.c
@@ -29,7 +29,7 @@ static int a6xx_hfi_queue_read(struct a6xx_gmu *gmu,
struct a6xx_hfi_queue_header *header = queue->header;
u32 i, hdr, index = header->read_index;
- if (header->read_index == header->write_index) {
+ if (header->read_index == READ_ONCE(header->write_index)) {
header->rx_request = 1;
return 0;
}
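Review bot: nothing in this hunk orders the `READ_ONCE(header->write_index)` check against the queue payload reads that follow it. READ_ONCE() stops the compiler from caching or tearing the load, but it is not a barrier; if the payload must be observed as it was written before the producer advanced `write_index`, a dma_rmb() after the emptiness check is needed.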
@@ -57,7 +57,10 @@ static int a6xx_hfi_queue_read(struct a6xx_gmu *gmu,
if (!gmu->legacy)
index = ALIGN(index, 4) % header->size;
- header->read_index = index;
+ /* Ensure all memory operations are complete before updating the read index */
+ dma_mb();
+
+ WRITE_ONCE(header->read_index, index);
return HFI_HEADER_SIZE(hdr);
}
@@ -69,7 +72,7 @@ static int a6xx_hfi_queue_write(struct a6xx_gmu *gmu,
spin_lock(&queue->lock);
- space = CIRC_SPACE(header->write_index, header->read_index,
+ space = CIRC_SPACE(header->write_index, READ_ONCE(header->read_index),
header->size);
if (space < dwords) {
header->dropped++;
@@ -90,7 +93,10 @@ static int a6xx_hfi_queue_write(struct a6xx_gmu *gmu,
queue->data[index] = 0xfafafafa;
}
- header->write_index = index;
+ /* Ensure all memory operations are complete before updating the write index */
+ dma_mb();
+
+ WRITE_ONCE(header->write_index, index);
spin_unlock(&queue->lock);
gmu_write(gmu, REG_A6XX_GMU_HOST2GMU_INTR_SET, 0x01);
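Review bot: the comment before dma_mb() says "all memory operations", but what has to be ordered at this point is the stores to `queue->data[]` ahead of the store to `header->write_index`. If that is all, dma_wmb() is sufficient; if the full barrier is deliberate, the comment should say which load it is ordering.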
--
2.53.0
* [PATCH 6.1 529/969] pmdomain: ti: omap_prm: Fix a reference leak on device node
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (527 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 528/969] drm/msm/a6xx: Use barriers while updating HFI Q headers Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 530/969] pmdomain: imx: scu-pd: Fix device_node reference leak during ->probe() Greg Kroah-Hartman
` (446 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Felix Gu, Ulf Hansson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Gu <gu_0233@qq.com>
[ Upstream commit 44c28e1c52764fef6dd1c1ada3a248728812e67f ]
When calling of_parse_phandle_with_args(), the caller is responsible
to call of_node_put() to release the reference of device node.
In omap_prm_domain_attach_dev, it does not release the reference.
Fixes: 58cbff023bfa ("soc: ti: omap-prm: Add basic power domain support")
Signed-off-by: Felix Gu <gu_0233@qq.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/ti/omap_prm.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/soc/ti/omap_prm.c b/drivers/soc/ti/omap_prm.c
index 33ef58195955d..1a85ae3507691 100644
--- a/drivers/soc/ti/omap_prm.c
+++ b/drivers/soc/ti/omap_prm.c
@@ -652,6 +652,7 @@ static int omap_prm_domain_attach_dev(struct generic_pm_domain *domain,
if (pd_args.args_count != 0)
dev_warn(dev, "%s: unusupported #power-domain-cells: %i\n",
prmd->pd.name, pd_args.args_count);
+ of_node_put(pd_args.np);
genpd_data = dev_gpd_data(dev);
genpd_data->data = NULL;
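Review bot: of_node_put(pd_args.np) is placed after the `args_count` warning, so it covers only the path that reaches this line. Check that no return between the successful of_parse_phandle_with_args() call and this point leaves the function with the reference still held; dropping the node right after `pd_args` is last used is less fragile than relying on position.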
--
2.53.0
* [PATCH 6.1 530/969] pmdomain: imx: scu-pd: Fix device_node reference leak during ->probe()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (528 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 529/969] pmdomain: ti: omap_prm: Fix a reference leak on device node Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 531/969] ASoC: fsl_micfil: Fix event generation in micfil_quality_set() Greg Kroah-Hartman
` (445 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Felix Gu, Peng Fan, Ulf Hansson,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Gu <ustc.gu@gmail.com>
[ Upstream commit c8e9b6a55702be6c6d034e973d519c52c3848415 ]
When calling of_parse_phandle_with_args(), the caller is responsible
to call of_node_put() to release the reference of device node.
In imx_sc_pd_get_console_rsrc(), it does not release the reference.
Fixes: 893cfb99734f ("firmware: imx: scu-pd: do not power off console domain")
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/imx/scu-pd.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/firmware/imx/scu-pd.c b/drivers/firmware/imx/scu-pd.c
index af3d057e64217..f1977861cd429 100644
--- a/drivers/firmware/imx/scu-pd.c
+++ b/drivers/firmware/imx/scu-pd.c
@@ -235,6 +235,7 @@ static void imx_sc_pd_get_console_rsrc(void)
return;
imx_con_rsrc = specs.args[0];
+ of_node_put(specs.np);
}
static int imx_sc_pd_power(struct generic_pm_domain *domain, bool power_on)
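Review bot: the `return;` directly above `imx_con_rsrc = specs.args[0];` leaves the function without reaching the new of_node_put(specs.np). That is fine if it is the parse-failure path, but if it can be taken after of_parse_phandle_with_args() succeeded the reference still leaks there, and the put should move ahead of that check.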
--
2.53.0
* [PATCH 6.1 531/969] ASoC: fsl_micfil: Fix event generation in micfil_quality_set()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (529 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 530/969] pmdomain: imx: scu-pd: Fix device_node reference leak during ->probe() Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 532/969] ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_arc_mode_put() Greg Kroah-Hartman
` (444 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shengjiu Wang, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengjiu Wang <shengjiu.wang@nxp.com>
[ Upstream commit e5785093b1b45af7ee57d18619b2854a8aed073a ]
ALSA controls should return 1 if the value in the control changed but the
control put operation micfil_quality_set() only returns 0 or a negative
error code, causing ALSA to not generate any change events.
Add a suitable check in the function before updating the quality variable.
Also enable pm runtime before calling the function micfil_set_quality()
to make the regmap cache data align with the value in hardware.
Fixes: bea1d61d5892 ("ASoC: fsl_micfil: rework quality setting")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://patch.msgid.link/20260401094226.2900532-7-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/fsl_micfil.c | 28 ++++++++++++++++++++++++++--
1 file changed, 26 insertions(+), 2 deletions(-)
diff --git a/sound/soc/fsl/fsl_micfil.c b/sound/soc/fsl/fsl_micfil.c
index 1b6f5e33ff93a..953192f7b6433 100644
--- a/sound/soc/fsl/fsl_micfil.c
+++ b/sound/soc/fsl/fsl_micfil.c
@@ -148,10 +148,34 @@ static int micfil_quality_set(struct snd_kcontrol *kcontrol,
{
struct snd_soc_component *cmpnt = snd_soc_kcontrol_component(kcontrol);
struct fsl_micfil *micfil = snd_soc_component_get_drvdata(cmpnt);
+ int val = ucontrol->value.integer.value[0];
+ bool change = false;
+ int old_val;
+ int ret;
+
+ if (val < QUALITY_HIGH || val > QUALITY_VLOW2)
+ return -EINVAL;
+
+ if (micfil->quality != val) {
+ ret = pm_runtime_resume_and_get(cmpnt->dev);
+ if (ret)
+ return ret;
+
+ old_val = micfil->quality;
+ micfil->quality = val;
+ ret = micfil_set_quality(micfil);
- micfil->quality = ucontrol->value.integer.value[0];
+ pm_runtime_put_autosuspend(cmpnt->dev);
+
+ if (ret) {
+ micfil->quality = old_val;
+ return ret;
+ }
+
+ change = true;
+ }
- return micfil_set_quality(micfil);
+ return change;
}
static const struct snd_kcontrol_new fsl_micfil_snd_controls[] = {
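Review bot: `int val = ucontrol->value.integer.value[0];` narrows a `long` to `int` before the range check, so on 64-bit a value from user space with bits set above bit 31 can truncate into the `QUALITY_HIGH`..`QUALITY_VLOW2` range and be accepted. Do the range check on the `long` and narrow afterwards. Separately, micfil_set_quality() runs with `micfil->quality` already updated and is rolled back on error; a short comment on that ordering would help.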
--
2.53.0
* [PATCH 6.1 532/969] ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_arc_mode_put()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (530 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 531/969] ASoC: fsl_micfil: Fix event generation in micfil_quality_set() Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 533/969] ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_mode_put() Greg Kroah-Hartman
` (443 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shengjiu Wang, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengjiu Wang <shengjiu.wang@nxp.com>
[ Upstream commit 1b61c8103c9317a9c37fe544c2d83cee1c281149 ]
ALSA controls should return 1 if the value in the control changed but the
control put operation fsl_xcvr_arc_mode_put() only returns 0 or a negative
error code, causing ALSA to not generate any change events.
Add a suitable check in the function before updating the arc_mode
variable.
Fixes: 28564486866f ("ASoC: fsl_xcvr: Add XCVR ASoC CPU DAI driver")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://patch.msgid.link/20260401094226.2900532-8-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/fsl_xcvr.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/sound/soc/fsl/fsl_xcvr.c b/sound/soc/fsl/fsl_xcvr.c
index 5b61b93772d64..83b1d497fbf5f 100644
--- a/sound/soc/fsl/fsl_xcvr.c
+++ b/sound/soc/fsl/fsl_xcvr.c
@@ -97,10 +97,17 @@ static int fsl_xcvr_arc_mode_put(struct snd_kcontrol *kcontrol,
struct fsl_xcvr *xcvr = snd_soc_dai_get_drvdata(dai);
struct soc_enum *e = (struct soc_enum *)kcontrol->private_value;
unsigned int *item = ucontrol->value.enumerated.item;
+ int val = snd_soc_enum_item_to_val(e, item[0]);
+ int ret;
- xcvr->arc_mode = snd_soc_enum_item_to_val(e, item[0]);
+ if (val < 0 || val > 1)
+ return -EINVAL;
- return 0;
+ ret = (xcvr->arc_mode != val);
+
+ xcvr->arc_mode = val;
+
+ return ret;
}
static int fsl_xcvr_arc_mode_get(struct snd_kcontrol *kcontrol,
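Review bot: `snd_soc_enum_item_to_val(e, item[0])` is called in the declaration, before any check on `item[0]`, and the `val < 0 || val > 1` test only looks at the converted result. Reject `item[0] >= e->items` first, then convert. The literal `1` as the upper bound would also read better as a named constant for the highest ARC mode.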
--
2.53.0
* [PATCH 6.1 533/969] ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_mode_put()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (531 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 532/969] ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_arc_mode_put() Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 534/969] ASoC: fsl_easrc: Check the variable range in fsl_easrc_iec958_put_bits() Greg Kroah-Hartman
` (442 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shengjiu Wang, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengjiu Wang <shengjiu.wang@nxp.com>
[ Upstream commit 64a496ba976324615b845d60739dfcdae3d57434 ]
ALSA controls should return 1 if the value in the control changed but the
control put operation fsl_xcvr_mode_put() only returns 0 or a negative
error code, causing ALSA to not generate any change events.
Add a suitable check in the function before updating the mode variable.
Fixes: 28564486866f ("ASoC: fsl_xcvr: Add XCVR ASoC CPU DAI driver")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://patch.msgid.link/20260401094226.2900532-9-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/fsl_xcvr.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/sound/soc/fsl/fsl_xcvr.c b/sound/soc/fsl/fsl_xcvr.c
index 83b1d497fbf5f..513582d69bc15 100644
--- a/sound/soc/fsl/fsl_xcvr.c
+++ b/sound/soc/fsl/fsl_xcvr.c
@@ -205,10 +205,17 @@ static int fsl_xcvr_mode_put(struct snd_kcontrol *kcontrol,
struct fsl_xcvr *xcvr = snd_soc_dai_get_drvdata(dai);
struct soc_enum *e = (struct soc_enum *)kcontrol->private_value;
unsigned int *item = ucontrol->value.enumerated.item;
+ int val = snd_soc_enum_item_to_val(e, item[0]);
struct snd_soc_card *card = dai->component->card;
struct snd_soc_pcm_runtime *rtd;
+ int ret;
+
+ if (val < FSL_XCVR_MODE_SPDIF || val > FSL_XCVR_MODE_EARC)
+ return -EINVAL;
- xcvr->mode = snd_soc_enum_item_to_val(e, item[0]);
+ ret = (xcvr->mode != val);
+
+ xcvr->mode = val;
fsl_xcvr_activate_ctl(dai, fsl_xcvr_arc_mode_kctl.name,
(xcvr->mode == FSL_XCVR_MODE_ARC));
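Review bot: `ret` here holds the "changed" flag, but fsl_xcvr_activate_ctl() and the `substream_count` update further down still run when the value is unchanged. Returning 0 early when `xcvr->mode == val` would skip the redundant control activation; if re-running them is intentional, name the variable `change` as micfil_quality_set() does so it is not read as an error code.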
@@ -218,7 +225,7 @@ static int fsl_xcvr_mode_put(struct snd_kcontrol *kcontrol,
rtd = snd_soc_get_pcm_runtime(card, card->dai_link);
rtd->pcm->streams[SNDRV_PCM_STREAM_PLAYBACK].substream_count =
(xcvr->mode == FSL_XCVR_MODE_SPDIF ? 1 : 0);
- return 0;
+ return ret;
}
static int fsl_xcvr_mode_get(struct snd_kcontrol *kcontrol,
--
2.53.0
* [PATCH 6.1 534/969] ASoC: fsl_easrc: Check the variable range in fsl_easrc_iec958_put_bits()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (532 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 533/969] ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_mode_put() Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 535/969] ASoC: fsl_easrc: Fix value type in fsl_easrc_iec958_get_bits() Greg Kroah-Hartman
` (441 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shengjiu Wang, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengjiu Wang <shengjiu.wang@nxp.com>
[ Upstream commit 00541b86fb578d4949cfdd6aff1f82d43fcf07af ]
Add check of input value's range in fsl_easrc_iec958_put_bits(),
otherwise the wrong value may be written from user space.
Fixes: 955ac624058f ("ASoC: fsl_easrc: Add EASRC ASoC CPU DAI drivers")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://patch.msgid.link/20260401094226.2900532-10-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/fsl_easrc.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/sound/soc/fsl/fsl_easrc.c b/sound/soc/fsl/fsl_easrc.c
index f04d183fe099f..bb8bad04fb47d 100644
--- a/sound/soc/fsl/fsl_easrc.c
+++ b/sound/soc/fsl/fsl_easrc.c
@@ -54,6 +54,9 @@ static int fsl_easrc_iec958_put_bits(struct snd_kcontrol *kcontrol,
unsigned int regval = ucontrol->value.integer.value[0];
int ret;
+ if (regval < EASRC_WIDTH_16_BIT || regval > EASRC_WIDTH_24_BIT)
+ return -EINVAL;
+
ret = (easrc_priv->bps_iec958[mc->regbase] != regval);
easrc_priv->bps_iec958[mc->regbase] = regval;
--
2.53.0
* [PATCH 6.1 535/969] ASoC: fsl_easrc: Fix value type in fsl_easrc_iec958_get_bits()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (533 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 534/969] ASoC: fsl_easrc: Check the variable range in fsl_easrc_iec958_put_bits() Greg Kroah-Hartman
@ 2026-05-30 16:00 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 536/969] ASoC: fsl_easrc: Change the type for iec958 channel status controls Greg Kroah-Hartman
` (440 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shengjiu Wang, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengjiu Wang <shengjiu.wang@nxp.com>
[ Upstream commit aa21fe4a81458cf469c2615b08cbde5997dde25a ]
The value type of controls "Context 0 IEC958 Bits Per Sample" should be
integer, not enumerated, the issue is found by the mixer-test.
Fixes: 955ac624058f ("ASoC: fsl_easrc: Add EASRC ASoC CPU DAI drivers")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://patch.msgid.link/20260401094226.2900532-11-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/fsl_easrc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/fsl/fsl_easrc.c b/sound/soc/fsl/fsl_easrc.c
index bb8bad04fb47d..05aacebee884f 100644
--- a/sound/soc/fsl/fsl_easrc.c
+++ b/sound/soc/fsl/fsl_easrc.c
@@ -73,7 +73,7 @@ static int fsl_easrc_iec958_get_bits(struct snd_kcontrol *kcontrol,
struct soc_mreg_control *mc =
(struct soc_mreg_control *)kcontrol->private_value;
- ucontrol->value.enumerated.item[0] = easrc_priv->bps_iec958[mc->regbase];
+ ucontrol->value.integer.value[0] = easrc_priv->bps_iec958[mc->regbase];
return 0;
}
--
2.53.0
* [PATCH 6.1 536/969] ASoC: fsl_easrc: Change the type for iec958 channel status controls
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (534 preceding siblings ...)
2026-05-30 16:00 ` [PATCH 6.1 535/969] ASoC: fsl_easrc: Fix value type in fsl_easrc_iec958_get_bits() Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 537/969] ASoC: qcom: qdsp6: topology: check widget type before accessing data Greg Kroah-Hartman
` (439 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shengjiu Wang, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengjiu Wang <shengjiu.wang@nxp.com>
[ Upstream commit 47f28a5bd154a95d5aa563dde02a801bd32ddb81 ]
Use the type SNDRV_CTL_ELEM_TYPE_IEC958 for iec958 channel status
controls, the original type will cause mixer-test to iterate all 32bit
values, which costs a lot of time. And using IEC958 type can reduce the
control numbers.
Also enable pm runtime before updating registers to make the regmap cache
data align with the value in hardware.
Fixes: 955ac624058f ("ASoC: fsl_easrc: Add EASRC ASoC CPU DAI drivers")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://patch.msgid.link/20260401094226.2900532-12-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/fsl_easrc.c | 118 +++++++++++++++++++++++++++-----------
1 file changed, 84 insertions(+), 34 deletions(-)
diff --git a/sound/soc/fsl/fsl_easrc.c b/sound/soc/fsl/fsl_easrc.c
index 05aacebee884f..4c3b462512461 100644
--- a/sound/soc/fsl/fsl_easrc.c
+++ b/sound/soc/fsl/fsl_easrc.c
@@ -78,17 +78,47 @@ static int fsl_easrc_iec958_get_bits(struct snd_kcontrol *kcontrol,
return 0;
}
+static int fsl_easrc_iec958_info(struct snd_kcontrol *kcontrol,
+ struct snd_ctl_elem_info *uinfo)
+{
+ uinfo->type = SNDRV_CTL_ELEM_TYPE_IEC958;
+ uinfo->count = 1;
+ return 0;
+}
+
static int fsl_easrc_get_reg(struct snd_kcontrol *kcontrol,
struct snd_ctl_elem_value *ucontrol)
{
struct snd_soc_component *component = snd_kcontrol_chip(kcontrol);
struct soc_mreg_control *mc =
(struct soc_mreg_control *)kcontrol->private_value;
- unsigned int regval;
+ struct fsl_asrc *easrc = snd_soc_component_get_drvdata(component);
+ unsigned int *regval = (unsigned int *)ucontrol->value.iec958.status;
+ int ret;
+
+ ret = regmap_read(easrc->regmap, REG_EASRC_CS0(mc->regbase), ®val[0]);
+ if (ret)
+ return ret;
+
+ ret = regmap_read(easrc->regmap, REG_EASRC_CS1(mc->regbase), ®val[1]);
+ if (ret)
+ return ret;
+
+ ret = regmap_read(easrc->regmap, REG_EASRC_CS2(mc->regbase), ®val[2]);
+ if (ret)
+ return ret;
- regval = snd_soc_component_read(component, mc->regbase);
+ ret = regmap_read(easrc->regmap, REG_EASRC_CS3(mc->regbase), ®val[3]);
+ if (ret)
+ return ret;
+
+ ret = regmap_read(easrc->regmap, REG_EASRC_CS4(mc->regbase), ®val[4]);
+ if (ret)
+ return ret;
- ucontrol->value.integer.value[0] = regval;
+ ret = regmap_read(easrc->regmap, REG_EASRC_CS5(mc->regbase), ®val[5]);
+ if (ret)
+ return ret;
return 0;
}
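Review bot: in fsl_easrc_get_reg() the cast `(unsigned int *)ucontrol->value.iec958.status` treats the uAPI byte array as six 32-bit words, so the byte order userspace sees in status[] depends on host endianness, and the six regmap_read() calls fill exactly the 24 bytes of status[] with no headroom; a comment stating both assumptions, or an explicit per-byte copy, would be safer. The get path also reads without pm_runtime_resume_and_get(), unlike the set path in the next hunk, so it relies on the regmap cache being valid while the device is suspended; the changelog should say so. The six near-identical read blocks could be a loop over the CS registers.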
@@ -100,22 +130,62 @@ static int fsl_easrc_set_reg(struct snd_kcontrol *kcontrol,
struct soc_mreg_control *mc =
(struct soc_mreg_control *)kcontrol->private_value;
struct fsl_asrc *easrc = snd_soc_component_get_drvdata(component);
- unsigned int regval = ucontrol->value.integer.value[0];
- bool changed;
+ unsigned int *regval = (unsigned int *)ucontrol->value.iec958.status;
+ bool changed, changed_all = false;
int ret;
- ret = regmap_update_bits_check(easrc->regmap, mc->regbase,
- GENMASK(31, 0), regval, &changed);
- if (ret != 0)
+ ret = pm_runtime_resume_and_get(component->dev);
+ if (ret)
return ret;
- return changed;
+ ret = regmap_update_bits_check(easrc->regmap, REG_EASRC_CS0(mc->regbase),
+ GENMASK(31, 0), regval[0], &changed);
+ if (ret != 0)
+ goto err;
+ changed_all |= changed;
+
+ ret = regmap_update_bits_check(easrc->regmap, REG_EASRC_CS1(mc->regbase),
+ GENMASK(31, 0), regval[1], &changed);
+ if (ret != 0)
+ goto err;
+ changed_all |= changed;
+
+ ret = regmap_update_bits_check(easrc->regmap, REG_EASRC_CS2(mc->regbase),
+ GENMASK(31, 0), regval[2], &changed);
+ if (ret != 0)
+ goto err;
+ changed_all |= changed;
+
+ ret = regmap_update_bits_check(easrc->regmap, REG_EASRC_CS3(mc->regbase),
+ GENMASK(31, 0), regval[3], &changed);
+ if (ret != 0)
+ goto err;
+ changed_all |= changed;
+
+ ret = regmap_update_bits_check(easrc->regmap, REG_EASRC_CS4(mc->regbase),
+ GENMASK(31, 0), regval[4], &changed);
+ if (ret != 0)
+ goto err;
+ changed_all |= changed;
+
+ ret = regmap_update_bits_check(easrc->regmap, REG_EASRC_CS5(mc->regbase),
+ GENMASK(31, 0), regval[5], &changed);
+ if (ret != 0)
+ goto err;
+ changed_all |= changed;
+err:
+ pm_runtime_put_autosuspend(component->dev);
+
+ if (ret != 0)
+ return ret;
+ else
+ return changed_all;
}
#define SOC_SINGLE_REG_RW(xname, xreg) \
{ .iface = SNDRV_CTL_ELEM_IFACE_PCM, .name = (xname), \
.access = SNDRV_CTL_ELEM_ACCESS_READWRITE, \
- .info = snd_soc_info_xr_sx, .get = fsl_easrc_get_reg, \
+ .info = fsl_easrc_iec958_info, .get = fsl_easrc_get_reg, \
.put = fsl_easrc_set_reg, \
.private_value = (unsigned long)&(struct soc_mreg_control) \
{ .regbase = xreg, .regcount = 1, .nbits = 32, \
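Review bot: fsl_easrc_set_reg() stops at the first failing regmap_update_bits_check() and returns the error, so earlier CS registers may already hold new values while the caller is told the write failed and `changed_all` is dropped; either document that partial updates are acceptable or restructure so the six words are applied together. The `err:` label is also reached on success, so `out:` would read better, and the `else` after `return ret;` is unnecessary. In SOC_SINGLE_REG_RW the private_value still says `.regcount = 1, .nbits = 32` although the control now covers six registers and xreg is a context index rather than a register address.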
@@ -146,30 +216,10 @@ static const struct snd_kcontrol_new fsl_easrc_snd_controls[] = {
SOC_SINGLE_VAL_RW("Context 2 IEC958 Bits Per Sample", 2),
SOC_SINGLE_VAL_RW("Context 3 IEC958 Bits Per Sample", 3),
- SOC_SINGLE_REG_RW("Context 0 IEC958 CS0", REG_EASRC_CS0(0)),
- SOC_SINGLE_REG_RW("Context 1 IEC958 CS0", REG_EASRC_CS0(1)),
- SOC_SINGLE_REG_RW("Context 2 IEC958 CS0", REG_EASRC_CS0(2)),
- SOC_SINGLE_REG_RW("Context 3 IEC958 CS0", REG_EASRC_CS0(3)),
- SOC_SINGLE_REG_RW("Context 0 IEC958 CS1", REG_EASRC_CS1(0)),
- SOC_SINGLE_REG_RW("Context 1 IEC958 CS1", REG_EASRC_CS1(1)),
- SOC_SINGLE_REG_RW("Context 2 IEC958 CS1", REG_EASRC_CS1(2)),
- SOC_SINGLE_REG_RW("Context 3 IEC958 CS1", REG_EASRC_CS1(3)),
- SOC_SINGLE_REG_RW("Context 0 IEC958 CS2", REG_EASRC_CS2(0)),
- SOC_SINGLE_REG_RW("Context 1 IEC958 CS2", REG_EASRC_CS2(1)),
- SOC_SINGLE_REG_RW("Context 2 IEC958 CS2", REG_EASRC_CS2(2)),
- SOC_SINGLE_REG_RW("Context 3 IEC958 CS2", REG_EASRC_CS2(3)),
- SOC_SINGLE_REG_RW("Context 0 IEC958 CS3", REG_EASRC_CS3(0)),
- SOC_SINGLE_REG_RW("Context 1 IEC958 CS3", REG_EASRC_CS3(1)),
- SOC_SINGLE_REG_RW("Context 2 IEC958 CS3", REG_EASRC_CS3(2)),
- SOC_SINGLE_REG_RW("Context 3 IEC958 CS3", REG_EASRC_CS3(3)),
- SOC_SINGLE_REG_RW("Context 0 IEC958 CS4", REG_EASRC_CS4(0)),
- SOC_SINGLE_REG_RW("Context 1 IEC958 CS4", REG_EASRC_CS4(1)),
- SOC_SINGLE_REG_RW("Context 2 IEC958 CS4", REG_EASRC_CS4(2)),
- SOC_SINGLE_REG_RW("Context 3 IEC958 CS4", REG_EASRC_CS4(3)),
- SOC_SINGLE_REG_RW("Context 0 IEC958 CS5", REG_EASRC_CS5(0)),
- SOC_SINGLE_REG_RW("Context 1 IEC958 CS5", REG_EASRC_CS5(1)),
- SOC_SINGLE_REG_RW("Context 2 IEC958 CS5", REG_EASRC_CS5(2)),
- SOC_SINGLE_REG_RW("Context 3 IEC958 CS5", REG_EASRC_CS5(3)),
+ SOC_SINGLE_REG_RW("Context 0 IEC958 CS", 0),
+ SOC_SINGLE_REG_RW("Context 1 IEC958 CS", 1),
+ SOC_SINGLE_REG_RW("Context 2 IEC958 CS", 2),
+ SOC_SINGLE_REG_RW("Context 3 IEC958 CS", 3),
};
/*
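Review bot: replacing the 24 controls "Context N IEC958 CS0" through "CS5" with four "Context N IEC958 CS" controls renames and retypes userspace-visible ALSA controls, which is a notable change for a stable backport: saved mixer state or scripts that reference the old names will no longer match. The changelog should call this out explicitly so stable users know to expect it.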
--
2.53.0
* [PATCH 6.1 537/969] ASoC: qcom: qdsp6: topology: check widget type before accessing data
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Srinivas Kandagatla, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
[ Upstream commit d5bfdd28e0cdd45043ae6e0ac168a451d59283dc ]
Check widget type before accessing the private data, as this could be a
virtual widget which is not associated with a dsp graph, container and
module. Accessing without check could lead to incorrect memory access.
Fixes: 36ad9bf1d93d ("ASoC: qdsp6: audioreach: add topology support")
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Link: https://patch.msgid.link/20260402081118.348071-4-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/qcom/qdsp6/topology.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/sound/soc/qcom/qdsp6/topology.c b/sound/soc/qcom/qdsp6/topology.c
index 600e39e73b87a..fdb87e585e276 100644
--- a/sound/soc/qcom/qdsp6/topology.c
+++ b/sound/soc/qcom/qdsp6/topology.c
@@ -814,14 +814,16 @@ static int audioreach_widget_unload(struct snd_soc_component *scomp,
struct audioreach_container *cont;
struct audioreach_module *mod;
- mod = dobj->private;
- cont = mod->container;
-
if (w->id == snd_soc_dapm_mixer) {
/* virtual widget */
kfree(dobj->private);
return 0;
}
+ mod = dobj->private;
+ if (!mod)
+ return 0;
+
+ cont = mod->container;
mutex_lock(&apm->lock);
idr_remove(&apm->modules_idr, mod->instance_id);
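Review bot: the added `if (!mod) return 0;` is not mentioned in the changelog, which only talks about checking the widget type; explain when dobj->private can be NULL for a non-mixer widget, since returning 0 here silently skips the idr_remove() and the rest of the teardown. In the virtual-widget branch, kfree(dobj->private) leaves the pointer dangling; setting it to NULL after the free would make a repeated unload harmless.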
--
2.53.0
* [PATCH 6.1 538/969] PCI: Enable AtomicOps only if Root Port supports them
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Schmidt, Gerd Bayer,
Bjorn Helgaas, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gerd Bayer <gbayer@linux.ibm.com>
[ Upstream commit 1ae8c4ce157037e266184064a182af9ef9af278b ]
When inspecting the config space of a Connect-X physical function in an
s390 system after it was initialized by the mlx5_core device driver, we
found the function to be enabled to request AtomicOps despite the Root Port
lacking support for completing them:
00:00.1 Ethernet controller: Mellanox Technologies MT2894 Family [ConnectX-6 Lx]
Subsystem: Mellanox Technologies Device 0002
DevCtl2: Completion Timeout: 50us to 50ms, TimeoutDis-
AtomicOpsCtl: ReqEn+
On s390 and many virtualized guests, the Endpoint is visible but the Root
Port is not. In this case, pci_enable_atomic_ops_to_root() previously
enabled AtomicOps in the Endpoint even though it can't tell whether the
Root Port supports them as a completer.
Change pci_enable_atomic_ops_to_root() to fail if there's no Root Port or
the Root Port doesn't support AtomicOps.
Fixes: 430a23689dea ("PCI: Add pci_enable_atomic_ops_to_root()")
Reported-by: Alexander Schmidt <alexs@linux.ibm.com>
Signed-off-by: Gerd Bayer <gbayer@linux.ibm.com>
[bhelgaas: commit log, check RP first to simplify flow]
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Link: https://patch.msgid.link/20260330-fix_pciatops-v7-2-f601818417e8@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/pci.c | 41 ++++++++++++++++++++---------------------
1 file changed, 20 insertions(+), 21 deletions(-)
diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
index 2cb94c77df780..953646cd759b0 100644
--- a/drivers/pci/pci.c
+++ b/drivers/pci/pci.c
@@ -3910,8 +3910,7 @@ int pci_rebar_set_size(struct pci_dev *pdev, int bar, int size)
*/
int pci_enable_atomic_ops_to_root(struct pci_dev *dev, u32 cap_mask)
{
- struct pci_bus *bus = dev->bus;
- struct pci_dev *bridge;
+ struct pci_dev *root, *bridge;
u32 cap, ctl2;
/*
@@ -3941,35 +3940,35 @@ int pci_enable_atomic_ops_to_root(struct pci_dev *dev, u32 cap_mask)
return -EINVAL;
}
- while (bus->parent) {
- bridge = bus->self;
+ root = pcie_find_root_port(dev);
+ if (!root)
+ return -EINVAL;
- pcie_capability_read_dword(bridge, PCI_EXP_DEVCAP2, &cap);
+ pcie_capability_read_dword(root, PCI_EXP_DEVCAP2, &cap);
+ if ((cap & cap_mask) != cap_mask)
+ return -EINVAL;
+ bridge = pci_upstream_bridge(dev);
+ while (bridge != root) {
switch (pci_pcie_type(bridge)) {
- /* Ensure switch ports support AtomicOp routing */
case PCI_EXP_TYPE_UPSTREAM:
- case PCI_EXP_TYPE_DOWNSTREAM:
- if (!(cap & PCI_EXP_DEVCAP2_ATOMIC_ROUTE))
- return -EINVAL;
- break;
-
- /* Ensure root port supports all the sizes we care about */
- case PCI_EXP_TYPE_ROOT_PORT:
- if ((cap & cap_mask) != cap_mask)
- return -EINVAL;
- break;
- }
-
- /* Ensure upstream ports don't block AtomicOps on egress */
- if (pci_pcie_type(bridge) == PCI_EXP_TYPE_UPSTREAM) {
+ /* Upstream ports must not block AtomicOps on egress */
pcie_capability_read_dword(bridge, PCI_EXP_DEVCTL2,
&ctl2);
if (ctl2 & PCI_EXP_DEVCTL2_ATOMIC_EGRESS_BLOCK)
return -EINVAL;
+ fallthrough;
+
+ /* All switch ports need to route AtomicOps */
+ case PCI_EXP_TYPE_DOWNSTREAM:
+ pcie_capability_read_dword(bridge, PCI_EXP_DEVCAP2,
+ &cap);
+ if (!(cap & PCI_EXP_DEVCAP2_ATOMIC_ROUTE))
+ return -EINVAL;
+ break;
}
- bus = bus->parent;
+ bridge = pci_upstream_bridge(bridge);
}
pcie_capability_set_word(dev, PCI_EXP_DEVCTL2,
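Review bot: the `while (bridge != root)` walk passes `bridge` to pci_pcie_type() with no NULL check, so it terminates safely only because `root` came from pcie_find_root_port(dev) and therefore lies on dev's upstream path; a short comment stating that invariant, or `while (bridge && bridge != root)`, would keep the loop robust against later changes. Both the missing-Root-Port case and the unsupported-capability case return -EINVAL, so callers cannot tell them apart; if that matters to any driver, a distinct error code for `!root` would help.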
--
2.53.0
* [PATCH 6.1 539/969] PCI: mediatek-gen3: Prevent leaking IRQ domains when IRQ not found
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen-Yu Tsai, Manivannan Sadhasivam,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen-Yu Tsai <wenst@chromium.org>
[ Upstream commit 5573c44cb3fd01a9f62d569ae9ac870ef5f0e0ba ]
In mtk_pcie_setup_irq(), the IRQ domains are allocated before the
controller's IRQ is fetched. If the latter fails, the function
directly returns an error, without cleaning up the allocated domains.
Hence, reverse the order so that the IRQ domains are allocated after the
controller's IRQ is found.
This was flagged by Sashiko during a review of "[PATCH v6 0/7] PCI:
mediatek-gen3: add power control support".
Fixes: 814cceebba9b ("PCI: mediatek-gen3: Add INTx support")
Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Link: https://sashiko.dev/#/patchset/20260324052002.4072430-1-wenst%40chromium.org
Link: https://patch.msgid.link/20260324093542.18523-1-wenst@chromium.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/pcie-mediatek-gen3.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/pci/controller/pcie-mediatek-gen3.c b/drivers/pci/controller/pcie-mediatek-gen3.c
index 40c38ca5a42e2..b7d87827b5f23 100644
--- a/drivers/pci/controller/pcie-mediatek-gen3.c
+++ b/drivers/pci/controller/pcie-mediatek-gen3.c
@@ -760,14 +760,14 @@ static int mtk_pcie_setup_irq(struct mtk_gen3_pcie *pcie)
struct platform_device *pdev = to_platform_device(dev);
int err;
- err = mtk_pcie_init_irq_domains(pcie);
- if (err)
- return err;
-
pcie->irq = platform_get_irq(pdev, 0);
if (pcie->irq < 0)
return pcie->irq;
+ err = mtk_pcie_init_irq_domains(pcie);
+ if (err)
+ return err;
+
irq_set_chained_handler_and_data(pcie->irq, mtk_pcie_irq_handler, pcie);
return 0;
--
2.53.0
* [PATCH 6.1 540/969] selftests/mm: skip migration tests if NUMA is unavailable
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, AnishMulay, SeongJae Park, Dev Jain,
Anshuman Khandual, Sayali Patil, David Hildenbrand (Arm),
Liam Howlett, Lorenzo Stoakes, Michal Hocko, Mike Rapoport,
Shuah Khan, Suren Baghdasaryan, Vlastimil Babka, Andrew Morton,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: AnishMulay <anishm7030@gmail.com>
[ Upstream commit 54218f10dfbe88c8e41c744fd45a756cde60b8c4 ]
Currently, the migration test asserts that numa_available() returns 0. On
systems where NUMA is not available (returning -1), such as certain ARM64
configurations or single-node systems, this assertion fails and crashes
the test.
Update the test to check the return value of numa_available(). If it is
less than 0, skip the test gracefully instead of failing.
This aligns the behavior with other MM selftests (like rmap) that skip
when NUMA support is missing.
Link: https://lkml.kernel.org/r/20260218163941.13499-1-anishm7030@gmail.com
Fixes: 0c2d08728470 ("mm: add selftests for migration entries")
Signed-off-by: AnishMulay <anishm7030@gmail.com>
Reviewed-by: SeongJae Park <sj@kernel.org>
Reviewed-by: Dev Jain <dev.jain@arm.com>
Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
Tested-by: Sayali Patil <sayalip@linux.ibm.com>
Acked-by: David Hildenbrand (Arm) <david@kernel.org>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/vm/migration.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tools/testing/selftests/vm/migration.c b/tools/testing/selftests/vm/migration.c
index 1cec8425e3caa..6ea9826e6f979 100644
--- a/tools/testing/selftests/vm/migration.c
+++ b/tools/testing/selftests/vm/migration.c
@@ -32,7 +32,8 @@ FIXTURE_SETUP(migration)
{
int n;
- ASSERT_EQ(numa_available(), 0);
+ if (numa_available() < 0)
+ SKIP(return, "NUMA not available");
self->nthreads = numa_num_task_cpus() - 1;
self->n1 = -1;
self->n2 = -1;
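Review bot: `SKIP(return, "NUMA not available");` in FIXTURE_SETUP returns before self->nthreads, self->n1 and self->n2 are assigned, so this is only safe if the harness in this branch does not go on to run the test body after a skipped setup; confirm that against the 6.1 kselftest_harness.h before backporting, since the harness this was written against may behave differently.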
--
2.53.0
* [PATCH 6.1 541/969] Documentation: fix a hugetlbfs reservation statement
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jane Chu, David Hildenbrand,
Hillf Danton, Jonathan Corbet, Liam Howlett, Lorenzo Stoakes,
Michal Hocko, Mike Rapoport, Muchun Song, Oscar Salvador,
Shuah Khan, Suren Baghdasaryan, Vlastimil Babka, Andrew Morton,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jane Chu <jane.chu@oracle.com>
[ Upstream commit 7a197d346a44384a1a858a98ef03766840e561d4 ]
Documentation/mm/hugetlbfs_reserv.rst has
if (resv_needed <= (resv_huge_pages - free_huge_pages))
resv_huge_pages += resv_needed;
which describes this code in gather_surplus_pages()
needed = (h->resv_huge_pages + delta) - h->free_huge_pages;
if (needed <= 0) {
h->resv_huge_pages += delta;
return 0;
}
which means if there are enough free hugepages to account for the new
reservation, simply update the global reservation count without
further action.
But the description is backwards, it should be
if (resv_needed <= (free_huge_pages - resv_huge_pages))
instead.
Link: https://lkml.kernel.org/r/20260302201015.1824798-1-jane.chu@oracle.com
Fixes: 70bc0dc578b3 ("Documentation: vm, add hugetlbfs reservation overview")
Signed-off-by: Jane Chu <jane.chu@oracle.com>
Cc: David Hildenbrand <david@kernel.org>
Cc: Hillf Danton <hillf.zj@alibaba-inc.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Muchun Song <muchun.song@linux.dev>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: Shuah Khan <skhan@linuxfoundation.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/mm/hugetlbfs_reserv.rst | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Documentation/mm/hugetlbfs_reserv.rst b/Documentation/mm/hugetlbfs_reserv.rst
index f143954e0d056..1c238b10e1772 100644
--- a/Documentation/mm/hugetlbfs_reserv.rst
+++ b/Documentation/mm/hugetlbfs_reserv.rst
@@ -157,7 +157,7 @@ are enough free huge pages to accommodate the reservation. If there are,
the global reservation count resv_huge_pages is adjusted something like the
following::
- if (resv_needed <= (resv_huge_pages - free_huge_pages))
+ if (resv_needed <= (free_huge_pages - resv_huge_pages)
resv_huge_pages += resv_needed;
Note that the global lock hugetlb_lock is held when checking and adjusting
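Review bot: the added line `if (resv_needed <= (free_huge_pages - resv_huge_pages)` has unbalanced parentheses; the outer `if (` is never closed. It should end with `))`, as the removed line did and as the corrected condition is written in the changelog.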
--
2.53.0
* [PATCH 6.1 542/969] selftest: memcg: skip memcg_sock test if address family not supported
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Waiman Long, Michal Koutný,
Shakeel Butt, Johannes Weiner, Michal Hocko, Mike Rapoport,
Muchun Song, Roman Gushchin, Shuah Khan, Tejun Heo, Andrew Morton,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Waiman Long <longman@redhat.com>
[ Upstream commit 2d028f3e4bbbfd448928a8d3d2814b0b04c214f4 ]
The test_memcg_sock test in memcontrol.c sets up an IPv6 socket and sends
data over it to consume memory and verify that memory.stat.sock and
memory.current values are close.
On systems where IPv6 isn't enabled or not configured to support
SOCK_STREAM, the test_memcg_sock test always fails. When the socket()
call fails, there is no way we can test the memory consumption and verify
the above claim. I believe it is better to just skip the test in this
case instead of reporting a test failure hinting that there may be
something wrong with the memcg code.
Link: https://lkml.kernel.org/r/20260311200526.885899-1-longman@redhat.com
Fixes: 5f8f019380b8 ("selftests: cgroup/memcontrol: add basic test for socket accounting")
Signed-off-by: Waiman Long <longman@redhat.com>
Acked-by: Michal Koutný <mkoutny@suse.com>
Acked-by: Shakeel Butt <shakeel.butt@linux.dev>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Michal Koutný <mkoutny@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Muchun Song <muchun.song@linux.dev>
Cc: Roman Gushchin <roman.gushchin@linux.dev>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Tejun Heo <tj@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/cgroup/test_memcontrol.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/tools/testing/selftests/cgroup/test_memcontrol.c b/tools/testing/selftests/cgroup/test_memcontrol.c
index 5a526a8e7d333..e75ff9289e419 100644
--- a/tools/testing/selftests/cgroup/test_memcontrol.c
+++ b/tools/testing/selftests/cgroup/test_memcontrol.c
@@ -921,8 +921,11 @@ static int tcp_server(const char *cgroup, void *arg)
saddr.sin6_port = htons(srv_args->port);
sk = socket(AF_INET6, SOCK_STREAM, 0);
- if (sk < 0)
+ if (sk < 0) {
+ /* Pass back errno to the ctl_fd */
+ write(ctl_fd, &errno, sizeof(errno));
return ret;
+ }
if (setsockopt(sk, SOL_SOCKET, SO_REUSEADDR, &yes, sizeof(yes)) < 0)
goto cleanup;
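Review bot: the return value of `write(ctl_fd, &errno, sizeof(errno));` is ignored, so a short or failed write leaves the reader on the control pipe without the errno it needs (and can trip warn_unused_result); check the result, and copy errno into a local int first so the value sent is the one socket() set. Only the socket() failure reports errno this way; the `goto cleanup` paths below, such as the setsockopt() failure, are unchanged.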
@@ -1049,6 +1052,12 @@ static int test_memcg_sock(const char *root)
goto cleanup;
close(args.ctl[0]);
+ /* Skip if address family not supported by protocol */
+ if (err == EAFNOSUPPORT) {
+ ret = KSFT_SKIP;
+ goto cleanup;
+ }
+
if (!err)
break;
if (err != EADDRINUSE)
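Review bot: only `err == EAFNOSUPPORT` is turned into KSFT_SKIP, but the changelog also describes systems where IPv6 is "not configured to support SOCK_STREAM", and socket() may fail there with a different errno (for example EPROTONOSUPPORT); decide whether those cases should skip as well, or narrow the changelog to the address-family case.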
--
2.53.0
* [PATCH 6.1 543/969] ALSA: scarlett2: Add missing sentinel initializer field
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Panagiotis Petrakopoulos,
Takashi Iwai, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Panagiotis Petrakopoulos <npetrakopoulos2003@gmail.com>
[ Upstream commit 2428cd6e8b6fa80c36db4652702ca0acd2ce3f08 ]
A "-Wmissing-field-initializers" warning was emitted when compiling the
module using the W=2 option. There is a sentinel initializer field
missing in the end of scarlett2_devices[]. Tested using a
Scarlett Solo 4th gen.
Fixes: d98cc489029d ("ALSA: scarlett2: Move USB IDs out from device_info struct")
Signed-off-by: Panagiotis Petrakopoulos <npetrakopoulos2003@gmail.com>
Link: https://patch.msgid.link/20260405222548.8903-1-npetrakopoulos2003@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/mixer_scarlett2.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/usb/mixer_scarlett2.c b/sound/usb/mixer_scarlett2.c
index 0366f4b386eb5..6c3a032d64adb 100644
--- a/sound/usb/mixer_scarlett2.c
+++ b/sound/usb/mixer_scarlett2.c
@@ -1011,7 +1011,7 @@ static const struct scarlett2_device_entry scarlett2_devices[] = {
{ USB_ID(0x1235, 0x820c), &clarett_8pre_info, "Clarett+" },
/* End of list */
- { 0, NULL },
+ { 0, NULL, NULL },
};
/* get the starting port index number for a given port type/direction */
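Review bot: style point on the sentinel `{ 0, NULL, NULL },`: spelling out every field means the terminator has to be edited again whenever struct scarlett2_device_entry gains a member; an empty `{ }` initializer zeroes all fields and is the more common kernel idiom for end-of-list entries. Whether that form also silences -Wmissing-field-initializers at W=2 should be confirmed with the compiler in use.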
--
2.53.0
* [PATCH 6.1 544/969] ASoC: SOF: amd: Fix for reading position updates from stream box.
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, V sujith kumar Reddy, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: V sujith kumar Reddy <Vsujithkumar.Reddy@amd.com>
[ Upstream commit aae7e412b0ec0378e392b18c50b612dae09cdb74 ]
By default the position updates are read from dsp box when streambox
size is not defined. If the streambox size is defined to some value
then position updates can be read from the streambox.
Signed-off-by: V sujith kumar Reddy <Vsujithkumar.Reddy@amd.com>
Link: https://lore.kernel.org/r/20221123121911.3446224-2-vsujithkumar.reddy@amd.corp-partner.google.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 2c4fdd055f92 ("ASoC: SOF: compress: return the configured codec from get_params")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/sof/amd/acp-common.c | 1 +
sound/soc/sof/amd/acp-ipc.c | 30 +++++++++++++++++++++++++++++-
sound/soc/sof/amd/acp.h | 4 ++++
3 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/sound/soc/sof/amd/acp-common.c b/sound/soc/sof/amd/acp-common.c
index 27b95187356e5..150e042e40392 100644
--- a/sound/soc/sof/amd/acp-common.c
+++ b/sound/soc/sof/amd/acp-common.c
@@ -76,6 +76,7 @@ struct snd_sof_dsp_ops sof_acp_common_ops = {
/*IPC */
.send_msg = acp_sof_ipc_send_msg,
.ipc_msg_data = acp_sof_ipc_msg_data,
+ .set_stream_data_offset = acp_set_stream_data_offset,
.get_mailbox_offset = acp_sof_ipc_get_mailbox_offset,
.get_window_offset = acp_sof_ipc_get_window_offset,
.irq_thread = acp_sof_ipc_irq_thread,
diff --git a/sound/soc/sof/amd/acp-ipc.c b/sound/soc/sof/amd/acp-ipc.c
index dd030566e3725..dd6e53c63407f 100644
--- a/sound/soc/sof/amd/acp-ipc.c
+++ b/sound/soc/sof/amd/acp-ipc.c
@@ -192,13 +192,41 @@ int acp_sof_ipc_msg_data(struct snd_sof_dev *sdev, struct snd_pcm_substream *sub
{
unsigned int offset = sdev->dsp_box.offset;
- if (!substream || !sdev->stream_box.size)
+ if (!substream || !sdev->stream_box.size) {
acp_mailbox_read(sdev, offset, p, sz);
+ } else {
+ struct acp_dsp_stream *stream = substream->runtime->private_data;
+
+ if (!stream)
+ return -ESTRPIPE;
+
+ acp_mailbox_read(sdev, stream->posn_offset, p, sz);
+ }
return 0;
}
EXPORT_SYMBOL_NS(acp_sof_ipc_msg_data, SND_SOC_SOF_AMD_COMMON);
+int acp_set_stream_data_offset(struct snd_sof_dev *sdev,
+ struct snd_pcm_substream *substream,
+ size_t posn_offset)
+{
+ struct acp_dsp_stream *stream = substream->runtime->private_data;
+
+ /* check for unaligned offset or overflow */
+ if (posn_offset > sdev->stream_box.size ||
+ posn_offset % sizeof(struct sof_ipc_stream_posn) != 0)
+ return -EINVAL;
+
+ stream->posn_offset = sdev->stream_box.offset + posn_offset;
+
+ dev_dbg(sdev->dev, "pcm: stream dir %d, posn mailbox offset is %zu",
+ substream->stream, stream->posn_offset);
+
+ return 0;
+}
+EXPORT_SYMBOL_NS(acp_set_stream_data_offset, SND_SOC_SOF_AMD_COMMON);
+
int acp_sof_ipc_get_mailbox_offset(struct snd_sof_dev *sdev)
{
const struct sof_amd_acp_desc *desc = get_chip_info(sdev->pdata);
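Review bot: in acp_set_stream_data_offset() the bound `posn_offset > sdev->stream_box.size` accepts posn_offset == size (and, if the box size is not a multiple of the struct size, a final partial slot), so the later acp_mailbox_read(sdev, stream->posn_offset, p, sz) can read past the end of the stream box; compare `posn_offset + sizeof(struct sof_ipc_stream_posn)` against the size instead. The function also dereferences `stream` without the NULL check that acp_sof_ipc_msg_data() applies to the same private_data pointer.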
diff --git a/sound/soc/sof/amd/acp.h b/sound/soc/sof/amd/acp.h
index b1414ac1ea985..b5bbdedb66697 100644
--- a/sound/soc/sof/amd/acp.h
+++ b/sound/soc/sof/amd/acp.h
@@ -144,6 +144,7 @@ struct acp_dsp_stream {
int stream_tag;
int active;
unsigned int reg_offset;
+ size_t posn_offset;
};
struct sof_amd_acp_desc {
@@ -205,6 +206,9 @@ int acp_dsp_block_read(struct snd_sof_dev *sdev, enum snd_sof_fw_blk_type blk_ty
irqreturn_t acp_sof_ipc_irq_thread(int irq, void *context);
int acp_sof_ipc_msg_data(struct snd_sof_dev *sdev, struct snd_pcm_substream *substream,
void *p, size_t sz);
+int acp_set_stream_data_offset(struct snd_sof_dev *sdev,
+ struct snd_pcm_substream *substream,
+ size_t posn_offset);
int acp_sof_ipc_send_msg(struct snd_sof_dev *sdev,
struct snd_sof_ipc_msg *msg);
int acp_sof_ipc_get_mailbox_offset(struct snd_sof_dev *sdev);
--
2.53.0
* [PATCH 6.1 545/969] ASoC: SOF: Prepare ipc_msg_data to be used with compress API
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (543 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 544/969] ASoC: SOF: amd: Fix for reading position updates from stream box Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 546/969] ASoC: SOF: Prepare set_stream_data_offset for " Greg Kroah-Hartman
` (430 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul Olaru, Iuliana Prodan,
Ranjani Sridharan, Peter Ujfalusi, Daniel Baluta, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Baluta <daniel.baluta@nxp.com>
[ Upstream commit 1b905942d6cd182b7ef14e9f095178376d3847e6 ]
Make second parameter of ipc_msg_data generic
in order to be able to support compressed streams.
This patch doesn't hold any functional change.
With this case we can use ipc_msg_data, to retrieve information from
DSP for both PCM/Compress API.
Reviewed-by: Paul Olaru <paul.olaru@nxp.com>
Reviewed-by: Iuliana Prodan <iuliana.prodan@nxp.com>
Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
Reviewed-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Signed-off-by: Daniel Baluta <daniel.baluta@nxp.com>
Link: https://lore.kernel.org/r/20230117122533.201708-2-daniel.baluta@oss.nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 2c4fdd055f92 ("ASoC: SOF: compress: return the configured codec from get_params")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/sof/amd/acp-ipc.c | 5 +++--
sound/soc/sof/amd/acp.h | 3 ++-
sound/soc/sof/intel/hda-ipc.c | 5 +++--
sound/soc/sof/intel/hda.h | 2 +-
sound/soc/sof/ipc3.c | 4 ++--
sound/soc/sof/mediatek/mt8186/mt8186.c | 2 +-
sound/soc/sof/mediatek/mt8195/mt8195.c | 2 +-
sound/soc/sof/ops.h | 4 ++--
sound/soc/sof/sof-priv.h | 6 ++++--
sound/soc/sof/stream-ipc.c | 6 ++++--
10 files changed, 23 insertions(+), 16 deletions(-)
diff --git a/sound/soc/sof/amd/acp-ipc.c b/sound/soc/sof/amd/acp-ipc.c
index dd6e53c63407f..5d8a1b603c052 100644
--- a/sound/soc/sof/amd/acp-ipc.c
+++ b/sound/soc/sof/amd/acp-ipc.c
@@ -187,14 +187,15 @@ irqreturn_t acp_sof_ipc_irq_thread(int irq, void *context)
}
EXPORT_SYMBOL_NS(acp_sof_ipc_irq_thread, SND_SOC_SOF_AMD_COMMON);
-int acp_sof_ipc_msg_data(struct snd_sof_dev *sdev, struct snd_pcm_substream *substream,
+int acp_sof_ipc_msg_data(struct snd_sof_dev *sdev, struct snd_sof_pcm_stream *sps,
void *p, size_t sz)
{
unsigned int offset = sdev->dsp_box.offset;
- if (!substream || !sdev->stream_box.size) {
+ if (!sps || !sdev->stream_box.size) {
acp_mailbox_read(sdev, offset, p, sz);
} else {
+ struct snd_pcm_substream *substream = sps->substream;
struct acp_dsp_stream *stream = substream->runtime->private_data;
if (!stream)
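Review bot: In the else branch, `sps->substream` is assigned to `substream` and dereferenced straight away as `substream->runtime->private_data`, but only `sps` itself was tested for NULL. The old condition `!substream` guarded exactly that dereference; add a `!sps->substream` test (falling back to the mailbox read or returning an error) so a stream entry with no PCM substream attached does not fault here. The hda-ipc.c and stream-ipc.c hunks of this patch follow the same pattern.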
diff --git a/sound/soc/sof/amd/acp.h b/sound/soc/sof/amd/acp.h
index b5bbdedb66697..ce5f32341ad2b 100644
--- a/sound/soc/sof/amd/acp.h
+++ b/sound/soc/sof/amd/acp.h
@@ -12,6 +12,7 @@
#define __SOF_AMD_ACP_H
#include "../sof-priv.h"
+#include "../sof-audio.h"
#define ACP_MAX_STREAM 8
@@ -204,7 +205,7 @@ int acp_dsp_block_read(struct snd_sof_dev *sdev, enum snd_sof_fw_blk_type blk_ty
/* IPC callbacks */
irqreturn_t acp_sof_ipc_irq_thread(int irq, void *context);
-int acp_sof_ipc_msg_data(struct snd_sof_dev *sdev, struct snd_pcm_substream *substream,
+int acp_sof_ipc_msg_data(struct snd_sof_dev *sdev, struct snd_sof_pcm_stream *sps,
void *p, size_t sz);
int acp_set_stream_data_offset(struct snd_sof_dev *sdev,
struct snd_pcm_substream *substream,
diff --git a/sound/soc/sof/intel/hda-ipc.c b/sound/soc/sof/intel/hda-ipc.c
index 9b3667c705e47..96f909441b44e 100644
--- a/sound/soc/sof/intel/hda-ipc.c
+++ b/sound/soc/sof/intel/hda-ipc.c
@@ -342,12 +342,13 @@ int hda_dsp_ipc_get_window_offset(struct snd_sof_dev *sdev, u32 id)
}
int hda_ipc_msg_data(struct snd_sof_dev *sdev,
- struct snd_pcm_substream *substream,
+ struct snd_sof_pcm_stream *sps,
void *p, size_t sz)
{
- if (!substream || !sdev->stream_box.size) {
+ if (!sps || !sdev->stream_box.size) {
sof_mailbox_read(sdev, sdev->dsp_box.offset, p, sz);
} else {
+ struct snd_pcm_substream *substream = sps->substream;
struct hdac_stream *hstream = substream->runtime->private_data;
struct sof_intel_hda_stream *hda_stream;
diff --git a/sound/soc/sof/intel/hda.h b/sound/soc/sof/intel/hda.h
index 9acd21901e68c..cea36d3bef81f 100644
--- a/sound/soc/sof/intel/hda.h
+++ b/sound/soc/sof/intel/hda.h
@@ -645,7 +645,7 @@ int hda_dsp_stream_spib_config(struct snd_sof_dev *sdev,
int enable, u32 size);
int hda_ipc_msg_data(struct snd_sof_dev *sdev,
- struct snd_pcm_substream *substream,
+ struct snd_sof_pcm_stream *sps,
void *p, size_t sz);
int hda_set_stream_data_offset(struct snd_sof_dev *sdev,
struct snd_pcm_substream *substream,
diff --git a/sound/soc/sof/ipc3.c b/sound/soc/sof/ipc3.c
index 60b96b0c2412f..1607e3602e22a 100644
--- a/sound/soc/sof/ipc3.c
+++ b/sound/soc/sof/ipc3.c
@@ -847,7 +847,7 @@ static void ipc3_period_elapsed(struct snd_sof_dev *sdev, u32 msg_id)
}
stream = &spcm->stream[direction];
- ret = snd_sof_ipc_msg_data(sdev, stream->substream, &posn, sizeof(posn));
+ ret = snd_sof_ipc_msg_data(sdev, stream, &posn, sizeof(posn));
if (ret < 0) {
dev_warn(sdev->dev, "failed to read stream position: %d\n", ret);
return;
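Review bot: The argument changes from `stream->substream` to `stream`, and `stream` is `&spcm->stream[direction]`, the address of an array element, so it can never be NULL. The `!sps` branch in the ipc_msg_data implementations is therefore unreachable from this caller, whereas a NULL `stream->substream` used to select the dsp_box read. The changelog says there is no functional change; either state in the changelog why the substream is guaranteed to be set at this point, or test `stream->substream` before the call. The same applies to ipc3_xrun() and to the two MediaTek pcm_pointer callers.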
@@ -882,7 +882,7 @@ static void ipc3_xrun(struct snd_sof_dev *sdev, u32 msg_id)
}
stream = &spcm->stream[direction];
- ret = snd_sof_ipc_msg_data(sdev, stream->substream, &posn, sizeof(posn));
+ ret = snd_sof_ipc_msg_data(sdev, stream, &posn, sizeof(posn));
if (ret < 0) {
dev_warn(sdev->dev, "failed to read overrun position: %d\n", ret);
return;
diff --git a/sound/soc/sof/mediatek/mt8186/mt8186.c b/sound/soc/sof/mediatek/mt8186/mt8186.c
index 181189e00e020..d727751e83ef6 100644
--- a/sound/soc/sof/mediatek/mt8186/mt8186.c
+++ b/sound/soc/sof/mediatek/mt8186/mt8186.c
@@ -489,7 +489,7 @@ static snd_pcm_uframes_t mt8186_pcm_pointer(struct snd_sof_dev *sdev,
}
stream = &spcm->stream[substream->stream];
- ret = snd_sof_ipc_msg_data(sdev, stream->substream, &posn, sizeof(posn));
+ ret = snd_sof_ipc_msg_data(sdev, stream, &posn, sizeof(posn));
if (ret < 0) {
dev_warn(sdev->dev, "failed to read stream position: %d\n", ret);
return 0;
diff --git a/sound/soc/sof/mediatek/mt8195/mt8195.c b/sound/soc/sof/mediatek/mt8195/mt8195.c
index ac96ea07e591b..040e9a003c060 100644
--- a/sound/soc/sof/mediatek/mt8195/mt8195.c
+++ b/sound/soc/sof/mediatek/mt8195/mt8195.c
@@ -525,7 +525,7 @@ static snd_pcm_uframes_t mt8195_pcm_pointer(struct snd_sof_dev *sdev,
}
stream = &spcm->stream[substream->stream];
- ret = snd_sof_ipc_msg_data(sdev, stream->substream, &posn, sizeof(posn));
+ ret = snd_sof_ipc_msg_data(sdev, stream, &posn, sizeof(posn));
if (ret < 0) {
dev_warn(sdev->dev, "failed to read stream position: %d\n", ret);
return 0;
diff --git a/sound/soc/sof/ops.h b/sound/soc/sof/ops.h
index 55d43adb6a295..3c86f2df2179a 100644
--- a/sound/soc/sof/ops.h
+++ b/sound/soc/sof/ops.h
@@ -449,10 +449,10 @@ static inline int snd_sof_load_firmware(struct snd_sof_dev *sdev)
/* host DSP message data */
static inline int snd_sof_ipc_msg_data(struct snd_sof_dev *sdev,
- struct snd_pcm_substream *substream,
+ struct snd_sof_pcm_stream *sps,
void *p, size_t sz)
{
- return sof_ops(sdev)->ipc_msg_data(sdev, substream, p, sz);
+ return sof_ops(sdev)->ipc_msg_data(sdev, sps, p, sz);
}
/* host side configuration of the stream's data offset in stream mailbox area */
static inline int
diff --git a/sound/soc/sof/sof-priv.h b/sound/soc/sof/sof-priv.h
index 3d70b57e4864d..85b84e09e1e8a 100644
--- a/sound/soc/sof/sof-priv.h
+++ b/sound/soc/sof/sof-priv.h
@@ -20,6 +20,8 @@
#include <uapi/sound/sof/fw.h>
#include <sound/sof/ext_manifest.h>
+struct snd_sof_pcm_stream;
+
/* Flag definitions used in sof_core_debug (sof_debug module parameter) */
#define SOF_DBG_ENABLE_TRACE BIT(0)
#define SOF_DBG_RETAIN_CTX BIT(1) /* prevent DSP D3 on FW exception */
@@ -240,7 +242,7 @@ struct snd_sof_dsp_ops {
/* host read DSP stream data */
int (*ipc_msg_data)(struct snd_sof_dev *sdev,
- struct snd_pcm_substream *substream,
+ struct snd_sof_pcm_stream *sps,
void *p, size_t sz); /* mandatory */
/* host side configuration of the stream's data offset in stream mailbox area */
@@ -743,7 +745,7 @@ int sof_block_read(struct snd_sof_dev *sdev, enum snd_sof_fw_blk_type blk_type,
u32 offset, void *dest, size_t size);
int sof_ipc_msg_data(struct snd_sof_dev *sdev,
- struct snd_pcm_substream *substream,
+ struct snd_sof_pcm_stream *sps,
void *p, size_t sz);
int sof_set_stream_data_offset(struct snd_sof_dev *sdev,
struct snd_pcm_substream *substream,
diff --git a/sound/soc/sof/stream-ipc.c b/sound/soc/sof/stream-ipc.c
index 5f1ceeea893a5..13e44501d4420 100644
--- a/sound/soc/sof/stream-ipc.c
+++ b/sound/soc/sof/stream-ipc.c
@@ -19,6 +19,7 @@
#include "ops.h"
#include "sof-priv.h"
+#include "sof-audio.h"
struct sof_stream {
size_t posn_offset;
@@ -26,12 +27,13 @@ struct sof_stream {
/* Mailbox-based Generic IPC implementation */
int sof_ipc_msg_data(struct snd_sof_dev *sdev,
- struct snd_pcm_substream *substream,
+ struct snd_sof_pcm_stream *sps,
void *p, size_t sz)
{
- if (!substream || !sdev->stream_box.size) {
+ if (!sps || !sdev->stream_box.size) {
snd_sof_dsp_mailbox_read(sdev, sdev->dsp_box.offset, p, sz);
} else {
+ struct snd_pcm_substream *substream = sps->substream;
struct sof_stream *stream = substream->runtime->private_data;
/* The stream might already be closed */
--
2.53.0
* [PATCH 6.1 546/969] ASoC: SOF: Prepare set_stream_data_offset for compress API
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (544 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 545/969] ASoC: SOF: Prepare ipc_msg_data to be used with compress API Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 547/969] ASoC: SOF: Add support for compress API for stream data/offset Greg Kroah-Hartman
` (429 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul Olaru, Iuliana Prodan,
Ranjani Sridharan, Peter Ujfalusi, Daniel Baluta, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Baluta <daniel.baluta@nxp.com>
[ Upstream commit 249f186d6b0211fc59d83db128030f2b298063a1 ]
Make second parameter of set_stream_data_offset generic
in order to be used for both PCM and compress streams.
The current patch doesn't introduce any functional change;
it just prepares the code for compress support.
Reviewed-by: Paul Olaru <paul.olaru@nxp.com>
Reviewed-by: Iuliana Prodan <iuliana.prodan@nxp.com>
Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
Reviewed-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Signed-off-by: Daniel Baluta <daniel.baluta@nxp.com>
Link: https://lore.kernel.org/r/20230117122533.201708-3-daniel.baluta@oss.nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 2c4fdd055f92 ("ASoC: SOF: compress: return the configured codec from get_params")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/sof/amd/acp-ipc.c | 3 ++-
sound/soc/sof/amd/acp.h | 2 +-
sound/soc/sof/intel/hda-ipc.c | 3 ++-
sound/soc/sof/intel/hda.h | 2 +-
sound/soc/sof/ipc3-pcm.c | 3 ++-
sound/soc/sof/ops.h | 4 ++--
sound/soc/sof/sof-priv.h | 4 ++--
sound/soc/sof/stream-ipc.c | 3 ++-
8 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/sound/soc/sof/amd/acp-ipc.c b/sound/soc/sof/amd/acp-ipc.c
index 5d8a1b603c052..4b8a6bac2b830 100644
--- a/sound/soc/sof/amd/acp-ipc.c
+++ b/sound/soc/sof/amd/acp-ipc.c
@@ -209,9 +209,10 @@ int acp_sof_ipc_msg_data(struct snd_sof_dev *sdev, struct snd_sof_pcm_stream *sp
EXPORT_SYMBOL_NS(acp_sof_ipc_msg_data, SND_SOC_SOF_AMD_COMMON);
int acp_set_stream_data_offset(struct snd_sof_dev *sdev,
- struct snd_pcm_substream *substream,
+ struct snd_sof_pcm_stream *sps,
size_t posn_offset)
{
+ struct snd_pcm_substream *substream = sps->substream;
struct acp_dsp_stream *stream = substream->runtime->private_data;
/* check for unaligned offset or overflow */
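Review bot: acp_set_stream_data_offset() now takes the generic `sps` but still resolves it unconditionally through `sps->substream` and `substream->runtime->private_data`, so it stays PCM-only while the signature suggests otherwise. The follow-up patch in this series changes only sof-priv.h and stream-ipc.c, so the ACP and HDA variants keep that assumption. Add a short comment recording it, or return -EINVAL when `sps->substream` is NULL.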
diff --git a/sound/soc/sof/amd/acp.h b/sound/soc/sof/amd/acp.h
index ce5f32341ad2b..37fe2a17396d7 100644
--- a/sound/soc/sof/amd/acp.h
+++ b/sound/soc/sof/amd/acp.h
@@ -208,7 +208,7 @@ irqreturn_t acp_sof_ipc_irq_thread(int irq, void *context);
int acp_sof_ipc_msg_data(struct snd_sof_dev *sdev, struct snd_sof_pcm_stream *sps,
void *p, size_t sz);
int acp_set_stream_data_offset(struct snd_sof_dev *sdev,
- struct snd_pcm_substream *substream,
+ struct snd_sof_pcm_stream *sps,
size_t posn_offset);
int acp_sof_ipc_send_msg(struct snd_sof_dev *sdev,
struct snd_sof_ipc_msg *msg);
diff --git a/sound/soc/sof/intel/hda-ipc.c b/sound/soc/sof/intel/hda-ipc.c
index 96f909441b44e..ed87c00f345c9 100644
--- a/sound/soc/sof/intel/hda-ipc.c
+++ b/sound/soc/sof/intel/hda-ipc.c
@@ -367,9 +367,10 @@ int hda_ipc_msg_data(struct snd_sof_dev *sdev,
}
int hda_set_stream_data_offset(struct snd_sof_dev *sdev,
- struct snd_pcm_substream *substream,
+ struct snd_sof_pcm_stream *sps,
size_t posn_offset)
{
+ struct snd_pcm_substream *substream = sps->substream;
struct hdac_stream *hstream = substream->runtime->private_data;
struct sof_intel_hda_stream *hda_stream;
diff --git a/sound/soc/sof/intel/hda.h b/sound/soc/sof/intel/hda.h
index cea36d3bef81f..773df987d6473 100644
--- a/sound/soc/sof/intel/hda.h
+++ b/sound/soc/sof/intel/hda.h
@@ -648,7 +648,7 @@ int hda_ipc_msg_data(struct snd_sof_dev *sdev,
struct snd_sof_pcm_stream *sps,
void *p, size_t sz);
int hda_set_stream_data_offset(struct snd_sof_dev *sdev,
- struct snd_pcm_substream *substream,
+ struct snd_sof_pcm_stream *sps,
size_t posn_offset);
/*
diff --git a/sound/soc/sof/ipc3-pcm.c b/sound/soc/sof/ipc3-pcm.c
index dad57bef38f6d..627edc7361844 100644
--- a/sound/soc/sof/ipc3-pcm.c
+++ b/sound/soc/sof/ipc3-pcm.c
@@ -129,7 +129,8 @@ static int sof_ipc3_pcm_hw_params(struct snd_soc_component *component,
return ret;
}
- ret = snd_sof_set_stream_data_offset(sdev, substream, ipc_params_reply.posn_offset);
+ ret = snd_sof_set_stream_data_offset(sdev, &spcm->stream[substream->stream],
+ ipc_params_reply.posn_offset);
if (ret < 0) {
dev_err(component->dev, "%s: invalid stream data offset for PCM %d\n",
__func__, spcm->pcm.pcm_id);
diff --git a/sound/soc/sof/ops.h b/sound/soc/sof/ops.h
index 3c86f2df2179a..2c56ad69ede1e 100644
--- a/sound/soc/sof/ops.h
+++ b/sound/soc/sof/ops.h
@@ -457,11 +457,11 @@ static inline int snd_sof_ipc_msg_data(struct snd_sof_dev *sdev,
/* host side configuration of the stream's data offset in stream mailbox area */
static inline int
snd_sof_set_stream_data_offset(struct snd_sof_dev *sdev,
- struct snd_pcm_substream *substream,
+ struct snd_sof_pcm_stream *sps,
size_t posn_offset)
{
if (sof_ops(sdev) && sof_ops(sdev)->set_stream_data_offset)
- return sof_ops(sdev)->set_stream_data_offset(sdev, substream,
+ return sof_ops(sdev)->set_stream_data_offset(sdev, sps,
posn_offset);
return 0;
diff --git a/sound/soc/sof/sof-priv.h b/sound/soc/sof/sof-priv.h
index 85b84e09e1e8a..d7f4f828f38f9 100644
--- a/sound/soc/sof/sof-priv.h
+++ b/sound/soc/sof/sof-priv.h
@@ -247,7 +247,7 @@ struct snd_sof_dsp_ops {
/* host side configuration of the stream's data offset in stream mailbox area */
int (*set_stream_data_offset)(struct snd_sof_dev *sdev,
- struct snd_pcm_substream *substream,
+ struct snd_sof_pcm_stream *sps,
size_t posn_offset); /* optional */
/* pre/post firmware run */
@@ -748,7 +748,7 @@ int sof_ipc_msg_data(struct snd_sof_dev *sdev,
struct snd_sof_pcm_stream *sps,
void *p, size_t sz);
int sof_set_stream_data_offset(struct snd_sof_dev *sdev,
- struct snd_pcm_substream *substream,
+ struct snd_sof_pcm_stream *sps,
size_t posn_offset);
int sof_stream_pcm_open(struct snd_sof_dev *sdev,
diff --git a/sound/soc/sof/stream-ipc.c b/sound/soc/sof/stream-ipc.c
index 13e44501d4420..872a49550672c 100644
--- a/sound/soc/sof/stream-ipc.c
+++ b/sound/soc/sof/stream-ipc.c
@@ -48,9 +48,10 @@ int sof_ipc_msg_data(struct snd_sof_dev *sdev,
EXPORT_SYMBOL(sof_ipc_msg_data);
int sof_set_stream_data_offset(struct snd_sof_dev *sdev,
- struct snd_pcm_substream *substream,
+ struct snd_sof_pcm_stream *sps,
size_t posn_offset)
{
+ struct snd_pcm_substream *substream = sps->substream;
struct sof_stream *stream = substream->runtime->private_data;
/* check if offset is overflow or it is not aligned */
--
2.53.0
* [PATCH 6.1 547/969] ASoC: SOF: Add support for compress API for stream data/offset
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (545 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 546/969] ASoC: SOF: Prepare set_stream_data_offset for " Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 548/969] ASoC: SOF: compress: return the configured codec from get_params Greg Kroah-Hartman
` (428 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul Olaru, Iuliana Prodan,
Ranjani Sridharan, Peter Ujfalusi, Daniel Baluta, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Baluta <daniel.baluta@nxp.com>
[ Upstream commit 090349a9feba3ceee3997d31d68ffe54e5b57acb ]
snd_sof_pcm_stream keeps information about both PCM (snd_pcm_substream)
and Compress (snd_compr_stream) streams.
When PCM substream pointer is NULL this means we are dealing with a
compress stream.
Reviewed-by: Paul Olaru <paul.olaru@nxp.com>
Reviewed-by: Iuliana Prodan <iuliana.prodan@nxp.com>
Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
Reviewed-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Signed-off-by: Daniel Baluta <daniel.baluta@nxp.com>
Link: https://lore.kernel.org/r/20230117122533.201708-4-daniel.baluta@oss.nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 2c4fdd055f92 ("ASoC: SOF: compress: return the configured codec from get_params")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/sof/sof-priv.h | 1 +
sound/soc/sof/stream-ipc.c | 48 ++++++++++++++++++++++++++++----------
2 files changed, 37 insertions(+), 12 deletions(-)
diff --git a/sound/soc/sof/sof-priv.h b/sound/soc/sof/sof-priv.h
index d7f4f828f38f9..6f5b06473011d 100644
--- a/sound/soc/sof/sof-priv.h
+++ b/sound/soc/sof/sof-priv.h
@@ -112,6 +112,7 @@ struct sof_compr_stream {
u32 sampling_rate;
u16 channels;
u16 sample_container_bytes;
+ size_t posn_offset;
};
struct snd_sof_dev;
diff --git a/sound/soc/sof/stream-ipc.c b/sound/soc/sof/stream-ipc.c
index 872a49550672c..216b454f6b94e 100644
--- a/sound/soc/sof/stream-ipc.c
+++ b/sound/soc/sof/stream-ipc.c
@@ -33,14 +33,27 @@ int sof_ipc_msg_data(struct snd_sof_dev *sdev,
if (!sps || !sdev->stream_box.size) {
snd_sof_dsp_mailbox_read(sdev, sdev->dsp_box.offset, p, sz);
} else {
- struct snd_pcm_substream *substream = sps->substream;
- struct sof_stream *stream = substream->runtime->private_data;
+ size_t posn_offset;
- /* The stream might already be closed */
- if (!stream)
- return -ESTRPIPE;
+ if (sps->substream) {
+ struct sof_stream *stream = sps->substream->runtime->private_data;
- snd_sof_dsp_mailbox_read(sdev, stream->posn_offset, p, sz);
+ /* The stream might already be closed */
+ if (!stream)
+ return -ESTRPIPE;
+
+ posn_offset = stream->posn_offset;
+ } else {
+
+ struct sof_compr_stream *sstream = sps->cstream->runtime->private_data;
+
+ if (!sstream)
+ return -ESTRPIPE;
+
+ posn_offset = sstream->posn_offset;
+ }
+
+ snd_sof_dsp_mailbox_read(sdev, posn_offset, p, sz);
}
return 0;
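Review bot: The compress branch dereferences `sps->cstream->runtime->private_data` inside a plain `else`, with no check that `sps->cstream` is set. sof_set_stream_data_offset() in the next hunk handles the same case with `else if (sps->cstream)` and a final error return; mirror that here so an entry with neither pointer set returns an error instead of faulting. The blank line after `} else {` can also be dropped.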
@@ -51,18 +64,29 @@ int sof_set_stream_data_offset(struct snd_sof_dev *sdev,
struct snd_sof_pcm_stream *sps,
size_t posn_offset)
{
- struct snd_pcm_substream *substream = sps->substream;
- struct sof_stream *stream = substream->runtime->private_data;
-
/* check if offset is overflow or it is not aligned */
if (posn_offset > sdev->stream_box.size ||
posn_offset % sizeof(struct sof_ipc_stream_posn) != 0)
return -EINVAL;
- stream->posn_offset = sdev->stream_box.offset + posn_offset;
+ posn_offset += sdev->stream_box.offset;
+
+ if (sps->substream) {
+ struct sof_stream *stream = sps->substream->runtime->private_data;
+
+ stream->posn_offset = posn_offset;
+ dev_dbg(sdev->dev, "pcm: stream dir %d, posn mailbox offset is %zu",
+ sps->substream->stream, posn_offset);
+ } else if (sps->cstream) {
+ struct sof_compr_stream *sstream = sps->cstream->runtime->private_data;
- dev_dbg(sdev->dev, "pcm: stream dir %d, posn mailbox offset is %zu",
- substream->stream, stream->posn_offset);
+ sstream->posn_offset = posn_offset;
+ dev_dbg(sdev->dev, "compr: stream dir %d, posn mailbox offset is %zu",
+ sps->cstream->direction, posn_offset);
+ } else {
+ dev_err(sdev->dev, "No stream opened");
+ return -EINVAL;
+ }
return 0;
}
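Review bot: Both branches store through `runtime->private_data` (`stream->posn_offset = posn_offset;` and `sstream->posn_offset = posn_offset;`) without a NULL test, while sof_ipc_msg_data() treats a NULL private_data as an already closed stream and returns -ESTRPIPE. Apply the same test before the stores so the setter and the reader agree on that state. The dev_dbg() and dev_err() format strings added here also lack a trailing newline.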
--
2.53.0
* [PATCH 6.1 548/969] ASoC: SOF: compress: return the configured codec from get_params
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (546 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 547/969] ASoC: SOF: Add support for compress API for stream data/offset Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 549/969] PCI: Add PCIE_PME_TO_L2_TIMEOUT_US L2 ready timeout value Greg Kroah-Hartman
` (427 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
[ Upstream commit 2c4fdd055f92a2fc8602dcd88bcea08c374b7e8b ]
The SOF compressed offload path accepts codec parameters in
sof_compr_set_params() and forwards them to firmware as
extended data in the SOF IPC stream params message.
However, sof_compr_get_params() still returns success without
filling the snd_codec structure. Since the compress core allocates
that structure zeroed and copies it back to userspace on success,
SNDRV_COMPRESS_GET_PARAMS returns an all-zero codec description
even after the stream has been configured successfully.
The stale TODO in this callback conflates get_params() with capability
discovery. Supported codec enumeration belongs in get_caps() and
get_codec_caps(). get_params() should report the current codec settings.
Cache the codec accepted by sof_compr_set_params() in the per-stream SOF
compress state and return it from sof_compr_get_params().
Fixes: 6324cf901e14 ("ASoC: SOF: compr: Add compress ops implementation")
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260325-sof-compr-get-params-v1-1-0758815f13c7@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/sof/compress.c | 8 +++++---
sound/soc/sof/sof-priv.h | 2 ++
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/sound/soc/sof/compress.c b/sound/soc/sof/compress.c
index 71c66c1b518c6..5ce304f010cfd 100644
--- a/sound/soc/sof/compress.c
+++ b/sound/soc/sof/compress.c
@@ -240,6 +240,7 @@ static int sof_compr_set_params(struct snd_soc_component *component,
sstream->sampling_rate = params->codec.sample_rate;
sstream->channels = params->codec.ch_out;
sstream->sample_container_bytes = pcm->params.sample_container_bytes;
+ sstream->codec_params = params->codec;
spcm->prepared[cstream->direction] = true;
@@ -252,9 +253,10 @@ static int sof_compr_set_params(struct snd_soc_component *component,
static int sof_compr_get_params(struct snd_soc_component *component,
struct snd_compr_stream *cstream, struct snd_codec *params)
{
- /* TODO: we don't query the supported codecs for now, if the
- * application asks for an unsupported codec the set_params() will fail.
- */
+ struct sof_compr_stream *sstream = cstream->runtime->private_data;
+
+ *params = sstream->codec_params;
+
return 0;
}
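Review bot: sof_compr_get_params() copies `sstream->codec_params` unconditionally, so a get_params issued before any successful set_params still returns success with whatever the field held at allocation; if that memory starts out zeroed, this is the same all-zero codec description the changelog sets out to fix. Consider returning an error until the stream has been configured (set_params already records this in `spcm->prepared[cstream->direction]`), or document that an unconfigured stream reports an empty codec. A NULL test on `sstream` before `*params = sstream->codec_params;` would also match how sof_ipc_msg_data() handles a missing private_data.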
diff --git a/sound/soc/sof/sof-priv.h b/sound/soc/sof/sof-priv.h
index 6f5b06473011d..77c9741fc1480 100644
--- a/sound/soc/sof/sof-priv.h
+++ b/sound/soc/sof/sof-priv.h
@@ -17,6 +17,7 @@
#include <sound/sof/info.h>
#include <sound/sof/pm.h>
#include <sound/sof/trace.h>
+#include <sound/compress_params.h>
#include <uapi/sound/sof/fw.h>
#include <sound/sof/ext_manifest.h>
@@ -112,6 +113,7 @@ struct sof_compr_stream {
u32 sampling_rate;
u16 channels;
u16 sample_container_bytes;
+ struct snd_codec codec_params;
size_t posn_offset;
};
--
2.53.0
* [PATCH 6.1 549/969] PCI: Add PCIE_PME_TO_L2_TIMEOUT_US L2 ready timeout value
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (547 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 548/969] ASoC: SOF: compress: return the configured codec from get_params Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 550/969] PCI: tegra194: Fix polling delay for L2 state Greg Kroah-Hartman
` (426 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Frank Li, Lorenzo Pieralisi,
Manivannan Sadhasivam, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Frank Li <Frank.Li@nxp.com>
[ Upstream commit e78bd50b4078b3b2d9f85d97796b7c271e7860ca ]
Add the PCIE_PME_TO_L2_TIMEOUT_US macro to define the L2 ready timeout
as described in the PCI specifications.
Link: https://lore.kernel.org/r/20230821184815.2167131-2-Frank.Li@nxp.com
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Lorenzo Pieralisi <lpieralisi@kernel.org>
Acked-by: Manivannan Sadhasivam <mani@kernel.org>
Stable-dep-of: adaffed907f1 ("PCI: tegra194: Fix polling delay for L2 state")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/pci.h | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/pci/pci.h b/drivers/pci/pci.h
index 85488bc8e7795..8b177931cf21e 100644
--- a/drivers/pci/pci.h
+++ b/drivers/pci/pci.h
@@ -14,6 +14,12 @@
#define PCI_EXP_AER_FLAGS (PCI_EXP_DEVCTL_CERE | PCI_EXP_DEVCTL_NFERE | \
PCI_EXP_DEVCTL_FERE | PCI_EXP_DEVCTL_URRE)
+/*
+ * PCIe r6.0, sec 5.3.3.2.1 <PME Synchronization>
+ * Recommends 1ms to 10ms timeout to check L2 ready.
+ */
+#define PCIE_PME_TO_L2_TIMEOUT_US 10000
+
extern const unsigned char pcie_link_speed[];
extern bool pci_early_dump;
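Review bot: The comment gives a 1 ms to 10 ms range but does not say that the macro encodes the upper bound of it, and the unit is only implied by the _US suffix. Extend the comment to state that 10000 is the maximum wait, in microseconds, so a user deriving a poll interval from the macro knows which end of the range it represents.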
--
2.53.0
* [PATCH 6.1 550/969] PCI: tegra194: Fix polling delay for L2 state
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (548 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 549/969] PCI: Add PCIE_PME_TO_L2_TIMEOUT_US L2 ready timeout value Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 551/969] PCI: tegra194: Increase LTSSM poll time on surprise link down Greg Kroah-Hartman
` (425 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vidya Sagar, Manikanta Maddireddy,
Manivannan Sadhasivam, Bjorn Helgaas, Jon Hunter, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vidya Sagar <vidyas@nvidia.com>
[ Upstream commit adaffed907f14f954096555665ad6af2ae724d83 ]
As per PCIe r7.0, sec 5.3.3.2.1, after sending PME_Turn_Off message, Root
Port should wait for 1-10 msec for PME_TO_Ack message. Currently, driver is
polling for 10 msec with 1 usec delay which is aggressive. Use existing
macro PCIE_PME_TO_L2_TIMEOUT_US to poll for 10 msec with 1 msec delay.
Since this function is used in non-atomic context only, use non-atomic poll
function.
Fixes: 56e15a238d92 ("PCI: tegra: Add Tegra194 PCIe support")
Signed-off-by: Vidya Sagar <vidyas@nvidia.com>
Signed-off-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Link: https://patch.msgid.link/20260324190755.1094879-2-mmaddireddy@nvidia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-tegra194.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c
index 0dca4baad0dac..e6124eeb824d4 100644
--- a/drivers/pci/controller/dwc/pcie-tegra194.c
+++ b/drivers/pci/controller/dwc/pcie-tegra194.c
@@ -206,8 +206,6 @@
#define CAP_SPCIE_CAP_OFF_USP_TX_PRESET0_MASK GENMASK(11, 8)
#define CAP_SPCIE_CAP_OFF_USP_TX_PRESET0_SHIFT 8
-#define PME_ACK_TIMEOUT 10000
-
#define LTSSM_TIMEOUT 50000 /* 50ms */
#define GEN3_GEN4_EQ_PRESET_INIT 5
@@ -1569,9 +1567,10 @@ static int tegra_pcie_try_link_l2(struct tegra_pcie_dw *pcie)
val |= APPL_PM_XMT_TURNOFF_STATE;
appl_writel(pcie, val, APPL_RADM_STATUS);
- return readl_poll_timeout_atomic(pcie->appl_base + APPL_DEBUG, val,
- val & APPL_DEBUG_PM_LINKST_IN_L2_LAT,
- 1, PME_ACK_TIMEOUT);
+ return readl_poll_timeout(pcie->appl_base + APPL_DEBUG, val,
+ val & APPL_DEBUG_PM_LINKST_IN_L2_LAT,
+ PCIE_PME_TO_L2_TIMEOUT_US/10,
+ PCIE_PME_TO_L2_TIMEOUT_US);
}
static void tegra_pcie_dw_pme_turnoff(struct tegra_pcie_dw *pcie)
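Review bot: The poll interval is written as `PCIE_PME_TO_L2_TIMEOUT_US/10`, which hides the 1 ms step behind an unexplained divisor and omits the spaces around `/` that kernel style expects. A named interval or a one-line comment would make the step explicit. Since readl_poll_timeout() sleeps between reads, a comment on tegra_pcie_try_link_l2() recording that it may only be called from non-atomic context would help keep the changelog's assumption true for future callers.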
--
2.53.0
* [PATCH 6.1 551/969] PCI: tegra194: Increase LTSSM poll time on surprise link down
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (549 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 550/969] PCI: tegra194: Fix polling delay for L2 state Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 552/969] PCI: tegra194: Disable LTSSM after transition to Detect " Greg Kroah-Hartman
` (424 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vidya Sagar, Manikanta Maddireddy,
Manivannan Sadhasivam, Bjorn Helgaas, Jon Hunter, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manikanta Maddireddy <mmaddireddy@nvidia.com>
[ Upstream commit 74dd8efe4d6cead433162147333af989a568aac7 ]
On surprise link down, LTSSM state transits from L0 -> Recovery.RcvrLock ->
Recovery.RcvrSpeed -> Gen1 Recovery.RcvrLock -> Detect. Recovery.RcvrLock
and Recovery.RcvrSpeed transit times are 24 ms and 48 ms respectively, so
the total time from L0 to Detect is ~96 ms. Increase the poll timeout to
120 ms to account for this.
While at it, add LTSSM state defines for Detect-related states and use them
in the poll condition. Use readl_poll_timeout() instead of
readl_poll_timeout_atomic() in tegra_pcie_dw_pme_turnoff() since that path
runs in non-atomic context.
Fixes: 56e15a238d92 ("PCI: tegra: Add Tegra194 PCIe support")
Signed-off-by: Vidya Sagar <vidyas@nvidia.com>
Signed-off-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Link: https://patch.msgid.link/20260324190755.1094879-3-mmaddireddy@nvidia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-tegra194.c | 36 +++++++++++++---------
1 file changed, 21 insertions(+), 15 deletions(-)
diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c
index e6124eeb824d4..f502b925d486b 100644
--- a/drivers/pci/controller/dwc/pcie-tegra194.c
+++ b/drivers/pci/controller/dwc/pcie-tegra194.c
@@ -140,7 +140,11 @@
#define APPL_DEBUG_PM_LINKST_IN_L0 0x11
#define APPL_DEBUG_LTSSM_STATE_MASK GENMASK(8, 3)
#define APPL_DEBUG_LTSSM_STATE_SHIFT 3
-#define LTSSM_STATE_PRE_DETECT 5
+#define LTSSM_STATE_DETECT_QUIET 0x00
+#define LTSSM_STATE_DETECT_ACT 0x08
+#define LTSSM_STATE_PRE_DETECT_QUIET 0x28
+#define LTSSM_STATE_DETECT_WAIT 0x30
+#define LTSSM_STATE_L2_IDLE 0xa8
#define APPL_RADM_STATUS 0xE4
#define APPL_PM_XMT_TURNOFF_STATE BIT(0)
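Review bot: the new LTSSM_STATE_* values are encoded at the register bit position (the old LTSSM_STATE_PRE_DETECT 5 corresponds to 0x28, i.e. 5 << 3), which is why the later comparisons drop the ">> APPL_DEBUG_LTSSM_STATE_SHIFT". That convention is not obvious from the defines; a one-line comment saying these are pre-shifted values to be compared against (reg & APPL_DEBUG_LTSSM_STATE_MASK) would keep someone from reintroducing the shift. If nothing else uses APPL_DEBUG_LTSSM_STATE_SHIFT after this change, drop it in the same patch.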
@@ -206,7 +210,8 @@
#define CAP_SPCIE_CAP_OFF_USP_TX_PRESET0_MASK GENMASK(11, 8)
#define CAP_SPCIE_CAP_OFF_USP_TX_PRESET0_SHIFT 8
-#define LTSSM_TIMEOUT 50000 /* 50ms */
+#define LTSSM_DELAY_US 10000 /* 10 ms */
+#define LTSSM_TIMEOUT_US 120000 /* 120 ms */
#define GEN3_GEN4_EQ_PRESET_INIT 5
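Review bot: LTSSM_DELAY_US at 10 ms is a sleeping poll interval, so these constants are only valid with readl_poll_timeout(), never with the _atomic variant that the old 1 us delay was paired with; say so in the comment. The comment on LTSSM_TIMEOUT_US should also record where 120 ms comes from (the ~96 ms L0-to-Detect figure in the commit message plus margin), since the bare number will be hard to justify later.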
@@ -1613,15 +1618,14 @@ static void tegra_pcie_dw_pme_turnoff(struct tegra_pcie_dw *pcie)
data &= ~APPL_CTRL_LTSSM_EN;
writel(data, pcie->appl_base + APPL_CTRL);
- err = readl_poll_timeout_atomic(pcie->appl_base + APPL_DEBUG,
- data,
- ((data &
- APPL_DEBUG_LTSSM_STATE_MASK) >>
- APPL_DEBUG_LTSSM_STATE_SHIFT) ==
- LTSSM_STATE_PRE_DETECT,
- 1, LTSSM_TIMEOUT);
+ err = readl_poll_timeout(pcie->appl_base + APPL_DEBUG, data,
+ ((data & APPL_DEBUG_LTSSM_STATE_MASK) == LTSSM_STATE_DETECT_QUIET) ||
+ ((data & APPL_DEBUG_LTSSM_STATE_MASK) == LTSSM_STATE_DETECT_ACT) ||
+ ((data & APPL_DEBUG_LTSSM_STATE_MASK) == LTSSM_STATE_PRE_DETECT_QUIET) ||
+ ((data & APPL_DEBUG_LTSSM_STATE_MASK) == LTSSM_STATE_DETECT_WAIT),
+ LTSSM_DELAY_US, LTSSM_TIMEOUT_US);
if (err)
- dev_info(pcie->dev, "Link didn't go to detect state\n");
+ dev_info(pcie->dev, "LTSSM state: 0x%x detect timeout: %d\n", data, err);
}
/*
* DBI registers may not be accessible after this as PLL-E would be
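Review bot: the poll condition repeats (data & APPL_DEBUG_LTSSM_STATE_MASK) four times here and five times in pex_ep_event_pex_rst_assert(); a small static inline helper that takes the APPL_DEBUG value and returns true for the Detect-related states would keep the two call sites from drifting apart. The new timeout message also prints the raw register under the label "LTSSM state", not the masked field; mask it before printing or name the register in the message.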
@@ -1709,12 +1713,14 @@ static void pex_ep_event_pex_rst_assert(struct tegra_pcie_dw *pcie)
appl_writel(pcie, val, APPL_CTRL);
ret = readl_poll_timeout(pcie->appl_base + APPL_DEBUG, val,
- ((val & APPL_DEBUG_LTSSM_STATE_MASK) >>
- APPL_DEBUG_LTSSM_STATE_SHIFT) ==
- LTSSM_STATE_PRE_DETECT,
- 1, LTSSM_TIMEOUT);
+ ((val & APPL_DEBUG_LTSSM_STATE_MASK) == LTSSM_STATE_DETECT_QUIET) ||
+ ((val & APPL_DEBUG_LTSSM_STATE_MASK) == LTSSM_STATE_DETECT_ACT) ||
+ ((val & APPL_DEBUG_LTSSM_STATE_MASK) == LTSSM_STATE_PRE_DETECT_QUIET) ||
+ ((val & APPL_DEBUG_LTSSM_STATE_MASK) == LTSSM_STATE_DETECT_WAIT) ||
+ ((val & APPL_DEBUG_LTSSM_STATE_MASK) == LTSSM_STATE_L2_IDLE),
+ LTSSM_DELAY_US, LTSSM_TIMEOUT_US);
if (ret)
- dev_err(pcie->dev, "Failed to go Detect state: %d\n", ret);
+ dev_info(pcie->dev, "LTSSM state: 0x%x detect timeout: %d\n", val, ret);
reset_control_assert(pcie->core_rst);
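Review bot: two behaviour changes in this hunk are not covered by the commit message: LTSSM_STATE_L2_IDLE is accepted as a terminal state here but not in tegra_pcie_dw_pme_turnoff(), and the failure log drops from dev_err() to dev_info(). Please give the reason for each in the changelog or in a comment above the poll, in particular why L2 idle counts as done only in the Endpoint PERST# path.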
--
2.53.0
* [PATCH 6.1 552/969] PCI: tegra194: Disable LTSSM after transition to Detect on surprise link down
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (550 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 551/969] PCI: tegra194: Increase LTSSM poll time on surprise link down Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 553/969] PCI: tegra194: Rename root_bus to root_port_bus in tegra_pcie_downstream_dev_to_D0() Greg Kroah-Hartman
` (423 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vidya Sagar, Manikanta Maddireddy,
Manivannan Sadhasivam, Bjorn Helgaas, Jon Hunter, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manikanta Maddireddy <mmaddireddy@nvidia.com>
[ Upstream commit 9fa0c242f8d7acf1b124d4462d18f4023573ac1c ]
After the link reaches a Detect-related LTSSM state, disable LTSSM so it
does not keep toggling between Polling and Detect. Do this by polling for
the Detect state first, then clearing APPL_CTRL_LTSSM_EN in both
tegra_pcie_dw_pme_turnoff() and pex_ep_event_pex_rst_assert().
Fixes: 56e15a238d92 ("PCI: tegra: Add Tegra194 PCIe support")
Signed-off-by: Vidya Sagar <vidyas@nvidia.com>
Signed-off-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Link: https://patch.msgid.link/20260324190755.1094879-4-mmaddireddy@nvidia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-tegra194.c | 29 ++++++++++++----------
1 file changed, 16 insertions(+), 13 deletions(-)
diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c
index f502b925d486b..b6899d1f80fb5 100644
--- a/drivers/pci/controller/dwc/pcie-tegra194.c
+++ b/drivers/pci/controller/dwc/pcie-tegra194.c
@@ -1610,14 +1610,6 @@ static void tegra_pcie_dw_pme_turnoff(struct tegra_pcie_dw *pcie)
data &= ~APPL_PINMUX_PEX_RST;
appl_writel(pcie, data, APPL_PINMUX);
- /*
- * Some cards do not go to detect state even after de-asserting
- * PERST#. So, de-assert LTSSM to bring link to detect state.
- */
- data = readl(pcie->appl_base + APPL_CTRL);
- data &= ~APPL_CTRL_LTSSM_EN;
- writel(data, pcie->appl_base + APPL_CTRL);
-
err = readl_poll_timeout(pcie->appl_base + APPL_DEBUG, data,
((data & APPL_DEBUG_LTSSM_STATE_MASK) == LTSSM_STATE_DETECT_QUIET) ||
((data & APPL_DEBUG_LTSSM_STATE_MASK) == LTSSM_STATE_DETECT_ACT) ||
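Review bot: the comment removed here recorded that some cards never reach Detect until LTSSM is disabled. With the disable now moved after the poll, that case has to sit through the full LTSSM_TIMEOUT_US and will log the "detect timeout" message on every turnoff; the changelog should say whether that is expected, and the knowledge in the old comment should be kept next to the poll instead of being deleted.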
@@ -1626,6 +1618,14 @@ static void tegra_pcie_dw_pme_turnoff(struct tegra_pcie_dw *pcie)
LTSSM_DELAY_US, LTSSM_TIMEOUT_US);
if (err)
dev_info(pcie->dev, "LTSSM state: 0x%x detect timeout: %d\n", data, err);
+
+ /*
+ * Deassert LTSSM state to stop the state toggling between
+ * Polling and Detect.
+ */
+ data = readl(pcie->appl_base + APPL_CTRL);
+ data &= ~APPL_CTRL_LTSSM_EN;
+ writel(data, pcie->appl_base + APPL_CTRL);
}
/*
* DBI registers may not be accessible after this as PLL-E would be
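Review bot: the re-added block uses raw readl()/writel() on pcie->appl_base + APPL_CTRL, while the rest of this function (appl_writel(pcie, data, APPL_PINMUX) a few lines up) and the Endpoint path use the appl_readl()/appl_writel() accessors; since the lines are being moved anyway, switch them to the accessors. The comment should also say that the disable runs whether or not the poll succeeded.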
@@ -1707,11 +1707,6 @@ static void pex_ep_event_pex_rst_assert(struct tegra_pcie_dw *pcie)
if (pcie->ep_state == EP_STATE_DISABLED)
return;
- /* Disable LTSSM */
- val = appl_readl(pcie, APPL_CTRL);
- val &= ~APPL_CTRL_LTSSM_EN;
- appl_writel(pcie, val, APPL_CTRL);
-
ret = readl_poll_timeout(pcie->appl_base + APPL_DEBUG, val,
((val & APPL_DEBUG_LTSSM_STATE_MASK) == LTSSM_STATE_DETECT_QUIET) ||
((val & APPL_DEBUG_LTSSM_STATE_MASK) == LTSSM_STATE_DETECT_ACT) ||
@@ -1722,6 +1717,14 @@ static void pex_ep_event_pex_rst_assert(struct tegra_pcie_dw *pcie)
if (ret)
dev_info(pcie->dev, "LTSSM state: 0x%x detect timeout: %d\n", val, ret);
+ /*
+ * Deassert LTSSM state to stop the state toggling between
+ * Polling and Detect.
+ */
+ val = appl_readl(pcie, APPL_CTRL);
+ val &= ~APPL_CTRL_LTSSM_EN;
+ appl_writel(pcie, val, APPL_CTRL);
+
reset_control_assert(pcie->core_rst);
tegra_pcie_disable_phy(pcie);
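Review bot: this is the same read-modify-write of APPL_CTRL_LTSSM_EN, with the same comment, that the patch adds to tegra_pcie_dw_pme_turnoff(); factor it into one helper so the ordering rule (poll for Detect first, then disable) lives in a single place. "Deassert LTSSM state" in the comment is also imprecise, since the code clears the LTSSM enable bit; "Disable LTSSM", as in the comment it replaces, is the accurate wording.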
--
2.53.0
* [PATCH 6.1 553/969] PCI: tegra194: Rename root_bus to root_port_bus in tegra_pcie_downstream_dev_to_D0()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (551 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 552/969] PCI: tegra194: Disable LTSSM after transition to Detect " Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 554/969] PCI: tegra194: Dont force the device into the D0 state before L2 Greg Kroah-Hartman
` (422 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Manivannan Sadhasivam,
Manivannan Sadhasivam, Bjorn Helgaas, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
[ Upstream commit e1bd928479fb1fa60e9034b0fdb1ab9f3fa92f33 ]
In tegra_pcie_downstream_dev_to_D0(), PCI devices are transitioned to D0
state. For iterating over the devices, first the downstream bus of the Root
Port is searched from the root bus. But the name of the variable that holds
the Root Port downstream bus is named as 'root_bus', which is wrong.
Rename the variable to 'root_port_bus'. Also, move the comment on 'bringing
the devices to D0' to where the state is set exactly.
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Link: https://patch.msgid.link/20250922081057.15209-1-mani@kernel.org
Stable-dep-of: 71d9f67701e1 ("PCI: tegra194: Don't force the device into the D0 state before L2")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-tegra194.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c
index b6899d1f80fb5..46fe5abfad8c1 100644
--- a/drivers/pci/controller/dwc/pcie-tegra194.c
+++ b/drivers/pci/controller/dwc/pcie-tegra194.c
@@ -1277,7 +1277,7 @@ static int tegra_pcie_bpmp_set_pll_state(struct tegra_pcie_dw *pcie,
static void tegra_pcie_downstream_dev_to_D0(struct tegra_pcie_dw *pcie)
{
struct dw_pcie_rp *pp = &pcie->pci.pp;
- struct pci_bus *child, *root_bus = NULL;
+ struct pci_bus *child, *root_port_bus = NULL;
struct pci_dev *pdev;
/*
@@ -1290,19 +1290,19 @@ static void tegra_pcie_downstream_dev_to_D0(struct tegra_pcie_dw *pcie)
*/
list_for_each_entry(child, &pp->bridge->bus->children, node) {
- /* Bring downstream devices to D0 if they are not already in */
if (child->parent == pp->bridge->bus) {
- root_bus = child;
+ root_port_bus = child;
break;
}
}
- if (!root_bus) {
- dev_err(pcie->dev, "Failed to find downstream devices\n");
+ if (!root_port_bus) {
+ dev_err(pcie->dev, "Failed to find downstream bus of Root Port\n");
return;
}
- list_for_each_entry(pdev, &root_bus->devices, bus_list) {
+ /* Bring downstream devices to D0 if they are not already in */
+ list_for_each_entry(pdev, &root_port_bus->devices, bus_list) {
if (PCI_SLOT(pdev->devfn) == 0) {
if (pci_set_power_state(pdev, PCI_D0))
dev_err(pcie->dev,
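Review bot: every entry on pp->bridge->bus->children should already have pp->bridge->bus as its parent, so the child->parent test in the loop is always true and the loop simply picks the first child; list_first_entry_or_null() would express that directly and fit the rename's intent. The moved comment still ends at "if they are not already in", which reads as truncated; finish it with "D0".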
--
2.53.0
* [PATCH 6.1 554/969] PCI: tegra194: Dont force the device into the D0 state before L2
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (552 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 553/969] PCI: tegra194: Rename root_bus to root_port_bus in tegra_pcie_downstream_dev_to_D0() Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 555/969] PCI: tegra194: Disable PERST# IRQ only in Endpoint mode Greg Kroah-Hartman
` (421 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vidya Sagar, Manikanta Maddireddy,
Manivannan Sadhasivam, Bjorn Helgaas, Jon Hunter, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vidya Sagar <vidyas@nvidia.com>
[ Upstream commit 71d9f67701e1affc82d18ca88ae798c5361beddf ]
As per PCIe CEM r6.0, sec 2.3, the PCIe Endpoint device should be in D3cold
to assert WAKE# pin. The previous workaround that forced downstream devices
to D0 before taking the link to L2 cited PCIe r4.0, sec 5.2, "Link State
Power Management"; however, that spec does not explicitly require putting
the device into D0 and only indicates that power removal may be initiated
without transitioning to D3hot.
Remove the D0 workaround so that Endpoint devices can use wake
functionality (WAKE# from D3). With some Endpoints the link may not enter
L2 when they remain in D3, but the Root Port continues with the usual flow
after PME timeout, so there is no functional issue.
Fixes: 56e15a238d92 ("PCI: tegra: Add Tegra194 PCIe support")
Signed-off-by: Vidya Sagar <vidyas@nvidia.com>
Signed-off-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Vidya Sagar <vidyas@nvidia.com>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Link: https://patch.msgid.link/20260324190755.1094879-5-mmaddireddy@nvidia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-tegra194.c | 41 ----------------------
1 file changed, 41 deletions(-)
diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c
index 46fe5abfad8c1..c562a4b97da1c 100644
--- a/drivers/pci/controller/dwc/pcie-tegra194.c
+++ b/drivers/pci/controller/dwc/pcie-tegra194.c
@@ -1274,44 +1274,6 @@ static int tegra_pcie_bpmp_set_pll_state(struct tegra_pcie_dw *pcie,
return 0;
}
-static void tegra_pcie_downstream_dev_to_D0(struct tegra_pcie_dw *pcie)
-{
- struct dw_pcie_rp *pp = &pcie->pci.pp;
- struct pci_bus *child, *root_port_bus = NULL;
- struct pci_dev *pdev;
-
- /*
- * link doesn't go into L2 state with some of the endpoints with Tegra
- * if they are not in D0 state. So, need to make sure that immediate
- * downstream devices are in D0 state before sending PME_TurnOff to put
- * link into L2 state.
- * This is as per PCI Express Base r4.0 v1.0 September 27-2017,
- * 5.2 Link State Power Management (Page #428).
- */
-
- list_for_each_entry(child, &pp->bridge->bus->children, node) {
- if (child->parent == pp->bridge->bus) {
- root_port_bus = child;
- break;
- }
- }
-
- if (!root_port_bus) {
- dev_err(pcie->dev, "Failed to find downstream bus of Root Port\n");
- return;
- }
-
- /* Bring downstream devices to D0 if they are not already in */
- list_for_each_entry(pdev, &root_port_bus->devices, bus_list) {
- if (PCI_SLOT(pdev->devfn) == 0) {
- if (pci_set_power_state(pdev, PCI_D0))
- dev_err(pcie->dev,
- "Failed to transition %s to D0 state\n",
- dev_name(&pdev->dev));
- }
- }
-}
-
static int tegra_pcie_get_slot_regulators(struct tegra_pcie_dw *pcie)
{
pcie->slot_ctl_3v3 = devm_regulator_get_optional(pcie->dev, "vpcie3v3");
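Review bot: the deleted comment was the only in-code record of why some Endpoints fail to enter L2, and the changelog now relies on the Root Port carrying on after PME timeout for those devices. Put a short comment to that effect at the PME_TurnOff wait in tegra_pcie_dw_pme_turnoff(), so that a timeout seen there with an Endpoint left in D3 is understood as expected and not as a regression.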
@@ -1641,7 +1603,6 @@ static void tegra_pcie_dw_pme_turnoff(struct tegra_pcie_dw *pcie)
static void tegra_pcie_deinit_controller(struct tegra_pcie_dw *pcie)
{
- tegra_pcie_downstream_dev_to_D0(pcie);
dw_pcie_host_deinit(&pcie->pci.pp);
tegra_pcie_dw_pme_turnoff(pcie);
tegra_pcie_unconfig_controller(pcie);
@@ -2353,7 +2314,6 @@ static int tegra_pcie_dw_suspend_noirq(struct device *dev)
if (!pcie->link_state)
return 0;
- tegra_pcie_downstream_dev_to_D0(pcie);
tegra_pcie_dw_pme_turnoff(pcie);
tegra_pcie_unconfig_controller(pcie);
@@ -2427,7 +2387,6 @@ static void tegra_pcie_dw_shutdown(struct platform_device *pdev)
return;
debugfs_remove_recursive(pcie->debugfs);
- tegra_pcie_downstream_dev_to_D0(pcie);
disable_irq(pcie->pci.pp.irq);
if (IS_ENABLED(CONFIG_PCI_MSI))
--
2.53.0
* [PATCH 6.1 555/969] PCI: tegra194: Disable PERST# IRQ only in Endpoint mode
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (553 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 554/969] PCI: tegra194: Dont force the device into the D0 state before L2 Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 556/969] PCI: tegra194: Use devm_gpiod_get_optional() to parse "nvidia,refclk-select" Greg Kroah-Hartman
` (420 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Manikanta Maddireddy,
Manivannan Sadhasivam, Bjorn Helgaas, Jon Hunter, Vidya Sagar,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manikanta Maddireddy <mmaddireddy@nvidia.com>
[ Upstream commit 40658a31b6e134169c648041efc84944c4c71dcd ]
The PERST# GPIO interrupt is only registered when the controller is
operating in Endpoint mode. In Root Port mode, the PERST# GPIO is
configured as an output to control downstream devices, and no interrupt is
registered for it.
Currently, tegra_pcie_dw_stop_link() unconditionally calls disable_irq()
on pex_rst_irq, which causes issues in Root Port mode where this IRQ is
not registered.
Fix this by only disabling the PERST# IRQ when operating in Endpoint mode,
where the interrupt is actually registered and used to detect PERST#
assertion/deassertion from the host.
Fixes: c57247f940e8 ("PCI: tegra: Add support for PCIe endpoint mode in Tegra194")
Signed-off-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Vidya Sagar <vidyas@nvidia.com>
Link: https://patch.msgid.link/20260324190755.1094879-6-mmaddireddy@nvidia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-tegra194.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c
index c562a4b97da1c..5085bacd2f542 100644
--- a/drivers/pci/controller/dwc/pcie-tegra194.c
+++ b/drivers/pci/controller/dwc/pcie-tegra194.c
@@ -1041,7 +1041,8 @@ static void tegra_pcie_dw_stop_link(struct dw_pcie *pci)
{
struct tegra_pcie_dw *pcie = to_tegra_pcie(pci);
- disable_irq(pcie->pex_rst_irq);
+ if (pcie->of_data->mode == DW_PCIE_EP_TYPE)
+ disable_irq(pcie->pex_rst_irq);
}
static const struct dw_pcie_ops tegra_dw_pcie_ops = {
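Review bot: the guard on disable_irq(pcie->pex_rst_irq) needs a matching guard on the corresponding enable_irq(), which is not visible in this hunk; please confirm the enable side is also reached only when pcie->of_data->mode == DW_PCIE_EP_TYPE so the disable depth stays balanced. The changelog says the unconditional call "causes issues" in Root Port mode; naming the actual symptom (warning text or failure) would help stable users match it to what they see.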
--
2.53.0
* [PATCH 6.1 556/969] PCI: tegra194: Use devm_gpiod_get_optional() to parse "nvidia,refclk-select"
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (554 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 555/969] PCI: tegra194: Disable PERST# IRQ only in Endpoint mode Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 557/969] PCI: tegra194: Disable direct speed change for Endpoint mode Greg Kroah-Hartman
` (419 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vidya Sagar, Manikanta Maddireddy,
Manivannan Sadhasivam, Bjorn Helgaas, Jon Hunter, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vidya Sagar <vidyas@nvidia.com>
[ Upstream commit f62bc7917de1374dce86a852ffba8baf9cb7a56a ]
The GPIO DT property "nvidia,refclk-select", to select the PCIe reference
clock is optional. Use devm_gpiod_get_optional() to get it.
Fixes: c57247f940e8 ("PCI: tegra: Add support for PCIe endpoint mode in Tegra194")
Signed-off-by: Vidya Sagar <vidyas@nvidia.com>
Signed-off-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Vidya Sagar <vidyas@nvidia.com>
Link: https://patch.msgid.link/20260324190755.1094879-7-mmaddireddy@nvidia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-tegra194.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c
index 5085bacd2f542..87851a56ebd2d 100644
--- a/drivers/pci/controller/dwc/pcie-tegra194.c
+++ b/drivers/pci/controller/dwc/pcie-tegra194.c
@@ -1183,9 +1183,9 @@ static int tegra_pcie_dw_parse_dt(struct tegra_pcie_dw *pcie)
return err;
}
- pcie->pex_refclk_sel_gpiod = devm_gpiod_get(pcie->dev,
- "nvidia,refclk-select",
- GPIOD_OUT_HIGH);
+ pcie->pex_refclk_sel_gpiod = devm_gpiod_get_optional(pcie->dev,
+ "nvidia,refclk-select",
+ GPIOD_OUT_HIGH);
if (IS_ERR(pcie->pex_refclk_sel_gpiod)) {
int err = PTR_ERR(pcie->pex_refclk_sel_gpiod);
const char *level = KERN_ERR;
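Review bot: with devm_gpiod_get_optional() an absent "nvidia,refclk-select" returns NULL, not an error pointer, so the IS_ERR() branch kept below now only sees real failures. The `level` variable set up there looks like it existed to soften the message for a missing property; if so it is dead after this change and should be simplified in the same patch, and every user of pex_refclk_sel_gpiod needs checking for NULL tolerance.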
--
2.53.0
* [PATCH 6.1 557/969] PCI: tegra194: Disable direct speed change for Endpoint mode
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (555 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 556/969] PCI: tegra194: Use devm_gpiod_get_optional() to parse "nvidia,refclk-select" Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 558/969] PCI: tegra194: Allow system suspend when the Endpoint link is not up Greg Kroah-Hartman
` (418 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vidya Sagar, Manikanta Maddireddy,
Manivannan Sadhasivam, Bjorn Helgaas, Jon Hunter, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vidya Sagar <vidyas@nvidia.com>
[ Upstream commit 976f6763f57970388bcd7118931f33f447916927 ]
Pre-silicon simulation showed the controller operating in Endpoint mode
initiating link speed change after completing Secondary Bus Reset. Ideally,
the Root Port or the Switch Downstream Port should initiate the link speed
change post SBR, not the Endpoint.
So, as per the hardware team recommendation, disable direct speed change
for the Endpoint mode to prevent it from initiating speed change after the
physical layer link is up at Gen1, leaving speed change ownership with the
host.
Fixes: c57247f940e8 ("PCI: tegra: Add support for PCIe endpoint mode in Tegra194")
Signed-off-by: Vidya Sagar <vidyas@nvidia.com>
Signed-off-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
[mani: commit log]
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Vidya Sagar <vidyas@nvidia.com>
Link: https://patch.msgid.link/20260324190755.1094879-8-mmaddireddy@nvidia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-tegra194.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c
index 87851a56ebd2d..431ae321ba055 100644
--- a/drivers/pci/controller/dwc/pcie-tegra194.c
+++ b/drivers/pci/controller/dwc/pcie-tegra194.c
@@ -1825,6 +1825,10 @@ static void pex_ep_event_pex_rst_deassert(struct tegra_pcie_dw *pcie)
reset_control_deassert(pcie->core_rst);
+ val = dw_pcie_readl_dbi(pci, PCIE_LINK_WIDTH_SPEED_CONTROL);
+ val &= ~PORT_LOGIC_SPEED_CHANGE;
+ dw_pcie_writel_dbi(pci, PCIE_LINK_WIDTH_SPEED_CONTROL, val);
+
if (pcie->update_fc_fixup) {
val = dw_pcie_readl_dbi(pci, CFG_TIMER_CTRL_MAX_FUNC_NUM_OFF);
val |= 0x1 << CFG_TIMER_CTRL_ACK_NAK_SHIFT;
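Review bot: the three added lines clear PORT_LOGIC_SPEED_CHANGE with no comment, and nothing at the call site says why; add a comment carrying the reason from the changelog (the Endpoint must not initiate a speed change once the link is up at Gen1, the host owns it). Please also confirm that nothing later in pex_ep_event_pex_rst_deassert() sets the bit again.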
--
2.53.0
* [PATCH 6.1 558/969] PCI: tegra194: Allow system suspend when the Endpoint link is not up
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (556 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 557/969] PCI: tegra194: Disable direct speed change for Endpoint mode Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 559/969] spi: mtk-snfi: unregister ECC engine on probe failure and remove() callback Greg Kroah-Hartman
` (417 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vidya Sagar, Manikanta Maddireddy,
Manivannan Sadhasivam, Bjorn Helgaas, Jon Hunter, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vidya Sagar <vidyas@nvidia.com>
[ Upstream commit c76f8eae7d4695b1176c4ea5eb93c17e16a20272 ]
Host software initiates the L2 sequence. PCIe link is kept in L2 state
during suspend. If Endpoint mode is enabled and the link is up, the
software cannot proceed with suspend. However, when the PCIe Endpoint
driver is probed, but the PCIe link is not up, Tegra can go into suspend
state. So, allow system to suspend in this case.
Fixes: de2bbf2b71bb ("PCI: tegra194: Don't allow suspend when Tegra PCIe is in EP mode")
Signed-off-by: Vidya Sagar <vidyas@nvidia.com>
Signed-off-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Vidya Sagar <vidyas@nvidia.com>
Link: https://patch.msgid.link/20260324190755.1094879-10-mmaddireddy@nvidia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-tegra194.c | 31 +++++++++++++++++-----
1 file changed, 25 insertions(+), 6 deletions(-)
diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c
index 431ae321ba055..076d44c7c46ba 100644
--- a/drivers/pci/controller/dwc/pcie-tegra194.c
+++ b/drivers/pci/controller/dwc/pcie-tegra194.c
@@ -2287,16 +2287,28 @@ static int tegra_pcie_dw_remove(struct platform_device *pdev)
return 0;
}
-static int tegra_pcie_dw_suspend_late(struct device *dev)
+static int tegra_pcie_dw_suspend(struct device *dev)
{
struct tegra_pcie_dw *pcie = dev_get_drvdata(dev);
- u32 val;
if (pcie->of_data->mode == DW_PCIE_EP_TYPE) {
- dev_err(dev, "Failed to Suspend as Tegra PCIe is in EP mode\n");
- return -EPERM;
+ if (pcie->ep_state == EP_STATE_ENABLED) {
+ dev_err(dev, "Tegra PCIe is in EP mode, suspend not allowed\n");
+ return -EPERM;
+ }
+
+ disable_irq(pcie->pex_rst_irq);
+ return 0;
}
+ return 0;
+}
+
+static int tegra_pcie_dw_suspend_late(struct device *dev)
+{
+ struct tegra_pcie_dw *pcie = dev_get_drvdata(dev);
+ u32 val;
+
if (!pcie->link_state)
return 0;
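Review bot: in tegra_pcie_dw_suspend() the ep_state check happens before disable_irq(pcie->pex_rst_irq), so if ep_state is updated from the PERST# handlers (pex_ep_event_pex_rst_assert() tests it), an interrupt handled between the two can change the state after the decision to allow suspend has been made. Disable the IRQ first, then test ep_state, and re-enable it on the -EPERM path. Minor: the "return 0;" inside the Endpoint branch is redundant with the one that follows the block.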
@@ -2316,6 +2328,9 @@ static int tegra_pcie_dw_suspend_noirq(struct device *dev)
{
struct tegra_pcie_dw *pcie = dev_get_drvdata(dev);
+ if (pcie->of_data->mode == DW_PCIE_EP_TYPE)
+ return 0;
+
if (!pcie->link_state)
return 0;
@@ -2330,6 +2345,9 @@ static int tegra_pcie_dw_resume_noirq(struct device *dev)
struct tegra_pcie_dw *pcie = dev_get_drvdata(dev);
int ret;
+ if (pcie->of_data->mode == DW_PCIE_EP_TYPE)
+ return 0;
+
if (!pcie->link_state)
return 0;
@@ -2362,8 +2380,8 @@ static int tegra_pcie_dw_resume_early(struct device *dev)
u32 val;
if (pcie->of_data->mode == DW_PCIE_EP_TYPE) {
- dev_err(dev, "Suspend is not supported in EP mode");
- return -ENOTSUPP;
+ enable_irq(pcie->pex_rst_irq);
+ return 0;
}
if (!pcie->link_state)
@@ -2468,6 +2486,7 @@ static const struct of_device_id tegra_pcie_dw_of_match[] = {
};
static const struct dev_pm_ops tegra_pcie_dw_pm_ops = {
+ .suspend = tegra_pcie_dw_suspend,
.suspend_late = tegra_pcie_dw_suspend_late,
.suspend_noirq = tegra_pcie_dw_suspend_noirq,
.resume_noirq = tegra_pcie_dw_resume_noirq,
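Review bot: .suspend now disables pex_rst_irq, but the matching enable_irq() was put in tegra_pcie_dw_resume_early() and no .resume callback is added. If system suspend is aborted during the .suspend phase after this device has already been suspended, the PM core unwinds through .resume only, so the PERST# IRQ would stay disabled; pair the enable with a .resume callback, or move the disable to suspend_late so it matches resume_early.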
--
2.53.0
* [PATCH 6.1 559/969] spi: mtk-snfi: unregister ECC engine on probe failure and remove() callback
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (557 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 558/969] PCI: tegra194: Allow system suspend when the Endpoint link is not up Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 560/969] ALSA: sc6000: Use standard print API Greg Kroah-Hartman
` (416 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pei Xiao, Mark Brown, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pei Xiao <xiaopei01@kylinos.cn>
[ Upstream commit ab00febad191d7a4400aa1c3468279fb508258d4 ]
mtk_snand_probe() registers the on-host NAND ECC engine, but teardown was
missing from both probe unwind and remove-time cleanup. Add a devm cleanup
action after successful registration so
nand_ecc_unregister_on_host_hw_engine() runs automatically on probe
failures and during device removal.
Fixes: 764f1b748164 ("spi: add driver for MTK SPI NAND Flash Interface")
Signed-off-by: Pei Xiao <xiaopei01@kylinos.cn>
Link: https://patch.msgid.link/20263f885f1a9c9d559f95275298cd6de4b11ed5.1775546401.git.xiaopei01@kylinos.cn
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-mtk-snfi.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/drivers/spi/spi-mtk-snfi.c b/drivers/spi/spi-mtk-snfi.c
index d66bf9762557c..7afb2202b2d95 100644
--- a/drivers/spi/spi-mtk-snfi.c
+++ b/drivers/spi/spi-mtk-snfi.c
@@ -1276,6 +1276,13 @@ static const struct spi_controller_mem_caps mtk_snand_mem_caps = {
.ecc = true,
};
+static void mtk_unregister_ecc_engine(void *data)
+{
+ struct nand_ecc_engine *eng = data;
+
+ nand_ecc_unregister_on_host_hw_engine(eng);
+}
+
static irqreturn_t mtk_snand_irq(int irq, void *id)
{
struct mtk_snand *snf = id;
@@ -1424,6 +1431,13 @@ static int mtk_snand_probe(struct platform_device *pdev)
goto disable_clk;
}
+ ret = devm_add_action_or_reset(&pdev->dev, mtk_unregister_ecc_engine,
+ &ms->ecc_eng);
+ if (ret) {
+ dev_err_probe(&pdev->dev, ret, "failed to add ECC unregister action\n");
+ goto release_ecc;
+ }
+
ctlr->num_chipselect = 1;
ctlr->mem_ops = &mtk_snand_mem_ops;
ctlr->mem_caps = &mtk_snand_mem_caps;
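Review bot: devm_add_action_or_reset() calls mtk_unregister_ecc_engine() itself when it fails, so the "goto release_ecc" taken on that path must not lead to a second unregister; please check what the labels do. More generally, the unregister now runs from devres, that is after the goto-based unwind (release_ecc, disable_clk) on later probe failures and after remove() has returned, so the engine stays registered while the resources behind it are already torn down; either convert those steps to devm as well or unregister explicitly at the right point in both paths.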
--
2.53.0
* [PATCH 6.1 560/969] ALSA: sc6000: Use standard print API
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (558 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 559/969] spi: mtk-snfi: unregister ECC engine on probe failure and remove() callback Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 561/969] ALSA: sc6000: Keep the programmed board state in card-private data Greg Kroah-Hartman
` (415 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jaroslav Kysela, Takashi Iwai,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit e7c475b92043c02c3e6cd0c20e308fbb6f03ebde ]
Use the standard print API with dev_*() instead of the old house-baked
one. It gives better information and allows dynamic control of
debug prints.
Some functions are changed to receive a device pointer to be passed to
dev_*() calls.
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20240807133452.9424-34-tiwai@suse.de
Stable-dep-of: fb79bf127ac2 ("ALSA: sc6000: Keep the programmed board state in card-private data")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/isa/sc6000.c | 177 +++++++++++++++++++++++----------------------
1 file changed, 90 insertions(+), 87 deletions(-)
diff --git a/sound/isa/sc6000.c b/sound/isa/sc6000.c
index 60398fced046b..3115c32b4061b 100644
--- a/sound/isa/sc6000.c
+++ b/sound/isa/sc6000.c
@@ -204,7 +204,7 @@ static int sc6000_read(char __iomem *vport)
}
-static int sc6000_write(char __iomem *vport, int cmd)
+static int sc6000_write(struct device *devptr, char __iomem *vport, int cmd)
{
unsigned char val;
int loop = 500000;
@@ -221,18 +221,19 @@ static int sc6000_write(char __iomem *vport, int cmd)
cpu_relax();
} while (loop--);
- snd_printk(KERN_ERR "DSP Command (0x%x) timeout.\n", cmd);
+ dev_err(devptr, "DSP Command (0x%x) timeout.\n", cmd);
return -EIO;
}
-static int sc6000_dsp_get_answer(char __iomem *vport, int command,
+static int sc6000_dsp_get_answer(struct device *devptr,
+ char __iomem *vport, int command,
char *data, int data_len)
{
int len = 0;
- if (sc6000_write(vport, command)) {
- snd_printk(KERN_ERR "CMD 0x%x: failed!\n", command);
+ if (sc6000_write(devptr, vport, command)) {
+ dev_err(devptr, "CMD 0x%x: failed!\n", command);
return -EIO;
}
@@ -265,82 +266,86 @@ static int sc6000_dsp_reset(char __iomem *vport)
}
/* detection and initialization */
-static int sc6000_hw_cfg_write(char __iomem *vport, const int *cfg)
+static int sc6000_hw_cfg_write(struct device *devptr,
+ char __iomem *vport, const int *cfg)
{
- if (sc6000_write(vport, COMMAND_6C) < 0) {
- snd_printk(KERN_WARNING "CMD 0x%x: failed!\n", COMMAND_6C);
+ if (sc6000_write(devptr, vport, COMMAND_6C) < 0) {
+ dev_warn(devptr, "CMD 0x%x: failed!\n", COMMAND_6C);
return -EIO;
}
- if (sc6000_write(vport, COMMAND_5C) < 0) {
- snd_printk(KERN_ERR "CMD 0x%x: failed!\n", COMMAND_5C);
+ if (sc6000_write(devptr, vport, COMMAND_5C) < 0) {
+ dev_err(devptr, "CMD 0x%x: failed!\n", COMMAND_5C);
return -EIO;
}
- if (sc6000_write(vport, cfg[0]) < 0) {
- snd_printk(KERN_ERR "DATA 0x%x: failed!\n", cfg[0]);
+ if (sc6000_write(devptr, vport, cfg[0]) < 0) {
+ dev_err(devptr, "DATA 0x%x: failed!\n", cfg[0]);
return -EIO;
}
- if (sc6000_write(vport, cfg[1]) < 0) {
- snd_printk(KERN_ERR "DATA 0x%x: failed!\n", cfg[1]);
+ if (sc6000_write(devptr, vport, cfg[1]) < 0) {
+ dev_err(devptr, "DATA 0x%x: failed!\n", cfg[1]);
return -EIO;
}
- if (sc6000_write(vport, COMMAND_C5) < 0) {
- snd_printk(KERN_ERR "CMD 0x%x: failed!\n", COMMAND_C5);
+ if (sc6000_write(devptr, vport, COMMAND_C5) < 0) {
+ dev_err(devptr, "CMD 0x%x: failed!\n", COMMAND_C5);
return -EIO;
}
return 0;
}
-static int sc6000_cfg_write(char __iomem *vport, unsigned char softcfg)
+static int sc6000_cfg_write(struct device *devptr,
+ char __iomem *vport, unsigned char softcfg)
{
- if (sc6000_write(vport, WRITE_MDIRQ_CFG)) {
- snd_printk(KERN_ERR "CMD 0x%x: failed!\n", WRITE_MDIRQ_CFG);
+ if (sc6000_write(devptr, vport, WRITE_MDIRQ_CFG)) {
+ dev_err(devptr, "CMD 0x%x: failed!\n", WRITE_MDIRQ_CFG);
return -EIO;
}
- if (sc6000_write(vport, softcfg)) {
- snd_printk(KERN_ERR "sc6000_cfg_write: failed!\n");
+ if (sc6000_write(devptr, vport, softcfg)) {
+ dev_err(devptr, "%s: failed!\n", __func__);
return -EIO;
}
return 0;
}
-static int sc6000_setup_board(char __iomem *vport, int config)
+static int sc6000_setup_board(struct device *devptr,
+ char __iomem *vport, int config)
{
int loop = 10;
do {
- if (sc6000_write(vport, COMMAND_88)) {
- snd_printk(KERN_ERR "CMD 0x%x: failed!\n",
- COMMAND_88);
+ if (sc6000_write(devptr, vport, COMMAND_88)) {
+ dev_err(devptr, "CMD 0x%x: failed!\n",
+ COMMAND_88);
return -EIO;
}
} while ((sc6000_wait_data(vport) < 0) && loop--);
if (sc6000_read(vport) < 0) {
- snd_printk(KERN_ERR "sc6000_read after CMD 0x%x: failed\n",
- COMMAND_88);
+ dev_err(devptr, "sc6000_read after CMD 0x%x: failed\n",
+ COMMAND_88);
return -EIO;
}
- if (sc6000_cfg_write(vport, config))
+ if (sc6000_cfg_write(devptr, vport, config))
return -ENODEV;
return 0;
}
-static int sc6000_init_mss(char __iomem *vport, int config,
+static int sc6000_init_mss(struct device *devptr,
+ char __iomem *vport, int config,
char __iomem *vmss_port, int mss_config)
{
- if (sc6000_write(vport, DSP_INIT_MSS)) {
- snd_printk(KERN_ERR "sc6000_init_mss [0x%x]: failed!\n",
- DSP_INIT_MSS);
+ if (sc6000_write(devptr, vport, DSP_INIT_MSS)) {
+ dev_err(devptr, "%s [0x%x]: failed!\n", __func__,
+ DSP_INIT_MSS);
return -EIO;
}
msleep(10);
- if (sc6000_cfg_write(vport, config))
+ if (sc6000_cfg_write(devptr, vport, config))
return -EIO;
iowrite8(mss_config, vmss_port);
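Review bot: in sc6000_hw_cfg_write() the COMMAND_6C failure is logged with dev_warn() while the other four failures in the same function use dev_err(), yet all five return -EIO. The conversion carries the old KERN_WARNING/KERN_ERR split over unchanged; if a failed COMMAND_6C is as fatal as the rest, make it dev_err() as well, otherwise add a comment saying why this one is only a warning. Also note that sc6000_cfg_write() and sc6000_init_mss() now use __func__, while "sc6000_read after CMD 0x%x: failed" in sc6000_setup_board() still hard-codes a function name.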
@@ -348,7 +353,8 @@ static int sc6000_init_mss(char __iomem *vport, int config,
return 0;
}
-static void sc6000_hw_cfg_encode(char __iomem *vport, int *cfg,
+static void sc6000_hw_cfg_encode(struct device *devptr,
+ char __iomem *vport, int *cfg,
long xport, long xmpu,
long xmss_port, int joystick)
{
@@ -367,10 +373,11 @@ static void sc6000_hw_cfg_encode(char __iomem *vport, int *cfg,
cfg[0] |= 0x02;
cfg[1] |= 0x80; /* enable WSS system */
cfg[1] &= ~0x40; /* disable IDE */
- snd_printd("hw cfg %x, %x\n", cfg[0], cfg[1]);
+ dev_dbg(devptr, "hw cfg %x, %x\n", cfg[0], cfg[1]);
}
-static int sc6000_init_board(char __iomem *vport,
+static int sc6000_init_board(struct device *devptr,
+ char __iomem *vport,
char __iomem *vmss_port, int dev)
{
char answer[15];
@@ -384,14 +391,14 @@ static int sc6000_init_board(char __iomem *vport,
err = sc6000_dsp_reset(vport);
if (err < 0) {
- snd_printk(KERN_ERR "sc6000_dsp_reset: failed!\n");
+ dev_err(devptr, "sc6000_dsp_reset: failed!\n");
return err;
}
memset(answer, 0, sizeof(answer));
- err = sc6000_dsp_get_answer(vport, GET_DSP_COPYRIGHT, answer, 15);
+ err = sc6000_dsp_get_answer(devptr, vport, GET_DSP_COPYRIGHT, answer, 15);
if (err <= 0) {
- snd_printk(KERN_ERR "sc6000_dsp_copyright: failed!\n");
+ dev_err(devptr, "sc6000_dsp_copyright: failed!\n");
return -ENODEV;
}
/*
@@ -399,52 +406,52 @@ static int sc6000_init_board(char __iomem *vport,
* if we have something different, we have to be warned.
*/
if (strncmp("SC-6000", answer, 7))
- snd_printk(KERN_WARNING "Warning: non SC-6000 audio card!\n");
+ dev_warn(devptr, "Warning: non SC-6000 audio card!\n");
- if (sc6000_dsp_get_answer(vport, GET_DSP_VERSION, version, 2) < 2) {
- snd_printk(KERN_ERR "sc6000_dsp_version: failed!\n");
+ if (sc6000_dsp_get_answer(devptr, vport, GET_DSP_VERSION, version, 2) < 2) {
+ dev_err(devptr, "sc6000_dsp_version: failed!\n");
return -ENODEV;
}
- printk(KERN_INFO PFX "Detected model: %s, DSP version %d.%d\n",
+ dev_info(devptr, "Detected model: %s, DSP version %d.%d\n",
answer, version[0], version[1]);
/* set configuration */
- sc6000_write(vport, COMMAND_5C);
+ sc6000_write(devptr, vport, COMMAND_5C);
if (sc6000_read(vport) < 0)
old = 1;
if (!old) {
int cfg[2];
- sc6000_hw_cfg_encode(vport, &cfg[0], port[dev], mpu_port[dev],
+ sc6000_hw_cfg_encode(devptr,
+ vport, &cfg[0], port[dev], mpu_port[dev],
mss_port[dev], joystick[dev]);
- if (sc6000_hw_cfg_write(vport, cfg) < 0) {
- snd_printk(KERN_ERR "sc6000_hw_cfg_write: failed!\n");
+ if (sc6000_hw_cfg_write(devptr, vport, cfg) < 0) {
+ dev_err(devptr, "sc6000_hw_cfg_write: failed!\n");
return -EIO;
}
}
- err = sc6000_setup_board(vport, config);
+ err = sc6000_setup_board(devptr, vport, config);
if (err < 0) {
- snd_printk(KERN_ERR "sc6000_setup_board: failed!\n");
+ dev_err(devptr, "sc6000_setup_board: failed!\n");
return -ENODEV;
}
sc6000_dsp_reset(vport);
if (!old) {
- sc6000_write(vport, COMMAND_60);
- sc6000_write(vport, 0x02);
+ sc6000_write(devptr, vport, COMMAND_60);
+ sc6000_write(devptr, vport, 0x02);
sc6000_dsp_reset(vport);
}
- err = sc6000_setup_board(vport, config);
+ err = sc6000_setup_board(devptr, vport, config);
if (err < 0) {
- snd_printk(KERN_ERR "sc6000_setup_board: failed!\n");
+ dev_err(devptr, "sc6000_setup_board: failed!\n");
return -ENODEV;
}
- err = sc6000_init_mss(vport, config, vmss_port, mss_config);
+ err = sc6000_init_mss(devptr, vport, config, vmss_port, mss_config);
if (err < 0) {
- snd_printk(KERN_ERR "Cannot initialize "
- "Microsoft Sound System mode.\n");
+ dev_err(devptr, "Cannot initialize Microsoft Sound System mode.\n");
return -ENODEV;
}
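Review bot: the dev_info() at "Detected model: %s, DSP version %d.%d" prints answer with a bare %s, but answer is declared as char answer[15] and the GET_DSP_COPYRIGHT call above passes 15 as the length, so a reply that fills the buffer leaves no terminating NUL for the format to stop at. Since this line is being rewritten anyway, bound it with %.15s or request at most sizeof(answer) - 1 bytes. Separately, the return values of the sc6000_write() calls for COMMAND_5C, COMMAND_60 and 0x02 are still ignored after the conversion.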
@@ -491,39 +498,39 @@ static int snd_sc6000_match(struct device *devptr, unsigned int dev)
if (!enable[dev])
return 0;
if (port[dev] == SNDRV_AUTO_PORT) {
- printk(KERN_ERR PFX "specify IO port\n");
+ dev_err(devptr, "specify IO port\n");
return 0;
}
if (mss_port[dev] == SNDRV_AUTO_PORT) {
- printk(KERN_ERR PFX "specify MSS port\n");
+ dev_err(devptr, "specify MSS port\n");
return 0;
}
if (port[dev] != 0x220 && port[dev] != 0x240) {
- printk(KERN_ERR PFX "Port must be 0x220 or 0x240\n");
+ dev_err(devptr, "Port must be 0x220 or 0x240\n");
return 0;
}
if (mss_port[dev] != 0x530 && mss_port[dev] != 0xe80) {
- printk(KERN_ERR PFX "MSS port must be 0x530 or 0xe80\n");
+ dev_err(devptr, "MSS port must be 0x530 or 0xe80\n");
return 0;
}
if (irq[dev] != SNDRV_AUTO_IRQ && !sc6000_irq_to_softcfg(irq[dev])) {
- printk(KERN_ERR PFX "invalid IRQ %d\n", irq[dev]);
+ dev_err(devptr, "invalid IRQ %d\n", irq[dev]);
return 0;
}
if (dma[dev] != SNDRV_AUTO_DMA && !sc6000_dma_to_softcfg(dma[dev])) {
- printk(KERN_ERR PFX "invalid DMA %d\n", dma[dev]);
+ dev_err(devptr, "invalid DMA %d\n", dma[dev]);
return 0;
}
if (mpu_port[dev] != SNDRV_AUTO_PORT &&
(mpu_port[dev] & ~0x30L) != 0x300) {
- printk(KERN_ERR PFX "invalid MPU-401 port %lx\n",
+ dev_err(devptr, "invalid MPU-401 port %lx\n",
mpu_port[dev]);
return 0;
}
if (mpu_port[dev] != SNDRV_AUTO_PORT &&
mpu_irq[dev] != SNDRV_AUTO_IRQ && mpu_irq[dev] != 0 &&
!sc6000_mpu_irq_to_softcfg(mpu_irq[dev])) {
- printk(KERN_ERR PFX "invalid MPU-401 IRQ %d\n", mpu_irq[dev]);
+ dev_err(devptr, "invalid MPU-401 IRQ %d\n", mpu_irq[dev]);
return 0;
}
return 1;
@@ -534,7 +541,7 @@ static void snd_sc6000_free(struct snd_card *card)
char __iomem *vport = (char __force __iomem *)card->private_data;
if (vport)
- sc6000_setup_board(vport, 0);
+ sc6000_setup_board(card->dev, vport, 0);
}
static int __snd_sc6000_probe(struct device *devptr, unsigned int dev)
@@ -558,7 +565,7 @@ static int __snd_sc6000_probe(struct device *devptr, unsigned int dev)
if (xirq == SNDRV_AUTO_IRQ) {
xirq = snd_legacy_find_free_irq(possible_irqs);
if (xirq < 0) {
- snd_printk(KERN_ERR PFX "unable to find a free IRQ\n");
+ dev_err(devptr, "unable to find a free IRQ\n");
return -EBUSY;
}
}
@@ -566,42 +573,39 @@ static int __snd_sc6000_probe(struct device *devptr, unsigned int dev)
if (xdma == SNDRV_AUTO_DMA) {
xdma = snd_legacy_find_free_dma(possible_dmas);
if (xdma < 0) {
- snd_printk(KERN_ERR PFX "unable to find a free DMA\n");
+ dev_err(devptr, "unable to find a free DMA\n");
return -EBUSY;
}
}
if (!devm_request_region(devptr, port[dev], 0x10, DRV_NAME)) {
- snd_printk(KERN_ERR PFX
- "I/O port region is already in use.\n");
+ dev_err(devptr, "I/O port region is already in use.\n");
return -EBUSY;
}
vport = devm_ioport_map(devptr, port[dev], 0x10);
if (!vport) {
- snd_printk(KERN_ERR PFX
- "I/O port cannot be iomapped.\n");
+ dev_err(devptr, "I/O port cannot be iomapped.\n");
return -EBUSY;
}
card->private_data = (void __force *)vport;
/* to make it marked as used */
if (!devm_request_region(devptr, mss_port[dev], 4, DRV_NAME)) {
- snd_printk(KERN_ERR PFX
- "SC-6000 port I/O port region is already in use.\n");
+ dev_err(devptr,
+ "SC-6000 port I/O port region is already in use.\n");
return -EBUSY;
}
vmss_port = devm_ioport_map(devptr, mss_port[dev], 4);
if (!vmss_port) {
- snd_printk(KERN_ERR PFX
- "MSS port I/O cannot be iomapped.\n");
+ dev_err(devptr, "MSS port I/O cannot be iomapped.\n");
return -EBUSY;
}
- snd_printd("Initializing BASE[0x%lx] IRQ[%d] DMA[%d] MIRQ[%d]\n",
- port[dev], xirq, xdma,
- mpu_irq[dev] == SNDRV_AUTO_IRQ ? 0 : mpu_irq[dev]);
+ dev_dbg(devptr, "Initializing BASE[0x%lx] IRQ[%d] DMA[%d] MIRQ[%d]\n",
+ port[dev], xirq, xdma,
+ mpu_irq[dev] == SNDRV_AUTO_IRQ ? 0 : mpu_irq[dev]);
- err = sc6000_init_board(vport, vmss_port, dev);
+ err = sc6000_init_board(devptr, vport, vmss_port, dev);
if (err < 0)
return err;
card->private_free = snd_sc6000_free;
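Review bot: the message for the failed devm_request_region() on mss_port[dev] reads "SC-6000 port I/O port region is already in use.", which repeats "port" and does not name the MSS port, while the very next failure says "MSS port I/O cannot be iomapped." With the device name now supplied by dev_err(), something like "MSS I/O port region is already in use." would make the two base-port and MSS-port messages distinguishable in the log.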
@@ -613,25 +617,24 @@ static int __snd_sc6000_probe(struct device *devptr, unsigned int dev)
err = snd_wss_pcm(chip, 0);
if (err < 0) {
- snd_printk(KERN_ERR PFX
- "error creating new WSS PCM device\n");
+ dev_err(devptr, "error creating new WSS PCM device\n");
return err;
}
err = snd_wss_mixer(chip);
if (err < 0) {
- snd_printk(KERN_ERR PFX "error creating new WSS mixer\n");
+ dev_err(devptr, "error creating new WSS mixer\n");
return err;
}
err = snd_sc6000_mixer(chip);
if (err < 0) {
- snd_printk(KERN_ERR PFX "the mixer rewrite failed\n");
+ dev_err(devptr, "the mixer rewrite failed\n");
return err;
}
if (snd_opl3_create(card,
0x388, 0x388 + 2,
OPL3_HW_AUTO, 0, &opl3) < 0) {
- snd_printk(KERN_ERR PFX "no OPL device at 0x%x-0x%x ?\n",
- 0x388, 0x388 + 2);
+ dev_err(devptr, "no OPL device at 0x%x-0x%x ?\n",
+ 0x388, 0x388 + 2);
} else {
err = snd_opl3_hwdep_new(opl3, 0, 1, NULL);
if (err < 0)
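Review bot: the "no OPL device at 0x%x-0x%x ?" message is emitted with dev_err() although the code continues into the else branch and probe does not fail on it. A non-fatal, optional-device condition reads better as dev_warn() (or dev_info()), so that error-level filtering shows only what actually aborts probe. The same applies to the "no MPU-401 device at 0x%lx ?" message in the following hunk.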
@@ -645,8 +648,8 @@ static int __snd_sc6000_probe(struct device *devptr, unsigned int dev)
MPU401_HW_MPU401,
mpu_port[dev], 0,
mpu_irq[dev], NULL) < 0)
- snd_printk(KERN_ERR "no MPU-401 device at 0x%lx ?\n",
- mpu_port[dev]);
+ dev_err(devptr, "no MPU-401 device at 0x%lx ?\n",
+ mpu_port[dev]);
}
strcpy(card->driver, DRV_NAME);
--
2.53.0
* [PATCH 6.1 561/969] ALSA: sc6000: Keep the programmed board state in card-private data
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (559 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 560/969] ALSA: sc6000: Use standard print API Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 562/969] dm cache: fix missing return in invalidate_committed's error path Greg Kroah-Hartman
` (414 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
[ Upstream commit fb79bf127ac2577b4876132da6dba768018aad4c ]
The driver may auto-select IRQ and DMA resources at probe time, but
sc6000_init_board() still derives the SC-6000 soft configuration from
the module parameter arrays. When irq=auto or dma=auto is used, the
codec is created with the selected resources while the board is
programmed with the unresolved values.
Store the mapped ports and generated SC-6000 board configuration in
card-private data, build that configuration from the live probe
results instead of the raw module parameters, and keep the probe-time
board programming in a shared helper.
This fixes the resource-programming mismatch and leaves the driver
with a stable board-state block that can be reused by suspend/resume.
Fixes: c282866101bf ("ALSA: sc6000: add support for SC-6600 and SC-7000")
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20260410-alsa-sc6000-pm-v1-1-4d9e95493d26@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/isa/sc6000.c | 152 +++++++++++++++++++++++++++------------------
1 file changed, 92 insertions(+), 60 deletions(-)
diff --git a/sound/isa/sc6000.c b/sound/isa/sc6000.c
index 3115c32b4061b..4066b68a102e2 100644
--- a/sound/isa/sc6000.c
+++ b/sound/isa/sc6000.c
@@ -100,6 +100,15 @@ MODULE_PARM_DESC(joystick, "Enable gameport.");
#define PFX "sc6000: "
#define DRV_NAME "SC-6000"
+struct snd_sc6000 {
+ char __iomem *vport;
+ char __iomem *vmss_port;
+ u8 mss_config;
+ u8 config;
+ u8 hw_cfg[2];
+ bool old_dsp;
+};
+
/* hardware dependent functions */
/*
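Review bot: struct snd_sc6000 is added without any field documentation, and config versus mss_config is not self-explanatory: sc6000_prepare_board() later shows that config is mss_config plus the MPU IRQ bits. A short comment per field (what hw_cfg[0] and hw_cfg[1] hold, that old_dsp is the result of the COMMAND_5C probe) would help, given the commit message says this block is meant to be reused by suspend/resume.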
@@ -267,7 +276,7 @@ static int sc6000_dsp_reset(char __iomem *vport)
/* detection and initialization */
static int sc6000_hw_cfg_write(struct device *devptr,
- char __iomem *vport, const int *cfg)
+ char __iomem *vport, const u8 *cfg)
{
if (sc6000_write(devptr, vport, COMMAND_6C) < 0) {
dev_warn(devptr, "CMD 0x%x: failed!\n", COMMAND_6C);
@@ -353,8 +362,7 @@ static int sc6000_init_mss(struct device *devptr,
return 0;
}
-static void sc6000_hw_cfg_encode(struct device *devptr,
- char __iomem *vport, int *cfg,
+static void sc6000_hw_cfg_encode(struct device *devptr, u8 *cfg,
long xport, long xmpu,
long xmss_port, int joystick)
{
@@ -376,27 +384,83 @@ static void sc6000_hw_cfg_encode(struct device *devptr,
dev_dbg(devptr, "hw cfg %x, %x\n", cfg[0], cfg[1]);
}
-static int sc6000_init_board(struct device *devptr,
- char __iomem *vport,
- char __iomem *vmss_port, int dev)
+static void sc6000_prepare_board(struct device *devptr,
+ struct snd_sc6000 *sc6000,
+ unsigned int dev, int xirq, int xdma)
+{
+ sc6000->mss_config = sc6000_irq_to_softcfg(xirq) |
+ sc6000_dma_to_softcfg(xdma);
+ sc6000->config = sc6000->mss_config |
+ sc6000_mpu_irq_to_softcfg(mpu_irq[dev]);
+ sc6000_hw_cfg_encode(devptr, sc6000->hw_cfg, port[dev], mpu_port[dev],
+ mss_port[dev], joystick[dev]);
+}
+
+static void sc6000_detect_old_dsp(struct device *devptr,
+ struct snd_sc6000 *sc6000)
+{
+ sc6000_write(devptr, sc6000->vport, COMMAND_5C);
+ sc6000->old_dsp = sc6000_read(sc6000->vport) < 0;
+}
+
+static int sc6000_program_board(struct device *devptr,
+ struct snd_sc6000 *sc6000)
+{
+ int err;
+
+ if (!sc6000->old_dsp) {
+ if (sc6000_hw_cfg_write(devptr, sc6000->vport,
+ sc6000->hw_cfg) < 0) {
+ dev_err(devptr, "sc6000_hw_cfg_write: failed!\n");
+ return -EIO;
+ }
+ }
+
+ err = sc6000_setup_board(devptr, sc6000->vport, sc6000->config);
+ if (err < 0) {
+ dev_err(devptr, "sc6000_setup_board: failed!\n");
+ return -ENODEV;
+ }
+
+ sc6000_dsp_reset(sc6000->vport);
+
+ if (!sc6000->old_dsp) {
+ sc6000_write(devptr, sc6000->vport, COMMAND_60);
+ sc6000_write(devptr, sc6000->vport, 0x02);
+ sc6000_dsp_reset(sc6000->vport);
+ }
+
+ err = sc6000_setup_board(devptr, sc6000->vport, sc6000->config);
+ if (err < 0) {
+ dev_err(devptr, "sc6000_setup_board: failed!\n");
+ return -ENODEV;
+ }
+
+ err = sc6000_init_mss(devptr, sc6000->vport, sc6000->config,
+ sc6000->vmss_port, sc6000->mss_config);
+ if (err < 0) {
+ dev_err(devptr, "Cannot initialize Microsoft Sound System mode.\n");
+ return -ENODEV;
+ }
+
+ return 0;
+}
+
+static int sc6000_init_board(struct device *devptr, struct snd_sc6000 *sc6000)
{
char answer[15];
char version[2];
- int mss_config = sc6000_irq_to_softcfg(irq[dev]) |
- sc6000_dma_to_softcfg(dma[dev]);
- int config = mss_config |
- sc6000_mpu_irq_to_softcfg(mpu_irq[dev]);
int err;
- int old = 0;
- err = sc6000_dsp_reset(vport);
+ err = sc6000_dsp_reset(sc6000->vport);
if (err < 0) {
dev_err(devptr, "sc6000_dsp_reset: failed!\n");
return err;
}
memset(answer, 0, sizeof(answer));
- err = sc6000_dsp_get_answer(devptr, vport, GET_DSP_COPYRIGHT, answer, 15);
+ err = sc6000_dsp_get_answer(devptr, sc6000->vport, GET_DSP_COPYRIGHT,
+ answer, 15);
if (err <= 0) {
dev_err(devptr, "sc6000_dsp_copyright: failed!\n");
return -ENODEV;
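Review bot: sc6000_prepare_board() takes the resolved xirq and xdma, but still reads mpu_irq[dev] and mpu_port[dev] straight from the module parameter arrays. The dev_dbg() in probe prints "mpu_irq[dev] == SNDRV_AUTO_IRQ ? 0 : mpu_irq[dev]", so mpu_irq[dev] can still be SNDRV_AUTO_IRQ at this point; unless sc6000_mpu_irq_to_softcfg() maps that to 0, the MPU part of config has the same unresolved-value problem the commit message describes for irq and dma. Either pass the normalised MPU IRQ in as a parameter or add a comment stating that the helper handles the auto value. Minor: sc6000_detect_old_dsp() ignores the return value of sc6000_write() and relies only on sc6000_read() failing.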
@@ -408,54 +472,17 @@ static int sc6000_init_board(struct device *devptr,
if (strncmp("SC-6000", answer, 7))
dev_warn(devptr, "Warning: non SC-6000 audio card!\n");
- if (sc6000_dsp_get_answer(devptr, vport, GET_DSP_VERSION, version, 2) < 2) {
+ if (sc6000_dsp_get_answer(devptr, sc6000->vport,
+ GET_DSP_VERSION, version, 2) < 2) {
dev_err(devptr, "sc6000_dsp_version: failed!\n");
return -ENODEV;
}
dev_info(devptr, "Detected model: %s, DSP version %d.%d\n",
answer, version[0], version[1]);
- /* set configuration */
- sc6000_write(devptr, vport, COMMAND_5C);
- if (sc6000_read(vport) < 0)
- old = 1;
-
- if (!old) {
- int cfg[2];
- sc6000_hw_cfg_encode(devptr,
- vport, &cfg[0], port[dev], mpu_port[dev],
- mss_port[dev], joystick[dev]);
- if (sc6000_hw_cfg_write(devptr, vport, cfg) < 0) {
- dev_err(devptr, "sc6000_hw_cfg_write: failed!\n");
- return -EIO;
- }
- }
- err = sc6000_setup_board(devptr, vport, config);
- if (err < 0) {
- dev_err(devptr, "sc6000_setup_board: failed!\n");
- return -ENODEV;
- }
-
- sc6000_dsp_reset(vport);
-
- if (!old) {
- sc6000_write(devptr, vport, COMMAND_60);
- sc6000_write(devptr, vport, 0x02);
- sc6000_dsp_reset(vport);
- }
+ sc6000_detect_old_dsp(devptr, sc6000);
- err = sc6000_setup_board(devptr, vport, config);
- if (err < 0) {
- dev_err(devptr, "sc6000_setup_board: failed!\n");
- return -ENODEV;
- }
- err = sc6000_init_mss(devptr, vport, config, vmss_port, mss_config);
- if (err < 0) {
- dev_err(devptr, "Cannot initialize Microsoft Sound System mode.\n");
- return -ENODEV;
- }
-
- return 0;
+ return sc6000_program_board(devptr, sc6000);
}
static int snd_sc6000_mixer(struct snd_wss *chip)
@@ -538,10 +565,10 @@ static int snd_sc6000_match(struct device *devptr, unsigned int dev)
static void snd_sc6000_free(struct snd_card *card)
{
- char __iomem *vport = (char __force __iomem *)card->private_data;
+ struct snd_sc6000 *sc6000 = card->private_data;
- if (vport)
- sc6000_setup_board(card->dev, vport, 0);
+ if (sc6000->vport)
+ sc6000_setup_board(card->dev, sc6000->vport, 0);
}
static int __snd_sc6000_probe(struct device *devptr, unsigned int dev)
@@ -552,15 +579,17 @@ static int __snd_sc6000_probe(struct device *devptr, unsigned int dev)
int xirq = irq[dev];
int xdma = dma[dev];
struct snd_card *card;
+ struct snd_sc6000 *sc6000;
struct snd_wss *chip;
struct snd_opl3 *opl3;
char __iomem *vport;
char __iomem *vmss_port;
err = snd_devm_card_new(devptr, index[dev], id[dev], THIS_MODULE,
- 0, &card);
+ sizeof(*sc6000), &card);
if (err < 0)
return err;
+ sc6000 = card->private_data;
if (xirq == SNDRV_AUTO_IRQ) {
xirq = snd_legacy_find_free_irq(possible_irqs);
@@ -587,7 +616,7 @@ static int __snd_sc6000_probe(struct device *devptr, unsigned int dev)
dev_err(devptr, "I/O port cannot be iomapped.\n");
return -EBUSY;
}
- card->private_data = (void __force *)vport;
+ sc6000->vport = vport;
/* to make it marked as used */
if (!devm_request_region(devptr, mss_port[dev], 4, DRV_NAME)) {
@@ -600,12 +629,15 @@ static int __snd_sc6000_probe(struct device *devptr, unsigned int dev)
dev_err(devptr, "MSS port I/O cannot be iomapped.\n");
return -EBUSY;
}
+ sc6000->vmss_port = vmss_port;
dev_dbg(devptr, "Initializing BASE[0x%lx] IRQ[%d] DMA[%d] MIRQ[%d]\n",
port[dev], xirq, xdma,
mpu_irq[dev] == SNDRV_AUTO_IRQ ? 0 : mpu_irq[dev]);
- err = sc6000_init_board(devptr, vport, vmss_port, dev);
+ sc6000_prepare_board(devptr, sc6000, dev, xirq, xdma);
+
+ err = sc6000_init_board(devptr, sc6000);
if (err < 0)
return err;
card->private_free = snd_sc6000_free;
--
2.53.0
* [PATCH 6.1 562/969] dm cache: fix missing return in invalidate_committed's error path
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (560 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 561/969] ALSA: sc6000: Keep the programmed board state in card-private data Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 563/969] gfs2: Call unlock_new_inode before d_instantiate Greg Kroah-Hartman
` (413 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Ming-Hung Tsai,
Mikulas Patocka, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming-Hung Tsai <mtsai@redhat.com>
[ Upstream commit 8c0ee19db81f0fa1ff25fd75b22b17c0cc2acde3 ]
In passthrough mode, dm-cache defers write submission until after
metadata commit completes via the invalidate_committed() continuation.
On commit error, invalidate_committed() calls invalidate_complete() to
end the bio and free the migration struct, after which it should return
immediately.
The patch 4ca8b8bd952d ("dm cache: fix write hang in passthrough mode")
omitted this early return, causing execution to fall through into the
success path on error. This results in use-after-free on the migration
struct in the subsequent calls.
Fix by adding the missing return after the invalidate_complete() call.
Fixes: 4ca8b8bd952d ("dm cache: fix write hang in passthrough mode")
Reported-by: Dan Carpenter <error27@gmail.com>
Closes: https://lore.kernel.org/dm-devel/adjMq6T5RRjv_uxM@stanley.mountain/
Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-cache-target.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/md/dm-cache-target.c b/drivers/md/dm-cache-target.c
index cd48cefe0409a..e47033fc53106 100644
--- a/drivers/md/dm-cache-target.c
+++ b/drivers/md/dm-cache-target.c
@@ -1502,8 +1502,10 @@ static void invalidate_committed(struct work_struct *ws)
struct bio *bio = mg->overwrite_bio;
struct per_bio_data *pb = get_per_bio_data(bio);
- if (mg->k.input)
+ if (mg->k.input) {
invalidate_complete(mg, false);
+ return;
+ }
init_continuation(&mg->k, invalidate_completed);
remap_to_origin_clear_discard(cache, bio, mg->invalidate_oblock);
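Review bot: the early return in the mg->k.input branch is only obviously required if the reader knows that invalidate_complete() frees mg, which the code here does not say. A one-line comment at the return, for example "mg is freed by invalidate_complete()", would make it harder for a later cleanup to reintroduce the fall-through into init_continuation(&mg->k, ...) that this patch fixes.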
--
2.53.0
* [PATCH 6.1 563/969] gfs2: Call unlock_new_inode before d_instantiate
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (561 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 562/969] dm cache: fix missing return in invalidate_committed's error path Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 564/969] ktest: Avoid undef warning when WARNINGS_FILE is unset Greg Kroah-Hartman
` (412 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+0ea5108a1f5fb4fcc2d8,
Andreas Gruenbacher, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andreas Gruenbacher <agruenba@redhat.com>
[ Upstream commit 2ff7cf7e0640ff071ebc5c7e3dc2df024a7c91e6 ]
As Neil Brown describes in detail in the link referenced below, new
inodes must be unlocked before they can be instantiated.
An even better fix is to use d_instantiate_new(), which combines
d_instantiate() and unlock_new_inode().
Fixes: 3d36e57ff768 ("gfs2: gfs2_create_inode rework")
Reported-by: syzbot+0ea5108a1f5fb4fcc2d8@syzkaller.appspotmail.com
Link: https://lore.kernel.org/linux-fsdevel/177153754005.8396.8777398743501764194@noble.neil.brown.name/
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/gfs2/inode.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c
index 3048e3ca4b382..c291b9382e994 100644
--- a/fs/gfs2/inode.c
+++ b/fs/gfs2/inode.c
@@ -779,7 +779,7 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
goto fail_gunlock4;
mark_inode_dirty(inode);
- d_instantiate(dentry, inode);
+ d_instantiate_new(dentry, inode);
/* After instantiate, errors should result in evict which will destroy
* both inode and iopen glocks properly. */
if (file) {
@@ -791,7 +791,6 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
gfs2_glock_dq_uninit(ghs + 1);
gfs2_glock_put(io_gl);
gfs2_qa_put(dip);
- unlock_new_inode(inode);
return error;
fail_gunlock4:
--
2.53.0
* [PATCH 6.1 564/969] ktest: Avoid undef warning when WARNINGS_FILE is unset
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (562 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 563/969] gfs2: Call unlock_new_inode before d_instantiate Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 565/969] ktest: Honor empty per-test option overrides Greg Kroah-Hartman
` (411 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, John Hawley, Andrea Righi,
Marcos Paulo de Souza, Matthieu Baerts,
Fernando Fernandez Mancera, Pedro Falcato,
Ricardo B . Marlière, Steven Rostedt, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo B. Marlière <rbm@suse.com>
[ Upstream commit 057854f8a595160656fe77ed7bf0d2403724b915 ]
check_buildlog() probes $warnings_file with -f even when WARNINGS_FILE is
not configured. Perl warns about the uninitialized value and adds noise to
the test log, which can hide the output we actually care about.
Check that WARNINGS_FILE is defined before testing whether the file exists.
Cc: John Hawley <warthog9@eaglescrag.net>
Cc: Andrea Righi <arighi@nvidia.com>
Cc: Marcos Paulo de Souza <mpdesouza@suse.com>
Cc: Matthieu Baerts <matttbe@kernel.org>
Cc: Fernando Fernandez Mancera <fmancera@suse.de>
Cc: Pedro Falcato <pfalcato@suse.de>
Link: https://patch.msgid.link/20260307-ktest-fixes-v1-1-565d412f4925@suse.com
Fixes: 4283b169abfb ("ktest: Add make_warnings_file and process full warnings")
Signed-off-by: Ricardo B. Marlière <rbm@suse.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/ktest/ktest.pl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/testing/ktest/ktest.pl b/tools/testing/ktest/ktest.pl
index b1bd8be3cf666..d752c4bd0d8b3 100755
--- a/tools/testing/ktest/ktest.pl
+++ b/tools/testing/ktest/ktest.pl
@@ -2465,7 +2465,7 @@ sub check_buildlog {
my $save_no_reboot = $no_reboot;
$no_reboot = 1;
- if (-f $warnings_file) {
+ if (defined($warnings_file) && -f $warnings_file) {
open(IN, $warnings_file) or
dodie "Error opening $warnings_file";
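Review bot: the open(IN, $warnings_file) inside the now-guarded block is a two-argument open on a bareword handle, so Perl interprets any leading or trailing mode characters in the configured WARNINGS_FILE value instead of treating the whole string as a file name. This is not introduced by the patch, but since the condition directly above is being touched, consider open(my $in, '<', $warnings_file) here. The defined() guard itself is correct and short-circuits before -f sees an undefined value.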
--
2.53.0
* [PATCH 6.1 565/969] ktest: Honor empty per-test option overrides
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (563 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 564/969] ktest: Avoid undef warning when WARNINGS_FILE is unset Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 566/969] ktest: Run POST_KTEST hooks on failure and cancellation Greg Kroah-Hartman
` (410 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, John Hawley, Andrea Righi,
Marcos Paulo de Souza, Matthieu Baerts,
Fernando Fernandez Mancera, Pedro Falcato,
Ricardo B . Marlière, Steven Rostedt, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo B. Marlière <rbm@suse.com>
[ Upstream commit a2de57a3c8192dcd67cccaff6c341b93748d799b ]
A per-test override can clear an inherited default option by assigning an
empty value, but __set_test_option() still used option_defined() to decide
whether a per-test key existed. That turned an empty per-test assignment
back into "fall back to the default", so tests still could not clear
inherited settings.
For example:
DEFAULTS
(...)
LOG_FILE = /tmp/ktest-empty-override.log
CLEAR_LOG = 1
ADD_CONFIG = /tmp/.config
TEST_START
TEST_TYPE = build
BUILD_TYPE = nobuild
ADD_CONFIG =
This would run the test with ADD_CONFIG[1] = /tmp/.config
Fix by checking whether the per-test key exists before falling back. If it
does exist but is empty, treat it as unset for that test and stop the
fallback chain there.
Cc: John Hawley <warthog9@eaglescrag.net>
Cc: Andrea Righi <arighi@nvidia.com>
Cc: Marcos Paulo de Souza <mpdesouza@suse.com>
Cc: Matthieu Baerts <matttbe@kernel.org>
Cc: Fernando Fernandez Mancera <fmancera@suse.de>
Cc: Pedro Falcato <pfalcato@suse.de>
Link: https://patch.msgid.link/20260307-ktest-fixes-v1-4-565d412f4925@suse.com
Fixes: 22c37a9ac49d ("ktest: Allow tests to undefine default options")
Signed-off-by: Ricardo B. Marlière <rbm@suse.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/ktest/ktest.pl | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/tools/testing/ktest/ktest.pl b/tools/testing/ktest/ktest.pl
index d752c4bd0d8b3..28eebfa32621d 100755
--- a/tools/testing/ktest/ktest.pl
+++ b/tools/testing/ktest/ktest.pl
@@ -4106,7 +4106,8 @@ sub __set_test_option {
my $option = "$name\[$i\]";
- if (option_defined($option)) {
+ if (exists($opt{$option})) {
+ return undef if (!option_defined($option));
return $opt{$option};
}
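Review bot: The two-step test in this hunk (`exists($opt{$option})` followed by `return undef if (!option_defined($option));`) has no comment, and the reason for it is not obvious from the code alone. A short comment stating that a key which exists but is empty deliberately stops the fallback to the DEFAULTS value would keep a later cleanup from collapsing it back into a single option_defined() check, which is the behaviour the changelog describes as the bug.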
@@ -4114,7 +4115,8 @@ sub __set_test_option {
if ($i >= $test &&
$i < $test + $repeat_tests{$test}) {
$option = "$name\[$test\]";
- if (option_defined($option)) {
+ if (exists($opt{$option})) {
+ return undef if (!option_defined($option));
return $opt{$option};
}
}
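Review bot: The `exists` / `return undef if (!option_defined($option));` / `return $opt{$option};` sequence in the repeat-range branch is a verbatim copy of the one added in the previous hunk. Pulling it into a small helper that takes `$option` and reports whether the key was present would keep the two lookups from drifting apart the next time the override semantics change.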
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 566/969] ktest: Run POST_KTEST hooks on failure and cancellation
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (564 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 565/969] ktest: Honor empty per-test option overrides Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 567/969] quota: Fix race of dquot_scan_active() with quota deactivation Greg Kroah-Hartman
` (409 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, John Hawley, Andrea Righi,
Marcos Paulo de Souza, Matthieu Baerts,
Fernando Fernandez Mancera, Pedro Falcato,
Ricardo B . Marlière, Steven Rostedt, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo B. Marlière <rbm@suse.com>
[ Upstream commit bc6e165a452da909cef0efbc286e6695624db372 ]
PRE_KTEST can be useful for setting up the environment and POST_KTEST to
tear it down, however POST_KTEST only runs on the normal end-of-run path.
It is skipped when ktest exits through dodie() or cancel_test(). Final
cleanup hooks are skipped.
Factor the final hook execution into run_post_ktest(), call it from the
normal exit path and from the early exit paths, and guard it so the hook
runs at most once.
Cc: John Hawley <warthog9@eaglescrag.net>
Cc: Andrea Righi <arighi@nvidia.com>
Cc: Marcos Paulo de Souza <mpdesouza@suse.com>
Cc: Matthieu Baerts <matttbe@kernel.org>
Cc: Fernando Fernandez Mancera <fmancera@suse.de>
Cc: Pedro Falcato <pfalcato@suse.de>
Link: https://patch.msgid.link/20260307-ktest-fixes-v1-8-565d412f4925@suse.com
Fixes: 921ed4c7208e ("ktest: Add PRE/POST_KTEST and TEST options")
Signed-off-by: Ricardo B. Marlière <rbm@suse.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/ktest/ktest.pl | 27 ++++++++++++++++++++++-----
1 file changed, 22 insertions(+), 5 deletions(-)
diff --git a/tools/testing/ktest/ktest.pl b/tools/testing/ktest/ktest.pl
index 28eebfa32621d..df8588dadc2ca 100755
--- a/tools/testing/ktest/ktest.pl
+++ b/tools/testing/ktest/ktest.pl
@@ -98,6 +98,7 @@ my $test_type;
my $build_type;
my $build_options;
my $final_post_ktest;
+my $post_ktest_done = 0;
my $pre_ktest;
my $post_ktest;
my $pre_test;
@@ -1530,6 +1531,24 @@ sub get_test_name() {
return $name;
}
+sub run_post_ktest {
+ my $cmd;
+
+ return if ($post_ktest_done);
+
+ if (defined($final_post_ktest)) {
+ $cmd = $final_post_ktest;
+ } elsif (defined($post_ktest)) {
+ $cmd = $post_ktest;
+ } else {
+ return;
+ }
+
+ my $cp_post_ktest = eval_kernel_version($cmd);
+ run_command $cp_post_ktest;
+ $post_ktest_done = 1;
+}
+
sub dodie {
# avoid recursion
return if ($in_die);
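Review bot: In run_post_ktest, `$post_ktest_done = 1;` is assigned only after `run_command $cp_post_ktest;` returns, so the guard is not yet set while the hook is running. If a SIGINT arrives during the hook and reaches cancel_test, which now also calls run_post_ktest, the flag is still 0 and the hook is started a second time. Setting the flag before `run_command` would give the "at most once" behaviour the changelog promises even when the hook itself is interrupted or fails.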
@@ -1589,6 +1608,7 @@ sub dodie {
if (defined($post_test)) {
run_command $post_test;
}
+ run_post_ktest;
die @_, "\n";
}
@@ -4223,6 +4243,7 @@ sub cancel_test {
send_email("KTEST: Your [$name] test was cancelled",
"Your test started at $script_start_time was cancelled: sig int");
}
+ run_post_ktest;
die "\nCaught Sig Int, test interrupted: $!\n"
}
@@ -4533,11 +4554,7 @@ for (my $i = 1; $i <= $opt{"NUM_TESTS"}; $i++) {
success $i;
}
-if (defined($final_post_ktest)) {
-
- my $cp_final_post_ktest = eval_kernel_version $final_post_ktest;
- run_command $cp_final_post_ktest;
-}
+run_post_ktest;
if ($opt{"POWEROFF_ON_SUCCESS"}) {
halt;
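Review bot: The block removed at the end of the main loop ran only `$final_post_ktest`, but the run_post_ktest call that replaces it falls back to `$post_ktest` when `$final_post_ktest` is undefined. That is a behaviour change on the normal exit path as well, not just on the dodie() and cancel_test() paths, and the changelog does not mention it. If the fallback is intended, please say so in the commit message; if not, the `elsif (defined($post_ktest))` branch in run_post_ktest should go.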
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 567/969] quota: Fix race of dquot_scan_active() with quota deactivation
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (565 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 566/969] ktest: Run POST_KTEST hooks on failure and cancellation Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 568/969] gfs2: add some missing log locking Greg Kroah-Hartman
` (408 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sam Sun, Jan Kara, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
[ Upstream commit e93ab401da4b2e2c1b8ef2424de2f238d51c8b2d ]
dquot_scan_active() can race with quota deactivation in
quota_release_workfn() like:
CPU0 (quota_release_workfn) CPU1 (dquot_scan_active)
============================== ==============================
spin_lock(&dq_list_lock);
list_replace_init(
&releasing_dquots, &rls_head);
/* dquot X on rls_head,
dq_count == 0,
DQ_ACTIVE_B still set */
spin_unlock(&dq_list_lock);
synchronize_srcu(&dquot_srcu);
spin_lock(&dq_list_lock);
list_for_each_entry(dquot,
&inuse_list, dq_inuse) {
/* finds dquot X */
dquot_active(X) -> true
atomic_inc(&X->dq_count);
}
spin_unlock(&dq_list_lock);
spin_lock(&dq_list_lock);
dquot = list_first_entry(&rls_head);
WARN_ON_ONCE(atomic_read(&dquot->dq_count));
The problem is not only a cosmetic one as under memory pressure the
caller of dquot_scan_active() can end up working on freed dquot.
Fix the problem by making sure the dquot is removed from releasing list
when we acquire a reference to it.
Fixes: 869b6ea1609f ("quota: Fix slow quotaoff")
Reported-by: Sam Sun <samsun1006219@gmail.com>
Link: https://lore.kernel.org/all/CAEkJfYPTt3uP1vAYnQ5V2ZWn5O9PLhhGi5HbOcAzyP9vbXyjeg@mail.gmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/quota/dquot.c | 38 ++++++++++++++++++++++++++++++--------
include/linux/quotaops.h | 9 +--------
2 files changed, 31 insertions(+), 16 deletions(-)
diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
index 0f82db69d2d86..0aa0ed754f2e0 100644
--- a/fs/quota/dquot.c
+++ b/fs/quota/dquot.c
@@ -362,6 +362,31 @@ static inline int dquot_active(struct dquot *dquot)
return test_bit(DQ_ACTIVE_B, &dquot->dq_flags);
}
+static struct dquot *__dqgrab(struct dquot *dquot)
+{
+ lockdep_assert_held(&dq_list_lock);
+ if (!atomic_read(&dquot->dq_count))
+ remove_free_dquot(dquot);
+ atomic_inc(&dquot->dq_count);
+ return dquot;
+}
+
+/*
+ * Get reference to dquot when we got pointer to it by some other means. The
+ * dquot has to be active and the caller has to make sure it cannot get
+ * deactivated under our hands.
+ */
+struct dquot *dqgrab(struct dquot *dquot)
+{
+ spin_lock(&dq_list_lock);
+ WARN_ON_ONCE(!dquot_active(dquot));
+ dquot = __dqgrab(dquot);
+ spin_unlock(&dq_list_lock);
+
+ return dquot;
+}
+EXPORT_SYMBOL_GPL(dqgrab);
+
static inline int dquot_dirty(struct dquot *dquot)
{
return test_bit(DQ_MOD_B, &dquot->dq_flags);
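Review bot: __dqgrab() has no comment explaining why a zero `dq_count` leads to `remove_free_dquot(dquot);`. The changelog says the point of the fix is to take the dquot off the releasing list, while the helper's name only mentions the free list, so a reader of this function alone cannot tell that the releasing-list case is covered. A one-line comment above the `if (!atomic_read(&dquot->dq_count))` test stating which lists a zero-count dquot can be on, and that the removal must happen under dq_list_lock, would document the invariant the fix relies on.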
@@ -640,15 +665,14 @@ int dquot_scan_active(struct super_block *sb,
continue;
if (dquot->dq_sb != sb)
continue;
- /* Now we have active dquot so we can just increase use count */
- atomic_inc(&dquot->dq_count);
+ __dqgrab(dquot);
spin_unlock(&dq_list_lock);
dqput(old_dquot);
old_dquot = dquot;
/*
* ->release_dquot() can be racing with us. Our reference
- * protects us from new calls to it so just wait for any
- * outstanding call and recheck the DQ_ACTIVE_B after that.
+ * protects us from dquot_release() proceeding so just wait for
+ * any outstanding call and recheck the DQ_ACTIVE_B after that.
*/
wait_on_dquot(dquot);
if (dquot_active(dquot)) {
@@ -716,7 +740,7 @@ int dquot_writeback_dquots(struct super_block *sb, int type)
/* Now we have active dquot from which someone is
* holding reference so we can safely just increase
* use count */
- dqgrab(dquot);
+ __dqgrab(dquot);
spin_unlock(&dq_list_lock);
err = dquot_write_dquot(dquot);
if (err && !ret)
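Review bot: The comment kept above `__dqgrab(dquot);` still says someone is holding a reference so the use count can simply be increased, but the call it now describes also handles `dq_count == 0` by unlinking the dquot, and the WARN_ON_ONCE checks that the old dqgrab() performed here are gone. Either update the comment to match what __dqgrab() does, or keep a `WARN_ON_ONCE(!dquot_active(dquot));` at this site so a violated assumption is still reported.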
@@ -971,9 +995,7 @@ struct dquot *dqget(struct super_block *sb, struct kqid qid)
spin_unlock(&dq_list_lock);
dqstats_inc(DQST_LOOKUPS);
} else {
- if (!atomic_read(&dquot->dq_count))
- remove_free_dquot(dquot);
- atomic_inc(&dquot->dq_count);
+ __dqgrab(dquot);
spin_unlock(&dq_list_lock);
dqstats_inc(DQST_CACHE_HITS);
dqstats_inc(DQST_LOOKUPS);
diff --git a/include/linux/quotaops.h b/include/linux/quotaops.h
index 3abd249ec3373..7078e6f2429af 100644
--- a/include/linux/quotaops.h
+++ b/include/linux/quotaops.h
@@ -44,14 +44,7 @@ int dquot_initialize(struct inode *inode);
bool dquot_initialize_needed(struct inode *inode);
void dquot_drop(struct inode *inode);
struct dquot *dqget(struct super_block *sb, struct kqid qid);
-static inline struct dquot *dqgrab(struct dquot *dquot)
-{
- /* Make sure someone else has active reference to dquot */
- WARN_ON_ONCE(!atomic_read(&dquot->dq_count));
- WARN_ON_ONCE(!test_bit(DQ_ACTIVE_B, &dquot->dq_flags));
- atomic_inc(&dquot->dq_count);
- return dquot;
-}
+struct dquot *dqgrab(struct dquot *dquot);
static inline bool dquot_is_busy(struct dquot *dquot)
{
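Review bot: The changelog does not mention that the contract of dqgrab() changes with this declaration. The removed inline version warned when `dq_count` was zero and took no lock; the out-of-line replacement in dquot.c acquires dq_list_lock and no longer checks `dq_count`. Callers of dqgrab() outside fs/quota/dquot.c are not visible in this patch, so a sentence in the commit message and a comment at this declaration (must not be called with dq_list_lock held, may sleep-free spin) would help anyone auditing those callers for the backport.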
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 568/969] gfs2: add some missing log locking
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (566 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 567/969] quota: Fix race of dquot_scan_active() with quota deactivation Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 569/969] gfs2: prevent NULL pointer dereference during unmount Greg Kroah-Hartman
` (407 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Andreas Gruenbacher, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andreas Gruenbacher <agruenba@redhat.com>
[ Upstream commit fe2c8d051150b90b3ccb85f89e3b1d636cb88ec8 ]
Function gfs2_logd() calls the log flushing functions gfs2_ail1_start(),
gfs2_ail1_wait(), and gfs2_ail1_empty() without holding sdp->sd_log_flush_lock,
but these functions require exclusion against concurrent transactions.
To fix that, add a non-locking __gfs2_log_flush() function. Then, in
gfs2_logd(), take sdp->sd_log_flush_lock before calling the above mentioned log
flushing functions and __gfs2_log_flush().
Fixes: 5e4c7632aae1c ("gfs2: Issue revokes more intelligently")
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/gfs2/log.c | 28 ++++++++++++++++++++--------
1 file changed, 20 insertions(+), 8 deletions(-)
diff --git a/fs/gfs2/log.c b/fs/gfs2/log.c
index 45f519ececd97..de6f38523db33 100644
--- a/fs/gfs2/log.c
+++ b/fs/gfs2/log.c
@@ -1025,14 +1025,15 @@ static void trans_drain(struct gfs2_trans *tr)
}
/**
- * gfs2_log_flush - flush incore transaction(s)
+ * __gfs2_log_flush - flush incore transaction(s)
* @sdp: The filesystem
* @gl: The glock structure to flush. If NULL, flush the whole incore log
* @flags: The log header flags: GFS2_LOG_HEAD_FLUSH_* and debug flags
*
*/
-void gfs2_log_flush(struct gfs2_sbd *sdp, struct gfs2_glock *gl, u32 flags)
+static void __gfs2_log_flush(struct gfs2_sbd *sdp, struct gfs2_glock *gl,
+ u32 flags)
{
struct gfs2_trans *tr = NULL;
unsigned int reserved_blocks = 0, used_blocks = 0;
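Review bot: The kernel-doc block renamed to __gfs2_log_flush does not say that the caller must now hold sdp->sd_log_flush_lock for write. Since the locking requirement is the whole point of the split, please add it to the comment, and consider a `lockdep_assert_held_write(&sdp->sd_log_flush_lock);` at the top of the function so a future caller that forgets the lock is caught at runtime. The public gfs2_log_flush() wrapper added later in the patch is also left without a kernel-doc comment.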
@@ -1040,7 +1041,6 @@ void gfs2_log_flush(struct gfs2_sbd *sdp, struct gfs2_glock *gl, u32 flags)
unsigned int first_log_head;
unsigned int reserved_revokes = 0;
- down_write(&sdp->sd_log_flush_lock);
trace_gfs2_log_flush(sdp, 1, flags);
repeat:
@@ -1151,7 +1151,6 @@ void gfs2_log_flush(struct gfs2_sbd *sdp, struct gfs2_glock *gl, u32 flags)
gfs2_assert_withdraw_delayed(sdp, used_blocks < reserved_blocks);
gfs2_log_release(sdp, reserved_blocks - used_blocks);
}
- up_write(&sdp->sd_log_flush_lock);
gfs2_trans_free(sdp, tr);
if (gfs2_withdrawing(sdp))
gfs2_withdraw(sdp);
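Review bot: With `up_write(&sdp->sd_log_flush_lock);` removed at this point, the `gfs2_trans_free(sdp, tr);` call and the `gfs2_withdraw(sdp);` call that follow it now run with sd_log_flush_lock still held for write, because the new gfs2_log_flush() wrapper only releases the lock after __gfs2_log_flush() returns. Before this patch both ran after the lock had been dropped. Please confirm that the withdraw path never tries to take sd_log_flush_lock or flush the log itself, and note the change in lock scope in the changelog; otherwise release the lock before these two calls as the old code did.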
@@ -1174,6 +1173,13 @@ void gfs2_log_flush(struct gfs2_sbd *sdp, struct gfs2_glock *gl, u32 flags)
goto out_end;
}
+void gfs2_log_flush(struct gfs2_sbd *sdp, struct gfs2_glock *gl, u32 flags)
+{
+ down_write(&sdp->sd_log_flush_lock);
+ __gfs2_log_flush(sdp, gl, flags);
+ up_write(&sdp->sd_log_flush_lock);
+}
+
/**
* gfs2_merge_trans - Merge a new transaction into a cached transaction
* @sdp: the filesystem
@@ -1319,19 +1325,25 @@ int gfs2_logd(void *data)
}
if (gfs2_jrnl_flush_reqd(sdp) || t == 0) {
+ down_write(&sdp->sd_log_flush_lock);
gfs2_ail1_empty(sdp, 0);
- gfs2_log_flush(sdp, NULL, GFS2_LOG_HEAD_FLUSH_NORMAL |
- GFS2_LFC_LOGD_JFLUSH_REQD);
+ __gfs2_log_flush(sdp, NULL,
+ GFS2_LOG_HEAD_FLUSH_NORMAL |
+ GFS2_LFC_LOGD_JFLUSH_REQD);
+ up_write(&sdp->sd_log_flush_lock);
}
if (test_bit(SDF_FORCE_AIL_FLUSH, &sdp->sd_flags) ||
gfs2_ail_flush_reqd(sdp)) {
clear_bit(SDF_FORCE_AIL_FLUSH, &sdp->sd_flags);
+ down_write(&sdp->sd_log_flush_lock);
gfs2_ail1_start(sdp);
gfs2_ail1_wait(sdp);
gfs2_ail1_empty(sdp, 0);
- gfs2_log_flush(sdp, NULL, GFS2_LOG_HEAD_FLUSH_NORMAL |
- GFS2_LFC_LOGD_AIL_FLUSH_REQD);
+ __gfs2_log_flush(sdp, NULL,
+ GFS2_LOG_HEAD_FLUSH_NORMAL |
+ GFS2_LFC_LOGD_AIL_FLUSH_REQD);
+ up_write(&sdp->sd_log_flush_lock);
}
t = gfs2_tune_get(sdp, gt_logd_secs) * HZ;
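Review bot: In the second block of this hunk, `gfs2_ail1_wait(sdp);` now sits between `down_write(&sdp->sd_log_flush_lock);` and `up_write(...)`, so the write lock is held across a wait. The changelog explains why exclusion is needed but not what this does to concurrent transactions while logd is waiting. A comment at the `down_write()` saying the hold time is intentional would help, and it is worth checking that nothing gfs2_ail1_wait() depends on needs the same lock to make progress.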
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 569/969] gfs2: prevent NULL pointer dereference during unmount
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (567 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 568/969] gfs2: add some missing log locking Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 570/969] efi/capsule-loader: fix incorrect sizeof in phys array reallocation Greg Kroah-Hartman
` (406 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Dan Carpenter,
Andreas Gruenbacher, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andreas Gruenbacher <agruenba@redhat.com>
[ Upstream commit 74b4dbb946060a3233604d91859a9abd3708141d ]
When flushing out outstanding glock work during an unmount, gfs2_log_flush()
can be called when sdp->sd_jdesc has already been deallocated and sdp->sd_jdesc
is NULL. Commit 35264909e9d1 ("gfs2: Fix NULL pointer dereference in
gfs2_log_flush") added a check for that to gfs2_log_flush() itself, but it
missed the sdp->sd_jdesc dereference in gfs2_log_release(). Fix that.
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <error27@gmail.com>
Closes: https://lore.kernel.org/r/202604071139.HNJiCaAi-lkp@intel.com/
Fixes: 35264909e9d1 ("gfs2: Fix NULL pointer dereference in gfs2_log_flush")
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/gfs2/log.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/fs/gfs2/log.c b/fs/gfs2/log.c
index de6f38523db33..229ceed689f69 100644
--- a/fs/gfs2/log.c
+++ b/fs/gfs2/log.c
@@ -478,8 +478,9 @@ void gfs2_log_release(struct gfs2_sbd *sdp, unsigned int blks)
{
atomic_add(blks, &sdp->sd_log_blks_free);
trace_gfs2_log_blocks(sdp, blks);
- gfs2_assert_withdraw(sdp, atomic_read(&sdp->sd_log_blks_free) <=
- sdp->sd_jdesc->jd_blocks);
+ gfs2_assert_withdraw(sdp, !sdp->sd_jdesc ||
+ atomic_read(&sdp->sd_log_blks_free) <=
+ sdp->sd_jdesc->jd_blocks);
if (atomic_read(&sdp->sd_log_blks_needed))
wake_up(&sdp->sd_log_waitq);
}
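Review bot: The new assertion reads `sdp->sd_jdesc` twice, once in `!sdp->sd_jdesc ||` and again in `sdp->sd_jdesc->jd_blocks`. The changelog says this path runs while the journal descriptor is being torn down during unmount, so if the pointer can be cleared concurrently the second read can still observe NULL. Loading it once into a local (for example with READ_ONCE()) and using that local for both the test and the dereference would close the window; if teardown is known to be serialized against this call, a comment saying so would be enough.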
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 570/969] efi/capsule-loader: fix incorrect sizeof in phys array reallocation
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (568 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 569/969] gfs2: prevent NULL pointer dereference during unmount Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 571/969] ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine Greg Kroah-Hartman
` (405 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Huth, Ard Biesheuvel,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Huth <thuth@redhat.com>
[ Upstream commit 48a428215782321b56956974f23593e40ce84b7a ]
The krealloc() call for cap_info->phys in __efi_capsule_setup_info() uses
sizeof(phys_addr_t *) instead of sizeof(phys_addr_t), which might be
causing an undersized allocation.
The allocation is also inconsistent with the initial array allocation in
efi_capsule_open() that allocates one entry with sizeof(phys_addr_t),
and the efi_capsule_write() function that stores phys_addr_t values (not
pointers) via page_to_phys().
On 64-bit systems where sizeof(phys_addr_t) == sizeof(phys_addr_t *), this
goes unnoticed. On 32-bit systems with PAE where phys_addr_t is 64-bit but
pointers are 32-bit, this allocates half the required space, which might
lead to a heap buffer overflow when storing physical addresses.
This is similar to the bug fixed in commit fccfa646ef36 ("efi/capsule-loader:
fix incorrect allocation size") which fixed the same issue at the initial
allocation site.
Fixes: f24c4d478013 ("efi/capsule-loader: Reinstate virtual capsule mapping")
Assisted-by: Claude:claude-sonnet-4-5
Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/efi/capsule-loader.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/firmware/efi/capsule-loader.c b/drivers/firmware/efi/capsule-loader.c
index 97bafb5f70389..c6a8bdbcae71b 100644
--- a/drivers/firmware/efi/capsule-loader.c
+++ b/drivers/firmware/efi/capsule-loader.c
@@ -67,7 +67,7 @@ int __efi_capsule_setup_info(struct capsule_info *cap_info)
cap_info->pages = temp_page;
temp_page = krealloc(cap_info->phys,
- pages_needed * sizeof(phys_addr_t *),
+ pages_needed * sizeof(phys_addr_t),
GFP_KERNEL | __GFP_ZERO);
if (!temp_page)
return -ENOMEM;
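Review bot: The corrected size expression `pages_needed * sizeof(phys_addr_t)` still names the element type by hand and open-codes the multiplication. Writing it as `sizeof(*cap_info->phys)` ties the element size to the array being reallocated, which is what went wrong here in the first place, and `krealloc_array(cap_info->phys, pages_needed, sizeof(*cap_info->phys), GFP_KERNEL | __GFP_ZERO)` would also add an overflow check on the count. Reusing `temp_page` to hold the result of the phys reallocation hides the type mismatch from the compiler as well; a separate local of the right pointer type would make this class of mistake easier to spot.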
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 571/969] ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (569 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 570/969] efi/capsule-loader: fix incorrect sizeof in phys array reallocation Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 572/969] ARM: dts: mediatek: mt7623: fix efuse fallback compatible Greg Kroah-Hartman
` (404 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joshua Klinesmith, Namjae Jeon,
Steve French, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joshua Klinesmith <joshuaklinesmith@gmail.com>
[ Upstream commit 3e298897f41c61450c2e7a4f457e8b2485eb35b3 ]
ksmbd_crypt_message() sets a NULL completion callback on AEAD requests
and does not handle the -EINPROGRESS return code from async hardware
crypto engines like the Qualcomm Crypto Engine (QCE). When QCE returns
-EINPROGRESS, ksmbd treats it as an error and immediately frees the
request while the hardware DMA operation is still in flight. The DMA
completion callback then dereferences freed memory, causing a NULL
pointer crash:
pc : qce_skcipher_done+0x24/0x174
lr : vchan_complete+0x230/0x27c
...
el1h_64_irq+0x68/0x6c
ksmbd_free_work_struct+0x20/0x118 [ksmbd]
ksmbd_exit_file_cache+0x694/0xa4c [ksmbd]
Use the standard crypto_wait_req() pattern with crypto_req_done() as
the completion callback, matching the approach used by the SMB client
in fs/smb/client/smb2ops.c. This properly handles both synchronous
engines (immediate return) and async engines (-EINPROGRESS followed
by callback notification).
Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Link: https://github.com/openwrt/openwrt/issues/21822
Signed-off-by: Joshua Klinesmith <joshuaklinesmith@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/server/auth.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/fs/smb/server/auth.c b/fs/smb/server/auth.c
index a9b73ea3a7427..38e0eb27bad53 100644
--- a/fs/smb/server/auth.c
+++ b/fs/smb/server/auth.c
@@ -1104,6 +1104,7 @@ int ksmbd_crypt_message(struct ksmbd_work *work, struct kvec *iov,
struct smb2_transform_hdr *tr_hdr = smb2_get_msg(iov[0].iov_base);
unsigned int assoc_data_len = sizeof(struct smb2_transform_hdr) - 20;
int rc;
+ DECLARE_CRYPTO_WAIT(wait);
struct scatterlist *sg;
u8 sign[SMB2_SIGNATURE_SIZE] = {};
u8 key[SMB3_ENC_DEC_KEY_SIZE];
@@ -1190,12 +1191,12 @@ int ksmbd_crypt_message(struct ksmbd_work *work, struct kvec *iov,
aead_request_set_crypt(req, sg, sg, crypt_len, iv);
aead_request_set_ad(req, assoc_data_len);
- aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_SLEEP, NULL, NULL);
+ aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG |
+ CRYPTO_TFM_REQ_MAY_SLEEP,
+ crypto_req_done, &wait);
- if (enc)
- rc = crypto_aead_encrypt(req);
- else
- rc = crypto_aead_decrypt(req);
+ rc = crypto_wait_req(enc ? crypto_aead_encrypt(req) :
+ crypto_aead_decrypt(req), &wait);
if (rc)
goto free_iv;
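Review bot: The callback flags change from `CRYPTO_TFM_REQ_MAY_SLEEP` alone to `CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP`, but the changelog only discusses -EINPROGRESS handling and the completion callback. Please add a sentence on why backlog queuing is now requested, since it changes how the request behaves when the engine's queue is full. It would also help to note in a comment near `crypto_wait_req()` that the `goto free_iv` error path is only safe because the wait guarantees the request has completed before it is freed, which is the invariant the original code broke.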
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 572/969] ARM: dts: mediatek: mt7623: fix efuse fallback compatible
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (570 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 571/969] ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 573/969] memory: tegra124-emc: Fix dll_change check Greg Kroah-Hartman
` (403 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafał Miłecki,
AngeloGioacchino Del Regno, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafał Miłecki <rafal@milecki.pl>
[ Upstream commit 5978ff33cc6f0988388a2830dc5cd2ea4e81f36a ]
Fix following validation error:
arch/arm/boot/dts/mediatek/mt7623a-rfb-emmc.dtb: efuse@10206000: compatible: 'oneOf' conditional failed, one must be fixed:
['mediatek,mt7623-efuse', 'mediatek,mt8173-efuse'] is too long
'mediatek,mt8173-efuse' was expected
'mediatek,efuse' was expected
from schema $id: http://devicetree.org/schemas/nvmem/mediatek,efuse.yaml#
arch/arm/boot/dts/mediatek/mt7623a-rfb-emmc.dtb: efuse@10206000: Unevaluated properties are not allowed ('compatible' was unexpected)
from schema $id: http://devicetree.org/schemas/nvmem/mediatek,efuse.yaml#
Fixes: 43c7a91b4b3a ("arm: dts: mt7623: add efuse nodes to the mt7623.dtsi file")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/mt7623.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/boot/dts/mt7623.dtsi b/arch/arm/boot/dts/mt7623.dtsi
index 74767b6703720..e7b09d0c3030a 100644
--- a/arch/arm/boot/dts/mt7623.dtsi
+++ b/arch/arm/boot/dts/mt7623.dtsi
@@ -329,7 +329,7 @@ sysirq: interrupt-controller@10200100 {
efuse: efuse@10206000 {
compatible = "mediatek,mt7623-efuse",
- "mediatek,mt8173-efuse";
+ "mediatek,efuse";
reg = <0 0x10206000 0 0x1000>;
#address-cells = <1>;
#size-cells = <1>;
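Review bot: Replacing the fallback `"mediatek,mt8173-efuse"` with `"mediatek,efuse"` changes which compatible string a driver can bind on, and the changelog justifies it only with a schema validation error. For a stable backport, please confirm that the efuse driver in 6.1 matches `"mediatek,efuse"` (or `"mediatek,mt7623-efuse"`), otherwise the node would validate but lose its driver. The quoted error also refers to arch/arm/boot/dts/mediatek/ while this tree patches arch/arm/boot/dts/mt7623.dtsi, so it is worth checking that the binding the message cites is the one present in 6.1.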
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 573/969] memory: tegra124-emc: Fix dll_change check
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (571 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 572/969] ARM: dts: mediatek: mt7623: fix efuse fallback compatible Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 574/969] memory: tegra30-emc: " Greg Kroah-Hartman
` (402 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mikko Perttunen, Krzysztof Kozlowski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikko Perttunen <mperttunen@nvidia.com>
[ Upstream commit 9597ab9a8296ab337e6820f8a717ff621078b632 ]
The code checking whether the specified memory timing enables DLL
in the EMRS register was reversed. DLL is enabled if bit A0 is low.
Fix the check.
Fixes: 73a7f0a90641 ("memory: tegra: Add EMC (external memory controller) driver")
Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
Link: https://patch.msgid.link/20260126-fix-emc-dllchange-v1-1-47ad3bb63262@nvidia.com
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/memory/tegra/tegra124-emc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/memory/tegra/tegra124-emc.c b/drivers/memory/tegra/tegra124-emc.c
index 00ed2b6a0d1b2..ca2714b0a521a 100644
--- a/drivers/memory/tegra/tegra124-emc.c
+++ b/drivers/memory/tegra/tegra124-emc.c
@@ -608,7 +608,7 @@ static int tegra_emc_prepare_timing_change(struct tegra_emc *emc,
if ((last->emc_mode_1 & 0x1) == (timing->emc_mode_1 & 0x1))
dll_change = DLL_CHANGE_NONE;
- else if (timing->emc_mode_1 & 0x1)
+ else if (!(timing->emc_mode_1 & 0x1))
dll_change = DLL_CHANGE_ON;
else
dll_change = DLL_CHANGE_OFF;
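Review bot: The bare `0x1` mask appears three times in this hunk and its polarity is exactly what was wrong. A named macro for the EMRS A0 bit that says "DLL disable" in its name, or a small helper returning whether a timing enables the DLL, would make the `!(timing->emc_mode_1 & 0x1)` test self-explanatory and keep the inversion from coming back. The first comparison, `(last->emc_mode_1 & 0x1) == (timing->emc_mode_1 & 0x1)`, would read more clearly through the same helper.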
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 574/969] memory: tegra30-emc: Fix dll_change check
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (572 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 573/969] memory: tegra124-emc: Fix dll_change check Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 575/969] arm64: dts: imx8mp-evk: Enable pull select bit for PCIe regulator GPIO (M.2 W_DISABLE1) Greg Kroah-Hartman
` (401 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mikko Perttunen, Krzysztof Kozlowski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikko Perttunen <mperttunen@nvidia.com>
[ Upstream commit 0a93f2355cf4922ad2399dbef5ea1049fef116d4 ]
The code checking whether the specified memory timing enables DLL
in the EMRS register was reversed. DLL is enabled if bit A0 is low.
Fix the check.
Fixes: e34212c75a68 ("memory: tegra: Introduce Tegra30 EMC driver")
Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
Link: https://patch.msgid.link/20260126-fix-emc-dllchange-v1-2-47ad3bb63262@nvidia.com
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/memory/tegra/tegra30-emc.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/memory/tegra/tegra30-emc.c b/drivers/memory/tegra/tegra30-emc.c
index 1ea3792beb86d..fb09e8a463bd5 100644
--- a/drivers/memory/tegra/tegra30-emc.c
+++ b/drivers/memory/tegra/tegra30-emc.c
@@ -554,14 +554,14 @@ static int emc_prepare_timing_change(struct tegra_emc *emc, unsigned long rate)
emc->emc_cfg = readl_relaxed(emc->regs + EMC_CFG);
emc_dbg = readl_relaxed(emc->regs + EMC_DBG);
- if (emc->dll_on == !!(timing->emc_mode_1 & 0x1))
+ if (emc->dll_on == !(timing->emc_mode_1 & 0x1))
dll_change = DLL_CHANGE_NONE;
- else if (timing->emc_mode_1 & 0x1)
+ else if (!(timing->emc_mode_1 & 0x1))
dll_change = DLL_CHANGE_ON;
else
dll_change = DLL_CHANGE_OFF;
- emc->dll_on = !!(timing->emc_mode_1 & 0x1);
+ emc->dll_on = !(timing->emc_mode_1 & 0x1);
if (timing->data[80] && !readl_relaxed(emc->regs + EMC_ZCAL_INTERVAL))
emc->zcal_long = true;
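Review bot: The expression `!(timing->emc_mode_1 & 0x1)` is now evaluated three times in this hunk, for the comparison, for the DLL_CHANGE_ON branch and for the assignment to `emc->dll_on`. Computing it once into a local bool (for example `dll_enable`) would make the three uses obviously consistent. Since the meaning of `emc->dll_on` flips relative to the register bit, any other place that initializes or reads `emc->dll_on`, which this hunk does not show, needs to be checked for the same polarity.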
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 575/969] arm64: dts: imx8mp-evk: Enable pull select bit for PCIe regulator GPIO (M.2 W_DISABLE1)
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (573 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 574/969] memory: tegra30-emc: " Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 576/969] arm64: dts: mediatek: mt6795: Fix gpio-ranges pin count Greg Kroah-Hartman
` (400 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sherry Sun, Frank Li, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sherry Sun <sherry.sun@nxp.com>
[ Upstream commit d1e7eab6033f9885a02c4b4e8f09e34d8e9d21ab ]
The current pin configuration for MX8MP_IOMUXC_SD1_DATA4__GPIO2_IO06
sets the weak pull-up but does not enable the pull select field.
Bit 8 in the IOMUX register must be set in order for the weak pull-up
to actually take effect.
Update the pinctrl setting from 0x40 to 0x140 to enable both the pull
select and the weak pull-up, ensuring the line behaves as expected.
Fixes: d50650500064 ("arm64: dts: imx8mp-evk: Add PCIe support")
Signed-off-by: Sherry Sun <sherry.sun@nxp.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mp-evk.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8mp-evk.dts b/arch/arm64/boot/dts/freescale/imx8mp-evk.dts
index 126c839b45f2d..703eec6b0107e 100644
--- a/arch/arm64/boot/dts/freescale/imx8mp-evk.dts
+++ b/arch/arm64/boot/dts/freescale/imx8mp-evk.dts
@@ -551,7 +551,7 @@ MX8MP_IOMUXC_SD1_DATA5__GPIO2_IO07 0x40
pinctrl_pcie0_reg: pcie0reggrp {
fsl,pins = <
- MX8MP_IOMUXC_SD1_DATA4__GPIO2_IO06 0x40
+ MX8MP_IOMUXC_SD1_DATA4__GPIO2_IO06 0x140
>;
};
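Review bot: The hunk header shows that the preceding group still configures `MX8MP_IOMUXC_SD1_DATA5__GPIO2_IO07 0x40`, the same value this patch says does not enable the pull because bit 8 is clear. If that pin is also expected to have a working weak pull-up, it needs the same 0x140 treatment; if 0x40 is intentional there, a brief comment would stop the two entries from looking like an oversight.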
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 576/969] arm64: dts: mediatek: mt6795: Fix gpio-ranges pin count
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (574 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 575/969] arm64: dts: imx8mp-evk: Enable pull select bit for PCIe regulator GPIO (M.2 W_DISABLE1) Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 577/969] arm64: dts: mediatek: mt7986a: " Greg Kroah-Hartman
` (399 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Akari Tsuyukusa,
AngeloGioacchino Del Regno, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Akari Tsuyukusa <akkun11.open@gmail.com>
[ Upstream commit c4c4823c8a5baa10b8100b01f49d7c3f4a871689 ]
The gpio-ranges in the MT6795 pinctrl node were incorrectly defined,
therefore, GPIO196 cannot be used.
Correct the range count to match the driver.
Fixes: b888886a4536 ("arm64: dts: mediatek: mt6795: Add pinctrl controller node")
Signed-off-by: Akari Tsuyukusa <akkun11.open@gmail.com>
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/mediatek/mt6795.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/mediatek/mt6795.dtsi b/arch/arm64/boot/dts/mediatek/mt6795.dtsi
index 46f0e54be7664..8c715015284fb 100644
--- a/arch/arm64/boot/dts/mediatek/mt6795.dtsi
+++ b/arch/arm64/boot/dts/mediatek/mt6795.dtsi
@@ -200,7 +200,7 @@ pio: pinctrl@10005000 {
<GIC_SPI 154 IRQ_TYPE_LEVEL_HIGH>;
gpio-controller;
#gpio-cells = <2>;
- gpio-ranges = <&pio 0 0 196>;
+ gpio-ranges = <&pio 0 0 197>;
interrupt-controller;
#interrupt-cells = <2>;
};
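Review bot: the changelog says the count should "match the driver" but never states the driver's pin total, so the off-by-one cannot be confirmed from the patch alone. Since the range starts at pin 0, `gpio-ranges = <&pio 0 0 197>;` covers GPIO0 through GPIO196; stating that in the commit message would let a reviewer verify the new value against the GPIO196 symptom it describes.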
--
2.53.0
* [PATCH 6.1 577/969] arm64: dts: mediatek: mt7986a: Fix gpio-ranges pin count
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (575 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 576/969] arm64: dts: mediatek: mt6795: Fix gpio-ranges pin count Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 578/969] soc: qcom: ocmem: use scoped device node handling to simplify error paths Greg Kroah-Hartman
` (398 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Akari Tsuyukusa,
AngeloGioacchino Del Regno, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Akari Tsuyukusa <akkun11.open@gmail.com>
[ Upstream commit 820ed0c1a13c5fafb36232538d793f99a0986ef3 ]
The gpio-ranges in the MT7986A pinctrl node were incorrectly defined,
therefore, pin 100 cannot be used.
Correct the range count to match the driver.
Fixes: c3a064a32ed9 ("arm64: dts: mediatek: add pinctrl support for mt7986a")
Signed-off-by: Akari Tsuyukusa <akkun11.open@gmail.com>
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/mediatek/mt7986a.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/mediatek/mt7986a.dtsi b/arch/arm64/boot/dts/mediatek/mt7986a.dtsi
index 108931e796465..c647d99c9554a 100644
--- a/arch/arm64/boot/dts/mediatek/mt7986a.dtsi
+++ b/arch/arm64/boot/dts/mediatek/mt7986a.dtsi
@@ -153,7 +153,7 @@ pio: pinctrl@1001f000 {
"iocfg_lb", "iocfg_tr", "iocfg_tl", "eint";
gpio-controller;
#gpio-cells = <2>;
- gpio-ranges = <&pio 0 0 100>;
+ gpio-ranges = <&pio 0 0 101>;
interrupt-controller;
interrupts = <GIC_SPI 225 IRQ_TYPE_LEVEL_HIGH>;
interrupt-parent = <&gic>;
--
2.53.0
* [PATCH 6.1 578/969] soc: qcom: ocmem: use scoped device node handling to simplify error paths
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (576 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 577/969] arm64: dts: mediatek: mt7986a: " Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 579/969] soc: qcom: ocmem: register reasons for probe deferrals Greg Kroah-Hartman
` (397 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Bjorn Andersson,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
[ Upstream commit f4c1c19f5c0e5cf2870df91dedc6b40400fd9c8a ]
Obtain the device node reference with scoped/cleanup.h to reduce error
handling and make the code a bit simpler.
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://lore.kernel.org/r/20240813-b4-cleanup-h-of-node-put-other-v1-4-cfb67323a95c@linaro.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Stable-dep-of: 9dfd69cd89cd ("soc: qcom: ocmem: register reasons for probe deferrals")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/qcom/ocmem.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/drivers/soc/qcom/ocmem.c b/drivers/soc/qcom/ocmem.c
index a21a196fdcc24..a8a0d89ab01b9 100644
--- a/drivers/soc/qcom/ocmem.c
+++ b/drivers/soc/qcom/ocmem.c
@@ -192,23 +192,20 @@ static void update_range(struct ocmem *ocmem, struct ocmem_buf *buf,
struct ocmem *of_get_ocmem(struct device *dev)
{
struct platform_device *pdev;
- struct device_node *devnode;
struct ocmem *ocmem;
- devnode = of_parse_phandle(dev->of_node, "sram", 0);
+ struct device_node *devnode __free(device_node) = of_parse_phandle(dev->of_node,
+ "sram", 0);
if (!devnode || !devnode->parent) {
dev_err(dev, "Cannot look up sram phandle\n");
- of_node_put(devnode);
return ERR_PTR(-ENODEV);
}
pdev = of_find_device_by_node(devnode->parent);
if (!pdev) {
dev_err(dev, "Cannot find device node %s\n", devnode->name);
- of_node_put(devnode);
return ERR_PTR(-EPROBE_DEFER);
}
- of_node_put(devnode);
ocmem = platform_get_drvdata(pdev);
put_device(&pdev->dev);
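Review bot: `__free(device_node)` on the new `devnode` declaration depends on the scope-based cleanup helpers, and this hunk adds no include for them (the diffstat shows only the declaration and the removed `of_node_put()` calls). For the 6.1.y backport, confirm that the headers ocmem.c already pulls in provide the `device_node` cleanup definition in this tree, otherwise the file will not build. The conversion itself looks right: the reference is now held until return, which also covers the `devnode->name` use in the second error path.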
--
2.53.0
* [PATCH 6.1 579/969] soc: qcom: ocmem: register reasons for probe deferrals
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (577 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 578/969] soc: qcom: ocmem: use scoped device node handling to simplify error paths Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 580/969] soc: qcom: ocmem: return -EPROBE_DEFER is ocmem is not available Greg Kroah-Hartman
` (396 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Brian Masney,
Konrad Dybcio, Bjorn Andersson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
[ Upstream commit 9dfd69cd89cd6afa4723be9098979abeef3bb8c6 ]
Instead of printing messages to the dmesg, let the message be recorded
as a reason for the OCMEM client deferral.
Fixes: 88c1e9404f1d ("soc: qcom: add OCMEM driver")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Brian Masney <bmasney@redhat.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260323-ocmem-v1-2-ad9bcae44763@oss.qualcomm.com
[bjorn: s/ERR_PTR(dev_err_probe)/dev_err_ptr_probe/
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/qcom/ocmem.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/soc/qcom/ocmem.c b/drivers/soc/qcom/ocmem.c
index a8a0d89ab01b9..087271120ce3e 100644
--- a/drivers/soc/qcom/ocmem.c
+++ b/drivers/soc/qcom/ocmem.c
@@ -202,10 +202,10 @@ struct ocmem *of_get_ocmem(struct device *dev)
}
pdev = of_find_device_by_node(devnode->parent);
- if (!pdev) {
- dev_err(dev, "Cannot find device node %s\n", devnode->name);
- return ERR_PTR(-EPROBE_DEFER);
- }
+ if (!pdev)
+ return dev_err_ptr_probe(dev, -EPROBE_DEFER,
+ "Cannot find device node %s\n",
+ devnode->name);
ocmem = platform_get_drvdata(pdev);
put_device(&pdev->dev);
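Review bot: the message handed to `dev_err_ptr_probe()` still prints `devnode->name` with `%s`; `%pOFn` with `devnode` as the argument is the usual way to print a device node name and avoids reading the field directly. For the backport, also confirm that `dev_err_ptr_probe()` exists in 6.1.y, since the bracketed note in the changelog shows the helper was substituted for `ERR_PTR(dev_err_probe())` when the patch was applied upstream.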
--
2.53.0
* [PATCH 6.1 580/969] soc: qcom: ocmem: return -EPROBE_DEFER is ocmem is not available
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (578 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 579/969] soc: qcom: ocmem: register reasons for probe deferrals Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 581/969] arm64: dts: qcom: sm8450: Fix GIC_ITS range length Greg Kroah-Hartman
` (395 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Konrad Dybcio,
Bjorn Andersson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
[ Upstream commit 91b59009c7d48b58dbc50fecb27f2ad20749a05a ]
If OCMEM is declared in DT, it is expected that it is present and
handled by the driver. The GPU driver will ignore -ENODEV error, which
typically means that OCMEM isn't defined in DT. Let ocmem return
-EPROBE_DEFER if it is supposed to be used, but it is not probed (yet).
Fixes: 88c1e9404f1d ("soc: qcom: add OCMEM driver")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260323-ocmem-v1-3-ad9bcae44763@oss.qualcomm.com
[bjorn: s/ERR_PTR(dev_err_probe)/dev_err_ptr_probe/
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/qcom/ocmem.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/drivers/soc/qcom/ocmem.c b/drivers/soc/qcom/ocmem.c
index 087271120ce3e..2ecde3a275282 100644
--- a/drivers/soc/qcom/ocmem.c
+++ b/drivers/soc/qcom/ocmem.c
@@ -209,10 +209,9 @@ struct ocmem *of_get_ocmem(struct device *dev)
ocmem = platform_get_drvdata(pdev);
put_device(&pdev->dev);
- if (!ocmem) {
- dev_err(dev, "Cannot get ocmem\n");
- return ERR_PTR(-ENODEV);
- }
+ if (!ocmem)
+ return dev_err_ptr_probe(dev, -EPROBE_DEFER, "Cannot get ocmem\n");
+
return ocmem;
}
EXPORT_SYMBOL(of_get_ocmem);
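Review bot: returning -EPROBE_DEFER when `platform_get_drvdata(pdev)` is NULL means a client keeps deferring for as long as the OCMEM driver stays unbound (not built, or its own probe failed), where it previously received -ENODEV and, per the changelog, the GPU driver carried on without OCMEM. If a permanently deferred client is the intended outcome in that case, the commit message should say so. Note also that `put_device(&pdev->dev)` runs before `ocmem` is returned, so nothing in this function keeps the returned pointer alive for the caller.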
--
2.53.0
* [PATCH 6.1 581/969] arm64: dts: qcom: sm8450: Fix GIC_ITS range length
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (579 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 580/969] soc: qcom: ocmem: return -EPROBE_DEFER is ocmem is not available Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 582/969] arm64: dts: qcom: sm8450: Enable UHS-I SDR50 and SDR104 SD card modes Greg Kroah-Hartman
` (394 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konrad Dybcio, Neil Armstrong,
Abel Vesa, Bjorn Andersson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
[ Upstream commit 14044fa192c50265bc1f636108371044bbdcf7b7 ]
Currently, the GITS_SGIR register is cut off. Fix it up.
Fixes: fc8b0b9b630d ("arm64: dts: qcom: sm8450 add ITS device tree node")
Signed-off-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Reviewed-by: Abel Vesa <abel.vesa@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260317-topic-its_range_fixup-v1-3-49be8076adb1@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sm8450.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/qcom/sm8450.dtsi b/arch/arm64/boot/dts/qcom/sm8450.dtsi
index 9420857871b1e..49502cdd1d4e0 100644
--- a/arch/arm64/boot/dts/qcom/sm8450.dtsi
+++ b/arch/arm64/boot/dts/qcom/sm8450.dtsi
@@ -2915,7 +2915,7 @@ intc: interrupt-controller@17100000 {
gic_its: msi-controller@17140000 {
compatible = "arm,gic-v3-its";
- reg = <0x0 0x17140000 0x0 0x20000>;
+ reg = <0x0 0x17140000 0x0 0x40000>;
msi-controller;
#msi-cells = <1>;
};
--
2.53.0
* [PATCH 6.1 582/969] arm64: dts: qcom: sm8450: Enable UHS-I SDR50 and SDR104 SD card modes
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (580 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 581/969] arm64: dts: qcom: sm8450: Fix GIC_ITS range length Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 583/969] arm64: dts: qcom: sdm845-xiaomi-beryllium: Mark l1a regulator as powered during boot Greg Kroah-Hartman
` (393 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Neil Armstrong, Konrad Dybcio,
Vladimir Zapolskiy, Bjorn Andersson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
[ Upstream commit db0c5ef1abda6effdc5c85d6688fb6af2b351ae5 ]
The reported problem of some non-working UHS-I speed modes on SM8450
originates in commit 0a631a36f724 ("arm64: dts: qcom: Add device tree
for Sony Xperia 1 IV"), and then it was spread to all SM8450 powered
platforms by commit 9d561dc4e5cc ("arm64: dts: qcom: sm8450: disable
SDHCI SDR104/SDR50 on all boards").
The tests show that the root cause of the problem was related to an
overclocking of SD cards, and it's fixed later on by commit a27ac3806b0a
("clk: qcom: gcc-sm8450: Use floor ops for SDCC RCGs").
Since then both SDR50 and SDR104 speed modes are working fine on SM8450,
tested on SM8450-HDK:
SDR50 speed mode:
mmc0: new UHS-I speed SDR50 SDHC card at address 0001
mmcblk0: mmc0:0001 00000 14.6 GiB
mmcblk0: p1
% dd if=/dev/mmcblk0p1 of=/dev/null bs=1M count=1024
1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB, 1.0 GiB) copied, 24.6254 s, 43.6 MB/s
SDR104 speed mode:
mmc0: new UHS-I speed SDR104 SDHC card at address 59b4
mmcblk0: mmc0:59b4 USDU1 28.3 GiB
mmcblk0: p1
% dd if=/dev/mmcblk0p1 of=/dev/null bs=1M count=1024
1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB, 1.0 GiB) copied, 12.3266 s, 87.1 MB/s
Remove the restrictions on SD card speed modes from the SM8450 platform
dtsi file and enable UHS-I speed modes.
Fixes: 9d561dc4e5cc ("arm64: dts: qcom: sm8450: disable SDHCI SDR104/SDR50 on all boards")
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
Link: https://lore.kernel.org/r/20260314023715.357512-5-vladimir.zapolskiy@linaro.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sm8450.dtsi | 3 ---
1 file changed, 3 deletions(-)
diff --git a/arch/arm64/boot/dts/qcom/sm8450.dtsi b/arch/arm64/boot/dts/qcom/sm8450.dtsi
index 49502cdd1d4e0..c9ca7bd886397 100644
--- a/arch/arm64/boot/dts/qcom/sm8450.dtsi
+++ b/arch/arm64/boot/dts/qcom/sm8450.dtsi
@@ -3191,9 +3191,6 @@ sdhc_2: sdhci@8804000 {
bus-width = <4>;
dma-coherent;
- /* Forbid SDR104/SDR50 - broken hw! */
- sdhci-caps-mask = <0x3 0x0>;
-
status = "disabled";
sdhc2_opp_table: opp-table {
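Review bot: dropping `sdhci-caps-mask = <0x3 0x0>;` is only safe where commit a27ac3806b0a ("clk: qcom: gcc-sm8450: Use floor ops for SDCC RCGs") is present, because the changelog names that commit as the actual fix for the overclocking. For this 6.1.y backport, please confirm that commit is in the tree; without it this change re-enables SDR50/SDR104 on top of the original problem.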
--
2.53.0
* [PATCH 6.1 583/969] arm64: dts: qcom: sdm845-xiaomi-beryllium: Mark l1a regulator as powered during boot
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (581 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 582/969] arm64: dts: qcom: sm8450: Enable UHS-I SDR50 and SDR104 SD card modes Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 584/969] soc/tegra: cbb: Set ERD on resume for err interrupt Greg Kroah-Hartman
` (392 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Heidelberg, Konrad Dybcio,
Bjorn Andersson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Heidelberg <david@ixit.cz>
[ Upstream commit 3b0dd81eea6b7a239fce456ce4545af76f1a9715 ]
The regulator must be on, since it provides the display subsystem and
therefore the bootloader had turned it on before Linux booted.
Fixes: 77809cf74a8c ("arm64: dts: qcom: Add support for Xiaomi Poco F1 (Beryllium)")
Signed-off-by: David Heidelberg <david@ixit.cz>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260320-beryllium-booton-v2-1-931d1be21eae@ixit.cz
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sdm845-xiaomi-beryllium.dts | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/arm64/boot/dts/qcom/sdm845-xiaomi-beryllium.dts b/arch/arm64/boot/dts/qcom/sdm845-xiaomi-beryllium.dts
index 6d6b3dd699475..9c0f7b410eee2 100644
--- a/arch/arm64/boot/dts/qcom/sdm845-xiaomi-beryllium.dts
+++ b/arch/arm64/boot/dts/qcom/sdm845-xiaomi-beryllium.dts
@@ -133,6 +133,7 @@ vreg_l1a_0p875: ldo1 {
regulator-min-microvolt = <880000>;
regulator-max-microvolt = <880000>;
regulator-initial-mode = <RPMH_REGULATOR_MODE_HPM>;
+ regulator-boot-on;
};
vreg_l5a_0p8: ldo5 {
--
2.53.0
* [PATCH 6.1 584/969] soc/tegra: cbb: Set ERD on resume for err interrupt
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (582 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 583/969] arm64: dts: qcom: sdm845-xiaomi-beryllium: Mark l1a regulator as powered during boot Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 585/969] unshare: fix nsproxy leak in ksys_unshare() on set_cred_ucounts() failure Greg Kroah-Hartman
` (391 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sumit Gupta, Thierry Reding,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sumit Gupta <sumitg@nvidia.com>
[ Upstream commit b6ff71c5d1d4ad858ddf6f39394d169c96689596 ]
Set the Error Response Disable (ERD) bit to mask SError responses
and use interrupt-based error reporting. When the ERD bit is set,
inband error responses to the initiator via SError are suppressed,
and fabric errors are reported via an interrupt instead.
The register is set during boot but the info is lost during system
suspend and needs to be set again on resume.
Fixes: fc2f151d2314 ("soc/tegra: cbb: Add driver for Tegra234 CBB 2.0")
Signed-off-by: Sumit Gupta <sumitg@nvidia.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/tegra/cbb/tegra234-cbb.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/soc/tegra/cbb/tegra234-cbb.c b/drivers/soc/tegra/cbb/tegra234-cbb.c
index 5813c55222ca3..2cf0ceb60bd0f 100644
--- a/drivers/soc/tegra/cbb/tegra234-cbb.c
+++ b/drivers/soc/tegra/cbb/tegra234-cbb.c
@@ -1185,6 +1185,10 @@ static int __maybe_unused tegra234_cbb_resume_noirq(struct device *dev)
{
struct tegra234_cbb *cbb = dev_get_drvdata(dev);
+ /* set ERD bit to mask SError and generate interrupt to report error */
+ if (cbb->fabric->off_mask_erd)
+ tegra234_cbb_mask_serror(cbb);
+
tegra234_cbb_error_enable(&cbb->base);
dev_dbg(dev, "%s resumed\n", cbb->fabric->name);
--
2.53.0
* [PATCH 6.1 585/969] unshare: fix nsproxy leak in ksys_unshare() on set_cred_ucounts() failure
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (583 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 584/969] soc/tegra: cbb: Set ERD on resume for err interrupt Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 586/969] ocfs2/dlm: validate qr_numregions in dlm_match_regions() Greg Kroah-Hartman
` (390 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Grzedzicki, Andrew Morton,
Alexey Gladkov (Intel), Ben Segall, David Hildenbrand,
Dietmar Eggemann, Ingo Molnar, Juri Lelli, Kees Cook,
Liam R. Howlett, Lorenzo Stoakes (Oracle), Mel Gorman,
Michal Hocko, Mike Rapoport, Peter Zijlstra, Steven Rostedt,
Suren Baghdasaryan, Valentin Schneider, Vincent Guittot,
Vlastimil Babka, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Grzedzicki <mge@meta.com>
[ Upstream commit a98621a0f187a934c115dcfe79a49520ae892111 ]
When set_cred_ucounts() fails in ksys_unshare() new_nsproxy is leaked.
Let's call put_nsproxy() if that happens.
Link: https://lkml.kernel.org/r/20260213193959.2556730-1-mge@meta.com
Fixes: 905ae01c4ae2 ("Add a reference to ucounts for each cred")
Signed-off-by: Michal Grzedzicki <mge@meta.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Alexey Gladkov (Intel) <legion@kernel.org>
Cc: Ben Segall <bsegall@google.com>
Cc: David Hildenbrand <david@kernel.org>
Cc: Dietmar Eggemann <dietmar.eggemann@arm.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Juri Lelli <juri.lelli@redhat.com>
Cc: Kees Cook <kees@kernel.org>
Cc: "Liam R. Howlett" <Liam.Howlett@oracle.com>
Cc: Lorenzo Stoakes (Oracle) <ljs@kernel.org>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Valentin Schneider <vschneid@redhat.com>
Cc: Vincent Guittot <vincent.guittot@linaro.org>
Cc: Vlastimil Babka <vbabka@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/fork.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/kernel/fork.c b/kernel/fork.c
index 96ecab82e38af..db2a9016f636f 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -3285,11 +3285,10 @@ int ksys_unshare(unsigned long unshare_flags)
new_cred, new_fs);
if (err)
goto bad_unshare_cleanup_cred;
-
if (new_cred) {
err = set_cred_ucounts(new_cred);
if (err)
- goto bad_unshare_cleanup_cred;
+ goto bad_unshare_cleanup_nsproxy;
}
if (new_fs || new_fd || do_sysvsem || new_cred || new_nsproxy) {
@@ -3305,8 +3304,10 @@ int ksys_unshare(unsigned long unshare_flags)
shm_init_task(current);
}
- if (new_nsproxy)
+ if (new_nsproxy) {
switch_task_namespaces(current, new_nsproxy);
+ new_nsproxy = NULL;
+ }
task_lock(current);
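Review bot: `new_nsproxy = NULL;` after `switch_task_namespaces(current, new_nsproxy);` has no comment, yet it is what keeps the success path correct, because execution later falls through the new `bad_unshare_cleanup_nsproxy:` label and would otherwise put the nsproxy that was just installed on the task. A one-line comment stating that ownership has passed to the task would stop a later cleanup from removing the assignment as dead code.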
@@ -3335,13 +3336,15 @@ int ksys_unshare(unsigned long unshare_flags)
perf_event_namespaces(current);
+bad_unshare_cleanup_nsproxy:
+ if (new_nsproxy)
+ put_nsproxy(new_nsproxy);
bad_unshare_cleanup_cred:
if (new_cred)
put_cred(new_cred);
bad_unshare_cleanup_fd:
if (new_fd)
put_files_struct(new_fd);
-
bad_unshare_cleanup_fs:
if (new_fs)
free_fs_struct(new_fs);
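Review bot: the blank-line removal before `bad_unshare_cleanup_fs:` in this hunk, and the one after the first `goto bad_unshare_cleanup_cred;` in the first hunk, are unrelated whitespace changes and are better left out of a leak fix that is headed for stable. The placement of the new label ahead of `bad_unshare_cleanup_cred:` is correct: a `set_cred_ucounts()` failure now releases the nsproxy and then the cred, while the earlier failure point still skips the nsproxy put.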
--
2.53.0
* [PATCH 6.1 586/969] ocfs2/dlm: validate qr_numregions in dlm_match_regions()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (584 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 585/969] unshare: fix nsproxy leak in ksys_unshare() on set_cred_ucounts() failure Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 587/969] ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison Greg Kroah-Hartman
` (389 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Junrui Luo, Yuhao Jiang, Joseph Qi,
Mark Fasheh, Joel Becker, Junxiao Bi, Changwei Ge, Jun Piao,
Heming Zhao, Andrew Morton, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
[ Upstream commit 7ab3fbb01bc6d79091bc375e5235d360cd9b78be ]
Patch series "ocfs2/dlm: fix two bugs in dlm_match_regions()".
In dlm_match_regions(), the qr_numregions field from a DLM_QUERY_REGION
network message is used to drive loops over the qr_regions buffer without
sufficient validation. This series fixes two issues:
- Patch 1 adds a bounds check to reject messages where qr_numregions
exceeds O2NM_MAX_REGIONS. The o2net layer only validates message
byte length; it does not constrain field values, so a crafted message
can set qr_numregions up to 255 and trigger out-of-bounds reads past
the 1024-byte qr_regions buffer.
- Patch 2 fixes an off-by-one in the local-vs-remote comparison loop,
which uses '<=' instead of '<', reading one entry past the valid range
even when qr_numregions is within bounds.
This patch (of 2):
The qr_numregions field from a DLM_QUERY_REGION network message is used
directly as loop bounds in dlm_match_regions() without checking against
O2NM_MAX_REGIONS. Since qr_regions is sized for at most O2NM_MAX_REGIONS
(32) entries, a crafted message with qr_numregions > 32 causes
out-of-bounds reads past the qr_regions buffer.
Add a bounds check for qr_numregions before entering the loops.
Link: https://lkml.kernel.org/r/SYBPR01MB7881A334D02ACEE5E0645801AF7BA@SYBPR01MB7881.ausprd01.prod.outlook.com
Link: https://lkml.kernel.org/r/SYBPR01MB788166F524AD04E262E174BEAF7BA@SYBPR01MB7881.ausprd01.prod.outlook.com
Fixes: ea2034416b54 ("ocfs2/dlm: Add message DLM_QUERY_REGION")
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Cc: Heming Zhao <heming.zhao@suse.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ocfs2/dlm/dlmdomain.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/fs/ocfs2/dlm/dlmdomain.c b/fs/ocfs2/dlm/dlmdomain.c
index c4eccd499db8a..dff3d2a48b608 100644
--- a/fs/ocfs2/dlm/dlmdomain.c
+++ b/fs/ocfs2/dlm/dlmdomain.c
@@ -980,6 +980,14 @@ static int dlm_match_regions(struct dlm_ctxt *dlm,
goto bail;
}
+ if (qr->qr_numregions > O2NM_MAX_REGIONS) {
+ mlog(ML_ERROR, "Domain %s: Joining node %d has invalid "
+ "number of heartbeat regions %u\n",
+ qr->qr_domain, qr->qr_node, qr->qr_numregions);
+ status = -EINVAL;
+ goto bail;
+ }
+
r = remote;
for (i = 0; i < qr->qr_numregions; ++i) {
mlog(0, "Region %.*s\n", O2HB_MAX_REGION_NAME_LEN, r);
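Review bot: the new error path is driven by a value taken from a network message, so a peer that keeps sending DLM_QUERY_REGION messages with a bad count produces one `mlog(ML_ERROR, ...)` line per message; consider a rate-limited print here. The format string is also split across two source lines ("... has invalid " followed by "number of heartbeat regions %u\n"), which makes the message hard to grep for; kernel style keeps user-visible strings on a single line even past the column limit.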
--
2.53.0
* [PATCH 6.1 587/969] ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (585 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 586/969] ocfs2/dlm: validate qr_numregions in dlm_match_regions() Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 588/969] soc: qcom: llcc: fix v1 SB syndrome register offset Greg Kroah-Hartman
` (388 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Junrui Luo, Yuhao Jiang, Joseph Qi,
Mark Fasheh, Joel Becker, Junxiao Bi, Changwei Ge, Jun Piao,
Heming Zhao, Andrew Morton, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
[ Upstream commit 01b61e8dda9b0fdb0d4cda43de25f4e390554d7b ]
The local-vs-remote region comparison loop uses '<=' instead of '<',
causing it to read one entry past the valid range of qr_regions. The
other loops in the same function correctly use '<'.
Fix the loop condition to use '<' for consistency and correctness.
Link: https://lkml.kernel.org/r/SYBPR01MB78813DA26B50EC5E01F00566AF7BA@SYBPR01MB7881.ausprd01.prod.outlook.com
Fixes: ea2034416b54 ("ocfs2/dlm: Add message DLM_QUERY_REGION")
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Cc: Heming Zhao <heming.zhao@suse.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ocfs2/dlm/dlmdomain.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ocfs2/dlm/dlmdomain.c b/fs/ocfs2/dlm/dlmdomain.c
index dff3d2a48b608..3cd86b5de10f3 100644
--- a/fs/ocfs2/dlm/dlmdomain.c
+++ b/fs/ocfs2/dlm/dlmdomain.c
@@ -1002,7 +1002,7 @@ static int dlm_match_regions(struct dlm_ctxt *dlm,
for (i = 0; i < localnr; ++i) {
foundit = 0;
r = remote;
- for (j = 0; j <= qr->qr_numregions; ++j) {
+ for (j = 0; j < qr->qr_numregions; ++j) {
if (!memcmp(l, r, O2HB_MAX_REGION_NAME_LEN)) {
foundit = 1;
break;
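Review bot: `j < qr->qr_numregions` keeps the inner loop inside qr_regions only when qr_numregions has already been bounded, which is done by the previous patch in this series and not by this one. The changelog does not reference that patch, so please note the dependency (or confirm both are queued together for 6.1.y) so that this fix is not picked up on its own.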
--
2.53.0
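The two dlm_match_regions() fixes above (patches 586 and 587), shown together as an added userspace C example; it is not code from the kernel or from these patches. The struct, function names and sample region names are assumptions made for illustration; the sizes (32 regions, 1024-byte buffer) come from the commit message, and only the local-in-remote comparison is modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes from the commit message: at most 32 regions in a 1024-byte buffer. */
#define MAX_REGIONS     32
#define REGION_NAME_LEN (1024 / MAX_REGIONS)    /* 32 bytes per name */

/* Simplified stand-in for the on-wire query (hypothetical layout). */
struct query_region {
    uint8_t numregions;                         /* sender-controlled count */
    uint8_t regions[MAX_REGIONS * REGION_NAME_LEN];
};

enum match_result { MATCH_OK = 0, MATCH_INVALID = -1, MATCH_MISSING = -2 };

/* Copy a name into a fixed-width, zero-padded slot. */
static void set_name(uint8_t *slot, const char *name)
{
    size_t n = strlen(name);

    if (n > REGION_NAME_LEN)
        n = REGION_NAME_LEN;
    memset(slot, 0, REGION_NAME_LEN);
    memcpy(slot, name, n);
}

/*
 * Check that every local region name appears in the remote list.
 * local holds nlocal names of REGION_NAME_LEN bytes each.
 */
enum match_result match_regions(const struct query_region *qr,
                                const uint8_t *local, size_t nlocal)
{
    size_t i, j;

    /* Patch 586: reject the count before it is used as a loop bound. */
    if (qr->numregions > MAX_REGIONS)
        return MATCH_INVALID;

    for (i = 0; i < nlocal; i++) {
        const uint8_t *l = local + i * REGION_NAME_LEN;
        int found = 0;

        /* Patch 587: '<', not '<='. Slot numregions is not in the list. */
        for (j = 0; j < qr->numregions; j++) {
            const uint8_t *r = qr->regions + j * REGION_NAME_LEN;

            if (!memcmp(l, r, REGION_NAME_LEN)) {
                found = 1;
                break;
            }
        }
        if (!found)
            return MATCH_MISSING;
    }
    return MATCH_OK;
}

/*
 * Constructed sample: two advertised names, plus leftover bytes in slot 2
 * that a '<=' loop would have compared against when count is 2.
 */
void make_sample(struct query_region *qr, uint8_t count)
{
    memset(qr, 0, sizeof(*qr));
    set_name(qr->regions + 0 * REGION_NAME_LEN, "regionA");
    set_name(qr->regions + 1 * REGION_NAME_LEN, "regionB");
    set_name(qr->regions + 2 * REGION_NAME_LEN, "stale");
    qr->numregions = count;
}

/* Match a single local name against the query. */
int check_local(const struct query_region *qr, const char *name)
{
    uint8_t local[REGION_NAME_LEN];

    set_name(local, name);
    return match_regions(qr, local, 1);
}

int main(void)
{
    struct query_region qr;

    make_sample(&qr, 2);
    printf("regionB, count 2:   %d\n", check_local(&qr, "regionB"));
    printf("stale,   count 2:   %d\n", check_local(&qr, "stale"));
    make_sample(&qr, 255);
    printf("regionA, count 255: %d\n", check_local(&qr, "regionA"));
    return 0;
}
```

The "stale" case is the one the off-by-one changes: with `<=` the leftover slot just past the advertised count would be treated as a valid remote region.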
* [PATCH 6.1 588/969] soc: qcom: llcc: fix v1 SB syndrome register offset
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (586 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 587/969] ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 589/969] soc: qcom: aoss: compare against normalized cooling state Greg Kroah-Hartman
` (387 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Manivannan Sadhasivam,
Konrad Dybcio, Bjorn Andersson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit 24e7625df5ce065393249b78930781be593bc381 ]
The llcc_v1_edac_reg_offset table uses 0x2304c for trp_ecc_sb_err_syn0,
which is inconsistent with the surrounding TRP ECC registers (0x2034x)
and with llcc_v2_1_edac_reg_offset, where trp_ecc_sb_err_syn0 is 0x2034c
adjacent to trp_ecc_error_status0/1 at 0x20344/0x20348.
Use 0x2034c for llcc v1 so the SB syndrome register follows the expected
+0x4 progression from trp_ecc_error_status1. This fixes EDAC reading the
wrong register for SB syndrome reporting.
Fixes: c13d7d261e36 ("soc: qcom: llcc: Pass LLCC version based register offsets to EDAC driver")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Reviewed-by: Manivannan Sadhasivam <mani@kernel.org>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260330095118.2657362-1-alok.a.tiwari@oracle.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/qcom/llcc-qcom.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/soc/qcom/llcc-qcom.c b/drivers/soc/qcom/llcc-qcom.c
index 16a05143d0d62..bf1e050002bf9 100644
--- a/drivers/soc/qcom/llcc-qcom.c
+++ b/drivers/soc/qcom/llcc-qcom.c
@@ -299,7 +299,7 @@ static const struct llcc_slice_config sm8450_data[] = {
static const struct llcc_edac_reg_offset llcc_v1_edac_reg_offset = {
.trp_ecc_error_status0 = 0x20344,
.trp_ecc_error_status1 = 0x20348,
- .trp_ecc_sb_err_syn0 = 0x2304c,
+ .trp_ecc_sb_err_syn0 = 0x2034c,
.trp_ecc_db_err_syn0 = 0x20370,
.trp_ecc_error_cntr_clear = 0x20440,
.trp_interrupt_0_status = 0x20480,
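Review bot: The corrected ".trp_ecc_sb_err_syn0 = 0x2034c" now sits at +0x4 from trp_ecc_error_status1 (0x20348), but a transposed digit like the old 0x2304c compiles cleanly and only shows up as wrong EDAC data, so the other llcc_v1 entries in this table (0x20370, 0x20440, 0x20480 and those below the hunk) deserve the same side-by-side comparison with llcc_v2_1_edac_reg_offset before the table is treated as verified. A short comment giving the TRP ECC block base would make the next such typo easier to spot.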
--
2.53.0
* [PATCH 6.1 589/969] soc: qcom: aoss: compare against normalized cooling state
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (587 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 588/969] soc: qcom: llcc: fix v1 SB syndrome register offset Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 590/969] arm64: dts: qcom: sm8250: Add missing CPU7 3.09GHz OPP Greg Kroah-Hartman
` (386 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Konrad Dybcio,
Bjorn Andersson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit cd3c4670db3ffe997be9548c7a9db3952563cf14 ]
qmp_cdev_set_cur_state() normalizes the requested state to a boolean
(cdev_state = !!state). The existing early-return check compares
qmp_cdev->state == state, which can be wrong if state is non-boolean
(any non-zero value). Compare qmp_cdev->state against cdev_state instead,
so the check matches the effective state and avoids redundant updates.
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Fixes: 05589b30b21a ("soc: qcom: Extend AOSS QMP driver to support resources that are used to wake up the SoC.")
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260329195333.1478090-1-alok.a.tiwari@oracle.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/qcom/qcom_aoss.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/soc/qcom/qcom_aoss.c b/drivers/soc/qcom/qcom_aoss.c
index 18c856056475c..8b828d7a59060 100644
--- a/drivers/soc/qcom/qcom_aoss.c
+++ b/drivers/soc/qcom/qcom_aoss.c
@@ -336,7 +336,7 @@ static int qmp_cdev_set_cur_state(struct thermal_cooling_device *cdev,
/* Normalize state */
cdev_state = !!state;
- if (qmp_cdev->state == state)
+ if (qmp_cdev->state == cdev_state)
return 0;
snprintf(buf, sizeof(buf),
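Review bot: With the early return at "if (qmp_cdev->state == cdev_state)" now using the normalized value, the raw "state" argument should have no remaining readers below this point; the snprintf() arguments and any later store to qmp_cdev->state are cut off by the hunk and should be checked to use cdev_state as well, otherwise the stored value and this comparison can disagree again.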
--
2.53.0
* [PATCH 6.1 590/969] arm64: dts: qcom: sm8250: Add missing CPU7 3.09GHz OPP
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (588 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 589/969] soc: qcom: aoss: compare against normalized cooling state Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 591/969] ARM: OMAP1: Fix DEBUG_LL and earlyprintk on OMAP16XX Greg Kroah-Hartman
` (385 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Koskovich, Konrad Dybcio,
Bjorn Andersson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Koskovich <AKoskovich@pm.me>
[ Upstream commit b683730e27ba4f91986c4c92f5cb7297f1e01a6d ]
This resolves the following error seen on the ASUS ROG Phone 3:
cpu cpu7: Voltage update failed freq=3091200
cpu cpu7: failed to update OPP for freq=3091200
Fixes: 8e0e8016cb79 ("arm64: dts: qcom: sm8250: Add CPU opp tables")
Signed-off-by: Alexander Koskovich <akoskovich@pm.me>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260307-sm8250-cpu7-opp-v1-1-435f5f6628a1@pm.me
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sm8250.dtsi | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/arch/arm64/boot/dts/qcom/sm8250.dtsi b/arch/arm64/boot/dts/qcom/sm8250.dtsi
index 72ab4ca129459..ba912e03441ef 100644
--- a/arch/arm64/boot/dts/qcom/sm8250.dtsi
+++ b/arch/arm64/boot/dts/qcom/sm8250.dtsi
@@ -627,6 +627,11 @@ cpu7_opp20: opp-2841600000 {
opp-hz = /bits/ 64 <2841600000>;
opp-peak-kBps = <8368000 51609600>;
};
+
+ cpu7_opp21: opp-3091200000 {
+ opp-hz = /bits/ 64 <3091200000>;
+ opp-peak-kBps = <8368000 51609600>;
+ };
};
firmware {
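Review bot: The new cpu7_opp21 node copies "opp-peak-kBps = <8368000 51609600>" unchanged from opp-2841600000, and the commit message only cites the voltage-update error; please state whether the top frequency is meant to vote the same bandwidth as the step below it, or add a one-line comment in the node saying so.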
--
2.53.0
* [PATCH 6.1 591/969] ARM: OMAP1: Fix DEBUG_LL and earlyprintk on OMAP16XX
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (589 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 590/969] arm64: dts: qcom: sm8250: Add missing CPU7 3.09GHz OPP Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 592/969] arm64/xor: fix conflicting attributes for xor_block_template Greg Kroah-Hartman
` (384 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aaro Koskinen, Kevin Hilman,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aaro Koskinen <aaro.koskinen@iki.fi>
[ Upstream commit 7e74b606dd39c46d4378d6f6563f560a00ab8694 ]
On OMAP16XX, the UART enable bit shifts are written instead of the actual
bits. This breaks the boot when DEBUG_LL and earlyprintk are enabled;
the UART gets disabled and some random bits get enabled. Fix that.
Fixes: 34c86239b184 ("ARM: OMAP1: clock: Fix early UART rate issues")
Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Link: https://patch.msgid.link/aca7HnXZ-aCSJPW7@darkstar.musicnaut.iki.fi
Signed-off-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/mach-omap1/clock_data.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm/mach-omap1/clock_data.c b/arch/arm/mach-omap1/clock_data.c
index 96d846c37c432..0b08aef5b3677 100644
--- a/arch/arm/mach-omap1/clock_data.c
+++ b/arch/arm/mach-omap1/clock_data.c
@@ -700,8 +700,8 @@ int __init omap1_clk_init(void)
/* Make sure UART clocks are enabled early */
if (cpu_is_omap16xx())
omap_writel(omap_readl(MOD_CONF_CTRL_0) |
- CONF_MOD_UART1_CLK_MODE_R |
- CONF_MOD_UART3_CLK_MODE_R, MOD_CONF_CTRL_0);
+ (1 << CONF_MOD_UART1_CLK_MODE_R) |
+ (1 << CONF_MOD_UART3_CLK_MODE_R), MOD_CONF_CTRL_0);
#endif
/* USB_REQ_EN will be disabled later if necessary (usb_dc_ck) */
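Review bot: The fix shows that CONF_MOD_UART1_CLK_MODE_R and CONF_MOD_UART3_CLK_MODE_R are shift counts, yet nothing in the names says so, which is how they came to be ORed in as masks. In the two added lines prefer BIT(CONF_MOD_UART1_CLK_MODE_R) | BIT(CONF_MOD_UART3_CLK_MODE_R) over the open-coded "(1 << ...)", which also keeps the shift unsigned, and check the other users of these constants for the same mistake.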
--
2.53.0
* [PATCH 6.1 592/969] arm64/xor: fix conflicting attributes for xor_block_template
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (590 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 591/969] ARM: OMAP1: Fix DEBUG_LL and earlyprintk on OMAP16XX Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 593/969] ocfs2: fix listxattr handling when the buffer is full Greg Kroah-Hartman
` (383 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, Eric Biggers,
Albert Ou, Alexander Gordeev, Alexandre Ghiti, Andreas Larsson,
Anton Ivanov, Ard Biesheuvel, Arnd Bergmann,
Borislav Petkov (AMD), Catalin Marinas, Chris Mason,
Christian Borntraeger, Dan Williams, David S. Miller,
David Sterba, Heiko Carstens, Herbert Xu, H. Peter Anvin,
Huacai Chen, Ingo Molnar, Jason A. Donenfeld, Johannes Berg,
Li Nan, Madhavan Srinivasan, Magnus Lindholm, Matt Turner,
Michael Ellerman, Nicholas Piggin, Palmer Dabbelt,
Richard Henderson, Richard Weinberger, Russell King, Song Liu,
Sven Schnelle, Ted Tso, Vasily Gorbik, WANG Xuerui, Will Deacon,
Andrew Morton, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christoph Hellwig <hch@lst.de>
[ Upstream commit 675a0dd596e712404557286d0a883b54ee28e4f4 ]
Commit 2c54b423cf85 ("arm64/xor: use EOR3 instructions when available")
changed the definition to __ro_after_init instead of const, but failed to
update the external declaration in xor.h. This was not found because
xor-neon.c doesn't include <asm/xor.h>, and can't easily do that due to
the current architecture of the XOR code.
Link: https://lkml.kernel.org/r/20260327061704.3707577-4-hch@lst.de
Fixes: 2c54b423cf85 ("arm64/xor: use EOR3 instructions when available")
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Eric Biggers <ebiggers@kernel.org>
Tested-by: Eric Biggers <ebiggers@kernel.org>
Cc: Albert Ou <aou@eecs.berkeley.edu>
Cc: Alexander Gordeev <agordeev@linux.ibm.com>
Cc: Alexandre Ghiti <alex@ghiti.fr>
Cc: Andreas Larsson <andreas@gaisler.com>
Cc: Anton Ivanov <anton.ivanov@cambridgegreys.com>
Cc: Ard Biesheuvel <ardb@kernel.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: "Borislav Petkov (AMD)" <bp@alien8.de>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Chris Mason <clm@fb.com>
Cc: Christian Borntraeger <borntraeger@linux.ibm.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: David Sterba <dsterba@suse.com>
Cc: Heiko Carstens <hca@linux.ibm.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Huacai Chen <chenhuacai@kernel.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jason A. Donenfeld <jason@zx2c4.com>
Cc: Johannes Berg <johannes@sipsolutions.net>
Cc: Li Nan <linan122@huawei.com>
Cc: Madhavan Srinivasan <maddy@linux.ibm.com>
Cc: Magnus Lindholm <linmag7@gmail.com>
Cc: Matt Turner <mattst88@gmail.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: Palmer Dabbelt <palmer@dabbelt.com>
Cc: Richard Henderson <richard.henderson@linaro.org>
Cc: Richard Weinberger <richard@nod.at>
Cc: Russell King <linux@armlinux.org.uk>
Cc: Song Liu <song@kernel.org>
Cc: Sven Schnelle <svens@linux.ibm.com>
Cc: Ted Ts'o <tytso@mit.edu>
Cc: Vasily Gorbik <gor@linux.ibm.com>
Cc: WANG Xuerui <kernel@xen0n.name>
Cc: Will Deacon <will@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/include/asm/xor.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/include/asm/xor.h b/arch/arm64/include/asm/xor.h
index befcd8a7abc98..7c03207157196 100644
--- a/arch/arm64/include/asm/xor.h
+++ b/arch/arm64/include/asm/xor.h
@@ -13,7 +13,7 @@
#ifdef CONFIG_KERNEL_MODE_NEON
-extern struct xor_block_template const xor_block_inner_neon;
+extern struct xor_block_template xor_block_inner_neon __ro_after_init;
static void
xor_neon_2(unsigned long bytes, unsigned long * __restrict p1,
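Review bot: The declaration on the changed line now matches the definition only by convention: as the commit message notes, xor-neon.c does not include <asm/xor.h>, so the compiler still never sees both together and a future change to one side will go unnoticed again. A comment next to "extern struct xor_block_template xor_block_inner_neon __ro_after_init;" pointing at the definition in xor-neon.c would at least flag the pairing until the include can be added.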
--
2.53.0
* [PATCH 6.1 593/969] ocfs2: fix listxattr handling when the buffer is full
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (591 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 592/969] arm64/xor: fix conflicting attributes for xor_block_template Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 594/969] ocfs2: validate bg_bits during freefrag scan Greg Kroah-Hartman
` (382 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, ZhengYuan Huang, Joseph Qi,
Mark Fasheh, Joel Becker, Junxiao Bi, Changwei Ge, Jun Piao,
Heming Zhao, Andrew Morton, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: ZhengYuan Huang <gality369@gmail.com>
[ Upstream commit d12f558e6200b3f47dbef9331ed6d115d2410e59 ]
[BUG]
If an OCFS2 inode has both inline and block-based xattrs, listxattr()
can return a size larger than the caller's buffer when the inline names
consume that buffer exactly.
kernel BUG at mm/usercopy.c:102!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
RIP: 0010:usercopy_abort+0xb7/0xd0 mm/usercopy.c:102
Call Trace:
__check_heap_object+0xe3/0x120 mm/slub.c:8243
check_heap_object mm/usercopy.c:196 [inline]
__check_object_size mm/usercopy.c:250 [inline]
__check_object_size+0x5c5/0x780 mm/usercopy.c:215
check_object_size include/linux/ucopysize.h:22 [inline]
check_copy_size include/linux/ucopysize.h:59 [inline]
copy_to_user include/linux/uaccess.h:219 [inline]
listxattr+0xb0/0x170 fs/xattr.c:926
filename_listxattr fs/xattr.c:958 [inline]
path_listxattrat+0x137/0x320 fs/xattr.c:988
__do_sys_listxattr fs/xattr.c:1001 [inline]
__se_sys_listxattr fs/xattr.c:998 [inline]
__x64_sys_listxattr+0x7f/0xd0 fs/xattr.c:998
...
[CAUSE]
Commit 936b8834366e ("ocfs2: Refactor xattr list and remove
ocfs2_xattr_handler().") replaced the old per-handler list accounting
with ocfs2_xattr_list_entry(), but it kept using size == 0 to detect
probe mode.
That assumption stops being true once ocfs2_listxattr() finishes the
inline-xattr pass. If the inline names fill the caller buffer exactly,
the block-xattr pass runs with a non-NULL buffer and a remaining size of
zero. ocfs2_xattr_list_entry() then skips the bounds check, keeps
counting block names, and returns a positive size larger than the
supplied buffer.
[FIX]
Detect probe mode by testing whether the destination buffer pointer is
NULL instead of whether the remaining size is zero.
That restores the pre-refactor behavior and matches the OCFS2 getxattr
helpers. Once the remaining buffer reaches zero while more names are
left, the block-xattr pass now returns -ERANGE instead of reporting a
size larger than the allocated list buffer.
Link: https://lkml.kernel.org/r/20260410040339.3837162-1-gality369@gmail.com
Fixes: 936b8834366e ("ocfs2: Refactor xattr list and remove ocfs2_xattr_handler().")
Signed-off-by: ZhengYuan Huang <gality369@gmail.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Cc: Heming Zhao <heming.zhao@suse.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ocfs2/xattr.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c
index 7ac7cb6117d4f..1f22ad21ae608 100644
--- a/fs/ocfs2/xattr.c
+++ b/fs/ocfs2/xattr.c
@@ -911,8 +911,8 @@ static int ocfs2_xattr_list_entry(struct super_block *sb,
total_len = prefix_len + name_len + 1;
*result += total_len;
- /* we are just looking for how big our buffer needs to be */
- if (!size)
+ /* No buffer means we are only looking for the required size. */
+ if (!buffer)
return 0;
if (*result > size)
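Review bot: With "if (!buffer)" as the probe test, the helper's contract is that buffer is NULL exactly when the caller wants only a size, but that is documented only by the one-line comment, and a NULL buffer paired with a non-zero size is silently treated as a probe. Note also that "*result += total_len;" still runs before the "if (*result > size)" check, so on -ERANGE *result already includes the entry that did not fit and callers must not use it after an error. Both points belong in the function's header comment.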
--
2.53.0
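The two-pass accounting described in the [CAUSE] and [FIX] sections of the listxattr patch above, as an added userspace model (not the OCFS2 code). The names, sizes and the model_listxattr() structure are assumptions made for illustration; only the probe test (size == 0 versus buffer == NULL) is taken from the patch.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* How the per-entry helper decides the caller only wants the required size. */
enum probe_test { PROBE_BY_SIZE, PROBE_BY_BUFFER };

/* Constructed sample names: 7 + 8 = 15 bytes inline, 9 bytes in the block. */
static const char *const inline_names[] = { "user.a", "user.bb" };
static const char *const block_names[] = { "user.ccc" };

/* Model of the per-entry accounting: count the name, then maybe copy it. */
static int list_entry(enum probe_test mode, char *buffer, size_t size,
		      size_t *result, const char *name)
{
	size_t total_len = strlen(name) + 1;	/* name plus its NUL */

	*result += total_len;
	if (mode == PROBE_BY_SIZE ? size == 0 : buffer == NULL)
		return 0;			/* treated as a size probe */
	if (*result > size)
		return -ERANGE;
	memcpy(buffer + *result - total_len, name, total_len);
	return 0;
}

/* One pass over a name source; returns bytes needed or a negative errno. */
static long list_pass(enum probe_test mode, char *buffer, size_t size,
		      const char *const *names, size_t count)
{
	size_t result = 0;

	for (size_t i = 0; i < count; i++) {
		int ret = list_entry(mode, buffer, size, &result, names[i]);

		if (ret)
			return ret;
	}
	return (long)result;
}

/* Inline pass first, then the block pass on whatever space is left. */
long model_listxattr(enum probe_test mode, char *buffer, size_t size)
{
	long i_ret, b_ret;

	i_ret = list_pass(mode, buffer, size, inline_names, 2);
	if (i_ret < 0)
		return i_ret;
	if (buffer) {
		buffer += i_ret;
		size -= (size_t)i_ret;	/* may reach 0 with buffer != NULL */
	}
	b_ret = list_pass(mode, buffer, size, block_names, 1);
	if (b_ret < 0)
		return b_ret;
	return i_ret + b_ret;
}

/* Caller buffer that the inline names fill exactly (15 bytes). */
long exact_fit_result(enum probe_test mode)
{
	char buf[15];

	return model_listxattr(mode, buf, sizeof(buf));
}

/* Caller buffer large enough for every name; 0 means contents match. */
int full_buffer_matches(enum probe_test mode)
{
	static const char want[24] = "user.a\0user.bb\0user.ccc";
	char buf[24];

	if (model_listxattr(mode, buf, sizeof(buf)) != 24)
		return -1;
	return memcmp(buf, want, sizeof(want));
}

int main(void)
{
	printf("probe (NULL, 0):       %ld\n",
	       model_listxattr(PROBE_BY_BUFFER, NULL, 0));
	printf("15-byte buf, size==0:  %ld (larger than the buffer)\n",
	       exact_fit_result(PROBE_BY_SIZE));
	printf("15-byte buf, !buffer:  %ld (-ERANGE)\n",
	       exact_fit_result(PROBE_BY_BUFFER));
	return 0;
}
```

A return value larger than the caller's buffer is what the generic listxattr() path then hands to copy_to_user(), which is where the usercopy check in the [BUG] trace fires.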
* [PATCH 6.1 594/969] ocfs2: validate bg_bits during freefrag scan
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (592 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 593/969] ocfs2: fix listxattr handling when the buffer is full Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 595/969] ocfs2: validate group add input before caching Greg Kroah-Hartman
` (381 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, ZhengYuan Huang, Heming Zhao,
Joseph Qi, Mark Fasheh, Joel Becker, Junxiao Bi, Changwei Ge,
Jun Piao, Andrew Morton, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: ZhengYuan Huang <gality369@gmail.com>
[ Upstream commit 8f687eeed3da3012152b0f9473f578869de0cd7b ]
[BUG]
A crafted filesystem can trigger an out-of-bounds bitmap walk when
OCFS2_IOC_INFO is issued with OCFS2_INFO_FL_NON_COHERENT.
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in test_bit_le include/asm-generic/bitops/le.h:21 [inline]
BUG: KASAN: use-after-free in ocfs2_info_freefrag_scan_chain fs/ocfs2/ioctl.c:495 [inline]
BUG: KASAN: use-after-free in ocfs2_info_freefrag_scan_bitmap fs/ocfs2/ioctl.c:588 [inline]
BUG: KASAN: use-after-free in ocfs2_info_handle_freefrag fs/ocfs2/ioctl.c:662 [inline]
BUG: KASAN: use-after-free in ocfs2_info_handle_request+0x1c66/0x3370 fs/ocfs2/ioctl.c:754
Read of size 8 at addr ffff888031bce000 by task syz.0.636/1435
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0xbe/0x130 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xd1/0x650 mm/kasan/report.c:482
kasan_report+0xfb/0x140 mm/kasan/report.c:595
check_region_inline mm/kasan/generic.c:186 [inline]
kasan_check_range+0x11c/0x200 mm/kasan/generic.c:200
__kasan_check_read+0x11/0x20 mm/kasan/shadow.c:31
instrument_atomic_read include/linux/instrumented.h:68 [inline]
_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
test_bit_le include/asm-generic/bitops/le.h:21 [inline]
ocfs2_info_freefrag_scan_chain fs/ocfs2/ioctl.c:495 [inline]
ocfs2_info_freefrag_scan_bitmap fs/ocfs2/ioctl.c:588 [inline]
ocfs2_info_handle_freefrag fs/ocfs2/ioctl.c:662 [inline]
ocfs2_info_handle_request+0x1c66/0x3370 fs/ocfs2/ioctl.c:754
ocfs2_info_handle+0x18d/0x2a0 fs/ocfs2/ioctl.c:828
ocfs2_ioctl+0x632/0x6e0 fs/ocfs2/ioctl.c:913
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x197/0x1e0 fs/ioctl.c:583
...
[CAUSE]
ocfs2_info_freefrag_scan_chain() uses on-disk bg_bits directly as the
bitmap scan limit. The coherent path reads group descriptors through
ocfs2_read_group_descriptor(), which validates the descriptor before
use. The non-coherent path uses ocfs2_read_blocks_sync() instead and
skips that validation, so an impossible bg_bits value can drive the
bitmap walk past the end of the block.
[FIX]
Compute the bitmap capacity from the filesystem format with
ocfs2_group_bitmap_size(), report descriptors whose bg_bits exceeds
that limit, and clamp the scan to the computed capacity. This keeps the
freefrag report going while avoiding reads beyond the buffer.
Link: https://lkml.kernel.org/r/20260410034220.3825769-1-gality369@gmail.com
Fixes: d24a10b9f8ed ("Ocfs2: Add a new code 'OCFS2_INFO_FREEFRAG' for o2info ioctl.")
Signed-off-by: ZhengYuan Huang <gality369@gmail.com>
Reviewed-by: Heming Zhao <heming.zhao@suse.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Cc: Heming Zhao <heming.zhao@suse.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ocfs2/ioctl.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/fs/ocfs2/ioctl.c b/fs/ocfs2/ioctl.c
index afd54ec661030..84fb4bc33db9e 100644
--- a/fs/ocfs2/ioctl.c
+++ b/fs/ocfs2/ioctl.c
@@ -442,13 +442,16 @@ static int ocfs2_info_freefrag_scan_chain(struct ocfs2_super *osb,
struct buffer_head *bh = NULL;
struct ocfs2_group_desc *bg = NULL;
- unsigned int max_bits, num_clusters;
+ unsigned int max_bits, max_bitmap_bits, num_clusters;
unsigned int offset = 0, cluster, chunk;
unsigned int chunk_free, last_chunksize = 0;
if (!le32_to_cpu(rec->c_free))
goto bail;
+ max_bitmap_bits = 8 * ocfs2_group_bitmap_size(osb->sb, 0,
+ osb->s_feature_incompat);
+
do {
if (!bg)
blkno = le64_to_cpu(rec->c_blkno);
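Review bot: In the added "max_bitmap_bits = 8 * ocfs2_group_bitmap_size(osb->sb, 0, osb->s_feature_incompat);" the literal 0 passed as the second argument is unexplained, and the bound is only correct if that argument selects the layout of the descriptors this chain actually holds. Please add a comment saying what 0 means here and why the result is a valid upper bound for every group the loop below scans.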
@@ -480,6 +483,19 @@ static int ocfs2_info_freefrag_scan_chain(struct ocfs2_super *osb,
continue;
max_bits = le16_to_cpu(bg->bg_bits);
+
+ /*
+ * Non-coherent scans read raw blocks and do not get the
+ * bg_bits validation from
+ * ocfs2_read_group_descriptor().
+ */
+ if (max_bits > max_bitmap_bits) {
+ mlog(ML_ERROR,
+ "Group desc #%llu has %u bits, max bitmap bits %u\n",
+ (unsigned long long)blkno, max_bits, max_bitmap_bits);
+ max_bits = max_bitmap_bits;
+ }
+
offset = 0;
for (chunk = 0; chunk < chunks_in_group; chunk++) {
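Review bot: The mlog(ML_ERROR, ...) in the new "if (max_bits > max_bitmap_bits)" block fires once per oversized descriptor on an ioctl path that the commit message says a crafted filesystem can reach, so repeated calls can fill the kernel log; a rate-limited message would be safer. Clamping also means the scan goes on to count free chunks from a descriptor already known to be inconsistent, so consider whether skipping the group with "continue" gives a more honest freefrag report than numbers taken from clamped data.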
--
2.53.0
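The clamp described in the [FIX] section of the bg_bits patch above, as an added userspace model (not the OCFS2 code). The 512-byte block, the 64-byte header and the field offset are assumptions chosen for the model; the point carried over from the patch is that the scan limit comes from the format-derived capacity, with the on-disk count treated as untrusted.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout for this model only; not the real OCFS2 on-disk format. */
#define BLOCK_SIZE  512u	/* bytes in one group descriptor block */
#define BITMAP_OFF  64u		/* bitmap starts after a 64-byte header */
#define BG_BITS_OFF 8u		/* little-endian 16-bit bit count */

/* Capacity comes from the format, never from the block's own contents. */
unsigned int bitmap_capacity_bits(void)
{
	return 8u * (BLOCK_SIZE - BITMAP_OFF);
}

/* Decode the untrusted on-disk bit count. */
static unsigned int disk_bg_bits(const uint8_t *blk)
{
	return blk[BG_BITS_OFF] | ((unsigned int)blk[BG_BITS_OFF + 1] << 8);
}

/* Bytes past the block end that a walk bounded only by bg_bits would read. */
size_t unclamped_overrun_bytes(const uint8_t *blk)
{
	unsigned int bits = disk_bg_bits(blk), cap = bitmap_capacity_bits();

	return bits > cap ? (bits - cap + 7u) / 8u : 0;
}

/* Little-endian bit test inside the bitmap area. */
static int test_bit_le(const uint8_t *bitmap, unsigned int nr)
{
	return (bitmap[nr / 8] >> (nr % 8)) & 1;
}

/* Count free (clear) bits; *clamped is set when bg_bits was out of range. */
unsigned int count_free_bits(const uint8_t *blk, int *clamped)
{
	unsigned int max_bits = disk_bg_bits(blk);
	unsigned int free_bits = 0, i;

	*clamped = max_bits > bitmap_capacity_bits();
	if (*clamped)
		max_bits = bitmap_capacity_bits();	/* report, then clamp */
	for (i = 0; i < max_bits; i++)
		if (!test_bit_le(blk + BITMAP_OFF, i))
			free_bits++;
	return free_bits;
}

/* Constructed sample block: bg_bits as given, first used_bits bits set. */
static void make_block(uint8_t *blk, unsigned int bg_bits,
		       unsigned int used_bits)
{
	unsigned int i;

	memset(blk, 0, BLOCK_SIZE);
	blk[BG_BITS_OFF] = bg_bits & 0xff;
	blk[BG_BITS_OFF + 1] = (bg_bits >> 8) & 0xff;
	for (i = 0; i < used_bits && i < bitmap_capacity_bits(); i++)
		blk[BITMAP_OFF + i / 8] |= (uint8_t)(1u << (i % 8));
}

/* Helpers that build one sample block and return a single result each. */
unsigned int sample_free(unsigned int bg_bits, unsigned int used_bits)
{
	uint8_t blk[BLOCK_SIZE];
	int clamped;

	make_block(blk, bg_bits, used_bits);
	return count_free_bits(blk, &clamped);
}

int sample_clamped(unsigned int bg_bits)
{
	uint8_t blk[BLOCK_SIZE];
	int clamped;

	make_block(blk, bg_bits, 0);
	(void)count_free_bits(blk, &clamped);
	return clamped;
}

size_t sample_overrun(unsigned int bg_bits)
{
	uint8_t blk[BLOCK_SIZE];

	make_block(blk, bg_bits, 0);
	return unclamped_overrun_bytes(blk);
}

int main(void)
{
	printf("capacity: %u bits\n", bitmap_capacity_bits());
	printf("bg_bits=1024:   free=%u clamped=%d\n",
	       sample_free(1024, 24), sample_clamped(1024));
	printf("bg_bits=0xffff: free=%u clamped=%d, unclamped overrun=%zu bytes\n",
	       sample_free(0xffff, 24), sample_clamped(0xffff),
	       sample_overrun(0xffff));
	return 0;
}
```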
* [PATCH 6.1 595/969] ocfs2: validate group add input before caching
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (593 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 594/969] ocfs2: validate bg_bits during freefrag scan Greg Kroah-Hartman
@ 2026-05-30 16:01 ` Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 596/969] dmaengine: dw-axi-dmac: Remove unnecessary return statement from void function Greg Kroah-Hartman
` (380 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, ZhengYuan Huang, Joseph Qi,
Mark Fasheh, Joel Becker, Junxiao Bi, Changwei Ge, Jun Piao,
Heming Zhao, Andrew Morton, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: ZhengYuan Huang <gality369@gmail.com>
[ Upstream commit 70b672833f4025341c11b22c7f83778a5cd611bc ]
[BUG]
OCFS2_IOC_GROUP_ADD can trigger a BUG_ON in
ocfs2_set_new_buffer_uptodate():
kernel BUG at fs/ocfs2/uptodate.c:509!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
RIP: 0010:ocfs2_set_new_buffer_uptodate+0x194/0x1e0 fs/ocfs2/uptodate.c:509
Code: ffffe88f 42b9fe4c 89e64889 dfe8b4df
Call Trace:
ocfs2_group_add+0x3f1/0x1510 fs/ocfs2/resize.c:507
ocfs2_ioctl+0x309/0x6e0 fs/ocfs2/ioctl.c:887
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x197/0x1e0 fs/ioctl.c:583
x64_sys_call+0x1144/0x26a0 arch/x86/include/generated/asm/syscalls_64.h:17
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x93/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7bbfb55a966d
[CAUSE]
ocfs2_group_add() calls ocfs2_set_new_buffer_uptodate() on a
user-controlled group block before ocfs2_verify_group_and_input()
validates that block number. That helper is only valid for newly
allocated metadata and asserts that the block is not already present in
the chosen metadata cache. The code also uses INODE_CACHE(inode) even
though the group descriptor belongs to main_bm_inode and later journal
accesses use that cache context instead.
[FIX]
Validate the on-disk group descriptor before caching it, then add it to
the metadata cache tracked by INODE_CACHE(main_bm_inode). Keep the
validation failure path separate from the later cleanup path so we only
remove the buffer from that cache after it has actually been inserted.
This keeps the group buffer lifetime consistent across validation,
journaling, and cleanup.
Link: https://lkml.kernel.org/r/20260410020209.3786348-1-gality369@gmail.com
Fixes: 7909f2bf8353 ("[PATCH 2/2] ocfs2: Implement group add for online resize")
Signed-off-by: ZhengYuan Huang <gality369@gmail.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Cc: Heming Zhao <heming.zhao@suse.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ocfs2/resize.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/fs/ocfs2/resize.c b/fs/ocfs2/resize.c
index 42c0d314f95e8..acf2769f4c8c7 100644
--- a/fs/ocfs2/resize.c
+++ b/fs/ocfs2/resize.c
@@ -500,14 +500,14 @@ int ocfs2_group_add(struct inode *inode, struct ocfs2_new_group_input *input)
goto out_unlock;
}
- ocfs2_set_new_buffer_uptodate(INODE_CACHE(inode), group_bh);
-
ret = ocfs2_verify_group_and_input(main_bm_inode, fe, input, group_bh);
if (ret) {
mlog_errno(ret);
goto out_free_group_bh;
}
+ ocfs2_set_new_buffer_uptodate(INODE_CACHE(main_bm_inode), group_bh);
+
trace_ocfs2_group_add((unsigned long long)input->group,
input->chain, input->clusters, input->frees);
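Review bot: Moving ocfs2_set_new_buffer_uptodate() below ocfs2_verify_group_and_input() removes the unvalidated insert, but per the commit message the helper still asserts that the block is not already in the chosen cache, so the BUG_ON stays reachable unless verification guarantees that for INODE_CACHE(main_bm_inode); please say in a comment above the moved call which check provides that guarantee. The "goto out_free_group_bh" in the verify failure path is only correct together with the label split at the end of the function, so the hunks must be backported as one.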
@@ -515,7 +515,7 @@ int ocfs2_group_add(struct inode *inode, struct ocfs2_new_group_input *input)
if (IS_ERR(handle)) {
mlog_errno(PTR_ERR(handle));
ret = -EINVAL;
- goto out_free_group_bh;
+ goto out_remove_cache;
}
cl_bpc = le16_to_cpu(fe->id2.i_chain.cl_bpc);
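Review bot: The switch to "goto out_remove_cache" is right now that the buffer is in the cache at this point, but the unchanged "ret = -EINVAL;" just above it discards PTR_ERR(handle) after logging it, so callers cannot tell a failure to obtain the handle from bad input. Returning PTR_ERR(handle) would be more useful, in a separate patch if not here.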
@@ -569,9 +569,11 @@ int ocfs2_group_add(struct inode *inode, struct ocfs2_new_group_input *input)
out_commit:
ocfs2_commit_trans(osb, handle);
-out_free_group_bh:
+out_remove_cache:
if (ret < 0)
- ocfs2_remove_from_cache(INODE_CACHE(inode), group_bh);
+ ocfs2_remove_from_cache(INODE_CACHE(main_bm_inode), group_bh);
+
+out_free_group_bh:
brelse(group_bh);
out_unlock:
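Review bot: The cleanup now relies on label order: out_commit falls through to out_remove_cache, which falls through to out_free_group_bh, and only the "if (ret < 0)" test keeps a successful add from being dropped from the cache. That is easy to break when a new error path is added, so a one-line comment at out_remove_cache stating that it may only be reached after ocfs2_set_new_buffer_uptodate() has run would help.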
--
2.53.0
* [PATCH 6.1 596/969] dmaengine: dw-axi-dmac: Remove unnecessary return statement from void function
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (594 preceding siblings ...)
2026-05-30 16:01 ` [PATCH 6.1 595/969] ocfs2: validate group add input before caching Greg Kroah-Hartman
@ 2026-05-30 16:02 ` Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 597/969] soundwire: bus: demote UNATTACHED state warnings to dev_dbg() Greg Kroah-Hartman
` (379 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Khairul Anuar Romli, Vinod Koul,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Khairul Anuar Romli <karom.9560@gmail.com>
[ Upstream commit 48278a72fce8a8d30efaedeb206c9c3f05c1eb3f ]
checkpatch.pl --strict reports a WARNING in dw-axi-dmac-platform.c:
WARNING: void function return statements are not generally useful
FILE: drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c
According to Linux kernel coding style [Documentation/process/
coding-style.rst], explicit "return;" statements at the end of void
functions are redundant and should be omitted. The function will
automatically return upon reaching the closing brace, so the extra
statement adds unnecessary clutter without functional benefit.
This patch removes the superfluous "return;" statement in
dw_axi_dma_set_hw_channel() to comply with kernel coding standards and
eliminate the checkpatch warning.
Fixes: 32286e279385 ("dmaengine: dw-axi-dmac: Remove free slot check algorithm in dw_axi_dma_set_hw_channel")
Signed-off-by: Khairul Anuar Romli <karom.9560@gmail.com>
Link: https://patch.msgid.link/20260202060224.12616-4-karom.9560@gmail.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c b/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c
index 7596864bf8bb2..46b080941b621 100644
--- a/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c
+++ b/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c
@@ -540,8 +540,6 @@ static void dw_axi_dma_set_hw_channel(struct axi_dma_chan *chan, bool set)
(chan->id * DMA_APB_HS_SEL_BIT_SIZE));
reg_value |= (val << (chan->id * DMA_APB_HS_SEL_BIT_SIZE));
lo_hi_writeq(reg_value, chip->apb_regs + DMAC_APB_HW_HS_SEL_0);
-
- return;
}
/*
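Review bot: The two removed lines (a blank line and a trailing "return;" at the end of a void function) change no behaviour, so the Fixes: tag in the commit message is the only reason this shows up in a stable review. If it is here as a prerequisite for a later patch in the series, the changelog should say which one; otherwise it does not look like stable material.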
--
2.53.0
* [PATCH 6.1 597/969] soundwire: bus: demote UNATTACHED state warnings to dev_dbg()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (595 preceding siblings ...)
2026-05-30 16:02 ` [PATCH 6.1 596/969] dmaengine: dw-axi-dmac: Remove unnecessary return statement from void function Greg Kroah-Hartman
@ 2026-05-30 16:02 ` Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 598/969] dmaengine: mxs-dma: Fix missing return value from of_dma_controller_register() Greg Kroah-Hartman
` (378 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cole Leavitt, Richard Fitzgerald,
Vinod Koul, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cole Leavitt <cole@unwrap.rs>
[ Upstream commit 2c96956fe764f8224f9ec93b2a9160a578949a7a ]
The dev_warn() messages in sdw_handle_slave_status() for UNATTACHED
transitions were added in commit d1b328557058 ("soundwire: bus: add
dev_warn() messages to track UNATTACHED devices") to debug attachment
failures with dynamic debug enabled.
These warnings fire during normal operation -- for example when a codec
driver triggers a hardware reset after firmware download, causing the
device to momentarily go UNATTACHED before re-attaching -- producing
misleading noise on every boot.
Demote the messages to dev_dbg() so they remain available via dynamic
debug for diagnosing real attachment failures without alarming users
during expected initialization sequences.
Fixes: d1b328557058 ("soundwire: bus: add dev_warn() messages to track UNATTACHED devices")
Signed-off-by: Cole Leavitt <cole@unwrap.rs>
Reviewed-by: Richard Fitzgerald <rf@opensource.cirrus.com>
Link: https://patch.msgid.link/20260218180210.9263-1-cole@unwrap.rs
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soundwire/bus.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/soundwire/bus.c b/drivers/soundwire/bus.c
index f7b3e6a6975b4..1b6ba23edf0fa 100644
--- a/drivers/soundwire/bus.c
+++ b/drivers/soundwire/bus.c
@@ -1815,8 +1815,8 @@ int sdw_handle_slave_status(struct sdw_bus *bus,
if (status[i] == SDW_SLAVE_UNATTACHED &&
slave->status != SDW_SLAVE_UNATTACHED) {
- dev_warn(&slave->dev, "Slave %d state check1: UNATTACHED, status was %d\n",
- i, slave->status);
+ dev_dbg(&slave->dev, "Slave %d state check1: UNATTACHED, status was %d\n",
+ i, slave->status);
sdw_modify_slave_status(slave, SDW_SLAVE_UNATTACHED);
/* Ensure driver knows that peripheral unattached */
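Review bot: After this change the "status[i] == SDW_SLAVE_UNATTACHED" transition is logged only at debug level, so a peripheral that drops off the bus and never re-attaches leaves nothing in the log at the default level from this path. The commit message accepts that for the reset-after-firmware-download case, but it is worth confirming that some other message still reports a device that stays UNATTACHED. The re-indented continuation line "i, slave->status);" is fine.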
@@ -1867,8 +1867,8 @@ int sdw_handle_slave_status(struct sdw_bus *bus,
if (slave->status == SDW_SLAVE_UNATTACHED)
break;
- dev_warn(&slave->dev, "Slave %d state check2: UNATTACHED, status was %d\n",
- i, slave->status);
+ dev_dbg(&slave->dev, "Slave %d state check2: UNATTACHED, status was %d\n",
+ i, slave->status);
sdw_modify_slave_status(slave, SDW_SLAVE_UNATTACHED);
break;
--
2.53.0
* [PATCH 6.1 598/969] dmaengine: mxs-dma: Fix missing return value from of_dma_controller_register()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (596 preceding siblings ...)
2026-05-30 16:02 ` [PATCH 6.1 597/969] soundwire: bus: demote UNATTACHED state warnings to dev_dbg() Greg Kroah-Hartman
@ 2026-05-30 16:02 ` Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 599/969] tracing: Rebuild full_name on each hist_field_name() call Greg Kroah-Hartman
` (377 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Frank Li, Vinod Koul, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Frank Li <Frank.Li@nxp.com>
[ Upstream commit ab2bf6d4c0a0152907b18d25c1b118ea5ea779df ]
Propagate the return value of of_dma_controller_register() in probe()
instead of ignoring it.
Fixes: a580b8c5429a6 ("dmaengine: mxs-dma: add dma support for i.MX23/28")
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20260225-mxsdma-module-v3-2-8f798b13baa6@nxp.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/mxs-dma.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/dma/mxs-dma.c b/drivers/dma/mxs-dma.c
index dc147cc2436e9..5d34440b9e127 100644
--- a/drivers/dma/mxs-dma.c
+++ b/drivers/dma/mxs-dma.c
@@ -827,6 +827,7 @@ static int mxs_dma_probe(struct platform_device *pdev)
if (ret) {
dev_err(mxs_dma->dma_device.dev,
"failed to register controller\n");
+ return ret;
}
dev_info(mxs_dma->dma_device.dev, "initialized\n");
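Review bot: the added `return ret;` inside the `if (ret)` block leaves mxs_dma_probe() directly, and nothing in this hunk unwinds what probe set up before of_dma_controller_register(). If the earlier DMA device registration in the 6.1 version of this function is not devm-managed, this path needs an explicit unregister (or a goto to an error label) before returning; worth confirming against the stable tree rather than upstream. The changelog could also state the visible symptom: before the fix probe logged "failed to register controller" and then went on to print "initialized".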
--
2.53.0
* [PATCH 6.1 599/969] tracing: Rebuild full_name on each hist_field_name() call
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (597 preceding siblings ...)
2026-05-30 16:02 ` [PATCH 6.1 598/969] dmaengine: mxs-dma: Fix missing return value from of_dma_controller_register() Greg Kroah-Hartman
@ 2026-05-30 16:02 ` Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 600/969] ima: check return value of crypto_shash_final() in boot aggregate Greg Kroah-Hartman
` (376 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tom Zanussi, Pengpeng Hou,
Steven Rostedt (Google), Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pengpeng Hou <pengpeng@iscas.ac.cn>
[ Upstream commit 5ec1d1e97de134beed3a5b08235a60fc1c51af96 ]
hist_field_name() uses a static MAX_FILTER_STR_VAL buffer for fully
qualified variable-reference names, but it currently appends into that
buffer with strcat() without rebuilding it first. As a result, repeated
calls append a new "system.event.field" name onto the previous one,
which can eventually run past the end of full_name.
Build the name with snprintf() on each call and return NULL if the fully
qualified name does not fit in MAX_FILTER_STR_VAL.
Link: https://patch.msgid.link/20260401112224.85582-1-pengpeng@iscas.ac.cn
Fixes: 067fe038e70f ("tracing: Add variable reference handling to hist triggers")
Reviewed-by: Tom Zanussi <zanussi@kernel.org>
Tested-by: Tom Zanussi <zanussi@kernel.org>
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/trace_events_hist.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c
index 356360e75f9a7..b5276f2f2cf40 100644
--- a/kernel/trace/trace_events_hist.c
+++ b/kernel/trace/trace_events_hist.c
@@ -1346,12 +1346,14 @@ static const char *hist_field_name(struct hist_field *field,
field->flags & HIST_FIELD_FL_VAR_REF) {
if (field->system) {
static char full_name[MAX_FILTER_STR_VAL];
+ int len;
+
+ len = snprintf(full_name, sizeof(full_name), "%s.%s.%s",
+ field->system, field->event_name,
+ field->name);
+ if (len >= sizeof(full_name))
+ return NULL;
- strcat(full_name, field->system);
- strcat(full_name, ".");
- strcat(full_name, field->event_name);
- strcat(full_name, ".");
- strcat(full_name, field->name);
field_name = full_name;
} else
field_name = field->name;
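Review bot: the new `return NULL;` after the snprintf() length check gives hist_field_name() a failure return on the variable-reference path, so every caller that hands the result to a string helper or a %s format has to cope with NULL. The shortlog of this series also lists "tracing: Avoid NULL return from hist_field_name() on truncation", so the two should stay together in the queue. Minor: `len` is an int compared against `sizeof(full_name)`, a size_t; a negative value converts to a large unsigned and also takes the NULL path, but an explicit `len < 0 ||` would make that intent readable. full_name is still a static buffer, so the returned pointer is only valid until the next call.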
--
2.53.0
* [PATCH 6.1 600/969] ima: check return value of crypto_shash_final() in boot aggregate
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (598 preceding siblings ...)
2026-05-30 16:02 ` [PATCH 6.1 599/969] tracing: Rebuild full_name on each hist_field_name() call Greg Kroah-Hartman
@ 2026-05-30 16:02 ` Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 601/969] HID: asus: make asus_resume adhere to linux kernel coding standards Greg Kroah-Hartman
` (375 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Hodges, Roberto Sassu,
Mimi Zohar, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Hodges <hodgesd@meta.com>
[ Upstream commit 870819434c8dfcc3158033b66e7851b81bb17e21 ]
The return value of crypto_shash_final() is not checked in
ima_calc_boot_aggregate_tfm(). If the hash finalization fails, the
function returns success and a corrupted boot aggregate digest could
be used for IMA measurements.
Capture the return value and propagate any error to the caller.
Fixes: 76bb28f6126f ("ima: use new crypto_shash API instead of old crypto_hash")
Signed-off-by: Daniel Hodges <hodgesd@meta.com>
Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/integrity/ima/ima_crypto.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
index 64499056648ad..c5153f0d7306d 100644
--- a/security/integrity/ima/ima_crypto.c
+++ b/security/integrity/ima/ima_crypto.c
@@ -837,7 +837,7 @@ static int ima_calc_boot_aggregate_tfm(char *digest, u16 alg_id,
}
}
if (!rc)
- crypto_shash_final(shash, digest);
+ rc = crypto_shash_final(shash, digest);
return rc;
}
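Review bot: with `rc = crypto_shash_final(shash, digest);` the function can now return an error after `digest` has been handed to the hash code, so the caller must treat the buffer contents as undefined whenever rc is non-zero. Please check that the caller of ima_calc_boot_aggregate_tfm() does not go on to record the boot aggregate from that buffer on the error path; the commit message describes the corrupted-digest risk but does not say how the caller reacts to the new error.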
--
2.53.0
* [PATCH 6.1 601/969] HID: asus: make asus_resume adhere to linux kernel coding standards
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (599 preceding siblings ...)
2026-05-30 16:02 ` [PATCH 6.1 600/969] ima: check return value of crypto_shash_final() in boot aggregate Greg Kroah-Hartman
@ 2026-05-30 16:02 ` Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 602/969] HID: asus: do not abort probe when not necessary Greg Kroah-Hartman
` (374 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Denis Benato, Jiri Kosina,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Denis Benato <denis.benato@linux.dev>
[ Upstream commit 51d33b42b8ae23da92819d28439fdd5636c45186 ]
Linux kernel coding standards require functions' opening brackets to be on
a new line: move the opening bracket of asus_resume onto its own line.
Fixes: 546edbd26cff ("HID: hid-asus: reset the backlight brightness level on resume")
Signed-off-by: Denis Benato <denis.benato@linux.dev>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-asus.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/hid/hid-asus.c b/drivers/hid/hid-asus.c
index a95e47ce6d1e5..b51988e478e59 100644
--- a/drivers/hid/hid-asus.c
+++ b/drivers/hid/hid-asus.c
@@ -996,7 +996,8 @@ static int asus_start_multitouch(struct hid_device *hdev)
return 0;
}
-static int __maybe_unused asus_resume(struct hid_device *hdev) {
+static int __maybe_unused asus_resume(struct hid_device *hdev)
+{
struct asus_drvdata *drvdata = hid_get_drvdata(hdev);
int ret = 0;
--
2.53.0
* [PATCH 6.1 602/969] HID: asus: do not abort probe when not necessary
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (600 preceding siblings ...)
2026-05-30 16:02 ` [PATCH 6.1 601/969] HID: asus: make asus_resume adhere to linux kernel coding standards Greg Kroah-Hartman
@ 2026-05-30 16:02 ` Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 603/969] mtd: physmap_of_gemini: Fix disabled pinctrl state check Greg Kroah-Hartman
` (373 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Denis Benato, Jiri Kosina,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Denis Benato <denis.benato@linux.dev>
[ Upstream commit 7253091766ded0fd81fe8d8be9b8b835495b06e8 ]
In order to avoid dereferencing a NULL pointer asus_probe is aborted early
and control of some asus devices is transferred over hid-generic after
erroring out even when such NULL dereference cannot happen: only early
abort when the NULL dereference can happen.
Also make the code shorter and more adherent to coding standards
removing square brackets enclosing single-line if-else statements.
Fixes: d3af6ca9a8c3 ("HID: asus: fix UAF via HID_CLAIMED_INPUT validation")
Signed-off-by: Denis Benato <denis.benato@linux.dev>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-asus.c | 25 ++++++++++---------------
1 file changed, 10 insertions(+), 15 deletions(-)
diff --git a/drivers/hid/hid-asus.c b/drivers/hid/hid-asus.c
index b51988e478e59..9193dfed68368 100644
--- a/drivers/hid/hid-asus.c
+++ b/drivers/hid/hid-asus.c
@@ -1124,22 +1124,17 @@ static int asus_probe(struct hid_device *hdev, const struct hid_device_id *id)
* were freed during registration due to no usages being mapped,
* leaving drvdata->input pointing to freed memory.
*/
- if (!drvdata->input || !(hdev->claimed & HID_CLAIMED_INPUT)) {
- hid_err(hdev, "Asus input not registered\n");
- ret = -ENOMEM;
- goto err_stop_hw;
- }
-
- if (drvdata->tp) {
- drvdata->input->name = "Asus TouchPad";
- } else {
- drvdata->input->name = "Asus Keyboard";
- }
+ if (drvdata->input && (hdev->claimed & HID_CLAIMED_INPUT)) {
+ if (drvdata->tp)
+ drvdata->input->name = "Asus TouchPad";
+ else
+ drvdata->input->name = "Asus Keyboard";
- if (drvdata->tp) {
- ret = asus_start_multitouch(hdev);
- if (ret)
- goto err_stop_hw;
+ if (drvdata->tp) {
+ ret = asus_start_multitouch(hdev);
+ if (ret)
+ goto err_stop_hw;
+ }
}
return 0;
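Review bot: when `drvdata->input` is non-NULL but `hdev->claimed & HID_CLAIMED_INPUT` is clear, the new `if` is skipped and probe returns 0 with drvdata->input left untouched. The comment kept just above the condition says that in this situation the input devices were freed and drvdata->input points to freed memory, which is the state the commit named in Fixes: guarded against by failing probe. Consider setting `drvdata->input = NULL` in an else branch, and confirm that any later user of drvdata->input outside probe tolerates NULL, so the relaxed probe does not leave a dangling pointer reachable.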
--
2.53.0
* [PATCH 6.1 603/969] mtd: physmap_of_gemini: Fix disabled pinctrl state check
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (601 preceding siblings ...)
2026-05-30 16:02 ` [PATCH 6.1 602/969] HID: asus: do not abort probe when not necessary Greg Kroah-Hartman
@ 2026-05-30 16:02 ` Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 604/969] mtd: spi-nor: core: correct the op.dummy.nbytes when check read operations Greg Kroah-Hartman
` (372 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen Ni, Linus Walleij,
Miquel Raynal, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Ni <nichen@iscas.ac.cn>
[ Upstream commit b7c0982184b0661f5b1b805f3a56f1bd3757b63e ]
The condition for checking the disabled pinctrl state incorrectly checks
gf->enabled_state instead of gf->disabled_state. This causes misleading
error messages and could lead to incorrect behavior when only one of the
pinctrl states is defined.
Fix the condition to properly check gf->disabled_state.
Fixes: 9d3b5086f6d4 ("mtd: physmap_of_gemini: Handle pin control")
Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
Reviewed-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/maps/physmap-gemini.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mtd/maps/physmap-gemini.c b/drivers/mtd/maps/physmap-gemini.c
index d4a46e159d38f..8d5b791dd08d4 100644
--- a/drivers/mtd/maps/physmap-gemini.c
+++ b/drivers/mtd/maps/physmap-gemini.c
@@ -181,7 +181,7 @@ int of_flash_probe_gemini(struct platform_device *pdev,
dev_err(dev, "no enabled pin control state\n");
gf->disabled_state = pinctrl_lookup_state(gf->p, "disabled");
- if (IS_ERR(gf->enabled_state)) {
+ if (IS_ERR(gf->disabled_state)) {
dev_err(dev, "no disabled pin control state\n");
} else {
ret = pinctrl_select_state(gf->p, gf->disabled_state);
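Review bot: after the corrected `IS_ERR(gf->disabled_state)` check the failure case still only logs with dev_err() and carries on, leaving an ERR_PTR stored in gf->disabled_state; the context line above shows the same log-only handling for the enabled state. Any later pinctrl_select_state() call on these fields needs its own IS_ERR() guard, or the lookup failure should clear the field or fail probe. The commit message mentions "incorrect behavior when only one of the pinctrl states is defined" without saying which path is affected.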
--
2.53.0
* [PATCH 6.1 604/969] mtd: spi-nor: core: correct the op.dummy.nbytes when check read operations
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (602 preceding siblings ...)
2026-05-30 16:02 ` [PATCH 6.1 603/969] mtd: physmap_of_gemini: Fix disabled pinctrl state check Greg Kroah-Hartman
@ 2026-05-30 16:02 ` Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 605/969] mtd: spi-nor: spansion: Rename s28hs512t prefix Greg Kroah-Hartman
` (371 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haibo Chen, Pratyush Yadav,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haibo Chen <haibo.chen@nxp.com>
[ Upstream commit 756564a536ecd8c9d33edd89f0647a91a0b03587 ]
When checking a read operation, op.dummy.nbytes needs to be set based
on the current read operation rather than nor->read_proto.
Fixes: 0e30f47232ab ("mtd: spi-nor: add support for DTR protocol")
Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
Signed-off-by: Pratyush Yadav (Google) <pratyush@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/spi-nor/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mtd/spi-nor/core.c b/drivers/mtd/spi-nor/core.c
index 91622d9c9b032..3f38d67e1a336 100644
--- a/drivers/mtd/spi-nor/core.c
+++ b/drivers/mtd/spi-nor/core.c
@@ -2061,7 +2061,7 @@ static int spi_nor_spimem_check_readop(struct spi_nor *nor,
/* convert the dummy cycles to the number of bytes */
op.dummy.nbytes = (read->num_mode_clocks + read->num_wait_states) *
op.dummy.buswidth / 8;
- if (spi_nor_protocol_is_dtr(nor->read_proto))
+ if (spi_nor_protocol_is_dtr(read->proto))
op.dummy.nbytes *= 2;
return spi_nor_spimem_check_op(nor, &op);
--
2.53.0
* [PATCH 6.1 605/969] mtd: spi-nor: spansion: Rename s28hs512t prefix
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (603 preceding siblings ...)
2026-05-30 16:02 ` [PATCH 6.1 604/969] mtd: spi-nor: core: correct the op.dummy.nbytes when check read operations Greg Kroah-Hartman
@ 2026-05-30 16:02 ` Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 606/969] mtd: spi-nor: spansion: Replace hardcoded values for addr_nbytes/addr_mode_nbytes Greg Kroah-Hartman
` (370 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Takahiro Kuwano, Tudor Ambarus,
Michael Walle, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
[ Upstream commit 06051322704bf38cbd721e14bdbd6e43c8e6d7e1 ]
Change prefix to support all other devices in SEMPER S28 family.
Signed-off-by: Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Reviewed-by: Michael Walle <michael@walle.cc>
Link: https://lore.kernel.org/r/8cf6bc9bffd50e486867c0817de1fa56c5d308ec.1661915569.git.Takahiro.Kuwano@infineon.com
Stable-dep-of: 3620d67b4849 ("mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/spi-nor/spansion.c | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/drivers/mtd/spi-nor/spansion.c b/drivers/mtd/spi-nor/spansion.c
index 7e7c68fc7776d..0109fccca7ea2 100644
--- a/drivers/mtd/spi-nor/spansion.c
+++ b/drivers/mtd/spi-nor/spansion.c
@@ -288,7 +288,7 @@ static int cypress_nor_octal_dtr_enable(struct spi_nor *nor, bool enable)
cypress_nor_octal_dtr_dis(nor);
}
-static void s28hs512t_post_sfdp_fixup(struct spi_nor *nor)
+static void s28hx_t_post_sfdp_fixup(struct spi_nor *nor)
{
/*
* On older versions of the flash the xSPI Profile 1.0 table has the
@@ -316,23 +316,23 @@ static void s28hs512t_post_sfdp_fixup(struct spi_nor *nor)
nor->params->rdsr_addr_nbytes = 4;
}
-static int s28hs512t_post_bfpt_fixup(struct spi_nor *nor,
- const struct sfdp_parameter_header *bfpt_header,
- const struct sfdp_bfpt *bfpt)
+static int s28hx_t_post_bfpt_fixup(struct spi_nor *nor,
+ const struct sfdp_parameter_header *bfpt_header,
+ const struct sfdp_bfpt *bfpt)
{
return cypress_nor_set_page_size(nor);
}
-static void s28hs512t_late_init(struct spi_nor *nor)
+static void s28hx_t_late_init(struct spi_nor *nor)
{
nor->params->octal_dtr_enable = cypress_nor_octal_dtr_enable;
cypress_nor_ecc_init(nor);
}
-static const struct spi_nor_fixups s28hs512t_fixups = {
- .post_sfdp = s28hs512t_post_sfdp_fixup,
- .post_bfpt = s28hs512t_post_bfpt_fixup,
- .late_init = s28hs512t_late_init,
+static const struct spi_nor_fixups s28hx_t_fixups = {
+ .post_sfdp = s28hx_t_post_sfdp_fixup,
+ .post_bfpt = s28hx_t_post_bfpt_fixup,
+ .late_init = s28hx_t_late_init,
};
static int
@@ -468,7 +468,7 @@ static const struct flash_info spansion_nor_parts[] = {
FLAGS(SPI_NOR_NO_ERASE) },
{ "s28hs512t", INFO(0x345b1a, 0, 256 * 1024, 256)
PARSE_SFDP
- .fixups = &s28hs512t_fixups,
+ .fixups = &s28hx_t_fixups,
},
};
--
2.53.0
* [PATCH 6.1 606/969] mtd: spi-nor: spansion: Replace hardcoded values for addr_nbytes/addr_mode_nbytes
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (604 preceding siblings ...)
2026-05-30 16:02 ` [PATCH 6.1 605/969] mtd: spi-nor: spansion: Rename s28hs512t prefix Greg Kroah-Hartman
@ 2026-05-30 16:02 ` Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 607/969] mtd: spi-nor: spansion: Make RD_ANY_REG_OP macro take number of dummy bytes Greg Kroah-Hartman
` (369 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tudor Ambarus, Takahiro Kuwano,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tudor Ambarus <tudor.ambarus@microchip.com>
[ Upstream commit 05ebc1ccb8affcbaaa9f8b8fe56839cbfc9b9144 ]
We track in the core the internal address mode of the flash. Stop using
hardcoded values for the number of bytes of address and use
nor->addr_nbytes and nor->params->addr_mode_nbytes instead.
Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Tested-by: Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
Link: https://lore.kernel.org/r/20220728041451.85559-2-tudor.ambarus@microchip.com
Stable-dep-of: 3620d67b4849 ("mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/spi-nor/spansion.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/drivers/mtd/spi-nor/spansion.c b/drivers/mtd/spi-nor/spansion.c
index 0109fccca7ea2..faa8a49545be7 100644
--- a/drivers/mtd/spi-nor/spansion.c
+++ b/drivers/mtd/spi-nor/spansion.c
@@ -54,11 +54,13 @@ static int cypress_nor_octal_dtr_en(struct spi_nor *nor)
struct spi_mem_op op;
u8 *buf = nor->bouncebuf;
int ret;
+ u8 addr_mode_nbytes = nor->params->addr_mode_nbytes;
/* Use 24 dummy cycles for memory array reads. */
*buf = SPINOR_REG_CYPRESS_CFR2V_MEMLAT_11_24;
op = (struct spi_mem_op)
- CYPRESS_NOR_WR_ANY_REG_OP(3, SPINOR_REG_CYPRESS_CFR2V, 1, buf);
+ CYPRESS_NOR_WR_ANY_REG_OP(addr_mode_nbytes,
+ SPINOR_REG_CYPRESS_CFR2V, 1, buf);
ret = spi_nor_write_any_volatile_reg(nor, &op, nor->reg_proto);
if (ret)
@@ -69,14 +71,16 @@ static int cypress_nor_octal_dtr_en(struct spi_nor *nor)
/* Set the octal and DTR enable bits. */
buf[0] = SPINOR_REG_CYPRESS_CFR5V_OCT_DTR_EN;
op = (struct spi_mem_op)
- CYPRESS_NOR_WR_ANY_REG_OP(3, SPINOR_REG_CYPRESS_CFR5V, 1, buf);
+ CYPRESS_NOR_WR_ANY_REG_OP(addr_mode_nbytes,
+ SPINOR_REG_CYPRESS_CFR5V, 1, buf);
ret = spi_nor_write_any_volatile_reg(nor, &op, nor->reg_proto);
if (ret)
return ret;
/* Read flash ID to make sure the switch was successful. */
- ret = spi_nor_read_id(nor, 4, 3, buf, SNOR_PROTO_8_8_8_DTR);
+ ret = spi_nor_read_id(nor, nor->addr_nbytes, 3, buf,
+ SNOR_PROTO_8_8_8_DTR);
if (ret) {
dev_dbg(nor->dev, "error %d reading JEDEC ID after enabling 8D-8D-8D mode\n", ret);
return ret;
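Review bot: the read-ID check after enabling octal DTR used a fixed 4 address bytes and now passes `nor->addr_nbytes`, while the register writes before it moved from 3 to `nor->params->addr_mode_nbytes`. The commit message does not say where nor->addr_nbytes is guaranteed to be 4 by the time cypress_nor_octal_dtr_en() runs; if it can still hold a 3-byte value here, the ID read in 8D-8D-8D mode is issued with a different address width than before and the mode switch would be reported as failed. A short comment at the call naming the expected value, or a sentence in the changelog, would make the equivalence with the old constants checkable.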
@@ -102,7 +106,8 @@ static int cypress_nor_octal_dtr_dis(struct spi_nor *nor)
buf[0] = SPINOR_REG_CYPRESS_CFR5V_OCT_DTR_DS;
buf[1] = 0;
op = (struct spi_mem_op)
- CYPRESS_NOR_WR_ANY_REG_OP(4, SPINOR_REG_CYPRESS_CFR5V, 2, buf);
+ CYPRESS_NOR_WR_ANY_REG_OP(nor->addr_nbytes,
+ SPINOR_REG_CYPRESS_CFR5V, 2, buf);
ret = spi_nor_write_any_volatile_reg(nor, &op, SNOR_PROTO_8_8_8_DTR);
if (ret)
return ret;
@@ -196,7 +201,8 @@ static int cypress_nor_quad_enable_volatile(struct spi_nor *nor)
static int cypress_nor_set_page_size(struct spi_nor *nor)
{
struct spi_mem_op op =
- CYPRESS_NOR_RD_ANY_REG_OP(3, SPINOR_REG_CYPRESS_CFR3V,
+ CYPRESS_NOR_RD_ANY_REG_OP(nor->params->addr_mode_nbytes,
+ SPINOR_REG_CYPRESS_CFR3V,
nor->bouncebuf);
int ret;
--
2.53.0
* [PATCH 6.1 607/969] mtd: spi-nor: spansion: Make RD_ANY_REG_OP macro take number of dummy bytes
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (605 preceding siblings ...)
2026-05-30 16:02 ` [PATCH 6.1 606/969] mtd: spi-nor: spansion: Replace hardcoded values for addr_nbytes/addr_mode_nbytes Greg Kroah-Hartman
@ 2026-05-30 16:02 ` Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 608/969] mtd: spi-nor: spansion: Add support for Infineon S25FS256T Greg Kroah-Hartman
` (368 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tudor Ambarus, Takahiro Kuwano,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
[ Upstream commit d628783c46d3c317deb0671ceb986be358fbaf69 ]
Currently Read Any Register op is used to read volatile registers without
any dummy cycles, but the op requires dummy cycles depending on register
type (volatile or non-volatile), device family, and device configuration.
Add 'ndummy' argument to RD_ANY_REG_OP macro to support other use cases.
Suggested-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Signed-off-by: Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
Link: https://lore.kernel.org/r/03756e9e3ac41d2016a71d2afb702398dd0b19ed.1677557525.git.Takahiro.Kuwano@infineon.com
Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Stable-dep-of: 3620d67b4849 ("mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/spi-nor/spansion.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/mtd/spi-nor/spansion.c b/drivers/mtd/spi-nor/spansion.c
index faa8a49545be7..3ae59c7822039 100644
--- a/drivers/mtd/spi-nor/spansion.c
+++ b/drivers/mtd/spi-nor/spansion.c
@@ -37,10 +37,10 @@
SPI_MEM_OP_NO_DUMMY, \
SPI_MEM_OP_DATA_OUT(ndata, buf, 0))
-#define CYPRESS_NOR_RD_ANY_REG_OP(naddr, addr, buf) \
+#define CYPRESS_NOR_RD_ANY_REG_OP(naddr, addr, ndummy, buf) \
SPI_MEM_OP(SPI_MEM_OP_CMD(SPINOR_OP_RD_ANY_REG, 0), \
SPI_MEM_OP_ADDR(naddr, addr, 0), \
- SPI_MEM_OP_NO_DUMMY, \
+ SPI_MEM_OP_DUMMY(ndummy, 0), \
SPI_MEM_OP_DATA_IN(1, buf, 0))
#define SPANSION_CLSR_OP \
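Review bot: the new `ndummy` parameter of CYPRESS_NOR_RD_ANY_REG_OP is handed to SPI_MEM_OP_DUMMY() as a byte count, and the subject says "number of dummy bytes", but the commit message reasons in dummy cycles. Please document the unit next to the macro so that later callers do not pass a cycle count; a one-line comment above the #define is enough. All three converted call sites in this patch pass 0, so the ops they build should match what SPI_MEM_OP_NO_DUMMY produced.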
@@ -148,7 +148,7 @@ static int cypress_nor_quad_enable_volatile(struct spi_nor *nor)
op = (struct spi_mem_op)
CYPRESS_NOR_RD_ANY_REG_OP(addr_mode_nbytes,
- SPINOR_REG_CYPRESS_CFR1V,
+ SPINOR_REG_CYPRESS_CFR1V, 0,
nor->bouncebuf);
ret = spi_nor_read_any_reg(nor, &op, nor->reg_proto);
@@ -173,7 +173,7 @@ static int cypress_nor_quad_enable_volatile(struct spi_nor *nor)
/* Read back and check it. */
op = (struct spi_mem_op)
CYPRESS_NOR_RD_ANY_REG_OP(addr_mode_nbytes,
- SPINOR_REG_CYPRESS_CFR1V,
+ SPINOR_REG_CYPRESS_CFR1V, 0,
nor->bouncebuf);
ret = spi_nor_read_any_reg(nor, &op, nor->reg_proto);
if (ret)
@@ -202,7 +202,7 @@ static int cypress_nor_set_page_size(struct spi_nor *nor)
{
struct spi_mem_op op =
CYPRESS_NOR_RD_ANY_REG_OP(nor->params->addr_mode_nbytes,
- SPINOR_REG_CYPRESS_CFR3V,
+ SPINOR_REG_CYPRESS_CFR3V, 0,
nor->bouncebuf);
int ret;
--
2.53.0
* [PATCH 6.1 608/969] mtd: spi-nor: spansion: Add support for Infineon S25FS256T
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (606 preceding siblings ...)
2026-05-30 16:02 ` [PATCH 6.1 607/969] mtd: spi-nor: spansion: Make RD_ANY_REG_OP macro take number of dummy bytes Greg Kroah-Hartman
@ 2026-05-30 16:02 ` Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 609/969] mtd: spi-nor: Allow post_sfdp hook to return errors Greg Kroah-Hartman
` (367 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Takahiro Kuwano, Tudor Ambarus,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
[ Upstream commit 6afcc84080c415df81765c6d773edcba8fc30f6c ]
Infineon S25FS256T is 256Mbit Quad SPI NOR flash. The key features and
differences compared to other Spansion/Cypress flash families are:
- 4-byte address mode by factory default
- Quad mode is enabled by factory default
- OP_READ_FAST_4B(0Ch) is not supported
- Supports mixture of 128KB and 64KB sectors by OTP configuration
(this patch supports uniform 128KB only due to complexity of
non-uniform layout)
Tested on Xilinx Zynq-7000 FPGA board.
Link: https://www.infineon.com/dgdlac/Infineon-S25FS256T_256Mb_SEMPER_Nano_Flash_Quad_SPI_1.8V-DataSheet-v12_00-EN.pdf?fileId=8ac78c8c80027ecd0180740c5a46707a
Signed-off-by: Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
Link: https://lore.kernel.org/r/097ef04484966593ba1326d0a99462753d7d1073.1677557525.git.Takahiro.Kuwano@infineon.com
Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Stable-dep-of: 3620d67b4849 ("mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/spi-nor/spansion.c | 60 ++++++++++++++++++++++++++++++++++
1 file changed, 60 insertions(+)
diff --git a/drivers/mtd/spi-nor/spansion.c b/drivers/mtd/spi-nor/spansion.c
index 3ae59c7822039..5914a6074a11e 100644
--- a/drivers/mtd/spi-nor/spansion.c
+++ b/drivers/mtd/spi-nor/spansion.c
@@ -29,6 +29,7 @@
SPINOR_REG_CYPRESS_CFR5_OPI)
#define SPINOR_REG_CYPRESS_CFR5V_OCT_DTR_DS SPINOR_REG_CYPRESS_CFR5_BIT6
#define SPINOR_OP_CYPRESS_RD_FAST 0xee
+#define SPINOR_REG_CYPRESS_ARCFN 0x00000006
/* Cypress SPI NOR flash operations. */
#define CYPRESS_NOR_WR_ANY_REG_OP(naddr, addr, ndata, buf) \
@@ -229,6 +230,62 @@ static void cypress_nor_ecc_init(struct spi_nor *nor)
nor->flags |= SNOR_F_ECC;
}
+static int
+s25fs256t_post_bfpt_fixup(struct spi_nor *nor,
+ const struct sfdp_parameter_header *bfpt_header,
+ const struct sfdp_bfpt *bfpt)
+{
+ struct spi_mem_op op;
+ int ret;
+
+ /* 4-byte address mode is enabled by default */
+ nor->params->addr_nbytes = 4;
+ nor->params->addr_mode_nbytes = 4;
+
+ /* Read Architecture Configuration Register (ARCFN) */
+ op = (struct spi_mem_op)
+ CYPRESS_NOR_RD_ANY_REG_OP(nor->params->addr_mode_nbytes,
+ SPINOR_REG_CYPRESS_ARCFN, 1,
+ nor->bouncebuf);
+ ret = spi_nor_read_any_reg(nor, &op, nor->reg_proto);
+ if (ret)
+ return ret;
+
+ /* ARCFN value must be 0 if uniform sector is selected */
+ if (nor->bouncebuf[0])
+ return -ENODEV;
+
+ return cypress_nor_set_page_size(nor);
+}
+
+static void s25fs256t_post_sfdp_fixup(struct spi_nor *nor)
+{
+ struct spi_nor_flash_parameter *params = nor->params;
+
+ /* PP_1_1_4_4B is supported but missing in 4BAIT. */
+ params->hwcaps.mask |= SNOR_HWCAPS_PP_1_1_4;
+ spi_nor_set_pp_settings(¶ms->page_programs[SNOR_CMD_PP_1_1_4],
+ SPINOR_OP_PP_1_1_4_4B,
+ SNOR_PROTO_1_1_4);
+}
+
+static void s25fs256t_late_init(struct spi_nor *nor)
+{
+ /*
+ * Programming is supported only in 16-byte ECC data unit granularity.
+ * Byte-programming, bit-walking, or multiple program operations to the
+ * same ECC data unit without an erase are not allowed. See chapter
+ * 5.3.1 and 5.6 in the datasheet.
+ */
+ nor->params->writesize = 16;
+}
+
+static struct spi_nor_fixups s25fs256t_fixups = {
+ .post_bfpt = s25fs256t_post_bfpt_fixup,
+ .post_sfdp = s25fs256t_post_sfdp_fixup,
+ .late_init = s25fs256t_late_init,
+};
+
static int
s25hx_t_post_bfpt_fixup(struct spi_nor *nor,
const struct sfdp_parameter_header *bfpt_header,
@@ -454,6 +511,9 @@ static const struct flash_info spansion_nor_parts[] = {
{ "s25fl256l", INFO(0x016019, 0, 64 * 1024, 512)
NO_SFDP_FLAGS(SECT_4K | SPI_NOR_DUAL_READ | SPI_NOR_QUAD_READ)
FIXUP_FLAGS(SPI_NOR_4B_OPCODES) },
+ { "s25fs256t", INFO6(0x342b19, 0x0f0890, 0, 0)
+ PARSE_SFDP
+ .fixups = &s25fs256t_fixups },
{ "s25hl512t", INFO6(0x342a1a, 0x0f0390, 256 * 1024, 256)
PARSE_SFDP
MFR_FLAGS(USE_CLSR)
--
2.53.0
* [PATCH 6.1 609/969] mtd: spi-nor: Allow post_sfdp hook to return errors
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (607 preceding siblings ...)
2026-05-30 16:02 ` [PATCH 6.1 608/969] mtd: spi-nor: spansion: Add support for Infineon S25FS256T Greg Kroah-Hartman
@ 2026-05-30 16:02 ` Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 610/969] mtd: spi-nor: sfdp: introduce smpt_read_dummy fixup hook Greg Kroah-Hartman
` (366 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tudor Ambarus, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tudor Ambarus <tudor.ambarus@linaro.org>
[ Upstream commit e570f7872a34dc290014c80c7bad365d6577836b ]
Multi die flashes like s25hl02gt need to determine the page_size at
run-time by querying a configuration register for each die. Since the
number of dice is determined in an optional SFDP table, SCCR MC, the
page size configuration must be done in the post_sfdp hook. Allow
post_sfdp to return errors, as reading the configuration register might
return errors.
Link: https://lore.kernel.org/r/924ab710f128448ec62537cfbb377336e390043c.1680849425.git.Takahiro.Kuwano@infineon.com
Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Stable-dep-of: 3620d67b4849 ("mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/spi-nor/core.h | 2 +-
drivers/mtd/spi-nor/micron-st.c | 4 +++-
drivers/mtd/spi-nor/sfdp.c | 17 ++++++++++++-----
drivers/mtd/spi-nor/spansion.c | 12 +++++++++---
4 files changed, 25 insertions(+), 10 deletions(-)
diff --git a/drivers/mtd/spi-nor/core.h b/drivers/mtd/spi-nor/core.h
index 290613fd63ae7..cc70a2092494c 100644
--- a/drivers/mtd/spi-nor/core.h
+++ b/drivers/mtd/spi-nor/core.h
@@ -424,7 +424,7 @@ struct spi_nor_fixups {
int (*post_bfpt)(struct spi_nor *nor,
const struct sfdp_parameter_header *bfpt_header,
const struct sfdp_bfpt *bfpt);
- void (*post_sfdp)(struct spi_nor *nor);
+ int (*post_sfdp)(struct spi_nor *nor);
void (*late_init)(struct spi_nor *nor);
};
diff --git a/drivers/mtd/spi-nor/micron-st.c b/drivers/mtd/spi-nor/micron-st.c
index 3c9681a3f7a33..f8f6e14452d58 100644
--- a/drivers/mtd/spi-nor/micron-st.c
+++ b/drivers/mtd/spi-nor/micron-st.c
@@ -127,7 +127,7 @@ static void mt35xu512aba_default_init(struct spi_nor *nor)
nor->params->octal_dtr_enable = micron_st_nor_octal_dtr_enable;
}
-static void mt35xu512aba_post_sfdp_fixup(struct spi_nor *nor)
+static int mt35xu512aba_post_sfdp_fixup(struct spi_nor *nor)
{
/* Set the Fast Read settings. */
nor->params->hwcaps.mask |= SNOR_HWCAPS_READ_8_8_8_DTR;
@@ -145,6 +145,8 @@ static void mt35xu512aba_post_sfdp_fixup(struct spi_nor *nor)
* disable it.
*/
nor->params->quad_enable = NULL;
+
+ return 0;
}
static const struct spi_nor_fixups mt35xu512aba_fixups = {
diff --git a/drivers/mtd/spi-nor/sfdp.c b/drivers/mtd/spi-nor/sfdp.c
index 78110387be0b5..6f47982105bd9 100644
--- a/drivers/mtd/spi-nor/sfdp.c
+++ b/drivers/mtd/spi-nor/sfdp.c
@@ -1239,14 +1239,21 @@ static int spi_nor_parse_sccr(struct spi_nor *nor,
* Used to tweak various flash parameters when information provided by the SFDP
* tables are wrong.
*/
-static void spi_nor_post_sfdp_fixups(struct spi_nor *nor)
+static int spi_nor_post_sfdp_fixups(struct spi_nor *nor)
{
+ int ret;
+
if (nor->manufacturer && nor->manufacturer->fixups &&
- nor->manufacturer->fixups->post_sfdp)
- nor->manufacturer->fixups->post_sfdp(nor);
+ nor->manufacturer->fixups->post_sfdp) {
+ ret = nor->manufacturer->fixups->post_sfdp(nor);
+ if (ret)
+ return ret;
+ }
if (nor->info->fixups && nor->info->fixups->post_sfdp)
- nor->info->fixups->post_sfdp(nor);
+ return nor->info->fixups->post_sfdp(nor);
+
+ return 0;
}
/**
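Review bot: a non-zero return from the manufacturer-level hook now skips nor->info->fixups->post_sfdp entirely, and the function comment above ("Used to tweak various flash parameters ...") says nothing about that ordering or about the return value. Suggest documenting that the manufacturer hook runs first, that its error short-circuits the per-flash hook, and adding a Return: line to the comment.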
@@ -1429,7 +1436,7 @@ int spi_nor_parse_sfdp(struct spi_nor *nor)
}
}
- spi_nor_post_sfdp_fixups(nor);
+ err = spi_nor_post_sfdp_fixups(nor);
exit:
kfree(param_headers);
return err;
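Review bot: `err = spi_nor_post_sfdp_fixups(nor);` assigns unconditionally right before the exit label, so whatever value err held when the preceding block finished is replaced by the fixup result. If err is guaranteed to be 0 at this point, a short comment saying so would stop a later reader from second-guessing it; if it is not, this should be guarded with `if (!err)` so an earlier failure is not masked by a successful fixup.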
diff --git a/drivers/mtd/spi-nor/spansion.c b/drivers/mtd/spi-nor/spansion.c
index 5914a6074a11e..af97e3741f987 100644
--- a/drivers/mtd/spi-nor/spansion.c
+++ b/drivers/mtd/spi-nor/spansion.c
@@ -258,7 +258,7 @@ s25fs256t_post_bfpt_fixup(struct spi_nor *nor,
return cypress_nor_set_page_size(nor);
}
-static void s25fs256t_post_sfdp_fixup(struct spi_nor *nor)
+static int s25fs256t_post_sfdp_fixup(struct spi_nor *nor)
{
struct spi_nor_flash_parameter *params = nor->params;
@@ -267,6 +267,8 @@ static void s25fs256t_post_sfdp_fixup(struct spi_nor *nor)
spi_nor_set_pp_settings(¶ms->page_programs[SNOR_CMD_PP_1_1_4],
SPINOR_OP_PP_1_1_4_4B,
SNOR_PROTO_1_1_4);
+
+ return 0;
}
static void s25fs256t_late_init(struct spi_nor *nor)
@@ -297,7 +299,7 @@ s25hx_t_post_bfpt_fixup(struct spi_nor *nor,
return cypress_nor_set_page_size(nor);
}
-static void s25hx_t_post_sfdp_fixup(struct spi_nor *nor)
+static int s25hx_t_post_sfdp_fixup(struct spi_nor *nor)
{
struct spi_nor_erase_type *erase_type =
nor->params->erase_map.erase_type;
@@ -319,6 +321,8 @@ static void s25hx_t_post_sfdp_fixup(struct spi_nor *nor)
break;
}
}
+
+ return 0;
}
static void s25hx_t_late_init(struct spi_nor *nor)
@@ -351,7 +355,7 @@ static int cypress_nor_octal_dtr_enable(struct spi_nor *nor, bool enable)
cypress_nor_octal_dtr_dis(nor);
}
-static void s28hx_t_post_sfdp_fixup(struct spi_nor *nor)
+static int s28hx_t_post_sfdp_fixup(struct spi_nor *nor)
{
/*
* On older versions of the flash the xSPI Profile 1.0 table has the
@@ -377,6 +381,8 @@ static void s28hx_t_post_sfdp_fixup(struct spi_nor *nor)
* actual value for that is 4.
*/
nor->params->rdsr_addr_nbytes = 4;
+
+ return 0;
}
static int s28hx_t_post_bfpt_fixup(struct spi_nor *nor,
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 610/969] mtd: spi-nor: sfdp: introduce smpt_read_dummy fixup hook
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (608 preceding siblings ...)
2026-05-30 16:02 ` [PATCH 6.1 609/969] mtd: spi-nor: Allow post_sfdp hook to return errors Greg Kroah-Hartman
@ 2026-05-30 16:02 ` Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 611/969] mtd: spi-nor: sfdp: introduce smpt_map_id " Greg Kroah-Hartman
` (365 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tudor Ambarus, Takahiro Kuwano,
Pratyush Yadav, Sasha Levin, Marek Vasut
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
[ Upstream commit 653f6def567c81f37302f9591ffd54df3e2a11eb ]
SMPT contains config detection info that describes opcode, address, and
dummy cycles to read sector map config. The dummy cycles parameter can
be SMPT_CMD_READ_DUMMY_IS_VARIABLE and in that case nor->read_dummy
(initialized as 0) is used. In Infineon flash chips, Read Any Register
command with variable dummy cycle is defined in SMPT. S25Hx/S28Hx flash
has 0 dummy cycle by default to read volatile registers and
nor->read_dummy can work. S25FS-S flash has 8 dummy cycles so we need a
hook that can fix dummy cycles with actually used value.
Introduce smpt_read_dummy() in struct spi_nor_fixups. It is called when
the dummy cycle field in SMPT config detection is 'variable'.
Reviewed-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Tested-by: Marek Vasut <marek.vasut+renesas@mailbox.org> # S25FS512S
Signed-off-by: Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
Signed-off-by: Pratyush Yadav <pratyush@kernel.org>
Stable-dep-of: 3620d67b4849 ("mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/spi-nor/core.h | 3 +++
drivers/mtd/spi-nor/sfdp.c | 18 ++++++++++++++++--
2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/drivers/mtd/spi-nor/core.h b/drivers/mtd/spi-nor/core.h
index cc70a2092494c..4aac34f06c7bb 100644
--- a/drivers/mtd/spi-nor/core.h
+++ b/drivers/mtd/spi-nor/core.h
@@ -407,6 +407,8 @@ struct spi_nor_flash_parameter {
* flash parameters when information provided by the flash_info
* table is incomplete or wrong.
* @post_bfpt: called after the BFPT table has been parsed
+ * @smpt_read_dummy: called during SMPT table is being parsed. Used to fix the
+ * number of dummy cycles in read register ops.
* @post_sfdp: called after SFDP has been parsed (is also called for SPI NORs
* that do not support RDSFDP). Typically used to tweak various
* parameters that could not be extracted by other means (i.e.
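Review bot: the new kernel-doc line "called during SMPT table is being parsed" is ungrammatical and does not say when the hook fires. Suggest "called while the SMPT table is being parsed, when the dummy-cycle field is SMPT_CMD_READ_DUMMY_IS_VARIABLE", which matches the call site added in sfdp.c.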
@@ -424,6 +426,7 @@ struct spi_nor_fixups {
int (*post_bfpt)(struct spi_nor *nor,
const struct sfdp_parameter_header *bfpt_header,
const struct sfdp_bfpt *bfpt);
+ void (*smpt_read_dummy)(const struct spi_nor *nor, u8 *read_dummy);
int (*post_sfdp)(struct spi_nor *nor);
void (*late_init)(struct spi_nor *nor);
};
diff --git a/drivers/mtd/spi-nor/sfdp.c b/drivers/mtd/spi-nor/sfdp.c
index 6f47982105bd9..66c233db20e8e 100644
--- a/drivers/mtd/spi-nor/sfdp.c
+++ b/drivers/mtd/spi-nor/sfdp.c
@@ -659,6 +659,17 @@ static u8 spi_nor_smpt_addr_nbytes(const struct spi_nor *nor, const u32 settings
}
}
+static void spi_nor_smpt_read_dummy_fixups(const struct spi_nor *nor,
+ u8 *read_dummy)
+{
+ if (nor->manufacturer && nor->manufacturer->fixups &&
+ nor->manufacturer->fixups->smpt_read_dummy)
+ nor->manufacturer->fixups->smpt_read_dummy(nor, read_dummy);
+
+ if (nor->info->fixups && nor->info->fixups->smpt_read_dummy)
+ nor->info->fixups->smpt_read_dummy(nor, read_dummy);
+}
+
/**
* spi_nor_smpt_read_dummy() - return the configuration detection command read
* latency, in clock cycles.
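Review bot: spi_nor_smpt_read_dummy_fixups() calls the manufacturer hook and then the per-flash hook on the same *read_dummy, so when both are set the per-flash value silently wins. That precedence is not documented on the helper or in the @smpt_read_dummy kernel-doc; a one-line comment above the helper stating the order would be enough.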
@@ -671,8 +682,11 @@ static u8 spi_nor_smpt_read_dummy(const struct spi_nor *nor, const u32 settings)
{
u8 read_dummy = SMPT_CMD_READ_DUMMY(settings);
- if (read_dummy == SMPT_CMD_READ_DUMMY_IS_VARIABLE)
- return nor->read_dummy;
+ if (read_dummy == SMPT_CMD_READ_DUMMY_IS_VARIABLE) {
+ read_dummy = nor->read_dummy;
+ spi_nor_smpt_read_dummy_fixups(nor, &read_dummy);
+ }
+
return read_dummy;
}
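Review bot: in the SMPT_CMD_READ_DUMMY_IS_VARIABLE branch the value a hook writes into read_dummy is returned as is, and because smpt_read_dummy() returns void and takes a const nor, a fixup has no way to report that it could not determine the cycle count. Suggest stating in the kernel-doc that a hook must leave *read_dummy untouched when it does not apply, and extending the spi_nor_smpt_read_dummy() comment to mention that fixups may override nor->read_dummy.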
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 611/969] mtd: spi-nor: sfdp: introduce smpt_map_id fixup hook
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (609 preceding siblings ...)
2026-05-30 16:02 ` [PATCH 6.1 610/969] mtd: spi-nor: sfdp: introduce smpt_read_dummy fixup hook Greg Kroah-Hartman
@ 2026-05-30 16:02 ` Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 612/969] mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation Greg Kroah-Hartman
` (364 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Vasut, Tudor Ambarus,
Takahiro Kuwano, Pratyush Yadav, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
[ Upstream commit f74de390557bf2bcc5dca4a357b41c0701d3f76e ]
Certain chips have inconsistent Sector Map Parameter Table (SMPT) data,
which leads to the wrong map ID being identified, causing failures to
detect the correct sector map.
To fix this, introduce smpt_map_id() into the struct spi_nor_fixups.
This function will be called after the initial SMPT-based detection,
allowing chip-specific logic to correct the map ID.
Infineon S25FS512S needs this fixup as it has inconsistency between map
ID definition and configuration register value actually obtained.
Co-developed-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
Reviewed-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Tested-by: Marek Vasut <marek.vasut+renesas@mailbox.org> # S25FS512S
Signed-off-by: Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
Reviewed-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Signed-off-by: Pratyush Yadav <pratyush@kernel.org>
Stable-dep-of: 3620d67b4849 ("mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/spi-nor/core.h | 3 +++
drivers/mtd/spi-nor/sfdp.c | 12 ++++++++++++
2 files changed, 15 insertions(+)
diff --git a/drivers/mtd/spi-nor/core.h b/drivers/mtd/spi-nor/core.h
index 4aac34f06c7bb..1bf6bad5942d6 100644
--- a/drivers/mtd/spi-nor/core.h
+++ b/drivers/mtd/spi-nor/core.h
@@ -409,6 +409,8 @@ struct spi_nor_flash_parameter {
* @post_bfpt: called after the BFPT table has been parsed
* @smpt_read_dummy: called during SMPT table is being parsed. Used to fix the
* number of dummy cycles in read register ops.
+ * @smpt_map_id: called after map ID in SMPT table has been determined for the
+ * case the map ID is wrong and needs to be fixed.
* @post_sfdp: called after SFDP has been parsed (is also called for SPI NORs
* that do not support RDSFDP). Typically used to tweak various
* parameters that could not be extracted by other means (i.e.
@@ -427,6 +429,7 @@ struct spi_nor_fixups {
const struct sfdp_parameter_header *bfpt_header,
const struct sfdp_bfpt *bfpt);
void (*smpt_read_dummy)(const struct spi_nor *nor, u8 *read_dummy);
+ void (*smpt_map_id)(const struct spi_nor *nor, u8 *map_id);
int (*post_sfdp)(struct spi_nor *nor);
void (*late_init)(struct spi_nor *nor);
};
diff --git a/drivers/mtd/spi-nor/sfdp.c b/drivers/mtd/spi-nor/sfdp.c
index 66c233db20e8e..f738f6d5219a9 100644
--- a/drivers/mtd/spi-nor/sfdp.c
+++ b/drivers/mtd/spi-nor/sfdp.c
@@ -690,6 +690,16 @@ static u8 spi_nor_smpt_read_dummy(const struct spi_nor *nor, const u32 settings)
return read_dummy;
}
+static void spi_nor_smpt_map_id_fixups(const struct spi_nor *nor, u8 *map_id)
+{
+ if (nor->manufacturer && nor->manufacturer->fixups &&
+ nor->manufacturer->fixups->smpt_map_id)
+ nor->manufacturer->fixups->smpt_map_id(nor, map_id);
+
+ if (nor->info->fixups && nor->info->fixups->smpt_map_id)
+ nor->info->fixups->smpt_map_id(nor, map_id);
+}
+
/**
* spi_nor_get_map_in_use() - get the configuration map in use
* @nor: pointer to a 'struct spi_nor'
@@ -743,6 +753,8 @@ static const u32 *spi_nor_get_map_in_use(struct spi_nor *nor, const u32 *smpt,
map_id = map_id << 1 | !!(*buf & read_data_mask);
}
+ spi_nor_smpt_map_id_fixups(nor, &map_id);
+
/*
* If command descriptors are provided, they always precede map
* descriptors in the table. There is no need to start the iteration
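Review bot: spi_nor_smpt_map_id_fixups(nor, &map_id) runs unconditionally after the detection loop, and the value a hook writes is used for the descriptor walk that follows without any check in this hunk. Since the hook is void and takes a const nor, it can only remap an ID it is given; the @smpt_map_id kernel-doc should say that hooks must leave *map_id unchanged unless they recognise the specific inconsistent value, so a fixup cannot turn a correct ID into a wrong one.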
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 612/969] mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (610 preceding siblings ...)
2026-05-30 16:02 ` [PATCH 6.1 611/969] mtd: spi-nor: sfdp: introduce smpt_map_id " Greg Kroah-Hartman
@ 2026-05-30 16:02 ` Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 613/969] mtd: spi-nor: swp: check SR_TB flag when getting tb_mask Greg Kroah-Hartman
` (363 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonas Gorski, Pratyush Yadav,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonas Gorski <jonas.gorski@gmail.com>
[ Upstream commit 3620d67b48493c6252bbc873dc88dde81641d56b ]
After commit 5273cc6df984 ("mtd: spi-nor: core: Call
spi_nor_post_sfdp_fixups() only when SFDP is defined")
spi_nor_post_sfdp_fixups() isn't called anymore if no SFDP is detected.
Update the documentation accordingly.
Fixes: 5273cc6df984 ("mtd: spi-nor: core: Call spi_nor_post_sfdp_fixups() only when SFDP is defined")
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
Signed-off-by: Pratyush Yadav (Google) <pratyush@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/spi-nor/core.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mtd/spi-nor/core.h b/drivers/mtd/spi-nor/core.h
index 1bf6bad5942d6..da451859c3910 100644
--- a/drivers/mtd/spi-nor/core.h
+++ b/drivers/mtd/spi-nor/core.h
@@ -411,7 +411,7 @@ struct spi_nor_flash_parameter {
* number of dummy cycles in read register ops.
* @smpt_map_id: called after map ID in SMPT table has been determined for the
* case the map ID is wrong and needs to be fixed.
- * @post_sfdp: called after SFDP has been parsed (is also called for SPI NORs
+ * @post_sfdp: called after SFDP has been parsed (is not called for SPI NORs
* that do not support RDSFDP). Typically used to tweak various
* parameters that could not be extracted by other means (i.e.
* when information provided by the SFDP/flash_info tables are
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 613/969] mtd: spi-nor: swp: check SR_TB flag when getting tb_mask
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (611 preceding siblings ...)
2026-05-30 16:02 ` [PATCH 6.1 612/969] mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation Greg Kroah-Hartman
@ 2026-05-30 16:02 ` Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 614/969] mtd: parsers: ofpart: call of_node_put() only in ofpart_fail path Greg Kroah-Hartman
` (362 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shiji Yang, Michael Walle,
Miquel Raynal, Pratyush Yadav (Google), Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shiji Yang <yangshiji66@outlook.com>
[ Upstream commit 94645aa41bf9ecb87c2ce78b1c3405bfb6074a37 ]
When the chip does not support top/bottom block protect, the tb_mask
must be set to 0, otherwise SR1 bit5 will be unexpectedly modified.
Signed-off-by: Shiji Yang <yangshiji66@outlook.com>
Fixes: 3dd8012a8eeb ("mtd: spi-nor: add TB (Top/Bottom) protect support")
Reviewed-by: Michael Walle <mwalle@kernel.org>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Pratyush Yadav (Google) <pratyush@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/spi-nor/swp.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/mtd/spi-nor/swp.c b/drivers/mtd/spi-nor/swp.c
index e63cdae6dd745..a587561dd476e 100644
--- a/drivers/mtd/spi-nor/swp.c
+++ b/drivers/mtd/spi-nor/swp.c
@@ -27,8 +27,10 @@ static u8 spi_nor_get_sr_tb_mask(struct spi_nor *nor)
{
if (nor->flags & SNOR_F_HAS_SR_TB_BIT6)
return SR_TB_BIT6;
- else
+ else if (nor->flags & SNOR_F_HAS_SR_TB)
return SR_TB_BIT5;
+ else
+ return 0;
}
static u64 spi_nor_get_min_prot_length_sr(struct spi_nor *nor)
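Review bot: spi_nor_get_sr_tb_mask() can now return 0, so every caller that tests or sets bits through the returned mask needs to be checked for the zero case; none of those callers are in this hunk, and the commit message names only the SR1 bit5 write. On style, the chain keeps `else` after `return` (`else if (nor->flags & SNOR_F_HAS_SR_TB)` ... `else return 0;`), which checkpatch flags; two plain `if` tests followed by `return 0;` read more clearly.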
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 614/969] mtd: parsers: ofpart: call of_node_put() only in ofpart_fail path
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (612 preceding siblings ...)
2026-05-30 16:02 ` [PATCH 6.1 613/969] mtd: spi-nor: swp: check SR_TB flag when getting tb_mask Greg Kroah-Hartman
@ 2026-05-30 16:02 ` Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 615/969] mtd: parsers: ofpart: call of_node_get() for dedicated subpartitions Greg Kroah-Hartman
` (361 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cosmin Tanislav, Tommaso Merciai,
Miquel Raynal, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cosmin Tanislav <cosmin-gabriel.tanislav.xa@renesas.com>
[ Upstream commit 0c87dea1aab86116211cb37387c404c9e9231c39 ]
ofpart_none can only be reached after the for_each_child_of_node() loop
finishes. for_each_child_of_node() correctly calls of_node_put() for all
device nodes it iterates over as long as we don't break or jump out of
the loop.
Calling of_node_put() inside the ofpart_none path will wrongly decrement
the ref count of the last node in the for_each_child_of_node() loop.
Move the call to of_node_put() under the ofpart_fail label to fix this.
Fixes: ebd5a74db74e ("mtd: ofpart: Check availability of reg property instead of name property")
Signed-off-by: Cosmin Tanislav <cosmin-gabriel.tanislav.xa@renesas.com>
Tested-by: Tommaso Merciai <tommaso.merciai.xr@bp.renesas.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/parsers/ofpart_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mtd/parsers/ofpart_core.c b/drivers/mtd/parsers/ofpart_core.c
index 3cf75b56d5a2e..110994b1e02f5 100644
--- a/drivers/mtd/parsers/ofpart_core.c
+++ b/drivers/mtd/parsers/ofpart_core.c
@@ -191,11 +191,11 @@ static int parse_fixed_partitions(struct mtd_info *master,
ofpart_fail:
pr_err("%s: error parsing ofpart partition %pOF (%pOF)\n",
master->name, pp, mtd_node);
+ of_node_put(pp);
ret = -EINVAL;
ofpart_none:
if (dedicated)
of_node_put(ofpart_node);
- of_node_put(pp);
kfree(parts);
return ret;
}
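Review bot: of_node_put(pp) under ofpart_fail is only balanced if every `goto ofpart_fail` is taken from inside the for_each_child_of_node() body, while pp still holds the iterator's reference, and nothing near the label states that invariant. Suggest a one-line comment at ofpart_fail saying pp is the node the loop was exited on. The placement after pr_err(), which prints pp via %pOF, is the right order and should stay that way.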
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 615/969] mtd: parsers: ofpart: call of_node_get() for dedicated subpartitions
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (613 preceding siblings ...)
2026-05-30 16:02 ` [PATCH 6.1 614/969] mtd: parsers: ofpart: call of_node_put() only in ofpart_fail path Greg Kroah-Hartman
@ 2026-05-30 16:02 ` Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 616/969] mtd: rawnand: sunxi: fix sunxi_nfc_hw_ecc_read_extra_oob Greg Kroah-Hartman
` (360 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cosmin Tanislav, Tommaso Merciai,
Miquel Raynal, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cosmin Tanislav <cosmin-gabriel.tanislav.xa@renesas.com>
[ Upstream commit e882626c1747653f1f01ea9d12e278e613b11d0f ]
In order to parse sub-partitions, add_mtd_partitions() calls
parse_mtd_partitions() for all previously found partitions.
Each partition will end up being passed to parse_fixed_partitions(), and
its of_node will be treated as the ofpart_node.
Commit 7cce81df7d26 ("mtd: parsers: ofpart: fix OF node refcount leak in
parse_fixed_partitions()") added of_node_put() calls for ofpart_node on
all exit paths.
In the case where the partition passed to parse_fixed_partitions() has a
parent, it is treated as a dedicated partitions node, and of_node_put()
is wrongly called for it, even if of_node_get() was not called
explicitly.
On repeated bind / unbinds of the MTD, the extra of_node_put() ends up
decrementing the refcount down to 0, which should never happen,
resulting in the following error:
OF: ERROR: of_node_release() detected bad of_node_put() on
/soc/spi@80007000/flash@0/partitions/partition@0
Call of_node_get() to balance the call to of_node_put() done for
dedicated partitions nodes.
Fixes: 7cce81df7d26 ("mtd: parsers: ofpart: fix OF node refcount leak in parse_fixed_partitions()")
Signed-off-by: Cosmin Tanislav <cosmin-gabriel.tanislav.xa@renesas.com>
Tested-by: Tommaso Merciai <tommaso.merciai.xr@bp.renesas.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/parsers/ofpart_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mtd/parsers/ofpart_core.c b/drivers/mtd/parsers/ofpart_core.c
index 110994b1e02f5..c18fa1b3e3276 100644
--- a/drivers/mtd/parsers/ofpart_core.c
+++ b/drivers/mtd/parsers/ofpart_core.c
@@ -71,7 +71,7 @@ static int parse_fixed_partitions(struct mtd_info *master,
dedicated = false;
}
} else { /* Partition */
- ofpart_node = mtd_node;
+ ofpart_node = of_node_get(mtd_node);
}
of_id = of_match_node(parse_ofpart_match_table, ofpart_node);
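Review bot: `ofpart_node = of_node_get(mtd_node);` has no comment tying it to the `if (dedicated) of_node_put(ofpart_node);` on the exit path, so the balance depends on dedicated still being true in this /* Partition */ branch, which is not visible here. Suggest a short comment at the get, for example "paired with of_node_put() at ofpart_none", so the pairing survives future edits to either side.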
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 616/969] mtd: rawnand: sunxi: fix sunxi_nfc_hw_ecc_read_extra_oob
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (614 preceding siblings ...)
2026-05-30 16:02 ` [PATCH 6.1 615/969] mtd: parsers: ofpart: call of_node_get() for dedicated subpartitions Greg Kroah-Hartman
@ 2026-05-30 16:02 ` Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 617/969] HID: usbhid: fix deadlock in hid_post_reset() Greg Kroah-Hartman
` (359 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jernej Skrabec, Richard Genoud,
Miquel Raynal, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Richard Genoud <richard.genoud@bootlin.com>
[ Upstream commit 848c13996c55fe4ea6bf5acc3ce6c8c5c944b5f6 ]
When dumping the OOB, the bytes at the end were actually copied from
the beginning of the OOB instead of current_offset.
That leads to something like:
OOB: ff ff ff ff ff ff ff ff ea 19 00 3a 83 db aa 8d
OOB: 99 09 c8 9a 90 36 35 7d aa 15 13 07 3d 97 b2 a4
OOB: a8 bb 19 b3 07 e9 f6 25 52 d7 1a 23 e2 7e 0a e4
OOB: 52 8a 09 d2 1a 86 3d cf b4 99 43 13 d3 90 33 0b
OOB: ff ff ff ff ff ff ff ff ea 19 00 3a 83 db aa 8d
OOB: 99 09 c8 9a 90 36 35 7d aa 15 13 07 3d 97 b2 a4
OOB: a8 bb 19 b3 07 e9 f6 25 52 d7 1a 23 e2 7e 0a e4
OOB: 52 8a 09 d2 1a 86 3d cf b4 99 43 13 d3 90 33 0b
instead of:
OOB: ff ff ff ff ff ff ff ff ea 19 00 3a 83 db aa 8d
OOB: 99 09 c8 9a 90 36 35 7d aa 15 13 07 3d 97 b2 a4
OOB: a8 bb 19 b3 07 e9 f6 25 52 d7 1a 23 e2 7e 0a e4
OOB: 52 8a 09 d2 1a 86 3d cf b4 99 43 13 d3 90 33 0b
OOB: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
OOB: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
OOB: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
OOB: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
(example with BCH16, user data [8,0], no scrambling)
*cur_off (offset from the beginning of the page) was compared to offset
(offset from the beginning of the OOB), and then, the
nand_change_read_column_op() sets the current position to the beginning
of the OOB instead of OOB+offset
Fixes: 15d6f118285f ("mtd: rawnand: sunxi: Stop supporting ECC_HW_SYNDROME mode")
Reviewed-by: Jernej Skrabec <jernej.skrabec@gmail.com>
Signed-off-by: Richard Genoud <richard.genoud@bootlin.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/nand/raw/sunxi_nand.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/mtd/nand/raw/sunxi_nand.c b/drivers/mtd/nand/raw/sunxi_nand.c
index a9daf195cba50..16231ca93b599 100644
--- a/drivers/mtd/nand/raw/sunxi_nand.c
+++ b/drivers/mtd/nand/raw/sunxi_nand.c
@@ -898,9 +898,9 @@ static void sunxi_nfc_hw_ecc_read_extra_oob(struct nand_chip *nand,
if (len <= 0)
return;
- if (!cur_off || *cur_off != offset)
- nand_change_read_column_op(nand, mtd->writesize, NULL, 0,
- false);
+ if (!cur_off || *cur_off != (offset + mtd->writesize))
+ nand_change_read_column_op(nand, mtd->writesize + offset,
+ NULL, 0, false);
if (!randomize)
sunxi_nfc_read_buf(nand, oob + offset, len);
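Review bot: the return value of nand_change_read_column_op() is still discarded, so if the column change fails, sunxi_nfc_read_buf() goes on to read from whatever position the chip is at and the wrong bytes land in oob + offset without any indication. The function is void, so at least a warning on failure would help. Separately, the same column is spelled `offset + mtd->writesize` in the test and `mtd->writesize + offset` in the call; a local variable holding the page-relative column would keep the two from drifting apart again.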
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 617/969] HID: usbhid: fix deadlock in hid_post_reset()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (615 preceding siblings ...)
2026-05-30 16:02 ` [PATCH 6.1 616/969] mtd: rawnand: sunxi: fix sunxi_nfc_hw_ecc_read_extra_oob Greg Kroah-Hartman
@ 2026-05-30 16:02 ` Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 618/969] bpf, arm64: Fix off-by-one in check_imm signed range check Greg Kroah-Hartman
` (358 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Oliver Neukum, Jiri Kosina,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.com>
[ Upstream commit 8df2c1b47ee3cd50fd454f75c7a7e2ae8a6adf72 ]
You can build a USB device that includes a HID component
and a storage or UAS component. The components can be reset
only together. That means that hid_pre_reset() and hid_post_reset()
are in the block IO error handling. Hence no memory allocation
used in them may do block IO because the IO can deadlock
on the mutex held while resetting a device and calling the
interface drivers.
Use GFP_NOIO for all allocations in them.
Fixes: dc3c78e434690 ("HID: usbhid: Check HID report descriptor contents after device reset")
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/usbhid/hid-core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
index 352c9327d08b2..ccf0aad99a4b9 100644
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -1544,7 +1544,7 @@ static int hid_post_reset(struct usb_interface *intf)
* configuration descriptors passed, we already know that
* the size of the HID report descriptor has not changed.
*/
- rdesc = kmalloc(hid->dev_rsize, GFP_KERNEL);
+ rdesc = kmalloc(hid->dev_rsize, GFP_NOIO);
if (!rdesc)
return -ENOMEM;
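Review bot: only the kmalloc() in hid_post_reset() is switched to GFP_NOIO, while the commit message says "Use GFP_NOIO for all allocations in them", meaning both hid_pre_reset() and hid_post_reset(), and the diffstat shows a single changed line. Suggest either stating in the message that this is the only allocation on those paths, or bracketing the reset callbacks with memalloc_noio_save()/memalloc_noio_restore() so allocations made by callees after this point are covered as well.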
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 618/969] bpf, arm64: Fix off-by-one in check_imm signed range check
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (616 preceding siblings ...)
2026-05-30 16:02 ` [PATCH 6.1 617/969] HID: usbhid: fix deadlock in hid_post_reset() Greg Kroah-Hartman
@ 2026-05-30 16:02 ` Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 619/969] bpf, sockmap: Fix af_unix iter deadlock Greg Kroah-Hartman
` (357 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Borkmann, Puranjay Mohan,
Alexei Starovoitov, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Borkmann <daniel@iogearbox.net>
[ Upstream commit 1dd8be4ec722ce54e4cace59f3a4ba658111b3ec ]
check_imm(bits, imm) is used in the arm64 BPF JIT to verify that
a branch displacement (in arm64 instruction units) fits into the
signed N-bit immediate field of a B, B.cond or CBZ/CBNZ encoding
before it is handed to the encoder. The macro currently tests for
(imm > 0 && imm >> bits) || (imm < 0 && ~imm >> bits) which admits
values in [-2^N, 2^N) — effectively a signed (N+1)-bit range. A
signed N-bit field only holds [-2^(N-1), 2^(N-1)), so the check
admits one extra bit of range on each side.
In particular, for check_imm19(), values in [2^18, 2^19) slip past
the check but do not fit into the 19-bit signed imm19 field of
B.cond. aarch64_insn_encode_immediate() then masks the raw value
into the 19-bit field, setting bit 18 (the sign bit) and flipping
a forward branch into a backward one. Same class of issue exists
for check_imm26() and the B/BL encoding. Shift by (bits - 1)
instead of bits so the actual signed N-bit range is enforced.
Fixes: e54bcde3d69d ("arm64: eBPF JIT compiler")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Puranjay Mohan <puranjay@kernel.org>
Link: https://lore.kernel.org/r/20260415121403.639619-2-daniel@iogearbox.net
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/net/bpf_jit_comp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c
index 783883721aaf5..e66218aed831d 100644
--- a/arch/arm64/net/bpf_jit_comp.c
+++ b/arch/arm64/net/bpf_jit_comp.c
@@ -33,8 +33,8 @@
#define FP_BOTTOM (MAX_BPF_JIT_REG + 4)
#define check_imm(bits, imm) do { \
- if ((((imm) > 0) && ((imm) >> (bits))) || \
- (((imm) < 0) && (~(imm) >> (bits)))) { \
+ if ((((imm) > 0) && ((imm) >> ((bits) - 1))) || \
+ (((imm) < 0) && (~(imm) >> ((bits) - 1)))) { \
pr_info("[%2d] imm=%d(0x%x) out of range\n", \
i, imm, imm); \
return -EINVAL; \
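Review bot: with the shift now `((bits) - 1)`, the macro silently depends on bits being at least 1, and imm is still expanded several times per use, so an argument with side effects would be evaluated repeatedly. Suggest a comment above check_imm stating the accepted range, [-2^(bits-1), 2^(bits-1)), and consider a static inline helper so the arguments are evaluated once. The pr_info() text could also print the limit that was exceeded, which makes a rejected JIT easier to diagnose.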
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
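The range check described in the commit message above, as an added example that is not part of the patch or of the kernel source: a userspace C model of the pre-fix and post-fix check_imm predicates, plus the masking step the message attributes to aarch64_insn_encode_immediate(). The names rejected_old, rejected_new, field_roundtrip and count_misencoded are hypothetical, and the field model (keep the low N bits, sign-extend from bit N-1) is an assumption.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Pre-fix predicate, taken from the removed lines: true means "reject imm". */
static bool rejected_old(int bits, int32_t imm)
{
	return (imm > 0 && (imm >> bits)) ||
	       (imm < 0 && (~imm >> bits));
}

/* Post-fix predicate, taken from the added lines: shift by bits - 1. */
static bool rejected_new(int bits, int32_t imm)
{
	return (imm > 0 && (imm >> (bits - 1))) ||
	       (imm < 0 && (~imm >> (bits - 1)));
}

/*
 * Assumed model of an N-bit signed field: keep the low N bits (the masking
 * the commit message describes), then sign-extend from bit N-1, which is how
 * the field is interpreted when the branch executes.
 */
static int32_t field_roundtrip(int bits, int32_t imm)
{
	uint32_t span = 1u << bits;                 /* 2^N */
	uint32_t raw = (uint32_t)imm & (span - 1);  /* truncated field value */

	if (raw & (span >> 1))                      /* field sign bit is set */
		return (int32_t)raw - (int32_t)span;
	return (int32_t)raw;
}

/*
 * Count displacements in [-2^(bits+1), 2^(bits+1)] that a predicate accepts
 * but that decode to a different displacement than the one requested.
 */
static long count_misencoded(int bits, bool (*rejected)(int, int32_t))
{
	int32_t limit = (int32_t)1 << (bits + 1);
	long bad = 0;

	for (int32_t imm = -limit; imm <= limit; imm++)
		if (!rejected(bits, imm) && field_roundtrip(bits, imm) != imm)
			bad++;
	return bad;
}

int main(void)
{
	/* Constructed sample displacements around the imm19 boundaries. */
	const int32_t samples[] = { 262143, 262144, -262144, -262145 };

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		int32_t imm = samples[i];

		printf("imm=%8d old=%s new=%s decodes_as=%8d\n", (int)imm,
		       rejected_old(19, imm) ? "reject" : "accept",
		       rejected_new(19, imm) ? "reject" : "accept",
		       (int)field_roundtrip(19, imm));
	}

	printf("imm19 values accepted but mis-encoded: old=%ld new=%ld\n",
	       count_misencoded(19, rejected_old),
	       count_misencoded(19, rejected_new));
	return 0;
}
```

A regression test for the JIT can reuse the four boundary samples: the first and third must be accepted and decode unchanged, the second and fourth must be rejected.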
* [PATCH 6.1 619/969] bpf, sockmap: Fix af_unix iter deadlock
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (617 preceding siblings ...)
2026-05-30 16:02 ` [PATCH 6.1 618/969] bpf, arm64: Fix off-by-one in check_imm signed range check Greg Kroah-Hartman
@ 2026-05-30 16:02 ` Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 620/969] bpf, sockmap: Fix af_unix null-ptr-deref in proto update Greg Kroah-Hartman
` (356 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, Martin KaFai Lau,
Michal Luczaj, Martin KaFai Lau, Jiayuan Chen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Luczaj <mhal@rbox.co>
[ Upstream commit 4d328dd695383224aa750ddee6b4ad40c0f8d205 ]
bpf_iter_unix_seq_show() may deadlock when lock_sock_fast() takes the fast
path and the iter prog attempts to update a sockmap. Which ends up spinning
at sock_map_update_elem()'s bh_lock_sock():
WARNING: possible recursive locking detected
test_progs/1393 is trying to acquire lock:
ffff88811ec25f58 (slock-AF_UNIX){+...}-{3:3}, at: sock_map_update_elem+0xdb/0x1f0
but task is already holding lock:
ffff88811ec25f58 (slock-AF_UNIX){+...}-{3:3}, at: __lock_sock_fast+0x37/0xe0
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(slock-AF_UNIX);
lock(slock-AF_UNIX);
*** DEADLOCK ***
May be due to missing lock nesting notation
4 locks held by test_progs/1393:
#0: ffff88814b59c790 (&p->lock){+.+.}-{4:4}, at: bpf_seq_read+0x59/0x10d0
#1: ffff88811ec25fd8 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: bpf_seq_read+0x42c/0x10d0
#2: ffff88811ec25f58 (slock-AF_UNIX){+...}-{3:3}, at: __lock_sock_fast+0x37/0xe0
#3: ffffffff85a6a7c0 (rcu_read_lock){....}-{1:3}, at: bpf_iter_run_prog+0x51d/0xb00
Call Trace:
dump_stack_lvl+0x5d/0x80
print_deadlock_bug.cold+0xc0/0xce
__lock_acquire+0x130f/0x2590
lock_acquire+0x14e/0x2b0
_raw_spin_lock+0x30/0x40
sock_map_update_elem+0xdb/0x1f0
bpf_prog_2d0075e5d9b721cd_dump_unix+0x55/0x4f4
bpf_iter_run_prog+0x5b9/0xb00
bpf_iter_unix_seq_show+0x1f7/0x2e0
bpf_seq_read+0x42c/0x10d0
vfs_read+0x171/0xb20
ksys_read+0xff/0x200
do_syscall_64+0x6b/0x3a0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Fixes: 2c860a43dd77 ("bpf: af_unix: Implement BPF iterator for UNIX domain socket.")
Suggested-by: Kuniyuki Iwashima <kuniyu@google.com>
Suggested-by: Martin KaFai Lau <martin.lau@linux.dev>
Signed-off-by: Michal Luczaj <mhal@rbox.co>
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260414-unix-proto-update-null-ptr-deref-v4-2-2af6fe97918e@rbox.co
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/unix/af_unix.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -3598,15 +3598,14 @@ static int bpf_iter_unix_seq_show(struct
struct bpf_prog *prog;
struct sock *sk = v;
uid_t uid;
- bool slow;
int ret;
if (v == SEQ_START_TOKEN)
return 0;
- slow = lock_sock_fast(sk);
+ lock_sock(sk);
- if (unlikely(sk_unhashed(sk))) {
+ if (unlikely(sock_flag(sk, SOCK_DEAD))) {
ret = SEQ_SKIP;
goto unlock;
}
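Review bot: the changelog explains the switch from lock_sock_fast() to lock_sock(), but not why the liveness test in the same hunk changes from sk_unhashed(sk) to sock_flag(sk, SOCK_DEAD). These are different conditions, so a sentence in the commit message, or a comment above the `if`, saying why SOCK_DEAD is the right test once the owner lock is held would make this backport easier to audit.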
@@ -3616,7 +3615,7 @@ static int bpf_iter_unix_seq_show(struct
prog = bpf_iter_get_info(&meta, false);
ret = unix_prog_seq_show(prog, &meta, v, uid);
unlock:
- unlock_sock_fast(sk, slow);
+ release_sock(sk);
return ret;
}
* [PATCH 6.1 620/969] bpf, sockmap: Fix af_unix null-ptr-deref in proto update
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Luczaj,
钱一铭, Kuniyuki Iwashima, Martin KaFai Lau,
Martin KaFai Lau, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Luczaj <mhal@rbox.co>
[ Upstream commit dca38b7734d2ea00af4818ff3ae836fab33d5d5a ]
unix_stream_connect() sets sk_state (`WRITE_ONCE(sk->sk_state,
TCP_ESTABLISHED)`) _before_ it assigns a peer (`unix_peer(sk) = newsk`).
sk_state == TCP_ESTABLISHED makes sock_map_sk_state_allowed() believe that
socket is properly set up, which would include having a defined peer. IOW,
there's a window when unix_stream_bpf_update_proto() can be called on
socket which still has unix_peer(sk) == NULL.
CPU0 bpf CPU1 connect
-------- ------------
WRITE_ONCE(sk->sk_state, TCP_ESTABLISHED)
sock_map_sk_state_allowed(sk)
...
sk_pair = unix_peer(sk)
sock_hold(sk_pair)
sock_hold(newsk)
smp_mb__after_atomic()
unix_peer(sk) = newsk
BUG: kernel NULL pointer dereference, address: 0000000000000080
RIP: 0010:unix_stream_bpf_update_proto+0xa0/0x1b0
Call Trace:
sock_map_link+0x564/0x8b0
sock_map_update_common+0x6e/0x340
sock_map_update_elem_sys+0x17d/0x240
__sys_bpf+0x26db/0x3250
__x64_sys_bpf+0x21/0x30
do_syscall_64+0x6b/0x3a0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Initial idea was to move peer assignment _before_ the sk_state update[1],
but that involved an additional memory barrier, and changing the hot path
was rejected.
Then a NULL check during proto update in unix_stream_bpf_update_proto() was
considered[2], but the follow-up discussion[3] focused on the root cause,
i.e. sockmap update taking a wrong lock. Or, more specifically, missing
unix_state_lock()[4].
In the end it was concluded that teaching sockmap about the af_unix locking
would be unnecessarily complex[5].
Complexity aside, since BPF_PROG_TYPE_SCHED_CLS and BPF_PROG_TYPE_SCHED_ACT
are allowed to update sockmaps, sock_map_update_elem() taking the unix
lock, as it is currently implemented in unix_state_lock():
spin_lock(&unix_sk(s)->lock), would be problematic. unix_state_lock() taken
in a process context, followed by a softirq-context TC BPF program
attempting to take the same spinlock -- deadlock[6].
This way we circled back to the peer check idea[2].
[1]: https://lore.kernel.org/netdev/ba5c50aa-1df4-40c2-ab33-a72022c5a32e@rbox.co/
[2]: https://lore.kernel.org/netdev/20240610174906.32921-1-kuniyu@amazon.com/
[3]: https://lore.kernel.org/netdev/7603c0e6-cd5b-452b-b710-73b64bd9de26@linux.dev/
[4]: https://lore.kernel.org/netdev/CAAVpQUA+8GL_j63CaKb8hbxoL21izD58yr1NvhOhU=j+35+3og@mail.gmail.com/
[5]: https://lore.kernel.org/bpf/CAAVpQUAHijOMext28Gi10dSLuMzGYh+jK61Ujn+fZ-wvcODR2A@mail.gmail.com/
[6]: https://lore.kernel.org/bpf/dd043c69-4d03-46fe-8325-8f97101435cf@linux.dev/
Summary of scenarios where af_unix/stream connect() may race a sockmap
update:
1. connect() vs. bpf(BPF_MAP_UPDATE_ELEM), i.e. sock_map_update_elem_sys()
Implemented NULL check is sufficient. Once assigned, socket peer won't
be released until socket fd is released. And that's not an issue because
sock_map_update_elem_sys() bumps fd refcnt.
2. connect() vs BPF program doing update
Update restricted per verifier.c:may_update_sockmap() to
BPF_PROG_TYPE_TRACING/BPF_TRACE_ITER
BPF_PROG_TYPE_SOCK_OPS (bpf_sock_map_update() only)
BPF_PROG_TYPE_SOCKET_FILTER
BPF_PROG_TYPE_SCHED_CLS
BPF_PROG_TYPE_SCHED_ACT
BPF_PROG_TYPE_XDP
BPF_PROG_TYPE_SK_REUSEPORT
BPF_PROG_TYPE_FLOW_DISSECTOR
BPF_PROG_TYPE_SK_LOOKUP
Plus one more race to consider:
CPU0 bpf CPU1 connect
-------- ------------
WRITE_ONCE(sk->sk_state, TCP_ESTABLISHED)
sock_map_sk_state_allowed(sk)
sock_hold(newsk)
smp_mb__after_atomic()
unix_peer(sk) = newsk
sk_pair = unix_peer(sk)
if (unlikely(!sk_pair))
return -EINVAL;
CPU1 close
----------
skpair = unix_peer(sk);
unix_peer(sk) = NULL;
sock_put(skpair)
// use after free?
sock_hold(sk_pair)
2.1 BPF program invoking helper function bpf_sock_map_update() ->
BPF_CALL_4(bpf_sock_map_update(), ...)
Helper limited to BPF_PROG_TYPE_SOCK_OPS. Nevertheless, a unix sock
might be accessible via bpf_map_lookup_elem(). Which implies sk
already having psock, which in turn implies sk already having
sk_pair. Since sk_psock_destroy() is queued as RCU work, sk_pair
won't go away while BPF executes the update.
2.2 BPF program invoking helper function bpf_map_update_elem() ->
sock_map_update_elem()
2.2.1 Unix sock accessible to BPF prog only via sockmap lookup in
BPF_PROG_TYPE_SOCKET_FILTER, BPF_PROG_TYPE_SCHED_CLS,
BPF_PROG_TYPE_SCHED_ACT, BPF_PROG_TYPE_XDP,
BPF_PROG_TYPE_SK_REUSEPORT, BPF_PROG_TYPE_FLOW_DISSECTOR,
BPF_PROG_TYPE_SK_LOOKUP.
Pretty much the same as case 2.1.
2.2.2 Unix sock accessible to BPF program directly:
BPF_PROG_TYPE_TRACING, narrowed down to BPF_TRACE_ITER.
Sockmap iterator (sock_map_seq_ops) is safe: unix sock
residing in a sockmap means that the sock already went through
the proto update step.
Unix sock iterator (bpf_iter_unix_seq_ops), on the other hand,
gives access to socks that may still be unconnected. Which
means iterator prog can race sockmap/proto update against
connect().
BUG: KASAN: null-ptr-deref in unix_stream_bpf_update_proto+0x253/0x4d0
Write of size 4 at addr 0000000000000080 by task test_progs/3140
Call Trace:
dump_stack_lvl+0x5d/0x80
kasan_report+0xe4/0x1c0
kasan_check_range+0x125/0x200
unix_stream_bpf_update_proto+0x253/0x4d0
sock_map_link+0x71c/0xec0
sock_map_update_common+0xbc/0x600
sock_map_update_elem+0x19a/0x1f0
bpf_prog_bbbf56096cdd4f01_selective_dump_unix+0x20c/0x217
bpf_iter_run_prog+0x21e/0xae0
bpf_iter_unix_seq_show+0x1e0/0x2a0
bpf_seq_read+0x42c/0x10d0
vfs_read+0x171/0xb20
ksys_read+0xff/0x200
do_syscall_64+0xf7/0x5e0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
While the introduced NULL check prevents null-ptr-deref in the
BPF program path as well, it is insufficient to guard against
a poorly timed close() leading to a use-after-free. This will
be addressed in a subsequent patch.
Fixes: c63829182c37 ("af_unix: Implement ->psock_update_sk_prot()")
Closes: https://lore.kernel.org/netdev/ba5c50aa-1df4-40c2-ab33-a72022c5a32e@rbox.co/
Reported-by: Michal Luczaj <mhal@rbox.co>
Reported-by: 钱一铭 <yimingqian591@gmail.com>
Suggested-by: Kuniyuki Iwashima <kuniyu@google.com>
Suggested-by: Martin KaFai Lau <martin.lau@linux.dev>
Signed-off-by: Michal Luczaj <mhal@rbox.co>
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260414-unix-proto-update-null-ptr-deref-v4-4-2af6fe97918e@rbox.co
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/unix/unix_bpf.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/unix/unix_bpf.c b/net/unix/unix_bpf.c
index bca2d86ba97d8..976e035053e5a 100644
--- a/net/unix/unix_bpf.c
+++ b/net/unix/unix_bpf.c
@@ -184,6 +184,9 @@ int unix_stream_bpf_update_proto(struct sock *sk, struct sk_psock *psock, bool r
*/
if (!psock->sk_pair) {
sk_pair = unix_peer(sk);
+ if (unlikely(!sk_pair))
+ return -EINVAL;
+
sock_hold(sk_pair);
psock->sk_pair = sk_pair;
}
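Review bot: the new `if (unlikely(!sk_pair)) return -EINVAL;` closes the NULL dereference, but nothing between `sk_pair = unix_peer(sk)` and `sock_hold(sk_pair)` pins the peer, and the changelog itself says a poorly timed close() can still end in a use-after-free on the iterator path. For a stable tree this patch should not be picked without the follow-up that takes unix_state_lock() in bpf_iter_unix_seq_show() (621 in this series). A short comment above the check naming which callers guarantee the peer stays alive would document that dependency in the code.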
--
2.53.0
* [PATCH 6.1 621/969] bpf, sockmap: Take state lock for af_unix iter
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, Michal Luczaj,
Martin KaFai Lau, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Luczaj <mhal@rbox.co>
[ Upstream commit 64c2f93fc3254d3bf5de4445fb732ee5c451edb6 ]
When a BPF iterator program updates a sockmap, there is a race condition in
unix_stream_bpf_update_proto() where the `peer` pointer can become stale[1]
during a state transition TCP_ESTABLISHED -> TCP_CLOSE.
CPU0 bpf CPU1 close
-------- ----------
// unix_stream_bpf_update_proto()
sk_pair = unix_peer(sk)
if (unlikely(!sk_pair))
return -EINVAL;
// unix_release_sock()
skpair = unix_peer(sk);
unix_peer(sk) = NULL;
sock_put(skpair)
sock_hold(sk_pair) // UaF
More practically, this fix guarantees that the iterator program is
consistently provided with a unix socket that remains stable during
iterator execution.
[1]:
BUG: KASAN: slab-use-after-free in unix_stream_bpf_update_proto+0x155/0x490
Write of size 4 at addr ffff8881178c9a00 by task test_progs/2231
Call Trace:
dump_stack_lvl+0x5d/0x80
print_report+0x170/0x4f3
kasan_report+0xe4/0x1c0
kasan_check_range+0x125/0x200
unix_stream_bpf_update_proto+0x155/0x490
sock_map_link+0x71c/0xec0
sock_map_update_common+0xbc/0x600
sock_map_update_elem+0x19a/0x1f0
bpf_prog_bbbf56096cdd4f01_selective_dump_unix+0x20c/0x217
bpf_iter_run_prog+0x21e/0xae0
bpf_iter_unix_seq_show+0x1e0/0x2a0
bpf_seq_read+0x42c/0x10d0
vfs_read+0x171/0xb20
ksys_read+0xff/0x200
do_syscall_64+0xf7/0x5e0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Allocated by task 2236:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_slab_alloc+0x63/0x80
kmem_cache_alloc_noprof+0x1d5/0x680
sk_prot_alloc+0x59/0x210
sk_alloc+0x34/0x470
unix_create1+0x86/0x8a0
unix_stream_connect+0x318/0x15b0
__sys_connect+0xfd/0x130
__x64_sys_connect+0x72/0xd0
do_syscall_64+0xf7/0x5e0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Freed by task 2236:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
kasan_save_free_info+0x3b/0x70
__kasan_slab_free+0x47/0x70
kmem_cache_free+0x11c/0x590
__sk_destruct+0x432/0x6e0
unix_release_sock+0x9b3/0xf60
unix_release+0x8a/0xf0
__sock_release+0xb0/0x270
sock_close+0x18/0x20
__fput+0x36e/0xac0
fput_close_sync+0xe5/0x1a0
__x64_sys_close+0x7d/0xd0
do_syscall_64+0xf7/0x5e0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Fixes: 2c860a43dd77 ("bpf: af_unix: Implement BPF iterator for UNIX domain socket.")
Suggested-by: Kuniyuki Iwashima <kuniyu@google.com>
Signed-off-by: Michal Luczaj <mhal@rbox.co>
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260414-unix-proto-update-null-ptr-deref-v4-5-2af6fe97918e@rbox.co
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/unix/af_unix.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -3604,6 +3604,7 @@ static int bpf_iter_unix_seq_show(struct
return 0;
lock_sock(sk);
+ unix_state_lock(sk);
if (unlikely(sock_flag(sk, SOCK_DEAD))) {
ret = SEQ_SKIP;
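Review bot: with `unix_state_lock(sk)` added directly after `lock_sock(sk)`, every bpf_iter_unix program now runs with the unix state lock held, which the 620 changelog describes as `spin_lock(&unix_sk(s)->lock)`. That affects all iterator programs, not only those that update a sockmap, so a comment here recording the lock order (socket lock first, then state lock) and the fact that the program runs under a spinlock would help. Anything reachable from the program that takes the same lock would recurse on it in the way 619 shows for slock.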
@@ -3615,6 +3616,7 @@ static int bpf_iter_unix_seq_show(struct
prog = bpf_iter_get_info(&meta, false);
ret = unix_prog_seq_show(prog, &meta, v, uid);
unlock:
+ unix_state_unlock(sk);
release_sock(sk);
return ret;
}
* [PATCH 6.1 622/969] bpf: Fix precedence bug in convert_bpf_ld_abs alignment check
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Borkmann, Alexei Starovoitov,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Borkmann <daniel@iogearbox.net>
[ Upstream commit e5f635edd393aeaa7cad9e42831d397e6e2e1eed ]
Fix an operator precedence issue in convert_bpf_ld_abs() where the
expression offset + ip_align % size evaluates as offset + (ip_align % size)
due to % having higher precedence than +. That latter evaluation does
not make any sense. The intended check is (offset + ip_align) % size == 0
to verify that the packet load offset is properly aligned for direct
access.
With NET_IP_ALIGN == 2, the bug causes the inline fast-path for direct
packet loads to almost never be taken on !CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
platforms. This forces nearly all cBPF BPF_LD_ABS packet loads through
the bpf_skb_load_helper slow path on the affected archs.
Fixes: e0cea7ce988c ("bpf: implement ld_abs/ld_ind in native bpf")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/r/20260416122719.661033-1-daniel@iogearbox.net
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/filter.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/core/filter.c b/net/core/filter.c
index aee85a0062ce6..90e986228ab9a 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -493,7 +493,7 @@ static bool convert_bpf_ld_abs(struct sock_filter *fp, struct bpf_insn **insnp)
((unaligned_ok && offset >= 0) ||
(!unaligned_ok && offset >= 0 &&
offset + ip_align >= 0 &&
- offset + ip_align % size == 0))) {
+ (offset + ip_align) % size == 0))) {
bool ldx_off_ok = offset <= S16_MAX;
*insn++ = BPF_MOV64_REG(BPF_REG_TMP, BPF_REG_H);
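Review bot: in the `!unaligned_ok` branch the sum `offset + ip_align` is now written out twice on adjacent lines, once for the `>= 0` guard and once in parentheses for `% size`. A local holding the sum would make the intent obvious and would have prevented the precedence slip in the first place. For stable, note that per the changelog this is not cosmetic: on !CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS platforms the inline direct-load path will now actually be taken, so it deserves a cBPF BPF_LD_ABS run on one of those architectures before release.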
--
2.53.0
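The effect of the precedence slip described in the 622 changelog, as an added example that is not part of the patch or the kernel source: a user-space model of only the alignment clause, counting how many offsets qualify for the inline path before and after the fix. The load widths 1, 2 and 4 and the 0..63 offset range are assumptions chosen for illustration; NET_IP_ALIGN == 2 is the value the changelog uses.

```c
#include <stdbool.h>
#include <stdio.h>

/* Value used in the changelog; the real constant is per-architecture. */
#define MODEL_IP_ALIGN 2
/* Constructed sample range of packet offsets to test. */
#define MODEL_OFFSETS  64

/* Clause as written before the fix: '%' binds tighter than '+',
 * so this tests offset + (ip_align % size) == 0. */
static bool aligned_before_fix(int offset, int ip_align, int size)
{
	return offset >= 0 &&
	       offset + ip_align >= 0 &&
	       offset + ip_align % size == 0;
}

/* Clause after the fix: the whole sum must be a multiple of size. */
static bool aligned_after_fix(int offset, int ip_align, int size)
{
	return offset >= 0 &&
	       offset + ip_align >= 0 &&
	       (offset + ip_align) % size == 0;
}

/* Number of offsets in [0, MODEL_OFFSETS) eligible for the inline path. */
static int count_fast_path(bool (*check)(int, int, int), int size)
{
	int n = 0;

	for (int off = 0; off < MODEL_OFFSETS; off++)
		if (check(off, MODEL_IP_ALIGN, size))
			n++;
	return n;
}

/* True if the old clause ever admitted an offset the fixed clause rejects,
 * i.e. if the bug could have let a misaligned direct load through. */
static bool old_clause_admits_misaligned(void)
{
	static const int sizes[] = { 1, 2, 4 };

	for (unsigned int s = 0; s < sizeof(sizes) / sizeof(sizes[0]); s++)
		for (int off = 0; off < MODEL_OFFSETS; off++)
			if (aligned_before_fix(off, MODEL_IP_ALIGN, sizes[s]) &&
			    !aligned_after_fix(off, MODEL_IP_ALIGN, sizes[s]))
				return true;
	return false;
}

int main(void)
{
	static const int sizes[] = { 1, 2, 4 };

	printf("size  before  after  (offsets 0..%d)\n", MODEL_OFFSETS - 1);
	for (unsigned int s = 0; s < sizeof(sizes) / sizeof(sizes[0]); s++)
		printf("%4d  %6d  %5d\n", sizes[s],
		       count_fast_path(aligned_before_fix, sizes[s]),
		       count_fast_path(aligned_after_fix, sizes[s]));

	printf("old clause admits a misaligned load: %s\n",
	       old_clause_admits_misaligned() ? "yes" : "no");
	return 0;
}
```

In this model the old clause only ever accepts offset 0, and never for 4-byte loads, which matches the changelog's "almost never be taken"; it is stricter than the fixed clause rather than looser, so the cost was the slow path, not an unaligned access.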
* [PATCH 6.1 623/969] bpf: allow UTF-8 literals in bpf_bprintf_prepare()
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yihan Ding, Paul Chaignon,
Alexei Starovoitov, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yihan Ding <dingyihan@uniontech.com>
[ Upstream commit b960430ea8862ef37ce53c8bf74a8dc79d3f2404 ]
bpf_bprintf_prepare() only needs ASCII parsing for conversion
specifiers. Plain text can safely carry bytes >= 0x80, so allow
UTF-8 literals outside '%' sequences while keeping ASCII control
bytes rejected and format specifiers ASCII-only.
This keeps existing parsing rules for format directives unchanged,
while allowing helpers such as bpf_trace_printk() to emit UTF-8
literal text.
Update test_snprintf_negative() in the same commit so selftests keep
matching the new plain-text vs format-specifier split during bisection.
Fixes: 48cac3f4a96d ("bpf: Implement formatted output helpers with bstr_printf")
Signed-off-by: Yihan Ding <dingyihan@uniontech.com>
Acked-by: Paul Chaignon <paul.chaignon@gmail.com>
Link: https://lore.kernel.org/r/20260416120142.1420646-2-dingyihan@uniontech.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/helpers.c | 17 ++++++++++++++++-
.../testing/selftests/bpf/prog_tests/snprintf.c | 3 ++-
2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
index be9dc396537f1..a19524c672012 100644
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -840,7 +840,13 @@ int bpf_bprintf_prepare(char *fmt, u32 fmt_size, const u64 *raw_args,
data->buf = buffers->buf;
for (i = 0; i < fmt_size; i++) {
- if ((!isprint(fmt[i]) && !isspace(fmt[i])) || !isascii(fmt[i])) {
+ unsigned char c = fmt[i];
+
+ /*
+ * Permit bytes >= 0x80 in plain text so UTF-8 literals can pass
+ * through unchanged, while still rejecting ASCII control bytes.
+ */
+ if (isascii(c) && !isprint(c) && !isspace(c)) {
err = -EINVAL;
goto out;
}
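Review bot: the new condition `isascii(c) && !isprint(c) && !isspace(c)` lets every byte >= 0x80 through, not only well-formed UTF-8, so the comment's "UTF-8 literals" reads narrower than what the code accepts. Suggest wording the comment to say that bytes >= 0x80 are passed through unvalidated, so that anything consuming the formatted output does not assume valid UTF-8. Taking the byte through `unsigned char c` before the ctype calls is the right move.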
@@ -862,6 +868,15 @@ int bpf_bprintf_prepare(char *fmt, u32 fmt_size, const u64 *raw_args,
* always access fmt[i + 1], in the worst case it will be a 0
*/
i++;
+ c = fmt[i];
+ /*
+ * The format parser below only understands ASCII conversion
+ * specifiers and modifiers, so reject non-ASCII after '%'.
+ */
+ if (!isascii(c)) {
+ err = -EINVAL;
+ goto out;
+ }
/* skip optional "[0 +-][num]" width formatting field */
while (fmt[i] == '0' || fmt[i] == '+' || fmt[i] == '-' ||
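Review bot: the `!isascii(c)` test runs once, on the byte immediately after '%', before the "[0 +-][num]" width loop. Bytes that follow flags, a width or a length modifier are not covered by it and depend on the parser below rejecting them, which is not visible in this hunk. Either say so in the comment or repeat the check on the byte that the specifier switch finally consumes.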
diff --git a/tools/testing/selftests/bpf/prog_tests/snprintf.c b/tools/testing/selftests/bpf/prog_tests/snprintf.c
index 4be6fdb78c6a1..20a3c622bd28a 100644
--- a/tools/testing/selftests/bpf/prog_tests/snprintf.c
+++ b/tools/testing/selftests/bpf/prog_tests/snprintf.c
@@ -114,7 +114,8 @@ static void test_snprintf_negative(void)
ASSERT_ERR(load_single_snprintf("%--------"), "invalid specifier 5");
ASSERT_ERR(load_single_snprintf("%lc"), "invalid specifier 6");
ASSERT_ERR(load_single_snprintf("%llc"), "invalid specifier 7");
- ASSERT_ERR(load_single_snprintf("\x80"), "non ascii character");
+ ASSERT_OK(load_single_snprintf("\x80"), "non ascii plain text");
+ ASSERT_ERR(load_single_snprintf("%\x80"), "non ascii in specifier");
ASSERT_ERR(load_single_snprintf("\x1"), "non printable character");
}
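Review bot: `"\x80"` on its own is a lone continuation byte, so the new ASSERT_OK shows that high bytes pass but not that a real multi-byte literal survives next to a conversion. Consider adding a positive case with a multi-byte UTF-8 literal followed by a specifier, and a negative case with a non-ASCII byte after a width or modifier, since the added `"%\x80"` case only covers the byte directly after '%'.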
--
2.53.0
* [PATCH 6.1 624/969] bpf, arm32: Reject BPF-to-BPF calls and callbacks in the JIT
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Borkmann, Jonas Rebmann,
Puranjay Mohan, Emil Tsalapatis, Alexei Starovoitov, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Puranjay Mohan <puranjay@kernel.org>
[ Upstream commit e1d486445af3c392628532229f7ce5f5cf7891b6 ]
The ARM32 BPF JIT does not support BPF-to-BPF function calls
(BPF_PSEUDO_CALL) or callbacks (BPF_PSEUDO_FUNC), but it does
not reject them either.
When a program with subprograms is loaded (e.g. libxdp's XDP
dispatcher uses __noinline__ subprograms, or any program using
callbacks like bpf_loop or bpf_for_each_map_elem), the verifier
invokes bpf_jit_subprogs() which calls bpf_int_jit_compile()
for each subprogram.
For BPF_PSEUDO_CALL, since ARM32 does not reject it, the JIT
silently emits code using the wrong address computation:
func = __bpf_call_base + imm
where imm is a pc-relative subprogram offset, producing a bogus
function pointer.
For BPF_PSEUDO_FUNC, the ldimm64 handler ignores src_reg and
loads the immediate as a normal 64-bit value without error.
In both cases, build_body() reports success and a JIT image is
allocated. ARM32 lacks the jit_data/extra_pass mechanism needed
for the second JIT pass in bpf_jit_subprogs(). On the second
pass, bpf_int_jit_compile() performs a full fresh compilation,
allocating a new JIT binary and overwriting prog->bpf_func. The
first allocation is never freed. bpf_jit_subprogs() then detects
the function pointer changed and aborts with -ENOTSUPP, but the
original JIT binary has already been leaked. Each program
load/unload cycle leaks one JIT binary allocation, as reported
by kmemleak:
unreferenced object 0xbf0a1000 (size 4096):
backtrace:
bpf_jit_binary_alloc+0x64/0xfc
bpf_int_jit_compile+0x14c/0x348
bpf_jit_subprogs+0x4fc/0xa60
Fix this by rejecting both BPF_PSEUDO_CALL in the BPF_CALL
handler and BPF_PSEUDO_FUNC in the BPF_LD_IMM64 handler, falling
through to the existing 'notyet' path. This causes build_body()
to fail before any JIT binary is allocated, so
bpf_int_jit_compile() returns the original program unjitted.
bpf_jit_subprogs() then sees !prog->jited and cleanly falls
back to the interpreter with no leak.
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Fixes: 1c2a088a6626 ("bpf: x64: add JIT support for multi-function programs")
Reported-by: Jonas Rebmann <jre@pengutronix.de>
Closes: https://lore.kernel.org/bpf/b63e9174-7a3d-4e22-8294-16df07a4af89@pengutronix.de
Tested-by: Jonas Rebmann <jre@pengutronix.de>
Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
Link: https://lore.kernel.org/r/20260417143353.838911-1-puranjay@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/net/bpf_jit_32.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/arch/arm/net/bpf_jit_32.c b/arch/arm/net/bpf_jit_32.c
index 6a1c9fca5260b..2292245cfe7a9 100644
--- a/arch/arm/net/bpf_jit_32.c
+++ b/arch/arm/net/bpf_jit_32.c
@@ -1594,6 +1594,9 @@ static int build_insn(const struct bpf_insn *insn, struct jit_ctx *ctx)
{
u64 val = (u32)imm | (u64)insn[1].imm << 32;
+ if (insn->src_reg == BPF_PSEUDO_FUNC)
+ goto notyet;
+
emit_a32_mov_i64(dst, val, ctx);
return 1;
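Review bot: the `goto notyet` for `insn->src_reg == BPF_PSEUDO_FUNC` carries no comment, so in the source it reads like a leftover rather than a deliberate rejection. A one-line comment that callbacks are not supported by this JIT and that failing here is what avoids the leaked image described in the changelog would keep it from being "cleaned up" later.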
@@ -1785,6 +1788,9 @@ static int build_insn(const struct bpf_insn *insn, struct jit_ctx *ctx)
const s8 *r5 = bpf2a32[BPF_REG_5];
const u32 func = (u32)__bpf_call_base + (u32)imm;
+ if (insn->src_reg == BPF_PSEUDO_CALL)
+ goto notyet;
+
emit_a32_mov_r64(true, r0, r1, ctx);
emit_a32_mov_r64(true, r1, r2, ctx);
emit_push_r64(r5, ctx);
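Review bot: `const u32 func = (u32)__bpf_call_base + (u32)imm;` is still evaluated ahead of the new BPF_PSEUDO_CALL test, and that is exactly the computation the changelog calls bogus when imm is a pc-relative subprogram offset. It is harmless because `func` is unused after `goto notyet`, but a comment on the check saying `func` is only meaningful for helper calls would stop a later reader from assuming it is valid at that point.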
--
2.53.0
* [PATCH 6.1 625/969] pinctrl: pinctrl-pic32: Fix resource leak
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ethan Tidmore, Linus Walleij,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ethan Tidmore <ethantidmore06@gmail.com>
[ Upstream commit fe5560688f3ba98364c7de7b4f8dc240ffd1ff75 ]
Fix three possible resource leaks by using the devres version of
clk_prepare_enable(). Also, update error message accordingly.
Detected by Smatch:
drivers/pinctrl/pinctrl-pic32.c:2211 pic32_pinctrl_probe() warn:
'pctl->clk' from clk_prepare_enable() not released on lines: 2208.
drivers/pinctrl/pinctrl-pic32.c:2274 pic32_gpio_probe() warn:
'bank->clk' from clk_prepare_enable() not released on lines: 2264,2272.
Fixes: 2ba384e6c3810 ("pinctrl: pinctrl-pic32: Add PIC32 pin control driver")
Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/pinctrl-pic32.c | 20 ++++----------------
1 file changed, 4 insertions(+), 16 deletions(-)
diff --git a/drivers/pinctrl/pinctrl-pic32.c b/drivers/pinctrl/pinctrl-pic32.c
index 37acfdfc2cae0..ee9082a499c5f 100644
--- a/drivers/pinctrl/pinctrl-pic32.c
+++ b/drivers/pinctrl/pinctrl-pic32.c
@@ -2162,16 +2162,10 @@ static int pic32_pinctrl_probe(struct platform_device *pdev)
if (IS_ERR(pctl->reg_base))
return PTR_ERR(pctl->reg_base);
- pctl->clk = devm_clk_get(&pdev->dev, NULL);
+ pctl->clk = devm_clk_get_enabled(&pdev->dev, NULL);
if (IS_ERR(pctl->clk)) {
ret = PTR_ERR(pctl->clk);
- dev_err(&pdev->dev, "clk get failed\n");
- return ret;
- }
-
- ret = clk_prepare_enable(pctl->clk);
- if (ret) {
- dev_err(&pdev->dev, "clk enable failed\n");
+ dev_err(&pdev->dev, "Failed to get and enable clock\n");
return ret;
}
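Review bot: the merged message "Failed to get and enable clock" in pic32_pinctrl_probe() no longer says which step failed and still does not print the error code. `return dev_err_probe(&pdev->dev, PTR_ERR(pctl->clk), ...)` would log the code and drop the separate `ret` assignment. For 6.1.y it is also worth confirming that devm_clk_get_enabled() is present in the tree, since the hunk depends on it.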
@@ -2227,16 +2221,10 @@ static int pic32_gpio_probe(struct platform_device *pdev)
if (irq < 0)
return irq;
- bank->clk = devm_clk_get(&pdev->dev, NULL);
+ bank->clk = devm_clk_get_enabled(&pdev->dev, NULL);
if (IS_ERR(bank->clk)) {
ret = PTR_ERR(bank->clk);
- dev_err(&pdev->dev, "clk get failed\n");
- return ret;
- }
-
- ret = clk_prepare_enable(bank->clk);
- if (ret) {
- dev_err(&pdev->dev, "clk enable failed\n");
+ dev_err(&pdev->dev, "Failed to get and enable clock\n");
return ret;
}
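Review bot: the diffstat (4 insertions, 16 deletions) is fully accounted for by the two hunks shown, so no clk_disable_unprepare() call elsewhere in the driver was removed alongside this conversion in pic32_gpio_probe(). Please confirm there is none on a remove or later error path, otherwise the devres release would disable bank->clk a second time.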
--
2.53.0
* [PATCH 6.1 626/969] pinctrl: cy8c95x0: remove duplicate error message
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Linus Walleij,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit 970dacb3b9f0fedbbbcfd7dbf1f4f22340b3f359 ]
The pin control core is covered to report any error via message.
The devm_request_threaded_irq() already prints an error message.
Remove the duplicates.
While at it, drop the info message as the same information about
an IRQ in use can be retrieved differently.
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Stable-dep-of: 5ad32c3607cf ("pinctrl: cy8c95x0: Avoid returning positive values to user space")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/pinctrl-cy8c95x0.c | 21 +++++----------------
1 file changed, 5 insertions(+), 16 deletions(-)
diff --git a/drivers/pinctrl/pinctrl-cy8c95x0.c b/drivers/pinctrl/pinctrl-cy8c95x0.c
index f7c8ae9808133..c60886d804ce0 100644
--- a/drivers/pinctrl/pinctrl-cy8c95x0.c
+++ b/drivers/pinctrl/pinctrl-cy8c95x0.c
@@ -1206,6 +1206,7 @@ static int cy8c95x0_irq_setup(struct cy8c95x0_pinctrl *chip, int irq)
{
struct gpio_irq_chip *girq = &chip->gpio_chip.irq;
DECLARE_BITMAP(pending_irqs, MAX_LINE);
+ struct device *dev = chip->dev;
int ret;
mutex_init(&chip->irq_lock);
@@ -1232,17 +1233,9 @@ static int cy8c95x0_irq_setup(struct cy8c95x0_pinctrl *chip, int irq)
girq->handler = handle_simple_irq;
girq->threaded = true;
- ret = devm_request_threaded_irq(chip->dev, irq,
- NULL, cy8c95x0_irq_handler,
- IRQF_ONESHOT | IRQF_SHARED,
- dev_name(chip->dev), chip);
- if (ret) {
- dev_err(chip->dev, "failed to request irq %d\n", irq);
- return ret;
- }
- dev_info(chip->dev, "Registered threaded IRQ\n");
-
- return 0;
+ return devm_request_threaded_irq(dev, irq, NULL, cy8c95x0_irq_handler,
+ IRQF_ONESHOT | IRQF_SHARED,
+ dev_name(chip->dev), chip);
}
static int cy8c95x0_setup_pinctrl(struct cy8c95x0_pinctrl *chip)
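Review bot: the rewritten devm_request_threaded_irq() call passes the new local `dev` as its first argument but still uses `dev_name(chip->dev)` two lines later. Use `dev_name(dev)` for consistency, since the local was introduced in this patch for this function.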
@@ -1258,11 +1251,7 @@ static int cy8c95x0_setup_pinctrl(struct cy8c95x0_pinctrl *chip)
pd->owner = THIS_MODULE;
chip->pctldev = devm_pinctrl_register(chip->dev, pd, chip);
- if (IS_ERR(chip->pctldev))
- return dev_err_probe(chip->dev, PTR_ERR(chip->pctldev),
- "can't register controller\n");
-
- return 0;
+ return PTR_ERR_OR_ZERO(chip->pctldev);
}
static int cy8c95x0_detect(struct i2c_client *client,
--
2.53.0
* [PATCH 6.1 627/969] pinctrl: cy8c95x0: Unify messages with help of dev_err_probe()
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Linus Walleij,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit 014884732095b982412d13d3220c3fe8483b9b3e ]
Unify error messages that might appear during probe phase by
switching to use dev_err_probe().
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Stable-dep-of: 5ad32c3607cf ("pinctrl: cy8c95x0: Avoid returning positive values to user space")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/pinctrl-cy8c95x0.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/drivers/pinctrl/pinctrl-cy8c95x0.c b/drivers/pinctrl/pinctrl-cy8c95x0.c
index c60886d804ce0..01f3c74f3dfa4 100644
--- a/drivers/pinctrl/pinctrl-cy8c95x0.c
+++ b/drivers/pinctrl/pinctrl-cy8c95x0.c
@@ -1215,10 +1215,8 @@ static int cy8c95x0_irq_setup(struct cy8c95x0_pinctrl *chip, int irq)
/* Read IRQ status register to clear all pending interrupts */
ret = cy8c95x0_irq_pending(chip, pending_irqs);
- if (ret) {
- dev_err(chip->dev, "failed to clear irq status register\n");
- return ret;
- }
+ if (ret)
+ return dev_err_probe(dev, ret, "failed to clear irq status register\n");
/* Mask all interrupts */
bitmap_fill(chip->irq_mask, MAX_LINE);
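Review bot: the added call passes `dev` where the removed dev_err() used `chip->dev`, and nothing in this hunk shows a local `dev` in cy8c95x0_irq_setup(); for the 6.1.y backport, confirm that variable exists in the function or pass `chip->dev`. The call also still forwards `ret` unchanged, so any non-zero value from cy8c95x0_irq_pending() becomes the return value of the setup path; the Stable-dep-of tag points at the follow-up that changes this, so the two patches need to land together.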
--
2.53.0
* [PATCH 6.1 628/969] pinctrl: cy8c95x0: Avoid returning positive values to user space
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Dan Carpenter,
Andy Shevchenko, Linus Walleij, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit 5ad32c3607cf241a1a2680cabd64cbcd757227aa ]
When probe fails due to unclear interrupt status register, it returns
a positive number instead of the proper error code. Fix this accordingly.
Fixes: e6cbbe42944d ("pinctrl: Add Cypress cy8c95x0 support")
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/r/202602271847.vVWkqLBD-lkp@intel.com/
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/pinctrl-cy8c95x0.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pinctrl/pinctrl-cy8c95x0.c b/drivers/pinctrl/pinctrl-cy8c95x0.c
index 01f3c74f3dfa4..e4e8f744d27cb 100644
--- a/drivers/pinctrl/pinctrl-cy8c95x0.c
+++ b/drivers/pinctrl/pinctrl-cy8c95x0.c
@@ -1216,7 +1216,7 @@ static int cy8c95x0_irq_setup(struct cy8c95x0_pinctrl *chip, int irq)
/* Read IRQ status register to clear all pending interrupts */
ret = cy8c95x0_irq_pending(chip, pending_irqs);
if (ret)
- return dev_err_probe(dev, ret, "failed to clear irq status register\n");
+ return dev_err_probe(dev, -EBUSY, "failed to clear irq status register\n");
/* Mask all interrupts */
bitmap_fill(chip->irq_mask, MAX_LINE);
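Review bot: `if (ret)` fires for any non-zero result, so replacing `ret` with a fixed -EBUSY also overwrites a negative errno if cy8c95x0_irq_pending() can return one. If it can, something like `ret < 0 ? ret : -EBUSY` keeps the original error; if it never returns a negative value, a short comment saying so would explain why the value is discarded.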
--
2.53.0
* [PATCH 6.1 629/969] perf branch: Avoid incrementing NULL
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ian Rogers, Namhyung Kim,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Rogers <irogers@google.com>
[ Upstream commit c969a9d7bbf46f983c4a48566b3b2f7340b02296 ]
If the entry is NULL the value is meaningless so early return NULL to
avoid an increment of NULL. This was happening in calls from
has_stitched_lbr when running the "perf record LBR tests". The return
value isn't used in that case, so returning NULL has no effect.
Fixes: 42bbabed09ce ("perf tools: Add hw_idx in struct branch_stack")
Signed-off-by: Ian Rogers <irogers@google.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/branch.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/tools/perf/util/branch.h b/tools/perf/util/branch.h
index dca75cad96f68..c99b389fac1e1 100644
--- a/tools/perf/util/branch.h
+++ b/tools/perf/util/branch.h
@@ -66,6 +66,9 @@ static inline struct branch_entry *perf_sample__branch_entries(struct perf_sampl
{
u64 *entry = (u64 *)sample->branch_stack;
+ if (entry == NULL)
+ return NULL;
+
entry++;
if (sample->no_hw_idx)
return (struct branch_entry *)entry;
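Review bot: with the early return at the top of perf_sample__branch_entries(), the helper can now hand NULL back to every caller, not only has_stitched_lbr named in the commit message. Callers that index the result should be checked for a prior `sample->branch_stack` test, and a one-line comment above the function documenting the NULL return would help.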
--
2.53.0
* [PATCH 6.1 630/969] perf: tools: cs-etm: Fix print issue for Coresight debug in ETE/TRBE trace
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Leo Yan, Mike Leach, Namhyung Kim,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mike Leach <mike.leach@arm.com>
[ Upstream commit 6c478e7b3eba3f387a2d6c749e3e3ee0f8ad1c53 ]
Building perf with CORESIGHT=1 and the optional CSTRACE_RAW=1 enables
additional debug printing of raw trace data when using command:-
perf report --dump.
This raw trace prints the CoreSight formatted trace frames, which may be
used to investigate suspected issues with trace quality / corruption /
decode.
These frames are not present in ETE + TRBE trace.
This fix removes the unnecessary call to print these frames.
This fix also rationalises implementation - original code had helper
function that unnecessarily repeated initialisation calls that had
already been made.
Due to an additional fault with the OpenCSD library, this call when ETE/TRBE
are being decoded will cause a segfault in perf. This fix also prevents
that problem for perf using older (<= 1.8.0 version) OpenCSD libraries.
Fixes: 68ffe3902898 ("perf tools: Add decoder mechanic to support dumping trace data")
Reported-by: Leo Yan <leo.yan@arm.com>
Signed-off-by: Mike Leach <mike.leach@arm.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../perf/util/cs-etm-decoder/cs-etm-decoder.c | 51 +++++--------------
1 file changed, 13 insertions(+), 38 deletions(-)
diff --git a/tools/perf/util/cs-etm-decoder/cs-etm-decoder.c b/tools/perf/util/cs-etm-decoder/cs-etm-decoder.c
index 31fa3b45134a2..fc74a95a23faf 100644
--- a/tools/perf/util/cs-etm-decoder/cs-etm-decoder.c
+++ b/tools/perf/util/cs-etm-decoder/cs-etm-decoder.c
@@ -214,46 +214,24 @@ cs_etm_decoder__init_def_logger_printing(struct cs_etm_decoder_params *d_params,
(void *)decoder,
cs_etm_decoder__print_str_cb);
if (ret != 0)
- ret = -1;
-
- return 0;
-}
+ return -1;
#ifdef CS_LOG_RAW_FRAMES
-static void
-cs_etm_decoder__init_raw_frame_logging(struct cs_etm_decoder_params *d_params,
- struct cs_etm_decoder *decoder)
-{
- /* Only log these during a --dump operation */
- if (d_params->operation == CS_ETM_OPERATION_PRINT) {
- /* set up a library default logger to process the
- * raw frame printer we add later
- */
- ocsd_def_errlog_init(OCSD_ERR_SEV_ERROR, 1);
-
- /* no stdout / err / file output */
- ocsd_def_errlog_config_output(C_API_MSGLOGOUT_FLG_NONE, NULL);
-
- /* set the string CB for the default logger,
- * passes strings to perf print logger.
- */
- ocsd_def_errlog_set_strprint_cb(decoder->dcd_tree,
- (void *)decoder,
- cs_etm_decoder__print_str_cb);
-
+ /*
+ * Only log raw frames if --dump operation and hardware is actually
+ * generating formatted CoreSight trace frames
+ */
+ if ((d_params->operation == CS_ETM_OPERATION_PRINT) &&
+ (d_params->formatted == true)) {
/* use the built in library printer for the raw frames */
- ocsd_dt_set_raw_frame_printer(decoder->dcd_tree,
- CS_RAW_DEBUG_FLAGS);
+ ret = ocsd_dt_set_raw_frame_printer(decoder->dcd_tree,
+ CS_RAW_DEBUG_FLAGS);
+ if (ret != 0)
+ return -1;
}
-}
-#else
-static void
-cs_etm_decoder__init_raw_frame_logging(
- struct cs_etm_decoder_params *d_params __maybe_unused,
- struct cs_etm_decoder *decoder __maybe_unused)
-{
-}
#endif
+ return 0;
+}
static ocsd_datapath_resp_t
cs_etm_decoder__do_soft_timestamp(struct cs_etm_queue *etmq,
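Review bot: the result of ocsd_dt_set_raw_frame_printer() is now checked (`if (ret != 0) return -1;`), whereas the removed cs_etm_decoder__init_raw_frame_logging() ignored it, so a printer setup failure now fails logger init during --dump; that behaviour change deserves a line in the commit message. The first branch changes in the same way, from `ret = -1;` followed by `return 0;` to `return -1;`. Style: `(d_params->formatted == true)` can be just `d_params->formatted`, and collapsing both error paths to -1 loses which call failed.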
@@ -716,9 +694,6 @@ cs_etm_decoder__new(int decoders, struct cs_etm_decoder_params *d_params,
if (ret != 0)
goto err_free_decoder;
- /* init raw frame logging if required */
- cs_etm_decoder__init_raw_frame_logging(d_params, decoder);
-
for (i = 0; i < decoders; i++) {
ret = cs_etm_decoder__create_etm_decoder(d_params,
&t_params[i],
--
2.53.0
* [PATCH 6.1 631/969] pinctrl: abx500: Fix type of argument variable
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yu-Chun Lin, Linus Walleij,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yu-Chun Lin <eleanor15x@gmail.com>
[ Upstream commit 34006f77890d050e6d80cbee365b5d703c1140b4 ]
The argument variable is assigned the return value of
pinconf_to_config_argument(), which returns a u32. Change its type from
enum pin_config_param to unsigned int to correctly store the configuration
argument.
Fixes: 03b054e9696c ("pinctrl: Pass all configs to driver on pin_config_set()")
Signed-off-by: Yu-Chun Lin <eleanor15x@gmail.com>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/nomadik/pinctrl-abx500.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pinctrl/nomadik/pinctrl-abx500.c b/drivers/pinctrl/nomadik/pinctrl-abx500.c
index 7aa534576a459..609313d93e31a 100644
--- a/drivers/pinctrl/nomadik/pinctrl-abx500.c
+++ b/drivers/pinctrl/nomadik/pinctrl-abx500.c
@@ -850,7 +850,7 @@ static int abx500_pin_config_set(struct pinctrl_dev *pctldev,
int ret = -EINVAL;
int i;
enum pin_config_param param;
- enum pin_config_param argument;
+ unsigned int argument;
for (i = 0; i < num_configs; i++) {
param = pinconf_to_config_param(configs[i]);
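Review bot: the commit message says pinconf_to_config_argument() returns a u32, so declaring `argument` as `u32` rather than `unsigned int` would match the source type exactly. Either is correct here; matching the helper's return type saves the next reader a second look.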
--
2.53.0
* [PATCH 6.1 632/969] perf expr: Return -EINVAL for syntax error in expr__find_ids()
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Leo Yan, Ian Rogers, Namhyung Kim,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Leo Yan <leo.yan@arm.com>
[ Upstream commit 3a61fd866ef9aaa1d3158b460f852b74a2df07f4 ]
expr__find_ids() propagates the parser return value directly. For syntax
errors, the parser can return a positive value, but callers treat it as
success, e.g., for below case on Arm64 platform:
metric expr 100 * (STALL_SLOT_BACKEND / (CPU_CYCLES * #slots) - BR_MIS_PRED * 3 / CPU_CYCLES) for backend_bound
parsing metric: 100 * (STALL_SLOT_BACKEND / (CPU_CYCLES * #slots) - BR_MIS_PRED * 3 / CPU_CYCLES)
Failure to read '#slots' literal: #slots = nan
syntax error
Convert positive parser returns in expr__find_ids() to -EINVAL, as a
result, the error value will be respected by callers.
Before:
perf stat -C 5
Failure to read '#slots'Failure to read '#slots'Failure to read '#slots'Failure to read '#slots'Segmentation fault
After:
perf stat -C 5
Failure to read '#slots'Cannot find metric or group `Default'
Fixes: ded80bda8bc9 ("perf expr: Migrate expr ids table to a hashmap")
Signed-off-by: Leo Yan <leo.yan@arm.com>
Reviewed-by: Ian Rogers <irogers@google.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/expr.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tools/perf/util/expr.c b/tools/perf/util/expr.c
index aaacf514dc09c..2afd561a7aab9 100644
--- a/tools/perf/util/expr.c
+++ b/tools/perf/util/expr.c
@@ -380,7 +380,8 @@ int expr__find_ids(const char *expr, const char *one,
if (one)
expr__del_id(ctx, one);
- return ret;
+ /* A positive value means syntax error, convert to -EINVAL */
+ return ret > 0 ? -EINVAL : ret;
}
double expr_id_data__value(const struct expr_id_data *data)
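Review bot: the new return maps every positive value to -EINVAL, while the added comment asserts that a positive value always means a syntax error. If the parser has any other positive return (a resource failure, for example), it will be reported as a syntax error; either narrow the comment or map the known codes separately. The assignment to `ret` is outside this hunk, so also confirm nothing between the parse call and this line can leave it positive for another reason.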
--
2.53.0
* [PATCH 6.1 633/969] perf util: Kill die() prototype, dead for a long time
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ian Rogers, Arnaldo Carvalho de Melo,
Namhyung Kim, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnaldo Carvalho de Melo <acme@redhat.com>
[ Upstream commit e5cce1b9c82fbd48e2f1f7a25a9fad8ee228176f ]
In fef2a735167a827a ("perf tools: Kill die()") the die() function was
removed, but not the prototype in util.h, now when building with
LIBPERL=1, during a 'make -C tools/perf build-test' routine test, it is
failing as perl likes die() calls and then this clashes with this
remnant, remove it.
Fixes: fef2a735167a827a ("perf tools: Kill die()")
Reviewed-by: Ian Rogers <irogers@google.com>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/util.h | 1 -
1 file changed, 1 deletion(-)
diff --git a/tools/perf/util/util.h b/tools/perf/util/util.h
index c1f2d423a9ecb..bdb6d5e7102db 100644
--- a/tools/perf/util/util.h
+++ b/tools/perf/util/util.h
@@ -17,7 +17,6 @@
/* General helper functions */
void usage(const char *err) __noreturn;
-void die(const char *err, ...) __noreturn __printf(1, 2);
struct dirent;
struct strlist;
--
2.53.0
* [PATCH 6.1 634/969] i3c: mipi-i3c-hci: fix IBI payload length calculation for final status
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Billy Tsai, Frank Li,
Alexandre Belloni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Billy Tsai <billy_tsai@aspeedtech.com>
[ Upstream commit d35a6db887eeae7c57b719521e39d64f929c6dc3 ]
In DMA mode, the IBI status descriptor encodes the payload using
CHUNKS (number of chunks) and DATA_LENGTH (valid bytes in the last
chunk). All preceding chunks are implicitly full-sized.
The current code accumulates full chunk sizes for non-final status
descriptors, but for the final status descriptor it only adds
DATA_LENGTH. This ignores the contribution of the preceding full
chunks described by the same final status entry.
As a result, the computed IBI payload length is truncated whenever
the final status spans multiple chunks. For example, with a chunk
size of 4 bytes, CHUNKS=2 and DATA_LENGTH=1 should result in a total
payload size of 5 bytes, but the current code reports only 1 byte.
Fix the calculation by adding the size of (CHUNKS - 1) full chunks
plus DATA_LENGTH for the last chunk.
Fixes: 9ad9a52cce28 ("i3c/master: introduce the mipi-i3c-hci driver")
Signed-off-by: Billy Tsai <billy_tsai@aspeedtech.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20260407-i3c-hci-dma-v2-1-a583187b9d22@aspeedtech.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i3c/master/mipi-i3c-hci/dma.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/i3c/master/mipi-i3c-hci/dma.c b/drivers/i3c/master/mipi-i3c-hci/dma.c
index e270fcd0f7c38..624d00b853a51 100644
--- a/drivers/i3c/master/mipi-i3c-hci/dma.c
+++ b/drivers/i3c/master/mipi-i3c-hci/dma.c
@@ -636,7 +636,10 @@ static void hci_dma_process_ibi(struct i3c_hci *hci, struct hci_rh_data *rh)
if (!(ibi_status & IBI_LAST_STATUS)) {
ibi_size += chunks * rh->ibi_chunk_sz;
} else {
- ibi_size += FIELD_GET(IBI_DATA_LENGTH, ibi_status);
+ if (chunks) {
+ ibi_size += (chunks - 1) * rh->ibi_chunk_sz;
+ ibi_size += FIELD_GET(IBI_DATA_LENGTH, ibi_status);
+ }
last_ptr = ptr;
break;
}
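Review bot: in the IBI_LAST_STATUS branch, `if (chunks)` now guards the DATA_LENGTH add as well, so a final status with CHUNKS == 0 contributes nothing, where the old code added DATA_LENGTH unconditionally. If the hardware can report CHUNKS == 0 with a non-zero DATA_LENGTH, that payload is silently dropped; if it cannot, a comment stating that CHUNKS == 0 means no data would document the guard. The hunk also has no check that DATA_LENGTH is at most `rh->ibi_chunk_sz`, so the computed `ibi_size` trusts the descriptor value as-is.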
--
2.53.0
* [PATCH 6.1 635/969] driver core: device.h: remove extern from function prototypes
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit f43243c66e5e9ad839d235f82a58e73a7e7612af ]
The kernel coding style does not require 'extern' in function prototypes
in .h files, so remove them from include/linux/device.h as they are not
needed.
Acked-by: Rafael J. Wysocki <rafael@kernel.org>
Link: https://lore.kernel.org/r/20230324122711.2664537-1-gregkh@linuxfoundation.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 797cc011ae02 ("backlight: sky81452-backlight: Check return value of devm_gpiod_get_optional() in sky81452_bl_parse_dt()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/device.h | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/include/linux/device.h b/include/linux/device.h
index 98e4a0d01e5a4..428c96ce6b4c4 100644
--- a/include/linux/device.h
+++ b/include/linux/device.h
@@ -1149,8 +1149,7 @@ void device_links_supplier_sync_state_pause(void);
void device_links_supplier_sync_state_resume(void);
void device_link_wait_removal(void);
-extern __printf(3, 4)
-int dev_err_probe(const struct device *dev, int err, const char *fmt, ...);
+__printf(3, 4) int dev_err_probe(const struct device *dev, int err, const char *fmt, ...);
/* Create alias, so I can be autoloaded. */
#define MODULE_ALIAS_CHARDEV(major,minor) \
--
2.53.0
* [PATCH 6.1 636/969] driver core: Move dev_err_probe() to where it belogs
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Andi Shyti,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit 9e0cace7a6254070159ebd86497eadc29ea307ca ]
dev_err_probe() belongs to the printing API, hence
move the definition from device.h to dev_printk.h.
There is no change to the callers at all, since:
1) implementation is located in the same core.c;
2) dev_printk.h is guaranteed to be included by device.h.
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/20230721131309.16821-1-andriy.shevchenko@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 797cc011ae02 ("backlight: sky81452-backlight: Check return value of devm_gpiod_get_optional() in sky81452_bl_parse_dt()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/dev_printk.h | 2 ++
include/linux/device.h | 2 --
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/linux/dev_printk.h b/include/linux/dev_printk.h
index 65eec5be8ccb9..ae80a303c216b 100644
--- a/include/linux/dev_printk.h
+++ b/include/linux/dev_printk.h
@@ -275,4 +275,6 @@ do { \
WARN_ONCE(condition, "%s %s: " format, \
dev_driver_string(dev), dev_name(dev), ## arg)
+__printf(3, 4) int dev_err_probe(const struct device *dev, int err, const char *fmt, ...);
+
#endif /* _DEVICE_PRINTK_H_ */
diff --git a/include/linux/device.h b/include/linux/device.h
index 428c96ce6b4c4..e642b366aa380 100644
--- a/include/linux/device.h
+++ b/include/linux/device.h
@@ -1149,8 +1149,6 @@ void device_links_supplier_sync_state_pause(void);
void device_links_supplier_sync_state_resume(void);
void device_link_wait_removal(void);
-__printf(3, 4) int dev_err_probe(const struct device *dev, int err, const char *fmt, ...);
-
/* Create alias, so I can be autoloaded. */
#define MODULE_ALIAS_CHARDEV(major,minor) \
MODULE_ALIAS("char-major-" __stringify(major) "-" __stringify(minor))
--
2.53.0
* [PATCH 6.1 637/969] dev_printk: add new dev_err_probe() helpers
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nuno Sa, Jonathan Cameron,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nuno Sa <nuno.sa@analog.com>
[ Upstream commit dbbe7eaf0e4795bf003ac06872aaf52b6b6b1310 ]
This is similar to dev_err_probe() but for cases where an ERR_PTR() or
ERR_CAST() is to be returned simplifying patterns like:
dev_err_probe(dev, ret, ...);
return ERR_PTR(ret)
or
dev_err_probe(dev, PTR_ERR(ptr), ...);
return ERR_CAST(ptr)
Signed-off-by: Nuno Sa <nuno.sa@analog.com>
Link: https://patch.msgid.link/20240606-dev-add_dev_errp_probe-v3-1-51bb229edd79@analog.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Stable-dep-of: 797cc011ae02 ("backlight: sky81452-backlight: Check return value of devm_gpiod_get_optional() in sky81452_bl_parse_dt()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/dev_printk.h | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/include/linux/dev_printk.h b/include/linux/dev_printk.h
index ae80a303c216b..ca32b5bb28eb5 100644
--- a/include/linux/dev_printk.h
+++ b/include/linux/dev_printk.h
@@ -277,4 +277,12 @@ do { \
__printf(3, 4) int dev_err_probe(const struct device *dev, int err, const char *fmt, ...);
+/* Simple helper for dev_err_probe() when ERR_PTR() is to be returned. */
+#define dev_err_ptr_probe(dev, ___err, fmt, ...) \
+ ERR_PTR(dev_err_probe(dev, ___err, fmt, ##__VA_ARGS__))
+
+/* Simple helper for dev_err_probe() when ERR_CAST() is to be returned. */
+#define dev_err_cast_probe(dev, ___err_ptr, fmt, ...) \
+ ERR_PTR(dev_err_probe(dev, PTR_ERR(___err_ptr), fmt, ##__VA_ARGS__))
+
#endif /* _DEVICE_PRINTK_H_ */
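Review bot: both new macros expand to ERR_PTR(), and dev_err_cast_probe() also to PTR_ERR(), but the hunk adds no include for them; confirm that dev_printk.h in 6.1.y already gets <linux/err.h>, otherwise a file that includes only this header will fail to build when it uses the helpers. The comment on dev_err_cast_probe() mentions ERR_CAST() while the body is `ERR_PTR(dev_err_probe(dev, PTR_ERR(___err_ptr), ...))`; the comment should say that this is the equivalent form.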
--
2.53.0
* [PATCH 6.1 638/969] backlight: sky81452-backlight: Check return value of devm_gpiod_get_optional() in sky81452_bl_parse_dt()
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen Ni, Linus Walleij,
Daniel Thompson (RISCstar), Lee Jones, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Ni <nichen@iscas.ac.cn>
[ Upstream commit 797cc011ae02bda26f93d25a4442d7a1a77d84df ]
The devm_gpiod_get_optional() function may return an ERR_PTR in case of
genuine GPIO acquisition errors, not just NULL which indicates the
legitimate absence of an optional GPIO.
Add an IS_ERR() check after the call in sky81452_bl_parse_dt(). On
error, return the error code to ensure proper failure handling rather
than proceeding with invalid pointers.
Fixes: e1915eec54a6 ("backlight: sky81452: Convert to GPIO descriptors")
Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
Reviewed-by: Linus Walleij <linusw@kernel.org>
Reviewed-by: Daniel Thompson (RISCstar) <danielt@kernel.org>
Link: https://patch.msgid.link/20260203021625.578678-1-nichen@iscas.ac.cn
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/backlight/sky81452-backlight.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/video/backlight/sky81452-backlight.c b/drivers/video/backlight/sky81452-backlight.c
index c95e0de7f4e70..0cf1f588a3873 100644
--- a/drivers/video/backlight/sky81452-backlight.c
+++ b/drivers/video/backlight/sky81452-backlight.c
@@ -204,6 +204,9 @@ static struct sky81452_bl_platform_data *sky81452_bl_parse_dt(
pdata->dpwm_mode = of_property_read_bool(np, "skyworks,dpwm-mode");
pdata->phase_shift = of_property_read_bool(np, "skyworks,phase-shift");
pdata->gpiod_enable = devm_gpiod_get_optional(dev, NULL, GPIOD_OUT_HIGH);
+ if (IS_ERR(pdata->gpiod_enable))
+ return dev_err_cast_probe(dev, pdata->gpiod_enable,
+ "failed to get gpio\n");
ret = of_property_count_u32_elems(np, "led-sources");
if (ret < 0) {
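Review bot: the message "failed to get gpio\n" in the new IS_ERR() branch does not say which GPIO failed; since the result is stored in `pdata->gpiod_enable`, wording such as "failed to get enable GPIO" makes the log line actionable. The branch also relies on dev_err_cast_probe(), so in 6.1.y this patch only builds with the dev_printk.h helper patch applied before it.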
--
2.53.0
* [PATCH 6.1 639/969] platform/surface: surfacepro3_button: Drop wakeup source on remove
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki,
Ilpo Järvinen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit 1410a228ab2d36fe2b383415a632ae12048d4f3a ]
The wakeup source added by device_init_wakeup() in surface_button_add()
needs to be dropped during driver removal, so update the driver to do
that.
Fixes: 19351f340765 ("platform/x86: surfacepro3: Support for wakeup from suspend-to-idle")
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://patch.msgid.link/4368848.1IzOArtZ34@rafael.j.wysocki
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/surface/surfacepro3_button.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/platform/surface/surfacepro3_button.c b/drivers/platform/surface/surfacepro3_button.c
index 242fb690dcaf7..892fb71d5916f 100644
--- a/drivers/platform/surface/surfacepro3_button.c
+++ b/drivers/platform/surface/surfacepro3_button.c
@@ -243,6 +243,7 @@ static int surface_button_remove(struct acpi_device *device)
{
struct surface_button *button = acpi_driver_data(device);
+ device_init_wakeup(&device->dev, false);
input_unregister_device(button->input);
kfree(button);
return 0;
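Review bot: `device_init_wakeup(&device->dev, false)` is added to surface_button_remove() only, while the commit message says the source is created in surface_button_add(). The add path is outside this hunk, so check that any failure in surface_button_add() after device_init_wakeup() drops the wakeup source as well; otherwise the same leak remains on a failed add.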
--
2.53.0
* [PATCH 6.1 640/969] leds: lgm-sso: Remove duplicate assignments for priv->mmap
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chen Ni, Lee Jones, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Ni <nichen@iscas.ac.cn>
[ Upstream commit 7186d0330c3f3e86de577687a82f4ebd96dcb5ac ]
Remove duplicate assignment of priv->mmap in intel_sso_led_probe().
Fixes: fba8a6f2263b ("leds: lgm-sso: Fix clock handling")
Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
Link: https://patch.msgid.link/20260226033048.3715915-1-nichen@iscas.ac.cn
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/leds/blink/leds-lgm-sso.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/leds/blink/leds-lgm-sso.c b/drivers/leds/blink/leds-lgm-sso.c
index 6f270c0272fb1..a33a97c2abb65 100644
--- a/drivers/leds/blink/leds-lgm-sso.c
+++ b/drivers/leds/blink/leds-lgm-sso.c
@@ -807,8 +807,6 @@ static int intel_sso_led_probe(struct platform_device *pdev)
priv->fpid_clkrate = clk_get_rate(priv->clocks[1].clk);
- priv->mmap = syscon_node_to_regmap(dev->of_node);
-
priv->mmap = syscon_node_to_regmap(dev->of_node);
if (IS_ERR(priv->mmap)) {
dev_err(dev, "Failed to map iomem!\n");
--
2.53.0
* [PATCH 6.1 641/969] tty: hvc_iucv: fix off-by-one in number of supported devices
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (639 preceding siblings ...)
2026-05-30 16:02 ` [PATCH 6.1 640/969] leds: lgm-sso: Remove duplicate assignments for priv->mmap Greg Kroah-Hartman
@ 2026-05-30 16:02 ` Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 642/969] platform/x86: panasonic-laptop: Fix OPTD notifier registration and cleanup Greg Kroah-Hartman
` (334 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Randy Dunlap, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Randy Dunlap <rdunlap@infradead.org>
[ Upstream commit f2a880e802ad12d1e38039d1334fb1475d0f5241 ]
MAX_HVC_IUCV_LINES == HVC_ALLOC_TTY_ADAPTERS == 8.
This is the number of entries in:
static struct hvc_iucv_private *hvc_iucv_table[MAX_HVC_IUCV_LINES];
Sometimes hvc_iucv_table[] is limited by:
(a) if (num > hvc_iucv_devices) // for error detection
or
(b) for (i = 0; i < hvc_iucv_devices; i++) // in 2 places
(so these 2 don't agree; second one appears to be correct to me.)
hvc_iucv_devices can be 0..8. This is a counter.
(c) if (hvc_iucv_devices > MAX_HVC_IUCV_LINES)
If hvc_iucv_devices == 8, (a) allows the code to access hvc_iucv_table[8].
Oops.
Fixes: 44a01d5ba8a4 ("[S390] s390/hvc_console: z/VM IUCV hypervisor console support")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Link: https://patch.msgid.link/20260130072939.1535869-1-rdunlap@infradead.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/hvc/hvc_iucv.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/tty/hvc/hvc_iucv.c b/drivers/tty/hvc/hvc_iucv.c
index 7d49a872de48a..9551269e106a4 100644
--- a/drivers/tty/hvc/hvc_iucv.c
+++ b/drivers/tty/hvc/hvc_iucv.c
@@ -130,7 +130,7 @@ static struct iucv_handler hvc_iucv_handler = {
*/
static struct hvc_iucv_private *hvc_iucv_get_private(uint32_t num)
{
- if (num > hvc_iucv_devices)
+ if (num >= hvc_iucv_devices)
return NULL;
return hvc_iucv_table[num];
}
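Review bot: the guard in hvc_iucv_get_private() still bounds num by the runtime counter hvc_iucv_devices rather than by the array itself, so its safety depends on check (c) from the commit message keeping hvc_iucv_devices within MAX_HVC_IUCV_LINES. Consider making that explicit, for example `if (num >= hvc_iucv_devices || num >= ARRAY_SIZE(hvc_iucv_table))`, or add a comment naming the invariant, so the index into hvc_iucv_table[] is visibly bounded at the point of use.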
--
2.53.0
* [PATCH 6.1 642/969] platform/x86: panasonic-laptop: Fix OPTD notifier registration and cleanup
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (640 preceding siblings ...)
2026-05-30 16:02 ` [PATCH 6.1 641/969] tty: hvc_iucv: fix off-by-one in number of supported devices Greg Kroah-Hartman
@ 2026-05-30 16:02 ` Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 643/969] mfd: mc13xxx-core: Fix memory leak in mc13xxx_add_subdevice_pdata() Greg Kroah-Hartman
` (333 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki,
Ilpo Järvinen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit 8baeff2c1d33dad8572216c6ad3a7425852507d4 ]
An ACPI notify handler is leaked if device_create_file() returns an
error in acpi_pcc_hotkey_add().
Also, it is pointless to call pcc_unregister_optd_notifier() in
acpi_pcc_hotkey_remove() if pcc->platform is NULL and it is better
to arrange the cleanup code in that function in the same order as
the rollback code in acpi_pcc_hotkey_add().
Address the above by placing the pcc_register_optd_notifier() call in
acpi_pcc_hotkey_add() after the device_create_file() return value
check and placing the pcc_unregister_optd_notifier() call in
acpi_pcc_hotkey_remove() right before the device_remove_file() call.
Fixes: d5a81d8e864b ("platform/x86: panasonic-laptop: Add support for optical driver power in Y and W series")
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://patch.msgid.link/2411055.ElGaqSPkdT@rafael.j.wysocki
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/panasonic-laptop.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/platform/x86/panasonic-laptop.c b/drivers/platform/x86/panasonic-laptop.c
index 99cbacd0cbba4..0a7c4e83cdea9 100644
--- a/drivers/platform/x86/panasonic-laptop.c
+++ b/drivers/platform/x86/panasonic-laptop.c
@@ -1081,9 +1081,10 @@ static int acpi_pcc_hotkey_add(struct acpi_device *device)
}
result = device_create_file(&pcc->platform->dev,
&dev_attr_cdpower);
- pcc_register_optd_notifier(pcc, "\\_SB.PCI0.EHCI.ERHB.OPTD");
if (result)
goto out_platform;
+
+ pcc_register_optd_notifier(pcc, "\\_SB.PCI0.EHCI.ERHB.OPTD");
} else {
pcc->platform = NULL;
}
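Review bot: pcc_register_optd_notifier() is still called as a bare statement in acpi_pcc_hotkey_add(), so a failure to install the notify handler goes unnoticed even after the reordering. If the function can report failure, either check it and unwind through a label that also removes dev_attr_cdpower, or add a comment saying that a missing OPTD notifier is tolerated.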
@@ -1117,10 +1118,10 @@ static int acpi_pcc_hotkey_remove(struct acpi_device *device)
i8042_remove_filter(panasonic_i8042_filter);
if (pcc->platform) {
+ pcc_unregister_optd_notifier(pcc, "\\_SB.PCI0.EHCI.ERHB.OPTD");
device_remove_file(&pcc->platform->dev, &dev_attr_cdpower);
platform_device_unregister(pcc->platform);
}
- pcc_unregister_optd_notifier(pcc, "\\_SB.PCI0.EHCI.ERHB.OPTD");
sysfs_remove_group(&device->dev.kobj, &pcc_attr_group);
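Review bot: the ACPI path literal "\\_SB.PCI0.EHCI.ERHB.OPTD" has to stay identical in acpi_pcc_hotkey_add() and acpi_pcc_hotkey_remove() for the unregister to match the register; a single #define used by both calls would remove that risk now that the two call sites are being touched together.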
--
2.53.0
* [PATCH 6.1 643/969] mfd: mc13xxx-core: Fix memory leak in mc13xxx_add_subdevice_pdata()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (641 preceding siblings ...)
2026-05-30 16:02 ` [PATCH 6.1 642/969] platform/x86: panasonic-laptop: Fix OPTD notifier registration and cleanup Greg Kroah-Hartman
@ 2026-05-30 16:02 ` Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 644/969] nfs/blocklayout: Fix compilation error (`make W=1`) in bl_write_pagelist() Greg Kroah-Hartman
` (332 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Abdun Nihaal, Lee Jones, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdun Nihaal <nihaal@cse.iitm.ac.in>
[ Upstream commit a5a65a7fb2f7796bbe492cd6be59c92cb64377d1 ]
The memory allocated for cell.name using kmemdup() is not freed when
mfd_add_devices() fails. Fix that by using devm_kmemdup().
Fixes: 8e00593557c3 ("mfd: Add mc13892 support to mc13xxx")
Signed-off-by: Abdun Nihaal <nihaal@cse.iitm.ac.in>
Link: https://patch.msgid.link/20260120102622.66921-1-nihaal@cse.iitm.ac.in
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mfd/mc13xxx-core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mfd/mc13xxx-core.c b/drivers/mfd/mc13xxx-core.c
index 1000572761a84..ddc90cbb7be52 100644
--- a/drivers/mfd/mc13xxx-core.c
+++ b/drivers/mfd/mc13xxx-core.c
@@ -377,7 +377,7 @@ static int mc13xxx_add_subdevice_pdata(struct mc13xxx *mc13xxx,
if (snprintf(buf, sizeof(buf), format, name) > sizeof(buf))
return -E2BIG;
- cell.name = kmemdup(buf, strlen(buf) + 1, GFP_KERNEL);
+ cell.name = devm_kmemdup(mc13xxx->dev, buf, strlen(buf) + 1, GFP_KERNEL);
if (!cell.name)
return -ENOMEM;
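Review bot: the truncation test in the context line above the change, `snprintf(buf, sizeof(buf), format, name) > sizeof(buf)`, misses the case where the return value equals sizeof(buf); snprintf() returns the length excluding the terminator, so that case is already truncated by one character and the test should use `>=`. On the changed line, devm_kmemdup() ties cell.name to mc13xxx->dev, which fixes the leak on mfd_add_devices() failure but keeps the copy allocated until the parent device is unbound; say so in the commit message if that lifetime is intended.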
--
2.53.0
* [PATCH 6.1 644/969] nfs/blocklayout: Fix compilation error (`make W=1`) in bl_write_pagelist()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (642 preceding siblings ...)
2026-05-30 16:02 ` [PATCH 6.1 643/969] mfd: mc13xxx-core: Fix memory leak in mc13xxx_add_subdevice_pdata() Greg Kroah-Hartman
@ 2026-05-30 16:02 ` Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 645/969] fs/ntfs3: terminate the cached volume label after UTF-8 conversion Greg Kroah-Hartman
` (331 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anna Schumaker, Jeff Layton,
Andy Shevchenko, Chuck Lever, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit f83c8dda456ce4863f346aa26d88efa276eda35d ]
Clang compiler is not happy about set but unused variable
(when dprintk() is no-op):
.../blocklayout/blocklayout.c:384:9: error: variable 'count' set but not used [-Werror,-Wunused-but-set-variable]
Remove a leftover from the previous cleanup.
Fixes: 3a6fd1f004fc ("pnfs/blocklayout: remove read-modify-write handling in bl_write_pagelist")
Acked-by: Anna Schumaker <anna.schumkaer@oracle.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/blocklayout/blocklayout.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/fs/nfs/blocklayout/blocklayout.c b/fs/nfs/blocklayout/blocklayout.c
index e498aade8c479..15f66d949adda 100644
--- a/fs/nfs/blocklayout/blocklayout.c
+++ b/fs/nfs/blocklayout/blocklayout.c
@@ -381,14 +381,13 @@ bl_write_pagelist(struct nfs_pgio_header *header, int sync)
sector_t isect, extent_length = 0;
struct parallel_io *par = NULL;
loff_t offset = header->args.offset;
- size_t count = header->args.count;
struct page **pages = header->args.pages;
int pg_index = header->args.pgbase >> PAGE_SHIFT;
unsigned int pg_len;
struct blk_plug plug;
int i;
- dprintk("%s enter, %zu@%lld\n", __func__, count, offset);
+ dprintk("%s enter, %u@%lld\n", __func__, header->args.count, offset);
/* At this point, header->page_aray is a (sequential) list of nfs_pages.
* We want to write each, and if there is an error set pnfs_error
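Review bot: the dprintk() conversion changes the specifier from %zu to %u along with the argument, which is only correct if header->args.count is a 32-bit unsigned field; the commit message should state that, because a mismatch here is only diagnosed in builds where dprintk() is not a no-op. The comment in the trailing context also carries the typo "page_aray", which could be fixed while this function is being touched.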
@@ -429,7 +428,6 @@ bl_write_pagelist(struct nfs_pgio_header *header, int sync)
}
offset += pg_len;
- count -= pg_len;
isect += (pg_len >> SECTOR_SHIFT);
extent_length -= (pg_len >> SECTOR_SHIFT);
}
--
2.53.0
* [PATCH 6.1 645/969] fs/ntfs3: terminate the cached volume label after UTF-8 conversion
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (643 preceding siblings ...)
2026-05-30 16:02 ` [PATCH 6.1 644/969] nfs/blocklayout: Fix compilation error (`make W=1`) in bl_write_pagelist() Greg Kroah-Hartman
@ 2026-05-30 16:02 ` Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 646/969] platform/x86: dell_rbu: avoid uninit value usage in packet_size_write() Greg Kroah-Hartman
` (330 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pengpeng Hou, Konstantin Komarov,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pengpeng Hou <pengpeng@iscas.ac.cn>
[ Upstream commit a6cd43fe9b083fa23fe1595666d5738856cb261a ]
ntfs_fill_super() loads the on-disk volume label with utf16s_to_utf8s()
and stores the result in sbi->volume.label. The converted label is later
exposed through ntfs3_label_show() using %s, but utf16s_to_utf8s() only
returns the number of bytes written and does not add a trailing NUL.
If the converted label fills the entire fixed buffer,
ntfs3_label_show() can read past the end of sbi->volume.label while
looking for a terminator.
Terminate the cached label explicitly after a successful conversion and
clamp the exact-full case to the last byte of the buffer.
Fixes: 82cae269cfa9 ("fs/ntfs3: Add initialization of super block")
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ntfs3/super.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c
index 7cf52b70987b0..35dd0018e2bd4 100644
--- a/fs/ntfs3/super.c
+++ b/fs/ntfs3/super.c
@@ -992,8 +992,13 @@ static int ntfs_fill_super(struct super_block *sb, struct fs_context *fc)
le32_to_cpu(attr->res.data_size) >> 1,
UTF16_LITTLE_ENDIAN, sbi->volume.label,
sizeof(sbi->volume.label));
- if (err < 0)
+ if (err < 0) {
sbi->volume.label[0] = 0;
+ } else if (err >= sizeof(sbi->volume.label)) {
+ sbi->volume.label[sizeof(sbi->volume.label) - 1] = 0;
+ } else {
+ sbi->volume.label[err] = 0;
+ }
} else {
/* Should we break mounting here? */
//err = -EINVAL;
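Review bot: in the `err >= sizeof(sbi->volume.label)` branch the terminator overwrites the last converted byte, which can be the tail of a multi-byte UTF-8 sequence and leave an invalid sequence at the end of the label shown by ntfs3_label_show(). Passing sizeof(sbi->volume.label) - 1 as the output limit to utf16s_to_utf8s() would reserve that byte for the NUL and reduce the three branches to two. The comparison also mixes the signed err with a size_t, which is safe only because the negative case is tested first; a short comment would help.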
--
2.53.0
* [PATCH 6.1 646/969] platform/x86: dell_rbu: avoid uninit value usage in packet_size_write()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (644 preceding siblings ...)
2026-05-30 16:02 ` [PATCH 6.1 645/969] fs/ntfs3: terminate the cached volume label after UTF-8 conversion Greg Kroah-Hartman
@ 2026-05-30 16:02 ` Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 647/969] platform/x86: dell-wmi-sysman: bound enumeration string aggregation Greg Kroah-Hartman
` (329 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fedor Pchelkin, Ilpo Järvinen,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fedor Pchelkin <pchelkin@ispras.ru>
[ Upstream commit f8fd138c2363c0e2d3235c32bfb4fb5c6474e4ae ]
Ensure the temp value has been properly parsed from the user-provided
buffer and initialized to be used in later operations. While at it,
prefer a convenient kstrtoul() helper.
Found by Linux Verification Center (linuxtesting.org) with Svace static
analysis tool.
Fixes: ad6ce87e5bd4 ("[PATCH] dell_rbu: changes in packet update mechanism")
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Link: https://patch.msgid.link/20260403134240.604837-1-pchelkin@ispras.ru
[ij: add include]
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/dell/dell_rbu.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/platform/x86/dell/dell_rbu.c b/drivers/platform/x86/dell/dell_rbu.c
index fee20866b41e4..9039e494131fd 100644
--- a/drivers/platform/x86/dell/dell_rbu.c
+++ b/drivers/platform/x86/dell/dell_rbu.c
@@ -30,6 +30,7 @@
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/init.h>
+#include <linux/kstrtox.h>
#include <linux/module.h>
#include <linux/slab.h>
#include <linux/string.h>
@@ -617,9 +618,12 @@ static ssize_t packet_size_write(struct file *filp, struct kobject *kobj,
char *buffer, loff_t pos, size_t count)
{
unsigned long temp;
+
+ if (kstrtoul(buffer, 10, &temp))
+ return -EINVAL;
+
spin_lock(&rbu_data.lock);
packet_empty_list();
- sscanf(buffer, "%lu", &temp);
if (temp < 0xffffffff)
rbu_data.packetsize = temp;
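Review bot: packet_size_write() now rejects unparsable input with -EINVAL, but a value that parses and then fails `if (temp < 0xffffffff)` is still silently dropped, so the two kinds of bad input are handled differently. Consider returning an error for the out-of-range case before taking rbu_data.lock, and propagating kstrtoul()'s own return value instead of replacing it. The changelog should also mention that the early return comes before packet_empty_list(), so a malformed write no longer calls it.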
--
2.53.0
* [PATCH 6.1 647/969] platform/x86: dell-wmi-sysman: bound enumeration string aggregation
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (645 preceding siblings ...)
2026-05-30 16:02 ` [PATCH 6.1 646/969] platform/x86: dell_rbu: avoid uninit value usage in packet_size_write() Greg Kroah-Hartman
@ 2026-05-30 16:02 ` Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 648/969] RDMA/core: Prefer NLA_NUL_STRING Greg Kroah-Hartman
` (328 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pengpeng Hou, Ilpo Järvinen,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pengpeng Hou <pengpeng@iscas.ac.cn>
[ Upstream commit 3c34471c26abc52a37f5ad90949e2e4b8027eb14 ]
populate_enum_data() aggregates firmware-provided value-modifier
and possible-value strings into fixed 512-byte struct members.
The current code bounds each individual source string but then
appends every string and separator with raw strcat() and no
remaining-space check.
Switch the aggregation loops to a bounded append helper and
reject enumeration packages whose combined strings do not fit
in the destination buffers.
Fixes: e8a60aa7404b ("platform/x86: Introduce support for Systems Management Driver over WMI for Dell Systems")
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Link: https://patch.msgid.link/20260408084501.1-dell-wmi-sysman-v2-pengpeng@iscas.ac.cn
[ij: add include]
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../dell/dell-wmi-sysman/enum-attributes.c | 34 +++++++++++++++----
1 file changed, 28 insertions(+), 6 deletions(-)
diff --git a/drivers/platform/x86/dell/dell-wmi-sysman/enum-attributes.c b/drivers/platform/x86/dell/dell-wmi-sysman/enum-attributes.c
index fc2f58b4cbc6e..7e44ba3015627 100644
--- a/drivers/platform/x86/dell/dell-wmi-sysman/enum-attributes.c
+++ b/drivers/platform/x86/dell/dell-wmi-sysman/enum-attributes.c
@@ -6,10 +6,32 @@
* Copyright (c) 2020 Dell Inc.
*/
+#include <linux/bug.h>
+
#include "dell-wmi-sysman.h"
get_instance_id(enumeration);
+static int append_enum_string(char *dest, const char *src)
+{
+ size_t dest_len = strlen(dest);
+ ssize_t copied;
+
+ if (WARN_ON_ONCE(dest_len >= MAX_BUFF))
+ return -EINVAL;
+
+ copied = strscpy(dest + dest_len, src, MAX_BUFF - dest_len);
+ if (copied < 0)
+ return -EINVAL;
+
+ dest_len += copied;
+ copied = strscpy(dest + dest_len, ";", MAX_BUFF - dest_len);
+ if (copied < 0)
+ return -EINVAL;
+
+ return 0;
+}
+
static ssize_t current_value_show(struct kobject *kobj, struct kobj_attribute *attr, char *buf)
{
int instance_id = get_enumeration_instance_id(kobj);
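Review bot: append_enum_string() hard-codes MAX_BUFF as the size of dest, so it is only correct for destinations that are exactly MAX_BUFF bytes; taking the size as a parameter and calling it with sizeof() on the struct member would keep the bound tied to the real buffer. When either strscpy() call fails, dest has already been extended with a truncated src, or with src but no separator, so the caller gets -EINVAL together with a partially appended buffer; writing the terminator back at the original length on the error paths would leave dest unchanged.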
@@ -176,9 +198,9 @@ int populate_enum_data(union acpi_object *enumeration_obj, int instance_id,
return -EINVAL;
if (check_property_type(enumeration, next_obj, ACPI_TYPE_STRING))
return -EINVAL;
- strcat(wmi_priv.enumeration_data[instance_id].dell_value_modifier,
- enumeration_obj[next_obj++].string.pointer);
- strcat(wmi_priv.enumeration_data[instance_id].dell_value_modifier, ";");
+ if (append_enum_string(wmi_priv.enumeration_data[instance_id].dell_value_modifier,
+ enumeration_obj[next_obj++].string.pointer))
+ return -EINVAL;
}
if (next_obj >= enum_property_count)
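Review bot: the `enumeration_obj[next_obj++]` post-increment now sits inside the argument list of a call that is itself the if condition, which hides the loop's index advance inside an error check. Reading the string pointer into a local and incrementing next_obj on its own line would be clearer, and the helper's return value could then be returned directly.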
@@ -193,9 +215,9 @@ int populate_enum_data(union acpi_object *enumeration_obj, int instance_id,
return -EINVAL;
if (check_property_type(enumeration, next_obj, ACPI_TYPE_STRING))
return -EINVAL;
- strcat(wmi_priv.enumeration_data[instance_id].possible_values,
- enumeration_obj[next_obj++].string.pointer);
- strcat(wmi_priv.enumeration_data[instance_id].possible_values, ";");
+ if (append_enum_string(wmi_priv.enumeration_data[instance_id].possible_values,
+ enumeration_obj[next_obj++].string.pointer))
+ return -EINVAL;
}
return sysfs_create_group(attr_name_kobj, &enumeration_attr_group);
--
2.53.0
* [PATCH 6.1 648/969] RDMA/core: Prefer NLA_NUL_STRING
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (646 preceding siblings ...)
2026-05-30 16:02 ` [PATCH 6.1 647/969] platform/x86: dell-wmi-sysman: bound enumeration string aggregation Greg Kroah-Hartman
@ 2026-05-30 16:02 ` Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 649/969] clk: qcom: dispcc-sm8450: use RCG2 ops for DPTX1 AUX clock source Greg Kroah-Hartman
` (327 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Westphal, Jason Gunthorpe,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 6ed3d14fc45d3da6025e7fe4a6a09066856698e2 ]
These attributes are evaluated as c-string (passed to strcmp), but
NLA_STRING doesn't check for the presence of a \0 terminator.
Either this needs to switch to nla_strcmp() and needs to adjust printf fmt
specifier to not use plain %s, or this needs to use NLA_NUL_STRING.
As the code has been this way for a long time, it seems to me that userspace
does include the terminating nul, even though it's not enforced so far, and
thus NLA_NUL_STRING use is the simpler solution.
Fixes: 30dc5e63d6a5 ("RDMA/core: Add support for iWARP Port Mapper user space service")
Link: https://patch.msgid.link/r/20260330122742.13315-1-fw@strlen.de
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/core/iwpm_msg.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/infiniband/core/iwpm_msg.c b/drivers/infiniband/core/iwpm_msg.c
index 3c9a9869212bb..feb09008eb9ca 100644
--- a/drivers/infiniband/core/iwpm_msg.c
+++ b/drivers/infiniband/core/iwpm_msg.c
@@ -365,9 +365,9 @@ int iwpm_remove_mapping(struct sockaddr_storage *local_addr, u8 nl_client)
/* netlink attribute policy for the received response to register pid request */
static const struct nla_policy resp_reg_policy[IWPM_NLA_RREG_PID_MAX] = {
[IWPM_NLA_RREG_PID_SEQ] = { .type = NLA_U32 },
- [IWPM_NLA_RREG_IBDEV_NAME] = { .type = NLA_STRING,
+ [IWPM_NLA_RREG_IBDEV_NAME] = { .type = NLA_NUL_STRING,
.len = IWPM_DEVNAME_SIZE - 1 },
- [IWPM_NLA_RREG_ULIB_NAME] = { .type = NLA_STRING,
+ [IWPM_NLA_RREG_ULIB_NAME] = { .type = NLA_NUL_STRING,
.len = IWPM_ULIBNAME_SIZE - 1 },
[IWPM_NLA_RREG_ULIB_VER] = { .type = NLA_U16 },
[IWPM_NLA_RREG_PID_ERR] = { .type = NLA_U16 }
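Review bot: switching resp_reg_policy to NLA_NUL_STRING makes policy validation reject a name attribute that carries no NUL, which is a behaviour change for any userspace port mapper that omitted the terminator. The commit message rests on the assumption that none does, so a pointer to the userspace code that builds IWPM_NLA_RREG_IBDEV_NAME and IWPM_NLA_RREG_ULIB_NAME would make that checkable. Keeping .len at IWPM_DEVNAME_SIZE - 1 and IWPM_ULIBNAME_SIZE - 1 is right, since .len excludes the terminator for NLA_NUL_STRING.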
@@ -677,7 +677,7 @@ int iwpm_remote_info_cb(struct sk_buff *skb, struct netlink_callback *cb)
/* netlink attribute policy for the received request for mapping info */
static const struct nla_policy resp_mapinfo_policy[IWPM_NLA_MAPINFO_REQ_MAX] = {
- [IWPM_NLA_MAPINFO_ULIB_NAME] = { .type = NLA_STRING,
+ [IWPM_NLA_MAPINFO_ULIB_NAME] = { .type = NLA_NUL_STRING,
.len = IWPM_ULIBNAME_SIZE - 1 },
[IWPM_NLA_MAPINFO_ULIB_VER] = { .type = NLA_U16 }
};
--
2.53.0
* [PATCH 6.1 649/969] clk: qcom: dispcc-sm8450: use RCG2 ops for DPTX1 AUX clock source
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (647 preceding siblings ...)
2026-05-30 16:02 ` [PATCH 6.1 648/969] RDMA/core: Prefer NLA_NUL_STRING Greg Kroah-Hartman
@ 2026-05-30 16:02 ` Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 650/969] scsi: sg: Resolve soft lockup issue when opening /dev/sgX Greg Kroah-Hartman
` (326 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Abel Vesa,
Konrad Dybcio, Taniya Das, Bjorn Andersson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
[ Upstream commit 141af1be817c42c7f1e1605348d4b1983d319bea ]
The clk_dp_ops are supposed to be used for DP-related clocks with a
proper MND divider. Use standard RCG2 ops for dptx1_aux_clk_src, the same
as all other DPTX AUX clocks in this driver.
Fixes: 16fb89f92ec4 ("clk: qcom: Add support for Display Clock Controller on SM8450")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Abel Vesa <abel.vesa@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Taniya Das <taniya.das@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260112-dp-aux-clks-v1-2-456b0c11b069@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/dispcc-sm8450.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/clk/qcom/dispcc-sm8450.c b/drivers/clk/qcom/dispcc-sm8450.c
index e7dd45a2058c1..e7fab9d38f85e 100644
--- a/drivers/clk/qcom/dispcc-sm8450.c
+++ b/drivers/clk/qcom/dispcc-sm8450.c
@@ -364,7 +364,7 @@ static struct clk_rcg2 disp_cc_mdss_dptx1_aux_clk_src = {
.parent_data = disp_cc_parent_data_1,
.num_parents = ARRAY_SIZE(disp_cc_parent_data_1),
.flags = CLK_SET_RATE_PARENT,
- .ops = &clk_dp_ops,
+ .ops = &clk_rcg2_ops,
},
};
--
2.53.0
* [PATCH 6.1 650/969] scsi: sg: Resolve soft lockup issue when opening /dev/sgX
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (648 preceding siblings ...)
2026-05-30 16:02 ` [PATCH 6.1 649/969] clk: qcom: dispcc-sm8450: use RCG2 ops for DPTX1 AUX clock source Greg Kroah-Hartman
@ 2026-05-30 16:02 ` Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 651/969] scsi: target: core: Fix integer overflow in UNMAP bounds check Greg Kroah-Hartman
` (325 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Erkun, Bart Van Assche,
Martin K. Petersen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yang Erkun <yangerkun@huawei.com>
[ Upstream commit d06a310b45e153872033dd0cf19d5a2279121099 ]
The parameter def_reserved_size defines the default buffer size reserved
for each Sg_fd and should be restricted to a range between 0 and 1,048,576
(see https://tldp.org/HOWTO/SCSI-Generic-HOWTO/proc.html). Although the
function sg_proc_write_dressz enforces this limit, it is possible to bypass
it by directly modifying the module parameter as shown below, which then
causes a soft lockup:
echo -1 > /sys/module/sg/parameters/def_reserved_size
exec 4<> /dev/sg0
watchdog: BUG: soft lockup - CPU#5 stuck for 26 seconds! [bash:537]
Modules loaded:
CPU: 5 UID: 0 PID: 537 Command: bash, kernel version 6.19.0-rc3+ #134,
PREEMPT disabled
Hardware: QEMU Standard PC (i440FX + PIIX, 1996), BIOS version
1.16.1-2.fc37 dated 04/01/2014
...
Call Trace:
sg_build_reserve+0x5c/0xa0
sg_add_sfp+0x168/0x270
sg_open+0x16e/0x340
chrdev_open+0xbe/0x230
do_dentry_open+0x175/0x480
vfs_open+0x34/0xf0
do_open+0x265/0x3d0
path_openat+0x110/0x290
do_filp_open+0xc3/0x170
do_sys_openat2+0x71/0xe0
__x64_sys_openat+0x6d/0xa0
do_syscall_64+0x62/0x310
entry_SYSCALL_64_after_hwframe+0x76/0x7e
The fix is to use module_param_cb to validate and reject invalid values
assigned to def_reserved_size.
Fixes: 6460e75a104d ("[SCSI] sg: fixes for large page_size")
Signed-off-by: Yang Erkun <yangerkun@huawei.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Link: https://patch.msgid.link/20260127062044.3034148-3-yangerkun@huawei.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/sg.c | 29 +++++++++++++++++++++++++++--
1 file changed, 27 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index b63f7c09c97a1..a7131500eafe7 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -1614,10 +1614,35 @@ sg_remove_device(struct device *cl_dev, struct class_interface *cl_intf)
}
module_param_named(scatter_elem_sz, scatter_elem_sz, int, S_IRUGO | S_IWUSR);
-module_param_named(def_reserved_size, def_reserved_size, int,
- S_IRUGO | S_IWUSR);
module_param_named(allow_dio, sg_allow_dio, int, S_IRUGO | S_IWUSR);
+static int def_reserved_size_set(const char *val, const struct kernel_param *kp)
+{
+ int size, ret;
+
+ if (!val)
+ return -EINVAL;
+
+ ret = kstrtoint(val, 0, &size);
+ if (ret)
+ return ret;
+
+ /* limit to 1 MB */
+ if (size < 0 || size > 1048576)
+ return -ERANGE;
+
+ def_reserved_size = size;
+ return 0;
+}
+
+static const struct kernel_param_ops def_reserved_size_ops = {
+ .set = def_reserved_size_set,
+ .get = param_get_int,
+};
+
+module_param_cb(def_reserved_size, &def_reserved_size_ops, &def_reserved_size,
+ S_IRUGO | S_IWUSR);
+
MODULE_AUTHOR("Douglas Gilbert");
MODULE_DESCRIPTION("SCSI generic (sg) driver");
MODULE_LICENSE("GPL");
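Review bot: def_reserved_size_set() repeats the 1 MB limit as the literal 1048576, which the commit message says sg_proc_write_dressz already enforces; a shared named constant would keep the /proc path and the module-parameter path from drifting apart. In the context lines, scatter_elem_sz is still a plain writable int registered through module_param_named() with no range check, so it is worth confirming that it cannot reach the buffer sizing code with a similarly bad value.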
--
2.53.0
* [PATCH 6.1 651/969] scsi: target: core: Fix integer overflow in UNMAP bounds check
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (649 preceding siblings ...)
2026-05-30 16:02 ` [PATCH 6.1 650/969] scsi: sg: Resolve soft lockup issue when opening /dev/sgX Greg Kroah-Hartman
@ 2026-05-30 16:02 ` Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 652/969] dt-bindings: clock: qcom,gcc-sc8180x: Add missing GDSCs Greg Kroah-Hartman
` (324 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo,
Martin K. Petersen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
[ Upstream commit 2bf2d65f76697820dbc4227d13866293576dd90a ]
sbc_execute_unmap() checks LBA + range does not exceed the device capacity,
but does not guard against LBA + range wrapping around on 64-bit overflow.
Add an overflow check matching the pattern already used for WRITE_SAME in
the same file.
Fixes: 86d7182985d2 ("target: Add sbc_execute_unmap() helper")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://patch.msgid.link/SYBPR01MB7881593C61AD52C69FBDB0BDAF7CA@SYBPR01MB7881.ausprd01.prod.outlook.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/target/target_core_sbc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/target/target_core_sbc.c b/drivers/target/target_core_sbc.c
index 1e3216de1e04d..7b08743c4f3ff 100644
--- a/drivers/target/target_core_sbc.c
+++ b/drivers/target/target_core_sbc.c
@@ -1133,7 +1133,8 @@ sbc_execute_unmap(struct se_cmd *cmd)
goto err;
}
- if (lba + range > dev->transport->get_blocks(dev) + 1) {
+ if (lba + range < lba ||
+ lba + range > dev->transport->get_blocks(dev) + 1) {
ret = TCM_ADDRESS_OUT_OF_RANGE;
goto err;
}
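Review bot: the added `lba + range < lba` test catches the wrap on the left-hand side, but the sum is now computed twice and the right-hand side `dev->transport->get_blocks(dev) + 1` is itself an unchecked addition. Using check_add_overflow() to compute the end LBA once, then comparing it against the capacity, would make both the intent and the operand types explicit.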
--
2.53.0
* [PATCH 6.1 652/969] dt-bindings: clock: qcom,gcc-sc8180x: Add missing GDSCs
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (650 preceding siblings ...)
2026-05-30 16:02 ` [PATCH 6.1 651/969] scsi: target: core: Fix integer overflow in UNMAP bounds check Greg Kroah-Hartman
@ 2026-05-30 16:02 ` Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 653/969] clk: qcom: gcc-sc8180x: " Greg Kroah-Hartman
` (323 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Val Packett, Krzysztof Kozlowski,
Bjorn Andersson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Val Packett <val@packett.cool>
[ Upstream commit 76404ffbf07f28a5ec04748e18fce3dac2e78ef6 ]
There are 5 more GDSCs that we were ignoring and not putting to sleep,
which are listed in downstream DTS. Add them.
Signed-off-by: Val Packett <val@packett.cool>
Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260312112321.370983-2-val@packett.cool
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Stable-dep-of: 3565741eb985 ("clk: qcom: gcc-sc8180x: Add missing GDSCs")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/dt-bindings/clock/qcom,gcc-sc8180x.h | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/include/dt-bindings/clock/qcom,gcc-sc8180x.h b/include/dt-bindings/clock/qcom,gcc-sc8180x.h
index 2569f874fe13c..be97a0ca2ade4 100644
--- a/include/dt-bindings/clock/qcom,gcc-sc8180x.h
+++ b/include/dt-bindings/clock/qcom,gcc-sc8180x.h
@@ -308,5 +308,10 @@
#define USB30_MP_GDSC 8
#define USB30_PRIM_GDSC 9
#define USB30_SEC_GDSC 10
+#define HLOS1_VOTE_MMNOC_MMU_TBU_HF0_GDSC 11
+#define HLOS1_VOTE_MMNOC_MMU_TBU_HF1_GDSC 12
+#define HLOS1_VOTE_MMNOC_MMU_TBU_SF_GDSC 13
+#define HLOS1_VOTE_TURING_MMU_TBU0_GDSC 14
+#define HLOS1_VOTE_TURING_MMU_TBU1_GDSC 15
#endif
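Review bot: Nothing in the header says what the five HLOS1_VOTE_* domains are; a one-line comment grouping them as the MMU TBU GDSCs would help readers of the binding. Appending them as 11 to 15 after USB30_SEC_GDSC keeps the existing values stable, and this header-only change needs to stay directly ahead of the driver patch that indexes gcc_sc8180x_gdscs[] with the new names.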
--
2.53.0
* [PATCH 6.1 653/969] clk: qcom: gcc-sc8180x: Add missing GDSCs
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (651 preceding siblings ...)
2026-05-30 16:02 ` [PATCH 6.1 652/969] dt-bindings: clock: qcom,gcc-sc8180x: Add missing GDSCs Greg Kroah-Hartman
@ 2026-05-30 16:02 ` Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 654/969] clk: qcom: gcc-sc8180x: Use retention for USB power domains Greg Kroah-Hartman
` (322 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Konrad Dybcio,
Val Packett, Bjorn Andersson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Val Packett <val@packett.cool>
[ Upstream commit 3565741eb985a8a7cc6656eb33496195468cb99e ]
There are 5 more GDSCs that we were ignoring and not putting to sleep,
which are listed in downstream DTS. Add them.
Fixes: 4433594bbe5d ("clk: qcom: gcc: Add global clock controller driver for SC8180x")
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Signed-off-by: Val Packett <val@packett.cool>
Link: https://lore.kernel.org/r/20260312112321.370983-3-val@packett.cool
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/gcc-sc8180x.c | 50 ++++++++++++++++++++++++++++++++++
1 file changed, 50 insertions(+)
diff --git a/drivers/clk/qcom/gcc-sc8180x.c b/drivers/clk/qcom/gcc-sc8180x.c
index ba004281f2944..00e2e22a14175 100644
--- a/drivers/clk/qcom/gcc-sc8180x.c
+++ b/drivers/clk/qcom/gcc-sc8180x.c
@@ -4200,6 +4200,51 @@ static struct gdsc usb30_mp_gdsc = {
.flags = POLL_CFG_GDSCR,
};
+static struct gdsc hlos1_vote_mmnoc_mmu_tbu_hf0_gdsc = {
+ .gdscr = 0x7d050,
+ .pd = {
+ .name = "hlos1_vote_mmnoc_mmu_tbu_hf0_gdsc",
+ },
+ .pwrsts = PWRSTS_OFF_ON,
+ .flags = VOTABLE,
+};
+
+static struct gdsc hlos1_vote_mmnoc_mmu_tbu_hf1_gdsc = {
+ .gdscr = 0x7d058,
+ .pd = {
+ .name = "hlos1_vote_mmnoc_mmu_tbu_hf1_gdsc",
+ },
+ .pwrsts = PWRSTS_OFF_ON,
+ .flags = VOTABLE,
+};
+
+static struct gdsc hlos1_vote_mmnoc_mmu_tbu_sf_gdsc = {
+ .gdscr = 0x7d054,
+ .pd = {
+ .name = "hlos1_vote_mmnoc_mmu_tbu_sf_gdsc",
+ },
+ .pwrsts = PWRSTS_OFF_ON,
+ .flags = VOTABLE,
+};
+
+static struct gdsc hlos1_vote_turing_mmu_tbu0_gdsc = {
+ .gdscr = 0x7d05c,
+ .pd = {
+ .name = "hlos1_vote_turing_mmu_tbu0_gdsc",
+ },
+ .pwrsts = PWRSTS_OFF_ON,
+ .flags = VOTABLE,
+};
+
+static struct gdsc hlos1_vote_turing_mmu_tbu1_gdsc = {
+ .gdscr = 0x7d060,
+ .pd = {
+ .name = "hlos1_vote_turing_mmu_tbu1_gdsc",
+ },
+ .pwrsts = PWRSTS_OFF_ON,
+ .flags = VOTABLE,
+};
+
static struct clk_regmap *gcc_sc8180x_clocks[] = {
[GCC_AGGRE_NOC_PCIE_TBU_CLK] = &gcc_aggre_noc_pcie_tbu_clk.clkr,
[GCC_AGGRE_UFS_CARD_AXI_CLK] = &gcc_aggre_ufs_card_axi_clk.clkr,
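Review bot: The `.gdscr` offsets do not follow definition order: hf0 is 0x7d050, hf1 is 0x7d058 and sf is 0x7d054, so the hf1 and sf entries look swapped relative to their addresses. That may match the hardware, but the commit message cites only the downstream DTS, so please confirm the hf1/sf pair against it before this goes to stable.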
@@ -4500,6 +4545,11 @@ static struct gdsc *gcc_sc8180x_gdscs[] = {
[USB30_MP_GDSC] = &usb30_mp_gdsc,
[USB30_PRIM_GDSC] = &usb30_prim_gdsc,
[USB30_SEC_GDSC] = &usb30_sec_gdsc,
+ [HLOS1_VOTE_MMNOC_MMU_TBU_HF0_GDSC] = &hlos1_vote_mmnoc_mmu_tbu_hf0_gdsc,
+ [HLOS1_VOTE_MMNOC_MMU_TBU_HF1_GDSC] = &hlos1_vote_mmnoc_mmu_tbu_hf1_gdsc,
+ [HLOS1_VOTE_MMNOC_MMU_TBU_SF_GDSC] = &hlos1_vote_mmnoc_mmu_tbu_sf_gdsc,
+ [HLOS1_VOTE_TURING_MMU_TBU0_GDSC] = &hlos1_vote_turing_mmu_tbu0_gdsc,
+ [HLOS1_VOTE_TURING_MMU_TBU1_GDSC] = &hlos1_vote_turing_mmu_tbu1_gdsc,
};
static const struct regmap_config gcc_sc8180x_regmap_config = {
--
2.53.0
* [PATCH 6.1 654/969] clk: qcom: gcc-sc8180x: Use retention for USB power domains
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (652 preceding siblings ...)
2026-05-30 16:02 ` [PATCH 6.1 653/969] clk: qcom: gcc-sc8180x: " Greg Kroah-Hartman
@ 2026-05-30 16:02 ` Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 655/969] clk: qcom: gcc-sc8180x: Use retention for PCIe " Greg Kroah-Hartman
` (321 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Konrad Dybcio,
Val Packett, Bjorn Andersson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Val Packett <val@packett.cool>
[ Upstream commit 25bc96f26cd6c19dde13a0b9859183e531d6fbfc ]
The USB subsystem does not expect to lose its state on suspend:
xhci-hcd xhci-hcd.0.auto: xHC error in resume, USBSTS 0x401, Reinit
usb usb1: root hub lost power or was reset
(The reinitialization usually succeeds, but it does slow down resume.)
To maintain state during suspend, the relevant GDSCs need to stay in
retention mode, like they do on other similar SoCs. Change the mode to
PWRSTS_RET_ON to fix.
Fixes: 4433594bbe5d ("clk: qcom: gcc: Add global clock controller driver for SC8180x")
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Signed-off-by: Val Packett <val@packett.cool>
Link: https://lore.kernel.org/r/20260312112321.370983-4-val@packett.cool
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/gcc-sc8180x.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/clk/qcom/gcc-sc8180x.c b/drivers/clk/qcom/gcc-sc8180x.c
index 00e2e22a14175..e0992f280692b 100644
--- a/drivers/clk/qcom/gcc-sc8180x.c
+++ b/drivers/clk/qcom/gcc-sc8180x.c
@@ -4106,7 +4106,7 @@ static struct gdsc usb30_sec_gdsc = {
.pd = {
.name = "usb30_sec_gdsc",
},
- .pwrsts = PWRSTS_OFF_ON,
+ .pwrsts = PWRSTS_RET_ON,
.flags = POLL_CFG_GDSCR,
};
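Review bot: Setting `.pwrsts = PWRSTS_RET_ON` trades suspend power for resume time, and the commit message itself says the reinitialization usually succeeds, so the user-visible effect is a slower resume, not a failure. For a stable backport, please state the expected suspend power cost of keeping usb30_sec_gdsc, usb30_prim_gdsc and usb30_mp_gdsc in retention, or at least that it was measured.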
@@ -4124,7 +4124,7 @@ static struct gdsc usb30_prim_gdsc = {
.pd = {
.name = "usb30_prim_gdsc",
},
- .pwrsts = PWRSTS_OFF_ON,
+ .pwrsts = PWRSTS_RET_ON,
.flags = POLL_CFG_GDSCR,
};
@@ -4196,7 +4196,7 @@ static struct gdsc usb30_mp_gdsc = {
.pd = {
.name = "usb30_mp_gdsc",
},
- .pwrsts = PWRSTS_OFF_ON,
+ .pwrsts = PWRSTS_RET_ON,
.flags = POLL_CFG_GDSCR,
};
--
2.53.0
* [PATCH 6.1 655/969] clk: qcom: gcc-sc8180x: Use retention for PCIe power domains
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (653 preceding siblings ...)
2026-05-30 16:02 ` [PATCH 6.1 654/969] clk: qcom: gcc-sc8180x: Use retention for USB power domains Greg Kroah-Hartman
@ 2026-05-30 16:02 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 656/969] clk: qcom: dispcc-sm8250: Use shared ops on the mdss vsync clk Greg Kroah-Hartman
` (320 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Val Packett,
Konrad Dybcio, Manivannan Sadhasivam, Bjorn Andersson,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Val Packett <val@packett.cool>
[ Upstream commit ccb92c78b42edd26225b4d5920847dfee3e1b093 ]
As the PCIe host controller driver does not yet support dealing with the
loss of state during suspend, use retention for relevant GDSCs.
This fixes the link not surviving upon resume:
nvme 0002:01:00.0: Unable to change power state from D3cold to D0, device inaccessible
nvme nvme0: controller is down; will reset: CSTS=0xffffffff, PCI_STATUS read failed (134)
nvme 0002:01:00.0: Unable to change power state from D3cold to D0, device inaccessible
nvme nvme0: Disabling device after reset failure: -19
Fixes: 4433594bbe5d ("clk: qcom: gcc: Add global clock controller driver for SC8180x")
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Val Packett <val@packett.cool>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Manivannan Sadhasivam <mani@kernel.org>
Link: https://lore.kernel.org/r/20260312112321.370983-5-val@packett.cool
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/gcc-sc8180x.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/clk/qcom/gcc-sc8180x.c b/drivers/clk/qcom/gcc-sc8180x.c
index e0992f280692b..94da183fad68d 100644
--- a/drivers/clk/qcom/gcc-sc8180x.c
+++ b/drivers/clk/qcom/gcc-sc8180x.c
@@ -4133,7 +4133,7 @@ static struct gdsc pcie_0_gdsc = {
.pd = {
.name = "pcie_0_gdsc",
},
- .pwrsts = PWRSTS_OFF_ON,
+ .pwrsts = PWRSTS_RET_ON,
.flags = POLL_CFG_GDSCR,
};
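Review bot: The commit message presents retention as a workaround until the PCIe host controller driver can deal with loss of state during suspend, but `.pwrsts = PWRSTS_RET_ON` carries no comment saying so. A short comment on pcie_0_gdsc through pcie_3_gdsc would tell a later reader that the setting can return to PWRSTS_OFF_ON once the controller driver handles that case.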
@@ -4160,7 +4160,7 @@ static struct gdsc pcie_1_gdsc = {
.pd = {
.name = "pcie_1_gdsc",
},
- .pwrsts = PWRSTS_OFF_ON,
+ .pwrsts = PWRSTS_RET_ON,
.flags = POLL_CFG_GDSCR,
};
@@ -4169,7 +4169,7 @@ static struct gdsc pcie_2_gdsc = {
.pd = {
.name = "pcie_2_gdsc",
},
- .pwrsts = PWRSTS_OFF_ON,
+ .pwrsts = PWRSTS_RET_ON,
.flags = POLL_CFG_GDSCR,
};
@@ -4187,7 +4187,7 @@ static struct gdsc pcie_3_gdsc = {
.pd = {
.name = "pcie_3_gdsc",
},
- .pwrsts = PWRSTS_OFF_ON,
+ .pwrsts = PWRSTS_RET_ON,
.flags = POLL_CFG_GDSCR,
};
--
2.53.0
* [PATCH 6.1 656/969] clk: qcom: dispcc-sm8250: Use shared ops on the mdss vsync clk
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (654 preceding siblings ...)
2026-05-30 16:02 ` [PATCH 6.1 655/969] clk: qcom: gcc-sc8180x: Use retention for PCIe " Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 657/969] clk: qcom: dispcc-sm8250: Enable parents for pixel clocks Greg Kroah-Hartman
` (319 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Val Packett, Dmitry Baryshkov,
Bjorn Andersson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Val Packett <val@packett.cool>
[ Upstream commit 8c522da70f0c2e5148c4c13ccb1c64cca57a6fdb ]
mdss_gdsc can get stuck on boot due to RCGs being left on from last boot.
As a fix, commit 01a0a6cc8cfd ("clk: qcom: Park shared RCGs upon
registration") introduced a callback to ensure the RCG is off upon init.
However, the fix depends on all shared RCGs being marked as such in code.
For SM8150/SC8180X/SM8250 the MDSS vsync clock was using regular ops,
unlike the same clock in the SC7180 code. This was causing display to
frequently fail to initialize after rebooting on the Surface Pro X.
Fix by using shared ops for this clock.
Fixes: 80a18f4a8567 ("clk: qcom: Add display clock controller driver for SM8150 and SM8250")
Signed-off-by: Val Packett <val@packett.cool>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260312112321.370983-8-val@packett.cool
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/dispcc-sm8250.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/clk/qcom/dispcc-sm8250.c b/drivers/clk/qcom/dispcc-sm8250.c
index dcd76977a73b3..b7d3d3bd1f2af 100644
--- a/drivers/clk/qcom/dispcc-sm8250.c
+++ b/drivers/clk/qcom/dispcc-sm8250.c
@@ -618,7 +618,7 @@ static struct clk_rcg2 disp_cc_mdss_vsync_clk_src = {
.parent_data = disp_cc_parent_data_1,
.num_parents = ARRAY_SIZE(disp_cc_parent_data_1),
.flags = CLK_SET_RATE_PARENT,
- .ops = &clk_rcg2_ops,
+ .ops = &clk_rcg2_shared_ops,
},
};
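Review bot: The switch to `&clk_rcg2_shared_ops` only gives the parking at registration that the commit message relies on if commit 01a0a6cc8cfd ("clk: qcom: Park shared RCGs upon registration") is present in the tree being patched. Please confirm that commit is in 6.1.y; without it this one-line change would not deliver the fix described for disp_cc_mdss_vsync_clk_src.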
--
2.53.0
* [PATCH 6.1 657/969] clk: qcom: dispcc-sm8250: Enable parents for pixel clocks
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (655 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 656/969] clk: qcom: dispcc-sm8250: Use shared ops on the mdss vsync clk Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 658/969] clk: imx: imx6q: Fix device node reference leak in pll6_bypassed() Greg Kroah-Hartman
` (318 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Val Packett, Dmitry Baryshkov,
Bjorn Andersson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Val Packett <val@packett.cool>
[ Upstream commit acf7a91d0b0e9e3ef374944021de62062125b7e4 ]
Add CLK_OPS_PARENT_ENABLE to MDSS pixel clock sources to ensure parent
clocks are enabled during clock operations, preventing potential
stability issues during display configuration.
Fixes: 80a18f4a8567 ("clk: qcom: Add display clock controller driver for SM8150 and SM8250")
Signed-off-by: Val Packett <val@packett.cool>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260312112321.370983-9-val@packett.cool
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/dispcc-sm8250.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/clk/qcom/dispcc-sm8250.c b/drivers/clk/qcom/dispcc-sm8250.c
index b7d3d3bd1f2af..eb46f1fb8a3a1 100644
--- a/drivers/clk/qcom/dispcc-sm8250.c
+++ b/drivers/clk/qcom/dispcc-sm8250.c
@@ -564,7 +564,7 @@ static struct clk_rcg2 disp_cc_mdss_pclk0_clk_src = {
.name = "disp_cc_mdss_pclk0_clk_src",
.parent_data = disp_cc_parent_data_6,
.num_parents = ARRAY_SIZE(disp_cc_parent_data_6),
- .flags = CLK_SET_RATE_PARENT,
+ .flags = CLK_SET_RATE_PARENT | CLK_OPS_PARENT_ENABLE,
.ops = &clk_pixel_ops,
},
};
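Review bot: CLK_OPS_PARENT_ENABLE is added to `.flags` of disp_cc_mdss_pclk0_clk_src and disp_cc_mdss_pclk1_clk_src on the strength of "potential stability issues", with no observed failure or log in the commit message. Since the flag changes when the parent clocks are enabled during clock operations, please name the symptom that was seen so the backport can be verified on hardware.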
@@ -578,7 +578,7 @@ static struct clk_rcg2 disp_cc_mdss_pclk1_clk_src = {
.name = "disp_cc_mdss_pclk1_clk_src",
.parent_data = disp_cc_parent_data_6,
.num_parents = ARRAY_SIZE(disp_cc_parent_data_6),
- .flags = CLK_SET_RATE_PARENT,
+ .flags = CLK_SET_RATE_PARENT | CLK_OPS_PARENT_ENABLE,
.ops = &clk_pixel_ops,
},
};
--
2.53.0
* [PATCH 6.1 658/969] clk: imx: imx6q: Fix device node reference leak in pll6_bypassed()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (656 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 657/969] clk: qcom: dispcc-sm8250: Enable parents for pixel clocks Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 659/969] clk: imx: imx6q: Fix device node reference leak in of_assigned_ldb_sels() Greg Kroah-Hartman
` (317 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Felix Gu, Frank Li, Peng Fan,
Abel Vesa, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Gu <ustc.gu@gmail.com>
[ Upstream commit 4b84d496c804b470124cd3a08e928df6801d8eae ]
The function pll6_bypassed() calls of_parse_phandle_with_args()
but never calls of_node_put() to release the reference, causing
a memory leak.
Fix this by adding proper cleanup calls on all exit paths.
Fixes: 3cc48976e9763 ("clk: imx6q: handle ENET PLL bypass")
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Link: https://patch.msgid.link/20260203-clk-imx6q-v3-1-6cd2696bb371@gmail.com
Signed-off-by: Abel Vesa <abel.vesa@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/imx/clk-imx6q.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/clk/imx/clk-imx6q.c b/drivers/clk/imx/clk-imx6q.c
index de36f58d551c0..b14c1606466d7 100644
--- a/drivers/clk/imx/clk-imx6q.c
+++ b/drivers/clk/imx/clk-imx6q.c
@@ -233,8 +233,11 @@ static bool pll6_bypassed(struct device_node *node)
return false;
if (clkspec.np == node &&
- clkspec.args[0] == IMX6QDL_PLL6_BYPASS)
+ clkspec.args[0] == IMX6QDL_PLL6_BYPASS) {
+ of_node_put(clkspec.np);
break;
+ }
+ of_node_put(clkspec.np);
}
/* PLL6 bypass is not part of the assigned clock list */
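Review bot: of_node_put(clkspec.np) now appears twice in the loop body, once before `break` and once on the fall-through path. Only the pointer value of `clkspec.np` is compared against `node`, so the match could be stored in a local bool, the reference dropped once, and the `break` taken on the bool, which leaves a single put per iteration.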
@@ -244,6 +247,9 @@ static bool pll6_bypassed(struct device_node *node)
ret = of_parse_phandle_with_args(node, "assigned-clock-parents",
"#clock-cells", index, &clkspec);
+ if (!ret)
+ of_node_put(clkspec.np);
+
if (clkspec.args[0] != IMX6QDL_CLK_PLL6)
return true;
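Review bot: `clkspec.args[0]` is still read unconditionally after the new `if (!ret)` block, so when this of_parse_phandle_with_args() call fails, the comparison against IMX6QDL_CLK_PLL6 uses whatever the earlier loop left in `clkspec`. The added check already distinguishes the failure case; consider handling `ret` explicitly there so the stale value is never consulted.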
--
2.53.0
* [PATCH 6.1 659/969] clk: imx: imx6q: Fix device node reference leak in of_assigned_ldb_sels()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (657 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 658/969] clk: imx: imx6q: Fix device node reference leak in pll6_bypassed() Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 660/969] clk: imx8mq: Correct the CSI PHY sels Greg Kroah-Hartman
` (316 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Felix Gu, Frank Li, Peng Fan,
Abel Vesa, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Gu <ustc.gu@gmail.com>
[ Upstream commit 9faf207208951460f3f7eefbc112246c8d28ff1b ]
The function of_assigned_ldb_sels() calls of_parse_phandle_with_args()
but never calls of_node_put() to release the reference, causing a memory
leak.
Fix this by adding proper cleanup calls on all exit paths.
Fixes: 5d283b083800 ("clk: imx6: Fix procedure to switch the parent of LDB_DI_CLK")
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Link: https://patch.msgid.link/20260203-clk-imx6q-v3-2-6cd2696bb371@gmail.com
Signed-off-by: Abel Vesa <abel.vesa@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/imx/clk-imx6q.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/clk/imx/clk-imx6q.c b/drivers/clk/imx/clk-imx6q.c
index b14c1606466d7..a95f07718b653 100644
--- a/drivers/clk/imx/clk-imx6q.c
+++ b/drivers/clk/imx/clk-imx6q.c
@@ -183,9 +183,11 @@ static void of_assigned_ldb_sels(struct device_node *node,
}
if (clkspec.np != node || clkspec.args[0] >= IMX6QDL_CLK_END) {
pr_err("ccm: parent clock %d not in ccm\n", index);
+ of_node_put(clkspec.np);
return;
}
parent = clkspec.args[0];
+ of_node_put(clkspec.np);
rc = of_parse_phandle_with_args(node, "assigned-clocks",
"#clock-cells", index, &clkspec);
@@ -193,9 +195,11 @@ static void of_assigned_ldb_sels(struct device_node *node,
return;
if (clkspec.np != node || clkspec.args[0] >= IMX6QDL_CLK_END) {
pr_err("ccm: child clock %d not in ccm\n", index);
+ of_node_put(clkspec.np);
return;
}
child = clkspec.args[0];
+ of_node_put(clkspec.np);
if (child != IMX6QDL_CLK_LDB_DI0_SEL &&
child != IMX6QDL_CLK_LDB_DI1_SEL)
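Review bot: Each lookup now needs two of_node_put(clkspec.np) calls, one on the error return and one after `child = clkspec.args[0]`, mirroring the `parent` lookup in the previous hunk. Capturing the `clkspec.np != node` result and `clkspec.args[0]` in locals and dropping the reference once, right after the parse succeeds, would leave one put per lookup and make a future early return harder to get wrong.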
--
2.53.0
* [PATCH 6.1 660/969] clk: imx8mq: Correct the CSI PHY sels
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (658 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 659/969] clk: imx: imx6q: Fix device node reference leak in of_assigned_ldb_sels() Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 661/969] clk: qoriq: avoid format string warning Greg Kroah-Hartman
` (315 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Krzyszkowiak, Peng Fan,
Abel Vesa, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
[ Upstream commit d16f57caa78776e6e8a88b96cb2597797b376138 ]
According to i.MX 8M Quad Reference Manual (Section 5.1.2 Table 5-1)
MIPI_CSI1_PHY_REF_CLK_ROOT and MIPI_CSI2_PHY_REF_CLK_ROOT have
SYSTEM_PLL2_DIV3 available as their second source, which corresponds
to sys2_pll_333m rather than sys2_pll_125m.
Fixes: b80522040cd3 ("clk: imx: Add clock driver for i.MX8MQ CCM")
Signed-off-by: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Link: https://patch.msgid.link/20260128-imx8mq-csi-clk-v1-1-ac028ed26e8c@puri.sm
Signed-off-by: Abel Vesa <abel.vesa@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/imx/clk-imx8mq.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/clk/imx/clk-imx8mq.c b/drivers/clk/imx/clk-imx8mq.c
index 0a75814b3bc77..db71b2aa8230a 100644
--- a/drivers/clk/imx/clk-imx8mq.c
+++ b/drivers/clk/imx/clk-imx8mq.c
@@ -237,7 +237,7 @@ static const char * const imx8mq_dsi_esc_sels[] = {"osc_25m", "sys2_pll_100m", "
static const char * const imx8mq_csi1_core_sels[] = {"osc_25m", "sys1_pll_266m", "sys2_pll_250m", "sys1_pll_800m",
"sys2_pll_1000m", "sys3_pll_out", "audio_pll2_out", "video_pll1_out", };
-static const char * const imx8mq_csi1_phy_sels[] = {"osc_25m", "sys2_pll_125m", "sys2_pll_100m", "sys1_pll_800m",
+static const char * const imx8mq_csi1_phy_sels[] = {"osc_25m", "sys2_pll_333m", "sys2_pll_100m", "sys1_pll_800m",
"sys2_pll_1000m", "clk_ext2", "audio_pll2_out", "video_pll1_out", };
static const char * const imx8mq_csi1_esc_sels[] = {"osc_25m", "sys2_pll_100m", "sys1_pll_80m", "sys1_pll_800m",
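Review bot: The entries of imx8mq_csi1_phy_sels[] and imx8mq_csi2_phy_sels[] are parent clock names, so "sys2_pll_333m" must be a clock this driver registers in 6.1.y, and the hunk does not show that. Please confirm the name exists in the target tree, since a parent string that matches no registered clock is not caught at build time.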
@@ -246,7 +246,7 @@ static const char * const imx8mq_csi1_esc_sels[] = {"osc_25m", "sys2_pll_100m",
static const char * const imx8mq_csi2_core_sels[] = {"osc_25m", "sys1_pll_266m", "sys2_pll_250m", "sys1_pll_800m",
"sys2_pll_1000m", "sys3_pll_out", "audio_pll2_out", "video_pll1_out", };
-static const char * const imx8mq_csi2_phy_sels[] = {"osc_25m", "sys2_pll_125m", "sys2_pll_100m", "sys1_pll_800m",
+static const char * const imx8mq_csi2_phy_sels[] = {"osc_25m", "sys2_pll_333m", "sys2_pll_100m", "sys1_pll_800m",
"sys2_pll_1000m", "clk_ext2", "audio_pll2_out", "video_pll1_out", };
static const char * const imx8mq_csi2_esc_sels[] = {"osc_25m", "sys2_pll_100m", "sys1_pll_80m", "sys1_pll_800m",
--
2.53.0
* [PATCH 6.1 661/969] clk: qoriq: avoid format string warning
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (659 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 660/969] clk: imx8mq: Correct the CSI PHY sels Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 662/969] clk: xgene: Fix mapping leak in xgene_pllclk_init() Greg Kroah-Hartman
` (314 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Kees Cook,
Stephen Boyd, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit 096abbb6682ee031a0f5ce9f4c71ead9fa63d31e ]
clang-22 warns about the use of non-variadic format arguments passed into
snprintf():
drivers/clk/clk-qoriq.c:925:39: error: diagnostic behavior may be improved by adding the
'format(printf, 7, 8)' attribute to the declaration of 'create_mux_common' [-Werror,-Wmissing-format-attribute]
910 | static struct clk * __init create_mux_common(struct clockgen *cg,
| __attribute__((format(printf, 7, 8)))
911 | struct mux_hwclock *hwc,
912 | const struct clk_ops *ops,
913 | unsigned long min_rate,
914 | unsigned long max_rate,
915 | unsigned long pct80_rate,
916 | const char *fmt, int idx)
917 | {
918 | struct clk_init_data init = {};
919 | struct clk *clk;
920 | const struct clockgen_pll_div *div;
921 | const char *parent_names[NUM_MUX_PARENTS];
922 | char name[32];
923 | int i, j;
924 |
925 | snprintf(name, sizeof(name), fmt, idx);
| ^
drivers/clk/clk-qoriq.c:910:28: note: 'create_mux_common' declared here
910 | static struct clk * __init create_mux_common(struct clockgen *cg,
Rework this to pass the 'int idx' as a varargs argument, allowing the
format string to be verified at the caller location.
Fixes: 0dfc86b3173f ("clk: qoriq: Move chip-specific knowledge into driver")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Kees Cook <kees@kernel.org>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/clk-qoriq.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/drivers/clk/clk-qoriq.c b/drivers/clk/clk-qoriq.c
index 5eddb9f0d6bdb..4baec1bf3557f 100644
--- a/drivers/clk/clk-qoriq.c
+++ b/drivers/clk/clk-qoriq.c
@@ -905,13 +905,11 @@ static const struct clockgen_pll_div *get_pll_div(struct clockgen *cg,
return &cg->pll[pll].div[div];
}
-static struct clk * __init create_mux_common(struct clockgen *cg,
- struct mux_hwclock *hwc,
- const struct clk_ops *ops,
- unsigned long min_rate,
- unsigned long max_rate,
- unsigned long pct80_rate,
- const char *fmt, int idx)
+static struct clk * __init __printf(7, 8)
+create_mux_common(struct clockgen *cg, struct mux_hwclock *hwc,
+ const struct clk_ops *ops, unsigned long min_rate,
+ unsigned long max_rate, unsigned long pct80_rate,
+ const char *fmt, ...)
{
struct clk_init_data init = {};
struct clk *clk;
@@ -919,8 +917,11 @@ static struct clk * __init create_mux_common(struct clockgen *cg,
const char *parent_names[NUM_MUX_PARENTS];
char name[32];
int i, j;
+ va_list args;
- snprintf(name, sizeof(name), fmt, idx);
+ va_start(args, fmt);
+ vsnprintf(name, sizeof(name), fmt, args);
+ va_end(args);
for (i = 0, j = 0; i < NUM_MUX_PARENTS; i++) {
unsigned long rate;
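Review bot: The return value of vsnprintf() is ignored, so a formatted name longer than the 32-byte `name` buffer is silently truncated, and with `fmt, ...` callers are no longer limited to a single `int` argument. Checking for a result `>= sizeof(name)` and warning would catch two muxes ending up with the same truncated name. The `__printf(7, 8)` indices in the previous hunk do match `fmt` as the seventh parameter.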
--
2.53.0
* [PATCH 6.1 662/969] clk: xgene: Fix mapping leak in xgene_pllclk_init()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (660 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 661/969] clk: qoriq: avoid format string warning Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 663/969] dt-bindings: clock: qcom,dispcc-sc7180: Define MDSS resets Greg Kroah-Hartman
` (313 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geert Uytterhoeven, Brian Masney,
Stephen Boyd, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven <geert+renesas@glider.be>
[ Upstream commit f520a492e07bc6718e26cfb7543ab4cadd8bb0e2 ]
If xgene_register_clk_pll() fails, the mapped register block is never
unmapped.
Fixes: 308964caeebc45eb ("clk: Add APM X-Gene SoC clock driver")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Brian Masney <bmasney@redhat.com>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/clk-xgene.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/clk/clk-xgene.c b/drivers/clk/clk-xgene.c
index 0c3d0cee98c83..a542b78d9c731 100644
--- a/drivers/clk/clk-xgene.c
+++ b/drivers/clk/clk-xgene.c
@@ -187,6 +187,8 @@ static void xgene_pllclk_init(struct device_node *np, enum xgene_pll_type pll_ty
of_clk_add_provider(np, of_clk_src_simple_get, clk);
clk_register_clkdev(clk, clk_name, NULL);
pr_debug("Add %s clock PLL\n", clk_name);
+ } else {
+ iounmap(reg);
}
}
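Review bot: The new `else` branch unmaps `reg` when registration fails, but the success branch still ignores the return values of of_clk_add_provider() and clk_register_clkdev(). The commit message scopes the fix to the xgene_register_clk_pll() failure, which is fine for this patch; a follow-up should decide what happens to the clock and the mapping when either of those two calls fails.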
--
2.53.0
* [PATCH 6.1 663/969] dt-bindings: clock: qcom,dispcc-sc7180: Define MDSS resets
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (661 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 662/969] clk: xgene: Fix mapping leak in xgene_pllclk_init() Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 664/969] clk: qcom: dispcc-sc7180: Add missing " Greg Kroah-Hartman
` (312 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konrad Dybcio, Taniya Das,
Krzysztof Kozlowski, Bjorn Andersson, Sasha Levin, Val Packett
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
[ Upstream commit fc6e29d42872680dca017f2e5169eefe971f8d89 ]
The MDSS resets have so far been left undescribed. Fix that.
Fixes: 75616da71291 ("dt-bindings: clock: Introduce QCOM sc7180 display clock bindings")
Signed-off-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Taniya Das <taniya.das@oss.qualcomm.com>
Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Tested-by: Val Packett <val@packett.cool> # sc7180-ecs-liva-qc710
Link: https://lore.kernel.org/r/20260120-topic-7180_dispcc_bcr-v1-1-0b1b442156c3@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Stable-dep-of: b0bc6011c549 ("clk: qcom: dispcc-sc7180: Add missing MDSS resets")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/dt-bindings/clock/qcom,dispcc-sc7180.h | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/include/dt-bindings/clock/qcom,dispcc-sc7180.h b/include/dt-bindings/clock/qcom,dispcc-sc7180.h
index b9b51617a335d..0705103060748 100644
--- a/include/dt-bindings/clock/qcom,dispcc-sc7180.h
+++ b/include/dt-bindings/clock/qcom,dispcc-sc7180.h
@@ -6,6 +6,7 @@
#ifndef _DT_BINDINGS_CLK_QCOM_DISP_CC_SC7180_H
#define _DT_BINDINGS_CLK_QCOM_DISP_CC_SC7180_H
+/* Clocks */
#define DISP_CC_PLL0 0
#define DISP_CC_PLL0_OUT_EVEN 1
#define DISP_CC_MDSS_AHB_CLK 2
@@ -40,7 +41,11 @@
#define DISP_CC_MDSS_VSYNC_CLK_SRC 31
#define DISP_CC_XO_CLK 32
-/* DISP_CC GDSCR */
+/* Resets */
+#define DISP_CC_MDSS_CORE_BCR 0
+#define DISP_CC_MDSS_RSCC_BCR 1
+
+/* GDSCs */
#define MDSS_GDSC 0
#endif
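Review bot: DISP_CC_MDSS_CORE_BCR reuses the value 0 that DISP_CC_PLL0 and MDSS_GDSC already have, which is correct only because clocks, resets and GDSCs are separate index spaces. The new `/* Clocks */`, `/* Resets */` and `/* GDSCs */` comments make that readable; please keep the two reset values in step with the indices used for disp_cc_sc7180_resets[] in the driver patch that depends on this header.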
--
2.53.0
* [PATCH 6.1 664/969] clk: qcom: dispcc-sc7180: Add missing MDSS resets
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (662 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 663/969] dt-bindings: clock: qcom,dispcc-sc7180: Define MDSS resets Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 665/969] lib/hexdump: print_hex_dump_bytes() calls print_hex_dump_debug() Greg Kroah-Hartman
` (311 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konrad Dybcio, Dmitry Baryshkov,
Taniya Das, Bjorn Andersson, Sasha Levin, Val Packett
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
[ Upstream commit b0bc6011c5499bdfddd0390262bfa13dce1eff74 ]
The MDSS resets have so far been left undescribed. Fix that.
Fixes: dd3d06622138 ("clk: qcom: Add display clock controller driver for SC7180")
Signed-off-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Taniya Das <taniya.das@oss.qualcomm.com>
Tested-by: Val Packett <val@packett.cool> # sc7180-ecs-liva-qc710
Link: https://lore.kernel.org/r/20260120-topic-7180_dispcc_bcr-v1-2-0b1b442156c3@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/dispcc-sc7180.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/clk/qcom/dispcc-sc7180.c b/drivers/clk/qcom/dispcc-sc7180.c
index 5d2ae297e7413..040149f24d798 100644
--- a/drivers/clk/qcom/dispcc-sc7180.c
+++ b/drivers/clk/qcom/dispcc-sc7180.c
@@ -16,6 +16,7 @@
#include "clk-regmap-divider.h"
#include "common.h"
#include "gdsc.h"
+#include "reset.h"
enum {
P_BI_TCXO,
@@ -635,6 +636,11 @@ static struct gdsc mdss_gdsc = {
.flags = HW_CTRL,
};
+static const struct qcom_reset_map disp_cc_sc7180_resets[] = {
+ [DISP_CC_MDSS_CORE_BCR] = { 0x2000 },
+ [DISP_CC_MDSS_RSCC_BCR] = { 0x4000 },
+};
+
static struct gdsc *disp_cc_sc7180_gdscs[] = {
[MDSS_GDSC] = &mdss_gdsc,
};
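Review bot: The entries `[DISP_CC_MDSS_CORE_BCR] = { 0x2000 }` and `[DISP_CC_MDSS_RSCC_BCR] = { 0x4000 }` introduce two register offsets with no indication of where they come from, and the commit message only says the resets were undescribed. Please cite the source of the offsets in the message. The designated initialisers also depend on the IDs added to qcom,dispcc-sc7180.h by the Stable-dep-of patch, so the two must be applied together.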
@@ -686,6 +692,8 @@ static const struct qcom_cc_desc disp_cc_sc7180_desc = {
.config = &disp_cc_sc7180_regmap_config,
.clks = disp_cc_sc7180_clocks,
.num_clks = ARRAY_SIZE(disp_cc_sc7180_clocks),
+ .resets = disp_cc_sc7180_resets,
+ .num_resets = ARRAY_SIZE(disp_cc_sc7180_resets),
.gdscs = disp_cc_sc7180_gdscs,
.num_gdscs = ARRAY_SIZE(disp_cc_sc7180_gdscs),
};
--
2.53.0
* [PATCH 6.1 665/969] lib/hexdump: print_hex_dump_bytes() calls print_hex_dump_debug()
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geert Uytterhoeven, Petr Mladek,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven <geert+renesas@glider.be>
[ Upstream commit 36776b7f8a8955b4e75b5d490a75fee0c7a2a7ef ]
print_hex_dump_bytes() claims to be a simple wrapper around
print_hex_dump(), but it actually calls print_hex_dump_debug(), which
means no output is printed if (dynamic) DEBUG is disabled.
Update the documentation to match the implementation.
Fixes: 091cb0994edd20d6 ("lib/hexdump: make print_hex_dump_bytes() a nop on !DEBUG builds")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Petr Mladek <pmladek@suse.com>
Link: https://patch.msgid.link/3d5c3069fd9102ecaf81d044b750cd613eb72a08.1774970392.git.geert+renesas@glider.be
Signed-off-by: Petr Mladek <pmladek@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/printk.h | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/include/linux/printk.h b/include/linux/printk.h
index b1a12916f0361..90f991cb2a5c9 100644
--- a/include/linux/printk.h
+++ b/include/linux/printk.h
@@ -748,7 +748,8 @@ static inline void print_hex_dump_debug(const char *prefix_str, int prefix_type,
#endif
/**
- * print_hex_dump_bytes - shorthand form of print_hex_dump() with default params
+ * print_hex_dump_bytes - shorthand form of print_hex_dump_debug() with default
+ * params
* @prefix_str: string to prefix each line with;
* caller supplies trailing spaces for alignment if desired
* @prefix_type: controls whether prefix of an offset, address, or none
@@ -756,7 +757,7 @@ static inline void print_hex_dump_debug(const char *prefix_str, int prefix_type,
* @buf: data blob to dump
* @len: number of bytes in the @buf
*
- * Calls print_hex_dump(), with log level of KERN_DEBUG,
+ * Calls print_hex_dump_debug(), with log level of KERN_DEBUG,
* rowsize of 16, groupsize of 1, and ASCII output included.
*/
#define print_hex_dump_bytes(prefix_str, prefix_type, buf, len) \
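Review bot: In the second comment hunk, the updated sentence still reads "with log level of KERN_DEBUG", but print_hex_dump_debug() as shown in the hunk header takes `prefix_str` as its first argument and has no level parameter, so the wording describes print_hex_dump() rather than the function now named. Suggest dropping the log-level clause or rewording it to say that output appears only when DEBUG or dynamic debug is enabled, which is the behaviour the commit message sets out to document.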
--
2.53.0
* [PATCH 6.1 666/969] clk: visconti: pll: initialize clk_init_data to zero
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Brian Masney, Benoît Monin,
Nobuhiro Iwamatsu, Stephen Boyd, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Brian Masney <bmasney@redhat.com>
[ Upstream commit 1603cbb64173a0e9fa7500f2a686f4aa011c58b9 ]
Sashiko reported the following:
> The struct clk_init_data init is declared on the stack without being
> fully zero-initialized. While fields like name, flags, parent_names,
> num_parents, and ops are explicitly assigned, the parent_data and
> parent_hws fields are left containing stack garbage.
clk_core_populate_parent_map() currently prefers the parent names over
the parent data and hws, so this isn't a problem at the moment. If that
ordering ever changed in the future, then this could lead to some
unexpected crashes. Let's just go ahead and make sure that the struct
clk_init_data is initialized to zero as a good practice.
Fixes: b4cbe606dc367 ("clk: visconti: Add support common clock driver and reset driver")
Link: https://sashiko.dev/#/patchset/20260326042317.122536-1-rosenp%40gmail.com
Signed-off-by: Brian Masney <bmasney@redhat.com>
Reviewed-by: Benoît Monin <benoit.monin@bootlin.com>
Reviewed-by: Nobuhiro Iwamatsu <nobuhiro.iwamatsu.x90@mail.toshiba>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/visconti/pll.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/clk/visconti/pll.c b/drivers/clk/visconti/pll.c
index e9cd80e085dc3..a540936196ca3 100644
--- a/drivers/clk/visconti/pll.c
+++ b/drivers/clk/visconti/pll.c
@@ -244,7 +244,7 @@ static struct clk_hw *visconti_register_pll(struct visconti_pll_provider *ctx,
const struct visconti_pll_rate_table *rate_table,
spinlock_t *lock)
{
- struct clk_init_data init;
+ struct clk_init_data init = {};
struct visconti_pll *pll;
struct clk_hw *pll_hw_clk;
size_t len;
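Review bot: At `struct clk_init_data init = {};` the zero-initialisation is right, but the commit message says the uninitialised `parent_data` and `parent_hws` fields are not a problem today because clk_core_populate_parent_map() prefers the parent names, so this is hardening rather than a fix for an observable bug. For a stable backport it would help to say that explicitly next to the Fixes: tag, so reviewers do not go looking for a crash report.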
--
2.53.0
* [PATCH 6.1 667/969] f2fs: Use sysfs_emit_at() to simplify code
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chao Yu, Christophe JAILLET,
Jaegeuk Kim, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
[ Upstream commit f7a678bbe5a8f22cfcef5369757cc9b95f73e027 ]
This file already uses sysfs_emit(). So be consistent and also use
sysfs_emit_at().
This slightly simplifies the code and makes it more readable.
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Stable-dep-of: 5909bedbed38 ("f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/sysfs.c | 45 +++++++++++++++++++++------------------------
1 file changed, 21 insertions(+), 24 deletions(-)
diff --git a/fs/f2fs/sysfs.c b/fs/f2fs/sysfs.c
index 4e643abbd891a..aeb95c74710eb 100644
--- a/fs/f2fs/sysfs.c
+++ b/fs/f2fs/sysfs.c
@@ -150,50 +150,50 @@ static ssize_t features_show(struct f2fs_attr *a,
int len = 0;
if (f2fs_sb_has_encrypt(sbi))
- len += scnprintf(buf, PAGE_SIZE - len, "%s",
+ len += sysfs_emit_at(buf, len, "%s",
"encryption");
if (f2fs_sb_has_blkzoned(sbi))
- len += scnprintf(buf + len, PAGE_SIZE - len, "%s%s",
+ len += sysfs_emit_at(buf, len, "%s%s",
len ? ", " : "", "blkzoned");
if (f2fs_sb_has_extra_attr(sbi))
- len += scnprintf(buf + len, PAGE_SIZE - len, "%s%s",
+ len += sysfs_emit_at(buf, len, "%s%s",
len ? ", " : "", "extra_attr");
if (f2fs_sb_has_project_quota(sbi))
- len += scnprintf(buf + len, PAGE_SIZE - len, "%s%s",
+ len += sysfs_emit_at(buf, len, "%s%s",
len ? ", " : "", "projquota");
if (f2fs_sb_has_inode_chksum(sbi))
- len += scnprintf(buf + len, PAGE_SIZE - len, "%s%s",
+ len += sysfs_emit_at(buf, len, "%s%s",
len ? ", " : "", "inode_checksum");
if (f2fs_sb_has_flexible_inline_xattr(sbi))
- len += scnprintf(buf + len, PAGE_SIZE - len, "%s%s",
+ len += sysfs_emit_at(buf, len, "%s%s",
len ? ", " : "", "flexible_inline_xattr");
if (f2fs_sb_has_quota_ino(sbi))
- len += scnprintf(buf + len, PAGE_SIZE - len, "%s%s",
+ len += sysfs_emit_at(buf, len, "%s%s",
len ? ", " : "", "quota_ino");
if (f2fs_sb_has_inode_crtime(sbi))
- len += scnprintf(buf + len, PAGE_SIZE - len, "%s%s",
+ len += sysfs_emit_at(buf, len, "%s%s",
len ? ", " : "", "inode_crtime");
if (f2fs_sb_has_lost_found(sbi))
- len += scnprintf(buf + len, PAGE_SIZE - len, "%s%s",
+ len += sysfs_emit_at(buf, len, "%s%s",
len ? ", " : "", "lost_found");
if (f2fs_sb_has_verity(sbi))
- len += scnprintf(buf + len, PAGE_SIZE - len, "%s%s",
+ len += sysfs_emit_at(buf, len, "%s%s",
len ? ", " : "", "verity");
if (f2fs_sb_has_sb_chksum(sbi))
- len += scnprintf(buf + len, PAGE_SIZE - len, "%s%s",
+ len += sysfs_emit_at(buf, len, "%s%s",
len ? ", " : "", "sb_checksum");
if (f2fs_sb_has_casefold(sbi))
- len += scnprintf(buf + len, PAGE_SIZE - len, "%s%s",
+ len += sysfs_emit_at(buf, len, "%s%s",
len ? ", " : "", "casefold");
if (f2fs_sb_has_readonly(sbi))
- len += scnprintf(buf + len, PAGE_SIZE - len, "%s%s",
+ len += sysfs_emit_at(buf, len, "%s%s",
len ? ", " : "", "readonly");
if (f2fs_sb_has_compression(sbi))
- len += scnprintf(buf + len, PAGE_SIZE - len, "%s%s",
+ len += sysfs_emit_at(buf, len, "%s%s",
len ? ", " : "", "compression");
- len += scnprintf(buf + len, PAGE_SIZE - len, "%s%s",
+ len += sysfs_emit_at(buf, len, "%s%s",
len ? ", " : "", "pin_file");
- len += scnprintf(buf + len, PAGE_SIZE - len, "\n");
+ len += sysfs_emit_at(buf, len, "\n");
return len;
}
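Review bot: The first converted call in features_show() goes from `scnprintf(buf, PAGE_SIZE - len, ...)` to `sysfs_emit_at(buf, len, ...)`, which is equivalent only because `len` is still 0 at that point; every other call passed `buf + len`, so the commit message should note the difference. sysfs_emit_at() also expects `buf` to be the page-aligned sysfs buffer and returns 0 with a warning when it is not, or when `at` reaches PAGE_SIZE, so the conversion preserves behaviour here only because these are show() callbacks.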
@@ -310,17 +310,14 @@ static ssize_t f2fs_sbi_show(struct f2fs_attr *a,
int hot_count = sbi->raw_super->hot_ext_count;
int len = 0, i;
- len += scnprintf(buf + len, PAGE_SIZE - len,
- "cold file extension:\n");
+ len += sysfs_emit_at(buf, len, "cold file extension:\n");
for (i = 0; i < cold_count; i++)
- len += scnprintf(buf + len, PAGE_SIZE - len, "%s\n",
- extlist[i]);
+ len += sysfs_emit_at(buf, len, "%s\n", extlist[i]);
- len += scnprintf(buf + len, PAGE_SIZE - len,
- "hot file extension:\n");
+ len += sysfs_emit_at(buf, len, "hot file extension:\n");
for (i = cold_count; i < cold_count + hot_count; i++)
- len += scnprintf(buf + len, PAGE_SIZE - len, "%s\n",
- extlist[i]);
+ len += sysfs_emit_at(buf, len, "%s\n", extlist[i]);
+
return len;
}
--
2.53.0
* [PATCH 6.1 668/969] f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show()
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yongpeng Yang, Chao Yu, Jaegeuk Kim,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yongpeng Yang <yangyongpeng@xiaomi.com>
[ Upstream commit 5909bedbed38c558bee7cb6758ceedf9bc3a9194 ]
In f2fs_sbi_show(), the extension_list, extension_count and
hot_ext_count are read without holding sbi->sb_lock. If a concurrent
sysfs store modifies the extension list via f2fs_update_extension_list(),
the show path may read inconsistent count and array contents, potentially
leading to out-of-bounds access or displaying stale data.
Fix this by holding sb_lock around the entire extension list read
and format operation.
Fixes: b6a06cbbb5f7 ("f2fs: support hot file extension")
Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/sysfs.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/fs/f2fs/sysfs.c b/fs/f2fs/sysfs.c
index aeb95c74710eb..503a50542ac53 100644
--- a/fs/f2fs/sysfs.c
+++ b/fs/f2fs/sysfs.c
@@ -306,10 +306,12 @@ static ssize_t f2fs_sbi_show(struct f2fs_attr *a,
if (!strcmp(a->attr.name, "extension_list")) {
__u8 (*extlist)[F2FS_EXTENSION_LEN] =
sbi->raw_super->extension_list;
- int cold_count = le32_to_cpu(sbi->raw_super->extension_count);
- int hot_count = sbi->raw_super->hot_ext_count;
+ int cold_count, hot_count;
int len = 0, i;
+ f2fs_down_read(&sbi->sb_lock);
+ cold_count = le32_to_cpu(sbi->raw_super->extension_count);
+ hot_count = sbi->raw_super->hot_ext_count;
len += sysfs_emit_at(buf, len, "cold file extension:\n");
for (i = 0; i < cold_count; i++)
len += sysfs_emit_at(buf, len, "%s\n", extlist[i]);
@@ -317,6 +319,7 @@ static ssize_t f2fs_sbi_show(struct f2fs_attr *a,
len += sysfs_emit_at(buf, len, "hot file extension:\n");
for (i = cold_count; i < cold_count + hot_count; i++)
len += sysfs_emit_at(buf, len, "%s\n", extlist[i]);
+ f2fs_up_read(&sbi->sb_lock);
return len;
}
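Review bot: With both counts now read under `sb_lock`, the second loop's bound `cold_count + hot_count` is still taken straight from the `raw_super` fields without being checked against the number of entries in `extension_list`, and `"%s\n"` on `extlist[i]` relies on every `__u8[F2FS_EXTENSION_LEN]` entry (declared in the previous hunk) being NUL-terminated. The lock closes the race the commit message describes; consider also clamping the sum to the array size and printing with a bounded precision (`%.*s` with F2FS_EXTENSION_LEN) so that bad superblock contents cannot cause the same out-of-bounds read.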
--
2.53.0
* [PATCH 6.1 669/969] drm/i915: Constify watermark state checker
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ville Syrjälä, Jani Nikula,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ville Syrjälä <ville.syrjala@linux.intel.com>
[ Upstream commit 487a2db8bc4eb79c53c9ff8fca65a7fc8350df6c ]
The skl+ wm state checker has no reason to modify the crtc state,
so make it const.
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20231004155607.7719-6-ville.syrjala@linux.intel.com
Reviewed-by: Jani Nikula <jani.nikula@intel.com>
Stable-dep-of: a97c88a176b6 ("drm/i915/wm: Verify the correct plane DDB entry")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/i915/display/skl_watermark.c | 2 +-
drivers/gpu/drm/i915/display/skl_watermark.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/i915/display/skl_watermark.c b/drivers/gpu/drm/i915/display/skl_watermark.c
index a7adf02476f6a..b6951881c0570 100644
--- a/drivers/gpu/drm/i915/display/skl_watermark.c
+++ b/drivers/gpu/drm/i915/display/skl_watermark.c
@@ -3014,7 +3014,7 @@ void skl_wm_sanitize(struct drm_i915_private *i915)
}
void intel_wm_state_verify(struct intel_crtc *crtc,
- struct intel_crtc_state *new_crtc_state)
+ const struct intel_crtc_state *new_crtc_state)
{
struct drm_i915_private *i915 = to_i915(crtc->base.dev);
struct skl_hw_state {
diff --git a/drivers/gpu/drm/i915/display/skl_watermark.h b/drivers/gpu/drm/i915/display/skl_watermark.h
index 7a5a4e67cd738..d1a1fe322e869 100644
--- a/drivers/gpu/drm/i915/display/skl_watermark.h
+++ b/drivers/gpu/drm/i915/display/skl_watermark.h
@@ -42,7 +42,7 @@ void skl_wm_get_hw_state(struct drm_i915_private *i915);
void skl_wm_sanitize(struct drm_i915_private *i915);
void intel_wm_state_verify(struct intel_crtc *crtc,
- struct intel_crtc_state *new_crtc_state);
+ const struct intel_crtc_state *new_crtc_state);
void skl_watermark_ipc_init(struct drm_i915_private *i915);
void skl_watermark_ipc_update(struct drm_i915_private *i915);
--
2.53.0
* [PATCH 6.1 670/969] drm/i915: Extract intel_dbuf_mdclk_cdclk_ratio_update()
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matt Roper, Gustavo Sousa,
Lucas De Marchi, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gustavo Sousa <gustavo.sousa@intel.com>
[ Upstream commit 66a0e0681392420b326f00ba732e6bda099eda29 ]
As of Xe2LPD, it is now possible to select the source of the MDCLK
as either the CD2XCLK or the CDCLK PLL.
Previous display IPs were hardcoded to use the CD2XCLK. For those, the
ratio between MDCLK and CDCLK remained constant, namely 2. For Xe2LPD,
when we select the CDCLK PLL as the source, the ratio will vary
according to the squashing configuration (since the cd2x divisor is
fixed for all supported configurations).
To help the transition to supporting changes in the ratio, extract the
function intel_dbuf_mdclk_cdclk_ratio_update() from the existing logic
and call it using 2 as hardcoded ratio. Upcoming changes will use that
function for updates in the ratio due to CDCLK changes.
Bspec: 50057, 69445, 49213, 68868
Reviewed-by: Matt Roper <matthew.d.roper@intel.com>
Signed-off-by: Gustavo Sousa <gustavo.sousa@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240312163639.172321-5-gustavo.sousa@intel.com
Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
Stable-dep-of: a97c88a176b6 ("drm/i915/wm: Verify the correct plane DDB entry")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/i915/display/skl_watermark.c | 30 +++++++++++++-------
1 file changed, 19 insertions(+), 11 deletions(-)
diff --git a/drivers/gpu/drm/i915/display/skl_watermark.c b/drivers/gpu/drm/i915/display/skl_watermark.c
index b6951881c0570..e553192e12b76 100644
--- a/drivers/gpu/drm/i915/display/skl_watermark.c
+++ b/drivers/gpu/drm/i915/display/skl_watermark.c
@@ -3346,6 +3346,21 @@ int intel_dbuf_init(struct drm_i915_private *i915)
return 0;
}
+static void intel_dbuf_mdclk_cdclk_ratio_update(struct drm_i915_private *i915,
+ u8 ratio,
+ bool joined_mbus)
+{
+ enum dbuf_slice slice;
+
+ if (joined_mbus)
+ ratio *= 2;
+
+ for_each_dbuf_slice(i915, slice)
+ intel_de_rmw(i915, DBUF_CTL_S(slice),
+ DBUF_MIN_TRACKER_STATE_SERVICE_MASK,
+ DBUF_MIN_TRACKER_STATE_SERVICE(ratio - 1));
+}
+
/*
* Configure MBUS_CTL and all DBUF_CTL_S of each slice to join_mbus state before
* update the request state of all DBUS slices.
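Review bot: In intel_dbuf_mdclk_cdclk_ratio_update(), `ratio` is a `u8` that is doubled for joined MBUS and then passed as `ratio - 1`, with no guard against a caller passing 0 or a value that no longer fits the DBUF_MIN_TRACKER_STATE_SERVICE field after doubling. With the only caller passing 2 this yields 1 and 3, matching the values removed from update_mbus_pre_enable(), but since the commit message says later changes will pass a variable ratio, a drm_WARN_ON for `ratio == 0` and a short comment on the expected range would be worth adding now.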
@@ -3353,8 +3368,7 @@ int intel_dbuf_init(struct drm_i915_private *i915)
static void update_mbus_pre_enable(struct intel_atomic_state *state)
{
struct drm_i915_private *i915 = to_i915(state->base.dev);
- u32 mbus_ctl, dbuf_min_tracker_val;
- enum dbuf_slice slice;
+ u32 mbus_ctl;
const struct intel_dbuf_state *dbuf_state =
intel_atomic_get_new_dbuf_state(state);
@@ -3365,24 +3379,18 @@ static void update_mbus_pre_enable(struct intel_atomic_state *state)
* TODO: Implement vblank synchronized MBUS joining changes.
* Must be properly coordinated with dbuf reprogramming.
*/
- if (dbuf_state->joined_mbus) {
+ if (dbuf_state->joined_mbus)
mbus_ctl = MBUS_HASHING_MODE_1x4 | MBUS_JOIN |
MBUS_JOIN_PIPE_SELECT_NONE;
- dbuf_min_tracker_val = DBUF_MIN_TRACKER_STATE_SERVICE(3);
- } else {
+ else
mbus_ctl = MBUS_HASHING_MODE_2x2 |
MBUS_JOIN_PIPE_SELECT_NONE;
- dbuf_min_tracker_val = DBUF_MIN_TRACKER_STATE_SERVICE(1);
- }
intel_de_rmw(i915, MBUS_CTL,
MBUS_HASHING_MODE_MASK | MBUS_JOIN |
MBUS_JOIN_PIPE_SELECT_MASK, mbus_ctl);
- for_each_dbuf_slice(i915, slice)
- intel_de_rmw(i915, DBUF_CTL_S(slice),
- DBUF_MIN_TRACKER_STATE_SERVICE_MASK,
- dbuf_min_tracker_val);
+ intel_dbuf_mdclk_cdclk_ratio_update(i915, 2, dbuf_state->joined_mbus);
}
void intel_dbuf_pre_plane_update(struct intel_atomic_state *state)
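Review bot: The call `intel_dbuf_mdclk_cdclk_ratio_update(i915, 2, dbuf_state->joined_mbus)` passes the MDCLK/CDCLK ratio as a bare literal; a one-line comment or a named constant saying that these display IPs are fixed at a ratio of 2 would keep the reason from living only in the commit message. The MBUS_CTL write still precedes the per-slice DBUF_CTL_S writes, so the programming order is unchanged.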
--
2.53.0
* [PATCH 6.1 671/969] drm/i915: Loop over all active pipes in intel_mbus_dbox_update
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uma Shankar, Stanislav Lisovskiy,
Ville Syrjälä, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stanislav Lisovskiy <stanislav.lisovskiy@intel.com>
[ Upstream commit e8333ab22cd8c750b7c14d3da7c0eef3ba85527f ]
We need to loop through all active pipes, not just the ones that
are in current state, because disabling and enabling even a particular
pipe affects credits in another one.
Reviewed-by: Uma Shankar <uma.shankar@intel.com>
Signed-off-by: Stanislav Lisovskiy <stanislav.lisovskiy@intel.com>
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240402155016.13733-6-ville.syrjala@linux.intel.com
Stable-dep-of: a97c88a176b6 ("drm/i915/wm: Verify the correct plane DDB entry")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/i915/display/skl_watermark.c | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/i915/display/skl_watermark.c b/drivers/gpu/drm/i915/display/skl_watermark.c
index e553192e12b76..2a60aa3fedf82 100644
--- a/drivers/gpu/drm/i915/display/skl_watermark.c
+++ b/drivers/gpu/drm/i915/display/skl_watermark.c
@@ -3456,10 +3456,8 @@ void intel_mbus_dbox_update(struct intel_atomic_state *state)
{
struct drm_i915_private *i915 = to_i915(state->base.dev);
const struct intel_dbuf_state *new_dbuf_state, *old_dbuf_state;
- const struct intel_crtc_state *new_crtc_state;
const struct intel_crtc *crtc;
u32 val = 0;
- int i;
if (DISPLAY_VER(i915) < 11)
return;
@@ -3503,12 +3501,9 @@ void intel_mbus_dbox_update(struct intel_atomic_state *state)
val |= MBUS_DBOX_B_CREDIT(8);
}
- for_each_new_intel_crtc_in_state(state, crtc, new_crtc_state, i) {
+ for_each_intel_crtc_in_pipe_mask(&i915->drm, crtc, new_dbuf_state->active_pipes) {
u32 pipe_val = val;
- if (!new_crtc_state->hw.active)
- continue;
-
if (DISPLAY_VER(i915) >= 14) {
if (xelpdp_is_only_pipe_per_dbuf_bank(crtc->pipe,
new_dbuf_state->active_pipes))
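Review bot: The loop now runs over `new_dbuf_state->active_pipes` and drops the `new_crtc_state->hw.active` check, so it visits crtcs that are not part of this atomic state; neither the hunk nor the commit message says what guarantees that `active_pipes` is current for those crtcs or that updating them here is safe without their state being in the commit. A comment above `for_each_intel_crtc_in_pipe_mask()` stating that assumption would help, especially for a backport pulled in only as a dependency.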
--
2.53.0
* [PATCH 6.1 672/969] drm/i915/wm: Verify the correct plane DDB entry
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ville Syrjälä,
Vinod Govindapillai, Tvrtko Ursulin, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ville Syrjälä <ville.syrjala@linux.intel.com>
[ Upstream commit a97c88a176b6b8d116f4d3f508f3bd02bc77b462 ]
Actually verify the DDB entry for the plane we're looking
at instead of always verifying the cursor DDB.
Fixes: 7d4561722c3b ("drm/i915: Tweak plane ddb allocation tracking")
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patch.msgid.link/20260324134843.2364-5-ville.syrjala@linux.intel.com
Reviewed-by: Vinod Govindapillai <vinod.govindapillai@intel.com>
(cherry picked from commit f002f7c7439de18117a31ca84dc87a59719c3dd6)
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/i915/display/skl_watermark.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/i915/display/skl_watermark.c b/drivers/gpu/drm/i915/display/skl_watermark.c
index 2a60aa3fedf82..965d8e762883f 100644
--- a/drivers/gpu/drm/i915/display/skl_watermark.c
+++ b/drivers/gpu/drm/i915/display/skl_watermark.c
@@ -3118,8 +3118,8 @@ void intel_wm_state_verify(struct intel_crtc *crtc,
}
/* DDB */
- hw_ddb_entry = &hw->ddb[PLANE_CURSOR];
- sw_ddb_entry = &new_crtc_state->wm.skl.plane_ddb[PLANE_CURSOR];
+ hw_ddb_entry = &hw->ddb[plane->id];
+ sw_ddb_entry = &new_crtc_state->wm.skl.plane_ddb[plane->id];
if (!skl_ddb_entry_equal(hw_ddb_entry, sw_ddb_entry)) {
drm_err(&i915->drm,
--
2.53.0
* [PATCH 6.1 673/969] crypto: sa2ul - Fix AEAD fallback algorithm names
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, T Pratham, Manorit Chawdhry,
Herbert Xu, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: T Pratham <t-pratham@ti.com>
[ Upstream commit 8451ab6ad686ffdcdf9ddadaa446a79ab48e5590 ]
For authenc AEAD algorithms, sa2ul is trying to register very specific
-ce version as a fallback. This causes registration failure on SoCs
which do not have ARMv8-CE enabled/available. Change the fallback
algorithm from the specific driver name to generic algorithm name so
that the kernel can allocate any available fallback.
Fixes: d2c8ac187fc92 ("crypto: sa2ul - Add AEAD algorithm support")
Signed-off-by: T Pratham <t-pratham@ti.com>
Reviewed-by: Manorit Chawdhry <m-chawdhry@ti.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/sa2ul.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/sa2ul.c b/drivers/crypto/sa2ul.c
index e7efebf8127f0..2677062d33b8b 100644
--- a/drivers/crypto/sa2ul.c
+++ b/drivers/crypto/sa2ul.c
@@ -1774,13 +1774,13 @@ static int sa_cra_init_aead(struct crypto_aead *tfm, const char *hash,
static int sa_cra_init_aead_sha1(struct crypto_aead *tfm)
{
return sa_cra_init_aead(tfm, "sha1",
- "authenc(hmac(sha1-ce),cbc(aes-ce))");
+ "authenc(hmac(sha1),cbc(aes))");
}
static int sa_cra_init_aead_sha256(struct crypto_aead *tfm)
{
return sa_cra_init_aead(tfm, "sha256",
- "authenc(hmac(sha256-ce),cbc(aes-ce))");
+ "authenc(hmac(sha256),cbc(aes))");
}
static void sa_exit_tfm_aead(struct crypto_aead *tfm)
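Review bot: Both fallback strings now use generic names, `authenc(hmac(sha1),cbc(aes))` and `authenc(hmac(sha256),cbc(aes))`, which lets the crypto API pick any implementation registered under that name; the hunk does not show how sa_cra_init_aead() allocates the fallback, so it should be confirmed that the allocation masks out algorithms flagged CRYPTO_ALG_NEED_FALLBACK, otherwise the lookup could resolve to this driver's own AEAD. A sentence on that in the commit message would settle it for reviewers.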
--
2.53.0
* [PATCH 6.1 674/969] crypto: ccp - copy IV using skcipher ivsize
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul Moses, Tom Lendacky, Herbert Xu,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Moses <p@1g4.org>
[ Upstream commit a7a1f3cdd64d8a165d9b8c9e9ad7fb46ac19dfc4 ]
AF_ALG rfc3686-ctr-aes-ccp requests pass an 8-byte IV to the driver.
ccp_aes_complete() restores AES_BLOCK_SIZE bytes into the caller's IV
buffer while RFC3686 skciphers expose an 8-byte IV, so the restore
overruns the provided buffer.
Use crypto_skcipher_ivsize() to copy only the algorithm's IV length.
Fixes: 2b789435d7f3 ("crypto: ccp - CCP AES crypto API support")
Signed-off-by: Paul Moses <p@1g4.org>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/ccp/ccp-crypto-aes.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/ccp/ccp-crypto-aes.c b/drivers/crypto/ccp/ccp-crypto-aes.c
index bed331953ff94..87b628bebf96e 100644
--- a/drivers/crypto/ccp/ccp-crypto-aes.c
+++ b/drivers/crypto/ccp/ccp-crypto-aes.c
@@ -28,8 +28,11 @@ static int ccp_aes_complete(struct crypto_async_request *async_req, int ret)
if (ret)
return ret;
- if (ctx->u.aes.mode != CCP_AES_MODE_ECB)
- memcpy(req->iv, rctx->iv, AES_BLOCK_SIZE);
+ if (ctx->u.aes.mode != CCP_AES_MODE_ECB) {
+ size_t ivsize = crypto_skcipher_ivsize(crypto_skcipher_reqtfm(req));
+
+ memcpy(req->iv, rctx->iv, ivsize);
+ }
return 0;
}
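Review bot: The copy is now bounded by `crypto_skcipher_ivsize()`, which stops the write past the caller's 8-byte buffer, but it still takes the leading `ivsize` bytes of `rctx->iv`, and the commit message does not say whether those leading bytes are what an RFC3686 caller should get back. A short comment at the `memcpy()` explaining the layout of `rctx->iv` for that mode would answer this; it is also worth checking whether any other completion handler in the driver restores the IV with a fixed AES_BLOCK_SIZE.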
--
2.53.0
* [PATCH 6.1 675/969] arm64: dts: imx8mp-icore-mx8mp: Correct PAD settings for PMIC_nINT
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Peng Fan, Frank Li, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
[ Upstream commit ea8c90f5c7ceeb6657a8fe564aa7b190dce298a6 ]
With commit 5d0efaf47ee90 ("regulator: pca9450: Correct interrupt type"),
there might be an interrupt storm for this board. Need to set PAD PUE and PU
together to make pull up work properly.
Fixes: eefe06b295087 ("arm64: dts: imx8mp: Add Engicam i.Core MX8M Plus SoM")
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mp-icore-mx8mp.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8mp-icore-mx8mp.dtsi b/arch/arm64/boot/dts/freescale/imx8mp-icore-mx8mp.dtsi
index a6319824ea2eb..69558ffefa9a6 100644
--- a/arch/arm64/boot/dts/freescale/imx8mp-icore-mx8mp.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mp-icore-mx8mp.dtsi
@@ -132,7 +132,7 @@ MX8MP_IOMUXC_I2C1_SDA__I2C1_SDA 0x400001c3
pinctrl_pmic: pmicgrp {
fsl,pins = <
- MX8MP_IOMUXC_NAND_CE0_B__GPIO3_IO01 0x41
+ MX8MP_IOMUXC_NAND_CE0_B__GPIO3_IO01 0x1c0
>;
};
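Review bot: the new pad value 0x1c0 for MX8MP_IOMUXC_NAND_CE0_B__GPIO3_IO01 differs from the old 0x41 in three bits (0x100 and 0x80 are set, 0x01 is cleared), but the commit message only talks about setting PUE and PU together. Please say in the message, or in a comment next to the value, what the 0x80 and 0x01 changes are for, so the raw constant can be checked against the pad register description.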
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 676/969] arm64: dts: imx8mp-dhcom-som: Correct PAD settings for PMIC_nINT
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (674 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 675/969] arm64: dts: imx8mp-icore-mx8mp: Correct PAD settings for PMIC_nINT Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 677/969] PCMCIA: Fix garbled log messages for KERN_CONT Greg Kroah-Hartman
` (299 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Peng Fan, Frank Li, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
[ Upstream commit f9ed5afc988da3e22543725e35be6addbb0497bc ]
PMIC_nINT is low level triggered, but the current PAD setting is
PE=0,PUE=0,FSEL_1_FAST_SLEW_RATE=1,SION=1. So the PAD needs to be configured
as PULL UP with PULL Enable, with no need for SION. Correct it.
Fixes: 8d6712695bc8e ("arm64: dts: imx8mp: Add support for DH electronics i.MX8M Plus DHCOM and PDK2")
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi
index 0b81b85887f40..9379a5b08e6dd 100644
--- a/arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi
@@ -807,7 +807,7 @@ MX8MP_IOMUXC_HDMI_DDC_SDA__GPIO3_IO27 0x84
pinctrl_pmic: dhcom-pmic-grp {
fsl,pins = <
/* PMIC_nINT */
- MX8MP_IOMUXC_GPIO1_IO03__GPIO1_IO03 0x40000090
+ MX8MP_IOMUXC_GPIO1_IO03__GPIO1_IO03 0x1c0
>;
};
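Review bot: going from 0x40000090 to 0x1c0 also clears 0x10 in the low bits, which the commit message does not mention; it lists FSEL_1_FAST_SLEW_RATE=1 as part of the old setting but only says that pull-up with pull enable is needed and SION is not. If dropping 0x10 is intended, state it in the message. Extending the existing /* PMIC_nINT */ comment with the bit names behind 0x1c0 would make the value reviewable without the reference manual.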
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 677/969] PCMCIA: Fix garbled log messages for KERN_CONT
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (675 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 676/969] arm64: dts: imx8mp-dhcom-som: " Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 678/969] arm64: dts: imx8mn-tqma8mqnl: Correct PAD settings for PMIC_nINT Greg Kroah-Hartman
` (298 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, René Rebe, Dominik Brodowski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: René Rebe <rene@exactco.de>
[ Upstream commit bfeaa6814bd3f9a1f6d525b3b35a03b9a0368961 ]
For years the PCMCIA info messages have been messed up by superfluous
newlines. While f2e6cf76751d ("pcmcia: Convert dev_printk to
dev_<level>") converted the code to pr_cont(), dev_info enforces a \n
via vprintk_store setting LOG_NEWLINE, breaking subsequent pr_cont.
Fix by logging the device name manually to allow pr_cont to work for
more readable and not \n distorted logs.
Fixes: f2e6cf76751d ("pcmcia: Convert dev_printk to dev_<level>")
Signed-off-by: René Rebe <rene@exactco.de>
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pcmcia/rsrc_nonstatic.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/pcmcia/rsrc_nonstatic.c b/drivers/pcmcia/rsrc_nonstatic.c
index 0a4e439d46094..f9baf28bc32b8 100644
--- a/drivers/pcmcia/rsrc_nonstatic.c
+++ b/drivers/pcmcia/rsrc_nonstatic.c
@@ -188,7 +188,7 @@ static void do_io_probe(struct pcmcia_socket *s, unsigned int base,
int any;
u_char *b, hole, most;
- dev_info(&s->dev, "cs: IO port probe %#x-%#x:", base, base+num-1);
+ pr_info("%s: cs: IO port probe %#x-%#x:", dev_name(&s->dev), base, base+num-1);
/* First, what does a floating port look like? */
b = kzalloc(256, GFP_KERNEL);
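Review bot: switching do_io_probe() from dev_info() to pr_info() with dev_name(&s->dev) changes the start of the log line from whatever prefix dev_info() generates to the bare device name, and the commit message does not show the resulting output. A before/after sample of the line in the message would let users with log filters see what changes. The new call is also left on one long line while the matching call in do_mem_probe() is wrapped; wrap it the same way.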
@@ -410,8 +410,8 @@ static int do_mem_probe(struct pcmcia_socket *s, u_long base, u_long num,
struct socket_data *s_data = s->resource_data;
u_long i, j, bad, fail, step;
- dev_info(&s->dev, "cs: memory probe 0x%06lx-0x%06lx:",
- base, base+num-1);
+ pr_info("%s: cs: memory probe 0x%06lx-0x%06lx:",
+ dev_name(&s->dev), base, base+num-1);
bad = fail = 0;
step = (num < 0x20000) ? 0x2000 : ((num>>4) & ~0x1fff);
/* don't allow too large steps */
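Review bot: the pr_info() format in do_mem_probe() still ends in ':' with no newline, so the line is only complete once a later pr_cont() supplies the rest. Please confirm that every exit from the probe terminates the line, and consider collecting the result in a local buffer and emitting it with a single dev_info() call, which would keep device-aware logging and avoid depending on continuation lines at all.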
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 678/969] arm64: dts: imx8mn-tqma8mqnl: Correct PAD settings for PMIC_nINT
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (676 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 677/969] PCMCIA: Fix garbled log messages for KERN_CONT Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 679/969] arm64: dts: imx8mm-tqma8mqml: " Greg Kroah-Hartman
` (297 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Peng Fan, Frank Li, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
[ Upstream commit 0fb37990774113afd943eaa91323679388584b6d ]
With commit 5d0efaf47ee90 ("regulator: pca9450: Correct interrupt type"),
there might be an interrupt storm for this board. Need to set PAD PUE and PU
together to make pull up work properly.
Fixes: 3e56e354db6d3 ("arm64: dts: freescale: add initial device tree for TQMa8MQNL with i.MX8MN")
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mn-tqma8mqnl.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8mn-tqma8mqnl.dtsi b/arch/arm64/boot/dts/freescale/imx8mn-tqma8mqnl.dtsi
index 0ed3475feb164..6d43327927b9b 100644
--- a/arch/arm64/boot/dts/freescale/imx8mn-tqma8mqnl.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mn-tqma8mqnl.dtsi
@@ -282,7 +282,7 @@ pinctrl_i2c1_gpio: i2c1gpiogrp {
};
pinctrl_pmic: pmicgrp {
- fsl,pins = <MX8MN_IOMUXC_GPIO1_IO08_GPIO1_IO8 0x84>;
+ fsl,pins = <MX8MN_IOMUXC_GPIO1_IO08_GPIO1_IO8 0x1c4>;
};
pinctrl_reg_usdhc2_vmmc: regusdhc2vmmcgrp {
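Review bot: the replacement value 0x1c4 on the fsl,pins line is a bare constant. Its difference from 0x84 is 0x140, which fits the two pull-related bits the commit message talks about, but nothing in the file says so. A short comment naming the pin's role (PMIC_nINT, as in the subject line) and the bits being set would help, as the dhcom-som file in this series already does with its /* PMIC_nINT */ comment.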
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 679/969] arm64: dts: imx8mm-tqma8mqml: Correct PAD settings for PMIC_nINT
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (677 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 678/969] arm64: dts: imx8mn-tqma8mqnl: Correct PAD settings for PMIC_nINT Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 680/969] net/sched: sch_cake: fix NAT destination port not being updated in cake_update_flowkeys Greg Kroah-Hartman
` (296 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Peng Fan, Frank Li, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
[ Upstream commit 42a9f5a16328ed78a88e0498556965b6c6ec515c ]
With commit 5d0efaf47ee90 ("regulator: pca9450: Correct interrupt type"),
there might be an interrupt storm for this board. Need to set PAD PUE and PU
together to make pull up work properly.
Fixes: dfcd1b6f7620e ("arm64: dts: freescale: add initial device tree for TQMa8MQML with i.MX8MM")
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mm-tqma8mqml.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8mm-tqma8mqml.dtsi b/arch/arm64/boot/dts/freescale/imx8mm-tqma8mqml.dtsi
index f649dfacb4b69..4d79f388ebd26 100644
--- a/arch/arm64/boot/dts/freescale/imx8mm-tqma8mqml.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mm-tqma8mqml.dtsi
@@ -280,7 +280,7 @@ pinctrl_i2c1_gpio: i2c1gpiogrp {
};
pinctrl_pmic: pmicgrp {
- fsl,pins = <MX8MM_IOMUXC_GPIO1_IO08_GPIO1_IO8 0x94>;
+ fsl,pins = <MX8MM_IOMUXC_GPIO1_IO08_GPIO1_IO8 0x1d4>;
};
pinctrl_reg_usdhc2_vmmc: regusdhc2vmmcgrp {
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 680/969] net/sched: sch_cake: fix NAT destination port not being updated in cake_update_flowkeys
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (678 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 679/969] arm64: dts: imx8mm-tqma8mqml: " Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 681/969] nexthop: fix IPv6 route referencing IPv4 nexthop Greg Kroah-Hartman
` (295 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dudu Lu,
Toke Høiland-Jørgensen, Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dudu Lu <phx0fer@gmail.com>
[ Upstream commit f9e40664706927d7ae22a448a3383e23c38a4c0b ]
cake_update_flowkeys() is supposed to update the flow dissector keys
with the NAT-translated addresses and ports from conntrack, so that
CAKE's per-flow fairness correctly identifies post-NAT flows as
belonging to the same connection.
For the source port, this works correctly:
keys->ports.src = port;
But for the destination port, the assignment is reversed:
port = keys->ports.dst;
This means the NAT destination port is never updated in the flow keys.
As a result, when multiple connections are NATed to the same destination,
CAKE treats them as separate flows because the original (pre-NAT)
destination ports differ. This breaks CAKE's NAT-aware flow isolation
when using the "nat" mode.
The bug was introduced in commit b0c19ed6088a ("sch_cake: Take advantage
of skb->hash where appropriate") which refactored the original direct
assignment into a compare-and-conditionally-update pattern, but wrote
the destination port update backwards.
Fix by reversing the assignment direction to match the source port
pattern.
Fixes: b0c19ed6088a ("sch_cake: Take advantage of skb->hash where appropriate")
Signed-off-by: Dudu Lu <phx0fer@gmail.com>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Link: https://patch.msgid.link/20260413110041.44704-1-phx0fer@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_cake.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c
index e4fd66a1c5cd4..204cc04d4c6e8 100644
--- a/net/sched/sch_cake.c
+++ b/net/sched/sch_cake.c
@@ -619,7 +619,7 @@ static bool cake_update_flowkeys(struct flow_keys *keys,
}
port = rev ? tuple.src.u.all : tuple.dst.u.all;
if (port != keys->ports.dst) {
- port = keys->ports.dst;
+ keys->ports.dst = port;
upd = true;
}
}
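Review bot: the corrected assignment keys->ports.dst = port is right, but it sits in a compare-and-update block that is written out by hand for each field, which is how the reversed assignment described in the commit message went unnoticed. A small helper that takes a pointer to the key field and the NAT value and returns whether it changed would remove the duplication, and a selftest that checks flow isolation in "nat" mode with a translated destination port would catch a regression.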
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 681/969] nexthop: fix IPv6 route referencing IPv4 nexthop
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (679 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 680/969] net/sched: sch_cake: fix NAT destination port not being updated in cake_update_flowkeys Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 682/969] net/sched: taprio: continue with other TXQs if one dequeue() failed Greg Kroah-Hartman
` (294 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiayuan Chen, David Ahern,
Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayuan Chen <jiayuan.chen@linux.dev>
[ Upstream commit 29c95185ba32b621fbc3800fb86e7dc3edf5c2be ]
syzbot reported a panic [1] [2].
When an IPv6 nexthop is replaced with an IPv4 nexthop, the has_v4 flag
of all groups containing this nexthop is not updated. This is because
nh_group_v4_update is only called when replacing AF_INET to AF_INET6,
but the reverse direction (AF_INET6 to AF_INET) is missed.
This allows a stale has_v4=false to bypass fib6_check_nexthop, causing
IPv6 routes to be attached to groups that effectively contain only AF_INET
members. Subsequent route lookups then call nexthop_fib6_nh() which
returns NULL for the AF_INET member, leading to a NULL pointer
dereference.
Fix by calling nh_group_v4_update whenever the family changes, not just
AF_INET to AF_INET6.
Reproducer:
# AF_INET6 blackhole
ip -6 nexthop add id 1 blackhole
# group with has_v4=false
ip nexthop add id 100 group 1
# replace with AF_INET (no -6), has_v4 stays false
ip nexthop replace id 1 blackhole
# pass stale has_v4 check
ip -6 route add 2001:db8::/64 nhid 100
# panic
ping -6 2001:db8::1
[1] https://syzkaller.appspot.com/bug?id=e17283eb2f8dcf3dd9b47fe6f67a95f71faadad0
[2] https://syzkaller.appspot.com/bug?id=8699b6ae54c9f35837d925686208402949e12ef3
Fixes: 7bf4796dd099 ("nexthops: add support for replace")
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20260413114522.147784-1-jiayuan.chen@linux.dev
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/nexthop.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/nexthop.c b/net/ipv4/nexthop.c
index 10cb365639aaa..49871e5f46802 100644
--- a/net/ipv4/nexthop.c
+++ b/net/ipv4/nexthop.c
@@ -2160,10 +2160,10 @@ static int replace_nexthop_single(struct net *net, struct nexthop *old,
goto err_notify;
}
- /* When replacing an IPv4 nexthop with an IPv6 nexthop, potentially
+ /* When replacing a nexthop with one of a different family, potentially
* update IPv4 indication in all the groups using the nexthop.
*/
- if (oldi->family == AF_INET && newi->family == AF_INET6) {
+ if (oldi->family != newi->family) {
list_for_each_entry(nhge, &old->grp_list, nh_list) {
struct nexthop *nhp = nhge->nh_parent;
struct nh_group *nhg;
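Review bot: with the condition widened to oldi->family != newi->family, the loop now also runs for the AF_INET6 to AF_INET replacement, where has_v4 has to become true rather than false. The body that performs the update is outside this hunk, so please confirm that nh_group_v4_update() recomputes the flag from all group members instead of only clearing it. The reproducer in the commit message would also be worth adding as a selftest.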
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
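Added example (not kernel code and not from the patch author): a user-space C model of the cached has_v4 flag that replays the reproducer's steps from the message above under the old and the new refresh condition. All struct and function names are hypothetical, and the model assumes, as the commit message states, that the IPv6 route check consults only the cached flag.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical user-space model; none of these names are kernel symbols. */
enum family { FAM_INET, FAM_INET6 };

#define MAX_MEMBERS 4

struct model_nh {
	int id;
	enum family family;
};

struct model_group {
	struct model_nh *members[MAX_MEMBERS];
	size_t n;
	bool has_v4;	/* cached answer to "is any member AF_INET?" */
};

/* Recompute the cached flag from the current members. */
static void group_refresh_has_v4(struct model_group *g)
{
	bool v4 = false;
	size_t i;

	for (i = 0; i < g->n; i++)
		if (g->members[i]->family == FAM_INET)
			v4 = true;
	g->has_v4 = v4;
}

static void group_add(struct model_group *g, struct model_nh *nh)
{
	if (g->n < MAX_MEMBERS)
		g->members[g->n++] = nh;
	group_refresh_has_v4(g);
}

/* Replace a nexthop in place; 'patched' selects the refresh condition. */
static void replace_single(struct model_nh *nh, enum family newfam,
			   struct model_group *g, bool patched)
{
	enum family oldfam = nh->family;
	bool refresh = patched ? (oldfam != newfam)
			       : (oldfam == FAM_INET && newfam == FAM_INET6);

	nh->family = newfam;
	if (refresh)
		group_refresh_has_v4(g);
}

/* IPv6 route attach: trusts the cached flag and nothing else. */
static bool v6_route_allowed(const struct model_group *g)
{
	return !g->has_v4;
}

/* IPv6 lookup: a member with no IPv6 data is the NULL case from the report. */
static bool v6_lookup_finds_v4_member(const struct model_group *g)
{
	size_t i;

	for (i = 0; i < g->n; i++)
		if (g->members[i]->family != FAM_INET6)
			return true;
	return false;
}

enum outcome { ROUTE_REJECTED, LOOKUP_OK, LOOKUP_HITS_V4 };

/* Same order as the reproducer: add v6 nexthop, group it, replace, route. */
static enum outcome run_reproducer(bool patched)
{
	struct model_nh nh1 = { .id = 1, .family = FAM_INET6 };
	struct model_group grp = { .n = 0, .has_v4 = false };

	group_add(&grp, &nh1);				/* has_v4 = false */
	replace_single(&nh1, FAM_INET, &grp, patched);	/* v6 -> v4 */
	if (!v6_route_allowed(&grp))
		return ROUTE_REJECTED;
	return v6_lookup_finds_v4_member(&grp) ? LOOKUP_HITS_V4 : LOOKUP_OK;
}

/* The v4 -> v6 direction, which the old condition already covered. */
static bool has_v4_after_v4_to_v6(bool patched)
{
	struct model_nh nh1 = { .id = 1, .family = FAM_INET };
	struct model_group grp = { .n = 0, .has_v4 = false };

	group_add(&grp, &nh1);				/* has_v4 = true */
	replace_single(&nh1, FAM_INET6, &grp, patched);
	return grp.has_v4;
}

int main(void)
{
	printf("old condition: outcome %d\n", run_reproducer(false));
	printf("new condition: outcome %d\n", run_reproducer(true));
	return 0;
}
```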
* [PATCH 6.1 682/969] net/sched: taprio: continue with other TXQs if one dequeue() failed
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (680 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 681/969] nexthop: fix IPv6 route referencing IPv4 nexthop Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 683/969] net/sched: taprio: refactor one skb dequeue from TXQ to separate function Greg Kroah-Hartman
` (293 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Oltean, Kurt Kanzenbach,
David S. Miller, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Oltean <vladimir.oltean@nxp.com>
[ Upstream commit 1638bbbe4ececa615b273497d347d59ad71060a2 ]
This changes the handling of an unlikely condition to not stop dequeuing
if taprio failed to dequeue the peeked skb in taprio_dequeue().
I've no idea when this can happen, but the only side effect seems to be
that the atomic_sub_return() call right above will have consumed some
budget. This isn't a big deal, since either that made us remain without
any budget (and therefore, we'd exit on the next peeked skb anyway), or
we could send some packets from other TXQs.
I'm making this change because in a future patch I'll be refactoring the
dequeue procedure to simplify it, and this corner case will have to go
away.
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Reviewed-by: Kurt Kanzenbach <kurt@linutronix.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 105425b1969c ("net/sched: taprio: fix use-after-free in advance_sched() on schedule switch")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_taprio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c
index 62219f23f76ab..aad95b084ae36 100644
--- a/net/sched/sch_taprio.c
+++ b/net/sched/sch_taprio.c
@@ -626,7 +626,7 @@ static struct sk_buff *taprio_dequeue(struct Qdisc *sch)
skb = child->ops->dequeue(child);
if (unlikely(!skb))
- goto done;
+ continue;
skb_found:
qdisc_bstats_update(sch, skb);
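Review bot: the unlikely(!skb) branch now continues with the next TXQ, but per the commit message the packet length has already been subtracted from the budget by the atomic_sub_return() call above and is not given back. The message argues this is harmless; a one-line comment at the continue saying the budget is intentionally not refunded would keep that reasoning next to the code.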
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 683/969] net/sched: taprio: refactor one skb dequeue from TXQ to separate function
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (681 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 682/969] net/sched: taprio: continue with other TXQs if one dequeue() failed Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 684/969] net/sched: taprio: rename close_time to end_time Greg Kroah-Hartman
` (292 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Oltean, Kurt Kanzenbach,
David S. Miller, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Oltean <vladimir.oltean@nxp.com>
[ Upstream commit 92f966674f6a257eddfa60a85f9b6741d6087ccb ]
Future changes will refactor the TXQ selection procedure, and a lot of
stuff will become messy, the indentation of the bulk of the dequeue
procedure would increase, etc.
Break out the bulk of the function into a new one, which knows the TXQ
(child qdisc) we should perform a dequeue from.
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Reviewed-by: Kurt Kanzenbach <kurt@linutronix.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 105425b1969c ("net/sched: taprio: fix use-after-free in advance_sched() on schedule switch")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_taprio.c | 121 +++++++++++++++++++++--------------------
1 file changed, 63 insertions(+), 58 deletions(-)
diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c
index aad95b084ae36..10e1a420d4495 100644
--- a/net/sched/sch_taprio.c
+++ b/net/sched/sch_taprio.c
@@ -551,6 +551,66 @@ static void taprio_set_budget(struct taprio_sched *q, struct sched_entry *entry)
atomic64_read(&q->picos_per_byte)));
}
+static struct sk_buff *taprio_dequeue_from_txq(struct Qdisc *sch, int txq,
+ struct sched_entry *entry,
+ u32 gate_mask)
+{
+ struct taprio_sched *q = qdisc_priv(sch);
+ struct net_device *dev = qdisc_dev(sch);
+ struct Qdisc *child = q->qdiscs[txq];
+ struct sk_buff *skb;
+ ktime_t guard;
+ int prio;
+ int len;
+ u8 tc;
+
+ if (unlikely(!child))
+ return NULL;
+
+ if (TXTIME_ASSIST_IS_ENABLED(q->flags)) {
+ skb = child->ops->dequeue(child);
+ if (!skb)
+ return NULL;
+ goto skb_found;
+ }
+
+ skb = child->ops->peek(child);
+ if (!skb)
+ return NULL;
+
+ prio = skb->priority;
+ tc = netdev_get_prio_tc_map(dev, prio);
+
+ if (!(gate_mask & BIT(tc)))
+ return NULL;
+
+ len = qdisc_pkt_len(skb);
+ guard = ktime_add_ns(taprio_get_time(q), length_to_duration(q, len));
+
+ /* In the case that there's no gate entry, there's no
+ * guard band ...
+ */
+ if (gate_mask != TAPRIO_ALL_GATES_OPEN &&
+ ktime_after(guard, entry->close_time))
+ return NULL;
+
+ /* ... and no budget. */
+ if (gate_mask != TAPRIO_ALL_GATES_OPEN &&
+ atomic_sub_return(len, &entry->budget) < 0)
+ return NULL;
+
+ skb = child->ops->dequeue(child);
+ if (unlikely(!skb))
+ return NULL;
+
+skb_found:
+ qdisc_bstats_update(sch, skb);
+ qdisc_qstats_backlog_dec(sch, skb);
+ sch->q.qlen--;
+
+ return skb;
+}
+
/* Will not be called in the full offload case, since the TX queues are
* attached to the Qdisc created using qdisc_create_dflt()
*/
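Review bot: taprio_dequeue_from_txq() dereferences entry (entry->close_time, entry->budget) only when gate_mask != TAPRIO_ALL_GATES_OPEN, so it silently relies on the caller never passing a NULL entry together with a restricted gate mask. Now that this is a separate function, that precondition should be written down in a comment above it, along with the fact that a NULL return covers several different cases (no child qdisc, empty queue, gate closed, guard band, budget exhausted).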
@@ -576,64 +636,9 @@ static struct sk_buff *taprio_dequeue(struct Qdisc *sch)
goto done;
for (i = 0; i < dev->num_tx_queues; i++) {
- struct Qdisc *child = q->qdiscs[i];
- ktime_t guard;
- int prio;
- int len;
- u8 tc;
-
- if (unlikely(!child))
- continue;
-
- if (TXTIME_ASSIST_IS_ENABLED(q->flags)) {
- skb = child->ops->dequeue(child);
- if (!skb)
- continue;
- goto skb_found;
- }
-
- skb = child->ops->peek(child);
- if (!skb)
- continue;
-
- prio = skb->priority;
- tc = netdev_get_prio_tc_map(dev, prio);
-
- if (!(gate_mask & BIT(tc))) {
- skb = NULL;
- continue;
- }
-
- len = qdisc_pkt_len(skb);
- guard = ktime_add_ns(taprio_get_time(q),
- length_to_duration(q, len));
-
- /* In the case that there's no gate entry, there's no
- * guard band ...
- */
- if (gate_mask != TAPRIO_ALL_GATES_OPEN &&
- ktime_after(guard, entry->close_time)) {
- skb = NULL;
- continue;
- }
-
- /* ... and no budget. */
- if (gate_mask != TAPRIO_ALL_GATES_OPEN &&
- atomic_sub_return(len, &entry->budget) < 0) {
- skb = NULL;
- continue;
- }
-
- skb = child->ops->dequeue(child);
- if (unlikely(!skb))
- continue;
-
-skb_found:
- qdisc_bstats_update(sch, skb);
- qdisc_qstats_backlog_dec(sch, skb);
- sch->q.qlen--;
-
- goto done;
+ skb = taprio_dequeue_from_txq(sch, i, entry, gate_mask);
+ if (skb)
+ goto done;
}
done:
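Review bot: in the reduced loop, goto done sits directly before the closing brace and the done: label, so a plain break would do the same job and read more naturally. If the goto is kept to stay identical to upstream for easier backporting, that is fine, but it is worth stating.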
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 684/969] net/sched: taprio: rename close_time to end_time
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (682 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 683/969] net/sched: taprio: refactor one skb dequeue from TXQ to separate function Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 685/969] net/sched: taprio: fix use-after-free in advance_sched() on schedule switch Greg Kroah-Hartman
` (291 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Oltean, Kurt Kanzenbach,
David S. Miller, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Oltean <vladimir.oltean@nxp.com>
[ Upstream commit e5517551112ff2395611e552443932152f83672d ]
There is a confusion in terms in taprio which makes what is called
"close_time" to be actually used for 2 things:
1. determining when an entry "closes" such that transmitted skbs are
never allowed to overrun that time (?!)
2. an aid for determining when to advance and/or restart the schedule
using the hrtimer
It makes more sense to call this so-called "close_time" "end_time",
because it's not clear at all to me what "closes". Future patches will
hopefully make better use of the term "to close".
This is an absolutely mechanical change.
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Reviewed-by: Kurt Kanzenbach <kurt@linutronix.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 105425b1969c ("net/sched: taprio: fix use-after-free in advance_sched() on schedule switch")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_taprio.c | 52 +++++++++++++++++++++---------------------
1 file changed, 26 insertions(+), 26 deletions(-)
diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c
index 10e1a420d4495..ce529b9448819 100644
--- a/net/sched/sch_taprio.c
+++ b/net/sched/sch_taprio.c
@@ -37,11 +37,11 @@ static LIST_HEAD(taprio_list);
struct sched_entry {
struct list_head list;
- /* The instant that this entry "closes" and the next one
+ /* The instant that this entry ends and the next one
* should open, the qdisc will make some effort so that no
* packet leaves after this time.
*/
- ktime_t close_time;
+ ktime_t end_time;
ktime_t next_txtime;
atomic_t budget;
int index;
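Review bot: the updated comment on end_time still documents only the first of the two uses the commit message lists (no packet leaves after this instant); the second use, driving the hrtimer that advances or restarts the schedule, is not mentioned. Since the rename is motivated by that double meaning, the field comment should name both.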
@@ -54,7 +54,7 @@ struct sched_gate_list {
struct rcu_head rcu;
struct list_head entries;
size_t num_entries;
- ktime_t cycle_close_time;
+ ktime_t cycle_end_time;
s64 cycle_time;
s64 cycle_time_extension;
s64 base_time;
@@ -591,7 +591,7 @@ static struct sk_buff *taprio_dequeue_from_txq(struct Qdisc *sch, int txq,
* guard band ...
*/
if (gate_mask != TAPRIO_ALL_GATES_OPEN &&
- ktime_after(guard, entry->close_time))
+ ktime_after(guard, entry->end_time))
return NULL;
/* ... and no budget. */
@@ -653,7 +653,7 @@ static bool should_restart_cycle(const struct sched_gate_list *oper,
if (list_is_last(&entry->list, &oper->entries))
return true;
- if (ktime_compare(entry->close_time, oper->cycle_close_time) == 0)
+ if (ktime_compare(entry->end_time, oper->cycle_end_time) == 0)
return true;
return false;
@@ -661,7 +661,7 @@ static bool should_restart_cycle(const struct sched_gate_list *oper,
static bool should_change_schedules(const struct sched_gate_list *admin,
const struct sched_gate_list *oper,
- ktime_t close_time)
+ ktime_t end_time)
{
ktime_t next_base_time, extension_time;
@@ -670,18 +670,18 @@ static bool should_change_schedules(const struct sched_gate_list *admin,
next_base_time = sched_base_time(admin);
- /* This is the simple case, the close_time would fall after
+ /* This is the simple case, the end_time would fall after
* the next schedule base_time.
*/
- if (ktime_compare(next_base_time, close_time) <= 0)
+ if (ktime_compare(next_base_time, end_time) <= 0)
return true;
- /* This is the cycle_time_extension case, if the close_time
+ /* This is the cycle_time_extension case, if the end_time
* plus the amount that can be extended would fall after the
* next schedule base_time, we can extend the current schedule
* for that amount.
*/
- extension_time = ktime_add_ns(close_time, oper->cycle_time_extension);
+ extension_time = ktime_add_ns(end_time, oper->cycle_time_extension);
/* FIXME: the IEEE 802.1Q-2018 Specification isn't clear about
* how precisely the extension should be made. So after
@@ -700,7 +700,7 @@ static enum hrtimer_restart advance_sched(struct hrtimer *timer)
struct sched_gate_list *oper, *admin;
struct sched_entry *entry, *next;
struct Qdisc *sch = q->root;
- ktime_t close_time;
+ ktime_t end_time;
spin_lock(&q->current_entry_lock);
entry = rcu_dereference_protected(q->current_entry,
@@ -719,41 +719,41 @@ static enum hrtimer_restart advance_sched(struct hrtimer *timer)
* entry of all schedules are pre-calculated during the
* schedule initialization.
*/
- if (unlikely(!entry || entry->close_time == oper->base_time)) {
+ if (unlikely(!entry || entry->end_time == oper->base_time)) {
next = list_first_entry(&oper->entries, struct sched_entry,
list);
- close_time = next->close_time;
+ end_time = next->end_time;
goto first_run;
}
if (should_restart_cycle(oper, entry)) {
next = list_first_entry(&oper->entries, struct sched_entry,
list);
- oper->cycle_close_time = ktime_add_ns(oper->cycle_close_time,
- oper->cycle_time);
+ oper->cycle_end_time = ktime_add_ns(oper->cycle_end_time,
+ oper->cycle_time);
} else {
next = list_next_entry(entry, list);
}
- close_time = ktime_add_ns(entry->close_time, next->interval);
- close_time = min_t(ktime_t, close_time, oper->cycle_close_time);
+ end_time = ktime_add_ns(entry->end_time, next->interval);
+ end_time = min_t(ktime_t, end_time, oper->cycle_end_time);
- if (should_change_schedules(admin, oper, close_time)) {
+ if (should_change_schedules(admin, oper, end_time)) {
/* Set things so the next time this runs, the new
* schedule runs.
*/
- close_time = sched_base_time(admin);
+ end_time = sched_base_time(admin);
switch_schedules(q, &admin, &oper);
}
- next->close_time = close_time;
+ next->end_time = end_time;
taprio_set_budget(q, next);
first_run:
rcu_assign_pointer(q->current_entry, next);
spin_unlock(&q->current_entry_lock);
- hrtimer_set_expires(&q->advance_timer, close_time);
+ hrtimer_set_expires(&q->advance_timer, end_time);
rcu_read_lock();
__netif_schedule(sch);
@@ -1033,8 +1033,8 @@ static int taprio_get_start_time(struct Qdisc *sch,
return 0;
}
-static void setup_first_close_time(struct taprio_sched *q,
- struct sched_gate_list *sched, ktime_t base)
+static void setup_first_end_time(struct taprio_sched *q,
+ struct sched_gate_list *sched, ktime_t base)
{
struct sched_entry *first;
ktime_t cycle;
@@ -1045,9 +1045,9 @@ static void setup_first_close_time(struct taprio_sched *q,
cycle = sched->cycle_time;
/* FIXME: find a better place to do this */
- sched->cycle_close_time = ktime_add_ns(base, cycle);
+ sched->cycle_end_time = ktime_add_ns(base, cycle);
- first->close_time = ktime_add_ns(base, first->interval);
+ first->end_time = ktime_add_ns(base, first->interval);
taprio_set_budget(q, first);
rcu_assign_pointer(q->current_entry, NULL);
}
@@ -1679,7 +1679,7 @@ static int taprio_change(struct Qdisc *sch, struct nlattr *opt,
if (admin)
call_rcu(&admin->rcu, taprio_free_sched_cb);
} else {
- setup_first_close_time(q, new_admin, start);
+ setup_first_end_time(q, new_admin, start);
/* Protects against advance_sched() */
spin_lock_irqsave(&q->current_entry_lock, flags);
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 685/969] net/sched: taprio: fix use-after-free in advance_sched() on schedule switch
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (683 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 684/969] net/sched: taprio: rename close_time to end_time Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 686/969] container_of: remove container_of_safe() Greg Kroah-Hartman
` (290 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Junxi Qian, Vinicius Costa Gomes,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
[ Upstream commit 105425b1969c5affe532713cfac1c0b320d7ac2b ]
In advance_sched(), when should_change_schedules() returns true,
switch_schedules() is called to promote the admin schedule to oper.
switch_schedules() queues the old oper schedule for RCU freeing via
call_rcu(), but 'next' still points into an entry of the old oper
schedule. The subsequent 'next->end_time = end_time' and
rcu_assign_pointer(q->current_entry, next) are use-after-free.
Fix this by selecting 'next' from the new oper schedule immediately
after switch_schedules(), and using its pre-calculated end_time.
setup_first_end_time() sets the first entry's end_time to
base_time + interval when the schedule is installed, so the value
is already correct.
The deleted 'end_time = sched_base_time(admin)' assignment was also
harmful independently: it would overwrite the new first entry's
pre-calculated end_time with just base_time.
Fixes: a3d43c0d56f1 ("taprio: Add support adding an admin schedule")
Reported-by: Junxi Qian <qjx1298677004@gmail.com>
Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_taprio.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c
index ce529b9448819..8da723f054f56 100644
--- a/net/sched/sch_taprio.c
+++ b/net/sched/sch_taprio.c
@@ -739,11 +739,12 @@ static enum hrtimer_restart advance_sched(struct hrtimer *timer)
end_time = min_t(ktime_t, end_time, oper->cycle_end_time);
if (should_change_schedules(admin, oper, end_time)) {
- /* Set things so the next time this runs, the new
- * schedule runs.
- */
- end_time = sched_base_time(admin);
switch_schedules(q, &admin, &oper);
+ /* After changing schedules, the next entry is the first one
+ * in the new schedule, with a pre-calculated end_time.
+ */
+ next = list_first_entry(&oper->entries, struct sched_entry, list);
+ end_time = next->end_time;
}
next->end_time = end_time;
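Review bot: list_first_entry() in the added "next = list_first_entry(&oper->entries, ...)" line does not check for an empty list, so the fix relies on the newly promoted oper schedule always holding at least one entry. The new comment should state that invariant, or the code could use list_first_entry_or_null() and handle the NULL case. On the schedule-switch path the unchanged "next->end_time = end_time;" after the block is now a self-assignment; that is harmless, but a word in the comment would save the next reader from wondering whether it is intended.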
--
2.53.0
* [PATCH 6.1 686/969] container_of: remove container_of_safe()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (684 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 685/969] net/sched: taprio: fix use-after-free in advance_sched() on schedule switch Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 687/969] container_of: add container_of_const() that preserves const-ness of the pointer Greg Kroah-Hartman
` (289 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sakari Ailus, Rafael J. Wysocki,
Andy Shevchenko, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 848dba781f1951636c966c9f3a6a41a5b2f8b572 ]
It came in from a staging driver that has been long removed from the
tree, and there are no in-kernel users of the macro, and it's very
dubious if anyone should ever use this thing, so just remove it
entirely.
Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Acked-by: Rafael J. Wysocki <rafael@kernel.org>
Acked-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://lore.kernel.org/r/20221024123933.3331116-1-gregkh@linuxfoundation.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 21e92a38cfd8 ("tcp: add data-race annotations around tp->data_segs_out and tp->total_retrans")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/container_of.h | 16 ----------------
1 file changed, 16 deletions(-)
diff --git a/include/linux/container_of.h b/include/linux/container_of.h
index 2f4944b791b81..a6f242137b116 100644
--- a/include/linux/container_of.h
+++ b/include/linux/container_of.h
@@ -21,20 +21,4 @@
"pointer type mismatch in container_of()"); \
((type *)(__mptr - offsetof(type, member))); })
-/**
- * container_of_safe - cast a member of a structure out to the containing structure
- * @ptr: the pointer to the member.
- * @type: the type of the container struct this is embedded in.
- * @member: the name of the member within the struct.
- *
- * If IS_ERR_OR_NULL(ptr), ptr is returned unchanged.
- */
-#define container_of_safe(ptr, type, member) ({ \
- void *__mptr = (void *)(ptr); \
- static_assert(__same_type(*(ptr), ((type *)0)->member) || \
- __same_type(*(ptr), void), \
- "pointer type mismatch in container_of_safe()"); \
- IS_ERR_OR_NULL(__mptr) ? ERR_CAST(__mptr) : \
- ((type *)(__mptr - offsetof(type, member))); })
-
#endif /* _LINUX_CONTAINER_OF_H */
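Review bot: the removal of container_of_safe() rests on the commit message's statement that there are no in-kernel users, and that statement was made about the upstream tree; for this backport the 6.1.y tree needs its own check (a grep for container_of_safe over the whole tree), since nothing in this hunk would reveal a leftover caller before build time. Out-of-tree modules built against 6.1.y headers lose the macro as well, which is worth stating where the stable dependency is recorded.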
--
2.53.0
* [PATCH 6.1 687/969] container_of: add container_of_const() that preserves const-ness of the pointer
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (685 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 686/969] container_of: remove container_of_safe() Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 688/969] tcp: preserve const qualifier in tcp_sk() Greg Kroah-Hartman
` (288 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jason Gunthorpe, Sakari Ailus,
Matthew Wilcox (Oracle), Jason Gunthorpe, Andy Shevchenko,
Rafael J. Wysocki, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 64f6a5d1922bf6d2b2d845de20d4563a6f328e2d ]
container_of does not preserve the const-ness of a pointer that is
passed into it, which can cause C code that passes in a const pointer to
get a pointer back that is not const and then scribble all over the data
in it. To prevent this, container_of_const() will preserve the const
status of the pointer passed into it using the newly available _Generic()
method.
Suggested-by: Jason Gunthorpe <jgg@ziepe.ca>
Suggested-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Acked-by: Rafael J. Wysocki <rafael@kernel.org>
Link: https://lore.kernel.org/r/20221205121206.166576-1-gregkh@linuxfoundation.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 21e92a38cfd8 ("tcp: add data-race annotations around tp->data_segs_out and tp->total_retrans")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/container_of.h | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/include/linux/container_of.h b/include/linux/container_of.h
index a6f242137b116..c8d7cf8b8522c 100644
--- a/include/linux/container_of.h
+++ b/include/linux/container_of.h
@@ -21,4 +21,17 @@
"pointer type mismatch in container_of()"); \
((type *)(__mptr - offsetof(type, member))); })
+/**
+ * container_of_const - cast a member of a structure out to the containing
+ * structure and preserve the const-ness of the pointer
+ * @ptr: the pointer to the member
+ * @type: the type of the container struct this is embedded in.
+ * @member: the name of the member within the struct.
+ */
+#define container_of_const(ptr, type, member) \
+ _Generic(ptr, \
+ const typeof(*(ptr)) *: ((const type *)container_of(ptr, type, member)),\
+ default: ((type *)container_of(ptr, type, member)) \
+ )
+
#endif /* _LINUX_CONTAINER_OF_H */
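Review bot: the kernel-doc block for container_of_const() never says what the macro returns, which is the whole contract: it should state that the result is "const type *" when @ptr points to a const-qualified object and "type *" otherwise. A minor style point in the same block: the @ptr line lacks the trailing period that the @type and @member lines have.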
--
2.53.0
* [PATCH 6.1 688/969] tcp: preserve const qualifier in tcp_sk()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (686 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 687/969] container_of: add container_of_const() that preserves const-ness of the pointer Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 689/969] tcp: add data-race annotations around tp->data_segs_out and tp->total_retrans Greg Kroah-Hartman
` (287 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Simon Horman,
David S. Miller, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit e9d9da91548b21e189fcd0259a0f2d26d1afc509 ]
We can change tcp_sk() to propagate its argument const qualifier,
thanks to container_of_const().
We have two places where a const sock pointer has to be upgraded
to a write one. We have been using const qualifier for lockless
listeners to clearly identify points where writes could happen.
Add tcp_sk_rw() helper to better document these.
tcp_inbound_md5_hash(), __tcp_grow_window(), tcp_reset_check()
and tcp_rack_reo_wnd() get an additional const qualifier
for their @tp local variables.
smc_check_reset_syn_req() also needs a similar change.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 21e92a38cfd8 ("tcp: add data-race annotations around tp->data_segs_out and tp->total_retrans")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/tcp.h | 10 ++++++----
include/net/tcp.h | 2 +-
net/ipv4/tcp.c | 2 +-
net/ipv4/tcp_input.c | 4 ++--
net/ipv4/tcp_minisocks.c | 5 +++--
net/ipv4/tcp_output.c | 9 +++++++--
net/ipv4/tcp_recovery.c | 2 +-
7 files changed, 21 insertions(+), 13 deletions(-)
diff --git a/include/linux/tcp.h b/include/linux/tcp.h
index 9cd289ad3f5b5..3ac0b55a6bc7b 100644
--- a/include/linux/tcp.h
+++ b/include/linux/tcp.h
@@ -471,10 +471,12 @@ enum tsq_flags {
TCPF_MTU_REDUCED_DEFERRED = (1UL << TCP_MTU_REDUCED_DEFERRED),
};
-static inline struct tcp_sock *tcp_sk(const struct sock *sk)
-{
- return (struct tcp_sock *)sk;
-}
+#define tcp_sk(ptr) container_of_const(ptr, struct tcp_sock, inet_conn.icsk_inet.sk)
+
+/* Variant of tcp_sk() upgrading a const sock to a read/write tcp socket.
+ * Used in context of (lockless) tcp listeners.
+ */
+#define tcp_sk_rw(ptr) container_of(ptr, struct tcp_sock, inet_conn.icsk_inet.sk)
struct tcp_timewait_sock {
struct inet_timewait_sock tw_sk;
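Review bot: turning tcp_sk() from an inline function into a macro on top of container_of_const() removes the implicit conversion the function parameter used to provide, so any caller in 6.1.y that passes something other than a struct sock pointer (or a void pointer) now hits the "pointer type mismatch in container_of()" static_assert. Because this is pulled in as a dependency, the backport needs a full build over the usual configs and not only the call sites touched in this patch. The tcp_sk_rw() comment should also say that every use needs its own justification for writing through a const sock, since the macro drops the qualifier without any diagnostic.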
diff --git a/include/net/tcp.h b/include/net/tcp.h
index 83e0362e3b721..9632ac801e016 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -535,7 +535,7 @@ static inline void tcp_synq_overflow(const struct sock *sk)
last_overflow = READ_ONCE(tcp_sk(sk)->rx_opt.ts_recent_stamp);
if (!time_between32(now, last_overflow, last_overflow + HZ))
- WRITE_ONCE(tcp_sk(sk)->rx_opt.ts_recent_stamp, now);
+ WRITE_ONCE(tcp_sk_rw(sk)->rx_opt.ts_recent_stamp, now);
}
/* syncookies: no recent synqueue overflow on this listening socket? */
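Review bot: the WRITE_ONCE() in tcp_synq_overflow() now goes through tcp_sk_rw(sk) with no comment explaining why a write through the const listener pointer is acceptable here, while the tcp_rtx_synack() hunk in this same patch documents its use. A one-line comment at this call site would keep the two tcp_sk_rw() users consistent and make the lockless write easy to audit.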
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index fd81976d4beb7..44ddb82621300 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -4642,7 +4642,7 @@ tcp_inbound_md5_hash(const struct sock *sk, const struct sk_buff *skb,
const __u8 *hash_location = NULL;
struct tcp_md5sig_key *hash_expected;
const struct tcphdr *th = tcp_hdr(skb);
- struct tcp_sock *tp = tcp_sk(sk);
+ const struct tcp_sock *tp = tcp_sk(sk);
int genhash, l3index;
u8 newhash[16];
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index e1334be1feba1..9b40204248488 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -484,7 +484,7 @@ static void tcp_sndbuf_expand(struct sock *sk)
static int __tcp_grow_window(const struct sock *sk, const struct sk_buff *skb,
unsigned int skbtruesize)
{
- struct tcp_sock *tp = tcp_sk(sk);
+ const struct tcp_sock *tp = tcp_sk(sk);
/* Optimize this! */
int truesize = tcp_win_from_space(sk, skbtruesize) >> 1;
int window = tcp_win_from_space(sk, READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_rmem[2])) >> 1;
@@ -5783,7 +5783,7 @@ static void tcp_urg(struct sock *sk, struct sk_buff *skb, const struct tcphdr *t
*/
static bool tcp_reset_check(const struct sock *sk, const struct sk_buff *skb)
{
- struct tcp_sock *tp = tcp_sk(sk);
+ const struct tcp_sock *tp = tcp_sk(sk);
return unlikely(TCP_SKB_CB(skb)->seq == (tp->rcv_nxt - 1) &&
(1 << sk->sk_state) & (TCPF_CLOSE_WAIT | TCPF_LAST_ACK |
diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
index bc94df0140bfd..0b934b6ebb55b 100644
--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -441,7 +441,7 @@ void tcp_ca_openreq_child(struct sock *sk, const struct dst_entry *dst)
}
EXPORT_SYMBOL_GPL(tcp_ca_openreq_child);
-static void smc_check_reset_syn_req(struct tcp_sock *oldtp,
+static void smc_check_reset_syn_req(const struct tcp_sock *oldtp,
struct request_sock *req,
struct tcp_sock *newtp)
{
@@ -470,7 +470,8 @@ struct sock *tcp_create_openreq_child(const struct sock *sk,
const struct inet_request_sock *ireq = inet_rsk(req);
struct tcp_request_sock *treq = tcp_rsk(req);
struct inet_connection_sock *newicsk;
- struct tcp_sock *oldtp, *newtp;
+ const struct tcp_sock *oldtp;
+ struct tcp_sock *newtp;
u32 seq;
if (!newsk)
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index a8d8e2f294ff2..0a27d89dcc731 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -4203,8 +4203,13 @@ int tcp_rtx_synack(const struct sock *sk, struct request_sock *req)
if (!res) {
TCP_INC_STATS(sock_net(sk), TCP_MIB_RETRANSSEGS);
NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPSYNRETRANS);
- if (unlikely(tcp_passive_fastopen(sk)))
- tcp_sk(sk)->total_retrans++;
+ if (unlikely(tcp_passive_fastopen(sk))) {
+ /* sk has const attribute because listeners are lockless.
+ * However in this case, we are dealing with a passive fastopen
+ * socket thus we can change total_retrans value.
+ */
+ tcp_sk_rw(sk)->total_retrans++;
+ }
trace_tcp_retransmit_synack(sk, req);
}
return res;
diff --git a/net/ipv4/tcp_recovery.c b/net/ipv4/tcp_recovery.c
index c085793691102..bba10110fbbc1 100644
--- a/net/ipv4/tcp_recovery.c
+++ b/net/ipv4/tcp_recovery.c
@@ -4,7 +4,7 @@
static u32 tcp_rack_reo_wnd(const struct sock *sk)
{
- struct tcp_sock *tp = tcp_sk(sk);
+ const struct tcp_sock *tp = tcp_sk(sk);
if (!tp->reord_seen) {
/* If reordering has not been observed, be aggressive during
--
2.53.0
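The const-preserving cast described in the two commit messages above (container_of_const() in 687 and the tcp_sk()/tcp_sk_rw() split in 688), as an added user-space example that is not part of the patches or the kernel tree. The demo_* structs, macros and functions are hypothetical stand-ins, and container_of() is simplified (no static_assert on the member type).

```c
/* Added example: user-space model of the const-preserving cast.
 * All demo_* names are hypothetical; this is not kernel code. */
#include <stddef.h>
#include <stdio.h>

struct demo_sock { int state; };		/* plays the role of struct sock */
struct demo_inet { struct demo_sock sk; };
struct demo_conn { struct demo_inet icsk_inet; };
struct demo_tcp {
	unsigned long hdr;	/* keeps the embedded sock away from offset 0 */
	struct demo_conn inet_conn;
	unsigned int total_retrans;
};

/* Simplified container_of(): no static_assert on the member type. */
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

/* Same shape as the macro added in patch 687, using __typeof__. */
#define container_of_const(ptr, type, member)				\
	_Generic(ptr,							\
		const __typeof__(*(ptr)) *:				\
			((const type *)container_of(ptr, type, member)),\
		default: ((type *)container_of(ptr, type, member))	\
	)

/* Counterparts of tcp_sk() and tcp_sk_rw() from patch 688. */
#define demo_sk(ptr) \
	container_of_const(ptr, struct demo_tcp, inet_conn.icsk_inet.sk)
#define demo_sk_rw(ptr) \
	container_of(ptr, struct demo_tcp, inet_conn.icsk_inet.sk)

/* 1 if expr is a pointer to const struct demo_tcp, 0 if to a mutable one.
 * _Generic does not evaluate expr; only its type is inspected. */
#define yields_const(expr) \
	_Generic((expr), const struct demo_tcp *: 1, struct demo_tcp *: 0)

/* Plain container_of() hands back a writable pointer from a const input. */
int plain_container_of_drops_const(const struct demo_sock *sk)
{
	return yields_const(container_of(sk, struct demo_tcp,
					 inet_conn.icsk_inet.sk)) == 0;
}

/* container_of_const() keeps the qualifier of a const input. */
int const_variant_keeps_const(const struct demo_sock *sk)
{
	return yields_const(demo_sk(sk)) == 1;
}

/* A mutable input still yields a mutable container. */
int const_variant_keeps_mutable(struct demo_sock *sk)
{
	return yields_const(demo_sk(sk)) == 0;
}

/* Lockless-reader model: a const sock can be read through demo_sk(). */
unsigned int read_retrans(const struct demo_sock *sk)
{
	const struct demo_tcp *tp = demo_sk(sk);

	/* demo_sk(sk)->total_retrans++; would be rejected by the compiler:
	 * the object is reached through a pointer to const. */
	return tp->total_retrans;
}

/* The explicit opt-out: the write is visible at the call site by name. */
void bump_retrans(const struct demo_sock *sk)
{
	demo_sk_rw(sk)->total_retrans++;
}

int main(void)
{
	struct demo_tcp t = { .total_retrans = 7 };
	const struct demo_sock *sk = &t.inet_conn.icsk_inet.sk;

	printf("container_of drops const:       %d\n",
	       plain_container_of_drops_const(sk));
	printf("container_of_const keeps const: %d\n",
	       const_variant_keeps_const(sk));
	printf("mutable stays mutable:          %d\n",
	       const_variant_keeps_mutable(&t.inet_conn.icsk_inet.sk));
	bump_retrans(sk);
	printf("total_retrans after rw bump:    %u\n", read_retrans(sk));
	return 0;
}
```

Uncommenting the increment in read_retrans() turns the silent write through a const pointer into a compile error, which is the class of mistake the tcp_sk() conversion is meant to surface.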
* [PATCH 6.1 689/969] tcp: add data-race annotations around tp->data_segs_out and tp->total_retrans
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (687 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 688/969] tcp: preserve const qualifier in tcp_sk() Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 690/969] tcp: annotate data-races around tp->bytes_sent Greg Kroah-Hartman
` (286 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 21e92a38cfd891538598ba8f805e0165a820d532 ]
tcp_get_timestamping_opt_stats() intentionally runs lockless, we must
add READ_ONCE() and WRITE_ONCE() annotations to keep KCSAN happy.
Fixes: 7e98102f4897 ("tcp: record pkts sent and retransmistted")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260416200319.3608680-3-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp.c | 4 ++--
net/ipv4/tcp_output.c | 8 +++++---
2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 44ddb82621300..17e6f5e90b1af 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -4084,9 +4084,9 @@ struct sk_buff *tcp_get_timestamping_opt_stats(const struct sock *sk,
nla_put_u64_64bit(stats, TCP_NLA_SNDBUF_LIMITED,
info.tcpi_sndbuf_limited, TCP_NLA_PAD);
nla_put_u64_64bit(stats, TCP_NLA_DATA_SEGS_OUT,
- tp->data_segs_out, TCP_NLA_PAD);
+ READ_ONCE(tp->data_segs_out), TCP_NLA_PAD);
nla_put_u64_64bit(stats, TCP_NLA_TOTAL_RETRANS,
- tp->total_retrans, TCP_NLA_PAD);
+ READ_ONCE(tp->total_retrans), TCP_NLA_PAD);
rate = READ_ONCE(sk->sk_pacing_rate);
rate64 = (rate != ~0UL) ? rate : ~0ULL;
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 0a27d89dcc731..bff8b08a11ba5 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -1380,7 +1380,8 @@ static int __tcp_transmit_skb(struct sock *sk, struct sk_buff *skb,
if (skb->len != tcp_header_size) {
tcp_event_data_sent(tp, sk);
- tp->data_segs_out += tcp_skb_pcount(skb);
+ WRITE_ONCE(tp->data_segs_out,
+ tp->data_segs_out + tcp_skb_pcount(skb));
tp->bytes_sent += skb->len - tcp_header_size;
}
@@ -3286,7 +3287,7 @@ int __tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb, int segs)
TCP_ADD_STATS(sock_net(sk), TCP_MIB_RETRANSSEGS, segs);
if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_SYN)
__NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPSYNRETRANS);
- tp->total_retrans += segs;
+ WRITE_ONCE(tp->total_retrans, tp->total_retrans + segs);
tp->bytes_retrans += skb->len;
/* make sure skb->data is aligned on arches that require it
@@ -4208,7 +4209,8 @@ int tcp_rtx_synack(const struct sock *sk, struct request_sock *req)
* However in this case, we are dealing with a passive fastopen
* socket thus we can change total_retrans value.
*/
- tcp_sk_rw(sk)->total_retrans++;
+ WRITE_ONCE(tcp_sk_rw(sk)->total_retrans,
+ tcp_sk_rw(sk)->total_retrans + 1);
}
trace_tcp_retransmit_synack(sk, req);
}
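Review bot: in the tcp_rtx_synack() hunk, WRITE_ONCE(tcp_sk_rw(sk)->total_retrans, tcp_sk_rw(sk)->total_retrans + 1) only protects the lockless reader from a torn store; the increment is still a non-atomic read-modify-write on a socket the comment describes as reached through a const, lockless listener pointer. The comment should say what guarantees a single writer on this path. Taking a local "struct tcp_sock *tp = tcp_sk_rw(sk);" would also avoid expanding the cast twice and make the statement easier to read.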
--
2.53.0
* [PATCH 6.1 690/969] tcp: annotate data-races around tp->bytes_sent
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (688 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 689/969] tcp: add data-race annotations around tp->data_segs_out and tp->total_retrans Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 691/969] tcp: annotate data-races around tp->bytes_retrans Greg Kroah-Hartman
` (285 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit ee43e957ce2ec77b2ec47fef28f3c0df6ab01a31 ]
tcp_get_timestamping_opt_stats() intentionally runs lockless, we must
add READ_ONCE() and WRITE_ONCE() annotations to keep KCSAN happy.
Fixes: ba113c3aa79a ("tcp: add data bytes sent stats")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260416200319.3608680-8-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp.c | 2 +-
net/ipv4/tcp_output.c | 3 ++-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 17e6f5e90b1af..eb59c3d022bb7 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -4108,7 +4108,7 @@ struct sk_buff *tcp_get_timestamping_opt_stats(const struct sock *sk,
nla_put_u32(stats, TCP_NLA_SNDQ_SIZE, tp->write_seq - tp->snd_una);
nla_put_u8(stats, TCP_NLA_CA_STATE, inet_csk(sk)->icsk_ca_state);
- nla_put_u64_64bit(stats, TCP_NLA_BYTES_SENT, tp->bytes_sent,
+ nla_put_u64_64bit(stats, TCP_NLA_BYTES_SENT, READ_ONCE(tp->bytes_sent),
TCP_NLA_PAD);
nla_put_u64_64bit(stats, TCP_NLA_BYTES_RETRANS, tp->bytes_retrans,
TCP_NLA_PAD);
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index bff8b08a11ba5..bb023a07cb1fc 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -1382,7 +1382,8 @@ static int __tcp_transmit_skb(struct sock *sk, struct sk_buff *skb,
tcp_event_data_sent(tp, sk);
WRITE_ONCE(tp->data_segs_out,
tp->data_segs_out + tcp_skb_pcount(skb));
- tp->bytes_sent += skb->len - tcp_header_size;
+ WRITE_ONCE(tp->bytes_sent,
+ tp->bytes_sent + skb->len - tcp_header_size);
}
if (after(tcb->end_seq, tp->snd_nxt) || tcb->seq == tcb->end_seq)
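Review bot: the rewritten store in __tcp_transmit_skb() changes how the arithmetic is grouped: the old "tp->bytes_sent += skb->len - tcp_header_size" computed the difference first, while "tp->bytes_sent + skb->len - tcp_header_size" adds skb->len to the counter and then subtracts. If the two operands are narrower than bytes_sent, the results differ whenever skb->len is smaller than tcp_header_size. Parenthesising (skb->len - tcp_header_size) would keep the original semantics exactly and cost nothing.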
--
2.53.0
* [PATCH 6.1 691/969] tcp: annotate data-races around tp->bytes_retrans
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (689 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 690/969] tcp: annotate data-races around tp->bytes_sent Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 692/969] tcp: annotate data-races around tp->dsack_dups Greg Kroah-Hartman
` (284 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 5efc7b9f7cbd43401f1af81d3d7f2be00f93390d ]
tcp_get_timestamping_opt_stats() intentionally runs lockless, we must
add READ_ONCE() and WRITE_ONCE() annotations to keep KCSAN happy.
Fixes: fb31c9b9f6c8 ("tcp: add data bytes retransmitted stats")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260416200319.3608680-9-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp.c | 4 ++--
net/ipv4/tcp_output.c | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index eb59c3d022bb7..c60f8c69c19f5 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -4110,8 +4110,8 @@ struct sk_buff *tcp_get_timestamping_opt_stats(const struct sock *sk,
nla_put_u64_64bit(stats, TCP_NLA_BYTES_SENT, READ_ONCE(tp->bytes_sent),
TCP_NLA_PAD);
- nla_put_u64_64bit(stats, TCP_NLA_BYTES_RETRANS, tp->bytes_retrans,
- TCP_NLA_PAD);
+ nla_put_u64_64bit(stats, TCP_NLA_BYTES_RETRANS,
+ READ_ONCE(tp->bytes_retrans), TCP_NLA_PAD);
nla_put_u32(stats, TCP_NLA_DSACK_DUPS, tp->dsack_dups);
nla_put_u32(stats, TCP_NLA_REORD_SEEN, tp->reord_seen);
nla_put_u32(stats, TCP_NLA_SRTT, tp->srtt_us >> 3);
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index bb023a07cb1fc..aa2832c90e272 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -3289,7 +3289,7 @@ int __tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb, int segs)
if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_SYN)
__NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPSYNRETRANS);
WRITE_ONCE(tp->total_retrans, tp->total_retrans + segs);
- tp->bytes_retrans += skb->len;
+ WRITE_ONCE(tp->bytes_retrans, tp->bytes_retrans + skb->len);
/* make sure skb->data is aligned on arches that require it
* and check if ack-trimming & collapsing extended the headroom
--
2.53.0
* [PATCH 6.1 692/969] tcp: annotate data-races around tp->dsack_dups
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (690 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 691/969] tcp: annotate data-races around tp->bytes_retrans Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 693/969] tcp: annotate data-races around (tp->write_seq - tp->snd_nxt) Greg Kroah-Hartman
` (283 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit a984705ca88b976bf1087978fd98b7f3993da88c ]
tcp_get_timestamping_opt_stats() intentionally runs lockless, we must
add READ_ONCE() and WRITE_ONCE() annotations to keep KCSAN happy.
Fixes: 7e10b6554ff2 ("tcp: add dsack blocks received stats")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260416200319.3608680-10-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp.c | 2 +-
net/ipv4/tcp_input.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index c60f8c69c19f5..518b439531b16 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -4112,7 +4112,7 @@ struct sk_buff *tcp_get_timestamping_opt_stats(const struct sock *sk,
TCP_NLA_PAD);
nla_put_u64_64bit(stats, TCP_NLA_BYTES_RETRANS,
READ_ONCE(tp->bytes_retrans), TCP_NLA_PAD);
- nla_put_u32(stats, TCP_NLA_DSACK_DUPS, tp->dsack_dups);
+ nla_put_u32(stats, TCP_NLA_DSACK_DUPS, READ_ONCE(tp->dsack_dups));
nla_put_u32(stats, TCP_NLA_REORD_SEEN, tp->reord_seen);
nla_put_u32(stats, TCP_NLA_SRTT, tp->srtt_us >> 3);
nla_put_u16(stats, TCP_NLA_TIMEOUT_REHASH, tp->timeout_rehash);
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 9b40204248488..645ff379c4254 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -1023,7 +1023,7 @@ static u32 tcp_dsack_seen(struct tcp_sock *tp, u32 start_seq,
else if (tp->tlp_high_seq && tp->tlp_high_seq == end_seq)
state->flag |= FLAG_DSACK_TLP;
- tp->dsack_dups += dup_segs;
+ WRITE_ONCE(tp->dsack_dups, tp->dsack_dups + dup_segs);
/* Skip the DSACK if dup segs weren't retransmitted by sender */
if (tp->dsack_dups > tp->total_retrans)
return 0;
--
2.53.0
* [PATCH 6.1 693/969] tcp: annotate data-races around (tp->write_seq - tp->snd_nxt)
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (691 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 692/969] tcp: annotate data-races around tp->dsack_dups Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 694/969] i40e: dont advertise IFF_SUPP_NOFCS Greg Kroah-Hartman
` (282 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 3a63b3d160560ef51e43fb4c880a5cde8078053c ]
tcp_get_timestamping_opt_stats() intentionally runs lockless, we must
add READ_ONCE() annotations to keep KCSAN happy.
WRITE_ONCE() annotations are already present.
Fixes: e08ab0b377a1 ("tcp: add bytes not sent to SCM_TIMESTAMPING_OPT_STATS")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260416200319.3608680-14-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 518b439531b16..076aa73c99fa8 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -4117,7 +4117,8 @@ struct sk_buff *tcp_get_timestamping_opt_stats(const struct sock *sk,
nla_put_u32(stats, TCP_NLA_SRTT, tp->srtt_us >> 3);
nla_put_u16(stats, TCP_NLA_TIMEOUT_REHASH, tp->timeout_rehash);
nla_put_u32(stats, TCP_NLA_BYTES_NOTSENT,
- max_t(int, 0, tp->write_seq - tp->snd_nxt));
+ max_t(int, 0,
+ READ_ONCE(tp->write_seq) - READ_ONCE(tp->snd_nxt)));
nla_put_u64_64bit(stats, TCP_NLA_EDT, orig_skb->skb_mstamp_ns,
TCP_NLA_PAD);
if (ack_skb)
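Review bot: READ_ONCE(tp->write_seq) and READ_ONCE(tp->snd_nxt) in the TCP_NLA_BYTES_NOTSENT computation are two independent loads, so the difference can be built from values taken at different moments; the max_t(int, 0, ...) clamp hides a negative result but not a transiently wrong positive one. That is acceptable for a statistic, but a short comment saying so would help. The context lines of this hunk also still read tp->srtt_us and tp->timeout_rehash plainly in the same lockless function, so it is worth confirming that the rest of the series covers them.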
--
2.53.0
* [PATCH 6.1 694/969] i40e: dont advertise IFF_SUPP_NOFCS
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (692 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 693/969] tcp: annotate data-races around (tp->write_seq - tp->snd_nxt) Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 695/969] e1000e: Unroll PTP in probe error handling Greg Kroah-Hartman
` (281 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kohei Enju, Aleksandr Loktionov,
Sunitha Mekala, Jacob Keller, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kohei Enju <kohei@enjuk.jp>
[ Upstream commit a24162f18825684ad04e3a5d0531f8a50d679347 ]
i40e advertises IFF_SUPP_NOFCS, allowing users to use the SO_NOFCS
socket option. However, this option is silently ignored, as the driver
does not check skb->no_fcs, and always enables FCS insertion offload.
Fix this by removing the advertisement of IFF_SUPP_NOFCS.
This behavior can be reproduced with a simple AF_PACKET socket:
    import socket
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW)
    s.setsockopt(socket.SOL_SOCKET, 43, 1)  # SO_NOFCS
    s.bind(("eth0", 0))
    s.send(b'\xff' * 64)
Previously, send() succeeds but the driver ignores SO_NOFCS.
With this change, send() fails with -EPROTONOSUPPORT, as expected.
Fixes: 41c445ff0f48 ("i40e: main driver core")
Signed-off-by: Kohei Enju <kohei@enjuk.jp>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Tested-by: Sunitha Mekala <sunithax.d.mekala@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260416-iwl-net-submission-2026-04-14-v2-9-686c33c9828d@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/i40e/i40e_main.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
index be4471072fe28..a1a0e7c9fb7f2 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
@@ -13864,7 +13864,6 @@ static int i40e_config_netdev(struct i40e_vsi *vsi)
netdev->neigh_priv_len = sizeof(u32) * 4;
netdev->priv_flags |= IFF_UNICAST_FLT;
- netdev->priv_flags |= IFF_SUPP_NOFCS;
/* Setup netdev TC information */
i40e_vsi_config_netdev_tc(vsi, vsi->tc_config.enabled_tc);
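Review bot: dropping IFF_SUPP_NOFCS in i40e_config_netdev() is a user-visible behaviour change for a stable release: per the commit message, send() on a socket with SO_NOFCS set goes from succeeding with the option ignored to failing with -EPROTONOSUPPORT. The change itself is right, but applications that set SO_NOFCS unconditionally on i40e interfaces will start seeing errors after the update, so it should be called out for anyone tracking regressions in this release.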
--
2.53.0
* [PATCH 6.1 695/969] e1000e: Unroll PTP in probe error handling
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (693 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 694/969] i40e: dont advertise IFF_SUPP_NOFCS Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 696/969] ipv6: fix possible UAF in icmpv6_rcv() Greg Kroah-Hartman
` (280 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matt Vollrath, Avigail Dahan,
Jacob Keller, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matt Vollrath <tactii@gmail.com>
[ Upstream commit aa3f7fe409350857c25d050482a2eef2cfd69b58 ]
If probe fails after registering the PTP clock and its delayed work,
these resources must be released.
This was not an issue until a 2016 fix moved the e1000e_ptp_init() call
before the jump to err_register.
Fixes: aa524b66c5ef ("e1000e: don't modify SYSTIM registers during SIOCSHWTSTAMP ioctl")
Signed-off-by: Matt Vollrath <tactii@gmail.com>
Tested-by: Avigail Dahan <avigailx.dahan@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260416-iwl-net-submission-2026-04-14-v2-12-686c33c9828d@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/e1000e/netdev.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c
index fd056c17bd62e..f16668f47165b 100644
--- a/drivers/net/ethernet/intel/e1000e/netdev.c
+++ b/drivers/net/ethernet/intel/e1000e/netdev.c
@@ -7695,6 +7695,7 @@ static int e1000_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
err_register:
if (!(adapter->flags & FLAG_HAS_AMT))
e1000e_release_hw_control(adapter);
+ e1000e_ptp_remove(adapter);
err_eeprom:
if (hw->phy.ops.check_reset_block && !hw->phy.ops.check_reset_block(hw))
e1000_phy_hw_reset(&adapter->hw);
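Review bot: the added e1000e_ptp_remove(adapter) under err_register runs for every failure that jumps to this label, so it has to be safe when e1000e_ptp_init() registered no clock or delayed work (for example when PTP is unsupported or clock registration failed). The commit message should state that e1000e_ptp_remove() is a no-op in that case, or the call should be guarded. Paths that jump straight to err_eeprom skip the teardown, which is correct only if none of them can be taken after e1000e_ptp_init(); that is worth confirming for the 6.1 version of e1000_probe().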
--
2.53.0
* [PATCH 6.1 696/969] ipv6: fix possible UAF in icmpv6_rcv()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (694 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 695/969] e1000e: Unroll PTP in probe error handling Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 697/969] sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks Greg Kroah-Hartman
` (279 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet,
Fernando Fernandez Mancera, Joe Damato, Ido Schimmel,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit f996edd7615e686ada141b7f3395025729ff8ccb ]
Caching saddr and daddr before pskb_pull() is problematic
since skb->head can change.
Remove these temporary variables:
- We only access &ipv6_hdr(skb)->saddr and &ipv6_hdr(skb)->daddr
when net_dbg_ratelimited() is called in the slow path.
- Avoid potential future misuse after pskb_pull() call.
Fixes: 4b3418fba0fe ("ipv6: icmp: include addresses in debug messages")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Reviewed-by: Joe Damato <joe@dama.to>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260416103505.2380753-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/icmp.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
index 80eabb22d144f..877cb5e8ded7b 100644
--- a/net/ipv6/icmp.c
+++ b/net/ipv6/icmp.c
@@ -889,7 +889,6 @@ static int icmpv6_rcv(struct sk_buff *skb)
struct net *net = dev_net(skb->dev);
struct net_device *dev = icmp6_dev(skb);
struct inet6_dev *idev = __in6_dev_get(dev);
- const struct in6_addr *saddr, *daddr;
struct icmp6hdr *hdr;
u8 type;
@@ -920,12 +919,10 @@ static int icmpv6_rcv(struct sk_buff *skb)
__ICMP6_INC_STATS(dev_net(dev), idev, ICMP6_MIB_INMSGS);
- saddr = &ipv6_hdr(skb)->saddr;
- daddr = &ipv6_hdr(skb)->daddr;
-
if (skb_checksum_validate(skb, IPPROTO_ICMPV6, ip6_compute_pseudo)) {
net_dbg_ratelimited("ICMPv6 checksum failed [%pI6c > %pI6c]\n",
- saddr, daddr);
+ &ipv6_hdr(skb)->saddr,
+ &ipv6_hdr(skb)->daddr);
goto csum_error;
}
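Review bot: nothing at the checksum-failure site says why the addresses are re-read through ipv6_hdr(skb) instead of being held in locals, so a later cleanup could reintroduce the cached saddr/daddr pointers. A one-line comment above net_dbg_ratelimited() noting that skb->head can change across pskb_pull() would keep the reason next to the code.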
@@ -1007,7 +1004,8 @@ static int icmpv6_rcv(struct sk_buff *skb)
break;
net_dbg_ratelimited("icmpv6: msg of unknown type [%pI6c > %pI6c]\n",
- saddr, daddr);
+ &ipv6_hdr(skb)->saddr,
+ &ipv6_hdr(skb)->daddr);
/*
* error of unknown type.
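Review bot: the commit message does not say which of the two debug sites can actually run after pskb_pull(). Going by the hunk positions, the checksum site sits near the start of icmpv6_rcv() and this unknown-type site sits at the end of the type switch, so this one looks like the stale-pointer case. Naming it in the message would help anyone judging the severity of the backport.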
--
2.53.0
* [PATCH 6.1 697/969] sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (695 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 696/969] ipv6: fix possible UAF in icmpv6_rcv() Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 698/969] pppoe: drop PFC frames Greg Kroah-Hartman
` (278 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Xin Long,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
[ Upstream commit 0cf004ffb61cd32d140531c3a84afe975f9fc7ea ]
sctp_getsockopt_peer_auth_chunks() checks that the caller's optval
buffer is large enough for the peer AUTH chunk list with
if (len < num_chunks)
return -EINVAL;
but then writes num_chunks bytes to p->gauth_chunks, which lives
at offset offsetof(struct sctp_authchunks, gauth_chunks) == 8
inside optval. The check is missing the sizeof(struct
sctp_authchunks) = 8-byte header. When the caller supplies
len == num_chunks (for any num_chunks > 0) the test passes but
copy_to_user() writes sizeof(struct sctp_authchunks) = 8 bytes
past the declared buffer.
The sibling function sctp_getsockopt_local_auth_chunks() at the
next line already has the correct check:
if (len < sizeof(struct sctp_authchunks) + num_chunks)
return -EINVAL;
Align the peer variant with its sibling.
Reproducer confirms on v7.0-13-generic: an unprivileged userspace
caller that opens a loopback SCTP association with AUTH enabled,
queries num_chunks with a short optval, then issues the real
getsockopt with len == num_chunks and sentinel bytes painted past
the buffer observes those sentinel bytes overwritten with the
peer's AUTH chunk type. The bytes written are under the peer's
control but land in the caller's own userspace; this is not a
kernel memory corruption, but it is a kernel-side contract
violation that can silently corrupt adjacent userspace data.
Fixes: 65b07e5d0d09 ("[SCTP]: API updates to suport SCTP-AUTH extensions.")
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Acked-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/20260416031903.1447072-1-michael.bommarito@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sctp/socket.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index dfc613859ff58..b544f403f7ca8 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -6995,7 +6995,7 @@ static int sctp_getsockopt_peer_auth_chunks(struct sock *sk, int len,
/* See if the user provided enough room for all the data */
num_chunks = ntohs(ch->param_hdr.length) - sizeof(struct sctp_paramhdr);
- if (len < num_chunks)
+ if (len < sizeof(struct sctp_authchunks) + num_chunks)
return -EINVAL;
if (copy_to_user(to, ch->chunks, num_chunks))
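Review bot: len is an int in the function signature, and with sizeof() on the right-hand side the new comparison is evaluated in size_t, so a negative len converts to a large unsigned value and passes the check. If an earlier test in this function or the getsockopt entry path already rejects negative len, say so in the commit message; otherwise add an explicit len < 0 test. The context line above also subtracts sizeof(struct sctp_paramhdr) from ntohs(ch->param_hdr.length) with no lower-bound check visible here, so confirm the parameter length is validated when the peer's AUTH chunk list is stored.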
--
2.53.0
* [PATCH 6.1 698/969] pppoe: drop PFC frames
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (696 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 697/969] sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 699/969] openvswitch: cap upcall PID array size and pre-size vport replies Greg Kroah-Hartman
` (277 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qingfang Deng, Simon Horman,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qingfang Deng <qingfang.deng@linux.dev>
[ Upstream commit cc1ff87bce1ccd38410ab10960f576dcd17db679 ]
RFC 2516 Section 7 states that Protocol Field Compression (PFC) is NOT
RECOMMENDED for PPPoE. In practice, pppd does not support negotiating
PFC for PPPoE sessions, and the current PPPoE driver assumes an
uncompressed (2-byte) protocol field. However, the generic PPP layer
function ppp_input() is not aware of the negotiation result, and still
accepts PFC frames.
If a peer with a broken implementation or an attacker sends a frame with
a compressed (1-byte) protocol field, the subsequent PPP payload is
shifted by one byte. This causes the network header to be 4-byte
misaligned, which may trigger unaligned access exceptions on some
architectures.
To reduce the attack surface, drop PPPoE PFC frames. Introduce
ppp_skb_is_compressed_proto() helper function to be used in both
ppp_generic.c and pppoe.c to avoid open-coding.
Fixes: 7fb1b8ca8fa1 ("ppp: Move PFC decompression to PPP generic layer")
Signed-off-by: Qingfang Deng <qingfang.deng@linux.dev>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260415022456.141758-2-qingfang.deng@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ppp/ppp_generic.c | 2 +-
drivers/net/ppp/pppoe.c | 8 +++++++-
include/linux/ppp_defs.h | 16 ++++++++++++++++
3 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
index 89973d0959a68..df72070a3879d 100644
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -2245,7 +2245,7 @@ ppp_do_recv(struct ppp *ppp, struct sk_buff *skb, struct channel *pch)
*/
static void __ppp_decompress_proto(struct sk_buff *skb)
{
- if (skb->data[0] & 0x01)
+ if (ppp_skb_is_compressed_proto(skb))
*(u8 *)skb_push(skb, 1) = 0x00;
}
diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c
index c6f44af35889d..1744a3e3ae2cf 100644
--- a/drivers/net/ppp/pppoe.c
+++ b/drivers/net/ppp/pppoe.c
@@ -425,7 +425,7 @@ static int pppoe_rcv(struct sk_buff *skb, struct net_device *dev,
if (skb_mac_header_len(skb) < ETH_HLEN)
goto drop;
- if (!pskb_may_pull(skb, sizeof(struct pppoe_hdr)))
+ if (!pskb_may_pull(skb, PPPOE_SES_HLEN))
goto drop;
ph = pppoe_hdr(skb);
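Review bot: the switch from sizeof(struct pppoe_hdr) to PPPOE_SES_HLEN in pskb_may_pull() is what makes the later skb->data[0] read safe, but neither this hunk nor the commit message says so. Add a sentence to the message, or a comment here, stating that the pull now covers the PPP protocol field as well as the PPPoE header, and that frames too short to carry a protocol field are now dropped at this point.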
@@ -435,6 +435,12 @@ static int pppoe_rcv(struct sk_buff *skb, struct net_device *dev,
if (skb->len < len)
goto drop;
+ /* skb->data points to the PPP protocol header after skb_pull_rcsum.
+ * Drop PFC frames.
+ */
+ if (ppp_skb_is_compressed_proto(skb))
+ goto drop;
+
if (pskb_trim_rcsum(skb, len))
goto drop;
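Review bot: ppp_skb_is_compressed_proto() is called after only the skb->len < len test, so when the PPPoE length field is 0 the byte examined is not part of the declared payload. Check that len covers at least the first protocol byte before looking at skb->data[0]. The drop is also silent; a ratelimited debug message or a drop counter would make a PFC-sending peer diagnosable.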
diff --git a/include/linux/ppp_defs.h b/include/linux/ppp_defs.h
index b7e57fdbd4139..b1d1f46d7d3be 100644
--- a/include/linux/ppp_defs.h
+++ b/include/linux/ppp_defs.h
@@ -8,6 +8,7 @@
#define _PPP_DEFS_H_
#include <linux/crc-ccitt.h>
+#include <linux/skbuff.h>
#include <uapi/linux/ppp_defs.h>
#define PPP_FCS(fcs, c) crc_ccitt_byte(fcs, c)
@@ -25,4 +26,19 @@ static inline bool ppp_proto_is_valid(u16 proto)
return !!((proto & 0x0101) == 0x0001);
}
+/**
+ * ppp_skb_is_compressed_proto - checks if PPP protocol in a skb is compressed
+ * @skb: skb to check
+ *
+ * Check if the PPP protocol field is compressed (the least significant
+ * bit of the most significant octet is 1). skb->data must point to the PPP
+ * protocol header.
+ *
+ * Return: Whether the PPP protocol field is compressed.
+ */
+static inline bool ppp_skb_is_compressed_proto(const struct sk_buff *skb)
+{
+ return unlikely(skb->data[0] & 0x01);
+}
+
#endif /* _PPP_DEFS_H_ */
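Review bot: the unlikely() inside ppp_skb_is_compressed_proto() now also applies to __ppp_decompress_proto() in ppp_generic.c, where the original skb->data[0] & 0x01 test had no branch hint and, per the commit message, the generic layer still accepts PFC frames. Have the helper return the plain test and put the hint at the pppoe.c call site. The kernel-doc should also state that the caller must guarantee at least one readable byte at skb->data.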
--
2.53.0
* [PATCH 6.1 699/969] openvswitch: cap upcall PID array size and pre-size vport replies
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (697 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 698/969] pppoe: drop PFC frames Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 700/969] netfilter: nft_osf: restrict it to ipv4 Greg Kroah-Hartman
` (276 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi,
Ilya Maximets, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Weiming Shi <bestswngs@gmail.com>
[ Upstream commit 2091c6aa0df6aba47deb5c8ab232b1cb60af3519 ]
The vport netlink reply helpers allocate a fixed-size skb with
nlmsg_new(NLMSG_DEFAULT_SIZE, ...) but serialize the full upcall PID
array via ovs_vport_get_upcall_portids(). Since
ovs_vport_set_upcall_portids() accepts any non-zero multiple of
sizeof(u32) with no upper bound, a CAP_NET_ADMIN user can install a PID
array large enough to overflow the reply buffer, causing nla_put() to
fail with -EMSGSIZE and hitting BUG_ON(err < 0). On systems with
unprivileged user namespaces enabled (e.g., Ubuntu default), this is
reachable via unshare -Urn since OVS vport mutation operations use
GENL_UNS_ADMIN_PERM.
kernel BUG at net/openvswitch/datapath.c:2414!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 1 UID: 0 PID: 65 Comm: poc Not tainted 7.0.0-rc7-00195-geb216e422044 #1
RIP: 0010:ovs_vport_cmd_set+0x34c/0x400
Call Trace:
<TASK>
genl_family_rcv_msg_doit (net/netlink/genetlink.c:1116)
genl_rcv_msg (net/netlink/genetlink.c:1194)
netlink_rcv_skb (net/netlink/af_netlink.c:2550)
genl_rcv (net/netlink/genetlink.c:1219)
netlink_unicast (net/netlink/af_netlink.c:1344)
netlink_sendmsg (net/netlink/af_netlink.c:1894)
__sys_sendto (net/socket.c:2206)
__x64_sys_sendto (net/socket.c:2209)
do_syscall_64 (arch/x86/entry/syscall_64.c:63)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
</TASK>
Kernel panic - not syncing: Fatal exception
Reject attempts to set more PIDs than nr_cpu_ids in
ovs_vport_set_upcall_portids(), and pre-compute the worst-case reply
size in ovs_vport_cmd_msg_size() based on that bound, similar to the
existing ovs_dp_cmd_msg_size(). nr_cpu_ids matches the cap already
used by the per-CPU dispatch configuration on the datapath side
(ovs_dp_cmd_fill_info() serialises at most nr_cpu_ids PIDs), so the
two sides stay consistent.
Fixes: 5cd667b0a456 ("openvswitch: Allow each vport to have an array of 'port_id's.")
Reported-by: Xiang Mei <xmei5@asu.edu>
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Ilya Maximets <i.maximets@ovn.org>
Link: https://patch.msgid.link/20260416024653.153456-2-bestswngs@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/openvswitch/datapath.c | 35 +++++++++++++++++++++++++++++++++--
net/openvswitch/vport.c | 3 +++
2 files changed, 36 insertions(+), 2 deletions(-)
diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
index a2d8b1b4c83e5..c751d6b36febd 100644
--- a/net/openvswitch/datapath.c
+++ b/net/openvswitch/datapath.c
@@ -2128,9 +2128,40 @@ static int ovs_vport_cmd_fill_info(struct vport *vport, struct sk_buff *skb,
return err;
}
+static size_t ovs_vport_cmd_msg_size(void)
+{
+ size_t msgsize = NLMSG_ALIGN(sizeof(struct ovs_header));
+
+ msgsize += nla_total_size(sizeof(u32)); /* OVS_VPORT_ATTR_PORT_NO */
+ msgsize += nla_total_size(sizeof(u32)); /* OVS_VPORT_ATTR_TYPE */
+ msgsize += nla_total_size(IFNAMSIZ); /* OVS_VPORT_ATTR_NAME */
+ msgsize += nla_total_size(sizeof(u32)); /* OVS_VPORT_ATTR_IFINDEX */
+ msgsize += nla_total_size(sizeof(s32)); /* OVS_VPORT_ATTR_NETNSID */
+
+ /* OVS_VPORT_ATTR_STATS */
+ msgsize += nla_total_size_64bit(sizeof(struct ovs_vport_stats));
+
+ /* OVS_VPORT_ATTR_UPCALL_STATS(OVS_VPORT_UPCALL_ATTR_SUCCESS +
+ * OVS_VPORT_UPCALL_ATTR_FAIL)
+ */
+ msgsize += nla_total_size(nla_total_size_64bit(sizeof(u64)) +
+ nla_total_size_64bit(sizeof(u64)));
+
+ /* OVS_VPORT_ATTR_UPCALL_PID */
+ msgsize += nla_total_size(nr_cpu_ids * sizeof(u32));
+
+ /* OVS_VPORT_ATTR_OPTIONS(OVS_TUNNEL_ATTR_DST_PORT +
+ * OVS_TUNNEL_ATTR_EXTENSION(OVS_VXLAN_EXT_GBP))
+ */
+ msgsize += nla_total_size(nla_total_size(sizeof(u16)) +
+ nla_total_size(nla_total_size(0)));
+
+ return msgsize;
+}
+
static struct sk_buff *ovs_vport_cmd_alloc_info(void)
{
- return nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+ return genlmsg_new(ovs_vport_cmd_msg_size(), GFP_KERNEL);
}
/* Called with ovs_mutex, only via ovs_dp_notify_wq(). */
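Review bot: ovs_vport_cmd_msg_size() hard-codes the attribute list that ovs_vport_cmd_fill_info() emits, and the BUG_ON(err < 0) described in the commit message is left in place by this patch. Any attribute later added to the fill path without updating this function brings the panic back, so add a comment tying the two functions together and consider replacing the BUG_ON with a WARN plus error return. The OVS_VPORT_ATTR_OPTIONS term sizes only the tunnel DST_PORT and VXLAN GBP extension case; confirm that no other vport type in 6.1 emits larger options.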
@@ -2140,7 +2171,7 @@ struct sk_buff *ovs_vport_cmd_build_info(struct vport *vport, struct net *net,
struct sk_buff *skb;
int retval;
- skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+ skb = ovs_vport_cmd_alloc_info();
if (!skb)
return ERR_PTR(-ENOMEM);
diff --git a/net/openvswitch/vport.c b/net/openvswitch/vport.c
index 82a74f9989667..5d7af559a20be 100644
--- a/net/openvswitch/vport.c
+++ b/net/openvswitch/vport.c
@@ -342,6 +342,9 @@ int ovs_vport_set_upcall_portids(struct vport *vport, const struct nlattr *ids)
if (!nla_len(ids) || nla_len(ids) % sizeof(u32))
return -EINVAL;
+ if (nla_len(ids) / sizeof(u32) > nr_cpu_ids)
+ return -EINVAL;
+
old = ovsl_dereference(vport->upcall_portids);
vport_portids = kmalloc(sizeof(*vport_portids) + nla_len(ids),
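Review bot: the new nr_cpu_ids bound returns the same bare -EINVAL as the malformed-length test just above it, so userspace cannot tell an oversized PID array from a misaligned one. The commit message justifies nr_cpu_ids from the per-CPU dispatch side; since this is going to stable, it should also state that existing userspace never installs more upcall PIDs per vport than nr_cpu_ids, otherwise configurations that worked before will start failing.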
--
2.53.0
* [PATCH 6.1 700/969] netfilter: nft_osf: restrict it to ipv4
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (698 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 699/969] openvswitch: cap upcall PID array size and pre-size vport replies Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 701/969] netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO Greg Kroah-Hartman
` (275 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Westphal,
Fernando Fernandez Mancera, Pablo Neira Ayuso, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit b336fdbb7103fb1484e1dcb6741151d4b5a41e35 ]
This expression only supports ipv4, restrict it.
Fixes: b96af92d6eaf ("netfilter: nf_tables: implement Passive OS fingerprint module in nft_osf")
Acked-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_osf.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nft_osf.c b/net/netfilter/nft_osf.c
index adacf95b6e2bd..9bf2dfd351846 100644
--- a/net/netfilter/nft_osf.c
+++ b/net/netfilter/nft_osf.c
@@ -28,6 +28,11 @@ static void nft_osf_eval(const struct nft_expr *expr, struct nft_regs *regs,
struct nf_osf_data data;
struct tcphdr _tcph;
+ if (nft_pf(pkt) != NFPROTO_IPV4) {
+ regs->verdict.code = NFT_BREAK;
+ return;
+ }
+
if (pkt->tprot != IPPROTO_TCP) {
regs->verdict.code = NFT_BREAK;
return;
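Review bot: the new nft_pf(pkt) != NFPROTO_IPV4 block duplicates the body of the pkt->tprot != IPPROTO_TCP block directly below it. Fold the two conditions into one if, and add a comment that the runtime family check is needed because nft_osf_validate() still accepts NFPROTO_INET, where IPv6 packets can reach this expression.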
@@ -119,7 +124,6 @@ static int nft_osf_validate(const struct nft_ctx *ctx,
switch (ctx->family) {
case NFPROTO_IPV4:
- case NFPROTO_IPV6:
case NFPROTO_INET:
hooks = (1 << NF_INET_LOCAL_IN) |
(1 << NF_INET_PRE_ROUTING) |
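Review bot: dropping case NFPROTO_IPV6 from nft_osf_validate() is a user-visible change for any existing ip6-family ruleset that uses osf, and the one-line commit message neither mentions that nor describes what goes wrong on the IPv6 path today. The message should state the failure being prevented and the behaviour change, so stable users can judge the impact.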
--
2.53.0
* [PATCH 6.1 701/969] netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (699 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 700/969] netfilter: nft_osf: restrict it to ipv4 Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 702/969] netfilter: conntrack: remove sprintf usage Greg Kroah-Hartman
` (274 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Weiming Shi, Florian Westphal,
Pablo Neira Ayuso, Xiang Mei, Fernando Fernandez Mancera,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiang Mei <xmei5@asu.edu>
[ Upstream commit 2195574dc6d9017d32ac346987e12659f931d932 ]
nf_osf_match_one() computes ctx->window % f->wss.val in the
OSF_WSS_MODULO branch with no guard for f->wss.val == 0. A
CAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a
subsequent matching TCP SYN divides by zero and panics the kernel.
Reject the bogus fingerprint in nfnl_osf_add_callback() above the
per-option for-loop. f->wss is per-fingerprint, not per-option, so
the check must run regardless of f->opt_num (including 0). Also
reject wss.wc >= OSF_WSS_MAX; nf_osf_match_one() already treats that
as "should not happen".
Crash:
Oops: divide error: 0000 [#1] SMP KASAN NOPTI
RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)
Call Trace:
<IRQ>
nf_osf_match (net/netfilter/nfnetlink_osf.c:220)
xt_osf_match_packet (net/netfilter/xt_osf.c:32)
ipt_do_table (net/ipv4/netfilter/ip_tables.c:348)
nf_hook_slow (net/netfilter/core.c:622)
ip_local_deliver (net/ipv4/ip_input.c:265)
ip_rcv (include/linux/skbuff.h:1162)
__netif_receive_skb_one_core (net/core/dev.c:6181)
process_backlog (net/core/dev.c:6642)
__napi_poll (net/core/dev.c:7710)
net_rx_action (net/core/dev.c:7945)
handle_softirqs (kernel/softirq.c:622)
Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match")
Reported-by: Weiming Shi <bestswngs@gmail.com>
Suggested-by: Florian Westphal <fw@strlen.de>
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Xiang Mei <xmei5@asu.edu>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nfnetlink_osf.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
index da9d5d6de98f4..000a5c280ef96 100644
--- a/net/netfilter/nfnetlink_osf.c
+++ b/net/netfilter/nfnetlink_osf.c
@@ -320,6 +320,10 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,
if (f->opt_num > ARRAY_SIZE(f->opt))
return -EINVAL;
+ if (f->wss.wc >= OSF_WSS_MAX ||
+ (f->wss.wc == OSF_WSS_MODULO && f->wss.val == 0))
+ return -EINVAL;
+
for (i = 0; i < f->opt_num; i++) {
if (!f->opt[i].length || f->opt[i].length > MAX_IPOPTLEN)
return -EINVAL;
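Review bot: the new f->wss test is the only thing keeping ctx->window % f->wss.val in nf_osf_match_one() from dividing by zero, but nothing at this site records that dependency. Add a short comment that the match path relies on wss.val being non-zero for OSF_WSS_MODULO, so a later refactor of nfnl_osf_add_callback() does not drop the check. Both rejections also return a bare -EINVAL, the same as the opt_num test above, which gives the user no hint about which field was wrong.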
--
2.53.0
* [PATCH 6.1 702/969] netfilter: conntrack: remove sprintf usage
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (700 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 701/969] netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 703/969] netfilter: xtables: restrict several matches to inet family Greg Kroah-Hartman
` (273 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yiming Qian, Florian Westphal,
Pablo Neira Ayuso, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 6e7066bdb481a87fe88c4fa563e348c03b2d373d ]
Replace it with scnprintf, the buffer sizes are expected to be large enough
to hold the result, no need for snprintf+overflow check.
Increase buffer size in mangle_content_len() while at it.
BUG: KASAN: stack-out-of-bounds in vsnprintf+0xea5/0x1270
Write of size 1 at addr [..]
vsnprintf+0xea5/0x1270
sprintf+0xb1/0xe0
mangle_content_len+0x1ac/0x280
nf_nat_sdp_session+0x1cc/0x240
process_sdp+0x8f8/0xb80
process_invite_request+0x108/0x2b0
process_sip_msg+0x5da/0xf50
sip_help_tcp+0x45e/0x780
nf_confirm+0x34d/0x990
[..]
Fixes: 9fafcd7b2032 ("[NETFILTER]: nf_conntrack/nf_nat: add SIP helper port")
Reported-by: Yiming Qian <yimingqian591@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_nat_amanda.c | 2 +-
net/netfilter/nf_nat_sip.c | 33 ++++++++++++++++++---------------
2 files changed, 19 insertions(+), 16 deletions(-)
diff --git a/net/netfilter/nf_nat_amanda.c b/net/netfilter/nf_nat_amanda.c
index 98deef6cde694..8f1054920a857 100644
--- a/net/netfilter/nf_nat_amanda.c
+++ b/net/netfilter/nf_nat_amanda.c
@@ -50,7 +50,7 @@ static unsigned int help(struct sk_buff *skb,
return NF_DROP;
}
- sprintf(buffer, "%u", port);
+ snprintf(buffer, sizeof(buffer), "%u", port);
if (!nf_nat_mangle_udp_packet(skb, exp->master, ctinfo,
protoff, matchoff, matchlen,
buffer, strlen(buffer))) {
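Review bot: this call site uses snprintf() while the commit message and every nf_nat_sip.c hunk use scnprintf(). The result is the same here because the length passed on is strlen(buffer), but use scnprintf() for consistency or mention the exception in the message.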
diff --git a/net/netfilter/nf_nat_sip.c b/net/netfilter/nf_nat_sip.c
index cf4aeb299bdef..c845b6d1a2bdf 100644
--- a/net/netfilter/nf_nat_sip.c
+++ b/net/netfilter/nf_nat_sip.c
@@ -68,25 +68,27 @@ static unsigned int mangle_packet(struct sk_buff *skb, unsigned int protoff,
}
static int sip_sprintf_addr(const struct nf_conn *ct, char *buffer,
+ size_t size,
const union nf_inet_addr *addr, bool delim)
{
if (nf_ct_l3num(ct) == NFPROTO_IPV4)
- return sprintf(buffer, "%pI4", &addr->ip);
+ return scnprintf(buffer, size, "%pI4", &addr->ip);
else {
if (delim)
- return sprintf(buffer, "[%pI6c]", &addr->ip6);
+ return scnprintf(buffer, size, "[%pI6c]", &addr->ip6);
else
- return sprintf(buffer, "%pI6c", &addr->ip6);
+ return scnprintf(buffer, size, "%pI6c", &addr->ip6);
}
}
static int sip_sprintf_addr_port(const struct nf_conn *ct, char *buffer,
+ size_t size,
const union nf_inet_addr *addr, u16 port)
{
if (nf_ct_l3num(ct) == NFPROTO_IPV4)
- return sprintf(buffer, "%pI4:%u", &addr->ip, port);
+ return scnprintf(buffer, size, "%pI4:%u", &addr->ip, port);
else
- return sprintf(buffer, "[%pI6c]:%u", &addr->ip6, port);
+ return scnprintf(buffer, size, "[%pI6c]:%u", &addr->ip6, port);
}
static int map_addr(struct sk_buff *skb, unsigned int protoff,
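Review bot: with scnprintf() an undersized buffer in sip_sprintf_addr() or sip_sprintf_addr_port() now yields a silently truncated string, and the callers pass the returned length straight to mangle_packet(), so a truncated address would be written into the SIP message. The commit message says the buffers are expected to be large enough; back that assumption with a one-time warning in the two helpers when the formatted length would not have fit, so a future format or buffer change fails loudly instead of corrupting the payload.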
@@ -119,7 +121,7 @@ static int map_addr(struct sk_buff *skb, unsigned int protoff,
if (nf_inet_addr_cmp(&newaddr, addr) && newport == port)
return 1;
- buflen = sip_sprintf_addr_port(ct, buffer, &newaddr, ntohs(newport));
+ buflen = sip_sprintf_addr_port(ct, buffer, sizeof(buffer), &newaddr, ntohs(newport));
return mangle_packet(skb, protoff, dataoff, dptr, datalen,
matchoff, matchlen, buffer, buflen);
}
@@ -212,7 +214,7 @@ static unsigned int nf_nat_sip(struct sk_buff *skb, unsigned int protoff,
&addr, true) > 0 &&
nf_inet_addr_cmp(&addr, &ct->tuplehash[dir].tuple.src.u3) &&
!nf_inet_addr_cmp(&addr, &ct->tuplehash[!dir].tuple.dst.u3)) {
- buflen = sip_sprintf_addr(ct, buffer,
+ buflen = sip_sprintf_addr(ct, buffer, sizeof(buffer),
&ct->tuplehash[!dir].tuple.dst.u3,
true);
if (!mangle_packet(skb, protoff, dataoff, dptr, datalen,
@@ -229,7 +231,7 @@ static unsigned int nf_nat_sip(struct sk_buff *skb, unsigned int protoff,
&addr, false) > 0 &&
nf_inet_addr_cmp(&addr, &ct->tuplehash[dir].tuple.dst.u3) &&
!nf_inet_addr_cmp(&addr, &ct->tuplehash[!dir].tuple.src.u3)) {
- buflen = sip_sprintf_addr(ct, buffer,
+ buflen = sip_sprintf_addr(ct, buffer, sizeof(buffer),
&ct->tuplehash[!dir].tuple.src.u3,
false);
if (!mangle_packet(skb, protoff, dataoff, dptr, datalen,
@@ -247,7 +249,7 @@ static unsigned int nf_nat_sip(struct sk_buff *skb, unsigned int protoff,
htons(n) == ct->tuplehash[dir].tuple.dst.u.udp.port &&
htons(n) != ct->tuplehash[!dir].tuple.src.u.udp.port) {
__be16 p = ct->tuplehash[!dir].tuple.src.u.udp.port;
- buflen = sprintf(buffer, "%u", ntohs(p));
+ buflen = scnprintf(buffer, sizeof(buffer), "%u", ntohs(p));
if (!mangle_packet(skb, protoff, dataoff, dptr, datalen,
poff, plen, buffer, buflen)) {
nf_ct_helper_log(skb, ct, "cannot mangle rport");
@@ -418,7 +420,8 @@ static unsigned int nf_nat_sip_expect(struct sk_buff *skb, unsigned int protoff,
if (!nf_inet_addr_cmp(&exp->tuple.dst.u3, &exp->saved_addr) ||
exp->tuple.dst.u.udp.port != exp->saved_proto.udp.port) {
- buflen = sip_sprintf_addr_port(ct, buffer, &newaddr, port);
+ buflen = sip_sprintf_addr_port(ct, buffer, sizeof(buffer),
+ &newaddr, port);
if (!mangle_packet(skb, protoff, dataoff, dptr, datalen,
matchoff, matchlen, buffer, buflen)) {
nf_ct_helper_log(skb, ct, "cannot mangle packet");
@@ -438,8 +441,8 @@ static int mangle_content_len(struct sk_buff *skb, unsigned int protoff,
{
enum ip_conntrack_info ctinfo;
struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
+ char buffer[sizeof("4294967295")];
unsigned int matchoff, matchlen;
- char buffer[sizeof("65536")];
int buflen, c_len;
/* Get actual SDP length */
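Review bot: buffer is now sized for the full u32 range, but c_len is still declared int in the line below and is printed with %u in the following hunk, so the sizing is correct only because of the unsigned conversion. Declare c_len as unsigned int so that the type, the format specifier and sizeof("4294967295") agree.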
@@ -454,7 +457,7 @@ static int mangle_content_len(struct sk_buff *skb, unsigned int protoff,
&matchoff, &matchlen) <= 0)
return 0;
- buflen = sprintf(buffer, "%u", c_len);
+ buflen = scnprintf(buffer, sizeof(buffer), "%u", c_len);
return mangle_packet(skb, protoff, dataoff, dptr, datalen,
matchoff, matchlen, buffer, buflen);
}
@@ -491,7 +494,7 @@ static unsigned int nf_nat_sdp_addr(struct sk_buff *skb, unsigned int protoff,
char buffer[INET6_ADDRSTRLEN];
unsigned int buflen;
- buflen = sip_sprintf_addr(ct, buffer, addr, false);
+ buflen = sip_sprintf_addr(ct, buffer, sizeof(buffer), addr, false);
if (mangle_sdp_packet(skb, protoff, dataoff, dptr, datalen,
sdpoff, type, term, buffer, buflen))
return 0;
@@ -509,7 +512,7 @@ static unsigned int nf_nat_sdp_port(struct sk_buff *skb, unsigned int protoff,
char buffer[sizeof("nnnnn")];
unsigned int buflen;
- buflen = sprintf(buffer, "%u", port);
+ buflen = scnprintf(buffer, sizeof(buffer), "%u", port);
if (!mangle_packet(skb, protoff, dataoff, dptr, datalen,
matchoff, matchlen, buffer, buflen))
return 0;
@@ -529,7 +532,7 @@ static unsigned int nf_nat_sdp_session(struct sk_buff *skb, unsigned int protoff
unsigned int buflen;
/* Mangle session description owner and contact addresses */
- buflen = sip_sprintf_addr(ct, buffer, addr, false);
+ buflen = sip_sprintf_addr(ct, buffer, sizeof(buffer), addr, false);
if (mangle_sdp_packet(skb, protoff, dataoff, dptr, datalen, sdpoff,
SDP_HDR_OWNER, SDP_HDR_MEDIA, buffer, buflen))
return 0;
--
2.53.0
* [PATCH 6.1 703/969] netfilter: xtables: restrict several matches to inet family
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (701 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 702/969] netfilter: conntrack: remove sprintf usage Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 704/969] ipvs: fix MTU check for GSO packets in tunnel mode Greg Kroah-Hartman
` (272 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kito Xu (veritas501),
Pablo Neira Ayuso, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit b6fe26f86a1649f84e057f3f15605b08eda15497 ]
This is a partial revert of:
commit ab4f21e6fb1c ("netfilter: xtables: use NFPROTO_UNSPEC in more extensions")
to allow ipv4 and ipv6 only.
- xt_mac
- xt_owner
- xt_physdev
These extensions are not used by ebtables in userspace.
Moreover, xt_realm is only for ipv4, since dst->tclassid is ipv4
specific.
Fixes: ab4f21e6fb1c ("netfilter: xtables: use NFPROTO_UNSPEC in more extensions")
Reported-by: "Kito Xu (veritas501)" <hxzene@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/xt_mac.c | 34 +++++++++++++++++++++++-----------
net/netfilter/xt_owner.c | 37 +++++++++++++++++++++++++------------
net/netfilter/xt_physdev.c | 29 +++++++++++++++++++----------
net/netfilter/xt_realm.c | 2 +-
4 files changed, 68 insertions(+), 34 deletions(-)
diff --git a/net/netfilter/xt_mac.c b/net/netfilter/xt_mac.c
index 81649da57ba5d..bd2354760895d 100644
--- a/net/netfilter/xt_mac.c
+++ b/net/netfilter/xt_mac.c
@@ -38,25 +38,37 @@ static bool mac_mt(const struct sk_buff *skb, struct xt_action_param *par)
return ret;
}
-static struct xt_match mac_mt_reg __read_mostly = {
- .name = "mac",
- .revision = 0,
- .family = NFPROTO_UNSPEC,
- .match = mac_mt,
- .matchsize = sizeof(struct xt_mac_info),
- .hooks = (1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_IN) |
- (1 << NF_INET_FORWARD),
- .me = THIS_MODULE,
+static struct xt_match mac_mt_reg[] __read_mostly = {
+ {
+ .name = "mac",
+ .family = NFPROTO_IPV4,
+ .match = mac_mt,
+ .matchsize = sizeof(struct xt_mac_info),
+ .hooks = (1 << NF_INET_PRE_ROUTING) |
+ (1 << NF_INET_LOCAL_IN) |
+ (1 << NF_INET_FORWARD),
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "mac",
+ .family = NFPROTO_IPV6,
+ .match = mac_mt,
+ .matchsize = sizeof(struct xt_mac_info),
+ .hooks = (1 << NF_INET_PRE_ROUTING) |
+ (1 << NF_INET_LOCAL_IN) |
+ (1 << NF_INET_FORWARD),
+ .me = THIS_MODULE,
+ },
};
static int __init mac_mt_init(void)
{
- return xt_register_match(&mac_mt_reg);
+ return xt_register_matches(mac_mt_reg, ARRAY_SIZE(mac_mt_reg));
}
static void __exit mac_mt_exit(void)
{
- xt_unregister_match(&mac_mt_reg);
+ xt_unregister_matches(mac_mt_reg, ARRAY_SIZE(mac_mt_reg));
}
module_init(mac_mt_init);
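Review bot: both new mac_mt_reg[] entries drop the explicit `.revision = 0` that the removed single registration carried, while the xt_owner conversion in this same patch keeps `.revision = 1` spelled out. The field is still zero through static initialisation, so behaviour does not change, but keeping `.revision = 0,` in each entry would make the conversions read consistently and keep the revision easy to grep for.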
diff --git a/net/netfilter/xt_owner.c b/net/netfilter/xt_owner.c
index 50332888c8d23..7be2fe22b067e 100644
--- a/net/netfilter/xt_owner.c
+++ b/net/netfilter/xt_owner.c
@@ -127,26 +127,39 @@ owner_mt(const struct sk_buff *skb, struct xt_action_param *par)
return true;
}
-static struct xt_match owner_mt_reg __read_mostly = {
- .name = "owner",
- .revision = 1,
- .family = NFPROTO_UNSPEC,
- .checkentry = owner_check,
- .match = owner_mt,
- .matchsize = sizeof(struct xt_owner_match_info),
- .hooks = (1 << NF_INET_LOCAL_OUT) |
- (1 << NF_INET_POST_ROUTING),
- .me = THIS_MODULE,
+static struct xt_match owner_mt_reg[] __read_mostly = {
+ {
+ .name = "owner",
+ .revision = 1,
+ .family = NFPROTO_IPV4,
+ .checkentry = owner_check,
+ .match = owner_mt,
+ .matchsize = sizeof(struct xt_owner_match_info),
+ .hooks = (1 << NF_INET_LOCAL_OUT) |
+ (1 << NF_INET_POST_ROUTING),
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "owner",
+ .revision = 1,
+ .family = NFPROTO_IPV6,
+ .checkentry = owner_check,
+ .match = owner_mt,
+ .matchsize = sizeof(struct xt_owner_match_info),
+ .hooks = (1 << NF_INET_LOCAL_OUT) |
+ (1 << NF_INET_POST_ROUTING),
+ .me = THIS_MODULE,
+ }
};
static int __init owner_mt_init(void)
{
- return xt_register_match(&owner_mt_reg);
+ return xt_register_matches(owner_mt_reg, ARRAY_SIZE(owner_mt_reg));
}
static void __exit owner_mt_exit(void)
{
- xt_unregister_match(&owner_mt_reg);
+ xt_unregister_matches(owner_mt_reg, ARRAY_SIZE(owner_mt_reg));
}
module_init(owner_mt_init);
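Review bot: the second owner_mt_reg[] entry closes with `}` and no trailing comma, unlike the mac_mt_reg[] and physdev_mt_reg[] arrays in this patch, where every entry ends with `},`. Suggest `},` here as well, so a later entry can be appended without touching this line.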
diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c
index 343e65f377d44..130842c35c6fa 100644
--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -115,24 +115,33 @@ static int physdev_mt_check(const struct xt_mtchk_param *par)
return 0;
}
-static struct xt_match physdev_mt_reg __read_mostly = {
- .name = "physdev",
- .revision = 0,
- .family = NFPROTO_UNSPEC,
- .checkentry = physdev_mt_check,
- .match = physdev_mt,
- .matchsize = sizeof(struct xt_physdev_info),
- .me = THIS_MODULE,
+static struct xt_match physdev_mt_reg[] __read_mostly = {
+ {
+ .name = "physdev",
+ .family = NFPROTO_IPV4,
+ .checkentry = physdev_mt_check,
+ .match = physdev_mt,
+ .matchsize = sizeof(struct xt_physdev_info),
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "physdev",
+ .family = NFPROTO_IPV6,
+ .checkentry = physdev_mt_check,
+ .match = physdev_mt,
+ .matchsize = sizeof(struct xt_physdev_info),
+ .me = THIS_MODULE,
+ },
};
static int __init physdev_mt_init(void)
{
- return xt_register_match(&physdev_mt_reg);
+ return xt_register_matches(physdev_mt_reg, ARRAY_SIZE(physdev_mt_reg));
}
static void __exit physdev_mt_exit(void)
{
- xt_unregister_match(&physdev_mt_reg);
+ xt_unregister_matches(physdev_mt_reg, ARRAY_SIZE(physdev_mt_reg));
}
module_init(physdev_mt_init);
diff --git a/net/netfilter/xt_realm.c b/net/netfilter/xt_realm.c
index 6df485f4403d0..61b2f1e58d150 100644
--- a/net/netfilter/xt_realm.c
+++ b/net/netfilter/xt_realm.c
@@ -33,7 +33,7 @@ static struct xt_match realm_mt_reg __read_mostly = {
.matchsize = sizeof(struct xt_realm_info),
.hooks = (1 << NF_INET_POST_ROUTING) | (1 << NF_INET_FORWARD) |
(1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_LOCAL_IN),
- .family = NFPROTO_UNSPEC,
+ .family = NFPROTO_IPV4,
.me = THIS_MODULE
};
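Review bot: the reason `.family` becomes NFPROTO_IPV4 alone here, rather than an IPv4 plus IPv6 pair as in the other three files, is recorded only in the commit message (dst->tclassid is ipv4 specific). A one-line comment above `.family = NFPROTO_IPV4,` would keep someone from widening it again.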
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 704/969] ipvs: fix MTU check for GSO packets in tunnel mode
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (702 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 703/969] netfilter: xtables: restrict several matches to inet family Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 705/969] netfilter: nfnetlink_osf: fix out-of-bounds read on option matching Greg Kroah-Hartman
` (271 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yingnan Zhang, Julian Anastasov,
Pablo Neira Ayuso, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yingnan Zhang <342144303@qq.com>
[ Upstream commit 67bf42cae41d847fd6e5749eb68278ca5d748b25 ]
Currently, IPVS skips MTU checks for GSO packets by excluding them with
the !skb_is_gso(skb) condition. This creates problems when IPVS tunnel
mode encapsulates GSO packets with IPIP headers.
The issue manifests in two ways:
1. MTU violation after encapsulation:
When a GSO packet passes through IPVS tunnel mode, the original MTU
check is bypassed. After adding the IPIP tunnel header, the packet
size may exceed the outgoing interface MTU, leading to unexpected
fragmentation at the IP layer.
2. Fragmentation with problematic IP IDs:
When net.ipv4.vs.pmtu_disc=1 and a GSO packet with multiple segments
is fragmented after encapsulation, each segment gets a sequentially
incremented IP ID (0, 1, 2, ...). This happens because:
a) The GSO packet bypasses MTU check and gets encapsulated
b) At __ip_finish_output, the oversized GSO packet is split into
separate SKBs (one per segment), with IP IDs incrementing
c) Each SKB is then fragmented again based on the actual MTU
This sequential IP ID allocation differs from the expected behavior
and can cause issues with fragment reassembly and packet tracking.
Fix this by properly validating GSO packets using
skb_gso_validate_network_len(). This function correctly validates
whether the GSO segments will fit within the MTU after segmentation. If
validation fails, send an ICMP Fragmentation Needed message to enable
proper PMTU discovery.
Fixes: 4cdd34084d53 ("netfilter: nf_conntrack_ipv6: improve fragmentation handling")
Signed-off-by: Yingnan Zhang <342144303@qq.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/ipvs/ip_vs_xmit.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
index 038f0bbbc9f6d..9793eb8884373 100644
--- a/net/netfilter/ipvs/ip_vs_xmit.c
+++ b/net/netfilter/ipvs/ip_vs_xmit.c
@@ -103,6 +103,18 @@ __ip_vs_dst_check(struct ip_vs_dest *dest)
return dest_dst;
}
+/* Based on ip_exceeds_mtu(). */
+static bool ip_vs_exceeds_mtu(const struct sk_buff *skb, unsigned int mtu)
+{
+ if (skb->len <= mtu)
+ return false;
+
+ if (skb_is_gso(skb) && skb_gso_validate_network_len(skb, mtu))
+ return false;
+
+ return true;
+}
+
static inline bool
__mtu_check_toobig_v6(const struct sk_buff *skb, u32 mtu)
{
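Review bot: the comment on ip_vs_exceeds_mtu() says only "Based on ip_exceeds_mtu()" and does not state the return convention, which is easy to misread because skb_gso_validate_network_len() returning true makes this helper return false. Suggest documenting that the helper returns true when the packet, or for GSO the segments it will be split into, does not fit in mtu.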
@@ -112,10 +124,9 @@ __mtu_check_toobig_v6(const struct sk_buff *skb, u32 mtu)
*/
if (IP6CB(skb)->frag_max_size > mtu)
return true; /* largest fragment violate MTU */
- }
- else if (skb->len > mtu && !skb_is_gso(skb)) {
+ } else if (ip_vs_exceeds_mtu(skb, mtu))
return true; /* Packet size violate MTU size */
- }
+
return false;
}
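Review bot: in __mtu_check_toobig_v6() the rewritten `} else if (ip_vs_exceeds_mtu(skb, mtu))` branch has lost its braces while the preceding if branch still closes with `}`. Kernel coding style asks for braces on every branch once one branch needs them, so keep `{ ... }` around the `return true;`.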
@@ -233,7 +244,7 @@ static inline bool ensure_mtu_is_adequate(struct netns_ipvs *ipvs, int skb_af,
return true;
if (unlikely(ip_hdr(skb)->frag_off & htons(IP_DF) &&
- skb->len > mtu && !skb_is_gso(skb) &&
+ ip_vs_exceeds_mtu(skb, mtu) &&
!ip_vs_iph_icmp(ipvsh))) {
icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
htonl(mtu));
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 705/969] netfilter: nfnetlink_osf: fix out-of-bounds read on option matching
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (703 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 704/969] ipvs: fix MTU check for GSO packets in tunnel mode Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 706/969] netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check Greg Kroah-Hartman
` (270 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Westphal,
Fernando Fernandez Mancera, Pablo Neira Ayuso, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fernando Fernandez Mancera <fmancera@suse.de>
[ Upstream commit f5ca450087c3baf3651055e7a6de92600f827af3 ]
In nf_osf_match(), the nf_osf_hdr_ctx structure is initialized once
and passed by reference to nf_osf_match_one() for each fingerprint
checked. During TCP option parsing, nf_osf_match_one() advances the
shared ctx->optp pointer.
If a fingerprint perfectly matches, the function returns early without
restoring ctx->optp to its initial state. If the user has configured
NF_OSF_LOGLEVEL_ALL, the loop continues to the next fingerprint.
However, because ctx->optp was not restored, the next call to
nf_osf_match_one() starts parsing from the end of the options buffer.
This causes subsequent matches to read garbage data and fail
immediately, making it impossible to log more than one match or logging
incorrect matches.
Instead of using a shared ctx->optp pointer, pass the context as a
constant pointer and use a local pointer (optp) for TCP option
traversal. This makes nf_osf_match_one() strictly stateless from the
caller's perspective, ensuring every fingerprint check starts at the
correct option offset.
Fixes: 1a6a0951fc00 ("netfilter: nfnetlink_osf: add missing fmatch check")
Suggested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nfnetlink_osf.c | 19 ++++++++-----------
1 file changed, 8 insertions(+), 11 deletions(-)
diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
index 000a5c280ef96..2207bda442d54 100644
--- a/net/netfilter/nfnetlink_osf.c
+++ b/net/netfilter/nfnetlink_osf.c
@@ -64,9 +64,9 @@ struct nf_osf_hdr_ctx {
static bool nf_osf_match_one(const struct sk_buff *skb,
const struct nf_osf_user_finger *f,
int ttl_check,
- struct nf_osf_hdr_ctx *ctx)
+ const struct nf_osf_hdr_ctx *ctx)
{
- const __u8 *optpinit = ctx->optp;
+ const __u8 *optp = ctx->optp;
unsigned int check_WSS = 0;
int fmatch = FMATCH_WRONG;
int foptsize, optnum;
@@ -95,17 +95,17 @@ static bool nf_osf_match_one(const struct sk_buff *skb,
check_WSS = f->wss.wc;
for (optnum = 0; optnum < f->opt_num; ++optnum) {
- if (f->opt[optnum].kind == *ctx->optp) {
+ if (f->opt[optnum].kind == *optp) {
__u32 len = f->opt[optnum].length;
- const __u8 *optend = ctx->optp + len;
+ const __u8 *optend = optp + len;
fmatch = FMATCH_OK;
- switch (*ctx->optp) {
+ switch (*optp) {
case OSFOPT_MSS:
- mss = ctx->optp[3];
+ mss = optp[3];
mss <<= 8;
- mss |= ctx->optp[2];
+ mss |= optp[2];
mss = ntohs((__force __be16)mss);
break;
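Review bot: `optend = optp + len` takes its length from the fingerprint (`f->opt[optnum].length`), and the OSFOPT_MSS case reads `optp[2]` and `optp[3]`, yet nothing in this hunk compares optp or optend against the end of the packet's option bytes. The subject calls this an out-of-bounds read fix while the description covers only the stale shared cursor; if the local cursor is the whole fix, the changelog should say that the over-read came from the unreset ctx->optp, otherwise an explicit bound on optp belongs in this loop.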
@@ -113,7 +113,7 @@ static bool nf_osf_match_one(const struct sk_buff *skb,
break;
}
- ctx->optp = optend;
+ optp = optend;
} else
fmatch = FMATCH_OPT_WRONG;
@@ -156,9 +156,6 @@ static bool nf_osf_match_one(const struct sk_buff *skb,
}
}
- if (fmatch != FMATCH_OK)
- ctx->optp = optpinit;
-
return fmatch == FMATCH_OK;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 706/969] netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (704 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 705/969] netfilter: nfnetlink_osf: fix out-of-bounds read on option matching Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 707/969] slip: reject VJ receive packets on instances with no rstate array Greg Kroah-Hartman
` (269 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kito Xu (veritas501),
Fernando Fernandez Mancera, Pablo Neira Ayuso, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fernando Fernandez Mancera <fmancera@suse.de>
[ Upstream commit 711987ba281fd806322a7cd244e98e2a81903114 ]
The nf_osf_ttl() function accessed skb->dev to perform a local interface
address lookup without verifying that the device pointer was valid.
Additionally, the implementation utilized an in_dev_for_each_ifa_rcu
loop to match the packet source address against local interface
addresses. It assumed that packets from the same subnet should not see a
decrement on the initial TTL. A packet might appear to be from the same
subnet but it actually isn't, especially in modern environments with
containers and virtual switching.
Remove the device dereference and interface loop. Replace the logic with
a switch statement that evaluates the TTL according to the ttl_check.
Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match")
Reported-by: Kito Xu (veritas501) <hxzene@gmail.com>
Closes: https://lore.kernel.org/netfilter-devel/20260414074556.2512750-1-hxzene@gmail.com/
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nfnetlink_osf.c | 22 +++++++---------------
1 file changed, 7 insertions(+), 15 deletions(-)
diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
index 2207bda442d54..6d3dfbeb398cb 100644
--- a/net/netfilter/nfnetlink_osf.c
+++ b/net/netfilter/nfnetlink_osf.c
@@ -31,26 +31,18 @@ EXPORT_SYMBOL_GPL(nf_osf_fingers);
static inline int nf_osf_ttl(const struct sk_buff *skb,
int ttl_check, unsigned char f_ttl)
{
- struct in_device *in_dev = __in_dev_get_rcu(skb->dev);
const struct iphdr *ip = ip_hdr(skb);
- const struct in_ifaddr *ifa;
- int ret = 0;
- if (ttl_check == NF_OSF_TTL_TRUE)
+ switch (ttl_check) {
+ case NF_OSF_TTL_TRUE:
return ip->ttl == f_ttl;
- if (ttl_check == NF_OSF_TTL_NOCHECK)
- return 1;
- else if (ip->ttl <= f_ttl)
+ break;
+ case NF_OSF_TTL_NOCHECK:
return 1;
-
- in_dev_for_each_ifa_rcu(ifa, in_dev) {
- if (inet_ifa_match(ip->saddr, ifa)) {
- ret = (ip->ttl == f_ttl);
- break;
- }
+ case NF_OSF_TTL_LESS:
+ default:
+ return ip->ttl <= f_ttl;
}
-
- return ret;
}
struct nf_osf_hdr_ctx {
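Review bot: the `break;` after `return ip->ttl == f_ttl;` in the NF_OSF_TTL_TRUE case is unreachable and can be dropped. It is also worth stating in the changelog that results do not change: the removed in_dev_for_each_ifa_rcu() loop was only reached with ip->ttl > f_ttl, where `ret = (ip->ttl == f_ttl)` is always 0, which is what `return ip->ttl <= f_ttl;` now returns for that case.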
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 707/969] slip: reject VJ receive packets on instances with no rstate array
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (705 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 706/969] netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 708/969] slip: bound decode() reads against the compressed packet length Greg Kroah-Hartman
` (268 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi, Simon Horman,
Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Weiming Shi <bestswngs@gmail.com>
[ Upstream commit e76607442d5b73e1ba6768f501ef815bb58c2c0e ]
slhc_init() accepts rslots == 0 as a valid configuration, with the
documented meaning of 'no receive compression'. In that case the
allocation loop in slhc_init() is skipped, so comp->rstate stays
NULL and comp->rslot_limit stays 0 (from the kzalloc of struct
slcompress).
The receive helpers do not defend against that configuration.
slhc_uncompress() dereferences comp->rstate[x] when the VJ header
carries an explicit connection ID, and slhc_remember() later assigns
cs = &comp->rstate[...] after only comparing the packet's slot number
to comp->rslot_limit. Because rslot_limit is 0, slot 0 passes the
range check, and the code dereferences a NULL rstate.
The configuration is reachable in-tree through PPP. PPPIOCSMAXCID
stores its argument in a signed int, and (val >> 16) uses arithmetic
shift. Passing 0xffff0000 therefore sign-extends to -1, so val2 + 1
is 0 and ppp_generic.c ends up calling slhc_init(0, 1). Because
/dev/ppp open is gated by ns_capable(CAP_NET_ADMIN), the whole path
is reachable from an unprivileged user namespace. Once the malformed
VJ state is installed, any inbound VJ-compressed or VJ-uncompressed
frame that selects slot 0 crashes the kernel in softirq context:
Oops: general protection fault, probably for non-canonical
address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:slhc_uncompress (drivers/net/slip/slhc.c:519)
Call Trace:
<TASK>
ppp_receive_nonmp_frame (drivers/net/ppp/ppp_generic.c:2466)
ppp_input (drivers/net/ppp/ppp_generic.c:2359)
ppp_async_process (drivers/net/ppp/ppp_async.c:492)
tasklet_action_common (kernel/softirq.c:926)
handle_softirqs (kernel/softirq.c:623)
run_ksoftirqd (kernel/softirq.c:1055)
smpboot_thread_fn (kernel/smpboot.c:160)
kthread (kernel/kthread.c:436)
ret_from_fork (arch/x86/kernel/process.c:164)
</TASK>
Reject the receive side on such instances instead of touching rstate.
slhc_uncompress() falls through to its existing 'bad' label, which
bumps sls_i_error and enters the toss state. slhc_remember() mirrors
that with an explicit sls_i_error increment followed by slhc_toss();
the sls_i_runt counter is not used here because a missing rstate is
an internal configuration state, not a runt packet.
The transmit path is unaffected: the only in-tree caller that picks
rslots from userspace (ppp_generic.c) still supplies tslots >= 1, and
slip.c always calls slhc_init(16, 16), so comp->tstate remains valid
and slhc_compress() continues to work.
Fixes: 4ab42d78e37a ("ppp, slip: Validate VJ compression slot parameters completely")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260415204130.258866-2-bestswngs@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/slip/slhc.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c
index bf9e801cc61cc..3474792a37a67 100644
--- a/drivers/net/slip/slhc.c
+++ b/drivers/net/slip/slhc.c
@@ -506,6 +506,8 @@ slhc_uncompress(struct slcompress *comp, unsigned char *icp, int isize)
comp->sls_i_error++;
return 0;
}
+ if (!comp->rstate)
+ goto bad;
changes = *cp++;
if(changes & NEW_C){
/* Make sure the state index is in range, then grab the state.
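Review bot: the new `if (!comp->rstate) goto bad;` in slhc_uncompress() carries no comment, and the reason rstate can legitimately be NULL (slhc_init() called with rslots == 0) is recorded only in the commit message. Suggest a short comment at this check, and at the matching test in slhc_remember(), so the guard is not later removed as dead code.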
@@ -649,6 +651,10 @@ slhc_remember(struct slcompress *comp, unsigned char *icp, int isize)
struct cstate *cs;
unsigned int ihl;
+ if (!comp->rstate) {
+ comp->sls_i_error++;
+ return slhc_toss(comp);
+ }
/* The packet is shorter than a legal IP header.
* Also make sure isize is positive.
*/
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 708/969] slip: bound decode() reads against the compressed packet length
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (706 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 707/969] slip: reject VJ receive packets on instances with no rstate array Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 709/969] arm64: dts: meson-gxl-p230: fix ethernet PHY interrupt number Greg Kroah-Hartman
` (267 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Simon Horman, Weiming Shi,
Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Weiming Shi <bestswngs@gmail.com>
[ Upstream commit 4c1367a2d7aad643a6f87c6931b13cc1a25e8ca7 ]
slhc_uncompress() parses a VJ-compressed TCP header by advancing a
pointer through the packet via decode() and pull16(). Neither helper
bounds-checks against isize, and decode() masks its return with
& 0xffff so it can never return the -1 that callers test for -- those
error paths are dead code.
A short compressed frame whose change byte requests optional fields
lets decode() read past the end of the packet. The over-read bytes
are folded into the cached cstate and reflected into subsequent
reconstructed packets.
Make decode() and pull16() take the packet end pointer and return -1
when exhausted. Add a bounds check before the TCP-checksum read.
The existing == -1 tests now do what they were always meant to.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Simon Horman <horms@kernel.org>
Closes: https://lore.kernel.org/netdev/20260414134126.758795-2-horms@kernel.org/
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260416100147.531855-5-bestswngs@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/slip/slhc.c | 43 ++++++++++++++++++++++++-----------------
1 file changed, 25 insertions(+), 18 deletions(-)
diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c
index 3474792a37a67..ef586ab250747 100644
--- a/drivers/net/slip/slhc.c
+++ b/drivers/net/slip/slhc.c
@@ -80,9 +80,9 @@
#include <asm/unaligned.h>
static unsigned char *encode(unsigned char *cp, unsigned short n);
-static long decode(unsigned char **cpp);
+static long decode(unsigned char **cpp, const unsigned char *end);
static unsigned char * put16(unsigned char *cp, unsigned short x);
-static unsigned short pull16(unsigned char **cpp);
+static long pull16(unsigned char **cpp, const unsigned char *end);
/* Allocate compression data structure
* slots must be in range 0 to 255 (zero meaning no compression)
@@ -190,30 +190,34 @@ encode(unsigned char *cp, unsigned short n)
return cp;
}
-/* Pull a 16-bit integer in host order from buffer in network byte order */
-static unsigned short
-pull16(unsigned char **cpp)
+/* Pull a 16-bit integer in host order from buffer in network byte order.
+ * Returns -1 if the buffer is exhausted, otherwise the 16-bit value.
+ */
+static long
+pull16(unsigned char **cpp, const unsigned char *end)
{
- short rval;
+ long rval;
+ if (*cpp + 2 > end)
+ return -1;
rval = *(*cpp)++;
rval <<= 8;
rval |= *(*cpp)++;
return rval;
}
-/* Decode a number */
+/* Decode a number. Returns -1 if the buffer is exhausted. */
static long
-decode(unsigned char **cpp)
+decode(unsigned char **cpp, const unsigned char *end)
{
int x;
+ if (*cpp >= end)
+ return -1;
x = *(*cpp)++;
- if(x == 0){
- return pull16(cpp) & 0xffff; /* pull16 returns -1 on error */
- } else {
- return x & 0xff; /* -1 if PULLCHAR returned error */
- }
+ if (x == 0)
+ return pull16(cpp, end);
+ return x & 0xff;
}
/*
@@ -499,6 +503,7 @@ slhc_uncompress(struct slcompress *comp, unsigned char *icp, int isize)
struct cstate *cs;
int len, hdrlen;
unsigned char *cp = icp;
+ const unsigned char *end = icp + isize;
/* We've got a compressed packet; read the change byte */
comp->sls_i_compressed++;
@@ -536,6 +541,8 @@ slhc_uncompress(struct slcompress *comp, unsigned char *icp, int isize)
thp = &cs->cs_tcp;
ip = &cs->cs_ip;
+ if (cp + 2 > end)
+ goto bad;
thp->check = *(__sum16 *)cp;
cp += 2;
@@ -566,26 +573,26 @@ slhc_uncompress(struct slcompress *comp, unsigned char *icp, int isize)
default:
if(changes & NEW_U){
thp->urg = 1;
- if((x = decode(&cp)) == -1) {
+ if((x = decode(&cp, end)) == -1) {
goto bad;
}
thp->urg_ptr = htons(x);
} else
thp->urg = 0;
if(changes & NEW_W){
- if((x = decode(&cp)) == -1) {
+ if((x = decode(&cp, end)) == -1) {
goto bad;
}
thp->window = htons( ntohs(thp->window) + x);
}
if(changes & NEW_A){
- if((x = decode(&cp)) == -1) {
+ if((x = decode(&cp, end)) == -1) {
goto bad;
}
thp->ack_seq = htonl( ntohl(thp->ack_seq) + x);
}
if(changes & NEW_S){
- if((x = decode(&cp)) == -1) {
+ if((x = decode(&cp, end)) == -1) {
goto bad;
}
thp->seq = htonl( ntohl(thp->seq) + x);
@@ -593,7 +600,7 @@ slhc_uncompress(struct slcompress *comp, unsigned char *icp, int isize)
break;
}
if(changes & NEW_I){
- if((x = decode(&cp)) == -1) {
+ if((x = decode(&cp, end)) == -1) {
goto bad;
}
ip->id = htons (ntohs (ip->id) + x);
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
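The bounded decode described in the commit message above, as an added user-space example that is not code from the patch or the kernel tree. The names parse_frame(), decode_bounded(), pull16_bounded() and masked_result() are hypothetical, the change-bit values are taken from RFC 1144 as an assumption, and the connection-id and SPECIAL_I/SPECIAL_D cases are left out.

```c
#include <stddef.h>
#include <stdio.h>

/* Change-byte bits; values assumed from RFC 1144, the page shows only the names. */
#define NEW_I 0x20
#define NEW_S 0x08
#define NEW_A 0x04
#define NEW_W 0x02
#define NEW_U 0x01

/* What the pre-fix decode() did to its result: a -1 is folded into 0xffff,
 * so a caller testing for -1 can never see it. */
static long masked_result(long v)
{
	return v & 0xffff;
}

/* 16-bit big-endian read; -1 when fewer than two bytes remain. */
static long pull16_bounded(const unsigned char **cpp, const unsigned char *end)
{
	long rval;

	if (end - *cpp < 2)	/* remaining-length form of the bound */
		return -1;
	rval = *(*cpp)++;
	rval <<= 8;
	rval |= *(*cpp)++;
	return rval;
}

/* One-byte value, or 0x00 followed by a 16-bit value; -1 when exhausted.
 * Returning long keeps the legal value 0xffff distinct from the error. */
static long decode_bounded(const unsigned char **cpp, const unsigned char *end)
{
	int x;

	if (*cpp >= end)
		return -1;
	x = *(*cpp)++;
	if (x == 0)
		return pull16_bounded(cpp, end);
	return x & 0xff;
}

/* Simplified frame: change byte, 2-byte TCP checksum, then one delta per
 * set bit in the order U, W, A, S, I. Returns the number of deltas decoded,
 * or -1 if the frame ends before a requested field. */
static int parse_frame(const unsigned char *frame, size_t len, long deltas[5])
{
	static const unsigned char order[5] = { NEW_U, NEW_W, NEW_A, NEW_S, NEW_I };
	const unsigned char *cp = frame;
	const unsigned char *end = frame + len;
	unsigned char changes;
	int i, n = 0;

	if (len < 3)		/* change byte + checksum */
		return -1;
	changes = *cp++;
	cp += 2;		/* skip the checksum */
	for (i = 0; i < 5; i++) {
		long x;

		if (!(changes & order[i]))
			continue;
		x = decode_bounded(&cp, end);
		if (x == -1)
			return -1;
		deltas[n++] = x;
	}
	return n;
}

/* Constructed sample frames, not captured traffic. */
static const unsigned char frame_ok[]   = { NEW_W | NEW_A, 0x12, 0x34, 0x05, 0x00, 0x01, 0x00 };
static const unsigned char frame_cut[]  = { NEW_W | NEW_A, 0x12, 0x34, 0x05, 0x00, 0x01 };
static const unsigned char frame_bare[] = { NEW_U, 0x12, 0x34 };
static const unsigned char frame_max[]  = { NEW_W, 0x12, 0x34, 0x00, 0xff, 0xff };

int main(void)
{
	long d[5];

	printf("masked -1      -> %ld\n", masked_result(-1));
	printf("complete frame -> %d\n", parse_frame(frame_ok, sizeof(frame_ok), d));
	printf("cut mid-field  -> %d\n", parse_frame(frame_cut, sizeof(frame_cut), d));
	printf("no field bytes -> %d\n", parse_frame(frame_bare, sizeof(frame_bare), d));
	printf("delta 0xffff   -> %d\n", parse_frame(frame_max, sizeof(frame_max), d));
	return 0;
}
```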
* [PATCH 6.1 709/969] arm64: dts: meson-gxl-p230: fix ethernet PHY interrupt number
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (707 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 708/969] slip: bound decode() reads against the compressed packet length Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 710/969] ksmbd: destroy tree_conn_ida in ksmbd_session_destroy() Greg Kroah-Hartman
` (266 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jun Yan, Martin Blumenstingl,
Neil Armstrong, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jun Yan <jerrysteve1101@gmail.com>
[ Upstream commit 174a0ef3b33434f475c87e66f37980e39b73805a ]
Correct the interrupt number assigned to the Realtek PHY in the p230
following the same logic as commit 3106507e1004 ("ARM64: dts: meson-gxm:
fix q200 interrupt number"), as reported in [PATCH 0/2] Ethernet PHY
interrupt improvements [1].
[1] https://lore.kernel.org/all/20171202214037.17017-1-martin.blumenstingl@googlemail.com/
Fixes: b94d22d94ad2 ("ARM64: dts: meson-gx: add external PHY interrupt on some platforms")
Signed-off-by: Jun Yan <jerrysteve1101@gmail.com>
Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Link: https://patch.msgid.link/20260330145111.115318-1-jerrysteve1101@gmail.com
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/amlogic/meson-gxl-s905d-p230.dts | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/amlogic/meson-gxl-s905d-p230.dts b/arch/arm64/boot/dts/amlogic/meson-gxl-s905d-p230.dts
index c1470416faade..36e97ed585ae7 100644
--- a/arch/arm64/boot/dts/amlogic/meson-gxl-s905d-p230.dts
+++ b/arch/arm64/boot/dts/amlogic/meson-gxl-s905d-p230.dts
@@ -84,7 +84,8 @@ external_phy: ethernet-phy@0 {
reset-gpios = <&gpio GPIOZ_14 GPIO_ACTIVE_LOW>;
interrupt-parent = <&gpio_intc>;
- interrupts = <29 IRQ_TYPE_LEVEL_LOW>;
+ /* MAC_INTR on GPIOZ_15 */
+ interrupts = <25 IRQ_TYPE_LEVEL_LOW>;
eee-broken-1000t;
};
};
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 710/969] ksmbd: destroy tree_conn_ida in ksmbd_session_destroy()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (708 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 709/969] arm64: dts: meson-gxl-p230: fix ethernet PHY interrupt number Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 711/969] ksmbd: scope conn->binding slowpath to bound sessions only Greg Kroah-Hartman
` (265 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, DaeMyung Kang, Namjae Jeon,
Steve French, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: DaeMyung Kang <charsyam@gmail.com>
[ Upstream commit c049ee14eb4343b69b6f7755563f961f5e153423 ]
When per-session tree_conn_ida was converted from a dynamically
allocated ksmbd_ida to an embedded struct ida, ksmbd_ida_free() was
removed from ksmbd_session_destroy() but no matching ida_destroy()
was added. The session is therefore freed with the IDA's backing
xarray still intact.
The kernel IDA API expects ida_init() and ida_destroy() to be paired
over an object's lifetime, so add the missing cleanup before the
enclosing session is freed.
Also move ida_init() to right after the session is allocated so that
it is always paired with the destroy call even on the early error
paths of __session_create() (ksmbd_init_file_table() or
__init_smb2_session() failures), both of which jump to the error
label and invoke ksmbd_session_destroy() on a partially initialised
session.
No leak has been observed in testing; this is a pairing fix to match
the IDA lifetime rules, not a response to a reproduced regression.
Fixes: d40012a83f87 ("cifsd: declare ida statically")
Signed-off-by: DaeMyung Kang <charsyam@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/server/mgmt/user_session.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/fs/smb/server/mgmt/user_session.c b/fs/smb/server/mgmt/user_session.c
index 1b5ac28d7e66c..f7ba243c854e2 100644
--- a/fs/smb/server/mgmt/user_session.c
+++ b/fs/smb/server/mgmt/user_session.c
@@ -168,6 +168,7 @@ void ksmbd_session_destroy(struct ksmbd_session *sess)
free_channel_list(sess);
kfree(sess->Preauth_HashValue);
ksmbd_release_id(&session_ida, sess->id);
+ ida_destroy(&sess->tree_conn_ida);
kfree(sess);
}
@@ -404,6 +405,8 @@ static struct ksmbd_session *__session_create(int protocol)
if (!sess)
return NULL;
+ ida_init(&sess->tree_conn_ida);
+
if (ksmbd_init_file_table(&sess->file_table))
goto error;
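Review bot: the relocated `ida_init(&sess->tree_conn_ida);` in __session_create() now has to stay ahead of the first `goto error`, because ksmbd_session_destroy() calls ida_destroy() unconditionally, and nothing at the call site says so. A one-line comment above ida_init() noting that the error path runs ksmbd_session_destroy() would keep a later reshuffle from reintroducing the unpaired destroy.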
@@ -422,8 +425,6 @@ static struct ksmbd_session *__session_create(int protocol)
if (ret)
goto error;
- ida_init(&sess->tree_conn_ida);
-
down_write(&sessions_table_lock);
hash_add(sessions_table, &sess->hlist, sess->id);
up_write(&sessions_table_lock);
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 711/969] ksmbd: scope conn->binding slowpath to bound sessions only
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (709 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 710/969] ksmbd: destroy tree_conn_ida in ksmbd_session_destroy() Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 712/969] net/rds: zero per-item info buffer before handing it to visitors Greg Kroah-Hartman
` (264 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hyunwoo Kim, Namjae Jeon,
Steve French, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hyunwoo Kim <imv4bel@gmail.com>
[ Upstream commit b0da97c034b6107d14e537e212d4ce8b22109a58 ]
When the binding SESSION_SETUP sets conn->binding = true, the flag stays
set after the call so that the global session lookup in
ksmbd_session_lookup_all() can find the session, which was not added to
conn->sessions. Because the flag is connection-wide, the global lookup
path will also resolve any other session by id if asked.
Tighten the global lookup so that the returned session must have this
connection registered in its channel xarray (sess->ksmbd_chann_list).
The channel entry is installed by the existing binding_session path in
ntlm_authenticate()/krb5_authenticate() when a SESSION_SETUP completes
successfully, so this condition is a strict equivalent of "this
connection has been accepted as a channel of this session". Connections
that have not bound to a given session cannot reach it via the global
table.
The existing conn->binding gate for entering the slowpath is preserved
so that non-binding connections keep the fast-path-only behavior, and
the session->state check is unchanged.
Fixes: f5a544e3bab7 ("ksmbd: add support for SMB3 multichannel")
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/server/mgmt/user_session.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/fs/smb/server/mgmt/user_session.c b/fs/smb/server/mgmt/user_session.c
index f7ba243c854e2..08eeca8ab0042 100644
--- a/fs/smb/server/mgmt/user_session.c
+++ b/fs/smb/server/mgmt/user_session.c
@@ -323,8 +323,13 @@ struct ksmbd_session *ksmbd_session_lookup_all(struct ksmbd_conn *conn,
struct ksmbd_session *sess;
sess = ksmbd_session_lookup(conn, id);
- if (!sess && conn->binding)
+ if (!sess && conn->binding) {
sess = ksmbd_session_lookup_slowpath(id);
+ if (sess && !xa_load(&sess->ksmbd_chann_list, (long)conn)) {
+ ksmbd_user_session_put(sess);
+ sess = NULL;
+ }
+ }
if (sess && sess->state != SMB2_SESSION_VALID) {
ksmbd_user_session_put(sess);
sess = NULL;
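Review bot: the new rejection branch after ksmbd_session_lookup_slowpath(id) drops the reference and returns NULL without a trace, so a connection in binding state asking for a session it holds no channel on is indistinguishable from an ordinary lookup miss. A ksmbd_debug() line in that branch would make the event visible during triage. Separately, xa_load() takes an unsigned long index, so (unsigned long)conn would match the prototype better than (long)conn; the value is the same either way.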
--
2.53.0
* [PATCH 6.1 712/969] net/rds: zero per-item info buffer before handing it to visitors
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (710 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 711/969] ksmbd: scope conn->binding slowpath to bound sessions only Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 713/969] net_sched: sch_hhf: annotate data-races in hhf_dump_stats() Greg Kroah-Hartman
` (263 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Bommarito,
Sharath Srinivasan, Allison Henderson, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
[ Upstream commit c88eb7e8d8397a8c1db59c425332c5a30b2a1682 ]
rds_for_each_conn_info() and rds_walk_conn_path_info() both hand a
caller-allocated on-stack u64 buffer to a per-connection visitor and
then copy the full item_len bytes back to user space via
rds_info_copy() regardless of how much of the buffer the visitor
actually wrote.
rds_ib_conn_info_visitor() and rds6_ib_conn_info_visitor() only
write a subset of their output struct when the underlying
rds_connection is not in state RDS_CONN_UP (src/dst addr, tos, sl
and the two GIDs via explicit memsets). Several u32 fields
(max_send_wr, max_recv_wr, max_send_sge, rdma_mr_max, rdma_mr_size,
cache_allocs) and the 2-byte alignment hole between sl and
cache_allocs remain as whatever stack contents preceded the visitor
call and are then memcpy_to_user()'d out to user space.
struct rds_info_rdma_connection and struct rds6_info_rdma_connection
are the only rds_info_* structs in include/uapi/linux/rds.h that are
not marked __attribute__((packed)), so they have a real alignment
hole. The other info visitors (rds_conn_info_visitor,
rds6_conn_info_visitor, rds_tcp_tc_info, ...) write all fields of
their packed output struct today and are not known to be vulnerable,
but a future visitor that adds a conditional write-path would have
the same bug.
Reproduction on a kernel built without CONFIG_INIT_STACK_ALL_ZERO=y:
a local unprivileged user opens AF_RDS, sets SO_RDS_TRANSPORT=IB,
binds to a local address on an RDMA-capable netdev (rxe soft-RoCE on
any netdev is sufficient), sendto()'s any peer on the same subnet
(fails cleanly but installs an rds_connection in the global hash in
RDS_CONN_CONNECTING), then calls getsockopt(SOL_RDS,
RDS_INFO_IB_CONNECTIONS). The returned 68-byte item contains 26
bytes of stack garbage including kernel text/data pointers:
0..7 0a 63 00 01 0a 63 00 02 src=10.99.0.1 dst=10.99.0.2
8..39 00 ... gids (memset-zeroed)
40..47 e0 92 a3 81 ff ff ff ff kernel pointer (max_send_wr)
48..55 7f 37 b5 81 ff ff ff ff kernel pointer (rdma_mr_max)
56..59 01 00 08 00 rdma_mr_size (garbage)
60..61 00 00 tos, sl
62..63 00 00 alignment padding
64..67 18 00 00 00 cache_allocs (garbage)
Fix by zeroing the per-item buffer in both rds_for_each_conn_info()
and rds_walk_conn_path_info() before invoking the visitor. This
covers the IPv4/IPv6 IB visitors and hardens all current and future
visitors against the same class of bug.
No functional change for visitors that fully populate their output.
Changes in v2:
- retarget at the net tree (subject prefix "[PATCH net v2]",
net/rds: prefix in the title)
- pick up Reviewed-by tags from Sharath Srinivasan and
Allison Henderson
Fixes: ec16227e1414 ("RDS/IB: Infiniband transport")
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Reviewed-by: Sharath Srinivasan <sharath.srinivasan@oracle.com>
Reviewed-by: Allison Henderson <achender@kernel.org>
Assisted-by: Claude:claude-opus-4-7
Link: https://patch.msgid.link/20260418141047.3398203-1-michael.bommarito@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/rds/connection.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/net/rds/connection.c b/net/rds/connection.c
index 98c0d5ff9de9c..cd41f83863c89 100644
--- a/net/rds/connection.c
+++ b/net/rds/connection.c
@@ -673,6 +673,13 @@ void rds_for_each_conn_info(struct socket *sock, unsigned int len,
i++, head++) {
hlist_for_each_entry_rcu(conn, head, c_hash_node) {
+ /* Zero the per-item buffer before handing it to the
+ * visitor so any field the visitor does not write -
+ * including implicit alignment padding - cannot leak
+ * stack contents to user space via rds_info_copy().
+ */
+ memset(buffer, 0, item_len);
+
/* XXX no c_lock usage.. */
if (!visitor(conn, buffer))
continue;
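Review bot: memset(buffer, 0, item_len) turns item_len into a write length, where before this hunk it was only the read length for the copy-out, and nothing in the visible context bounds it against the caller's on-stack buffer. An item_len larger than that buffer used to be an over-read and would now overwrite the caller's stack. If rds_for_each_conn_info() has no such check earlier on, a WARN_ON_ONCE() guard or an explicit buffer-size argument would close that.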
@@ -722,6 +729,13 @@ static void rds_walk_conn_path_info(struct socket *sock, unsigned int len,
*/
cp = conn->c_path;
+ /* Zero the per-item buffer for the same reason as
+ * rds_for_each_conn_info(): any byte the visitor
+ * does not write (including alignment padding) must
+ * not leak stack contents via rds_info_copy().
+ */
+ memset(buffer, 0, item_len);
+
/* XXX no cp_lock usage.. */
if (!visitor(cp, buffer))
continue;
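Review bot: the zeroing now lives in each walker rather than in one place, so the "future visitors" hardening claimed in the commit message holds only for visitors reached through rds_for_each_conn_info() or rds_walk_conn_path_info(). A third walker that hands a stack buffer to a visitor would have to repeat the memset and the comment. Folding the memset plus the visitor call into a small shared helper would make the guarantee structural instead of a convention.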
--
2.53.0
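The leak described in the commit message above, modelled in user space as an added example (not code from the patch or from the kernel). `demo_rdma_info` is a stand-in struct whose field order is an assumption chosen to match the 68-byte item and 26 stale bytes the message reports, `POISON` stands in for leftover stack contents, and `stale_bytes()` counts how many poison bytes reach the copy-out with and without the memset.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GID_LEN 16
#define POISON  0xAA	/* constructed stand-in for stale stack contents */

/* Stand-in for the non-packed IB info struct. Field order is assumed;
 * it reproduces the 68-byte layout with a 2-byte hole after 'sl'. */
struct demo_rdma_info {
	uint32_t src_addr;
	uint32_t dst_addr;
	uint8_t  src_gid[GID_LEN];
	uint8_t  dst_gid[GID_LEN];
	uint32_t max_send_wr;
	uint32_t max_recv_wr;
	uint32_t max_send_sge;
	uint32_t rdma_mr_max;
	uint32_t rdma_mr_size;
	uint8_t  tos;
	uint8_t  sl;
	/* implicit 2-byte alignment hole here */
	uint32_t cache_allocs;
};

/* The walkers pass a u64 array; the union keeps the struct access valid C. */
union item_buf {
	uint64_t words[(sizeof(struct demo_rdma_info) + 7) / 8];
	struct demo_rdma_info info;
};

/* Visitor with the conditional write path the commit message describes:
 * addresses, GIDs, tos and sl always; everything else only when "up". */
static int demo_visitor(int conn_up, void *buffer)
{
	static const uint8_t src[4] = { 10, 99, 0, 1 };
	static const uint8_t dst[4] = { 10, 99, 0, 2 };
	struct demo_rdma_info *info = buffer;

	memcpy(&info->src_addr, src, sizeof(src));
	memcpy(&info->dst_addr, dst, sizeof(dst));
	memset(info->src_gid, 0, GID_LEN);
	memset(info->dst_gid, 0, GID_LEN);
	info->tos = 0;
	info->sl = 0;

	if (conn_up) {		/* constructed sample values */
		info->max_send_wr = 64;
		info->max_recv_wr = 64;
		info->max_send_sge = 32;
		info->rdma_mr_max = 1024;
		info->rdma_mr_size = 4096;
		info->cache_allocs = 7;
	}
	return 1;
}

/* One iteration of the walker: returns how many bytes of the copied-out
 * item still hold whatever the buffer contained before the visitor ran. */
size_t stale_bytes(int conn_up, int zero_first)
{
	const size_t item_len = sizeof(struct demo_rdma_info);
	uint8_t out[sizeof(struct demo_rdma_info)];
	union item_buf buf;
	size_t i, stale = 0;

	memset(&buf, POISON, sizeof(buf));	/* previous stack contents */
	if (zero_first)
		memset(&buf, 0, item_len);	/* the fix from the patch */

	if (!demo_visitor(conn_up, &buf))
		return 0;

	memcpy(out, &buf, item_len);		/* stands in for rds_info_copy() */
	for (i = 0; i < item_len; i++)
		stale += (out[i] == POISON);
	return stale;
}

int main(void)
{
	printf("item_len                 = %zu\n", sizeof(struct demo_rdma_info));
	printf("not up, no memset        = %zu stale bytes\n", stale_bytes(0, 0));
	printf("up,     no memset        = %zu stale bytes (padding)\n", stale_bytes(1, 0));
	printf("not up, memset first     = %zu stale bytes\n", stale_bytes(0, 1));
	printf("up,     memset first     = %zu stale bytes\n", stale_bytes(1, 1));
	return 0;
}
```

The "up, no memset" row shows why zeroing in the walker is the more robust place for the fix: even a visitor that writes every field leaves the alignment hole untouched.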
* [PATCH 6.1 713/969] net_sched: sch_hhf: annotate data-races in hhf_dump_stats()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (711 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 712/969] net/rds: zero per-item info buffer before handing it to visitors Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 714/969] net/sched: sch_pie: annotate data-races in pie_dump_stats() Greg Kroah-Hartman
` (262 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jamal Hadi Salim,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit a6edf2cd4156b71e07258876b7626692e158f7e8 ]
hhf_dump_stats() only runs with RTNL held,
reading fields that can be changed in qdisc fast path.
Add READ_ONCE()/WRITE_ONCE() annotations.
Fixes: edb09eb17ed8 ("net: sched: do not acquire qdisc spinlock in qdisc/class stats dump")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260421143349.4052215-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_hhf.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/net/sched/sch_hhf.c b/net/sched/sch_hhf.c
index 83fc44f20e31c..67b555c02f2c0 100644
--- a/net/sched/sch_hhf.c
+++ b/net/sched/sch_hhf.c
@@ -198,7 +198,8 @@ static struct hh_flow_state *seek_list(const u32 hash,
return NULL;
list_del(&flow->flowchain);
kfree(flow);
- q->hh_flows_current_cnt--;
+ WRITE_ONCE(q->hh_flows_current_cnt,
+ q->hh_flows_current_cnt - 1);
} else if (flow->hash_id == hash) {
return flow;
}
@@ -226,7 +227,7 @@ static struct hh_flow_state *alloc_new_hh(struct list_head *head,
}
if (q->hh_flows_current_cnt >= q->hh_flows_limit) {
- q->hh_flows_overlimit++;
+ WRITE_ONCE(q->hh_flows_overlimit, q->hh_flows_overlimit + 1);
return NULL;
}
/* Create new entry. */
@@ -234,7 +235,7 @@ static struct hh_flow_state *alloc_new_hh(struct list_head *head,
if (!flow)
return NULL;
- q->hh_flows_current_cnt++;
+ WRITE_ONCE(q->hh_flows_current_cnt, q->hh_flows_current_cnt + 1);
INIT_LIST_HEAD(&flow->flowchain);
list_add_tail(&flow->flowchain, head);
@@ -309,7 +310,7 @@ static enum wdrr_bucket_idx hhf_classify(struct sk_buff *skb, struct Qdisc *sch)
return WDRR_BUCKET_FOR_NON_HH;
flow->hash_id = hash;
flow->hit_timestamp = now;
- q->hh_flows_total_cnt++;
+ WRITE_ONCE(q->hh_flows_total_cnt, q->hh_flows_total_cnt + 1);
/* By returning without updating counters in q->hhf_arrays,
* we implicitly implement "shielding" (see Optimization O1).
@@ -403,7 +404,7 @@ static int hhf_enqueue(struct sk_buff *skb, struct Qdisc *sch,
return NET_XMIT_SUCCESS;
prev_backlog = sch->qstats.backlog;
- q->drop_overlimit++;
+ WRITE_ONCE(q->drop_overlimit, q->drop_overlimit + 1);
/* Return Congestion Notification only if we dropped a packet from this
* bucket.
*/
@@ -678,10 +679,10 @@ static int hhf_dump_stats(struct Qdisc *sch, struct gnet_dump *d)
{
struct hhf_sched_data *q = qdisc_priv(sch);
struct tc_hhf_xstats st = {
- .drop_overlimit = q->drop_overlimit,
- .hh_overlimit = q->hh_flows_overlimit,
- .hh_tot_count = q->hh_flows_total_cnt,
- .hh_cur_count = q->hh_flows_current_cnt,
+ .drop_overlimit = READ_ONCE(q->drop_overlimit),
+ .hh_overlimit = READ_ONCE(q->hh_flows_overlimit),
+ .hh_tot_count = READ_ONCE(q->hh_flows_total_cnt),
+ .hh_cur_count = READ_ONCE(q->hh_flows_current_cnt),
};
return gnet_stats_copy_app(d, &st, sizeof(st));
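Review bot: the four READ_ONCE() loads in the tc_hhf_xstats initializer are independent, so st can pair an hh_cur_count from one instant with an hh_tot_count from another, and the commit message does not say whether that is acceptable. The sibling sch_pie, sch_red and sch_sfb commits in this series state that their xstats fields need not be latched atomically; the same sentence belongs here so a reader does not have to infer it.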
--
2.53.0
* [PATCH 6.1 714/969] net/sched: sch_pie: annotate data-races in pie_dump_stats()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (712 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 713/969] net_sched: sch_hhf: annotate data-races in hhf_dump_stats() Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 715/969] net/sched: sch_fq_codel: remove data-races from fq_codel_dump_stats() Greg Kroah-Hartman
` (261 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jamal Hadi Salim,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 5154561d9b119f781249f8e845fecf059b38b483 ]
pie_dump_stats() only runs with RTNL held,
reading fields that can be changed in qdisc fast path.
Add READ_ONCE()/WRITE_ONCE() annotations.
Alternative would be to acquire the qdisc spinlock, but our long-term
goal is to make qdisc dump operations lockless as much as we can.
tc_pie_xstats fields don't need to be latched atomically,
otherwise this bug would have been caught earlier.
Fixes: edb09eb17ed8 ("net: sched: do not acquire qdisc spinlock in qdisc/class stats dump")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260421142944.4009941-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/pie.h | 2 +-
net/sched/sch_pie.c | 38 +++++++++++++++++++-------------------
2 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/include/net/pie.h b/include/net/pie.h
index 3fe2361e03b46..f6fd51e2b7daa 100644
--- a/include/net/pie.h
+++ b/include/net/pie.h
@@ -104,7 +104,7 @@ static inline void pie_vars_init(struct pie_vars *vars)
vars->dq_tstamp = DTIME_INVALID;
vars->accu_prob = 0;
vars->dq_count = DQCOUNT_INVALID;
- vars->avg_dq_rate = 0;
+ WRITE_ONCE(vars->avg_dq_rate, 0);
}
static inline struct pie_skb_cb *get_pie_cb(const struct sk_buff *skb)
diff --git a/net/sched/sch_pie.c b/net/sched/sch_pie.c
index e1bb151a97195..afa94f058f5f5 100644
--- a/net/sched/sch_pie.c
+++ b/net/sched/sch_pie.c
@@ -89,7 +89,7 @@ static int pie_qdisc_enqueue(struct sk_buff *skb, struct Qdisc *sch,
bool enqueue = false;
if (unlikely(qdisc_qlen(sch) >= sch->limit)) {
- q->stats.overlimit++;
+ WRITE_ONCE(q->stats.overlimit, q->stats.overlimit + 1);
goto out;
}
@@ -101,7 +101,7 @@ static int pie_qdisc_enqueue(struct sk_buff *skb, struct Qdisc *sch,
/* If packet is ecn capable, mark it if drop probability
* is lower than 10%, else drop it.
*/
- q->stats.ecn_mark++;
+ WRITE_ONCE(q->stats.ecn_mark, q->stats.ecn_mark + 1);
enqueue = true;
}
@@ -111,15 +111,15 @@ static int pie_qdisc_enqueue(struct sk_buff *skb, struct Qdisc *sch,
if (!q->params.dq_rate_estimator)
pie_set_enqueue_time(skb);
- q->stats.packets_in++;
+ WRITE_ONCE(q->stats.packets_in, q->stats.packets_in + 1);
if (qdisc_qlen(sch) > q->stats.maxq)
- q->stats.maxq = qdisc_qlen(sch);
+ WRITE_ONCE(q->stats.maxq, qdisc_qlen(sch));
return qdisc_enqueue_tail(skb, sch);
}
out:
- q->stats.dropped++;
+ WRITE_ONCE(q->stats.dropped, q->stats.dropped + 1);
q->vars.accu_prob = 0;
return qdisc_drop(skb, sch, to_free);
}
@@ -260,11 +260,11 @@ void pie_process_dequeue(struct sk_buff *skb, struct pie_params *params,
count = count / dtime;
if (vars->avg_dq_rate == 0)
- vars->avg_dq_rate = count;
+ WRITE_ONCE(vars->avg_dq_rate, count);
else
- vars->avg_dq_rate =
+ WRITE_ONCE(vars->avg_dq_rate,
(vars->avg_dq_rate -
- (vars->avg_dq_rate >> 3)) + (count >> 3);
+ (vars->avg_dq_rate >> 3)) + (count >> 3));
/* If the queue has receded below the threshold, we hold
* on to the last drain rate calculated, else we reset
@@ -374,7 +374,7 @@ void pie_calculate_probability(struct pie_params *params, struct pie_vars *vars,
if (delta > 0) {
/* prevent overflow */
if (vars->prob < oldprob) {
- vars->prob = MAX_PROB;
+ WRITE_ONCE(vars->prob, MAX_PROB);
/* Prevent normalization error. If probability is at
* maximum value already, we normalize it here, and
* skip the check to do a non-linear drop in the next
@@ -385,7 +385,7 @@ void pie_calculate_probability(struct pie_params *params, struct pie_vars *vars,
} else {
/* prevent underflow */
if (vars->prob > oldprob)
- vars->prob = 0;
+ WRITE_ONCE(vars->prob, 0);
}
/* Non-linear drop in probability: Reduce drop probability quickly if
@@ -396,7 +396,7 @@ void pie_calculate_probability(struct pie_params *params, struct pie_vars *vars,
/* Reduce drop probability to 98.4% */
vars->prob -= vars->prob / 64;
- vars->qdelay = qdelay;
+ WRITE_ONCE(vars->qdelay, qdelay);
vars->backlog_old = backlog;
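Review bot: the context line vars->prob -= vars->prob / 64 in this hunk is still a plain read-modify-write, while the overflow and underflow stores to vars->prob in the two hunks above were converted to WRITE_ONCE(). If prob is meant to be covered by the annotation, this store needs the same treatment, written as WRITE_ONCE(vars->prob, vars->prob - vars->prob / 64); if it is deliberately excluded, the commit message should say why only the clamp paths were changed.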
/* We restart the measurement cycle if the following conditions are met
@@ -494,21 +494,21 @@ static int pie_dump_stats(struct Qdisc *sch, struct gnet_dump *d)
struct pie_sched_data *q = qdisc_priv(sch);
struct tc_pie_xstats st = {
.prob = q->vars.prob << BITS_PER_BYTE,
- .delay = ((u32)PSCHED_TICKS2NS(q->vars.qdelay)) /
+ .delay = ((u32)PSCHED_TICKS2NS(READ_ONCE(q->vars.qdelay))) /
NSEC_PER_USEC,
- .packets_in = q->stats.packets_in,
- .overlimit = q->stats.overlimit,
- .maxq = q->stats.maxq,
- .dropped = q->stats.dropped,
- .ecn_mark = q->stats.ecn_mark,
+ .packets_in = READ_ONCE(q->stats.packets_in),
+ .overlimit = READ_ONCE(q->stats.overlimit),
+ .maxq = READ_ONCE(q->stats.maxq),
+ .dropped = READ_ONCE(q->stats.dropped),
+ .ecn_mark = READ_ONCE(q->stats.ecn_mark),
};
/* avg_dq_rate is only valid if dq_rate_estimator is enabled */
st.dq_rate_estimating = q->params.dq_rate_estimator;
/* unscale and return dq_rate in bytes per sec */
- if (q->params.dq_rate_estimator)
- st.avg_dq_rate = q->vars.avg_dq_rate *
+ if (st.dq_rate_estimating)
+ st.avg_dq_rate = READ_ONCE(q->vars.avg_dq_rate) *
(PSCHED_TICKS_PER_SEC) >> PIE_SCALE;
return gnet_stats_copy_app(d, &st, sizeof(st));
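Review bot: .prob = q->vars.prob << BITS_PER_BYTE at the top of the initializer is left as a plain load, although this same patch adds WRITE_ONCE(vars->prob, ...) on the writer side and annotates every other field read here. Suggest .prob = READ_ONCE(q->vars.prob) << BITS_PER_BYTE so the pair is complete. Reading q->params.dq_rate_estimator once into st.dq_rate_estimating and testing the copy is a good change and could be mentioned in the commit message.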
--
2.53.0
* [PATCH 6.1 715/969] net/sched: sch_fq_codel: remove data-races from fq_codel_dump_stats()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (713 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 714/969] net/sched: sch_pie: annotate data-races in pie_dump_stats() Greg Kroah-Hartman
@ 2026-05-30 16:03 ` Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 716/969] net/sched: sch_red: annotate data-races in red_dump_stats() Greg Kroah-Hartman
` (260 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jamal Hadi Salim,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit bbfaa73ea6871db03dc05d7f05f00557a8981f25 ]
fq_codel_dump_stats() acquires the qdisc spinlock a bit too late.
Move this acquisition before we fill st.qdisc_stats with live data.
Fixes: edb09eb17ed8 ("net: sched: do not acquire qdisc spinlock in qdisc/class stats dump")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260421142509.3967231-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_fq_codel.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/sched/sch_fq_codel.c b/net/sched/sch_fq_codel.c
index 47b5a056165cb..056895df17854 100644
--- a/net/sched/sch_fq_codel.c
+++ b/net/sched/sch_fq_codel.c
@@ -568,6 +568,8 @@ static int fq_codel_dump_stats(struct Qdisc *sch, struct gnet_dump *d)
};
struct list_head *pos;
+ sch_tree_lock(sch);
+
st.qdisc_stats.maxpacket = q->cstats.maxpacket;
st.qdisc_stats.drop_overlimit = q->drop_overlimit;
st.qdisc_stats.ecn_mark = q->cstats.ecn_mark;
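Review bot: sch_tree_lock(sch) now covers the scalar st.qdisc_stats assignments as well as the list walks, which is the opposite direction from the sibling patches in this series that keep the dump lockless and use READ_ONCE()/WRITE_ONCE(). The commit message explains what moved but not why locking was chosen here. A short comment above the lock, noting that it is already required for the new_flows/old_flows walks and so costs nothing extra, would stop a later cleanup from moving it back down.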
@@ -576,7 +578,6 @@ static int fq_codel_dump_stats(struct Qdisc *sch, struct gnet_dump *d)
st.qdisc_stats.memory_usage = q->memory_usage;
st.qdisc_stats.drop_overmemory = q->drop_overmemory;
- sch_tree_lock(sch);
list_for_each(pos, &q->new_flows)
st.qdisc_stats.new_flows_len++;
--
2.53.0
* [PATCH 6.1 716/969] net/sched: sch_red: annotate data-races in red_dump_stats()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (714 preceding siblings ...)
2026-05-30 16:03 ` [PATCH 6.1 715/969] net/sched: sch_fq_codel: remove data-races from fq_codel_dump_stats() Greg Kroah-Hartman
@ 2026-05-30 16:04 ` Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 717/969] net/sched: sch_sfb: annotate data-races in sfb_dump_stats() Greg Kroah-Hartman
` (259 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jamal Hadi Salim,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit a8f5192809caf636d05ba47c144f282cfd0e3839 ]
red_dump_stats() only runs with RTNL held,
reading fields that can be changed in qdisc fast path.
Add READ_ONCE()/WRITE_ONCE() annotations.
Alternative would be to acquire the qdisc spinlock, but our long-term
goal is to make qdisc dump operations lockless as much as we can.
tc_red_xstats fields don't need to be latched atomically,
otherwise this bug would have been caught earlier.
Fixes: edb09eb17ed8 ("net: sched: do not acquire qdisc spinlock in qdisc/class stats dump")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260421142309.3964322-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_red.c | 31 +++++++++++++++++++++----------
1 file changed, 21 insertions(+), 10 deletions(-)
diff --git a/net/sched/sch_red.c b/net/sched/sch_red.c
index ea3580d1d19e8..5348b61053068 100644
--- a/net/sched/sch_red.c
+++ b/net/sched/sch_red.c
@@ -89,17 +89,20 @@ static int red_enqueue(struct sk_buff *skb, struct Qdisc *sch,
case RED_PROB_MARK:
qdisc_qstats_overlimit(sch);
if (!red_use_ecn(q)) {
- q->stats.prob_drop++;
+ WRITE_ONCE(q->stats.prob_drop,
+ q->stats.prob_drop + 1);
goto congestion_drop;
}
if (INET_ECN_set_ce(skb)) {
- q->stats.prob_mark++;
+ WRITE_ONCE(q->stats.prob_mark,
+ q->stats.prob_mark + 1);
skb = tcf_qevent_handle(&q->qe_mark, sch, skb, to_free, &ret);
if (!skb)
return NET_XMIT_CN | ret;
} else if (!red_use_nodrop(q)) {
- q->stats.prob_drop++;
+ WRITE_ONCE(q->stats.prob_drop,
+ q->stats.prob_drop + 1);
goto congestion_drop;
}
@@ -109,17 +112,20 @@ static int red_enqueue(struct sk_buff *skb, struct Qdisc *sch,
case RED_HARD_MARK:
qdisc_qstats_overlimit(sch);
if (red_use_harddrop(q) || !red_use_ecn(q)) {
- q->stats.forced_drop++;
+ WRITE_ONCE(q->stats.forced_drop,
+ q->stats.forced_drop + 1);
goto congestion_drop;
}
if (INET_ECN_set_ce(skb)) {
- q->stats.forced_mark++;
+ WRITE_ONCE(q->stats.forced_mark,
+ q->stats.forced_mark + 1);
skb = tcf_qevent_handle(&q->qe_mark, sch, skb, to_free, &ret);
if (!skb)
return NET_XMIT_CN | ret;
} else if (!red_use_nodrop(q)) {
- q->stats.forced_drop++;
+ WRITE_ONCE(q->stats.forced_drop,
+ q->stats.forced_drop + 1);
goto congestion_drop;
}
@@ -133,7 +139,8 @@ static int red_enqueue(struct sk_buff *skb, struct Qdisc *sch,
sch->qstats.backlog += len;
sch->q.qlen++;
} else if (net_xmit_drop_count(ret)) {
- q->stats.pdrop++;
+ WRITE_ONCE(q->stats.pdrop,
+ q->stats.pdrop + 1);
qdisc_qstats_drop(sch);
}
return ret;
@@ -461,9 +468,13 @@ static int red_dump_stats(struct Qdisc *sch, struct gnet_dump *d)
dev->netdev_ops->ndo_setup_tc(dev, TC_SETUP_QDISC_RED,
&hw_stats_request);
}
- st.early = q->stats.prob_drop + q->stats.forced_drop;
- st.pdrop = q->stats.pdrop;
- st.marked = q->stats.prob_mark + q->stats.forced_mark;
+ st.early = READ_ONCE(q->stats.prob_drop) +
+ READ_ONCE(q->stats.forced_drop);
+
+ st.pdrop = READ_ONCE(q->stats.pdrop);
+
+ st.marked = READ_ONCE(q->stats.prob_mark) +
+ READ_ONCE(q->stats.forced_mark);
return gnet_stats_copy_app(d, &st, sizeof(st));
}
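Review bot: the READ_ONCE() loads follow directly after the ndo_setup_tc(dev, TC_SETUP_QDISC_RED, &hw_stats_request) call in the context above, and the patch annotates only the software writers in red_enqueue(). If that request lets a driver update q->stats in place, those updates are plain writes outside the annotation scheme, so the commit message should state whether the offload path was considered. The blank lines added between the three st assignments are unrelated churn and can be dropped.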
--
2.53.0
* [PATCH 6.1 717/969] net/sched: sch_sfb: annotate data-races in sfb_dump_stats()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (715 preceding siblings ...)
2026-05-30 16:04 ` [PATCH 6.1 716/969] net/sched: sch_red: annotate data-races in red_dump_stats() Greg Kroah-Hartman
@ 2026-05-30 16:04 ` Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 718/969] net: dsa: realtek: rtl8365mb: fix mode mask calculation Greg Kroah-Hartman
` (258 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 1ada03fdef82d3d7d2edb9dcd3acc91917675e48 ]
sfb_dump_stats() only runs with RTNL held,
reading fields that can be changed in qdisc fast path.
Add READ_ONCE()/WRITE_ONCE() annotations.
Alternative would be to acquire the qdisc spinlock, but our long-term
goal is to make qdisc dump operations lockless as much as we can.
tc_sfb_xstats fields don't need to be latched atomically,
otherwise this bug would have been caught earlier.
Fixes: edb09eb17ed8 ("net: sched: do not acquire qdisc spinlock in qdisc/class stats dump")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260421141655.3953721-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_sfb.c | 54 +++++++++++++++++++++++++++------------------
1 file changed, 32 insertions(+), 22 deletions(-)
diff --git a/net/sched/sch_sfb.c b/net/sched/sch_sfb.c
index 1871a1c0224d4..ce67826fdf9b6 100644
--- a/net/sched/sch_sfb.c
+++ b/net/sched/sch_sfb.c
@@ -130,7 +130,7 @@ static void increment_one_qlen(u32 sfbhash, u32 slot, struct sfb_sched_data *q)
sfbhash >>= SFB_BUCKET_SHIFT;
if (b[hash].qlen < 0xFFFF)
- b[hash].qlen++;
+ WRITE_ONCE(b[hash].qlen, b[hash].qlen + 1);
b += SFB_NUMBUCKETS; /* next level */
}
}
@@ -159,7 +159,7 @@ static void decrement_one_qlen(u32 sfbhash, u32 slot,
sfbhash >>= SFB_BUCKET_SHIFT;
if (b[hash].qlen > 0)
- b[hash].qlen--;
+ WRITE_ONCE(b[hash].qlen, b[hash].qlen - 1);
b += SFB_NUMBUCKETS; /* next level */
}
}
@@ -179,12 +179,12 @@ static void decrement_qlen(const struct sk_buff *skb, struct sfb_sched_data *q)
static void decrement_prob(struct sfb_bucket *b, struct sfb_sched_data *q)
{
- b->p_mark = prob_minus(b->p_mark, q->decrement);
+ WRITE_ONCE(b->p_mark, prob_minus(b->p_mark, q->decrement));
}
static void increment_prob(struct sfb_bucket *b, struct sfb_sched_data *q)
{
- b->p_mark = prob_plus(b->p_mark, q->increment);
+ WRITE_ONCE(b->p_mark, prob_plus(b->p_mark, q->increment));
}
static void sfb_zero_all_buckets(struct sfb_sched_data *q)
@@ -202,11 +202,14 @@ static u32 sfb_compute_qlen(u32 *prob_r, u32 *avgpm_r, const struct sfb_sched_da
const struct sfb_bucket *b = &q->bins[q->slot].bins[0][0];
for (i = 0; i < SFB_LEVELS * SFB_NUMBUCKETS; i++) {
- if (qlen < b->qlen)
- qlen = b->qlen;
- totalpm += b->p_mark;
- if (prob < b->p_mark)
- prob = b->p_mark;
+ u32 b_qlen = READ_ONCE(b->qlen);
+ u32 b_mark = READ_ONCE(b->p_mark);
+
+ if (qlen < b_qlen)
+ qlen = b_qlen;
+ totalpm += b_mark;
+ if (prob < b_mark)
+ prob = b_mark;
b++;
}
*prob_r = prob;
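Review bot: the bucket pointer in the context line above the loop is still derived from a plain read of q->slot (&q->bins[q->slot].bins[0][0]), while the per-bucket fields are now read with READ_ONCE(). If the fast path can change q->slot while the dump runs, that load needs READ_ONCE() and a matching WRITE_ONCE() at the writer as well, otherwise the annotated loop may still walk a bin selected by a torn or re-read index. The u32 locals for b_qlen and b_mark are fine, but a comment that they are single snapshots per bucket would explain why the fields are not re-read in the comparisons.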
@@ -294,7 +297,8 @@ static int sfb_enqueue(struct sk_buff *skb, struct Qdisc *sch,
if (unlikely(sch->q.qlen >= q->limit)) {
qdisc_qstats_overlimit(sch);
- q->stats.queuedrop++;
+ WRITE_ONCE(q->stats.queuedrop,
+ q->stats.queuedrop + 1);
goto drop;
}
@@ -347,7 +351,8 @@ static int sfb_enqueue(struct sk_buff *skb, struct Qdisc *sch,
if (unlikely(minqlen >= q->max)) {
qdisc_qstats_overlimit(sch);
- q->stats.bucketdrop++;
+ WRITE_ONCE(q->stats.bucketdrop,
+ q->stats.bucketdrop + 1);
goto drop;
}
@@ -373,7 +378,8 @@ static int sfb_enqueue(struct sk_buff *skb, struct Qdisc *sch,
}
if (sfb_rate_limit(skb, q)) {
qdisc_qstats_overlimit(sch);
- q->stats.penaltydrop++;
+ WRITE_ONCE(q->stats.penaltydrop,
+ q->stats.penaltydrop + 1);
goto drop;
}
goto enqueue;
@@ -388,14 +394,17 @@ static int sfb_enqueue(struct sk_buff *skb, struct Qdisc *sch,
* In either case, we want to start dropping packets.
*/
if (r < (p_min - SFB_MAX_PROB / 2) * 2) {
- q->stats.earlydrop++;
+ WRITE_ONCE(q->stats.earlydrop,
+ q->stats.earlydrop + 1);
goto drop;
}
}
if (INET_ECN_set_ce(skb)) {
- q->stats.marked++;
+ WRITE_ONCE(q->stats.marked,
+ q->stats.marked + 1);
} else {
- q->stats.earlydrop++;
+ WRITE_ONCE(q->stats.earlydrop,
+ q->stats.earlydrop + 1);
goto drop;
}
}
@@ -408,7 +417,8 @@ static int sfb_enqueue(struct sk_buff *skb, struct Qdisc *sch,
sch->q.qlen++;
increment_qlen(&cb, q);
} else if (net_xmit_drop_count(ret)) {
- q->stats.childdrop++;
+ WRITE_ONCE(q->stats.childdrop,
+ q->stats.childdrop + 1);
qdisc_qstats_drop(sch);
}
return ret;
@@ -597,12 +607,12 @@ static int sfb_dump_stats(struct Qdisc *sch, struct gnet_dump *d)
{
struct sfb_sched_data *q = qdisc_priv(sch);
struct tc_sfb_xstats st = {
- .earlydrop = q->stats.earlydrop,
- .penaltydrop = q->stats.penaltydrop,
- .bucketdrop = q->stats.bucketdrop,
- .queuedrop = q->stats.queuedrop,
- .childdrop = q->stats.childdrop,
- .marked = q->stats.marked,
+ .earlydrop = READ_ONCE(q->stats.earlydrop),
+ .penaltydrop = READ_ONCE(q->stats.penaltydrop),
+ .bucketdrop = READ_ONCE(q->stats.bucketdrop),
+ .queuedrop = READ_ONCE(q->stats.queuedrop),
+ .childdrop = READ_ONCE(q->stats.childdrop),
+ .marked = READ_ONCE(q->stats.marked),
};
st.maxqlen = sfb_compute_qlen(&st.maxprob, &st.avgprob, q);
--
2.53.0
* [PATCH 6.1 718/969] net: dsa: realtek: rtl8365mb: fix mode mask calculation
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (716 preceding siblings ...)
2026-05-30 16:04 ` [PATCH 6.1 717/969] net/sched: sch_sfb: annotate data-races in sfb_dump_stats() Greg Kroah-Hartman
@ 2026-05-30 16:04 ` Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 719/969] nfp: fix swapped arguments in nfp_encode_basic_qdr() calls Greg Kroah-Hartman
` (257 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Abdulkader Alrezej,
Mieczyslaw Nalewaj, Luiz Angelo Daros de Luca, Paolo Abeni,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mieczyslaw Nalewaj <namiltd@yahoo.com>
[ Upstream commit 0c078021d3861966614d5e594ee03587f0c9e74d ]
The RTL8365MB_DIGITAL_INTERFACE_SELECT_MODE_MASK macro was shifting
the 4-bit mask (0xF) by only (_extint % 2) bits instead of
(_extint % 2) * 4. This caused the mask to overlap with the adjacent
nibble when configuring odd-numbered external interfaces, selecting
the wrong bits entirely.
Align the shift calculation with the existing ...MODE_OFFSET macro.
Fixes: 4af2950c50c8 ("net: dsa: realtek-smi: add rtl8365mb subdriver for RTL8365MB-VC")
Signed-off-by: Abdulkader Alrezej <alrazj.abdulkader@gmail.com>
Signed-off-by: Mieczyslaw Nalewaj <namiltd@yahoo.com>
Reviewed-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Link: https://patch.msgid.link/400a6387-a444-4576-af6d-26be5410bce3@yahoo.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/realtek/rtl8365mb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/dsa/realtek/rtl8365mb.c b/drivers/net/dsa/realtek/rtl8365mb.c
index c22e69ab0deb1..97673ccb7ac79 100644
--- a/drivers/net/dsa/realtek/rtl8365mb.c
+++ b/drivers/net/dsa/realtek/rtl8365mb.c
@@ -212,7 +212,7 @@
(_extint) == 2 ? RTL8365MB_DIGITAL_INTERFACE_SELECT_REG1 : \
0x0)
#define RTL8365MB_DIGITAL_INTERFACE_SELECT_MODE_MASK(_extint) \
- (0xF << (((_extint) % 2)))
+ (0xF << (((_extint) % 2) * 4))
#define RTL8365MB_DIGITAL_INTERFACE_SELECT_MODE_OFFSET(_extint) \
(((_extint) % 2) * 4)
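Review bot: the corrected mask repeats the shift expression ((_extint) % 2) * 4 that RTL8365MB_DIGITAL_INTERFACE_SELECT_MODE_OFFSET() already defines two lines below, which is the duplication that let the two drift apart in the first place. Defining the mask as (0xF << RTL8365MB_DIGITAL_INTERFACE_SELECT_MODE_OFFSET(_extint)), with the OFFSET macro moved above it, would keep them in lockstep.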
--
2.53.0
* [PATCH 6.1 719/969] nfp: fix swapped arguments in nfp_encode_basic_qdr() calls
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (717 preceding siblings ...)
2026-05-30 16:04 ` [PATCH 6.1 718/969] net: dsa: realtek: rtl8365mb: fix mode mask calculation Greg Kroah-Hartman
@ 2026-05-30 16:04 ` Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 720/969] tipc: fix double-free in tipc_buf_append() Greg Kroah-Hartman
` (256 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexey Kodanev, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Kodanev <aleksei.kodanev@bell-sw.com>
[ Upstream commit 4078c5611d7585548b249377ebd60c272e410490 ]
There is a mismatch between the passed arguments and the actual
nfp_encode_basic_qdr() function parameter names:
static int nfp_encode_basic_qdr(u64 addr, int dest_island, int cpp_tgt,
int mode, bool addr40, int isld1,
int isld0)
{
...
But "dest_island" and "cpp_tgt" are swapped at every call-site.
For example:
return nfp_encode_basic_qdr(*addr, cpp_tgt, dest_island,
mode, addr40, isld1, isld0);
As a result, nfp_encode_basic_qdr() receives "dest_island" as CPP target
type, which is always NFP_CPP_TARGET_QDR(2) for these calls, and "cpp_tgt"
as the destination island ID, which can accidentally match or be outside
the valid NFP_CPP_TARGET_* types (e.g. '-1' for any destination).
Since code already worked for years, also add extra pr_warn() to error
paths in nfp_encode_basic_qdr() to help identify any potential address
verification failures.
Detected using the static analysis tool - Svace.
Fixes: 4cb584e0ee7d ("nfp: add CPP access core")
Signed-off-by: Alexey Kodanev <aleksei.kodanev@bell-sw.com>
Link: https://patch.msgid.link/20260422160536.61855-1-aleksei.kodanev@bell-sw.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../ethernet/netronome/nfp/nfpcore/nfp_target.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_target.c b/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_target.c
index 79470f198a62a..9cf19446657c6 100644
--- a/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_target.c
+++ b/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_target.c
@@ -435,12 +435,17 @@ static int nfp_encode_basic_qdr(u64 addr, int dest_island, int cpp_tgt,
/* Full Island ID and channel bits overlap? */
ret = nfp_decode_basic(addr, &v, cpp_tgt, mode, addr40, isld1, isld0);
- if (ret)
+ if (ret) {
+ pr_warn("%s: decode dest_island failed: %d\n", __func__, ret);
return ret;
+ }
/* The current address won't go where expected? */
- if (dest_island != -1 && dest_island != v)
+ if (dest_island != -1 && dest_island != v) {
+ pr_warn("%s: dest_island mismatch: current (%d) != decoded (%d)\n",
+ __func__, dest_island, v);
return -EINVAL;
+ }
/* If dest_island was -1, we don't care where it goes. */
return 0;
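Review bot: in the second pr_warn(), `dest_island` is printed as "current", but it is the island the caller asked for, while `v` is what nfp_decode_basic() extracted from the current address (see the comment "The current address won't go where expected?"). Labelling the values "requested (%d) != decoded (%d)" would avoid misreading the log. The first message has a similar wording problem: what failed is decoding the address, not "dest_island".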
@@ -493,7 +498,7 @@ static int nfp_encode_basic(u64 *addr, int dest_island, int cpp_tgt,
* the address but we can verify if the existing
* contents will point to a valid island.
*/
- return nfp_encode_basic_qdr(*addr, cpp_tgt, dest_island,
+ return nfp_encode_basic_qdr(*addr, dest_island, cpp_tgt,
mode, addr40, isld1, isld0);
iid_lsb = addr40 ? 34 : 26;
@@ -504,7 +509,7 @@ static int nfp_encode_basic(u64 *addr, int dest_island, int cpp_tgt,
return 0;
case 1:
if (cpp_tgt == NFP_CPP_TARGET_QDR && !addr40)
- return nfp_encode_basic_qdr(*addr, cpp_tgt, dest_island,
+ return nfp_encode_basic_qdr(*addr, dest_island, cpp_tgt,
mode, addr40, isld1, isld0);
idx_lsb = addr40 ? 39 : 31;
@@ -530,7 +535,7 @@ static int nfp_encode_basic(u64 *addr, int dest_island, int cpp_tgt,
* be set before hand and with them select an island.
* So we need to confirm that it's at least plausible.
*/
- return nfp_encode_basic_qdr(*addr, cpp_tgt, dest_island,
+ return nfp_encode_basic_qdr(*addr, dest_island, cpp_tgt,
mode, addr40, isld1, isld0);
/* Make sure we compare against isldN values
@@ -551,7 +556,7 @@ static int nfp_encode_basic(u64 *addr, int dest_island, int cpp_tgt,
* iid<1> = addr<30> = channel<0>
* channel<1> = addr<31> = Index
*/
- return nfp_encode_basic_qdr(*addr, cpp_tgt, dest_island,
+ return nfp_encode_basic_qdr(*addr, dest_island, cpp_tgt,
mode, addr40, isld1, isld0);
isld[0] &= ~3;
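Review bot: with dest_island and cpp_tgt in the right order at this and the three call sites above, the `dest_island != -1 && dest_island != v` test in nfp_encode_basic_qdr() compares a real island ID against the decoded one, where it previously compared the CPP target value. Calls that used to return 0 can now return -EINVAL, so this backport is a behaviour change rather than a pure cleanup, and the new pr_warn() lines are the only signal when that happens; they are worth watching for in testing.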
--
2.53.0
* [PATCH 6.1 720/969] tipc: fix double-free in tipc_buf_append()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (718 preceding siblings ...)
2026-05-30 16:04 ` [PATCH 6.1 719/969] nfp: fix swapped arguments in nfp_encode_basic_qdr() calls Greg Kroah-Hartman
@ 2026-05-30 16:04 ` Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 721/969] vhost_net: fix sleeping with preempt-disabled in vhost_net_busy_poll() Greg Kroah-Hartman
` (255 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tung Nguyen, Lee Jones,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lee Jones <lee@kernel.org>
[ Upstream commit d293ca716e7d5dffdaecaf6b9b2f857a33dc3d3a ]
tipc_msg_validate() can potentially reallocate the skb it is validating,
freeing the old one. In tipc_buf_append(), it was being called with a
pointer to a local variable which was a copy of the caller's skb
pointer.
If the skb was reallocated and validation subsequently failed, the error
handling path would free the original skb pointer, which had already
been freed, leading to double-free.
Fix this by checking if head now points to a newly allocated reassembled
skb. If it does, reassign *headbuf for later freeing operations.
Fixes: d618d09a68e4 ("tipc: enforce valid ratio between skb truesize and contents")
Suggested-by: Tung Nguyen <tung.quang.nguyen@est.tech>
Signed-off-by: Lee Jones <lee@kernel.org>
Reviewed-by: Tung Nguyen <tung.quang.nguyen@est.tech>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/tipc/msg.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/net/tipc/msg.c b/net/tipc/msg.c
index 76284fc538ebd..b0bba0feef564 100644
--- a/net/tipc/msg.c
+++ b/net/tipc/msg.c
@@ -177,8 +177,20 @@ int tipc_buf_append(struct sk_buff **headbuf, struct sk_buff **buf)
if (fragid == LAST_FRAGMENT) {
TIPC_SKB_CB(head)->validated = 0;
- if (unlikely(!tipc_msg_validate(&head)))
+
+ /* If the reassembled skb has been freed in
+ * tipc_msg_validate() because of an invalid truesize,
+ * then head will point to a newly allocated reassembled
+ * skb, while *headbuf points to freed reassembled skb.
+ * In such cases, correct *headbuf for freeing the newly
+ * allocated reassembled skb later.
+ */
+ if (unlikely(!tipc_msg_validate(&head))) {
+ if (head != *headbuf)
+ *headbuf = head;
goto err;
+ }
+
*buf = head;
TIPC_SKB_CB(head)->tail = NULL;
*headbuf = NULL;
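Review bot: the `if (head != *headbuf)` guard before `*headbuf = head;` is redundant, since an unconditional assignment leaves *headbuf unchanged when the two are already equal. Dropping the test shortens the error path; the block comment can stay as the explanation of why *headbuf is rewritten before `goto err`.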
--
2.53.0
* [PATCH 6.1 721/969] vhost_net: fix sleeping with preempt-disabled in vhost_net_busy_poll()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (719 preceding siblings ...)
2026-05-30 16:04 ` [PATCH 6.1 720/969] tipc: fix double-free in tipc_buf_append() Greg Kroah-Hartman
@ 2026-05-30 16:04 ` Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 722/969] fs/adfs: validate nzones in adfs_validate_bblk() Greg Kroah-Hartman
` (254 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+6985cb8e543ea90ba8ee,
Kohei Enju, Michael S. Tsirkin, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kohei Enju <kohei@enjuk.jp>
[ Upstream commit e08a9fac5cf8c3fecf4755e7e3ac059f78b8f83d ]
syzbot reported "sleeping function called from invalid context" in
vhost_net_busy_poll().
Commit 030881372460 ("vhost_net: basic polling support") introduced a
busy-poll loop and preempt_{disable,enable}() around it, where each
iteration calls a sleepable function inside the loop.
The purpose of disabling preemption was to keep local_clock()-based
timeout accounting on a single CPU, rather than as a requirement of
busy-poll itself:
https://lore.kernel.org/1448435489-5949-4-git-send-email-jasowang@redhat.com
From this perspective, migrate_disable() is sufficient here, so replace
preempt_disable() with migrate_disable(), avoiding sleepable accesses
from a preempt-disabled context.
Fixes: 030881372460 ("vhost_net: basic polling support")
Tested-by: syzbot+6985cb8e543ea90ba8ee@syzkaller.appspotmail.com
Reported-by: syzbot+6985cb8e543ea90ba8ee@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/69e6a414.050a0220.24bfd3.002d.GAE@google.com/T/
Signed-off-by: Kohei Enju <kohei@enjuk.jp>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/vhost/net.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
index 2797cecc6c8be..3ae572df07960 100644
--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
@@ -546,7 +546,7 @@ static void vhost_net_busy_poll(struct vhost_net *net,
busyloop_timeout = poll_rx ? rvq->busyloop_timeout:
tvq->busyloop_timeout;
- preempt_disable();
+ migrate_disable();
endtime = busy_clock() + busyloop_timeout;
while (vhost_can_busy_poll(endtime)) {
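Review bot: migrate_disable() here carries no comment saying why it is used instead of preempt_disable(): the loop body calls sleepable functions, and only CPU pinning is needed so that the busy_clock() values compared against endtime come from one CPU. A one-line comment above the call would stop a later cleanup from switching it back.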
@@ -563,7 +563,7 @@ static void vhost_net_busy_poll(struct vhost_net *net,
cpu_relax();
}
- preempt_enable();
+ migrate_enable();
if (poll_rx || sock_has_rx_data(sock))
vhost_net_busy_poll_try_queue(net, vq);
--
2.53.0
* [PATCH 6.1 722/969] fs/adfs: validate nzones in adfs_validate_bblk()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (720 preceding siblings ...)
2026-05-30 16:04 ` [PATCH 6.1 721/969] vhost_net: fix sleeping with preempt-disabled in vhost_net_busy_poll() Greg Kroah-Hartman
@ 2026-05-30 16:04 ` Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 723/969] rtc: abx80x: Disable alarm feature if no interrupt attached Greg Kroah-Hartman
` (253 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bae Yeonju, Russell King (Oracle),
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bae Yeonju <iwasbaeyz@gmail.com>
[ Upstream commit dd9d3e16c2d5fa166e13dce07413be51f42c8f5d ]
Reject ADFS disc records with a zero zone count during boot block
validation, before the disc record is used.
When nzones is 0, adfs_read_map() passes it to kmalloc_array(0, ...)
which returns ZERO_SIZE_PTR, and adfs_map_layout() then writes to
dm[-1], causing an out-of-bounds write before the allocated buffer.
adfs_validate_dr0() already rejects nzones != 1 for old-format
images. Add the equivalent check to adfs_validate_bblk() for
new-format images so that a crafted image with nzones == 0 is
rejected at probe time.
Found by syzkaller.
Fixes: f6f14a0d71b0 ("fs/adfs: map: move map-specific sb initialisation to map.c")
Signed-off-by: Bae Yeonju <iwasbaeyz@gmail.com>
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/adfs/super.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/adfs/super.c b/fs/adfs/super.c
index e8bfc38239cd5..76e37c6d4cad4 100644
--- a/fs/adfs/super.c
+++ b/fs/adfs/super.c
@@ -343,6 +343,9 @@ static int adfs_validate_bblk(struct super_block *sb, struct buffer_head *bh,
if (adfs_checkdiscrecord(dr))
return -EILSEQ;
+ if ((dr->nzones | dr->nzones_high << 8) == 0)
+ return -EILSEQ;
+
*drp = dr;
return 0;
}
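Review bot: `(dr->nzones | dr->nzones_high << 8) == 0` is correct because `<<` binds tighter than `|`, but a zero test does not need the shift at all; `!dr->nzones && !dr->nzones_high` says the same thing, or parenthesize the shift if the combined value is kept. The new check also returns the same -EILSEQ as the adfs_checkdiscrecord() failure just above it, so the caller cannot tell the two rejections apart.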
--
2.53.0
* [PATCH 6.1 723/969] rtc: abx80x: Disable alarm feature if no interrupt attached
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (721 preceding siblings ...)
2026-05-30 16:04 ` [PATCH 6.1 722/969] fs/adfs: validate nzones in adfs_validate_bblk() Greg Kroah-Hartman
@ 2026-05-30 16:04 ` Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 724/969] fbdev: offb: fix PCI device reference leak on probe failure Greg Kroah-Hartman
` (252 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anthony Pighin, Alexandre Belloni,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anthony Pighin (Nokia) <anthony.pighin@nokia.com>
[ Upstream commit 0fedce7244e4b85c049ce579c87e298a1b0b811d ]
Commit 795cda8338ea ("rtc: interface: Fix long-standing race when setting
alarm") exposed an issue where the rtc-abx80x driver does not clear the
alarm feature bit, but instead relies on the set_alarm operation to return
invalid.
For example, when a RTC_UIE_ON ioctl is handled, it should abort at the
feature validation. Instead, it proceeds to the rtc_timer_enqueue(),
which used to return an error from the set_alarm call. However,
following the race condition handling, which likely should not be
discarding preceding errors, a success condition is returned to the
ioctl() caller. This results in (for example):
hwclock: select() to /dev/rtc0 to wait for clock tick timed out
Notwithstanding the validity of the race condition handling, if an interrupt
wasn't specified, or could not be attached, the driver should clear the
alarm feature bit.
Fixes: 718a820a303c ("rtc: abx80x: add alarm support")
Signed-off-by: Anthony Pighin <anthony.pighin@nokia.com>
Link: https://patch.msgid.link/BN0PR08MB69510928028C933749F4139383D1A@BN0PR08MB6951.namprd08.prod.outlook.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rtc/rtc-abx80x.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/rtc/rtc-abx80x.c b/drivers/rtc/rtc-abx80x.c
index 2ea6fdd2ae984..651270e5f1e66 100644
--- a/drivers/rtc/rtc-abx80x.c
+++ b/drivers/rtc/rtc-abx80x.c
@@ -836,6 +836,8 @@ static int abx80x_probe(struct i2c_client *client,
client->irq = 0;
}
}
+ if (client->irq <= 0)
+ clear_bit(RTC_FEATURE_ALARM, priv->rtc->features);
err = rtc_add_group(priv->rtc, &rtc_calib_attr_group);
if (err) {
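Review bot: the new `client->irq <= 0` test depends on the failure branch just above resetting `client->irq = 0`, but nothing in the code says so. A short comment noting that the test covers both the no-interrupt case and the failed-request case would keep the two in step if that branch is reworked.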
--
2.53.0
* [PATCH 6.1 724/969] fbdev: offb: fix PCI device reference leak on probe failure
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (722 preceding siblings ...)
2026-05-30 16:04 ` [PATCH 6.1 723/969] rtc: abx80x: Disable alarm feature if no interrupt attached Greg Kroah-Hartman
@ 2026-05-30 16:04 ` Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 725/969] mailbox: mailbox-test: free channels on probe error Greg Kroah-Hartman
` (251 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Myeonghun Pak, Ijae Kim, Taegyu Kim,
Yuho Choi, Helge Deller, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuho Choi <dbgh9129@gmail.com>
[ Upstream commit 869b93ba04088713596e68453c1146f52f713290 ]
offb_init_nodriver() gets a referenced PCI device with pci_get_device().
If pci_enable_device() fails, the function returns without dropping that
reference.
Release the PCI device reference before returning from the
pci_enable_device() failure path.
Fixes: 5bda8f7b5468 ("video: fbdev: offb: Call pci_enable_device() before using the PCI VGA device")
Co-developed-by: Myeonghun Pak <mhun512@gmail.com>
Signed-off-by: Myeonghun Pak <mhun512@gmail.com>
Co-developed-by: Ijae Kim <ae878000@gmail.com>
Signed-off-by: Ijae Kim <ae878000@gmail.com>
Co-developed-by: Taegyu Kim <tmk5904@psu.edu>
Signed-off-by: Taegyu Kim <tmk5904@psu.edu>
Signed-off-by: Yuho Choi <dbgh9129@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/fbdev/offb.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/offb.c b/drivers/video/fbdev/offb.c
index ea232395e226f..e151b0d7b53c2 100644
--- a/drivers/video/fbdev/offb.c
+++ b/drivers/video/fbdev/offb.c
@@ -646,8 +646,13 @@ static void offb_init_nodriver(struct platform_device *parent, struct device_nod
vid = be32_to_cpup(vidp);
did = be32_to_cpup(didp);
pdev = pci_get_device(vid, did, NULL);
- if (!pdev || pci_enable_device(pdev))
+ if (!pdev)
return;
+
+ if (pci_enable_device(pdev)) {
+ pci_dev_put(pdev);
+ return;
+ }
}
#endif
/* kludge for valkyrie */
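Review bot: the failure path now drops the reference, but when pci_enable_device() succeeds the block still ends without a pci_dev_put(pdev). If pdev is not used after the closing brace, the reference taken by pci_get_device() is leaked on the success path as well, and the put can be made unconditional after the enable call.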
--
2.53.0
* [PATCH 6.1 725/969] mailbox: mailbox-test: free channels on probe error
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (723 preceding siblings ...)
2026-05-30 16:04 ` [PATCH 6.1 724/969] fbdev: offb: fix PCI device reference leak on probe failure Greg Kroah-Hartman
@ 2026-05-30 16:04 ` Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 726/969] cgroup/rdma: fix integer overflow in rdmacg_try_charge() Greg Kroah-Hartman
` (250 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wolfram Sang, Jassi Brar,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wolfram Sang <wsa+renesas@sang-engineering.com>
[ Upstream commit c02053a9055d5fdfd32432287cca8958db1d5bc5 ]
On probe error, free the previously obtained channels. This not only
prevents a leak, but also UAF scenarios because the client structure
will be removed nonetheless because it was allocated with devm.
Link: https://sashiko.dev/#/patchset/20260327151217.5327-2-wsa%2Brenesas%40sang-engineering.com
Fixes: 8ea4484d0c2b ("mailbox: Add generic mechanism for testing Mailbox Controllers")
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mailbox/mailbox-test.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/drivers/mailbox/mailbox-test.c b/drivers/mailbox/mailbox-test.c
index 29c04157b5e88..1d546cae922ce 100644
--- a/drivers/mailbox/mailbox-test.c
+++ b/drivers/mailbox/mailbox-test.c
@@ -405,18 +405,27 @@ static int mbox_test_probe(struct platform_device *pdev)
if (tdev->rx_channel) {
tdev->rx_buffer = devm_kzalloc(&pdev->dev,
MBOX_MAX_MSG_LEN, GFP_KERNEL);
- if (!tdev->rx_buffer)
- return -ENOMEM;
+ if (!tdev->rx_buffer) {
+ ret = -ENOMEM;
+ goto err_free_chans;
+ }
}
ret = mbox_test_add_debugfs(pdev, tdev);
if (ret)
- return ret;
+ goto err_free_chans;
init_waitqueue_head(&tdev->waitq);
dev_info(&pdev->dev, "Successfully registered\n");
return 0;
+
+err_free_chans:
+ if (tdev->tx_channel)
+ mbox_free_channel(tdev->tx_channel);
+ if (tdev->rx_channel)
+ mbox_free_channel(tdev->rx_channel);
+ return ret;
}
static int mbox_test_remove(struct platform_device *pdev)
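Review bot: err_free_chans calls mbox_free_channel() on tx_channel and rx_channel independently, which frees the same channel twice when rx_channel has been set to tx_channel. The rx branch needs `tdev->rx_channel != tdev->tx_channel`; patch 728 in this series adds that test, so the two patches have to be applied together.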
--
2.53.0
* [PATCH 6.1 726/969] cgroup/rdma: fix integer overflow in rdmacg_try_charge()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (724 preceding siblings ...)
2026-05-30 16:04 ` [PATCH 6.1 725/969] mailbox: mailbox-test: free channels on probe error Greg Kroah-Hartman
@ 2026-05-30 16:04 ` Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 727/969] mailbox: add sanity check for channel array Greg Kroah-Hartman
` (249 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, cuitao, Michal Koutný,
Tejun Heo, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: cuitao <cuitao@kylinos.cn>
[ Upstream commit c802f460dd485c1332b5a35e7adcfb2bc22536a2 ]
The expression `rpool->resources[index].usage + 1` is computed in int
arithmetic before being assigned to s64 variable `new`. When usage equals
INT_MAX (the default "max" value), the addition overflows to INT_MIN.
This negative value then passes the `new > max` check incorrectly,
allowing a charge that should be rejected and corrupting usage to
negative.
Fix by casting usage to s64 before the addition so the arithmetic is
done in 64-bit.
Fixes: 39d3e7584a68 ("rdmacg: Added rdma cgroup controller")
Signed-off-by: cuitao <cuitao@kylinos.cn>
Reviewed-by: Michal Koutný <mkoutny@suse.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/cgroup/rdma.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/cgroup/rdma.c b/kernel/cgroup/rdma.c
index 3135406608c75..3265fbbbe7e29 100644
--- a/kernel/cgroup/rdma.c
+++ b/kernel/cgroup/rdma.c
@@ -281,7 +281,7 @@ int rdmacg_try_charge(struct rdma_cgroup **rdmacg,
ret = PTR_ERR(rpool);
goto err;
} else {
- new = rpool->resources[index].usage + 1;
+ new = (s64)rpool->resources[index].usage + 1;
if (new > rpool->resources[index].max) {
ret = -EAGAIN;
goto err;
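Review bot: the `(s64)` cast on `usage` looks redundant at a glance because `new` is already s64, so it is at risk of being removed in a later cleanup. Add a comment that the addition must be done in 64 bits because usage can be INT_MAX, or test `usage >= max` before adding so that no widening is needed.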
--
2.53.0
* [PATCH 6.1 727/969] mailbox: add sanity check for channel array
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (725 preceding siblings ...)
2026-05-30 16:04 ` [PATCH 6.1 726/969] cgroup/rdma: fix integer overflow in rdmacg_try_charge() Greg Kroah-Hartman
@ 2026-05-30 16:04 ` Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 728/969] mailbox: mailbox-test: dont free the reused channel Greg Kroah-Hartman
` (248 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wolfram Sang, Geert Uytterhoeven,
Jassi Brar, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wolfram Sang <wsa+renesas@sang-engineering.com>
[ Upstream commit c1aad75595fb67edc7fda8af249d3b886efa1be9 ]
Fail gracefully if there is no channel array attached to the mailbox
controller. Otherwise the later dereference will cause an OOPS which
might not be seen because mailbox controllers might instantiate very
early. Remove the comment explaining the obvious while here.
Fixes: 2b6d83e2b8b7 ("mailbox: Introduce framework for mailbox")
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mailbox/mailbox.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/mailbox/mailbox.c b/drivers/mailbox/mailbox.c
index ac8c162b689b2..c5b9d24efb69c 100644
--- a/drivers/mailbox/mailbox.c
+++ b/drivers/mailbox/mailbox.c
@@ -524,8 +524,7 @@ int mbox_controller_register(struct mbox_controller *mbox)
{
int i, txdone;
- /* Sanity check */
- if (!mbox || !mbox->dev || !mbox->ops || !mbox->num_chans)
+ if (!mbox || !mbox->dev || !mbox->ops || !mbox->chans || !mbox->num_chans)
return -EINVAL;
if (mbox->txdone_irq)
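Review bot: the added `!mbox->chans` test returns the same bare -EINVAL as the other four conditions, so a controller driver that forgot the channel array gets no hint which field was wrong. Consider a pr_err() naming the missing field before the return, which would make the graceful failure as easy to diagnose as the OOPS it replaces.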
--
2.53.0
* [PATCH 6.1 728/969] mailbox: mailbox-test: dont free the reused channel
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (726 preceding siblings ...)
2026-05-30 16:04 ` [PATCH 6.1 727/969] mailbox: add sanity check for channel array Greg Kroah-Hartman
@ 2026-05-30 16:04 ` Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 729/969] mailbox: mailbox-test: initialize struct earlier Greg Kroah-Hartman
` (247 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wolfram Sang, Jassi Brar,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wolfram Sang <wsa+renesas@sang-engineering.com>
[ Upstream commit 88ebadbf0deefdaccdab868b44ff70a0a257f473 ]
The RX channel can be aliased to the TX channel if it has a different
MMIO. This special case needs to be handled when freeing the channels
otherwise a double-free occurs.
Fixes: 8ea4484d0c2b ("mailbox: Add generic mechanism for testing Mailbox Controllers")
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mailbox/mailbox-test.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/mailbox/mailbox-test.c b/drivers/mailbox/mailbox-test.c
index 1d546cae922ce..247e83af060e3 100644
--- a/drivers/mailbox/mailbox-test.c
+++ b/drivers/mailbox/mailbox-test.c
@@ -423,7 +423,7 @@ static int mbox_test_probe(struct platform_device *pdev)
err_free_chans:
if (tdev->tx_channel)
mbox_free_channel(tdev->tx_channel);
- if (tdev->rx_channel)
+ if (tdev->rx_channel && tdev->rx_channel != tdev->tx_channel)
mbox_free_channel(tdev->rx_channel);
return ret;
}
@@ -436,7 +436,7 @@ static int mbox_test_remove(struct platform_device *pdev)
if (tdev->tx_channel)
mbox_free_channel(tdev->tx_channel);
- if (tdev->rx_channel)
+ if (tdev->rx_channel && tdev->rx_channel != tdev->tx_channel)
mbox_free_channel(tdev->rx_channel);
return 0;
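Review bot: the aliasing test `tdev->rx_channel != tdev->tx_channel` is now open-coded in both mbox_test_remove() and the err_free_chans path of mbox_test_probe(). A small helper that frees both channels would keep the two paths from diverging.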
--
2.53.0
* [PATCH 6.1 729/969] mailbox: mailbox-test: initialize struct earlier
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (727 preceding siblings ...)
2026-05-30 16:04 ` [PATCH 6.1 728/969] mailbox: mailbox-test: dont free the reused channel Greg Kroah-Hartman
@ 2026-05-30 16:04 ` Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 730/969] mailbox: mailbox-test: make data_ready a per-instance variable Greg Kroah-Hartman
` (246 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wolfram Sang, Jassi Brar,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wolfram Sang <wsa+renesas@sang-engineering.com>
[ Upstream commit bbcf9af68bfedb3d9cc3c7eae62f5c844d8b78b9 ]
The waitqueue must be initialized before the debugfs files are created
because from that time, requests from userspace can already be made.
Similarly, drvdata and spinlock need to be initialized before we
request the channel, otherwise dangling irqs might run into problems
like a NULL pointer exception.
Fixes: 8ea4484d0c2b ("mailbox: Add generic mechanism for testing Mailbox Controllers")
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mailbox/mailbox-test.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/drivers/mailbox/mailbox-test.c b/drivers/mailbox/mailbox-test.c
index 247e83af060e3..41efe64976598 100644
--- a/drivers/mailbox/mailbox-test.c
+++ b/drivers/mailbox/mailbox-test.c
@@ -365,6 +365,12 @@ static int mbox_test_probe(struct platform_device *pdev)
if (!tdev)
return -ENOMEM;
+ tdev->dev = &pdev->dev;
+ spin_lock_init(&tdev->lock);
+ mutex_init(&tdev->mutex);
+ init_waitqueue_head(&tdev->waitq);
+ platform_set_drvdata(pdev, tdev);
+
/* It's okay for MMIO to be NULL */
res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
tdev->tx_mmio = devm_ioremap_resource(&pdev->dev, res);
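Review bot: the block moved to the top of mbox_test_probe() has an ordering requirement that the code does not state: it must run before the channels are requested and before mbox_test_add_debugfs(). A comment above `tdev->dev = &pdev->dev;` saying so would protect it from being moved back down.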
@@ -396,12 +402,6 @@ static int mbox_test_probe(struct platform_device *pdev)
if (!tdev->rx_channel && (tdev->rx_mmio != tdev->tx_mmio))
tdev->rx_channel = tdev->tx_channel;
- tdev->dev = &pdev->dev;
- platform_set_drvdata(pdev, tdev);
-
- spin_lock_init(&tdev->lock);
- mutex_init(&tdev->mutex);
-
if (tdev->rx_channel) {
tdev->rx_buffer = devm_kzalloc(&pdev->dev,
MBOX_MAX_MSG_LEN, GFP_KERNEL);
@@ -415,7 +415,6 @@ static int mbox_test_probe(struct platform_device *pdev)
if (ret)
goto err_free_chans;
- init_waitqueue_head(&tdev->waitq);
dev_info(&pdev->dev, "Successfully registered\n");
return 0;
--
2.53.0
* [PATCH 6.1 730/969] mailbox: mailbox-test: make data_ready a per-instance variable
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (728 preceding siblings ...)
2026-05-30 16:04 ` [PATCH 6.1 729/969] mailbox: mailbox-test: initialize struct earlier Greg Kroah-Hartman
@ 2026-05-30 16:04 ` Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 731/969] btrfs: fix double-decrement of bytes_may_use in submit_one_async_extent() Greg Kroah-Hartman
` (245 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wolfram Sang, Jassi Brar,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wolfram Sang <wsa+renesas@sang-engineering.com>
[ Upstream commit 6e937f4e769e60947909e3525965f0137b9039e8 ]
While not the default case, multiple tests can be run simultaneously.
Then, data_ready being a global variable will be overwritten and the
per-instance lock will not help. Turn the global variable into a
per-instance one to avoid this problem.
Fixes: e339c80af95e ("mailbox: mailbox-test: don't rely on rx_buffer content to signal data ready")
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mailbox/mailbox-test.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/drivers/mailbox/mailbox-test.c b/drivers/mailbox/mailbox-test.c
index 41efe64976598..113858fe168c3 100644
--- a/drivers/mailbox/mailbox-test.c
+++ b/drivers/mailbox/mailbox-test.c
@@ -27,8 +27,6 @@
#define MBOX_HEXDUMP_MAX_LEN (MBOX_HEXDUMP_LINE_LEN * \
(MBOX_MAX_MSG_LEN / MBOX_BYTES_PER_LINE))
-static bool mbox_data_ready;
-
struct mbox_test_device {
struct device *dev;
void __iomem *tx_mmio;
@@ -41,6 +39,7 @@ struct mbox_test_device {
spinlock_t lock;
struct mutex mutex;
wait_queue_head_t waitq;
+ bool data_ready;
struct fasync_struct *async_queue;
struct dentry *root_debugfs_dir;
};
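Review bot: the new `data_ready` member is read and written under `tdev->lock` in every hunk of this patch, but the struct does not say so. Annotate the field, for example `bool data_ready; /* protected by lock */`, so that future users take the spinlock.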
@@ -161,7 +160,7 @@ static bool mbox_test_message_data_ready(struct mbox_test_device *tdev)
unsigned long flags;
spin_lock_irqsave(&tdev->lock, flags);
- data_ready = mbox_data_ready;
+ data_ready = tdev->data_ready;
spin_unlock_irqrestore(&tdev->lock, flags);
return data_ready;
@@ -226,7 +225,7 @@ static ssize_t mbox_test_message_read(struct file *filp, char __user *userbuf,
*(touser + l) = '\0';
memset(tdev->rx_buffer, 0, MBOX_MAX_MSG_LEN);
- mbox_data_ready = false;
+ tdev->data_ready = false;
spin_unlock_irqrestore(&tdev->lock, flags);
@@ -296,7 +295,7 @@ static void mbox_test_receive_message(struct mbox_client *client, void *message)
message, MBOX_MAX_MSG_LEN);
memcpy(tdev->rx_buffer, message, MBOX_MAX_MSG_LEN);
}
- mbox_data_ready = true;
+ tdev->data_ready = true;
spin_unlock_irqrestore(&tdev->lock, flags);
wake_up_interruptible(&tdev->waitq);
--
2.53.0
* [PATCH 6.1 731/969] btrfs: fix double-decrement of bytes_may_use in submit_one_async_extent()
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qu Wenruo, Mark Harmstone,
David Sterba, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Harmstone <mark@harmstone.com>
[ Upstream commit 82323b1a7088b7a5c3e528a5d634bff447fa286f ]
submit_one_async_extent() calls btrfs_reserve_extent(), which decrements
bytes_may_use. If the call btrfs_create_io_em() fails, we jump to
out_free_reserve, which calls extent_clear_unlock_delalloc().
Because we're specifying EXTENT_DO_ACCOUNTING, i.e.
EXTENT_CLEAR_META_RESV | EXTENT_CLEAR_DATA_RESV, this decreases
bytes_may_use again. This can lead to problems later on, as an initial
write can fail only for the writeback to silently ENOSPC.
Fix this by replacing EXTENT_DO_ACCOUNTING with EXTENT_CLEAR_META_RESV.
This parallels a4fe134fc1d8eb ("btrfs: fix a double release on reserved
extents in cow_one_range()"), which is the same fix in cow_one_range().
Fixes: 151a41bc46df ("Btrfs: fix what bits we clear when erroring out from delalloc")
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Mark Harmstone <mark@harmstone.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/inode.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
index 6a5364b466be1..3cdda1e4ad79e 100644
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -1069,7 +1069,7 @@ static int submit_one_async_extent(struct btrfs_inode *inode,
extent_clear_unlock_delalloc(inode, start, end,
NULL, EXTENT_LOCKED | EXTENT_DELALLOC |
EXTENT_DELALLOC_NEW |
- EXTENT_DEFRAG | EXTENT_DO_ACCOUNTING,
+ EXTENT_DEFRAG | EXTENT_CLEAR_META_RESV,
PAGE_UNLOCK | PAGE_START_WRITEBACK |
PAGE_END_WRITEBACK | PAGE_SET_ERROR);
free_async_extent_pages(async_extent);
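Review bot: the `EXTENT_DEFRAG | EXTENT_CLEAR_META_RESV` argument now deliberately omits EXTENT_CLEAR_DATA_RESV, but nothing at the call site says why. The changelog's reasoning (btrfs_reserve_extent() has already decremented bytes_may_use by the time this error path runs) belongs in a one-line comment above extent_clear_unlock_delalloc(), otherwise the flag set looks like an oversight and is easy to "restore" to EXTENT_DO_ACCOUNTING. It is also worth checking that no jump to out_free_reserve in the 6.1 version of this function happens before btrfs_reserve_extent() has succeeded, since such a path would now leave the data reservation in place.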
--
2.53.0
* [PATCH 6.1 732/969] tracing: branch: Fix inverted check on stat tracer registration
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mathieu Desnoyers, Ingo Molnar,
Frederic Weisbecker, Breno Leitao, Masami Hiramatsu (Google),
Steven Rostedt, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Breno Leitao <leitao@debian.org>
[ Upstream commit 3b75dd76e64a04771861bb5647951c264919e563 ]
init_annotated_branch_stats() and all_annotated_branch_stats() check the
return value of register_stat_tracer() with "if (!ret)", but
register_stat_tracer() returns 0 on success and a negative errno on
failure. The inverted check causes the warning to be printed on every
successful registration, e.g.:
Warning: could not register annotated branches stats
while leaving real failures silent. The initcall also returned a
hard-coded 1 instead of the actual error.
Invert the check and propagate ret so that the warning fires on real
errors and the initcall reports the correct status.
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Link: https://patch.msgid.link/20260420-tracing-v1-1-d8f4cd0d6af1@debian.org
Fixes: 002bb86d8d42 ("tracing/ftrace: separate events tracing and stats tracing engine")
Signed-off-by: Breno Leitao <leitao@debian.org>
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/trace_branch.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/kernel/trace/trace_branch.c b/kernel/trace/trace_branch.c
index e47fdb4c92fbc..30f72e0ecb5d4 100644
--- a/kernel/trace/trace_branch.c
+++ b/kernel/trace/trace_branch.c
@@ -379,10 +379,10 @@ __init static int init_annotated_branch_stats(void)
int ret;
ret = register_stat_tracer(&annotated_branch_stats);
- if (!ret) {
+ if (ret) {
printk(KERN_WARNING "Warning: could not register "
"annotated branches stats\n");
- return 1;
+ return ret;
}
return 0;
}
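Review bot: with `return ret;` now propagating the errno from init_annotated_branch_stats(), the warning text still does not say which error occurred. Adding ret to the message (a `%d` at the end of "could not register annotated branches stats") would make a real registration failure diagnosable from the log alone, which is the point of making the warning fire only on errors.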
@@ -444,10 +444,10 @@ __init static int all_annotated_branch_stats(void)
int ret;
ret = register_stat_tracer(&all_branch_stats);
- if (!ret) {
+ if (ret) {
printk(KERN_WARNING "Warning: could not register "
"all branches stats\n");
- return 1;
+ return ret;
}
return 0;
}
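Review bot: a style point in all_annotated_branch_stats(): the message stays split across two string literals ("Warning: could not register " and "all branches stats\n"), so a grep for the full text seen in dmesg finds nothing. As an upstream follow-up rather than in this backport, the block could use a single-line literal and pr_warn() instead of printk(KERN_WARNING ...).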
--
2.53.0
* [PATCH 6.1 733/969] nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hannes Reinecke, Yunje Shin,
Chaitanya Kulkarni, Maurizio Lombardi, Keith Busch, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maurizio Lombardi <mlombard@redhat.com>
[ Upstream commit ea8e356acb165cb1fd75537a52e1f66e5e76c538 ]
Currently, when nvmet_tcp_build_pdu_iovec() detects an out-of-bounds
PDU length or offset, it triggers nvmet_tcp_fatal_error(cmd->queue)
and returns early. However, because the function returns void, the
callers are entirely unaware that a fatal error has occurred and
that the cmd->recv_msg.msg_iter was left uninitialized.
Callers such as nvmet_tcp_handle_h2c_data_pdu() proceed to blindly
overwrite the queue state with queue->rcv_state = NVMET_TCP_RECV_DATA.
Consequently, the socket receiving loop may attempt to read incoming
network data into the uninitialized iterator.
Fix this by shifting the error handling responsibility to the callers.
Fixes: 52a0a9854934 ("nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec")
Reviewed-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Yunje Shin <ioerts@kookmin.ac.kr>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/target/tcp.c | 51 ++++++++++++++++++++++-----------------
1 file changed, 29 insertions(+), 22 deletions(-)
diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
index a46c9f5110838..01d685499b97d 100644
--- a/drivers/nvme/target/tcp.c
+++ b/drivers/nvme/target/tcp.c
@@ -308,7 +308,7 @@ static void nvmet_tcp_free_cmd_buffers(struct nvmet_tcp_cmd *cmd)
static void nvmet_tcp_fatal_error(struct nvmet_tcp_queue *queue);
-static void nvmet_tcp_build_pdu_iovec(struct nvmet_tcp_cmd *cmd)
+static int nvmet_tcp_build_pdu_iovec(struct nvmet_tcp_cmd *cmd)
{
struct bio_vec *iov = cmd->iov;
struct scatterlist *sg;
@@ -321,22 +321,19 @@ static void nvmet_tcp_build_pdu_iovec(struct nvmet_tcp_cmd *cmd)
offset = cmd->rbytes_done;
cmd->sg_idx = offset / PAGE_SIZE;
sg_offset = offset % PAGE_SIZE;
- if (!cmd->req.sg_cnt || cmd->sg_idx >= cmd->req.sg_cnt) {
- nvmet_tcp_fatal_error(cmd->queue);
- return;
- }
+ if (!cmd->req.sg_cnt || cmd->sg_idx >= cmd->req.sg_cnt)
+ return -EPROTO;
+
sg = &cmd->req.sg[cmd->sg_idx];
sg_remaining = cmd->req.sg_cnt - cmd->sg_idx;
while (length) {
- if (!sg_remaining) {
- nvmet_tcp_fatal_error(cmd->queue);
- return;
- }
- if (!sg->length || sg->length <= sg_offset) {
- nvmet_tcp_fatal_error(cmd->queue);
- return;
- }
+ if (!sg_remaining)
+ return -EPROTO;
+
+ if (!sg->length || sg->length <= sg_offset)
+ return -EPROTO;
+
u32 iov_len = min_t(u32, length, sg->length - sg_offset);
bvec_set_page(iov, sg_page(sg), iov_len,
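Review bot: nvmet_tcp_build_pdu_iovec() now returns -EPROTO at three points without calling nvmet_tcp_fatal_error(), so its contract has changed from handling its own failure to requiring the caller to do so, and nothing in the function documents that. A comment above the function stating that a non-zero return leaves cmd->recv_msg.msg_iter uninitialised, and that the caller must not let the queue receive data in that case, would protect callers added later.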
@@ -351,6 +348,7 @@ static void nvmet_tcp_build_pdu_iovec(struct nvmet_tcp_cmd *cmd)
iov_iter_bvec(&cmd->recv_msg.msg_iter, ITER_DEST, cmd->iov,
nr_pages, cmd->pdu_len);
+ return 0;
}
static void nvmet_tcp_fatal_error(struct nvmet_tcp_queue *queue)
@@ -906,7 +904,7 @@ static int nvmet_tcp_handle_icreq(struct nvmet_tcp_queue *queue)
return 0;
}
-static void nvmet_tcp_handle_req_failure(struct nvmet_tcp_queue *queue,
+static int nvmet_tcp_handle_req_failure(struct nvmet_tcp_queue *queue,
struct nvmet_tcp_cmd *cmd, struct nvmet_req *req)
{
size_t data_len = le32_to_cpu(req->cmd->common.dptr.sgl.length);
@@ -922,19 +920,23 @@ static void nvmet_tcp_handle_req_failure(struct nvmet_tcp_queue *queue,
if (!nvme_is_write(cmd->req.cmd) || !data_len ||
data_len > cmd->req.port->inline_data_size) {
nvmet_prepare_receive_pdu(queue);
- return;
+ return 0;
}
ret = nvmet_tcp_map_data(cmd);
if (unlikely(ret)) {
pr_err("queue %d: failed to map data\n", queue->idx);
nvmet_tcp_fatal_error(queue);
- return;
+ return -EPROTO;
}
queue->rcv_state = NVMET_TCP_RECV_DATA;
- nvmet_tcp_build_pdu_iovec(cmd);
cmd->flags |= NVMET_TCP_F_INIT_FAILED;
+ ret = nvmet_tcp_build_pdu_iovec(cmd);
+ if (unlikely(ret))
+ pr_err("queue %d: failed to build PDU iovec\n", queue->idx);
+
+ return ret;
}
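Review bot: in nvmet_tcp_handle_req_failure() the new build-failure branch only logs and returns ret, while the nvmet_tcp_map_data() failure a few lines above calls nvmet_tcp_fatal_error(queue) before returning -EPROTO. Either both failures should be handled the same way, or a comment should say that the returned error is what tears the queue down, so the asymmetry does not look accidental.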
static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue)
@@ -986,7 +988,10 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue)
goto err_proto;
}
cmd->pdu_recv = 0;
- nvmet_tcp_build_pdu_iovec(cmd);
+ if (unlikely(nvmet_tcp_build_pdu_iovec(cmd))) {
+ pr_err("queue %d: failed to build PDU iovec\n", queue->idx);
+ goto err_proto;
+ }
queue->cmd = cmd;
queue->rcv_state = NVMET_TCP_RECV_DATA;
@@ -1049,8 +1054,7 @@ static int nvmet_tcp_done_recv_pdu(struct nvmet_tcp_queue *queue)
req->cmd->common.opcode,
le32_to_cpu(req->cmd->common.dptr.sgl.length));
- nvmet_tcp_handle_req_failure(queue, queue->cmd, req);
- return 0;
+ return nvmet_tcp_handle_req_failure(queue, queue->cmd, req);
}
ret = nvmet_tcp_map_data(queue->cmd);
@@ -1067,8 +1071,11 @@ static int nvmet_tcp_done_recv_pdu(struct nvmet_tcp_queue *queue)
if (nvmet_tcp_need_data_in(queue->cmd)) {
if (nvmet_tcp_has_inline_data(queue->cmd)) {
queue->rcv_state = NVMET_TCP_RECV_DATA;
- nvmet_tcp_build_pdu_iovec(queue->cmd);
- return 0;
+ ret = nvmet_tcp_build_pdu_iovec(queue->cmd);
+ if (unlikely(ret))
+ pr_err("queue %d: failed to build PDU iovec\n",
+ queue->idx);
+ return ret;
}
/* send back R2T */
nvmet_tcp_queue_response(&queue->cmd->req);
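Review bot: `queue->rcv_state = NVMET_TCP_RECV_DATA;` is still assigned before nvmet_tcp_build_pdu_iovec() is called in the inline-data branch, so on failure the queue is already in the receive-data state with an uninitialised iterator, which is the condition the changelog sets out to avoid. The nvmet_tcp_handle_h2c_data_pdu() hunk builds first and sets the state only on success; using the same order here and in nvmet_tcp_handle_req_failure() would not depend on the caller acting on the error before the receive loop runs again.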
--
2.53.0
* [PATCH 6.1 734/969] netfilter: arp_tables: fix IEEE1394 ARP payload parsing
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiang Mei, Pablo Neira Ayuso,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit 1e8e3f449b1e73b73a843257635b9c50f0cc0f0a ]
Weiming Shi says:
"arp_packet_match() unconditionally parses the ARP payload assuming two
hardware addresses are present (source and target). However,
IPv4-over-IEEE1394 ARP (RFC 2734) omits the target hardware address
field, and arp_hdr_len() already accounts for this by returning a
shorter length for ARPHRD_IEEE1394 devices.
As a result, on IEEE1394 interfaces arp_packet_match() advances past a
nonexistent target hardware address and reads the wrong bytes for both
the target device address comparison and the target IP address. This
causes arptables rules to match against garbage data, leading to
incorrect filtering decisions: packets that should be accepted may be
dropped and vice versa.
The ARP stack in net/ipv4/arp.c (arp_create and arp_process) already
handles this correctly by skipping the target hardware address for
ARPHRD_IEEE1394. Apply the same pattern to arp_packet_match()."
Mangle the original patch to always return 0 (no match) in case user
matches on the target hardware address which is never present in
IEEE1394.
Note that this returns 0 (no match) for either normal and inverse match
because matching in the target hardware address in ARPHRD_IEEE1394 has
never been supported by arptables. This is intentional, matching on the
target hardware address should never evaluate true for ARPHRD_IEEE1394.
Moreover, adjust arpt_mangle to drop the packet too as AI suggests:
In arpt_mangle, the logic assumes a standard ARP layout. Because
IEEE1394 (FireWire) omits the target hardware address, the linear
pointer arithmetic miscalculates the offset for the target IP address.
This causes mangling operations to write to the wrong location, leading
to packet corruption. To ensure safety, this patch drops packets
(NF_DROP) when mangling is requested for these fields on IEEE1394
devices, as the current implementation cannot correctly map the FireWire
ARP payload.
This omits both mangling target hardware and IP address. Even if IP
address mangling should be possible in IEEE1394, this would require
to adjust arpt_mangle offset calculation, which has never been
supported.
Based on patch from Weiming Shi <bestswngs@gmail.com>.
Fixes: 6752c8db8e0c ("firewire net, ipv4 arp: Extend hardware address and remove driver-level packet inspection.")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/netfilter/arp_tables.c | 18 +++++++++++++++---
net/ipv4/netfilter/arpt_mangle.c | 8 ++++++++
2 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 14365b20f1c5c..564054123772a 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -110,13 +110,25 @@ static inline int arp_packet_match(const struct arphdr *arphdr,
arpptr += dev->addr_len;
memcpy(&src_ipaddr, arpptr, sizeof(u32));
arpptr += sizeof(u32);
- tgt_devaddr = arpptr;
- arpptr += dev->addr_len;
+
+ if (IS_ENABLED(CONFIG_FIREWIRE_NET) && dev->type == ARPHRD_IEEE1394) {
+ if (unlikely(memchr_inv(arpinfo->tgt_devaddr.mask, 0,
+ sizeof(arpinfo->tgt_devaddr.mask))))
+ return 0;
+
+ tgt_devaddr = NULL;
+ } else {
+ tgt_devaddr = arpptr;
+ arpptr += dev->addr_len;
+ }
memcpy(&tgt_ipaddr, arpptr, sizeof(u32));
if (NF_INVF(arpinfo, ARPT_INV_SRCDEVADDR,
arp_devaddr_compare(&arpinfo->src_devaddr, src_devaddr,
- dev->addr_len)) ||
+ dev->addr_len)))
+ return 0;
+
+ if (tgt_devaddr &&
NF_INVF(arpinfo, ARPT_INV_TGTDEVADDR,
arp_devaddr_compare(&arpinfo->tgt_devaddr, tgt_devaddr,
dev->addr_len)))
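Review bot: the early `return 0` taken when arpinfo->tgt_devaddr.mask is non-zero bypasses ARPT_INV_TGTDEVADDR, and the code gives no hint that this is deliberate. The changelog explains it (target hardware address matching has never been supported on ARPHRD_IEEE1394, so neither the normal nor the inverted form may match); a short comment above the memchr_inv() check saying so would stop it from being "fixed" later. The `IS_ENABLED(CONFIG_FIREWIRE_NET) && ... ARPHRD_IEEE1394` test also appears here and twice more in arpt_mangle.c, so a small shared inline helper would keep the three in step.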
diff --git a/net/ipv4/netfilter/arpt_mangle.c b/net/ipv4/netfilter/arpt_mangle.c
index a4e07e5e9c118..f65dd339208e8 100644
--- a/net/ipv4/netfilter/arpt_mangle.c
+++ b/net/ipv4/netfilter/arpt_mangle.c
@@ -40,6 +40,10 @@ target(struct sk_buff *skb, const struct xt_action_param *par)
}
arpptr += pln;
if (mangle->flags & ARPT_MANGLE_TDEV) {
+ if (unlikely(IS_ENABLED(CONFIG_FIREWIRE_NET) &&
+ skb->dev->type == ARPHRD_IEEE1394))
+ return NF_DROP;
+
if (ARPT_DEV_ADDR_LEN_MAX < hln ||
(arpptr + hln > skb_tail_pointer(skb)))
return NF_DROP;
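Review bot: the NF_DROP for ARPT_MANGLE_TDEV on ARPHRD_IEEE1394 is silent, so a ruleset that mangles the target hardware address will discard every matching ARP packet on a FireWire interface with nothing in the log to explain it. A once-only warning, or at minimum a comment above the check stating that the field does not exist in IEEE1394 ARP, would make the behaviour discoverable to whoever debugs the resulting loss of connectivity.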
@@ -47,6 +51,10 @@ target(struct sk_buff *skb, const struct xt_action_param *par)
}
arpptr += hln;
if (mangle->flags & ARPT_MANGLE_TIP) {
+ if (unlikely(IS_ENABLED(CONFIG_FIREWIRE_NET) &&
+ skb->dev->type == ARPHRD_IEEE1394))
+ return NF_DROP;
+
if (ARPT_MANGLE_ADDR_LEN_MAX < pln ||
(arpptr + pln > skb_tail_pointer(skb)))
return NF_DROP;
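Review bot: the ARPT_MANGLE_TIP check needs a comment, because unlike the target hardware address the target IP address is present in an IEEE1394 ARP packet; the drop is a limitation of the offset arithmetic (arpptr has just been advanced by hln for a field that is absent), as the changelog says. Without that note the check reads as if IP mangling were invalid on FireWire rather than unimplemented.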
--
2.53.0
* [PATCH 6.1 735/969] nvme-pci: fix missed admin queue sq doorbell write
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, Kanchan Joshi,
Keith Busch, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Keith Busch <kbusch@kernel.org>
[ Upstream commit 1cc4cdae2a3b7730d462d69e30f213fd2efe7807 ]
We can batch admin commands submitted through io_uring_cmd passthrough,
which means bd->last may be false and skips the doorbell write to
aggregate multiple commands per write. If a subsequent command can't be
dispatched for whatever reason, we have to provide the blk-mq ops'
commit_rqs callback in order to ensure we properly update the doorbell.
Fixes: 58e5bdeb9c2b ("nvme: enable uring-passthrough for admin commands")
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Kanchan Joshi <joshi.k@samsung.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/pci.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index 394673a7f75cb..660e8fbb18136 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -1756,6 +1756,7 @@ static int nvme_create_queue(struct nvme_queue *nvmeq, int qid, bool polled)
static const struct blk_mq_ops nvme_mq_admin_ops = {
.queue_rq = nvme_queue_rq,
.complete = nvme_pci_complete_rq,
+ .commit_rqs = nvme_commit_rqs,
.init_hctx = nvme_admin_init_hctx,
.init_request = nvme_pci_init_request,
.timeout = nvme_timeout,
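Review bot: `.commit_rqs = nvme_commit_rqs,` is added to nvme_mq_admin_ops with no comment, and the reason an admin queue needs it (io_uring_cmd passthrough can batch admin commands with bd->last false) lives only in the changelog. A one-line comment on the initializer would record that. For the backport, confirm that nvme_commit_rqs() as it exists in 6.1 makes no assumption that holds only for I/O queues, since this is the first time it is reachable on the admin queue.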
--
2.53.0
* [PATCH 6.1 736/969] drm/amdgpu: fix spelling typos
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexandre Demers, Alex Deucher,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexandre Demers <alexandre.f.demers@gmail.com>
[ Upstream commit ce43abd7ec9464cf954f90e1c69e11768b02fa0a ]
Found some typos while exploring amdgpu code.
Signed-off-by: Alexandre Demers <alexandre.f.demers@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Stable-dep-of: 13e4cf116dbf ("drm/amdgpu/uvd3.1: Don't validate the firmware when already validated")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c | 2 +-
drivers/gpu/drm/amd/amdgpu/uvd_v3_1.c | 6 +++---
drivers/gpu/drm/amd/amdgpu/uvd_v4_2.c | 3 ++-
drivers/gpu/drm/amd/amdgpu/vce_v2_0.c | 2 +-
4 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c
index 3a1576e2f8e3b..c76f1e1ee395c 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c
@@ -256,7 +256,7 @@ void amdgpu_gmc_sysvm_location(struct amdgpu_device *adev, struct amdgpu_gmc *mc
* @adev: amdgpu device structure holding all necessary information
* @mc: memory controller structure holding memory information
*
- * Function will place try to place GART before or after VRAM.
+ * Function will try to place GART before or after VRAM.
* If GART size is bigger than space left then we ajust GART size.
* Thus function will never fails.
*/
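Review bot: the comment block touched here still has two errors in the unchanged lines directly below the fix: "ajust" and "Thus function will never fails". Since the patch exists to fix spelling, both should be corrected in the same hunk ("adjust", "will never fail").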
diff --git a/drivers/gpu/drm/amd/amdgpu/uvd_v3_1.c b/drivers/gpu/drm/amd/amdgpu/uvd_v3_1.c
index e458e0d5801b0..fbfed90503868 100644
--- a/drivers/gpu/drm/amd/amdgpu/uvd_v3_1.c
+++ b/drivers/gpu/drm/amd/amdgpu/uvd_v3_1.c
@@ -98,7 +98,7 @@ static void uvd_v3_1_ring_emit_ib(struct amdgpu_ring *ring,
}
/**
- * uvd_v3_1_ring_emit_fence - emit an fence & trap command
+ * uvd_v3_1_ring_emit_fence - emit a fence & trap command
*
* @ring: amdgpu_ring pointer
* @addr: address
@@ -242,7 +242,7 @@ static void uvd_v3_1_mc_resume(struct amdgpu_device *adev)
uint64_t addr;
uint32_t size;
- /* programm the VCPU memory controller bits 0-27 */
+ /* program the VCPU memory controller bits 0-27 */
addr = (adev->uvd.inst->gpu_addr + AMDGPU_UVD_FIRMWARE_OFFSET) >> 3;
size = AMDGPU_UVD_FIRMWARE_SIZE(adev) >> 3;
WREG32(mmUVD_VCPU_CACHE_OFFSET0, addr);
@@ -416,7 +416,7 @@ static int uvd_v3_1_start(struct amdgpu_device *adev)
/* Set the write pointer delay */
WREG32(mmUVD_RBC_RB_WPTR_CNTL, 0);
- /* programm the 4GB memory segment for rptr and ring buffer */
+ /* Program the 4GB memory segment for rptr and ring buffer */
WREG32(mmUVD_LMI_EXT40_ADDR, upper_32_bits(ring->gpu_addr) |
(0x7 << 16) | (0x1 << 31));
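Review bot: capitalisation differs between the two "programm" fixes in this file: uvd_v3_1_mc_resume() gets `/* program the VCPU memory controller bits 0-27 */` while uvd_v3_1_start() gets `/* Program the 4GB memory segment ... */`. Pick one form for both; the neighbouring `/* Set the write pointer delay */` suggests the capitalised one.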
diff --git a/drivers/gpu/drm/amd/amdgpu/uvd_v4_2.c b/drivers/gpu/drm/amd/amdgpu/uvd_v4_2.c
index c108b83817951..01d8e7d2caf97 100644
--- a/drivers/gpu/drm/amd/amdgpu/uvd_v4_2.c
+++ b/drivers/gpu/drm/amd/amdgpu/uvd_v4_2.c
@@ -298,7 +298,7 @@ static int uvd_v4_2_start(struct amdgpu_device *adev)
/* enable VCPU clock */
WREG32(mmUVD_VCPU_CNTL, 1 << 9);
- /* disable interupt */
+ /* disable interrupt */
WREG32_P(mmUVD_MASTINT_EN, 0, ~(1 << 1));
#ifdef __BIG_ENDIAN
@@ -308,6 +308,7 @@ static int uvd_v4_2_start(struct amdgpu_device *adev)
#endif
WREG32(mmUVD_LMI_SWAP_CNTL, lmi_swap_cntl);
WREG32(mmUVD_MP_SWAP_CNTL, mp_swap_cntl);
+
/* initialize UVD memory controller */
WREG32(mmUVD_LMI_CTRL, 0x203108);
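Review bot: the blank line added before `/* initialize UVD memory controller */` is a whitespace change unrelated to spelling and is not mentioned in the changelog. It should be dropped or called out, since it widens a patch that is carried in stable only as a Stable-dep-of dependency.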
diff --git a/drivers/gpu/drm/amd/amdgpu/vce_v2_0.c b/drivers/gpu/drm/amd/amdgpu/vce_v2_0.c
index 67eb01fef789b..479eb9382c77e 100644
--- a/drivers/gpu/drm/amd/amdgpu/vce_v2_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/vce_v2_0.c
@@ -278,7 +278,7 @@ static int vce_v2_0_stop(struct amdgpu_device *adev)
int status;
if (vce_v2_0_lmi_clean(adev)) {
- DRM_INFO("vce is not idle \n");
+ DRM_INFO("VCE is not idle \n");
return 0;
}
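Review bot: the corrected string "VCE is not idle \n" keeps the stray space before the newline. If the message is being touched for cosmetic reasons, remove the trailing space in the same change.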
--
2.53.0
* [PATCH 6.1 737/969] drm/amdgpu/uvd3.1: Dont validate the firmware when already validated
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf,
Christian König, Alex Deucher, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit 13e4cf116dbf7a1fb8123a59bea2c098f30d3736 ]
UVD 3.1 firmware validation seems to always fail after
attempting it when it had already been validated.
(This works similarly with the VCE 1.0 as well.)
Don't attempt repeating the validation when it's already done.
This caused issues in situations when the system isn't able
to suspend the GPU properly and so the GPU isn't actually
powered down. Then amdgpu would fail when calling the IP
block resume function.
Closes: https://gitlab.freedesktop.org/drm/amd/-/work_items/2887
Fixes: bb7978111dd3 ("drm/amdgpu: fix SI UVD firmware validate resume fail")
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 889a2cfd889c4a4dd9d0c89ce9a8e60b78be71dd)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/uvd_v3_1.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/uvd_v3_1.c b/drivers/gpu/drm/amd/amdgpu/uvd_v3_1.c
index fbfed90503868..3a27bed57b4ff 100644
--- a/drivers/gpu/drm/amd/amdgpu/uvd_v3_1.c
+++ b/drivers/gpu/drm/amd/amdgpu/uvd_v3_1.c
@@ -242,6 +242,10 @@ static void uvd_v3_1_mc_resume(struct amdgpu_device *adev)
uint64_t addr;
uint32_t size;
+ /* When the keyselect is already set, don't perturb it. */
+ if (RREG32(mmUVD_FW_START))
+ return;
+
/* program the VCPU memory controller bits 0-27 */
addr = (adev->uvd.inst->gpu_addr + AMDGPU_UVD_FIRMWARE_OFFSET) >> 3;
size = AMDGPU_UVD_FIRMWARE_SIZE(adev) >> 3;
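Review bot: the early return in uvd_v3_1_mc_resume() tests `RREG32(mmUVD_FW_START)` for any non-zero value, whereas uvd_v3_1_fw_validate() in the next hunk tests the same register against UVD_FW_STATUS__PASS_MASK. The two conditions should either be identical or the comment should explain why "any bit set" is the right test here, because a non-zero value that does not indicate a passed validation would skip programming the VCPU memory controller altogether.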
@@ -284,6 +288,12 @@ static int uvd_v3_1_fw_validate(struct amdgpu_device *adev)
int i;
uint32_t keysel = adev->uvd.keyselect;
+ if (RREG32(mmUVD_FW_START) & UVD_FW_STATUS__PASS_MASK) {
+ dev_dbg(adev->dev, "UVD keyselect already set: 0x%x (on CPU: 0x%x)\n",
+ RREG32(mmUVD_FW_START), adev->uvd.keyselect);
+ return 0;
+ }
+
WREG32(mmUVD_FW_START, keysel);
for (i = 0; i < 10; ++i) {
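Review bot: the new check applies UVD_FW_STATUS__PASS_MASK, a mask named for a status register, to a read of mmUVD_FW_START; if that pairing is intentional it needs a comment, otherwise the register being read is the wrong one. The register is also read a second time inside dev_dbg(), so the logged value can differ from the one that was tested; read it once into a local and use that for both.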
--
2.53.0
* [PATCH 6.1 738/969] drm/amdgpu/gfx6: Support harvested SI chips with disabled TCCs (v2)
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf,
Christian König, Alex Deucher, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit fe2b84f9228e2a0903221a4d0d8c350b018e9c0c ]
This commit fixes amdgpu to work on the Radeon HD 7870 XT
which has never worked with the Linux open source drivers before.
Some boards have "harvested" chips, meaning that some parts of
the chip are disabled and fused, and it's sold for cheaper and
under a different marketing name.
On a harvested chip, any of the following can be disabled:
- CUs (Compute Units)
- RBs (Render Backend, aka. ROP)
- Memory channels (ie. the chip has a lower bandwidth)
- TCCs (ie. less L2 cache)
Handle chips with harvested TCCs by patching the registers
that configure how TCCs are mapped.
If some TCCs are disabled, we need to make sure that
the disabled TCCs are not used, and the remaining TCCs
are used optimally.
TCP_CHAN_STEER_LO/HI control which TCC is used by TCP channels.
TCP_ADDR_CONFIG.NUM_TCC_BANKS controls how many channels are used.
Note that the TCC configuration is highly relevant to performance.
Suboptimal configuration (eg. CHAN_STEER=0) can significantly
reduce gaming performance.
For optimal performance:
- Rely on the CHAN_STEER from the golden registers table,
only skip disabled TCCs but keep the mapping order.
- Limit NUM_TCC_BANKS to number of active TCCs to avoid thrashing,
which performs better than using the same TCC twice.
v2:
- Also consider CGTS_USER_TCC_DISABLE for disabled TCCs.
Link: https://bugs.freedesktop.org/show_bug.cgi?id=60879
Closes: https://gitlab.freedesktop.org/drm/amd/-/work_items/2664
Fixes: 2cd46ad22383 ("drm/amdgpu: add graphic pipeline implementation for si v8")
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 00218d15528fab9f6b31241fe5904eea4fcaa30d)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c | 66 +++++++++++++++++++++++++++
1 file changed, 66 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c
index 204b246f0e3f9..09cf6604e3d2c 100644
--- a/drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c
@@ -1568,6 +1568,71 @@ static void gfx_v6_0_setup_spi(struct amdgpu_device *adev)
mutex_unlock(&adev->grbm_idx_mutex);
}
+/**
+ * gfx_v6_0_setup_tcc() - setup which TCCs are used
+ *
+ * @adev: amdgpu_device pointer
+ *
+ * Verify whether the current GPU has any TCCs disabled,
+ * which can happen when the GPU is harvested and some
+ * memory channels are disabled, reducing the memory bus width.
+ * For example, on the Radeon HD 7870 XT (Tahiti LE).
+ *
+ * If some TCCs are disabled, we need to make sure that
+ * the disabled TCCs are not used, and the remaining TCCs
+ * are used optimally.
+ *
+ * TCP_CHAN_STEER_LO/HI control which TCC is used by TCP channels.
+ * TCP_ADDR_CONFIG.NUM_TCC_BANKS controls how many channels are used.
+ *
+ * For optimal performance:
+ * - Rely on the CHAN_STEER from the golden registers table,
+ * only skip disabled TCCs but keep the mapping order.
+ * - Limit NUM_TCC_BANKS to number of active TCCs to avoid thrashing,
+ * which performs better than using the same TCC twice.
+ */
+static void gfx_v6_0_setup_tcc(struct amdgpu_device *adev)
+{
+ u32 i, tcc, tcp_addr_config, num_active_tcc = 0;
+ u64 chan_steer, patched_chan_steer = 0;
+ const u32 num_max_tcc = adev->gfx.config.max_texture_channel_caches;
+ const u32 dis_tcc_mask =
+ amdgpu_gfx_create_bitmask(num_max_tcc) &
+ (REG_GET_FIELD(RREG32(mmCGTS_TCC_DISABLE),
+ CGTS_TCC_DISABLE, TCC_DISABLE) |
+ REG_GET_FIELD(RREG32(mmCGTS_USER_TCC_DISABLE),
+ CGTS_USER_TCC_DISABLE, TCC_DISABLE));
+
+ /* When no TCC is disabled, the golden registers table already has optimal TCC setup */
+ if (!dis_tcc_mask)
+ return;
+
+ /* Each 4-bit nibble contains the index of a TCC used by all TCPs */
+ chan_steer = RREG32(mmTCP_CHAN_STEER_LO) | ((u64)RREG32(mmTCP_CHAN_STEER_HI) << 32ull);
+
+ /* Patch the TCP to TCC mapping to skip disabled TCCs */
+ for (i = 0; i < num_max_tcc; ++i) {
+ tcc = (chan_steer >> (u64)(4 * i)) & 0xf;
+
+ if (!((1 << tcc) & dis_tcc_mask)) {
+ /* Copy enabled TCC indices to the patched register value. */
+ patched_chan_steer |= (u64)tcc << (u64)(4 * num_active_tcc);
+ ++num_active_tcc;
+ }
+ }
+
+ WARN_ON(num_active_tcc != num_max_tcc - hweight32(dis_tcc_mask));
+
+ /* Patch number of TCCs used by TCPs */
+ tcp_addr_config = REG_SET_FIELD(RREG32(mmTCP_ADDR_CONFIG),
+ TCP_ADDR_CONFIG, NUM_TCC_BANKS,
+ num_active_tcc - 1);
+
+ WREG32(mmTCP_ADDR_CONFIG, tcp_addr_config);
+ WREG32(mmTCP_CHAN_STEER_HI, upper_32_bits(patched_chan_steer));
+ WREG32(mmTCP_CHAN_STEER_LO, lower_32_bits(patched_chan_steer));
+}
+
static void gfx_v6_0_config_init(struct amdgpu_device *adev)
{
adev->gfx.config.double_offchip_lds_buf = 0;
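Review bot: `num_active_tcc - 1` in the REG_SET_FIELD() call underflows when every TCC index read from CHAN_STEER is in dis_tcc_mask, because num_active_tcc is a u32 that stays 0. The WARN_ON above does not catch this: it only compares num_active_tcc with `num_max_tcc - hweight32(dis_tcc_mask)`, and both sides are 0 in that case. Return early with a warning when num_active_tcc is 0, before TCP_ADDR_CONFIG and the CHAN_STEER registers are written.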
@@ -1726,6 +1791,7 @@ static void gfx_v6_0_constants_init(struct amdgpu_device *adev)
gfx_v6_0_tiling_mode_table_init(adev);
gfx_v6_0_setup_rb(adev);
+ gfx_v6_0_setup_tcc(adev);
gfx_v6_0_setup_spi(adev);
--
2.53.0
* [PATCH 6.1 739/969] netfilter: xt_policy: fix strict mode inbound policy matching
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (737 preceding siblings ...)
2026-05-30 16:04 ` [PATCH 6.1 738/969] drm/amdgpu/gfx6: Support harvested SI chips with disabled TCCs (v2) Greg Kroah-Hartman
@ 2026-05-30 16:04 ` Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 740/969] netfilter: nf_conntrack_sip: dont use simple_strtoul Greg Kroah-Hartman
` (236 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuan Tan, Yifan Wu, Juefei Pu,
Xin Liu, Jiexun Wang, Ren Wei, Florian Westphal,
Pablo Neira Ayuso, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiexun Wang <wangjiexun2025@gmail.com>
[ Upstream commit 4b2b4d7d4e203c92db8966b163edfacb1f0e1e29 ]
match_policy_in() walks sec_path entries from the last transform to the
first one, but strict policy matching needs to consume info->pol[] in
the same forward order as the rule layout.
Derive the strict-match policy position from the number of transforms
already consumed so that multi-element inbound rules are matched
consistently.
Fixes: c4b885139203 ("[NETFILTER]: x_tables: replace IPv4/IPv6 policy match by address family independant version")
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/xt_policy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/xt_policy.c b/net/netfilter/xt_policy.c
index cb6e8279010a4..b5fa65558318f 100644
--- a/net/netfilter/xt_policy.c
+++ b/net/netfilter/xt_policy.c
@@ -63,7 +63,7 @@ match_policy_in(const struct sk_buff *skb, const struct xt_policy_info *info,
return 0;
for (i = sp->len - 1; i >= 0; i--) {
- pos = strict ? i - sp->len + 1 : 0;
+ pos = strict ? sp->len - i - 1 : 0;
if (pos >= info->len)
return 0;
e = &info->pol[pos];
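Review bot: The changelog presents this as an ordering fix, but the old expression "i - sp->len + 1" is 0 only on the first iteration (i == sp->len - 1) and negative on every later one, and that value was then used in info->pol[pos]. Whether the "pos >= info->len" test caught it depends on the type of pos, which is declared outside this hunk; if pos is signed, the old code indexed before the start of info->pol[]. Please say so in the commit message so backporters can judge the severity, and consider a one-line comment that pos counts the transforms already consumed, since the loop still runs i downward.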
--
2.53.0
* [PATCH 6.1 740/969] netfilter: nf_conntrack_sip: dont use simple_strtoul
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Klaudia Kloc, Dawid Moczadło,
Florian Westphal, Pablo Neira Ayuso, Sasha Levin, Jenny Guanni Qu
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 8cf6809cddcbe301aedfc6b51bcd4944d45795f6 ]
Replace unsafe port parsing in epaddr_len(), ct_sip_parse_header_uri(),
and ct_sip_parse_request() with a new sip_parse_port() helper that
validates each digit against the buffer limit, eliminating the use of
simple_strtoul() which assumes NUL-terminated strings.
The previous code dereferenced pointers without bounds checks after
sip_parse_addr() and relied on simple_strtoul() on non-NUL-terminated
skb data. A port that reaches the buffer limit without a trailing
character is also rejected as malformed.
Also get rid of all simple_strtoul() usage in conntrack, prefer a
stricter version instead. There are intentional changes:
- Bail out if number is > UINT_MAX and indicate a failure, same for
too long sequences.
While we do accept 05535 as port 5535, we will not accept e.g.
'sip:10.0.0.1:005060'. While it's syntactically valid under RFC 3261,
we should restrict this to not waste cycles when presented with
malformed packets with 64k '0' characters.
- Force base 10 in ct_sip_parse_numerical_param(). This is used to fetch
'expire=' and 'rports='; both are expected to use base-10.
- In nf_nat_sip.c, only accept the parsed value if it's within the 1k-64k
range.
- epaddr_len now returns 0 if the port is invalid, as it already does
for invalid ip addresses. This is intentional. nf_conntrack_sip
performs lots of guesswork to find the right parts of the message
to parse. Being stricter could break existing setups.
Connection tracking helpers are designed to allow traffic to
pass, not to block it.
Based on an earlier patch from Jenny Guanni Qu <qguanni@gmail.com>.
Fixes: 05e3ced297fe ("[NETFILTER]: nf_conntrack_sip: introduce SIP-URI parsing helper")
Reported-by: Klaudia Kloc <klaudia@vidocsecurity.com>
Reported-by: Dawid Moczadło <dawid@vidocsecurity.com>
Reported-by: Jenny Guanni Qu <qguanni@gmail.com>.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_conntrack_sip.c | 152 ++++++++++++++++++++++++-------
net/netfilter/nf_nat_sip.c | 1 +
2 files changed, 119 insertions(+), 34 deletions(-)
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index fda6fc1fc4c58..4b32ee408ea15 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -181,6 +181,57 @@ static int sip_parse_addr(const struct nf_conn *ct, const char *cp,
return 1;
}
+/* Parse optional port number after IP address.
+ * Returns false on malformed input, true otherwise.
+ * If port is non-NULL, stores parsed port in network byte order.
+ * If no port is present, sets *port to default SIP port.
+ */
+static bool sip_parse_port(const char *dptr, const char **endp,
+ const char *limit, __be16 *port)
+{
+ unsigned int p = 0;
+ int len = 0;
+
+ if (dptr >= limit)
+ return false;
+
+ if (*dptr != ':') {
+ if (port)
+ *port = htons(SIP_PORT);
+ if (endp)
+ *endp = dptr;
+ return true;
+ }
+
+ dptr++; /* skip ':' */
+
+ while (dptr < limit && isdigit(*dptr)) {
+ p = p * 10 + (*dptr - '0');
+ dptr++;
+ len++;
+ if (len > 5) /* max "65535" */
+ return false;
+ }
+
+ if (len == 0)
+ return false;
+
+ /* reached limit while parsing port */
+ if (dptr >= limit)
+ return false;
+
+ if (p < 1024 || p > 65535)
+ return false;
+
+ if (port)
+ *port = htons(p);
+
+ if (endp)
+ *endp = dptr;
+
+ return true;
+}
+
/* skip ip address. returns its length. */
static int epaddr_len(const struct nf_conn *ct, const char *dptr,
const char *limit, int *shift)
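Review bot: The first check in sip_parse_port(), "if (dptr >= limit) return false;", runs before the test for ':', so an address that ends exactly at the buffer limit is reported as malformed even though no port was given. The header comment and the changelog only mention rejecting a port that reaches the limit; please document this case as well, because every caller now treats it as a parse failure instead of falling back to SIP_PORT. The comment line "If no port is present, sets *port to default SIP port" should also carry the "if port is non-NULL" condition that the code applies.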
@@ -193,11 +244,8 @@ static int epaddr_len(const struct nf_conn *ct, const char *dptr,
return 0;
}
- /* Port number */
- if (*dptr == ':') {
- dptr++;
- dptr += digits_len(ct, dptr, limit, shift);
- }
+ if (!sip_parse_port(dptr, &dptr, limit, NULL))
+ return 0;
return dptr - aux;
}
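Review bot: epaddr_len() used to pass shift to digits_len() for the port digits, and the replacement call to sip_parse_port() has no shift argument, so whatever digits_len() did with it no longer happens for the port part. digits_len() is not shown here; please confirm in the changelog that it never updates *shift for plain digits. This caller also inherits the "p < 1024 || p > 65535" and five-digit limits, where before any run of digits after ':' was skipped.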
@@ -228,6 +276,51 @@ static int skp_epaddr_len(const struct nf_conn *ct, const char *dptr,
return epaddr_len(ct, dptr, limit, shift);
}
+/* simple_strtoul stops after first non-number character.
+ * But as we're not dealing with c-strings, we can't rely on
+ * hitting \r,\n,\0 etc. before moving past end of buffer.
+ *
+ * This is a variant of simple_strtoul, but doesn't require
+ * a c-string.
+ *
+ * If value exceeds UINT_MAX, 0 is returned.
+ */
+static unsigned int sip_strtouint(const char *cp, unsigned int len, char **endp)
+{
+ const unsigned int max = sizeof("4294967295");
+ unsigned int olen = len;
+ const char *s = cp;
+ u64 result = 0;
+
+ if (len > max)
+ len = max;
+
+ while (olen > 0 && isdigit(*s)) {
+ unsigned int value;
+
+ if (len == 0)
+ goto err;
+
+ value = *s - '0';
+ result = result * 10 + value;
+
+ if (result > UINT_MAX)
+ goto err;
+ s++;
+ len--;
+ olen--;
+ }
+
+ if (endp)
+ *endp = (char *)s;
+
+ return result;
+err:
+ if (endp)
+ *endp = (char *)cp;
+ return 0;
+}
+
/* Parse a SIP request line of the form:
*
* Request-Line = Method SP Request-URI SP SIP-Version CRLF
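Review bot: In sip_strtouint(), max = sizeof("4294967295") counts the terminating NUL, so the cap is 11 digits, one more than UINT_MAX needs. The u64 accumulator and the "result > UINT_MAX" test keep that safe, but the intent reads as 10; use sizeof("4294967295") - 1 or state in the comment that up to 11 digits are accepted. The comment should also document that an over-long digit run returns 0 and that *endp is reset to cp on error, since a caller passing a NULL endp cannot tell an error from a parsed 0.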
@@ -241,7 +334,6 @@ int ct_sip_parse_request(const struct nf_conn *ct,
{
const char *start = dptr, *limit = dptr + datalen, *end;
unsigned int mlen;
- unsigned int p;
int shift = 0;
/* Skip method and following whitespace */
@@ -267,14 +359,8 @@ int ct_sip_parse_request(const struct nf_conn *ct,
if (!sip_parse_addr(ct, dptr, &end, addr, limit, true))
return -1;
- if (end < limit && *end == ':') {
- end++;
- p = simple_strtoul(end, (char **)&end, 10);
- if (p < 1024 || p > 65535)
- return -1;
- *port = htons(p);
- } else
- *port = htons(SIP_PORT);
+ if (!sip_parse_port(end, &end, limit, port))
+ return -1;
if (end == dptr)
return 0;
@@ -509,7 +595,6 @@ int ct_sip_parse_header_uri(const struct nf_conn *ct, const char *dptr,
union nf_inet_addr *addr, __be16 *port)
{
const char *c, *limit = dptr + datalen;
- unsigned int p;
int ret;
ret = ct_sip_walk_headers(ct, dptr, dataoff ? *dataoff : 0, datalen,
@@ -520,14 +605,8 @@ int ct_sip_parse_header_uri(const struct nf_conn *ct, const char *dptr,
if (!sip_parse_addr(ct, dptr + *matchoff, &c, addr, limit, true))
return -1;
- if (*c == ':') {
- c++;
- p = simple_strtoul(c, (char **)&c, 10);
- if (p < 1024 || p > 65535)
- return -1;
- *port = htons(p);
- } else
- *port = htons(SIP_PORT);
+ if (!sip_parse_port(c, &c, limit, port))
+ return -1;
if (dataoff)
*dataoff = c - dptr;
@@ -609,7 +688,7 @@ int ct_sip_parse_numerical_param(const struct nf_conn *ct, const char *dptr,
return 0;
start += strlen(name);
- *val = simple_strtoul(start, &end, 0);
+ *val = sip_strtouint(start, limit - start, (char **)&end);
if (start == end)
return -1;
if (matchoff && matchlen) {
@@ -1065,6 +1144,8 @@ static int process_sdp(struct sk_buff *skb, unsigned int protoff,
mediaoff = sdpoff;
for (i = 0; i < ARRAY_SIZE(sdp_media_types); ) {
+ char *end;
+
if (ct_sip_get_sdp_header(ct, *dptr, mediaoff, *datalen,
SDP_HDR_MEDIA, SDP_HDR_UNSPEC,
&mediaoff, &medialen) <= 0)
@@ -1080,8 +1161,8 @@ static int process_sdp(struct sk_buff *skb, unsigned int protoff,
mediaoff += t->len;
medialen -= t->len;
- port = simple_strtoul(*dptr + mediaoff, NULL, 10);
- if (port == 0)
+ port = sip_strtouint(*dptr + mediaoff, *datalen - mediaoff, (char **)&end);
+ if (port == 0 || *dptr + mediaoff == end)
continue;
if (port < 1024 || port > 65535) {
nf_ct_helper_log(skb, ct, "wrong port %u", port);
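Review bot: The length passed to sip_strtouint() here is "*datalen - mediaoff", the rest of the packet, although the context lines just above maintain medialen as the remaining length of the media line. Passing medialen would bound the parse to the m= line itself. The (char **) cast is also unnecessary, since end is declared as "char *" in the previous hunk, and "port == 0" already covers both the no-digits and the error return, which makes the "*dptr + mediaoff == end" test redundant.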
@@ -1255,7 +1336,7 @@ static int process_register_request(struct sk_buff *skb, unsigned int protoff,
*/
if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_EXPIRES,
&matchoff, &matchlen) > 0)
- expires = simple_strtoul(*dptr + matchoff, NULL, 10);
+ expires = sip_strtouint(*dptr + matchoff, *datalen - matchoff, NULL);
ret = ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen,
SIP_HDR_CONTACT, NULL,
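Review bot: With a NULL endp, "expires = sip_strtouint(...)" cannot distinguish a parse error from a header value of 0: an Expires value above UINT_MAX or longer than the digit cap now silently becomes 0. If that is the intended fallback, say so in a comment; otherwise pass an end pointer and keep the previous value of expires on failure. The same applies to the identical change in process_register_response().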
@@ -1359,7 +1440,7 @@ static int process_register_response(struct sk_buff *skb, unsigned int protoff,
if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_EXPIRES,
&matchoff, &matchlen) > 0)
- expires = simple_strtoul(*dptr + matchoff, NULL, 10);
+ expires = sip_strtouint(*dptr + matchoff, *datalen - matchoff, NULL);
while (1) {
unsigned int c_expires = expires;
@@ -1419,10 +1500,12 @@ static int process_sip_response(struct sk_buff *skb, unsigned int protoff,
struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
unsigned int matchoff, matchlen, matchend;
unsigned int code, cseq, i;
+ char *end;
if (*datalen < strlen("SIP/2.0 200"))
return NF_ACCEPT;
- code = simple_strtoul(*dptr + strlen("SIP/2.0 "), NULL, 10);
+ code = sip_strtouint(*dptr + strlen("SIP/2.0 "),
+ *datalen - strlen("SIP/2.0 "), NULL);
if (!code) {
nf_ct_helper_log(skb, ct, "cannot get code");
return NF_DROP;
@@ -1433,8 +1516,8 @@ static int process_sip_response(struct sk_buff *skb, unsigned int protoff,
nf_ct_helper_log(skb, ct, "cannot parse cseq");
return NF_DROP;
}
- cseq = simple_strtoul(*dptr + matchoff, NULL, 10);
- if (!cseq && *(*dptr + matchoff) != '0') {
+ cseq = sip_strtouint(*dptr + matchoff, *datalen - matchoff, (char **)&end);
+ if (*dptr + matchoff == end) {
nf_ct_helper_log(skb, ct, "cannot get cseq");
return NF_DROP;
}
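Review bot: On overflow sip_strtouint() resets *endp to the start of the input, so a CSeq above UINT_MAX or longer than the digit cap now takes the "cannot get cseq" path and returns NF_DROP, where the old test only rejected a zero result that did not start with '0'. That is stricter than the changelog's stated goal of letting traffic pass; please confirm it is intended and add it to the list of intentional changes. The (char **) cast can go, since end is a "char *" in this function.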
@@ -1483,6 +1566,7 @@ static int process_sip_request(struct sk_buff *skb, unsigned int protoff,
for (i = 0; i < ARRAY_SIZE(sip_handlers); i++) {
const struct sip_handler *handler;
+ char *end;
handler = &sip_handlers[i];
if (handler->request == NULL)
@@ -1499,8 +1583,8 @@ static int process_sip_request(struct sk_buff *skb, unsigned int protoff,
nf_ct_helper_log(skb, ct, "cannot parse cseq");
return NF_DROP;
}
- cseq = simple_strtoul(*dptr + matchoff, NULL, 10);
- if (!cseq && *(*dptr + matchoff) != '0') {
+ cseq = sip_strtouint(*dptr + matchoff, *datalen - matchoff, (char **)&end);
+ if (*dptr + matchoff == end) {
nf_ct_helper_log(skb, ct, "cannot get cseq");
return NF_DROP;
}
@@ -1576,7 +1660,7 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
&matchoff, &matchlen) <= 0)
break;
- clen = simple_strtoul(dptr + matchoff, (char **)&end, 10);
+ clen = sip_strtouint(dptr + matchoff, datalen - matchoff, (char **)&end);
if (dptr + matchoff == end)
break;
diff --git a/net/netfilter/nf_nat_sip.c b/net/netfilter/nf_nat_sip.c
index c845b6d1a2bdf..9fbfc6bff0c22 100644
--- a/net/netfilter/nf_nat_sip.c
+++ b/net/netfilter/nf_nat_sip.c
@@ -246,6 +246,7 @@ static unsigned int nf_nat_sip(struct sk_buff *skb, unsigned int protoff,
if (ct_sip_parse_numerical_param(ct, *dptr, matchend, *datalen,
"rport=", &poff, &plen,
&n) > 0 &&
+ n >= 1024 && n <= 65535 &&
htons(n) == ct->tuplehash[dir].tuple.dst.u.udp.port &&
htons(n) != ct->tuplehash[!dir].tuple.src.u.udp.port) {
__be16 p = ct->tuplehash[!dir].tuple.src.u.udp.port;
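Review bot: The new "n >= 1024 && n <= 65535" test sits ahead of the htons(n) comparisons, and the two bounds serve different purposes: the upper bound keeps a value that does not fit in 16 bits from being truncated by htons() before the compare, while the lower bound is a policy choice that also stops rport rewriting for ports below 1024. A short comment separating the two reasons would help the next reader.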
--
2.53.0
* [PATCH 6.1 741/969] drivers/spi-rockchip.c : Remove redundant variable slave
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Lizhe, Mark Brown, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lizhe <sensor1010@163.com>
[ Upstream commit 8c220e6c6da9c2f70a78ba8b3121893b3634a54c ]
Variable slave in spi_alloc_master() or spi_alloc_slave()
has been assigned. It is not necessary to assign it again.
Signed-off-by: Lizhe <sensor1010@163.com>
Link: https://lore.kernel.org/r/20230226063334.7489-1-sensor1010@163.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: b4683a239a40 ("spi: rockchip: Read ISR, not IMR, to detect cs-inactive IRQ")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-rockchip.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/spi/spi-rockchip.c b/drivers/spi/spi-rockchip.c
index b460a393a7fea..b3247fad5f7e2 100644
--- a/drivers/spi/spi-rockchip.c
+++ b/drivers/spi/spi-rockchip.c
@@ -772,7 +772,6 @@ static int rockchip_spi_probe(struct platform_device *pdev)
platform_set_drvdata(pdev, ctlr);
rs = spi_controller_get_devdata(ctlr);
- ctlr->slave = slave_mode;
/* Get basic io resource and map it */
mem = platform_get_resource(pdev, IORESOURCE_MEM, 0);
--
2.53.0
* [PATCH 6.1 742/969] spi: rockchip: switch to use modern name
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Heiko Stuebner,
Mark Brown, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 1a3ccff3bc39acc04e69e3a65833d474471598ec ]
Change legacy name master/slave to modern name host/target or controller.
No functional change.
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Acked-by: Heiko Stuebner <heiko@sntech.e>
Link: https://lore.kernel.org/r/20230818093154.1183529-14-yangyingliang@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: b4683a239a40 ("spi: rockchip: Read ISR, not IMR, to detect cs-inactive IRQ")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-rockchip.c | 58 +++++++++++++++++++-------------------
1 file changed, 29 insertions(+), 29 deletions(-)
diff --git a/drivers/spi/spi-rockchip.c b/drivers/spi/spi-rockchip.c
index b3247fad5f7e2..6383451b6612c 100644
--- a/drivers/spi/spi-rockchip.c
+++ b/drivers/spi/spi-rockchip.c
@@ -104,8 +104,8 @@
#define CR0_XFM_RO 0x2
#define CR0_OPM_OFFSET 20
-#define CR0_OPM_MASTER 0x0
-#define CR0_OPM_SLAVE 0x1
+#define CR0_OPM_HOST 0x0
+#define CR0_OPM_TARGET 0x1
#define CR0_SOI_OFFSET 23
@@ -125,7 +125,7 @@
#define SR_TF_EMPTY (1 << 2)
#define SR_RF_EMPTY (1 << 3)
#define SR_RF_FULL (1 << 4)
-#define SR_SLAVE_TX_BUSY (1 << 5)
+#define SR_TARGET_TX_BUSY (1 << 5)
/* Bit fields in ISR, IMR, ISR, RISR, 5bit */
#define INT_MASK 0x1f
@@ -151,7 +151,7 @@
#define RXDMA (1 << 0)
#define TXDMA (1 << 1)
-/* sclk_out: spi master internal logic in rk3x can support 50Mhz */
+/* sclk_out: spi host internal logic in rk3x can support 50Mhz */
#define MAX_SCLK_OUT 50000000U
/*
@@ -194,8 +194,8 @@ struct rockchip_spi {
bool cs_asserted[ROCKCHIP_SPI_MAX_CS_NUM];
- bool slave_abort;
- bool cs_inactive; /* spi slave tansmition stop when cs inactive */
+ bool target_abort;
+ bool cs_inactive; /* spi target tansmition stop when cs inactive */
bool cs_high_supported; /* native CS supports active-high polarity */
struct spi_transfer *xfer; /* Store xfer temporarily */
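Review bot: The rewritten comment on cs_inactive still carries the typo "tansmition"; since the line is being changed anyway, spell it "transmission" in the same patch.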
@@ -206,13 +206,13 @@ static inline void spi_enable_chip(struct rockchip_spi *rs, bool enable)
writel_relaxed((enable ? 1U : 0U), rs->regs + ROCKCHIP_SPI_SSIENR);
}
-static inline void wait_for_tx_idle(struct rockchip_spi *rs, bool slave_mode)
+static inline void wait_for_tx_idle(struct rockchip_spi *rs, bool target_mode)
{
unsigned long timeout = jiffies + msecs_to_jiffies(5);
do {
- if (slave_mode) {
- if (!(readl_relaxed(rs->regs + ROCKCHIP_SPI_SR) & SR_SLAVE_TX_BUSY) &&
+ if (target_mode) {
+ if (!(readl_relaxed(rs->regs + ROCKCHIP_SPI_SR) & SR_TARGET_TX_BUSY) &&
!((readl_relaxed(rs->regs + ROCKCHIP_SPI_SR) & SR_BUSY)))
return;
} else {
@@ -349,9 +349,9 @@ static irqreturn_t rockchip_spi_isr(int irq, void *dev_id)
struct spi_controller *ctlr = dev_id;
struct rockchip_spi *rs = spi_controller_get_devdata(ctlr);
- /* When int_cs_inactive comes, spi slave abort */
+ /* When int_cs_inactive comes, spi target abort */
if (rs->cs_inactive && readl_relaxed(rs->regs + ROCKCHIP_SPI_IMR) & INT_CS_INACTIVE) {
- ctlr->slave_abort(ctlr);
+ ctlr->target_abort(ctlr);
writel_relaxed(0, rs->regs + ROCKCHIP_SPI_IMR);
writel_relaxed(0xffffffff, rs->regs + ROCKCHIP_SPI_ICR);
@@ -403,7 +403,7 @@ static void rockchip_spi_dma_rxcb(void *data)
struct rockchip_spi *rs = spi_controller_get_devdata(ctlr);
int state = atomic_fetch_andnot(RXDMA, &rs->state);
- if (state & TXDMA && !rs->slave_abort)
+ if (state & TXDMA && !rs->target_abort)
return;
if (rs->cs_inactive)
@@ -419,11 +419,11 @@ static void rockchip_spi_dma_txcb(void *data)
struct rockchip_spi *rs = spi_controller_get_devdata(ctlr);
int state = atomic_fetch_andnot(TXDMA, &rs->state);
- if (state & RXDMA && !rs->slave_abort)
+ if (state & RXDMA && !rs->target_abort)
return;
/* Wait until the FIFO data completely. */
- wait_for_tx_idle(rs, ctlr->slave);
+ wait_for_tx_idle(rs, ctlr->target);
spi_enable_chip(rs, false);
spi_finalize_current_transfer(ctlr);
@@ -523,7 +523,7 @@ static int rockchip_spi_prepare_dma(struct rockchip_spi *rs,
static int rockchip_spi_config(struct rockchip_spi *rs,
struct spi_device *spi, struct spi_transfer *xfer,
- bool use_dma, bool slave_mode)
+ bool use_dma, bool target_mode)
{
u32 cr0 = CR0_FRF_SPI << CR0_FRF_OFFSET
| CR0_BHT_8BIT << CR0_BHT_OFFSET
@@ -532,9 +532,9 @@ static int rockchip_spi_config(struct rockchip_spi *rs,
u32 cr1;
u32 dmacr = 0;
- if (slave_mode)
- cr0 |= CR0_OPM_SLAVE << CR0_OPM_OFFSET;
- rs->slave_abort = false;
+ if (target_mode)
+ cr0 |= CR0_OPM_TARGET << CR0_OPM_OFFSET;
+ rs->target_abort = false;
cr0 |= rs->rsd << CR0_RSD_OFFSET;
cr0 |= (spi->mode & 0x3U) << CR0_SCPH_OFFSET;
@@ -612,7 +612,7 @@ static size_t rockchip_spi_max_transfer_size(struct spi_device *spi)
return ROCKCHIP_SPI_MAX_TRANLEN;
}
-static int rockchip_spi_slave_abort(struct spi_controller *ctlr)
+static int rockchip_spi_target_abort(struct spi_controller *ctlr)
{
struct rockchip_spi *rs = spi_controller_get_devdata(ctlr);
u32 rx_fifo_left;
@@ -657,7 +657,7 @@ static int rockchip_spi_slave_abort(struct spi_controller *ctlr)
dmaengine_terminate_sync(ctlr->dma_tx);
atomic_set(&rs->state, 0);
spi_enable_chip(rs, false);
- rs->slave_abort = true;
+ rs->target_abort = true;
spi_finalize_current_transfer(ctlr);
return 0;
@@ -695,7 +695,7 @@ static int rockchip_spi_transfer_one(
rs->xfer = xfer;
use_dma = ctlr->can_dma ? ctlr->can_dma(ctlr, spi, xfer) : false;
- ret = rockchip_spi_config(rs, spi, xfer, use_dma, ctlr->slave);
+ ret = rockchip_spi_config(rs, spi, xfer, use_dma, ctlr->target);
if (ret)
return ret;
@@ -755,15 +755,15 @@ static int rockchip_spi_probe(struct platform_device *pdev)
struct resource *mem;
struct device_node *np = pdev->dev.of_node;
u32 rsd_nsecs, num_cs;
- bool slave_mode;
+ bool target_mode;
- slave_mode = of_property_read_bool(np, "spi-slave");
+ target_mode = of_property_read_bool(np, "spi-slave");
- if (slave_mode)
- ctlr = spi_alloc_slave(&pdev->dev,
+ if (target_mode)
+ ctlr = spi_alloc_target(&pdev->dev,
sizeof(struct rockchip_spi));
else
- ctlr = spi_alloc_master(&pdev->dev,
+ ctlr = spi_alloc_host(&pdev->dev,
sizeof(struct rockchip_spi));
if (!ctlr)
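Review bot: target_mode = of_property_read_bool(np, "spi-slave") now pairs a renamed variable with the old property string. The string has to stay because it is the device-tree binding, but a one-line comment saying so would stop a later cleanup from renaming it. The next hunk likewise leaves SPI_MASTER_GPIO_SS in its context lines, so the rename described in the commit message is not complete for this file.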
@@ -853,9 +853,9 @@ static int rockchip_spi_probe(struct platform_device *pdev)
ctlr->auto_runtime_pm = true;
ctlr->bus_num = pdev->id;
ctlr->mode_bits = SPI_CPOL | SPI_CPHA | SPI_LOOP | SPI_LSB_FIRST;
- if (slave_mode) {
+ if (target_mode) {
ctlr->mode_bits |= SPI_NO_CS;
- ctlr->slave_abort = rockchip_spi_slave_abort;
+ ctlr->target_abort = rockchip_spi_target_abort;
} else {
ctlr->flags = SPI_MASTER_GPIO_SS;
ctlr->max_native_cs = ROCKCHIP_SPI_MAX_CS_NUM;
@@ -910,7 +910,7 @@ static int rockchip_spi_probe(struct platform_device *pdev)
case ROCKCHIP_SPI_VER2_TYPE2:
rs->cs_high_supported = true;
ctlr->mode_bits |= SPI_CS_HIGH;
- if (ctlr->can_dma && slave_mode)
+ if (ctlr->can_dma && target_mode)
rs->cs_inactive = true;
else
rs->cs_inactive = false;
--
2.53.0
* [PATCH 6.1 743/969] spi: rockchip: Read ISR, not IMR, to detect cs-inactive IRQ
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, John Madieu, Mark Brown, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: John Madieu <john.madieu@gmail.com>
[ Upstream commit b4683a239a409d65f88052f5630c748a8ba070cd ]
rockchip_spi_isr() decides whether the current interrupt was the
cs-inactive event by reading IMR:
if (rs->cs_inactive &&
readl_relaxed(rs->regs + ROCKCHIP_SPI_IMR) & INT_CS_INACTIVE)
ctlr->target_abort(ctlr);
IMR is the interrupt mask register: it tells which sources are enabled,
not which one fired. In the PIO path, rockchip_spi_prepare_irq() enables
both INT_RF_FULL and INT_CS_INACTIVE in IMR when rs->cs_inactive is true:
if (rs->cs_inactive)
writel_relaxed(INT_RF_FULL | INT_CS_INACTIVE,
rs->regs + ROCKCHIP_SPI_IMR);
so the IMR check is always true once cs_inactive is enabled, and every
PIO interrupt - including normal RF_FULL completions - is dispatched to
ctlr->target_abort(), aborting the transfer. The bug is reachable on
ROCKCHIP_SPI_VER2_TYPE2 in target mode with a DMA-capable controller
when the transfer is short enough to fall back to PIO
(rockchip_spi_can_dma() returns false below fifo_len).
Read ISR (which is RISR masked by IMR) so the check actually reflects
which interrupt fired, and parenthesise the expression for clarity while
at it.
Fixes: 869f2c94db92 ("spi: rockchip: Stop spi slave dma receiver when cs inactive")
Signed-off-by: John Madieu <john.madieu@gmail.com>
Link: https://patch.msgid.link/20260425092936.2590132-2-john.madieu@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-rockchip.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/spi/spi-rockchip.c b/drivers/spi/spi-rockchip.c
index 6383451b6612c..c38d515e4399e 100644
--- a/drivers/spi/spi-rockchip.c
+++ b/drivers/spi/spi-rockchip.c
@@ -350,7 +350,8 @@ static irqreturn_t rockchip_spi_isr(int irq, void *dev_id)
struct rockchip_spi *rs = spi_controller_get_devdata(ctlr);
/* When int_cs_inactive comes, spi target abort */
- if (rs->cs_inactive && readl_relaxed(rs->regs + ROCKCHIP_SPI_IMR) & INT_CS_INACTIVE) {
+ if (rs->cs_inactive &&
+ (readl_relaxed(rs->regs + ROCKCHIP_SPI_ISR) & INT_CS_INACTIVE)) {
ctlr->target_abort(ctlr);
writel_relaxed(0, rs->regs + ROCKCHIP_SPI_IMR);
writel_relaxed(0xffffffff, rs->regs + ROCKCHIP_SPI_ICR);
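Review bot: Because ISR is RISR masked by IMR, as the changelog says, the new check fires only while INT_CS_INACTIVE is unmasked. The changelog shows the PIO path enabling it in rockchip_spi_prepare_irq(); the DMA path is not shown, so please confirm it also unmasks INT_CS_INACTIVE, otherwise target_abort() is no longer reached there.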
--
2.53.0
* [PATCH 6.1 744/969] cdrom, scsi: sr: propagate read-only status to block layer via set_disk_ro()
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daan De Meyer, Phillip Potter,
Martin K. Petersen, Jens Axboe, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daan De Meyer <daan@amutable.com>
[ Upstream commit 0898a817621a2f0cddca8122d9b974003fe5036d ]
The cdrom core never calls set_disk_ro() for a registered device, so
BLKROGET on a CD-ROM device always returns 0 (writable), even when the
drive has no write capabilities and writes will inevitably fail. This
causes problems for userspace that relies on BLKROGET to determine
whether a block device is read-only. For example, systemd's loop device
setup uses BLKROGET to decide whether to create a loop device with
LO_FLAGS_READ_ONLY. Without the read-only flag, writes pass through the
loop device to the CD-ROM and fail with I/O errors. systemd-fsck
similarly checks BLKROGET to decide whether to run fsck in no-repair
mode (-n).
The write-capability bits in cdi->mask come from two different sources:
CDC_DVD_RAM and CDC_CD_RW are populated by the driver from the MODE
SENSE capabilities page (page 0x2A) before register_cdrom() is called,
while CDC_MRW_W and CDC_RAM require the MMC GET CONFIGURATION command
and were only probed by cdrom_open_write() at device open time. This
meant that any attempt to compute the writable state from the full
mask at probe time was incorrect, because the GET CONFIGURATION bits
were still unset (and cdi->mask is initialized such that capabilities
are assumed present).
Fix this by factoring the GET CONFIGURATION probing out of
cdrom_open_write() into a new exported helper,
cdrom_probe_write_features(), and having sr call it from sr_probe()
right after get_capabilities() has populated the MODE SENSE bits.
register_cdrom() then calls set_disk_ro() based on the full
write-capability mask (CDC_DVD_RAM | CDC_MRW_W | CDC_RAM | CDC_CD_RW)
so the block layer reflects the drive's actual write support. The
feature queries used (CDF_MRW and CDF_RWRT via GET CONFIGURATION with
RT=00) report drive-level capabilities that are persistent across
media, so a single probe before register_cdrom() is sufficient and the
redundant probe at open time is dropped.
With set_disk_ro() now accurate, the long-vestigial cd->writeable flag
in sr can go: get_capabilities() used to set cd->writeable based on
the same four mask bits, but because CDC_MRW_W and CDC_RAM default to
"capability present" in cdi->mask and aren't touched by MODE SENSE,
the condition that gated cd->writeable was always true, making it
unconditionally 1. Replace the corresponding gate in sr_init_command()
with get_disk_ro(cd->disk), which turns a previously no-op check into
a real one and also catches kernel-internal bio writers that bypass
blkdev_write_iter()'s bdev_read_only() check.
The sd driver (SCSI disks) does not have this problem because it
checks the MODE SENSE Write Protect bit and calls set_disk_ro()
accordingly. The sr driver cannot use the same approach because the
MMC specification does not define the WP bit in the MODE SENSE
device-specific parameter byte for CD-ROM devices.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Daan De Meyer <daan@amutable.com>
Reviewed-by: Phillip Potter <phil@philpotter.co.uk>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Phillip Potter <phil@philpotter.co.uk>
Link: https://patch.msgid.link/20260427210139.1400-2-phil@philpotter.co.uk
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cdrom/cdrom.c | 73 ++++++++++++++++++++++++++++---------------
drivers/scsi/sr.c | 11 ++-----
drivers/scsi/sr.h | 1 -
include/linux/cdrom.h | 1 +
4 files changed, 51 insertions(+), 35 deletions(-)
diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
index 8e3eeb96db63e..bba9eb8e2ca90 100644
--- a/drivers/cdrom/cdrom.c
+++ b/drivers/cdrom/cdrom.c
@@ -633,6 +633,16 @@ int register_cdrom(struct gendisk *disk, struct cdrom_device_info *cdi)
WARN_ON(!cdo->generic_packet);
+ /*
+ * Propagate the drive's write support to the block layer so BLKROGET
+ * reflects actual write capability. Drivers that use GET CONFIGURATION
+ * features (CDC_MRW_W, CDC_RAM) must have called
+ * cdrom_probe_write_features() before register_cdrom() so the mask is
+ * complete here.
+ */
+ set_disk_ro(disk, !CDROM_CAN(CDC_DVD_RAM | CDC_MRW_W | CDC_RAM |
+ CDC_CD_RW));
+
cd_dbg(CD_REG_UNREG, "drive \"/dev/%s\" registered\n", cdi->name);
mutex_lock(&cdrom_mutex);
list_add(&cdi->list, &cdrom_list);
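Review bot: set_disk_ro() is called unconditionally in register_cdrom(), so for a driver that has not called cdrom_probe_write_features() the CDC_MRW_W and CDC_RAM bits are still at their "capability present" default and the disk is always marked writable, which also clears any read-only state the driver set before registering. The comment states the ordering requirement but nothing enforces it; consider only calling set_disk_ro(disk, true) when no write capability is found, or list the in-tree drivers besides sr that are affected.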
@@ -747,6 +757,44 @@ static int cdrom_is_random_writable(struct cdrom_device_info *cdi, int *write)
return 0;
}
+/*
+ * Probe write-related MMC features via GET CONFIGURATION and update
+ * cdi->mask accordingly. Drivers that populate cdi->mask from the MODE SENSE
+ * capabilities page (e.g. sr) should call this after those MODE SENSE bits
+ * have been set but before register_cdrom(), so that the full set of
+ * write-capability bits is known by the time register_cdrom() decides on the
+ * initial read-only state of the disk.
+ */
+void cdrom_probe_write_features(struct cdrom_device_info *cdi)
+{
+ int mrw, mrw_write, ram_write;
+
+ mrw = 0;
+ if (!cdrom_is_mrw(cdi, &mrw_write))
+ mrw = 1;
+
+ if (CDROM_CAN(CDC_MO_DRIVE))
+ ram_write = 1;
+ else
+ (void) cdrom_is_random_writable(cdi, &ram_write);
+
+ if (mrw)
+ cdi->mask &= ~CDC_MRW;
+ else
+ cdi->mask |= CDC_MRW;
+
+ if (mrw_write)
+ cdi->mask &= ~CDC_MRW_W;
+ else
+ cdi->mask |= CDC_MRW_W;
+
+ if (ram_write)
+ cdi->mask &= ~CDC_RAM;
+ else
+ cdi->mask |= CDC_RAM;
+}
+EXPORT_SYMBOL(cdrom_probe_write_features);
+
static int cdrom_media_erasable(struct cdrom_device_info *cdi)
{
disc_information di;
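Review bot: in cdrom_probe_write_features(), mrw_write and ram_write are declared without initialisers and then tested unconditionally; mrw_write is consumed even when cdrom_is_mrw() reports failure, and the return value of cdrom_is_random_writable() is discarded with a (void) cast. This is inherited from cdrom_open_write(), but the code is now an exported entry point and should not rely on both callees storing to *write on every path. Initialise the locals to 0 so that a failed GET CONFIGURATION can only mark the feature absent, which leaves the disk read-only.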
@@ -899,33 +947,8 @@ static int cdrom_is_dvd_rw(struct cdrom_device_info *cdi)
*/
static int cdrom_open_write(struct cdrom_device_info *cdi)
{
- int mrw, mrw_write, ram_write;
int ret = 1;
- mrw = 0;
- if (!cdrom_is_mrw(cdi, &mrw_write))
- mrw = 1;
-
- if (CDROM_CAN(CDC_MO_DRIVE))
- ram_write = 1;
- else
- (void) cdrom_is_random_writable(cdi, &ram_write);
-
- if (mrw)
- cdi->mask &= ~CDC_MRW;
- else
- cdi->mask |= CDC_MRW;
-
- if (mrw_write)
- cdi->mask &= ~CDC_MRW_W;
- else
- cdi->mask |= CDC_MRW_W;
-
- if (ram_write)
- cdi->mask &= ~CDC_RAM;
- else
- cdi->mask |= CDC_RAM;
-
if (CDROM_CAN(CDC_MRW_W))
ret = cdrom_mrw_open_write(cdi);
else if (CDROM_CAN(CDC_DVD_RAM))
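Review bot: with the probe block removed from cdrom_open_write(), the CDC_MRW, CDC_MRW_W and CDC_RAM mask bits tested just below are no longer refreshed on each open for write; they hold whatever cdrom_probe_write_features() found when the driver probed. If any of those GET CONFIGURATION answers can change with the loaded medium, both this branch selection and the read-only flag set in register_cdrom() go stale after a disc change. Please state in the changelog that these features are drive-level, or re-run the probe and set_disk_ro() on media change.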
diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c
index a278b739d0c5f..dc9c49dd1d0fd 100644
--- a/drivers/scsi/sr.c
+++ b/drivers/scsi/sr.c
@@ -392,7 +392,7 @@ static blk_status_t sr_init_command(struct scsi_cmnd *SCpnt)
switch (req_op(rq)) {
case REQ_OP_WRITE:
- if (!cd->writeable)
+ if (get_disk_ro(cd->disk))
goto out;
SCpnt->cmnd[0] = WRITE_10;
cd->cdi.media_written = 1;
@@ -672,6 +672,7 @@ static int sr_probe(struct device *dev)
error = -ENOMEM;
if (get_capabilities(cd))
goto fail_minor;
+ cdrom_probe_write_features(&cd->cdi);
sr_vendor_init(cd);
set_capacity(disk, cd->capacity);
@@ -890,14 +891,6 @@ static int get_capabilities(struct scsi_cd *cd)
/*else I don't think it can close its tray
cd->cdi.mask |= CDC_CLOSE_TRAY; */
- /*
- * if DVD-RAM, MRW-W or CD-RW, we are randomly writable
- */
- if ((cd->cdi.mask & (CDC_DVD_RAM | CDC_MRW_W | CDC_RAM | CDC_CD_RW)) !=
- (CDC_DVD_RAM | CDC_MRW_W | CDC_RAM | CDC_CD_RW)) {
- cd->writeable = 1;
- }
-
kfree(buffer);
return 0;
}
diff --git a/drivers/scsi/sr.h b/drivers/scsi/sr.h
index 1175f2e213b56..9809dac8b57d5 100644
--- a/drivers/scsi/sr.h
+++ b/drivers/scsi/sr.h
@@ -35,7 +35,6 @@ typedef struct scsi_cd {
struct scsi_device *device;
unsigned int vendor; /* vendor code, see sr_vendor.c */
unsigned long ms_offset; /* for reading multisession-CD's */
- unsigned writeable : 1;
unsigned use:1; /* is this device still supportable */
unsigned xa_flag:1; /* CD has XA sectors ? */
unsigned readcd_known:1; /* drive supports READ_CD (0xbe) */
diff --git a/include/linux/cdrom.h b/include/linux/cdrom.h
index 67caa909e3e61..24a344b15bed1 100644
--- a/include/linux/cdrom.h
+++ b/include/linux/cdrom.h
@@ -109,6 +109,7 @@ extern int cdrom_ioctl(struct cdrom_device_info *cdi, struct block_device *bdev,
extern unsigned int cdrom_check_events(struct cdrom_device_info *cdi,
unsigned int clearing);
+extern void cdrom_probe_write_features(struct cdrom_device_info *cdi);
extern int register_cdrom(struct gendisk *disk, struct cdrom_device_info *cdi);
extern void unregister_cdrom(struct cdrom_device_info *cdi);
--
2.53.0
* [PATCH 6.1 745/969] netdevsim: zero initialize struct iphdr in dummy sk_buff
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nikola Z. Ivanov, Eric Dumazet,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikola Z. Ivanov <zlatistiv@gmail.com>
[ Upstream commit 35eaa6d8d6c2ee65e96f507add856e0eacf24591 ]
Syzbot reports a KMSAN uninit-value originating from
nsim_dev_trap_skb_build, with the allocation also
being performed in the same function.
Fix this by calling skb_put_zero instead of skb_put to
guarantee zero initialization of the whole IP header.
Closes: https://syzkaller.appspot.com/bug?extid=23d7fcd204e3837866ff
Fixes: da58f90f11f5 ("netdevsim: Add devlink-trap support")
Signed-off-by: Nikola Z. Ivanov <zlatistiv@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260426201434.742030-1-zlatistiv@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/netdevsim/dev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/netdevsim/dev.c b/drivers/net/netdevsim/dev.c
index 971796b30605a..97ace81b0b4dc 100644
--- a/drivers/net/netdevsim/dev.c
+++ b/drivers/net/netdevsim/dev.c
@@ -758,7 +758,7 @@ static struct sk_buff *nsim_dev_trap_skb_build(void)
skb->protocol = htons(ETH_P_IP);
skb_set_network_header(skb, skb->len);
- iph = skb_put(skb, sizeof(struct iphdr));
+ iph = skb_put_zero(skb, sizeof(struct iphdr));
iph->protocol = IPPROTO_UDP;
iph->saddr = in_aton("192.0.2.1");
iph->daddr = in_aton("198.51.100.1");
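Review bot: skb_put_zero() here zeroes only the sizeof(struct iphdr) bytes appended at this call, and the three assignments that follow fill protocol, saddr and daddr. Any later skb_put() in nsim_dev_trap_skb_build() for the UDP header or payload lies outside this hunk and should be checked for the same fully initialised guarantee, since KMSAN reports any byte of the skb that is read before being written.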
--
2.53.0
* [PATCH 6.1 746/969] net/sched: netem: fix probability gaps in 4-state loss model
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephen Hemminger, Simon Horman,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephen Hemminger <stephen@networkplumber.org>
[ Upstream commit 732b463449fd0ef90acd13cda68eab1c91adb00c ]
The 4-state Markov chain in loss_4state() has gaps at the boundaries
between transition probability ranges. The comparisons use:
if (rnd < a4)
else if (a4 < rnd && rnd < a1 + a4)
When rnd equals a boundary value exactly, neither branch matches and
no state transition occurs. The redundant lower-bound check (a4 < rnd)
is already implied by being in the else branch.
Remove the unnecessary lower-bound comparisons so the ranges are
contiguous and every random value produces a transition, matching
the GI (General and Intuitive) loss model specification.
This bug goes back to the original implementation of this model.
Fixes: 661b79725fea ("netem: revised correlated loss generator")
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260418032027.900913-2-stephen@networkplumber.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_netem.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index 2613353defde7..ab7074c357210 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -219,10 +219,10 @@ static bool loss_4state(struct netem_sched_data *q)
if (rnd < clg->a4) {
clg->state = LOST_IN_GAP_PERIOD;
return true;
- } else if (clg->a4 < rnd && rnd < clg->a1 + clg->a4) {
+ } else if (rnd < clg->a1 + clg->a4) {
clg->state = LOST_IN_BURST_PERIOD;
return true;
- } else if (clg->a1 + clg->a4 < rnd) {
+ } else {
clg->state = TX_IN_GAP_PERIOD;
}
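Review bot: the second branch now reads rnd < clg->a1 + clg->a4, so a draw equal to a4 lands in LOST_IN_BURST_PERIOD and anything at or above the sum falls through to the else. That makes the ranges contiguous as intended, but the sum is computed in the fields' own type with no visible guard; if a1 + a4 can exceed that type's maximum, the wrapped sum shrinks the burst range without any error. Confirm that the configuration path rejects such values, or compute the bound in a wider type.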
@@ -239,9 +239,9 @@ static bool loss_4state(struct netem_sched_data *q)
case LOST_IN_BURST_PERIOD:
if (rnd < clg->a3)
clg->state = TX_IN_BURST_PERIOD;
- else if (clg->a3 < rnd && rnd < clg->a2 + clg->a3) {
+ else if (rnd < clg->a2 + clg->a3) {
clg->state = TX_IN_GAP_PERIOD;
- } else if (clg->a2 + clg->a3 < rnd) {
+ } else {
clg->state = LOST_IN_BURST_PERIOD;
return true;
}
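Review bot: style point in the LOST_IN_BURST_PERIOD case: the first arm, if (rnd < clg->a3), has no braces while the else if and else arms that follow do. Kernel coding style asks for braces on every arm once any arm needs them. If the backport must stay byte-identical to the upstream commit this can be left alone, but it is worth a follow-up upstream.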
--
2.53.0
* [PATCH 6.1 747/969] net/sched: netem: fix queue limit check to include reordered packets
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephen Hemminger, Simon Horman,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephen Hemminger <stephen@networkplumber.org>
[ Upstream commit 4185701fcce6b426b6c3630b25330dddd9c47b0d ]
The queue limit check in netem_enqueue() uses q->t_len which only
counts packets in the internal tfifo. Packets placed in sch->q by
the reorder path (__qdisc_enqueue_head) are not counted, allowing
the total queue occupancy to exceed sch->limit under reordering.
Include sch->q.qlen in the limit check.
Fixes: f8d4bc455047 ("net/sched: netem: account for backlog updates from child qdisc")
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260418032027.900913-3-stephen@networkplumber.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_netem.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index ab7074c357210..288df378321d9 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -512,7 +512,7 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch,
1<<prandom_u32_max(8);
}
- if (unlikely(q->t_len >= sch->limit)) {
+ if (unlikely(sch->q.qlen >= sch->limit)) {
/* re-link segs, so that qdisc_drop_all() frees them all */
skb->next = segs;
qdisc_drop_all(skb, sch, to_free);
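Review bot: the changelog says to include sch->q.qlen in the limit check, but the new condition replaces q->t_len with sch->q.qlen rather than combining the two. That is correct only if sch->q.qlen in this 6.1 tree already counts packets held in the tfifo as well as those queued by the reorder path; if tfifo packets are tracked in q->t_len alone, the check now ignores them and the limit can be exceeded from the other side. Please confirm that the accounting in this branch matches upstream before the backport is applied.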
--
2.53.0
* [PATCH 6.1 748/969] net/sched: netem: validate slot configuration
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephen Hemminger, Simon Horman,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephen Hemminger <stephen@networkplumber.org>
[ Upstream commit 01801c359a74737b9b1aa28568b60374d857241a ]
Reject slot configurations that have no defensible meaning:
- negative min_delay or max_delay
- min_delay greater than max_delay
- negative dist_delay or dist_jitter
- negative max_packets or max_bytes
Negative or out-of-order delays underflow in get_slot_next(),
producing garbage intervals. Negative limits trip the per-slot
accounting (packets_left/bytes_left <= 0) on the first packet of
every slot, defeating the rate-limiting half of the slot feature.
Note that dist_jitter has been silently coerced to its absolute
value by get_slot() since the feature was introduced; rejecting
negatives here converts that silent coercion into -EINVAL. The
abs() can be removed in a follow-up.
Fixes: 836af83b54e3 ("netem: support delivering packets in delayed time slots")
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260418032027.900913-5-stephen@networkplumber.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_netem.c | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index 288df378321d9..adb2bab79c87c 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -815,6 +815,29 @@ static int get_dist_table(struct disttable **tbl, const struct nlattr *attr)
return 0;
}
+static int validate_slot(const struct nlattr *attr, struct netlink_ext_ack *extack)
+{
+ const struct tc_netem_slot *c = nla_data(attr);
+
+ if (c->min_delay < 0 || c->max_delay < 0) {
+ NL_SET_ERR_MSG_ATTR(extack, attr, "negative slot delay");
+ return -EINVAL;
+ }
+ if (c->min_delay > c->max_delay) {
+ NL_SET_ERR_MSG_ATTR(extack, attr, "slot min delay greater than max delay");
+ return -EINVAL;
+ }
+ if (c->dist_delay < 0 || c->dist_jitter < 0) {
+ NL_SET_ERR_MSG_ATTR(extack, attr, "negative dist delay");
+ return -EINVAL;
+ }
+ if (c->max_packets < 0 || c->max_bytes < 0) {
+ NL_SET_ERR_MSG_ATTR(extack, attr, "negative slot limit");
+ return -EINVAL;
+ }
+ return 0;
+}
+
static void get_slot(struct netem_sched_data *q, const struct nlattr *attr)
{
const struct tc_netem_slot *c = nla_data(attr);
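Review bot: in validate_slot() the third check tests both c->dist_delay and c->dist_jitter but always reports "negative dist delay", so a user who passes a negative jitter gets an extack message naming the wrong field. Split the test or reword the message to cover both. Separately, nla_data(attr) is treated as a struct tc_netem_slot with no length check in this function, which is fine only if the netlink policy for TCA_NETEM_SLOT already enforces the size; a one-line comment saying so would help.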
@@ -1027,6 +1050,12 @@ static int netem_change(struct Qdisc *sch, struct nlattr *opt,
goto table_free;
}
+ if (tb[TCA_NETEM_SLOT]) {
+ ret = validate_slot(tb[TCA_NETEM_SLOT], extack);
+ if (ret)
+ goto table_free;
+ }
+
sch_tree_lock(sch);
/* backup q->clg and q->loss_model */
old_clg = q->clg;
--
2.53.0
* [PATCH 6.1 749/969] net/sched: netem: fix slot delay calculation overflow
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephen Hemminger, Simon Horman,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephen Hemminger <stephen@networkplumber.org>
[ Upstream commit 51e94e1e2fef351c74d69eb53666df808d26af95 ]
get_slot_next() computes a random delay between min_delay and
max_delay using:
get_random_u32() * (max_delay - min_delay) >> 32
This overflows signed 64-bit arithmetic when the delay range exceeds
approximately 2.1 seconds (2^31 nanoseconds), producing a negative
result that effectively disables slot-based pacing. This is a
realistic configuration for WAN emulation (e.g., slot 1s 5s).
Use mul_u64_u32_shr() which handles the widening multiply without
overflow.
Fixes: 0a9fe5c375b5 ("netem: slotting with non-uniform distribution")
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260418032027.900913-6-stephen@networkplumber.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_netem.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index adb2bab79c87c..2c47bd8dba647 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -647,9 +647,8 @@ static void get_slot_next(struct netem_sched_data *q, u64 now)
if (!q->slot_dist)
next_delay = q->slot_config.min_delay +
- (get_random_u32() *
- (q->slot_config.max_delay -
- q->slot_config.min_delay) >> 32);
+ mul_u64_u32_shr(q->slot_config.max_delay - q->slot_config.min_delay,
+ get_random_u32(), 32);
else
next_delay = tabledist(q->slot_config.dist_delay,
(s32)(q->slot_config.dist_jitter),
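Review bot: the first argument, q->slot_config.max_delay - q->slot_config.min_delay, is converted to u64 by mul_u64_u32_shr(), so a min_delay larger than max_delay would become a huge unsigned range instead of a negative one. The fix is therefore safe only together with the validate_slot() patch earlier in this series (748/969), which rejects that ordering; note the dependency so the two are not backported separately. The added line also runs well past 80 columns; breaking after the minus sign would match the surrounding code.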
--
2.53.0
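The overflow described in the commit message above, as an added user-space example that is not part of the patch or of the kernel source. It assumes the slot delays are signed 64-bit nanosecond values, as the commit message states; slot_next_old(), slot_next_fixed() and mul_u64_u32_shr_demo() are hypothetical names, the last being a stand-in for the kernel helper.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Pre-fix expression: rnd * (max - min) >> 32, evaluated in signed 64-bit.
 * The kernel is built so that signed overflow wraps; the wrap is emulated
 * here with an unsigned multiply to stay clear of C undefined behaviour.
 */
static int64_t slot_next_old(int64_t min_delay, int64_t max_delay, uint32_t rnd)
{
    uint64_t wrapped = (uint64_t)rnd * (uint64_t)(max_delay - min_delay);
    int64_t prod = (int64_t)wrapped;   /* two's-complement reinterpretation */

    return min_delay + (prod >> 32);   /* arithmetic shift on gcc and clang */
}

/*
 * Stand-in for the kernel's mul_u64_u32_shr(a, mul, shift): (a * mul) >> shift
 * with the product held in more than 64 bits. Valid for shift <= 32, which is
 * all this example needs.
 */
static uint64_t mul_u64_u32_shr_demo(uint64_t a, uint32_t mul, unsigned int shift)
{
    uint64_t lo = (a & 0xffffffffULL) * mul;  /* low 32 bits of a times mul */
    uint64_t hi = (a >> 32) * mul;            /* high 32 bits of a times mul */

    return (lo >> shift) + (hi << (32 - shift));
}

/* Post-fix expression: widening multiply, then shift. */
static int64_t slot_next_fixed(int64_t min_delay, int64_t max_delay, uint32_t rnd)
{
    uint64_t range = (uint64_t)(max_delay - min_delay);

    return min_delay + (int64_t)mul_u64_u32_shr_demo(range, rnd, 32);
}

int main(void)
{
    /* Constructed sample configurations, in nanoseconds. */
    static const struct {
        const char *name;
        int64_t min_delay, max_delay;
        uint32_t rnd;
    } cases[] = {
        { "slot 1s 2s,  rnd=2^31",   1000000000LL,  2000000000LL, 0x80000000u },
        { "slot 1s 5s,  rnd=2^32-1", 1000000000LL,  5000000000LL, 0xffffffffu },
        { "slot 1s 10s, rnd=2^31",   1000000000LL, 10000000000LL, 0x80000000u },
    };
    size_t i;

    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        long long old = slot_next_old(cases[i].min_delay, cases[i].max_delay,
                                      cases[i].rnd);
        long long fix = slot_next_fixed(cases[i].min_delay, cases[i].max_delay,
                                        cases[i].rnd);

        printf("%-26s old=%lld ns fixed=%lld ns%s\n", cases[i].name, old, fix,
               old == fix ? "" : "  <-- old result is wrong");
    }
    return 0;
}
```

With the largest random value, the old expression starts to go wrong as soon as the range exceeds 2^31 ns; for smaller ranges both functions agree.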
* [PATCH 6.1 750/969] net/sched: sch_choke: annotate data-races in choke_dump_stats()
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jamal Hadi Salim,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit d3aeb889dcbd78e95f500d383799a23d949796e0 ]
choke_dump_stats() only runs with RTNL held.
It reads fields that can be changed in qdisc fast path.
Add READ_ONCE()/WRITE_ONCE() annotations.
Fixes: edb09eb17ed8 ("net: sched: do not acquire qdisc spinlock in qdisc/class stats dump")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260423062839.2524324-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_choke.c | 26 ++++++++++++++++----------
1 file changed, 16 insertions(+), 10 deletions(-)
diff --git a/net/sched/sch_choke.c b/net/sched/sch_choke.c
index e38cf34287018..7283f96dead62 100644
--- a/net/sched/sch_choke.c
+++ b/net/sched/sch_choke.c
@@ -229,7 +229,7 @@ static int choke_enqueue(struct sk_buff *skb, struct Qdisc *sch,
/* Draw a packet at random from queue and compare flow */
if (choke_match_random(q, skb, &idx)) {
- q->stats.matched++;
+ WRITE_ONCE(q->stats.matched, q->stats.matched + 1);
choke_drop_by_idx(sch, idx, to_free);
goto congestion_drop;
}
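Review bot: WRITE_ONCE(q->stats.matched, q->stats.matched + 1) is still a plain read followed by a marked store, so it prevents store tearing for the lockless reader but is not an atomic increment. That is correct only if choke_enqueue() is the sole writer of these counters and runs serialised. A short comment to that effect at this first converted counter would stop a later reader from assuming the updates are safe against concurrent writers.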
@@ -241,11 +241,13 @@ static int choke_enqueue(struct sk_buff *skb, struct Qdisc *sch,
qdisc_qstats_overlimit(sch);
if (use_harddrop(q) || !use_ecn(q) ||
!INET_ECN_set_ce(skb)) {
- q->stats.forced_drop++;
+ WRITE_ONCE(q->stats.forced_drop,
+ q->stats.forced_drop + 1);
goto congestion_drop;
}
- q->stats.forced_mark++;
+ WRITE_ONCE(q->stats.forced_mark,
+ q->stats.forced_mark + 1);
} else if (++q->vars.qcount) {
if (red_mark_probability(p, &q->vars, q->vars.qavg)) {
q->vars.qcount = 0;
@@ -253,11 +255,13 @@ static int choke_enqueue(struct sk_buff *skb, struct Qdisc *sch,
qdisc_qstats_overlimit(sch);
if (!use_ecn(q) || !INET_ECN_set_ce(skb)) {
- q->stats.prob_drop++;
+ WRITE_ONCE(q->stats.prob_drop,
+ q->stats.prob_drop + 1);
goto congestion_drop;
}
- q->stats.prob_mark++;
+ WRITE_ONCE(q->stats.prob_mark,
+ q->stats.prob_mark + 1);
}
} else
q->vars.qR = red_random(p);
@@ -272,7 +276,7 @@ static int choke_enqueue(struct sk_buff *skb, struct Qdisc *sch,
return NET_XMIT_SUCCESS;
}
- q->stats.pdrop++;
+ WRITE_ONCE(q->stats.pdrop, q->stats.pdrop + 1);
return qdisc_drop(skb, sch, to_free);
congestion_drop:
@@ -460,10 +464,12 @@ static int choke_dump_stats(struct Qdisc *sch, struct gnet_dump *d)
{
struct choke_sched_data *q = qdisc_priv(sch);
struct tc_choke_xstats st = {
- .early = q->stats.prob_drop + q->stats.forced_drop,
- .marked = q->stats.prob_mark + q->stats.forced_mark,
- .pdrop = q->stats.pdrop,
- .matched = q->stats.matched,
+ .early = READ_ONCE(q->stats.prob_drop) +
+ READ_ONCE(q->stats.forced_drop),
+ .marked = READ_ONCE(q->stats.prob_mark) +
+ READ_ONCE(q->stats.forced_mark),
+ .pdrop = READ_ONCE(q->stats.pdrop),
+ .matched = READ_ONCE(q->stats.matched),
};
return gnet_stats_copy_app(d, &st, sizeof(st));
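Review bot: in choke_dump_stats() the .early and .marked totals are each built from two separate READ_ONCE() loads, so with enqueue running concurrently the sum is not a snapshot of one instant. For statistics that is acceptable, but the changelog should say that the annotations address load and store tearing, not consistency between counters.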
--
2.53.0
* [PATCH 6.1 751/969] net/sched: sch_fq_pie: annotate data-races in fq_pie_dump_stats()
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jamal Hadi Salim,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 59b145771c7982cfe9020d4e9e22da92d6b5ae31 ]
fq_codel_dump_stats() acquires the qdisc spinlock a bit too late.
Move this acquisition before we fill tc_fq_pie_xstats with live data.
An alternative would be to add READ_ONCE() and WRITE_ONCE() annotations,
but the spinlock is needed anyway to scan q->new_flows and q->old_flows.
Fixes: ec97ecf1ebe4 ("net: sched: add Flow Queue PIE packet scheduler")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260423063527.2568262-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_fq_pie.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/net/sched/sch_fq_pie.c b/net/sched/sch_fq_pie.c
index 607c580d75e4b..4bd5ca9acc53f 100644
--- a/net/sched/sch_fq_pie.c
+++ b/net/sched/sch_fq_pie.c
@@ -498,18 +498,19 @@ static int fq_pie_dump(struct Qdisc *sch, struct sk_buff *skb)
static int fq_pie_dump_stats(struct Qdisc *sch, struct gnet_dump *d)
{
struct fq_pie_sched_data *q = qdisc_priv(sch);
- struct tc_fq_pie_xstats st = {
- .packets_in = q->stats.packets_in,
- .overlimit = q->stats.overlimit,
- .overmemory = q->overmemory,
- .dropped = q->stats.dropped,
- .ecn_mark = q->stats.ecn_mark,
- .new_flow_count = q->new_flow_count,
- .memory_usage = q->memory_usage,
- };
+ struct tc_fq_pie_xstats st = { 0 };
struct list_head *pos;
sch_tree_lock(sch);
+
+ st.packets_in = q->stats.packets_in;
+ st.overlimit = q->stats.overlimit;
+ st.overmemory = q->overmemory;
+ st.dropped = q->stats.dropped;
+ st.ecn_mark = q->stats.ecn_mark;
+ st.new_flow_count = q->new_flow_count;
+ st.memory_usage = q->memory_usage;
+
list_for_each(pos, &q->new_flows)
st.new_flows_len++;
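Review bot: the subject line says "annotate data-races" and the changelog names fq_codel_dump_stats(), yet this hunk changes fq_pie_dump_stats() and adds no READ_ONCE() or WRITE_ONCE(); it moves the seven field copies below sch_tree_lock(). The code matches the second paragraph of the changelog, so only the description is off, but anyone searching the stable log for the fq_codel function will be misled. Since st is now zero-initialised with { 0 } before the lock is taken, the counters incremented in the list walks below still start from zero as before.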
--
2.53.0
* [PATCH 6.1 752/969] vrf: Fix a potential NPD when removing a port from a VRF
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haoze Xie, Yifan Wu, Juefei Pu,
Yuan Tan, Ido Schimmel, David Ahern, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ido Schimmel <idosch@nvidia.com>
[ Upstream commit 2674d603a9e6970463b2b9ebcf8e31e90beae169 ]
RCU readers that identified a net device as a VRF port using
netif_is_l3_slave() assume that a subsequent call to
netdev_master_upper_dev_get_rcu() will return a VRF device. They then
continue to dereference its l3mdev operations.
This assumption is not always correct and can result in a NPD [1]. There
is no RCU synchronization when removing a port from a VRF, so it is
possible for an RCU reader to see a new master device (e.g., a bridge)
that does not have l3mdev operations.
Fix by adding RCU synchronization after clearing the IFF_L3MDEV_SLAVE
flag. Skip this synchronization when a net device is removed from a VRF
as part of its deletion and when the VRF device itself is deleted. In
the latter case an RCU grace period will pass by the time RTNL is
released.
[1]
BUG: kernel NULL pointer dereference, address: 0000000000000000
[...]
RIP: 0010:l3mdev_fib_table_rcu (net/l3mdev/l3mdev.c:181)
[...]
Call Trace:
<TASK>
l3mdev_fib_table_by_index (net/l3mdev/l3mdev.c:201 net/l3mdev/l3mdev.c:189)
__inet_bind (net/ipv4/af_inet.c:499 (discriminator 3))
inet_bind_sk (net/ipv4/af_inet.c:469)
__sys_bind (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:1951 (discriminator 1))
__x64_sys_bind (net/socket.c:1969 (discriminator 1) net/socket.c:1967 (discriminator 1) net/socket.c:1967 (discriminator 1))
do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
Fixes: fdeea7be88b1 ("net: vrf: Set slave's private flag before linking")
Reported-by: Haoze Xie <royenheart@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Yuan Tan <yuantan098@gmail.com>
Closes: https://lore.kernel.org/netdev/20260419145332.3988923-1-n05ec@lzu.edu.cn/
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20260423063607.1208202-1-idosch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/vrf.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c
index 75e95f6dd816c..51b34882827e9 100644
--- a/drivers/net/vrf.c
+++ b/drivers/net/vrf.c
@@ -1126,6 +1126,7 @@ static int do_vrf_add_slave(struct net_device *dev, struct net_device *port_dev,
err:
port_dev->priv_flags &= ~IFF_L3MDEV_SLAVE;
+ synchronize_net();
return ret;
}
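Review bot: the synchronize_net() added to the err: path of do_vrf_add_slave() has no comment, unlike the matching call in do_vrf_del_slave(). It is there for the same reason (readers that saw IFF_L3MDEV_SLAVE set must finish before the caller proceeds), and it waits for a grace period on every failed enslave. Add the same one-line explanation here so the call is not later removed as an apparent no-op on an error path.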
@@ -1145,10 +1146,16 @@ static int vrf_add_slave(struct net_device *dev, struct net_device *port_dev,
}
/* inverse of do_vrf_add_slave */
-static int do_vrf_del_slave(struct net_device *dev, struct net_device *port_dev)
+static int do_vrf_del_slave(struct net_device *dev, struct net_device *port_dev,
+ bool needs_sync)
{
netdev_upper_dev_unlink(port_dev, dev);
port_dev->priv_flags &= ~IFF_L3MDEV_SLAVE;
+ /* Make sure that concurrent RCU readers that identified the device
+ * as a VRF port see a VRF master or no master at all.
+ */
+ if (needs_sync)
+ synchronize_net();
cycle_netdev(port_dev, NULL);
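Review bot: do_vrf_del_slave() now takes a bare bool, and the comment inside explains why the sync is needed but not when it may be skipped. The two callers further down pass false with no comment, so the reasoning lives only in the changelog (device removed as part of its own deletion, or the VRF itself being deleted). Document the needs_sync == false contract above the function, because a future caller that passes false in any other situation reintroduces the NULL dereference.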
@@ -1157,7 +1164,7 @@ static int do_vrf_del_slave(struct net_device *dev, struct net_device *port_dev)
static int vrf_del_slave(struct net_device *dev, struct net_device *port_dev)
{
- return do_vrf_del_slave(dev, port_dev);
+ return do_vrf_del_slave(dev, port_dev, true);
}
static void vrf_dev_uninit(struct net_device *dev)
@@ -1722,7 +1729,7 @@ static void vrf_dellink(struct net_device *dev, struct list_head *head)
struct list_head *iter;
netdev_for_each_lower_dev(dev, port_dev, iter)
- vrf_del_slave(dev, port_dev);
+ do_vrf_del_slave(dev, port_dev, false);
vrf_map_unregister_dev(dev);
@@ -1853,7 +1860,7 @@ static int vrf_device_event(struct notifier_block *unused,
goto out;
vrf_dev = netdev_master_upper_dev_get(dev);
- vrf_del_slave(vrf_dev, dev);
+ do_vrf_del_slave(vrf_dev, dev, false);
}
out:
return NOTIFY_DONE;
--
2.53.0
* [PATCH 6.1 753/969] net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+3f46c095ac0ca048cb71,
Andrew Lunn, Zhan Jun, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhan Jun <zhanjun@uniontech.com>
[ Upstream commit 23f0e34c64acba15cad4d23e50f41f533da195fa ]
syzbot reported a KASAN slab-use-after-free read in rtl8150_start_xmit()
when accessing skb->len for tx statistics after usb_submit_urb() has
been called:
BUG: KASAN: slab-use-after-free in rtl8150_start_xmit+0x71f/0x760
drivers/net/usb/rtl8150.c:712
Read of size 4 at addr ffff88810eb7a930 by task kworker/0:4/5226
The URB completion handler write_bulk_callback() frees the skb via
dev_kfree_skb_irq(dev->tx_skb). The URB may complete on another CPU
in softirq context before usb_submit_urb() returns in the submitter,
so by the time the submitter reads skb->len the skb has already been
queued to the per-CPU completion_queue and freed by net_tx_action():
CPU A (xmit)                  CPU B (USB completion softirq)
------------                  ------------------------------
dev->tx_skb = skb;
usb_submit_urb() --+
                   |-------> write_bulk_callback()
                   |           dev_kfree_skb_irq(dev->tx_skb)
                   |         net_tx_action()
                   |           napi_skb_cache_put() <-- free
netdev->stats.tx_bytes         |
  += skb->len;                 <-- UAF read
Fix it by caching skb->len before submitting the URB and using the
cached value when updating the tx_bytes counter.
The pre-existing tx_bytes semantics are preserved: the counter tracks
the original frame length (skb->len), not the ETH_ZLEN/USB-alignment
padded "count" value that is handed to the device. Changing that
would be a user-visible accounting change and is out of scope for
this UAF fix.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot+3f46c095ac0ca048cb71@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/69e69ee7.050a0220.24bfd3.002b.GAE@google.com/
Closes: https://syzkaller.appspot.com/bug?extid=3f46c095ac0ca048cb71
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Zhan Jun <zhanjun@uniontech.com>
Link: https://patch.msgid.link/809895186B866C10+20260423004913.136655-1-zhangdandan@uniontech.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/rtl8150.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
index e40b0669d9f4b..8700ae392b10a 100644
--- a/drivers/net/usb/rtl8150.c
+++ b/drivers/net/usb/rtl8150.c
@@ -685,6 +685,7 @@ static netdev_tx_t rtl8150_start_xmit(struct sk_buff *skb,
struct net_device *netdev)
{
rtl8150_t *dev = netdev_priv(netdev);
+ unsigned int skb_len;
int count, res;
/* pad the frame and ensure terminating USB packet, datasheet 9.2.3 */
@@ -696,6 +697,8 @@ static netdev_tx_t rtl8150_start_xmit(struct sk_buff *skb,
return NETDEV_TX_OK;
}
+ skb_len = skb->len;
+
netif_stop_queue(netdev);
dev->tx_skb = skb;
usb_fill_bulk_urb(dev->tx_urb, dev->udev, usb_sndbulkpipe(dev->udev, 2),
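Review bot: the new `skb_len = skb->len;` assignment has no comment saying why the length is cached, so a later cleanup could fold it back into `netdev->stats.tx_bytes += skb->len;`. A one-line comment above it stating that the skb may already be freed by the completion handler once usb_submit_urb() has been called would keep the ordering constraint visible in the code. Since `dev->tx_skb = skb;` directly below still publishes the pointer before submission, it is also worth confirming that nothing else after the submit call dereferences `skb`.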
@@ -711,7 +714,7 @@ static netdev_tx_t rtl8150_start_xmit(struct sk_buff *skb,
}
} else {
netdev->stats.tx_packets++;
- netdev->stats.tx_bytes += skb->len;
+ netdev->stats.tx_bytes += skb_len;
netif_trans_update(netdev);
}
--
2.53.0
* [PATCH 6.1 754/969] net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (752 preceding siblings ...)
2026-05-30 16:04 ` [PATCH 6.1 753/969] net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit() Greg Kroah-Hartman
@ 2026-05-30 16:04 ` Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 755/969] NFC: trf7970a: Ignore antenna noise when checking for RF field Greg Kroah-Hartman
` (221 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrew Lunn, Morduan Zang,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Morduan Zang <zhangdandan@uniontech.com>
[ Upstream commit adbe2cdf75461891e50dbe11896ac78e9af1f874 ]
When rtl8150_start_xmit() fails to submit the tx URB, the URB is never
handed to the USB core and write_bulk_callback() will not run. The
driver returns NETDEV_TX_OK, which tells the networking stack that the
skb has been consumed, but nothing actually frees the skb on this
error path:
    dev->tx_skb = skb;
    ...
    if ((res = usb_submit_urb(dev->tx_urb, GFP_ATOMIC))) {
        ...
        /* no kfree_skb here */
    }
    return NETDEV_TX_OK;
This leaks the skb on every submit failure and also leaves dev->tx_skb
pointing at memory that the driver itself may later free, which is
fragile.
Free the skb with dev_kfree_skb_any() in the error path and clear
dev->tx_skb so no stale pointer is left behind.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Morduan Zang <zhangdandan@uniontech.com>
Link: https://patch.msgid.link/E7D3E1C013C5A859+20260424015517.9574-1-zhangdandan@uniontech.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/rtl8150.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
index 8700ae392b10a..647f28b367b99 100644
--- a/drivers/net/usb/rtl8150.c
+++ b/drivers/net/usb/rtl8150.c
@@ -712,6 +712,13 @@ static netdev_tx_t rtl8150_start_xmit(struct sk_buff *skb,
netdev->stats.tx_errors++;
netif_start_queue(netdev);
}
+ /*
+ * The URB was not submitted, so write_bulk_callback() will
+ * never run to free dev->tx_skb. Drop the skb here and
+ * clear tx_skb to avoid leaving a stale pointer.
+ */
+ dev->tx_skb = NULL;
+ dev_kfree_skb_any(skb);
} else {
netdev->stats.tx_packets++;
netdev->stats.tx_bytes += skb_len;
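Review bot: the skb is now dropped on every submit failure, but the only counter visibly updated on this path is `netdev->stats.tx_errors++`, and it sits in an inner branch that closes before the added lines, so any sibling branch reaches `dev_kfree_skb_any(skb);` without accounting for the drop. Consider a `netdev->stats.tx_dropped++` next to the free so that every failure case is counted. Clearing `dev->tx_skb` before freeing is the right order.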
--
2.53.0
* [PATCH 6.1 755/969] NFC: trf7970a: Ignore antenna noise when checking for RF field
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (753 preceding siblings ...)
2026-05-30 16:04 ` [PATCH 6.1 754/969] net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit Greg Kroah-Hartman
@ 2026-05-30 16:04 ` Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 756/969] neighbour: add RCU protection to neigh_tables[] Greg Kroah-Hartman
` (220 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul Geurts, Krzysztof Kozlowski,
Mark Greer, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Geurts <paul.geurts@prodrive-technologies.com>
[ Upstream commit a9bc28aa4e64320668131349436a650bf42591a5 ]
The main channel Received Signal Strength Indicator (RSSI) measurement
is used to determine whether an RF field is present or not. RSSI != 0
is interpreted as an RF field being present. This does not take RF noise
and measurement inaccuracy into account, and results in false positives
in the field.
Define a noise level and make sure the RF field is only interpreted as
present when the RSSI is above the noise level.
Fixes: 851ee3cbf850 ("NFC: trf7970a: Don't turn on RF if there is already an RF field")
Signed-off-by: Paul Geurts <paul.geurts@prodrive-technologies.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Reviewed-by: Mark Greer <mgreer@animalcreek.com>
Link: https://patch.msgid.link/20260422100930.581237-1-paul.geurts@prodrive-technologies.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nfc/trf7970a.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/nfc/trf7970a.c b/drivers/nfc/trf7970a.c
index 7968baa626d16..b7a8d525e3c29 100644
--- a/drivers/nfc/trf7970a.c
+++ b/drivers/nfc/trf7970a.c
@@ -311,6 +311,7 @@
#define TRF7970A_RSSI_OSC_STATUS_RSSI_MASK (BIT(2) | BIT(1) | BIT(0))
#define TRF7970A_RSSI_OSC_STATUS_RSSI_X_MASK (BIT(5) | BIT(4) | BIT(3))
#define TRF7970A_RSSI_OSC_STATUS_RSSI_OSC_OK BIT(6)
+#define TRF7970A_RSSI_OSC_STATUS_RSSI_NOISE_LEVEL 1
#define TRF7970A_SPECIAL_FCN_REG1_COL_7_6 BIT(0)
#define TRF7970A_SPECIAL_FCN_REG1_14_ANTICOLL BIT(1)
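Review bot: `TRF7970A_RSSI_OSC_STATUS_RSSI_NOISE_LEVEL` is a comparison threshold rather than a register bit, yet it is added without annotation in a run of BIT() mask definitions. A short comment stating that it is compared against the 3-bit value selected by `TRF7970A_RSSI_OSC_STATUS_RSSI_MASK`, and how the value 1 was arrived at, would stop it from being read as another bit position.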
@@ -1253,7 +1254,7 @@ static int trf7970a_is_rf_field(struct trf7970a *trf, bool *is_rf_field)
if (ret)
return ret;
- if (rssi & TRF7970A_RSSI_OSC_STATUS_RSSI_MASK)
+ if ((rssi & TRF7970A_RSSI_OSC_STATUS_RSSI_MASK) > TRF7970A_RSSI_OSC_STATUS_RSSI_NOISE_LEVEL)
*is_rf_field = true;
else
*is_rf_field = false;
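Review bot: the new condition makes the `if` line run well past 80 columns, and the if/else only stores the result of the comparison. Assigning it directly, `*is_rf_field = (rssi & TRF7970A_RSSI_OSC_STATUS_RSSI_MASK) > TRF7970A_RSSI_OSC_STATUS_RSSI_NOISE_LEVEL;` wrapped after the `=`, or masking into a local first, would be shorter and easier to read.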
--
2.53.0
* [PATCH 6.1 756/969] neighbour: add RCU protection to neigh_tables[]
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (754 preceding siblings ...)
2026-05-30 16:04 ` [PATCH 6.1 755/969] NFC: trf7970a: Ignore antenna noise when checking for RF field Greg Kroah-Hartman
@ 2026-05-30 16:04 ` Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 757/969] neigh: let neigh_xmit take skb ownership Greg Kroah-Hartman
` (219 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, David S. Miller,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit f8f2eb9de69a1119117d198547c13d7a1123a5a9 ]
In order to remove RTNL protection from neightbl_dump_info()
and neigh_dump_info() later, we need to add
RCU protection to neigh_tables[].
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 4438113be604 ("neigh: let neigh_xmit take skb ownership")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/neighbour.c | 30 +++++++++++++++++++-----------
1 file changed, 19 insertions(+), 11 deletions(-)
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index 92dc1f1788de7..fe0e839972ba7 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -1764,7 +1764,7 @@ static void neigh_parms_destroy(struct neigh_parms *parms)
static struct lock_class_key neigh_table_proxy_queue_class;
-static struct neigh_table *neigh_tables[NEIGH_NR_TABLES] __read_mostly;
+static struct neigh_table __rcu *neigh_tables[NEIGH_NR_TABLES] __read_mostly;
void neigh_table_init(int index, struct neigh_table *tbl)
{
@@ -1821,13 +1821,19 @@ void neigh_table_init(int index, struct neigh_table *tbl)
tbl->last_flush = now;
tbl->last_rand = now + tbl->parms.reachable_time * 20;
- neigh_tables[index] = tbl;
+ rcu_assign_pointer(neigh_tables[index], tbl);
}
EXPORT_SYMBOL(neigh_table_init);
+/*
+ * Only called from ndisc_cleanup(), which means this is dead code
+ * because we no longer can unload IPv6 module.
+ */
int neigh_table_clear(int index, struct neigh_table *tbl)
{
- neigh_tables[index] = NULL;
+ RCU_INIT_POINTER(neigh_tables[index], NULL);
+ synchronize_rcu();
+
/* It is not clean... Fix it to unload IPv6 module safely */
cancel_delayed_work_sync(&tbl->managed_work);
cancel_delayed_work_sync(&tbl->gc_work);
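Review bot: in neigh_table_clear() the added `synchronize_rcu()` only waits for readers that are inside an RCU read-side critical section, while most of the lookups converted in this patch use `rcu_dereference_rtnl()` and may be relying on RTNL instead. The new comment justifies the function as dead code; if that is the only reason the teardown is safe, say so next to the `synchronize_rcu()` call, or state which lock excludes the RTNL-side readers before the table is torn down.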
@@ -1859,10 +1865,10 @@ static struct neigh_table *neigh_find_table(int family)
switch (family) {
case AF_INET:
- tbl = neigh_tables[NEIGH_ARP_TABLE];
+ tbl = rcu_dereference_rtnl(neigh_tables[NEIGH_ARP_TABLE]);
break;
case AF_INET6:
- tbl = neigh_tables[NEIGH_ND_TABLE];
+ tbl = rcu_dereference_rtnl(neigh_tables[NEIGH_ND_TABLE]);
break;
}
@@ -2328,7 +2334,7 @@ static int neightbl_set(struct sk_buff *skb, struct nlmsghdr *nlh,
ndtmsg = nlmsg_data(nlh);
for (tidx = 0; tidx < NEIGH_NR_TABLES; tidx++) {
- tbl = neigh_tables[tidx];
+ tbl = rcu_dereference_rtnl(neigh_tables[tidx]);
if (!tbl)
continue;
if (ndtmsg->ndtm_family && tbl->family != ndtmsg->ndtm_family)
@@ -2516,7 +2522,7 @@ static int neightbl_dump_info(struct sk_buff *skb, struct netlink_callback *cb)
for (tidx = 0; tidx < NEIGH_NR_TABLES; tidx++) {
struct neigh_parms *p;
- tbl = neigh_tables[tidx];
+ tbl = rcu_dereference_rtnl(neigh_tables[tidx]);
if (!tbl)
continue;
@@ -2877,7 +2883,7 @@ static int neigh_dump_info(struct sk_buff *skb, struct netlink_callback *cb)
s_t = cb->args[0];
for (t = 0; t < NEIGH_NR_TABLES; t++) {
- tbl = neigh_tables[t];
+ tbl = rcu_dereference_rtnl(neigh_tables[t]);
if (!tbl)
continue;
@@ -3141,14 +3147,15 @@ int neigh_xmit(int index, struct net_device *dev,
const void *addr, struct sk_buff *skb)
{
int err = -EAFNOSUPPORT;
+
if (likely(index < NEIGH_NR_TABLES)) {
struct neigh_table *tbl;
struct neighbour *neigh;
- tbl = neigh_tables[index];
- if (!tbl)
- goto out;
rcu_read_lock();
+ tbl = rcu_dereference(neigh_tables[index]);
+ if (!tbl)
+ goto out_unlock;
if (index == NEIGH_ARP_TABLE) {
u32 key = *((u32 *)addr);
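Review bot: the `!tbl` path now jumps to `out_unlock`, which only runs `rcu_read_unlock()`, so when the table is not registered the skb is neither transmitted nor freed and the function returns -EAFNOSUPPORT with the caller still owning it. Either unlock and route this through `out_kfree_skb`, or document that the caller keeps ownership on this return. Separately, `index` is a signed int and only `index < NEIGH_NR_TABLES` is tested before `neigh_tables[index]` is read; an explicit lower bound or an unsigned parameter would make the bounds check complete.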
@@ -3164,6 +3171,7 @@ int neigh_xmit(int index, struct net_device *dev,
goto out_kfree_skb;
}
err = READ_ONCE(neigh->output)(neigh, skb);
+out_unlock:
rcu_read_unlock();
}
else if (index == NEIGH_LINK_TABLE) {
--
2.53.0
* [PATCH 6.1 757/969] neigh: let neigh_xmit take skb ownership
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (755 preceding siblings ...)
2026-05-30 16:04 ` [PATCH 6.1 756/969] neighbour: add RCU protection to neigh_tables[] Greg Kroah-Hartman
@ 2026-05-30 16:04 ` Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 758/969] ALSA: usb-audio: Fix potential leak of pd at parsing UAC3 streams Greg Kroah-Hartman
` (218 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Westphal, Kuniyuki Iwashima,
Ido Schimmel, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 4438113be604ee67a7bf4f81da6e1cca41332ce4 ]
neigh_xmit always releases the skb, except when no neighbour table is
found. But even the first added user of neigh_xmit (mpls) relied on
neigh_xmit to release the skb (or queue it for tx).
sashiko reported:
If neigh_xmit() is called with an uninitialized neighbor table (for
example, NEIGH_ND_TABLE when IPv6 is disabled), it returns -EAFNOSUPPORT
and bypasses its internal out_kfree_skb error path. Because the return
value of neigh_xmit() is ignored here, does this leak the SKB?
Assume full ownership and remove the last code path that doesn't
xmit or free skb.
Fixes: 4fd3d7d9e868 ("neigh: Add helper function neigh_xmit")
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260424145843.74055-1-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/neighbour.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index fe0e839972ba7..7bdb2b5a6e014 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -3154,8 +3154,10 @@ int neigh_xmit(int index, struct net_device *dev,
rcu_read_lock();
tbl = rcu_dereference(neigh_tables[index]);
- if (!tbl)
- goto out_unlock;
+ if (!tbl) {
+ rcu_read_unlock();
+ goto out_kfree_skb;
+ }
if (index == NEIGH_ARP_TABLE) {
u32 key = *((u32 *)addr);
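Review bot: the `!tbl` branch now carries its own `rcu_read_unlock()` before `goto out_kfree_skb`, so every early exit from the RCU section has to remember to unlock by hand. A dedicated label that unlocks and then falls through to `out_kfree_skb` would keep the unlock and the free in one place and make a missed unlock on a future exit path harder to introduce.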
@@ -3171,7 +3173,6 @@ int neigh_xmit(int index, struct net_device *dev,
goto out_kfree_skb;
}
err = READ_ONCE(neigh->output)(neigh, skb);
-out_unlock:
rcu_read_unlock();
}
else if (index == NEIGH_LINK_TABLE) {
@@ -3181,11 +3182,10 @@ int neigh_xmit(int index, struct net_device *dev,
goto out_kfree_skb;
err = dev_queue_xmit(skb);
}
-out:
return err;
out_kfree_skb:
kfree_skb(skb);
- goto out;
+ return err;
}
EXPORT_SYMBOL(neigh_xmit);
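Review bot: with `out_kfree_skb` now ending in `return err;` and the `!tbl` case routed through it, neigh_xmit() consumes the skb on every return, but nothing in the function states that contract. A kernel-doc comment above neigh_xmit() saying that the skb is always transmitted or freed would help, and callers should be audited for any that free the skb themselves on a negative return, since that would now be a double free.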
--
2.53.0
* [PATCH 6.1 758/969] ALSA: usb-audio: Fix potential leak of pd at parsing UAC3 streams
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (756 preceding siblings ...)
2026-05-30 16:04 ` [PATCH 6.1 757/969] neigh: let neigh_xmit take skb ownership Greg Kroah-Hartman
@ 2026-05-30 16:04 ` Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 759/969] net: mctp i2c: check length before marking flow active Greg Kroah-Hartman
` (217 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit c39f0bc03f84ba64c9144c95714df1dc36150f6d ]
At parsing UAC3 streams, we allocate a PD object at each time, and
either assign or free it. But there is a case where the PD object may
be leaked; namely, in __snd_usb_parse_audio_interface() loop, when an
audioformat shares the same endpoint with others, it's put to a link
and returns from snd_usb_add_audio_stream(), but the PD is forgotten
afterwards. Overall, the treatment of PD object in the parser code is
a bit flaky, and we should be more careful about the object ownership.
This patch tries to fix the above case and improve the code a bit.
The pd object is now managed with the auto-cleanup in the loop, and
the ownership is updated when the pd object gets assigned to the
stream, which guarantees the release of the leftover object.
Fixes: 7edf3b5e6a45 ("ALSA: usb-audio: AudioStreaming Power Domain parsing")
Link: https://patch.msgid.link/20260427151508.12544-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/quirks.c | 2 +-
sound/usb/stream.c | 58 ++++++++++++++++++----------------------------
sound/usb/stream.h | 3 ++-
3 files changed, 25 insertions(+), 38 deletions(-)
diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
index 23361e78189d0..8faf3731e3499 100644
--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -121,7 +121,7 @@ static int add_audio_stream_from_fixed_fmt(struct snd_usb_audio *chip,
snd_usb_audioformat_set_sync_ep(chip, fp);
- err = snd_usb_add_audio_stream(chip, stream, fp);
+ err = snd_usb_add_audio_stream(chip, stream, fp, NULL);
if (err < 0)
return err;
diff --git a/sound/usb/stream.c b/sound/usb/stream.c
index 920a718f91e68..f964082da3a63 100644
--- a/sound/usb/stream.c
+++ b/sound/usb/stream.c
@@ -79,7 +79,7 @@ static void snd_usb_audio_pcm_free(struct snd_pcm *pcm)
static void snd_usb_init_substream(struct snd_usb_stream *as,
int stream,
struct audioformat *fp,
- struct snd_usb_power_domain *pd)
+ struct snd_usb_power_domain **pdptr)
{
struct snd_usb_substream *subs = &as->substream[stream];
@@ -105,10 +105,11 @@ static void snd_usb_init_substream(struct snd_usb_stream *as,
if (fp->channels > subs->channels_max)
subs->channels_max = fp->channels;
- if (pd) {
- subs->str_pd = pd;
+ if (pdptr && *pdptr) {
+ subs->str_pd = *pdptr;
+ *pdptr = NULL; /* assigned */
/* Initialize Power Domain to idle status D1 */
- snd_usb_power_domain_set(subs->stream->chip, pd,
+ snd_usb_power_domain_set(subs->stream->chip, subs->str_pd,
UAC3_PD_STATE_D1);
}
@@ -486,11 +487,14 @@ snd_pcm_chmap_elem *convert_chmap_v3(struct uac3_cluster_header_descriptor
* if not, create a new pcm stream. note, fp is added to the substream
* fmt_list and will be freed on the chip instance release. do not free
* fp or do remove it from the substream fmt_list to avoid double-free.
+ *
+ * pdptr is optional and can be NULL. When it's non-NULL and the PD gets
+ * assigned to the stream, *pdptr is cleared to NULL upon return.
*/
-static int __snd_usb_add_audio_stream(struct snd_usb_audio *chip,
- int stream,
- struct audioformat *fp,
- struct snd_usb_power_domain *pd)
+int snd_usb_add_audio_stream(struct snd_usb_audio *chip,
+ int stream,
+ struct audioformat *fp,
+ struct snd_usb_power_domain **pdptr)
{
struct snd_usb_stream *as;
@@ -523,7 +527,7 @@ static int __snd_usb_add_audio_stream(struct snd_usb_audio *chip,
err = snd_pcm_new_stream(as->pcm, stream, 1);
if (err < 0)
return err;
- snd_usb_init_substream(as, stream, fp, pd);
+ snd_usb_init_substream(as, stream, fp, pdptr);
return add_chmap(as->pcm, stream, subs);
}
@@ -551,7 +555,7 @@ static int __snd_usb_add_audio_stream(struct snd_usb_audio *chip,
else
strcpy(pcm->name, "USB Audio");
- snd_usb_init_substream(as, stream, fp, pd);
+ snd_usb_init_substream(as, stream, fp, pdptr);
/*
* Keep using head insertion for M-Audio Audiophile USB (tm) which has a
@@ -569,21 +573,6 @@ static int __snd_usb_add_audio_stream(struct snd_usb_audio *chip,
return add_chmap(pcm, stream, &as->substream[stream]);
}
-int snd_usb_add_audio_stream(struct snd_usb_audio *chip,
- int stream,
- struct audioformat *fp)
-{
- return __snd_usb_add_audio_stream(chip, stream, fp, NULL);
-}
-
-static int snd_usb_add_audio_stream_v3(struct snd_usb_audio *chip,
- int stream,
- struct audioformat *fp,
- struct snd_usb_power_domain *pd)
-{
- return __snd_usb_add_audio_stream(chip, stream, fp, pd);
-}
-
static int parse_uac_endpoint_attributes(struct snd_usb_audio *chip,
struct usb_host_interface *alts,
int protocol, int iface_no)
@@ -1102,8 +1091,7 @@ snd_usb_get_audioformat_uac3(struct snd_usb_audio *chip,
}
}
- if (pd)
- *pd_out = pd;
+ *pd_out = pd;
return fp;
}
@@ -1118,7 +1106,6 @@ static int __snd_usb_parse_audio_interface(struct snd_usb_audio *chip,
struct usb_interface_descriptor *altsd;
int i, altno, err, stream;
struct audioformat *fp = NULL;
- struct snd_usb_power_domain *pd = NULL;
bool set_iface_first;
int num, protocol;
@@ -1160,6 +1147,12 @@ static int __snd_usb_parse_audio_interface(struct snd_usb_audio *chip,
if (snd_usb_apply_interface_quirk(chip, iface_no, altno))
continue;
+ /* pd may be allocated at snd_usb_get_audioformat_uac3() and
+ * assigned at snd_usb_add_audio_stream(); otherwise it'll be
+ * freed automatically by cleanup at each loop.
+ */
+ struct snd_usb_power_domain *pd __free(kfree) = NULL;
+
/*
* Roland audio streaming interfaces are marked with protocols
* 0/1/2, but are UAC 1 compatible.
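Review bot: `struct snd_usb_power_domain *pd __free(kfree) = NULL;` is declared in the middle of the loop body, after the `continue` on the interface-quirk check, and depends on the scope-based cleanup helpers. For a 6.1.y backport it is worth confirming that the tree provides `__free(kfree)` and builds this file without a declaration-after-statement warning; if not, keeping the declaration at the top of the loop body with explicit kfree() on the exit paths is the safer form. The added block comment also starts its text on the `/*` line, unlike the comment that follows it in this hunk.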
@@ -1215,23 +1208,16 @@ static int __snd_usb_parse_audio_interface(struct snd_usb_audio *chip,
*has_non_pcm = true;
if ((fp->fmt_type == UAC_FORMAT_TYPE_I) == non_pcm) {
audioformat_free(fp);
- kfree(pd);
fp = NULL;
- pd = NULL;
continue;
}
snd_usb_audioformat_set_sync_ep(chip, fp);
dev_dbg(&dev->dev, "%u:%d: add audio endpoint %#x\n", iface_no, altno, fp->endpoint);
- if (protocol == UAC_VERSION_3)
- err = snd_usb_add_audio_stream_v3(chip, stream, fp, pd);
- else
- err = snd_usb_add_audio_stream(chip, stream, fp);
-
+ err = snd_usb_add_audio_stream(chip, stream, fp, &pd);
if (err < 0) {
audioformat_free(fp);
- kfree(pd);
return err;
}
diff --git a/sound/usb/stream.h b/sound/usb/stream.h
index d92e18d5818fe..61b9a133da018 100644
--- a/sound/usb/stream.h
+++ b/sound/usb/stream.h
@@ -7,7 +7,8 @@ int snd_usb_parse_audio_interface(struct snd_usb_audio *chip,
int snd_usb_add_audio_stream(struct snd_usb_audio *chip,
int stream,
- struct audioformat *fp);
+ struct audioformat *fp,
+ struct snd_usb_power_domain **pdptr);
#endif /* __USBAUDIO_STREAM_H */
--
2.53.0
* [PATCH 6.1 759/969] net: mctp i2c: check length before marking flow active
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (757 preceding siblings ...)
2026-05-30 16:04 ` [PATCH 6.1 758/969] ALSA: usb-audio: Fix potential leak of pd at parsing UAC3 streams Greg Kroah-Hartman
@ 2026-05-30 16:04 ` Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 760/969] net: phy: dp83869: fix setting CLK_O_SEL field Greg Kroah-Hartman
` (216 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, William A. Kennington III,
Jeremy Kerr, Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: William A. Kennington III <william@wkennington.com>
[ Upstream commit 4ca07b9239bd0478ae586632a2ed72be37ed8407 ]
Currently, mctp_i2c_get_tx_flow_state() is called before the packet length
sanity check. This function marks a new flow as active in the MCTP core.
If the sanity check fails, mctp_i2c_xmit() returns early without calling
mctp_i2c_lock_nest(). This results in a mismatched locking state: the
flow is active, but the I2C bus lock was never acquired for it.
When the flow is later released, mctp_i2c_release_flow() will see the
active state and queue an unlock marker. The TX thread will then
decrement midev->i2c_lock_count from 0, causing it to underflow to -1.
This underflow permanently breaks the driver's locking logic, allowing
future transmissions to occur without holding the I2C bus lock, leading
to bus collisions and potential hardware hangs.
Move the mctp_i2c_get_tx_flow_state() call to after the length sanity
check to ensure we only transition the flow state if we are actually
going to proceed with the transmission and locking.
Fixes: f5b8abf9fc3d ("mctp i2c: MCTP I2C binding driver")
Signed-off-by: William A. Kennington III <william@wkennington.com>
Acked-by: Jeremy Kerr <jk@codeconstruct.com.au>
Link: https://patch.msgid.link/20260423074741.201460-1-william@wkennington.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/mctp/mctp-i2c.c | 4 ++--
net/sched/cls_flower.c | 4 +++-
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/net/mctp/mctp-i2c.c b/drivers/net/mctp/mctp-i2c.c
index 2eeccc3b70eff..cf0947b64a123 100644
--- a/drivers/net/mctp/mctp-i2c.c
+++ b/drivers/net/mctp/mctp-i2c.c
@@ -461,8 +461,6 @@ static void mctp_i2c_xmit(struct mctp_i2c_dev *midev, struct sk_buff *skb)
u8 *pecp;
int rc;
- fs = mctp_i2c_get_tx_flow_state(midev, skb);
-
hdr = (void *)skb_mac_header(skb);
/* Sanity check that packet contents matches skb length,
* and can't exceed MCTP_I2C_BUFSZ
@@ -474,6 +472,8 @@ static void mctp_i2c_xmit(struct mctp_i2c_dev *midev, struct sk_buff *skb)
return;
}
+ fs = mctp_i2c_get_tx_flow_state(midev, skb);
+
if (skb_tailroom(skb) >= 1) {
/* Linear case with space, we can just append the PEC */
skb_put(skb, 1);
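Review bot: the relocated `fs = mctp_i2c_get_tx_flow_state(midev, skb);` has no comment tying it to the length check above it, so the ordering that prevents the lock-count underflow is easy to undo in a later refactor. A short comment saying that the flow state must only change once the packet is known to be transmitted would preserve the intent. It is also worth checking that no other early return between this call and the lock acquisition can recreate the same mismatch.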
diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c
index a40a9e84c75f4..fd8c2f0f3256e 100644
--- a/net/sched/cls_flower.c
+++ b/net/sched/cls_flower.c
@@ -537,6 +537,7 @@ static int __fl_delete(struct tcf_proto *tp, struct cls_fl_filter *f,
struct netlink_ext_ack *extack)
{
struct cls_fl_head *head = fl_head_dereference(tp);
+ struct fl_flow_mask *mask;
*last = false;
@@ -553,11 +554,12 @@ static int __fl_delete(struct tcf_proto *tp, struct cls_fl_filter *f,
list_del_rcu(&f->list);
spin_unlock(&tp->lock);
- *last = fl_mask_put(head, f->mask);
+ mask = f->mask;
if (!tc_skip_hw(f->flags))
fl_hw_destroy_filter(tp, f, rtnl_held, extack);
tcf_unbind_filter(tp, &f->res);
__fl_put(f);
+ *last = fl_mask_put(head, mask);
return 0;
}
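Review bot: both hunks in net/sched/cls_flower.c fall outside what the commit message describes, which covers only the position of mctp_i2c_get_tx_flow_state() in mctp_i2c_xmit(). Moving `*last = fl_mask_put(head, mask);` to after `__fl_put(f);` changes the teardown order in __fl_delete() and should be carried as its own patch with its own upstream commit reference and rationale, or dropped from this one if it was folded in by mistake during the backport.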
--
2.53.0
* [PATCH 6.1 760/969] net: phy: dp83869: fix setting CLK_O_SEL field.
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (758 preceding siblings ...)
2026-05-30 16:04 ` [PATCH 6.1 759/969] net: mctp i2c: check length before marking flow active Greg Kroah-Hartman
@ 2026-05-30 16:04 ` Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 761/969] ASoC: codecs: ab8500: Fix casting of private data Greg Kroah-Hartman
` (215 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Heiko Schocher, Simon Horman,
Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heiko Schocher <hs@nabladev.com>
[ Upstream commit 46f74a3f7d57d9cc0110b09cbc8163fa0a01afa2 ]
Table 7-121 in datasheet says we have to set register 0xc6
to value 0x10 before CLK_O_SEL can be modified. No more information
about this field is found in the datasheet. With this fix, setting
of CLK_O_SEL field in IO_MUX_CFG register worked through dts
property "ti,clk-output-sel" on a DP83869HMRGZR.
Signed-off-by: Heiko Schocher <hs@nabladev.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Fixes: 01db923e8377 ("net: phy: dp83869: Add TI dp83869 phy")
Link: https://patch.msgid.link/20260425031339.3318-1-hs@nabladev.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/dp83869.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/drivers/net/phy/dp83869.c b/drivers/net/phy/dp83869.c
index b924f98b23973..35202f2e1d3dc 100644
--- a/drivers/net/phy/dp83869.c
+++ b/drivers/net/phy/dp83869.c
@@ -31,6 +31,7 @@
#define DP83869_RGMIICTL 0x0032
#define DP83869_STRAP_STS1 0x006e
#define DP83869_RGMIIDCTL 0x0086
+#define DP83869_ANA_PLL_PROG_PI 0x00c6
#define DP83869_RXFCFG 0x0134
#define DP83869_RXFPMD1 0x0136
#define DP83869_RXFPMD2 0x0137
@@ -802,12 +803,22 @@ static int dp83869_config_init(struct phy_device *phydev)
dp83869_config_port_mirroring(phydev);
/* Clock output selection if muxing property is set */
- if (dp83869->clk_output_sel != DP83869_CLK_O_SEL_REF_CLK)
+ if (dp83869->clk_output_sel != DP83869_CLK_O_SEL_REF_CLK) {
+ /*
+ * Table 7-121 in datasheet says we have to set register 0xc6
+ * to value 0x10 before CLK_O_SEL can be modified.
+ */
+ ret = phy_write_mmd(phydev, DP83869_DEVADDR,
+ DP83869_ANA_PLL_PROG_PI, 0x10);
+ if (ret)
+ return ret;
+
ret = phy_modify_mmd(phydev,
DP83869_DEVADDR, DP83869_IO_MUX_CFG,
DP83869_IO_MUX_CFG_CLK_O_SEL_MASK,
dp83869->clk_output_sel <<
DP83869_IO_MUX_CFG_CLK_O_SEL_SHIFT);
+ }
if (phy_interface_is_rgmii(phydev)) {
ret = phy_write_mmd(phydev, DP83869_DEVADDR, DP83869_RGMIIDCTL,
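Review bot: the unlock write uses a bare `0x10` with `phy_write_mmd()`, which replaces the whole of register 0xc6 rather than setting one field; a named constant for the value and a note on whether the other bits of DP83869_ANA_PLL_PROG_PI may be overwritten would make this easier to maintain. The return value of the new write is checked, but the `ret` from the `phy_modify_mmd()` that follows is not tested before the RGMII branch assigns `ret` again, so a failure to set CLK_O_SEL can go unreported there. Adding `if (ret) return ret;` inside the new braces would close that.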
--
2.53.0
* [PATCH 6.1 761/969] ASoC: codecs: ab8500: Fix casting of private data
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (759 preceding siblings ...)
2026-05-30 16:04 ` [PATCH 6.1 760/969] net: phy: dp83869: fix setting CLK_O_SEL field Greg Kroah-Hartman
@ 2026-05-30 16:04 ` Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 762/969] netfilter: skip recording stale or retransmitted INIT Greg Kroah-Hartman
` (214 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian A. Ehrhardt,
Uwe Kleine-König, Mark Brown, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian A. Ehrhardt <christian.ehrhardt@codasip.com>
[ Upstream commit a201aef1a88b675e9eb8487e27d14e2eef3cef80 ]
ab8500_filter_controls[i].private_value is initialized using
    .private_value = (unsigned long)&(struct filter_control)
        {.count = xcount, .min = xmin, .max = xmax}
thus it's a pointer to a struct filter_control cast to unsigned long.
So to get back that pointer .private_data must be cast back, not its
address.
Fixes: 679d7abdc754 ("ASoC: codecs: Add AB8500 codec-driver")
Signed-off-by: Christian A. Ehrhardt <christian.ehrhardt@codasip.com>
Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com>
Link: https://patch.msgid.link/20260428192255.2294705-2-u.kleine-koenig@baylibre.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/ab8500-codec.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sound/soc/codecs/ab8500-codec.c b/sound/soc/codecs/ab8500-codec.c
index 68342917419e4..42e448978c4a0 100644
--- a/sound/soc/codecs/ab8500-codec.c
+++ b/sound/soc/codecs/ab8500-codec.c
@@ -2496,13 +2496,13 @@ static int ab8500_codec_probe(struct snd_soc_component *component)
return status;
}
fc = (struct filter_control *)
- &ab8500_filter_controls[AB8500_FILTER_ANC_FIR].private_value;
+ ab8500_filter_controls[AB8500_FILTER_ANC_FIR].private_value;
drvdata->anc_fir_values = (long *)fc->value;
fc = (struct filter_control *)
- &ab8500_filter_controls[AB8500_FILTER_ANC_IIR].private_value;
+ ab8500_filter_controls[AB8500_FILTER_ANC_IIR].private_value;
drvdata->anc_iir_values = (long *)fc->value;
fc = (struct filter_control *)
- &ab8500_filter_controls[AB8500_FILTER_SID_FIR].private_value;
+ ab8500_filter_controls[AB8500_FILTER_SID_FIR].private_value;
drvdata->sid_fir_values = (long *)fc->value;
snd_soc_dapm_disable_pin(dapm, "ANC Configure Input");
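Review bot: the same `(struct filter_control *)` cast of `.private_value` is repeated at three sites, which is how the stray `&` came to be wrong in all of them. A small helper that takes the control index and returns the `struct filter_control *` would put the integer-to-pointer conversion in one place. The commit message also refers to `.private_data` where the field in the diff is `.private_value`.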
--
2.53.0
* [PATCH 6.1 762/969] netfilter: skip recording stale or retransmitted INIT
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (760 preceding siblings ...)
2026-05-30 16:04 ` [PATCH 6.1 761/969] ASoC: codecs: ab8500: Fix casting of private data Greg Kroah-Hartman
@ 2026-05-30 16:04 ` Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 763/969] sctp: discard stale INIT after handshake completion Greg Kroah-Hartman
` (213 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xin Long, Marcelo Ricardo Leitner,
Florian Westphal, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xin Long <lucien.xin@gmail.com>
[ Upstream commit 576a5d2bad4814c881a829576b1261b9b8159d2b ]
An INIT whose init_tag matches the peer's vtag does not provide new state
information. It indicates either:
- a stale INIT (after INIT-ACK has already been seen on the same side), or
- a retransmitted INIT (after INIT has already been recorded on the same
side).
In both cases, the INIT must not update ct->proto.sctp.init[] state, since
it does not advance the handshake tracking and may otherwise corrupt
INIT/INIT-ACK validation logic.
Allow INIT processing only when the conntrack entry is newly created
(SCTP_CONNTRACK_NONE), or when the init_tag differs from the stored peer
vtag.
Note it skips the check for the ct with old_state SCTP_CONNTRACK_NONE in
nf_conntrack_sctp_packet(), as it is just created in sctp_new() where it
sets ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = ih->init_tag.
Fixes: 9fb9cbb1082d ("[NETFILTER]: Add nf_conntrack subsystem.")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Acked-by: Florian Westphal <fw@strlen.de>
Link: https://patch.msgid.link/ee56c3e416452b2a40589a2a85245ac2ad5e9f4b.1777214801.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_conntrack_proto_sctp.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 90458799324ec..ae89f3c590e8b 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -484,9 +484,13 @@ int nf_conntrack_sctp_packet(struct nf_conn *ct,
if (!ih)
goto out_unlock;
- if (ct->proto.sctp.init[dir] && ct->proto.sctp.init[!dir])
- ct->proto.sctp.init[!dir] = 0;
- ct->proto.sctp.init[dir] = 1;
+ /* Do not record INIT matching peer vtag (stale or retransmitted INIT). */
+ if (old_state == SCTP_CONNTRACK_NONE ||
+ ct->proto.sctp.vtag[!dir] != ih->init_tag) {
+ if (ct->proto.sctp.init[dir] && ct->proto.sctp.init[!dir])
+ ct->proto.sctp.init[!dir] = 0;
+ ct->proto.sctp.init[dir] = 1;
+ }
pr_debug("Setting vtag %x for dir %d\n", ih->init_tag, !dir);
ct->proto.sctp.vtag[!dir] = ih->init_tag;
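Review bot: the new comment above the `old_state == SCTP_CONNTRACK_NONE ||` test explains the vtag comparison but not the SCTP_CONNTRACK_NONE exemption, which only the commit message covers. Suggest extending it to say that sctp_new() has just stored ih->init_tag in vtag[IP_CT_DIR_REPLY], so for a freshly created entry the comparison would match and the first INIT would never be recorded. The `ct->proto.sctp.vtag[!dir] = ih->init_tag;` store below the block stays unconditional; in the skipped case it rewrites the value already held, so it is harmless, but a word in the comment would save the next reader from checking.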
--
2.53.0
* [PATCH 6.1 763/969] sctp: discard stale INIT after handshake completion
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (761 preceding siblings ...)
2026-05-30 16:04 ` [PATCH 6.1 762/969] netfilter: skip recording stale or retransmitted INIT Greg Kroah-Hartman
@ 2026-05-30 16:04 ` Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 764/969] ipv4: rename and move ip_route_output_tunnel() Greg Kroah-Hartman
` (212 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xin Long, Marcelo Ricardo Leitner,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xin Long <lucien.xin@gmail.com>
[ Upstream commit 8a92cb475ca90d84db769e4d4383e631ace0d6e5 ]
After an association reaches ESTABLISHED, the peer’s init_tag is already
known from the handshake. Any subsequent INIT with the same init_tag is
not a valid restart, but a delayed or duplicate INIT.
Drop such INIT chunks in sctp_sf_do_unexpected_init() instead of
processing them as new association attempts.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Link: https://patch.msgid.link/5788c76c1ee122a3ed00189e88dcf9df1fba226c.1777214801.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sctp/sm_statefuns.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 80a6b9fc964e5..1685f73602d5e 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -1556,6 +1556,12 @@ static enum sctp_disposition sctp_sf_do_unexpected_init(
/* Tag the variable length parameters. */
chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr));
+ if (asoc->state >= SCTP_STATE_ESTABLISHED) {
+ /* Discard INIT matching peer vtag after handshake completion (stale INIT). */
+ if (ntohl(chunk->subh.init_hdr->init_tag) == asoc->peer.i.init_tag)
+ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
+ }
+
/* Verify the INIT chunk before processing it. */
err_chunk = NULL;
if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type,
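Review bot: the new discard reads `chunk->subh.init_hdr->init_tag` ahead of the sctp_verify_init() call that follows it, so it depends on code earlier in sctp_sf_do_unexpected_init(), outside this hunk, having already checked that the chunk is long enough to hold a struct sctp_inithdr; worth confirming against the 6.1 tree since this is a backport. Two smaller points: `asoc->state >= SCTP_STATE_ESTABLISHED` relies on enum ordering and so also covers every state numbered after ESTABLISHED, which the "after handshake completion" comment does not spell out, and the two nested ifs could be a single condition.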
--
2.53.0
* [PATCH 6.1 764/969] ipv4: rename and move ip_route_output_tunnel()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (762 preceding siblings ...)
2026-05-30 16:04 ` [PATCH 6.1 763/969] sctp: discard stale INIT after handshake completion Greg Kroah-Hartman
@ 2026-05-30 16:04 ` Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 765/969] ipv4: remove "proto" argument from udp_tunnel_dst_lookup() Greg Kroah-Hartman
` (211 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guillaume Nault, Beniamino Galvani,
David Ahern, David S. Miller, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Beniamino Galvani <b.galvani@gmail.com>
[ Upstream commit bf3fcbf7e7a08015d3b169bad6281b29d45c272d ]
At the moment ip_route_output_tunnel() is used only by bareudp.
Ideally, other UDP tunnel implementations should use it, but to do so
the function needs to accept new parameters that are specific for UDP
tunnels, such as the ports.
Prepare for these changes by renaming the function to
udp_tunnel_dst_lookup() and move it to file
net/ipv4/udp_tunnel_core.c.
Suggested-by: Guillaume Nault <gnault@redhat.com>
Signed-off-by: Beniamino Galvani <b.galvani@gmail.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: aa6c6d9ee064 ("bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bareudp.c | 8 +++----
include/net/route.h | 6 -----
include/net/udp_tunnel.h | 6 +++++
net/ipv4/route.c | 48 --------------------------------------
net/ipv4/udp_tunnel_core.c | 48 ++++++++++++++++++++++++++++++++++++++
5 files changed, 58 insertions(+), 58 deletions(-)
diff --git a/drivers/net/bareudp.c b/drivers/net/bareudp.c
index cfbc0240126ef..bbc246d27f88a 100644
--- a/drivers/net/bareudp.c
+++ b/drivers/net/bareudp.c
@@ -325,8 +325,8 @@ static int bareudp_xmit_skb(struct sk_buff *skb, struct net_device *dev,
if (!sock)
return -ESHUTDOWN;
- rt = ip_route_output_tunnel(skb, dev, bareudp->net, &saddr, info,
- IPPROTO_UDP, use_cache);
+ rt = udp_tunnel_dst_lookup(skb, dev, bareudp->net, &saddr, info,
+ IPPROTO_UDP, use_cache);
if (IS_ERR(rt))
return PTR_ERR(rt);
@@ -505,8 +505,8 @@ static int bareudp_fill_metadata_dst(struct net_device *dev,
struct rtable *rt;
__be32 saddr;
- rt = ip_route_output_tunnel(skb, dev, bareudp->net, &saddr,
- info, IPPROTO_UDP, use_cache);
+ rt = udp_tunnel_dst_lookup(skb, dev, bareudp->net, &saddr,
+ info, IPPROTO_UDP, use_cache);
if (IS_ERR(rt))
return PTR_ERR(rt);
diff --git a/include/net/route.h b/include/net/route.h
index cdca622c5c6fe..568da3b95b06e 100644
--- a/include/net/route.h
+++ b/include/net/route.h
@@ -139,12 +139,6 @@ static inline struct rtable *__ip_route_output_key(struct net *net,
struct rtable *ip_route_output_flow(struct net *, struct flowi4 *flp,
const struct sock *sk);
-struct rtable *ip_route_output_tunnel(struct sk_buff *skb,
- struct net_device *dev,
- struct net *net, __be32 *saddr,
- const struct ip_tunnel_info *info,
- u8 protocol, bool use_cache);
-
struct dst_entry *ipv4_blackhole_route(struct net *net,
struct dst_entry *dst_orig);
diff --git a/include/net/udp_tunnel.h b/include/net/udp_tunnel.h
index cd2bd3826d168..f9a66a33e958b 100644
--- a/include/net/udp_tunnel.h
+++ b/include/net/udp_tunnel.h
@@ -161,6 +161,12 @@ int udp_tunnel6_xmit_skb(struct dst_entry *dst, struct sock *sk,
void udp_tunnel_sock_release(struct socket *sock);
+struct rtable *udp_tunnel_dst_lookup(struct sk_buff *skb,
+ struct net_device *dev,
+ struct net *net, __be32 *saddr,
+ const struct ip_tunnel_info *info,
+ u8 protocol, bool use_cache);
+
struct metadata_dst *udp_tun_rx_dst(struct sk_buff *skb, unsigned short family,
__be16 flags, __be64 tunnel_id,
int md_size);
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 86893963b930d..60516c6ae62e0 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -2922,54 +2922,6 @@ struct rtable *ip_route_output_flow(struct net *net, struct flowi4 *flp4,
}
EXPORT_SYMBOL_GPL(ip_route_output_flow);
-struct rtable *ip_route_output_tunnel(struct sk_buff *skb,
- struct net_device *dev,
- struct net *net, __be32 *saddr,
- const struct ip_tunnel_info *info,
- u8 protocol, bool use_cache)
-{
-#ifdef CONFIG_DST_CACHE
- struct dst_cache *dst_cache;
-#endif
- struct rtable *rt = NULL;
- struct flowi4 fl4;
- __u8 tos;
-
-#ifdef CONFIG_DST_CACHE
- dst_cache = (struct dst_cache *)&info->dst_cache;
- if (use_cache) {
- rt = dst_cache_get_ip4(dst_cache, saddr);
- if (rt)
- return rt;
- }
-#endif
- memset(&fl4, 0, sizeof(fl4));
- fl4.flowi4_mark = skb->mark;
- fl4.flowi4_proto = protocol;
- fl4.daddr = info->key.u.ipv4.dst;
- fl4.saddr = info->key.u.ipv4.src;
- tos = info->key.tos;
- fl4.flowi4_tos = RT_TOS(tos);
-
- rt = ip_route_output_key(net, &fl4);
- if (IS_ERR(rt)) {
- netdev_dbg(dev, "no route to %pI4\n", &fl4.daddr);
- return ERR_PTR(-ENETUNREACH);
- }
- if (rt->dst.dev == dev) { /* is this necessary? */
- netdev_dbg(dev, "circular route to %pI4\n", &fl4.daddr);
- ip_rt_put(rt);
- return ERR_PTR(-ELOOP);
- }
-#ifdef CONFIG_DST_CACHE
- if (use_cache)
- dst_cache_set_ip4(dst_cache, &rt->dst, fl4.saddr);
-#endif
- *saddr = fl4.saddr;
- return rt;
-}
-EXPORT_SYMBOL_GPL(ip_route_output_tunnel);
-
/* called with rcu_read_lock held */
static int rt_fill_info(struct net *net, __be32 dst, __be32 src,
struct rtable *rt, u32 table_id, dscp_t dscp,
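Review bot: this hunk drops `EXPORT_SYMBOL_GPL(ip_route_output_tunnel)` in a stable series, so any module built outside this tree against 6.1.y that calls the old name stops linking once this lands. The rename is only pulled in as a Stable-dep-of prerequisite for the bareudp fix; the stable changelog should call out the symbol removal so it is not a surprise.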
diff --git a/net/ipv4/udp_tunnel_core.c b/net/ipv4/udp_tunnel_core.c
index 732e21b75ba28..386e983560094 100644
--- a/net/ipv4/udp_tunnel_core.c
+++ b/net/ipv4/udp_tunnel_core.c
@@ -204,4 +204,52 @@ struct metadata_dst *udp_tun_rx_dst(struct sk_buff *skb, unsigned short family,
}
EXPORT_SYMBOL_GPL(udp_tun_rx_dst);
+struct rtable *udp_tunnel_dst_lookup(struct sk_buff *skb,
+ struct net_device *dev,
+ struct net *net, __be32 *saddr,
+ const struct ip_tunnel_info *info,
+ u8 protocol, bool use_cache)
+{
+#ifdef CONFIG_DST_CACHE
+ struct dst_cache *dst_cache;
+#endif
+ struct rtable *rt = NULL;
+ struct flowi4 fl4;
+ __u8 tos;
+
+#ifdef CONFIG_DST_CACHE
+ dst_cache = (struct dst_cache *)&info->dst_cache;
+ if (use_cache) {
+ rt = dst_cache_get_ip4(dst_cache, saddr);
+ if (rt)
+ return rt;
+ }
+#endif
+ memset(&fl4, 0, sizeof(fl4));
+ fl4.flowi4_mark = skb->mark;
+ fl4.flowi4_proto = protocol;
+ fl4.daddr = info->key.u.ipv4.dst;
+ fl4.saddr = info->key.u.ipv4.src;
+ tos = info->key.tos;
+ fl4.flowi4_tos = RT_TOS(tos);
+
+ rt = ip_route_output_key(net, &fl4);
+ if (IS_ERR(rt)) {
+ netdev_dbg(dev, "no route to %pI4\n", &fl4.daddr);
+ return ERR_PTR(-ENETUNREACH);
+ }
+ if (rt->dst.dev == dev) { /* is this necessary? */
+ netdev_dbg(dev, "circular route to %pI4\n", &fl4.daddr);
+ ip_rt_put(rt);
+ return ERR_PTR(-ELOOP);
+ }
+#ifdef CONFIG_DST_CACHE
+ if (use_cache)
+ dst_cache_set_ip4(dst_cache, &rt->dst, fl4.saddr);
+#endif
+ *saddr = fl4.saddr;
+ return rt;
+}
+EXPORT_SYMBOL_GPL(udp_tunnel_dst_lookup);
+
MODULE_LICENSE("GPL");
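Review bot: udp_tunnel_dst_lookup() is added as an exported symbol with no kernel-doc, and `dst_cache = (struct dst_cache *)&info->dst_cache;` casts away the const on `info` so the lookup can write to a cache the prototype promises not to modify. As a straight move the code should stay as it is, but a short comment documenting the return contract (a valid rtable with *saddr filled in, or ERR_PTR(-ENETUNREACH) / ERR_PTR(-ELOOP)) and the reason for the const cast would help other tunnel drivers that adopt the helper.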
--
2.53.0
* [PATCH 6.1 765/969] ipv4: remove "proto" argument from udp_tunnel_dst_lookup()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (763 preceding siblings ...)
2026-05-30 16:04 ` [PATCH 6.1 764/969] ipv4: rename and move ip_route_output_tunnel() Greg Kroah-Hartman
@ 2026-05-30 16:04 ` Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 766/969] ipv4: add new arguments to udp_tunnel_dst_lookup() Greg Kroah-Hartman
` (210 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guillaume Nault, Beniamino Galvani,
David Ahern, David S. Miller, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Beniamino Galvani <b.galvani@gmail.com>
[ Upstream commit 78f3655adcb52412275f282267ee771421731632 ]
The function is now UDP-specific, the protocol is always IPPROTO_UDP.
Suggested-by: Guillaume Nault <gnault@redhat.com>
Signed-off-by: Beniamino Galvani <b.galvani@gmail.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: aa6c6d9ee064 ("bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bareudp.c | 4 ++--
include/net/udp_tunnel.h | 2 +-
net/ipv4/udp_tunnel_core.c | 4 ++--
3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/net/bareudp.c b/drivers/net/bareudp.c
index bbc246d27f88a..1a9a43ed462a8 100644
--- a/drivers/net/bareudp.c
+++ b/drivers/net/bareudp.c
@@ -326,7 +326,7 @@ static int bareudp_xmit_skb(struct sk_buff *skb, struct net_device *dev,
return -ESHUTDOWN;
rt = udp_tunnel_dst_lookup(skb, dev, bareudp->net, &saddr, info,
- IPPROTO_UDP, use_cache);
+ use_cache);
if (IS_ERR(rt))
return PTR_ERR(rt);
@@ -506,7 +506,7 @@ static int bareudp_fill_metadata_dst(struct net_device *dev,
__be32 saddr;
rt = udp_tunnel_dst_lookup(skb, dev, bareudp->net, &saddr,
- info, IPPROTO_UDP, use_cache);
+ info, use_cache);
if (IS_ERR(rt))
return PTR_ERR(rt);
diff --git a/include/net/udp_tunnel.h b/include/net/udp_tunnel.h
index f9a66a33e958b..fe843d1b42efe 100644
--- a/include/net/udp_tunnel.h
+++ b/include/net/udp_tunnel.h
@@ -165,7 +165,7 @@ struct rtable *udp_tunnel_dst_lookup(struct sk_buff *skb,
struct net_device *dev,
struct net *net, __be32 *saddr,
const struct ip_tunnel_info *info,
- u8 protocol, bool use_cache);
+ bool use_cache);
struct metadata_dst *udp_tun_rx_dst(struct sk_buff *skb, unsigned short family,
__be16 flags, __be64 tunnel_id,
diff --git a/net/ipv4/udp_tunnel_core.c b/net/ipv4/udp_tunnel_core.c
index 386e983560094..c3e6a88487dbc 100644
--- a/net/ipv4/udp_tunnel_core.c
+++ b/net/ipv4/udp_tunnel_core.c
@@ -208,7 +208,7 @@ struct rtable *udp_tunnel_dst_lookup(struct sk_buff *skb,
struct net_device *dev,
struct net *net, __be32 *saddr,
const struct ip_tunnel_info *info,
- u8 protocol, bool use_cache)
+ bool use_cache)
{
#ifdef CONFIG_DST_CACHE
struct dst_cache *dst_cache;
@@ -227,7 +227,7 @@ struct rtable *udp_tunnel_dst_lookup(struct sk_buff *skb,
#endif
memset(&fl4, 0, sizeof(fl4));
fl4.flowi4_mark = skb->mark;
- fl4.flowi4_proto = protocol;
+ fl4.flowi4_proto = IPPROTO_UDP;
fl4.daddr = info->key.u.ipv4.dst;
fl4.saddr = info->key.u.ipv4.src;
tos = info->key.tos;
--
2.53.0
* [PATCH 6.1 766/969] ipv4: add new arguments to udp_tunnel_dst_lookup()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (764 preceding siblings ...)
2026-05-30 16:04 ` [PATCH 6.1 765/969] ipv4: remove "proto" argument from udp_tunnel_dst_lookup() Greg Kroah-Hartman
@ 2026-05-30 16:04 ` Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 767/969] ipv6: rename and move ip6_dst_lookup_tunnel() Greg Kroah-Hartman
` (209 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guillaume Nault, Beniamino Galvani,
David Ahern, David S. Miller, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Beniamino Galvani <b.galvani@gmail.com>
[ Upstream commit 72fc68c6356b663a8763f02d9b0ec773d59a4949 ]
We want to make the function more generic so that it can be used by
other UDP tunnel implementations such as geneve and vxlan. To do that,
add the following arguments:
- source and destination UDP port;
- ifindex of the output interface, needed by vxlan;
- the tos, because in some cases it is not taken from struct
ip_tunnel_info (for example, when it's inherited from the inner
packet);
- the dst cache, because not all tunnel types (e.g. vxlan) want to
use the one from struct ip_tunnel_info.
With these parameters, the function no longer needs the full struct
ip_tunnel_info as argument and we can pass only the relevant part of
it (struct ip_tunnel_key).
Suggested-by: Guillaume Nault <gnault@redhat.com>
Signed-off-by: Beniamino Galvani <b.galvani@gmail.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: aa6c6d9ee064 ("bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bareudp.c | 11 +++++++----
include/net/udp_tunnel.h | 8 +++++---
net/ipv4/udp_tunnel_core.c | 26 +++++++++++++-------------
3 files changed, 25 insertions(+), 20 deletions(-)
diff --git a/drivers/net/bareudp.c b/drivers/net/bareudp.c
index 1a9a43ed462a8..385cc386ecaee 100644
--- a/drivers/net/bareudp.c
+++ b/drivers/net/bareudp.c
@@ -325,8 +325,10 @@ static int bareudp_xmit_skb(struct sk_buff *skb, struct net_device *dev,
if (!sock)
return -ESHUTDOWN;
- rt = udp_tunnel_dst_lookup(skb, dev, bareudp->net, &saddr, info,
- use_cache);
+ rt = udp_tunnel_dst_lookup(skb, dev, bareudp->net, 0, &saddr, &info->key,
+ 0, 0, key->tos,
+ use_cache ?
+ (struct dst_cache *)&info->dst_cache : NULL);
if (IS_ERR(rt))
return PTR_ERR(rt);
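Review bot: the tos argument is passed as `key->tos` here while the key argument is `&info->key` and the sibling call in bareudp_fill_metadata_dst() uses `info->key.tos`; `key` is not declared in the visible context, so please confirm that 6.1's bareudp_xmit_skb() has a local `key` pointing at `&info->key`, otherwise this either fails to build or reads a different structure. Using `info->key.tos` in both calls would remove the doubt. Passing 0, 0 for sport and dport leaves fl4_sport and fl4_dport zero, which matches the earlier memset-only behaviour.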
@@ -505,8 +507,9 @@ static int bareudp_fill_metadata_dst(struct net_device *dev,
struct rtable *rt;
__be32 saddr;
- rt = udp_tunnel_dst_lookup(skb, dev, bareudp->net, &saddr,
- info, use_cache);
+ rt = udp_tunnel_dst_lookup(skb, dev, bareudp->net, 0, &saddr,
+ &info->key, 0, 0, info->key.tos,
+ use_cache ? &info->dst_cache : NULL);
if (IS_ERR(rt))
return PTR_ERR(rt);
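Review bot: `use_cache ? &info->dst_cache : NULL` is passed without the `(struct dst_cache *)` cast that the bareudp_xmit_skb() call uses for the same member. If `info` is const-qualified in this function the call discards the qualifier and will warn; if it is not, the cast at the other call site is the odd one out. Either way the two sites should be made consistent, or a one-line comment should say why they differ.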
diff --git a/include/net/udp_tunnel.h b/include/net/udp_tunnel.h
index fe843d1b42efe..f757c061aaa88 100644
--- a/include/net/udp_tunnel.h
+++ b/include/net/udp_tunnel.h
@@ -163,9 +163,11 @@ void udp_tunnel_sock_release(struct socket *sock);
struct rtable *udp_tunnel_dst_lookup(struct sk_buff *skb,
struct net_device *dev,
- struct net *net, __be32 *saddr,
- const struct ip_tunnel_info *info,
- bool use_cache);
+ struct net *net, int oif,
+ __be32 *saddr,
+ const struct ip_tunnel_key *key,
+ __be16 sport, __be16 dport, u8 tos,
+ struct dst_cache *dst_cache);
struct metadata_dst *udp_tun_rx_dst(struct sk_buff *skb, unsigned short family,
__be16 flags, __be64 tunnel_id,
diff --git a/net/ipv4/udp_tunnel_core.c b/net/ipv4/udp_tunnel_core.c
index c3e6a88487dbc..b04bea12c18f0 100644
--- a/net/ipv4/udp_tunnel_core.c
+++ b/net/ipv4/udp_tunnel_core.c
@@ -206,31 +206,31 @@ EXPORT_SYMBOL_GPL(udp_tun_rx_dst);
struct rtable *udp_tunnel_dst_lookup(struct sk_buff *skb,
struct net_device *dev,
- struct net *net, __be32 *saddr,
- const struct ip_tunnel_info *info,
- bool use_cache)
+ struct net *net, int oif,
+ __be32 *saddr,
+ const struct ip_tunnel_key *key,
+ __be16 sport, __be16 dport, u8 tos,
+ struct dst_cache *dst_cache)
{
-#ifdef CONFIG_DST_CACHE
- struct dst_cache *dst_cache;
-#endif
struct rtable *rt = NULL;
struct flowi4 fl4;
- __u8 tos;
#ifdef CONFIG_DST_CACHE
- dst_cache = (struct dst_cache *)&info->dst_cache;
- if (use_cache) {
+ if (dst_cache) {
rt = dst_cache_get_ip4(dst_cache, saddr);
if (rt)
return rt;
}
#endif
+
memset(&fl4, 0, sizeof(fl4));
fl4.flowi4_mark = skb->mark;
fl4.flowi4_proto = IPPROTO_UDP;
- fl4.daddr = info->key.u.ipv4.dst;
- fl4.saddr = info->key.u.ipv4.src;
- tos = info->key.tos;
+ fl4.flowi4_oif = oif;
+ fl4.daddr = key->u.ipv4.dst;
+ fl4.saddr = key->u.ipv4.src;
+ fl4.fl4_dport = dport;
+ fl4.fl4_sport = sport;
fl4.flowi4_tos = RT_TOS(tos);
rt = ip_route_output_key(net, &fl4);
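Review bot: the prototype grows to ten parameters with no kernel-doc, and several of the new ones carry conventions a caller can get wrong: `sport` and `dport` are __be16 and are stored directly into fl4_sport and fl4_dport, `tos` now comes from the caller rather than from the tunnel key, and `dst_cache` may be NULL to skip caching since it replaces the old `use_cache` flag. With CONFIG_DST_CACHE unset the `dst_cache` argument is silently ignored. A kernel-doc block stating these points, including that bareudp passes 0 for `oif` and both ports, would make the helper safe to reuse.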
@@ -244,7 +244,7 @@ struct rtable *udp_tunnel_dst_lookup(struct sk_buff *skb,
return ERR_PTR(-ELOOP);
}
#ifdef CONFIG_DST_CACHE
- if (use_cache)
+ if (dst_cache)
dst_cache_set_ip4(dst_cache, &rt->dst, fl4.saddr);
#endif
*saddr = fl4.saddr;
--
2.53.0
* [PATCH 6.1 767/969] ipv6: rename and move ip6_dst_lookup_tunnel()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (765 preceding siblings ...)
2026-05-30 16:04 ` [PATCH 6.1 766/969] ipv4: add new arguments to udp_tunnel_dst_lookup() Greg Kroah-Hartman
@ 2026-05-30 16:04 ` Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 768/969] bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst() Greg Kroah-Hartman
` (208 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guillaume Nault, Beniamino Galvani,
David Ahern, David S. Miller, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Beniamino Galvani <b.galvani@gmail.com>
[ Upstream commit fc47e86dbfb75a864c0c9dd8e78affb6506296bb ]
At the moment ip6_dst_lookup_tunnel() is used only by bareudp.
Ideally, other UDP tunnel implementations should use it, but to do so
the function needs to accept new parameters that are specific for UDP
tunnels, such as the ports.
Prepare for these changes by renaming the function to
udp_tunnel6_dst_lookup() and move it to file
net/ipv6/ip6_udp_tunnel.c.
This is similar to what was already done for IPv4 in commit bf3fcbf7e7a0
("ipv4: rename and move ip_route_output_tunnel()").
Suggested-by: Guillaume Nault <gnault@redhat.com>
Signed-off-by: Beniamino Galvani <b.galvani@gmail.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: aa6c6d9ee064 ("bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bareudp.c | 10 +++---
include/net/ipv6.h | 6 ----
include/net/udp_tunnel.h | 7 ++++
net/ipv6/ip6_output.c | 68 --------------------------------------
net/ipv6/ip6_udp_tunnel.c | 69 +++++++++++++++++++++++++++++++++++++++
5 files changed, 81 insertions(+), 79 deletions(-)
diff --git a/drivers/net/bareudp.c b/drivers/net/bareudp.c
index 385cc386ecaee..150049d9a81a7 100644
--- a/drivers/net/bareudp.c
+++ b/drivers/net/bareudp.c
@@ -393,8 +393,8 @@ static int bareudp6_xmit_skb(struct sk_buff *skb, struct net_device *dev,
if (!sock)
return -ESHUTDOWN;
- dst = ip6_dst_lookup_tunnel(skb, dev, bareudp->net, sock, &saddr, info,
- IPPROTO_UDP, use_cache);
+ dst = udp_tunnel6_dst_lookup(skb, dev, bareudp->net, sock, &saddr, info,
+ IPPROTO_UDP, use_cache);
if (IS_ERR(dst))
return PTR_ERR(dst);
@@ -520,9 +520,9 @@ static int bareudp_fill_metadata_dst(struct net_device *dev,
struct in6_addr saddr;
struct socket *sock = rcu_dereference(bareudp->sock);
- dst = ip6_dst_lookup_tunnel(skb, dev, bareudp->net, sock,
- &saddr, info, IPPROTO_UDP,
- use_cache);
+ dst = udp_tunnel6_dst_lookup(skb, dev, bareudp->net, sock,
+ &saddr, info, IPPROTO_UDP,
+ use_cache);
if (IS_ERR(dst))
return PTR_ERR(dst);
diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index f4307b35294cf..e4715ac2ed672 100644
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -1098,12 +1098,6 @@ struct dst_entry *ip6_dst_lookup_flow(struct net *net, const struct sock *sk, st
struct dst_entry *ip6_sk_dst_lookup_flow(struct sock *sk, struct flowi6 *fl6,
const struct in6_addr *final_dst,
bool connected);
-struct dst_entry *ip6_dst_lookup_tunnel(struct sk_buff *skb,
- struct net_device *dev,
- struct net *net, struct socket *sock,
- struct in6_addr *saddr,
- const struct ip_tunnel_info *info,
- u8 protocol, bool use_cache);
struct dst_entry *ip6_blackhole_route(struct net *net,
struct dst_entry *orig_dst);
diff --git a/include/net/udp_tunnel.h b/include/net/udp_tunnel.h
index f757c061aaa88..7421fa1d5ec96 100644
--- a/include/net/udp_tunnel.h
+++ b/include/net/udp_tunnel.h
@@ -168,6 +168,13 @@ struct rtable *udp_tunnel_dst_lookup(struct sk_buff *skb,
const struct ip_tunnel_key *key,
__be16 sport, __be16 dport, u8 tos,
struct dst_cache *dst_cache);
+struct dst_entry *udp_tunnel6_dst_lookup(struct sk_buff *skb,
+ struct net_device *dev,
+ struct net *net,
+ struct socket *sock,
+ struct in6_addr *saddr,
+ const struct ip_tunnel_info *info,
+ u8 protocol, bool use_cache);
struct metadata_dst *udp_tun_rx_dst(struct sk_buff *skb, unsigned short family,
__be16 flags, __be64 tunnel_id,
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 4ea4da0e71c94..1e491fa7793ad 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1305,74 +1305,6 @@ struct dst_entry *ip6_sk_dst_lookup_flow(struct sock *sk, struct flowi6 *fl6,
}
EXPORT_SYMBOL_GPL(ip6_sk_dst_lookup_flow);
-/**
- * ip6_dst_lookup_tunnel - perform route lookup on tunnel
- * @skb: Packet for which lookup is done
- * @dev: Tunnel device
- * @net: Network namespace of tunnel device
- * @sock: Socket which provides route info
- * @saddr: Memory to store the src ip address
- * @info: Tunnel information
- * @protocol: IP protocol
- * @use_cache: Flag to enable cache usage
- * This function performs a route lookup on a tunnel
- *
- * It returns a valid dst pointer and stores src address to be used in
- * tunnel in param saddr on success, else a pointer encoded error code.
- */
-
-struct dst_entry *ip6_dst_lookup_tunnel(struct sk_buff *skb,
- struct net_device *dev,
- struct net *net,
- struct socket *sock,
- struct in6_addr *saddr,
- const struct ip_tunnel_info *info,
- u8 protocol,
- bool use_cache)
-{
- struct dst_entry *dst = NULL;
-#ifdef CONFIG_DST_CACHE
- struct dst_cache *dst_cache;
-#endif
- struct flowi6 fl6;
- __u8 prio;
-
-#ifdef CONFIG_DST_CACHE
- dst_cache = (struct dst_cache *)&info->dst_cache;
- if (use_cache) {
- dst = dst_cache_get_ip6(dst_cache, saddr);
- if (dst)
- return dst;
- }
-#endif
- memset(&fl6, 0, sizeof(fl6));
- fl6.flowi6_mark = skb->mark;
- fl6.flowi6_proto = protocol;
- fl6.daddr = info->key.u.ipv6.dst;
- fl6.saddr = info->key.u.ipv6.src;
- prio = info->key.tos;
- fl6.flowlabel = ip6_make_flowinfo(prio, info->key.label);
-
- dst = ipv6_stub->ipv6_dst_lookup_flow(net, sock->sk, &fl6,
- NULL);
- if (IS_ERR(dst)) {
- netdev_dbg(dev, "no route to %pI6\n", &fl6.daddr);
- return ERR_PTR(-ENETUNREACH);
- }
- if (dst->dev == dev) { /* is this necessary? */
- netdev_dbg(dev, "circular route to %pI6\n", &fl6.daddr);
- dst_release(dst);
- return ERR_PTR(-ELOOP);
- }
-#ifdef CONFIG_DST_CACHE
- if (use_cache)
- dst_cache_set_ip6(dst_cache, dst, &fl6.saddr);
-#endif
- *saddr = fl6.saddr;
- return dst;
-}
-EXPORT_SYMBOL_GPL(ip6_dst_lookup_tunnel);
-
static inline struct ipv6_opt_hdr *ip6_opt_dup(struct ipv6_opt_hdr *src,
gfp_t gfp)
{
diff --git a/net/ipv6/ip6_udp_tunnel.c b/net/ipv6/ip6_udp_tunnel.c
index cdc4d4ee24206..7aef559e60ec5 100644
--- a/net/ipv6/ip6_udp_tunnel.c
+++ b/net/ipv6/ip6_udp_tunnel.c
@@ -1,3 +1,4 @@
+
// SPDX-License-Identifier: GPL-2.0-only
#include <linux/module.h>
#include <linux/errno.h>
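Review bot: the only change in this hunk is a blank line inserted above `// SPDX-License-Identifier: GPL-2.0-only`, which moves the SPDX tag off the first line of net/ipv6/ip6_udp_tunnel.c. The tag is expected on line 1 of the file, so this stray `+` line should be dropped.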
@@ -111,4 +112,72 @@ int udp_tunnel6_xmit_skb(struct dst_entry *dst, struct sock *sk,
}
EXPORT_SYMBOL_GPL(udp_tunnel6_xmit_skb);
+/**
+ * udp_tunnel6_dst_lookup - perform route lookup on UDP tunnel
+ * @skb: Packet for which lookup is done
+ * @dev: Tunnel device
+ * @net: Network namespace of tunnel device
+ * @sock: Socket which provides route info
+ * @saddr: Memory to store the src ip address
+ * @info: Tunnel information
+ * @protocol: IP protocol
+ * @use_cache: Flag to enable cache usage
+ * This function performs a route lookup on a UDP tunnel
+ *
+ * It returns a valid dst pointer and stores src address to be used in
+ * tunnel in param saddr on success, else a pointer encoded error code.
+ */
+
+struct dst_entry *udp_tunnel6_dst_lookup(struct sk_buff *skb,
+ struct net_device *dev,
+ struct net *net,
+ struct socket *sock,
+ struct in6_addr *saddr,
+ const struct ip_tunnel_info *info,
+ u8 protocol,
+ bool use_cache)
+{
+ struct dst_entry *dst = NULL;
+#ifdef CONFIG_DST_CACHE
+ struct dst_cache *dst_cache;
+#endif
+ struct flowi6 fl6;
+ __u8 prio;
+
+#ifdef CONFIG_DST_CACHE
+ dst_cache = (struct dst_cache *)&info->dst_cache;
+ if (use_cache) {
+ dst = dst_cache_get_ip6(dst_cache, saddr);
+ if (dst)
+ return dst;
+ }
+#endif
+ memset(&fl6, 0, sizeof(fl6));
+ fl6.flowi6_mark = skb->mark;
+ fl6.flowi6_proto = protocol;
+ fl6.daddr = info->key.u.ipv6.dst;
+ fl6.saddr = info->key.u.ipv6.src;
+ prio = info->key.tos;
+ fl6.flowlabel = ip6_make_flowinfo(prio, info->key.label);
+
+ dst = ipv6_stub->ipv6_dst_lookup_flow(net, sock->sk, &fl6,
+ NULL);
+ if (IS_ERR(dst)) {
+ netdev_dbg(dev, "no route to %pI6\n", &fl6.daddr);
+ return ERR_PTR(-ENETUNREACH);
+ }
+ if (dst->dev == dev) { /* is this necessary? */
+ netdev_dbg(dev, "circular route to %pI6\n", &fl6.daddr);
+ dst_release(dst);
+ return ERR_PTR(-ELOOP);
+ }
+#ifdef CONFIG_DST_CACHE
+ if (use_cache)
+ dst_cache_set_ip6(dst_cache, dst, &fl6.saddr);
+#endif
+ *saddr = fl6.saddr;
+ return dst;
+}
+EXPORT_SYMBOL_GPL(udp_tunnel6_dst_lookup);
+
MODULE_LICENSE("GPL");
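Review bot: udp_tunnel6_dst_lookup() passes `sock->sk` to ipv6_dst_lookup_flow() with no check on `sock`, and the kernel-doc line for `@sock` does not say it must be non-NULL. The bareudp_fill_metadata_dst() call site in this same patch hands it `rcu_dereference(bareudp->sock)` unchecked, unlike bareudp6_xmit_skb(), which returns -ESHUTDOWN on `!sock` before the lookup. Either document the non-NULL requirement in the kernel-doc or add the check at that call site. The kernel-doc also wants a blank ` *` line between `@use_cache` and the description paragraph.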
--
2.53.0
* [PATCH 6.1 768/969] bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (766 preceding siblings ...)
2026-05-30 16:04 ` [PATCH 6.1 767/969] ipv6: rename and move ip6_dst_lookup_tunnel() Greg Kroah-Hartman
@ 2026-05-30 16:04 ` Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 769/969] net/sched: sch_cake: annotate data-races in cake_dump_stats() (V) Greg Kroah-Hartman
` (207 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi,
Kuniyuki Iwashima, Eric Dumazet, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Weiming Shi <bestswngs@gmail.com>
[ Upstream commit aa6c6d9ee064aabfede4402fd1283424e649ca19 ]
bareudp_fill_metadata_dst() passes bareudp->sock to
udp_tunnel6_dst_lookup() in the IPv6 path without a NULL check.
The socket is only created in bareudp_open() and NULLed in
bareudp_stop(), so calling this function while the device is down
triggers a NULL dereference via sock->sk.
BUG: kernel NULL pointer dereference, address: 0000000000000018
RIP: 0010:udp_tunnel6_dst_lookup (net/ipv6/ip6_udp_tunnel.c:160)
Call Trace:
<TASK>
bareudp_fill_metadata_dst (drivers/net/bareudp.c:532)
do_execute_actions (net/openvswitch/actions.c:901)
ovs_execute_actions (net/openvswitch/actions.c:1589)
ovs_packet_cmd_execute (net/openvswitch/datapath.c:700)
genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114)
genl_rcv_msg (net/netlink/genetlink.c:1209)
netlink_rcv_skb (net/netlink/af_netlink.c:2550)
</TASK>
Add a NULL check returning -ESHUTDOWN, consistent with the xmit paths
in the same driver.
Fixes: 571912c69f0e ("net: UDP tunnel encapsulation module for tunnelling different protocols like MPLS, IP, NSH etc.")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260426165350.1663137-2-bestswngs@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bareudp.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/bareudp.c b/drivers/net/bareudp.c
index 150049d9a81a7..b181c03368153 100644
--- a/drivers/net/bareudp.c
+++ b/drivers/net/bareudp.c
@@ -520,6 +520,9 @@ static int bareudp_fill_metadata_dst(struct net_device *dev,
struct in6_addr saddr;
struct socket *sock = rcu_dereference(bareudp->sock);
+ if (!sock)
+ return -ESHUTDOWN;
+
dst = udp_tunnel6_dst_lookup(skb, dev, bareudp->net, sock,
&saddr, info, IPPROTO_UDP,
use_cache);
--
2.53.0
* [PATCH 6.1 769/969] net/sched: sch_cake: annotate data-races in cake_dump_stats() (V)
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (767 preceding siblings ...)
2026-05-30 16:04 ` [PATCH 6.1 768/969] bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst() Greg Kroah-Hartman
@ 2026-05-30 16:04 ` Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 770/969] net: netconsole: move newline trimming to function Greg Kroah-Hartman
` (206 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet,
Toke Høiland-Jørgensen, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit a6c95b833dc17e84d16a8ac0f40fd0931616a52d ]
cake_dump_stats() runs without qdisc spinlock being held.
In this final patch, I add READ_ONCE()/WRITE_ONCE() annotations
for cparams.target and cparams.interval.
Fixes: 046f6fd5daef ("sched: Add Common Applications Kept Enhanced (cake) qdisc")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: "Toke Høiland-Jørgensen" <toke@toke.dk>
Link: https://patch.msgid.link/20260427083606.459355-6-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_cake.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c
index 204cc04d4c6e8..c6c03f758d0d7 100644
--- a/net/sched/sch_cake.c
+++ b/net/sched/sch_cake.c
@@ -2313,10 +2313,11 @@ static void cake_set_rate(struct cake_tin_data *b, u64 rate, u32 mtu,
byte_target_ns = (byte_target * rate_ns) >> rate_shft;
- b->cparams.target = max((byte_target_ns * 3) / 2, target_ns);
- b->cparams.interval = max(rtt_est_ns +
- b->cparams.target - target_ns,
- b->cparams.target * 2);
+ WRITE_ONCE(b->cparams.target,
+ max((byte_target_ns * 3) / 2, target_ns));
+ WRITE_ONCE(b->cparams.interval,
+ max(rtt_est_ns + b->cparams.target - target_ns,
+ b->cparams.target * 2));
b->cparams.mtu_time = byte_target_ns;
b->cparams.p_inc = 1 << 24; /* 1/256 */
b->cparams.p_dec = 1 << 20; /* 1/4096 */
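Review bot: the WRITE_ONCE() for cparams.interval in cake_set_rate() reads `b->cparams.target` back twice with plain loads immediately after publishing it. Computing the target into a local first, then using that local for both WRITE_ONCE() calls, keeps the writer side free of re-reads and makes it obvious that interval is derived from the value just stored. The neighbouring stores to mtu_time, p_inc and p_dec stay plain, which is only correct if no lockless reader touches them; the changelog should say so.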
@@ -2930,9 +2931,9 @@ static int cake_dump_stats(struct Qdisc *sch, struct gnet_dump *d)
PUT_TSTAT_U32(BACKLOG_BYTES, b->tin_backlog);
PUT_TSTAT_U32(TARGET_US,
- ktime_to_us(ns_to_ktime(b->cparams.target)));
+ ktime_to_us(ns_to_ktime(READ_ONCE(b->cparams.target))));
PUT_TSTAT_U32(INTERVAL_US,
- ktime_to_us(ns_to_ktime(b->cparams.interval)));
+ ktime_to_us(ns_to_ktime(READ_ONCE(b->cparams.interval))));
PUT_TSTAT_U32(SENT_PACKETS, b->packets);
PUT_TSTAT_U32(DROPPED_PACKETS, b->tin_dropped);
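Review bot: the context lines of this hunk still read `b->tin_backlog`, `b->packets` and `b->tin_dropped` with plain loads inside the same lockless cake_dump_stats(). The changelog calls this the final patch of a series, so check that the earlier parts are queued for 6.1 as well; otherwise only target and interval end up annotated here. Also note that target and interval are loaded by two separate READ_ONCE() calls, so a dump can pair values from two different cake_set_rate() runs, which is acceptable for statistics but worth a word in the commit message.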
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 770/969] net: netconsole: move newline trimming to function
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (768 preceding siblings ...)
2026-05-30 16:04 ` [PATCH 6.1 769/969] net/sched: sch_cake: annotate data-races in cake_dump_stats() (V) Greg Kroah-Hartman
@ 2026-05-30 16:04 ` Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 771/969] netconsole: propagate device name truncation in dev_name_store() Greg Kroah-Hartman
` (205 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthew Wood, David S. Miller,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Wood <thepacketgeek@gmail.com>
[ Upstream commit ae001dc67907618423fd15bbab2014308c00ad0b ]
Move newline trimming logic from `dev_name_store()` to a new function
(trim_newline()) for shared use in netconsole.c
Signed-off-by: Matthew Wood <thepacketgeek@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 92ceb7bff62c ("netconsole: propagate device name truncation in dev_name_store()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/netconsole.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/drivers/net/netconsole.c b/drivers/net/netconsole.c
index 1e797f1ddc31c..f9bf2c9a3ae2a 100644
--- a/drivers/net/netconsole.c
+++ b/drivers/net/netconsole.c
@@ -240,6 +240,16 @@ static struct netconsole_target *to_target(struct config_item *item)
NULL;
}
+/* Get rid of possible trailing newline, returning the new length */
+static void trim_newline(char *s, size_t maxlen)
+{
+ size_t len;
+
+ len = strnlen(s, maxlen);
+ if (s[len - 1] == '\n')
+ s[len - 1] = '\0';
+}
+
/*
* Attribute operations for netconsole_target.
*/
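Review bot: trim_newline() evaluates `s[len - 1]` even when strnlen() returns 0, so an empty string indexes one byte before the buffer; guard it with `if (len && s[len - 1] == '\n')`. The removed lines in dev_name_store() had the same pattern, but moving it into a shared helper widens the set of callers that can hit it. The comment also promises "returning the new length" while the function is declared void, so either return the length or drop that clause.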
@@ -404,7 +414,6 @@ static ssize_t dev_name_store(struct config_item *item, const char *buf,
size_t count)
{
struct netconsole_target *nt = to_target(item);
- size_t len;
mutex_lock(&dynamic_netconsole_mutex);
if (nt->enabled) {
@@ -415,11 +424,7 @@ static ssize_t dev_name_store(struct config_item *item, const char *buf,
}
strscpy(nt->np.dev_name, buf, IFNAMSIZ);
-
- /* Get rid of possible trailing newline from echo(1) */
- len = strnlen(nt->np.dev_name, IFNAMSIZ);
- if (nt->np.dev_name[len - 1] == '\n')
- nt->np.dev_name[len - 1] = '\0';
+ trim_newline(nt->np.dev_name, IFNAMSIZ);
mutex_unlock(&dynamic_netconsole_mutex);
return strnlen(buf, count);
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 771/969] netconsole: propagate device name truncation in dev_name_store()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (769 preceding siblings ...)
2026-05-30 16:04 ` [PATCH 6.1 770/969] net: netconsole: move newline trimming to function Greg Kroah-Hartman
@ 2026-05-30 16:04 ` Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 772/969] ALSA: hda/conexant: fix some typos Greg Kroah-Hartman
` (204 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Breno Leitao, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Breno Leitao <leitao@debian.org>
[ Upstream commit 92ceb7bff62c2606f664c204750eca0b85d44112 ]
dev_name_store() calls strscpy(nt->np.dev_name, buf, IFNAMSIZ) without
checking the return value. If userspace writes an interface name longer
than IFNAMSIZ - 1, strscpy() silently truncates and returns -E2BIG, but
the function ignores it and reports a fully successful write back to
userspace.
If a real interface happens to match the truncated name, netconsole will
bind to the wrong device on the next enable, sending kernel logs and
panic output to an unintended network segment with no indication to
userspace that anything was rewritten.
Reject writes whose length cannot fit in nt->np.dev_name up front:
if (count >= IFNAMSIZ)
return -ENAMETOOLONG;
This is not a big deal of a problem, but, it is still the correct
approach.
Fixes: 0bcc1816188e57 ("[NET] netconsole: Support dynamic reconfiguration using configfs")
Signed-off-by: Breno Leitao <leitao@debian.org>
Link: https://patch.msgid.link/20260427-netconsole_ai_fixes-v2-3-59965f29d9cc@debian.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/netconsole.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/net/netconsole.c b/drivers/net/netconsole.c
index f9bf2c9a3ae2a..d150287c01a7d 100644
--- a/drivers/net/netconsole.c
+++ b/drivers/net/netconsole.c
@@ -414,6 +414,13 @@ static ssize_t dev_name_store(struct config_item *item, const char *buf,
size_t count)
{
struct netconsole_target *nt = to_target(item);
+ size_t len = count;
+
+ /* Account for a trailing newline appended by tools like echo */
+ if (len && buf[len - 1] == '\n')
+ len--;
+ if (len >= IFNAMSIZ)
+ return -ENAMETOOLONG;
mutex_lock(&dynamic_netconsole_mutex);
if (nt->enabled) {
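Review bot: the check added to dev_name_store() is `len >= IFNAMSIZ` after discounting one trailing newline, whereas the commit message quotes `if (count >= IFNAMSIZ)`. The code is the form that lets a name of IFNAMSIZ - 1 characters written with echo still pass, so the changelog should quote what is actually applied. The strscpy() call itself is outside this hunk and its return value is still not checked; a short comment stating that the length test above makes truncation of the name impossible would document why that is safe.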
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
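The truncation described in the commit message above, modelled in user space as an added example (not code from the patch or from the kernel). `model_strscpy()` and `model_trim_newline()` are stand-ins written for this example, the two `store_*()` functions are simplified models of dev_name_store() before and after the change, and the interface names are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define IFNAMSIZ 16 /* same value the kernel uses for interface names */

/* Stand-in for strscpy(): copy at most size - 1 bytes, always terminate,
 * return the copied length or -E2BIG when the source did not fit. */
static ssize_t model_strscpy(char *dst, const char *src, size_t size)
{
	size_t len;

	if (size == 0)
		return -E2BIG;
	len = strnlen(src, size);
	if (len == size) {
		memcpy(dst, src, size - 1);
		dst[size - 1] = '\0';
		return -E2BIG;
	}
	memcpy(dst, src, len + 1);
	return (ssize_t)len;
}

/* Drop one trailing newline; guarded here so an empty string is safe. */
static void model_trim_newline(char *s, size_t maxlen)
{
	size_t len = strnlen(s, maxlen);

	if (len && s[len - 1] == '\n')
		s[len - 1] = '\0';
}

/* Model of the old behaviour: the truncation result is ignored and the
 * write is reported as fully successful. */
static ssize_t store_unchecked(char *dev_name, const char *buf, size_t count)
{
	(void)model_strscpy(dev_name, buf, IFNAMSIZ);
	model_trim_newline(dev_name, IFNAMSIZ);
	return (ssize_t)strnlen(buf, count);
}

/* Model of the patched behaviour: discount one trailing newline, then
 * reject anything that cannot fit before dev_name is touched. */
static ssize_t store_checked(char *dev_name, const char *buf, size_t count)
{
	size_t len = count;

	if (len && buf[len - 1] == '\n')
		len--;
	if (len >= IFNAMSIZ)
		return -ENAMETOOLONG;

	/* Only the newline can be cut off here, so the name is intact. */
	(void)model_strscpy(dev_name, buf, IFNAMSIZ);
	model_trim_newline(dev_name, IFNAMSIZ);
	return (ssize_t)strnlen(buf, count);
}

int main(void)
{
	/* Constructed input: 22 characters plus the newline echo(1) adds. */
	const char *too_long = "vlan-management-backup\n";
	/* Constructed input: exactly IFNAMSIZ - 1 characters plus newline. */
	const char *fits = "vlan-management\n";
	char before[IFNAMSIZ] = "eth0";
	char after[IFNAMSIZ] = "eth0";
	ssize_t ret;

	ret = store_unchecked(before, too_long, strlen(too_long));
	printf("unchecked: ret=%zd dev_name=\"%s\"\n", ret, before);

	ret = store_checked(after, too_long, strlen(too_long));
	printf("checked:   ret=%zd dev_name=\"%s\"\n", ret, after);

	ret = store_checked(after, fits, strlen(fits));
	printf("checked:   ret=%zd dev_name=\"%s\"\n", ret, after);
	return 0;
}
```

In the unchecked model the write of `vlan-management-backup` is acknowledged in full while the stored name becomes `vlan-management`, a different and plausible interface; the checked model leaves the previous name in place and returns -ENAMETOOLONG.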
* [PATCH 6.1 772/969] ALSA: hda/conexant: fix some typos
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (770 preceding siblings ...)
2026-05-30 16:04 ` [PATCH 6.1 771/969] netconsole: propagate device name truncation in dev_name_store() Greg Kroah-Hartman
@ 2026-05-30 16:04 ` Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 773/969] ALSA: hda/conexant: Renaming the codec with device ID 0x1f86 and 0x1f87 Greg Kroah-Hartman
` (203 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Oldherl Oh, Takashi Iwai,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oldherl Oh <me@oldherl.one>
[ Upstream commit 73253f2fd1d0a44708735c842e37163712e3f03b ]
Fix some typos in patch_conexant.c
Signed-off-by: Oldherl Oh <me@oldherl.one>
Link: https://patch.msgid.link/20240930084132.3373750-1-me@oldherl.one
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Stable-dep-of: b0e2333a2311 ("ALSA: hda/conexant: Fix missing error check for jack detection")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/patch_conexant.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
index e5837e47aa227..394932123b51d 100644
--- a/sound/pci/hda/patch_conexant.c
+++ b/sound/pci/hda/patch_conexant.c
@@ -166,18 +166,18 @@ static void cxt_init_gpio_led(struct hda_codec *codec)
static void cx_fixup_headset_recog(struct hda_codec *codec)
{
- unsigned int mic_persent;
+ unsigned int mic_present;
/* fix some headset type recognize fail issue, such as EDIFIER headset */
- /* set micbiasd output current comparator threshold from 66% to 55%. */
+ /* set micbias output current comparator threshold from 66% to 55%. */
snd_hda_codec_write(codec, 0x1c, 0, 0x320, 0x010);
- /* set OFF voltage for DFET from -1.2V to -0.8V, set headset micbias registor
+ /* set OFF voltage for DFET from -1.2V to -0.8V, set headset micbias register
* value adjustment trim from 2.2K ohms to 2.0K ohms.
*/
snd_hda_codec_write(codec, 0x1c, 0, 0x3b0, 0xe10);
/* fix reboot headset type recognize fail issue */
- mic_persent = snd_hda_codec_read(codec, 0x19, 0, AC_VERB_GET_PIN_SENSE, 0x0);
- if (mic_persent & AC_PINSENSE_PRESENCE)
+ mic_present = snd_hda_codec_read(codec, 0x19, 0, AC_VERB_GET_PIN_SENSE, 0x0);
+ if (mic_present & AC_PINSENSE_PRESENCE)
/* enable headset mic VREF */
snd_hda_codec_write(codec, 0x19, 0, AC_VERB_SET_PIN_WIDGET_CONTROL, 0x24);
else
@@ -247,9 +247,9 @@ static void cx_update_headset_mic_vref(struct hda_codec *codec, struct hda_jack_
{
unsigned int mic_present;
- /* In cx8070 and sn6140, the node 16 can only be config to headphone or disabled,
- * the node 19 can only be config to microphone or disabled.
- * Check hp&mic tag to process headset pulgin&plugout.
+ /* In cx8070 and sn6140, the node 16 can only be configured to headphone or disabled,
+ * the node 19 can only be configured to microphone or disabled.
+ * Check hp&mic tag to process headset plugin & plugout.
*/
mic_present = snd_hda_codec_read(codec, 0x19, 0, AC_VERB_GET_PIN_SENSE, 0x0);
if (!(mic_present & AC_PINSENSE_PRESENCE)) /* mic plugout */
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 773/969] ALSA: hda/conexant: Renaming the codec with device ID 0x1f86 and 0x1f87
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (771 preceding siblings ...)
2026-05-30 16:04 ` [PATCH 6.1 772/969] ALSA: hda/conexant: fix some typos Greg Kroah-Hartman
@ 2026-05-30 16:04 ` Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 774/969] ALSA: hda/conexant: Fix missing error check for jack detection Greg Kroah-Hartman
` (202 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, wangdicheng, Takashi Iwai,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: wangdicheng <wangdicheng@kylinos.cn>
[ Upstream commit 7f4c540e0859e2025675d2c5c5c6ab88eaf817e2 ]
Due to changes in the manufacturer's plan, all 0x14f11f86 will be
named CX11880, and 0x14f11f87 will be named SN6140
Signed-off-by: wangdicheng <wangdicheng@kylinos.cn>
Link: https://patch.msgid.link/20250616074331.581309-1-wangdich9700@163.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Stable-dep-of: b0e2333a2311 ("ALSA: hda/conexant: Fix missing error check for jack detection")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/patch_conexant.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
index 394932123b51d..7aeaccc9189c8 100644
--- a/sound/pci/hda/patch_conexant.c
+++ b/sound/pci/hda/patch_conexant.c
@@ -42,7 +42,7 @@ struct conexant_spec {
unsigned int gpio_led;
unsigned int gpio_mute_led_mask;
unsigned int gpio_mic_led_mask;
- bool is_cx8070_sn6140;
+ bool is_cx11880_sn6140;
};
@@ -195,7 +195,7 @@ static int cx_auto_init(struct hda_codec *codec)
cxt_init_gpio_led(codec);
snd_hda_apply_fixup(codec, HDA_FIXUP_ACT_INIT);
- if (spec->is_cx8070_sn6140)
+ if (spec->is_cx11880_sn6140)
cx_fixup_headset_recog(codec);
return 0;
@@ -247,7 +247,7 @@ static void cx_update_headset_mic_vref(struct hda_codec *codec, struct hda_jack_
{
unsigned int mic_present;
- /* In cx8070 and sn6140, the node 16 can only be configured to headphone or disabled,
+ /* In cx11880 and sn6140, the node 16 can only be configured to headphone or disabled,
* the node 19 can only be configured to microphone or disabled.
* Check hp&mic tag to process headset plugin & plugout.
*/
@@ -1210,11 +1210,11 @@ static int patch_conexant_auto(struct hda_codec *codec)
codec->spec = spec;
codec->patch_ops = cx_auto_patch_ops;
- /* init cx8070/sn6140 flag and reset headset_present_flag */
+ /* init cx11880/sn6140 flag and reset headset_present_flag */
switch (codec->core.vendor_id) {
case 0x14f11f86:
case 0x14f11f87:
- spec->is_cx8070_sn6140 = true;
+ spec->is_cx11880_sn6140 = true;
snd_hda_jack_detect_enable_callback(codec, 0x19, cx_update_headset_mic_vref);
break;
}
@@ -1302,7 +1302,7 @@ static int patch_conexant_auto(struct hda_codec *codec)
*/
static const struct hda_device_id snd_hda_id_conexant[] = {
- HDA_CODEC_ENTRY(0x14f11f86, "CX8070", patch_conexant_auto),
+ HDA_CODEC_ENTRY(0x14f11f86, "CX11880", patch_conexant_auto),
HDA_CODEC_ENTRY(0x14f11f87, "SN6140", patch_conexant_auto),
HDA_CODEC_ENTRY(0x14f12008, "CX8200", patch_conexant_auto),
HDA_CODEC_ENTRY(0x14f120d0, "CX11970", patch_conexant_auto),
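Review bot: the HDA_CODEC_ENTRY() change for 0x14f11f86 from "CX8070" to "CX11880" is the one user-visible change in an otherwise mechanical rename, and the changelog does not call it out. Anything in user space that matches on the old codec name string will stop matching after this stable update, so the commit message should state that the reported name changes for existing hardware.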
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 774/969] ALSA: hda/conexant: Fix missing error check for jack detection
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (772 preceding siblings ...)
2026-05-30 16:04 ` [PATCH 6.1 773/969] ALSA: hda/conexant: Renaming the codec with device ID 0x1f86 and 0x1f87 Greg Kroah-Hartman
@ 2026-05-30 16:04 ` Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 775/969] futex: Prevent lockup in requeue-PI during signal/ timeout wakeup Greg Kroah-Hartman
` (201 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, wangdicheng, Takashi Iwai,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: wangdicheng <wangdicheng@kylinos.cn>
[ Upstream commit b0e2333a231107adedd38c6fcfe1adc6162716fc ]
In cx_probe(), the return value of snd_hda_jack_detect_enable_callback()
is ignored. This function returns a pointer, and if it fails (e.g., due
to memory allocation failure), it returns an error pointer which must
be checked using IS_ERR().
If the registration fails, the driver continues to probe, but the jack
detection callback will not be registered. This can lead to a kernel
crash later when the driver attempts to handle jack events or accesses
the uninitialized structure.
Check the return value using IS_ERR() and propagate the error via
PTR_ERR() to the probe caller.
Fixes: 7aeb25908648 ("ALSA: hda/conexant: Fix headset auto detect fail in cx8070 and SN6140")
Signed-off-by: wangdicheng <wangdicheng@kylinos.cn>
Link: https://patch.msgid.link/20260428080450.108801-1-wangdich9700@163.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/patch_conexant.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
index 7aeaccc9189c8..82186c4364c9b 100644
--- a/sound/pci/hda/patch_conexant.c
+++ b/sound/pci/hda/patch_conexant.c
@@ -1199,6 +1199,7 @@ static void add_cx5051_fake_mutes(struct hda_codec *codec)
static int patch_conexant_auto(struct hda_codec *codec)
{
struct conexant_spec *spec;
+ struct hda_jack_callback *callback;
int err;
codec_info(codec, "%s: BIOS auto-probing.\n", codec->core.chip_name);
@@ -1215,7 +1216,12 @@ static int patch_conexant_auto(struct hda_codec *codec)
case 0x14f11f86:
case 0x14f11f87:
spec->is_cx11880_sn6140 = true;
- snd_hda_jack_detect_enable_callback(codec, 0x19, cx_update_headset_mic_vref);
+ callback = snd_hda_jack_detect_enable_callback(codec, 0x19,
+ cx_update_headset_mic_vref);
+ if (IS_ERR(callback)) {
+ err = PTR_ERR(callback);
+ goto error;
+ }
break;
}
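Review bot: the changelog says the unchecked call is in cx_probe(), but the hunk header places it in patch_conexant_auto(); the commit message for this backport should name the function that is actually patched. The `error` label targeted by the new `goto` is outside the visible context, so confirm that it undoes everything set up before the switch statement rather than assuming the upstream cleanup path matches this tree.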
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 775/969] futex: Prevent lockup in requeue-PI during signal/ timeout wakeup
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (773 preceding siblings ...)
2026-05-30 16:04 ` [PATCH 6.1 774/969] ALSA: hda/conexant: Fix missing error check for jack detection Greg Kroah-Hartman
@ 2026-05-30 16:04 ` Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 776/969] drm/amd/display: Allow DCE link encoder without AUX registers Greg Kroah-Hartman
` (200 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Moritz Klammler,
Sebastian Andrzej Siewior, Thomas Gleixner, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
[ Upstream commit bc7304f3ae20972d11db6e0b1b541c63feda5f05 ]
During wait-requeue-pi (task A) and requeue-PI (task B) the following
race can happen:
Task A                                  Task B
futex_wait_requeue_pi()
futex_setup_timer()
futex_do_wait()
                                        futex_requeue()
                                        CLASS(hb, hb1)(&key1);
                                        CLASS(hb, hb2)(&key2);
*timeout*
futex_requeue_pi_wakeup_sync()
requeue_state = Q_REQUEUE_PI_IGNORE
*blocks on hb->lock*
                                        futex_proxy_trylock_atomic()
                                        futex_requeue_pi_prepare()
                                        Q_REQUEUE_PI_IGNORE => -EAGAIN
                                        double_unlock_hb(hb1, hb2)
                                        *retry*
Task B acquires both hb locks and attempts to acquire the PI-lock of the
top most waiter (task B). Task A is leaving early due to a signal/
timeout and started removing itself from the queue. It updates its
requeue_state but can not remove it from the list because this requires
the hb lock which is owned by task B.
Usually task A is able to swoop the lock after task B unlocked it.
However if task B is of higher priority then task A may not be able to
wake up in time and acquire the lock before task B gets it again.
Especially on a UP system where A is never scheduled.
As a result task A blocks on the lock and task B busy loops, trying to
make progress but live locks the system instead. Tragic.
This can be fixed by removing the top most waiter from the list in this
case. This allows task B to grab the next top waiter (if any) in the
next iteration and make progress.
Remove the top most waiter if futex_requeue_pi_prepare() fails.
Let the waiter conditionally remove itself from the list in
handle_early_requeue_pi_wakeup().
Fixes: 07d91ef510fb1 ("futex: Prevent requeue_pi() lock nesting issue on RT")
Reported-by: Moritz Klammler <Moritz.Klammler@ferchau.com>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Link: https://patch.msgid.link/20260428103425.dywXyPd3@linutronix.de
Closes: https://lore.kernel.org/all/VE1PR06MB6894BE61C173D802365BE19DFF4CA@VE1PR06MB6894.eurprd06.prod.outlook.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/futex/requeue.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/kernel/futex/requeue.c b/kernel/futex/requeue.c
index 7e43839ca7b05..60b08247b07dd 100644
--- a/kernel/futex/requeue.c
+++ b/kernel/futex/requeue.c
@@ -307,8 +307,11 @@ futex_proxy_trylock_atomic(u32 __user *pifutex, struct futex_hash_bucket *hb1,
return -EINVAL;
/* Ensure that this does not race against an early wakeup */
- if (!futex_requeue_pi_prepare(top_waiter, NULL))
+ if (!futex_requeue_pi_prepare(top_waiter, NULL)) {
+ plist_del(&top_waiter->list, &hb1->chain);
+ futex_hb_waiters_dec(hb1);
return -EAGAIN;
+ }
/*
* Try to take the lock for top_waiter and set the FUTEX_WAITERS bit
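Review bot: the new plist_del()/futex_hb_waiters_dec() pair in futex_proxy_trylock_atomic() sits under a comment that only says "Ensure that this does not race against an early wakeup", which no longer describes what the branch does. Add a comment stating that the waiter is already leaving and is dequeued here on its behalf so the next retry sees a different top waiter, and that the waiter side detects this through plist_node_empty(). Without that, the coupling between this hunk and handle_early_requeue_pi_wakeup() is easy to break in a later cleanup.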
@@ -707,10 +710,12 @@ int handle_early_requeue_pi_wakeup(struct futex_hash_bucket *hb,
/*
* We were woken prior to requeue by a timeout or a signal.
- * Unqueue the futex_q and determine which it was.
+ * Conditionally unqueue the futex_q and determine which it was.
*/
- plist_del(&q->list, &hb->chain);
- futex_hb_waiters_dec(hb);
+ if (!plist_node_empty(&q->list)) {
+ plist_del(&q->list, &hb->chain);
+ futex_hb_waiters_dec(hb);
+ }
/* Handle spurious wakeups gracefully */
ret = -EWOULDBLOCK;
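Review bot: the updated comment says "Conditionally unqueue" without naming the condition. State that the node is already empty when the requeue side removed this waiter after futex_requeue_pi_prepare() failed, so that the `plist_node_empty(&q->list)` test and the skipped futex_hb_waiters_dec() are understood as avoiding a double removal and a double decrement of the waiter count.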
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 776/969] drm/amd/display: Allow DCE link encoder without AUX registers
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (774 preceding siblings ...)
2026-05-30 16:04 ` [PATCH 6.1 775/969] futex: Prevent lockup in requeue-PI during signal/ timeout wakeup Greg Kroah-Hartman
@ 2026-05-30 16:05 ` Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 777/969] drm/amd/display: Read EDID from VBIOS embedded panel info Greg Kroah-Hartman
` (199 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Alex Deucher,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit ac27e3f99035f132f23bc0409d0e57f11f054c70 ]
Allow constructing the DCE link encoder without DDC,
which means the AUX registers array will be NULL.
This is necessary to support embedded connectors without DDC.
Fixes: 4562236b3bc0 ("drm/amd/dc: Add dc display driver (v2)")
Link: https://gitlab.freedesktop.org/drm/amd/-/work_items/5192
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 87f30b101af62590faf6020d106da07efdda199b)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/dce/dce_link_encoder.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/display/dc/dce/dce_link_encoder.c b/drivers/gpu/drm/amd/display/dc/dce/dce_link_encoder.c
index 85926d2300444..e089407e24531 100644
--- a/drivers/gpu/drm/amd/display/dc/dce/dce_link_encoder.c
+++ b/drivers/gpu/drm/amd/display/dc/dce/dce_link_encoder.c
@@ -992,7 +992,9 @@ void dce110_link_encoder_hw_init(
ASSERT(result == BP_RESULT_OK);
}
- aux_initialize(enc110);
+
+ if (enc110->aux_regs)
+ aux_initialize(enc110);
/* reinitialize HPD.
* hpd_initialize() will pass DIG_FE id to HW context.
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 777/969] drm/amd/display: Read EDID from VBIOS embedded panel info
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (775 preceding siblings ...)
2026-05-30 16:05 ` [PATCH 6.1 776/969] drm/amd/display: Allow DCE link encoder without AUX registers Greg Kroah-Hartman
@ 2026-05-30 16:05 ` Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 778/969] bonding: 802.3ad replace MAC_ADDRESS_EQUAL with __agg_has_partner Greg Kroah-Hartman
` (198 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Alex Deucher,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit 9ea16f64189bf7b6ba50fc7f0325b3c1f836d105 ]
Some board manufacturers hardcode the EDID for the embedded
panel in the VBIOS. This EDID should be used when the panel
doesn't have a DDC.
For reference, see the legacy non-DC display code:
amdgpu_atombios_encoder_get_lcd_info()
This is necessary to support embedded connectors without DDC.
Fixes: 4562236b3bc0 ("drm/amd/dc: Add dc display driver (v2)")
Link: https://gitlab.freedesktop.org/drm/amd/-/work_items/5192
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit eb105e63b474c11ef6a84a1c6b18100d851ff364)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../gpu/drm/amd/display/dc/bios/bios_parser.c | 62 +++++++++++++++++++
.../display/include/grph_object_ctrl_defs.h | 4 ++
2 files changed, 66 insertions(+)
diff --git a/drivers/gpu/drm/amd/display/dc/bios/bios_parser.c b/drivers/gpu/drm/amd/display/dc/bios/bios_parser.c
index 0f686e363d308..d8982aca8ef68 100644
--- a/drivers/gpu/drm/amd/display/dc/bios/bios_parser.c
+++ b/drivers/gpu/drm/amd/display/dc/bios/bios_parser.c
@@ -1215,6 +1215,60 @@ static enum bp_result bios_parser_get_embedded_panel_info(
return BP_RESULT_FAILURE;
}
+static enum bp_result get_embedded_panel_extra_info(
+ struct bios_parser *bp,
+ struct embedded_panel_info *info,
+ const uint32_t table_offset)
+{
+ uint8_t *record = bios_get_image(&bp->base, table_offset, 1);
+ ATOM_PANEL_RESOLUTION_PATCH_RECORD *panel_res_record;
+ ATOM_FAKE_EDID_PATCH_RECORD *fake_edid_record;
+
+ while (*record != ATOM_RECORD_END_TYPE) {
+ switch (*record) {
+ case LCD_MODE_PATCH_RECORD_MODE_TYPE:
+ record += sizeof(ATOM_PATCH_RECORD_MODE);
+ break;
+ case LCD_RTS_RECORD_TYPE:
+ record += sizeof(ATOM_LCD_RTS_RECORD);
+ break;
+ case LCD_CAP_RECORD_TYPE:
+ record += sizeof(ATOM_LCD_MODE_CONTROL_CAP);
+ break;
+ case LCD_FAKE_EDID_PATCH_RECORD_TYPE:
+ fake_edid_record = (ATOM_FAKE_EDID_PATCH_RECORD *)record;
+ if (fake_edid_record->ucFakeEDIDLength) {
+ if (fake_edid_record->ucFakeEDIDLength == 128)
+ info->fake_edid_size =
+ fake_edid_record->ucFakeEDIDLength;
+ else
+ info->fake_edid_size =
+ fake_edid_record->ucFakeEDIDLength * 128;
+
+ info->fake_edid = fake_edid_record->ucFakeEDIDString;
+
+ record += struct_size(fake_edid_record,
+ ucFakeEDIDString,
+ info->fake_edid_size);
+ } else {
+ /* empty fake edid record must be 3 bytes long */
+ record += sizeof(ATOM_FAKE_EDID_PATCH_RECORD) + 1;
+ }
+ break;
+ case LCD_PANEL_RESOLUTION_RECORD_TYPE:
+ panel_res_record = (ATOM_PANEL_RESOLUTION_PATCH_RECORD *)record;
+ info->panel_width_mm = panel_res_record->usHSize;
+ info->panel_height_mm = panel_res_record->usVSize;
+ record += sizeof(ATOM_PANEL_RESOLUTION_PATCH_RECORD);
+ break;
+ default:
+ return BP_RESULT_BADBIOSTABLE;
+ }
+ }
+
+ return BP_RESULT_OK;
+}
+
static enum bp_result get_embedded_panel_info_v1_2(
struct bios_parser *bp,
struct embedded_panel_info *info)
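Review bot: get_embedded_panel_extra_info() dereferences `record` in the `while (*record != ATOM_RECORD_END_TYPE)` condition without checking the bios_get_image() result for NULL, and that call validates a single byte while the loop then advances by record sizes taken from the table itself. A VBIOS image without a terminating record, or with a large ucFakeEDIDLength, walks `record` past the validated region; re-validate each record through bios_get_image() with the size about to be consumed and return BP_RESULT_BADBIOSTABLE on failure. Separately, usHSize and usVSize are copied without le16_to_cpu(), while the table offset in the callers is converted.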
@@ -1331,6 +1385,10 @@ static enum bp_result get_embedded_panel_info_v1_2(
if (ATOM_PANEL_MISC_API_ENABLED & lvds->ucLVDS_Misc)
info->lcd_timing.misc_info.API_ENABLED = true;
+ if (lvds->usExtInfoTableOffset)
+ return get_embedded_panel_extra_info(bp, info,
+ le16_to_cpu(lvds->usExtInfoTableOffset) + DATA_TABLES(LCD_Info));
+
return BP_RESULT_OK;
}
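Review bot: returning the result of get_embedded_panel_extra_info() directly makes the whole get_embedded_panel_info_v1_2() call fail when the extension table contains a record type the new parser does not know, because its default case returns BP_RESULT_BADBIOSTABLE. The timing data parsed above this point was valid before the patch, so for a stable backport it is safer to treat a failed extension parse as "no extra info" and still return BP_RESULT_OK.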
@@ -1456,6 +1514,10 @@ static enum bp_result get_embedded_panel_info_v1_3(
(uint32_t) (ATOM_PANEL_MISC_V13_GREY_LEVEL &
lvds->ucLCD_Misc) >> ATOM_PANEL_MISC_V13_GREY_LEVEL_SHIFT;
+ if (lvds->usExtInfoTableOffset)
+ return get_embedded_panel_extra_info(bp, info,
+ le16_to_cpu(lvds->usExtInfoTableOffset) + DATA_TABLES(LCD_Info));
+
return BP_RESULT_OK;
}
diff --git a/drivers/gpu/drm/amd/display/include/grph_object_ctrl_defs.h b/drivers/gpu/drm/amd/display/include/grph_object_ctrl_defs.h
index 813463ffe15c5..8e776c90d21bf 100644
--- a/drivers/gpu/drm/amd/display/include/grph_object_ctrl_defs.h
+++ b/drivers/gpu/drm/amd/display/include/grph_object_ctrl_defs.h
@@ -153,6 +153,10 @@ struct embedded_panel_info {
uint32_t drr_enabled;
uint32_t min_drr_refresh_rate;
bool realtek_eDPToLVDS;
+ uint16_t panel_width_mm;
+ uint16_t panel_height_mm;
+ uint16_t fake_edid_size;
+ const uint8_t *fake_edid;
};
struct dc_firmware_info {
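Review bot: `fake_edid` is stored as a bare pointer into the BIOS image together with a `fake_edid_size` taken from the table, and the diffstat shows only the parser and this header changed, so nothing in this patch consumes the new fields. Document next to the field that the pointer is borrowed from the VBIOS image and that consumers must not trust `fake_edid_size` beyond the image bounds, and confirm that the patch adding the consumer is part of the same stable queue.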
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 778/969] bonding: 802.3ad replace MAC_ADDRESS_EQUAL with __agg_has_partner
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (776 preceding siblings ...)
2026-05-30 16:05 ` [PATCH 6.1 777/969] drm/amd/display: Read EDID from VBIOS embedded panel info Greg Kroah-Hartman
@ 2026-05-30 16:05 ` Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 779/969] net: bonding: add broadcast_neighbor option for 802.3ad Greg Kroah-Hartman
` (197 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jones Syue, Hangbin Liu, Jiri Pirko,
Jay Vosburgh, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jones Syue 薛懷宗 <jonessyue@qnap.com>
[ Upstream commit 4440873f3655325f849366d75382aa05d09b5575 ]
Replace macro MAC_ADDRESS_EQUAL() for null_mac_addr checking with inline
function __agg_has_partner(). When MAC_ADDRESS_EQUAL() is verifying the
aggregator's partner mac addr with null_mac_addr, it means seeing if the
aggregator has a valid partner or not. Using __agg_has_partner() makes it
clearer to understand.
In ad_port_selection_logic(), since aggregator->partner_system and
port->partner_oper.system has been compared first as a prerequisite, it is
safe to replace the upcoming MAC_ADDRESS_EQUAL() for null_mac_addr checking
with __agg_has_partner().
Delete null_mac_addr, which is not required anymore in bond_3ad.c, since
all references to it are gone.
Signed-off-by: Jones Syue <jonessyue@qnap.com>
Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
Link: https://lore.kernel.org/r/SI2PR04MB5097BCA8FF2A2F03D9A5A3EEDC5A2@SI2PR04MB5097.apcprd04.prod.outlook.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: c4f050ce06c5 ("bonding: 3ad: implement proper RCU rules for port->aggregator")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_3ad.c | 14 +++-----------
1 file changed, 3 insertions(+), 11 deletions(-)
diff --git a/drivers/net/bonding/bond_3ad.c b/drivers/net/bonding/bond_3ad.c
index 37364bbfdbdc4..29e08415b16a6 100644
--- a/drivers/net/bonding/bond_3ad.c
+++ b/drivers/net/bonding/bond_3ad.c
@@ -81,10 +81,6 @@ enum ad_link_speed_type {
#define MAC_ADDRESS_EQUAL(A, B) \
ether_addr_equal_64bits((const u8 *)A, (const u8 *)B)
-static const u8 null_mac_addr[ETH_ALEN + 2] __long_aligned = {
- 0, 0, 0, 0, 0, 0
-};
-
static const u16 ad_ticks_per_sec = 1000 / AD_TIMER_INTERVAL;
static const int ad_delta_in_ticks = (AD_TIMER_INTERVAL * HZ) / 1000;
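Review bot: null_mac_addr is deleted here and every remaining check now depends on __agg_has_partner(), which this patch does not define (the diffstat shows three insertions, all call sites). For the 6.1 backport, confirm the helper is already present in this tree's bond_3ad.c with the same semantics, since a missing or differently defined helper would surface only at build time or as a behaviour change.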
@@ -1583,7 +1579,7 @@ static void ad_port_selection_logic(struct port *port, bool *update_slave_arr)
(aggregator->partner_system_priority == port->partner_oper.system_priority) &&
(aggregator->partner_oper_aggregator_key == port->partner_oper.key)
) &&
- ((!MAC_ADDRESS_EQUAL(&(port->partner_oper.system), &(null_mac_addr)) && /* partner answers */
+ ((__agg_has_partner(aggregator) && /* partner answers */
!aggregator->is_individual) /* but is not individual OR */
)
) {
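Review bot: In ad_port_selection_logic() the removed test looked at port->partner_oper.system, while the new `__agg_has_partner(aggregator)` looks at the aggregator, so the two are equivalent only because of the earlier aggregator->partner_system versus port->partner_oper.system comparison that the commit message relies on and that sits above this hunk's context. A one-line comment next to the call stating that dependency would keep a later reordering of the condition from silently changing which object is tested.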
@@ -2033,9 +2029,7 @@ static void ad_enable_collecting(struct port *port)
*/
static void ad_disable_distributing(struct port *port, bool *update_slave_arr)
{
- if (port->aggregator &&
- !MAC_ADDRESS_EQUAL(&port->aggregator->partner_system,
- &(null_mac_addr))) {
+ if (port->aggregator && __agg_has_partner(port->aggregator)) {
slave_dbg(port->slave->bond->dev, port->slave->dev,
"Disabling distributing on port %d (LAG %d)\n",
port->actor_port_number,
@@ -2075,9 +2069,7 @@ static void ad_enable_collecting_distributing(struct port *port,
static void ad_disable_collecting_distributing(struct port *port,
bool *update_slave_arr)
{
- if (port->aggregator &&
- !MAC_ADDRESS_EQUAL(&(port->aggregator->partner_system),
- &(null_mac_addr))) {
+ if (port->aggregator && __agg_has_partner(port->aggregator)) {
slave_dbg(port->slave->bond->dev, port->slave->dev,
"Disabling port %d (LAG %d)\n",
port->actor_port_number,
--
2.53.0
* [PATCH 6.1 779/969] net: bonding: add broadcast_neighbor option for 802.3ad
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jay Vosburgh, David S. Miller,
Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman,
Jonathan Corbet, Andrew Lunn, Steven Rostedt, Masami Hiramatsu,
Mathieu Desnoyers, Nikolay Aleksandrov, Tonghao Zhang,
Zengbing Tu, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tonghao Zhang <tonghao@bamaicloud.com>
[ Upstream commit ce7a381697cb3958ffe0b45e5028ac69444e9288 ]
Stacking technology is a type of technology used to expand ports on
Ethernet switches. It is widely used as a common access method in
large-scale Internet data center architectures. Years of practice
have proved that stacking technology has advantages and disadvantages
in high-reliability network architecture scenarios. For instance,
in stacking networking arch, conventional switch system upgrades
require multiple stacked devices to restart at the same time.
Therefore, it is inevitable that the business will be interrupted
for a while. It is for this reason that "no-stacking" in data centers
has become a trend. Additionally, when the stacking link connecting
the switches fails or is abnormal, the stack will split. Although it is
not common, it still happens in actual operation. The problem is that
after the split, it is equivalent to two switches with the same
configuration appearing in the network, causing network configuration
conflicts and ultimately interrupting the services carried by the
stacking system.
To improve network stability, "non-stacking" solutions have been
increasingly adopted, particularly by public cloud providers and
tech companies like Alibaba, Tencent, and Didi. "non-stacking" is
a method of mimicking switch stacking that convinces a LACP peer,
bonding in this case, connected to a set of "non-stacked" switches
that all of its ports are connected to a single switch
(i.e., LACP aggregator), as if those switches were stacked. This
enables the LACP peer's ports to aggregate together, and requires
(a) special switch configuration, described in the linked article,
and (b) modifications to the bonding 802.3ad (LACP) mode to send
all ARP/ND packets across all ports of the active aggregator.
Note that, with multiple aggregators, the current broadcast mode
logic will send only packets to the selected aggregator(s).
 +-----------+   +-----------+
 |  switch1  |   |  switch2  |
 +-----------+   +-----------+
         ^           ^
         |           |
      +-----------------+
      |   bond4 lacp    |
      +-----------------+
         |           |
         | NIC1      | NIC2
      +-----------------+
      |     server      |
      +-----------------+
- https://www.ruijie.com/fr-fr/support/tech-gallery/de-stack-data-center-network-architecture/
Cc: Jay Vosburgh <jv@jvosburgh.net>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: Simon Horman <horms@kernel.org>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Andrew Lunn <andrew+netdev@lunn.ch>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: Tonghao Zhang <tonghao@bamaicloud.com>
Signed-off-by: Zengbing Tu <tuzengbing@didiglobal.com>
Link: https://patch.msgid.link/84d0a044514157bb856a10b6d03a1028c4883561.1751031306.git.tonghao@bamaicloud.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: c4f050ce06c5 ("bonding: 3ad: implement proper RCU rules for port->aggregator")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/networking/bonding.rst | 6 +++
drivers/net/bonding/bond_main.c | 66 +++++++++++++++++++++++++---
drivers/net/bonding/bond_options.c | 42 ++++++++++++++++++
include/net/bond_options.h | 1 +
include/net/bonding.h | 3 ++
5 files changed, 112 insertions(+), 6 deletions(-)
diff --git a/Documentation/networking/bonding.rst b/Documentation/networking/bonding.rst
index 870b4e1343188..d0e6a0fc6fd85 100644
--- a/Documentation/networking/bonding.rst
+++ b/Documentation/networking/bonding.rst
@@ -562,6 +562,12 @@ lacp_rate
The default is slow.
+broadcast_neighbor
+
+ Option specifying whether to broadcast ARP/ND packets to all
+ active slaves. This option has no effect in modes other than
+ 802.3ad mode. The default is off (0).
+
max_bonds
Specifies the number of bonding devices to create for this
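Review bot: The new bonding.rst text says broadcast_neighbor "has no effect in modes other than 802.3ad mode", but the bond_opts entry added in bond_options.c sets `.unsuppmodes = BOND_MODE_ALL_EX(BIT(BOND_MODE_8023AD))`, which marks every other mode as unsupported for this option rather than silently ignoring it. The documentation should say the option can only be set in 802.3ad mode, and could also mention that bond_option_mode_set() resets it to 0 on a mode change.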
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 14e7439717a3d..97821c3c8b9a8 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -209,6 +209,8 @@ atomic_t netpoll_block_tx = ATOMIC_INIT(0);
unsigned int bond_net_id __read_mostly;
+DEFINE_STATIC_KEY_FALSE(bond_bcast_neigh_enabled);
+
static const struct flow_dissector_key flow_keys_bonding_keys[] = {
{
.key_id = FLOW_DISSECTOR_KEY_CONTROL,
@@ -4334,6 +4336,9 @@ static int bond_open(struct net_device *bond_dev)
bond_for_each_slave(bond, slave, iter)
dev_mc_add(slave->dev, lacpdu_mcast_addr);
+
+ if (bond->params.broadcast_neighbor)
+ static_branch_inc(&bond_bcast_neigh_enabled);
}
if (bond_mode_can_use_xmit_hash(bond))
@@ -4357,6 +4362,10 @@ static int bond_close(struct net_device *bond_dev)
if (bond_is_lb(bond))
bond_alb_deinitialize(bond);
+ if (BOND_MODE(bond) == BOND_MODE_8023AD &&
+ bond->params.broadcast_neighbor)
+ static_branch_dec(&bond_bcast_neigh_enabled);
+
if (bond_uses_primary(bond)) {
rcu_read_lock();
slave = rcu_dereference(bond->curr_active_slave);
@@ -5243,6 +5252,37 @@ static struct slave *bond_xdp_xmit_3ad_xor_slave_get(struct bonding *bond,
return slaves->arr[hash % count];
}
+static bool bond_should_broadcast_neighbor(struct sk_buff *skb,
+ struct net_device *dev)
+{
+ struct bonding *bond = netdev_priv(dev);
+ struct {
+ struct ipv6hdr ip6;
+ struct icmp6hdr icmp6;
+ } *combined, _combined;
+
+ if (!static_branch_unlikely(&bond_bcast_neigh_enabled))
+ return false;
+
+ if (!bond->params.broadcast_neighbor)
+ return false;
+
+ if (skb->protocol == htons(ETH_P_ARP))
+ return true;
+
+ if (skb->protocol == htons(ETH_P_IPV6)) {
+ combined = skb_header_pointer(skb, skb_mac_header_len(skb),
+ sizeof(_combined),
+ &_combined);
+ if (combined && combined->ip6.nexthdr == NEXTHDR_ICMP &&
+ (combined->icmp6.icmp6_type == NDISC_NEIGHBOUR_SOLICITATION ||
+ combined->icmp6.icmp6_type == NDISC_NEIGHBOUR_ADVERTISEMENT))
+ return true;
+ }
+
+ return false;
+}
+
/* Use this Xmit function for 3AD as well as XOR modes. The current
* usable slave array is formed in the control path. The xmit function
* just calculates hash and sends the packet out.
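Review bot: In bond_should_broadcast_neighbor() the IPv6 branch reads one fixed ipv6hdr immediately followed by an icmp6hdr and tests `combined->ip6.nexthdr == NEXTHDR_ICMP`, so a neighbour solicitation or advertisement that sits behind any extension header is not recognised and takes the normal hashed path. If that is intended, say so in a comment above the function, which currently has none; the same comment should state that the `skb_mac_header_len(skb)` offset assumes the data pointer is at the MAC header when this runs on transmit.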
@@ -5262,17 +5302,27 @@ static netdev_tx_t bond_3ad_xor_xmit(struct sk_buff *skb,
return bond_tx_drop(dev, skb);
}
-/* in broadcast mode, we send everything to all usable interfaces. */
+/* in broadcast mode, we send everything to all or usable slave interfaces.
+ * under rcu_read_lock when this function is called.
+ */
static netdev_tx_t bond_xmit_broadcast(struct sk_buff *skb,
- struct net_device *bond_dev)
+ struct net_device *bond_dev,
+ bool all_slaves)
{
struct bonding *bond = netdev_priv(bond_dev);
- struct slave *slave = NULL;
- struct list_head *iter;
+ struct bond_up_slave *slaves;
bool xmit_suc = false;
bool skb_used = false;
+ int slaves_count, i;
- bond_for_each_slave_rcu(bond, slave, iter) {
+ if (all_slaves)
+ slaves = rcu_dereference(bond->all_slaves);
+ else
+ slaves = rcu_dereference(bond->usable_slaves);
+
+ slaves_count = slaves ? READ_ONCE(slaves->count) : 0;
+ for (i = 0; i < slaves_count; i++) {
+ struct slave *slave = slaves->arr[i];
struct sk_buff *skb2;
if (!(bond_slave_is_up(slave) && slave->link == BOND_LINK_UP))
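Review bot: With `all_slaves` true, BOND_MODE_BROADCAST no longer walks the slave list through bond_for_each_slave_rcu() but iterates the bond->all_slaves array, and nothing in this patch adds a path that keeps that array current for broadcast-mode bonds. Please confirm the array is rebuilt on enslave, release and link changes in that mode, otherwise a broadcast bond could transmit on a stale or empty set. The rewritten comment ("all or usable slave interfaces") should name the `all_slaves` parameter and say which mode passes which value, and the "under rcu_read_lock" requirement reads better as a "Caller must hold" line.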
@@ -5510,10 +5560,13 @@ static netdev_tx_t __bond_start_xmit(struct sk_buff *skb, struct net_device *dev
case BOND_MODE_ACTIVEBACKUP:
return bond_xmit_activebackup(skb, dev);
case BOND_MODE_8023AD:
+ if (bond_should_broadcast_neighbor(skb, dev))
+ return bond_xmit_broadcast(skb, dev, false);
+ fallthrough;
case BOND_MODE_XOR:
return bond_3ad_xor_xmit(skb, dev);
case BOND_MODE_BROADCAST:
- return bond_xmit_broadcast(skb, dev);
+ return bond_xmit_broadcast(skb, dev, true);
case BOND_MODE_ALB:
return bond_alb_xmit(skb, dev);
case BOND_MODE_TLB:
@@ -6331,6 +6384,7 @@ static int bond_check_params(struct bond_params *params)
eth_zero_addr(params->ad_actor_system);
params->ad_user_port_key = ad_user_port_key;
params->coupled_control = 1;
+ params->broadcast_neighbor = 0;
if (packets_per_slave > 0) {
params->reciprocal_packets_per_slave =
reciprocal_value(packets_per_slave);
diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bond_options.c
index 62b5d29e6db6c..1faf10667c03e 100644
--- a/drivers/net/bonding/bond_options.c
+++ b/drivers/net/bonding/bond_options.c
@@ -87,6 +87,8 @@ static int bond_option_missed_max_set(struct bonding *bond,
const struct bond_opt_value *newval);
static int bond_option_coupled_control_set(struct bonding *bond,
const struct bond_opt_value *newval);
+static int bond_option_broadcast_neigh_set(struct bonding *bond,
+ const struct bond_opt_value *newval);
static const struct bond_opt_value bond_mode_tbl[] = {
{ "balance-rr", BOND_MODE_ROUNDROBIN, BOND_VALFLAG_DEFAULT},
@@ -240,6 +242,12 @@ static const struct bond_opt_value bond_coupled_control_tbl[] = {
{ NULL, -1, 0},
};
+static const struct bond_opt_value bond_broadcast_neigh_tbl[] = {
+ { "off", 0, BOND_VALFLAG_DEFAULT},
+ { "on", 1, 0},
+ { NULL, -1, 0}
+};
+
static const struct bond_option bond_opts[BOND_OPT_LAST] = {
[BOND_OPT_MODE] = {
.id = BOND_OPT_MODE,
@@ -513,6 +521,14 @@ static const struct bond_option bond_opts[BOND_OPT_LAST] = {
.flags = BOND_OPTFLAG_IFDOWN,
.values = bond_coupled_control_tbl,
.set = bond_option_coupled_control_set,
+ },
+ [BOND_OPT_BROADCAST_NEIGH] = {
+ .id = BOND_OPT_BROADCAST_NEIGH,
+ .name = "broadcast_neighbor",
+ .desc = "Broadcast neighbor packets to all active slaves",
+ .unsuppmodes = BOND_MODE_ALL_EX(BIT(BOND_MODE_8023AD)),
+ .values = bond_broadcast_neigh_tbl,
+ .set = bond_option_broadcast_neigh_set,
}
};
@@ -907,6 +923,13 @@ static int bond_option_mode_set(struct bonding *bond,
bond->params.arp_validate = BOND_ARP_VALIDATE_NONE;
bond->params.mode = newval->value;
+ /* When changing mode, the bond device is down, we may reduce
+ * the bond_bcast_neigh_enabled in bond_close() if broadcast_neighbor
+ * enabled in 8023ad mode. Therefore, only clear broadcast_neighbor
+ * to 0.
+ */
+ bond->params.broadcast_neighbor = 0;
+
if (bond->dev->reg_state == NETREG_REGISTERED) {
bool update = false;
@@ -1857,3 +1880,22 @@ static int bond_option_coupled_control_set(struct bonding *bond,
bond->params.coupled_control = newval->value;
return 0;
}
+
+static int bond_option_broadcast_neigh_set(struct bonding *bond,
+ const struct bond_opt_value *newval)
+{
+ if (bond->params.broadcast_neighbor == newval->value)
+ return 0;
+
+ bond->params.broadcast_neighbor = newval->value;
+ if (bond->dev->flags & IFF_UP) {
+ if (bond->params.broadcast_neighbor)
+ static_branch_inc(&bond_bcast_neigh_enabled);
+ else
+ static_branch_dec(&bond_bcast_neigh_enabled);
+ }
+
+ netdev_dbg(bond->dev, "Setting broadcast_neighbor to %s (%llu)\n",
+ newval->string, newval->value);
+ return 0;
+}
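Review bot: bond_option_broadcast_neigh_set() stores bond->params.broadcast_neighbor with a plain assignment while bond_should_broadcast_neighbor() reads it on the transmit path, and the option entry carries no BOND_OPTFLAG_IFDOWN, so the write can run concurrently with transmits; WRITE_ONCE() here and READ_ONCE() in the reader would annotate that. The static key accounting is spread over this function, bond_open(), bond_close() and bond_option_mode_set(), so a short comment stating the invariant (the key is held once per bond that is up, in 802.3ad mode, with the option on) would make the inc/dec pairing checkable.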
diff --git a/include/net/bond_options.h b/include/net/bond_options.h
index 18687ccf06383..022b122a9fb61 100644
--- a/include/net/bond_options.h
+++ b/include/net/bond_options.h
@@ -77,6 +77,7 @@ enum {
BOND_OPT_NS_TARGETS,
BOND_OPT_PRIO,
BOND_OPT_COUPLED_CONTROL,
+ BOND_OPT_BROADCAST_NEIGH,
BOND_OPT_LAST
};
diff --git a/include/net/bonding.h b/include/net/bonding.h
index 0a84a63d5e324..06a048d716b19 100644
--- a/include/net/bonding.h
+++ b/include/net/bonding.h
@@ -119,6 +119,8 @@ static inline int is_netpoll_tx_blocked(struct net_device *dev)
#define is_netpoll_tx_blocked(dev) (0)
#endif
+DECLARE_STATIC_KEY_FALSE(bond_bcast_neigh_enabled);
+
struct bond_params {
int mode;
int xmit_policy;
@@ -153,6 +155,7 @@ struct bond_params {
struct in6_addr ns_targets[BOND_MAX_NS_TARGETS];
#endif
int coupled_control;
+ int broadcast_neighbor;
/* 2 bytes of padding : see ether_addr_equal_64bits() */
u8 ad_actor_system[ETH_ALEN + 2];
--
2.53.0
* [PATCH 6.1 780/969] bonding: add support for per-port LACP actor priority
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hangbin Liu, Paolo Abeni,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hangbin Liu <liuhangbin@gmail.com>
[ Upstream commit 6b6dc81ee7e8ca87c71a533e1d69cf96a4f1e986 ]
Introduce a new netlink attribute 'actor_port_prio' to allow setting
the LACP actor port priority on a per-slave basis. This extends the
existing bonding infrastructure to support more granular control over
LACP negotiations.
The priority value is embedded in LACPDU packets and will be used by
subsequent patches to influence aggregator selection policies.
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Link: https://patch.msgid.link/20250902064501.360822-2-liuhangbin@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: c4f050ce06c5 ("bonding: 3ad: implement proper RCU rules for port->aggregator")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/networking/bonding.rst | 9 +++++++
drivers/net/bonding/bond_3ad.c | 4 ++++
drivers/net/bonding/bond_netlink.c | 16 +++++++++++++
drivers/net/bonding/bond_options.c | 36 ++++++++++++++++++++++++++++
include/net/bond_3ad.h | 1 +
include/net/bond_options.h | 1 +
include/uapi/linux/if_link.h | 1 +
7 files changed, 68 insertions(+)
diff --git a/Documentation/networking/bonding.rst b/Documentation/networking/bonding.rst
index d0e6a0fc6fd85..e90063cec821e 100644
--- a/Documentation/networking/bonding.rst
+++ b/Documentation/networking/bonding.rst
@@ -193,6 +193,15 @@ ad_actor_sys_prio
This parameter has effect only in 802.3ad mode and is available through
SysFs interface.
+actor_port_prio
+
+ In an AD system, this specifies the port priority. The allowed range
+ is 1 - 65535. If the value is not specified, it takes 255 as the
+ default value.
+
+ This parameter has effect only in 802.3ad mode and is available through
+ netlink interface.
+
ad_actor_system
In an AD system, this specifies the mac-address for the actor in
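Review bot: The documentation gives the allowed range for actor_port_prio as 1 - 65535, but bond_actor_port_prio_tbl in this same patch sets `{ "minval", 0, BOND_VALFLAG_MIN}`, so 0 is accepted. Either raise minval to 1 or change the documented range to 0 - 65535 so the two agree.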
diff --git a/drivers/net/bonding/bond_3ad.c b/drivers/net/bonding/bond_3ad.c
index 29e08415b16a6..cf611dce8fad1 100644
--- a/drivers/net/bonding/bond_3ad.c
+++ b/drivers/net/bonding/bond_3ad.c
@@ -430,6 +430,7 @@ static void __ad_actor_update_port(struct port *port)
port->actor_system = BOND_AD_INFO(bond).system.sys_mac_addr;
port->actor_system_priority = BOND_AD_INFO(bond).system.sys_priority;
+ port->actor_port_priority = SLAVE_AD_INFO(port->slave)->port_priority;
}
/* Conversions */
@@ -2186,6 +2187,9 @@ void bond_3ad_bind_slave(struct slave *slave)
ad_initialize_port(port, &bond->params);
+ /* Port priority is initialized. Update it to slave's ad info */
+ SLAVE_AD_INFO(slave)->port_priority = port->actor_port_priority;
+
port->slave = slave;
port->actor_port_number = SLAVE_AD_INFO(slave)->id;
/* key is determined according to the link speed, duplex and
diff --git a/drivers/net/bonding/bond_netlink.c b/drivers/net/bonding/bond_netlink.c
index aebc814ad495d..7e47d405d74aa 100644
--- a/drivers/net/bonding/bond_netlink.c
+++ b/drivers/net/bonding/bond_netlink.c
@@ -28,6 +28,7 @@ static size_t bond_get_slave_size(const struct net_device *bond_dev,
nla_total_size(sizeof(u8)) + /* IFLA_BOND_SLAVE_AD_ACTOR_OPER_PORT_STATE */
nla_total_size(sizeof(u16)) + /* IFLA_BOND_SLAVE_AD_PARTNER_OPER_PORT_STATE */
nla_total_size(sizeof(s32)) + /* IFLA_BOND_SLAVE_PRIO */
+ nla_total_size(sizeof(u16)) + /* IFLA_BOND_SLAVE_ACTOR_PORT_PRIO */
0;
}
@@ -76,6 +77,10 @@ static int bond_fill_slave_info(struct sk_buff *skb,
ad_port->partner_oper.port_state))
goto nla_put_failure;
}
+
+ if (nla_put_u16(skb, IFLA_BOND_SLAVE_ACTOR_PORT_PRIO,
+ SLAVE_AD_INFO(slave)->port_priority))
+ goto nla_put_failure;
}
return 0;
@@ -128,6 +133,7 @@ static const struct nla_policy bond_policy[IFLA_BOND_MAX + 1] = {
static const struct nla_policy bond_slave_policy[IFLA_BOND_SLAVE_MAX + 1] = {
[IFLA_BOND_SLAVE_QUEUE_ID] = { .type = NLA_U16 },
[IFLA_BOND_SLAVE_PRIO] = { .type = NLA_S32 },
+ [IFLA_BOND_SLAVE_ACTOR_PORT_PRIO] = { .type = NLA_U16 },
};
static int bond_validate(struct nlattr *tb[], struct nlattr *data[],
@@ -178,6 +184,16 @@ static int bond_slave_changelink(struct net_device *bond_dev,
return err;
}
+ if (data[IFLA_BOND_SLAVE_ACTOR_PORT_PRIO]) {
+ u16 ad_prio = nla_get_u16(data[IFLA_BOND_SLAVE_ACTOR_PORT_PRIO]);
+
+ bond_opt_slave_initval(&newval, &slave_dev, ad_prio);
+ err = __bond_opt_set(bond, BOND_OPT_ACTOR_PORT_PRIO, &newval,
+ data[IFLA_BOND_SLAVE_ACTOR_PORT_PRIO], extack);
+ if (err)
+ return err;
+ }
+
return 0;
}
diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bond_options.c
index 1faf10667c03e..2991290f450ee 100644
--- a/drivers/net/bonding/bond_options.c
+++ b/drivers/net/bonding/bond_options.c
@@ -79,6 +79,8 @@ static int bond_option_tlb_dynamic_lb_set(struct bonding *bond,
const struct bond_opt_value *newval);
static int bond_option_ad_actor_sys_prio_set(struct bonding *bond,
const struct bond_opt_value *newval);
+static int bond_option_actor_port_prio_set(struct bonding *bond,
+ const struct bond_opt_value *newval);
static int bond_option_ad_actor_system_set(struct bonding *bond,
const struct bond_opt_value *newval);
static int bond_option_ad_user_port_key_set(struct bonding *bond,
@@ -223,6 +225,13 @@ static const struct bond_opt_value bond_ad_actor_sys_prio_tbl[] = {
{ NULL, -1, 0},
};
+static const struct bond_opt_value bond_actor_port_prio_tbl[] = {
+ { "minval", 0, BOND_VALFLAG_MIN},
+ { "maxval", 65535, BOND_VALFLAG_MAX},
+ { "default", 255, BOND_VALFLAG_DEFAULT},
+ { NULL, -1, 0},
+};
+
static const struct bond_opt_value bond_ad_user_port_key_tbl[] = {
{ "minval", 0, BOND_VALFLAG_MIN | BOND_VALFLAG_DEFAULT},
{ "maxval", 1023, BOND_VALFLAG_MAX},
@@ -484,6 +493,13 @@ static const struct bond_option bond_opts[BOND_OPT_LAST] = {
.values = bond_ad_actor_sys_prio_tbl,
.set = bond_option_ad_actor_sys_prio_set,
},
+ [BOND_OPT_ACTOR_PORT_PRIO] = {
+ .id = BOND_OPT_ACTOR_PORT_PRIO,
+ .name = "actor_port_prio",
+ .unsuppmodes = BOND_MODE_ALL_EX(BIT(BOND_MODE_8023AD)),
+ .values = bond_actor_port_prio_tbl,
+ .set = bond_option_actor_port_prio_set,
+ },
[BOND_OPT_AD_ACTOR_SYSTEM] = {
.id = BOND_OPT_AD_ACTOR_SYSTEM,
.name = "ad_actor_system",
@@ -1833,6 +1849,26 @@ static int bond_option_ad_actor_sys_prio_set(struct bonding *bond,
return 0;
}
+static int bond_option_actor_port_prio_set(struct bonding *bond,
+ const struct bond_opt_value *newval)
+{
+ struct slave *slave;
+
+ slave = bond_slave_get_rtnl(newval->slave_dev);
+ if (!slave) {
+ netdev_dbg(bond->dev, "%s called on NULL slave\n", __func__);
+ return -ENODEV;
+ }
+
+ netdev_dbg(newval->slave_dev, "Setting actor_port_prio to %llu\n",
+ newval->value);
+
+ SLAVE_AD_INFO(slave)->port_priority = newval->value;
+ bond_3ad_update_ad_actor_settings(bond);
+
+ return 0;
+}
+
static int bond_option_ad_actor_system_set(struct bonding *bond,
const struct bond_opt_value *newval)
{
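Review bot: In bond_option_actor_port_prio_set() the `!slave` check covers only the result of bond_slave_get_rtnl(); `newval->slave_dev` itself is passed to the lookup unchecked. The netlink path in bond_slave_changelink() fills it through bond_opt_slave_initval(), but the option is also registered by name in bond_opts, so a check for a missing slave_dev before the lookup (returning -ENODEV as the existing branch does) would make the setter safe for any other caller.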
diff --git a/include/net/bond_3ad.h b/include/net/bond_3ad.h
index 5047711944df9..579f3000a855e 100644
--- a/include/net/bond_3ad.h
+++ b/include/net/bond_3ad.h
@@ -271,6 +271,7 @@ struct ad_slave_info {
struct port port; /* 802.3ad port structure */
struct bond_3ad_stats stats;
u16 id;
+ u16 port_priority;
};
static inline const char *bond_3ad_churn_desc(churn_state_t state)
diff --git a/include/net/bond_options.h b/include/net/bond_options.h
index 022b122a9fb61..e6eedf23aea1a 100644
--- a/include/net/bond_options.h
+++ b/include/net/bond_options.h
@@ -78,6 +78,7 @@ enum {
BOND_OPT_PRIO,
BOND_OPT_COUPLED_CONTROL,
BOND_OPT_BROADCAST_NEIGH,
+ BOND_OPT_ACTOR_PORT_PRIO,
BOND_OPT_LAST
};
diff --git a/include/uapi/linux/if_link.h b/include/uapi/linux/if_link.h
index feebb4509abd7..d255239285841 100644
--- a/include/uapi/linux/if_link.h
+++ b/include/uapi/linux/if_link.h
@@ -967,6 +967,7 @@ enum {
IFLA_BOND_SLAVE_AD_ACTOR_OPER_PORT_STATE,
IFLA_BOND_SLAVE_AD_PARTNER_OPER_PORT_STATE,
IFLA_BOND_SLAVE_PRIO,
+ IFLA_BOND_SLAVE_ACTOR_PORT_PRIO,
__IFLA_BOND_SLAVE_MAX,
};
--
2.53.0
* [PATCH 6.1 781/969] bonding: print churn state via netlink
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hangbin Liu, Paolo Abeni,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hangbin Liu <liuhangbin@gmail.com>
[ Upstream commit 4916f2e2f3fc9aef289fcd07949301e5c29094c2 ]
Currently, the churn state is printed only in sysfs. Add netlink support
so users could get the state via netlink.
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Link: https://patch.msgid.link/20260224020215.6012-1-liuhangbin@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: c4f050ce06c5 ("bonding: 3ad: implement proper RCU rules for port->aggregator")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_netlink.c | 9 +++++++++
include/uapi/linux/if_link.h | 2 ++
2 files changed, 11 insertions(+)
diff --git a/drivers/net/bonding/bond_netlink.c b/drivers/net/bonding/bond_netlink.c
index 7e47d405d74aa..086233dce9c8d 100644
--- a/drivers/net/bonding/bond_netlink.c
+++ b/drivers/net/bonding/bond_netlink.c
@@ -29,6 +29,8 @@ static size_t bond_get_slave_size(const struct net_device *bond_dev,
nla_total_size(sizeof(u16)) + /* IFLA_BOND_SLAVE_AD_PARTNER_OPER_PORT_STATE */
nla_total_size(sizeof(s32)) + /* IFLA_BOND_SLAVE_PRIO */
nla_total_size(sizeof(u16)) + /* IFLA_BOND_SLAVE_ACTOR_PORT_PRIO */
+ nla_total_size(sizeof(u8)) + /* IFLA_BOND_SLAVE_AD_CHURN_ACTOR_STATE */
+ nla_total_size(sizeof(u8)) + /* IFLA_BOND_SLAVE_AD_CHURN_PARTNER_STATE */
0;
}
@@ -76,6 +78,13 @@ static int bond_fill_slave_info(struct sk_buff *skb,
IFLA_BOND_SLAVE_AD_PARTNER_OPER_PORT_STATE,
ad_port->partner_oper.port_state))
goto nla_put_failure;
+
+ if (nla_put_u8(skb, IFLA_BOND_SLAVE_AD_CHURN_ACTOR_STATE,
+ ad_port->sm_churn_actor_state))
+ goto nla_put_failure;
+ if (nla_put_u8(skb, IFLA_BOND_SLAVE_AD_CHURN_PARTNER_STATE,
+ ad_port->sm_churn_partner_state))
+ goto nla_put_failure;
}
if (nla_put_u16(skb, IFLA_BOND_SLAVE_ACTOR_PORT_PRIO,
diff --git a/include/uapi/linux/if_link.h b/include/uapi/linux/if_link.h
index d255239285841..d674eb4f1a90c 100644
--- a/include/uapi/linux/if_link.h
+++ b/include/uapi/linux/if_link.h
@@ -968,6 +968,8 @@ enum {
IFLA_BOND_SLAVE_AD_PARTNER_OPER_PORT_STATE,
IFLA_BOND_SLAVE_PRIO,
IFLA_BOND_SLAVE_ACTOR_PORT_PRIO,
+ IFLA_BOND_SLAVE_AD_CHURN_ACTOR_STATE,
+ IFLA_BOND_SLAVE_AD_CHURN_PARTNER_STATE,
__IFLA_BOND_SLAVE_MAX,
};
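Review bot: IFLA_BOND_SLAVE_AD_CHURN_ACTOR_STATE and IFLA_BOND_SLAVE_AD_CHURN_PARTNER_STATE are exported as raw u8 copies of ad_port->sm_churn_actor_state and ad_port->sm_churn_partner_state, yet this header hunk adds only the attribute ids and no description of what the values mean. Add a comment here, or a paragraph in the bonding documentation, naming the states userspace should expect, since these numbers become ABI once released.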
--
2.53.0
* [PATCH 6.1 782/969] bonding: 3ad: implement proper RCU rules for port->aggregator
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+9bb2ff2a4ab9e17307e1,
Eric Dumazet, Jay Vosburgh, Andrew Lunn, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit c4f050ce06c56cfb5993268af4a5cb66ed1cd04e ]
syzbot found a data-race in bond_3ad_get_active_agg_info /
bond_3ad_state_machine_handler [1] which hints at lack of proper
RCU implementation.
Add __rcu qualifier to port->aggregator, and add proper RCU API.
[1]
BUG: KCSAN: data-race in bond_3ad_get_active_agg_info / bond_3ad_state_machine_handler
write to 0xffff88813cf5c4b0 of 8 bytes by task 36 on cpu 0:
ad_port_selection_logic drivers/net/bonding/bond_3ad.c:1659 [inline]
bond_3ad_state_machine_handler+0x9d5/0x2d60 drivers/net/bonding/bond_3ad.c:2569
process_one_work kernel/workqueue.c:3302 [inline]
process_scheduled_works+0x4f0/0x9c0 kernel/workqueue.c:3385
worker_thread+0x58a/0x780 kernel/workqueue.c:3466
kthread+0x22a/0x280 kernel/kthread.c:436
ret_from_fork+0x146/0x330 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
read to 0xffff88813cf5c4b0 of 8 bytes by task 22063 on cpu 1:
__bond_3ad_get_active_agg_info drivers/net/bonding/bond_3ad.c:2858 [inline]
bond_3ad_get_active_agg_info+0x8c/0x230 drivers/net/bonding/bond_3ad.c:2881
bond_fill_info+0xe0f/0x10f0 drivers/net/bonding/bond_netlink.c:853
rtnl_link_info_fill net/core/rtnetlink.c:906 [inline]
rtnl_link_fill+0x1d7/0x4e0 net/core/rtnetlink.c:927
rtnl_fill_ifinfo+0xf8e/0x1380 net/core/rtnetlink.c:2168
rtmsg_ifinfo_build_skb+0x11c/0x1b0 net/core/rtnetlink.c:4453
rtmsg_ifinfo_event net/core/rtnetlink.c:4486 [inline]
rtmsg_ifinfo+0x6d/0x110 net/core/rtnetlink.c:4495
__dev_notify_flags+0x76/0x390 net/core/dev.c:9790
netif_change_flags+0xac/0xd0 net/core/dev.c:9823
do_setlink+0x905/0x2950 net/core/rtnetlink.c:3180
rtnl_group_changelink net/core/rtnetlink.c:3813 [inline]
__rtnl_newlink net/core/rtnetlink.c:3981 [inline]
rtnl_newlink+0xf55/0x1400 net/core/rtnetlink.c:4109
rtnetlink_rcv_msg+0x64b/0x720 net/core/rtnetlink.c:6995
netlink_rcv_skb+0x123/0x220 net/netlink/af_netlink.c:2550
rtnetlink_rcv+0x1c/0x30 net/core/rtnetlink.c:7022
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x5a8/0x680 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x5c8/0x6f0 net/netlink/af_netlink.c:1894
sock_sendmsg_nosec net/socket.c:787 [inline]
__sock_sendmsg net/socket.c:802 [inline]
____sys_sendmsg+0x563/0x5b0 net/socket.c:2698
___sys_sendmsg+0x195/0x1e0 net/socket.c:2752
__sys_sendmsg net/socket.c:2784 [inline]
__do_sys_sendmsg net/socket.c:2789 [inline]
__se_sys_sendmsg net/socket.c:2787 [inline]
__x64_sys_sendmsg+0xd4/0x160 net/socket.c:2787
x64_sys_call+0x194c/0x3020 arch/x86/include/generated/asm/syscalls_64.h:47
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x12c/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
value changed: 0x0000000000000000 -> 0xffff88813cf5c400
Reported by Kernel Concurrency Sanitizer on:
CPU: 1 UID: 0 PID: 22063 Comm: syz.0.31122 Tainted: G W syzkaller #0 PREEMPT(full)
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Fixes: 47e91f56008b ("bonding: use RCU protection for 3ad xmit path")
Reported-by: syzbot+9bb2ff2a4ab9e17307e1@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/69f0a82f.050a0220.3aadc4.0000.GAE@google.com/
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Jay Vosburgh <jv@jvosburgh.net>
Cc: Andrew Lunn <andrew+netdev@lunn.ch>
Link: https://patch.msgid.link/20260428123207.3809211-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_3ad.c | 109 ++++++++++++++-----------
drivers/net/bonding/bond_main.c | 8 +-
drivers/net/bonding/bond_netlink.c | 16 ++--
drivers/net/bonding/bond_procfs.c | 3 +-
drivers/net/bonding/bond_sysfs_slave.c | 17 ++--
include/net/bond_3ad.h | 2 +-
6 files changed, 89 insertions(+), 66 deletions(-)
diff --git a/drivers/net/bonding/bond_3ad.c b/drivers/net/bonding/bond_3ad.c
index cf611dce8fad1..2849c2e6a8951 100644
--- a/drivers/net/bonding/bond_3ad.c
+++ b/drivers/net/bonding/bond_3ad.c
@@ -982,6 +982,7 @@ static int ad_marker_send(struct port *port, struct bond_marker *marker)
static void ad_mux_machine(struct port *port, bool *update_slave_arr)
{
struct bonding *bond = __get_bond_by_port(port);
+ struct aggregator *aggregator;
mux_states_t last_state;
/* keep current State Machine state to compare later if it was
@@ -989,6 +990,7 @@ static void ad_mux_machine(struct port *port, bool *update_slave_arr)
*/
last_state = port->sm_mux_state;
+ aggregator = rcu_dereference(port->aggregator);
if (port->sm_vars & AD_PORT_BEGIN) {
port->sm_mux_state = AD_MUX_DETACHED;
} else {
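Review bot: `aggregator = rcu_dereference(port->aggregator)` at the top of ad_mux_machine() is only valid if every caller is inside an RCU read-side critical section, and nothing in the visible hunks shows which protection applies on this path. If the state machine is serialized by a lock rather than by rcu_read_lock(), rcu_dereference_protected() with the matching lockdep expression documents that and avoids a lockdep complaint; either way a one-line comment on the expected calling context would help.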
@@ -1008,7 +1010,7 @@ static void ad_mux_machine(struct port *port, bool *update_slave_arr)
* cycle to update ready variable, we check
* READY_N and update READY here
*/
- __set_agg_ports_ready(port->aggregator, __agg_ports_are_ready(port->aggregator));
+ __set_agg_ports_ready(aggregator, __agg_ports_are_ready(aggregator));
port->sm_mux_state = AD_MUX_DETACHED;
break;
}
@@ -1023,7 +1025,7 @@ static void ad_mux_machine(struct port *port, bool *update_slave_arr)
* update ready variable, we check READY_N and update
* READY here
*/
- __set_agg_ports_ready(port->aggregator, __agg_ports_are_ready(port->aggregator));
+ __set_agg_ports_ready(aggregator, __agg_ports_are_ready(aggregator));
/* if the wait_while_timer expired, and the port is
* in READY state, move to ATTACHED state
@@ -1039,7 +1041,7 @@ static void ad_mux_machine(struct port *port, bool *update_slave_arr)
if ((port->sm_vars & AD_PORT_SELECTED) &&
(port->partner_oper.port_state & LACP_STATE_SYNCHRONIZATION) &&
!__check_agg_selection_timer(port)) {
- if (port->aggregator->is_active) {
+ if (aggregator->is_active) {
int state = AD_MUX_COLLECTING_DISTRIBUTING;
if (!bond->params.coupled_control)
@@ -1055,9 +1057,9 @@ static void ad_mux_machine(struct port *port, bool *update_slave_arr)
* cycle to update ready variable, we check
* READY_N and update READY here
*/
- __set_agg_ports_ready(port->aggregator, __agg_ports_are_ready(port->aggregator));
+ __set_agg_ports_ready(aggregator, __agg_ports_are_ready(aggregator));
port->sm_mux_state = AD_MUX_DETACHED;
- } else if (port->aggregator->is_active) {
+ } else if (aggregator->is_active) {
port->actor_oper_port_state |=
LACP_STATE_SYNCHRONIZATION;
}
@@ -1068,7 +1070,7 @@ static void ad_mux_machine(struct port *port, bool *update_slave_arr)
* sure that a collecting distributing
* port in an active aggregator is enabled
*/
- if (port->aggregator->is_active &&
+ if (aggregator->is_active &&
!__port_is_collecting_distributing(port)) {
__enable_port(port);
*update_slave_arr = true;
@@ -1087,7 +1089,7 @@ static void ad_mux_machine(struct port *port, bool *update_slave_arr)
*/
struct slave *slave = port->slave;
- if (port->aggregator->is_active &&
+ if (aggregator->is_active &&
bond_is_slave_rx_disabled(slave)) {
ad_enable_collecting(port);
*update_slave_arr = true;
@@ -1107,8 +1109,8 @@ static void ad_mux_machine(struct port *port, bool *update_slave_arr)
* sure that a collecting distributing
* port in an active aggregator is enabled
*/
- if (port->aggregator &&
- port->aggregator->is_active &&
+ if (aggregator &&
+ aggregator->is_active &&
!__port_is_collecting_distributing(port)) {
__enable_port(port);
*update_slave_arr = true;
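Review bot: this is the only converted branch in ad_mux_machine() that tests `aggregator` for NULL before reading `is_active`; the other branches changed by this patch read `aggregator->is_active` straight from the same snapshot. That matches the old `port->aggregator` behaviour, but now that one local feeds every state, either add a comment saying why only this state can observe a NULL aggregator or make the check uniform.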
@@ -1140,7 +1142,7 @@ static void ad_mux_machine(struct port *port, bool *update_slave_arr)
port->sm_mux_timer_counter = __ad_timer_to_ticks(AD_WAIT_WHILE_TIMER, 0);
break;
case AD_MUX_ATTACHED:
- if (port->aggregator->is_active)
+ if (aggregator->is_active)
port->actor_oper_port_state |=
LACP_STATE_SYNCHRONIZATION;
else
@@ -1513,9 +1515,9 @@ static void ad_port_selection_logic(struct port *port, bool *update_slave_arr)
bond = __get_bond_by_port(port);
/* if the port is connected to other aggregator, detach it */
- if (port->aggregator) {
+ temp_aggregator = rcu_dereference(port->aggregator);
+ if (temp_aggregator) {
/* detach the port from its former aggregator */
- temp_aggregator = port->aggregator;
for (curr_port = temp_aggregator->lag_ports; curr_port;
last_port = curr_port,
curr_port = curr_port->next_port_in_aggregator) {
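Review bot: `temp_aggregator = rcu_dereference(port->aggregator);` sits on the update path, since the same function later clears the pointer with RCU_INIT_POINTER() and republishes it with rcu_assign_pointer(). If an updater lock is held at this point, rcu_dereference_protected() with the lockdep expression for that lock would document the writer side and let lockdep verify it; if not, a comment should say what serialises the writers.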
@@ -1538,7 +1540,7 @@ static void ad_port_selection_logic(struct port *port, bool *update_slave_arr)
/* clear the port's relations to this
* aggregator
*/
- port->aggregator = NULL;
+ RCU_INIT_POINTER(port->aggregator, NULL);
port->next_port_in_aggregator = NULL;
port->actor_port_aggregator_identifier = 0;
@@ -1561,7 +1563,7 @@ static void ad_port_selection_logic(struct port *port, bool *update_slave_arr)
port->slave->bond->dev->name,
port->slave->dev->name,
port->actor_port_number,
- port->aggregator->aggregator_identifier);
+ temp_aggregator->aggregator_identifier);
}
}
/* search on all aggregators for a suitable aggregator for this port */
@@ -1585,15 +1587,15 @@ static void ad_port_selection_logic(struct port *port, bool *update_slave_arr)
)
) {
/* attach to the founded aggregator */
- port->aggregator = aggregator;
+ rcu_assign_pointer(port->aggregator, aggregator);
port->actor_port_aggregator_identifier =
- port->aggregator->aggregator_identifier;
+ aggregator->aggregator_identifier;
port->next_port_in_aggregator = aggregator->lag_ports;
- port->aggregator->num_of_ports++;
+ aggregator->num_of_ports++;
aggregator->lag_ports = port;
slave_dbg(bond->dev, slave->dev, "Port %d joined LAG %d (existing LAG)\n",
port->actor_port_number,
- port->aggregator->aggregator_identifier);
+ aggregator->aggregator_identifier);
/* mark this port as selected */
port->sm_vars |= AD_PORT_SELECTED;
@@ -1608,39 +1610,40 @@ static void ad_port_selection_logic(struct port *port, bool *update_slave_arr)
if (!found) {
if (free_aggregator) {
/* assign port a new aggregator */
- port->aggregator = free_aggregator;
port->actor_port_aggregator_identifier =
- port->aggregator->aggregator_identifier;
+ free_aggregator->aggregator_identifier;
/* update the new aggregator's parameters
* if port was responsed from the end-user
*/
if (port->actor_oper_port_key & AD_DUPLEX_KEY_MASKS)
/* if port is full duplex */
- port->aggregator->is_individual = false;
+ free_aggregator->is_individual = false;
else
- port->aggregator->is_individual = true;
+ free_aggregator->is_individual = true;
- port->aggregator->actor_admin_aggregator_key =
+ free_aggregator->actor_admin_aggregator_key =
port->actor_admin_port_key;
- port->aggregator->actor_oper_aggregator_key =
+ free_aggregator->actor_oper_aggregator_key =
port->actor_oper_port_key;
- port->aggregator->partner_system =
+ free_aggregator->partner_system =
port->partner_oper.system;
- port->aggregator->partner_system_priority =
+ free_aggregator->partner_system_priority =
port->partner_oper.system_priority;
- port->aggregator->partner_oper_aggregator_key = port->partner_oper.key;
- port->aggregator->receive_state = 1;
- port->aggregator->transmit_state = 1;
- port->aggregator->lag_ports = port;
- port->aggregator->num_of_ports++;
+ free_aggregator->partner_oper_aggregator_key = port->partner_oper.key;
+ free_aggregator->receive_state = 1;
+ free_aggregator->transmit_state = 1;
+ free_aggregator->lag_ports = port;
+ free_aggregator->num_of_ports++;
+
+ rcu_assign_pointer(port->aggregator, free_aggregator);
/* mark this port as selected */
port->sm_vars |= AD_PORT_SELECTED;
slave_dbg(bond->dev, port->slave->dev, "Port %d joined LAG %d (new LAG)\n",
port->actor_port_number,
- port->aggregator->aggregator_identifier);
+ free_aggregator->aggregator_identifier);
} else {
slave_err(bond->dev, port->slave->dev,
"Port %d did not find a suitable aggregator\n",
@@ -1652,13 +1655,12 @@ static void ad_port_selection_logic(struct port *port, bool *update_slave_arr)
* in all aggregator's ports, else set ready=FALSE in all
* aggregator's ports
*/
- __set_agg_ports_ready(port->aggregator,
- __agg_ports_are_ready(port->aggregator));
+ aggregator = rcu_dereference(port->aggregator);
+ __set_agg_ports_ready(aggregator, __agg_ports_are_ready(aggregator));
- aggregator = __get_first_agg(port);
- ad_agg_selection_logic(aggregator, update_slave_arr);
+ ad_agg_selection_logic(__get_first_agg(port), update_slave_arr);
- if (!port->aggregator->is_active)
+ if (!aggregator->is_active)
port->actor_oper_port_state &= ~LACP_STATE_SYNCHRONIZATION;
}
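Review bot: `if (!aggregator->is_active)` at the end of this hunk dereferences the freshly loaded pointer with no NULL test, and the "did not find a suitable aggregator" branch in the preceding hunk assigns nothing to `port->aggregator`. Please confirm that branch cannot fall through to here; if it can, `aggregator` needs a check before both `__set_agg_ports_ready()` and the `is_active` read. Separately, the local `aggregator` used to hold the `__get_first_agg(port)` result and now holds the port's own aggregator, which is easy to misread in a backport; a distinct name would help.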
@@ -2012,13 +2014,15 @@ static void ad_initialize_port(struct port *port, const struct bond_params *bond
*/
static void ad_enable_collecting(struct port *port)
{
- if (port->aggregator->is_active) {
+ struct aggregator *aggregator = rcu_dereference(port->aggregator);
+
+ if (aggregator->is_active) {
struct slave *slave = port->slave;
slave_dbg(slave->bond->dev, slave->dev,
"Enabling collecting on port %d (LAG %d)\n",
port->actor_port_number,
- port->aggregator->aggregator_identifier);
+ aggregator->aggregator_identifier);
__enable_collecting_port(port);
}
}
@@ -2030,11 +2034,13 @@ static void ad_enable_collecting(struct port *port)
*/
static void ad_disable_distributing(struct port *port, bool *update_slave_arr)
{
- if (port->aggregator && __agg_has_partner(port->aggregator)) {
+ struct aggregator *aggregator = rcu_dereference(port->aggregator);
+
+ if (aggregator && __agg_has_partner(aggregator)) {
slave_dbg(port->slave->bond->dev, port->slave->dev,
"Disabling distributing on port %d (LAG %d)\n",
port->actor_port_number,
- port->aggregator->aggregator_identifier);
+ aggregator->aggregator_identifier);
__disable_distributing_port(port);
/* Slave array needs an update */
*update_slave_arr = true;
@@ -2051,11 +2057,13 @@ static void ad_disable_distributing(struct port *port, bool *update_slave_arr)
static void ad_enable_collecting_distributing(struct port *port,
bool *update_slave_arr)
{
- if (port->aggregator->is_active) {
+ struct aggregator *aggregator = rcu_dereference(port->aggregator);
+
+ if (aggregator->is_active) {
slave_dbg(port->slave->bond->dev, port->slave->dev,
"Enabling port %d (LAG %d)\n",
port->actor_port_number,
- port->aggregator->aggregator_identifier);
+ aggregator->aggregator_identifier);
__enable_port(port);
/* Slave array needs update */
*update_slave_arr = true;
@@ -2070,11 +2078,13 @@ static void ad_enable_collecting_distributing(struct port *port,
static void ad_disable_collecting_distributing(struct port *port,
bool *update_slave_arr)
{
- if (port->aggregator && __agg_has_partner(port->aggregator)) {
+ struct aggregator *aggregator = rcu_dereference(port->aggregator);
+
+ if (aggregator && __agg_has_partner(aggregator)) {
slave_dbg(port->slave->bond->dev, port->slave->dev,
"Disabling port %d (LAG %d)\n",
port->actor_port_number,
- port->aggregator->aggregator_identifier);
+ aggregator->aggregator_identifier);
__disable_port(port);
/* Slave array needs an update */
*update_slave_arr = true;
@@ -2314,7 +2324,7 @@ void bond_3ad_unbind_slave(struct slave *slave)
*/
for (temp_port = aggregator->lag_ports; temp_port;
temp_port = temp_port->next_port_in_aggregator) {
- temp_port->aggregator = new_aggregator;
+ rcu_assign_pointer(temp_port->aggregator, new_aggregator);
temp_port->actor_port_aggregator_identifier = new_aggregator->aggregator_identifier;
}
@@ -2783,15 +2793,16 @@ int bond_3ad_set_carrier(struct bonding *bond)
int __bond_3ad_get_active_agg_info(struct bonding *bond,
struct ad_info *ad_info)
{
- struct aggregator *aggregator = NULL;
+ struct aggregator *aggregator = NULL, *tmp;
struct list_head *iter;
struct slave *slave;
struct port *port;
bond_for_each_slave_rcu(bond, slave, iter) {
port = &(SLAVE_AD_INFO(slave)->port);
- if (port->aggregator && port->aggregator->is_active) {
- aggregator = port->aggregator;
+ tmp = rcu_dereference(port->aggregator);
+ if (tmp && tmp->is_active) {
+ aggregator = tmp;
break;
}
}
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 97821c3c8b9a8..d3c41dc57e547 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -1374,7 +1374,7 @@ static void bond_poll_controller(struct net_device *bond_dev)
if (BOND_MODE(bond) == BOND_MODE_8023AD) {
struct aggregator *agg =
- SLAVE_AD_INFO(slave)->port.aggregator;
+ rcu_dereference(SLAVE_AD_INFO(slave)->port.aggregator);
if (agg &&
agg->aggregator_identifier != ad_info.aggregator_id)
@@ -5183,15 +5183,16 @@ int bond_update_slave_arr(struct bonding *bond, struct slave *skipslave)
spin_unlock_bh(&bond->mode_lock);
agg_id = ad_info.aggregator_id;
}
+ rcu_read_lock();
bond_for_each_slave(bond, slave, iter) {
if (skipslave == slave)
continue;
all_slaves->arr[all_slaves->count++] = slave;
if (BOND_MODE(bond) == BOND_MODE_8023AD) {
- struct aggregator *agg;
+ const struct aggregator *agg;
- agg = SLAVE_AD_INFO(slave)->port.aggregator;
+ agg = rcu_dereference(SLAVE_AD_INFO(slave)->port.aggregator);
if (!agg || agg->aggregator_identifier != agg_id)
continue;
}
@@ -5203,6 +5204,7 @@ int bond_update_slave_arr(struct bonding *bond, struct slave *skipslave)
usable_slaves->arr[usable_slaves->count++] = slave;
}
+ rcu_read_unlock();
bond_set_slave_arr(bond, usable_slaves, all_slaves);
return ret;
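Review bot: rcu_read_lock() is taken before `bond_for_each_slave()` and released only after the loop, so every exit from the loop body has to reach the `rcu_read_unlock()` added here. The visible body only uses `continue`; please confirm the lines between the two hunks contain no `goto` or `return`, otherwise the read-side section is left open. Narrowing the section to the `rcu_dereference()` and the `agg->aggregator_identifier` comparison would make the pairing obvious from a single hunk.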
diff --git a/drivers/net/bonding/bond_netlink.c b/drivers/net/bonding/bond_netlink.c
index 086233dce9c8d..0eaf4b0e06ffb 100644
--- a/drivers/net/bonding/bond_netlink.c
+++ b/drivers/net/bonding/bond_netlink.c
@@ -65,27 +65,29 @@ static int bond_fill_slave_info(struct sk_buff *skb,
const struct port *ad_port;
ad_port = &SLAVE_AD_INFO(slave)->port;
- agg = SLAVE_AD_INFO(slave)->port.aggregator;
+ rcu_read_lock();
+ agg = rcu_dereference(SLAVE_AD_INFO(slave)->port.aggregator);
if (agg) {
if (nla_put_u16(skb, IFLA_BOND_SLAVE_AD_AGGREGATOR_ID,
agg->aggregator_identifier))
- goto nla_put_failure;
+ goto nla_put_failure_rcu;
if (nla_put_u8(skb,
IFLA_BOND_SLAVE_AD_ACTOR_OPER_PORT_STATE,
ad_port->actor_oper_port_state))
- goto nla_put_failure;
+ goto nla_put_failure_rcu;
if (nla_put_u16(skb,
IFLA_BOND_SLAVE_AD_PARTNER_OPER_PORT_STATE,
ad_port->partner_oper.port_state))
- goto nla_put_failure;
+ goto nla_put_failure_rcu;
if (nla_put_u8(skb, IFLA_BOND_SLAVE_AD_CHURN_ACTOR_STATE,
ad_port->sm_churn_actor_state))
- goto nla_put_failure;
+ goto nla_put_failure_rcu;
if (nla_put_u8(skb, IFLA_BOND_SLAVE_AD_CHURN_PARTNER_STATE,
ad_port->sm_churn_partner_state))
- goto nla_put_failure;
+ goto nla_put_failure_rcu;
}
+ rcu_read_unlock();
if (nla_put_u16(skb, IFLA_BOND_SLAVE_ACTOR_PORT_PRIO,
SLAVE_AD_INFO(slave)->port_priority))
@@ -94,6 +96,8 @@ static int bond_fill_slave_info(struct sk_buff *skb,
return 0;
+nla_put_failure_rcu:
+ rcu_read_unlock();
nla_put_failure:
return -EMSGSIZE;
}
diff --git a/drivers/net/bonding/bond_procfs.c b/drivers/net/bonding/bond_procfs.c
index 43be458422b3f..bc919814eb504 100644
--- a/drivers/net/bonding/bond_procfs.c
+++ b/drivers/net/bonding/bond_procfs.c
@@ -187,6 +187,7 @@ static void bond_info_show_master(struct seq_file *seq)
}
}
+/* Note: runs under rcu_read_lock() */
static void bond_info_show_slave(struct seq_file *seq,
const struct slave *slave)
{
@@ -213,7 +214,7 @@ static void bond_info_show_slave(struct seq_file *seq,
if (BOND_MODE(bond) == BOND_MODE_8023AD) {
const struct port *port = &SLAVE_AD_INFO(slave)->port;
- const struct aggregator *agg = port->aggregator;
+ const struct aggregator *agg = rcu_dereference(port->aggregator);
if (agg) {
seq_printf(seq, "Aggregator ID: %d\n",
diff --git a/drivers/net/bonding/bond_sysfs_slave.c b/drivers/net/bonding/bond_sysfs_slave.c
index 313866f2c0e49..75df3e21b804d 100644
--- a/drivers/net/bonding/bond_sysfs_slave.c
+++ b/drivers/net/bonding/bond_sysfs_slave.c
@@ -62,10 +62,15 @@ static ssize_t ad_aggregator_id_show(struct slave *slave, char *buf)
const struct aggregator *agg;
if (BOND_MODE(slave->bond) == BOND_MODE_8023AD) {
- agg = SLAVE_AD_INFO(slave)->port.aggregator;
- if (agg)
- return sysfs_emit(buf, "%d\n",
- agg->aggregator_identifier);
+ rcu_read_lock();
+ agg = rcu_dereference(SLAVE_AD_INFO(slave)->port.aggregator);
+ if (agg) {
+ ssize_t res = sysfs_emit(buf, "%d\n",
+ agg->aggregator_identifier);
+ rcu_read_unlock();
+ return res;
+ }
+ rcu_read_unlock();
}
return sysfs_emit(buf, "N/A\n");
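Review bot: ad_aggregator_id_show() now has two `rcu_read_unlock()` calls, one on the early return and one on the fall-through, which is the shape that tends to lose an unlock when a branch is added later. Copying `agg->aggregator_identifier` into a local inside the read-side section, unlocking once, and calling `sysfs_emit()` afterwards gives a single lock/unlock pair and drops the `res` temporary.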
@@ -78,7 +83,7 @@ static ssize_t ad_actor_oper_port_state_show(struct slave *slave, char *buf)
if (BOND_MODE(slave->bond) == BOND_MODE_8023AD) {
ad_port = &SLAVE_AD_INFO(slave)->port;
- if (ad_port->aggregator)
+ if (rcu_access_pointer(ad_port->aggregator))
return sysfs_emit(buf, "%u\n",
ad_port->actor_oper_port_state);
}
@@ -93,7 +98,7 @@ static ssize_t ad_partner_oper_port_state_show(struct slave *slave, char *buf)
if (BOND_MODE(slave->bond) == BOND_MODE_8023AD) {
ad_port = &SLAVE_AD_INFO(slave)->port;
- if (ad_port->aggregator)
+ if (rcu_access_pointer(ad_port->aggregator))
return sysfs_emit(buf, "%u\n",
ad_port->partner_oper.port_state);
}
diff --git a/include/net/bond_3ad.h b/include/net/bond_3ad.h
index 579f3000a855e..3f4496df50acd 100644
--- a/include/net/bond_3ad.h
+++ b/include/net/bond_3ad.h
@@ -239,7 +239,7 @@ typedef struct port {
churn_state_t sm_churn_actor_state;
churn_state_t sm_churn_partner_state;
struct slave *slave; /* pointer to the bond slave that this port belongs to */
- struct aggregator *aggregator; /* pointer to an aggregator that this port related to */
+ struct aggregator __rcu *aggregator; /* pointer to an aggregator that this port related to */
struct port *next_port_in_aggregator; /* Next port on the linked list of the parent aggregator */
u32 transaction_id; /* continuous number for identification of Marker PDU's; */
struct lacpdu lacpdu; /* the lacpdu that will be sent for this port */
--
2.53.0
* [PATCH 6.1 783/969] iavf: rename IAVF_VLAN_IS_NEW to IAVF_VLAN_ADDING
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (781 preceding siblings ...)
2026-05-30 16:05 ` [PATCH 6.1 782/969] bonding: 3ad: implement proper RCU rules for port->aggregator Greg Kroah-Hartman
@ 2026-05-30 16:05 ` Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 784/969] iavf: stop removing VLAN filters from PF on interface down Greg Kroah-Hartman
` (192 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Oros, Aleksandr Loktionov,
Rafal Romanowski, Simon Horman, Przemek Kitszel, Jacob Keller,
Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Oros <poros@redhat.com>
[ Upstream commit 70d62b669f1f9080a25278fc90b64309f4ae8959 ]
Rename the IAVF_VLAN_IS_NEW state to IAVF_VLAN_ADDING to better
describe what the state represents: an ADD request has been sent to
the PF and is waiting for a response.
This is a pure rename with no behavioral change, preparing for a
cleanup of the VLAN filter state machine.
Signed-off-by: Petr Oros <poros@redhat.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260427-jk-iwl-net-petr-oros-fixes-v1-1-cdcb48303fd8@intel.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: f2ce65b9b917 ("iavf: stop removing VLAN filters from PF on interface down")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/iavf/iavf.h | 2 +-
drivers/net/ethernet/intel/iavf/iavf_virtchnl.c | 8 ++++----
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/net/ethernet/intel/iavf/iavf.h b/drivers/net/ethernet/intel/iavf/iavf.h
index ee0871d929302..64309bf18ef74 100644
--- a/drivers/net/ethernet/intel/iavf/iavf.h
+++ b/drivers/net/ethernet/intel/iavf/iavf.h
@@ -158,7 +158,7 @@ struct iavf_vlan {
enum iavf_vlan_state_t {
IAVF_VLAN_INVALID,
IAVF_VLAN_ADD, /* filter needs to be added */
- IAVF_VLAN_IS_NEW, /* filter is new, wait for PF answer */
+ IAVF_VLAN_ADDING, /* ADD sent to PF, waiting for response */
IAVF_VLAN_ACTIVE, /* filter is accepted by PF */
IAVF_VLAN_DISABLE, /* filter needs to be deleted by PF, then marked INACTIVE */
IAVF_VLAN_INACTIVE, /* filter is inactive, we are in IFF_DOWN */
diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
index 951ef350323a2..de01edc5df79b 100644
--- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
+++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
@@ -642,7 +642,7 @@ static void iavf_vlan_add_reject(struct iavf_adapter *adapter)
spin_lock_bh(&adapter->mac_vlan_list_lock);
list_for_each_entry_safe(f, ftmp, &adapter->vlan_filter_list, list) {
- if (f->state == IAVF_VLAN_IS_NEW) {
+ if (f->state == IAVF_VLAN_ADDING) {
list_del(&f->list);
kfree(f);
adapter->num_vlan_filters--;
@@ -707,7 +707,7 @@ void iavf_add_vlans(struct iavf_adapter *adapter)
if (f->state == IAVF_VLAN_ADD) {
vvfl->vlan_id[i] = f->vlan.vid;
i++;
- f->state = IAVF_VLAN_IS_NEW;
+ f->state = IAVF_VLAN_ADDING;
if (i == count)
break;
}
@@ -771,7 +771,7 @@ void iavf_add_vlans(struct iavf_adapter *adapter)
vlan->tpid = f->vlan.tpid;
i++;
- f->state = IAVF_VLAN_IS_NEW;
+ f->state = IAVF_VLAN_ADDING;
}
}
@@ -2535,7 +2535,7 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter,
spin_lock_bh(&adapter->mac_vlan_list_lock);
list_for_each_entry(f, &adapter->vlan_filter_list, list) {
- if (f->state == IAVF_VLAN_IS_NEW)
+ if (f->state == IAVF_VLAN_ADDING)
f->state = IAVF_VLAN_ACTIVE;
}
spin_unlock_bh(&adapter->mac_vlan_list_lock);
--
2.53.0
* [PATCH 6.1 784/969] iavf: stop removing VLAN filters from PF on interface down
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (782 preceding siblings ...)
2026-05-30 16:05 ` [PATCH 6.1 783/969] iavf: rename IAVF_VLAN_IS_NEW to IAVF_VLAN_ADDING Greg Kroah-Hartman
@ 2026-05-30 16:05 ` Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 785/969] iavf: wait for PF confirmation before removing VLAN filters Greg Kroah-Hartman
` (191 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Oros, Aleksandr Loktionov,
Rafal Romanowski, Simon Horman, Przemek Kitszel, Jacob Keller,
Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Oros <poros@redhat.com>
[ Upstream commit f2ce65b9b917474a1a6ce68d357e15fac2aca0f2 ]
When a VF goes down, the driver currently sends DEL_VLAN to the PF for
every VLAN filter (ACTIVE -> DISABLE -> send DEL -> INACTIVE), then
re-adds them all on UP (INACTIVE -> ADD -> send ADD -> ADDING ->
ACTIVE). This round-trip is unnecessary because:
1. The PF disables the VF's queues via VIRTCHNL_OP_DISABLE_QUEUES,
which already prevents all RX/TX traffic regardless of VLAN filter
state.
2. The VLAN filters remaining in PF HW while the VF is down is
harmless - packets matching those filters have nowhere to go with
queues disabled.
3. The DEL+ADD cycle during down/up creates race windows where the
VLAN filter list is incomplete. With spoofcheck enabled, the PF
enables TX VLAN filtering on the first non-zero VLAN add, blocking
traffic for any VLANs not yet re-added.
Remove the entire DISABLE/INACTIVE state machinery:
- Remove IAVF_VLAN_DISABLE and IAVF_VLAN_INACTIVE enum values
- Remove iavf_restore_filters() and its call from iavf_open()
- Remove VLAN filter handling from iavf_clear_mac_vlan_filters(),
rename it to iavf_clear_mac_filters()
- Remove DEL_VLAN_FILTER scheduling from iavf_down()
- Remove all DISABLE/INACTIVE handling from iavf_del_vlans()
VLAN filters now stay ACTIVE across down/up cycles. Only explicit
user removal (ndo_vlan_rx_kill_vid) or PF/VF reset triggers VLAN
filter deletion/re-addition.
Fixes: ed1f5b58ea01 ("i40evf: remove VLAN filters on close")
Signed-off-by: Petr Oros <poros@redhat.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260427-jk-iwl-net-petr-oros-fixes-v1-2-cdcb48303fd8@intel.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/iavf/iavf.h | 6 +--
drivers/net/ethernet/intel/iavf/iavf_main.c | 39 ++-----------------
.../net/ethernet/intel/iavf/iavf_virtchnl.c | 33 +++-------------
3 files changed, 12 insertions(+), 66 deletions(-)
diff --git a/drivers/net/ethernet/intel/iavf/iavf.h b/drivers/net/ethernet/intel/iavf/iavf.h
index 64309bf18ef74..dbbe622dec12f 100644
--- a/drivers/net/ethernet/intel/iavf/iavf.h
+++ b/drivers/net/ethernet/intel/iavf/iavf.h
@@ -159,10 +159,8 @@ enum iavf_vlan_state_t {
IAVF_VLAN_INVALID,
IAVF_VLAN_ADD, /* filter needs to be added */
IAVF_VLAN_ADDING, /* ADD sent to PF, waiting for response */
- IAVF_VLAN_ACTIVE, /* filter is accepted by PF */
- IAVF_VLAN_DISABLE, /* filter needs to be deleted by PF, then marked INACTIVE */
- IAVF_VLAN_INACTIVE, /* filter is inactive, we are in IFF_DOWN */
- IAVF_VLAN_REMOVE, /* filter needs to be removed from list */
+ IAVF_VLAN_ACTIVE, /* PF confirmed, filter is in HW */
+ IAVF_VLAN_REMOVE, /* filter queued for DEL from PF */
};
struct iavf_vlan_filter {
diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
index 667949e8833bf..6346479366aa4 100644
--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
+++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
@@ -875,27 +875,6 @@ static void iavf_del_vlan(struct iavf_adapter *adapter, struct iavf_vlan vlan)
spin_unlock_bh(&adapter->mac_vlan_list_lock);
}
-/**
- * iavf_restore_filters
- * @adapter: board private structure
- *
- * Restore existing non MAC filters when VF netdev comes back up
- **/
-static void iavf_restore_filters(struct iavf_adapter *adapter)
-{
- struct iavf_vlan_filter *f;
-
- /* re-add all VLAN filters */
- spin_lock_bh(&adapter->mac_vlan_list_lock);
-
- list_for_each_entry(f, &adapter->vlan_filter_list, list) {
- if (f->state == IAVF_VLAN_INACTIVE)
- f->state = IAVF_VLAN_ADD;
- }
-
- spin_unlock_bh(&adapter->mac_vlan_list_lock);
- adapter->aq_required |= IAVF_FLAG_AQ_ADD_VLAN_FILTER;
-}
/**
* iavf_get_num_vlans_added - get number of VLANs added
@@ -1322,13 +1301,12 @@ static void iavf_up_complete(struct iavf_adapter *adapter)
}
/**
- * iavf_clear_mac_vlan_filters - Remove mac and vlan filters not sent to PF
- * yet and mark other to be removed.
+ * iavf_clear_mac_filters - Remove MAC filters not sent to PF yet and mark
+ * others to be removed.
* @adapter: board private structure
**/
-static void iavf_clear_mac_vlan_filters(struct iavf_adapter *adapter)
+static void iavf_clear_mac_filters(struct iavf_adapter *adapter)
{
- struct iavf_vlan_filter *vlf, *vlftmp;
struct iavf_mac_filter *f, *ftmp;
spin_lock_bh(&adapter->mac_vlan_list_lock);
@@ -1347,11 +1325,6 @@ static void iavf_clear_mac_vlan_filters(struct iavf_adapter *adapter)
}
}
- /* disable all VLAN filters */
- list_for_each_entry_safe(vlf, vlftmp, &adapter->vlan_filter_list,
- list)
- vlf->state = IAVF_VLAN_DISABLE;
-
spin_unlock_bh(&adapter->mac_vlan_list_lock);
}
@@ -1447,7 +1420,7 @@ void iavf_down(struct iavf_adapter *adapter)
iavf_napi_disable_all(adapter);
iavf_irq_disable(adapter);
- iavf_clear_mac_vlan_filters(adapter);
+ iavf_clear_mac_filters(adapter);
iavf_clear_cloud_filters(adapter);
iavf_clear_fdir_filters(adapter);
iavf_clear_adv_rss_conf(adapter);
@@ -1462,8 +1435,6 @@ void iavf_down(struct iavf_adapter *adapter)
*/
if (!list_empty(&adapter->mac_filter_list))
adapter->aq_required |= IAVF_FLAG_AQ_DEL_MAC_FILTER;
- if (!list_empty(&adapter->vlan_filter_list))
- adapter->aq_required |= IAVF_FLAG_AQ_DEL_VLAN_FILTER;
if (!list_empty(&adapter->cloud_filter_list))
adapter->aq_required |= IAVF_FLAG_AQ_DEL_CLOUD_FILTER;
if (!list_empty(&adapter->fdir_list_head))
@@ -4352,8 +4323,6 @@ static int iavf_open(struct net_device *netdev)
spin_unlock_bh(&adapter->mac_vlan_list_lock);
- /* Restore filters that were removed with IFF_DOWN */
- iavf_restore_filters(adapter);
iavf_restore_fdir_filters(adapter);
iavf_configure(adapter);
diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
index de01edc5df79b..ca7448e096a86 100644
--- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
+++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
@@ -808,22 +808,12 @@ void iavf_del_vlans(struct iavf_adapter *adapter)
spin_lock_bh(&adapter->mac_vlan_list_lock);
list_for_each_entry_safe(f, ftmp, &adapter->vlan_filter_list, list) {
- /* since VLAN capabilities are not allowed, we dont want to send
- * a VLAN delete request because it will most likely fail and
- * create unnecessary errors/noise, so just free the VLAN
- * filters marked for removal to enable bailing out before
- * sending a virtchnl message
- */
if (f->state == IAVF_VLAN_REMOVE &&
!VLAN_FILTERING_ALLOWED(adapter)) {
list_del(&f->list);
kfree(f);
adapter->num_vlan_filters--;
- } else if (f->state == IAVF_VLAN_DISABLE &&
- !VLAN_FILTERING_ALLOWED(adapter)) {
- f->state = IAVF_VLAN_INACTIVE;
- } else if (f->state == IAVF_VLAN_REMOVE ||
- f->state == IAVF_VLAN_DISABLE) {
+ } else if (f->state == IAVF_VLAN_REMOVE) {
count++;
}
}
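Review bot: the comment deleted at the top of this loop explained the `f->state == IAVF_VLAN_REMOVE && !VLAN_FILTERING_ALLOWED(adapter)` branch, and that branch is kept. Only the `IAVF_VLAN_DISABLE` arms are going away, so the explanation of why the filter is freed without sending a virtchnl message still applies and should stay above the remaining `if`.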
@@ -855,13 +845,7 @@ void iavf_del_vlans(struct iavf_adapter *adapter)
vvfl->vsi_id = adapter->vsi_res->vsi_id;
vvfl->num_elements = count;
list_for_each_entry_safe(f, ftmp, &adapter->vlan_filter_list, list) {
- if (f->state == IAVF_VLAN_DISABLE) {
- vvfl->vlan_id[i] = f->vlan.vid;
- f->state = IAVF_VLAN_INACTIVE;
- i++;
- if (i == count)
- break;
- } else if (f->state == IAVF_VLAN_REMOVE) {
+ if (f->state == IAVF_VLAN_REMOVE) {
vvfl->vlan_id[i] = f->vlan.vid;
list_del(&f->list);
kfree(f);
@@ -906,8 +890,7 @@ void iavf_del_vlans(struct iavf_adapter *adapter)
vvfl_v2->vport_id = adapter->vsi_res->vsi_id;
vvfl_v2->num_elements = count;
list_for_each_entry_safe(f, ftmp, &adapter->vlan_filter_list, list) {
- if (f->state == IAVF_VLAN_DISABLE ||
- f->state == IAVF_VLAN_REMOVE) {
+ if (f->state == IAVF_VLAN_REMOVE) {
struct virtchnl_vlan_supported_caps *filtering_support =
&adapter->vlan_v2_caps.filtering.filtering_support;
struct virtchnl_vlan *vlan;
@@ -921,13 +904,9 @@ void iavf_del_vlans(struct iavf_adapter *adapter)
vlan->tci = f->vlan.vid;
vlan->tpid = f->vlan.tpid;
- if (f->state == IAVF_VLAN_DISABLE) {
- f->state = IAVF_VLAN_INACTIVE;
- } else {
- list_del(&f->list);
- kfree(f);
- adapter->num_vlan_filters--;
- }
+ list_del(&f->list);
+ kfree(f);
+ adapter->num_vlan_filters--;
i++;
if (i == count)
break;
--
2.53.0
* [PATCH 6.1 785/969] iavf: wait for PF confirmation before removing VLAN filters
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (783 preceding siblings ...)
2026-05-30 16:05 ` [PATCH 6.1 784/969] iavf: stop removing VLAN filters from PF on interface down Greg Kroah-Hartman
@ 2026-05-30 16:05 ` Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 786/969] iavf: add VIRTCHNL_OP_ADD_VLAN to success completion handler Greg Kroah-Hartman
` (190 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Oros, Aleksandr Loktionov,
Rafal Romanowski, Przemek Kitszel, Jacob Keller, Paolo Abeni,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Oros <poros@redhat.com>
[ Upstream commit bbcbe4ed70dea948849549af7edf44bd42bbd695 ]
The VLAN filter DELETE path was asymmetric with the ADD path: ADD
waits for PF confirmation (ADD -> ADDING -> ACTIVE), but DELETE
immediately frees the filter struct after sending the DEL message
without waiting for the PF response.
This is problematic because:
- If the PF rejects the DEL, the filter remains in HW but the driver
has already freed the tracking structure, losing sync.
- Race conditions between DEL pending and other operations
(add, reset) cannot be properly resolved if the filter struct
is already gone.
Add IAVF_VLAN_REMOVING state to make the DELETE path symmetric:
REMOVE -> REMOVING (send DEL) -> PF confirms -> kfree
-> PF rejects -> ACTIVE
In iavf_del_vlans(), transition filters from REMOVE to REMOVING
instead of immediately freeing them. The new DEL completion handler
in iavf_virtchnl_completion() frees filters on success or reverts
them to ACTIVE on error.
Update iavf_add_vlan() to handle the REMOVING state: if a DEL is
pending and the user re-adds the same VLAN, queue it for ADD so
it gets re-programmed after the PF processes the DEL.
The !VLAN_FILTERING_ALLOWED early-exit path still frees filters
directly since no PF message is sent in that case.
Also update iavf_del_vlan() to skip filters already in REMOVING
state: DEL has been sent to PF and the completion handler will
free the filter when PF confirms. Without this guard, the sequence
DEL(pending) -> user-del -> second DEL could cause the PF to return
an error for the second DEL (filter already gone), causing the
completion handler to incorrectly revert a deleted filter back to
ACTIVE.
Fixes: 968996c070ef ("iavf: Fix VLAN_V2 addition/rejection")
Signed-off-by: Petr Oros <poros@redhat.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260427-jk-iwl-net-petr-oros-fixes-v1-3-cdcb48303fd8@intel.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/iavf/iavf.h | 1 +
drivers/net/ethernet/intel/iavf/iavf_main.c | 13 ++++---
.../net/ethernet/intel/iavf/iavf_virtchnl.c | 37 +++++++++++++------
3 files changed, 34 insertions(+), 17 deletions(-)
diff --git a/drivers/net/ethernet/intel/iavf/iavf.h b/drivers/net/ethernet/intel/iavf/iavf.h
index dbbe622dec12f..468449df9756e 100644
--- a/drivers/net/ethernet/intel/iavf/iavf.h
+++ b/drivers/net/ethernet/intel/iavf/iavf.h
@@ -161,6 +161,7 @@ enum iavf_vlan_state_t {
IAVF_VLAN_ADDING, /* ADD sent to PF, waiting for response */
IAVF_VLAN_ACTIVE, /* PF confirmed, filter is in HW */
IAVF_VLAN_REMOVE, /* filter queued for DEL from PF */
+ IAVF_VLAN_REMOVING, /* DEL sent to PF, waiting for response */
};
struct iavf_vlan_filter {
diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
index 6346479366aa4..0cf6260a83fb2 100644
--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
+++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
@@ -831,10 +831,10 @@ iavf_vlan_filter *iavf_add_vlan(struct iavf_adapter *adapter,
adapter->num_vlan_filters++;
iavf_schedule_aq_request(adapter, IAVF_FLAG_AQ_ADD_VLAN_FILTER);
} else if (f->state == IAVF_VLAN_REMOVE) {
- /* Re-add the filter since we cannot tell whether the
- * pending delete has already been processed by the PF.
- * A duplicate add is harmless.
- */
+ /* DEL not yet sent to PF, cancel it */
+ f->state = IAVF_VLAN_ACTIVE;
+ } else if (f->state == IAVF_VLAN_REMOVING) {
+ /* DEL already sent to PF, re-add after completion */
f->state = IAVF_VLAN_ADD;
iavf_schedule_aq_request(adapter,
IAVF_FLAG_AQ_ADD_VLAN_FILTER);
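Review bot: the new IAVF_VLAN_REMOVE branch cancels the delete by setting f->state = IAVF_VLAN_ACTIVE, but nothing here clears the IAVF_FLAG_AQ_DEL_VLAN_FILTER request that was scheduled when the filter entered REMOVE, so iavf_del_vlans() can run with no filter left in that state; please confirm it returns cleanly when its count is zero. In the IAVF_VLAN_REMOVING branch the filter goes straight to IAVF_VLAN_ADD while the DEL reply is still outstanding, and the comment "re-add after completion" depends on the ADD not being sent before that reply; a sentence naming what enforces the ordering would help.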
@@ -865,11 +865,14 @@ static void iavf_del_vlan(struct iavf_adapter *adapter, struct iavf_vlan vlan)
list_del(&f->list);
kfree(f);
adapter->num_vlan_filters--;
- } else {
+ } else if (f->state != IAVF_VLAN_REMOVING) {
f->state = IAVF_VLAN_REMOVE;
iavf_schedule_aq_request(adapter,
IAVF_FLAG_AQ_DEL_VLAN_FILTER);
}
+ /* If REMOVING, DEL is already sent to PF; completion
+ * handler will free the filter when PF confirms.
+ */
}
spin_unlock_bh(&adapter->mac_vlan_list_lock);
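Review bot: the comment explaining the REMOVING case is placed after the closing brace of the if/else chain, where it reads as a note about the code that follows rather than about the branch that was skipped. Moving it above the "else if (f->state != IAVF_VLAN_REMOVING)" test, or into an explicit empty else, keeps the reason next to the condition it explains.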
diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
index ca7448e096a86..6fb657ec654e8 100644
--- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
+++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
@@ -844,12 +844,10 @@ void iavf_del_vlans(struct iavf_adapter *adapter)
vvfl->vsi_id = adapter->vsi_res->vsi_id;
vvfl->num_elements = count;
- list_for_each_entry_safe(f, ftmp, &adapter->vlan_filter_list, list) {
+ list_for_each_entry(f, &adapter->vlan_filter_list, list) {
if (f->state == IAVF_VLAN_REMOVE) {
vvfl->vlan_id[i] = f->vlan.vid;
- list_del(&f->list);
- kfree(f);
- adapter->num_vlan_filters--;
+ f->state = IAVF_VLAN_REMOVING;
i++;
if (i == count)
break;
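Review bot: f->state = IAVF_VLAN_REMOVING is set inside the loop that builds the message, before anything in this hunk shows the DEL being handed to the PF. Since iavf_del_vlan() now ignores filters in REMOVING and only the DEL completion handler leaves that state, a failed send or a reset before the reply would strand these entries; please confirm the send-failure and reset paths either return them to IAVF_VLAN_REMOVE or free them. The same applies to the V2 loop below.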
@@ -889,7 +887,7 @@ void iavf_del_vlans(struct iavf_adapter *adapter)
vvfl_v2->vport_id = adapter->vsi_res->vsi_id;
vvfl_v2->num_elements = count;
- list_for_each_entry_safe(f, ftmp, &adapter->vlan_filter_list, list) {
+ list_for_each_entry(f, &adapter->vlan_filter_list, list) {
if (f->state == IAVF_VLAN_REMOVE) {
struct virtchnl_vlan_supported_caps *filtering_support =
&adapter->vlan_v2_caps.filtering.filtering_support;
@@ -904,9 +902,7 @@ void iavf_del_vlans(struct iavf_adapter *adapter)
vlan->tci = f->vlan.vid;
vlan->tpid = f->vlan.tpid;
- list_del(&f->list);
- kfree(f);
- adapter->num_vlan_filters--;
+ f->state = IAVF_VLAN_REMOVING;
i++;
if (i == count)
break;
@@ -2033,10 +2029,6 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter,
ether_addr_copy(adapter->hw.mac.addr, netdev->dev_addr);
wake_up(&adapter->vc_waitqueue);
break;
- case VIRTCHNL_OP_DEL_VLAN:
- dev_err(&adapter->pdev->dev, "Failed to delete VLAN filter, error %s\n",
- iavf_stat_str(&adapter->hw, v_retval));
- break;
case VIRTCHNL_OP_DEL_ETH_ADDR:
dev_err(&adapter->pdev->dev, "Failed to delete MAC filter, error %s\n",
iavf_stat_str(&adapter->hw, v_retval));
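Review bot: dropping the VIRTCHNL_OP_DEL_VLAN case from the error switch removes the "Failed to delete VLAN filter" message, and the replacement handler added later in this file reverts the filter to IAVF_VLAN_ACTIVE on v_retval without logging. Keeping a dev_err() or dev_warn() with iavf_stat_str() in that v_retval branch would preserve the diagnostic for a PF-rejected delete.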
@@ -2520,6 +2512,27 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter,
spin_unlock_bh(&adapter->mac_vlan_list_lock);
}
break;
+ case VIRTCHNL_OP_DEL_VLAN:
+ case VIRTCHNL_OP_DEL_VLAN_V2: {
+ struct iavf_vlan_filter *f, *ftmp;
+
+ spin_lock_bh(&adapter->mac_vlan_list_lock);
+ list_for_each_entry_safe(f, ftmp, &adapter->vlan_filter_list,
+ list) {
+ if (f->state == IAVF_VLAN_REMOVING) {
+ if (v_retval) {
+ /* PF rejected DEL, keep filter */
+ f->state = IAVF_VLAN_ACTIVE;
+ } else {
+ list_del(&f->list);
+ kfree(f);
+ adapter->num_vlan_filters--;
+ }
+ }
+ }
+ spin_unlock_bh(&adapter->mac_vlan_list_lock);
+ }
+ break;
case VIRTCHNL_OP_ENABLE_VLAN_STRIPPING:
/* PF enabled vlan strip on this VF.
* Update netdev->features if needed to be in sync with ethtool.
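Review bot: the handler applies one v_retval to every filter in IAVF_VLAN_REMOVING, so it is correct only while a single DEL message is in flight and every REMOVING entry belongs to it. That invariant is not stated anywhere in the hunk; a comment above the loop would document it, and would make clear that on a rejected batch all entries revert to IAVF_VLAN_ACTIVE even if the PF objected to only one VLAN.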
--
2.53.0
* [PATCH 6.1 786/969] iavf: add VIRTCHNL_OP_ADD_VLAN to success completion handler
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Oros, Aleksandr Loktionov,
Rafal Romanowski, Przemek Kitszel, Jacob Keller, Paolo Abeni,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Oros <poros@redhat.com>
[ Upstream commit 34d33313b52eeac3a97ad2e3176d523ec70d9283 ]
The V1 ADD_VLAN opcode had no success handler; filters sent via V1
stayed in ADDING state permanently. Add a fallthrough case so V1
filters also transition ADDING -> ACTIVE on PF confirmation.
Critically, add an `if (v_retval) break` guard: the error switch in
iavf_virtchnl_completion() does NOT return after handling errors,
it falls through to the success switch. Without this guard, a
PF-rejected ADD would incorrectly mark ADDING filters as ACTIVE,
creating a driver/HW mismatch where the driver believes the filter
is installed but the PF never accepted it.
For V2, this is harmless: iavf_vlan_add_reject() in the error
block already kfree'd all ADDING filters, so the success handler
finds nothing to transition.
Fixes: 968996c070ef ("iavf: Fix VLAN_V2 addition/rejection")
Signed-off-by: Petr Oros <poros@redhat.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260427-jk-iwl-net-petr-oros-fixes-v1-4-cdcb48303fd8@intel.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/iavf/iavf_virtchnl.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
index 6fb657ec654e8..9ae7c92ae1b1f 100644
--- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
+++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
@@ -2501,9 +2501,13 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter,
spin_unlock_bh(&adapter->adv_rss_lock);
}
break;
+ case VIRTCHNL_OP_ADD_VLAN:
case VIRTCHNL_OP_ADD_VLAN_V2: {
struct iavf_vlan_filter *f;
+ if (v_retval)
+ break;
+
spin_lock_bh(&adapter->mac_vlan_list_lock);
list_for_each_entry(f, &adapter->vlan_filter_list, list) {
if (f->state == IAVF_VLAN_ADDING)
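Review bot: with "if (v_retval) break;" covering VIRTCHNL_OP_ADD_VLAN as well, a V1 add that the PF rejects skips the ADDING -> ACTIVE transition, but nothing in this hunk moves those filters out of IAVF_VLAN_ADDING. The commit message says the V2 error block frees ADDING filters through iavf_vlan_add_reject(); please confirm the V1 opcode reaches the same cleanup, otherwise rejected V1 filters stay in ADDING, which is the stuck state this patch sets out to remove.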
--
2.53.0
* [PATCH 6.1 787/969] ice: Pull common tasks into ice_vf_post_vsi_rebuild
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jacob Keller, Marek Szlosek,
Tony Nguyen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jacob Keller <jacob.e.keller@intel.com>
[ Upstream commit aeead3d04fa050a94ed314cc5de97125a957dc9f ]
The Single Root IOV implementation of .post_vsi_rebuild performs some tasks
that will ultimately need to be shared with the Scalable IOV implementation
such as rebuilding the host configuration.
Refactor by introducing a new wrapper function, ice_vf_post_vsi_rebuild
which performs the tasks that will be shared between SR-IOV and Scalable
IOV. Move the ice_vf_rebuild_host_cfg and ice_vf_set_initialized calls into
this wrapper. Then call the implementation specific post_vsi_rebuild
handler afterwards.
This ensures that we will properly re-initialize filters and expected
settings for both SR-IOV and Scalable IOV.
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Tested-by: Marek Szlosek <marek.szlosek@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Stable-dep-of: 54ef02487914 ("ice: fix NULL pointer dereference in ice_reset_all_vfs()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_sriov.c | 2 --
drivers/net/ethernet/intel/ice/ice_vf_lib.c | 19 +++++++++++++++++--
2 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_sriov.c b/drivers/net/ethernet/intel/ice/ice_sriov.c
index b719e9a771e36..148712037bcbb 100644
--- a/drivers/net/ethernet/intel/ice/ice_sriov.c
+++ b/drivers/net/ethernet/intel/ice/ice_sriov.c
@@ -841,8 +841,6 @@ static int ice_sriov_vsi_rebuild(struct ice_vf *vf)
*/
static void ice_sriov_post_vsi_rebuild(struct ice_vf *vf)
{
- ice_vf_rebuild_host_cfg(vf);
- ice_vf_set_initialized(vf);
ice_ena_vf_mappings(vf);
wr32(&vf->pf->hw, VFGEN_RSTAT(vf->vf_id), VIRTCHNL_VFR_VFACTIVE);
}
diff --git a/drivers/net/ethernet/intel/ice/ice_vf_lib.c b/drivers/net/ethernet/intel/ice/ice_vf_lib.c
index 9dbe6e9bb1f79..d146259c7b82f 100644
--- a/drivers/net/ethernet/intel/ice/ice_vf_lib.c
+++ b/drivers/net/ethernet/intel/ice/ice_vf_lib.c
@@ -270,6 +270,21 @@ static int ice_vf_rebuild_vsi(struct ice_vf *vf)
return 0;
}
+/**
+ * ice_vf_post_vsi_rebuild - Reset tasks that occur after VSI rebuild
+ * @vf: the VF being reset
+ *
+ * Perform reset tasks which must occur after the VSI has been re-created or
+ * rebuilt during a VF reset.
+ */
+static void ice_vf_post_vsi_rebuild(struct ice_vf *vf)
+{
+ ice_vf_rebuild_host_cfg(vf);
+ ice_vf_set_initialized(vf);
+
+ vf->vf_ops->post_vsi_rebuild(vf);
+}
+
/**
* ice_is_any_vf_in_unicast_promisc - check if any VF(s)
* are in unicast promiscuous mode
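Review bot: the kernel-doc for ice_vf_post_vsi_rebuild() describes only "reset tasks which must occur after the VSI has been re-created or rebuilt" and does not mention that the function ends by calling vf->vf_ops->post_vsi_rebuild(vf). Since ice_sriov_post_vsi_rebuild() now relies on ice_vf_rebuild_host_cfg() and ice_vf_set_initialized() having already run, the comment should state that ordering.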
@@ -495,7 +510,7 @@ void ice_reset_all_vfs(struct ice_pf *pf)
ice_vf_pre_vsi_rebuild(vf);
ice_vf_rebuild_vsi(vf);
- vf->vf_ops->post_vsi_rebuild(vf);
+ ice_vf_post_vsi_rebuild(vf);
mutex_unlock(&vf->cfg_lock);
}
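Review bot: in ice_reset_all_vfs() the context line "ice_vf_rebuild_vsi(vf);" still discards that function's int return value, so ice_vf_post_vsi_rebuild() runs even when the rebuild failed. The refactor does not change this, but the wrapper now sits directly behind the unchecked call; the return value should be tested before calling it, as the dependent fix later in this series does.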
@@ -647,7 +662,7 @@ int ice_reset_vf(struct ice_vf *vf, u32 flags)
goto out_unlock;
}
- vf->vf_ops->post_vsi_rebuild(vf);
+ ice_vf_post_vsi_rebuild(vf);
vsi = ice_get_vf_vsi(vf);
if (WARN_ON(!vsi)) {
err = -EINVAL;
--
2.53.0
* [PATCH 6.1 788/969] ice: fix NULL pointer dereference in ice_reset_all_vfs()
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Oros, Rafal Romanowski,
Jacob Keller, Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Oros <poros@redhat.com>
[ Upstream commit 54ef02487914c24170c7e1c061e45212dc55365e ]
ice_reset_all_vfs() ignores the return value of ice_vf_rebuild_vsi().
When the VSI rebuild fails (e.g. during NVM firmware update via
nvmupdate64e), ice_vsi_rebuild() tears down the VSI on its error path,
leaving txq_map and rxq_map as NULL. The subsequent unconditional call
to ice_vf_post_vsi_rebuild() leads to a NULL pointer dereference in
ice_ena_vf_q_mappings() when it accesses vsi->txq_map[0].
The single-VF reset path in ice_reset_vf() already handles this
correctly by checking the return value of ice_vf_reconfig_vsi() and
skipping ice_vf_post_vsi_rebuild() on failure.
Apply the same pattern to ice_reset_all_vfs(): check the return value
of ice_vf_rebuild_vsi() and skip ice_vf_post_vsi_rebuild() and
ice_eswitch_attach_vf() on failure. The VF is left safely disabled
(ICE_VF_STATE_INIT not set, VFGEN_RSTAT not set to VFACTIVE) and can
be recovered via a VFLR triggered by a PCI reset of the VF
(sysfs reset or driver rebind).
Note that this patch does not prevent the VF VSI rebuild from failing
during NVM update — the underlying cause is firmware being in a
transitional state while the EMP reset is processed, which can cause
Admin Queue commands (ice_add_vsi, ice_cfg_vsi_lan) to fail. This
patch only prevents the subsequent NULL pointer dereference that
crashes the kernel when the rebuild does fail.
crash> bt
PID: 50795 TASK: ff34c9ee708dc680 CPU: 1 COMMAND: "kworker/u512:5"
#0 [ff72159bcfe5bb50] machine_kexec at ffffffffaa8850ee
#1 [ff72159bcfe5bba8] __crash_kexec at ffffffffaaa15fba
#2 [ff72159bcfe5bc68] crash_kexec at ffffffffaaa16540
#3 [ff72159bcfe5bc70] oops_end at ffffffffaa837eda
#4 [ff72159bcfe5bc90] page_fault_oops at ffffffffaa893997
#5 [ff72159bcfe5bce8] exc_page_fault at ffffffffab528595
#6 [ff72159bcfe5bd10] asm_exc_page_fault at ffffffffab600bb2
[exception RIP: ice_ena_vf_q_mappings+0x79]
RIP: ffffffffc0a85b29 RSP: ff72159bcfe5bdc8 RFLAGS: 00010206
RAX: 00000000000f0000 RBX: ff34c9efc9c00000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000010 RDI: ff34c9efc9c00000
RBP: ff34c9efc27d4828 R8: 0000000000000093 R9: 0000000000000040
R10: ff34c9efc27d4828 R11: 0000000000000040 R12: 0000000000100000
R13: 0000000000000010 R14: R15:
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
#7 [ff72159bcfe5bdf8] ice_sriov_post_vsi_rebuild at ffffffffc0a85e2e [ice]
#8 [ff72159bcfe5be08] ice_reset_all_vfs at ffffffffc0a920b4 [ice]
#9 [ff72159bcfe5be48] ice_service_task at ffffffffc0a31519 [ice]
#10 [ff72159bcfe5be88] process_one_work at ffffffffaa93dca4
#11 [ff72159bcfe5bec8] worker_thread at ffffffffaa93e9de
#12 [ff72159bcfe5bf18] kthread at ffffffffaa946663
#13 [ff72159bcfe5bf50] ret_from_fork at ffffffffaa8086b9
The panic occurs attempting to dereference the NULL pointer in RDX at
ice_sriov.c:294, which loads vsi->txq_map (offset 0x4b8 in ice_vsi).
The faulting VSI is an allocated slab object but not fully initialized
after a failed ice_vsi_rebuild():
crash> struct ice_vsi 0xff34c9efc27d4828
netdev = 0x0,
rx_rings = 0x0,
tx_rings = 0x0,
q_vectors = 0x0,
txq_map = 0x0,
rxq_map = 0x0,
alloc_txq = 0x10,
num_txq = 0x10,
alloc_rxq = 0x10,
num_rxq = 0x10,
The nvmupdate64e process was performing NVM firmware update:
crash> bt 0xff34c9edd1a30000
PID: 49858 TASK: ff34c9edd1a30000 CPU: 1 COMMAND: "nvmupdate64e"
#0 [ff72159bcd617618] __schedule at ffffffffab5333f8
#4 [ff72159bcd617750] ice_sq_send_cmd at ffffffffc0a35347 [ice]
#5 [ff72159bcd6177a8] ice_sq_send_cmd_retry at ffffffffc0a35b47 [ice]
#6 [ff72159bcd617810] ice_aq_send_cmd at ffffffffc0a38018 [ice]
#7 [ff72159bcd617848] ice_aq_read_nvm at ffffffffc0a40254 [ice]
#8 [ff72159bcd6178b8] ice_read_flat_nvm at ffffffffc0a4034c [ice]
#9 [ff72159bcd617918] ice_devlink_nvm_snapshot at ffffffffc0a6ffa5 [ice]
dmesg:
ice 0000:13:00.0: firmware recommends not updating fw.mgmt, as it
may result in a downgrade. continuing anyways
ice 0000:13:00.1: ice_init_nvm failed -5
ice 0000:13:00.1: Rebuild failed, unload and reload driver
Fixes: 12bb018c538c ("ice: Refactor VF reset")
Signed-off-by: Petr Oros <poros@redhat.com>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260427-jk-iwl-net-petr-oros-fixes-v1-5-cdcb48303fd8@intel.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_vf_lib.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_vf_lib.c b/drivers/net/ethernet/intel/ice/ice_vf_lib.c
index d146259c7b82f..7be59008ea1a5 100644
--- a/drivers/net/ethernet/intel/ice/ice_vf_lib.c
+++ b/drivers/net/ethernet/intel/ice/ice_vf_lib.c
@@ -509,7 +509,12 @@ void ice_reset_all_vfs(struct ice_pf *pf)
ice_vf_ctrl_invalidate_vsi(vf);
ice_vf_pre_vsi_rebuild(vf);
- ice_vf_rebuild_vsi(vf);
+ if (ice_vf_rebuild_vsi(vf)) {
+ dev_err(dev, "VF %u VSI rebuild failed, leaving VF disabled\n",
+ vf->vf_id);
+ mutex_unlock(&vf->cfg_lock);
+ continue;
+ }
ice_vf_post_vsi_rebuild(vf);
mutex_unlock(&vf->cfg_lock);
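Review bot: "if (ice_vf_rebuild_vsi(vf))" tests the return value but discards it, so the dev_err() line cannot say why the rebuild failed. Capturing it in a local and printing it, for example "VF %u VSI rebuild failed: %d, leaving VF disabled", would make the log actionable. The hunk also relies on a dev variable already being in scope in the 6.1 version of ice_reset_all_vfs(), which is worth confirming for the backport.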
--
2.53.0
* [PATCH 6.1 789/969] net: tls: fix strparser anchor skb leak on offload RX setup failure
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakub Kicinski, Vadim Fedorenko,
Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Kicinski <kuba@kernel.org>
[ Upstream commit 58689498ca3384851145a754dbb1d8ed1cf9fb54 ]
When tls_set_device_offload_rx() fails at tls_dev_add(), the error path
calls tls_sw_free_resources_rx() to clean up the SW context that was
initialized by tls_set_sw_offload(). This function calls
tls_sw_release_resources_rx() (which stops the strparser via
tls_strp_stop()) and tls_sw_free_ctx_rx() (which kfrees the context),
but never frees the anchor skb that was allocated by alloc_skb(0) in
tls_strp_init().
Note that tls_sw_free_resources_rx() is exclusively used for this
"failed to start offload" code path, there's no other caller.
The leak did not exist before commit 84c61fe1a75b ("tls: rx: do not use
the standard strparser"), because the standard strparser doesn't try
to pre-allocate an skb.
The normal close path in tls_sk_proto_close() handles cleanup by calling
tls_sw_strparser_done() (which calls tls_strp_done()) after dropping
the socket lock, because tls_strp_done() does cancel_work_sync() and
the strparser work handler takes the socket lock.
Fixes: 84c61fe1a75b ("tls: rx: do not use the standard strparser")
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Link: https://patch.msgid.link/20260428231559.1358502-1-kuba@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/tls/tls.h | 1 +
net/tls/tls_strp.c | 6 ++++++
net/tls/tls_sw.c | 4 ++++
3 files changed, 11 insertions(+)
diff --git a/net/tls/tls.h b/net/tls/tls.h
index f25699517bdf8..8304afbe09e96 100644
--- a/net/tls/tls.h
+++ b/net/tls/tls.h
@@ -136,6 +136,7 @@ int tls_strp_dev_init(void);
void tls_strp_dev_exit(void);
void tls_strp_done(struct tls_strparser *strp);
+void __tls_strp_done(struct tls_strparser *strp);
void tls_strp_stop(struct tls_strparser *strp);
int tls_strp_init(struct tls_strparser *strp, struct sock *sk);
void tls_strp_data_ready(struct tls_strparser *strp);
diff --git a/net/tls/tls_strp.c b/net/tls/tls_strp.c
index 532230bed13b0..850146ed2d586 100644
--- a/net/tls/tls_strp.c
+++ b/net/tls/tls_strp.c
@@ -619,6 +619,12 @@ void tls_strp_done(struct tls_strparser *strp)
WARN_ON(!strp->stopped);
cancel_work_sync(&strp->work);
+ __tls_strp_done(strp);
+}
+
+/* For setup error paths where the strparser was initialized but never armed. */
+void __tls_strp_done(struct tls_strparser *strp)
+{
tls_strp_anchor_free(strp);
}
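Review bot: __tls_strp_done() frees the anchor without the WARN_ON(!strp->stopped) and cancel_work_sync() that tls_strp_done() performs, and the only thing limiting it to safe callers is the one-line comment. Moving the WARN_ON(!strp->stopped) into the helper would keep that check for both entry points, and the comment should say explicitly that callers must guarantee no strparser work can be queued.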
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index a574d7ddd1499..ef7dda0915d33 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -2584,8 +2584,12 @@ void tls_sw_free_ctx_rx(struct tls_context *tls_ctx)
void tls_sw_free_resources_rx(struct sock *sk)
{
struct tls_context *tls_ctx = tls_get_ctx(sk);
+ struct tls_sw_context_rx *ctx;
+
+ ctx = tls_sw_ctx_rx(tls_ctx);
tls_sw_release_resources_rx(sk);
+ __tls_strp_done(&ctx->strp);
tls_sw_free_ctx_rx(tls_ctx);
}
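Review bot: __tls_strp_done(&ctx->strp) has to stay between tls_sw_release_resources_rx() and tls_sw_free_ctx_rx(), because ctx is derived from tls_ctx and the commit message states that tls_sw_free_ctx_rx() kfrees the context, yet the hunk carries no comment about the ordering. A short comment would guard against a later reorder turning this into a use-after-free, and the declaration and assignment of ctx could be one line: struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx);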
--
2.53.0
* [PATCH 6.1 790/969] net/sched: cls_flower: revert unintended changes
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jeremy Kerr, Paolo Abeni,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
[ Upstream commit 1e01abec856593e02cd69fd95b784c10dd46880c ]
While applying the blamed commit 4ca07b9239bd ("net: mctp i2c: check
length before marking flow active"), I unintentionally included
unrelated and unacceptable changes.
Revert them.
Fixes: 4ca07b9239bd ("net: mctp i2c: check length before marking flow active")
Reported-by: Jeremy Kerr <jk@codeconstruct.com.au>
Closes: https://lore.kernel.org/netdev/bd8704fe0bd53e278add5cde4873256656623e2e.camel@codeconstruct.com.au/
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Link: https://patch.msgid.link/043026a53ff84da88b17648c4b0d17f0331749cb.1777447863.git.pabeni@redhat.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/cls_flower.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c
index fd8c2f0f3256e..a40a9e84c75f4 100644
--- a/net/sched/cls_flower.c
+++ b/net/sched/cls_flower.c
@@ -537,7 +537,6 @@ static int __fl_delete(struct tcf_proto *tp, struct cls_fl_filter *f,
struct netlink_ext_ack *extack)
{
struct cls_fl_head *head = fl_head_dereference(tp);
- struct fl_flow_mask *mask;
*last = false;
@@ -554,12 +553,11 @@ static int __fl_delete(struct tcf_proto *tp, struct cls_fl_filter *f,
list_del_rcu(&f->list);
spin_unlock(&tp->lock);
- mask = f->mask;
+ *last = fl_mask_put(head, f->mask);
if (!tc_skip_hw(f->flags))
fl_hw_destroy_filter(tp, f, rtnl_held, extack);
tcf_unbind_filter(tp, &f->res);
__fl_put(f);
- *last = fl_mask_put(head, mask);
return 0;
}
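Review bot: after this revert fl_mask_put(head, f->mask) runs before fl_hw_destroy_filter(tp, f, ...) and __fl_put(f), both of which still take f, and the commit message says only that the removed lines were unintended. It should state that this restores the ordering from before commit 4ca07b9239bd, so a reader can tell the change is a pure revert and not a new ordering decision.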
--
2.53.0
* [PATCH 6.1 791/969] smb: client: correctly handle ErrorContextData as a flexible array
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Liang Jie, Tom Talpey, Steve French,
Alva Lan, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Liang Jie <liangjie@lixiang.com>
[ Upstream commit 215b7f9ecb8d7c14d56febdcdd246f3579c32aba ]
The `smb2_symlink_err_rsp` structure was previously defined with
`ErrorContextData` as a single `__u8` byte. However, the `ErrorContextData`
field is intended to be a variable-length array based on `ErrorDataLength`.
This mismatch leads to incorrect pointer arithmetic and potential memory
access issues when processing error contexts.
Updates the `ErrorContextData` field to be a flexible array
(`__u8 ErrorContextData[]`). Additionally, it modifies the corresponding
casts in the `symlink_data()` function to properly handle the flexible
array, ensuring correct memory calculations and data handling.
These changes improve the robustness of SMB2 symlink error processing.
Signed-off-by: Liang Jie <liangjie@lixiang.com>
Suggested-by: Tom Talpey <tom@talpey.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
[ Remove the __counted_by_le annotation in v6.1. ]
Signed-off-by: Alva Lan <alvalan9@foxmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/client/smb2file.c | 4 ++--
fs/smb/client/smb2pdu.h | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/fs/smb/client/smb2file.c b/fs/smb/client/smb2file.c
index fe016144f3405..def2602ea0fb9 100644
--- a/fs/smb/client/smb2file.c
+++ b/fs/smb/client/smb2file.c
@@ -41,14 +41,14 @@ static struct smb2_symlink_err_rsp *symlink_data(const struct kvec *iov)
end = (struct smb2_error_context_rsp *)((u8 *)err + iov->iov_len);
do {
if (le32_to_cpu(p->ErrorId) == SMB2_ERROR_ID_DEFAULT) {
- sym = (struct smb2_symlink_err_rsp *)&p->ErrorContextData;
+ sym = (struct smb2_symlink_err_rsp *)p->ErrorContextData;
break;
}
cifs_dbg(FYI, "%s: skipping unhandled error context: 0x%x\n",
__func__, le32_to_cpu(p->ErrorId));
len = ALIGN(le32_to_cpu(p->ErrorDataLength), 8);
- p = (struct smb2_error_context_rsp *)((u8 *)&p->ErrorContextData + len);
+ p = (struct smb2_error_context_rsp *)(p->ErrorContextData + len);
} while (p < end);
} else if (le32_to_cpu(err->ByteCount) >= sizeof(*sym) &&
iov->iov_len >= SMB2_SYMLINK_STRUCT_SIZE) {
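Review bot: the casts are fixed, but the walk still ends on "} while (p < end);", which lets the next iteration read p->ErrorId and p->ErrorDataLength when fewer than the 8 header bytes remain before end. The loop condition should require the whole context header to fit, for example (u8 *)p + sizeof(*p) <= end, which is what the following patch in this series introduces.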
diff --git a/fs/smb/client/smb2pdu.h b/fs/smb/client/smb2pdu.h
index 2823526b66f7e..d12ca9c7e62bc 100644
--- a/fs/smb/client/smb2pdu.h
+++ b/fs/smb/client/smb2pdu.h
@@ -79,7 +79,7 @@ struct smb2_symlink_err_rsp {
struct smb2_error_context_rsp {
__le32 ErrorDataLength;
__le32 ErrorId;
- __u8 ErrorContextData; /* ErrorDataLength long array */
+ __u8 ErrorContextData[];
} __packed;
/* ErrorId values */
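Review bot: turning ErrorContextData into a flexible array shrinks sizeof(struct smb2_error_context_rsp) by one byte for this __packed struct, so any sizeof() user of the struct changes meaning and should be audited; offsetof(..., ErrorContextData) is unaffected. The removed trailing comment was the only statement that the array is ErrorDataLength bytes long, and with the __counted_by_le annotation dropped for 6.1 it would be worth keeping that comment on the new line.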
--
2.53.0
* [PATCH 6.1 792/969] smb: client: fix OOB reads parsing symlink error response
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ronnie Sahlberg, Shyam Prasad N,
Tom Talpey, Bharath SM, linux-cifs, samba-technical, stable,
Paulo Alcantara (Red Hat), Steve French, Alva Lan, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 3df690bba28edec865cf7190be10708ad0ddd67e ]
When a CREATE returns STATUS_STOPPED_ON_SYMLINK, smb2_check_message()
returns success without any length validation, leaving the symlink
parsers as the only defense against an untrusted server.
symlink_data() walks SMB 3.1.1 error contexts with the loop test "p <
end", but reads p->ErrorId at offset 4 and p->ErrorDataLength at offset
0. When the server-controlled ErrorDataLength advances p to within 1-7
bytes of end, the next iteration will read past it. When the matching
context is found, sym->SymLinkErrorTag is read at offset 4 from
p->ErrorContextData with no check that the symlink header itself fits.
smb2_parse_symlink_response() then bounds-checks the substitute name
using SMB2_SYMLINK_STRUCT_SIZE as the offset of PathBuffer from
iov_base. That value is computed as sizeof(smb2_err_rsp) +
sizeof(smb2_symlink_err_rsp), which is correct only when
ErrorContextCount == 0.
With at least one error context the symlink data sits 8 bytes deeper,
and each skipped non-matching context shifts it further by 8 +
ALIGN(ErrorDataLength, 8). The check is too short, allowing the
substitute name read to run past iov_len. The out-of-bound heap bytes
are UTF-16-decoded into the symlink target and returned to userspace via
readlink(2).
Fix this all up by making the loop test require the full context header
to fit, rejecting sym if its header runs past end, and bounding the
substitute name against the actual position of sym->PathBuffer rather
than a fixed offset.
Because sub_offs and sub_len are 16bits, the pointer math will not
overflow here with the new greater-than.
Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com>
Cc: Shyam Prasad N <sprasad@microsoft.com>
Cc: Tom Talpey <tom@talpey.com>
Cc: Bharath SM <bharathsm@microsoft.com>
Cc: linux-cifs@vger.kernel.org
Cc: samba-technical@lists.samba.org
Cc: stable <stable@kernel.org>
Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Alva Lan <alvalan9@foxmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/client/smb2file.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/fs/smb/client/smb2file.c b/fs/smb/client/smb2file.c
index def2602ea0fb9..43e38909e20bb 100644
--- a/fs/smb/client/smb2file.c
+++ b/fs/smb/client/smb2file.c
@@ -26,10 +26,11 @@ static struct smb2_symlink_err_rsp *symlink_data(const struct kvec *iov)
{
struct smb2_err_rsp *err = iov->iov_base;
struct smb2_symlink_err_rsp *sym = ERR_PTR(-EINVAL);
+ u8 *end = (u8 *)err + iov->iov_len;
u32 len;
if (err->ErrorContextCount) {
- struct smb2_error_context_rsp *p, *end;
+ struct smb2_error_context_rsp *p;
len = (u32)err->ErrorContextCount * (offsetof(struct smb2_error_context_rsp,
ErrorContextData) +
@@ -38,8 +39,7 @@ static struct smb2_symlink_err_rsp *symlink_data(const struct kvec *iov)
return ERR_PTR(-EINVAL);
p = (struct smb2_error_context_rsp *)err->ErrorData;
- end = (struct smb2_error_context_rsp *)((u8 *)err + iov->iov_len);
- do {
+ while ((u8 *)p + sizeof(*p) <= end) {
if (le32_to_cpu(p->ErrorId) == SMB2_ERROR_ID_DEFAULT) {
sym = (struct smb2_symlink_err_rsp *)p->ErrorContextData;
break;
@@ -49,14 +49,16 @@ static struct smb2_symlink_err_rsp *symlink_data(const struct kvec *iov)
len = ALIGN(le32_to_cpu(p->ErrorDataLength), 8);
p = (struct smb2_error_context_rsp *)(p->ErrorContextData + len);
- } while (p < end);
+ }
} else if (le32_to_cpu(err->ByteCount) >= sizeof(*sym) &&
iov->iov_len >= SMB2_SYMLINK_STRUCT_SIZE) {
sym = (struct smb2_symlink_err_rsp *)err->ErrorData;
}
- if (!IS_ERR(sym) && (le32_to_cpu(sym->SymLinkErrorTag) != SYMLINK_ERROR_TAG ||
- le32_to_cpu(sym->ReparseTag) != IO_REPARSE_TAG_SYMLINK))
+ if (!IS_ERR(sym) &&
+ ((u8 *)sym + sizeof(*sym) > end ||
+ le32_to_cpu(sym->SymLinkErrorTag) != SYMLINK_ERROR_TAG ||
+ le32_to_cpu(sym->ReparseTag) != IO_REPARSE_TAG_SYMLINK))
sym = ERR_PTR(-EINVAL);
return sym;
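Review bot: the advance `p = (struct smb2_error_context_rsp *)(p->ErrorContextData + len)` at the top of this hunk still adds a server-supplied `ErrorDataLength` (aligned up to 8) to the pointer without first comparing it to the bytes left before `end`. The new `while` condition only tests the resulting pointer, so on 32-bit a large length can wrap the sum to an address below `end`. Checking `len` against `end - p->ErrorContextData` before advancing, and returning -EINVAL otherwise, would make the walk independent of pointer wraparound.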
@@ -81,8 +83,10 @@ int smb2_parse_symlink_response(struct cifs_sb_info *cifs_sb, const struct kvec
print_len = le16_to_cpu(sym->PrintNameLength);
print_offs = le16_to_cpu(sym->PrintNameOffset);
- if (iov->iov_len < SMB2_SYMLINK_STRUCT_SIZE + sub_offs + sub_len ||
- iov->iov_len < SMB2_SYMLINK_STRUCT_SIZE + print_offs + print_len)
+ if ((char *)sym->PathBuffer + sub_offs + sub_len >
+ (char *)iov->iov_base + iov->iov_len ||
+ (char *)sym->PathBuffer + print_offs + print_len >
+ (char *)iov->iov_base + iov->iov_len)
return -EINVAL;
s = cifs_strndup_from_utf16((char *)sym->PathBuffer + sub_offs, sub_len, true,
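Review bot: the two new comparisons repeat `(char *)iov->iov_base + iov->iov_len`; a local `end` pointer, as symlink_data() now has, would shorten the condition and make both limits visibly identical. A one-line comment that the offsets and lengths come from 16-bit fields, so the sums cannot wrap, would keep the changelog's reasoning next to the check.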
--
2.53.0
* [PATCH 6.1 793/969] net/sched: sch_pie: annotate more data-races in pie_dump_stats()
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 6d4106e8df94c0c52cf3ca6a6a0d01567fb3844e ]
My prior patch missed a few READ_ONCE()/WRITE_ONCE() annotations.
Fixes: 5154561d9b11 ("net/sched: sch_pie: annotate data-races in pie_dump_stats()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260430080056.35104-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_pie.c | 14 ++++++--------
1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/net/sched/sch_pie.c b/net/sched/sch_pie.c
index afa94f058f5f5..4ab296678b0b1 100644
--- a/net/sched/sch_pie.c
+++ b/net/sched/sch_pie.c
@@ -212,16 +212,14 @@ void pie_process_dequeue(struct sk_buff *skb, struct pie_params *params,
* packet timestamp.
*/
if (!params->dq_rate_estimator) {
- vars->qdelay = now - pie_get_enqueue_time(skb);
+ WRITE_ONCE(vars->qdelay,
+ backlog ? now - pie_get_enqueue_time(skb) : 0);
if (vars->dq_tstamp != DTIME_INVALID)
dtime = now - vars->dq_tstamp;
vars->dq_tstamp = now;
- if (backlog == 0)
- vars->qdelay = 0;
-
if (dtime == 0)
return;
@@ -369,7 +367,7 @@ void pie_calculate_probability(struct pie_params *params, struct pie_vars *vars,
if (qdelay > (PSCHED_NS2TICKS(250 * NSEC_PER_MSEC)))
delta += MAX_PROB / (100 / 2);
- vars->prob += delta;
+ WRITE_ONCE(vars->prob, vars->prob + delta);
if (delta > 0) {
/* prevent overflow */
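Review bot: `WRITE_ONCE(vars->prob, vars->prob + delta)` publishes the sum before the `/* prevent overflow */` handling that follows, so a lockless reader such as pie_dump_stats() can observe the value before it has been corrected. Computing the new probability in a local, applying the overflow handling to it, and issuing a single WRITE_ONCE() at the end would avoid exposing the intermediate value.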
@@ -394,7 +392,7 @@ void pie_calculate_probability(struct pie_params *params, struct pie_vars *vars,
if (qdelay == 0 && qdelay_old == 0 && update_prob)
/* Reduce drop probability to 98.4% */
- vars->prob -= vars->prob / 64;
+ WRITE_ONCE(vars->prob, vars->prob - vars->prob / 64);
WRITE_ONCE(vars->qdelay, qdelay);
vars->backlog_old = backlog;
@@ -493,7 +491,7 @@ static int pie_dump_stats(struct Qdisc *sch, struct gnet_dump *d)
{
struct pie_sched_data *q = qdisc_priv(sch);
struct tc_pie_xstats st = {
- .prob = q->vars.prob << BITS_PER_BYTE,
+ .prob = READ_ONCE(q->vars.prob) << BITS_PER_BYTE,
.delay = ((u32)PSCHED_TICKS2NS(READ_ONCE(q->vars.qdelay))) /
NSEC_PER_USEC,
.packets_in = READ_ONCE(q->stats.packets_in),
@@ -504,7 +502,7 @@ static int pie_dump_stats(struct Qdisc *sch, struct gnet_dump *d)
};
/* avg_dq_rate is only valid if dq_rate_estimator is enabled */
- st.dq_rate_estimating = q->params.dq_rate_estimator;
+ st.dq_rate_estimating = READ_ONCE(q->params.dq_rate_estimator);
/* unscale and return dq_rate in bytes per sec */
if (st.dq_rate_estimating)
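Review bot: `READ_ONCE(q->params.dq_rate_estimator)` is only the reader half of the annotation, and no hunk in this patch touches the store to `params.dq_rate_estimator`. Confirm that the writer already uses WRITE_ONCE(); if not, it belongs in this patch.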
--
2.53.0
* [PATCH 6.1 794/969] net: bcmgenet: Initialize u64 stats seq counter
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Fainelli, Ryo Takakura,
Simon Horman, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ryo Takakura <ryotkkr98@gmail.com>
[ Upstream commit ffc2c8c4a714df53a715827d6334ab9474424f6a ]
Initialize u64 stats as it uses seq counter on 32bit machines
as suggested by lockdep below.
[ 1.830953][ T1] INFO: trying to register non-static key.
[ 1.830993][ T1] The code is fine but needs lockdep annotation, or maybe
[ 1.831027][ T1] you didn't initialize this object before use?
[ 1.831057][ T1] turning off the locking correctness validator.
[ 1.831090][ T1] CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Tainted: G W 6.16.0-rc2-v7l+ #1 PREEMPT
[ 1.831097][ T1] Tainted: [W]=WARN
[ 1.831099][ T1] Hardware name: BCM2711
[ 1.831101][ T1] Call trace:
[ 1.831104][ T1] unwind_backtrace from show_stack+0x18/0x1c
[ 1.831120][ T1] show_stack from dump_stack_lvl+0x8c/0xcc
[ 1.831129][ T1] dump_stack_lvl from register_lock_class+0x9e8/0x9fc
[ 1.831141][ T1] register_lock_class from __lock_acquire+0x420/0x22c0
[ 1.831154][ T1] __lock_acquire from lock_acquire+0x130/0x3f8
[ 1.831166][ T1] lock_acquire from bcmgenet_get_stats64+0x4a4/0x4c8
[ 1.831176][ T1] bcmgenet_get_stats64 from dev_get_stats+0x4c/0x408
[ 1.831184][ T1] dev_get_stats from rtnl_fill_stats+0x38/0x120
[ 1.831193][ T1] rtnl_fill_stats from rtnl_fill_ifinfo+0x7f8/0x1890
[ 1.831203][ T1] rtnl_fill_ifinfo from rtmsg_ifinfo_build_skb+0xd0/0x138
[ 1.831214][ T1] rtmsg_ifinfo_build_skb from rtmsg_ifinfo+0x48/0x8c
[ 1.831225][ T1] rtmsg_ifinfo from register_netdevice+0x8c0/0x95c
[ 1.831237][ T1] register_netdevice from register_netdev+0x28/0x40
[ 1.831247][ T1] register_netdev from bcmgenet_probe+0x690/0x6bc
[ 1.831255][ T1] bcmgenet_probe from platform_probe+0x64/0xbc
[ 1.831263][ T1] platform_probe from really_probe+0xd0/0x2d4
[ 1.831269][ T1] really_probe from __driver_probe_device+0x90/0x1a4
[ 1.831273][ T1] __driver_probe_device from driver_probe_device+0x38/0x11c
[ 1.831278][ T1] driver_probe_device from __driver_attach+0x9c/0x18c
[ 1.831282][ T1] __driver_attach from bus_for_each_dev+0x84/0xd4
[ 1.831291][ T1] bus_for_each_dev from bus_add_driver+0xd4/0x1f4
[ 1.831303][ T1] bus_add_driver from driver_register+0x88/0x120
[ 1.831312][ T1] driver_register from do_one_initcall+0x78/0x360
[ 1.831320][ T1] do_one_initcall from kernel_init_freeable+0x2bc/0x314
[ 1.831331][ T1] kernel_init_freeable from kernel_init+0x1c/0x144
[ 1.831339][ T1] kernel_init from ret_from_fork+0x14/0x20
[ 1.831344][ T1] Exception stack(0xf082dfb0 to 0xf082dff8)
[ 1.831349][ T1] dfa0: 00000000 00000000 00000000 00000000
[ 1.831353][ T1] dfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 1.831356][ T1] dfe0: 00000000 00000000 00000000 00000000 00000013 00000000
Fixes: 59aa6e3072aa ("net: bcmgenet: switch to use 64bit statistics")
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Signed-off-by: Ryo Takakura <ryotkkr98@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250702092417.46486-1-ryotkkr98@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/broadcom/genet/bcmgenet.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
index 43fba7b47d1cd..64bc7b3afb514 100644
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -4079,6 +4079,12 @@ static int bcmgenet_probe(struct platform_device *pdev)
for (i = 0; i <= priv->hw_params->rx_queues; i++)
priv->rx_rings[i].rx_max_coalesced_frames = 1;
+ /* Initialize u64 stats seq counter for 32bit machines */
+ for (i = 0; i <= priv->hw_params->rx_queues; i++)
+ u64_stats_init(&priv->rx_rings[i].stats64.syncp);
+ for (i = 0; i <= priv->hw_params->tx_queues; i++)
+ u64_stats_init(&priv->tx_rings[i].stats64.syncp);
+
/* libphy will determine the link state */
netif_carrier_off(dev);
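Review bot: the TX loop runs to `i <= priv->hw_params->tx_queues`, but the only precedent visible in this hunk is the RX loop above it. Confirm that `tx_rings` has `tx_queues + 1` entries, so the last `u64_stats_init()` does not touch memory past the array. The comment says "for 32bit machines", while the report in the changelog is a lockdep splat, so it would be worth stating that the init is also what lockdep needs.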
--
2.53.0
* [PATCH 6.1 795/969] net: bcmgenet: fix leaking free_bds
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Justin Chen, Florian Fainelli,
Nicolai Buchwitz, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Justin Chen <justin.chen@broadcom.com>
[ Upstream commit 3f3168300efb839028328d720ab3962f91d6a0d0 ]
While reclaiming the tx queue we fast forward the write pointer to
drop any data in flight. These dropped frames are not added back
to the pool of free bds. We also need to tell the netdev that we
are dropping said data.
Fixes: f1bacae8b655 ("net: bcmgenet: support reclaiming unsent Tx packets")
Signed-off-by: Justin Chen <justin.chen@broadcom.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Reviewed-by: Nicolai Buchwitz <nb@tipi-net.de>
Tested-by: Nicolai Buchwitz <nb@tipi-net.de>
Link: https://patch.msgid.link/20260406175756.134567-3-justin.chen@broadcom.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/broadcom/genet/bcmgenet.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
index 64bc7b3afb514..cc7bcd0cc7ba8 100644
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -1937,6 +1937,7 @@ static unsigned int bcmgenet_tx_reclaim(struct net_device *dev,
drop = (ring->prod_index - ring->c_index) & DMA_C_INDEX_MASK;
released += drop;
ring->prod_index = ring->c_index & DMA_C_INDEX_MASK;
+ ring->free_bds += drop;
while (drop--) {
cb_ptr = bcmgenet_put_txcb(priv, ring);
skb = cb_ptr->skb;
@@ -1948,6 +1949,7 @@ static unsigned int bcmgenet_tx_reclaim(struct net_device *dev,
}
if (skb)
dev_consume_skb_any(skb);
+ netdev_tx_reset_queue(netdev_get_tx_queue(dev, ring->index));
bcmgenet_tdma_ring_writel(priv, ring->index,
ring->prod_index, TDMA_PROD_INDEX);
wr_ptr = ring->write_ptr * WORDS_PER_BD(priv);
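Review bot: `netdev_tx_reset_queue()` resets the accounting for the whole TX queue, not just the `drop` descriptors discarded above, and the hunk does not show the condition that guards it. Confirm the call sits inside the branch that fast-forwards `prod_index`, so an ordinary reclaim pass never resets a queue that still has frames in flight.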
--
2.53.0
* [PATCH 6.1 796/969] btrfs: tracepoints: fix sleep while in atomic context in btrfs_sync_file()
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Boris Burkov, Filipe Manana,
David Sterba, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
[ Upstream commit c73370c677646e86fc4b1780fb07027bdf847375 ]
The trace event btrfs_sync_file() is called in an atomic context (all trace
events are) and its call to dput(), which is needed due to the call to
dget_parent(), can sleep, triggering a kernel splat.
This can be reproduced by enabling the trace event and running btrfs/056
from fstests for example. The splat shown in dmesg is the following:
[53.919] BUG: sleeping function called from invalid context at fs/dcache.c:970
[53.947] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 32773, name: xfs_io
[53.988] preempt_count: 2, expected: 0
[53.967] RCU nest depth: 0, expected: 0
[53.943] Preemption disabled at:
[53.944] [<0000000000000000>] 0x0
[54.078] CPU: 0 UID: 0 PID: 32773 Comm: xfs_io Tainted: G W 7.1.0-rc1-btrfs-next-232+ #1 PREEMPT(full)
[54.070] Tainted: [W]=WARN
[54.071] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
[54.072] Call Trace:
[54.074] <TASK>
[54.076] dump_stack_lvl+0x56/0x80
[54.079] __might_resched.cold+0xd6/0x10f
[54.072] dput.part.0+0x24/0x110
[54.078] trace_event_raw_event_btrfs_sync_file+0x75/0x140 [btrfs]
[54.089] btrfs_sync_file+0x1ed/0x530 [btrfs]
[54.087] ? __handle_mm_fault+0x8ae/0xed0
[54.089] btrfs_do_write_iter+0x172/0x210 [btrfs]
[54.091] vfs_write+0x21f/0x450
[54.094] __x64_sys_pwrite64+0x8d/0xc0
[54.096] ? do_user_addr_fault+0x20c/0x670
[54.099] do_syscall_64+0x60/0xf20
[54.092] ? clear_bhb_loop+0x60/0xb0
[54.094] entry_SYSCALL_64_after_hwframe+0x76/0x7e
So stop using dget_parent() and dput() and access the parent dentry
directly as dentry->d_parent. This is also what ext4 is doing in
its equivalent trace event ext4_sync_file_enter().
Fixes: a85b46db143f ("btrfs: tracepoints: get correct superblock from dentry in event btrfs_sync_file()")
Reviewed-by: Boris Burkov <boris@bur.io>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/trace/events/btrfs.h | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/include/trace/events/btrfs.h b/include/trace/events/btrfs.h
index 8054ce54807de..b2b41b98ec6d0 100644
--- a/include/trace/events/btrfs.h
+++ b/include/trace/events/btrfs.h
@@ -762,10 +762,8 @@ TRACE_EVENT(btrfs_sync_file,
TP_fast_assign(
struct dentry *dentry = file_dentry(file);
struct inode *inode = file_inode(file);
- struct dentry *parent = dget_parent(dentry);
- struct inode *parent_inode = d_inode(parent);
+ struct inode *parent_inode = d_inode(dentry->d_parent);
- dput(parent);
TP_fast_assign_fsid(btrfs_sb(inode->i_sb));
__entry->ino = btrfs_ino(BTRFS_I(inode));
__entry->parent = btrfs_ino(BTRFS_I(parent_inode));
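Review bot: `dentry->d_parent` is now read with no reference, lock or RCU annotation visible in TP_fast_assign(), so a concurrent rename can change it between the load and `d_inode()`. If a stale parent inode number in trace output is acceptable, a short comment saying so, with a pointer to ext4_sync_file_enter() as cited in the changelog, would keep a later cleanup from restoring dget_parent()/dput().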
--
2.53.0
* [PATCH 6.1 797/969] ALSA: misc: Use guard() for spin locks
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit b8e1684163ae52db90f428965bd9aaff7205c02e ]
Clean up the code using guard() for spin locks.
Merely code refactoring, and no behavior change.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20250829151335.7342-20-tiwai@suse.de
Stable-dep-of: 5337213381df ("ALSA: core: Serialize deferred fasync state checks")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/core/misc.c | 25 ++++++++++---------------
1 file changed, 10 insertions(+), 15 deletions(-)
diff --git a/sound/core/misc.c b/sound/core/misc.c
index 856edaa1dedbc..918d59a541c82 100644
--- a/sound/core/misc.c
+++ b/sound/core/misc.c
@@ -202,35 +202,30 @@ int snd_fasync_helper(int fd, struct file *file, int on,
INIT_LIST_HEAD(&fasync->list);
}
- spin_lock_irq(&snd_fasync_lock);
- if (*fasyncp) {
- kfree(fasync);
- fasync = *fasyncp;
- } else {
- if (!fasync) {
- spin_unlock_irq(&snd_fasync_lock);
- return 0;
+ scoped_guard(spinlock_irq, &snd_fasync_lock) {
+ if (*fasyncp) {
+ kfree(fasync);
+ fasync = *fasyncp;
+ } else {
+ if (!fasync)
+ return 0;
+ *fasyncp = fasync;
}
- *fasyncp = fasync;
+ fasync->on = on;
}
- fasync->on = on;
- spin_unlock_irq(&snd_fasync_lock);
return fasync_helper(fd, file, on, &fasync->fasync);
}
EXPORT_SYMBOL_GPL(snd_fasync_helper);
void snd_kill_fasync(struct snd_fasync *fasync, int signal, int poll)
{
- unsigned long flags;
-
if (!fasync || !fasync->on)
return;
- spin_lock_irqsave(&snd_fasync_lock, flags);
+ guard(spinlock_irqsave)(&snd_fasync_lock);
fasync->signal = signal;
fasync->poll = poll;
list_move(&fasync->list, &snd_fasync_list);
schedule_work(&snd_fasync_work);
- spin_unlock_irqrestore(&snd_fasync_lock, flags);
}
EXPORT_SYMBOL_GPL(snd_kill_fasync);
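Review bot: the `return 0` inside `scoped_guard(spinlock_irq, ...)` and the bare `guard(spinlock_irqsave)` both rely on scope-exit cleanup to drop the lock, and the hunk adds no include. Confirm that the 6.1.y tree provides guard() and scoped_guard() with the spinlock_irq and spinlock_irqsave classes before this lands, since the patch is carried only as a dependency of the fasync fix that follows.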
--
2.53.0
* [PATCH 6.1 798/969] ALSA: core: Serialize deferred fasync state checks
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
[ Upstream commit 5337213381df578058e2e41da93cbd0e4639935f ]
snd_fasync_helper() updates fasync->on under snd_fasync_lock, and
snd_fasync_work_fn() now also evaluates fasync->on under the same
lock. snd_kill_fasync() still tests the flag before taking the lock,
leaving an unsynchronized read against FASYNC enable/disable updates.
Move the enabled-state check into the locked section.
Also clear fasync->on under snd_fasync_lock in snd_fasync_free()
before unlinking the pending entry. Together with the locked sender-side
check, this publishes teardown before flushing the deferred work and
prevents a racing sender from requeueing the entry after free has
started.
Fixes: ef34a0ae7a26 ("ALSA: core: Add async signal helpers")
Fixes: 8146cd333d23 ("ALSA: core: Fix potential data race at fasync handling")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260506-alsa-core-fasync-on-lock-v1-1-ea48c77d6ca4@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/core/misc.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/sound/core/misc.c b/sound/core/misc.c
index 918d59a541c82..fd891a3ceb963 100644
--- a/sound/core/misc.c
+++ b/sound/core/misc.c
@@ -219,9 +219,11 @@ EXPORT_SYMBOL_GPL(snd_fasync_helper);
void snd_kill_fasync(struct snd_fasync *fasync, int signal, int poll)
{
- if (!fasync || !fasync->on)
+ if (!fasync)
return;
guard(spinlock_irqsave)(&snd_fasync_lock);
+ if (!fasync->on)
+ return;
fasync->signal = signal;
fasync->poll = poll;
list_move(&fasync->list, &snd_fasync_list);
@@ -234,8 +236,10 @@ void snd_fasync_free(struct snd_fasync *fasync)
if (!fasync)
return;
- scoped_guard(spinlock_irq, &snd_fasync_lock)
+ scoped_guard(spinlock_irq, &snd_fasync_lock) {
+ fasync->on = 0;
list_del_init(&fasync->list);
+ }
flush_work(&snd_fasync_work);
kfree(fasync);
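Review bot: the order inside the new braces (clear `fasync->on`, then `list_del_init()`, both before `flush_work()`) is what stops snd_kill_fasync() from requeueing the entry, yet nothing in the code records that. A one-line comment above `fasync->on = 0;` stating that it must be cleared under snd_fasync_lock before the flush would protect the invariant from later cleanups.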
--
2.53.0
* [PATCH 6.1 799/969] ASoC: SOF: pcm: Clear the susbstream pointer to NULL on close
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Curtis Malainey, Peter Ujfalusi,
Daniel Baluta, Ranjani Sridharan, Bard Liao, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
[ Upstream commit 46c7b901e2a03536df5a3cb40b3b26e2be505df6 ]
The spcm->stream[substream->stream].substream is set during open and was
left untouched. After the first PCM stream it will never be NULL and we
have code which checks for substream NULLity as indication if the stream is
active or not.
For the compressed cstream pointer the same has been done, this change will
correct the handling of PCM streams.
Fixes: 090349a9feba ("ASoC: SOF: Add support for compress API for stream data/offset")
Cc: stable@vger.kernel.org
Reported-by: Curtis Malainey <cujomalainey@chromium.org>
Closes: https://github.com/thesofproject/linux/pull/5214
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Reviewed-by: Daniel Baluta <daniel.baluta@nxp.com>
Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
Reviewed-by: Curtis Malainey <cujomalainey@chromium.org>
Link: https://patch.msgid.link/20250205135232.19762-3-peter.ujfalusi@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/sof/pcm.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/sound/soc/sof/pcm.c b/sound/soc/sof/pcm.c
index be6f38af37b5d..c2cb005285e3f 100644
--- a/sound/soc/sof/pcm.c
+++ b/sound/soc/sof/pcm.c
@@ -484,6 +484,8 @@ static int sof_pcm_close(struct snd_soc_component *component,
*/
}
+ spcm->stream[substream->stream].substream = NULL;
+
return 0;
}
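Review bot: the pointer is cleared with a plain store as the last statement before `return 0`, so any earlier return in sof_pcm_close() that this hunk does not show would leave it set. Since the changelog says other code tests this pointer for NULL to decide whether the stream is active, check also that those readers cannot run concurrently with close, or serialize the store with them.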
--
2.53.0
* [PATCH 6.1 800/969] ASoC: SOF: stream-ipc: Check for cstream nullity in sof_ipc_msg_data()
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Curtis Malainey, Peter Ujfalusi,
Daniel Baluta, Ranjani Sridharan, Bard Liao, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
[ Upstream commit d8d99c3b5c485f339864aeaa29f76269cc0ea975 ]
The nullity of sps->cstream should be checked similarly as it is done in
sof_set_stream_data_offset() function.
Assuming that it is not NULL if sps->stream is NULL is incorrect and can
lead to NULL pointer dereference.
Fixes: 090349a9feba ("ASoC: SOF: Add support for compress API for stream data/offset")
Cc: stable@vger.kernel.org
Reported-by: Curtis Malainey <cujomalainey@chromium.org>
Closes: https://github.com/thesofproject/linux/pull/5214
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Reviewed-by: Daniel Baluta <daniel.baluta@nxp.com>
Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
Reviewed-by: Curtis Malainey <cujomalainey@chromium.org>
Link: https://patch.msgid.link/20250205135232.19762-2-peter.ujfalusi@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/sof/stream-ipc.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/sound/soc/sof/stream-ipc.c b/sound/soc/sof/stream-ipc.c
index 216b454f6b94e..3edcb0ea38488 100644
--- a/sound/soc/sof/stream-ipc.c
+++ b/sound/soc/sof/stream-ipc.c
@@ -43,7 +43,7 @@ int sof_ipc_msg_data(struct snd_sof_dev *sdev,
return -ESTRPIPE;
posn_offset = stream->posn_offset;
- } else {
+ } else if (sps->cstream) {
struct sof_compr_stream *sstream = sps->cstream->runtime->private_data;
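Review bot: `else if (sps->cstream)` guards only the first link of `sps->cstream->runtime->private_data`; `runtime` is still dereferenced unchecked on the line below it. If `runtime` can be NULL while `cstream` is set, extend the condition; if it cannot, a brief comment should say why.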
@@ -51,6 +51,10 @@ int sof_ipc_msg_data(struct snd_sof_dev *sdev,
return -ESTRPIPE;
posn_offset = sstream->posn_offset;
+
+ } else {
+ dev_err(sdev->dev, "%s: No stream opened\n", __func__);
+ return -EINVAL;
}
snd_sof_dsp_mailbox_read(sdev, posn_offset, p, sz);
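Review bot: the added empty line before `} else {` is stray and should be dropped. The new `dev_err()` sits on the IPC message path, so a rate-limited variant would keep repeated messages that arrive with no stream open from flooding the log.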
--
2.53.0
* [PATCH 6.1 801/969] mtd: spi-nor: spansion: Enable JFFS2 write buffer for S25FS256T
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tudor Ambarus, Takahiro Kuwano,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
[ Upstream commit a9180c298d3527f43563d02a62cb9e7e145642c6 ]
Infineon(Cypress) SEMPER NOR flash family has on-die ECC and its program
granularity is 16-byte ECC data unit size. JFFS2 supports write buffer
mode for ECC'd NOR flash. Provide a way to clear the MTD_BIT_WRITEABLE
flag in order to enable JFFS2 write buffer mode support. Drop the
comment as the same info is now specified in cypress_nor_ecc_init().
Fixes: 6afcc84080c4 ("mtd: spi-nor: spansion: Add support for Infineon S25FS256T")
Suggested-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Signed-off-by: Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/641bfb26c6e059915ae920117b7ec278df1a6f0a.1680760742.git.Takahiro.Kuwano@infineon.com
Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/spi-nor/spansion.c | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/drivers/mtd/spi-nor/spansion.c b/drivers/mtd/spi-nor/spansion.c
index af97e3741f987..cd2d6a95d66e1 100644
--- a/drivers/mtd/spi-nor/spansion.c
+++ b/drivers/mtd/spi-nor/spansion.c
@@ -273,13 +273,7 @@ static int s25fs256t_post_sfdp_fixup(struct spi_nor *nor)
static void s25fs256t_late_init(struct spi_nor *nor)
{
- /*
- * Programming is supported only in 16-byte ECC data unit granularity.
- * Byte-programming, bit-walking, or multiple program operations to the
- * same ECC data unit without an erase are not allowed. See chapter
- * 5.3.1 and 5.6 in the datasheet.
- */
- nor->params->writesize = 16;
+ cypress_nor_ecc_init(nor);
}
static struct spi_nor_fixups s25fs256t_fixups = {
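Review bot: the deleted `nor->params->writesize = 16;` is replaced by a call to cypress_nor_ecc_init(), which this patch neither adds nor shows. Confirm that 6.1.y already carries that helper and that it both sets the 16-byte write size and clears MTD_BIT_WRITEABLE as the changelog describes; otherwise this backport either fails to build or silently loses the write size setting.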
--
2.53.0
* [PATCH 6.1 802/969] netconsole: avoid out-of-bounds access on empty string in trim_newline()
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Breno Leitao, Gustavo Luiz Duarte,
Simon Horman, Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Breno Leitao <leitao@debian.org>
[ Upstream commit 7079c8c13f2d33992bc846240517d88f4ab07781 ]
trim_newline() unconditionally dereferences s[len - 1] after computing
len = strnlen(s, maxlen). When the string is empty, len is 0 and the
expression underflows to s[(size_t)-1], reading (and potentially
writing) one byte before the buffer.
The two callers feed trim_newline() with the result of strscpy() from
configfs store callbacks (dev_name_store, userdatum_value_store).
configfs guarantees count >= 1 reaches the callback, but the byte
itself can be NUL: a userspace write(fd, "\0", 1) leaves the
destination empty after strscpy() and triggers the underflow. The OOB
write only fires if the adjacent byte happens to be '\n', so this is
not a security issue, but the access is undefined behaviour either way.
This pattern is commonly flagged by LLM-based code reviewers. While it
is not a security fix, the underlying access is undefined behaviour and
the change is small and self-contained, so it is a reasonable candidate
for the stable trees.
Guard the dereference on a non-zero length.
Fixes: ae001dc67907 ("net: netconsole: move newline trimming to function")
Cc: stable@vger.kernel.org
Signed-off-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Gustavo Luiz Duarte <gustavold@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260420-netcons_trim_newline-v1-1-dc35889aeedf@debian.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/netconsole.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/netconsole.c b/drivers/net/netconsole.c
index d150287c01a7d..988a8a0a67003 100644
--- a/drivers/net/netconsole.c
+++ b/drivers/net/netconsole.c
@@ -246,6 +246,8 @@ static void trim_newline(char *s, size_t maxlen)
size_t len;
len = strnlen(s, maxlen);
+ if (!len)
+ return;
if (s[len - 1] == '\n')
s[len - 1] = '\0';
}
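Review bot: the early `return` on `!len` is correct, but folding it into the existing test as `if (len && s[len - 1] == '\n')` would keep the function to a single condition. Either way, a comment noting that `s` can be empty when userspace writes a lone NUL byte, as the changelog explains, would document why the guard exists.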
--
2.53.0
* [PATCH 6.1 803/969] bonding: fix NULL pointer dereference in actor_port_prio setting
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (801 preceding siblings ...)
2026-05-30 16:05 ` [PATCH 6.1 802/969] netconsole: avoid out-of-bounds access on empty string in trim_newline() Greg Kroah-Hartman
@ 2026-05-30 16:05 ` Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 804/969] net: bonding: update the slave array for broadcast mode Greg Kroah-Hartman
` (172 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Liang Li, Hangbin Liu,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hangbin Liu <liuhangbin@gmail.com>
[ Upstream commit 067bf016e99ad72aa4ff869d6dec1fd62a9c6202 ]
Liang reported an issue where setting a slave’s actor_port_prio to
predefined values such as 0, 255, or 65535 would cause a system crash.
The problem occurs because in bond_opt_parse(), when the provided value
matches a predefined table entry, the function returns that table entry,
which does not contain slave information. Later, in
bond_option_actor_port_prio_set(), calling bond_slave_get_rtnl() leads
to a NULL pointer dereference.
Since actor_port_prio is defined as a u16 and initialized to the default
value of 255 in ad_initialize_port(), there is no need for the
bond_actor_port_prio_tbl. Using the BOND_OPTFLAG_RAWVAL flag is sufficient.
Fixes: 6b6dc81ee7e8 ("bonding: add support for per-port LACP actor priority")
Reported-by: Liang Li <liali@redhat.com>
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Link: https://patch.msgid.link/20251105072620.164841-1-liuhangbin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_options.c | 9 +--------
1 file changed, 1 insertion(+), 8 deletions(-)
diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bond_options.c
index 2991290f450ee..40731d180bb50 100644
--- a/drivers/net/bonding/bond_options.c
+++ b/drivers/net/bonding/bond_options.c
@@ -225,13 +225,6 @@ static const struct bond_opt_value bond_ad_actor_sys_prio_tbl[] = {
{ NULL, -1, 0},
};
-static const struct bond_opt_value bond_actor_port_prio_tbl[] = {
- { "minval", 0, BOND_VALFLAG_MIN},
- { "maxval", 65535, BOND_VALFLAG_MAX},
- { "default", 255, BOND_VALFLAG_DEFAULT},
- { NULL, -1, 0},
-};
-
static const struct bond_opt_value bond_ad_user_port_key_tbl[] = {
{ "minval", 0, BOND_VALFLAG_MIN | BOND_VALFLAG_DEFAULT},
{ "maxval", 1023, BOND_VALFLAG_MAX},
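Review bot: With bond_actor_port_prio_tbl deleted, the 0..65535 bounds that its "minval" and "maxval" entries expressed are no longer stated anywhere in this file. Since the option is switched to raw-value handling, confirm that bond_option_actor_port_prio_set() itself rejects input that does not fit the u16 field; that function is not part of this diff.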
@@ -497,7 +490,7 @@ static const struct bond_option bond_opts[BOND_OPT_LAST] = {
.id = BOND_OPT_ACTOR_PORT_PRIO,
.name = "actor_port_prio",
.unsuppmodes = BOND_MODE_ALL_EX(BIT(BOND_MODE_8023AD)),
- .values = bond_actor_port_prio_tbl,
+ .flags = BOND_OPTFLAG_RAWVAL,
.set = bond_option_actor_port_prio_set,
},
[BOND_OPT_AD_ACTOR_SYSTEM] = {
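Review bot: The switch from .values to ".flags = BOND_OPTFLAG_RAWVAL" on BOND_OPT_ACTOR_PORT_PRIO carries no comment, so nothing at this site says why a value table must not be used for this option. A short comment noting that a table match returns an entry without slave information would keep someone from re-adding the table.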
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 804/969] net: bonding: update the slave array for broadcast mode
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (802 preceding siblings ...)
2026-05-30 16:05 ` [PATCH 6.1 803/969] bonding: fix NULL pointer dereference in actor_port_prio setting Greg Kroah-Hartman
@ 2026-05-30 16:05 ` Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 805/969] crypto: af_alg - Cap AEAD AD length to 0x80000000 Greg Kroah-Hartman
` (171 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Simon Horman, Jonathan Corbet,
Andrew Lunn, Jiri Slaby, Tonghao Zhang, Hangbin Liu,
Nikolay Aleksandrov, Jay Vosburgh, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tonghao Zhang <tonghao@bamaicloud.com>
[ Upstream commit e0caeb24f538c3c9c94f471882ceeb43d9dc2739 ]
This patch fixes ce7a381697cb ("net: bonding: add broadcast_neighbor option for 802.3ad").
Before this commit, in broadcast mode, all devices were traversed using
bond_for_each_slave_rcu. This patch supports traversing devices by using all_slaves.
Therefore, we need to update the slave array when enslaving or releasing a slave.
Fixes: ce7a381697cb ("net: bonding: add broadcast_neighbor option for 802.3ad")
Cc: Simon Horman <horms@kernel.org>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Andrew Lunn <andrew+netdev@lunn.ch>
Cc: <stable@vger.kernel.org>
Reported-by: Jiri Slaby <jirislaby@kernel.org>
Tested-by: Jiri Slaby <jirislaby@kernel.org>
Link: https://lore.kernel.org/all/a97e6e1e-81bc-4a79-8352-9e4794b0d2ca@kernel.org/
Signed-off-by: Tonghao Zhang <tonghao@bamaicloud.com>
Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
Acked-by: Jay Vosburgh <jv@jvosburgh.net>
Link: https://patch.msgid.link/20251016125136.16568-1-tonghao@bamaicloud.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_main.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index d3c41dc57e547..e9e2dec1dcb13 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -2258,7 +2258,9 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev,
unblock_netpoll_tx();
}
- if (bond_mode_can_use_xmit_hash(bond))
+ /* broadcast mode uses the all_slaves to loop through slaves. */
+ if (bond_mode_can_use_xmit_hash(bond) ||
+ BOND_MODE(bond) == BOND_MODE_BROADCAST)
bond_update_slave_arr(bond, NULL);
if (!slave_dev->netdev_ops->ndo_bpf ||
@@ -2432,7 +2434,8 @@ static int __bond_release_one(struct net_device *bond_dev,
bond_upper_dev_unlink(bond, slave);
- if (bond_mode_can_use_xmit_hash(bond))
+ if (bond_mode_can_use_xmit_hash(bond) ||
+ BOND_MODE(bond) == BOND_MODE_BROADCAST)
bond_update_slave_arr(bond, slave);
slave_info(bond_dev, slave_dev, "Releasing %s interface\n",
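Review bot: The condition "bond_mode_can_use_xmit_hash(bond) || BOND_MODE(bond) == BOND_MODE_BROADCAST" is now open-coded in both bond_enslave() and __bond_release_one(), and only the bond_enslave() copy carries the comment about all_slaves. A small helper with the comment on it would keep the two call sites from drifting apart the next time a mode starts using the slave array.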
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 805/969] crypto: af_alg - Cap AEAD AD length to 0x80000000
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (803 preceding siblings ...)
2026-05-30 16:05 ` [PATCH 6.1 804/969] net: bonding: update the slave array for broadcast mode Greg Kroah-Hartman
@ 2026-05-30 16:05 ` Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 806/969] i40e: Cleanup PTP pins on probe failure Greg Kroah-Hartman
` (170 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yiming Qian, Herbert Xu
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
commit e4c06479d7059888adf2f22bc1ebcf053bf691a2 upstream.
In order to prevent arithmetic overflows when checking the TX
buffer size, cap the associated data length to 0x80000000.
Reported-by: Yiming Qian <yimingqian591@gmail.com>
Fixes: 400c40cf78da ("crypto: algif - add AEAD support")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
crypto/af_alg.c | 2 ++
1 file changed, 2 insertions(+)
--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -475,6 +475,8 @@ static int af_alg_cmsg_send(struct msghd
if (cmsg->cmsg_len < CMSG_LEN(sizeof(u32)))
return -EINVAL;
con->aead_assoclen = *(u32 *)CMSG_DATA(cmsg);
+ if (con->aead_assoclen >= 0x80000000u)
+ return -EINVAL;
break;
default:
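Review bot: The limit 0x80000000u in the new aead_assoclen check is a bare magic number; a named constant or a comment pointing at the TX buffer size computation it protects would make the bound reviewable. The check also runs after the assignment, so con->aead_assoclen still holds the rejected value on the -EINVAL path; reading into a local, validating it, and only then storing it would avoid leaving an out-of-range length in con.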
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 806/969] i40e: Cleanup PTP pins on probe failure
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (804 preceding siblings ...)
2026-05-30 16:05 ` [PATCH 6.1 805/969] crypto: af_alg - Cap AEAD AD length to 0x80000000 Greg Kroah-Hartman
@ 2026-05-30 16:05 ` Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 807/969] netfilter: nf_conntrack_sip: get helper before allocating expectation Greg Kroah-Hartman
` (169 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kohei Enju, Matt Vollrath,
Paul Menzel, Aleksandr Loktionov, Sunitha Mekala, Jacob Keller,
Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matt Vollrath <tactii@gmail.com>
commit 678b713ece1e853f11e670a84cb887c35e1381b7 upstream.
PTP pin structs are allocated early in probe, but never cleaned up.
Fix this by calling i40e_ptp_free_pins in the error path.
To support this, i40e_ptp_free_pins is added to the header and
pin_config is correctly nullified after being freed.
This has been an issue since i40e_ptp_alloc_pins was introduced.
Fixes: 1050713026a08 ("i40e: add support for PTP external synchronization clock")
Reported-by: Kohei Enju <kohei@enjuk.jp>
Cc: stable@vger.kernel.org
Signed-off-by: Matt Vollrath <tactii@gmail.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Kohei Enju <kohei@enjuk.jp>
Tested-by: Sunitha Mekala <sunithax.d.mekala@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260506-jk-iwl-net-2026-05-04-v2-2-a5ea4dc837a9@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/i40e/i40e.h | 1 +
drivers/net/ethernet/intel/i40e/i40e_main.c | 1 +
drivers/net/ethernet/intel/i40e/i40e_ptp.c | 3 ++-
3 files changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/net/ethernet/intel/i40e/i40e.h
+++ b/drivers/net/ethernet/intel/i40e/i40e.h
@@ -1289,6 +1289,7 @@ void i40e_ptp_restore_hw_time(struct i40
void i40e_ptp_init(struct i40e_pf *pf);
void i40e_ptp_stop(struct i40e_pf *pf);
int i40e_ptp_alloc_pins(struct i40e_pf *pf);
+void i40e_ptp_free_pins(struct i40e_pf *pf);
int i40e_update_adq_vsi_queues(struct i40e_vsi *vsi, int vsi_offset);
int i40e_is_vsi_uplink_mode_veb(struct i40e_vsi *vsi);
int i40e_get_partition_bw_setting(struct i40e_pf *pf);
--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
@@ -16227,6 +16227,7 @@ err_vsis:
i40e_clear_interrupt_scheme(pf);
kfree(pf->vsi);
err_switch_setup:
+ i40e_ptp_free_pins(pf);
i40e_reset_interrupt_capability(pf);
del_timer_sync(&pf->service_timer);
err_mac_addr:
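Review bot: i40e_ptp_free_pins(pf) is placed under err_switch_setup, so a failure that jumps to a label further down, such as err_mac_addr, skips it. The commit message says the pin structs are allocated early in probe, so check that no error path taken after i40e_ptp_alloc_pins() lands below this label; the allocation site is not visible in this hunk.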
--- a/drivers/net/ethernet/intel/i40e/i40e_ptp.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_ptp.c
@@ -947,12 +947,13 @@ int i40e_ptp_get_ts_config(struct i40e_p
*
* Release memory allocated for PTP pins.
**/
-static void i40e_ptp_free_pins(struct i40e_pf *pf)
+void i40e_ptp_free_pins(struct i40e_pf *pf)
{
if (i40e_is_ptp_pin_dev(&pf->hw)) {
kfree(pf->ptp_pins);
kfree(pf->ptp_caps.pin_config);
pf->ptp_pins = NULL;
+ pf->ptp_caps.pin_config = NULL;
}
}
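Review bot: Now that i40e_ptp_free_pins() is no longer static and is called from the probe error path, its kernel-doc still only says "Release memory allocated for PTP pins". With both pf->ptp_pins and pf->ptp_caps.pin_config set to NULL after kfree(), the function is safe to call more than once; stating that in the comment documents the property the new caller depends on.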
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 807/969] netfilter: nf_conntrack_sip: get helper before allocating expectation
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (805 preceding siblings ...)
2026-05-30 16:05 ` [PATCH 6.1 806/969] i40e: Cleanup PTP pins on probe failure Greg Kroah-Hartman
@ 2026-05-30 16:05 ` Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 808/969] audit: fix incorrect inheritable capability in CAPSET records Greg Kroah-Hartman
` (168 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Li Xiasong, Pablo Neira Ayuso
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Xiasong <lixiasong1@huawei.com>
commit eb6317739b1ea3ab28791e1f91b24781905fa815 upstream.
process_register_request() allocates an expectation and then checks
whether a conntrack helper is available. If helper lookup fails, the
function returns early and the allocated expectation is left behind.
Reorder the code to fetch and validate helper before calling
nf_ct_expect_alloc(). This keeps the logic simpler and removes the leak
path while preserving existing behavior.
Fixes: e14575fa7529 ("netfilter: nf_conntrack: use rcu accessors where needed")
Cc: stable@vger.kernel.org
Signed-off-by: Li Xiasong <lixiasong1@huawei.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/nf_conntrack_sip.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -1367,6 +1367,10 @@ static int process_register_request(stru
goto store_cseq;
}
+ helper = rcu_dereference(nfct_help(ct)->helper);
+ if (!helper)
+ return NF_DROP;
+
exp = nf_ct_expect_alloc(ct);
if (!exp) {
nf_ct_helper_log(skb, ct, "cannot alloc expectation");
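Review bot: The relocated "if (!helper) return NF_DROP;" drops the packet without any log, while the !exp branch directly below it calls nf_ct_helper_log() with "cannot alloc expectation". A matching log line on the missing-helper path would make this drop diagnosable in the same way.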
@@ -1377,10 +1381,6 @@ static int process_register_request(stru
if (sip_direct_signalling)
saddr = &ct->tuplehash[!dir].tuple.src.u3;
- helper = rcu_dereference(nfct_help(ct)->helper);
- if (!helper)
- return NF_DROP;
-
nf_ct_expect_init(exp, SIP_EXPECT_SIGNALLING, nf_ct_l3num(ct),
saddr, &daddr, proto, NULL, &port);
exp->timeout.expires = sip_timeout * HZ;
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 808/969] audit: fix incorrect inheritable capability in CAPSET records
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (806 preceding siblings ...)
2026-05-30 16:05 ` [PATCH 6.1 807/969] netfilter: nf_conntrack_sip: get helper before allocating expectation Greg Kroah-Hartman
@ 2026-05-30 16:05 ` Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 809/969] netfilter: nft_ct: fix missing expect put in obj eval Greg Kroah-Hartman
` (167 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ricardo Robaina, Sergio Correia,
Paul Moore
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sergio Correia <scorreia@redhat.com>
commit e4a640475e43f406fdfd56d370b1f34b0cbbc18d upstream.
__audit_log_capset() records the effective capability set into the
inheritable field due to a copy-paste error. Every CAPSET audit
record therefore reports cap_pi (process inheritable) with the value
of cap_effective instead of cap_inheritable.
This silently corrupts audit data used for compliance and forensic
analysis: an attacker who modifies inheritable capabilities to
prepare for a privilege-escalating exec would have the change masked
in the audit trail.
The bug has been present since the original introduction of CAPSET
audit records in 2008.
Cc: stable@vger.kernel.org
Fixes: e68b75a027bb ("When the capset syscall is used it is not possible for audit to record the actual capbilities being added/removed. This patch adds a new record type which emits the target pid and the eff, inh, and perm cap sets.")
Reviewed-by: Ricardo Robaina <rrobaina@redhat.com>
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Sergio Correia <scorreia@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/auditsc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2841,7 +2841,7 @@ void __audit_log_capset(const struct cre
context->capset.pid = task_tgid_nr(current);
context->capset.cap.effective = new->cap_effective;
- context->capset.cap.inheritable = new->cap_effective;
+ context->capset.cap.inheritable = new->cap_inheritable;
context->capset.cap.permitted = new->cap_permitted;
context->capset.cap.ambient = new->cap_ambient;
context->type = AUDIT_CAPSET;
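Review bot: The four context->capset.cap assignments (effective, inheritable, permitted, ambient) copy same-named fields one line at a time, which is the shape that let the cap_effective slip go unnoticed. A regression test that sets distinct effective and inheritable sets and checks the resulting CAPSET record would catch a repeat; nothing in this patch adds one.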
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 809/969] netfilter: nft_ct: fix missing expect put in obj eval
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (807 preceding siblings ...)
2026-05-30 16:05 ` [PATCH 6.1 808/969] audit: fix incorrect inheritable capability in CAPSET records Greg Kroah-Hartman
@ 2026-05-30 16:05 ` Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 810/969] net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled Greg Kroah-Hartman
` (166 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Li Xiasong, Pablo Neira Ayuso
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Xiasong <lixiasong1@huawei.com>
commit 19f94b6fee75b3ef7fbc06f3745b9a771a8a19a4 upstream.
nft_ct_expect_obj_eval() allocates an expectation and may call
nf_ct_expect_related(), but never drops its local reference.
Add nf_ct_expect_put(exp) before return to balance allocation.
Fixes: 857b46027d6f ("netfilter: nft_ct: add ct expectations support")
Cc: stable@vger.kernel.org
Signed-off-by: Li Xiasong <lixiasong1@huawei.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/nft_ct.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -1346,6 +1346,8 @@ static void nft_ct_expect_obj_eval(struc
if (nf_ct_expect_related(exp, 0) != 0)
regs->verdict.code = NF_DROP;
+
+ nf_ct_expect_put(exp);
}
static const struct nla_policy nft_ct_expect_policy[NFTA_CT_EXPECT_MAX + 1] = {
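Review bot: nf_ct_expect_put(exp) is added at the very end of nft_ct_expect_obj_eval(), so it balances the allocation only on the path that reaches nf_ct_expect_related(). Any return between the allocation and this point needs the same put; those lines are outside the hunk, so please confirm there is none.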
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 810/969] net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (808 preceding siblings ...)
2026-05-30 16:05 ` [PATCH 6.1 809/969] netfilter: nft_ct: fix missing expect put in obj eval Greg Kroah-Hartman
@ 2026-05-30 16:05 ` Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 811/969] audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV Greg Kroah-Hartman
` (165 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zoran Ilievski, Sukhdeep Singh,
Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zoran Ilievski <goodboy@rexbytes.com>
commit 2c308cf34284420963607d677d576a2b4124d8bd upstream.
The shutdown handler aq_pci_shutdown() unconditionally calls
pci_wake_from_d3(pdev, false), clearing the PCI PME_En bit even when
wake-on-LAN has been configured. While aq_nic_shutdown() correctly
programs the NIC firmware via aq_nic_set_power() to listen for magic
packets, the PCI subsystem will not propagate the resulting PME wake
event from D3, so the system never wakes after poweroff.
WOL from suspend (S3) is unaffected because aq_suspend_common() does
not touch pci_wake_from_d3() and relies on the PM core's wake
configuration via device_may_wakeup().
This affects all atlantic-supported NICs (AQC107/108/111/112/113);
users have reported that WOL works if the atlantic driver is never
loaded, but breaks once it has run its shutdown path.
Pass the configured WOL state to pci_wake_from_d3() instead of a
literal false, so the PCI PME_En bit is preserved when the user has
armed WOL via ethtool.
Fixes: 90869ddfefeb ("net: aquantia: Implement pci shutdown callback")
Cc: stable@vger.kernel.org
Signed-off-by: Zoran Ilievski <goodboy@rexbytes.com>
Reviewed-by: Sukhdeep Singh <sukhdeeps@marvell.com>
Link: https://patch.msgid.link/20260511064002.1857-1-goodboy@rexbytes.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/aquantia/atlantic/aq_pci_func.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/ethernet/aquantia/atlantic/aq_pci_func.c
+++ b/drivers/net/ethernet/aquantia/atlantic/aq_pci_func.c
@@ -374,7 +374,7 @@ static void aq_pci_shutdown(struct pci_d
pci_disable_device(pdev);
if (system_state == SYSTEM_POWER_OFF) {
- pci_wake_from_d3(pdev, false);
+ pci_wake_from_d3(pdev, self->aq_hw->aq_nic_cfg->wol);
pci_set_power_state(pdev, PCI_D3hot);
}
}
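Review bot: self->aq_hw->aq_nic_cfg->wol is passed straight in as the enable argument of pci_wake_from_d3(); if wol is a mask of wake flags rather than a boolean, writing "!!" or "!= 0" makes the conversion explicit. The self->aq_hw->aq_nic_cfg chain is also dereferenced here after pci_disable_device(pdev) with no NULL check visible in the hunk, so it is worth confirming both pointers are still valid at this point in shutdown.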
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 811/969] audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (809 preceding siblings ...)
2026-05-30 16:05 ` [PATCH 6.1 810/969] net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled Greg Kroah-Hartman
@ 2026-05-30 16:05 ` Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 812/969] KVM: Reject wrapped offset in kvm_reset_dirty_gfn() Greg Kroah-Hartman
` (164 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ricardo Robaina, Sergio Correia,
Paul Moore
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sergio Correia <scorreia@redhat.com>
commit f9e1c1324b4d98d591a6f7568fdebf5cf456dfc2 upstream.
AUDIT_ADD_RULE and AUDIT_DEL_RULE correctly check for AUDIT_LOCKED
and return -EPERM, but AUDIT_TRIM and AUDIT_MAKE_EQUIV do not. This
allows a process with CAP_AUDIT_CONTROL to modify directory tree
watches and equivalence mappings even when the audit configuration
has been locked, undermining the purpose of the lock.
Add AUDIT_LOCKED checks to both commands.
Cc: stable@vger.kernel.org
Reviewed-by: Ricardo Robaina <rrobaina@redhat.com>
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Sergio Correia <scorreia@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/audit.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1428,6 +1428,8 @@ static int audit_receive_msg(struct sk_b
err = audit_list_rules_send(skb, seq);
break;
case AUDIT_TRIM:
+ if (audit_enabled == AUDIT_LOCKED)
+ return -EPERM;
audit_trim_trees();
audit_log_common_recv_msg(audit_context(), &ab,
AUDIT_CONFIG_CHANGE);
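Review bot: In the AUDIT_TRIM case the new lock check returns -EPERM before audit_log_common_recv_msg() runs, so a rejected trim attempt on a locked configuration leaves no AUDIT_CONFIG_CHANGE record. For a control that exists to protect the audit configuration, logging the denied request would be more useful than a silent error return.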
@@ -1440,6 +1442,8 @@ static int audit_receive_msg(struct sk_b
size_t msglen = data_len;
char *old, *new;
+ if (audit_enabled == AUDIT_LOCKED)
+ return -EPERM;
err = -EINVAL;
if (msglen < 2 * sizeof(u32))
break;
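Review bot: The AUDIT_MAKE_EQUIV check uses a direct "return -EPERM" while the lines right after it follow the "err = -EINVAL; ... break;" pattern, so this path skips whatever common handling follows the switch. The same "audit_enabled == AUDIT_LOCKED" test is now also repeated in two cases of this function; a single helper would keep the locked-state policy in one place.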
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 812/969] KVM: Reject wrapped offset in kvm_reset_dirty_gfn()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (810 preceding siblings ...)
2026-05-30 16:05 ` [PATCH 6.1 811/969] audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV Greg Kroah-Hartman
@ 2026-05-30 16:05 ` Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 813/969] KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer arithmetic Greg Kroah-Hartman
` (163 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Aaron Sacks, Paolo Bonzini
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aaron Sacks <contact@xchglabs.com>
commit 577a8d3bae0531f0e5ccfac919cd8192f920a804 upstream.
kvm_reset_dirty_gfn() guards the gfn range with
if (!memslot || (offset + __fls(mask)) >= memslot->npages)
return;
but offset is u64 and the addition is unchecked. The check can be
silently bypassed by a u64 wrap.
The dirty ring backing those entries is MAP_SHARED at
KVM_DIRTY_LOG_PAGE_OFFSET of the vcpu fd, so the VMM can rewrite the
slot and offset fields of any entry between when the kernel pushes
them and when KVM_RESET_DIRTY_RINGS consumes them. On reset,
kvm_dirty_ring_reset() re-reads the values via READ_ONCE() and feeds
them straight back into this check; only the flags handshake is
treated as the handover, the slot/offset payload is taken on trust.
Crafting two entries
entry[i].offset = 0xffffffffffffffc1
entry[i+1].offset = 0
makes the coalescing loop in kvm_dirty_ring_reset() compute
delta = (s64)(0 - 0xffffffffffffffc1) = 63
which falls in [0, BITS_PER_LONG), so it folds entry[i+1] into the
existing mask by setting bit 63. The trailing kvm_reset_dirty_gfn()
call then sees offset = 0xffffffffffffffc1 and __fls(mask) = 63;
the sum is 0 in u64 and the bounds check passes.
That offset propagates into kvm_arch_mmu_enable_log_dirty_pt_masked()
unchanged. On the legacy MMU path -- kvm_memslots_have_rmaps() ==
true, i.e. shadow paging, any VM that has allocated shadow roots, or
a write-tracked slot -- it reaches gfn_to_rmap(), which indexes
slot->arch.rmap[0][] with a near-U64_MAX gfn. That is an
out-of-bounds load of a kvm_rmap_head, followed by a conditional
clear of PT_WRITABLE_MASK in whatever the loaded pointer points at.
The path is reachable from any process holding /dev/kvm.
Range-check offset on its own first, so the addition cannot wrap.
memslot->npages is bounded well below U64_MAX, so once offset <
npages holds, offset + __fls(mask) (with __fls(mask) < BITS_PER_LONG)
stays in range.
Fixes: fb04a1eddb1a ("KVM: X86: Implement ring-based dirty memory tracking")
Cc: stable@vger.kernel.org
Signed-off-by: Aaron Sacks <contact@xchglabs.com>
Link: https://patch.msgid.link/20260512060742.1628959-1-contact@xchglabs.com/
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
virt/kvm/dirty_ring.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/virt/kvm/dirty_ring.c
+++ b/virt/kvm/dirty_ring.c
@@ -49,7 +49,8 @@ static void kvm_reset_dirty_gfn(struct k
memslot = id_to_memslot(__kvm_memslots(kvm, as_id), id);
- if (!memslot || (offset + __fls(mask)) >= memslot->npages)
+ if (!memslot || offset >= memslot->npages ||
+ offset + __fls(mask) >= memslot->npages)
return;
KVM_MMU_LOCK(kvm);
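Review bot: The added "offset >= memslot->npages" test is what makes the following "offset + __fls(mask)" safe from wrapping, but nothing in the code says so. A comment to that effect would keep a later cleanup from merging the two comparisons back into one, and since offset comes from ring memory the VMM can write, a ratelimited warning on this early return would help spot a misbehaving userspace.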
^ permalink raw reply [flat|nested] 982+ messages in thread
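The wrap described in the commit message above, carried through in user space as an added example (not code from the patch or the kernel). fls_index(), coalesce_forward() and the two range_ok_*() helpers are hypothetical names that model only the forward-coalescing step and the bounds check quoted in the message; the memslot size of 512 pages is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BITS_PER_LONG 64

/* Index of the highest set bit; mask must be non-zero (stand-in for __fls()). */
static unsigned int fls_index(uint64_t mask)
{
	unsigned int i = 0;

	while ((mask >>= 1) != 0)
		i++;
	return i;
}

/*
 * Forward coalescing step as the commit message describes it: if the next
 * entry lies within BITS_PER_LONG pages after cur_offset, its bit is folded
 * into the mask. Bit 0 always stands for cur_offset itself.
 */
static uint64_t coalesce_forward(uint64_t cur_offset, uint64_t next_offset)
{
	uint64_t mask = 1;
	int64_t delta = (int64_t)(next_offset - cur_offset);

	if (delta >= 0 && delta < BITS_PER_LONG)
		mask |= 1ull << delta;
	return mask;
}

/* Bounds check before the fix: true means the range is accepted. */
static bool range_ok_before(uint64_t offset, uint64_t mask, uint64_t npages)
{
	return offset + fls_index(mask) < npages;	/* the sum may wrap */
}

/* Bounds check after the fix: offset is range-checked on its own first. */
static bool range_ok_after(uint64_t offset, uint64_t mask, uint64_t npages)
{
	if (offset >= npages)
		return false;
	/* offset < npages and fls_index() < 64, so this sum cannot wrap */
	return offset + fls_index(mask) < npages;
}

int main(void)
{
	const uint64_t npages = 512;			/* constructed memslot size */
	const uint64_t off = 0xffffffffffffffc1ull;	/* offset from the commit message */
	uint64_t mask = coalesce_forward(off, 0);

	printf("mask after coalescing: 0x%llx (top bit %u)\n",
	       (unsigned long long)mask, fls_index(mask));
	printf("offset + top bit:      0x%llx\n",
	       (unsigned long long)(off + fls_index(mask)));
	printf("old check accepts: %d\n", range_ok_before(off, mask, npages));
	printf("new check accepts: %d\n", range_ok_after(off, mask, npages));
	printf("in-range entry (offset 10, mask 0x21): old %d, new %d\n",
	       range_ok_before(10, 0x21, npages), range_ok_after(10, 0x21, npages));
	return 0;
}
```

For every offset below npages the two checks agree, so the fix changes behaviour only for offsets that were already invalid.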
* [PATCH 6.1 813/969] KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer arithmetic
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (811 preceding siblings ...)
2026-05-30 16:05 ` [PATCH 6.1 812/969] KVM: Reject wrapped offset in kvm_reset_dirty_gfn() Greg Kroah-Hartman
@ 2026-05-30 16:05 ` Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 814/969] KVM: x86: Fix Xen hypercall tracepoint argument assignment Greg Kroah-Hartman
` (162 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo,
Christian Borntraeger, Matthew Rosato
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
commit 16d990a15491cf76cd6eef0846e1b4100e63261a upstream.
kvm_s390_pci_aif_enable(), kvm_s390_pci_aif_disable(), and
aen_host_forward() index the GAIT by manually multiplying the index
with sizeof(struct zpci_gaite).
Since aift->gait is already a struct zpci_gaite pointer, this
double-scales the offset, accessing element aisb*16 instead of aisb.
This causes out-of-bounds accesses when aisb >= 32 (with
ZPCI_NR_DEVICES=512).
Fix by removing the erroneous sizeof multiplication.
Fixes: 3c5a1b6f0a18 ("KVM: s390: pci: provide routines for enabling/disabling interrupt forwarding")
Fixes: 73f91b004321 ("KVM: s390: pci: enable host forwarding of Adapter Event Notifications")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Reviewed-by: Christian Borntraeger <borntraeger@linux.ibm.com>
Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com>
Tested-by: Matthew Rosato <mjrosato@linux.ibm.com>
Signed-off-by: Christian Borntraeger <borntraeger@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/s390/kvm/interrupt.c | 3 +--
arch/s390/kvm/pci.c | 6 ++----
2 files changed, 3 insertions(+), 6 deletions(-)
--- a/arch/s390/kvm/interrupt.c
+++ b/arch/s390/kvm/interrupt.c
@@ -3323,8 +3323,7 @@ static void aen_host_forward(unsigned lo
struct zpci_gaite *gaite;
struct kvm *kvm;
- gaite = (struct zpci_gaite *)aift->gait +
- (si * sizeof(struct zpci_gaite));
+ gaite = aift->gait + si;
if (gaite->count == 0)
return;
if (gaite->aisb != 0)
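Review bot: "gaite = aift->gait + si" fixes the scaling in aen_host_forward(), but si is still used as a table index with no range check visible in this hunk. The commit message ties the table size to ZPCI_NR_DEVICES, so an explicit bound on si before the dereference of gaite->count would make the access safe on its face rather than by the caller's contract.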
--- a/arch/s390/kvm/pci.c
+++ b/arch/s390/kvm/pci.c
@@ -292,8 +292,7 @@ static int kvm_s390_pci_aif_enable(struc
phys_to_virt(fib->fmt0.aibv));
spin_lock_irq(&aift->gait_lock);
- gaite = (struct zpci_gaite *)aift->gait + (zdev->aisb *
- sizeof(struct zpci_gaite));
+ gaite = aift->gait + zdev->aisb;
/* If assist not requested, host will get all alerts */
if (assist)
@@ -359,8 +358,7 @@ static int kvm_s390_pci_aif_disable(stru
if (zdev->kzdev->fib.fmt0.aibv == 0)
goto out;
spin_lock_irq(&aift->gait_lock);
- gaite = (struct zpci_gaite *)aift->gait + (zdev->aisb *
- sizeof(struct zpci_gaite));
+ gaite = aift->gait + zdev->aisb;
isc = gaite->gisc;
gaite->count--;
if (gaite->count == 0) {
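Review bot: The expression "aift->gait + index" now appears three times across interrupt.c and pci.c, each written out by hand as the buggy version was. Writing it as &aift->gait[zdev->aisb], or adding one small accessor that also checks the index, removes the pointer arithmetic that invited the sizeof mistake.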
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 814/969] KVM: x86: Fix Xen hypercall tracepoint argument assignment
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (812 preceding siblings ...)
2026-05-30 16:05 ` [PATCH 6.1 813/969] KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer arithmetic Greg Kroah-Hartman
@ 2026-05-30 16:05 ` Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 815/969] smb/client: fix possible infinite loop and oob read in symlink_data() Greg Kroah-Hartman
` (161 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Qiang Ma, Paolo Bonzini
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qiang Ma <maqianga@uniontech.com>
commit 2b72f1674e427c56e3772c5ccf785fdda2138820 upstream.
TRACE_EVENT(kvm_xen_hypercall) stores a5 in __entry->a4 instead of
__entry->a5.
That overwrites the recorded a4 argument and leaves a5 unset in the
trace entry. Fix the typo so both arguments are captured correctly.
Signed-off-by: Qiang Ma <maqianga@uniontech.com>
Link: https://patch.msgid.link/20260512015313.1685784-1-maqianga@uniontech.com/
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/trace.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/x86/kvm/trace.h
+++ b/arch/x86/kvm/trace.h
@@ -138,7 +138,7 @@ TRACE_EVENT(kvm_xen_hypercall,
__entry->a2 = a2;
__entry->a3 = a3;
__entry->a4 = a4;
- __entry->a4 = a5;
+ __entry->a5 = a5;
),
TP_printk("nr 0x%lx a0 0x%lx a1 0x%lx a2 0x%lx a3 0x%lx a4 0x%lx a5 %lx",
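Review bot: The TP_printk format directly after the corrected assignment prints a5 as "%lx" while nr and a0 through a4 all use "0x%lx". Now that __entry->a5 actually carries a value, the missing 0x prefix makes the last field read differently from the rest; worth a follow-up if changing the trace output format is acceptable.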
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 815/969] smb/client: fix possible infinite loop and oob read in symlink_data()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (813 preceding siblings ...)
2026-05-30 16:05 ` [PATCH 6.1 814/969] KVM: x86: Fix Xen hypercall tracepoint argument assignment Greg Kroah-Hartman
@ 2026-05-30 16:05 ` Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 816/969] drm/i915/dp: Fix VSC dynamic range signaling for RGB formats Greg Kroah-Hartman
` (160 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, ChenXiaoSong, Ye Bin, Steve French
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ye Bin <yebin10@huawei.com>
commit 7d9a7f1f96cd617ee9e75bb22217c709038e26b8 upstream.
On 32-bit architectures, the infinite loop is as follows:
len = p->ErrorDataLength == 0xfffffff8
u8 *next = p->ErrorContextData + len
next == p
On 32-bit architectures, the out-of-bounds read is as follows:
len = p->ErrorDataLength == 0xfffffff0
u8 *next = p->ErrorContextData + len
next == (u8 *)p - 8
Reported-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Fixes: 76894f3e2f71 ("cifs: improve symlink handling for smb2+")
Cc: stable@vger.kernel.org
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/smb2file.c | 3 +++
1 file changed, 3 insertions(+)
--- a/fs/smb/client/smb2file.c
+++ b/fs/smb/client/smb2file.c
@@ -48,6 +48,9 @@ static struct smb2_symlink_err_rsp *syml
__func__, le32_to_cpu(p->ErrorId));
len = ALIGN(le32_to_cpu(p->ErrorDataLength), 8);
+ if (len > end - ((u8 *)p + sizeof(*p)))
+ return ERR_PTR(-EINVAL);
+
p = (struct smb2_error_context_rsp *)(p->ErrorContextData + len);
}
} else if (le32_to_cpu(err->ByteCount) >= sizeof(*sym) &&
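Review bot: The new bound `len > end - ((u8 *)p + sizeof(*p))` is only sound if `(u8 *)p + sizeof(*p) <= end` already holds when it runs; otherwise the right-hand side is negative and the outcome depends on the type of len, which this hunk does not show. Please confirm the loop condition guarantees a full header before end on every iteration, including after the advance to `p->ErrorContextData + len`. Note also that ALIGN(..., 8) is applied before the check, so an ErrorDataLength above 0xfffffff8 rounds to 0 in 32-bit arithmetic; that case still moves p forward past the header, but a one-line comment stating that the check compares the aligned length against the bytes remaining after the header would make the intent clear.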
* [PATCH 6.1 816/969] drm/i915/dp: Fix VSC dynamic range signaling for RGB formats
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (814 preceding siblings ...)
2026-05-30 16:05 ` [PATCH 6.1 815/969] smb/client: fix possible infinite loop and oob read in symlink_data() Greg Kroah-Hartman
@ 2026-05-30 16:05 ` Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 817/969] ALSA: usb-audio: Bound MIDI endpoint descriptor scans Greg Kroah-Hartman
` (159 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, DeepChirp, Chaitanya Kumar Borah,
Suraj Kandpal, Tvrtko Ursulin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chaitanya Kumar Borah <chaitanya.kumar.borah@intel.com>
commit 1ae15b6c7965d137eef21f2cc7d367b29cb88369 upstream.
For RGB, set dynamic_range to CTA or VESA based on
crtc_state->limited_color_range so sinks apply correct
quantization. YCbCr remains limited (CTA) range.
(DP v1.4, Table 5-1)
v2:
- Added Reported-by and Tested-by tags
v3:
- Add back YCbCr comment (Suraj)
Cc: stable@vger.kernel.org #v5.8+
Reported-by: DeepChirp <DeepChirp@outlook.com>
Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/work_items/15874
Tested-by: DeepChirp <DeepChirp@outlook.com>
Fixes: 9799c4c3b76e ("drm/i915/dp: Add compute routine for DP VSC SDP")
Assisted-by: GitHub-Copilot:GPT-5.4
Signed-off-by: Chaitanya Kumar Borah <chaitanya.kumar.borah@intel.com>
Reviewed-by: Suraj Kandpal <suraj.kandpal@intel.com>
Signed-off-by: Suraj Kandpal <suraj.kandpal@intel.com>
Link: https://patch.msgid.link/20260505090920.2479112-1-chaitanya.kumar.borah@intel.com
(cherry picked from commit 38e10ddae6f8d42a2e8437fcd25a1cac51106c64)
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/i915/display/intel_dp.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/i915/display/intel_dp.c
+++ b/drivers/gpu/drm/i915/display/intel_dp.c
@@ -1810,8 +1810,13 @@ static void intel_dp_compute_vsc_colorim
drm_WARN_ON(&dev_priv->drm,
vsc->bpc == 6 && vsc->pixelformat != DP_PIXELFORMAT_RGB);
- /* all YCbCr are always limited range */
- vsc->dynamic_range = DP_DYNAMIC_RANGE_CTA;
+ /* All YCbCr formats are always limited range. */
+ if (vsc->pixelformat == DP_PIXELFORMAT_RGB)
+ vsc->dynamic_range = crtc_state->limited_color_range ?
+ DP_DYNAMIC_RANGE_CTA : DP_DYNAMIC_RANGE_VESA;
+ else
+ vsc->dynamic_range = DP_DYNAMIC_RANGE_CTA;
+
vsc->content_type = DP_CONTENT_TYPE_NOT_DEFINED;
}
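Review bot: The retained comment "All YCbCr formats are always limited range." now sits directly above the `if (vsc->pixelformat == DP_PIXELFORMAT_RGB)` branch, where it describes the else arm rather than the code that follows it. Move it onto the else branch and give the RGB arm its own comment saying the range follows crtc_state->limited_color_range (CTA when limited, VESA otherwise), ideally citing DP v1.4 Table 5-1 as the changelog does.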
* [PATCH 6.1 817/969] ALSA: usb-audio: Bound MIDI endpoint descriptor scans
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (815 preceding siblings ...)
2026-05-30 16:05 ` [PATCH 6.1 816/969] drm/i915/dp: Fix VSC dynamic range signaling for RGB formats Greg Kroah-Hartman
@ 2026-05-30 16:05 ` Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 818/969] ceph: fix a buffer leak in __ceph_setxattr() Greg Kroah-Hartman
` (158 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
commit d6854daa67be623860f4e1873fd3d3c275aba4ed upstream.
snd_usbmidi_get_ms_info() validates the internal MIDIStreaming endpoint
descriptor size before using baAssocJackID[], but the descriptor walker can
still return a class-specific endpoint descriptor whose bLength exceeds the
remaining bytes in the endpoint-extra scan.
That leaves later flexible-array reads bounded by bLength, but not by the
remaining bytes in the endpoint-extra scan.
Stop walking when bLength is zero or
extends past the remaining endpoint-extra scan.
Fixes: 5c6cd7021a05 ("ALSA: usb-audio: Fix case when USB MIDI interface has more than one extra endpoint descriptor")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260507-usb-midi-endpoint-scan-bounds-v1-1-329d7348160e@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/midi.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
--- a/sound/usb/midi.c
+++ b/sound/usb/midi.c
@@ -1974,15 +1974,17 @@ static struct usb_ms_endpoint_descriptor
while (extralen > 3) {
struct usb_ms_endpoint_descriptor *ms_ep =
(struct usb_ms_endpoint_descriptor *)extra;
+ int length = ms_ep->bLength;
- if (ms_ep->bLength > 3 &&
+ if (!length || length > extralen)
+ break;
+
+ if (length > 3 &&
ms_ep->bDescriptorType == USB_DT_CS_ENDPOINT &&
ms_ep->bDescriptorSubtype == UAC_MS_GENERAL)
return ms_ep;
- if (!extra[0])
- break;
- extralen -= extra[0];
- extra += extra[0];
+ extralen -= length;
+ extra += length;
}
return NULL;
}
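Review bot: The new guard `if (!length || length > extralen)` stops on a zero or overlong bLength but still steps over a bLength of 1, which is shorter than the two-byte bLength/bDescriptorType header every USB descriptor carries, so the scan would continue from a misaligned position. Consider `length < 2` instead of `!length` so a malformed descriptor ends the walk. The rest holds together from what is visible: `extralen > 3` keeps the three header fields read here in range, and advancing by the already validated length keeps extralen from going negative.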
* [PATCH 6.1 818/969] ceph: fix a buffer leak in __ceph_setxattr()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (816 preceding siblings ...)
2026-05-30 16:05 ` [PATCH 6.1 817/969] ALSA: usb-audio: Bound MIDI endpoint descriptor scans Greg Kroah-Hartman
@ 2026-05-30 16:05 ` Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 819/969] powerpc/warp: Fix error handling in pika_dtm_thread Greg Kroah-Hartman
` (157 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Viacheslav Dubeyko, Alex Markuze,
Ilya Dryomov
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
commit 5d3cc36b4e77a27ce7b686b7c59c7072bcb3fa8e upstream.
The old_blob in __ceph_setxattr() can store
ci->i_xattrs.prealloc_blob value during the retry.
However, ceph_buffer_put() is never called
for the old_blob object. This patch fixes the issue of
the buffer leak.
Cc: stable@vger.kernel.org
Signed-off-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Reviewed-by: Alex Markuze <amarkuze@redhat.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ceph/xattr.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/ceph/xattr.c
+++ b/fs/ceph/xattr.c
@@ -1246,6 +1246,7 @@ retry:
do_sync:
spin_unlock(&ci->i_ceph_lock);
+ ceph_buffer_put(old_blob);
do_sync_unlocked:
if (lock_snap_rwsem)
up_read(&mdsc->snap_rwsem);
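Review bot: ceph_buffer_put(old_blob) is added only after the `do_sync:` label, so the release depends on which exit the function takes; the hunk does not show whether the non-sync return path already drops old_blob, nor whether anything jumps straight to `do_sync_unlocked:` after the retry has stored prealloc_blob in it. Please confirm both, and that old_blob is initialised to NULL for the case where do_sync is reached without a retry. Doing the put after spin_unlock(&ci->i_ceph_lock) rather than under the lock is the right placement.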
* [PATCH 6.1 819/969] powerpc/warp: Fix error handling in pika_dtm_thread
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (817 preceding siblings ...)
2026-05-30 16:05 ` [PATCH 6.1 818/969] ceph: fix a buffer leak in __ceph_setxattr() Greg Kroah-Hartman
@ 2026-05-30 16:05 ` Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 820/969] libceph: Fix potential out-of-bounds access in osdmap_decode() Greg Kroah-Hartman
` (156 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ma Ke, Christophe Leroy,
Madhavan Srinivasan
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Ke <make24@iscas.ac.cn>
commit 108d7f951271cbd36ca36efc5e5d106966f5180c upstream.
pika_dtm_thread() acquires client through of_find_i2c_device_by_node()
but fails to release it in error handling path. This could result in a
reference count leak, preventing proper cleanup and potentially
leading to resource exhaustion. Add put_device() to release the
reference in the error handling path.
Found by code review.
Cc: stable@vger.kernel.org
Fixes: 3984114f0562 ("powerpc/warp: Platform fix for i2c change")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20251116024411.21968-1-make24@iscas.ac.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/platforms/44x/warp.c | 2 ++
1 file changed, 2 insertions(+)
--- a/arch/powerpc/platforms/44x/warp.c
+++ b/arch/powerpc/platforms/44x/warp.c
@@ -262,6 +262,8 @@ static int pika_dtm_thread(void __iomem
schedule_timeout(HZ);
}
+ put_device(&client->dev);
+
return 0;
}
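Review bot: The changelog says the reference is released "in the error handling path", but the added put_device(&client->dev) sits after the polling loop, immediately before `return 0`, which is the thread's normal exit. That placement does balance of_find_i2c_device_by_node() once the loop ends, so the commit text should say that instead; and if there is any earlier return between the lookup and the loop (not shown in this hunk), it needs the same put.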
* [PATCH 6.1 820/969] libceph: Fix potential out-of-bounds access in osdmap_decode()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (818 preceding siblings ...)
2026-05-30 16:05 ` [PATCH 6.1 819/969] powerpc/warp: Fix error handling in pika_dtm_thread Greg Kroah-Hartman
@ 2026-05-30 16:05 ` Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 821/969] libceph: Fix potential null-ptr-deref in decode_choose_args() Greg Kroah-Hartman
` (155 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Raphael Zimmer, Ilya Dryomov
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
commit 35d0ed82d03e5ee77ea4f31f20e29562a7721649 upstream.
When decoding osd_state and osd_weight from an incoming osdmap in
osdmap_decode(), both are decoded for each osd, i.e., map->max_osd
times. The ceph_decode_need() check only accounts for
sizeof(*map->osd_weight) once. This can potentially result in an
out-of-bounds memory access if the incoming message is corrupted such
that the max_osd value exceeds the actual content of the osdmap message.
This patch fixes the issue by changing the corresponding part in the
ceph_decode_need() check to account for
map->max_osd*sizeof(*map->osd_weight).
Cc: stable@vger.kernel.org
Fixes: dcbc919a5dc8 ("libceph: switch osdmap decoding to use ceph_decode_entity_addr")
Signed-off-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/osdmap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/ceph/osdmap.c
+++ b/net/ceph/osdmap.c
@@ -1703,7 +1703,7 @@ static int osdmap_decode(void **p, void
ceph_decode_need(p, end, 3*sizeof(u32) +
map->max_osd*(struct_v >= 5 ? sizeof(u32) :
sizeof(u8)) +
- sizeof(*map->osd_weight), e_inval);
+ map->max_osd*sizeof(*map->osd_weight), e_inval);
if (ceph_decode_32(p) != map->max_osd)
goto e_inval;
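Review bot: The corrected term `map->max_osd*sizeof(*map->osd_weight)` multiplies a count taken from the message and is added to a second max_osd product in the same expression, so on 32-bit builds the total passed to ceph_decode_need() can wrap for a large max_osd and let a short buffer pass. Please confirm max_osd is bounded before this point (the hunk does not show it), or compute the requirement with overflow-checked helpers. The fix itself matches the changelog: the old expression counted sizeof(*map->osd_weight) once for max_osd entries.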
* [PATCH 6.1 821/969] libceph: Fix potential null-ptr-deref in decode_choose_args()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (819 preceding siblings ...)
2026-05-30 16:05 ` [PATCH 6.1 820/969] libceph: Fix potential out-of-bounds access in osdmap_decode() Greg Kroah-Hartman
@ 2026-05-30 16:05 ` Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 822/969] libceph: Fix potential out-of-bounds access in crush_decode() Greg Kroah-Hartman
` (154 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Raphael Zimmer, Ilya Dryomov
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
commit 28b0a2ab8c82d0bbdeb8013029c67c978ce6e4bf upstream.
A message of type CEPH_MSG_OSD_MAP contains an OSD map that itself
contains a CRUSH map. When decoding this CRUSH map in crush_decode(), an
array of max_buckets CRUSH buckets is decoded, where some indices may
not refer to actual buckets and are therefore set to NULL. The received
CRUSH map may optionally contain choose_args that get decoded in
decode_choose_args(). When decoding a crush_choose_arg_map, a series of
choose_args for different buckets is decoded, with the bucket_index
being read from the incoming message. It is only checked that the bucket
index does not exceed max_buckets, but not that it doesn't point to an
index with a NULL bucket. If a (potentially corrupted) message contains
a crush_choose_arg_map including such a bucket_index, a null pointer
dereference may occur in the subsequent processing when attempting to
access the bucket with the given index.
This patch fixes the issue by extending the affected check. Now, it is
only attempted to access the bucket if it is not NULL.
Cc: stable@vger.kernel.org
Signed-off-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/osdmap.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/ceph/osdmap.c
+++ b/net/ceph/osdmap.c
@@ -390,7 +390,8 @@ static int decode_choose_args(void **p,
goto fail;
if (arg->ids_size &&
- arg->ids_size != c->buckets[bucket_index]->size)
+ (!c->buckets[bucket_index] ||
+ arg->ids_size != c->buckets[bucket_index]->size))
goto e_inval;
}
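Review bot: The added `!c->buckets[bucket_index]` test is nested under `arg->ids_size &&`, so an entry whose bucket_index names a NULL bucket is still accepted when ids_size is 0. If such an entry can carry a weight set that is later applied to that bucket, the NULL dereference described in the changelog remains reachable; consider rejecting a NULL bucket unconditionally, before the ids_size comparison, or state why the ids_size == 0 case is safe.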
* [PATCH 6.1 822/969] libceph: Fix potential out-of-bounds access in crush_decode()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (820 preceding siblings ...)
2026-05-30 16:05 ` [PATCH 6.1 821/969] libceph: Fix potential null-ptr-deref in decode_choose_args() Greg Kroah-Hartman
@ 2026-05-30 16:05 ` Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 823/969] libceph: handle rbtree insertion error in decode_choose_args() Greg Kroah-Hartman
` (153 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Raphael Zimmer, Ilya Dryomov
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
commit 4c79fc2d598694bda845b46229c9d48b65042970 upstream.
A message of type CEPH_MSG_OSD_MAP containing a crush map with at least
one bucket has two fields holding the bucket algorithm. If the values
in these two fields differ, an out-of-bounds access can occur. This is
the case because the first algorithm field (alg) is used to allocate
the correct amount of memory for a bucket of this type, while the second
algorithm field inside the bucket (b->alg) is used in the subsequent
processing.
This patch fixes the issue by adding a check that compares alg and
b->alg and aborts the processing in case they differ. Furthermore,
b->alg is set to 0 in this case, because the destruction of the crush
map also uses this field to determine the bucket type, which can again
result in an out-of-bounds access when trying to free the memory pointed
to by the fields of the bucket. To correctly free the memory allocated
for the bucket in such a case, the corresponding call to kfree is moved
from the algorithm-specific crush_destroy_bucket functions to the
generic crush_destroy_bucket().
Cc: stable@vger.kernel.org
Signed-off-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/crush/crush.c | 6 +-----
net/ceph/osdmap.c | 4 ++++
2 files changed, 5 insertions(+), 5 deletions(-)
--- a/net/ceph/crush/crush.c
+++ b/net/ceph/crush/crush.c
@@ -47,7 +47,6 @@ int crush_get_bucket_item_weight(const s
void crush_destroy_bucket_uniform(struct crush_bucket_uniform *b)
{
kfree(b->h.items);
- kfree(b);
}
void crush_destroy_bucket_list(struct crush_bucket_list *b)
@@ -55,14 +54,12 @@ void crush_destroy_bucket_list(struct cr
kfree(b->item_weights);
kfree(b->sum_weights);
kfree(b->h.items);
- kfree(b);
}
void crush_destroy_bucket_tree(struct crush_bucket_tree *b)
{
kfree(b->h.items);
kfree(b->node_weights);
- kfree(b);
}
void crush_destroy_bucket_straw(struct crush_bucket_straw *b)
@@ -70,14 +67,12 @@ void crush_destroy_bucket_straw(struct c
kfree(b->straws);
kfree(b->item_weights);
kfree(b->h.items);
- kfree(b);
}
void crush_destroy_bucket_straw2(struct crush_bucket_straw2 *b)
{
kfree(b->item_weights);
kfree(b->h.items);
- kfree(b);
}
void crush_destroy_bucket(struct crush_bucket *b)
@@ -99,6 +94,7 @@ void crush_destroy_bucket(struct crush_b
crush_destroy_bucket_straw2((struct crush_bucket_straw2 *)b);
break;
}
+ kfree(b);
}
/**
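Review bot: With kfree(b) moved into crush_destroy_bucket(), the five crush_destroy_bucket_*() helpers above now free only the member arrays, yet they keep external linkage and their names still suggest full destruction, so any caller that invokes one directly would leak the bucket. Please confirm crush_destroy_bucket() is their only caller and consider making them static or adding a comment that the caller owns b. The kfree(b) placed after the switch also runs when no case matches, which is what the `b->alg = 0` path in osdmap.c relies on.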
--- a/net/ceph/osdmap.c
+++ b/net/ceph/osdmap.c
@@ -518,6 +518,10 @@ static struct crush_map *crush_decode(vo
b->id = ceph_decode_32(p);
b->type = ceph_decode_16(p);
b->alg = ceph_decode_8(p);
+ if (b->alg != alg) {
+ b->alg = 0;
+ goto bad;
+ }
b->hash = ceph_decode_8(p);
b->weight = ceph_decode_32(p);
b->size = ceph_decode_32(p);
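Review bot: `b->alg = 0` before `goto bad` is not self-explanatory at this spot; add a comment that it stops crush_destroy_bucket() from running an algorithm-specific free against a bucket that was allocated for a different alg, as the changelog explains. The check is well placed, directly after b->alg is decoded and ahead of the remaining header fields, so in the lines shown nothing type-specific has been filled in for this bucket yet.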
* [PATCH 6.1 823/969] libceph: handle rbtree insertion error in decode_choose_args()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (821 preceding siblings ...)
2026-05-30 16:05 ` [PATCH 6.1 822/969] libceph: Fix potential out-of-bounds access in crush_decode() Greg Kroah-Hartman
@ 2026-05-30 16:05 ` Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 824/969] iommu/vt-d: Disable DMAR for Intel Q35 IGFX Greg Kroah-Hartman
` (152 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Raphael Zimmer, Ilya Dryomov
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
commit d289478cfc0bcf81c7914200d6abdcb78bd04ded upstream.
A message of type CEPH_MSG_OSD_MAP contains an OSD map that itself
contains a CRUSH map. The received CRUSH map may optionally contain
choose_args that get decoded in decode_choose_args(). In this function,
num_choose_arg_maps is read from the message, and a corresponding number
of crush_choose_arg_maps gets decoded afterwards. Each
crush_choose_arg_map has a choose_args_index, which serves as the key
when inserting it into the choose_args rbtree of the decoded crush_map.
If a (potentially corrupted) message contains two crush_choose_arg_maps
with the same index, the assertion in insert_choose_arg_map() triggers a
kernel BUG when trying to insert the second crush_choose_arg_map.
This patch fixes the issue by switching to the non-asserting rbtree
insertion function and rejecting the message if the insertion fails.
[ idryomov: changelog ]
Cc: stable@vger.kernel.org
Signed-off-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/osdmap.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/net/ceph/osdmap.c
+++ b/net/ceph/osdmap.c
@@ -395,7 +395,10 @@ static int decode_choose_args(void **p,
goto e_inval;
}
- insert_choose_arg_map(&c->choose_args, arg_map);
+ if (!__insert_choose_arg_map(&c->choose_args, arg_map)) {
+ ret = -EEXIST;
+ goto fail;
+ }
}
return 0;
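Review bot: When __insert_choose_arg_map() fails, arg_map is not in the c->choose_args tree, so it has to be released by the `fail` path itself; the hunk does not show that label, so please confirm it frees the current arg_map together with everything already decoded into it. Separately, the neighbouring rejection uses `goto e_inval` while a duplicate choose_args_index returns -EEXIST; both reject the message, but a comment should say whether callers are expected to distinguish the two.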
* [PATCH 6.1 824/969] iommu/vt-d: Disable DMAR for Intel Q35 IGFX
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (822 preceding siblings ...)
2026-05-30 16:05 ` [PATCH 6.1 823/969] libceph: handle rbtree insertion error in decode_choose_args() Greg Kroah-Hartman
@ 2026-05-30 16:05 ` Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 825/969] drm/i915: skip __i915_request_skip() for already signaled requests Greg Kroah-Hartman
` (151 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Naval Alcalá, Lu Baolu,
Joerg Roedel
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Naval Alcalá <ari@naval.cat>
commit 2cda2e10dc8343ae01eae9e999a876b7e7d37861 upstream.
Intel Q35 integrated graphics (8086:29b2) exhibits broken DMAR
behaviour similar to other G4x/GM45 devices for which DMAR is
already disabled via quirks.
When DMAR is enabled, the system may hard lock up during boot or
early device initialization, requiring a reset.
Add the missing PCI ID to the existing quirk list to disable
DMAR for this device.
Fixes: 1f76249cc3be ("iommu/vt-d: Declare Broadwell igfx dmar support snafu")
Cc: stable@vger.kernel.org
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=201185
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=216064
Signed-off-by: Naval Alcalá <ari@naval.cat>
Link: https://lore.kernel.org/r/20260410161622.13549-1-ari@naval.cat
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/intel/iommu.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/iommu/intel/iommu.c
+++ b/drivers/iommu/intel/iommu.c
@@ -4832,6 +4832,9 @@ static void quirk_iommu_igfx(struct pci_
dmar_map_gfx = 0;
}
+/* Q35 integrated gfx dmar support is totally busted. */
+DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x29b2, quirk_iommu_igfx);
+
/* G4x/GM45 integrated gfx dmar support is totally busted. */
DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2a40, quirk_iommu_igfx);
DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2e00, quirk_iommu_igfx);
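Review bot: The new comment repeats the "totally busted" wording of the G4x/GM45 block without recording what actually fails; the changelog's symptom (hard lockup during boot or early device initialization with DMAR enabled) and the two bugzilla reports would be more useful to whoever revisits this quirk. Placing 0x29b2 ahead of 0x2a40 keeps the list in ascending device ID order.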
* [PATCH 6.1 825/969] drm/i915: skip __i915_request_skip() for already signaled requests
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (823 preceding siblings ...)
2026-05-30 16:05 ` [PATCH 6.1 824/969] iommu/vt-d: Disable DMAR for Intel Q35 IGFX Greg Kroah-Hartman
@ 2026-05-30 16:05 ` Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 826/969] drm/panfrost: Fix wait_bo ioctl leaking positive return from dma_resv_wait_timeout() Greg Kroah-Hartman
` (150 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Brzezinka, Krzysztof Karas,
Andi Shyti, Tvrtko Ursulin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Brzezinka <sebastian.brzezinka@intel.com>
commit 4cfe4c0efbdcde742a47813180cc69b132d7598e upstream.
After a GPU reset the HWSP is zeroed, so previously completed
requests appear incomplete. If such a request is picked up during
reset_rewind() and marked guilty, i915_request_set_error_once()
returns early (fence already signaled), leaving fence.error without
a fatal error code. The subsequent __i915_request_skip() then hits:
```
GEM_BUG_ON(!fatal_error(rq->fence.error))
```
Fixes a kernel BUG observed on Sandy Bridge (Gen6) during
heartbeat-triggered engine resets.
```
kernel BUG at drivers/gpu/drm/i915/i915_request.c:556!
RIP: __i915_request_skip+0x15e/0x1d0 [i915]
...
__i915_request_reset+0x212/0xa70 [i915]
reset_rewind+0xe4/0x280 [i915]
intel_gt_reset+0x30d/0x5b0 [i915]
heartbeat+0x516/0x530 [i915]
```
Guard __i915_request_skip() with i915_request_signaled(): if the
fence is already signaled, the ring content is committed and there
is nothing left to skip.
Fixes: 36e191f0644b ("drm/i915: Apply i915_request_skip() on submission")
Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/work_items/13729
Signed-off-by: Sebastian Brzezinka <sebastian.brzezinka@intel.com>
Cc: stable@vger.kernel.org # v5.7+
Reviewed-by: Krzysztof Karas <krzysztof.karas@intel.com>
Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
Link: https://lore.kernel.org/r/fe76921d35b6ae85aa651822726d0d9815aa5362.1776339012.git.sebastian.brzezinka@intel.com
(cherry picked from commit 5ba54393dcd7adf75a9f39f5a933b1538349cad5)
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/i915/gt/intel_reset.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/i915/gt/intel_reset.c
+++ b/drivers/gpu/drm/i915/gt/intel_reset.c
@@ -144,7 +144,8 @@ void __i915_request_reset(struct i915_re
rcu_read_lock(); /* protect the GEM context */
if (guilty) {
i915_request_set_error_once(rq, -EIO);
- __i915_request_skip(rq);
+ if (!i915_request_signaled(rq))
+ __i915_request_skip(rq);
banned = mark_guilty(rq);
} else {
i915_request_set_error_once(rq, -EAGAIN);
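Review bot: The new `if (!i915_request_signaled(rq))` guards only __i915_request_skip(); `banned = mark_guilty(rq)` still runs for a request whose fence was already signaled, so a context can be marked guilty, and possibly banned, for work that had completed before the reset. If that is intended, say so in a comment; otherwise the signaled check should cover mark_guilty() as well. A comment noting that i915_request_set_error_once(rq, -EIO) returns early in that case would also help, since that is why fence.error lacks a fatal code.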
* [PATCH 6.1 826/969] drm/panfrost: Fix wait_bo ioctl leaking positive return from dma_resv_wait_timeout()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (824 preceding siblings ...)
2026-05-30 16:05 ` [PATCH 6.1 825/969] drm/i915: skip __i915_request_skip() for already signaled requests Greg Kroah-Hartman
@ 2026-05-30 16:05 ` Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 827/969] drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup Greg Kroah-Hartman
` (149 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gyeyoung Baek, Adrián Larumbe,
Boris Brezillon, Steven Price
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gyeyoung Baek <gye976@gmail.com>
commit 459d75523b71c0ec254d153d8850d0b7008af396 upstream.
dma_resv_wait_timeout() returns a positive 'remaining jiffies' value
on success, 0 on timeout, and -errno on failure.
panfrost_ioctl_wait_bo() returns this 'long' result from an int-typed
ioctl handler, so positive values reach userspace as bogus errors.
Explicitly set ret to 0 on the success path.
Fixes: f3ba91228e8e ("drm/panfrost: Add initial panfrost driver")
Cc: stable@vger.kernel.org
Signed-off-by: Gyeyoung Baek <gye976@gmail.com>
Reviewed-by: Adrián Larumbe <adrian.larumbe@collabora.com>
Reviewed-by: Boris Brezillon <boris.brezillon@collabora.com>
Reviewed-by: Steven Price <steven.price@arm.com>
Link: https://patch.msgid.link/fe33f82fded7be1c18e2e0eb2db451d5a738cf39.1776581974.git.gye976@gmail.com
Signed-off-by: Steven Price <steven.price@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/panfrost/panfrost_drv.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/gpu/drm/panfrost/panfrost_drv.c
+++ b/drivers/gpu/drm/panfrost/panfrost_drv.c
@@ -330,6 +330,8 @@ panfrost_ioctl_wait_bo(struct drm_device
true, timeout);
if (!ret)
ret = timeout ? -ETIMEDOUT : -EBUSY;
+ else if (ret > 0)
+ ret = 0;
drm_gem_object_put(gem_obj);
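Review bot: The normalisation `else if (ret > 0)` followed by `ret = 0;` is correct only if ret can hold the long that dma_resv_wait_timeout() returns; its declaration is outside this hunk, and if it is an int a large remaining-jiffies value would be truncated before this test. Please confirm ret is declared long. A short comment that positive values are remaining jiffies rather than errors would also explain why they are discarded.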
* [PATCH 6.1 827/969] drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (825 preceding siblings ...)
2026-05-30 16:05 ` [PATCH 6.1 826/969] drm/panfrost: Fix wait_bo ioctl leaking positive return from dma_resv_wait_timeout() Greg Kroah-Hartman
@ 2026-05-30 16:05 ` Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 828/969] drm/gma500/oaktrail_lvds: fix hang on init failure Greg Kroah-Hartman
` (148 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Patrik Jakobsson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 950953f774b3f69da6f413e045ef075e1f3da2df upstream.
Make sure to drop the reference taken to the I2C adapter (and its
module) when setting up HDMI to allow the adapter to be deregistered.
Fixes: 1b082ccf5901 ("gma500: Add Oaktrail support")
Cc: stable@vger.kernel.org # 3.3
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
Link: https://patch.msgid.link/20260508144446.59722-2-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/gma500/oaktrail_hdmi.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/gpu/drm/gma500/oaktrail_hdmi.c
+++ b/drivers/gpu/drm/gma500/oaktrail_hdmi.c
@@ -577,6 +577,7 @@ static int oaktrail_hdmi_get_modes(struc
} else {
edid = (struct edid *)raw_edid;
/* FIXME ? edid = drm_get_edid(connector, i2c_adap); */
+ i2c_put_adapter(i2c_adap);
}
if (edid) {
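Review bot: The added i2c_put_adapter(i2c_adap) balances the lookup, but with `edid = drm_get_edid(connector, i2c_adap)` still commented out under the FIXME, this branch takes the adapter reference and drops it without ever using the adapter. Consider removing the lookup entirely, or, if the FIXME is resolved later, make sure the put stays after the EDID read. The other branch is not shown; confirm it is the case where no adapter was obtained, so nothing needs releasing there.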
* [PATCH 6.1 828/969] drm/gma500/oaktrail_lvds: fix hang on init failure
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (826 preceding siblings ...)
2026-05-30 16:05 ` [PATCH 6.1 827/969] drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup Greg Kroah-Hartman
@ 2026-05-30 16:05 ` Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 829/969] drm/gma500/oaktrail_lvds: fix i2c adapter leaks on init Greg Kroah-Hartman
` (147 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Patrik Jakobsson, Johan Hovold
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 657a091ab6d01d0091b77660c75cfed573c9a53e upstream.
The LVDS init code looks up an I2C adapter using i2c_get_adapter() and
tries to read the EDID before falling back to allocating and registering
its own adapter.
The error handling does not separate these cases so on a late init
failure it will try to deregister and free also an adapter that had
previously been registered. Since i2c_get_adapter() takes another
reference to the adapter, deregistration hangs indefinitely while
waiting for the reference to be released.
Fix this by only destroying adapters allocated during LVDS init on
errors.
Fixes: a57ebfc0b4da ("drm/gma500: Make oaktrail lvds use ddc adapter from drm_connector")
Cc: stable@vger.kernel.org # 6.0
Cc: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
Link: https://patch.msgid.link/20260508144446.59722-3-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/gma500/oaktrail_lvds.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/gma500/oaktrail_lvds.c
+++ b/drivers/gpu/drm/gma500/oaktrail_lvds.c
@@ -293,7 +293,7 @@ void oaktrail_lvds_init(struct drm_devic
{
struct gma_encoder *gma_encoder;
struct gma_connector *gma_connector;
- struct gma_i2c_chan *ddc_bus;
+ struct gma_i2c_chan *ddc_bus = NULL;
struct drm_connector *connector;
struct drm_encoder *encoder;
struct drm_psb_private *dev_priv = to_drm_psb_private(dev);
@@ -421,7 +421,8 @@ out:
err_unlock:
mutex_unlock(&dev->mode_config.mutex);
- gma_i2c_destroy(to_gma_i2c_chan(connector->ddc));
+ if (!IS_ERR_OR_NULL(ddc_bus))
+ gma_i2c_destroy(ddc_bus);
drm_encoder_cleanup(encoder);
err_connector_cleanup:
drm_connector_cleanup(connector);
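Review bot: in the err_unlock path the destroy now keys off the local ddc_bus instead of connector->ddc, which only works because the first hunk initialises ddc_bus to NULL; the IS_ERR_OR_NULL() form also implies ddc_bus can hold an ERR_PTR at this point. A one-line comment above the check, saying that only an adapter allocated by this function may be destroyed here, would record why connector->ddc must not be used, since the two expressions look interchangeable to a later reader.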
* [PATCH 6.1 829/969] drm/gma500/oaktrail_lvds: fix i2c adapter leaks on init
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (827 preceding siblings ...)
2026-05-30 16:05 ` [PATCH 6.1 828/969] drm/gma500/oaktrail_lvds: fix hang on init failure Greg Kroah-Hartman
@ 2026-05-30 16:05 ` Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 830/969] io-wq: check that the predecessor is hashed in io_wq_remove_pending() Greg Kroah-Hartman
` (146 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Patrik Jakobsson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 84d1c9b416d54afe760ca4c378bd95c89261254c upstream.
The LVDS init code looks up an I2C adapter using i2c_get_adapter() and
tries to read the EDID before falling back to allocating and registering
its own adapter.
Make sure to drop the references taken by i2c_get_adapter() when falling
back to allocating an adapter as well as on late errors to allow the
looked up adapter to be deregistered.
Fixes: 1b082ccf5901 ("gma500: Add Oaktrail support")
Cc: stable@vger.kernel.org # 3.3
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
Link: https://patch.msgid.link/20260508144446.59722-4-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/gma500/oaktrail_lvds.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/gpu/drm/gma500/oaktrail_lvds.c
+++ b/drivers/gpu/drm/gma500/oaktrail_lvds.c
@@ -367,6 +367,8 @@ void oaktrail_lvds_init(struct drm_devic
if (edid == NULL && dev_priv->lpc_gpio_base) {
ddc_bus = oaktrail_lvds_i2c_init(dev);
if (!IS_ERR(ddc_bus)) {
+ if (i2c_adap)
+ i2c_put_adapter(i2c_adap);
i2c_adap = &ddc_bus->base;
edid = drm_get_edid(connector, i2c_adap);
}
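Review bot: inside if (!IS_ERR(ddc_bus)) the reference on the looked-up adapter is dropped immediately before i2c_adap is overwritten with &ddc_bus->base, and nothing in the code says so. A short comment that the put releases the reference taken by the earlier lookup (i2c_get_adapter() per the commit message) would help, because from this line on i2c_adap no longer names an adapter that may be put.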
@@ -423,6 +425,8 @@ err_unlock:
mutex_unlock(&dev->mode_config.mutex);
if (!IS_ERR_OR_NULL(ddc_bus))
gma_i2c_destroy(ddc_bus);
+ else if (i2c_adap)
+ i2c_put_adapter(i2c_adap);
drm_encoder_cleanup(encoder);
err_connector_cleanup:
drm_connector_cleanup(connector);
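Review bot: the new else if (i2c_adap) branch in err_unlock is only correct because it is chained behind the ddc_bus test: when the fallback adapter was allocated, i2c_adap points at &ddc_bus->base and must go through gma_i2c_destroy(), not i2c_put_adapter(). That ordering is load-bearing and easy to break the next time the error path is touched; a comment on the else if, or keeping the looked-up adapter in its own variable, would make the ownership explicit.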
* [PATCH 6.1 830/969] io-wq: check that the predecessor is hashed in io_wq_remove_pending()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (828 preceding siblings ...)
2026-05-30 16:05 ` [PATCH 6.1 829/969] drm/gma500/oaktrail_lvds: fix i2c adapter leaks on init Greg Kroah-Hartman
@ 2026-05-30 16:05 ` Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 831/969] net/rds: reset op_nents when zerocopy page pin fails Greg Kroah-Hartman
` (145 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nicholas Carlini
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicholas Carlini <nicholas@carlini.com>
io_wq_remove_pending() needs to fix up wq->hash_tail[] if the cancelled
work was the tail of its hash bucket. When doing this, it checks whether
the preceding entry in acct->work_list has the same hash value, but
never checks that the predecessor is hashed at all. io_get_work_hash()
is simply atomic_read(&work->flags) >> IO_WQ_HASH_SHIFT, and the hash
bits are never set for non-hashed work, so it returns 0. Thus, when a
hashed bucket-0 work is cancelled while a non-hashed work is its list
predecessor, the check spuriously passes and a pointer to the non-hashed
io_kiocb is stored in wq->hash_tail[0].
Because non-hashed work is dequeued via the fast path in
io_get_next_work(), which never touches hash_tail[], the stale pointer
is never cleared. Therefore, after the non-hashed io_kiocb completes and
is freed back to req_cachep, wq->hash_tail[0] is a dangling pointer. The
io_wq is per-task (tctx->io_wq) and survives ring open/close, so the
dangling pointer persists for the lifetime of the task; the next hashed
bucket-0 enqueue dereferences it in io_wq_insert_work() and
wq_list_add_after() writes through freed memory.
Add the missing io_wq_is_hashed() check so a non-hashed predecessor
never inherits a hash_tail[] slot.
Cc: stable@vger.kernel.org # 5.7+
Fixes: 204361a77f40 ("io-wq: fix hang after cancelling pending hashed work")
Signed-off-by: Nicholas Carlini <nicholas@carlini.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/io-wq.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/io_uring/io-wq.c
+++ b/io_uring/io-wq.c
@@ -1034,7 +1034,8 @@ static inline void io_wqe_remove_pending
if (io_wq_is_hashed(work) && work == wqe->hash_tail[hash]) {
if (prev)
prev_work = container_of(prev, struct io_wq_work, list);
- if (prev_work && io_get_work_hash(prev_work) == hash)
+ if (prev_work && io_wq_is_hashed(prev_work) &&
+ io_get_work_hash(prev_work) == hash)
wqe->hash_tail[hash] = prev_work;
else
wqe->hash_tail[hash] = NULL;
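Review bot: the hunk patches io_wqe_remove_pending and wqe->hash_tail[hash], but the commit message talks about io_wq_remove_pending() and wq->hash_tail[], and unlike most of the neighbouring patches it carries no upstream commit id. Add the upstream reference and a short backport note on the differing function and structure names so the 6.1 change can be matched to its mainline counterpart. The added io_wq_is_hashed(prev_work) test mirrors the io_wq_is_hashed(work) test on the outer if, which is the right shape for the fix.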
* [PATCH 6.1 831/969] net/rds: reset op_nents when zerocopy page pin fails
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (829 preceding siblings ...)
2026-05-30 16:05 ` [PATCH 6.1 830/969] io-wq: check that the predecessor is hashed in io_wq_remove_pending() Greg Kroah-Hartman
@ 2026-05-30 16:05 ` Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 832/969] io_uring: prevent opcode speculation Greg Kroah-Hartman
` (144 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Allison Henderson, Simon Horman,
Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Allison Henderson <achender@kernel.org>
commit e174929793195e0cd6a4adb0cad731b39f9019b4 upstream.
When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(),
the pinned pages are released with put_page(), and
rm->data.op_mmp_znotifier is cleared. But we fail to properly
clear rm->data.op_nents.
Later when rds_message_purge() is called from rds_sendmsg() the
cleanup loop iterates over the incorrectly non zero number of
op_nents and frees them again.
Fix this by properly resetting op_nents when it should be in
rds_message_zcopy_from_user().
Fixes: 0cebaccef3ac ("rds: zerocopy Tx support.")
Signed-off-by: Allison Henderson <achender@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260505234336.2132721-1-achender@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/rds/message.c | 1 +
1 file changed, 1 insertion(+)
--- a/net/rds/message.c
+++ b/net/rds/message.c
@@ -409,6 +409,7 @@ static int rds_message_zcopy_from_user(s
for (i = 0; i < rm->data.op_nents; i++)
put_page(sg_page(&rm->data.op_sg[i]));
+ rm->data.op_nents = 0;
mmp = &rm->data.op_mmp_znotifier->z_mmp;
mm_unaccount_pinned_pages(mmp);
ret = -EFAULT;
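Review bot: the reset rm->data.op_nents = 0 is correctly placed after the put_page() loop that uses op_nents as its bound, but the line carries no hint of why it matters. A comment noting that rds_message_purge() later walks op_nents entries, so a stale count means the same pages are released a second time, would keep the line from being dropped as redundant in a future cleanup.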
* [PATCH 6.1 832/969] io_uring: prevent opcode speculation
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (830 preceding siblings ...)
2026-05-30 16:05 ` [PATCH 6.1 831/969] net/rds: reset op_nents when zerocopy page pin fails Greg Kroah-Hartman
@ 2026-05-30 16:05 ` Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 833/969] s390/debug: Reject zero-length input before trimming a newline Greg Kroah-Hartman
` (143 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pavel Begunkov, Li Zetao, Jens Axboe,
Robert Garcia, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pavel Begunkov <asml.silence@gmail.com>
[ Upstream commit 1e988c3fe1264708f4f92109203ac5b1d65de50b ]
sqe->opcode is used for different tables, make sure we sanitise it
against speculations.
Cc: stable@vger.kernel.org
Fixes: d3656344fea03 ("io_uring: add lookup table for various opcode needs")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Reviewed-by: Li Zetao <lizetao1@huawei.com>
Link: https://lore.kernel.org/r/7eddbf31c8ca0a3947f8ed98271acc2b4349c016.1739568408.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Robert Garcia <rob_garcia@163.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
io_uring/io_uring.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index d0d9ff6b87a08..fdb8afdb01353 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -2031,6 +2031,8 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req,
req->opcode = 0;
return io_init_fail_req(req, -EINVAL);
}
+ opcode = array_index_nospec(opcode, IORING_OP_LAST);
+
def = &io_op_defs[opcode];
if (unlikely(sqe_flags & ~SQE_COMMON_FLAGS)) {
/* enforce forwards compatibility on users */
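Review bot: array_index_nospec() clamps only the local opcode just before def = &io_op_defs[opcode], while the failure branch above shows that req->opcode is a separately stored copy. If any later table lookup indexes with req->opcode rather than the local, it is not covered by this clamp; either store the clamped value back or add a comment stating that every table lookup in this function uses the local.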
--
2.53.0
* [PATCH 6.1 833/969] s390/debug: Reject zero-length input before trimming a newline
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (831 preceding siblings ...)
2026-05-30 16:05 ` [PATCH 6.1 832/969] io_uring: prevent opcode speculation Greg Kroah-Hartman
@ 2026-05-30 16:05 ` Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 834/969] wifi: mac80211: check tdls flag in ieee80211_tdls_oper Greg Kroah-Hartman
` (142 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pengpeng Hou, Benjamin Block,
Vasily Gorbik, Alexander Gordeev, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pengpeng Hou <pengpeng@iscas.ac.cn>
[ Upstream commit c366a7b5ed7564e41345c380285bd3f6cb98971b ]
debug_get_user_string() copies the userspace buffer into a newly
allocated NUL-terminated buffer and then unconditionally looks at
buffer[user_len - 1] to strip a trailing newline.
A zero-length write reaches this helper unchanged, so the newline trim
reads before the start of the allocated buffer.
Reject empty writes before accessing the last input byte.
Fixes: 66a464dbc8e0 ("[PATCH] s390: debug feature changes")
Cc: stable@vger.kernel.org
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
Tested-by: Vasily Gorbik <gor@linux.ibm.com>
Link: https://lore.kernel.org/r/20260417073530.96002-1-pengpeng@iscas.ac.cn
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/s390/kernel/debug.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/s390/kernel/debug.c b/arch/s390/kernel/debug.c
index 9a94979ee4de5..65302aea77e85 100644
--- a/arch/s390/kernel/debug.c
+++ b/arch/s390/kernel/debug.c
@@ -1268,6 +1268,9 @@ static inline char *debug_get_user_string(const char __user *user_buf,
{
char *buffer;
+ if (!user_len)
+ return ERR_PTR(-EINVAL);
+
buffer = kmalloc(user_len + 1, GFP_KERNEL);
if (!buffer)
return ERR_PTR(-ENOMEM);
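Review bot: the early if (!user_len) return ERR_PTR(-EINVAL) sits ahead of kmalloc(user_len + 1, GFP_KERNEL) with no explanation in the code. A one-line comment that the helper later reads buffer[user_len - 1] would tie the check to the access it protects. Rejecting empty input with -EINVAL is also a behaviour change for callers of the helper and is worth stating explicitly in the commit message.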
--
2.53.0
* [PATCH 6.1 834/969] wifi: mac80211: check tdls flag in ieee80211_tdls_oper
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (832 preceding siblings ...)
2026-05-30 16:05 ` [PATCH 6.1 833/969] s390/debug: Reject zero-length input before trimming a newline Greg Kroah-Hartman
@ 2026-05-30 16:05 ` Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 835/969] Revert "x86/vdso: Fix output operand size of RDPID" Greg Kroah-Hartman
` (141 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+56b6a844a4ea74487b7b,
Johannes Berg, Deepanshu Kartikey, Johannes Berg, Li hongliang,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Deepanshu Kartikey <kartikey406@gmail.com>
[ Upstream commit 7d73872d949c488a1d7c308031d6a9d89b5e0a8b ]
When NL80211_TDLS_ENABLE_LINK is called, the code only checks if the
station exists but not whether it is actually a TDLS station. This
allows the operation to proceed for non-TDLS stations, causing
unintended side effects like modifying channel context and HT
protection before failing.
Add a check for sta->sta.tdls early in the ENABLE_LINK case, before
any side effects occur, to ensure the operation is only allowed for
actual TDLS peers.
Reported-by: syzbot+56b6a844a4ea74487b7b@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=56b6a844a4ea74487b7b
Tested-by: syzbot+56b6a844a4ea74487b7b@syzkaller.appspotmail.com
Suggested-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Link: https://patch.msgid.link/20260313092417.520807-1-kartikey406@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Li hongliang <1468888505@139.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/tdls.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/mac80211/tdls.c b/net/mac80211/tdls.c
index 1f07b598a6a17..57bd4fc8d2375 100644
--- a/net/mac80211/tdls.c
+++ b/net/mac80211/tdls.c
@@ -1382,7 +1382,7 @@ int ieee80211_tdls_oper(struct wiphy *wiphy, struct net_device *dev,
mutex_lock(&local->sta_mtx);
sta = sta_info_get(sdata, peer);
- if (!sta) {
+ if (!sta || !sta->sta.tdls) {
mutex_unlock(&local->sta_mtx);
ret = -ENOLINK;
break;
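Review bot: with if (!sta || !sta->sta.tdls) a station that exists but is not a TDLS peer now returns the same -ENOLINK as a missing station. That is a reasonable choice, but the condition has no comment; one line saying that non-TDLS stations are rejected here, before any channel context or HT protection changes are made, would keep the reasoning from the commit message at the point where it applies.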
--
2.53.0
* [PATCH 6.1 835/969] Revert "x86/vdso: Fix output operand size of RDPID"
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (833 preceding siblings ...)
2026-05-30 16:05 ` [PATCH 6.1 834/969] wifi: mac80211: check tdls flag in ieee80211_tdls_oper Greg Kroah-Hartman
@ 2026-05-30 16:05 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 836/969] Revert "s390/cio: Fix device lifecycle handling in css_alloc_subchannel()" Greg Kroah-Hartman
` (140 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
This reverts commit 757a9e78a1c5b824d0a2b7de14c3cd8d841dfbee.
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/include/asm/segment.h | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/arch/x86/include/asm/segment.h b/arch/x86/include/asm/segment.h
index 7865f180eb087..2e7890dd58a47 100644
--- a/arch/x86/include/asm/segment.h
+++ b/arch/x86/include/asm/segment.h
@@ -243,7 +243,7 @@ static inline unsigned long vdso_encode_cpunode(int cpu, unsigned long node)
static inline void vdso_read_cpunode(unsigned *cpu, unsigned *node)
{
- unsigned long p;
+ unsigned int p;
/*
* Load CPU and node number from the GDT. LSL is faster than RDTSCP
@@ -253,10 +253,10 @@ static inline void vdso_read_cpunode(unsigned *cpu, unsigned *node)
*
* If RDPID is available, use it.
*/
- alternative_io ("lsl %[seg],%k[p]",
- "rdpid %[p]",
+ alternative_io ("lsl %[seg],%[p]",
+ ".byte 0xf3,0x0f,0xc7,0xf8", /* RDPID %eax/rax */
X86_FEATURE_RDPID,
- [p] "=r" (p), [seg] "r" (__CPUNODE_SEG));
+ [p] "=a" (p), [seg] "r" (__CPUNODE_SEG));
if (cpu)
*cpu = (p & VDSO_CPUNODE_MASK);
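Review bot: the restored .byte 0xf3,0x0f,0xc7,0xf8 encoding fixes the destination register, so the change of [p] from "=r" to "=a" in the same hunk is required for correctness and the two lines must never be edited independently; the RDPID %eax/rax comment is the only hint of that coupling. Separately, the commit message is just "This reverts commit 757a9e78a1c5b824d0a2b7de14c3cd8d841dfbee" with no reason, so a reviewer cannot tell whether the reverted fix was wrong for 6.1 or depended on something missing; please add the rationale.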
--
2.53.0
* [PATCH 6.1 836/969] Revert "s390/cio: Fix device lifecycle handling in css_alloc_subchannel()"
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (834 preceding siblings ...)
2026-05-30 16:05 ` [PATCH 6.1 835/969] Revert "x86/vdso: Fix output operand size of RDPID" Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 837/969] smb: client: reject userspace cifs.spnego descriptions Greg Kroah-Hartman
` (139 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
This reverts commit fd295a75d828c11acfcc6869c2a12cdaaf9b7722.
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/s390/cio/css.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/s390/cio/css.c b/drivers/s390/cio/css.c
index 85c1734ebfe88..98a14c1f3d672 100644
--- a/drivers/s390/cio/css.c
+++ b/drivers/s390/cio/css.c
@@ -247,7 +247,7 @@ struct subchannel *css_alloc_subchannel(struct subchannel_id schid,
err_lock:
kfree(sch->lock);
err:
- put_device(&sch->dev);
+ kfree(sch);
return ERR_PTR(ret);
}
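Review bot: the err label goes back to kfree(sch) in place of put_device(&sch->dev), undoing a commit whose title describes a device lifecycle fix, and the revert message gives no reason. State why the put_device() form is wrong or unsafe on 6.1 (for example a prerequisite that was not backported), since without that the revert reads as reintroducing the problem the original commit addressed.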
--
2.53.0
* [PATCH 6.1 837/969] smb: client: reject userspace cifs.spnego descriptions
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (835 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 836/969] Revert "s390/cio: Fix device lifecycle handling in css_alloc_subchannel()" Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 838/969] i3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue Greg Kroah-Hartman
` (138 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Howells,
Asim Viladi Oglu Manizada, Steve French
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Asim Viladi Oglu Manizada <manizada@pm.me>
commit 3da1fdf4efbc490041eb4f836bf596201203f8f2 upstream.
cifs.spnego key descriptions contain authority-bearing fields such as
pid, uid, creduid, and upcall_target that cifs.upcall treats as
kernel-originating inputs. However, userspace can also create keys of
this type through request_key(2) or add_key(2), allowing those fields to
be supplied without CIFS origin.
Only accept cifs.spnego descriptions while CIFS is using its private
spnego_cred to request the key.
Fixes: f1d662a7d5e5 ("[CIFS] Add upcall files for cifs to use spnego/kerberos")
Assisted-by: avom-custom-harness:gpt-5.5-qwen3.6-mod-mix
Reviewed-by: David Howells <dhowells@redhat.com>
Signed-off-by: Asim Viladi Oglu Manizada <manizada@pm.me>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/cifs_spnego.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
--- a/fs/smb/client/cifs_spnego.c
+++ b/fs/smb/client/cifs_spnego.c
@@ -8,6 +8,7 @@
*/
#include <linux/list.h>
+#include <linux/cred.h>
#include <linux/slab.h>
#include <linux/string.h>
#include <keys/user-type.h>
@@ -46,12 +47,27 @@ cifs_spnego_key_destroy(struct key *key)
kfree(key->payload.data[0]);
}
+static int
+cifs_spnego_key_vet_description(const char *description)
+{
+ /*
+ * cifs.spnego descriptions are authority-bearing inputs to cifs.upcall.
+ * They are only valid when produced by CIFS while using the private
+ * spnego_cred installed below. Do not let userspace create this type
+ * of key through request_key(2)/add_key(2), since the helper treats
+ * pid/uid/creduid/upcall_target as kernel-originating fields.
+ */
+ if (current_cred() != spnego_cred)
+ return -EPERM;
+ return 0;
+}
/*
* keytype for CIFS spnego keys
*/
struct key_type cifs_spnego_key_type = {
.name = "cifs.spnego",
+ .vet_description = cifs_spnego_key_vet_description,
.instantiate = cifs_spnego_key_instantiate,
.destroy = cifs_spnego_key_destroy,
.describe = user_describe,
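Review bot: cifs_spnego_key_vet_description() never looks at its description argument; acceptance depends only on current_cred() != spnego_cred. The comment explains the intent well, but it should state outright that the fields are not parsed or validated in this hook, so nobody later assumes pid/uid/creduid/upcall_target are checked here rather than merely gated on the caller's credentials.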
* [PATCH 6.1 838/969] i3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (836 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 837/969] smb: client: reject userspace cifs.spnego descriptions Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 839/969] sysfs: dont remove existing directory on update failure Greg Kroah-Hartman
` (137 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adrian Hunter, Frank Li,
Alexandre Belloni, Jianqiang kang, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adrian Hunter <adrian.hunter@intel.com>
[ Upstream commit b795e68bf3073d67bebbb5a44d93f49efc5b8cc7 ]
The logic used to abort the DMA ring contains several flaws:
1. The driver unconditionally issues a ring abort even when the ring has
already stopped.
2. The completion used to wait for abort completion is never
re-initialized, resulting in incorrect wait behavior.
3. The abort sequence unintentionally clears RING_CTRL_ENABLE, which
resets hardware ring pointers and disrupts the controller state.
4. If the ring is already stopped, the abort operation should be
considered successful without attempting further action.
Fix the abort handling by checking whether the ring is running before
issuing an abort, re-initializing the completion when needed, ensuring that
RING_CTRL_ENABLE remains asserted during abort, and treating an already
stopped ring as a successful condition.
Fixes: 9ad9a52cce282 ("i3c/master: introduce the mipi-i3c-hci driver")
Cc: stable@vger.kernel.org
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20260306072451.11131-9-adrian.hunter@intel.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Jianqiang kang <jianqkang@sina.cn>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i3c/master/mipi-i3c-hci/dma.c | 27 +++++++++++++++++----------
1 file changed, 17 insertions(+), 10 deletions(-)
diff --git a/drivers/i3c/master/mipi-i3c-hci/dma.c b/drivers/i3c/master/mipi-i3c-hci/dma.c
index 624d00b853a51..61007167606fd 100644
--- a/drivers/i3c/master/mipi-i3c-hci/dma.c
+++ b/drivers/i3c/master/mipi-i3c-hci/dma.c
@@ -448,16 +448,23 @@ static bool hci_dma_dequeue_xfer(struct i3c_hci *hci,
struct hci_rh_data *rh = &rings->headers[xfer_list[0].ring_number];
unsigned int i;
bool did_unqueue = false;
-
- /* stop the ring */
- rh_reg_write(RING_CONTROL, RING_CTRL_ABORT);
- if (wait_for_completion_timeout(&rh->op_done, HZ) == 0) {
- /*
- * We're deep in it if ever this condition is ever met.
- * Hardware might still be writing to memory, etc.
- */
- dev_crit(&hci->master.dev, "unable to abort the ring\n");
- WARN_ON(1);
+ u32 ring_status;
+
+ ring_status = rh_reg_read(RING_STATUS);
+ if (ring_status & RING_STATUS_RUNNING) {
+ /* stop the ring */
+ reinit_completion(&rh->op_done);
+ rh_reg_write(RING_CONTROL, RING_CTRL_ENABLE | RING_CTRL_ABORT);
+ wait_for_completion_timeout(&rh->op_done, HZ);
+ ring_status = rh_reg_read(RING_STATUS);
+ if (ring_status & RING_STATUS_RUNNING) {
+ /*
+ * We're deep in it if ever this condition is ever met.
+ * Hardware might still be writing to memory, etc.
+ */
+ dev_crit(&hci->master.dev, "unable to abort the ring\n");
+ WARN_ON(1);
+ }
}
for (i = 0; i < n; i++) {
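Review bot: when RING_STATUS_RUNNING is still set after the abort, the code only logs and WARNs and then falls through to the for (i = 0; i < n; i++) loop that follows. If dequeuing while the ring is running is unsafe, as the "Hardware might still be writing to memory" comment suggests, either bail out or say in a comment why continuing is acceptable. Discarding the return value of wait_for_completion_timeout(&rh->op_done, HZ) and judging the outcome by re-reading RING_STATUS is fine, but deserves a short comment too. The carried-over comment reads "if ever this condition is ever met"; drop one "ever".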
--
2.53.0
* [PATCH 6.1 839/969] sysfs: dont remove existing directory on update failure
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (837 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 838/969] i3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 840/969] hwmon: (pmbus/adm1266) widen blackbox-info buffer to I2C_SMBUS_BLOCK_MAX Greg Kroah-Hartman
` (136 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rajat Jain, stable,
Rafael J. Wysocki (Intel), Danilo Krummrich
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 237557b8a81ab948e8332f7c0058e758f081c0a3 upstream.
When sysfs_update_group() is called for a named group and create_files()
fails (e.g. -ENOMEM), internal_create_group() calls kernfs_remove(kn) on
the group directory. In the update path, kn was obtained via
kernfs_find_and_get() and refers to a directory that already existed
before this call. Removing it silently destroys a sysfs group that the
caller did not create.
Only remove the directory if we created it ourselves. On update failure
the directory remains as it is left empty by remove_files() inside
create_files(), but can be repopulated by a retry.
Cc: Rajat Jain <rajatja@google.com>
Fixes: c855cf2759d2 ("sysfs: Fix internal_create_group() for named group updates")
Cc: stable <stable@kernel.org>
Assisted-by: gkh_clanker_t1000
Reviewed-by: Rafael J. Wysocki (Intel) <rafael@kernel.org>
Reviewed-by: Danilo Krummrich <dakr@kernel.org>
Link: https://patch.msgid.link/2026052003-uniquely-hastily-c093@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/sysfs/group.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/sysfs/group.c
+++ b/fs/sysfs/group.c
@@ -147,7 +147,7 @@ static int internal_create_group(struct
kernfs_get(kn);
error = create_files(kn, kobj, uid, gid, grp, update);
if (error) {
- if (grp->name)
+ if (grp->name && !update)
kernfs_remove(kn);
}
kernfs_put(kn);
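Review bot: the new if (grp->name && !update) leaves the directory in place on an update failure, emptied by remove_files() according to the commit message, yet the code has no comment explaining why kernfs_remove(kn) is skipped. Add one above the condition, and consider folding the test into the outer one as if (error && grp->name && !update), since the inner if is the only statement in the block.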
* [PATCH 6.1 840/969] hwmon: (pmbus/adm1266) widen blackbox-info buffer to I2C_SMBUS_BLOCK_MAX
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (838 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 839/969] sysfs: dont remove existing directory on update failure Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 841/969] ALSA: ua101: Reject too-short USB descriptors Greg Kroah-Hartman
` (135 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Abdurrahman Hussain, Guenter Roeck
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdurrahman Hussain <abdurrahman@nexthop.ai>
commit eee213daa1e1b402eb631bcd1b8c5aa340a6b081 upstream.
adm1266_nvmem_read_blackbox() declares a 5-byte stack buffer and
passes it to i2c_smbus_read_block_data() to retrieve the 4-byte
BLACKBOX_INFO response. i2c_smbus_read_block_data() does not honour
caller buffer sizes -- it memcpy()s data.block[0] bytes from the
SMBus transaction (where data.block[0] is the length byte returned by
the slave device, up to I2C_SMBUS_BLOCK_MAX = 32):
memcpy(values, &data.block[1], data.block[0]);
If the device returns any block length above 5, the call overflows
the caller's 5-byte stack buffer before the post-call
if (ret != 4)
return -EIO;
check has a chance to reject the response.
Widen the local buffer to I2C_SMBUS_BLOCK_MAX so the helper has room
for any well-formed SMBus block response, matching the convention used
by the other i2c_smbus_read_block_data() callers in this driver.
Fixes: 15609d189302 ("hwmon: (pmbus/adm1266) read blackbox")
Cc: stable@vger.kernel.org
Signed-off-by: Abdurrahman Hussain <abdurrahman@nexthop.ai>
Link: https://lore.kernel.org/r/20260515-adm1266-fixes-v1-2-1c1ea1349cfe@nexthop.ai
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/pmbus/adm1266.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/hwmon/pmbus/adm1266.c
+++ b/drivers/hwmon/pmbus/adm1266.c
@@ -351,7 +351,7 @@ static int adm1266_nvmem_read_blackbox(s
{
int record_count;
char index;
- u8 buf[5];
+ u8 buf[I2C_SMBUS_BLOCK_MAX];
int ret;
ret = i2c_smbus_read_block_data(data->client, ADM1266_BLACKBOX_INFO, buf);
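Review bot: u8 buf[I2C_SMBUS_BLOCK_MAX] is the right size for the i2c_smbus_read_block_data() call shown two lines below, but nothing at the declaration says the size is dictated by the helper rather than by the 4-byte response. A comment to that effect would stop the buffer from being shrunk back to the payload size in a later cleanup.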
* [PATCH 6.1 841/969] ALSA: ua101: Reject too-short USB descriptors
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (839 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 840/969] hwmon: (pmbus/adm1266) widen blackbox-info buffer to I2C_SMBUS_BLOCK_MAX Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 842/969] ALSA: asihpi: Fix potential OOB array access at reading cache Greg Kroah-Hartman
` (134 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
commit b59d5c51bb328a60749b4dd5fe7e649bfb4089b4 upstream.
find_format_descriptor() walks the class-specific interface extras by
advancing with bLength. It rejects descriptors that extend past the
remaining buffer, but it does not reject descriptor lengths smaller than
a USB descriptor header.
Reject too-short descriptors before using bLength to advance the local
scan. This keeps the UA-101 parser robust against malformed descriptor
data and matches the usual USB descriptor walking rules.
Fixes: 63978ab3e3e9 ("sound: add Edirol UA-101 support")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260519-alsa-ua101-desc-len-v1-1-4307d1a5e054@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/misc/ua101.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/sound/usb/misc/ua101.c
+++ b/sound/usb/misc/ua101.c
@@ -914,8 +914,9 @@ find_format_descriptor(struct usb_interf
struct uac_format_type_i_discrete_descriptor *desc;
desc = (struct uac_format_type_i_discrete_descriptor *)extra;
- if (desc->bLength > extralen) {
- dev_err(&interface->dev, "descriptor overflow\n");
+ if (desc->bLength < sizeof(struct usb_descriptor_header) ||
+ desc->bLength > extralen) {
+ dev_err(&interface->dev, "invalid descriptor length\n");
return NULL;
}
if (desc->bLength == UAC_FORMAT_TYPE_I_DISCRETE_DESC_SIZE(1) &&
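Review bot: the new dev_err() in the bLength check folds two different failures (shorter than a descriptor header, longer than the remaining extras) into one "invalid descriptor length" string, so a log line no longer says which bound was violated. Printing desc->bLength and extralen in the message would keep that diagnostic. The lower bound itself is the right one for advancing the scan: it guarantees only the header bytes, and the field reads that follow are still gated by the bLength == UAC_FORMAT_TYPE_I_DISCRETE_DESC_SIZE(1) comparison on the next line.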
* [PATCH 6.1 842/969] ALSA: asihpi: Fix potential OOB array access at reading cache
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (840 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 841/969] ALSA: ua101: Reject too-short USB descriptors Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 843/969] net: wwan: iosm: fix potential memory leaks in ipc_imem_init() Greg Kroah-Hartman
` (133 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit 7b7d6572145c1dab2dd9bfb550b188e5f0ff3c3f upstream.
find_control() to retrieve a cached info accesses the array with the
given index blindly, which may lead to an OOB array access.
Add a sanity check for avoiding it.
Link: https://sashiko.dev/#/patchset/20260511230121.28606-1-rosenp%40gmail.com
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20260515085606.242284-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/asihpi/hpicmn.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/sound/pci/asihpi/hpicmn.c
+++ b/sound/pci/asihpi/hpicmn.c
@@ -276,6 +276,12 @@ static short find_control(u16 control_in
return 0;
}
+ if (control_index >= p_cache->control_count) {
+ HPI_DEBUG_LOG(VERBOSE, "control_index out of bounce %d\n",
+ control_index);
+ return 0;
+ }
+
*pI = p_cache->p_info[control_index];
if (!*pI) {
HPI_DEBUG_LOG(VERBOSE, "Uncached Control %d\n",
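Review bot: the log string in the added bounds check reads "control_index out of bounce"; it should say "out of bounds". The check also logs at VERBOSE and returns 0, the same value the early exit just above it returns, so a caller cannot tell a rejected index from the other failure. If an out-of-range control_index indicates a corrupted or untrusted message rather than normal operation, a higher log level would make it visible in production logs.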
* [PATCH 6.1 843/969] net: wwan: iosm: fix potential memory leaks in ipc_imem_init()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (841 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 842/969] ALSA: asihpi: Fix potential OOB array access at reading cache Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 844/969] Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del() Greg Kroah-Hartman
` (132 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Abdun Nihaal, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdun Nihaal <nihaal@cse.iitm.ac.in>
commit c5d93b2c40355e999715262a824965aac025a427 upstream.
The memory allocated in ipc_protocol_init() is not freed on the error
paths that follow in ipc_imem_init(). Fix that by calling the
corresponding release function ipc_protocol_deinit() in the error path.
Fixes: 3670970dd8c6 ("net: iosm: shared memory IPC interface")
Cc: stable@vger.kernel.org
Signed-off-by: Abdun Nihaal <nihaal@cse.iitm.ac.in>
Link: https://patch.msgid.link/20260519062815.55545-1-nihaal@cse.iitm.ac.in
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wwan/iosm/iosm_ipc_imem.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/net/wwan/iosm/iosm_ipc_imem.c
+++ b/drivers/net/wwan/iosm/iosm_ipc_imem.c
@@ -1423,6 +1423,8 @@ imem_config_fail:
protocol_init_fail:
cancel_work_sync(&ipc_imem->run_state_worker);
ipc_task_deinit(ipc_imem->ipc_task);
+ if (ipc_imem->ipc_protocol)
+ ipc_protocol_deinit(ipc_imem->ipc_protocol);
ipc_task_init_fail:
kfree(ipc_imem->ipc_task);
ipc_task_fail:
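Review bot: the added ipc_protocol_deinit() sits under protocol_init_fail:, the label whose name says it is also reached when ipc_protocol_init() itself failed, which is why it needs the if (ipc_imem->ipc_protocol) guard. That makes the cleanup depend on the pointer being NULL after a failed init. A separate label between imem_config_fail: and protocol_init_fail: would keep the unwind in strict reverse order of setup and drop the conditional.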
* [PATCH 6.1 844/969] Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (842 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 843/969] net: wwan: iosm: fix potential memory leaks in ipc_imem_init() Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 845/969] Bluetooth: ISO: drop ISO_END frames received without prior ISO_START Greg Kroah-Hartman
` (131 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Siwei Zhang, Safa Karakuş,
Luiz Augusto von Dentz
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Safa Karakuş <safa.karakus@secunnix.com>
commit ab1513597c6cf17cd1ad2a21e3b045421b48e022 upstream.
bt_accept_dequeue() unlinks a not-yet-accepted child from the parent
accept queue and release_sock()s it before returning, so the returned
sk has no caller reference and is unlocked.
l2cap_sock_cleanup_listen() walks these children on listening-socket
close. A concurrent HCI disconnect drives hci_rx_work ->
l2cap_conn_del() which runs l2cap_chan_del() + l2cap_sock_kill() and
frees the child sk and its l2cap_chan; cleanup_listen() then uses both:
BUG: KASAN: slab-use-after-free in l2cap_sock_kill
l2cap_sock_kill / l2cap_sock_cleanup_listen / __x64_sys_close
Freed by: l2cap_conn_del -> l2cap_sock_close_cb -> l2cap_sock_kill
This is distinct from the two fixes already in this area: commit
e83f5e24da741 ("Bluetooth: serialize accept_q access") serialises the
accept_q list/poll and takes temporary refs inside bt_accept_dequeue(),
and CVE-2025-39860 serialises the userspace close()/accept() race by
calling cleanup_listen() under lock_sock() in l2cap_sock_release().
Neither covers l2cap_conn_del() running from hci_rx_work, so this UAF
still reproduces on current bluetooth/master.
Take the reference at the source: bt_accept_dequeue() does sock_hold()
while sk is still locked, before release_sock(); callers sock_put().
cleanup_listen() pins the chan with l2cap_chan_hold_unless_zero() under
a brief child sk lock (serialising vs l2cap_sock_teardown_cb()), drops
it before l2cap_chan_lock(), and skips a duplicate l2cap_sock_kill() on
SOCK_DEAD. conn->lock is not taken here: cleanup_listen() runs under
the parent sk lock and that would invert
conn->lock -> chan->lock -> sk_lock (lockdep).
KASAN/SMP: an unprivileged listen/close vs HCI-disconnect race produced
12 use-after-free reports per run before this change; 0, and no lockdep
report, over 1600+ raced iterations after it on bluetooth/master.
Fixes: 15f02b910562 ("Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode")
Cc: stable@vger.kernel.org
Reported-by: Siwei Zhang <oss@fourdim.xyz>
Reviewed-by: Siwei Zhang <oss@fourdim.xyz>
Signed-off-by: Safa Karakuş <safa.karakus@secunnix.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/af_bluetooth.c | 10 ++++++++
net/bluetooth/iso.c | 9 ++++++-
net/bluetooth/l2cap_sock.c | 51 +++++++++++++++++++++++++++++++++++++------
net/bluetooth/rfcomm/sock.c | 9 ++++++-
net/bluetooth/sco.c | 9 ++++++-
5 files changed, 78 insertions(+), 10 deletions(-)
--- a/net/bluetooth/af_bluetooth.c
+++ b/net/bluetooth/af_bluetooth.c
@@ -282,6 +282,16 @@ restart:
if (newsock)
sock_graft(sk, newsock);
+ /* Hand the caller a reference taken while sk is
+ * still locked. bt_accept_unlink() just dropped
+ * the accept-queue reference; without this hold a
+ * concurrent teardown (e.g. l2cap_conn_del() ->
+ * l2cap_sock_kill()) could free sk between
+ * release_sock() and the caller using it. Every
+ * caller drops this with sock_put() when done.
+ */
+ sock_hold(sk);
+
release_sock(sk);
return sk;
}
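Review bot: the sock_hold() added before release_sock() changes the contract of bt_accept_dequeue() for every caller, but the only documentation is this comment at the return site. A missed caller would leak one sock reference per dequeued child, so the contract belongs in a comment above the function, and it is worth confirming that the four files touched by this patch (iso.c, l2cap_sock.c, rfcomm/sock.c, sco.c) contain the only callers in the 6.1 tree.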
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -564,6 +564,8 @@ static void iso_sock_cleanup_listen(stru
while ((sk = bt_accept_dequeue(parent, NULL))) {
iso_sock_close(sk);
iso_sock_kill(sk);
+ /* Drop the reference handed back by bt_accept_dequeue(). */
+ sock_put(sk);
}
parent->sk_state = BT_CLOSED;
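Review bot: iso_sock_kill(sk) is still called unconditionally before the new sock_put(sk), whereas the l2cap_sock.c cleanup loop in this same patch skips the kill when SOCK_DEAD is already set to avoid a double put. If a concurrent teardown can kill an ISO child in the same way, this loop needs the same guard; if it cannot, a one-line comment saying why would help the next reader.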
@@ -990,8 +992,13 @@ static int iso_sock_accept(struct socket
}
ch = bt_accept_dequeue(sk, newsock);
- if (ch)
+ if (ch) {
+ /* Drop the bridging ref from bt_accept_dequeue();
+ * the grafted socket keeps ch alive from here.
+ */
+ sock_put(ch);
break;
+ }
if (!timeo) {
err = -EAGAIN;
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -367,8 +367,13 @@ static int l2cap_sock_accept(struct sock
}
nsk = bt_accept_dequeue(sk, newsock);
- if (nsk)
+ if (nsk) {
+ /* Drop the bridging ref from bt_accept_dequeue();
+ * the grafted socket keeps nsk alive from here.
+ */
+ sock_put(nsk);
break;
+ }
if (!timeo) {
err = -EAGAIN;
@@ -1477,22 +1482,54 @@ static void l2cap_sock_cleanup_listen(st
BT_DBG("parent %p state %s", parent,
state_to_string(parent->sk_state));
- /* Close not yet accepted channels */
+ /* Close not yet accepted channels.
+ *
+ * bt_accept_dequeue() now returns sk with an extra reference held
+ * (taken while sk was still locked) so a concurrent l2cap_conn_del()
+ * -> l2cap_sock_kill() cannot free sk under us.
+ *
+ * cleanup_listen() runs under the parent sk lock, so unlike
+ * l2cap_sock_shutdown() we must NOT take conn->lock here: that would
+ * establish sk_lock -> conn->lock and invert the established
+ * conn->lock -> chan->lock -> sk_lock order (lockdep deadlock).
+ *
+ * Instead, briefly take the child sk lock to fetch and pin its chan.
+ * l2cap_conn_del() reaches the chan free only via
+ * l2cap_chan_del() -> l2cap_sock_teardown_cb(), which itself takes
+ * the child sk lock; holding it across l2cap_chan_hold_unless_zero()
+ * therefore guarantees the chan cannot be freed while we read and
+ * pin it (hold_unless_zero() additionally skips a chan already past
+ * its last reference). We then drop the sk lock before taking
+ * chan->lock, so sk and chan locks are never held together.
+ */
while ((sk = bt_accept_dequeue(parent, NULL))) {
- struct l2cap_chan *chan = l2cap_pi(sk)->chan;
+ struct l2cap_chan *chan;
+
+ lock_sock_nested(sk, L2CAP_NESTING_NORMAL);
+ chan = l2cap_chan_hold_unless_zero(l2cap_pi(sk)->chan);
+ release_sock(sk);
+ if (!chan) {
+ /* l2cap_conn_del() already tearing this child down */
+ sock_put(sk);
+ continue;
+ }
BT_DBG("child chan %p state %s", chan,
state_to_string(chan->state));
- l2cap_chan_hold(chan);
l2cap_chan_lock(chan);
-
__clear_chan_timer(chan);
l2cap_chan_close(chan, ECONNRESET);
- l2cap_sock_kill(sk);
-
+ /* l2cap_conn_del() may already have killed this socket
+ * (it sets SOCK_DEAD); skip the duplicate to avoid a
+ * double sock_put()/l2cap_chan_put().
+ */
+ if (!sock_flag(sk, SOCK_DEAD))
+ l2cap_sock_kill(sk);
l2cap_chan_unlock(chan);
+
l2cap_chan_put(chan);
+ sock_put(sk);
}
}
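Review bot: the SOCK_DEAD test in front of l2cap_sock_kill(sk) is made with chan->lock held but without the child sk lock, so it is only race-free if the path that sets SOCK_DEAD also runs under chan->lock. The block comment explains the sk/chan lock ordering at length but not this; please state what serialises the flag check against l2cap_conn_del(). The !chan branch also drops the reference and continues without closing or killing the child, relying entirely on the concurrent teardown to finish the job, which deserves a sentence in the comment as well.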
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -180,6 +180,8 @@ static void rfcomm_sock_cleanup_listen(s
while ((sk = bt_accept_dequeue(parent, NULL))) {
rfcomm_sock_close(sk);
rfcomm_sock_kill(sk);
+ /* Drop the reference handed back by bt_accept_dequeue(). */
+ sock_put(sk);
}
parent->sk_state = BT_CLOSED;
@@ -496,8 +498,13 @@ static int rfcomm_sock_accept(struct soc
}
nsk = bt_accept_dequeue(sk, newsock);
- if (nsk)
+ if (nsk) {
+ /* Drop the bridging ref from bt_accept_dequeue();
+ * the grafted socket keeps nsk alive from here.
+ */
+ sock_put(nsk);
break;
+ }
if (!timeo) {
err = -EAGAIN;
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -433,6 +433,8 @@ static void sco_sock_cleanup_listen(stru
while ((sk = bt_accept_dequeue(parent, NULL))) {
sco_sock_close(sk);
sco_sock_kill(sk);
+ /* Drop the reference handed back by bt_accept_dequeue(). */
+ sock_put(sk);
}
parent->sk_state = BT_CLOSED;
@@ -716,8 +718,13 @@ static int sco_sock_accept(struct socket
}
ch = bt_accept_dequeue(sk, newsock);
- if (ch)
+ if (ch) {
+ /* Drop the bridging ref from bt_accept_dequeue();
+ * the grafted socket keeps ch alive from here.
+ */
+ sock_put(ch);
break;
+ }
if (!timeo) {
err = -EAGAIN;
* [PATCH 6.1 845/969] Bluetooth: ISO: drop ISO_END frames received without prior ISO_START
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (843 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 844/969] Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del() Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 846/969] Bluetooth: bnep: Fix UAF read of dev->name Greg Kroah-Hartman
` (130 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Carlier,
Luiz Augusto von Dentz
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Carlier <devnexen@gmail.com>
commit 84c24fb151fc1179355296d7ff29129ac7c42129 upstream.
ISO data PDUs carry a packet-boundary flag indicating START, CONT, END
or SINGLE. The ISO_CONT branch of iso_recv() guards against a missing
ISO_START by checking conn->rx_len before touching conn->rx_skb, but
ISO_END does not.
If a peer sends an ISO_END as the first packet on a fresh ISO
connection, conn->rx_skb is still NULL and conn->rx_len is zero, so
skb_put(conn->rx_skb, ...) dereferences NULL and oopses. For BIS,
where receivers sync to a broadcaster without pairing, any broadcaster
on the air can trigger this.
Mirror the ISO_CONT check at the top of ISO_END so a stray end fragment
is logged and dropped instead of crashing the host.
Fixes: ccf74f2390d6 ("Bluetooth: Add BTPROTO_ISO socket type")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: David Carlier <devnexen@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/iso.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -1771,6 +1771,11 @@ void iso_recv(struct hci_conn *hcon, str
break;
case ISO_END:
+ if (!conn->rx_len) {
+ BT_ERR("Unexpected end frame (len %d)", skb->len);
+ goto drop;
+ }
+
skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
skb->len);
conn->rx_len -= skb->len;
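Review bot: the new !conn->rx_len check stops the NULL conn->rx_skb dereference, but the lines right after it still call skb_put(conn->rx_skb, skb->len) and subtract skb->len from conn->rx_len without comparing the two. If an end fragment longer than the remaining conn->rx_len is not rejected earlier in iso_recv(), malformed input from the peer can still reach this path; a skb->len > conn->rx_len test that also jumps to drop would close it. Minor: skb->len is unsigned, so the BT_ERR() format should be %u rather than %d.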
* [PATCH 6.1 846/969] Bluetooth: bnep: Fix UAF read of dev->name
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (844 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 845/969] Bluetooth: ISO: drop ISO_END frames received without prior ISO_START Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 847/969] Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths Greg Kroah-Hartman
` (129 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jann Horn, Luiz Augusto von Dentz
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jann Horn <jannh@google.com>
commit 59e932ded949fa6f0340bf7c6d7818f962fa4fd2 upstream.
bnep_add_connection() needs to keep holding the bnep_session_sem while
reading dev->name (just like bnep_get_connlist() does); otherwise the
bnep_session() thread can concurrently free the net_device, which can for
example be triggered by a concurrent bnep_del_connection().
(This UAF is fairly uninteresting from a security perspective;
calling bnep_add_connection() requires passing a capable(CAP_NET_ADMIN)
check. It also requires completely tearing down a netdev during a fairly
tight race window.)
Cc: stable@vger.kernel.org
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/bnep/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/bluetooth/bnep/core.c
+++ b/net/bluetooth/bnep/core.c
@@ -638,8 +638,8 @@ int bnep_add_connection(struct bnep_conn
goto failed;
}
- up_write(&bnep_session_sem);
strcpy(req->device, dev->name);
+ up_write(&bnep_session_sem);
return 0;
failed:
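Review bot: nothing at the moved up_write() says why bnep_session_sem must stay held across the read of dev->name, so a later cleanup could move the unlock back above the copy. A one-line comment (the session thread can free the net_device once the semaphore is dropped) would pin the ordering. Since the strcpy() line is in the hunk anyway, a bounded copy such as strscpy() sized to req->device would also make the destination limit explicit.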
* [PATCH 6.1 847/969] Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (845 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 846/969] Bluetooth: bnep: Fix UAF read of dev->name Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 848/969] Bluetooth: MGMT: validate Add Extended Advertising Data length Greg Kroah-Hartman
` (128 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mingyu Wang, Luiz Augusto von Dentz
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
commit c1bb9336ae6b54a5f6a353c4bd4ed9a4307e429b upstream.
Vulnerabilities leading to Use-After-Free (UAF) and Null Pointer
Dereference (NPD) conditions were observed in the lifecycle management
of hci_uart.
The primary issue arises because the workqueues (init_ready and
write_work) are only flushed/cancelled if the HCI_UART_PROTO_READY
flag is set during TTY close. If a hangup occurs before setup completes,
hci_uart_tty_close() skips the teardown of these workqueues and
proceeds to free the `hu` struct. When the scheduled work executes
later, it blindly dereferences the freed `hu` struct.
Furthermore, several data races and UAFs were identified in the teardown
sequence:
1. Calling hci_uart_flush() from hci_uart_close() without effectively
disabling write_work causes a race condition where both can concurrently
double-free hu->tx_skb. This happens because protocol timers can
concurrently invoke hci_uart_tx_wakeup() and requeue write_work.
2. Calling hci_free_dev(hdev) before hu->proto->close(hu) causes a UAF
when vendor specific protocol close callbacks dereference hu->hdev.
3. In the initialization error paths, failing to take the proto_lock
write lock before clearing PROTO_READY leads to races with active
readers. Additionally, hci_uart_tty_receive() accesses hu->hdev
outside the read lock, leading to UAFs if the initialization error
path frees hdev concurrently.
Fix these synchronization and lifecycle issues by:
1. Re-ordering hci_uart_tty_close() to clear HCI_UART_PROTO_READY first,
followed immediately by a cancel_work_sync(&hu->write_work). Clearing
the flag locks out concurrent protocol timers from successfully invoking
hci_uart_tx_wakeup(), effectively rendering the cancellation permanent
and preventing the tx_skb double-free.
2. Note: Clearing PROTO_READY early causes hci_uart_close() to skip
hu->proto->flush(). This is perfectly safe in the tty_close path
because hu->proto->close() executes shortly after, which intrinsically
purges all protocol SKB queues and tears down the state.
3. Relocating hu->proto->close(hu) strictly prior to hci_free_dev(hdev)
across all close and error paths to prevent vendor-level UAFs.
4. Moving the hdev->stat.byte_rx increment in hci_uart_tty_receive()
inside the proto_lock read-side critical section to safely synchronize
with device unregistration.
5. Adding cancel_work_sync(&hu->write_work) to hci_uart_close() to safely
flush the workqueue before hci_uart_flush() is invoked via the HCI core.
6. Utilizing cancel_work_sync() instead of disable_work_sync() across
all paths to prevent permanently breaking user-space retry capabilities.
Fixes: 3b799254cf6f ("Bluetooth: hci_uart: Cancel init work before unregistering")
Cc: stable@vger.kernel.org
Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/bluetooth/hci_ldisc.c | 48 +++++++++++++++++++++++++++++++++++-------
1 file changed, 40 insertions(+), 8 deletions(-)
--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -194,7 +194,15 @@ void hci_uart_init_work(struct work_stru
err = hci_register_dev(hu->hdev);
if (err < 0) {
BT_ERR("Can't register HCI device");
+
+ percpu_down_write(&hu->proto_lock);
clear_bit(HCI_UART_PROTO_READY, &hu->flags);
+ percpu_up_write(&hu->proto_lock);
+
+ /* Safely cancel work after clearing flags */
+ cancel_work_sync(&hu->write_work);
+
+ /* Close protocol before freeing hdev */
hu->proto->close(hu);
hdev = hu->hdev;
hu->hdev = NULL;
@@ -263,8 +271,12 @@ static int hci_uart_open(struct hci_dev
/* Close device */
static int hci_uart_close(struct hci_dev *hdev)
{
+ struct hci_uart *hu = hci_get_drvdata(hdev);
+
BT_DBG("hdev %p", hdev);
+ cancel_work_sync(&hu->write_work);
+
hci_uart_flush(hdev);
hdev->flush = NULL;
return 0;
@@ -528,6 +540,7 @@ static void hci_uart_tty_close(struct tt
{
struct hci_uart *hu = tty->disc_data;
struct hci_dev *hdev;
+ bool proto_ready;
BT_DBG("tty %p", tty);
@@ -537,24 +550,38 @@ static void hci_uart_tty_close(struct tt
if (!hu)
return;
- hdev = hu->hdev;
- if (hdev)
- hci_uart_close(hdev);
+ /* Wait for init_ready to finish to prevent registration races */
+ cancel_work_sync(&hu->init_ready);
- if (test_bit(HCI_UART_PROTO_READY, &hu->flags)) {
+ proto_ready = test_bit(HCI_UART_PROTO_READY, &hu->flags);
+ if (proto_ready) {
percpu_down_write(&hu->proto_lock);
clear_bit(HCI_UART_PROTO_READY, &hu->flags);
percpu_up_write(&hu->proto_lock);
+ }
- cancel_work_sync(&hu->init_ready);
- cancel_work_sync(&hu->write_work);
+ /*
+ * Unconditionally cancel write_work AFTER clearing PROTO_READY.
+ * This ensures that concurrent protocol timers cannot requeue
+ * write_work via hci_uart_tx_wakeup(), permanently preventing
+ * double-free races and UAFs.
+ */
+ cancel_work_sync(&hu->write_work);
+
+ hdev = hu->hdev;
+ if (hdev)
+ hci_uart_close(hdev); /* proto->flush is safely skipped */
+ if (proto_ready) {
if (hdev) {
if (test_bit(HCI_UART_REGISTERED, &hu->flags))
hci_unregister_dev(hdev);
- hci_free_dev(hdev);
}
+ /* Close protocol before freeing hdev (intrinsically purges queues) */
hu->proto->close(hu);
+
+ if (hdev)
+ hci_free_dev(hdev);
}
clear_bit(HCI_UART_PROTO_SET, &hu->flags);
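Review bot: proto_ready is sampled with test_bit() before percpu_down_write(&hu->proto_lock) is taken and the flag is cleared under the lock afterwards, so the test and the clear are not one atomic step. Doing test_and_clear_bit() inside the write-locked section would remove that window. Separately, cancel_work_sync(&hu->init_ready) now runs before PROTO_READY is cleared and before write_work is cancelled; if anything that can still run in that window is able to schedule init_ready again, the first cancel is not final, and the comment should say why that cannot happen.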
@@ -622,11 +649,12 @@ static void hci_uart_tty_receive(struct
* tty caller
*/
hu->proto->recv(hu, data, count);
- percpu_up_read(&hu->proto_lock);
if (hu->hdev)
hu->hdev->stat.byte_rx += count;
+ percpu_up_read(&hu->proto_lock);
+
tty_unthrottle(tty);
}
@@ -697,6 +725,10 @@ static int hci_uart_register_dev(struct
percpu_down_write(&hu->proto_lock);
clear_bit(HCI_UART_PROTO_INIT, &hu->flags);
percpu_up_write(&hu->proto_lock);
+ /* Cancel work after clearing flags */
+ cancel_work_sync(&hu->write_work);
+
+ /* Close protocol before freeing hdev */
hu->proto->close(hu);
hu->hdev = NULL;
hci_free_dev(hdev);
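Review bot: the flag cleared before this cancel_work_sync(&hu->write_work) is HCI_UART_PROTO_INIT, while the commit message's argument that the cancel cannot be undone rests on HCI_UART_PROTO_READY being clear. Please confirm that hci_uart_tx_wakeup() in 6.1 also refuses to requeue write_work once PROTO_INIT is cleared here, or clear whichever flag it actually tests before cancelling; the "Cancel work after clearing flags" comment should name the flag it relies on.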
* [PATCH 6.1 848/969] Bluetooth: MGMT: validate Add Extended Advertising Data length
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (846 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 847/969] Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 849/969] phonet/pep: disable BH around forwarded sk_receive_skb() Greg Kroah-Hartman
` (127 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Bommarito,
Luiz Augusto von Dentz
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit d3f7d17960ed50df3a6709c5158caff989c8c905 upstream.
MGMT_OP_ADD_EXT_ADV_DATA is registered as a variable-length command,
with MGMT_ADD_EXT_ADV_DATA_SIZE as the fixed header size. The handler
then uses cp->adv_data_len and cp->scan_rsp_len to validate and copy
cp->data, but it never checks that those bytes are part of the mgmt
command payload.
A short command can therefore make add_ext_adv_data() pass an
out-of-bounds pointer into tlv_data_is_valid(). If the bytes beyond
the command buffer are addressable, they can also be copied into the
advertising instance as scan response data, where the caller can read
them back via MGMT_OP_GET_ADV_INSTANCE. The trigger requires
CAP_NET_ADMIN in the initial user namespace; KASAN reports an 8-byte
slab-out-of-bounds read.
Reject commands whose length does not match the fixed header plus both
advertising data lengths before parsing cp->data.
Fixes: 12410572833a ("Bluetooth: Break add adv into two mgmt commands")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/mgmt.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -9075,9 +9075,15 @@ static int add_ext_adv_data(struct sock
struct adv_info *adv_instance;
int err = 0;
struct mgmt_pending_cmd *cmd;
+ u16 expected_len;
BT_DBG("%s", hdev->name);
+ expected_len = struct_size(cp, data, cp->adv_data_len + cp->scan_rsp_len);
+ if (expected_len != data_len)
+ return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
+ MGMT_STATUS_INVALID_PARAMS);
+
hci_dev_lock(hdev);
adv_instance = hci_find_adv_instance(hdev, cp->instance);
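Review bot: expected_len is declared u16, but struct_size() evaluates to size_t and saturates to SIZE_MAX on overflow, so the assignment truncates before the comparison with data_len. Whether the truncation can matter depends on the widths of cp->adv_data_len and cp->scan_rsp_len, which this hunk does not show; declaring expected_len as size_t makes the check correct by construction and spares the reader that argument.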
* [PATCH 6.1 849/969] phonet/pep: disable BH around forwarded sk_receive_skb()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (847 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 848/969] Bluetooth: MGMT: validate Add Extended Advertising Data length Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 850/969] net: bcmgenet: keep RBUF EEE/PM disabled Greg Kroah-Hartman
` (126 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zijing Yin, Rémi Denis-Courmont,
syzbot+9f4a135646b66c509935, Eric Dumazet, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zijing Yin <yzjaurora@gmail.com>
commit dbc81608e3a653dea6cf403f20cae35468b8ab9c upstream.
The networking receive path is usually run from softirq context, but
protocols that take the socket lock may have packets stored in the
backlog and processed later from process context. In that case
release_sock() -> __release_sock() drops the slock with spin_unlock_bh()
and then calls sk->sk_backlog_rcv() with bottom halves enabled.
Typical sk_backlog_rcv handlers process the socket whose backlog is
being drained, so the BH state at entry is irrelevant for the slocks
they touch. pep_do_rcv() is different: when the inbound skb targets an
existing PEP pipe, it forwards the skb to a different *child* socket
via sk_receive_skb(). That helper takes the child slock with
bh_lock_sock_nested(), which is just spin_lock_nested() and assumes BH
is already off. The same child slock therefore ends up acquired with
BH on (process path) and with BH off (softirq path):
process context                 softirq context
---------------                 ---------------
release_sock(listener)          __netif_receive_skb()
__release_sock()                phonet_rcv()
spin_unlock_bh()                __sk_receive_skb(listener)
[BH now ENABLED]                [BH already disabled]
sk_backlog_rcv:                 sk_backlog_rcv:
pep_do_rcv()                    pep_do_rcv()
sk_receive_skb(child)           sk_receive_skb(child)
bh_lock_sock_nested(child)      bh_lock_sock_nested(child)
=> SOFTIRQ-ON-W                 => IN-SOFTIRQ-W
Lockdep flags this as inconsistent lock state, and it can become a real
self-deadlock if a softirq on the same CPU tries to receive to the same
child socket while its slock is held in the BH-enabled path:
WARNING: inconsistent lock state
inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
(slock-AF_PHONET/1){+.?.}-{3:3}, at: __sk_receive_skb+0x1cf/0x900
__sk_receive_skb net/core/sock.c:563
sk_receive_skb include/net/sock.h:2022 [inline]
pep_do_rcv net/phonet/pep.c:675
sk_backlog_rcv include/net/sock.h:1190
__release_sock net/core/sock.c:3216
release_sock net/core/sock.c:3815
pep_sock_accept net/phonet/pep.c:879
Wrap the forwarded sk_receive_skb() in local_bh_disable() /
local_bh_enable() so the child slock is always acquired with BH off.
local_bh_disable() nests safely on the softirq path.
Discovered via in-house syzkaller fuzzing; the same root cause also
on the linux-6.1.y syzbot dashboard as extid 44f0626dd6284f02663c.
Reproduced under KASAN + LOCKDEP + PROVE_LOCKING, reproducer:
https://pastebin.com/A3t8xzCR
Fixes: 9641458d3ec4 ("Phonet: Pipe End Point for Phonet Pipes protocol")
Link: https://syzkaller.appspot.com/bug?extid=44f0626dd6284f02663c
Cc: stable@vger.kernel.org
Signed-off-by: Zijing Yin <yzjaurora@gmail.com>
Acked-by: Rémi Denis-Courmont <remi@remlab.net>
Reported-by: syzbot+9f4a135646b66c509935@syzkaller.appspotmail.com
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260519172635.86304-1-yzjaurora@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/phonet/pep.c | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
--- a/net/phonet/pep.c
+++ b/net/phonet/pep.c
@@ -671,8 +671,23 @@ static int pep_do_rcv(struct sock *sk, s
/* Look for an existing pipe handle */
sknode = pep_find_pipe(&pn->hlist, &dst, pipe_handle);
- if (sknode)
- return sk_receive_skb(sknode, skb, 1);
+ if (sknode) {
+ int rc;
+
+ /* pep_do_rcv() runs from two contexts: from softirq via
+ * phonet_rcv() -> __sk_receive_skb() with BH disabled,
+ * and from process context via
+ * release_sock() -> __release_sock(), which drops
+ * the listener slock with spin_unlock_bh() before draining
+ * the backlog. The child pipe slock is taken below via
+ * bh_lock_sock_nested(), which does not itself disable BH, so
+ * disable BH here to keep both acquire contexts consistent.
+ */
+ local_bh_disable();
+ rc = sk_receive_skb(sknode, skb, 1);
+ local_bh_enable();
+ return rc;
+ }
switch (hdr->message_id) {
case PNS_PEP_CONNECT_REQ:
* [PATCH 6.1 850/969] net: bcmgenet: keep RBUF EEE/PM disabled
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (848 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 849/969] phonet/pep: disable BH around forwarded sk_receive_skb() Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 851/969] net: ifb: report ethtool stats over num_tx_queues Greg Kroah-Hartman
` (125 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nicolai Buchwitz, Florian Fainelli,
Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolai Buchwitz <nb@tipi-net.de>
commit 9a1730245e416d11ad5c0f2c100061d61cc43f60 upstream.
Setting RBUF_EEE_EN | RBUF_PM_EN in RBUF_ENERGY_CTRL breaks the RX
path on GENET hardware once MAC EEE becomes active. RX traffic stops
flowing while the link stays up and the usual descriptor/RX error
counters remain quiet. In that state the MAC still accepts frames
(rbuf_ovflow_cnt keeps climbing) but RBUF no longer forwards them to
DMA, so rx_packets is no longer incremented at the netdev level. On
some boards the corruption ends up as a paging fault in
skb_release_data via bcmgenet_rx_poll on an LPI exit.
Reproduced on Pi 4B (BCM2711 + BCM54213PE) and confirmed by Florian
Fainelli on an internal Broadcom 4908-family board with the same crash
signature. RBUF_PM_EN is not publicly documented.
This shows up more often now that phy_support_eee() enables EEE by
default, but it also affects older kernels as soon as TX LPI is
turned on via ethtool, so it is not specific to recent changes.
Always clear RBUF_EEE_EN | RBUF_PM_EN in bcmgenet_eee_enable_set so
the bits stay off across resets. UMAC and TBUF setup is left alone so
TX-side EEE keeps working.
Link: https://github.com/raspberrypi/linux/issues/7304
Fixes: 6ef398ea60d9 ("net: bcmgenet: add EEE support")
Cc: stable@vger.kernel.org
Signed-off-by: Nicolai Buchwitz <nb@tipi-net.de>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://patch.msgid.link/20260520184320.652053-1-nb@tipi-net.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/broadcom/genet/bcmgenet.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -1344,13 +1344,12 @@ void bcmgenet_eee_enable_set(struct net_
reg &= ~(TBUF_EEE_EN | TBUF_PM_EN);
bcmgenet_writel(reg, priv->base + off);
- /* Do the same for thing for RBUF */
+ /* RBUF EEE/PM can break the RX path on GENET. Keep it disabled. */
reg = bcmgenet_rbuf_readl(priv, RBUF_ENERGY_CTRL);
- if (enable)
- reg |= RBUF_EEE_EN | RBUF_PM_EN;
- else
+ if (reg & (RBUF_EEE_EN | RBUF_PM_EN)) {
reg &= ~(RBUF_EEE_EN | RBUF_PM_EN);
- bcmgenet_rbuf_writel(priv, reg, RBUF_ENERGY_CTRL);
+ bcmgenet_rbuf_writel(priv, reg, RBUF_ENERGY_CTRL);
+ }
if (!enable && priv->clk_eee_enabled) {
clk_disable_unprepare(priv->clk_eee);
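Review bot: the RBUF block no longer looks at `enable`, which reads like an oversight next to the TBUF lines just above and the `if (!enable && priv->clk_eee_enabled)` test just below, both of which still depend on it. The one-line comment should say that RBUF_EEE_EN | RBUF_PM_EN are cleared on both the enable and disable paths on purpose, and that the write is skipped when the bits are already clear, so the asymmetry with TBUF is visibly deliberate.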
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 851/969] net: ifb: report ethtool stats over num_tx_queues
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (849 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 850/969] net: bcmgenet: keep RBUF EEE/PM disabled Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 852/969] netfilter: ip6t_hbh: reject oversized option lists Greg Kroah-Hartman
` (124 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit 5db89c99566fc4728cc92e941d8e1975711e24b5 upstream.
ifb_dev_init() allocates dp->tx_private to dev->num_tx_queues
entries via kzalloc_objs(*txp, dev->num_tx_queues). Both IFB
per-queue RX and TX stats live in those entries: ifb_xmit() updates
txp->rx_stats using the skb queue mapping, ifb_ri_tasklet() updates
txp->tx_stats, and ifb_stats64() aggregates both over
dev->num_tx_queues.
The ethtool stats callbacks instead size and walk the per-queue
stats with dev->real_num_rx_queues and dev->real_num_tx_queues. With
an asymmetric device where the RX queue count exceeds the TX queue
count, for example:
ip link add name ifb10 numtxqueues 1 numrxqueues 8 type ifb
ethtool -S ifb10
ifb_get_ethtool_stats() indexes past the tx_private allocation and
copies adjacent slab data through ETHTOOL_GSTATS.
Use dev->num_tx_queues consistently for the stats strings, the
stats count, and the stats data walks. This reports one RX stats
group and one TX stats group for each backing ifb_q_private entry,
which is the queue set IFB can actually populate.
Reproduced under UML+KASAN at v7.1-rc2:
BUG: KASAN: slab-out-of-bounds in ifb_fill_stats_data+0x3c/0xae
Read of size 8 at addr 0000000062dbd228 by task ethtool/36
ifb_fill_stats_data+0x3c/0xae
ifb_get_ethtool_stats+0xc0/0x129
__dev_ethtool+0x1ca5/0x363c
dev_ethtool+0x123/0x1b3
dev_ioctl+0x56c/0x744
sock_do_ioctl+0x15f/0x1b2
sock_ioctl+0x4d5/0x50a
sys_ioctl+0xd8b/0xde9
With the patch applied, the same UML+KASAN repro is silent and
ethtool -S ifb10 reports only the stats backed by the single
allocated tx_private entry.
Fixes: a21ee5b2fcb8 ("net: ifb: support ethtools stats")
Cc: stable@vger.kernel.org
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://patch.msgid.link/20260514013739.3549624-1-michael.bommarito@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ifb.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
--- a/drivers/net/ifb.c
+++ b/drivers/net/ifb.c
@@ -211,12 +211,12 @@ static void ifb_get_strings(struct net_d
switch (stringset) {
case ETH_SS_STATS:
- for (i = 0; i < dev->real_num_rx_queues; i++)
+ for (i = 0; i < dev->num_tx_queues; i++)
for (j = 0; j < IFB_Q_STATS_LEN; j++)
ethtool_sprintf(&p, "rx_queue_%u_%.18s",
i, ifb_q_stats_desc[j].desc);
- for (i = 0; i < dev->real_num_tx_queues; i++)
+ for (i = 0; i < dev->num_tx_queues; i++)
for (j = 0; j < IFB_Q_STATS_LEN; j++)
ethtool_sprintf(&p, "tx_queue_%u_%.18s",
i, ifb_q_stats_desc[j].desc);
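Review bot: after this hunk the "rx_queue_%u_..." strings are generated over dev->num_tx_queues, so the label says RX while the bound says TX, with nothing in the code explaining why. A short comment above the first loop stating that both the RX and TX per-queue stats live in the tx_private entries, and that the count is therefore the TX allocation size, would keep someone from "fixing" the bound back to an RX queue count.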
@@ -229,8 +229,7 @@ static int ifb_get_sset_count(struct net
{
switch (sset) {
case ETH_SS_STATS:
- return IFB_Q_STATS_LEN * (dev->real_num_rx_queues +
- dev->real_num_tx_queues);
+ return IFB_Q_STATS_LEN * dev->num_tx_queues * 2;
default:
return -EOPNOTSUPP;
}
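Review bot: `IFB_Q_STATS_LEN * dev->num_tx_queues * 2` hides what the literal 2 stands for. Either comment it as one RX group plus one TX group per queue entry, or keep the sum form (num_tx_queues + num_tx_queues) so the correspondence with the two loops in ifb_get_strings() and ifb_get_ethtool_stats() stays obvious; the three functions have to agree exactly or ethtool will misalign names and values.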
@@ -262,12 +261,12 @@ static void ifb_get_ethtool_stats(struct
struct ifb_q_private *txp;
int i;
- for (i = 0; i < dev->real_num_rx_queues; i++) {
+ for (i = 0; i < dev->num_tx_queues; i++) {
txp = dp->tx_private + i;
ifb_fill_stats_data(&data, &txp->rx_stats);
}
- for (i = 0; i < dev->real_num_tx_queues; i++) {
+ for (i = 0; i < dev->num_tx_queues; i++) {
txp = dp->tx_private + i;
ifb_fill_stats_data(&data, &txp->tx_stats);
}
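Review bot: the bound `dev->num_tx_queues` is now repeated in five loop headers and one count expression across three functions, and the out-of-bounds read came from those sites using a bound that did not match the tx_private allocation. A small local helper or macro for "number of ifb_q_private entries" used by all of them would make a future mismatch harder to introduce than repeating the field name at each site.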
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 852/969] netfilter: ip6t_hbh: reject oversized option lists
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (850 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 851/969] net: ifb: report ethtool stats over num_tx_queues Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 853/969] netfilter: nf_queue: hold bridge skb->dev while queued Greg Kroah-Hartman
` (123 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
Juefei Pu, Xin Liu, Zhengchuan Liang, Ren Wei, Pablo Neira Ayuso
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhengchuan Liang <zcliangcn@gmail.com>
commit 4322dcde6b4173c2d8e8e6118ed290794263bcc8 upstream.
struct ip6t_opts stores at most IP6T_OPTS_OPTSNR option descriptors,
but hbh_mt6_check() does not reject larger optsnr values supplied from
userspace.
Validate optsnr in the rule setup path so only match data that fits the
fixed-size opts array can be installed. This follows the existing xtables
pattern of rejecting invalid user-provided counts in checkentry() and
keeps the packet matching path unchanged.
`struct ip6t_opts` has a fixed `opts[IP6T_OPTS_OPTSNR]` array,
where `IP6T_OPTS_OPTSNR` is 16, then off-by-one array access is possible:
[ 137.924693][ T8692] UBSAN: array-index-out-of-bounds in ../net/ipv6/netfilter/ip6t_hbh.c:110:29
[ 137.926167][ T8692] index 16 is out of range for type '__u16 [16]'
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/netfilter/ip6t_hbh.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/net/ipv6/netfilter/ip6t_hbh.c
+++ b/net/ipv6/netfilter/ip6t_hbh.c
@@ -168,6 +168,10 @@ static int hbh_mt6_check(const struct xt
pr_debug("unknown flags %X\n", optsinfo->invflags);
return -EINVAL;
}
+ if (optsinfo->optsnr > IP6T_OPTS_OPTSNR) {
+ pr_debug("too many supported opts specified\n");
+ return -EINVAL;
+ }
if (optsinfo->flags & IP6T_OPTS_NSTRICT) {
pr_debug("Not strict - not implemented");
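Review bot: the comparison `optsinfo->optsnr > IP6T_OPTS_OPTSNR` accepts optsnr equal to the array size, which is the right boundary for a count over `opts[IP6T_OPTS_OPTSNR]`, but that deserves a word in the changelog or a comment since the UBSAN report quoted above cites index 16. The debug string "too many supported opts specified" is also hard to act on; printing the supplied optsnr and the limit would make the rejection diagnosable.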
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 853/969] netfilter: nf_queue: hold bridge skb->dev while queued
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (851 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 852/969] netfilter: ip6t_hbh: reject oversized option lists Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 854/969] netfilter: ipset: stop hash:* range iteration at end Greg Kroah-Hartman
` (122 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
Juefei Pu, Xin Liu, Haoze Xie, Ren Wei, Pablo Neira Ayuso
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoze Xie <royenheart@gmail.com>
commit e196115ec330a18de415bdb9f5071aa9f08e53ce upstream.
br_pass_frame_up() rewrites skb->dev from the ingress port to the bridge
master before queueing bridge LOCAL_IN packets. NFQUEUE only holds
references on state.in/out and bridge physdevs, so a queued bridge
packet can retain a freed bridge master in skb->dev until reinjection.
When the verdict is reinjected later, br_netif_receive_skb() re-enters
the receive path with skb->dev still pointing at the freed bridge master,
triggering a use-after-free.
Store skb->dev in the queue entry, hold a reference on it for the queue
lifetime, and use the saved device when dropping queued packets during
NETDEV_DOWN handling.
Fixes: ac2863445686 ("netfilter: bridge: add nf_afinfo to enable queuing to userspace")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Haoze Xie <royenheart@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/netfilter/nf_queue.h | 1 +
net/netfilter/nf_queue.c | 4 +++-
net/netfilter/nfnetlink_queue.c | 2 ++
3 files changed, 6 insertions(+), 1 deletion(-)
--- a/include/net/netfilter/nf_queue.h
+++ b/include/net/netfilter/nf_queue.h
@@ -12,6 +12,7 @@
struct nf_queue_entry {
struct list_head list;
struct sk_buff *skb;
+ struct net_device *skb_dev;
unsigned int id;
unsigned int hook_index; /* index in hook_entries->hook[] */
#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
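Review bot: the new `struct net_device *skb_dev;` member has no comment, unlike `hook_index` two lines below it. It should say that this is skb->dev as captured at queue time, that a reference is held on it for the lifetime of the entry, and whether it may be NULL, since the dev_cmp() hunk tests it for NULL while the dev_hold()/dev_put() hunks do not.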
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -60,6 +60,7 @@ static void nf_queue_entry_release_refs(
struct nf_hook_state *state = &entry->state;
/* Release those devices we held, or Alexey will kill me. */
+ dev_put(entry->skb_dev);
dev_put(state->in);
dev_put(state->out);
if (state->sk)
@@ -101,6 +102,7 @@ bool nf_queue_entry_get_refs(struct nf_q
if (state->sk && !refcount_inc_not_zero(&state->sk->sk_refcnt))
return false;
+ dev_hold(entry->skb_dev);
dev_hold(state->in);
dev_hold(state->out);
@@ -201,11 +203,11 @@ static int __nf_queue(struct sk_buff *sk
*entry = (struct nf_queue_entry) {
.skb = skb,
+ .skb_dev = skb->dev,
.state = *state,
.hook_index = index,
.size = sizeof(*entry) + route_key_size,
};
-
__nf_queue_entry_init_physdevs(entry);
if (!nf_queue_entry_get_refs(entry)) {
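Review bot: besides adding `.skb_dev = skb->dev,` this hunk deletes the blank line between the closing `};` of the initializer and `__nf_queue_entry_init_physdevs(entry);`. That is an unrelated whitespace change in a stable backport and makes the diff against upstream context noisier; please restore the blank line unless the upstream commit removed it too.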
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -951,6 +951,8 @@ dev_cmp(struct nf_queue_entry *entry, un
if (physinif == ifindex || physoutif == ifindex)
return 1;
#endif
+ if (entry->skb_dev && entry->skb_dev->ifindex == ifindex)
+ return 1;
if (entry->state.in)
if (entry->state.in->ifindex == ifindex)
return 1;
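Review bot: the added `entry->skb_dev` test in dev_cmp() sits between the physdev block and the state.in/state.out checks with no hint of which device it is meant to catch. A comment that it matches the device saved from skb->dev at queue time (the bridge master case from the changelog) would help, and the single-line `if (a && a->ifindex == ifindex)` form differs from the nested `if (entry->state.in) if (...)` style used directly below; pick one for the function.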
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 854/969] netfilter: ipset: stop hash:* range iteration at end
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (852 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 853/969] netfilter: nf_queue: hold bridge skb->dev while queued Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 855/969] qed: fix double free in qed_cxt_tables_alloc() Greg Kroah-Hartman
` (121 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
Juefei Pu, Xin Liu, Nan Li, Ren Wei, Pablo Neira Ayuso
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nan Li <tonanli66@gmail.com>
commit 0d3a282ab5f165fc207ff49ea5b6ad8f54616bd6 upstream.
The following hash set variants:
hash:ip,mark
hash:ip,port
hash:ip,port,ip
hash:ip,port,net
iterate IPv4 ranges with a 32-bit iterator.
The iterator must stop once the last address in the requested range has
been processed. Advancing it once more can move the traversal state past
the end of the request, so a later retry may continue from an unintended
position.
Handle the iterator increment explicitly at the end of the loop and stop
once the upper bound has been processed. This keeps the existing retry
behaviour intact for valid ranges while preventing traversal from
continuing past the original boundary.
Fixes: 48596a8ddc46 ("netfilter: ipset: Fix adding an IPv4 range containing more than 2^31 addresses")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Nan Li <tonanli66@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/ipset/ip_set_hash_ipmark.c | 6 +++++-
net/netfilter/ipset/ip_set_hash_ipport.c | 5 ++++-
net/netfilter/ipset/ip_set_hash_ipportip.c | 5 ++++-
net/netfilter/ipset/ip_set_hash_ipportnet.c | 5 ++++-
4 files changed, 17 insertions(+), 4 deletions(-)
--- a/net/netfilter/ipset/ip_set_hash_ipmark.c
+++ b/net/netfilter/ipset/ip_set_hash_ipmark.c
@@ -150,7 +150,7 @@ hash_ipmark4_uadt(struct ip_set *set, st
if (retried)
ip = ntohl(h->next.ip);
- for (; ip <= ip_to; ip++, i++) {
+ for (; ip <= ip_to; i++) {
e.ip = htonl(ip);
if (i > IPSET_MAX_RANGE) {
hash_ipmark4_data_next(&h->next, &e);
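Review bot: in the rewritten header `for (; ip <= ip_to; i++)` the budget counter `i` still steps in the for clause while `ip` now steps at the bottom of the body, so the header alone no longer shows how the loop terminates. A short comment here saying that `ip` is advanced explicitly at the end of the body so it never moves past `ip_to` would save the reader from hunting for the increment.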
@@ -162,6 +162,10 @@ hash_ipmark4_uadt(struct ip_set *set, st
return ret;
ret = 0;
+
+ if (ip == ip_to)
+ break;
+ ip++;
}
return ret;
}
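Review bot: with the step moved into the body, any `continue` added to this loop later would skip both the `if (ip == ip_to) break;` and the `ip++` and spin on the same address. The three added lines need a comment saying they must remain the last statements of the body, and why the break has to come before the increment.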
--- a/net/netfilter/ipset/ip_set_hash_ipport.c
+++ b/net/netfilter/ipset/ip_set_hash_ipport.c
@@ -175,7 +175,7 @@ hash_ipport4_uadt(struct ip_set *set, st
if (retried)
ip = ntohl(h->next.ip);
- for (; ip <= ip_to; ip++) {
+ for (; ip <= ip_to;) {
p = retried && ip == ntohl(h->next.ip) ? ntohs(h->next.port)
: port;
for (; p <= port_to; p++, i++) {
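Review bot: `for (; ip <= ip_to;)` with an empty init and an empty step is a while loop written as a for. `while (ip <= ip_to) {` states the same thing without the dangling semicolon and makes it clearer that the step lives in the body; the same applies to the identical header in ip_set_hash_ipportip.c and ip_set_hash_ipportnet.c.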
@@ -192,6 +192,9 @@ hash_ipport4_uadt(struct ip_set *set, st
ret = 0;
}
+ if (ip == ip_to)
+ break;
+ ip++;
}
return ret;
}
--- a/net/netfilter/ipset/ip_set_hash_ipportip.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportip.c
@@ -182,7 +182,7 @@ hash_ipportip4_uadt(struct ip_set *set,
if (retried)
ip = ntohl(h->next.ip);
- for (; ip <= ip_to; ip++) {
+ for (; ip <= ip_to;) {
p = retried && ip == ntohl(h->next.ip) ? ntohs(h->next.port)
: port;
for (; p <= port_to; p++, i++) {
@@ -199,6 +199,9 @@ hash_ipportip4_uadt(struct ip_set *set,
ret = 0;
}
+ if (ip == ip_to)
+ break;
+ ip++;
}
return ret;
}
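Review bot: this is the third of four files that gain the same three lines, `if (ip == ip_to) break; ip++;`, none of them commented. Since the set types share the pattern, a small common helper or macro for "advance the IPv4 iterator unless it is already at the end of the range" would keep the four copies from drifting and give one place to document the reason.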
--- a/net/netfilter/ipset/ip_set_hash_ipportnet.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportnet.c
@@ -274,7 +274,7 @@ hash_ipportnet4_uadt(struct ip_set *set,
p = port;
ip2 = ip2_from;
}
- for (; ip <= ip_to; ip++) {
+ for (; ip <= ip_to;) {
e.ip = htonl(ip);
for (; p <= port_to; p++) {
e.port = htons(p);
@@ -298,6 +298,9 @@ hash_ipportnet4_uadt(struct ip_set *set,
ip2 = ip2_from;
}
p = port;
+ if (ip == ip_to)
+ break;
+ ip++;
}
return ret;
}
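Review bot: only the outer `ip` loop is converted; the inner `for (; p <= port_to; p++)` a few lines up keeps the increment-in-header shape. Please confirm in the changelog that `p` cannot have the same end-of-range problem (its type is not visible in this hunk), so the difference in treatment is clearly intentional. The break is also placed after `p = port;`, which makes that reset a dead store on the final iteration; harmless, but moving the check above it would read more naturally.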
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 855/969] qed: fix double free in qed_cxt_tables_alloc()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (853 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 854/969] netfilter: ipset: stop hash:* range iteration at end Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 856/969] ring-buffer: Fix reporting of missed events in iterator Greg Kroah-Hartman
` (120 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zilin Guan, Dawei Feng,
Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dawei Feng <dawei.feng@seu.edu.cn>
commit 2bccfb8476ca5f3548afbd623dc7a6980d4e77de upstream.
If one of the later PF or VF CID bitmap allocations fails,
qed_cid_map_alloc() jumps to cid_map_fail and frees the previously
allocated CID bitmaps before returning an error. qed_cxt_tables_alloc()
then calls qed_cxt_mngr_free(), which invokes qed_cid_map_free()
again.
Fix this by setting each CID bitmap pointer to NULL after bitmap_free()
to avoid double free.
The bug was first flagged by an experimental analysis tool we are
developing for kernel memory-management bugs while analyzing
v6.13-rc1. The tool is still under development and is not yet publicly
available. Manual inspection confirms that the bug is still
present in v7.1-rc3.
Runtime reproduction was not attempted because exercising the failing
allocation path requires device-specific setup.
Fixes: fe56b9e6a8d9 ("qed: Add module with basic common support")
Cc: stable@vger.kernel.org
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
Link: https://patch.msgid.link/20260520070323.2762379-1-dawei.feng@seu.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/qlogic/qed/qed_cxt.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/net/ethernet/qlogic/qed/qed_cxt.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_cxt.c
@@ -1038,11 +1038,13 @@ static void qed_cid_map_free(struct qed_
for (type = 0; type < MAX_CONN_TYPES; type++) {
bitmap_free(p_mngr->acquired[type].cid_map);
+ p_mngr->acquired[type].cid_map = NULL;
p_mngr->acquired[type].max_count = 0;
p_mngr->acquired[type].start_cid = 0;
for (vf = 0; vf < MAX_NUM_VFS; vf++) {
bitmap_free(p_mngr->acquired_vf[type][vf].cid_map);
+ p_mngr->acquired_vf[type][vf].cid_map = NULL;
p_mngr->acquired_vf[type][vf].max_count = 0;
p_mngr->acquired_vf[type][vf].start_cid = 0;
}
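Review bot: setting `cid_map = NULL` after each bitmap_free() makes qed_cid_map_free() safe to call twice, but nothing in the function says that a second call is expected. A one-line comment that both the error path of qed_cid_map_alloc() and qed_cxt_mngr_free() can reach this function would keep a later cleanup from removing the NULL stores as redundant next to the `max_count = 0` and `start_cid = 0` resets.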
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 856/969] ring-buffer: Fix reporting of missed events in iterator
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (854 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 855/969] qed: fix double free in qed_cxt_tables_alloc() Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 857/969] vsock/vmci: fix UAF when peer resets connection during handshake Greg Kroah-Hartman
` (119 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mathieu Desnoyers,
Masami Hiramatsu (Google), Steven Rostedt
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steven Rostedt <rostedt@goodmis.org>
commit a254b6d13b0edd6272926674d2afc46d46e496b7 upstream.
When tracing is active while reading the trace file, if the iterator
reading the buffer detects that the writer has passed the iterator head,
it will reset and set a "missed events" flag. This flag is passed to the
output processing to show the user that events were missed:
CPU:4 [LOST EVENTS]
The problem is that the flag is reset after it is checked in
ring_buffer_iter_dropped(). But the "trace" file iterates over all the CPU
ring buffers and it will check if they are dropped when figuring out which
buffer to print next. This prematurely clears the missed_events flag if
the CPU buffer with the missed events is not the one that is printed next.
On the iteration where the CPU buffer with the missed events is printed,
the check if it had missed events would return false and the output does
not show that events were missed.
Do not reset the missed_events flag when checking if there were missed
events, but instead clear it when moving the iterator head to the next
event.
Cc: stable@vger.kernel.org
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Link: https://patch.msgid.link/20260520220801.4fd09d13@fedora
Fixes: c9b7a4a72ff64 ("ring-buffer/tracing: Have iterator acknowledge dropped events")
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/ring_buffer.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -4387,6 +4387,7 @@ static void rb_iter_reset(struct ring_bu
iter->head_page = cpu_buffer->reader_page;
iter->head = cpu_buffer->reader_page->read;
iter->next_event = iter->head;
+ iter->missed_events = 0;
iter->cache_reader_page = iter->head_page;
iter->cache_read = cpu_buffer->read;
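Review bot: zeroing `iter->missed_events` inside rb_iter_reset() is only correct if the overrun path sets the flag after it calls the reset, and that ordering is not visible in this hunk. The changelog says the iterator "will reset and set" the flag, so please confirm the set really follows the reset in the code, and add a comment at the new line noting that callers who want to report missed events must set the flag after resetting.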
@@ -5000,10 +5001,7 @@ ring_buffer_peek(struct trace_buffer *bu
*/
bool ring_buffer_iter_dropped(struct ring_buffer_iter *iter)
{
- bool ret = iter->missed_events != 0;
-
- iter->missed_events = 0;
- return ret;
+ return iter->missed_events != 0;
}
EXPORT_SYMBOL_GPL(ring_buffer_iter_dropped);
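Review bot: ring_buffer_iter_dropped() is now a pure read, so the kernel-doc that ends just above the function (only its closing `*/` is in the context) should be checked for any wording about the flag being cleared, and should state that the flag is cleared by ring_buffer_iter_advance() instead. With no write left in the body, the parameter could also become `const struct ring_buffer_iter *iter` if no caller objects.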
@@ -5220,7 +5218,7 @@ void ring_buffer_iter_advance(struct rin
unsigned long flags;
raw_spin_lock_irqsave(&cpu_buffer->reader_lock, flags);
-
+ iter->missed_events = 0;
rb_advance_iter(iter);
raw_spin_unlock_irqrestore(&cpu_buffer->reader_lock, flags);
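Review bot: the clear of `iter->missed_events` replaces the blank line after raw_spin_lock_irqsave(), so the locked region now starts without visual separation, and the reason the clear comes before rb_advance_iter() rather than after it is not stated. If rb_advance_iter() can itself detect an overrun and set the flag, the order matters; a one-line comment saying so would protect it from being reordered.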
^ permalink raw reply [flat|nested] 982+ messages in thread
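The behaviour described in the ring-buffer commit message above, as a user-space model added here (not code from the patch or from the kernel). `struct iter_model`, `merge_and_count_lost()`, `run_model()` and the timestamps are constructed for illustration; only the two shapes of the "dropped" query follow the hunks.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NCPU 2

/* Constructed model of one per-CPU iterator; not the kernel's struct. */
struct iter_model {
	const unsigned long *ts; /* timestamps of the events still to print */
	size_t len;
	size_t pos;
	int missed_events;       /* set when the writer overran this iterator */
};

/* Pre-patch shape: asking "were events dropped?" also clears the flag. */
static bool dropped_clearing(struct iter_model *it)
{
	bool ret = it->missed_events != 0;

	it->missed_events = 0;
	return ret;
}

/* Patched shape: the query is a pure read. */
static bool dropped_readonly(struct iter_model *it)
{
	return it->missed_events != 0;
}

/*
 * Merge the per-CPU streams by timestamp: every step peeks at all CPUs
 * (querying each one's dropped flag), prints the oldest event, then
 * advances only that CPU's iterator. Returns how many printed events
 * were preceded by a lost-events marker.
 */
static int merge_and_count_lost(struct iter_model *cpu, bool patched,
				int *printed)
{
	int lost_markers = 0;

	*printed = 0;
	for (;;) {
		int next = -1;
		bool next_lost = false;

		for (int c = 0; c < NCPU; c++) {
			struct iter_model *it = &cpu[c];
			bool lost;

			if (it->pos >= it->len)
				continue;
			lost = patched ? dropped_readonly(it)
				       : dropped_clearing(it);
			if (next < 0 ||
			    it->ts[it->pos] < cpu[next].ts[cpu[next].pos]) {
				next = c;
				next_lost = lost;
			}
		}
		if (next < 0)
			break;
		if (next_lost)
			lost_markers++;
		if (patched)
			cpu[next].missed_events = 0; /* cleared on advance */
		cpu[next].pos++;
		(*printed)++;
	}
	return lost_markers;
}

/* Constructed input: CPU 1 lost events, but CPU 0 holds the older events. */
static int run_model(bool patched, int *printed)
{
	static const unsigned long cpu0_ts[] = { 10, 20 };
	static const unsigned long cpu1_ts[] = { 30 };
	struct iter_model cpu[NCPU] = {
		{ cpu0_ts, 2, 0, 0 },
		{ cpu1_ts, 1, 0, 1 },
	};

	return merge_and_count_lost(cpu, patched, printed);
}

int main(void)
{
	int printed;
	int lost = run_model(false, &printed);

	printf("clearing query: %d events, %d lost markers\n", printed, lost);
	lost = run_model(true, &printed);
	printf("read-only query: %d events, %d lost markers\n", printed, lost);
	return 0;
}
```

In the model the clearing query consumes CPU 1's flag while CPU 0's older events are being chosen, so the marker is gone by the time CPU 1's event is printed.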
* [PATCH 6.1 857/969] vsock/vmci: fix UAF when peer resets connection during handshake
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (855 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 856/969] ring-buffer: Fix reporting of missed events in iterator Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 858/969] vsock/virtio: reset connection on receiving queue overflow Greg Kroah-Hartman
` (118 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Minh Nguyen, Bryan Tan,
Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Minh Nguyen <minhnguyen.080505@gmail.com>
commit 99e22ddf4edb63dc8382bc028af928056d3450cf upstream.
vmci_transport_recv_connecting_server() returned err = 0 for a peer
RST in its default switch arm:
err = pkt->type == VMCI_TRANSPORT_PACKET_TYPE_RST ? 0 : -EINVAL;
That made vmci_transport_recv_listen() skip vsock_remove_pending(),
leaving the pending socket on the listener's pending_links with
sk_state = TCP_CLOSE while destroy: still dropped the explicit
reference taken before schedule_delayed_work().
One second later vsock_pending_work() observed is_pending=true and
performed full cleanup: vsock_remove_pending() then the two trailing
sock_put(sk) calls -- the first reached refcount 0 and __sk_freed
the socket, and the second wrote into the freed object:
BUG: KASAN: slab-use-after-free in refcount_warn_saturate
Write of size 4 at addr ffff88800b1cac80 by task kworker
Workqueue: events vsock_pending_work
Treat peer RST like any other unexpected packet type (err = -EINVAL).
All destroy: arms now return err < 0, so vmci_transport_recv_listen()
removes pending from pending_links synchronously and
vsock_pending_work() takes the is_pending=false / !rejected branch,
dropping only its own work reference. This also closes the
multi-packet race Sashiko reported on v2: pending is removed from
the list before any subsequent packet can find it.
The pre-existing sk_acceptq_removed() gap on the err < 0 path of
vmci_transport_recv_listen() that Sashiko also noted is not
introduced or changed by this patch.
Tested on lts-6.12.79 with KASAN: 52/100 unpatched -> 0/100 patched.
Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
Cc: stable@vger.kernel.org
Signed-off-by: Minh Nguyen <minhnguyen.080505@gmail.com>
Acked-by: Bryan Tan <bryan-bt.tan@broadcom.com>
Link: https://patch.msgid.link/20260519102310.237181-1-minhnguyen.080505@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/vmw_vsock/vmci_transport.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/vmw_vsock/vmci_transport.c
+++ b/net/vmw_vsock/vmci_transport.c
@@ -1156,7 +1156,7 @@ vmci_transport_recv_connecting_server(st
/* Close and cleanup the connection. */
vmci_transport_send_reset(pending, pkt);
skerr = EPROTO;
- err = pkt->type == VMCI_TRANSPORT_PACKET_TYPE_RST ? 0 : -EINVAL;
+ err = -EINVAL;
goto destroy;
}
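Review bot: with the ternary gone, this arm returns -EINVAL for a peer RST as well, yet the only comment is still "Close and cleanup the connection." and the removed line shows that RST used to be a deliberate special case. Please add a comment that `err` must be negative here even for VMCI_TRANSPORT_PACKET_TYPE_RST so the listener removes the pending socket itself, otherwise the special case is likely to be reintroduced. It is also worth stating whether the `vmci_transport_send_reset(pending, pkt)` two lines up is intended to run in reply to a peer RST.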
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 858/969] vsock/virtio: reset connection on receiving queue overflow
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (856 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 857/969] vsock/vmci: fix UAF when peer resets connection during handshake Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 859/969] wifi: ath11k: clear shared SRNG pointer state on restart Greg Kroah-Hartman
` (117 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Stefano Garzarella, Paolo Abeni
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefano Garzarella <sgarzare@redhat.com>
commit a4f0b001782b21663d10df983b4b208195bec66c upstream.
When there is no more space to queue an incoming packet, the packet is
silently dropped. This causes data loss without any notification to
either peer, since there is no retransmission.
Under normal circumstances, this should never happen. However, it could
happen if the other peer doesn't respect the credit, or if the skb
overhead, which we recently began to take into account with commit
059b7dbd20a6 ("vsock/virtio: fix potential unbounded skb queue"),
is too high.
Fix this by resetting the connection and setting the local socket error
to ENOBUFS when virtio_transport_recv_enqueue() can no longer queue a
packet, so both peers are explicitly notified of the failure rather than
silently losing data.
Fixes: ae6fcfbf5f03 ("vsock/virtio: discard packets if credit is not respected")
Cc: stable@vger.kernel.org
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Link: https://patch.msgid.link/20260518090656.134588-2-sgarzare@redhat.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/vmw_vsock/virtio_transport_common.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
--- a/net/vmw_vsock/virtio_transport_common.c
+++ b/net/vmw_vsock/virtio_transport_common.c
@@ -1063,7 +1063,7 @@ destroy:
return err;
}
-static void
+static bool
virtio_transport_recv_enqueue(struct vsock_sock *vsk,
struct sk_buff *skb)
{
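Review bot: virtio_transport_recv_enqueue() changes from `static void` to `static bool` without any comment on what the return value means. Since the caller now tears the connection down on false, the function needs a short comment saying it returns true when the packet was queued and false when there was no room, and who owns the skb in each case.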
@@ -1078,10 +1078,8 @@ virtio_transport_recv_enqueue(struct vso
spin_lock_bh(&vvs->rx_lock);
can_enqueue = virtio_transport_inc_rx_pkt(vvs, len);
- if (!can_enqueue) {
- free_pkt = true;
+ if (!can_enqueue)
goto out;
- }
if (le32_to_cpu(hdr->flags) & VIRTIO_VSOCK_SEQ_EOM)
vvs->msg_count++;
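Review bot: dropping `free_pkt = true;` from the `!can_enqueue` branch changes skb ownership: on failure the function no longer frees the packet and the caller must. That is needed so the caller can pass the skb to virtio_transport_reset(), but it is a silent contract change; please document it at the `goto out` and confirm that every path after the caller's `break` frees the skb, since that code is outside this diff.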
@@ -1119,6 +1117,8 @@ out:
spin_unlock_bh(&vvs->rx_lock);
if (free_pkt)
kfree_skb(skb);
+
+ return can_enqueue;
}
static int
@@ -1131,7 +1131,17 @@ virtio_transport_recv_connected(struct s
switch (le16_to_cpu(hdr->op)) {
case VIRTIO_VSOCK_OP_RW:
- virtio_transport_recv_enqueue(vsk, skb);
+ if (!virtio_transport_recv_enqueue(vsk, skb)) {
+ /* There is no more space to queue the packet, so let's
+ * close the connection; otherwise, we'll lose data.
+ */
+ (void)virtio_transport_reset(vsk, skb);
+ virtio_transport_do_close(vsk, true);
+ sk->sk_err = ENOBUFS;
+ sk_error_report(sk);
+ vsock_remove_sock(vsk);
+ break;
+ }
vsock_data_ready(sk);
return err;
case VIRTIO_VSOCK_OP_CREDIT_REQUEST:
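Review bot: in the new `VIRTIO_VSOCK_OP_RW` failure branch the result of virtio_transport_reset() is discarded with a `(void)` cast, so if the reset cannot be sent the peer is never told, which is the situation the changelog sets out to avoid. At minimum the comment should say why ignoring the failure is acceptable. The branch also ends in `break` where the success path does `return err;`, so it depends on the code after the switch to release the skb; a note to that effect would help, as that code is not shown here.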
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 859/969] wifi: ath11k: clear shared SRNG pointer state on restart
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (857 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 858/969] vsock/virtio: reset connection on receiving queue overflow Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 860/969] ipv4: raw: reject IP_HDRINCL packets with ihl < 5 Greg Kroah-Hartman
` (116 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kyle Farnung, Rameshkumar Sundaram,
Baochen Qiang, Jeff Johnson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kyle Farnung <kfarnung@gmail.com>
commit f51e4b3b5574ad8cb5b16b11f8a1452147ece87a upstream.
LMAC rings reuse the shared rdp/wrp pointer buffers without going
through the normal SRNG hw-init path that zeros non-LMAC ring
pointers. After restart, ath11k_hal_srng_clear() can therefore hand
stale hp/tp state from the previous firmware instance back to the new
one.
Clear the shared pointer buffers while keeping the allocations in
place so restart still avoids reallocating SRNG DMA memory, but starts
with fresh ring-pointer state.
Fixes: 32be3ca4cf78b ("wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize again")
Cc: stable@vger.kernel.org
Closes: https://lore.kernel.org/all/CAOPSVF04q6uvVdq8GTRLHBrVMdpt9=o9wVcFMc6f-yhmSBcZqQ@mail.gmail.com/
Signed-off-by: Kyle Farnung <kfarnung@gmail.com>
Reviewed-by: Rameshkumar Sundaram <rameshkumar.sundaram@oss.qualcomm.com>
Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
Link: https://patch.msgid.link/20260513-kfarnung-ath11k-srng-clear-pointer-state-v1-1-bc700dd8b333@gmail.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/ath/ath11k/hal.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
--- a/drivers/net/wireless/ath/ath11k/hal.c
+++ b/drivers/net/wireless/ath/ath11k/hal.c
@@ -1353,14 +1353,22 @@ EXPORT_SYMBOL(ath11k_hal_srng_deinit);
void ath11k_hal_srng_clear(struct ath11k_base *ab)
{
- /* No need to memset rdp and wrp memory since each individual
- * segment would get cleared in ath11k_hal_srng_src_hw_init()
- * and ath11k_hal_srng_dst_hw_init().
+ /*
+ * Preserve the shared pointer buffers, but clear the previous
+ * firmware instance's hp/tp state before handing them back to FW.
+ * LMAC rings reuse this shared memory without going through the
+ * normal SRNG hw-init path that zeros non-LMAC ring pointers.
*/
memset(ab->hal.srng_list, 0,
sizeof(ab->hal.srng_list));
memset(ab->hal.shadow_reg_addr, 0,
sizeof(ab->hal.shadow_reg_addr));
+ if (ab->hal.rdp.vaddr)
+ memset(ab->hal.rdp.vaddr, 0,
+ sizeof(*ab->hal.rdp.vaddr) * HAL_SRNG_RING_ID_MAX);
+ if (ab->hal.wrp.vaddr)
+ memset(ab->hal.wrp.vaddr, 0,
+ sizeof(*ab->hal.wrp.vaddr) * HAL_SRNG_NUM_LMAC_RINGS);
ab->hal.avail_blk_resource = 0;
ab->hal.current_blk_index = 0;
ab->hal.num_shadow_reg_configured = 0;
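Review bot: the two new memset() lengths in ath11k_hal_srng_clear() are open-coded as sizeof(*ab->hal.rdp.vaddr) * HAL_SRNG_RING_ID_MAX and sizeof(*ab->hal.wrp.vaddr) * HAL_SRNG_NUM_LMAC_RINGS, and nothing in this hunk ties them to the sizes the rdp and wrp buffers were allocated with. If the allocation code uses the same expressions, a shared macro or helper per buffer would keep a later change on one side from turning this clear into a short clear or a write past the DMA buffer. The NULL checks on vaddr are a sensible guard for a clear that runs before allocation.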
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 860/969] ipv4: raw: reject IP_HDRINCL packets with ihl < 5
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (858 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 859/969] wifi: ath11k: clear shared SRNG pointer state on restart Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 861/969] ixgbevf: fix use-after-free in VEPA multicast source pruning Greg Kroah-Hartman
` (115 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Herbert Xu, Michael Bommarito,
Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit 915fab69823a14c170dbaa3b41978768e0fe62fc upstream.
raw_send_hdrinc() validates that the caller-supplied IPv4 header
fits within the message length:
iphlen = iph->ihl * 4;
err = -EINVAL;
if (iphlen > length)
goto error_free;
if (iphlen >= sizeof(*iph)) {
/* fix up saddr, tot_len, id, csum, transport_header */
}
It does not, however, reject ihl < 5. For such a packet the
"if (iphlen >= sizeof(*iph))" branch is skipped, leaving the
crafted iphdr untouched, but the packet is still handed to
__ip_local_out() and onward. Downstream consumers that read
iph->ihl assume a sane value: net/ipv4/ah4.c:ah_output() in
particular subtracts sizeof(struct iphdr) from top_iph->ihl * 4
and passes the (signed-int-negative, then cast to size_t)
result to memcpy(), producing an OOB access of length close to
SIZE_MAX and a host kernel panic.
An IPv4 header with ihl < 5 is malformed by definition (RFC 791:
"Internet Header Length is the length of the internet header in
32 bit words ... Note that the minimum value for a correct header
is 5."). The kernel should not be willing to inject such a
packet into its own output path.
Reject "iphlen < sizeof(*iph)" alongside the existing
"iphlen > length" check. This matches the principle that locally
constructed packets that re-enter the IP stack must pass the same
basic sanity tests that a foreign packet would be subjected to.
Once this lands, the "if (iphlen >= sizeof(*iph))" wrapper around
the fixup branch becomes redundant; left in place to keep the
patch minimal and backport-friendly. A follow-up can unwrap it.
Note that commit 86f4c90a1c5c ("ipv4, ipv6: ensure raw socket
message is big enough to hold an IP header") ensures the message
buffer is large enough to hold an iphdr, but does not constrain
the self-reported iph->ihl.
Reachability: the malformed packet source is any caller with
CAP_NET_RAW, including an unprivileged process in a user+net
namespace on a kernel with CONFIG_USER_NS=y. The reproduced AH
crash also requires a matching xfrm AH policy on the outgoing
route; a container granted CAP_NET_ADMIN can install that state
and policy in its netns. Loopback bypasses xfrm_output, so the
trigger uses a real netdev.
Reproduced on UML + KASAN: kernel-mode fault at addr 0x0 with
memcpy_orig at the crash site. Same shape reproduces inside a
rootless Docker container with --cap-add NET_ADMIN on a stock
distro kernel.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Suggested-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://patch.msgid.link/77ec2b5e8111961c2c39883c92e8aa2709039c17.1778614451.git.michael.bommarito@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/raw.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -381,7 +381,7 @@ static int raw_send_hdrinc(struct sock *
* in, reject the frame as invalid
*/
err = -EINVAL;
- if (iphlen > length)
+ if (iphlen > length || iphlen < sizeof(*iph))
goto error_free;
if (iphlen >= sizeof(*iph)) {
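Review bot: with "iphlen < sizeof(*iph)" added to the reject condition, the "if (iphlen >= sizeof(*iph))" test on the last context line is always true for any packet that gets that far. The commit message says the wrapper is kept for backport friendliness; a one-line comment at that test, or the follow-up that unwraps it, would stop a later reader from assuming the short-header case is still reachable. The comment above the check ("reject the frame as invalid") could also mention the minimum header length, since the condition now covers two cases.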
^ permalink raw reply [flat|nested] 982+ messages in thread
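The length arithmetic described in the commit message above, as an added C example that is not part of the patch or of the kernel source. The struct, the ex_* function names and the sample headers are constructed for illustration and only model the checks and the subtraction quoted in the message.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal 20-byte IPv4 header, constructed for this example. It models the
 * fields the commit message refers to; it is not the kernel's struct iphdr. */
struct ex_iphdr {
	uint8_t  ver_ihl;	/* version in the high nibble, ihl in the low nibble */
	uint8_t  tos;
	uint16_t tot_len;
	uint16_t id;
	uint16_t frag_off;
	uint8_t  ttl;
	uint8_t  protocol;
	uint16_t check;
	uint32_t saddr;
	uint32_t daddr;
};

/* Constructed sample headers; only the first byte (version/ihl) matters here. */
const uint8_t EX_PKT_OK[20]    = { 0x45 };	/* ihl = 5  -> 20 bytes */
const uint8_t EX_PKT_IHL0[20]  = { 0x40 };	/* ihl = 0  ->  0 bytes */
const uint8_t EX_PKT_IHL4[20]  = { 0x44 };	/* ihl = 4  -> 16 bytes */
const uint8_t EX_PKT_IHL15[20] = { 0x4f };	/* ihl = 15 -> 60 bytes */

/* Self-reported header length in bytes, as in "iphlen = iph->ihl * 4". */
unsigned int ex_iphlen(const uint8_t *pkt)
{
	return (pkt[0] & 0x0fu) * 4u;
}

/* Check as quoted in the commit message before the fix: upper bound only. */
int ex_check_before(const uint8_t *pkt, size_t length)
{
	unsigned int iphlen = ex_iphlen(pkt);

	if (iphlen > length)
		return -EINVAL;
	return 0;
}

/* Check after the fix: also reject a header shorter than the fixed part. */
int ex_check_after(const uint8_t *pkt, size_t length)
{
	unsigned int iphlen = ex_iphlen(pkt);

	if (iphlen > length || iphlen < sizeof(struct ex_iphdr))
		return -EINVAL;
	return 0;
}

/* Model of a downstream consumer that trusts ihl: it computes the length of
 * the options area as a signed int and then uses it as a size_t copy length.
 * No copy is performed here; the function only returns the length. */
size_t ex_downstream_copy_len(const uint8_t *pkt)
{
	int optlen = (int)ex_iphlen(pkt) - (int)sizeof(struct ex_iphdr);

	return (size_t)optlen;
}

int main(void)
{
	const uint8_t *pkts[] = { EX_PKT_OK, EX_PKT_IHL0, EX_PKT_IHL4, EX_PKT_IHL15 };
	size_t i;

	for (i = 0; i < sizeof(pkts) / sizeof(pkts[0]); i++)
		printf("ihl=%2u before=%d after=%d downstream_len=%zu\n",
		       ex_iphlen(pkts[i]) / 4,
		       ex_check_before(pkts[i], 20),
		       ex_check_after(pkts[i], 20),
		       ex_downstream_copy_len(pkts[i]));
	return 0;
}
```

For ihl = 0 and ihl = 4 the upper-bound check alone returns 0 while the modelled downstream length wraps to a value just below SIZE_MAX; the added lower bound rejects both before any consumer sees them.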
* [PATCH 6.1 861/969] ixgbevf: fix use-after-free in VEPA multicast source pruning
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (859 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 860/969] ipv4: raw: reject IP_HDRINCL packets with ihl < 5 Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 862/969] ice: fix setting promisc mode while adding VID filter Greg Kroah-Hartman
` (114 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Simon Horman,
Rafal Romanowski, Tony Nguyen, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit 5d49b568c188dc77199d8d2b959c91da8cc27cf1 upstream.
ixgbevf_clean_rx_irq() prunes frames whose source MAC matches the VF's
own address (VEPA multicast workaround) by freeing the skb and
continuing to the next descriptor:
dev_kfree_skb_irq(skb);
continue;
The skb pointer is declared outside the while loop and persists across
iterations. Because the continue skips the "skb = NULL" reset at the
bottom of the loop, the next iteration enters the "else if (skb)" path
and calls ixgbevf_add_rx_frag() on the freed skb, dereferencing
skb_shinfo(skb)->nr_frags - a use-after-free in NAPI softirq context.
The sibling driver iavf already handles this correctly by nulling the
pointer before continuing. Apply the same pattern here.
I do not have ixgbevf hardware; the bug was found by static analysis
(scan_drop_continue_loops.py + semgrep drop_continue_in_loop, multi-tool
corroboration with the highest score in the scan). The UAF was confirmed
under KASAN by loading a test module that reproduces the exact code
pattern (alloc skb, kfree_skb, then read skb_shinfo(skb)->nr_frags):
BUG: KASAN: slab-use-after-free in ixgbevf_uaf_test_init+0x100/0x1000
Read of size 8 at addr 000000006163ae78 by task insmod/30
freed 208-byte region [000000006163adc0, 000000006163ae90)
QEMU emulates igb (82576) but not ixgbe (82599), and the igbvf VF
driver does not include the VEPA source pruning path, so a full
end-to-end reproduction with emulated hardware was not possible.
Fixes: bad17234ba70 ("ixgbevf: Change receive model to use double buffered page based receives")
Cc: stable@vger.kernel.org
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Link: https://patch.msgid.link/20260515182419.1597859-8-anthony.l.nguyen@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
+++ b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
@@ -1225,6 +1225,7 @@ static int ixgbevf_clean_rx_irq(struct i
ether_addr_equal(rx_ring->netdev->dev_addr,
eth_hdr(skb)->h_source)) {
dev_kfree_skb_irq(skb);
+ skb = NULL;
continue;
}
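Review bot: the fix in the VEPA pruning branch depends on each drop path clearing skb by hand before continue, and this hunk covers only this one branch. Please confirm that every other path in ixgbevf_clean_rx_irq() that frees skb and continues also resets the pointer. A short comment on the new line saying that skb persists across loop iterations would keep the assignment from being removed later as redundant.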
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 862/969] ice: fix setting promisc mode while adding VID filter
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (860 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 861/969] ixgbevf: fix use-after-free in VEPA multicast source pruning Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 863/969] wifi: cfg80211: advance loop vars in cfg80211_merge_profile() Greg Kroah-Hartman
` (113 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marcin Szycik, Aleksandr Loktionov,
Simon Horman, Tony Nguyen, Jakub Kicinski, Rinitha S
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marcin Szycik <marcin.szycik@intel.com>
commit ebc8de716c9ec2be384abdc2dd866da26c6580d1 upstream.
There are at least two paths through which VSI promiscuous mode can be
independently configured via ice_fltr_set_vsi_promisc():
- ice_vlan_rx_add_vid() (netdev op)
- ice_service_task() -> ... -> ice_set_promisc()
Both paths may try to program promiscuous mode concurrently. One such
scenario is:
1. Add ice netdev to bond
2. Add the bond netdev to bridge
3. ice netdev enters allmulticast mode (IFF_ALLMULTI)
4. Service task programs promisc mode filter
5. Bridge -> bond calls ice_vlan_rx_add_vid()
Crucially, ice_vlan_rx_add_vid() fails if ice_fltr_set_vsi_promisc()
returns any error, including -EEXIST. This causes VLAN filtering setup
to fail on the bond interface. ice_set_promisc() already handles -EEXIST
correctly.
Fix by adding the same -EEXIST check to ice_vlan_rx_add_vid(): if the
promisc filter is already programmed, continue without returning error.
Fixes: 1273f89578f2 ("ice: Fix broken IFF_ALLMULTI handling")
Cc: stable@vger.kernel.org
Signed-off-by: Marcin Szycik <marcin.szycik@intel.com>
Signed-off-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Link: https://patch.msgid.link/20260515182419.1597859-4-anthony.l.nguyen@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/ice/ice_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/ethernet/intel/ice/ice_main.c
+++ b/drivers/net/ethernet/intel/ice/ice_main.c
@@ -3616,7 +3616,7 @@ ice_vlan_rx_add_vid(struct net_device *n
ret = ice_fltr_set_vsi_promisc(&vsi->back->hw, vsi->idx,
ICE_MCAST_VLAN_PROMISC_BITS,
vid);
- if (ret)
+ if (ret && ret != -EEXIST)
goto finish;
}
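Review bot: when ice_fltr_set_vsi_promisc() returns -EEXIST, the new condition falls through with ret still holding -EEXIST. If nothing after this block reassigns ret before the function returns it, ice_vlan_rx_add_vid() would still report failure, which is the behaviour the patch is meant to remove. Either clear ret on the -EEXIST path or confirm that the code following this block always overwrites it.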
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 863/969] wifi: cfg80211: advance loop vars in cfg80211_merge_profile()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (861 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 862/969] ice: fix setting promisc mode while adding VID filter Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 864/969] cifs: Fix busy dentry used after unmounting Greg Kroah-Hartman
` (112 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, John Walker, Johannes Berg
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: John Walker <johnwalker0@gmail.com>
commit 7666dbb1bacc4ba522b96740cba7283d243d16e1 upstream.
cfg80211_merge_profile() reassembles a Multi-BSSID non-transmitted BSS
profile that has been split across multiple consecutive MBSSID elements.
Its while-loop calls
cfg80211_get_profile_continuation(ie, ielen, mbssid_elem, sub_elem)
but never advances mbssid_elem or sub_elem inside the body. Each
iteration therefore searches for a continuation that follows the same
fixed pair; the helper returns the same next_mbssid; and the same
next_sub bytes are memcpy()'d into merged_ie at a growing offset until
the buffer fills.
Advance both mbssid_elem and sub_elem to the just-consumed continuation
so the next call to cfg80211_get_profile_continuation() searches for a
further continuation beyond it (or returns NULL when none exists).
A specially-crafted malicious beacon can take advantage of this bug
to cause the kernel to spend an excessive amount of time in
cfg80211_merge_profile (up to as much as 2ms per beacon received),
which could theoretically be abused in some way.
Cc: stable@vger.kernel.org
Fixes: fe806e4992c9 ("cfg80211: support profile split between elements")
Signed-off-by: John Walker <johnwalker0@gmail.com>
Link: https://patch.msgid.link/20260507230720.64783-1-johnwalker0@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/wireless/scan.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -2239,6 +2239,9 @@ size_t cfg80211_merge_profile(const u8 *
memcpy(merged_ie + copied_len, next_sub->data,
next_sub->datalen);
copied_len += next_sub->datalen;
+
+ mbssid_elem = next_mbssid;
+ sub_elem = next_sub;
}
return copied_len;
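Review bot: loop termination in cfg80211_merge_profile() now rests on the two new assignments, so cfg80211_get_profile_continuation() must return either NULL or an element strictly after next_mbssid on the following call. A short comment above them saying that the search restarts from the continuation just consumed would document that. The memcpy() into merged_ie + copied_len in the context lines is not visibly bounded within this hunk; it is worth confirming that the length check against the destination size sits earlier in the loop body.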
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 864/969] cifs: Fix busy dentry used after unmounting
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (862 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 863/969] wifi: cfg80211: advance loop vars in cfg80211_merge_profile() Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 865/969] tracing: Do not call map->ops->elt_free() if elt_alloc() fails Greg Kroah-Hartman
` (111 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shyam Prasad N, Zhihao Cheng,
Steve French
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhihao Cheng <chengzhihao1@huawei.com>
commit c68337442f03953237a94577beb468ab2662a851 upstream.
Since commit 340cea84f691c ("cifs: open files should not hold ref on
superblock"), cifs file only holds the dentry ref_cnt, the cifs file
close work(cfile->deferred) could be executed after unmounting, which
will trigger a warning in generic_shutdown_super:
BUG: Dentry 00000000a14a6845{i=c,n=file} still in use (1) [unmount of
cifs cifs]
The detailed process is:
process A               process B               kworker
fd = open(PATH)
vfs_open
file->__f_path = *path // dentry->d_lockref.count = 1
cifs_open
cifs_new_fileinfo
cfile->dentry = dget(dentry) // dentry->d_lockref.count = 2
close(fd)
__fput
cifs_close
queue_delayed_work(deferredclose_wq, cfile->deferred)
dput(dentry) // dentry->d_lockref.count = 1
                                                smb2_deferred_work_close
                                                _cifsFileInfo_put
                                                list_del(&cifs_file->flist)
                        umount
                        cleanup_mnt
                        deactivate_super
                        cifs_kill_sb
                        cifs_close_all_deferred_files_sb
                        cifs_close_all_deferred_files
                        // cannot find cfile, skip _cifsFileInfo_put
                        kill_anon_super
                        generic_shutdown_super
                        shrink_dcache_for_umount
                        umount_check
                        WARN ! // dentry->d_lockref.count = 1
                                                cifsFileInfo_put_final
                                                dput(cifs_file->dentry)
                                                // dentry->d_lockref.count = 0
Fix it by flushing 'deferredclose_wq' before calling kill_anon_super.
Fetch a reproducer in https://bugzilla.kernel.org/show_bug.cgi?id=221548.
Fixes: 340cea84f691c ("cifs: open files should not hold ref on superblock")
Cc: stable@vger.kernel.org
Reviewed-by: Shyam Prasad N <sprasad@microsoft.com>
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/cifsfs.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/smb/client/cifsfs.c
+++ b/fs/smb/client/cifsfs.c
@@ -296,6 +296,8 @@ static void cifs_kill_sb(struct super_bl
/* Wait for all pending oplock breaks to complete */
flush_workqueue(cifsoplockd_wq);
+ /* Wait for all opened files to release */
+ flush_workqueue(deferredclose_wq);
/* finally release root dentry */
dput(cifs_sb->root);
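Review bot: the new comment "Wait for all opened files to release" does not say what is being waited on or why the ordering matters. Something like "flush deferred close work so it drops its dentry references before the superblock is shut down" would match the race in the commit message. Please also confirm that nothing can still queue work onto deferredclose_wq once this flush returns, otherwise the same warning stays reachable.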
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 865/969] tracing: Do not call map->ops->elt_free() if elt_alloc() fails
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (863 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 864/969] cifs: Fix busy dentry used after unmounting Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 866/969] KVM: arm64: vgic-its: Reject restored DTE with out-of-range num_eventid_bits Greg Kroah-Hartman
` (110 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tom Zanussi, Mathieu Desnoyers,
Rosen Penev, Sashiko, Masami Hiramatsu (Google), Steven Rostedt
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
commit 8f0f5c4fb9df0e19a341e0c6ed8dc4fda9124f03 upstream.
In paths where tracing_map_elt_alloc() failed to allocate objects,
the map->ops->elt_alloc() call was never successful. In this case,
map->ops->elt_free() should not be called.
Link: https://sashiko.dev/#/patchset/20260520223101.34710-1-rosenp%40gmail.com
Cc: stable@vger.kernel.org
Cc: Tom Zanussi <tom.zanussi@linux.intel.com>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Rosen Penev <rosenp@gmail.com>
Reported-by: Sashiko <sashiko-bot@kernel.org>
Fixes: 2734b629525a ("tracing: Add per-element variable support to tracing_map")
Link: https://patch.msgid.link/177933895460.108746.5396070821443932634.stgit@devnote2
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/tracing_map.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
--- a/kernel/trace/tracing_map.c
+++ b/kernel/trace/tracing_map.c
@@ -386,13 +386,11 @@ static void tracing_map_elt_init_fields(
}
}
-static void tracing_map_elt_free(struct tracing_map_elt *elt)
+static void __tracing_map_elt_free(struct tracing_map_elt *elt)
{
if (!elt)
return;
- if (elt->map->ops && elt->map->ops->elt_free)
- elt->map->ops->elt_free(elt);
kfree(elt->fields);
kfree(elt->vars);
kfree(elt->var_set);
@@ -400,6 +398,17 @@ static void tracing_map_elt_free(struct
kfree(elt);
}
+static void tracing_map_elt_free(struct tracing_map_elt *elt)
+{
+ if (!elt)
+ return;
+
+ /* Only objects initialized with alloc_elt() should be passed to free_elt().*/
+ if (elt->map->ops && elt->map->ops->elt_free)
+ elt->map->ops->elt_free(elt);
+ __tracing_map_elt_free(elt);
+}
+
static struct tracing_map_elt *tracing_map_elt_alloc(struct tracing_map *map)
{
struct tracing_map_elt *elt;
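Review bot: the comment in the new tracing_map_elt_free() names alloc_elt() and free_elt(), but the callbacks called here and in the commit message are elt_alloc() and elt_free(). Please use the real names and add the missing space before the closing */. The !elt test now appears in both the wrapper and __tracing_map_elt_free(); the wrapper needs it because it dereferences elt->map, so keeping both is fine.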
@@ -444,7 +453,7 @@ static struct tracing_map_elt *tracing_m
}
return elt;
free:
- tracing_map_elt_free(elt);
+ __tracing_map_elt_free(elt);
return ERR_PTR(err);
}
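Review bot: the free: label now skips map->ops->elt_free() for every goto that reaches it, which is only correct if no path jumps to free: after map->ops->elt_alloc() has succeeded. The hunk does not show the gotos, so please confirm that elt_alloc() is the last step that can fail in tracing_map_elt_alloc(). A comment at the label saying that any failure after a successful elt_alloc() must use tracing_map_elt_free() instead would protect later changes.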
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 866/969] KVM: arm64: vgic-its: Reject restored DTE with out-of-range num_eventid_bits
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (864 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 865/969] tracing: Do not call map->ops->elt_free() if elt_alloc() fails Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 867/969] drm/bridge: chipone-icn6211: use devm_drm_bridge_add in i2c probe Greg Kroah-Hartman
` (109 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Marc Zyngier
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit 9ce754ed8e7ab4e3999767ce1505f85c449ccb07 upstream.
Userspace can restore an ITS Device Table Entry whose Size field encodes
more EventID bits than the virtual ITS supports. The live MAPD path
rejects that state, but vgic_its_restore_dte() accepts it and stores the
out-of-range value in dev->num_eventid_bits.
Reject restored DTEs with num_eventid_bits > VITS_TYPER_IDBITS before
allocating the device. This mirrors the MAPD check and prevents the
restored state from reaching vgic_its_restore_itt(), where the unchecked
value can be converted into an oversized scan_its_table() range.
Fixes: 57a9a117154c ("KVM: arm64: vgic-its: Device table save/restore")
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://lore.kernel.org/r/20260519132519.2142458-1-michael.bommarito@gmail.com
Signed-off-by: Marc Zyngier <maz@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kvm/vgic/vgic-its.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/arch/arm64/kvm/vgic/vgic-its.c
+++ b/arch/arm64/kvm/vgic/vgic-its.c
@@ -2413,6 +2413,10 @@ static int vgic_its_restore_dte(struct v
/* dte entry is valid */
offset = (entry & KVM_ITS_DTE_NEXT_MASK) >> KVM_ITS_DTE_NEXT_SHIFT;
+ /* Mimic the MAPD behaviour and reject invalid EID bits. */
+ if (num_eventid_bits > VITS_TYPER_IDBITS)
+ return -EINVAL;
+
if (!vgic_its_check_id(its, baser, id, NULL))
return -EINVAL;
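Review bot: the bound "num_eventid_bits > VITS_TYPER_IDBITS" is now written out separately here and in the MAPD path that the new comment refers to. A small shared helper for the check would keep the restore and live paths from drifting apart. The comment could also name the MAPD command handler function so the reference can be found with grep.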
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 867/969] drm/bridge: chipone-icn6211: use devm_drm_bridge_add in i2c probe
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (865 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 866/969] KVM: arm64: vgic-its: Reject restored DTE with out-of-range num_eventid_bits Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 868/969] scsi: isci: Fix use-after-free in device removal path Greg Kroah-Hartman
` (108 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Osama Abdelkader, Luca Ceresoli
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Osama Abdelkader <osama.abdelkader@gmail.com>
commit 73d01051e8040c0b1de7fd26b3b8d0c2ffa6895c upstream.
Use devm_drm_bridge_add() so the bridge is released if probe
fails after registration, and drop drm_bridge_remove() in chipone_i2c_probe.
Signed-off-by: Osama Abdelkader <osama.abdelkader@gmail.com>
Fixes: 8dde6f7452a1 ("drm: bridge: icn6211: Add I2C configuration support")
Cc: stable@vger.kernel.org
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Link: https://patch.msgid.link/20260430194944.78119-1-osama.abdelkader@gmail.com
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/bridge/chipone-icn6211.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/bridge/chipone-icn6211.c
+++ b/drivers/gpu/drm/bridge/chipone-icn6211.c
@@ -758,7 +758,9 @@ static int chipone_i2c_probe(struct i2c_
dev_set_drvdata(dev, icn);
i2c_set_clientdata(client, icn);
- drm_bridge_add(&icn->bridge);
+ ret = devm_drm_bridge_add(dev, &icn->bridge);
+ if (ret)
+ return ret;
return chipone_dsi_host_attach(icn);
}
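Review bot: the commit message says drm_bridge_remove() is dropped in chipone_i2c_probe(), but this hunk only replaces drm_bridge_add() and deletes no drm_bridge_remove() call. If this tree's probe never had that call, the message is simply stale for the backport. If the driver's remove path still calls drm_bridge_remove(&icn->bridge), though, the bridge would be removed once there and again by the devm action. Please confirm which applies to 6.1.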
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 868/969] scsi: isci: Fix use-after-free in device removal path
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (866 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 867/969] drm/bridge: chipone-icn6211: use devm_drm_bridge_add in i2c probe Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 869/969] spi: sprd: fix error pointer deref after DMA setup failure Greg Kroah-Hartman
` (107 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito,
Martin K. Petersen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit b52a8d52c3125ec9a93106ed816582368de34426 upstream.
The ISCI completion tasklet is initialized in isci_host_alloc()
(drivers/scsi/isci/init.c:496) and scheduled from both MSI-X and legacy
interrupt handlers (drivers/scsi/isci/host.c:223,613).
isci_host_deinit() stops the controller and waits for stop completion,
but it never kills completion_tasklet before teardown continues. A
top-of-function tasklet_kill() is not sufficient here: interrupts are
only disabled when isci_host_stop_complete() runs, so until
wait_for_stop() returns the IRQ handlers can still requeue the
tasklet. The tasklet callback also re-enables interrupts after draining
completions, so killing the tasklet before the source is quiesced leaves
the same race open.
Once wait_for_stop() returns, no further IRQ-driven scheduling can
occur. Kill completion_tasklet there so teardown cannot race a queued
tasklet running on a dead ihost. On remove or unload, the stale callback
can otherwise dereference ihost and touch ihost->smu_registers after the
host lifetime ends.
A UML + KASAN analogue reproduced the failure class both with no
tasklet_kill() and with tasklet_kill() placed before source quiesce, and
stayed clean once the kill happened after quiescing the scheduling
source.
This mirrors commit f6ab594672d4 ("scsi: aic94xx: fix use-after-free in
device removal path"), but ISCI needs the kill after wait_for_stop().
Fixes: 6f231dda6808 ("isci: Intel(R) C600 Series Chipset Storage Control Unit Driver")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Assisted-by: Codex:gpt-5-4
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://patch.msgid.link/20260419210420.2134639-1-michael.bommarito@gmail.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/isci/host.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/scsi/isci/host.c
+++ b/drivers/scsi/isci/host.c
@@ -1252,6 +1252,9 @@ void isci_host_deinit(struct isci_host *
wait_for_stop(ihost);
+ /* No further IRQ-driven scheduling can happen past wait_for_stop(). */
+ tasklet_kill(&ihost->completion_tasklet);
+
/* phy stop is after controller stop to allow port and device to
* go idle before shutting down the phys, but the expectation is
* that i/o has been shut off well before we reach this
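Review bot: the placement of tasklet_kill() after wait_for_stop() is the whole fix, but the one-line comment does not say why the call must not move earlier. Suggest expanding it to note that the IRQ handlers can requeue completion_tasklet until wait_for_stop() returns, as the commit message explains, so a later cleanup does not hoist the kill to the top of isci_host_deinit().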
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 869/969] spi: sprd: fix error pointer deref after DMA setup failure
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (867 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 868/969] scsi: isci: Fix use-after-free in device removal path Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 870/969] spi: ti-qspi: fix use-after-free " Greg Kroah-Hartman
` (106 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Lanqing Liu, Johan Hovold,
Mark Brown
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 3d67fffb74267772d461c02c67f1eff893ad547d upstream.
The driver falls back to PIO mode if DMA setup fails during probe.
Make sure to check the dma.enabled flag before trying to release the DMA
channels also on late probe errors to avoid dereferencing an error
pointer (or attempting to release a channel a second time).
This issue was flagged by Sashiko when reviewing a devres allocation
conversion patch.
Fixes: 386119bc7be9 ("spi: sprd: spi: sprd: Add DMA mode support")
Link: https://sashiko.dev/#/patchset/20260505072909.618363-1-johan%40kernel.org?part=10
Cc: stable@vger.kernel.org # 5.1
Cc: Lanqing Liu <lanqing.liu@unisoc.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260512074733.915029-1-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-sprd.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/spi/spi-sprd.c
+++ b/drivers/spi/spi-sprd.c
@@ -995,7 +995,8 @@ err_rpm_put:
disable_clk:
clk_disable_unprepare(ss->clk);
release_dma:
- sprd_spi_dma_release(ss);
+ if (ss->dma.enable)
+ sprd_spi_dma_release(ss);
free_controller:
spi_controller_put(sctlr);
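Review bot: the new guard at release_dma: only helps if ss->dma.enable is false whenever DMA setup failed and the driver fell back to PIO. The hunk does not show where the flag is set, so please confirm it is cleared (or never set) on that path, and that the remove path applies the same test before calling sprd_spi_dma_release(). Minor: the commit message calls the field dma.enabled while the code tests dma.enable.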
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 870/969] spi: ti-qspi: fix use-after-free after DMA setup failure
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (868 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 869/969] spi: sprd: fix error pointer deref after DMA setup failure Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 871/969] RDMA/siw: Reject MPA FPDU length underflow before signed receive math Greg Kroah-Hartman
` (105 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Vignesh R, Johan Hovold, Mark Brown
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit ea6ec3343e05f7937a53eb6d7617b3abdb4abc19 upstream.
The driver falls back to PIO mode if DMA setup fails during probe.
Make sure to clear the DMA channel pointer also if buffer allocation
fails to avoid passing a pointer to the released channel to the DMA
engine (or trying to free the channel a second time on late probe errors
or driver unbind).
This issue was flagged by Sashiko when reviewing a devres allocation
conversion patch.
Fixes: c687c46e9e45 ("spi: spi-ti-qspi: Use bounce buffer if read buffer is not DMA'ble")
Link: https://sashiko.dev/#/patchset/20260505072909.618363-1-johan%40kernel.org?part=17
Cc: stable@vger.kernel.org # 4.12
Cc: Vignesh R <vigneshr@ti.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260512074809.915084-1-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-ti-qspi.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/spi/spi-ti-qspi.c
+++ b/drivers/spi/spi-ti-qspi.c
@@ -875,6 +875,7 @@ static int ti_qspi_probe(struct platform
dev_err(qspi->dev,
"dma_alloc_coherent failed, using PIO mode\n");
dma_release_channel(qspi->rx_chan);
+ qspi->rx_chan = NULL;
goto no_dma;
}
master->dma_rx = qspi->rx_chan;
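Review bot: setting qspi->rx_chan = NULL after dma_release_channel() relies on every later user testing the pointer for NULL before using or releasing it. Please confirm that the no_dma path, the late probe error path and the unbind path all check qspi->rx_chan first; those sites are outside this hunk. A brief comment on the new line saying that the NULL marks the PIO fallback would make the intent clear.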
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 871/969] RDMA/siw: Reject MPA FPDU length underflow before signed receive math
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (869 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 870/969] spi: ti-qspi: fix use-after-free " Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 872/969] LoongArch: Remove unused code to avoid build warning Greg Kroah-Hartman
` (104 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Bernard Metzler,
Jason Gunthorpe
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit 0ce1bc9e46ecabe84772bb561e373c0d9876d6f2 upstream.
A malicious connected siw peer can send an iWARP FPDU whose MPA length
field (c_hdr->mpa_len, 16 bit big-endian, peer-controlled) is smaller
than the fixed DDP/RDMAP header for the announced opcode. Soft-iWARP
parses the full header in siw_get_hdr() based on iwarp_pktinfo[opcode]
.hdr_len, but never compares mpa_len against that header length.
siw_tcp_rx_data() then derives
srx->fpdu_part_rem = be16_to_cpu(mpa_len) - fpdu_part_rcvd
+ MPA_HDR_SIZE;
where fpdu_part_rcvd equals iwarp_pktinfo[opcode].hdr_len at this
point. For a tagged WRITE (hdr_len 16, MPA_HDR_SIZE 2) the smallest
on-wire mpa_len of 0 yields fpdu_part_rem = -14, and any mpa_len below
hdr_len - MPA_HDR_SIZE underflows to a negative int.
The signed value then flows into siw_proc_write()/siw_proc_rresp() as
bytes = min(srx->fpdu_part_rem, srx->skb_new);
is handed to siw_check_mem() as an int len (whose interval check
addr + len > mem->va + mem->len is satisfied for a valid base when
len is negative), and reaches siw_rx_data() -> siw_rx_kva() /
siw_rx_umem() -> skb_copy_bits() as a signed copy length. The header
copy branch in skb_copy_bits() promotes that to size_t, producing a
multi-gigabyte read.
KASAN under a KUnit harness that drives the real kernel TCP receive
path -- a loopback AF_INET socketpair, the malformed FPDU written via
kernel_sendmsg, sk_data_ready firing in softirq, tcp_read_sock
dispatching to siw_tcp_rx_data -- reports:
BUG: KASAN: use-after-free in skb_copy_bits+0x284/0x480
Read of size 4294967295 at addr ffff888...
Call Trace:
skb_copy_bits
siw_rx_kva
siw_rx_data
siw_check_mem
siw_proc_write
siw_tcp_rx_data
__tcp_read_sock
siw_qp_llp_data_ready
tcp_data_ready
tcp_data_queue
Add the missing invariant at the earliest point where the peer header
is fully assembled. iwarp_pktinfo[*].hdr_len - MPA_HDR_SIZE is exactly
the value the siw transmitter uses as the minimum mpa_len for each
opcode (drivers/infiniband/sw/siw/siw_qp.c:33), so this matches the
protocol contract. Out-of-range FPDUs terminate the connection with
TERM_ERROR_LAYER_LLP / LLP_ETYPE_MPA / LLP_ECODE_FPDU_START -- which
is RFC 5044 Section 8 error code 3 ("Marker and ULPDU Length fields
do not agree on the start of an FPDU"), the correct framing-error
class for this inconsistency.
Fixes: 8b6a361b8c48 ("rdma/siw: receive path")
Link: https://patch.msgid.link/r/20260513175325.2042630-2-michael.bommarito@gmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Assisted-by: Claude:claude-opus-4-7
Acked-by: Bernard Metzler <bernard.metzler@linux.dev>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/sw/siw/siw_qp_rx.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
--- a/drivers/infiniband/sw/siw/siw_qp_rx.c
+++ b/drivers/infiniband/sw/siw/siw_qp_rx.c
@@ -1102,6 +1102,21 @@ static int siw_get_hdr(struct siw_rx_str
}
/*
+ * Peer-controlled mpa_len must not underflow srx->fpdu_part_rem
+ * in siw_tcp_rx_data(); a negative value flows as a signed copy
+ * length into siw_check_mem() and skb_copy_bits().
+ */
+ if (unlikely(be16_to_cpu(c_hdr->mpa_len) + MPA_HDR_SIZE <
+ iwarp_pktinfo[opcode].hdr_len)) {
+ pr_warn_ratelimited("siw: short mpa_len %u for opcode %u (hdr_len %u)\n",
+ be16_to_cpu(c_hdr->mpa_len), opcode,
+ iwarp_pktinfo[opcode].hdr_len);
+ siw_init_terminate(rx_qp(srx), TERM_ERROR_LAYER_LLP,
+ LLP_ETYPE_MPA, LLP_ECODE_FPDU_START, 0);
+ return -EINVAL;
+ }
+
+ /*
* DDP/RDMAP header receive completed. Check if the current
* DDP segment starts a new RDMAP message or continues a previously
* started RDMAP message.
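Review bot: in the new check in siw_get_hdr(), be16_to_cpu(c_hdr->mpa_len) is evaluated once for the comparison and again as the pr_warn_ratelimited() argument; convert it once into a local so the logged value is by construction the value that was tested. The comment describes the downstream damage but not the invariant itself; stating it as "mpa_len + MPA_HDR_SIZE >= hdr_len for the opcode" would make the condition easier to audit. Keeping the warning rate-limited is right, since the peer controls how often this path fires.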
^ permalink raw reply [flat|nested] 982+ messages in thread
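The length arithmetic described in the commit message above, carried through in user space as an added example (not code from the patch or from siw). The constants 16 and 2 are the ones the commit message gives; the function names, the sample header bytes and the simplified interval check are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MPA_HDR_SIZE         2   /* value stated in the commit message */
#define TAGGED_WRITE_HDR_LEN 16  /* tagged WRITE hdr_len, per the commit message */

/* Constructed sample data: first two bytes of an FPDU (big-endian mpa_len). */
static const uint8_t short_fpdu[2] = { 0x00, 0x00 };  /* mpa_len = 0  */
static const uint8_t good_fpdu[2]  = { 0x00, 0x40 };  /* mpa_len = 64 */

/* Read the 16-bit big-endian length field the peer controls. */
static uint16_t mpa_len_from_wire(const uint8_t *fpdu)
{
    return (uint16_t)((fpdu[0] << 8) | fpdu[1]);
}

/* The remaining-bytes expression quoted in the commit message. */
static int fpdu_part_rem(uint16_t mpa_len, int fpdu_part_rcvd)
{
    return (int)mpa_len - fpdu_part_rcvd + MPA_HDR_SIZE;
}

/* bytes = min(fpdu_part_rem, skb_new) on signed ints: a negative
 * remainder always wins the comparison. */
static int copy_bytes(int rem, int skb_new)
{
    return rem < skb_new ? rem : skb_new;
}

/* What a consumer that takes the length as size_t ends up with. */
static size_t as_copy_size(int len)
{
    return (size_t)len;
}

/* Simplified model (assumption) of the interval check the commit message
 * describes: returns 0 when the access is accepted. A negative len moves
 * the computed end below the base, so the upper-bound test cannot fire. */
static int check_mem_model(uint64_t addr, int len, uint64_t va, uint64_t mem_len)
{
    if (addr < va || addr + (uint64_t)(int64_t)len > va + mem_len)
        return -1;
    return 0;
}

/* The invariant the patch adds; nonzero means the header is acceptable. */
static int mpa_len_valid(uint16_t mpa_len, int hdr_len)
{
    return (int)mpa_len + MPA_HDR_SIZE >= hdr_len;
}

/* One receive step with the check in place: returns the number of bytes
 * to copy, or -1 when the FPDU is rejected before any length math. */
static int rx_step(const uint8_t *fpdu, int hdr_len, int skb_new)
{
    uint16_t mpa_len = mpa_len_from_wire(fpdu);

    if (!mpa_len_valid(mpa_len, hdr_len))
        return -1;
    return copy_bytes(fpdu_part_rem(mpa_len, hdr_len), skb_new);
}

int main(void)
{
    const uint8_t *samples[2] = { short_fpdu, good_fpdu };

    for (int i = 0; i < 2; i++) {
        uint16_t len = mpa_len_from_wire(samples[i]);
        int rem = fpdu_part_rem(len, TAGGED_WRITE_HDR_LEN);

        printf("mpa_len=%u unchecked rem=%d as size_t=%zu checked=%d\n",
               (unsigned)len, rem, as_copy_size(rem),
               rx_step(samples[i], TAGGED_WRITE_HDR_LEN, 1024));
    }
    return 0;
}
```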
* [PATCH 6.1 872/969] LoongArch: Remove unused code to avoid build warning
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (870 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 871/969] RDMA/siw: Reject MPA FPDU length underflow before signed receive math Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 873/969] device property: set fwnode->secondary to NULL in fwnode_init() Greg Kroah-Hartman
` (103 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Guo Ren, Huacai Chen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huacai Chen <chenhuacai@loongson.cn>
commit 0ccc9d47cf020994097ff51827cebd04aa2b0bf4 upstream.
After commit feee6b2989165631b1 ("mm/memory_hotplug: shrink zones when
offlining memory"), __remove_pages() doesn't need the "zone" parameter
so the "page" variable is also unused. Remove the unused code to avoid
such build warning:
arch/loongarch/mm/init.c: In function 'arch_remove_memory':
arch/loongarch/mm/init.c:134:22: warning: variable 'page' set but not used [-Wunused-but-set-variable=]
134 | struct page *page = pfn_to_page(start_pfn);
Cc: <stable@vger.kernel.org>
Reviewed-by: Guo Ren <guoren@kernel.org>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/mm/init.c | 4 ----
1 file changed, 4 deletions(-)
--- a/arch/loongarch/mm/init.c
+++ b/arch/loongarch/mm/init.c
@@ -132,11 +132,7 @@ void arch_remove_memory(u64 start, u64 s
{
unsigned long start_pfn = start >> PAGE_SHIFT;
unsigned long nr_pages = size >> PAGE_SHIFT;
- struct page *page = pfn_to_page(start_pfn);
- /* With altmap the first mapped page is offset from @start */
- if (altmap)
- page += vmem_altmap_offset(altmap);
__remove_pages(start_pfn, nr_pages, altmap);
}
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 873/969] device property: set fwnode->secondary to NULL in fwnode_init()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (871 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 872/969] LoongArch: Remove unused code to avoid build warning Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 874/969] drm/virtio: use uninterruptible resv lock for plane updates Greg Kroah-Hartman
` (102 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Bartosz Golaszewski,
Rafael J. Wysocki (Intel), Andy Shevchenko, Sakari Ailus
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
commit 215c90ee656114f5e8c32408228d97082f8e0eef upstream.
If a firmware node is allocated on the stack (for instance: temporary
software node whose life-time we control) or on the heap - but using a
non-zeroing allocation function - and initialized using fwnode_init(),
its secondary pointer will contain uninitialized memory which likely will
be neither NULL nor IS_ERR() and so may end up being dereferenced (for
example: in dev_to_swnode()). Set fwnode->secondary to NULL on
initialization.
Cc: stable <stable@kernel.org>
Fixes: 01bb86b380a3 ("driver core: Add fwnode_init()")
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Reviewed-by: Rafael J. Wysocki (Intel) <rafael@kernel.org>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Link: https://patch.msgid.link/20260506115701.23035-1-bartosz.golaszewski@oss.qualcomm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/fwnode.h | 1 +
1 file changed, 1 insertion(+)
--- a/include/linux/fwnode.h
+++ b/include/linux/fwnode.h
@@ -193,6 +193,7 @@ struct fwnode_operations {
static inline void fwnode_init(struct fwnode_handle *fwnode,
const struct fwnode_operations *ops)
{
+ fwnode->secondary = NULL;
fwnode->ops = ops;
INIT_LIST_HEAD(&fwnode->consumers);
INIT_LIST_HEAD(&fwnode->suppliers);
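Review bot: placing `fwnode->secondary = NULL;` first in fwnode_init() overwrites whatever a caller stored in secondary before calling the initializer, so any call site that assigns secondary first and initializes afterwards now silently loses it. Worth a grep of fwnode_init() callers for that ordering, and a kernel-doc line on fwnode_init() saying that it resets secondary so future callers know to assign it afterwards.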
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 874/969] drm/virtio: use uninterruptible resv lock for plane updates
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (872 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 873/969] device property: set fwnode->secondary to NULL in fwnode_init() Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 875/969] drm/bridge: it66121: acquire reset GPIO in probe Greg Kroah-Hartman
` (101 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+72bd3dd3a5d5f39a0271,
Deepanshu Kartikey, Dmitry Osipenko
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Deepanshu Kartikey <kartikey406@gmail.com>
commit 9af1b6e175c82daf4b423da339a722d8e67a735a upstream.
virtio_gpu_cursor_plane_update() and virtio_gpu_resource_flush() lock
the framebuffer BO's dma_resv via virtio_gpu_array_lock_resv() and
ignore its return value. The function can fail with -EINTR from
dma_resv_lock_interruptible() (signal during lock wait) or with
-ENOMEM from dma_resv_reserve_fences() (fence slot allocation),
leaving the resv lock not held. The queue path then walks the object
array and calls dma_resv_add_fence(), which requires the lock held;
with lockdep enabled this trips dma_resv_assert_held():
WARNING: drivers/dma-buf/dma-resv.c:296 at dma_resv_add_fence+0x71e/0x840
Call Trace:
virtio_gpu_array_add_fence
virtio_gpu_queue_ctrl_sgs
virtio_gpu_queue_fenced_ctrl_buffer
virtio_gpu_cursor_plane_update
drm_atomic_helper_commit_planes
drm_atomic_helper_commit_tail
commit_tail
drm_atomic_helper_commit
drm_atomic_commit
drm_atomic_helper_update_plane
__setplane_atomic
drm_mode_cursor_universal
drm_mode_cursor_common
drm_mode_cursor_ioctl
drm_ioctl
__x64_sys_ioctl
Beyond the WARN, mutating the dma_resv fence list without the lock
races with concurrent readers/writers and can corrupt the list.
Both call sites run inside the .atomic_update plane callback, which
DRM atomic helpers do not allow to fail (by the time it runs, the
commit has been signed off to userspace and there is no clean
rollback path). Moving the lock acquisition to .prepare_fb was
rejected because the broader lock scope deadlocks against other BO
locking paths in the same atomic commit.
Introduce virtio_gpu_lock_one_resv_uninterruptible() that uses
dma_resv_lock() instead of dma_resv_lock_interruptible(). This
eliminates the -EINTR failure mode -- the realistic syzbot trigger
-- without extending the lock hold across the commit. The helper
locks a single BO and rejects nents > 1 with -EINVAL; both fix
sites lock exactly one BO.
Use it from virtio_gpu_cursor_plane_update() and
virtio_gpu_resource_flush(); check the return value to handle the
remaining -ENOMEM case from dma_resv_reserve_fences() by freeing
the objs and skipping the plane update for that frame. The
framebuffer BOs touched here are not shared with other contexts
and lock contention is expected to be brief, so the loss of
signal-interruptibility is acceptable.
Other callers of virtio_gpu_array_lock_resv() (the ioctl paths)
continue to use the interruptible variant.
The bug was reported by syzbot, triggered via fault injection
(fail_nth) on the DRM_IOCTL_MODE_CURSOR path, which forces the
-ENOMEM branch in dma_resv_reserve_fences().
Reported-by: syzbot+72bd3dd3a5d5f39a0271@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=72bd3dd3a5d5f39a0271
Fixes: 5cfd31c5b3a3 ("drm/virtio: fix virtio_gpu_cursor_plane_update().")
Cc: stable@vger.kernel.org
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Link: https://patch.msgid.link/20260519082247.34470-1-kartikey406@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/virtio/virtgpu_drv.h | 1 +
drivers/gpu/drm/virtio/virtgpu_gem.c | 17 +++++++++++++++++
drivers/gpu/drm/virtio/virtgpu_plane.c | 10 ++++++++--
3 files changed, 26 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/virtio/virtgpu_drv.h
+++ b/drivers/gpu/drm/virtio/virtgpu_drv.h
@@ -311,6 +311,7 @@ virtio_gpu_array_from_handles(struct drm
void virtio_gpu_array_add_obj(struct virtio_gpu_object_array *objs,
struct drm_gem_object *obj);
int virtio_gpu_array_lock_resv(struct virtio_gpu_object_array *objs);
+int virtio_gpu_lock_one_resv_uninterruptible(struct virtio_gpu_object_array *objs);
void virtio_gpu_array_unlock_resv(struct virtio_gpu_object_array *objs);
void virtio_gpu_array_add_fence(struct virtio_gpu_object_array *objs,
struct dma_fence *fence);
--- a/drivers/gpu/drm/virtio/virtgpu_gem.c
+++ b/drivers/gpu/drm/virtio/virtgpu_gem.c
@@ -236,6 +236,23 @@ int virtio_gpu_array_lock_resv(struct vi
return ret;
}
+int virtio_gpu_lock_one_resv_uninterruptible(struct virtio_gpu_object_array *objs)
+{
+ int ret;
+
+ if (objs->nents != 1)
+ return -EINVAL;
+
+ dma_resv_lock(objs->objs[0]->resv, NULL);
+
+ ret = dma_resv_reserve_fences(objs->objs[0]->resv, 1);
+ if (ret) {
+ virtio_gpu_array_unlock_resv(objs);
+ return ret;
+ }
+ return 0;
+}
+
void virtio_gpu_array_unlock_resv(struct virtio_gpu_object_array *objs)
{
if (objs->nents == 1) {
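Review bot: the `objs->nents != 1` branch in virtio_gpu_lock_one_resv_uninterruptible() returns -EINVAL with no diagnostic, and both callers in virtgpu_plane.c treat any non-zero return as "drop this update", so a future caller passing a multi-object array would fail quietly. A WARN_ON_ONCE() on that condition would make misuse visible. The function also needs a short comment saying that it takes the lock and reserves one fence slot, and that the caller must not unlock after a failure return because the error path has already called virtio_gpu_array_unlock_resv().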
--- a/drivers/gpu/drm/virtio/virtgpu_plane.c
+++ b/drivers/gpu/drm/virtio/virtgpu_plane.c
@@ -158,7 +158,10 @@ static void virtio_gpu_resource_flush(st
if (!objs)
return;
virtio_gpu_array_add_obj(objs, vgfb->base.obj[0]);
- virtio_gpu_array_lock_resv(objs);
+ if (virtio_gpu_lock_one_resv_uninterruptible(objs)) {
+ virtio_gpu_array_put_free(objs);
+ return;
+ }
virtio_gpu_cmd_resource_flush(vgdev, bo->hw_res_handle, x, y,
width, height, objs,
vgplane_st->fence);
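Review bot: when virtio_gpu_lock_one_resv_uninterruptible() fails in virtio_gpu_resource_flush(), the flush is dropped with no log line, so a missed frame under memory pressure leaves no trace. A rate-limited debug message before `virtio_gpu_array_put_free(objs);` would help when diagnosing display glitches. The same three-line error block is repeated in virtio_gpu_cursor_plane_update() and could be shared.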
@@ -329,7 +332,10 @@ static void virtio_gpu_cursor_plane_upda
if (!objs)
return;
virtio_gpu_array_add_obj(objs, vgfb->base.obj[0]);
- virtio_gpu_array_lock_resv(objs);
+ if (virtio_gpu_lock_one_resv_uninterruptible(objs)) {
+ virtio_gpu_array_put_free(objs);
+ return;
+ }
virtio_gpu_cmd_transfer_to_host_2d
(vgdev, 0,
plane->state->crtc_w,
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 875/969] drm/bridge: it66121: acquire reset GPIO in probe
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (873 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 874/969] drm/virtio: use uninterruptible resv lock for plane updates Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 876/969] drm/bridge: megachips: remove bridge when irq request fails Greg Kroah-Hartman
` (100 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Julien Chauveau,
Javier Martinez Canillas
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Julien Chauveau <chauveau.julien@gmail.com>
commit e02b5262fd288cc235f14e12233ea54e78c04611 upstream.
The it66121_ctx structure has a gpio_reset field, and it66121_hw_reset()
calls gpiod_set_value() on it. However, the GPIO descriptor is never
acquired via devm_gpiod_get(), leaving gpio_reset as NULL throughout
the driver lifetime.
gpiod_set_value() silently returns when passed a NULL descriptor, so
the hardware reset sequence in it66121_hw_reset() is a no-op. This
leaves the chip in an undefined state at probe time, which can prevent
it from responding on the I2C bus.
The DT binding marks reset-gpios as a required property, so all
compliant device trees provide this GPIO. Add the missing
devm_gpiod_get() call after enabling power supplies and before the
hardware reset, so the chip is properly reset with power applied.
Fixes: 988156dc2fc9 ("drm: bridge: add it66121 driver")
Cc: stable@vger.kernel.org
Signed-off-by: Julien Chauveau <chauveau.julien@gmail.com>
Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
Tested-by: Javier Martinez Canillas <javierm@redhat.com>
Link: https://patch.msgid.link/20260324193011.16583-1-chauveau.julien@gmail.com
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/bridge/ite-it66121.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/gpu/drm/bridge/ite-it66121.c
+++ b/drivers/gpu/drm/bridge/ite-it66121.c
@@ -1582,6 +1582,11 @@ static int it66121_probe(struct i2c_clie
if (ret)
return ret;
+ ctx->gpio_reset = devm_gpiod_get(dev, "reset", GPIOD_OUT_LOW);
+ if (IS_ERR(ctx->gpio_reset))
+ return dev_err_probe(dev, PTR_ERR(ctx->gpio_reset),
+ "Failed to get reset GPIO\n");
+
it66121_hw_reset(ctx);
ctx->regmap = devm_regmap_init_i2c(client, &it66121_regmap_config);
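Review bot: devm_gpiod_get() is the non-optional variant, so a board whose device tree lacks reset-gpios, which probed before this change with a no-op reset, now fails probe with "Failed to get reset GPIO". If such device trees exist in the field for 6.1, devm_gpiod_get_optional() keeps them working while still fixing compliant ones. Also confirm that returning from this new error path does not leave the power supplies enabled by the preceding step switched on.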
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 876/969] drm/bridge: megachips: remove bridge when irq request fails
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (874 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 875/969] drm/bridge: it66121: acquire reset GPIO in probe Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 877/969] drm/amd/display: Fix integer overflow in bios_get_image() Greg Kroah-Hartman
` (99 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Osama Abdelkader, Luca Ceresoli,
Ian Ray
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Osama Abdelkader <osama.abdelkader@gmail.com>
commit d45d5c819f2cd0b6b5d76a194a537a5f4aeefecb upstream.
If devm_request_threaded_irq() fails after drm_bridge_add(), remove the
bridge before returning.
Keep drm_bridge_add() rather than devm_drm_bridge_add(): registration is
tied to the STDP4028 device while ge_b850v3_register() may complete from
either I2C probe; devm would not unwind the bridge if the other client's
probe fails.
Signed-off-by: Osama Abdelkader <osama.abdelkader@gmail.com>
Fixes: fcfa0ddc18ed ("drm/bridge: Drivers for megachips-stdpxxxx-ge-b850v3-fw (LVDS-DP++)")
Cc: stable@vger.kernel.org
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Tested-by: Ian Ray <ian.ray@gehealthcare.com>
Link: https://patch.msgid.link/20260430195700.80317-1-osama.abdelkader@gmail.com
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c | 16 +++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
--- a/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c
+++ b/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c
@@ -302,7 +302,6 @@ static void ge_b850v3_lvds_remove(void)
goto out;
drm_bridge_remove(&ge_b850v3_lvds_ptr->bridge);
-
ge_b850v3_lvds_ptr = NULL;
out:
mutex_unlock(&ge_b850v3_lvds_dev_mutex);
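Review bot: the only change in this hunk is dropping the blank line after drm_bridge_remove() in ge_b850v3_lvds_remove(), which is unrelated to the IRQ-failure fix. Leaving the whitespace as it was keeps the change limited to the error path it is meant to repair.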
@@ -312,6 +311,7 @@ static int ge_b850v3_register(void)
{
struct i2c_client *stdp4028_i2c = ge_b850v3_lvds_ptr->stdp4028_i2c;
struct device *dev = &stdp4028_i2c->dev;
+ int ret;
/* drm bridge initialization */
ge_b850v3_lvds_ptr->bridge.funcs = &ge_b850v3_lvds_funcs;
@@ -329,11 +329,15 @@ static int ge_b850v3_register(void)
if (!stdp4028_i2c->irq)
return 0;
- return devm_request_threaded_irq(&stdp4028_i2c->dev,
- stdp4028_i2c->irq, NULL,
- ge_b850v3_lvds_irq_handler,
- IRQF_TRIGGER_HIGH | IRQF_ONESHOT,
- "ge-b850v3-lvds-dp", ge_b850v3_lvds_ptr);
+ ret = devm_request_threaded_irq(&stdp4028_i2c->dev,
+ stdp4028_i2c->irq, NULL,
+ ge_b850v3_lvds_irq_handler,
+ IRQF_TRIGGER_HIGH | IRQF_ONESHOT,
+ "ge-b850v3-lvds-dp", ge_b850v3_lvds_ptr);
+ if (ret)
+ drm_bridge_remove(&ge_b850v3_lvds_ptr->bridge);
+
+ return ret;
}
static int stdp4028_ge_b850v3_fw_probe(struct i2c_client *stdp4028_i2c,
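Review bot: after the new drm_bridge_remove() on devm_request_threaded_irq() failure in ge_b850v3_register(), ge_b850v3_lvds_ptr is still non-NULL, and ge_b850v3_lvds_remove() calls drm_bridge_remove() on the same bridge before clearing the pointer. Unless the test in front of its `goto out` covers this case, a failing probe or a later remove of either I2C client that reaches ge_b850v3_lvds_remove() removes the bridge twice. Please confirm the callers' error paths, or record that the bridge is no longer registered so the remove helper can skip it.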
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 877/969] drm/amd/display: Fix integer overflow in bios_get_image()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (875 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 876/969] drm/bridge: megachips: remove bridge when irq request fails Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 878/969] drm/amd/display: Validate GPIO pin LUT table size before iterating Greg Kroah-Hartman
` (98 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Hung, Harry Wentland,
Ivan Lipski, Dan Wheeler, Alex Deucher
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Harry Wentland <harry.wentland@amd.com>
commit cd86529ec61474a38c3837fb7823790a7c3f8cce upstream.
[Why&How]
The bounds check in bios_get_image() computes 'offset + size' using
unsigned 32-bit arithmetic before comparing against bios_size. If a
VBIOS image contains a near-UINT32_MAX offset the addition wraps to a
small value, the comparison passes, and the function returns a wild
pointer past the VBIOS mapping.
Additionally, the comparison uses '<' (strict), which incorrectly
rejects the valid exact-fit case where offset + size == bios_size.
Fix both issues by restructuring the check to avoid the addition
entirely: first reject if offset alone exceeds bios_size, then check
size against the remaining space (bios_size - offset). This eliminates
the overflow and correctly permits exact-fit accesses.
Assisted-by: GitHub Copilot:claude-opus-4.6
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Ivan Lipski <ivan.lipski@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit d40fb392af659c4a02b560319f226842f6ec1a95)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/bios/bios_parser_helper.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/drivers/gpu/drm/amd/display/dc/bios/bios_parser_helper.c
+++ b/drivers/gpu/drm/amd/display/dc/bios/bios_parser_helper.c
@@ -37,10 +37,13 @@ uint8_t *bios_get_image(struct dc_bios *
uint32_t offset,
uint32_t size)
{
- if (bp->bios && offset + size < bp->bios_size)
- return bp->bios + offset;
- else
+ if (!bp->bios)
return NULL;
+
+ if (offset > bp->bios_size || size > bp->bios_size - offset)
+ return NULL;
+
+ return bp->bios + offset;
}
#include "reg_helper.h"
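Review bot: with `offset > bp->bios_size` as the first test, a call with offset == bp->bios_size and size == 0 passes both checks and returns bp->bios + offset, a pointer one past the end of the image. That is harmless only if no caller dereferences the result of a zero-size request. Either reject size == 0 or use `offset >= bp->bios_size`, depending on whether the exact-end, zero-length case is meant to be valid, and say which in a comment.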
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 878/969] drm/amd/display: Validate GPIO pin LUT table size before iterating
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (876 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 877/969] drm/amd/display: Fix integer overflow in bios_get_image() Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 879/969] drm/amd/display: Validate payload length and link_index in dc_process_dmub_aux_transfer_async Greg Kroah-Hartman
` (97 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Hung, Harry Wentland,
Ivan Lipski, Dan Wheeler, Alex Deucher
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Harry Wentland <harry.wentland@amd.com>
commit 86d2b20644b11d21fe52c596e6e922b4590a3e3f upstream.
[Why&How]
The GPIO pin table parsers in get_gpio_i2c_info() and
bios_parser_get_gpio_pin_info() derive an element count from the VBIOS
table_header.structuresize field, then iterate over gpio_pin[] entries.
However, GET_IMAGE() only validates that the table header itself fits
within the BIOS image. If the VBIOS reports a structuresize larger than
the actual mapped data, the loop reads past the end of the BIOS image,
causing an out-of-bounds read.
Fix this by calling bios_get_image() to validate that the full claimed
structuresize is accessible within the BIOS image before entering the
loop in both functions.
Assisted-by: GitHub Copilot:claude-opus-4-6
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Ivan Lipski <ivan.lipski@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit ba5e95b43b773ae1bf1f66ee6b31eb774e65afe3)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
+++ b/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
@@ -490,6 +490,10 @@ static enum bp_result get_gpio_i2c_info(
- sizeof(struct atom_common_table_header))
/ sizeof(struct atom_gpio_pin_assignment);
+ if (!bios_get_image(&bp->base, DATA_TABLES(gpio_pin_lut),
+ le16_to_cpu(header->table_header.structuresize)))
+ return BP_RESULT_BADBIOSTABLE;
+
pin = (struct atom_gpio_pin_assignment *) header->gpio_pin;
for (table_index = 0; table_index < count; table_index++) {
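Review bot: in get_gpio_i2c_info() the new bios_get_image() call sits after count has already been derived, and le16_to_cpu(header->table_header.structuresize) is read once for count and again for the check. Take structuresize into a local, do the range check first, and compute count from the validated value so the two can never disagree. The returned pointer is discarded; a short comment that the call is used purely as a bounds check would stop a later reader from "fixing" it.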
@@ -680,6 +684,11 @@ static enum bp_result bios_parser_get_gp
count = (le16_to_cpu(header->table_header.structuresize)
- sizeof(struct atom_common_table_header))
/ sizeof(struct atom_gpio_pin_assignment);
+
+ if (!bios_get_image(&bp->base, DATA_TABLES(gpio_pin_lut),
+ le16_to_cpu(header->table_header.structuresize)))
+ return BP_RESULT_BADBIOSTABLE;
+
for (i = 0; i < count; ++i) {
if (header->gpio_pin[i].gpio_id != gpio_id)
continue;
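Review bot: count is computed as structuresize minus sizeof(struct atom_common_table_header) before any lower bound is applied, and the added bios_get_image() call only enforces an upper bound. A VBIOS structuresize smaller than the common header passes the new check, the subtraction involving sizeof() wraps as an unsigned value, and the loop bound no longer reflects the table. Reject structuresize below sizeof(struct atom_common_table_header) alongside the new check; the same applies to the matching check in get_gpio_i2c_info().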
^ permalink raw reply [flat|nested] 982+ messages in thread
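The two bounds checks discussed in patches 877 and 878 above, side by side as an added example (not code from the patches or from the amdgpu driver): the wrapping `offset + size` test against the subtraction form, then a table walk that validates the full claimed size before counting entries. The 4-byte header with a leading little-endian size field, the 4-byte entry size, the sample image and all function names are assumptions of this model; the lower-bound check on the size field is this example's own addition.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HDR_SIZE   4u  /* assumed size of the table header in this model */
#define ENTRY_SIZE 4u  /* assumed size of one table entry in this model  */

struct image {
    const uint8_t *base;
    uint32_t size;
};

/* Constructed sample image: 32 bytes, with a table header at offset 16. */
static uint8_t sample[32];

/* Store a little-endian 16-bit size field at the given offset. */
static void set_structuresize(uint32_t off, uint16_t v)
{
    sample[off] = (uint8_t)(v & 0xff);
    sample[off + 1] = (uint8_t)(v >> 8);
}

/* Pre-patch form: the 32-bit sum wraps for offsets near UINT32_MAX,
 * and '<' rejects the exact-fit case. */
static int range_ok_old(const struct image *im, uint32_t off, uint32_t len)
{
    return im->base && off + len < im->size;
}

/* Post-patch form: no addition, so nothing can wrap. */
static int range_ok_new(const struct image *im, uint32_t off, uint32_t len)
{
    if (!im->base)
        return 0;
    if (off > im->size || len > im->size - off)
        return 0;
    return 1;
}

static uint16_t rd_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Number of entries in the table at table_off, or -1 if the table's
 * claimed size cannot be trusted. */
static int count_entries(const struct image *im, uint32_t table_off)
{
    uint16_t structuresize;

    /* The header itself must be inside the image before it is read. */
    if (!range_ok_new(im, table_off, HDR_SIZE))
        return -1;
    structuresize = rd_le16(im->base + table_off);

    /* Lower bound (added in this example): keeps the subtraction below
     * from wrapping when the claimed size is smaller than the header. */
    if (structuresize < HDR_SIZE)
        return -1;

    /* Upper bound: the whole claimed table must be inside the image. */
    if (!range_ok_new(im, table_off, structuresize))
        return -1;

    return (int)((structuresize - HDR_SIZE) / ENTRY_SIZE);
}

int main(void)
{
    struct image im = { sample, sizeof(sample) };
    const uint16_t claims[3] = { 12, 64, 2 };

    printf("wrap case: old=%d new=%d\n",
           range_ok_old(&im, 0xFFFFFFF0u, 0x20u),
           range_ok_new(&im, 0xFFFFFFF0u, 0x20u));
    printf("exact fit: old=%d new=%d\n",
           range_ok_old(&im, 16, 16), range_ok_new(&im, 16, 16));

    for (int i = 0; i < 3; i++) {
        set_structuresize(16, claims[i]);
        printf("structuresize=%u -> entries=%d\n",
               (unsigned)claims[i], count_entries(&im, 16));
    }
    return 0;
}
```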
* [PATCH 6.1 879/969] drm/amd/display: Validate payload length and link_index in dc_process_dmub_aux_transfer_async
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (877 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 878/969] drm/amd/display: Validate GPIO pin LUT table size before iterating Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 880/969] batman-adv: mcast: fix use-after-free in orig_node RCU release Greg Kroah-Hartman
` (96 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Hung, Harry Wentland,
Ivan Lipski, Dan Wheeler, Alex Deucher
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Harry Wentland <harry.wentland@amd.com>
commit 6c92f6d9600efa3ef0d9e560a2b52776d9803c29 upstream.
[Why&How]
dc_process_dmub_aux_transfer_async() copies payload->length bytes into a
16-byte stack buffer (dpaux.data[16]) guarded only by an ASSERT(), which
is a no-op in release builds. If a caller ever passes length > 16 this
results in a stack buffer overflow via memcpy.
Additionally, link_index is used to dereference dc->links[] without
bounds checking against dc->link_count, risking an out-of-bounds access.
Replace the ASSERT with a hard runtime check that returns false when
payload->length exceeds the destination buffer size, and add a bounds
check for link_index before it is used.
Assisted-by: GitHub Copilot:Claude claude-4-opus
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Ivan Lipski <ivan.lipski@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit ba4caa9fecdf7a38f98c878ad05a8a64148b6881)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/core/dc.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/amd/display/dc/core/dc.c
+++ b/drivers/gpu/drm/amd/display/dc/core/dc.c
@@ -4737,7 +4737,11 @@ bool dc_process_dmub_aux_transfer_async(
union dmub_rb_cmd cmd = {0};
struct dc_dmub_srv *dmub_srv = dc->ctx->dmub_srv;
- ASSERT(payload->length <= 16);
+ if (link_index >= dc->link_count || !dc->links[link_index])
+ return false;
+
+ if (payload->length > sizeof(cmd.dp_aux_access.aux_control.dpaux.data))
+ return false;
cmd.dp_aux_access.header.type = DMUB_CMD__DP_AUX_ACCESS;
cmd.dp_aux_access.header.payload_bytes = 0;
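Review bot: replacing the ASSERT with a bare `return false` when payload->length exceeds sizeof(cmd.dp_aux_access.aux_control.dpaux.data) removes the only signal that a caller passed an oversize payload. A WARN_ON_ONCE() or a rate-limited error on both new failure paths keeps the overflow fixed while still surfacing the caller bug. If link_index is a signed type in the function signature (not visible in this hunk), the `>=` comparison against dc->link_count also needs a check for negative values.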
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 880/969] batman-adv: mcast: fix use-after-free in orig_node RCU release
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (878 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 879/969] drm/amd/display: Validate payload length and link_index in dc_process_dmub_aux_transfer_async Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 881/969] batman-adv: clear current gateway during teardown Greg Kroah-Hartman
` (95 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Linus Lüssing,
Sven Eckelmann
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 20c2d6a20ca936f5aaa6dd40f73f262ac45c87cc upstream.
batadv_mcast_purge_orig() removes entries from RCU-protected hlists but
does not wait for an RCU grace period before returning. Concurrent RCU
readers may still access references to those entries at the point of
removal. RCU-protected readers trying to operate on entries like
orig->mcast_want_all_ipv6_node will then access already freed memory.
Fix this by moving batadv_mcast_purge_orig() to batadv_orig_node_release(),
just before the call_rcu() invocation. This ensures RCU readers that were
active at purge time have drained before the orig_node memory is reclaimed.
Cc: stable@kernel.org
Fixes: ab49886e3da7 ("batman-adv: Add IPv4 link-local/IPv6-ll-all-nodes multicast support")
Acked-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/originator.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/net/batman-adv/originator.c
+++ b/net/batman-adv/originator.c
@@ -823,8 +823,6 @@ static void batadv_orig_node_free_rcu(st
orig_node = container_of(rcu, struct batadv_orig_node, rcu);
- batadv_mcast_purge_orig(orig_node);
-
batadv_frag_purge_orig(orig_node, NULL);
kfree(orig_node->tt_buff);
@@ -878,6 +876,8 @@ void batadv_orig_node_release(struct kre
/* Free nc_nodes */
batadv_nc_purge_orig(orig_node->bat_priv, orig_node, NULL);
+ batadv_mcast_purge_orig(orig_node);
+
call_rcu(&orig_node->rcu, batadv_orig_node_free_rcu);
}
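Review bot: batadv_mcast_purge_orig() now runs in batadv_orig_node_release() directly before call_rcu(), and that ordering is what the fix depends on, but nothing in the code says so. Add a comment above the call stating that the mcast list entries must be unlinked before the RCU callback is queued, so a later cleanup does not move it back into batadv_orig_node_free_rcu() next to batadv_frag_purge_orig().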
^ permalink raw reply [flat|nested] 982+ messages in thread
* [PATCH 6.1 881/969] batman-adv: clear current gateway during teardown
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (879 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 880/969] batman-adv: mcast: fix use-after-free in orig_node RCU release Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 882/969] batman-adv: dat: handle forward allocation error Greg Kroah-Hartman
` (94 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
Juefei Pu, Xin Liu, Ruijie Li, Zhanpeng Li, Ren Wei,
Sven Eckelmann
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ruijie Li <ruijieli51@gmail.com>
commit a340a51ed801eab7bb454150c226323b865263cc upstream.
batadv_gw_node_free() removes the gateway list entries during mesh teardown,
but it does not clear the currently selected gateway. This leaves stale
gateway state behind across cleanup and can break a later mesh recreation.
Clear bat_priv->gw.curr_gw before walking the gateway list so the selected
gateway reference is dropped as part of teardown.
Fixes: 2265c1410864 ("batman-adv: gateway election code refactoring")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Ruijie Li <ruijieli51@gmail.com>
Signed-off-by: Zhanpeng Li <lzhanpeng2025@lzu.edu.cn>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/gateway_client.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/net/batman-adv/gateway_client.c
+++ b/net/batman-adv/gateway_client.c
@@ -479,10 +479,14 @@ void batadv_gw_node_delete(struct batadv
*/
void batadv_gw_node_free(struct batadv_priv *bat_priv)
{
+ struct batadv_gw_node *curr_gw;
struct batadv_gw_node *gw_node;
struct hlist_node *node_tmp;
spin_lock_bh(&bat_priv->gw.list_lock);
+ curr_gw = rcu_replace_pointer(bat_priv->gw.curr_gw, NULL, true);
+ batadv_gw_node_put(curr_gw);
+
hlist_for_each_entry_safe(gw_node, node_tmp,
&bat_priv->gw.gateway_list, list) {
hlist_del_init_rcu(&gw_node->list);
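Review bot: rcu_replace_pointer() on the new line after spin_lock_bh(&bat_priv->gw.list_lock) is given a bare "true" as its lockdep condition; lockdep_is_held(&bat_priv->gw.list_lock) would document and enforce that list_lock is what serialises writers of gw.curr_gw. In addition, curr_gw is NULL whenever no gateway was selected, so batadv_gw_node_put(curr_gw) depends on the put helper tolerating NULL, which this hunk does not show and should be confirmed for the 6.1 tree.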
* [PATCH 6.1 882/969] batman-adv: dat: handle forward allocation error
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (880 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 881/969] batman-adv: clear current gateway during teardown Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 883/969] batman-adv: fix fragment reassembly length accounting Greg Kroah-Hartman
` (93 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
Juefei Pu, Xin Liu, Sven Eckelmann
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 2d8826a2d3657cea66fb0370f9e521575a673871 upstream.
batadv_dat_forward_data() calls pskb_copy_for_clone() to duplicate an skb
for each DHT candidate, but does not check the return value before passing
it to batadv_send_skb_prepare_unicast_4addr(). That function dereferences
the skb unconditionally, so a failed allocation triggers a NULL pointer
dereference.
Skip forwarding to the current DHT candidate on allocation failure.
Cc: stable@kernel.org
Fixes: 785ea1144182 ("batman-adv: Distributed ARP Table - create DHT helper functions")
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Reviewed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/distributed-arp-table.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/batman-adv/distributed-arp-table.c
+++ b/net/batman-adv/distributed-arp-table.c
@@ -698,6 +698,9 @@ static bool batadv_dat_forward_data(stru
goto free_orig;
tmp_skb = pskb_copy_for_clone(skb, GFP_ATOMIC);
+ if (!tmp_skb)
+ goto free_neigh;
+
if (!batadv_send_skb_prepare_unicast_4addr(bat_priv, tmp_skb,
cand[i].orig_node,
packet_subtype)) {
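Review bot: the new "if (!tmp_skb)" branch jumps to free_neigh while the check just above it jumps to free_orig, and neither label is visible in the hunk, so confirm that free_neigh releases the neighbour reference and then falls through to the orig_node release; otherwise an allocation failure leaks one of the two. The candidate is also skipped silently, so a reader would benefit from a comment stating that failing for every candidate simply results in nothing being forwarded.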
* [PATCH 6.1 883/969] batman-adv: fix fragment reassembly length accounting
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (881 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 882/969] batman-adv: dat: handle forward allocation error Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 884/969] batman-adv: fix tp_meter counter underflow during shutdown Greg Kroah-Hartman
` (92 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
Juefei Pu, Xin Liu, Ruide Cao, Ren Wei, Ren Wei, Sven Eckelmann
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ruide Cao <caoruide123@gmail.com>
commit 9cd3f16c320bfdadd4509358122368deb56a5741 upstream.
batman-adv keeps a running payload length for queued fragments and uses it
to validate a fragment chain before reassembly.
That accounting currently allows the accumulated fragment length to be
truncated during updates. As a result, malformed fragment chains can
bypass the intended validation and drive reassembly with inconsistent
length state, leading to a local denial of service.
Fix the accounting by storing the accumulated length in a length-typed
field and rejecting update overflows before the existing validation logic
runs.
The fix was verified against the original reproducer and against valid
fragment reassembly paths.
Fixes: 610bfc6bc99b ("batman-adv: Receive fragmented packets and merge")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Ruide Cao <caoruide123@gmail.com>
Tested-by: Ren Wei <enjou1224z@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/fragmentation.c | 23 +++++++++++++++++------
net/batman-adv/types.h | 2 +-
2 files changed, 18 insertions(+), 7 deletions(-)
--- a/net/batman-adv/fragmentation.c
+++ b/net/batman-adv/fragmentation.c
@@ -17,6 +17,7 @@
#include <linux/lockdep.h>
#include <linux/minmax.h>
#include <linux/netdevice.h>
+#include <linux/overflow.h>
#include <linux/skbuff.h>
#include <linux/slab.h>
#include <linux/spinlock.h>
@@ -81,9 +82,9 @@ void batadv_frag_purge_orig(struct batad
*
* Return: the maximum size of payload that can be fragmented.
*/
-static int batadv_frag_size_limit(void)
+static size_t batadv_frag_size_limit(void)
{
- int limit = BATADV_FRAG_MAX_FRAG_SIZE;
+ size_t limit = BATADV_FRAG_MAX_FRAG_SIZE;
limit -= sizeof(struct batadv_frag_packet);
limit *= BATADV_FRAG_MAX_FRAGMENTS;
@@ -144,7 +145,9 @@ static bool batadv_frag_insert_packet(st
struct batadv_frag_packet *frag_packet;
u8 bucket;
u16 seqno, hdr_size = sizeof(struct batadv_frag_packet);
+ bool overflow = false;
bool ret = false;
+ size_t data_len;
/* Linearize packet to avoid linearizing 16 packets in a row when doing
* the later merge. Non-linear merge should be added to remove this
@@ -154,6 +157,7 @@ static bool batadv_frag_insert_packet(st
goto err;
frag_packet = (struct batadv_frag_packet *)skb->data;
+ data_len = skb->len - hdr_size;
seqno = ntohs(frag_packet->seqno);
bucket = seqno % BATADV_FRAG_BUFFER_COUNT;
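Review bot: data_len = skb->len - hdr_size is an unsigned subtraction stored into a size_t, so an skb shorter than sizeof(struct batadv_frag_packet) would wrap to a very large value rather than fail visibly. The later limit check would still reject such a chain, but the guarantee that skb->len >= hdr_size comes from code outside this hunk; a comment naming that check, or an explicit early bail-out here, would make the dependency visible.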
@@ -172,7 +176,7 @@ static bool batadv_frag_insert_packet(st
spin_lock_bh(&chain->lock);
if (batadv_frag_init_chain(chain, seqno)) {
hlist_add_head(&frag_entry_new->list, &chain->fragment_list);
- chain->size = skb->len - hdr_size;
+ chain->size = data_len;
chain->timestamp = jiffies;
chain->total_size = ntohs(frag_packet->total_size);
ret = true;
@@ -189,7 +193,11 @@ static bool batadv_frag_insert_packet(st
if (frag_entry_curr->no < frag_entry_new->no) {
hlist_add_before(&frag_entry_new->list,
&frag_entry_curr->list);
- chain->size += skb->len - hdr_size;
+
+ if (check_add_overflow(chain->size, data_len,
+ &chain->size))
+ overflow = true;
+
chain->timestamp = jiffies;
ret = true;
goto out;
@@ -202,13 +210,16 @@ static bool batadv_frag_insert_packet(st
/* Reached the end of the list, so insert after 'frag_entry_last'. */
if (likely(frag_entry_last)) {
hlist_add_behind(&frag_entry_new->list, &frag_entry_last->list);
- chain->size += skb->len - hdr_size;
+
+ if (check_add_overflow(chain->size, data_len, &chain->size))
+ overflow = true;
+
chain->timestamp = jiffies;
ret = true;
}
out:
- if (chain->size > batadv_frag_size_limit() ||
+ if (overflow || chain->size > batadv_frag_size_limit() ||
chain->total_size != ntohs(frag_packet->total_size) ||
chain->total_size > batadv_frag_size_limit()) {
/* Clear chain if total size of either the list or the packet
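Review bot: the comment under the updated condition at out: still begins "Clear chain if total size of either the list or the packet", but the condition now also fires on the new overflow flag, so the comment should name that third reason. Note as well that check_add_overflow() stores the wrapped sum into chain->size before the flag is tested, which is harmless only because this branch discards the chain; keeping "overflow ||" first in the condition, as done here, is what makes that safe.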
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -294,7 +294,7 @@ struct batadv_frag_table_entry {
u16 seqno;
/** @size: accumulated size of packets in list */
- u16 size;
+ size_t size;
/** @total_size: expected size of the assembled packet */
u16 total_size;
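The accounting change described in this commit message, as an added user-space model that is not part of the patch or of the batman-adv sources. MODEL_FRAG_LIMIT, the struct and function names, and the sample lengths are constructed for illustration; __builtin_add_overflow stands in for the kernel's check_add_overflow().

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed limit for this model only; the driver computes its own value
 * in batadv_frag_size_limit(). */
#define MODEL_FRAG_LIMIT ((size_t)20000)

enum verdict { FRAG_KEEP, FRAG_DROP_LIMIT, FRAG_DROP_OVERFLOW };

/* Pre-fix shape: accumulated length kept in a 16-bit field. */
struct old_chain { uint16_t size; };
/* Post-fix shape: accumulated length kept in a length-typed field. */
struct new_chain { size_t size; };

/* Old accounting: the sum is silently reduced modulo 65536 on store. */
static enum verdict old_insert(struct old_chain *c, size_t data_len)
{
    c->size = (uint16_t)(c->size + data_len);
    return c->size > MODEL_FRAG_LIMIT ? FRAG_DROP_LIMIT : FRAG_KEEP;
}

/* New accounting: detect wraparound first, then apply the limit. */
static enum verdict new_insert(struct new_chain *c, size_t data_len)
{
    if (__builtin_add_overflow(c->size, data_len, &c->size))
        return FRAG_DROP_OVERFLOW;
    return c->size > MODEL_FRAG_LIMIT ? FRAG_DROP_LIMIT : FRAG_KEEP;
}

/* Feed a sequence of payload lengths and stop at the first rejection, since
 * the chain is discarded at that point. *final receives the stored length. */
static enum verdict old_run(const size_t *lens, size_t n, size_t *final)
{
    struct old_chain c = { 0 };
    enum verdict v = FRAG_KEEP;

    for (size_t i = 0; i < n && v == FRAG_KEEP; i++)
        v = old_insert(&c, lens[i]);
    *final = c.size;
    return v;
}

static enum verdict new_run(const size_t *lens, size_t n, size_t *final)
{
    struct new_chain c = { 0 };
    enum verdict v = FRAG_KEEP;

    for (size_t i = 0; i < n && v == FRAG_KEEP; i++)
        v = new_insert(&c, lens[i]);
    *final = c.size;
    return v;
}

/* Constructed sample inputs: a well-formed chain and one whose true total
 * exceeds both the limit and what 16 bits can hold. */
static const size_t valid_lens[] = { 1200, 1200, 800 };
static const size_t bad_lens[] = { 19000, 47000 };

int main(void)
{
    size_t stored;
    enum verdict v;

    v = old_run(bad_lens, 2, &stored);
    printf("u16 field:    verdict=%d stored=%zu\n", (int)v, stored);
    v = new_run(bad_lens, 2, &stored);
    printf("size_t field: verdict=%d stored=%zu\n", (int)v, stored);
    v = new_run(valid_lens, 3, &stored);
    printf("valid chain:  verdict=%d stored=%zu\n", (int)v, stored);
    return 0;
}
```

With the 16-bit field the stored length no longer matches the bytes actually queued, so the limit comparison is made against the wrong number; with the wider field the same input is rejected by the existing limit check.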
* [PATCH 6.1 884/969] batman-adv: fix tp_meter counter underflow during shutdown
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (882 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 883/969] batman-adv: fix fragment reassembly length accounting Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 885/969] batman-adv: frag: disallow unicast fragment in fragment Greg Kroah-Hartman
` (91 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
Juefei Pu, Xin Liu, Luxiao Xu, Ren Wei, Sven Eckelmann
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luxiao Xu <rakukuip@gmail.com>
commit 94f3b133168d1c49895e7cc6afbcf1cc0b354602 upstream.
batadv_tp_sender_shutdown() unconditionally decrements the "sending"
atomic counter. If multiple paths (e.g. timeout, user cancel, and
normal finish) call this function, the counter can underflow to -1.
Since the sender logic treats any non-zero value as "still sending",
a negative value causes the sender kthread to loop indefinitely.
This leads to a use-after-free when the interface is removed while
the zombie thread is still active.
Fix this by using atomic_xchg() to ensure the counter only transitions
from 1 to 0 once.
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Luxiao Xu <rakukuip@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
[sven: added missing change in batadv_tp_send]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/tp_meter.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -435,7 +435,7 @@ static void batadv_tp_sender_end(struct
static void batadv_tp_sender_shutdown(struct batadv_tp_vars *tp_vars,
enum batadv_tp_meter_reason reason)
{
- if (!atomic_dec_and_test(&tp_vars->sending))
+ if (atomic_xchg(&tp_vars->sending, 0) != 1)
return;
tp_vars->reason = reason;
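Review bot: the switch to atomic_xchg(&tp_vars->sending, 0) != 1 in batadv_tp_sender_shutdown() turns the counter into a one-shot flag, but nothing at the call site says so. A short comment that only the caller observing the 1 to 0 transition may set tp_vars->reason would keep a later change from reintroducing atomic_dec_and_test(). The "!= 1" test also means any other non-zero value is reset to 0 without running the shutdown body; if 0 and 1 are the only legal states, the field's kernel-doc should state that.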
@@ -869,7 +869,7 @@ static int batadv_tp_send(void *arg)
"Meter: %s() cannot send packets (%d)\n",
__func__, err);
/* ensure nobody else tries to stop the thread now */
- if (atomic_dec_and_test(&tp_vars->sending))
+ if (atomic_xchg(&tp_vars->sending, 0) == 1)
tp_vars->reason = err;
break;
}
* [PATCH 6.1 885/969] batman-adv: frag: disallow unicast fragment in fragment
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (883 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 884/969] batman-adv: fix tp_meter counter underflow during shutdown Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 886/969] batman-adv: bla: fix report_work leak on backbone_gw purge Greg Kroah-Hartman
` (90 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
Juefei Pu, Xin Liu, Sven Eckelmann
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit bc62216dc8e221e3781afa14430f45208bfa9af9 upstream.
batadv_frag_skb_buffer() is called by batadv_batman_skb_recv() when a
BATADV_UNICAST_FRAG packet is received. Once all fragments are collected
and the packet is reassembled, batadv_recv_frag_packet() calls
batadv_batman_skb_recv() again to process the defragmented payload.
A malicious sender can craft a BATADV_UNICAST_FRAG packet whose reassembled
payload is itself a BATADV_UNICAST_FRAG packet (matryoshka-style nesting).
Each nesting level recurses through batadv_batman_skb_recv() without bound,
growing the kernel stack until it is exhausted.
Since refragmentation or fragments in fragments are not actually allowed,
discard all packets which are still BATADV_UNICAST_FRAG packets after the
defragmentation process.
Cc: stable@kernel.org
Fixes: 610bfc6bc99b ("batman-adv: Receive fragmented packets and merge")
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Reviewed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/fragmentation.c | 35 +++++++++++++++++++++++++++++++++++
1 file changed, 35 insertions(+)
--- a/net/batman-adv/fragmentation.c
+++ b/net/batman-adv/fragmentation.c
@@ -306,6 +306,31 @@ free:
}
/**
+ * batadv_skb_is_frag() - check if newly merged skb is gain a unicast packet
+ * @skb: newly merged skb
+ *
+ * Return: if newly skb is of type BATADV_UNICAST_FRAG
+ */
+static bool batadv_skb_is_frag(struct sk_buff *skb)
+{
+ struct batadv_ogm_packet *batadv_ogm_packet;
+
+ /* packet should hold at least type and version */
+ if (unlikely(!pskb_may_pull(skb, 2)))
+ return false;
+
+ batadv_ogm_packet = (struct batadv_ogm_packet *)skb->data;
+
+ if (batadv_ogm_packet->version != BATADV_COMPAT_VERSION)
+ return false;
+
+ if (batadv_ogm_packet->packet_type != BATADV_UNICAST_FRAG)
+ return false;
+
+ return true;
+}
+
+/**
* batadv_frag_skb_buffer() - buffer fragment for later merge
* @skb: skb to buffer
* @orig_node_src: originator that the skb is received from
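Review bot: the kernel-doc for the new batadv_skb_is_frag() has a typo and an incomplete Return line: "is gain a unicast packet" should read "is again a unicast fragment packet", and "Return: if newly skb is of type BATADV_UNICAST_FRAG" should say "true if the newly merged skb is of type BATADV_UNICAST_FRAG, false otherwise". The helper also reads packet_type and version through struct batadv_ogm_packet although the skb is not an OGM; a brief comment that only the leading type and version bytes are touched, matching pskb_may_pull(skb, 2), would explain the cast.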
@@ -338,6 +363,16 @@ bool batadv_frag_skb_buffer(struct sk_bu
if (!skb_out)
goto out_err;
+ /* fragment in fragment is not allowed. otherwise it is possible
+ * to exhaust the stack when receiving a matryoshka-style
+ * "fragments in a fragment packet"
+ */
+ if (batadv_skb_is_frag(skb_out)) {
+ kfree_skb(skb_out);
+ skb_out = NULL;
+ goto out_err;
+ }
+
out:
ret = true;
out_err:
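Review bot: the nested-fragment rejection frees skb_out and leaves through out_err exactly like the "!skb_out" merge failure above it, with no debug message, so the two cases cannot be told apart afterwards. A ratelimited debug line in the new "if (batadv_skb_is_frag(skb_out))" branch would let an operator distinguish a peer sending fragment-in-fragment packets from an ordinary merge failure.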
* [PATCH 6.1 886/969] batman-adv: bla: fix report_work leak on backbone_gw purge
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (884 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 885/969] batman-adv: frag: disallow unicast fragment in fragment Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 887/969] batman-adv: tp_meter: avoid use of uninit sender vars Greg Kroah-Hartman
` (89 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Simon Wunderlich,
Sven Eckelmann
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 0459430add32ea41f3e2ef9351610e6d33627a6b upstream.
batadv_bla_purge_backbone_gw() removes stale backbone gateway entries,
but fails to properly handle their associated report_work:
- If report_work is running, the purge must wait for it to finish before
  freeing the backbone_gw, otherwise the worker may access freed memory
  (e.g. bat_priv).
- If report_work is pending, the purge must cancel it and release the
  reference held for that pending work item.
The previous implementation called hlist_for_each_entry_safe() inside a
spin_lock_bh() section, but cancel_work_sync() may sleep and therefore
cannot be called from within a spinlock-protected region.
Restructure the loop to handle one entry per spinlock critical section:
acquire the lock, find the next entry to purge, remove it from the hash
list, then release the lock before calling cancel_work_sync() and
dropping the hash_entry reference. Repeat until no more entries require
purging.
Cc: stable@kernel.org
Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code")
Reviewed-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/bridge_loop_avoidance.c | 60 ++++++++++++++++++++-------------
1 file changed, 38 insertions(+), 22 deletions(-)
--- a/net/batman-adv/bridge_loop_avoidance.c
+++ b/net/batman-adv/bridge_loop_avoidance.c
@@ -1224,6 +1224,7 @@ static void batadv_bla_purge_backbone_gw
struct hlist_head *head;
struct batadv_hashtable *hash;
spinlock_t *list_lock; /* protects write access to the hash lists */
+ bool purged;
int i;
hash = bat_priv->bla.backbone_hash;
@@ -1234,30 +1235,45 @@ static void batadv_bla_purge_backbone_gw
head = &hash->table[i];
list_lock = &hash->list_locks[i];
- spin_lock_bh(list_lock);
- hlist_for_each_entry_safe(backbone_gw, node_tmp,
- head, hash_entry) {
- if (now)
- goto purge_now;
- if (!batadv_has_timed_out(backbone_gw->lasttime,
- BATADV_BLA_BACKBONE_TIMEOUT))
- continue;
-
- batadv_dbg(BATADV_DBG_BLA, backbone_gw->bat_priv,
- "%s(): backbone gw %pM timed out\n",
- __func__, backbone_gw->orig);
+ do {
+ purged = false;
+
+ spin_lock_bh(list_lock);
+ hlist_for_each_entry_safe(backbone_gw, node_tmp,
+ head, hash_entry) {
+ if (now)
+ goto purge_now;
+ if (!batadv_has_timed_out(backbone_gw->lasttime,
+ BATADV_BLA_BACKBONE_TIMEOUT))
+ continue;
+
+ batadv_dbg(BATADV_DBG_BLA, backbone_gw->bat_priv,
+ "%s(): backbone gw %pM timed out\n",
+ __func__, backbone_gw->orig);
purge_now:
- /* don't wait for the pending request anymore */
- if (atomic_read(&backbone_gw->request_sent))
- atomic_dec(&bat_priv->bla.num_requests);
-
- batadv_bla_del_backbone_claims(backbone_gw);
-
- hlist_del_rcu(&backbone_gw->hash_entry);
- batadv_backbone_gw_put(backbone_gw);
- }
- spin_unlock_bh(list_lock);
+ purged = true;
+
+ /* don't wait for the pending request anymore */
+ if (atomic_read(&backbone_gw->request_sent))
+ atomic_dec(&bat_priv->bla.num_requests);
+
+ batadv_bla_del_backbone_claims(backbone_gw);
+
+ hlist_del_rcu(&backbone_gw->hash_entry);
+ break;
+ }
+ spin_unlock_bh(list_lock);
+
+ if (purged) {
+ /* reference for pending report_work */
+ if (cancel_work_sync(&backbone_gw->report_work))
+ batadv_backbone_gw_put(backbone_gw);
+
+ /* reference for hash_entry */
+ batadv_backbone_gw_put(backbone_gw);
+ }
+ } while (purged);
}
}
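Review bot: after spin_unlock_bh(list_lock) the "if (purged)" block dereferences backbone_gw, which is the hlist_for_each_entry_safe() cursor and is only meaningful because the loop was left via break. Copying the entry into a dedicated local before the break, reset to NULL at the top of each pass, would make that explicit and could replace the purged flag. The do/while also rescans the bucket from its head after every removal; that is fine for correctness but deserves a comment, together with the reason cancel_work_sync() cannot run under list_lock.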
* [PATCH 6.1 887/969] batman-adv: tp_meter: avoid use of uninit sender vars
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (885 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 886/969] batman-adv: bla: fix report_work leak on backbone_gw purge Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 888/969] batman-adv: tt: fix negative last_changeset_len Greg Kroah-Hartman
` (88 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
Juefei Pu, Xin Liu, Sven Eckelmann
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 6c65cf23d4c6170fcf5714c32aa64689718cb142 upstream.
batadv_tp_recv_ack() and batadv_tp_stop() are only valid for tp_vars in the
BATADV_TP_SENDER role. When called with a BATADV_TP_RECEIVER role, it
proceeds to read sender-only members that were never initialized, leading
to undefined behavior.
This can be triggered when a node that is currently acting as a receiver in
an ongoing tp_meter session receives a malicious ACK packet.
Guard against this by checking tp_vars->role immediately after the
lookup and bailing out if it is not BATADV_TP_SENDER, before any of
those members are accessed.
Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Reviewed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/tp_meter.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -647,6 +647,9 @@ static void batadv_tp_recv_ack(struct ba
if (unlikely(!tp_vars))
return;
+ if (unlikely(tp_vars->role != BATADV_TP_SENDER))
+ goto out;
+
if (unlikely(atomic_read(&tp_vars->sending) == 0))
goto out;
@@ -1080,12 +1083,16 @@ void batadv_tp_stop(struct batadv_priv *
if (!tp_vars) {
batadv_dbg(BATADV_DBG_TP_METER, bat_priv,
"Meter: trying to interrupt an already over connection\n");
- goto out;
+ goto out_put_orig_node;
}
+ if (unlikely(tp_vars->role != BATADV_TP_SENDER))
+ goto out_put_tp_vars;
+
batadv_tp_sender_shutdown(tp_vars, return_value);
+out_put_tp_vars:
batadv_tp_vars_put(tp_vars);
-out:
+out_put_orig_node:
batadv_orig_node_put(orig_node);
}
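Review bot: in batadv_tp_stop() the new role check jumps to out_put_tp_vars silently, whereas the "!tp_vars" case just above it logs through batadv_dbg(); a matching debug line for a stop request that resolves to a receiver session would help when diagnosing this path. The split into out_put_tp_vars and out_put_orig_node reads correctly as shown: the not-found path skips batadv_tp_vars_put() and the role-mismatch path does not.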
* [PATCH 6.1 888/969] batman-adv: tt: fix negative last_changeset_len
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (886 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 887/969] batman-adv: tp_meter: avoid use of uninit sender vars Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 889/969] batman-adv: tt: fix negative tt_buff_len Greg Kroah-Hartman
` (87 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit fc92cdfcb295cefa4344d71a527d61b638b7bfc4 upstream.
batadv_priv_tt::last_changeset_len was declared as s16, but the field is
never intended to hold a negative value. When a value greater than 32767 is
assigned, it wraps to a negative signed integer.
In batadv_send_my_tt_response(), last_changeset_len is temporarily widened
to s32. The incorrectly negative s16 value propagates into the s32, causing
batadv_tt_prepare_tvlv_local_data() to allocate a full sized buffer but
populate only a small portion of it with the collected changeset. All
remaining bits are kept uninitialized.
Using a u16 avoids this type confusion and ensures that no (negative) sign
extension is performed in batadv_send_my_tt_response().
Cc: stable@kernel.org
Fixes: a73105b8d4c7 ("batman-adv: improved client announcement mechanism")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/types.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -993,7 +993,7 @@ struct batadv_priv_tt {
* @last_changeset_len: length of last tt changeset this host has
* generated
*/
- s16 last_changeset_len;
+ u16 last_changeset_len;
/**
* @last_changeset_lock: lock protecting last_changeset &
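Review bot: only the declaration of last_changeset_len changes here, so any code that still copies the field into a signed 16-bit temporary, or treats a negative value as a sentinel, would keep the old behaviour or become dead code. It is worth confirming in this backport that the users of the field, including the batadv_send_my_tt_response() path named in the commit message, hold the value in a type that preserves lengths above 32767.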
* [PATCH 6.1 889/969] batman-adv: tt: fix negative tt_buff_len
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (887 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 888/969] batman-adv: tt: fix negative last_changeset_len Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 890/969] hwmon: (pmbus/adm1266) seed timestamp from the real-time clock Greg Kroah-Hartman
` (86 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit b64963a2ceeb7529310b6cf253a1e540784422f4 upstream.
batadv_orig_node::tt_buff_len was declared as s16, but the field is never
intended to hold a negative value. When a value greater than 32767 is
assigned, it wraps to a negative signed integer.
In batadv_send_other_tt_response(), tt_buff_len is temporarily widened to
s32. The incorrectly negative s16 value propagates into the s32, causing
batadv_tt_prepare_tvlv_global_data() to allocate a full sized buffer but
populate only a small portion of it with the collected changeset. All
remaining bits are kept uninitialized.
Using a u16 avoids this type confusion and ensures that no (negative) sign
extension is performed in batadv_send_other_tt_response().
Cc: stable@kernel.org
Fixes: a73105b8d4c7 ("batman-adv: improved client announcement mechanism")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/types.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -445,7 +445,7 @@ struct batadv_orig_node {
* @tt_buff_len: length of the last tt changeset this node received
* from the orig node
*/
- s16 tt_buff_len;
+ u16 tt_buff_len;
/** @tt_buff_lock: lock that protects tt_buff and tt_buff_len */
spinlock_t tt_buff_lock;
* [PATCH 6.1 890/969] hwmon: (pmbus/adm1266) seed timestamp from the real-time clock
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (888 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 889/969] batman-adv: tt: fix negative tt_buff_len Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 891/969] hwmon: (pmbus/adm1266) reject implausible blackbox record_count Greg Kroah-Hartman
` (85 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Abdurrahman Hussain, Guenter Roeck
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdurrahman Hussain <abdurrahman@nexthop.ai>
commit b86095e3d7dcf2bf80c747349a35912a87a85098 upstream.
adm1266_set_rtc() seeds the chip's SET_RTC register from
ktime_get_seconds(), which returns CLOCK_MONOTONIC -- i.e. seconds
since the host last booted, not seconds since the Unix epoch.
The chip stamps that value into every blackbox record it captures.
Userspace reading those timestamps back expects wall-clock seconds:
that's what the SET_RTC frame layout documents (datasheet Rev. D,
Table 84) and what every other consumer of "seconds since epoch"
assumes. Seeding from CLOCK_MONOTONIC gives blackbox records a
timestamp that is only meaningful within a single boot of the host
and silently resets to small values on every reboot.
Switch to ktime_get_real_seconds() so the seed matches what the
register is documented to hold.
Fixes: 15609d189302 ("hwmon: (pmbus/adm1266) read blackbox")
Cc: stable@vger.kernel.org
Signed-off-by: Abdurrahman Hussain <abdurrahman@nexthop.ai>
Link: https://lore.kernel.org/r/20260515-adm1266-fixes-v1-1-1c1ea1349cfe@nexthop.ai
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/pmbus/adm1266.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/hwmon/pmbus/adm1266.c
+++ b/drivers/hwmon/pmbus/adm1266.c
@@ -434,7 +434,7 @@ static int adm1266_set_rtc(struct adm126
char write_buf[6];
int i;
- kt = ktime_get_seconds();
+ kt = ktime_get_real_seconds();
memset(write_buf, 0, sizeof(write_buf));
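Review bot: ktime_get_real_seconds() is only meaningful once the system wall clock has been set, and nothing around the changed line in adm1266_set_rtc() indicates when the function runs. If it is called before the wall clock is valid, the seed written to the chip will still not reflect real time; consider documenting that limitation next to the call or re-seeding once the clock is set. The hunk also shows a 6-byte write_buf, so a comment on how the seconds value is packed into it would help a reader check for truncation.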
* [PATCH 6.1 891/969] hwmon: (pmbus/adm1266) reject implausible blackbox record_count
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (889 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 890/969] hwmon: (pmbus/adm1266) seed timestamp from the real-time clock Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 892/969] hwmon: (pmbus/adm1266) include PEC byte in pmbus_block_xfer read buffer Greg Kroah-Hartman
` (84 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Abdurrahman Hussain, Guenter Roeck
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdurrahman Hussain <abdurrahman@nexthop.ai>
commit 4afca954622d672ea65ed961bed01cf91caa034e upstream.
adm1266_nvmem_read_blackbox() loops over a record_count that comes
straight from byte 3 of the BLACKBOX_INFO response. The destination
buffer is data->dev_mem, sized for the nvmem cell's declared 2048
bytes (ADM1266_BLACKBOX_MAX_RECORDS * ADM1266_BLACKBOX_SIZE = 32 * 64).
A device that reports a record_count greater than 32 -- whether due
to firmware bugs, bus corruption, or a non-responsive slave returning
0xff -- would walk read_buff past the end of the dev_mem allocation
on the trailing iterations.
Cap record_count at ADM1266_BLACKBOX_MAX_RECORDS (introduced here)
before entering the loop and return -EIO on any larger value, so a
malformed BLACKBOX_INFO response cannot drive the loop out of bounds.
Fixes: 15609d189302 ("hwmon: (pmbus/adm1266) read blackbox")
Cc: stable@vger.kernel.org
Signed-off-by: Abdurrahman Hussain <abdurrahman@nexthop.ai>
Link: https://lore.kernel.org/r/20260515-adm1266-fixes-v1-3-1c1ea1349cfe@nexthop.ai
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/pmbus/adm1266.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/hwmon/pmbus/adm1266.c
+++ b/drivers/hwmon/pmbus/adm1266.c
@@ -46,6 +46,7 @@
#define ADM1266_BLACKBOX_OFFSET 0
#define ADM1266_BLACKBOX_SIZE 64
+#define ADM1266_BLACKBOX_MAX_RECORDS 32
#define ADM1266_PMBUS_BLOCK_MAX 255
@@ -362,6 +363,8 @@ static int adm1266_nvmem_read_blackbox(s
return -EIO;
record_count = buf[3];
+ if (record_count > ADM1266_BLACKBOX_MAX_RECORDS)
+ return -EIO;
for (index = 0; index < record_count; index++) {
ret = adm1266_pmbus_block_xfer(data, ADM1266_READ_BLACKBOX, 1, &index, read_buff);
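Review bot: the new bound on record_count returns -EIO with no message, the same code as the check directly above it, so a device answering 0xff is indistinguishable from a failed transfer; a ratelimited dev_err naming the reported count would help. It would also be worth tying ADM1266_BLACKBOX_MAX_RECORDS * ADM1266_BLACKBOX_SIZE to the destination buffer's declared size with a static_assert, so the 32 cannot drift from the 2048 bytes the commit message cites.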
* [PATCH 6.1 892/969] hwmon: (pmbus/adm1266) include PEC byte in pmbus_block_xfer read buffer
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (890 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 891/969] hwmon: (pmbus/adm1266) reject implausible blackbox record_count Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 893/969] hwmon: (pmbus/adm1266) bounce blackbox records through a protocol-sized buffer Greg Kroah-Hartman
` (83 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Abdurrahman Hussain, Guenter Roeck
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdurrahman Hussain <abdurrahman@nexthop.ai>
commit 487566cb1ccdf3756fdd7bf8d875e612ff3169bb upstream.
adm1266_pmbus_block_xfer() sets up the read transaction with
    .buf = data->read_buf,
    .len = ADM1266_PMBUS_BLOCK_MAX + 2,
but read_buf in struct adm1266_data is declared as
    u8 read_buf[ADM1266_PMBUS_BLOCK_MAX + 1];
For a max-length block response (length byte = 255 + up to 1 PEC
byte), the i2c controller is told to write 257 bytes into a 256-byte
buffer, putting one byte past the end of read_buf. The same response
also makes the subsequent PEC compare
    if (crc != msgs[1].buf[msgs[1].buf[0] + 1])
read a byte beyond the array.
Bump the read_buf declaration to ADM1266_PMBUS_BLOCK_MAX + 2 so the
buffer can hold the length byte, up to 255 payload bytes, and the PEC
byte the i2c_msg length already accounts for.
Fixes: 407dc802a9c0 ("hwmon: (pmbus/adm1266) Add Block process call")
Cc: stable@vger.kernel.org
Signed-off-by: Abdurrahman Hussain <abdurrahman@nexthop.ai>
Link: https://lore.kernel.org/r/20260515-adm1266-fixes-v1-4-1c1ea1349cfe@nexthop.ai
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/pmbus/adm1266.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/hwmon/pmbus/adm1266.c
+++ b/drivers/hwmon/pmbus/adm1266.c
@@ -61,7 +61,7 @@ struct adm1266_data {
u8 *dev_mem;
struct mutex buf_mutex;
u8 write_buf[ADM1266_PMBUS_BLOCK_MAX + 1] ____cacheline_aligned;
- u8 read_buf[ADM1266_PMBUS_BLOCK_MAX + 1] ____cacheline_aligned;
+ u8 read_buf[ADM1266_PMBUS_BLOCK_MAX + 2] ____cacheline_aligned;
};
static const struct nvmem_cell_info adm1266_nvmem_cells[] = {
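Review bot: The + 2 in the read_buf declaration has to match the .len = ADM1266_PMBUS_BLOCK_MAX + 2 that the commit message quotes from adm1266_pmbus_block_xfer(), and nothing enforces that. Setting .len from sizeof(data->read_buf), or naming the length-byte and PEC-byte overhead in a macro used by both, would stop the two from diverging again. write_buf on the line above keeps + 1, so a short comment on why the two sizes differ would help the next reader.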
* [PATCH 6.1 893/969] hwmon: (pmbus/adm1266) bounce blackbox records through a protocol-sized buffer
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (891 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 892/969] hwmon: (pmbus/adm1266) include PEC byte in pmbus_block_xfer read buffer Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 894/969] hwmon: (pmbus/adm1266) cap PDIO scan in get_multiple at ADM1266_PDIO_NR Greg Kroah-Hartman
` (82 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Abdurrahman Hussain, Guenter Roeck
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdurrahman Hussain <abdurrahman@nexthop.ai>
commit 43cae21424ff8e33894a0f86c6b80b840c049fd7 upstream.
adm1266_pmbus_block_xfer() copies the device-supplied block payload
into the caller-provided buffer using the device-supplied length:
    memcpy(data_r, &msgs[1].buf[1], msgs[1].buf[0]);
The helper does not know how large data_r is and trusts the device to
return at most one record's worth of bytes. adm1266_nvmem_read_blackbox()
violates that contract: it advances read_buff inside data->dev_mem in
ADM1266_BLACKBOX_SIZE (64-byte) strides while the helper is willing to
write up to ADM1266_PMBUS_BLOCK_MAX (255) bytes. A device that returns
more than 64 bytes on the trailing record (read_buff offset 1984 in
the 2048-byte dev_mem allocation) overflows dev_mem by up to 191 bytes
before the post-call
    if (ret != ADM1266_BLACKBOX_SIZE)
        return -EIO;
can reject the response.
Contain the fix in the caller without changing the helper signature:
read each record into a 255-byte local bounce buffer that matches the
helper's maximum output, validate the returned length, and only then
copy exactly ADM1266_BLACKBOX_SIZE bytes into the dev_mem slot.
Fixes: 407dc802a9c0 ("hwmon: (pmbus/adm1266) Add Block process call")
Cc: stable@vger.kernel.org
Signed-off-by: Abdurrahman Hussain <abdurrahman@nexthop.ai>
Link: https://lore.kernel.org/r/20260515-adm1266-fixes-v1-5-1c1ea1349cfe@nexthop.ai
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/pmbus/adm1266.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/hwmon/pmbus/adm1266.c
+++ b/drivers/hwmon/pmbus/adm1266.c
@@ -350,6 +350,7 @@ static void adm1266_init_debugfs(struct
static int adm1266_nvmem_read_blackbox(struct adm1266_data *data, u8 *read_buff)
{
+ u8 record[ADM1266_PMBUS_BLOCK_MAX];
int record_count;
char index;
u8 buf[I2C_SMBUS_BLOCK_MAX];
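Review bot: The new record[ADM1266_PMBUS_BLOCK_MAX] local puts 255 bytes on the stack next to buf[I2C_SMBUS_BLOCK_MAX], and nothing at the declaration says why it is sized to the helper's maximum rather than to ADM1266_BLACKBOX_SIZE. A comment stating that adm1266_pmbus_block_xfer() copies a device-supplied length of up to ADM1266_PMBUS_BLOCK_MAX bytes would stop a later cleanup from shrinking it back to 64.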
@@ -367,13 +368,14 @@ static int adm1266_nvmem_read_blackbox(s
return -EIO;
for (index = 0; index < record_count; index++) {
- ret = adm1266_pmbus_block_xfer(data, ADM1266_READ_BLACKBOX, 1, &index, read_buff);
+ ret = adm1266_pmbus_block_xfer(data, ADM1266_READ_BLACKBOX, 1, &index, record);
if (ret < 0)
return ret;
if (ret != ADM1266_BLACKBOX_SIZE)
return -EIO;
+ memcpy(read_buff, record, ADM1266_BLACKBOX_SIZE);
read_buff += ADM1266_BLACKBOX_SIZE;
}
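Review bot: The fix lives only in this caller: the memcpy into read_buff is correctly placed after the ret != ADM1266_BLACKBOX_SIZE check, but the helper still copies msgs[1].buf[0] bytes into whatever pointer it is given, as the commit message notes. Any other caller that passes a buffer smaller than ADM1266_PMBUS_BLOCK_MAX has the same exposure, so a follow-up that adds a destination-size argument to adm1266_pmbus_block_xfer() would close the class rather than this one instance. Also note that index is declared char in the hunk above, which is safe only because record_count is capped at 32.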
* [PATCH 6.1 894/969] hwmon: (pmbus/adm1266) cap PDIO scan in get_multiple at ADM1266_PDIO_NR
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (892 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 893/969] hwmon: (pmbus/adm1266) bounce blackbox records through a protocol-sized buffer Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 895/969] hwmon: (pmbus/adm1266) dont clobber GPIO bits before PDIO read in get_multiple Greg Kroah-Hartman
` (81 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Abdurrahman Hussain,
Bartosz Golaszewski, Linus Walleij, Guenter Roeck
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdurrahman Hussain <abdurrahman@nexthop.ai>
commit d7834d92251baade796812876e95555e2066fa9f upstream.
adm1266_gpio_get_multiple() iterates the PDIO portion of the
caller-supplied mask using
    for_each_set_bit_from(gpio_nr, mask,
                          ADM1266_GPIO_NR + ADM1266_PDIO_STATUS) {
        ...
    }
where ADM1266_PDIO_STATUS is the PMBus command code (0xE9, i.e. 233),
not the number of PDIO pins. The intended upper bound is
ADM1266_GPIO_NR + ADM1266_PDIO_NR = 25.
gpiolib hands in a mask sized for gc.ngpio (= 25 bits on this chip),
so the iteration walks find_next_bit() up to 242, reading up to 217
extra bits (a handful of unsigned-long words: four on 64-bit, seven
on 32-bit) of whatever lives past the end of the mask in the
caller's stack. Any incidental set bit in that range then drives a
set_bit(gpio_nr, bits) call that writes past the end of the
caller-supplied bits array too -- both out-of-bounds.
Substitute ADM1266_PDIO_NR for the constant so the scan stops at the
last real PDIO bit.
Fixes: d98dfad35c38 ("hwmon: (pmbus/adm1266) Add support for GPIOs")
Cc: stable@vger.kernel.org
Signed-off-by: Abdurrahman Hussain <abdurrahman@nexthop.ai>
Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Reviewed-by: Linus Walleij <linusw@kernel.org>
Link: https://lore.kernel.org/r/20260518-adm1266-gpio-fixes-v3-1-e425e4f88139@nexthop.ai
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/pmbus/adm1266.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/hwmon/pmbus/adm1266.c
+++ b/drivers/hwmon/pmbus/adm1266.c
@@ -212,7 +212,7 @@ static int adm1266_gpio_get_multiple(str
status = read_buf[0] + (read_buf[1] << 8);
*bits = 0;
- for_each_set_bit_from(gpio_nr, mask, ADM1266_GPIO_NR + ADM1266_PDIO_STATUS) {
+ for_each_set_bit_from(gpio_nr, mask, ADM1266_GPIO_NR + ADM1266_PDIO_NR) {
if (test_bit(gpio_nr - ADM1266_GPIO_NR, &status))
set_bit(gpio_nr, bits);
}
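Review bot: The context line *bits = 0; directly above the corrected loop still wipes whatever the earlier GPIO_STATUS pass stored, so with this patch alone a mixed GPIO and PDIO request returns zeros for the GPIO half. 895/969 removes that line and the two should travel together. For the bound itself, a static_assert that ADM1266_GPIO_NR + ADM1266_PDIO_NR matches the ngpio the chip registers would catch this kind of constant mix-up at build time.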
* [PATCH 6.1 895/969] hwmon: (pmbus/adm1266) dont clobber GPIO bits before PDIO read in get_multiple
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (893 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 894/969] hwmon: (pmbus/adm1266) cap PDIO scan in get_multiple at ADM1266_PDIO_NR Greg Kroah-Hartman
@ 2026-05-30 16:06 ` Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 896/969] hwmon: (pmbus/adm1266) register the gpio_chip after pmbus_do_probe() Greg Kroah-Hartman
` (80 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Abdurrahman Hussain,
Bartosz Golaszewski, Linus Walleij, Guenter Roeck
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdurrahman Hussain <abdurrahman@nexthop.ai>
commit 3327a12aee9e10ffa903e28b8445dfd1af5307c0 upstream.
adm1266_gpio_get_multiple() zeroes *bits before the GPIO_STATUS loop
and then a second time before the PDIO_STATUS loop:
    *bits = 0;
    for_each_set_bit(gpio_nr, mask, ADM1266_GPIO_NR) {
        ...
        set_bit(gpio_nr, bits);
    }
    ret = i2c_smbus_read_block_data(data->client, ADM1266_PDIO_STATUS, ...);
    ...
    *bits = 0;
    for_each_set_bit_from(gpio_nr, mask, ADM1266_GPIO_NR + ADM1266_PDIO_NR) {
        ...
        set_bit(gpio_nr, bits);
    }
The second *bits = 0 throws away every GPIO bit the first loop just
populated, so callers asking for any combination of GPIO and PDIO
pins always see the GPIO portion of the returned bits as zero.
Drop the redundant second assignment so both halves of the result
survive.
Fixes: d98dfad35c38 ("hwmon: (pmbus/adm1266) Add support for GPIOs")
Cc: stable@vger.kernel.org
Signed-off-by: Abdurrahman Hussain <abdurrahman@nexthop.ai>
Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Reviewed-by: Linus Walleij <linusw@kernel.org>
Link: https://lore.kernel.org/r/20260518-adm1266-gpio-fixes-v3-2-e425e4f88139@nexthop.ai
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/pmbus/adm1266.c | 1 -
1 file changed, 1 deletion(-)
--- a/drivers/hwmon/pmbus/adm1266.c
+++ b/drivers/hwmon/pmbus/adm1266.c
@@ -211,7 +211,6 @@ static int adm1266_gpio_get_multiple(str
status = read_buf[0] + (read_buf[1] << 8);
- *bits = 0;
for_each_set_bit_from(gpio_nr, mask, ADM1266_GPIO_NR + ADM1266_PDIO_NR) {
if (test_bit(gpio_nr - ADM1266_GPIO_NR, &status))
set_bit(gpio_nr, bits);
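Review bot: With the reset gone, for_each_set_bit_from() in this hunk depends on gpio_nr having been left at ADM1266_GPIO_NR by the first loop shown in the commit message, and on *bits having been zeroed once before that loop. Both hold today, but an explicit gpio_nr = ADM1266_GPIO_NR; before the loop would make the test_bit(gpio_nr - ADM1266_GPIO_NR, &status) offset obviously non-negative and keep the second pass independent of how the first one exits.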
* [PATCH 6.1 896/969] hwmon: (pmbus/adm1266) register the gpio_chip after pmbus_do_probe()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (894 preceding siblings ...)
2026-05-30 16:06 ` [PATCH 6.1 895/969] hwmon: (pmbus/adm1266) dont clobber GPIO bits before PDIO read in get_multiple Greg Kroah-Hartman
@ 2026-05-30 16:07 ` Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 897/969] hwmon: (pmbus/adm1266) register the nvmem device " Greg Kroah-Hartman
` (79 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Abdurrahman Hussain,
Bartosz Golaszewski, Guenter Roeck
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdurrahman Hussain <abdurrahman@nexthop.ai>
commit 491403b9b76cf66abd81301c5901aa4a4549f1e8 upstream.
adm1266_probe() calls adm1266_config_gpio() -- which goes on to
devm_gpiochip_add_data() and exposes the gpio_chip callbacks to
gpiolib -- before pmbus_do_probe() has initialised the per-client
PMBus state (notably the pmbus_lock mutex the core hands out via
pmbus_get_data()).
That ordering is already a latent hazard: any GPIO access that lands
between adm1266_config_gpio() and the end of pmbus_do_probe() (for
example a sysfs read from a user space agent that opens the gpiochip
the instant gpiolib advertises it) races pmbus_do_probe()'s own
device accesses with no serialisation.
Move adm1266_config_gpio() down past pmbus_do_probe() so the chip
isn't reachable from userspace until the PMBus state it depends on
is fully initialised.
Fixes: d98dfad35c38 ("hwmon: (pmbus/adm1266) Add support for GPIOs")
Cc: stable@vger.kernel.org
Signed-off-by: Abdurrahman Hussain <abdurrahman@nexthop.ai>
Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260518-adm1266-gpio-fixes-v3-4-e425e4f88139@nexthop.ai
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/pmbus/adm1266.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/hwmon/pmbus/adm1266.c
+++ b/drivers/hwmon/pmbus/adm1266.c
@@ -468,10 +468,6 @@ static int adm1266_probe(struct i2c_clie
crc8_populate_msb(pmbus_crc_table, 0x7);
mutex_init(&data->buf_mutex);
- ret = adm1266_config_gpio(data);
- if (ret < 0)
- return ret;
-
ret = adm1266_set_rtc(data);
if (ret < 0)
return ret;
@@ -484,6 +480,10 @@ static int adm1266_probe(struct i2c_clie
if (ret)
return ret;
+ ret = adm1266_config_gpio(data);
+ if (ret < 0)
+ return ret;
+
adm1266_init_debugfs(data);
return 0;
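Review bot: Moving adm1266_config_gpio() below pmbus_do_probe() means the return ret on its failure path now runs after the PMBus core has registered, so the patch relies on everything pmbus_do_probe() set up being released automatically when probe fails. Please confirm that in the commit message. adm1266_init_debugfs() stays last, which keeps the debugfs entries behind the same initialisation.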
* [PATCH 6.1 897/969] hwmon: (pmbus/adm1266) register the nvmem device after pmbus_do_probe()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (895 preceding siblings ...)
2026-05-30 16:07 ` [PATCH 6.1 896/969] hwmon: (pmbus/adm1266) register the gpio_chip after pmbus_do_probe() Greg Kroah-Hartman
@ 2026-05-30 16:07 ` Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 898/969] hwmon: (pmbus/adm1266) reject short block-read responses in the GPIO accessors Greg Kroah-Hartman
` (78 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Abdurrahman Hussain, Guenter Roeck
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdurrahman Hussain <abdurrahman@nexthop.ai>
commit 6af713af91d5c34ec049eb3cc2c5b3f5eba953b8 upstream.
adm1266_probe() calls adm1266_config_nvmem() -- which goes on to
devm_nvmem_register() and exposes adm1266_nvmem_read() to userspace --
before pmbus_do_probe() has initialised the per-client PMBus state.
Same latent hazard as the gpio_chip one fixed in the previous patch:
once the nvmem device is registered, gpiolib's nvmem char-dev / sysfs
interface is reachable, and any concurrent read triggers
adm1266_nvmem_read() -> adm1266_nvmem_read_blackbox(), which issues
PMBus traffic that races pmbus_do_probe()'s own device accesses with
no serialisation.
Move adm1266_config_nvmem() down past pmbus_do_probe() so the nvmem
device isn't reachable from userspace until the PMBus state the
nvmem accessors depend on is fully initialised.
Fixes: 15609d189302 ("hwmon: (pmbus/adm1266) read blackbox")
Cc: stable@vger.kernel.org
Signed-off-by: Abdurrahman Hussain <abdurrahman@nexthop.ai>
Link: https://lore.kernel.org/r/20260518-adm1266-gpio-fixes-v3-5-e425e4f88139@nexthop.ai
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/pmbus/adm1266.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/hwmon/pmbus/adm1266.c
+++ b/drivers/hwmon/pmbus/adm1266.c
@@ -472,14 +472,14 @@ static int adm1266_probe(struct i2c_clie
if (ret < 0)
return ret;
- ret = adm1266_config_nvmem(data);
- if (ret < 0)
- return ret;
-
ret = pmbus_do_probe(client, &data->info);
if (ret)
return ret;
+ ret = adm1266_config_nvmem(data);
+ if (ret < 0)
+ return ret;
+
ret = adm1266_config_gpio(data);
if (ret < 0)
return ret;
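Review bot: Nothing in the reordered block records that adm1266_config_nvmem() and adm1266_config_gpio() must stay below pmbus_do_probe(), so a later tidy-up of adm1266_probe() could reintroduce the race the commit message describes. A short comment above the adm1266_config_nvmem() call, saying that these calls register userspace-reachable interfaces and need the PMBus state initialised first, would protect the ordering.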
* [PATCH 6.1 898/969] hwmon: (pmbus/adm1266) reject short block-read responses in the GPIO accessors
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (896 preceding siblings ...)
2026-05-30 16:07 ` [PATCH 6.1 897/969] hwmon: (pmbus/adm1266) register the nvmem device " Greg Kroah-Hartman
@ 2026-05-30 16:07 ` Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 899/969] HID: uclogic: Fix regression of input name assignment Greg Kroah-Hartman
` (77 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Abdurrahman Hussain,
Bartosz Golaszewski, Guenter Roeck
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdurrahman Hussain <abdurrahman@nexthop.ai>
commit a7232f68c43ca62f545049b7f5fbfc75137b843b upstream.
adm1266_gpio_get() and adm1266_gpio_get_multiple() both compose the
pin-status word as
    pins_status = read_buf[0] + (read_buf[1] << 8);
right after i2c_smbus_read_block_data(), guarding only against an
error return. A well-behaved device returns 2 bytes for
GPIO_STATUS/PDIO_STATUS, but the helper happily reports a 0- or
1-byte response too. If the device returns 0 bytes, both read_buf
slots are uninitialized stack memory; if it returns 1 byte, read_buf[1]
is.
The composed value then flows through set_bit() into the caller's
*bits in adm1266_gpio_get_multiple(), or into the return value of
adm1266_gpio_get(), and ends up in userspace via gpiolib (sysfs and
the char-dev ioctls). That leaks a few bits of kernel stack per
request on any device whose firmware glitch, bus error, or hostile
slave produces a short block-read response.
Add the missing length check to both call sites and surface a short
response as -EIO.
Fixes: d98dfad35c38 ("hwmon: (pmbus/adm1266) Add support for GPIOs")
Cc: stable@vger.kernel.org
Signed-off-by: Abdurrahman Hussain <abdurrahman@nexthop.ai>
Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260518-adm1266-gpio-fixes-v3-3-e425e4f88139@nexthop.ai
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/pmbus/adm1266.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/hwmon/pmbus/adm1266.c
+++ b/drivers/hwmon/pmbus/adm1266.c
@@ -176,6 +176,8 @@ static int adm1266_gpio_get(struct gpio_
ret = i2c_smbus_read_block_data(data->client, pmbus_cmd, read_buf);
if (ret < 0)
return ret;
+ if (ret < 2)
+ return -EIO;
pins_status = read_buf[0] + (read_buf[1] << 8);
if (offset < ADM1266_GPIO_NR)
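Review bot: The added if (ret < 2) check uses a bare 2 and still accepts responses longer than two bytes, while the commit message says a well-behaved device returns 2 bytes for GPIO_STATUS/PDIO_STATUS. Consider a named constant for the status length and, if longer replies are never valid, a test for ret != that constant. Zero-initialising read_buf at its declaration would also keep stack contents out of pins_status if a future edit reorders the check.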
@@ -196,6 +198,8 @@ static int adm1266_gpio_get_multiple(str
ret = i2c_smbus_read_block_data(data->client, ADM1266_GPIO_STATUS, read_buf);
if (ret < 0)
return ret;
+ if (ret < 2)
+ return -EIO;
status = read_buf[0] + (read_buf[1] << 8);
@@ -208,6 +212,8 @@ static int adm1266_gpio_get_multiple(str
ret = i2c_smbus_read_block_data(data->client, ADM1266_PDIO_STATUS, read_buf);
if (ret < 0)
return ret;
+ if (ret < 2)
+ return -EIO;
status = read_buf[0] + (read_buf[1] << 8);
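Review bot: This is the third copy in the patch of the same read, error check, length check and read_buf[0] + (read_buf[1] << 8) composition. Folding it into one helper that takes the command code and returns the 16-bit status or a negative errno would keep the length check from being missed at a future call site.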
* [PATCH 6.1 899/969] HID: uclogic: Fix regression of input name assignment
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (897 preceding siblings ...)
2026-05-30 16:07 ` [PATCH 6.1 898/969] hwmon: (pmbus/adm1266) reject short block-read responses in the GPIO accessors Greg Kroah-Hartman
@ 2026-05-30 16:07 ` Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 900/969] firmware: arm_ffa: Check for NULL FF-A ID table while driver registration Greg Kroah-Hartman
` (76 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Jiri Kosina,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 487359284509a6745e14b8c0518768bc277809b0 ]
The previous fix for adding the devm_kasprintf() return check in the
commit bd07f751208b ("HID: uclogic: Add NULL check in
uclogic_input_configured()") changed the condition of hi->input->name
assignment, and it resulted in missing the proper input device name
when no custom suffix is defined.
Restore the conditional to the original content to address the
regression.
Fixes: bd07f751208b ("HID: uclogic: Add NULL check in uclogic_input_configured()")
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-uclogic-core.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/hid/hid-uclogic-core.c b/drivers/hid/hid-uclogic-core.c
index 5b35f9f321d41..7658bd678e7e3 100644
--- a/drivers/hid/hid-uclogic-core.c
+++ b/drivers/hid/hid-uclogic-core.c
@@ -142,7 +142,9 @@ static int uclogic_input_configured(struct hid_device *hdev,
suffix = "System Control";
break;
}
- } else {
+ }
+
+ if (suffix) {
hi->input->name = devm_kasprintf(&hdev->dev, GFP_KERNEL,
"%s %s", hdev->name, suffix);
if (!hi->input->name)
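Review bot: The new if (suffix) test runs regardless of which branch above was taken, so it is only safe if suffix is initialised to NULL at its declaration, which this hunk does not show. Please confirm that, since an uninitialised pointer here would reach devm_kasprintf() as a %s argument. The NULL check on hi->input->name that follows is kept, which preserves the fix from bd07f751208b.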
--
2.53.0
* [PATCH 6.1 900/969] firmware: arm_ffa: Check for NULL FF-A ID table while driver registration
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (898 preceding siblings ...)
2026-05-30 16:07 ` [PATCH 6.1 899/969] HID: uclogic: Fix regression of input name assignment Greg Kroah-Hartman
@ 2026-05-30 16:07 ` Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 901/969] firmware: arm_ffa: Skip free_pages on RX buffer alloc failure Greg Kroah-Hartman
` (75 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sudeep Holla, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sudeep Holla <sudeep.holla@kernel.org>
[ Upstream commit 0a5e695095c557d2380131b613dea4e8d90371be ]
The bus match callback assumes that every FF-A driver provides an
id_table and dereferences it unconditionally. Enforce that contract at
registration time so a buggy client driver cannot crash the bus during
match.
Fixes: 92743071464f ("firmware: arm_ffa: Ensure drivers provide a probe function")
Link: https://patch.msgid.link/20260428-ffa_fixes-v2-1-8595ae450034@kernel.org
Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/arm_ffa/bus.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/firmware/arm_ffa/bus.c b/drivers/firmware/arm_ffa/bus.c
index 5bda5d7ade42d..4ef02f0125ab9 100644
--- a/drivers/firmware/arm_ffa/bus.c
+++ b/drivers/firmware/arm_ffa/bus.c
@@ -24,6 +24,8 @@ static int ffa_device_match(struct device *dev, struct device_driver *drv)
id_table = to_ffa_driver(drv)->id_table;
ffa_dev = to_ffa_dev(dev);
+ if (!id_table)
+ return 0;
while (!uuid_is_null(&id_table->uuid)) {
/*
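Review bot: The if (!id_table) return 0; guard added to ffa_device_match() is not mentioned in the commit message, which only describes enforcing the contract at registration time. Since ffa_driver_register() now rejects a NULL id_table in the next hunk, say whether this branch is defence in depth or covers drivers that reach the bus another way, ideally in a comment next to the check.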
@@ -107,7 +109,7 @@ int ffa_driver_register(struct ffa_driver *driver, struct module *owner,
{
int ret;
- if (!driver->probe)
+ if (!driver->probe || !driver->id_table)
return -EINVAL;
driver->driver.bus = &ffa_bus_type;
--
2.53.0
* [PATCH 6.1 901/969] firmware: arm_ffa: Skip free_pages on RX buffer alloc failure
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (899 preceding siblings ...)
2026-05-30 16:07 ` [PATCH 6.1 900/969] firmware: arm_ffa: Check for NULL FF-A ID table while driver registration Greg Kroah-Hartman
@ 2026-05-30 16:07 ` Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 902/969] kunit: config: Enable KUNIT_DEBUGFS by default Greg Kroah-Hartman
` (74 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sudeep Holla, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sudeep Holla <sudeep.holla@kernel.org>
[ Upstream commit 09527e2c534911619d7e098729711100290bc3e1 ]
If the RX buffer allocation fails in ffa_init(), the error path jumps to
free_pages even though no buffer has been allocated yet. Route that case
directly to free_drv_info so the cleanup path is only used after at
least one RX/TX buffer allocation has succeeded.
Fixes: 3bbfe9871005 ("firmware: arm_ffa: Add initial Arm FFA driver support")
Link: https://patch.msgid.link/20260428-ffa_fixes-v2-2-8595ae450034@kernel.org
Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/arm_ffa/driver.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c
index e1e278d431e97..f7c72fcc9b5e3 100644
--- a/drivers/firmware/arm_ffa/driver.c
+++ b/drivers/firmware/arm_ffa/driver.c
@@ -816,7 +816,7 @@ static int __init ffa_init(void)
drv_info->rx_buffer = alloc_pages_exact(RXTX_BUFFER_SIZE, GFP_KERNEL);
if (!drv_info->rx_buffer) {
ret = -ENOMEM;
- goto free_pages;
+ goto free_drv_info;
}
drv_info->tx_buffer = alloc_pages_exact(RXTX_BUFFER_SIZE, GFP_KERNEL);
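Review bot: Jumping to free_drv_info on the rx_buffer failure is right, but the hunk does not show what the free_pages label does when the tx_buffer allocation on the following line fails with rx_buffer already allocated. Please confirm that path frees rx_buffer and does not hand a NULL tx_buffer to the free routine, so the cleanup matches the commit message's "at least one RX/TX buffer allocation has succeeded".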
--
2.53.0
* [PATCH 6.1 902/969] kunit: config: Enable KUNIT_DEBUGFS by default
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (900 preceding siblings ...)
2026-05-30 16:07 ` [PATCH 6.1 901/969] firmware: arm_ffa: Skip free_pages on RX buffer alloc failure Greg Kroah-Hartman
@ 2026-05-30 16:07 ` Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 903/969] kunit: config: KUNIT_DEBUGFS should depend on DEBUG_FS Greg Kroah-Hartman
` (73 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Gow, Shuah Khan, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Gow <david@davidgow.net>
[ Upstream commit 17e4c68ff35090d8cb743e3c82c09f92fda1ebda ]
The KUNIT_DEBUGFS option is currently enabled based on the value of
KUNIT_ALL_TESTS, but it really doesn't have anything to do with the set of
enabled tests, so just enable it by default anyway. In particular, this
shouldn't be only visible if KUNIT_ALL_TESTS is set, which is quite
confusing.
Link: https://lore.kernel.org/r/20260425034155.53913-1-david@davidgow.net
Fixes: beaed42c427d ("kunit: default KUNIT_* fragments to KUNIT_ALL_TESTS")
Signed-off-by: David Gow <david@davidgow.net>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
lib/kunit/Kconfig | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/kunit/Kconfig b/lib/kunit/Kconfig
index 626719b95badd..785c2cfc530c2 100644
--- a/lib/kunit/Kconfig
+++ b/lib/kunit/Kconfig
@@ -16,8 +16,8 @@ menuconfig KUNIT
if KUNIT
config KUNIT_DEBUGFS
- bool "KUnit - Enable /sys/kernel/debug/kunit debugfs representation" if !KUNIT_ALL_TESTS
- default KUNIT_ALL_TESTS
+ bool "KUnit - Enable /sys/kernel/debug/kunit debugfs representation"
+ default y
help
Enable debugfs representation for kunit. Currently this consists
of /sys/kernel/debug/kunit/<test_suite>/results files for each
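Review bot: With default y and no dependency line, KUNIT_DEBUGFS is now on by default in every KUNIT configuration, including ones built without debugfs. 903/969 adds depends on DEBUG_FS, so the two should be applied together.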
--
2.53.0
* [PATCH 6.1 903/969] kunit: config: KUNIT_DEBUGFS should depend on DEBUG_FS
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (901 preceding siblings ...)
2026-05-30 16:07 ` [PATCH 6.1 902/969] kunit: config: Enable KUNIT_DEBUGFS by default Greg Kroah-Hartman
@ 2026-05-30 16:07 ` Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 904/969] pinctrl: qcom: Fix wakeirq map by removing disconnected irqs for sm8150 Greg Kroah-Hartman
` (72 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Gow, Shuah Khan, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Gow <david@davidgow.net>
[ Upstream commit 8f80b5b227ef9ea422080487715c841856339aed ]
CONFIG_KUNIT_DEBUGFS is totally useless without debugfs, so it should
depend on CONFIG_DEBUG_FS.
Link: https://lore.kernel.org/r/20260425034155.53913-2-david@davidgow.net
Fixes: e2219db280e3 ("kunit: add debugfs /sys/kernel/debug/kunit/<suite>/results display")
Signed-off-by: David Gow <david@davidgow.net>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
lib/kunit/Kconfig | 1 +
1 file changed, 1 insertion(+)
diff --git a/lib/kunit/Kconfig b/lib/kunit/Kconfig
index 785c2cfc530c2..49defb2f21b69 100644
--- a/lib/kunit/Kconfig
+++ b/lib/kunit/Kconfig
@@ -17,6 +17,7 @@ if KUNIT
config KUNIT_DEBUGFS
bool "KUnit - Enable /sys/kernel/debug/kunit debugfs representation"
+ depends on DEBUG_FS
default y
help
Enable debugfs representation for kunit. Currently this consists
--
2.53.0
* [PATCH 6.1 904/969] pinctrl: qcom: Fix wakeirq map by removing disconnected irqs for sm8150
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (902 preceding siblings ...)
2026-05-30 16:07 ` [PATCH 6.1 903/969] kunit: config: KUNIT_DEBUGFS should depend on DEBUG_FS Greg Kroah-Hartman
@ 2026-05-30 16:07 ` Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 905/969] ARM: integrator: Fix early initialization Greg Kroah-Hartman
` (71 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konrad Dybcio, Maulik Shah,
Navya Malempati, Linus Walleij, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maulik Shah <maulik.shah@oss.qualcomm.com>
[ Upstream commit 52ac35b8a151446481496404af3a8e5e889b3c5a ]
PDC interrupts 122-125 were meant for ibi_i3c wakeup but sm8150 does not
support i3c. GPIOs 39, 51, 88 and 144 are also connected to a different PDC
pin and already reflected in the wake irq map.
Remove the unsupported wakeup interrupts from the map.
Fixes: 90337380c809 ("pinctrl: qcom: sm8150: Specify PDC map")
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Signed-off-by: Maulik Shah <maulik.shah@oss.qualcomm.com>
Signed-off-by: Navya Malempati <navya.malempati@oss.qualcomm.com>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/qcom/pinctrl-sm8150.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/pinctrl/qcom/pinctrl-sm8150.c b/drivers/pinctrl/qcom/pinctrl-sm8150.c
index 1cc622694553d..2bda8c1c89583 100644
--- a/drivers/pinctrl/qcom/pinctrl-sm8150.c
+++ b/drivers/pinctrl/qcom/pinctrl-sm8150.c
@@ -1504,18 +1504,18 @@ static const struct msm_gpio_wakeirq_map sm8150_pdc_map[] = {
{ 3, 31 }, { 5, 32 }, { 8, 33 }, { 9, 34 }, { 10, 100 },
{ 12, 104 }, { 24, 37 }, { 26, 38 }, { 27, 41 }, { 28, 42 },
{ 30, 39 }, { 36, 43 }, { 37, 44 }, { 38, 30 }, { 39, 118 },
- { 39, 125 }, { 41, 47 }, { 42, 48 }, { 46, 50 }, { 47, 49 },
- { 48, 51 }, { 49, 53 }, { 50, 52 }, { 51, 116 }, { 51, 123 },
+ { 41, 47 }, { 42, 48 }, { 46, 50 }, { 47, 49 },
+ { 48, 51 }, { 49, 53 }, { 50, 52 }, { 51, 116 },
{ 53, 54 }, { 54, 55 }, { 55, 56 }, { 56, 57 }, { 58, 58 },
{ 60, 60 }, { 61, 61 }, { 68, 62 }, { 70, 63 }, { 76, 71 },
{ 77, 66 }, { 81, 64 }, { 83, 65 }, { 86, 67 }, { 87, 84 },
- { 88, 117 }, { 88, 124 }, { 90, 69 }, { 91, 70 }, { 93, 75 },
+ { 88, 117 }, { 90, 69 }, { 91, 70 }, { 93, 75 },
{ 95, 72 }, { 96, 73 }, { 97, 74 }, { 101, 40 }, { 103, 77 },
{ 104, 78 }, { 108, 79 }, { 112, 80 }, { 113, 81 }, { 114, 82 },
{ 117, 85 }, { 118, 101 }, { 119, 87 }, { 120, 88 }, { 121, 89 },
{ 122, 90 }, { 123, 91 }, { 124, 92 }, { 125, 93 }, { 129, 94 },
{ 132, 105 }, { 133, 83 }, { 134, 36 }, { 136, 97 }, { 142, 103 },
- { 144, 115 }, { 144, 122 }, { 147, 102 }, { 150, 107 },
+ { 144, 115 }, { 147, 102 }, { 150, 107 },
{ 152, 108 }, { 153, 109 }
};
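Review bot: nothing in sm8150_pdc_map[] records why GPIOs 39, 51, 88 and 144 now carry a single entry each, so the dropped { 39, 125 }, { 51, 123 }, { 88, 124 } and { 144, 122 } pairs could be re-added by a later sync against a hardware table. A one-line comment above the array stating that PDC pins 122-125 are the ibi_i3c wakeups and are not connected on sm8150 would prevent that. The four removals match the commit message, and leaving the affected rows with four pairs instead of five is fine for keeping the stable diff minimal.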
--
2.53.0
* [PATCH 6.1 905/969] ARM: integrator: Fix early initialization
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Linus Walleij, Guenter Roeck,
Arnd Bergmann, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guenter Roeck <linux@roeck-us.net>
[ Upstream commit 90d77b30a666049ad24df463f52e5d529c44e8cd ]
Starting with commit bdb249fce9ad4 ("ARM: integrator: read counter using
syscon/regmap"), intcp_init_early calls syscon_regmap_lookup_by_compatible
which in turn calls of_syscon_register. This function allocates memory.
Since the memory management code has not been initialized at that time,
the call always fails. It either returns -ENOMEM or crashes as follows.
Unable to handle kernel NULL pointer dereference at virtual address 0000000c when read
[0000000c] *pgd=00000000
Internal error: Oops: 5 [#1] ARM
Modules linked in:
CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted 6.15.0-rc5-00026-g5fcc9bf84ee5 #1 PREEMPT
Hardware name: ARM Integrator/CP (Device Tree)
PC is at __kmalloc_cache_noprof+0xec/0x39c
LR is at __kmalloc_cache_noprof+0x34/0x39c
...
Call trace:
__kmalloc_cache_noprof from of_syscon_register+0x7c/0x310
of_syscon_register from device_node_get_regmap+0xa4/0xb0
device_node_get_regmap from intcp_init_early+0xc/0x40
intcp_init_early from start_kernel+0x60/0x688
start_kernel from 0x0
The crash is seen due to a dereferenced pointer which is not supposed to be
NULL but is NULL if the memory management subsystem has not been
initialized. The crash is not seen with all versions of gcc. Some versions
such as gcc 9.x apparently do not dereference the pointer, presumably if
tracing is disabled. The problem has been reproduced with gcc 10.x, 11.x,
and 13.x. Either case, if the crash is not seen, the call to
syscon_regmap_lookup_by_compatible returns -ENOMEM, and
sched_clock_register is never called.
Fix the problem by moving the early initialization code into the standard
machine initialization code.
Fixes: bdb249fce9ad4 ("ARM: integrator: read counter using syscon/regmap")
Cc: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Link: https://lore.kernel.org/20250518164118.3859567-1-linux@roeck-us.net
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Link: https://lore.kernel.org/r/20260505-integrator-fixes-v1-1-56ab9aac59db@kernel.org
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/mach-versatile/integrator_cp.c | 13 ++++---------
1 file changed, 4 insertions(+), 9 deletions(-)
diff --git a/arch/arm/mach-versatile/integrator_cp.c b/arch/arm/mach-versatile/integrator_cp.c
index 2ed4ded56b3fe..03dfb5f720b7b 100644
--- a/arch/arm/mach-versatile/integrator_cp.c
+++ b/arch/arm/mach-versatile/integrator_cp.c
@@ -86,14 +86,6 @@ static u64 notrace intcp_read_sched_clock(void)
return val;
}
-static void __init intcp_init_early(void)
-{
- cm_map = syscon_regmap_lookup_by_compatible("arm,core-module-integrator");
- if (IS_ERR(cm_map))
- return;
- sched_clock_register(intcp_read_sched_clock, 32, 24000000);
-}
-
static void __init intcp_init_irq_of(void)
{
cm_init();
@@ -119,6 +111,10 @@ static void __init intcp_init_of(void)
{
struct device_node *cpcon;
+ cm_map = syscon_regmap_lookup_by_compatible("arm,core-module-integrator");
+ if (!IS_ERR(cm_map))
+ sched_clock_register(intcp_read_sched_clock, 32, 24000000);
+
cpcon = of_find_matching_node(NULL, intcp_syscon_match);
if (!cpcon)
return;
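Review bot: in intcp_init_of() a failing syscon_regmap_lookup_by_compatible() is skipped silently, so when the "arm,core-module-integrator" lookup returns an error the machine boots without sched_clock_register() being called and nothing in the log says so. A pr_warn() on the IS_ERR(cm_map) path would make the missing sched clock visible. The new statements also sit directly after the cpcon declaration and ahead of the of_find_matching_node() lookup; a short comment that this was moved out of .init_early because the lookup allocates memory would stop it from being hoisted back.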
@@ -138,7 +134,6 @@ static const char * intcp_dt_board_compat[] = {
DT_MACHINE_START(INTEGRATOR_CP_DT, "ARM Integrator/CP (Device Tree)")
.reserve = integrator_reserve,
.map_io = intcp_map_io,
- .init_early = intcp_init_early,
.init_irq = intcp_init_irq_of,
.init_machine = intcp_init_of,
.dt_compat = intcp_dt_board_compat,
--
2.53.0
* [PATCH 6.1 906/969] netfilter: x_tables: unregister the templates first
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tristan Madani, Florian Westphal,
Pablo Neira Ayuso, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit d338693d778579b676a61346849bebd892427158 ]
When the module is going away we need to zap the template
first. Else there is a small race window where userspace
could instantiate a new table after the pernet exit function
has removed the current table.
Fixes: fdacd57c79b7 ("netfilter: x_tables: never register tables by default")
Reported-by: Tristan Madani <tristan@talencesecurity.com>
Reviewed-by: Tristan Madani <tristan@talencesecurity.com>
Closes: https://lore.kernel.org/netfilter-devel/20260429175613.1459342-1-tristmd@gmail.com/
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/netfilter/arptable_filter.c | 2 +-
net/ipv4/netfilter/iptable_filter.c | 2 +-
net/ipv4/netfilter/iptable_mangle.c | 2 +-
net/ipv4/netfilter/iptable_raw.c | 2 +-
net/ipv4/netfilter/iptable_security.c | 2 +-
net/ipv6/netfilter/ip6table_filter.c | 2 +-
net/ipv6/netfilter/ip6table_mangle.c | 2 +-
net/ipv6/netfilter/ip6table_raw.c | 2 +-
net/ipv6/netfilter/ip6table_security.c | 2 +-
9 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c
index 78cd5ee24448f..359d00d74095b 100644
--- a/net/ipv4/netfilter/arptable_filter.c
+++ b/net/ipv4/netfilter/arptable_filter.c
@@ -82,8 +82,8 @@ static int __init arptable_filter_init(void)
static void __exit arptable_filter_fini(void)
{
- unregister_pernet_subsys(&arptable_filter_net_ops);
xt_unregister_template(&packet_filter);
+ unregister_pernet_subsys(&arptable_filter_net_ops);
kfree(arpfilter_ops);
}
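Review bot: the ordering requirement in arptable_filter_fini() is not documented in the code, and the same three-call sequence is repeated in each of the nine exit functions this patch touches. A short comment above xt_unregister_template() saying the template has to go before unregister_pernet_subsys() so that no new table can be instantiated during module exit, or a shared exit helper that encodes the order once, would keep a later cleanup from reintroducing the race described in the commit message.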
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c
index b9062f4552ace..c03c1a4ea7cab 100644
--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -101,8 +101,8 @@ static int __init iptable_filter_init(void)
static void __exit iptable_filter_fini(void)
{
- unregister_pernet_subsys(&iptable_filter_net_ops);
xt_unregister_template(&packet_filter);
+ unregister_pernet_subsys(&iptable_filter_net_ops);
kfree(filter_ops);
}
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c
index 3abb430af9e6f..6a51e61b35562 100644
--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -134,8 +134,8 @@ static int __init iptable_mangle_init(void)
static void __exit iptable_mangle_fini(void)
{
- unregister_pernet_subsys(&iptable_mangle_net_ops);
xt_unregister_template(&packet_mangler);
+ unregister_pernet_subsys(&iptable_mangle_net_ops);
kfree(mangle_ops);
}
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index ca5e5b21587cd..33330e13ea18d 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -100,9 +100,9 @@ static int __init iptable_raw_init(void)
static void __exit iptable_raw_fini(void)
{
+ xt_unregister_template(&packet_raw);
unregister_pernet_subsys(&iptable_raw_net_ops);
kfree(rawtable_ops);
- xt_unregister_template(&packet_raw);
}
module_init(iptable_raw_init);
diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c
index d885443cb2679..2b89adc1e5751 100644
--- a/net/ipv4/netfilter/iptable_security.c
+++ b/net/ipv4/netfilter/iptable_security.c
@@ -89,9 +89,9 @@ static int __init iptable_security_init(void)
static void __exit iptable_security_fini(void)
{
+ xt_unregister_template(&security_table);
unregister_pernet_subsys(&iptable_security_net_ops);
kfree(sectbl_ops);
- xt_unregister_template(&security_table);
}
module_init(iptable_security_init);
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index df785ebda0ca4..16a38d56b2e54 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -100,8 +100,8 @@ static int __init ip6table_filter_init(void)
static void __exit ip6table_filter_fini(void)
{
- unregister_pernet_subsys(&ip6table_filter_net_ops);
xt_unregister_template(&packet_filter);
+ unregister_pernet_subsys(&ip6table_filter_net_ops);
kfree(filter_ops);
}
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index a88b2ce4a3cb8..39f0716667131 100644
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -127,8 +127,8 @@ static int __init ip6table_mangle_init(void)
static void __exit ip6table_mangle_fini(void)
{
- unregister_pernet_subsys(&ip6table_mangle_net_ops);
xt_unregister_template(&packet_mangler);
+ unregister_pernet_subsys(&ip6table_mangle_net_ops);
kfree(mangle_ops);
}
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index 08861d5d1f4db..01def8aa7a2e8 100644
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -98,8 +98,8 @@ static int __init ip6table_raw_init(void)
static void __exit ip6table_raw_fini(void)
{
- unregister_pernet_subsys(&ip6table_raw_net_ops);
xt_unregister_template(&packet_raw);
+ unregister_pernet_subsys(&ip6table_raw_net_ops);
kfree(rawtable_ops);
}
diff --git a/net/ipv6/netfilter/ip6table_security.c b/net/ipv6/netfilter/ip6table_security.c
index 4df14a9bae782..66018b169b010 100644
--- a/net/ipv6/netfilter/ip6table_security.c
+++ b/net/ipv6/netfilter/ip6table_security.c
@@ -88,8 +88,8 @@ static int __init ip6table_security_init(void)
static void __exit ip6table_security_fini(void)
{
- unregister_pernet_subsys(&ip6table_security_net_ops);
xt_unregister_template(&security_table);
+ unregister_pernet_subsys(&ip6table_security_net_ops);
kfree(sectbl_ops);
}
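Review bot: after ip6table_security_fini() the series of reordered exit functions ends, and the diffstat lists only the filter, mangle, raw and security tables plus arptable_filter; no nat table module is touched. The changelog should say whether the nat exit paths already unregister their template before the pernet ops or are not affected by the same window, so a reader of the stable queue does not have to check that by hand.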
--
2.53.0
* [PATCH 6.1 907/969] netfilter: arptables: allow xtables-nft only builds
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Westphal, Phil Sutter,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 4654467dc7e111e84f43ed1b70322873ae77e7be ]
Allows to build kernel that supports the arptables mangle target
via nftables' compat infra but without the arptables get/setsockopt
interface or the old arptables filter interpreter.
IOW, setting IP_NF_ARPFILTER=n will break arptables-legacy, but
arptables-nft will continue to work as long as nftables compat
support is enabled.
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Phil Sutter <phil@nwl.cc>
Stable-dep-of: b4597d5fd7d2 ("netfilter: x_tables: add and use xtables_unregister_table_exit")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/netfilter/Kconfig | 28 +++++++++++++---------------
1 file changed, 13 insertions(+), 15 deletions(-)
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index aab384126f61f..483778f379d44 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -323,36 +323,34 @@ endif # IP_NF_IPTABLES
# ARP tables
config IP_NF_ARPTABLES
- tristate "ARP tables support"
- select NETFILTER_XTABLES
- select NETFILTER_FAMILY_ARP
- depends on NETFILTER_ADVANCED
- help
- arptables is a general, extensible packet identification framework.
- The ARP packet filtering and mangling (manipulation)subsystems
- use this: say Y or M here if you want to use either of those.
-
- To compile it as a module, choose M here. If unsure, say N.
+ tristate
-if IP_NF_ARPTABLES
+config NFT_COMPAT_ARP
+ tristate
+ depends on NF_TABLES_ARP && NFT_COMPAT
+ default m if NFT_COMPAT=m
+ default y if NFT_COMPAT=y
config IP_NF_ARPFILTER
- tristate "ARP packet filtering"
+ tristate "arptables-legacy packet filtering support"
+ select IP_NF_ARPTABLES
help
ARP packet filtering defines a table `filter', which has a series of
rules for simple ARP packet filtering at local input and
- local output. On a bridge, you can also specify filtering rules
- for forwarded ARP packets. See the man page for arptables(8).
+ local output. This is only needed for arptables-legacy(8).
+ Neither arptables-nft nor nftables need this to work.
To compile it as a module, choose M here. If unsure, say N.
config IP_NF_ARP_MANGLE
tristate "ARP payload mangling"
+ depends on IP_NF_ARPTABLES || NFT_COMPAT_ARP
help
Allows altering the ARP packet payload: source and destination
hardware and network addresses.
-endif # IP_NF_ARPTABLES
+ This option is needed by both arptables-legacy and arptables-nft.
+ It is not used by nftables.
endmenu
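Review bot: the rewritten IP_NF_ARPTABLES entry drops "select NETFILTER_XTABLES" and "select NETFILTER_FAMILY_ARP" and nothing else in the hunk replaces them: IP_NF_ARPFILTER only gains "select IP_NF_ARPTABLES", and the now promptless IP_NF_ARPTABLES carries no selects or dependencies of its own. With NF_TABLES_ARP disabled, arptables-legacy can therefore be enabled without the xtables core or the ARP hook family. Either keep the two selects on IP_NF_ARPTABLES or move them to IP_NF_ARPFILTER; patches 910 and 911 of this series deal with exactly these two gaps, so this one should not be applied without them. Removing "depends on NETFILTER_ADVANCED" also changes when the option is offered and is not mentioned in the changelog.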
--
2.53.0
* [PATCH 6.1 908/969] netfilter: xtables: allow xtables-nft only builds
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Florian Westphal, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit a9525c7f6219cee9284c0031c5930e8d41384677 ]
Add hidden IP(6)_NF_IPTABLES_LEGACY symbol.
When any of the "old" builtin tables are enabled the "old" iptables
interface will be supported.
To disable the old set/getsockopt interface the existing options
for the builtin tables need to be turned off:
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER is not set
CONFIG_IP_NF_NAT is not set
CONFIG_IP_NF_MANGLE is not set
CONFIG_IP_NF_RAW is not set
CONFIG_IP_NF_SECURITY is not set
Same for CONFIG_IP6_NF_ variants.
This allows to build a kernel that only supports ip(6)tables-nft
(iptables-over-nftables api).
In the future the _LEGACY symbol will become visible and the select
statements will be turned into 'depends on', but for now be on safe side
so "make oldconfig" won't break things.
Signed-off-by: Florian Westphal <fw@strlen.de>
Stable-dep-of: b4597d5fd7d2 ("netfilter: x_tables: add and use xtables_unregister_table_exit")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/netfilter/Kconfig | 15 ++++++++++++---
net/ipv4/netfilter/Makefile | 2 +-
net/ipv6/netfilter/Kconfig | 20 ++++++++++++++------
net/ipv6/netfilter/Makefile | 2 +-
net/netfilter/Kconfig | 12 ++++++------
5 files changed, 34 insertions(+), 17 deletions(-)
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 483778f379d44..5ee86c7ae4dcb 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -10,6 +10,10 @@ config NF_DEFRAG_IPV4
tristate
default n
+# old sockopt interface and eval loop
+config IP_NF_IPTABLES_LEGACY
+ tristate
+
config NF_SOCKET_IPV4
tristate "IPv4 socket lookup support"
help
@@ -152,7 +156,7 @@ config IP_NF_MATCH_ECN
config IP_NF_MATCH_RPFILTER
tristate '"rpfilter" reverse path filter match support'
depends on NETFILTER_ADVANCED
- depends on IP_NF_MANGLE || IP_NF_RAW
+ depends on IP_NF_MANGLE || IP_NF_RAW || NFT_COMPAT
help
This option allows you to match packets whose replies would
go out via the interface the packet came in.
@@ -173,6 +177,7 @@ config IP_NF_MATCH_TTL
config IP_NF_FILTER
tristate "Packet filtering"
default m if NETFILTER_ADVANCED=n
+ select IP_NF_IPTABLES_LEGACY
help
Packet filtering defines a table `filter', which has a series of
rules for simple packet filtering at local input, forwarding and
@@ -182,7 +187,7 @@ config IP_NF_FILTER
config IP_NF_TARGET_REJECT
tristate "REJECT target support"
- depends on IP_NF_FILTER
+ depends on IP_NF_FILTER || NFT_COMPAT
select NF_REJECT_IPV4
default m if NETFILTER_ADVANCED=n
help
@@ -212,6 +217,7 @@ config IP_NF_NAT
default m if NETFILTER_ADVANCED=n
select NF_NAT
select NETFILTER_XT_NAT
+ select IP6_NF_IPTABLES_LEGACY
help
This enables the `nat' table in iptables. This allows masquerading,
port forwarding and other forms of full Network Address Port
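Review bot: the select added to IP_NF_NAT names the IPv6 symbol, "select IP6_NF_IPTABLES_LEGACY", inside net/ipv4/netfilter/Kconfig. Every other IPv4 table entry in this patch selects IP_NF_IPTABLES_LEGACY, which is the symbol ip_tables.o is built on after the Makefile change, so as written the IPv4 nat table can be enabled without ip_tables.o. This should read "select IP_NF_IPTABLES_LEGACY"; patch 910 of this series carries that correction, so the two need to land together.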
@@ -252,6 +258,7 @@ endif # IP_NF_NAT
config IP_NF_MANGLE
tristate "Packet mangling"
default m if NETFILTER_ADVANCED=n
+ select IP_NF_IPTABLES_LEGACY
help
This option adds a `mangle' table to iptables: see the man page for
iptables(8). This table is used for various packet alterations
@@ -275,7 +282,7 @@ config IP_NF_TARGET_CLUSTERIP
config IP_NF_TARGET_ECN
tristate "ECN target support"
- depends on IP_NF_MANGLE
+ depends on IP_NF_MANGLE || NFT_COMPAT
depends on NETFILTER_ADVANCED
help
This option adds a `ECN' target, which can be used in the iptables mangle
@@ -300,6 +307,7 @@ config IP_NF_TARGET_TTL
# raw + specific targets
config IP_NF_RAW
tristate 'raw table support (required for NOTRACK/TRACE)'
+ select IP_NF_IPTABLES_LEGACY
help
This option adds a `raw' table to iptables. This table is the very
first in the netfilter framework and hooks in at the PREROUTING
@@ -313,6 +321,7 @@ config IP_NF_SECURITY
tristate "Security table"
depends on SECURITY
depends on NETFILTER_ADVANCED
+ select IP_NF_IPTABLES_LEGACY
help
This option adds a `security' table to iptables, for use
with Mandatory Access Control (MAC) policy.
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index 93bad11842517..2e606a13ee5ff 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -25,7 +25,7 @@ obj-$(CONFIG_NFT_FIB_IPV4) += nft_fib_ipv4.o
obj-$(CONFIG_NFT_DUP_IPV4) += nft_dup_ipv4.o
# generic IP tables
-obj-$(CONFIG_IP_NF_IPTABLES) += ip_tables.o
+obj-$(CONFIG_IP_NF_IPTABLES_LEGACY) += ip_tables.o
# the three instances of ip_tables
obj-$(CONFIG_IP_NF_FILTER) += iptable_filter.o
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index 0ba62f4868f97..f3c8e2d918e13 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -6,6 +6,10 @@
menu "IPv6: Netfilter Configuration"
depends on INET && IPV6 && NETFILTER
+# old sockopt interface and eval loop
+config IP6_NF_IPTABLES_LEGACY
+ tristate
+
config NF_SOCKET_IPV6
tristate "IPv6 socket lookup support"
help
@@ -147,7 +151,7 @@ config IP6_NF_MATCH_MH
config IP6_NF_MATCH_RPFILTER
tristate '"rpfilter" reverse path filter match support'
depends on NETFILTER_ADVANCED
- depends on IP6_NF_MANGLE || IP6_NF_RAW
+ depends on IP6_NF_MANGLE || IP6_NF_RAW || NFT_COMPAT
help
This option allows you to match packets whose replies would
go out via the interface the packet came in.
@@ -186,6 +190,8 @@ config IP6_NF_TARGET_HL
config IP6_NF_FILTER
tristate "Packet filtering"
default m if NETFILTER_ADVANCED=n
+ select IP6_NF_IPTABLES_LEGACY
+ tristate
help
Packet filtering defines a table `filter', which has a series of
rules for simple packet filtering at local input, forwarding and
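Review bot: the IP6_NF_FILTER entry gains a bare "tristate" line after "select IP6_NF_IPTABLES_LEGACY", although the entry already opens with tristate "Packet filtering". None of the other table entries changed by this patch get a second type line, so this looks like a leftover from editing; drop it so the entry keeps only the prompted type declaration.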
@@ -195,7 +201,7 @@ config IP6_NF_FILTER
config IP6_NF_TARGET_REJECT
tristate "REJECT target support"
- depends on IP6_NF_FILTER
+ depends on IP6_NF_FILTER || NFT_COMPAT
select NF_REJECT_IPV6
default m if NETFILTER_ADVANCED=n
help
@@ -221,6 +227,7 @@ config IP6_NF_TARGET_SYNPROXY
config IP6_NF_MANGLE
tristate "Packet mangling"
default m if NETFILTER_ADVANCED=n
+ select IP6_NF_IPTABLES_LEGACY
help
This option adds a `mangle' table to iptables: see the man page for
iptables(8). This table is used for various packet alterations
@@ -230,6 +237,7 @@ config IP6_NF_MANGLE
config IP6_NF_RAW
tristate 'raw table support (required for TRACE)'
+ select IP6_NF_IPTABLES_LEGACY
help
This option adds a `raw' table to ip6tables. This table is the very
first in the netfilter framework and hooks in at the PREROUTING
@@ -243,6 +251,7 @@ config IP6_NF_SECURITY
tristate "Security table"
depends on SECURITY
depends on NETFILTER_ADVANCED
+ select IP6_NF_IPTABLES_LEGACY
help
This option adds a `security' table to iptables, for use
with Mandatory Access Control (MAC) policy.
@@ -254,6 +263,7 @@ config IP6_NF_NAT
depends on NF_CONNTRACK
depends on NETFILTER_ADVANCED
select NF_NAT
+ select IP6_NF_IPTABLES_LEGACY
select NETFILTER_XT_NAT
help
This enables the `nat' table in ip6tables. This allows masquerading,
@@ -262,25 +272,23 @@ config IP6_NF_NAT
To compile it as a module, choose M here. If unsure, say N.
-if IP6_NF_NAT
-
config IP6_NF_TARGET_MASQUERADE
tristate "MASQUERADE target support"
select NETFILTER_XT_TARGET_MASQUERADE
+ depends on IP6_NF_NAT
help
This is a backwards-compat option for the user's convenience
(e.g. when running oldconfig). It selects NETFILTER_XT_TARGET_MASQUERADE.
config IP6_NF_TARGET_NPT
tristate "NPT (Network Prefix translation) target support"
+ depends on IP6_NF_NAT || NFT_COMPAT
help
This option adds the `SNPT' and `DNPT' target, which perform
stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.
To compile it as a module, choose M here. If unsure, say N.
-endif # IP6_NF_NAT
-
endif # IP6_NF_IPTABLES
endmenu
diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile
index b8d6dc9aeeb6f..66ce6fa5b2f52 100644
--- a/net/ipv6/netfilter/Makefile
+++ b/net/ipv6/netfilter/Makefile
@@ -4,7 +4,7 @@
#
# Link order matters here.
-obj-$(CONFIG_IP6_NF_IPTABLES) += ip6_tables.o
+obj-$(CONFIG_IP6_NF_IPTABLES_LEGACY) += ip6_tables.o
obj-$(CONFIG_IP6_NF_FILTER) += ip6table_filter.o
obj-$(CONFIG_IP6_NF_MANGLE) += ip6table_mangle.o
obj-$(CONFIG_IP6_NF_RAW) += ip6table_raw.o
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 4b8d04640ff32..344c287aa3f41 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -816,7 +816,7 @@ config NETFILTER_XT_TARGET_AUDIT
config NETFILTER_XT_TARGET_CHECKSUM
tristate "CHECKSUM target support"
- depends on IP_NF_MANGLE || IP6_NF_MANGLE
+ depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT
depends on NETFILTER_ADVANCED
help
This option adds a `CHECKSUM' target, which can be used in the iptables mangle
@@ -867,7 +867,7 @@ config NETFILTER_XT_TARGET_CONNSECMARK
config NETFILTER_XT_TARGET_CT
tristate '"CT" target support'
depends on NF_CONNTRACK
- depends on IP_NF_RAW || IP6_NF_RAW
+ depends on IP_NF_RAW || IP6_NF_RAW || NFT_COMPAT
depends on NETFILTER_ADVANCED
help
This options adds a `CT' target, which allows to specify initial
@@ -878,7 +878,7 @@ config NETFILTER_XT_TARGET_CT
config NETFILTER_XT_TARGET_DSCP
tristate '"DSCP" and "TOS" target support'
- depends on IP_NF_MANGLE || IP6_NF_MANGLE
+ depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT
depends on NETFILTER_ADVANCED
help
This option adds a `DSCP' target, which allows you to manipulate
@@ -894,7 +894,7 @@ config NETFILTER_XT_TARGET_DSCP
config NETFILTER_XT_TARGET_HL
tristate '"HL" hoplimit target support'
- depends on IP_NF_MANGLE || IP6_NF_MANGLE
+ depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT
depends on NETFILTER_ADVANCED
help
This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
@@ -1078,7 +1078,7 @@ config NETFILTER_XT_TARGET_TPROXY
depends on NETFILTER_ADVANCED
depends on IPV6 || IPV6=n
depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
- depends on IP_NF_MANGLE
+ depends on IP_NF_MANGLE || NFT_COMPAT
select NF_DEFRAG_IPV4
select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
select NF_TPROXY_IPV4
@@ -1145,7 +1145,7 @@ config NETFILTER_XT_TARGET_TCPMSS
config NETFILTER_XT_TARGET_TCPOPTSTRIP
tristate '"TCPOPTSTRIP" target support'
- depends on IP_NF_MANGLE || IP6_NF_MANGLE
+ depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT
depends on NETFILTER_ADVANCED
help
This option adds a "TCPOPTSTRIP" target, which allows you to strip
--
2.53.0
* [PATCH 6.1 909/969] netfilter: ebtables: allow xtables-nft only builds
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Florian Westphal, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 7ad269787b6615ca56bb161063331991fce51abf ]
Same patch as previous one, but for ebtables.
To build a kernel that only supports ebtables-nft, the builtin tables
need to be disabled, i.e.:
CONFIG_BRIDGE_EBT_BROUTE=n
CONFIG_BRIDGE_EBT_T_FILTER=n
CONFIG_BRIDGE_EBT_T_NAT=n
The ebtables specific extensions can then be used via nftables'
NFT_COMPAT interface.
Signed-off-by: Florian Westphal <fw@strlen.de>
Stable-dep-of: b4597d5fd7d2 ("netfilter: x_tables: add and use xtables_unregister_table_exit")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bridge/netfilter/Kconfig | 7 +++++++
net/bridge/netfilter/Makefile | 2 +-
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig
index 7f304a19ac1bf..104c0125e32e8 100644
--- a/net/bridge/netfilter/Kconfig
+++ b/net/bridge/netfilter/Kconfig
@@ -39,6 +39,10 @@ config NF_CONNTRACK_BRIDGE
To compile it as a module, choose M here. If unsure, say N.
+# old sockopt interface and eval loop
+config BRIDGE_NF_EBTABLES_LEGACY
+ tristate
+
menuconfig BRIDGE_NF_EBTABLES
tristate "Ethernet Bridge tables (ebtables) support"
depends on BRIDGE && NETFILTER && NETFILTER_XTABLES
@@ -55,6 +59,7 @@ if BRIDGE_NF_EBTABLES
#
config BRIDGE_EBT_BROUTE
tristate "ebt: broute table support"
+ select BRIDGE_NF_EBTABLES_LEGACY
help
The ebtables broute table is used to define rules that decide between
bridging and routing frames, giving Linux the functionality of a
@@ -65,6 +70,7 @@ config BRIDGE_EBT_BROUTE
config BRIDGE_EBT_T_FILTER
tristate "ebt: filter table support"
+ select BRIDGE_NF_EBTABLES_LEGACY
help
The ebtables filter table is used to define frame filtering rules at
local input, forwarding and local output. See the man page for
@@ -74,6 +80,7 @@ config BRIDGE_EBT_T_FILTER
config BRIDGE_EBT_T_NAT
tristate "ebt: nat table support"
+ select BRIDGE_NF_EBTABLES_LEGACY
help
The ebtables nat table is used to define rules that alter the MAC
source address (MAC SNAT) or the MAC destination address (MAC DNAT).
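Review bot: BRIDGE_EBT_T_NAT, like BRIDGE_EBT_BROUTE and BRIDGE_EBT_T_FILTER above it, now selects BRIDGE_NF_EBTABLES_LEGACY but keeps its prompt and help text unchanged, so nothing in menuconfig tells the user that these three options are what pulls in the legacy ebtables interface. The arptables patch of this series reworded its prompt to "arptables-legacy packet filtering support" and added a sentence saying the option is not needed for arptables-nft; the same wording here would make the ebtables-nft-only configuration from the changelog discoverable without reading the commit message.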
diff --git a/net/bridge/netfilter/Makefile b/net/bridge/netfilter/Makefile
index 1c9ce49ab6513..b9a1303da9771 100644
--- a/net/bridge/netfilter/Makefile
+++ b/net/bridge/netfilter/Makefile
@@ -9,7 +9,7 @@ obj-$(CONFIG_NFT_BRIDGE_REJECT) += nft_reject_bridge.o
# connection tracking
obj-$(CONFIG_NF_CONNTRACK_BRIDGE) += nf_conntrack_bridge.o
-obj-$(CONFIG_BRIDGE_NF_EBTABLES) += ebtables.o
+obj-$(CONFIG_BRIDGE_NF_EBTABLES_LEGACY) += ebtables.o
# tables
obj-$(CONFIG_BRIDGE_EBT_BROUTE) += ebtable_broute.o
--
2.53.0
* [PATCH 6.1 910/969] netfilter: xtables: fix up kconfig dependencies
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Randy Dunlap,
Florian Westphal, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 749d4ef0868c5d8a98e07073791b2198178c93b4 ]
Randy Dunlap reports arptables build failure:
arp_tables.c:(.text+0x20): undefined reference to `xt_find_table'
... because recent change removed a 'select' on the xtables core.
Add a "depends" clause on arptables to resolve this.
Kernel test robot reports another build breakage:
iptable_nat.c:(.text+0x8): undefined reference to `ipt_unregister_table_exit'
... because of a typo, the nat table selected ip6tables.
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Randy Dunlap <rdunlap@infradead.org>
Closes: https://lore.kernel.org/netfilter-devel/d0dfbaef-046a-4c42-9daa-53636664bf6d@infradead.org/
Fixes: a9525c7f6219 ("netfilter: xtables: allow xtables-nft only builds")
Fixes: 4654467dc7e1 ("netfilter: arptables: allow xtables-nft only builds")
Acked-by: Randy Dunlap <rdunlap@infradead.org>
Tested-by: Randy Dunlap <rdunlap@infradead.org> # build-tested
Signed-off-by: Florian Westphal <fw@strlen.de>
Stable-dep-of: b4597d5fd7d2 ("netfilter: x_tables: add and use xtables_unregister_table_exit")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/netfilter/Kconfig | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 5ee86c7ae4dcb..0f60a740d117d 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -217,7 +217,7 @@ config IP_NF_NAT
default m if NETFILTER_ADVANCED=n
select NF_NAT
select NETFILTER_XT_NAT
- select IP6_NF_IPTABLES_LEGACY
+ select IP_NF_IPTABLES_LEGACY
help
This enables the `nat' table in iptables. This allows masquerading,
port forwarding and other forms of full Network Address Port
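Review bot: The one-line `select` swap under `config IP_NF_NAT` is a second, independent build fix bundled with the arptables one, and the commit message explains its cause ("because of a typo, the nat table selected ip6tables") without saying that this hunk is the correction. The two changes carry different `Fixes:` tags, so splitting them, or at least adding a sentence such as "Select IP_NF_IPTABLES_LEGACY instead", would make each backport decision easier to audit.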
@@ -343,6 +343,7 @@ config NFT_COMPAT_ARP
config IP_NF_ARPFILTER
tristate "arptables-legacy packet filtering support"
select IP_NF_ARPTABLES
+ depends on NETFILTER_XTABLES
help
ARP packet filtering defines a table `filter', which has a series of
rules for simple ARP packet filtering at local input and
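Review bot: The new `depends on NETFILTER_XTABLES` under `config IP_NF_ARPFILTER` guards only this one selector, because `select IP_NF_ARPTABLES` forces the selected symbol on without evaluating that symbol's own dependencies. Any other option that later selects or enables `IP_NF_ARPTABLES` would hit the same `xt_find_table` link error, so consider putting the dependency on `IP_NF_ARPTABLES` itself as well.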
--
2.53.0
* [PATCH 6.1 911/969] netfilter: arptables: Select NETFILTER_FAMILY_ARP when building arp_tables.c
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzkaller, Kuniyuki Iwashima,
Simon Horman, Pablo Neira Ayuso, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@amazon.com>
[ Upstream commit 15fba562f7a9f04322b8bfc8f392e04bb93d81be ]
syzkaller started to report a warning below [0] after consuming the
commit 4654467dc7e1 ("netfilter: arptables: allow xtables-nft only
builds").
The change accidentally removed the dependency on NETFILTER_FAMILY_ARP
from IP_NF_ARPTABLES.
If NF_TABLES_ARP is not enabled on Kconfig, NETFILTER_FAMILY_ARP will
be removed and some code necessary for arptables will not be compiled.
$ grep -E "(NETFILTER_FAMILY_ARP|IP_NF_ARPTABLES|NF_TABLES_ARP)" .config
CONFIG_NETFILTER_FAMILY_ARP=y
# CONFIG_NF_TABLES_ARP is not set
CONFIG_IP_NF_ARPTABLES=y
$ make olddefconfig
$ grep -E "(NETFILTER_FAMILY_ARP|IP_NF_ARPTABLES|NF_TABLES_ARP)" .config
# CONFIG_NF_TABLES_ARP is not set
CONFIG_IP_NF_ARPTABLES=y
So, when nf_register_net_hooks() is called for arptables, it will
trigger the splat below.
Now IP_NF_ARPTABLES is only enabled by IP_NF_ARPFILTER, so let's
restore the dependency on NETFILTER_FAMILY_ARP in IP_NF_ARPFILTER.
[0]:
WARNING: CPU: 0 PID: 242 at net/netfilter/core.c:316 nf_hook_entry_head+0x1e1/0x2c0 net/netfilter/core.c:316
Modules linked in:
CPU: 0 PID: 242 Comm: syz-executor.0 Not tainted 6.8.0-12821-g537c2e91d354 #10
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:nf_hook_entry_head+0x1e1/0x2c0 net/netfilter/core.c:316
Call Trace:
<TASK>
__nf_register_net_hook+0xcd/0x7a0 net/netfilter/core.c:428
nf_register_net_hook+0x116/0x170 net/netfilter/core.c:578
nf_register_net_hooks+0x5d/0xc0 net/netfilter/core.c:594
arpt_register_table+0x250/0x420 net/ipv4/netfilter/arp_tables.c:1553
arptable_filter_table_init+0x41/0x60 net/ipv4/netfilter/arptable_filter.c:39
xt_find_table_lock+0x2e9/0x4b0 net/netfilter/x_tables.c:1260
xt_request_find_table_lock+0x2b/0xe0 net/netfilter/x_tables.c:1285
get_info+0x169/0x5c0 net/ipv4/netfilter/arp_tables.c:808
do_arpt_get_ctl+0x3f9/0x830 net/ipv4/netfilter/arp_tables.c:1444
nf_getsockopt+0x76/0xd0 net/netfilter/nf_sockopt.c:116
ip_getsockopt+0x17d/0x1c0 net/ipv4/ip_sockglue.c:1777
tcp_getsockopt+0x99/0x100 net/ipv4/tcp.c:4373
do_sock_getsockopt+0x279/0x360 net/socket.c:2373
__sys_getsockopt+0x115/0x1e0 net/socket.c:2402
__do_sys_getsockopt net/socket.c:2412 [inline]
__se_sys_getsockopt net/socket.c:2409 [inline]
__x64_sys_getsockopt+0xbd/0x150 net/socket.c:2409
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x4f/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x46/0x4e
</TASK>
Fixes: 4654467dc7e1 ("netfilter: arptables: allow xtables-nft only builds")
Reported-by: syzkaller <syzkaller@googlegroups.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Stable-dep-of: b4597d5fd7d2 ("netfilter: x_tables: add and use xtables_unregister_table_exit")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/netfilter/Kconfig | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 0f60a740d117d..6146ef5fc728f 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -343,6 +343,7 @@ config NFT_COMPAT_ARP
config IP_NF_ARPFILTER
tristate "arptables-legacy packet filtering support"
select IP_NF_ARPTABLES
+ select NETFILTER_FAMILY_ARP
depends on NETFILTER_XTABLES
help
ARP packet filtering defines a table `filter', which has a series of
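Review bot: `select NETFILTER_FAMILY_ARP` is added under `config IP_NF_ARPFILTER`, yet the subject line and the message say the code that needs it is arp_tables.c, which belongs to `IP_NF_ARPTABLES`. The placement is correct only while `IP_NF_ARPFILTER` is the sole way to turn `IP_NF_ARPTABLES` on, an invariant that is stated in the commit message and nowhere in the Kconfig file. Either move the select to `config IP_NF_ARPTABLES` or record the assumption in a Kconfig comment next to this line.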
--
2.53.0
* [PATCH 6.1 912/969] netfilter: Make legacy configs user selectable
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Breno Leitao, Pablo Neira Ayuso,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Breno Leitao <leitao@debian.org>
[ Upstream commit 6c959fd5e17387201dba3619b2e6af213939a0a7 ]
This option makes legacy Netfilter Kconfig user selectable, giving users
the option to configure iptables without enabling any other config.
Make the following KConfig entries user selectable:
* BRIDGE_NF_EBTABLES_LEGACY
* IP_NF_ARPTABLES
* IP_NF_IPTABLES_LEGACY
* IP6_NF_IPTABLES_LEGACY
Signed-off-by: Breno Leitao <leitao@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Stable-dep-of: b4597d5fd7d2 ("netfilter: x_tables: add and use xtables_unregister_table_exit")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bridge/netfilter/Kconfig | 8 +++++++-
net/ipv4/netfilter/Kconfig | 16 ++++++++++++++--
net/ipv6/netfilter/Kconfig | 9 ++++++++-
3 files changed, 29 insertions(+), 4 deletions(-)
diff --git a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig
index 104c0125e32e8..f16bbbbb94817 100644
--- a/net/bridge/netfilter/Kconfig
+++ b/net/bridge/netfilter/Kconfig
@@ -41,7 +41,13 @@ config NF_CONNTRACK_BRIDGE
# old sockopt interface and eval loop
config BRIDGE_NF_EBTABLES_LEGACY
- tristate
+ tristate "Legacy EBTABLES support"
+ depends on BRIDGE && NETFILTER_XTABLES
+ default n
+ help
+ Legacy ebtables packet/frame classifier.
+ This is not needed if you are using ebtables over nftables
+ (iptables-nft).
menuconfig BRIDGE_NF_EBTABLES
tristate "Ethernet Bridge tables (ebtables) support"
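Review bot: The help text added for `BRIDGE_NF_EBTABLES_LEGACY` points readers at "(iptables-nft)" although the sentence is about ebtables; name the ebtables front end (ebtables-nft) so the hint matches the option. `default n` is also redundant, since a symbol without a default is already n.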
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 6146ef5fc728f..1d0a89a67acf5 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -12,7 +12,13 @@ config NF_DEFRAG_IPV4
# old sockopt interface and eval loop
config IP_NF_IPTABLES_LEGACY
- tristate
+ tristate "Legacy IP tables support"
+ default n
+ select NETFILTER_XTABLES
+ help
+ iptables is a legacy packet classifier.
+ This is not needed if you are using iptables over nftables
+ (iptables-nft).
config NF_SOCKET_IPV4
tristate "IPv4 socket lookup support"
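Review bot: `IP_NF_IPTABLES_LEGACY` gets `select NETFILTER_XTABLES` here, while the bridge and ARP entries made visible by the same patch use `depends on NETFILTER_XTABLES`. Now that the symbol has a prompt, a user-visible option that force-enables the xtables core behaves differently from its siblings; pick one form for all four entries and say why in the commit message.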
@@ -332,7 +338,13 @@ endif # IP_NF_IPTABLES
# ARP tables
config IP_NF_ARPTABLES
- tristate
+ tristate "Legacy ARPTABLES support"
+ depends on NETFILTER_XTABLES
+ default n
+ help
+ arptables is a legacy packet classifier.
+ This is not needed if you are using arptables over nftables
+ (iptables-nft).
config NFT_COMPAT_ARP
tristate
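Review bot: Giving `IP_NF_ARPTABLES` a prompt that depends only on `NETFILTER_XTABLES` lets it be enabled without `IP_NF_ARPFILTER`, which is where 911/969 placed `select NETFILTER_FAMILY_ARP` on the stated grounds that `IP_NF_ARPTABLES` is only enabled by `IP_NF_ARPFILTER`. Add `select NETFILTER_FAMILY_ARP` (or an equivalent dependency) to this entry so arp_tables.c cannot be built without the ARP hook family. The help text also says "(iptables-nft)" where arptables is meant.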
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index f3c8e2d918e13..e087a8e97ba78 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -8,7 +8,14 @@ menu "IPv6: Netfilter Configuration"
# old sockopt interface and eval loop
config IP6_NF_IPTABLES_LEGACY
- tristate
+ tristate "Legacy IP6 tables support"
+ depends on INET && IPV6
+ select NETFILTER_XTABLES
+ default n
+ help
+ ip6tables is a legacy packet classifier.
+ This is not needed if you are using iptables over nftables
+ (iptables-nft).
config NF_SOCKET_IPV6
tristate "IPv6 socket lookup support"
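Review bot: In the new `IP6_NF_IPTABLES_LEGACY` body the attribute order is `depends on`, `select`, `default n`, whereas the IPv4 twin added in this same patch has `default n` before `select NETFILTER_XTABLES` and no `depends on` at all. If `depends on INET && IPV6` is needed here, state whether the IPv4 entry deliberately omits an `INET` dependency; otherwise keep the two entries structurally identical so later edits can be applied to both mechanically.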
--
2.53.0
* [PATCH 6.1 913/969] netfilter: Exclude LEGACY TABLES on PREEMPT_RT.
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Andrzej Siewior,
Pablo Neira Ayuso, Sasha Levin, Florian Westphal
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit 9fce66583f06c212e95e4b76dd61d8432ffa56b6 ]
The seqcount xt_recseq is used to synchronize the replacement of
xt_table::private in xt_replace_table() against all readers such as
ipt_do_table().
To ensure that there is only one writer, the writing side disables
bottom halves. The sequence counter can be acquired recursively. Only the
first invocation modifies the sequence counter (signaling that a writer
is in progress) while the following (recursive) writer does not modify
the counter.
The lack of a proper locking mechanism for the sequence counter can lead
to live lock on PREEMPT_RT if the high prior reader preempts the
writer. Additionally if the per-CPU lock on PREEMPT_RT is removed from
local_bh_disable() then there is no synchronisation for the per-CPU
sequence counter.
The affected code is "just" the legacy netfilter code which is replaced
by "netfilter tables". That code can be disabled without sacrificing
functionality because everything is provided by the newer
implementation. This will only require the usage of the "-nft" tools
instead of the "-legacy" ones.
The long term plan is to remove the legacy code so let's accelerate the
progress.
Relax dependencies on iptables legacy, replace select with depends on,
this should cause no harm to existing kernel configs and users can still
toggle IP{6}_NF_IPTABLES_LEGACY in any case.
Make EBTABLES_LEGACY, IPTABLES_LEGACY and ARPTABLES depend on
NETFILTER_XTABLES_LEGACY. Hide xt_recseq and its users,
xt_register_table() and xt_percpu_counter_alloc() behind
NETFILTER_XTABLES_LEGACY. Let NETFILTER_XTABLES_LEGACY depend on
!PREEMPT_RT.
This will break selftest expecting the legacy options enabled and will be
addressed in a following patch.
Co-developed-by: Florian Westphal <fw@strlen.de>
Co-developed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Stable-dep-of: b4597d5fd7d2 ("netfilter: x_tables: add and use xtables_unregister_table_exit")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bridge/netfilter/Kconfig | 10 +++++-----
net/ipv4/netfilter/Kconfig | 24 ++++++++++++------------
net/ipv6/netfilter/Kconfig | 19 +++++++++----------
net/netfilter/Kconfig | 10 ++++++++++
net/netfilter/x_tables.c | 16 +++++++++++-----
5 files changed, 47 insertions(+), 32 deletions(-)
diff --git a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig
index f16bbbbb94817..60f28e4fb5c0a 100644
--- a/net/bridge/netfilter/Kconfig
+++ b/net/bridge/netfilter/Kconfig
@@ -42,8 +42,8 @@ config NF_CONNTRACK_BRIDGE
# old sockopt interface and eval loop
config BRIDGE_NF_EBTABLES_LEGACY
tristate "Legacy EBTABLES support"
- depends on BRIDGE && NETFILTER_XTABLES
- default n
+ depends on BRIDGE && NETFILTER_XTABLES_LEGACY
+ default n
help
Legacy ebtables packet/frame classifier.
This is not needed if you are using ebtables over nftables
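Review bot: The `default n` line under `config BRIDGE_NF_EBTABLES_LEGACY` is removed and re-added with identical text, so that part of the hunk is whitespace-only churn in a patch that otherwise changes dependencies. Drop the line instead (n is already the default) or leave it untouched, which keeps the stable backport diff limited to the `depends on` change.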
@@ -65,7 +65,7 @@ if BRIDGE_NF_EBTABLES
#
config BRIDGE_EBT_BROUTE
tristate "ebt: broute table support"
- select BRIDGE_NF_EBTABLES_LEGACY
+ depends on BRIDGE_NF_EBTABLES_LEGACY
help
The ebtables broute table is used to define rules that decide between
bridging and routing frames, giving Linux the functionality of a
@@ -76,7 +76,7 @@ config BRIDGE_EBT_BROUTE
config BRIDGE_EBT_T_FILTER
tristate "ebt: filter table support"
- select BRIDGE_NF_EBTABLES_LEGACY
+ depends on BRIDGE_NF_EBTABLES_LEGACY
help
The ebtables filter table is used to define frame filtering rules at
local input, forwarding and local output. See the man page for
@@ -86,7 +86,7 @@ config BRIDGE_EBT_T_FILTER
config BRIDGE_EBT_T_NAT
tristate "ebt: nat table support"
- select BRIDGE_NF_EBTABLES_LEGACY
+ depends on BRIDGE_NF_EBTABLES_LEGACY
help
The ebtables nat table is used to define rules that alter the MAC
source address (MAC SNAT) or the MAC destination address (MAC DNAT).
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 1d0a89a67acf5..ffb1f193a8bd5 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -13,8 +13,8 @@ config NF_DEFRAG_IPV4
# old sockopt interface and eval loop
config IP_NF_IPTABLES_LEGACY
tristate "Legacy IP tables support"
- default n
- select NETFILTER_XTABLES
+ depends on NETFILTER_XTABLES_LEGACY
+ default m if NETFILTER_XTABLES_LEGACY
help
iptables is a legacy packet classifier.
This is not needed if you are using iptables over nftables
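Review bot: `default n` becomes `default m if NETFILTER_XTABLES_LEGACY` under `config IP_NF_IPTABLES_LEGACY`, which reverses the default that 912/969 introduced, and the `if` clause repeats the `depends on NETFILTER_XTABLES_LEGACY` directly above it, so it can never be false when the default is evaluated. Write plain `default m` and mention the default change in the commit message, since enabling `NETFILTER_XTABLES_LEGACY` will now bring in the legacy iptables module by default.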
@@ -182,8 +182,8 @@ config IP_NF_MATCH_TTL
# `filter', generic and specific targets
config IP_NF_FILTER
tristate "Packet filtering"
- default m if NETFILTER_ADVANCED=n
- select IP_NF_IPTABLES_LEGACY
+ default m if NETFILTER_ADVANCED=n || IP_NF_IPTABLES_LEGACY
+ depends on IP_NF_IPTABLES_LEGACY
help
Packet filtering defines a table `filter', which has a series of
rules for simple packet filtering at local input, forwarding and
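Review bot: In `default m if NETFILTER_ADVANCED=n || IP_NF_IPTABLES_LEGACY` under `config IP_NF_FILTER`, the second operand is always true once the new `depends on IP_NF_IPTABLES_LEGACY` is satisfied, so the `NETFILTER_ADVANCED=n` test no longer has any effect. If the intent is that the filter table follows the legacy core by default, `default m` says so directly; if the `NETFILTER_ADVANCED` distinction still matters, the `||` term has to go. The same applies to the `IP_NF_MANGLE` entry and the IPv6 counterparts changed the same way.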
@@ -220,10 +220,10 @@ config IP_NF_TARGET_SYNPROXY
config IP_NF_NAT
tristate "iptables NAT support"
depends on NF_CONNTRACK
+ depends on IP_NF_IPTABLES_LEGACY
default m if NETFILTER_ADVANCED=n
select NF_NAT
select NETFILTER_XT_NAT
- select IP_NF_IPTABLES_LEGACY
help
This enables the `nat' table in iptables. This allows masquerading,
port forwarding and other forms of full Network Address Port
@@ -263,8 +263,8 @@ endif # IP_NF_NAT
# mangle + specific targets
config IP_NF_MANGLE
tristate "Packet mangling"
- default m if NETFILTER_ADVANCED=n
- select IP_NF_IPTABLES_LEGACY
+ default m if NETFILTER_ADVANCED=n || IP_NF_IPTABLES_LEGACY
+ depends on IP_NF_IPTABLES_LEGACY
help
This option adds a `mangle' table to iptables: see the man page for
iptables(8). This table is used for various packet alterations
@@ -313,7 +313,7 @@ config IP_NF_TARGET_TTL
# raw + specific targets
config IP_NF_RAW
tristate 'raw table support (required for NOTRACK/TRACE)'
- select IP_NF_IPTABLES_LEGACY
+ depends on IP_NF_IPTABLES_LEGACY
help
This option adds a `raw' table to iptables. This table is the very
first in the netfilter framework and hooks in at the PREROUTING
@@ -327,7 +327,7 @@ config IP_NF_SECURITY
tristate "Security table"
depends on SECURITY
depends on NETFILTER_ADVANCED
- select IP_NF_IPTABLES_LEGACY
+ depends on IP_NF_IPTABLES_LEGACY
help
This option adds a `security' table to iptables, for use
with Mandatory Access Control (MAC) policy.
@@ -339,8 +339,8 @@ endif # IP_NF_IPTABLES
# ARP tables
config IP_NF_ARPTABLES
tristate "Legacy ARPTABLES support"
- depends on NETFILTER_XTABLES
- default n
+ depends on NETFILTER_XTABLES_LEGACY
+ default n
help
arptables is a legacy packet classifier.
This is not needed if you are using arptables over nftables
@@ -356,7 +356,7 @@ config IP_NF_ARPFILTER
tristate "arptables-legacy packet filtering support"
select IP_NF_ARPTABLES
select NETFILTER_FAMILY_ARP
- depends on NETFILTER_XTABLES
+ depends on NETFILTER_XTABLES_LEGACY
help
ARP packet filtering defines a table `filter', which has a series of
rules for simple ARP packet filtering at local input and
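Review bot: `IP_NF_ARPFILTER` keeps `select IP_NF_ARPTABLES` while every other table option in this patch is converted from `select ..._LEGACY` to `depends on ..._LEGACY`. The select still resolves because both symbols now depend on `NETFILTER_XTABLES_LEGACY`, but it leaves arptables as the one family where enabling a table force-enables the legacy core; convert it to `depends on IP_NF_ARPTABLES` or explain the exception in the commit message.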
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index e087a8e97ba78..276860f65baae 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -9,9 +9,8 @@ menu "IPv6: Netfilter Configuration"
# old sockopt interface and eval loop
config IP6_NF_IPTABLES_LEGACY
tristate "Legacy IP6 tables support"
- depends on INET && IPV6
- select NETFILTER_XTABLES
- default n
+ depends on INET && IPV6 && NETFILTER_XTABLES_LEGACY
+ default m if NETFILTER_XTABLES_LEGACY
help
ip6tables is a legacy packet classifier.
This is not needed if you are using iptables over nftables
@@ -196,8 +195,8 @@ config IP6_NF_TARGET_HL
config IP6_NF_FILTER
tristate "Packet filtering"
- default m if NETFILTER_ADVANCED=n
- select IP6_NF_IPTABLES_LEGACY
+ default m if NETFILTER_ADVANCED=n || IP6_NF_IPTABLES_LEGACY
+ depends on IP6_NF_IPTABLES_LEGACY
tristate
help
Packet filtering defines a table `filter', which has a series of
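Review bot: The context under `config IP6_NF_FILTER` shows a second, bare `tristate` line right after the added `depends on IP6_NF_IPTABLES_LEGACY`, duplicating the `tristate "Packet filtering"` type line above. It predates this patch, but since the entry is being edited here it is worth confirming the duplicate is harmless in the 6.1 tree and removing it in the same series.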
@@ -233,8 +232,8 @@ config IP6_NF_TARGET_SYNPROXY
config IP6_NF_MANGLE
tristate "Packet mangling"
- default m if NETFILTER_ADVANCED=n
- select IP6_NF_IPTABLES_LEGACY
+ default m if NETFILTER_ADVANCED=n || IP6_NF_IPTABLES_LEGACY
+ depends on IP6_NF_IPTABLES_LEGACY
help
This option adds a `mangle' table to iptables: see the man page for
iptables(8). This table is used for various packet alterations
@@ -244,7 +243,7 @@ config IP6_NF_MANGLE
config IP6_NF_RAW
tristate 'raw table support (required for TRACE)'
- select IP6_NF_IPTABLES_LEGACY
+ depends on IP6_NF_IPTABLES_LEGACY
help
This option adds a `raw' table to ip6tables. This table is the very
first in the netfilter framework and hooks in at the PREROUTING
@@ -258,7 +257,7 @@ config IP6_NF_SECURITY
tristate "Security table"
depends on SECURITY
depends on NETFILTER_ADVANCED
- select IP6_NF_IPTABLES_LEGACY
+ depends on IP6_NF_IPTABLES_LEGACY
help
This option adds a `security' table to iptables, for use
with Mandatory Access Control (MAC) policy.
@@ -269,8 +268,8 @@ config IP6_NF_NAT
tristate "ip6tables NAT support"
depends on NF_CONNTRACK
depends on NETFILTER_ADVANCED
+ depends on IP6_NF_IPTABLES_LEGACY
select NF_NAT
- select IP6_NF_IPTABLES_LEGACY
select NETFILTER_XT_NAT
help
This enables the `nat' table in ip6tables. This allows masquerading,
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 344c287aa3f41..4937f32bcd6e7 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -760,6 +760,16 @@ config NETFILTER_XTABLES_COMPAT
If unsure, say N.
+config NETFILTER_XTABLES_LEGACY
+ bool "Netfilter legacy tables support"
+ depends on !PREEMPT_RT
+ help
+ Say Y here if you still require support for legacy tables. This is
+ required by the legacy tools (iptables-legacy) and is not needed if
+ you use iptables over nftables (iptables-nft).
+ Legacy support is not limited to IP, it also includes EBTABLES and
+ ARPTABLES.
+
comment "Xtables combined modules"
config NETFILTER_XT_MARK
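Review bot: `NETFILTER_XTABLES_LEGACY` is a new `bool` with no `default` line, so an existing .config run through `make olddefconfig` gets it as n, and every legacy table symbol that this patch switches from `select` to `depends on` is then dropped without a prompt. That contradicts the commit message's "this should cause no harm to existing kernel configs" and matters more for a stable update than for mainline. Consider adding `default y` below the `depends on !PREEMPT_RT` line so current users of the -legacy tools keep a working configuration after the update.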
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 650cb725ba271..be786cd704508 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -1339,12 +1339,13 @@ void xt_compat_unlock(u_int8_t af)
EXPORT_SYMBOL_GPL(xt_compat_unlock);
#endif
-DEFINE_PER_CPU(seqcount_t, xt_recseq);
-EXPORT_PER_CPU_SYMBOL_GPL(xt_recseq);
-
struct static_key xt_tee_enabled __read_mostly;
EXPORT_SYMBOL_GPL(xt_tee_enabled);
+#ifdef CONFIG_NETFILTER_XTABLES_LEGACY
+DEFINE_PER_CPU(seqcount_t, xt_recseq);
+EXPORT_PER_CPU_SYMBOL_GPL(xt_recseq);
+
static int xt_jumpstack_alloc(struct xt_table_info *i)
{
unsigned int size;
@@ -1536,6 +1537,7 @@ void *xt_unregister_table(struct xt_table *table)
return private;
}
EXPORT_SYMBOL_GPL(xt_unregister_table);
+#endif
#ifdef CONFIG_PROC_FS
static void *xt_table_seq_start(struct seq_file *seq, loff_t *pos)
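Review bot: The `#endif` added after `EXPORT_SYMBOL_GPL(xt_unregister_table)` closes an `#ifdef CONFIG_NETFILTER_XTABLES_LEGACY` that opens nearly 200 lines earlier, before `xt_jumpstack_alloc()`, and carries no trailing comment. Annotate it as `#endif /* CONFIG_NETFILTER_XTABLES_LEGACY */` (same for the one after `xt_percpu_counter_free`) so the extent of the guarded region stays readable next to the unrelated `#ifdef CONFIG_PROC_FS` that follows immediately.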
@@ -1919,6 +1921,7 @@ void xt_proto_fini(struct net *net, u_int8_t af)
}
EXPORT_SYMBOL_GPL(xt_proto_fini);
+#ifdef CONFIG_NETFILTER_XTABLES_LEGACY
/**
* xt_percpu_counter_alloc - allocate x_tables rule counter
*
@@ -1973,6 +1976,7 @@ void xt_percpu_counter_free(struct xt_counters *counters)
free_percpu((void __percpu *)pcnt);
}
EXPORT_SYMBOL_GPL(xt_percpu_counter_free);
+#endif
static int __net_init xt_net_init(struct net *net)
{
@@ -2005,8 +2009,10 @@ static int __init xt_init(void)
unsigned int i;
int rv;
- for_each_possible_cpu(i) {
- seqcount_init(&per_cpu(xt_recseq, i));
+ if (IS_ENABLED(CONFIG_NETFILTER_XTABLES_LEGACY)) {
+ for_each_possible_cpu(i) {
+ seqcount_init(&per_cpu(xt_recseq, i));
+ }
}
xt = kcalloc(NFPROTO_NUMPROTO, sizeof(struct xt_af), GFP_KERNEL);
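Review bot: `xt_init()` guards the `seqcount_init(&per_cpu(xt_recseq, i))` loop with `IS_ENABLED(CONFIG_NETFILTER_XTABLES_LEGACY)`, while the definition of `xt_recseq` was moved under `#ifdef CONFIG_NETFILTER_XTABLES_LEGACY` earlier in this file, so with the option off the loop body still has to compile against a symbol that is no longer defined. That works only if a declaration of `xt_recseq` remains visible unconditionally and the compiler discards the dead branch. The diffstat shows no header change, so please confirm the declaration is still there and consider using the same `#ifdef` as the definition to make the pairing explicit.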
--
2.53.0
* [PATCH 6.1 914/969] netfilter: x_tables: add and use xt_unregister_table_pre_exit
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tristan Madani, Florian Westphal,
Pablo Neira Ayuso, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 527d6931473b75d90e38942aae6537d1a527f1fd ]
Remove the copypasted variants of _pre_exit and add one single
function in the xtables core. ebtables is not compatible with
x_tables and therefore unchanged.
This is a preparation patch to reduce noise in the followup
bug fixes.
Reviewed-by: Tristan Madani <tristan@talencesecurity.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Stable-dep-of: b4597d5fd7d2 ("netfilter: x_tables: add and use xtables_unregister_table_exit")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/netfilter/x_tables.h | 1 +
include/linux/netfilter_arp/arp_tables.h | 1 -
include/linux/netfilter_ipv4/ip_tables.h | 1 -
include/linux/netfilter_ipv6/ip6_tables.h | 1 -
net/ipv4/netfilter/arp_tables.c | 9 -------
net/ipv4/netfilter/arptable_filter.c | 2 +-
net/ipv4/netfilter/ip_tables.c | 9 -------
net/ipv4/netfilter/iptable_filter.c | 2 +-
net/ipv4/netfilter/iptable_mangle.c | 2 +-
net/ipv4/netfilter/iptable_nat.c | 1 +
net/ipv4/netfilter/iptable_raw.c | 2 +-
net/ipv4/netfilter/iptable_security.c | 2 +-
net/ipv6/netfilter/ip6_tables.c | 9 -------
net/ipv6/netfilter/ip6table_filter.c | 2 +-
net/ipv6/netfilter/ip6table_mangle.c | 2 +-
net/ipv6/netfilter/ip6table_nat.c | 1 +
net/ipv6/netfilter/ip6table_raw.c | 2 +-
net/ipv6/netfilter/ip6table_security.c | 2 +-
net/netfilter/x_tables.c | 29 +++++++++++++++++++++++
19 files changed, 41 insertions(+), 39 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 5897f3dbaf7c3..df2022fe440b0 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -310,6 +310,7 @@ struct xt_table *xt_register_table(struct net *net,
struct xt_table_info *bootstrap,
struct xt_table_info *newinfo);
void *xt_unregister_table(struct xt_table *table);
+void xt_unregister_table_pre_exit(struct net *net, u8 af, const char *name);
struct xt_table_info *xt_replace_table(struct xt_table *table,
unsigned int num_counters,
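Review bot: The new prototype `xt_unregister_table_pre_exit(struct net *net, u8 af, const char *name)` types the family as `u8`, while other x_tables entry points that take a family use `u_int8_t af` (for example `xt_proto_fini(struct net *net, u_int8_t af)`). Use the same spelling for the new function. If the helper keeps the behaviour of the three removed variants (unregister the hooks only, leave the table for the exit handler), say so in a comment at the declaration, since that split is what callers depend on.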
diff --git a/include/linux/netfilter_arp/arp_tables.h b/include/linux/netfilter_arp/arp_tables.h
index a40aaf645fa47..05631a25e6229 100644
--- a/include/linux/netfilter_arp/arp_tables.h
+++ b/include/linux/netfilter_arp/arp_tables.h
@@ -53,7 +53,6 @@ int arpt_register_table(struct net *net, const struct xt_table *table,
const struct arpt_replace *repl,
const struct nf_hook_ops *ops);
void arpt_unregister_table(struct net *net, const char *name);
-void arpt_unregister_table_pre_exit(struct net *net, const char *name);
extern unsigned int arpt_do_table(void *priv, struct sk_buff *skb,
const struct nf_hook_state *state);
diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h
index 132b0e4a6d4df..13593391d6058 100644
--- a/include/linux/netfilter_ipv4/ip_tables.h
+++ b/include/linux/netfilter_ipv4/ip_tables.h
@@ -26,7 +26,6 @@ int ipt_register_table(struct net *net, const struct xt_table *table,
const struct ipt_replace *repl,
const struct nf_hook_ops *ops);
-void ipt_unregister_table_pre_exit(struct net *net, const char *name);
void ipt_unregister_table_exit(struct net *net, const char *name);
/* Standard entry. */
diff --git a/include/linux/netfilter_ipv6/ip6_tables.h b/include/linux/netfilter_ipv6/ip6_tables.h
index 8b8885a73c764..c6d5b927830dd 100644
--- a/include/linux/netfilter_ipv6/ip6_tables.h
+++ b/include/linux/netfilter_ipv6/ip6_tables.h
@@ -27,7 +27,6 @@ extern void *ip6t_alloc_initial_table(const struct xt_table *);
int ip6t_register_table(struct net *net, const struct xt_table *table,
const struct ip6t_replace *repl,
const struct nf_hook_ops *ops);
-void ip6t_unregister_table_pre_exit(struct net *net, const char *name);
void ip6t_unregister_table_exit(struct net *net, const char *name);
extern unsigned int ip6t_do_table(void *priv, struct sk_buff *skb,
const struct nf_hook_state *state);
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 564054123772a..9b905c6562313 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -1581,15 +1581,6 @@ int arpt_register_table(struct net *net,
return ret;
}
-void arpt_unregister_table_pre_exit(struct net *net, const char *name)
-{
- struct xt_table *table = xt_find_table(net, NFPROTO_ARP, name);
-
- if (table)
- nf_unregister_net_hooks(net, table->ops, hweight32(table->valid_hooks));
-}
-EXPORT_SYMBOL(arpt_unregister_table_pre_exit);
-
void arpt_unregister_table(struct net *net, const char *name)
{
struct xt_table *table = xt_find_table(net, NFPROTO_ARP, name);
diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c
index 359d00d74095b..382345567a600 100644
--- a/net/ipv4/netfilter/arptable_filter.c
+++ b/net/ipv4/netfilter/arptable_filter.c
@@ -43,7 +43,7 @@ static int arptable_filter_table_init(struct net *net)
static void __net_exit arptable_filter_net_pre_exit(struct net *net)
{
- arpt_unregister_table_pre_exit(net, "filter");
+ xt_unregister_table_pre_exit(net, NFPROTO_ARP, "filter");
}
static void __net_exit arptable_filter_net_exit(struct net *net)
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index a6208efcfccfc..7c6b21f8174a3 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1791,14 +1791,6 @@ int ipt_register_table(struct net *net, const struct xt_table *table,
return ret;
}
-void ipt_unregister_table_pre_exit(struct net *net, const char *name)
-{
- struct xt_table *table = xt_find_table(net, NFPROTO_IPV4, name);
-
- if (table)
- nf_unregister_net_hooks(net, table->ops, hweight32(table->valid_hooks));
-}
-
void ipt_unregister_table_exit(struct net *net, const char *name)
{
struct xt_table *table = xt_find_table(net, NFPROTO_IPV4, name);
@@ -1953,7 +1945,6 @@ static void __exit ip_tables_fini(void)
}
EXPORT_SYMBOL(ipt_register_table);
-EXPORT_SYMBOL(ipt_unregister_table_pre_exit);
EXPORT_SYMBOL(ipt_unregister_table_exit);
EXPORT_SYMBOL(ipt_do_table);
module_init(ip_tables_init);
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c
index c03c1a4ea7cab..fb85745793ba5 100644
--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -61,7 +61,7 @@ static int __net_init iptable_filter_net_init(struct net *net)
static void __net_exit iptable_filter_net_pre_exit(struct net *net)
{
- ipt_unregister_table_pre_exit(net, "filter");
+ xt_unregister_table_pre_exit(net, NFPROTO_IPV4, "filter");
}
static void __net_exit iptable_filter_net_exit(struct net *net)
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c
index 6a51e61b35562..6259bcf178bba 100644
--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -95,7 +95,7 @@ static int iptable_mangle_table_init(struct net *net)
static void __net_exit iptable_mangle_net_pre_exit(struct net *net)
{
- ipt_unregister_table_pre_exit(net, "mangle");
+ xt_unregister_table_pre_exit(net, NFPROTO_IPV4, "mangle");
}
static void __net_exit iptable_mangle_net_exit(struct net *net)
diff --git a/net/ipv4/netfilter/iptable_nat.c b/net/ipv4/netfilter/iptable_nat.c
index 12ca666d6e2c1..ca6964b957ead 100644
--- a/net/ipv4/netfilter/iptable_nat.c
+++ b/net/ipv4/netfilter/iptable_nat.c
@@ -129,6 +129,7 @@ static int iptable_nat_table_init(struct net *net)
static void __net_exit iptable_nat_net_pre_exit(struct net *net)
{
ipt_nat_unregister_lookups(net);
+ xt_unregister_table_pre_exit(net, NFPROTO_IPV4, "nat");
}
static void __net_exit iptable_nat_net_exit(struct net *net)
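Review bot: Unlike the other callers, `iptable_nat_net_pre_exit()` does not have an old `ipt_unregister_table_pre_exit()` call replaced; it gains a new `xt_unregister_table_pre_exit(net, NFPROTO_IPV4, "nat")` after `ipt_nat_unregister_lookups(net)`. The commit message describes the patch as removing copy-pasted variants, so this behavioural addition should be called out there, together with a note on why the nat table needs it in pre_exit and confirmation that the helper is safe to run after the lookups have been unregistered.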
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index 33330e13ea18d..c7b91b2042dc6 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -53,7 +53,7 @@ static int iptable_raw_table_init(struct net *net)
static void __net_exit iptable_raw_net_pre_exit(struct net *net)
{
- ipt_unregister_table_pre_exit(net, "raw");
+ xt_unregister_table_pre_exit(net, NFPROTO_IPV4, "raw");
}
static void __net_exit iptable_raw_net_exit(struct net *net)
diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c
index 2b89adc1e5751..81175c20ccbe8 100644
--- a/net/ipv4/netfilter/iptable_security.c
+++ b/net/ipv4/netfilter/iptable_security.c
@@ -50,7 +50,7 @@ static int iptable_security_table_init(struct net *net)
static void __net_exit iptable_security_net_pre_exit(struct net *net)
{
- ipt_unregister_table_pre_exit(net, "security");
+ xt_unregister_table_pre_exit(net, NFPROTO_IPV4, "security");
}
static void __net_exit iptable_security_net_exit(struct net *net)
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index b844e519da1b4..1324413fb29c3 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1797,14 +1797,6 @@ int ip6t_register_table(struct net *net, const struct xt_table *table,
return ret;
}
-void ip6t_unregister_table_pre_exit(struct net *net, const char *name)
-{
- struct xt_table *table = xt_find_table(net, NFPROTO_IPV6, name);
-
- if (table)
- nf_unregister_net_hooks(net, table->ops, hweight32(table->valid_hooks));
-}
-
void ip6t_unregister_table_exit(struct net *net, const char *name)
{
struct xt_table *table = xt_find_table(net, NFPROTO_IPV6, name);
@@ -1960,7 +1952,6 @@ static void __exit ip6_tables_fini(void)
}
EXPORT_SYMBOL(ip6t_register_table);
-EXPORT_SYMBOL(ip6t_unregister_table_pre_exit);
EXPORT_SYMBOL(ip6t_unregister_table_exit);
EXPORT_SYMBOL(ip6t_do_table);
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index 16a38d56b2e54..982900920e730 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -60,7 +60,7 @@ static int __net_init ip6table_filter_net_init(struct net *net)
static void __net_exit ip6table_filter_net_pre_exit(struct net *net)
{
- ip6t_unregister_table_pre_exit(net, "filter");
+ xt_unregister_table_pre_exit(net, NFPROTO_IPV6, "filter");
}
static void __net_exit ip6table_filter_net_exit(struct net *net)
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index 39f0716667131..475361aa81310 100644
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -88,7 +88,7 @@ static int ip6table_mangle_table_init(struct net *net)
static void __net_exit ip6table_mangle_net_pre_exit(struct net *net)
{
- ip6t_unregister_table_pre_exit(net, "mangle");
+ xt_unregister_table_pre_exit(net, NFPROTO_IPV6, "mangle");
}
static void __net_exit ip6table_mangle_net_exit(struct net *net)
diff --git a/net/ipv6/netfilter/ip6table_nat.c b/net/ipv6/netfilter/ip6table_nat.c
index 52d597b16b658..bef2d309369bc 100644
--- a/net/ipv6/netfilter/ip6table_nat.c
+++ b/net/ipv6/netfilter/ip6table_nat.c
@@ -131,6 +131,7 @@ static int ip6table_nat_table_init(struct net *net)
static void __net_exit ip6table_nat_net_pre_exit(struct net *net)
{
ip6t_nat_unregister_lookups(net);
+ xt_unregister_table_pre_exit(net, NFPROTO_IPV6, "nat");
}
static void __net_exit ip6table_nat_net_exit(struct net *net)
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index 01def8aa7a2e8..a99879f173b4a 100644
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -52,7 +52,7 @@ static int ip6table_raw_table_init(struct net *net)
static void __net_exit ip6table_raw_net_pre_exit(struct net *net)
{
- ip6t_unregister_table_pre_exit(net, "raw");
+ xt_unregister_table_pre_exit(net, NFPROTO_IPV6, "raw");
}
static void __net_exit ip6table_raw_net_exit(struct net *net)
diff --git a/net/ipv6/netfilter/ip6table_security.c b/net/ipv6/netfilter/ip6table_security.c
index 66018b169b010..c44834d93fc79 100644
--- a/net/ipv6/netfilter/ip6table_security.c
+++ b/net/ipv6/netfilter/ip6table_security.c
@@ -49,7 +49,7 @@ static int ip6table_security_table_init(struct net *net)
static void __net_exit ip6table_security_net_pre_exit(struct net *net)
{
- ip6t_unregister_table_pre_exit(net, "security");
+ xt_unregister_table_pre_exit(net, NFPROTO_IPV6, "security");
}
static void __net_exit ip6table_security_net_exit(struct net *net)
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index be786cd704508..6a4bca66a0ae6 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -1537,6 +1537,35 @@ void *xt_unregister_table(struct xt_table *table)
return private;
}
EXPORT_SYMBOL_GPL(xt_unregister_table);
+
+/**
+ * xt_unregister_table_pre_exit - pre-shutdown unregister of a table
+ * @net: network namespace
+ * @af: address family (e.g., NFPROTO_IPV4, NFPROTO_IPV6)
+ * @name: name of the table to unregister
+ *
+ * Unregisters the specified netfilter table from the given network namespace
+ * and also unregisters the hooks from netfilter core: no new packets will be
+ * processed.
+ */
+void xt_unregister_table_pre_exit(struct net *net, u8 af, const char *name)
+{
+ struct xt_pernet *xt_net = net_generic(net, xt_pernet_id);
+ struct xt_table *t;
+
+ mutex_lock(&xt[af].mutex);
+ list_for_each_entry(t, &xt_net->tables[af], list) {
+ if (strcmp(t->name, name) == 0) {
+ mutex_unlock(&xt[af].mutex);
+
+ if (t->ops) /* nat table registers with nat core, t->ops is NULL. */
+ nf_unregister_net_hooks(net, t->ops, hweight32(t->valid_hooks));
+ return;
+ }
+ }
+ mutex_unlock(&xt[af].mutex);
+}
+EXPORT_SYMBOL(xt_unregister_table_pre_exit);
#endif
#ifdef CONFIG_PROC_FS
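Review bot: in xt_unregister_table_pre_exit(), t->ops and t->valid_hooks are read after mutex_unlock(&xt[af].mutex) while the table is still linked on xt_net->tables[af], so nothing visible in this hunk keeps a concurrent path from finding and freeing t in that window. Either copy ops and the hook count into locals under the mutex, or document the lifetime rule that makes the late dereference safe. The kernel-doc also says the table is unregistered from the namespace, but the code here only removes the hooks, and the export is plain EXPORT_SYMBOL while xt_unregister_table() just above uses EXPORT_SYMBOL_GPL.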
--
2.53.0
* [PATCH 6.1 915/969] netfilter: x_tables: add and use xtables_unregister_table_exit
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (913 preceding siblings ...)
2026-05-30 16:07 ` [PATCH 6.1 914/969] netfilter: x_tables: add and use xt_unregister_table_pre_exit Greg Kroah-Hartman
@ 2026-05-30 16:07 ` Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 916/969] netfilter: ebtables: move to two-stage removal scheme Greg Kroah-Hartman
` (60 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tristan Madani, Florian Westphal,
Pablo Neira Ayuso, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit b4597d5fd7d2f8cebfffd40dffb5e003cc78964c ]
Previous change added xtables_unregister_table_pre_exit to detach the
table from the packetpath and to unlink it from the active table list.
In case of rmmod, userspace that is doing set/getsockopt for this table
will not be able to re-instantiate the table:
1. The larval table has been removed already
2. existing instantiated table is no longer on the xt pernet table list.
This adds the second stage helper:
unlink the table from the dying list, free the hook ops (if any) and do
the audit notification. It replaces xt_unregister_table().
Fixes: fdacd57c79b7 ("netfilter: x_tables: never register tables by default")
Reported-by: Tristan Madani <tristan@talencesecurity.com>
Reviewed-by: Tristan Madani <tristan@talencesecurity.com>
Closes: https://lore.kernel.org/netfilter-devel/20260429175613.1459342-1-tristmd@gmail.com/
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/netfilter/x_tables.h | 2 +-
net/ipv4/netfilter/arp_tables.c | 9 ++--
net/ipv4/netfilter/ip_tables.c | 9 ++--
net/ipv4/netfilter/iptable_nat.c | 5 +-
net/ipv6/netfilter/ip6_tables.c | 9 ++--
net/ipv6/netfilter/ip6table_nat.c | 5 +-
net/netfilter/x_tables.c | 81 +++++++++++++++++++++++-------
7 files changed, 83 insertions(+), 37 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index df2022fe440b0..706f08839050a 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -309,8 +309,8 @@ struct xt_table *xt_register_table(struct net *net,
const struct xt_table *table,
struct xt_table_info *bootstrap,
struct xt_table_info *newinfo);
-void *xt_unregister_table(struct xt_table *table);
void xt_unregister_table_pre_exit(struct net *net, u8 af, const char *name);
+struct xt_table *xt_unregister_table_exit(struct net *net, u8 af, const char *name);
struct xt_table_info *xt_replace_table(struct xt_table *table,
unsigned int num_counters,
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 9b905c6562313..f9dd18244f251 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -1501,13 +1501,11 @@ static int do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len
static void __arpt_unregister_table(struct net *net, struct xt_table *table)
{
- struct xt_table_info *private;
- void *loc_cpu_entry;
+ struct xt_table_info *private = table->private;
struct module *table_owner = table->me;
+ void *loc_cpu_entry;
struct arpt_entry *iter;
- private = xt_unregister_table(table);
-
/* Decrease module usage counts and free resources */
loc_cpu_entry = private->entries;
xt_entry_foreach(iter, loc_cpu_entry, private->size)
@@ -1515,6 +1513,7 @@ static void __arpt_unregister_table(struct net *net, struct xt_table *table)
if (private->number > private->initial_entries)
module_put(table_owner);
xt_free_table_info(private);
+ kfree(table);
}
int arpt_register_table(struct net *net,
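Review bot: with the xt_unregister_table() call gone, __arpt_unregister_table() ends in kfree(table) without ever unlinking the table or freeing table->ops, so it is only safe when the caller got the table from xt_unregister_table_exit(). Any other caller, such as an error path in arpt_register_table() (not shown in this diff), would free a table that is still on a list; please confirm there is none, or add a comment above the function stating the precondition. The same applies to __ipt_unregister_table() and __ip6t_unregister_table().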
@@ -1583,7 +1582,7 @@ int arpt_register_table(struct net *net,
void arpt_unregister_table(struct net *net, const char *name)
{
- struct xt_table *table = xt_find_table(net, NFPROTO_ARP, name);
+ struct xt_table *table = xt_unregister_table_exit(net, NFPROTO_ARP, name);
if (table)
__arpt_unregister_table(net, table);
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 7c6b21f8174a3..0ff9b7c9dc59c 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1706,12 +1706,10 @@ do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
static void __ipt_unregister_table(struct net *net, struct xt_table *table)
{
- struct xt_table_info *private;
- void *loc_cpu_entry;
+ struct xt_table_info *private = table->private;
struct module *table_owner = table->me;
struct ipt_entry *iter;
-
- private = xt_unregister_table(table);
+ void *loc_cpu_entry;
/* Decrease module usage counts and free resources */
loc_cpu_entry = private->entries;
@@ -1720,6 +1718,7 @@ static void __ipt_unregister_table(struct net *net, struct xt_table *table)
if (private->number > private->initial_entries)
module_put(table_owner);
xt_free_table_info(private);
+ kfree(table);
}
int ipt_register_table(struct net *net, const struct xt_table *table,
@@ -1793,7 +1792,7 @@ int ipt_register_table(struct net *net, const struct xt_table *table,
void ipt_unregister_table_exit(struct net *net, const char *name)
{
- struct xt_table *table = xt_find_table(net, NFPROTO_IPV4, name);
+ struct xt_table *table = xt_unregister_table_exit(net, NFPROTO_IPV4, name);
if (table)
__ipt_unregister_table(net, table);
diff --git a/net/ipv4/netfilter/iptable_nat.c b/net/ipv4/netfilter/iptable_nat.c
index ca6964b957ead..87d934b12bcb6 100644
--- a/net/ipv4/netfilter/iptable_nat.c
+++ b/net/ipv4/netfilter/iptable_nat.c
@@ -119,8 +119,11 @@ static int iptable_nat_table_init(struct net *net)
}
ret = ipt_nat_register_lookups(net);
- if (ret < 0)
+ if (ret < 0) {
+ xt_unregister_table_pre_exit(net, NFPROTO_IPV4, "nat");
+ synchronize_rcu();
ipt_unregister_table_exit(net, "nat");
+ }
kfree(repl);
return ret;
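Review bot: the synchronize_rcu() added between xt_unregister_table_pre_exit() and ipt_unregister_table_exit() in the ret < 0 branch has no comment saying which readers it waits for. ipt_nat_register_lookups() has just failed and the nat table has no t->ops, so it is not obvious from this hunk that the packet path could have seen the table; a one-line comment naming the reader would help, and the ip6table_nat.c hunk needs the same.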
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 1324413fb29c3..baa1c094faf48 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1715,12 +1715,10 @@ do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
static void __ip6t_unregister_table(struct net *net, struct xt_table *table)
{
- struct xt_table_info *private;
- void *loc_cpu_entry;
+ struct xt_table_info *private = table->private;
struct module *table_owner = table->me;
struct ip6t_entry *iter;
-
- private = xt_unregister_table(table);
+ void *loc_cpu_entry;
/* Decrease module usage counts and free resources */
loc_cpu_entry = private->entries;
@@ -1729,6 +1727,7 @@ static void __ip6t_unregister_table(struct net *net, struct xt_table *table)
if (private->number > private->initial_entries)
module_put(table_owner);
xt_free_table_info(private);
+ kfree(table);
}
int ip6t_register_table(struct net *net, const struct xt_table *table,
@@ -1799,7 +1798,7 @@ int ip6t_register_table(struct net *net, const struct xt_table *table,
void ip6t_unregister_table_exit(struct net *net, const char *name)
{
- struct xt_table *table = xt_find_table(net, NFPROTO_IPV6, name);
+ struct xt_table *table = xt_unregister_table_exit(net, NFPROTO_IPV6, name);
if (table)
__ip6t_unregister_table(net, table);
diff --git a/net/ipv6/netfilter/ip6table_nat.c b/net/ipv6/netfilter/ip6table_nat.c
index bef2d309369bc..cf260d8ebdb70 100644
--- a/net/ipv6/netfilter/ip6table_nat.c
+++ b/net/ipv6/netfilter/ip6table_nat.c
@@ -121,8 +121,11 @@ static int ip6table_nat_table_init(struct net *net)
}
ret = ip6t_nat_register_lookups(net);
- if (ret < 0)
+ if (ret < 0) {
+ xt_unregister_table_pre_exit(net, NFPROTO_IPV6, "nat");
+ synchronize_rcu();
ip6t_unregister_table_exit(net, "nat");
+ }
kfree(repl);
return ret;
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 6a4bca66a0ae6..cba2b8d2f9069 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -55,6 +55,9 @@ static struct list_head xt_templates[NFPROTO_NUMPROTO];
struct xt_pernet {
struct list_head tables[NFPROTO_NUMPROTO];
+
+ /* stash area used during netns exit */
+ struct list_head dead_tables[NFPROTO_NUMPROTO];
};
struct compat_delta {
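Review bot: the comment on dead_tables says "stash area used during netns exit", but this patch also moves tables there from the iptable_nat_table_init() and ip6table_nat_table_init() error paths, and the commit message covers rmmod. Suggest wording it as tables unlinked by xt_unregister_table_pre_exit() and awaiting xt_unregister_table_exit().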
@@ -1521,23 +1524,6 @@ struct xt_table *xt_register_table(struct net *net,
}
EXPORT_SYMBOL_GPL(xt_register_table);
-void *xt_unregister_table(struct xt_table *table)
-{
- struct xt_table_info *private;
-
- mutex_lock(&xt[table->af].mutex);
- private = table->private;
- list_del(&table->list);
- mutex_unlock(&xt[table->af].mutex);
- audit_log_nfcfg(table->name, table->af, private->number,
- AUDIT_XT_OP_UNREGISTER, GFP_KERNEL);
- kfree(table->ops);
- kfree(table);
-
- return private;
-}
-EXPORT_SYMBOL_GPL(xt_unregister_table);
-
/**
* xt_unregister_table_pre_exit - pre-shutdown unregister of a table
* @net: network namespace
@@ -1547,6 +1533,14 @@ EXPORT_SYMBOL_GPL(xt_unregister_table);
* Unregisters the specified netfilter table from the given network namespace
* and also unregisters the hooks from netfilter core: no new packets will be
* processed.
+ *
+ * This must be called prior to xt_unregister_table_exit() from the pernet
+ * .pre_exit callback. After this call, the table is no longer visible to
+ * the get/setsockopt path. In case of rmmod, module exit path must have
+ * called xt_unregister_template() prior to unregistering pernet ops to
+ * prevent re-instantiation of the table.
+ *
+ * See also: xt_unregister_table_exit()
*/
void xt_unregister_table_pre_exit(struct net *net, u8 af, const char *name)
{
@@ -1556,6 +1550,7 @@ void xt_unregister_table_pre_exit(struct net *net, u8 af, const char *name)
mutex_lock(&xt[af].mutex);
list_for_each_entry(t, &xt_net->tables[af], list) {
if (strcmp(t->name, name) == 0) {
+ list_move(&t->list, &xt_net->dead_tables[af]);
mutex_unlock(&xt[af].mutex);
if (t->ops) /* nat table registers with nat core, t->ops is NULL. */
@@ -1566,6 +1561,50 @@ void xt_unregister_table_pre_exit(struct net *net, u8 af, const char *name)
mutex_unlock(&xt[af].mutex);
}
EXPORT_SYMBOL(xt_unregister_table_pre_exit);
+
+/**
+ * xt_unregister_table_exit - remove a table during namespace teardown
+ * @net: the network namespace from which to unregister the table
+ * @af: address family (e.g., NFPROTO_IPV4, NFPROTO_IPV6)
+ * @name: name of the table to unregister
+ *
+ * Completes the unregister process for a table. This must be called from
+ * the pernet ops .exit callback. This is the second stage after
+ * xt_unregister_table_pre_exit().
+ *
+ * pair with xt_unregister_table_pre_exit() during namespace shutdown.
+ *
+ * Return: the unregistered table or NULL if the table was never
+ * instantiated. The caller needs to kfree() the table after it
+ * has removed the family specific matches/targets.
+ */
+struct xt_table *xt_unregister_table_exit(struct net *net, u8 af, const char *name)
+{
+ struct xt_pernet *xt_net = net_generic(net, xt_pernet_id);
+ struct xt_table *table;
+
+ mutex_lock(&xt[af].mutex);
+ list_for_each_entry(table, &xt_net->dead_tables[af], list) {
+ struct nf_hook_ops *ops = NULL;
+
+ if (strcmp(table->name, name) != 0)
+ continue;
+
+ list_del(&table->list);
+
+ audit_log_nfcfg(table->name, table->af, table->private->number,
+ AUDIT_XT_OP_UNREGISTER, GFP_KERNEL);
+ swap(table->ops, ops);
+ mutex_unlock(&xt[af].mutex);
+
+ kfree(ops);
+ return table;
+ }
+ mutex_unlock(&xt[af].mutex);
+
+ return NULL;
+}
+EXPORT_SYMBOL_GPL(xt_unregister_table_exit);
#endif
#ifdef CONFIG_PROC_FS
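Review bot: xt_unregister_table_exit() calls audit_log_nfcfg(..., GFP_KERNEL) while still holding xt[af].mutex, whereas the removed xt_unregister_table() dropped the mutex first. Consider unlocking right after list_del() and logging afterwards, since the table is no longer reachable from either list at that point. Two smaller points: the kernel-doc line "pair with xt_unregister_table_pre_exit() during namespace shutdown." repeats the previous paragraph and can go, and this helper is EXPORT_SYMBOL_GPL while xt_unregister_table_pre_exit() is plain EXPORT_SYMBOL.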
@@ -2012,8 +2051,10 @@ static int __net_init xt_net_init(struct net *net)
struct xt_pernet *xt_net = net_generic(net, xt_pernet_id);
int i;
- for (i = 0; i < NFPROTO_NUMPROTO; i++)
+ for (i = 0; i < NFPROTO_NUMPROTO; i++) {
INIT_LIST_HEAD(&xt_net->tables[i]);
+ INIT_LIST_HEAD(&xt_net->dead_tables[i]);
+ }
return 0;
}
@@ -2022,8 +2063,10 @@ static void __net_exit xt_net_exit(struct net *net)
struct xt_pernet *xt_net = net_generic(net, xt_pernet_id);
int i;
- for (i = 0; i < NFPROTO_NUMPROTO; i++)
+ for (i = 0; i < NFPROTO_NUMPROTO; i++) {
WARN_ON_ONCE(!list_empty(&xt_net->tables[i]));
+ WARN_ON_ONCE(!list_empty(&xt_net->dead_tables[i]));
+ }
}
static struct pernet_operations xt_net_ops = {
--
2.53.0
* [PATCH 6.1 916/969] netfilter: ebtables: move to two-stage removal scheme
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (914 preceding siblings ...)
2026-05-30 16:07 ` [PATCH 6.1 915/969] netfilter: x_tables: add and use xtables_unregister_table_exit Greg Kroah-Hartman
@ 2026-05-30 16:07 ` Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 917/969] netfilter: ebtables: close dangling table module init race Greg Kroah-Hartman
` (59 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tristan Madani, Florian Westphal,
Pablo Neira Ayuso, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit b7f0544d86d439cb946515d2ef6a0a75e8626710 ]
Like previous patches for x_tables, follow same pattern in ebtables.
We can't reuse xt helpers: ebt_table struct layout is incompatible.
table->ops assignment is now done while still holding the ebt mutex
to make sure we never expose partially-filled table struct.
Fixes: 87663c39f898 ("netfilter: ebtables: do not hook tables by default")
Reviewed-by: Tristan Madani <tristan@talencesecurity.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bridge/netfilter/ebtable_broute.c | 2 +-
net/bridge/netfilter/ebtable_filter.c | 2 +-
net/bridge/netfilter/ebtable_nat.c | 2 +-
net/bridge/netfilter/ebtables.c | 60 +++++++++++++++++----------
4 files changed, 40 insertions(+), 26 deletions(-)
diff --git a/net/bridge/netfilter/ebtable_broute.c b/net/bridge/netfilter/ebtable_broute.c
index 8f19253024b0a..33d8640d21ac1 100644
--- a/net/bridge/netfilter/ebtable_broute.c
+++ b/net/bridge/netfilter/ebtable_broute.c
@@ -128,8 +128,8 @@ static int __init ebtable_broute_init(void)
static void __exit ebtable_broute_fini(void)
{
- unregister_pernet_subsys(&broute_net_ops);
ebt_unregister_template(&broute_table);
+ unregister_pernet_subsys(&broute_net_ops);
}
module_init(ebtable_broute_init);
diff --git a/net/bridge/netfilter/ebtable_filter.c b/net/bridge/netfilter/ebtable_filter.c
index 278f324e67524..fdb988c24916a 100644
--- a/net/bridge/netfilter/ebtable_filter.c
+++ b/net/bridge/netfilter/ebtable_filter.c
@@ -109,8 +109,8 @@ static int __init ebtable_filter_init(void)
static void __exit ebtable_filter_fini(void)
{
- unregister_pernet_subsys(&frame_filter_net_ops);
ebt_unregister_template(&frame_filter);
+ unregister_pernet_subsys(&frame_filter_net_ops);
}
module_init(ebtable_filter_init);
diff --git a/net/bridge/netfilter/ebtable_nat.c b/net/bridge/netfilter/ebtable_nat.c
index 9066f7f376d57..8b981b2041b5d 100644
--- a/net/bridge/netfilter/ebtable_nat.c
+++ b/net/bridge/netfilter/ebtable_nat.c
@@ -109,8 +109,8 @@ static int __init ebtable_nat_init(void)
static void __exit ebtable_nat_fini(void)
{
- unregister_pernet_subsys(&frame_nat_net_ops);
ebt_unregister_template(&frame_nat);
+ unregister_pernet_subsys(&frame_nat_net_ops);
}
module_init(ebtable_nat_init);
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index f99e348c8f37f..ec286e54229b7 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -42,6 +42,7 @@
struct ebt_pernet {
struct list_head tables;
+ struct list_head dead_tables;
};
struct ebt_template {
@@ -1162,11 +1163,6 @@ static int do_replace(struct net *net, sockptr_t arg, unsigned int len)
static void __ebt_unregister_table(struct net *net, struct ebt_table *table)
{
- mutex_lock(&ebt_mutex);
- list_del(&table->list);
- mutex_unlock(&ebt_mutex);
- audit_log_nfcfg(table->name, AF_BRIDGE, table->private->nentries,
- AUDIT_XT_OP_UNREGISTER, GFP_KERNEL);
EBT_ENTRY_ITERATE(table->private->entries, table->private->entries_size,
ebt_cleanup_entry, net, NULL);
if (table->private->nentries)
@@ -1267,13 +1263,15 @@ int ebt_register_table(struct net *net, const struct ebt_table *input_table,
for (i = 0; i < num_ops; i++)
ops[i].priv = table;
- list_add(&table->list, &ebt_net->tables);
- mutex_unlock(&ebt_mutex);
-
table->ops = ops;
ret = nf_register_net_hooks(net, ops, num_ops);
- if (ret)
+ if (ret) {
+ synchronize_rcu();
__ebt_unregister_table(net, table);
+ } else {
+ list_add(&table->list, &ebt_net->tables);
+ }
+ mutex_unlock(&ebt_mutex);
audit_log_nfcfg(repl->name, AF_BRIDGE, repl->nentries,
AUDIT_XT_OP_REGISTER, GFP_KERNEL);
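Review bot: when nf_register_net_hooks() fails, the code still falls through to audit_log_nfcfg(..., AUDIT_XT_OP_REGISTER, ...) after the unlock, and because this patch removes the UNREGISTER record from __ebt_unregister_table() the audit trail now shows a registration for a table that was never added. Return before the REGISTER record on the error path. Also, synchronize_rcu() in that branch runs with ebt_mutex held, which stalls every other ebtables user for a grace period; since the table is not yet on ebt_net->tables, the mutex could be dropped first.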
@@ -1339,7 +1337,7 @@ void ebt_unregister_template(const struct ebt_table *t)
}
EXPORT_SYMBOL(ebt_unregister_template);
-static struct ebt_table *__ebt_find_table(struct net *net, const char *name)
+void ebt_unregister_table_pre_exit(struct net *net, const char *name)
{
struct ebt_pernet *ebt_net = net_generic(net, ebt_pernet_id);
struct ebt_table *t;
@@ -1348,30 +1346,36 @@ static struct ebt_table *__ebt_find_table(struct net *net, const char *name)
list_for_each_entry(t, &ebt_net->tables, list) {
if (strcmp(t->name, name) == 0) {
+ list_move(&t->list, &ebt_net->dead_tables);
mutex_unlock(&ebt_mutex);
- return t;
+ nf_unregister_net_hooks(net, t->ops, hweight32(t->valid_hooks));
+ return;
}
}
mutex_unlock(&ebt_mutex);
- return NULL;
-}
-
-void ebt_unregister_table_pre_exit(struct net *net, const char *name)
-{
- struct ebt_table *table = __ebt_find_table(net, name);
-
- if (table)
- nf_unregister_net_hooks(net, table->ops, hweight32(table->valid_hooks));
}
EXPORT_SYMBOL(ebt_unregister_table_pre_exit);
void ebt_unregister_table(struct net *net, const char *name)
{
- struct ebt_table *table = __ebt_find_table(net, name);
+ struct ebt_pernet *ebt_net = net_generic(net, ebt_pernet_id);
+ struct ebt_table *t;
- if (table)
- __ebt_unregister_table(net, table);
+ mutex_lock(&ebt_mutex);
+
+ list_for_each_entry(t, &ebt_net->dead_tables, list) {
+ if (strcmp(t->name, name) == 0) {
+ list_del(&t->list);
+ audit_log_nfcfg(t->name, AF_BRIDGE, t->private->nentries,
+ AUDIT_XT_OP_UNREGISTER, GFP_KERNEL);
+ __ebt_unregister_table(net, t);
+ mutex_unlock(&ebt_mutex);
+ return;
+ }
+ }
+
+ mutex_unlock(&ebt_mutex);
}
/* userspace just supplied us with counters */
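Review bot: ebt_unregister_table() now runs __ebt_unregister_table(), that is the whole EBT_ENTRY_ITERATE/ebt_cleanup_entry walk, with ebt_mutex held, whereas xt_unregister_table_exit() in the previous patch unlocks before handing the table back for cleanup. After list_del() the table is off both lists, so unlock there and do the audit record and cleanup outside the mutex. Separately, ebt_unregister_table_pre_exit() passes t->ops to nf_unregister_net_hooks() after mutex_unlock() with no NULL check; that relies on ebt_register_table() only linking tables whose ops are set, which deserves a comment.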
@@ -2556,11 +2560,21 @@ static int __net_init ebt_pernet_init(struct net *net)
struct ebt_pernet *ebt_net = net_generic(net, ebt_pernet_id);
INIT_LIST_HEAD(&ebt_net->tables);
+ INIT_LIST_HEAD(&ebt_net->dead_tables);
return 0;
}
+static void __net_exit ebt_pernet_exit(struct net *net)
+{
+ struct ebt_pernet *ebt_net = net_generic(net, ebt_pernet_id);
+
+ WARN_ON_ONCE(!list_empty(&ebt_net->tables));
+ WARN_ON_ONCE(!list_empty(&ebt_net->dead_tables));
+}
+
static struct pernet_operations ebt_net_ops = {
.init = ebt_pernet_init,
+ .exit = ebt_pernet_exit,
.id = &ebt_pernet_id,
.size = sizeof(struct ebt_pernet),
};
--
2.53.0
* [PATCH 6.1 917/969] netfilter: ebtables: close dangling table module init race
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (915 preceding siblings ...)
2026-05-30 16:07 ` [PATCH 6.1 916/969] netfilter: ebtables: move to two-stage removal scheme Greg Kroah-Hartman
@ 2026-05-30 16:07 ` Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 918/969] netfilter: x_tables: " Greg Kroah-Hartman
` (58 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tristan Madani, Florian Westphal,
Pablo Neira Ayuso, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 92c603fa07bc0d6a17345de3ad7954730b8de44b ]
sashiko reported for a related patch:
In modules like iptable_raw.c, [..], if register_pernet_subsys() fails,
the rollback might call kfree(rawtable_ops) before [..]
During this window, could a concurrent userspace process find the globally
visible template, trigger table_init(), [..]
The table init functions must always register the template last.
Otherwise, set/getsockopt can instantiate a table in a namespace
while the required pernet ops (contain the destructor) isn't available.
This change is also required in x_tables, handled in followup change.
Fixes: 87663c39f898 ("netfilter: ebtables: do not hook tables by default")
Reviewed-by: Tristan Madani <tristan@talencesecurity.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bridge/netfilter/ebtable_broute.c | 12 +++++-------
net/bridge/netfilter/ebtable_filter.c | 12 +++++-------
net/bridge/netfilter/ebtable_nat.c | 10 ++++------
3 files changed, 14 insertions(+), 20 deletions(-)
diff --git a/net/bridge/netfilter/ebtable_broute.c b/net/bridge/netfilter/ebtable_broute.c
index 33d8640d21ac1..43c808e525e87 100644
--- a/net/bridge/netfilter/ebtable_broute.c
+++ b/net/bridge/netfilter/ebtable_broute.c
@@ -112,18 +112,16 @@ static struct pernet_operations broute_net_ops = {
static int __init ebtable_broute_init(void)
{
- int ret = ebt_register_template(&broute_table, broute_table_init);
+ int ret = register_pernet_subsys(&broute_net_ops);
if (ret)
return ret;
- ret = register_pernet_subsys(&broute_net_ops);
- if (ret) {
- ebt_unregister_template(&broute_table);
- return ret;
- }
+ ret = ebt_register_template(&broute_table, broute_table_init);
+ if (ret)
+ unregister_pernet_subsys(&broute_net_ops);
- return 0;
+ return ret;
}
static void __exit ebtable_broute_fini(void)
diff --git a/net/bridge/netfilter/ebtable_filter.c b/net/bridge/netfilter/ebtable_filter.c
index fdb988c24916a..f76d45dfe9b46 100644
--- a/net/bridge/netfilter/ebtable_filter.c
+++ b/net/bridge/netfilter/ebtable_filter.c
@@ -93,18 +93,16 @@ static struct pernet_operations frame_filter_net_ops = {
static int __init ebtable_filter_init(void)
{
- int ret = ebt_register_template(&frame_filter, frame_filter_table_init);
+ int ret = register_pernet_subsys(&frame_filter_net_ops);
if (ret)
return ret;
- ret = register_pernet_subsys(&frame_filter_net_ops);
- if (ret) {
- ebt_unregister_template(&frame_filter);
- return ret;
- }
+ ret = ebt_register_template(&frame_filter, frame_filter_table_init);
+ if (ret)
+ unregister_pernet_subsys(&frame_filter_net_ops);
- return 0;
+ return ret;
}
static void __exit ebtable_filter_fini(void)
diff --git a/net/bridge/netfilter/ebtable_nat.c b/net/bridge/netfilter/ebtable_nat.c
index 8b981b2041b5d..af0732e2f889d 100644
--- a/net/bridge/netfilter/ebtable_nat.c
+++ b/net/bridge/netfilter/ebtable_nat.c
@@ -93,16 +93,14 @@ static struct pernet_operations frame_nat_net_ops = {
static int __init ebtable_nat_init(void)
{
- int ret = ebt_register_template(&frame_nat, frame_nat_table_init);
+ int ret = register_pernet_subsys(&frame_nat_net_ops);
if (ret)
return ret;
- ret = register_pernet_subsys(&frame_nat_net_ops);
- if (ret) {
- ebt_unregister_template(&frame_nat);
- return ret;
- }
+ ret = ebt_register_template(&frame_nat, frame_nat_table_init);
+ if (ret)
+ unregister_pernet_subsys(&frame_nat_net_ops);
return ret;
}
--
2.53.0
* [PATCH 6.1 918/969] netfilter: x_tables: close dangling table module init race
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (916 preceding siblings ...)
2026-05-30 16:07 ` [PATCH 6.1 917/969] netfilter: ebtables: close dangling table module init race Greg Kroah-Hartman
@ 2026-05-30 16:07 ` Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 919/969] netfilter: bridge: eb_tables: close " Greg Kroah-Hartman
` (57 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Westphal, Pablo Neira Ayuso,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 16bc4b6686b2c112c10e67d6b493adc3607256d3 ]
Similar to the previous ebtables patch:
template add exposes the table to userspace, we must do this last to
ensure the pernet ops are set up (contain the destructors).
Fixes: fdacd57c79b7 ("netfilter: x_tables: never register tables by default")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/netfilter/arptable_filter.c | 23 ++++++++++++-----------
net/ipv4/netfilter/iptable_filter.c | 23 ++++++++++++-----------
net/ipv4/netfilter/iptable_mangle.c | 25 +++++++++++++------------
net/ipv4/netfilter/iptable_raw.c | 22 +++++++++++-----------
net/ipv4/netfilter/iptable_security.c | 23 ++++++++++++-----------
net/ipv6/netfilter/ip6table_filter.c | 22 +++++++++++-----------
net/ipv6/netfilter/ip6table_mangle.c | 23 ++++++++++++-----------
net/ipv6/netfilter/ip6table_raw.c | 20 ++++++++++----------
net/ipv6/netfilter/ip6table_security.c | 23 ++++++++++++-----------
9 files changed, 105 insertions(+), 99 deletions(-)
diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c
index 382345567a600..370b635e3523b 100644
--- a/net/ipv4/netfilter/arptable_filter.c
+++ b/net/ipv4/netfilter/arptable_filter.c
@@ -58,25 +58,26 @@ static struct pernet_operations arptable_filter_net_ops = {
static int __init arptable_filter_init(void)
{
- int ret = xt_register_template(&packet_filter,
- arptable_filter_table_init);
-
- if (ret < 0)
- return ret;
+ int ret;
arpfilter_ops = xt_hook_ops_alloc(&packet_filter, arpt_do_table);
- if (IS_ERR(arpfilter_ops)) {
- xt_unregister_template(&packet_filter);
+ if (IS_ERR(arpfilter_ops))
return PTR_ERR(arpfilter_ops);
- }
ret = register_pernet_subsys(&arptable_filter_net_ops);
+ if (ret < 0)
+ goto err_free;
+
+ ret = xt_register_template(&packet_filter,
+ arptable_filter_table_init);
if (ret < 0) {
- xt_unregister_template(&packet_filter);
- kfree(arpfilter_ops);
- return ret;
+ unregister_pernet_subsys(&arptable_filter_net_ops);
+ goto err_free;
}
+ return 0;
+err_free:
+ kfree(arpfilter_ops);
return ret;
}
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c
index fb85745793ba5..409e96c72164b 100644
--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -77,26 +77,27 @@ static struct pernet_operations iptable_filter_net_ops = {
static int __init iptable_filter_init(void)
{
- int ret = xt_register_template(&packet_filter,
- iptable_filter_table_init);
-
- if (ret < 0)
- return ret;
+ int ret;
filter_ops = xt_hook_ops_alloc(&packet_filter, ipt_do_table);
- if (IS_ERR(filter_ops)) {
- xt_unregister_template(&packet_filter);
+ if (IS_ERR(filter_ops))
return PTR_ERR(filter_ops);
- }
ret = register_pernet_subsys(&iptable_filter_net_ops);
+ if (ret < 0)
+ goto err_free;
+
+ ret = xt_register_template(&packet_filter,
+ iptable_filter_table_init);
if (ret < 0) {
- xt_unregister_template(&packet_filter);
- kfree(filter_ops);
- return ret;
+ unregister_pernet_subsys(&iptable_filter_net_ops);
+ goto err_free;
}
return 0;
+err_free:
+ kfree(filter_ops);
+ return ret;
}
static void __exit iptable_filter_fini(void)
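Review bot: no comment in iptable_filter_init() records that xt_register_template() has to stay after register_pernet_subsys(), although that ordering is the substance of the change. A one-line comment above the xt_register_template() call saying it must remain the last registration step would keep a later cleanup from moving it back to the top of the function.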
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c
index 6259bcf178bba..b8618bdf5fdc4 100644
--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -110,25 +110,26 @@ static struct pernet_operations iptable_mangle_net_ops = {
static int __init iptable_mangle_init(void)
{
- int ret = xt_register_template(&packet_mangler,
- iptable_mangle_table_init);
- if (ret < 0)
- return ret;
+ int ret;
mangle_ops = xt_hook_ops_alloc(&packet_mangler, iptable_mangle_hook);
- if (IS_ERR(mangle_ops)) {
- xt_unregister_template(&packet_mangler);
- ret = PTR_ERR(mangle_ops);
- return ret;
- }
+ if (IS_ERR(mangle_ops))
+ return PTR_ERR(mangle_ops);
ret = register_pernet_subsys(&iptable_mangle_net_ops);
+ if (ret < 0)
+ goto err_free;
+
+ ret = xt_register_template(&packet_mangler,
+ iptable_mangle_table_init);
if (ret < 0) {
- xt_unregister_template(&packet_mangler);
- kfree(mangle_ops);
- return ret;
+ unregister_pernet_subsys(&iptable_mangle_net_ops);
+ goto err_free;
}
+ return 0;
+err_free:
+ kfree(mangle_ops);
return ret;
}
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index c7b91b2042dc6..94ad7fad3a1f3 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -77,24 +77,24 @@ static int __init iptable_raw_init(void)
pr_info("Enabling raw table before defrag\n");
}
- ret = xt_register_template(table,
- iptable_raw_table_init);
- if (ret < 0)
- return ret;
-
rawtable_ops = xt_hook_ops_alloc(table, ipt_do_table);
- if (IS_ERR(rawtable_ops)) {
- xt_unregister_template(table);
+ if (IS_ERR(rawtable_ops))
return PTR_ERR(rawtable_ops);
- }
ret = register_pernet_subsys(&iptable_raw_net_ops);
+ if (ret < 0)
+ goto err_free;
+
+ ret = xt_register_template(table,
+ iptable_raw_table_init);
if (ret < 0) {
- xt_unregister_template(table);
- kfree(rawtable_ops);
- return ret;
+ unregister_pernet_subsys(&iptable_raw_net_ops);
+ goto err_free;
}
+ return 0;
+err_free:
+ kfree(rawtable_ops);
return ret;
}
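Review bot: the xt_register_template() failure branch in iptable_raw_init() calls unregister_pernet_subsys() inline and then jumps to err_free, so the unwind is split between a branch body and a label. A second label stacked directly above err_free (for example err_pernet:) would keep all cleanup in one place and in strict reverse order of setup. The same applies to the other table init functions in this patch.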
diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c
index 81175c20ccbe8..491894511c544 100644
--- a/net/ipv4/netfilter/iptable_security.c
+++ b/net/ipv4/netfilter/iptable_security.c
@@ -65,25 +65,26 @@ static struct pernet_operations iptable_security_net_ops = {
static int __init iptable_security_init(void)
{
- int ret = xt_register_template(&security_table,
- iptable_security_table_init);
-
- if (ret < 0)
- return ret;
+ int ret;
sectbl_ops = xt_hook_ops_alloc(&security_table, ipt_do_table);
- if (IS_ERR(sectbl_ops)) {
- xt_unregister_template(&security_table);
+ if (IS_ERR(sectbl_ops))
return PTR_ERR(sectbl_ops);
- }
ret = register_pernet_subsys(&iptable_security_net_ops);
+ if (ret < 0)
+ goto err_free;
+
+ ret = xt_register_template(&security_table,
+ iptable_security_table_init);
if (ret < 0) {
- xt_unregister_template(&security_table);
- kfree(sectbl_ops);
- return ret;
+ unregister_pernet_subsys(&iptable_security_net_ops);
+ goto err_free;
}
+ return 0;
+err_free:
+ kfree(sectbl_ops);
return ret;
}
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index 982900920e730..f444071346859 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -76,25 +76,25 @@ static struct pernet_operations ip6table_filter_net_ops = {
static int __init ip6table_filter_init(void)
{
- int ret = xt_register_template(&packet_filter,
- ip6table_filter_table_init);
-
- if (ret < 0)
- return ret;
+ int ret;
filter_ops = xt_hook_ops_alloc(&packet_filter, ip6t_do_table);
- if (IS_ERR(filter_ops)) {
- xt_unregister_template(&packet_filter);
+ if (IS_ERR(filter_ops))
return PTR_ERR(filter_ops);
- }
ret = register_pernet_subsys(&ip6table_filter_net_ops);
+ if (ret < 0)
+ goto err_free;
+
+ ret = xt_register_template(&packet_filter, ip6table_filter_table_init);
if (ret < 0) {
- xt_unregister_template(&packet_filter);
- kfree(filter_ops);
- return ret;
+ unregister_pernet_subsys(&ip6table_filter_net_ops);
+ goto err_free;
}
+ return 0;
+err_free:
+ kfree(filter_ops);
return ret;
}
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index 475361aa81310..dbc64e4428403 100644
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -103,25 +103,26 @@ static struct pernet_operations ip6table_mangle_net_ops = {
static int __init ip6table_mangle_init(void)
{
- int ret = xt_register_template(&packet_mangler,
- ip6table_mangle_table_init);
-
- if (ret < 0)
- return ret;
+ int ret;
mangle_ops = xt_hook_ops_alloc(&packet_mangler, ip6table_mangle_hook);
- if (IS_ERR(mangle_ops)) {
- xt_unregister_template(&packet_mangler);
+ if (IS_ERR(mangle_ops))
return PTR_ERR(mangle_ops);
- }
ret = register_pernet_subsys(&ip6table_mangle_net_ops);
+ if (ret < 0)
+ goto err_free;
+
+ ret = xt_register_template(&packet_mangler,
+ ip6table_mangle_table_init);
if (ret < 0) {
- xt_unregister_template(&packet_mangler);
- kfree(mangle_ops);
- return ret;
+ unregister_pernet_subsys(&ip6table_mangle_net_ops);
+ goto err_free;
}
+ return 0;
+err_free:
+ kfree(mangle_ops);
return ret;
}
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index a99879f173b4a..1eadf553c746e 100644
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -75,24 +75,24 @@ static int __init ip6table_raw_init(void)
pr_info("Enabling raw table before defrag\n");
}
- ret = xt_register_template(table, ip6table_raw_table_init);
- if (ret < 0)
- return ret;
-
/* Register hooks */
rawtable_ops = xt_hook_ops_alloc(table, ip6t_do_table);
- if (IS_ERR(rawtable_ops)) {
- xt_unregister_template(table);
+ if (IS_ERR(rawtable_ops))
return PTR_ERR(rawtable_ops);
- }
ret = register_pernet_subsys(&ip6table_raw_net_ops);
+ if (ret < 0)
+ goto err_free;
+
+ ret = xt_register_template(table, ip6table_raw_table_init);
if (ret < 0) {
- kfree(rawtable_ops);
- xt_unregister_template(table);
- return ret;
+ unregister_pernet_subsys(&ip6table_raw_net_ops);
+ goto err_free;
}
+ return 0;
+err_free:
+ kfree(rawtable_ops);
return ret;
}
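Review bot: the retained comment "/* Register hooks */" in ip6table_raw_init() sits above xt_hook_ops_alloc(), which by its name only allocates the ops, and the call that makes the table reachable is now xt_register_template() further down. Since the function's ordering is being reworked anyway, reword or drop that comment so it does not suggest registration happens at the allocation step.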
diff --git a/net/ipv6/netfilter/ip6table_security.c b/net/ipv6/netfilter/ip6table_security.c
index c44834d93fc79..4bd5d97b8ab65 100644
--- a/net/ipv6/netfilter/ip6table_security.c
+++ b/net/ipv6/netfilter/ip6table_security.c
@@ -64,25 +64,26 @@ static struct pernet_operations ip6table_security_net_ops = {
static int __init ip6table_security_init(void)
{
- int ret = xt_register_template(&security_table,
- ip6table_security_table_init);
-
- if (ret < 0)
- return ret;
+ int ret;
sectbl_ops = xt_hook_ops_alloc(&security_table, ip6t_do_table);
- if (IS_ERR(sectbl_ops)) {
- xt_unregister_template(&security_table);
+ if (IS_ERR(sectbl_ops))
return PTR_ERR(sectbl_ops);
- }
ret = register_pernet_subsys(&ip6table_security_net_ops);
+ if (ret < 0)
+ goto err_free;
+
+ ret = xt_register_template(&security_table,
+ ip6table_security_table_init);
if (ret < 0) {
- kfree(sectbl_ops);
- xt_unregister_template(&security_table);
- return ret;
+ unregister_pernet_subsys(&ip6table_security_net_ops);
+ goto err_free;
}
+ return 0;
+err_free:
+ kfree(sectbl_ops);
return ret;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 919/969] netfilter: bridge: eb_tables: close module init race
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (917 preceding siblings ...)
2026-05-30 16:07 ` [PATCH 6.1 918/969] netfilter: x_tables: " Greg Kroah-Hartman
@ 2026-05-30 16:07 ` Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 920/969] tcp: Fix imbalanced icsk_accept_queue count Greg Kroah-Hartman
` (56 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Westphal, Pablo Neira Ayuso,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 27414ff1b287ea9a2a11675149ec28e05539f3cc ]
sashiko reports for unrelated patch:
Does the core ebtables initialization in ebtables.c suffer from a similar race?
Once nf_register_sockopt() completes, the sockopts are exposed globally.
sockopt has to be registered last, just like in ip/ip6/arptables.
Fixes: 5b53951cfc85 ("netfilter: ebtables: use net_generic infra")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bridge/netfilter/ebtables.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index ec286e54229b7..ca426e49ea1a1 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -2583,19 +2583,20 @@ static int __init ebtables_init(void)
{
int ret;
- ret = xt_register_target(&ebt_standard_target);
+ ret = register_pernet_subsys(&ebt_net_ops);
if (ret < 0)
return ret;
- ret = nf_register_sockopt(&ebt_sockopts);
+
+ ret = xt_register_target(&ebt_standard_target);
if (ret < 0) {
- xt_unregister_target(&ebt_standard_target);
+ unregister_pernet_subsys(&ebt_net_ops);
return ret;
}
- ret = register_pernet_subsys(&ebt_net_ops);
+ ret = nf_register_sockopt(&ebt_sockopts);
if (ret < 0) {
- nf_unregister_sockopt(&ebt_sockopts);
xt_unregister_target(&ebt_standard_target);
+ unregister_pernet_subsys(&ebt_net_ops);
return ret;
}
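Review bot: ebtables_fini() is not touched, since this single hunk accounts for all 6 insertions and 5 deletions of the patch, while ebtables_init() now sets up in the order pernet subsystem, standard target, sockopt. Please confirm that the exit path calls nf_unregister_sockopt() first and unregister_pernet_subsys() last, so that teardown mirrors the new init order and the sockopts are withdrawn before the per-netns state goes away.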
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 920/969] tcp: Fix imbalanced icsk_accept_queue count.
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (918 preceding siblings ...)
2026-05-30 16:07 ` [PATCH 6.1 919/969] netfilter: bridge: eb_tables: close " Greg Kroah-Hartman
@ 2026-05-30 16:07 ` Greg Kroah-Hartman
2026-05-30 16:07 ` [Intel-wired-lan] " Greg Kroah-Hartman
` (55 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damiano Melotti, Kuniyuki Iwashima,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@google.com>
[ Upstream commit 7eca3292cac7c26dad4c236f51ba225c39a0523f ]
When TCP socket migration happens in reqsk_timer_handler(),
@sk_listener will be updated with the new listener.
When we call __inet_csk_reqsk_queue_drop(), the listener must
be the one stored in req->rsk_listener.
The cited commit accidentally replaced oreq->rsk_listener with
sk_listener, leading to imbalanced icsk_accept_queue count.
Let's pass the correct listener to __inet_csk_reqsk_queue_drop().
Fixes: e8c526f2bdf1 ("tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink().")
Reported-by: Damiano Melotti <melotti@google.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260506035954.1563147-3-kuniyu@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/inet_connection_sock.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index dc32a3d8ef874..a275ab5321a96 100644
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -1112,7 +1112,7 @@ static void reqsk_timer_handler(struct timer_list *t)
}
drop:
- __inet_csk_reqsk_queue_drop(sk_listener, oreq, true);
+ __inet_csk_reqsk_queue_drop(oreq->rsk_listener, oreq, true);
reqsk_put(oreq);
}
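Review bot: at the drop: label in reqsk_timer_handler() nothing explains why the call passes oreq->rsk_listener while sk_listener is still in scope. Per the commit message sk_listener may have been replaced by the new listener during migration, so a short comment above __inet_csk_reqsk_queue_drop() saying that the two can differ here would keep someone from simplifying it back to sk_listener.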
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 921/969] ice: fix locking in ice_dcb_rebuild()
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
@ 2026-05-30 16:07 ` Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 002/969] ALSA: hda/realtek: Add HP ENVY Laptop 13-ba0xxx quirk Greg Kroah-Hartman
` (974 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, intel-wired-lan, Bart Van Assche,
Aleksandr Loktionov, Przemek Kitszel, Arpana Arland, Jacob Keller,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bart Van Assche <bvanassche@acm.org>
[ Upstream commit 0ded1f36ba4021cba50513e80be6b6e173710168 ]
Move the mutex_lock() call up to prevent that DCB settings change after
the first ice_query_port_ets() call. The second ice_query_port_ets()
call in ice_dcb_rebuild() is already protected by pf->tc_mutex.
This also fixes a bug in an error path, as before taking the first
"goto dcb_error" in the function jumped over mutex_lock() to
mutex_unlock().
This bug has been detected by the clang thread-safety analyzer.
Cc: intel-wired-lan@lists.osuosl.org
Fixes: 242b5e068b25 ("ice: Fix DCB rebuild after reset")
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Tested-by: Arpana Arland <arpanax.arland@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260506-jk-iwl-net-2026-05-04-v2-6-a5ea4dc837a9@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_dcb_lib.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_dcb_lib.c b/drivers/net/ethernet/intel/ice/ice_dcb_lib.c
index 9aa0437aa598e..cc097207cf97f 100644
--- a/drivers/net/ethernet/intel/ice/ice_dcb_lib.c
+++ b/drivers/net/ethernet/intel/ice/ice_dcb_lib.c
@@ -530,14 +530,14 @@ void ice_dcb_rebuild(struct ice_pf *pf)
struct ice_dcbx_cfg *err_cfg;
int ret;
+ mutex_lock(&pf->tc_mutex);
+
ret = ice_query_port_ets(pf->hw.port_info, &buf, sizeof(buf), NULL);
if (ret) {
dev_err(dev, "Query Port ETS failed\n");
goto dcb_error;
}
- mutex_lock(&pf->tc_mutex);
-
if (!pf->hw.port_info->qos_cfg.is_sw_lldp)
ice_cfg_etsrec_defaults(pf->hw.port_info);
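Review bot: with mutex_lock(&pf->tc_mutex) now the first statement of ice_dcb_rebuild(), the balance of the lock depends on every exit going through the unlock at dcb_error, and the tail of the function is not visible in this hunk. Please confirm there is no plain return between the new lock and that label. Note also that ice_query_port_ets() now runs with tc_mutex held, which lengthens the hold time; a one-line comment at the lock stating that it covers the first ETS query would document the intent.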
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [Intel-wired-lan] [PATCH 6.1 921/969] ice: fix locking in ice_dcb_rebuild()
@ 2026-05-30 16:07 ` Greg Kroah-Hartman
0 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, intel-wired-lan, Bart Van Assche,
Aleksandr Loktionov, Przemek Kitszel, Arpana Arland, Jacob Keller,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bart Van Assche <bvanassche@acm.org>
[ Upstream commit 0ded1f36ba4021cba50513e80be6b6e173710168 ]
Move the mutex_lock() call up to prevent that DCB settings change after
the first ice_query_port_ets() call. The second ice_query_port_ets()
call in ice_dcb_rebuild() is already protected by pf->tc_mutex.
This also fixes a bug in an error path, as before taking the first
"goto dcb_error" in the function jumped over mutex_lock() to
mutex_unlock().
This bug has been detected by the clang thread-safety analyzer.
Cc: intel-wired-lan@lists.osuosl.org
Fixes: 242b5e068b25 ("ice: Fix DCB rebuild after reset")
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Tested-by: Arpana Arland <arpanax.arland@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260506-jk-iwl-net-2026-05-04-v2-6-a5ea4dc837a9@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_dcb_lib.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_dcb_lib.c b/drivers/net/ethernet/intel/ice/ice_dcb_lib.c
index 9aa0437aa598e..cc097207cf97f 100644
--- a/drivers/net/ethernet/intel/ice/ice_dcb_lib.c
+++ b/drivers/net/ethernet/intel/ice/ice_dcb_lib.c
@@ -530,14 +530,14 @@ void ice_dcb_rebuild(struct ice_pf *pf)
struct ice_dcbx_cfg *err_cfg;
int ret;
+ mutex_lock(&pf->tc_mutex);
+
ret = ice_query_port_ets(pf->hw.port_info, &buf, sizeof(buf), NULL);
if (ret) {
dev_err(dev, "Query Port ETS failed\n");
goto dcb_error;
}
- mutex_lock(&pf->tc_mutex);
-
if (!pf->hw.port_info->qos_cfg.is_sw_lldp)
ice_cfg_etsrec_defaults(pf->hw.port_info);
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 922/969] net: lan966x: avoid unregistering netdev on register failure
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (920 preceding siblings ...)
2026-05-30 16:07 ` [Intel-wired-lan] " Greg Kroah-Hartman
@ 2026-05-30 16:07 ` Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 923/969] phy: marvell: mvebu-a3700-utmi: fix incorrect USB2_PHY_CTRL register access Greg Kroah-Hartman
` (53 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ijae Kim, Myeonghun Pak,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Myeonghun Pak <mhun512@gmail.com>
[ Upstream commit c4f3d6eb1fcf6cd9ce4644f604d5aad1ce594dfc ]
lan966x_probe_port() stores the newly allocated net_device in the
port before calling register_netdev(). If register_netdev() fails,
the probe error path calls lan966x_cleanup_ports(), which sees
port->dev and calls unregister_netdev() for a device that was never
registered.
Destroy the phylink instance created for this port and clear port->dev
before returning the registration error. The common cleanup path now skips
ports without port->dev before reaching the registered netdev cleanup, so
it only handles ports that reached the registered-netdev lifetime.
This also avoids treating an uninitialized FDMA netdev and the failed port
as a NULL == NULL match in the common cleanup path.
Fixes: d28d6d2e37d1 ("net: lan966x: add port module support")
Co-developed-by: Ijae Kim <ae878000@gmail.com>
Signed-off-by: Ijae Kim <ae878000@gmail.com>
Signed-off-by: Myeonghun Pak <mhun512@gmail.com>
Link: https://patch.msgid.link/20260506124331.31945-1-mhun512@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/microchip/lan966x/lan966x_main.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_main.c b/drivers/net/ethernet/microchip/lan966x/lan966x_main.c
index 8c048ffde23d6..8347def40f9d4 100644
--- a/drivers/net/ethernet/microchip/lan966x/lan966x_main.c
+++ b/drivers/net/ethernet/microchip/lan966x/lan966x_main.c
@@ -688,11 +688,10 @@ static void lan966x_cleanup_ports(struct lan966x *lan966x)
for (p = 0; p < lan966x->num_phys_ports; p++) {
port = lan966x->ports[p];
- if (!port)
+ if (!port || !port->dev)
continue;
- if (port->dev)
- unregister_netdev(port->dev);
+ unregister_netdev(port->dev);
if (lan966x->fdma && lan966x->fdma_ndev == port->dev)
lan966x_fdma_netdev_deinit(lan966x, port->dev);
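Review bot: the widened check "if (!port || !port->dev) continue;" in lan966x_cleanup_ports() now skips the whole loop body for a port without a netdev, not only unregister_netdev(). The hunk shows just the first two steps of that body, so please confirm that nothing later in the loop releases a resource that a port can hold before its netdev exists; if something does, keep that step outside the port->dev condition.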
@@ -805,6 +804,9 @@ static int lan966x_probe_port(struct lan966x *lan966x, u32 p,
err = register_netdev(dev);
if (err) {
dev_err(lan966x->dev, "register_netdev failed\n");
+ phylink_destroy(phylink);
+ port->phylink = NULL;
+ port->dev = NULL;
return err;
}
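Review bot: the register_netdev() failure branch in lan966x_probe_port() clears port->dev and destroys the phylink, but it does not free dev itself. That is only correct if dev comes from a device-managed allocation, which this hunk does not show; say so in a short comment here, or add the matching free if the allocation is not managed.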
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 923/969] phy: marvell: mvebu-a3700-utmi: fix incorrect USB2_PHY_CTRL register access
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (921 preceding siblings ...)
2026-05-30 16:07 ` [PATCH 6.1 922/969] net: lan966x: avoid unregistering netdev on register failure Greg Kroah-Hartman
@ 2026-05-30 16:07 ` Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 924/969] irqchip/ath79-cpu: Remove unused function Greg Kroah-Hartman
` (52 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gabor Juhos, Miquel Raynal,
Vinod Koul, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gabor Juhos <j4g8y7@gmail.com>
[ Upstream commit 91ddf6f722084383fb05be731c0107814b055c0c ]
The mvebu_a3700_utmi_phy_power_off() function tries to modify the
USB2_PHY_CTRL register by using the IO address of the PHY IP block along
with the readl/writel IO accessors. However, the register exists in the
USB miscellaneous register space, and as such it must be accessed via
regmap like it is done in the mvebu_a3700_utmi_phy_power_on() function.
Change the code to use regmap_update_bits() for modifying the register
to fix this.
Fixes: cc8b7a0ae866 ("phy: add A3700 UTMI PHY driver")
Signed-off-by: Gabor Juhos <j4g8y7@gmail.com>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://patch.msgid.link/20260321-a3700-utmi-fix-usb2_phy_ctrl-access-v1-1-6005ff4b5058@gmail.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/phy/marvell/phy-mvebu-a3700-utmi.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/phy/marvell/phy-mvebu-a3700-utmi.c b/drivers/phy/marvell/phy-mvebu-a3700-utmi.c
index 8834436bc9dbc..e3a9278c06842 100644
--- a/drivers/phy/marvell/phy-mvebu-a3700-utmi.c
+++ b/drivers/phy/marvell/phy-mvebu-a3700-utmi.c
@@ -168,9 +168,8 @@ static int mvebu_a3700_utmi_phy_power_off(struct phy *phy)
u32 reg;
/* Disable PHY pull-up and enable USB2 suspend */
- reg = readl(utmi->regs + USB2_PHY_CTRL(usb32));
- reg &= ~(RB_USB2PHY_PU | RB_USB2PHY_SUSPM(usb32));
- writel(reg, utmi->regs + USB2_PHY_CTRL(usb32));
+ regmap_update_bits(utmi->usb_misc, USB2_PHY_CTRL(usb32),
+ RB_USB2PHY_PU | RB_USB2PHY_SUSPM(usb32), 0);
/* Power down OTG module */
if (usb32) {
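Review bot: the return value of regmap_update_bits() is dropped in mvebu_a3700_utmi_phy_power_off(), although the function returns int. Either propagate the error (ret = regmap_update_bits(...); if (ret) return ret;) or note why a failed write can be ignored on the power-off path. Also check that the local "u32 reg;" is still used by the OTG code below, since the readl/writel pair that used it here is gone.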
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 924/969] irqchip/ath79-cpu: Remove unused function
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (922 preceding siblings ...)
2026-05-30 16:07 ` [PATCH 6.1 923/969] phy: marvell: mvebu-a3700-utmi: fix incorrect USB2_PHY_CTRL register access Greg Kroah-Hartman
@ 2026-05-30 16:07 ` Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 925/969] irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT Greg Kroah-Hartman
` (51 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Rosen Penev,
Thomas Gleixner, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rosen Penev <rosenp@gmail.com>
[ Upstream commit 0fa10fb77069fb67aa51384868ef3702b7791465 ]
ath79_cpu_irq_init() was part of the legacy pre-OF code that got removed a
while back.
Remove it to get rid of a missing prototype warning, reported by the kernel test
robot.
[ tglx: Fix the subject prefix. Sigh ... ]
Fixes: 51fa4f8912c0 ("MIPS: ath79: drop legacy IRQ code")
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Link: https://patch.msgid.link/20260506085522.1210143-1-rosenp@gmail.com
Closes: https://lore.kernel.org/oe-kbuild-all/202412011509.kGQkDr1y-lkp@intel.com/
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/irqchip/irq-ath79-cpu.c | 7 -------
1 file changed, 7 deletions(-)
diff --git a/drivers/irqchip/irq-ath79-cpu.c b/drivers/irqchip/irq-ath79-cpu.c
index 923e4bba37767..9b7273a7f8ced 100644
--- a/drivers/irqchip/irq-ath79-cpu.c
+++ b/drivers/irqchip/irq-ath79-cpu.c
@@ -85,10 +85,3 @@ static int __init ar79_cpu_intc_of_init(
}
IRQCHIP_DECLARE(ar79_cpu_intc, "qca,ar7100-cpu-intc",
ar79_cpu_intc_of_init);
-
-void __init ath79_cpu_irq_init(unsigned irq_wb_chan2, unsigned irq_wb_chan3)
-{
- irq_wb_chan[2] = irq_wb_chan2;
- irq_wb_chan[3] = irq_wb_chan3;
- mips_cpu_irq_init();
-}
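Review bot: the removed ath79_cpu_irq_init() was a non-static symbol and the only place in this hunk that wrote irq_wb_chan[2] and irq_wb_chan[3] and called mips_cpu_irq_init(). Please confirm that no arch header or board file in linux-6.1.y still references it, and that ar79_cpu_intc_of_init() covers both steps, so the backport does not leave irq_wb_chan unset on this branch.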
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 925/969] irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (923 preceding siblings ...)
2026-05-30 16:07 ` [PATCH 6.1 924/969] irqchip/ath79-cpu: Remove unused function Greg Kroah-Hartman
@ 2026-05-30 16:07 ` Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 926/969] net: ethernet: cortina: Make RX SKB per-port Greg Kroah-Hartman
` (50 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Andrzej Siewior,
Steven Rostedt, Jiayuan Chen, Thomas Gleixner, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayuan Chen <jiayuan.chen@linux.dev>
[ Upstream commit 91840be8f710370607f949a627e070896faeddb8 ]
On PREEMPT_RT, non-HARD irq_work runs in per-CPU kthreads via
run_irq_workd(), so irq_work_sync() uses rcuwait() to wait for BUSY==0.
After irq_work_single() clears BUSY via atomic_cmpxchg(), it still
dereferences @work for irq_work_is_hard() and rcuwait_wake_up().
An irq_work_sync() caller on another CPU that enters after BUSY is cleared
can observe BUSY==0 immediately, return, and free the work before those
accesses complete — causing a use-after-free.
Fix this by wrapping run_irq_workd() in guard(rcu)() so that the entire
irq_work_single() execution is within an RCU read-side critical
section. Then add synchronize_rcu() in irq_work_sync() after
rcuwait_wait_event() to ensure the caller waits for the RCU grace period
before returning, preventing premature frees.
Fixes: 810979682ccc ("irq_work: Allow irq_work_sync() to sleep if irq_work() no IRQ support.")
Suggested-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Suggested-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Link: https://patch.msgid.link/20260330073234.303732-1-jiayuan.chen@linux.dev
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/irq_work.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/kernel/irq_work.c b/kernel/irq_work.c
index 7afa40fe5cc43..6a286b2681178 100644
--- a/kernel/irq_work.c
+++ b/kernel/irq_work.c
@@ -282,6 +282,12 @@ void irq_work_sync(struct irq_work *work)
!arch_irq_work_has_interrupt()) {
rcuwait_wait_event(&work->irqwait, !irq_work_is_busy(work),
TASK_UNINTERRUPTIBLE);
+ /*
+ * Ensure irq_work_single() does not access @work
+ * after removing IRQ_WORK_BUSY. It is always
+ * accessed within a RCU-read section.
+ */
+ synchronize_rcu();
return;
}
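Review bot: the added synchronize_rcu() makes every irq_work_sync() caller that takes this branch wait for a full RCU grace period, including when the work was never busy, and nothing documents that cost. Please mention it in the function's comment so callers that sync many work items in a loop know about it. Nit in the new comment: "a RCU-read section" should read "an RCU read-side critical section".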
@@ -292,6 +298,7 @@ EXPORT_SYMBOL_GPL(irq_work_sync);
static void run_irq_workd(unsigned int cpu)
{
+ guard(rcu)();
irq_work_run_list(this_cpu_ptr(&lazy_list));
}
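Review bot: guard(rcu)() in run_irq_workd() relies on the scope-based cleanup helpers from linux/cleanup.h and on an RCU guard definition, and this patch adds no include and no such definition (the diffstat is 7 insertions in kernel/irq_work.c only). For the 6.1 backport, please confirm both exist in linux-6.1.y; if they do not, use an explicit rcu_read_lock() / rcu_read_unlock() pair around irq_work_run_list().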
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 926/969] net: ethernet: cortina: Make RX SKB per-port
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (924 preceding siblings ...)
2026-05-30 16:07 ` [PATCH 6.1 925/969] irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT Greg Kroah-Hartman
@ 2026-05-30 16:07 ` Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 927/969] net: ethernet: cortina: Drop half-assembled SKB Greg Kroah-Hartman
` (49 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Linus Walleij, Paolo Abeni,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Linus Walleij <linusw@kernel.org>
[ Upstream commit 06937db21ee311ed07eba47954447245041a982d ]
The SKB used to assemble packets from fragments in gmac_rx()
is static local, but the Gemini has two ethernet ports, meaning
there can be races between the ports on a bad day if a device
is using both.
Make the RX SKB a per-port variable and carry it over between
invocations in the port struct instead.
Zero the pointer once we call napi_gro_frags(), on error (after
calling napi_free_frags()) or if the port is stopped.
Zero it in some place where not strictly necessary just to
emphasize what is going on.
This was found by Sashiko during normal patch review.
Fixes: 4d5ae32f5e1e ("net: ethernet: Add a driver for Gemini gigabit ethernet")
Link: https://sashiko.dev/#/patchset/20260505-gemini-ethernet-fix-v2-1-997c31d06079%40kernel.org
Signed-off-by: Linus Walleij <linusw@kernel.org>
Link: https://patch.msgid.link/20260509-gemini-ethernet-fixes-v1-2-6c5d20ddc35b@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/cortina/gemini.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c
index 729a69007ec47..dbfcbdb8d751a 100644
--- a/drivers/net/ethernet/cortina/gemini.c
+++ b/drivers/net/ethernet/cortina/gemini.c
@@ -121,6 +121,8 @@ struct gemini_ethernet_port {
struct napi_struct napi;
struct hrtimer rx_coalesce_timer;
unsigned int rx_coalesce_nsecs;
+ struct sk_buff *rx_skb;
+
unsigned int freeq_refill;
struct gmac_txq txq[TX_QUEUE_NUM];
unsigned int txq_order;
@@ -1447,10 +1449,10 @@ static unsigned int gmac_rx(struct net_device *netdev, unsigned int budget)
unsigned short m = (1 << port->rxq_order) - 1;
struct gemini_ethernet *geth = port->geth;
void __iomem *ptr_reg = port->rxq_rwptr;
+ struct sk_buff *skb = port->rx_skb;
unsigned int frame_len, frag_len;
struct gmac_rxdesc *rx = NULL;
struct gmac_queue_page *gpage;
- static struct sk_buff *skb;
union gmac_rxdesc_0 word0;
union gmac_rxdesc_1 word1;
union gmac_rxdesc_3 word3;
@@ -1504,6 +1506,7 @@ static unsigned int gmac_rx(struct net_device *netdev, unsigned int budget)
if (skb) {
napi_free_frags(&port->napi);
port->stats.rx_dropped++;
+ skb = NULL;
}
skb = gmac_skb_if_good_frame(port, word0, frame_len);
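Review bot: the added "skb = NULL;" inside the if (skb) branch is a dead store, because the very next statement assigns skb = gmac_skb_if_good_frame(...). The commit message says some of the zeroing is only for emphasis, but a comment such as "previous partial frame dropped" would make the point without leaving a line that static analysis will flag.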
@@ -1554,6 +1557,7 @@ static unsigned int gmac_rx(struct net_device *netdev, unsigned int budget)
port->stats.rx_dropped++;
}
+ port->rx_skb = skb;
writew(r, ptr_reg);
return budget;
}
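Review bot: port->rx_skb is written back only here, just before "return budget;", while skb is loaded from it at the top of gmac_rx(). If any other exit from the function exists between the load and this store, the port would keep a stale pointer to an skb that was already handed to napi_gro_frags() or freed. Please confirm this is the only return, or store the pointer at each exit.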
@@ -1882,6 +1886,7 @@ static int gmac_stop(struct net_device *netdev)
gmac_disable_tx_rx(netdev);
gmac_stop_dma(port);
napi_disable(&port->napi);
+ port->rx_skb = NULL;
gmac_enable_irq(netdev, 0);
gmac_cleanup_rxq(netdev);
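Review bot: gmac_stop() sets port->rx_skb = NULL without releasing what it pointed to, whereas the drop path in gmac_rx() calls napi_free_frags(&port->napi) before clearing. If a frame can be partly assembled when the port is stopped, either free it explicitly before clearing the pointer or add a comment stating where that skb is released.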
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 927/969] net: ethernet: cortina: Drop half-assembled SKB
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andreas Haarmann-Thiemann,
Linus Walleij, Alexander Lobakin, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andreas Haarmann-Thiemann <eitschman@nebelreich.de>
[ Upstream commit b266bacba796ff5c4dcd2ae2fc08aacf7ab39153 ]
In gmac_rx() (drivers/net/ethernet/cortina/gemini.c), when
gmac_get_queue_page() returns NULL for the second page of a multi-page
fragment, the driver logs an error and continues — but does not free the
partially assembled skb that was being assembled via napi_build_skb() /
napi_get_frags().
Free the in-progress partially assembled skb via napi_free_frags()
and increase the number of dropped frames appropriately
and assign the skb pointer NULL to make sure it is not lingering
around, matching the pattern already used elsewhere in the driver.
Fixes: 4d5ae32f5e1e ("net: ethernet: Add a driver for Gemini gigabit ethernet")
Signed-off-by: Andreas Haarmann-Thiemann <eitschman@nebelreich.de>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com>
Link: https://patch.msgid.link/20260505-gemini-ethernet-fix-v2-1-997c31d06079@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/cortina/gemini.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c
index dbfcbdb8d751a..51108bf65845d 100644
--- a/drivers/net/ethernet/cortina/gemini.c
+++ b/drivers/net/ethernet/cortina/gemini.c
@@ -1498,6 +1498,11 @@ static unsigned int gmac_rx(struct net_device *netdev, unsigned int budget)
gpage = gmac_get_queue_page(geth, port, mapping + PAGE_SIZE);
if (!gpage) {
dev_err(geth->dev, "could not find mapping\n");
+ if (skb) {
+ napi_free_frags(&port->napi);
+ port->stats.rx_dropped++;
+ skb = NULL;
+ }
continue;
}
page = gpage->page;
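Review bot: the new drop block in the !gpage path resets skb but not the fragment index used while filling it, so on its own this patch may leave the next frame starting from a stale index. Patch 928/969 in this series adds frag_nr = 0 at exactly this spot; the two should be backported together.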
--
2.53.0
* [PATCH 6.1 928/969] net: ethernet: cortina: Carry over frag counter
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Linus Walleij, Paolo Abeni,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Linus Walleij <linusw@kernel.org>
[ Upstream commit ebd8ec2b309e3a447851b456ccaf8fb39f3661e7 ]
The gmac_rx() NAPI poll function assembles packets in an
SKB from a ring buffer.
If the ring buffer gets completely emptied during a poll cycle,
we exit gmac_rx(), but the packet is not yet completely
assembled in the SKB, yet the fragment counter frag_nr is
reset to zero on the next invocation.
Solve this by making the RX fragment counter a part of the
port struct, and carry it over between invocations.
Reset the fragment counter only right after calling
napi_gro_frags(), on error (after calling napi_free_frags())
or if stopping the port.
Reset it in some place where not strictly necessary just to
emphasize what is going on.
This was found by Sashiko during normal patch review.
Fixes: 4d5ae32f5e1e ("net: ethernet: Add a driver for Gemini gigabit ethernet")
Link: https://sashiko.dev/#/patchset/20260505-gemini-ethernet-fix-v2-1-997c31d06079%40kernel.org
Signed-off-by: Linus Walleij <linusw@kernel.org>
Link: https://patch.msgid.link/20260509-gemini-ethernet-fixes-v1-3-6c5d20ddc35b@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/cortina/gemini.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c
index 51108bf65845d..3f0e63c7342bd 100644
--- a/drivers/net/ethernet/cortina/gemini.c
+++ b/drivers/net/ethernet/cortina/gemini.c
@@ -122,6 +122,7 @@ struct gemini_ethernet_port {
struct hrtimer rx_coalesce_timer;
unsigned int rx_coalesce_nsecs;
struct sk_buff *rx_skb;
+ unsigned int rx_frag_nr;
unsigned int freeq_refill;
struct gmac_txq txq[TX_QUEUE_NUM];
@@ -1449,6 +1450,7 @@ static unsigned int gmac_rx(struct net_device *netdev, unsigned int budget)
unsigned short m = (1 << port->rxq_order) - 1;
struct gemini_ethernet *geth = port->geth;
void __iomem *ptr_reg = port->rxq_rwptr;
+ unsigned int frag_nr = port->rx_frag_nr;
struct sk_buff *skb = port->rx_skb;
unsigned int frame_len, frag_len;
struct gmac_rxdesc *rx = NULL;
@@ -1462,7 +1464,6 @@ static unsigned int gmac_rx(struct net_device *netdev, unsigned int budget)
unsigned short r, w;
union dma_rwptr rw;
dma_addr_t mapping;
- int frag_nr = 0;
spin_lock_irqsave(&geth->irq_lock, flags);
rw.bits32 = readl(ptr_reg);
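Review bot: frag_nr changes type here, from the removed int frag_nr = 0; to the unsigned int local and port->rx_frag_nr field added by this patch, and the changelog does not mention it. Please confirm that no use of frag_nr in gmac_rx() depends on signedness, or note the type change in the commit message.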
@@ -1502,6 +1503,7 @@ static unsigned int gmac_rx(struct net_device *netdev, unsigned int budget)
napi_free_frags(&port->napi);
port->stats.rx_dropped++;
skb = NULL;
+ frag_nr = 0;
}
continue;
}
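Review bot: the pair skb = NULL; frag_nr = 0; after napi_free_frags() is now repeated in several drop paths of gmac_rx(), and a future path that forgets one of the two would bring this bug back. A small helper that frees the frags and resets both values would keep them in step.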
@@ -1512,6 +1514,7 @@ static unsigned int gmac_rx(struct net_device *netdev, unsigned int budget)
napi_free_frags(&port->napi);
port->stats.rx_dropped++;
skb = NULL;
+ frag_nr = 0;
}
skb = gmac_skb_if_good_frame(port, word0, frame_len);
@@ -1546,6 +1549,7 @@ static unsigned int gmac_rx(struct net_device *netdev, unsigned int budget)
if (word3.bits32 & EOF_BIT) {
napi_gro_frags(&port->napi);
skb = NULL;
+ frag_nr = 0;
--budget;
}
continue;
@@ -1554,6 +1558,7 @@ static unsigned int gmac_rx(struct net_device *netdev, unsigned int budget)
if (skb) {
napi_free_frags(&port->napi);
skb = NULL;
+ frag_nr = 0;
}
if (mapping)
@@ -1563,6 +1568,7 @@ static unsigned int gmac_rx(struct net_device *netdev, unsigned int budget)
}
port->rx_skb = skb;
+ port->rx_frag_nr = frag_nr;
writew(r, ptr_reg);
return budget;
}
@@ -1892,6 +1898,7 @@ static int gmac_stop(struct net_device *netdev)
gmac_stop_dma(port);
napi_disable(&port->napi);
port->rx_skb = NULL;
+ port->rx_frag_nr = 0;
gmac_enable_irq(netdev, 0);
gmac_cleanup_rxq(netdev);
--
2.53.0
* [PATCH 6.1 929/969] net: ethernet: cs89x0: remove stale CONFIG_MACH_MX31ADS reference
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ethan Nelson-Moore, Paolo Abeni,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ethan Nelson-Moore <enelsonmoore@gmail.com>
[ Upstream commit 36a8d04a8293afcb9304cf0cd3741f67698f2a1a ]
The legacy ARM board file for MACH_MX31ADS was removed in commit
c93197b0041d ("ARM: imx: Remove i.MX31 board files"), but a reference
to it remained in the cs89x0 driver. Drop this unused code.
Signed-off-by: Ethan Nelson-Moore <enelsonmoore@gmail.com>
Fixes: c93197b0041d ("ARM: imx: Remove i.MX31 board files")
Link: https://patch.msgid.link/20260509023732.42256-1-enelsonmoore@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/cirrus/cs89x0.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/net/ethernet/cirrus/cs89x0.c b/drivers/net/ethernet/cirrus/cs89x0.c
index 06a0c00af99c7..75ab9b9668172 100644
--- a/drivers/net/ethernet/cirrus/cs89x0.c
+++ b/drivers/net/ethernet/cirrus/cs89x0.c
@@ -1270,7 +1270,6 @@ static const struct net_device_ops net_ops = {
static void __init reset_chip(struct net_device *dev)
{
-#if !defined(CONFIG_MACH_MX31ADS)
struct net_local *lp = netdev_priv(dev);
unsigned long reset_start_time;
@@ -1297,7 +1296,6 @@ static void __init reset_chip(struct net_device *dev)
while ((readreg(dev, PP_SelfST) & INIT_DONE) == 0 &&
time_before(jiffies, reset_start_time + 2))
;
-#endif /* !CONFIG_MACH_MX31ADS */
}
/* This is the real probe routine.
--
2.53.0
* [PATCH 6.1 930/969] wifi: ath11k: fix error path leaks in some WMI WOW calls
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nicolas Escande, Baochen Qiang,
Rameshkumar Sundaram, Jeff Johnson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolas Escande <nico.escande@gmail.com>
[ Upstream commit 55dda532bbc261aef495e403c8900c5e2ab5fa34 ]
Fix two instances where we used to directly return the result of
ath11k_wmi_cmd_send(...). Because we did not check the return value, we
also did not free the skb in the error path.
Fixes: 79802b13a492 ("ath11k: implement WoW enable and wakeup commands")
Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
Reviewed-by: Rameshkumar Sundaram <rameshkumar.sundaram@oss.qualcomm.com>
Link: https://patch.msgid.link/20260506134240.2284016-2-nico.escande@gmail.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath11k/wmi.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/ath/ath11k/wmi.c b/drivers/net/wireless/ath/ath11k/wmi.c
index 8b50dbc47300b..31128630d8b62 100644
--- a/drivers/net/wireless/ath/ath11k/wmi.c
+++ b/drivers/net/wireless/ath/ath11k/wmi.c
@@ -8482,6 +8482,7 @@ int ath11k_wmi_wow_host_wakeup_ind(struct ath11k *ar)
struct wmi_wow_host_wakeup_ind *cmd;
struct sk_buff *skb;
size_t len;
+ int ret;
len = sizeof(*cmd);
skb = ath11k_wmi_alloc_skb(ar->wmi->wmi_ab, len);
@@ -8495,14 +8496,20 @@ int ath11k_wmi_wow_host_wakeup_ind(struct ath11k *ar)
ath11k_dbg(ar->ab, ATH11K_DBG_WMI, "wmi tlv wow host wakeup ind\n");
- return ath11k_wmi_cmd_send(ar->wmi, skb, WMI_WOW_HOSTWAKEUP_FROM_SLEEP_CMDID);
+ ret = ath11k_wmi_cmd_send(ar->wmi, skb, WMI_WOW_HOSTWAKEUP_FROM_SLEEP_CMDID);
+ if (ret) {
+ ath11k_warn(ar->ab, "failed to send WMI_WOW_HOSTWAKEUP_FROM_SLEEP_CMDID\n");
+ dev_kfree_skb(skb);
+ }
+
+ return ret;
}
int ath11k_wmi_wow_enable(struct ath11k *ar)
{
struct wmi_wow_enable_cmd *cmd;
struct sk_buff *skb;
- int len;
+ int ret, len;
len = sizeof(*cmd);
skb = ath11k_wmi_alloc_skb(ar->wmi->wmi_ab, len);
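Review bot: the new ath11k_warn() drops the error code, so the log does not say why ath11k_wmi_cmd_send() failed; include ret in the message for WMI_WOW_HOSTWAKEUP_FROM_SLEEP_CMDID, and likewise for WMI_WOW_ENABLE_CMDID in the next hunk. Also, len is size_t in ath11k_wmi_wow_host_wakeup_ind() but int in ath11k_wmi_wow_enable() (int ret, len;); both hold sizeof(*cmd), so size_t would be consistent.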
@@ -8517,7 +8524,13 @@ int ath11k_wmi_wow_enable(struct ath11k *ar)
cmd->pause_iface_config = WOW_IFACE_PAUSE_ENABLED;
ath11k_dbg(ar->ab, ATH11K_DBG_WMI, "wmi tlv wow enable\n");
- return ath11k_wmi_cmd_send(ar->wmi, skb, WMI_WOW_ENABLE_CMDID);
+ ret = ath11k_wmi_cmd_send(ar->wmi, skb, WMI_WOW_ENABLE_CMDID);
+ if (ret) {
+ ath11k_warn(ar->ab, "failed to send WMI_WOW_ENABLE_CMDID\n");
+ dev_kfree_skb(skb);
+ }
+
+ return ret;
}
int ath11k_wmi_scan_prob_req_oui(struct ath11k *ar,
--
2.53.0
* [PATCH 6.1 931/969] HID: quirks: really enable the intended work around for appledisplay
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Lukas Bulwahn, Jiri Kosina,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lukas Bulwahn <lukas.bulwahn@redhat.com>
[ Upstream commit 5f90dcfa8dc32a488581b78e575cdd7808ba5c78 ]
Commit c7fabe4ad921 ("HID: quirks: work around VID/PID conflict for
appledisplay") intends to add a quirk for kernels built with Apple Cinema
Display support, but it refers to the non-existing config option
CONFIG_APPLEDISPLAY, whereas the config option for Apple Cinema Display
support is named CONFIG_USB_APPLEDISPLAY.
Refer to the intended config option CONFIG_USB_APPLEDISPLAY in the ifdef
directive.
Fixes: c7fabe4ad921 ("HID: quirks: work around VID/PID conflict for appledisplay")
Signed-off-by: Lukas Bulwahn <lukas.bulwahn@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-quirks.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c
index 99fca77d16641..91ce2b6840144 100644
--- a/drivers/hid/hid-quirks.c
+++ b/drivers/hid/hid-quirks.c
@@ -222,7 +222,7 @@ static const struct hid_device_id hid_quirks[] = {
* used as a driver. See hid_scan_report().
*/
static const struct hid_device_id hid_have_special_driver[] = {
-#if IS_ENABLED(CONFIG_APPLEDISPLAY)
+#if IS_ENABLED(CONFIG_USB_APPLEDISPLAY)
{ HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9218) },
{ HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9219) },
{ HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x921c) },
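Review bot: with the symbol corrected in the #if line, the Apple IDs in this block enter hid_have_special_driver[] for the first time on kernels built with CONFIG_USB_APPLEDISPLAY, which is a behaviour change for a stable tree rather than a pure cleanup. Please confirm the backport was tested with one of these displays attached, or say in the changelog that it was not.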
--
2.53.0
* [PATCH 6.1 932/969] net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Weiming Shi, Xiang Mei, Dust Li,
Sidraya Jayagond, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiang Mei <xmei5@asu.edu>
[ Upstream commit 7bf563badd37cb796df5477d2b78bb64148a1268 ]
The smc_msg_event tracepoint class, shared by smc_tx_sendmsg and
smc_rx_recvmsg, unconditionally dereferences smc->conn.lnk:
__string(name, smc->conn.lnk->ibname)
conn->lnk is only set for SMC-R; for SMC-D it is NULL. Other code on
these paths already handles this (e.g. !conn->lnk in
SMC_STAT_RMB_TX_SIZE_SMALL()). With the tracepoint enabled, the first
sendmsg()/recvmsg() on an SMC-D socket crashes:
Oops: general protection fault, probably for non-canonical address
KASAN: null-ptr-deref in range [...]
RIP: 0010:strlen+0x1e/0xa0
Call Trace:
trace_event_raw_event_smc_msg_event (net/smc/smc_tracepoint.h:44)
smc_rx_recvmsg (net/smc/smc_rx.c:515)
smc_recvmsg (net/smc/af_smc.c:2859)
__sys_recvfrom (net/socket.c:2315)
__x64_sys_recvfrom (net/socket.c:2326)
do_syscall_64
The faulting address 0x3e0 is offsetof(struct smc_link, ibname),
confirming the NULL ->lnk deref. Enabling the tracepoint requires
root, but the trigger itself is unprivileged: socket(AF_SMC, ...) has
no capability check, and SMC-D negotiation needs no admin step on
s390 or on x86 with the loopback ISM device loaded.
Log an empty device name for SMC-D instead of dereferencing NULL.
Fixes: aff3083f10bf ("net/smc: Introduce tracepoints for tx and rx msg")
Reported-by: Weiming Shi <bestswngs@gmail.com>
Signed-off-by: Xiang Mei <xmei5@asu.edu>
Reviewed-by: Dust Li <dust.li@linux.alibaba.com>
Reviewed-by: Sidraya Jayagond <sidraya@linux.ibm.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/smc/smc_tracepoint.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/smc/smc_tracepoint.h b/net/smc/smc_tracepoint.h
index 9fc5e586d24ab..380451912c4f1 100644
--- a/net/smc/smc_tracepoint.h
+++ b/net/smc/smc_tracepoint.h
@@ -51,7 +51,7 @@ DECLARE_EVENT_CLASS(smc_msg_event,
__field(const void *, smc)
__field(u64, net_cookie)
__field(size_t, len)
- __string(name, smc->conn.lnk->ibname)
+ __string(name, smc->conn.lnk ? smc->conn.lnk->ibname : "")
),
TP_fast_assign(
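Review bot: only the __string() declaration changes in this hunk and the TP_fast_assign( body that follows is left untouched (the diffstat shows a single changed line). If the assignment in this tree still passes smc->conn.lnk->ibname as a source argument, the NULL dereference for SMC-D remains there; please check the 6.1 TP_fast_assign body and apply the same smc->conn.lnk ? ... : "" expression if so.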
--
2.53.0
* [PATCH 6.1 933/969] ethtool: fix ethnl_bitmap32_not_zero() bit interval semantics
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chenguang Zhao, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chenguang Zhao <zhaochenguang@kylinos.cn>
[ Upstream commit 3d042592ebd4c7e44974d556de0b727cb7db4dab ]
ethnl_bitmap32_not_zero() should return true if some bit in [start, end)
is set:
- Fix inverted memchr_inv() sense: return true when the scan finds a
non-zero byte, not when the middle words are all zero.
- Return false for an empty interval (end <= start).
- When end is 32-bit aligned, indices in [start, end) do not include any
bits from map[end_word]; return false after earlier checks found no
non-zero data.
Fixes: 10b518d4e6dd ("ethtool: netlink bitset handling")
Signed-off-by: Chenguang Zhao <zhaochenguang@kylinos.cn>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ethtool/bitset.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/ethtool/bitset.c b/net/ethtool/bitset.c
index f0883357d12e5..4691d6d0f2b75 100644
--- a/net/ethtool/bitset.c
+++ b/net/ethtool/bitset.c
@@ -91,7 +91,7 @@ static bool ethnl_bitmap32_not_zero(const u32 *map, unsigned int start,
u32 mask;
if (end <= start)
- return true;
+ return false;
if (start % 32) {
mask = ethnl_upper_bits(start);
@@ -104,11 +104,11 @@ static bool ethnl_bitmap32_not_zero(const u32 *map, unsigned int start,
start_word++;
}
- if (!memchr_inv(map + start_word, '\0',
- (end_word - start_word) * sizeof(u32)))
+ if (memchr_inv(map + start_word, '\0',
+ (end_word - start_word) * sizeof(u32)))
return true;
if (end % 32 == 0)
- return true;
+ return false;
return map[end_word] & ethnl_lower_bits(end);
}
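Review bot: three return values of ethnl_bitmap32_not_zero() flip in this patch and the function still carries no comment stating that the interval is half-open, [start, end), and that an empty interval yields false. Add that contract above the function, and consider a test covering end <= start, end % 32 == 0 and a set bit only in a middle word, since those are the cases that were wrong.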
--
2.53.0
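A userspace model of the interval check described in the commit message above, added here as an illustration (it is not kernel code and not part of the patch). The names range_not_zero(), upper_bits(), lower_bits() and the fixed switch are assumptions made for the example; it compares the pre-patch and post-patch returns against a bit-by-bit oracle over constructed bitmaps.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define WORDS 3	/* constructed 96-bit test bitmap */
#define NBITS (WORDS * 32)

/* Mask of bits (n % 32)..31; stand-in for the kernel helper. */
static uint32_t upper_bits(unsigned int n)
{
	return ~(uint32_t)0 << (n % 32);
}

/* Mask of bits 0..(n % 32 - 1); only valid when n % 32 != 0. */
static uint32_t lower_bits(unsigned int n)
{
	return ~(uint32_t)0 >> (32 - n % 32);
}

/*
 * Model of the check: fixed=true uses the post-patch returns,
 * fixed=false the three pre-patch ones listed in the commit message.
 */
static bool range_not_zero(const uint32_t *map, unsigned int start,
			   unsigned int end, bool fixed)
{
	unsigned int start_word = start / 32;
	unsigned int end_word = end / 32;
	bool middle_set = false;
	unsigned int i;
	uint32_t mask;

	if (end <= start)
		return !fixed;	/* empty interval: was true, now false */

	if (start % 32) {
		mask = upper_bits(start);
		if (end_word == start_word) {
			mask &= lower_bits(end);
			return (map[start_word] & mask) != 0;
		}
		if (map[start_word] & mask)
			return true;
		start_word++;
	}

	/* Whole words inside the interval (memchr_inv() in the kernel). */
	for (i = start_word; i < end_word; i++)
		if (map[i])
			middle_set = true;
	if (middle_set == fixed)	/* pre-patch: true when all zero */
		return true;

	if (end % 32 == 0)
		return !fixed;	/* map[end_word] is outside [start, end) */
	return (map[end_word] & lower_bits(end)) != 0;
}

/* Oracle: test each bit index in [start, end) one at a time. */
static bool range_not_zero_ref(const uint32_t *map, unsigned int start,
			       unsigned int end)
{
	unsigned int i;

	for (i = start; i < end; i++)
		if (map[i / 32] & ((uint32_t)1 << (i % 32)))
			return true;
	return false;
}

/*
 * Count (start, end) pairs where model and oracle disagree, over
 * constructed bitmaps: each single bit set in turn, then all zero.
 */
static unsigned int count_mismatches(bool fixed)
{
	unsigned int bit, start, end, bad = 0;

	for (bit = 0; bit <= NBITS; bit++) {
		uint32_t map[WORDS] = { 0 };

		if (bit < NBITS)	/* bit == NBITS keeps the all-zero map */
			map[bit / 32] |= (uint32_t)1 << (bit % 32);
		for (start = 0; start <= NBITS; start++)
			for (end = 0; end <= NBITS; end++)
				if (range_not_zero(map, start, end, fixed) !=
				    range_not_zero_ref(map, start, end))
					bad++;
	}
	return bad;
}

int main(void)
{
	printf("pre-patch mismatches:  %u\n", count_mismatches(false));
	printf("post-patch mismatches: %u\n", count_mismatches(true));
	return 0;
}
```

The post-patch model agrees with the oracle on every interval, while the pre-patch returns disagree on empty intervals, on word-aligned ends and on bits set only in middle words.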
* [PATCH 6.1 934/969] drm/msm/dsi: dont dump registers past the mapped region
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Konrad Dybcio,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
[ Upstream commit 5b49a46baa853b26dbefa65c6c75dd9ff69f63d4 ]
On DSI 6G platforms the IO address space is internally adjusted by
io_offset. Later this adjusted address might be used for memory dumping.
However the size that is used for memory dumping isn't adjusted to
account for the io_offset, leading to the potential access to the
unmapped region. Lower ctrl_size by the io_offset value to prevent
access past the mapped area.
msm_disp_snapshot_add_block+0x1d4/0x3c8 [msm] (P)
msm_dsi_host_snapshot+0x4c/0x78 [msm]
msm_dsi_snapshot+0x28/0x50 [msm]
msm_disp_snapshot_capture_state+0x74/0x140 [msm]
msm_disp_snapshot_state_sync+0x60/0x90 [msm]
_msm_disp_snapshot_work+0x30/0x90 [msm]
kthread_worker_fn+0xdc/0x460
kthread+0x120/0x140
Fixes: bac2c6a62ed9 ("drm/msm: get rid of msm_iomap_size")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/721747/
Link: https://lore.kernel.org/r/20260428-msm-fix-dsi-dump-v1-1-5d4cb5ccfac7@oss.qualcomm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/dsi/dsi_host.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c
index 88843505d89c9..a2a6cb3a2262d 100644
--- a/drivers/gpu/drm/msm/dsi/dsi_host.c
+++ b/drivers/gpu/drm/msm/dsi/dsi_host.c
@@ -1947,6 +1947,7 @@ int msm_dsi_host_init(struct msm_dsi *msm_dsi)
/* fixup base address by io offset */
msm_host->ctrl_base += cfg->io_offset;
+ msm_host->ctrl_size -= cfg->io_offset;
ret = devm_regulator_bulk_get_const(&pdev->dev, cfg->num_regulators,
cfg->regulator_data,
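Review bot: msm_host->ctrl_size -= cfg->io_offset; has no guard against io_offset being larger than ctrl_size; if ctrl_size is an unsigned type the result wraps to a very large value and the snapshot would read far past the mapping instead of slightly past it. Check cfg->io_offset against msm_host->ctrl_size before the subtraction and return an error if it does not fit.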
--
2.53.0
* [PATCH 6.1 935/969] drm/msm: Fix iommu_map_sgtable() return value check and avoid WARN
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mikko Perttunen, Rob Clark,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikko Perttunen <mperttunen@nvidia.com>
[ Upstream commit 55e0f0d1c1a4ee1e46da7da4d443eb3044fb3851 ]
Commit "iommu: return full error code from iommu_map_sg[_atomic]()"
changed iommu_map_sgtable() to return an ssize_t and negative values
in error cases, rather than a size_t and a zero.
Store the return value in the appropriate type and in case of error,
return it rather than WARNing.
Fixes: ad8f36e4b6b1 ("iommu: return full error code from iommu_map_sg[_atomic]()")
Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
Patchwork: https://patchwork.freedesktop.org/patch/719685/
Message-ID: <20260421-iommu_map_sgtable-return-v1-3-fb484c07d2a1@nvidia.com>
Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/msm_iommu.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/msm/msm_iommu.c b/drivers/gpu/drm/msm/msm_iommu.c
index 0de3612135e96..aa69713ea7f80 100644
--- a/drivers/gpu/drm/msm/msm_iommu.c
+++ b/drivers/gpu/drm/msm/msm_iommu.c
@@ -359,14 +359,15 @@ static int msm_iommu_map(struct msm_mmu *mmu, uint64_t iova,
struct sg_table *sgt, size_t len, int prot)
{
struct msm_iommu *iommu = to_msm_iommu(mmu);
- size_t ret;
+ ssize_t ret;
/* The arm-smmu driver expects the addresses to be sign extended */
if (iova & BIT_ULL(48))
iova |= GENMASK_ULL(63, 49);
ret = iommu_map_sgtable(iommu->domain, iova, sgt, prot);
- WARN_ON(!ret);
+ if (ret < 0)
+ return ret;
return (ret == len) ? 0 : -EINVAL;
}
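Review bot: after the new ret < 0 check, return (ret == len) ? 0 : -EINVAL; compares an ssize_t with a size_t and is correct only because ret is known to be non-negative at that point; an explicit cast or a short comment would stop a later reordering from breaking it. Note also that a zero return from iommu_map_sgtable() now yields -EINVAL silently where the old code raised WARN_ON(!ret).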
--
2.53.0
* [PATCH 6.1 936/969] powerpc/time: Remove redundant preempt_disable|enable() calls from arch_irq_work_raise()
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mahesh Salgaonkar, Shrikanth Hegde,
Ritesh Harjani (IBM), Sayali Patil, Madhavan Srinivasan,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sayali Patil <sayalip@linux.ibm.com>
[ Upstream commit 31467b23823ffec1f6fff407f8e3ca9af8b7491a ]
A kernel panic is observed when handling machine check exceptions from
real mode.
BUG: Unable to handle kernel data access on read at 0xc00000006be21300
Oops: Kernel access of bad area, sig: 11 [#1]
MSR: 8000000000001003 <SF,ME,RI,LE> CR: 88222248 XER: 00000005
CFAR: c00000000003ffc4 DAR: c00000006be21300 DSISR: 40000000 IRQMASK: 0
NIP [c000000000029e40] arch_irq_work_raise+0x10/0x70
LR [c00000000003ffc8] machine_check_queue_event+0xa8/0x150
Call Trace:
[c0000000179d3c70] [c00000000003ff64] machine_check_queue_event+0x44/0x150
[c0000000179d3d30] [c0000000000084e0] machine_check_early_common+0x1f0/0x2c0
The crash occurs because arch_irq_work_raise() calls preempt_disable()
from machine check exception (MCE) handlers running in real mode. In
this context, accessing the preempt_count can fault, leading to the panic.
The preempt_disable()/preempt_enable() pair in arch_irq_work_raise()
was originally added by commit 0fe1ac48bef0 ("powerpc/perf_event: Fix
oops due to perf_event_do_pending call") to avoid races while raising
irq work from exception context.
Later, commit 471ba0e686cb ("irq_work: Do not raise an IPI when
queueing work on the local CPU") added preemption protection in
irq_work_queue() path, while commit 20b876918c06 ("irq_work: Use per
cpu atomics instead of regular atomics") added equivalent
protection in irq_work_queue_on() before reaching arch_irq_work_raise():
irq_work_queue() / irq_work_queue_on()
-> preempt_disable()
-> __irq_work_queue_local()
-> irq_work_raise()
-> arch_irq_work_raise()
As a result, callers other than mce_irq_work_raise() already execute
with preemption disabled, making the additional
preempt_disable()/preempt_enable() pair in arch_irq_work_raise()
redundant.
The arch_irq_work_raise() function executes in NMI context when called
from MCE handler. Hence we will not be preempted or scheduled out since
we are in NMI context with MSR[EE]=0. Therefore, it is safe to remove
the preempt_disable()/preempt_enable() calls from here.
Remove it to avoid accessing preempt_count from real mode context.
Fixes: cc15ff327569 ("powerpc/mce: Avoid using irq_work_queue() in realmode")
Suggested-by: Mahesh Salgaonkar <mahesh@linux.ibm.com>
Acked-by: Shrikanth Hegde <sshegde@linux.ibm.com>
Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Signed-off-by: Sayali Patil <sayalip@linux.ibm.com>
[Maddy: Fixed the commit title]
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20260513081413.222490-1-sayalip@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/kernel/time.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/arch/powerpc/kernel/time.c b/arch/powerpc/kernel/time.c
index 285159e65a3ba..6628b65b9ecad 100644
--- a/arch/powerpc/kernel/time.c
+++ b/arch/powerpc/kernel/time.c
@@ -454,6 +454,10 @@ DEFINE_PER_CPU(u8, irq_work_pending);
#endif /* 32 vs 64 bit */
+/*
+ * Must be called with preemption disabled since it updates
+ * per-CPU irq_work state and programs the local CPU decrementer.
+ */
void arch_irq_work_raise(void)
{
/*
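Review bot: the new comment says arch_irq_work_raise() must be called with preemption disabled, but the changelog's own case, the MCE handler in real mode, relies on running in NMI context with MSR[EE]=0 rather than on preempt_disable(). The comment should name that caller as well, otherwise it reads as if the MCE path breaks the rule.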
@@ -467,10 +471,8 @@ void arch_irq_work_raise(void)
* which could get tangled up if we're messing with the same state
* here.
*/
- preempt_disable();
set_irq_work_pending_flag();
set_dec(1);
- preempt_enable();
}
static void set_dec_or_work(u64 val)
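Review bot: the block comment inside arch_irq_work_raise() that ends with "if we're messing with the same state here" sat directly above the removed preempt_disable(). Check whether it was explaining that call; if so it needs rewording now that the preempt_disable()/preempt_enable() pair is gone.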
--
2.53.0
* [PATCH 6.1 937/969] net/smc: reject CHID-0 ACCEPT that matches an empty ism_dev slot
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Weiming Shi, Xiang Mei, Paolo Abeni,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiang Mei <xmei5@asu.edu>
[ Upstream commit 277740023def559a4a2ddc3e8e784ee37a0f16a9 ]
On the SMC-D client, slot 0 of ini->ism_dev[]/ini->ism_chid[] is
reserved for an SMC-Dv1 device. smc_find_ism_v2_device_clnt()
populates V2 entries starting at index 1, so when no V1 device is
selected slot 0 is left in its kzalloc()'ed state with ism_dev[0] ==
NULL and ism_chid[0] == 0.
smc_v2_determine_accepted_chid() then matches the peer's CHID against
the array starting from index 0 using the CHID alone. A malicious
peer replying to a SMC-Dv2-only proposal with d1.chid == 0 matches
the empty slot, ini->ism_selected becomes 0, and the subsequent
ism_dev[0]->lgr_lock dereference in smc_conn_create() faults at
offsetof(struct smcd_dev, lgr_lock) == 0x68:
BUG: KASAN: null-ptr-deref in _raw_spin_lock_bh+0x79/0xe0
Write of size 4 at addr 0000000000000068 by task exploit/144
Call Trace:
_raw_spin_lock_bh
smc_conn_create (net/smc/smc_core.c:1997)
__smc_connect (net/smc/af_smc.c:1447)
smc_connect (net/smc/af_smc.c:1720)
__sys_connect
__x64_sys_connect
do_syscall_64
Require ism_dev[i] to be non-NULL before accepting a CHID match.
Fixes: a7c9c5f4af7f ("net/smc: CLC accept / confirm V2")
Reported-by: Weiming Shi <bestswngs@gmail.com>
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Xiang Mei <xmei5@asu.edu>
Link: https://patch.msgid.link/20260511062138.2839584-1-xmei5@asu.edu
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/smc/af_smc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
index a609b220b215d..b0f8eca077b89 100644
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -1346,7 +1346,8 @@ smc_v2_determine_accepted_chid(struct smc_clc_msg_accept_confirm_v2 *aclc,
int i;
for (i = 0; i < ini->ism_offered_cnt + 1; i++) {
- if (ini->ism_chid[i] == ntohs(aclc->d1.chid)) {
+ if (ini->ism_dev[i] &&
+ ini->ism_chid[i] == ntohs(aclc->d1.chid)) {
ini->ism_selected = i;
return 0;
}
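Review bot: the new `ini->ism_dev[i] &&` test in the loop has no comment saying why an entry can be NULL while the loop still starts at `i = 0`. The reason (slot 0 is reserved for an SMC-Dv1 device and stays zeroed when none is selected) is only in the commit message; a one-line comment above the condition would keep a later cleanup from dropping the check as redundant.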
--
2.53.0
* [PATCH 6.1 938/969] net: tls: fix off-by-one in sg_chain entry count for wrapped sk_msg ring
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, 钱一铭,
Jakub Kicinski, Sabrina Dubroca, Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Kicinski <kuba@kernel.org>
[ Upstream commit 285943c6e7ca309bbea84b253745154241d9788a ]
When an sk_msg scatterlist ring wraps (sg.end < sg.start),
tls_push_record() chains the tail portion of the ring to the head
using sg_chain(). An extra entry in the sg array is reserved for
this:
struct sk_msg_sg {
[...]
/* The extra two elements:
* 1) used for chaining the front and sections when the list becomes
* partitioned (e.g. end < start). The crypto APIs require the
* chaining;
* 2) to chain tailer SG entries after the message.
*/
struct scatterlist data[MAX_MSG_FRAGS + 2];
The current code uses MAX_SKB_FRAGS + 1 as the ring size:
sg_chain(&msg_pl->sg.data[msg_pl->sg.start],
MAX_SKB_FRAGS - msg_pl->sg.start + 1,
msg_pl->sg.data);
This places the chain pointer at
sg_chain(data[start], (MAX_SKB_FRAGS - msg_start + 1) .. =
&data[start] + (MAX_SKB_FRAGS - msg_start + 1) - 1 =
data[start + (MAX_SKB_FRAGS - start + 1) - 1] =
data[MAX_SKB_FRAGS]
instead of the true last entry. This is likely due to a "race" of
the commit under Fixes landing close to
commit 031097d9e079 ("bpf: sk_msg, zap ingress queue on psock down")
Convert to ARRAY_SIZE and drop the data[start] / - start (as suggested
by Sabrina).
Reported-by: 钱一铭 <yimingqian591@gmail.com>
Fixes: 9aaaa56845a0 ("bpf: Sockmap/tls, skmsg can have wrapped skmsg that needs extra chaining")
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Link: https://patch.msgid.link/20260511174920.433155-2-kuba@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/tls/tls_sw.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index ef7dda0915d33..a46f3cc4b3f14 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -801,11 +801,9 @@ static int tls_push_record(struct sock *sk, int flags,
sg_mark_end(sk_msg_elem(msg_pl, i));
}
- if (msg_pl->sg.end < msg_pl->sg.start) {
- sg_chain(&msg_pl->sg.data[msg_pl->sg.start],
- MAX_SKB_FRAGS - msg_pl->sg.start + 1,
+ if (msg_pl->sg.end < msg_pl->sg.start)
+ sg_chain(msg_pl->sg.data, ARRAY_SIZE(msg_pl->sg.data),
msg_pl->sg.data);
- }
i = msg_pl->sg.start;
sg_chain(rec->sg_aead_in, 2, &msg_pl->sg.data[i]);
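Review bot: the wrap condition kept here, `msg_pl->sg.end < msg_pl->sg.start`, is also true when `sg.end` is 0, so the wrap link is still written into the last slot and points at `data[0]` even though nothing was pushed after the wrap. Patch 939/969 in this series reworks that case, so the two should be applied together. Separately, `ARRAY_SIZE(msg_pl->sg.data)` is only right while `data` is a real array member; a short comment that the last element is the reserved chain slot would make the intent clear.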
--
2.53.0
* [PATCH 6.1 939/969] net: tls: prevent chain-after-chain in plain text SG
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sashiko, Jakub Kicinski, Paolo Abeni,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Kicinski <kuba@kernel.org>
[ Upstream commit ff26a0e8377dec07e4a7230db7675bed1b9a6d03 ]
Sashiko points out that if end = 0 (start != 0) the current
code will create a chain link to content type right after
the wrap link:
This would create a chain where the wrap link points directly
to another chain link. The scatterlist API sg_next iterator
does not recursively resolve consecutive chain links.
meaning this is illegal input to crypto.
The wrapping link is unnecessary if end = 0. end is the entry after
the last one used so end = 0 means there's nothing pushed after
the wrap:
end start i
v v v
[ ]...[ ][ d ][ d ][ d ][ d ][rsv for wrap]
Skip the wrapping in this case.
TLS 1.3 can use the "wrapping slot" for its chaining if end = 0.
This avoids the chain-after-chain.
Move the wrap chaining before marking END and chaining off content
type, that feels like more logical ordering to me, but should not
matter from functional perspective.
Reported-by: Sashiko <sashiko-bot@kernel.org>
Fixes: 9aaaa56845a0 ("bpf: Sockmap/tls, skmsg can have wrapped skmsg that needs extra chaining")
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Link: https://patch.msgid.link/20260511174920.433155-3-kuba@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/tls/tls_sw.c | 24 ++++++++++++++++++------
1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index a46f3cc4b3f14..de85e26d9675d 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -790,21 +790,33 @@ static int tls_push_record(struct sock *sk, int flags,
i = msg_pl->sg.end;
sk_msg_iter_var_prev(i);
+ /* msg_pl->sg.data is a ring; data[MAX+1] is reserved for the wrap
+ * link (frags won't use it). 'i' is now the last filled entry:
+ *
+ * i end start
+ * v v v [ rsv ]
+ * [ d ][ d ][ ][ ]...[ ][ d ][ d ][ d ][chain]
+ * ^ END v
+ * `-----------------------------------------'
+ *
+ * Note that SGL does not allow chain-after-chain, so for TLS 1.3,
+ * we must make sure we don't create the wrap entry and then chain
+ * link to content_type immediately at index 0.
+ */
+ if (i < msg_pl->sg.start)
+ sg_chain(msg_pl->sg.data, ARRAY_SIZE(msg_pl->sg.data),
+ msg_pl->sg.data);
+
rec->content_type = record_type;
if (prot->version == TLS_1_3_VERSION) {
/* Add content type to end of message. No padding added */
sg_set_buf(&rec->sg_content_type, &rec->content_type, 1);
sg_mark_end(&rec->sg_content_type);
- sg_chain(msg_pl->sg.data, msg_pl->sg.end + 1,
- &rec->sg_content_type);
+ sg_chain(msg_pl->sg.data, i + 2, &rec->sg_content_type);
} else {
sg_mark_end(sk_msg_elem(msg_pl, i));
}
- if (msg_pl->sg.end < msg_pl->sg.start)
- sg_chain(msg_pl->sg.data, ARRAY_SIZE(msg_pl->sg.data),
- msg_pl->sg.data);
-
i = msg_pl->sg.start;
sg_chain(rec->sg_aead_in, 2, &msg_pl->sg.data[i]);
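Review bot: the count `i + 2` in `sg_chain(msg_pl->sg.data, i + 2, &rec->sg_content_type)` is not explained at the call site, and the new comment block only covers the wrap link. Since sg_chain() writes the link into the last of the counted entries, this puts it at `data[i + 1]`, which is `data[end]` in the common case and the reserved slot when `end` is 0; saying so next to the call would help. The block comment also draws only the wrapped layout; a line on the `end == 0` layout, where `i` is not below `start` and the wrap link is skipped, would cover the case this patch is about.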
--
2.53.0
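The end = 0 case from the message above, as a user-space model added here (not kernel code and not part of the patch). `model_sg_chain()` and `model_sg_next()` imitate only the link placement and single-link following that the two tls commit messages describe; `MAX_FRAGS`, the struct and `walk()` are constructed names, and only the TLS 1.3 content-type path is modelled.

```c
#include <stdio.h>
#include <string.h>

#define MAX_FRAGS 4               /* constructed; small so the ring is easy to follow */
#define NR_IDS    (MAX_FRAGS + 1) /* assumption: ring indices 0..MAX_FRAGS hold data */
#define NR_SLOTS  (MAX_FRAGS + 2) /* last slot is reserved for the wrap link */

struct model_sg {
	int is_chain;            /* entry is a link, not data */
	int is_end;              /* END marker */
	struct model_sg *chain;  /* link target when is_chain is set */
};

/* Like sg_chain(): the link is written into prv[nents - 1]. */
static void model_sg_chain(struct model_sg *prv, int nents, struct model_sg *next)
{
	prv[nents - 1].is_chain = 1;
	prv[nents - 1].is_end = 0;
	prv[nents - 1].chain = next;
}

/* Like sg_next(): step one entry and follow at most one link. */
static struct model_sg *model_sg_next(struct model_sg *sg)
{
	if (sg->is_end)
		return NULL;
	sg++;
	if (sg->is_chain)
		sg = sg->chain;
	return sg;
}

/*
 * Build the plain-text list for a ring with the given start/end and walk it
 * from data[start]. Returns the number of entries handed out by the iterator
 * (data entries plus the content-type entry), or -1 if the iterator hands out
 * a chain link as if it were data.
 *
 * fixed == 0: ordering before the patch (content-type link, then wrap link
 *             whenever end < start).
 * fixed == 1: ordering after the patch (wrap link only if i < start, then
 *             content-type link at data[i + 1]).
 */
int walk(int start, int end, int fixed)
{
	struct model_sg data[NR_SLOTS];
	struct model_sg content_type;
	struct model_sg *sg;
	int i, seen = 0;

	memset(data, 0, sizeof(data));
	memset(&content_type, 0, sizeof(content_type));
	content_type.is_end = 1;

	/* 'i' is the last filled entry: the ring slot before 'end'. */
	i = end ? end - 1 : NR_IDS - 1;

	if (fixed) {
		if (i < start)
			model_sg_chain(data, NR_SLOTS, data);
		model_sg_chain(data, i + 2, &content_type);
	} else {
		model_sg_chain(data, end + 1, &content_type);
		if (end < start)
			model_sg_chain(data, NR_SLOTS, data);
	}

	/* The bound on 'seen' keeps a malformed list from looping forever. */
	for (sg = &data[start]; sg && seen <= NR_SLOTS; sg = model_sg_next(sg)) {
		if (sg->is_chain)
			return -1;
		seen++;
	}
	return seen;
}

int main(void)
{
	printf("start=3 end=0, old order: %d\n", walk(3, 0, 0));
	printf("start=3 end=0, new order: %d\n", walk(3, 0, 1));
	printf("start=3 end=2, old order: %d\n", walk(3, 2, 0));
	printf("start=3 end=2, new order: %d\n", walk(3, 2, 1));
	return 0;
}
```

With the old ordering and end = 0, the wrap link in the reserved slot points at `data[0]`, which already holds the content-type link, so the iterator returns a link entry; the other layouts walk cleanly under both orderings.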
* [PATCH 6.1 940/969] spi: mtk-snfi: Fix resource leak in mtk_snand_read_page_cache()
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Felix Gu, Mark Brown, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Gu <ustc.gu@gmail.com>
[ Upstream commit 496ba79b9496b8b3747cbc764ebd33ee7325e806 ]
When DMA read times out in mtk_snand_read_page_cache(), the original code
erroneously jumped to cleanup label which skips DMA unmapping and ECC
disable, causing a resource leak.
Fixes: 764f1b748164 ("spi: add driver for MTK SPI NAND Flash Interface")
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Link: https://patch.msgid.link/20260510-snfi-v1-1-bc375cf1af8e@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-mtk-snfi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/spi/spi-mtk-snfi.c b/drivers/spi/spi-mtk-snfi.c
index 7afb2202b2d95..ef14ef31eac1d 100644
--- a/drivers/spi/spi-mtk-snfi.c
+++ b/drivers/spi/spi-mtk-snfi.c
@@ -930,7 +930,7 @@ static int mtk_snand_read_page_cache(struct mtk_snand *snf,
&snf->op_done, usecs_to_jiffies(SNFI_POLL_INTERVAL))) {
dev_err(snf->dev, "DMA timed out for reading from cache.\n");
ret = -ETIMEDOUT;
- goto cleanup;
+ goto cleanup2;
}
// Wait for BUS_SEC_CNTR returning expected value
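Review bot: `cleanup` and `cleanup2` differ only by a digit, and this hunk exists because the wrong one was picked on the DMA timeout path. Consider renaming the labels after what they undo (the commit message mentions DMA unmapping and ECC disable) so the next error path added here does not repeat the mistake.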
--
2.53.0
* [PATCH 6.1 941/969] drm/msm/snapshot: fix dumping of the unaligned regions
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Salendarsingh Gaud, Dmitry Baryshkov,
Rob Clark, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
[ Upstream commit 76824d2467feb1828b745d6add2541918d7be3da ]
The snapshotting code internally aligns data segment to 16 bytes. This
works fine for DPU code (where most of the regions are aligned), but
fails for snapshotting of the DSI data (because DSI data region is
shifted by 4 bytes). Fix the code by removing length alignment and by
accurately printing last registers in the region. While reworking the
code also fix the 16x memory overallocation in
msm_disp_state_dump_regs().
Fixes: 98659487b845 ("drm/msm: add support to take dpu snapshot")
Reported-by: Salendarsingh Gaud <sgaud@qti.qualcomm.com>
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/725449/
Message-ID: <20260516-msm-fix-dsi-dump-2-v2-1-9e49fb2d240e@oss.qualcomm.com>
Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../gpu/drm/msm/disp/msm_disp_snapshot_util.c | 24 ++++++++++++++-----
1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c b/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c
index 4d55e3cf570f0..a966a03167cc0 100644
--- a/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c
+++ b/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c
@@ -9,7 +9,7 @@
#include "msm_disp_snapshot.h"
-static void msm_disp_state_dump_regs(u32 **reg, u32 aligned_len, void __iomem *base_addr)
+static void msm_disp_state_dump_regs(u32 **reg, u32 len, void __iomem *base_addr)
{
u32 len_padded;
u32 num_rows;
@@ -19,11 +19,11 @@ static void msm_disp_state_dump_regs(u32 **reg, u32 aligned_len, void __iomem *b
void __iomem *end_addr;
int i;
- len_padded = aligned_len * REG_DUMP_ALIGN;
- num_rows = aligned_len / REG_DUMP_ALIGN;
+ len_padded = round_up(len, REG_DUMP_ALIGN);
+ num_rows = DIV_ROUND_UP(len, REG_DUMP_ALIGN);
addr = base_addr;
- end_addr = base_addr + aligned_len;
+ end_addr = base_addr + len;
if (!(*reg))
*reg = kvzalloc(len_padded, GFP_KERNEL);
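Review bot: `num_rows` is now rounded up with `DIV_ROUND_UP(len, REG_DUMP_ALIGN)`, so the last row can be partial, while `end_addr` is the unpadded `base_addr + len`. The loop that fills `*reg` is outside this hunk; it needs to bound each register read by `end_addr` and not by `num_rows` alone, otherwise the final row reads past the region.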
@@ -51,8 +51,8 @@ static void msm_disp_state_dump_regs(u32 **reg, u32 aligned_len, void __iomem *b
static void msm_disp_state_print_regs(const u32 *dump_addr, u32 len,
void __iomem *base_addr, struct drm_printer *p)
{
+ void __iomem *addr, *end_addr;
int i;
- void __iomem *addr;
u32 num_rows;
if (!dump_addr) {
@@ -61,6 +61,7 @@ static void msm_disp_state_print_regs(const u32 *dump_addr, u32 len,
}
addr = base_addr;
+ end_addr = base_addr + len;
num_rows = len / REG_DUMP_ALIGN;
for (i = 0; i < num_rows; i++) {
@@ -70,6 +71,17 @@ static void msm_disp_state_print_regs(const u32 *dump_addr, u32 len,
dump_addr[i * 4 + 2], dump_addr[i * 4 + 3]);
addr += REG_DUMP_ALIGN;
}
+
+ if (addr != end_addr) {
+ drm_printf(p, "0x%lx : %08x",
+ (unsigned long)(addr - base_addr),
+ dump_addr[i * 4]);
+ if (addr + 0x4 < end_addr)
+ drm_printf(p, " %08x", dump_addr[i * 4 + 1]);
+ if (addr + 0x8 < end_addr)
+ drm_printf(p, " %08x", dump_addr[i * 4 + 2]);
+ drm_printf(p, "\n");
+ }
}
void msm_disp_state_print(struct msm_disp_state *state, struct drm_printer *p)
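Review bot: the tail printing after the row loop uses bare `0x4` and `0x8` offsets and assumes `len` is a multiple of 4. If `addr != end_addr` holds with fewer than four bytes left, `dump_addr[i * 4]` is still printed as a full register. Either state that `len` must be a multiple of `sizeof(u32)` or derive the remaining word count from `end_addr - addr`, which also replaces the separate comparisons with one loop.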
@@ -189,7 +201,7 @@ void msm_disp_snapshot_add_block(struct msm_disp_state *disp_state, u32 len,
va_end(va);
INIT_LIST_HEAD(&new_blk->node);
- new_blk->size = ALIGN(len, REG_DUMP_ALIGN);
+ new_blk->size = len;
new_blk->base_addr = base_addr;
msm_disp_state_dump_regs(&new_blk->state, new_blk->size, base_addr);
--
2.53.0
* [PATCH 6.1 942/969] wifi: ath11k: Trigger sta disconnect on hardware restart
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot,
Youghandhar Chintala, Kalle Valo, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Youghandhar Chintala <quic_youghand@quicinc.com>
[ Upstream commit a018750a2cceaf4427c4ee3d9ce3e83a171d5bd6 ]
Currently after the hardware restart triggered from the driver, the
station interface connection remains intact, since a disconnect trigger
is not sent to userspace. This can lead to a problem in targets where
the wifi mac sequence is added by the firmware.
After the target restart, its wifi mac sequence number gets reset to
zero. Hence AP to which our device is connected will receive frames with
a wifi mac sequence number jump to the past, thereby resulting in the
AP dropping all these frames, until the frame arrives with a wifi mac
sequence number which AP was expecting.
To avoid such frame drops, it's better to trigger a station disconnect
upon target hardware restart which can be done with API
ieee80211_reconfig_disconnect exposed to mac80211.
The other targets are not affected by this change, since the hardware
params flag is not set.
Reported-by: kernel test robot <lkp@intel.com>
Tested-on: WCN6750 hw1.0 AHB WLAN.MSL.1.0.1-00887-QCAMSLSWPLZ-1
Signed-off-by: Youghandhar Chintala <quic_youghand@quicinc.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20221104085403.11025-1-quic_youghand@quicinc.com
Stable-dep-of: 2a2451a34afd ("wifi: ath11k: fix peer resolution on rx path when peer_id=0")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath11k/core.c | 6 ++++++
drivers/net/wireless/ath/ath11k/hw.h | 1 +
drivers/net/wireless/ath/ath11k/mac.c | 7 +++++++
3 files changed, 14 insertions(+)
diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c
index 9b5349230ad34..7a61c84939cb3 100644
--- a/drivers/net/wireless/ath/ath11k/core.c
+++ b/drivers/net/wireless/ath/ath11k/core.c
@@ -195,6 +195,7 @@ static const struct ath11k_hw_params ath11k_hw_params[] = {
.tcl_ring_retry = true,
.tx_ring_size = DP_TCL_DATA_RING_SIZE,
.smp2p_wow_exit = false,
+ .support_fw_mac_sequence = false,
},
{
.name = "qca6390 hw2.0",
@@ -277,6 +278,7 @@ static const struct ath11k_hw_params ath11k_hw_params[] = {
.tcl_ring_retry = true,
.tx_ring_size = DP_TCL_DATA_RING_SIZE,
.smp2p_wow_exit = false,
+ .support_fw_mac_sequence = true,
},
{
.name = "qcn9074 hw1.0",
@@ -356,6 +358,7 @@ static const struct ath11k_hw_params ath11k_hw_params[] = {
.tcl_ring_retry = true,
.tx_ring_size = DP_TCL_DATA_RING_SIZE,
.smp2p_wow_exit = false,
+ .support_fw_mac_sequence = false,
},
{
.name = "wcn6855 hw2.0",
@@ -438,6 +441,7 @@ static const struct ath11k_hw_params ath11k_hw_params[] = {
.tcl_ring_retry = true,
.tx_ring_size = DP_TCL_DATA_RING_SIZE,
.smp2p_wow_exit = false,
+ .support_fw_mac_sequence = true,
},
{
.name = "wcn6855 hw2.1",
@@ -519,6 +523,7 @@ static const struct ath11k_hw_params ath11k_hw_params[] = {
.tcl_ring_retry = true,
.tx_ring_size = DP_TCL_DATA_RING_SIZE,
.smp2p_wow_exit = false,
+ .support_fw_mac_sequence = true,
},
{
.name = "wcn6750 hw1.0",
@@ -597,6 +602,7 @@ static const struct ath11k_hw_params ath11k_hw_params[] = {
.tcl_ring_retry = false,
.tx_ring_size = DP_TCL_DATA_RING_SIZE_WCN6750,
.smp2p_wow_exit = true,
+ .support_fw_mac_sequence = true,
},
};
diff --git a/drivers/net/wireless/ath/ath11k/hw.h b/drivers/net/wireless/ath/ath11k/hw.h
index 8a3f24862edc4..0c5ef8a526d85 100644
--- a/drivers/net/wireless/ath/ath11k/hw.h
+++ b/drivers/net/wireless/ath/ath11k/hw.h
@@ -219,6 +219,7 @@ struct ath11k_hw_params {
bool tcl_ring_retry;
u32 tx_ring_size;
bool smp2p_wow_exit;
+ bool support_fw_mac_sequence;
};
struct ath11k_hw_ops {
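Review bot: `support_fw_mac_sequence` is added to `struct ath11k_hw_params` without a comment. The name describes a firmware property, but the flag is used to decide whether stations are disconnected after a restart; a one-line comment on the field saying so would help whoever fills in the next hw_params entry.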
diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
index 6a244f110dca6..2ef03ad1c9051 100644
--- a/drivers/net/wireless/ath/ath11k/mac.c
+++ b/drivers/net/wireless/ath/ath11k/mac.c
@@ -7981,6 +7981,7 @@ ath11k_mac_op_reconfig_complete(struct ieee80211_hw *hw,
struct ath11k *ar = hw->priv;
struct ath11k_base *ab = ar->ab;
int recovery_count;
+ struct ath11k_vif *arvif;
if (reconfig_type != IEEE80211_RECONFIG_TYPE_RESTART)
return;
@@ -8016,6 +8017,12 @@ ath11k_mac_op_reconfig_complete(struct ieee80211_hw *hw,
ath11k_dbg(ab, ATH11K_DBG_BOOT, "reset success\n");
}
}
+ if (ar->ab->hw_params.support_fw_mac_sequence) {
+ list_for_each_entry(arvif, &ar->arvifs, list) {
+ if (arvif->is_up && arvif->vdev_type == WMI_VDEV_TYPE_STA)
+ ieee80211_hw_restart_disconnect(arvif->vif);
+ }
+ }
}
mutex_unlock(&ar->conf_mutex);
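Review bot: the commit message names `ieee80211_reconfig_disconnect`, but the added loop calls `ieee80211_hw_restart_disconnect(arvif->vif)`; the changelog should match the code. In the same block, `ar->ab->hw_params` can be `ab->hw_params`, since `ab` is already a local used by the `ath11k_dbg()` call just above.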
--
2.53.0
* [PATCH 6.1 943/969] wifi: ath11k: update hw params for IPQ5018
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sriram R, Karthikeyan Kathirvel,
Kalle Valo, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sriram R <quic_srirrama@quicinc.com>
[ Upstream commit 8dfe875aa24aec68baf6702018633c84c2c1feca ]
Add new compatible string for IPQ5018 and add
required hw params for IPQ5018. The hw descriptors size and
datapath ops are similar to QCN9074, hence reuse the same.
Tested-on: IPQ5018 hw1.0 AHB WLAN.HK.2.6.0.1-00861-QCAHKSWPL_SILICONZ-1
Signed-off-by: Sriram R <quic_srirrama@quicinc.com>
Co-developed-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com>
Signed-off-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20221122132152.17771-3-quic_kathirve@quicinc.com
Stable-dep-of: 2a2451a34afd ("wifi: ath11k: fix peer resolution on rx path when peer_id=0")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath11k/core.c | 71 ++++++++++++++++++++++++++
drivers/net/wireless/ath/ath11k/core.h | 8 +++
2 files changed, 79 insertions(+)
diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c
index 7a61c84939cb3..c8fb72d9613fa 100644
--- a/drivers/net/wireless/ath/ath11k/core.c
+++ b/drivers/net/wireless/ath/ath11k/core.c
@@ -604,6 +604,77 @@ static const struct ath11k_hw_params ath11k_hw_params[] = {
.smp2p_wow_exit = true,
.support_fw_mac_sequence = true,
},
+ {
+ .hw_rev = ATH11K_HW_IPQ5018_HW10,
+ .name = "ipq5018 hw1.0",
+ .fw = {
+ .dir = "IPQ5018/hw1.0",
+ .board_size = 256 * 1024,
+ .cal_offset = 128 * 1024,
+ },
+ .max_radios = MAX_RADIOS_5018,
+ .bdf_addr = 0x4BA00000,
+ /* hal_desc_sz and hw ops are similar to qcn9074 */
+ .hal_desc_sz = sizeof(struct hal_rx_desc_qcn9074),
+ .qmi_service_ins_id = ATH11K_QMI_WLFW_SERVICE_INS_ID_V01_IPQ8074,
+ .ring_mask = &ath11k_hw_ring_mask_ipq8074,
+ .credit_flow = false,
+ .max_tx_ring = 1,
+ .spectral = {
+ .fft_sz = 2,
+ .fft_pad_sz = 0,
+ .summary_pad_sz = 16,
+ .fft_hdr_len = 24,
+ .max_fft_bins = 1024,
+ },
+ .internal_sleep_clock = false,
+ .host_ce_config = ath11k_host_ce_config_qcn9074,
+ .ce_count = CE_CNT_5018,
+ .rxdma1_enable = true,
+ .num_rxmda_per_pdev = RXDMA_PER_PDEV_5018,
+ .rx_mac_buf_ring = false,
+ .vdev_start_delay = false,
+ .htt_peer_map_v2 = true,
+ .interface_modes = BIT(NL80211_IFTYPE_STATION) |
+ BIT(NL80211_IFTYPE_AP) |
+ BIT(NL80211_IFTYPE_MESH_POINT),
+ .supports_monitor = false,
+ .supports_sta_ps = false,
+ .supports_shadow_regs = false,
+ .fw_mem_mode = 0,
+ .num_vdevs = 16 + 1,
+ .num_peers = 512,
+ .supports_regdb = false,
+ .idle_ps = false,
+ .supports_suspend = false,
+ .hal_params = &ath11k_hw_hal_params_ipq8074,
+ .single_pdev_only = false,
+ .cold_boot_calib = true,
+ .fix_l1ss = true,
+ .supports_dynamic_smps_6ghz = false,
+ .alloc_cacheable_memory = true,
+ .supports_rssi_stats = false,
+ .fw_wmi_diag_event = false,
+ .current_cc_support = false,
+ .dbr_debug_support = true,
+ .global_reset = false,
+ .bios_sar_capa = NULL,
+ .m3_fw_support = false,
+ .fixed_bdf_addr = true,
+ .fixed_mem_region = true,
+ .static_window_map = false,
+ .hybrid_bus_type = false,
+ .fixed_fw_mem = false,
+ .support_off_channel_tx = false,
+ .supports_multi_bssid = false,
+
+ .sram_dump = {},
+
+ .tcl_ring_retry = true,
+ .tx_ring_size = DP_TCL_DATA_RING_SIZE,
+ .smp2p_wow_exit = false,
+ .support_fw_mac_sequence = false,
+ },
};
static inline struct ath11k_pdev *ath11k_core_get_single_pdev(struct ath11k_base *ab)
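Review bot: the comment `/* hal_desc_sz and hw ops are similar to qcn9074 */` mentions hw ops, but the new `ipq5018 hw1.0` entry sets `.hal_desc_sz` only; no `.hw_ops` member appears in it. If that arrives in a later patch of the series, say so in the comment or changelog, because until then the entry leaves it zero-initialised. The entry also pairs `.ce_count = CE_CNT_5018` with `ath11k_host_ce_config_qcn9074`, so it is worth confirming that table has at least that many elements.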
diff --git a/drivers/net/wireless/ath/ath11k/core.h b/drivers/net/wireless/ath/ath11k/core.h
index a46fe85e592d8..09e40ff461730 100644
--- a/drivers/net/wireless/ath/ath11k/core.h
+++ b/drivers/net/wireless/ath/ath11k/core.h
@@ -142,6 +142,7 @@ enum ath11k_hw_rev {
ATH11K_HW_WCN6855_HW20,
ATH11K_HW_WCN6855_HW21,
ATH11K_HW_WCN6750_HW10,
+ ATH11K_HW_IPQ5018_HW10,
};
enum ath11k_firmware_mode {
@@ -230,6 +231,13 @@ struct ath11k_he {
#define MAX_RADIOS 3
+/* ipq5018 hw param macros */
+#define MAX_RADIOS_5018 1
+#define CE_CNT_5018 6
+#define TARGET_CE_CNT_5018 9
+#define SVC_CE_MAP_LEN_5018 17
+#define RXDMA_PER_PDEV_5018 1
+
enum {
WMI_HOST_TP_SCALE_MAX = 0,
WMI_HOST_TP_SCALE_50 = 1,
--
2.53.0
* [PATCH 6.1 944/969] wifi: ath11k: update ce configurations for IPQ5018
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sriram R, Karthikeyan Kathirvel,
Kalle Valo, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sriram R <quic_srirrama@quicinc.com>
[ Upstream commit 26af7aabd2d8225c6b2056234626ba5099610871 ]
IPQ5018 is a single pdev device. Update host
and target CE configurations accordingly.
Tested-on: IPQ5018 hw1.0 AHB WLAN.HK.2.6.0.1-00861-QCAHKSWPL_SILICONZ-1
Signed-off-by: Sriram R <quic_srirrama@quicinc.com>
Co-developed-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com>
Signed-off-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20221122132152.17771-4-quic_kathirve@quicinc.com
Stable-dep-of: 2a2451a34afd ("wifi: ath11k: fix peer resolution on rx path when peer_id=0")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath11k/core.c | 4 +
drivers/net/wireless/ath/ath11k/core.h | 3 +
drivers/net/wireless/ath/ath11k/hw.c | 191 +++++++++++++++++++++++++
3 files changed, 198 insertions(+)
diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c
index c8fb72d9613fa..4c234d576b3d9 100644
--- a/drivers/net/wireless/ath/ath11k/core.c
+++ b/drivers/net/wireless/ath/ath11k/core.c
@@ -630,6 +630,10 @@ static const struct ath11k_hw_params ath11k_hw_params[] = {
.internal_sleep_clock = false,
.host_ce_config = ath11k_host_ce_config_qcn9074,
.ce_count = CE_CNT_5018,
+ .target_ce_config = ath11k_target_ce_config_wlan_ipq5018,
+ .target_ce_count = TARGET_CE_CNT_5018,
+ .svc_to_ce_map = ath11k_target_service_to_ce_map_wlan_ipq5018,
+ .svc_to_ce_map_len = SVC_CE_MAP_LEN_5018,
.rxdma1_enable = true,
.num_rxmda_per_pdev = RXDMA_PER_PDEV_5018,
.rx_mac_buf_ring = false,
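Review bot: `.target_ce_count` and `.svc_to_ce_map_len` are set from the hard-coded `TARGET_CE_CNT_5018` and `SVC_CE_MAP_LEN_5018`, while the tables they describe are defined in hw.c. Nothing keeps the numbers and the tables in step; a comment next to each table stating the expected count (and that the map length excludes the terminator entry) would catch a later edit that changes one side only.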
diff --git a/drivers/net/wireless/ath/ath11k/core.h b/drivers/net/wireless/ath/ath11k/core.h
index 09e40ff461730..c0ddcf7bcd90b 100644
--- a/drivers/net/wireless/ath/ath11k/core.h
+++ b/drivers/net/wireless/ath/ath11k/core.h
@@ -1147,6 +1147,9 @@ extern const struct service_to_pipe ath11k_target_service_to_ce_map_wlan_ipq6018
extern const struct ce_pipe_config ath11k_target_ce_config_wlan_qca6390[];
extern const struct service_to_pipe ath11k_target_service_to_ce_map_wlan_qca6390[];
+extern const struct ce_pipe_config ath11k_target_ce_config_wlan_ipq5018[];
+extern const struct service_to_pipe ath11k_target_service_to_ce_map_wlan_ipq5018[];
+
extern const struct ce_pipe_config ath11k_target_ce_config_wlan_qcn9074[];
extern const struct service_to_pipe ath11k_target_service_to_ce_map_wlan_qcn9074[];
int ath11k_core_qmi_firmware_ready(struct ath11k_base *ab);
diff --git a/drivers/net/wireless/ath/ath11k/hw.c b/drivers/net/wireless/ath/ath11k/hw.c
index 332664643c7b4..1928da8415518 100644
--- a/drivers/net/wireless/ath/ath11k/hw.c
+++ b/drivers/net/wireless/ath/ath11k/hw.c
@@ -1973,6 +1973,197 @@ const struct ath11k_hw_ring_mask ath11k_hw_ring_mask_wcn6750 = {
},
};
+/* Target firmware's Copy Engine configuration for IPQ5018 */
+const struct ce_pipe_config ath11k_target_ce_config_wlan_ipq5018[] = {
+ /* CE0: host->target HTC control and raw streams */
+ {
+ .pipenum = __cpu_to_le32(0),
+ .pipedir = __cpu_to_le32(PIPEDIR_OUT),
+ .nentries = __cpu_to_le32(32),
+ .nbytes_max = __cpu_to_le32(2048),
+ .flags = __cpu_to_le32(CE_ATTR_FLAGS),
+ .reserved = __cpu_to_le32(0),
+ },
+
+ /* CE1: target->host HTT + HTC control */
+ {
+ .pipenum = __cpu_to_le32(1),
+ .pipedir = __cpu_to_le32(PIPEDIR_IN),
+ .nentries = __cpu_to_le32(32),
+ .nbytes_max = __cpu_to_le32(2048),
+ .flags = __cpu_to_le32(CE_ATTR_FLAGS),
+ .reserved = __cpu_to_le32(0),
+ },
+
+ /* CE2: target->host WMI */
+ {
+ .pipenum = __cpu_to_le32(2),
+ .pipedir = __cpu_to_le32(PIPEDIR_IN),
+ .nentries = __cpu_to_le32(32),
+ .nbytes_max = __cpu_to_le32(2048),
+ .flags = __cpu_to_le32(CE_ATTR_FLAGS),
+ .reserved = __cpu_to_le32(0),
+ },
+
+ /* CE3: host->target WMI */
+ {
+ .pipenum = __cpu_to_le32(3),
+ .pipedir = __cpu_to_le32(PIPEDIR_OUT),
+ .nentries = __cpu_to_le32(32),
+ .nbytes_max = __cpu_to_le32(2048),
+ .flags = __cpu_to_le32(CE_ATTR_FLAGS),
+ .reserved = __cpu_to_le32(0),
+ },
+
+ /* CE4: host->target HTT */
+ {
+ .pipenum = __cpu_to_le32(4),
+ .pipedir = __cpu_to_le32(PIPEDIR_OUT),
+ .nentries = __cpu_to_le32(256),
+ .nbytes_max = __cpu_to_le32(256),
+ .flags = __cpu_to_le32(CE_ATTR_FLAGS | CE_ATTR_DIS_INTR),
+ .reserved = __cpu_to_le32(0),
+ },
+
+ /* CE5: target->host Pktlog */
+ {
+ .pipenum = __cpu_to_le32(5),
+ .pipedir = __cpu_to_le32(PIPEDIR_IN),
+ .nentries = __cpu_to_le32(32),
+ .nbytes_max = __cpu_to_le32(2048),
+ .flags = __cpu_to_le32(CE_ATTR_FLAGS),
+ .reserved = __cpu_to_le32(0),
+ },
+
+ /* CE6: Reserved for target autonomous hif_memcpy */
+ {
+ .pipenum = __cpu_to_le32(6),
+ .pipedir = __cpu_to_le32(PIPEDIR_INOUT),
+ .nentries = __cpu_to_le32(32),
+ .nbytes_max = __cpu_to_le32(16384),
+ .flags = __cpu_to_le32(CE_ATTR_FLAGS),
+ .reserved = __cpu_to_le32(0),
+ },
+
+ /* CE7 used only by Host */
+ {
+ .pipenum = __cpu_to_le32(7),
+ .pipedir = __cpu_to_le32(PIPEDIR_OUT),
+ .nentries = __cpu_to_le32(32),
+ .nbytes_max = __cpu_to_le32(2048),
+ .flags = __cpu_to_le32(0x2000),
+ .reserved = __cpu_to_le32(0),
+ },
+
+ /* CE8 target->host used only by IPA */
+ {
+ .pipenum = __cpu_to_le32(8),
+ .pipedir = __cpu_to_le32(PIPEDIR_INOUT),
+ .nentries = __cpu_to_le32(32),
+ .nbytes_max = __cpu_to_le32(16384),
+ .flags = __cpu_to_le32(CE_ATTR_FLAGS),
+ .reserved = __cpu_to_le32(0),
+ },
+};
+
+/* Map from service/endpoint to Copy Engine for IPQ5018.
+ * This table is derived from the CE TABLE, above.
+ * It is passed to the Target at startup for use by firmware.
+ */
+const struct service_to_pipe ath11k_target_service_to_ce_map_wlan_ipq5018[] = {
+ {
+ .service_id = __cpu_to_le32(ATH11K_HTC_SVC_ID_WMI_DATA_VO),
+ .pipedir = __cpu_to_le32(PIPEDIR_OUT), /* out = UL = host -> target */
+ .pipenum = __cpu_to_le32(3),
+ },
+ {
+ .service_id = __cpu_to_le32(ATH11K_HTC_SVC_ID_WMI_DATA_VO),
+ .pipedir = __cpu_to_le32(PIPEDIR_IN), /* in = DL = target -> host */
+ .pipenum = __cpu_to_le32(2),
+ },
+ {
+ .service_id = __cpu_to_le32(ATH11K_HTC_SVC_ID_WMI_DATA_BK),
+ .pipedir = __cpu_to_le32(PIPEDIR_OUT), /* out = UL = host -> target */
+ .pipenum = __cpu_to_le32(3),
+ },
+ {
+ .service_id = __cpu_to_le32(ATH11K_HTC_SVC_ID_WMI_DATA_BK),
+ .pipedir = __cpu_to_le32(PIPEDIR_IN), /* in = DL = target -> host */
+ .pipenum = __cpu_to_le32(2),
+ },
+ {
+ .service_id = __cpu_to_le32(ATH11K_HTC_SVC_ID_WMI_DATA_BE),
+ .pipedir = __cpu_to_le32(PIPEDIR_OUT), /* out = UL = host -> target */
+ .pipenum = __cpu_to_le32(3),
+ },
+ {
+ .service_id = __cpu_to_le32(ATH11K_HTC_SVC_ID_WMI_DATA_BE),
+ .pipedir = __cpu_to_le32(PIPEDIR_IN), /* in = DL = target -> host */
+ .pipenum = __cpu_to_le32(2),
+ },
+ {
+ .service_id = __cpu_to_le32(ATH11K_HTC_SVC_ID_WMI_DATA_VI),
+ .pipedir = __cpu_to_le32(PIPEDIR_OUT), /* out = UL = host -> target */
+ .pipenum = __cpu_to_le32(3),
+ },
+ {
+ .service_id = __cpu_to_le32(ATH11K_HTC_SVC_ID_WMI_DATA_VI),
+ .pipedir = __cpu_to_le32(PIPEDIR_IN), /* in = DL = target -> host */
+ .pipenum = __cpu_to_le32(2),
+ },
+ {
+ .service_id = __cpu_to_le32(ATH11K_HTC_SVC_ID_WMI_CONTROL),
+ .pipedir = __cpu_to_le32(PIPEDIR_OUT), /* out = UL = host -> target */
+ .pipenum = __cpu_to_le32(3),
+ },
+ {
+ .service_id = __cpu_to_le32(ATH11K_HTC_SVC_ID_WMI_CONTROL),
+ .pipedir = __cpu_to_le32(PIPEDIR_IN), /* in = DL = target -> host */
+ .pipenum = __cpu_to_le32(2),
+ },
+
+ {
+ .service_id = __cpu_to_le32(ATH11K_HTC_SVC_ID_RSVD_CTRL),
+ .pipedir = __cpu_to_le32(PIPEDIR_OUT), /* out = UL = host -> target */
+ .pipenum = __cpu_to_le32(0),
+ },
+ {
+ .service_id = __cpu_to_le32(ATH11K_HTC_SVC_ID_RSVD_CTRL),
+ .pipedir = __cpu_to_le32(PIPEDIR_IN), /* in = DL = target -> host */
+ .pipenum = __cpu_to_le32(1),
+ },
+
+ {
+ .service_id = __cpu_to_le32(ATH11K_HTC_SVC_ID_TEST_RAW_STREAMS),
+ .pipedir = __cpu_to_le32(PIPEDIR_OUT), /* out = UL = host -> target */
+ .pipenum = __cpu_to_le32(0),
+ },
+ {
+ .service_id = __cpu_to_le32(ATH11K_HTC_SVC_ID_TEST_RAW_STREAMS),
+ .pipedir = __cpu_to_le32(PIPEDIR_IN), /* in = DL = target -> host */
+ .pipenum = __cpu_to_le32(1),
+ },
+ {
+ .service_id = __cpu_to_le32(ATH11K_HTC_SVC_ID_HTT_DATA_MSG),
+ .pipedir = __cpu_to_le32(PIPEDIR_OUT), /* out = UL = host -> target */
+ .pipenum = __cpu_to_le32(4),
+ },
+ {
+ .service_id = __cpu_to_le32(ATH11K_HTC_SVC_ID_HTT_DATA_MSG),
+ .pipedir = __cpu_to_le32(PIPEDIR_IN), /* in = DL = target -> host */
+ .pipenum = __cpu_to_le32(1),
+ },
+ {
+ .service_id = __cpu_to_le32(ATH11K_HTC_SVC_ID_PKT_LOG),
+ .pipedir = __cpu_to_le32(PIPEDIR_IN), /* in = DL = target -> host */
+ .pipenum = __cpu_to_le32(5),
+ },
+
+ /* (Additions here) */
+
+ { /* terminator entry */ }
+};
+
const struct ath11k_hw_regs ipq8074_regs = {
/* SW2TCL(x) R0 ring configuration address */
.hal_tcl1_ring_base_lsb = 0x00000510,
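Review bot: the length of ath11k_target_service_to_ce_map_wlan_ipq5018[] is tracked apart from the table. The array added here holds 17 service entries plus the terminator, while the hw_params entry takes .svc_to_ce_map_len from SVC_CE_MAP_LEN_5018, whose value is not in the lines shown. A consumer that trusts the length will read past the array or drop entries if the two ever drift. Consider a static_assert() on ARRAY_SIZE() next to the table in hw.c, with a comment saying whether the terminator is counted.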
--
2.53.0
* [PATCH 6.1 945/969] wifi: ath11k: remap ce register space for IPQ5018
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (943 preceding siblings ...)
2026-05-30 16:07 ` [PATCH 6.1 944/969] wifi: ath11k: update ce configurations " Greg Kroah-Hartman
@ 2026-05-30 16:07 ` Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 946/969] wifi: ath11k: update hal srng regs " Greg Kroah-Hartman
` (30 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sriram R, Karthikeyan Kathirvel,
Kalle Valo, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sriram R <quic_srirrama@quicinc.com>
[ Upstream commit b42b3678c91f3ca6e0888bf5a15c1e8678fd5f2d ]
In IPQ5018 ce register space is moved out of wcss unlike
ipq8074 or ipq6018 and the space is not contiguous,
hence remap the CE registers to a new space to access them.
Register read/write is modified to check if the register to be written
falls in the CE register space and corresponding register is written.
Also adjust the interrupt register address to ce irq enable/disable.
Tested-on: IPQ5018 hw1.0 AHB WLAN.HK.2.6.0.1-00861-QCAHKSWPL_SILICONZ-1
Signed-off-by: Sriram R <quic_srirrama@quicinc.com>
Co-developed-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com>
Signed-off-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20221122132152.17771-5-quic_kathirve@quicinc.com
Stable-dep-of: 2a2451a34afd ("wifi: ath11k: fix peer resolution on rx path when peer_id=0")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath11k/ahb.c | 44 ++++++++++++++++++++++----
drivers/net/wireless/ath/ath11k/ce.h | 16 ++++++++++
drivers/net/wireless/ath/ath11k/core.c | 8 +++++
drivers/net/wireless/ath/ath11k/core.h | 1 +
drivers/net/wireless/ath/ath11k/hal.c | 17 ++++++----
drivers/net/wireless/ath/ath11k/hal.h | 5 +++
drivers/net/wireless/ath/ath11k/hw.c | 17 ++++++++++
drivers/net/wireless/ath/ath11k/hw.h | 9 ++++++
drivers/net/wireless/ath/ath11k/pci.c | 2 ++
9 files changed, 107 insertions(+), 12 deletions(-)
diff --git a/drivers/net/wireless/ath/ath11k/ahb.c b/drivers/net/wireless/ath/ath11k/ahb.c
index 70d468f013383..db20b39c0bf56 100644
--- a/drivers/net/wireless/ath/ath11k/ahb.c
+++ b/drivers/net/wireless/ath/ath11k/ahb.c
@@ -267,30 +267,42 @@ static void ath11k_ahb_clearbit32(struct ath11k_base *ab, u8 bit, u32 offset)
static void ath11k_ahb_ce_irq_enable(struct ath11k_base *ab, u16 ce_id)
{
const struct ce_attr *ce_attr;
+ const struct ce_ie_addr *ce_ie_addr = ab->hw_params.ce_ie_addr;
+ u32 ie1_reg_addr, ie2_reg_addr, ie3_reg_addr;
+
+ ie1_reg_addr = ce_ie_addr->ie1_reg_addr + ATH11K_CE_OFFSET(ab);
+ ie2_reg_addr = ce_ie_addr->ie2_reg_addr + ATH11K_CE_OFFSET(ab);
+ ie3_reg_addr = ce_ie_addr->ie3_reg_addr + ATH11K_CE_OFFSET(ab);
ce_attr = &ab->hw_params.host_ce_config[ce_id];
if (ce_attr->src_nentries)
- ath11k_ahb_setbit32(ab, ce_id, CE_HOST_IE_ADDRESS);
+ ath11k_ahb_setbit32(ab, ce_id, ie1_reg_addr);
if (ce_attr->dest_nentries) {
- ath11k_ahb_setbit32(ab, ce_id, CE_HOST_IE_2_ADDRESS);
+ ath11k_ahb_setbit32(ab, ce_id, ie2_reg_addr);
ath11k_ahb_setbit32(ab, ce_id + CE_HOST_IE_3_SHIFT,
- CE_HOST_IE_3_ADDRESS);
+ ie3_reg_addr);
}
}
static void ath11k_ahb_ce_irq_disable(struct ath11k_base *ab, u16 ce_id)
{
const struct ce_attr *ce_attr;
+ const struct ce_ie_addr *ce_ie_addr = ab->hw_params.ce_ie_addr;
+ u32 ie1_reg_addr, ie2_reg_addr, ie3_reg_addr;
+
+ ie1_reg_addr = ce_ie_addr->ie1_reg_addr + ATH11K_CE_OFFSET(ab);
+ ie2_reg_addr = ce_ie_addr->ie2_reg_addr + ATH11K_CE_OFFSET(ab);
+ ie3_reg_addr = ce_ie_addr->ie3_reg_addr + ATH11K_CE_OFFSET(ab);
ce_attr = &ab->hw_params.host_ce_config[ce_id];
if (ce_attr->src_nentries)
- ath11k_ahb_clearbit32(ab, ce_id, CE_HOST_IE_ADDRESS);
+ ath11k_ahb_clearbit32(ab, ce_id, ie1_reg_addr);
if (ce_attr->dest_nentries) {
- ath11k_ahb_clearbit32(ab, ce_id, CE_HOST_IE_2_ADDRESS);
+ ath11k_ahb_clearbit32(ab, ce_id, ie2_reg_addr);
ath11k_ahb_clearbit32(ab, ce_id + CE_HOST_IE_3_SHIFT,
- CE_HOST_IE_3_ADDRESS);
+ ie3_reg_addr);
}
}
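Review bot: ath11k_ahb_ce_irq_enable() and ath11k_ahb_ce_irq_disable() now dereference ab->hw_params.ce_ie_addr unconditionally at the top of the function. That is only safe if every hw_params entry that can reach the AHB path sets .ce_ie_addr; an entry this patch does not touch leaves the pointer NULL and the first CE interrupt enable becomes a NULL dereference. Either state the invariant in a comment on the struct member or fall back to the ipq8074 table when the pointer is NULL. The three address computations are also duplicated verbatim in both functions and could live in one small helper.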
@@ -1148,10 +1160,26 @@ static int ath11k_ahb_probe(struct platform_device *pdev)
goto err_core_free;
}
+ ab->mem_ce = ab->mem;
+
ret = ath11k_core_pre_init(ab);
if (ret)
goto err_core_free;
+ if (ab->hw_params.ce_remap) {
+ const struct ce_remap *ce_remap = ab->hw_params.ce_remap;
+ /* ce register space is moved out of wcss unlike ipq8074 or ipq6018
+ * and the space is not contiguous, hence remapping the CE registers
+ * to a new space for accessing them.
+ */
+ ab->mem_ce = ioremap(ce_remap->base, ce_remap->size);
+ if (IS_ERR(ab->mem_ce)) {
+ dev_err(&pdev->dev, "ce ioremap error\n");
+ ret = -ENOMEM;
+ goto err_core_free;
+ }
+ }
+
ret = ath11k_ahb_setup_resources(ab);
if (ret)
goto err_core_free;
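Review bot: the failure check after ioremap() in ath11k_ahb_probe() cannot fire. ioremap() returns NULL on failure, not an ERR_PTR, so "if (IS_ERR(ab->mem_ce))" lets a failed mapping through and the driver carries on with a NULL mem_ce, which ATH11K_CE_OFFSET() then turns into a bogus offset for every CE register access. The check should be "if (!ab->mem_ce)". Separately, once the mapping succeeds, the ath11k_ahb_setup_resources() failure just below still jumps to err_core_free; unless that label unmaps mem_ce (not visible in this hunk), the mapping leaks on every later probe error. A dedicated unwind label that calls iounmap() when hw_params.ce_remap is set would cover it.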
@@ -1242,6 +1270,10 @@ static void ath11k_ahb_free_resources(struct ath11k_base *ab)
ath11k_ahb_release_smp2p_handle(ab);
ath11k_ahb_fw_resource_deinit(ab);
ath11k_ce_free_pipes(ab);
+
+ if (ab->hw_params.ce_remap)
+ iounmap(ab->mem_ce);
+
ath11k_core_free(ab);
platform_set_drvdata(pdev, NULL);
}
diff --git a/drivers/net/wireless/ath/ath11k/ce.h b/drivers/net/wireless/ath/ath11k/ce.h
index 9644ff909502e..1fc6360e7f01b 100644
--- a/drivers/net/wireless/ath/ath11k/ce.h
+++ b/drivers/net/wireless/ath/ath11k/ce.h
@@ -49,6 +49,11 @@ void ath11k_ce_byte_swap(void *mem, u32 len);
#define CE_HOST_IE_2_ADDRESS 0x00A18040
#define CE_HOST_IE_3_ADDRESS CE_HOST_IE_ADDRESS
+/* CE IE registers are different for IPQ5018 */
+#define CE_HOST_IPQ5018_IE_ADDRESS 0x0841804C
+#define CE_HOST_IPQ5018_IE_2_ADDRESS 0x08418050
+#define CE_HOST_IPQ5018_IE_3_ADDRESS CE_HOST_IPQ5018_IE_ADDRESS
+
#define CE_HOST_IE_3_SHIFT 0xC
#define CE_RING_IDX_INCR(nentries_mask, idx) (((idx) + 1) & (nentries_mask))
@@ -84,6 +89,17 @@ struct ce_pipe_config {
__le32 reserved;
};
+struct ce_ie_addr {
+ u32 ie1_reg_addr;
+ u32 ie2_reg_addr;
+ u32 ie3_reg_addr;
+};
+
+struct ce_remap {
+ u32 base;
+ u32 size;
+};
+
struct ce_attr {
/* CE_ATTR_* values */
unsigned int flags;
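Review bot: struct ce_remap stores a physical base and a mapping length as plain u32, and both are handed straight to ioremap() in ahb.c. phys_addr_t for base and size_t (or resource_size_t for both) would match what ioremap() takes and would not silently truncate if a later SoC places the CE block above 4 GiB. A one-line comment on each struct saying that ce_ie_addr holds offsets relative to the CE window, while ce_remap holds an absolute physical address, would also help the next reader.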
diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c
index 4c234d576b3d9..ce87e67dc638c 100644
--- a/drivers/net/wireless/ath/ath11k/core.c
+++ b/drivers/net/wireless/ath/ath11k/core.c
@@ -54,6 +54,7 @@ static const struct ath11k_hw_params ath11k_hw_params[] = {
.target_ce_count = 11,
.svc_to_ce_map = ath11k_target_service_to_ce_map_wlan_ipq8074,
.svc_to_ce_map_len = 21,
+ .ce_ie_addr = &ath11k_ce_ie_addr_ipq8074,
.single_pdev_only = false,
.rxdma1_enable = true,
.num_rxmda_per_pdev = 1,
@@ -137,6 +138,7 @@ static const struct ath11k_hw_params ath11k_hw_params[] = {
.target_ce_count = 11,
.svc_to_ce_map = ath11k_target_service_to_ce_map_wlan_ipq6018,
.svc_to_ce_map_len = 19,
+ .ce_ie_addr = &ath11k_ce_ie_addr_ipq8074,
.single_pdev_only = false,
.rxdma1_enable = true,
.num_rxmda_per_pdev = 1,
@@ -218,6 +220,7 @@ static const struct ath11k_hw_params ath11k_hw_params[] = {
.target_ce_count = 9,
.svc_to_ce_map = ath11k_target_service_to_ce_map_wlan_qca6390,
.svc_to_ce_map_len = 14,
+ .ce_ie_addr = &ath11k_ce_ie_addr_ipq8074,
.single_pdev_only = true,
.rxdma1_enable = false,
.num_rxmda_per_pdev = 2,
@@ -301,6 +304,7 @@ static const struct ath11k_hw_params ath11k_hw_params[] = {
.target_ce_count = 9,
.svc_to_ce_map = ath11k_target_service_to_ce_map_wlan_qcn9074,
.svc_to_ce_map_len = 18,
+ .ce_ie_addr = &ath11k_ce_ie_addr_ipq8074,
.rxdma1_enable = true,
.num_rxmda_per_pdev = 1,
.rx_mac_buf_ring = false,
@@ -381,6 +385,7 @@ static const struct ath11k_hw_params ath11k_hw_params[] = {
.target_ce_count = 9,
.svc_to_ce_map = ath11k_target_service_to_ce_map_wlan_qca6390,
.svc_to_ce_map_len = 14,
+ .ce_ie_addr = &ath11k_ce_ie_addr_ipq8074,
.single_pdev_only = true,
.rxdma1_enable = false,
.num_rxmda_per_pdev = 2,
@@ -546,6 +551,7 @@ static const struct ath11k_hw_params ath11k_hw_params[] = {
.target_ce_count = 9,
.svc_to_ce_map = ath11k_target_service_to_ce_map_wlan_qca6390,
.svc_to_ce_map_len = 14,
+ .ce_ie_addr = &ath11k_ce_ie_addr_ipq8074,
.single_pdev_only = true,
.rxdma1_enable = false,
.num_rxmda_per_pdev = 1,
@@ -634,6 +640,8 @@ static const struct ath11k_hw_params ath11k_hw_params[] = {
.target_ce_count = TARGET_CE_CNT_5018,
.svc_to_ce_map = ath11k_target_service_to_ce_map_wlan_ipq5018,
.svc_to_ce_map_len = SVC_CE_MAP_LEN_5018,
+ .ce_ie_addr = &ath11k_ce_ie_addr_ipq5018,
+ .ce_remap = &ath11k_ce_remap_ipq5018,
.rxdma1_enable = true,
.num_rxmda_per_pdev = RXDMA_PER_PDEV_5018,
.rx_mac_buf_ring = false,
diff --git a/drivers/net/wireless/ath/ath11k/core.h b/drivers/net/wireless/ath/ath11k/core.h
index c0ddcf7bcd90b..2e4f89bac61b1 100644
--- a/drivers/net/wireless/ath/ath11k/core.h
+++ b/drivers/net/wireless/ath/ath11k/core.h
@@ -853,6 +853,7 @@ struct ath11k_base {
struct ath11k_dp dp;
void __iomem *mem;
+ void __iomem *mem_ce;
unsigned long mem_len;
struct {
diff --git a/drivers/net/wireless/ath/ath11k/hal.c b/drivers/net/wireless/ath/ath11k/hal.c
index e4114cc35b10c..87ed147c5968d 100644
--- a/drivers/net/wireless/ath/ath11k/hal.c
+++ b/drivers/net/wireless/ath/ath11k/hal.c
@@ -1245,16 +1245,20 @@ static int ath11k_hal_srng_create_config(struct ath11k_base *ab)
s->reg_start[1] = HAL_SEQ_WCSS_UMAC_TCL_REG + HAL_TCL_STATUS_RING_HP;
s = &hal->srng_config[HAL_CE_SRC];
- s->reg_start[0] = HAL_SEQ_WCSS_UMAC_CE0_SRC_REG(ab) + HAL_CE_DST_RING_BASE_LSB;
- s->reg_start[1] = HAL_SEQ_WCSS_UMAC_CE0_SRC_REG(ab) + HAL_CE_DST_RING_HP;
+ s->reg_start[0] = HAL_SEQ_WCSS_UMAC_CE0_SRC_REG(ab) + HAL_CE_DST_RING_BASE_LSB +
+ ATH11K_CE_OFFSET(ab);
+ s->reg_start[1] = HAL_SEQ_WCSS_UMAC_CE0_SRC_REG(ab) + HAL_CE_DST_RING_HP +
+ ATH11K_CE_OFFSET(ab);
s->reg_size[0] = HAL_SEQ_WCSS_UMAC_CE1_SRC_REG(ab) -
HAL_SEQ_WCSS_UMAC_CE0_SRC_REG(ab);
s->reg_size[1] = HAL_SEQ_WCSS_UMAC_CE1_SRC_REG(ab) -
HAL_SEQ_WCSS_UMAC_CE0_SRC_REG(ab);
s = &hal->srng_config[HAL_CE_DST];
- s->reg_start[0] = HAL_SEQ_WCSS_UMAC_CE0_DST_REG(ab) + HAL_CE_DST_RING_BASE_LSB;
- s->reg_start[1] = HAL_SEQ_WCSS_UMAC_CE0_DST_REG(ab) + HAL_CE_DST_RING_HP;
+ s->reg_start[0] = HAL_SEQ_WCSS_UMAC_CE0_DST_REG(ab) + HAL_CE_DST_RING_BASE_LSB +
+ ATH11K_CE_OFFSET(ab);
+ s->reg_start[1] = HAL_SEQ_WCSS_UMAC_CE0_DST_REG(ab) + HAL_CE_DST_RING_HP +
+ ATH11K_CE_OFFSET(ab);
s->reg_size[0] = HAL_SEQ_WCSS_UMAC_CE1_DST_REG(ab) -
HAL_SEQ_WCSS_UMAC_CE0_DST_REG(ab);
s->reg_size[1] = HAL_SEQ_WCSS_UMAC_CE1_DST_REG(ab) -
@@ -1262,8 +1266,9 @@ static int ath11k_hal_srng_create_config(struct ath11k_base *ab)
s = &hal->srng_config[HAL_CE_DST_STATUS];
s->reg_start[0] = HAL_SEQ_WCSS_UMAC_CE0_DST_REG(ab) +
- HAL_CE_DST_STATUS_RING_BASE_LSB;
- s->reg_start[1] = HAL_SEQ_WCSS_UMAC_CE0_DST_REG(ab) + HAL_CE_DST_STATUS_RING_HP;
+ HAL_CE_DST_STATUS_RING_BASE_LSB + ATH11K_CE_OFFSET(ab);
+ s->reg_start[1] = HAL_SEQ_WCSS_UMAC_CE0_DST_REG(ab) + HAL_CE_DST_STATUS_RING_HP +
+ ATH11K_CE_OFFSET(ab);
s->reg_size[0] = HAL_SEQ_WCSS_UMAC_CE1_DST_REG(ab) -
HAL_SEQ_WCSS_UMAC_CE0_DST_REG(ab);
s->reg_size[1] = HAL_SEQ_WCSS_UMAC_CE1_DST_REG(ab) -
diff --git a/drivers/net/wireless/ath/ath11k/hal.h b/drivers/net/wireless/ath/ath11k/hal.h
index 84b070b479582..f2341acf0730f 100644
--- a/drivers/net/wireless/ath/ath11k/hal.h
+++ b/drivers/net/wireless/ath/ath11k/hal.h
@@ -321,6 +321,10 @@ struct ath11k_base;
#define HAL_WBM2SW_RELEASE_RING_BASE_MSB_RING_SIZE 0x000fffff
#define HAL_RXDMA_RING_MAX_SIZE 0x0000ffff
+/* IPQ5018 ce registers */
+#define HAL_IPQ5018_CE_WFSS_REG_BASE 0x08400000
+#define HAL_IPQ5018_CE_SIZE 0x200000
+
/* Add any other errors here and return them in
* ath11k_hal_rx_desc_get_err().
*/
@@ -519,6 +523,7 @@ enum hal_srng_dir {
#define HAL_SRNG_FLAGS_MSI_INTR 0x00020000
#define HAL_SRNG_FLAGS_CACHED 0x20000000
#define HAL_SRNG_FLAGS_LMAC_RING 0x80000000
+#define HAL_SRNG_FLAGS_REMAP_CE_RING 0x10000000
#define HAL_SRNG_TLV_HDR_TAG GENMASK(9, 1)
#define HAL_SRNG_TLV_HDR_LEN GENMASK(25, 10)
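Review bot: HAL_SRNG_FLAGS_REMAP_CE_RING is added here but no hunk in this patch sets or tests it. The commit message says register read/write is modified to check whether a register falls in the CE space, yet the diff does not touch the accessors; it folds ATH11K_CE_OFFSET() into the stored register addresses instead. Either drop the define until a user exists or adjust the commit message so it describes the offset approach that was actually taken. If the flag stays, placing it in numeric order (before HAL_SRNG_FLAGS_CACHED) keeps the list readable.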
diff --git a/drivers/net/wireless/ath/ath11k/hw.c b/drivers/net/wireless/ath/ath11k/hw.c
index 1928da8415518..5639e261d834e 100644
--- a/drivers/net/wireless/ath/ath11k/hw.c
+++ b/drivers/net/wireless/ath/ath11k/hw.c
@@ -2164,6 +2164,23 @@ const struct service_to_pipe ath11k_target_service_to_ce_map_wlan_ipq5018[] = {
{ /* terminator entry */ }
};
+const struct ce_ie_addr ath11k_ce_ie_addr_ipq8074 = {
+ .ie1_reg_addr = CE_HOST_IE_ADDRESS,
+ .ie2_reg_addr = CE_HOST_IE_2_ADDRESS,
+ .ie3_reg_addr = CE_HOST_IE_3_ADDRESS,
+};
+
+const struct ce_ie_addr ath11k_ce_ie_addr_ipq5018 = {
+ .ie1_reg_addr = CE_HOST_IPQ5018_IE_ADDRESS - HAL_IPQ5018_CE_WFSS_REG_BASE,
+ .ie2_reg_addr = CE_HOST_IPQ5018_IE_2_ADDRESS - HAL_IPQ5018_CE_WFSS_REG_BASE,
+ .ie3_reg_addr = CE_HOST_IPQ5018_IE_3_ADDRESS - HAL_IPQ5018_CE_WFSS_REG_BASE,
+};
+
+const struct ce_remap ath11k_ce_remap_ipq5018 = {
+ .base = HAL_IPQ5018_CE_WFSS_REG_BASE,
+ .size = HAL_IPQ5018_CE_SIZE,
+};
+
const struct ath11k_hw_regs ipq8074_regs = {
/* SW2TCL(x) R0 ring configuration address */
.hal_tcl1_ring_base_lsb = 0x00000510,
diff --git a/drivers/net/wireless/ath/ath11k/hw.h b/drivers/net/wireless/ath/ath11k/hw.h
index 0c5ef8a526d85..e2ed5d0477430 100644
--- a/drivers/net/wireless/ath/ath11k/hw.h
+++ b/drivers/net/wireless/ath/ath11k/hw.h
@@ -80,6 +80,8 @@
#define ATH11K_M3_FILE "m3.bin"
#define ATH11K_REGDB_FILE_NAME "regdb.bin"
+#define ATH11K_CE_OFFSET(ab) (ab->mem_ce - ab->mem)
+
enum ath11k_hw_rate_cck {
ATH11K_HW_RATE_CCK_LP_11M = 0,
ATH11K_HW_RATE_CCK_LP_5_5M,
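Review bot: ATH11K_CE_OFFSET(ab) expands to "(ab->mem_ce - ab->mem)" with the macro argument unparenthesized and relies on subtracting two void __iomem pointers that, on IPQ5018, come from two unrelated ioremap() calls. The result is a ptrdiff_t, but every user in this patch adds it to a u32 register offset and stores the sum in a u32 (ie1_reg_addr in ahb.c, s->reg_start[] in hal.c). On a 64-bit kernel that truncates the difference, so the scheme only works if the u32 is later added back to ab->mem and mem_ce happens to sit less than 4 GiB above mem. Please write "((ab)->mem_ce - (ab)->mem)" at minimum, and either document the assumption or keep CE accesses on a separate base pointer instead of encoding the distance in the offset.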
@@ -158,6 +160,8 @@ struct ath11k_hw_params {
u32 target_ce_count;
const struct service_to_pipe *svc_to_ce_map;
u32 svc_to_ce_map_len;
+ const struct ce_ie_addr *ce_ie_addr;
+ const struct ce_remap *ce_remap;
bool single_pdev_only;
@@ -277,6 +281,11 @@ extern const struct ath11k_hw_ring_mask ath11k_hw_ring_mask_qca6390;
extern const struct ath11k_hw_ring_mask ath11k_hw_ring_mask_qcn9074;
extern const struct ath11k_hw_ring_mask ath11k_hw_ring_mask_wcn6750;
+extern const struct ce_ie_addr ath11k_ce_ie_addr_ipq8074;
+extern const struct ce_ie_addr ath11k_ce_ie_addr_ipq5018;
+
+extern const struct ce_remap ath11k_ce_remap_ipq5018;
+
extern const struct ath11k_hw_hal_params ath11k_hw_hal_params_ipq8074;
extern const struct ath11k_hw_hal_params ath11k_hw_hal_params_qca6390;
extern const struct ath11k_hw_hal_params ath11k_hw_hal_params_wcn6750;
diff --git a/drivers/net/wireless/ath/ath11k/pci.c b/drivers/net/wireless/ath/ath11k/pci.c
index 79d2876a46b53..a8431ce1ab9ac 100644
--- a/drivers/net/wireless/ath/ath11k/pci.c
+++ b/drivers/net/wireless/ath/ath11k/pci.c
@@ -543,6 +543,8 @@ static int ath11k_pci_claim(struct ath11k_pci *ab_pci, struct pci_dev *pdev)
goto clear_master;
}
+ ab->mem_ce = ab->mem;
+
ath11k_dbg(ab, ATH11K_DBG_BOOT, "boot pci_mem 0x%pK\n", ab->mem);
return 0;
--
2.53.0
* [PATCH 6.1 946/969] wifi: ath11k: update hal srng regs for IPQ5018
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (944 preceding siblings ...)
2026-05-30 16:07 ` [PATCH 6.1 945/969] wifi: ath11k: remap ce register space " Greg Kroah-Hartman
@ 2026-05-30 16:07 ` Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 947/969] wifi: ath11k: initialize hw_ops " Greg Kroah-Hartman
` (29 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sriram R, Karthikeyan Kathirvel,
Kalle Valo, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sriram R <quic_srirrama@quicinc.com>
[ Upstream commit 711b80acbdfb9667a9cf8374e13320a6e624ce73 ]
IPQ5018 hal srng register address & offsets are not
similar to IPQ8074/IPQ6018/QCN9074, hence define a
new set of srng register group data for IPQ5018.
Tested-on: IPQ5018 hw1.0 AHB WLAN.HK.2.6.0.1-00861-QCAHKSWPL_SILICONZ-1
Signed-off-by: Sriram R <quic_srirrama@quicinc.com>
Co-developed-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com>
Signed-off-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20221122132152.17771-6-quic_kathirve@quicinc.com
Stable-dep-of: 2a2451a34afd ("wifi: ath11k: fix peer resolution on rx path when peer_id=0")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath11k/core.c | 1 +
drivers/net/wireless/ath/ath11k/hw.c | 79 ++++++++++++++++++++++++++
drivers/net/wireless/ath/ath11k/hw.h | 1 +
3 files changed, 81 insertions(+)
diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c
index ce87e67dc638c..a5a9b485a50d2 100644
--- a/drivers/net/wireless/ath/ath11k/core.c
+++ b/drivers/net/wireless/ath/ath11k/core.c
@@ -634,6 +634,7 @@ static const struct ath11k_hw_params ath11k_hw_params[] = {
.max_fft_bins = 1024,
},
.internal_sleep_clock = false,
+ .regs = &ipq5018_regs,
.host_ce_config = ath11k_host_ce_config_qcn9074,
.ce_count = CE_CNT_5018,
.target_ce_config = ath11k_target_ce_config_wlan_ipq5018,
diff --git a/drivers/net/wireless/ath/ath11k/hw.c b/drivers/net/wireless/ath/ath11k/hw.c
index 5639e261d834e..6135a45f255d1 100644
--- a/drivers/net/wireless/ath/ath11k/hw.c
+++ b/drivers/net/wireless/ath/ath11k/hw.c
@@ -2646,6 +2646,85 @@ static const struct ath11k_hw_tcl2wbm_rbm_map ath11k_hw_tcl2wbm_rbm_map_wcn6750[
},
};
+const struct ath11k_hw_regs ipq5018_regs = {
+ /* SW2TCL(x) R0 ring configuration address */
+ .hal_tcl1_ring_base_lsb = 0x00000694,
+ .hal_tcl1_ring_base_msb = 0x00000698,
+ .hal_tcl1_ring_id = 0x0000069c,
+ .hal_tcl1_ring_misc = 0x000006a4,
+ .hal_tcl1_ring_tp_addr_lsb = 0x000006b0,
+ .hal_tcl1_ring_tp_addr_msb = 0x000006b4,
+ .hal_tcl1_ring_consumer_int_setup_ix0 = 0x000006c4,
+ .hal_tcl1_ring_consumer_int_setup_ix1 = 0x000006c8,
+ .hal_tcl1_ring_msi1_base_lsb = 0x000006dc,
+ .hal_tcl1_ring_msi1_base_msb = 0x000006e0,
+ .hal_tcl1_ring_msi1_data = 0x000006e4,
+ .hal_tcl2_ring_base_lsb = 0x000006ec,
+ .hal_tcl_ring_base_lsb = 0x0000079c,
+
+ /* TCL STATUS ring address */
+ .hal_tcl_status_ring_base_lsb = 0x000008a4,
+
+ /* REO2SW(x) R0 ring configuration address */
+ .hal_reo1_ring_base_lsb = 0x000001ec,
+ .hal_reo1_ring_base_msb = 0x000001f0,
+ .hal_reo1_ring_id = 0x000001f4,
+ .hal_reo1_ring_misc = 0x000001fc,
+ .hal_reo1_ring_hp_addr_lsb = 0x00000200,
+ .hal_reo1_ring_hp_addr_msb = 0x00000204,
+ .hal_reo1_ring_producer_int_setup = 0x00000210,
+ .hal_reo1_ring_msi1_base_lsb = 0x00000234,
+ .hal_reo1_ring_msi1_base_msb = 0x00000238,
+ .hal_reo1_ring_msi1_data = 0x0000023c,
+ .hal_reo2_ring_base_lsb = 0x00000244,
+ .hal_reo1_aging_thresh_ix_0 = 0x00000564,
+ .hal_reo1_aging_thresh_ix_1 = 0x00000568,
+ .hal_reo1_aging_thresh_ix_2 = 0x0000056c,
+ .hal_reo1_aging_thresh_ix_3 = 0x00000570,
+
+ /* REO2SW(x) R2 ring pointers (head/tail) address */
+ .hal_reo1_ring_hp = 0x00003028,
+ .hal_reo1_ring_tp = 0x0000302c,
+ .hal_reo2_ring_hp = 0x00003030,
+
+ /* REO2TCL R0 ring configuration address */
+ .hal_reo_tcl_ring_base_lsb = 0x000003fc,
+ .hal_reo_tcl_ring_hp = 0x00003058,
+
+ /* SW2REO ring address */
+ .hal_sw2reo_ring_base_lsb = 0x0000013c,
+ .hal_sw2reo_ring_hp = 0x00003018,
+
+ /* REO CMD ring address */
+ .hal_reo_cmd_ring_base_lsb = 0x000000e4,
+ .hal_reo_cmd_ring_hp = 0x00003010,
+
+ /* REO status address */
+ .hal_reo_status_ring_base_lsb = 0x00000504,
+ .hal_reo_status_hp = 0x00003070,
+
+ /* WCSS relative address */
+ .hal_seq_wcss_umac_ce0_src_reg = 0x08400000
+ - HAL_IPQ5018_CE_WFSS_REG_BASE,
+ .hal_seq_wcss_umac_ce0_dst_reg = 0x08401000
+ - HAL_IPQ5018_CE_WFSS_REG_BASE,
+ .hal_seq_wcss_umac_ce1_src_reg = 0x08402000
+ - HAL_IPQ5018_CE_WFSS_REG_BASE,
+ .hal_seq_wcss_umac_ce1_dst_reg = 0x08403000
+ - HAL_IPQ5018_CE_WFSS_REG_BASE,
+
+ /* WBM Idle address */
+ .hal_wbm_idle_link_ring_base_lsb = 0x00000874,
+ .hal_wbm_idle_link_ring_misc = 0x00000884,
+
+ /* SW2WBM release address */
+ .hal_wbm_release_ring_base_lsb = 0x000001ec,
+
+ /* WBM2SW release address */
+ .hal_wbm0_release_ring_base_lsb = 0x00000924,
+ .hal_wbm1_release_ring_base_lsb = 0x0000097c,
+};
+
const struct ath11k_hw_hal_params ath11k_hw_hal_params_ipq8074 = {
.rx_buf_rbm = HAL_RX_BUF_RBM_SW3_BM,
.tcl2wbm_rbm_map = ath11k_hw_tcl2wbm_rbm_map_ipq8074,
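Review bot: the "/* WCSS relative address */" comment above the four hal_seq_wcss_umac_ce*_reg entries in ipq5018_regs does not match the values. Each is an absolute address minus HAL_IPQ5018_CE_WFSS_REG_BASE, so they are offsets into the separately remapped CE window (0x0, 0x1000, 0x2000, 0x3000), and the previous patch's commit message says the CE space was moved out of WCSS on this SoC. Please reword the comment to say the offsets are relative to the remapped CE base, and consider writing the offsets directly rather than repeating the 0x084xxxxx literals that duplicate the base constant.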
diff --git a/drivers/net/wireless/ath/ath11k/hw.h b/drivers/net/wireless/ath/ath11k/hw.h
index e2ed5d0477430..b8afd51d0c1ea 100644
--- a/drivers/net/wireless/ath/ath11k/hw.h
+++ b/drivers/net/wireless/ath/ath11k/hw.h
@@ -415,6 +415,7 @@ extern const struct ath11k_hw_regs qca6390_regs;
extern const struct ath11k_hw_regs qcn9074_regs;
extern const struct ath11k_hw_regs wcn6855_regs;
extern const struct ath11k_hw_regs wcn6750_regs;
+extern const struct ath11k_hw_regs ipq5018_regs;
static inline const char *ath11k_bd_ie_type_str(enum ath11k_bd_ie_type type)
{
--
2.53.0
* [PATCH 6.1 947/969] wifi: ath11k: initialize hw_ops for IPQ5018
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (945 preceding siblings ...)
2026-05-30 16:07 ` [PATCH 6.1 946/969] wifi: ath11k: update hal srng regs " Greg Kroah-Hartman
@ 2026-05-30 16:07 ` Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 948/969] wifi: ath11k: add new hw ops for IPQ5018 to get rx dest ring hashmap Greg Kroah-Hartman
` (28 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sriram R, Karthikeyan Kathirvel,
Kalle Valo, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sriram R <quic_srirrama@quicinc.com>
[ Upstream commit ba60f2793d3a37a00da14bb56a26558a902d2831 ]
The ipq5018_ops is initialized for IPQ5018. This is different from
other platforms.
Tested-on: IPQ5018 hw1.0 AHB WLAN.HK.2.6.0.1-00861-QCAHKSWPL_SILICONZ-1
Signed-off-by: Sriram R <quic_srirrama@quicinc.com>
Co-developed-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com>
Signed-off-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20221122132152.17771-7-quic_kathirve@quicinc.com
Stable-dep-of: 2a2451a34afd ("wifi: ath11k: fix peer resolution on rx path when peer_id=0")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath11k/core.c | 1 +
drivers/net/wireless/ath/ath11k/hw.c | 40 ++++++++++++++++++++++++++
drivers/net/wireless/ath/ath11k/hw.h | 1 +
3 files changed, 42 insertions(+)
diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c
index a5a9b485a50d2..be7d0644a6e8f 100644
--- a/drivers/net/wireless/ath/ath11k/core.c
+++ b/drivers/net/wireless/ath/ath11k/core.c
@@ -635,6 +635,7 @@ static const struct ath11k_hw_params ath11k_hw_params[] = {
},
.internal_sleep_clock = false,
.regs = &ipq5018_regs,
+ .hw_ops = &ipq5018_ops,
.host_ce_config = ath11k_host_ce_config_qcn9074,
.ce_count = CE_CNT_5018,
.target_ce_config = ath11k_target_ce_config_wlan_ipq5018,
diff --git a/drivers/net/wireless/ath/ath11k/hw.c b/drivers/net/wireless/ath/ath11k/hw.c
index 6135a45f255d1..7632220469dab 100644
--- a/drivers/net/wireless/ath/ath11k/hw.c
+++ b/drivers/net/wireless/ath/ath11k/hw.c
@@ -1085,6 +1085,46 @@ const struct ath11k_hw_ops wcn6750_ops = {
.get_ring_selector = ath11k_hw_wcn6750_get_tcl_ring_selector,
};
+/* IPQ5018 hw ops is similar to QCN9074 except for the dest ring remap */
+const struct ath11k_hw_ops ipq5018_ops = {
+ .get_hw_mac_from_pdev_id = ath11k_hw_ipq6018_mac_from_pdev_id,
+ .wmi_init_config = ath11k_init_wmi_config_ipq8074,
+ .mac_id_to_pdev_id = ath11k_hw_mac_id_to_pdev_id_ipq8074,
+ .mac_id_to_srng_id = ath11k_hw_mac_id_to_srng_id_ipq8074,
+ .tx_mesh_enable = ath11k_hw_qcn9074_tx_mesh_enable,
+ .rx_desc_get_first_msdu = ath11k_hw_qcn9074_rx_desc_get_first_msdu,
+ .rx_desc_get_last_msdu = ath11k_hw_qcn9074_rx_desc_get_last_msdu,
+ .rx_desc_get_l3_pad_bytes = ath11k_hw_qcn9074_rx_desc_get_l3_pad_bytes,
+ .rx_desc_get_hdr_status = ath11k_hw_qcn9074_rx_desc_get_hdr_status,
+ .rx_desc_encrypt_valid = ath11k_hw_qcn9074_rx_desc_encrypt_valid,
+ .rx_desc_get_encrypt_type = ath11k_hw_qcn9074_rx_desc_get_encrypt_type,
+ .rx_desc_get_decap_type = ath11k_hw_qcn9074_rx_desc_get_decap_type,
+ .rx_desc_get_mesh_ctl = ath11k_hw_qcn9074_rx_desc_get_mesh_ctl,
+ .rx_desc_get_ldpc_support = ath11k_hw_qcn9074_rx_desc_get_ldpc_support,
+ .rx_desc_get_mpdu_seq_ctl_vld = ath11k_hw_qcn9074_rx_desc_get_mpdu_seq_ctl_vld,
+ .rx_desc_get_mpdu_fc_valid = ath11k_hw_qcn9074_rx_desc_get_mpdu_fc_valid,
+ .rx_desc_get_mpdu_start_seq_no = ath11k_hw_qcn9074_rx_desc_get_mpdu_start_seq_no,
+ .rx_desc_get_msdu_len = ath11k_hw_qcn9074_rx_desc_get_msdu_len,
+ .rx_desc_get_msdu_sgi = ath11k_hw_qcn9074_rx_desc_get_msdu_sgi,
+ .rx_desc_get_msdu_rate_mcs = ath11k_hw_qcn9074_rx_desc_get_msdu_rate_mcs,
+ .rx_desc_get_msdu_rx_bw = ath11k_hw_qcn9074_rx_desc_get_msdu_rx_bw,
+ .rx_desc_get_msdu_freq = ath11k_hw_qcn9074_rx_desc_get_msdu_freq,
+ .rx_desc_get_msdu_pkt_type = ath11k_hw_qcn9074_rx_desc_get_msdu_pkt_type,
+ .rx_desc_get_msdu_nss = ath11k_hw_qcn9074_rx_desc_get_msdu_nss,
+ .rx_desc_get_mpdu_tid = ath11k_hw_qcn9074_rx_desc_get_mpdu_tid,
+ .rx_desc_get_mpdu_peer_id = ath11k_hw_qcn9074_rx_desc_get_mpdu_peer_id,
+ .rx_desc_copy_attn_end_tlv = ath11k_hw_qcn9074_rx_desc_copy_attn_end,
+ .rx_desc_get_mpdu_start_tag = ath11k_hw_qcn9074_rx_desc_get_mpdu_start_tag,
+ .rx_desc_get_mpdu_ppdu_id = ath11k_hw_qcn9074_rx_desc_get_mpdu_ppdu_id,
+ .rx_desc_set_msdu_len = ath11k_hw_qcn9074_rx_desc_set_msdu_len,
+ .rx_desc_get_attention = ath11k_hw_qcn9074_rx_desc_get_attention,
+ .rx_desc_get_msdu_payload = ath11k_hw_qcn9074_rx_desc_get_msdu_payload,
+ .mpdu_info_get_peerid = ath11k_hw_ipq8074_mpdu_info_get_peerid,
+ .rx_desc_mac_addr2_valid = ath11k_hw_ipq9074_rx_desc_mac_addr2_valid,
+ .rx_desc_mpdu_start_addr2 = ath11k_hw_ipq9074_rx_desc_mpdu_start_addr2,
+
+};
+
#define ATH11K_TX_RING_MASK_0 BIT(0)
#define ATH11K_TX_RING_MASK_1 BIT(1)
#define ATH11K_TX_RING_MASK_2 BIT(2)
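Review bot: ipq5018_ops does not set .get_ring_selector, while the wcn6750_ops table immediately above it in this hunk ends with ".get_ring_selector = ath11k_hw_wcn6750_get_tcl_ring_selector". If the tx path calls hw_ops->get_ring_selector() without a NULL check, IPQ5018 dereferences a NULL function pointer on the first transmit; please confirm against the callers and add the member if it is required. The same applies to .reo_setup, which the header comment singles out as the one difference from QCN9074 but which is only filled in by the next patch in the series, so the table is incomplete at this commit. The stray blank line before the closing brace can go as well.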
diff --git a/drivers/net/wireless/ath/ath11k/hw.h b/drivers/net/wireless/ath/ath11k/hw.h
index b8afd51d0c1ea..9f45d061d8265 100644
--- a/drivers/net/wireless/ath/ath11k/hw.h
+++ b/drivers/net/wireless/ath/ath11k/hw.h
@@ -275,6 +275,7 @@ extern const struct ath11k_hw_ops qca6390_ops;
extern const struct ath11k_hw_ops qcn9074_ops;
extern const struct ath11k_hw_ops wcn6855_ops;
extern const struct ath11k_hw_ops wcn6750_ops;
+extern const struct ath11k_hw_ops ipq5018_ops;
extern const struct ath11k_hw_ring_mask ath11k_hw_ring_mask_ipq8074;
extern const struct ath11k_hw_ring_mask ath11k_hw_ring_mask_qca6390;
--
2.53.0
* [PATCH 6.1 948/969] wifi: ath11k: add new hw ops for IPQ5018 to get rx dest ring hashmap
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (946 preceding siblings ...)
2026-05-30 16:07 ` [PATCH 6.1 947/969] wifi: ath11k: initialize hw_ops " Greg Kroah-Hartman
@ 2026-05-30 16:07 ` Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 949/969] wifi: ath11k: fix rssi station dump not updated in QCN9074 Greg Kroah-Hartman
` (27 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sriram R, Karthikeyan Kathirvel,
Kalle Valo, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sriram R <quic_srirrama@quicinc.com>
[ Upstream commit 69968f88f1770d61cae0febef805fd00d66cf6a1 ]
The Destination ring control register is different
for IPQ5018 when compared to IPQ8074/IPQ6018/QCN9074.
Hence create a new hw ops to fetch the hash ring map
for different device variants. ipq5018 hw ops
is similar to qcn9074 except for this change, so reuse
all the qcn9074 ops for ipq5018.
Tested-on: IPQ5018 hw1.0 AHB WLAN.HK.2.6.0.1-00861-QCAHKSWPL_SILICONZ-1
Signed-off-by: Sriram R <quic_srirrama@quicinc.com>
Co-developed-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com>
Signed-off-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20221122132152.17771-8-quic_kathirve@quicinc.com
Stable-dep-of: 2a2451a34afd ("wifi: ath11k: fix peer resolution on rx path when peer_id=0")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath11k/hw.c | 44 ++++++++++++++++++++++++++++
1 file changed, 44 insertions(+)
diff --git a/drivers/net/wireless/ath/ath11k/hw.c b/drivers/net/wireless/ath/ath11k/hw.c
index 7632220469dab..60ac215e06786 100644
--- a/drivers/net/wireless/ath/ath11k/hw.c
+++ b/drivers/net/wireless/ath/ath11k/hw.c
@@ -792,6 +792,49 @@ static void ath11k_hw_wcn6855_reo_setup(struct ath11k_base *ab)
ring_hash_map);
}
+static void ath11k_hw_ipq5018_reo_setup(struct ath11k_base *ab)
+{
+ u32 reo_base = HAL_SEQ_WCSS_UMAC_REO_REG;
+ u32 val;
+
+ /* Each hash entry uses three bits to map to a particular ring. */
+ u32 ring_hash_map = HAL_HASH_ROUTING_RING_SW1 << 0 |
+ HAL_HASH_ROUTING_RING_SW2 << 4 |
+ HAL_HASH_ROUTING_RING_SW3 << 8 |
+ HAL_HASH_ROUTING_RING_SW4 << 12 |
+ HAL_HASH_ROUTING_RING_SW1 << 16 |
+ HAL_HASH_ROUTING_RING_SW2 << 20 |
+ HAL_HASH_ROUTING_RING_SW3 << 24 |
+ HAL_HASH_ROUTING_RING_SW4 << 28;
+
+ val = ath11k_hif_read32(ab, reo_base + HAL_REO1_GEN_ENABLE);
+
+ val &= ~HAL_REO1_GEN_ENABLE_FRAG_DST_RING;
+ val |= FIELD_PREP(HAL_REO1_GEN_ENABLE_FRAG_DST_RING,
+ HAL_SRNG_RING_ID_REO2SW1) |
+ FIELD_PREP(HAL_REO1_GEN_ENABLE_AGING_LIST_ENABLE, 1) |
+ FIELD_PREP(HAL_REO1_GEN_ENABLE_AGING_FLUSH_ENABLE, 1);
+ ath11k_hif_write32(ab, reo_base + HAL_REO1_GEN_ENABLE, val);
+
+ ath11k_hif_write32(ab, reo_base + HAL_REO1_AGING_THRESH_IX_0(ab),
+ HAL_DEFAULT_REO_TIMEOUT_USEC);
+ ath11k_hif_write32(ab, reo_base + HAL_REO1_AGING_THRESH_IX_1(ab),
+ HAL_DEFAULT_REO_TIMEOUT_USEC);
+ ath11k_hif_write32(ab, reo_base + HAL_REO1_AGING_THRESH_IX_2(ab),
+ HAL_DEFAULT_REO_TIMEOUT_USEC);
+ ath11k_hif_write32(ab, reo_base + HAL_REO1_AGING_THRESH_IX_3(ab),
+ HAL_DEFAULT_REO_TIMEOUT_USEC);
+
+ ath11k_hif_write32(ab, reo_base + HAL_REO1_DEST_RING_CTRL_IX_0,
+ ring_hash_map);
+ ath11k_hif_write32(ab, reo_base + HAL_REO1_DEST_RING_CTRL_IX_1,
+ ring_hash_map);
+ ath11k_hif_write32(ab, reo_base + HAL_REO1_DEST_RING_CTRL_IX_2,
+ ring_hash_map);
+ ath11k_hif_write32(ab, reo_base + HAL_REO1_DEST_RING_CTRL_IX_3,
+ ring_hash_map);
+}
+
static u16 ath11k_hw_ipq8074_mpdu_info_get_peerid(u8 *tlv_data)
{
u16 peer_id = 0;
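Review bot: the comment in ath11k_hw_ipq5018_reo_setup() says each hash entry uses three bits, but ring_hash_map places the entries at shifts of 0, 4, 8, ... 28, that is, on a 4-bit stride. If the 4-bit stride is what the IPQ5018 register expects, reword the comment to say so; if the comment is right, the shifts are wrong and received frames would be steered to the wrong REO destination rings.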
@@ -1118,6 +1161,7 @@ const struct ath11k_hw_ops ipq5018_ops = {
.rx_desc_get_mpdu_ppdu_id = ath11k_hw_qcn9074_rx_desc_get_mpdu_ppdu_id,
.rx_desc_set_msdu_len = ath11k_hw_qcn9074_rx_desc_set_msdu_len,
.rx_desc_get_attention = ath11k_hw_qcn9074_rx_desc_get_attention,
+ .reo_setup = ath11k_hw_ipq5018_reo_setup,
.rx_desc_get_msdu_payload = ath11k_hw_qcn9074_rx_desc_get_msdu_payload,
.mpdu_info_get_peerid = ath11k_hw_ipq8074_mpdu_info_get_peerid,
.rx_desc_mac_addr2_valid = ath11k_hw_ipq9074_rx_desc_mac_addr2_valid,
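Review bot: .reo_setup is inserted between .rx_desc_get_attention and .rx_desc_get_msdu_payload in ipq5018_ops, whereas the qcn9074_ops context shown in the next patch of this series lists it after .rx_desc_get_msdu_payload. Designated initializers make this harmless, but keeping one member order across the hw_ops tables makes it easier to spot a table that is missing a callback.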
--
2.53.0
* [PATCH 6.1 949/969] wifi: ath11k: fix rssi station dump not updated in QCN9074
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (947 preceding siblings ...)
2026-05-30 16:07 ` [PATCH 6.1 948/969] wifi: ath11k: add new hw ops for IPQ5018 to get rx dest ring hashmap Greg Kroah-Hartman
@ 2026-05-30 16:07 ` Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 950/969] wifi: ath11k: fix peer resolution on rx path when peer_id=0 Greg Kroah-Hartman
` (26 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, P Praneesh, Kalle Valo, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: P Praneesh <quic_ppranees@quicinc.com>
[ Upstream commit 031ffa6c2cd305a57ccc6d610f2decd956b2e7f6 ]
In QCN9074, station dump signal values display the default value, which
is -95 dBm, since there is a firmware header change for HAL_RX_MPDU_START
between QCN9074 and IPQ8074 which causes a wrong peer_id fetch from the msdu.
Fix this by updating hal_rx_mpdu_info with corresponding QCN9074 tlv
format.
Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1
Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.4.0.1-01695-QCAHKSWPL_SILICONZ-1
Signed-off-by: P Praneesh <quic_ppranees@quicinc.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20230320110312.20639-1-quic_ppranees@quicinc.com
Stable-dep-of: 2a2451a34afd ("wifi: ath11k: fix peer resolution on rx path when peer_id=0")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath11k/hal_rx.c | 10 ++++++++-
drivers/net/wireless/ath/ath11k/hal_rx.h | 18 +++++++++++++++-
drivers/net/wireless/ath/ath11k/hw.c | 27 ++++++++++++++++--------
drivers/net/wireless/ath/ath11k/hw.h | 2 +-
4 files changed, 45 insertions(+), 12 deletions(-)
diff --git a/drivers/net/wireless/ath/ath11k/hal_rx.c b/drivers/net/wireless/ath/ath11k/hal_rx.c
index d1785e71ffc98..47bd937591470 100644
--- a/drivers/net/wireless/ath/ath11k/hal_rx.c
+++ b/drivers/net/wireless/ath/ath11k/hal_rx.c
@@ -866,6 +866,12 @@ ath11k_hal_rx_populate_mu_user_info(void *rx_tlv, struct hal_rx_mon_ppdu_info *p
ath11k_hal_rx_populate_byte_count(rx_tlv, ppdu_info, rx_user_status);
}
+static u16 ath11k_hal_rx_mpduinfo_get_peerid(struct ath11k_base *ab,
+ struct hal_rx_mpdu_info *mpdu_info)
+{
+ return ab->hw_params.hw_ops->mpdu_info_get_peerid(mpdu_info);
+}
+
static enum hal_rx_mon_status
ath11k_hal_rx_parse_mon_status_tlv(struct ath11k_base *ab,
struct hal_rx_mon_ppdu_info *ppdu_info,
@@ -1460,9 +1466,11 @@ ath11k_hal_rx_parse_mon_status_tlv(struct ath11k_base *ab,
break;
}
case HAL_RX_MPDU_START: {
+ struct hal_rx_mpdu_info *mpdu_info =
+ (struct hal_rx_mpdu_info *)tlv_data;
u16 peer_id;
- peer_id = ab->hw_params.hw_ops->mpdu_info_get_peerid(tlv_data);
+ peer_id = ath11k_hal_rx_mpduinfo_get_peerid(ab, mpdu_info);
if (peer_id)
ppdu_info->peer_id = peer_id;
break;
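Review bot: in the HAL_RX_MPDU_START case, tlv_data is cast to struct hal_rx_mpdu_info * and handed to the per-chip getter with no length check visible in this hunk. The QCN9074 layout added by this patch reads info0 after ten reserved words, so a TLV shorter than that would be read past its end. If ath11k_hal_rx_parse_mon_status_tlv() is only reached with a validated TLV length, a comment saying so would help; otherwise check the length before the cast.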
diff --git a/drivers/net/wireless/ath/ath11k/hal_rx.h b/drivers/net/wireless/ath/ath11k/hal_rx.h
index f6bae07abfd3e..47e8208b22e13 100644
--- a/drivers/net/wireless/ath/ath11k/hal_rx.h
+++ b/drivers/net/wireless/ath/ath11k/hal_rx.h
@@ -405,7 +405,7 @@ struct hal_rx_phyrx_rssi_legacy_info {
#define HAL_RX_MPDU_INFO_INFO0_PEERID_WCN6855 GENMASK(15, 0)
#define HAL_RX_MPDU_INFO_INFO1_MPDU_LEN GENMASK(13, 0)
-struct hal_rx_mpdu_info {
+struct hal_rx_mpdu_info_ipq8074 {
__le32 rsvd0;
__le32 info0;
__le32 rsvd1[11];
@@ -413,12 +413,28 @@ struct hal_rx_mpdu_info {
__le32 rsvd2[9];
} __packed;
+struct hal_rx_mpdu_info_qcn9074 {
+ __le32 rsvd0[10];
+ __le32 info0;
+ __le32 rsvd1[2];
+ __le32 info1;
+ __le32 rsvd2[9];
+} __packed;
+
struct hal_rx_mpdu_info_wcn6855 {
__le32 rsvd0[8];
__le32 info0;
__le32 rsvd1[14];
} __packed;
+struct hal_rx_mpdu_info {
+ union {
+ struct hal_rx_mpdu_info_ipq8074 ipq8074;
+ struct hal_rx_mpdu_info_qcn9074 qcn9074;
+ struct hal_rx_mpdu_info_wcn6855 wcn6855;
+ } u;
+} __packed;
+
#define HAL_RX_PPDU_END_DURATION GENMASK(23, 0)
struct hal_rx_ppdu_end_duration {
__le32 rsvd0[9];
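Review bot: struct hal_rx_mpdu_info is now a union of three per-chip layouts, and nothing in the header states or enforces that they describe a TLV of the same length. Counting the visible members, the QCN9074 and WCN6855 layouts are both 23 words; a static_assert() on the three sizes, plus a one-line comment on hal_rx_mpdu_info_qcn9074 naming the firmware header it mirrors, would catch a miscounted rsvd array.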
diff --git a/drivers/net/wireless/ath/ath11k/hw.c b/drivers/net/wireless/ath/ath11k/hw.c
index 60ac215e06786..6b4355a68e266 100644
--- a/drivers/net/wireless/ath/ath11k/hw.c
+++ b/drivers/net/wireless/ath/ath11k/hw.c
@@ -835,26 +835,35 @@ static void ath11k_hw_ipq5018_reo_setup(struct ath11k_base *ab)
ring_hash_map);
}
-static u16 ath11k_hw_ipq8074_mpdu_info_get_peerid(u8 *tlv_data)
+static u16
+ath11k_hw_ipq8074_mpdu_info_get_peerid(struct hal_rx_mpdu_info *mpdu_info)
{
u16 peer_id = 0;
- struct hal_rx_mpdu_info *mpdu_info =
- (struct hal_rx_mpdu_info *)tlv_data;
peer_id = FIELD_GET(HAL_RX_MPDU_INFO_INFO0_PEERID,
- __le32_to_cpu(mpdu_info->info0));
+ __le32_to_cpu(mpdu_info->u.ipq8074.info0));
return peer_id;
}
-static u16 ath11k_hw_wcn6855_mpdu_info_get_peerid(u8 *tlv_data)
+static u16
+ath11k_hw_qcn9074_mpdu_info_get_peerid(struct hal_rx_mpdu_info *mpdu_info)
+{
+ u16 peer_id = 0;
+
+ peer_id = FIELD_GET(HAL_RX_MPDU_INFO_INFO0_PEERID,
+ __le32_to_cpu(mpdu_info->u.qcn9074.info0));
+
+ return peer_id;
+}
+
+static u16
+ath11k_hw_wcn6855_mpdu_info_get_peerid(struct hal_rx_mpdu_info *mpdu_info)
{
u16 peer_id = 0;
- struct hal_rx_mpdu_info_wcn6855 *mpdu_info =
- (struct hal_rx_mpdu_info_wcn6855 *)tlv_data;
peer_id = FIELD_GET(HAL_RX_MPDU_INFO_INFO0_PEERID_WCN6855,
- __le32_to_cpu(mpdu_info->info0));
+ __le32_to_cpu(mpdu_info->u.wcn6855.info0));
return peer_id;
}
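Review bot: ath11k_hw_qcn9074_mpdu_info_get_peerid() extracts the id with HAL_RX_MPDU_INFO_INFO0_PEERID, the same mask the IPQ8074 getter uses, while WCN6855 has its own HAL_RX_MPDU_INFO_INFO0_PEERID_WCN6855. Since the point of the patch is that the QCN9074 header differs, a short comment confirming that only the word offset of info0 moved and the bit range did not would settle it. Separately, the `u16 peer_id = 0;` initializer in all three getters is overwritten by the next statement, and the functions could simply return the FIELD_GET() result.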
@@ -1042,7 +1051,7 @@ const struct ath11k_hw_ops qcn9074_ops = {
.rx_desc_get_attention = ath11k_hw_qcn9074_rx_desc_get_attention,
.rx_desc_get_msdu_payload = ath11k_hw_qcn9074_rx_desc_get_msdu_payload,
.reo_setup = ath11k_hw_ipq8074_reo_setup,
- .mpdu_info_get_peerid = ath11k_hw_ipq8074_mpdu_info_get_peerid,
+ .mpdu_info_get_peerid = ath11k_hw_qcn9074_mpdu_info_get_peerid,
.rx_desc_mac_addr2_valid = ath11k_hw_ipq9074_rx_desc_mac_addr2_valid,
.rx_desc_mpdu_start_addr2 = ath11k_hw_ipq9074_rx_desc_mpdu_start_addr2,
.get_ring_selector = ath11k_hw_ipq8074_get_tcl_ring_selector,
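Review bot: only qcn9074_ops is switched to the new getter. ipq5018_ops, as shown in the previous patch of this series, uses the qcn9074 rx_desc callbacks but still points .mpdu_info_get_peerid at ath11k_hw_ipq8074_mpdu_info_get_peerid. If IPQ5018 shares the QCN9074 TLV layout it needs the same change; if it does not, a comment in that table would show the mix is intentional.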
diff --git a/drivers/net/wireless/ath/ath11k/hw.h b/drivers/net/wireless/ath/ath11k/hw.h
index 9f45d061d8265..6a5dd2dbdb3ab 100644
--- a/drivers/net/wireless/ath/ath11k/hw.h
+++ b/drivers/net/wireless/ath/ath11k/hw.h
@@ -263,7 +263,7 @@ struct ath11k_hw_ops {
struct rx_attention *(*rx_desc_get_attention)(struct hal_rx_desc *desc);
u8 *(*rx_desc_get_msdu_payload)(struct hal_rx_desc *desc);
void (*reo_setup)(struct ath11k_base *ab);
- u16 (*mpdu_info_get_peerid)(u8 *tlv_data);
+ u16 (*mpdu_info_get_peerid)(struct hal_rx_mpdu_info *mpdu_info);
bool (*rx_desc_mac_addr2_valid)(struct hal_rx_desc *desc);
u8* (*rx_desc_mpdu_start_addr2)(struct hal_rx_desc *desc);
u32 (*get_ring_selector)(struct sk_buff *skb);
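Review bot: the new mpdu_info_get_peerid prototype takes a mutable struct hal_rx_mpdu_info *, but the three implementations in hw.c only read info0. Declaring the parameter as const struct hal_rx_mpdu_info * would document that the op never writes into the received TLV.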
--
2.53.0
* [PATCH 6.1 950/969] wifi: ath11k: fix peer resolution on rx path when peer_id=0
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (948 preceding siblings ...)
2026-05-30 16:07 ` [PATCH 6.1 949/969] wifi: ath11k: fix rssi station dump not updated in QCN9074 Greg Kroah-Hartman
@ 2026-05-30 16:07 ` Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 951/969] net: dsa: mt7530: sync driver-specific behavior of MT7531 variants Greg Kroah-Hartman
` (25 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baochen Qiang, Matthew Leach,
P Praneesh, Jeff Johnson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Leach <matthew.leach@collabora.com>
[ Upstream commit 2a2451a34afdf563b3102d36a4b6cf335cf813e2 ]
It has been observed that on certain chipsets a peer can be assigned
peer_id=0. For reception of non-aggregated MPDUs this is fine as
ath11k_dp_rx_h_find_peer() has a fallback case where it locates the peer
based upon the source MAC address. On an aggregated link, the mpdu_start
header is only populated by hardware on the first sub-MSDU. This causes
the peer resolution to be skipped for the subsequent MSDUs and the
encryption type of these frames to be set to an incorrect value,
resulting in these MSDUs being dropped by ieee80211.
ath11k_pci 0000:03:00.0: data rx skb 000000002f4b704d len 1534 peer xx:xx:xx:xx:xx:xx 0 ucast sn 3063 he160 rate_idx 9 vht_nss 2 freq 5240 band 1 flag 0x40d1a fcs-err 0 mic-err 0 amsdu-more 0 peer_id 0 first_msdu 1 last_msdu 0
ath11k_pci 0000:03:00.0: data rx skb 0000000038acd580 len 1534 peer (null) 0 ucast sn 3063 he160 rate_idx 9 vht_nss 2 freq 5240 band 1 flag 0x40d00 fcs-err 0 mic-err 0 amsdu-more 0 peer_id 0 first_msdu 0 last_msdu 1
Remove the null peer_id checks in ath11k_dp_rx_h_find_peer() and
ath11k_hal_rx_parse_mon_status_tlv(), allowing peers with an assigned ID
of 0 to be resolved.
Tested-on: QCA2066 hw2.1 PCI WLAN.HSP.1.1-03926.13-QCAHSPSWPL_V2_SILICONZ_CE-2.52297.9
Fixes: 2167fa606c0f ("ath11k: Add support for RX decapsulation offload")
Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
Signed-off-by: Matthew Leach <matthew.leach@collabora.com>
Reviewed-by: P Praneesh <praneesh.p@oss.qualcomm.com>
Link: https://patch.msgid.link/20260424-ath11k-null-peerid-workaround-v4-1-252b224d3cf6@collabora.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath11k/dp_rx.c | 3 +--
drivers/net/wireless/ath/ath11k/hal_rx.c | 5 +----
2 files changed, 2 insertions(+), 6 deletions(-)
diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c
index be00ea6fbf8b6..397ce654bb3fd 100644
--- a/drivers/net/wireless/ath/ath11k/dp_rx.c
+++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
@@ -2226,8 +2226,7 @@ ath11k_dp_rx_h_find_peer(struct ath11k_base *ab, struct sk_buff *msdu)
lockdep_assert_held(&ab->base_lock);
- if (rxcb->peer_id)
- peer = ath11k_peer_find_by_id(ab, rxcb->peer_id);
+ peer = ath11k_peer_find_by_id(ab, rxcb->peer_id);
if (peer)
return peer;
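Review bot: with the `if (rxcb->peer_id)` guard gone, ath11k_peer_find_by_id() is called with id 0 for every MSDU whose peer_id was never filled in, and `if (peer) return peer;` then returns before the source-MAC fallback the commit message describes. On a device where id 0 belongs to a real peer, a frame with an unpopulated peer_id is attributed to that peer and inherits its encryption type regardless of its source address. Consider carrying an explicit "peer_id valid" flag in rxcb, or cross-checking the frame's source MAC against the peer returned for id 0.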
diff --git a/drivers/net/wireless/ath/ath11k/hal_rx.c b/drivers/net/wireless/ath/ath11k/hal_rx.c
index 47bd937591470..a3fbff807948c 100644
--- a/drivers/net/wireless/ath/ath11k/hal_rx.c
+++ b/drivers/net/wireless/ath/ath11k/hal_rx.c
@@ -1468,11 +1468,8 @@ ath11k_hal_rx_parse_mon_status_tlv(struct ath11k_base *ab,
case HAL_RX_MPDU_START: {
struct hal_rx_mpdu_info *mpdu_info =
(struct hal_rx_mpdu_info *)tlv_data;
- u16 peer_id;
- peer_id = ath11k_hal_rx_mpduinfo_get_peerid(ab, mpdu_info);
- if (peer_id)
- ppdu_info->peer_id = peer_id;
+ ppdu_info->peer_id = ath11k_hal_rx_mpduinfo_get_peerid(ab, mpdu_info);
break;
}
case HAL_RXPCU_PPDU_END_INFO: {
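Review bot: ppdu_info->peer_id is now overwritten on every HAL_RX_MPDU_START TLV, including with 0, so 0 no longer distinguishes "no peer seen" from "peer 0". Any consumer of ppdu_info->peer_id that still treats 0 as unset will change behaviour; those users should be audited, or the changelog should state that none remain.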
--
2.53.0
* [PATCH 6.1 951/969] net: dsa: mt7530: sync driver-specific behavior of MT7531 variants
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (949 preceding siblings ...)
2026-05-30 16:07 ` [PATCH 6.1 950/969] wifi: ath11k: fix peer resolution on rx path when peer_id=0 Greg Kroah-Hartman
@ 2026-05-30 16:07 ` Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 952/969] net: dsa: mt7530: fix FDB entries not aging out with short timeout Greg Kroah-Hartman
` (24 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Golle, Chester A. Unal,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Golle <daniel@makrotopia.org>
[ Upstream commit 497041d763016c2e8314d2f6a329a9b77c3797ca ]
MT7531 standalone and MMIO variants found in MT7988 and EN7581 share
most basic properties. Despite that, assisted_learning_on_cpu_port and
mtu_enforcement_ingress were only applied for MT7531 but not for MT7988
or EN7581, causing the expected issues on MMIO devices.
Apply both settings equally also for MT7988 and EN7581 by moving both
assignments from mt7531_setup() to mt7531_setup_common().
This fixes unwanted flooding of packets due to unknown unicast
during DA lookup, as well as issues with heterogeneous MTU settings.
Fixes: 7f54cc9772ce ("net: dsa: mt7530: split-off common parts from mt7531_setup")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Reviewed-by: Chester A. Unal <chester.a.unal@arinc9.com>
Link: https://patch.msgid.link/89ed7ec6d4fa0395ac53ad2809742bb1ce61ed12.1745290867.git.daniel@makrotopia.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: e824e40d0e84 ("net: dsa: mt7530: fix FDB entries not aging out with short timeout")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/mt7530.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c
index 1aba0cf38630f..308e56a73df01 100644
--- a/drivers/net/dsa/mt7530.c
+++ b/drivers/net/dsa/mt7530.c
@@ -2558,6 +2558,9 @@ mt7531_setup_common(struct dsa_switch *ds)
struct mt7530_priv *priv = ds->priv;
int ret, i;
+ ds->assisted_learning_on_cpu_port = true;
+ ds->mtu_enforcement_ingress = true;
+
mt753x_trap_frames(priv);
/* Enable and reset MIB counters */
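Review bot: in mt7531_setup_common() the two flags are now set at the top of the function, before mt753x_trap_frames() and the rest of the hardware setup, whereas mt7531_setup() only set them after its last `if (ret) return ret;`. That is harmless if a failed setup tears the switch down, but the changelog should say the ordering change is intentional.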
@@ -2701,9 +2704,6 @@ mt7531_setup(struct dsa_switch *ds)
if (ret)
return ret;
- ds->assisted_learning_on_cpu_port = true;
- ds->mtu_enforcement_ingress = true;
-
return 0;
}
--
2.53.0
* [PATCH 6.1 952/969] net: dsa: mt7530: fix FDB entries not aging out with short timeout
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (950 preceding siblings ...)
2026-05-30 16:07 ` [PATCH 6.1 951/969] net: dsa: mt7530: sync driver-specific behavior of MT7531 variants Greg Kroah-Hartman
@ 2026-05-30 16:07 ` Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 953/969] net: dsa: mt7530: rename mt753x_bpdu_port_fw enum to mt753x_to_cpu_fw Greg Kroah-Hartman
` (23 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Daniel Golle, Paolo Abeni,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Golle <daniel@makrotopia.org>
[ Upstream commit e824e40d0e841fab66ab7897d6c7b14dc81c66a7 ]
The DSA forwarding selftests bridge_vlan_aware.sh and
bridge_vlan_unaware.sh configure the bridge with ageing_time set to
LOW_AGEING_TIME (1000 centiseconds, i.e. 10 seconds) and then run
learning_test() in lib.sh, which expects a learned FDB entry to be
removed after ageing_time + 10 seconds. On MT7530/MT7531 the entry
persisted past the deadline and the "Found FDB record when should
not" assertion failed.
With msecs=10000, the algorithm in mt7530_set_ageing_time() finds
AGE_CNT=0 and AGE_UNIT=9 as the first exact match (starting the
search from tmp_age_count=0). The per-entry aging counter is
initialized to AGE_CNT when a MAC address is learned, so with
AGE_CNT=0 new entries start with a counter value of 0, which the
hardware treats as "already aged" and never removes, effectively
disabling aging.
Fix this by starting the search from tmp_age_count=1 to ensure
entries always have a non-zero initial aging counter. For a
10-second ageing time this yields AGE_CNT=1 and AGE_UNIT=4 instead:
the timer ticks every 5 seconds and entries are removed after 2
ticks.
Starting the search at AGE_CNT=1 raises the minimum representable
ageing time from 1 to 2 seconds. Without bounds, a stale ageing_time
of 1 second would now make the loop fall through without setting
age_count and age_unit, leaving them uninitialized when written to
the MT7530_AAC hardware register. Set ds->ageing_time_min and
ds->ageing_time_max so the DSA core validates the range before the
callback is invoked, and drop the now-redundant range check from
mt7530_set_ageing_time().
Fixes: ea6d5c924e39 ("net: dsa: mt7530: support setting ageing time")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Link: https://patch.msgid.link/7788ded12dc07b1bce329ec35fa70f4b45f3f9b7.1778766629.git.daniel@makrotopia.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/mt7530.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c
index 308e56a73df01..3e81871688a9f 100644
--- a/drivers/net/dsa/mt7530.c
+++ b/drivers/net/dsa/mt7530.c
@@ -911,12 +911,16 @@ mt7530_set_ageing_time(struct dsa_switch *ds, unsigned int msecs)
unsigned int age_count;
unsigned int age_unit;
- /* Applied timer is (AGE_CNT + 1) * (AGE_UNIT + 1) seconds */
- if (secs < 1 || secs > (AGE_CNT_MAX + 1) * (AGE_UNIT_MAX + 1))
- return -ERANGE;
-
- /* iterate through all possible age_count to find the closest pair */
- for (tmp_age_count = 0; tmp_age_count <= AGE_CNT_MAX; ++tmp_age_count) {
+ /* Applied timer is (AGE_CNT + 1) * (AGE_UNIT + 1) seconds.
+ * The DSA core has already validated the range using
+ * ds->ageing_time_min and ds->ageing_time_max.
+ *
+ * Iterate through all possible age_count values to find the closest
+ * pair. Start from 1 because the per-entry aging counter is
+ * initialized to AGE_CNT and a value of 0 means the entry will
+ * never be aged out.
+ */
+ for (tmp_age_count = 1; tmp_age_count <= AGE_CNT_MAX; ++tmp_age_count) {
unsigned int tmp_age_unit = secs / (tmp_age_count + 1) - 1;
if (tmp_age_unit <= AGE_UNIT_MAX) {
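Review bot: age_count and age_unit are declared without initializers, and this hunk removes the only check in mt7530_set_ageing_time() that rejected out-of-range input. The function now depends entirely on the DSA core honouring ds->ageing_time_min and ds->ageing_time_max; if it is ever reached with secs < 2, the loop matches nothing and uninitialized stack values go to the hardware register, as the changelog itself notes. Keeping a cheap `return -ERANGE` after the loop when no pair was found would make the function safe on its own.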
@@ -2381,6 +2385,8 @@ mt7530_setup(struct dsa_switch *ds)
ds->assisted_learning_on_cpu_port = true;
ds->mtu_enforcement_ingress = true;
+ ds->ageing_time_min = 2 * 1000;
+ ds->ageing_time_max = (AGE_CNT_MAX + 1) * (AGE_UNIT_MAX + 1) * 1000;
if (priv->id == ID_MT7530) {
regulator_set_voltage(priv->core_pwr, 1000000, 1000000);
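Review bot: `ds->ageing_time_min = 2 * 1000;` hard-codes the minimum while the maximum on the next line is derived from AGE_CNT_MAX and AGE_UNIT_MAX. The 2 comes from the search now starting at AGE_CNT = 1, so a named constant or a short comment would keep the bound tied to the loop's start value in mt7530_set_ageing_time().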
@@ -2560,6 +2566,8 @@ mt7531_setup_common(struct dsa_switch *ds)
ds->assisted_learning_on_cpu_port = true;
ds->mtu_enforcement_ingress = true;
+ ds->ageing_time_min = 2 * 1000;
+ ds->ageing_time_max = (AGE_CNT_MAX + 1) * (AGE_UNIT_MAX + 1) * 1000;
mt753x_trap_frames(priv);
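Review bot: these two ageing_time assignments are a verbatim copy of the pair added to mt7530_setup() in the previous hunk. A small helper called from both setup paths would keep the bounds from drifting apart, which matters now that mt7530_set_ageing_time() no longer range-checks its argument.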
--
2.53.0
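The ageing-time search described in the commit message above, as an added stand-alone example that is not part of the patch or the driver. The names age_search(), struct age_pair and first_count are hypothetical, the AGE_CNT_MAX and AGE_UNIT_MAX values are assumed for illustration, and the closest-pair bookkeeping inside the loop is reconstructed from the "find the closest pair" comment and the changelog rather than copied from the page.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumed register field limits for this example; not taken from the page. */
#define AGE_CNT_MAX  0x1ffu
#define AGE_UNIT_MAX 0xfffu

struct age_pair {
	bool found;              /* false: loop fell through, nothing to program */
	unsigned int age_count;  /* AGE_CNT  */
	unsigned int age_unit;   /* AGE_UNIT */
};

/*
 * Search for the (AGE_CNT, AGE_UNIT) pair whose applied timer,
 * (AGE_CNT + 1) * (AGE_UNIT + 1) seconds, is closest to 'secs' without
 * exceeding it. 'first_count' is the first AGE_CNT value tried:
 * 0 models the loop before the fix, 1 the loop after it.
 */
static struct age_pair age_search(unsigned int secs, unsigned int first_count)
{
	struct age_pair best = { .found = false, .age_count = 0, .age_unit = 0 };
	unsigned int best_error = ~0u;
	unsigned int cnt;

	for (cnt = first_count; cnt <= AGE_CNT_MAX; ++cnt) {
		/* Wraps to a huge value when secs < cnt + 1; the bound rejects it. */
		unsigned int unit = secs / (cnt + 1) - 1;
		unsigned int error;

		if (unit > AGE_UNIT_MAX)
			continue;

		error = secs - (cnt + 1) * (unit + 1);
		if (error < best_error) {
			best_error = error;
			best.found = true;
			best.age_count = cnt;
			best.age_unit = unit;
		}
		if (error == 0)
			break;  /* exact match, stop searching */
	}
	return best;
}

/* Timer the hardware would apply for a given pair, in seconds. */
static unsigned int applied_seconds(struct age_pair p)
{
	return (p.age_count + 1) * (p.age_unit + 1);
}

static void show(unsigned int secs, unsigned int first_count)
{
	struct age_pair p = age_search(secs, first_count);

	if (!p.found) {
		printf("secs=%u start=%u: no pair found, caller must reject\n",
		       secs, first_count);
		return;
	}
	printf("secs=%u start=%u: AGE_CNT=%u AGE_UNIT=%u applied=%us%s\n",
	       secs, first_count, p.age_count, p.age_unit, applied_seconds(p),
	       p.age_count == 0 ? "  (entries start with counter 0)" : "");
}

int main(void)
{
	show(10, 0);  /* pre-fix search: the AGE_CNT=0 case from the changelog */
	show(10, 1);  /* post-fix search for the same 10 second request */
	show(7, 1);   /* a value with no 2-tick exact match */
	show(1, 1);   /* below the new minimum: nothing is found */
	return 0;
}
```

The last case is why a caller of such a search has to either bound its input or check whether a pair was found before programming the register.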
* [PATCH 6.1 953/969] net: dsa: mt7530: rename mt753x_bpdu_port_fw enum to mt753x_to_cpu_fw
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (951 preceding siblings ...)
2026-05-30 16:07 ` [PATCH 6.1 952/969] net: dsa: mt7530: fix FDB entries not aging out with short timeout Greg Kroah-Hartman
@ 2026-05-30 16:07 ` Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 954/969] net: dsa: mt7530: preserve VLAN tags on trapped link-local frames Greg Kroah-Hartman
` (22 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arınç ÜNAL,
David S. Miller, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arınç ÜNAL <arinc.unal@arinc9.com>
[ Upstream commit 7603a0c7d2210a253265394b50567c64fbb977e4 ]
The mt753x_bpdu_port_fw enum is globally used for manipulating the process
of deciding the forwardable ports, specifically concerning the CPU port(s).
Therefore, rename it and the values in it to mt753x_to_cpu_fw.
Change FOLLOW_MFC to SYSTEM_DEFAULT to be on par with the switch documents.
Signed-off-by: Arınç ÜNAL <arinc.unal@arinc9.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 3ac85bcfd404 ("net: dsa: mt7530: preserve VLAN tags on trapped link-local frames")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/mt7530.c | 44 ++++++++++-------------
drivers/net/dsa/mt7530.h | 76 ++++++++++++++++++++--------------------
2 files changed, 56 insertions(+), 64 deletions(-)
diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c
index 3e81871688a9f..fc3c97d0df4fc 100644
--- a/drivers/net/dsa/mt7530.c
+++ b/drivers/net/dsa/mt7530.c
@@ -1191,42 +1191,34 @@ mt753x_trap_frames(struct mt7530_priv *priv)
* VLAN-untagged.
*/
mt7530_rmw(priv, MT753X_BPC,
- MT753X_PAE_BPDU_FR | MT753X_PAE_EG_TAG_MASK |
- MT753X_PAE_PORT_FW_MASK | MT753X_BPDU_EG_TAG_MASK |
- MT753X_BPDU_PORT_FW_MASK,
- MT753X_PAE_BPDU_FR |
- MT753X_PAE_EG_TAG(MT7530_VLAN_EG_UNTAGGED) |
- MT753X_PAE_PORT_FW(MT753X_BPDU_CPU_ONLY) |
- MT753X_BPDU_EG_TAG(MT7530_VLAN_EG_UNTAGGED) |
- MT753X_BPDU_CPU_ONLY);
+ PAE_BPDU_FR | PAE_EG_TAG_MASK | PAE_PORT_FW_MASK |
+ BPDU_EG_TAG_MASK | BPDU_PORT_FW_MASK,
+ PAE_BPDU_FR | PAE_EG_TAG(MT7530_VLAN_EG_UNTAGGED) |
+ PAE_PORT_FW(TO_CPU_FW_CPU_ONLY) |
+ BPDU_EG_TAG(MT7530_VLAN_EG_UNTAGGED) |
+ TO_CPU_FW_CPU_ONLY);
/* Trap frames with :01 and :02 MAC DAs to the CPU port(s) and egress
* them VLAN-untagged.
*/
mt7530_rmw(priv, MT753X_RGAC1,
- MT753X_R02_BPDU_FR | MT753X_R02_EG_TAG_MASK |
- MT753X_R02_PORT_FW_MASK | MT753X_R01_BPDU_FR |
- MT753X_R01_EG_TAG_MASK | MT753X_R01_PORT_FW_MASK,
- MT753X_R02_BPDU_FR |
- MT753X_R02_EG_TAG(MT7530_VLAN_EG_UNTAGGED) |
- MT753X_R02_PORT_FW(MT753X_BPDU_CPU_ONLY) |
- MT753X_R01_BPDU_FR |
- MT753X_R01_EG_TAG(MT7530_VLAN_EG_UNTAGGED) |
- MT753X_BPDU_CPU_ONLY);
+ R02_BPDU_FR | R02_EG_TAG_MASK | R02_PORT_FW_MASK |
+ R01_BPDU_FR | R01_EG_TAG_MASK | R01_PORT_FW_MASK,
+ R02_BPDU_FR | R02_EG_TAG(MT7530_VLAN_EG_UNTAGGED) |
+ R02_PORT_FW(TO_CPU_FW_CPU_ONLY) | R01_BPDU_FR |
+ R01_EG_TAG(MT7530_VLAN_EG_UNTAGGED) |
+ TO_CPU_FW_CPU_ONLY);
/* Trap frames with :03 and :0E MAC DAs to the CPU port(s) and egress
* them VLAN-untagged.
*/
mt7530_rmw(priv, MT753X_RGAC2,
- MT753X_R0E_BPDU_FR | MT753X_R0E_EG_TAG_MASK |
- MT753X_R0E_PORT_FW_MASK | MT753X_R03_BPDU_FR |
- MT753X_R03_EG_TAG_MASK | MT753X_R03_PORT_FW_MASK,
- MT753X_R0E_BPDU_FR |
- MT753X_R0E_EG_TAG(MT7530_VLAN_EG_UNTAGGED) |
- MT753X_R0E_PORT_FW(MT753X_BPDU_CPU_ONLY) |
- MT753X_R03_BPDU_FR |
- MT753X_R03_EG_TAG(MT7530_VLAN_EG_UNTAGGED) |
- MT753X_BPDU_CPU_ONLY);
+ R0E_BPDU_FR | R0E_EG_TAG_MASK | R0E_PORT_FW_MASK |
+ R03_BPDU_FR | R03_EG_TAG_MASK | R03_PORT_FW_MASK,
+ R0E_BPDU_FR | R0E_EG_TAG(MT7530_VLAN_EG_UNTAGGED) |
+ R0E_PORT_FW(TO_CPU_FW_CPU_ONLY) | R03_BPDU_FR |
+ R03_EG_TAG(MT7530_VLAN_EG_UNTAGGED) |
+ TO_CPU_FW_CPU_ONLY);
}
static int
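Review bot: in all three mt7530_rmw() calls the low port-forward field is written as a bare TO_CPU_FW_CPU_ONLY, while the high field goes through PAE_PORT_FW(), R02_PORT_FW() and R0E_PORT_FW(). That only works because BPDU_PORT_FW_MASK, R01_PORT_FW_MASK and R03_PORT_FW_MASK start at bit 0; adding BPDU_PORT_FW(x), R01_PORT_FW(x) and R03_PORT_FW(x) wrappers built on FIELD_PREP() would make the two halves symmetric and keep the code correct if a field ever moves.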
diff --git a/drivers/net/dsa/mt7530.h b/drivers/net/dsa/mt7530.h
index 6441e8d7f05d9..54d806a1c2713 100644
--- a/drivers/net/dsa/mt7530.h
+++ b/drivers/net/dsa/mt7530.h
@@ -66,47 +66,47 @@ enum mt753x_id {
#define MT753X_MIRROR_MASK(id) (((id) == ID_MT7531) ? \
MT7531_MIRROR_MASK : MIRROR_MASK)
-/* Registers for BPDU and PAE frame control*/
+/* Register for BPDU and PAE frame control */
#define MT753X_BPC 0x24
-#define MT753X_PAE_BPDU_FR BIT(25)
-#define MT753X_PAE_EG_TAG_MASK GENMASK(24, 22)
-#define MT753X_PAE_EG_TAG(x) FIELD_PREP(MT753X_PAE_EG_TAG_MASK, x)
-#define MT753X_PAE_PORT_FW_MASK GENMASK(18, 16)
-#define MT753X_PAE_PORT_FW(x) FIELD_PREP(MT753X_PAE_PORT_FW_MASK, x)
-#define MT753X_BPDU_EG_TAG_MASK GENMASK(8, 6)
-#define MT753X_BPDU_EG_TAG(x) FIELD_PREP(MT753X_BPDU_EG_TAG_MASK, x)
-#define MT753X_BPDU_PORT_FW_MASK GENMASK(2, 0)
-
-/* Register for :01 and :02 MAC DA frame control */
+#define PAE_BPDU_FR BIT(25)
+#define PAE_EG_TAG_MASK GENMASK(24, 22)
+#define PAE_EG_TAG(x) FIELD_PREP(PAE_EG_TAG_MASK, x)
+#define PAE_PORT_FW_MASK GENMASK(18, 16)
+#define PAE_PORT_FW(x) FIELD_PREP(PAE_PORT_FW_MASK, x)
+#define BPDU_EG_TAG_MASK GENMASK(8, 6)
+#define BPDU_EG_TAG(x) FIELD_PREP(BPDU_EG_TAG_MASK, x)
+#define BPDU_PORT_FW_MASK GENMASK(2, 0)
+
+/* Register for 01-80-C2-00-00-[01,02] MAC DA frame control */
#define MT753X_RGAC1 0x28
-#define MT753X_R02_BPDU_FR BIT(25)
-#define MT753X_R02_EG_TAG_MASK GENMASK(24, 22)
-#define MT753X_R02_EG_TAG(x) FIELD_PREP(MT753X_R02_EG_TAG_MASK, x)
-#define MT753X_R02_PORT_FW_MASK GENMASK(18, 16)
-#define MT753X_R02_PORT_FW(x) FIELD_PREP(MT753X_R02_PORT_FW_MASK, x)
-#define MT753X_R01_BPDU_FR BIT(9)
-#define MT753X_R01_EG_TAG_MASK GENMASK(8, 6)
-#define MT753X_R01_EG_TAG(x) FIELD_PREP(MT753X_R01_EG_TAG_MASK, x)
-#define MT753X_R01_PORT_FW_MASK GENMASK(2, 0)
-
-/* Register for :03 and :0E MAC DA frame control */
+#define R02_BPDU_FR BIT(25)
+#define R02_EG_TAG_MASK GENMASK(24, 22)
+#define R02_EG_TAG(x) FIELD_PREP(R02_EG_TAG_MASK, x)
+#define R02_PORT_FW_MASK GENMASK(18, 16)
+#define R02_PORT_FW(x) FIELD_PREP(R02_PORT_FW_MASK, x)
+#define R01_BPDU_FR BIT(9)
+#define R01_EG_TAG_MASK GENMASK(8, 6)
+#define R01_EG_TAG(x) FIELD_PREP(R01_EG_TAG_MASK, x)
+#define R01_PORT_FW_MASK GENMASK(2, 0)
+
+/* Register for 01-80-C2-00-00-[03,0E] MAC DA frame control */
#define MT753X_RGAC2 0x2c
-#define MT753X_R0E_BPDU_FR BIT(25)
-#define MT753X_R0E_EG_TAG_MASK GENMASK(24, 22)
-#define MT753X_R0E_EG_TAG(x) FIELD_PREP(MT753X_R0E_EG_TAG_MASK, x)
-#define MT753X_R0E_PORT_FW_MASK GENMASK(18, 16)
-#define MT753X_R0E_PORT_FW(x) FIELD_PREP(MT753X_R0E_PORT_FW_MASK, x)
-#define MT753X_R03_BPDU_FR BIT(9)
-#define MT753X_R03_EG_TAG_MASK GENMASK(8, 6)
-#define MT753X_R03_EG_TAG(x) FIELD_PREP(MT753X_R03_EG_TAG_MASK, x)
-#define MT753X_R03_PORT_FW_MASK GENMASK(2, 0)
-
-enum mt753x_bpdu_port_fw {
- MT753X_BPDU_FOLLOW_MFC,
- MT753X_BPDU_CPU_EXCLUDE = 4,
- MT753X_BPDU_CPU_INCLUDE = 5,
- MT753X_BPDU_CPU_ONLY = 6,
- MT753X_BPDU_DROP = 7,
+#define R0E_BPDU_FR BIT(25)
+#define R0E_EG_TAG_MASK GENMASK(24, 22)
+#define R0E_EG_TAG(x) FIELD_PREP(R0E_EG_TAG_MASK, x)
+#define R0E_PORT_FW_MASK GENMASK(18, 16)
+#define R0E_PORT_FW(x) FIELD_PREP(R0E_PORT_FW_MASK, x)
+#define R03_BPDU_FR BIT(9)
+#define R03_EG_TAG_MASK GENMASK(8, 6)
+#define R03_EG_TAG(x) FIELD_PREP(R03_EG_TAG_MASK, x)
+#define R03_PORT_FW_MASK GENMASK(2, 0)
+
+enum mt753x_to_cpu_fw {
+ TO_CPU_FW_SYSTEM_DEFAULT,
+ TO_CPU_FW_CPU_EXCLUDE = 4,
+ TO_CPU_FW_CPU_INCLUDE = 5,
+ TO_CPU_FW_CPU_ONLY = 6,
+ TO_CPU_FW_DROP = 7,
};
/* Registers for address table access */
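Review bot: dropping the MT753X_ prefix leaves very generic macro names in the header (PAE_BPDU_FR, R01_EG_TAG, BPDU_PORT_FW_MASK, TO_CPU_FW_DROP), which are easier to collide with other definitions and harder to grep for. Also, TO_CPU_FW_SYSTEM_DEFAULT relies on the implicit value 0 while every other enumerator is assigned explicitly; writing `= 0` would make the register encoding complete at a glance.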
--
2.53.0
* [PATCH 6.1 954/969] net: dsa: mt7530: preserve VLAN tags on trapped link-local frames
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (952 preceding siblings ...)
2026-05-30 16:07 ` [PATCH 6.1 953/969] net: dsa: mt7530: rename mt753x_bpdu_port_fw enum to mt753x_to_cpu_fw Greg Kroah-Hartman
@ 2026-05-30 16:07 ` Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 955/969] net: mana: Fix TOCTOU double-fetch of hwc_msg_id from DMA buffer Greg Kroah-Hartman
` (21 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Golle, Chester A. Unal,
Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Golle <daniel@makrotopia.org>
[ Upstream commit 3ac85bcfd404b588298c95c6fba8aad4ad334f57 ]
The BPC, RGAC1 and RGAC2 registers control the handling of link-local
frames with reserved MAC DAs (01:80:C2:00:00:0x). These frames are
correctly trapped to the CPU port, but the egress VLAN tag attribute was
set to MT7530_VLAN_EG_UNTAGGED which causes the switch to strip any
VLAN tags from trapped frames before they reach the CPU.
This causes VLAN-tagged link-local frames (STP BPDUs, LLDP, PTP Peer
Delay Requests) to arrive at the CPU without their VLAN tag, so they
are delivered to the base network interface instead of the VLAN
sub-interface. The DSA local_termination selftest confirms this: all
link-local protocol tests on VLAN upper interfaces fail.
Set the EG_TAG attribute to MT7530_VLAN_EG_DISABLED (system default)
so that the switch does not modify VLAN tags in trapped frames. This
way VLAN-tagged frames retain their original tag and are delivered to
the correct VLAN sub-interface, matching the behavior of non-trapped
frames which pass through without VLAN tag modification.
Fixes: 69ddba9d170b ("net: dsa: mt7530: fix handling of all link-local frames")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Acked-by: Chester A. Unal <chester.a.unal@arinc9.com>
Link: https://patch.msgid.link/891e0cd34db2a5fe20ceb73283a81fb5f71427ca.1778766629.git.daniel@makrotopia.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/mt7530.c | 27 +++++++++++++++------------
1 file changed, 15 insertions(+), 12 deletions(-)
diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c
index fc3c97d0df4fc..73eeb6aeac5cc 100644
--- a/drivers/net/dsa/mt7530.c
+++ b/drivers/net/dsa/mt7530.c
@@ -1187,37 +1187,40 @@ static void mt7530_setup_port5(struct dsa_switch *ds, phy_interface_t interface)
static void
mt753x_trap_frames(struct mt7530_priv *priv)
{
- /* Trap 802.1X PAE frames and BPDUs to the CPU port(s) and egress them
- * VLAN-untagged.
+ /* Trap 802.1X PAE frames and BPDUs to the CPU port(s) and egress
+ * them with the EG_TAG attribute set to disabled (system default)
+ * so that any VLAN tags in the frame are not modified by the
+ * switch egress VLAN tag processing. This preserves VLAN tags
+ * for reception on VLAN sub-interfaces.
*/
mt7530_rmw(priv, MT753X_BPC,
PAE_BPDU_FR | PAE_EG_TAG_MASK | PAE_PORT_FW_MASK |
BPDU_EG_TAG_MASK | BPDU_PORT_FW_MASK,
- PAE_BPDU_FR | PAE_EG_TAG(MT7530_VLAN_EG_UNTAGGED) |
+ PAE_BPDU_FR | PAE_EG_TAG(MT7530_VLAN_EG_DISABLED) |
PAE_PORT_FW(TO_CPU_FW_CPU_ONLY) |
- BPDU_EG_TAG(MT7530_VLAN_EG_UNTAGGED) |
+ BPDU_EG_TAG(MT7530_VLAN_EG_DISABLED) |
TO_CPU_FW_CPU_ONLY);
- /* Trap frames with :01 and :02 MAC DAs to the CPU port(s) and egress
- * them VLAN-untagged.
+ /* Trap frames with :01 and :02 MAC DAs to the CPU port(s) and
+ * egress them with EG_TAG disabled.
*/
mt7530_rmw(priv, MT753X_RGAC1,
R02_BPDU_FR | R02_EG_TAG_MASK | R02_PORT_FW_MASK |
R01_BPDU_FR | R01_EG_TAG_MASK | R01_PORT_FW_MASK,
- R02_BPDU_FR | R02_EG_TAG(MT7530_VLAN_EG_UNTAGGED) |
+ R02_BPDU_FR | R02_EG_TAG(MT7530_VLAN_EG_DISABLED) |
R02_PORT_FW(TO_CPU_FW_CPU_ONLY) | R01_BPDU_FR |
- R01_EG_TAG(MT7530_VLAN_EG_UNTAGGED) |
+ R01_EG_TAG(MT7530_VLAN_EG_DISABLED) |
TO_CPU_FW_CPU_ONLY);
- /* Trap frames with :03 and :0E MAC DAs to the CPU port(s) and egress
- * them VLAN-untagged.
+ /* Trap frames with :03 and :0E MAC DAs to the CPU port(s) and
+ * egress them with EG_TAG disabled.
*/
mt7530_rmw(priv, MT753X_RGAC2,
R0E_BPDU_FR | R0E_EG_TAG_MASK | R0E_PORT_FW_MASK |
R03_BPDU_FR | R03_EG_TAG_MASK | R03_PORT_FW_MASK,
- R0E_BPDU_FR | R0E_EG_TAG(MT7530_VLAN_EG_UNTAGGED) |
+ R0E_BPDU_FR | R0E_EG_TAG(MT7530_VLAN_EG_DISABLED) |
R0E_PORT_FW(TO_CPU_FW_CPU_ONLY) | R03_BPDU_FR |
- R03_EG_TAG(MT7530_VLAN_EG_UNTAGGED) |
+ R03_EG_TAG(MT7530_VLAN_EG_DISABLED) |
TO_CPU_FW_CPU_ONLY);
}
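Review bot: the first comment in mt753x_trap_frames() equates MT7530_VLAN_EG_DISABLED with "system default", but nothing in the hunk says which setting then decides how a trapped frame leaves the CPU port. Since the tag state of BPDU, PAE and other link-local frames now depends on configuration outside this function, the comment should name that setting so a later change to it is recognised as affecting trapped control frames too.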
--
2.53.0
* [PATCH 6.1 955/969] net: mana: Fix TOCTOU double-fetch of hwc_msg_id from DMA buffer
From: Greg Kroah-Hartman @ 2026-05-30 16:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Erni Sri Satya Vennela, Paolo Abeni,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Erni Sri Satya Vennela <ernis@linux.microsoft.com>
[ Upstream commit 35f0f0a2536a4d604b4dbad92c85c4a8fdebb870 ]
In mana_hwc_rx_event_handler(), resp->response.hwc_msg_id is read from
DMA-coherent memory and bounds-checked, then mana_hwc_handle_resp()
re-reads the same field from the same DMA buffer for test_bit() and
pointer arithmetic.
DMA-coherent memory is mapped uncacheable on x86 and is shared,
unencrypted, in Confidential VMs (SEV-SNP/TDX), so each load goes
directly to host-visible memory. A H/W can modify the value
between the check and the use, bypassing the bounds validation.
Fix this by reading hwc_msg_id exactly once using READ_ONCE() into a
stack-local variable in mana_hwc_rx_event_handler(), and passing the
validated value as a parameter to mana_hwc_handle_resp().
Fixes: ca9c54d2d6a5 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)")
Signed-off-by: Erni Sri Satya Vennela <ernis@linux.microsoft.com>
Link: https://patch.msgid.link/20260514194156.466823-1-ernis@linux.microsoft.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/microsoft/mana/hw_channel.c | 23 +++++++++++--------
1 file changed, 13 insertions(+), 10 deletions(-)
diff --git a/drivers/net/ethernet/microsoft/mana/hw_channel.c b/drivers/net/ethernet/microsoft/mana/hw_channel.c
index 8111f181f9572..d429ecdbc5d4f 100644
--- a/drivers/net/ethernet/microsoft/mana/hw_channel.c
+++ b/drivers/net/ethernet/microsoft/mana/hw_channel.c
@@ -75,21 +75,19 @@ static int mana_hwc_post_rx_wqe(const struct hwc_wq *hwc_rxq,
}
static void mana_hwc_handle_resp(struct hw_channel_context *hwc, u32 resp_len,
- struct hwc_work_request *rx_req)
+ struct hwc_work_request *rx_req, u16 msg_id)
{
const struct gdma_resp_hdr *resp_msg = rx_req->buf_va;
struct hwc_caller_ctx *ctx;
int err;
- if (!test_bit(resp_msg->response.hwc_msg_id,
- hwc->inflight_msg_res.map)) {
- dev_err(hwc->dev, "hwc_rx: invalid msg_id = %u\n",
- resp_msg->response.hwc_msg_id);
+ if (!test_bit(msg_id, hwc->inflight_msg_res.map)) {
+ dev_err(hwc->dev, "hwc_rx: invalid msg_id = %u\n", msg_id);
mana_hwc_post_rx_wqe(hwc->rxq, rx_req);
return;
}
- ctx = hwc->caller_ctx + resp_msg->response.hwc_msg_id;
+ ctx = hwc->caller_ctx + msg_id;
err = mana_hwc_verify_resp_msg(ctx, resp_msg, resp_len);
if (err)
goto out;
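Review bot: mana_hwc_handle_resp() still passes resp_msg, which points at rx_req->buf_va, to mana_hwc_verify_resp_msg(), so anything that helper checks is loaded from the same shared buffer after msg_id has been validated. Worth confirming it does not compare against response.hwc_msg_id again or fetch a header field more than once; if it does, those fields need the same single-read snapshot. A one-line comment that msg_id must already be bounded by num_inflight_msg would also help, since test_bit() and the caller_ctx offset here rely entirely on the caller's check.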
@@ -200,6 +198,7 @@ static void mana_hwc_rx_event_handler(void *ctx, u32 gdma_rxq_id,
struct gdma_sge *sge;
u64 rq_base_addr;
u64 rx_req_idx;
+ u16 msg_id;
u8 *wqe;
if (WARN_ON_ONCE(hwc_rxq->gdma_wq->id != gdma_rxq_id))
@@ -218,13 +217,17 @@ static void mana_hwc_rx_event_handler(void *ctx, u32 gdma_rxq_id,
rx_req = &hwc_rxq->msg_buf->reqs[rx_req_idx];
resp = (struct gdma_resp_hdr *)rx_req->buf_va;
- if (resp->response.hwc_msg_id >= hwc->num_inflight_msg) {
- dev_err(hwc->dev, "HWC RX: wrong msg_id=%u\n",
- resp->response.hwc_msg_id);
+ /* Read msg_id once from DMA buffer to prevent TOCTOU:
+ * DMA memory is shared/unencrypted in CVMs - host can
+ * modify it between reads.
+ */
+ msg_id = READ_ONCE(resp->response.hwc_msg_id);
+ if (msg_id >= hwc->num_inflight_msg) {
+ dev_err(hwc->dev, "HWC RX: wrong msg_id=%u\n", msg_id);
return;
}
- mana_hwc_handle_resp(hwc, rx_oob->tx_oob_data_size, rx_req);
+ mana_hwc_handle_resp(hwc, rx_oob->tx_oob_data_size, rx_req, msg_id);
/* Can no longer use 'resp', because the buffer is posted to the HW
* in mana_hwc_handle_resp() above.
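Review bot: the early return for msg_id >= hwc->num_inflight_msg leaves rx_req unposted, while the invalid-msg_id branch in mana_hwc_handle_resp() calls mana_hwc_post_rx_wqe(hwc->rxq, rx_req) before returning. If that difference is not intentional, each out-of-range response costs one RX buffer, which matters because the value comes from the other side of the DMA buffer. The dev_err() on this path is triggered by the same value, so dev_err_ratelimited() would be the safer choice.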
--
2.53.0
* [PATCH 6.1 956/969] platform/x86: adv_swbutton: Check ACPI_HANDLE() against NULL
From: Greg Kroah-Hartman @ 2026-05-30 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Andy Shevchenko,
Ilpo Järvinen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit e7a9a6ea40e352cd7977f6a8c80bdeadf65ad838 ]
Every platform driver can be forced to match a device that doesn't match
its list of device IDs because of device_match_driver_override(), so
platform drivers that rely on the existence of a device's ACPI companion
object need to verify its presence.
Accordingly, add a requisite ACPI_HANDLE() check against NULL to the
platform/x86 adv_swbutton driver.
Fixes: 3d904005f686 ("platform/x86: add support for Advantech software defined button")
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://patch.msgid.link/5115425.31r3eYUQgx@rafael.j.wysocki
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/adv_swbutton.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/platform/x86/adv_swbutton.c b/drivers/platform/x86/adv_swbutton.c
index 38693b735c876..87b7fd09a6f6f 100644
--- a/drivers/platform/x86/adv_swbutton.c
+++ b/drivers/platform/x86/adv_swbutton.c
@@ -48,10 +48,14 @@ static int adv_swbutton_probe(struct platform_device *device)
{
struct adv_swbutton *button;
struct input_dev *input;
- acpi_handle handle = ACPI_HANDLE(&device->dev);
+ acpi_handle handle;
acpi_status status;
int error;
+ handle = ACPI_HANDLE(&device->dev);
+ if (!handle)
+ return -ENODEV;
+
button = devm_kzalloc(&device->dev, sizeof(*button), GFP_KERNEL);
if (!button)
return -ENOMEM;
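Review bot: missing comment on the new "if (!handle)" check in adv_swbutton_probe(): nothing in the code says how a device bound to this driver can lack an ACPI handle, and the reason (a bind forced through driver_override) lives only in the commit message. A short comment above the check would keep it from being removed later as dead code.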
--
2.53.0
* [PATCH 6.1 957/969] platform/x86: hp_accel: Check ACPI_COMPANION() against NULL
From: Greg Kroah-Hartman @ 2026-05-30 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Andy Shevchenko,
Ilpo Järvinen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit abfbe5ee8ae89f1f5449790423d5dd3e423545bd ]
Every platform driver can be forced to match a device that doesn't match
its list of device IDs because of device_match_driver_override(), so
platform drivers that rely on the existence of a device's ACPI companion
object need to verify its presence.
Accordingly, add a requisite ACPI_COMPANION() check against NULL to the
platform/x86 hp_accel driver.
Fixes: 8ebcb6c94c71 ("platform/x86: hp_accel: Convert to be a platform driver")
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://patch.msgid.link/2425918.ElGaqSPkdT@rafael.j.wysocki
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/hp/hp_accel.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/platform/x86/hp/hp_accel.c b/drivers/platform/x86/hp/hp_accel.c
index 6477591747cfd..690825c9117f0 100644
--- a/drivers/platform/x86/hp/hp_accel.c
+++ b/drivers/platform/x86/hp/hp_accel.c
@@ -300,6 +300,9 @@ static int lis3lv02d_probe(struct platform_device *device)
int ret;
lis3_dev.bus_priv = ACPI_COMPANION(&device->dev);
+ if (!lis3_dev.bus_priv)
+ return -ENODEV;
+
lis3_dev.init = lis3lv02d_acpi_init;
lis3_dev.read = lis3lv02d_acpi_read;
lis3_dev.write = lis3lv02d_acpi_write;
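Review bot: in lis3lv02d_probe() the NULL test runs after ACPI_COMPANION() has already been stored in lis3_dev.bus_priv, and lis3_dev is not a local of this function in the visible lines. Reading the companion into a local, returning -ENODEV if it is NULL, and assigning lis3_dev.bus_priv only on success would keep the failure path from writing to that object at all.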
--
2.53.0
* [PATCH 6.1 958/969] platform/x86: intel-hid: Check ACPI_HANDLE() against NULL
From: Greg Kroah-Hartman @ 2026-05-30 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Andy Shevchenko,
Ilpo Järvinen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit 5c69e090ae5dd93d910f70db0796357080707d26 ]
Every platform driver can be forced to match a device that doesn't match
its list of device IDs because of device_match_driver_override(), so
platform drivers that rely on the existence of a device's ACPI companion
object need to verify its presence.
Accordingly, add a requisite ACPI_HANDLE() check against NULL to the
platform/x86 intel-hid driver.
Fixes: ecc83e52b28c ("intel-hid: new hid event driver for hotkeys")
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://patch.msgid.link/1971512.tdWV9SEqCh@rafael.j.wysocki
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/intel/hid.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/platform/x86/intel/hid.c b/drivers/platform/x86/intel/hid.c
index 761d88929ef97..ddf46fceb1c37 100644
--- a/drivers/platform/x86/intel/hid.c
+++ b/drivers/platform/x86/intel/hid.c
@@ -638,12 +638,16 @@ static bool button_array_present(struct platform_device *device)
static int intel_hid_probe(struct platform_device *device)
{
- acpi_handle handle = ACPI_HANDLE(&device->dev);
unsigned long long mode, dummy;
struct intel_hid_priv *priv;
+ acpi_handle handle;
acpi_status status;
int err;
+ handle = ACPI_HANDLE(&device->dev);
+ if (!handle)
+ return -ENODEV;
+
intel_hid_init_dsm(handle);
if (!intel_hid_evaluate_method(handle, INTEL_HID_DSM_HDMM_FN, &mode)) {
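Review bot: the new -ENODEV return in intel_hid_probe() is silent, so a forced bind that fails on the missing ACPI handle leaves no trace of why. A dev_dbg() at the "if (!handle)" check naming the missing handle would make that case diagnosable without reading the source.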
--
2.53.0
* [PATCH 6.1 959/969] platform/x86: intel-vbtn: Check ACPI_HANDLE() against NULL
From: Greg Kroah-Hartman @ 2026-05-30 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Andy Shevchenko,
Ilpo Järvinen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit a9f305c5a355efeb240d406d378491d9eec02d07 ]
Every platform driver can be forced to match a device that doesn't match
its list of device IDs because of device_match_driver_override(), so
platform drivers that rely on the existence of a device's ACPI companion
object need to verify its presence.
Accordingly, add a requisite ACPI_HANDLE() check against NULL to the
platform/x86 intel-vbtn driver.
Fixes: 26173179fae1 ("platform/x86: intel-vbtn: Eval VBDL after registering our notifier")
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://patch.msgid.link/3426431.aeNJFYEL58@rafael.j.wysocki
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/intel/vbtn.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/platform/x86/intel/vbtn.c b/drivers/platform/x86/intel/vbtn.c
index 224139006a433..1b590bbbd8f8f 100644
--- a/drivers/platform/x86/intel/vbtn.c
+++ b/drivers/platform/x86/intel/vbtn.c
@@ -272,12 +272,16 @@ static bool intel_vbtn_has_switches(acpi_handle handle, bool dual_accel)
static int intel_vbtn_probe(struct platform_device *device)
{
- acpi_handle handle = ACPI_HANDLE(&device->dev);
bool dual_accel, has_buttons, has_switches;
struct intel_vbtn_priv *priv;
+ acpi_handle handle;
acpi_status status;
int err;
+ handle = ACPI_HANDLE(&device->dev);
+ if (!handle)
+ return -ENODEV;
+
dual_accel = dual_accel_detect();
has_buttons = acpi_has_method(handle, "VBDL");
has_switches = intel_vbtn_has_switches(handle, dual_accel);
--
2.53.0
* [PATCH 6.1 960/969] RDMA/rtrs: Fix use-after-free in path file creation cleanup
From: Greg Kroah-Hartman @ 2026-05-30 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guangshuo Li, Leon Romanovsky,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guangshuo Li <lgs201920130244@gmail.com>
[ Upstream commit 5b74373390113fba798a76b483837029ab010fef ]
In the error path of rtrs_srv_create_path_files(), the sysfs root folders
may already have been created and srv_path->kobj may already have been
initialized. If a later step fails, the cleanup currently calls
kobject_put(&srv_path->kobj) before
rtrs_srv_destroy_once_sysfs_root_folders(srv_path).
kobject_put() may drop the last reference to srv_path->kobj and invoke the
release callback, rtrs_srv_release(), which frees srv_path. The following
call to rtrs_srv_destroy_once_sysfs_root_folders(srv_path) then
dereferences srv_path internally to access srv_path->srv, resulting in a
use-after-free.
This failure path is reached before rtrs_srv_create_path_files() returns
success, so the successful-path lifetime handling is not involved.
Fix this by destroying the sysfs root folders before calling
kobject_put(&srv_path->kobj), so srv_path is still valid while the helper
accesses it.
This issue was found by a static analysis tool I am developing.
Fixes: ae4c81644e91 ("RDMA/rtrs-srv: Rename rtrs_srv_sess to rtrs_srv_path")
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Link: https://patch.msgid.link/20260514113834.865530-1-lgs201920130244@gmail.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/ulp/rtrs/rtrs-srv-sysfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/ulp/rtrs/rtrs-srv-sysfs.c b/drivers/infiniband/ulp/rtrs/rtrs-srv-sysfs.c
index 2a3c9ac64a42e..fade349daf39e 100644
--- a/drivers/infiniband/ulp/rtrs/rtrs-srv-sysfs.c
+++ b/drivers/infiniband/ulp/rtrs/rtrs-srv-sysfs.c
@@ -296,8 +296,8 @@ int rtrs_srv_create_path_files(struct rtrs_srv_path *srv_path)
put_kobj:
kobject_del(&srv_path->kobj);
destroy_root:
- kobject_put(&srv_path->kobj);
rtrs_srv_destroy_once_sysfs_root_folders(srv_path);
+ kobject_put(&srv_path->kobj);
return err;
}
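Review bot: the destroy_root label now depends on call order, with rtrs_srv_destroy_once_sysfs_root_folders(srv_path) having to run before kobject_put(&srv_path->kobj), but nothing at the label says so. Suggest a comment there that kobject_put() may drop the last reference and free srv_path, so the two calls are not swapped back in a later cleanup.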
--
2.53.0
* [PATCH 6.1 961/969] net: bridge: Flush multicast groups when snooping is disabled
From: Greg Kroah-Hartman @ 2026-05-30 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Machata, Ido Schimmel,
Nikolay Aleksandrov, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Machata <petrm@nvidia.com>
[ Upstream commit 68800bbf583f26f71491141e4b3c8582f9cfcbde ]
When forwarding multicast packets, the bridge takes MDB into account when
IGMP / MLD snooping is enabled. Currently, when snooping is disabled, the
MDB is retained, even though it is not used anymore.
At the same time, during the time that snooping is disabled, the IGMP / MLD
control packets are obviously ignored, and after the snooping is reenabled,
the administrator has to assume it is out of sync. In particular, missed
join and leave messages would lead to traffic being forwarded to wrong
interfaces.
Keeping the MDB entries around thus serves no purpose, and just takes
memory. Note also that disabling per-VLAN snooping does actually flush the
relevant MDB entries.
This patch flushes non-permanent MDB entries as global snooping is
disabled.
Signed-off-by: Petr Machata <petrm@nvidia.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Link: https://patch.msgid.link/5e992df1bb93b88e19c0ea5819e23b669e3dde5d.1761228273.git.petrm@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 4df78ff02629 ("bridge: mcast: Fix a possible use-after-free when removing a bridge port")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bridge/br_multicast.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index 140dbcfc8b949..a58b85d21468e 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -4468,6 +4468,14 @@ static void br_multicast_start_querier(struct net_bridge_mcast *brmctx,
rcu_read_unlock();
}
+static void br_multicast_del_grps(struct net_bridge *br)
+{
+ struct net_bridge_port *port;
+
+ list_for_each_entry(port, &br->port_list, list)
+ __br_multicast_disable_port_ctx(&port->multicast_ctx);
+}
+
int br_multicast_toggle(struct net_bridge *br, unsigned long val,
struct netlink_ext_ack *extack)
{
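Review bot: br_multicast_del_grps() is named for deleting groups, but its body calls __br_multicast_disable_port_ctx() on each port's multicast_ctx, so the name hides that the whole per-port context is disabled. It also walks only the per-port contexts; please add a comment saying whether per-{port, VLAN} contexts are expected to be handled elsewhere when per-VLAN snooping is enabled, and which lock the caller must hold for the br->port_list walk.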
@@ -4488,6 +4496,7 @@ int br_multicast_toggle(struct net_bridge *br, unsigned long val,
br_opt_toggle(br, BROPT_MULTICAST_ENABLED, !!val);
if (!br_opt_get(br, BROPT_MULTICAST_ENABLED)) {
change_snoopers = true;
+ br_multicast_del_grps(br);
goto unlock;
}
--
2.53.0
* [PATCH 6.1 962/969] bridge: mcast: Fix a possible use-after-free when removing a bridge port
From: Greg Kroah-Hartman @ 2026-05-30 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+ae231e0552fa77b26ea1,
Thomas Gleixner, Nikolay Aleksandrov, Ido Schimmel,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ido Schimmel <idosch@nvidia.com>
[ Upstream commit 4df78ff02629c7729168f0696a7a2123c389818d ]
When per-VLAN multicast snooping is enabled, the bridge iterates over
all the bridge ports, disables the per-port multicast context on each
port and enables the per-{port, VLAN} multicast contexts instead. The
reverse happens when per-VLAN multicast snooping is disabled.
When global multicast snooping is enabled, the bridge iterates over all
the bridge ports and enables the per-port multicast context on each
port. The reverse happens when multicast snooping is disabled.
The above scheme can result in a situation where both types of contexts
(per-port and per-{port, VLAN}) are enabled on a single bridge port:
# ip link add name br1 up type bridge mcast_snooping 1 mcast_querier 1 vlan_filtering 1
# ip link add name dummy1 up master br1 type dummy
# ip link set dev br1 type bridge mcast_vlan_snooping 1
# ip link set dev br1 type bridge mcast_snooping 0
# ip link set dev br1 type bridge mcast_snooping 1
This is not intended and it is a problem since the commit cited below.
Prior to this commit, when removing a bridge port,
br_multicast_disable_port() would disable the per-port multicast context
and the per-{port, VLAN} multicast contexts would get disabled when
flushing VLANs.
After this commit, br_multicast_disable_port() only disables the
per-port multicast context if per-VLAN multicast snooping is disabled.
If both types of contexts were enabled on the port when it was removed,
the per-port multicast context would remain enabled when freeing the
bridge port, leading to a use-after-free [1].
Fix by preventing the bridge from enabling / disabling the per-port
multicast contexts when toggling global multicast snooping if per-VLAN
multicast snooping is enabled.
[1]
ODEBUG: free active (active state 0) object: ffff88810f8bda78 object type: timer_list hint: br_ip6_multicast_port_query_expired (net/bridge/br_multicast.c:1927)
WARNING: lib/debugobjects.c:629 at debug_print_object+0x1b1/0x3e0, CPU#5: swapper/5/0
[...]
Call Trace:
<IRQ>
__debug_check_no_obj_freed (lib/debugobjects.c:1116)
kfree (mm/slub.c:2620 mm/slub.c:6250 mm/slub.c:6565)
kobject_cleanup (lib/kobject.c:689)
rcu_do_batch (kernel/rcu/tree.c:2617)
rcu_core (kernel/rcu/tree.c:2869)
handle_softirqs (kernel/softirq.c:622)
__irq_exit_rcu (kernel/softirq.c:656 kernel/softirq.c:496 kernel/softirq.c:735)
irq_exit_rcu (kernel/softirq.c:752)
sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1061 (discriminator 47) arch/x86/kernel/apic/apic.c:1061 (discriminator 47))
</IRQ>
Fixes: 4b30ae9adb04 ("net: bridge: mcast: re-implement br_multicast_{enable, disable}_port functions")
Reported-by: syzbot+ae231e0552fa77b26ea1@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/87qznowlfs.ffs@tglx/
Reported-by: Thomas Gleixner <tglx@kernel.org>
Acked-by: Nikolay Aleksandrov <nikolay@nvidia.com>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260517121122.188333-2-idosch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bridge/br_multicast.c | 22 +++++++++++++++++-----
1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index a58b85d21468e..9b54fe10d280a 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -4468,10 +4468,24 @@ static void br_multicast_start_querier(struct net_bridge_mcast *brmctx,
rcu_read_unlock();
}
-static void br_multicast_del_grps(struct net_bridge *br)
+static void br_multicast_enable_all_ports(struct net_bridge *br)
{
struct net_bridge_port *port;
+ if (br_opt_get(br, BROPT_MCAST_VLAN_SNOOPING_ENABLED))
+ return;
+
+ list_for_each_entry(port, &br->port_list, list)
+ __br_multicast_enable_port_ctx(&port->multicast_ctx);
+}
+
+static void br_multicast_disable_all_ports(struct net_bridge *br)
+{
+ struct net_bridge_port *port;
+
+ if (br_opt_get(br, BROPT_MCAST_VLAN_SNOOPING_ENABLED))
+ return;
+
list_for_each_entry(port, &br->port_list, list)
__br_multicast_disable_port_ctx(&port->multicast_ctx);
}
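Review bot: br_multicast_disable_all_ports() returns early when BROPT_MCAST_VLAN_SNOOPING_ENABLED is set, so turning global snooping off in that configuration no longer reaches __br_multicast_disable_port_ctx() for any port. Please confirm that non-permanent MDB entries are still flushed in that case through the per-{port, VLAN} contexts, and add a comment on both early returns explaining why the per-port contexts must be left alone while per-VLAN snooping is on.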
@@ -4479,7 +4493,6 @@ static void br_multicast_del_grps(struct net_bridge *br)
int br_multicast_toggle(struct net_bridge *br, unsigned long val,
struct netlink_ext_ack *extack)
{
- struct net_bridge_port *port;
bool change_snoopers = false;
int err = 0;
@@ -4496,7 +4509,7 @@ int br_multicast_toggle(struct net_bridge *br, unsigned long val,
br_opt_toggle(br, BROPT_MULTICAST_ENABLED, !!val);
if (!br_opt_get(br, BROPT_MULTICAST_ENABLED)) {
change_snoopers = true;
- br_multicast_del_grps(br);
+ br_multicast_disable_all_ports(br);
goto unlock;
}
@@ -4504,8 +4517,7 @@ int br_multicast_toggle(struct net_bridge *br, unsigned long val,
goto unlock;
br_multicast_open(br);
- list_for_each_entry(port, &br->port_list, list)
- __br_multicast_enable_port_ctx(&port->multicast_ctx);
+ br_multicast_enable_all_ports(br);
change_snoopers = true;
--
2.53.0
* [PATCH 6.1 963/969] tracing: Avoid NULL return from hist_field_name() on truncation
From: Greg Kroah-Hartman @ 2026-05-30 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Carlier, Steven Rostedt,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Carlier <devnexen@gmail.com>
[ Upstream commit 576ec047d20b368b43c4d5db98c4f2e0f3c101ec ]
hist_field_name() returns "" everywhere except the fully-qualified
VAR_REF/EXPR case, where snprintf() truncation returns NULL early
and bypasses the bottom NULL->"" guard. Callers don't expect NULL:
strcat(expr, hist_field_name(field, 0)) at trace_events_hist.c:1758
and the strcmp() in the sort-key match loop at :4804 both deref it.
system and event_name are bounded by MAX_EVENT_NAME_LEN, but the
field name on a VAR_REF is kstrdup'd from a histogram variable
name parsed out of the trigger string and has no length cap, so
a long enough var name in a fully qualified reference can reach
the truncation path.
Keep the length check but leave field_name as "" on overflow.
Link: https://patch.msgid.link/20260508195747.25492-1-devnexen@gmail.com
Fixes: 5ec1d1e97de1 ("tracing: Rebuild full_name on each hist_field_name() call")
Signed-off-by: David Carlier <devnexen@gmail.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/trace_events_hist.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c
index b5276f2f2cf40..336fc54d8ec86 100644
--- a/kernel/trace/trace_events_hist.c
+++ b/kernel/trace/trace_events_hist.c
@@ -1351,10 +1351,8 @@ static const char *hist_field_name(struct hist_field *field,
len = snprintf(full_name, sizeof(full_name), "%s.%s.%s",
field->system, field->event_name,
field->name);
- if (len >= sizeof(full_name))
- return NULL;
-
- field_name = full_name;
+ if (len < sizeof(full_name))
+ field_name = full_name;
} else
field_name = field->name;
} else if (field->flags & HIST_FIELD_FL_TIMESTAMP)
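Review bot: on truncation the "if (len < sizeof(full_name))" branch now leaves field_name unchanged, and per the commit message the result is an empty string, which callers cannot tell apart from a field that has no name. Suggest a comment at this spot saying so, and rejecting over-long variable names where the trigger string is parsed, so an overflow is reported to the user instead of silently producing "".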
--
2.53.0
* [PATCH 6.1 964/969] net: ag71xx: check error for platform_get_irq
From: Greg Kroah-Hartman @ 2026-05-30 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rosen Penev, Oleksij Rempel,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rosen Penev <rosenp@gmail.com>
[ Upstream commit e7c70bf97e90d974cd575e4c90f8f9b07d056da3 ]
Complete error handling for a failed platform_get_irq() call
Fixes: d51b6ce441d3 ("net: ethernet: add ag71xx driver")
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Reviewed-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://patch.msgid.link/20260516212616.11758-1-rosenp@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/atheros/ag71xx.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/ethernet/atheros/ag71xx.c b/drivers/net/ethernet/atheros/ag71xx.c
index ff93b00dcd613..c7b5b87362546 100644
--- a/drivers/net/ethernet/atheros/ag71xx.c
+++ b/drivers/net/ethernet/atheros/ag71xx.c
@@ -1880,6 +1880,9 @@ static int ag71xx_probe(struct platform_device *pdev)
return -ENOMEM;
ndev->irq = platform_get_irq(pdev, 0);
+ if (ndev->irq < 0)
+ return ndev->irq;
+
err = devm_request_irq(&pdev->dev, ndev->irq, ag71xx_interrupt,
0x0, dev_name(&pdev->dev), ndev);
if (err) {
--
2.53.0
* [PATCH 6.1 965/969] string: add mem_is_zero() helper to check if memory area is all zeros
From: Greg Kroah-Hartman @ 2026-05-30 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kees Cook, Andy Shevchenko,
Jani Nikula, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jani Nikula <jani.nikula@intel.com>
[ Upstream commit 3942bb49728ad9e1f94d953a88af169a8f5d8099 ]
Almost two thirds of the memchr_inv() usages check if the memory area is
all zeros, with no interest in where in the buffer the first non-zero
byte is located. Checking for !memchr_inv(s, 0, n) is also not very
intuitive or discoverable. Add an explicit mem_is_zero() helper for this
use case.
Reviewed-by: Kees Cook <kees@kernel.org>
Reviewed-by: Andy Shevchenko <andy@kernel.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20240814100035.3100852-1-jani.nikula@intel.com
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Stable-dep-of: 3e6ccd790ed6 ("gpio: cdev: check if uAPI v2 config attributes are correctly zeroed")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/string.h | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/include/linux/string.h b/include/linux/string.h
index e7ade5223d422..356b941d1ddac 100644
--- a/include/linux/string.h
+++ b/include/linux/string.h
@@ -212,6 +212,18 @@ static inline void memcpy_flushcache(void *dst, const void *src, size_t cnt)
void *memchr_inv(const void *s, int c, size_t n);
char *strreplace(char *s, char old, char new);
+/**
+ * mem_is_zero - Check if an area of memory is all 0's.
+ * @s: The memory area
+ * @n: The size of the area
+ *
+ * Return: True if the area of memory is all 0's.
+ */
+static inline bool mem_is_zero(const void *s, size_t n)
+{
+ return !memchr_inv(s, 0, n);
+}
+
extern void kfree_const(const void *x);
extern char *kstrdup(const char *s, gfp_t gfp) __malloc;
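Review bot: the kernel-doc for mem_is_zero() does not say what is returned when n is 0. Because the body is just `!memchr_inv(s, 0, n)`, the helper inherits memchr_inv()'s result for an empty area. Stating that in the `Return:` line would help callers that compute the length, as the later gpiolib-cdev patch in this series does with `unused_attrs * sizeof(*lc->attrs)`.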
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 966/969] gpiolib: cdev: use !mem_is_zero() instead of memchr_inv(s, 0, n)
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (964 preceding siblings ...)
2026-05-30 16:08 ` [PATCH 6.1 965/969] string: add mem_is_zero() helper to check if memory area is all zeros Greg Kroah-Hartman
@ 2026-05-30 16:08 ` Greg Kroah-Hartman
2026-05-30 16:08 ` [PATCH 6.1 967/969] gpio: cdev: check if uAPI v2 config attributes are correctly zeroed Greg Kroah-Hartman
` (9 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Bartosz Golaszewski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andy.shevchenko@gmail.com>
[ Upstream commit e106b1dd38e723ec2bb2bf57ea9b2aff464b9423 ]
Use the mem_is_zero() helper where possible.
Signed-off-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Link: https://lore.kernel.org/r/20241110201706.16614-1-andy.shevchenko@gmail.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Stable-dep-of: 3e6ccd790ed6 ("gpio: cdev: check if uAPI v2 config attributes are correctly zeroed")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpio/gpiolib-cdev.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c
index 897d20996a8c6..944aa0c1cd5c7 100644
--- a/drivers/gpio/gpiolib-cdev.c
+++ b/drivers/gpio/gpiolib-cdev.c
@@ -16,7 +16,6 @@
#include <linux/hte.h>
#include <linux/interrupt.h>
#include <linux/irqreturn.h>
-#include <linux/kernel.h>
#include <linux/kfifo.h>
#include <linux/module.h>
#include <linux/mutex.h>
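Review bot: dropping `#include <linux/kernel.h>` is not covered by the commit message, which only says "Use the mem_is_zero() helper where possible". In a backport the 6.1 copy of gpiolib-cdev.c may still rely on that header for helpers that the upstream file gets from elsewhere, so either keep the include here or confirm the file still builds across configs without it.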
@@ -25,6 +24,7 @@
#include <linux/rbtree.h>
#include <linux/seq_file.h>
#include <linux/spinlock.h>
+#include <linux/string.h>
#include <linux/timekeeping.h>
#include <linux/uaccess.h>
#include <linux/workqueue.h>
@@ -1339,7 +1339,7 @@ static int gpio_v2_line_config_validate(struct gpio_v2_line_config *lc,
if (lc->num_attrs > GPIO_V2_LINE_NUM_ATTRS_MAX)
return -EINVAL;
- if (memchr_inv(lc->padding, 0, sizeof(lc->padding)))
+ if (!mem_is_zero(lc->padding, sizeof(lc->padding)))
return -EINVAL;
for (i = 0; i < num_lines; i++) {
@@ -1781,7 +1781,7 @@ static int linereq_create(struct gpio_device *gdev, void __user *ip)
if ((ulr.num_lines == 0) || (ulr.num_lines > GPIO_V2_LINES_MAX))
return -EINVAL;
- if (memchr_inv(ulr.padding, 0, sizeof(ulr.padding)))
+ if (!mem_is_zero(ulr.padding, sizeof(ulr.padding)))
return -EINVAL;
lc = &ulr.config;
@@ -2541,7 +2541,7 @@ static int lineinfo_get(struct gpio_chardev_data *cdev, void __user *ip,
if (copy_from_user(&lineinfo, ip, sizeof(lineinfo)))
return -EFAULT;
- if (memchr_inv(lineinfo.padding, 0, sizeof(lineinfo.padding)))
+ if (!mem_is_zero(lineinfo.padding, sizeof(lineinfo.padding)))
return -EINVAL;
desc = gpiochip_get_desc(cdev->gdev->chip, lineinfo.offset);
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 967/969] gpio: cdev: check if uAPI v2 config attributes are correctly zeroed
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (965 preceding siblings ...)
2026-05-30 16:08 ` [PATCH 6.1 966/969] gpiolib: cdev: use !mem_is_zero() instead of memchr_inv(s, 0, n) Greg Kroah-Hartman
@ 2026-05-30 16:08 ` Greg Kroah-Hartman
2026-05-30 16:08 ` [PATCH 6.1 968/969] net: mana: validate rx_req_idx to prevent out-of-bounds array access Greg Kroah-Hartman
` (8 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kent Gibson, Bartosz Golaszewski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
[ Upstream commit 3e6ccd790ed69bedd3d9626d01dd35cf9821c121 ]
We check the padding of other uAPI v2 structures but not that of line
config attributes. For used attributes: check if their padding is
zeroed, for unused: check if the entire structure is zeroed.
Fixes: 3c0d9c635ae2 ("gpiolib: cdev: support GPIO_V2_GET_LINE_IOCTL and GPIO_V2_LINE_GET_VALUES_IOCTL")
Reviewed-by: Kent Gibson <warthog618@gmail.com>
Link: https://patch.msgid.link/20260521-gpio-cdev-attr-padding-check-v3-1-ec3bcbe2e358@oss.qualcomm.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpio/gpiolib-cdev.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c
index 944aa0c1cd5c7..5d4646f0baacd 100644
--- a/drivers/gpio/gpiolib-cdev.c
+++ b/drivers/gpio/gpiolib-cdev.c
@@ -1332,6 +1332,7 @@ static int gpio_v2_line_flags_validate(u64 flags)
static int gpio_v2_line_config_validate(struct gpio_v2_line_config *lc,
unsigned int num_lines)
{
+ size_t unused_attrs;
unsigned int i;
u64 flags;
int ret;
@@ -1339,9 +1340,21 @@ static int gpio_v2_line_config_validate(struct gpio_v2_line_config *lc,
if (lc->num_attrs > GPIO_V2_LINE_NUM_ATTRS_MAX)
return -EINVAL;
+ unused_attrs = GPIO_V2_LINE_NUM_ATTRS_MAX - lc->num_attrs;
+
if (!mem_is_zero(lc->padding, sizeof(lc->padding)))
return -EINVAL;
+ for (i = 0; i < lc->num_attrs; i++) {
+ if (lc->attrs[i].attr.padding != 0)
+ return -EINVAL;
+ }
+
+ if (unused_attrs) {
+ if (!mem_is_zero(&lc->attrs[lc->num_attrs], unused_attrs * sizeof(*lc->attrs)))
+ return -EINVAL;
+ }
+
for (i = 0; i < num_lines; i++) {
flags = gpio_v2_line_config_flags(lc, i);
ret = gpio_v2_line_flags_validate(flags);
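Review bot: the two new checks in gpio_v2_line_config_validate() make the ioctl return -EINVAL for input that was accepted before, namely non-zero `attr.padding` in used attributes and any non-zero byte in `lc->attrs[lc->num_attrs]` onwards. For a stable backport the commit message should say that callers which did not zero the whole config struct will start failing. Two smaller points: the `if (unused_attrs)` guard only matters if mem_is_zero() is not defined for a zero length, so it could go once that is documented, and the `mem_is_zero(&lc->attrs[lc->num_attrs], ...)` line is long enough to be worth wrapping.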
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* [PATCH 6.1 968/969] net: mana: validate rx_req_idx to prevent out-of-bounds array access
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (966 preceding siblings ...)
2026-05-30 16:08 ` [PATCH 6.1 967/969] gpio: cdev: check if uAPI v2 config attributes are correctly zeroed Greg Kroah-Hartman
@ 2026-05-30 16:08 ` Greg Kroah-Hartman
2026-05-30 16:08 ` [PATCH 6.1 969/969] security/keys: fix missed RCU read section on lookup Greg Kroah-Hartman
` (7 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aditya Garg, Haiyang Zhang,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aditya Garg <gargaditya@linux.microsoft.com>
[ Upstream commit b809d0409991b75a6cff846a5ac27c3062953f84 ]
In mana_hwc_rx_event_handler(), rx_req_idx is derived from
sge->address in DMA-coherent memory. In Confidential VMs
(SEV-SNP/TDX), this memory is shared unencrypted and HW can modify
WQE contents at any time. No bounds check exists on rx_req_idx,
which can lead to an out-of-bounds access into reqs[].
Add bounds check on rx_req_idx in mana_hwc_rx_event_handler() before
using it to index the reqs[] array.
Fixes: ca9c54d2d6a5 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)")
Signed-off-by: Aditya Garg <gargaditya@linux.microsoft.com>
Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
Link: https://patch.msgid.link/20260520051553.857120-1-gargaditya@linux.microsoft.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/microsoft/mana/hw_channel.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/ethernet/microsoft/mana/hw_channel.c b/drivers/net/ethernet/microsoft/mana/hw_channel.c
index d429ecdbc5d4f..e21f10e40d188 100644
--- a/drivers/net/ethernet/microsoft/mana/hw_channel.c
+++ b/drivers/net/ethernet/microsoft/mana/hw_channel.c
@@ -214,6 +214,12 @@ static void mana_hwc_rx_event_handler(void *ctx, u32 gdma_rxq_id,
rq_base_addr = hwc_rxq->msg_buf->mem_info.dma_handle;
rx_req_idx = (sge->address - rq_base_addr) / hwc->max_req_msg_size;
+ if (rx_req_idx >= hwc_rxq->msg_buf->num_reqs) {
+ dev_err(hwc->dev, "HWC RX: wrong rx_req_idx=%llu, num_reqs=%u\n",
+ rx_req_idx, hwc_rxq->msg_buf->num_reqs);
+ return;
+ }
+
rx_req = &hwc_rxq->msg_buf->reqs[rx_req_idx];
resp = (struct gdma_resp_hdr *)rx_req->buf_va;
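Review bot: the `dev_err()` in the new branch of mana_hwc_rx_event_handler() can be hit repeatedly by the same party the commit message treats as untrusted, so `dev_err_ratelimited()` would be the safer choice. The check also only rejects indices at or beyond `num_reqs`: an `sge->address` that is not a multiple of `hwc->max_req_msg_size` away from `rq_base_addr` is rounded down by the division and still accepted, which is memory-safe but worth a comment or an explicit test. The bare `return;` skips the rest of the handler for this WQE, so the commit message should say what happens to a requester waiting on that response.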
--
2.53.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
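The index derivation described in the commit message above, as an added user-space example that is not code from the patch or from the mana driver. The struct, enum and function names are hypothetical, the sample addresses are constructed, and the alignment check is a stricter variant that the patch itself does not perform.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the receive buffer bookkeeping (not the mana structs). */
struct rx_ring {
	uint64_t base;      /* DMA address of slot 0 */
	uint32_t slot_size; /* bytes per request slot */
	uint32_t num_slots; /* number of entries in the slot array */
};

enum idx_status {
	IDX_OK,
	IDX_BAD_RING,     /* ring description itself is unusable */
	IDX_BELOW_BASE,   /* address precedes the buffer: subtraction would wrap */
	IDX_MISALIGNED,   /* address points into the middle of a slot */
	IDX_OUT_OF_RANGE, /* index is past the last slot */
};

/*
 * Turn an address reported by the device into a slot index.
 * dev_addr is passed by value: the caller reads the shared descriptor
 * once and validates that snapshot, so a later change by the device
 * cannot alter the value that was checked.
 */
static enum idx_status slot_index_from_addr(const struct rx_ring *r,
					    uint64_t dev_addr, uint32_t *idx_out)
{
	uint64_t off, idx;

	if (r->slot_size == 0 || r->num_slots == 0)
		return IDX_BAD_RING;
	if (dev_addr < r->base)
		return IDX_BELOW_BASE;

	off = dev_addr - r->base;
	if (off % r->slot_size)
		return IDX_MISALIGNED;

	idx = off / r->slot_size;
	if (idx >= r->num_slots)
		return IDX_OUT_OF_RANGE;

	*idx_out = (uint32_t)idx;
	return IDX_OK;
}

static const char *status_name(enum idx_status st)
{
	switch (st) {
	case IDX_OK:           return "ok";
	case IDX_BAD_RING:     return "bad ring";
	case IDX_BELOW_BASE:   return "below base";
	case IDX_MISALIGNED:   return "misaligned";
	case IDX_OUT_OF_RANGE: return "out of range";
	}
	return "unknown";
}

int main(void)
{
	/* Constructed values: 4 slots of 256 bytes starting at 0x10000. */
	const struct rx_ring ring = { .base = 0x10000, .slot_size = 256, .num_slots = 4 };
	const uint64_t samples[] = { 0x10000, 0x10300, 0x10400, 0x0ff00, 0x10080 };

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		uint32_t idx = 0;
		enum idx_status st = slot_index_from_addr(&ring, samples[i], &idx);

		printf("addr=0x%llx -> %s", (unsigned long long)samples[i], status_name(st));
		if (st == IDX_OK)
			printf(" (slot %u)", (unsigned)idx);
		printf("\n");
	}
	return 0;
}
```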
* [PATCH 6.1 969/969] security/keys: fix missed RCU read section on lookup
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (967 preceding siblings ...)
2026-05-30 16:08 ` [PATCH 6.1 968/969] net: mana: validate rx_req_idx to prevent out-of-bounds array access Greg Kroah-Hartman
@ 2026-05-30 16:08 ` Greg Kroah-Hartman
2026-05-30 17:15 ` [PATCH 6.1 000/969] 6.1.175-rc1 review Brett A C Sheffield
` (6 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-30 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nicholas Carlini, David Howells,
Jarkko Sakkinen, Paul Moore, James Morris James Morris,
Serge E. Hallyn, Linus Torvalds
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Linus Torvalds <torvalds@linux-foundation.org>
commit 43a1e3744548e6fd85873e6fb43e293eb4010694 upstream.
Nicholas Carlini reports that the keyring code calls assoc_array_find()
in find_key_to_update() without holding the RCU read lock, while the
assoc_array_gc() code really is designed around removing the node from
the tree and then freeing it after an RCU grace-period.
The regular key handling doesn't see this because holding the keyring
semaphore hides any lifetime issues, but the persistent key handling
uses a different model.
Instead of extending the keyring locking, just do the simple RCU locking
that the assoc_array was designed for.
Reported-by: Nicholas Carlini <npc@anthropic.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Jarkko Sakkinen <jarkko@kernel.org>
Cc: Paul Moore <paul@paul-moore.com>
Cc: James Morris James Morris <jmorris@namei.org>
Cc: Serge E. Hallyn <serge@hallyn.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/keys/keyring.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index b39038f7dd31..5a9887d6b7be 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -1109,6 +1109,7 @@ key_ref_t find_key_to_update(key_ref_t keyring_ref,
kenter("{%d},{%s,%s}",
keyring->serial, index_key->type->name, index_key->description);
+ guard(rcu)();
object = assoc_array_find(&keyring->keys, &keyring_assoc_array_ops,
index_key);
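Review bot: `guard(rcu)();` in find_key_to_update() depends on the scope-based cleanup helpers and an RCU guard definition being present in the 6.1.y tree. If they are not, this backport needs an open-coded rcu_read_lock()/rcu_read_unlock() pair instead. The guard also keeps the RCU read section open until the function returns, so the code after assoc_array_find() has to take its reference on the found key inside that section and must not sleep. A one-line comment above the guard saying which lookup it protects would help later backports.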
--
2.54.0
^ permalink raw reply related [flat|nested] 982+ messages in thread
* Re: [PATCH 6.1 000/969] 6.1.175-rc1 review
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (968 preceding siblings ...)
2026-05-30 16:08 ` [PATCH 6.1 969/969] security/keys: fix missed RCU read section on lookup Greg Kroah-Hartman
@ 2026-05-30 17:15 ` Brett A C Sheffield
2026-05-30 20:18 ` Peter Schneider
` (5 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Brett A C Sheffield @ 2026-05-30 17:15 UTC (permalink / raw)
To: gregkh
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr,
Brett A C Sheffield
# Librecast Test Results
020/020 [ OK ] liblcrq
010/010 [ OK ] libmld
120/120 [ OK ] liblibrecast
CPU/kernel: Linux auntie 6.1.175-rc1-00982-g02eba76b9117 #1 SMP PREEMPT_DYNAMIC Sat May 30 17:06:16 -00 2026 x86_64 AMD Ryzen 9 9950X 16-Core Processor AuthenticAMD GNU/Linux
Tested-by: Brett A C Sheffield <bacs@librecast.net>
^ permalink raw reply [flat|nested] 982+ messages in thread
* Re: [PATCH 6.1 000/969] 6.1.175-rc1 review
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (969 preceding siblings ...)
2026-05-30 17:15 ` [PATCH 6.1 000/969] 6.1.175-rc1 review Brett A C Sheffield
@ 2026-05-30 20:18 ` Peter Schneider
2026-05-31 6:36 ` Miguel Ojeda
` (4 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Peter Schneider @ 2026-05-30 20:18 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill, sr
On 30.05.2026 at 17:52, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.1.175 release.
> There are 969 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
Builds, boots and works on my 2-socket Ivy Bridge Xeon E5-2697 v2 server. No dmesg oddities or regressions found.
Tested-by: Peter Schneider <pschneider1968@googlemail.com>
Best regards,
Peter Schneider
--
Climb the mountain not to plant your flag, but to embrace the challenge,
enjoy the air and behold the view. Climb it so you can see the world,
not so the world can see you. -- David McCullough Jr.
OpenPGP: 0xA3828BD796CCE11A8CADE8866E3A92C92C3FF244
Download: https://www.peters-netzplatz.de/download/pschneider1968_pub.asc
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@googlemail.com
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@gmail.com
^ permalink raw reply [flat|nested] 982+ messages in thread
* Re: [PATCH 6.1 000/969] 6.1.175-rc1 review
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (970 preceding siblings ...)
2026-05-30 20:18 ` Peter Schneider
@ 2026-05-31 6:36 ` Miguel Ojeda
2026-06-01 2:01 ` Ron Economos
` (3 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Miguel Ojeda @ 2026-05-31 6:36 UTC (permalink / raw)
To: gregkh
Cc: achill, akpm, broonie, conor, f.fainelli, hargar, jonathanh,
linux-kernel, linux, lkft-triage, patches, patches, pavel,
rwarsow, shuah, sr, stable, sudipm.mukherjee, torvalds,
Miguel Ojeda
On Sat, 30 May 2026 17:52:04 +0200 Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.1.175 release.
> There are 969 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Mon, 01 Jun 2026 16:01:39 +0000.
> Anything received after that time might be too late.
Boot-tested under QEMU for Rust x86_64:
Tested-by: Miguel Ojeda <ojeda@kernel.org>
Thanks!
Cheers,
Miguel
^ permalink raw reply [flat|nested] 982+ messages in thread
* Re: [PATCH 6.1 054/969] ALSA: usb-audio: Improve Focusrite sample rate filtering
2026-05-30 15:52 ` [PATCH 6.1 054/969] ALSA: usb-audio: Improve Focusrite sample rate filtering Greg Kroah-Hartman
@ 2026-05-31 15:13 ` Geoffrey D. Bennett
2026-06-01 2:11 ` Sasha Levin
0 siblings, 1 reply; 982+ messages in thread
From: Geoffrey D. Bennett @ 2026-05-31 15:13 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: stable, patches, Takashi Iwai, Sasha Levin
On Sat, May 30, 2026 at 05:52:58PM +0200, Greg Kroah-Hartman wrote:
> 6.1-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Geoffrey D. Bennett <g@b4.vu>
>
> [ Upstream commit 24d2d3c5f94007a5a0554065ab7349bb69e28bcb ]
>
> Replace the bLength == 10 max_rate check in
> focusrite_valid_sample_rate() with filtering that also examines the
> bmControls VAL_ALT_SETTINGS bit.
>
> When VAL_ALT_SETTINGS is readable, the device uses strict
> per-altsetting rate filtering (only the highest rate pair for that
> altsetting is valid). When it is not readable, all rates up to
> max_rate are valid.
>
> For devices without the bLength == 10 Format Type descriptor extension
> but with VAL_ALT_SETTINGS readable and multiple altsettings (only seen
> in Scarlett 18i8 3rd Gen playback), fall back to the Focusrite
> convention: alt 1 = 48kHz, alt 2 = 96kHz, alt 3 = 192kHz.
>
> This produces correct rate tables for all tested Focusrite devices
> (all Scarlett 2nd, 3rd, and 4th Gen, Clarett+, and Vocaster) using
> only USB descriptors, allowing QUIRK_FLAG_VALIDATE_RATES to be removed
> for Focusrite in the next commit.
>
> Signed-off-by: Geoffrey D. Bennett <g@b4.vu>
> Signed-off-by: Takashi Iwai <tiwai@suse.de>
> Link: https://patch.msgid.link/7e18c1f393a6ecb6fc75dd867a2c4dbe135e3e22.1771594828.git.g@b4.vu
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> ---
> sound/usb/format.c | 86 +++++++++++++++++++++++++++++++++++++++-------
> 1 file changed, 74 insertions(+), 12 deletions(-)
>
> diff --git a/sound/usb/format.c b/sound/usb/format.c
> index f33d25a4e4cc7..682adbdf7ee79 100644
[...]
Hi Greg,
Please drop these from 6.1 and 5.15. They're part of a 3-patch series
that needs all 3 to get the benefit (plus 5 more fixes on top for the
1st Gen Scarletts that the series regressed).
The series avoids leaving the device at 192kHz after probe (which
mutes the internal mixer and disables the Air/Safe modes until an
application opens the PCM). But the part that actually fixes that,
38c322068a26 ("Add QUIRK_FLAG_SKIP_IFACE_SETUP"), wasn't selected.
Without it, __snd_usb_parse_audio_interface() still calls
snd_usb_init_sample_rate(rate_max) at probe, so removing
VALIDATE_RATES on its own doesn't help.
Unfortunately 38c322068a26 is a regression for some 1st Gen Scarletts,
and those exclusions were found one model at a time, so I'm not 100%
confident every affected model is covered, although there have been no
further reports in nearly 8 weeks. I'm not sure for 6.1/5.15 if the
benefit outweighs the risk, but if you'd rather take it all, the full
set in order is:
24d2d3c5f940 ALSA: usb-audio: Improve Focusrite sample rate filtering
a8cc55bf81a4 ALSA: usb-audio: Remove VALIDATE_RATES quirk for Focusrite devices
38c322068a26 ALSA: usb-audio: Add QUIRK_FLAG_SKIP_IFACE_SETUP
8780f561f671 ALSA: usb-audio: Exclude Scarlett 2i2 1st Gen from SKIP_IFACE_SETUP
990a8b0732cf ALSA: usb-audio: Exclude Scarlett 2i4 1st Gen from SKIP_IFACE_SETUP
f025ac8c698a ALSA: usb-audio: Exclude Scarlett Solo 1st Gen from SKIP_IFACE_SETUP
a0dafdbd1049 ALSA: usb-audio: Exclude Scarlett 2i2 1st Gen (8016) from SKIP_IFACE_SETUP
a47306a74c31 ALSA: usb-audio: Exclude Scarlett 18i20 1st Gen from SKIP_IFACE_SETUP
Same issue applies to 6.6 and 6.12: they took the first two (filter +
VALIDATE_RATES removal) but not 38c322068a26, so the 192kHz behaviour
is unchanged there. They should probably get the same treatment.
Thanks,
Geoffrey
^ permalink raw reply [flat|nested] 982+ messages in thread
* Re: [PATCH 6.1 000/969] 6.1.175-rc1 review
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (971 preceding siblings ...)
2026-05-31 6:36 ` Miguel Ojeda
@ 2026-06-01 2:01 ` Ron Economos
2026-06-01 8:56 ` Pavel Machek
` (2 subsequent siblings)
975 siblings, 0 replies; 982+ messages in thread
From: Ron Economos @ 2026-06-01 2:01 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill, sr
On 5/30/26 08:52, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.1.175 release.
> There are 969 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Mon, 01 Jun 2026 16:01:39 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.175-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Built and booted successfully on RISC-V RV64 (HiFive Unmatched).
Tested-by: Ron Economos <re@w6rz.net>
^ permalink raw reply [flat|nested] 982+ messages in thread
* Re: [PATCH 6.1 054/969] ALSA: usb-audio: Improve Focusrite sample rate filtering
2026-05-31 15:13 ` Geoffrey D. Bennett
@ 2026-06-01 2:11 ` Sasha Levin
0 siblings, 0 replies; 982+ messages in thread
From: Sasha Levin @ 2026-06-01 2:11 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Sasha Levin, stable, patches, Takashi Iwai, Geoffrey D. Bennett
On Mon, 2026-06-01 at 00:43 +0930, Geoffrey D. Bennett wrote:
> Please drop these from 6.1 and 5.15. They're part of a 3-patch series
> that needs all 3 to get the benefit (plus 5 more fixes on top for the
> 1st Gen Scarletts that the series regressed).
Dropped from the 6.1 and 5.15 queues. In 5.15 I also dropped the companion
"ALSA: usb-audio: Remove VALIDATE_RATES quirk for Focusrite devices"
(a8cc55bf81a4), since it builds on this one and dropping the filtering
patch alone would leave validation removed atop the old filtering logic.
--
Thanks,
Sasha
^ permalink raw reply [flat|nested] 982+ messages in thread
* Re: [PATCH 6.1 000/969] 6.1.175-rc1 review
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (972 preceding siblings ...)
2026-06-01 2:01 ` Ron Economos
@ 2026-06-01 8:56 ` Pavel Machek
2026-06-01 10:51 ` Francesco Dolcini
2026-06-01 17:30 ` Florian Fainelli
975 siblings, 0 replies; 982+ messages in thread
From: Pavel Machek @ 2026-06-01 8:56 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
Hi!
> This is the start of the stable review cycle for the 6.1.175 release.
> There are 969 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
CIP testing did not find any problems here:
https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/tree/linux-6.1.y
Tested-by: Pavel Machek (CIP) <pavel@nabladev.com>
Best regards,
Pavel
^ permalink raw reply [flat|nested] 982+ messages in thread
* Re: [PATCH 6.1 000/969] 6.1.175-rc1 review
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (973 preceding siblings ...)
2026-06-01 8:56 ` Pavel Machek
@ 2026-06-01 10:51 ` Francesco Dolcini
2026-06-01 17:30 ` Florian Fainelli
975 siblings, 0 replies; 982+ messages in thread
From: Francesco Dolcini @ 2026-06-01 10:51 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
On Sat, May 30, 2026 at 05:52:04PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.1.175 release.
> There are 969 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
Tested-by: Francesco Dolcini <francesco.dolcini@toradex.com>
^ permalink raw reply [flat|nested] 982+ messages in thread
* Re: [PATCH 6.1 000/969] 6.1.175-rc1 review
2026-05-30 15:52 [PATCH 6.1 000/969] 6.1.175-rc1 review Greg Kroah-Hartman
` (974 preceding siblings ...)
2026-06-01 10:51 ` Francesco Dolcini
@ 2026-06-01 17:30 ` Florian Fainelli
975 siblings, 0 replies; 982+ messages in thread
From: Florian Fainelli @ 2026-06-01 17:30 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, sudipm.mukherjee, rwarsow, conor,
hargar, broonie, achill, sr
On 5/30/2026 8:52 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.1.175 release.
> There are 969 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Mon, 01 Jun 2026 16:01:39 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.175-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
On ARCH_BRCMSTB using 32-bit and 64-bit ARM kernels, build tested on
BMIPS_GENERIC:
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
--
Florian
^ permalink raw reply [flat|nested] 982+ messages in thread
* Re: [PATCH 6.1 431/969] bcache: fix uninitialized closure object
2026-05-30 15:59 ` [PATCH 6.1 431/969] bcache: fix uninitialized closure object Greg Kroah-Hartman
@ 2026-06-01 17:34 ` Mahmoud Nagy Adam
2026-06-02 18:21 ` Sasha Levin
0 siblings, 1 reply; 982+ messages in thread
From: Mahmoud Nagy Adam @ 2026-06-01 17:34 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, Mingzhe Zou, Coly Li, Jens Axboe, nagy
Hey Greg,
Greg Kroah-Hartman <gregkh@linuxfoundation.org> writes:
> 6.1-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Mingzhe Zou <mingzhe.zou@easystack.cn>
>
> commit 20a8e451ec1c7e99060b1bbaaad03ce88c39ddb8 upstream.
>
Just a heads up that this fix patch is missing from 6.6->6.18
kernels, while being backported to older kernels (< 6.1). Any blockers
for it to be backported to newer kernels as well?
Regards,
Mahmoud Nagy Adam
Amazon Web Services Development Center Germany GmbH
Tamara-Danz-Str. 13
10243 Berlin
Managing directors: Christof Hellmis, Andreas Stieger
Registered at the Charlottenburg district court under HRB 257764 B
Registered office: Berlin
VAT ID: DE 365 538 597
^ permalink raw reply [flat|nested] 982+ messages in thread
* Re: [PATCH 6.1 431/969] bcache: fix uninitialized closure object
2026-06-01 17:34 ` Mahmoud Nagy Adam
@ 2026-06-02 18:21 ` Sasha Levin
0 siblings, 0 replies; 982+ messages in thread
From: Sasha Levin @ 2026-06-02 18:21 UTC (permalink / raw)
To: Mahmoud Nagy Adam, Greg Kroah-Hartman
Cc: Sasha Levin, stable, patches, Mingzhe Zou, Coly Li, Jens Axboe,
nagy
On Sun, Jun 01, 2026 at 07:34:24PM +0200, Mahmoud Nagy Adam wrote:
> This fix (20a8e451ec1c "bcache: fix uninitialized closure object") is
> missing from 6.6 through 7.0.
Now queued from mainline (20a8e451ec1c) to 7.0.y, 6.18.y, 6.12.y and
6.6.y.
Thanks,
Sasha
^ permalink raw reply [flat|nested] 982+ messages in thread
2026-05-30 15:52 ` [PATCH 6.1 053/969] netfilter: conntrack: add missing netlink policy validations Greg Kroah-Hartman
2026-05-30 15:52 ` [PATCH 6.1 054/969] ALSA: usb-audio: Improve Focusrite sample rate filtering Greg Kroah-Hartman
2026-05-31 15:13 ` Geoffrey D. Bennett
2026-06-01 2:11 ` Sasha Levin
2026-05-30 15:52 ` [PATCH 6.1 055/969] drm/i915/psr: Do not use pipe_src as borders for SU area Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 056/969] nfc: llcp: add missing return after LLCP_CLOSED checks Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 057/969] can: raw: fix ro->uniq use-after-free in raw_rcv() Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 058/969] i2c: s3c24xx: check the size of the SMBUS message before using it Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 059/969] staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify() Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 060/969] HID: alps: fix NULL pointer dereference in alps_raw_event() Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 061/969] HID: core: clamp report_size in s32ton() to avoid undefined shift Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 062/969] net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete() Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 063/969] NFC: digital: Bounds check NFC-A cascade depth in SDD response handler Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 064/969] drm/vc4: platform_get_irq_byname() returns an int Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 065/969] ALSA: fireworks: bound device-supplied status before string array lookup Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 066/969] fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 067/969] usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb() Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 068/969] usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete() Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 069/969] usb: gadget: renesas_usb3: validate endpoint index in standard request handlers Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 070/969] ksmbd: validate EaNameLength in smb2_get_ea() Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 071/969] ksmbd: require 3 sub-authorities before reading sub_auth[2] Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 072/969] usbip: validate number_of_packets in usbip_pack_ret_submit() Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 073/969] usb: storage: Expand range of matched versions for VL817 quirks entry Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 074/969] USB: cdc-acm: Add quirks for Yoga Book 9 14IAH10 INGENIC touchscreen Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 075/969] usb: port: add delay after usb_hub_set_port_power() Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 076/969] fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 077/969] scripts: generate_rust_analyzer.py: avoid FD leak Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 078/969] staging: sm750fb: fix division by zero in ps_to_hz() Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 079/969] USB: serial: option: add Telit Cinterion FN990A MBIM composition Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 080/969] Docs/admin-guide/mm/damon/reclaim: warn commit_inputs vs param updates race Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 081/969] ALSA: ctxfi: Limit PTP to a single page Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 082/969] dcache: Limit the minimal number of bucket to two Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 083/969] media: vidtv: fix NULL pointer dereference in vidtv_channel_pmt_match_sections Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 084/969] ocfs2: fix possible deadlock between unlink and dio_end_io_write Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 085/969] ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 086/969] ocfs2: handle invalid dinode in ocfs2_group_extend Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 087/969] KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 088/969] Revert "dmaengine: idxd: Fix not releasing workqueue on .release()" Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 089/969] ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 090/969] net: add proper RCU protection to /proc/net/ptype Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 091/969] net: sched: fix TCF_LAYER_TRANSPORT handling in tcf_get_base_ptr() Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 092/969] bonding: return detailed error when loading native XDP fails Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 093/969] bonding: check xdp prog when set bond mode Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 094/969] drm/amdgpu: remove two invalid BUG_ON()s Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 095/969] nf_tables: nft_dynset: fix possible stateful expression memleak in error path Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 096/969] rxrpc: proc: size address buffers for %pISpc output Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 097/969] checkpatch: add support for Assisted-by tag Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 098/969] KVM: x86: Use scratch field in MMIO fragment to hold small write values Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 099/969] mm/kasan: fix double free for kasan pXds Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 100/969] mm: blk-cgroup: fix use-after-free in cgwb_release_workfn() Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 101/969] media: vidtv: fix nfeeds state corruption on start_streaming failure Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 102/969] media: em28xx: fix use-after-free in em28xx_v4l2_open() Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 103/969] ALSA: 6fire: fix use-after-free on disconnect Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 104/969] bcache: fix cached_dev.sb_bio use-after-free and crash Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 105/969] media: as102: fix to not free memory after the device is registered in as102_usb_probe() Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 106/969] nilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 107/969] media: vidtv: fix pass-by-value structs causing MSAN warnings Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 108/969] media: hackrf: fix to not free memory after the device is registered in hackrf_probe() Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 109/969] PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 110/969] Revert "net: ethernet: xscale: Check for PTP support properly" Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 111/969] Revert "net: ixp4xx_eth: convert to ndo_hwtstamp_get() and ndo_hwtstamp_set()" Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 112/969] ipv6: add NULL checks for idev in SRv6 paths Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 113/969] gfs2: Improve gfs2_consist_inode() usage Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 114/969] gfs2: Validate i_depth for exhash directories Greg Kroah-Hartman
2026-05-30 15:53 ` [PATCH 6.1 115/969] wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 116/969] net: dsa: clean up FDB, MDB, VLAN entries on unbind Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 117/969] arm64: dts: imx8mq-librem5: Set the DVS voltages lower Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 118/969] arm64: dts: imx8mq-librem5: Bump BUCK1 suspend voltage to 0.81V Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 119/969] Revert "arm64: dts: imx8mq-librem5: Set the DVS voltages lower" Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 120/969] arm64: dts: imx8mq-librem5: Bump BUCK1 suspend voltage up to 0.85V Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 121/969] ocfs2: add inline inode consistency check to ocfs2_validate_inode_block() Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 122/969] ocfs2: validate inline data i_size during inode read Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 123/969] ocfs2: fix out-of-bounds write in ocfs2_write_end_inline Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 124/969] rxrpc: Fix key quota calculation for multitoken keys Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 125/969] rxrpc: Fix call removal to use RCU safe deletion Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 126/969] Revert "wifi: cfg80211: stop NAN and P2P in cfg80211_leave" Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 127/969] rxrpc: reject undecryptable rxkad response tickets Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 128/969] KVM: x86: Use __DECLARE_FLEX_ARRAY() for UAPI structures with VLAs Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 129/969] ublk: fix deadlock when reading partition table Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 130/969] scripts: generate_rust_analyzer.py: define scripts Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 131/969] PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in epf_ntb_epc_cleanup Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 132/969] soc: qcom: apr: make remove callback of apr driver void returned Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 133/969] ASoC: qcom: q6apm: move component registration to unmanaged version Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 134/969] rxrpc: Fix recvmsg() unconditional requeue Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 135/969] scsi: ufs: core: Fix use-after free in init error and remove paths Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 136/969] ALSA: control: Avoid WARN() for symlink errors Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 137/969] f2fs: fix null-ptr-deref in f2fs_submit_page_bio() Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 138/969] wifi: iwlwifi: read txq->read_ptr under lock Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 139/969] scripts/dtc: Remove unused dts_version in dtc-lexer.l Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 140/969] arm64: mm: fix VA-range sanity check Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 141/969] rxrpc: Fix anonymous key handling Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 142/969] rxrpc: only handle RESPONSE during service challenge Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 143/969] fs/ntfs3: validate rec->used in journal-replay file record check Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 144/969] fuse: reject oversized dirents in page cache Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 145/969] fuse: quiet down complaints in fuse_conn_limit_write Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 146/969] smb: server: fix active_num_conn leak on transport allocation failure Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 147/969] smb: server: fix max_connections off-by-one in tcp accept path Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 148/969] smb: client: require a full NFS mode SID before reading mode bits Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 149/969] smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 150/969] ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 151/969] ksmbd: use check_add_overflow() to prevent u16 DACL size overflow Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 152/969] f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io() Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 153/969] ALSA: usb-audio: apply quirk for MOONDROP JU Jiu Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 154/969] ALSA: caiaq: take a reference on the USB device in create_card() Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 155/969] crypto: ccp: Dont attempt to copy CSR to userspace if PSP command failed Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 156/969] crypto: ccp: Dont attempt to copy PDH cert " Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 157/969] crypto: ccp: Dont attempt to copy ID " Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 158/969] rxrpc: Fix missing validation of ticket length in non-XDR key preparsing Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 159/969] ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 160/969] ALSA: usb-audio: Avoid false E-MU sample-rate notifications Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 161/969] ALSA: usb-audio: Fix Audio Advantage Micro II SPDIF switch Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 162/969] usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable() Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 163/969] ALSA: usb-audio: Evaluate packsize caps at the right place Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 164/969] drm/nouveau: fix u32 overflow in pushbuf reloc bounds check Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 165/969] misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt() Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 166/969] ibmasm: fix OOB reads in command_file_write due to missing size checks Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 167/969] ibmasm: fix heap over-read in ibmasm_send_i2o_message() Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 168/969] firmware: google: framebuffer: Do not mark framebuffer as busy Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 169/969] padata: Fix pd UAF once and for all Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 170/969] padata: Remove comment for reorder_work Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 171/969] drm/amdgpu: Use vmemdup_array_user in amdgpu_bo_create_list_entry_array Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 172/969] drm/amdgpu: Limit BO list entry count to prevent resource exhaustion Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 173/969] net: enetc: fix the deadlock of enetc_mdio_lock Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 174/969] blk-mq: fix NULL dereference on q->elevator in blk_mq_elv_switch_none Greg Kroah-Hartman
2026-05-30 15:54 ` [PATCH 6.1 175/969] arm64: set __exception_irq_entry with __irq_entry as a default Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 176/969] regset: use kvzalloc() for regset_get_alloc() Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 177/969] device property: Make modifications of fwnode "flags" thread safe Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 178/969] ocfs2: split transactions in dio completion to avoid credit exhaustion Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 179/969] driver core: Dont let a device probe until its ready Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 180/969] wifi: rtw88: check for PCI upstream bridge existence Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 181/969] um: drivers: call kernel_strrchr() explicitly in cow_user.c Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 182/969] f2fs: fix to detect potential corrupted nid in free_nid_list Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 183/969] crypto: pcrypt - Fix handling of MAY_BACKLOG requests Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 184/969] media: amphion: Fix race between m2m job_abort and device_run Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 185/969] ALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names() Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 186/969] net: caif: clear client service pointer on teardown Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 187/969] net: strparser: fix skb_head leak in strp_abort_strp() Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 188/969] PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 189/969] Revert "ALSA: usb: Increase volume range that triggers a warning" Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 190/969] lib/ts_kmp: fix integer overflow in pattern length calculation Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 191/969] media: i2c: imx219: Check return value of devm_gpiod_get_optional() in imx219_probe() Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 192/969] net: qrtr: ns: Fix use-after-free in driver remove() Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 193/969] ext2: reject inodes with zero i_nlink and valid mode in ext2_iget() Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 194/969] ALSA: aoa: i2sbus: fix OF node lifetime handling Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 195/969] ALSA: ctxfi: Add fallback to default RSR for S/PDIF Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 196/969] ALSA: seq_oss: return full count for successful SEQ_FULLSIZE writes Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 197/969] erofs: fix the out-of-bounds nameoff handling for trailing dirents Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 198/969] md/raid10: fix deadlock with check operation and nowait requests Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 199/969] nvme-pci: add NVME_QUIRK_DISABLE_WRITE_ZEROES for Kingston OM3SGP4 Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 200/969] nvme: respect NVME_QUIRK_DISABLE_WRITE_ZEROES when wzsl is set Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 201/969] parisc: _llseek syscall is only available for 32-bit userspace Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 202/969] selftests/mqueue: Fix incorrectly named file Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 203/969] rbd: fix null-ptr-deref when device_add_disk() fails Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 204/969] io_uring/timeout: check unused sqe fields Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 205/969] iio: adc: ti-ads7950: use iio_push_to_buffers_with_ts_unaligned() Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 206/969] io_uring/poll: fix signed comparison in io_poll_get_ownership() Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 207/969] io_uring/poll: ensure EPOLL_ONESHOT is propagated for EPOLL_URING_WAKE Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 208/969] ALSA: core: Fix potential data race at fasync handling Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 209/969] ALSA: caiaq: Fix control_put() result and cache rollback Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 210/969] ALSA: caiaq: Handle probe errors properly Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 211/969] ALSA: 6fire: Fix input volume change detection Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 212/969] iio: adc: ad7768-1: fix one-shot mode data acquisition Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 213/969] tools/accounting: handle truncated taskstats netlink messages Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 214/969] net: rds: fix MR cleanup on copy error Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 215/969] net/smc: avoid early lgr access in smc_clc_wait_msg Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 216/969] net: ks8851: Reinstate disabling of BHs around IRQ handler Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 217/969] net: ks8851: Avoid excess softirq scheduling Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 218/969] drm/arcpgu: fix device node leak Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 219/969] RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 220/969] ipv4: icmp: validate reply type before using icmp_pointers Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 221/969] libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply() Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 222/969] extract-cert: Wrap key_pass with #ifdef USE_PKCS11_ENGINE Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 223/969] tpm: avoid -Wunused-but-set-variable Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 224/969] LoongArch: Show CPU vulnerabilites correctly Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 225/969] power: supply: axp288_charger: Do not cancel work before initializing it Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 226/969] randomize_kstack: Maintain kstack_offset per task Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 227/969] mmc: block: use single block write in retry Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 228/969] mmc: sdhci-of-dwcmshc: Disable clock before DLL configuration Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 229/969] tpm: tpm_tis: add error logging for data transfer Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 230/969] rtc: ntxec: fix OF node reference imbalance Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 231/969] userfaultfd: allow registration of ranges below mmap_min_addr Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 232/969] KVM: nSVM: Mark all of vmcb02 dirty when restoring nested state Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 233/969] KVM: nSVM: Sync NextRIP to cached vmcb12 after VMRUN of L2 Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 234/969] KVM: nSVM: Sync interrupt shadow " Greg Kroah-Hartman
2026-05-30 15:55 ` [PATCH 6.1 235/969] KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0 Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 236/969] KVM: SVM: Explicitly mark vmcb01 dirty after modifying VMCB intercepts Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 237/969] KVM: nSVM: Ensure AVIC is inhibited when restoring a vCPU to guest mode Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 238/969] KVM: nSVM: Use vcpu->arch.cr2 when updating vmcb12 on nested #VMEXIT Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 239/969] KVM: nSVM: Always inject a #GP if mapping VMCB12 fails on nested VMRUN Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 240/969] KVM: nSVM: Clear GIF on nested #VMEXIT(INVALID) Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 241/969] KVM: nSVM: Clear tracking of L1->L2 NMI and soft IRQ on nested #VMEXIT Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 242/969] KVM: nSVM: Add missing consistency check for EFER, CR0, CR4, and CS Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 243/969] KVM: nSVM: Add missing consistency check for nCR3 validity Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 244/969] mtd: docg3: Convert to platform remove callback returning void Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 245/969] mtd: docg3: fix use-after-free in docg3_release() Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 246/969] io_uring/poll: fix multishot recv missing EOF on wakeup race Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 247/969] ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all() Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 248/969] md/raid5: fix soft lockup in retry_aligned_read() Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 249/969] md/raid5: validate payload size before accessing journal metadata Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 250/969] inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 251/969] tcp: call sk_data_ready() after listener migration Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 252/969] taskstats: set version in TGID exit notifications Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 253/969] Bluetooth: hci_event: fix potential UAF in SSP passkey handlers Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 254/969] can: ucan: fix devres lifetime Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 255/969] crypto: arm64/aes - Fix 32-bit aes_mac_update() arg treated as 64-bit Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 256/969] crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 257/969] crypto: atmel-ecc - Release client on allocation failure Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 258/969] crypto: hisilicon - Fix dma_unmap_single() direction Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 259/969] crypto: ccree - fix a memory leak in cc_mac_digest() Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 260/969] crypto: atmel-tdes - fix DMA sync direction Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 261/969] crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 262/969] dm mirror: fix integer overflow in create_dirty_log() Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 263/969] IB/core: Fix zero dmac race in neighbor resolution Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 264/969] ktest: Fix the month in the name of the failure directory Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 265/969] ntfs3: add buffer boundary checks to run_unpack() Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 266/969] ntfs3: fix integer overflow in run_unpack() volume boundary check Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 267/969] rtmutex: Use waiter::task instead of current in remove_waiter() Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 268/969] scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 269/969] seg6: fix seg6 lwtunnel output redirect for L2 reduced encap mode Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 270/969] crypto: authencesn - reject short ahash digests during instance creation Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 271/969] driver core: Add kernel-doc for DEV_FLAG_COUNT enum value Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 272/969] ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 273/969] ALSA: caiaq: Dont abort when no input device is available Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 274/969] ipv6: rpl: reserve mac_len headroom when recompressed SRH grows Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 275/969] drm/amdgpu: fix zero-size GDS range init on RDNA4 Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 276/969] ALSA: caiaq: fix usb_dev refcount leak on probe failure Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 277/969] net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 278/969] netfilter: reject zero shift in nft_bitwise Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 279/969] scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show() Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 280/969] ipmi: Add limits to event and receive message requests Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 281/969] ipmi: Check event message buffer response for bad data Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 282/969] ipmi:si: Return state to normal if message allocation fails Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 283/969] fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 284/969] ACPI: scan: Use acpi_dev_put() in object add error paths Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 285/969] ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 286/969] ACPI: video: force native backlight on HP OMEN 16 (8A44) Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 287/969] ASoC: SOF: Dont allow pointer operations on unconfigured streams Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 288/969] spi: rockchip: fix controller deregistration Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 289/969] drm/amd/display: Do not skip unrelated mode changes in DSC validation Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 290/969] spi: meson-spicc: Fix double-put in remove path Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 291/969] ext4: validate p_idx bounds in ext4_ext_correct_indexes Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 292/969] KVM: x86: Fix shadow paging use-after-free due to unexpected GFN Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 293/969] net: Fix icmp host relookup triggering ip_rt_bug Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 294/969] flow_dissector: do not dissect PPPoE PFC frames Greg Kroah-Hartman
2026-05-30 15:56 ` [PATCH 6.1 295/969] net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 296/969] Bluetooth: hci_sync: Remove remaining dependencies of hci_request Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 297/969] Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 298/969] ice: Fix memory leak in ice_set_ringparam() Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 299/969] exit: prevent preemption of oopsing TASK_DEAD task Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 300/969] wifi: mt76: mt7921: fix a potential clc buffer length underflow Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 301/969] wifi: b43legacy: enforce bounds check on firmware key index in RX path Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 302/969] wifi: rsi: fix kthread lifetime race between self-exit and external-stop Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 303/969] wifi: ath5k: do not access array OOB Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 304/969] wifi: b43: enforce bounds check on firmware key index in b43_rx() Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 305/969] usb: usblp: fix heap leak in IEEE 1284 device ID via short response Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 306/969] usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 307/969] ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3() Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 308/969] ALSA: usb-audio: Fix UAC3 cluster descriptor size check Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 309/969] USB: omap_udc: DMA: Dont enable burst 4 mode Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 310/969] USB: serial: option: add Telit Cinterion LE910Cx compositions Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 311/969] usb: ulpi: fix memory leak on ulpi_register() error paths Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 312/969] ALSA: firewire-tascam: Do not drop unread control events Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 313/969] powerpc/kdump: fix KASAN sanitization flag for core_$(BITS).o Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 314/969] xfrm: provide message size for XFRM_MSG_MAPPING Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 315/969] ipv6: xfrm6: release dst on error in xfrm6_rcv_encap() Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 316/969] Bluetooth: virtio_bt: clamp rx length before skb_put Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 317/969] Bluetooth: virtio_bt: validate rx pkt_type header length Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 318/969] Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb() Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 319/969] Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb() Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 320/969] spi: zynqmp-gqspi: fix controller deregistration Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 321/969] staging: vme_user: fix root device leak on init failure Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 322/969] fanotify: fix false positive on permission events Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 323/969] net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 324/969] sound: ua101: fix division by zero at probe Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 325/969] ip6_gre: Use cached t->net in ip6erspan_changelink() Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 326/969] net/rds: handle zerocopy send cleanup before the message is queued Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 327/969] parisc: Fix IRQ leak in LASI driver Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 328/969] hwmon: (ltc2992) Clamp threshold writes to hardware range Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 329/969] hwmon: (ltc2992) Fix u32 overflow in power read path Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 330/969] hwmon: (corsair-psu) Close HID device on probe errors Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 331/969] cifs: abort open_cached_dir if we dont request leases Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 332/969] cifs: change_conf needs to be called for session setup Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 333/969] extcon: ptn5150: handle pending IRQ events during system resume Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 334/969] hv_sock: fix ARM64 support Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 335/969] ibmveth: Disable GSO for packets with small MSS Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 336/969] udf: reject descriptors with oversized CRC length Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 337/969] thermal/drivers/sprd: Fix temperature clamping in sprd_thm_temp_to_rawdata Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 338/969] thermal/drivers/sprd: Fix raw temperature clamping in sprd_thm_rawdata_to_temp Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 339/969] spi: topcliff-pch: fix use-after-free on unbind Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 340/969] clk: microchip: mpfs-ccc: fix out of bounds access during output registration Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 341/969] cpuidle: powerpc: avoid double clear when breaking snooze Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 342/969] ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in quirk table Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 343/969] ASoC: fsl_easrc: fix comment typo Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 344/969] ASoC: Intel: bytcr_wm5102: Fix MCLK leak on platform_clock_control error Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 345/969] ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 346/969] ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 347/969] ASoC: qcom: q6apm: remove child devices when apm is removed Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 348/969] btrfs: fix double free in create_space_info() error path Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 349/969] dm-thin: fix metadata refcount underflow Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 350/969] dm: dont report warning when doing deferred remove Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 351/969] dm: fix a buffer overflow in ioctl processing Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 352/969] dm-verity-fec: correctly reject too-small FEC devices Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 353/969] dm-verity-fec: correctly reject too-small hash devices Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 354/969] isofs: validate Rock Ridge CE continuation extent against volume size Greg Kroah-Hartman
2026-05-30 15:57 ` [PATCH 6.1 355/969] isofs: validate block number from NFS file handle in isofs_export_iget Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 356/969] libceph: Fix slab-out-of-bounds access in auth message processing Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 357/969] md/raid10: fix divide-by-zero in setup_geo() with zero far_copies Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 358/969] nvme-apple: drop invalid put of admin queue reference count Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 359/969] nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 360/969] openvswitch: vport: fix self-deadlock on release of tunnel ports Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 361/969] RDMA/hns: Fix unlocked call to hns_roce_qp_remove() Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 362/969] s390/debug: Reject zero-length input in debug_input_flush_fn() Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 363/969] smb/client: fix out-of-bounds read in symlink_data() Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 364/969] PCI/AER: Clear only error bits in PCIe Device Status Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 365/969] PCI/AER: Stop ruling out unbound devices as error source Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 366/969] power: supply: max17042: avoid overflow when determining health Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 367/969] RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq() Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 368/969] RDMA/ocrdma: Dont NULL deref uctx on errors in ocrdma_copy_pd_uresp() Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 369/969] RDMA/rxe: Reject unknown opcodes before ICRC processing Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 370/969] RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 371/969] mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 372/969] mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 373/969] mptcp: sockopt: set timestamp flags on subflow socket, not msk Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 374/969] mptcp: fix scheduling with atomic in timestamp sockopt Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 375/969] f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode() Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 376/969] f2fs: fix fiemap boundary handling when read extent cache is incomplete Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 377/969] f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks() Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 378/969] KVM: arm64: vgic: Fix IIDR revision field extracted from wrong value Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 379/969] LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang() Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 380/969] LoongArch: Use per-root-bridge PCIH flag to skip mem resource fixup Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 381/969] f2fs: compress: change the first parameter of page_array_{alloc,free} to sbi Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 382/969] f2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 383/969] exit: Sleep at TASK_IDLE when waiting for application core dump Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 384/969] media: uvcvideo: Enable VB2_DMABUF for metadata stream Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 385/969] media: i2c: ov8856: free control handler on error in ov8856_init_controls() Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 386/969] staging: media: atomisp: Disallow all private IOCTLs Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 387/969] regulator: max77650: fix OF node reference imbalance Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 388/969] media: rc: xbox_remote: heed DMA restrictions Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 389/969] media: rc: streamzap: Error handling in probe Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 390/969] regulator: act8945a: fix OF node reference imbalance Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 391/969] regulator: bd9571mwv: " Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 392/969] media: saa7164: add ioremap return checks and cleanups Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 393/969] platform/x86: hp-wmi: Ignore backlight and FnLock events Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 394/969] media: pci: zoran: fix potential memory leak in zoran_probe() Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 395/969] media: dib8000: avoid division by 0 in dib8000_set_dds() Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 396/969] media: i2c: imx412: Assert reset GPIO during probe Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 397/969] media: i2c: ov08d10: fix image vertical start setting Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 398/969] media: omap3isp: drop the use count of v4l2 pipeline Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 399/969] spi: mtk-nor: fix controller deregistration Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 400/969] spi: imx: fix runtime pm leak on probe deferral Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 401/969] spi: orion: fix clock imbalance on registration failure Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 402/969] spi: mpc52xx: fix use-after-free on unbind Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 403/969] drm/amdgpu: Add bounds checking to ib_{get,set}_value Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 404/969] drm/amdgpu/vce: Prevent partial address patches Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 405/969] drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 406/969] drm/amdgpu/vcn3: " Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 407/969] drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs() Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 408/969] drm/amdkfd: validate SVM ioctl nattr against buffer size Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 409/969] drm/radeon: add missing revision check for CI Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 410/969] drm/amdgpu: zero-initialize GART table on allocation Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 411/969] drm/amdgpu/gfx9: drop unnecessary 64-bit fence flag check in KIQ Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 412/969] drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 413/969] drm/amdgpu/pm: add missing revision check for CI Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 414/969] drm/amdgpu/pm: align Hawaii mclk workaround with radeon Greg Kroah-Hartman
2026-05-30 15:58 ` [PATCH 6.1 415/969] sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 416/969] batman-adv: fix integer overflow on buff_pos Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 417/969] batman-adv: reject new tp_meter sessions during teardown Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 418/969] batman-adv: stop caching unowned originator pointers in BAT IV Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 419/969] batman-adv: bla: prevent use-after-free when deleting claims Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 420/969] batman-adv: bla: only purge non-released claims Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 421/969] batman-adv: bla: put backbone reference on failed claim hash insert Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 422/969] Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb() Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 423/969] mtd: spi-nor: sst: Factor out common write operation to `sst_nor_write_data()` Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 424/969] mtd: spi-nor: sst: Fix write enable before AAI sequence Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 425/969] pwm: imx-tpm: Count the number of enabled channels in probe Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 426/969] vsock: fix buffer size clamping order Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 427/969] vsock/virtio: fix accept queue count leak on transport mismatch Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 428/969] drm/amdgpu/vcn3: Avoid overflow on msg bound check Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 429/969] drm/amdgpu/vcn4: " Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 430/969] mtd: spi-nor: sst: Fix SST write failure Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 431/969] bcache: fix uninitialized closure object Greg Kroah-Hartman
2026-06-01 17:34 ` Mahmoud Nagy Adam
2026-06-02 18:21 ` Sasha Levin
2026-05-30 15:59 ` [PATCH 6.1 432/969] blk-cgroup: wait for blkcg cleanup before initializing new disk Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 433/969] fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 434/969] drbd: Balance RCU calls in drbd_adm_dump_devices() Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 435/969] nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty() Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 436/969] pstore/ram: fix resource leak when ioremap() fails Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 437/969] devres: fix missing node debug info in devm_krealloc() Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 438/969] thermal/drivers/spear: Fix error condition for reading st,thermal-flags Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 439/969] debugfs: check for NULL pointer in debugfs_create_str() Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 440/969] irqchip/irq-pic32-evic: Address warning related to wrong printf() formatter Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 441/969] hrtimers: Update the return type of enqueue_hrtimer() Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 442/969] hrtimer: Avoid pointless reprogramming in __hrtimer_start_range_ns() Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 443/969] hrtimer: Reduce trace noise in hrtimer_start() Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 444/969] locking: Fix rwlock support in <linux/spinlock_up.h> Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 445/969] firmware: dmi: Correct an indexing error in dmi.h Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 446/969] wifi: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt() Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 447/969] wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 448/969] bpf: Add CHECKSUM_COMPLETE to bpf test progs Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 449/969] bpf: test_run: Fix the null pointer dereference issue in bpf_lwt_xmit_push_encap Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 450/969] dpaa2: add independent dependencies for FSL_DPAA2_SWITCH Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 451/969] dpaa2: compile dpaa2 even CONFIG_FSL_DPAA2_ETH=n Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 452/969] kernel: param: rename locate_module_kobject Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 453/969] kernel: globalize lookup_or_create_module_kobject() Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 454/969] params: Replace __modinit with __init_or_module Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 455/969] module: Fix freeing of charp module parameters when CONFIG_SYSFS=n Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 456/969] bpf, devmap: Remove unnecessary if check in for loop Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 457/969] bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 458/969] wifi: rtw89: phy: fix uninitialized variable access in rtw89_phy_cfo_set_crystal_cap() Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 459/969] r8152: fix incorrect register write to USB_UPHY_XTAL Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 460/969] powerpc/crash: fix backup region offset update to elfcorehdr Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 461/969] macvlan: annotate data-races around port->bc_queue_len_used Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 462/969] bpf: fix end-of-list detection in cgroup_storage_get_next_key() Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 463/969] wifi: brcmfmac: Fix error pointer dereference Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 464/969] bpf: Drop task_to_inode and inet_conn_established from lsm sleepable hooks Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 465/969] bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec() Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 466/969] ACPI: AGDI: fix missing newline in error message Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 467/969] arm64: kexec: Remove duplicate allocation for trans_pgd Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 468/969] net: bcmgenet: fix off-by-one in bcmgenet_put_txcb Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 469/969] net: bcmgenet: Remove TX ring full logging Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 470/969] net: bcmgenet: Remove custom ndo_poll_controller() Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 471/969] net: bcmgenet: add bcmgenet_has_* helpers Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 472/969] net: bcmgenet: move DESC_INDEX flow to ring 0 Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 473/969] net: bcmgenet: support reclaiming unsent Tx packets Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 474/969] net: bcmgenet: switch to use 64bit statistics Greg Kroah-Hartman
2026-05-30 15:59 ` [PATCH 6.1 475/969] net: bcmgenet: fix racing timeout handler Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 476/969] netfilter: xt_socket: enable defrag after all other checks Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 477/969] netfilter: nft_fwd_netdev: check ttl/hl before forwarding Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 478/969] 6pack: propagage new tty types Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 479/969] net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 480/969] net/sched: act_ct: Only release RCU read lock after ct_ft Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 481/969] net/rds: Optimize rds_ib_laddr_check Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 482/969] net/rds: Restrict use of RDS/IB to the initial network namespace Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 483/969] ppp: require CAP_NET_ADMIN in target netns for unattached ioctls Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 484/969] bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 485/969] Bluetooth: L2CAP: Fix printing wrong information if SDU length exceeds MTU Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 486/969] Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 487/969] Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 488/969] Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 489/969] sctp: fix missing encap_port propagation for GSO fragments Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 490/969] net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 491/969] drm/komeda: fix integer overflow in AFBC framebuffer size check Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 492/969] drm/sun4i: backend: fix error pointer dereference Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 493/969] ASoC: sti: Return errors from regmap_field_alloc() Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 494/969] ASoC: sti: use managed regmap_field allocations Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 495/969] dm cache: fix null-deref with concurrent writes in passthrough mode Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 496/969] dm cache: fix write path cache coherency " Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 497/969] dm cache: fix write hang " Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 498/969] dm cache policy smq: fix missing locks in invalidating cache blocks Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 499/969] dm cache: fix concurrent write failure in passthrough mode Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 500/969] dm cache: support shrinking the origin device Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 501/969] dm cache: fix dirty mapping checking in passthrough mode switching Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 502/969] dm cache metadata: fix memory leak on metadata abort retry Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 503/969] dm log: fix out-of-bounds write due to region_count overflow Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 504/969] spi: fsl-qspi: Use reinit_completion() for repeated operations Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 505/969] drm/sun4i: Fix resource leaks Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 506/969] drm/amdgpu: Add default case in DVI mode validation Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 507/969] dm init: ensure device probing has finished in dm-mod.waitfor= Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 508/969] fbdev: matroxfb: Mark variable with __maybe_unused to avoid W=1 build break Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 509/969] padata: Remove cpu online check from cpu add and removal Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 510/969] padata: Put CPU offline callback in ONLINE section to allow failure Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 511/969] drm/amdgpu/gfx10: look at the right prop for gfx queue priority Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 512/969] spi: hisi-kunpeng: prevent infinite while() loop in hisi_spi_flush_fifo Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 513/969] drm/msm/dpu: fix mismatch between power and frequency Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 514/969] drm/msm/dsi: rename MSM8998 DSI version from V2_2_0 to V2_0_0 Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 515/969] drm/panel: simple: Correct G190EAN01 prepare timing Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 516/969] ALSA: core: Validate compress device numbers without dynamic minors Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 517/969] drm/amd/pm/ci: Use highest MCLK on CI when MCLK DPM is disabled Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 518/969] drm/amd/pm/ci: Disable MCLK DPM on problematic CI ASICs Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 519/969] drm/amd/pm/smu7: Fix SMU7 voltage dependency on display clock Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 520/969] drm/amd/pm/ci: Fix powertune defaults for Hawaii 0x67B0 Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 521/969] drm/amd/pm/ci: Clear EnabledForActivity field for memory levels Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 522/969] drm/amd/pm/ci: Fill DW8 fields from SMC Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 523/969] drm/amd/pm/smu7: Add SCLK cap for quirky Hawaii board Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 524/969] ALSA: hda/realtek: Whitespace fix Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 525/969] ALSA: hda/realtek: fix code style (ERROR: else should follow close brace }) Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 526/969] drm/msm/a6xx: Fix HLSQ register dumping Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 527/969] drm/msm/shrinker: Fix can_block() logic Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 528/969] drm/msm/a6xx: Use barriers while updating HFI Q headers Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 529/969] pmdomain: ti: omap_prm: Fix a reference leak on device node Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 530/969] pmdomain: imx: scu-pd: Fix device_node reference leak during ->probe() Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 531/969] ASoC: fsl_micfil: Fix event generation in micfil_quality_set() Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 532/969] ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_arc_mode_put() Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 533/969] ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_mode_put() Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 534/969] ASoC: fsl_easrc: Check the variable range in fsl_easrc_iec958_put_bits() Greg Kroah-Hartman
2026-05-30 16:00 ` [PATCH 6.1 535/969] ASoC: fsl_easrc: Fix value type in fsl_easrc_iec958_get_bits() Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 536/969] ASoC: fsl_easrc: Change the type for iec958 channel status controls Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 537/969] ASoC: qcom: qdsp6: topology: check widget type before accessing data Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 538/969] PCI: Enable AtomicOps only if Root Port supports them Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 539/969] PCI: mediatek-gen3: Prevent leaking IRQ domains when IRQ not found Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 540/969] selftests/mm: skip migration tests if NUMA is unavailable Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 541/969] Documentation: fix a hugetlbfs reservation statement Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 542/969] selftest: memcg: skip memcg_sock test if address family not supported Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 543/969] ALSA: scarlett2: Add missing sentinel initializer field Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 544/969] ASoC: SOF: amd: Fix for reading position updates from stream box Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 545/969] ASoC: SOF: Prepare ipc_msg_data to be used with compress API Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 546/969] ASoC: SOF: Prepare set_stream_data_offset for " Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 547/969] ASoC: SOF: Add support for compress API for stream data/offset Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 548/969] ASoC: SOF: compress: return the configured codec from get_params Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 549/969] PCI: Add PCIE_PME_TO_L2_TIMEOUT_US L2 ready timeout value Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 550/969] PCI: tegra194: Fix polling delay for L2 state Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 551/969] PCI: tegra194: Increase LTSSM poll time on surprise link down Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 552/969] PCI: tegra194: Disable LTSSM after transition to Detect " Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 553/969] PCI: tegra194: Rename root_bus to root_port_bus in tegra_pcie_downstream_dev_to_D0() Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 554/969] PCI: tegra194: Dont force the device into the D0 state before L2 Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 555/969] PCI: tegra194: Disable PERST# IRQ only in Endpoint mode Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 556/969] PCI: tegra194: Use devm_gpiod_get_optional() to parse "nvidia,refclk-select" Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 557/969] PCI: tegra194: Disable direct speed change for Endpoint mode Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 558/969] PCI: tegra194: Allow system suspend when the Endpoint link is not up Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 559/969] spi: mtk-snfi: unregister ECC engine on probe failure and remove() callback Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 560/969] ALSA: sc6000: Use standard print API Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 561/969] ALSA: sc6000: Keep the programmed board state in card-private data Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 562/969] dm cache: fix missing return in invalidate_committeds error path Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 563/969] gfs2: Call unlock_new_inode before d_instantiate Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 564/969] ktest: Avoid undef warning when WARNINGS_FILE is unset Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 565/969] ktest: Honor empty per-test option overrides Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 566/969] ktest: Run POST_KTEST hooks on failure and cancellation Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 567/969] quota: Fix race of dquot_scan_active() with quota deactivation Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 568/969] gfs2: add some missing log locking Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 569/969] gfs2: prevent NULL pointer dereference during unmount Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 570/969] efi/capsule-loader: fix incorrect sizeof in phys array reallocation Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 571/969] ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 572/969] ARM: dts: mediatek: mt7623: fix efuse fallback compatible Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 573/969] memory: tegra124-emc: Fix dll_change check Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 574/969] memory: tegra30-emc: " Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 575/969] arm64: dts: imx8mp-evk: Enable pull select bit for PCIe regulator GPIO (M.2 W_DISABLE1) Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 576/969] arm64: dts: mediatek: mt6795: Fix gpio-ranges pin count Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 577/969] arm64: dts: mediatek: mt7986a: " Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 578/969] soc: qcom: ocmem: use scoped device node handling to simplify error paths Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 579/969] soc: qcom: ocmem: register reasons for probe deferrals Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 580/969] soc: qcom: ocmem: return -EPROBE_DEFER is ocmem is not available Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 581/969] arm64: dts: qcom: sm8450: Fix GIC_ITS range length Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 582/969] arm64: dts: qcom: sm8450: Enable UHS-I SDR50 and SDR104 SD card modes Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 583/969] arm64: dts: qcom: sdm845-xiaomi-beryllium: Mark l1a regulator as powered during boot Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 584/969] soc/tegra: cbb: Set ERD on resume for err interrupt Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 585/969] unshare: fix nsproxy leak in ksys_unshare() on set_cred_ucounts() failure Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 586/969] ocfs2/dlm: validate qr_numregions in dlm_match_regions() Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 587/969] ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 588/969] soc: qcom: llcc: fix v1 SB syndrome register offset Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 589/969] soc: qcom: aoss: compare against normalized cooling state Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 590/969] arm64: dts: qcom: sm8250: Add missing CPU7 3.09GHz OPP Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 591/969] ARM: OMAP1: Fix DEBUG_LL and earlyprintk on OMAP16XX Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 592/969] arm64/xor: fix conflicting attributes for xor_block_template Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 593/969] ocfs2: fix listxattr handling when the buffer is full Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 594/969] ocfs2: validate bg_bits during freefrag scan Greg Kroah-Hartman
2026-05-30 16:01 ` [PATCH 6.1 595/969] ocfs2: validate group add input before caching Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 596/969] dmaengine: dw-axi-dmac: Remove unnecessary return statement from void function Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 597/969] soundwire: bus: demote UNATTACHED state warnings to dev_dbg() Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 598/969] dmaengine: mxs-dma: Fix missing return value from of_dma_controller_register() Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 599/969] tracing: Rebuild full_name on each hist_field_name() call Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 600/969] ima: check return value of crypto_shash_final() in boot aggregate Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 601/969] HID: asus: make asus_resume adhere to linux kernel coding standards Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 602/969] HID: asus: do not abort probe when not necessary Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 603/969] mtd: physmap_of_gemini: Fix disabled pinctrl state check Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 604/969] mtd: spi-nor: core: correct the op.dummy.nbytes when check read operations Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 605/969] mtd: spi-nor: spansion: Rename s28hs512t prefix Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 606/969] mtd: spi-nor: spansion: Replace hardcoded values for addr_nbytes/addr_mode_nbytes Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 607/969] mtd: spi-nor: spansion: Make RD_ANY_REG_OP macro take number of dummy bytes Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 608/969] mtd: spi-nor: spansion: Add support for Infineon S25FS256T Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 609/969] mtd: spi-nor: Allow post_sfdp hook to return errors Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 610/969] mtd: spi-nor: sfdp: introduce smpt_read_dummy fixup hook Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 611/969] mtd: spi-nor: sfdp: introduce smpt_map_id " Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 612/969] mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 613/969] mtd: spi-nor: swp: check SR_TB flag when getting tb_mask Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 614/969] mtd: parsers: ofpart: call of_node_put() only in ofpart_fail path Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 615/969] mtd: parsers: ofpart: call of_node_get() for dedicated subpartitions Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 616/969] mtd: rawnand: sunxi: fix sunxi_nfc_hw_ecc_read_extra_oob Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 617/969] HID: usbhid: fix deadlock in hid_post_reset() Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 618/969] bpf, arm64: Fix off-by-one in check_imm signed range check Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 619/969] bpf, sockmap: Fix af_unix iter deadlock Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 620/969] bpf, sockmap: Fix af_unix null-ptr-deref in proto update Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 621/969] bpf, sockmap: Take state lock for af_unix iter Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 622/969] bpf: Fix precedence bug in convert_bpf_ld_abs alignment check Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 623/969] bpf: allow UTF-8 literals in bpf_bprintf_prepare() Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 624/969] bpf, arm32: Reject BPF-to-BPF calls and callbacks in the JIT Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 625/969] pinctrl: pinctrl-pic32: Fix resource leak Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 626/969] pinctrl: cy8c95x0: remove duplicate error message Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 627/969] pinctrl: cy8c95x0: Unify messages with help of dev_err_probe() Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 628/969] pinctrl: cy8c95x0: Avoid returning positive values to user space Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 629/969] perf branch: Avoid incrementing NULL Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 630/969] perf: tools: cs-etm: Fix print issue for Coresight debug in ETE/TRBE trace Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 631/969] pinctrl: abx500: Fix type of argument variable Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 632/969] perf expr: Return -EINVAL for syntax error in expr__find_ids() Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 633/969] perf util: Kill die() prototype, dead for a long time Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 634/969] i3c: mipi-i3c-hci: fix IBI payload length calculation for final status Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 635/969] driver core: device.h: remove extern from function prototypes Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 636/969] driver core: Move dev_err_probe() to where it belogs Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 637/969] dev_printk: add new dev_err_probe() helpers Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 638/969] backlight: sky81452-backlight: Check return value of devm_gpiod_get_optional() in sky81452_bl_parse_dt() Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 639/969] platform/surface: surfacepro3_button: Drop wakeup source on remove Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 640/969] leds: lgm-sso: Remove duplicate assignments for priv->mmap Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 641/969] tty: hvc_iucv: fix off-by-one in number of supported devices Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 642/969] platform/x86: panasonic-laptop: Fix OPTD notifier registration and cleanup Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 643/969] mfd: mc13xxx-core: Fix memory leak in mc13xxx_add_subdevice_pdata() Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 644/969] nfs/blocklayout: Fix compilation error (`make W=1`) in bl_write_pagelist() Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 645/969] fs/ntfs3: terminate the cached volume label after UTF-8 conversion Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 646/969] platform/x86: dell_rbu: avoid uninit value usage in packet_size_write() Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 647/969] platform/x86: dell-wmi-sysman: bound enumeration string aggregation Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 648/969] RDMA/core: Prefer NLA_NUL_STRING Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 649/969] clk: qcom: dispcc-sm8450: use RCG2 ops for DPTX1 AUX clock source Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 650/969] scsi: sg: Resolve soft lockup issue when opening /dev/sgX Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 651/969] scsi: target: core: Fix integer overflow in UNMAP bounds check Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 652/969] dt-bindings: clock: qcom,gcc-sc8180x: Add missing GDSCs Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 653/969] clk: qcom: gcc-sc8180x: " Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 654/969] clk: qcom: gcc-sc8180x: Use retention for USB power domains Greg Kroah-Hartman
2026-05-30 16:02 ` [PATCH 6.1 655/969] clk: qcom: gcc-sc8180x: Use retention for PCIe " Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 656/969] clk: qcom: dispcc-sm8250: Use shared ops on the mdss vsync clk Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 657/969] clk: qcom: dispcc-sm8250: Enable parents for pixel clocks Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 658/969] clk: imx: imx6q: Fix device node reference leak in pll6_bypassed() Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 659/969] clk: imx: imx6q: Fix device node reference leak in of_assigned_ldb_sels() Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 660/969] clk: imx8mq: Correct the CSI PHY sels Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 661/969] clk: qoriq: avoid format string warning Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 662/969] clk: xgene: Fix mapping leak in xgene_pllclk_init() Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 663/969] dt-bindings: clock: qcom,dispcc-sc7180: Define MDSS resets Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 664/969] clk: qcom: dispcc-sc7180: Add missing " Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 665/969] lib/hexdump: print_hex_dump_bytes() calls print_hex_dump_debug() Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 666/969] clk: visconti: pll: initialize clk_init_data to zero Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 667/969] f2fs: Use sysfs_emit_at() to simplify code Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 668/969] f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show() Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 669/969] drm/i915: Constify watermark state checker Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 670/969] drm/i915: Extract intel_dbuf_mdclk_cdclk_ratio_update() Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 671/969] drm/i915: Loop over all active pipes in intel_mbus_dbox_update Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 672/969] drm/i915/wm: Verify the correct plane DDB entry Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 673/969] crypto: sa2ul - Fix AEAD fallback algorithm names Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 674/969] crypto: ccp - copy IV using skcipher ivsize Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 675/969] arm64: dts: imx8mp-icore-mx8mp: Correct PAD settings for PMIC_nINT Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 676/969] arm64: dts: imx8mp-dhcom-som: " Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 677/969] PCMCIA: Fix garbled log messages for KERN_CONT Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 678/969] arm64: dts: imx8mn-tqma8mqnl: Correct PAD settings for PMIC_nINT Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 679/969] arm64: dts: imx8mm-tqma8mqml: " Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 680/969] net/sched: sch_cake: fix NAT destination port not being updated in cake_update_flowkeys Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 681/969] nexthop: fix IPv6 route referencing IPv4 nexthop Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 682/969] net/sched: taprio: continue with other TXQs if one dequeue() failed Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 683/969] net/sched: taprio: refactor one skb dequeue from TXQ to separate function Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 684/969] net/sched: taprio: rename close_time to end_time Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 685/969] net/sched: taprio: fix use-after-free in advance_sched() on schedule switch Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 686/969] container_of: remove container_of_safe() Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 687/969] container_of: add container_of_const() that preserves const-ness of the pointer Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 688/969] tcp: preserve const qualifier in tcp_sk() Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 689/969] tcp: add data-race annotations around tp->data_segs_out and tp->total_retrans Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 690/969] tcp: annotate data-races around tp->bytes_sent Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 691/969] tcp: annotate data-races around tp->bytes_retrans Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 692/969] tcp: annotate data-races around tp->dsack_dups Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 693/969] tcp: annotate data-races around (tp->write_seq - tp->snd_nxt) Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 694/969] i40e: dont advertise IFF_SUPP_NOFCS Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 695/969] e1000e: Unroll PTP in probe error handling Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 696/969] ipv6: fix possible UAF in icmpv6_rcv() Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 697/969] sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 698/969] pppoe: drop PFC frames Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 699/969] openvswitch: cap upcall PID array size and pre-size vport replies Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 700/969] netfilter: nft_osf: restrict it to ipv4 Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 701/969] netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 702/969] netfilter: conntrack: remove sprintf usage Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 703/969] netfilter: xtables: restrict several matches to inet family Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 704/969] ipvs: fix MTU check for GSO packets in tunnel mode Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 705/969] netfilter: nfnetlink_osf: fix out-of-bounds read on option matching Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 706/969] netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 707/969] slip: reject VJ receive packets on instances with no rstate array Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 708/969] slip: bound decode() reads against the compressed packet length Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 709/969] arm64: dts: meson-gxl-p230: fix ethernet PHY interrupt number Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 710/969] ksmbd: destroy tree_conn_ida in ksmbd_session_destroy() Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 711/969] ksmbd: scope conn->binding slowpath to bound sessions only Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 712/969] net/rds: zero per-item info buffer before handing it to visitors Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 713/969] net_sched: sch_hhf: annotate data-races in hhf_dump_stats() Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 714/969] net/sched: sch_pie: annotate data-races in pie_dump_stats() Greg Kroah-Hartman
2026-05-30 16:03 ` [PATCH 6.1 715/969] net/sched: sch_fq_codel: remove data-races from fq_codel_dump_stats() Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 716/969] net/sched: sch_red: annotate data-races in red_dump_stats() Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 717/969] net/sched: sch_sfb: annotate data-races in sfb_dump_stats() Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 718/969] net: dsa: realtek: rtl8365mb: fix mode mask calculation Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 719/969] nfp: fix swapped arguments in nfp_encode_basic_qdr() calls Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 720/969] tipc: fix double-free in tipc_buf_append() Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 721/969] vhost_net: fix sleeping with preempt-disabled in vhost_net_busy_poll() Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 722/969] fs/adfs: validate nzones in adfs_validate_bblk() Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 723/969] rtc: abx80x: Disable alarm feature if no interrupt attached Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 724/969] fbdev: offb: fix PCI device reference leak on probe failure Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 725/969] mailbox: mailbox-test: free channels on probe error Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 726/969] cgroup/rdma: fix integer overflow in rdmacg_try_charge() Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 727/969] mailbox: add sanity check for channel array Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 728/969] mailbox: mailbox-test: dont free the reused channel Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 729/969] mailbox: mailbox-test: initialize struct earlier Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 730/969] mailbox: mailbox-test: make data_ready a per-instance variable Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 731/969] btrfs: fix double-decrement of bytes_may_use in submit_one_async_extent() Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 732/969] tracing: branch: Fix inverted check on stat tracer registration Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 733/969] nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 734/969] netfilter: arp_tables: fix IEEE1394 ARP payload parsing Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 735/969] nvme-pci: fix missed admin queue sq doorbell write Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 736/969] drm/amdgpu: fix spelling typos Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 737/969] drm/amdgpu/uvd3.1: Dont validate the firmware when already validated Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 738/969] drm/amdgpu/gfx6: Support harvested SI chips with disabled TCCs (v2) Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 739/969] netfilter: xt_policy: fix strict mode inbound policy matching Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 740/969] netfilter: nf_conntrack_sip: dont use simple_strtoul Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 741/969] drivers/spi-rockchip.c : Remove redundant variable slave Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 742/969] spi: rockchip: switch to use modern name Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 743/969] spi: rockchip: Read ISR, not IMR, to detect cs-inactive IRQ Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 744/969] cdrom, scsi: sr: propagate read-only status to block layer via set_disk_ro() Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 745/969] netdevsim: zero initialize struct iphdr in dummy sk_buff Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 746/969] net/sched: netem: fix probability gaps in 4-state loss model Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 747/969] net/sched: netem: fix queue limit check to include reordered packets Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 748/969] net/sched: netem: validate slot configuration Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 749/969] net/sched: netem: fix slot delay calculation overflow Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 750/969] net/sched: sch_choke: annotate data-races in choke_dump_stats() Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 751/969] net/sched: sch_fq_pie: annotate data-races in fq_pie_dump_stats() Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 752/969] vrf: Fix a potential NPD when removing a port from a VRF Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 753/969] net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit() Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 754/969] net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 755/969] NFC: trf7970a: Ignore antenna noise when checking for RF field Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 756/969] neighbour: add RCU protection to neigh_tables[] Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 757/969] neigh: let neigh_xmit take skb ownership Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 758/969] ALSA: usb-audio: Fix potential leak of pd at parsing UAC3 streams Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 759/969] net: mctp i2c: check length before marking flow active Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 760/969] net: phy: dp83869: fix setting CLK_O_SEL field Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 761/969] ASoC: codecs: ab8500: Fix casting of private data Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 762/969] netfilter: skip recording stale or retransmitted INIT Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 763/969] sctp: discard stale INIT after handshake completion Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 764/969] ipv4: rename and move ip_route_output_tunnel() Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 765/969] ipv4: remove "proto" argument from udp_tunnel_dst_lookup() Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 766/969] ipv4: add new arguments to udp_tunnel_dst_lookup() Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 767/969] ipv6: rename and move ip6_dst_lookup_tunnel() Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 768/969] bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst() Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 769/969] net/sched: sch_cake: annotate data-races in cake_dump_stats() (V) Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 770/969] net: netconsole: move newline trimming to function Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 771/969] netconsole: propagate device name truncation in dev_name_store() Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 772/969] ALSA: hda/conexant: fix some typos Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 773/969] ALSA: hda/conexant: Renaming the codec with device ID 0x1f86 and 0x1f87 Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 774/969] ALSA: hda/conexant: Fix missing error check for jack detection Greg Kroah-Hartman
2026-05-30 16:04 ` [PATCH 6.1 775/969] futex: Prevent lockup in requeue-PI during signal/ timeout wakeup Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 776/969] drm/amd/display: Allow DCE link encoder without AUX registers Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 777/969] drm/amd/display: Read EDID from VBIOS embedded panel info Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 778/969] bonding: 802.3ad replace MAC_ADDRESS_EQUAL with __agg_has_partner Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 779/969] net: bonding: add broadcast_neighbor option for 802.3ad Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 780/969] bonding: add support for per-port LACP actor priority Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 781/969] bonding: print churn state via netlink Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 782/969] bonding: 3ad: implement proper RCU rules for port->aggregator Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 783/969] iavf: rename IAVF_VLAN_IS_NEW to IAVF_VLAN_ADDING Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 784/969] iavf: stop removing VLAN filters from PF on interface down Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 785/969] iavf: wait for PF confirmation before removing VLAN filters Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 786/969] iavf: add VIRTCHNL_OP_ADD_VLAN to success completion handler Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 787/969] ice: Pull common tasks into ice_vf_post_vsi_rebuild Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 788/969] ice: fix NULL pointer dereference in ice_reset_all_vfs() Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 789/969] net: tls: fix strparser anchor skb leak on offload RX setup failure Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 790/969] net/sched: cls_flower: revert unintended changes Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 791/969] smb: client: correctly handle ErrorContextData as a flexible array Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 792/969] smb: client: fix OOB reads parsing symlink error response Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 793/969] net/sched: sch_pie: annotate more data-races in pie_dump_stats() Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 794/969] net: bcmgenet: Initialize u64 stats seq counter Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 795/969] net: bcmgenet: fix leaking free_bds Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 796/969] btrfs: tracepoints: fix sleep while in atomic context in btrfs_sync_file() Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 797/969] ALSA: misc: Use guard() for spin locks Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 798/969] ALSA: core: Serialize deferred fasync state checks Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 799/969] ASoC: SOF: pcm: Clear the susbstream pointer to NULL on close Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 800/969] ASoC: SOF: stream-ipc: Check for cstream nullity in sof_ipc_msg_data() Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 801/969] mtd: spi-nor: spansion: Enable JFFS2 write buffer for S25FS256T Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 802/969] netconsole: avoid out-of-bounds access on empty string in trim_newline() Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 803/969] bonding: fix NULL pointer dereference in actor_port_prio setting Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 804/969] net: bonding: update the slave array for broadcast mode Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 805/969] crypto: af_alg - Cap AEAD AD length to 0x80000000 Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 806/969] i40e: Cleanup PTP pins on probe failure Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 807/969] netfilter: nf_conntrack_sip: get helper before allocating expectation Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 808/969] audit: fix incorrect inheritable capability in CAPSET records Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 809/969] netfilter: nft_ct: fix missing expect put in obj eval Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 810/969] net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 811/969] audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 812/969] KVM: Reject wrapped offset in kvm_reset_dirty_gfn() Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 813/969] KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer arithmetic Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 814/969] KVM: x86: Fix Xen hypercall tracepoint argument assignment Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 815/969] smb/client: fix possible infinite loop and oob read in symlink_data() Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 816/969] drm/i915/dp: Fix VSC dynamic range signaling for RGB formats Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 817/969] ALSA: usb-audio: Bound MIDI endpoint descriptor scans Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 818/969] ceph: fix a buffer leak in __ceph_setxattr() Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 819/969] powerpc/warp: Fix error handling in pika_dtm_thread Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 820/969] libceph: Fix potential out-of-bounds access in osdmap_decode() Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 821/969] libceph: Fix potential null-ptr-deref in decode_choose_args() Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 822/969] libceph: Fix potential out-of-bounds access in crush_decode() Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 823/969] libceph: handle rbtree insertion error in decode_choose_args() Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 824/969] iommu/vt-d: Disable DMAR for Intel Q35 IGFX Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 825/969] drm/i915: skip __i915_request_skip() for already signaled requests Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 826/969] drm/panfrost: Fix wait_bo ioctl leaking positive return from dma_resv_wait_timeout() Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 827/969] drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 828/969] drm/gma500/oaktrail_lvds: fix hang on init failure Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 829/969] drm/gma500/oaktrail_lvds: fix i2c adapter leaks on init Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 830/969] io-wq: check that the predecessor is hashed in io_wq_remove_pending() Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 831/969] net/rds: reset op_nents when zerocopy page pin fails Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 832/969] io_uring: prevent opcode speculation Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 833/969] s390/debug: Reject zero-length input before trimming a newline Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 834/969] wifi: mac80211: check tdls flag in ieee80211_tdls_oper Greg Kroah-Hartman
2026-05-30 16:05 ` [PATCH 6.1 835/969] Revert "x86/vdso: Fix output operand size of RDPID" Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 836/969] Revert "s390/cio: Fix device lifecycle handling in css_alloc_subchannel()" Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 837/969] smb: client: reject userspace cifs.spnego descriptions Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 838/969] i3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 839/969] sysfs: dont remove existing directory on update failure Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 840/969] hwmon: (pmbus/adm1266) widen blackbox-info buffer to I2C_SMBUS_BLOCK_MAX Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 841/969] ALSA: ua101: Reject too-short USB descriptors Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 842/969] ALSA: asihpi: Fix potential OOB array access at reading cache Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 843/969] net: wwan: iosm: fix potential memory leaks in ipc_imem_init() Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 844/969] Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del() Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 845/969] Bluetooth: ISO: drop ISO_END frames received without prior ISO_START Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 846/969] Bluetooth: bnep: Fix UAF read of dev->name Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 847/969] Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 848/969] Bluetooth: MGMT: validate Add Extended Advertising Data length Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 849/969] phonet/pep: disable BH around forwarded sk_receive_skb() Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 850/969] net: bcmgenet: keep RBUF EEE/PM disabled Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 851/969] net: ifb: report ethtool stats over num_tx_queues Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 852/969] netfilter: ip6t_hbh: reject oversized option lists Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 853/969] netfilter: nf_queue: hold bridge skb->dev while queued Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 854/969] netfilter: ipset: stop hash:* range iteration at end Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 855/969] qed: fix double free in qed_cxt_tables_alloc() Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 856/969] ring-buffer: Fix reporting of missed events in iterator Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 857/969] vsock/vmci: fix UAF when peer resets connection during handshake Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 858/969] vsock/virtio: reset connection on receiving queue overflow Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 859/969] wifi: ath11k: clear shared SRNG pointer state on restart Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 860/969] ipv4: raw: reject IP_HDRINCL packets with ihl < 5 Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 861/969] ixgbevf: fix use-after-free in VEPA multicast source pruning Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 862/969] ice: fix setting promisc mode while adding VID filter Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 863/969] wifi: cfg80211: advance loop vars in cfg80211_merge_profile() Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 864/969] cifs: Fix busy dentry used after unmounting Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 865/969] tracing: Do not call map->ops->elt_free() if elt_alloc() fails Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 866/969] KVM: arm64: vgic-its: Reject restored DTE with out-of-range num_eventid_bits Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 867/969] drm/bridge: chipone-icn6211: use devm_drm_bridge_add in i2c probe Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 868/969] scsi: isci: Fix use-after-free in device removal path Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 869/969] spi: sprd: fix error pointer deref after DMA setup failure Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 870/969] spi: ti-qspi: fix use-after-free " Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 871/969] RDMA/siw: Reject MPA FPDU length underflow before signed receive math Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 872/969] LoongArch: Remove unused code to avoid build warning Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 873/969] device property: set fwnode->secondary to NULL in fwnode_init() Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 874/969] drm/virtio: use uninterruptible resv lock for plane updates Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 875/969] drm/bridge: it66121: acquire reset GPIO in probe Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 876/969] drm/bridge: megachips: remove bridge when irq request fails Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 877/969] drm/amd/display: Fix integer overflow in bios_get_image() Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 878/969] drm/amd/display: Validate GPIO pin LUT table size before iterating Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 879/969] drm/amd/display: Validate payload length and link_index in dc_process_dmub_aux_transfer_async Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 880/969] batman-adv: mcast: fix use-after-free in orig_node RCU release Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 881/969] batman-adv: clear current gateway during teardown Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 882/969] batman-adv: dat: handle forward allocation error Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 883/969] batman-adv: fix fragment reassembly length accounting Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 884/969] batman-adv: fix tp_meter counter underflow during shutdown Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 885/969] batman-adv: frag: disallow unicast fragment in fragment Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 886/969] batman-adv: bla: fix report_work leak on backbone_gw purge Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 887/969] batman-adv: tp_meter: avoid use of uninit sender vars Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 888/969] batman-adv: tt: fix negative last_changeset_len Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 889/969] batman-adv: tt: fix negative tt_buff_len Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 890/969] hwmon: (pmbus/adm1266) seed timestamp from the real-time clock Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 891/969] hwmon: (pmbus/adm1266) reject implausible blackbox record_count Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 892/969] hwmon: (pmbus/adm1266) include PEC byte in pmbus_block_xfer read buffer Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 893/969] hwmon: (pmbus/adm1266) bounce blackbox records through a protocol-sized buffer Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 894/969] hwmon: (pmbus/adm1266) cap PDIO scan in get_multiple at ADM1266_PDIO_NR Greg Kroah-Hartman
2026-05-30 16:06 ` [PATCH 6.1 895/969] hwmon: (pmbus/adm1266) dont clobber GPIO bits before PDIO read in get_multiple Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 896/969] hwmon: (pmbus/adm1266) register the gpio_chip after pmbus_do_probe() Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 897/969] hwmon: (pmbus/adm1266) register the nvmem device " Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 898/969] hwmon: (pmbus/adm1266) reject short block-read responses in the GPIO accessors Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 899/969] HID: uclogic: Fix regression of input name assignment Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 900/969] firmware: arm_ffa: Check for NULL FF-A ID table while driver registration Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 901/969] firmware: arm_ffa: Skip free_pages on RX buffer alloc failure Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 902/969] kunit: config: Enable KUNIT_DEBUGFS by default Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 903/969] kunit: config: KUNIT_DEBUGFS should depend on DEBUG_FS Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 904/969] pinctrl: qcom: Fix wakeirq map by removing disconnected irqs for sm8150 Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 905/969] ARM: integrator: Fix early initialization Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 906/969] netfilter: x_tables: unregister the templates first Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 907/969] netfilter: arptables: allow xtables-nft only builds Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 908/969] netfilter: xtables: " Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 909/969] netfilter: ebtables: " Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 910/969] netfilter: xtables: fix up kconfig dependencies Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 911/969] netfilter: arptables: Select NETFILTER_FAMILY_ARP when building arp_tables.c Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 912/969] netfilter: Make legacy configs user selectable Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 913/969] netfilter: Exclude LEGACY TABLES on PREEMPT_RT Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 914/969] netfilter: x_tables: add and use xt_unregister_table_pre_exit Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 915/969] netfilter: x_tables: add and use xtables_unregister_table_exit Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 916/969] netfilter: ebtables: move to two-stage removal scheme Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 917/969] netfilter: ebtables: close dangling table module init race Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 918/969] netfilter: x_tables: " Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 919/969] netfilter: bridge: eb_tables: close " Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 920/969] tcp: Fix imbalanced icsk_accept_queue count Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 921/969] ice: fix locking in ice_dcb_rebuild() Greg Kroah-Hartman
2026-05-30 16:07 ` [Intel-wired-lan] " Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 922/969] net: lan966x: avoid unregistering netdev on register failure Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 923/969] phy: marvell: mvebu-a3700-utmi: fix incorrect USB2_PHY_CTRL register access Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 924/969] irqchip/ath79-cpu: Remove unused function Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 925/969] irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 926/969] net: ethernet: cortina: Make RX SKB per-port Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 927/969] net: ethernet: cortina: Drop half-assembled SKB Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 928/969] net: ethernet: cortina: Carry over frag counter Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 929/969] net: ethernet: cs89x0: remove stale CONFIG_MACH_MX31ADS reference Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 930/969] wifi: ath11k: fix error path leaks in some WMI WOW calls Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 931/969] HID: quirks: really enable the intended work around for appledisplay Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 932/969] net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 933/969] ethtool: fix ethnl_bitmap32_not_zero() bit interval semantics Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 934/969] drm/msm/dsi: dont dump registers past the mapped region Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 935/969] drm/msm: Fix iommu_map_sgtable() return value check and avoid WARN Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 936/969] powerpc/time: Remove redundant preempt_disable|enable() calls from arch_irq_work_raise() Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 937/969] net/smc: reject CHID-0 ACCEPT that matches an empty ism_dev slot Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 938/969] net: tls: fix off-by-one in sg_chain entry count for wrapped sk_msg ring Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 939/969] net: tls: prevent chain-after-chain in plain text SG Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 940/969] spi: mtk-snfi: Fix resource leak in mtk_snand_read_page_cache() Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 941/969] drm/msm/snapshot: fix dumping of the unaligned regions Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 942/969] wifi: ath11k: Trigger sta disconnect on hardware restart Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 943/969] wifi: ath11k: update hw params for IPQ5018 Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 944/969] wifi: ath11k: update ce configurations " Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 945/969] wifi: ath11k: remap ce register space " Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 946/969] wifi: ath11k: update hal srng regs " Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 947/969] wifi: ath11k: initialize hw_ops " Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 948/969] wifi: ath11k: add new hw ops for IPQ5018 to get rx dest ring hashmap Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 949/969] wifi: ath11k: fix rssi station dump not updated in QCN9074 Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 950/969] wifi: ath11k: fix peer resolution on rx path when peer_id=0 Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 951/969] net: dsa: mt7530: sync driver-specific behavior of MT7531 variants Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 952/969] net: dsa: mt7530: fix FDB entries not aging out with short timeout Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 953/969] net: dsa: mt7530: rename mt753x_bpdu_port_fw enum to mt753x_to_cpu_fw Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 954/969] net: dsa: mt7530: preserve VLAN tags on trapped link-local frames Greg Kroah-Hartman
2026-05-30 16:07 ` [PATCH 6.1 955/969] net: mana: Fix TOCTOU double-fetch of hwc_msg_id from DMA buffer Greg Kroah-Hartman
2026-05-30 16:08 ` [PATCH 6.1 956/969] platform/x86: adv_swbutton: Check ACPI_HANDLE() against NULL Greg Kroah-Hartman
2026-05-30 16:08 ` [PATCH 6.1 957/969] platform/x86: hp_accel: Check ACPI_COMPANION() " Greg Kroah-Hartman
2026-05-30 16:08 ` [PATCH 6.1 958/969] platform/x86: intel-hid: Check ACPI_HANDLE() " Greg Kroah-Hartman
2026-05-30 16:08 ` [PATCH 6.1 959/969] platform/x86: intel-vbtn: " Greg Kroah-Hartman
2026-05-30 16:08 ` [PATCH 6.1 960/969] RDMA/rtrs: Fix use-after-free in path file creation cleanup Greg Kroah-Hartman
2026-05-30 16:08 ` [PATCH 6.1 961/969] net: bridge: Flush multicast groups when snooping is disabled Greg Kroah-Hartman
2026-05-30 16:08 ` [PATCH 6.1 962/969] bridge: mcast: Fix a possible use-after-free when removing a bridge port Greg Kroah-Hartman
2026-05-30 16:08 ` [PATCH 6.1 963/969] tracing: Avoid NULL return from hist_field_name() on truncation Greg Kroah-Hartman
2026-05-30 16:08 ` [PATCH 6.1 964/969] net: ag71xx: check error for platform_get_irq Greg Kroah-Hartman
2026-05-30 16:08 ` [PATCH 6.1 965/969] string: add mem_is_zero() helper to check if memory area is all zeros Greg Kroah-Hartman
2026-05-30 16:08 ` [PATCH 6.1 966/969] gpiolib: cdev: use !mem_is_zero() instead of memchr_inv(s, 0, n) Greg Kroah-Hartman
2026-05-30 16:08 ` [PATCH 6.1 967/969] gpio: cdev: check if uAPI v2 config attributes are correctly zeroed Greg Kroah-Hartman
2026-05-30 16:08 ` [PATCH 6.1 968/969] net: mana: validate rx_req_idx to prevent out-of-bounds array access Greg Kroah-Hartman
2026-05-30 16:08 ` [PATCH 6.1 969/969] security/keys: fix missed RCU read section on lookup Greg Kroah-Hartman
2026-05-30 17:15 ` [PATCH 6.1 000/969] 6.1.175-rc1 review Brett A C Sheffield
2026-05-30 20:18 ` Peter Schneider
2026-05-31 6:36 ` Miguel Ojeda
2026-06-01 2:01 ` Ron Economos
2026-06-01 8:56 ` Pavel Machek
2026-06-01 10:51 ` Francesco Dolcini
2026-06-01 17:30 ` Florian Fainelli